Mastering Microsoft Windows Server 2008 R2
Mark Minasi, Darril Gibson, Aidan Finn, Wendy Henry, Byron Hynes
Install and Manage Windows Server 2008 R2. Master the Features of Server 2008 R2.

Contents at a Glance

Introduction
Chapter 1 • What's New in Windows Server 2008 and 2008 R2
Chapter 2 • Installing and Upgrading to Windows Server 2008 R2
Chapter 3 • The New Server: Introduction to Server Core
Chapter 4 • Windows Server 2008 IPv4: What Has Changed?
Chapter 5 • DNS and Naming in Server 2008 and Active Directory
Chapter 6 • Creating the Simple AD: The One-Domain, One-Location AD
Chapter 7 • Creating and Managing User Accounts
Chapter 8 • Group Policy: AD's Gauntlet
Chapter 9 • Active Directory Delegation
Chapter 10 • Files, Folders, and Shares
Chapter 11 • Creating and Managing Shared Folders
Chapter 12 • SYSVOL: Old and New
Chapter 13 • Sharing Printers on Windows Server 2008 R2 Networks
Chapter 14 • Remote Server Administration
Chapter 15 • Connecting Windows Clients to the Server
Chapter 16 • Working the Web with IIS 7.0 and 7.5
Chapter 17 • Watching Your System
Chapter 18 • Windows Server 2008 R2 and Active Directory Backup and Maintenance
Chapter 19 • Advanced IP: Routing with Windows
Chapter 20 • Getting from the Office to the Road: VPNs
Chapter 21 • Adding More Locations: Sites in Active Directory
Chapter 22 • The Third DC: Understanding Read-Only Domain Controllers

Contents

Introduction

Chapter 1 • What's New in Windows Server 2008 and 2008 R2
Server 2008 and R2 Goals; AD Changes; Read-Only Domain Controllers; New Windows Backup; Fine-Grained Password Policies; PowerShell and AD Administrative Center; DCPromo Improvements; OS Changes; Under the Hood; R21s; Server Core; Hyper-V; Networking Changes; TCP; Network Access Protection (NAP); Secure Socket Tunneling Protocol (SSTP) VPN; New Setup Technologies; New Management Tools; Server Manager; The New Remote Tools: WinRM and WinRS; Remote Desktop Services: Terminal Services with a New Name and New Features; New Group Policies and Tools; New Event Viewer; File and Print Sharing; SMB 2.0; More Reliable SYSVOL Replication; Print Management Console and Printer Driver Isolation; Web-Based Services; Web Server (IIS); Server; Windows Server Update Services (WSUS)

Chapter 2 • Installing and Upgrading to Windows Server 2008 R2
What Has Changed Since 2000 and 2003?; The Media; Installation Requirements; 64-bit Support; Installing the Operating System; Performing a Clean Installation; Performing an Upgrade Installation; Initial Configuration Tasks Utility; Using Server Manager to Configure Your Servers; Changes to Server Manager; Common Configuration Tasks; Adding and Removing Roles; Troubleshooting Roles and Features; Remote Management; Wrapping Up Server Manager; Upgrading Active Directory; An Overview of Active Directory: New Functionality in Windows Server 2008 and 2008 R2; New Active Directory Functionality in Windows Server 2008 R2; Active Directory Upgrade Strategies; Unattended Installations; Installing Windows Automated Installation Kit (WAIK); Creating an Answer File; Using an Answer File; Installing a Sample Server Network for This Book's Examples; The Bottom Line

Chapter 3 • The New Server: Introduction to Server Core
What in the World Is Server Core?; Installing Server Core; Server Core Survival Guide; Accessing the Task Manager; Closing the Command Prompt; Changing the Administrator's Password; Accessing File Shares; Finding Commands from A to Z; Finding Command Syntax: The Question Mark; Reading Text Files with Notepad; Reverse Engineering; Editing the Registry; Rebooting and Shutting Down; Initial Configurations for Server Core; Step 1: Provide Computer Information; Step 2: Update This Server; Step 3: Customize This Server; Administering Server Core Remotely; Configuring Roles and Features; Creating a Domain Controller and Managing DNS; Configuring the DHCP Service; Setting Up a File Server; Setting Up a Print Server; Managing Licenses with Key Management Service; Protecting Data with Windows Backup Server; The Bottom Line

Chapter 4 • Windows Server 2008 IPv4: What Has Changed?
TCP Then and Now; Improving Transaction Time with Autoscaling; Employing Policy-Based QoS; Sharing Files and Printers with SMB 2.0; Alternatives for Network Performance; Wrapping Up the New and Improved TCP; DHCP and Network Access Protection; New to 2008 R2; The Bottom Line

Chapter 5 • DNS and Naming in Server 2008 and Active Directory
Components of Microsoft's DNS; Understanding the DNS Server Role; Implementing Zones to Manage Namespaces; Understanding Record Types; Implementing the DNS Role on Server Core; Managing DNS Clients and Name Resolution; Understanding Active Directory's DNS; Configuring DNS Automatically; Understanding SRV Records and Clients; Windows Server 2008 R2's Additional Features; Supporting Internet-Based DNS Resolution; Supporting External DNS Domains; Resolving External Namespaces; Administration and Troubleshooting with DNS Tools; Administering the DNS Server with the DNS Management Console and DNSCmd; Leveraging Nslookup, DCDiag, and DNSLint; The Bottom Line

