Visit us at w w w s y n g r e s s c o m Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers We are also committed to extending the utility of the book you purchase via additional materials available from our Web site SOLUTIONS WEB SITE To register your book, visit www.syngress.com/solutions Once registered, you can access our solutions@syngress.com Web pages There you may find an assortment of valueadded features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s) ULTIMATE CDs Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few DOWNLOADABLE E-BOOKS For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form These e-books are often available weeks before hard copies, and are priced affordably SYNGRESS OUTLET Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings SITE LICENSING Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations Contact us at sales@syngress.com for more information CUSTOM PUBLISHING Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use Contact us at sales@syngress.com for more information.use Contact us at sales@syngress.com for more information This page intentionally left blank Brien 
Posey Technical Editor Tariq Azad Colin Bowern Laura Hunter John Karnay Mohan Krishnamurthy Jeffery Martin Tony Piltzecker Susan Snedaker Arno Theron Shawn Tooley Gene Whitley Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) not guarantee or warrant the results to be obtained from the Work There is no guarantee of any kind, expressed or implied, regarding the Work or its contents The Work is sold AS IS and WITHOUT WARRANTY.You may have other legal rights, which vary from state to state In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents Because some states not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files Syngress Media® and Syngress®, are registered trademarks of Elsevier, Inc Brands and product names mentioned in this book are trademarks or service marks of their respective companies KEY 001 002 003 004 005 006 007 008 009 010 SERIAL NUMBER HJIRTCV764 PO9873D5FG 829KM8NJH2 BPOQ48722D CVPLQ6WQ23 VBP965T5T5 HJJJ863WD3E 2987GVTWMK 629MP5SDJT IMWQ295T6T PUBLISHED BY Syngress Publishing, Inc Elsevier, Inc 30 Corporate Drive Burlington, MA 01803 The Real MCTS/MCITP Exam 649 Preparation Kit Copyright © 2008 by Elsevier, Inc All rights reserved Printed in the United States of America Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a 
computer system, but they may not be reproduced for publication Printed in the United States of America ISBN 13: 978-1-59749-234-8 Publisher: Andrew Williams Acquisitions Editor: David George Technical Editor: Brien Posey Project Manager: Gary Byrne Page Layout and Art: SPI Copy Editors: Adrienne Rebello and Audrey Doyle Indexers: Ed Rush and Nara Wood Cover Designer: Michael Kavish For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; email m.pedersen@elsevier.com Technical Editor Brien Posey is a freelance technical writer who has received Microsoft’s MVP award four times Over the last 12 years, Brien has published over 4,000 articles and whitepapers, and has written or contributed to over 30 books In addition to his technical writing, Brien is the cofounder of Relevant Technologies and also serves the IT community through his own Web site Prior to becoming a freelance author, Brien served as CIO for a nationwide chain of hospitals and healthcare facilities and as a network administrator for the Department of Defense at Fort Knox He has also worked as a network administrator for some of the nation’s largest insurance companies Brien wishes to thank his wife, Taz, for her love and support throughout his writing career v Contributing Authors Tariq Bin Azad is the principal consultant and founder of NetSoft Communications Inc., a consulting company located in Toronto, Canada He is considered a top IT professional by his peers, coworkers, colleagues, and customers He obtained this status by continuously learning and improving his knowledge and information in the field of information technology Currently, he holds more than 100 certifications, including MCSA, MCSE, MCTS, MCITP (Vista, Mobile 5.0, Microsoft Communications Server 2007, Windows 2008, and Microsoft Exchange Server 2007), MCT, CIW-CI, CCA, CCSP, CCEA, CCI,VCP, CCNA, CCDA, CCNP, CCDP, CSE, and many more Most recently, 
Tariq has been concentrating on Microsoft Windows 2000/2003/2008, Exchange 2000/2003/2007, Active Directory, and Citrix implementations He is a professional speaker and has trained architects, consultants, and engineers on topics such as Windows 2008 Active Directory, Citrix Presentation Server, and Microsoft Exchange 2007 In addition to owning and operating an independent consulting company, Tariq works as a senior consultant and has utilized his training skills in numerous workshops, corporate trainings, and presentations.Tariq holds a Bachelor of Science in Information Technology from Capella University, USA, a bachelor’s degree in Commerce from University of Karachi, Pakistan, and is working on his ALMIT (Masters of Liberal Arts in Information Technology) from Harvard University Tariq has been a coauthor on multiple books, including the best-selling MCITP: Microsoft Exchange Server 2007 Messaging Design and Deployment Study Guide: Exams 70-237 and 70-238 (ISBN: 047018146X) and The Real MCTS/MCITP Exam 640 Preparation Kit (ISBN: 978-1-59749-235-5) Tariq has worked on projects or trained for major companies and organizations, including Rogers Communications Inc Flynn Canada, Cap Gemini, HP, Direct Energy, Toyota Motors, Comaq, IBM, Citrix Systems Inc., Unicom Technologies, and Amica Insurance Company He lives in Toronto, Canada, and vi would like to thank his father, Azad Bin Haider, and his mother, Sitara Begum, for his lifetime of guidance for their understanding and support to give him the skills that have allowed him to excel in work and life Colin Bowern is the Vice President of Technology at official COMMUNITY in Toronto, Canada Through his work with the clients, Colin and the team help recording artists build and manage an online community to connect with their fans Colin came to official COMMUNITY from Microsoft where he was a Senior Consultant with the Microsoft Consulting Services unit working with enterprise customers on their adoption of Microsoft 
technology During his time at Microsoft, Colin worked with several product groups to incorporate customer feedback into future product releases, as well as the MCSE certification exam development Colin holds two Microsoft DeliverIt! awards for work done within the financial industry in Canada to drive the adoption of NET as a development platform and developing an SMBIOS inventory tool that was incorporated into the Windows Pre-installation Environment Colin has delivered a number of in-person and Microsoft Developer Network (MSDN) webcast sessions since the early part of the decade on topics ranging from NET Development to infrastructure deployment with the Microsoft platform In addition to technical talks, Colin participates in the community through active contributions on the MSDN and ASP.NET Forums, publishing code examples, sharing experiences through his blog, and attending local user group events Colin has been a technical reviewer for Addison-Wesley’s NET development series, the Windows Server 2003 series from Microsoft Press, and has co-authored a Windows Server 2003 MCSE study guide for Syngress Publishing In addition, he holds a Masters of Science degree from the University of Liverpool Laura E Hunter (CISSP, MCSE, MCT, MCDBA, MCP, MCP+I, CCNA, A+, Network+, iNet+, Security+, CNE-4, CNE-5) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation, and troubleshooting services for various business units and schools within the university vii Her specialties include Microsoft Windows 2000/2003 design and implementation, troubleshooting, and security topics As an “MCSE Early Achiever” on Windows 2000, Laura was one of the first in the country to renew her Microsoft credentials under the Windows 2000 certification structure Laura’s previous experience includes a position as the director of computer services for the Salvation Army and as the LAN administrator for a medical supply firm She also operates 
as an independent consultant for small businesses in the Philadelphia metropolitan area and is a regular contributor to the TechTarget family of Web sites Laura has previously contributed to Syngress Publishing’s Configuring Symantec Antivirus, Corporate Edition (ISBN 1-931836-81-7) She has also contributed to several other exam guides in the Syngress Windows Server 2003 MCSE/MCSA DVD Guide and Training System series as a DVD presenter, contributing author, and technical reviewer Laura holds a bachelor’s degree from the University of Pennsylvania and is a member of the Network of Women in Computer Technology, the Information Systems Security Association, and InfraGard, a cooperative undertaking between the U.S Government other participants dedicated to increasing the security of United States critical infrastructures John Karnay is a freelance writer, editor, and book author living in Queens, NY John specializes in Windows server and desktop deployments utilizing Microsoft and Apple products and technology John has been working with Microsoft products since Windows 95 and NT 4.0 and consults for many clients in New York City and Long Island, helping them plan migrations to XP/Vista and Windows Server 2003/2008 When not working and writing, John enjoys recording and writing music as well as spending quality time with his wife, Gloria, and daughter, Aurora Mohan Krishnamurthy Madwachar (MCSE, CCA) is the GM – Network Security at Almoayed Group in Bahrain Mohan is a key contributor to Almoayed Group’s projects division and plays an viii important role in the organization’s network security initiatives Mohan has a strong networking, security, and training background His tenure with companies such as Schlumberger Omnes and Secure Network Solutions India adds to his experience and expertise in implementing large and complex network and security projects Mohan holds leading IT industry-standard and vendor certifications in systems, networking, and security He is a member 
