Chapter 13 Deploying Windows Server 2008 429 ■ On a lossy or congested network, if a single UDP fragment is lost, the whole UDP becomes useless. ■ The maximum data that can be transferred in is restricted by the maximum size of the UDP packet, which is 65,535 bytes. ■ Some network switches apply ACLs on the UDP fragments as well and might discard UDP fragments if the fragments match their ACL. TFTP in Windows Server 2008 Although the changes mentioned earlier in this sidebar do help to improve the download times, it was evident that we needed more for Windows Server 2008. So the WDS team added support for windowing in Windows Server 2008. The idea is that instead of the server sending one data packet and then waiting for acknowledgment from the client, the server now has a window of multiple data packets that are sent back- to-back without any acknowledgment from client. The client receives all data packets and then sends an acknowledgment. This mechanism also improves performance in high-latency networks. The number of packets the server should send without acknowledgment is configurable: 1. Go to the appropriate architecture directory, REMINST\Boot\<architecture>. 2. Use the BcdEdit.exe tool to add or edit the window size: BcdEdit -store default.bcd -set {68d9e51c-a129-4ee1-9725-2ab00a957daf} ramdisktftpwindowsize <window size> 3. Inform the WDS server that the configuration has changed so that it can apply the changes: sc control wdsserver 129 Best Practices Following is a list of best practices to follow when working with TFTP windowing: ■ Change one parameter at a time, and perform testing in a controlled environment to assess the impact. ■ If network switches in your environment enforce ACLs, set the block size to 1024 bytes and tweak the window size. –Asad Yaqoob Software Design Engineer, Windows Deployment Team 430 Introducing Windows Server 2008 EFI x64 Network Boot Support Finally, a third enhancement to Windows Deployment Services in Windows Server 2008 is the support for x64 EFI network boot. Extended Firmware Interface (EFI) is the next- generation firmware model and is likely to replace the legacy BIOS in the next few years. Overall, the enterprise hardware landscape is quickly moving toward EFI, particularly on x64 server hardware. Unfortunately, no network boot support for x64 EFI exists on Windows Server 2003—only IA64 hardware supports EFI for Windows Server 2003. And although the initial release of Windows Vista didn’t include x64 EFI support, future releases of this plat- form will likely do so. But Windows Server 2008 does include x64 EFI support, though it’s limited in scope to supporting basic network boots and has no support for architecture discovery, pending devices, or PXE referral. Still, it’s a good start, and it makes deploying Windows Server 2008 to x64 EFI hardware a reality today using Windows Deployment Services. Before we leave the topic of Windows Deployment Services, let’s hear once again from one of our experts, this time talking about how to upgrade your old RIS server to a Windows Deployment Server running Windows Server 2008: From the Experts: Upgrading Your Old RIS Server to a Windows Server 2008 WDS Server Windows Deployment Services is a replacement of the Remote Installation Services optional component in Windows Server 2003. However, the two services use different operating system image formats: RIS uses RIPREP and RISETUP images, while WDS uses WIM images, as found on the Windows Vista and Windows Server 2008 DVDs. Because of this, a Windows Server 2003 server running RIS cannot be directly upgraded to a Windows Server 2008 server—the data in these images would be lost. The upgrade path, therefore, requires the following process to be completed: 1. Update RIS to WDS. There are two ways to do this: either apply Service Pack 2 to the server, or install the hotfix update included in the Windows AIK. Speaking of which… 2. Install the Windows AIK. It contains necessary support files for image conversion. 3. Update the path environment variable to include the Windows AIK install directory. 