Chapter 6 • Creating the Simple AD: The One-Domain, One-Location AD
An Introduction to Active Directory Basics; A Single-Domain Forest; Benefits of a Single Domain; Creating a Single-Domain Forest; Adding a Second DC; Before Running DCPromo; Deployment Configuration for the Second DC; DNS for the Second DC; Global Catalog for the Second DC; Running DCPromo for the Second DC; Creating Organizational Units, Accounts, and Groups; Creating Organizational Units; Creating Accounts; Creating Groups; Delegating Control; Domain Maintenance Tasks; Joining a Domain; Decommissioning a DC; Troubleshooting ADI DNS; Raising Domain and Forest Functional Levels; Using NetDom; Managing the Domain Time; Creating Fine-Grained Password Policies; Requirements for Fine-Grained Password Policies; Creating a Password Settings Object; The Bottom Line

Chapter 7 • Creating and Managing User Accounts
User Accounts; Creating Local User Accounts; Creating Domain User Accounts; Setting Local User Account Properties; Setting Domain-Based User Account Properties; Group Management; Local Groups; Active Directory Groups; Monday-Morning Admin Tasks; Forgotten Passwords; Users Locked-Out; What's New in Windows Server 2008 R2 for User and Group Management; Active Directory Administrative Center; Active Directory Module for Windows PowerShell; The Bottom Line

Chapter 8 • Group Policy: AD's Gauntlet
Group Policy Concepts; Policies Are "All or Nothing"; Policies Are Inherited and Cumulative; Group Policy Power! Refresh Intervals; Local Policies and Group Policy Objects; Administrators or Non-Administrators LGPO; User-Specific LGPO; Creating GPOs; Group Policy Basics; Replication of Group Policy Is Built In; GPOs Undo Themselves When Removed; You Needn't Log On to Apply GPO Settings; Modifying Group Policy Default Behavior; Group Policy Policies; Group Policy over Slow Links; Group Policy Application; How Group Policy Is Applied; Filtering Group Policy with Access Control Lists; Using WMI Filters with Group Policy; Enforcing and Blocking Inheritance; Group Policy Example: Forcing Complex Passwords; Group Policy Setting Possibilities; Decrypting User and Computer Configuration Settings; Using Group Policy to Set Password and Account Lockout Policy; Group Policy Preferences; The New and Improved GPMC; Starter GPOs; Backing Up and Restoring GPOs; Delegating Group Policy Administration; Troubleshooting Group Policies; The Resultant Set of Policy (RSOP) Tool; Group Policy Results Using the GPMC; Group Policy Modeling Using the GPMC; gpresult; gpotool; Using Event Viewer; Troubleshooting 101: Keep It Simple; A Closing Thought or Two on Group Policy; The Bottom Line

Chapter 9 • Active Directory Delegation
AD Delegation vs. NT Domains; Delegating Control Using Organizational Units; Creating a New Organizational Unit; Moving User Accounts into an OU; Creating a MktPswAdm Group; Delegating the Marketing OU's Password Reset Control to MktPswAdm; Advanced Delegation: Manually Setting Permissions; Finding Out Which Delegations Have Been Set, or Undelegating; The Bottom Line

Chapter 10 • Files, Folders, and Shares
Understanding the File Services Role; Adding Role Services; Adding the File Services Role; Creating Shares; Creating Shares with Server Manager; Creating Shares on Remote Computers Using Server Manager; Publishing Shares in Active Directory; Managing Permissions; NTFS Permissions; Share Permissions; Share and NTFS Permission Similarities; Modifying Share and NTFS Permissions; Combining Share and NTFS Permissions; Connecting to Shares; "A Set of Credentials Conflicts"; Using net use on a WAN; Common Shares; File Server Resource Manager; Creating Quota Policies; Creating File Screen Policies; Generating Reports; File Server Resource Manager Options; Understanding SMB 2.0; Compatibility with SMB 1.0; SMB 2.0 Security; Implementing BitLocker; Hardware Requirements; Enabling BitLocker; Using Offline Files/Client-Side Caching; How Offline Files Works; BranchCache; Enabling Offline Files on the Server; The Bottom Line

Chapter 11 • Creating and Managing Shared Folders
Creating Shared Folders; Creating Shares from Explorer; Remotely Creating Shares with the Computer Management Console; Managing Permissions; Creating Share Permissions; Understanding File and Directory Permissions; Working with Hidden Shares; Exploring the Distributed File System; Understanding DFS Terminology; Choosing Stand-Alone vs. Domain-Based DFS; Creating a DFS Root; Adding Links to a DFS Root; Configuring DFS Replications; Understanding DFS Replication; Managing DFS Replication; Exploring the Network File System; The Bottom Line