of the IEEE and PMI Mohan would like to dedicate his contributions to this book to his friends: Pankaj Sehgal,V.P Ajan, Anand Raghavendra Rao,Vijendran (Vijay) Rao, Neeti (D’lima) Rodrigues, Ali Khan,Vishnu Venkataraman, Azeem Usman Bharde, Hasan Qutbi, Dharminder Dargan, Sudhir Sanil, Venkataraman Mahadevan, Amitabh Tiwari, Aswinee Kumar Rath, Rajeev Saxena, Rangan Chakravarthy and Venkateswara Rao Yendapalli Mohan has co-authored five books published by Syngress: Designing & Building Enterprise DMZs (ISBN: 1597491004), Configuring Juniper Networks NetScreen & SSG Firewalls (ISBN: 1597491187), How to Cheat at Securing Linux (ISBN: 1597492078), How to Cheat at Administering Office Communications Server 2007 (ISBN: 1597492126), and Microsoft Forefront Security Administration Guide (ISBN: 1597492447) He also writes in newspaper columns on various subjects and has contributed to leading content companies as a technical writer and a subject matter expert Jeffery A Martin MS/IT, MS/M (MCSE, MCSE:Security, MCSE: Messaging, MCDBA, MCT, MCSA, MCSA:Security, MCSE:Messaging, MCP+I, MCNE, CNE, CNA, CCA, CTT, A+, Network+, I-Net+, Project+, Linux+, CIW, ADPM) has been working with computer networks for more than 20 years He is an editor, coeditor, author, or coauthor of more than 15 books and enjoys training others in the use of technology Tony Piltzecker (CISSP, MCSE, CCNA, CCVP, Check Point CCSA, Citrix CCA), author and technical editor of Syngress Publishing’s MCSE Exam 70-296 Study Guide and DVD Training System and How to Cheat at Managing Microsoft Operations Manager 2005, is an independent consultant based in Boston, MA Tony’s specialties include ix 1052 Index Auditor, 204 authentication client certificate considerations, 502–505 definition of, 566 with FTP Publishing Service, 603 for FTP site, 572–573 IPSec, 821–822 Kerberos, NTLMv2 and, 810–811 NAP 802.1x enforcement, 960–961 NAP client authentication methods, 961–963 NPS, 809–810 PKI goal, 156–157 protocols, changes 
to, 816 with public key cryptography, 173–174 public key infrastructure, 809 RADIUS, 906 secure network access, implementing, 815 site role, 389 for SMTP Server, 597 for Terminal Server role service, 614–615 UPN, with Global Catalog, 368 Web server, overview of, 499–502 wireless/wired technologies, 813–814 authentication header (AH), IPSec, 822–823 authentication server, 960 authoritative restores, 276–282, 345–346 authorization definition of, 566 folder access, restricting, 506–508 for FTP site, 573–578 IP, 509–510 overview of, 505 RADIUS, 906–907 request filtering, 510–513 URL, 505–506 Authorization Manager, autoconfiguration, IPv6, 781 autoenrollment, of certificates, 205 automatic alternative configuration, TCP/IP, 779 automatic connection method for TS CALS installation, 647, 648–653 TS Licensing role service activation, 626, 627–633 availability See high availability B backbone area, 877 Backup Operator, 204 backup/restore of Certificate Services, 197–203 critical volumes, 264–265 DSRM, 273–276 of failover cluster, 68–69 files, backing up specific, 263 files, recovering specific, 267–273 GPOs, 283–292 IIS server configuration, 533–534 LVR, 283 overview of, 242–243, 343 removable media, 256–259 restores, authoritative, 276–282 restores, nonauthoritative, 276, 283 scheduling, 248–255 Server Backup, 243–248 system state data, backing up, 259–262 system state data, recovering, 265–266 of Terminal Services Licensing server, 657 band-aid approach, 558 bandwidth GC server placement within sites and, 373–374 Remote Desktop Connection utility configuration, 665 basic authentication enabling on a folder, 501–502 IIS, 500, 572 www.syngress.com with SMTP Server, 597 bindings, 587–588 bit lengths, 495 BitLocker Drive Encryption (BitLocker) function of, 104 improvements in functionality, bkf format, 243, 345 block symmetric algorithms, 161 boot image, 51 bootstrapping, wireless client, 913 boundary network, 956 bridgehead servers, 415 bridging, 415–416 broadcast networks, 
911 browser See Web browser browsing, directory, 470–472 bulk data encryption, 174 C C: drive, 62–64 CA Administrator, 204 caching output in IIS, 526–528 RODC cached accounts, 108 Universal Group membership caching, 374–376 capture image, 51 CDPs (CRL Distribution Points), 207 Cert Publishers group, 228 certificate authority (CA) certificate enrollments, 204–205 certificate practice statement, 197 certificate requests, 192–196 in Certificate Services installation, 179, 181–182 certificate services process, 175 configuration of, 189–197 hierarchy levels, 235 implementation of, 233 key recovery agent and, 229–230 PKI component, 158 revocation of certificate, 205–209 root vs subordinate CA, 191–192 server roles, installation of, 957–959 standard vs enterprise CA, 190–191 trusted third party as, 189–190 Certificate Manager, 204 Certificate Practice Statement (CPS), 197 certificate requests, 192–196 certificate revocation lists (CRLs) description of, types of, 207–209 publishing interval of, 235 Certificate Services, 189–209 backup/restore, 197–203 certificate authority, configuration of, 189–197 enrollments, 204–205 improvements in functionality, installation of, 176–185 key recovery, 197 process of, 175 revocation of certificate, 205–209 roles, assignment of, 204 security with, 186–187 certificate templates, 209–230 Certificate Templates snap-in, 210 Computer Certificate Templates, 222–224 Cryptography tab, 213–215 custom, 224–227 function of, 209–210 general properties of new template, 211–212 issuance requirements, 217–220 key recovery agent, 229–230 other certificate types, 224 permissions, securing, 227–228 Request Handling tab, 213 security settings, 220–221 Subject Name tab, 216 User Certificate Templates, 221–222 versioning, 228–229 Certificate Templates snap-in certificate requests via, 192–195 Cryptography tab, 213–215 general properties of new template, 211–212 issuance requirements, 217–220 new template creation, 210 Request Handling tab, 213 security 
settings, 220–221 Subject Name tab, 216 certificates for AD RMS configuration, 122–125 adding new with IIS, 493–498 application certificates, 188 auteoenrollment of, 235 Certificate Services, installation of, 176–185 Certificate Services, process of, 175–176 client, mapping, 505 creation changes, 596 enrollments, 204–205 format of, 234 for FTP site, 567–570, 603 health, 955–956 how they work, 168–171 IIS management of, 491–493 machine certificates, 188 machine on SSL VPN server, 901–905 needs, analysis of, 188–189 overview of, 232–233 PKI components, 158–159 purpose of, 186 reviewing, 175 revocation of certificate, 205–209 SSL, types, 496–497 TS Gateway Server certificate configuration, 712–714 user certificates, 187 certification policies, 197 Certification Request Syntax Standard, 164 Challenge Handshake Authentication Protocol (CHAP), 62 CIDR (Classless Inter-Domain Routing), 778 Citrix Systems, Inc., 610–611 Class A/B/C network addresses, 770 Classless Inter-Domain Routing (CIDR), 778 client certificates authentication, 500 IIS, 502–505 client components, of WDS, 42 client connections to Terminal server, 658–671 overview of, 674 Remote Desktop Connection utility for, 658–666 Remote Desktops Snap-in, installation of, 666–671 clients DHCP, 784–785 NAP, 935–936 remote, TS Gateway, 709–710 clustering failover clusters, 65–73 failover clusters, improvements to, 84 CNG (Cryptography Next Generation), 160 Code Access Security, 513 COM interface for remote administration of IIS on Server Core, 555 for remote IIS administration, 464 command prompt accessing, 84 output, saving to file, 828–829 Remote Desktop Connection utility launch from, 659 Windows activation via, 80 Index 1053 command-line tools AppCmd, 463 DHCP, new options with, 798 for IPSec, 827–829 OCLIST command, 460 for remote administration of IIS on Server Core, 555 for Server Backup, 245 Wbadmin.exe, 255–256 for WFAS, 849–850 communication, 945–946 communication server See remote access server compaction, 
offline, 295–298 compatibility, backward, 358–366 compliance NAP enforcement points, 936 with Network Access Protection, 932 software policy validation, 939 componentization, of IIS, 452 compression CPU throttling and, 540–541 of Web site content, 529–531 Computer Certificate Templates, 222–224 confidentiality, 157 configuration partition, 358, 393 Connection Authorization Policy See TS Connection Authorization Policy connection control, 598 connection limits, 739–740, 744 Connection Request Policies, 950–951 connections NAP Connection Request Policies, 950–951 NAP Network Policies, 951–952 NPS configuration for remote VPN connections, 946–949 Remote Desktop Connection utility, 658–666 Remote Desktops (RD) Snap-in, 666–671 site link costs, configuration of, 408–410 Terminal Services client connections, 674 TS Licensing server/Terminal Server, 638–647 content, 529–530 contiguous namespace, 357 costs, site link, 408–410 counter, 333 CPS (Certificate Practice Statement), 197 CPU thresholds, 529 credentials, 659–660 critical volumes, 264–265 CRL Distribution Points (CDPs), 207 CRLs (certificate revocation lists) description of, types of, 207–209 publishing interval of, 235 cryptanalysis, 157 Cryptographic Token Interface Standard, 164 cryptography definition of, 157 history of PKI, 160–162 modulo operator, 167 See also public key cryptography; public key infrastructure Cryptography Message Syntax Standard, 163 Cryptography Next Generation (CNG), 160 Cryptography tab, 213–215 cryptology, 157 custom certificate templates, 224–227 custom views, 310–313 D Data Collector Sets overview of, 337–338 user-defined, creating, 338–339 Data Encryption Standard (DES), 161, 162 data prioritization, 751–752 data transfer, 548–549 database mounting tool, 115 DCs See domain controllers default trusts, 428 DEFAULTIPSITELINK, 400 Default-Site-First-Name creation of, 393 renaming, 399, 400 defense-in-depth, 829–830 defragging, 295–298, 346 delegation, in IIS, 514–521 delivery options, for 