4. Initialize the WDS server. This can be done either through the WDS MMC Wizard or by running WDSUTIL /Initialize-Server /RemInst:D:\RemoteInstall, where D:\RemoteInstall is the path to the REMINST shared directory used by RIS. This places the server into Mixed Mode. Chapter 13 Deploying Windows Server 2008 431 5. Convert the RIS images to WIM. There are two ways to do this: ❑ Deploy them to a reference PC, run sysprep to generalize them, and then use the WDS Capture tool to capture them as a WIM and upload them to the WDS server. ❑ Convert them offline on the WDS server. To do this from the WDS MMC, open the Legacy Images node on the server, right-click on an image, and select Convert To WIM. Alternatively, at a command prompt, run WDSUTIL /Convert-RIPREPImage /FilePath:<path1> /DestinationImage /FilePath:<path2>, where <path1> is the full path to the riprep.sif file and <path2> is the full path and file name of the new WIM file. Note that offline conversion works only on RIPREP images, not on RISETUP images. 6. Force the server into Native mode by running WDSUTIL /Set-Server /ForceNative. 7. Upgrade the server to Windows Server 2008. –Jez Sadler Program Manager, Windows Deployment Team Solution Accelerator for Windows Server Deployment If you’ve begun deploying Windows Vista within your organization, you’ve probably been using the Microsoft Solution Accelerator for Business Desktop Deployment (BDD) 2007, a set of comprehensive guidance and tools from Microsoft that you can use to optimally deploy Windows Vista and the 2007 Office system. BDD 2007 is the deployment story Microsoft has for Windows Vista, so it make sense that Microsoft is also developing a similar story for the Windows Server 2008 platform. The Microsoft Solution Accelerator for Windows Server Deployment will provide role-based deployment and purposing of Windows Server 2008 servers through automation tools and guidance. The Solution Accelerator for Windows Server Deployment will leverage the Microsoft System Center Configuration Manager 2007 Operat- ing System Deployment (OSD) Package and the Microsoft Systems Management Server V4 Task Sequencer for its infrastructure. Core deployment scenarios for using the Solution Accelerator for Windows Server Deployment include performing clean installs of Windows Server 2008 using Lite Touch Installation (LTI) and Zero Touch Installation (ZTI), upgrading Windows Server 2003 to Windows Server 2008 using LTI and ZTI, and performing clean installs of Windows Server 2003 using LTI and ZTI. In addition, current plans are for you to be able to deploy Windows Server 2008 with a subset of available roles, including the AD, DNS, DCHP, File and Print, and IIS roles. All I can say is this: if BDD is terrific, then the Solution Accelerator for Windows Server Deployment will likely be absolutely outstanding and will end up being the best-practice solu- tion for deploying Windows Server 2008 for mid- and large-sized organizations. So stay tuned! 432 Introducing Windows Server 2008 Understanding Volume Activation 2.0 Finally, it’s not enough to deploy Windows Server 2008—you also have to ensure that the product is properly licensed and activated. Microsoft products sold through OEM, retail, and Volume Licensing channels now include product activation technology to reduce software piracy and ensure that your copies of the products are genuine. Windows Server 2008 uses the same type of activation that was first introduced in Windows Vista—namely, Volume Acti- vation (VA) 2.0. (Previous versions of Microsoft operating systems such as Windows XP and Windows Server 2003 use VA 1.0.) VA 2.0 uses two types of keys: ■ Multiple Activation Keys (MAKs) In this scenario, your product keys activate either individual computers or a group of computers by connecting over the Internet to special servers at Microsoft. (You can also activate your computers by telephone if needed.) MAKs can be used only a limited number of times, though the activation limit can be increased by calling your Microsoft Activation Center. Computers running Windows Vista or Windows Server 2008 can be activated with a MAK either by having each com- puter connect directly to Microsoft servers (something called individual activation) or by having multiple computers activated simultaneously using a single connection to Microsoft (called proxy activation, which is similar to how VA 1.0 works). ■ Key Management Service (KMS) In this scenario, your organization hosts its own internal KMS running on Windows Server 2008, Windows Vista, or Windows Server 2003. This KMS is used to automatically activate Windows Vista and Windows Server 2008. Computers that have been activated using KMS are required to reactivate by connecting to your KMS host at least once