Chapter 12 • SYSVOL: Old and New
The Old: File Replication Service; File System Junctions; Understanding File Replication Service; How FRS Works with SYSVOL; The New: Distributed File System Replication; Understanding DFSR; Migrating to DFSR; The Bottom Line

Chapter 13 • Sharing Printers on Windows Server 2008 R2 Networks
Print Services Overview; The Print Spooler; The Printer Driver; Installing the Print and Document Services Role; Adding the Print and Document Services; Working in the Print Management Console; Adding the Print Services Role to Server Core; Deploying Printers to the Masses; Adding a Printer to a Client Manually; Adding a Printer Using Active Directory Search; Deploying Printers via GPO; Viewing Deployed Printers; Adjusting Print Server Settings; Server Properties; Printer Migration; Managing Printer Properties; Printer Properties Sharing Tab; Printer Properties Ports Tab; Printer Properties Security Tab; Printer Properties Advanced Tab; Managing Print Jobs; Using Custom Filters; Troubleshooting Printer Problems; Basic Troubleshooting: Identifying the Situation; Restarting the Spooler Service; Isolating Printer Drivers; The Bottom Line

Chapter 14 • Remote Server Administration
Remote Desktop for Administration; Configuring the Server for Remote Desktop; Using Remote Desktop Connection; Remote Desktop Gateway; Remote Desktops; Configuring a Server for Remote Assistance; Windows Remote Management Service; Enabling WinRM; Using WinRS; Remote Server Administration Tools; RSAT Compatibility Issues; RSAT Tools; Installing RSAT; The Bottom Line

Chapter 15 • Connecting Windows Clients to the Server
What to Know Before You Begin; Understanding Client-Side Software Requirements; Domain Accounts and Local Accounts; Verifying Your Network Configuration; Verifying Local Area Connection Settings; Test Network Connectivity with the ping Command; Verifying and Setting Local Area Connection Information Using the GUI; Joining the Domain; Joining a Domain from Windows 7; Joining a Domain from Windows Vista; Joining a Domain from Windows XP; Joining a Domain from Windows 2000 Professional; Changing Domain User Passwords; Changing Domain Passwords from Windows 7 and Windows Vista; Changing Domain Passwords from Windows XP and Windows 2000 Professional; Connecting to Network Resources; Connecting to Network Resources from Windows 7 and Windows Vista; Connecting to Network Resources from Windows XP; Connecting to Network Resources from Windows 2000; The Bottom Line

Chapter 16 • Working the Web with IIS 7.0 and 7.5
Creating Simple Websites; A Sum of Pages; Lively Web Pages; What's So Different About IIS 7.0 and 7.5?; Introducing IIS Modules; What's Included?; Feature Delegation; Installing IIS; Adding the Web Server Role; Installing IIS 7 via the Command Line; Installing IIS on Server Core; Renovating IIS Construction; Website Provisioning; Understanding Global Settings; Creating a Simple Website; Configuring Site Settings; Hosting Multiple Websites; Deploying Sites; Site Uniqueness; Setting Up an Anonymous Account; Delegating Administration; Integrating SMTP into IIS Web Pages; Getting Started; Adding the SMTP Server Feature; Setting Up an SMTP Server; Adding the SMTP E-mail Feature to an IIS Website; Integrating FTP into IIS Web Pages; The FTP7 File Transfer Publishing Service; Adding FTP to an IIS Website; Advanced Administration; Using Web Management Services; Connecting, Securing, Auditing; Windows System Resource Manager; Backing Up and Restoring Data; The Bottom Line

Chapter 17 • Watching Your System
Monitoring Your System with Event Viewer; Viewing an Event; Understanding Event Levels; Creating and Using Custom Views; Modifying the Displayed Columns in the Event Viewer; Understanding Windows Logs; Understanding Applications and Services Logs; Configuring Event Log Properties; Attaching Tasks to Events; Viewing Events on Server Core; Subscribing to Event Logs; Understanding Subscription Types; Selecting Events; Setting Advanced Options; Understanding Event Subscription Protocols; Configuring Event Subscriptions; Troubleshooting Event Forwarding; Checking the Runtime Status; Using the Windows Event Collector Utility; Monitoring Performance; Using Monitoring Tools; Using Data Collector Sets; The Bottom Line

Chapter 18 • Windows Server 2008 R2 and Active Directory Backup and Maintenance
Backing Up and Restoring Windows Server; Backing Up and Restoring a Full Server; Backing Up and Restoring Files and Folders; Stopping and Restarting Active Directory; Stopping and Starting AD DS; Defragmenting Active Directory Offline; Checking the Integrity of an Active Directory Database; Capturing Active Directory Snapshots; Creating an Active Directory Snapshot; Mounting an Active Directory Snapshot; Working with Mounted Active Directory Snapshots; Backing Up and Restoring Active Directory; Recovering Active Directory Objects; Creating an Active Directory Backup; Restoring an Active Directory Backup; Performing an Authoritative Restore; The Bottom Line