SMTP virtual server, 591–594 Delta CRLs, 207–209 demilitarized zones (DMZs), 114 dependencies, role service, 460–461 DES (Data Encryption Standard), 161, 162 desktop size, 670 development, application settings, IIS Manager, 486–487 third-party runtime environments, enabling, 487–489 DH (Diffie-Hellman) algorithms, 161 DHCP See Dynamic Host Configuration Protocol diagnostics IIS tools for, 520–521 Web server failed request tracing, 521–524 Web server logging, 524–525 dial-up, 885–886 Diffie-Hellman (DH) algorithms, 161 Diffie-Hellman Key Agreement Standard, 163 digest authentication, IIS, 500 digital certificates See certificates Digital Rights Management (DRM), 121–122 digital signatures description of, 172–173 encryption process of, 166 personal vs CA-issued, 234 as safe, 186 digitally signed drivers, 21 Direct Attached Storage (DAS), 58 direction of trust default trusts, 424–425 description of, 423–424 one-way trusts, 426 directories FTP virtual directories, 564 information search with Global Catalog, 368–370 recovering, 267–273 virtual, adding in IIS, 469–471 directory browsing enabling with IIS, 471–472 FTP Publishing Service, configuration of, 560–561 Directory Services Restore Mode (DSRM) administrator password, resetting, 275–276, 345 overview of, 273–274 disconnecting, Terminal Services session, 671 discontiguous namespace, 357 discover image, 51 discovery scope, 638–639 disk space, 20–21 Display tab, 661 distance-vector routing protocol, 876 distinguished name (DN) Global Catalog for, 358 specifying, 169 DMZs (demilitarized zones), 114 DNS See Domain Name Service document, default, 469–470 domain controllers (DCs) AD design before installation of, 437 forest/domain functional levels, 358–366 FSMO roles, 376–388 Global Catalog and, 366–368 install from media, 37–38 intersite replication, 414–415 read-only domain control, 107–114 replication, troubleshooting, 420–422 replication and, 411–412 Restartable Active Directory Domain Services, 292–295 system state 
recovery, 266 domain database, read-only replicas of, 108 domain functional levels function of, 358 list of, 359 raising, 364–366, 437 Windows 2000 domain functional level, 360 Windows Server 2003 domain functional level, 360–361 Windows Server 2008 domain functional level, 361–362 Domain Name Service (DNS) DNS SRV record, 78–79 for TS Session Broker load balancing, 704–706 for WDS installation, 43 Domain Naming Master DC authorization levels, 377 function of, 376 locating/transferring, 383–384 placing within AD environment, 388 domain partition, 358 domain tree, 357 domains in Active Directory structure, 355–356 definition of, 354 description of, 356–358 forest root domain, 356 forest/domain functional levels, 358–366 FSMO roles, 376–388 Global Catalog, 366–370 Global Catalog replication, 370–372 Global Catalog servers, placing within sites, 372–376 intrasite replication, 412–414 as logical structure of organization, 391 replication, 411–412 replication between sites, 419 routing instructions, 583–586 SID filtering, 431–432 sites and, 390–392 trust relationships, 393 TS Licensing role service discovery scope, 638–639 TS Licensing role service installation and, 623, 625 DomainSysvol folder, 288 drivers, digitally signed, 21 DRM (Digital Rights Management), 121–122 DSA (Direct Attached Storage), 58 DSRM See Directory Services Restore Mode dual layer architecture, 782 DVD, backing up to, 257–259 Dynamic Host Configuration Protocol (DHCP) configuration overview, 784–785 DHCP server role, adding, 785–787 exam questions, 857 exclusions, 798–800 leases, suggestions for, 785 NAP and, 804–806 NAP enforcement point, 936 NAP policy enforcement, implementation of, 939–945 options, creating new, 797–798 overview of, 854–855 PXE Boot, 802–803 relay agents, 785, 802 scope options, configuring, 790–797 scopes, configuring, 787–790 server authorization, 800–801 Server Core vs., 806–808 servers, suggestions for, 785 www.syngress.com 1054 Index Dynamic Host Configuration Protocol 
(DHCP) (Continued ) WDS configuration, 49–51 for WDS installation, 43 Dynamic Host Configuration Protocol for IPv6 (DHCPv6), 806 E EAP See Extensible Authentication Protocol EAP-TLS See Extensible Authentication Protocol–Transport Layer Security elevation of privilege attack, 431–432 e-mail, 368 Encapsulating Security Payload (ESP) description of, 822–823, 894 overview of, 824–825 Encrypting File System (EFS) new functionality in, travel and, 234 encryption bulk data encryption, 174 EFS, 234 history of PKI, 160–162 public key cryptography authentication, 173–174 enforcement DHCP, 939–945 IEEE 802.1x enforcement, 960–963 IPsec, 955–959 NAP enforcement points, 936 VPN, 945–949 enrollments AD RMS self-enrollment, 121 certificate, 204–205 PKI role assignment, 204 security settings for certificate template, 220–221 Enterprise Certification Authority NAP enforcement and, 946 standard CA vs., 190–191 Enterprise PKI (PKIView), 159 Entrust, 156, 190 equal per session, 688, 692, 758 equal per user, 688, 692, 758 error pages, 472–475 ESP See Encapsulating Security Payload event logs, 420 Event Viewer for AD event logging, 421–422 Applications and Services logs, 314–315 custom views, creating, 310–313 new benefits of, 346 overview of, 310 Subscriptions, 315–319 Windows Logs, 313 Exchange Server, 373 exclusions IP address, 798–800 IPv6, 794 Experience tab, 664–665 expiration, certificate, 206 explicit FTP SSL, 566–567 explicit trusts, 427, 438 extended validation certificate, 496–497 Extended-certificate Syntax Standard, 163 Extensible Authentication Protocol (EAP) in IEEE 802.1x enforcement, 961 for smart card authentication, 236 wired/wireless authentication, 813 Extensible Authentication Protocol–Transport Layer Security (EAP–TLS) user certificate autoenrollment for, 815 in wired/wireless authentication, 813 Extensions tab, 218–219 external trusts www.syngress.com creation of, 429–430 function of, 423, 437 extranet, 130–431 F fabric technology, 58 failed request tracing IIS, 
overview of, 521–522 rule, adding, 522–524 failover clusters definition of, 65 geographically dispersed, 65–66 improvements to, 84 installation/validation of, 66–68 management of, 68–69 farm, Web See Web farm scaling FastCGI, 487 Fax Server Role, 6–7 Federation Services See Active Directory Federation Services Feistel, Horst, 161 Fibre Channel Host Bus Adapter (HBA), 60 Fibre Channel Protocol (FCP) failover cluster installation and, 66 ports defined in, 59–60 SAN use of, 57, 58 File Transfer Protocol (FTP), 548–549 See also FTP Publishing Service; FTP sites files backing up specific, 263 recovering specific, 267–273 filtering filtered attribute sets, 108 inbound/outbound filters, 905–906 request, 510–513 SID, 431–432 See also traffic filtering, incoming/outgoing firewall Firewall Support feature of FTP Publishing Service, 561–562 replication, troubleshooting, 421 WFAS, improvements of, 925 Windows Firewall, changes in, 870 See also Windows Firewall with Advanced Security flash drives, 345 Flexible Host Isolation, 957 Flexible Single Master Operation (FSMO) roles function of, 376 new child domain, creation of, 378–379 operational master roles, 376–378 role holders, placing/transferring/seizing, 379–388 spreading out, 437 folder conversion to application, 565 conversion to Web application, 481–484 restricting access to in IIS, 506–508, 541 restriction of access to, 574–575 User Isolation feature, 577–578 forest discovery scope name of, 638 TS CALs in multiple domains, 639 forest functional levels configuration of, 362–364 function of, 358 list of, 359 raising, 364–365, 437 forest root domain, 356 forest trusts creation of, 428–429 function of, 423 forests in Active Directory structure, 355–356 adding RODC to existing, 109 definition of, 354, 393 domains and, 356–358 explicit trusts, 427 forest root domain, 356 forest/domain functional levels, 358–366 FSMO roles, 376–388 Global Catalog, 366–370 Global Catalog replication, 370–372 Global Catalog servers, placing within 
sites, 372–376 installation of Windows Server 2008 forest, 23–36 preparation for Windows Server 2008 installation, 22 trust relationships, 423 TS Licensing role service discovery scope, 639 TS Licensing role service installation and, 623, 625 forms authentication, IIS, 502 free space, 20–21 FSMO roles See Flexible Single Master Operation (FSMO) roles FTP (File Transfer Protocol), 548–549 FTP Publishing Service authentication with, 603 FTP site, securing, 566–578 FTP sites, provisioning, 556–565 installation of, 550–556 overview of, 600–602 release of, 549 FTP Server installation of, 550–553 installation on Server Core, 553–556 FTP sites application pools, 565 certificate for, 603 creation of, 556–560 directory browsing, 560–561 Firewall Support feature, 561–562 messages, 562–563 securing, 566–578 virtual directories, 564 fully qualified domain name (FQDN), 668 G General tab, 660 geographically dispersed cluster, 65–66 Global Catalog (GC) description of, 366–368 directory information search, 368–370 for distinguished name, 358 enabling on DC, 439 install from media, 37–38 replication, 370–372 Schema Master vs., 380 servers, placing within sites, 372–376 servers in sites, 440 Universal Group membership information, 370 UPN authentication, 368 globally unique identifier (GUID) partition table (GPT) disks, 69 Group Policy PKI certificate settings in, 160 settings, for TS, 721–724 WFAS, managing via, 847–848 wireless, creating, 918–919 Group Policy Management, 759 Group Policy Objects (GPOs) backing up, 283–288 restoring, 289–292 Server Backup and, 346 TS Session Broker load balancing with, 706–709 GUI, 101 GZIP compression, 529 Index 1055 H hardware load balancers, 711 RAID, 55 system requirements, 9–10 hash description of, 161 for digital signatures, 172–173 HBA (Fibre Channel Host Bus Adapter), 60 headers FTP and, 557–558 host, 491–492 multiple, 540 response, 476–477 health, IIS tools for, 520–525 Health Certificate Server (HCS), 955–959 health certificates, 955–956 
Health Policies, NAP
  configuration of, 949–950
  Connection Request Policies, 950–951
  creation of, 953–954
  function of, 952
  Network Access Protection settings, 954
  Network Policies, 951–952
  remediation server group, creation of, 954–955
Health Registration Authority (HRA)
  function of, 936
  server roles, installation of, 957–959
health requirement server, 937
Hellman, Martin, 161
Henry II, King of England, 172
hierarchical model
  levels for, 235
  PKI trust model option, 189
  root vs subordinate CA, 191–192
high availability
  description of, 65
  failover clusters, 65–69
  network load balancing, 69–73
  overview of, 83
HOST command, 558
host headers
  FTP and, 557–558
  multiple, 540
  SSL and, 491–492
host-based firewalls, 830
HRA See Health Registration Authority
Hypertext Preprocessor (PHP), 487–489
Hypertext Transfer Protocol (HTTP)
  errors, custom pages for, 472–475
  MIME types, 477–478
  Redirect module, 475–476
  Response Headers, custom, 476–477
  service unavailable responses, 532–533