every six months. VA 2.0 has been modified and enhanced in Windows Server 2008 in several ways: ■ Windows Server 2008 currently requires only a KMS count of 5 to activate, compared with the 25 required for Windows Vista activation. (This behavior might change before RTM, however.) ■ There are multiple KMS keys and a new Hierarchical KMS activation structure. These are described by one of our experts in the sidebar that follows. From the Experts: Volume Activation 2.0 and Windows Server 2008 The following sidebar explains Volume Activation 2.0 in Windows Server 2008 and provides technical insight and recommendations for deploying a VA 2.0 solution. Knowledge and Strategies for a Successful Deployment Volume Activation 2.0 is a solution that helps IT Pros automate and manage the activation of volume editions of Windows Vista and Windows Server 2008. Product acti- vation is a new requirement for each installed system covered under a Volume License Chapter 13 Deploying Windows Server 2008 433 agreement. Using volume activation can greatly speed up and simplify the deployment process, but it requires some planning up front. There are multiple activation methods available, and they use two types of customer- specific keys—namely, Multiple Activation Key (MAK) and the Key Management Service (KMS). A MAK is a product key that can be installed on multiple computers and that acti- vates a predefined number of times. Each MAK-activated computer must independently activate by phone or over the Internet, or be proxy activated over the Internet using the Volume Activation Management Tool (VAMT) found at http://go.microsoft.com/fwlink/ ?LinkID=77533. It should be noted that an update to VAMT will be required at Windows Server 2008 RTM for VAMT to function with Windows Server 2008 Volume Licensing. VAMT is currently available for use with Vista Volume Licensing at the link just mentioned. The alternative method—KMS activation—is often the least understood aspect of VA 2.0. KMS is a trusted mechanism that, once the KMS host is activated, allows volume client computers within the enterprise to activate themselves without any interactions with Microsoft. The following section describes KMS functionality and strategies that can ensure a successful Windows Server 2008 KMS deployment. For a complete description of Volume Activation 2.0, including both MAK and KMS activation, see the “Windows Vista Volume Activation 2.0 Step-by-Step Guide” found at http://go.microsoft.com/fwlink/?LinkID=76704. Volume Licensing Changes Windows Vista introduced VA 2.0, which represents a significant change from previous Volume Licensing (VL) solutions. Windows Server 2008 includes several changes and refinements in the implementation of VA 2.0. Under VA 2.0, volume clients do not need a product key during installation. By default, VL editions of Windows Server 2008 and Windows Vista install as KMS clients. With a properly configured KMS infrastructure, these clients automatically discover the KMS hosts on the network and activate them- selves without administrative or user intervention. This can equate to a huge deployment savings, both in time and effort. However, organizations must also secure their KMS hosts from a public access point to comply with Microsoft product usage policies. An important concept to understand about KMS activation is that the KMS returns only a count to the KMS clients. The client reads the count and decides whether or not the count is high enough for the client to activate. As of this writing, Windows Server 2008 KMS clients will activate if the count is 5 or higher. Windows Vista KMS clients require a count of 25. There are many editions of Windows Server 2008. To simplify these for the purpose of Volume Licensing, they have been combined into three product groups: Group_A, Group_B, and Group_C. Product Group A includes Storage Server, Web Server, and Compute Cluster Editions. Product Group B includes Storage Server Enterprise and 434 Introducing Windows Server 2008 Windows Server 2008 Standard and Enterprise Editions. Product Group C includes Datacenter and Itanium Editions. MAK and KMS keys are associated with each product group. This is illustrated in Table 13-1. Specific attention should be paid to this key matrix to ensure that the proper keys are used so that all deployed systems will activate properly. Note that Windows Server 2008 Storage Server editions can be activated