Chapter 19 • Advanced IP: Routing with Windows
The Life of an IP Packet; First, the Simple Case: No Routing Required; Now the Hard Case: With Routing; From Classes to Classless; In the Beginning Was the Class; Unusable Host Addresses; All Y'all Broadcast Gets Narrower: The First Unroutable Addresses; Routing the Unroutable Part I: Private Addresses; Sockets, Ports, and Winsock; Winsock: Why We Can All Use the Internet; Routing the Unroutable Part II: NAPT and PAT; Routing the Unroutable Part III: Application Layer Gateways; Installing a NAT; Testing and Troubleshooting; Using the Application Itself; Pinging a Remote Computer with ping; Pinging a Remote Computer with traceroute; Checking Your Configuration with ipconfig; Showing Routing and Neighbors; Using Network Monitor; The Bottom Line

Chapter 20 • Getting from the Office to the Road: VPNs
Introducing VPNs; The Many Names of VPN Servers; Gateway-to-Gateway VPN; Understanding the Tunneling Protocols; Layer 2 Tunneling Protocol; Secure Socket Tunneling Protocol; Internet Key Exchange Version 2; Using Network Policy and Access Services Role; Routing and Remote Access; Adding the Network Policy and Access Services; Configuring Routing and Remote Access; Configuring Policies; Authenticating VPN Clients; Configuring Accounting; Exploring Routing and Remote Access; Protecting VPNs with IP Security (IPSec); Understanding IPSec: The Four Security Options; Understanding IPSec Filters; IPSec Rules = IPSec Actions + IPSec Filters; Signing and Encrypting Need One More Piece: Authentication; How IPSec Works in Windows; Using IPSec to Protect Systems Through Packet Filtering; A Few Final Thoughts About IPSec; The Bottom Line

Chapter 21 • Adding More Locations: Sites in Active Directory
Mastering Site Concepts; Sites and Replication; Understanding Site Terminology; Exploring Sites; How Sites Work; Renaming Default-First-Site-Name; Defining a Site; Deciding on DCs in Remote Locations; Defining a Subnet and Placing It in a Site; Placing a Server in a Site; Adding Site Links; Configuring Intersite Replication; Bridgehead Servers; Forcing Replication; Configuring Clients to Access the Next Closest Site; Configuring Next Closest Site with Group Policy; Configuring Next Closest Site Through the Registry; Using PowerShell; The Bottom Line

Chapter 22 • The Third DC: Understanding Read-Only Domain Controllers
Introducing RODCs; Making Changes on a Read-Only Domain Controller; RODC Contents; RODC Requirements; RODC and Server Applications; Installing the RODC; Installing RODC on Server Core; Viewing the RODC Properties; Modifying the Allowed List; Staged Installations; DNS on the RODC; The Bottom Line

Chapter 23 • Creating Larger Active Directory Environments: Beyond One Domain
The Foundations of Multiple-Domain Designs; Domains; Forests; Trees; You Must Build Trees and Forests Together; Planning Your Active Directory Environment; Satisfying Political Needs; Connectivity and Replication Issues; Multiple Domains: When They Make Sense; The Case for an Empty Root; Active Directory Design Pointers; Creating Multiple Domains; Naming Multidomain Structures; Preparing the DC for the Second Domain; Creating a Second Domain; Functional Levels; The Beginning of Functional Levels in Windows 2000; Domain Functional Levels; Forest Functional Levels; FSMOs and GCs; Multimaster vs. Single-Master Replication; But Not Everything Is Multimaster; Domain Naming: A FSMO Example; Why Administrators Must Know About FSMOs; Global Catalogs; FSMO Roles; Schema Master; Domain Naming Master FSMO; RID Pool FSMO; Infrastructure Master; PDC Emulator FSMO; Transferring FSMO Roles; Time Sync; Trusts; Defining the Domain: "Trust"; Trust Relationships in More Detail; Trusts Have Direction; Some Trusts Are Transitive; Trusts Do Not Remove All Security; Trusts Involve Administrators from Both Sides; Four Kinds of Trusts; Understanding Transitive Forest Trusts; Manually Creating Trusts; The Bottom Line

Chapter 24 • Migrating, Merging, and Modifying Your Active Directory
Migration Strategies; Migrating with an In-Place Upgrade; Migrating with a Swing Migration; Migrating with a Clean and Pristine Migration; Using Microsoft's Free Migration Tool: ADMT; An Example Migration Setup; Establishing the Trust; Getting Both Sides ADMT-Friendly; Starting Up ADMT and Migrating; Testing the Migrated Group's Access to Resources; Translating Local Profiles; Migrating Computer Accounts; Rollback Considerations; Renaming a Domain; Understanding the Requirements; Affecting Business Operations; Understanding the Business; Performing the Domain Rename; The Bottom Line

Chapter 25 • Installing, Using, and Administering Remote Desktop Services
Who Needs Remote Desktop Services?; Centralized Deployment of Applications; Supporting Remote Users; Supporting PC-Unfriendly Environments; Reducing Hardware Refreshes; Providing Help-Desk Support; Deploying RDS RemoteApp; Simplifying the User Interface; Understanding the Remote Desktop Services Processing Model; Son of Mainframe?; Anatomy of a Thin-Client Session; Server and Client Requirements; Server Hardware; Client Hardware; Adding Remote Desktop Services; Required Role Services; Easy Print; Single Sign-On; Network Level Authentication; Licensing Mode; Remote Desktop Users Group; Adding the Remote Desktop Services Role; Adding Applications; Connecting to an RDS Session; Adding an RDS RemoteApp Application; Monitoring Remote Desktop Services; Remote Desktop Services Manager; Remote Desktop Session Host Configuration; Remote Desktop Licensing Manager; The Bottom Line