I

IAS (Internet Authentication Service), 870
ICS See Internet Connection Sharing
identity association identifier (IAID), 797
identity management, 129
IEEE 802.1x
  settings, configuring in Server 2008, 816–819
  wireless/wired authentication technologies, 813–814
  WLAN authentication using, 812–813
IEEE 802.1x enforcement
  issues with, 967–968
  NAP, configuration of, 960–963
  NAP enforcement point, 936
IEEE 802.11 protocol, 911
IETF (Internet Engineering Task Force), 587
IFM (install from media), 37–38
IIS See Internet Information Server; Internet Information Services
images
  WDS, capturing, 51–52
  WDS, deployment of, 52–54
  WDS, name of, 86
implicit trusts
  definition of, 438
  description of, 427
implied trust, 438
inbound filters, 905–906
Infrastructure Master DC
  authorization levels, 378
  function of, 376
  locating/transferring, 384–387
  placing within AD environment, 388
infrastructure mode, 916–918
inheritance, 515
initiators, 60–62
install from media (IFM), 37–38
installation
  of Active Directory Domain Services Role, 104–107
  of failover cluster, 66–68
  of File Transfer Publishing Service, 550–556
  IIS, 448–453, 537
  of network load balancing, 70–73
  of Server Core, 38–41
  of SMTP Server, 580–582
  of Terminal Server role service, 611–618
  of TS Licensing role service, 621–626
  of Windows Server 2008 forest, 23–36
  of Windows Server Enterprise Edition, 8–20
instances, Performance Monitor, 333
Integrated Services Digital Network (ISDN), 879
integrated Windows authentication, 597
integration policy, 804–805
integrity, 157
Internet, 155–156
Internet Authentication Service (IAS), 870
Internet Connection Sharing (ICS)
  configuring, 892–893
  overview of, 890–892
Internet Engineering Task Force (IETF), 587
Internet Information Server (IIS)
  FTP Publishing Service, installation of, 550–556
  FTP Publishing Service, release of, 549
  FTP site, securing, 566–578
  FTP sites, provisioning, 556–565
  function of, 103
  SMTP Service, in general, 578–580
  SMTP Service, installation of, 580–582
  SMTP Service, provisioning virtual servers, 583–595
  SMTP virtual server, securing, 595–599
Internet Information Services (IIS)
  application development settings, 486–487
  application pool, creating, 480–481
  application pool settings, 485–486
  deployment scenarios, 454–455
  directory browsing, enabling, 471–472
  error pages, customizing, 472–475
  in Federation Services configuration, 133–134
  folder to Web application conversion, 481–484
  installing, 456–459
  installing/configuring, 448–453, 537
  migrating from previous releases, 489
  MIME types, adding, 477–478
  overview of, 535–536
  PHP on Web server, enabling, 487–489
  redirecting requests, 475–476
  remote server administration tools, 462–464
  response headers, 476–477
  on Server 2008 vs Vista, 540
  Server Core administration, 540
  on Server Core installation, 453–454
  Server Manager to install role, 98–100
  virtual directory, adding, 469–471
  Web applications, configuring, 478–480
  Web server role, installing on Server Core, 459–461
  Web sites, creating, 466–468
  Web sites, provisioning, 464–465
Internet Information Services (IIS) Manager, 519–520
Internet Information Services (IIS), managing
  configuration/delegation, 514–521
  health/diagnostics, 520–525
  overview of, 514, 538–539
  server configuration, backup/restore of, 533–534
  Web farm scaling, 525–533
Internet Protocol (IP)
  authorization in IIS, 509–513
  notation, 784
  Server 2008 features of, 894
  for site replication, 418
Internet Protocol Version 4 (IPv4)
  address configuration, 853
  addressing format, 770–771
  alternative configuration, 779
  configuration overview, 768
  IPv6 vs., 769
  local settings, configuring, 772–773
  options, configuring, 774
  subnetting, 774–778
  supernetting, 778
Internet Protocol Version 6 (IPv6)
  address configuration, 853
  address format, 779–780
  address types, 780–781
  alternative configuration, 779
  autoconfiguration options, 781
  configuration overview, 768
  exam questions, 857
  IPv4 vs., 769
  NLB support of, 73
  overview of, 779
  resources, 771
  rolling out, 782
  settings configuration, 782–784
  subnets and, 401–402
  subnetting, 774–778
  supernetting, 778
  transition technologies, 781–782
Internet Security Association and Key Management Protocol (ISAKMP), 824, 894
Internet Small Computer System Interface (iSCSI), 60–62
intersite replication
  definition of, 394
  description of, 414–415
Inter-site Topology Generator (ISTG), 414
Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), 782
intrasite replication
  definition of, 394
  description of, topologies, 412–414
IP address
  access restriction based on, 575–576
  redirection, 703–704
  for Remote Desktops Snap-in connection, 668
  subnets, creation of, 400–403
IP addressing/services
  DHCP configuration, 784–808
  IPSec configuration, 821–830
  IPv4/IPv6 configuration, 768–784
  network authentication configuration, 809–821
  overview of, 768, 851–853
  WFAS in Server 2008, 830–850
IP authorization, 575–576
IP Security (IPSec)
  AH, 823–824
  configuration overview, 821–823, 855
  defense-in-depth, 829
  description of, 894
  enforcement, configuration of, 955–959
  enforcement, issues with, 967–968
  ESP, 824–825
  firewall traffic filtering and, 842–846
  IPSec SA, 824
  isolation policy, 829
  policy, creating, 827
  Server 2008, configuring in, 825–827
  settings, WFAS vs Group Policy, 858–859
  SSTP and, 895
  using command line, 827–829
  WFAS and, 826
IPv4 See Internet Protocol Version 4
IPv6 See Internet Protocol Version 6
IPv6 over IPv4 tunneling, 782
ISAKMP (Internet Security Association and Key Management Protocol), 824, 894
ISAPI
  ASP and, 540
  Extensions, role service dependencies and, 460
  for PHP enabling, 487
ISATAP (Intra-Site Automatic Tunnel Addressing Protocol), 782
iSCSI (Internet Small Computer System Interface), 60–62
isolation
  Flexible Host Isolation, 957
  IPSec isolation policy, 829–830
  User Isolation feature, 577–578
ISDN (Integrated Services Digital Network), 879
Issuance Requirements tab, 216–220
ISTG (Inter-site Topology Generator), 414

