Introducing Windows Deployment Services 63

EXERCISE 2.5 (continued)

7. Enter Peter as the first name. Enter Parker as the last name. Enter PeterParker as the logon name. Your display should look similar to the following graphic. Click Next.

8. Enter P@ssw0rd in the Password and Confirm Password boxes. Deselect User Must Change Password at Next Logon. Click Next. Review the information you've entered, and click Finish.

9. Double-click the Peter Parker account to open the properties page. Select the Member Of tab. Click Add.

10. In the Select Groups dialog box, enter G_ITAdmins. This is the group you created earlier in this exercise. Click OK. On the properties page, click OK again. At this point, you have created an account and added that account to the G_ITAdmins group. Any permissions granted to the G_ITAdmins group will be granted to the Peter Parker user account. Your display should look similar to the following graphic.

11. If it's not already launched, launch Windows Deployment Services by clicking Start → Administrative Tools → Windows Deployment Services.

12. Within WDS, browse to the Install Images → IISServers container.

93157c02.indd 63 8/11/08 1:09:19 PM

64 Chapter 2 Planning Server Deployments

13. Right-click the IISServers image group, and select Security. Your goal is to remove the Authenticated Users group from accessing the IISServers image group. However, these permissions are inherited, so you must first disable inheritance.

14. Click Advanced. Deselect the Include Inheritable Permissions from This Object's Parent check box. In the Windows Security dialog box, review the information, and click Copy. This will copy all the inherited permissions to this object but allow them to be manipulated. Click OK. Modifying inherited permissions works the same way in the Windows Deployment Services console (as we're doing in this step) as it does in NTFS. As a matter of fact, the dialog boxes are identical.
Inherited permissions can't be modified unless you change their behavior. The three choices are as follows:

- Copy (changes the permissions from inherited to explicit so that they can be modified)
- Remove (removes all inherited permissions)
- Cancel (makes no changes)

15. Select the Authenticated Users group, and click Remove. Click OK. Removing the Authenticated Users group will prevent any user who is not granted access by another entry from accessing the images in the IISServers image group.

16. Click Add, enter G_ITAdmins, and click OK. By default, the Read & Execute, List Folder Contents, and Read permissions are granted. This will be enough to allow users in the G_ITAdmins group to access and deploy images through WDS. Your display should look similar to the following graphic. Click OK. At this point, only users in the G_ITAdmins group (apart from any other entries you left in place when you copied the inherited permissions) will be able to see and pick images located in the IISServers image group.

Deploying a Computer Image

With images created, you now need to deploy the image. Remember, the destination computer must be a PXE client (meaning it can boot from the NIC to the LAN). WDS does not provide any capability to partition a hard drive. If partitions are desired, you can use DiskPart to partition the hard drive before the installation.

The PXE client will first locate the DHCP server and receive TCP/IP configuration information such as the IP address and subnet mask, and then it will contact the WDS server. Once WDS is contacted, the computer's identity will be checked. The computer could be known or unknown, and depending on how the WDS server is configured, the WDS server could answer the computer or ignore it. A computer is known if it is prestaged in Active Directory Domain Services with its GUID. You'll see how to do this in the next section. Additionally, WDS can be configured so that an administrator is notified when an unknown computer connects.
The computer will be listed as a pending device, and the administrator can then approve or reject the computer, either allowing or disallowing the computer to download an image.

If WDS answers the computer, the user will be presented with a list of possible boot images that can be chosen from a command-line menu. These images download and start only the boot program, which provides a GUI interface. Once the boot program and the GUI are launched, the user will be able to log in to the domain. The user will then be given a choice of install images from which to choose. Only images that the user has permissions to install will appear.

Prestaging Computers

A prestaged computer has been created in Active Directory before the PXE-boot session is started. WDS identifies prestaged computers by using a globally unique identifier (GUID). PXE clients include GUIDs. These are sometimes included on a sticker on the case of the computer, sometimes inside the case, and sometimes in the BIOS. It is a 32-character hexadecimal code. Once you locate the GUID, you can create the account in Active Directory and use it to prestage the computer.

To prestage the computer, launch Active Directory Users and Computers. Right-click the container or organizational unit you want to add the computer to, and select New → Computer. Enter the computer name, and click Next. In the Managed dialog box, select This Is a Managed Computer, and enter the computer's GUID. Figure 2.2 shows a computer being added with the GUID entered.

Managing Devices

When configuring the WDS server to respond to clients, you have three choices:

- Do not respond to any clients.
- Respond only to known clients.
- Respond to all (known and unknown) client computers.

You can also select the option to allow administrators to approve unknown clients. Figure 2.3 shows these choices.
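Both decisions made so far, who may see the images in the IISServers group and which machines the server answers at all, can be made from the command line, and a script keeps them together and repeatable. The following is an added example written for this page, not code from the book. Part 1 repeats steps 13 to 16 of Exercise 2.5 by writing a security descriptor to the image group with WDSUTIL; part 2 prestages a client by its GUID and sets the answer policy described under Prestaging Computers and Managing Devices. It runs on the WDS server as a domain administrator. The domain MCITP and the group G_ITAdmins are the chapter's names; the computer name, the GUID, the OU and the exact wdsutil switch spellings (taken from wdsutil /?) are assumptions.

```powershell
# Added example (not from the book): the access-control side of the chapter's WDS
# setup, done from the command line. Part 1 = Exercise 2.5 steps 13-16 (restrict the
# IISServers image group to G_ITAdmins). Part 2 = prestage a client by GUID and set
# the answer policy (Prestaging Computers / Managing Devices). The domain, OU,
# computer name and GUID are made-up values.
param(
    [string]$ImageGroup   = 'IISServers',
    [string]$AdminGroup   = 'MCITP\G_ITAdmins',
    [string]$ComputerName = 'IIS1',
    [string]$DeviceId     = '4C4C4544-0031-4210-8052-B7C04F573031',   # made-up UUID
    [string]$OU           = 'OU=Servers,DC=mcitp,DC=com'               # assumed OU
)

# Every wdsutil call goes through here so a non-zero exit code stops the script.
function Invoke-Wdsutil([string[]]$Arguments) {
    $out = & wdsutil.exe $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "wdsutil $($Arguments[0]) failed ($LASTEXITCODE): $out" }
    return $out
}

# ---- Part 1: image group security (Exercise 2.5, steps 13-16) -------------------
# SDDL needs SIDs (or well-known aliases such as BA/SY), so resolve the group first.
$adminSid = ([System.Security.Principal.NTAccount]$AdminGroup).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value

# D:P       protected DACL: inheritance from the parent is off (step 14, "Copy" then edit)
# BA / SY   Administrators and SYSTEM keep Full Control (the ACEs the copy brought along)
# 0x1200a9  Read & Execute (FILE_GENERIC_READ | FILE_GENERIC_EXECUTE) for G_ITAdmins (step 16)
# Authenticated Users simply has no ACE any more (step 15).
$sddl = "D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;$adminSid)"

# Make sure the string is well formed and really drops Authenticated Users before
# handing it to WDS; a typo here would silently leave the images exposed.
$probe = New-Object System.Security.AccessControl.DirectorySecurity
$probe.SetSecurityDescriptorSddlForm($sddl)
if ($probe.Access | Where-Object { $_.IdentityReference -match 'Authenticated Users' }) {
    throw 'Authenticated Users is still present in the DACL'
}

Invoke-Wdsutil '/Set-ImageGroup', "/ImageGroup:$ImageGroup", "/Security:$sddl"
Invoke-Wdsutil '/Get-ImageGroup', "/ImageGroup:$ImageGroup", '/Detailed'

# ---- Part 2: known clients and the answer policy ---------------------------------
# WDS identifies a device by its 32-hex-digit UUID or its 12-hex-digit MAC address.
# Some OEM boards ship a non-unique UUID (all zeros or all Fs); use the MAC for those.
function Test-WdsDeviceId([string]$Id) {
    $hex = $Id -replace '[-:]', ''
    if ($hex -notmatch '^([0-9A-Fa-f]{32}|[0-9A-Fa-f]{12})$') { return $false }
    return ($hex -notmatch '^(.)\1+$')
}
if (-not (Test-WdsDeviceId $DeviceId)) { throw "Unusable device ID: $DeviceId" }

# Prestage: create the computer account with its GUID, the command-line equivalent
# of "This is a managed computer" in ADUC (Figure 2.2).
Invoke-Wdsutil '/Add-Device', "/Device:$ComputerName", "/ID:$DeviceId", "/OU:$OU"

# Answer policy (the choices in Figure 2.3): None, Known or All. With Known, a
# client that is not prestaged is ignored, which is the safe setting until every
# image group's security has been reviewed as in part 1.
Invoke-Wdsutil '/Set-Server', '/AnswerClients:Known'

# Alternative that answers everyone but holds unknown machines for approval
# (the Pending Devices container):
#   wdsutil /Set-Server /AnswerClients:All
#   wdsutil /Set-Server /AutoAddPolicy /Policy:AdminApproval
#   wdsutil /Get-AutoAddDevices /DeviceType:PendingDevices
#   wdsutil /Approve-AutoAddDevices /RequestId:<id> /MachineName:IIS2   (Name and Approve)
#   wdsutil /Reject-AutoAddDevices /RequestId:<id>

# Verify the device is now known to WDS.
Invoke-Wdsutil '/Get-Device', "/Device:$ComputerName"
```

The order matters: lock down the image group before switching the answer policy to All, because any client that is answered can log on as an ordinary domain user and will see every image group that still grants Authenticated Users read access.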
FIGURE 2.2 Creating a prestaged computer in ADUC

FIGURE 2.3 Configuring the WDS server to respond to clients

Before you have fully configured WDS, it's a good idea to set it so that it does not respond to any clients. If set this way, the WDS server won't respond to the client at all. You'll never get to the menu that allows you to press F12 the second time.

Known clients are those that have been prestaged in Active Directory, as demonstrated in the previous section. If properly prestaged, everything works without any other action.

If you've selected the option to allow administrators to approve unknown clients, then after pressing F12 the first time, the WDS server will answer. However, instead of downloading the boot image, it will indicate that it's waiting for a response from the administrator.

The unknown client will appear in the Pending Devices container within WDS, as shown in Figure 2.4. The administrator can then right-click the client and approve it. It's also possible for the administrator to select Name and Approve, which creates a computer account in Active Directory based on the name the administrator chooses.

FIGURE 2.4 Approving an unknown client

As soon as the client is approved, the client will be prompted to press F12 again to start the download of the boot image. From here on, the deployment of the image is as usual. Exercise 2.6 shows how to deploy an image to a client computer.

EXERCISE 2.6 Deploying an Image

1. Boot a PXE-enabled computer, and press F12 to start a network boot. The computer will obtain TCP/IP information from DHCP. Note that if your PXE client boots to an installed operating system instead of the NIC, you'll need to enter the BIOS to change the boot order.

2. When prompted, press F12 again.
This will launch the Windows Boot Manager menu and display any boot images available on the WDS server.

3. If prompted, select a boot image from the menu. This will launch the boot program, which is a graphical user interface.

4. On the Windows Deployment Services menu, select your locale and keyboard or input method, and click Next.

5. On the login screen, enter the username and password of a user. The permissions and group membership of this user will determine which images are viewable.

6. Enter MCITP\PeterParker as the username. If your domain is something different from MCITP, then enter your domain name followed by a backslash and then PeterParker (the user created earlier and added to the G_ITAdmins group).

7. Enter the password of P@ssw0rd, and click OK.

8. Accept the defaults, and click Next.

9. On the Operating System page, you will be presented with a listing of images from which you can choose. Select one of the operating systems, and click Next. If you had saved the IIS server image, you would be able to choose it from this menu. Note that the user you logged on as is a member of the Authenticated Users group. The default permissions for image groups grant access to authenticated users. Unless this was changed in other groups, the user will be able to see all images in all image groups. The difference at this point is that users who are not in the G_ITAdmins group will not be able to see images in the IISServers image group, since the permissions on that group have been changed.

10. On the Where Do You Want to Install Windows page, choose a partition, and click Next. On the warning screen, click OK. Your computer will connect with the WDS server and download the image.

Multicast Transmissions

Deploying an image to one or many computers can take a lot of bandwidth.
Depending on what else is going on in your network, the extra bandwidth taken up by WDS may be unacceptable. Using a multicast transmission allows you to send only one transmission that is received by multiple computers at the same time. The destination computers need to join a multicast group, and then when the multicast transmission begins, the image will be sent to all computers in the group.

When configuring multicast transmissions, you need to consider your network layout. For example, some routers won't pass multicast transmissions automatically. Additionally, doing a multicast transmission in some segments of your network may significantly load down the network.

Two choices for multicast transmissions are automatic (auto-cast) and scheduled (scheduled-cast).

Automatic Multicast (Auto-Cast) Transmissions

An automatic multicast transmission will automatically begin after the first client has connected. Then as additional clients connect, they join the transmission that has already started. Even though a client may have missed part of the transmission, it will still get the full transmission. You can think of auto-cast as an "always-on" transmission, though it will transmit only when clients are connected.

A significant benefit of auto-cast is that even though multiple clients may be connected, the server is sending only one stream, which takes less bandwidth. Compare this to five different clients each connecting to WDS to download an install image by unicast; in that case the WDS server will actually be sending five different transmissions.

Scheduled Multicast (Scheduled-Cast) Transmissions

Scheduled multicast transmissions can be started based on two criteria: how many clients have connected or the time of day. By specifying a threshold of connected clients, you can tell the server when to start the multicast transmission. For example, you may have nine servers that need a copy of an image.
You set up the multicast transmission and specify 9 as the threshold. When the ninth client connects, the multicast begins.

Scheduled transmissions can be very useful when WDS is in one location and the clients are located elsewhere. You can set up WDS and then go to the clients. After all the clients have connected, the transmission will start automatically. You don't have to return to the WDS server to start the process.

Once a client connects to the server (before the threshold is reached), it will display a message saying it's waiting for the server. This might look like it's not working, but it's actually normal. It has connected to the server and is waiting for the multicast transmission to begin. To verify the client has actually connected to the server, you can refresh the server view to show the clients currently connected. Figure 2.5 shows a multicast transmission with one client connected. Deploy IIS Servers is the name of the multicast transmission. The details pane shows one client connected.

FIGURE 2.5 Verifying a client has connected

The second scheduled-cast capability is based on time. You can specify what day and what time to start the multicast session. As an example, say you have created your standard server and now need to deploy nine more using the same settings. However, you may realize that you'd significantly slow down the network if you did it in the middle of the day. You can configure a multicast transmission to occur in the middle of the night:

1. Within WDS, right-click the image you want to deploy.

2. Select Create Multicast Transmission.

3. Enter a friendly name for your transmission, such as Deploy IIS Servers.

4. Select Scheduled-Cast.

5. Select Start Automatically at a Later Time, and enter the date and time when you want the multicast transmission to begin. Your display will look similar to the following graphic. Click Next, and click Finish.
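The same scheduled-cast can be created from the command line with WDSUTIL, which is the form you want when the transmission is set up by a change ticket rather than by hand. The following is an added example written for this page, not code from the book: it schedules the Deploy IIS Servers transmission for a time tonight, optionally adds the client-count trigger as a second start condition, and lists the clients waiting on it, which is what the refreshed console in Figure 2.5 shows. It assumes wdsutil.exe on the WDS server and an install image named "IIS Server" in the IISServers image group (the image name is an assumption); the /Time and /Clients switches and the date format are taken from wdsutil's own help (wdsutil /? /New-MulticastTransmission).

```powershell
# Added example (not from the book): create the "Deploy IIS Servers" scheduled-cast
# from the command line and check who has joined it. Assumes wdsutil.exe on the WDS
# server and an install image named "IIS Server" in the IISServers image group.
param(
    [string]$FriendlyName = 'Deploy IIS Servers',
    [string]$ImageGroup   = 'IISServers',
    [string]$ImageName    = 'IIS Server',     # assumed image name
    [int]$Clients         = 0,                # 0 = no client-count trigger
    [string]$StartAt      = '02:00'           # local time, hh:mm, tonight
)

# wdsutil wants the start time as YYYY/MM/DD:hh:mm. A time that has already passed
# today is moved to tomorrow, since a start time in the past is never what an
# overnight deployment wants.
function Get-StartTime([string]$Hhmm) {
    $t = [DateTime]::ParseExact($Hhmm, 'HH:mm', $null)   # today at that time
    if ($t -lt (Get-Date)) { $t = $t.AddDays(1) }
    return $t.ToString('yyyy/MM/dd:HH:mm')
}
$when = Get-StartTime $StartAt

# Build the argument list once; each element is passed as its own argument.
$wdsArgs = @('/New-MulticastTransmission',
             "/FriendlyName:$FriendlyName",
             "/Image:$ImageName", '/ImageType:Install', "/ImageGroup:$ImageGroup",
             '/TransmissionType:ScheduledCast', "/Time:$when")
if ($Clients -gt 0) { $wdsArgs += "/Clients:$Clients" }   # whichever trigger fires first

& wdsutil.exe $wdsArgs 2>&1
if ($LASTEXITCODE -ne 0) { throw "wdsutil /New-MulticastTransmission failed ($LASTEXITCODE)" }

# Clients that booted into WinPE and picked this transmission by friendly name sit
# in a waiting state until the time or the count is reached. This lists them, the
# command-line version of refreshing the console (Figure 2.5). Do this before you
# leave for the night: a client that is not listed here has not joined.
& wdsutil.exe /Get-AllMulticastTransmissions /Show:Clients

# Console actions and their command-line equivalents:
#   Start (all connected clients now):
#     wdsutil /Start-MulticastTransmission /Image:"IIS Server" /ImageType:Install /ImageGroup:IISServers
#   Bypass Multicast (one client downloads by unicast immediately):
#     wdsutil /Disconnect-Client /ClientId:<id>          (/Force would drop it instead)
```

The client-count trigger and the time trigger are not exclusive: with both set, the transmission starts at whichever condition is met first, so a count equal to the number of servers you expect plus a time after the last one should have booted gives you a fallback if one machine never shows up.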
Before you leave for the night, make sure your destination computers have connected to the WDS server to accept this transmission. Specifically, boot the client into WDS by pressing F12 to boot to the LAN and then pressing F12 to boot to WDS. Select a boot image. After the boot image has loaded, you can then follow the wizard to select the multicast transmission using the friendly name.

If you change your mind about starting the multicast transmission later and want to start it immediately for one client, you can right-click the client within the multicast transmission container and select Bypass Multicast. That client immediately starts downloading the image by ordinary unicast transfer instead of waiting for the multicast session. You can also start the session immediately for all connected clients. Simply right-click the session, and select Start. All connected clients will begin to receive the transmission.

Introducing Server Core

Server Core is an installation of Windows Server 2008 that installs only what is necessary to support the installed services. Instead of a full GUI, only the command line is available for configuration. You can think of Server Core as "Windows without windows."

Although you can do a lot via the command line, expect to do most of the administration of Server Core remotely. Because of this, configuring Server Core for remote administration becomes very important.

Many IT departments and administrators will see two primary benefits of Server Core: increased security due to a reduced attack surface and a simpler installation due to fewer drivers and services being installed.

Reduced attack surface  Since Server Core installs only what is necessary, there is less to attack. This follows a long-standing security principle of eliminating unneeded services and protocols. For example, if IIS is not needed on a server, you simply don't install it. If it's not installed, you don't need to worry about any IIS attacks on this server.
This might seem rather obvious, but I remember when IIS was installed by default on Windows Server 2000 and subsequently became the victim of the rather nasty Nimda virus. Server Core takes this a step further and eliminates many of the underlying core services and files. A new installation installs only about 40 services. While a full Server installation installs close to 6GB of files, Server Core installs only about 1GB. Security is not sacrificed. Server Core includes Windows Firewall, IPsec, and Windows File Protection. It also includes Event Log, Performance Monitor counters, and outgoing HTTP support.

Simpler installation  A simple but direct benefit of Server Core is that there are fewer moving parts and therefore fewer things to go wrong. I'm reminded of the old KISS phrase ("Keep It Simple, Silly"). The simpler things are, the less that can go wrong. In a full installation, when things go wrong, Microsoft releases patches and hotfixes. With fewer files installed on a Server Core installation, expect to do less patching. Additionally, with less running on a Server Core installation, less maintenance is required, and less disk space is required.

Installing Server Core is relatively easy. Whether you're installing from a CD, over the network, or via WDS, it works the same way up to the point of choosing the version. When you choose a Server Core installation, it simply installs significantly fewer files. Because of this, expect the installation to complete much more quickly.

Although the Server Core interface shows only the command line by default, the mouse still works, and you can access Task Manager by pressing Ctrl+Shift+Esc. Of course, any standard command-line commands work in a Server Core installation.
For example, if you want to stop and start the DNS service on a Server Core installation, you could use the Service Control (sc) command to issue stop and start commands to the Service Control Manager as follows:

    sc stop dns
    sc start dns

For a list of commands available from the Server Core installation, enter Help at the command line.

Server Core can host the following server roles:

- The DNS role
- The DHCP role
- The File Services role
- The Print Services role
- The Active Directory Domain Services role
- The Active Directory Lightweight Directory Services role
- The Internet Information Services role
- The Streaming Media Services role
- Hyper-V

Managing Server Core Remotely

One of the first things you'll want to do after installing Server Core is to configure it for remote administration. (Well, maybe you'll rename it with wmic since you don't have the choice to set the name during the install, then set the IP address with netsh if it's not a DHCP client, and finally configure it for remote administration.) Three primary methods of remote administration are possible:

Using Remote Desktop Connection  Configure using the scregedit.wsf Windows script file.

Managing remotely using an MMC snap-in  Configure using the NetShell (netsh) command to manipulate the firewall settings.

Using Windows Remote Shell  Configure using the WinRM command to create a WinRM listener.

Using Remote Desktop Connection

Remote Desktop Connection (RDC) allows you to remotely connect to a server and administer it as if you were standing in front of it. Almost anything you could do while physically at the server, you'll find you can do remotely via RDC. You can access RDC via Start → All Programs → Accessories → Remote Desktop Connection. If you click the Options button to expand the options, your display will look like Figure 2.6.
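The three methods just listed, set up and checked in one pass, as an added example that is not from the book. Server Core on Windows Server 2008 has no PowerShell, so this script runs on the administrator's workstation (PowerShell 2.0 or later) and sends each command to the server through Windows Remote Shell (winrs); that presupposes that winrm quickconfig has already been run once at the Server Core console, which is the one step that cannot be done remotely. The host name, the domain and the WinRM port are assumptions; the scregedit.wsf switches are the ones this chapter uses, and the netsh rule group name is the one Server Core's documentation gives for MMC remote management.

```powershell
# Added example (not from the book): enable RDC, MMC remote management and WinRS on a
# Server Core host and verify each from the outside. Runs on the admin workstation;
# "winrm quickconfig" must already have been run at the Server Core console.
param(
    [string]$Server     = 'CORE1.mcitp.com',   # assumed host name
    [int]$WinRmPort     = 5985,                # WinRM 2.0; WinRM 1.1 on 2008 RTM listens on tcp/80
    [switch]$AllowXpClients                    # RDC clients on Windows XP (no CredSSP)
)

# winrs runs one command on the remote host over WS-Management. Each token is
# passed as its own argument so nothing has to be re-quoted on the way through.
function Invoke-Core([string[]]$Cmd) {
    $out = & winrs.exe "-r:$Server" $Cmd 2>&1
    if ($LASTEXITCODE -ne 0) { throw "winrs failed ($LASTEXITCODE): $out" }
    return $out
}

# Plain TCP connect: proves the listener is up and the firewall lets it through.
function Test-Port([string]$Target, [int]$Port) {
    $c = New-Object System.Net.Sockets.TcpClient
    try     { $c.Connect($Target, $Port); return $true }
    catch   { return $false }
    finally { $c.Close() }
}

$scregedit = 'cscript', '//nologo', 'C:\Windows\System32\scregedit.wsf'

# 1. Remote Desktop Connection: /AR 0 allows remote connections; /AR /v prints the
#    current value, so it doubles as the check.
Invoke-Core ($scregedit + '/AR', '0')
Invoke-Core ($scregedit + '/AR', '/v')
if ($AllowXpClients) {
    # /CS 0 drops the CredSSP (network-level authentication) requirement so the RDC
    # client that ships with Windows XP can connect. Leave it on otherwise: it keeps
    # unauthenticated clients off the RDP logon screen.
    Invoke-Core ($scregedit + '/CS', '0')
}

# 2. MMC snap-ins: enable the firewall rule group they rely on
#    (netsh reads each name=value token separately, so no inner quotes are needed).
Invoke-Core 'netsh', 'advfirewall', 'firewall', 'set', 'rule', 'group=Remote Administration', 'new', 'enable=yes'

# 3. Windows Remote Shell: we are already talking through the listener that
#    "winrm quickconfig" created; list it so the configuration is on record.
Invoke-Core 'winrm', 'enumerate', 'winrm/config/listener'

# Verify from the outside before walking away: RDP and WinRM must both answer.
foreach ($p in 3389, $WinRmPort) {
    $state = if (Test-Port $Server $p) { 'open' } else { 'CLOSED' }
    '{0} tcp/{1}: {2}' -f $Server, $p, $state
}
```

Run it as a domain administrator from a workstation in the same domain, so that winrs authenticates with Kerberos; if tcp/3389 reports CLOSED after /AR 0 succeeded, the firewall rather than the registry value is the next thing to look at.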
To enable remote access to a Server Core installation using RDC, you can use the scregedit.wsf script. You'll explore scregedit.wsf more fully later in this chapter, but for now here's what you need to do:

1. Log on to your Server Core installation.

2. At the command prompt, enter the following command:

    cscript c:\windows\system32\scregedit.wsf /AR 0

[...]

... and File Servers."

FIGURE 2.8 Three virtual servers within one physical server

[Figure labels: Windows Server 2008 as Host VS1; Virtual Machine DC1 (Running Windows Server 2008 Active Directory); Virtual Machine DNS1 (Running Windows Server 2008 Server Core); Virtual Machine DHCP1 (Running Windows Server 2008 Server Core); DC2; DNS2; DHCP2]

... can also host 32-bit and 64-bit operating systems on a single server. For example, you may have one server running an application on 32-bit Windows Server 2003 and another server running an application on 64-bit Windows Server 2003. Hyper-V can be used to host both applications within two virtual machines on the same server.

Consolidating Servers

One of the obvious reasons to use virtual servers is to ...

Server Licensing

When planning to deploy servers, it's important to understand the licensing requirements of virtual servers. The licensing requirements of the three editions of Windows Server 2008 are as follows:

Windows Server 2008 Standard with Hyper-V  The Standard with Hyper-V edition includes support for a single virtual server. A single virtual instance license is included.

Windows Server 2008 ...
... the Transport server.

Chapter 3 Using Windows Server 2008 Management Tools

Microsoft exam objectives covered in this chapter:

- Planning for Server Management
  - Plan Server Management Strategies. May include but is not limited to: remote administration, remote desktop, server management technologies, Server Manager and ServerManagerCMD, ...

[...]

... your Server 2008 servers. You are considering using Server Core for as many servers as possible. Which of the following roles will support Server Core? (Choose all that apply.)

A. Domain Name Services
B. Dynamic Host Configuration Protocol
C. Certificate Services
D. Active Directory Domain Services
E. Internet Information Services

17. You are preparing to upgrade a server from Windows Server 2003 to Windows Server ...

[...]

... Windows XP

11. You have built a Windows Server 2008 server hosting Active Directory Domain Services in a Server Core configuration. You want to manage the server remotely using Remote Desktop Connection (RDC). You manage servers remotely using both a desktop running Windows XP and a laptop running Windows Vista. Which of the following commands should you run on the Server Core server? (Choose all that apply.) ...

[...]

... servers are using 64-bit processors. How many WDS servers are needed?

A. 1
B. 2
C. 3
D. 20

2. You are using Windows Deployment Services (WDS) to deploy Windows Server 2008 onto several new servers. The WDS server is set up to respond only to known computers. None of the new servers can connect to the WDS server. What should be done?

A. Run Sysprep on each of the servers before booting.
B. Prestage each of the computers ...

[...]

... the Server Core servers. You can do this with the scregedit /CS 0 command.

Answers to Review Questions 93

11. A, C. The Server Core Registry Editor Windows script file (scregedit.wsf) is used to manipulate registry settings within a Server Core server. The first setting is /AR 0, which will enable RDC. Since you need to manage Server Core from both Windows XP and Windows ...

[...]

... PC running Windows Vista. However, you've logged on to a different PC running Windows XP and find you cannot connect to the servers running Server Core. Why not?

A. Windows XP cannot connect to Server Core. You can connect using Windows Vista only.
B. You need to upgrade the RDC version on Windows XP.
C. You need to modify the CredSSP setting on the Server Core servers.
D. You need to install SP2 on Windows XP.

[...]

... be deploying as many as 20 images to servers located on three separate subnets. Routers in your network are RFC 1542 compliant. How many DHCP servers are needed?

A. 1
B. 2
C. 3
D. 20

Review Questions 89

10. You manage a network environment including many Windows Server 2008 servers running Server Core. You've been able to manage these servers remotely with Remote Desktop ...

[...]

... "Maintaining Print and File Servers."

[...]

... a Windows Server product):

Server side  In the context of this section, the server side is the server running Server Core. You configure the server with a WS-Management listener to listen for Windows ...