Chapter 26 • Connecting Mac OS X Clients
Preparing Active Directory for Mac OS X Clients; Connecting a Mac to the Domain; Connecting to File Shares; Connecting to Printers; Using Remote Desktop from a Mac Client; Troubleshooting; The Bottom Line

Chapter 27 • Patch Management
The Four Phases of Patch Management; Phase 1: Assess; Phase 2: Identify; Phase 3: Evaluate and Plan; Dissecting a Security Update; Digging into Windows Server Update Services; Features of WSUS 3.0; Software Requirements for WSUS Servers and Clients; Phase 4: Deploy; Deployment Scenarios; Configuring Prerequisites for WSUS 3.0; Installing and Configuring WSUS 3.0; Pointing Your Clients to the WSUS Server; The Bottom Line

Chapter 28 • File Shares Made Even Better: Windows SharePoint Services 3.0
Overview of Windows SharePoint Services; How Does WSS Work?; Prerequisites; Installing WSS V3; Loading IIS 7.5; Loading the .NET Framework; Loading WSS 3.0; Configuring Products and Technologies; Introducing Central Administration; SharePoint Website Provisioning; Creating a Web Application; Creating a Site Collection; Adding Sites to a Site Collection; Creating SharePoint Document Libraries; Creating a Document Library; Populating a Document Library; Managing SharePoint Documents; Document Metadata; Document Library Settings; Workflows; Accessing SharePoint Documents; Enforcing Security; Creating Useful Navigation; Updating Search Indexes; Using Alerts and RSS; Managing Information Rights; Advanced WSS Administration; Authentication Providers; Managing Features; Limiting Content; Integrating Client Software; Internet Explorer Integration; Office 2007 Application Integration; The Bottom Line

Chapter 29 • Server Virtualization with Hyper-V
What Is Server Virtualization?; What Use Is Server Virtualization?; What Do You Need to Get Started with Hyper-V?; The Hyper-V Feature Set; Installing the Host with a Virtual Machine; Installing and Configuring Hyper-V; Configuring a Virtual Machine; Installing a Virtual Machine; Understanding Hyper-V Architecture; The Hyper-V Parent Partition; Hyper-V Child Partitions; Security Design in Hyper-V; Using Virtual Disks; Virtual Disks and Their Controllers; Virtual Disk Types and When to Use Them; Adding a Disk to an Existing VM; Disk Maintenance; Time Travel with Snapshots; Using Virtual Networks; Understanding Virtual Switches; Connecting VMs to Virtual Switches; Managing Virtual Machines; Licensing Hyper-V Hosts and Their VMs; Moving VMs Around: Export and Import; Backing Up and Restoring Virtual Machines; Server Core and the Hyper-V Server; Moving VMs: Quick Migration and Live Migration; Malware Protection and Patching; Scripting Hyper-V; The Bottom Line

Chapter 30 • Advanced User Account Management and User Support
Experiencing the Flexible Desktop; Configuring Home Directories; Setting Up the Lab; Creating the Home Directories; Creating Home Directories: The Easy Way; Creating Home Directories: The Hard Way; Home Directory vs. Local Storage; Creating Roaming Profiles; Creating a Roaming Profiles Share: The Easy Way; Creating a Roaming Profiles Share: The Hard Way; Configuring Mandatory Profiles; Configuring Super Mandatory Profiles; Configuring a Default Network Profile; Managing Roaming Profiles; Machine Settings; User Settings; Redirecting Folders; Basic Folder Redirection; Advanced Folder Redirection; Managing Folder Redirection; Managing the Desktop Using Group Policy; Managing Users with Logon Scripts; User Access Control and Logon Scripts; Multiple Logon Scripts; Managing Logon Scripts with Group Policy; Managing Shutdown Tasks with Logoff Scripts; The Bottom Line