K

kernel mode operations, 307
Key Management Service (KMS)
  DNS SRV record, creation of, 78–79
  enabling clients to use, 79
  installation of, 76–78
  replication among hosts, 85
  for Windows activation, 73, 74–75
key pair, 156
key recovery, 197
key recovery agent, 229–230
keys, 73–75
  See also private key; public key; public key infrastructure
Knowledge Consistency Checker (KCC)
  for choice of replication topology, 411
  GC replication topology, 371
  for intrasite replication, 412–413
  scheduling, 438

L

label names, backup, 254
Layer Two Tunneling Protocol (L2TP), 894
Layer Two Tunneling Protocol with Internet Protocol security (L2TP/IPSec), 819–821
LDAP routing, 594–595
LDS See Active Directory Lightweight Directory Service
leases, DHCP, 785
license states, 75
licensing
  activation from command prompt, 80
  AD RMS functions, 120
  DNS SRV record, creation of, 78–79
  evaluation copy of Windows Server 2008, 85
  installation of KMS, 76–78
  Key Management Service keys, 74–75
  keys for activation, 73
  KMS, enabling clients to use, 79
  license reporting, 76
  license states, 75
  Multiple Activation Keys, 74
  TS, 684
licensing, Terminal Services
  overview of, 673–674
  recovery of TS license server, 657
  TS CALs, installation/management of, 647–657
  TS Licensing role service, activation of, 626–647
  TS Licensing role service, installation of, 621–626
licensing mode
  for Terminal Server role service, 615–617
  for Terminal Server role service, specifying after installation, 618–620
Lightweight Directory Service See Active Directory Lightweight Directory Service
link state protocol, 876
linked value replication (LVR), 283
links
  site link costs, configuration of, 408–410
  site link replication protocols, 417–418
  site links, creation of, 405–408
  site links, replication, 416–417
load balancing, terminal services
  configuring, 694–697, 758
  DNS registration, 704–706
  local group on Session Broker, adding, 697
  NLB, installing, 697–703
  overview of, 693–694, 755
  Session Broker redirection modes, 703–704
  techniques, 694
  through Group Policy, 706–709
  See also Network Load Balancing
Local Area Connections dialogue box
  for IPv6, 782–783
  IPv4, configuring, 772–773
Local Resources tab, of RDC utility, 661–662
location locking, 517–518
log off, TS users, 752–753
logging
  activity, IIS, 524–525
  application logging, 692–693
  for SMTP virtual server, 588–589
logical structure, 391
Logical Unit Number (LUN), 61
logon, 368
LVR (linked value replication), 283

M

MAC (Media Access Control) address, 790
machine certificate
  function of, 188
  requesting/installing on SSL VPN server, 901–905
maintenance, offline
  AD storage allocation, 298–299
  defrag/compaction, 295–298
  overview of, 242, 292, 343–344
  Restartable Active Directory, 292–295
MAKs See Multiple Activation Keys
management
  components of WDS, 42
  of failover cluster, 68–69
  via Group Policy, 847–848
many-to-one mapping, 503
mapping
  AD Certificate Mapping, 541
  client certificate, 503–505
media, removable, 256–259
Media Access Control (MAC) address, 790
message digest, 173
message limits, 589–591
messages
  FTP messages module configuration, 562–563
  SMTP Server relay process, 578–579
  SMTP virtual server delivery options, 591–594
Microsoft
  PKI development, 154
  Terminal Services and, 610–611
Microsoft Communication Server, 130
Microsoft TechNet
  on certificate needs, 188
  Network Access Protection Web site, 968
  for Server Core tools, 102
migration, 489
MIME types, 477–478
modulo operator, 167
monitoring, 846–847
  See also Active Directory (AD), monitoring
mount points, 62–64
MPPE encryption, 820–821
msi packages, 725
multimaster environment, 411–412
multimaster replication model, 376
Multiple Activation Keys (MAKs)
  choice of, 77
  for Windows activation, 73
Multiple hosts, 702, 758

N

NA (naming authority), 169
name, of certificate template, 211
namespace, of forest, 357
naming authority (NA), 169
naming contexts, 358
NAP See Network Access Protection
NAP Health Policies, 949–955
NAP Health Policy Server (NPS)
  DHCP enforcement, 940–945
  functions of, 937
  NAP enforcement points, 936
  server roles, installation of, 957–959
  software policy validation, 939
  VPN enforcement, 945–949
NAS See Network Attached Storage
NAT (Network Address Translation), 888–890
National Security Agency (NSA), 161
NBP (network boot program), 802–803
NDES (Network Device Enrollment Service), 160
.NET interface
  IIS configuration and, 514
  for remote IIS administration, 464, 555
.NET Trust Levels
  ASP.NET applications and, 541
  overview of, 513–514
NetBIOS name, 668
Netsh commands, 913
network access configuration
  ad hoc vs infrastructure mode, 916–918
  Dial-up, 885–886
  ICS, 890–893
  inbound/outbound filters, 905–906
  NAT, 888–890
  NPS/NAP, 881–885
  overview of, 868–869, 920
  RADIUS Server, 906–910
  remote access, 878–879
  remote access policy, 886–888
  remote access protocols, 893–900
  routing, 871–878
  RRAS, 879–881
  Server 2008, 869–871
  SSID, 914–915
  VPNs, 900–905
  wireless access, 910–914
  wireless group policy, 918–919
  WPA, 915
  WPA2, 916
Network Access Protection (NAP)
  DHCP and, 804–806
  DHCP enforcement, 939–945
  enforcement methods in NPS, 884–885
  function of, 84
  functionality areas, 934
  Health Policies, configuration of, 949–955
  IEEE 802.1x enforcement, 960–963
  improvements in functionality, 932–933
  IPsec enforcement, 955–959
  Network Access Quarantine Control vs., 933
  network layer protection, 934–939
  overview of, 881–884, 964–966
  VPN enforcement, 945–949
Network Access Protection Partners, 933
Network Access Quarantine Control
  NAP changes from, 967
  NAP vs., 933
  problems of, 932
Network Address Translation (NAT), 888–890
Network Attached Storage (NAS)
  benefits/drawbacks of, 56–57
  SAN vs., 58
network authentication
  configuration overview, 809–810, 854
  NTLMv2/Kerberos, 810–811
  RRAS, 819–821
  WLAN using 802.1x/802.3, 812–819
network boot program (NBP), 802–803
Network Device Enrollment Service (NDES), 160
Network Diagnostics Framework, 912
Network Information Service (NIS), 796
network interface card, 772
network layer protection, of NAP, 934–939
Network Load Balancing (NLB)
  clustering modes supported by, 702
  Filtering mode Multiple host, 702
  installation/configuration of, 70–73
  load balancing and, 694
  manager, description of, 687
  scalability of, 69–70
  service, installing, 697–703
  shared configuration, 531–532
  TCP/HTTP service unavailable responses, 532–533
  for Web sites, 531
Network Monitor, 299–302
network operating system (NOS),
network perimeter firewalls, 830
network policies, 951–952
  See also remote access
Network Policy and Access Services (NPAS)
  functions of,
  installation of, 811
Network Policy Server (NPS)
  authentication and, 809–810
  configuring NAP policies/settings in, 884–885
  NAP Health Policies, configuration of, 949–955
  overview of, 881–884
  on RADIUS Servers, 908–910
network security, 154
network storage, 467–468
network traffic, 373–374
Networking tab, Task Manager, 307–308
NIS (Network Information Service), 796
NLB See Network Load Balancing
nonauthoritative restores
  authoritative vs., 345–346
  performing, 276, 283
non-broadcast networks
  on Server 2008, 911
  SSID, connection with on, 914
nonrepudiation, 157
nontemporary IP address, 783–784
nontransitive trust, 424
NOS (network operating system),
not-so-stubby area (NSSA), 878
NPAS (Network Policy and Access Services)
  functions of,
  installation of, 811
NPS See NAP Health Policy Server; Network Policy Server
NSA (National Security Agency), 161
NSSA (not-so-stubby area), 878
NT LAN Manager version 2 (NTLMv2), 810–811
NTBackup.exe, 242
NTDS Site Settings Properties box, 375
ntds.dit, 296–297
ntdsutil.exe, 379–380
NTFS, 62–64

