MCTS Windows Server® 2008 Applications Infrastructure Configuration Study Guide
Joel Stidley
Wiley Publishing, Inc.
61705ffirs.indd 3
6/28/08 9:54:24 AM
Acquisitions Editor: Jeff Kellum
Development Editor: Denise Santoro Lincoln
Technical Editor: Pawan K. Bhardwaj
Production Editor: Christine O’Connor
Copy Editor: Judy Flynn
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Executive Publisher: Joseph B. Wikert
Vice President and Publisher: Neil Edde
Project Coordinator, Cover: Lynsey Stanford
Media Project Supervisor: Jenny Swisher
Media Development Specialist: Josh Frank
Media Quality Assurance: Angie Denny
Book Designer: Judy Fung and Bill Gibson
Compositor: Craig Woods, Happenstance Type-O-Rama
Proofreader: Scott Klemp, Word One and Larry West
Indexer: Jack Lewis
Cover Designer: Ryan Sneed

Copyright © 2008 by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-0-470-26170-5

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware that Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Cataloging-in-Publication Data
Stidley, Joel, 1976-
MCTS : Windows server 2008 applications infrastructure configuration study guide (Exam 70-643) / Joel Stidley.—1st ed.
p. cm.
ISBN 978-0-470-26170-5 (paper/cd-rom)
1. Electronic data processing personnel—Certification. 2. Microsoft software—Examinations—Study guides. 3. Microsoft Windows server. I. Title.
QA76.3.S749827 2008
005.4'476—dc22
2008026322

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. Windows Server is a registered trademark of Microsoft Corporation in the United States and/or other countries. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

10 9 8 7 6 5 4 3 2 1
Dear Reader,

Thank you for choosing MCTS: Windows Server 2008 Applications Infrastructure Configuration Study Guide. This book is part of a family of premium quality Sybex books, all written by outstanding authors who combine practical experience with a gift for teaching.

Sybex was founded in 1976. More than thirty years later, we’re still committed to producing consistently exceptional books. With each of our titles we’re working hard to set a new standard for the industry. From the paper we print on, to the authors we work with, our goal is to bring you the best books available.

I hope you see all that reflected in these pages. I’d be very interested to hear your comments and get your feedback on how we’re doing. Feel free to let me know what you think about this or any other Sybex book by sending me an email at [email protected], or if you think you’ve found a technical error in this book, please visit http://sybex.custhelp.com. Customer feedback is critical to our efforts at Sybex.

Best regards,

Neil Edde
Vice President and Publisher
Sybex, an Imprint of Wiley
To my patient and lovely wife, Andrea, and children, Ethan and Jaelyn, who have learned to put up with me, and to my parents, Paul and Gayle, who fostered my love for computers ever since they were told my handwriting would never get any better.
Acknowledgments

It took a lot of hard work and patience to complete this book, as it does all publications. Thanks to Jeff Kellum and Denise Santoro Lincoln for being patient and considerate despite the scheduling setbacks and for retraining me on the format changes. Also, the production team of Christine O’Connor and Judy Flynn were top-notch and a joy to work with. They did an impeccable job making sure we were not just technically sound but also grammatically correct!

Thanks to Rawlinson Rivera for helping get this book going and for recommending me for this project. I hope you are feeling better and look forward to our next project! One of our pinch hitters was Jabez Gan Ming Teik, who really came through by getting a chapter reworked after a change in objectives on the Microsoft exam.

This book was a bit of a test for me and caused me to have to rely on a number of colleagues for a little help with developing the content. Without Erik Gustafson, Mike Hodson, and Siegfried Jagott, this book would not have been possible.

Last, I’d like to thank both the Monster Beverage Company and Hearthroast for fueling the late-night writing sessions with Lo-Carb Monster and home-roasted coffee.
About the Author

Joel Stidley has been working in the IT field for over 12 years and has been a computer fanatic for much longer. He obtained his first Microsoft certification in 1999 and is currently both an MCSE and MCTS. At the beginning of his IT career, he was supporting MS-DOS and Windows for Workgroups clients on a Novell NetWare network at a small manufacturing company. Shortly thereafter, he discovered the joys of Windows NT Server and led the charge in converting that company from a Novell NetWare directory to a Windows NT domain. He also convinced the company’s engineering department to switch from the SunOS-based workstations to new Windows NT 4.0 Workstation machines. Joel has since taken on numerous other projects, from a number of Active Directory and Exchange Server migrations to deploying large-scale virtualization environments. In 2004, Joel founded ExchangeExchange.com, a Microsoft Exchange–focused community website where he blogs and provides forums for discussing Exchange, PowerShell, certification, and general Windows information. In the last few years, he has also contributed to MCITP: Microsoft Exchange Server 2007 Messaging Design and Deployment Study Guide: Exams 70-237 and 70-238 (Sybex, 2008) and was lead author on Professional PowerShell for Exchange Server 2007 SP1 (Wrox, 2008). Currently he is a solutions architect at Terremark Worldwide Inc. where he works with a variety of directory, storage, virtualization, and messaging technologies. He currently lives in the Dallas area with his wife and two children.

About the Contributors

Erik R. Gustafson is a 7-year veteran of the IT consulting and IT support business. He started working professionally with Microsoft products while running a successful signage business in 1995, and after selling the business a few years later, he refocused his career on providing IT services. He obtained his first Microsoft certification in 2002 and is currently an MCSE and an MCSA. The last few years he has spent helping grow an IT consulting business and setting up an IT outsourcing MSP from the ground up. He recently relocated to the Dallas area and now works as a solutions architect for Terremark Worldwide Inc. When not shooting womp rats back home, Erik enjoys drinking piña coladas and getting caught in the rain.

Mike Hodson has a bachelor of science in mathematics from Texas Woman’s University and has worked in the IT industry for more than 11 years, receiving his first Microsoft certification in 1998. He has been working with desktop virtualization for more than 6 years and recently has been deeply involved with server virtualization projects. Mike is currently the team lead in the group responsible for storage networking and virtualization at Terremark Worldwide Inc. in Dallas, Texas.

Siegfried Jagott works as a senior systems architect and team lead for the Messaging and Collaboration team at Siemens IT Solutions located in Munich, Germany. He is part of the Siemens-central architecture team that works closely together with Microsoft to plan future enhancements of not only Windows and Exchange but also other products. For the past 10 years, he has been involved in planning, designing, and implementing some of the world’s largest Windows and Exchange Server infrastructures for various international customers, including Siemens. In addition, he is hosting a monthly column for Windows IT Magazine called “Exchange & Outlook UPDATE: Outlook Perspectives” and writes about Outlook 2007–related topics. He is also a frequent writer for various international magazines and speaks at conferences about Windows- and Exchange-related topics. He was also a contributing author for MCITP: Microsoft Exchange Server 2007 Messaging Design and Deployment Study Guide: Exams 70-237 and 70-238 (Sybex, 2008). In his spare time, he is actively engaged in a carnival club as a vice president and likes to go skiing in the Alps or traveling around the world. Siegfried is currently living in Rednitzhembach, a small town in southern Germany. He holds an MBA and a Diploma in Management from Open University in England and has been a Microsoft Certified Systems Engineer (MCSE) since 1997.

Rawlinson Rivera, an 11-year veteran of the IT consulting and training field, has worked on a variety of technologies ranging from IBM to VMware to Microsoft. He has developed specializations in architecting secure messaging and collaboration infrastructure with Windows Server 2000/2003/2008, Office SharePoint Server 2007, Exchange Server 2000/2003/2007, and VMware Virtual Infrastructure 3. Rawlinson is the founder of RawlsNet Technologies LLC, a firm that focuses on consulting, training, and developing industry content. He is the lead author of Sybex’s MCITP: Microsoft Exchange Server 2007 Messaging Design and Deployment Study Guide: Exams 70-237 and 70-238 (Sybex, 2008).

Jabez Gan Ming Teik is a Microsoft MVP for Windows Server File System/Storage. He is currently the senior technical officer for a consulting company that specializes in Microsoft technologies. He is also a writer for Msblog.org (blog) and technology sites and a speaker at technology events. Jabez can be reached at [email protected].
Contents at a Glance

Introduction xxv
Assessment Test xxxvi
Chapter 1 Windows Server 2008 Storage Services 1
Chapter 2 Exploring Terminal Services in Windows Server 2008 41
Chapter 3 Terminal Services Licensing, Advance Configuration, and Monitoring for Terminal Services 99
Chapter 4 Configuring Web Services Infrastructure 147
Chapter 5 Advanced Web Infrastructure Configuration 185
Chapter 6 Configuring Additional Communication Services 219
Chapter 7 Configuring Windows SharePoint Services (WSS) 267
Chapter 8 Using Virtualization In Windows Server 2008 313
Chapter 9 Deploying Servers 363
Chapter 10 Configuring High Availability in Windows Server 2008 403
Chapter 11 Monitoring Windows Server 2008 for High Availability 443
Appendix A About the Companion CD 517
Glossary 521
Index 529
Contents

Introduction xxv
Assessment Test xxxvi

Chapter 1 Windows Server 2008 Storage Services 1
    Storage in Windows Server 2008 2
    Initializing Disks 2
    Working with Basic and Dynamic Disks 5
    Working with Volume Sets 8
    RAID 11
    Mount Points 15
    Microsoft MPIO (Multipath I/O) 17
    iSCSI 19
    Internet Storage Name Service (iSNS) 23
    Fibre Channel 27
    Network Attached Storage (NAS) 28
    Managing SANs 28
    Virtual Disk Service (VDS) 28
    Storage Manager for SANs (SMfS) 29
    Storage Explorer 32
    Summary 33
    Exam Essentials 34
    Review Questions 35
    Answers to Review Questions 38

Chapter 2 Exploring Terminal Services in Windows Server 2008 41
    Remote Desktop Connection Display 43
    Custom Display Resolutions 43
    Monitor Spanning 44
    Font Smoothing 45
    Display Data Prioritization 46
    Desktop Experience 47
    Device Redirection 51
    Single Sign-On for Terminal Services 54
    Prepare and Configure the Use of Terminal Services RemoteApp (TS RemoteApp) 55
    Installing Programs to Be Used with TS RemoteApp 56
    Configuring Remote Programs to Be Used with TS RemoteApp 60
    Creating and Deploying a Windows Installer Package for TS RemoteApp Programs 63
    Export or Import RemoteApp Programs and Settings 65
    Distributing RemoteApp Applications 67
    Prepare and Configure Terminal Services Gateway (TS Gateway) 72
    Preparing the Necessary TS Gateway Role Services 72
    Obtaining and Configuring a Certificate for TS Gateway 74
    Creating Terminal Services Connection Authorization Policies (TS CAPs) 77
    Creating Terminal Services Resource Authorization Policies (TS RAPs) 80
    Configuring the Terminal Services Client for TS Gateway 82
    Configuring Terminal Services Load Balancing 84
    Configuring a Terminal Server Farm with TS Session Broker 84
    Configuring Network Load Balancing 89
    Summary 91
    Exam Essentials 92
    Review Questions 93
    Answers to Review Questions 96

Chapter 3 Terminal Services Licensing, Advance Configuration, and Monitoring for Terminal Services 99
    Configuring Terminal Services Licensing 100
    Terminal Services Client Access Licenses (TS CALs) 100
    Installing TS Licensing and TS Client Access Licenses (CALs) 101
    Configuring License Settings on a Terminal Server 114
    Managing Terminal Services through Group Policy 125
    Group Policy Settings for Terminal Services 125
    Configuring Global Deployment Settings for TS RemoteApp 130
    Monitoring TS Gateway Using TS Gateway Manager 135
    Resource Allocation for Terminal Services 138
    Summary 139
    Exam Essentials 140
    Review Questions 141
    Answers to Review Questions 144

Chapter 4 Configuring Web Services Infrastructure 147
    Configuring Web Applications 148
    Installing IIS 7.0 150
    Creating and Configuring Websites 152
    Configuring a File Transfer Protocol (FTP) Server 164
    Configuring Permissions 165
    Configuring FTP Site for Extranet Users 165
    FTP IPv4 and Domain Restrictions 166
    Configuring a Simple Mail Transfer Protocol (SMTP) Server 167
    Configuring General SMTP Virtual Server Properties 168
    Configuring Access 169
    Configuring Message Size and Transfer Limits 171
    Configuring Delivery Options 172
    Summary 177
    Exam Essentials 178
    Review Questions 179
    Answers to Review Questions 183

Chapter 5 Advanced Web Infrastructure Configuration 185
    Managing Internet Information Services (IIS) 186
    Configuring Monitoring and Logging 188
    Backup and Restore 195
    Delegating Administrative Rights 197
    Configuring Secure Sockets Layer (SSL) Security 201
    Requesting and Renewing SSL Certificates 202
    Enabling SSL on a Website 205
    Exporting and Importing Certificates 206
    Configuring Website Authentication and Permissions 207
    Configuring Application Access 209
    Client Certificate Mapping 211
    Summary 211
    Exam Essentials 212
    Review Questions 213
    Answers to Review Questions 217

Chapter 6 Configuring Additional Communication Services 219
    Configuring Fax Services 220
    Configuring Fax (Local) Properties 222
    Defining a Dialing Rule 225
    Defining a Fax Routing Location 227
    Configuring Media Server 229
    Configuring Basic Streaming Solutions 232
    Configuring Advanced Streaming Solutions 240
    Options for Configuring Security in a Windows Media Server 245
    Configuring Digital Rights Management (DRM) 249
    How Does DRM Work? 250
    Encryption 251
    Sharing Business Rules 252
    Configuring License Delivery 253
    Configuring Policy Templates 256
    Summary 260
    Exam Essentials 260
    Review Questions 261
    Answers to Review Questions 265

Chapter 7 Configuring Windows SharePoint Services (WSS) 267
    Configuring Windows SharePoint Services 269
    Configuring Incoming Email Settings 270
    Configuring Outgoing Email Settings 273
    Configuring Workflow Settings 277
    Configuring Diagnostic Logging Settings 278
    Configuring Antivirus Settings 281
    Using the Best Practices Analyzer Tool 282
    Configuring Windows SharePoint Services (WSS) Sites 283
    Upgrading from WSS 2.0 283
    Creating or Extending Web Applications 284
    Configuring Alternate Access Mapping 287
    Creating Zones for Web Applications 289
    Creating Quota Templates 290
    Creating Site Collections 291
    Enabling Access for End Users 292
    Adding Site Content 295
    Configuring Authentication for WSS 295
    Configure Digest Authentication 297
    Configuring Web SSO Authentication by Using ADFS 300
    Summary 305
    Exam Essentials 305
    Review Questions 306
    Answers to Review Questions 310

Chapter 8 Using Virtualization In Windows Server 2008 313
    Hyper-V Overview 314
    What Is Virtualization? 314
    Hyper-V Features 315
    Hyper-V Architecture 316
    Hyper-V Requirements 318
    Hyper-V Installation and Configuration 320
    Install Hyper-V Role 320
    Hyper-V in Server Manager 323
    Using Hyper-V Manager 324
    Configure Hyper-V Settings 325
    Manage Virtual Networks 326
    Managing Virtual Hard Disks 329
    Configuring Virtual Machines 337
    Creating and Managing Virtual Machines 337
    Back Up and Restore Virtual Machines 347
    Summary 355
    Exam Essentials 355
    Review Questions 357
    Answers to Review Questions 361

Chapter 9 Deploying Servers 363
    Windows Deployment Services 364
    Deploying Images by Using Windows Deployment Services 365
    Using Windows Deployment Services 366
    Configuring WDS 369
    Capturing Images 375
    Deploying Server Core 380
    Configuring Microsoft Windows Activation 381
    Installing KMS 384
    Configuring KMS 385
    Summary 397
    Exam Essentials 397
    Review Questions 398
    Answers to Review Questions 401

Chapter 10 Configuring High Availability in Windows Server 2008 403
    Components of High Availability 404
    Achieving High Availability 405
    Achieving High Availability with Failover Clustering 407
    Failover Clustering Requirements 409
    Cluster Quorum 410
    Validating a Cluster Configuration 412
    Creating a Cluster 417
    Clustered Application Settings 422
    Resource Properties 426
    Achieving High Availability with Network Load Balancing 429
    How Does Network Load Balancing Work? 429
    Network Load Balancing Requirements 430
    Creating an NLB Cluster 431
    Modifying Cluster Properties 433
    Managing NLB Clusters 434
    Summary 435
    Exam Essentials 436
    Review Questions 437
    Answers to Review Questions 441

Chapter 11 Monitoring Windows Server 2008 for High Availability 443
    Monitoring Servers Using Performance Data 444
    Working with Data Collector Sets 446
    Log Data in Performance Monitor 456
    Diagnosis Report 459
    View System Stability with Reliability Monitor 461
    Monitoring Servers Using Event Logs 467
    Using wevtutil.exe to Manage Event Logs 469
    Configuring Computers to Forward and Collect Events 470
    Reading Events through Custom Views 472
    Monitoring Using Task Scheduler 475
    Scheduling a Task 477
    Managing a Task 481
    Managing or Creating a Task on a Remote Computer 485
    Using the Command-Line Tool Schtasks.exe 487
    Running a Task in Response to a Given Event 488
    Monitoring System Activity 490
    Monitoring General System Activity Using Resource Monitor 490
    Monitoring Specific System Activity Using Performance Monitor 495
    Configuring and Monitoring Using Simple Network Management Protocol (SNMP) 500
    Install SNMP Services 500
    Configuring Agent Properties 501
    Configuring Traps 503
    Configuring SNMP Security Properties 504
    Starting or Stopping the SNMP Service 506
    Configuring Event to Trap Translator 507
    Summary 507
    Review Questions 509
    Answers to Review Questions 514

Appendix A About the Companion CD 517
    What You’ll Find on the CD 518
    Sybex Test Engine 518
    PDF of the Book 518
    Adobe Reader 519
    Electronic Flashcards 519
    System Requirements 519
    Using the CD 519
    Troubleshooting 520
    Customer Care 520

Glossary 521
Index 529
Table of Exercises

Exercise 1.1
Initializing Disk Drives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Exercise 1.2
Converting a Basic Disk to a Dynamic Disk . . . . . . . . . . . . . . . . . . . . . . . . . 6
Exercise 1.3
Creating a Volume Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Exercise 1.4
Creating Mount Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Exercise 1.5
Installing Microsoft MPIO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Exercise 1.6
Configuring iSCSI Storage Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Exercise 1.7
Installing the iSNS Feature on Windows Server 2008 . . . . . . . . . . . . . . . . 24
Exercise 1.8
Installing Storage Manager for SANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Exercise 2.1
Enabling Font Smoothing on a Client Computer . . . . . . . . . . . . . . . . . . . . 45
Exercise 2.2
Verifying ClearType Settings on Windows Server 2008 . . . . . . . . . . . . . . . 46
Exercise 2.3
Enabling the Desktop Experience Feature . . . . . . . . . . . . . . . . . . . . . . . . . 48
Exercise 2.4
Starting the Themes Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Exercise 2.5
Setting the Theme on Windows Server 2008 . . . . . . . . . . . . . . . . . . . . . . . 49
Exercise 2.6
Making Desktop Composition Available on a Vista Client . . . . . . . . . . . . 50
Exercise 2.7
Redirect Plug and Play Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Exercise 2.8
Configuring Authentication of a Windows 2008 Terminal Server . . . . . . 54
Exercise 2.9
Configuring SSO on a Client Computer . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Exercise 2.10
Installing the Terminal Services Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Exercise 2.11
Adding an application to the TS RemoteApp Program List . . . . . . . . . . . 60
Exercise 2.12
Packaging a TS RemoteApp Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Exercise 2.13
Exporting the RemoteApp Programs List and Deployment Settings . . . 65
Exercise 2.14
Installing TS Web Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Exercise 2.15
Adding the Computer Account of the TS Web Access Server to the TS RemoteApp Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Exercise 2.16
Installing the TS Gateway Role Service . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Exercise 2.17
Installing a Certificate on the TS Gateway Server . . . . . . . . . . . . . . . . . . 75
Exercise 2.18
Mapping the Certificate to the TS Gateway Server . . . . . . . . . . . . . . . . . . 76
Exercise 2.19
Creating a TS CAP for the TS Gateway Server . . . . . . . . . . . . . . . . . . . . . . 77
Exercise 2.20
Creating a TS RAP and Specifying Computers . . . . . . . . . . . . . . . . . . . . . 80
Exercise 2.21
Configuring the Terminal Services client for TS Gateway . . . . . . . . . . . . 83
Exercise 2.22
Installing TS Session Broker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Exercise 2.23
Adding Terminal Servers to the Session Directory Computers Local Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Exercise 2.24
Configuring the Terminal Servers to Join a Farm and Participate in Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Exercise 2.25
Configuring DNS for TS Session Broker Load Balancing . . . . . . . . . . . . . 88
Exercise 2.26
Installing NLB and Creating an NLB Cluster . . . . . . . . . . . . . . . . . . . . . . . . 89
Exercise 3.1
Installing TS Licensing Role Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Exercise 3.2
Installing TS Licensing Manager as a Feature . . . . . . . . . . . . . . . . . . . . . 105
Exercise 3.3
Activating a TS License Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Exercise 3.4
Install Terminal Services Client Access Licenses . . . . . . . . . . . . . . . . . . . 111
Exercise 3.5
Creating a Report for TS Per User CAL Issuance . . . . . . . . . . . . . . . . . . . . 119
Exercise 3.6
Revocation of Per Device CALs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Exercise 3.7
Running Licensing Diagnosis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Exercise 3.8
TS RemoteApp Global Deployment Settings . . . . . . . . . . . . . . . . . . . . . 131
Exercise 3.9
TS RemoteApp TS Gateway Global Deployment Settings . . . . . . . . . . . 132
Exercise 3.10
TS RemoteApp Common RDP Global Deployment Settings . . . . . . . . . 133
Exercise 3.11
TS RemoteApp Digital Signature Global Deployment Settings . . . . . . . 135
Exercise 3.12
Specifying TS Gateway Events to Log . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Exercise 3.13
Viewing User Connection Information through TS Gateway Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Exercise 3.14
Installing Windows System Resource Manager . . . . . . . . . . . . . . . . . . . 138
Exercise 3.15
Configuring WSRM for Terminal Services . . . . . . . . . . . . . . . . . . . . . . . . 139
Exercise 4.1
Installing IIS 7.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Exercise 4.2
Creating a Site Using Host Headers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Exercise 4.3
Installing IIS Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Exercise 5.1
Using AppCmd.exe to List Configured Websites . . . . . . . . . . . . . . . . . . . . 186
Exercise 5.2
Enabling Failed Request Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Exercise 5.3
Modifying Configuration History Settings . . . . . . . . . . . . . . . . . . . . . . . . 195
Exercise 5.4
Delegating Administrative Permissions for Remote Administration of a Website . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Exercise 5.5
Enabling SSL on a Web Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Exercise 6.1
Configuring a Fax Device to Receive Faxes . . . . . . . . . . . . . . . . . . . . . . . 222
Exercise 6.2
Configuring Fax Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Exercise 6.3
Configuring a Dialing Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Exercise 6.4
Configuring Incoming Fax Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Exercise 6.5
Adding a Routing Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Exercise 6.6
Creating a Broadcast Publishing Point . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Exercise 6.7
Configuring a Multicast Stream . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Exercise 6.8
Enabling Fast Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Exercise 6.9
Enabling Advanced Fast Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Exercise 6.10
Enabling FEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Exercise 6.11
Setting Client Connect Attempts  244
Exercise 6.12  Changing the Anonymous Account  245
Exercise 6.13  Enabling ACL Authorization  247
Exercise 6.14  Allowing or Denying IP Addresses  247
Exercise 6.15  Creating an ACL List  248
Exercise 6.16  Using AD DRM to Protect a Document  252
Exercise 6.17  Configuring Users’ Exclusions  253
Exercise 6.18  Configuring Application Exclusions  255
Exercise 6.19  Configuring Policy Template  257
Exercise 7.1  Configuring Incoming Email Settings  272
Exercise 7.2  Configuring Outgoing Email Settings  275
Exercise 7.3  Configuring Outgoing Email Settings for a Specific Web Application  276
Exercise 7.4  Configuring Diagnostic Log Settings  280
Exercise 7.5  Configuring Digest Authentication  297
Exercise 7.6  Configuring Web SSO Authentication  301
Exercise 8.1  Installing Hyper-V on Full Installation Mode  320
Exercise 8.2  Creating an Internal Virtual Network  328
Exercise 8.3  Creating a Differencing Hard Disk  331
Exercise 8.4  Creating a Fixed Size Disk and Cloning a Local Drive  332
Exercise 8.5  Adding a Pass-Through Disk to a Virtual Machine  335
Exercise 8.6  Creating a New Virtual Machine  338
Exercise 8.7  Installing Hyper-V Integration Components  346
Exercise 8.8  Creating a Snapshot of a Virtual Machine  351
Exercise 8.9  Applying a Snapshot  354
Exercise 9.1  Installing the WDS Role  367
Exercise 9.2  Configuring WDS Server for First Use  370
Exercise 9.3  Configuring WDS Server Properties  372
Exercise 9.4  Creating a Capture Image Using the Wizard  376
Exercise 9.5  Using WDSUTIL to Create a Capture Image  379
Exercise 9.6  Installing Server Core  381
Exercise 9.7  Installing a KMS Host  385
Exercise 9.8  Configuring DNS Permissions for a KMS Host  387
Table of Exercises
Exercise 9.9  Publishing in Multiple Domains  389
Exercise 9.10  Creating a KMS SRV Record  392
Exercise 9.11  Capturing Data for Install from Media  395
Exercise 10.1  Installing the Failover Cluster Feature  413
Exercise 10.2  Running the Validate a Configuration Wizard  415
Exercise 10.3  Creating a Cluster  418
Exercise 10.4  Clustering the Print Service  420
Exercise 10.5  Using the Dependency Viewer  425
Exercise 10.6  Creating a Network Load Balancing Cluster  431
Exercise 11.1  Assigning the “Log On as a Batch Job” User Right  446
Exercise 11.2  Creating a Data Collector Set  447
Exercise 11.3  Creating a New Data Collector Set from a Template  449
Exercise 11.4  Manually Creating a New Data Collector Set  450
Exercise 11.5  Scheduling the Start Condition for a Data Collector Set  451
Exercise 11.6  Scheduling the Stop Condition for a Data Collector Set  453
Exercise 11.7  Configuring Data Management for a Data Collector Set  454
Exercise 11.8  Loading Log Data in Performance Monitor  458
Exercise 11.9  Navigating the Log View in Performance Monitor  459
Exercise 11.10  Viewing the System Diagnostics Report  460
Exercise 11.11  Viewing System Availability in Performance Monitor  463
Exercise 11.12  Configuring Computers to Forward and Collect Events  470
Exercise 11.13  Filtering Only Informational Events in the Current Log  473
Exercise 11.14  Creating a Custom View  474
Exercise 11.15  Scheduling a Basic Task by Using a Wizard  477
Exercise 11.16  Scheduling a Task Manually by Using the Windows Interface  480
Exercise 11.17  Scheduling a Task Manually by Using the Command Line  481
Exercise 11.18  Displaying All Running Tasks  482
Exercise 11.19  Exporting Tasks  483
Exercise 11.20  Importing Tasks  483
Exercise 11.21  Viewing the History of a Task  484
Exercise 11.22  Managing or Creating a Task on a Remote Computer Using Task Scheduler  485
Exercise 11.23  Managing or Creating a Task on a Remote Computer Using the Command Line  486
Exercise 11.24  Running a Task in Response to an Event  488
Exercise 11.25  Monitoring General System Activity Using Resource Monitor  491
Exercise 11.26  Adding Counters to the Current Performance Monitor View  495
Exercise 11.27  Changing the Graph Type for the Log Data in Performance Monitor  499
Exercise 11.28  Installing SNMP Services  500
Exercise 11.29  Configuring Agent Properties  502
Exercise 11.30  Configuring Traps  503
Exercise 11.31  Configuring SNMP Security Properties  504
Exercise 11.32  Starting or Stopping SNMP Service  506
Exercise 11.33  Configuring Event to Trap Translator  507
Introduction

Microsoft has recently changed its certification program to contain three primary series: Technology, Professional, and Architect. The Technology Series of certifications is intended to allow candidates to target specific technologies and is the basis for obtaining the Professional Series and Architect Series of certifications. The certifications contained within the Technology Series consist of one to three exams, focus on a specific technology, and do not include job-role skills. By contrast, the Professional Series of certifications focuses on a job role and is not necessarily tied to a single technology but rather to a comprehensive set of skills for performing the job role being tested. The Architect Series of certifications offered by Microsoft includes premier certifications that require passing a review board made up of previously certified architects. To apply for an Architect Series certification, you must have a minimum of 10 years of industry experience.

When obtaining a Technology Series certification, you are recognized as a Microsoft Certified Technology Specialist (MCTS) on the specific technology or technologies that you have been tested on. The Professional Series certifications include Microsoft Certified IT Professional (MCITP) and Microsoft Certified Professional Developer (MCPD). Passing the review board for an Architect Series certification will allow you to become a Microsoft Certified Architect (MCA).

This book has been developed to give you the critical skills and knowledge you need to prepare for the exam requirement for obtaining the MCTS: Windows Server 2008 Applications Infrastructure, Configuring (Exam 70-643).

The Microsoft Certified Professional Program

Since the inception of its certification program, Microsoft has certified more than 2 million people. As the computer network industry continues to increase in both size and complexity, this number is sure to grow, and the need for proven ability will also increase. Certifications can help companies verify the skills of prospective employees and contractors. Microsoft has developed its Microsoft Certified Professional (MCP) program to give you credentials that verify your ability to work with Microsoft products effectively and professionally. Several levels of certification are available based on specific suites of exams. Microsoft has recently created a new generation of certification programs:

Microsoft Certified Technology Specialist (MCTS)  The MCTS can be considered the entry-level certification for the new generation of Microsoft certifications. The MCTS certification program targets specific technologies instead of specific job roles. You must take and pass one to three exams.

Microsoft Certified IT Professional (MCITP)  The MCITP certification is a Professional Series certification that tests network and systems administrators on job roles rather than only on a specific technology. The MCITP generally consists of passing one to three exams in addition to obtaining an MCTS-level certification.
Microsoft Certified Professional Developer (MCPD)  The MCPD certification is a Professional Series certification for application developers. Similar to the MCITP, the MCPD is focused on a job role rather than on a single technology. The MCPD generally consists of passing one to three exams in addition to obtaining an MCTS-level certification.

Microsoft Certified Architect (MCA)  The MCA is Microsoft’s premier certification series. Obtaining the MCA requires a minimum of 10 years of experience and requires the candidate to pass a review board consisting of peer architects.

How Do You Become Certified on Windows Server 2008 Applications Infrastructure?

Attaining a Microsoft certification has always been a challenge. In the past, students have been able to acquire detailed exam information, even most of the exam questions, from online “brain dumps” and third-party “cram” books or software products. For the new generation of exams, this is simply not the case. Microsoft has taken strong steps to protect the security and integrity of its new certification tracks. Now prospective candidates must complete a course of study that develops detailed knowledge about a wide range of topics. It supplies them with the true skills needed, derived from working with the technology being tested.

The new generations of Microsoft certification programs are heavily weighted toward hands-on skills and experience. It is recommended that candidates have troubleshooting skills acquired through hands-on experience and working knowledge. Fortunately, if you are willing to dedicate the time and effort to learn the Windows Server 2008 applications infrastructure, you can prepare yourself well for the exam by using the proper tools. By working through this book, you can successfully meet the requirements to pass the Windows Server 2008 Applications Infrastructure exam.

This book is part of a complete series of Microsoft certification Study Guides, published by Sybex Inc., that together cover the new MCTS, MCITP, and MCPD exams as well as the core MCSA and MCSE operating system requirements. Please visit the Sybex website at www.sybex.com for complete program and product details.

MCTS Exam Requirements

Candidates for MCTS certification on Windows Server 2008 Applications Infrastructure must pass one Windows Server 2008 Applications Infrastructure exam. Other MCTS certifications may require up to three exams. For a more detailed description of the Microsoft certification programs, including a list of all the exams, visit the Microsoft Learning website at www.microsoft.com/learning/mcp.
The Windows Server 2008 Applications Infrastructure, Configuring Exam

The Windows Server 2008 Applications Infrastructure exam covers concepts and skills related to installing, configuring, and managing Windows Server 2008 applications. This includes the following applications:

- SharePoint Services
- Windows Deployment Services
- Terminal Services
- Internet Information Services 7.0

It emphasizes the basic Windows Server 2008 roles and features required to configure and support this functionality. Microsoft provides exam objectives to give you a general overview of possible areas of coverage on the Microsoft exams. Keep in mind, however, that exam objectives are subject to change at any time without prior notice and at Microsoft’s sole discretion. Please visit the Microsoft Learning website (www.microsoft.com/learning/mcp) for the most current listing of exam objectives.

Types of Exam Questions

In an effort to both refine the testing process and protect the quality of its certifications, Microsoft has focused its newer certification exams on real experience and hands-on proficiency. There is a greater emphasis on your past working environments and responsibilities and less emphasis on how well you can memorize. In fact, Microsoft says that certification candidates should have hands-on experience before attempting to pass any certification exams. Microsoft will accomplish its goal of protecting the exams’ integrity by regularly adding and removing exam questions, limiting the number of questions that any individual sees in a beta exam, limiting the number of questions delivered to an individual by using adaptive testing, and adding new exam elements.
Exam questions may be in a variety of formats. Depending on which exam you take, you’ll see multiple choice questions, as well as drag-and-drop, build list and reorder, and hot area questions. Simulations and case study-based formats are included as well. You may also find yourself taking what’s called an adaptive format exam. Let’s take a look at the types of exam questions and examine the adaptive testing technique so you’ll be prepared for all of the possibilities.
With the release of Windows 2000, Microsoft stopped providing a detailed score breakdown. This is mostly because of the various and complex question formats. Previously, each question focused on one objective. However, recent exams, such as the Windows Server 2008 Active Directory exam, contain questions that may be tied to one or more objectives from one or more objective sets. Therefore, grading by objective is almost impossible. Also, Microsoft no longer offers a score. Now you will only be told if you pass or fail.
Multiple Choice Questions

Multiple choice questions come in two main forms. One is a straightforward question followed by several possible answers, of which one or more is correct. The other type of multiple choice question is more complex and based on a specific scenario. The scenario may focus on several areas or objectives.

Drag-and-Drop Questions

Drag-and-drop exam questions involve graphical elements that you must manipulate to successfully answer the question. For example, you might see a diagram of a computer network, as shown in the following graphic taken from the select-and-place demo downloaded from Microsoft’s website.
A typical diagram will show computers and other components next to boxes that contain the text “Place here.” The labels for the boxes represent various computer roles on a network, such as a print server and a file server. Based on information given for each computer, you are asked to select each label and place it in the correct box. You need to place all of the labels correctly. No credit is given for the question if you correctly label only some of the boxes.
Build List and Reorder Questions

In another drag-and-drop problem you might be asked to put a series of steps in order by dragging items from boxes on the left to boxes on the right and placing them in the correct order. One other type requires that you drag an item from the left and place it under an item in a column on the right. For more information on the various exam question types, go to www.microsoft.com/learning/mcpexams/policies/innovations.mspx.

Simulations

Simulations are the kinds of questions that most closely represent actual situations and test the skills you use while working with Microsoft software interfaces. These exam questions include a mock interface on which you are asked to perform certain actions according to a given scenario. The simulated interfaces look nearly identical to what you see in the actual product, as shown in the following example.
Because of the number of possible errors that can be made on simulations, be sure to consider the following recommendations from Microsoft:

- Do not change any simulation settings that don’t pertain to the solution directly.
- When related information has not been provided, assume that the default settings are used.
- Make sure that your entries are spelled correctly.
- Close all the simulation application windows after completing the set of tasks in the simulation.

The best way to prepare for simulation questions is to spend time working with the graphical interface of the product on which you will be tested.

Case Study-Based Questions

Case study-based questions first appeared in the MCSD program. These questions present a scenario with a range of requirements. Based on the information provided, you answer a series of multiple-choice and select-and-place questions. The interface for case study-based questions has a number of tabs, each of which contains information about the scenario. At present, this type of question appears only in the Design exams.

Microsoft will regularly add and remove questions from the exams. This is called item seeding. It is part of the effort to make it more difficult for individuals to memorize exam questions that were passed along by previous test-takers.
Tips for Taking the MCTS: Windows Server 2008 Applications Infrastructure, Configuring Exam

Here are some general tips for achieving success on your certification exam:

- Arrive early at the exam center so that you can relax and review your study materials. During this final review, you can look over tables and lists of exam-related information.
- Read the questions carefully. Do not be tempted to jump to an early conclusion. Make sure you know exactly what the question is asking.
- Answer all questions. If you are unsure about a question, mark it for review and come back to it at a later time.
- On simulations, do not change settings that are not directly related to the question. Also, assume default settings if the question does not specify or imply which settings are used.
- For questions you’re not sure about, use a process of elimination to get rid of the obviously incorrect answers first. This improves your odds of selecting the correct answer when you need to make an educated guess.
Exam Registration

You may take the Microsoft exams at any of more than 1,000 Authorized Prometric Testing Centers (APTCs) around the world. For the location of a testing center near you, call Prometric at 800-755-EXAM (755-3926). Outside the United States and Canada, contact your local Prometric registration center. You may also register for your exams online at www.prometric.com.

Find out the number of the exam you want to take, and then register with the Prometric registration center nearest to you. At this point, you will be asked for advance payment for the exam. The exams are $125 each and you must take them within one year of payment. You can schedule exams up to six weeks in advance or as late as one working day prior to the date of the exam. You can cancel or reschedule your exam if you contact the center at least two working days prior to the exam. Same-day registration is available in some locations, subject to space availability. Where same-day registration is available, you must register a minimum of two hours before test time.

When you schedule the exam, you will be provided with instructions regarding appointment and cancellation procedures, ID requirements, and information about the testing center location. In addition, you will receive a registration and payment confirmation letter from Prometric. Microsoft requires certification candidates to accept the terms of a nondisclosure agreement before taking certification exams.

Is This Book for You?

If you want to acquire a solid foundation in Windows Server 2008 applications, and your goal is to prepare for the exam by learning how to use and manage the new operating system functions in practical ways, this book is for you. You’ll find clear explanations of the fundamental concepts you need to grasp and plenty of help to achieve the high level of professional competency you need to succeed in your chosen field. If you want to become certified as an MCTS, this book is definitely for you. However, if you just want to attempt to pass the exam without really understanding Windows Server 2008 applications, this Study Guide is not for you. It is written for people who want to acquire hands-on skills and in-depth knowledge of Windows Server 2008 applications.

What’s in the Book?

What makes a Sybex Study Guide the book of choice for hundreds of thousands of MCPs? We took into account not only what you need to know to pass the exam, but what you need to know to take what you’ve learned and apply it in the real world. Each book contains the following:

Objective-by-objective coverage of the topics you need to know  Each chapter lists the objectives covered in that chapter.
The topics covered in this Study Guide map directly to Microsoft’s official exam objectives. Each exam objective is covered completely.
Assessment test  Directly following this introduction is an assessment test that you should take. It is designed to help you determine how much you already know about the Windows Server 2008 applications infrastructure. Each question is tied to a topic discussed in the book. Using the results of the assessment test, you can figure out the areas where you need to focus your study. Of course, we do recommend you read the entire book.

Exam essentials  To highlight what you learn, you’ll find a list of exam essentials at the end of each chapter. The exam essentials section briefly highlights the topics that need your particular attention as you prepare for the exam.

Glossary  Throughout each chapter, you will be introduced to important terms and concepts that you will need to know for the exam. These terms appear in italic within the chapters, and at the end of the book, a detailed glossary gives definitions for these terms as well as other general terms you should know.

Review questions, complete with detailed explanations  Each chapter is followed by a set of review questions that test what you learned in the chapter. The questions are written with the exam in mind, meaning that they are designed to have the same look and feel as what you’ll see on the exam.

Exercises  In each chapter, you’ll find exercises designed to give you the important hands-on experience that is critical for your exam preparation. The exercises support the topics of the chapter, and they walk you through the steps necessary to perform particular functions.

Real World Scenarios  Because reading a book isn’t enough for you to learn how to apply these topics in your everyday duties, we have provided Real World Scenarios in special sidebars. These explain when and why a particular solution would make sense, in a working environment you’d actually encounter.

Interactive CD  Every Sybex Study Guide comes with a CD complete with additional questions, flashcards for use with an interactive device, and the book in electronic format. Details are in the following section.

What’s on the CD?

With this new member of our best-selling Study Guide series, we are including quite an array of training resources. The CD offers bonus exams and flashcards to help you study for the exam. We have also included the complete contents of the Study Guide in electronic form. The CD’s resources are described here:

The Sybex E-book for Windows Server 2008 Applications Infrastructure  Many people like the convenience of being able to carry their whole Study Guide on a CD. They also like being able to search the text via computer to find specific information quickly and easily.
For these reasons, the entire contents of this Study Guide are supplied on the CD, in PDF. We’ve also included Adobe Acrobat Reader, which provides the interface for the PDF contents as well as the search capabilities.

The Sybex Test Engine  This is a collection of multiple-choice questions that will help you prepare for your exam. There are four sets of questions:

- Two bonus exams designed to simulate the actual live exam.
- All the questions from the Study Guide, presented in a test engine for your review. You can review questions by chapter, or you can take a random test.
- The assessment test.
Here is a sample screen from the Sybex Test Engine:
Sybex Flashcards for PCs and Handheld Devices  The “flashcard” style of question offers an effective way to quickly and efficiently test your understanding of the fundamental concepts covered in the exam. The Sybex Flashcards set consists of 100 questions presented in a special engine developed specifically for this Study Guide series. Here’s what the Sybex Flashcards interface looks like:
Because of the high demand for a product that will run on handheld devices, we have also developed, in conjunction with Land-J Technologies, a version of the flashcard questions that you can take with you on your Palm OS PDA (including the PalmPilot and Handspring’s Visor).
Hardware and Software Requirements

You should verify that your computer meets the minimum requirements for installing Windows Server 2008. We suggest that your computer meets or exceeds the recommended requirements for a more enjoyable experience. The exercises in this book assume that your computer is configured in a specific manner. Your computer should have at least a 20GB drive that is configured with the minimum space requirements and partitions. Other exercises in this book assume that your computer is configured as follows:

- 20GB C: partition with the NTFS filesystem
- Optional D: partition with the NTFS filesystem
- 15GB or more of free space

Of course, you can allocate more space to your partitions if it is available. The first exercise in the book assumes that you have installed Windows Server 2008. Many of the exercises, including the failover clustering exercises in Chapter 10, assume that you have an Active Directory domain configured and that you have administrative rights on that domain.
Contacts and Resources

To find out more about Microsoft Education and Certification materials and programs, to register with Prometric, or to obtain other useful certification information and additional study resources, check the following resources:

Microsoft Learning Home Page
www.microsoft.com/learning
This website provides information about the MCP program and exams. You can also order the latest Microsoft Roadmap to Education and Certification.

Microsoft TechNet Technical Information Network
www.microsoft.com/technet
(800) 344-2121
Use this website or phone number to contact support professionals and system administrators. Outside the United States and Canada, contact your local Microsoft subsidiary for information.

Prometric
www.prometric.com
(800) 755-3926
Contact Prometric to register to take an exam at any of more than 800 Prometric Testing Centers around the world.

MCP Magazine Online
www.mcpmag.com
Microsoft Certified Professional Magazine is a well-respected publication that focuses on Windows certification. This site hosts chats and discussion forums and tracks news related to the MCTS and MCITP program. Some of the services cost a fee, but they are well worth it.

WindowsITPro Magazine
www.windowsITPro.com
You can subscribe to this magazine or read free articles at the website. The study resource provides general information on Windows Vista, Server, and .NET Server.
Assessment Test

1. You have been given a server with three hard disks, all with the same capacity. The first drive contains the operating system files. You must provide data redundancy while providing the most capacity. To accomplish this, which of the following would you do?
A. Select the first drive, right-click, and select New RAID 5 Volume.
B. Select the first drive, right-click, and select New Mirrored Volume.
C. Select the first drive, right-click, and select New Striped Volume.
D. Select the first drive, right-click, and select New Simple Volume.

2. You have been given a server that contains three HBAs. Each card can access the storage over a separate path. The application that runs on the server can exceed the usage of a single path. Which of the following MPIO options should be selected to provide the needed bandwidth as well as minimal redundancy?
A. Failover
B. Dynamic Least Queue Depth
C. Weighted path
D. Round robin

3. A server named TSrv1 running Windows Server 2008 has the Terminal Server role installed and you have deployed a remote application from this server. You have already contacted the vendor to verify that the application is supported in a Terminal Server environment, but the installation package does not use an MSI installer package. After you have deployed the remote application, users report remote application time-outs and various disconnected sessions. How can you ensure that the application has been installed to support multiple sessions?
A. Run the change user /disable command on TSrv1, install the application, and run the change user /enable command on TSrv1.
B. Run mstsc /v:TSrv1 /admin from your client computer to log on to TSrv1 and install the application.
C. Run the change user /execute command on TSrv1, install the application, and run the change user /install command on TSrv1.
D. Run the change user /install command on TSrv1, install the application, and run the change user /execute command on TSrv1.
4. You are a server administrator with two servers running Windows Server 2008 with the Terminal Services role installed, TSrv1 and TSrv2. TSrv1 is currently publishing remote applications and distributing them through RDP files in a web virtual directory. You want the program lists and deployment settings to be the same on both servers, so you import the RemoteApp programs settings from TSrv1. Users complain that they cannot access the remote applications on TSrv2 but can on TSrv1. Which of the following would you do to ensure that users can access the applications on TSrv2?
A. Copy the RDP files from TSrv1 to a new web virtual directory for TSrv2.
B. Configure TSrv1 and TSrv2 to participate in TS Session Broker Load Balancing.
C. Re-create the RDP files on TSrv2 and distribute them to the users.
D. Re-create the RDP files on TSrv1 and distribute them to the users.

5. Your company runs Windows Server 2008 Terminal Services servers and all the clients are Windows Vista. There is a new company video broadcast that the clients will be running from these terminal servers. Which of the following actions would you take to ensure that Media Player 11 is enabled on the terminal servers?
A. Install the Desktop Experience feature on the Terminal Services servers.
B. Install the Vista theme on the Terminal Services servers.
C. Check the Desktop composition box on the RDC client of the user’s computer.
D. Install Windows Media Server 2008 on the Terminal Services servers.

6. You have an Active Directory domain and the TS Licensing role service is installed on a server named TSrv1 that is in a workgroup. You cannot enable TS Per User CALs on this license server. What do you need to do to enable TS Per User CALs?
A. Get license keys from the Microsoft Clearinghouse and enter the keys into the license server.
B. Join TSrv1 to the domain.
C. Install the Terminal Services role on TSrv1.
D. Install the TS Gateway role on TSrv1.

7. You are running the Terminal Services role on a server and are publishing RemoteApps and using GPOs to set the policies on the server. You check Terminal Services Manager and notice that there are disconnected sessions that are several days old. How can you ensure that disconnected sessions do not persist in the future?
A. Log into Terminal Services Manager and reset each disconnected session.
B. In the Group Policy Management Console, enable the policy Restrict Terminal Services users to a single remote session.
C. In the Group Policy Management Console, enable the policy Set time limit for disconnected sessions.
D. Set the terminal server to drain mode.
8. You have installed a TS license server and you wish to activate it. You choose the automatic connection to activate the server with the Microsoft Clearinghouse but it fails. You suspect that your firewall is configured incorrectly, and you want the activation process to happen automatically. How can you ensure this?
A. Open port 443 on your firewall.
B. Open port 80 on your firewall.
C. Open port 3389 on your firewall.
D. Open port 1494 on your firewall.

9. You have just deployed a new .NET web application and need to provide it with the least amount of privileges. The application needs to be able to access the Registry. Which of the following .NET trust levels will provide the least amount of privileges required?
A. Full
B. High
C. Medium
D. Low
E. Minimal

10. You have configured an SMTP server to be the smart host for a number of servers so that the server can send all outbound email out to the Internet. None of the messages that have been sent have been received by the recipient. What must be done to allow email to be delivered?
A. Enable TLS encryption.
B. Add the sending servers to the exceptions list on the connection control.
C. Add the sending servers to the allow list in the relay restrictions.
D. Enable LDAP Routing.

11. You must configure a website to allow Windows user credentials based on file system permissions to provide access to a single virtual directory. Which authentication modules must you disable on the virtual directory if the IUSR_ServerName account has permissions on the site content?
A. Basic Authentication
B. Anonymous Authentication
C. Digest Authentication
D. Integrated Windows Authentication

12. You must restore the server’s configuration to before the last set of configuration changes you made. Which command should you run?
A. AppCmd restore backup “Last Backup”
B. AppCmd restore backup “CFGHISTORY_0000000001”
C. AppCmd restore backup “CFGHISTORY_0000000100”
D. AppCmd add backup “CFGHISTORY_0000000100”
13. You are the administrator for an engineering firm. The chief information officer (CIO) informs you that the president of the company wants to make a live broadcast to all employees. The CIO informs you that he does not want the employees to be able to record the broadcast or pause it. In addition, he wants you to reduce the impact that the broadcast will have on the server. What two options should you choose to meet the CIO’s requirements?
A. Deliver the content with a unicast stream.
B. Use on-demand publishing points.
C. Deliver the content with a multicast stream.
D. Use a broadcast publishing point.

14. Your company has a shared directory that contains files created with Word, Excel, PowerPoint, and Publisher. The senior network administrator wants you to use the newly installed Windows 2008 Server to provide better control over who has access to those files and to limit the amount of time the files can be used. In addition, he wants you to reduce the amount of administration effort that is currently being spent to change rights on user files. What options should you choose to install and configure? (Choose all that apply.)
A. Windows SharePoint Services
B. Active Directory Rights Management Service Role (AD RMS)
C. Configure Rights Policy Templates
D. Configure Active Directory Security Groups

15. After deploying your WSS 3.0 site, you get a request from management to create a document library for the human resources department. Management has also requested that the human resources department should only be able to view and add content to the site. What level of security permissions should you provide to the human resources group?
A. Owner
B. Visitor
C. Member
D. Administrator

16. You deploy a new WSS 3.0 site in your company intranet. The sales department asks you to create a new web application for this new site. After you create the new web application, users in the sales department report that they cannot access it. What step do you need to perform so that the application is available to your users in the sales department?
A. Manually reset IIS on all servers within your SharePoint farm.
B. Ask users in the sales department to log off and then log on to their workstations.
C. Change permissions on the sales user group to administrator level.
D. Give sales users site owners permissions to the web application.

17. When is an operating system Hyper-V hypervisor aware?
A. Automatically, if you install a Microsoft operating system
B. When you install the VM components
C. After you install the Integration Components
D. When you turn on hypervisor awareness in Hyper-V
18. What types of virtual hard disks can you configure in Hyper-V Manager? (Choose all that apply.)
A. Dynamically expanding
B. Fixed size
C. Differencing
D. Pass-through

19. What statement is correct when you create an internal only virtual network for your virtual machines on a Hyper-V server?
A. The virtual machines can communicate with each other and with the host machine.
B. The virtual machines can communicate with each other only.
C. The virtual machines can communicate with each other, with the host machine, and with the network.
D. The virtual machines cannot communicate with each other.

20. You are an IT administrator for a medium-size company. This company has 250 Vista computers and 15 Windows 2008 Server machines. One of your users puts in a service request stating that he is no longer able to open certain programs or access some functions. When the user logs into another machine, he is able to access the programs and features. He also states that he has been getting a Windows Activation popup from time to time. What would you do to resolve this issue?
A. Check the user’s permissions in Active Directory and assign admin rights to his machine.
B. Scan for viruses.
C. Activate his copy of Windows Vista.
D. Restore the machine from a backup.

21. The CIO of your company informs you that you have 80 machines to replace this year and every year going forward as part of the technology refresh program the company has just adopted. He also informs you that this needs to be done with your current staff and you need to stay within the budgeted hours. The CIO also wants you to find a way to enforce standards because he claims that many of the builds by some of the new technicians are not up to company standards. Your company has 500 Windows XP machines and 10 Windows 2003 Server machines and two newly deployed Windows Server 2008 machines. How can you meet the CIO’s requests?
A. Install an RIS server and use Norton Ghost to create an image to be deployed to the new machines.
B. Install Windows 2008 Server on a machine and install the WDS role. Create images based on the company standards and then use those images to deploy the new machines.
C. Modify the ntuser file to meet the standards of the company. Then include this file in the users’ login script.
D. Have the vendor create a machine that includes all the standards required by the company.
22. To meet your company’s growing demands, you have installed WDS on a Windows Server 2008 machine. This machine is also used for DNS, DHCP, and print services. This WDS install will allow you to deploy images to new computers and servers and provide a tool for the help desk in case they need to reinstall the operating system. Your network administrator has created the proper images and placed them in the image folder. The administrator reports that he is not able to PXE boot into the WDS server. He is sure that the boot and deploy images are configured properly and in the right location. You check the services and they are all running. What could be the issue?
A. Check the DNS server to make sure it’s running.
B. Boot image has not been added to the server.
C. You need to run WDSUTIL /start-server.
D. Change the DHCP port.

23. A failover cluster contains two nodes, and a business requires the cluster’s application to remain active and not have a single point of failure. Which of the following quorum models would work in a two-node failover cluster? (Choose all that apply.)
A. No Majority: Disk Only
B. Node Majority
C. Node and Disk Majority
D. Node and File Share Majority

24. A two-node failover cluster has two clustered services. Each node should have only one clustered service running when both nodes are operational or have returned to operation. Which two options must be configured on each clustered service? (Choose all that apply.)
A. Set the Allow failback option.
B. Set the Prevent failback option.
C. Set each service to have a different preferred owner.
D. Set each resource to attempt restart on the current node.

25. An NLB cluster has three nodes. One of the cluster nodes has fewer hardware resources than the other two nodes and cannot handle as many connections. What would you need to do to reduce the number of connections that the NLB attempts to handle?
A. Change the port rules on each node and set an appropriate load.
B. Change the port rule on the underpowered server and set a higher number for load.
C. Change the port rule on the underpowered server and set a lower number for load.
D. Change the Affinity setting on the underpowered server to be Single.
Answers to Assessment Test
1. B. Using RAID-1 is the only correct option because OS files and boot files cannot reside on RAID-5 disks. Striped and simple volumes are not redundant.

2. D. A round robin configuration uses all available active paths and will distribute I/O in a balanced round robin fashion. Failover only uses primary and standby paths, allowing for link failure. Weighted path assigns requests to the path with the least weight value. Dynamic Least Queue Depth routes requests to the path with the least number of outstanding requests.

3. D. To install an application that does not use an MSI package, you must change the server mode to install mode. After the installation is complete, the server must be placed back in execute mode. A is incorrect because the disable command changes the mode so the user cannot establish a connection to the terminal server. B is incorrect because installing an application from the administrator’s session does not place the server into the correct mode. C is incorrect because the commands are in reversed order.

4. C. Because the original RDP files were created on TSrv1, they will connect only to TSrv1, so new RDP files will have to be created and distributed from TSrv2. Copying or re-creating the RDP files from TSrv1 won’t work because it will not change the connection path for the users. Configuring TS Session Broker Load Balancing won’t work because all the RDP files would have to point to the terminal server farm name.

5. A. To enable Media Player 11 for the remote clients, the Desktop Experience feature must be installed. B and C are incorrect because they involve setting up the Aero desktop for remote desktop sessions. D is incorrect because there is no need for Media Server on the server.

6. B. Per User CALs are available only if the TS license server is a member of a domain.

7. C. If you enable and configure Set time limit for disconnected sessions, a time limit for disconnected sessions will be set, and when the time limit is reached the session will be deleted from the server. The policy is useful to ensure that resources are released on the server. Although option A is possible, it is not the best way to accomplish this task. Restricting the user’s remote session will not remove disconnected sessions. Putting the server in drain mode will not allow users to connect at all.

8. A. The automatic connection requires an SSL connection (TCP port 443) to activate the license server with Microsoft Clearinghouse over the Internet.

9. B. Medium and lower trust levels do not allow access to the Registry, so they would not be suitable levels for this application. High is the first level that allows the required access. Full allows too much access, so it is also not a valid answer.

10. C. The messages are not being delivered because the default setting is to not allow relaying. The sending servers must be added to be allowed to relay. Enabling TLS encryption may secure the SMTP transmission, but it will not affect message delivery. Adding the servers to the exceptions will not allow the servers to communicate with the SMTP server at all. Enabling LDAP routing will allow email address lookups but will not affect delivery of email to the Internet.
11. B. Since the IUSR_ServerName account has permission, Anonymous authentication will keep the server from prompting for credentials.

12. C. The highest configuration number is the latest backup, so that would be the correct backup to restore. The backup set named “Last Backup” would not be correct, as it would have been run manually instead of created when a configuration change was made. When AppCmd add backup is run, it creates a new backup rather than restoring one, so it would also be an incorrect choice.

13. C, D. C and D are correct because multicast streams reduce the impact on the server by producing a single stream that multiple users can connect to, and broadcast publishing only allows the user to play the content. A and B are incorrect because unicast streams would not decrease the load on the server and on-demand publishing is for delivering content that the users can control.

14. B, C. B and C are correct because AD RMS is the role that allows for better control of files, and configuring rights policy templates would reduce the amount of administration needed because it allows the user to apply a preconfigured rights template. A is incorrect because, while SharePoint can control content access, it is not used to limit the amount of time a file is on a user’s computer or can be accessed. D is wrong because Active Directory Security Groups would still have to be administered by the IT staff and wouldn’t reduce the time spent on rights management.

15. C. Options A and D would give the group more than the requested permissions. Option B would not allow the group to add content. Option C would allow them to contribute content.

16. A. Option A is correct because any new applications require an IIS reset before they will be available to the end user. Option B is wrong because it is related to the Active Directory account and not the web application. Options C and D are incorrect because if the problem had been related to permissions, the WSS page that the users saw would have stated that they did not have permission to view this page.

17. C. An operating system running in a virtual machine becomes hypervisor aware once the Hyper-V Integration Components or Services are installed because it will then support using the VMBus.

18. A, B, C, D. All options are correct.

19. A. The virtual machines can communicate with each other and with the host machine. That’s the definition of an internal only network. If they communicate only with each other, that’s called a private virtual network. If the virtual machines can also communicate with the external network, that’s called external. The last option assumes that no virtual network is configured at all, so the virtual machines cannot communicate with each other.

20. C. C is the correct answer because when a Windows Vista product is not activated, it will reduce the functionality of the machine until it is activated. Option A is incorrect because we have no indication that this is related to his user account. B is wrong because there is no solid evidence that this user has a virus. D is incorrect because this would not solve the issue of loss of functions.
21. B. A and D are incorrect because they do not meet the CIO’s request to stay within the budget. C is wrong because it would not reduce the time to install the operating systems. B is correct because it would meet the needs of the CIO.

22. D. When WDS and DHCP are running on the same machine, it causes a conflict. Changing the port in the WDS server properties will resolve the issue. B and C are wrong because the image was added to the server, and running WDSUTIL /start-server will start all the WDS services, but you have already confirmed them as running. Option A is wrong because you have not been informed of any other issues related to DNS.

23. C, D. Node and Disk Majority and Node and File Share Majority both allow for one of the nodes to be offline and still have quorum. Although No Majority: Disk Only allows for a node to be offline, the quorum shared disk is a single point of failure. Since there are only two nodes, both nodes have to be up if only Node Majority were chosen.

24. A, C. The preferred owner would need to be set for each clustered service so that each service would have a different preferred owner. Also, the allow failback option would have to be set to make sure that after a failure has been recovered, the clustered service would automatically fail back to the preferred owner. The prevent failback option would not allow the clustered service to automatically fail back to the preferred owner. Also, setting the resources to attempt to restart on the current node will not ensure that the clustered application is on the preferred node.

25. A. For the load to be changed, each node would need to have compatible load settings. If load was changed on only one of the nodes, convergence would never complete. Also, changing the Affinity setting does not affect the number of connections to a particular node.
Chapter 1
Windows Server 2008 Storage Services

Microsoft Exam Objectives covered in this chapter:
• Configure storage. May include but is not limited to: RAID types, Virtual Disk Specification (VDS) API, Network Attached Storage, iSCSI and fibre channel Storage Area Networks, mount points.
61705c01.indd 1
6/27/08 10:21:44 AM
Disk storage is a requirement for just about every computer and application used in any corporate environment. Administrators have some familiarity with storage, whether it is internal storage, a locally attached set of disks, or network attached storage (NAS). In this chapter, we will examine the various aspects of Windows Server 2008 Storage Services. We’ll discuss the various types of storage technologies, but this chapter will primarily focus on iSCSI because of the new native features in Windows Server 2008. This chapter includes the following main topics:
• Initializing disks
• Dynamic and basic disks
• Volume sets
• RAID types
• Mount points
• Storage technologies (iSCSI, Fibre Channel, NAS)
• Virtual Disk Specification (VDS)
• Storage Manager for SANs
• Storage Explorer
Storage in Windows Server 2008

What type of disks should be used? What type of RAID sets should be made? What type of hardware platform should be purchased? These are all questions that many administrators have to answer when planning for storage in Windows Server 2008. In the following sections, we will attempt to answer these questions so that administrators can make the best decisions for their storage environment. We’ll cover the basics to prepare you to make these decisions when you’re either purchasing or configuring your storage solutions.

Initializing Disks

To begin this section, we must first discuss how to add disk drives to a server. Once a disk drive has been installed, it must be initialized by selecting the type of partition. There are
two types of partition styles used to initialize disks: Master Boot Record (MBR) and GUID Partition Table (GPT). MBR has a partition table that indicates where the partitions are located on the disk drive, and with this particular partition style, only volumes up to two terabytes (1,024 gigabytes) are supported. An MBR drive can have up to four primary partitions or three primary partitions and one extended partition that can be divided into unlimited logical drives. Windows Server 2008 can boot off only an MBR disk unless it is based on the Extensible Firmware Interface (EFI); then it can boot from GPT. An Itanium server is an example of an EFI-based system. GPT is not constrained by the same limitations MBR is. In fact, a GPT disk drive can support volumes of up to 18 exabytes (1 million terabytes) and 128 partitions. As a result, GPT is recommended for disks larger than 2TB or disks used on Itanium-based computers. Exercise 1.1 demonstrates the process of initializing additional disk drives on an active computer running Windows Server 2008.

Exercise 1.1
Initializing Disk Drives

Follow these steps to initialize disk drives:
1. Click Start > Administrative Tools > Server Manager.
2. Click and then expand Storage.
3. Select Disk Management.
4. After disk drives have been installed, right-click Disk Management and select Rescan Disks.
5. A pop-up box appears indicating that the server is scanning for new disks.
6. After the server has completed the scan, the new disk appears as Unknown.
7. Right-click the Unknown disk and select Initialize Disk.
8. A pop-up box appears asking for the partition style. For this exercise, choose MBR.
9. Click OK. The disk will now appear online as a basic disk with unallocated space.
Working with Basic and Dynamic Disks

Windows Server 2008 supports two types of disk configurations: basic and dynamic. Basic disks are divided into partitions and can be used with previous versions of Windows. Dynamic disks are divided into volumes and can be used with Windows 2000 Server and later releases. When a disk is initialized, it is automatically created as a basic disk, but when a new fault-tolerant volume set is created, the disks in the set are converted to dynamic disks. Fault-tolerance features and the ability to modify disks without having to reboot the server are what distinguish dynamic disks from basic disks. A basic disk can simply be converted to a dynamic disk without loss of data. When a basic disk is converted, the partitions are automatically changed to the appropriate volumes. However, converting a dynamic disk back to a basic disk is not as simple. First, all the data on the dynamic disk must be backed up or moved. Then all the volumes on the dynamic disk have to be deleted. The dynamic disk can then be converted to a basic disk. Partitions and logical drives can be created and the data restored.

The following are actions that can be performed on basic disks:
• Format partitions.
• Mark partitions as active.
• Create and delete primary and extended partitions.
• Create and delete logical drives.
• Convert from a basic disk to a dynamic disk.

The following are actions that can be performed on dynamic disks:
• Create and delete simple, striped, spanned, mirrored, or RAID-5 volumes.
• Remove or break a mirrored volume.
• Extend simple or spanned volumes.
• Repair mirrored or RAID-5 volumes.
• Convert from a dynamic disk to basic after deleting all volumes.

In Exercise 1.2, you’ll convert a basic disk to a dynamic disk.
Exercise 1.2
Converting a Basic Disk to a Dynamic Disk

Follow these steps to convert a basic disk to a dynamic disk:
1. Click Start > Administrative Tools > Server Manager.
2. Click and then expand Storage.
3. Select Disk Management.
4. Right-click a basic disk that you want to convert and select Convert to Dynamic Disk.
5. The Convert to Dynamic Disk dialog box appears. From here, select all the disks that you want to convert to dynamic disks. In this exercise, only Disk 2 will be converted.
6. Click OK.
7. The Convert to Dynamic Disk dialog box changes to the Disks to Convert dialog box and shows the disk or disks that will be converted to dynamic disks.
8. Click Convert.
9. Disk Management will warn that if you convert the disk to dynamic, you will not be able to start the installed operating system from any volume on the disk (except the current boot volume).
10. Click Yes. The converted disk will now show as dynamic in Disk Management.
Microsoft recommends using basic disks if you do not require spanned volumes, striped volumes, mirrored volumes, or RAID-5 volume sets.
Working with Volume Sets

A volume set is created from volumes that span multiple drives by using the free space from those drives to construct what will appear to be a single drive. The following list includes the various types of volume sets and their definitions:

Simple volume uses only one disk or a portion of a disk.

Spanned volume is a simple volume that spans multiple disks, with a maximum of 32. Use a spanned volume if the volume needs are too great for a single disk.

Striped volume stores data in stripes across two or more disks. A striped volume gives you fast access to data but is not fault tolerant, nor can it be extended or mirrored. If one disk in the striped set fails, the entire volume fails.

Mirrored volume duplicates data across two disks. This type of volume is fault tolerant because if one drive fails, the data on the other disk is unaffected.

RAID-5 volume stores data in stripes across three or more disks. This type of volume is fault tolerant because if a drive fails, the data can be re-created from the parity on the remaining disk drives. Operating system files and boot files cannot reside on the RAID-5 disks.

Exercise 1.3 illustrates the procedure for creating a volume set.

Exercise 1.3
Creating a Volume Set

Follow these steps to create a volume set:
1. Click Start > Administrative Tools > Server Manager.
2. Click and then expand Storage.
3. Select Disk Management.
4. Select and right-click a disk that has unallocated space. If there are no disk drives available for a particular volume set, that volume set will be grayed out as a selectable option. In this exercise, you’ll choose a spanned volume set, but the process after the volume set selection is the same regardless of which kind you choose. The only thing that differs is the number of disk drives chosen.
5. The Welcome page of the New Spanned Volume Wizard appears and explains the type of volume set chosen. Click Next.
6. The Select Disks page appears. Select the disk that will be included with the volume set and click Add. Repeat this process until all the desired disks have been added. Click Next.
7. The Assign Drive Letter or Path page appears. From here you can select the desired drive letter for the volume, mount the volume in an empty NTFS folder, or choose to not assign a drive letter. The new volume is labeled as E. Click Next.
8. The Format Volume page appears. Choose to format the new volume. Click Next.
9. Click Finish.
10. If the disks have not been converted to dynamic, you will be asked to convert the disks. Click Yes. The new volume will appear as a healthy spanned dynamic volume with the available disk space of the new volume set.
RAID

Built into Windows Server 2008 is the ability to support drive sets and arrays using Redundant Array of Independent Disks (RAID) technology. RAID can be used to enhance data performance, or it can be used to provide fault tolerance to maintain data integrity in case of a hard disk failure. Windows Server 2008 supports three different types of RAID technologies: RAID-0, RAID-1, and RAID-5.

RAID-0 is also known as disk striping. Disk striping is using two or more volumes on independent disks created as a single striped set. There can be a maximum of 32 disks. In a striped set, data is divided into blocks that are distributed sequentially across all the drives in the set. With RAID-0, disk striping, you get very fast read and write performance because multiple blocks of data can be accessed off of multiple drives simultaneously. However, RAID-0 does not offer the ability to maintain data integrity during a single disk failure. In other words, RAID-0 is not fault tolerant; a single disk event will cause the entire striped set to be lost, and it will have to be re-created through some type of recovery process, such as a tape backup.
RAID-1 is also known as disk mirroring. Disk mirroring is two logical volumes on two separate identical disks created as a duplicate disk set. Data is written on two disks at the same time; that way, in the event of a disk failure, data integrity is maintained and available. Although this fault tolerance gives administrators data redundancy, it comes with a price because it diminishes the amount of available storage space by half. For example, if an administrator wants to create a 300GB mirrored set, they would have to install two 300GB hard drives into the server, thus doubling the cost for the same available space.

RAID-5 is also known as disk striping with parity. With disk striping with parity, you use three or more disks (with a maximum of 32) striped across all the disks with an additional block of error-correction called parity, which is used to reconstruct the data in the event of a disk failure. RAID-5 has slower write performance than the other RAID types because the OS must calculate the parity information for each stripe that is written, but the read performance is equivalent to a stripe set, RAID-0, because the parity information is not read. Like RAID-1, RAID-5 comes with additional cost considerations. For every RAID-5 set, roughly an entire hard disk is consumed for storing the parity information. For example, a minimum RAID-5 set requires three hard disks, and if those disks are 300GB each, approximately 600GB of disk space is available to the OS and 300GB is consumed by parity information, which equates to 33.3 percent of the available space. Similarly, in a five-disk RAID-5 set of 300GB disks, approximately 1200GB of disk space is available to the OS, which means that 20 percent of the total available space is consumed by the parity information. The words roughly and approximately are used when calculating disk space because a 300GB disk will really be only about 279GB of space. This is because vendors define a gigabyte as one billion bytes, but the OS defines it as 2^30 (1,073,741,824) bytes. Also remember that file systems and volume managers have overhead as well. Table 1.1 breaks down the various aspects of the supported RAID types in Windows Server 2008.

Table 1.1 Supported RAID Level Properties on Windows Server 2008
61705c01.indd 12
Advantages
Minimum Number of Disks
Maximum Number of Disks
No
Fast reads and writes
2
32
Disk mirroring
Yes
Data redundancy and faster writes than RAID-5
2
2
Disk striping with parity
Yes
Data redundancy with less overhead and faster reads than RAID-1
3
32
RAID Level
RAID Type
Fault Tolerant
0
Disk s triping
1
5
6/27/08 10:21:47 AM
Storage in Windows Server 2008
13
RAID-1 total available disk space is calculated by taking one half of the sum of both disks in the disk set, and RAID-5 total available disk space is calculated by subtracting the space of one entire disk from the sum of all the disks in the disk set.
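The capacity rules above, applied in code as an added worked example (this is not code from the study guide): it computes the usable space for each software RAID level Windows Server 2008 supports, checks the disk count against the limits in Table 1.1, and shows both the vendor figure and the figure Disk Management will report, so the 300GB-versus-279GB discrepancy is visible rather than surprising. The 300GB disk sizes used in the demonstration are sample values.

```python
"""Usable capacity of Windows Server 2008 software RAID volumes.

Added example, not code from the study guide. It applies the rules the text
gives: RAID-0 uses every disk, RAID-1 keeps one disk's worth, RAID-5 gives up
one disk's worth to parity, and a vendor "300GB" disk holds 300 * 10**9 bytes
that the OS reports in 2**30-byte units. Disk counts are checked against the
limits in Table 1.1.
"""

VENDOR_GB = 10**9      # how disk vendors define a gigabyte
OS_GB = 2**30          # how Disk Management reports a gigabyte

# RAID level -> (minimum disks, maximum disks), from Table 1.1
DISK_LIMITS = {0: (2, 32), 1: (2, 2), 5: (3, 32)}


def usable_bytes(level, disk_count, disk_bytes):
    """Bytes available to the OS from disk_count equal-sized disks."""
    if level not in DISK_LIMITS:
        raise ValueError(f"RAID-{level} is not a Windows Server 2008 software RAID level")
    low, high = DISK_LIMITS[level]
    if not low <= disk_count <= high:
        raise ValueError(f"RAID-{level} needs between {low} and {high} disks, got {disk_count}")
    if level == 0:
        return disk_count * disk_bytes          # striping: no redundancy
    if level == 1:
        return disk_bytes                       # mirroring: half of the two-disk total
    return (disk_count - 1) * disk_bytes        # striping with parity: one disk's worth lost


def redundancy_overhead(level, disk_count):
    """Fraction of raw capacity spent on redundancy (0.0 for RAID-0)."""
    raw = disk_count * VENDOR_GB
    return 1 - usable_bytes(level, disk_count, VENDOR_GB) / raw


def plan(level, disk_count, vendor_gb):
    """Summarise a RAID set built from disk_count disks sold as vendor_gb each.

    Returns the vendor-style usable GB, the figure Disk Management will show,
    and the share of raw space lost to mirroring or parity, rounded to 0.1.
    """
    usable = usable_bytes(level, disk_count, vendor_gb * VENDOR_GB)
    return {
        "usable_vendor_gb": round(usable / VENDOR_GB, 1),
        "usable_os_gb": round(usable / OS_GB, 1),
        "overhead_percent": round(100 * redundancy_overhead(level, disk_count), 1),
    }


if __name__ == "__main__":
    # sample sizes, matching the worked figures in the text
    for level, count in ((1, 2), (5, 3), (5, 5)):
        print(f"RAID-{level} with {count} x 300GB disks:", plan(level, count, 300))
```

Run as a script it prints the three sets worked in the text; a 300GB mirror reports about 279.4GB and a three-disk RAID-5 of 300GB disks about 558.8GB in Disk Management, which is worth remembering when a volume looks smaller than the purchase order.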
Creating RAID Sets

Now that you understand the fundamental concepts of RAID sets and how to use them, we can look at creating them in Windows Server 2008. The process of creating a RAID set is the same as the process for creating a simple or spanned volume except for the minimum disk requirement of each RAID type. Creating a mirrored volume follows the steps in Exercise 1.3, except that you select New Mirrored Volume in the fourth step. The difference appears once the Select Disks page of the wizard opens. Because a mirrored volume requires two disks, the Next button stays unavailable while only one disk has been selected. Figure 1.1 shows the Select Disks page of the New Mirrored Volume Wizard at this point; notice that the Next button is not available.

Figure 1.1 Select Disks page of the New Mirrored Volume Wizard
To complete the process, you must select a second disk by highlighting the appropriate disk and adding it to the volume set. Once the second disk has been added, the Add button becomes unavailable and the Next button is available to complete the mirrored volume set creation (see Figure 1.2).
Figure 1.2 Adding the second disk to complete a mirrored volume set
After you click Next, the rest of the mirrored volume creation is the same as steps 7 through 11 in Exercise 1.3: a drive letter must be assigned and the volume must be formatted. The new mirrored volume then appears in Disk Management. In Figure 1.3, notice that the capacity of the volume equals that of one disk even though two disks were selected.

Figure 1.3 Newly created mirrored volume set
To create a RAID-5 volume set, you use the same process you use to create a mirrored volume set. The only difference is that a RAID-5 volume set requires that a minimum of three disks be selected to complete the volume creation. The process is simple: Select New RAID-5 Volume and then select the three disks that will be used in the volume set. Assign a drive letter and format the volume. Figure 1.4 shows a newly created RAID-5 volume set in Disk Management.

Figure 1.4 Newly created RAID-5 volume set
Mount Points

With ever-increasing demands for storage, mount points are used to get past the limit of 26 drive letters and to attach a volume to a folder on a separate physical disk. A mount point lets you configure a volume to be accessed through a folder on another existing volume. Through Disk Management, a mount point folder can be assigned to a volume instead of a drive letter, and mount points can be used on basic or dynamic volumes that are formatted with NTFS. However, mount point folders can be created only on empty folders within an NTFS volume. Additionally, a mount point folder path cannot be modified once it has been created; it can only be removed. Exercise 1.4 shows the steps to create a mount point.
Exercise 1.4 Creating Mount Points

Follow these steps to create a mount point:
1. Click Start > Administrative Tools > Server Manager.
2. Click and then expand Storage.
3. Select Disk Management.
4. Right-click the volume where the mount point folder will be assigned and select Change Drive Letter and Paths.
5. Click Add.
6. Either type the path to an empty folder on an NTFS volume or click Browse to select or create a new folder for the mount point.

When you explore the drive, you will see the new folder. Notice that its icon indicates that it is a mount point.
Microsoft MPIO (Multipath I/O)

Multipath I/O (MPIO) is a high-availability feature that lets a computer use redundant physical paths to a storage device. If one path fails, an application keeps running because its data can still be reached over another path. The MPIO software provides the functionality the computer needs to take advantage of the redundant storage paths, and an MPIO solution can also spread I/O across the paths to the storage device, reducing bandwidth bottlenecks between the computer and the storage. What makes this possible in Windows Server 2008 is the new native Microsoft Device Specific Module (Microsoft DSM), a driver that communicates with iSCSI, Fibre Channel, or SAS storage devices and applies the chosen load-balancing policy. Windows Server 2008 supports the following load-balancing policies:

Failover: There is no load balancing. One primary path carries all requests and the remaining paths are standby paths. If the primary path fails, one of the standby paths takes over.

Failback: Similar to failover in that there are primary and standby paths, but you designate a preferred path that handles all requests until it fails. A standby path then becomes active, and when the preferred path reestablishes its connection it automatically regains control.

Round robin: All available paths are active, and I/O is distributed across them in turn in a balanced round robin fashion.

Round robin with a subset of paths: One set of paths is designated as the primary set and another as the standby set. All I/O uses the primary paths in round robin fashion until every path in the primary set has failed; only then do the standby paths become active.

Dynamic Least Queue Depth: Each I/O is routed to the path with the fewest outstanding requests.

Weighted path: Each path is assigned a numeric weight, and I/O requests use the available path with the lowest weight. The higher the number, the lower the priority.

Exercise 1.5 demonstrates the process of installing the Microsoft MPIO feature on Windows Server 2008.

Exercise 1.5 Installing Microsoft MPIO

Follow these steps to install Microsoft MPIO:

1. Click Start > Administrative Tools > Server Manager.
2. Right-click Features and select Add Features.
3. In the Add Features Wizard, check Multipath I/O and click Next.
4. On the Confirm Installation Selections page, verify that Multipath I/O is the feature that will be installed. Click Install.
5. After the installation completes, the Installation Results page appears stating that the server must be rebooted to finish the installation process.
6. Click Close.
7. Click Yes to restart.
8. After the restart, the installation will resume. Once it is complete, click Close.
9. To open MPIO, click Start > Administrative Tools > MPIO.
Typically, most storage arrays work with the Microsoft DSM. However, some hardware vendors require DSM software that is specific to their products. Third-party DSM software is installed through the MPIO utility:

1. Click Start > Administrative Tools > MPIO.
2. Select the DSM Install tab (Figure 1.5).
3. Add the path of the INF file and click Install.
Figure 1.5 The DSM Install tab on the MPIO Properties dialog box
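The MPIO load-balancing policies described above, as an added simulation (this is not code from the study guide, nor the Microsoft DSM): each policy is implemented from its description so the six can be compared on the same set of paths, including what happens when a path fails and comes back. It is the failover-versus-failback distinction that trips people up in practice, so that pair is the one the script runs. The path names, weights and queue depths are constructed sample data.

```python
"""Path-selection behaviour of the Windows Server 2008 MPIO policies.

Added example, not code from the study guide or from the Microsoft DSM. Each
policy is implemented as the text describes it so its behaviour can be
compared on the same set of paths; path names, weights and queue depths are
constructed sample data, and a real DSM tracks far more state than this.
"""
from dataclasses import dataclass


@dataclass
class Path:
    name: str
    up: bool = True
    standby: bool = False      # round robin with subset: member of the standby set
    weight: int = 0            # weighted path: lower number = higher priority
    outstanding: int = 0       # dynamic least queue depth: I/Os in flight


class Multipath:
    POLICIES = ("failover", "failback", "round_robin", "round_robin_subset",
                "least_queue_depth", "weighted")

    def __init__(self, paths, policy, preferred=None):
        if policy not in self.POLICIES:
            raise ValueError(f"unknown policy {policy!r}")
        self.paths = list(paths)
        self.policy = policy
        self.preferred = preferred   # failback: name of the preferred path
        self.active = None           # failover/failback: path currently carrying I/O
        self._cursor = 0             # round robin position

    def select(self):
        """Return the Path the next I/O should use, or None if every path is down."""
        up = [p for p in self.paths if p.up]
        if not up:
            self.active = None
            return None
        if self.policy == "failover":
            # stay on the current path until it fails; never move back on its own
            if self.active is None or not self.active.up:
                self.active = up[0]
            return self.active
        if self.policy == "failback":
            preferred = next((p for p in up if p.name == self.preferred), None)
            if preferred is not None:
                self.active = preferred          # preferred path regains control
            elif self.active is None or not self.active.up:
                self.active = up[0]
            return self.active
        if self.policy == "round_robin":
            return self._rotate(up)
        if self.policy == "round_robin_subset":
            primary = [p for p in up if not p.standby]
            # standby paths are used only once the whole primary set has failed
            return self._rotate(primary if primary else up)
        if self.policy == "least_queue_depth":
            return min(up, key=lambda p: p.outstanding)
        # weighted: lowest weight wins; ties go to list order
        return min(up, key=lambda p: p.weight)

    def _rotate(self, candidates):
        path = candidates[self._cursor % len(candidates)]
        self._cursor += 1
        return path

    def route(self, count):
        """Dispatch count I/Os and return the path name chosen for each."""
        chosen = []
        for _ in range(count):
            path = self.select()
            if path is None:
                chosen.append(None)
                continue
            path.outstanding += 1     # completions are not simulated here
            chosen.append(path.name)
        return chosen


if __name__ == "__main__":
    a, b = Path("A"), Path("B")
    mp = Multipath([a, b], "failback", preferred="A")
    print(mp.route(2))           # preferred path A carries the I/O
    a.up = False
    print(mp.route(2))           # B takes over while A is down
    a.up = True
    print(mp.route(2))           # failback returns to A; failover would stay on B
```

One design point worth noting: under failover the I/O stays on the standby path after the original path recovers, so a single flapping link can leave a server permanently on its secondary path without any alert; failback, or an explicit check of the active path, is what brings it home.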
iSCSI

Internet Small Computer System Interface (iSCSI) is an interconnect protocol that establishes and manages a connection between a computer (the initiator) and a storage device (the target) over an existing IP network, using TCP port 3260, which allows it to be used over a LAN, a WAN, or the Internet. Each initiator and each target is identified by an iSCSI Qualified Name (iqn), and the initiator's iqn is used when it establishes its connection to a target. iSCSI was developed to provide block-level access to a storage device over a network, unlike a Network Attached Storage (NAS) device, which is reached at the file level through Common Internet File System (CIFS) or Network File System (NFS). Block-level access matters to applications that need direct access to storage, such as Microsoft Exchange and Microsoft SQL Server. Because it runs over the existing network infrastructure, iSCSI was also developed as an alternative to Fibre Channel that avoids the additional hardware cost of a Fibre Channel storage solution. iSCSI has a further advantage over Fibre Channel in that it can secure access to the storage devices with Challenge Handshake Authentication Protocol (CHAP) for authentication and Internet Protocol security (IPsec) for encryption. Note that CHAP only authenticates the session; unless IPsec is also configured, the data itself crosses the network in the clear. Windows Server 2008 can connect to an iSCSI storage device out of the box with no additional software to download, because the Microsoft iSCSI initiator is built into the operating system. Windows Server 2008 supports two ways to initiate an iSCSI session:

- Through the native Microsoft iSCSI software initiator that is part of Windows Server 2008.
- Through a hardware iSCSI host bus adapter (HBA) installed in the computer.
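The CHAP authentication mentioned above, as an added worked example (not code from the study guide or from the Microsoft iSCSI initiator): it runs a one-way CHAP login as the target and initiator exchange it, following RFC 1994 (MD5 CHAP) and the CHAP_A, CHAP_I, CHAP_C, CHAP_N and CHAP_R keys iSCSI carries in its login negotiation (RFC 3720), and then shows what a sniffer on the same network can do with the captured exchange. The iqn names, secrets and candidate wordlist are constructed sample values; the 12-to-16-byte secret length enforced below is the Microsoft iSCSI initiator's requirement for CHAP secrets.

```python
"""One-way iSCSI CHAP login and what a network sniffer learns from it.

Added example, not code from the study guide or from the Microsoft iSCSI
initiator. It follows RFC 1994 (CHAP with MD5) and the CHAP_A/CHAP_I/CHAP_C/
CHAP_N/CHAP_R keys iSCSI uses in its login negotiation (RFC 3720). The iqn
names, secrets and wordlist below are constructed sample values.
"""
import hashlib
import hmac
import os


def validate_secret(secret: bytes) -> bytes:
    # The Microsoft iSCSI initiator requires CHAP secrets of 12 to 16 bytes.
    if not 12 <= len(secret) <= 16:
        raise ValueError("CHAP secret must be 12 to 16 bytes")
    return secret


def chap_response(chap_i: int, secret: bytes, chap_c: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    if not 0 <= chap_i <= 255:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([chap_i]) + secret + chap_c).digest()


class Target:
    """The storage target: knows each initiator's secret and issues challenges."""

    def __init__(self, secrets):
        self.secrets = {iqn: validate_secret(s) for iqn, s in secrets.items()}
        self.chap_i = None
        self.chap_c = None

    def challenge(self):
        self.chap_i = os.urandom(1)[0]          # fresh identifier ...
        self.chap_c = os.urandom(16)            # ... and fresh random challenge per login
        return self.chap_i, self.chap_c

    def verify(self, chap_n: str, chap_r: bytes) -> bool:
        secret = self.secrets.get(chap_n)
        if secret is None or self.chap_c is None:
            return False
        expected = chap_response(self.chap_i, secret, self.chap_c)
        return hmac.compare_digest(expected, chap_r)   # constant-time comparison


def login(initiator_iqn: str, secret: bytes, target: Target):
    """Run the exchange; return the key=value text each side sent and the result."""
    from_initiator = ["CHAP_A=5"]                    # initiator proposes MD5 CHAP
    chap_i, chap_c = target.challenge()
    from_target = ["CHAP_A=5", f"CHAP_I={chap_i}", f"CHAP_C=0x{chap_c.hex()}"]
    chap_r = chap_response(chap_i, secret, chap_c)    # the secret itself never leaves the host
    from_initiator += [f"CHAP_N={initiator_iqn}", f"CHAP_R=0x{chap_r.hex()}"]
    return from_initiator, from_target, target.verify(initiator_iqn, chap_r)


def offline_guess(captured_target, captured_initiator, candidates):
    """What an eavesdropper can do with the two captured message lists: test
    candidate secrets offline, with no further contact with the target. This is
    why CHAP on its own only keeps the secret off the wire; it does not keep a
    weak secret safe, and it encrypts nothing."""
    kv = dict(item.split("=", 1) for item in captured_target + captured_initiator)
    chap_i = int(kv["CHAP_I"])
    chap_c = bytes.fromhex(kv["CHAP_C"][2:])
    chap_r = bytes.fromhex(kv["CHAP_R"][2:])
    for cand in candidates:
        if chap_response(chap_i, cand, chap_c) == chap_r:
            return cand
    return None


if __name__ == "__main__":
    iqn = "iqn.2008-06.com.example:host1"             # sample initiator name
    t = Target({iqn: b"Secret12Chars!"})
    ini, tgt, ok = login(iqn, b"Secret12Chars!", t)
    print("\n".join(ini + tgt), "\nauthenticated:", ok)
    print("recovered offline:", offline_guess(tgt, ini, [b"password1234", b"Secret12Chars!"]))
```

The Microsoft initiator also supports mutual CHAP, in which the initiator challenges the target the same way so that a rogue target cannot simply accept any response; that direction is not shown here. The offline_guess function is the reason the text pairs CHAP with IPsec: a captured exchange can be attacked at full speed with no lockout, so the secret must be random rather than a word, and the wire should be protected.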
Both the Microsoft iSCSI software initiator and an iSCSI HBA present an iSCSI Qualified Name (iqn) that identifies the host initiator. With the Microsoft iSCSI software initiator, CPU utilization may be as much as 30 percent higher than on a computer with a hardware iSCSI HBA, because all of the iSCSI processing is handled within the operating system. A hardware iSCSI HBA offloads that processing to the adapter, removing the CPU overhead associated with the software initiator. However, iSCSI HBAs can be expensive, whereas the Microsoft iSCSI software initiator is free. It is worthwhile to install the software initiator and perform load testing to measure the overhead before purchasing one or more iSCSI HBAs (the number depends on the required level of redundancy). Exercise 1.6 explains how to configure an iSCSI connection.

Exercise 1.6 Configuring an iSCSI Storage Connection

Follow these steps to configure an iSCSI storage connection:

1. Click Start > Administrative Tools > iSCSI Initiator.
2. Click the Discovery tab.
3. In the Target Portals portion of the tab, click Add Portal.
4. Enter the IP address of the target portal and click OK.
5. The IP address of the target portal appears in the Target Portals box.
6. Select the Targets tab and click Refresh. The iqn of the target appears. Notice that the target's status is Inactive.
7. Select the iqn and click Log On.
8. Check Automatically Restore This Connection When the Computer Starts. Do not check Enable Multi-Path. Remember, select Enable Multi-Path only if the iSCSI multipath software has already been installed; refer to Exercise 1.5 for details on installing the MPIO feature on Windows Server 2008.
9. Click OK.
Notice that the target’s status has now changed to Connected.
To use the storage that has now been presented to the server, you must create a volume on it and format the space. Refer to Exercise 1.3 to review this process.
Internet Storage Name Service (iSNS)

Internet Storage Name Service (iSNS) provides central registration for an iSCSI environment and automatically discovers the targets available on the network; its purpose is to help initiators find targets on a large iSCSI network. The Microsoft iSCSI initiator includes an iSNS client that registers with the iSNS server. The iSNS server maintains a database of the initiators and targets that have registered with it, whether they found the server through DHCP or were configured manually. iSNS DHCP is available after the service is installed and lets iSNS clients discover the location of the iSNS server. If iSNS DHCP is not configured, the iSNS server must be added to each client manually with the iscsicli command: open a command prompt on a computer running the Microsoft iSCSI initiator and type iscsicli addisnsserver <servername>, where <servername> is the name of the computer hosting iSNS. Exercise 1.7 walks through the steps to install the iSNS feature on Windows Server 2008.
Exercise 1.7 Installing the iSNS Feature on Windows Server 2008

Follow these steps to install the iSNS feature on Windows Server 2008:
1. Click Start > Administrative Tools > Server Manager.
2. Right-click Features and select Add Features.
3. In the Add Features Wizard, check Internet Storage Name Server and click Next.
4. On the Confirm Installation Selections page, verify that Internet Storage Name Server is the feature that will be installed. Click Install.
5. After the installation completes and the Installation Results page appears, verify that the installation was successful and click Close.
6. Launch iSNS Server by clicking Start > Administrative Tools > iSNS Server.
7. Click the General tab. This tab displays the list of registered initiators and targets. In addition to their iSCSI Qualified Name (iqn), it lists storage node type (Target or Initiator), alias string, and entity identifier (the Fully Qualified Domain Name (FQDN) of the machine hosting the iSNS client).
8. Click the Discovery Domains tab. The purpose of discovery domains is to provide a way to separate and group nodes, much like zoning in Fibre Channel. The following options are available on the Discovery Domains tab:

Create: Creates a new discovery domain.
Refresh: Repopulates the Discovery Domain drop-down list.
Delete: Deletes the currently selected discovery domain.
Add: Adds nodes that are already registered in iSNS to the currently selected discovery domain.
Add New: Adds nodes by entering the iSCSI Qualified Name (iqn) of the node. These nodes do not have to be currently registered.
Remove: Removes the selected nodes from the discovery domain.
9. Click the Discovery Domain Sets tab. The purpose of discovery domain sets is to group discovery domains. A discovery domain set can be enabled or disabled, which gives administrators a further way to restrict which initiators and targets can see one another. The options on the Discovery Domain Sets tab are as follows:

Enable: A check box that shows the status of the selected discovery domain set and turns it on or off.
Create: Creates a new discovery domain set.
Refresh: Repopulates the Discovery Domain Sets drop-down list.
Delete: Deletes the currently selected discovery domain set.
Add: Adds discovery domains to the currently selected discovery domain set.
Remove: Removes the selected discovery domains from the discovery domain set.
Fibre Channel

Fibre Channel storage devices are similar to iSCSI storage devices in that both allow block-level access to their data and both can provide MPIO policies with the proper hardware configuration. However, Fibre Channel requires a Fibre Channel HBA, fibre-optic cables, and Fibre Channel switches to connect to a storage device. Each Fibre Channel HBA, on the host and on the storage device, has a World Wide Name (WWN) that the two use to communicate directly with each other, much as a NIC is identified by its MAC address. In other words, a logical unit number (LUN) is presented by a Fibre Channel storage device to the WWN of the host's HBA. Fibre Channel has been the preferred storage method because of the bandwidth available between the storage and the host: Fibre Channel devices support 1Gb/s, 2Gb/s, and 4Gb/s connections and will soon support 8Gb/s. Now that 10Gb/s Ethernet networks are becoming more prevalent in datacenters, iSCSI can be a suitable alternative, although 10Gb/s network switches can be more expensive than comparable Fibre Channel switches.
Network Attached Storage (NAS)

A Network Attached Storage (NAS) device is a low-cost appliance for storing data and serving files over an Ethernet LAN connection. A NAS device provides access to data at the file level through a protocol such as NFS, CIFS, or even HTTP, which is very different from iSCSI or Fibre Channel (FC) storage devices, which provide access at the block level. NAS devices are best suited to file-storage applications, and they do not require a storage expert to install and maintain. In most cases, the only setup required is an IP address and an Ethernet connection.
Managing SANs

In the following sections, we will discuss the tools in Windows Server 2008 that help manage the various aspects of storage: Storage Manager for SANs (SMfS) and Storage Explorer. These tools are used independently of one another, but both provide a powerful, centralized interface for administering a storage environment. Storage Manager for SANs manages the physical storage arrays, whereas Storage Explorer views and manages the Fibre Channel and iSCSI connections available in the environment.
Virtual Disk Service (VDS)

Virtual Disk Service (VDS) was created to ease the administration of the many types of storage devices. Storage hardware vendors used their own applications for installation and management, which made administering all of these devices very cumbersome. VDS is a set of application programming interfaces (APIs) that provide a centralized interface for managing storage devices. The native VDS API manages disks and volumes at the OS level, and hardware-vendor-supplied APIs manage the storage devices at the RAID level; these are known as software providers and hardware providers. A software provider is host based, interacts with the Plug and Play Manager as each disk is discovered, and operates on volumes, disks, and disk partitions. VDS includes two software providers, basic and dynamic: the basic software provider manages basic disks, which have no fault tolerance, and the dynamic software provider manages dynamic disks, which support fault-tolerant volumes. A hardware provider translates the VDS APIs into instructions specific to the storage hardware. This is how storage management applications communicate with storage hardware to create LUNs, or with Fibre Channel HBAs to read their WWNs. The following Windows Server 2008 storage management applications use VDS:

Disk Management snap-in: This application configures and manages the disk drives on the host computer. You have already seen it in use when you initialized disks and created volume sets.
DiskPart: DiskPart is a command-line utility that configures and manages disks, volumes, and partitions on the host computer. It can also be used to script many storage management commands. DiskPart is a very robust tool and should be studied on your own because it is beyond the scope of this book. Figure 1.6 shows the various DiskPart commands and their functions.

Figure 1.6 DiskPart commands
DiskRAID: DiskRAID is also a scriptable command-line utility; it configures and manages hardware RAID storage systems. However, at least one VDS hardware provider must be installed for DiskRAID to be functional. DiskRAID is another useful utility and should be studied on your own because it is beyond the scope of this book.

Storage Manager for SANs: Storage Manager for SANs is a graphical user interface utility used to manage SANs. It is discussed further in the following section.
Storage Manager for SANs (SMfS)

Storage Manager for SANs is a utility used to create and manage LUNs on Fibre Channel and iSCSI storage arrays that support Virtual Disk Service (VDS). A LUN is similar to a volume in that it is a logical representation of a disk drive that is part of a storage array. Storage Manager for SANs simplifies the management of these resources in a SAN environment because it is a centralized location where LUNs can be assigned
access and control privileges even though Fibre Channel and iSCSI use different types of hardware and network protocols. To use Storage Manager for SANs, you must make sure the server and the storage array meet the following requirements:

- The server must have the Storage Manager for SANs feature installed.
- The storage array must support VDS.
- The VDS hardware provider's software for the storage array must be installed on the server.
- The storage array must be directly attached or accessible over the network.
- To manage an iSCSI array through Storage Manager for SANs, you must install an iSCSI initiator on the server.
Exercise 1.8 demonstrates the procedure for installing the Storage Manager for SANs feature on Windows Server 2008.

Exercise 1.8 Installing Storage Manager for SANs

Follow these steps to install Storage Manager for SANs:

1. Click Start > Administrative Tools > Server Manager.
2. Right-click Features and select Add Features.
3. In the Add Features Wizard, check Storage Manager for SANs and click Next.
4. On the Confirm Installation Selections page, verify that Storage Manager for SANs is the feature that will be installed. Click Install.
5. After the installation, when the Installation Results page appears, verify that the installation was successful and click Close.
6. To launch Storage Manager for SANs, click Start > Administrative Tools > Storage Manager for SANs.
When you open Storage Manager for SANs, you will notice three main sections: LUN Management, Subsystems, and Drives. All tasks are performed within these three sections. In the LUN Management section, the following tasks can be performed:

- View information about the LUNs on your Fibre Channel and iSCSI storage systems.
- Create, rename, extend, delete, assign, and unassign LUNs.
- Add servers to your SAN and enable HBAs and iSCSI initiators.
- Create, remove, and configure security settings and log on to iSCSI targets.
In the Subsystems section, the following tasks can be performed:

- View information about the storage systems that have been discovered by VDS.
- Rename a storage system.

In the Drives section, the following tasks can be performed:

- View information about the disk drives in the storage systems that have been discovered.
- Make a drive light blink.
Storage Explorer

Storage Explorer is used by administrators to view and manage the Fibre Channel and iSCSI fabrics available in the environment. The Storage Explorer interface provides a tree-structured view of the components, using APIs to collect data about the storage devices. The following detailed information can be found in Storage Explorer:

- HBA information
- Fibre Channel switches
- iSCSI initiators
- iSCSI targets

An administrator can also perform various iSCSI-related tasks from Storage Explorer:

- Log on to iSCSI targets.
- Configure iSCSI security.
- Add iSCSI target portals.
- Add iSNS servers.
- Manage discovery domains.
- Manage discovery domain sets.

Figure 1.7 shows the Storage Explorer interface with an iSCSI initiator selected and also illustrates the management options that are available.
Figure 1.7 Storage Explorer interface
Summary

In this chapter, we examined the various aspects of Windows Server 2008 Storage Services, the various types of storage technologies, and the native Windows Server 2008 storage management tools. We started the chapter with initializing disks and choosing a partition style, MBR or GPT. We then discussed the two disk configurations supported in Windows Server 2008, basic and dynamic, and the properties associated with each. Then we discussed the different types of RAID and the properties of each. The next section explored the storage technologies iSCSI, Fibre Channel, and NAS. We focused primarily on iSCSI because of its native support in Windows Server 2008; you learned how to configure the iSCSI initiator and a connection to an iSCSI target. After that we looked at the iSNS server and how to configure it. We concluded the chapter with Storage Manager for SANs and Storage Explorer, the storage management tools built into Windows Server 2008.
Exam Essentials

Know the disk types. Know how to initialize disks and which partition style to choose. Also know the difference between dynamic and basic disks and when to use each.

Understand what RAID is and how it works. Know the various RAID types, the requirements for each, and when it is appropriate to use each type.

Know the storage technologies. Understand how to use Fibre Channel, iSCSI, and NAS. Know how to configure an iSCSI initiator and how to establish a connection to a target. Know the various MPIO policies.

Know how to manage storage. Know what administrative features are available in Storage Manager for SANs and Storage Explorer.
Review Questions

1. What are the supported RAID types in Windows Server 2008? (Choose three.)
   A. RAID-5   B. RAID-1   C. RAID-0   D. RAID-1+0

2. What type of MPIO policy allows load balancing across multiple active paths?
   A. Failover   B. Round robin   C. Dynamic Least Queue Depth   D. Weighted path

3. What is the minimum number of disks required in a RAID-5 set?
   A. One   B. Two   C. Three   D. Four

4. What is the minimum number of disks required in a RAID-1 set?
   A. One   B. Two   C. Three   D. Four

5. What is the default TCP port for iSCSI?
   A. 3389   B. 1433   C. 21   D. 3260

6. What is the largest partition size available for MBR?
   A. 1TB   B. 2TB   C. 3TB   D. 4TB
7. How many primary partitions can be made on a disk drive with MBR?
   A. One   B. Two   C. Three   D. Four

8. Which of the following names/terms identifies a Fibre Channel HBA?
   A. WWN   B. iqn   C. UNC   D. MAC

9. True/False: A basic disk can be configured in a RAID-5 volume set.
   A. True   B. False

10. Five 100GB disk drives are used in a RAID-5 set. Approximately how much disk space is available?
   A. 200GB   B. 100GB   C. 500GB   D. 400GB   E. 300GB

11. Calculate the available disk space on a RAID-1 set using 100GB disk drives.
   A. 200GB   B. 100GB   C. 500GB   D. 400GB   E. 300GB

12. If an administrator would like to create a LUN on a storage device, what management tool would they use?
   A. Storage Explorer   B. MPIO   C. Storage Manager for SANs   D. iSCSI initiator
13. Which of the following is an alternative term used for RAID-0?
   A. Disk striping   B. Disk striping with parity   C. Disk mirroring   D. Disk mirroring in a striped set

14. True/False: A computer with the Microsoft iSCSI software initiator has less CPU overhead than a computer using an iSCSI HBA.
   A. True   B. False

15. Which of the following management tools is used to log off of a current iSCSI connection?
   A. MPIO   B. iSNS   C. iSCSI initiator   D. Storage Manager for SANs

16. True/False: VDS is a set of APIs that provide a centralized interface for managing all the various storage devices.
   A. True   B. False

17. What command would be used to manually register an iSCSI initiator with an iSNS server?
   A. iscsicli refreshisnsserver <servername>   B. iscsicli listisnsservers <servername>   C. iscsicli removeisnsserver <servername>   D. iscsicli addisnsserver <servername>

18. True/False: Mount points are assigned drive letters.
   A. True   B. False

19. Each iSCSI initiator and target must have a unique name. What is the designation of this name?
   A. WWN   B. MAC   C. iqn   D. SCSI ID

20. True/False: The Microsoft iSCSI initiator does not have built-in security features.
   A. True   B. False
Answers to Review Questions

1. A, B, C. Windows Server 2008 supports only software RAID levels 0, 1, and 5. Other types of RAID, such as RAID-1+0, are available with hardware RAID controllers.

2. B. Round robin uses all available paths and all paths will be active. Failover, Dynamic Least Queue Depth, and weighted path will not load-balance across the paths.

3. C. The minimum number of disks required in a RAID-5 set is three.

4. B. The minimum number of disks required in a RAID-1 set is two.

5. D. The iSCSI default port is TCP 3260. Port 3389 is used for RDP, port 1433 is used for MS SQL, and port 21 is used for FTP.

6. B. The largest partition available with MBR is 2 terabytes.

7. D. MBR supports only four primary partitions, but the fourth partition can be made into an extended partition, in which many logical partitions can be created.

8. A. Fibre Channel HBAs use the WWN (World Wide Name) to distinguish themselves from other HBAs in a Fibre Channel fabric. An iqn is used by iSCSI initiators to identify themselves. MAC addresses are used with NICs. A UNC (Universal Naming Convention) path is used to designate file locations on a network.

9. B. When you create a RAID-5 volume set, a basic disk is converted into a dynamic disk.

10. D. To calculate RAID-5 disk space, add the total space across all disks and subtract the space of one disk. In this case, 500 - 100 = 400.

11. B. A RAID-1 set uses only two disks, and the available disk space equals that of one of the disks.

12. C. Storage Manager for SANs is used to manage the actual storage devices. Storage Explorer is used to manage the fabric. MPIO is used to manage the multipath software. The iSCSI initiator is used to configure the host's iSCSI settings.

13. A. RAID-0 is disk striping. RAID-5 is disk striping with parity. RAID-1 is disk mirroring. RAID-1+0 is disk mirroring in a striped set.

14. B. A computer uses an iSCSI HBA to offload the iSCSI processing to the card so that it does not consume extra CPU cycles.

15. C. The iSCSI initiator is used to log on to and off of iSCSI connections. iSNS is used to register iSCSI initiators. MPIO is used to manage the multipath software. Storage Manager for SANs is used to manage storage devices.

16. A. VDS is used in conjunction with Storage Manager for SANs to manage storage devices.
61705c01.indd 38
6/27/08 10:21:50 AM
Answers to Review Questions
39
17. D. The iscsicli addisnsserver <servername> command manually registers the host server to an iSNS server. refreshisnsserver refreshes the list of available servers. removeisnsserver removes the host from the iSNS server. listisnsservers lists the available iSNS servers. 18. B. The purpose of a mount point is to logically assign a path to an existing drive without using a drive letter. 19. C. The iqn (iSCSI Qualified Name) applies to all iSCSI HBAs and the Microsoft iSCSI software initiator. MACs are associated with NICs, and WWN names are associated with FC HBAs. 20. B. The Microsoft iSCSI initiator supports both CHAP and IPSec.
Chapter 2
Exploring Terminal Services in Windows Server 2008

Microsoft Exam Objectives covered in this chapter:
• Configure Terminal Services client connections. May include but is not limited to: connecting local devices and resources to a session, Terminal Services profiles, Terminal Services home folders, Remote Desktop Connection (RDC), single sign-on, Remote Desktop SnapIn, MSTSC.exe
• Configure Windows Server 2008 Terminal Services RemoteApp (TS RemoteApp). May include but is not limited to: configuring Terminal Services Web Access, configuring Terminal Services Remote Desktop Web Connection
• Configure Terminal Services Gateway. May include but is not limited to: certificate configuration, Terminal Services Gateway Manager (TS Gateway Manager), specifying resources that users can access through TS Gateway by using Terminal Services resource authorization policy (TS RAP) and Terminal Services connection authorization policy (TS CAP)
• Configure Terminal Services load balancing. May include but is not limited to: Terminal Services Session Broker redirection modes, DNS registration; settings through Group Policy
Whether it’s publishing a remote desktop or remotely logging into a server for maintenance, you have probably used or heard of Terminal Services for Windows. In Windows NT 4 Terminal Server Edition, using the services for business applications without third-party tools was very cumbersome. With advances over the years, including the updates to Terminal Services in Windows Server 2003, Terminal Services for Windows Server 2008 is a much more attractive option for some business applications or, at the very least, worth a look.

The client computer communicates with a terminal server over TCP port 3389 using client software called Remote Desktop Connection (RDC). Many of the new features available with Windows Server 2008 require the most recent update to the RDC client software, although older RDC clients will continue to work. These older RDC clients will have more or less the same functionality as Terminal Services for Windows Server 2003. If you are using Windows Vista prior to Service Pack 1, the client is RDC 6.0 (Control Version 6.0.6000). This client can connect to a terminal server on Windows Server 2008 and use some of the new functionality, but not all of it. For example, to access TS RemoteApp programs through TS Web Access, the client computer must be running RDC 6.1, but higher resolutions, monitor spanning, font smoothing, and Desktop Experience are all available on both RDC 6.0 and RDC 6.1. RDC 6.1, which supports Remote Desktop Protocol version 6.1, is available with Windows Server 2008, Windows Vista Service Pack 1, and Windows XP Service Pack 3.

To find out the version of RDC that is installed, open the Remote Desktop Connection client by clicking Start > All Programs > Accessories > Remote Desktop Connection. Once the client is open, right-click the computer icon in the upper-left corner and choose About. A dialog box appears with version information and the features supported by the installed RDC client, such as Network Level Authentication. Figure 2.1 shows the version information of an RDC 6.1 client. RDC 6.1 (Control Version 6.0.6001) supports Remote Desktop Protocol 6.1.
Figure 2.1 RDC version information
Remote Desktop Connection Display

The new RDC software enables the use of higher-resolution displays with multiple-monitor spanning on the client computer and clearer text with font smoothing. In conjunction with a terminal server running Windows Server 2008, the new RDC software gives users a Windows Vista look and feel with the new Desktop Experience. In addition, Display Data Prioritization gives display, mouse, and keyboard traffic better performance.

Custom Display Resolutions

In previous versions, the only supported aspect ratio was 4:3, with a maximum resolution of 1600×1200. Now, with widescreen monitors, 16:9 and 16:10 are available with resolutions of 1680×1050 and 1920×1200, and the new maximum supported resolution is 4096×2048. Figure 2.2 shows the Display tab of the Remote Desktop Connection client, accessed via the Options button.
Figure 2.2 The RDC Display tab
Custom display resolutions can also be set in an RDP file or from a command prompt:
• Open the RDP file in a text editor and edit the following settings, where <value> is the resolution in pixels (for example, 1920 or 1200):
  desktopwidth:i:<value>
  desktopheight:i:<value>
• Use mstsc.exe at the command prompt with the following settings: mstsc.exe /w:<width> /h:<height>
Monitor Spanning

Monitor spanning allows the display of the remote desktop session to stretch across multiple monitors. For monitor spanning to function, all the monitors must have the same resolution and their total resolution cannot exceed 4096×2048. Another limitation is that spanning only occurs horizontally (side by side), not vertically. You can set monitor spanning in an RDP file or from a command prompt:
• Open the RDP file in a text editor. Change the following setting, where <value> = 0 indicates that monitor spanning is disabled and <value> = 1 indicates that monitor spanning is enabled: span:i:<value>
• Use mstsc.exe at the command prompt with the following setting: mstsc.exe /span
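Both of the settings above can be scripted rather than edited by hand. The following PowerShell, added here as an example and not one of the book’s exercises, writes an .rdp file carrying the desktopwidth, desktopheight, and span settings, rejects values outside the 4096×2048 limit described in this section, and prints the equivalent mstsc.exe command line. New-TsDisplayRdpFile is a hypothetical helper name and the server name is constructed.

```powershell
# Added example, not from the book: write an .rdp file with custom-resolution
# and monitor-spanning settings and show the matching mstsc.exe command line.
# New-TsDisplayRdpFile is a hypothetical helper name; the server name below
# is constructed.
function New-TsDisplayRdpFile {
    param(
        [string]$ComputerName,
        [int]$Width = 1680,
        [int]$Height = 1050,
        [switch]$Span,
        [string]$Path = ''
    )
    if (-not $ComputerName) { throw 'ComputerName is required.' }
    if ($Path -eq '') { $Path = Join-Path $env:TEMP "${ComputerName}.rdp" }

    # Limit given in the text: 4096x2048 is the largest supported desktop,
    # whether it is one monitor or several spanned side by side.
    if ($Width -lt 1 -or $Height -lt 1 -or $Width -gt 4096 -or $Height -gt 2048) {
        throw "Resolution ${Width}x${Height} is outside the supported range (up to 4096x2048)."
    }

    $spanValue = 0
    if ($Span) { $spanValue = 1 }

    # An .rdp file is plain text with one name:type:value setting per line;
    # 'i' marks an integer value and 's' a string value.
    $settings = @(
        "full address:s:$ComputerName",
        "desktopwidth:i:$Width",
        "desktopheight:i:$Height",
        "span:i:$spanValue"
    )
    $settings | Out-File -FilePath $Path -Encoding Unicode

    $cmd = "mstsc.exe /v:$ComputerName /w:$Width /h:$Height"
    if ($Span) { $cmd += ' /span' }
    Write-Host "Wrote $Path"
    Write-Host "Equivalent command line: $cmd"
    return $Path
}

# A 1920x1200 widescreen session to a constructed server name. Pass the
# returned path to the client to connect:  mstsc.exe $rdp
$rdp = New-TsDisplayRdpFile -ComputerName 'TSERV1.example.local' -Width 1920 -Height 1200
```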
Font Smoothing

If you’re using an LCD monitor, font smoothing is a feature that will be of interest. Windows Server 2008 now supports ClearType, a Microsoft technique that improves the readability of text. For users to take advantage of this feature, terminal servers must have ClearType enabled and font smoothing must be enabled in the RDC client. The following operating systems support font smoothing:
• Windows Vista
• Windows Server 2003 Service Pack 1 or 2 with RDC 6.0
• Windows XP Service Pack 2 with RDC 6.0

In Exercise 2.1, you’ll enable font smoothing on a Windows Vista client.

Exercise 2.1: Enabling Font Smoothing on a Client Computer

Follow these steps to enable font smoothing on a Windows Vista client:
1. Click Start > All Programs > Accessories > Remote Desktop Connection. (It is also possible to start the RDC client software by typing mstsc in the Run line.)
2. In the Remote Desktop Connection dialog box, click Options.
3. On the Experience tab, check Font Smoothing.
4. Click Connect to launch the new session.
By default, ClearType is enabled in Windows Server 2008. To ensure that ClearType is enabled, follow the steps in Exercise 2.2.

Exercise 2.2: Verifying ClearType Settings on Windows Server 2008

Follow these steps to verify that ClearType is enabled:
1. Click Start > Control Panel > Personalization > Window Color and Appearance.
2. On the Appearance tab, select Effects.
3. Check the Use the Following Method to Smooth Edges of Screen Fonts check box.
4. Select ClearType from the drop-down menu.
5. Click OK.

Although ClearType improves the overall user experience, enabling it will increase the bandwidth consumed by 4 to 10 times compared with a similarly configured TS server with ClearType disabled.
Display Data Prioritization

Another new feature to help with network utilization is Display Data Prioritization. Display Data Prioritization automatically gives the display, keyboard, and mouse virtual channel traffic higher precedence than the virtual channel traffic for copying files and printing. This alleviates the issue of having a slow or unresponsive mouse cursor after sending a large print job. By default, the Display Data Prioritization bandwidth ratio is 70:30. Seventy percent of the available bandwidth goes to operations in which data is input, such as display, mouse, and keyboard operations, while file transfers, print jobs, and Clipboard operations can consume only 30 percent. Of course, these settings are modifiable by editing the Registry and changing the DWORD entry values located under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD subkey. Here is a list of the values and the characteristics of each:

FlowControlDisable  Default value is 0. To disable Display Data Prioritization, set this value to 1. Once it’s disabled, all requests are handled first in, first out.

FlowControlDisplayBandwidth  Default value is 70. This value changes the relative bandwidth priority for display and other input data. The maximum allowed value is 255.

FlowControlChannelBandwidth  Default value is 30. This value changes the relative bandwidth priority for Clipboard operations, file transfers, and print jobs. The maximum allowed value is 255.

FlowControlChargePostCompression  This value determines whether flow control calculates the bandwidth allocation based on precompression or postcompression bytes. The default is precompression, which is 0.

Display Data Prioritization is based on the ratio of the Registry values FlowControlDisplayBandwidth and FlowControlChannelBandwidth. For example, if FlowControlDisplayBandwidth is set to 200 and FlowControlChannelBandwidth is set to 50, the Display Data Prioritization ratio is 200:50, so 80 percent of the available bandwidth will go to display and other input data. Remember that the default ratio is 70:30, so 70 percent of the available bandwidth will go to display and other input data.
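The four TermDD values can be read and changed from PowerShell instead of Registry Editor. The following script, added here as an example and not one of the book’s exercises, reports the current values (falling back to the defaults listed above when a value has never been written), works out the display share as a percentage, and sets a new display:channel ratio within the 0 to 255 range. Get-TsFlowControl and Set-TsFlowControl are hypothetical helper names.

```powershell
# Added example, not from the book: read the Display Data Prioritization
# values under the TermDD key and compute the resulting split, or set a new
# display:channel ratio. Get-TsFlowControl and Set-TsFlowControl are
# hypothetical helper names.
$TermDdKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermDD'

function Get-TermDdValue([string]$Name, [int]$Default) {
    # A value that has never been written means the default from the text applies
    $item = Get-ItemProperty -Path $TermDdKey -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $Default }
    return [int]$item.$Name
}

function Get-TsFlowControl {
    $disabled = Get-TermDdValue 'FlowControlDisable' 0
    $display  = Get-TermDdValue 'FlowControlDisplayBandwidth' 70
    $channel  = Get-TermDdValue 'FlowControlChannelBandwidth' 30
    $postComp = Get-TermDdValue 'FlowControlChargePostCompression' 0

    # Only the ratio matters: 70:30 gives 70 percent, 200:50 gives 80 percent
    $displayPct = [math]::Round(100 * $display / ($display + $channel), 1)

    Write-Host "Display Data Prioritization enabled : $($disabled -eq 0)"
    Write-Host "Display/input share                 : $display ($displayPct percent)"
    Write-Host "Clipboard/file/print share          : $channel ($(100 - $displayPct) percent)"
    Write-Host "Charged after compression           : $($postComp -eq 1)"
    return @{ Disabled = $disabled; Display = $display; Channel = $channel; DisplayPercent = $displayPct }
}

function Set-TsFlowControl([int]$DisplayBandwidth, [int]$ChannelBandwidth) {
    # 255 is the maximum from the text; the example also refuses 0, which would
    # leave one side of the ratio with no bandwidth at all
    foreach ($v in @($DisplayBandwidth, $ChannelBandwidth)) {
        if ($v -lt 1 -or $v -gt 255) { throw "Bandwidth values must be between 1 and 255 (got $v)." }
    }
    Set-ItemProperty -Path $TermDdKey -Name 'FlowControlDisplayBandwidth' -Value $DisplayBandwidth -Type DWord
    Set-ItemProperty -Path $TermDdKey -Name 'FlowControlChannelBandwidth' -Value $ChannelBandwidth -Type DWord
    # A ratio has no effect while prioritization is disabled, so turn it back on
    Set-ItemProperty -Path $TermDdKey -Name 'FlowControlDisable' -Value 0 -Type DWord
    # Assumption: TermDD reads these values when it starts, so reboot before
    # expecting the new split to apply
}

# Show the current split; an unmodified server reports 70 percent for display.
Get-TsFlowControl | Out-Null
# The 200:50 example from the text (80 percent for display); run as an administrator:
# Set-TsFlowControl -DisplayBandwidth 200 -ChannelBandwidth 50
```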
Desktop Experience

In previous versions of Terminal Services, the Desktop was bland and dull and had limited features. Terminal Services for Windows Server 2008 and Remote Desktop Connection 6.0 give users features like an improved Desktop that can be customized using themes, Windows Media Player 11, and even photo management. For a user to benefit from the new Desktop Experience, the client computer must have the Remote Desktop Connection 6.0 software, at a minimum, and the Windows Server 2008 terminal server must have the Desktop Experience feature enabled, which will be covered later in this section. To complete the desktop experience, Microsoft has introduced Desktop Composition in Windows Server 2008. A Windows 2008 terminal server is configurable to provide the functionality of a Windows Aero desktop by using Remote Desktop Connection with a Windows Vista client computer. With features such as Windows Flip 3D, translucent windows (Aero glass), and thumbnail-sized Taskbar button window previews, a user no longer has to look at a dull, lifeless Desktop. However, with this new functionality also come limitations, because Desktop Composition is supported only when you’re connecting to a Windows 2008 TS server running in single-user mode or with a host client running Windows Vista.
Three things must occur to enable Desktop Composition. First, you must enable Desktop Experience on the Windows 2008 Terminal Services server. Second, you must use the Windows Vista theme on the Windows 2008 TS server. Third, you must enable Desktop Composition on the Windows Vista host client. It is important to note that the Windows Vista client must have the hardware capable of supporting Windows Aero to benefit from the Desktop Composition feature. However, the 2008 TS server does not need to have hardware that is capable of running Windows Aero.

Exercises 2.3, 2.4, 2.5, and 2.6 walk you through the necessary steps to enable Desktop Experience for Terminal Services on Windows Server 2008.

Exercise 2.3: Enabling the Desktop Experience Feature

Follow these steps to install Desktop Experience on Windows Server 2008:
1. Open Server Manager. Click Start > Administrative Tools > Server Manager.
2. Right-click Features and select Add Feature from the menu.
3. Check Desktop Experience in the Feature Wizard.
4. Click Next.
5. Verify that the Desktop Experience feature is checked and click Install.
6. Reboot after installation is complete.
In Exercise 2.4, you’ll continue the configuration of the Desktop Experience by enabling the Themes service.

Exercise 2.4: Starting the Themes Service

Follow these steps to start the Themes service for Windows Server 2008:
1. Click Start > Administrative Tools > Services.
2. Right-click Themes and choose Properties.
3. On the General tab, change the startup type to Automatic.
4. Click Apply.
5. Click Administrative Tools > Services.
6. Double-click Themes.
7. On the General tab, change the startup type to Automatic.
8. Click OK.
9. Right-click Themes and choose Start to start the Themes service.

Now that you have enabled the Themes service, you must select the Windows Vista theme (Exercise 2.5).

Exercise 2.5: Setting the Theme on Windows Server 2008

Follow these steps to set the theme on Windows Server 2008:
1. Click Start > Control Panel > Personalization > Theme.
2. On the Themes tab, change the theme to Windows Vista.
3. Click OK.
The final step is to enable Desktop Composition and Themes on the client. Exercise 2.6 shows you how.

Exercise 2.6: Making Desktop Composition Available on a Vista Client

Follow these steps to enable Desktop Composition on a Vista client:
1. Click Start > All Programs > Accessories > Remote Desktop Connection. (It is also possible to start the RDC client software by typing mstsc in the Run line.)
2. In the Remote Desktop Connection dialog box, click Options.
3. On the Experience tab, check Desktop Composition and Themes.
4. Click Connect to launch the new session.
Remember that Windows Aero will require more resources on your terminal server, so give careful consideration to how many concurrent user connections a single terminal server’s hardware will be able to support. This will be critical to overall user experience and server performance.

Device Redirection

The following sections are about the device redirection framework for Windows Server 2008. Device redirection gives users the ability to connect physical devices on their local computer and use them within their Terminal Services session. The first section discusses Plug and Play device redirection for media players and digital cameras based on the Picture Transfer Protocol (PTP). The second section introduces Microsoft Point of Service for .NET device redirection. In the third section, we discuss printer redirection with TS Easy Print.
Plug and Play Device Redirection for Media Players and Digital Cameras

New to Windows Server 2008 and RDC 6.0 is the ability to redirect specific Plug and Play (PnP) Windows portable devices. These devices include media players and digital cameras based on the Media Transfer Protocol (MTP) and the Picture Transfer Protocol (PTP), respectively. Plug and Play device redirection allows applications to access devices whether the application is running in a TS remote desktop or as a TS RemoteApp. Another new feature is the ability to attach Plug and Play devices after a session has already been established, using the Devices That I Plug In Later option within the Remote Desktop Connection client software. When a new session is launched, Plug and Play notifications will appear in the Taskbar on the client computer. The newly detected device is attached to that particular session and is not accessible from any other session. Exercise 2.7 walks us through the process of enabling Plug and Play device redirection.
Exercise 2.7: Redirecting Plug and Play Devices

Follow these steps to enable Plug and Play device redirection:
1. Click Start > All Programs > Accessories > Remote Desktop Connection. (It is also possible to start the RDC client software by typing mstsc in the Run line.)
2. In the Remote Desktop Connection dialog box, click Options.
3. On the Local Resources tab, click More.
4. Under Local Devices and Resources, expand Supported Plug and Play Devices.
5. Choose the device you want to redirect.
6. To make a Plug and Play device that you will plug in later available, select the Devices That I Plug In Later check box.
7. Click Connect to launch the new session.
It is also possible to redirect drives that have been connected after a new session has been established by selecting the Drives that I connect to later check box.
Microsoft Point of Service for .NET Device Redirection Microsoft Point of Service (POS) for .NET Device Redirection allows peripheral devices such as bar code scanners and magnetic card readers to interface with Terminal Services for Windows 2008. Microsoft POS for .NET 1.1 is available to download at the Microsoft Download Center. Once it’s installed, the Terminal Services UserMode Port Redirector service must be restarted. Microsoft Point of Service for .NET Device Redirection is supported only when you’re running the x86 version of Windows Server 2008.
Terminal Services Easy Print

Microsoft has improved printing in Terminal Services for Windows 2008 by adding Terminal Services Easy Print and Group Policies that enable the redirection of only the default client printer. In the past, the client computer and the Terminal Services server had to have the proper driver installed in order to successfully print. Now matching the drivers on the two different systems is no longer necessary because the TS Easy Print driver proxies all requests to the client’s actual driver. This feature will please many administrators who had to support printer drivers in the previous version of Terminal Services. Another perk for administrators is that TS Easy Print will increase the scalability and decrease the complexity of the TS server by limiting the number of printers the spooler has to enumerate. When a TS session is created, Winlogon will redirect a particular printer instead of redirecting all printers. The last benefit of TS Easy Print is that administrators will appreciate the support for legacy print drivers. Although TS Easy Print has decreased administrator headaches with printing in Terminal Services, only a select client base will receive its benefit. TS Easy Print is available only on client computers running Windows Vista SP1 or Windows Server 2008 using RDC 6.1 and either the Microsoft .NET Framework 3.0 Service Pack 1 or Microsoft .NET Framework 3.5 or later. Terminal Services Easy Print is enabled by default.
Single Sign-On for Terminal Services

With Single Sign-On for Terminal Services, a domain user can enter their credentials once and gain access to a terminal server or their remote application. The current credentials of the logged-on user will be passed to the connecting TS server without the user having to retype their password. To use Single Sign-On (SSO), the client must be running on Windows Vista or another Windows Server 2008 machine, the user must have the appropriate rights to log on, and the client computer and TS server must be in the same domain. Exercise 2.8 demonstrates the process of configuring the authentication level of a Windows Server 2008 terminal server.

Exercise 2.8: Configuring Authentication of a Windows 2008 Terminal Server

Follow these steps to set the authentication type for a Windows Server 2008 terminal server:
1. Open Terminal Services Configuration. Click Start > Administrative Tools > Terminal Services > Terminal Services Configuration.
2. Under Connections, right-click RDP-Tcp and choose Properties.
3. On the General tab, verify that the Security Layer value is either Negotiate or SSL (TLS 1.0) and then click OK.
Exercise 2.9 walks us through the procedure to configure Single Sign-On on a Windows Vista computer.

Exercise 2.9: Configuring SSO on a Client Computer

Follow these steps to configure Single Sign-On on a Windows Vista computer:
1. Open the Local Group Policy Editor. Click Start > Run, type gpedit.msc, and press Enter.
2. Expand and navigate to Computer Configuration > Administrative Templates > System > Credentials Delegation.
3. Double-click Allow Delegating Default Credentials.
4. In Properties, on the Setting tab, click Enabled and click Show.
5. In Show Contents, click Add and add the terminal servers to the policy list by typing the prefix termsrv/ in front of the server name (for example, termsrv/TServ1).
6. Click OK three times to close all the dialog boxes.
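Because SSO hands the user’s logon credentials to whichever server matches the delegation list, it is worth checking both ends of the configuration from Exercises 2.8 and 2.9 without opening the GUI. The following PowerShell, added here as an example and not one of the book’s exercises, reads the RDP-Tcp listener’s security layer through WMI on the terminal server and lists the termsrv/ entries the client policy allows, warning about entries that are not termsrv/ SPNs or that use a wildcard. Get-TsSecurityLayer and Get-TsCredentialDelegation are hypothetical helper names, and the policy registry path is assumed to be the one the Allow Delegating Default Credentials setting writes to.

```powershell
# Added example, not from the book: audit the two settings Exercises 2.8 and
# 2.9 configure. Get-TsSecurityLayer queries the RDP-Tcp listener on a
# terminal server through WMI; Get-TsCredentialDelegation reads the client's
# Allow Delegating Default Credentials policy. Both helper names are
# hypothetical, and the policy registry path is an assumption.
function Get-TsSecurityLayer([string]$ComputerName = '.') {
    $setting = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -ComputerName $ComputerName `
        -Filter "TerminalName='RDP-Tcp'"
    $layerNames = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }
    $layer = [int]$setting.SecurityLayer
    $nla   = ($setting.UserAuthenticationRequired -eq 1)

    Write-Host "Security layer: $($layerNames[$layer]); Network Level Authentication: $nla"
    if ($layer -eq 0) {
        Write-Warning 'RDP Security Layer is in use; SSO needs Negotiate or SSL (TLS 1.0).'
    }
    return $layer
}

function Get-TsCredentialDelegation {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
    if (-not (Test-Path $policyKey)) {
        Write-Host 'Allow Delegating Default Credentials is not configured on this client.'
        return @()
    }
    $enabled = (Get-ItemProperty -Path $policyKey).AllowDefaultCredentials -eq 1
    Write-Host "Allow Delegating Default Credentials enabled: $enabled"

    # The Show Contents list is stored as numbered string values (1, 2, ...)
    # under a subkey of the same name, each holding an SPN such as termsrv/TServ1
    $servers = @()
    $listKey = Join-Path $policyKey 'AllowDefaultCredentials'
    if (Test-Path $listKey) {
        $item = Get-ItemProperty -Path $listKey
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -match '^\d+$') { $servers += [string]$prop.Value }
        }
    }
    foreach ($spn in $servers) {
        if ($spn -notlike 'termsrv/*') {
            Write-Warning "'$spn' is not a termsrv/ SPN and will not match a terminal server."
        } elseif ($spn.Contains('*')) {
            Write-Warning "'$spn' uses a wildcard: default credentials go to every matching host."
        }
    }
    return $servers
}

# Run the first on the terminal server and the second on the Vista client
Get-TsSecurityLayer | Out-Null
Get-TsCredentialDelegation
```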
Prepare and Configure the Use of Terminal Services RemoteApp (TS RemoteApp)

In the following sections, we’ll discuss a new feature of Terminal Services for Windows 2008 called Terminal Services RemoteApp (TS RemoteApp). In previous versions of Terminal Services, the only option was to publish the full Desktop, but with TS RemoteApp, individual applications can now be published. What this means is that, instead of launching a new Desktop session to run an application that is running on the terminal server, you can publish an individual application from the terminal server and it will appear as if it is running on the client’s local computer. No longer will users have to deal with the confusion of running two different Desktops to run all their applications. Before we dive too deep into TS RemoteApp and its features, we need to install the Terminal Server role on our Windows 2008 server.
Installing Programs to Be Used with TS RemoteApp

TS RemoteApp is made available through the installation of Terminal Services on Windows Server 2008. As the administrator of the server installs applications on the server, they can be added to a published list of programs that users will be able to access. In Exercise 2.10, you’ll install the Terminal Services role and change the user mode to allow applications to be installed correctly on a TS server.

Exercise 2.10: Installing the Terminal Services Role

Follow these steps to install the Terminal Services role for Windows Server 2008:
1. Open Server Manager. Click Start > Administrative Tools > Server Manager.
2. Under Roles Summary, click Add Roles.
3. In the Add Roles Wizard, on the Before You Begin page, click Next.
4. On the Select Server Roles page, check Terminal Services. If Terminal Services is already installed, this check box will be grayed out.
5. Click Next.
6. On the Introduction to Terminal Services page, click Next.
7. On the Select Role Services page, select Terminal Server and click Next.
8. On the Uninstall and Reinstall Applications for Compatibility page, click Next.
9. On the Specify Authentication Method for Terminal Server page, select the authentication you will be using and click Next. If you select Require Network Level Authentication, only computers running Windows Vista with RDC 6.0 or higher will be allowed to connect to the server. If you select Do Not Require Network Level Authentication, any RDC client can connect to the TS server.
10. On the Specify Licensing Mode page, select the licensing mode you will be using and click Next.
11. On the Select User Groups Allowed Access to this Terminal Server page, add the users or groups that you will allow to connect and click Next.
12. On the Confirm Installation Selections page, verify settings and click Install.
13. After the installation, you will be prompted to restart the server to finish the installation process. Click Close and Yes to restart the server.
After you install the Terminal Services role, you need to install the programs that are going to be published. Before you install a program on a terminal server, the server needs to be placed in install mode, and after installation is complete, the server needs to be placed back into execute mode (see Figure 2.3).
• To change the system to install mode, type change user /install at the command prompt.
• To change the system to execute mode, type change user /execute at the command prompt.
• To get additional information or help, type change user or change user /? at the command prompt.
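The install/execute switch is easy to forget when a setup program fails halfway. The following PowerShell, added here as an example and not one of the book’s exercises, wraps the three commands above around a quiet msiexec install so the server is always returned to execute mode, and prints the mode afterwards with change user /query. Install-TsApplication is a hypothetical helper name and the installer path is constructed.

```powershell
# Added example, not from the book: install a program on the terminal server
# in install mode and return to execute mode afterwards, even when the setup
# program fails. Install-TsApplication is a hypothetical helper name; the
# installer path at the bottom is constructed.
function Install-TsApplication([string]$MsiPath) {
    if (-not (Test-Path $MsiPath)) { throw "Installer not found: $MsiPath" }

    # change.exe is the same command the text types at the command prompt
    & change.exe user /install | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "change user /install failed (exit code $LASTEXITCODE)" }

    try {
        # Quiet install; -Wait and -PassThru hand back the process so the
        # msiexec exit code can be checked
        $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList "/i `"$MsiPath`" /qn" -Wait -PassThru
        if ($proc.ExitCode -ne 0) { Write-Warning "msiexec returned exit code $($proc.ExitCode)" }
        return $proc.ExitCode
    }
    finally {
        # Runs even if the install threw: the server must not stay in install mode
        & change.exe user /execute | Out-Null
        Write-Host "Current mode: $(& change.exe user /query)"
    }
}

# Constructed installer path; run from an elevated prompt on the terminal server
Install-TsApplication -MsiPath 'C:\Installers\App.msi'
```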
Figure 2.3 User mode commands
Configuring Remote Programs to Be Used with TS RemoteApp

Now that the Terminal Services role is installed and you know how to change the user mode to install an application, you need to make an application available for remote users by adding the program to the RemoteApps list. To add a program, you’ll use TS RemoteApp Manager, which specifies the programs installed on the terminal server that users will be able to access. Exercise 2.11 walks you through the process of adding a program to the RemoteApps list.

Exercise 2.11: Adding an Application to the TS RemoteApp Program List

Follow these steps to add an application to the TS RemoteApp program list:
1. Launch Server Manager. Click Start > Administrative Tools > Server Manager.
2. Expand Roles. Expand Terminal Services.
3. Click TS RemoteApp Manager.
4. In the Actions pane, click Add RemoteApp Programs.
5. In the RemoteApp Wizard, click Next.
6. Select the application to add to the RemoteApp program list and click Next.
7. Click Finish.
8. If you examine TS RemoteApp Manager, you’ll see that the programs that have been added to the TS RemoteApp program list are now visible. You will notice here that TS Web Access is enabled. It’s enabled by default; we’ll discuss TS Web Access later in this chapter in “Distributing RemoteApp Applications.” If you double-click a RemoteApp program, a new Actions pane will appear on the right. This is where you can change the properties of the program, disable TS Web Access, create an RDP file or an MSI installer package, and even remove the RemoteApp program.
9. Clicking Properties in the Actions pane shows various attributes of the RemoteApp program. From the Properties tab, you can see the RemoteApp program name, its location, whether it is available through TS Web Access, and what command-line arguments are available.
Creating and Deploying a Windows Installer Package for TS RemoteApp Programs

Now that you have installed an application that will be used for a TS RemoteApp program, you need to know how to deploy a package that contains the TS RemoteApp program connection information. There are two different ways to package TS RemoteApp programs: a Windows Installer file (MSI) or a Remote Desktop file (RDP). The focus in this section will be on using an MSI file because most administrators are used to using group policies to deploy Windows Installer packages to client computers. In order for the client computers to run these packages, they must be running RDC 6.0 or 6.1. In Exercise 2.12, you will follow the procedure to package TS RemoteApp programs.

Exercise 2.12: Packaging a TS RemoteApp Program

Follow these steps to package a TS RemoteApp program:
1. In TS RemoteApp Manager, under RemoteApp Programs, select the application for which you will create a package.
2. In the Actions pane, click Create Windows Installer Package.
3. In the RemoteApp Wizard, click Next on the Welcome screen.
4. On the Specify Package Settings screen, you can change the default location to save packages to as well as the server name, the RDP port, the TS Gateway settings, and certificate settings. (TS Gateway and certificate settings are discussed later in this chapter.)
5. Click Next.
6. On the Configure Distribution Package page, you will place the RemoteApp program in the user’s Start menu under a folder named Remote Programs, and you can also select Desktop. This screen also specifies whether or not to take over client extensions. What this means is that whenever the user opens a file with this extension, it will automatically launch the RemoteApp program. This setting is necessary only when the application is not installed locally on the client.
7. Click Next.
8. Review the settings and click Finish.

By default, the package will be saved in C:\Program Files\Pack Programs with a .rap.msi filename extension. Now that you have the .rap.msi file, Group Policy procedures can be used to deploy the package to users within the domain.
Using TS RemoteApp in Large Environments

There are some rules that should be considered when using TS RemoteApp in a large server farm. First, think about applications that are similar in nature or share data using Dynamic Data Exchange (DDE) (for example, copy and paste); these should reside on the same server. Second, place silo applications that conflict with other applications onto separate terminal servers; your users will thank you in the long run by not complaining about poor performance or errors in their sessions. Third, consider other factors that are not technology related, such as groups like HR always wanting their applications segregated from everyone else. A good rule of thumb is an 80/20 split. Try to maintain and keep the software consistent on the majority of the terminal servers with the main subset of your applications, usually MS Office and the like.
Export or Import RemoteApp Programs and Settings

With Terminal Services for Windows 2008, you have the ability to export and import the RemoteApp Programs list from one TS server to another. This is a benefit when you have to configure a larger server farm with an identical RemoteApp Programs list. Any RDP or MSI packages that were created will not be exported or imported and will have to be re-created to reflect the name of the terminal server. However, if a server is a member of a TS server farm and the farm name was specified during the creation of the packages instead of the name of an individual server, you can manually copy the packages. In Exercise 2.13, you will export the RemoteApp Programs list and deployment settings.

Exercise 2.13: Exporting the RemoteApp Programs List and Deployment Settings

Follow these steps to export the TS RemoteApp program list and deployment settings to other Windows Server 2008 terminal servers:
1. Start TS RemoteApp Manager.
2. In the Actions pane, click Export RemoteApp Settings.
3. Select Export the RemoteApp Program List and Settings to Another Terminal Server or Export the RemoteApp Programs List and Settings to a File.
4. Click OK.
When the TS RemoteApp settings are exported to a file, the location is specified by the administrator and the file itself is saved with the .tspub extension. To import the TS RemoteApp Programs list and deployment settings, use the same procedure but click Import RemoteApp Settings instead. It is important to note that importing the settings to another server will overwrite that server's existing settings.
Distributing RemoteApp Applications
There are several ways to deploy RemoteApps, and we have already touched on two of them: distributing an RDP file through a file share or distributing an MSI through a GPO. In the following sections, you'll learn about distributing TS RemoteApp programs with Terminal Services Web Access. Microsoft has enhanced Terminal Services Web Access (TS Web Access) in Windows Server 2008 by embedding the ActiveX controls into a web page hosted on Internet Information Services (IIS). A user can create a session using the client's web browser. To take advantage of TS Web Access, the client computer must be running Remote Desktop Client (RDC) 6.1, which is available on Windows Server 2008, Windows Vista SP1, and Windows XP SP3.
Installing TS Web Access
TS Web Access must be installed as a role service on the server that users will connect to in order to access their RemoteApp programs. As a result of installing TS Web Access as a role service, Internet Information Services 7.0 is also installed. The server that has the TS Web Access role acts as a web server and does not have to be a terminal server. In Exercise 2.14, you'll install TS Web Access.
Exercise 2.14
Installing TS Web Access Follow these steps to install TS Web Access.
1. Open Server Manager. Click Start, Administrative Tools, Server Manager.
2. Click Roles and expand it.
3. Right-click Terminal Services and click Add Role Services.
4. Select TS Web Access. If the role services required for TS Web Access are not all installed, you will receive a prompt to install them. Click Add Required Role Services.
5. Click Next.
6. If installing IIS is required, click Next on the Introduction to Web Server page.
7. On the Role Services Selections for IIS page, click Next.
8. On the Confirm Installation Selections page, click Install.
9. On the Installation Results page, verify that the installation was successful and click Close.
If the TS RemoteApp server and the TS Web Access server are separate, the computer account of the TS Web Access server must be added to the TS Web Access Computers security group on the TS RemoteApp server. In Exercise 2.15, you'll add the computer account to the TS Web Access Computers group.
Exercise 2.15
Adding the Computer Account of the TS Web Access Server to the TS RemoteApp Server Follow these steps to add the computer account to the TS Web Access group.
1. Click Start, Administrative Tools, Computer Management.
2. Expand Local Users and Groups and click Groups.
3. Double-click TS Web Access Computers.
4. Click Add.
5. Click Object Types, select Computers, and click OK.
6. Type the computer name of the TS Web Access server and click OK.
7. Click OK.
By default, the TS Web Access website is http://<server_name>/ts, where <server_name> is the NetBIOS name or the fully qualified domain name of the TS Web Access server. When you open the site, you see the TS RemoteApp programs that are TS Web Access enabled. Figure 2.4 shows the TS Web Access page with the available program list.
Figure 2.4 TS Web Access published application list
When you launch an application as a TS RemoteApp next to the same application launched from the local computer, it is very difficult to tell the difference between the TS RemoteApp and the local application. Figure 2.5 shows WordPad launched as a TS RemoteApp and launched locally.
Figure 2.5 Side-by-side comparison of a RemoteApp and a local application
Using Task Manager, you can see which application is running locally and which application is running as a TS RemoteApp. Figure 2.6 shows WordPad in Task Manager and indicates which instance is running remotely.
Figure 2.6 Task Manager view of a RemoteApp
Prepare and Configure Terminal Services Gateway (TS Gateway)
Terminal Services Gateway is a role service for Windows Server 2008 that encapsulates Remote Desktop Protocol (RDP) traffic over HTTP with SSL encryption (HTTPS) and provides a secure link for authorized remote users on the Internet to access internal terminal server applications without creating a virtual private network (VPN) connection. Instead of using TCP port 3389, TS Gateway transmits the RDP traffic over TCP port 443, so little or no modification is needed to the external firewall because this port is usually already open for other HTTPS traffic. The TS Gateway server sits behind the external firewall, and when the firewall receives RDP over HTTP traffic, it strips off the HTTP header and passes the RDP packets to the TS Gateway server. The TS Gateway server will then check the Network Policy Server (NPS) service and Active Directory to authenticate the remote user. Once authentication has completed, the user will be allowed access to the internal terminal servers to run the TS Web Access–enabled TS RemoteApp programs.
Preparing the Necessary TS Gateway Role Services
Very similar to installing TS RemoteApps, TS Gateway requires that additional role services be installed on the Windows Server 2008 server. To install the TS Gateway role service, the following role services are also required:
- Remote Procedure Call (RPC) over HTTP Proxy
- Web Server (Internet Information Services 7.0)
- Network Policy and Access Services
Exercise 2.16 explains how to install and configure the TS Gateway role service.
Exercise 2.16
Installing the TS Gateway Role Service
Follow these steps to install the TS Gateway role service on Windows Server 2008.
1. Open Server Manager.
2. Right-click Roles and choose Add Roles.
3. Under Select Server Roles, check Terminal Services and click Next.
4. Click Next on the Introduction to Terminal Services page.
5. Under Select the Role Services to Install for Terminal Services, check TS Gateway. An Add Roles Wizard appears to install the required role services and features. Click Add Required Role Services.
6. Click Next.
7. On the Choose a Server Authentication Certificate for SSL Encryption page, select the appropriate certificate option. (In the next section, we will discuss how to create, obtain, and configure a certificate.)
8. Click Next.
9. On the Create Authorization Policies for TS Gateway page, accept the default to create authorization policies now. Click Next.
10. Select the user groups that can connect through TS Gateway by clicking Add. Then click Next.
11. On the Create a TS CAP for TS Gateway page, accept the default name TS_CAP_01 or specify a new name, select supported Windows authentication methods, and then click Next.
12. On the Create a TS RAP for TS Gateway page, accept the default name TS_RAP_01 or specify a new name. Then either specify whether to allow users to connect only to computers in one or more computer groups, and then specify the computer groups, or specify that users can connect to any computer on the network. Click Next.
13. On the Network Policy and Access Services page, click Next.
14. Verify that the Network Policy Server role service is selected and click Next.
15. On the Web Server (IIS) page, click Next.
16. Accept the default role services to install for Web Server (IIS). Click Next.
17. Confirm the installation selections and click Install.
Obtaining and Configuring a Certificate for TS Gateway
TS Gateway requires a valid digital certificate so that it can use SSL to encrypt the traffic to the remote clients. The purpose of the digital certificate is to prove the identity of a remote person or a remote resource. In TS Gateway, there are two methods of obtaining a certificate. The first is to purchase a digital certificate from a third-party certificate authority (CA). Microsoft has a list of approved CAs at the following site: http://support.microsoft.com/kb/931125. The second option is to create a self-signed certificate. Although the option to create a self-signed certificate is available, it is not recommended for anything other than testing and evaluation purposes because the certificate must be copied and installed in the Trusted Root Certification Authorities store on each client computer. Exercise 2.17 walks you through the installation of a certificate on a TS Gateway server. The procedure in Exercise 2.17 is not required if you have created a self-signed certificate.
Exercise 2.17
Installing a Certificate on the TS Gateway Server Follow these steps to install a certificate on a TS Gateway server.
1. Click Start, Run. Type mmc and press Enter.
2. On the File menu, click Add/Remove Snap-in.
3. From the available snap-ins, select Certificates and click Add.
4. In the Certificates snap-in, select Computer Account and click Finish.
5. Click OK.
6. Expand Certificates.
7. Right-click Personal, point to All Tasks, and click Import.
8. On the Welcome to the Certificate Import Wizard page, click Next.
9. On the File to Import page, enter the name of the certificate file that will be imported. Click Next.
10. On the Password page, do the following:
- If you specified a password for the private key associated with the certificate earlier, type the password.
- If you want to mark the private key for the certificate as exportable, ensure that Mark This Key as Exportable is selected.
- If you want to include all extended properties for the certificate, ensure that Include All Extended Properties is selected.
11. Click Next.
12. On the Certificate Store page, accept the defaults and click Next.
13. Confirm that the correct certificate has been selected and click Finish.
14. A confirmation message appears when the certificate has been imported successfully.
Exercise 2.18 guides you through the mapping of the certificate to the TS Gateway server.
Exercise 2.18
Mapping the Certificate to the TS Gateway Server Follow these steps to map a certificate to a TS Gateway server.
1. Open TS Gateway Manager. Click Start, Administrative Tools, Terminal Services, TS Gateway Manager.
2. Right-click the TS Gateway server and choose Properties.
3. On the SSL Certificate tab, click Select an Existing Certificate for SSL Encryption.
4. Click Browse Certificates.
5. Click the appropriate certificate, and click Install.
6. Click OK.
Creating Terminal Services Connection Authorization Policies (TS CAPs)
Terminal Services connection authorization policies (TS CAPs) must be created after the TS Gateway role service has been installed. The purpose of TS CAPs is to set conditions that remote users must meet in order to gain access to a TS Gateway server. You can set criteria such as whether connecting users must be members of a particular security group, whether computers requesting a connection must be members of a security group, and whether some or all device redirection is disabled. Policies are evaluated in the numerical order shown in TS Gateway Manager. Access to the TS Gateway server is granted by matching the first policy whose conditions are all met. For example, if a remote client does not meet the requirements of the first TS CAP in the list, evaluation moves to the second TS CAP and continues down the list until it locates a TS CAP whose requirements the client matches. If a remote client does not meet the requirements of any TS CAP in the list, TS Gateway denies access. Exercise 2.19 shows you how to create a TS CAP for the TS Gateway server.
Exercise 2.19
Creating a TS CAP for the TS Gateway Server
Follow these steps to create a TS CAP for a TS Gateway server.
1. Open TS Gateway Manager. Click Start, Administrative Tools, Terminal Services, TS Gateway Manager.
2. Expand the TS Gateway server.
3. Expand Policies and click Connection Authorization Policies.
4. In the Actions pane, click Create New Policy and select Custom.
5. On the General tab, type the name of the policy, and verify that Enable This Policy is checked.
6. On the Requirements tab, check the Supported Windows authentication methods, either Password or Smart Card or both.
7. In User Group Membership, click Add Group to specify the user group(s) that can connect to the TS Gateway server. Note that at least one user group must be listed.
8. In Client Computer Group Membership, click Add Group if computer groups are going to be used. Computer groups are optional.
9. On the Device Redirection tab, enable or disable the redirection for client devices. The following screen shot shows one possible configuration for device redirection.
10. Click OK.
11. The policy will appear in the Connection Authorization Policies pane.
Creating Terminal Services Resource Authorization Policies (TS RAPs)
Like TS CAPs, Terminal Services resource authorization policies (TS RAPs) also must be created after the TS Gateway role service has been installed. The purpose of TS RAPs is to specify the computers that remote users can connect to through the TS Gateway server. A TS RAP associates specific user groups with computer groups, which grants access to the computers listed in the group. For example, members of the Accounting Users user group are allowed to connect only to computers that are members of the Accounting Computers computer group. Exercise 2.20 shows you how to create a TS RAP for the TS Gateway server. Remote users connecting through a TS Gateway server are granted access only when they meet at least one TS CAP and one TS RAP.
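The following PowerShell model, added here and not part of the book or of TS Gateway itself, walks through the evaluation order described in the TS CAP and TS RAP sections: CAPs are tried in order and the first full match wins, then at least one RAP must permit the target computer and port. The policy names, group names and sample client are constructed for the illustration.

```powershell
# Added illustration (not Microsoft's code): a model of TS Gateway policy evaluation.
# Policies, groups and clients below are constructed hashtables, not live objects.

function Test-TsCap {
    param($Cap, $Client)
    if (-not $Cap.Enabled) { return $false }
    # The client must authenticate with a method the CAP supports (Password or Smart Card).
    if ($Cap.AuthMethods -notcontains $Client.AuthMethod) { return $false }
    # At least one user group is always listed; the user must belong to one of them.
    $userOk = $false
    foreach ($g in $Cap.UserGroups) { if ($Client.UserGroups -contains $g) { $userOk = $true } }
    if (-not $userOk) { return $false }
    # Computer groups are optional; when present, the client computer must be a member.
    if (@($Cap.ComputerGroups).Count -gt 0) {
        $compOk = $false
        foreach ($g in $Cap.ComputerGroups) { if ($Client.ComputerGroups -contains $g) { $compOk = $true } }
        if (-not $compOk) { return $false }
    }
    return $true
}

function Find-MatchingCap {
    param($Caps, $Client)
    # CAPs are evaluated in the numerical order shown in TS Gateway Manager; first match wins.
    foreach ($cap in ($Caps | Sort-Object { $_.Order })) {
        if (Test-TsCap $cap $Client) { return $cap }
    }
    return $null
}

function Test-TsRap {
    param($Rap, $Client, $Target)
    if (-not $Rap.Enabled) { return $false }
    $userOk = $false
    foreach ($g in $Rap.UserGroups) { if ($Client.UserGroups -contains $g) { $userOk = $true } }
    if (-not $userOk) { return $false }
    if ($Rap.AllowedPorts -notcontains $Target.Port) { return $false }
    # Either "any computer on the network" or the target must be in the RAP's computer group.
    if ($Rap.AnyComputer) { return $true }
    return ($Rap.ComputerGroup -contains $Target.Computer)
}

function Test-TsGatewayAccess {
    param($Caps, $Raps, $Client, $Target)
    $cap = Find-MatchingCap $Caps $Client
    if ($cap -eq $null) { return 'Denied: no TS CAP matched' }
    foreach ($rap in $Raps) {
        if (Test-TsRap $rap $Client $Target) {
            return ('Allowed by {0} and {1}' -f $cap.Name, $rap.Name)
        }
    }
    return ('Denied: {0} matched but no TS RAP allows {1}:{2}' -f $cap.Name, $Target.Computer, $Target.Port)
}

# Constructed sample policies, mirroring the Accounting example in the text.
$caps = @(
    @{ Name='TS_CAP_01'; Order=1; Enabled=$true; AuthMethods=@('SmartCard');
       UserGroups=@('Accounting Users'); ComputerGroups=@('Managed Laptops') },
    @{ Name='TS_CAP_02'; Order=2; Enabled=$true; AuthMethods=@('Password','SmartCard');
       UserGroups=@('Accounting Users'); ComputerGroups=@() }
)
$raps = @(
    @{ Name='TS_RAP_01'; Enabled=$true; UserGroups=@('Accounting Users'); AnyComputer=$false;
       ComputerGroup=@('ACCT-TS01','ACCT-TS02'); AllowedPorts=@(3389) }
)
$client = @{ UserGroups=@('Accounting Users'); ComputerGroups=@('Home PCs'); AuthMethod='Password' }

# Falls through TS_CAP_01 (smart card and managed laptop required) to TS_CAP_02; the RAP permits ACCT-TS01.
Test-TsGatewayAccess $caps $raps $client @{ Computer='ACCT-TS01'; Port=3389 }
# A server outside the Accounting Computers group is refused even though a CAP matched.
Test-TsGatewayAccess $caps $raps $client @{ Computer='HR-TS01'; Port=3389 }
```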
Exercise 2.20
Creating a TS RAP and Specifying Computers Follow these steps to create a TS RAP for a TS Gateway server and add computers to the policy.
1. Open TS Gateway Manager. Click Start, Administrative Tools, Terminal Services, TS Gateway Manager.
2. Expand the TS Gateway server.
3. Expand Policies and click Resource Authorization Policies.
4. In the Actions pane, click Create New Policy and select Custom.
5. On the General tab, type the name of the policy, add a brief description, and verify that Enable This Policy is checked.
6. On the User Groups tab, click Add to select the user groups.
7. On the Computer Group tab, specify the computer group that the users will connect to through TS Gateway.
8. On the Allowed Ports tab, specify the TCP ports users will be using.
9. Click OK. The new TS RAP appears in the Resource Authorization Policies pane.
Configuring the Terminal Services Client for TS Gateway
The client computer must verify and trust the TS Gateway server before a user can complete authentication. The client must have the CA certificate of the TS Gateway server's certificate issuer in its Trusted Root Certification Authorities store. This is done in the same way as importing the certificate on the TS Gateway server, using the Certificates snap-in on the client computer. Remember, if the certificate was issued by a third-party certificate authority, the CA certificate does not need to be added to the client's Trusted Root Certification Authorities store because it is already trusted. In Exercise 2.21, we will walk through the client's Remote Desktop Connection settings to establish a connection through the TS Gateway server.
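As an added client-side check that is not one of the book's exercises, the PowerShell function below fetches the certificate a TS Gateway presents on TCP 443 and reports whether it chains to a CA in this computer's Trusted Root Certification Authorities store and whether its name matches the gateway name the client will use. It assumes PowerShell 2.0 or later; tsgw.example.com is a placeholder host name.

```powershell
# Added check (not part of the book): verify that this client trusts the TS Gateway's
# SSL certificate before trying an RDC connection through the gateway.

function Test-TsGatewayTrust {
    param(
        [string]$GatewayHost,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($GatewayHost, $Port)
    try {
        # Accept whatever the server sends during the handshake; trust is validated explicitly below.
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($GatewayHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }

    # X509Chain builds against the local machine's stores, so a self-signed gateway
    # certificate that was never imported into Trusted Root fails here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    $statusText = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    # The name in the certificate must match the name the client uses for the gateway.
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $nameMatches = ($dnsName -eq $GatewayHost)

    New-Object PSObject -Property @{
        Gateway      = $GatewayHost
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Thumbprint   = $cert.Thumbprint
        NotAfter     = $cert.NotAfter
        NameMatches  = $nameMatches
        ChainTrusted = $trusted
        ChainStatus  = $statusText
    }
}

# Placeholder gateway name; ChainTrusted=$false with ChainStatus 'UntrustedRoot' means the
# issuing CA still has to be imported into the client's Trusted Root store.
Test-TsGatewayTrust -GatewayHost 'tsgw.example.com' | Format-List
```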
Exercise 2.21
Configuring the Terminal Services Client for TS Gateway
Follow these steps to configure RDC connection properties for TS Gateway.
1. Click Start, All Programs, Accessories, Remote Desktop Connection.
2. In the Remote Desktop Connection dialog box, click Options.
3. On the Advanced tab, under the Connect from Anywhere section, click Settings.
4. On the TS Gateway Server Settings page, select the appropriate option:
- Automatically Detect TS Gateway Server Settings is the default. This option is used if the client is configured to use Group Policy settings. Group Policy settings will be covered in the next chapter.
- Use These TS Gateway Server Settings is used if the TS Gateway server name or TS Gateway server farm and a logon method are not being enforced by Group Policy.
- Do Not Use a TS Gateway Server is used if the client is always connected to the LAN or if the client does not need to pass through a firewall.
5. Click OK.
6. Click Connect to launch the new session.
Configuring Terminal Services Load Balancing
Terminal Services Session Broker (TS Session Broker) is new and improved in Windows Server 2008. Many of you will remember this feature from Windows Server 2003 as Terminal Services Session Directory. In its latest incarnation, it allows users to reconnect to a disconnected session in a load-balanced terminal server farm. TS Session Broker stores various session state information, like session ID and user name, so a user can reconnect and resume work right where they left off even if the user has reconnected from a different client computer. With Windows Server 2003, Session Directory required the Enterprise Edition, but TS Session Broker is available on the Standard Edition of Windows Server 2008 as well as on the Windows Server 2008 Enterprise and Datacenter editions. Another change to the feature is that Windows Server 2008 has integrated the TS Session Broker Load Balancing feature, an out-of-the-box load balancing capability designed to replace Microsoft Network Load Balancing (NLB), although TS Session Broker will continue to work with third-party solutions, like hardware load balancers, and with Microsoft NLB. The final new feature introduced with TS Session Broker is terminal server draining: a terminal server in a TS Session Broker load-balanced terminal server farm can be placed in drain mode, also known as maintenance mode, where users can reconnect to disconnected sessions but cannot establish new sessions.
Configuring a Terminal Server Farm with TS Session Broker
TS Session Broker Load Balancing works in two stages: first, DNS load balancing (DNS round robin) or Microsoft Network Load Balancing (NLB) handles the initial connection, and second, a query to the TS Session Broker server determines where the user is redirected. After the initial connection is made with DNS round robin or NLB, the TS Session Broker checks for the existence of a user session. If the user has an existing session, they will connect back to the same terminal server and continue working in their original session, whereas if there is no existing session, the user will connect to the terminal server that has the fewest sessions and create a new session. To prevent a single server from being overwhelmed by new logon requests, TS Session Broker Load Balancing sets a limit of 16 maximum pending logon requests to any one terminal server. It is important to note that when using DNS round robin, the client will connect to the first DNS record initially, but the TS Session Broker service will direct the connection to the appropriate server based on the farm settings. It is also possible to assign a relative weight value to each server to help distribute the load among the servers within the terminal server farm. The default relative weight value is 100. When you change the relative weight value of a server to 200, the server with the new value of 200 will receive twice as many connections. This is a way to direct more users to servers that have greater hardware capabilities.
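The PowerShell simulation below is an added illustration of the redirection behaviour just described; it is a simplified model, not the TS Session Broker's implementation. The rule "fewest sessions, scaled by relative weight" is my assumption, chosen to reproduce the 2:1 split the text gives for a weight of 200, and the farm members are constructed.

```powershell
# Added illustration (not Microsoft's code): a model of TS Session Broker redirection.
# Assumed load rule: (sessions + pending logons) / relative weight; lowest wins.

$MaxPendingLogons = 16   # limit on queued new logons per terminal server, per the text

function Select-FarmServer {
    param($Farm, [string]$User)
    # Existing (possibly disconnected) session first: the user always goes back to it,
    # even when that server is in drain mode.
    foreach ($srv in $Farm) {
        if ($srv.Sessions -contains $User) { return $srv }
    }
    # No existing session: least-loaded server, skipping drained servers and servers
    # that already have 16 pending logons.
    $best = $null
    foreach ($srv in $Farm) {
        if ($srv.Draining -or $srv.Pending -ge $MaxPendingLogons) { continue }
        $load = ($srv.Sessions.Count + $srv.Pending) / $srv.Weight
        if ($best -eq $null -or $load -lt $best.Load) {
            $best = @{ Server = $srv; Load = $load }
        }
    }
    if ($best -eq $null) { return $null }
    return $best.Server
}

function Connect-User {
    param($Farm, [string]$User)
    $srv = Select-FarmServer $Farm $User
    if ($srv -eq $null) { return 'Denied: no server can accept a new logon' }
    if ($srv.Sessions -notcontains $User) { $srv.Sessions.Add($User) | Out-Null }
    return $srv.Name
}

# Constructed farm: TS02 is weighted 200, so it should take about twice the new sessions of TS01;
# TS03 is in drain mode and only accepts reconnections.
$farm = @(
    @{ Name='TS01'; Weight=100; Pending=0; Draining=$false; Sessions=(New-Object System.Collections.ArrayList) },
    @{ Name='TS02'; Weight=200; Pending=0; Draining=$false; Sessions=(New-Object System.Collections.ArrayList) },
    @{ Name='TS03'; Weight=100; Pending=0; Draining=$true;  Sessions=(New-Object System.Collections.ArrayList) }
)
$farm[2].Sessions.Add('alice') | Out-Null   # alice left a disconnected session on the draining server

# 30 new users: expect roughly TS01=10, TS02=20, TS03=0
1..30 | ForEach-Object { Connect-User $farm "user$_" } | Group-Object | Select-Object Name, Count
Connect-User $farm 'alice'   # reconnects to TS03 despite drain mode
Connect-User $farm 'bob'     # new logon, lands on TS01 or TS02
```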
There are some specific requirements for using TS Session Broker Load Balancing. The TS Session Broker server and all terminal servers in the farm must be running Windows Server 2008 to participate in TS Session Broker Load Balancing. All the terminal servers must have identical RemoteApp program lists, they must have the same server configuration, and they must be in the same domain. The client computers must be running RDC 5.2 or later. Now that you have an understanding of what TS Session Broker Load Balancing is, you need to learn how to deploy it. There are four tasks to complete the installation and setup:
1. Install the TS Session Broker role service.
2. Add the terminal servers in the farm to the Session Directory Computers local group on the TS Session Broker server.
3. Configure the terminal servers to join a farm and participate in load balancing.
4. Configure DNS for TS Session Broker Load Balancing.
You cannot use the TS Session Broker Load Balancing feature on Windows Server 2003 terminal servers.
Installing the TS Session Broker Role Service
The TS Session Broker server tracks and manages load balancing based on the number of user sessions. Once a TS server reaches its maximum session limit, users will no longer be able to establish sessions with that TS server. The maximum session limit is the maximum number of sessions a particular TS server can host. This setting is disabled by default and has to be configured manually in the Registry by creating and setting the value of the following key: HKLM\System\CurrentControlSet\Control\Terminal Server\UserSessionLimit. The TS Session Broker server does not have to be a terminal server, but it does have to be a member of the domain. Additionally, the TS Session Broker role service can be installed on a domain controller. In Exercise 2.22, you'll install TS Session Broker.
Exercise 2.22
Installing TS Session Broker
Follow these steps to install TS Session Broker on Windows Server 2008.
1. Open Server Manager. Click Start, Administrative Tools, Server Manager.
2. Right-click Roles and choose Add Roles.
3. Under Select Server Roles, check Terminal Services and click Next.
4. Click Next on the Introduction to Terminal Services page.
5. On the Select Role Services page, check TS Session Broker.
6. Confirm the installation selections and click Install.
7. Confirm the installation results and click Close.
Now that TS Session Broker has been installed, you need to add the terminal servers to the Session Directory Computers local group. This group is created during the installation of the TS Session Broker role service. Exercise 2.23 walks you through the process.
Exercise 2.23
Adding Terminal Servers to the Session Directory Computers Local Group
Follow these steps to add terminal servers to the Session Directory Computers local group.
1. Click Start, Administrative Tools, Computer Management.
2. Expand Local Users and Groups and click Groups.
3. Open Session Directory Computers.
4. Click Add.
5. In the Select Users, Computers, or Groups window, click Object Types.
6. Check Computers.
7. Add the computer accounts for each terminal server.
8. Click OK.
For a TS server to join a TS Session Broker farm, you must know the following:
- TS Session Broker server name or IP address. This is the name or the IP address of the TS Session Broker server.
- TS Session Broker farm name. This is the name of the farm that you want to join.
TS Session Broker uses the farm name to determine which servers are in the farm. The same farm name must be used for all servers that are participating in the same load-balanced farm. In Exercise 2.24, you'll use the Terminal Services Configuration tool to configure a TS server to join a TS Session Broker farm and to participate in TS Session Broker Load Balancing.
Exercise 2.24
Configuring the Terminal Servers to Join a Farm and Participate in Load Balancing
Follow these steps to configure terminal servers to join a TS Session Broker farm and participate in TS Session Broker Load Balancing.
1. Start Terminal Services Configuration. Click Start, Administrative Tools, Terminal Services, Terminal Services Configuration.
2. In Edit Settings, under TS Session Broker, double-click Member of Farm in TS Session Broker.
- On the TS Session Broker tab, select the Join a Farm in TS Session Broker check box.
- In the TS Session Broker Server Name or IP Address text box, type the name or the IP address of the TS Session Broker server.
- In the Farm Name in TS Session Broker text box, type the name of the farm that you want to join in TS Session Broker.
- In the Select IP Addresses to Be Used for Reconnection list, select the check box next to each IP address that you want to use.
3. Click OK.
The next step in the configuration of TS Session Broker is to configure DNS. Exercise 2.25 shows you how to configure DNS for TS Session Broker Load Balancing.
Exercise 2.25
Configuring DNS for TS Session Broker Load Balancing
Follow these steps to configure DNS for TS Session Broker Load Balancing.
1. Click Start, Administrative Tools, DNS.
2. Expand the server name.
3. Expand Forward Lookup Zones.
4. Right-click the zone and select New Host (A or AAAA).
5. In the Name (Uses Parent Domain If Blank) field, type the terminal server farm name. Do not use the name of an existing server for the farm name.
6. In the IP Address field, type the IP address of a terminal server in the farm.
7. Click Add Host.
8. Click OK when the message stating that the host record was successfully created appears.
9. Repeat for each terminal server that is in the farm. If you have six terminal servers in the farm, you should have six farm entries.
10. Click Done.
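As an added example that is not part of the book's exercise, the PowerShell below does the same job from the command line with dnscmd (one A record per terminal server under the shared farm name), refuses a farm name that already has records in the zone, and then resolves the farm name to confirm that every member is returned. The DNS server name, zone, farm name and addresses are constructed placeholders, and dnscmd must be available on the machine running it.

```powershell
# Added example (not from the book): DNS round robin records for a TS Session Broker farm.
# Server, zone, farm name and IP addresses below are constructed placeholders.

function Add-TsFarmDnsRecords {
    param(
        [string]$DnsServer,
        [string]$Zone,
        [string]$FarmName,
        [string[]]$MemberAddresses
    )
    # The farm name must not be an existing host name: a member server's own A record
    # would otherwise be mixed into the round robin set.
    $existing = dnscmd $DnsServer /EnumRecords $Zone $FarmName 2>$null
    if ($LASTEXITCODE -eq 0 -and ($existing | Select-String ' A ')) {
        throw "$FarmName already has A records in $Zone; choose a name that is not an existing server"
    }
    foreach ($ip in $MemberAddresses) {
        # One A record per terminal server, all under the same farm name.
        dnscmd $DnsServer /RecordAdd $Zone $FarmName A $ip | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dnscmd failed adding $FarmName -> $ip" }
    }
}

function Test-TsFarmRoundRobin {
    param([string]$FarmFqdn, [string[]]$ExpectedAddresses)
    # Clients resolve the farm name to all members; the broker then decides which
    # server actually hosts the session, so every member must be present here.
    $resolved = @([System.Net.Dns]::GetHostAddresses($FarmFqdn) | ForEach-Object { $_.IPAddressToString })
    $missing = @($ExpectedAddresses | Where-Object { $resolved -notcontains $_ })
    New-Object PSObject -Property @{
        Farm     = $FarmFqdn
        Resolved = (($resolved | Sort-Object) -join ', ')
        Missing  = ($missing -join ', ')
        Complete = ($missing.Count -eq 0)
    }
}

$members = @('10.0.0.11', '10.0.0.12', '10.0.0.13')
Add-TsFarmDnsRecords -DnsServer 'dc01' -Zone 'corp.example' -FarmName 'tsfarm' -MemberAddresses $members
Test-TsFarmRoundRobin -FarmFqdn 'tsfarm.corp.example' -ExpectedAddresses $members
```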
Configuring Network Load Balancing
As stated previously, TS Session Broker can also take advantage of Microsoft NLB instead of DNS round robin to distribute clients across the terminal servers. The requirements for NLB are as follows:
- All hosts in the NLB cluster must reside on the same subnet.
- The cluster's clients must be able to access that subnet.
- All terminal servers in the TS farm must be in the same domain.
Just as we did in the section on TS Session Broker Load Balancing, we can break down the installation of TS Session Broker with Microsoft NLB into separate tasks:
1. Set up a terminal server farm with TS Session Broker. Refer to Exercise 2.22 for how to install TS Session Broker. Remember that the IP address used for reconnection must not be the same as the cluster IP address.
2. Install NLB.
3. Create an NLB cluster.
Exercise 2.26 will walk you through the process of installing Microsoft NLB and creating an NLB cluster.
Exercise 2.26
Installing NLB and Creating an NLB Cluster
Follow these steps to install NLB and create an NLB cluster.
1. Open Server Manager. Click Start, Administrative Tools, Server Manager.
2. Right-click Features and choose Add Features.
3. Check Network Load Balancing.
4. Click Next.
5. Confirm the installation selections and click Install.
6. Confirm the installation results and click Close.
7. Open Network Load Balancing Manager. Click Start, Administrative Tools, Network Load Balancing Manager.
8. Right-click Network Load Balancing Clusters and choose New Cluster.
9. Enter the host name and click Connect.
10. Select the interface you want to cluster.
11. Click Next.
12. On the Host Parameters page, select Priority (Unique Host Identifier). This value is a unique ID for each host. Click Next.
13. On the Cluster IP Address page, click Add to enter the IP address that will be shared by all terminal servers in the farm. Click Next.
14. On the Cluster Parameters page, verify that Unicast is selected and click Next.
15. On the Port Rules page, click Edit and configure the following:
- Port Range: 3389 to 3389
- Protocols: TCP
- Filtering Mode: Multiple Host
- Affinity: None
16. Click OK.
17. Click Finish.
18. To add more hosts to the cluster, right-click the new cluster and then click Add Host to Cluster. Do this for every terminal server in the farm.
Summary
In this chapter, we discussed the features, roles, and enhancements in Windows Server 2008 Terminal Services. The first section of this chapter focused on new RDC display features, new device redirection features, and Single Sign-On. The new RDC display features discussed in this chapter include monitor spanning, support for higher resolutions, font smoothing, Display Data Prioritization, and the new Desktop Experience. Device redirection includes Plug and Play device redirection for media players and digital cameras, Microsoft Point of Service (POS) for .NET, and TS Easy Print. We rounded out the discussion of Windows Server 2008 features with the topic of Single Sign-On, which is a method of authentication that allows a user to log on only once. All these new improvements in Windows Server 2008 give users options and customization within their sessions that will ultimately improve their experience working in a terminal server environment.
We looked at roles and features included with Windows Server 2008. The section started by introducing TS RemoteApps, which allow users to access applications from their client computer and make it appear as if the application is running locally. You learned how to install the Terminal Services roles and configure the RemoteApp Programs list through TS RemoteApp Manager as well as export and import the TS RemoteApp settings from one server to another. And we explored the different ways to distribute remote applications using an MSI or RDP file or using a web browser to launch an application through TS Web Access.
This chapter also discussed securing your Terminal Server environment by utilizing TS Gateway. TS Gateway encapsulates Remote Desktop Protocol (RDP) traffic over HTTP with SSL encryption (HTTPS) and provides a secure link for authorized remote users on the Internet to access internal terminal server applications without creating a virtual private network (VPN) connection. We installed and discussed the various roles as well as how to configure a TS Gateway server through TS Gateway Manager. You learned how to obtain and configure a digital certificate for the TS Gateway server. And you learned how to create TS CAPs and TS RAPs that ensure that the client computers comply with the business's security standards.
The chapter concluded with a discussion of TS Session Broker and how to provide load balancing to the Terminal Server environment. TS Session Broker enables users to reconnect to an existing session in a load-balanced environment as well as evenly distributing the session load across the terminal servers. We explored how to configure and join a TS Session Broker farm using the Terminal Services Configuration utility. Finally, we set up two different options for load balancing with TS Session Broker: DNS load balancing and Microsoft NLB.
With all the new features, Terminal Services for Windows Server 2008 has made huge leaps over the previous versions. It is a much more appealing offering and a viable solution for many businesses. We believe Microsoft is heading in the right direction with the continuing development of Terminal Services; it will be interesting to see what the next steps in the product's evolution will be.
Exam Essentials

Know the RDC client settings. It is important to know all the client setting tabs and how to use the settings. Also remember that there are different client versions and which one works with which Terminal Services features.

Know how to use TS RemoteApps. TS RemoteApps is a great new feature in Windows Server 2008. Know how to configure and maintain the remote programs list. It's also important to know how to export and import the RemoteApp settings and the different ways to deploy the RemoteApp programs.

Know how to use TS Gateway. TS Gateway is a wonderful way to secure your Terminal Services environment. You should know how to use the TS Gateway Manager to configure and maintain the connections to the TS Gateway server. Also know how to get and configure a digital certificate for your TS Gateway server. Last, know how to configure and maintain your TS CAPs and TS RAPs.

Know TS Session Broker. Know how a user can reconnect to a session and how to set up NLB for a terminal server farm. Remember that there are different ways to accomplish load balancing with TS Session Broker and know how to configure them.
Review Questions

1. What is the default TCP port for the Remote Desktop Protocol?
   A. 1337
   B. 1494
   C. 3389
   D. 2598

2. What is the default website for TS Web Access?
   A. http://server_name
   B. http://ts
   C. http://server_name/ts
   D. http://server_name/terminal

3. What does TS Gateway require so that it can use SSL to encrypt traffic to remote clients?
   A. A valid digital certificate
   B. Digitally signed files
   C. USB token
   D. Firewall

4. When you're using TS Web Access, what version of the Remote Desktop client must the client have to establish a connection?
   A. 6.0
   B. 5.2
   C. 3.14
   D. 6.1

5. What is the name of the Windows Server 2008 feature that allows users to reconnect to a disconnected session in a load-balanced terminal server farm?
   A. TS Gateway
   B. TS Session Broker
   C. TS Web Access
   D. TS RemoteApp

6. True/False: Monitor spanning supports vertical displays.
   A. True
   B. False
7. So users can take advantage of the Aero desktop when connecting to a remote desktop, what feature must be installed on the Windows Server 2008 computer?
   A. High-performance video card
   B. Desktop Experience
   C. 2GB of memory
   D. Updated video drivers

8. True/False: One of the new features for RDC and Terminal Services for Windows Server 2008 is the ability to connect and use a USB drive after a Remote Desktop session has already been established.
   A. True
   B. False

9. When deploying a TS RemoteApp, what are the two packaging methods? (Choose two.)
   A. MSI file
   B. MSA file
   C. RDP file
   D. Zip file

10. What TCP port does TS Gateway use to create a secure connection with the remote client?
   A. 1433
   B. 443
   C. 6453
   D. 22

11. What is the command to switch the Terminal Server modes to be able to install an application?
   A. change user /execute
   B. change user /add
   C. change user /install
   D. change user /mode

12. When you're connecting to TS Gateway, what are the two types of policies that a user must match in order to gain access? (Choose two.)
   A. TS CAP
   B. TS RAP
   C. TS SSL
   D. TS CAT

13. True/False: Servers in a terminal server farm that participate in Terminal Server Session Broker Load Balancing do not have to be in the same domain.
   A. True
   B. False
14. Font smoothing is supported on which of the following operating systems? (Choose all that apply.)
   A. Windows Vista
   B. Windows Vista SP1
   C. Windows XP SP3
   D. Windows XP SP2
   E. Windows Server 2008

15. True/False: Applications listed in the TS RemoteApp Programs list are by default enabled for TS Web Access.
   A. True
   B. False

16. If the TS RemoteApp server and the TS Web Access server are separate servers, to what local group must the TS Web Access server computer account be added on the TS RemoteApp server?
   A. Remote Desktop User
   B. TS Web Access Computer Security
   C. Administrators
   D. Session Directory Computers

17. True/False: TS Session Broker requires Windows Server 2008 Enterprise Edition.
   A. True
   B. False

18. Single Sign-On is supported on which of the following operating systems? (Choose all that apply.)
   A. Windows XP
   B. Windows Vista
   C. Windows Server 2003
   D. Windows Server 2008

19. True/False: The use of ClearType decreases the bandwidth between the client computer and the terminal server.
   A. True
   B. False

20. What is the new service role for Windows Server 2008 that allows users to access applications without using a published desktop?
   A. TS RemoteApp
   B. TS Session Broker
   C. TS PublishedApp
   D. TS Gateway
Answers to Review Questions

1. C. The default port for RDP is 3389. Port 80 is the common port for HTTP traffic. Ports 1494 and 2598 are ports that Citrix Presentation Server uses. Port 1337 is not a common port associated with any application.

2. C. The default website for TS Web Access is http://server_name/ts.

3. A. The digital certificate proves the identity of a remote person or remote resource.

4. D. RDC 6.1 is required to connect to TS Web Access. RDC 6.1 is available on Windows Vista SP1, Windows XP SP3, and Windows Server 2008.

5. B. TS Session Broker allows users to reconnect to a disconnected session in a load-balanced terminal server farm.

6. B. False. Monitor spanning supports only horizontal displays (i.e., side-by-side displays).

7. B. For users to receive the Windows Vista Aero desktop, the Desktop Experience feature must be installed in Server Manager and the Windows Vista theme must be set.

8. A. True. With the Drives I Connect Later setting on the Remote Desktop client, a user can connect a USB drive after the connection has already been established.

9. B, C. In the TS RemoteApp Manager, the only two options available to package a remote application are to create an MSI file or an RDP file.

10. B. TCP port 443 is used to establish an HTTPS connection between the client and the TS Gateway server.

11. C. For an application not packaged with the MSI installer to be installed on a terminal server, the mode must be changed from execute to install. After installation is complete, the mode needs to be changed back to execute.

12. A, B. A user must match at least one policy in each of the TS CAPs and TS RAPs to gain access to the internal terminal servers.

13. B. False. All servers participating in Terminal Server Session Broker Load Balancing have to be in the same domain.

14. A, B, C, D, E. Font smoothing is available for any client running RDC 6.0.

15. A. True. To change the default setting for web access, you have to disable TS Web Access in the program's properties in TS RemoteApp Manager.

16. B. To present a published application, the TS Web Access server computer account has to be in the local security group TS Web Access Computer Security on the TS RemoteApp server.

17. B. False. TS Session Broker requires only Windows Server 2008 Standard Edition. In fact, all the terminal server roles are available with the Standard Edition.
18. B, D. To use SSO, the client must be Windows Vista or another Windows Server 2008 server, the user must have the appropriate rights to log on, and the client computer and TS server must be in the same domain.

19. B. False. ClearType can increase bandwidth usage by 4 to 10 times compared with terminal servers that have ClearType disabled.

20. A. TS RemoteApp is the new feature that publishes an individual application from the terminal server so that it appears as if it is running on the client's local computer.
Chapter 3
Terminal Services Licensing, Advanced Configuration, and Monitoring for Terminal Services

Microsoft Exam Objectives covered in this chapter:

• Configure Terminal Services licensing. May include but is not limited to: deploy licensing server, connectivity between terminal servers and Terminal Services licensing server, recovering Terminal Services licensing server, managing Terminal Services client access licenses (TS CALs)
• Configure and monitor Terminal Services resources. May include but is not limited to: allocate resources by using Windows Server Resource Manager, configure application logging
• Configure Terminal Services server options. May include but is not limited to: logoff, disconnect, reset, remote control, monitor, Remote Desktop Protocol (RDP) permissions, connection limits, session time limits, managing by using GPOs, viewing processes, session permissions, display data prioritization
• Configure Terminal Services client connections. May include but is not limited to: connecting local devices and resources to a session, Terminal Services profiles, Terminal Services home folders, Remote Desktop Connection (RDC), single sign-on, Remote Desktop Snap-In, MSTSC.exe
In the previous chapter we discussed the new features of Terminal Services for Windows Server 2008, installed various server roles, and then configured them. These roles give us the functionality we need for users to access their applications remotely, but without proper management of the server roles, a Terminal Server environment can quickly get out of hand and become an administrative nightmare. This chapter shows you how to alleviate headaches by managing TS CALs, how to perform advanced configurations on the clients and servers, and how to customize your Terminal Server environment.

In this chapter, we will cover the following topics:

• Configuring Terminal Services Licensing
• Managing through Group Policy
• Configuring global deployment settings for TS RemoteApp
• Monitoring TS Gateway using TS Gateway Manager
• Resource allocation for Terminal Services
Configuring Terminal Services Licensing

Terminal Services Licensing (TS Licensing) is one of those necessary evils that we all want to dismiss, but without proper licensing, your terminal server will stop accepting connections after a period of time. This time period depends on the OS version you are using. What TS Licensing does is manage the client access licenses (TS CALs) that are required for a user or a device to connect to a terminal server. TS Licensing in Windows Server 2008 has some new features that will ease management, enable the administrator to revoke licenses, and provide more effective ways to diagnose licensing issues.
Terminal Services Client Access Licenses (TS CALs)

There are two types of client access licenses (CALs), TS Per Device CALs and TS Per User CALs, and they must match the licensing mode that has been configured on the Terminal Services license server. With the Per Device licensing mode, a client computer connecting for the first time is issued a temporary license. At the next connection, the license server verifies that there are enough TS Per Device CALs and issues the client computer a permanent CAL. Conversely, TS Per User CALs give users the ability to connect to a terminal server from any client computer and are not enforced by the TS license server. To ensure that you are compliant with the license terms, you can use the TS Licensing Manager tool to track and generate reports of the TS Per User CALs that have been issued by the TS license server. This will be covered later in the chapter when we learn how to create TS Per User CAL usage reports.
Installing TS Licensing and TS Client Access Licenses (CALs)

To use Terminal Services, there must be at least one license server deployed in the environment. As mentioned earlier, there is a licensing grace period within which the license server will issue temporary TS CALs and does not have to be activated. The grace period begins when a terminal server accepts its first client connection and ends when the number of days in the grace period is exceeded or when the first permanent TS CAL is issued by the license server. The length of the grace period depends on the OS the terminal server is running (see Table 3.1). Before the grace period ends, the appropriate number of TS CALs must be purchased and installed. A message stating the number of days left in the licensing grace period appears in the lower-right corner of a terminal server's desktop when an administrator logs on.

Table 3.1 Licensing Grace Periods of Terminal Services by OS

Operating System          Grace Period
Windows Server 2008       120 days
Windows Server 2003 R2    120 days
Windows Server 2003       120 days
Windows 2000              90 days
Remote Desktop supports two concurrent connections for remote administration that do not require licenses.
Terminal Services License Server Discovery

Before you install a TS license server, you need to decide on the type of discovery scope you will select during the installation of the TS Licensing role service. Terminal Services license server discovery determines how the license server will be discovered by terminal servers. There are three discovery scopes available: Workgroup, Domain, and Forest. If the TS Licensing role service is being installed on a computer that is not a member of a domain, choose the Workgroup discovery scope. In this scenario, terminal servers and the license servers have to be in the same workgroup and on the same local subnet for the autodiscovery process to work. However, if the license server is later joined to a domain, the discovery scope will be changed from Workgroup to Domain.

Domain and Forest discovery scopes are available only if the TS Licensing role service is installed on servers that are domain members. For terminal servers to automatically discover a license server with the Domain discovery scope, the license server must be installed on a domain controller and the person installing the role must have domain administrator credentials. It is possible to install the TS Licensing role service on a computer that doesn't serve as a domain controller; however, the terminal servers in the domain will not automatically discover the license server. License servers configured with the Forest discovery scope are published in Active Directory Domain Services, which allows terminal servers within the same forest to discover the license server automatically. To install the license server with the Forest discovery scope, the person installing the role must have enterprise administrator credentials. Regardless of the discovery scope type, Domain or Forest, a license server issuing TS Per User CALs must be a member of the Terminal Server License Servers group.

TS servers attempt to contact license servers in the following order:

1. License servers specified in the Terminal Services Configuration tool or through GPOs.
2. License servers installed on the same computer as the TS server.
3. License servers published in Active Directory Domain Services.
4. License servers installed on domain controllers in the same domain as the TS server.
Once you have decided what type of TS CALs to use, purchased the type and number of TS CALs required in the environment, and determined the method of license server discovery, you need to ensure that the license server is supported by the terminal server OS. A terminal server running Windows Server 2008 is able to talk only to a license server running Windows Server 2008. However, a Windows Server 2008 TS Licensing Server supports terminal servers on the following operating systems:

• Windows Server 2008
• Windows Server 2003 R2
• Windows Server 2003
• Windows Server 2000
Installing TS Licensing Role Service

Now that we have discussed TS CALs and how Terminal Services License Server Discovery works, you can begin installing the TS Licensing role service (see Exercise 3.1).
Exercise 3.1
Installing TS Licensing Role Service

Follow these steps to install the TS Licensing role service:

1. Click Start > Administrative Tools > Server Manager.
2. Right-click Roles and choose Add Roles.
3. On the Select Server Roles page of the Add Roles Wizard, select Terminal Services.
4. Click Next.
5. On the Introduction to Terminal Services page, click Next.
6. On the Select Role Services page, select TS Licensing.
7. Click Next.
8. On the Configure Discovery Scope for TS Licensing page, select the appropriate discovery scope for your installation. Leave the TS Licensing database location as the default, C:\Windows\system32\LServer.
9. Click Next.
10. On the Confirm Installation Selections page, review the TS Licensing information that has been selected.
11. Click Install.
12. On the Installation Results page, verify that the TS Licensing role service installation succeeded.
13. Click Close.
Connecting to the license server in Windows Server 2008 is done through the TS Licensing Manager tool, which is automatically installed when the TS Licensing role service has been installed. However, you can manage the license server from a remote computer running Windows Server 2008 by adding the TS Licensing Manager feature from Server Manager. Exercise 3.2 demonstrates how to install TS Licensing Manager as a feature.

Exercise 3.2
Installing TS Licensing Manager as a Feature

Follow these steps to install TS Licensing Manager as a feature in Windows Server 2008:

1. Click Start > Administrative Tools > Server Manager.
2. Right-click Features and choose Add Features.
3. On the Select Features page of the Add Features Wizard, expand Remote Server Administration Tools.
4. Expand Role Administration Tools.
5. Expand Terminal Services Tools.
6. Select TS Licensing Tools.
7. Click Next.
8. On the Confirm Installation Selections page, click Install.
9. On the Installation Results page, verify that the installation of TS Licensing Tools succeeded.
10. Click Close.
11. To start TS Licensing Manager, click Start > Administrative Tools > Terminal Services > TS Licensing Manager.
Activating Terminal Services License Server

As you know, a Terminal Services license server must be activated to issue TS CALs. The activation process uses the Activate Server Wizard within the TS Licensing Manager tool. There are three methods to activate a license server:

Automatic connection  Microsoft recommends using this method to activate the license server. However, it requires an SSL connection (TCP port 443) because the license server will connect to the Microsoft Clearinghouse over the Internet.

Web browser  This method is used when the license server does not have Internet access. A URL to the Microsoft Clearinghouse is displayed in the Activate Server Wizard and accessed through a computer that does have Internet access.

Telephone  This method is used if no Internet access is available. The telephone number is displayed in the Activate Server Wizard after the appropriate country or region is selected.

The following exercise, Exercise 3.3, illustrates the process for activating a TS license server.

Exercise 3.3
Activating a TS License Server

Follow these steps to activate a TS license server:

1. Click Start > Administrative Tools > Terminal Services > TS Licensing Manager.
2. Right-click the license server that requires activation and click Activate Server. Notice that the server will have a red X and that Activation Status is set to Not Activated.
3. On the first page of the Activate Server Wizard, click Next.
4. On the Connection Method page, select the appropriate method for your environment.
5. Click Next. (From here it will depend on the method chosen. In this scenario, the chosen method is Web Browser.)
6. On the License Server Activation page, copy the product ID.
7. From a computer with Internet access, use the URL provided to go to the Terminal Server Licensing website.
8. On the Terminal Server Licensing website, select your language and activate a license server.
9. Click Next.
10. Enter all the required information.
11. Click Next.
12. Review and confirm all the information that you provided. Click Next.
13. You will now receive your license server ID, which you enter into the Terminal Server License Server Activation Wizard. Copy or print this web page so that you have the information.
14. At this point you can request the license tokens by clicking Yes. We are going to click No because we will install the tokens in Exercise 3.4.
15. Go back to the TS Licensing Manager and the Activate Server Wizard.
16. Enter the license server ID you received from the Terminal Server Licensing website. Refer to step 6 of this exercise.
17. Click Next.
18. On the Completing the Activate Server Wizard page, you will see the status message "The license server has been successfully activated." Uncheck Start Install Licenses Wizard Now, because we will install the TS CALs later.
19. Click Finish.
20. Notice that in the TS Licensing Manager, the red X has changed to a green check mark and the activation status has changed to Activated.
Installing Terminal Services Client Access Licenses

The same three methods you use when you activate a Terminal Services license server apply when installing Terminal Services client access licenses. However, when you're installing licenses, the Install Licenses Wizard retains the connection method used when you activated the license server. In our case, the connection method is web browser. The connection method can be changed in TS Licensing Manager by right-clicking the appropriate server and selecting Properties. The three methods (automatic connection, web browser, and telephone) are available under the Connection Method tab. You must have activated the TS license server and have the license code in order to install TS CALs. Exercise 3.4 walks you through the process.
Exercise 3.4
Install Terminal Services Client Access Licenses

Follow these steps to install TS CALs:

1. Start TS Licensing Manager by clicking Start > Administrative Tools > Terminal Services > TS Licensing Manager.
2. Right-click the license server and choose Install Licenses.
3. On the Welcome to the Install Licenses Wizard page, click Next. Notice that the connection method is Web Browser.
4. On the Obtain Client License Key Pack page, copy the license server ID and go to the Terminal Services Licensing website from a computer with Internet access.
5. On the Terminal Services Licensing website, select the appropriate language and select Install Client Access License Tokens.
6. Click Next.
7. Enter all the required fields, including the license server ID, and select the license program. Notice that there are a number of choices for the license program.
8. Click Next.
9. The license program you chose in step 7 determines what information will be needed on this page. Normally a license code or an agreement number is all that will be required. Also, you must select the type and quantity of TS CALs to install on the license server.
10. Click Next.
11. The web page displays a key pack ID generated by the Microsoft Clearinghouse. Make sure you keep a copy in case assistance is needed recovering TS CALs.
12. Go back to the TS Licensing Manager and the Activate Server Wizard.
13. Enter the license key pack ID you received from the Terminal Server Licensing website. Refer to step 4.
14. Click Next.
15. On the Completing the Install Licenses Wizard page, click Finish. The TS license server can now issue TS CALs to clients.
Configuring License Settings on a Terminal Server

Now that the TS license server has been installed and activated, you can specify the Terminal Services licensing mode and discovery mode. Remember, the TS licensing mode determines the type of TS CALs a terminal server requests for a connecting client; a terminal server must also be configured to match the type of TS CAL available from the TS license server. The discovery mode determines how a terminal server will find the TS license servers so it can request TS CALs for the connecting clients.
Specifying the TS Licensing Mode

The TS licensing mode can be configured in three ways. The first way is to set the licensing mode during the installation of the Terminal Services role (see Figure 3.1). The second way to configure the TS licensing mode is to use the Terminal Services Configuration tool:

1. Open the Terminal Services Configuration tool by clicking Start > Administrative Tools > Terminal Services > Terminal Services Configuration.
2. In the center frame, in the Edit settings area on the General tab, double-click User Logon Mode or right-click User Logon Mode and select Properties.
3. On the Licensing tab, specify the Terminal Services licensing mode, either Per Device or Per User. See Figure 3.2.
Figure 3.1 Specifying the licensing mode when installing the TS server role

Figure 3.2 Specifying the licensing mode from the Terminal Services Configuration tool
The third way to configure the TS licensing mode is to enable the Set the Terminal Service licensing mode group policy. It is important to note that Group Policy settings take precedence over the settings in the Terminal Services Configuration tool.

1. Open the Group Policy Management Editor. This can be done through the Local Group Policy Editor or the Group Policy Management Console.
2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Terminal Server > Licensing > Set the Terminal Service licensing mode. See Figure 3.3.
3. Double-click Set the Terminal Service licensing mode.
4. Click Enabled. See Figure 3.4.
5. Specify the licensing mode for the terminal server (Per Device or Per User).
6. Click OK.

Figure 3.3 Terminal Services licensing mode Group Policy
Specifying the TS License Server Discovery Mode

The TS license server discovery mode can be set two ways. The first way is to use the Terminal Services Configuration tool:

1. Click Start > Administrative Tools > Terminal Services > Terminal Services Configuration.
2. In the center frame, in the Edit settings area on the General tab, double-click User Logon Mode or right-click User Logon Mode and select Properties.
3. On the Licensing tab, specify the license server discovery mode. Either select Automatically Discover a License Server or identify a particular server by typing its name in the Use the Specified License Server box.
4. Click OK.

Figure 3.4 Settings for the Set the Terminal Service licensing mode Group Policy
The second way to configure the TS discovery mode is to set it with the Use the specified Terminal Services license servers group policy:

1. Open the Group Policy Management Editor. This can be done through the Local Group Policy Editor or the Group Policy Management Console.
2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Terminal Server > Licensing > Use the specified Terminal Services license servers. See Figure 3.5.
3. Double-click Use the specified Terminal Services license servers.
4. Click Enabled and enter the name of the license servers. See Figure 3.6.
5. Click OK.
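Because a Group Policy setting silently overrides whatever was chosen in Terminal Services Configuration, it helps to confirm which licensing mode and license servers are actually in effect on a terminal server. The following PowerShell script is an added example (not from the book or from Microsoft) that reads these settings; it assumes the Win32_TerminalServiceSetting WMI class in the root\cimv2\TerminalServices namespace exposes the LicensingType and PolicySourceLicensingType properties, and that the two Group Policy settings from this section are stored as the LicensingMode and LicenseServers values under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services.

```powershell
# Added example (not from the book): report the effective TS licensing mode and
# any policy-specified license servers on a Windows Server 2008 terminal server.
# Assumptions: run elevated on the terminal server; Win32_TerminalServiceSetting
# (namespace root\cimv2\TerminalServices) exposes LicensingType and
# PolicySourceLicensingType; the two Group Policy settings from this section are
# stored as the LicensingMode and LicenseServers values under the key below.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Licensing mode codes returned by Win32_TerminalServiceSetting.LicensingType
$modeNames = @{
    0 = 'Personal Terminal Server'
    1 = 'Remote Desktop for Administration'
    2 = 'Per Device'
    4 = 'Per User'
    5 = 'Not configured'
}

function Get-TsLicensingStatus {
    # Returns one object: the mode, where it was set, and policy license servers.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                        -Class Win32_TerminalServiceSetting
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    $mode = [int]$ts.LicensingType
    if ($ts.PolicySourceLicensingType) {
        # Group Policy wins over the Terminal Services Configuration tool
        $source = 'Group Policy'
    } else {
        $source = 'Terminal Services Configuration'
    }

    $servers = $null
    if ($policy -and $policy.LicenseServers) {
        # Set by "Use the specified Terminal Services license servers"
        $servers = $policy.LicenseServers
    }

    $status = New-Object PSObject
    $status | Add-Member NoteProperty LicensingMode $modeNames[$mode]
    $status | Add-Member NoteProperty ModeSource $source
    $status | Add-Member NoteProperty PolicyLicenseServers $servers
    $status
}

$status = Get-TsLicensingStatus
$status | Format-List

# Flag the condition that will stop the server accepting connections once the
# licensing grace period ends: no licensing mode chosen at all.
if ($status.LicensingMode -eq 'Not configured') {
    Write-Warning 'Licensing mode is not configured; set Per Device or Per User.'
}
if (-not $status.PolicyLicenseServers) {
    Write-Host 'No license server is set by policy; automatic discovery or the TSC setting applies.'
}
```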
Tracking the Issuance of Terminal Services Per User Client Access Licenses New to Windows Server 2008 is the ability to track the TS Per User CALs that have been issued by a TS license server. TS Per User CALs can be tracked only if the terminal server and TS license server are members of a domain. Therefore, Workgroup mode is not supported when tracking and reporting TS Per User CALs. When a user logs into a terminal server, the terminal server checks the license server mode and then checks in with the license server. The license server modifies the terminalServer attribute for the user within Active Directory and the CAL becomes associated with the user account object. This is why the license server must be a member of the Terminal Server License Servers security group in the domain because
61705c03.indd 117
6/27/08 10:51:10 AM
118
Chapter 3 Terminal Services Licensing, Advance Configuration, and Monitoring n
this group grants the right to modify user attributes within Active Directory. If a license server is going to be used in multiple domains, it must be a member of the Terminal Server License Servers group for each domain. Because the issued Per User CALs are stored in Active Directory Domain Services (AD DS), the only way to obtain the most current information is to create a report using the TS Licensing Manager. Exercise 3.5 walks you through the process of creating a report for TS Per User Cal issuance. F i g u r e 3 . 5 Specifying the Terminal Services license servers with a Group Policy
Figure 3.6 Settings for the Use the specified Terminal Services license servers Group Policy
Exercise 3.5 Creating a Report for TS Per User CAL Issuance

Follow these steps to create a TS Per User CAL issuance report:

1. Click Start > Administrative Tools > Terminal Services > TS Licensing Manager.
2. Select the license server. Right-click the server and select Create Report.
3. Click Per User CAL Usage.
4. Select how the report will search Active Directory. There are three options:
• Entire Domain. This creates a report based on the domain of which the license server is a member.
• Organizational Unit. This creates a report based on a specific OU in the domain of which the license server is a member.
• Entire Domain and All Trusted Domains. This creates a report covering the license server's domain and every domain that trusts it; a domain's data is included only if the license server is a member of the Terminal Server License Servers security group in that domain.
5. Click Create Report. The created report appears in the Reports section under the license server. The report provides the following information:
• Report date
• Report scope (domain, OU, or all trusted domains)
• TS CAL type
• Installed TS CALs
• TS CALs in use
• TS CAL availability
It is also possible to save a report as a comma-delimited file (CSV). To save the report as a CSV, right-click the report and choose Save As. Enter a filename and a location. The CSV file includes additional information about the TS Per User CALs issued, as shown in Figure 3.7:

• Issued to User
• TS CAL Version
• Expires On

Figure 3.7 CSV output for TS Per User CAL report
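Because the tracking data lives in AD DS, you can verify the two preconditions the text describes (domain membership and membership in the Terminal Server License Servers group) and cross-check the report against the directory itself. The following PowerShell is an added example, not the book's own, and uses ADSI, which is available on Windows Server 2008 without any extra module. It assumes the group name Terminal Server License Servers and the terminalServer attribute as described above, plus the msTSManagingLS, msTSExpireDate and msTSLicenseVersion attributes that the Windows Server 2008 schema extension adds; on an older schema those three attributes are simply absent and the script reports only the legacy attribute. The server name TSLIC01 in the usage lines is hypothetical.

```powershell
# Added example (not from the book). Assumes the group and attribute names named
# in the lead-in; the msTS* attributes exist only with the Server 2008 schema.

function Get-FirstValue($collection) {
    # ADSI returns an empty collection, not $null, for an unset attribute.
    if ($collection -ne $null -and $collection.Count -gt 0) { return $collection[0] }
    return $null
}

function Test-LicenseServerGroupMembership {
    # $True when the license server's computer account is a direct member of the
    # Terminal Server License Servers group in the domain that $DomainDn names.
    param([string]$LicenseServerName, [string]$DomainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$DomainDn"
    $searcher.Filter = '(&(objectCategory=computer)(sAMAccountName=' + $LicenseServerName + '$))'
    [void]$searcher.PropertiesToLoad.Add('memberOf')
    $computer = $searcher.FindOne()
    if ($computer -eq $null) { throw "Computer account $LicenseServerName not found in $DomainDn" }
    foreach ($groupDn in $computer.Properties['memberof']) {
        if ($groupDn -like 'CN=Terminal Server License Servers,*') { return $true }
    }
    return $false
}

function Get-IssuedPerUserCals {
    # One object per user that has Per User CAL data written to it; pass an OU's
    # distinguished name as $SearchBase to mirror the Organizational Unit report scope.
    param([string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.PageSize = 1000
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(|(terminalServer=*)(msTSManagingLS=*)))'
    foreach ($attr in 'sAMAccountName','terminalServer','msTSManagingLS','msTSExpireDate','msTSLicenseVersion') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    $results = @()
    foreach ($r in $searcher.FindAll()) {
        $o = "" | Select-Object User, ManagingLicenseServer, ExpiresOn, LicenseVersion, LegacyAttributeSet
        $o.User                  = [string](Get-FirstValue $r.Properties['samaccountname'])
        $o.ManagingLicenseServer = [string](Get-FirstValue $r.Properties['mstsmanagingls'])
        $o.ExpiresOn             = Get-FirstValue $r.Properties['mstsexpiredate']
        $o.LicenseVersion        = [string](Get-FirstValue $r.Properties['mstslicenseversion'])
        $o.LegacyAttributeSet    = ((Get-FirstValue $r.Properties['terminalserver']) -ne $null)
        $results += $o
    }
    return $results
}

# Usage (hypothetical server name): membership check, then the issued-CAL list
# with the CALs closest to expiry first.
if (-not (Test-LicenseServerGroupMembership -LicenseServerName 'TSLIC01')) {
    Write-Warning 'TSLIC01 is not in Terminal Server License Servers; Per User CALs will not be tracked.'
}
Get-IssuedPerUserCals | Sort-Object ExpiresOn | Format-Table -AutoSize
```

Two caveats when reading the output: the group membership check covers only direct membership in the domain you name, so repeat it per domain when one license server serves several; and after you add the computer account to the group, the license server needs a restart before it can write to user objects, because its Kerberos ticket is issued at boot.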
Revocation of Client Access Licenses

Before Windows Server 2008, there was no way to revoke issued licenses from systems that had been replaced and no way to make those licenses available immediately. Issued Per Device CALs would expire in 52 to 89 days, and only after that would they return to the available license pool. To address this, Microsoft has introduced a method to revoke licenses manually in Windows Server 2008. There are some caveats to the revocation process, however. Revocation supports only Per Device CALs, and you can revoke at most 20 percent of the Per Device CALs of a specific version at any one time. For example, if you have 100 Windows Server 2008 Per Device CALs and 50 Windows Server 2003 Per Device CALs installed on your license server, you can revoke 20 of the Windows Server 2008 CALs and 10 of the Windows Server 2003 CALs; each version's Per Device CALs can be revoked independently because the versions' pools are independent of each other. Exercise 3.6 demonstrates the revocation process for Per Device CALs. Although CAL revocation is very handy and certainly alleviates some administrative headaches, it is not a substitute for proper planning and for ensuring that there are enough CALs for your environment.
Exercise 3.6 Revocation of Per Device CALs

Follow these steps to revoke Per Device CALs:

1. Click Start > Administrative Tools > Terminal Services > TS Licensing Manager.
2. Expand the license server for which you want to revoke licenses.
3. Right-click the CAL you want to revoke and choose Revoke CAL.
4. The revoked CAL is now available. Its status has changed from Active to Revoked.
Terminal Services Licensing Diagnosis

With Windows Server 2008, Microsoft has introduced a Licensing Diagnosis tool that helps you identify possible licensing problems by analyzing and highlighting potential terminal server configuration issues. Terminal Services Licensing Diagnosis can also determine which license servers are discoverable by the terminal server, and it provides suggested resolutions for the specific problems it finds. Exercise 3.7 shows how to run the Terminal Services Licensing Diagnosis tool.
Exercise 3.7 Running Licensing Diagnosis

Follow these steps to run licensing diagnosis:

1. Click Start > Administrative Tools > Terminal Services > Terminal Services Configuration.
2. Click Licensing Diagnosis in the left pane. The Licensing Diagnosis tool automatically discovers the license servers, identifies licensing configuration problems, and displays the results. Licensing Diagnosis is split into four sections:
• Terminal Server Configuration Details displays status and configuration information for the terminal server.
• Licensing Diagnosis Information displays licensing problems and suggests resolutions.
• Terminal Services License Server Information displays the license servers that are discoverable by the terminal server.
• License Server Configuration Details displays status and configuration information about the TS license server.
How Do I Remotely Administer Windows Server 2008?

Now that you know how to install and configure Terminal Services and TS Licensing, we'll look at how you connect to remotely administer your servers running Windows Server 2008. Remote administration in Windows Server 2008 is changing. In Windows Server 2003, to remotely connect to a Terminal Services server you would use RDC with mstsc.exe /console, which gave you access to the console session on the server. With Windows Server 2008, the /console switch is ignored and replaced with the RDC switch mstsc.exe /admin, which allows you to administer the server. The /admin switch was introduced with RDC 6.1 and is available only on Windows Server 2008, Windows Vista Service Pack 1, and Windows XP Service Pack 3. To start a remote administration session, you must be a member of the Administrators group on the server. After you start your remote administration session with /admin, the following are true:

• There can be two active remote administration sessions, and they do not require a TS CAL.
• Time zone redirection is disabled.
• TS Session Broker redirection is disabled.
• Plug and Play device redirection is disabled.
• The remote session theme is changed to Windows Classic.
• Terminal Services Easy Print is disabled.
Why the change? In Windows Server 2003, all services and some user applications ran in the same session as the first user who logged on to the console, which is called Session 0. Session 0, the console session, was always the first to load and was configured with the Windows display, mouse, and keyboard drivers. After creating Session 0, the system started the Windows Session Manager (smss.exe); the Session Manager is what creates and manages all sessions. The Session Manager then started the Client-Server Runtime Subsystem (csrss.exe), which in turn invoked the Winlogon process (winlogon.exe). The Client-Server Runtime Subsystem manages all the processes and threads for all logon sessions, and Winlogon handles all user logons and logoffs and is responsible for starting the Windows shell, explorer.exe. Winlogon then launched the Local Security Authority Subsystem Service (lsass.exe) and the Service Control Manager (services.exe). The Local Security Authority Subsystem Service is responsible for enforcing the security policies on the system, and the Service Control Manager manages all the Windows services.

What does all this really mean? Here's an example. Suppose a service belonging to a particular application generates a dialog box that requires user interaction in Session 0, such as clicking OK or Cancel. The application now waits on that user interaction to proceed, and the only way to see the dialog box is to log on with /console. From the perspective of the other clients logged on to the server, the application appears to be hung when in fact it is waiting for a user response. Sharing a session between services and an interactive user also has a security cost: a process in the user's session can send window messages to windows owned by a service running as SYSTEM, which is the basis of the "shatter attack" class of local privilege escalation. To remove both problems, Microsoft made Session 0 noninteractive in Windows Server 2008, but by doing so it changed the way we administer our servers.

How are things different in Windows Server 2008? As in previous versions, the Session Manager (smss.exe) is still the first process created during the boot process. However, the Session Manager now launches a second instance of itself dedicated to Session 0. That dedicated instance launches the Windows Startup Application (wininit.exe) and a Client-Server Runtime Subsystem (csrss.exe) for Session 0 and then exits, while the Windows Startup Application continues by starting the Service Control Manager (services.exe) and the Local Security Authority Subsystem Service (lsass.exe) as well as a new process called the Local Session Manager (lsm.exe). The Local Session Manager administers Terminal Services connections for the computer. While all this is happening, a console session is also being initialized. Just as with Session 0, the Session Manager creates a new instance of itself for the console session, and that instance starts the Client-Server Runtime Subsystem and the Winlogon process (winlogon.exe). The console's Winlogon process then launches the Logon User Interface Host (logonui.exe) and displays the Ctrl+Alt+Delete logon to the user.
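You can see the split described above on a running server. The PowerShell below is an added example, not code from the book: it lists which session each of the processes named above is running in, so that the service infrastructure shows up in session 0 and one csrss/winlogon pair shows up per interactive session (an /admin connection gets its own session number, not session 0). It relies only on Get-Process, whose SessionId property comes from .NET and so works in PowerShell 1.0, and on the built-in query session command. Run it from an elevated prompt so that every process is visible.

```powershell
# Added example (not from the book). Run elevated on Windows Server 2008.

$bootProcesses = 'smss','csrss','wininit','winlogon','logonui','services','lsass','lsm','explorer'

function Get-SessionProcessMap {
    # One object per instance of the processes above, ordered by session.
    $map = @()
    foreach ($p in (Get-Process | Where-Object { $bootProcesses -contains $_.Name } | Sort-Object SessionId, Name)) {
        $o = "" | Select-Object SessionId, Name, Id
        $o.SessionId = $p.SessionId; $o.Name = $p.Name; $o.Id = $p.Id
        $map += $o
    }
    return $map
}

function Test-Session0IsNonInteractive {
    # Expected on Server 2008: wininit, services, lsass and lsm in session 0 and
    # no winlogon, logonui or explorer there. Returns $True when that holds.
    $inSession0 = @(Get-SessionProcessMap | Where-Object { $_.SessionId -eq 0 } | ForEach-Object { $_.Name })
    foreach ($name in 'wininit','services','lsass','lsm') {
        if ($inSession0 -notcontains $name) { return $false }
    }
    foreach ($name in 'winlogon','logonui','explorer') {
        if ($inSession0 -contains $name) { return $false }
    }
    return $true
}

Get-SessionProcessMap | Format-Table -AutoSize
"Session 0 is service-only: $(Test-Session0IsNonInteractive)"
query session     # lists the console session and every RDP session with its ID and state
```

On a Windows Server 2003 machine the same listing would show winlogon.exe and explorer.exe sharing session 0 with services.exe and lsass.exe, and no lsm.exe at all; on Windows Server 2008, winlogon.exe appears only in the console session and in each RDP session, and your own /admin session is one of those numbered sessions.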
Managing Terminal Services through Group Policy

A Terminal Services server is different from other servers in that it also acts as a user workstation. In the following sections, we are going to discuss how to utilize Group Policy Objects (GPOs) to help administer the Terminal Services servers in your environment. The topics we will discuss include Group Policy settings for Terminal Services, TS Gateway, TS RemoteApp, and TS Session Broker.
Group Policy Settings for Terminal Services

In this section, you'll learn about some of the generic settings for Terminal Services that will help you administer the server. These include user disconnects, remote control, RDP permissions, connection limits, and session time limits. For simplicity, the section is written with the assumption that you already know the basics of Group Policy and Active Directory configuration. All of the policies for Terminal Services can be found in Group Policy Management Editor under Computer Configuration\Administrative Templates\Windows Components\Terminal Services or under User Configuration\Administrative Templates\Windows Components\Terminal Services. There are a number of policy settings under the Terminal Services location and we will not be able to cover them all, so we will just highlight the most common settings.

We will begin by looking at the policies under Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Connections. These policies are as follows:

Automatic reconnection  Enabling this policy allows clients to reconnect automatically to a disconnected session if the network link goes down. By default, the client tries to reconnect every 5 seconds and continues trying up to 20 times. This policy should be used in conjunction with the next policy, Configure keep-alive connection interval.

Configure keep-alive connection interval  This policy is useful on unreliable networks, such as WAN links. It sets how often, in minutes, the server checks the session state. If this policy is left disabled or not configured, the server does not check the session state. See Figure 3.8.
Figure 3.8 Keep-alive connection interval properties
Set rules for remote control of Terminal Services user sessions  This sets the level of remote control allowed for a session (none, view only, or full control, each with or without the user's permission). If it's left disabled or not configured, remote control rules are determined by the Terminal Services Configuration tool. See Figure 3.9.

Restrict Terminal Services users to a single remote session  This policy can limit the resources used by limiting users to one session on the terminal server. If it's left disabled, users are allowed unlimited concurrent remote connections.

Figure 3.9 Set rules for remote control of Terminal Services user sessions properties
Some policies can be set in both Computer Configuration and User Configuration. If both policies are set, the Computer Configuration policy takes precedence.
The next set of policies that we will examine is under Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Remote Session Environment:

Limit maximum color depth  By setting this policy, you can reduce network bandwidth and also decrease the resource load on the terminal server. The setting specifies the maximum color depth allowed for a session. If Client Compatible is selected, the highest color depth supported by the client will be used. See Figure 3.10.

Figure 3.10 Properties for Limit maximum color depth
Remove "Disconnect" option from Shut Down dialog  Enabling this policy removes the Disconnect option from the Shut Down Windows dialog box. The reason for this is to prevent users from disconnecting the session instead of logging off. If a session is in a disconnected state, it continues to run and consume server resources.

After a user connects to a terminal server, it's a good idea to change their profile path and home directory. This is done through Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Profiles. These policies are as follows:

Set TS User Home Directory  Enabling this policy specifies whether Terminal Services uses a network share or a local drive for a user's home directory. You designate the location with a UNC path or a local path. If you choose On the Network, you must also specify the drive letter that the user's session maps to that share.

Use mandatory profiles on the terminal server  Enabling this policy makes the terminal server enforce a mandatory profile for all users connecting to it. If you enable this policy, you must also enable the Set path for TS Roaming User Profile policy.

Set path for TS Roaming User Profile  By default, Terminal Services stores all user profiles locally. Enabling this policy lets the administrator set a specific network path for roaming user profiles. The profile path is set as a UNC path, \\Computername\Sharename.

Moving down the policy list, the next set is under Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Session Time Limits:

Set time limit for disconnected sessions  If this policy is enabled, a time limit for disconnected sessions is set, and when the time limit is reached the session is logged off and removed from the server. The policy is useful for ensuring that resources are released on the server. See Figure 3.11.

Figure 3.11 Properties for Set time limit for disconnected sessions

Set time limit for active but idle Terminal Services sessions  Enabling this policy puts idle sessions into a disconnected state after a period of time. It's similar to the time limits that are available in the preceding policy.
Set time limit for logoff of RemoteApp sessions  Enabling this policy specifies how long a RemoteApp session remains in a disconnected state before the session is logged off. If this policy is disabled or not configured, a closed RemoteApp session is disconnected from the terminal server and stays disconnected.

Before moving on, we need to mention that the TS Session Broker policies are also available in this area. The TS Session Broker policies are located under Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\TS Session Broker. Here are the available TS Session Broker policies:

Join TS Session Broker  Enabling this policy tells the terminal server to join the farm that is specified in the Configure TS Session Broker farm name policy.

Configure TS Session Broker farm name  Enabling this policy specifies the name of the farm for TS Session Broker.

Use IP Address Redirection  Enabling this policy specifies the redirection method used when a client reconnects to an existing session. This setting applies to a terminal server that is configured to use TS Session Broker, not to the TS Session Broker server.

Configure TS Session Broker server name  Enabling this policy specifies the TS Session Broker server that the terminal servers will use to track and redirect user sessions in a load-balanced terminal server farm.

Use TS Session Broker load balancing  Enabling this policy specifies whether to use the TS Session Broker load balancing feature. It is important to note that when you enable this policy, you must also enable and configure the Join TS Session Broker, Configure TS Session Broker server name, and Configure TS Session Broker farm name policies.

To configure the TS Gateway settings through Group Policy, you must use the User Configuration settings for Terminal Services, which are located under User Configuration\Administrative Templates\Windows Components\Terminal Services\TS Gateway. Here are the available TS Gateway policies:

Enable connection through TS Gateway  Enabling this policy causes clients to attempt to connect to the TS Gateway server that is specified in the Set TS Gateway server address policy.

Set TS Gateway authentication method  Enabling this policy specifies the authentication method used when a user connects to a terminal server through a TS Gateway server. If this policy is disabled or not configured, the authentication method specified by the user is used, and if the user has not specified a method, NTLM (if it is enabled on the client) or a smart card can be used. See Figure 3.12.

Set TS Gateway server address  Enabling this policy specifies the address of the TS Gateway server that clients will use when connecting to a terminal server.
Figure 3.12 Properties for Set TS Gateway authentication method
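Once these policies are deployed, the question a reviewer asks is what a given terminal server has actually ended up with. The PowerShell script below is an added example and is not from the book: it reads the effective values of the Connections, Remote Session Environment and Session Time Limits settings discussed above and flags the combinations a security review usually objects to. The registry value names (fDisableAutoReconnect, KeepAliveEnable, KeepAliveInterval, Shadow, fSingleSessionPerUser, ColorDepth, MaxDisconnectionTime, MaxIdleTime) are what the TerminalServer.admx template writes under the Policies key, and the RDP-Tcp key is where Terminal Services Configuration stores the same settings when no policy applies; both, and the baseline itself, are assumptions you should confirm against your own template and server.

```powershell
# Added example (not from the book). Value names and baseline are assumptions
# stated in the lead-in. Policy values override the RDP-Tcp listener values.

$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$listenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-TsValue {
    # Policy value if present, else the listener value, else $null.
    param([string]$Name)
    foreach ($key in $policyKey, $listenerKey) {
        if (Test-Path $key) {
            $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($item -ne $null -and $item.PSObject.Properties[$Name] -ne $null) { return $item.$Name }
        }
    }
    return $null
}

function Get-TsSessionPolicy {
    $o = "" | Select-Object AutoReconnect, KeepAliveEnabled, KeepAliveMinutes, RemoteControl, SingleSession, ColorDepth, DisconnectLimitMin, IdleLimitMin
    $o.AutoReconnect    = ((Get-TsValue 'fDisableAutoReconnect') -ne 1)
    $o.KeepAliveEnabled = ((Get-TsValue 'KeepAliveEnable') -eq 1)
    $o.KeepAliveMinutes = Get-TsValue 'KeepAliveInterval'
    $o.RemoteControl    = Get-TsValue 'Shadow'   # 0 none; 1 full control with permission; 2 full control without;
                                                 # 3 view with permission; 4 view without
    $o.SingleSession    = ((Get-TsValue 'fSingleSessionPerUser') -eq 1)
    $o.ColorDepth       = Get-TsValue 'ColorDepth'
    # Time limits are stored in milliseconds; 0 (or absent) means never.
    $ms = Get-TsValue 'MaxDisconnectionTime'; if ($ms) { $o.DisconnectLimitMin = [int]($ms / 60000) } else { $o.DisconnectLimitMin = 0 }
    $ms = Get-TsValue 'MaxIdleTime';          if ($ms) { $o.IdleLimitMin       = [int]($ms / 60000) } else { $o.IdleLimitMin = 0 }
    return $o
}

function Test-TsSessionBaseline {
    # Returns the list of findings; an empty list means the baseline is met.
    param($Policy = (Get-TsSessionPolicy))
    $findings = @()
    if ($Policy.DisconnectLimitMin -eq 0) { $findings += 'Disconnected sessions never time out and keep consuming server resources.' }
    if ($Policy.IdleLimitMin -eq 0)       { $findings += 'Idle sessions are never disconnected; an unattended session stays logged on.' }
    if (-not $Policy.SingleSession)       { $findings += 'Users may hold multiple concurrent sessions.' }
    if ($Policy.RemoteControl -eq 2 -or $Policy.RemoteControl -eq 4) { $findings += 'Remote control is allowed without asking the user for permission.' }
    if ($Policy.AutoReconnect -and -not $Policy.KeepAliveEnabled) { $findings += 'Automatic reconnection is on but keep-alive is off, so dropped sessions are not detected.' }
    return $findings
}

Get-TsSessionPolicy | Format-List
$findings = Test-TsSessionBaseline
if ($findings.Count -eq 0) { 'Baseline met.' } else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it after a gpupdate on the terminal server; reading the Policies key directly shows you what Group Policy delivered, which is a quicker check than reopening each setting in Terminal Services Configuration, and the fallback to the RDP-Tcp key tells you what applies where no policy is set.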
Configuring Global Deployment Settings for TS RemoteApp

We have already configured the basics to publish a TS RemoteApp. In the following sections, we will discuss the options available for configuring the global deployment settings that apply to all RemoteApp programs. The following settings are global deployment settings:

• Terminal server settings
• TS Gateway settings
• Remote Desktop Protocol (RDP) settings
• Digital signature settings

Configuring Terminal Server Settings

In this section, we will discuss how to configure the following RemoteApp deployment settings:

• Server name
• RDP port
• Remote desktop access
• Access to unlisted programs
The settings in Exercise 3.8 define how users connect to a terminal server to access TS RemoteApp programs.

Exercise 3.8 TS RemoteApp Global Deployment Settings

Follow these steps to configure TS RemoteApp global deployment settings:

1. Click Start > Administrative Tools > Terminal Services > TS RemoteApp Manager.
2. In the Actions pane, click Terminal Server Settings.
3. On the Terminal Server tab under Connection Settings, you can change the server name, the RDP port, and whether or not server authentication is required.
4. Under Remote Desktop Access, check Show a Remote Desktop Connection to This Terminal Server in TS Web Access if you would like to provide a link to the full terminal server desktop through TS Web Access.
5. Under Access to Unlisted Programs, choose either Do Not Allow Users to Start Unlisted Programs on Initial Connection or Allow Users to Start Both Listed and Unlisted Programs on Initial Connection. By not allowing users to start unlisted programs, you help protect against users starting an arbitrary program from a modified RDP file: the program path in an RDP file is set on the client side, so only the allow list on the server decides whether it actually launches.
Remember, you can use Group Policy and AD DS to centralize and simplify the administration of the client settings.
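The unlisted-programs choice in step 5 is worth checking from the server side rather than trusting the dialog, because the RemoteApp model rests on the allow list. The PowerShell below is an added example, not the book's own: it reads the allow list that TS RemoteApp Manager maintains, lists every published program, and flags the weak settings, including a published executable that non-administrators can overwrite. The registry path TSAppAllowList, the fDisabledAllowList value (1 = unlisted programs allowed) and the Applications\<alias> subkeys with Name, Path and CommandLineSetting values (0 = no arguments, 1 = any arguments, 2 = fixed arguments) are assumptions about the Windows Server 2008 layout to confirm on your own server.

```powershell
# Added example (not from the book). Registry layout per the lead-in assumptions.

$allowListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList'

function Test-UsersCanWrite {
    # $True if a non-admin principal has write/modify/full rights on the executable.
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference -match 'Users$|Everyone$|Authenticated Users$' -and
            $ace.FileSystemRights -match 'Write|Modify|FullControl') { return $true }
    }
    return $false
}

function Get-RemoteAppAllowList {
    # Returns an object with UnlistedProgramsAllowed and one entry per published program.
    if (-not (Test-Path $allowListKey)) { throw 'TS RemoteApp has not been configured on this server.' }
    $root = Get-ItemProperty -Path $allowListKey
    $o = "" | Select-Object UnlistedProgramsAllowed, Programs
    $o.UnlistedProgramsAllowed = ($root.fDisabledAllowList -eq 1)
    $o.Programs = @()
    $appsKey = Join-Path $allowListKey 'Applications'
    if (Test-Path $appsKey) {
        foreach ($sub in Get-ChildItem $appsKey) {
            $app = Get-ItemProperty -Path $sub.PSPath
            $p = "" | Select-Object Alias, Name, Path, CommandLineSetting, UsersCanWrite
            $p.Alias = $sub.PSChildName; $p.Name = $app.Name; $p.Path = $app.Path
            $p.CommandLineSetting = $app.CommandLineSetting
            $p.UsersCanWrite = Test-UsersCanWrite $app.Path
            $o.Programs += $p
        }
    }
    return $o
}

function Test-RemoteAppHardening {
    # Returns findings; an empty list means nothing to report.
    param($List = (Get-RemoteAppAllowList))
    $findings = @()
    if ($List.UnlistedProgramsAllowed) { $findings += 'Unlisted programs are allowed: any path in a user-supplied RDP file will be launched.' }
    foreach ($p in $List.Programs) {
        if ($p.CommandLineSetting -eq 1) { $findings += "$($p.Alias): accepts arbitrary command-line arguments from the RDP file." }
        if (-not (Test-Path $p.Path))    { $findings += "$($p.Alias): path $($p.Path) does not exist (stale entry)." }
        if ($p.UsersCanWrite)            { $findings += "$($p.Alias): $($p.Path) is writable by non-admins; anyone could replace the published program." }
    }
    return $findings
}

$list = Get-RemoteAppAllowList
$list.Programs | Format-Table Alias, Name, Path, CommandLineSetting, UsersCanWrite -AutoSize
Test-RemoteAppHardening $list | ForEach-Object { Write-Warning $_ }
```

The argument check matters because a RemoteApp that accepts any command line lets a user pass attacker-chosen arguments to a program that runs on the server, which for many applications is enough to open or write files the RemoteApp was never meant to expose; prefer fixed arguments or none.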
Configuring TS Gateway Settings

The TS Gateway settings define how clients will connect to the TS Gateway server when using TS RemoteApp programs on the terminal server, as shown in Exercise 3.9. There are three TS Gateway settings that are configurable:

• Automatically Detect TS Gateway Server Settings
• Use These TS Gateway Server Settings
• Do Not Use a TS Gateway Server

Exercise 3.9 TS RemoteApp TS Gateway Global Deployment Settings

Follow these steps to configure TS RemoteApp's TS Gateway global deployment settings:

1. Click Start > Administrative Tools > Terminal Services > TS RemoteApp Manager.
2. In the Actions pane, click TS Gateway Settings.
3. On the TS Gateway tab, there are three server settings:
• Automatically Detect TS Gateway Server Settings. If this is selected, the client uses Group Policy settings to determine how it connects to the TS Gateway server.
• Use These TS Gateway Server Settings. This selection allows you to configure the TS Gateway server name and logon method. The server name must match the name in the SSL certificate you acquired for the TS Gateway server, or clients will not be able to validate the gateway.
• Do Not Use a TS Gateway Server. Use this selection if the clients are not accessing the terminal servers from the Internet.
Configuring RDP Settings

These RDP selections specify the settings users get when connecting to a RemoteApp, such as device and resource redirection and some display settings. Exercise 3.10 shows the available RDP selections.

Exercise 3.10 TS RemoteApp Common RDP Global Deployment Settings

Follow these steps to configure TS RemoteApp's common RDP global deployment settings:

1. Click Start > Administrative Tools > Terminal Services > TS RemoteApp Manager.
2. In the Actions pane, click Terminal Server Settings and then click the Common RDP Settings tab.
3. Under the Devices and Resources section, you can choose what will be available when a user connects to a remote session:
• Printers
• Disk drives
• Clipboard
• Smart cards
• Supported Plug and Play devices
4. Under User Experience, you can select Allow Font Smoothing as well as the color depth for the remote session.
Configuring Digital Signature Settings

The digital signature settings allow the RDP files used for RemoteApp connections to be signed with a digital certificate. By signing with a server authentication certificate (SSL certificate) or a code signing certificate, you let clients verify who published an RDP file and detect whether its settings have been tampered with since it was signed; the client warns the user when a file is unsigned or signed by a publisher it does not trust, which protects users against a modified file that points them at a rogue server or turns on device redirection. If you're already using an SSL certificate for a terminal server or TS Gateway server, you can use the same certificate to sign the RDP files. Exercise 3.11 explains how to configure the TS RemoteApp Digital Signature global deployment settings.
Exercise 3.11 TS RemoteApp Digital Signature Global Deployment Settings

Follow these steps to configure TS RemoteApp Digital Signature global deployment settings:

1. Click Start > Administrative Tools > Terminal Services > TS RemoteApp Manager.
2. In the Actions pane, click Digital Signature Settings.
3. Select Sign with a Digital Certificate.
4. In the Digital Certificate details box, click Change.
5. In the Select Certificate dialog box, choose the certificate you want to use.
Monitoring TS Gateway Using TS Gateway Manager

After completing the configuration options for the client connections to TS Gateway, it is important to know how to monitor active connections and look for errors specific to the TS Gateway server. This discussion will be focused on the events that will be logged and how to view active connections using TS Gateway Manager. The discussion will be split into the following topics:

• Specifying TS Gateway events to log
• Viewing details about active connections through a TS Gateway server
Specifying TS Gateway Events to Log

TS Gateway Manager is used to specify the types of events that will be monitored, and when an event does occur, it can be viewed with Windows Event Viewer. TS Gateway server events are located under Applications and Services Logs\Microsoft\Windows\TerminalServices-Gateway. Exercise 3.12 shows how to select which events will be logged as TS Gateway events.

Exercise 3.12 Specifying TS Gateway Events to Log

Follow these steps to specify which TS Gateway events are logged:

1. Click Start > Administrative Tools > Terminal Services > TS Gateway Manager.
2. Select the TS Gateway server.
3. Right-click the name of the server and choose Properties.
4. On the Auditing tab, select the appropriate events to monitor.
Table 3.2 shows the name, description, and event ID of the various TS Gateway event types.

Table 3.2 TS Gateway Event Types

Event Name | Event ID | Description
Successful Connection Authorization | 200 | The client met the conditions of one TS CAP and connected successfully.
Failed Connection Authorization | 201 | The client could not connect because it did not meet the conditions of any TS CAP.
Successful Resource Authorization | 300 | The client met the conditions of one TS RAP and connected successfully.
Failed Resource Authorization | 301 | The remote client could not connect to the specified computer because no TS RAP is configured to allow the user access to it.
Successful User Connection to the Resource | 302 | The remote client successfully connected to a computer.
Successful User Disconnection from the Resource | 303 when the client disconnects from the resource; 202 when an administrator disconnects the client | This event lets you verify the user's session time and the amount of data (in kilobytes) sent and received by the remote client through the TS Gateway server.
Failed User Connection to the Resource | 304 | The client met the conditions for the TS CAP and TS RAP but could not connect to the computer because it was unavailable.
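Table 3.2 is most useful when something reads the log for you. The PowerShell below is an added example, not from the book: it pulls the authorization events with wevtutil, which ships with Windows Server 2008, and flags any user and client address that fails connection authorization (event 201) repeatedly within a short window, which is what a password-guessing attempt against the gateway looks like. The log name is the one the text gives and the event IDs are those in Table 3.2; the event XML layout (UserData/EventInfo with Username and IpAddress elements) is an assumption to confirm against one of your own events, and the sample events embedded in the script are constructed for the example, not captured from a real server.

```powershell
# Added example (not from the book). Event XML layout is an assumption; the
# sample events below are constructed, not captured. Event IDs are from Table 3.2.

function Get-GatewayEventXml {
    # Live query: the newest $Count failed-authorization events as XML fragments.
    param([int]$Count = 500)
    $log = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
    $query = '*[System[(EventID=201 or EventID=301 or EventID=304)]]'
    $lines = & wevtutil qe $log "/q:$query" /f:xml /rd:true "/c:$Count"
    return [string]::Join('', $lines)
}

function Find-GatewayAuthFailures {
    # Groups event 201 by user and client address and returns every group with
    # at least $Threshold failures inside any span of $WindowMinutes.
    param([string]$EventXml, [int]$Threshold = 5, [int]$WindowMinutes = 10)
    $doc = [xml]('<Events>' + $EventXml + '</Events>')
    $groups = @{}
    foreach ($e in @($doc.Events.Event)) {
        $id = $e.System.EventID
        if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # element form when a Qualifiers attribute is present
        if ([int]$id -ne 201) { continue }
        $key = $e.UserData.EventInfo.Username + ' from ' + $e.UserData.EventInfo.IpAddress
        if (-not $groups.ContainsKey($key)) { $groups[$key] = @() }
        $groups[$key] += [datetime]$e.System.TimeCreated.SystemTime
    }
    $hits = @()
    foreach ($key in $groups.Keys) {
        $times = @($groups[$key] | Sort-Object)
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            $span = $times[$i + $Threshold - 1] - $times[$i]
            if ($span.TotalMinutes -le $WindowMinutes) {
                $o = "" | Select-Object Source, Failures, FirstSeen, LastSeen
                $o.Source = $key; $o.Failures = $times.Count
                $o.FirstSeen = $times[0]; $o.LastSeen = $times[$times.Count - 1]
                $hits += $o
                break
            }
        }
    }
    return $hits
}

# Constructed sample: five 201 failures for one user within three minutes, one for another.
$sample = ''
$n = 0
foreach ($pair in @(@('CORP\jdoe','203.0.113.10'), @('CORP\jdoe','203.0.113.10'), @('CORP\jdoe','203.0.113.10'),
                    @('CORP\jdoe','203.0.113.10'), @('CORP\jdoe','203.0.113.10'), @('CORP\asmith','198.51.100.7'))) {
    $time = ([datetime]'2008-06-27T10:51:00Z').AddSeconds(30 * $n).ToString('s')
    $sample += "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>201</EventID>" +
               "<TimeCreated SystemTime='$time'/></System><UserData><EventInfo xmlns='aag'>" +
               "<Username>$($pair[0])</Username><IpAddress>$($pair[1])</IpAddress></EventInfo></UserData></Event>"
    $n++
}
Find-GatewayAuthFailures -EventXml $sample -Threshold 5 -WindowMinutes 10 | Format-Table -AutoSize
# Against the live log (run elevated): Find-GatewayAuthFailures -EventXml (Get-GatewayEventXml)
```

With the constructed sample the function reports one source, CORP\jdoe from 203.0.113.10, and nothing for the single failure from the other user. Event 301 deserves the same treatment for a different reason: a user who passes the TS CAP but keeps failing the TS RAP is an authenticated account probing for computers it is not allowed to reach.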
Viewing Details about Active Connections through a TS Gateway Server

Another use of TS Gateway Manager is to view detailed information about the user connections that have been granted access. Administrators can use the information displayed in TS Gateway Manager to troubleshoot specific user connection issues. Exercise 3.13 details the steps to view user connection information through TS Gateway Manager as well as the type of information that is displayed.

Exercise 3.13 Viewing User Connection Information through TS Gateway Manager

1. Click Start > Administrative Tools > Terminal Services > TS Gateway Manager.
2. Select the TS Gateway server.
3. Expand the server and select Monitoring. In the Results pane, a summary of the number of connections is displayed. When you select a connection, the connection detail appears in the lower pane. From here you can also right-click a connection to disconnect that connection or all of that user's connections.
4. To refresh the connections display, click Refresh in the Actions pane.

The following information is displayed in the Monitoring pane:

• Connection ID
• User ID
• User Name
• Connected On
• Connection Duration
• Idle Time
• Target Computer
• Client IP Address
• Target Port
Resource Allocation for Terminal Services

Windows System Resource Manager (WSRM) is a feature of Windows Server 2008 that can control how CPU and memory resources are allocated to applications, services, and processes. WSRM is not a feature of Terminal Services, but if it's used on a terminal server, the ability to control resource allocation gives users a better experience. This is accomplished through resource allocation policies that determine how computer resources are used. Note that WSRM enforces a policy only while total processor use is above 70 percent; below that, processes run unconstrained. When installed on a terminal server, WSRM presents two policies:

Equal_Per_User  CPU allocation is divided into equal shares among the users, and the processes created by a user can consume only as much as the total CPU allocation reserved for that user.

Equal_Per_Session  New to Windows Server 2008, this policy allocates an equal share of CPU resources to each user session.

For example, suppose one user has two sessions running on the same terminal server and a second user has one session. When you use the Equal_Per_User resource allocation policy, the user with two sessions gets the same amount of CPU resources as the user with only one session. If you use the Equal_Per_Session resource allocation policy, the user with two sessions receives twice the CPU resource allocation of the user with only one session. Exercise 3.14 walks through the process of installing Windows System Resource Manager.

Exercise 3.14 Installing Windows System Resource Manager
Follow these steps to install Windows System Resource Manager:

1. Click Start > Administrative Tools > Server Manager.
2. Right-click Features.
3. Select Add Features.
4. On the Select Features page, select Windows System Resource Manager.
5. A dialog box appears stating that Windows Internal Database also needs to be installed.
6. Click Add Required Features.
7. Click Next.
8. On the Confirm Installation Selections page, click Install.
9. On the Installation Results page, click Close.
Exercise 3.15 demonstr ates how to configure WSRM for Terminal Services by setting either the Equal_Per_User or the Equal_Per_Session resource allocation policy.

Exercise 3.15 Configuring WSRM for Terminal Services

Follow these steps to configure WSRM for Terminal Services:

1. Click Start > Administrative Tools > Windows System Resource Manager.
2. On the Connect to Computer page, select This Computer. Click Connect.
3. Expand the Resource Allocation Policies node.
4. Right-click Equal_Per_User or Equal_Per_Session, and then click Set as Managing Policy.
5. A dialog box appears warning that the calendar will be disabled. Click OK.
Summary

In this chapter, we examined various aspects of TS license servers as well as the different deployment configurations for TS RemoteApps. We started the chapter by looking at the various configuration aspects of a TS license server, and then we examined TS CALs and the differences between TS Per User CALs and TS Per Device CALs. Next we discussed the temporary grace period prior to activating a TS license server. After that we studied the TS license server discovery process for workgroups, domains, and forests. After we discussed the various aspects of TS CALs and the discovery process, we moved on to the actual installation and activation of a TS license server. We first walked through the process of installing the TS Licensing service role and the installation of the TS Licensing Manager tool. We then stepped through the process of activating the TS license server and installing the appropriate TS CALs. Next we looked at the TS Licensing discovery mode and the different ways to configure it. You then learned how to track and report TS Per User CALs and how to revoke TS Per Device CALs. We looked at some of the more common GPO settings and what value they provide. After that we looked at the different configuration options in the Terminal Server settings, TS Gateway settings, and RDP settings. Finally, we looked at how to monitor TS Gateway and how to control resource allocation in Terminal Services through Windows System Resource Manager.
Exam Essentials
Know the features of Terminal Services licensing. Understand all the different discovery options and the processes to activate the server and TS CALs.
Know TS remote program settings. It is important to understand all the different configuration options that are available in TS RemoteApp Manager.
Know TS Gateway monitoring and events. Remember how to set the event logging features and where to find the events when they occur.
Know Windows System Resource Manager (WSRM). Understand how WSRM is used in a Terminal Services server environment.
Review Questions
1. Which of the following operating systems has the incorrect licensing grace period?
A. Windows Server 2008 - 120 days
B. Windows Server 2003 - 120 days
C. Windows Server 2003 R2 - 120 days
D. Windows Server 2000 - 120 days
2. What are the three ways to activate a TS license server? (Choose three.)
A. Telephone
B. Purchasing the licensing from a retail store
C. Web browser
D. Automatic connection
3. When viewing user connections through TS Gateway Manager, which of the following information will be displayed? (Choose all that apply.)
A. Connection ID
B. Idle Time
C. Client IP Address
D. User Name
E. Target Computer
4. When configuring the TS Session Broker group policy Use TS Session Broker load balancing, which of the following Group Policy settings must also be configured? (Choose three.)
A. Join TS Session Broker
B. Configure TS Session Broker server name
C. Configure TS Session Broker farm name
D. Use IP Address Redirection
5. TS Licensing Manager can create a TS Per User CAL issuance report by all of the following organizational specifications except which one?
A. Organizational unit
B. Entire domain
C. Workgroup
D. Entire domain and all trusted domains
6. True/False: To remotely administer Windows Server 2008, the following command is used: mstsc.exe /console.
A. True
B. False
7. True/False: The revocation process works on all TS Per User CALs.
A. True
B. False
8. In TS RemoteApp Manager, it is possible to set the properties a user will receive when connecting to a RemoteApp. Which of the following is not configurable in TS RemoteApp Manager?
A. Supported Plug and Play devices
B. Disk drives
C. COM port
D. Printers
9. When using TS RemoteApp Manager to configure the deployment settings, where can you set the RDP port?
A. Terminal Server tab
B. TS Gateway tab
C. Digital Signature tab
D. Common RDP Settings tab
10. Which Windows System Resource Manager resource allocation policy is new to Windows Server 2008 Terminal Services?
A. Equal_Per_Process
B. Equal_Per_User
C. Equal_Per_IISAppPool
D. Equal_Per_Session
11. What are the two ways the Terminal Services discovery mode can be set? (Choose two.)
A. Through the Terminal Services Configuration tool
B. Through TS Licensing Manager
C. Through the Group Policy Management Console
D. Through TS Gateway Manager
12. What is the maximum percentage of Per Device CALs that can be manually revoked?
A. 25%
B. 20%
C. 10%
D. 15%
13. True/False: A TS license server can be remotely administered from any other server running Windows Server 2008.
A. True
B. False
14. How many concurrent administration sessions can be active without requiring a TS CAL?
A. 1
B. 2
C. 3
D. 4
15. True/False: All events for TS Gateway are viewed in the TS Gateway Manager.
A. True
B. False
16. True/False: The GPO Set time limit for disconnected sessions deletes a session when the time limit has been reached.
A. True
B. False
17. Which two discovery scopes are available only if the TS Licensing role service is installed on servers that are domain members? (Choose two.)
A. Workgroup
B. Domain
C. Forest
18. In TS Licensing Manager, what does a red X on the license server indicate?
A. The server has been activated.
B. The server has not been activated.
C. The server is out of licenses.
D. The server must be restarted.
19. In what order should the following options be placed to indicate the order in which terminal servers attempt to contact a license server?
A. License server installed on the same computer as the TS server
B. License servers published in Active Directory Domain Services
C. License servers listed in the Terminal Services Configuration tool or group policies
D. License servers installed on domain controllers in the same domain as the TS server
20. Regardless of the discovery scope type, Domain or Forest, a license server issuing TS Per User CALs must be a member of which AD security group?
A. Administrators
B. Remote Desktop Users
C. Terminal Server License Servers
D. Windows Authorization Access Group
Answers to Review Questions
1. D. Windows Server 2000 has only a 90-day grace period before the licensing server becomes inactive. The grace period for all the other operating systems is correct.
2. A, C, D. A licensing server can be activated by automatic connection through the Internet, by using a web browser to activate the product ID through a website, or by calling the Microsoft Clearinghouse by telephone.
3. A, B, C, D, E. All of the information listed is displayed when you're viewing user connections through TS Gateway Manager.
4. A, B, C. The Join TS Session Broker, Configure TS Session Broker server name, and Configure TS Session Broker farm name settings must also be configured and enabled when the Use TS Session Broker load balancing group policy is configured. Use IP Address Redirection selects the redirection method used with TS Session Broker; it is not required to enable load balancing.
5. C. TS Per User CAL reporting supports only license servers that are in a domain.
6. B. With Remote Desktop Connection 6.1, the /console switch has been replaced with /admin.
7. B. The revocation process works only on TS Per Device CALs, not TS Per User CALs.
8. C. Supported Plug and Play devices, disk drives, and printers are configurable in TS RemoteApp Manager. COM port connections are configured in Terminal Services Configuration.
9. A. The Terminal Server tab in the deployment settings is where the RDP port can be changed. All the other tabs are used for other configuration settings.
10. D. Equal_Per_Session allocates an equal share of CPU resources to each user session and is new to Windows Server 2008 Terminal Services. Equal_Per_Process and Equal_Per_IISAppPool are not Terminal Services specific.
11. A, C. The two ways to set the discovery mode are through the Terminal Services Configuration tool or the Group Policy Management Console. TS Licensing Manager is incorrect because it manages the license server itself. TS Gateway Manager has nothing to do with the terminal server license server discovery process.
12. B. The revocation process supports only Per Device CALs, and only a maximum of 20 percent of a specific version of a CAL can be revoked.
13. A. Managing the license server from a remote computer running Windows Server 2008 can be done by adding the Remote Server Administration Tools feature for Terminal Services from Server Manager.
14. B. Remote Desktop supports two concurrent connections that do not require licenses for remote administration.
15. B. All TS Gateway events are viewed with Windows Event Viewer and are located under Applications and Services Logs\Microsoft\Windows\TerminalServices-Gateway.
16. A. When this policy is enabled, disconnected sessions that reach the time limit are deleted from the server. The policy is useful to ensure that resources are released on the server.
17. B, C. Domain and Forest discovery scopes are available only if the TS Licensing role service is installed on servers that are domain members. However, if a licensing server with the Workgroup discovery scope is later joined to a domain, the discovery scope changes from Workgroup to Domain.
18. B. A red X indicates that the license server has not been activated. Once the server has been activated, the icon changes to a green check mark.
19. C, A, B, D. Terminal servers first attempt to contact the license servers listed in the Terminal Services Configuration tool or group policies. Next, they try to contact a license server installed on the same computer as the TS server. Then they try to contact license servers published in Active Directory Domain Services. Finally, terminal servers try to contact a license server installed on a domain controller in the domain.
20. C. When a user logs into a terminal server, the terminal server checks with the license server, and the license server then modifies the terminalServer attribute for the user within Active Directory. The CAL then becomes associated with the user account object. This is why the license server must be a member of the Terminal Server License Servers security group in the domain: this group grants the right to modify that user attribute within Active Directory.
Chapter 4: Configuring Web Services Infrastructure
Microsoft Exam Objectives covered in this chapter:
- Configure Web applications. May include but is not limited to: directory-dependent; publishing; URL-specified configuration; Microsoft .NET components, for example, .NET and aspx; configure application pools
- Manage Web sites. May include but is not limited to: migrate sites and Web applications; publish IIS Web sites; configure virtual directories
- Configure a File Transfer Protocol (FTP) server. May include but is not limited to: configure for extranet users; configure permissions
- Configure Simple Mail Transfer Protocol (SMTP). May include but is not limited to: setting up smart hosts; configuring size limitations; setting up security and authentication to the delivering server; creating proper service accounts; authentication; SMTP relay
Windows Server 2008 introduces a new version of Internet Information Services (IIS). IIS 7.0 has a completely new management interface, is more flexible, and is more tightly integrated with the .NET Framework. This chapter covers how to configure and manage websites, FTP services, and Simple Mail Transfer Protocol (SMTP) servers. This chapter covers the following topics:
- Configuring Web applications
- Configuring a File Transfer Protocol (FTP) Server
- Configuring Simple Mail Transfer Protocol (SMTP)
Configuring Web Applications
At the heart of IIS are web applications. A web application may not be what you think it is. In IIS 7.0, a web application is a collection of files that delivers content. It may be a virtual directory with a specific set of files and configuration. Although there are a lot of complex and advanced things IIS can do, creating and managing websites are the most basic tasks. Previous versions of IIS all had very similar management interfaces, and the transition between versions was fairly smooth for administrators because even though the inner workings of IIS changed, the changes to the management interface were not that significant. In this version, however, both have changed significantly. The first change that takes some getting used to is that IIS is now based on small, single-purpose loadable components called modules. Modules are loaded to add features and functionality, and they are installed as role services in Server Manager. Rather than building all of the functionality of IIS into just a couple of core modules, Microsoft provided over 30 built-in modules. Using modules instead of a monolithic stack has several advantages:
- It's easier for administrators to control which modules should be running.
- Modules can be replaced with custom modules to change behavior and/or add features.
- Security improves when unnecessary modules are removed, because code that is not loaded exposes no vulnerabilities to requests.
- There is less administrative and system resource overhead when unnecessary modules are removed.
To find out more about the available IIS 7.0 modules, go to http://learn.iis.net/page.aspx/101/introduction-to-iis7-architecture/.
First, determine the type of web applications and the functions required. Then, during the installation of IIS, select the required modules. The second change that takes some getting used to is that all of the IIS configuration is now stored in XML-based files. Gone is the notorious metabase, which made running a web farm on previous versions of IIS complex and difficult. The following list describes the main configuration settings and the file each is stored in:
- Global (computer-wide) settings: %windir%\system32\inetsrv\config\ApplicationHost.config. Its main section groups are:
  - system.applicationHost. Contains configuration settings for sites, applications, virtual directories, and application pools.
  - system.webServer. Contains configuration settings such as security, HTTP compression, and logging.
- .NET Framework configuration:
  - %windir%\Microsoft.NET\Framework\<version>\config\machine.config. Contains settings for the entire server. The settings are inherited by all other .NET configuration files, including IIS configuration files.
  - %windir%\Microsoft.NET\Framework\<version>\config\web.config. Defines the default settings for individual websites, web applications, or directories.
- ASP.NET, website, application, and directory settings: Web.config (in the root of each website or directory). Lets you define settings for individual websites, web applications, or directories. You can store this file in the same directory as the application code and content. Settings inherited from higher levels can be overridden here unless a higher level has locked them.
- FTP settings:
  - The original FTP service stores its settings in the IIS 6.0-style metabase.bin.
  - The updated FTP service (the separately downloaded FTP Publishing Service for IIS 7.0) stores its settings in %windir%\system32\inetsrv\config\ApplicationHost.config.
Knowing where settings are stored is important as you dig further into configuration tasks. It helps to determine how settings affect one another and which object must be configured.
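Because the settings now live in plain XML, they can be read with any XML-aware tool. The following PowerShell script is an added example (not from the book) that reads the system.applicationHost section of applicationHost.config and lists every site with its bindings, the application pool of its root application, and whether the site root carries its own Web.config. The constructed sample, the second site, its pool and its paths are assumed values; with -SampleOnly the script parses the sample so it can run on a machine without IIS.

```powershell
# Added example, not from the book: list every site in applicationHost.config
# with its bindings, application pool and whether the site root carries its
# own Web.config. Run with -SampleOnly to parse the constructed sample below
# on a machine that has no IIS installed.
param([switch]$SampleOnly)

# Constructed sample in the layout of a real applicationHost.config; names,
# paths and the second site are assumed values.
$sample = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="HelpDeskPool" managedRuntimeVersion="v2.0" managedPipelineMode="Integrated" />
    </applicationPools>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/">
          <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
        </application>
        <bindings>
          <binding protocol="http" bindingInformation="*:80:" />
        </bindings>
      </site>
      <site name="Help Desk" id="2">
        <application path="/" applicationPool="HelpDeskPool">
          <virtualDirectory path="/" physicalPath="C:\inetpub\helpdesk" />
        </application>
        <bindings>
          <binding protocol="http" bindingInformation="*:80:helpdesk.mcts.local" />
          <binding protocol="https" bindingInformation="192.168.19.91:443:" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
'@

if ($SampleOnly) {
    [xml]$cfg = $sample
} else {
    $file = Join-Path $env:windir 'system32\inetsrv\config\applicationHost.config'
    [xml]$cfg = Get-Content -Path $file
}

$appHost = $cfg.configuration.'system.applicationHost'
$pools   = @($appHost.applicationPools.add | ForEach-Object { $_.name })

foreach ($site in $appHost.sites.site) {
    # The application at path "/" is the site root; its "/" virtual directory
    # holds the physical path. An application without an applicationPool
    # attribute runs in DefaultAppPool.
    $rootApp  = $site.application | Where-Object { $_.path -eq '/' }
    $rootVdir = $rootApp.virtualDirectory | Where-Object { $_.path -eq '/' }
    $physical = [Environment]::ExpandEnvironmentVariables($rootVdir.physicalPath)
    $pool     = if ($rootApp.applicationPool) { $rootApp.applicationPool } else { 'DefaultAppPool' }

    foreach ($b in $site.bindings.binding) {
        # bindingInformation is IP:port:hostheader. "*" means every address on
        # the server; an empty host header means the site answers for any name.
        $ip, $port, $hostHeader = $b.bindingInformation -split ':'
        New-Object PSObject -Property @{
            Site       = $site.name
            Protocol   = $b.protocol
            IP         = $ip
            Port       = $port
            HostHeader = $hostHeader
            AppPool    = $pool
            PoolExists = ($pools -contains $pool)
            WebConfig  = (Test-Path "$physical\web.config")
        } | Select-Object Site, Protocol, IP, Port, HostHeader, AppPool, PoolExists, WebConfig
    }
}
```

Saved as a .ps1 file, the script is run as .\Get-IisSites.ps1 -SampleOnly to see the sample, or without the switch on a web server to read the live file (reading applicationHost.config requires administrative rights). The WebConfig column is the quick way to spot a site whose content folder carries settings that override the server defaults.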
Installing IIS 7.0
Installing IIS 7.0 is similar to installing other Windows Server 2008 roles. The process is started from within Server Manager, and the Add Roles Wizard is used to select the Web Server (IIS) role. If any dependent feature or role service is required, you will be prompted to add it. Exercise 4.1 walks through the basic installation of IIS.
Exercise 4.1
Installing IIS 7.0
Follow these steps to install Internet Information Services (IIS) 7.0:
1. Click Start > Administrative Tools > Server Manager.
2. From the Action menu, choose Add Roles.
3. Click Next on the Before You Begin window.
4. Select Web Server (IIS) from the list of available roles.
5. Click Add Required Features in the dialog box that prompts you to add the features required to support IIS.
6. Click Next on the Select Server Roles page.
7. Click Next on the Web Server (IIS) page.
8. On the Select Role Services page, select any additional role services and any required dependencies (for example, FTP or ASP.NET) that will be needed, and click Next.
9. Click Install and wait for the installation to complete.
10. Click Close.
Testing the installation is as simple as opening a web browser and typing in http://127.0.0.1. During the installation of IIS 7, a default web page is added to the root directory of the Default Web Site. As shown in Figure 4.1, the displayed default web page confirms that the installation was successful.
Creating and Configuring Websites
Once IIS is installed, the server is able to serve web content to clients. A default website is created when IIS is installed. It can be modified and used to serve content, and additional websites can be created as long as each site has a unique binding. A basic binding consists of an IP address and a TCP port. The well-known port for Hypertext Transfer Protocol (HTTP), the protocol used to transfer web pages, is 80, and the well-known port for HTTP over SSL/TLS (HTTPS) is 443. HTTPS uses a server certificate to authenticate the server to the client and to encrypt the data exchanged with the website. When a website is hosted on TCP port 80, no port needs to be specified in the web browser, because port 80 is assumed if none is specified. The Default Web Site, created during the installation, is set to bind to port 80 on all IP addresses assigned to the server that aren't already bound to another website. A binding configures the server to listen for client requests on that IP address and port. The Default Web Site bindings, which include the IP addresses and ports the site is bound to, are shown in Figure 4.2.
Figure 4.1 The displayed default web page confirming installation was successful
Figure 4.2 Default Web Site bindings
Creating a New Website from Internet Information Services (IIS) Manager To create a new website from Internet Information Services (IIS) Manager, select the Sites node underneath the local server from the Connections pane and then click the Add Web Site option in the Actions pane. You will be prompted to provide a name for the website, the path to where the content will be stored, and the IP binding information.
When you’re adding websites to a server, you will need to provide a unique binding from other websites that are already configured. It is possible to bind additional sites at other unused TCP ports; however, this is not a recommended solution, especially for websites accessible from the Internet. In most cases, another IP address can be added to the network adapter of the server, and that IP address can be bound to the new site. For example, WebServer1 has a base IP address of 192.168.19.66 and the Default Web Site is already hosting content. To add another site, you can add another available IP address to the server, like 192.168.19. 91, and then the new website can be created with a binding for the new IP address and port 80, as shown in Figure 4.3. Fi g u r e 4 . 3 Viewing website bindings
Using Host Headers
There is one more way to create a unique binding: host headers. Host headers allow multiple sites to share a single IP address and port, for sites that do not require HTTPS. IIS listens for connections on the assigned IP address and port and then inspects the host name from the requested Uniform Resource Locator (URL), which the browser sends in the HTTP Host header. It then directs the request to the website whose binding carries that host name. Since host headers rely on the name in the URL, the name of the site must resolve in DNS to the server's IP address. Many low-cost web-hosting companies employ host headers to reduce the number of IP addresses that are needed. As mentioned, however, HTTPS does not support host headers on IIS 7.0, because the TLS handshake, and with it the choice of certificate, completes before the Host header can be read; if any site on the server requires HTTPS, it should be assigned a dedicated IP address. In Exercise 4.2, you will create a second website using host headers for a help desk application called helpdesk.mcts.local on an internal web server. The DNS entry for helpdesk.mcts.local has already been created.
Exercise 4.2
Creating a Site Using Host Headers
Follow these steps to create a site using host headers:
1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.
2. In the Connections pane, select Sites under the server name.
3. In the Actions pane, click Add Web Site.
4. In the Add Web Site dialog box, type the following information:
   - Site name: Help Desk
   - Physical Path: C:\inetpub\helpdesk
   - Host name: helpdesk.mcts.local
5. Click OK.
Configuring Virtual Directories
Virtual directories are directories underneath the root of the site. They might contain distinct web applications or just additional content, much like directories on a hard drive. If the root site is www.microsoft.com, a virtual directory might be /windows. To connect to this virtual directory and view the content, end users would specify www.microsoft.com/windows. Virtual directories can be located on a different drive or network share than the root of the site, and certain configuration settings can be adjusted. Virtual directories can also be nested; for example, at www.microsoft.com/windows/downloads, /downloads is a nested virtual directory underneath the /windows virtual directory. To create a virtual directory, do this in the Connections pane:
1. Right-click the website or virtual directory underneath which you're creating the new virtual directory.
2. Choose Add Virtual Directory.
3. From there, you will be prompted to provide a virtual directory name and the physical path to the files.
Similar to virtual directories in function are web applications. They are created in the same way, although unlike virtual directories, applications contain code as well as content. To configure how the code will run, you create an application in IIS.
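Everything IIS Manager does in Exercise 4.2 and in the virtual-directory steps above can also be done with appcmd.exe, the command-line tool installed with IIS 7.0, which is handy for scripting a server build. The following PowerShell script is an added example, not from the book: it creates the host-header site, adds an HTTPS binding on a dedicated address, and then adds a virtual directory and an application beneath the site. The site name, host name and physical paths come from the exercise; the 192.168.19.91 address, the D:\content\downloads folder and the /tracker application are assumed values.

```powershell
# Added example, not from the book: the site from Exercise 4.2 plus a
# virtual directory and an application, created with appcmd.exe instead of
# IIS Manager. The IP address, the D: path and /tracker are assumed.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

# 1. Host-header site. A binding is protocol/IP:port:hostheader; "*" means
#    every address on the server, so this site shares port 80 with the
#    Default Web Site and is selected by the Host header alone.
& $appcmd add site "/name:Help Desk" "/physicalPath:C:\inetpub\helpdesk" `
    "/bindings:http/*:80:helpdesk.mcts.local"

# 2. HTTPS binding on a dedicated address with an empty host header: the TLS
#    handshake completes before IIS 7.0 can read the Host header, so HTTPS
#    sites need their own IP:port. The certificate is attached to that
#    IP:port separately (Edit Site Binding in IIS Manager, or
#    netsh http add sslcert).
& $appcmd set site "Help Desk" "/+bindings.[protocol='https',bindingInformation='192.168.19.91:443:']"

# 3. Virtual directory: more content under /downloads, here on another
#    drive, but still part of the root application.
& $appcmd add vdir "/app.name:Help Desk/" /path:/downloads "/physicalPath:D:\content\downloads"

# 4. Application: code with its own configuration boundary at /tracker.
& $appcmd add app "/site.name:Help Desk" /path:/tracker "/physicalPath:C:\inetpub\helpdesk\tracker"

# 5. Check the result. Every site needs a binding no other site uses; a site
#    whose binding collides with a running site fails to start.
& $appcmd list site
& $appcmd list vdir "/app.name:Help Desk/"
& $appcmd list app "/site.name:Help Desk"
```

The script must run from an elevated PowerShell prompt, since appcmd writes to applicationHost.config. Note that the application in step 4 inherits the root application's pool; the section on application pools later in this chapter covers moving it into a pool of its own.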
Configuring Redirection
Redirection is used to send users from one site or URL to a new URL. In previous versions of IIS, redirecting a site or directory was as easy as modifying the virtual directory or website settings. Redirection is especially useful during migrations and software upgrades. Often companies change their websites to add fresh content or a new look, which can break the old links that customers have saved. One way to help users who follow old links is a redirect that guides them to the new URL. Since IIS 7.0 is modular, the first step in enabling redirection is to install the HTTP Redirection module. Exercise 4.3 shows the steps required. This exercise specifically installs the HTTP Redirection module; to install other modules, follow the same steps but choose the module that is required.
Exercise 4.3
Installing IIS Modules
Use the following steps to install an IIS module:
1. Click Start > Administrative Tools > Server Manager.
2. In the Server Manager pane, select Web Server under Roles.
3. In the Content pane, click Add Role Services.
4. Select the module or modules that need to be installed. In this case, select HTTP Redirection under Common HTTP Features (Installed) and click Next.
5. Confirm the selections and click Install. 6. Click Close.
Once the HTTP Redirection module is installed, a new HTTP Redirect option will be available for each website, virtual directory, and web application, as shown in Figure 4.4. The options for redirecting using the HTTP Redirection module are shown in Figure 4.5:
Redirect Requests to This Destination: This is the URL that clients will be redirected to. It can be another site, another page, or another virtual directory in the same site.
Redirect All Requests to Exact Destination (Instead of Relative to Destination): Select this option to redirect to the exact URL listed in the first text box regardless of the original URL. If this option is unchecked, the portion of the request URL after the redirected directory is appended to the destination URL. Leaving this option unchecked is ideal when an application has moved from one server to another. If the user requests http://oldserver.sybex.com/books/ExchangeServer.aspx and the redirect on the /books virtual directory points to http://newserver.sybex.com/books, the user is redirected to http://newserver.sybex.com/books/ExchangeServer.aspx, the page he was looking for. If this option were checked in the same scenario, the user would be redirected to http://newserver.sybex.com/books and would be given the list of all books rather than the one he was looking for.
Figure 4.4 Using the HTTP Redirect option
Only Redirect Requests to Content in This Directory (Not Subdirectories): This option can be used when the preceding option is not enabled. When it is enabled, requests for subdirectories of the redirected directory are not redirected but are served by the local web server.
Status Code: There are three options for the status code, and they determine the status code returned to the browser with the redirection:
Found (302): Notifies the browser to request the new location.
Permanent (301): Notifies the browser that the new location is a permanent redirection, so browsers and search engines may update the saved link.
Temporary (307): Notifies the browser that the new location is temporary and that it must repeat the request against the new location with the same method and body, so an HTTP POST is not turned into a GET and its form data is kept.
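The same settings are exposed as the httpRedirect configuration section, so the migration scenario above can be scripted. The following PowerShell script is an added example, not from the book; it assumes the old /books application is a virtual directory of the Default Web Site on oldserver.sybex.com (the host names come from the text, the site name is an assumption).

```powershell
# Added example, not from the book: the migration redirect described above,
# set with appcmd.exe rather than the HTTP Redirect page. "Default Web Site"
# as the site that holds /books on the old server is an assumption.
$appcmd  = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$cfgPath = 'Default Web Site/books'   # appcmd config path: site name, then URL path

# Relative redirect (exactDestination:false): the remainder of the request
# URL is appended, so /books/ExchangeServer.aspx lands on
# http://newserver.sybex.com/books/ExchangeServer.aspx. Permanent (301)
# tells browsers and search engines to update the saved link.
& $appcmd set config $cfgPath /section:httpRedirect /enabled:true `
    "/destination:http://newserver.sybex.com/books" /exactDestination:false `
    /childOnly:false /httpResponseStatus:Permanent /commit:apphost

# The same command with /exactDestination:true would send every request,
# whatever page was asked for, to the /books landing page.

# Read the effective setting back, and confirm the module is present: without
# HttpRedirectionModule the section is accepted but nothing is redirected.
& $appcmd list config $cfgPath /section:httpRedirect
& $appcmd list module | Select-String HttpRedirection
```

With /commit:apphost the setting is written to a location element in applicationHost.config instead of a web.config in the content folder, so whoever can edit the old site's content cannot silently remove or retarget the redirect; leave the switch off when the redirect is meant to travel with the content.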
Setting Website Limits
When you're hosting a number of websites on one server, it may be advantageous to limit the number of connections a site may have. This helps to limit the amount of resources the site can consume. Restrictions can be set on the following criteria:
- The amount of bandwidth the website can use.
- The number of concurrent connections to the website.
- The time before an inactive connection is disconnected from the server.
Figure 4.5 Configuring an HTTP redirect
The default setting is not to limit the bandwidth or the number of connections to the website; however, the default time-out for idle connections is 120 seconds. When a bandwidth limit is reached, no additional bandwidth will be available to service requests. Similarly, when a connection limit is reached, new connections cannot be made until the number of connections falls below the limit. Figure 4.6 shows an example of configuring these settings.
Figure 4.6 Setting website limits
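The three limits are the maxBandwidth, maxConnections and connectionTimeout attributes of the site's limits element. The following PowerShell script is an added example, not from the book, applying them to the Help Desk site with appcmd.exe; the values are assumed.

```powershell
# Added example, not from the book: the three limits from Figure 4.6 applied
# to the Help Desk site with appcmd.exe. The values are assumed; maxBandwidth
# is in bytes per second and connectionTimeout is hh:mm:ss.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$site   = 'Help Desk'

# 1 MB/s, 500 concurrent connections, idle connections dropped after 45 s
# instead of the 120 s default. A connection cap alone lets a handful of
# slow or idle clients hold every allowed connection; the shorter idle
# timeout is what frees those connections for other users.
& $appcmd set site $site /limits.maxBandwidth:1048576 `
    /limits.maxConnections:500 /limits.connectionTimeout:00:00:45

# Read the site's configuration back; the values appear in the <limits>
# element under <site> in applicationHost.config.
& $appcmd list site $site /config

# To lift the caps again, set them to 4294967295, the value IIS treats as
# "unlimited" (the default shown in Figure 4.6 as no limit).
# & $appcmd set site $site /limits.maxBandwidth:4294967295 /limits.maxConnections:4294967295
```

The limits are per site, so a server hosting several sites still needs the application pool settings described later to keep one site's worker process from consuming the whole machine.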
Microsoft .NET Components
Many people who use IIS leverage the .NET Framework for developing applications. Many of the options set in the Internet Information Services (IIS) Manager tool modify settings for how .NET components function, such as .NET Compilation, Globalization, Profiles, Roles, Users, Application Pools, and many more. The next two sections cover .NET trust levels and application pools in more detail.
.NET Trust Levels
.NET trust levels set the level of code access security (CAS). Code access security is a way of controlling the access that an application has as it runs. The rule of thumb is to provide an application with the least amount of access required. Application developers should be able to help qualify the specific actions or functions the application requires, which helps to determine which .NET trust level is needed. Trust levels are configured in Internet Information Services (IIS) Manager; the setting itself is the trust element of the system.web section, which for the server-wide default is stored in the .NET Framework's root web.config and for a single site or application in that site's Web.config. To set the .NET trust level, you select one of the following options:
Full: This option sets unrestricted permissions. The ASP.NET application has permission to access any resource that is subject to operating system security. All privileged operations are supported.
High: This option sets a high level of code access security so that the application is unable to do any of the following:
- Run unmanaged code.
- Write to the event log.
- Access Message Queuing service queues.
- Call serviced components.
- Access data sources.
Medium: This option sets a medium level of code access security that, in addition to the High trust level restrictions, prevents the ASP.NET application from doing any of the following:
- Access files outside the application directory.
- Access the Registry.
- Make network or web service calls.
Low: This option sets a low level of code access security that, in addition to the Medium trust level restrictions, prevents the application from doing any of the following:
- Write to the file system.
- Call the Assert method.
Minimal: This option sets a minimal level of code access security so that the application has only execute permissions.
The .NET trust level is set by selecting one of the options in Figure 4.7.
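Because the trust level is ordinary web.config content, a site's own Web.config can set it back to Full unless the server-wide setting is locked. The following PowerShell script is an added example, not from the book: it reports the configured trust level and whether it is locked, reading the .NET 2.0 root web.config by default (which CLR version is in use is an assumption), or a constructed sample with -SampleOnly, and optionally lowers one application to Medium with appcmd.exe. The Help Desk/tracker path used in the usage note is an assumed value.

```powershell
# Added example, not from the book: report the configured .NET trust level
# and whether lower levels can override it; optionally lower one application
# to Medium trust. The CLR version in the default path is an assumption.
param(
    [switch]$SampleOnly,
    [string]$LowerApp        # e.g. "Help Desk/tracker" (assumed config path)
)

# Constructed sample: Medium trust, locked so a site's own Web.config cannot
# raise it back to Full.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <location allowOverride="false">
    <system.web>
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>
'@

if ($SampleOnly) {
    [xml]$cfg = $sample
} else {
    $file = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\config\web.config'
    [xml]$cfg = Get-Content -Path $file
}

$nodes = $cfg.SelectNodes('//system.web/trust')
if ($nodes.Count -eq 0) {
    'No <trust> element found: applications run with Full trust unless a lower level sets one.'
}
foreach ($t in $nodes) {
    # <trust> sits under <system.web>, which is under either <configuration>
    # or a <location> element. Only <location allowOverride="false"> stops a
    # lower web.config from choosing a different level.
    $holder = $t.ParentNode.ParentNode
    $scope  = if ($holder.LocalName -eq 'location' -and $holder.GetAttribute('path')) {
                  $holder.GetAttribute('path') } else { '(server-wide)' }
    $locked = ($holder.LocalName -eq 'location') -and
              ($holder.GetAttribute('allowOverride') -eq 'false')
    New-Object PSObject -Property @{
        Scope  = $scope
        Level  = $t.level
        Locked = $locked
    } | Select-Object Scope, Level, Locked
}

# Lower a single application that needs no more than Medium. Without a lock
# at the server level, a Web.config shipped inside the content folder could
# set <trust level="Full" /> and silently undo this.
if ($LowerApp) {
    $appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
    & $appcmd set config $LowerApp /section:system.web/trust /level:Medium
}
```

Run as .\Get-TrustLevel.ps1 -SampleOnly to see the locked sample, or .\Get-TrustLevel.ps1 -LowerApp "Help Desk/tracker" on the server to both inspect the root file and set the application's level. A Locked value of False on the server-wide row means the level in Figure 4.7 is a default, not a ceiling.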
Figure 4.7 Setting the .NET trust level
Configuring Application Pools
An application pool is a collection of web applications that share a worker process or a set of worker processes. An application pool isolates its applications so that they are unable to affect applications in other application pools. Although application pools can contain .NET applications, they can also be used to group non-.NET (unmanaged code) applications. Application pools have several real benefits. They allow an administrator to do the following:
- Dedicate an application pool to applications that require more resources so that the performance of other applications does not decrease.
- Isolate unstable applications so that when an application fails, it does not also take down other applications.
- Configure application pools to restart automatically when memory, time, or other thresholds are met, improving recovery and application stability.
Application pools are configured in Internet Information Services (IIS) Manager; the settings are stored in the applicationHost.config file. To create an application pool, select the Application Pools folder in the Connections pane of Internet Information Services (IIS) Manager and then click Add Application Pool in the Actions pane. As shown in Figure 4.8, there are four options in the Add Application Pool dialog box:
Name: This text box is for the name of the application pool that is being created.
.NET Framework Version: This option defines either the version of the .NET Framework that all applications in the application pool will run, or that no managed code will be used in the application pool.
Managed Pipeline Mode: This option sets whether the applications will run in Integrated or Classic mode. If a pool is set to Integrated mode, the integrated request-processing pipeline of IIS and ASP.NET is used to handle requests. If a pool is set to Classic mode, the server processes requests through the Aspnet_isapi.dll library, as was done in IIS 6.0. Classic mode should be used only with legacy applications that do not work in Integrated mode.
Start Application Pool Immediately: This sets whether the pool is started when the Windows Process Activation Service (WAS) starts. If this is not set, the application pool will need to be started manually before any applications in the pool will run.
Figure 4.8 Creating an application pool
Once an application pool is created, a number of other settings are available to wrangle the applications in the pool into submission. If the applications in the pool are misbehaving due to bad code, database connection problems, or user error, there are a number of methods to have IIS automatically recover from those problems. One way is to set the recycling conditions of the application pool. To configure the recycling conditions in Internet Information Services (IIS) Manager, complete the following steps: 1. Select the Application Pools folder in the Connections pane. 2. Select the application pool that you want to adjust in the Content pane. 3. Click Recycling in the Actions pane.
The options available on the first page of the Edit Application Pool Recycling Settings Wizard are shown in Figure 4.9. The options are as follows:

Regular Time Intervals (in Minutes)
This option specifies the length of time, in minutes, after which the application pool worker process should be restarted. This is ideal for applications that tend to perform worse after running for a long period of time.

Fixed Number of Requests
This option specifies the number of requests that should be handled by the application pool before the worker process is recycled. This is ideal for applications that tend to perform worse after a certain number of requests have been handled.

Specific Time(s)
This option can be used to specify the time or times of day at which the worker process should be recycled. This is ideal for problematic applications that can benefit from having the worker process restarted at specific times.
Figure 4.9 Edit Application Pool Recycling Settings Wizard
Virtual Memory Usage (in KB)
This option can be used to specify the maximum amount of virtual memory that can be used by the worker process before it is recycled. This is ideal for applications that tend to keep consuming memory and perform worse until they are recycled.

Private Memory Usage (in KB)
This option can be used to specify the maximum amount of private memory that can be used by the worker process before it is recycled. Like the virtual memory limit, this is ideal for applications that tend to keep consuming memory and perform worse until they are recycled.

On the second page, you can configure the options selected on the previous page to generate event log entries when the application pool is recycled, as shown in Figure 4.10.

Figure 4.10 The event log settings for recycling events
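The settings chosen in these dialogs are what IIS writes into applicationHost.config under the applicationPools section. The following added example (not from the book; the configuration fragment is constructed, and the schema defaults it assumes are noted in comments) parses that section and reports, per pool, which of the recycling conditions above are active and which pools would never recycle on their own.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment (not taken from a real server).
# Attribute names follow the IIS 7 <applicationPools> schema as I know it:
# memory values are in KB, periodicRestart/@time is a .NET TimeSpan ("d.hh:mm:ss"),
# and a zero value means that recycling condition is switched off.
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" managedRuntimeVersion="v2.0"
           managedPipelineMode="Integrated" autoStart="true">
        <recycling logEventOnRecycle="Time, Memory, PrivateMemory">
          <periodicRestart memory="0" privateMemory="0" requests="0" time="1.05:00:00" />
        </recycling>
      </add>
      <add name="LegacyPool" managedRuntimeVersion="v2.0"
           managedPipelineMode="Classic" autoStart="false">
        <recycling>
          <periodicRestart memory="1048576" privateMemory="524288"
                           requests="10000" time="00:00:00">
            <schedule>
              <add value="02:00:00" />
              <add value="14:00:00" />
            </schedule>
          </periodicRestart>
        </recycling>
      </add>
      <add name="StaticPool" managedPipelineMode="Integrated">
        <recycling>
          <periodicRestart time="00:00:00" />
        </recycling>
      </add>
    </applicationPools>
  </system.applicationHost>
</configuration>
"""

# IIS's own default for periodicRestart/@time when the attribute is absent (29 hours).
DEFAULT_RESTART_TIME = "1.05:00:00"


def timespan_to_minutes(value):
    """Convert a .NET TimeSpan string ("d.hh:mm:ss" or "hh:mm:ss") to whole minutes."""
    days = 0
    if "." in value.split(":")[0]:
        day_part, value = value.split(".", 1)
        days = int(day_part)
    hours, minutes, seconds = (int(part) for part in value.split(":"))
    return days * 1440 + hours * 60 + minutes + seconds // 60


def recycling_conditions(config_xml):
    """Map each pool name to its Add Application Pool and Recycling dialog settings."""
    root = ET.fromstring(config_xml)
    pools_node = next(root.iter("applicationPools"))
    result = {}
    for pool in pools_node.findall("add"):
        restart = pool.find("recycling/periodicRestart")
        attrs = restart.attrib if restart is not None else {}
        triggers = {}
        interval = timespan_to_minutes(attrs.get("time", DEFAULT_RESTART_TIME))
        if interval:
            triggers["regular_interval_minutes"] = interval
        for attr, key in (("requests", "fixed_requests"),
                          ("memory", "virtual_memory_kb"),
                          ("privateMemory", "private_memory_kb")):
            if int(attrs.get(attr, "0")):
                triggers[key] = int(attrs[attr])
        if restart is not None:
            times = [entry.get("value") for entry in restart.findall("schedule/add")]
            if times:
                triggers["specific_times"] = times
        recycling = pool.find("recycling")
        log_events = recycling.get("logEventOnRecycle", "") if recycling is not None else ""
        result[pool.get("name")] = {
            # Schema defaults assumed when an attribute is omitted (my assumption).
            "runtime": pool.get("managedRuntimeVersion", "v2.0"),
            "pipeline": pool.get("managedPipelineMode", "Integrated"),
            "start_immediately": pool.get("autoStart", "true").lower() == "true",
            "triggers": triggers,
            "logged_events": [e.strip() for e in log_events.split(",") if e.strip()],
        }
    return result


def pools_without_recycling(config_xml):
    """Pools that will never recycle on their own (every condition is zero or absent)."""
    conditions = recycling_conditions(config_xml)
    return sorted(name for name, s in conditions.items() if not s["triggers"])


if __name__ == "__main__":
    for name, settings in recycling_conditions(SAMPLE_CONFIG).items():
        print(name, settings["pipeline"], settings["triggers"])
    print("never recycled:", pools_without_recycling(SAMPLE_CONFIG))
```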
Configuring a Web Farm

A web farm is a collection of servers that have the same configuration so they can be load balanced for redundancy and additional performance. In previous versions of IIS, the metabase needed to be restored to each server and then modified extensively, or a custom provisioning tool had to be used to create a web farm. Products like Microsoft Application Center 2000 tried to address the problem of synchronizing and configuring a web farm, but they were far from perfect. IIS 7 provides true “Robocopy deployment,” the ability to copy a set of files to a share or between servers to configure the websites and application settings.

To create a web farm, you should first create a network load balancing (NLB) cluster so that network traffic is spread across the servers. (More information about NLB can be found in Chapter 10.) After you create an NLB cluster, the servers need to be configured with the websites that will be hosted. IIS 7.0 has a built-in feature called Shared Configuration. This allows an administrator to publish the server configuration to a network share for all of the servers to use. The websites can be configured on one server and then exported to the file share for the other servers to use. To have each of the servers in the web farm use the shared configuration, you need to configure the %windir%\system32\inetsrv\config\redirection.config file to point to the shared configuration. Last, the web content will need to be either on a file share or copied to each web server.
Configuring a File Transfer Protocol (FTP) Server

FTP is used to provide file transfers, usually across the Internet. Permissions can be set to give all users or only specific users access to files. With all of the advancements made in IIS 7, there was very little time for Microsoft to improve the already feature-sparse FTP services that IIS 6.0 contained before releasing Windows Server 2008. If you are familiar with FTP services in IIS 6.0, you should have no problem working with the built-in FTP services for IIS 7. To add FTP services to a server that already has the Web Services (IIS) role installed, you must add the FTP Server role service. After installation of the FTP service, all management is done through the Internet Information Services (IIS) 6.0 Manager. If you are fond of the IIS 6.0 management tools, welcome home. After the installation of the built-in FTP Server is complete, the Default FTP Site is stopped. To start using FTP, you will need to start the site.
On the same day Windows Server 2008 was released to the public, an update was released for IIS 7.0 to include a more feature-rich version of the FTP Server. Here are some of the key features of this updated version:

Integrated Management
The new IIS Management tools are used to manage the FTP service.

Secure Publishing
FTP over SSL (FTPS) is now supported.

Virtual Host Names
Allows multiple FTP sites with different domain names to be hosted on the same IP address. This is similar to the web host headers functionality.

User Isolation
This feature redirects users to a directory that matches the logon account without having to create a physical directory. This keeps users’ files hidden from each other.

Non-Windows Authentication
This allows IIS Web Manager and ASP.NET Membership accounts to log in and use FTP services. Windows accounts are no longer required.

To install the updated FTP service for IIS 7.0, you must first install IIS 7.0 without the built-in FTP Publishing Service. Then the installation package can be downloaded from the Microsoft website. The 32-bit installation package for x86 editions of Windows Server 2008 is available at go.microsoft.com/fwlink/?LinkId=87847. The 64-bit installation package for x64 editions of Windows Server 2008 is available at go.microsoft.com/fwlink/?LinkId=89114. The following sections deal specifically with the updated version of the FTP Publishing Service for IIS 7.0.
Configuring Permissions

To configure the permissions that groups of users have, you must use FTP authorization rules. An Allow authorization rule can be applied to the following:

- All Users
- All Anonymous Users
- Specified Roles or user groups
- Specified Users

Also, the groups or users that are defined in the authorization rule can be given read or write permissions. The same criteria can be used to deny users access to the content as well, as shown in Figure 4.11. Once a user has been authorized and has access to the files, effective permissions are based on the file system permissions combined with the permissions assigned by the authorization rules, and the more restrictive of the two applies. If domain accounts are used to log on to the FTP site, assign the file system permissions as you would for other file shares.
Configuring FTP Site for Extranet Users

One feature that was lacking in previous versions of the FTP services is that users outside the company had to have either a local Windows account or a domain account. This was a messy security problem since you really do not want to give FTP users a domain account. The solution is to leverage the IIS 7.0 Management Service or ASP.NET users.

Figure 4.11 Creating an Allow authorization rule
The high-level process for configuring the IIS 7.0 Management Service to handle FTP logons is as follows:

1. Install FTP Service for IIS 7.0.
2. Grant the Network Service read access to the IIS configuration.
3. Add the IIS Management Service role service.
4. Create a new FTP site.
5. Configure Basic Authentication.
6. Configure the FTP site to use an IIS 7.0 Manager account.
7. Enable IIS 7.0 Manager authentication.
8. Grant access to the site for an IIS 7.0 Manager account.
9. Create an authorization rule to allow the IIS 7.0 Manager account appropriate permissions to the FTP site.
FTP IPv4 and Domain Restrictions

To restrict which hosts can connect to the FTP site at the protocol level, IPv4 and domain restrictions can be used. The default is to allow all unspecified IP addresses to access the FTP server. To change the setting so that all IP addresses are denied except those listed, on the FTP IPv4 Address and Domain Restrictions feature page, click Edit Feature Settings in the Actions pane. This brings up the dialog box shown in Figure 4.12, where you can choose whether unspecified clients will be allowed or denied.
Figure 4.12 The Edit IPv4 Address and Domain Restrictions Settings dialog box
Also, from this dialog box you can enable domain name restrictions so that domain names can be added to the allow and deny lists rather than specifying a specific IP address. Figure 4.13 shows an example of adding a Deny Restriction rule based on a domain name.

Figure 4.13 Adding a Deny Restriction rule based on a domain name
Configuring a Simple Mail Transfer Protocol (SMTP) Server

Simple Mail Transfer Protocol (SMTP) is the email protocol for Internet-based messaging. Just like the built-in FTP services, the SMTP server is largely unchanged from previous versions of IIS. Unlike FTP, however, the SMTP server included in IIS, which is also the base on which Exchange 2000 Server and Exchange Server 2003 are built, has a healthy set of features and excellent performance. To install the SMTP server on a Windows Server 2008 computer, you must install the SMTP Server feature. When the SMTP Server feature is installed, the IIS 6.0 Management tools are also installed because they are required to perform configuration.
Do I Need a Better SMTP Server?

Often people get caught up in judging whether a product works well based on its cost. On a number of occasions, customers have tried to determine the best way to send a large amount of legitimate email. One such company was generating a large number of email messages because of the number of orders its site was processing. A number of SMTP products were reviewed, but IIS was chosen. Using just IIS, the server was able to deliver the entire volume of messages generated by the site, and the company didn’t need to purchase additional hardware or software. If you need a high-performance SMTP server, you should consider IIS.
The SMTP server is a single-purpose message transport agent (MTA); it sends and receives SMTP-based email. It does not generate email, nor does it provide any sort of client connectivity; it just routes email. In the next few sections, we will cover the main areas of the SMTP server that can be configured and when you might want to make the changes.
Configuring General SMTP Virtual Server Properties

The management interface for the SMTP server is basic and straightforward. As shown in Figure 4.14, the left pane lists the SMTP virtual servers that are configured on the connected server. To make changes to an SMTP virtual server, right-click it and choose Properties.

Figure 4.14 Configuring the SMTP virtual server
The General tab, shown in Figure 4.15, includes options to bind the SMTP virtual server to a specific IP address and port number, limit the number of connections to the SMTP virtual server, change the idle time-out, and enable protocol logging.

Figure 4.15 Configuring General properties of the SMTP virtual server
As with websites, it may be important to limit the number of connections and the connection time-out values to keep the SMTP virtual server from negatively impacting other processes on the server. Enabling protocol logging on the SMTP virtual server can aid with troubleshooting delivery problems because it documents the SMTP session information down to the exact information sent and received. These logs are, by default, written in W3C Extended Log format and can be read in any text editor or one of the many W3C log viewers.
Configuring Access

You may need to configure access to the SMTP virtual server to restrict the servers or users that connect to it, to configure the type of authentication used, to enable Transport Layer Security (TLS) encryption, or to restrict the users or servers that can relay email through it. All of these can be accomplished from the Access tab of the virtual server Properties dialog box, as shown in Figure 4.16.

The default authentication method for an SMTP virtual server is Anonymous access. This means that the SMTP virtual server will not accept any sort of logon attempt and that all anonymous users have access to send email to the server. With Basic authentication enabled, the server will accept Windows or domain usernames and passwords in cleartext for authentication. This is discouraged without first requiring Transport Layer Security (TLS) to encrypt the SMTP conversation, and with it the username and password. The last option is Integrated Windows Authentication, which allows Windows to provide credentials without having to pass them in cleartext. The authentication types are shown in Figure 4.17.
Figure 4.16 Configuring access properties on an SMTP virtual server

Figure 4.17 Configuring authentication types
As mentioned in the previous paragraph, TLS is recommended to protect usernames and passwords from being transmitted in cleartext. To use TLS, you must first install a certificate on the server. Once the certificate is installed, it can be assigned to the SMTP virtual server. It is even possible to require that all connections to the SMTP virtual server be encrypted with TLS. It may be that this server is intended only to transfer email between a limited number of servers or between servers on a specific network. If this is the case, connection control can be set to limit the servers that are allowed to connect by IP address or domain name. As shown in Figure 4.18, there are two options for restricting access: either all servers are allowed except those explicitly defined, or no server has access except those explicitly defined.
Figure 4.18 Configuring connection control
Relaying is a term that means sending email to an SMTP server that will forward the message to its destination. The default setting is to not allow any relaying because relaying is what many spammers use to deliver email. If you decide to allow any type of relaying, be careful not to leave any openings that might allow a spammer to use your server for nefarious purposes. That doesn’t mean that relaying is a bad thing; there are a number of legitimate uses. One such use is to have one server in the datacenter that is allowed access to send SMTP email out through the firewall. You will need to allow the authorized SMTP servers to relay through the authorized server. Relay authorization settings are similar to the connection control settings because you can either allow all servers to relay through with a list of exceptions or deny all relays with a list of exceptions, as shown in Figure 4.19.

Figure 4.19 Configuring relay restrictions
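The protocol log described under the General tab is the place to confirm that the relay restrictions above actually hold. The following added example (not from the book) parses a W3C Extended Log excerpt, which is constructed here with a trimmed field list and made-up hosts, and reports RCPT commands for non-local domains that the server accepted from clients that were neither on an assumed relay allow list nor authenticated, alongside the count of relay attempts it correctly refused.

```python
import re

# Constructed W3C Extended Log excerpt in the shape the SMTP virtual server writes
# when protocol logging is enabled (the field list is trimmed to what the check needs;
# real logs carry more columns). The hosts, addresses and domains are made up.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2008-06-27 10:15:00
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
2008-06-27 10:15:01 203.0.113.5 - SMTPSVC1 WEBSERVER10 192.168.19.10 25 EHLO - +mail.example.net 250
2008-06-27 10:15:01 203.0.113.5 - SMTPSVC1 WEBSERVER10 192.168.19.10 25 MAIL - +FROM:<alice@example.net> 250
2008-06-27 10:15:02 203.0.113.5 - SMTPSVC1 WEBSERVER10 192.168.19.10 25 RCPT - +TO:<sales@sybex.com> 250
2008-06-27 10:15:02 203.0.113.5 - SMTPSVC1 WEBSERVER10 192.168.19.10 25 RCPT - +TO:<victim@otherdomain.example> 550
2008-06-27 10:16:10 192.168.19.98 - SMTPSVC1 WEBSERVER10 192.168.19.10 25 MAIL - +FROM:<orders@sybex.com> 250
2008-06-27 10:16:10 192.168.19.98 - SMTPSVC1 WEBSERVER10 192.168.19.10 25 RCPT - +TO:<customer@otherdomain.example> 250
2008-06-27 10:17:33 198.51.100.77 - SMTPSVC1 WEBSERVER10 192.168.19.10 25 MAIL - +FROM:<someone@free.example> 250
2008-06-27 10:17:33 198.51.100.77 - SMTPSVC1 WEBSERVER10 192.168.19.10 25 RCPT - +TO:<anyone@otherdomain.example> 250
2008-06-27 10:18:05 198.51.100.80 app01 SMTPSVC1 WEBSERVER10 192.168.19.10 25 RCPT - +TO:<partner@otherdomain.example> 250
"""

# Domains this virtual server delivers locally, and the hosts the relay restrictions
# are supposed to allow (both assumed, chosen to match the constructed log).
LOCAL_DOMAINS = {"sybex.com"}
RELAY_ALLOWED_IPS = {"192.168.19.98"}

ADDRESS_RE = re.compile(r"<([^>]*)>")


def parse_w3c(text):
    """Turn W3C Extended Log text into a list of dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("log entry before #Fields directive")
        parts = line.split(" ")
        if len(parts) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        rows.append(dict(zip(fields, parts)))
    return rows


def recipient_domain(query):
    """Extract the domain from an RCPT argument such as '+TO:<user@host>'."""
    match = ADDRESS_RE.search(query)
    if not match or "@" not in match.group(1):
        return None
    return match.group(1).rpartition("@")[2].lower()


def audit_relay(log_text, local_domains=LOCAL_DOMAINS, relay_allowed=RELAY_ALLOWED_IPS):
    """Find RCPT commands for non-local domains that the server accepted (250) from
    clients that are neither on the relay allow list nor authenticated."""
    unexpected, denied = [], 0
    for row in parse_w3c(log_text):
        if row["cs-method"] != "RCPT":
            continue
        domain = recipient_domain(row["cs-uri-query"])
        if domain is None or domain in local_domains:
            continue  # local delivery is not relaying
        if row["sc-status"].startswith("5"):
            denied += 1  # the relay restriction did its job
            continue
        authorised = row["c-ip"] in relay_allowed or row["cs-username"] != "-"
        if row["sc-status"] == "250" and not authorised:
            unexpected.append({
                "time": row["date"] + " " + row["time"],
                "client": row["c-ip"],
                "recipient_domain": domain,
            })
    return {"unexpected_relays": unexpected, "relay_denied": denied}


if __name__ == "__main__":
    report = audit_relay(SAMPLE_LOG)
    print("relay attempts denied:", report["relay_denied"])
    for hit in report["unexpected_relays"]:
        print("relay accepted from", hit["client"], "to", hit["recipient_domain"], "at", hit["time"])
```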
Configuring Message Size and Transfer Limits

The next configuration options are on the Messages tab. These options help to control the size and number of messages that can be delivered. In many cases, the default settings will be adequate because many email systems today impose similar limits to protect the stability of the server and control bandwidth congestion. The configuration settings control the following options for both receiving and sending messages:

- The size of a single message.
- The size of all messages delivered in a single SMTP session.
- The number of messages sent in a single SMTP session.
- The number of recipients in a single email message.
- An email address to which all nondelivery reports are sent.
- The directory in which to store all email messages that could not be delivered.

These message options are shown in Figure 4.20.

Figure 4.20 Configuring message options
Configuring Delivery Options

There are a number of options that control how email messages are delivered and how long the server continues to attempt to deliver them. The Delivery tab has the following options:

First Retry Interval
This is the length of time the server waits before attempting to resend a message after the initial failure. This is usually a fairly short time frame because transient problems can cause failures.

Second Retry Interval
This is the length of time the server waits before attempting to resend a message after the second failure.

Third Retry Interval
This is the length of time the server waits before attempting to resend a message after the third failure.

Subsequent Retry Interval
This is the length of time the server waits between attempts after the fourth failure, until either the message is delivered or it expires.

Delay Notification
This is the length of time a message will sit in the outbound message queue before an email message is sent to the originator of the message notifying them that the message is still queued.

Expiration Timeout
This is the length of time a message can be queued before it is removed.

These settings, shown in Figure 4.21, can greatly affect the number of messages that are queued on the server. If the email being sent is extremely time sensitive, it may not be important to continue to retry delivery for two days. On the other hand, if the email messages being sent are important, it may be better to increase the expiration time. This allows for the case when a remote server is down for extended maintenance, because the server will queue the mail until either the remote server is again available or the expiration time-out is reached.

Figure 4.21 Configuring delivery options
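As an added illustration (not from the book) of how the retry intervals combine with the expiration timeout, the following code computes when each retry would occur for a given set of Delivery tab values and how many attempts fit before the message expires. The default values it assumes are the ones I recall for the SMTP virtual server and are marked as such in the comments.

```python
# Added illustration of how the Delivery tab settings interact. The interval values
# are the SMTP virtual server defaults as I recall them (15, 30, 60 and 240 minutes,
# 12 hours delay notification, 2 days expiration); treat them as assumptions and
# substitute your own server's values. Everything is expressed in minutes.


def retry_schedule(first=15, second=30, third=60, subsequent=240,
                   delay_notification=12 * 60, expiration=2 * 24 * 60):
    """Return the minutes after the initial failure at which each retry happens,
    when the delay notification would be sent, and when the message is removed."""
    for value in (first, second, third, subsequent):
        if value <= 0:
            raise ValueError("retry intervals must be positive")
    retries = []
    elapsed = 0
    intervals = [first, second, third]
    while True:
        # The first three failures use their own intervals; every later one
        # uses the Subsequent Retry Interval until the message expires.
        gap = intervals.pop(0) if intervals else subsequent
        elapsed += gap
        if elapsed >= expiration:
            break  # the message is removed before this attempt would be made
        retries.append(elapsed)
    return {
        "retries_at": retries,
        "delay_notice_at": delay_notification if delay_notification < expiration else None,
        "expires_at": expiration,
    }


def describe(schedule):
    """One-line summary, handy for comparing candidate configurations."""
    retries = schedule["retries_at"]
    last_hours = retries[-1] / 60.0 if retries else 0.0
    return "%d retries, last at %.2f h, expires at %.1f h" % (
        len(retries), last_hours, schedule["expires_at"] / 60.0)


if __name__ == "__main__":
    print("defaults:      ", describe(retry_schedule()))
    print("time-sensitive:", describe(retry_schedule(expiration=60)))
    print("patient:       ", describe(retry_schedule(expiration=5 * 24 * 60)))
```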
Outbound Security

We discussed the Access tab in the section “Configuring Access.” The Access tab is where the allowed inbound authentication methods are set. The Outbound Security option on the Delivery tab, by contrast, sets which options will be used when connecting to other SMTP servers. The options for outbound security are as follows:

Anonymous
This option provides no user authentication when sending messages. This is the default option and is suitable for most Internet communications.

Basic Authentication
This option allows a username and password to be specified to authenticate against the remote SMTP server. It is important to use TLS encryption to protect the username and password.

Integrated Windows Authentication
This option allows you to select a user from the domain or from the local server to authenticate. This method does not pass cleartext usernames and passwords, but it still should be protected with TLS encryption.

TLS Encryption
This option enables TLS encryption for the session. TLS encrypts the entire session using a certificate on the remote SMTP server.
Outbound Connections

The Outbound Connections option at the bottom of the Delivery tab allows you to configure the number of connections, time-out settings, and the TCP/IP port that will be used for outbound SMTP sessions. Figure 4.22 shows the dialog box that appears when you click Outbound Connections.

Figure 4.22 Configuring outbound connection settings
These settings will normally stay at the default configuration. It may be necessary to modify the number of connections to tune the number of messages the server can send at one time. It may be that the server and the bandwidth you have can handle more than 1,000 concurrent outbound connections and could deliver messages more quickly if the limit were increased to 5,000 connections.
Advanced Delivery Options

The advanced delivery options, accessed by clicking the Advanced button at the bottom of the Delivery tab, are shown in Figure 4.23. These are very powerful options that often require adjusting.

Maximum Hop Count
This setting helps to prevent email loops. No, the hop count isn’t the number of people that can attend a 1950s dance party; it is the number of SMTP servers a message can traverse. If the SMTP server receives a message that has already traversed the number of servers in the limit, the email will be deleted.

Masquerade Domain
This option can be set to replace the local domain name in the From address field with the domain listed here. This is useful if email from the local server needs to appear as if it comes from another business unit or company.
Figure 4.23 Configuring Advanced Delivery options
Fully-Qualified Domain Name
This option is by default the name of the server. The name listed here is what is announced to other SMTP servers, either when a client connects to it or when it is sending email out. This is important because if you are sending email out to the Internet and the internal server reports its name as WebServer10.MyInternalDomain.local, the receiving server has no way to verify whether your server is valid or you are a fly-by-night spammer. It would be better to replace this name with a name that can be resolved by DNS externally, such as email.sybex.com. Some anti-spam vendors will attempt to resolve the sending server’s name in DNS; check to see that the host has an MX record, because presumably the server that is sending out email should be listed as a mail server for the domain.

Smart Host
If a smart host is not listed, the server will attempt to deliver the email by looking up the domain names in DNS; however, if a smart host is listed, all email is sent directly to that host or list of hosts for delivery. The check box can also be selected to attempt to use DNS to deliver the message first and, if that is unsuccessful, to send it to the smart host. If you list multiple servers, they should be separated by a comma. If you list servers by their IP address, you must enclose the IP address in brackets, for example, [192.168.19.98].

Perform Reverse DNS Lookup on Incoming Messages
This option is often thought of as being an anti-spam measure, but it is not. It will attempt to perform a reverse DNS lookup on the SMTP client’s IP address to see if it matches the server name announced by the client. If the lookup is successful, the messages remain unchanged. If the verification fails, “unverified” appears after the IP address in the message header. If the DNS lookup fails completely, “RDNS failed” will appear in the message header. Since this process is done on all incoming messages, it can have a negative impact on server performance.
LDAP Routing

The default method for delivering SMTP email is to look up the MX records for the destination domain in DNS. Figure 4.24 shows the Lightweight Directory Access Protocol (LDAP) Routing tab of the SMTP virtual server, which provides options for using an LDAP server to resolve senders and recipients.

Figure 4.24 Configuring LDAP routing
The following is a list of the options that must be configured to enable LDAP routing:

Server
This option specifies the server that will be used as the LDAP directory. This field should not be necessary when using Active Directory because the server will be able to find the nearest domain controller.

Schema
This option is used to select the directory service that is being used. The available types are as follows:

- Active Directory
- Site Server Membership Directory
- Exchange LDAP Service

Binding
This option sets the binding type. The binding type specifies how the SMTP virtual server is authenticated by the directory service. The available types are as follows:

- Anonymous
- Plaintext
- Windows SSPI
- Service account

Domain
This sets the domain of the account you want to use to bind to the LDAP directory if you are using the Plaintext or Windows SSPI binding types.

User Name
This option specifies the distinguished name (DN) of the account being used to bind to the LDAP directory if you are using the Plaintext or Windows SSPI binding types.
Password
This sets the password that is used for logging on to the directory service if you are using the Plaintext or Windows SSPI binding types.

Base
This option specifies the distinguished name of a container in the directory service that will be searched.
Configuring Domains

When the SMTP Server feature is installed, a default domain is created and placed in the Domains node that is identical to the local server name. This domain is used to route mail. It is possible to create additional domains as well, as shown in Figure 4.25, if custom settings are required. The domain configuration allows a smart host to be configured for specific domains. This may be beneficial if most email should be sent using DNS, with the exception of email sent to an internal domain that should go to a specific server. A domain can also be used to create outbound security settings that are specific to that domain.

Figure 4.25 Configuring an additional domain
Summary

Internet Information Services 7.0 web services have been completely rewritten from IIS 6.0. Improvements have been made to the configuration, including moving configuration from the metabase to XML-based files. This opens up simple and flexible administration. IIS 7.0 web services are also based on modules. Modules are installed to add functionality. Only the required modules are installed, which reduces server hardware requirements and maintenance. This chapter covered creating websites, applications, virtual directories, and application pools, along with other configuration tasks.

There are two FTP servers available for Windows Server 2008: the one that comes on the installation media, which is very similar to previous versions, and the downloadable update to the FTP service that fully integrates with IIS 7.0 and provides enhanced functionality such as Secure FTP.

Although the SMTP server is largely unchanged from previous versions, it provides valuable functionality. This chapter covered configuration for sending and relaying email. Although configuration is simple and straightforward, there are a number of settings that can be used to customize how the SMTP server behaves.
Exam Essentials

Know how to add modules. IIS 7.0 has over 30 modules included. To add functionality, you must add modules to IIS.

Know when to use application pools. Application pools are used for application isolation, security, and stability. Know why they are created and some basic settings.

Know how to configure an SMTP server for relay and smart hosts. Know what the SMTP server does and how to configure it to relay email and to send mail to a smart host.

Know what .NET trust levels are. Security is a big problem in today’s environment. Know what the .NET trust levels are and what level of access each provides to .NET code.
Review Questions

1. Which of the following options is used to deliver email when DNS lookup is not available?
A. Assign a masquerade domain.
B. Adjust the fully qualified domain name.
C. Do not perform DNS lookup on incoming messages.
D. Assign a smart host.

2. Which of the following are valid reasons for creating a separate application pool for two web applications? (Choose three.)
A. To keep applications from affecting each other.
B. To reduce overall memory usage.
C. To increase security.
D. To create different recovery settings.

3. What benefits are gained from using modules for IIS 7.0? (Choose two.)
A. Reduced management control
B. Reduced patching requirements
C. Increased flexibility
D. Increased system resource

4. How many built-in modules are available for IIS 7.0?
A. Less than 15
B. 16 to 25
C. 25 to 30
D. More than 30

5. Which configuration file contains the global IIS settings such as website and logging configuration?
A. ApplicationHost.config
B. Web.config
C. Machine.config
D. Metabase.bin

6. Which of the following files contains the settings for the SMTP configuration?
A. ApplicationHost.config
B. Web.config
C. Machine.config
D. Metabase.bin
7. Which of the following TCP/IP ports is used for Secure HTTP communication?
A. 25
B. 80
C. 443
D. 3389

8. You have a web server at your hosting provider and do not have any additional IP addresses to assign. You need to create another website for the company’s marketing department. Which of the following bindings will allow users to access the site from the Internet?
A. Bind the website to 127.0.0.1 on port 80.
B. Bind the website to the same IP address as the original site and use host headers for both.
C. Bind the website to the same IP address as the original and use port 8080.
D. Bind the website to the same IP address as the original and use port 80.

9. A new web server has been deployed with a new domain name. All of the content on the new server is identical to the old server. What should be put in place to notify the user of the new URL?
A. Application pool
B. Virtual directory
C. Redirect
D. Limit

10. Which of the following can be set to limit resources on a website?
A. Bandwidth
B. Concurrent connections
C. Number of pages downloaded
D. CPU usage

11. Which of the following .NET trust levels provides the application with the least restrictions?
A. High
B. Medium
C. Low
D. Minimal

12. To create a web farm, which of the following steps must be taken? (Choose all that apply.)
A. Create a redirection.config file for each node.
B. Create a load-balanced cluster.
C. Provide each node with access to the website code.
D. Export a valid configuration to a network share for all nodes to use.
13. To restrict connections that can be made to an FTP server based on a DNS name, what must be enabled?
A. IIS Management
B. FTP authorization rules
C. Domain name restrictions
D. TLS encryption

14. To protect plaintext usernames and passwords in an SMTP session, what also must be enabled?
A. Basic authentication
B. LDAP routing
C. TLS
D. Anonymous authentication

15. Which setting will configure the number of times an email has been sent through a server before it is removed?
A. Hop Count
B. Expiration Time-Out
C. Delay Notification
D. Smart Host

16. Which of the following options acts as an anti-spam filter?
A. Smart host
B. Masquerade domain
C. Performing reverse DNS lookup on incoming messages
D. None of the above

17. Which of the following are new features of FTP for IIS 7.0? (Choose three.)
A. Download resume
B. Secure FTP
C. Virtual hostnames
D. User isolation

18. After installing the built-in version of FTP Server, what must be done to use the Default FTP Site?
A. Create the Default FTP Site.
B. Start the Default FTP Site.
C. Start the FTP service.
D. Reboot the server.
19. Which of the following tools can be used to create a Windows Server 2008 web farm?
A. Microsoft Application Center
B. Robocopy
C. Microsoft Operations Manager
D. Server Manager

20. How do you install IIS 7.0 modules?
A. Add a feature.
B. Add a role.
C. Add a role service.
D. Windows Update.
Answers to Review Questions

1. D. A smart host defines a server that can be used to deliver messages.
2. A, B, D. Creating two application pools segregates the applications to the point where they should not be able to affect each other or access each other's data, which improves security. Separate application pools also allow different recovery settings to be chosen. Creating separate application pools does not decrease the overall memory usage of the server.
3. B, C. Building IIS 7.0 from modules allows administrators to install only the modules required, and only the modules installed need to be patched. Also, because modules can be replaced with custom-written functionality, they are very flexible.
4. D. There are more than 30 built-in IIS modules.
5. A. The ApplicationHost.config file contains the global IIS settings.
6. D. The SMTP server still uses the legacy metabase to store its configuration information.
7. C. TCP port 443 is used for HTTPS communications.
8. B. Host headers allow multiple sites to be bound to the same IP address and port and both function. Although binding the site to a nonstandard port will work, it is not best practice because websites running on nonstandard ports require users to know the port.
9. C. A redirect can notify the end user of the new server name.
10. A, B. Both the amount of bandwidth and the number of concurrent connections can be limited in IIS.
11. A. The High .NET trust level provides a high level of trust for the application and places fewer limits on what the application can do.
12. A, B, C, D. All of these steps must be taken to create a web farm.
13. C. To use DNS lookups for connection restrictions, domain name restrictions must be enabled.
14. C. Transport Layer Security (TLS) encrypts the SMTP session, so the credentials are no longer sent in plaintext.
15. A. The hop count limits the number of servers a message can traverse before it is discarded.
16. D. There are no built-in anti-spam features in the SMTP server that comes with IIS.
17. B, C, D. Secure FTP, virtual hostnames, and user isolation are all new features. This version of FTP still does not support download resume.
18. B. With the built-in version of the FTP Server, the installation creates the Default FTP Site; however, it must be started before it will function.
19. B. Now that the IIS 7.0 configuration is stored in text files, Robocopy can be used to create a web farm. Application Center is not supported on Windows Server 2008.
20. C. To install IIS modules, the Add Role Services action is used.
Chapter 5: Advanced Web Infrastructure Configuration

Microsoft Exam Objectives covered in this chapter:
- Manage Internet Information Services (IIS). May include but is not limited to: website content backup and restore; IIS configuration backup; monitor IIS; configure logging; delegation of administrative rights
- Configure SSL security. May include but is not limited to: configure certificates; requesting SSL certificate; renewing SSL certificate; exporting and importing certificates
- Configure website authentication and permissions. May include but is not limited to: configure site permissions and authentication; configure application permissions; client certificate mappings
Chapter 4, "Configuring Web Services Infrastructure," covered the basic concepts and tasks for IIS 7. Although not overly complex, IIS is a powerful tool with a lot of functionality, and many volumes could be filled with best practices and in-depth configuration guidance. This chapter focuses on a number of more advanced IIS features:
- Backup and recovery
- Delegation of administrative rights
- Configuring SSL and authentication

Managing Internet Information Services (IIS)

In the previous chapter, we covered some of the basics of configuring and managing the IIS components. We'll now go into more detail on these topics, focusing on monitoring, logging, and backing up and restoring. In the previous chapter we used only Internet Information Services (IIS) Manager to configure IIS. There is also a command-line configuration tool called AppCmd.exe (or AppCmd) that can view and configure IIS settings. There are even tasks that cannot be done in IIS Manager and must be done with AppCmd, such as changing the automatic configuration history settings and performing a manual configuration backup; both are covered later in this chapter. Even though AppCmd is a command-line administrative tool, it is not based on Windows PowerShell: AppCmd was created before PowerShell was integrated into Windows Server 2008. Exercise 5.1 demonstrates how to use AppCmd to list the currently configured websites.

Exercise 5.1: Using AppCmd.exe to List Configured Websites

Follow these steps to use AppCmd.exe to list configured websites:
1. Open an elevated command prompt.
2. Change to %SystemRoot%\System32\inetsrv, the directory where AppCmd.exe resides (it is not on the default PATH).
3. Run appcmd list sites to list the configured sites.

The following objects are available for administration with AppCmd.exe:
- Site: Manage websites
- App: Manage applications
- VDir: Manage virtual directories
- AppPool: Manage application pools
- Config: Manage server configuration
- WP: Manage worker processes
- Request: List the requests currently executing
- Module: Manage loaded modules
- Backup: Manage configuration backups and restores
- Trace: Manage failed request trace logs and settings
Many of the options available in AppCmd were covered using Internet Information Services (IIS) Manager in Chapter 4; for more information on those actions, please refer to Chapter 4. Using the Backup and Trace objects is covered later in this chapter. Each object has a set of commands that can be run against it. For example, the Site object supports list, set, add, delete, start, and stop. To get a list of the available commands for a specific object, type appcmd <object> /? (for example, appcmd site /?); appcmd /? on its own lists the objects.
Configuring Monitoring and Logging

To provide a consistent, reliable service, it's essential to monitor performance. Chapter 11, "Monitoring Windows Server 2008 for High Availability," covers how to use tools such as the Windows Performance Diagnostic Console, the Reliability Monitor, and the Windows event logs in Windows Server 2008 to monitor performance and stability.
Trace Logging

One of the more troublesome tasks is figuring out exactly what is happening when a failure occurs, because the problem may occur sporadically or thousands of users may be connecting to the server simultaneously. Trace logging helps by watching requests and, when a defined failure occurs, writing a log of the request and the actions taken while processing it. Each failed request is stored in a separate, sequentially numbered XML file, which can be opened in Internet Explorer or any other XML-capable reader (IIS also writes a freb.xsl style sheet into the log directory so that the files render readably in a browser). To use trace logging, you must install the Tracing role service. After the Tracing role service is installed, you can enable failed request tracing for a particular website, as shown in Exercise 5.2.

Exercise 5.2: Enabling Failed Request Tracing

Follow these steps to enable failed request tracing:
1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.
2. In the Connections pane, expand the server name, then expand Sites and click Default Web Site.
3. In the Actions pane, click Failed Request Tracing.
4. Check the Enable box, type the name of the directory in which you want to save the log files (the default is %SystemDrive%\inetpub\logs\FailedReqLogFiles), and set the maximum number of trace files to keep.

After you enable failed request tracing and define the number of trace files to keep, you must create failure definitions to specify which failures should be logged. For example, if a 500 error occurs intermittently in the .NET application on the website, you could create a failed request tracing rule to watch for a status code of 500 on all files with an .aspx filename extension. Failed request tracing rules can be created at the server, website, or virtual directory level, and rules are always inherited from the parent container. Create the rule at the level closest to the problem directory or application, because failed request tracing can have a negative impact on server performance.
The three criteria for creating a rule are content, conditions, and trace provider, as shown in Figure 5.1. The content criterion specifies the name of the files or path that should be traced. There are four options:
- All content (*)
- ASP.NET (*.aspx)
- ASP (*.asp)
- Custom

Figure 5.1 Specifying content to trace

Content
With the first three content options, it is easy to identify what is going to be traced. The All Content (*) option traces all content below where the rule is created. The ASP.NET (*.aspx) option traces only requested URLs that end with .aspx, and the ASP (*.asp) option traces only requested URLs that end in .asp. The last option, Custom, allows you to be more specific: you can watch web pages whose name has a specific beginning or end. If you need to watch all pages that start with forum, such as forum.aspx or forumLogin.aspx, you could enter forum* in the Custom field. Note, though, that only one wildcard is allowed in this field, so you cannot enter *forum* to also trace StartForumLogin.aspx. Instead, you would need to choose a more generic pattern that covers that page.
Condition
The next criterion is the condition or conditions that constitute a failure. If more than one condition is specified, the first condition that is matched generates the log file; there is no way to require that multiple conditions be met before a file is generated. You can select from three conditions:
Status Code(s) Select this option to generate a trace log based on an HTTP response code. Multiple status codes can be entered, separated by commas.
Time Taken (in Seconds) Select this option to generate a trace log when a request takes longer to process than expected. If this is selected, a threshold must also be entered in seconds.
Event Severity Select this option to generate a trace log based on the severity of an error that occurs. If this is chosen, one of the following levels must also be chosen:
Error This provides information when components generate errors and do not continue to process requests.
Critical Error This provides information when components cause a process to end.
Warning This provides information when components experience an error but continue to process requests.
You can see these options in Figure 5.2.

Figure 5.2 Defining trace conditions
Trace Provider
The last criterion is which trace providers should be used and at which verbosity. The providers overlap in places, and the differences between them are not always obvious. The following four built-in trace providers are shown in Figure 5.3:
- ASP
- ASPNET
- ISAPI Extension
- WWW Server

Figure 5.3 Selecting trace providers

For ASPNET and WWW Server, you can also specify the areas that should be traced. With the ASPNET provider, you can specify the following areas:
Infrastructure This option traces requests as they move between the different tracing areas within ASP.NET.
Module This option traces the requests through the HTTP pipeline or managed modules.
Page This option traces page events and can also capture Trace.Write and Trace.Warn events.
AppServices This option traces the requests through application services.
WWW Server has the following areas:
Authentication This option traces authentication attempts and includes the authenticated user, the scheme (such as Anonymous or Basic), and the result of the attempt.
Security This option traces events when the server rejects a request for security or permission reasons.
Filter This option traces how long it takes an ISAPI filter to process a request.
StaticFile This option traces how long static file requests take to complete.
CGI This option traces when a request is made to the CGI module.
Compression This option traces requests through the compression modules.
Cache This option traces requests through the caching modules.
RequestNotifications This option traces all request notifications, both on entrance and on exit.
Module This option traces the requests through the HTTP pipeline or managed modules.
There are also six verbosity settings for each provider. To get the information required to pinpoint the problem, select the lowest verbosity that will capture it, to reduce the impact on the server. The verbosity levels are listed in order; the first produces the least data and the last the most:
- General
- Critical Errors
- Errors
- Warnings
- Information
- Verbose

Tracing failed requests can have a negative impact on server performance. If you must use tracing on a production server, be aware of the impact: test the configuration in a test lab under load while monitoring standard metrics such as CPU, memory, disk I/O, and application response time.
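The content, condition, and provider rules above are easy to get wrong on a busy server (a pattern that matches nothing, or one that matches everything). The following is an added example, not code from the book or from IIS itself: it models how a failed request tracing rule decides whether a request gets a trace file, following the rules the text describes (one wildcard in the content pattern, comma-separated status codes, a time-taken threshold, an event-severity threshold, and "first matching condition wins"), so you can dry-run a rule against representative traffic before enabling it. Assumptions: the content pattern is matched against the file-name part of the request path, and status codes may also be given as a range (400-599) or with a substatus (401.3), which IIS accepts in addition to the plain comma-separated list the text mentions. The sample requests are constructed.

```python
"""Dry-run model of IIS 7.0 failed request tracing failure definitions (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Severity order used by the Event Severity condition: a rule set to "Error"
# fires on Error and Critical Error events but not on Warnings.
SEVERITY_RANK = {"Warning": 1, "Error": 2, "CriticalError": 3}


@dataclass
class TraceRule:
    content: str = "*"                        # "*", "*.aspx", "*.asp" or custom such as "forum*"
    status_codes: str = ""                    # e.g. "500", "401.3,500" or "400-599" (assumed IIS syntax)
    time_taken_seconds: Optional[float] = None
    event_severity: Optional[str] = None      # "Warning", "Error" or "CriticalError"


@dataclass
class Request:
    """One request as the tracing module would see it (constructed test data)."""
    path: str
    status: int
    substatus: int = 0
    time_taken_seconds: float = 0.0
    event_severities: List[str] = field(default_factory=list)


def compile_content_pattern(pattern: str) -> "re.Pattern[str]":
    """Turn an IIS content pattern into a regex; IIS allows at most one '*'."""
    if pattern.count("*") > 1:
        raise ValueError(f"only one wildcard is allowed in a tracing rule path: {pattern!r}")
    head, star, tail = pattern.partition("*")
    body = re.escape(head) + (".*" if star else "") + re.escape(tail)
    return re.compile("^" + body + "$", re.IGNORECASE)


def parse_status_codes(spec: str) -> List[Tuple[int, int, Optional[int]]]:
    """'500,400-599,401.3' -> [(500, 500, None), (400, 599, None), (401, 401, 3)]."""
    entries = []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        if "-" in item:                       # range of status codes
            lo, hi = item.split("-", 1)
            entries.append((int(lo), int(hi), None))
        elif "." in item:                     # status.substatus
            code, sub = item.split(".", 1)
            entries.append((int(code), int(code), int(sub)))
        else:
            entries.append((int(item), int(item), None))
    return entries


def status_matches(entries, status: int, substatus: int) -> bool:
    return any(lo <= status <= hi and (sub is None or sub == substatus)
               for lo, hi, sub in entries)


def failure_reason(rule: TraceRule, request: Request) -> Optional[str]:
    """Return the first condition that fires for this request, or None if it is not traced."""
    file_name = request.path.rsplit("/", 1)[-1]   # assumption: pattern applies to the file name
    if not compile_content_pattern(rule.content).match(file_name):
        return None
    if rule.status_codes and status_matches(parse_status_codes(rule.status_codes),
                                            request.status, request.substatus):
        return f"status {request.status}.{request.substatus}"
    if rule.time_taken_seconds is not None and request.time_taken_seconds > rule.time_taken_seconds:
        return f"time taken {request.time_taken_seconds:.1f}s"
    if rule.event_severity:
        threshold = SEVERITY_RANK[rule.event_severity]
        if any(SEVERITY_RANK.get(s, 0) >= threshold for s in request.event_severities):
            return f"event severity >= {rule.event_severity}"
    return None


def requests_to_trace(rule: TraceRule, requests: List[Request]) -> List[Tuple[str, str]]:
    """(path, reason) for every request the rule would write a trace file for."""
    traced = []
    for req in requests:
        reason = failure_reason(rule, req)
        if reason:
            traced.append((req.path, reason))
    return traced


# Constructed sample traffic, not captured from any real server.
SAMPLE_REQUESTS = [
    Request("/Default.aspx", 200, time_taken_seconds=0.2),
    Request("/forum/forumLogin.aspx", 500, time_taken_seconds=1.1,
            event_severities=["Warning", "Error"]),
    Request("/forum/StartForumLogin.aspx", 500),
    Request("/images/logo.png", 404),
    Request("/reports/export.aspx", 200, time_taken_seconds=45.0,
            event_severities=["Warning"]),
]

ASPX_500_RULE = TraceRule(content="*.aspx", status_codes="500")          # the rule from the text
FORUM_RULE = TraceRule(content="forum*", status_codes="400-599", time_taken_seconds=30)
SLOW_OR_ERROR_RULE = TraceRule(content="*", time_taken_seconds=30, event_severity="Error")

if __name__ == "__main__":
    for name, rule in [("aspx-500", ASPX_500_RULE), ("forum", FORUM_RULE),
                       ("slow-or-error", SLOW_OR_ERROR_RULE)]:
        print(name, requests_to_trace(rule, SAMPLE_REQUESTS))
```

Running it shows the point of the single-wildcard limit: the forum* rule catches /forum/forumLogin.aspx but not /forum/StartForumLogin.aspx, while the two-condition rule fires on whichever condition matches first (the Error event for the login page, the 45-second response for the report) and never requires both.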
Access Logging

Most web developers want to know who is visiting a website and what visitors do while they are there, so that they can improve the end user's experience, see how good a job they are doing at attracting visitors, and determine how users were referred to the site. This is where access logging is useful. Server administrators use access logs too, to determine whether errors are occurring and when the server is busiest; the period when the server is least busy is when maintenance can be scheduled, a period often called a change window. Access logs store the activity for each request: information such as the time, the client software used, the amount of data transferred, and the status code returned by the server. The exact attributes logged can be modified to meet your business's reporting and auditing needs. Access logs can be processed by reporting software to give a more user-friendly and digestible view of the data. There are two main ways of storing access logs, per server and per site.

Per-server logging Per-server logging creates a single log for all of the sites on the server. There are two formats to choose from: Centralized Binary Logging and Centralized World Wide Web Consortium (W3C) Extended Log. Binary logging is written in the Internet Binary Log format, which isn't readable with common text editors but can be read by third-party tools as well as Log Parser, which is available from Microsoft. The W3C extended log is written in text format and can be read with common text-editing software.

Per-site access logging Per-site access logging is similar to the method used in previous versions of IIS. There are four built-in per-site log formats: National Center for Supercomputing Applications (NCSA) Common, Microsoft Internet Information Services (IIS), World Wide Web Consortium (W3C) Extended, and Custom (ODBC) Logging. Both W3C and Custom logging allow you to configure which fields are stored in the access log; changing the logged fields is sometimes necessary for reporting software to deliver detailed reports.

Per-server logging and the default per-site configuration are set at the server level using the Logging feature. At the site level, the Logging feature can be used to customize per-site settings. Whether you choose per-server or per-site logging, the base directory for storing the files is %SystemDrive%\inetpub\logs\LogFiles. Per-server logs go in the W3SVC subdirectory; with per-site logging, each site's log files are placed in a directory named after the site ID. For example, the logs for website 1 are stored in %SystemDrive%\inetpub\logs\LogFiles\W3SVC1. The log file names in those directories depend on the format chosen and the rollover settings.
Log file rollover sets the criteria for when a new log file should be started. There are four rollover settings:
Schedule Select this option if a new log file should be created on one of the following schedules:
- Hourly
- Daily
- Weekly
- Monthly
Maximum File Size (in Bytes) Select this option if the log file should reach a specific size before a new one is created.
Do Not Create New Log Files Select this option if a single log file should be used indefinitely. This is often used with legacy web reporting software that has to reference a single filename to create reports.
Use Local Time for File Naming and Rollover Select this option if local time should be used for naming and rolling over the files. The default is to use Coordinated Universal Time (UTC). Note that this option affects only file naming and rollover; the time stamps written inside W3C log entries are always UTC, which matters when you correlate the log with event logs and other sources that use local time.
Log files can be encoded in either Unicode Transformation Format (UTF-8) or ANSI; this setting can only be selected at the server level, and it applies to the log files of every site. When log settings are changed, the site must be restarted for the new settings to take effect.
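The analysis the text describes (are there errors, when is the server busiest, when is the quiet period that can serve as a change window) is straightforward to script against a W3C extended log, and an administrator will usually want one more check: which clients are accumulating authentication failures. The following is an added example and not code from the book or from IIS. It parses the #Fields directive rather than assuming a column layout, so it works with whatever fields the site is configured to log. The log lines are constructed, not captured from a real server; they use the IIS 7.0 default W3C field list, in which time-taken is in milliseconds and all times are UTC.

```python
"""Summarize an IIS 7.0 W3C extended access log (added example)."""
from collections import Counter
from typing import Dict, Iterator, List, Tuple

# Constructed sample log using the IIS 7.0 default W3C fields; spaces inside values are '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2008-06-27 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2008-06-27 02:15:01 10.0.0.5 GET /Default.aspx - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0 31
2008-06-27 02:40:12 10.0.0.5 GET /images/logo.png - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+7.0) 304 0 0 2
2008-06-27 09:01:05 10.0.0.5 GET /Default.aspx - 80 - 198.51.100.7 Mozilla/5.0+(Windows) 200 0 0 47
2008-06-27 09:02:30 10.0.0.5 POST /admin/login.aspx - 80 - 203.0.113.9 curl/7.18.0 401 2 5 15
2008-06-27 09:02:31 10.0.0.5 POST /admin/login.aspx - 80 - 203.0.113.9 curl/7.18.0 401 2 5 14
2008-06-27 09:02:33 10.0.0.5 POST /admin/login.aspx - 80 - 203.0.113.9 curl/7.18.0 401 2 5 16
2008-06-27 09:02:35 10.0.0.5 POST /admin/login.aspx - 80 - 203.0.113.9 curl/7.18.0 401 2 5 15
2008-06-27 09:10:00 10.0.0.5 GET /reports/export.aspx month=5 80 - 198.51.100.7 Mozilla/5.0+(Windows) 500 0 0 3120
2008-06-27 14:30:00 10.0.0.5 GET /Default.aspx - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0 28
2008-06-27 14:31:00 10.0.0.5 GET /missing.aspx - 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+7.0) 404 0 2 9
"""


def parse_w3c_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per entry, keyed by the names in the most recent #Fields directive."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):      # may be repeated after a rollover or field change
                fields = line[len("#Fields:"):].split()
            continue
        if not fields:
            raise ValueError("log entry before any #Fields directive")
        values = line.split(" ")                 # W3C values never contain spaces
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def requests_per_hour(entries) -> Counter:
    """Request counts keyed by 'YYYY-MM-DD HH' (UTC)."""
    return Counter(f"{e['date']} {e['time'][:2]}" for e in entries)


def busiest_and_quietest_hour(entries) -> Tuple[str, str]:
    """Busiest and quietest hour among the hours that appear in the log; hours with no traffic at all are not listed."""
    per_hour = requests_per_hour(entries)
    busiest = max(per_hour.items(), key=lambda kv: (kv[1], kv[0]))[0]
    quietest = min(per_hour.items(), key=lambda kv: (kv[1], kv[0]))[0]
    return busiest, quietest


def status_summary(entries) -> Counter:
    return Counter(e["sc-status"] for e in entries)


def error_rate(entries) -> float:
    """Fraction of requests answered with a 4xx or 5xx status."""
    entries = list(entries)
    errors = sum(1 for e in entries if int(e["sc-status"]) >= 400)
    return errors / len(entries) if entries else 0.0


def slow_requests(entries, threshold_ms: int) -> List[Tuple[str, str, int]]:
    return [(e["time"], e["cs-uri-stem"], int(e["time-taken"]))
            for e in entries if int(e["time-taken"]) > threshold_ms]


def auth_failure_sources(entries, threshold: int) -> Dict[str, int]:
    """Client addresses that received at least `threshold` 401 responses: a password-guessing indicator."""
    per_client = Counter(e["c-ip"] for e in entries if e["sc-status"] == "401")
    return {ip: n for ip, n in per_client.items() if n >= threshold}


if __name__ == "__main__":
    entries = list(parse_w3c_log(SAMPLE_LOG))
    print("per hour:", dict(requests_per_hour(entries)))
    print("busiest / quietest:", busiest_and_quietest_hour(entries))
    print("status codes:", dict(status_summary(entries)), "error rate:", error_rate(entries))
    print("slow (>1 s):", slow_requests(entries, 1000))
    print("401 sources (>=3):", auth_failure_sources(entries, 3))
```

Run it against a real file by replacing SAMPLE_LOG with the contents of a u_ex*.log from the site's W3SVC<id> directory. Because the quietest hour is computed only over hours that appear in the log, compare it against a full day of logs (or several) before picking a change window from it.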
Backup and Restore

One of the most important configuration and setup steps is to make sure that restores work, because a backup is useless unless it can be restored. As mentioned in Chapter 4, the IIS configuration is stored in a number of XML-based files. These files can be backed up and then restored to return the server's configuration to the point in time when the backup was created. Because an errant configuration change can negatively impact the server's functionality, IIS automatically backs up the server configuration when an administrator makes changes. The default setting keeps up to 10 automatic configuration backups, each in a uniquely named subdirectory of %SystemDrive%\inetpub\history, before removing the oldest one. By default the configuration is checked for changes every 2 minutes, and all changes made within that interval are captured in a single backup, so there is no separate backup for every check box selected and setting tweaked. Configuration history protects only the server configuration files; it does not back up application Web.config files, nor does it back up website content.
The number of configuration backups is controlled by the maxHistories attribute of the configHistory section of applicationHost.config, and the interval at which the configuration is checked and backed up is controlled by its period attribute. The period is specified in hours:minutes:seconds format; for a 10-minute period, you would use 00:10:00. The AppCmd.exe utility can be used to modify both attributes. Exercise 5.3 walks you through changing these settings.

Exercise 5.3: Modifying Configuration History Settings

Follow these steps to modify configuration history settings:
1. Open an elevated command prompt.
2. Change to %SystemRoot%\System32\inetsrv, the directory where AppCmd.exe resides.
3. Run appcmd set config /section:configHistory /maxHistories:50 /period:00:10:00 to set the maximum number of history backups to 50 with a check interval of 10 minutes. You can confirm the change with appcmd list config /section:configHistory.
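What the appcmd command in Exercise 5.3 changes is two attributes on one element in applicationHost.config, and the question an administrator should ask before accepting the defaults is how much editing time the history really covers (maxHistories multiplied by period: 10 backups at a 2-minute interval is only 20 minutes of back-to-back changes). The following is an added example, not code from the book or from IIS: it reads the configHistory settings, validates the hh:mm:ss period before writing it, applies the same change at file level, and computes that retention window. The XML fragment is constructed with the IIS 7.0 default values, not copied from a real server, and the defaults table in the code records what IIS assumes when the element or an attribute is absent.

```python
"""Read, validate and change configHistory in applicationHost.config (added example)."""
import re
import xml.etree.ElementTree as ET
from datetime import timedelta
from typing import Dict, Optional

# Constructed fragment of applicationHost.config showing the IIS 7.0 defaults.
SAMPLE_APPHOST = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.applicationHost>
    <configHistory enabled="true" path="%SystemDrive%\inetpub\history" maxHistories="10" period="00:02:00" />
    <sites>
      <site name="Default Web Site" id="1" />
    </sites>
  </system.applicationHost>
</configuration>
"""

# IIS 7.0 defaults, applied when the element or an attribute is missing from the file.
DEFAULTS = {"enabled": "true", "path": r"%SystemDrive%\inetpub\history",
            "maxHistories": "10", "period": "00:02:00"}
PERIOD_RE = re.compile(r"^(\d{1,2}):([0-5]\d):([0-5]\d)$")


def parse_period(text: str) -> timedelta:
    """'00:10:00' -> 10 minutes; rejects anything that is not hh:mm:ss."""
    match = PERIOD_RE.match(text)
    if not match:
        raise ValueError(f"period must be hh:mm:ss, got {text!r}")
    hours, minutes, seconds = (int(g) for g in match.groups())
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def _config_history_element(root: ET.Element, create: bool = False) -> Optional[ET.Element]:
    found = next(root.iter("configHistory"), None)
    if found is None and create:
        parent = next(child for child in root if child.tag == "system.applicationHost")
        found = ET.SubElement(parent, "configHistory")
    return found


def read_config_history(xml_text: str) -> Dict[str, object]:
    """Effective configHistory settings, defaults filled in for anything not written explicitly."""
    root = ET.fromstring(xml_text)
    element = _config_history_element(root)
    attrs = dict(DEFAULTS)
    if element is not None:
        attrs.update(element.attrib)
    return {
        "enabled": attrs["enabled"].lower() == "true",
        "path": attrs["path"],
        "maxHistories": int(attrs["maxHistories"]),
        "period": parse_period(attrs["period"]),
    }


def set_config_history(xml_text: str, max_histories: Optional[int] = None,
                       period: Optional[str] = None) -> str:
    """Return the file with maxHistories and/or period changed; the file-level equivalent of appcmd set config."""
    root = ET.fromstring(xml_text)
    element = _config_history_element(root, create=True)
    if max_histories is not None:
        if max_histories < 1:
            raise ValueError("maxHistories must be at least 1")
        element.set("maxHistories", str(max_histories))
    if period is not None:
        parse_period(period)                  # validate before touching the file
        element.set("period", period)
    return ET.tostring(root, encoding="unicode")


def retention_window(settings: Dict[str, object]) -> timedelta:
    """Longest run of back-to-back edits the history can hold before the oldest backup is discarded."""
    return settings["maxHistories"] * settings["period"]


if __name__ == "__main__":
    current = read_config_history(SAMPLE_APPHOST)
    print("current:", current, "covers", retention_window(current))
    updated = read_config_history(set_config_history(SAMPLE_APPHOST, max_histories=50, period="00:10:00"))
    print("updated:", updated, "covers", retention_window(updated))
```

Note that on a live server you should still make the change through appcmd (or IIS Manager) rather than rewriting applicationHost.config with ElementTree, which drops the XML declaration and comments; the point of the script is to audit the effective values and to check a proposed period before you type it.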
What if you want to make a manual backup of the configuration to keep for future recovery? This too can be done with AppCmd.exe. Figure 5.4 shows AppCmd.exe being run to manually generate a backup called Server Backup 1 with the command appcmd add backup "Server Backup 1"; manual backups are stored under %SystemRoot%\System32\inetsrv\backup.

Figure 5.4 Manually creating a server configuration backup

To list the automatic and manual configuration backups that have been made, run appcmd list backups. Figure 5.5 shows the results of running this command. Now you have configuration backups, but what use are they unless you can perform a restore? When you restore the configuration, you restore the IIS settings for all of the sites, application pools, virtual directories, and applications on the server. Figure 5.6 shows an example of restoring a manual backup named Server Backup 1 by running appcmd restore backup "Server Backup 1".
Fi g u r e 5 . 5 Listing available backups
Fi g u r e 5 . 6 Restoring the configuration from a backup
Now that the server configuration is being protected, the next step is to ensure that the content of the websites is protected. There isn't a whole lot of IIS-specific magic when it comes to backing up content. The Windows Server Backup feature should be used to perform regular backups of site content, which would include any Web.config files that contain configuration data not captured by the IIS configuration backup. The Windows Server Backup feature is installed from Server Manager by selecting Add Features from the Action menu.

Delegating Administrative Rights

To allow developers, help desk personnel, or non-IT staff to perform specific administrative functions, IIS 7 has feature delegation. By default, delegated users authenticate with Windows credentials; alternatively, IIS Manager credentials (user accounts that exist only within IIS) can be configured as well. To start with feature delegation, the Management Service role service must first be installed, which can be done from Server Manager. The Management Service allows remote administration of IIS, and connecting remotely is the method delegated IIS administrators must use to exercise their delegated feature rights.
There are two forms of administrative rights that can be delegated: IIS Manager permissions and feature delegation. Either form of delegation affects all sites, directories, or applications below the level where the delegation takes place. IIS Manager permissions grant a user the ability to manage specific sites or applications. Exercise 5.4 demonstrates how to grant a user IIS Manager permissions to manage an entire website remotely.

Exercise 5.4: Delegating Administrative Permissions for Remote Administration of a Website

Follow these steps to delegate administrative permissions for remote administration of a website:
1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.
2. Select Default Web Site in the Connections pane.
3. In the Content pane, double-click IIS Manager Permissions.
4. In the Actions pane, click Allow User. 5. In the Allow User dialog box, type or select the user that you want to grant access to and click OK.
The more granular delegation option is feature delegation. It allows you to specify whether each feature's configuration section is locked or unlocked. When a feature is locked, the server-level configuration is enforced at all lower levels; lock a feature when any conflicting configuration in Web.config files below it should be overridden. This is important for features where developers or administrators must be prevented from overriding standards that have been set. For many features the default is to allow lower-level configuration files to supply the feature's settings. IIS Manager permissions are delegated only for a site or an application, because computer administrators automatically have permission at the server level.

Feature delegation is configured from the server level; however, features can be delegated at a variety of levels. To configure feature delegation for all sites on the server, as you would when you give a user or set of users access to administer all sites, perform the delegation at the server level. If you are delegating rights on only a particular site, start the delegation at that site. To manage feature delegation, select the local server in the Connections pane and double-click the Feature Delegation icon in the Content pane (Figure 5.7). There are three general settings and one action for each feature:
Read/Write This sets the feature to unlocked and allows the feature to be changed in lower-level Web.config files for the sites and applications below. It also allows non-administrators who have been given permission to connect to configure the feature in IIS Manager.
Fi g u r e 5 . 7 Managing feature delegation
Read Only This locks the feature's configuration to the server-level configuration file; it cannot be overridden by any lower-level Web.config file. It also denies non-administrators the ability to change the feature in IIS Manager, although they can still view its configuration.
Not Delegated This also locks the feature's configuration to the server-level configuration file, so it cannot be overridden by any lower-level Web.config file. In addition, non-administrators can neither see nor modify the feature in IIS Manager.
Reset to Inherited This action sets the delegation state back to whatever it is at the parent level.
Two exceptions are .NET Users and .NET Roles. These features are assigned either Configuration Read/Write or Configuration Read Only, and they can be reset like any other feature (the Reset All Delegation action in the Actions pane returns every feature to its default state). They are similar to the preceding settings except that they affect the configuration of the feature, not the data the feature uses. Figure 5.8 shows an example of configuring the feature delegation options.
Fi g u r e 5 . 8 Configuring feature delegation
Configuring Secure Sockets Layer (SSL) Security

Security is extremely important to companies today; improperly protecting sensitive user data can destroy a company's reputation. Secure Sockets Layer (SSL) is a method of encrypting and authenticating client-to-server communications. It provides reasonable assurance that the information exchanged between the client and the server is safe from prying eyes and has not been tampered with in transit. To provide SSL communication, you must install a certificate on the server. SSL certificates are based on Public Key Infrastructure (PKI), which consists of a private key, a public key, and a certificate authority (CA) that vouches for the binding between the public key and its owner.
The certificate contains the public key together with details about the owner, the validity period, and how the certificate may be used. The public key is, as its name suggests, public and can be distributed to anyone who requests it. The private key, however, must be kept secure and stored only on the server or servers that require it. If the private key is made public or compromised in any other way, the certificate should be revoked and a new key pair and certificate generated. The public and private keys are a matched pair of numbers used in asymmetric computations: it is like having one key that locks the door and another key that unlocks it. When one key is used to encrypt data, the other must be used to decrypt it, and if one of the keys is missing, the encryption or authentication process cannot complete. Certificates are verified and issued by a CA. A CA can be likened to a passport agency. The passport agency verifies the information the applicant provides and then issues a passport that is valid for a specific period. When passport holders travel, they present the passport as identification because governments trust that the issuing government has properly verified the holder's identity. Similarly, when a CA issues a certificate, it verifies that you are who you purport to be by checking specific information and often requesting documentation. Once verification is complete, the certificate is issued. For a certificate to be accepted, all parties must trust the CA. Windows Server 2008 includes Active Directory Certificate Services (AD CS) as an available role that can act as a CA and issue certificates. If you create your own CA, users on the Internet will not automatically trust it and will receive browser warnings when they access your site. Using AD CS is a valid option when all users are under your control or in your domain, because you can use Group Policy to distribute your CA's root certificate so that domain machines trust it.

Third parties such as VeriSign, GeoTrust, and Thawte operate CAs whose root certificates are included in the trusted root stores of major operating systems and browsers, including Windows Server 2008. When you're requesting a certificate for a public website, obtain it from a widely trusted third party so that Internet users do not receive warnings when visiting your site.
Requesting and Renewing SSL Certificates

The first step in configuring SSL on a website is to obtain a certificate. The key pair is generated on the server so that the private key never leaves it; only a certificate request containing the public key and the identifying information is sent to the CA, which uses it to generate the certificate. To create a simple certificate request from IIS Manager, follow these steps:
1. Choose the server name in the Connections pane and then double-click the Server Certificates icon.
2. Choose Create Certificate Request from the Actions pane (Figure 5.9).
Fi g u r e 5 . 9 Managing server certificates
3. In the Request Certificate dialog box, provide information specific to your organization. The CA uses this information to determine whether you are eligible to request a certificate for this organization. Note that the common name must match the fully qualified host name that users will type into their browsers to reach the site (www.example.com, for instance, not the server's internal machine name); a mismatch produces a certificate warning. Click Next (Figure 5.10).

Figure 5.10 Entering certificate details
4. On the Cryptographic Service Provider Properties page (Figure 5.11), choose the cryptographic service provider and the key length in bits. The bit lengths available in this step range from 384 to 16384. The longer the key, the harder it is to break, but a longer key also puts more load on the server, because the encryption and decryption process requires expensive mathematical operations, and it slightly increases the amount of data exchanged between server and client. In practice, choose at least 2048 bits: public CAs no longer issue certificates for shorter RSA keys, and keys of 1024 bits or less are considered inadequate.

Figure 5.11 Setting the cryptographic service provider properties

5. Provide a location to save the certificate request and click Finish.

The process is not over. The next step is to submit the certificate request file, along with any other documentation, to the CA so that the certificate can be issued. After the CA processes the request, you must use its response to complete the certificate. From Server Certificates in IIS Manager on the server from which the request was generated (the private key exists only there), choose Complete Certificate Request from the Actions pane. As shown in Figure 5.12, in the Specify Certificate Authority Response dialog box, enter the location of the file containing the response from the CA, assign a friendly name for the certificate, and then click OK. For testing, you can also create a self-signed SSL certificate. Because no trusted certificate authority is involved, no one other than the server itself will automatically trust the certificate, and browsers will warn users. To create a self-signed certificate, select Create Self-Signed Certificate from the Actions pane in Server Certificates in IIS Manager. After a certificate is issued, it is valid only for a specific period. To renew it, you must generate a renewal request, which is then given to the CA; the CA issues a new response, which in turn completes the new certificate.
Figure 5.12 Completing a certificate request
Enabling SSL on a Website

Once you have a valid certificate on the server (one issued from a trusted third-party CA, one from a local AD CS server, or a self-signed certificate), you must assign it to a website to enable SSL.

Exercise 5.5
Enabling SSL on a Web Server

1. Select the website for which you would like to enable SSL.
2. Choose Bindings from the Actions pane.
3. Click Add in the Site Binding dialog box.
4. In the Add Site Binding dialog box, set the type to https and select an IP address to bind to if you're not using the default.
5. Select the SSL certificate from the drop-down list and click OK.
After SSL has been enabled, you should be able to visit the site from a browser using https://<sitename>/. If you want to require that all clients connect to a site or virtual directory with SSL, navigate to where you want to enforce SSL in the Connections pane and then double-click on SSL Settings in the Content pane. As shown in Figure 5.13, enable Require SSL and, if needed, Require 128-bit SSL to ensure that a stronger encryption standard is met.

Figure 5.13 Configuring the Require SSL setting
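The same request, completion, binding and Require SSL steps, done from an elevated PowerShell prompt with the built-in certreq.exe, appcmd.exe and netsh.exe tools. This is an added example, not the book's own procedure; the site name, host name, organisation details, working folder and the appid GUID are assumptions.

```powershell
# Added example: IIS 7.0 SSL set-up from the command line (site/host names are assumptions).
$SiteName = "Default Web Site"
$HostName = "www.example.com"          # assumed host name the certificate is issued for
$WorkDir  = "C:\CertRequest"           # assumed working folder for the request files

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Step 1: describe the request. KeyLength is the "bit length" chosen in Figure 5.11;
# 2048 bits is the smallest RSA size that should be used. Exportable = TRUE is only
# needed when the certificate must later be moved to other servers in a farm.
$Inf = @"
[NewRequest]
Subject = "CN=$HostName, O=Example Corp, L=Indianapolis, S=Indiana, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
"@
$InfPath = Join-Path $WorkDir "request.inf"
$ReqPath = Join-Path $WorkDir "request.txt"
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# Step 2: generate the key pair (kept in the machine store) and the PKCS#10 request file
# that is submitted to the CA together with any other required documentation.
certreq.exe -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
Write-Host "Submit $ReqPath to the CA and save its response as $WorkDir\response.cer"

# Step 3: complete the request with the CA's response (the equivalent of Complete
# Certificate Request in IIS Manager). certreq matches the response to the pending key.
$RespPath = Join-Path $WorkDir "response.cer"
if (Test-Path $RespPath) {
    certreq.exe -accept $RespPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }

    # Step 4: locate the completed certificate (with its private key) in LocalMachine\My.
    $Store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $Store.Open("ReadOnly")
    $Cert = $Store.Certificates |
        Where-Object { $_.Subject -like "CN=$HostName*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    $Store.Close()
    if (-not $Cert) { throw "No certificate with a private key found for $HostName" }

    # Step 5: add an https binding on all addresses, port 443 (Exercise 5.5), then attach
    # the certificate to that port in HTTP.SYS. The appid is an arbitrary owner GUID; the
    # value used here is a placeholder.
    appcmd.exe set site /site.name:"$SiteName" /+"bindings.[protocol='https',bindingInformation='*:443:']"
    netsh.exe http add sslcert ipport=0.0.0.0:443 certhash=$($Cert.Thumbprint) appid="{00000000-0000-0000-0000-000000000001}"

    # Step 6: require SSL and 128-bit SSL for the whole site (Figure 5.13).
    appcmd.exe set config "$SiteName" /section:system.webServer/security/access /sslFlags:"Ssl,Ssl128" /commit:apphost
}
```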
Exporting and Importing Certificates

You may need to export a certificate from one server to another when multiple web servers in a web farm must host the same SSL secured site. When you export a certificate, the private key is also exported, so the exported data should be protected. Allowing the private key for the site to fall into the wrong hands increases the likelihood of compromising the integrity of the certificate. To export a certificate, select the server in the Connections pane and then double-click on Server Certificates in the Content pane. Then choose Export from the Actions pane. As shown in Figure 5.14, specify a filename and a password to protect the certificate.
Figure 5.14 Exporting a certificate
To import a certificate, you follow a similar procedure. Select the server in the Connections pane and then double-click on Server Certificates in the Content pane. Then choose Import from the Actions pane. As shown in Figure 5.15, select the certificate file, type in the password, and then select whether you would like the certificate to be exportable from this server.

Figure 5.15 Importing a certificate
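The export and import above, done with the .NET X509 classes that ship with Windows Server 2008 so the password protection and the "exportable" choice from Figure 5.15 are explicit. This is an added example, not the book's; the thumbprint, file path and password source are placeholders.

```powershell
# Added example: move a site certificate between farm members as a password-protected PFX.

function Export-SiteCertificate {
    param(
        [string]$Thumbprint,                       # thumbprint shown under Server Certificates
        [string]$PfxPath,
        [System.Security.SecureString]$Password
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open("ReadOnly")
    try {
        $cert = $store.Certificates.Find("FindByThumbprint", $Thumbprint, $false) | Select-Object -First 1
        if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
        if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this server" }
        # Pfx (PKCS #12) carries the private key; the password encrypts it on disk.
        # Export throws if the key was imported as non-exportable.
        $bytes = $cert.Export("Pfx", $Password)
        [System.IO.File]::WriteAllBytes($PfxPath, $bytes)
        # Restrict the file to Administrators and SYSTEM while it is in transit.
        $acl = Get-Acl $PfxPath
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($id in "BUILTIN\Administrators", "NT AUTHORITY\SYSTEM") {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, "FullControl", "Allow")
            $acl.AddAccessRule($rule)
        }
        Set-Acl $PfxPath $acl
        return $bytes.Length
    } finally { $store.Close() }
}

function Import-SiteCertificate {
    param(
        [string]$PfxPath,
        [System.Security.SecureString]$Password,
        [switch]$AllowExport                       # the "exportable" choice in Figure 5.15
    )
    # MachineKeySet puts the key in the machine store (IIS runs as a service), PersistKeySet
    # keeps it after this process exits; Exportable is added only when explicitly requested.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"MachineKeySet, PersistKeySet"
    if ($AllowExport) {
        $flags = $flags -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open("ReadWrite")
    try { $store.Add($cert) } finally { $store.Close() }
    # The certificate still has to be bound to the site on this server (Exercise 5.5).
    return $cert.Thumbprint
}

# Usage (placeholders): export on the source server, import on each other farm member.
$pw    = Read-Host -AsSecureString "PFX password"
$thumb = "0000000000000000000000000000000000000000"   # placeholder thumbprint
Export-SiteCertificate -Thumbprint $thumb -PfxPath "C:\Transfer\site.pfx" -Password $pw
Import-SiteCertificate -PfxPath "C:\Transfer\site.pfx" -Password $pw
```

Delete the PFX file once the import on every target server has been verified; leaving it on a share is the exposure the text warns about.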
Configuring Website Authentication and Permissions

A number of authentication types are available for IIS 7.0 to meet the needs of your application. Each is provided by a native authentication module that enables that specific authentication type.

AD Client Certificate Authentication: This allows authentication using certificates stored in Active Directory.
Anonymous Authentication: This allows any user who can access the site to view content without having to authenticate. The IUSR[_ServerName] account is used by IIS to access the content on the server.
ASP.NET Impersonation: This allows an ASP.NET application to run under accounts other than the default ASPNET account.
Basic Authentication: This allows users to access content after providing a username and password. Basic authentication transmits the username and password with weak encryption, so it is best to use this on a trusted network or to provide additional encryption using SSL.
Digest Authentication: This allows using domain credentials to authenticate; however, all passwords must be stored with reversible encryption.
Forms Authentication: This uses an HTML form to request credentials from a user. The credentials can be validated against a number of sources, including Active Directory or another database. The username and password are sent in plain text, so it is recommended that you use SSL to provide protection.
Windows Authentication: This allows authentication with NTLM or Kerberos to domain or local accounts.

By default, Anonymous authentication is enabled. If Anonymous is enabled along with other authentication modules, users will be able to view all publicly available content. If someone attempts to access content that isn't publicly available, they are prompted to provide credentials.

To enable an authentication module, you must first install it. All of the authentication modules are listed under the Security heading when role services are installed, as shown in Figure 5.16.

Figure 5.16 Adding authentication modules
Once you have installed the modules required to provide authentication for your site, only Anonymous authentication is enabled by default. To enable other authentication types, navigate in the Connections pane to the server, site, or application for which you want to enable the authentication type. From there, double-click on Authentication in the Content pane. As shown in Figure 5.17, you will be able to view a list of available authentication types and then enable, disable, and configure each authentication type as needed.

Figure 5.17 Configuring authentication
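An audit of the authentication configuration described above, run with appcmd.exe against every site on the server. It flags the combinations this section warns about (Basic or Forms authentication without Require SSL, Digest's reversible-password requirement, Anonymous left enabled beside credentialed modules). This is an added example, not the book's; only the site names are read from the server.

```powershell
# Added example: report authentication modules per site and check them against the guidance above.
$AppCmd = Join-Path $env:windir "System32\inetsrv\appcmd.exe"

# Returns one attribute of a configuration section as seen from a site (inherited settings
# included) by reading the XML that "appcmd list config" prints for that section.
function Get-SiteConfigAttribute([string]$Site, [string]$Section, [string]$Attribute) {
    $xml = & $AppCmd list config "$Site" "/section:$Section" 2>$null | Out-String
    if ($xml -match ("{0}=`"([^`"]*)`"" -f $Attribute)) { return $Matches[1] }
    return $null
}

# Evaluates one site and returns a list of findings (empty when nothing is wrong).
function Test-SiteAuthentication([string]$Site) {
    $modules = "anonymousAuthentication", "basicAuthentication", "digestAuthentication",
               "windowsAuthentication", "clientCertificateMappingAuthentication"
    $enabled = @{}
    foreach ($m in $modules) {
        $value = Get-SiteConfigAttribute $Site "system.webServer/security/authentication/$m" "enabled"
        $enabled[$m] = ($value -eq "true")
    }
    # Forms authentication lives in ASP.NET's system.web/authentication section.
    $formsAuth = (Get-SiteConfigAttribute $Site "system.web/authentication" "mode") -eq "Forms"
    # sslFlags is a comma list drawn from Ssl, Ssl128, SslNegotiateCert, SslRequireCert.
    $sslFlags   = Get-SiteConfigAttribute $Site "system.webServer/security/access" "sslFlags"
    $requireSsl = [bool]($sslFlags -match "(^|,)\s*Ssl\s*(,|$)")

    $findings = @()
    if ($enabled["basicAuthentication"] -and -not $requireSsl) {
        $findings += "Basic authentication without Require SSL: credentials are readable on the wire"
    }
    if ($formsAuth -and -not $requireSsl) {
        $findings += "Forms authentication without Require SSL: the login form posts credentials in plain text"
    }
    if ($enabled["digestAuthentication"]) {
        $findings += "Digest authentication is enabled: domain passwords must be stored with reversible encryption"
    }
    $credentialed = @($modules | Where-Object { $_ -ne "anonymousAuthentication" -and $enabled[$_] }).Count
    if ($formsAuth) { $credentialed++ }
    if ($enabled["anonymousAuthentication"] -and $credentialed -gt 0) {
        $findings += "Anonymous is enabled alongside other modules: only non-public content will prompt for credentials"
    }
    if (-not $enabled["anonymousAuthentication"] -and $credentialed -eq 0) {
        $findings += "No authentication module is enabled: every request will be rejected with 401"
    }
    return $findings
}

# Run the check over every site on this server.
foreach ($site in (& $AppCmd list sites /text:name)) {
    Write-Host "== $site"
    $f = @(Test-SiteAuthentication $site)
    if ($f.Count -eq 0) { Write-Host "  no findings" } else { $f | ForEach-Object { Write-Host "  $_" } }
}
```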
Configuring Application Access

Authorization rules can be used to control access to a website. They can be specific to users, groups, or roles that have access to the site and can optionally apply to specific HTTP commands (verbs). This is done by creating either an allow or a deny authorization rule. To use authorization rules, you must install the URL Authorization module. The authorization rule is then created at the site or application on which it should be enforced and affects all content beneath that level unless it is specifically removed. The Entry Type column lists Inherited for rules applied from the parent and Local for rules created at the selected level. Figure 5.18 shows several rules inherited from the parent container as well as a single rule created at the selected level.
Figure 5.18 Viewing authorization rules
An authorization rule is applied to one of the following:

• All users
• All anonymous users
• Specified user groups or ASP.NET roles
• Specified users

When creating an authorization rule, you have the option of applying this allow or deny rule to specific HTTP commands known as verbs. You can see these options in Figure 5.19.

Figure 5.19 Creating an authorization rule
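The allow and deny rules from Figures 5.18 and 5.19 created with appcmd.exe for an application under a site, including the verb restriction and the removal of the inherited allow-all rule. This is an added example, not the book's; the site, application and role names are assumptions, and the URL Authorization module must already be installed.

```powershell
# Added example: URL authorization rules for an application (names are assumptions).
$AppCmd  = Join-Path $env:windir "System32\inetsrv\appcmd.exe"
$Section = "system.webServer/security/authorization"
$App     = "Default Web Site/admin"    # assumed application; rules created here are "Local"
                                       # entries and apply to everything beneath it

function Invoke-AppCmd {
    param([string[]]$ArgList)
    & $AppCmd $ArgList
    if ($LASTEXITCODE -ne 0) { throw "appcmd $($ArgList -join ' ') failed with exit code $LASTEXITCODE" }
}

# 1. Remove the inherited "Allow all users" rule at this level so the parent's rule does
#    not grant access before the local rules are evaluated. The collection key for an
#    authorization rule is the users/roles/verbs triple.
Invoke-AppCmd @("set", "config", $App, "/section:$Section", "/-[users='*',roles='',verbs='']")

# 2. Deny anonymous users ('?' stands for all anonymous users). Deny rules take precedence
#    over allow rules, so anonymous requests are refused even though rule 3 allows a role.
Invoke-AppCmd @("set", "config", $App, "/section:$Section", "/+[accessType='Deny',users='?']")

# 3. Allow a Windows group or ASP.NET role for every HTTP verb.
Invoke-AppCmd @("set", "config", $App, "/section:$Section", "/+[accessType='Allow',roles='Site Admins']")

# 4. Give a second role read-only access by limiting the rule to GET and HEAD; POST, PUT
#    and DELETE from that role match no allow rule and are therefore denied.
Invoke-AppCmd @("set", "config", $App, "/section:$Section", "/+[accessType='Allow',roles='Content Reviewers',verbs='GET,HEAD']")

# 5. Show the effective rule set for the application, inherited rules included.
& $AppCmd list config $App "/section:$Section"
```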
Client Certificate Mapping

Client certificates allow a user to authenticate with the site. To enable a website to accept certificates, you must first install the AD Client Certificate Authentication module and enable it at the server level. To allow a website or application to accept client certificates, you must configure the SSL settings. To do this, select the site or application in the Connections pane and then double-click on SSL Settings in the Content pane. Then under Client Certificates in the Content pane, choose Accept or Require as shown in Figure 5.20. Choose Accept if not all users have certificates to authenticate with, and choose Require if you want to force all users to authenticate with a certificate. If you choose Require, you must also require SSL to connect to the site or application.

Figure 5.20 Configuring client certificate settings
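The client certificate setting from Figure 5.20 applied with appcmd.exe, with the rule that Require also needs Require SSL enforced in code, plus the server-level enabling of the AD client certificate mapping module. This is an added example, not the book's; the site and application names are placeholders and the module's role service must already be installed.

```powershell
# Added example: set the client certificate mode (Ignore / Accept / Require) on a site or application.
$AppCmd = Join-Path $env:windir "System32\inetsrv\appcmd.exe"

function Set-ClientCertificateMode {
    param(
        [string]$Path,                                          # "Site" or "Site/application"
        [ValidateSet("Ignore", "Accept", "Require")][string]$Mode
    )
    # Read the current sslFlags so an existing Ssl/Ssl128 setting is preserved.
    $xml = & $AppCmd list config "$Path" /section:system.webServer/security/access | Out-String
    $current = @()
    if ($xml -match 'sslFlags="([^"]*)"') {
        $current = @($Matches[1] -split "," | ForEach-Object { $_.Trim() } | Where-Object { $_ -and $_ -ne "None" })
    }
    # Drop any previous client certificate flags, then add the ones for the requested mode.
    # Accept = negotiate a certificate if the client has one; Require = negotiate and insist on it.
    $flags = @($current | Where-Object { $_ -ne "SslNegotiateCert" -and $_ -ne "SslRequireCert" })
    switch ($Mode) {
        "Accept"  { $flags += "SslNegotiateCert" }
        "Require" { $flags += "SslNegotiateCert"; $flags += "SslRequireCert" }
    }
    # A certificate can only be demanded on an SSL connection, so Require implies Ssl.
    if ($Mode -eq "Require" -and $flags -notcontains "Ssl") { $flags += "Ssl" }
    if ($flags.Count -eq 0) { $flags = @("None") }
    $value = $flags -join ","
    & $AppCmd set config "$Path" /section:system.webServer/security/access /sslFlags:"$value" /commit:apphost
    if ($LASTEXITCODE -ne 0) { throw "appcmd failed with exit code $LASTEXITCODE" }
    return $value
}

# Server level: enable the AD Client Certificate Authentication module (its role service
# must be installed first, as described above).
& $AppCmd set config /section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:true /commit:apphost

# Site level: accept certificates from the users who have one; require them on an
# application where every user must present one (placeholder names).
Set-ClientCertificateMode -Path "Default Web Site" -Mode "Accept"
Set-ClientCertificateMode -Path "Default Web Site/secure" -Mode "Require"
```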
Summary

Although IIS can be very easy to use and configure, there are a number of more advanced topics that warrant consideration. In this chapter we covered advanced management tasks like backing up and restoring, configuring SSL certificates, and configuring authentication types. In several examples, we used the AppCmd.exe command-line tool to work with configuration backups, restores, and configuration history. We also discussed creating failed request tracing rules to be able to pinpoint problems within a web application.
Access logging can be configured either per site or per server to provide detailed logs that track client access to the site. These logs can be used to identify the popularity of a web application or to determine usage patterns. Feature delegation is used to control which features can be configured at lower levels and whether feature settings configured at higher levels in the configuration may be overridden. Next, the chapter covered authentication settings to control access and methods of authenticating users. Last, we discussed requesting, binding, and exporting certificates.
Exam Essentials

Know how to perform a manual backup and restore. Using AppCmd to complete backups and restores is important. Know what syntax to use and in what scenarios you would be required to perform a backup or a restore.

Know what an SSL certificate is and how to request a new one. Certificates are used to encrypt and authenticate communications between the server and client. Know the steps required to secure a website and where to obtain an SSL certificate.

Know which modules are used for authentication. IIS 7.0 has a number of modules used for authentication. Know which modules to use in specific instances and which authentication modules satisfy different authentication requirements.
Review Questions

1. What is the name of the tool used to view and configure IIS settings?
   A. Computer Manager
   B. WDSUTIL
   C. AppCmd
   D. IISmgt

2. In order to troubleshoot and monitor failures in IIS, what role service needs to be installed?
   A. Monitoring
   B. Tracing
   C. Event Viewer Service
   D. File Sharing

3. What must be created to define which failures should be logged?
   A. Event viewer filter
   B. Event view monitor
   C. System task to monitor log files
   D. Failed request tracing rule

4. What are three criteria for creating a trace rule?
   A. Content
   B. Trace provider
   C. Event ID
   D. Conditions

5. Which of the following trace providers are built in?
   A. .NET
   B. ASP
   C. HTML
   D. PHP

6. What log files are used to determine information such as time, software client used, amount of data transferred, and status codes?
   A. Access log
   B. Application logs
   C. Event view log
   D. System logs
7. If you have more than one site on your server and you want to keep all the logs in a single file, what type of logging will you use?
   A. Single access log
   B. Combined log
   C. Per-server logging
   D. Per-domain logging

8. What is the location where the log files are stored regardless of whether you use per-server or per-site logging?
   A. %SystemDrive%\inetpub\Logs\Logfiles\W3SVC
   B. %SystemDrive%\inetpub\Logs\Logfiles
   C. %SystemDrive%\inetpub\Logs
   D. %SystemDrive%\Windows\System32\LogFiles

9. What tool is used to create a manual backup of the IIS server configuration?
   A. WDSUTIL
   B. NTBACKUP
   C. AppCmd
   D. IISState

10. Before you can use the IIS feature delegation, what role needs to be installed?
   A. IIS Management Service
   B. Permissions Verifier
   C. Active Directory Certificate Service
   D. Network Policy and Access Service

11. At what level is feature delegation performed?
   A. Application level
   B. Workstation level
   C. User level
   D. Server level

12. What method is used to encrypt and provide authentication for client and server communications?
   A. DRM
   B. SSL
   C. Bit Level
   D. NTFS
13. What needs to be installed on a server before it can provide SSL communication?
   A. Bit-level encryption
   B. NTFS
   C. DHCP
   D. SSL certificate

14. If the ___________________ is compromised, the SSL certificate must be replaced.
   A. Private key
   B. Public key
   C. Server key
   D. Domain key

15. In order for a certificate to be valid, what must happen?
   A. It must be issued by Microsoft.
   B. It must be at least one year old.
   C. It must be trusted by all parties.
   D. It must be created by an administrator.

16. What are the limitations of creating your own CA?
   A. None
   B. Users on the Internet will not automatically trust your CA and will receive errors when trying to access your site.
   C. You cannot create your own CA. It will cause errors in the Event Viewer.
   D. You will not be able to generate TLS certificates.

17. What are public and private keys?
   A. Matched pairs of numbers used in asymmetrical computations.
   B. Serial numbers used to activate an operating system.
   C. Encryption types.
   D. Keys that are listed on public domains and private domains.

18. What information is listed in public keys? (Choose all that apply.)
   A. No information is supplied.
   B. The private encryption key
   C. Owner of the certificate.
   D. How the certificate can be used.
19. What two forms of administrative rights can be delegated in IIS?
   A. IIS management
   B. Feature management
   C. Active Directory groups
   D. User creation

20. When changes are made to IIS, what is the default backup schedule?
   A. 10 minutes
   B. 2 minutes
   C. 30 minutes
   D. 60 minutes
Answers to Review Questions

1. C. The AppCmd tool is used to configure and view the settings for IIS.
2. B. The Tracing role service needs to be installed in order to monitor when failures occur.
3. D. Failed request tracing rules will monitor for failures you define.
4. A, B, D. The criteria for creating a rule are content, conditions, and trace provider.
5. B. ASP is a built-in trace provider.
6. A. Access logs are used to collect data that may include time, software client used, amount of data transferred, and status codes.
7. C. Per-server logging is used when you have multiple sites on a single server and you want a single log for all sites.
8. D. Log files are located at %SystemDrive%\inetpub\Logs\Logfiles\W3SVC.
9. C. AppCmd is used to create a manual backup of the server configuration.
10. A. IIS Management Service is required for IIS feature delegation.
11. D. All feature delegation is done at the server level.
12. B. SSL is a method of encrypting and authenticating client-to-server communications.
13. D. An SSL certificate must be installed on a server before it can provide SSL communication.
14. A. If the private key is exposed to the public, the SSL certificate must be replaced.
15. C. For a certificate to be valid, all parties must trust the CA.
16. B. If you create your own CA, users on the Internet will not automatically trust your CA and will receive errors when trying to access your site. Windows Server 2008 Active Directory Certificate Services allows generation of TLS and other types of certificates on the proper edition of the product.
17. A. Public and private keys are matched pairs of numbers used in asymmetrical computations.
18. C, D. The public keys provide details about the owner of the certificate, whether it is valid, and how the certificate can be used. The private key is kept separate from the public key and is protected from public access.
19. A, B. There are two forms of administrative rights that can be delegated: IIS management and feature management.
20. B. Backups are completed by default every 2 minutes as changes are made.
Chapter 6
Configuring Additional Communication Services

Microsoft Exam Objectives covered in this chapter:

• Configure Windows Media server. May include but is not limited to: on-demand replication; configure time-sensitive content; caching and proxy
• Configure Digital Rights Management (DRM). May include but is not limited to: encryption; sharing business rules; configuring license delivery; configuring policy templates
Windows Server 2008 includes communication services that can benefit your organization, like fax services. Additional services can prove to be valuable to any organization that needs to manage both delivering live or on-demand digital media and sending and receiving faxes. Learning about these services is important not only for the exam but for real-life applications as well.

As organizations grow, the need for better communication management becomes a necessity. IT administrators who not only want to keep pace with the industry but want their organizations to use their resources to the fullest will devote the time needed to configure communication services. In addition to configuration, time should be devoted to understanding each organization's needs and how it will benefit from these additional tools. Many may argue that the time spent on these additional services is wasted. Anyone who has ever had to make a company's fax services work or figure out how to record meetings and then replay them in either audio or video form will disagree. Most likely the majority of companies in today's workforce do value communication services, and this is where the IT administrator can shine. Want to show your employer that you are truly a valuable asset? Take some time to understand the additional communication services and think about how they can make your organization more efficient and productive.

This chapter covers the following topics:

• Configuring Fax Services, including configuring local fax properties and defining a fax routing location
• Configuring Media Services, including configuring basic streaming solutions and options for configuring security in a Windows Media Server
• Configuring Digital Rights Management (DRM), including DRM encryption and DRM business rules

For this chapter, we assume you have a basic understanding of Windows Server 2008 and that you understand how to use Server Manager.
Configuring Fax Services

Fax services for Windows Server have been around since the days of Windows NT. The service has always left something to be desired as an enterprise faxing solution, but over the years it has improved both in features and in the guidance available on how an IT administrator can configure it.
Is a faxing service still needed, however? Simply put, yes. Even in a world where everything moves at a fast pace and more communication is done via email, faxing is still the first choice in many communication tasks. Perhaps this is because people still like the feel of paper in their hands. In any case, fax services will not be going away anytime soon. Microsoft continues to support this older, but still heavily relied upon, resource. We will endeavor to show you how to configure this service in Windows Server 2008. We assume you have already installed the Fax Server role using Server Manager. After you have completed the installation of the Fax Server role, you can use the Fax Service Manager to do the following:

• Manage users
• Configure fax devices
• Set up routing policies for faxes
• Create rules for outgoing faxes
• Archive received or sent faxes
• Track the use of fax resources
It is recommended that you install Windows Fax and Scan on your Windows Server 2008 machine because it will allow you to monitor the activity in the Incoming, Inbox, and Outbox folders. To install Windows Fax and Scan from Server Manager, complete the following steps:

1. In the left pane, click Features, and then in the right pane, click Add Features (Figure 6.1).

Figure 6.1 Server Manager
2. In the Select Features section, select Desktop Experience and click Next.
3. On the next screen, choose Install.
If your users are using Microsoft’s Windows Vista, they can send and receive faxes using the built-in Windows Fax and Scan utility. Windows XP users can send faxes using the Fax Console utility.
Configuring Fax (Local) Properties

After installing the Fax Server role on your Windows Server 2008 machine, it will automatically detect and install any fax device that has been attached to the server. If a fax device does not already exist, a local fax printer connection is created. This fax device represents all the physical fax devices that are connected to the server. By default, all detected fax devices are enabled for sending faxes but not for receiving them. You must specifically enable each device to receive faxes. Server Manager will be used to enable these devices. After you install the Fax Server role, sharing is not enabled by default. You can share a fax device within the Printers option in Control Panel.
In Exercise 6.1, you will use Server Manager to configure the properties of a fax device and enable it to receive faxes.

Exercise 6.1
Configuring a Fax Device to Receive Faxes

To enable your fax device to receive faxes, do the following steps:

1. In the left pane in Server Manager, expand Roles and expand Fax Server.
2. Expand Devices and Providers, and click Devices.
3. In the Content pane, right-click the device you want to configure and then choose whether you want the device to automatically answer a fax call or if the users must manually answer.
4. Choose OK.
The next step is to configure the properties of the fax server. The following tabs are found in the Fax Properties dialog box:

General: Within this tab, you can review the current activity and disable sending and/or receiving faxes.
Receipts: This tab allows you to configure delivery options.
Event Reports: This is where you specify event tracking levels.
Activity Logging: This section allows you to choose to log incoming and outgoing fax activity.
Outbox: This is where you can configure the options for the queue of all outgoing faxes.
Archives: Here you can configure your archive settings for sent and received faxes.
Accounts: Here you can choose to assign messages to individual accounts.
Security: This section allows you to set permissions for users or groups for fax configuration and documents.

In Exercise 6.2, you'll configure the settings for the most common features within the Fax Properties dialog box.

Exercise 6.2
Configuring Fax Properties

To configure the fax properties, follow the steps below:

1. Within Server Manager, expand Roles and then expand Fax Server.
2. Right-click Fax and choose Properties.
3. On the Receipts tab, click the box labeled Enable SMTP E-Mail Receipts Delivery and enter a From e-mail address, SMTP server address, and port number.
4. Select the Activity Logging tab. Click the boxes next to Log Incoming Fax Activity and Log Outgoing Fax Activity.
5. In the Activity Log Folder text box, enter the path to store the activity log. The default location is C:\ProgramData\Microsoft\Windows NT\MSFax\ActivityLog.
6. Select the Outbox tab, check the Automatically Delete Faxes Older Than option and then choose the number of days to keep faxes.
7. Select the Archives tab and then check Archive All Faxes to This Folder.
8. Browse to the location that should be used to store archived faxes. The default is C:\ProgramData\Microsoft\Windows NT\MSFax.
9. To allow faxes to be reassigned, select the Accounts tab and then check the On box under Reassign Settings.
10. Click OK.
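Exercises 6.1 and 6.2 performed through the Fax Service Extended COM API (FaxComEx.FaxServer) from PowerShell on the fax server itself, which is useful when the same settings must be applied to several servers. This is an added example, not the book's; the SMTP settings, retention period and archive folders are assumptions, and it must run under an account with Fax configuration permissions.

```powershell
# Added example: script the fax device and Fax Properties settings (values are assumptions).
$fax = New-Object -ComObject FaxComEx.FaxServer
$fax.Connect("")      # an empty string connects to the local fax server

# Exercise 6.1: let every detected device receive faxes. Devices can send by default but
# not receive. ReceiveMode: 0 = do not answer, 1 = manual answer, 2 = answer automatically.
foreach ($device in $fax.Devices) {
    $device.ReceiveMode = 2
    $device.RingsBeforeAnswer = 2
    $device.Save()
    Write-Host ("{0}: send={1} receiveMode={2}" -f $device.DeviceName, $device.SendEnabled, $device.ReceiveMode)
}

# Exercise 6.2, Receipts tab: deliver receipts by e-mail through an SMTP relay.
$receipts = $fax.ReceiptOptions
$receipts.AllowedReceipts    = 1                   # 1 = e-mail receipts (frtMAIL)
$receipts.SMTPServer         = "smtp.example.com"  # assumed relay
$receipts.SMTPPort           = 25
$receipts.SMTPSender         = "fax@example.com"   # assumed From address
$receipts.AuthenticationType = 2                   # 2 = NTLM (fsatNTLM) rather than anonymous relay
$receipts.Save()

# Activity Logging tab: record incoming and outgoing fax activity in the default location.
$log = $fax.ActivityLogging
$log.LogIncoming  = $true
$log.LogOutgoing  = $true
$log.DatabasePath = "C:\ProgramData\Microsoft\Windows NT\MSFax\ActivityLog"
$log.Save()

# Outbox tab: automatically delete queued outgoing faxes older than 30 days.
$outbox = $fax.Folders.OutgoingQueue
$outbox.AgeLimit = 30
$outbox.Save()

# Archives tab: keep a copy of every received and sent fax under the default MSFax folder.
$archiveRoot = "C:\ProgramData\Microsoft\Windows NT\MSFax"
$inbound = $fax.Folders.IncomingArchive
$inbound.UseArchive    = $true
$inbound.ArchiveFolder = Join-Path $archiveRoot "Inbox"
$inbound.Save()
$outbound = $fax.Folders.OutgoingArchive
$outbound.UseArchive    = $true
$outbound.ArchiveFolder = Join-Path $archiveRoot "SentItems"
$outbound.Save()

$fax.Disconnect()
```

The Accounts tab's reassign setting (step 9) is not covered here and is still set in the dialog.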
Defining a Dialing Rule

Setting up dialing rules will help the fax server understand what your area requires. For example, most locations in the United States require dialing a 1 before dialing a number outside a local area code. When dialing within an area code, only 7 digits are needed. Alternatively, if a local area uses 10-digit dialing, a user has to put in an area code plus the 7-digit phone number. As you can see, by setting up the dialing rules first, you keep your users from having to enter numbers such as 1 before the area code.
You can configure the following options for dialing rules:

Dialed Number: You can enter a region code and area code.
Target Device: Choose the device or routing group to which the rule applies.

To configure these options, follow the steps in Exercise 6.3.

Exercise 6.3
Configuring a Dialing Rule

Dialing rules can be configured with the following steps:

1. Under Fax Server in Server Manager, expand Outgoing Routing.
2. Right-click on Rules and choose New and then Rule.
3. In the Dialed Number section of the Add New Rule dialog box, enter your region code. If you are unsure, click Select and then choose from the list.
4. In the Target Device section, choose whether you want this rule to apply to a device or a routing group and then choose from the list in the drop-down box.
5. Click OK.
Defining a Fax Routing Location

As the administrator, you can configure both the incoming and outgoing fax routes. You can route incoming faxes to a particular user group or an individual user. In the Fax Service Manager, you can configure routing extensions that are global, which means they're applied to all devices, and you can configure others that are associated with only individual devices. For global methods, you can set the order in which they are applied to a received fax. For example, you could have a fax routed first to an email address, then printed, then stored in a folder. Individual routing methods are configured per device. After you configure a method, it can be enabled or disabled. More than one incoming route can be applied to a fax. You can configure the following default incoming routing methods:

Route through E-Mail: You can specify the address for receiving incoming faxes.
Store in Folder: Choose the folder in which to store a copy of the incoming fax.
Print: Define the printer path to which you want the incoming fax printed.

Exercise 6.4 shows you how to configure an incoming fax routing method.

Exercise 6.4
Configuring Incoming Fax Routing

The next steps will configure incoming fax routing:

1. Open the Server Manager.
2. On the left side, expand Fax and then click on Devices and Providers.
3. Now click on Devices, double-click on the device you want to configure, and choose Incoming Methods.
4. In the Content pane, right-click on the method you want to configure and choose Properties.
5. Now click the Store in Folder tab, and then either enter the Universal Naming Convention (UNC) path or click Browse to choose the folder.
6. To configure the routing, choose the Route through E-Mail method and click the Email tab. Type in the address to which you want incoming faxes to be delivered.
7. For the Print method, click the Print tab and type in the UNC path of the printer you want faxes to be printed to.
8. After you have configured your incoming methods, you must right-click each method in the Details pane and click Enable.
9. Click OK.
For outgoing faxes you can also create rules, which will allow you to optimize the use of available fax devices. You can create rules that are associated with a device or group of devices and have faxes sent to a specific domestic area code or specific region. For example, if you have many faxes that go to a vendor in China, you can create a rule that will send faxes to this vendor from a specific device. Meanwhile, your other devices can continue to service other areas or regions and not be affected by the heavy fax traffic to China. Using rules will help ensure that your fax resources are being used efficiently instead of having your faxes sit in long queues. Exercise 6.5 walks you through adding a routing rule for outgoing faxes.

Exercise 6.5
Adding a Routing Rule

Follow these steps to add a routing rule:

1. Open Server Manager.
2. Expand Fax Server and then expand Fax.
3. Click on Outgoing Routing.
4. Right-click on Rules, then New, and then Rule.
5. Add the country/region code and the local area code in the Dialed Number section.
6. Next, choose the target device or routing group in the Target Device section.
7. Click OK.
Configuring Media Server

The Fax Server role is not the only valuable service that Windows Server 2008 can provide. Windows Media Server can improve communication and instruction in an organization. A Windows media server delivers digital media to clients across a network using Windows Media Services 2008. This service translates a client's request for media into a physical path on the server that is hosting the content. Windows Media Services delivers basic streaming functionality, like unicast streaming and server-side playlists, and is included in the following Windows Server editions:

• Windows Server 2008 Standard
• Windows Web Server 2008

It will provide advanced features such as multicast streaming when installed on the following operating systems:

• Windows Server 2008 Enterprise
• Windows Server 2008 Datacenter

Fax Routing and Archiving

When would these features be practical? Well, say your client receives many faxes throughout a given week. These faxes must be acknowledged, processed, completed, and then stored. This can be a time-consuming process when it's done manually. However, the benefit of using the Fax Server role is that you are able to provide all the steps in digital form. If you configure your fax routing to first print to a printer in your sales department, your sales department gets an immediate hard copy of the order. In the manual process, this document would then have to be scanned into an image file and emailed to your processing department. Instead, you configure the second step in routing to email a copy to the processing department, so they get an email instantly after the copy is printed. Normally this fax would then be put into a folder for filing, but you have also configured archiving of faxes on your fax server, so the fax is copied to a designated folder on your server. Not only did you reduce the amount of effort required to take an order from a fax, you also decreased the amount of time before that faxed-in order can be shipped. This results in an efficient workflow and happier customers.

Table 6.1 provides an overview of available features based on which server edition is installed.

Table 6.1 Media Services Features
Feature                       Windows Server 2008 Standard and Web   Windows Server 2008 Enterprise and Datacenter
Absolute Playlist Time        Yes                                    Yes
Advanced Fast Start           Yes                                    Yes
Advanced FF/RW                No                                     Yes
Advertising server support    Yes                                    Yes
Broadcast Auto-Start          Yes                                    Yes
Cache/Proxy                   Yes                                    Yes
Custom Plug-In                Yes                                    Yes
Event-based scripting         Yes                                    Yes
Fast Cache                    Yes                                    Yes
Fast Reconnect                Yes                                    Yes
Fast Start                    Yes                                    Yes
Fast Streaming                Yes                                    Yes
Internet authentication       Yes                                    Yes
Internet Group Management     No                                     Yes
IPv6                          Yes                                    Yes
Intranet authentication       Yes                                    Yes
Multicast                     No                                     Yes
Multiple authorization        Yes                                    Yes
Multiple control protocol     Yes                                    Yes
Multiple media parser         Yes                                    Yes
Multiple playlist parser      Yes                                    Yes
Play while archiving          No                                     Yes
RTSP streaming                Yes                                    Yes
Robust event notification     Yes                                    Yes
Repacketization               Yes                                    Yes
Unicast                       Yes                                    Yes
232
Chapter 6 Configuring Additional Communication Services n
By default, in Windows Server 2008, the Streaming Media Services role is not available in the Add Roles Wizard. You must download this role add-in from Microsoft's website at http://microsoft.com/downloads/details.aspx?FamilyID=9ccf6312-723b-4577-be58-7caab2e1c5b7&displaylang=en. Before installing Media Services, be sure the server meets the following system requirements:
- Processor: one or more processors; 550MHz recommended, 133MHz minimum supported.
- Memory: 512MB of RAM recommended, 256MB minimum.
- Hard disk space: 2GB of free space.
- File system: NTFS.
Configuring Basic Streaming Solutions When you think about streaming media basics, you might have a few questions:
- What is streaming media?
- How do I create content?
- How do I make this content available to my users?
The following sections will answer those questions and show you how to configure the basic options.
What Is Streaming Media? Let’s look at our first question. What is streaming media? It’s any media that is displayed to the end user while it’s being delivered by a provider. It can be live or prerecorded, and unlike a file that you might download, no data is saved to the user’s hard disk when the content has finished streaming. Like television or radio, the term streaming media refers more to the delivery method than to the actual medium itself. Attempts to display media this way date back to the mid-1900s, but little progress was made for a long time due to the limits in computer hardware and networks.
How Do I Create Content for My Users? Windows Media Encoder, Microsoft Producer, and Windows Movie Maker can create and compress your audio and video content into the Windows Media format so you can create content for users. Table 6.2 shows the tools that are available from Microsoft.

Table 6.2 Tools to Create Content

| Tool | Description |
|---|---|
| Windows Media Player | Rip content from a CD. |
| Windows Media Encoder | Convert live and recorded content. |
| Windows Movie Maker | Use for simple editing of audio and video. |
| Windows Media Stream Editor | Combine or split streams in existing Windows Media files. |
Many third-party programs in addition to the ones listed in Table 6.2 will allow you to encode media as a Windows Media file. Check with your vendor for details on how to perform the encoding.
How Do I Make This Content Available to My Users? Now you understand what streaming media is and how to create it, but how do you make it available to your users or clients? Simply put, you place the content in a directory, create a reference point called a publishing point for the content, and then create an announcement to tell your users about the content. Windows Media Services uses publishing points to tell a client how to reach the content; after that, the media server manages the connection and streams the content. There are two types of publishing points, broadcast and on-demand, and two methods of delivering the content to your users, unicast streams and multicast streams. In this section, we will look at four basic areas that will allow you to get the content to your users:
1. Using broadcast publishing points
2. Using on-demand publishing points
3. Delivering content as a unicast stream
4. Delivering content as a multicast stream
Let’s first look at broadcast publishing points. If you are looking for a solution to provide content similar to a television or radio show, then you will choose broadcast publishing. This allows the server to control the content. Most of the time, this would be what you see in a live broadcast of a company meeting. Because it is controlled at the server, a user can join the session and hear the content but they cannot rewind or fast forward. Therefore, users have no control over the session; they can only start and stop the feed.
Using on-demand publishing points, users are able to stream a video file whenever they want. The content is streamed to a client only while that client is connected, so the server maintains a separate connection with each client. This is best when you want your clients or users to have more control over the session: with on-demand publishing, users can stop, rewind, pause, fast-forward, and skip the content at their leisure. When would this be used? Many companies record training material that they want the users or instructors to be able to control; on-demand publishing is a good fit for this. On-demand publishing points can also be used to stream media from a remote server or another publishing point, either as part of a playlist or simply as content on another server. However, when the media resides on another server, users will not be able to use the playback controls, such as pause, fast-forward, skip, and rewind.
By default, Windows Media Services uses unicast streaming. A unicast stream is a one-to-one connection between the server and the client: only clients that request a specific stream receive it, and it works with both on-demand and broadcast publishing points. The benefit of this type of streaming is that it is easier to set up and works in environments that are not configured for multicast. The drawback is that, because each client has its own connection, total throughput is limited by the speed of the server and the network. If your content is going to be viewed simultaneously by a large number of clients, monitor your server to ensure that it is not overwhelmed. Consider using unicast if any of the following applies to you:
- You require a detailed client log.
- Your audience is small, or the content is small enough to be compatible with your network and server.
- Your network is not multicast enabled.
Multicast is the ability to stream media from a single server to many clients at the same time. The server sends the content to a multicast IP address on the network, and every client listening on that address receives the same stream. Unlike unicast streaming, multicast streaming can only be done from a broadcast publishing point. The hardware and network must be multicast enabled; every router and firewall in the path has to forward traffic addressed to a Class D address (224.0.0.0 through 239.255.255.255). If you are unsure whether your network hardware can do this, check with your hardware vendors before attempting a multicast stream. The benefit of this type of streaming is that, if the network allows it, only one stream leaves the server no matter how many clients you have; it consumes the same bandwidth as a single unicast stream. This preserves network bandwidth and is useful when bandwidth is limited. Keep in mind that the server has no per-client connection in this model, so the authentication and authorization plug-ins described later in this chapter cannot be applied to the stream itself; any host that can join the multicast group on your network can receive the packets, which is one more reason to keep multicast inside a network you control. Multicast on the Internet is generally not a viable option since only small portions of it are multicast enabled. Multicast is best used in a corporate environment where all routers can be multicast enabled.
Multicast might be a good solution if the following applies:
- You're broadcasting to a large audience.
- Network and server capacities are limited.
- The entire network is multicast enabled.
In Exercise 6.6, you will learn how to create a broadcast publishing point, and then in Exercise 6.7, you will configure a multicast stream from that publishing point.

Exercise 6.6
Creating a Broadcast Publishing Point
The following steps will aid you in creating a broadcast publishing point:
1. In Server Manager, expand Roles\Streaming Media Services\<server name>\Publishing Points.
2. Choose Add Publishing Point (Wizard).
3. On the Welcome to the Add Publishing Point Wizard screen, click Next.
4. Now choose a name for the publishing point and click Next.
5. On the following page, choose the option that fits your content type and then click Next.
6. Now choose how you want your content to be delivered and then click Next. You have the option to choose Unicast (each client connects to the server) or Multicast (requires a multicast-enabled router between the server and clients). For this exercise, choose Unicast, which is selected by default.
7. On the next screen, enter the encoder URL, for example http://encoder, where encoder is the name of the server running the encoder.
8. Check Enable Logging on This Publishing Point if you want to log data about the clients that connect. Click Next.
9. On the Summary page, review the selections, and if you want to publish this content right away, check Start Publishing Point When Wizard Finishes. Click Next.
10. Now you are at the Completing the Add Publishing Point Wizard page. Here you can create the announcement for the stream. Check After the Wizard Finishes and choose the type of announcement to make. If you are unsure, leave the default box checked, which is Create an Announcement File (.asx) or Web Page (.htm).
11. Click Finish.
12. Since the Unicast option was chosen in step 6, the Unicast Announcement Wizard appears. Click Next.
13. Review the Access to the Content page to ensure that the URL points to the publishing point you created in step 4. If it is not correct, click Modify and enter the server name or IP address.
14. On the Save Announcement page, make sure the announcement file correctly points to the publishing point you created in step 4. If not, click the Browse button and choose the location of the file. Click Next.
15. Edit any metadata on the next screen, where you can add a title, author name, and a copyright notice to the file. When finished, click Next.
16. Click Finish.
17. If everything completed successfully, you will be able to test your new content on the next screen.
Now that you have created the broadcast publishing point, you can change the delivery type to a multicast stream, which conserves network bandwidth and server load, as shown in Exercise 6.7.

Exercise 6.7
Configuring a Multicast Stream
The following steps configure a multicast stream:
1. In Server Manager, expand Roles\Streaming Media Services\<server name>\Publishing Points.
2. Click the publishing point you created in Exercise 6.6, step 4.
3. In the Content pane, click the Properties tab.
4. In the Category section, click Multicast Streaming.
5. In the Plug-In section, right-click WMS Multicast Data Writer and choose Properties.
6. In the Destination Multicast IP Address and Port section, specify the following settings:
- IP address: the multicast group address (a Class D address) the content will be sent to.
- Port: the UDP port the content will be sent to.
- Time-to-Live (TTL): the maximum number of routers (hops) the multicast packets may pass through before they are discarded. Keep it as small as your audience allows so the stream does not propagate beyond the intended network.
7. Click the Advanced tab if you have multiple network adapters on your server.
8. Select the IP address you want to use in the drop-down box.
9. In the Logging URL box, enter the URL of the logging directory and click OK.
10. To start this publishing point, right-click it and choose Start.
Configuring Advanced Streaming Solutions Windows Media Services allows you to control most aspects of how you stream content to your users. If you just need to get a small video out to a limited number of users, the default settings will most likely accomplish the task. However, if you have a media server that gets a lot of traffic, it might be to your benefit to change some of the more advanced options. In this section, we will review two areas:
- Intelligent streaming
- Fast streaming
The method that your server uses with Windows Media Player to detect and adjust the properties of a stream automatically is called intelligent streaming. This type of streaming allows for a continuous flow of content that is set according to the user's connection speed. A user's media player responds to low bandwidth by requesting that the server reduce the bit rate. For the most part, intelligent streaming is completely automatic and requires no additional configuration. Fast streaming refers to a group of features that Windows Media Services includes to improve the quality of the user's session:
- Fast Cache
- Fast Start
- Advanced Fast Start
- Fast Recovery
- Fast Reconnect
Fast Cache Fast Cache is a way for Windows Media Services and Windows Media Player to stream content to a client faster than the encoded bit rate. If you have a 128 kilobits per second (Kbps) stream, with Fast Cache the server can send it at 700Kbps; the player buffers the data on the client and plays it at the specified rate. This is extremely useful when streaming over wireless networks with high latency, or when the quality of the received content is the top priority. When Fast Cache is enabled, intelligent streaming cannot be used. In addition, Fast Cache is used only by clients that connect to a unicast stream.
Exercise 6.8 shows you how to enable Fast Cache.
Exercise 6.8
Enabling Fast Cache
Do the following to enable Fast Cache:
1. In Server Manager, expand Roles\Streaming Media Services\Windows Media Services\<server name>\Publishing Points.
2. Click your broadcast publishing point and click the Properties tab in the Content pane.
3. Click General in the Category section.
4. In the Property section, right-click Enable Fast Cache and choose Enable. (In the screen shot that accompanies this exercise, the Enable option is grayed out because Fast Cache is already enabled.)
Fast Start Fast Start lets users begin receiving content more quickly. It does this by letting the server fill the player's buffer at a higher speed than the stream's bit rate. This option is available to users with Windows Media Player for Windows XP or later. It reduces the delays and re-buffering that occur when a user fast-forwards and rewinds content, and it makes transitions between content items smoother. Because it pre-buffers data, Fast Start also reduces playback errors due to packet loss.
Advanced Fast Start Advanced Fast Start reduces startup times in Windows Media Player 10 and later. It has all the features and benefits of Fast Start but can begin playing a stream before the buffer is full, whereas with Fast Start the user must wait until the buffer is full. With Advanced Fast Start, playback begins as soon as the player has received the minimum amount of data. While the content plays, the buffer continues to fill at the accelerated rate until it is full; then the acceleration stops and the stream continues to be received and played at its specified rate. Advanced Fast Start is disabled by default, so you must enable it (see Exercise 6.9).

Exercise 6.9
Enabling Advanced Fast Start
Advanced Fast Start will be enabled in the following steps:
1. In Server Manager, expand Roles\Streaming Media Services\<server name>\Publishing Points.
2. Click the broadcast publishing point and click the Properties tab.
3. Click General in the Category section.
4. In the Property section, right-click Enable Advanced Fast Start and choose Enable.
Fast Recovery and Fast Reconnect Fast Recovery and Fast Reconnect are similar in that they allow a media player to resume after data corruption or a network outage. Fast Recovery is used when a media player receives lost or damaged data packets. When this occurs, the player does not have to ask the server to resend the data; it can recover the lost or damaged data itself. To use this feature, enable forward error correction (FEC) on a publishing point. FEC helps on networks where packet loss or corruption occurs frequently, such as wireless networks and satellite connections. Exercise 6.10 shows you how to enable FEC on a publishing point.

Exercise 6.10
Enabling FEC
To enable FEC, do the following:
1. In Server Manager, expand Roles\Streaming Media Services\<server name>\Publishing Points.
2. Click your broadcast publishing point and click the Properties tab.
3. Click Wireless in the Category section.
4. Right-click Enable Forward Error Correction and choose Enable.
Fast Reconnect reconnects a media session after a temporary network outage. When a client loses its connection to a media server, Fast Reconnect enables the client to reconnect to the server automatically and restart the stream. How this affects playback depends on the type of publishing point the client was connected to:
- On-demand publishing point: the client restarts playback at the point where the connection was lost.
- Broadcast publishing point: the client rejoins the broadcast in progress, so the user may notice a gap in the broadcast.
In Exercise 6.11, you'll set the number of times a client can attempt to reconnect.

Exercise 6.11
Setting Client Connect Attempts
Configure client reconnect attempts with the following steps:
1. In Server Manager, expand Roles\Streaming Media Services\<server name>\Publishing Points.
2. Click your broadcast publishing point and click the Source tab.
3. In the Content Source section, click Change.
4. In the location box, add ?WMReconnect=3 to the end of your location. This will allow the clients to attempt a reconnect three times.
5. Click OK.
Options for Configuring Security in a Windows Media Server The content you provide to your users can be very valuable to your organization. Much time and money has been spent to create this content, and one of the more important tasks you can do is control access to it. It is therefore important that you configure the security options of your media server. This will ensure that your company's valuable media is protected from unauthorized access. The following sections will cover these topics:
- Authentication
- Authorization
Authentication Authentication confirms the identity of a user who is trying to gain access to a resource. After a user is authenticated, authorization decides what that user may access. When a user connects, the server first tries to authenticate through the anonymous authentication plug-in. Use anonymous authentication when you do not want users to enter a username and password; with it, every client is treated as the single account you configure, so the server cannot tell one anonymous client from another. It is enabled by default. If you change the Anonymous account, make sure the account you use has read permission for the files and folders that will be streamed, and nothing more: any content that account can read is reachable by every anonymous client, so never use an administrative or otherwise privileged account here. In Exercise 6.12, you'll change the Anonymous account.

Exercise 6.12
Changing the Anonymous Account
To change the Anonymous account, follow these steps:
1. In Server Manager, expand Roles\Streaming Media Services\<server name>\Publishing Points.
2. Click your broadcast publishing point and click the Properties tab.
3. In the Category section, click Authentication.
4. In the Plug-In section, click WMS Anonymous User Authentication.
5. Click the Properties button.
6. In the User Name box, type the account name you want anonymous users to use.
7. In the Password box, enter the password for the account.
8. In the Confirm box, reenter the password.
9. Click OK.
10. Right-click WMS Anonymous User Authentication and choose Enable.
Authorization and Authentication work hand in hand to grant access to the media on your server. If Authorization is enabled but Authentication is disabled, clients cannot access the server.
Authorization Authorization takes information it receives from the authentication process and uses it to grant or deny access to the content. Authorization occurs only after authentication is successful. During this process, the server checks the user against the access permissions set on the resource.
Authorization uses the following three plug-ins:
- WMS NTFS ACL Authorization: if the content is stored on an NTFS volume, enable this plug-in to enforce the NTFS permissions on the files and folders. The authenticated user (or the Anonymous account) must have read permission on the content.
- WMS IP Address Authorization: allow or deny access based on the client's IP address.
- WMS Publishing Points ACL Authorization: create access control lists (ACLs) for your publishing points and assign access permissions to users or groups.
To configure these plug-ins, you will again use Server Manager (Exercise 6.13).

Exercise 6.13
Enabling ACL Authorization
To enable WMS NTFS ACL authorization, follow these steps:
1. In Server Manager, expand Roles\Streaming Media Services\<server name>\Publishing Points.
2. Click the broadcast publishing point and click the Properties tab.
3. In the Category section, click Authorization.
4. Right-click WMS NTFS ACL Authorization and choose Enable.
To allow or deny access by IP address, configure the WMS IP Address Authorization plug-in (see Exercise 6.14). Keep in mind that clients behind a NAT device or proxy all present the same address, so treat this plug-in as a coarse network-level filter rather than a substitute for authenticating users.

Exercise 6.14
Allowing or Denying IP Addresses
To allow or deny IP addresses, follow these steps:
1. In Server Manager, expand Roles\Streaming Media Services\<server name>\Publishing Points.
2. Click the broadcast publishing point and click the Properties tab.
3. In the Category section, click Authorization.
4. Right-click WMS IP Address Authorization and choose Properties.
5. Now choose one of the following options:
- Allow All Except Those in the Deny List
- Deny All Except Those in the Allow List
- Restrict as Specified in the Following List
6. After making the choices and filling in the IP addresses, click OK.
At times you will want to create ACLs for publishing points on your server. Configuring the ACL allows you to grant or deny access to users or groups. Exercise 6.15 walks you through creating an ACL.

Exercise 6.15
Creating an ACL
An ACL can be configured by following these steps:
1. In Server Manager, expand Roles\Streaming Media Services\<server name>\Publishing Points.
2. Click your broadcast publishing point and click the Properties tab.
3. In the Category section, click Authorization.
4. Right-click WMS Publishing Points ACL Authorization and click Properties.
5. In the Properties dialog box, you can do the following:
- Add or remove a user or group
- Set permissions for a new user or group
- Change the permissions for a group
6. Click OK.
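The way the authorization plug-ins above combine is easier to see in code, so here is an added example written for this chapter; it is illustrative code, not part of Windows Media Services or of the original text. It models WMS IP Address Authorization in its three modes, WMS Publishing Points ACL Authorization with allow and deny entries, anonymous clients sharing the one configured Anonymous account, and the rule stated earlier that authorization enabled without authentication denies every client. Assumptions, marked in the comments: an explicit deny entry wins over an allow entry both in the IP plug-in's "Restrict as Specified" mode and in the publishing point ACL (as with NTFS), the Anonymous account name WMUS_MEDIA01, and the sample addresses, users and groups, which are constructed.

```python
"""Model of the Windows Media Services authorization chain (added example, not WMS code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class IpAddressPolicy:
    """The three modes of the WMS IP Address Authorization plug-in."""
    mode: str                                         # one of MODES
    allow: List[str] = field(default_factory=list)    # single addresses or CIDR ranges
    deny: List[str] = field(default_factory=list)

    MODES = ("allow_all_except_deny", "deny_all_except_allow", "restrict_as_listed")

    @staticmethod
    def _listed(client_ip: str, entries: List[str]) -> bool:
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)

    def permits(self, client_ip: str) -> bool:
        if self.mode not in self.MODES:
            raise ValueError(f"unknown IP authorization mode: {self.mode}")
        in_allow = self._listed(client_ip, self.allow)
        in_deny = self._listed(client_ip, self.deny)
        if self.mode == "allow_all_except_deny":
            return not in_deny
        if self.mode == "deny_all_except_allow":
            return in_allow
        # restrict_as_listed: both lists apply; assumption: an explicit deny wins
        return in_allow and not in_deny


@dataclass
class PublishingPointAcl:
    """Read entries set with the WMS Publishing Points ACL Authorization plug-in."""
    allow_read: Set[str] = field(default_factory=set)
    deny_read: Set[str] = field(default_factory=set)

    def permits(self, identities: Set[str]) -> bool:
        # Assumption: an explicit deny on the user or any of their groups wins (NTFS-style).
        if identities & self.deny_read:
            return False
        return bool(identities & self.allow_read)


@dataclass
class Request:
    client_ip: str
    user: Optional[str]                  # None = handled by the anonymous authentication plug-in
    groups: Set[str] = field(default_factory=set)


@dataclass
class MediaServerPolicy:
    authentication_enabled: bool
    authorization_enabled: bool
    ip_policy: IpAddressPolicy
    acl: PublishingPointAcl
    anonymous_account: str = "WMUS_MEDIA01"   # assumed name of the configured Anonymous account

    def authorize(self, req: Request) -> Tuple[bool, str]:
        """Decide one client request; returns (allowed, reason)."""
        if not self.authorization_enabled:
            return True, "authorization disabled: no access checks applied"
        if not self.authentication_enabled:
            # The chapter's rule: authorization on but authentication off denies every client.
            return False, "authorization enabled without authentication"
        identity = req.user or self.anonymous_account   # anonymous clients share one identity
        if not self.ip_policy.permits(req.client_ip):
            return False, f"{req.client_ip} rejected by IP policy ({self.ip_policy.mode})"
        if not self.acl.permits({identity} | req.groups):
            return False, f"{identity} has no read permission on the publishing point"
        return True, f"{identity} allowed from {req.client_ip}"


def evaluate(policy: MediaServerPolicy, requests: List[Request]) -> List[Tuple[bool, str]]:
    return [policy.authorize(r) for r in requests]


# Constructed sample: an intranet publishing point reachable only from 10.0.0.0/8,
# readable by Domain Users, with the Contractors group explicitly denied.
SAMPLE_POLICY = MediaServerPolicy(
    authentication_enabled=True, authorization_enabled=True,
    ip_policy=IpAddressPolicy("deny_all_except_allow", allow=["10.0.0.0/8"]),
    acl=PublishingPointAcl(allow_read={"Domain Users"}, deny_read={"Contractors"}),
)
SAMPLE_REQUESTS = [
    Request("10.1.2.3", "alice", {"Domain Users"}),               # allowed
    Request("192.168.1.5", "alice", {"Domain Users"}),            # wrong network
    Request("10.1.2.4", "bob", {"Domain Users", "Contractors"}),  # explicit deny wins
    Request("10.1.2.5", None),                                    # anonymous account not in ACL
]

if __name__ == "__main__":
    for req, (ok, why) in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_POLICY, SAMPLE_REQUESTS)):
        print("ALLOW" if ok else "DENY ", req.client_ip.ljust(12), why)
```

The fourth sample request is the one to note when you change the Anonymous account: an anonymous client is evaluated as that account, so whatever you grant it in the publishing point ACL or on the NTFS volume is granted to everyone who connects without credentials.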
Configuring Digital Rights Management (DRM) Digital Rights Management, or DRM, is a technology that allows the owner of some forms of media to enforce usage terms on the people who have access to it. Those who own the copyright to music, film, books, and video commonly use DRM to protect their property. You or your company may own media that you deliver from your media server or provide in email or on SharePoint sites, and it's important to protect it. It is common for confidential and critical information to be sent from one company to a competing company or a media outlet, which can cause public relations, legal, or competitive problems for an organization. For example, a company may create a widget that is far superior to its competitors' widgets, having spent thousands of hours and millions of dollars to create and document it. A disgruntled employee could easily send those documents to the competitor or post them to a weblog for the world to see. If the company had protected the documents with a DRM solution, the copies would be unreadable to anyone without a license, so such a leak would do far less damage. Keep in mind that DRM raises the bar rather than eliminating the risk: a user who is allowed to view content can still photograph the screen or retype it.
DRM Controversy Much debate has sprung from companies using DRM to protect the media they own. This is especially true of the entertainment industry. Over the past five years, controversy over audio files such as MP3s, and more specifically the sharing of these files, has led the industry to adopt DRM protection. Those in favor of DRM state that it is necessary for copyright holders to be able to prevent others from duplicating and sharing their work illegally. Those opposed take the stand that as long as they are not using the media in a way that would violate commercial use, they should not have restrictions on content that they have purchased. Despite the controversy around DRM, companies like Apple and Microsoft continue to use this form of protection. It allows the companies to provide content, such as music, on a subscription basis. Some companies are listening to the cries of the users and are now providing content that is DRM free. As bandwidth to consumers' homes increases, the availability of video and movies appears to be heading toward a similar pay-per-view model. Will DRM continue to be a method of protecting the rights of those who create or publish content? Time will tell. Although music and videos are often in the middle of this controversy, many companies are adopting DRM to protect internal documentation from prying eyes.
How Does DRM Work? When protected media is created, it is encrypted. For a user to access the encrypted media, they must have a license. The license contains information such as the following:
- How long the content can be used
- What actions can be performed on the media
Simply put, the license carries the key that unlocks the content and allows it to be played. The nice thing about DRM is that you control how long it stays unlocked. For example, say you want to provide content as a promotion that lasts only five days. With DRM protection, you can set the license to expire in five days. With DRM you don't have to worry about users copying material and giving it to others because no matter who plays the content, they still need to acquire a license. The rights are stored in the license and not in the content, which means you can create different licenses for the same file. A typical DRM scenario is this: you encode content with DRM protection and post it so that users can download it. After the download, the user's player sees that the content is protected and connects to your license provider site to get the needed license. After the user pays for the license, they are able to play the content.
DRM also can be used to protect other types of files:
- Office documents
- Email
Word, Excel, PowerPoint, and other important company files can be protected using Active Directory Rights Management Services (AD RMS). A typical example is a SharePoint intranet that allows external users to view content. The following sections assume that you have installed the AD RMS role and have reviewed the event log for any errors.
Encryption Before the Internet boom, encryption was used mainly by the military to protect data. Today encryption is a normal and necessary protection against theft of content or documents. What is encryption? It is locking up data with electronic keys. It is similar to locking the doors of your home: you need a key to lock and unlock them. It is doubtful you would ever consider having a home without locks, or leaving the doors open and going away for six months; if you did, you wouldn't be surprised if your valuables were stolen. Some people even pay large amounts of money for high-end alarm systems to get the best protection for their home. The same is true of your data; without a lock and key, you are inviting anyone to take it. AD RMS encrypts the content and hands out the keys only to trusted entities, just as you would give a key to your home only to someone you trust. In addition to the AD RMS client installed on a computer, AD RMS relies on AD RMS-enabled applications, which are the components that enforce the usage rights. The following applications are AD RMS enabled:
- Microsoft Office 2003
- Office 2007
- Windows Mobile 6
The AD RMS client is included with Windows Vista and Windows Server 2008. If you are using Windows 2000 Server, Windows XP, or another operating system, you can download the AD RMS client from the Microsoft Download Center at www.microsoft.com/downloads/details.aspx?FamilyId=02DA5107-2919-414B-A5A3-3102C7447838&displaylang=en.
For AD RMS to encrypt your data, you need both the AD RMS client and an AD RMS-enabled application. To create protected content, you need one of the following:
- Office 2007 Enterprise
- Office 2007 Professional
- Office 2007 Ultimate
Exercise 6.16 demonstrates how to create a protected document.
Exercise 6.16
Using AD RMS to Protect a Document
Protecting a document can be done by following these steps:
1. Open Microsoft Word 2007.
2. Open a document you want AD RMS to protect.
3. Click the Microsoft Office Button in the top-left corner of the screen.
4. Click Prepare.
5. Click Restrict Permissions.
6. Click Restrict Access.
7. Now check Restrict Permission to This Document.
8. In the Read box, type the name of the group you want to grant read permission.
9. Save the document in your network location. Only members of the group you specified can open the document now, and they can only view it: they cannot change, print, or even copy it.
Sharing Business Rules Business rules are no different from policies. They allow you, the administrator, to tell the user or client how protected content may be used. Once you have created and protected your content, it is time to distribute it. For others to be able to view the content, they need access to your business rules, which means you have to share the rules with the license issuer. In this case the license issuer is your AD RMS server, so it needs access to these rules or policies. Business rules can consist of the following:
- Seed
- Public key
- Specific rules
When you create protected content, you choose a set of rules to do the following:
- Specify when the document expires
- Allow printing
- Allow copying
- Specify whether users can request additional permissions
- Give users and groups permissions to the document
This information is stored within a license and is considered a rule because it states what the user can or cannot do. When you set the permissions in an AD RMS-enabled application such as Microsoft Word, the rules exist first on your client machine; when you save the document, the rules are shared with the AD RMS server. When another user wants to view the content, their application recognizes that the content is protected and requests the license, which carries the business rules. If they have been given permission to view the content, it opens. Sharing business rules happens automatically when you create protected content in an environment where AD RMS is running; it takes place between the client and the server and requires no interaction from the user or administrator unless the business rules require the user to pay for the use.
Configuring License Delivery
When a user tries to open a file that is protected by AD RMS, the client requests a license. The AD RMS server must look up the license information and then pass it along to the client. This allows the client to play the protected content. This means that the user must have access to the license server to receive the license. You can control who has access to receive a license by configuring the exclusion policies (Exercise 6.17).

Exercise 6.17 Configuring Users' Exclusions
To configure Users' Exclusions, do the following steps:
1. Open the Active Directory Rights Management Services console by clicking Start\Administrative Tools\Active Directory Rights Management Services.
2. Expand the local server and select Exclusion Policies.
3. From here you have the option to exclude the following:
- Users
- Applications
- Windows versions
- Lockbox
4. To exclude users, first right-click Users in the left pane and choose Enable.
5. In the Actions pane, click Exclude User.
6. In the Exclude User Wizard that opens, check the box Use this option for excluding rights account certificates of internal users who have an Active Directory Domain Services account.
7. Enter the username of the account you want to exclude from having access to the license server.
8. If you're unsure of the username, click the Browse button and choose the user account.
9. After entering the username, click Finish.
You can also exclude certain applications from receiving access to the license server. This is useful when you want users to be able to receive access to content such as Word, Excel, and PowerPoint documents but do not want them to be able to use a media player to play media content in the protected library. Exercise 6.18 shows you how to exclude an application.
Exercise 6.18 Configuring Application Exclusions
Follow these steps to configure Application Exclusions:
1. Open the Active Directory Rights Management Services console by clicking Start\Administrative Tools\Active Directory Rights Management Services.
2. Expand the local server and select Exclusion Policies.
3. In the Content pane, right-click Applications and choose Enable.
4. In the Actions pane, click Exclude Application.
5. On the Exclude Application page, enter the application filename and the range of versions you want to exclude.
6. Click Finish.
Configuring Policy Templates
Policy templates help administrators set a standard for user access to content. In the past, this would have been done with NTFS rights and folders: before AD RMS and DRM, administrators would create a network folder and then set access control rights on the folder. With AD RMS, you can reduce your workload and have users apply this control themselves. For example, a policy template can ensure that users do not remove the administrator's ability to move, copy, or back up the content. While creating templates is a relatively simple process, care is needed to ensure that your templates meet your users' needs. This will require that you spend some time with your users and try to understand the needs of your company. Here are some of the things you want to consider:
- Needs of individual users
- Needs of groups of users
- Department access
- Client access
- How this affects network administrators
After spending time figuring out your company's requirements, you can create policy templates so that when users create protected content, they can select your preconfigured templates. Templates can be made available to users who might not be connected to the network when they create their content. This is accomplished by deploying your templates from a shared folder; the AD RMS client then stores copies of the templates on the local machine. You can still change a template in the shared folder: when the AD RMS client installed on each client machine next polls for templates, it detects that a change has occurred and downloads the updated template to the local machine. To configure policy templates, open the Active Directory Rights Management Services console by clicking Start, then choosing Administrative Tools and then Active Directory Rights Management Services. Then follow the steps in Exercise 6.19.

Exercise 6.19 Configuring a Policy Template
To configure a Policy Template, do the following:
1. Expand the local server.
2. Click Rights Policy Templates.
3. In the Actions pane, click Create Distributed Rights Policy Template.
4. On the Template Identification page, click Add.
5. In the Name box, enter the name for this template.
6. In the Description box, enter a description for this template.
7. Click Add.
8. Back on the Template Identification page, click Next.
9. On the Add User Rights page, add the users and the rights they require.
10. When finished, click Next.
11. On the Specify Expiration Policy page, enter the dates, if any, on which you want content protected by this template to expire.
12. Click Next.
13. On the Specify Extended Policy page, choose any additional conditions that you require for this template.
14. Click Next.
15. On the Specify Revocation Policy page, check the box next to Require Revocation if you need to be able to deny permission later based on other factors. Those factors can include users, applications, content ID, or operating systems.
16. Click Finish to create the template.
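The template distribution described above (templates published from a shared folder and cached by the AD RMS client) is easy to get subtly wrong: a client that still holds an old copy keeps applying rights you have since changed. The following is an added example, not code from the book, for an Office 2007 client on Windows Vista or Windows Server 2008. It points the client at the template share and compares the locally cached templates with the share. The share path is a placeholder; the registry value (Office 2007 reads `AdminTemplatePath` under `HKCU\Software\Microsoft\Office\12.0\Common\DRM`) and the cache folder under `%LocalAppData%\Microsoft\DRM\Templates` are the locations for those client versions and should be treated as assumptions for any other version.

```powershell
# Added example (not from the book): point an Office 2007 client at the rights
# policy template share and check that the AD RMS client's local template cache
# is current. Share path is a placeholder; registry value and cache folder are
# the Office 2007 / Windows Vista locations (assumptions for other versions).
param(
    [string]$TemplateShare = '\\rms01.corp.example\RmsTemplates',                    # assumed share
    [string]$LocalCache    = (Join-Path $env:LOCALAPPDATA 'Microsoft\DRM\Templates')  # assumed cache
)

# Office 2007 looks for distributed templates in the folder named by this value.
$officeDrm = 'HKCU:\Software\Microsoft\Office\12.0\Common\DRM'
if (-not (Test-Path $officeDrm)) { New-Item -Path $officeDrm -Force | Out-Null }
Set-ItemProperty -Path $officeDrm -Name 'AdminTemplatePath' -Value $TemplateShare

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash does not exist on PowerShell 2.0, so hash through .NET directly
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

function Compare-RmsTemplates([string]$Share, [string]$Cache) {
    # One row per template on the share: Current, Stale (content differs from
    # the share) or Missing (the client has not pulled it yet). A stale template
    # means users are still applying rights you have since changed.
    foreach ($remote in Get-ChildItem -Path $Share -Filter '*.xml') {
        $local = Join-Path $Cache $remote.Name
        $state = if (-not (Test-Path $local)) { 'Missing' }
                 elseif ((Get-Sha256Hex $local) -ne (Get-Sha256Hex $remote.FullName)) { 'Stale' }
                 else { 'Current' }
        New-Object PSObject -Property @{ Template = $remote.Name; State = $state }
    }
}

Compare-RmsTemplates -Share $TemplateShare -Cache $LocalCache | Format-Table Template, State -AutoSize
```

Run it in the user's own session (the registry value is per user), or push the `AdminTemplatePath` value through Group Policy and keep only the comparison part for troubleshooting. A row reported as Stale after the client's next poll usually means the share is not reachable from that machine or the template file was renamed rather than edited in place.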
Summary
Fax services are still a solution that companies, big and small, rely on to maintain and increase business, so it is important that you do not overlook this technology. Spending time configuring routing rules will increase the productivity of your users because it can automate the process of scanning, emailing, and filing faxes. After spending time understanding Windows Media Services, you should have an appreciation for how it can help an organization create, distribute, and publish content. Many options exist beyond the basics; looking at the advanced options helped you understand that you can optimize the way you deliver content to the user. Digital Rights Management is something to take seriously in this day and age: if you don't protect your data, chances are someone will acquire it. Protecting data is just smart management. AD RMS allows an administrator to protect files such as those created in Word, Excel, and PowerPoint. This is a great feature in Windows Server 2008. Allowing users to protect data stored on a network share was something that administrators were reluctant to do; it was typically something that administrators would perform themselves. Now, with AD RMS and policy templates, administrators can create a policy for protection and access control and the end user can apply it to their content, freeing up IT staff to perform other tasks.
Exam Essentials
Understand Fax Server options. Review how to configure dialing rules and routing rules. Understand how to set up a local fax and how to configure its properties.
Know how to configure basic media streaming solutions. It is important that you know:
- When to use multicast and when to use unicast streaming
- What publishing points are
- The difference between broadcast and on-demand publishing and when to use each
Understand advanced options for media streaming. Understand topics such as Fast Cache, intelligent streaming, and Fast Reconnect.
Know how DRM and AD RMS protect content. Review all forms of rights protection. Understanding terms like business rules and policies is important. Know how to configure a policy template and why templates are needed.
Review Questions
1. To monitor activity in the Incoming, Inbox, and Outbox folders of a fax server, it is recommended that you install Windows Fax and Scan. What feature should be installed for that software to be available?
A. Print Services
B. Fax Service
C. Media Services
D. Desktop Experience
2. How do you install fax devices that were used on the server prior to installation of the Fax Services role?
A. Rerun the Install Printer Wizard.
B. Do nothing. Fax devices are detected when the role is installed.
C. Consult the fax device vendor for installation instructions specific to your device.
D. Use the Windows Update service to reinstall the device with the drivers needed for Fax Services.
3. When a fax device is detected and installed, it is automatically configured to do what?
A. Send faxes.
B. Receive faxes.
C. Send and receive faxes.
D. Nothing is enabled by default.
4. How is individual fax routing configured?
A. Per printer
B. Per fax device
C. Based on clients
D. Depends on volume
5. How would you ensure that faxes going to a certain area code are sent from only a particular fax device?
A. Instruct users to choose the device for that area code.
B. Configure the users' computers to only use one device.
C. Create a fax rule that specifies a device to use for a certain area code.
D. Install advanced fax software on your users' computers and configure it to send faxes to the right device.
6. Which editions of Windows Server 2008 will allow advanced features such as multicast streaming?
A. Windows Server 2008 Standard
B. Windows Web Server 2008
C. Windows Server 2008 Core
D. Windows Server 2008 Enterprise
7. Which of the following is a correct procedure to install Windows Media Services?
A. Add Roles wizard.
B. Add Features wizard.
C. It must be downloaded and installed from Microsoft's website as a service add-in.
D. Use Add/Remove Programs in Control Panel.
8. What are the system requirements for installing Windows Media Services?
A. One or more processors with a minimum speed of 550MHz
B. One or more processors with a minimum speed of 133MHz
C. 1GB of RAM
D. 5GB of free space
9. Which of the following correctly describes the term streaming media?
A. Media that is newer than 2003
B. Media that is created by Microsoft
C. Media that is displayed to the end user as it is being delivered from a server
D. Any media that contains audio
10. What does Media Services use publishing points for?
A. To stream Microsoft Publisher files
B. To tell clients how to reach content
C. To allow network users to use Microsoft Publisher without having the program installed
D. To hold content directories
11. What type of publishing point would you use to allow the users to control the fast-forward and rewind features for content?
A. Broadcast
B. Pay per view
C. On-demand
D. Silent
12. By default, what type of streaming does Media Services use?
A. Unicast
B. Single
C. Multicast
D. Multipoint
13. What type of streaming allows streaming from a single server to many clients?
A. Unicast
B. Multicast
C. Multipoint
D. Dual connection
14. When would you consider using multicast streaming? (Choose all that apply.)
A. When your switches have unicast support
B. When you have only two media servers
C. When you're broadcasting to a large audience
D. When your network is multicast enabled
15. What wizard is used to create a publishing point?
A. Media Services
B. Add/Remove Programs
C. Add Publishing Point
D. Add a Feature
16. When you enable Fast Cache, what other method cannot be used?
A. Intelligent streaming
B. Fast Start
C. Fast Reconnect
D. Fast Recovery
17. When Authorization is enabled on a media server but Authentication is disabled, what happens to the client's request for access?
A. Nothing.
B. Clients are notified that Authentication is disabled.
C. Clients are not able to access the server.
D. Client requests are not affected.
18. AD RMS can protect what types of files?
A. Office documents
B. SharePoint files
C. Email
D. All of the above
19. The method to protect or lock up content with an electronic key is known as ___________________?
A. Intelligent protection
B. Encryption
C. DRM security
D. Lock and key
20. Which of the following is requested by a client computer when a user tries to open a protected file from Windows Server 2008?
A. Code
B. Authorization
C. License
D. Authentication
Answers to Review Questions
1. D. When the Desktop Experience feature is installed, it installs Windows Fax and Scan by default.
2. B. When the Fax Server role is installed, any devices already connected to the server are detected and installed.
3. A. After installation of a fax device, the fax server configures the device to send faxes.
4. B. Individual fax routing is configured on a per-device basis.
5. C. Fax rules allow you to optimize the use of faxes by associating a rule with a fax device and an area code or region.
6. D. Advanced features for Windows media servers are available only on Windows Server 2008 Enterprise and Datacenter editions.
7. C. Windows Media Services is not available from the Add Roles Wizard. It must be downloaded and installed from Microsoft's website.
8. B. Windows Media Services requires a minimum processor speed of 133MHz.
9. C. Any media that is played in a user's player but resides on a server would be considered streaming.
10. B. Publishing points are used to tell clients how to find content.
11. C. An on-demand publishing point allows the user to control the media. The user can stop, pause, rewind, and fast-forward the content.
12. A. Windows Media Services uses unicast streaming by default.
13. B. Multicast streaming allows the streaming of media from a single server to multiple clients.
14. C, D. You would consider using multicast if you need to deliver content to a large audience. Your network must be multicast enabled.
15. C. The Add Publishing Point Wizard is used to create publishing points.
16. A. When you use Fast Cache, you are not able to use intelligent streaming.
17. C. When Authentication is disabled, clients will not be able to access the server because both Authorization and Authentication are needed to grant a client's request.
18. D. AD RMS can protect Office documents, SharePoint libraries, and email.
19. B. Encryption is the locking or protecting of data by using electronic keys.
20. C. A user will request a license from the server to view protected content.
Chapter 7
Configuring Windows SharePoint Services (WSS)
Microsoft Exam Objectives covered in this chapter:
Configuring Network Application Services
- Configure Microsoft Windows SharePoint Services server options. May include but is not limited to: site permissions; backup; antivirus; configuring Windows SharePoint Services service accounts
Windows SharePoint Services offers businesses a simple and cost-effective solution to collaborate and to manage knowledge, such as user forums, company libraries, and professional training. Microsoft provides this as a free add-on, starting with Windows Server 2003. Windows SharePoint Services, or WSS 3.0 as it will be referred to in the rest of the chapter, has had a major overhaul since its previous version, WSS 2.0, starting with using the .NET Framework 3.0. WSS 3.0 has also closed many of the gaps that WSS 2.0 had in ease of use and functionality. This makes WSS 3.0 a secure and simple-to-deploy option for any company looking to increase its efficiency in business processes. In short, WSS can give your people access to the information they need when they need it. This chapter will give you the information you need to configure some key options of WSS, such as:
- Configuring Windows SharePoint Services, including incoming and outgoing email settings, workflow settings, and antivirus configuration.
- Configuring Windows SharePoint Services sites, including upgrading from WSS 2.0 and creating or extending web applications.
- Configuring authentication for Windows SharePoint Services, including authentication for WSS, Digest Authentication, and Web Single Sign-On.
This chapter assumes that you have already met the prerequisites and have already installed WSS 3.0 on your server per the Microsoft readme and deployment documents. Installation files, deployment documentation, and readme files are available from the Microsoft TechNet site for WSS 3.0 at www.microsoft.com/technet/windowsserver/sharepoint/default.mspx. You must install WSS 3.0 with Service Pack 1 on Windows Server 2008, as WSS 3.0 without SP1 is not supported there; more information can be found at http://support.microsoft.com/kb/943587.
The configurations and labs in this chapter are typical setups using Microsoft default settings. This is known as an out-of-the-box installation of WSS 3.0 on a Windows Server 2008 domain member server. Many of the steps explained here can also be used on a similar Windows Server 2003 Service Pack 1 (SP1) installation.
Configuring Windows SharePoint Services
Email, workflow, logging, and antivirus settings allow your WSS site to provide superior functionality, thus increasing workflow and productivity. You don't need to be an expert web designer to configure these options. You will, however, need information on your current email server to proceed. For the following sections, you will need the email server display address (@yourcompany.com) and the outbound SMTP (Simple Mail Transfer Protocol) server address.
The WSS 3.0 Central Administration site will be used to configure the options in the following sections (Figure 7.1). To open the Central Administration site on your WSS server, choose Start > All Programs > Administrative Tools and click SharePoint 3.0 Central Administration.
Figure 7.1 WSS Central Administration site
On this central site is an Administrator Tasks checklist. It provides you with prioritized tasks, which will aid you in a successful setup. It is best if you take some time to familiarize yourself with the first item, “READ FIRST - Click this link for deployment instructions,” which is displayed on the Central Administration home page. The quick start guide will help you understand how to deploy WSS in different deployment scenarios, such as deploying in server farm environments.
Configuring Incoming Email Settings
Before you enable incoming email, you must have installed Internet Information Services (IIS 6 or newer is required for WSS 3.0) and the Simple Mail Transfer Protocol (SMTP) server. On Windows Server 2008 the SMTP Server is added as a feature in Server Manager; on Windows Server 2003 it is added from Add/Remove Windows Components in Control Panel. Why do you need to bother with the incoming email settings? Say your users have started to use your new SharePoint site only to find out that, in order to store email from other teams, they have to open the SharePoint site and upload the content. This would not only decrease productivity, it would also discourage users from using the information management features. Configuring this feature allows your users to store their email-based information in lists and libraries and allows the site to receive email directly. Lists and libraries can be assigned an email address, which makes team sites more efficient in managing their information. Do you need to receive or offer support in your organization? Perhaps you could create a form for IT support. Configuring incoming email would allow your users to create an email message that is sent to your staff. With some custom coding, you could use this feature to track the progress of requests and have WSS alert users whenever a change is made to a request. There are other benefits of configuring incoming email settings as well:
- Archiving email
- Creating a place to share information
- Adding content via email
To configure the incoming email settings, you need to locate the configuration page for incoming email. This page is found by following these steps:
1. On the navigation bar on the Central Administration site, click Operations.
2. Locate the Topology and Services section and select Incoming E-Mail Settings, which will take you to the Configure Incoming E-Mail Settings page (Figure 7.2).
Figure 7.2 Configuring email settings
There are four different sections that you should understand how to configure:
Enable Incoming E-Mail: When incoming email is enabled, sites can accept email and store incoming messages in lists and libraries.
Directory Management Service: This is how SharePoint connects your SharePoint site to your users' organization directory. When active, it provides enhanced email features such as creation and management of email distribution groups, creation of contacts in users' directories, and allowing users to find email-enabled SharePoint lists in their address book.
Incoming E-Mail Server Display Address: This is usually something like @yourcompany.com.
Safe E-Mail Servers: This is where you specify whether you want to lock down your SharePoint environment to certain email servers or allow any email server to route email to your site.
Now that you have a basic overview of the options, you'll choose the options for the example scenario. In Exercise 7.1, you'll configure the incoming email settings.
Exercise 7.1 Configuring Incoming Email Settings
To configure the incoming email settings, follow these steps:
1. Open the Central Administration site by choosing Start > All Programs > Administrative Tools and clicking SharePoint 3.0 Central Administration.
2. On the navigation bar on the Central Administration site, click Operations.
3. In the Topology and Services section, select Incoming E-Mail Settings.
4. In the Enable Incoming E-Mail section, choose Yes.
5. Select Automatic in the Enable Incoming E-Mail section.
6. In the Directory Management Service section, select No.
7. In the E-Mail Server Display Address box, type the email server name in the form @mycompany.com.
8. In the Safe E-Mail Servers section, select Accept Mail from All E-Mail Servers.
9. Click OK.
Specify the email server address that is displayed when users create an incoming email address for a list or group. Use this setting in conjunction with the SharePoint Directory Management Service to provide an email server address that is more user friendly. If you select Advanced for the Enable Incoming E-Mail option, you can specify the folder that emails are "dropped" into instead of relying on the default drop folder of the local SMTP server. In this scenario, we know that we have only one email server in production, so there is no need to block other servers. Be aware, though, that Accept Mail from All E-Mail Servers means any host that can deliver to the SMTP service on the WSS server can place messages in your email-enabled lists and libraries, under whatever sender address it chooses. If you enable the Accept Mail from These Safe E-Mail Servers option instead, type the IP addresses (one per line) of the email servers that you want to specify as safe in the corresponding box.
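The Safe E-Mail Servers choice above is worth testing rather than assuming. The following is an added example, not code from the book: a small SMTP probe, run from a workstation that is not one of your mail servers, that walks through EHLO, MAIL FROM and RCPT TO against the SMTP service on the WSS server and stops before DATA, so nothing is actually delivered. The host name, list address and forged sender are placeholders for your environment.

```powershell
# Added example (not from the book): probe the SMTP service that feeds an
# email-enabled WSS list from a host that is not one of your mail servers.
# With Safe E-Mail Servers set to Accept Mail from All E-Mail Servers, a 250
# reply to RCPT TO here means anyone who can reach port 25 can drop content
# into the list under any sender address. Host and addresses are placeholders.
function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # Multi-line replies continue while the 4th character is '-', e.g. "250-SIZE"
    do { $line = $Reader.ReadLine() }
    while ($line -and $line.Length -ge 4 -and $line[3] -eq '-')
    return $line
}

function Test-SmtpInjection {
    param(
        [string]$Server = 'wss01.corp.example',         # assumed WSS/SMTP host
        [int]   $Port   = 25,
        [string]$From   = 'ceo@corp.example',           # forged sender
        [string]$To     = 'projectdocs@corp.example'    # assumed list address
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true

        $banner = Read-SmtpReply $reader                                  # 220 greeting
        $writer.WriteLine('EHLO probe.corp.example'); Read-SmtpReply $reader | Out-Null
        $writer.WriteLine("MAIL FROM:<$From>");       $mail = Read-SmtpReply $reader
        $writer.WriteLine("RCPT TO:<$To>");           $rcpt = Read-SmtpReply $reader
        $writer.WriteLine('QUIT');                    Read-SmtpReply $reader | Out-Null  # no DATA: probe only

        New-Object PSObject -Property @{
            Server     = $Server
            Banner     = $banner
            MailFrom   = $mail
            RcptTo     = $rcpt
            Injectable = ($rcpt -ne $null -and $rcpt.StartsWith('250'))
        }
    }
    finally { $client.Close() }
}

Test-SmtpInjection | Format-List Server, Banner, MailFrom, RcptTo, Injectable
```

A 250 to RCPT TO shows only that the SMTP layer will queue the message; SharePoint applies its Safe E-Mail Servers list when the timer job picks the message up from the drop folder, so with the list restricted to known servers the message is discarded at that point. As a second layer, restrict connections on the IIS SMTP service itself to the same mail servers, and rerun the probe afterward to confirm the reply changed.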
Configuring Outgoing Email Settings
Outgoing email settings are the building blocks administrators use for several different email notification features. In fact, without proper configuration of the outgoing email settings, you will not be able to use alerts or application notifications. Unlike incoming email, this does not require the SMTP service on the WSS server itself; you need an SMTP server that the WSS server can reach, which can be the local SMTP service installed for incoming email or a separate mail server. So where would you use these features? As a company grows, it has a greater need to get key information to its users fast. Here are a few ways you could use alerts and notifications:
Alerts: Users can have the WSS site alert them when lists, discussions, libraries, and other parts of the site are updated. This works nicely when you have two different groups working on the same documents, lists, or libraries. Users can configure alerts to notify them when changes are made to the documents they are responsible for. Because users manage this configuration themselves, it reduces the amount of administration effort. If your users are not able to configure alerts, check your permissions on the site. Users must have at least View permissions.
Notifications or administration notices: As a site administrator, you could use these to receive emails when a user requests access to a site or when someone has gone over their storage quota. This simplifies the process for your users and reduces the impact on your help desk.
WSS Email Benefits About a year ago, we came across a client who was looking for a low-cost application that would allow them to create a purchase order form. They said that this application must send out email alerts to the approving manager and the user who submitted the purchase order. They wanted it to pull the user’s information from Active Directory and populate it on the form, which would save the user time and make sure the information on the request was standard. We looked into several different applications to accomplish this task. After some additional research, we realized that WSS and the outgoing email feature would be exactly the foundation we would need to accomplish what the client wanted. While this required some additional programming on our part, it was nice that we only had to configure the outgoing email settings to send alerts to the proper people. After setting up the outgoing email, we created the forms they wanted and linked certain dialog boxes to populate their Active Directory user account. We were able to do all of this while staying in the client’s modest budget. The best part is that we are now able to take the code we used for this client and sell it to other clients as an already finished product.
Let's review a few requirements that must be met before you can configure the settings, because outgoing email relies on several components:
- A From email address. This is used to help identify the sender of the message you receive. This can be something like [email protected].
- A Reply-To address. This will be the address that your users reply to when they get an alert or administrator notification. Many companies use [email protected] or something similar as a Reply-To address because they do not monitor this mailbox and thus do not want users to reply to an alert or system notice.
- SMTP service installed. You will need to know the DNS name or IP address of the SMTP server you plan to use. Some SMTP mail servers require a username and password that you have to configure to allow your WSS site to send mail through them.
- Character set. You need to know what language set to use in the body of your alert email. If you do not know, use the default.
Now that you are armed with the requirements, you can proceed to Exercise 7.2.
Exercise 7.2 Configuring Outgoing Email Settings
Follow these steps to configure outgoing email settings:
1. Choose Start > All Programs > Administrative Tools and click SharePoint 3.0 Central Administration.
2. On the navigation bar in the upper-left side of your screen, choose Operations.
3. Under the Topology and Services section, choose Outgoing E-Mail Settings to configure your mail settings.
4. In the Outbound SMTP Server box, enter your SMTP server address or IP address (for example, mailer.yourcompany.net).
5. In the From Address field, put in the address you want people to see when they get an email alert (for example, [email protected]).
6. In the Reply-To Address box, enter the email address you want people to use to reply (for example, [email protected]).
7. For the Character Set option, leave the default selected, which is 65001 (Unicode UTF-8).
8. Now click OK.
Configuring Outgoing Email Settings for a Specific Web Application
Now that you have configured the outgoing email for your WSS site applications, you might have a need for different settings for a specific web application. WSS gives you the ability to have two different applications send out email using different email addresses. For example, you can have an application in your HR department that sends out emails and an application on your news page that sends out alerts. You can configure each application to use a different From and Reply-To address. Exercise 7.3 shows how to configure the settings for a specific application. In the exercise, the same SMTP settings that were used in Exercise 7.2 will be used again.

Exercise 7.3 Configuring Outgoing Email Settings for a Specific Web Application
To change the outgoing email settings for a web application, follow these steps:
1. Choose Start > All Programs > Administrative Tools and click SharePoint 3.0 Central Administration.
2. On the navigation bar at the upper-left side of your screen, choose Application Management.
3. Under the SharePoint Web Application Management section, choose Web Application Outgoing Email Settings.
4. In the Web Application section, select the application from the drop-down list.
5. The first option in the Mail Settings section is Outbound SMTP Server. Enter the same SMTP server you used in Exercise 7.2, or, if you plan to use a different SMTP server for this application, enter that server's DNS name or IP address here.
6. Enter the From and Reply-To addresses you plan to use for this specific application. The From address is the address that will appear to your email recipients. The Reply-To address is the address your users will send to when they choose Reply.
7. The character set can remain at the default setting or one that is appropriate for your language.
8. Click OK.
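Exercises 7.2 and 7.3 can also be scripted, which matters once you have more than one farm or need to rebuild one. The following is an added example, not code from the book: it uses stsadm, the WSS 3.0 command-line tool, to set the farm-wide outgoing email settings and then override them for one web application with the -url parameter, and finally sends a test message through the same SMTP server from the WSS box, because an SMTP server that refuses relay from the farm makes every alert fail silently. Server names, addresses and the web application URL are placeholders for your environment.

```powershell
# Added example (not from the book): configure outgoing email for the farm and
# for one web application with stsadm, then send a test message through the
# same SMTP server from the WSS box. Names, addresses and URL are placeholders.
$stsadm     = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\12\BIN\stsadm.exe'
$smtpServer = 'mailer.corp.example'    # assumed outbound SMTP server

function Set-WssOutgoingEmail {
    param([string]$From, [string]$ReplyTo, [string]$Url)   # omit $Url for the farm default
    $cmdArgs = @('-o', 'email',
                 '-outsmtpserver',  $smtpServer,
                 '-fromaddress',    $From,
                 '-replytoaddress', $ReplyTo,
                 '-codepage',       '65001')            # Unicode (UTF-8), as in Exercise 7.2
    if ($Url) { $cmdArgs += @('-url', $Url) }          # scopes the setting to one web application
    & $stsadm @cmdArgs
    if ($LASTEXITCODE -ne 0) { throw "stsadm -o email failed with exit code $LASTEXITCODE" }
}

function Test-OutboundSmtp {
    param([string]$From, [string]$To)
    # Alerts fail quietly if the SMTP server refuses relay from the WSS server,
    # so prove the path works from this machine before users depend on it.
    $client = New-Object System.Net.Mail.SmtpClient($smtpServer, 25)
    try {
        $client.Send($From, $To, 'WSS outgoing email test',
                     "Sent from $env:COMPUTERNAME via $smtpServer")
        $true
    }
    catch [System.Net.Mail.SmtpException] {
        Write-Warning ("SMTP relay test failed: " + $_.Exception.Message)
        $false
    }
}

# Farm-wide default used by alerts and administrator notices (Exercise 7.2)
Set-WssOutgoingEmail -From 'wss-alerts@corp.example' -ReplyTo 'noreply@corp.example'
# The HR web application sends under its own identity (Exercise 7.3)
Set-WssOutgoingEmail -From 'hr-portal@corp.example' -ReplyTo 'hr@corp.example' -Url 'http://hr.corp.example'

Test-OutboundSmtp -From 'wss-alerts@corp.example' -To 'wssadmin@corp.example'
```

Run it on the WSS server as a farm administrator; stsadm writes to the configuration database, so the same settings then appear in Central Administration. If the SMTP server requires authentication, as noted in the requirements above, the test function needs credentials set on the SmtpClient before Send, and the farm itself will not be able to use that server, since WSS 3.0 sends anonymously.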
Configuring Workflow Settings
Workflow settings are configured at the application level. This allows the site administrator or your end users to create their own application-specific workflows, and you can have different workflows for each application. You can choose to control whether end users or site administrators will configure these settings. Allowing your users to configure them can greatly reduce your administrators' involvement, but it can increase the risk of nonstandard workflows entering your work environment. By default, your users can create their own workflows using only code that your site administrators deploy. You also have the option to choose whether you want internal or external users to receive alerts when they are assigned a task. If you want external users to participate in the workflow process, WSS will send them a copy of the document assigned to them. Note that this emails the document itself outside the site, where the site's permissions no longer apply, so weigh that before enabling it. As mentioned, the workflow is application specific, and you will most likely configure these options after you have developed your applications. The Central Administration site allows you to configure the workflow settings. You can configure these settings by following these steps:
1. From the Central Administration site, click Application Management on the navigation bar in the upper-left portion of the screen.
2. Choose Workflow Settings.
3. In the Web Application section, choose your application.
4. Under User-Defined Workflows, select Yes or No.
5. For Workflow Task Notifications, choose Yes or No to send alerts to your users when they are assigned a task, and choose whether you want external users to be sent a copy of any documents assigned to them.
6. Click OK.
61705c07.indd 277
6/27/08 4:26:31 PM
Chapter 7 Configuring Windows SharePoint Services (WSS)
Configuring Diagnostic Logging Settings

In this section, you have to make some basic decisions about what you want to log and how much you want to share with Microsoft. We will cover the following topics:
- Error reporting
- Microsoft Customer Experience Improvement Program (CEIP)
- Event throttling
When software is being set up, one of the least-configured settings is logging, which provides valuable data for both the IT professional and the application vendor. Taking some time to configure these options can save many hours of troubleshooting. In addition, if you choose to share this information with Microsoft, it will help the developers produce a better product. Providing this information to Microsoft is optional. We will review each of these options so you can make an informed decision.

Error reporting
When you have any issues with your application or hardware or encounter a problem, error reporting will create an error report or log information in a system log for you to review. The following list includes some of the items WSS collects:
- IP address of the server
- Product ID
- Condition of the server when the problem occurred
- Hardware your server is using
- Software version
While Microsoft does not try to collect personal information, it is entirely possible that such information could be included in the report. Personal information can include, but is not limited to, usernames, email addresses, URLs, and IP addresses. Microsoft states that it uses this information only to help determine the problem and how to solve it, but you will have to decide whether you want Microsoft to have it. You can choose to either send these error reports periodically or have this information sent silently. Please review any policies your corporation may have on the sharing of information.

Microsoft Customer Experience Improvement Program (CEIP)
If you agree to allow the sharing of information with Microsoft, it will use the information to improve the stability, functionality, and performance of the WSS product.

Event throttling
When you choose to log events, it is important that you manage not only what type of information is put into the logs, but also how large the logs can become. If you don't configure these settings, you run the risk of the files growing out of control. You can choose to have this information logged into the Windows event log or trace logs. You have a lot of control in WSS 3.0 when it comes to event throttling. You will have to decide the level of importance of each event because WSS has settings that specify how critical each event is. WSS breaks up the events into categories, and you can decide to throttle them all or just throttle a single event. Categories such as the following are defined by different services or common events in Windows SharePoint:
- All
- By product
- Features
- SharePoint services
- Administration functions
- Shared services
After choosing the category you want to log, you will want to choose the level of events to include in the log. The options for logging Windows events are as follows:
- None
- Error
- Warning
- Audit failure
- Audit success
- Information

When choosing the level of events to log, keep in mind that you should always choose the least critical event you want to monitor. WSS will record events that are equal to or greater than the selected event. This applies to both Windows events and trace logs. For more information on Windows event logs, please review the documentation that comes with your server.
The following options are available when using trace logs:
- None
- Unexpected
- Monitorable
- High
- Medium
- Verbose

In Exercise 7.4, we will show you how to configure the diagnostic settings.
Exercise 7.4
Configuring Diagnostic Log Settings

To configure diagnostic logging, follow these steps:
1. Choose Start > All Programs > Administrative Tools and click SharePoint 3.0 Central Administration.
2. On the navigation bar in the upper-left portion of your screen, choose Operations.
3. In the Logging and Reporting section, click Diagnostic Logging.
4. Choose Yes or No in the Customer Experience Improvement Program section.
5. In the Error Report section, choose to collect the error reports or to ignore them. If you choose to collect reports, decide if you want to periodically download or silently send the reports to Microsoft.
6. In the Event Throttling section, click on the drop-down box to select your category of events. In the Least Critical Event menus, choose the event equal to the lowest level you want to monitor.
7. In the Trace Log section, add the path to the location in which you want the log files to reside. If your WSS is in a server farm configuration, make sure the location you choose is available on all servers.
Exercise 7.4 (continued)
8. In the Number of Log Files box, enter the number of files you want to retain. If you are unsure, leave the default.
9. Change the number of minutes to use the log files.
10. Click OK.
Configuring Antivirus Settings

In today's world, running your WSS server, or any other server for that matter, without an antivirus product is playing a dangerous game. It will only be a matter of time until a user uploads a virus and distributes it to others. It is best practice to install an antivirus product on all servers in a server farm. After you install an antivirus product on the WSS server, it is important to configure the antivirus settings. In a server farm, all web servers with documents must have the antivirus product installed before these settings will take effect.

There are four antivirus settings we can configure:

Scan Documents on Upload: When a user uploads a document to your WSS site, your antivirus product will scan it to ensure that it does not contain viruses. This helps prevent viruses from spreading to other users.

Scan Documents on Download: When selected, this feature will scan a document before it is downloaded to a user's computer. It will prompt the user about an infection and allow them to decide whether to continue, unless you check the next option.

Allow Users to Download Infected Documents: When this option is selected, it allows users to download infected documents to their local computer. This is not a recommended option to select unless you have a specific reason to, like troubleshooting a document.

Attempt to Clean Infected Documents: If a virus is found during the scanning process, this option will allow the antivirus product to clean it automatically.

To locate these options, follow these steps:
1. Open the Central Administration site by choosing Start > All Programs > Administrative Tools and clicking SharePoint 3.0 Central Administration.
2. On the top navigation bar, click Operations.
3. In the Security Configuration section, click Antivirus. Use this page, seen in Figure 7.3, to configure your antivirus options.
Figure 7.3 Antivirus options
Using the Best Practices Analyzer Tool

The Best Practices Analyzer tool is used to check for common problems and to determine if your WSS installation follows best security practices. The tool is also used to help you fine-tune your WSS installation so that it is optimized for performance. To use the tool, download it and install it on your server. After it's installed, you can check your site's configuration by opening a command prompt and then switching to the location that contains the Best Practices Analyzer. By default this is C:\BPA. Now follow these steps:
1. Type sharepointbpa.exe -cmd analyze -substitutions SERVER_NAME CentralAdministrationServer and press Enter. Replace CentralAdministrationServer with the name of your server. You need to keep SERVER_NAME in capital letters.
2. After the Best Practices Analyzer tool has finished analyzing your site, open sharepointbpa.report.htm in a web browser to view the results. This file will be located in the same location as the installation. The default is C:\BPA.

You can download the tool at the following link: http://go.microsoft.com/fwlink/?LinkID=83335&clcid=0x409.
Configuring Windows SharePoint Services (WSS) Sites

With the installation of your default WSS 3.0 site complete, you are ready to start creating additional sites. In the following sections, you will learn about these topics:

Upgrading from WSS 2.0: Careful planning and preparation are needed to successfully upgrade a WSS 2.0 installation.
Create or extend web applications: You must create applications before sites can be created. You will learn how to create and extend web applications.
Configure alternate access mapping: This allows you to assign different URLs to the same site.
Create zones for web applications: A default zone is automatically created when you create a web application. We will explain how to add additional zones.
Create quota templates: With quota templates, you can control how large a site collection can become. You will learn how to configure the quota templates.
Create site collections: We will show you how to create a site collection and assign the primary and secondary owners.
Enable access for end users: After the creation of a site is completed, access will need to be granted to your users.
Add site content: After site collections are created, content can be added.
Upgrading from WSS 2.0

Performing an upgrade from WSS 2.0 to WSS 3.0 is not a simple process. Because each environment is different, as are the WSS applications, you must plan accordingly. It is also important that you not only give consideration to the initial software upgrade but also think about any issues that might come up after the upgrade. First, Service Pack 2 for SharePoint Services 2.0 must be installed. Then the remaining prerequisites must also be met:
- Install Microsoft .NET Framework 3.0.
- Enable Microsoft ASP.NET 2.0.
- The application and web server must be running Windows Server 2003 with Service Pack 1 (SP1).
Next, make sure that a full backup of the assigned SQL server has been completed. This will ensure that a recovery can be completed in case something goes wrong with the upgrade. WSS 2.0 uses two types of databases, a configuration database and a content database.
Microsoft has provided a pre-upgrade tool to scan the site that will be upgraded and then fix any errors before attempting the upgrade. During the installation of the WSS 3.0 upgrade, the installation wizard will exit and prompt you to run this tool. It is a good idea to run the tool each time that an error is fixed to make sure no additional issues have appeared. For more information on the WSS 2.0 upgrade tool and the upgrade procedures, visit http://technet2.microsoft.com/windowsserver/WSS/en/library/700c3d60-f394-4ca9-a6d8-ab597fc3c31b1033.mspx?mfr=true.
If any custom Web Parts have been created for the site that will be upgraded, especially if ASP.NET 2.0 was used, you will need to test and verify that the Web Parts will work in the upgraded environment. If these parts were created with ASP.NET 1.1, they must be rebuilt using ASP.NET 2.0 before you attempt an upgrade. You are now ready to perform the upgrade. We will cover only an in-place upgrade, so please consult the Microsoft TechNet articles from the above link for other upgrade options. Other options include a gradual upgrade and database migration. Performing an in-place upgrade is the simplest option. In-place upgrades will update all content and configuration data at the same time. Keep in mind that while this upgrade is running, your users will not be able to access the web server; make sure you inform your users of this downtime. An in-place upgrade is best when you have a single server or a small farm with little to no custom applications. If you are in a medium to large server farm or have heavy customization, you are better off using a gradual upgrade, which would reduce the impact on your users. The process of upgrading includes the following steps:
- Install Windows SharePoint Services Version 3.0: This will perform an automated in-place upgrade.
- Run the Configuration Wizard: This will finish your upgrade and install the Central Administration web application.
- Review log files and resolve any issues: Log files can be located at %commonprogramfiles%\Microsoft Shared\web server extensions\12\LOGS.
When the upgrade is finished, review and perform any post-upgrade steps found in the Microsoft TechNet article referenced in this section.
Creating or Extending Web Applications

A web application is an IIS site with a unique application pool. Before creating sites or site collections, you first must create a web application. When you create a new application, a new database will also be created and the methods used to authenticate your connection to the database will be defined. If you have a need to broaden your web application to users that are not on your domain, you will have to extend your application to another IIS website.
Performing an In-Place Upgrade

We recently did an in-place upgrade from WSS 2.0 to WSS 3.0 for a client that had about 250 users. The users had become very accustomed to using the WSS 2.0 site and found that the tool was valuable to their organization. The client asked for some additional features, such as allowing extranet users, blogging, and some additional forms that would be linked to their Internet site. All of the custom applications were designed using WSS 2.0, and that was a cause for concern. We wanted to minimize the amount of development work needed to upgrade them to WSS 3.0. We decided to go ahead with the upgrade plans because the increased functionality and the ease of use were very appealing to both their administrators and end users. In addition, WSS 3.0 has features that would allow them to have extranet users and reduce the administration needed. Following the Microsoft TechNet articles for Windows SharePoint Services 3.0 proved invaluable to having a successful upgrade. We determined to make images of the server before attempting the upgrade, which we highly recommend. After the images were created (we created an image of a domain controller for Active Directory access), we converted them to virtual machines. We're glad we took the time to create the virtual machines because it allowed us to attempt several upgrades. We say several because the first time we performed an upgrade to WSS 3.0, the upgrade failed. Just a tip: make sure you install all the prerequisites listed on the site. We had failed to upgrade ASP.NET from 2.0 to 3.0. After the upgrade was completed, our development staff had to update some of our custom applications. They would not work after the upgrade because the applications were developed in ASP.NET 2.0. Overall the upgrade was a success and we learned a lot in the process.
Follow these steps to create a new web application:
1. Choose Start > All Programs > Administrative Tools and click SharePoint 3.0 Central Administration.
2. On the top navigation bar, click Application Management.
3. Choose Create or Extend Web Applications and then choose Create a New Web Application (Figure 7.4).
4. After you choose Create a New Web Application, the next page will allow you to choose to use an existing IIS site or create a new site. These options are found in the IIS Web Site section of the Create New Web Application page.
5. On the Create New Web Application page, enter your host header info and port number.
6. In the Security Configuration section, choose an authentication provider and whether you want to allow Anonymous access. If you are unsure, leave the defaults.
Figure 7.4 Creating a new web application
7. When SSL is chosen, remember to add an appropriate certificate on each server.
8. In the Load Balanced URL section, add the URL that all sites will use as links on their pages. By default, the box will add the current server name and port.
9. Choose an already existing application pool or make a new one. If you want to use an existing pool, then just choose that pool from the menu list. To create a new pool, click Create New Application Pool.
- Type the name of the pool in the Application Pool Name box.
- Choose Predefined to use an existing application pool security account.
- If you want to use an account for security that is not currently being used, type the username in the User Name box and the password in the Password box.
10. In the section titled Reset Internet Information Services, choose whether you want to allow SharePoint to restart IIS. If you choose not to allow SharePoint to restart the IIS service, this procedure must be performed manually, which can be done by running iisreset /noforce on each web server in the farm. Your new site will not be functional until after you restart the IIS service.
11. Now choose your database server, database name, and the method of authentication for the web application.
12. Click OK to create the new application.
To extend an existing web application, follow these steps:
1. Click Create or Extend Web Application in the Web Application Management section.
2. Next, choose Extend an Existing Web Application.
3. In the Web Application section, choose a web application in the drop-down menu.
4. In the IIS Web Site section, choose whether you want to use an existing site or create a new one. The boxes below (Description, Port, and Path) will populate with default information. You can choose to keep the default information or enter your own.
5. In the Security Configuration section, configure the authentication and encryption options. If unsure, leave the default options.
6. Next, in the Use Secure Sockets section, choose whether you want to use Secure Sockets Layer (SSL). If you choose this option, an SSL certificate must also be installed.
7. In the Load Balanced URL section, add the URL that all sites will use as links on their pages. By default, the box will add the current server name and port.
8. In the same section, under Zone, select the zone for the extended web application. Options are Intranet, Internet, Custom, and Extranet.
9. Click OK.
Configuring Alternate Access Mapping

Alternate access mapping is one of the more powerful features in WSS 3.0. Yet, for whatever reason, it is also one of the least understood. Where does this feature shine? Do you have reverse proxy or load balancing needs? Then this feature will benefit you. But just what is alternate access mapping? Simply put, it tells SharePoint how to map a request from a web browser to the proper web application. This is needed so that SharePoint can give the correct content back to you. It then tells WSS what URL the user should be directed to. One of the biggest reasons you would want to configure alternate access mapping is when the URL of a web request received by IIS is not the same URL that the user entered. Each web application can support five collections of mappings per URL. They correspond to the five zones: default, intranet, extranet, Internet, and custom. You will now learn how to add an internal URL, edit or delete an internal URL, map to an external source, and edit public URLs:
1. Choose Start > All Programs > Administrative Tools and click SharePoint 3.0 Central Administration.
2. On the top navigation bar, click Operations and then choose Alternate Access Mappings.

To add an internal URL, follow these steps:
1. Click Add Internal URLs on the Alternate Access Mappings page (Figure 7.5).
Figure 7.5 Add Internal URL
2. If your collection is not specified in the Alternate Access Mapping Collection, choose the collection from the drop-down menu.
3. Add the new URL in the next box and choose your zone.
4. Click Save.

To edit or delete an internal URL, follow these steps:
1. On the Alternate Access Mappings page, click on the URL you want to edit or delete.
2. Modify the URL and/or the zone.
3. If the URL needs to be deleted, click Delete at the bottom of the screen.
4. If you made any changes to the URL, click Save.

You cannot delete the last URL because there should always be at least one URL for the default zone.
To edit public URLs, follow these steps:
1. Back on the Alternate Access Mappings page, click Edit Public Zone URLs.
2. Select a collection from the Alternate Access Mapping Collection menu box. See Figure 7.6.

Figure 7.6 Edit Public Zone URLs

3. Modify or add URLs in the Public URLs section.
4. Click Save.
WSS 3.0 allows you to define resources that are outside of an internal application, but you need to make sure the URL is unique to your server farm. To map to an external source, follow these steps:
1. On the Alternate Access Mappings page, click Map to External Resource. The Create External Resource Mapping page is shown in Figure 7.7.
2. Type a unique resource name and add a new URL in the boxes in the External Resource Mapping section.
3. Click Save.
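To make the mapping concrete, here is a small Python model of one alternate access mapping collection, added as an illustration (it is not code from the book and not SharePoint's own object model). It shows the three rules the section describes: the URL IIS received is matched against the internal URLs, the matching zone's public URL is what the user is directed to, and the last URL of the default zone cannot be deleted. The host names, the reverse-proxy layout and the matching on scheme, host and port are constructed assumptions.

```python
"""Hypothetical model of a WSS 3.0 alternate access mapping (AAM) collection.
Constructed for illustration only; it is not the SharePoint object model."""
from urllib.parse import urlsplit

ZONES = ("default", "intranet", "extranet", "internet", "custom")


def normalize(url: str) -> str:
    """Reduce an absolute URL to scheme://host[:port], lower-cased, with the
    scheme's default port dropped, so that 'http://SP01:80/x' and 'http://sp01'
    produce the same key (assumed matching rule)."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    default_port = 443 if scheme == "https" else 80
    port = parts.port or default_port
    host = parts.hostname
    return f"{scheme}://{host}" if port == default_port else f"{scheme}://{host}:{port}"


class AlternateAccessMappings:
    """One collection: one public URL per zone and any number of internal
    URLs, each belonging to exactly one zone."""

    def __init__(self, default_url: str):
        # The URL the web application was created with becomes the default
        # zone's public URL and is also an internal URL of that zone.
        key = normalize(default_url)
        self.public = {"default": key}
        self.internal = {key: "default"}

    def set_public_url(self, zone: str, url: str) -> None:
        """'Edit Public Zone URLs': the URL users of a zone are directed to."""
        if zone not in ZONES:
            raise ValueError(f"unknown zone {zone!r}")
        key = normalize(url)
        self.public[zone] = key
        self.internal.setdefault(key, zone)  # a public URL is also internal

    def add_internal_url(self, url: str, zone: str) -> None:
        """'Add Internal URLs': e.g. the host a reverse proxy or load balancer
        forwards to, which differs from the URL the user typed."""
        if zone not in self.public:
            raise ValueError(f"zone {zone!r} has no public URL yet")
        self.internal[normalize(url)] = zone

    def delete_internal_url(self, url: str) -> None:
        """Deleting is allowed except for the last URL of the default zone."""
        key = normalize(url)
        zone = self.internal[key]
        if zone == "default" and list(self.internal.values()).count("default") == 1:
            raise ValueError("the default zone must keep at least one URL")
        del self.internal[key]

    def resolve(self, request_url: str):
        """Map the URL as IIS received it to (zone, URL the user should see).
        Returns None when no internal URL matches: WSS cannot serve it."""
        key = normalize(request_url)
        zone = self.internal.get(key)
        if zone is None:
            return None
        path = urlsplit(request_url).path or "/"
        return zone, self.public[zone] + path


def demo() -> AlternateAccessMappings:
    """Constructed farm: web application created as http://sp01, published on
    the Internet through a reverse proxy that forwards to an internal host."""
    aam = AlternateAccessMappings("http://sp01:80")
    aam.set_public_url("intranet", "http://sharepoint.corp.example")
    aam.set_public_url("internet", "https://portal.example.com")
    aam.add_internal_url("http://sp01-dmz.internal:8080", "internet")
    return aam


if __name__ == "__main__":
    farm = demo()
    for url in ("http://SP01/sites/sales/default.aspx",
                "http://sp01-dmz.internal:8080/sites/sales/default.aspx",
                "http://unknown.example/"):
        print(url, "->", farm.resolve(url))
```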
Creating Zones for Web Applications

Use the procedure outlined in the section "Creating or Extending Web Applications" to create a new zone. A new zone is created when you extend an existing web application.
Figure 7.7 The Create External Resource Mapping page
Creating Quota Templates

As users get used to using your WSS site, they will naturally start storing more and more data on it. This can be a blessing because you are finally getting them to use your new data management tool. However, caution is needed because a database can grow out of control. Quota templates are a solution to this problem. With these templates, you can add storage limits on a site collection. This feature can trigger an email alert to your administrators when this size limit is reached. You can apply these quotas to any site collection in a server farm. The quota will apply to the top-level site and all other sites under it. To create a new quota template, follow these steps:
1. Open the Central Administration site by clicking Start > All Programs > Administrative Tools and clicking SharePoint 3.0 Central Administration.
2. Click Application Management.
3. Under the SharePoint Site Management section, choose Quota Templates (Figure 7.8).
Figure 7.8 Creating a quota template
4. Choose Create a New Quota Template in the Template Name section. (From this section, you can also choose to edit an existing template or delete an existing template.) You can create this template using an existing quota template or just choose a new blank one. Name the new template.
5. In the Storage Limit Values section, set the limits for data storage and the threshold for sending an alert email.
6. Click OK.
Creating Site Collections

When you create a new site collection, you are also creating a top-level website for WSS. You will have the option to choose several templates for the site, such as templates for document libraries, help desk, knowledge bases, room and equipment reservations, team sites, wikis, and blogs. To create a new site collection, you will need to navigate to the Application Management page, which can be done by choosing Start > All Programs > Administrative Tools and clicking SharePoint 3.0 Central Administration. Then, follow these steps:
1. Click Application Management, and in the SharePoint Site Management section, click Create Site Collection. The Create Site Collection page is shown in Figure 7.9.
Figure 7.9 Creating a new site
2. Make sure the web application is selected in the Web Application drop-down box.
3. Give the collection a title and description, and then add a URL in the URL box.
4. Choose a template in the Template Selection section.
5. Next, add primary and secondary site administrators.
6. Select a quota template.
7. Click OK.
Enabling Access for End Users

Now that the WSS site is created, you can give access to your users. This section will help you understand how to give access to site administrators, collection administrators, site owners, and, most important, end users. Without proper access planning, you can find yourself taking away or adding access needlessly. For more information on planning site security, visit http://technet.microsoft.com/en-us/library/cc288189.aspx.
Within a site collection, you can configure access to sites, libraries, folders, documents, and items. Most of the configuration of user access will take place in the site collection and not from the Central Administration page. First add site collection administrators to your site. This portion is done from the Central Administration site by choosing Start > All Programs > Administrative Tools and clicking SharePoint 3.0 Central Administration. Then, just follow these steps:
1. Choose Application Management from the navigation bar.
2. In the SharePoint Site Management section, click Site Collection Administrators. Figure 7.10 shows the Site Collection Administrators page.

Figure 7.10 The Site Collection Administrators page

3. Select a site collection from the drop-down menu.
4. In the following two boxes, add primary and secondary site collection administrators.
5. Click OK.
You are now ready to give site owners, visitors, and other groups access to your site. When assigning access, it is a good practice to add groups for access instead of individual users. This makes administration of security easier to manage.
First we'll show you how to set up groups and then how to add users to those groups. Navigate to your site, and on the home page, select Site Settings from the Site Actions menu. Then follow these steps:
1. Click People and Groups. Figure 7.11 shows the resulting page.

Figure 7.11 Adding users and groups

2. From this page, choose Groups from the Settings menu.
3. From the Settings menu drop-down, click Set Up Groups.
4. From this page, you can set up or change users and groups. You can also create a new group.

Now that you have your groups set up, you can add users to groups and give them the proper permissions:
1. On the People and Groups page, click on the new group that was created.
2. Choose New on the navigation bar and select Add Users.
3. On the Add Users page, type the names of the accounts to add. You can browse for users in Active Directory.
4. In the Give Permissions section, add the level of permissions you want the users to have. Make sure you have selected Add Users to a SharePoint Group and that you select the correct group.
5. Finally, choose whether you want to have a welcome email sent to the new user and any personal message.
6. Click OK.
Adding Site Content

There are three main ways you can add content to your WSS sites:
- Allow users to add content.
- Use web designers to create content.
- Migrate content from another site.

There are some things to consider when choosing which option you will use for adding site content:
- Will the public see this content?
- Is the site for a large organization?
- Are you redesigning or reorganizing another site?
- Will the site be a collaboration site, which might include wikis, blogs, or other user-created content?

Here are two of the more popular choices for adding content to a WSS site:

User-added content: You can immediately allow users and site owners to add content to the WSS sites by following the steps in the section "Enabling Access for End Users" earlier in this chapter. The benefit of allowing user-added content is that it involves users immediately, and they tend to want to add and update the content on a regular basis.

Migrate content: You have a couple of options to migrate content from a different site. One option is to use the Export and Import operations of the Stsadm tool. The other option is to use the Central Administration page to perform a migration. Read more about the Stsadm tool and the Central Administration options for migrating content by visiting the Windows SharePoint Services 3.0 Technical Library at http://technet.microsoft.com/en-us/library/cc288664.aspx.
Configuring Authentication for WSS

Authentication is the process of validating a user's rights to log into your WSS site and verifying the level of access they should have. WSS uses IIS to manage user authentication. After IIS has determined that the user is authentic, WSS will perform the authorization. WSS will then allow the user to access the resources on the WSS site to which they have been given access.
WSS has provided support for federated authorization, also known as Web Single Sign-On (Web SSO). This means that the authentication system is not local to the computer that hosts Windows SharePoint Services 3.0. WSS provides for several other authentication scenarios:
- Standard Windows authentication.
- A simple database containing usernames and passwords.
- Integrating directly into your company's identity management system.
- Using several systems together. This would allow for a company identity system to authenticate partner employees but another system to authenticate internal employees.

Table 7.1 shows the supported authentication methods.
Table 7.1 Supported Authentication Methods

Authentication Method | Description | Examples
Windows | These are standard IIS Windows authentication methods. | Basic; Anonymous; Digest; Certificates; Kerberos (Integrated Windows); NTLM (Integrated Windows)
ASP.NET forms | WSS 3.0 adds support for identity management systems by adding ASP.NET-based forms authentication. | LDAP (Lightweight Directory Access Protocol); SQL Database or other databases; Other ASP.NET-based forms
Web Single Sign-On (SSO) | Enables SSO in environments that are on disparate platforms. | ADFS (Active Directory Federation Services); Additional identity management systems
The following sections will cover a couple of the configuration options:
- Digest authentication
- Web Single Sign-On (Web SSO) using Active Directory Federation Services (ADFS)
Configure Digest Authentication

Digest authentication is similar to Basic authentication. The main difference is that Digest authentication is more secure. How does Basic authentication work? First, Windows account credentials must have been previously assigned. Then, Basic authentication allows credentials to be passed over a web browser. Basic authentication, however, lacks security because user credentials are passed over the network in plain text and over an unsecured HTTP session. You are able to increase security by using SSL encryption. Digest authentication provides increased security because user credentials are encrypted before being sent over the network. Digest uses a challenge/response protocol, which means that the authentication requestor has to correctly answer a challenge from the server. To do this, the client has to supply a correct shared secret password string. To use Digest authentication, you have to meet the following requirements:
- Users and the IIS server must be on the same domain or have a trust relationship.
- You must have a valid user account in Active Directory.
- You must have at least one Windows Server 2003 server in the domain.
- You must install the IISSuba.dll file on the domain controller. This file is automatically copied to the server when you install a Windows Server 2003 server.
- Windows Server 2003 must have SP2 installed.
- A hot fix is needed if you are using a web browser that is not Internet Explorer 6.0 or 7.0.
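The difference between the two schemes is easiest to see on the wire. The following PowerShell script is an added example, not code from the study guide or from IIS: it builds a Basic header and shows that it decodes straight back to the password, then computes a Digest response as RFC 2617 defines it (qop=auth) and verifies it the way a server would, by recomputing from the stored secret and the nonce it issued. The user name, realm, password, URI and nonces are constructed sample values, and the verification function is a generic model of the protocol rather than IIS's own implementation. It needs no server; run it in any Windows PowerShell session.

```powershell
# Added example, not code from the study guide: what Basic and Digest
# credentials look like on the wire and how a server verifies a Digest
# response (RFC 2617 with qop=auth). User name, realm, password, URI and
# nonces are constructed sample values, not values from the book.

function Get-Md5Hex {
    param([string]$Text)
    $md5   = [System.Security.Cryptography.MD5]::Create()
    $bytes = $md5.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($Text))
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

# Basic: "user:password" is only Base64-encoded, which is reversible.
function Get-BasicAuthorizationHeader {
    param([string]$User, [string]$Password)
    $raw = [System.Text.Encoding]::ASCII.GetBytes("${User}:${Password}")
    return 'Basic ' + [Convert]::ToBase64String($raw)
}

# Anyone who captures a Basic header gets the password back with one call,
# which is why the text says Basic needs SSL.
function ConvertFrom-BasicAuthorizationHeader {
    param([string]$Header)
    $encoded = $Header.Substring('Basic '.Length)
    return [System.Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($encoded))
}

# Digest: the client answers the server's nonce with a hash chain that mixes
# in the password; the password itself never crosses the network.
function Get-DigestResponse {
    param([string]$User, [string]$Realm, [string]$Password, [string]$Method,
          [string]$Uri, [string]$Nonce, [string]$NonceCount, [string]$ClientNonce)
    $ha1 = Get-Md5Hex "${User}:${Realm}:${Password}"
    $ha2 = Get-Md5Hex "${Method}:${Uri}"
    return Get-Md5Hex "${ha1}:${Nonce}:${NonceCount}:${ClientNonce}:auth:${ha2}"
}

# Server side: recompute the response from the stored password for that user
# and the nonce the server issued, then compare. A wrong password, or a
# response replayed against a fresh nonce, fails the comparison.
function Test-DigestResponse {
    param([string]$StoredPassword, [string]$User, [string]$Realm, [string]$Method,
          [string]$Uri, [string]$IssuedNonce, [string]$NonceCount,
          [string]$ClientNonce, [string]$ClaimedResponse)
    $expected = Get-DigestResponse $User $Realm $StoredPassword $Method $Uri `
                                   $IssuedNonce $NonceCount $ClientNonce
    return ($expected -eq $ClaimedResponse)
}

# --- Constructed sample exchange ---
$user = 'jdoe'; $password = 'S3cret!'; $realm = 'wss.example.com'
$uri  = '/sites/research/default.aspx'

$basic = Get-BasicAuthorizationHeader $user $password
"Basic header : $basic"
"Recovered    : $(ConvertFrom-BasicAuthorizationHeader $basic)"   # jdoe:S3cret!

$nonce1 = 'dcd98b7102dd2f0e8b11d0f600bfb0c093'   # constructed server nonce
$cnonce = '0a4f113b'                             # constructed client nonce
$response = Get-DigestResponse $user $realm $password 'GET' $uri $nonce1 '00000001' $cnonce
"Digest resp  : $response"

# The server accepts the genuine response for the nonce it issued...
Test-DigestResponse $password $user $realm 'GET' $uri $nonce1 '00000001' $cnonce $response   # True
# ...rejects a wrong password...
Test-DigestResponse 'wrong' $user $realm 'GET' $uri $nonce1 '00000001' $cnonce $response      # False
# ...and rejects the same response replayed against a new nonce.
$nonce2 = '7a3e9c1f44b0a6d2e8f1c3b5a7d9e0f1'
Test-DigestResponse $password $user $realm 'GET' $uri $nonce2 '00000001' $cnonce $response    # False
```

The three verification calls at the end show the property the requirements list above is protecting: a captured Basic header keeps working for as long as the password is valid, while a captured Digest response only answers the one nonce it was computed for. Note that the server must be able to compute HA1 from the account's secret, which is why Digest in IIS depends on the domain controller and the account configuration described above rather than on a local password file.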
Users can be configured for authentication within a zone of a web application. The zones are as follows:
- Internet: For your customers
- Intranet: For your internal users
- Default: For your remote employees
- Custom: For your administrators
- Extranet: For your partners
Both WSS and IIS must be configured to use Digest authentication. Exercise 7.5 shows how to configure Digest authentication.

Exercise 7.5
Configuring Digest Authentication
To configure Digest authentication, follow these steps:
1. Choose Start > All Programs > Administrative Tools and click SharePoint 3.0 Central Administration.
2. On the navigation bar in the upper-left side of your screen, choose Application Management.
3. In the Application Security section, choose Authentication Providers.
4. On the Authentication Providers page, make sure the application you want to configure is listed and then click it.
5. Click the zone of the web application for which you want to enable Digest authentication.
6. In the IIS Authentication section of the Edit Authentication page, clear the Integrated Windows Authentication and Basic Authentication boxes.
7. Click Save.
Now we will use the IIS management console to enable Digest authentication in IIS:
8. Choose Start > All Programs > Administrative Tools and click Internet Information Services.
9. In the Connections pane, under Sites, click the IIS site that corresponds to the web application zone for which you want to configure Digest authentication. In the Features view, in the center of the screen under IIS, double-click Authentication.
10. Highlight Digest Authentication, right-click it, and choose Enable. This enables Digest authentication with the default settings.
11. Optionally, in the Actions section, click the Edit button to enter a realm name.
12. Enter the realm that is appropriate and click OK.
13. Click OK on any remaining dialog boxes.
Configuring Web SSO Authentication by Using ADFS

Web Single Sign-On (SSO) allows users in a company different from your own to access servers hosted by you. It accomplishes this by using their existing Active Directory accounts. Web SSO relies on Active Directory Federation Services (ADFS) to create a trust relationship between two companies, which results in a one-time logon for end users. After a user is authenticated, they are given an authentication token (cookie).
The Microsoft SharePoint blog has some good information about configuring multiple authentication providers. The URL is http://blogs.msdn.com/sharepoint/archive/2006/08/16/configuring-multiple-authenticationproviders-for-sharepoint-2007.aspx.
To complete Exercise 7.6, you should have already installed the Web Agent for Claims Aware Applications, installed the hot fix for ADFS (it’s included in Windows 2003 Service Pack 2), and created a web application. The web application needs to be configured to use Windows authentication. In this exercise, you’ll configure your extranet web application so that it will use Web SSO.

Exercise 7.6
Configuring Web SSO Authentication
Web SSO authentication will be configured by performing the following steps:
1. First, extend the web application. This can be done from the Central Administration site.
2. Open the Central Administration site by choosing Start > All Programs > Administrative Tools and clicking SharePoint 3.0 Central Administration.
3. On the navigation bar, choose Application Management.
4. Click Create or Extend Web Applications and then click Extend an Existing Web Application.
5. Make sure the application is selected in the Web Application menu.
6. In the IIS Web Site section, add a host header (for example, extranet.myresearch.net).
7. Now change the zone to Extranet.
8. Give the site a host header name. This will be what you will configure DNS to resolve against.
9. Check the box to use SSL.
10. Change the port number to 443 (it is required by ADFS).
11. In the Load Balanced URL box, delete the :443 text string.
12. Finish extending the web application by clicking OK.
13. Verify that the URLs on the Alternate Access Mappings page are correct. (See Figure 7.5 earlier in this chapter.)
14. You will now need to add an SSL certificate. This certificate should be issued to the name that clients will use. You added this same name as a host header.
You will now configure the authentication provider for the extranet zone so that it uses Web SSO:
15. Under the Application Security section on the Application Management page, click Authentication Providers.
16. From the menu bar labeled Web Application, select your application from the drop-down menu.
17. You should now see two mapped zones for this application. Click the Windows link for the Extranet zone.
18. Choose Web Single Sign On in the Authentication Type section.
19. In the Membership Provider Name box, add the following: SingleSignOnMembershipProvider2. Keep this value because you will need it when you edit the web.config file.
20. Add SingleSignOnRoleProvider2 in the Role Manager box. Remember this value also for editing the web.config file.
21. Check to make sure the Enable Client Integration setting is set to No.
22. Click Save.
Now the application has been configured to use Web SSO. However, permissions still need to be assigned to the users so they can access this site. To find out how to configure user permissions for extranet websites, please review the documentation found at the following URL: http://technet.microsoft.com/en-us/windowsserver/sharepoint/default.aspx.
Summary

Proper configuration of email, logging, alerts, and workflow settings is vital to a productive WSS installation. Taking the time to configure these settings, as well as antivirus settings, will ensure that all WSS sites are running at peak performance. When you’re finished with the configuration of these settings, run the Best Practices Analyzer tool. In this chapter, you saw how powerful an application WSS can become when you create and extend web applications. Never overlook the value of quota templates to ensure that site collections do not grow out of control. This chapter also stressed the importance of a properly planned and executed upgrade from WSS 2.0 to 3.0. As you plan a WSS 3.0 installation, time should be devoted to how users will be authenticated. WSS 3.0 supports several security scenarios, such as standard Windows authentication, simple database, using a company identity management system, and Web Single Sign On.
Exam Essentials

Understand how to perform an upgrade. It is important for you to be familiar with the recommended upgrade procedures. Knowing what the prerequisites are will prove valuable.

Know authentication types. Review all forms of authentication and the differences between Basic, Digest, NTLM, and ADFS. It’s important to know when and why to use each type.

Understand logging. Know where you would look to find event logs for WSS events. Review what information is collected and how to set up trace logging.

Configure incoming and outgoing email. Review and understand how to configure both incoming and outgoing email settings. Understand how a WSS 3.0 site can benefit from using these features.
Review Questions

1. Where can you configure email, workflow, and logging settings?
   A. SharePoint Community Portal
   B. SharePoint Central Administration site
   C. Site actions
   D. Team site

2. The term safe email servers refers to what?
   A. Email servers that are configured properly
   B. Email servers that are not on the DNS blacklist
   C. Servers you deem safe to receive emails from
   D. Servers that are on the same Active Directory domain

3. For users to be able to configure email alerts, they must have at least what level of permissions?
   A. Site administrator
   B. Read and Write
   C. Full
   D. View

4. What service must be installed before you can send out emails and alerts from your WSS server?
   A. DNS
   B. SMTP
   C. Active Directory
   D. SNMB

5. What are some of the errors that diagnostic logging will record? (Choose all that apply.)
   A. Product ID
   B. IP address of server
   C. Software version
   D. Condition of your server at time of error

6. What categories are defined in WSS event throttling? (Choose all that apply.)
   A. Features
   B. By product
   C. Workstations
   D. Active Directory users

7. When choosing the level of event to log, what should you keep in mind?
   A. WSS will record events that are greater than or equal to the selected event.
   B. How many users will be accessing your WSS site?
   C. How much free space is left on your WSS server hard drives?
   D. WSS will record events that are equal to or less than the selected event.

8. What options do you have when using trace logs? (Choose all that apply.)
   A. High
   B. Medium
   C. Unnecessary
   D. None

9. On a properly configured WSS server using an anti-virus solution, when would you allow users to download infected documents?
   A. When users complain that they need the document for a project deadline.
   B. Always, because most all of the warnings in a WSS site are considered false positives.
   C. Only when you have a specific reason such as troubleshooting a virus on your system.
   D. Only when you have an antivirus solution on the end users’ computers.

10. When should you use the Best Practices Analyzer tool?
   A. When you need to check for common problems and determine if your installation is configured with the best security practices
   B. Only when you have an issue with a web application
   C. Only when you want to use this tool in a server farm network
   D. Only when you are using Exchange servers

11. What does alternate access mapping allow you to do?
   A. Create a specific web zone.
   B. Control how large your site collections become.
   C. Add different UNC paths.
   D. Assign different URLs to the same site.

12. What are the prerequisites for upgrading from WSS 2.0? (Choose all that apply.)
   A. Microsoft .NET Framework 3.0.
   B. Service Pack 2 for SharePoint Services 2.0.
   C. 100GB of free space for the upgraded database.
   D. Nothing; you cannot upgrade SharePoint services 2.0 to WSS 3.0.

13. Before performing an upgrade from a 2.0 WSS site to 3.0, what type of backup should be performed?
   A. Full
   B. Not needed because it is performed during upgrade.
   C. Partial
   D. Differential

14. When must you rebuild your Web Parts before you perform an upgrade?
   A. When the web parts were created with ASP.NET 1.1.
   B. It is not required to rebuild Web Parts because the upgrade will rebuild the application.
   C. When the Web Parts were created with ASP.NET 2.0.
   D. Only when the Web Parts contain workflow settings.

15. True/False: Quota templates are used to manage a site’s template library.
   A. True
   B. False

16. When you create a new site collection you are also creating a top-level ___________________ .
   A. Application
   B. Library
   C. Website
   D. Extranet site

17. What items can you configure access for within a site collection? (Choose all that apply.)
   A. Library
   B. Folder
   C. Item
   D. Document

18. The majority of the configuration of user access is configured within ___________________ .
   A. Central Administration site
   B. Site collection
   C. Active Directory
   D. User groups

19. It is good practice, when giving users access, to assign access by ___________________ .
   A. Individual users
   B. NTFS
   C. Groups
   D. NDS

20. While WSS allows for Basic authentication, why is it not recommended?
   A. Lacks security.
   B. IIS does not support it.
   C. Will not authenticate with Active Directory users.
   D. It is only for NDS networks.
Answers to Review Questions

1. B. Email, workflow, and logging are configured from the WSS 3.0 Central Administration site.
2. C. When you configure incoming email settings, you enter the DNS names or IP addresses of servers from which you can safely receive incoming email.
3. D. Users must have at least View permissions to configure alerts.
4. B. Before you can enable outgoing email, you must install the SMTP service. The SMTP service is a component of IIS and must be running on at least one server in your farm.
5. A, B, C, D. All of the items listed are logged into an error report or system log when diagnostic logging is configured properly.
6. A, B. Categories are defined by services or common events. Workstations and Active Directory users are not events or services. However, defining by features or by products is supported.
7. A. You always want to choose the least-critical event to monitor because WSS will record only events that are greater than or equal to the selected event.
8. A, B, D. Your options when using trace logs include None, Unexpected, Monitorable, High, Medium, and Verbose.
9. C. You should enable the feature to download infected documents only when you are troubleshooting a virus or if you have a specific reason. By default, you want to disable this feature.
10. A. This tool can be used for troubleshooting common problems and to determine if you have the best security configuration. It can also be used to optimize your configuration.
11. D. Alternate access mapping allows you to give different URLs to the same site.
12. A, B. Before you can upgrade to WSS 3.0, you have to install .NET 3.0, enable ASP.NET 2.0, and install Service Pack 2 for SharePoint Services 2.0, and your application and web server must be on Service Pack 1 of Windows 2003.
13. A. To ensure that you can recover your current installation of SharePoint Services, you always want to have a current full backup of your SQL database.
14. A. If any custom Web Part was created with ASP.NET 1.1, you must first rebuild the part with ASP.NET 2.0 and then perform an upgrade.
15. B. Quota templates are used to add storage limits on your site collections.
16. C. A top-level website is also created when you create a new site collection.
17. A, B, C, D. Within a site collection you have the ability to configure access to libraries, folders, items, and documents.
18. B. User access is configured within the site collections.
19. C. When you plan for and give access to users for site collections, it is best practice to create groups and assign groups access.
20. A. WSS will support Basic authentication but lacks security because it passes the user’s information over the network in clear text.
Chapter 8
Using Virtualization In Windows Server 2008

Microsoft Exam Objectives covered in this chapter:
- Configure Windows Server Hyper-V and virtual machines. May include but is not limited to: virtual networking, virtualization hardware requirements, Virtual Hard Disks, migrate from physical to virtual, VM additions, backup, optimization, server core
Hyper-V is a new server role in Windows Server 2008 that allows you to virtualize your environment and therefore run multiple virtual operating system instances on a physical server simultaneously. This not only helps you improve server utilization, it helps you create a more cost-effective and dynamic system. In this chapter, you will learn the basic concepts and features of Hyper-V that a Windows Server 2008 technical specialist must know. You will also get a solid understanding of what is important in virtualization and in what areas of your work life you can use it. As this chapter is being written, Hyper-V is not yet final. All testing, pictures, and screenshots in this chapter have been made with the Hyper-V Release Candidate 0 version.
This chapter will cover the following topics:
- Hyper-V overview
- Hyper-V installation and configuration
- Configure virtual machines

Hyper-V Overview

In the following sections, we’ll introduce you to Hyper-V. To begin, we’ll take a look at virtualization and what types of virtualization exist. We will then discuss Hyper-V features and the Hyper-V architecture before finishing up with the Hyper-V requirements for software and hardware.
What Is Virtualization?

Virtualization is a method for abstracting physical resources from the way they interact with other resources. For example, if you abstract the physical hardware from the operating system, you get the benefit of being able to move the operating system between different physical systems. This is called server virtualization. But there are also other forms of virtualization available, such as presentation virtualization, desktop virtualization, and application virtualization. We will now briefly explain the differences between these forms of virtualization:

Server virtualization: This basically enables multiple servers to run on the same physical server. Hyper-V is a server virtualization tool that allows you to move physical machines to virtual machines and manage them on a few physical servers. Thus, you will be able to consolidate physical servers.

Presentation virtualization: When you use presentation virtualization, your applications run on a different computer and only the screen information is transferred to your computer. An example of presentation virtualization is Microsoft Terminal Services in Windows Server 2008.

Desktop virtualization: This provides you with a virtual machine on your desktop, comparable to server virtualization. You run your complete operating system and applications in a virtual machine, so your local physical machine just needs to run a very basic operating system. An example of this form of virtualization is Microsoft Virtual PC.

Application virtualization: Application virtualization helps to prevent conflicts between applications on the same PC. It isolates the application’s running environment from the operating system installation requirements by creating application-specific copies of all shared resources, and so helps reduce application-to-application incompatibility and testing needs. An example of an application virtualization tool is Microsoft SoftGrid Application Virtualization.
Hyper-V Features

As a lead-in to the virtualization topic and Hyper-V, we will start with a list of key features, followed by a list of supported guest operating systems. This should provide you with a quick high-level view of this feature before we dig deeper into the technology.

Key Features of Hyper-V

The following list provides the key features of Hyper-V:

New architecture: The hypervisor-based architecture, which has a 64-bit microkernel, provides a new array of device support as well as performance and security improvements.

Operating system support: 32-bit and 64-bit operating systems can run simultaneously in Hyper-V. Different platforms such as Windows, Linux, and others are also supported.

Support for Symmetric Multiprocessors (SMP): Support for up to four processors in a virtual machine environment provides you with the ability to run applications as well as multiple virtual machines faster.

Network load balancing: Hyper-V provides support for Windows Network Load Balancing (NLB) to balance the network load across virtual machines on different servers.
New hardware architecture: Hyper-V’s new architecture provides improved utilization of resources like networking and disks.

Quick migration: Hyper-V’s quick migration feature provides you with the functionality to run virtual machines in a clustered environment with switch-over capabilities when there is a failure. Thus you can reduce downtime and achieve higher availability of your virtual machines.

Virtual machine snapshot: You can take snapshots of running virtual machines, which provides you with the capability to easily recover to any previous virtual machine snapshot state quickly.

Scripting: Using the Windows Management Instrumentation (WMI) interfaces and APIs, you can easily build custom scripts to automate processes in your virtual machines.
Supported Guest Operating Systems

The following guest operating systems have been successfully tested on Hyper-V and are hypervisor aware:
- Windows Server 2008 x86 (VM configured as 1-, 2-, or 4-way SMP)
- Windows Server 2008 x64 (VM configured as 1-, 2-, or 4-way SMP)
- Windows Server 2003 x86 (VMs configured as 1- or 2-way SMP only)
- Windows Server 2003 x64 (VMs configured as 1-way only)
- Windows Vista x86 with Service Pack 1 (VMs configured as 1-way only)
- Windows XP x86 with Service Pack 3 (VMs configured as 1-way only)
- SUSE Linux Enterprise Server 10 with Service Pack 1 x86 Edition
- SUSE Linux Enterprise Server 10 with Service Pack 1 x64 Edition
The list of supported guest operating systems might be extended once Hyper-V is released. Please check the official Microsoft Hyper-V site to get an accurate list of supported operating systems: www.microsoft.com/virtualization.
Hyper-V Architecture This section will provide you with an overview of the Hyper-V architecture (see Figure 8.1). We’ll explain the differences between a hypervisor-aware and non-hypervisor-aware child partition.
Figure 8.1 Hyper-V architecture (diagram; the text recovered from it follows). Parent partition: Windows Server 2008 running the virtualization stack (WMI provider, VM service, VM worker process) in user mode and the Windows kernel with the VSP in kernel mode. Child partitions: applications on a hypervisor-aware OS (e.g., Windows Server 2003, 2008) with integration components; applications on a Xen-enabled Linux kernel with Linux integration components; applications on a non-hypervisor-aware OS, which relies on emulation. All partitions communicate over the VMBus, which sits on the Hyper-V hypervisor, which in turn runs on the hardware.
As you can see, Hyper-V is based on the new microkernel architecture. Hyper-V provides a virtualization layer called a hypervisor that runs directly on the system hardware. You can see that the hypervisor is similar to what the kernel is to Windows. It is a software layer responsible for the interaction with the core hardware and works in conjunction with an optimized instance of Windows Server 2008 that allows running multiple operating systems on a physical server simultaneously. The Hyper-V architecture consists of the hypervisor and parent and child partitions. The Windows Server 2008 operating system runs in the parent partition and provides the WMI provider for scripting as well as the VM service. Each virtual machine runs in its own child partition. Child partitions do not have direct access to hardware resources; instead, they have a virtual view of the resources, which are called virtual devices. If you’re running a hypervisor-aware operating system like Windows Server 2003 or Windows Server 2008 in your virtual machine, any request to the virtual devices is redirected via the high-speed VMBus to the devices in the parent partition, which will manage the requests. By default, only Windows Server 2008 is a hypervisor-aware operating system. Once you install the Hyper-V integration components on an operating system other than Windows Server 2008, it becomes hypervisor aware. Microsoft provides a hypervisor adapter to make Linux hypervisor aware. Non-hypervisor-aware operating systems (e.g., Windows NT 4.0) use an emulator to communicate with the Windows hypervisor, which is slower than using the VMBus.
Hyper-V Requirements The following sections will describe the hardware and software requirements for installing the Hyper-V server role. It is important to understand these requirements for your software license as well as for planning for server hardware. When you understand the requirements, you can design and configure a Hyper-V solution that will meet the needs of your applications.
Hardware Requirements

In addition to the basic hardware requirements for Windows Server 2008, there are requirements that are needed to run the Hyper-V server role on your Windows server. They are listed in Table 8.1.

Table 8.1 Hardware Requirements for Hyper-V

CPU
  An x64-based processor (Intel or AMD). Remember that Hyper-V does not support Itanium (IA-64) processors.
  Hardware Data Execution Protection (DEP) must be available and enabled. Specifically, you must enable the Intel XD bit (execute disable bit) or the AMD NX bit (no execute bit).
  Hardware-assisted virtualization. This is available in processors that include a virtualization option, specifically Intel VT and AMD Virtualization (AMD-V).

Memory
  512MB minimum for the operating system.
  Additional memory is required for each virtual machine, depending on the operating system you want to run.

Hard disk
  8GB for the operating system.
  Additional space is required for each virtual machine, depending on the operating system you want to run.
The Add Roles Wizard in Server Manager additionally verifies the hardware requirements. A good starting point is to check your hardware against the Microsoft hardware list to make sure your hardware is supported by Windows Server 2008. If you try to install the Hyper-V server role on a computer that does not meet the CPU requirements, you get a warning window that looks like Figure 8.2.

Figure 8.2 Warning window that Hyper-V cannot be installed
Verifying Hyper-V’s CPU requirements is not that easy, especially if you don’t know exactly where to look. We found a freeware tool called Securable that you can use to check your CPU to make sure it meets Hyper-V’s requirements. You can download it from the following page: http://www.grc.com/securable.htm.
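Part of the Table 8.1 checklist can also be read from WMI before you run the Add Roles Wizard. The following PowerShell script is an added example, not code from the study guide: it reports the processor's address width (x64), whether hardware DEP is available and which DEP policy is in force, and, where the operating system exposes them, the processor's virtualization-extension flags. Assumption to note: the `VirtualizationFirmwareEnabled` and `VMMonitorModeExtensions` properties of `Win32_Processor` were added to Windows in later releases and are empty on Windows Server 2008, so on a 2008 host the script can confirm x64 and DEP but you still need the BIOS or the Securable tool mentioned above for the Intel VT / AMD-V check.

```powershell
# Added example, not from the study guide: a WMI check of the Hyper-V CPU
# requirements from Table 8.1 (x64 processor, hardware DEP available and
# enabled, hardware-assisted virtualization). Run in PowerShell on the
# candidate host.
# Assumption: VirtualizationFirmwareEnabled and VMMonitorModeExtensions on
# Win32_Processor exist only on newer Windows releases; on Windows Server 2008
# they come back empty and the VT/AMD-V check must be done in the BIOS or with
# a tool such as Securable.

function Test-HyperVCpuRequirements {
    $cpu = Get-WmiObject -Class Win32_Processor | Select-Object -First 1
    $os  = Get-WmiObject -Class Win32_OperatingSystem

    $result = @{}
    $result['Processor']    = $cpu.Name
    # 64-bit address width is what Hyper-V needs; Itanium is excluded separately by Windows.
    $result['Is64Bit']      = ($cpu.AddressWidth -eq 64)
    $result['DepAvailable'] = [bool]$os.DataExecutionPrevention_Available
    # DEP support policy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut.
    # Anything other than AlwaysOff means the XD/NX bit is in use.
    $result['DepPolicy']    = $os.DataExecutionPrevention_SupportPolicy
    $result['DepEnabled']   = ($os.DataExecutionPrevention_SupportPolicy -ne 0)
    # Empty ($null) on Windows Server 2008; $true/$false on later releases.
    $result['VtFirmware']   = $cpu.VirtualizationFirmwareEnabled
    $result['VtExtensions'] = $cpu.VMMonitorModeExtensions

    $vtConfirmed = ($result['VtFirmware'] -eq $true) -and ($result['VtExtensions'] -eq $true)
    $result['MeetsCpuReqs'] = $result['Is64Bit'] -and $result['DepAvailable'] -and $result['DepEnabled'] -and $vtConfirmed
    return $result
}

$check = Test-HyperVCpuRequirements
$check.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

if (-not $check['MeetsCpuReqs']) {
    if ($check['VtFirmware'] -eq $null) {
        'x64/DEP checked; this Windows release does not report VT/AMD-V, verify it in the BIOS or with Securable.'
    } else {
        'This host does not meet the Hyper-V CPU requirements; see the table above.'
    }
}
```

The DEP policy value is worth reading even when the availability flag is true: a host whose firmware supports the XD/NX bit but whose DEP policy is AlwaysOff still fails the "available and enabled" requirement in Table 8.1, and the Add Roles Wizard will refuse the role.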
Software Requirements

To use virtualization in Windows Server 2008, you need to consider the basic software requirements for Hyper-V. Hyper-V runs only on the following editions of the Windows Server 2008 operating system:
- Windows Server 2008 Standard (x64 based)
- Windows Server 2008 Enterprise (x64 based)
- Windows Server 2008 Datacenter (x64 based)
It’s important to understand for your exam that Windows Server 2008 Web edition, any Windows Server 2008 x86-based editions, and Windows Server 2008 editions without Hyper-V do not support the Hyper-V server role. Also, Hyper-V is not available on the Windows Server 2008 for Itanium-Based Systems edition.
For the exam, you should know what Windows Server 2008 editions will support Hyper-V. Also remember that Hyper-V can be installed on Full and Server Core installation options.
Hyper-V Installation and Configuration

The following sections explain how to install the Hyper-V role using Server Manager in Windows Server 2008 full installation mode or the command line in Windows Server 2008 Server Core. We will then take a look at Hyper-V as part of Server Manager before discussing how to use the Hyper-V Manager. Finally, we will look at the Hyper-V server settings and then cover two important areas for Hyper-V: virtual networks and virtual hard disks.
Install Hyper-V Role

Now it’s time to see how to install the Hyper-V server role on the two installation options of Windows Server 2008, namely Full and Server Core.
Installing Hyper-V on Full Installation Mode

You can install the Hyper-V server role on any Windows Server 2008 installation for which the Full option was chosen. In addition, the server must meet both the hardware and software requirements. The installation process is simple, as Exercise 8.1 shows.

Exercise 8.1
Installing Hyper-V on Full Installation Mode
Complete the following steps to install Hyper-V on Windows Server 2008:
1. Click Start > Administrative Tools > Server Manager.
2. In Server Manager, click Roles > Add Roles.
3. On the Select Server Roles page, check Hyper-V and click Next.
4. On the Hyper-V page, click Next.
5. On the Create Virtual Networks page, leave Local Area Connection unchecked, and click Next.
6. On the Confirm Installation Selections page, review the selection and then click Install.
7. After the installation is finished, click the Close button.
8. Now the Add Roles Wizard will pop up and ask you to restart the system. Click Yes to perform a restart.
9. After the system restarts and you log in again, the Resume Configuration Wizard appears and finishes the installation. Once the Installation Results page appears, click Close.
Install Hyper-V on Server Core

New to Windows Server 2008 is the Server Core installation option, which creates an operating system installation without a GUI shell. You can either manage the server remotely from another system or use the Server Core command-line interface. This installation option provides the following benefits:
- Reduces attack surface (because fewer applications are running on the server)
- Reduces maintenance and management (because only the required options are installed)
- Requires less disk space and produces less processor utilization
- Provides a minimal parent partition
- Reduces system resources required by the operating system as well as the attack surface
Using Hyper-V on a Server Core installation, you can fundamentally improve availability because the attack surface is reduced and downtime due to patches is optimized. It will thus be more secure and reliable with less management. To install Hyper-V on your Windows installation, you must execute the following command in the command-line interface:

start /w ocsetup Microsoft-Hyper-V
Because the OCSETUP command is case sensitive, make sure you write Microsoft-Hyper-V exactly as shown. Otherwise you will get an error message and Hyper-V won’t be added as a server role.
Hyper-V in Server Manager

As with all the other Windows Server 2008 roles, the Hyper-V role neatly integrates into Server Manager. Server Manager filters the information just for the specific role and thus displays only the required information. As you can see in Figure 8.3, the Hyper-V Summary page shows related event log entries, the state of the system services for Hyper-V, and useful resources and support.

Figure 8.3 Hyper-V in Server Manager
61705c08.indd 323
6/27/08 4:34:15 PM
324
Chapter 8 Using Virtualization In Windows Server 2008 n
Using Hyper-V Manager Hyper-V Manager is the central management console to configure your server and create and manage your virtual machines, virtual networks, and virtual hard disks. Unlike Virtual Server 2005, where you managed all virtual machines through a web interface, Hyper-V Manager is managed through a Microsoft Management Console (MMC) snap-in. You can access it either in Server Manager or by using Start Administrative Tools Hyper-V Manager. Figure 8.4 shows how Hyper-V Manager looks once you start it. Fi g u r e 8 . 4 Hyper-V Manager
Hyper-V Manager is available for the following operating systems:

- Windows Server 2008
- Windows Vista with Service Pack 1 (SP1)

Hyper-V Manager is installed on a Windows Server 2008 machine only when you install Hyper-V on it. On Windows Vista, you will need to install the Hyper-V Manager MMC for Vista SP1 to manage Hyper-V from your Vista client. Hyper-V Manager can be installed only on the following versions of Windows Vista:

- Business
- Enterprise
- Ultimate

To download Vista Hyper-V Manager, use the following URLs:

- For Windows Vista x64: www.microsoft.com/downloads/details.aspx?FamilyId=450931F5-EBEC-4C0B-95BD-E3BA19D296B1&displaylang=en
- For Windows Vista x86: www.microsoft.com/downloads/details.aspx?FamilyId=BC3D09CC-3752-4934-B84C-905E78BE50A1&displaylang=en

It's important to understand that there will be no version of Hyper-V Manager for Windows XP or Windows Server 2003. Thus, you might need to use a remote control solution like Remote Desktop Connection to a computer that can run Hyper-V Manager in order to manage Hyper-V from your desktop.

You can use Hyper-V Manager to connect remotely to any Full or Server Core installation. Besides Hyper-V Manager, you can script Hyper-V through its WMI interface.
Configure Hyper-V Settings

In this section, you will get an overview of the available Hyper-V settings for the server. Here you configure all server-side default settings, such as the default locations of your configuration files or the release key. You can open the Hyper-V Settings page (Figure 8.5) in Hyper-V Manager by clicking Hyper-V Settings in the Actions pane.

Figure 8.5 Hyper-V settings

The Hyper-V Settings page includes the following settings:

Virtual Hard Disks: Specifies the default location of your virtual hard disk files (.vhd).
Virtual Machines: Specifies the default location of your virtual machine configuration files. It includes the virtual machine XML configuration files (in the Virtual Machines folder) as well as related snapshots (in the Snapshot folder).
Keyboard: Defines how Windows key combinations are used. Options are Physical Computer, Virtual Machine, and Virtual Machine only when running full screen.
Release Key: Specifies the key combination to release the mouse from your virtual machine. Options are Ctrl+Alt+left arrow, Ctrl+Alt+right arrow, Ctrl+Alt+space, and Ctrl+Alt+Shift.
User Credentials: Specifies whether you want to use your default credentials to connect to a running virtual machine.
Delete Saved Credentials: Deletes any saved credentials stored on this computer.
Reset Check Boxes: Resets any check boxes that hide pages and messages when checked. This brings back any window on which you checked the Do Not Show This Window Again check box.
Manage Virtual Networks

A virtual network provides the virtual links between nodes in either a virtual or a physical network. Virtual networking in Hyper-V is secure and dynamic because you can define virtual network switches granularly for their required usage. For example, you can define a private or internal virtual network if you don't want to allow your virtual machines to send packets to the physical network. In order to allow your virtual machines to communicate with each other, you need virtual networks. Virtual networks exist only on the host computer; like physical networks, they let you configure how virtual machines communicate with each other, with the host, and with the network or Internet. You manage virtual networks in Hyper-V using Virtual Network Manager, shown in Figure 8.6. Using Virtual Network Manager, you can create, manage, and delete virtual networks, sometimes also called virtual switches. You can define the network type as external, internal only, or private:

External: Any virtual machine connected to this virtual switch can access the physical network. You would use this option if you want to allow your virtual machines to access, for example, other servers on the network or the Internet. This option is used in production environments where your clients connect directly to the virtual machines.
Internal Only: This option allows virtual machines to communicate with each other as well as with the host system, but not with the physical network. When you create an internal network, it also creates a local area connection in Network Connections that allows the host machine to communicate with the virtual machines. You can use this if you want to separate your host's network from your virtual networks.
Private virtual machine network: When you use this option, virtual machines can communicate with each other but not with the host system or the physical network, so no network packets hit the wire. You can use this to define internal virtual networks for test environments or labs, for example.

Figure 8.6 Virtual Network Manager

It is of the utmost importance that you understand the different virtual network types because it is highly likely that there will be a question about them on the exam.

On external and internal only virtual networks, you can also enable virtual LAN (VLAN) identification. You can use VLANs to partition your network into multiple subnets using a VLAN ID. When you enable virtual LAN identification, the NIC connected to the switch never sees packets tagged with VLAN IDs. Instead, all packets traveling from the NIC to the switch are tagged with the access mode VLAN ID as they leave the switch port, and all packets traveling from the switch port to the NIC have their VLAN tags removed. If you already segment your physical machines logically with VLANs, you can apply the same segmentation to your virtual ones. Exercise 8.2 explains how to create an internal only virtual network switch.
Exercise 8.2

Creating an Internal Virtual Network

Follow these steps to create an internal virtual network so you can communicate between the virtual machine and the host computer:

1. Click Start > Administrative Tools > Hyper-V Manager.
2. In Hyper-V Manager, in the Actions pane, click Virtual Network Manager.
3. On the Create Virtual Network page, select Internal and click the Add button.
4. On the New Virtual Network page, enter Internal Virtual Network in the Name field.
5. Click OK.

When you create the internal virtual network, a network device is created in Network Connections, as shown in Figure 8.7.

Figure 8.7 Virtual network card

This is also the case when you create an external virtual network, because doing so replaces the physical network card of the host machine with a virtual network card for the parent partition that is also used by the child partitions. Unlike Virtual Server 2005, Hyper-V binds the virtual network service to a physical network adapter only when an external virtual network is created. The benefit is better performance if you do not use the external virtual network option. The downside, however, is that there will be a network disruption when you create or delete an external virtual network.
Communication between the virtual machine and the local host computer is not configured automatically. Once you install a virtual machine, you need to make sure its TCP/IP settings match the settings you define on the virtual network card. Start with a ping from your host machine to the virtual machine to verify that communication is working.

Managing Virtual Hard Disks

In addition to virtual networks, you also need to manage the virtual hard disks that you attach to your virtual machines. A virtual hard disk in Hyper-V, apart from a pass-through disk, is a VHD file that simulates a hard drive for your virtual machine. The following sections first show you what types of virtual hard disks are available and then show you how to create them. You will also learn what options are available to manage virtual hard disks.
Types of Hard Disks

Depending on how you want to use the disk, Hyper-V offers various types, as described in Table 8.2.

Table 8.2 Virtual Hard Disks in Hyper-V

Dynamically expanding
  Description: This disk starts with a small VHD file and expands it on demand once an installation takes place. It can grow to the maximum size you defined during creation. You can use this type of disk to clone a local hard drive during creation.
  When to use it: This option is effective when you don't know the exact space needed on the disk and when you want to preserve hard disk space on the host machine. Unfortunately, it is the slowest disk type.

Fixed size
  Description: The size of the VHD file is fixed to the size specified when the disk is created. This option is faster than a dynamically expanding disk. However, a fixed size disk uses up the maximum defined space immediately. This type is ideal for cloning a local hard drive.
  When to use it: A fixed size disk provides faster access than dynamically expanding or differencing disks but is slower than a physical disk.

Differencing
  Description: This type of disk is associated in a parent-child relationship with another disk. The differencing disk is the child and the associated virtual disk is the parent. Differencing disks include only the differences from the parent disk. By using this type, you can save a lot of disk space across similar virtual machines. This option is suitable if you have multiple virtual machines with similar operating systems.
  When to use it: Differencing disks are most commonly found in test environments and should not be used in production environments.

Physical (or pass-through) disk
  Description: The virtual machine receives direct pass-through access to the physical disk for exclusive use. This type provides the highest performance of all disk types and thus should be used for production servers where performance is the top priority. The drive is not available to other guest systems.
  When to use it: This type is used in high-end datacenters to provide optimum performance for VMs. It is also used in failover cluster environments.
You should make sure you understand the different virtual hard disk types by heart because there are often questions about them!
Creating Virtual Hard Disks To help you gain practice in creating virtual hard disks, the following three exercises will teach you how to create a differencing hard disk, how to clone an existing disk by creating a new disk, and how to configure a physical or pass-through disk to your virtual machine. First, in Exercise 8.3, you will learn how to create a differencing virtual hard disk.
Exercise 8.3

Creating a Differencing Hard Disk

Follow these steps to create a differencing disk:

1. Click Start > Administrative Tools > Hyper-V Manager.
2. In Hyper-V Manager, in the Actions pane, click New Hard Disk.
3. In the New Virtual Hard Disk Wizard, click Next on the Before You Begin page.
4. On the Choose Disk Type page, select Differencing and click Next.
5. On the Specify Name and Location page, enter the name of the new child disk (for example, child-disk.vhd). You can also modify the default location of the new VHD file if you want. Click Next to continue.
6. On the Configure Disk page, specify the parent VHD file. This will be the basis for your differencing disk. For example, a complete installation of Windows Server 2008 is a good parent. Click Next to continue.
7. On the Completing the New Virtual Hard Disk Wizard page, verify that all settings are correct and click Finish to create the hard disk.
Exercise 8.4 will show you how to create a fixed disk based on a local hard drive. Remember that only fixed size or dynamically expanding disks can be used to clone a local hard drive during creation.

Exercise 8.4

Creating a Fixed Size Disk and Cloning a Local Drive

Follow these steps to create a fixed hard disk and migrate a physical disk to it:

1. Click Start > Administrative Tools > Hyper-V Manager.
2. In Hyper-V Manager, in the Actions pane, click New Hard Disk.
3. In the New Virtual Hard Disk Wizard, click Next on the Before You Begin page.
4. On the Choose Disk Type page, select Fixed Size and click Next.
5. On the Specify Name and Location page, enter the name of the new virtual hard disk (for example, clone.vhd). You can also modify the default location of the new VHD file if you want. Click Next to continue.
6. On the Configure Disk page, you can decide whether to create a blank virtual hard disk of a specified size or to copy the contents of a physical hard disk to the virtual disk. For this exercise, select Copy the Contents of the Specified Physical Disk and select the physical drive to copy to the virtual disk. Then click Next to continue.
7. On the Completing the New Virtual Hard Disk Wizard page, verify that all settings are correct and click Finish to create the virtual hard disk and start the copy process.
Because the process of copying a physical drive to a virtual disk is just a normal copy process, you should allow enough time for it to complete. The time varies depending on the size of your physical disk.

The process of adding a physical or pass-through disk to a virtual machine is quite different. For this, you first need to create the virtual machine, and then you open the virtual machine's Settings to configure the physical disk. If you have not yet created a virtual machine in Hyper-V Manager, complete Exercise 8.6 to create one and then come back to this section. If you want to add a physical disk to a virtual machine, the physical disk must be set to Offline in Disk Management, as shown in Figure 8.8.

Figure 8.8 Setting a disk offline in Disk Management

To access Disk Management, click the Start button, right-click Computer, select Manage, and then expand Storage in the left pane and click Disk Management. You cannot share a physical disk among multiple virtual machines or with the host system.

Now we will continue our tour of virtual disks by adding a physical or pass-through disk to a virtual machine.
Exercise 8.5

Adding a Pass-Through Disk to a Virtual Machine

To add a physical or pass-through disk to your virtual machine, follow these steps:

1. Click Start > Administrative Tools > Hyper-V Manager.
2. In Hyper-V Manager, in the Virtual Machines pane, right-click the virtual machine you want to add a physical drive to and then click Settings. Remember, the virtual machine state must be Off to configure hard drive settings.
3. In the Settings window, in the Hardware pane, click IDE Controller 0.
4. In the IDE Controller pane, select Hard Drive and click the Add button.
5. In the Hard Drive pane, select Physical Hard Disk and select the appropriate disk drive in the drop-down list.
6. Click OK.
Physical or pass-through disks might not be that important if you use virtualization for test environments, but they become crucial when you plan for highly available virtual datacenters. This is especially true if you consider using failover clusters to provide the Quick Migration feature; in that case you should consider mapping one logical unit number (LUN) from your enterprise storage system or storage area network (SAN) to one physical disk. This provides the optimum performance you need in such an environment.

Managing Virtual Hard Disks

Hyper-V also provides two tools to manage virtual hard disks: Inspect Disk and Edit Disk. These tools are available in the Actions pane in Hyper-V Manager:

Inspect Disk: Provides information about the virtual disk. It shows you not only the type of the disk but also information such as the maximum size for dynamically expanding disks and the parent VHD for differencing disks.
Edit Disk: Opens the Edit Virtual Hard Disk Wizard, which you can use to compact, convert, expand, merge, and reconnect hard disks. Figure 8.9 shows the wizard's options when you select a dynamically expanding disk.

Figure 8.9 The Edit Virtual Hard Disk Wizard

Table 8.3 provides an overview of what you can do with the wizard.
Table 8.3 Edit Disk Overview

Compact: Reduces the size of a dynamically expanding or differencing disk by removing blank space left by deleted files.
Convert: Converts a dynamically expanding disk to a fixed disk or vice versa.
Expand: Increases the storage capacity of a dynamically expanding disk or a fixed virtual hard disk.
Merge: Merges the changes from a differencing disk into either the parent disk or another disk (applies to differencing disks only!).
Reconnect: If a differencing disk can no longer find its parent disk, this option reconnects the parent to the disk.
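The disk type, size, and parent path that Inspect Disk reports are stored in the VHD file itself: a 512-byte footer at the end of the file and, for dynamically expanding and differencing disks, a dynamic disk header that the footer points to. The following PowerShell script is an added example, not from the book or from Hyper-V; it reads those structures directly using the offsets from Microsoft's published VHD format specification and assumes Windows PowerShell 2.0 or later, while the function names, the sample path, and the checksum verification are this example's own.

```powershell
# Added example, not from the book: a read-only equivalent of Inspect Disk that
# parses a VHD file's 512-byte footer and, for dynamic or differencing disks,
# the dynamic disk header. Offsets follow Microsoft's published VHD format
# specification; every multi-byte integer in a VHD is big-endian.

function Read-BigEndian {
    param([byte[]]$Buffer, [int]$Offset, [int]$Length)
    $slice = [byte[]]$Buffer[$Offset..($Offset + $Length - 1)]
    [array]::Reverse($slice)            # host CPUs are little-endian
    if ($Length -eq 4) { return [BitConverter]::ToUInt32($slice, 0) }
    return [BitConverter]::ToUInt64($slice, 0)
}

function Get-VhdChecksum {
    # One's complement of the sum of all bytes, skipping the 4-byte checksum field itself.
    param([byte[]]$Buffer, [int]$ChecksumOffset)
    $sum = 0
    for ($i = 0; $i -lt $Buffer.Length; $i++) {
        if ($i -ge $ChecksumOffset -and $i -lt $ChecksumOffset + 4) { continue }
        $sum += $Buffer[$i]
    }
    return [uint32]::MaxValue - $sum     # same as bitwise NOT for a 32-bit value
}

function Get-VhdInfo {
    param([Parameter(Mandatory=$true)][string]$Path)
    $typeNames = @{ 2 = 'Fixed size'; 3 = 'Dynamically expanding'; 4 = 'Differencing' }
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $footer = New-Object byte[] 512
        [void]$stream.Seek(-512, [System.IO.SeekOrigin]::End)
        [void]$stream.Read($footer, 0, 512)
        if ([System.Text.Encoding]::ASCII.GetString($footer, 0, 8) -ne 'conectix') {
            throw "$Path does not end with a VHD footer"
        }
        $rawType = [int](Read-BigEndian $footer 60 4)
        $info = @{
            Path          = $Path
            DiskType      = $typeNames[$rawType]
            CurrentSizeGB = [math]::Round((Read-BigEndian $footer 48 8) / 1GB, 2)
            # A bad checksum means the footer is corrupt or has been altered.
            FooterValid   = (Get-VhdChecksum $footer 64) -eq (Read-BigEndian $footer 64 4)
            ParentPath    = $null
        }
        if (-not $info.DiskType) { $info.DiskType = "Unknown ($rawType)" }

        # Fixed disks store 0xFFFFFFFFFFFFFFFF here; otherwise it points at the dynamic header.
        $dataOffset = Read-BigEndian $footer 16 8
        if ($dataOffset -ne [uint64]::MaxValue) {
            $header = New-Object byte[] 1024
            [void]$stream.Seek([long]$dataOffset, [System.IO.SeekOrigin]::Begin)
            [void]$stream.Read($header, 0, 1024)
            if ([System.Text.Encoding]::ASCII.GetString($header, 0, 8) -eq 'cxsparse') {
                $info.BlockSizeMB = (Read-BigEndian $header 32 4) / 1MB
                $info.HeaderValid = (Get-VhdChecksum $header 36) -eq (Read-BigEndian $header 36 4)
                if ($rawType -eq 4) {
                    # UTF-16BE, NUL padded: the parent path the child expects to find.
                    $info.ParentPath = [System.Text.Encoding]::BigEndianUnicode.GetString($header, 64, 512).TrimEnd([char]0)
                }
            }
        }
        return New-Object PSObject -Property $info
    } finally {
        $stream.Dispose()
    }
}

# Usage, for example on the child disk from Exercise 8.3 (the path is a placeholder):
# Get-VhdInfo -Path 'C:\VHDs\child-disk.vhd' | Format-List
```

Running it against a differencing disk before you attach it lets you confirm that its ParentPath points at the parent you expect and that both checksums are valid, which is a quicker check than opening the Edit Disk wizard just to find a broken parent link.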
Configuring Virtual Machines

The following sections cover creating and managing virtual machines as well as backing up and restoring virtual machines using features like Import and Export and Snapshot. We'll also briefly cover Hyper-V's Quick Migration feature.

Creating and Managing Virtual Machines

It is important to learn how to create a virtual machine, how to change its configuration, and how to delete it. We will take a look at the Virtual Machine Connection tool and install the Hyper-V Integration Components in a virtual machine.

Virtual Machines

Virtual machines define the child partitions in which you run operating system instances. Each virtual machine is separate and can communicate with the others only over a virtual network. You can assign hard drive(s), virtual network(s), DVD drives, and other system components to it. A virtual machine is similar to a physical server, but it no longer runs on dedicated hardware; it shares the hardware of the host system with the other virtual machines that run on the host. Exercise 8.6 shows you how to create a new virtual machine.
Exercise 8.6

Creating a New Virtual Machine

Follow these steps to create a new virtual machine:

1. Click Start > Administrative Tools > Hyper-V Manager.
2. In Hyper-V Manager, in the Actions pane, click New Virtual Machine.
3. In the New Virtual Machine Wizard, click Next on the Before You Begin page.
4. On the Specify Name and Location page, give your virtual machine a name and change the default location of the virtual machine configuration files. Click Next to continue.
5. On the Assign Memory page, define how much of your host computer's memory you want to assign to this virtual machine. Remember that once your virtual machines use up all your physical memory, they will start swapping to disk, thus reducing the performance of all virtual machines. Click Next to continue.
6. On the Configure Networking page, select the virtual network that you previously configured using Virtual Network Manager. Click Next to continue.
7. On the next page, you configure your virtual hard disk. You can create a new virtual hard disk, select an existing disk, or choose to attach a hard disk later. Be aware that you can create only a dynamically expanding virtual disk on this page; you cannot create a differencing, physical, or fixed virtual hard disk here. However, if you created the virtual hard disk already, you can of course select it. Click Next to continue.
8. On the Installation Options page, you can select how you want to install your operating system. You have the option to install an operating system later, install the operating system from a boot CD/DVD-ROM (where you can select a physical device or an image file (ISO file)), install an operating system from a floppy disk image (VFD file, or virtual boot floppy disk), or install an operating system from a network-based installation server. The last option installs a legacy network adapter in your virtual machine so you can boot from the network adapter. Select Install an operating system later and then click Next.
9. On the Completing the New Virtual Machine Wizard summary page, verify that all settings are correct. You also have the option to immediately start the virtual machine after creation. Click Next to create the virtual machine.
After completing Exercise 8.6, you will have a virtual machine available in Hyper-V Manager. Initially, the state of the virtual machine will be Off. Virtual machines can have the following states: Off, Starting, Running, Paused, and Saved. You can change the state of a virtual machine in the Virtual Machines pane by right-clicking on the virtual machine’s name, as seen in Figure 8.10, or by using the virtual machine connection window.
Figure 8.10 Options available when right-clicking on a virtual machine

Here is a list of all the state options available for a virtual machine:

Start: Turn on the virtual machine. This is similar to pressing the power button when the machine is turned off. This option is available when your virtual machine is off or in saved state.
Turn Off: Turn off the virtual machine. This is similar to pressing the power off button on the computer. This option is available when your virtual machine is running, saved, or paused.
Shut Down: This option shuts down your operating system. You need to have the Hyper-V Integration Components installed on the operating system; otherwise Hyper-V will not be able to shut down the system. You will read about the Hyper-V Integration Components in the section "Installing Hyper-V Integration Components" later in this chapter.
Save: The virtual machine is saved to disk in its current state. This option is available when your virtual machine is running or paused.
Pause: Pause the current virtual machine, but do not save the state to disk. You can use this option to quickly release processor utilization from this virtual machine to the host system.
Reset: Reset the virtual machine. This is like pressing the reset button on your computer. You will lose the current state and any unsaved data in the virtual machine. This option is available when your virtual machine is running or paused.
Resume: When your virtual machine is paused, you can resume it and bring it online again.
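The states just listed are also exposed to scripts through the WMI interface mentioned earlier: the Hyper-V provider in Windows Server 2008 reports each virtual machine as an Msvm_ComputerSystem instance in the root\virtualization namespace, with a numeric EnabledState. The following PowerShell helpers are an added example, not from the book or from Microsoft; they assume Windows PowerShell 2.0 on a full installation or a management workstation, run by an administrator of the Hyper-V host, and the function names and the usage values are this example's own.

```powershell
# Added example, not from the book: list Hyper-V virtual machines with the
# state names Hyper-V Manager uses, and request a state change the same way
# Start, Turn Off, Pause, and Save do. Uses the Windows Server 2008 provider
# (namespace root\virtualization, class Msvm_ComputerSystem).

# EnabledState values documented for Msvm_ComputerSystem; transient values such
# as Saving or Stopping are reported by number.
$script:VmStateNames = @{
    2     = 'Running'
    3     = 'Off'
    32768 = 'Paused'
    32769 = 'Saved'
    32770 = 'Starting'
}

function Get-HyperVVm {
    param([string]$ComputerName = '.')
    # Caption='Virtual Machine' leaves out the host's own Msvm_ComputerSystem instance.
    Get-WmiObject -ComputerName $ComputerName -Namespace 'root\virtualization' `
                  -Class Msvm_ComputerSystem -Filter "Caption='Virtual Machine'" |
        ForEach-Object {
            $stateName = $script:VmStateNames[[int]$_.EnabledState]
            if (-not $stateName) { $stateName = "Other ($($_.EnabledState))" }
            New-Object PSObject -Property @{
                Name        = $_.ElementName
                Id          = $_.Name                                  # the VM's GUID
                State       = $stateName
                UptimeHours = [math]::Round($_.OnTimeInMilliseconds / 3600000, 1)
            }
        }
}

function Set-HyperVVmState {
    # Requested states map to Hyper-V Manager's Start, Turn Off, Pause, and Save.
    # Off or Saved is also what the Export feature requires of a virtual machine.
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][ValidateSet('Running', 'Off', 'Paused', 'Saved')][string]$State,
        [string]$ComputerName = '.'
    )
    $codes = @{ Running = 2; Off = 3; Paused = 32768; Saved = 32769 }
    # Match the name in PowerShell rather than splicing user input into the WQL filter.
    $vm = Get-WmiObject -ComputerName $ComputerName -Namespace 'root\virtualization' `
                        -Class Msvm_ComputerSystem -Filter "Caption='Virtual Machine'" |
          Where-Object { $_.ElementName -eq $Name }
    if (-not $vm) { throw "No virtual machine named '$Name' on $ComputerName" }
    $result = $vm.RequestStateChange($codes[$State])
    # 0 = completed, 4096 = accepted and running as a job; anything else is an error.
    if ($result.ReturnValue -ne 0 -and $result.ReturnValue -ne 4096) {
        throw "RequestStateChange($State) failed with code $($result.ReturnValue)"
    }
    return $result.ReturnValue
}

# Usage (the VM name is a placeholder):
# Get-HyperVVm | Format-Table Name, State, UptimeHours
# Set-HyperVVmState -Name 'your VM name' -State Saved
```

Because Get-HyperVVm returns objects rather than text, you can pipe it into Where-Object to find, for example, every machine that is Running on a host before a maintenance window.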
Change Configuration on an Existing Virtual Machine

To change the configuration settings of an existing virtual machine, right-click on your virtual machine's name in the Virtual Machines pane in Hyper-V Manager and choose Settings. You can change settings like memory allocation and hard drive configuration. All items that you can configure are described in the following list:

Add Hardware: Add devices to your virtual machine, namely a SCSI controller, a network adapter, or a legacy network adapter. A legacy network adapter is required if you want to perform a network-based installation of an operating system.
BIOS: This replaces the virtual machine's BIOS setup. Because you can no longer enter the BIOS during startup, you configure it with this setting. You can turn Num Lock on or off and change the basic startup order of the devices.
Memory: Change the amount of random access memory (RAM) allocated to the virtual machine.
Processor: Change the number of logical processors this virtual machine can use, and define resource control to balance resources among virtual machines by using a relative weight.
IDE Controller: Add, change, and remove devices on the IDE controller. Devices can be hard drives or DVD drives. Every IDE controller can have up to two devices attached, and by default you have two IDE controllers available.
Hard Drive: Select the controller to attach this device to and specify the media to use with your virtual hard disk. The available options are Virtual hard disk (.vhd) file (with additional buttons labeled New, Edit, Inspect, and Browse that are explained in the virtual hard disk section) and Physical hard disk. You can also remove the device here.
DVD Drive: Select the controller to attach this device to and specify the media to use with your virtual CD/DVD drive. The available options are None, Image file (ISO image), and Physical CD/DVD drive connected to the host computer. You can also remove the device here.
SCSI Controller: Configure all hard drives that are connected to the SCSI controller. You can add up to 63 hard drives to each SCSI controller, and you can have multiple SCSI controllers.
Network Adapter: Specify the configuration of the network adapter or remove it. For each adapter you can also configure the virtual network and MAC address and enable virtual LAN identification.
COM 1: Configure the virtual COM port to communicate with the physical computer through a named pipe. COM 1 and COM 2 are available.
Diskette Drive: Specify a virtual floppy disk file to use.
Name: Edit the name of the virtual machine and provide some notes about it.
Integration Services: Define which integration services are available to your virtual machine. Options are Operating system shutdown, Time synchronization, Data Exchange, Heartbeat, and Backup (volume snapshot).
Snapshot File Location: Define the default file location of your snapshot files.
Automatic Start Action: Define what this virtual machine will do when the physical computer starts. Options are Nothing, Automatically start if the service was running, and Always start this virtual machine. You can also define a start delay here.
Automatic Stop Action: Define what this virtual machine will do when the physical computer shuts down. Options are Save State, Turn Off, and Shut down.

Please be aware that only some settings can be changed when the virtual machine's state is Running. It is best practice to shut down the virtual machine before you modify any setting.
Deleting Virtual Machines

You can also delete virtual machines using Hyper-V Manager. However, this deletes only the configuration files, not any related virtual disks, as seen in Figure 8.11.

Figure 8.11 Delete virtual machine warning window
Make sure you manually delete any virtual disks that were part of the virtual machines in order to free up disk space.
Virtual Machine Connection

Similar to the Virtual Machine Remote Control (VMRC) client that was available with Virtual Server 2005 R2 and previous versions, Hyper-V comes with Virtual Machine Connection to connect to virtual machines that run on a local or remote server. You can use it to log onto the virtual machine and use your computer's mouse and keyboard to interact with the virtual machine. You can open Virtual Machine Connection in Hyper-V Manager by double-clicking on a virtual machine, or by right-clicking on a virtual machine and selecting Connect. If your virtual machine is turned off, you might see a window similar to the one in Figure 8.12.

Figure 8.12 Virtual Machine Connection window when the machine is turned off

Virtual Machine Connection provides functionality similar to Hyper-V Manager, such as being able to change the state of a virtual machine, but it also provides additional features that are especially useful when you work with a virtual machine:

File: Access settings or exit Virtual Machine Connection.
Action: Change the state of a virtual machine and create or revert a snapshot. Additionally, you have the options to send Ctrl+Alt+Delete to your virtual machine and to insert the Integration Services Setup Disk.
Media: Insert or eject DVD or floppy media.
Clipboard: Type the text on the Clipboard into the virtual machine, or capture a screen image of the machine.

Context-sensitive buttons under the menu bar provide quick access to the most important features, as you can see in Figure 8.13.
Figure 8.13 Virtual Machine Connection window showing a running Windows Server 2003 virtual machine

Installing Hyper-V Integration Components

Hyper-V Integration Components, also called Integration Services, are required to make your guest operating system "hypervisor aware." Similar to the VM Additions that were part of Microsoft Virtual Server 2005, the components improve the performance of the guest operating system once they are installed. From an architectural perspective, virtual devices are redirected directly via the VMBus, which provides quicker access to resources and devices. If you do not install the Hyper-V Integration Components, the guest operating system uses emulation to communicate with the host's devices, which of course makes the guest operating system slower. Hyper-V Integration Components are currently available for the following operating systems:

- Windows Vista SP1 (x86)
- Windows XP SP3 (x86)
- Windows Server 2003
- Windows Server 2008
- SUSE Linux Enterprise Server 10 SP1 or XEN-Enabled Linux

As this chapter was being written, Microsoft had not announced any other operating systems that support the Hyper-V Integration Components. This is subject to change quite quickly, so use this list as a reference only. Please check the official Microsoft Hyper-V site at www.microsoft.com/virtualization for any new announcements.
Exercise 8.7 shows you how to install Hyper-V Integration Components on one of your virtual machines running Windows Server 2003.

Exercise 8.7

Installing Hyper-V Integration Components

Follow these steps to install the Hyper-V Integration Components in a virtual machine running Windows Server 2003 or 2008:

1. Click Start > Administrative Tools > Hyper-V Manager.
2. In Hyper-V Manager, in the Virtual Machines pane, right-click the virtual machine on which you want to install Hyper-V Integration Components and select Start.
3. Right-click the virtual machine again and select Connect to open a Virtual Machine Connection. Meanwhile, your virtual machine should already be booting.
4. If you need to log in to the operating system of your virtual machine, do so now.
5. Once the Windows desktop appears, select Insert Integration Services Setup Disk from the Action menu of your Virtual Machine Connection window.
6. Once the Hyper-V Integration Components are installed, you are asked to perform a reboot.
After the reboot, Hyper-V Integration Components are installed on your operating system and you will be able to use them.
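As a practical complement to the exercise, here is a PowerShell script (an added example; it is not from the book and not Microsoft’s own code) that lists every virtual machine on a Windows Server 2008 Hyper-V host together with its state and the status of the Integration Components heartbeat, using the root\virtualization WMI namespace that ships with that release. A guest that is running but reports No Contact is one whose Integration Components are missing or not yet started, which is exactly the emulation case described above. The script assumes it runs with administrative rights on the host; the names in its output are whatever virtual machines your host has.

```powershell
# Added example (not from the book): inventory Hyper-V guests on a Windows Server 2008
# host and report whether each one has a working Integration Components heartbeat.
# Assumptions: run as an administrator on the host; the Windows Server 2008
# root\virtualization WMI namespace is used (not the later root\virtualization\v2).

# EnabledState values of Msvm_ComputerSystem in the Windows Server 2008 namespace.
$stateNames = @{
    2     = 'Running'
    3     = 'Off'
    32768 = 'Paused'
    32769 = 'Saved'
}

# OperationalStatus values reported by Msvm_HeartbeatComponent.
$heartbeatNames = @{
    2  = 'OK'
    6  = 'Error'
    12 = 'No Contact'
    13 = 'Lost Communication'
}

function Get-VmHeartbeatReport {
    param([string]$HostName = '.')   # '.' means the local host

    $ns = 'root\virtualization'

    # The parent partition also appears as an Msvm_ComputerSystem; its Caption is
    # "Hosting Computer System", so drop it and keep only the guests.
    $vms = Get-WmiObject -ComputerName $HostName -Namespace $ns -Class Msvm_ComputerSystem |
           Where-Object { $_.Caption -ne 'Hosting Computer System' }
    $heartbeats = @(Get-WmiObject -ComputerName $HostName -Namespace $ns -Class Msvm_HeartbeatComponent)

    foreach ($vm in $vms) {
        # Msvm_HeartbeatComponent.SystemName carries the guest GUID (Msvm_ComputerSystem.Name).
        $hb = @($heartbeats | Where-Object { $_.SystemName -eq $vm.Name })[0]

        $state = $stateNames[[int]$vm.EnabledState]
        if (-not $state) { $state = "Other ($($vm.EnabledState))" }

        if ($state -ne 'Running') {
            # Heartbeat is only meaningful while the guest runs.
            $hbText = 'n/a (not running)'
        } elseif ($hb -and $hb.OperationalStatus) {
            $code = [int]$hb.OperationalStatus[0]
            $hbText = $heartbeatNames[$code]
            if (-not $hbText) { $hbText = "Status $code" }
        } else {
            # No heartbeat device at all: the guest is talking to emulated hardware only.
            $hbText = 'No Contact'
        }

        New-Object PSObject -Property @{
            Name      = $vm.ElementName
            State     = $state
            Heartbeat = $hbText
        }
    }
}

Get-VmHeartbeatReport | Format-Table Name, State, Heartbeat -AutoSize
```

Running this after Exercise 8.7 should show the guest you just updated as Running with Heartbeat OK; a guest that stays at No Contact for more than a minute or two after booting is a candidate for the Integration Services Setup Disk.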
Back Up and Restore Virtual Machines

The following sections cover exporting and importing virtual machines between host machines as well as taking a snapshot to back up a certain state of your virtual machine. We will also briefly discuss what Quick Migration is and how Hyper-V uses it.
Exporting and Importing Virtual Machines

This section explains how to move virtual machines between host computers or move them to a different drive. This is quite different from previous versions of Microsoft’s virtualization software. To move a virtual machine in Virtual Server 2005, you stopped the machine and moved its configuration file (VMC) as well as its virtual hard disk file (VHD) to the target location and then changed the VMC file to point to the VHD file. With Hyper-V, you cannot simply move the configuration files anymore. You need to use the Export feature to export the virtual machine and then use Import on the target machine to import the virtual machine into Hyper-V. To export a virtual machine, it must be in either the Off or the Saved state. Open Hyper-V Manager, select the virtual machine you want to export, and either right-click the virtual machine and select Export or click Export in the virtual machine name’s pane. You will see the Export Virtual Machine dialog box, shown in Figure 8.14.

Figure 8.14 Export Virtual Machine window
In this dialog box, you can set the export path for the virtual machine and choose whether to export your virtual machine state data or not. Because Hyper-V will use the exported files after importing them, you should store the export directly on the target machine’s disks and not on a file share.
Once you check Don’t Export Virtual Machine State Data, only the virtual machine’s configuration files will be exported. The virtual hard disk and snapshots will not be exported. In the export path, a folder with the name of the virtual machine is created along with the following subfolders:

Virtual Machines  This includes the virtual machine configuration files as well as the virtual machine state if the machine is saved.

Virtual Hard Disks  If you exported the state data, this folder will include your virtual hard disk VHD file(s).

Snapshots  If you exported the state data, this folder will include all snapshot files.

Once the virtual machine finishes exporting, you can move the export folder to the target machine if you did not store it directly on the server’s disks. Open Hyper-V Manager and click Import Virtual Machine, which is located in the Actions pane. The Import Virtual Machine dialog box asks you for the path to the exported virtual machine and allows you to decide if you want to reuse the old virtual machine ID, as shown in Figure 8.15.

Figure 8.15 The Import Virtual Machine dialog box
You want to reuse old virtual machine IDs if you’re moving all virtual machines from a host to a new target machine. The virtual machines are practically the same as on the source system. However, you do not want to reuse old virtual machine IDs if you used Export to clone a virtual machine. Because Hyper-V uses the import folder as the new target folder for the imported virtual machine, an exported virtual machine can be imported only once. Of course, if you copy the files to a different location before importing them, you can overcome this limitation.
When you import a virtual machine with state data, Hyper-V will use the import path for the virtual hard disks as well as snapshots in its virtual machine configuration XML. Thus, you’re able to import an exported machine only once. For that reason, the import folder should already be on the host’s target disk.
If you import only the virtual machine configuration, without the state data or hard disks, you will receive a warning message like the one in Figure 8.16.

Figure 8.16 Import warning message
You receive this warning because the virtual machine probably has one or more hard drives configured that now point to a VHD file that does not exist. You need to correct these settings before the virtual machine will start.
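The warning above is the symptom of a configuration whose disk entries point at files that did not travel with the export. The following PowerShell script, added here as an example and not part of the book, checks an export folder for that condition before you import it: it confirms the folder layout described above, warns when the export sits on a network share rather than on the target host’s own disk, and reports every VHD or AVHD path referenced by the exported configuration files that has no copy in the export. It assumes the configuration files are text (XML or .exp) in which disk paths appear literally; the export path at the end is a constructed example.

```powershell
# Added example (not from the book): check a Hyper-V export folder before importing it.
# Assumptions: the folder layout is the one described in the chapter (Virtual Machines,
# Virtual Hard Disks, Snapshots subfolders); the exported configuration files are text
# (XML or .exp) in which disk paths appear literally, so a regular expression finds them.

function Test-HyperVExport {
    param([Parameter(Mandatory = $true)][string]$ExportPath)

    if (-not (Test-Path $ExportPath)) {
        return @("ERROR: '$ExportPath' does not exist.")
    }

    $findings = @()

    # The chapter recommends exporting directly to the target host's disks, because the
    # import folder becomes the virtual machine's permanent location.
    if ($ExportPath -like '\\*') {
        $findings += "WARNING: '$ExportPath' is a network path; copy the export to a local disk on the target host before importing."
    }

    $vmDir   = Join-Path $ExportPath 'Virtual Machines'
    $vhdDir  = Join-Path $ExportPath 'Virtual Hard Disks'
    $snapDir = Join-Path $ExportPath 'Snapshots'

    if (-not (Test-Path $vmDir)) {
        $findings += "ERROR: no 'Virtual Machines' subfolder; this does not look like a Hyper-V export."
        return $findings
    }
    if (-not (Test-Path $vhdDir)) {
        $findings += "INFO: no 'Virtual Hard Disks' subfolder; 'Don't Export Virtual Machine State Data' was probably checked."
    }
    if (-not (Test-Path $snapDir)) {
        $findings += "INFO: no 'Snapshots' subfolder; the VM had no snapshots or its state data was not exported."
    }

    # File names of every disk that actually travelled with the export (VHDs and AVHDs).
    $exportedDisks = @{}
    Get-ChildItem -Path $ExportPath -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.a?vhd$' } |
        ForEach-Object { $exportedDisks[$_.Name.ToLower()] = $_.FullName }

    # Every disk path referenced by the exported configuration files.
    $diskPattern = '[A-Za-z]:\\[^"<>|\r\n]*?\.a?vhd'
    $configFiles = Get-ChildItem -Path $vmDir -Recurse |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(xml|exp)$' }

    foreach ($cfg in $configFiles) {
        $text = [System.IO.File]::ReadAllText($cfg.FullName)
        foreach ($hit in [regex]::Matches($text, $diskPattern, 'IgnoreCase')) {
            $referenced = $hit.Value
            $leaf = (Split-Path $referenced -Leaf).ToLower()
            if ($exportedDisks.ContainsKey($leaf)) {
                $findings += "OK: $($cfg.Name) references $leaf, which is present in the export."
            } elseif (Test-Path $referenced) {
                $findings += "WARNING: $($cfg.Name) references $referenced, which is not in the export; the imported VM would keep using that original file."
            } else {
                $findings += "ERROR: $($cfg.Name) references $referenced and no copy exists; fix the hard drive settings before starting the VM."
            }
        }
    }

    if ($findings.Count -eq 0) { $findings += 'INFO: no disk references found in the configuration files.' }
    return $findings
}

# Constructed example path; replace it with the folder you exported to.
Test-HyperVExport -ExportPath 'D:\Exports\WS2003-Test'
```

An export that produces only OK lines can be imported as described above; any ERROR line tells you in advance which disk entry you will have to fix in the virtual machine’s settings after the import.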
Managing Snapshots

With virtual machine snapshots, you can save a copy of the virtual machine at any point in time, including while the virtual machine is running. You can take multiple snapshots of a virtual machine and then revert it to any previous state by applying a snapshot. Using snapshots makes it easier to diagnose the cause of errors by reducing the number of times you need to repeat a task or sequence within a virtual machine. The benefit is obvious: if you use snapshots to revert to a previous virtual machine configuration, you do not need to copy virtual machines to keep a state. Thus it is a quick and easy way to back up a certain state of your virtual machine. You can create a snapshot when a virtual machine is in a running, saved, or turned-off state. It’s only from a paused state that you cannot take a snapshot.
Snapshots are extremely useful in training classes or testing environments. When your company tests new software, you can take snapshots at every single step so you can immediately go back if problems or issues arise. In training classes, you can prepare each virtual machine for your students according to your special requirements, and once the course is finished, you just revert all virtual machines to their initial configuration. No more hassles with experienced users who change your configuration without letting you know.
In Exercise 8.8, you’ll create and rename a snapshot.
Exercise 8.8

Creating a Snapshot of a Virtual Machine

Follow these steps to create and rename a snapshot of a virtual machine using Hyper-V Manager:

1. Click Start > Administrative Tools > Hyper-V Manager.
2. In Hyper-V Manager, in the Virtual Machines pane, right-click the virtual machine.
3. In the Actions pane, select Snapshot.
4. Once the snapshot is taken, it should appear in the Snapshots pane in Hyper-V Manager. Right-click the snapshot and select Settings.
5. In the Settings window, in the Management section, click Name and type First Snapshot as the name. You can also add some notes to make it easy to identify.
6. Click OK to apply the changes.
Technically speaking, when you make a snapshot, the following files will be created in the virtual machine’s snapshot folder:
- A virtual machine configuration file
- Virtual machine saved state files
- Snapshot differencing disks (AVHDs)
Once you create a snapshot for a virtual machine, you will also have the Revert option available in the virtual machine name’s pane in Hyper-V Manager. Reverting basically means that you restore the last snapshot made. You also see the last snapshot taken marked with a green arrow in the Snapshots pane (Figure 8.17).

Figure 8.17 Revert option in Hyper-V
However, you will also have options available directly at the snapshot level that let you perform certain actions:

Settings  This opens the Settings window of the virtual machine. The only settings you can change are the name and the notes field. All others are read-only.

Apply  Applying a snapshot to a virtual machine technically means that you copy the virtual machine state from the snapshot to the active virtual machine. You can look at this as a “restore this snapshot” option. Because you would lose all unsaved data and settings from the active virtual machine, you will be asked if you want to create another snapshot before you apply this snapshot. If you just click Apply, the active machine will be overwritten and reverted to the state it was in when the snapshot was made. The snapshot itself will not be removed. Figure 8.18 shows the warning message that appears when you apply a snapshot.
Figure 8.18 Window that appears when you apply a snapshot
Rename  You can change the name of the snapshot without the need to open Settings.

Delete Snapshot  Deleting a snapshot is like deleting a backup file. You will no longer be able to restore to that point in time. Deleting a single snapshot does not affect any other snapshots that you made for this virtual machine; you delete only the selected snapshot. However, sometimes when you delete a snapshot, the system needs to merge the differencing disks. This occurs in the background when the virtual machine is not running, and the user does not see when it happens.

Delete Snapshot Subtree  This will delete the selected snapshot and all snapshots that are hierarchically underneath it. If you delete a snapshot with only one sub-snapshot, the configuration and saved state files for the snapshot will be deleted and the snapshot’s differencing disks will be merged. If you have more sub-snapshots, merging will not take place.

In Exercise 8.9, you will apply a snapshot and thus revert to a previous virtual machine state.

Exercise 8.9
Applying a Snapshot

To recover a snapshot, follow these steps.

1. Click Start > Administrative Tools > Hyper-V Manager.
2. In Hyper-V Manager, in the Virtual Machines pane, click the virtual machine for which you created a snapshot.
3. In the Snapshots pane, select First Snapshot.
4. In the First Snapshot section of the Actions pane, click Apply.
5. In the Apply Snapshot window, click Apply.
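The snapshot hierarchy that the Delete Snapshot Subtree option and the green arrow refer to can also be inspected without Hyper-V Manager. The PowerShell script below is an added example (not from the book and not Microsoft’s own code): it takes a snapshot through the root\virtualization WMI namespace of Windows Server 2008 Hyper-V, the same operation as step 3 of Exercise 8.8, and then prints the virtual machine’s snapshot tree, marking the snapshot the machine currently runs from. It assumes administrative rights on the host, that the VM is identified by its display name, that snapshot settings objects carry the VM’s GUID in SystemName, and that each one’s Parent property names the snapshot it was taken from; the VM name at the end is a constructed example.

```powershell
# Added example (not from the book): create a snapshot and print a VM's snapshot tree
# through the root\virtualization WMI namespace of Windows Server 2008 Hyper-V.
# Assumptions: run as an administrator on the host; the VM is identified by its display
# name (ElementName); snapshot settings objects carry the VM GUID in SystemName; each
# snapshot's Parent property is the WMI path of the snapshot it was taken from, and the
# VM's active settings object has Parent set to the snapshot the VM currently runs from.

$ns = 'root\virtualization'

function Get-VmByName {
    param([string]$VmName)
    $vm = Get-WmiObject -Namespace $ns -Class Msvm_ComputerSystem -Filter "ElementName='$VmName'"
    if (-not $vm) { throw "Virtual machine '$VmName' was not found on this host." }
    return $vm
}

function Wait-WmiJob {
    # Poll a job until it finishes. CIM JobState: 2 New, 3 Starting, 4 Running, 7 Completed.
    param([string]$JobPath)
    do {
        Start-Sleep -Milliseconds 500
        $job = [wmi]$JobPath
    } while ($job.JobState -eq 2 -or $job.JobState -eq 3 -or $job.JobState -eq 4)
    if ($job.JobState -ne 7) { throw "Job failed (state $($job.JobState)): $($job.ErrorDescription)" }
}

function New-VmSnapshot {
    # Allowed while the VM is running, saved or off; not from the paused state.
    param([string]$VmName)
    $vm   = Get-VmByName $VmName
    $vsms = Get-WmiObject -Namespace $ns -Class Msvm_VirtualSystemManagementService
    $result = $vsms.CreateVirtualSystemSnapshot($vm.__PATH)
    if ($result.ReturnValue -eq 4096) {        # 4096 = job started, completes asynchronously
        Wait-WmiJob $result.Job
    } elseif ($result.ReturnValue -ne 0) {
        throw "CreateVirtualSystemSnapshot failed with return value $($result.ReturnValue)"
    }
}

function Get-InstanceIdFromPath {
    # Extract the InstanceID key from a WMI object path such as
    # \\HOST\root\virtualization:Msvm_VirtualSystemSettingData.InstanceID="Microsoft:..."
    param([string]$Path)
    if ($Path -match 'InstanceID="([^"]+)"') { return $Matches[1] }
    return ''
}

function Get-VmSnapshotTree {
    param([string]$VmName)
    $vm = Get-VmByName $VmName

    # The active configuration is linked to the VM by Msvm_SettingsDefineState; every
    # other settings object carrying this VM's GUID in SystemName is a snapshot.
    $active = @(Get-WmiObject -Namespace $ns -Query "ASSOCIATORS OF {$($vm.__PATH)} WHERE AssocClass=Msvm_SettingsDefineState")[0]
    $snapshots = @(Get-WmiObject -Namespace $ns -Class Msvm_VirtualSystemSettingData -Filter "SystemName='$($vm.Name)'" |
                   Where-Object { $_.InstanceID -ne $active.InstanceID })
    $currentId = Get-InstanceIdFromPath ([string]$active.Parent)

    # Print the children of a given parent (empty parent = top-level snapshots), recursively.
    function Show-Branch([string]$ParentId, [int]$Depth) {
        foreach ($s in ($snapshots | Where-Object { (Get-InstanceIdFromPath ([string]$_.Parent)) -eq $ParentId })) {
            $marker = ''
            if ($s.InstanceID -eq $currentId) { $marker = '   <-- snapshot the VM currently runs from' }
            $taken = [System.Management.ManagementDateTimeConverter]::ToDateTime($s.CreationTime)
            Write-Output (('    ' * $Depth) + $s.ElementName + '  (' + $taken + ')' + $marker)
            Show-Branch $s.InstanceID ($Depth + 1)
        }
    }
    Show-Branch '' 0
}

# Constructed VM name; replace it with one of your own.
New-VmSnapshot 'WS2003-Test'
Get-VmSnapshotTree 'WS2003-Test'
```

Indentation in the output shows which snapshots hang below which, so you can see beforehand exactly what Delete Snapshot Subtree would remove; the marked entry is the one Revert returns to.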
Quick Migration

In combination with Windows Server 2008’s clustering support in the Enterprise and Datacenter editions, Quick Migration enables high availability features for virtual machines, so if one server fails, its workload can be picked up by another node member with minimal interruption in user access.
Basically, each virtual machine is defined as a virtual machine application on a cluster node. Once the cluster node goes down, another cluster node can take over the virtual machine. Unfortunately, this means that in the event of an unplanned failure, the system state of the virtual machine is lost, because the virtual machine performs a normal boot on the other node. A planned failover saves the current state, moves it, and then restores it correctly on the target side. This topic is too complicated for the 70-643 exam, but we wanted you to understand the basic concept so you would know that this feature is available in Hyper-V.
Summary

Virtualization is quickly becoming a hot topic. The potential for consolidation is tremendous, so it will become more and more important. After reading this chapter, you should have a good understanding of the Hyper-V architecture and what it requires to install Hyper-V. The section about installation and configuration covered various basic aspects of configuring the virtualization environment. You learned about the different types of virtual networks that are available, the options for installing the Hyper-V role, and the various types of virtual hard disks that you can use to optimize virtualization for your specific scenario. You also learned how to configure virtual machines using the Hyper-V environment and how to create your own virtual datacenter on top of your Hyper-V machines. We showed you how to create and manage virtual machines, how to use Virtual Machine Connection to remotely control a virtual machine, and how to install Hyper-V Integration Components. And you learned how to export and import virtual machines as well as how to take snapshots of your virtual machine. If you have never worked with virtualization software before, the information in this chapter may have been completely new to you. You should now be well prepared to try out Hyper-V in your own environment.
Exam Essentials

Understand Hyper-V’s architecture. When you have a good understanding of Hyper-V’s architecture, especially of the difference between a hypervisor-aware and a non-hypervisor-aware operating system in a virtual machine, you have a solid understanding of what is important from an architectural perspective. You should know about the Hyper-V Integration Components and how they change the behavior of a virtual machine. Also know which operating systems the Integration Components are available for.

Know Hyper-V’s requirements and how to install it. Know the hardware and software requirements as well as how to install Hyper-V. Hyper-V requires an x64-based processor and Data Execution Protection (DEP), and hardware-assisted virtualization must be enabled. Don’t forget this! Also remember that you can install Hyper-V two ways: using Server Manager or using the command line in Server Core.

Understand virtual networks and virtual hard disks. Virtual networks and hard disks are the two most tested topics. You definitely should know the types of virtual networks available (i.e., external, internal only, and private virtual network) as well as all types of virtual hard disks (i.e., dynamically expanding, fixed size, differencing, and physical or pass-through). You should be able to apply the correct one when needed. Don’t forget the Edit Virtual Hard Disk Wizard, which is also a good source for questions in the exam.

Know how to create and manage virtual machines. You should be able to explain how to create a virtual machine, what options you have to install an operating system in a virtual machine, and how to install the Hyper-V Integration Components on a virtual machine. Don’t forget about the virtual machine states and the virtual machine settings!

Understand how to back up and restore virtual machines. Have a good understanding of the concept of exporting and importing virtual machines, how snapshots work, and what lies behind a Quick Migration. Understand how you can export a virtual machine, what you should consider when moving it to a new host machine, and what happens after importing it to the import folder. The same applies to snapshots: you need to know what options you have available and what each option will do. Especially recognize the difference between applying and reverting a snapshot.
Review Questions

1. On which of the following x64 editions of Windows Server 2008 does Hyper-V run? (Choose all that apply.)
A. Windows Server 2008, Web Edition
B. Windows Server 2008, Standard Edition
C. Windows Server 2008, Enterprise Edition
D. Windows Server 2008, Datacenter Edition

2. You want to build a test environment based on virtual machines on a single Windows Server 2008 machine, but you also want to make sure that the virtual machines communicate with only each other. What type of virtual network do you need to configure?
A. External
B. Internal only
C. Private virtual machine network
D. Public virtual machine network

3. Andy wants to change the memory of a virtual machine that is currently powered up. What does he need to do?
A. Shut down the virtual machine, use the virtual machine’s settings to change the memory, and start it again.
B. Use the virtual machine’s settings to change the memory.
C. Pause the virtual machine, use the virtual machine’s settings to change the memory, and resume it again.
D. Save the virtual machine, use the virtual machine’s settings to change the memory, and resume it again.

4. You want to make sure the hard disk space for your virtual machines is only occupied once needed. What type of virtual hard disk would you recommend?
A. Dynamically expanding disk
B. Fixed size disk
C. Differencing disk
D. Physical or pass-through disk

5. How do you add a physical disk to a virtual machine?
A. Use the Virtual Hard Disk Wizard.
B. Use the Edit Virtual Hard Disk Wizard.
C. Use the virtual machine’s settings.
D. Use the New Virtual Machine Wizard.
6. Sigi bought a new server with an Itanium IA-64 processor, 4GB RAM and a SAN that provides 1TB hard disk space. After installing Windows Server 2008 for Itanium-Based Systems, he wants to install Hyper-V on this server. Can Hyper-V be installed on this system?
A. Yes
B. No

7. What are the minimum CPU requirements for running Hyper-V on a machine? (Choose all that apply.)
A. An x64-based processor (Intel or AMD).
B. Hardware Data Execution Protection (DEP) must be enabled.
C. Hardware-assisted virtualization must be enabled.
D. The processor must at least have a dual core.

8. What is the command to install Hyper-V on a Windows Server 2008 machine that was installed in Server Core?
A. start /w ocsetup Hyper-V
B. start /w ocsetup microsoft-hyper-v
C. start /w ocsetup Microsoft-Hyper-V
D. start /w ocsetup hyper-v

9. On what operating systems can you install the Hyper-V Manager MMC? (Choose all that apply.)
A. Windows Server 2008
B. Windows Server 2003
C. Windows XP SP3
D. Windows Vista SP1

10. What statement is correct for an external virtual network?
A. The virtual machines can communicate with each other and with the host machine.
B. The virtual machines can communicate with each other only.
C. The virtual machines can communicate with each other, with the host machine, and with an external network.
D. The virtual machines cannot communicate with each other.

11. In your test lab, Carola wants to save hard disk space and therefore creates a master virtual disk that should be used as the basis for the virtual machines. What type of virtual hard disks should she create for the virtual machines?
A. Dynamically expanding
B. Fixed size
C. Differencing
D. Physical or pass-through
12. You want to create a virtual disk that clones a local drive available on your host machine. What types of disk can you use to be able to copy a physical disk to a virtual disk using Hyper-V Manager? (Choose all that apply.)
A. Dynamically expanding
B. Fixed size
C. Differencing
D. Physical or pass-through

13. Joel wants to use the fastest option of virtual hard disks available because he needs excellent performance for his virtual machines. What is the best choice for him?
A. Dynamically expanding
B. Fixed size
C. Differencing
D. Physical or pass-through

14. What is a legacy network adapter in Hyper-V?
A. A virtual network adapter that can be configured when the Hyper-V Integration Components are installed
B. A virtual network adapter that can connect to the virtual networks
C. A virtual network adapter that you need in order to boot from the network
D. A virtual network adapter that connects your virtual machine to the host machine

15. You run an operating system like Windows NT 4.0 in a virtual machine where you do not have the Hyper-V Integration Components available. What statement about this situation is correct?
A. The operating system will not run in the virtual machine.
B. The operating system will run in the virtual machine and use the VMBus to communicate with the hypervisor.
C. The operating system will run in the virtual machine but needs a separate hypervisor to be installed.
D. The operating system will run in the virtual machine but uses emulation to communicate with the hypervisor.

16. How do you move virtual machines between host machines?
A. Use the Export and Import Virtual Machine command in Hyper-V.
B. Move the virtual machine files to the target host and add them to Hyper-V.
C. Create a snapshot of the virtual machine and apply it to a different machine.
D. Use the Save command in Hyper-V.
17. Jan does an export of a virtual machine. He checks the Don’t Export Virtual Machine State Data option. Considering this, what folder(s) will be available in the export?
A. Virtual Machines
B. Virtual Hard Disks
C. Snapshots
D. VM Configuration

18. Once you create a snapshot, what options do you have available for it? (Choose all that apply.)
A. Settings
B. Apply
C. Delete Snapshot
D. Revert

19. You are using a differencing disk for your virtual machine. When you use the Edit Virtual Hard Disk Wizard in Hyper-V, what options do you have available with this type of disk? (Choose all that apply.)
A. Compact
B. Convert
C. Expand
D. Merge

20. Robert is administrator of a Hyper-V machine that hosts many virtual machines. He created five snapshots for a single virtual machine on which he is currently installing software. Now he wants to go back to snapshot no. 3 without losing the other snapshots. What statements are correct considering that he applies snapshot no. 3? (Choose all that apply.)
A. After snapshot no. 3 is applied, all later snapshots are deleted.
B. After snapshot no. 3 is applied, he is still able to go back to snapshot no. 5.
C. After snapshot no. 3 is applied, snapshot no. 3 will be deleted.
D. After snapshot no. 3 is applied, the active virtual machine will be in the exact state of snapshot no. 3.
Answers to Review Questions

1. B, C, D. Hyper-V can be installed on the Standard, Enterprise, or Datacenter Edition of the Windows Server 2008 x64 editions. Itanium, x86, and Web Editions are not supported.

2. C. The external virtual network type will allow the virtual machine to communicate with the external network as it would with the Internet, so A is wrong. The internal only network type allows communication between the virtual machines and the host machine. Because the question says that only communication between the virtual machines should be allowed, the only valid answer is private virtual machine network. The last option, public virtual machine network, does not exist in Hyper-V.

3. A. This question focuses on the fact that you cannot change the memory if the virtual machine is running, paused, or saved. The only valid answer is to shut it down and then change the memory.

4. A. The only virtual hard disk that increases in size is the dynamically expanding disk. Thus this is the only valid answer to this question. The fixed size disk creates a disk of the size you specify, the differencing disk is a special disk that stores only the differences between it and a parent disk, and the physical disk uses a physical drive and makes it available to the virtual machine.

5. C. Physical hard disks cannot be configured using the Virtual Hard Disk Wizard, the Edit Virtual Hard Disk Wizard, or the New Virtual Machine Wizard. You can only configure and attach a physical disk using the virtual machine’s settings.

6. B. Hyper-V is not supported on Itanium-based systems, thus he cannot install it.

7. A, B, C. The minimum CPU requirement for running Hyper-V is an x64-based processor (Itanium is not supported), hardware Data Execution Protection must be enabled, and hardware-assisted virtualization must be enabled. There is no minimum requirement for a dual-core processor.

8. C. This question is regarding the setup command to install the Hyper-V server role on a Server Core machine. It’s important to remember that ocsetup commands are case sensitive and that the correct command is start /w ocsetup Microsoft-Hyper-V, which is option C. All other commands will fail to install Hyper-V on a Server Core machine.

9. A, D. The Hyper-V Manager is available only for Windows Server 2008 and Windows Vista SP1. There is no version available that runs on Windows Server 2003 or on Windows XP SP3.

10. C. The virtual network type in which the machines communicate with each other and with the host machine is called internal only. In a private virtual network, the virtual machines can communicate only with each other, but not with the network or the host machine. The external network type defines a network where the virtual machines can communicate with each other, with the host machine, and with an external network like the Internet. Thus, C is the correct answer. Once you define a virtual network, the virtual machines can communicate with each other. So the only scenario in which the virtual machines cannot communicate with each other is when they don’t have a virtual network defined.
11. C. Only the differencing hard disk is associated in a parent-child relationship with another disk. A dynamically expanding disk starts with a small VHD file and expands it on demand once an installation takes place. The fixed size disk sets a fixed size on the VHD file. The physical disk is a physical drive on the host machine, so it doesn’t support a parent-child relationship with another disk.

12. A, B. Hyper-V Manager supports copying a physical disk to a virtual disk only with dynamically expanding or fixed size virtual hard disks. You can perform this task in the New Virtual Hard Disk Wizard. Differencing and physical disks are not available for this feature.

13. D. The fastest virtual hard disk is the physical or pass-through disk because it directly uses the physical disk. The fixed size disk is the fastest option using a VHD file. Dynamically expanding and differencing disks are slower, so they are not recommended for use in production datacenters.

14. C. A legacy network adapter is a virtual network adapter that allows you to boot from the network. All other options are misleading and only point to different virtual network types.

15. D. All operating systems that do not have the Hyper-V Integration Components available will not be hypervisor aware. For this reason, they cannot use the VMBus but need emulation to communicate with the hypervisor. The operating system will still run, but it will be slower.

16. A. The only supported way to move virtual machines between host machines listed here is to use Export and Import Virtual Machine. The option to move the virtual machine files cannot be used anymore because you will lose the configuration of your virtual machines. You cannot apply a snapshot to a different host machine, nor is a Save command available in Hyper-V.

17. A. As the virtual machine state data is not exported, only the Virtual Machines folder will be available in the export folder. Virtual Hard Disks and Snapshots are created only when you export the machine state data. VM Configuration doesn’t exist.

18. A, B, C. Only Revert is wrong, as this option applies to the virtual machine, not to the snapshot. Settings, Apply, and Delete Snapshot are all valid options for a snapshot.

19. A, D. When you use a differencing disk, you have only the option to compact, meaning to remove blank space from the VHD file, and to merge, meaning to merge the changes from the differencing disk directly into the parent or another disk.

20. B, D. When Robert applies one snapshot, all earlier or later snapshots, as well as the snapshot that he applies, are not affected. Thus options A and C are wrong. Because Hyper-V keeps later snapshots, he is able to apply one. Also, the basic concept of snapshots is that they become the active virtual machine state once you apply them.
Chapter 9

Deploying Servers

Microsoft Exam Objectives covered in this chapter:
- Configuring Windows Deployment Services, Install from media (IFM), capture Windows Deployment Services images, deploy Windows Deployment Services images, server core
- Deploy images using Windows Deployment Services. May include but is not limited to: Install from media (IFM); configure Windows Deployment Services; capture Windows Deployment Services images; deploy Windows Deployment Services images; server core
- Configure Microsoft Windows activation. May include but is not limited to: install a KMS server; create a DNS SRV record, replicate volume license data
Windows Deployment Services is a tool that allows administrators to easily deploy and manage images, scripts, and the unattended installation of computer systems. This service can prove to be invaluable to those tasked with the administration of a medium or large corporate network. Windows Deployment Services can help with basic tasks such as formatting and partitioning a physical system, deploying a consistent set of standards across the network, simplifying the installation of operating systems, and performing post-installation tasks. In this chapter, we will cover the following areas:
- Deploying images
- Installing from media
- Configuring Windows Deployment Services (WDS)
- Deploying Server Core
- Configuring Windows Activation
- Installing and configuring KMS
Windows Deployment Services

Before the development of tools such as Microsoft Windows Deployment Services (WDS), a network administrator was tasked with manually configuring all of the systems in a network to upgrade or install an operating system. This involved many man-hours, costing organizations time and money. Windows Deployment Services reduces the need to physically install or upgrade systems, allowing IT administrators to manage the installation of systems from a central location, which can result in more time to devote to other, more important tasks. Several modifications have been made to Windows Deployment Services compared with the previous versions, which were known as Remote Installation Services (RIS) and Windows Deployment Services on Windows Server 2003. WDS now includes the following:
- Ability to deploy Windows Vista and Windows Server 2008
- Support for Windows PE as a boot operating system
- Ability to transmit data and images by use of multicast
- Support for network boot of x64 operating systems
To fully explore the latest version of WDS, you should be familiar with the following topics:
- Windows image (.wim) format
- Windows Pre-boot Execution Environment (PXE)
- Active Directory
- Dynamic Host Configuration Protocol (DHCP)
- Windows Preinstallation Environment (WinPE)

For many small shops, and in previous years, server installations were done by manually installing the operating system. This means that an administrator had to manually monitor and configure each server install. As the resources to deploy images have improved, they have opened the way for a simplified deployment of servers, one that an IT administrator can trust. The benefit of WDS goes beyond just freeing up time; it takes a major step forward in assuring company standards when it comes to how servers are built and configured. If you are not familiar with these terms and components, we recommend that you spend some time studying them before attempting to deploy system images in a production environment. You can find more information on Windows Imaging from Microsoft TechNet: http://technet2.microsoft.com/windowsserver2008/en/library/fbd2d37b-4127-43fd-a079-f78bbd44b7601033.mspx?mfr=true.
While WDS can deploy an operating system to your workstation environment, this chapter will focus on using WDS to deploy servers.
Deploying Images by Using Windows Deployment Services

Windows Deployment Services includes several components that can help a network administrator quickly, easily, and effectively install operating systems on servers:

Management tools: These are the tools you will use to create system images and manage the server and client machine accounts.

Server components: The server components are the items needed to boot a client computer and install an operating system on a client machine. A shared folder will be created to keep the data needed for the network boot, such as boot and install images.

Client components: These components are needed for the client machine to communicate with the server so that the proper items are installed and configured. The Windows PE interface is a client component.
Chapter 9 Deploying Servers
To understand these components, you must first understand what an image is. Simply put, in this context, it's a snapshot of a server that was built to your specifications. WDS uses two types of images:

Install image: This contains the operating system you want to deploy to a server.

Boot image: This is the image that a client computer or server will boot to before you install the install image.

Think of these images this way: a boot image is like a car and the install image is like a resort. Before you can sit in the comfort of the resort, you have to know how to get there and then have some means to travel to it. The car is what gets you to your destination; it knows the distance, direction, and speed it takes to get you there. With WDS, you are able to customize your images so they have exactly the configuration required by company standards. This will save time and money because you only need to set up the images, not babysit each server install. Before you can take advantage of this powerful tool, a proper installation and configuration is vital. Windows Deployment Services will not successfully deploy an operating system if the required components are not configured properly. The next section will guide you through the recommended installation of Windows Deployment Services and show you how to configure it.
Using Windows Deployment Services

Before you can start to deploy servers, you must configure Windows Deployment Services and create images. A checklist can assist you in making sure your installation is completed correctly. Here are some things to be sure your checklist includes:

Active Directory: The WDS server must at least be a member server in an Active Directory domain.

DHCP and DNS: WDS relies on DHCP and DNS for both IP addresses and name resolution.

NTFS: The WDS server requires the NTFS filesystem.

Credentials: The user account that will be used to perform the install and related tasks must be a member of the local Administrators group.

Make sure the server you plan to use for WDS has these items installed and properly configured. When time is taken to ensure that the server is properly prepared, the result is a trouble-free installation and configuration of WDS. After you have met the prerequisites for the server build, WDS must be installed as a role (Exercise 9.1).
Benefit of Images

Recently a client had an increasing need to improve the quality of their machine builds and reduce the time that was spent deploying new machines. This client had 250 computers in five locations and two states. They had just signed an agreement to refresh one-third of their machines, and because this was a leasing program, they would be doing this every year. The current standard operating procedure was to build each machine by hand, which would result in an IT administrator or specialist spending 3 to 5 hours per machine. Each phase of the technical refresh program would have around 80 machines. Simple math tells you that this would require 240 to 400 hours spent on just building the machines, which is not efficient. A plan was developed to create system images and then deploy them with the earlier version of WDS, which was called Remote Installation Services, or RIS. While RIS was not as easy to use or set up as WDS, it did show how valuable images really are. They decided to create three separate images, each with various applications installed based on the departments. A lot of time was spent working with department heads to determine exactly what the images would contain, which allowed us to create base images that needed very little additional attention after they were installed. While we knew that this would reduce the time needed to deploy a machine and would create a standard build, a side benefit turned out to be using the images to assist the help desk. If the help desk encountered an issue that would normally result in them sending someone to rebuild the machine, they would instead deploy the build image. Overall, the use of images saved many man-hours and saved the organization money.
Exercise 9.1: Installing the WDS Role

Follow these steps to install the Windows Deployment Services role:

1. To open Server Manager, click Start > All Programs > Administrative Tools > Server Manager.
2. In the left pane, click Roles.
3. In the Roles Summary section, choose Add Roles.
4. Click Next on the Before You Begin screen.
5. On the Select Server Roles page, check the box next to Windows Deployment Services.
6. Click Next on the Overview of Windows Deployment Services page.
7. On the Select Role Services page, check the Deployment Server and Transport Server boxes.
8. Review the selections on the Confirm Installation Selections page.
9. After reviewing the selections, click Install.

During the installation of WDS, the Deployment Server and Transport Server role services were chosen. The following paragraphs briefly explain these two services:

Transport Server: This option can be chosen without choosing the Deployment Server option. It is used to create a namespace to transmit data from a single server. When just this feature is installed, the server does not need Active Directory, DHCP, or DNS. This option would be selected by itself when you are building a custom deployment solution. While some advanced options can be configured, such as using a defined range of IP addresses or setting the UDP port, the standard installation does not require any additional configuration.

Deployment Server: The Deployment Server option gives WDS full functionality. When this option is checked during installation, the Transport Server must be installed along with it. This end-to-end solution brings the following functionality:

• Support for network boot (PXE server)
• Location to store images
• Multicast
• Monitoring of client installs
• Management tool
With the installation of the WDS role completed, the next section will explain how to configure the WDS settings.
Configuring WDS

One of the nice things about WDS is that it is included as a role that you choose to install. After the role is installed, it requires very little configuration, which means you are able to start creating your deployments within a short period of time. It is still necessary to configure WDS before you use it the first time. The following options are among those that can be configured:

• Create a shared folder that will be used to store the install images, PXE boot files, and the files for Windows PE booting.
• Answer settings for how the server handles incoming client boot requests.
• Add a DHCP tag, which is needed so that the clients know what port the WDS server is listening on.
• Set boot client options so boot clients can find the DHCP server.
Microsoft allows WDS to be configured in two ways:

• Using the Windows Deployment Services Configuration Wizard
• Using a command line and WDSUTIL

In Exercise 9.2, you'll configure WDS for first use.
Exercise 9.2: Configuring WDS Server for First Use

Follow these steps to configure the WDS server for first use:

1. Choose Start > All Programs > Administrative Tools > Windows Deployment Services.
2. In the left pane, expand the Servers node.
3. Right-click on the server name and choose Configure Server. This will open the Windows Deployment Services Configuration Wizard.
4. On the Welcome page, click Next.
5. On the Remote Installation Folder Location screen, choose the folder that will hold the images.
6. Choose the answer policy on the PXE Server Initial Settings screen. For this exercise, choose Do not respond to any client computer.
Three options are presented to you on the PXE Server Initial Settings screen:

Do Not Respond to Any Client Computer: Use this option if you do not want the WDS server to respond to any clients.

Respond Only to Known Client Computers: A client must be prestaged in Active Directory (you have to add the computer account to AD before the machine PXE boots); selecting this option prevents any machine that is not prestaged from PXE booting to the WDS server.

Respond to All (Known and Unknown) Client Computers: This allows all clients to boot to the WDS server. Additionally, checking the box "For unknown clients, notify administrator and respond after approval" requires that an administrator approve new clients before they are allowed to receive the boot service.
7. Click Finish.
8. On the Configuration Complete screen, choose to either add images now or add them later with the Add Image Wizard.
9. Click Finish.

After completing the basic configuration, you can configure the server properties. The options that can be configured are as follows:

• PXE response settings
• Directory Services
• Boot
• Client
• DHCP
• Network Settings
• Advanced
The configuration wizard sets up the basic settings like the PXE response settings, but there are some common settings that need to be looked at or configured. They're on the following tabs:

Boot tab: When a client wants to interact with the server, it will follow the settings on this tab. By default, the configuration wizard configures the PXE boot to require the client to press F12 for the boot to start. This can be changed so that the PXE boot begins immediately. This might be a great option if you are doing a large-scale migration after hours and don't want to have to press F12 on each client.

Network Settings tab: On this tab, you can configure the multicast IP address, the UDP port range, and the network profile. If any changes are made on this tab, you must restart the service.

DHCP tab: If the WDS server is installed on a server running DHCP, it will cause a conflict because both WDS and DHCP listen on port 67 by default. This tab allows you to change the settings so that WDS will not listen on port 67.

In Exercise 9.3, you'll configure some server properties.

Exercise 9.3
Configuring WDS Server Properties

Follow these steps to configure WDS server properties:

1. Choose Start > All Programs > Administrative Tools > Windows Deployment Services.
2. In the left pane, expand Servers.
3. Right-click on the WDS server and choose Properties.
4. In the server’s Properties dialog box, click the Boot tab.
5. On the Boot tab, make any necessary changes to the boot program or add a default boot image.
6. On the Network Settings tab, determine what the multicast IP address will be or set it to be obtained from a DHCP server. Microsoft doesn’t recommend changing the default IP address range (unless your network needs a different range). The UDP port range and network profile can be changed on this tab.
7. If the WDS server is also running DHCP, click on the DHCP tab and check the Do Not Listen on Port 67 and Configure DHCP Option 60 to PXEClient boxes.
8. Click OK to finish.
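As an added example (not from the book), the same Exercise 9.3 DHCP and answer-policy settings applied and verified with WDSUTIL from PowerShell, so they can be scripted across several WDS servers instead of clicked through. It assumes an elevated PowerShell prompt on the WDS server, the Windows service names DHCPServer (DHCP Server) and WDSServer (Windows Deployment Services Server), and the documented /Set-Server and /Get-Server switches of WDSUTIL.

```powershell
# Added example: script the Exercise 9.3 settings with WDSUTIL and read them back.
# Assumptions: elevated PowerShell on the WDS server; service names DHCPServer and WDSServer.

function Invoke-WdsUtil {
    # Runs wdsutil with the given arguments and fails loudly: wdsutil reports
    # problems only through its exit code and console text.
    param([string[]]$Arguments)
    $output = & wdsutil.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "wdsutil $($Arguments -join ' ') failed ($LASTEXITCODE): $output"
    }
    $output
}

# 1. WDS and DHCP only collide on UDP 67 when the DHCP Server role runs on this
#    machine. In that case leave 67 to DHCP and let DHCP advertise the PXE server
#    through option 60 (the two check boxes on the DHCP tab).
$dhcpLocal = Get-Service -Name DHCPServer -ErrorAction SilentlyContinue
if ($dhcpLocal) {
    Invoke-WdsUtil @('/Set-Server', '/UseDhcpPorts:No', '/DhcpOption60:Yes') | Out-Null
} else {
    Write-Host 'DHCP Server is not installed locally; default WDS port settings kept.'
}

# 2. Answer policy: only computers prestaged in Active Directory receive a boot
#    image. This is the setting that keeps an unknown machine plugged into the
#    LAN from pulling your boot and install images.
Invoke-WdsUtil @('/Set-Server', '/AnswerClients:Known') | Out-Null

# 3. The settings are read when the service starts, so restart it.
Restart-Service -Name WDSServer

# 4. Verify by dumping the server configuration and showing the relevant lines.
Invoke-WdsUtil @('/Get-Server', '/Show:Config') |
    Select-String -Pattern 'DHCP', 'Answer', 'port'
```

Run it once per WDS server; the final Select-String output is what you compare against the values you set, since the GUI and WDSUTIL write the same configuration.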
Capturing Images

Many IT administrators are familiar with the concept of system images. When most think of system images, they think of products such as Symantec Ghost or Acronis True Image. When you use images, you are essentially taking an existing operating system configuration and creating a copy or clone of it. This clone can then be used to restore the computer or deployed to additional computers to give them the same configuration. So what do we mean when we talk about capturing images specifically for WDS? Normally, when an image is deployed, it will start up to an operating system setup wizard. Capturing images will start the image to a capture wizard instead, thus allowing the image to be saved as a WIM file (with a .wim filename extension). What is involved in creating an image? Here's a high-level overview:

1. Install an operating system on a server or computer.
2. Make any custom changes needed, such as installing software, specific drivers, or anything else specific to your organization.
3. Sysprep the server or computer.
4. Reboot into Windows Preinstallation Environment (WinPE).
5. Capture the offline image into a WIM file.
6. Store the image in the WDS image store.

That is a high-level overview of the imaging process in WDS; let's look at what the WDS image capture utility does:

1. WinPE boots and the WDS image capture utility is started.
2. WDSCapture.exe looks for the WDSCapture.inf file. This file contains answers to the questions asked in the GUI during installation. If this file does not exist, you will have to enter the answers manually.
3. Drives are then scanned for a sysprepped offline image.
4. Metadata is extracted from the data points in the image. This data contains information such as HAL type, architecture, product name, OS version, and language.
5. The volume in which to save the WIM file is selected.
6. The image is updated with the information that was extracted in step 4 and any other values that are entered by the user.
7. The image is uploaded to the WDS server.
An image can be captured both from the wizard and using a command-line tool. Exercises 9.4 and 9.5 will show you how to use both. Exercise 9.4 assumes you have already created a sysprep image and have added it to the Install Image folder. It also assumes you have added a boot image to the Boot Image folder.
Exercise 9.4: Creating a Capture Image Using the Wizard

Follow these steps to create a capture image using the wizard:
1. Choose Start > All Programs > Administrative Tools > Windows Deployment Services.
2. In the left pane, expand Servers.
3. Expand your WDS server and then expand Install Images.
4. Expand the Boot Images folder and right-click on the image.
5. Choose Create Capture Boot Image.
6. In the Create Capture Image Wizard, on the Capture Image Metadata page, enter a name, description, and location.
7. Click Next to create the capture image.
8. Right-click on the Boot Images folder.
9. Click Add Boot Image.
10. Browse and choose the capture image that was just created.
11. Click Next.
12. Enter the image name and description and click Next.
13. Review the selections on the Summary screen and click Next.
14. After the image is added, click Finish.
15. Create a machine that will be used for the image. Install the operating system, add your applications, and customize it to your standards.
16. Sysprep the computer.
17. When sysprep is finished, restart the computer and press F12.
18. On the Boot Manager screen, select the capture image and click Next.
19. Choose the correct drive, add a name and description, and click Next.
20. Select the location to store the image and click Save.
21. Click Upload Image to WDS Server.
22. Provide the name of the WDS server, and then click Connect. If prompted for credentials, enter the username and password of an account with rights to the WDS server.
23. Choose the image group in which to store the image.
24. Click Finish.
To create a sysprep image and add it to the WDS image store, please refer to the Microsoft TechNet article at http://technet2.microsoft.com/windowsserver2008/en/library/b7978b72-3b39-441d-924c-4b7a2fd96c371033.mspx?mfr=true.
Exercise 9.5 shows the steps involved in using the command-line utility named WDSUTIL to create a capture image.
Exercise 9.5: Using WDSUTIL to Create a Capture Image

Follow these steps to use WDSUTIL to create a capture image:
1. Click Start, right-click Command Prompt, and choose Run as Administrator.
2. Within the command prompt, type the following:
WDSUTIL /New-CaptureImage /Image:<boot image name> /Architecture:x86 /Filepath:<new capture image path>
Replace <boot image name> with the name of the boot image you want to use to create the capture image and <new capture image path> with the file location and name of the new capture image.
3. Type the following:
WDSUTIL /Add-Image /Imagefile:<capture image path> /ImageType:boot
Replace <capture image path> with the filename and location of the capture image you want to add to the image store.
4. After the capture image has been created, follow steps 8 through 22 in Exercise 9.4 to boot the computer to the capture image and capture the operating system.
Deploying Server Core

A new feature introduced with Windows Server 2008 is Server Core. Server Core is a bare-bones installation of Windows Server 2008. You can think of it this way: if Windows Server 2008 is a top-of-the-line luxury car, then Windows Server 2008 Server Core is the stripped-down "no air conditioning, manual windows, with cloth seats" model. It might not be pretty to look at, but it gets the job done. Server Core supports a limited number of roles:

• Active Directory Domain Services
• Active Directory Lightweight Directory Services
• DHCP
• DNS
• File Services
• Print Services
• Windows Virtualization
• Streaming Media Services
• Internet Information Services (IIS)

Server Core does not have the normal Windows interface or GUI. Almost everything has to be configured via the command line or, in some cases, using Remote Server Administration Tools from a full version of Windows Server 2008 or Windows Vista. While this might scare some administrators off, it has many benefits:

Reduced management: Because Server Core has a minimum number of applications installed, it reduces management.

Minimal maintenance: Only basic systems can be installed on Server Core, so it reduces the upkeep you would need in a normal server installation.

Smaller footprint: Server Core requires only 1GB of disk space to install and 2GB of free space for operation.

Tighter security: With only a few applications running on a server, it is less vulnerable to attacks.

The prerequisites for Server Core are basic. It requires the Windows Server 2008 installation media, the product key, and the hardware on which to install it. Depending on hardware, it takes only a few minutes to install Server Core. One thing to keep in mind is that you cannot upgrade or downgrade to Server Core; Server Core requires a clean installation. There are three editions available for Server Core installations:

• Windows Server 2008 Standard
• Windows Server 2008 Enterprise
• Windows Server 2008 Datacenter

Following the steps in Exercise 9.6 will result in the base install of Server Core.
Exercise 9.6: Installing Server Core

Follow these steps to install Server Core:
1. Insert the Windows Server 2008 CD and boot to the CD.
2. At the Install Windows screen, choose the language, time format, and keyboard method that are relevant to your location and click Next.
3. Click Install Now.
4. Type in your product key and click Next.
5. At the Select the Edition of Windows You Purchased screen, choose the Windows version and click Next.
6. Accept the license terms and click Next.
7. The only option available at the next screen will be Custom (Advanced). Click that option.
8. Choose the disk on which to install Server Core and click Next.
9. Allow setup to complete.
10. After setup is finished, click Other User and type Administrator with no password.
11. Press Enter.
12. Enter a password for the Administrator account.
After you install the base operating system, you use the command-line or remote administrative tools to configure the network settings, add the machine to the domain, create and format disks, and install roles and features.
Configuring Microsoft Windows Activation

Windows Product Activation (WPA) was introduced with the release of Windows XP. The early versions required a 25-character alphanumeric format, and then starting with Windows XP SP2, it added a physical key (which is identified by the hardware). Large corporations, however, used a different set of rules. In the beginning, they were given OEM copies of the software, which did not require activation. Over time, these copies were leaked to other users
and then the Internet. Microsoft worked hard to combat this by introducing Windows Genuine Advantage, which, when the user opts to use it, will allow them to download updates and content from Microsoft’s websites.
Starting with Windows Vista, if a user does not have a product key, it will result in loss of some of the functions, and that will eventually lead to most of the features being disabled. Microsoft understands that companies still use volume keys and need to reduce any loss of production due to product activation. In an effort to make activation easier for companies, Microsoft has allowed for the installation of Key Management Services (KMS). When KMS is installed or activated on a host machine, it becomes the centralized location from which Windows client machines can activate. This reduces the time to activate your products and reduces the impact on your bandwidth. When a KMS host is created with a KMS key, that machine will activate with Microsoft. Then in turn, when machines in your local network need to activate, they activate with the KMS host on your network.
Windows Activation Backlash

When Windows Product Activation (WPA) was first announced by Microsoft in 2001 as a means to prevent piracy, it was received with mixed reviews. Other than Microsoft itself, hardly anyone was in favor of it. Companies were not in favor of this new product activation feature because they were unsure of how it would affect their organization. They were used to having a single install disk without any restrictions, and each individual company had its own specific deployment needs. Home users were also concerned about the implications of the new activation feature. Would their private information be sent to Microsoft? Would Microsoft monitor their activity? How much change in hardware was required to trigger a new activation? The initial primary focus for Windows Activation was to discourage casual copying of Microsoft's products, such as when one person purchases a copy of Microsoft Office and lets a friend install it on their machine. When Product Activation, what Windows Activation was then called, was introduced, it was reported that 50 percent of all piracy was casual copying. Over time, Windows Activation has gained not so much an acceptance but more of a tolerance by users. Microsoft has continued to refine the process to seem less of a bother to people, and in general, people have started to purchase their own copies of software.
KMS has the following prerequisites:

• The KMS host must have the appropriate volume license.
• Machines on your network (the KMS clients) must also have the proper volume license.
• KMS clients need network access to the KMS host. The KMS host uses TCP port 1688 by default.
• The Applications and Services logs need to be configured to handle the volume in your organization. Log sizes can be set in the Log Properties dialog box.
When planning to use a KMS host on your network, it is good to keep a few things in mind:

KMS host changes: The KMS host has the same rules as all other computers. If major hardware changes are made to the KMS server, or it is on a virtual machine that is transferred to another computer, the KMS host will be required to reactivate with Microsoft.

KMS key: It is best to use the KMS key from the highest product group that your company has licensed.

Volume licenses: If you upgrade your product group or purchase a new volume license, you need to upgrade your existing KMS host.

KMS requires a minimum number of physical computers on the network before it will start activating client machines. This is called the activation threshold. The thresholds are as follows:

Windows Vista: Requires 25 physical computers
Windows Server 2008: Requires 5 servers

How do the requirement thresholds work? A KMS host counts the number of physical computers that are requesting activation. The count is a combination of both Windows Vista machines and Windows Server 2008 machines. For example, a company has 10 computers. Of the 10 computers, 8 are Windows Vista and 2 are Windows Server 2008. When these computers request activation, they are given an activation number, so the first computer, which is running Vista, is given the number 1. The next two computers are given numbers 2 and 3. The fourth computer is Windows Server 2008 and is given number 4, but none of the computers can be activated yet. The next computer to request activation is another Windows Server 2008 computer, and because it gets number 5, it activates; however, the Vista computers will not activate until the total number of physical computers has reached 25. Therefore, this company has enough computers to reach the activation threshold for Windows Server 2008 but not for Windows Vista.
Once the thresholds are met, the KMS server will activate virtual machines, but until the numbers are reached, the virtual machines will not count toward the total number of machines needed to cross the threshold. It is thus important to have met these thresholds before the expiration period so that the computers can be activated. The grace period for meeting the KMS threshold requirements for all editions of Windows Vista is 30 days. The grace period for Windows Server 2008 is 60 days.
Installing KMS

Starting with Windows Server 2008, KMS is automatically included. However, the first KMS host needs a KMS key installed and then activated with Microsoft. After this initial activation, the KMS host does not communicate any further information to Microsoft. The following information is sent to Microsoft when you activate the first KMS host:

• IP address
• Product key
• Language settings
• Edition of the operating system
• Hardware ID hash
• Current date
• License and activation condition
Microsoft recommends having a minimum of two KMS host machines. This will ensure a failover to one or the other host in case of loss of connectivity. The KMS service does not require a backup because it does not contain any data that can be lost. If a KMS host is lost, the replacement server will require the same configuration and hostname as the previous KMS host. The new host will then start to collect the activation request until it reaches the minimum threshold. You can keep a record of the KMS activations by saving the Key Management Service logs that will appear in the applications and services logs.
KMS can be installed on any physical machine running Windows Vista, Windows Server 2008, or Windows Server 2003. A KMS host installed on a Vista machine can only activate other Vista machines, so planning is needed for your environment. After the first KMS host is activated with Microsoft, the additional KMS host will activate to the first KMS host. A KMS key can be used to activate up to five more KMS hosts on a network. Each KMS host can then be activated up to nine more times with the same key. If your company requires more than six KMS hosts, you can request additional activations. For more information, see the Volume Licensing website at http://go.microsoft.com/fwlink/?LinkID=73076.
In Exercise 9.7, you'll install a KMS host on a Windows Server 2008 machine.
Exercise 9.7: Installing a KMS Host

Follow these steps to install a KMS host:
1. Click Start, right-click Command Prompt, and choose Run as Administrator.
2. To install your KMS key, type the following and press Enter:
cscript C:\windows\system32\slmgr.vbs /ipk <KMS key>
Replace <KMS key> with your license key.
3. To activate your KMS host, you have two options:
a. To activate online, type the following and press Enter:
cscript C:\windows\system32\slmgr.vbs /ato
b. To activate over the phone, type the following and press Enter:
slui.exe 4
4. When the activation completes, restart the Software Licensing service.
When you install a new KMS key, it will reset your activation count. The KMS count will need to be rebuilt before the KMS host can serve client machines. This will be done automatically because client machines will check back with the KMS server on a regular basis.
Configuring KMS

After a KMS host is enabled and activated, no additional configuration is required. There are a number of options that can be configured if your environment has special needs. Table 9.1 lists some provided scripts that can be run in an elevated command prompt to modify the standard configuration.

Table 9.1 Optional KMS Settings

Configure the TCP port used by the KMS host: Cscript C:\windows\system32\slmgr.vbs /sprt <port>
Disable DNS publishing: Cscript C:\windows\system32\slmgr.vbs /cdns
Re-enable DNS publishing: Cscript C:\windows\system32\slmgr.vbs /sdns
Set KMS host process to a lower priority: Cscript C:\windows\system32\slmgr.vbs /cpri
Set KMS host process to normal priority: Cscript C:\windows\system32\slmgr.vbs /spri
Change activation interval for clients not yet activated: Cscript C:\windows\system32\slmgr.vbs /sai <minutes>
Change activation renewal interval: Cscript C:\windows\system32\slmgr.vbs /sri <minutes>
After changing any of the default settings, it is recommended that you restart the KMS service or reboot the computer. A very important item to review, and change if needed, is DNS. If your environment uses Dynamic DNS, which most Active Directory domains do, and you plan to have only a single KMS host, then you might not require any further configuration. However, if your network does not have Dynamic DNS or you have multiple KMS hosts, some changes may be needed for KMS clients to receive updated information from DNS. When a domain contains multiple KMS hosts, only one KMS host can update the DNS entries. Any additional KMS hosts will be unable to change or update the SRV records unless changes are made on the DNS server. Think of it this way: for a house to receive mail and packages, it is given a unique address. Only that one house receives that address, and it stays with that house so that delivery services know where to find it. A normal person cannot change that address. Similarly, the first KMS host to record its DNS information becomes the owner of that DNS record. When an environment has more than one KMS host, we have to give all the KMS hosts permission to change or update the information. This can be accomplished in two ways: manually change the DNS SRV record, or change the default SRV permissions on the DNS server. DNS publishing is enabled by default. For KMS publishing to work, the network must support SRV publishing. Many organizations prevent this for security reasons. If this is the case, then it is necessary to create or copy the SRV record manually. If at all possible, it is recommended that you use KMS publishing in DNS. Using this method allows the KMS host to make changes in DNS; the changes include IP address, computer name, and TCP port. The KMS host updates its record once a day in case DNS scavenges the information.
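As an added example (not from the book), a PowerShell audit of a KMS host that ties together the activation thresholds from the previous section and the settings Table 9.1 changes. Rather than parsing the text output of slmgr.vbs, it reads the SoftwareLicensingService WMI class that slmgr.vbs itself uses; the property and method names below are assumed to be those of that class, and the thresholds are the page's own figures (5 for Windows Server 2008, 25 for Windows Vista). It assumes an elevated PowerShell prompt on the KMS host and that the Software Licensing service is the one with that display name.

```powershell
# Added example: audit a KMS host's activation count and optional settings.
# Assumptions: elevated PowerShell on the KMS host; SoftwareLicensingService WMI class
# property names as used by slmgr.vbs; thresholds from the text (5 servers, 25 Vista).

$thresholds = @{ 'Windows Server 2008' = 5; 'Windows Vista' = 25 }

$sls = Get-WmiObject -Class SoftwareLicensingService

if (-not $sls.IsKeyManagementServiceMachine) {
    Write-Warning 'This computer is not acting as a KMS host (no KMS key installed and activated).'
}

# Current count = physical computers that have requested activation since the
# count was last reset; installing a new KMS key resets it (Exercise 9.7 note).
$count = [int]$sls.KeyManagementServiceCurrentCount
foreach ($product in $thresholds.Keys) {
    $need  = $thresholds[$product]
    $state = if ($count -ge $need) { 'activating' } else { "waiting ($count of $need)" }
    '{0,-20} threshold {1,2}: {2}' -f $product, $need, $state
}

# Settings that the Table 9.1 switches change (/sprt, /cdns and /sdns, /cpri and /spri, /sai, /sri).
$port = [int]$sls.KeyManagementServiceListeningPort
if ($port -ne 1688) {
    Write-Warning "KMS listens on TCP $port, not the default 1688; firewall rules and any manually created SRV records must use $port."
}
"Listening port       : $port"
"DNS publishing       : $($sls.KeyManagementServiceDnsPublishing)"
"Low process priority : $($sls.KeyManagementServiceLowPriority)"
"Activation interval  : $($sls.VLActivationInterval) minutes"
"Renewal interval     : $($sls.VLRenewalInterval) minutes"

# Changing a setting through the same interface as slmgr.vbs /sprt, followed by
# the service restart the text recommends. Uncomment to apply.
# $sls.SetKeyManagementServiceListeningPort(1688) | Out-Null
# Restart-Service -DisplayName 'Software Licensing'
```

Running this on every KMS host after changes, and again when clients report activation failures, tells you in one screen whether the host is still below a threshold, whether its port matches what clients and DNS expect, and whether DNS publishing is on for the host that is supposed to own the SRV record.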
To configure permissions on the DNS server to allow KMS hosts to publish SRV information in a single DNS domain, complete Exercise 9.8.
61705c09.indd 386
6/27/08 11:50:55 AM
Configuring Microsoft Windows Activation
387
Exercise 9.8: Configuring DNS Permissions for a KMS Host
Follow these steps to configure DNS permissions for a KMS host:
1. Choose Start > All Programs > Administrative Tools > Active Directory Users and Computers.
2. Expand your organization, right-click on Users, and choose New and then Group.
3. Provide a name for the KMS host group and ensure that the group type is Global.
388
Chapter 9 Deploying Servers
4. Click OK.
5. Right-click on the newly created group and choose Properties.
6. Click on the Members tab and then click Add.
7. In the Select Users box that opens, click Object Types.
8. In the Object Types box, check Computers and then click OK.
9. In the Enter Object Names box, input the names of the KMS host machines and click OK.
10. Click Apply and OK, which will then close the AD group Properties dialog box.
11. Close the Active Directory Users and Computers MMC.
12. Open Windows DNS Manager by choosing Start > All Programs > Administrative Tools > DNS.
13. Right-click the DNS server and choose Properties.
14. Click the Security tab and then click Add.
15. Enter the security group that was created in step 4.
16. Give the group that was just added permission to update records on the DNS server. Grant this right only to that group, which should contain nothing but the KMS hosts' computer accounts; whoever can write the _VLMCS record decides which host the clients activate against.
17. Click OK to finish.
At times, organizations will have more than one DNS domain. If this is the case, you can create a list of DNS domains that the KMS host will use when publishing its records. By default, a KMS host publishes information only to its primary DNS domain. This behavior is modified by editing the Registry. Remember that editing the Registry can lead to serious damage to the operating system if not done properly. As a general practice, you should have a proper backup of the server and the Registry settings before editing the Registry. To change the KMS host to publish in multiple domains, follow the steps outlined in Exercise 9.9.
Exercise 9.9: Publishing in Multiple Domains
To configure a KMS host to publish in multiple domains, complete the following steps:
1. Click Start, right-click Command Prompt, and choose Run as Administrator.
2. Type Regedit.exe and then press Enter.
3. Navigate to the following Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SL
4. Right-click on SL and choose New and then Multi-String Value.
5. For the name of the new value, type DnsDomainPublishList and press Enter.
6. Right-click DnsDomainPublishList and choose Modify.
7. In the Value Data section, type each DNS domain suffix that you want the KMS host to publish to; each one should be on a separate line.
8. Click OK to finish.
9. Restart the Software Licensing service (slsvc) so the host registers in the listed domains.
If your environment has security policies or anything else that would block the KMS host from creating and updating the DNS SRV record, you will need to create the entry manually. If the KMS host is not allowed to create or update the SRV record, it is recommended that you disable auto-publishing on all KMS hosts (slmgr.vbs /cdns) so they stop attempting updates that will be refused. Exercise 9.10 walks you through creating a KMS SRV record in a Microsoft DNS server.
Exercise 9.10: Creating a KMS SRV Record
Follow these steps to manually create a KMS SRV record in a DNS server:
1. Choose Start > All Programs > Administrative Tools > DNS.
2. Expand the DNS server and expand Forward Lookup Zones.
3. Right-click on the first domain that will contain the SRV record and choose Other New Records.
4. Scroll down and click on Service Location (SRV).
5. Click Create Record.
6. In the New Resource Record dialog box, enter the following:
Service: _VLMCS
Protocol: _TCP
Priority: 0
Weight: 0
Port Number: 1688
Host Offering This Service: the fully qualified domain name of your KMS host
7. Click OK and then Done.
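The three exercises above (DNS permissions, the DnsDomainPublishList value, and the manual SRV record) all come down to one question: what does a KMS client get back when it asks DNS for _vlmcs._tcp? The following is an added example, not code from the book, showing the command-line equivalents of the exercises plus the check a practitioner runs before and after. The zone contoso.com, the host kms01.contoso.com, the DNS server dns01 and the second domain fabrikam.com are placeholders.

```powershell
# Added example (not from the book): verify and manage the _vlmcs._tcp SRV record
# that KMS clients query to locate a KMS host. All names below are placeholders.
$zone    = 'contoso.com'
$kmsHost = 'kms01.contoso.com'
$dnsSrv  = 'dns01'

# 1. Check what clients actually see. nslookup ships with Windows Server 2008;
#    Resolve-DnsName -Type SRV does the same on Windows Server 2012 and later.
nslookup -type=SRV "_vlmcs._tcp.$zone" $dnsSrv

# 2. If policy blocks SRV publishing, stop every KMS host from trying to register
#    (run elevated on each host), then create the record by hand.
cscript //nologo C:\Windows\System32\slmgr.vbs /cdns   # disable DNS publishing
# cscript //nologo C:\Windows\System32\slmgr.vbs /sdns  # re-enable it later

# 3. Manual record with the same values as Exercise 9.10 (priority 0, weight 0,
#    port 1688). dnscmd is the command-line equivalent of the DNS Manager dialog.
dnscmd $dnsSrv /RecordAdd $zone _vlmcs._tcp SRV 0 0 1688 "$kmsHost."

# 4. Multiple DNS domains: the same REG_MULTI_SZ value as Exercise 9.9.
#    reg.exe separates multi-string entries with \0.
$key = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SL'
reg add $key /v DnsDomainPublishList /t REG_MULTI_SZ /d "contoso.com\0fabrikam.com" /f
Restart-Service slsvc   # Software Licensing service on Windows Server 2008 (sppsvc on later releases)

# 5. Re-check: the host re-registers when the service starts, and the record it
#    publishes should name this host and port 1688 in every listed domain.
nslookup -type=SRV "_vlmcs._tcp.$zone" $dnsSrv
nslookup -type=SRV "_vlmcs._tcp.fabrikam.com" $dnsSrv
```

Run steps 1 and 5 from a machine that is not a KMS host; a client-side lookup is the only view that matters, and a stale or unexpected hostname in the answer is the first sign that a record is owned by a decommissioned host or that scavenging removed it.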
Install from Media
When you're planning to use WDS to deploy a server, Install from Media (IFM) can create a copy of the Active Directory data to reduce initial replication for the new domain controller. IFM can create install media for writeable (full) and read-only domain controllers (RODCs). Although this section may seem out of place in a chapter on deploying servers, using IFM can speed up the deployment of Active Directory servers. Knowing how to use IFM is important for passing the 70-643 exam; however, knowing how Active Directory works and how to manage it is outside the scope of this book. IFM is a subcommand of the ntdsutil utility, which is built into Windows Server 2008 and is available if you have one of the following two roles installed:
- Active Directory Domain Services (AD DS)
- Active Directory Lightweight Directory Services (AD LDS)
Earlier versions of IFM required several steps to create the media, including a backup and restore, but in Windows Server 2008 it is possible to create an IFM set in one step. Again, NTDSUTIL is used to create the media, with or without SYSVOL. NTDSUTIL uses Volume Shadow Copy to create a snapshot of AD from a running domain controller; then it defragments the database and replays its logs. When would this feature be of benefit? One example would be when you're deploying servers to branch offices. In many cases, branch offices have slower WAN links, which in turn can make replicating the data take a considerable amount of time and bandwidth. In short, using IFM can deploy domain controllers more quickly and efficiently. There are a number of facts to keep in mind when using IFM:
- You can use a 32-bit Windows Server 2008 domain controller to create installation media for a 64-bit DC.
- Using NTDSUTIL to create RODC media is safe: it removes cached secrets such as passwords from the media. However, you still want to keep the media in a safe location because it includes the information needed to create a DC in your network. Media for a writeable (full) DC is a copy of the directory database and does contain every account's password hashes, so protect it exactly as you would the domain controller itself and delete it once the new DC is promoted.
- Full AD DS installation media includes the Registry and SYSVOL data, if that option is chosen.
- If you press Ctrl+C during the creation of the IFM media, or it is interrupted in some other way, remove the temp log files before trying again.
- IFM cannot be run on a DC that runs Windows Server 2003.
- When you install AD DS on another DC, be sure to specify the same subfolder used when running the IFM command.
When a server is deployed using IFM, it only needs to replicate the changes to objects in AD made since the IFM media was created. This means that the amount of time that has passed since the creation of the media determines how much data will be replicated. IFM media is thus time sensitive: it is no longer valid once the forest's tombstone lifetime has passed, because deletions older than that would otherwise be reintroduced. The default is 60 days; forests created with Windows Server 2003 SP1 or later default to 180 days. Check the tombstoneLifetime attribute of the Directory Service object in the configuration partition before relying on media that is more than a few weeks old.
Exercise 9.11 will show you how to capture data for IFM.
Exercise 9.11: Capturing Data for Install from Media
To create IFM media, follow these steps:
1. Click Start, right-click Command Prompt, and choose Run as Administrator.
2. Type ntdsutil and press Enter.
3. Type activate instance ntds and press Enter, then type ifm and press Enter. (On Windows Server 2008, ntdsutil requires an active instance before the ifm menu is available.)
4. To create RODC media, type create rodc c:\installfrommedialocation, where c:\installfrommedialocation is the folder in which you want the media to be created. This creates media that does not include SYSVOL. To include SYSVOL, add sysvol after create. Here's an example: create sysvol rodc c:\installfrommedialocation. For a writeable domain controller, use full in place of rodc.
5. When the media creation is successful, you’ll see the message “IFM media created successfully in .”
Summary
Windows Deployment Services can provide immediate value to both an IT administrator and an organization. It makes images, or exact copies, of a properly prepared machine that can be used to clone other machines. This allows for increased efficiency and results in standardized machine builds. Time should be devoted to planning and configuring the WDS server and creating proper build images. An exciting new feature was introduced called Windows Server 2008 Server Core. This installation option provides a minimal version of the full product. You saw how fast and simple it was to install Server Core in Exercise 9.6. We also reviewed the benefits of having a minimal version of Windows Server 2008. The importance of Windows Product Activation (WPA) was stressed when we looked at Key Management Service (KMS). If a product is not properly activated, its functionality becomes limited, ending in reduced-functionality mode, in which a user can use only a web browser, and only for 60 minutes at a time. A KMS host can reduce the footprint of activation on an organization's network and allow it to continue to use volume license keys.
Exam Essentials
Understand how to use images. Know how to capture, prepare, and deploy images. An understanding of how the build process works will be beneficial. You should also know when to create an image and how to prepare one. Take the time to get familiar with IFM and the types of IFM media you can create, along with when you would use each type.
Understand how to deploy images. Understand how the deployment process works and how to deploy an image to multiple machines at the same time.
Understand the Server Core basics. Learn the steps needed to install Server Core and when deploying it would make the most sense. Understand the basic features as well as the prerequisites that are necessary for installation.
Understand the importance of Windows activation. Have a thorough knowledge of how KMS works and why it is needed. Understand how it interacts with DNS and how to configure or create SRV records. Take some time to study how to install or enable KMS with a license key.
Review Questions
1. What changes have been made in WDS? (Choose all that apply.)
A. Support for WinPE as a boot operating system
B. Support for x64-bit systems
C. Can be used to deploy Norton Ghost images
D. Removed the ability to use multicast
2. What is an install image?
A. This is the image a client machine will boot into.
B. This is the CD that contains the installation media.
C. This is the image that contains the operating system you want to deploy.
D. This is a backup image that is used to restore single files.
3. What two components does WDS rely on for IP addresses and name resolution?
A. NTFS
B. DNS
C. KMS
D. DHCP
4. What is the difference between a transportation server and a deployment server when discussing WDS?
A. A deployment server gives WDS full functionality.
B. There is no difference, as they are both services of WDS.
C. A deployment server does not need AD.
D. A transportation server provides full WDS functions.
5. What is the name of the utility that Microsoft provides, besides a wizard, to configure WDS?
A. Command prompt
B. DNSLint
C. FCIV
D. WDSUTIL
6. What are some of the options that can be configured in WDS Properties? (Choose all that apply.)
A. Boot settings
B. Transportation rules
C. DHCP port
D. Activation
7. Which role must be installed on a server to use IFM?
A. Fax
B. Active Directory Domain Services
C. DNS
D. DHCP
8. What is an RODC?
A. The protocol in which a domain controller replicates
B. Redundant Domain Controller
C. Read-only Domain Controller
D. Writeable Domain Controller
9. If the process of creating the IFM media gets interrupted, what files should be deleted before trying again?
A. Temp log files
B. Install files
C. WIM files
D. PST files
10. What tool or utility is used to configure Windows Server Core?
A. COREUtil
B. WDSUTIL
C. Server Manager
D. Command line
11. What roles are supported by Server Core? (Choose all that apply.)
A. DHCP
B. Streaming Media Services
C. .NET
D. Desktop Experience
12. How much memory is required to install Server Core?
A. 2GB
B. 512MB
C. 256MB
D. 1GB
13. How much free space does Server Core require to install?
A. 2GB
B. 4GB
C. 1GB
D. 8GB
14. What is a prerequisite for a KMS installation?
A. 2GB of free space
B. 512MB RAM
C. Volume license key
D. Windows installation media
15. What are the activation thresholds for KMS before it will start activating clients? (Choose all that apply.)
A. 50 physical Vista computers
B. 25 physical Vista computers
C. 100 physical Vista computers or servers
D. 5 physical Windows 2008 servers
16. What information is sent to Microsoft when you activate the first KMS host?
A. Web activity
B. DOC file numbers
C. Product key
D. Number of computers on the network
17. How do you back up a KMS host?
A. No backup is needed.
B. Use NTBACKUP.
C. Use a third-party backup program.
D. Microsoft will provide the backup utility when you purchase the KMS key.
18. What operating systems can a KMS host be installed on? (Choose all that apply.)
A. Windows Server 2000
B. Windows Vista
C. Windows Server 2008
D. Windows XP
19. How many other KMS hosts can the first KMS host activate?
A. 5
B. 9
C. 1
D. 7
20. To run the scripts to configure additional settings in KMS, what utility should be used?
A. Command prompt
B. KMSUTIL
C. Elevated command prompt
D. WDSUTIL
Answers to Review Questions
1. A, B. WDS changes include support for WinPE and the ability to support x64-bit systems.
2. C. Install images contain the operating system that you want to deploy to a machine.
3. B, D. WDS relies on DHCP and DNS to provide IP addresses and name resolution.
4. A. When the Deployment Server option has been selected, it provides full functionality to the WDS server.
5. D. Microsoft provides the WDSUTIL utility to configure the WDS server.
6. A, C. You can configure the boot settings and change the DHCP port within WDS server properties.
7. B. To use the IFM utility, you must install the AD DS role or the AD LDS role.
8. C. An RODC is a read-only domain controller.
9. A. Delete the temp log files before attempting to retry a failed IFM creation.
10. D. As Server Core does not contain a GUI, configuration is accomplished by using the command line.
11. A, B. Server Core supports DHCP and Streaming Media Services.
12. B. Server Core requires 512MB of RAM for installation.
13. C. Server Core requires 1GB of free space to install.
14. C. You must have a valid volume license key to enable KMS.
15. B, D. KMS requires 25 physical Vista computers or 5 Windows Server 2008 servers before it will activate clients.
16. C. One of the items that is sent to Microsoft when you activate the first KMS host is the product key.
17. A. It is not necessary to back up a KMS host because it contains only activation logs.
18. B, C. A KMS host can be installed on both a Windows Vista and a Windows Server 2008 machine.
19. A. A KMS key can activate up to five more hosts on a network.
20. C. You must run the scripts from an elevated command prompt.
Chapter 10
Configuring High Availability in Windows Server 2008

Microsoft Exam Objectives covered in this chapter:
Configure high availability. May include but is not limited to: failover clustering, Network Load Balancing, hardware redundancy
61705c10.indd 403
6/27/08 11:57:17 AM
Windows Server 2008 has improved the options for high availability as well as the ease of configuring them. High availability can be better achieved with Windows Server 2008's superior software stability and improved failover and network load balanced clustering. The exam will cover the basic configuration and operational functions for both a failover cluster and network load balancing. This chapter will give an introduction to achieving high availability with hardware and operational changes as well as using the high availability features of Windows Server 2008. This chapter will cover the following topics:
- Components of high availability
- Achieving high availability with failover clustering
- Achieving high availability with network load balancing
Components of High Availability
High availability is a buzzword that many application and hardware vendors like to throw around to get you to purchase their product. Many different options are available to achieve high availability, and there also seem to be a number of different definitions and variations that help vendors sell their products as high availability solutions. But when it comes down to it, high availability is simply providing services with maximum uptime by avoiding unplanned downtime. Often disaster recovery (DR) is lumped into discussions of high availability, but DR encompasses the business and technical processes that are used to recover once a disaster has happened. Defining a high availability plan usually starts with a Service Level Agreement (SLA). At its base, an SLA defines the services and metrics that must be met for availability and performance of an application or service. Often an SLA is created for an IT department or service provider to provide a specific level of service. An example of this might be an SLA for a Microsoft Exchange server. The SLA for an Exchange server might have uptime metrics on how much time during the month the mailboxes need to be available to end users, or it might define performance metrics for the amount of time that it takes for email messages to be delivered. When determining an SLA, two other factors need to be considered. You will often see them discussed only in the context of disaster recovery, even though they are just as important for designing a highly available solution. These factors are recovery point objective (RPO) and recovery time objective (RTO). An RTO is the length of time an application
can be unavailable before service must be restored to meet the SLA. For example, a single component failure might have an RTO of less than 5 minutes, and a full-site failure might have an RTO of 3 hours. An RPO is the maximum amount of data loss that is acceptable after a failure, expressed as the span of time between the last recoverable copy and the failure. For example, in a single server or component failure the RPO would be 0, but in a site failure the RPO might allow for up to 20 minutes of lost data. SLAs, on the other hand, are usually expressed as the percentage of time the application is available. These percentages are also often referred to by the number of nines they contain, as shown in Table 10.1.

Table 10.1 Availability Percentages

Availability Rating    Allowed Unplanned Downtime/year
99%                    3.7 days
99.9%                  8.8 hours
99.99%                 53 minutes
99.999%                5.3 minutes
Two important factors that affect an SLA are the mean time between failure (MTBF) and the mean time to recover (MTTR). To be able to reduce the amount of unplanned downtime, the time between failures must be increased and the time it takes to recover must be reduced. Modifying these two factors will be covered in the next several sections of this chapter.
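The relationship between MTBF, MTTR and the percentages in Table 10.1 is simple arithmetic, and so is the reason a failover cluster helps: redundant nodes are in parallel, while a shared SAN sits in series with all of them. The following is an added example, not code from the book, that turns those formulas into functions; the MTBF and MTTR figures in the usage lines at the bottom are made up for illustration.

```powershell
# Added example (not from the book): availability arithmetic behind Table 10.1.
# Steady-state availability = MTBF / (MTBF + MTTR); components in series multiply,
# redundant components in parallel fail only when all of them fail.

function Get-Availability {
    param([double]$MtbfHours, [double]$MttrHours)
    # Fraction of time a single component is up.
    return $MtbfHours / ($MtbfHours + $MttrHours)
}

function Get-DowntimePerYear {
    param([double]$Availability)
    # Minutes of unplanned downtime allowed in a 365-day year.
    return (1 - $Availability) * 365 * 24 * 60
}

function Get-SeriesAvailability {
    param([double[]]$Parts)
    # Every part is required (server, switch, SAN): product of availabilities.
    $a = 1.0
    foreach ($p in $Parts) { $a *= $p }
    return $a
}

function Get-ParallelAvailability {
    param([double[]]$Parts)
    # Independent redundant parts: the service is down only when all are down.
    $down = 1.0
    foreach ($p in $Parts) { $down *= (1 - $p) }
    return 1 - $down
}

# Table 10.1 regenerated from the formula.
foreach ($pct in 0.99, 0.999, 0.9999, 0.99999) {
    '{0,9:P3}  {1,10:N1} min/year' -f $pct, (Get-DowntimePerYear $pct)
}

# Made-up figures: one server with MTBF 2000 h and a 4 h rebuild (MTTR).
$node    = Get-Availability -MtbfHours 2000 -MttrHours 4        # ~99.80 %
# Two such nodes in a failover cluster: the service survives unless both are down.
$cluster = Get-ParallelAvailability @($node, $node)              # ~99.9996 %
# The shared SAN (say 99.99 %) is still in series with the whole cluster and
# now dominates the result, which is why Table 10.1 targets need redundant storage too.
$service = Get-SeriesAvailability @($cluster, 0.9999)            # ~99.99 %
'{0:P4} single node, {1:P4} two-node cluster, {2:P4} cluster + SAN' -f $node, $cluster, $service
```

The last line is the practical lesson of this section: clustering the servers moves the bottleneck to whatever is left in series, so the SLA is only as good as the least redundant component on the path from client to data.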
Achieving High Availability
As the information presented during the Windows installation states, Windows Server 2008 is the most secure and reliable Windows version to date. It also is the most stable, mature, and capable of any version of Windows. Although we have seen similar claims in previous versions of Windows Server, we can be sure that Windows Server 2008 is much better than previous versions for a variety of reasons. An honest look at the feature set and real-world experience should prove that this version of Windows provides the most suitable foundation for creating a highly available solution. However, more than just good software is needed to be able to offer high availability for applications. Just as a house needs a good foundation, a highly available Windows Server needs a stable and reliable hardware platform to run on. Although Windows Server 2008 will technically run on desktop-class hardware, high availability is more easily achieved with server-class hardware. What differentiates desktop-class and server-class hardware? Server-class hardware has more management and monitoring features built in so that the health
of the hardware can be monitored and maintained. Another large difference is that server-class hardware has redundancy options. Server-class hardware often has options to protect from drive failures, such as RAID controllers, and to protect against power supply failures, such as multiple power supplies. Enterprise-class servers have more. More needs to be done than just installing Windows Server 2008 to ensure that the applications stay running with the best availability possible. A house needs maintenance and upkeep to keep the structure in proper repair, as does a server. In the case of a highly available server, this means patch management. Microsoft releases monthly security updates to fix security problems with its software, both for the operating system and for applications. To ensure that your highly available applications are not exposed to known vulnerabilities, these patches need to be applied in a timely manner during a scheduled maintenance window. Also, to address stability and performance issues, updates and service packs are released regularly for many applications, such as Microsoft SQL Server, Exchange Server, and SharePoint Portal Server. Many companies have a set schedule, daily, weekly, or monthly, to apply these patches and updates after they are tested and approved. To continue even further with the house analogy, if you were planning to have crown molding installed, would you rather hire a college student on spring break looking to make some extra money to do the job or a seasoned artisan? Of course you would want someone with experience and a proven record of accomplishment to install your expensive crown molding. Likewise, with any work that needs to be done on your highly available applications, it's best to hire only adequately qualified individuals. This is why obtaining a Microsoft certification is definitely an excellent start in becoming qualified to properly configure a server to be highly available.
There is no substitute for real-life and hands-on experience. Working with highly available configurations in a lab and in production will help you to know not only what configurations are available, but also how the changes should be made. For example, it may be possible to use failover clustering for a WINS server, but in practice it may be easier to support and less expensive in hardware cost to use WINS replication to provide high availability. This is something you would know only if you had enough experience to make this decision. As with your house, once you have a firm and stable foundation built by skilled artisans and a maintenance plan has been put into place, you need to ascertain what more is needed. If you can’t achieve enough uptime with proper server configuration and mature operational processes, a cluster may be needed. Windows Server 2008 provides for two types of clustering: failover clustering and Network Load Balancing (NLB). Failover clustering is used for applications and services such as SQL Server and Exchange Server. Network Load Balancing is used for network-based services such as web and FTP servers. The remaining sections of the chapter will cover both of these clustering options in detail.
To Cluster or Not to Cluster Clustering is often thrown into the mix when someone wants to achieve higher availability. This is often a good step toward improved availability, but at times the return on the investment of a cluster doesn’t always add up. Although Windows Server 2008 greatly simplifies both the creation and management of a failover cluster, there is added complexity and cost in hardware, software, and personnel. How do you determine whether to cluster applications? Sometimes even though it is possible to cluster applications, they perform worse when clustered. Other times only a small improvement is made when a cluster is created. You have to balance the slight improvement over the increased hardware cost, increased complexity, and the increased level of training required for the administrators.
Achieving High Availability with Failover Clustering Taking high availability to the next level for enterprise services often means creating a failover cluster. In a failover cluster, all of the clustered application or service resources are assigned to one node or server in the cluster. Commonly clustered applications are SQL Server and Exchange Server; commonly clustered services are File and Print. Since the differences between a clustered application and a clustered service are primarily related to the number of functions or features, for simplicity we will refer to both as clustered applications. If there is a failure of the primary node, or if the primary node is taken offline for maintenance, the clustered application is started on another cluster node. The client requests are then automatically redirected to the new cluster node to minimize the impact of the failure. How does failover clustering improve availability? By increasing the number of server nodes that the application has available to run on, you can move the application to a healthy server if there is a problem, if maintenance needs to be completed on the hardware or the operating system, or if patches need to be applied. The clustered application can be moved from node to node without having to restart. Usually, moving an application between nodes is transparent to the clients. Only severe node failures will require the application to be restarted before it is able to service clients. Figure 10.1 shows an example of SQL Server running on the first node of a Windows Server 2008 failover cluster.
Figure 10.1 Using failover clustering to cluster SQL Server (diagram: clients connect to Node A, which is active and runs SQL Server; Node B is passive; both nodes attach to the SAN)

The clustered SQL Server in Figure 10.2 can be failed over to another node in the cluster and still service database requests.

Figure 10.2 Failing the SQL Server service to another node (diagram: Node A is now passive; SQL Server runs on Node B, which is active; both nodes attach to the SAN)
Failover clustering is notorious for being complicated and expensive. Windows Server 2008 makes strides to remove both of these concerns. Troubleshooting and other advanced concepts are outside the scope of the 70-643 exam and thus this book, so we will cover only the basic requirements and concepts needed to configure a failover cluster.
Failover Clustering Requirements
To be able to configure a failover cluster, first you must have the required components. The first requirement is that the correct Windows Server 2008 edition has been installed. Only Windows Server 2008 Enterprise Edition and Windows Server 2008 Datacenter Edition are allowed to participate in a failover cluster. A single failover cluster can have up to 16 nodes when using the x64 installation and up to 8 nodes when using the x86 installation; however, the clustered service or application must support that number of nodes. The appropriate server hardware is also required. Although the exact hardware will depend on the clustered application, there are a few requirements that are standard. The basic hardware requirements are as follows:
- Server components must be marked with the "Certified for Windows Server 2008" logo.
- Server hardware should match and contain the same or similar components.
- All of the Validate a Configuration Wizard tests must pass.
- All servers in a cluster must run the same processor architecture, such as 32-bit, x64-based, or Itanium-based architecture.
The requirements for failover clustering storage have changed from previous versions of Windows. For example, parallel SCSI is no longer a supported storage technology for any of the clustered disks. The storage components must meet these additional requirements:
- Disks available for the cluster must be Fibre Channel, iSCSI, SAS, or SATA-based disks.
- Each cluster node must have a dedicated network interface card for iSCSI connectivity.
- Multipath software must be based on Multipath I/O (MPIO).
- Storage drivers must be based on storport.sys.
- Drivers and firmware for the storage controllers on each server node in the cluster should be identical.
- Storage components must be marked with the "Certified for Windows Server 2008" logo.
In addition, there are network requirements that must be met for failover clustering:
- Cluster nodes should be connected to multiple networks for communication redundancy.
- Network adapters should be the same make, use the same driver, and have the same firmware version in each cluster node.
- Network components must be marked with the "Certified for Windows Server 2008" logo.
There are two types of network connections in a failover cluster. Both should have adequate redundancy, because total failure of either could cause loss of functionality of the cluster. The two types are as follows:
- Public network. This is the network through which clients connect to the clustered service or application.
- Private network. This is the network the nodes use to communicate with each other.
To provide redundancy for these two network types, additional network adapters would need to be added to the node and configured to connect to the networks. In previous versions of Windows Server, support was given only when the entire cluster configuration was tested and listed on the HCL. The tested configuration listed the server and storage configuration down to the firmware and driver versions. This proved to be very difficult and expensive from both a vendor and consumer perspective to deploy supported Windows clusters. When problems did arise and Microsoft support was needed, it caused undue troubleshooting complexity as well. With Windows Server 2008 failover clustering, simplified requirements, including the “Certified for Windows Server 2008” logo program and the Validate a Configuration Wizard, all but eliminate the guesswork that was put into getting the cluster components configured in a way that will follow best practices and allow for Microsoft support to easily assist in a case it might be needed.
Cluster Quorum
When a group of people sets out to accomplish a single task or goal, a method for settling disagreements and for making decisions is required. In the case of a cluster, the goal is to provide a highly available service in spite of failures. When a problem occurs and a cluster node loses communication with the other nodes due to a network error, the functioning nodes are supposed to try to bring the redundant service back online. How, though, is it determined which node should bring the clustered service back online? If all of the nodes are functional despite the network communications issue, each one might try. Just like a group of people with their own ideas, a method must be put in place to determine which idea, or node, is allowed control of the cluster. Windows Server 2008 failover clustering, like other clustering technologies, requires that a quorum exist between the cluster nodes before a cluster becomes available. A quorum is a consensus of the status of each of the nodes in the cluster. Quorum must be achieved, by obtaining a majority of the votes available, before a clustered application can come online. Windows Server 2008 has four quorum models, or methods for determining quorum and for adjusting the number and types of votes available:
- Node Majority
- Node and Disk Majority
- Node and File Share Majority
- No Majority: Disk Only
Node Majority, shown in Figure 10.3, allows only the cluster nodes to vote to obtain quorum. Node Majority is recommended for clusters with an odd number of nodes. When this quorum model is chosen, the cluster can sustain failures of up to one less than half of the nodes. For example, a five-node cluster can sustain two node failures. Node and Disk Majority, shown in Figure 10.4, allows the cluster nodes and a disk on shared storage to vote to obtain quorum. Node and Disk Majority is recommended for clusters with an even number of nodes. When this quorum method is chosen, the cluster can sustain failures of up to half the nodes if the witness disk remains online. For example, an eight-node cluster with the witness disk online could sustain four node failures. Similar to a Node Majority quorum, this model can sustain failures of up to one less than half of the nodes if the witness disk goes offline or fails.
Figure 10.3 Node Majority cluster. When a majority of the nodes are communicating, the cluster is functional. When a majority of the nodes are not communicating, the cluster stops.
Figure 10.4 Node and Disk Majority cluster. When two out of the four nodes and the witness disk communicate, the cluster is running. When three out of the four nodes communicate, the cluster is running. When only one of the four nodes and the witness disk communicate, the cluster is down.
Node and File Share Majority allows the cluster nodes and a file share to vote to obtain quorum. Node and File Share Majority is recommended for clusters with non-shared disk configurations such as Exchange Server 2007 Clustered Continuous Replication (CCR) clusters or multi-site clusters. This quorum works in a similar way to Node and Disk Majority, but instead of a witness disk, this cluster uses a witness file share. No Majority: Disk Only, shown in Figure 10.5, uses only a shared disk to obtain quorum. This quorum type is similar to legacy Windows Server cluster types and is not a recommended solution because the shared disk is a single point of failure. If the shared disk fails, none of the clustered applications can come online. It can, however, sustain failures of all nodes except one, assuming the shared disk is online.
Figure 10.5 No Majority: Disk Only cluster. When one node and the disk are communicating, the cluster is running. When all three of the nodes are communicating with each other but not with the disk, the cluster stops.
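The vote counting behind the four models can be checked with the following simulator, an added example written for this section rather than code from the book or from Microsoft. It encodes the rules above (one vote per node, one vote for a witness disk or file share, a strict majority required, and the shared disk alone deciding under No Majority: Disk Only) and reproduces the outcomes shown in Figures 10.3 through 10.5; the model-name constants are chosen here.

```python
"""Quorum vote simulator for the four Windows Server 2008 quorum models.

Added example, not code from the book or from Microsoft. Each node holds one
vote, a witness disk or witness file share holds one vote, and a partition of
the cluster may bring clustered applications online only when it holds a strict
majority of all votes. No Majority: Disk Only ignores node votes and follows
the shared disk alone.
"""
from typing import Optional

NODE_MAJORITY = "Node Majority"
NODE_AND_DISK_MAJORITY = "Node and Disk Majority"
NODE_AND_FILE_SHARE_MAJORITY = "Node and File Share Majority"
NO_MAJORITY_DISK_ONLY = "No Majority: Disk Only"


def total_votes(model: str, node_count: int) -> int:
    """Number of votes that exist in the cluster under the given model."""
    if model == NODE_MAJORITY:
        return node_count
    if model in (NODE_AND_DISK_MAJORITY, NODE_AND_FILE_SHARE_MAJORITY):
        return node_count + 1          # nodes plus one witness vote
    if model == NO_MAJORITY_DISK_ONLY:
        return 1                       # only the shared disk decides
    raise ValueError(f"unknown quorum model: {model}")


def has_quorum(model: str, node_count: int, nodes_communicating: int,
               witness_online: bool) -> bool:
    """True when a partition of nodes_communicating nodes can run the cluster.

    witness_online says whether that partition can reach the witness disk or
    file share; it is ignored for Node Majority, which has no witness.
    """
    if model == NO_MAJORITY_DISK_ONLY:
        # Any single surviving node that can reach the shared disk keeps running.
        return witness_online and nodes_communicating >= 1
    votes = nodes_communicating
    if model != NODE_MAJORITY and witness_online:
        votes += 1
    # A majority means strictly more than half of all votes.
    return votes * 2 > total_votes(model, node_count)


def max_node_failures(model: str, node_count: int,
                      witness_online: bool = True) -> Optional[int]:
    """Largest number of node failures the cluster can absorb and stay online.

    Returns None when the cluster cannot run at all (for example Disk Only with
    the shared disk offline), the single point of failure the text warns about.
    """
    for failed in range(node_count, -1, -1):
        if has_quorum(model, node_count, node_count - failed, witness_online):
            return failed
    return None


if __name__ == "__main__":
    # Walk the figures: 5-node Node Majority, 4-node Node and Disk Majority,
    # 3-node No Majority: Disk Only.
    for model, n in ((NODE_MAJORITY, 5), (NODE_AND_DISK_MAJORITY, 4),
                     (NO_MAJORITY_DISK_ONLY, 3)):
        print(f"{model:30} {n} nodes: survives "
              f"{max_node_failures(model, n)} failures with witness online, "
              f"{max_node_failures(model, n, False)} with it offline")
```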
Validating a Cluster Configuration
Configuring a failover cluster in Windows Server 2008 is much simpler than in previous versions of Windows Server. Before a cluster can be configured, the Validate a Configuration Wizard should be run to verify that the hardware is configured in a fashion that is supportable. Before you can run the Validate a Configuration Wizard, however, the Failover Clustering feature needs to be installed using Server Manager. The account that is used to create a cluster must have administrative rights on each of the cluster nodes and have permissions to create a cluster name object in Active Directory. Follow these steps:
1. Prepare hardware and software prerequisites.
2. Install the Failover Clustering feature on each server.
3. Log in with an appropriate user ID and run the Validate a Configuration Wizard.
4. Create a cluster.
5. Install and cluster applications and services.
To install the Failover Clustering feature on a cluster node, follow the steps outlined in Exercise 10.1.
Exercise 10.1 Installing the Failover Cluster Feature
Follow these steps to install the Failover Cluster feature:
1. Click Start > Administrative Tools > Server Manager.
2. Select Add Features, located in the Features Summary section of Server Manager.
3. Select the Failover Clustering feature from the displayed list and click Next.
4. In the Confirm Installation Selections page, review the selection and then click Install.
5. When the installation process completes, click Close.
Using the Validate a Configuration Wizard before creating a cluster is highly recommended. This wizard validates that the hardware and software configuration of the potential cluster nodes is a supported configuration. Even if the configuration passes the tests, care should be taken to review all warnings and informational messages so that they can be addressed or documented before the cluster is created. Running the Validate a Configuration Wizard does the following:
- Conducts four types of tests: Software and Hardware Inventory, Network, Storage, and System Configuration.
- Confirms that the hardware and software settings are supportable by Microsoft support staff.
You should run Validate a Configuration Wizard before creating a cluster or after any major hardware or software changes to the cluster. Doing this will help identify any misconfigurations that could cause problems with the failover cluster. In the next section, we will cover the process for running the Validate a Configuration Wizard.
Running the Validate a Configuration Wizard
The Validate a Configuration Wizard, shown in Figure 10.6, is simple and straightforward to use, as its “wizard” name would suggest. It must be run after the Failover Clustering feature has been installed on each of the cluster nodes and can be run as many times as required. When you are troubleshooting cluster problems or have changed the configuration of the cluster hardware, it is a good idea to run the Validate a Configuration Wizard again to help pinpoint potential cluster configuration problems.
Figure 10.6 The Validate a Configuration Wizard
If you already have a cluster configured and want to run the Validate a Configuration Wizard, you can do so; however, you will not be able to run all of the storage tests without taking the clustered resources offline. As shown in Figure 10.7, you will be prompted to either skip the disruptive tests or take the clustered resources offline so the tests can complete.
Figure 10.7 Validating a running cluster
Exercise 10.2 shows the exact steps to successfully run the Validate a Configuration Wizard on two servers, named NODEA and NODEB, that are not yet clustered.
Exercise 10.2 Running the Validate a Configuration Wizard
Follow these steps to run the Validate a Configuration Wizard:
1. Click Start > Administrative Tools > Failover Cluster Management.
2. In the Actions pane, click Validate a Configuration and click Next.
3. Type NODEA in the Enter Name field and click Add.
4. Type NODEB in the Enter Name field and click Add.
5. Click Next.
6. Leave Run All Tests (Recommended) selected and click Next.
7. Click Next.
8. Let the test complete and review the report in the Summary window, and then click Finish.
Addressing Problems Reported by the Validate a Configuration Wizard
After the Validate a Configuration Wizard has been run, it will show the results, as shown in Figure 10.8. This report can also be viewed in detail later using a web browser. The report is named with the date and time the wizard was run and is stored in %windir%\cluster\Reports.
Figure 10.8 Validate a Configuration Wizard results
How should errors listed in the report be addressed? Often the errors reported by the Validate a Configuration Wizard are self-explanatory; however, there are times when additional help is required. The following three guidelines should help troubleshoot the errors:
- Read all of the errors because multiple errors may be related.
- Use the checklists available in the Windows Server help files to ensure that all steps have been completed.
- Contact the hardware vendor for updated drivers and firmware and for guidance on using the hardware in a cluster.
Creating a Cluster
After you have successfully validated a configuration and the cluster hardware is in a supportable state, you can create a cluster. The process for creating a cluster is straightforward and similar to the process of running the Validate a Configuration Wizard. To create a cluster with NODEA and NODEB, follow the instructions in Exercise 10.3.
Exercise 10.3 Creating a Cluster
Follow these steps to create a cluster:
1. Click Start > Administrative Tools > Failover Cluster Management.
2. In the Management section of the center pane, select Create a Cluster.
3. Read the Before You Begin information and click Next.
4. In the Enter Server Name box, type NODEA, and then click Add.
5. Again in the Enter Server Name box, type NODEB, and then click Add.
6. Verify the entries, and then click Next.
7. In the Access Point for Administering the Cluster section, enter Cluster1 for the cluster name.
8. Type 10.10.1.96 as the IP address, type 255.255.255.0 as the subnet mask, and then click Next.
9. In the Confirmation dialog box, verify the information, and then click Next.
10. On the Summary page, click Finish.
By creating a cluster, you have established the foundation for your clustered applications. At this point in the configuration, however, there are only a couple of activities that can be completed, such as adding, pausing, and evicting cluster nodes. One of the configuration settings you can change at this point is the quorum type of the cluster. During the setup of the cluster, the best quorum model is chosen based on the number of cluster nodes and the disk configuration. To change the quorum type, in Failover Cluster Management, choose the cluster name from the Connections pane and then click Quorum Settings from the Actions pane. As shown in Figure 10.9, this will allow you to choose a valid quorum model based on the current cluster configuration.
Working with Cluster Nodes
Once a cluster is created, there are a couple of actions that are available. First, you can add another node to the cluster by using the Add Node Wizard from the Failover Cluster Management Actions pane. Also at this point, you have the option to pause a node, which prevents resources from being failed over or moved to the node. You typically would pause a node when the node is involved in maintenance or troubleshooting. After a node is paused, it must be resumed to allow resources to again be run on it. Another action available to perform on a node at this time is evict. Eviction is a reversible process. Once you evict the node, it must be re-added to the cluster. You would evict a node when it is damaged beyond repair or is no longer needed in the cluster. If you evict a damaged node, you can repair or rebuild it and then add it back to the cluster using the Add Node Wizard.
Figure 10.9 Changing the quorum model
Clustering Roles, Services, and Applications
Once the cluster is created, applications, services, and roles can be clustered. Windows Server 2008 includes a number of built-in roles and features that can be clustered. The following roles and features can be clustered in Windows Server 2008:
- Virtual Machines
- File Services
- Print Services
- DHCP Server
- Windows Internet Naming Services (WINS)
In addition, other common services and applications are clustered on Windows Server 2008 clusters:
- Enterprise database services such as Microsoft SQL Server
- Enterprise messaging services such as Microsoft Exchange Server
To cluster a role or feature such as Print Services, the first step is to install the role or feature on each node of the cluster. The next step is to use the Configure a Service or Application Wizard in the Failover Cluster Management tool. Exercise 10.4 shows how to cluster the Print Services role once an appropriate disk has been presented to the cluster.
Exercise 10.4 Clustering the Print Service
Follow these steps to cluster the Print Service:
1. Click Start > Administrative Tools > Failover Cluster Management.
2. In the console tree, click the plus sign next to the cluster name to expand the items underneath it.
3. In the Actions pane, click Configure a Service or Application and click Next on the Before You Begin page.
4. Click Print Server in the Select Service or Application Page, and then click Next.
5. Type the name of the print server, such as Print1, and type in the IP address that will be used to access the print service, such as 192.168.1.108. Then click Next.
6. Select Cluster Disk 1 in the Select Storage page as the storage volume for the print server and then click Next.
7. Click Next again.
8. After the wizard runs and the Summary page appears, you can view a report of the tasks the wizard performed by clicking View Report.
9. Close the report and click Finish.
The built-in roles and features are all configured in a similar fashion. Other applications such as Microsoft Exchange Server 2007 have specialized cluster configuration routines that are outside the scope of this exam. Applications that were not developed to be clustered can also be clustered using the Generic Application, Generic Script, or Generic Service option in the Configure a Service or Application Wizard, as shown in Figure 10.10.
Clustered Application Settings
Windows Server 2008 has options that allow an administrator to fine-tune the failover process to meet the needs of their business. In the next few sections, we’ll cover those options.
Figure 10.10 Configuring a generic application
Failover is when a clustered application or service moves from one node to another. The process can be triggered automatically due to a failure or server maintenance or manually by an administrator. The failover process works as follows:
1. The cluster service takes all the resources in the application offline in the order set in the dependency hierarchy.
2. The cluster service transfers the application to the node that is listed next on the application’s list of preferred host nodes.
3. The cluster service attempts to bring all of the application’s resources online, starting at the bottom of the dependency hierarchy.
In a cluster that is hosting multiple applications, it may be important to set specific nodes to be primarily responsible for each clustered application. This can be helpful from a troubleshooting perspective since a specific node is targeted for hosting the service. To set a preferred node and an order of preference for failover, use the General tab on the Properties dialog box of the clustered application. The order of failover is set in this same dialog box by changing the order in which the nodes are listed. If NODEA should be the primary node and NODEC should be the server that the application fails over to first, NODEA should be listed first and selected as the preferred owner. NODEC should be listed second, and the remaining cluster nodes would be listed after NODEC. As shown in Figure 10.11, there are a number of failover settings that can be configured for the clustered service. The failover settings control the number of times a clustered application can fail in a period of time before the cluster stops trying to restart it. Typically, if a clustered application fails a number of times, some sort of manual intervention will be required to return the application to a stable state. Specifying the maximum number of failures will keep the application from trying to restart until it is manually brought back online after the problem has been resolved. This is beneficial because if the application continues to be brought online and then fails, it may show as being functional to the monitoring system even though it continues to fail. After the application is put in a failed state, the monitoring system would not be able to contact the application and should report it as being offline.
Figure 10.11 Clustered application failover settings
Figure 10.11 also shows the Failback settings for Print1. Failback settings control whether or not and when a clustered application would fail back to the preferred cluster node once it becomes available. The default setting is Prevent Failback. If failback is allowed, two additional options are available, either to fail back immediately after the preferred node is available or to fail back within a specified time. The time is specified in the 24-hour format. If you want to allow failback between 10:00 p.m. and 11:00 p.m., you would set the failback time to be between 22 and 23. Setting a failback time to off hours is an excellent way to ensure that your clustered applications are running on the designated nodes and automatically scheduling the failover process for a time when it will impact the fewest users. One tool that is valuable in determining how resources affect other resources is the dependency viewer. The dependency viewer is a tool that visualizes the dependency hierarchy created for an application or service. Using this tool can help when troubleshooting why specific resources are causing failures and help an administrator better visualize the current configuration and adjust it to meet business needs. Exercise 10.5 will show you how to run the dependency viewer.
Exercise 10.5 Using the Dependency Viewer
Follow these steps to run the dependency viewer:
1. Choose Start > Administrative Tools > Failover Cluster Management.
2. In the console tree, click the plus sign to expand the cluster.
3. Under the cluster name, click the plus sign to expand Services and Applications.
4. In Services and Applications, select a service or application such as Print1.
5. In the Actions pane, click Show Dependency Report.
6. Review the dependency report.
7. Close Internet Explorer.
Exercise 10.5 generated a dependency report that shows how the print service is dependent on a network name and a clustered disk resource. The network name is then dependent on an IP address.
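The following added example (not code from the book or from Microsoft) replays the three-step failover process for Print1 using the dependency tree just described in the Exercise 10.5 report, together with the NODEA, NODEC, NODEB preferred-owner order from the failover discussion. The dependency map, the preferred-owner list and the set of available nodes are constructed sample data.

```python
"""Simulated failover of a clustered application (added example, not book code).

Step 1: resources go offline from the top of the dependency hierarchy down.
Step 2: the application moves to the next node on its preferred-owner list.
Step 3: resources come back online from the bottom of the hierarchy up.
"""
from collections import deque
from typing import Dict, List, Optional, Set

# Constructed dependency map for Print1: resource -> resources it depends on.
# A dependent resource is online only after its dependencies are online.
PRINT1_DEPENDENCIES: Dict[str, List[str]] = {
    "IP Address": [],
    "Cluster Disk 1": [],
    "Network Name": ["IP Address"],
    "Print Spooler": ["Network Name", "Cluster Disk 1"],
}


def online_order(dependencies: Dict[str, List[str]]) -> List[str]:
    """Topological order: every resource appears after the ones it depends on."""
    indegree = {r: len(deps) for r, deps in dependencies.items()}
    dependents: Dict[str, List[str]] = {r: [] for r in dependencies}
    for r, deps in dependencies.items():
        for d in deps:
            if d not in dependents:
                raise KeyError(f"{r} depends on unknown resource {d}")
            dependents[d].append(r)
    ready = deque(sorted(r for r, n in indegree.items() if n == 0))
    order: List[str] = []
    while ready:
        r = ready.popleft()
        order.append(r)
        for child in sorted(dependents[r]):
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(order) != len(dependencies):
        raise ValueError("dependency cycle; the cluster would reject this configuration")
    return order


def offline_order(dependencies: Dict[str, List[str]]) -> List[str]:
    """Resources are taken offline in the reverse of the online order."""
    return list(reversed(online_order(dependencies)))


def choose_failover_target(preferred_owners: List[str], current_node: str,
                           available_nodes: Set[str]) -> Optional[str]:
    """Next node after current_node on the preferred-owner list that is available.

    The list is walked in order, wrapping around, and paused or failed nodes
    (anything not in available_nodes) are skipped.
    """
    start = preferred_owners.index(current_node) + 1 if current_node in preferred_owners else 0
    candidates = preferred_owners[start:] + preferred_owners[:start]
    for node in candidates:
        if node != current_node and node in available_nodes:
            return node
    return None


def simulate_failover(dependencies: Dict[str, List[str]], preferred_owners: List[str],
                      current_node: str, available_nodes: Set[str]) -> Dict[str, object]:
    """Return the offline sequence, the node chosen and the online sequence."""
    target = choose_failover_target(preferred_owners, current_node, available_nodes)
    if target is None:
        raise RuntimeError("no available node can host the application")
    return {
        "offline": offline_order(dependencies),
        "moved_to": target,
        "online": online_order(dependencies),
    }


if __name__ == "__main__":
    # NODEA fails; NODEB and NODEC are still up, NODEC is preferred next.
    print(simulate_failover(PRINT1_DEPENDENCIES, ["NODEA", "NODEC", "NODEB"],
                            "NODEA", {"NODEB", "NODEC"}))
```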
Resource Properties
Resources are physical or logical objects, like a file share or IP address, that the failover cluster manages. They may be a service or application available to clients or they may be part of the cluster. Resources include physical hardware devices such as disks and logical items such as network names. They are the smallest configurable unit in a cluster and can run on only a single node in a cluster at a time. Like clustered applications, resources have a number of properties available to meet business requirements for high availability. This section covers resource dependencies and policies. Dependencies can be set on individual resources and control how resources are brought online and offline. Simply put, a dependent resource is brought online after the resources that it depends on and is taken offline before those resources. As shown in Figure 10.12, dependencies can be set on a specific resource, such as the print spooler.
Figure 10.12 Resource dependencies
Resource policies are settings that control how resources respond when a failure occurs and how resources are monitored for failures. The Policies tab of a resource’s Properties dialog box is shown in Figure 10.13.
Figure 10.13 Resource Policies
The Policies tab sets configuration options for how a resource should respond in the event of a failure. The options available are as follows:
If Resource Fails, Do Not Restart: This option, as its name suggests, leaves the failed resource offline.
If Resource Fails, Attempt Restart on Current Node: With this option set, the resource tries to restart if it fails on the node on which it is currently running. There are two additional options if this is selected so that the number of restarts can be limited. They set the number of times the resource should restart on the current node in a specified length of time. For example, if you specify 5 for maximum restarts in the specified period and 10:00 (mm:ss) for the period, the cluster service will try to restart the resource five times during that 10-minute period. After the fifth restart, the cluster service will no longer attempt to restart the resource on the active node.
If Restart Is Unsuccessful, Fail Over All Resources in This Service or Application: If this option is selected, when the cluster service is no longer trying to restart the resource on the active node, it will fail the entire service or application over to another cluster node. If you wanted to leave the application or service with a failed resource on the current node, you would clear this check box.
If All the Restart Attempts Fail, Begin Restarting Again after the Specified Period (hh:mm): If this option is selected, the cluster service will restart the resource at a specified interval if all previous attempts have failed.
Pending Timeout: This option is used to set the amount of time in minutes and seconds that the cluster service should wait for this resource to respond when changing states. If a resource takes longer than the cluster expects to change states, the cluster will mark it as having failed. If a resource consistently takes longer than this timer and the problem cannot be resolved, you may need to increase this value.
The Advanced Policies tab is shown in Figure 10.14.
Figure 10.14 Resource Advanced Policies
The options available on the Advanced Policies tab are as follows:
Possible Owners: This option allows an administrator to remove specific cluster nodes from running this resource. Using this option is valuable when there are issues with a resource on a particular node and the administrator wants to keep the applications from failing over to that node until the problem can be repaired.
Basic Resource Health Check Interval: This option allows an administrator to customize the health check interval for this resource.
Thorough Resource Health Check Interval: This option allows an administrator to customize the thorough health check interval for this resource.
Run This Resource in a Separate Resource Monitor: If the resource needs to be debugged by a support engineer, or if the resource conflicts with other resources, this option may need to be used.
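As an added example rather than the book's or Microsoft's code, the following simulation replays a constructed series of resource failures against the Policies tab settings described above (restart limit within a period, failover when restarts are exhausted, restart again after a period) and honours the Possible Owners list from the Advanced Policies tab when choosing a failover target. Node names, default values and failure timestamps are constructed.

```python
"""Resource restart policy simulator (added example, not code from the book).

Each failure is handled as the Policies tab describes: restart on the current
node while fewer than max_restarts restarts fall inside the sliding period,
then either fail the whole application over to another possible owner, leave
the resource failed, or leave it failed and begin restarting again after the
retry period.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ResourcePolicy:
    """Constructed defaults mirroring the 5 restarts / 10:00 example in the text."""
    restart_on_failure: bool = True            # If Resource Fails, Attempt Restart on Current Node
    max_restarts: int = 5                      # Maximum restarts in the specified period
    period_seconds: int = 600                  # Period for restarts (mm:ss) = 10:00
    failover_on_restart_failure: bool = True   # If Restart Is Unsuccessful, Fail Over All Resources
    retry_after_seconds: Optional[int] = None  # If All the Restart Attempts Fail, Begin Restarting Again
    possible_owners: List[str] = field(default_factory=lambda: ["NODEA", "NODEB"])


def replay_failures(policy: ResourcePolicy, failure_times: List[int],
                    current_node: str) -> Tuple[List[str], str]:
    """Replay failures (seconds, non-decreasing) and return (actions, hosting node)."""
    actions: List[str] = []
    restarts: List[int] = []            # times of restarts counted on the current node
    node = current_node
    blocked_until: Optional[int] = None  # when restarts may begin again, if ever
    for t in failure_times:
        if not policy.restart_on_failure:
            actions.append(f"{t}s: left failed on {node} (restart disabled)")
            continue
        if blocked_until is not None:
            if t < blocked_until:
                actions.append(f"{t}s: left failed on {node} (waiting to retry)")
                continue
            blocked_until = None
            restarts = []
        # Only restarts inside the sliding window count toward the limit.
        restarts = [r for r in restarts if t - r < policy.period_seconds]
        if len(restarts) < policy.max_restarts:
            restarts.append(t)
            actions.append(f"{t}s: restart {len(restarts)}/{policy.max_restarts} on {node}")
            continue
        # Restart budget exhausted on this node; Possible Owners limits targets.
        targets = [n for n in policy.possible_owners if n != node]
        if policy.failover_on_restart_failure and targets:
            node = targets[0]
            restarts = []
            actions.append(f"{t}s: failed over application to {node}")
        elif policy.retry_after_seconds is not None:
            blocked_until = t + policy.retry_after_seconds
            actions.append(f"{t}s: left failed on {node}; retry at {blocked_until}s")
        else:
            actions.append(f"{t}s: left failed on {node}")
    return actions, node


if __name__ == "__main__":
    # Three quick failures against a 2-restart limit: the third one fails over.
    for line in replay_failures(ResourcePolicy(max_restarts=2), [0, 100, 200, 300], "NODEA")[0]:
        print(line)
```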
Achieving High Availability with Network Load Balancing
Some applications that need to be highly available do not require failover clustering, such as applications based on web services. These applications typically are able to use Network Load Balancing to balance connections across a number of server nodes. This is more easily done with applications that are session-less or have a minimal amount of session data. An NLB cluster load-balances client TCP/IP connections between cluster nodes and does not share any application data between nodes. If application data needs to be shared between cluster nodes, another facility such as replication will need to be used, or the application will need to be able to retrieve this data. This can be accomplished with data replication, accessing data from a centralized location, or other methods. Network Load Balancing is used both for fault tolerance and for scalability. When it’s used for fault tolerance, a failed node can be removed from the cluster and another node will automatically start servicing requests that were handled by the failed node. In some cases, one server does not have enough resources to handle all of the requests; when this occurs, NLB can be used to spread the connection load across multiple nodes. When NLB is configured this way, it is configured for scalability.
How Does Network Load Balancing Work?
As the name suggests, an NLB cluster uses the network to provide load balancing and redundancy. It is able to accomplish this using a virtual IP address and a virtual media access control (MAC) address that is shared between all of the nodes in the cluster. Client connections are all made to this virtual IP address, as shown in Figure 10.15. When an incoming packet is addressed to the virtual IP address, all of the NLB nodes receive it, but only the appropriate node responds. When a client request arrives, all hosts simultaneously perform a calculation in order to determine which node should handle the request. The chosen node then accepts and responds to the client request and the other cluster nodes discard it. If all nodes are configured identically, the same percentage of client requests will be load-balanced to each node; however, this can be customized to match server capabilities. All nodes synchronize their data about which node should respond to each request and which nodes are active members of the cluster. There are a number of significant improvements to NLB in Windows Server 2008 and they are as follows:
- Support for IPv6 addresses.
- Support of Network Driver Interface Specification (NDIS) 6.0 with compatibility with older versions.
- Network Load Balancing can detect and notify applications of excessive load or attack scenarios.
- Rolling upgrades can be done from Windows Server 2003 to Windows Server 2008.
Figure 10.15 Network load balanced cluster
One of the advanced features of Network Load Balancing is the ability to create port rules. Port rules specify how requests to a specific port range are sent to the NLB cluster. This allows you to specify which nodes will receive traffic for specific TCP/IP ports. For example, say you have an NLB cluster consisting of four servers and it needs to load-balance a web server and an FTP site. The website that runs on TCP port 80 can be limited to use only three of the NLB nodes and the FTP server can be set to run on only two nodes of the NLB cluster. This will help reduce the number of nodes the FTP service would impact when under load.
Network Load Balancing Requirements
Failover clusters require that all of the cluster nodes run either the Enterprise or Datacenter edition of Windows Server 2008. Network Load Balancing is a feature that is available in all editions of Windows Server 2008. However, when you’re using x86 editions of Windows Server 2008, the NLB cluster is limited to 8 nodes. When x64 editions of Windows Server 2008 are used, up to 32 nodes can be achieved. What sort of hardware is required to leverage NLB? The recommended configuration uses two network adapters on each node in the cluster. The primary network adapter is used for client communication and the second network adapter facilitates the communication between the cluster nodes. In some configurations, a single network adapter can be used, but the network hardware must support multicast traffic. If multicast is chosen, additional network hardware requirements must be taken into consideration. For instance, upstream network hardware might need the multicast MAC address statically entered in the Address Resolution Protocol (ARP) table. This is because some network hardware does not accept an ARP response that resolves unicast IP addresses to multicast MAC addresses. Also, using the Internet Group Management Protocol (IGMP) multicast option enables IGMP support for limiting switch flooding by limiting traffic to Network Load Balancing ports only. This ensures that traffic intended for an NLB cluster passes through only those network ports serving the cluster hosts and not all ports. If standard multicasting is used, switches might require additional configuration to set the ports that are used for the multicast traffic.
Creating an NLB Cluster
The first step in creating an NLB cluster is to prepare each cluster node. In our example, we are going to use two servers, each with two network adapters. The network adapter that will host the load-balanced virtual IP and is used for client connections is renamed Client Network, and the network adapter used for cluster communications is renamed Cluster Network. Last, the Network Load Balancing feature is installed on both servers to prepare for configuration. Exercise 10.6 walks you through creating a simple NLB cluster.
Exercise 10.6 Creating a Network Load Balancing Cluster
Follow these steps to create a network load-balanced cluster:
1. Click Start > Administrative Tools > Network Load Balancing Manager.
2. In the left pane, right-click Network Load Balancing Clusters, and then click New Cluster.
3. In the Host field, type NODEA, and then click Connect.
4. Click Client Network, and then click Next.
5. Click Next to accept the default values for host parameters.
6. Click Add to add a cluster IP address.
7. In the IPv4 address field, type 10.10.0.100.
8. In the Subnet mask field, type 255.255.0.0, click OK, and then click Next.
9. In the Full Internet name field, type webapp.sybex.com.
10. Select Unicast, click Next, and then click Finish.
11. Right-click webapp.sybex.com, and then click Add Host to Cluster.
12. In the Host field, type NODEB, and then click Connect.
13. Click Client Network, and then click Next.
14. Click Next to accept the default values for host parameters, and then click Finish.
Modifying Cluster Properties
As mentioned earlier, port rules modify how traffic is directed to NLB cluster nodes. The filtering mode in a port rule defines how requests are distributed among nodes in the NLB cluster. You have the following options for filtering modes, as shown in Figure 10.16:
Multiple Host: By default, this option is set. It configures all NLB nodes to respond based on the weight assigned to each node. This spreads the load across multiple cluster nodes to increase scalability. If this option is selected, one of the Affinity options also needs to be selected. The higher the weight setting, the more load the node will handle.
Figure 10.16 NLB port rules
Single Host  This option, when configured, makes it so only the NLB node with the highest priority responds. If the highest-priority node fails, then the next highest-priority node begins to respond. Sending requests to a single node increases availability but does not increase scalability.

Disable This Port Range  This option blocks all packets for this port range. This option is used when the cluster does not run any applications on a specific port range.

The Affinity options, available when the Multiple Host option is selected in the filter, control how requests are distributed to the available cluster nodes. The options for Affinity are as follows:

None  When this option is set, any available node can respond to any client request. This is suitable for applications such as static web pages that don’t require state information to be saved. For example, the client may retrieve the first web page from Node A and the second web page from Node B.

Single  When this option is set, a single node responds to all requests from a single client IP address. This is required for applications that require authentication, session state, or encryption. This would be important for web applications that have user session variables like shopping carts.

Network  When this option is set, a single node responds to all requests from a specific Class C network. This is useful when clients are accessing the NLB cluster from behind a group of proxy servers. This option ensures that a client connection can be maintained to a specific server even when the source IP address varies within the same subnet.

When changing port rules for a specific node, make sure the changes are reflected on the other nodes; otherwise, the cluster nodes may never complete convergence, which is needed for all the available cluster nodes to work properly.
Managing NLB Clusters

The Network Load Balancing Manager is the graphical interface used to configure and manage NLB clusters, and nlb.exe is the command-line counterpart. As shown in Figure 10.17, there are five main functions that can be performed on active NLB cluster nodes: Start, Stop, Drainstop, Suspend, and Resume. These actions are used when managing an NLB cluster. Each of the options has a slightly different function and reason to use:

Start  This action starts a stopped NLB cluster node so that it can handle NLB traffic.

Stop  This action stops the node temporarily from participating in the cluster and handling NLB traffic.

Drainstop  This action stops the node from taking new sessions and then waits for active sessions to end before completely stopping participation in the cluster.
Figure 10.17 Managing an NLB cluster node
Suspend  This action is different from Stop because suspending NLB stops NLB on the node and suspends all NLB cluster-control commands on the node except for the resume and query commands.

Resume  This action will start NLB on a node that has been suspended.

After the NLB cluster is created and configured, the application also needs to be installed and configured on each server. In the case of a website, it would need to be created on each server and then the content either copied or provided over a network connection to be served.
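The Drainstop, Stop, and Start actions just described can also be issued through nlb.exe, the command-line counterpart named above, which is how you would script a maintenance window so that active client sessions are allowed to finish before a node leaves the cluster. The following is an added example and not code from the book. It assumes it runs in an elevated prompt on the node being serviced, uses the book's example cluster name webapp.sybex.com and host NODEA as its target, takes the command words from nlb.exe's own help (nlb /?), and assumes nothing about the exact wording nlb.exe prints for a draining host beyond what the comment marks as an assumption.

```powershell
# Added example (not from the book): drive nlb.exe to take one node out of an
# NLB cluster for maintenance without cutting active sessions, then return it.
# Assumptions: elevated prompt on the node; webapp.sybex.com / NODEA are the
# book's example names; command words are those listed by "nlb /?".
param(
    [string]$Cluster = "webapp.sybex.com",   # cluster name or virtual IP from Exercise 10.6
    [string]$HostName = "NODEA",             # the node being serviced
    [int]$DrainTimeoutMinutes = 15           # how long active sessions get to finish
)

function Invoke-Nlb {
    # Runs one nlb.exe command against <cluster>:<host> and returns its text output;
    # a non-zero exit code is treated as a hard failure so the script never
    # proceeds to "stop" on a node it could not observe.
    param([string]$Command, [string]$Target)
    $text = & nlb.exe $Command $Target 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw "nlb.exe $Command $Target failed (exit code $LASTEXITCODE):`n$text"
    }
    return $text
}

$target = "${Cluster}:${HostName}"

# 1. Record the state before touching anything so the change is auditable.
Write-Host "State before maintenance:`n$(Invoke-Nlb -Command 'query' -Target $target)"

# 2. Drainstop: refuse new sessions, let existing ones end (Figure 10.17's Drainstop).
Invoke-Nlb -Command "drainstop" -Target $target | Out-Null

# 3. Poll the node until the drain window expires. Assumption: "nlb query" mentions
#    "draining" while sessions remain; if its wording differs, the loop simply runs
#    to the timeout, which is the safe direction.
$deadline = (Get-Date).AddMinutes($DrainTimeoutMinutes)
do {
    Start-Sleep -Seconds 30
    $state = Invoke-Nlb -Command "query" -Target $target
    Write-Host "$(Get-Date -Format 'HH:mm:ss') $state"
} while (($state -match 'drain') -and ((Get-Date) -lt $deadline))

# 4. A plain Stop ends whatever is still lingering after the drain window.
Invoke-Nlb -Command "stop" -Target $target | Out-Null

# ... perform the maintenance (patching, content update) here ...

# 5. Return the node to the cluster and confirm it reports back through query.
Invoke-Nlb -Command "start" -Target $target | Out-Null
Write-Host "State after maintenance:`n$(Invoke-Nlb -Command 'query' -Target $target)"
```

The script deliberately runs query before and after each state change; the output is the evidence that the node actually converged back into the cluster, which is the check you want before closing a maintenance ticket.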
Summary

High availability is more than just clustering. It is achieved through improved hardware, software, and processes. This chapter focused on how to configure failover clustering and Network Load Balancing (NLB) to achieve high availability and scalability. High availability should be approached through proper hardware configuration, training, and operational discipline. Failover clustering provides a highly available base for many applications such as databases and mail servers. These clusters require either the Enterprise or Datacenter edition of Windows Server 2008. Network load balanced clusters are used to provide high availability and scalability for network-based applications such as VPNs and web servers. Network load balanced clusters can be configured with any edition of Windows Server 2008.
Exam Essentials

Know how to modify failover and failback settings.  These settings are set on the clustered service or application but can be modified by settings on the resources.

Know the hardware requirements for failover clustering and Network Load Balancing.  Failover clustering and Network Load Balancing have distinct hardware requirements. Know the differences.

Know which applications work with Network Load Balancing and which ones work in a failover cluster.  Failover clustering is required for applications and services such as file services and database servers, and NLB is suited for network and web services. Know the differences.
Review Questions

1. Which of the following editions of Windows Server 2008 can be configured in a failover cluster? (Choose all that apply.)
A. Windows Server 2008 Web Edition
B. Windows Server 2008 Standard Edition
C. Windows Server 2008 Enterprise Edition
D. Windows Server 2008 Datacenter Edition

2. Which of the following editions of Windows Server 2008 can be configured in a Network Load Balancing cluster? (Choose all that apply.)
A. Windows Server 2008 Web Edition
B. Windows Server 2008 Standard Edition
C. Windows Server 2008 Enterprise Edition
D. Windows Server 2008 Datacenter Edition

3. What is the maximum number of nodes that can participate in a Windows Server 2008 failover cluster? (Choose all that apply.)
A. 2
B. 4
C. 8
D. 16

4. Which of the following actions should be performed against an NLB cluster node if maintenance needs to be performed while not terminating current connections?
A. Evict
B. Drainstop
C. Pause
D. Stop

5. What is the maximum number of nodes that can participate in a Windows Server 2008 NLB cluster? (Choose all that apply.)
A. 4
B. 8
C. 16
D. 32
6. Which of the following applications would be better suited on a failover cluster instead of a network load balanced cluster? (Choose all that apply.)
A. SQL Server
B. Website
C. Exchange Mailbox Server
D. VPN Services

7. Which of the following applications would be better suited on a Network Load Balancing cluster instead of a failover cluster? (Choose all that apply.)
A. SQL Server
B. Website
C. Exchange Client Access Server
D. Terminal Services

8. To configure an NLB cluster with unicast, what is the minimum number of network adapters required in each node?
A. 1
B. 2
C. 3
D. 6

9. Which of the following will help improve the mean time between failure of a server? (Choose all that apply.)
A. Use RAID-5 set for data storage.
B. Perform data backup.
C. Install multiple power supplies.
D. Use RAID-0 set for data storage.

10. In a three-node cluster set to a Node Majority quorum model, how many cluster nodes can be offline before quorum is lost?
A. 0
B. 1
C. 2
D. 3

11. In a four-node cluster set to a Node and File Share Majority quorum model, how many votes can be lost before quorum is lost?
A. 1
B. 2
C. 3
D. 4
12. In a six-node cluster set to a No Majority: Disk Only quorum model, how many nodes can be lost before quorum is lost?
A. 3
B. 5
C. 2
D. 1

13. After installing the operating system and configuring the hardware, what is the first step that should be taken to create a failover cluster?
A. Install the Failover Cluster feature.
B. Run the Validate a Configuration Wizard.
C. Install a clustered application.
D. Install the Remote Server Administration Tools.

14. When creating a cluster, after successfully completing the Validate a Configuration Wizard, what next step should be taken?
A. Run the Create a Cluster Wizard.
B. Run the Configure a Service or Application Wizard.
C. Install the application that will be clustered.
D. Reboot each node individually.

15. During a series of troubleshooting events, an administrator evicted one of the cluster nodes. How can the evicted node be made active again in the cluster?
A. The cluster should be deleted and re-created with all required nodes.
B. Reboot all cluster nodes simultaneously to restart the cluster.
C. Use the Add Node action to add the evicted node.
D. Pause the remaining nodes of the cluster and resume one at a time.

16. You have just created an NLB cluster for a web site. What other steps must be completed so that end users can access the load-balanced web site? (Choose all that apply.)
A. Create a website on each node.
B. Copy or share web content for each node.
C. Create a DNS entry for each node.
D. Create a DNS entry for the NLB cluster IP address.

17. Users that are connecting to an NLB cluster have been complaining that after using the site for a few minutes they are prompted to log in using their username. What should you do to fix the problem and retain scalability?
A. Create a port rule to allow only ports 80 and 443.
B. Set the cluster affinity to None.
C. Set the filtering mode to Single Host.
D. Set the cluster affinity to Single.
18. You have a two-node cluster and have a specific resource that fails often but is not crucial to the functionality. What would you do to keep the resource from causing the entire application to fail over to the other node while still providing redundancy for the application when needed?
A. Remove one node of the possible owners from the cluster nodes.
B. Select the option to run the resource in a separate resource monitor.
C. Unselect the option to allow the resource to fail over the service or application.
D. Select the option to allow the resource to fail over the service or application.

19. You have a custom application with custom resources. Several times when the application has started, the resources failed initially and then started later after the disk resource came online. What can be done to make the custom resource start after the disk resource comes online?
A. Increase the pending time-out of the custom resource.
B. Make the custom resource dependent on the disk resource.
C. Make the disk resource dependent on the custom resource.
D. Decrease the pending time-out of the disk resource.

20. If you have a running cluster and need to run the Validate a Configuration Wizard again, which of the following tests may require cluster resources to be taken offline?
A. Network tests
B. Storage tests
C. System Configuration tests
D. Inventory tests
Answers to Review Questions

1. C, D. Only the Enterprise and Datacenter editions of Windows Server 2008 can participate in a failover cluster.

2. A, B, C, D. All editions of Windows Server 2008 can be configured in an NLB cluster.

3. C, D. A Windows Server 2008 cluster consisting of servers running the x64 version can contain up to 16 nodes, whereas a cluster consisting of servers running the x86 version can contain up to 8 nodes.

4. B. Drainstop is the function that allows the current session to end before stopping the cluster on the node. Evict is used to completely remove a node from a failover cluster. Pause is used to keep resources from failing over to a failover cluster node. Stop will immediately end the cluster service on the NLB cluster node, not allowing the current sessions to complete.

5. B, D. A Windows Server 2008 cluster consisting of servers running the x64 version can contain up to 32 nodes, whereas a cluster consisting of servers running the x86 versions can contain up to 8 nodes.

6. A, C. SQL servers and Exchange servers are only supported on failover clusters. Websites and VPN services are network-based services, so they are better suited for NLB clusters.

7. B, C, D. Websites, Exchange Server 2007 Client Access Server, and Terminal Services are all designed to work with NLB clusters. Database servers like SQL do not work on NLB clusters.

8. B. To use unicast communication between NLB cluster nodes, each node must have a minimum of two network adapters.

9. A, C. Using a RAID-5 set for data storage will survive a disk failure and extend the overall MTBF for the server. Also, adding a second power supply can improve MTBF. Performing backup tasks is important but does not improve MTBF. RAID-0 does not provide any protection from failures.

10. B. In a three-node cluster, only one node can be offline before quorum is lost because a majority of the votes must be available to achieve quorum.

11. B. Up to two votes can be lost before quorum is no longer able to be achieved. These votes can come from the file share witness or a cluster node.

12. B. In a No Majority: Disk Only quorum model cluster, quorum is solely based on access to the quorum disk. Therefore, only one cluster node must be online and have access to the quorum disk to obtain quorum.

13. A. To create a failover cluster, the first step is to install the Failover Cluster feature.

14. A. After validating the configuration for a cluster, you should create a cluster. After the cluster is created, the applications can be added. A reboot does not need to be done after completing the validation.
15. C. To add an evicted node back into the cluster, use the Add Node action in the Failover Cluster Management tool.

16. A, B, C. To allow end users to access the website, the first step would be to create a DNS entry for the cluster IP address. Then each node would need a website and content created.

17. D. Setting the cluster affinity to Single will send all traffic from a specific IP address to a single cluster node. Doing this will keep a client on a specific node where the client should not have to authenticate again. Setting the filtering mode to Single would remove the authentication problem but would not distribute the load to other servers unless the initial server were down. This is not a scalable solution. Creating a port rule for 80 and 443 will not change anything since these ports are already working, judging by the fact that users can access the site. Setting cluster affinity to None is probably what the cluster is set to, since there is no preference for keeping a client connected to the same node, which may cause additional login prompts.

18. C. To keep the failed resource from causing the entire application to fail over, this option must be unchecked. Removing the possible owners from the clustered application would keep the application from failing over even when needed. Running the resource in a separate resource monitor does not change how it affects the failover of the application.

19. B. To start the custom resource after the disk resource, it should be made dependent on the disk resource. Changing the pending time-out will not have any effect if the resource fails because it only affects resources that take longer to respond.

20. B. The storage tests require the clustered disk resource to be offline. If you need to run the storage tests, the Validate a Configuration Wizard will prompt to make sure you want to take the resources offline.
Chapter 11
Monitoring Windows Server 2008 for High Availability

Microsoft Exam Objectives covered in this chapter:
• Configure high availability. May include but is not limited to: failover clustering, Network Load Balancing, hardware redundancy
Two of the most potent indicators of availability across your network are the performance of the operating system and its reliability. Performance is most commonly represented by the speed at which certain application and system tasks can be completed and hence also the number of tasks that can be completed in a given period of time. A system’s performance can be significantly determined by its hardware configuration, such as the clock speed of the processor, the access speed of the physical hard disk, and the amount of available memory. Therefore, access to such information is crucial for IT professionals to gauge the availability of the system and to decide on the necessary maintenance tasks, configuration changes, and hardware upgrades, if necessary. Reliability, on the other hand, is represented by the ability of the system to perform desirably on a consistent basis. Reliability is hindered when applications, services, or drivers fail to run smoothly and, worst of all, when the operating system itself fails. The Windows Reliability and Performance Monitor, event logs, and Task Scheduler are the vital features of Windows Server 2008 that enable IT professionals to monitor and maintain the performance and availability of the systems.
Monitoring Servers Using Performance Data

To monitor the availability of a system across the network, it’s crucial to have access to data relating to the performance and configuration of the system as well as application errors and hardware failures. By using the Windows Reliability and Performance Monitor, IT professionals can get an overview of the major components of the system that affect system availability. These include the utilization of the CPU, the physical hard disk, and network and system memory along with records of key events such as failures and changes to the system configuration. More importantly, the Windows Reliability and Performance Monitor helps you detect and dissect the cause of performance errors in addition to obtaining performance data. It is also a good tool for tasks such as creating performance baselines and troubleshooting.
The Windows Reliability and Performance Monitor is a Microsoft Management Console (MMC) snap-in that includes the following components (please refer to Figure 11.1):
• Resource Overview
• Performance Monitor
• Reliability Monitor
• Data collector sets
• Reports

Figure 11.1 Windows Reliability and Performance Monitor main view
The following features are new to the Windows Reliability and Performance Monitor in Windows Server 2008:
• Data collector sets
• Resource Overview
• Reliability Monitor
• User-friendly diagnosis reports
• Unified property configuration for all data collection, including scheduling
• Wizards and templates for creating logs
Working with Data Collector Sets

A data collector set (DCS) is a collection of counters to diagnose and monitor anything related to the operating system and applications. DCS is a new feature and is included with Windows Server 2008 and Windows Vista. In the past, gathering different types of data statistics required extra time because counters needed to be re-created. With DCS, however, counters can be created once and scheduled for running through the use of Task Scheduler. A major advantage of DCSs is that they allow for greater control over performance monitoring and data gathering. There are three types of data collector sets:

User-defined  Created and configured by the user.

System  XML data collector set templates that are included with Windows Server 2008 and are saved in Windows\PLA\System.

Event trace sessions  Configured for Event Tracing for Windows (ETW).

Before creating a data collector set, make sure one of the following requirements is met:
• The logged-on user is part of the Local Administrators group.
• The logged-on user is part of the Performance Log Users group. However, please ensure that the user has been assigned the “Log on as a batch job” user right (see Exercise 11.1).
Exercise 11.1 will help you assign the “Log on as a batch job” user right to the Performance Log Users group. Providing the “Log on as a batch job” user right allows users to manage performance logs, counters, and alerts.

Exercise 11.1
Assigning the “Log On as a Batch Job” User Right
By default, normal users cannot create or manage data collector sets until the “Log On as a Batch Job” user right has been assigned. To assign the Log On as a Batch Job user right, complete the following procedure:
1. Click Start, select Run, type secpol.msc in the Run command dialog, and press Enter. This will open the Local Security Policy snap-in.
2. In the left pane, expand Local Policies, and click User Rights Assignment.
3. In the console pane, right-click Log On as a Batch Job, then click Properties.
4. In the Log On as a Batch Job Properties window, click Add User or Group.
5. In the Select Users or Groups dialog box, click Object Types.
6. In the Object Types dialog box, check Groups and click OK.
7. Return to the Log On as a Batch Job Properties window and click OK.
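Because a user right granted through the Local Security Policy snap-in is easy to mis-assign (wrong object type, wrong group), it is worth verifying the result of Exercise 11.1 rather than trusting the dialog. The following is an added example, not code from the book: it exports the local user-rights policy with secedit.exe and checks whether the Performance Log Users group holds the right. It assumes an elevated prompt, and it relies on two fixed Windows identifiers: the right's internal name SeBatchLogonRight and the group's well-known SID S-1-5-32-559.

```powershell
# Added example (not from the book): confirm that "Log on as a batch job" has
# actually been granted to Performance Log Users after Exercise 11.1.
# Assumptions: elevated prompt; SeBatchLogonRight is the internal name of the
# right and S-1-5-32-559 is the well-known SID of BUILTIN\Performance Log Users.

function Test-BatchLogonRight {
    param([string]$PrincipalSid = "S-1-5-32-559")   # Performance Log Users

    $exportPath = Join-Path $env:TEMP "user-rights.inf"

    # Export only the USER_RIGHTS area of the effective local security policy.
    & secedit.exe /export /cfg $exportPath /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $exportPath)) { throw "secedit export failed" }

    # The exported line looks like: SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-559
    $line = Get-Content $exportPath | Where-Object { $_ -match '^SeBatchLogonRight\s*=' }
    Remove-Item $exportPath -ErrorAction SilentlyContinue

    if (-not $line) { return $false }   # the right is granted to nobody at all

    # Split the right-hand side into SIDs, dropping the leading "*" secedit adds.
    $holders = ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
    return ($holders -contains $PrincipalSid)
}

if (Test-BatchLogonRight) {
    Write-Host "Performance Log Users holds Log on as a batch job; data collector sets can be scheduled."
} else {
    Write-Host "Performance Log Users lacks Log on as a batch job; repeat Exercise 11.1."
}
```

The same function, called with a different SID, tells you which other principals have been granted the right, which is a useful thing to review periodically since batch logon is a right you want scoped to the groups that need it.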
Exercise 11.2 will walk you through creating a new data collector set. Creating new data collector sets allows system administrators to monitor system performance and simplify troubleshooting of server systems.

Exercise 11.2
Creating a Data Collector Set
As the first step in collecting performance data automatically through Performance Monitor, a data collector set needs to be created. To create a data collector set, complete the following steps:
1. Open the Reliability and Performance Monitor by clicking Start > Control Panel > Administrative Tools > Reliability and Performance Monitor, or click Start, then select Run, type perfmon.msc in the Run command dialog, and press Enter.
2. In the left pane, expand Data Collector Sets, and select User Defined.
3. Right-click on the area in the right pane and select New Data Collector Set. This launches the Create New Data Collector Set Wizard.
4. Enter a name for the new data collector set and choose between creating it from a template and creating it manually.

The simplest way to create a new data collector set is by using one of the preconfigured templates listed in the Create New Data Collector Set Wizard. The templates are developed based on the most common monitoring scenarios and are included in Windows Server 2008 to inject speed and convenience in performance and availability monitoring. Three preconfigured templates for creating data collector sets are built into Windows Server 2008. The preconfigured templates create the following sets:

Basic  In this DCS, user-defined data collectors will be added by the user.

System Diagnostics  This DCS includes predefined data collectors that help the user maximize system performance and streamline system operation. It generates a report of the status of local hardware resources, system response times, and processes on the local computer as well as system information and configuration data.

System Performance  Predefined data collectors are included here, which help the user identify possible causes of performance issues. It generates a report of the status of local hardware resources, system response times, and processes on the local computer.
In Exercise 11.3, you’ll create a new data collector set from a template by continuing the steps followed in Exercise 11.2.

Exercise 11.3
Creating a New Data Collector Set from a Template
Continuing the steps followed in Exercise 11.2, a data collector set will be created based on a template. To create a new data collector set from a template, complete the following steps:
1. In the Create New Data Collector Set Wizard, after entering a name for the data collector set, select Create from a Template and click Next.
2. Choose a template and click Finish to save the data in the default root directory, which is %systemdrive%\perflogs\<User-defined data collector set name>; otherwise, click Next to browse and select the preferred directory or enter the directory name. Please note that if you enter the directory name manually, you must not type a backslash at the end of the directory name.
3. To run the data collector set as a specific user, click the Change button and enter the username and password of that user if it is different from the default user listed; then click Next.
4. Click Finish to complete the wizard. The user can select Open Properties for This Data Collector Set to view the properties of the data collector set or select Start This Data Collector Set Now to start the data collection immediately. The user can also select Save and Close to save the data collector set without starting collection.
Members of the Performance Log Users group must configure the newly created data collector sets to run under their own credentials.
Exercise 11.4 shows you how to create a new data collector set manually.

Exercise 11.4
Manually Creating a New Data Collector Set
A data collector set can be created from scratch, without using a template. To manually create a new data collector set, use the following steps:
1. In the Create New Data Collector Set Wizard, after entering a name for the data collector set, select Create Manually and click Next.
2. To create data logs, select Create Data Logs and then select one or more of the types of logs to be created (Performance Counter, Event Trace Data, and System Configuration Information). Alternatively, select Performance Counter Alert if you do not want to create any of these data logs. Click Next. The remaining steps in Exercise 11.4 vary according to which types of logs are selected in this step.
3. To create Performance Counter data logs, select the performance counters, if any, that will be collected and click Next.
4. To create Event Trace Data logs, select the event trace providers, if any, to be enabled and click Next.
5. To create System Configuration Information data logs, select the Registry keys, if any, to be recorded and click Next.
6. Browse and select the preferred root directory in which the data will be saved if you do not want to use the default root directory of %systemdrive%\perflogs\<User-defined data collector set name>. Click Next.
7. Choose the specific user who will run the data collector set, which can be done by clicking the Change button and entering the username and password of the specific user if it is different from the default user listed. Select one of the options (Open Properties for This Data Collector Set, Start This Data Collector Set Now, or Save and Close) and click Finish.
Once the data collector sets are created and selected by the user to help keep track of system performance, the data can be stored as logs for future review. The logs can be further managed and organized into schedules by configuring the properties of the data collector sets and by utilizing the built-in Data Manager in the Windows Reliability and Performance Monitor. A log file is generated automatically by a data collector set. Data management procedures can then be used to configure the storage options for each data collector set. Through data management, the user is able to include information about the log in the filename, choose to overwrite or append data, and limit the file size of individual logs. A Data Manager is included in each data collector set and controls its data management tasks, which consist of conditions/actions, data retention policy, data transfer, and report generation. Once the Data Manager is enabled, a Server Performance Advisor (SPA) overview report is generated to summarize data results upon the completion of data collection. Before creating logs from a data collector set, make sure the following requirements are met:
• The logged-on user is part of the Local Administrators group.
• If the logged-on user is not part of the Local Administrators group, the user must be part of the Performance Log Users group. However, please ensure that the user has been assigned the “Log on as a batch job” user right.
• At least one data collector set has been created.

In Exercise 11.5, you’ll schedule the Start condition for a data collector set.

Exercise 11.5
Scheduling the Start Condition for a Data Collector Set
A data collector set needs to be started to collect performance data. To schedule the start condition for a data collector set, please complete the following:
1. In the left pane of Windows Reliability and Performance Monitor, expand Data Collector Sets and expand User Defined.
2. Right-click the data collector set to be scheduled, and click Properties.
3. In the Properties window, select the Schedule tab.
4. Click Add to configure a starting date and the day or time for data collection. When a new data collector set is being configured, the starting date must be after the current date and time.
5. If the user wishes to stop the data collection after a certain date, select an expiration date. On a side note, data collection does not stop on the expiration date itself, though new data will not be collected after that date. To further configure how data collection is stopped, select the Stop Condition tab.
6. Click OK when you’re finished.
In Exercise 11.6, you’ll schedule the Stop condition for a data collector set.
Exercise 11.6
Scheduling the Stop Condition for a Data Collector Set
A data collector set needs to be stopped after an interval of time. System performance will be affected if a data collector set runs continuously, especially during busy hours. To schedule the stop condition for a data collector set, use the following steps:
1. In the left pane of Windows Reliability and Performance Monitor, expand Data Collector Sets and expand User Defined.
2. Right-click the data collector set to be scheduled, and click Properties.
3. In the Properties window, select the Stop Condition tab.
4. To stop data collection after a specific time period, select Overall Duration and choose the quantity (Time) and unit (Seconds/Minutes/Hours). However, if data collection is to be done indefinitely, the Overall Duration check box needs to be unchecked.
5. To divide the collected data into separate logs, select “When a limit is reached, restart the data collector set” to specify the desired limits in duration and/or maximum size.
A. Select Duration to specify a time period for data collection to write into a single log.
B. Select Maximum Size, in megabytes (MB), to restart the data collector set or to stop data collection when the limit is reached. Please note that Overall Duration, if selected, will override limits. If both types of limits are selected, data collection will be stopped or restarted once the first limit is reached.
6. If an overall duration is configured, the user can select “Stop when all data collectors have finished” to enable all data collectors to finish logging the most recent values before the data collector set is stopped.
7. Click OK.
The use of limits to automatically organize logs into segments is recommended because large log files slow down the report generation process.
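Everything Exercises 11.4, 11.5, and 11.6 configure through the wizard and the Schedule and Stop Condition tabs (a manually defined Performance Counter log, a future start time, an overall duration, and the duration and size limits that segment the log) can also be expressed as a single logman.exe command, which is the form you would keep in version control for a repeatable baseline. The following is an added example and not code from the book. It assumes an elevated prompt; the set name WebBaseline and its counter list are constructed for this example; the output root follows the book's default of %systemdrive%\perflogs\<name> with no trailing backslash; the switch names are those documented by logman /?, and the date format passed to -b is assumed to match the machine's locale.

```powershell
# Added example (not from the book): create, schedule and segment a performance
# counter data collector set with logman.exe instead of the wizard.
# Assumptions: elevated prompt; "WebBaseline" and the counters are constructed
# sample values; switch names are from "logman /?"; -b date format is locale-dependent.

$dcsName   = "WebBaseline"                                   # constructed name
$outputDir = Join-Path $env:SystemDrive "perflogs\$dcsName"  # book's default root, no trailing backslash
$counters  = @(
    "\Processor(_Total)\% Processor Time",
    "\Memory\Available MBytes",
    "\PhysicalDisk(_Total)\Avg. Disk Queue Length",
    "\Network Interface(*)\Bytes Total/sec"
)

function New-CounterCollectorSet {
    # Switch-to-exercise mapping:
    #   -si 00:00:15   sample every 15 seconds           (Exercise 11.4, Performance Counter log)
    #   -f bin         binary log Performance Monitor opens
    #   -b <time>      Start condition, must be in the future (Exercise 11.5 step 4)
    #   -rf 08:00:00   Overall Duration of 8 hours          (Exercise 11.6 step 4)
    #   -cnf 01:00:00  restart into a new file every hour   (Exercise 11.6 step 5A)
    #   -max 200       or when a segment reaches 200 MB     (Exercise 11.6 step 5B)
    #   -v mmddhhmm    stamp each segment's filename so segments never overwrite
    #   -y             do not prompt
    param([string]$Name, [string]$OutputDir, [string[]]$Counters, [int]$StartInMinutes = 5)

    $begin = (Get-Date).AddMinutes($StartInMinutes).ToString("M/d/yyyy HH:mm:ss")
    & logman.exe create counter $Name -c $Counters -si 00:00:15 -f bin -o $OutputDir `
        -b $begin -rf 08:00:00 -cnf 01:00:00 -max 200 -v mmddhhmm -y
    if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }
}

function Get-CollectorSetStatus {
    # "logman query <name>" prints the set's configuration and whether it is Running or Stopped.
    param([string]$Name)
    return (& logman.exe query $Name | Out-String)
}

New-CounterCollectorSet -Name $dcsName -OutputDir $outputDir -Counters $counters
Get-CollectorSetStatus -Name $dcsName

# To start ahead of the scheduled time, or stop before the 8-hour duration elapses:
#   logman start WebBaseline
#   logman stop  WebBaseline
```

The set created this way appears under Data Collector Sets > User Defined in the Reliability and Performance Monitor, so the Data Manager settings of Exercise 11.7 can still be applied to it from the GUI. Keeping -cnf and -max in the command is what turns one growing file into hourly segments, which is exactly the recommendation above.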
Managing Logs for a Data Collector Set

As time passes, logs will grow quickly. It is wise to plan and configure the logs before a data collector set is used. In Exercise 11.7, you’ll configure data management for a data collector set.
Chapter 11 Monitoring Windows Server 2008 for High Availability
Exercise 11.7
Configuring Data Management for a Data Collector Set
Each data collector set can have its own data management settings. Data management settings allow each data collector set to have its own policies. To configure data management for a data collector set, complete these steps:
1. In the left pane of Windows Reliability and Performance Monitor, expand Data Collector Sets and expand User Defined.
2. Right-click the data collector set to be configured, and click Data Manager.
3. On the Data Manager tab, you can make changes according to the user’s data retention policy. Refer to Table 11.1 for details of each option.
A. When Minimum Free Disk or Maximum Folders is selected, previous data will be deleted according to the selected resource policy (Delete Largest or Delete Oldest) setting as part of the data collector set’s Data Manager tab when the limit is reached.
B. When “Apply policy before the data collector set starts” is selected, previous data will be deleted according to the selected resource policy before the data collector set generates its next log file.
C. When Maximum Root Path Size is selected, previous data will be deleted according to the selected resource policy when the root log folder size limit is reached. Please note that Resource Policy is used to define how long data can be stored before it is deleted, to save storage space. Resource Policy actions are carried out on a folder basis rather than a file basis.
Monitoring Servers Using Performance Data
4. On the Actions tab, you can choose to perform folder actions when specified data manager conditions are met. New actions can be configured by clicking Add, while existing actions can be changed or removed by clicking Edit or Remove. Folder actions enable the user to configure the way in which data is archived before it is permanently deleted according to the resource policy. Refer to Table 11.2 for details of each option.
5. When all the desired changes are made, click OK.
If the user prefers to manage data with folder actions, the user may choose to disable the Data Manager limits.
Table 11.1 lists and describes the data management options available in the Data Manager tab. Data size limitation can be configured on individual data collector sets through this tab.
Table 11.1 Data Management Options Available in the Data Manager Tab
Minimum Free Disk: The amount of disk space that is mandatory on the drive where log data is stored. If this option is selected, previous data will be deleted according to the selected resource policy when the limit is reached.
Maximum Folders: The number of subfolders that can be included in the data collector set data directory. If this option is selected, previous data will be deleted according to the selected resource policy when the limit is reached.
Resource Policy: Specifies whether to delete the largest or oldest folder within the data collector set’s root folder when limits are reached.
Maximum Root Path Size: The maximum size of the data directory for the data collector set, including all subfolders. If this option is selected, the minimum free disk and maximum folders limits will be overridden and previous data will be deleted according to the selected resource policy when the root log folder size limit is reached.
Table 11.2 lists and describes the data management options available in the Actions tab. Conditions and actions of a data collector set can be configured through this tab.
Table 11.2 Data Management Options Available in the Actions Tab
Age: A condition based on the age of the data file, in units of either days or weeks. If the value is 0, the criterion will not be used.
Size: A condition based on the size of the folder where the log data is stored, in megabytes (MB). If the value is 0, the criterion will not be used.
Cab: A cabinet (.cab) file. These archive files can be created from raw log data and extracted to be used when necessary. Choose to create or delete cabinet files based on the age or size criteria.
Data: Raw log data collected by the data collector set. The data can be deleted after a cabinet file is created. A backup of the original data will be retained.
Report: The report file generated by Windows Reliability and Performance Monitor from raw log data. Report files can be retained even after the raw log data or cabinet file has been deleted.
Log Data in Performance Monitor
The collected logs in Windows Reliability and Performance Monitor can be viewed as reports or as Performance Monitor data. All of the display options included in real-time monitoring with Performance Monitor can be viewed as log data. New in the Performance Monitor in Windows Server 2008 is the availability of several view modes to facilitate convenient viewing of log data. The three view modes can be selected in the shortcut menu of each data collector listed under the data collector set in the Reports node on the left pane:
Report view If Data Manager is enabled for the selected data collector set, Report view is available and accessible as the Report option when View is highlighted in the shortcut menu, which is opened by clicking and then right-clicking the data collector set in the Reports node. If Data Manager is disabled, the Report option will be inaccessible. The Data Manager report is a Server Performance Advisor (SPA) report that presents a summary of the logged performance data. The Application Counters section can be expanded to show a summarized view of the Mean, Minimum, and Maximum data values from the data collector. The report is saved as an XML file in the Data Collector Set folder associated with the selected data collector. See Figure 11.2.
Performance Monitor view If the Performance Monitor view is selected, the Performance Monitor log file is displayed in a line graph by default, with all the configured counters. See Figure 11.3.
Folder view If the Folder view is selected, the folder containing all the files of the selected data collector set is displayed. See Figure 11.4.
Figure 11.2 Report view of a report generated by a data collector set
Figure 11.3 Performance Monitor view of a report generated by a data collector set
Figure 11.4 Folder view of a report generated by a data collector set
Before viewing log data in Performance Monitor, make sure the following requirements are met:
• The logged-on user is part of the Local Administrators group.
• If the logged-on user is not part of the Local Administrators group, the user must be part of the Performance Log Users group. You must ensure that the user has been assigned the “Log on as a batch job” user right.
• At least one log file is generated from a data collector set.
Exercise 11.8 will show you how to load log data in Performance Monitor.
Exercise 11.8
Loading Log Data in Performance Monitor
Once logs have been created by a data collector set, they need to be loaded into Performance Monitor for viewing by the system administrator. To load the log data in Performance Monitor, please execute the following tasks:
1. In the left pane of Windows Reliability and Performance Monitor, expand Reports and expand User Defined.
2. Expand the data collector set whose log data you will view.
3. Select the log file to view.
4. To change view modes, right-click the log file in the left pane, select View, and select Performance Monitor to display the Performance Monitor view or Folder to display the Folder view.
Exercise 11.9 shows you how to navigate the log view in Performance Monitor.
Exercise 11.9
Navigating the Log View in Performance Monitor
Viewing and using the Log View can be confusing for inexperienced users. To navigate the Log View in Performance Monitor, please execute the following steps:
1. Log data is displayed in a line chart by default. In the chart, the x-axis of the graph represents the total time included in the log.
2. To view a specific time frame in the display, click and highlight a section in the chart, and then click the Zoom button or press Ctrl+Z.
3. Other viewing options are available, and actions can be taken to add performance counters in the log view. For descriptions of the viewing options and actions, refer to the following sections.
Diagnosis Report
Two system reports are built into Windows Reliability and Performance Monitor in order to assess the health of the system and to diagnose issues pertaining to system performance. The System Diagnostics report can be viewed once the required data has been collected.
Before running any data collector set reports, make sure that one of the following requirements is met:
• The logged-on user is part of the Local Administrators group.
• The logged-on user starts Windows Reliability and Performance Monitor with elevated privileges.
The System Diagnostics report utilizes the Windows Kernel Trace Provider, which can only be accessed by Local Administrators group members.
Exercise 11.10 shows you how to view the system diagnostics report.
Exercise 11.10
Viewing the System Diagnostics Report
The default system reports built into Windows Reliability and Performance Monitor offer a deep level of system diagnostics details. To view the System Diagnostics Report, please execute the following steps:
1. In the left pane of Windows Reliability and Performance Monitor, expand Data Collector Sets and expand System.
2. Right-click System Diagnostics and click Start to begin collecting data.
3. In the left pane, expand Reports, expand System, expand System Diagnostics, and click on a date to view the report, which will appear in the console pane.
The System Diagnostics report collects data for 60 seconds, and an additional 60 seconds may be required for the report to be generated.
View System Stability with Reliability Monitor
The Reliability Monitor (as shown in Figure 11.5) provides an overview of system availability as well as trend analysis with detailed information on events that can affect the overall availability of the system. Data collection for Reliability Monitor begins at the time of system installation. The data is then presented in the form of a chart that can be utilized to identify the applications, drivers, or hardware that are hampering the reliability and availability of the system. Several categories of events will be recorded in Reliability Monitor:
• Software installations and removals
• Application failures
• Hardware failures
• Windows failures
• Miscellaneous failures
Figure 11.5 Reliability Monitor main view
Several vital features are included in Reliability Monitor: automatic data collection and processing, the System Stability Chart, the Stability Index, and the System Stability Report.
Automatic Data Collection and Processing
Data collection and processing is carried out by Reliability Monitor through the Reliability Analysis Component (RAC). Data is automatically gathered by the availability analysis metrics calculation executable (racagent.exe), which processes the data based on its analysis, aggregation, and correlation of user disruptions in the operating system, programs, and services into availability metrics. The availability analysis metrics calculation executable runs as a hidden scheduled task named RACAgent to collect specific events from the event log. The RACAgent task runs hourly and processes the acquired data daily. The availability index number that is generated after data processing by the RACAgent task varies on a scale from 0 to 10, with 0 representing the least reliable and 10 representing the most reliable. The availability index, as well as the results of the event tracing, is then displayed in the System Stability Chart in the Windows Reliability and Performance Monitor.
System Stability Chart
The System Stability Chart is presented in the Reliability Monitor window together with a calendar control that can be used to select the time range to view. The System Stability Chart can be used to assess the consistency of system availability within a certain time period, as represented by the consistency of the availability index. System availability and availability events of up to one year will be displayed in the System Stability Chart.
Stability Index
As mentioned previously, reliability/availability of the system is translated into the form of ratings and is represented by the Stability Index. The index, which ranges from 0 to 10, is generated according to the data that is gathered and processed by Reliability Monitor. Reliability Monitor traces every instance of user disruptions and remembers the number of occurrences each day over a 28-day rolling window period, with the latest day of the rolling window being the current day. Before data collection of 28 days is completed, the Stability Index is displayed as a dotted line in the System Stability Chart as it has yet to establish a valid baseline for calculation. A real number with two decimal places is used as the Stability Index.
System Stability Report
The System Stability Report found below the System Stability Chart in the Reliability Monitor window contains the details of the events of the selected date or date range. The report details the application, driver, or other system component that is affecting the system availability index. The report can be used to identify changes in system state that may contribute to system unavailability.
The data files that are created and accessed by the Reliability Monitor are stored in the following folders:
\ProgramData\Microsoft\RAC\PublishedData
\ProgramData\Microsoft\RAC\StateData
When the files in the two folders are deleted, Reliability Monitor will be reset to its default state with no availability information displayed. The files will be re-created with current availability information once the RACAgent task next runs on its schedule. The data presented in the default and time-specific views of Reliability Monitor is taken from HTML pages that are created by Reliability Monitor before it displays a particular view. The HTML files, named Rmo(4-digit random number).tmp.htm, are created in the \Users\<username>\AppData\Local\Temp folder. The files can be used for trend analysis. The HTML files will be automatically deleted once Reliability Monitor is closed. Trend analysis is a method of determining and comparing system availability over a time period. It can also be used to measure system availability against a Service Level Agreement (SLA).
Availability
Before viewing system availability with Reliability Monitor, make sure the following requirements are met:
• The computer has been running for a minimum of 24 hours since the installation of the operating system.
• The RACAgent scheduled task is running. The task runs by default unless it is manually stopped or disabled.
In Exercise 11.11, you’ll view system availability with Reliability Monitor.
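Both prerequisites can be confirmed from a script before Reliability Monitor is opened. This is an added example, not part of the book’s exercise; it assumes Windows PowerShell 2.0 (available for Windows Server 2008 as an update) and that the RACAgent task is registered under the \Microsoft\Windows\RAC task folder, which the book does not state. It also reports whether the two data folders named above exist, since deleting them resets the monitor.

```powershell
# Added example: check the Reliability Monitor prerequisites listed above.
# Assumes Windows PowerShell 2.0. The task folder \Microsoft\Windows\RAC is an
# assumption; the book names only the task itself (RACAgent).
function Test-ReliabilityMonitorReady {
    # Requirement 1: at least 24 hours since the operating system was installed
    $os        = Get-WmiObject -Class Win32_OperatingSystem
    $installed = $os.ConvertToDateTime($os.InstallDate)
    $age       = (Get-Date) - $installed

    # Requirement 2: the RACAgent scheduled task exists and is not disabled.
    # schtasks prints the task state in verbose list output; a non-zero exit
    # code means the task was not found.
    $taskOutput = & schtasks.exe /Query /TN '\Microsoft\Windows\RAC\RACAgent' /FO LIST /V 2>&1
    $taskFound  = ($LASTEXITCODE -eq 0)
    $taskOk     = $taskFound -and -not ($taskOutput | Select-String -Quiet 'Scheduled Task State:\s+Disabled')

    # Data folders used by Reliability Monitor, as listed in the text
    $racRoot = Join-Path $env:ProgramData 'Microsoft\RAC'
    $folders = 'PublishedData', 'StateData' | ForEach-Object {
        $path = Join-Path $racRoot $_
        New-Object PSObject -Property @{ Folder = $path; Exists = (Test-Path $path) }
    }

    New-Object PSObject -Property @{
        HoursSinceInstall = [math]::Round($age.TotalHours, 1)
        InstallAgeOk      = ($age.TotalHours -ge 24)
        RacAgentFound     = $taskFound
        RacAgentEnabled   = $taskOk
        DataFolders       = $folders
    }
}

$ready = Test-ReliabilityMonitorReady
$ready | Format-List HoursSinceInstall, InstallAgeOk, RacAgentFound, RacAgentEnabled
$ready.DataFolders | Format-Table Folder, Exists -AutoSize
```

A missing PublishedData or StateData folder on a machine that has been installed for more than a day is worth noting: either the RACAgent task has not run, or the folders were removed, and in both cases the Stability Index will be shown without a baseline.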
Exercise 11.11
Viewing System Availability in Performance Monitor It is possible to do a quick system availability overview through Performance Monitor. To view System Availability in Performance Monitor, please execute the following steps:
1. In the left pane of Windows Reliability and Performance Monitor, expand Monitoring Tools and click Reliability Monitor.
2. View the System Stability Chart on the top half of the console pane, or expand the sections of the System Stability Report below the chart. Refer to the following sections for descriptions of the viewing options and actions.
The following points will help you make sense of the System Stability Chart:
• The date range is represented by the x-axis, while the Stability Index number is represented by the y-axis.
• If more than 30 days of data have been recorded, the scroll bar at the bottom of the chart can be used to navigate to the desired date or period if it’s not visible by default.
• Within the System Stability Chart, as seen below, records of events that disrupt the availability of the system, as well as installations and removals of software, are presented in five rows of information.
The following points will help you understand the System Stability Report:
• When all dates are selected, the reports are sorted first by date in descending order and then by the application or driver name in ascending alphabetical order. When a single date is selected, the reports are sorted by the application or driver name in ascending alphabetical order.
• The reports are based on specific event data that is organized into the following categories: System Clock Changes, Software (Un)Installs, Application Failures, Hardware Failures, Windows Failures, and Miscellaneous Failures.
System Clock Changes
Significant changes to the system clock are recorded in this category. Information on clock changes is available only if at least one major clock change has been made on the system. Table 11.3 details the information available in the System Clock Changes report.
Table 11.3 Information in the System Clock Changes Report
Old Time: Specifies the previous date and time before the clock change.
New Time: Specifies the selected date and time during the clock change.
Date: Specifies the date on which the clock change was made.
The System Clock Changes category appears in the System Stability Report only when a date in which a significant clock change has occurred is selected. Any date that records a significant clock change will be indicated by an information icon on the System Stability graph.
Software (Un)Installs
Installations and removals as well as configuration changes and updates of applications, drivers, system components, and Windows Updates are recorded in this category. Table 11.4 details the information available in the Software (Un)Installs report.
Table 11.4 Information in the Software (Un)Installs Report
Software: Specifies the name of the operating system, the affected application, the affected driver, or the affected Windows Update.
Version: Specifies the operating system, application, or driver version. This field is not applicable to Windows Updates.
Activity: Indicates whether the event is an installation or removal (uninstall).
Activity Status: Indicates whether the event is a success or a failure.
Date: Specifies the date of the installation or removal.
Application Failures
Application hangs and crashes, including the termination of a nonresponding application, are recorded in this category. Table 11.5 lists the information available in the Application Failures report.
Table 11.5 Information in the Application Failures Report
Application: Specifies the name of the executable file of the failed application.
Version: Specifies the version number of the failed application.
Failure Type: Indicates whether the application stopped responding or stopped working.
Date: Specifies the date on which the application failure occurred.
Hardware Failures
Disk and memory failures are recorded in this category. The information available in the Hardware Failures report is listed in Table 11.6.
Table 11.6 Information in the Hardware Failures Report
Component Type: Indicates whether the failure occurred in the hard drive or the memory.
Device: Specifies the failed device.
Failure Type: Indicates whether the failure is caused by a bad disk or by faulty memory.
Date: Specifies the date on which the hardware failure occurred.
Windows Failures
Operating system boot failures, crashes, and sleep failures are recorded in this category. Information listed in the Windows Failures report appears in Table 11.7.
Table 11.7 Information in the Windows Failures Report
Failure Type: Indicates whether the event is a boot failure or an operating system crash.
Version: Specifies the version number of the operating system and service pack.
Details: Indicates whether the event is an operating system failure, a boot failure, or a sleep failure. An operating system failure is indicated by the stop code, a boot failure is indicated by the reason code, and a sleep failure is indicated by the component veto or failure to enter hibernation.
Date: Specifies the date on which the Windows failure occurred.
Miscellaneous Failures
Unexpected system shutdowns as well as other system failures that do not fall under previous categories are recorded in this category. Table 11.8 lists the information available in the Miscellaneous Failures report.
Table 11.8 Information in the Miscellaneous Failures Report
Failure Type: Indicates an event of disruptive shutdown.
Version: Specifies the version number of the operating system and service pack.
Failure Detail: Indicates an event in which the computer was not shut down normally.
Date: Specifies the date on which the miscellaneous failure occurred.
Monitoring Servers Using Event Logs
Like performance and reliability monitoring, the Windows Eventing features that are available in Windows Server 2008 are used by IT professionals to gather essential information on the state of the hardware, the software, and the system as a whole. While the Performance and Reliability Monitor provides IT professionals with statistics and real-time information on system availability, the Event Viewer provides users with in-depth information and detailed logs of events affecting system health. Event Viewer is used to browse and manage event logs, which contain information on hardware and software problems as well as security events of the system. Event Viewer is thus a valuable tool for troubleshooting issues pertaining to system availability and performance. To see what the Event Viewer looks like, see Figure 11.6.
In Windows Server 2008, the Event Viewer enables access to component-specific logs that mostly contain operational, analytic, and debug events that are non-administrative. The non-administrative events, which are usually non-actionable and more verbose, are included for the purpose of tracing normal operations and obtaining more details on potential problems. Administrative events are still usually logged in the application or system log. However, cases in which significant volumes of administrative events are associated with certain components or applications will lead to such events being logged in separate component-specific administrative logs. Unlike in previous Windows Server versions, the Event Viewer in Windows Server 2008 is easier to navigate while packing more detailed information and providing easier filtering of events. The updated Windows Eventing 6.0 event log service in Windows Server 2008 is aimed at providing the following services for administrators, developers, and IT professionals:
• Custom views of event logs
• Forwarding events using industry-standard protocols
• Local and remote subscription to events
• Query and selection of events for analysis, diagnostics, and monitoring
Figure 11.6 Event Viewer
Using wevtutil.exe to Manage Event Logs
Event logs in Windows Server 2008 are divided into two main categories: Windows logs and application and services logs. Apart from the Event Viewer, the wevtutil.exe command-line tool can also be used to manage event logs. If wevtutil.exe is used to manage event logs, the user has to be aware that the messages in wevtutil.exe might refer to event logs as channels. The following list describes all the logs built into Windows Server 2008.
Windows Logs
Windows logs are intended to store events from legacy applications and events that apply to the entire system. The Windows Logs category in Event Viewer includes the following logs:
Application log The application log comprises events logged by applications or programs. For example, a database program might record a file error in the application log, while program developers would decide which events to log.
Security log The security log consists of events such as valid and invalid logon attempts as well as events related to resource use, such as creation, deletion, and opening of files or other objects. For example, the assignment of special privileges to a newly logged-on user is recorded in the security log.
Setup log The setup log comprises events related to application setup.
System log The system log includes events logged by Windows system components, and the event types are predetermined by Windows. For example, failure of the print spooler to reopen an existing connection is recorded in the system log.
Forwarded events log The forwarded events log is made up of events collected from remote computers.
Application and Services Logs
Application and services logs contain events from a single application or component rather than events that affect the entire system. The Application and Services Logs category in Event Viewer includes the following types of logs:
Admin Admin logs comprise events that indicate the problems and well-defined solutions that an administrator can act on. The events are either well documented or come with direct instructions of what must be done to rectify the problem. Error and warning events, for example, are always logged in an admin log, and information events that indicate a service’s return to a healthy state can also be recorded in an admin log.
Analytic Analytic logs are made up of events that are used in problem diagnosis or performance analysis. Analytic logs provide information on program operation and indicate problems that cannot be handled by user intervention. They are also known as trace logs and are mostly disabled by default.
Debug Debug logs include events that are used by developers for troubleshooting purposes. Debug logs are hidden and disabled by default.
Operational Operational logs typically consist of private logs in which components can log events that are helpful for troubleshooting or launching automated actions. Operational logs are normally used to analyze or diagnose a problem or occurrence. Most information events are recorded in operational logs, which are enabled by default.
Within every log category in Event Viewer are subcategories of event attributes that enable administrators and tools to filter the events and automate tasks. The event attributes are as follows:
Level The Level column indicates whether the event was critical, an error, a warning, or a routine action presented as information.
Keyword Keyword refers to the set of categories or tags that can be used to filter or search on events. Keywords are assigned to security logs which, unlike other logs, are not categorized by levels.
Date and Time The Date and Time column indicates the date and time at which the event occurred.
Source Source refers to the name of the component that published the event.
Event ID Event ID refers to the numeric ID unique to a specific event or source.
Configuring Computers to Forward and Collect Events
Before events can be collected and organized on the computer, subscriptions to events have to be made, and before subscriptions can be made, the collecting computer as well as each computer from which events will be collected has to be configured. To learn how to configure computers to forward and collect events, see Exercise 11.12.
Exercise 11.12
Configuring Computers to Forward and Collect Events
Before forwarding and collecting of events can work, both forwarding and collecting computers need to be configured. To configure computers to forward and collect events, please execute the following steps:
1. Log on to the collecting computer and all source computers. It is recommended that a domain account with administrative privileges is used to perform the tasks.
2. On each source computer, click Start, select Run, and type cmd in the Run command dialog. Then press Enter to open the command prompt.
3. In the command prompt, type winrm quickconfig and press Enter. Please note that if the user intends to specify an event delivery optimization of Minimize Bandwidth or Minimize Latency, this command must also be run on the collecting computer.
4. On the collecting computer, open the command prompt, type in wecutil qc, and press Enter.
5. On each source computer, add the account of the collecting computer to the Administrators group.
6. The computers are now configured to forward and collect events.
Running winrm quickconfig will set the startup type for both services, Windows Remote Management (WinRM) and Windows Event Collector (Wecsvc), to Automatic. Both of these services are needed for forwarding/collecting of events to work.
In addition to the steps in Exercise 11.12, there are a number of considerations that the user has to take note of. When working in a workgroup environment, there are several additional steps and considerations:
• A Windows Firewall exception for Remote Event Log Management has to be added on each source computer.
• An account with administrator privileges must be added to the Event Log Readers group on each source computer. The account must be specified in the Configure Advanced Subscription Settings dialog when a subscription is created on the collecting computer.
• On the collecting computer, type winrm set winrm/config/client @{TrustedHosts="<sources>"} in the command prompt to allow all source computers to use NTLM authentication when communicating with WinRM on the collecting computer. The names of all the participating source computers in the workgroup, separated by commas, are entered in place of <sources>. Alternately, wildcards can be used to match the names of all the source computers. This command is run only once. For more information on this command, type winrm help config in the command prompt.
• Only Normal mode (Pull) subscriptions can be used.
To specify a user account by using the Specific User option in Advanced Subscription Settings when adding a subscription, you must ensure that the user account is part of the local Administrators group on each of the source computers in step 4. Alternately, the Windows Event Log command-line utility can be used to grant account access to individual logs. For more information on the command-line utility, type wevtutil sl -? in the command prompt. If a subscription is configured to utilize the HTTPS protocol by using the HTTPS option in Advanced Subscription Settings, corresponding Windows Firewall exceptions for port 443 must be set. For a subscription that uses Normal delivery optimization (PULL mode), the exception must be set only on the source computers. For a subscription that uses Minimize Bandwidth or Minimize Latency delivery optimization (PUSH mode), the exception must be set on the source computers and the collecting computer.
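The steps of Exercise 11.12 and the workgroup and HTTPS considerations above can be put into a script so that every source computer is configured the same way. This is an added example, not from the book; computer and account names are constructed, the script skips step 5 in workgroup mode because a workgroup has no computer account to add, and the Windows Firewall rule group name and the HTTPS rule name are assumptions about netsh, which the book does not cover.

```powershell
# Added example: scripted form of Exercise 11.12 plus the workgroup and HTTPS
# notes. Run from an elevated prompt. All names are constructed placeholders;
# the netsh rule group "Remote Event Log Management" and the rule name are
# assumptions.

# Run on each SOURCE computer (steps 2, 3 and 5 of the exercise)
function Initialize-EventSource {
    param(
        [string]$CollectorAccount,   # e.g. 'CONTOSO\COLLECTOR01$' (domain only)
        [string]$ReaderAccount,      # workgroup: account named in the subscription
        [switch]$Workgroup,
        [switch]$Https               # subscription will use HTTPS
    )
    # Step 3: configure WinRM; also sets the WinRM service to Automatic
    & winrm quickconfig -q

    if (-not $Workgroup) {
        # Step 5: the collecting computer's account joins local Administrators
        & net.exe localgroup Administrators $CollectorAccount /add
    } else {
        # Workgroup: firewall exception for Remote Event Log Management and an
        # administrator account in Event Log Readers, to be named later in
        # Configure Advanced Subscription Settings on the collector
        & netsh.exe advfirewall firewall set rule group="Remote Event Log Management" new enable=yes
        & net.exe localgroup "Event Log Readers" $ReaderAccount /add
    }
    if ($Https) {
        # Source computers need port 443 for both pull and push subscriptions
        & netsh.exe advfirewall firewall add rule name="Event Forwarding HTTPS" dir=in action=allow protocol=TCP localport=443
    }
}

# Run on the COLLECTING computer (step 4 plus the workgroup and HTTPS notes)
function Initialize-EventCollector {
    param(
        [string[]]$Sources,          # source computer names (workgroup only)
        [switch]$Workgroup,
        [switch]$Https,              # subscription will use HTTPS
        [switch]$Push                # Minimize Bandwidth / Minimize Latency
    )
    # Step 4: configure the Windows Event Collector service (Wecsvc)
    & wecutil.exe qc /q
    if ($Push) {
        # Push delivery requires winrm quickconfig on the collector as well
        & winrm quickconfig -q
    }
    if ($Workgroup) {
        # Allow NTLM to the listed sources; run once, wildcards are accepted
        $hosts = [string]::Join(',', $Sources)
        & winrm set winrm/config/client ('@{TrustedHosts="' + $hosts + '"}')
    }
    if ($Https -and $Push) {
        # The collector needs port 443 only for push subscriptions
        & netsh.exe advfirewall firewall add rule name="Event Collector HTTPS" dir=in action=allow protocol=TCP localport=443
    }
}

# Usage with constructed names:
#   On SRV01, SRV02:   Initialize-EventSource -CollectorAccount 'CONTOSO\COLLECTOR01$'
#   On COLLECTOR01:    Initialize-EventCollector
#   Workgroup source:  Initialize-EventSource -Workgroup -ReaderAccount 'SRV01\wecadmin'
#   Workgroup collector: Initialize-EventCollector -Workgroup -Sources 'SRV01','SRV02'
```

Keeping the TrustedHosts list to named computers rather than a wildcard limits which machines the collector will authenticate to with NTLM, which matters because TrustedHosts bypasses the mutual authentication that Kerberos provides in a domain.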
Reading Events through Custom Views

Event Viewer in Windows Server 2008 logs a larger number of events than previous versions. This poses a challenge when searching through the many events that are logged. Because Event Viewer is now XML based, searching can be made easier by creating custom views. Custom views filter events, so users see only the events they are interested in. Windows Server 2008 has an Administrative Events custom view by default. If server roles are installed, each one will have its own custom view automatically created by Windows Server 2008. See Figure 11.7.
61705c11.indd 472
6/27/08 12:05:28 PM
Figure 11.7 Administrative Events custom view
There are two ways to filter events: filter the current log or create a custom view. Exercise 11.13 explains the steps required to filter events within a specific log in Event Viewer.

Exercise 11.13
Filtering Only Informational Events in the Current Log

Finding useful information in a comprehensive log takes a lot of time, and it is more productive to show only the events you need. To show only the informational events, execute the following steps:

1. Open the event log that needs to be filtered.
2. With the event log displayed on the screen, under the Actions pane, select Filter Current Log.
3. The Filter Current Log window appears. Filter Current Log supports filtering based on time, event level, event logs, event sources, event IDs, task category, keywords, user, and computers. Under Event Level, select Information.
Chapter 11 Monitoring Windows Server 2008 for High Availability n
4. When you click OK, Event Viewer will show only the informational events.
Events can also be filtered by using XPath. XPath is a language for finding information in an XML document; it is used to navigate through the elements and attributes of the document. For more information about XPath, see http://msdn.microsoft.com/en-us/library/ms256115.aspx and www.w3.org/TR/xpath.
The second method for displaying events is through custom views. Custom views can be very useful for administrators because they speed up the troubleshooting process. However, it is best to have fewer than 30 custom views or productivity could be decreased. The Create Custom View window allows the same filtering of data. To create a custom view, complete Exercise 11.14.

Exercise 11.14
Creating a Custom View

If flexibility in filtering logs is needed, it can be accomplished through the use of custom views. To create a custom view, execute the following steps:

1. In Event Viewer, in the navigation pane, right-click Custom Views and select Create Custom View.
2. The Create Custom View window appears. As with the Filter Current Log feature, Create Custom View also supports event filtering based on time, event level, event logs, event sources, event IDs, task category, keywords, user, and computers.
3. Specify a name and a description (optional) for the custom view and click OK.
4. A new custom view is now created and is shown in the navigation pane.
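Behind the Create Custom View dialog, Event Viewer stores every custom view (and every subscription) as a QueryList element whose Select elements carry the XPath filters discussed above. The script below is an added example, not from the book, that builds such a query from a channel, event levels, event IDs and a time window, writes it to a file, and runs it with wevtutil so a filter can be tested at the command prompt before it is pasted into the dialog's XML tab. The default channel, levels, event IDs and output path are constructed sample values.

```powershell
# Added example (not from the book): generate the QueryList XML that a custom
# view uses and test it with wevtutil qe /sq:true. Sample parameters are
# constructed; change them for the log you are investigating.

param(
    [string]$Channel = "System",
    [int[]]$Levels   = @(1, 2),      # 1 = Critical, 2 = Error, 3 = Warning, 4 = Information, 5 = Verbose
    [int[]]$EventIds = @(),          # empty = any event ID
    [int]$LastHours  = 24,           # 0 = no time restriction
    [string]$OutFile = "$env:TEMP\customview-query.xml",   # assumption: scratch location
    [int]$MaxEvents  = 5
)

function New-EventQueryXml {
    param([string]$Channel, [int[]]$Levels, [int[]]$EventIds, [int]$LastHours)

    $clauses = @()
    if ($Levels.Count -gt 0) {
        $clauses += "(" + (($Levels | ForEach-Object { "Level=$_" }) -join " or ") + ")"
    }
    if ($EventIds.Count -gt 0) {
        $clauses += "(" + (($EventIds | ForEach-Object { "EventID=$_" }) -join " or ") + ")"
    }
    if ($LastHours -gt 0) {
        # timediff() is the Event Log XPath extension used by the dialog's
        # "Logged: Last 24 hours" option; its argument is in milliseconds.
        $ms = $LastHours * 3600 * 1000
        $clauses += "TimeCreated[timediff(@SystemTime) <= $ms]"
    }
    if ($clauses.Count -gt 0) {
        $predicate = "*[System[" + ($clauses -join " and ") + "]]"
    } else {
        $predicate = "*"    # no clause at all selects every event in the channel
    }

@"
<QueryList>
  <Query Id="0" Path="$Channel">
    <Select Path="$Channel">$predicate</Select>
  </Query>
</QueryList>
"@
}

$xml = New-EventQueryXml -Channel $Channel -Levels $Levels -EventIds $EventIds -LastHours $LastHours
# ASCII output avoids a byte-order mark in the query file.
Set-Content -Path $OutFile -Value $xml -Encoding ASCII
Write-Host "Query written to $OutFile`n$xml"

# Run the structured query: newest events first, readable text, limited count.
wevtutil qe $OutFile /sq:true /rd:true /c:$MaxEvents /f:text
```

With the default values the script produces the filter *[System[(Level=1 or Level=2) and TimeCreated[timediff(@SystemTime) <= 86400000]]] for the System log, which is the same expression Event Viewer generates when you select Critical and Error for the last 24 hours. The same QueryList can be pasted into the XML tab of the Filter Current Log or Create Custom View dialog, or into a subscription's event filter.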
Monitoring Using Task Scheduler

Task Scheduler enables the user to perform automated tasks on the system. In this scenario, Task Scheduler is used by IT professionals to monitor server performance by configuring system assessment tasks that run automatically. Task Scheduler maintains a collection of all scheduled tasks in the Task Scheduler Library, presented in an organized view. The user can use Task Scheduler to run, disable, modify, and delete tasks. Any program can be scheduled to run at any time or when a specific event occurs. The selected time and event criteria are monitored by Task Scheduler, which executes the task when the criteria are met. See Figure 11.8.
Figure 11.8 Task Scheduler
Task Scheduler in Windows Server 2008 is loaded with improvements in the following key areas:

User interface  A new Task Scheduler user interface based on the Microsoft Management Console (MMC) is presented in Windows Server 2008. The interface is enhanced with a number of new conditions and filters that are helpful for administrators in defining and managing scheduled tasks.

Administrative  Task status monitoring has been improved with detailed failure reporting and comprehensive task history. Status feedback has also been significantly improved. An email that includes the complete runtime history of an event can be sent to the administrator in the event of a failure. The complete history of executed scheduled tasks, as well as the list of currently running tasks, can be easily accessed and reviewed by the administrator at any time. Tasks can also be run and stopped on demand. The Task Scheduler API is now fully available to scripting languages, which is extremely helpful for administrators in scripting complex tasks.

Platform and manageability  Hosting and activation of troubleshooters and other corrective actions are now enabled with the use of Task Scheduler. Periodic data collection has been implemented in order to improve event detection. Quotas may now be assigned in task process prioritization. Computer resources are more efficiently utilized because tasks are activated based on a true idle state, which is defined by CPU, memory, and I/O usage; user presence; and non-presentation mode.
Scheduling  The time-based task launch has been improved with enhanced scheduling options as well as higher granularity. In a noticeable improvement, the user is now allowed to chain a series of actions together as opposed to creating multiple scheduled tasks one by one. Tasks can be scheduled on demand for execution when a specific event is logged to an event log. Scheduled tasks can be configured to run when the computer is idle or to wake a computer from sleep or hibernation. Previously scheduled tasks can also be executed when a powered-down computer is turned back on. Scalability has also been improved: limitations on the number of registered tasks have been removed, and multiple instances of a task are allowed to run in parallel or in sequence.

Security  New security features are represented by the ability to securely store passwords needed for running tasks with the use of Credentials Manager and the ability to run Service for User (S4U) for scenarios in which passwords do not need to be stored at all. To further strengthen security, scheduled tasks are now executed in separate sessions instead of the same session as the current user or system services. Therefore, system tasks are executed in the system session (session 0), while user tasks are executed in the user's session. Separate per-user credentials are required for Winstations and desktops.
Scheduling a Task

A task can be scheduled either by creating a basic task with the Create Basic Task Wizard or by creating a task manually by supplying task information in the Create Task dialog box. A task can also be scheduled by using the command line. If the Create Basic Task Wizard is used, most of the task properties will be set to default values and the trigger for the task will be chosen from the most commonly used triggers. To use the wizard to schedule a basic task, complete Exercise 11.15.

Exercise 11.15
Scheduling a Basic Task by Using a Wizard

Scheduling a basic task is a step-by-step wizard in Windows Server 2008. To schedule a basic task using the wizard, execute the following steps:

1. Start Task Scheduler by clicking Start, Control Panel, Administrative Tools, and then double-clicking Task Scheduler.
2. In the left pane, select the task folder in which the new task is to be created.
3. In the Actions pane on the right, click Create Basic Task.
4. Type a name for the task and a description, if required, and then click Next.
5. Select a trigger to determine when the task will start, and then click Next. Refer to Table 11.9 for more information on trigger options.
6. If prompted, fill in the details for the selected trigger. If not, skip to the next step.
7. Select an action to be performed by the task. The options are Start a Program, Send an E-Mail, and Display a Message. Then click Next.
8. Fill in the details for the selected action, and then click Next.
9. Confirm the details of the task in the summary, and then click Finish.
A new task folder can be created if existing folders are not going to be used. To create a new task folder, click Action on the main menu; then click New Folder and enter a name before clicking OK.
To see a listing of triggers for a task, see Table 11.9.
Table 11.9 Triggers for a Task

On a schedule
    Runs the task according to a specified schedule. Options are available to schedule the task to run one time or on a daily, weekly, or monthly schedule. The time that is set by the user is relative to the time zone that is set on the computer that runs the task. If a set of tasks is to be scheduled to run simultaneously in multiple time zones, the Universal check box has to be selected because the time needs to be made relative to Coordinated Universal Time (UTC). The UTC abbreviation corresponds to the French version of the term.

At log on
    Runs the task when a user logs on to the computer. Options are available to specify whether the task will be triggered when any user logs on or when a specific user or user group member logs on to the computer.

At startup
    Runs the task when the computer starts up.

On idle
    Runs the task after the computer enters an idle state. The idle settings can be configured on the Conditions tab in the Create Task or Task Properties dialog box.

On an event
    Runs the task when specific event entries are added to an event log. Basic and custom options are available to configure the trigger settings. If basic settings are chosen, the task will be triggered by a single event from a specific event log. If custom settings are chosen, the task will be triggered by events matched by a specified custom Event Viewer query or XML event query.

At task creation/modification
    Runs the task as soon as it is created or modified.

On connection to user session
    Runs the task when a user session is connected from a local computer or from a remote desktop connection. Options are available to specify whether the task will be triggered when any user connects to a user session or when a specific user or member of a specific user group connects.

On disconnect from user session
    Runs the task when a user session is disconnected from a local computer or from a remote desktop connection. Options are available to specify whether the task will be triggered when any user disconnects from a user session or when a specific user or member of a specific user group disconnects.

On workstation lock
    Runs the task when the computer is locked. Options are available to specify whether the task will be triggered when any user or when a specific user or member of a specific user group locks the computer.

On workstation unlock
    Runs the task when the computer is unlocked. Options are available to specify whether the task will be triggered when any user or when a specific user or member of a specific user group unlocks the computer.
Exercise 11.16 shows you how to schedule a task manually by using the Windows interface.

Exercise 11.16
Scheduling a Task Manually by Using the Windows Interface

Advanced users who want a fast and straightforward way to schedule a task can do so without the wizard. To schedule a task manually using the Windows interface, execute the following steps:

1. Start Task Scheduler.
2. In the left pane, select the task folder in which the new task is to be created.
3. In the Actions pane on the right, click Create Task. The Create Task dialog box opens.
4. On the General tab, type a name and, optionally, a description for the task, and specify the desired Security options.
5. On the Triggers tab, click the New button to add a trigger for the task.
6. On the Actions tab, click the New button to add an action for the task.
7. (Optional) On the Conditions tab, specify conditions for the task.
8. (Optional) On the Settings tab, change the settings for the task.
9. Click OK.
To schedule a task by using the command line, complete the steps in Exercise 11.17.

Exercise 11.17
Scheduling a Task Manually by Using the Command Line

Scheduling a task can be scripted by using the command line. To schedule a task manually using the command line, execute the following steps:

1. Click Start, select Run, type cmd in the Run dialog, and then press Enter to open a command prompt.
2. Type the following command:
   schtasks /Create [/S <system> [/U <username> [/P [<password>]]]] [/RU <username> [/RP <password>]] /SC <schedule> [/MO <modifier>] [/D <days>] [/M <months>] [/I <idletime>] /TN <taskname> /TR <taskrun> [/ST <starttime>] [/RI <interval>] [ {/ET <endtime> | /DU <duration>} [/K] [/XML <xmlfile>] [/V1]] [/SD <startdate>] [/ED <enddate>] [/IT] [/Z] [/F]
3. To view the help topics for this command, type the following command:
   schtasks /Create /?

Refer to the section "Using the Command-Line Tool Schtasks.exe" for information on the Schtasks.exe command-line tool.
Managing a Task

Task management and monitoring is made simple in Task Scheduler with options to display all running tasks, export tasks, import tasks, and view task history. When you open Task Scheduler in Windows Server 2008, you'll see detailed task information next to all the tasks. Status and last run results are also shown, so administrators can identify problems immediately. Exercise 11.18 shows you how to display and/or end running tasks.

Exercise 11.18
Displaying All Running Tasks

Running tasks can be monitored from Task Scheduler. To display all running tasks, execute the following steps:
1. Start Task Scheduler.
2. In the Actions pane on the right, click Display All Running Tasks. The All Running Tasks window opens.
3. To manually refresh the display, click the Refresh button.
4. To stop one or more tasks on demand, select the running task(s) and click the End Task button.
Tasks can be saved and exported to an XML file and then imported when necessary, on either the same computer or on a different computer. The portability of tasks is enhanced by this feature. Exercise 11.19 shows you how to export tasks.
Exercise 11.19
Exporting Tasks

Tasks can be migrated or backed up by exporting them from Task Scheduler. To export tasks, execute the following steps:
1. Start Task Scheduler.
2. In the console pane in the center, right-click the task to be exported and select Export.
3. Browse for a location in which to save the file, type a name for the file, and then click Save.
Tasks that have been exported can be easily imported to the same computer as well as to another computer (see Exercise 11.20).

Exercise 11.20
Importing Tasks

If tasks need to be imported into a newly built or existing server, it can be done through Task Scheduler. To import tasks, execute the following steps:
1. Start Task Scheduler.
2. Under the Task Scheduler Library in the left pane, right-click the desired task folder and select Import Task.
3. Browse for the location in which the XML file is stored, select the file, and click Open.
On the History tab of a task in Task Scheduler, all known events for that task are displayed, allowing you to quickly view the previous status and running time. Only events related to the currently selected task are displayed. There is no longer a need to review the Task Scheduler event log for individual events from specific tasks. In Exercise 11.21, you'll view the history of a task.

Exercise 11.21
Viewing the History of a Task

Reviewing the past history of a task is important when it comes to server auditing. To view the history of a task, execute the following steps:

1. Start Task Scheduler.
2. In the left pane, select the task folder that contains the task you want to view.
3. In the console pane in the center, select the task.
4. Click the History tab to view the history of the task. In the history list, select an event to view the event description.
Managing or Creating a Task on a Remote Computer

You can use the Task Scheduler interface to connect to a remote computer and create and manage tasks. The name or IP address of the remote computer must be specified. The user credential that is used to connect to a remote computer must be part of the Administrators group on the remote computer. If the computer you will be connecting to is running Windows Server 2008 or Windows Vista, the Remote Scheduled Tasks Management firewall exception must be enabled on the remote computer. If the computer you will be connecting to is running Windows Server 2003 or Windows XP, the File and Printer Sharing firewall exception must be enabled on the remote computer. Exercise 11.22 shows you how to manage and create a task on a remote computer.

Exercise 11.22
Managing or Creating a Task on a Remote Computer Using Task Scheduler

Task Scheduler can be managed remotely, without logging on to the console or being on site. To manage or create a task on a remote computer using Task Scheduler, execute the following steps:
1. Start Task Scheduler.
2. In the left pane, select Task Scheduler.
3. In the Actions pane on the right, click Connect to Another Computer. The Select Computer dialog box opens.
4. In the Select Computer dialog box, select Another Computer.
5. Enter the name or IP address of the remote computer in the text box, or click Browse to search for a remote computer.
6. (Optional) You can use credentials other than those of the current user to connect to the remote computer. Select the Connect as Another User check box and click Set User. Enter the username and password.
7. When the remote computer is specified, click OK.
8. Once the remote computer is connected, you can manage and create tasks by using the same procedures that are performed on a local computer.
Exercise 11.23 shows you how to manage or create a task on a remote computer by using the command line.

Exercise 11.23
Managing or Creating a Task on a Remote Computer Using the Command Line

An alternative method of managing or creating a task on a remote computer is to use the command line. To manage or create a task on a remote computer using the command line, execute the following steps:
1. Click Start, select Run, and type cmd in the Run command dialog and then press Enter to open command prompt.
2. Use the Schtasks.exe tool to manage or create a task. Specify the name or IP address of the remote computer in the /S <system> argument, the username that is used to connect to the remote computer in the /U <username> argument, and the password for the user in the /P <password> argument. Refer to the following section for information on the Schtasks.exe command-line tool.
3. To view the help topics for these commands, type the following:
   schtasks /Create /?
   schtasks /Run /?
   schtasks /End /?
   schtasks /Delete /?
   schtasks /Change /?

Using the Command-Line Tool Schtasks.exe

Schtasks.exe is the command-line tool used to perform Task Scheduler actions at the command prompt. The Schtasks.exe command-line tool enables administrators to create, delete, change, run, end, and query scheduled tasks on a local or remote computer. The following command syntax is used by the Schtasks.exe command interface:
   schtasks /<parameter> [arguments]

The command parameters used by the Schtasks.exe command interface are as follows:

/Create  Create a new scheduled task.
/Delete  Delete the scheduled task(s).
/Change  Change the properties of a scheduled task.
/Run     Run the scheduled task immediately.
/End     Stop the running scheduled task.
/Query   Display all scheduled tasks.
You can use Schtasks.exe for various tasks:

- Click Start, select Run, type cmd in the Run dialog, and then press Enter to open a command prompt.
- To delete tasks, type this:
  schtasks /Delete [/S <system> [/U <username> [/P [<password>]]]] /TN <taskname> [/F]
- To change tasks, type the following:
  schtasks /Change [/S <system> [/U <username> [/P [<password>]]]] /TN <taskname> { [/RU <username>] [/RP <password>] [/TR <taskrun>] [/ST <starttime>] [/RI <interval>] [ {/ET <endtime> | /DU <duration>} [/K] ] [/SD <startdate>] [/ED <enddate>] [/ENABLE | /DISABLE] [/IT] [/Z] }
- To run tasks, type this:
  schtasks /Run [/S <system> [/U <username> [/P [<password>]]]] /TN <taskname>
- To end tasks:
  schtasks /End [/S <system> [/U <username> [/P [<password>]]]] /TN <taskname>
- To query tasks:
  schtasks /Query [/S <system> [/U <username> [/P [<password>]]]] [/FO <format>] [/NH] [/V] [/?]
Running a Task in Response to a Given Event

The ability to run a task in response to a given event is the result of the integration of Task Scheduler with Event Viewer. Tasks are configured to run in this way in order to diagnose and troubleshoot a given event immediately. Exercise 11.24 shows you how to run a task in response to an event.

Exercise 11.24
Running a Task in Response to an Event

Sometimes it is useful to run a script if an error occurs, for example to notify the system administrator or generate error reports. To run a task in response to an event, execute the following steps:

1. Start Task Scheduler.
2. In the left pane, select the task folder in which the new task will be created.
3. In the Actions pane on the right, click Create Task. The Create Task dialog box opens.
4. On the General tab, type a name and, optionally, a description for the task, and specify the desired security options.
5. On the Triggers tab, click the New button.
6. In the New Trigger dialog box, select On an Event in the Begin the Task drop-down list.
7. To run the task in response to a basic system-created event log entry, select the Basic option.
8. In the Log drop-down list, select the event log in which the event is found.
9. In the Source drop-down list, select the component that published the event to narrow down the criteria. In this example, Source is set to EventCollector.
10. In the Event ID box, enter the unique ID of the specific event to further narrow down the criteria. A list of event IDs can be found at www.eventid.net.
11. To run the task in response to a custom event query, select the Custom option and click the New Event Filter button to create a new custom view. Refer to the section "Reading Events through Custom Views" for the step-by-step procedure.
12. On the Actions tab, click the New button to add an action for the task.
13. (Optional) On the Conditions tab, specify conditions for the task.
14. (Optional) On the Settings tab, change the settings for the task.
15. Click OK.
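The same event-triggered task can be created and managed with Schtasks.exe, using the /Create, /Query, /Run and /Delete parameters from the previous section together with the /SC ONEVENT schedule. The script below is an added example, not from the book, that walks one task through that life cycle from an elevated PowerShell session: it creates a task triggered by event ID 6008 in the System log (a constructed sample, not the EventCollector source used in the exercise), shows its status, runs it on demand, exports its XML definition as Exercise 11.19 does through the console, and then removes it. The task name, the action command and the export path are assumptions.

```powershell
# Added example (not from the book): Schtasks.exe life cycle for a task with
# an "On an event" trigger. /SC ONEVENT with /EC (channel) and /MO (XPath
# query) is the command-line form of the trigger configured in Exercise 11.24.
# Task name, event ID, action and export path are constructed sample values.

param(
    [string]$TaskName  = "ReportUnexpectedShutdown",          # assumption
    [string]$EventLog  = "System",
    [int]$EventId      = 6008,                                  # sample: unexpected shutdown
    [string]$Action    = 'cmd.exe /c echo Unexpected shutdown recorded >> %SystemRoot%\Temp\shutdown-report.txt',
    [string]$ExportDir = $env:TEMP                              # assumption: scratch location
)

function Invoke-Schtasks {
    # Run schtasks.exe with an argument list and stop on failure rather than
    # continuing with a task that was never created or changed.
    param([string[]]$Arguments)
    & schtasks.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "schtasks $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Create. The /MO value is the same XPath predicate the Basic trigger
#    settings generate for a single event ID. /RU SYSTEM means no password
#    has to be stored; /F overwrites a task of the same name.
$query  = "*[System[EventID=$EventId]]"
$create = @("/Create", "/TN", $TaskName, "/TR", $Action,
            "/SC", "ONEVENT", "/EC", $EventLog, "/MO", $query,
            "/RU", "SYSTEM", "/F")
Invoke-Schtasks $create

# 2. Query. Verbose list output includes Status, Last Run Time and Last Result,
#    the same fields the console shows next to each task.
Invoke-Schtasks @("/Query", "/TN", $TaskName, "/V", "/FO", "LIST")

# 3. Run on demand, as the Run action in the console does.
Invoke-Schtasks @("/Run", "/TN", $TaskName)

# 4. Export. The XML is the same format the console's Export action writes and
#    can be imported again with: schtasks /Create /XML <file> /TN <name>
$exportFile = Join-Path $ExportDir "$TaskName.xml"
schtasks.exe /Query /TN $TaskName /XML | Out-File -FilePath $exportFile -Encoding Unicode
Write-Host "Task definition exported to $exportFile"

# 5. Delete the sample task; /F suppresses the confirmation prompt.
Invoke-Schtasks @("/Delete", "/TN", $TaskName, "/F")
```

To run the same commands against a remote computer, add /S <system> /U <username> /P to each call; leaving /P without a value makes Schtasks.exe prompt for the password, so it is not recorded in the command history or in a script file.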
Monitoring System Activity

In Windows Server 2008, the Performance Monitor and the Reliability Monitor, which are essential to performance and availability monitoring tasks, are major components of the Windows Performance Diagnostic Console, a Microsoft Management Console (MMC) snap-in. The Windows Performance Diagnostic Console allows the user to perform a number of crucial system activity monitoring tasks:

- Customization of data collection
- Customized viewing of past performance data
- Definition of thresholds for alerts and automatic actions
- Real-time system monitoring
- Report generation
System activity monitoring can now be more efficiently and speedily done with the introduction of a new Resource View screen and an improved graphical interface in Performance Monitor. The user can choose to monitor system activities in general by using Resource View or to monitor specific system activities by using the Performance Monitor.
Monitoring General System Activity Using Resource Monitor

The Resource Monitor is the default page of the Windows Performance Diagnostic Console, which provides a real-time graphical overview of CPU, disk, network, and memory utilization. Details of the specific processes that are utilizing specific resources can be accessed by expanding the four sections. Figure 11.9 shows the Resource View.

Figure 11.9 Resource View in action
To monitor general system activity using Resource Monitor (Exercise 11.25), you must first ensure that the logged-on user is a member of the local Administrators group.

Exercise 11.25
Monitoring General System Activity Using Resource Monitor

Resource Monitor provides a quick overview of the health of the system. To monitor general system activity using Resource Monitor, execute the following steps:

1. Click Start, Control Panel, Administrative Tools, Reliability and Performance Monitor. Or click Start, Run, type perfmon.msc in the Run dialog box, and press Enter.
2. Obtain a summary of real-time information of CPU, disk, network, and memory utilization on the local computer by viewing the graphs in the Resource Overview pane.
3. Click a graph to expand its corresponding details.
4. Obtain process-level details on each resource by expanding the labeled sections below the graphs.
5. Refer to Tables 11.10 through 11.15 for information on navigating Resource View.
To open Resource View in its own window when it is started, type perfmon /res at a command prompt.
Resource View provides a very brief and general outline of how the system is doing. Through Resource View, it is possible to determine if there are potential bottlenecks on any of the four core system components. Table 11.10 shows the four system components.

Table 11.10 Resource View Details

CPU
    Total percentage of CPU capacity currently in use is displayed in green. Maximum frequency of the CPU is displayed in blue.

Disk
    Total current I/O is displayed in green. Percentage of highest active time is displayed in blue.

Network
    Current total network traffic is displayed in green. Percentage of network capacity currently in use is displayed in blue.

Memory
    Current hard faults per second is displayed in green. Percentage of physical memory currently in use is displayed in blue.
CPU Resource View works similarly to the Processes tab in Task Manager. The only difference is that threads and average CPU are not shown by default on the Task Manager Processes tab but are shown in CPU Resource View. If any process is holding a high amount (80 percent and above) of CPU resources for a period of 30 seconds or more, you will need to start monitoring the process. Table 11.11 shows the individual details that are part of CPU Resource View.

Table 11.11 CPU Resource View Details

Image
    The application that is utilizing CPU resources

PID
    The process ID of the application instance

Description
    Description of the application

Threads
    The number of currently active threads from the application instance

CPU
    Currently active CPU cycles from the application instance

Average CPU
    The average CPU load resulting from the application instance
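The rule stated above, that a process holding 80 percent or more of the CPU for 30 seconds or more needs attention, is easy to apply by eye in Resource View but not to automate there. The following script is an added example, not from the book, that samples the same per-process counters Resource View displays, through the Win32_PerfFormattedData_PerfProc_Process WMI class, and reports any process that stays above the threshold for the whole window. The 80 percent and 30 second figures come from the text; the 5 second sample interval and the local computer name are assumptions.

```powershell
# Added example (not from the book): flag processes that hold >= 80% CPU for
# >= 30 seconds, the threshold given in the text, by sampling the per-process
# "% Processor Time" counter through WMI. Requires an account that can read
# WMI performance data on the target (local Administrators is sufficient).

param(
    [int]$ThresholdPercent = 80,    # from the text: 80 percent and above
    [int]$WindowSeconds    = 30,    # from the text: for 30 seconds or more
    [int]$IntervalSeconds  = 5,     # assumption: sample every 5 seconds
    [string]$ComputerName  = "."    # "." = local computer
)

# PercentProcessorTime is summed over all logical processors, so it is
# normalized by the processor count to the 0..100 scale Resource View shows.
$cpuCount = (Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName).NumberOfLogicalProcessors
if (-not $cpuCount) { $cpuCount = 1 }
$samples  = [int][math]::Ceiling($WindowSeconds / $IntervalSeconds)
$hits     = @{}   # key = "PID Name", value = consecutive samples over the threshold

for ($i = 0; $i -lt $samples; $i++) {
    $rows = Get-WmiObject -Class Win32_PerfFormattedData_PerfProc_Process -ComputerName $ComputerName |
        Where-Object { $_.Name -ne "_Total" -and $_.Name -ne "Idle" }

    $over = @{}
    foreach ($row in $rows) {
        $pct = [int]($row.PercentProcessorTime / $cpuCount)
        if ($pct -ge $ThresholdPercent) {
            $over["$($row.IDProcess) $($row.Name)"] = $pct
        }
    }

    # A process must be over the threshold in every sample; one dip resets it.
    foreach ($key in @($hits.Keys)) {
        if (-not $over.ContainsKey($key)) { $hits.Remove($key) }
    }
    foreach ($key in $over.Keys) {
        if ($hits.ContainsKey($key)) { $hits[$key]++ } else { $hits[$key] = 1 }
    }

    if ($i -lt $samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
}

$sustained = $hits.GetEnumerator() | Where-Object { $_.Value -ge $samples }
if ($sustained) {
    foreach ($entry in $sustained) {
        Write-Host ("Sustained CPU use: {0} held at least {1}% for {2} seconds" -f $entry.Key, $ThresholdPercent, $WindowSeconds)
    }
} else {
    Write-Host "No process exceeded $ThresholdPercent% CPU for the full $WindowSeconds seconds."
}
```

The key combines PID and image name so that a process which exits and is replaced by another with the same name does not inherit its count. A process reported here is the one to open in CPU Resource View or to investigate with a data collector set, as the rest of the section describes.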
Disk Resource View shows the disk performance of all physical disks that are installed on the system. It shows the image (process) and the corresponding file's read and write performance. Depending on the disk configuration (RAID, disk controller, iSCSI), it can be used to find a bottleneck created by the disks or to monitor Read, Write, IO Priority, and Response Time. Table 11.12 shows the individual details that are part of Disk Resource View.

Table 11.12 Disk Resource View Details

Image
    The application that is utilizing disk resources

PID
    The process ID of the application instance

File
    The file that is being read and/or written by the application instance

Read
    The current speed (bytes/min.) at which data is being read by the application instance

Write
    The current speed (bytes/min.) at which data is being written by the application instance

IO Priority
    The priority of the I/O task for the application

Response Time
    The response time of the disk activity in milliseconds
Network Resource View shows network traffic per process (or image) and the network address the process is sending to or receiving from. Network Resource View provides a graph showing only basic network traffic information and is useful only for checking how much data is being transferred. If network troubleshooting is needed, it is wiser to create data collector sets instead. Table 11.13 shows the individual details that are part of Network Resource View.

Table 11.13 Network Resource View Details

Image
    The application that is utilizing network resources

PID
    The process ID of the application instance

Address
    The network address with which information is exchanged by the local computer

Send
    The amount of data (in bytes/min.) that is currently being sent by the application instance from the local computer to the address

Receive
    The amount of data (in bytes/min.) that is currently being received by the application instance from the address

Total
    The total bandwidth (in bytes/min.) that is currently being sent and received by the application instance
Memory Resource View shows basic memory usage per process (or image). Memory Resource View can provide some helpful guidance in determining whether memory is the bottleneck of system performance. However, this view will not show whether read or write access is the bottleneck; it only shows whether the system has enough memory. Table 11.14 shows the individual details that are part of Memory Resource View.

Table 11.14 Memory Resource View Details

Image
    The application that is utilizing memory resources

PID
    The process ID of the application instance

Hard Faults/min.
    The number of current hard faults per minute resulting from the application instance

Working Set (KB)
    The number of kilobytes for the application instance that are currently residing in memory

Shareable (KB)
    The number of kilobytes of the application instance working set that may be available to be utilized by other applications

Private (KB)
    The number of kilobytes of the application instance working set that are dedicated to the process
Resource View is limited in this version, but you can sort columns and highlight processes (or images) for easier reading. Table 11.15 shows the actions supported by Resource View.

Table 11.15 Resource View Navigation Tasks

Action | Procedure
Highlight an application instance | To keep highlighting when the application instance position changes in the display, click anywhere in the application instance row.
Sort columns by value | To sort in ascending order, click the column header label once. To sort in descending order, click the column header label twice.
Monitoring System Activity
Monitoring Specific System Activity Using Performance Monitor

Performance Monitor provides a graphical summary of system performance based on a number of built-in Windows performance counters, which can be viewed in real time or examined as historical data. By adding specific counters to Performance Monitor, you can monitor activity and performance in specific areas of the system. In Windows Server 2008, Performance Monitor has been upgraded to enable better views, easier navigation, and more precise control. Improvements have been made in the following areas:

- Drag-and-drop functionality
- New time range controls
- Scale-to-fit option
- Time-based algorithms
- Tool tips
- Zoom functionality
In the Performance Monitor log view, you can add preferred performance counters into the graph or report to observe specific data. In Exercise 11.26, you’ll add counters to the current Performance Monitor view.

Exercise 11.26 Adding Counters to the Current Performance Monitor View

It is possible to add additional counters to the Performance Monitor view. To add counters to the Performance Monitor view, execute the following steps:

1. In the left pane of Windows Reliability and Performance Monitor, expand Reports and expand User Defined.
2. Expand the data collector set for which you want to view log data.
3. Right-click the data collector of the data collector set and select the Performance Monitor view.
4. Click the Add (+) button in the menu bar above the graph in the Performance Monitor view, or right-click anywhere in the graph and select Add Counters. This launches the Add Counters dialog box.
5. In the Available Counters section, select the counters you want to display in Performance Monitor. Refer to Table 11.16 for details on the common tasks in the Add Counters dialog box.
6. When you have selected the counters, click OK.
Some navigation tasks, such as displaying a description of a counter, cannot be done when Performance Monitor is displayed as a report view. They can only be done in the process of creating new data collector sets manually.
Table 11.16 Navigation Tasks in the Add Counters Dialog Box

Task | Procedure
Choose the source computer for counters | Select a computer from the Select Counters from Computer drop-down list or click Browse to select other computers. Counters can be added from the local computer or from another computer on the network to which the user has access.
Display a description of the selected counter group | Select Show Description in the lower-left corner of the dialog box. The description is updated when other counter groups are selected.
Add a group of counters | Highlight all counters under the counter group name and click Add.
Add individual counters | Highlight an individual counter under a counter group and click Add.
Add certain instances of a counter | Select the required counter group or individual counter, then select the process from the list in the Instances of Selected Object box. The same counter can be produced by multiple processes; if you choose an instance, only the counters produced by the selected processes will be collected.
Search for instances of a counter | Select the required counter group or individual counter, then type the process name in the drop-down list below the Instances of Selected Object box and click Search. A valid process name remains available in the drop-down list to repeat the search with other counters. The search function is not available unless there are multiple instances of a counter group or counter.
With so many counters available, it can be hard to decide which counters to configure for monitoring system performance. Table 11.17 lists recommended thresholds for the commonly used system counters.
Table 11.17 Recommended System Counter Thresholds

Resource | Object | Counter | Threshold
Disk | LogicalDisk | %Free Space | 15%
Disk | LogicalDisk | %Disk Time | 80%
Memory | Memory | Available Bytes | 16MB
Processor | Processor | % Processor Time | 85%
Processor | Processor | Interrupts/sec | 1500 per second
Table 11.17 lists only the most important and commonly used system counters. The recommended thresholds are only a guideline and might not work in every environment. Windows Server 2008 also comes with three preconfigured data collector sets (LAN, System Diagnostics, and System Performance) with the necessary counters already added. The following list explains the recommended thresholds listed in Table 11.17:

LogicalDisk - %Free Space: Depending on the server’s usage and configuration, some might disagree with the 15% threshold, but a threshold of 15% works on most machines.

LogicalDisk - %Disk Time: Disk time is also known as the disk usage time. When disk time stays constantly at 80%, the disk is very likely to experience hardware failure due to crashing or overheating.

Memory - Available Bytes: The server will start paging to hard disk as soon as the amount of available memory drops below 4MB, and server performance degrades due to excessive paging. Thus, it is wiser to set the threshold higher, at 16MB, so system administrators can take action before available memory falls to 4MB or less.

Processor - % Processor Time: A sudden spike in processor time is sometimes caused by SQL Server or Exchange Server hosted on the server. But if the processor time doesn’t go down, it could cause the server to be unavailable. Use Task Manager to identify which process is constantly using the CPU.

Processor - Interrupts/sec: This counter can be used to signal hardware problems. If the counter increases dramatically without a corresponding increase in server activity, a piece of hardware is responsible for the flood of interrupts. A hardware failure involving the network card, hard disk controller, or another device needs to be investigated.
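As an added example (not from the book), the following PowerShell script samples the five counters from Table 11.17 with Get-Counter, averages several samples so that a momentary spike is not mistaken for a sustained problem, and reports which counters breach the recommended thresholds. It assumes PowerShell 2.0 or later (Get-Counter does not exist in PowerShell 1.0) and that it runs locally on the server being checked; the function and variable names are the example's own.

```powershell
# Added example (not from the book): check the Table 11.17 counters against the
# recommended thresholds. Assumes PowerShell 2.0 or later (Get-Counter) and that
# the script runs on the server being monitored.

# Thresholds from Table 11.17. 'Below' means the counter breaches when its value
# drops under the limit; 'Above' means it breaches when the value rises over it.
# Available Bytes is compared in bytes, so 16MB is the 16,777,216-byte limit.
$Thresholds = @(
    @{ Path = '\LogicalDisk(_Total)\% Free Space';   Limit = 15;   Breach = 'Below' },
    @{ Path = '\LogicalDisk(_Total)\% Disk Time';    Limit = 80;   Breach = 'Above' },
    @{ Path = '\Memory\Available Bytes';             Limit = 16MB; Breach = 'Below' },
    @{ Path = '\Processor(_Total)\% Processor Time'; Limit = 85;   Breach = 'Above' },
    @{ Path = '\Processor(_Total)\Interrupts/sec';   Limit = 1500; Breach = 'Above' }
)

function Test-CounterBreach {
    param([double]$Value, [double]$Limit, [string]$Breach)
    if ($Breach -eq 'Below') { return ($Value -lt $Limit) }
    return ($Value -gt $Limit)
}

function Get-ThresholdReport {
    param(
        [int]$Samples  = 3,   # number of samples to average
        [int]$Interval = 5    # seconds between samples
    )
    # Averaging several samples keeps a single spike (the text's SQL Server /
    # Exchange Server case) from being reported as a sustained breach.
    $paths = $Thresholds | ForEach-Object { $_.Path }
    $sets  = Get-Counter -Counter $paths -SampleInterval $Interval -MaxSamples $Samples

    foreach ($t in $Thresholds) {
        # Each sample's Path comes back as \\HOST\object(instance)\counter in
        # lower case; -like is case-insensitive, so match on the path suffix.
        $values = $sets |
            ForEach-Object { $_.CounterSamples } |
            Where-Object   { $_.Path -like "*$($t.Path)" } |
            ForEach-Object { $_.CookedValue }
        $avg = ($values | Measure-Object -Average).Average

        New-Object PSObject -Property @{
            Counter   = $t.Path
            Average   = [math]::Round($avg, 2)
            Threshold = $t.Limit
            Breached  = (Test-CounterBreach -Value $avg -Limit $t.Limit -Breach $t.Breach)
        }
    }
}

# Breached counters are listed first; those are the ones Table 11.17 says to act on.
Get-ThresholdReport | Sort-Object Breached -Descending |
    Format-Table Counter, Average, Threshold, Breached -AutoSize
```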
In the default line graph display in Reliability and Performance Monitor shown in Figure 11.10, two minutes of data is represented in a rolling format from left to right, labeled along the x-axis. With this view, changes in each counter’s activity compared with previous behavior over a short time period can be observed. The performance data can also be represented by other types of graphs as well as by a report.
Figure 11.10 The default line graph view of Performance Monitor
In Exercise 11.27, you’ll change the graph type for the log data in Performance Monitor.

Exercise 11.27 Changing the Graph Type for the Log Data in Performance Monitor

Changing the graph type allows the system administrator to view the report from another perspective. To change the graph type for the log data, execute the following steps:

1. In the left pane of Windows Reliability and Performance Monitor, expand Reports and expand User Defined.
2. Expand the data collector set whose log data you want to view.
3. Right-click the data collector of the data collector set and select the Performance Monitor view.
4. In the menu bar above the graph, click the Change Graph Type button to switch types, or open the drop-down list and select from Histogram Bar, Report, Area, or Stacked Area.
Configuring and Monitoring Using Simple Network Management Protocol (SNMP)

Simple Network Management Protocol (SNMP) is, as its name suggests, a simple protocol that is commonly utilized in network management and monitoring. SNMP is the choice of IT professionals for network-wide system monitoring tasks because it is easy to set up and easy to use. SNMP is designed to integrate the management of TCP/IP-based networks in order to manage devices from a preferred central location. SNMP is used to facilitate data transfer from agent to host. The data is then centralized in logs for effective viewing and subsequent analysis.
Install SNMP Services

Windows Server 2008, just like its predecessors, does not have SNMP Services installed by default. To use SNMP Services, you will need to install the SNMP Services feature (Exercise 11.28).

Exercise 11.28 Installing SNMP Services

SNMP Services is not installed by default in Windows Server. To install the SNMP Services feature, execute the following steps:

1. Click Start, and then click Server Manager.
2. In the left pane, select Features.
3. In the right pane, click Add Features. This launches the Add Features Wizard.
4. Under the Features list, select SNMP Services and click Next.
5. A confirmation window appears with the features to be added. Click Install to start installing.
6. Once SNMP Services is installed, the results appear. Click Close to complete the installation.
To install the SNMP service in Windows Server 2008 Server Core, type the following in the command prompt: start /w ocsetup SNMP-SC
Configuring Agent Properties Once SNMP Services is installed, the next step is to configure the agent. Agents are servers or devices that will be reporting to the host, telling the host whether the agents are alive or dead. Agent properties also contain information such as the person responsible for managing the agent and the services the agent will interact with on the computer. Exercise 11.29 shows you how to configure agent properties.
Exercise 11.29 Configuring Agent Properties

To monitor the system using SNMP, the agent properties need to be configured. To configure the agent properties, execute the following steps:

1. Click Start, and then click Server Manager.
2. In the left pane, expand Configuration and select Services.
3. In the details pane, select SNMP Service.
4. Right-click SNMP Service and click Properties.
5. On the Agent tab, type the name of the user or administrator in the Contact box.
6. Type the physical location of the computer or the contact in the Location box.
7. Under Service, select the services that the agent is hosting, and click OK.

Changes to Contact or Location of the SNMP Agent take effect within a few minutes.
Configuring Traps

Another option you need to configure as part of SNMP Services is Traps. The Traps tab in the Agent properties dialog box is used to configure the computers to which SNMP Services sends traps. As part of the Traps properties, there are two options that need to be configured: Community and Trap Destinations. A community is like a group, and each community hosts one or more trap destinations. A trap destination can be a host name, an IP address, or an IPX address. Exercise 11.30 shows you how to configure traps.

Exercise 11.30 Configuring Traps

Traps, like the agent, need to be configured for SNMP Services to work. To configure traps, execute the following steps:

1. Click Start, and then click Server Manager.
2. In the left pane, expand Configuration and select Services.
3. In the details pane, select SNMP Service.
4. Right-click SNMP Service and click Properties.
5. On the Traps tab, in the Community Name text box, type a name for the community to which the computer will send trap messages (the name is case-sensitive).
6. Under Trap Destinations, click Add.
7. In the SNMP Service Configuration dialog box, enter the name, the IP address, or the IPX address of the host, and click Add.
8. Repeat steps 5 through 7 until all the required communities and trap destinations are added.
Changes to SNMP settings take effect immediately.
Configuring SNMP Security Properties

Information generated by traps is just like any other data. When transferred across the network, the data could be sniffed by malicious users. Malicious users could also send unauthorized traps to legitimate communities. To prevent these issues from occurring, it is always wise to configure SNMP security (Exercise 11.31).

Exercise 11.31 Configuring SNMP Security Properties

Although configuring SNMP security properties is optional for getting SNMP Services working, it is still recommended for security reasons. To configure SNMP security properties, execute the following steps:

1. Click Start, and then click Server Manager.
2. In the left pane, expand Configuration and select Services.
3. In the details pane, select SNMP Service.
4. Right-click SNMP Service and click Properties.
5. On the Security tab, select Send Authentication Trap to send a trap message whenever authentication fails.
6. Under Accepted Community Names, click Add.
7. In the SNMP Service Configuration dialog box, select a permission level from the Community Rights drop-down list for the host to process SNMP requests from the specified community.
8. In the Community Name text box, type a case-sensitive community name, then click Add.
9. Specify the host(s) from which SNMP packets are accepted:
   - Accept SNMP Packets from Any Host: Select to accept SNMP requests from any host on the network.
   - Accept SNMP Packets from These Hosts: Select to accept SNMP requests from a limited number of preferred hosts. Click Add to enter the name, the IP address, or the IPX address of the host, and then click Add again.
10. Changes can be made to an entry by selecting the entry and clicking Edit. An entry can be deleted by selecting the entry and clicking Remove.
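As an added example (not from the book), the following PowerShell script audits the three Security tab settings that Exercise 11.31 configures by reading them back from the registry keys under HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters where the SNMP service stores them (EnableAuthenticationTraps, ValidCommunities, and PermittedManagers). The checks it flags (authentication traps off, the well-known community names public and private, rights above Read Only, and no permitted managers, which corresponds to Accept SNMP Packets from Any Host) are this example's own choices; the function names are the example's as well.

```powershell
# Added example (not from the book): read back the SNMP Service security
# settings from the registry and report weak choices. Read-only; assumes it
# runs as an administrator on a server with SNMP Services installed.
$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

# Community Rights as stored in ValidCommunities (REG_DWORD per community).
$Rights = @{ 1 = 'None'; 2 = 'Notify'; 4 = 'Read Only'; 8 = 'Read Write'; 16 = 'Read Create' }

function Get-RegistryValues([string]$Key) {
    # Returns the name/value pairs under a key, or nothing if the key is absent.
    if (-not (Test-Path $Key)) { return }
    $item = Get-Item $Key
    foreach ($name in $item.GetValueNames()) {
        New-Object PSObject -Property @{ Name = $name; Value = $item.GetValue($name) }
    }
}

function Get-SnmpSecurityAudit {
    $findings = @()

    # Security tab: Send Authentication Trap (1 = selected).
    $authTraps = (Get-ItemProperty $Params -ErrorAction SilentlyContinue).EnableAuthenticationTraps
    if ($authTraps -ne 1) {
        $findings += 'Send Authentication Trap is not selected; failed community authentication will not be reported.'
    }

    # Security tab: Accepted Community Names and their rights.
    $communities = @(Get-RegistryValues "$Params\ValidCommunities")
    if ($communities.Count -eq 0) {
        $findings += 'No accepted community names are configured; the agent will answer no requests.'
    }
    foreach ($c in $communities) {
        $right = $Rights[[int]$c.Value]
        if ($c.Name -eq 'public' -or $c.Name -eq 'private') {
            $findings += "Community '$($c.Name)' uses a well-known default name ($right)."
        }
        if ([int]$c.Value -ge 8) {
            $findings += "Community '$($c.Name)' has $right rights; monitoring needs only Read Only."
        }
    }

    # Security tab: Accept SNMP Packets from Any Host vs. from These Hosts.
    # An empty or missing PermittedManagers key means packets from any host are accepted.
    $managers = @(Get-RegistryValues "$Params\PermittedManagers")
    if ($managers.Count -eq 0) {
        $findings += 'SNMP packets are accepted from any host; restrict them to the management hosts.'
    }

    New-Object PSObject -Property @{
        AuthenticationTraps = ($authTraps -eq 1)
        Communities         = @($communities | ForEach-Object { "$($_.Name)=$($Rights[[int]$_.Value])" })
        PermittedManagers   = @($managers | ForEach-Object { $_.Value })
        Findings            = $findings
    }
}

Get-SnmpSecurityAudit | Format-List
```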
Starting or Stopping the SNMP Service

Starting or stopping the SNMP Service is just like starting or stopping other services. It can be done through Services.msc or through Server Manager (Windows Server 2008 only). Exercise 11.32 shows you how to start or stop the SNMP Service using Server Manager.

Exercise 11.32 Starting or Stopping SNMP Service

The SNMP Service can be started or stopped for troubleshooting purposes. To start or stop the SNMP Service, execute the following steps:

1. Click Start, and then click Server Manager.
2. In the left pane, expand Configuration and select Services.
3. In the details pane, select SNMP Service.
4. Right-click SNMP Service and click Start, Stop, or Restart.
Configuring Event to Trap Translator

It is possible to trap events, convert the events into traps, and send those traps to the management systems specified in the Traps properties. To accomplish this, the events need to be converted into traps, which is done through the trap translator. To configure the event to trap translator, see Exercise 11.33.

Exercise 11.33 Configuring Event to Trap Translator

Trapping events is what allows the SNMP host to receive the server’s events as traps. To configure the event to trap translator, execute the following steps:

1. Click Start, select Run, type cmd in the Run dialog box, and then press Enter to open a command prompt.
2. Type evntcmd /? for the options and syntax of the evntcmd command used to configure the event to trap translator.
Summary

Monitoring a system proactively is a task that system administrators should do on a daily basis because it provides guidance on how applications and hardware should be configured. This does not mean that system administrators will need to monitor systems on their network manually. The proper way is to let the systems monitor themselves and report to the system administrators if any warnings or errors occur.
Various monitoring tools are built into Windows Server, and it’s up to system administrators to use them wisely:

- Monitoring system performance through counters has improved in Windows Server 2008. Data collector sets make gathering and troubleshooting server performance data a very simple procedure.
- System Stability Index provides a quick summary of how a system is working and whether it has experienced any availability issues in the past.
- Event Viewer is now much more robust, and developers can write to Event Viewer through the APIs. It is now XML based, which means easier searching and manipulation of the event logs. It is also possible to push and pull event logs to and from other computers with just a few simple clicks.
- Task Scheduler has been enhanced in Windows Server 2008. Events can now trigger and run a task, and Task Scheduler comes with a step-by-step wizard to create new tasks. The status of all tasks is also shown in Task Scheduler, increasing the productivity of system administrators.
- SNMP Service is considered an old technology by some, but it is still one of the more useful methods to monitor systems and devices.

With a good grip on how to set up and configure the tools we covered in this chapter, system administrators can allocate their resources to more important tasks.
Review Questions

1. You want to provide a help desk user with the rights to create logs for data collector sets. What do you need to do? (Choose all that apply.)
A. Add the help desk user to Power Users group.
B. Assign the help desk user with “Log on as a batch job” user right.
C. Add the help desk user to the Administrators group.
D. Add the help desk user to the Domain Users group.

2. You want to use Reliability Monitor to monitor the health of the system. However, no data is shown in Reliability Monitor. What should you do?
A. Wait for 12 hours after Windows is installed.
B. Wait for 18 hours after Windows is installed.
C. Wait for 24 hours after Windows is installed.
D. Wait for 36 hours after Windows is installed.

3. You have SNMP configured. You want to ensure that only trusted traps are collected. What should you do?
A. Under the Agent tab of SNMP Service properties, deselect Internet.
B. Under the Agent tab of SNMP Service properties, deselect Datalink and Subnetwork.
C. Under Security tab of SNMP Service properties, select Send Authentication Trap.
D. Under Security tab of SNMP Service properties, select Accept SNMP Packets from These Hosts.

4. You want to change the default Disk Defragmenter schedule. Where do you change it?
A. Event Viewer
B. Task Scheduler
C. Performance Monitor
D. Reliability Monitor

5. You are creating a task to run a program in Task Scheduler. After creating the task, you found out that the program doesn’t run when the task is started. What is your next course of action?
A. Select Run with Highest Privileges.
B. Select Run Whether User Is Logged On or Not.
C. Use another user or group to run the task.
D. Select Run Task as Soon as Possible after a Scheduled Start Is Missed.
6. What is the best way to share the same scheduled tasks?
A. Use the command line tool Schtasks.exe to export and import the tasks to other machines.
B. Use the Task Scheduler GUI to export and import the tasks to other machines.
C. Use Visual Studio to create a program to import the tasks.
D. Use Group Policy to push tasks to the users.

7. A user reports that her computer is always sluggish between 2:00 to 3:00 p.m. daily. What is the best way to troubleshoot the problem?
A. Create a data collector set, add all counters into it, and configure it to run from 2:00 to 3:00 p.m. daily.
B. Request a support personal to be on-site standby from 2:00 to 3:00 p.m.
C. Create an event-triggered task to collect data when warnings are logged.
D. Create a data collector set, add the memory counters into it, and set it to run from 2:00 to 3:00 p.m. daily.

8. A user reports that her computer is sluggish from time to time, inconsistently. What is the best way to troubleshoot the problem?
A. Create a data collector set, add only system performance counters into it, and set it to run 24/7.
B. Request a support personal to be on-site standby daily.
C. Create an event-triggered task to collect data when warnings are logged.
D. Create a data collector set, add the memory counters into it, and set it to run 24/7.

9. The company has a customized performance monitoring software using Windows Management Interface (WMI) to create and modify data collector sets. However, desktop users are unable to run the application when they log on as standard user. What do you do to enable them to use the performance monitoring software? (Choose all that apply.)
A. Add the desktop support technician user account to the Performance Log Users user group.
B. Add the desktop support technician user account to the Performance Monitor Users user group.
C. Open the Local Security Policy (secpol.msc) snap-in and add the desktop support technician user account under “Log on as a batch job.”
D. Open the Local Security Policy (secpol.msc) snap-in and add the desktop support technician user account under “Log on as a service.”

10. Your company hosts many applications for customers. However, customers are complaining that their hosted applications are running too slow. What is the first step to troubleshoot?
A. Run perfmon.msc and check Hard faults/min under Memory.
B. Run perfmon.msc and check Threads under CPU.
C. Run perfmon.msc and check I/O priority under CPU.
D. Run perfmon.msc and check Private (KB) under Memory.
11. Your company has a Windows Server 2008 file server. Clients are experiencing slower than usual connection speed when they access their files shares on the file server. What can you do to troubleshoot this issue?
A. Run Performance Monitor and enable the Packets Received Discarded counter under Network Interface.
B. Run Performance Monitor and enable the Segments Received/sec counter under TCPv4.
C. Run Performance Monitor and enable the Connections Passive counter under TCPv4.
D. Run Performance Monitor and enable the Output Queue Length counter under Network Interface.

12. After upgrading from Windows XP to Windows Vista, users are reporting that it’s taking longer than expected to open files and applications. You need to identify the cause of the issue by running Reliability Monitor. What can you do to troubleshoot this issue? (Choose all that apply.)
A. Ensure that Windows Vista was installed more than 24 hours ago.
B. Ensure that every publisher is recognized for establishing a baseline to display on the System Stability chart.
C. Disable Reliability Analysis Component (RAC) if it is running.
D. Ensure that Reliability Monitor has 28 days of data to display the availability index as a valid baseline for the measurement.
E. Ensure that only users with administrator rights can access the data that Reliability Monitor uses.

13. You want to enable remote monitoring of performance and availability of the branch offices’ servers running Windows Server 2008. What do you need to do? (Choose all that apply.)
A. Enable the Routing and Remote Access Services policy at the main office computer.
B. Enable the Remote Registry Services policy at the branch office computers.
C. Ensure that the main office computer has RACAgent enabled in Scheduled Task.
D. Acquire the Local Administrators group permission to view Reliability Monitor on branch office computers.
E. Ensure that the Diagnostics Service Host Service policy is enabled on branch office computers.

14. How do you create a performance logging file (.blg) in an SQL format?
A. Open the data collector set report in Reliability and Performance Monitor. Then highlight date and time of issue and select Save Data As with the option Save as Type set to SQL.
B. Open the data collector set report, point to Properties, and click the Source tab. Under Database radio box, select SQL Server and Log Set.
C. Run Relog perfmon.blg –f sql –b M/d/yyyy h:mm:ss[AM|PM].
D. Run Relog perfmon.blg –f sql –b M/d/yyyy h:mm:ss[AM|PM]> –q.
15. Your branch office is experiencing slow connection speed. All computers are configured as part of the same workgroup. You need to configure event forwarding to use the minimal bandwidth. What do you configure?
A. Use the Custom setting for event delivery optimization by typing wecutil ss SUBSCRIPTIONID /cm:custom /hi:100 at the command prompt.
B. Select the Normal setting for event delivery optimization on the subscription properties of the collecting computer.
C. Select the Minimize Latency setting for event delivery optimization on the subscription properties of the collecting computer.
D. Use the Minimize Bandwidth setting for event delivery optimization on the subscription properties of the collecting computer.

16. Your office has a slow connection speed to the remote office. The remote file server collects event forwarding logs from your office. The subscription log became corrupted and you re-create it. Users are now complaining that they are not able to access the remote file server. How do you restore the network connectivity? (Choose the best answer.)
A. Restart the Windows Remote Management (WinRM) and Windows Event Collector (Wecsvc) services.
B. On the subscription properties of the server, click Minimize Bandwidth.
C. On the subscription properties of the server, click Minimize Latency.
D. Restart the server.

17. You set up event forwarding on a source machine and a collecting machine. The collecting computer has a standard user set to run the subscription. The collecting computer displays the subscription status Trying. You need to ensure that the event forwarding works. What should you do?
A. Run the command wecutil.exe gr <subscriptionname>.
B. Ensure that the Windows Remote Management (WinRM) and Windows Event Collector (Wecsvc) services are running on the collecting computer.
C. Add Log On As A Batch Job user right to the standard user account from Account Policy to which the event logs are received.
D. Add Event Log Readers to the standard user account to which the event logs are sent.

18. Your company has multiple branch offices, and all computers are connected in the same domain in Active Directory. Event logs are sent from the branch offices to the main office. You want to prevent hackers from sniffing the logs. What should you do?
A. Configure the Kerberos encryption for the user account in the event that you send by using Active Directory.
B. Install a web server certificate and set up the Secure Sockets Layer (SSL) encryption.
C. Configure the Encrypted File System (EFS) encryption by selecting the Encrypt Contents to Secure Data option on the properties of the event log file.
D. Set up the Pretty Good Privacy (PGP) encryption through PGP NetShare.
19. You have a main office and a branch office. The computers are connected via a workgroup environment. You want to log all critical events from the branch office to a server at the main office. What should you do first?
A. Enable event forwarding by migrating to the domain environment.
B. Create a virtual private network (VPN) between the collecting computer at the main office and the server at the branch office.
C. Start the Windows Remote Management (WinRM) and Windows Event Collector (Wecsvc) services on the source and collecting computers.
D. Add the Event Log Readers group to the standard user account where the event logs are forwarded.

20. Your company has multiple branch offices. You monitor the main office server by using a system utility. The system utility uses an executable file to inject a DLL file into the explorer.exe process. You discover that the system utility terminates explorer.exe when you use the Run command to run explorer.exe. You need to stop the system utility without logging off users. What should you do?
A. End the looping task by using the Schtasks command.
B. Delete the executable file by using the Tasklist command.
C. Delete the looping task by using the Schtasks command.
D. Log off the user account by using the Shutdown command.
Answers to Review Questions

1. B, C. You will need to assign the “Log on as a batch job” user right or add the help desk user to the Administrators group in order for a user to collect logs from data collector sets.

2. C. Windows will only generate system availability indexes 24 hours after it is installed.

3. D. You can configure which SNMP packets to collect by using the option Accept SNMP Packets from These Hosts.

4. B. Task Scheduler is now used to run Microsoft Windows services and schedules. Configuration can be modified by using Task Scheduler.

5. A. If the program that is set to run needs elevated privileges, it will not run without the Run with Highest Privileges option.

6. B. The best way is to export and reimport using the GUI. The Schtasks.exe command-line tool doesn’t support export/import of tasks, and there’s no way to push tasks through Group Policy.

7. A. Using a data collector set to collect data and statistics about the computer is the best way to gather information for troubleshooting. Collecting just memory data is not enough to troubleshoot.

8. A. Using a data collector set to collect data and statistics about the computer is the best way to gather information for troubleshooting.

9. A, C. The standard user will need to be added to Performance Log Users to create and modify collector sets through the use of WMI. And the user will need to have the permission “Log on as a batch job” to have the proper rights to work on the custom application.

10. A. A high number of hard faults may explain the slow response time of an application if it must continually read data back from the disk rather than from physical memory.

11. D. Output Queue Length is the length of the output packet queue (in packets). If this is longer than two, there are delays, and the bottleneck should be found and eliminated, if possible.

12. A, D, E. To use the System Availability Chart, Windows installation must run 24 hours before data is collected. Stability Index will show dotted lines on the graph before 28 days to show that a valid baseline has not been established.

13. B, C. The RACAgent task needs to be running. Since Reliability Monitor data files are stored in the Registry, remote Registry access is needed.

14. C. You use the relog command to re-create the performance logging file in an SQL format.

15. B. Only the Normal setting works in a workgroup environment.
61705c11.indd 514
6/27/08 12:05:35 PM
16. B. The Minimize Bandwidth setting uses the push delivery mode, sets a batch time-out of 6 hours, and uses an interval of 6 hours.
17. A. The wecutil command-line tool provides the status of the subscription. Wecutil.exe gr <subscriptionname> provides the user with the subscription information. This will help you understand why the subscription status appears as Trying.
18. B. To set up encryption with event forwarding, the only available option is to use SSL, which requires installing the certificate on both computers before SSL can start working.
19. C. You need to start the WinRM and Wecsvc services because neither runs by default.
20. A. By stopping the task that runs the looping executable, you will stop the loop.
Appendix A
About the Companion CD
In this appendix:
- What you'll find on the CD
- System requirements
- Using the CD
- Troubleshooting
What You'll Find on the CD
The following sections are arranged by category and provide a summary of the software and other goodies you'll find on the CD. If you need help with installing the items provided on the CD, refer to the installation instructions in the section "Using the CD" later in this appendix.
Some programs on the CD might fall into one of these categories:
Shareware programs are fully functional, free, trial versions of copyrighted programs. If you like particular programs, register with their authors for a nominal fee and receive licenses, enhanced versions, and technical support.
Freeware programs are free, copyrighted games, applications, and utilities. You can copy them to as many computers as you like, for free, but they offer no technical support.
GNU software is governed by its own license, which is included inside the folder of the GNU software. There are no restrictions on distribution of GNU software. See the GNU license at the root of the CD for more details.
Trial, demo, or evaluation versions of software are usually limited either by time or functionality (such as not letting you save a project after you create it).
Sybex Test Engine (for Windows)
The CD contains the Sybex Test Engine, which includes all of the assessment test and chapter review questions in electronic format as well as two bonus exams located only on the CD.
PDF of the Book (for Windows)
We have included an electronic version of the text in PDF format. You can view the electronic version of the book with Adobe Reader.
Adobe Reader (for Windows)
We've also included a copy of Adobe Reader so you can view PDF files of the book's content. For more information on Adobe Reader or to check for a newer version, visit Adobe's website at http://www.adobe.com/products/reader/.
Electronic Flashcards (for PC, Pocket PC, and Palm)
These handy electronic flashcards are just what their name implies. One side contains a question or fill-in-the-blank item, and the other side shows the answer.
System Requirements
Make sure your computer meets the minimum system requirements shown in the following list. If your computer doesn't match up to most of these requirements, you may have problems using the software and files on the companion CD. For the latest and greatest information, please refer to the ReadMe file located at the root of the CD-ROM.
- A PC running Microsoft Windows 98, Windows 2000, Windows NT4 (with SP4 or later), Windows Me, Windows XP, or Windows Vista
- An Internet connection
- A CD-ROM drive
Using the CD
To install the items from the CD to your hard drive, follow these steps.
1. Insert the CD into your computer's CD-ROM drive. The license agreement appears.
Windows users: The interface won't launch if you have autorun disabled. In that case, click Start > Run (for Windows Vista, Start > All Programs > Accessories > Run). In the dialog box that appears, type D:\Start.exe. (Replace D with the proper letter if your CD drive uses a different letter. If you don't know the letter, see how your CD drive is listed under My Computer.) Click OK.
2. Read through the license agreement, and then click the Accept button if you want to use the CD. The CD interface appears. The interface allows you to access the content with just one or two clicks.
Troubleshooting
Wiley has attempted to provide programs that work on most computers with the minimum system requirements. Alas, your computer may differ, and some programs may not work properly for some reason. The two likeliest problems are that you don't have enough memory (RAM) for the programs you want to use and you have other programs running that are affecting installation or running of a program. If you get an error message such as "Not enough memory" or "Setup cannot continue," try one or more of the following suggestions and then try using the software again:
Turn off any antivirus software running on your computer. Installation programs sometimes mimic virus activity and may make your computer incorrectly believe that it's being infected by a virus.
Close all running programs. The more programs you have running, the less memory is available to other programs. Installation programs typically update files and programs, so if you keep other programs running, installation may not work properly.
Have your local computer store add more RAM to your computer. This is, admittedly, a drastic and somewhat expensive step. However, adding more memory can really help the speed of your computer and allow more programs to run at the same time.
Customer Care
If you have trouble with the book's companion CD-ROM, please call the Wiley Product Technical Support phone number at (800) 762-2974. Outside the United States, call +1 (317) 572-3994. You can also contact Wiley Product Technical Support at http://sybex.custhelp.com. John Wiley & Sons will provide technical support only for installation and other general quality control items. For technical support on the applications themselves, consult the program's vendor or author. To place additional orders or to request information about other Wiley products, please call (877) 762-2974.
Glossary
A
Active Directory Federation Services (AD FS): A Windows Server 2008 role that provides Web SSO technologies to authenticate a user to multiple web applications over the life of a single online session.
Active Directory Rights Management Service (AD RMS): A Windows Server 2008 role that provides the ability to protect and control use of digital content.
Administrative Delegation: Functionality provided by IIS 7.0 that allows administrators to manage a web server or website remotely.
Advanced Fast Start: A Windows Server 2008 Media Services feature that reduces the delay between when a media stream is accessed and when the media can be displayed in the viewer.
AppCmd.exe: A command-line utility that is used to manage Internet Information Services (IIS) 7.0.
ASP.NET: Microsoft's server-based framework for running .NET code on web servers.
B
Basic Disk: A simple partitioning type used to create partitions, extended partitions, and logical drives.
Best Practices Analyzer tool: A utility designed to discover and recommend changes to a SharePoint server.
D
Digital Rights Management (DRM): A system that can provide copyright protection of data that is distributed.
discovery domain: Provides a way to separate and group nodes in an iSNS database into more easily managed groups; similar to how zoning works with Fibre Channel.
Display Data Prioritization: A Terminal Services feature that improves network utilization by prioritizing keyboard, display, and mouse data over other traffic.
dynamic disk: An advanced partitioning type used to create simple volumes, spanned volumes, striped volumes, mirrored volumes, and RAID-5 volumes. Dynamic disks allow for advanced features.
E
encryption: A way of encoding information so that it cannot be read if it is intercepted by an untrusted party.
extranet: A network that is accessible to computers outside of the company.
F
failover: The process of moving active clustered resources from one cluster node to another cluster node.
failover cluster: A cluster type that provides redundancy for applications and services.
fax routing: A method used to determine who should be the recipient of an incoming fax.
feature delegation: Functionality provided by IIS 7.0 that allows specific options to be controlled by other administrators or by down-level configuration settings.
Fibre Channel: A standard for sending SCSI commands at multi-gigabit speeds over either twisted-pair or fiber-optic cable.
G
GUID Partition Table (GPT): A method of creating a disk partition. A GPT disk can support volumes up to 18 exabytes and 128 partitions. As a result, GPT is recommended for disks larger than 2TB or disks used on Itanium-based computers.
H
host bus adapter (HBA): A network adapter that contains an iSCSI hardware initiator.
host headers: A method for publishing multiple websites on a single IP address using the URL passed from the browser.
Hyper-V integration components: Software installed on a guest machine that optimizes the operating system functions to work with Hyper-V.
hypervisor: A virtualization interface that allows multiple operating systems to run on a single physical machine. In Windows Server 2008, the hypervisor is one of the main components of Hyper-V.
I
Internet SCSI (iSCSI): A protocol that allows an initiator to send SCSI (Small Computer System Interface) commands to storage devices over TCP/IP. This is used in storage area networks (SANs) as an alternative to Fibre Channel.
Internet Storage Name Server (iSNS): A protocol used for automated discovery, management, and configuration of both iSCSI and Fibre Channel devices. This service allows devices to register themselves on the server.
iSCSI initiator: An iSCSI client that sends and receives the iSCSI commands over the network. An initiator can be either software based (using installed software on a computer) or hardware based and installed in dedicated hardware similar to a network adapter.
iSCSI Qualified Name (iqn): A method of identifying targets and initiators on an iSCSI SAN, similar to a fully qualified domain name.
iSCSI target: A storage resource located on the iSCSI SAN.
L
load balance: Any method for evenly distributing processing or service requests across devices in a network.
logical unit number (LUN): An address that is assigned to a storage unit that is presented to a host.
M
Master Boot Record (MBR): A method of creating a disk partition. An MBR disk has a partition table that indicates where the partitions are located on the disk drive. This partition style supports only volumes up to two terabytes and either four primary partitions or three primary partitions and one extended partition, which can be divided into an unlimited number of logical drives.
mean time between failures (MTBF): A calculation of the average time a component or system runs before it fails.
mirrored volume: A fault-tolerant storage unit that duplicates data onto two physical disks.
modules: Discrete components that provide specific functionality in Internet Information Services (IIS) 7.0.
mount point: A directory that allows a volume to be configured for access from within a directory on another existing disk.
multicast: A method of delivering content in which a single data stream is transmitted from a media server to multiple clients.
Multipath I/O (MPIO): A method for using multiple physical paths to storage, such as in a storage area network (SAN), providing fault tolerance and increased performance.
N
Network Attached Storage (NAS): A type of storage that uses network file sharing protocols like Common Internet File System (CIFS) or Network File System (NFS) to provide access to storage.
Network Load Balancing (NLB): A shared-nothing cluster type that provides redundancy and scalability for network-based services.
node: A server that participates in a cluster and can host clustered resources.
P
port rule: In a network load-balanced cluster, a port rule defines how traffic on specific TCP or UDP ports will be handled.
Q
quota template: A predefined set of quotas to apply to a Windows SharePoint Services website.
R
RAID-5 volume: A fault-tolerant storage unit that stripes data and parity for the data across three or more disks.
recovery point objective (RPO): A disaster recovery term that defines the amount of data that can be lost when a disaster occurs.
recovery time objective (RTO): A disaster recovery term that defines the amount of time before a recovery must be complete.
relay: Sending email to a server so that it will forward it to another server for delivery.
Remote Desktop Connection (RDC): Client software used to connect to a Terminal Services computer.
Remote Desktop Protocol (RDP): The TCP/IP protocol used to provide Terminal Services.
resource: A building block of a clustered application.
S
Service Level Agreement (SLA): An agreement with a provider, whether it be an internal department or an external service provider, that defines services and availability levels of a defined set of services.
Simple Mail Transfer Protocol (SMTP): A TCP/IP-based protocol for sending (or relaying) email to a server.
simple volume: A storage unit that uses space from a single disk, either in contiguous or noncontiguous space.
smart host: A server that is configured on an SMTP virtual server to accept all email.
spanned volume: A storage unit that is created from multiple disks (up to a maximum of 32 disks).
Storage Explorer: A management utility used by administrators to view and manage Fibre Channel and iSCSI fabrics available in the environment. The Storage Explorer interface provides a tree-structured view of the components by using APIs to collect data about the storage devices.
Storage Manager for SANs (SMfS): A utility that is used to create and manage logical unit numbers (LUNs) on both Fibre Channel and iSCSI storage arrays that support Virtual Disk Service (VDS).
streaming media: Digital media that can be accessed while continuously being delivered across a network.
striped volume: A storage unit that is created from two or more disks. Data is allocated alternately and evenly across each of the volumes.
T
Terminal Services: A component of Windows Server that allows users to access applications and data remotely.
Terminal Services client access licenses (TS CALs): Licenses that are required for each device or user to connect to a terminal server.
TS Easy Print: A Terminal Server feature that allows proxying of print jobs from the terminal server to local client drivers, removing the need to install drivers on the terminal server.
TS Gateway: A Windows Server 2008 role service that encapsulates Remote Desktop Protocol (RDP) traffic over HTTPS.
TS license server: A Windows Server 2008 role service that manages the Terminal Services client access licenses.
TS RemoteApp: A mode of Terminal Services in Windows Server 2008 where a session can connect to a specific application, making the remote applications appear to run locally to the client.
TS Session Broker: A Windows Server 2008 role service that supports session load balancing between terminal servers and reconnection to an existing session.
TS Web Access: A role service for Terminal Services that makes TS RemoteApp programs and remote desktop connections available from a Web browser.
U
unicast: A method of delivering content across a network that is used by media servers for providing content to connected clients. Each client receives a discrete stream, and no other client has access to that stream.
Uniform Resource Locator (URL): A standard way to identify a resource on the Internet.
V
Virtual Disk Service (VDS): A set of application programming interfaces (APIs) created by Microsoft to simplify management and configuration of storage devices.
virtualization: A method for abstracting physical resources from the way they interact with other resources. Virtualization also allows a single physical resource to function as multiple resources; for example, a single physical processor can be shared among a number of virtualized computers.
VMBus: The virtual machine bus used to handle high-speed requests from hypervisor-aware guest operating systems to the physical device in the parent partition.
volume set: A collection of drives that can be combined to form a single volume.
W
web application: A software application, executed by a web server, that responds to dynamic web page requests over HTTP.
web parts: Modules that can be added to a Windows SharePoint Services website to increase functionality.
Web Single Sign On (Web SSO): A system that consists of an agent installed on web servers and an authentication directory, so that users are not required to log in with multiple sets of credentials.
World Wide Name (WWN): A method of identifying components on a Fibre Channel SAN, similar to how a MAC address works on an Ethernet network.
Index
Note to the Reader: Page numbers in bold indicate the principal discussion of a topic or the definition of a term. Page numbers in italic indicate illustrations.
A access control applications, 209–210 SMTP server access settings, 169–171 WSS end users, 292–294 access logs, 193–195 formats, 195 overview of, 193–194 per-site and per-server, 194 rollover criteria, 194 ACLs (Access control Lists) creating, 248–249 enabling ACL authorization, 247 activation. See WPA (Windows Product Activation) Active Directory Certificate Services (AD CS), 202 Active Directory Federation Services (ADFS) configuring Web SSO, 300–304 Web SSO, 296 Active Directory Rights Management Service. See AD RMS (Active Directory Rights Management Service) AD (Active Directory), WDS server as member of AD domain, 366 AD Client Certificate Authentication client certificate mapping, 211 types of website authentication, 207 AD CS (Active Directory Certificate Services), 202 AD RMS (Active Directory Rights Management Service) business rules, 252–253 license required by, 253
overview of, 251–252 policy templates, 256–259 user exclusions, 253–254 Add Counters dialog box, 497 Add Features Wizard, 17–18 Add Node Wizard, 423 Add Roles Wizard, 319 ADFS (Active Directory Federation Services) configuring Web SSO, 300–304 Web SSO, 296 Admin logs, 469 admin switch, mstsc.exe, 123–124 Administrative Events custom view, 472–473 administrative notices, WSS e-mail settings, 273 administrators event logs and, 472 WDS and, 366 advanced delivery options, SMTP messages, 174–175 advanced streaming options, streaming media, 240 agent properties, SNMP, 501–502 alerts, WSS outgoing e-mail settings, 273 alternate access mapping, WSS, 287–289 American National Standards Institute (ANSI), 195 Analytics logs, 469 Anonymous authentication creating Anonymous account, 245–246 types of website authentication, 207 ANSI (American National Standards Institute), 195 antivirus settings, WSS, 281–282
AppCmd.exe configuring IIS settings, 186 listing and restoring backups, 196–197 listing configured websites, 186–187 objects available for administration by, 187–188 application and services logs, Event Viewer, 469 application logs, 469 application pools, 161–163 application settings, failover clustering, 426–428 application virtualization, 315 applicationHost.config, 160 applications access control, 209–210 DRM exclusions, 255–256 monitoring failures, 465–466 architecture, Hyper-V, 316–317 archiving, fax services and, 230 ASP trace content options, 190 trace provider options, 192 ASP.NET configuration settings, 149 trace content options, 190 trace provider options, 192 WSS supported authentication, 296 ASP.NET Impersonation, 208 authentication media services, 245–246 non-windows, 165 SMTP, 169–170, 174 Terminal Services, 54–55, 129–130 Web SSO (Web Single Sign On), 301–304 website, 207–209 authentication, WSS Digest authentication, 297–300 overview of, 295–296 supported methods, 296
authorization application access and, 209–210 FTP, 165–166 media services, 246–249 TS CAPs (Terminal Services Connection Authorization Policies), 77–80 TS RAPs (Terminal Services Resource Authorization Policies), 80–82 automatic reconnection, Terminal Services, 125 availability, 463–464. See also high availability
B backups, 195–197 history settings, 195–196 listing and restoring with AppCmd.exe, 196–197 manual, 196 overview of, 195 virtual machine snapshots. See snapshots, of virtual machines bandwidth Display Data Prioritization and, 46–47 website settings, 158 Basic authentication SMTP, 174 types of website authentication, 208 basic disks actions performed on, 5 converting to dynamic, 6–8 Basic Input/Output System (BIOS), 342 Best Practices Analyzer tool, 282 BIOS (Basic Input/Output System), 342 block-level access, iSCSI, 19 Boot image, WDS image types, 366 broadcast publishing creating Broadcast Publishing Point, 235–237 for streaming media, 233–234 business rules, DRM, 252–253
C caching, fast, 240–241 CAs (Certificate Authorities) obtaining/installing certificates for TS Gateways, 74–75 SSL and, 201–202 CEIP (Customer Experience Improvement Program), 278 Central Administration site, WSS configuring diagnostic logging, 280–281 configuring incoming e-mail settings, 272–273 configuring outgoing e-mail settings, 275–276 configuring WSS, 269–270 workflow options, 277 Certificate Authorities (CAs) obtaining/installing certificates for TS Gateways, 74–75 SSL and, 201–202 certificates, SSL client certificate mapping, 211 exporting/importing, 206–207 requesting/renewing, 202–205 CHAP (Challenge Handshake Authentication Protocol), 19 ClearType, 46 client access licenses. See TS CALs (client access licenses) clients configuring client for TS Gateway, 82–83 enabling font smoothing on, 45–46 mapping client certificates, 211 media services connection settings, 244–245 WDS client components, 365 Client-Server Runtime Subsystem (csrss.exe), 124 cloning hard disks, 332–334
clustering failover. See failover clustering NLB. See NLB (Network Load Balancing) pros/cons, 411 types of, 410 clusters, failover clustered application settings, 426–428 creating, 421–423 print services, 424–426 quorums, 414–416 roles, 424 validating configuration, 416–417 working with cluster nodes, 423–424 clusters, NLB creating, 89–90, 435–437 managing, 438–439 modifying properties, 437–438 color depth, Terminal Services settings, 127 COM ports, virtual machine configuration, 343 comma-delimited files (CSV), 120 communication services digital rights. See DRM (Digital Rights Management) exam essentials, 260 fax services. See fax services media servers. See media services overview of, 219–220 Q&As, 261–265 summary, 260 computer accounts connection authorization, 78–79 resource authorization, 81 condition options, trace logs, 191 configuration backup settings, 195–197 Configuration Wizard, 306–311 connections authorization policies, 77–80 timeout settings for websites, 158 console switch, mstsc.exe, 124
content adding to WSS sites, 295 publishing options for streaming media, 232–235 trace logs, 190 copyrights, 250 counters, Performance Monitor adding, 495–497 recommended system counter thresholds, 498 CPUs Hyper-V hardware requirements, 319 Performance Monitor counters for, 498 resource allocation for Terminal Services, 138 SMP (Symmetric Multiprocessors), 315 virtual machine configuration, 342 Create Capture Image Wizard, 377 Create Task dialog, 480–481 credentials, WDS, 366 csrss.exe (Client-Server Runtime Subsystem), 124 CSV (comma-delimited files), 120 Customer Experience Improvement Program (CEIP), 278
D data collection, Reliability Monitor, 462 Data Collector Sets. See DCS (Data Collector Sets) data management settings, DCS (Data Collector Sets), 454–456 Data Manager, Windows Reliability and Performance Monitor, 451, 454–456 DCS (Data Collector Sets) creating automatically, 447–449 creating from a template, 449 creating manually, 450–451 data management, 454–456 log management, 453
“Log On as a Batch Job” user right, 446–447 overview of, 446 start condition, 451–452 stop condition, 453 DDNS (dynamic DNS), 386 Debug logs, 469 delegation of administration, 197–201 Feature delegation, 199–201 overview of, 197–198 remote administration permissions, 198–199 delivery options, SMTP messages, 172–173 dependency viewer, 429 overview of, 428 running, 429 deploying images, WDS, 365–367 deploying Server Core, 380–381 deploying servers. See WDS (Windows Deployment Services) deploying TS RemoteApps, 67 Deployment Server, WDS, 369 Deployment Services. See WDS (Windows Deployment Services) Desktop Composition making available on Vista client, 50–51 overview of, 50 Desktop Experience Desktop Composition, 50–51 overview of, 48–49 Themes, 49–50 desktop virtualization, 315 device redirection, 51–53 overview of, 51 Plug and Play and, 51–53 POS (Point of Service) and, 53 DHCP (Dynamic Host Configuration Protocol), 366, 372 diagnostic logging, WSS, 278–281 dialing rules, fax services, 225–226
differencing virtual hard disks creating, 331–332 description and use of, 330 Digest authentication configuring, 297–300 overview of, 297 types of website authentication, 208 digital certificates. See also certificates, SSL mapping certificate to TS Gateway server, 75–76 obtaining/installing certificate for TS Gateway, 74–75 Digital Rights Management. See DRM (Digital Rights Management) digital signatures, 134–135 Directory Management Service, WSS e-mail, 271 disaster recovery (DR), 408 disconnect options, Terminal Service, 127 Discovery Domains, 25–26 discovery scopes, TS Licensing servers, 101–102 disk drives converting basic disks to dynamic, 6–8 initializing, 3 Performance Monitor counters, 498 virtual hard disks. See virtual hard disks virtual machine configuration, 342 Disk Management converting basic disks to dynamic, 6–8 creating mount points, 16 creating volume sets, 9–11 initializing disks and, 3 disk storage. See storage management DiskPart utility, 29 DiskRAID, 29 Display Data Prioritization, 46–47 displays, resolution options, 43–44 DNS (Domain Name System) KMS hosts and, 386–392 reverse lookup, 175
TS Session Broker Load Balancing and, 88–89 WDS reliance on, 366 domain controllers, deploying with IFM, 394 Domain Name System. See DNS (Domain Name System) Domain scope, TS Licensing discovery, 101–102 domains configuring for routing SMTP mail, 177 FTP server and domain restrictions, 166–167 DR (disaster recovery), 408 drive letters assigning, 10 mount points for overcoming limitations of, 15 Drive Specific Module (DSM) installing third-party DSM software, 18–19 load balancing and, 17 DRM (Digital Rights Management), 249–259 application exclusions, 255–256 business rules, 252–253 controversy regarding, 250 document protection, 252 encryption, 251 licensed-based delivery, 253 overview of, 249–251 policy templates, 256–259 user exclusions, 253–254 DSM (Drive Specific Module) installing third-party DSM software, 18–19 load balancing and, 17 DVD drives, virtual machine configuration, 342 dynamic disks actions performed on, 6 converting basic disks to, 6–8
dynamic DNS (DDNS), 386 Dynamic Host Configuration Protocol (DHCP), 366, 372 Dynamic Least Queue, 17 dynamically expanding hard disks, 329
E Easy Print, Terminal Services, 53 e-mail, SMTP. See SMTP (Simple Mail Transfer Protocol) e-mail, WSS benefits of, 274 incoming, 270–273 outgoing, 273–275 outgoing e-mail settings for specific web application, 275–276 encryption DRM (Digital Rights Management), 251 TLS (Transport Layer Security), 169–170 end user access, WSS, 292–294 Equal_Per_Session, CPU allocation, 138 Equal_Per_User, CPU allocation, 138 error reporting, WSS diagnostic logging, 278 event logs configuring computers to forward and collect events, 470–472 custom views, 474–475 filters, 473–474 monitoring servers with Event Viewer, 467–468 TS Gateway for specifying, 135–137 wevtutil.exe for managing, 469–470 WSS diagnostic logging, 278–279 event throttling, WSS diagnostic logging settings, 278 Event to Trap Translator, SNMP, 507
Event Viewer application and services logs, 469 custom views for reading events, 472–475 log subcategories, 470 monitoring servers, 467–468 Task Scheduler integrated with, 488–489 Windows logs, 469 exclusion policies application exclusions, 255–256 user exclusions, 253–254 explorer.exe (Windows shell), 124 external virtual network, 326 extranet users, FTP server configured for, 165–166
F failback, 17 failover clustering, 411–433 cluster quorums, 414–416 cluster roles, services, and applications, 424 clustered application settings, 426–428 clustering print services, 424–426 creating clusters, 421–423 dependency viewer and, 429 installing Failover Cluster feature, 417 overview of, 411–412 requirements for, 413–414 resource properties, 430–432 Validate a Configuration Wizard, 417–421 validating cluster configuration, 416–417 working with cluster nodes, 423–424 failovers, 17 Fast Cache, 240–241 Fast Reconnect, 243 Fast Recovery, 243 Fast Start, 241–242
fast streaming, 240 fault tolerance, NLB and, 433 Fax Service Manager, 221 fax services, 220–229 dialing rules, 225–226 installing Windows Fax and Scan role, 221–222 overview of, 220–221 properties, 223–225 receive configuration, 222–223 routing options, 227–230 FEC (forward error correction), 243–244 Fibre Channel storage devices, 27 Storage Explorer and, 32 File services, clustering and, 411 File Transfer Protocol. See FTP (File Transfer Protocol) filters event log, 473–474 NLB (Network Load Balancing), 437–438 fixed size virtual hard disks creating and migrating physical disk to it, 332–334 description and use of, 329 Folder view, Performance Monitor, 456, 458 font smoothing, 45–46 Forest scope, TS Licensing discovery, 101–102 Forms authentication ASP.NET, 296 types of website authentication, 208 forward error correction (FEC), 243–244 forwarded event logs, 469 FQDNs (Fully Qualified Domain Names), 175 FTP (File Transfer Protocol), 164–167 configuration settings, 149 extranet users, 165–166 IPv4 and domain restrictions, 166–167
overview of, 164–165 permissions, 165 FTPS (Secure FTP), 165 Fully Qualified Domain Names (FQDNs), 175
G global deployment settings, TS RemoteApp digital signatures, 134–135 overview of, 130 RDC (Remote Desktop Connection), 133–134 Terminal server settings, 130–132 TS Gateway, 132–133 GPOs (Group Policy Objects). See Group Policy GPT (GUID Partition Table), 3 graphs, Performance Monitor, 499 Group Policy configuring server discovery mode, 117 configuring TS licensing mode, 116 Terminal Services settings, 125–130 Group Policy Objects (GPOs). See Group Policy groups connection authorization policies, 78–79 FTP authorization rules, 165–166 GUID Partition Table (GPT), 3
H

hard disks
  Performance Monitor counters, 498
  virtual. See virtual hard disks
  virtual machine configuration, 342
hardware
  adding devices to virtual machines, 342
  monitoring failures, 466
hardware architecture, Hyper-V, 316
hardware requirements
  failover clustering, 413
  Hyper-V, 318–319
  NLB (Network Load Balancing) and, 434
HBA (host bus adapter)
  Fibre Channel, 27
  iSCSI and, 19–20
high availability, 407–446
  achieving, 409–411
  components of, 408–409
  exam essentials, 440
  with failover clustering. See failover clustering
  with Network Load Balancing. See NLB (Network Load Balancing)
  overview of, 407–408
  performance and reliability and, 444
  Q&As, 441–446
  Quick Migration and, 354
  summary, 439
home directory, Terminal Services, 127
hop count, advanced delivery options, 174
host bus adapter (HBA)
  Fibre Channel, 27
  iSCSI and, 19–20
host headers, website, 154–155
HTTP (Hypertext Transfer Protocol), 152
HTTP Redirection module, 156–158
HTTPS (Secure HTTP), 152, 154
Hyper-V
  adding physical (pass-through) disk to virtual machine, 335–336
  applying snapshots, 354
  architecture, 316–317
  changing configuration of existing virtual machine, 342–345
  configuring, 325–326
  creating differencing virtual hard disks, 331–332
  creating fixed size hard disk and migrating physical disk to it, 332–334
  creating snapshots, 351–354
  creating virtual machines, 338–342
  deleting virtual machines, 343
  exam essentials, 355–356
  exporting/importing virtual machines, 347–350
  hardware requirements, 318–319
  Hyper-V Manager, 324–325
  installing Integration Components, 345–347
  installing on Server Core, 322–323
  installing on Windows Server 2008, 320–322
  integration with Server Manager, 323
  key features, 315–316
  managing virtual hard disks, 336–337
  managing virtual networks, 326–328
  OSs supported, 316
  overview of, 314
  Q&As, 357–362
  Quick Migration, 354–355
  software requirements, 319
  summary, 355
  types of virtual hard disks, 329–330
  Virtual Machine Connection, 343–345
  virtual machines and, 337
  virtualization defined, 314–315
Hyper-V Manager
  configuring Hyper-V, 325–326
  creating snapshots, 351–354
  creating virtual machines, 338–342
  installing Integration Components, 346–347
  managing virtual hard disks, 336–337
  overview of, 324–325
  Revert option, 353
  Virtual Machine Connection, 344
hypervisor layer, Hyper-V architecture, 317
I

IDE controllers, virtual machine configuration, 342
IFM (Install from Media), 394–396
  creating, 395–396
  overview of, 394
IGMP (Internet Group Management Protocol), 435
IIS (Internet Information Services). See also Web services infrastructure
  AppCmd.exe for configuring, 186
  configuration settings, 149
  configuring WSS e-mail, 270
  FTP server features, 165–166
  installing, 150–152
  integration with .NET Framework, 148
  Shared Configuration, 164
  SMTP servers and, 167
  web applications, 148–149
IIS Management Service, 197–198
IIS modules, installing, 156–158
images, WDS. See system images, WDS
incoming e-mail settings, WSS, 270–273
incoming fax, routing, 227–228
inheritance, delegation of administration and, 200
in-place upgrade, WSS 2.0 to 3.0, 285
Install from Media. See IFM (Install from Media)
Install image, WDS, 366
Integrated Windows Authentication, 169, 174
Integration Components
  Hyper-V, 345–347
  virtual machine configuration, 343
intelligent streaming, 240
internal virtual network
  creating, 328
  overview of, 326
Internet Group Management Protocol (IGMP), 435
Internet Information Services. See IIS (Internet Information Services)
Internet Information Services (IIS) Manager
  application pool configuration, 161–163
  certificate request by, 202–205
  creating website using host headers, 155
  creating websites, 153–154
  .NET trust level configuration, 160
Internet Small Computer System Interface. See iSCSI (Internet Small Computer System Interface)
Internet Storage Naming Service. See iSNS (Internet Storage Naming Service)
IP address redirection, 129
IP addresses, allowing/denying, 247–248
IP Security (IPSec), 19
IPSec (IP Security), 19
IPv4, FTP server and, 166–167
IPv6, NLB support for, 433
iSCSI (Internet Small Computer System Interface)
  configuring storage connections, 20–23
  initiating sessions, 19–20
  Storage Explorer and, 32
iSCSI Initiator, 20–23
iscsicli command, 23
iSNS (Internet Storage Naming Service), 23–27
  installing, 24–27
  overview of, 23
K

keep-alive connection interval, Terminal Services, 125
Key Management Services. See KMS (Key Management Services)
keyboard, Hyper-V settings, 326
KMS (Key Management Services)
  configuring, 385–386
  creating KMS SRV record, 392–393
  DNS permissions, 387–389
  installing KMS host, 384–385
  prerequisites for, 382–383
  product activation and, 382
  publishing in multiple domains, 389–392
L

LCD monitors, font smoothing and, 45–46
LDAP (Lightweight Directory Access Protocol), 175–177
license-based delivery, DRM, 253
licensing, Terminal Services. See TS Licensing
Licensing Diagnosis tool, Terminal Services, 121–123
licensing mode, Terminal Services, 114–116
Lightweight Directory Access Protocol (LDAP), 175–177
Linux servers
  Hyper-V Integration Component and, 346
  Hyper-V support for, 316
load balancing. See also NLB (Network Load Balancing); TS Session Broker
  configuring DNS for TS Session Load Balancing, 88–89
  Group Policy settings for Terminal Services, 129
  policies, 17
Local Security Authority Subsystem (lsass.exe), 124
Local Session Manager (lsm.exe), 124
“Log On as a Batch Job” user right, 446–447
logical unit numbers (LUN)
  Fibre Channel, 27
  SMfS for managing, 29
Logon User Interface Host (logonui.exe), 125
logs
  access logs, 193–195
  diagnostic logging in WSS, 278–281
  managing DCS logs, 453–456
  Performance Monitor, 456–459
  reviewing log files during WSS upgrade, 284
  trace logs. See trace logs
  TS Gateway for specifying event logs, 135–137
lsass.exe (Local Security Authority Subsystem), 124
lsm.exe (Local Session Manager), 124
LUN (logical unit numbers)
  Fibre Channel, 27
  SMfS for managing, 29
M

MAC (media access control) addresses, 433, 435
management tools, WDS, 365
mandatory profiles, Terminal Service, 128
Master Boot Record (MBR), 3
MBR (Master Boot Record), 3
mean time between failure (MTBF), SLAs and, 409
mean time to recover (MTTR), SLAs and, 409
media access control (MAC) addresses, 433, 435
media services, 229–249
  advanced streaming options, 240
  authentication settings, 245–246
  authorization settings, 246–249
  client connection settings, 244–245
  content publishing options, 232–235
  creating broadcast publishing point, 235–237
  Fast Caching, 240–241
  Fast Recovery and Fast Reconnect, 243
  Fast Start, 241–242
  features, 230–231
  FEC (forward error correction), 243–244
  installation requirements, 232
  multicast streams, 237–239
  streaming options, 232
  Windows media services, 229–230
memory, virtual machine configuration, 342
memory counters, Performance Monitor, 498
message size, SMTP servers, 171–172
message transport agents (MTA), 168
Microsoft .NET Framework. See .NET Framework
migration
  content to WSS sites, 295
  Hyper-V Quick Migration feature, 316, 354–355
mirrored volumes
  creating RAID sets, 13–15
  overview of, 9
monitor spanning, RDC, 44
monitoring performance
  access logs, 193–195
  data collector sets. See DCS (Data Collector Sets)
  logging events. See event logs
  Q&As, 509–515
  scheduling tasks. See Task Scheduler
  SNMP (Simple Network Management Protocol). See SNMP (Simple Network Management Protocol)
  summary, 507–508
  trace logs, 188–193
  Windows Reliability and Performance Monitor. See Windows Reliability and Performance Monitor
mount points
  creating, 16
  overview of, 15
MP3s, file sharing controversy, 250
MPIO (Multipath I/O)
  installing, 17–18
  load balancing and, 17
MSI (Windows Installer files), 63–65
mstsc.exe, 123–124
MTA (message transport agents), 168
MTBF (mean time between failure), SLAs and, 409
MTTR (mean time to recover), SLAs and, 409
multicast addresses, WDS servers, 372
multicast streams
  configuring, 237–239
  overview of, 234–235
Multipath I/O (MPIO)
  installing, 17–18
  load balancing and, 17
N

NAS (Network Attached Storage), 28
.NET Device Redirection, 53
.NET Framework
  application pools and, 161
  components, 160
  configuration settings, 149
  IIS integration with, 148
  trust levels, 160–161
network adapters
  failover clustering and, 414
  virtual machine configuration, 342
Network Attached Storage (NAS), 28
network connections, for failover clusters, 413
Network Load Balancing. See NLB (Network Load Balancing)
Network Load Balancing Manager, 435
network settings, WDS servers, 372, 374
NLB (Network Load Balancing)
  creating clusters, 89–90, 435–437
  how it works, 433–434
  Hyper-V support for, 315
  installing, 89–90
  managing clusters, 438–439
  modifying cluster properties, 437–438
  overview of, 433
  requirements for, 434–435
  web farms and, 164
nlb.exe, 438–439
No Majority: Disk Only, cluster quorums, 414, 416
Node and Disk Majority, cluster quorums, 414–415
Node and File Share Majority, cluster quorums, 414, 416
Node Majority, cluster quorums, 414–415
Not Delegated permission, delegation of administration, 200
notifications, WSS outgoing e-mail settings, 273
ntdsutil utility, 394
NTFS filesystem, WDS and, 366
O

on-demand publishing, streaming media, 233–234
operating systems (OSs)
  font smoothing support, 45
  Hyper-V supported, 316
operational logs, 470
OSs (operating systems)
  font smoothing support, 45
  Hyper-V supported, 316
outbound connections, SMTP server, 174
outbound security, SMTP server, 173–174
outgoing e-mail settings, WSS, 273–275
P

pass-through (physical) virtual hard disks
  adding to virtual machine, 332–334
  description and use of, 330
pass-through hard disk. See physical (pass-through) virtual hard disks
Per Device CALs. See TS Per Device CALs (client access licenses)
Per User CALs. See TS Per User CALs (client access licenses)
Performance Monitor
  adding counters, 495–497
  creating a Data Collector Set, 447–449
  graph options, 499
  loading log data, 458–459
  logs, 456–458
  monitoring specific system activity, 495
  navigating log view, 459
  recommended system counter thresholds, 498
  viewing system availability, 463–464
Performance Monitor view, 456–457
performance optimization, Best Practices Analyzer tool, 282
permissions
  FTP server, 165
  remote administration, 198–199
physical (pass-through) virtual hard disks
  adding to virtual machine, 332–334
  description and use of, 330
PKI (Public Key Infrastructure), 201
Plug and Play devices, 51–53
Point of Service (POS), 53
policies
  load balancing, 17
  resource policies, 430–432
policy templates, DRM, 256–259
port rules, NLB, 434
ports
  HTTP (80), 152
  HTTPS (443), 152
  resource authorization policies, 82
POS (Point of Service), 53
presentation virtualization, 315
Print services
  clustering, 424–426
  clustering and, 411
  TS Easy Print, 53
private keys, SSL certificates, 201–202
private networks, failover clustering, 413
private virtual machine network, 327
processor counters, Performance Monitor, 498
processors. See CPUs
properties
  fax services, 223–225
  SMTP virtual server, 168–169
  WDS server, 372–374
Public Key Infrastructure (PKI), 201
public keys, SSL certificates, 201–202
public networks, failover clustering, 413
publishing points, streaming media
  enabling FEC on, 243
  types of, 233
PXE, WDS servers, 370–372
Q

Quick Migration, Hyper-V, 316, 354–355
quota templates, WSS, 290–291
R

RAC (Reliability Analysis Component), 462
RAID (Redundant Array of Independent Disks)
  comparing RAID levels, 12
  creating RAID sets, 13–15
  high availability and, 410
  types of, 11–12
RAID-0 (disk striping), 11
RAID-1 (disk mirroring), 12
RAID-5 (disk striping with parity), 12
RDC (Remote Desktop Connection)
  ClearType settings, 46
  client software, 42
  Desktop Composition, 50–51
  device redirection, 51–53
  Display Data Prioritization, 46–47
  display resolution options, 43–44
  font smoothing, 45–46
  improvements to desktop experience, 48–49
  monitor spanning, 44
  overview of, 43
  SSO (Single Sign-On), 54–55
  Themes, 49–50
  TS Easy Print, 53
RDC switch, mstsc.exe, 123
RDP (Remote Desktop Protocol)
  custom display resolutions, 44
  digital signatures, 134–135
  distributing RDP files, 67
  exporting TS RemoteApp program, 65
  global deployment settings, 133–134
  monitor spanning, 44
  packaging TS RemoteApp program, 63
  RDC (Remote Desktop Connection) and, 42–43
  RDP-TCP properties, 54
  TS Gateway encapsulating RDP traffic, 72
Read Only permissions, delegation of administration, 200
read-only domain controllers (RODCs), 394
Read/Write permissions, delegation of administration, 199–200
receive configuration, fax services, 222–223
recovery point objective (RPO), 408–409
recovery time objective (RTO), 408–409
redirection
  configuring, 156
  Terminal Services settings, 129
redirection, device. See device redirection
Redundant Array of Independent Disks. See RAID (Redundant Array of Independent Disks)
redundant systems, 410. See also high availability
relaying, SMTP messages, 171
release key, Hyper-V settings, 326
Reliability Analysis Component (RAC), 462
Reliability Monitor
  features, 462–463
  overview of, 461–462
  viewing system stability with, 463–464
remote administration
  creating/managing tasks, 485–487
  of licensing servers, 123–125
  permissions, 198–199
Remote Desktop Connection. See RDC (Remote Desktop Connection)
Remote Installation Services (RIS), 364
remote sessions, Terminal Services settings, 126
RemoteApp. See TS RemoteApps
Report view, Performance Monitor, 456
reports, Windows Reliability and Performance Monitor, 459
resolution options, displays, 43–44
resource allocation, Terminal Services. See WSRM (Windows System Resource Manager)
Resource Monitor
  monitoring general system activity, 491–494
  overview of, 490
resources
  authorization policies, 80–82
  failover clustering, 430–432
restores, 196–197. See also backups
restores, virtual machines. See snapshots, of virtual machines
reverse lookup, DNS, 175
Revert option, Hyper-V Manager, 353
RIS (Remote Installation Services), 364
RODCs (read-only domain controllers), 394
role server installation
  AD RMS (Active Directory Rights Management Service), 251–252
  Authentication, 208–209
  Hyper-V, 320–322
  IIS 7.0, 150–152
  IIS Management Service, 197–198
  Terminal Services, 56–60
  Tracing, 188
  TS Gateway, 72–74
  TS Licensing, 102–105
  TS Session Broker, 85–86
  TS Web Access, 67–71
  URL Authorization, 209
  Windows Deployment Services, 367–369
  Windows Fax and Scan, 221
round robin, 17
routing options, fax services, 227–230
  adding routing rules, 228–229
  archiving and, 230
  incoming faxes, 227–228
RPO (recovery point objective), 408–409
RTO (recovery time objective), 408–409
S

SANs (Storage Area Networks)
  managing, 28
  SMfS (Storage Manager for SANs), 29–32
scalability, NLB, 433
scanning, for viruses, 281–282
scheduling tasks. See Task Scheduler
Schtasks.exe
  creating task, 481
  managing tasks, 487–488
  managing tasks remotely, 487
scripting, Hyper-V, 316
SCSI controllers, virtual machine configuration, 342
Secure FTP (FTPS), 165
Secure Sockets Layer. See SSL (Secure Sockets Layer)
security
  logs, 469
  SMTP, 173–174
  SNMP, 504–505
  Task Scheduler improvements, 477
  Windows Media Server, 245
server components, WDS, 365
Server Core
  Hyper-V installation on, 322–323
  installing, 381
  overview of, 380
server deployment. See WDS (Windows Deployment Services)
server discovery mode, TS Licensing, 116–117
Server Manager
  Add Roles Wizard, 319
  allowing/denying IP addresses, 247–248
  configuring client connection settings, 244–245
  configuring fax device properties, 222–225
  configuring fax routing, 227–229
  configuring multicast streaming, 237–239
  configuring SNMP agents, 502
  configuring SNMP security, 504–505
  configuring SNMP traps, 503–504
  creating ACL list, 248–249
  creating Anonymous account, 245–246
  creating Broadcast Publishing Point, 235–237
  enabling ACL authorization, 247
  enabling Advanced Fast Start, 242
  enabling FEC, 243
  Hyper-V integration with, 323
  installing Failover Cluster feature, 417
  installing Hyper-V, 320–322
  installing IIS 7.0, 150–152
  installing IIS modules, 156–158
  installing SNMP Services, 500–501
  installing Windows Deployment Services, 367–369
  installing Windows Fax and Scan, 221–222
  installing WSRM, 138–139
  starting/stopping SNMP Service, 506
Server Performance Advisor (SPA), 451
server roles. See role server installation
server virtualization, 315
servers
  enabling SSL on Web servers, 205–206
  event logs for monitoring, 467–468
  remote administration, 123–125
servers, Terminal Services
  activating TS Licensing, 107–110
  adding to Session Directory Computer Local Group, 86–87
  adding to TS Broker Farm, 87–88
  discovery scopes for TS Licensing, 101–102
  global deployment settings, 130–133
  installing TS Licensing, 102–105
  mapping certificates to TS Gateway, 75–76
Service Control Manager (services.exe), 124
Service Level Agreements (SLAs), 408–409
Service Location (SRV) record, 392–393
Session Directory Computer Local Group, 86–87
Session Manager (smss.exe), 124
session time limits, Terminal Service, 128–129
setup logs, 469
Shared Configuration, IIS 7.0, 164
SharePoint Services. See WSS (Windows SharePoint Services)
Simple Mail Transfer Protocol. See SMTP (Simple Mail Transfer Protocol)
Simple Network Management Protocol. See SNMP (Simple Network Management Protocol)
simple volumes, 8
Single Sign-On (SSO). See also Web SSO (Web Single Sign On)
  configuring on client computers, 55
  for Terminal Services, 54–55
site content, WSS, 295
sites. See websites
SLAs (Service Level Agreements), 408–409
smart hosts, advanced delivery options, 175
SMfS (Storage Manager for SANs), 29–32
  installing, 30–31
  overview of, 29–30
  tasks performed with, 31–32
SMP (Symmetric Multiprocessors), 315
smss.exe (Session Manager), 124
SMTP (Simple Mail Transfer Protocol), 167–177
  access settings, 169–171
  advanced delivery options, 174–175
  configuring WSS e-mail and, 270
  delivery options, 172–173
  domain configuration, 177
  LDAP routing, 175–177
  message size and transfer limits, 171–172
  outbound connections, 174
  outbound security, 173–174
  overview of, 166–167
  virtual server general properties, 168–169
snapshots, of virtual machines
  applying, 354
  creating, 351–354
  exporting/importing virtual machines and, 349
  file location, 343
  overview of, 316
SNMP (Simple Network Management Protocol)
  configuring agent properties, 501–502
  configuring Event to Trap Translator, 507
  configuring security settings, 504–505
  configuring traps, 503–504
  installing SNMP Services, 500–501
  overview of, 500
  starting/stopping SNMP Service, 506
software install/uninstall, monitoring, 465
software requirements, Hyper-V, 319
SPA (Server Performance Advisor), 451
spanned volumes, 8
SQL Server, failover clustering, 411–412
SSL (Secure Sockets Layer)
  digital signatures and, 134–135
  enabling on websites, 205–206
  exporting/importing certificates, 206–207
  FTPS (Secure FTP) and, 165
  overview of, 201–202
  requesting/renewing certificates, 202–205
SSO (Single Sign-On)
  configuring on client computers, 55
  for Terminal Services, 54–55
Stability Index, Reliability Monitor, 462
start condition, DCS (Data Collector Sets), 451–452
startup/shutdown, virtual machine configuration, 343
state options, virtual machines, 341–342
stop condition, DCS (Data Collector Sets), 453
Storage Area Networks (SANs)
  managing, 28
  SMfS (Storage Manager for SANs), 29–32
Storage Explorer, 32–33
storage management
  basic disks, 5
  configuring iSCSI storage connections, 20–23
  converting basic disks to dynamic, 6–8
  creating RAID sets, 13–15
  creating volume sets, 9–11
  dynamic disks, 6
  exam essentials, 34
  failover clustering, 413
  Fibre Channel, 27
  initializing disk drives, 2–5
  initiating iSCSI sessions, 19–20
  iSNS (Internet Storage Naming Service), 23–27
  mount points and, 15–16
  MPIO (Multipath I/O), 17–19
  NAS (Network Attached Storage), 28
  RAID (Redundant Array of Independent Disks), 11–12
  review Q&As, 35–39
  SANs (Storage Area Networks), 28
  SMfS (Storage Manager for SANs), 29–32
  Storage Explorer, 32–33
  summary, 33
  VDS (Virtual Disk Service), 28–29
  volumes, 8–9
Storage Manager for SANs. See SMfS (Storage Manager for SANs)
streaming media
  advanced streaming options, 240
  content creation, 232–233
  content publishing options, 232–235
  creating Broadcast Publishing Point, 235–237
  multicast streams, 237–239
  overview of, 232
striped volumes, 8
SRV (Service Location) record, 392–393
Symmetric Multiprocessors (SMP), 315
system availability, 463–464. See also high availability
system clock, monitoring changes to, 464–465
System Diagnostics report, 459–461
  overview of, 459–460
  viewing, 460–461
system images, WDS
  benefits of, 367
  capturing with WDSUTIL, 379
  capturing with Wizard, 376–378
  creating, 375
  deploying, 365–367
system logs, 469
system stability, 461
System Stability Chart, Reliability Monitor, 462
System Stability Report, Reliability Monitor, 462–463
system.applicationHost, IIS settings, 149
system.webServer, IIS settings, 149
T

Task Scheduler
  creating/managing tasks remotely, 485–487
  displaying all running tasks, 482
  exporting/importing tasks, 483–484
  integration with Event Viewer, 488–489
  managing tasks, 481–482
  overview of, 475–477
  scheduling tasks manually from command line, 481
  scheduling tasks manually with Windows interface, 480–481
  scheduling tasks with wizard, 477–478
  triggers for tasks, 479–480
  viewing task history, 484–485
templates, creating DCS from, 449
Terminal Services
  adding applications to TS RemoteApp program list, 60–62
  adding servers to Session Directory Computer Local Group, 86–87
  adding servers to TS Broker Farm, 87–88
  ClearType settings, 46
  configuring client for TS Gateway, 82–83
  configuring DNS for TS Session Broker Load Balancing, 88–89
  creating TS CAPs (Terminal Services Connection Authorization Policies), 77–80
  creating TS RAPs (Terminal Services Resource Authorization Policies), 80–82
  Desktop Composition, 50–51
  Desktop Experience, 48–49
  device redirection, 51–53
  Display Data Prioritization, 46–47
  display resolution options, 43–44
  distributing TS RemoteApp applications, 67
  Easy Print, 53
  exam essentials, 92
  exporting/importing TS RemoteApp programs and settings, 65–67
  font smoothing, 45–46
  Group Policy settings for, 125–130
  installing Terminal Services role, 56–60
  installing TS Gateway role, 72–74
  installing TS Session Broker role, 85–86
  installing TS Web Access role, 67–71
  load balancing, 84
  mapping certificate to TS Gateway server, 75–76
  monitor spanning, 44
  NLB (Network Load Balancing), 89–90
  obtaining/installing certificate for TS Gateway, 74–75
  overview of, 41–42
  packaging TS RemoteApp program, 63–65
  Q&As, 93–97
  RDC (Remote Desktop Connection), 43
  resource allocation. See WSRM (Windows System Resource Manager)
  SSO (Single Sign-On), 54–55
  summary, 90–91
  Themes, 49–50
Terminal Services client access licenses. See TS CALs (client access licenses)
Terminal Services Configuration tool
  configuring licensing mode, 114–115
  configuring server discovery mode, 116–117
  running licensing diagnosis, 122–123
Terminal Services Connection Authorization Policies (TS CAPs), 77–80
Terminal Services Resource Authorization Policies (TS RAPs), 80–82
Terminal Services Role, installing, 56–60
Themes service
  setting new theme, 49–50
  starting, 49
TLS (Transport Layer Security)
  encrypting SMTP communication, 169–170
  SMTP outbound security, 174
trace logs
  condition options, 191
  content options, 190
  enabling failed request tracing, 188–190
  trace provider options, 192–193
  Windows event categories, 279
transfer limits, SMTP messages, 171–172
Transport Layer Security (TLS)
  encrypting SMTP communication, 169–170
  SMTP outbound security, 174
Transport Server, WDS, 369
traps, SNMP
  configuring, 503–504
  Event to Trap Translator, 507
triggers, for tasks, 479–480
trust levels, .NET Framework, 160–161
TS CALs (client access licenses)
  activating license servers, 107–110
  installing, 110–114
  revoking CALs, 121
  stored in Active Directory Domain Services, 118
  tracking issuance of Per User CALs, 117–120
TS CAPs (Terminal Services Connection Authorization Policies), 77–80
TS Easy Print, 53
TS Gateway, 72–83
  configuring client for, 82–83
  creating TS CAPs (Terminal Services Connection Authorization Policies), 77–80
  creating TS RAPs (Terminal Services Resource Authorization Policies), 80–82
  global deployment settings, 132–133
  Group Policy settings, 129–130
  installing TS Gateway role, 72–74
  mapping certificates to server, 75–76
  monitoring, 135–137
  obtaining/installing certificates, 74–75
  overview of, 72
  viewing user connection information, 137–138
TS Gateway Manager
  monitoring with, 135–137
  viewing user connection information with, 137–138
TS License server discovery mode, 116–117
TS Licensing
  activating license servers, 107–110
  client access licenses, 100–101
  configuring licensing mode, 114–116
  configuring server discovery mode, 116–117
  exam essentials, 140
  installing, 101
  installing CALs, 110–114
  installing TS Licensing Manager, 105–106
  installing TS Licensing role service, 102–105
  Licensing Diagnosis tool, 121–123
  overview of, 99–100
  Q&As, 141–145
  remote administration of servers, 123–125
  revoking CALs, 121
  server discovery, 101–102
  summary, 139–140
  tracking TS Per User CALs, 117–120
TS Licensing Manager
  activating license servers, 107–110
  connecting to license servers, 105
  installing, 105–106
  installing CALs, 111–114
  reports on CAL issuance, 119–120
TS licensing mode, 114–116
TS Per Device CALs (client access licenses)
  revoking, 121
  stored in Active Directory Domain Services, 118
  types of client access licenses, 100–101
TS Per User CALs (client access licenses)
  reports on license issuance, 119–120
  stored in Active Directory Domain Services, 118
  tracking issuance of, 117–118
  types of client access licenses, 100–101
TS RAPs (Terminal Services Resource Authorization Policies), 80–82
TS RemoteApp Manager
  adding applications to TS RemoteApp program list, 60
  configuring digital signatures, 134–135
  RDP global deployment settings, 133–134
  Terminal server global deployment settings, 130–132
  TS Gateway global deployment settings, 132–133
TS RemoteApps, 55–72
  adding applications to program list, 60–62
  applying in large environments, 65
  digital signature settings, 134–135
  distributing applications, 67
  exam essentials, 140
  exporting/importing programs and settings, 65–67
  global deployment settings, 130–132
  installing Terminal Services Role, 56–59
  overview of, 55
  packaging programs, 63–65
  Q&As, 141–145
  RDP global deployment settings, 133–134
  summary, 139–140
  TS Gateway global deployment settings, 132–133
TS Session Broker
  configuring DNS for load balancing, 88–89
  configuring server farms, 84–85
  configuring servers to join farm and participate in load balancing, 87–88
  Group Policy settings, 129
  installing TS Session Broker Role service, 85–86
  NLB (Network Load Balancing) and, 89–90
  overview of, 84
TS Web Access
  adding computer account to TS RemoteApp server, 70–71
  installing, 67–69
U

unicast streaming, 234
Unicode Transformation Format-8 (UTF-8), 195
Uniform Resource Locators. See URLs (Uniform Resource Locators)
upgrades, WSS 2.0 to 3.0, 283–285
URL Authorization module, 209
URLs (Uniform Resource Locators)
  alternate access mapping and, 287–289
  host headers relying on, 154
  redirection and, 156
user connections, TS Gateway Manager for viewing, 137–138
user credentials, Hyper-V, 326
user exclusions, DRM, 253–254
user interface, Task Scheduler, 476
user profiles, Terminal Service, 128
user rights, “Log On as a Batch Job” user right, 446–447
user-added content, WSS sites, 295
users
  connection authorization policies, 78
  FTP authorization rules, 165–166
  resource authorization policies, 81
UTF-8 (Unicode Transformation Format-8), 195
V

Validate a Configuration Wizard, 417–421
  addressing problems reported by, 421
  overview of, 417–419
  running, 419–420
VDS (Virtual Disk Service), 28–29
VHD files, 329, 348. See also virtual hard disks
virtual directories, 155–156
Virtual Disk Service (VDS), 28–29
virtual hard disks
  adding physical (pass-through) disk to virtual machine, 335–336
  configuring, 326
  creating differencing disk, 331–332
  creating fixed size disk and migrating physical disk to it, 332–334
  exporting/importing virtual machines and, 349
  managing, 336–337
  types of, 329–330
virtual host names, 165
virtual LAN (VLAN), 327
Virtual Machine Connection, 343–345
  functions of, 344
  overview of, 343–344
  window illustration, 345
Virtual Machine Remote Control (VMRC), 343
virtual machines
  adding physical (pass-through) disk to, 335–336
  applying snapshots, 354
  changing configuration of existing, 342–345
  configuring, 326
  creating, 338–342
  creating snapshots, 351–354
  deleting, 343
  exporting/importing, 347–350
  installing Integration Components to Windows Server, 346–347
  overview of, 337
  Virtual Machine Connection, 343–345
Virtual Network Manager, 326
virtual networks, 326–328
  creating internal virtual network, 328
  overview of, 326
  types of, 326–327
virtual server, SMTP, 168–169
virtual switches. See virtual networks
virtualization, 314–315. See also Hyper-V
virus scans, WSS, 281–282
VLAN (virtual LAN), 327
VMC file, 348
VMRC (Virtual Machine Remote Control), 343
volumes
  creating volume sets, 9–11
  types of, 8–9
W

WDS (Windows Deployment Services), 363–401
  capturing images with WDSUTIL, 379
  capturing images with Wizard, 376–378
  configuration settings, 369–370
  configuring WDS server for first use, 370–372
  configuring WDS server properties, 372–374
  creating images, 375
  deploying images, 365–367
  deploying Server Core, 380–381
  exam essentials, 397
  IFM (Install from Media), 394–396
  installing WDS role, 367–369
  overview of, 364–365
  Q&As, 397–401
  summary, 397
WDS image capture utility, 375
WDSUTIL, 379
web applications
  configuring, 148–149
  creating zones for, 289–290
  creating/extending with WSS, 284–287
Web farms, configuring, 161–163
Web servers, enabling SSL on, 205–206
Web services infrastructure
  application pools, 161–163
  configuring Web applications, 148–149
  creating/configuring websites, 152–153
  exam essentials, 178
  FTP service. See FTP (File Transfer Protocol)
  host headers for creating websites, 154–155
  installing IIS 7.0, 150–152
  installing IIS modules, 156–158
  Internet Information Services (IIS) Manager for creating websites, 153–154
  .NET components, 160
  .NET trust levels, 160–161
  overview of, 147–148
  Q&As, 179–184
  redirection, 156
  SMTP service. See SMTP (Simple Mail Transfer Protocol)
  summary, 177–178
  virtual directories, 155–156
  Web farm configuration, 161–163
  website limits, 158–159
Web services infrastructure, advanced
  access logs, 193–195
  AppCmd.exe for configuring IIS settings, 186–188
  application access, 209–210
  backups and restores, 195
  client certificate mapping, 211
  configuration backup settings, 195–197
  delegation of administration, 197–201
  exam essentials, 212
  overview of, 185
  Q&As, 213–217
  SSL. See SSL (Secure Sockets Layer)
  summary, 211–212
  trace logs, 188–193
  website authentication, 207–209
Web SSO (Web Single Sign On). See also SSO (Single Sign-On)
  configured by ADFS, 300–304
  federated authorization in WSS, 296
Web.config, IIS settings, 149
websites
  AppCmd.exe for listing, 186–187
  authentication, 207–209
61705bindex.indd 550
  creating/configuring, 152–153
  host headers for creating, 154–155
  Internet Services (IIS) Manager for creating, 153–154
  resource limits, 158–159
  SSL enabled on, 205–206
websites, WSS
  adding content, 295
  alternate access mapping, 287–289
  configuring, 283
  creating site collections, 291–292
  creating/extending web applications, 284–287
  end user access, 292–294
  quota templates, 290–291
  upgrading WSS 2.0 and, 283–284
  zones for web applications, 289–290
weighted paths, 17
wevtutil.exe, 469–470
WIM files, 375
Windows authentication
  types of website authentication, 208
  WSS and, 296
Windows Deployment Services. See WDS (Windows Deployment Services)
Windows Deployment Services Configuration Wizard, 370–372
Windows events, logging, 279
Windows Fax and Scan role, 221–222
Windows Firewall, 472
Windows Installer files (MSI), 63–65
Windows logs, Event Viewer, 469
Windows Management Instrumentation (WMI), 316
Windows Media Encoder, 232–233
Windows Media format, 232
Windows Media Player
  Advanced Fast Start, 242
  creating content, 232–233
  Fast Start, 241
Windows Media Services. See also media services
  Advanced Fast Start, 242
  advanced streaming options, 240
  Fast Cache, 240–241
  Fast Recovery and Fast Reconnect, 243–244
  Fast Start, 241
  overview of, 229–230
  security, 245
  unicast streaming, 234
Windows Media Stream Editor, 232–233
Windows Movie Maker, 232–233
Windows OSs
  AD RMS support, 251
  fax services, 222
  Hyper-V availability, 324–325
  Hyper-V Integration Component, 345–346
  Hyper-V support, 316
  KMS support, 384
  managing tasks remotely, 485
  monitoring failures, 466–467
Windows PE, WDS interface, 366
Windows Performance Diagnostic Console
  monitoring general system activity, 491–494
  overview of, 490
  Resource Monitor, 490–491
Windows Process Activation Service (WPAS), 162
Windows Product Activation (WPA)
  backlash to, 382
  configuring, 381–383
Windows Reliability and Performance Monitor
  application failures, 465–466
  components and new features, 445
  data collector sets. See DCS (Data Collector Sets)
  hardware failures, 466
  log data, 456–459
  miscellaneous failures, 467
  overview of, 444
  Reliability Monitor features, 462–463
  reports, 459
  software install/uninstall, 465
  system clock changes, 464–465
  System Diagnostics report, 459–461
  viewing system availability, 463–464
  viewing system stability, 461
  Windows OS failures, 466–467
Windows Remote Management (WinRM), 471
Windows Servers
  Hyper-V software requirements, 319
  Hyper-V support for, 316
  media services and, 229–231
Windows shell (explorer.exe), 124
Windows Startup Application (wininit.exe), 124
Windows System Resource Manager. See WSRM (Windows System Resource Manager)
Winlogon (winlogon.exe), 124–125
WinRM (Windows Remote Management), 471
WMI (Windows Management Instrumentation), 316
Word documents, AD RMS protection, 252
workflow options, WSS, 277
Workgroup, TS Licensing discovery scopes, 101–102
World Wide Name (WWN), 27
WPA (Windows Product Activation)
  backlash to, 382
  configuring, 381–383
WPAS (Windows Process Activation Service), 162
WSRM (Windows System Resource Manager)
  configuring, 139
  installing, 138–139
  overview of, 138
WSS (Windows SharePoint Services), 267–311
  alternate access mapping, 287–289
  antivirus settings, 281–282
  authentication, 295–296
  Best Practices Analyzer tool, 282
  configuring, 269–270
  configuring sites, 283
  configuring SSO, 300–304
  creating site collections, 291–292
  creating/extending web applications, 284–287
  diagnostic logging settings, 278–281
  Digest authentication, 297–300
  end user access, 292–294
  exam essentials, 305
  incoming e-mail settings, 270–273
  outgoing e-mail settings, 273–275
  outgoing e-mail settings for specific web application, 275–276
  overview of, 267–268
  Q&As, 306–311
  quota templates, 290–291
  site content, 295
  summary, 305
  upgrading version 2.0, 283–285
  workflow options, 277
  zones for web applications, 289–290
WWN (World Wide Name), 27
WWW Server, 192
Z

zones, web applications
  authentication and, 297
  creating, 289–290
Wiley Publishing, Inc. End-User License Agreement

READ THIS. You should carefully read these terms and conditions before opening the software packet(s) included with this book (“Book”). This is a license agreement (“Agreement”) between you and Wiley Publishing, Inc. (“WPI”). By opening the accompanying software packet(s), you acknowledge that you have read and accept the following terms and conditions. If you do not agree and do not want to be bound by such terms and conditions, promptly return the Book and the unopened software packet(s) to the place you obtained them for a full refund.

1. License Grant. WPI grants to you (either an individual or entity) a nonexclusive license to use one copy of the enclosed software program(s) (collectively, the “Software”) solely for your own personal or business purposes on a single computer (whether a standard computer or a workstation component of a multi-user network). The Software is in use on a computer when it is loaded into temporary memory (RAM) or installed into permanent memory (hard disk, CD-ROM, or other storage device). WPI reserves all rights not expressly granted herein.

2. Ownership. WPI is the owner of all right, title, and interest, including copyright, in and to the compilation of the Software recorded on the physical packet included with this Book (“Software Media”). Copyright to the individual programs recorded on the Software Media is owned by the author or other authorized copyright owner of each program. Ownership of the Software and all proprietary rights relating thereto remain with WPI and its licensers.

3. Restrictions On Use and Transfer. (a) You may only (i) make one copy of the Software for backup or archival purposes, or (ii) transfer the Software to a single hard disk, provided that you keep the original for backup or archival purposes. You may not (i) rent or lease the Software, (ii) copy or reproduce the Software through a LAN or other network system or through any computer subscriber system or bulletin-board system, or (iii) modify, adapt, or create derivative works based on the Software. (b) You may not reverse engineer, decompile, or disassemble the Software. You may transfer the Software and user documentation on a permanent basis, provided that the transferee agrees to accept the terms and conditions of this Agreement and you retain no copies. If the Software is an update or has been updated, any transfer must include the most recent update and all prior versions.

4. Restrictions on Use of Individual Programs. You must follow the individual requirements and restrictions detailed for each individual program in the About the CD-ROM appendix of this Book or on the Software Media. These limitations are also contained in the individual license agreements recorded on the Software Media. These limitations may include a requirement that after using the program for a specified period of time, the user must pay a registration fee or discontinue use. By opening the Software packet(s), you will be agreeing to abide by the licenses and restrictions for these individual programs that are detailed in the About the CD-ROM appendix and/or on the Software Media. None of the material on this Software Media or listed in this Book may ever be redistributed, in original or modified form, for commercial purposes.

5. Limited Warranty. (a) WPI warrants that the Software and Software Media are free from defects in materials and workmanship under normal use for a period of sixty (60) days from the date of purchase of this Book. If WPI receives notification within the warranty period of defects in materials or workmanship, WPI will replace the defective Software Media. (b) WPI AND THE AUTHOR(S) OF THE BOOK DISCLAIM ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE SOFTWARE, THE PROGRAMS, THE SOURCE CODE CONTAINED THEREIN, AND/OR THE TECHNIQUES DESCRIBED IN THIS BOOK. WPI DOES NOT WARRANT THAT THE FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET YOUR REQUIREMENTS OR THAT THE OPERATION OF THE SOFTWARE WILL BE ERROR FREE. (c) This limited warranty gives you specific legal rights, and you may have other rights that vary from jurisdiction to jurisdiction.

6. Remedies. (a) WPI’s entire liability and your exclusive remedy for defects in materials and workmanship shall be limited to replacement of the Software Media, which may be returned to WPI with a copy of your receipt at the following address: Software Media Fulfillment Department, Attn.: MCTS: Windows Server Applications Infrastructure Configuration Study Guide, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, or call 1-800-762-2974. Please allow four to six weeks for delivery. This Limited Warranty is void if failure of the Software Media has resulted from accident, abuse, or misapplication. Any replacement Software Media will be warranted for the remainder of the original warranty period or thirty (30) days, whichever is longer. (b) In no event shall WPI or the author be liable for any damages whatsoever (including without limitation damages for loss of business profits, business interruption, loss of business information, or any other pecuniary loss) arising from the use of or inability to use the Book or the Software, even if WPI has been advised of the possibility of such damages. (c) Because some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation or exclusion may not apply to you.

7. U.S. Government Restricted Rights. Use, duplication, or disclosure of the Software for or on behalf of the United States of America, its agencies and/or instrumentalities (“U.S. Government”) is subject to restrictions as stated in paragraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause of DFARS 252.227-7013, or subparagraphs (c)(1) and (2) of the Commercial Computer Software - Restricted Rights clause at FAR 52.227-19, and in similar clauses in the NASA FAR supplement, as applicable.

8. General. This Agreement constitutes the entire understanding of the parties and revokes and supersedes all prior agreements, oral or written, between them and may not be modified or amended except in a writing signed by both parties hereto that specifically refers to this Agreement. This Agreement shall take precedence over any other documents that may be in conflict herewith. If any one or more provisions contained in this Agreement are held by any court or tribunal to be invalid, illegal, or otherwise unenforceable, each and every other provision shall remain in full force and effect.
The Absolute MCTS: Windows Server 2008 Applications Infrastructure Configuration Book/CD Package on the Market!

Get ready for your Microsoft Certified Technology Specialist: Windows Server 2008 Applications Platform, Configuration or MCITP: Enterprise or Server Administrator certifications with the most comprehensive and challenging sample tests anywhere! The Sybex Test Engine features:
• All the review questions, as covered in each chapter of the book
• Challenging questions representative of those you’ll find on the real exam
• Two full-length bonus exams available only on the CD
• An Assessment Test to narrow your focus to certain objective groups

Use the Electronic Flashcards for PCs or Palm devices to jog your memory and prep last-minute for the exam!
• Reinforce your understanding of key concepts with these hardcore flashcard-style questions.
• Download the Flashcards to your Palm device and go on the road. Now you can study for the MCTS: Windows Server 2008 Applications Platform, Configuring (70-643) exam any time, anywhere.
• The CD also includes PrepLogic’s robust Audio+ exam preparation product for Exam 70-643, exclusive to Sybex Study Guides.

Search through the complete book in PDF!
• Access the entire MCTS: Microsoft Windows Server 2008 Applications Platform Configuration Study Guide, complete with figures and tables, in electronic format.
• Search the MCTS: Microsoft Windows Server 2008 Applications Platform Configuration Study Guide chapters to find information on any topic in seconds.
PrepLogic www.preplogic.com
1-800-418-6789
Learn While... Driving to Work. Get certified more quickly than ever with PrepLogic audio training. Quiz Me & Lecture Series audio give you the freedom and flexibility to learn anywhere – driving to work, sipping morning coffee, or even walking your dog. Want to pass your exam in record time? Use audio training from PrepLogic.
PrepLogic Audio Training Now on CD or MP3!
Try PrepLogic for FREE! Now you can enjoy our high-speed audio training for FREE. Visit PrepLogic today for over 80 free Quiz Me & Lecture Series sample lessons for the most challenging, popular and valuable certifications including MCSE, CCNA, A+, PMP, CISSP® and more. Try PrepLogic today for Free!
www.preplogic.com/freeaudio
Need More Practice?

Preparing for your certification exams just got easier thanks to TestSuccess from Sybex. With 24-hour access to this online test prep environment, you can practice how you want, when you want, from wherever you can access the Internet. With your paid subscription you will be able to:
• Gain access to 200 questions per exam covering all exam subject areas
• Get explanations of questions and answers in Practice Mode
• Select your own questions
• Take your own customized practice exams
• Create a “quick” exam, pulling questions randomly from the entire test bank
• View detailed strength and weakness reports separated by subject area
• Compare your performance and scores to other users to see how you rank

Available exams:
• CCNA: Cisco Certified Network Associate (640-802)
• MCTS: Microsoft Windows Vista Configuration (70-620)
• CompTIA A+ Essentials
• CISSP: Certified Information System Security Professional
• CompTIA A+ IT Technician
• CompTIA Linux+
• CompTIA Network+
• CompTIA Security+
• PHR/SPHR: Professional/Senior Professional in Human Resources
• PMP: Project Management Professional
Go to www.sybextestsuccess.com today for more information and to subscribe!
MCTS: Windows Server 2008 Applications Infrastructure Configuration Study Guide
Exam 70-643: TS: Windows Server 2008 Applications Infrastructure, Configuring Objectives

| Objective | Chapter |
|---|---|
| Deploying Servers | |
| Deploy images by using Windows Deployment Services. May include but is not limited to: install from media (IFM), configure Windows Deployment Services, capture Windows Deployment Services images, deploy Windows Deployment Services images, server core | 9 |
| Configure Microsoft Windows activation. May include but is not limited to: install a KMS server; create a DNS SRV record; replicate volume license data | 9 |
| Configure Windows Server Hyper-V and virtual machines. May include but is not limited to: virtual networking; virtualization hardware requirements; Virtual Hard Disks; migrate from physical to virtual; VM additions; backup; optimization; server core | 8 |
| Configure high availability. May include but is not limited to: failover clustering; Network Load Balancing; hardware redundancy | 10, 11 |
| Configure storage. May include but is not limited to: RAID types; Virtual Disk Specification (VDS) API; Network Attached Storage; iSCSI and fibre channel Storage Area Networks; mount points | 1 |
| Configuring Terminal Services | |
| Configure Windows Server 2008 Terminal Services RemoteApp (TS RemoteApp). May include but is not limited to: configuring Terminal Services Web Access; configuring Terminal Services Remote Desktop Web Connection | 2 |
| Configure Terminal Services Gateway. May include but is not limited to: certificate configuration; Terminal Services Gateway Manager (TS Gateway Manager); specifying resources that users can access through TS Gateway by using Terminal Services resource authorization policy (TS RAP) and Terminal Services connection authorization policy (TS CAP); Terminal Services group policy | 2 |
| Configure Terminal Services load balancing. May include but is not limited to: Terminal Services Session Broker redirection modes; DNS registration; setting through group policy | 2 |
| Configure and monitor Terminal Services resources. May include but is not limited to: allocate resources by using Windows Server Resource Manager; configure application logging | 3 |
| Configure Terminal Services licensing. May include but is not limited to: deploy licensing server; connectivity between terminal servers and Terminal Services licensing server; recovering Terminal Services licensing server; managing Terminal Services client access licenses (TS CALs) | 3 |
| Configure Terminal Services client connections. May include but is not limited to: connecting local devices and resources to a session; Terminal Services profiles; Terminal Services home folders; Remote Desktop Connection (RDC); single sign-on; Remote Desktop Snap-In; MSTSC.exe | 2, 3 |
| Configure Terminal Services server options. May include but is not limited to: logoff; disconnect; reset; remote control; monitor; Remote Desktop Protocol (RDP) permissions; connection limits; session time limits; managing by using GPOs; viewing processes; session permissions; display data prioritization | 3 |
| Configuring a Web Services Infrastructure | |
| Configure Web applications. May include but is not limited to: directory-dependent; publishing; URL-specified configuration; Microsoft .NET components, for example, .NET and aspx; configure application pools | 4 |
| Manage Web sites. May include but is not limited to: migrate sites and Web applications; publish IIS Web sites; configure virtual directories | 4 |
| Configure a File Transfer Protocol (FTP) server. May include but is not limited to: configure for extranet users; configure permissions | 4 |
| Configure Simple Mail Transfer Protocol (SMTP). May include but is not limited to: setting up smart hosts; configuring size limitations; setting up security and authentication to the delivering server; creating proper service accounts; authentication; SMTP relay | 4 |
| Manage Internet Information Services (IIS). May include but is not limited to: Web site content backup and restore; IIS configuration backup; monitor IIS; configure logging; delegation of administrative rights | 5 |
| Configure SSL security. May include but is not limited to: configure certificates; requesting SSL certificate; renewing SSL certificate; exporting and importing certificates | 5 |
| Configure Web site authentication and permissions. May include but is not limited to: configure site permissions and authentication; configure application permissions; client certificate mappings | 5 |
| Configuring Network Application Services | |
| Configure Windows Media server. May include but is not limited to: on-demand replication; configure time-sensitive content; caching and proxy | 6 |
| Configure Digital Rights Management (DRM). May include but is not limited to: encryption; sharing business rules; configuring license delivery; configuring policy templates | 6 |
| Configure Microsoft Windows SharePoint Services server options. May include but is not limited to: site permissions; backup; antivirus; configuring Windows SharePoint Services service accounts | 7 |
| Configure Windows SharePoint Services e-mail integration. May include but is not limited to: configuring a document library to receive e-mail; configuring incoming vs. outgoing e-mail | 7 |

Exam objectives are subject to change at any time without prior notice and at Microsoft’s sole discretion. Please visit Microsoft’s website (www.microsoft.com/learning) for the most current listing of exam objectives.