Appendix • The Bottom Line
Chapter 2: Installing and Upgrading to Windows Server 2008 R2
Chapter 3: The New Server: Introduction to Server Core
Chapter 4: Windows Server 2008 IPv4: What Has Changed?
Chapter 5: DNS and Naming in Server 2008 and Active Directory
Chapter 6: Creating the Simple AD: The One-Domain, One-Location AD
Chapter 7: Creating and Managing User Accounts
Chapter 8: Group Policy: AD's Gauntlet
Chapter 9: Active Directory Delegation
Chapter 10: Files, Folders, and Shares
Chapter 11: Creating and Managing Shared Folders
Chapter 12: SYSVOL: Old and New
Chapter 13: Sharing Printers on Windows Server 2008 R2 Networks
Chapter 14: Remote Server Administration
Chapter 15: Connecting Windows Clients to the Server
Chapter 16: Working the Web with IIS 7.0 and 7.5
Chapter 17: Watching Your System
Chapter 18: Windows Server 2008 R2 and Active Directory Backup and Maintenance
Chapter 19: Advanced IP: Routing with Windows
Chapter 20: Getting from the Office to the Road: VPNs
Chapter 21: Adding More Locations: Sites in Active Directory
Chapter 22: The Third DC: Understanding Read-Only Domain Controllers
Chapter 23: Creating Larger Active Directory Environments: Beyond One Domain
Chapter 24: Migrating, Merging, and Modifying Your Active Directory
Chapter 25: Installing, Using, and Administering Remote Desktop Services
Chapter 26: Connecting Mac OS X Clients
Chapter 27: Patch Management
Chapter 28: File Shares Made Even Better: Windows SharePoint Services 3.0
Chapter 29: Server Virtualization with Hyper-V
Chapter 30: Advanced User Account Management and User Support

Index

Introduction

Welcome to Mastering Windows Server 2008 R2! I've got to tell you, I haven't been this excited about a new version of Server since Windows 2000, almost 10 years ago. Why?
I guess because it feels fun. Yeah, that's the word—fun. Here's what I mean.

R2's 10-year-old older brother, Windows Server 2000, was neat because it was such a game-changer, an OS lushly festooned with completely new concepts and tools to get to know. Now, I've seen big operating system upgrades before, like DOS 2.0 in 1982, OS/2 2.0 in 1992, or Windows 3.0 in 1990, and in every case things seemed to work out the same way: first we get the holy-moley-there's-so-much-new-stuff thrill of discovery and newness, then we sit down and start using the thing, and then we find ourselves shaking our heads saying, "OK, this [fill in the new feature] is cool, but why did they leave this part of it out," or "OK, this is cool, but it, um, doesn't exactly work as advertised."

In every one of those cases, the OS's vendor released the next version, better known as "version 1.1." Sure, they didn't all actually have a ".1" in their version numbers—DOS 2.0's "1.1" was DOS 3.0—but all of the 1.1s shared the same basic trait in that they were the useful upgrade of the game-changers. People ran those better-fitting 1.1s (MS-DOS 3.x, Windows 3.1, and OS/2 2.1 in the three examples I cited) and liked them so much that two of their successors—DOS 4.0 and OS/2 Warp 3—sold nary a copy. In fact, Windows 3.1's successor, Windows 95, sold well because Windows 95 itself was also a paradigm shifter. But even in the case of Windows 95, its popularity was far outpaced by its 1.1, Windows 98, and again, consider how unwell Windows Millennium Edition (Windows 98's putative replacement) sold.

Version 1.1s offer more, however, than bushels of much-needed bug fixes. They tend to sport a handful of completely new features as well, such as DOS 3.x's support for larger drives, Windows 3.1's built-in multimedia capabilities (the birth of the Windows' "bonk!" error sounds, as well as Windows 98's USB support), and now Windows Server 2008 R2's AD Recycle Bin and a host of other things you'll read about in these pages. Beyond fixes and features, however, it's always seemed to me that the best part of a 1.1 is its "broken-in" feel, a sort of "um, sorry; this was the version that we meant to ship" air to the follow-on OS versions, which brings me back to why I like Server 2008 R2.

I'd argue that, in a sense, 2008 R2 is a "1.1" version not merely for Windows Server 2008, but indeed for Windows 2000 Server and Windows Server 2003. Why? Well, it seems like it's the first version of Server built since Windows NT 4.0 Server where the programmers actually got some time to look back at the previous version of Server and add a bit of that "broken-in" feel that I referred to earlier. I know that sounds odd, but as far as I can see, it's true. Server 2003 didn't get to be a decent 1.1 because Bill Gates realized in January 2002 that Microsoft's software needed a top-to-bottom overhaul to make it more secure, making it a year and half late and causing it to lack quite a number of asked-for features. Heck, Microsoft couldn't even come up with a name for it until the last minute—its moniker was "Windows .NET Server 2003" in all of its betas and release candidates. 2008 was delayed when the embarrassing Blaster worm, which appeared about four months after Windows Server 2003's debut, sort of demonstrated that 2002's security cleanup job wasn't entirely effective, and led to a major reexamination of the kernel in Windows Vista and its companion product, Windows Server 2008. Server 2008's rushed nature is evident in any number of places, but three jump to mind:

• Its arguably best new Active Directory feature, flexible password policies (which allow you to vary things like how often passwords have to be changed from person to person and from group to group within an AD domain) can't be accessed without donning AD "deep-diving" gear and working with the cryptic ADSI Edit tool.
• Its vastly improved new FTP server is indeed great, but it's not in the box in Server 2008; you've got to download it separately from a Microsoft site.
• Its enterprise-class server virtualization tool, Hyper-V Server, shipped with Server 2008 only as a beta and wasn't available in a finished version for another five months after 2008 released to the public.

WHAT ABOUT WINDOWS 2003 R2?
And before you ask, Windows Server 2003 R2 doesn't really count as a version of Server, much less a "1.1," because it was nothing more than Server 2003 SP1 with the new DFSR file replication service added.