by KMS, but they cannot host KMS. The volume keys available for Windows Server 2008 follow the product grouping. For MAK, this is fairly intuitive, as shown in Table 13-2. To ensure that organizations don’t need multiple KMS hosts to support the deployment of mixed Windows Server 2008 editions, KMS activation of Windows Server 2008 fol- lows a hierarchical structure. Each successive product group can activate all the groups below it, and the KMS can be hosted on any edition that it can activate. Additionally, Windows Server 2008 KMS keys can be used with KMS for Windows Server 2003. Installing Windows Server 2008 keys in KMS for Windows Server 2003 requires an update at Windows Server 2008 RTM. Ta b l e 1 3 - 1 Product Groups and Server Editions for Windows Server 2008 Product group Server editions Group A Storage Server Web Server Compute Cluster Group B Storage Server Enterprise Standard Enterprise Group C Datacenter Itanium Ta b l e 1 3 - 2 MAK Keys Available for Windows Server 2008 Product group MAK used to activate Group A MAK_A Group B MAK_B Group C MAK_C Chapter 13 Deploying Windows Server 2008 435 As detailed in Table 13-3, a KMS_A key can activate only product Group A and Windows Vista. A KMS_C key, on the other hand, can activate all three Windows Server 2008 product groups and Windows Vista. This same KMS_C key can be hosted on any edition of Windows Server 2008 listed in the three product groups, as well as on KMS for Windows Server 2003. Table 13-3 lists the KMS keys, the OS editions that can host a given KMS, and the KMS clients that key can activate. Ta b l e 1 3 - 3 KMS Keys vs. Supported Hosts and Clients Activated KMS key Hosts that support this KMS key KMS clients activated by this key Vista KMS keys KMS for Windows Server 2003 Windows Vista Windows Vista KMS_A KMS for Windows Server 2003 Windows Server 2008 Web Server Windows Server 2008 Compute Cluster Windows Vista Windows Server 2008 Storage Server Windows Server 2008 Web Server Windows Server 2008 Compute Cluster KMS_B KMS for Windows Server 2003 Windows Server 2008 Web Server Windows Server 2008 Compute Cluster Windows Server 2008 Standard Edition Windows Server 2008 Enterprise Edition Windows Vista Windows Server 2008 Storage Server Windows Server 2008 Storage Server Enterprise Windows Server 2008 Web Server Windows Server 2008 Compute Cluster Windows Server 2008 Standard Edition Windows Server 2008 Enterprise Edition KMS_C KMS for Windows Server 2003 Windows Server 2008 Web Server Windows Server 2008 Compute Cluster Windows Server 2008 Standard Edition Windows Server 2008 Enterprise Edition Windows Server 2008 Datacenter Windows Server 2008 Server Itanium Windows Vista Windows Server 2008 Storage Server Windows Server 2008 Storage Server Enterprise Windows Server 2008 Web Server Windows Server 2008 Compute Cluster Windows Server 2008 Standard Edition Windows Server 2008 Enterprise Edition Windows Server 2008 Datacenter Windows Server 2008 Server Itanium 436 Introducing Windows Server 2008 Always use the highest KMS key available to your organization. This ensures that the later installations of Windows Server 2008 KMS clients will be able to activate. If you later purchase a license from a higher product group, install that KMS key on the exist- ing KMS hosts using slmgr /ipk <KMS Key> and then reactivate the KMS with Microsoft (by Internet or telephone). This process replaces the lower KMS key. KMS clients will pick up the new key the next time they renew their activation. KMS Auto-Discovery To get the greatest value from volume activation, KMS auto-publishing and KMS auto- discovery should be used as much as possible. This requires a working understanding of KMS interaction with DNS. KMS clients query DNS automatically to locate KMS hosts, looking specifically for SRV records named _VLMCS._TCP. These SRV records identify KMS hosts on the network. When a KMS key is installed on a KMS host, the host publishes an SRV record to the DNS zone identified in its Primary DNS Suffix (by default). (This requires Dynamic DNS, and the host must have write permissions. This is discussed in depth in the “Windows Vista Volume Activation 2.0 Step-by-Step Guide” mentioned earlier.) However, a KMS host can be configured to publish to multiple domains by listing the domains in the following registry key. If you use this approach, make sure that all desired zones are listed—setting this value overrides