O

object
  GC directory information search, 368–370
  Performance Monitor, 333
OCLIST command, 460
OEM keys, 73
offline maintenance See maintenance, offline
one-to-one mapping, 503
one-way trusts, 425–426
Online Certificate Status Protocol (OCSP), 160
Open Shortest Path First (OSPF), 877–878
operating system (OS)
  planning/preparation steps for, 2–3
  Windows Deployment Services, 41–54
operational master roles, 376–379
Other tab, Remote Desktops Snap-in, 670–671
outbound filters, 905–906
output caching, 526–528

P

parent and child trust, 428
partitions
  naming contexts of AD, 358
  in Windows Server 2008 installation, 17–19
passive FTP mode, 562
pass-through authenticator, 960, 961
Password-based Cryptography Standard, 163
passwords, 273–276, 345
PDC Emulator DC
  authorization levels, 378
  function of, 377
  locating/transferring, 384–387
  placing within AD environment, 388
  role holder, seizing, 380
PEAP (Protected Extended Authentication Protocol)
  for VPN client/NAP communication, 945–946
  in wired/wireless authentication, 813
PEAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAPv2), 813
PEAP-TLS (Protected Extended Authentication Protocol–Transport Layer Security), 815
peer-to-peer wireless network, 911
performance, AD sites and, 389
Performance Monitor
  counters, adding in, 334–335
  overview of, 333
Performance tab, Task Manager, 306–307
permissions
  for certificate template, 227–228
  TS session, 747–748
Personal Information Exchange Syntax Standard, 164
PHP (Hypertext Preprocessor), 487–489
physical structure, 391
PKCS (Public-Key Cryptography Standards), 162–164
PKI See public key infrastructure
PKIView (Enterprise PKI), 159
plaintext, 173–174
planning
  AD site, 393–394
  for Terminal Server role service, 618
  for Windows Server 2008 installation, 2–3
plug and play device, 662–663
Point-to-Point Protocol (PPP), 945
Point-to-Point Tunneling Protocol (PPTP), 819–821, 894
policies
  caching, creating IIS, 527–528
  IPSec, creating, 827
  IPSec isolation, 829–830
  NAP/DHCP integration, 804–805
pool, application See application pool
port binding, 587–588
ports
  defined in Fibre Channel, 59–60
  FTP data transfer, 549
  WFAS, identifying in, 848
PPP (Point-to-Point Protocol), 945
PPTP (Point-to-Point Tunneling Protocol), 819–821, 894
Pre-Boot Execution Environment (PXE Boot), 802–803
prime number theory, 167
Print Services Role Server,
prioritization, data, 751–752
privacy
  PKI function, 157–158
  with transport security, 566–572
private key
  digital signatures, 166, 172–173
  key recovery agent for, 229–230
  PKI component, 158
  in PKI verification process, 156
  public key cryptography authentication, 173–174
  public/private key data exchange, 164–165
  recovery of, 197
Private-key Information Syntax Standard, 163
probe requests, 914–915
Processes tab, Task Manager, 305
profiles, firewall, 841–842
Programs tab, of Remote Desktop Connection utility, 663–664
Protected Extended Authentication Protocol (PEAP)
  for VPN client/NAP communication, 945–946
  in wired/wireless authentication, 813
Protected Extended Authentication Protocol–Transport Layer Security (PEAP–TLS), 815
protocols
  802.11, 911
  authentication, changes to, 816
  Server 2008 unsupported, 810
  tips for remembering, 858
  WFAS, identifying in, 848
  See also remote access protocols
public key
  CA and, 190
  certificates to hold, 186
  digital signatures, 166, 172–173
  PKI component, 158
  in PKI verification process, 156
  public key cryptography authentication, 173–174
  public/private key data exchange, 164–165
  secret key agreement via, 174
public key cryptography
  authentication, 173–174
  bulk data encryption without prior shared secrets, 174
  description of, 161–162
  digital signatures, 172–173
  function of, 171–172
  secret key agreement via public key, 174
public key infrastructure (PKI)
  application certificates, 188
  authentication via, 809
  certificate needs, analysis of, 188–189
  Certificate Services, installation of, 176–185
  Certificate Services, process of, 175
  Certificate Services, security with, 186–187
  Certificate Services, working with, 189–209
  certificate templates, 209–230
  certificates, 167–171
  components of, 158–159
  definition of, 155–157
  function of, 157–158
  hidden operations, 234
  how it works, 160–167
  machine certificates, 188
  network access authentication and, 815
  overview of, 154–155, 231–233
  public key functionality, 171–174
  user certificates, 187
  Windows Server 2008 enhancements, 159–160
Public-Key Cryptography Standards (PKCS), 162–164
publishing, TS Licensing server, 642–647
PXE Boot (Pre-Boot Execution Environment), 802–803

Q

queries, 368–370

R

RADIUS, 950–951
RADIUS (Remote Authentication Dial-In User) Server
  configuring, 906–908
  NPS, installing, 908–910
RAID, 55–56
RAP See resource allocation policies
RDC utility See Remote Desktop Connection (RDC) utility
RDP See Remote Desktop Protocol
read-only DNS, 108
read-only domain controllers (RODCs), 107–114
  AD DS installation, 22
  configuration of, 108–113
  definition of, 94
  features of, 108
  function of, 107–108
  overview of, 144
  removal of, 113–114
  replication of, 146
realm trusts, 437
recovery
  IFM for disaster recovery, 37–38
  key recovery agent, 229–230
  of TS license server, 657
  See also backup/restore
redirection modes, 703–704
Relative ID (RID) Master DC
  authorization levels, 378
  function of, 377
  locating/transferring, 384–387
  placing within AD environment, 388
  role holder, seizing, 380
relay agents, DHCP
  description of, 785
  overview of, 802
relay restrictions, 598–599
Reliability and Performance Monitor
  Data Collector Sets, 337–339
  overview of, 331–332, 346
  Performance Monitor, 333–335
  Reliability Monitor, 335–337
  Reports, 339–340
  Resource Overview, 332–333
Reliability Monitor, 335–337
remediation
  NAP enforcement points and, 936
  NAP restricted network, 938
  Remediation Server Group, 954–955
remote access
  configuring, 921–922
  dial-up, 885–886
  ICS, 890–893
  inbound/outbound filters, 905–906
  NAT, 888–890
  NPS/NAP, 881–885
  overview of, 878–879
  RADIUS Server, 906–910
  remote access policy, 886–888
  remote access protocols, 893–900
  RRAS, 879–881
  VPNs, 900–905
remote access protocols
  overview of, 893–894
  SSTP, 895–899
  SSTP, configuring on Server 2008, 899–900
remote access server, 879
remote administration
  of IIS on Server Core, 555
  Web site, 519–520
Remote Authentication Dial-In User (RADIUS) Server
  configuring, 906–908
  NPS, installing, 908–910
Remote Desktop Connection (RDC) utility
  configuration of, 660–666
  for connection to Terminal Services, 658
  launching, using, 658–660
  screen mode, 677
  TS Web Access with, 735
Remote Desktop Protocol (RDP)
  connection options, 759
  permissions, 739–740
  permissions, TS Manager configuration of, 740–744
  traffic on TS Gateway, 709–710
Remote Desktops (RD) Snap-in
  adding new connection, 667–669
  configuration of connection properties, 669–671
  connecting/disconnecting, 671
  for connection to multiple terminal servers, 676
  display of console session, 677
  function of, 666
remote domains, 585
Remote Installation Services (RIS)
  WDS as replacement of, 7, 41
  WDS changes from, 42–43
Remote Procedure Calls (RPCs), 412
Remote Server Administration Tools (RSAT), 462–464
removable media, backing up to, 256–259
renaming, site, 399–400, 439
renewal period, 212
RepAdmin, 326–329
replication
  bridgehead servers, 415
  failure, troubleshooting, 420–422
  forcing, 417
  GC servers, placing within sites, 372–376
  Global Catalog, 370–372
  intersite, 414–415
  intrasite, 412–414
  intrasite/intersite, 394
  of KMS hosts, 85
  monitoring, 346
  replication protocols, 417–418
  replication topology, 418–419
  of RODC, 146
  scheduling, 416–417
  site link bridges, 415–416
  site role, 389
  of sites, 411–412
  between sites, configuration of, 419
  unidirectional, of RODC, 108
Replication Monitor (Replmon), 319–325
replication topology
  creation of, 418–419
  planning, 418
  replication, troubleshooting, 420
reporting
  licenses, 76
  Reliability and Performance Monitor, 339–340
Request Handling tab, Certificate Templates snap-in, 212–213
requests, redirecting in IIS, 475–476
reservations, DHCP
  IPv6 client, 796–797
  IPv4, 790
  options, 791
resource allocation policies (RAP)
  description of, 692
  TS, 688
Resource Authorization Policy See TS Resource Authorization Policy
Resource Overview screen, 332–333
resources, TS
  configuring, 684–687
  monitoring, 755
response headers, 476–477
Restartable Active Directory Domain Services, 292–295
restore
  authoritative, 276–282
  authoritative vs nonauthoritative, 345
  of Certificate Services, 200–203
  IIS server configuration, 533–534
  nonauthoritative, 276, 283
  See also backup/restore
restricted network
  of IPsec-based NAP network, 956, 957
  NAP, 938
retail keys, 73
revocation, of certificate, 205–209, 235
RFC 2228, 549
RFC 2476, 587
RFC-standard Digest authentication, 500
RID Master DC See Relative ID (RID) Master DC
Rights Management Server (RMS) See Active Directory Rights Management Server
rights-protected information, 120
ring topology, 412–413
RIP (Routing Internet Protocol), 876–877
RIS See Remote Installation Services
Rivest, Ronald, 161
RMS See Active Directory Rights Management Server
RODCs See read-only domain controllers
roles
  AD RMS delegation of, 121
  deployment with scripting tools, 147
  PKI, assignment of, 204
  scripting vs GUI for installation of, 101
  of Server Core, 39–40
  Server Manager to implement, 95–100
  trend towards, 94
  Web Server, installing, 456–459
  Web Server, installing on Server Core, 459–461
  See also server roles; Web Server (IIS) role
root CA
  subordinate CA vs., 191–192
  as sufficient, 235
routing
  configuring, 920–921
  OSPF, 877–878
  overview of, 871–873
  RIP, 876–877
  static, 875–876
  table on Server 2008, 874–875
Routing and Remote Access Services (RRAS)
  authentication, 819–821
  installing, 880–881
  NAT, 888–890
  NPS/NAP, 881–885
  overview of, 879
Routing Internet Protocol (RIP), 876–877
routing metric, 872
routing tables
  overview of, 871–873
  on Server 2008, 873–875
routing token redirection, 704
RPCs (Remote Procedure Calls), 412
RRAS See Routing and Remote Access Services
RSA algorithm
  description of, 162–163
  for digital signatures, 166
  popularity of, 172
RSA Labs
  key pairs and, 161
  PKCS standards, 162–164
RSAT (Remote Server Administration Tools), 462–464
rules, firewall
  connection security, 840–841
  traffic filtering, 837–838
  traffic filtering, creating, 838–840
runtime environments, 487–489