So, how'd we get our first not-built-under-the-gun version of Server in nearly 10 years? Well, the main key to understanding this is in noticing that as of October 22, 2009, we got—for the first time in quite some time—two versions of Windows Server in less than two years. That hasn't been the case since the days of NT 3.x and NT 4, and we all know whom we can thank for this "bonus" version of Windows Server: Vista. Yup, in the end analysis, it was Vista's horrendous failure in the marketplace that made Microsoft decide to try to essentially "change the conversation" by taking advantage of the fact that two of the biggest objections voiced about Vista—"there are no drivers for Vista" and "Vista runs too slowly on my machine"—became largely insupportable with the passage of time, allowing them to make fairly small changes to Vista, rebrand it as "Windows 7," and release it. We Server folks can just be thankful that someone in Redmond decided, "Heck, as long as we're releasing a minor upgrade of the desktop OS, we may as well let the server guys do the same thing," which led to Windows Server 2008 R2. Without Vista, we might have been waiting until 2013 for new Server stuff to play with.

OH, AND BY THE WAY
Let me clarify that I'm not casting aspersions about Windows 7, because I liked Vista from the very beginning for its largely overlooked under-the-hood security- and reliability-enhancing kernel changes. History may show that Windows 7 will turn out to be one of the most successful 1.1s in operating system history.

Who Is The Book For?

Like every other book in this 15-year-plus series, we've aimed this book at people who need to know how to install, configure, maintain, and troubleshoot a Windows network. Readers of previous editions, however, may recall that the books were getting a bit too large, so we split our Server 2008 and R2 coverage into two books: a "networking novice" volume, Mastering Windows Server 2008 Networking Foundations, and this book.

Now, if you haven't read Networking Foundations, must you go out and get a copy? Well, it depends on how much you already know about networking, and Windows networking in particular. Before tackling this book, I strongly recommend that you be comfortable with these topic areas (all of which are covered in Networking Foundations):

• What does a computer network do?
• How does Windows security work in general? What are authentication and authorization, and how do they differ? What is a file permission?
• How do you install a Windows operating system?
• Do you have a basic working level of comfort with the Windows GUI and Microsoft Management Consoles (MMCs) in particular? The command line? Can you use regedit.exe to do basic registry editing? Can you partition and format hard drives in Windows?
• Do you know how to configure IP addresses on a Windows system? Can you set up a Dynamic Host Configuration Protocol (DHCP) server on a Windows system to provide automatic IP addresses to clients on a network? How do you set up Windows name services with Windows Internet Name Services (WINS) and Domain Name Service (DNS)?
Please don't tackle this book until you're comfortable with these Windows networking basics—the last thing we'd want would be for you to start reading and get immediately confused and frustrated. (After all, you could get confused and frustrated absolutely free of charge by reading most of the stuff on the Internet about Windows networking; why pay for it?)

What's Inside?

Chapter starts out with an overview of Windows Server 2008 and Windows Server 2008 R2 (let's henceforth abbreviate that "Server 2008/R2"), as well as a high-level look at why you'd want to upgrade to either of them, and Chapter shows you how to install them on your servers and how to begin to integrate them with your existing network, if you've got one. Chapter is actually a great example of R2's "1.1-ness," because Server 2008's setup routine is a new platform named Panther that makes installation and deployment quite easy and R2 installs with an updated Panther.

Veterans of Windows networking will expect Server 2008/R2 to look like other versions of Windows do, with a desktop, a Start menu, and a host of graphically based tools, but Server 2008 introduced a new option for Server installation called Server Core, a version of Server with no Start menu and a very limited GUI. Its great selling points are that it uses less CPU and RAM than the full versions of Server 2008/R2 and is easier to secure than them because there's less code to have to patch. (Not having to install Internet Explorer patches really thins out the "critical patch" list.) Chapter gets you started on Server Core, and I recommend that you spend time learning it.

Chapter looks at how IPv4 networking changes with 2008/R2, and Chapter does the same for DNS, answering the question, "How do I build a DNS infrastructure that is both secure and is also crafted to serve an Active Directory best?"
Speaking of AD, Chapter is the first chapter to address that essential Windows Server technology, with an explanation of how to build the most common, and simplest, type of Active Directory: one that contains just one domain and just one location. Even if you're going to build huge, globe-spanning ADs, this first look provides a necessary foundation, so don't skip it. Then, once you've got your AD up, you'll need to create and manage user accounts, and Chapter shows you how.

Once you've got a working AD in place, then it's time to get some payback from all your design and setup work, and the tool for that is Group Policy. The good news is that Group Policy is a great way to control 10 or 10,000 machines and user accounts centrally; the bad news is that Group Policy can be a mite complex—but Chapter helps on that score. The fourth AD-related chapter, Chapter 9, covers Active Directory delegation, a process that lets you create user accounts that are a bit more powerful than regular old users but not as all-powerful as a full-blown domain administrator, allowing you to fine-tune exactly how much power you give each user.