the default publishing behavior: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL Value Name: DnsDomainPublishList Type: REG_MULTI_SZ When a KMS client successfully contacts a KMS, the KMS host name is cached in the registry. As shown in Figure 13-1, when a KMS client attempts to activate or renew its activation, it first checks the registry for a cached KMS host. If no name is cached or if an activation attempt against a cached KMS host fails, the client queries the DNS zone specified in the Primary DNS Suffix. If no KMS SRV records are found or if the Primary DNS Suffix is empty, the KMS client determines whether or not the system is domain joined. KMS clients joined to an Active Directory domain query the DNS zone specified by Active Directory. Non-domain-joined computers query the DNS Suffix specified by DHCP Option 15. If no KMS SRV records are found, the KMS client attempts to activate again in two hours by default. Chapter 13 Deploying Windows Server 2008 437 Figure 13-1 KMS auto-discovery algorithm No Does the Registry list a KMS host? Query the DNS Domain specified by the Primary DNS Suffix for an SRV record Was an SRV record for KMS found? Contact KMS host for activation Yes Was an SRV record for KMS found? No Is this computer in a Workgroup or a domain? Workgroup Query the DNS domain specified by DHCP Option 15 for an SRV record No Retry according to the Activation Interval- 2 hours by default Contact KMS host for activation Yes Query the DNS domain specified by Active Directory for an SRV record Domain Contact KMS host for activation Yes 438 Introducing Windows Server 2008 KMS Deployment Strategies By understanding the KMS auto-discovery process and your DNS architecture, you can better plan the deployment of KMS hosts and minimize KMS client issues. Following these steps and using the KMS ability to publish to multiple domains should ensure that KMS clients can locate your KMS hosts and activate without further administrative interaction: 1. Primary DNS Suffix One of the following steps will be appropriate for your deployment: ❑ If a Primary DNS Suffix exists on your volume clients, ensure that a KMS exists in the specified DNS zone. ❑ If the KMS cannot be placed in the zone specified by the Primary DNS Suffix, ensure a KMS SRV record is published in that DNS zone. 2. DHCP Ensure that Option 15 in all DHCP servers contains a DNS zone in which a KMS SRV record is published. 3. Active Directory If Active Directory exists in the organization, ensure that a KMS SRV record exists in the AD domain. 4. Network Access KMS clients contact the KMS using RPC over TCP. By default, the clients use Port 1688, but this is configurable. When planning the activation infra- structure, remember that not only do the clients need to find the KMS, they must be able to communicate with it and receive its response. Summary Windows Server 2008 and Windows Vista deployments can be simplified by creating an effective KMS infrastructure. Use the KMS key for the highest Windows Server 2008 product group you have licensed, and upgrade your KMS if you purchase a Volume License for a higher product group. This ensures that your high-end servers can activate. Take the time to fully understand KMS auto-discovery; this is the most important step in this process. In Windows Vista and Windows Server 2008, multilevel name searches do not use the DNS Suffix search list. Therefore, properly positioning the KMS SRV resource records in DNS is critical to a successful KMS client deployment. Finally, though it has not been described previously in this sidebar, always monitor your deployment for issues. Confirm that KMS SRV records exist in each identified DNS zone. Make sure that the volume clients in each subnet and site can locate the KMS and successfully contact it. Use the activation-related tools and methods described in the “Windows Vista Volume Activation 2.0 Step-by-Step Guide,” including the remote WMI functionality built into slmgr.vbs. Use VAMT, SMS-SP3, and the KMS Management Pack for MOM 2005 found at http://go.microsoft.com/fwlink/?LinkID=83216. [...]... http://www .microsoft. com/learning/books /windows/ longhorn/ ■ Windows Server 2008 Resource Kit ■ Windows Server 2008 Virtualization Resource Kit ■ Windows Server 2008 Security Resource Kit ■ Windows Administration Resource Kit: Productivity Solutions for IT Professionals ■ Windows Server 2008 Active Directory Resource Kit ■ Internet Information Services (IIS) 7.0 Resource Kit ■ Windows Server 2008 Administrator’s Companion ■ Windows Server. .. 