S

SA (security association), 824
SANs See Storage Area Networks
scalability
  of NLB, 69–70
  of SANs, 57
scheduling
  backup, 248–255
  site link replication, 416–417
Schema Master DC
  adprep /forestprep run in, 22
  authorization levels, 377
  function of, 376
  locating/transferring, 380–383
  placing within AD environment, 388
  role holder, seizing, 380
schema partition, 358
scope options, DHCP
  configuring, 787, 790
  IPv4, configuring, 787–789
  IPv4 reservations, 790
  IPv6, configuring, 796
  IPv6 client reservation configuration, 796–797
  IPv6 scopes, configuring, 793–795
  reservation options, 791
  scope options, 791
  server options, 790–791
  setting, 792–793
Screen Options tab, of Remote Desktops Snap-in, 670
scripting, 101
search, GC directory information search, 368–370
secret key, 174
secret key encryption, 161
Secure Communication, 596
Secure Hash Algorithm-1 (SHA1), 821
secure network, 956
Secure Socket Tunneling Protocol (SSTP)
  connection security with, 819–820
  in Server 2008, 870–871
  SSL VPNs and, 925
Secure Sockets Layer (SSL)
  certificates, multiple, 540
  cryptographic system, 898
  explicit FTP SSL process, 566–567
  FTP over SSL for FTP site, 571–572
  SSTP and, 895
  transport security with, 490–493
  types, differences between, 496–497
  VPN, 925
  VPN server, installing/configuring, 901–905
security
  certificate template settings for, 220–221
  domains and, 356–357
  FTP site, securing, 566–578
  PKI for, 155–158
  for SMTP virtual server, 595–599
  for Terminal Server role service, 618
  TLS, 490–499
  Web site/application, 489–490, 537–538
security association (SA), 824
security certificates See certificates
Security Configuration Wizard,
security principal, 432
Security tab, 219–220
Selected Attribute Types Standard, 163
self-enrollment, of AD RMS, 121
self-signed certificate, 191
self-signed token-signing certificate, 132–133
Server authentication
  Remote Desktop Connection utility configuration, 665–666
  Remote Desktops Snap-in configuration, 670–671
Server Certificates module, 567–570
server components, of WDS, 42
server configuration, IIS, 533–534
Server Core
  in 32-bit/64-bit editions, 147
  AD LDS support of, 115
  definition of, 95
  description of, 101–102
  DHCP configuration via, 806–808
  features of, 103
  FTP Server installation on, 553–556
  full installation vs., 464
  IIS administration on, 540
  IIS on, 453–454
  installation, command line for, 808
  installation of, 38–41, 857
  installation of Active Directory Domain Services Role, 104–107
  as minimal environment,
  Web Server Role, installing on, 459–461
server gated certificate, 496
Server Manager
  for AD FS configuration, 131–143
  for AD LDS configuration, 115–118
  for AD RMS configuration, 122–129
  Add Role Wizard, 98–100
  definition of, 95
  DHCP role in, 786
  features of, 95–97
  functions of,
  opening, 97–98
  for RODC configuration, 108–113
  for role deployment, 147
  tools, 900
server roles
  Active Directory Federation Services, 129–143
  Active Directory Lightweight Directory Service, 114–119
  Active Directory Rights Management Service, 120–129
  DHCP, adding, 785–787
  new roles in Windows Server 2008, 94–95
  overview of, 144–145
  read-only domain controllers, 107–114
  scripting vs GUI, 101
  Server Core, Active Directory, 101–107
  Server Manager to implement roles, 95–100
  TS Web Access, 735–739
servers
  access, types of, 905
  DHCP, authorizing, 800–801
  DHCP, non-Windows, 801
  DHCP, suggestions for, 785
  recovering system state for, 265–266
  RSAT, installing, 462–464
servers, deployment of
  high availability, configuration of, 65–73
  storage, configuration of, 54–64
  Windows activation, configuration of, 73–80
  Windows Deployment Services, 41–54
  See also Windows Server 2008, installation of
Service Set Identifier (SSID), 914–915
Services tab, Task Manager, 306
Session Initiation Protocol (SIP), 796
sessions, TS
  disconnecting, 753
  monitoring, 749–750
  permissions, 746–748
  Session Broker, description of, 685
  time limits, 739–740
  users, logging off from, 752–753
SFTP (SSH File Transfer Protocol), 549
SHA (System Health Agent), 939
SHA1 (Secure Hash Algorithm-1), 821
Shamir, Adi, 161
shared configuration, NLB, 531–532
shared secret key, 174
shortcut trusts
  creation of, 430–431
  for efficiency, 423
  function of, 437
SHVs (System Health Validators), 939, 954
SID filtering
  elevation of privilege attack and, 431–432
  to secure trust relationship, 438
signatures See digital signatures
Simple Message Transfer Protocol (SMTP) Service
  installation of, 580–582
  overview of, 601, 602
  for site replication, 417–418
  SMTP Server, real world use of, 579–580
  SMTP server relay process, 578–579
  virtual server, adding domain routing instructions, 583–586
  virtual server, configuration of, 586–595
  virtual server, creating new, 583
  virtual server, securing, 595–599
single CA model, 189
SIP (Session Initiation Protocol), 796
site, definition of, 389
site link bridges, 415–416
site links
  creation of, 405–408
  replication, scheduling, 416–417
  replication protocols, 417–418
  site link costs, configuration of, 408–410
  transitivity, disabling, 439
  verification of, 421
sites
  FTP site, securing, 566–578
  FTP sites, provisioning, 556–565
  GC servers, placing within, 372–376
sites, Active Directory
  configuration for multiple sites, 438–439
  creation of site, 394–398
  overview of, 354, 435–436
  renaming, 399–400, 439
  replication, 411–418
  replication between sites, configuration of, 419
  replication failure, troubleshooting, 420–422
  replication topology, 418–419
  site link costs, configuration of, 408–410
  site links, creation of, 405–408
  subnets, associating with sites, 403–405
  subnets, creation of, 400–403
6to4, 782
smart card, 235, 236
SMTP Server
  authentication, 597
  connection control, 598
  creation of new virtual server, 583
  domain routing instructions, 583–586
  installation of, 580–582
  mail forwarding, 603
  mail queuing, 604
  real world use of, 579–580
  relay process, 578–579
  relay restrictions, 598–599
  transport security for, 595–596
  virtual server, configuration of, 586–595
SMTP Service See Simple Message Transfer Protocol (SMTP) Service
software policy validation, NAP, 939
software RAID, 55
SRV record, 78–79
SSH File Transfer Protocol (SFTP), 549
SSID (Service Set Identifier), 914–915
SSL See Secure Sockets Layer
SSTP See Secure Socket Tunneling Protocol
Stability Index, 335–337
standard CA, 190–191
standard certificate, 496
standards, 932
Starter GPOs, 288
static compression, 529
static IP address, 783–784
static routing
  description of, 924
  overview of, 875–876
storage
  demand for, 54
  Fibre Channel Protocol, 59–60
  iSCSI, 60–62
  of keys in PKI, 165
  mount points, 62–64
  Network Attached Storage, 56–57
  network for Web site content, 467–468
  overview of, 82
  RAID types, 55–56
  Storage Area Networks, 57–58
Storage Area Networks (SANs)
  benefits/drawbacks of, 57–58
  failover cluster on, 66
stream symmetric algorithms, 161
Streaming Media Services Role,
stub area, 877–878
Subject Name tab, 215–216
subnet mask
  IPv4, 774–778
  overview of, 770–771
subnets
  in Active Directory, 392
  associating with sites, 403–405
  communication with, 389
  creation of, 400–403
subordinate CA, 191–192
Subscriptions, in Event Viewer, 315–319
supernetting, 778
Superseded Templates tab, 217–218
supplicant, 960
symmetric algorithms, 161
symmetric key encryption, 162
System Health Agent (SHA), 939
System Health Validators (SHVs), 884, 939, 954
System Stability Chart, 335–337
system state data
  backing up, 259–262
  recovering, 265–266
  WSB backup of, 345
system volume warning, 48