Chapter 10 starts out a three-part series on sharing files and folders in Windows Server. Chapter 10 covers the basics of sharing folders and files and using Windows' security to control who can get to particular files. Chapter 11 covers the Distributed File System or, as it's been renamed in the past few years, Distributed File System Namespaces (DFS-N), an overlay atop simple file sharing that combines multiple file shares into one unified, easy-to-understand unit for users and that lets you deploy multiple copies of those file shares around your company so that everyone can get local, high-speed access to those shares. Chapter 12 zooms in on the most important DFS/DFS-N-based file share of all, the SYSVOL share that every Active Directory domain controller can't live without; that chapter also covers how to accomplish an essential SYSVOL upgrade, which Server 2008 offers for the first time.

Many servers serve not only files but shared printers as well, and Chapter 13 shows you how to accomplish this with Server 2008/R2. Following that, Chapter 14 shows you how to maintain and control your servers remotely using a number of built-in technologies, including Remote Desktop, a Windows feature that got a lot of upgrades in Windows Server 2008 but that many folks don't know about, so don't miss that chapter.

By now, you've got some working servers (which is nice) but no clients to use those services (which makes the whole thing sort of pointless), so Chapter 15 shows you how to hook up the various varieties of Windows created in the past decade to a Windows Server 2008/R2 network. What's that you say? You've got a Mac? OK, then skip ahead to Chapter 26, and you'll get the skinny on getting Our Team to talk with Their Team. (Note that the previous sentence was cleverly crafted so that you can project whatever OS you like onto "our team" and "their team." When I was a kid, I always heard that it's a bad idea to discuss politics and religion, but in the past 15 years or so it seems that both of those topics are far safer than the "PC or Mac?" question.)

Chapter 16 gets you up and running with one of Windows' most complex Server add-ons, Microsoft's Internet Information Services (IIS), better known as the web server. You'll learn how to get IIS running, how to set up a simple website, and how to find your way around the all-new IIS management tools built into Server 2008/R2. By now, you'll have a lot of time invested in getting your server up and running, so you'll be ready for Chapters 17 and 18—monitoring your system's performance and backing it up. If you've ever worked with a pre-2008 version of Windows Server, then get ready, because everything that you thought you knew is unfortunately wrong. (Fortunately, however, Chapter 18 will remedy that.)
Chapter 19 discusses how a Server 2008/R2 system can facilitate IP routing, which may sound like an odd topic until you consider that you need to understand a bit of IP-routing-on-a-Windows-Server before you can tackle Chapter 20, which shows you how to use your Server 2008/R2 system to set up a virtual private network. Hey, why spend money for a VPN appliance when you've already got a working server that can do it for you? (Well, there are several possible reasons, but we'll cover those in that chapter.)

Now it's time to return to Active Directory and take on some more advanced AD topics with four chapters. Chapter 21 shows you how to add multilocation awareness to your AD with a look at sites, site links, and subnets, AD-style. And if you've got multiple sites, then you may have some sites that you might be a bit uneasy about installing a domain controller into—which is why Server 2008 introduced the idea of read-only domain controllers (RODCs); learn about them in Chapter 22. After that, it's time to consider when you'd need to complicate your AD a bit by adding one, two, or a hundred more domains to it, in Chapter 23. Mergers, acquisitions, or just plain old reorganizations may require you to reshape your AD in a manner that's not all that easy, unless you learn about domain migrations, SID histories, and trust relationships—as you will in Chapter 24.

Back in Chapter 14, we considered how Windows Terminal Services let us easily control a server from hundreds of miles away, but Terminal Services—which R2 renames as Remote Desktop Services—can do a lot more than that. Chapter 25 delves more deeply into how Terminal Ser... oops, sorry, let's try it again... Remote Desktop Services lets you easily roll out applications across your network.

For our last few chapters, we cover several mildly advanced topics. Chapter 27 shows you how to set up and manage Windows Server Update Services (WSUS) on one of your servers. WSUS handles one of those annoying but necessary jobs: keeping your systems patched. Chapter 28 helps you get started with a subsystem that was supposed to ship with Server 2008 but that instead makes you install it separately; I thought it was important enough that the book needed a chapter on it: Windows SharePoint Services. Why learn SharePoint? Well, there are lots of reasons, but here's the unexpected one for many people: it's a web server that does many of the things that a file server does, and Microsoft has made very clear that it's the way it's going to go in the future when it comes to delivering file services.

You've already read that Hyper-V is a pretty big thing in Windows Server 2008 and R2, so we can't call the book complete without a chapter on that topic—and we've got a very comprehensive one on it for you, Chapter 29. Even if you don't do virtualization, give this a look, because it'll help you understand the technology and issues in server virtualization, which is a must-know field. Finally, in Chapter 30, we'll return to user management, expanding our earlier discussion of user management that we began in Chapter into more advanced topics.

Stay Up-to-Date with My Free Newsletter

My coauthors and I have tried to cover as many of 2008 R2's good points and bad points, but we learn more as time goes on, and it'd be a shame for you to miss out on any of my additions to this volume. For the past decade, I've regularly put together a series of technical newsletters with tips I've recently learned, problems I've solved, and in-depth articles on things that somehow didn't ...