441 442 Introducing Windows Server 2008 Microsoft Windows Server TechCenter Microsoft Windows Server TechCenter is the place for you to connect with Windows Server related resources within Microsoft and the broader Windows Server community I’ve been told by internal teams that the TechCenter home page for Windows Server 2008 will initially be located at http://www .microsoft. com/technet/windowsserver/longhorn/default.mspx... at http://www .microsoft. com/ technet/traincert/virtuallab/default.mspx for learning about Windows Server 2008: ■ Microsoft Windows Server “Longhorn” Server Core Virtual Lab ■ Microsoft Windows Server “Longhorn” Server Manager Virtual Lab ■ Microsoft Windows Server “Longhorn” Terminal Services Gateway and Remote Programs Virtual Lab ■ Windows Vista: Managing Windows Longhorn Server and Windows Vista... Server 2008 TCP/IP Protocols and Services ■ Windows Server 2008 Terminal Services ■ Windows Server 2008 Networking Guide ■ Understanding IPv6, Second Edition ■ Microsoft Group Policy Guide, Second Edition ■ Windows Server 2008 Administrator’s Pocket Consultant ■ Windows Server 2008 Inside Out ■ Internet Information Services (IIS) 7.0 Administrator’s Pocket Consultant Chapter 14 Additional Resources ■ Microsoft. .. Guide ■ Microsoft Windows Server “Longhorn” Storage Manager for SANs Step-by-Step Guide ■ Windows Server “Longhorn” Terminal Services Remote Programs Step-by-Step Guide ■ Windows Server “Longhorn” TS Gateway Server Step-by-Step Setup Guide ■ Windows Server “Longhorn” Release TS Licensing Step-by-Step Setup Guide ■ Windows Server “Longhorn” Windows Deployment Services Step-by-Step Guide ■ Microsoft Windows. .. aspects of Windows Server 2008 (and they’re ordered roughly in the same order as features are presented in this book): ■ Introducing Windows Server Code-Named “Longhorn” (Level 200) ■ Ten Reasons to Prepare for Windows Server Code-Named “Longhorn” (Level 200) ■ Windows Server “Longhorn” and Windows Vista: Better Together (Level 200) ■ Understanding Windows Hypervisor and Virtualization in Windows Server. .. migrating from Windows Server 2003 to Windows Server 2008, 273 Network Load Balancing as form of, 252 new quorum model, 254 to 256 overview, 251 providing high availability for file servers, 269 to 273 server clusters, 252 storage enhancements in Windows Server 2008, 256 to 257 troubleshooting, 273 to 274 validating solutions, 261 to 266 Windows server core installation support, 146 Windows Server Virtualization... Guide ■ Windows Server “Longhorn” Performance and Reliability Monitoring Step-by-Step Guide ■ Step-by-Step Guide for Planning, Deploying, and Using a Windows Server “Longhorn” Read-Only Domain Controller ■ Microsoft Windows Server “Longhorn” Print Management Step-by-Step Guide ■ Windows Server “Longhorn” Restartable Active Directory Step-by-Step Guide ■ Microsoft Windows Server Code Name “Longhorn” Server. .. for Windows Server 2008 is currently found at http://www .microsoft. com/windowsserver/longhorn As of Beta 3, it will include an updated product overview, a more comprehensive features list, links to where you can get the Beta 3 eval bits, TechCenter, and more The goal of the product site is to help build awareness of Windows Server 2008 among Microsoft customers, so start there if Windows Server 2008. .. updated for each successive release of Windows Server 2008 And second, I wrote this chapter just before the Beta 3 release of Windows Server 2008 as a result, some of the main Web sites such as the Windows Server 2008 home page and the Windows Server 2008 section on TechNet were still in their preliminary form and had limited content I’ve been told by various teams inside Microsoft, however, that as of Beta . Storage Server Windows Server 2008 Web Server Windows Server 2008 Compute Cluster KMS_B KMS for Windows Server 2003 Windows Server 2008 Web Server Windows Server 2008 Compute Cluster Windows Server. 2008 Storage Server Windows Server 2008 Storage Server Enterprise Windows Server 2008 Web Server Windows Server 2008 Compute Cluster Windows Server 2008 Standard Edition Windows Server 2008. Server 2008 Standard Edition Windows Server 2008 Enterprise Edition Windows Vista Windows Server 2008 Storage Server Windows Server 2008 Storage Server Enterprise Windows Server 2008 Web Server Windows