T

tape, backup, 345
targets, of iSCSI, 61–62
Task Manager
  Applications tab, 304–305
  Networking tab, 307–308
  overview of, 302–304
  Performance tab, 306–307
  Processes tab, 305
  Services tab, 306
  Users tab, 309
TCP port 3389, 720
TCP service unavailable responses, 532–533
TCP/IP See Transmission Control Protocol/Internet Protocol
telephone method
  for TS CALs installation, 648, 655–657
  TS Licensing role service activation, 626
templates See certificate templates
Teredo, 782
Terminal server, client connections to
  connectivity with TS Licensing server, 638–647
  Remote Desktop Connection utility for, 658–666
  Remote Desktops Snap-in, installation of, 666–671
Terminal Server role service
  installation of, 611–618
  license mode, 618–620
  overview of, 673
  planning for, 618
Terminal Service (TS) Gateway Manager, 714–715
Terminal Services
  benefits of, 610
  client connections, establishing, 658–671
  original components of, 610–611
  role, 5–6
  Terminal Server role service, deployment of, 611–620
Terminal Services Client Access Licenses (TS CALs)
  activation methods, 647–648
  activation without Internet, 676
  backup of, 657
  installation/activation with automatic connection method, 648–653
  installation/activation with telephone method, 655–657
  installation/activation with Web browser method, 653–655
  Per Device connection blocking, 675
Terminal Services Configuration tool
  description of, 686
  to specify Terminal Services Licensing server, 639–642
Terminal Services Gateway
  certificate configuration, 712–714
  description of, 685
  function of, 759
  overview of, 709–712, 755–756
  TS CAP, accessing resources using, 715–719
  TS Gateway Manager, 714–715
  TS Group Policy settings, 721–724
Terminal Services Gateway Manager, 687
Terminal Services licensing
  grace period, 675
  overview of, 673–674
  recovery of TS license server, 657
  TS CALs, installation/management of, 647–657
  TS Licensing role service, activation of, 626–647
  TS Licensing role service, installation of, 621–626
Terminal Services Licensing Manager
  activation methods for TS Licensing role service, 626
  activation with Automatic connection, 627–633
  publishing TS Licensing server with, 642
  TS CALs installation/activation with, 647–657
Terminal Services Licensing role service
  activation of, 626–647
  activation with Automatic connection, 627–633
  activation with telephone method, 635–638
  activation with Web browser method, 633–635
  connectivity, 638–647
  installation of, 621–626
  licenses, obtaining, 675–676
Terminal Services Licensing server
  connectivity with Terminal Server, 638–647
  installation of, 621–626
  publishing, 642–647
  recovery of, 657
  Terminal Services Configuration tool to specify, 639–642
Terminal Services Manager
  description of, 686
  sessions, disconnecting, 753
  TS services reset with, 753
  users, logging off with, 752–753
Terminal Services (TS), managing
  application logging, configuring, 692–693
  configuring/monitoring, 684–687
  connection limits, 744
  data prioritization, displaying, 751–752
  load balancing, 693–709
  overview of, 684, 740, 754–755, 756–757
  processes, viewing, 748–749
  RDP permissions, 740–744
  RemoteAPP, 724–734
  resetting, 753
  session permissions, 746–748
  session time limits, 745–746
  sessions, disconnecting, 753
  sessions, monitoring, 749–750
  tasks involved in, 759
  Terminal Services Gateway, 709–724
  TS Remote Desktop Web connection, 738–740
  TS Web Access, 735–738
  users, logging off, 752–753
  WSRM, allocating resources using, 687–692
termination, of RDC session, 659–660
three-hop rule, 414–415
TLS See Transport Layer Security
tools
  Event Viewer, 310–319
  IIS diagnostics, 520–525
  Reliability and Performance Monitor, 331–340
  Remote Server Administration Tools, 462–464
  TS management, 758
  Wbadmin.exe, 255–256
  See also command-line tools
traffic filtering, incoming/outgoing
  connection security rules, 840–841
  firewall profiles, 841–842
  IPSec settings, 842–846
  monitoring, 846–847
  rules, creating, 838–840
  WFAS, 837
  WFAS, identifying in, 837–838
transition technologies, IPv6, 781–782, 784
transitive trust, 424–425
transitivity
  site link transitivity, 439
  of trust, 424–425
Transmission Control Protocol/Internet Protocol (TCP/IP)
  IPv6 and, 401
  network communication with, 768
  stack, next generation, 774
Transport Layer Security (TLS)
  description of, 490–491
  for SMTP Server, 595–596
transport mode, IPSec, 822
transport security
  for FTP site, 566–572
  overview of, 490–493
  secure communication, enabling, 498–499
  security certificate, adding new, 493–498
  for SMTP virtual server, 595–596
Transport Server, 52
tree-root trust, 428
troubleshooting
  fact lists, 509
  with Reliability Monitor, 336
  replication, 420–422
  with Task Manager, 303–304, 309
Truman, Harry, 161
trust, definition of, 425
trust anchor, 191
trust levels See .NET Trust Levels
trust model, 189
trust path, 425
trust policy, 137–139
trusted third party (TTP)
  as CA, 189–190
  online, 156
  PKI component, 158
  in PKI process, 155
trusts
  default trusts, 428
  direction of trust, 423–424
  external, realm, shortcut trusts, 437
  external trusts, 429–430
  forest trusts, 428–429
  implicit/explicit trusts, 427
  implied, implicit, explicit trusts, 438
  one-way trusts, 425–426
  overview of, 434–435, 436
  for protection of resources, 422–423
  shortcut trusts, 430–431
  SID filtering, 431–432
  transitive trust, 424–425
TS See Terminal Services
TS CALs See Terminal Services Client Access Licenses
TS Connection Authorization Policy (TS CAP)
  accessing resources through TS Gateway using, 715–719
  description of, 759
TS RAP See TS Resource Authorization Policy
TS Remote Desktop Web connection, 738–740
TS RemoteApp
  configuring, 725–735
  overview of, 724–725, 756
TS RemoteApp
Manager, 686–687 TS Resource Authorization Policy (TS RAP) accessing resources through TS Gateway using, 719–721 description of, 759 TS Session Broker local group, adding on, 697 redirection modes, 758 role, installing, 694–697 role, load balancing with, 694 TS Web Access configuring, 735–738 TS Remote Desktop Web connection, 739–740 TS Web Access Administration, 687 TTP See trusted third party tunnel mode, IPSec, 822 U unattend file, 51–52 unidirectional replication, 108 Universal Group membership caching, 374–376 information in GC server, 370 replication and, 371 upgrade from Windows Server 2003, 84 to Windows Server 2008, 10–12, 20–21 upgrade paths, 10–12 URL authorization for FTP site authorization, 574–575 module, IIS, 505–506 User Account Control, 7–8 User Certificate Templates, 221–222 user certificates auteoenrollment of, 235 function of, 187 User Datagram Protocol (UDP) DHCP traffic on, 799 traffic filtering and, 848 User Isolation feature, 577–578 user principal names (UPNs) authentication, 368 Global Catalog to resolve, 366 users access restriction based on IP address, 575–576 authentication for FTP site, 572–573 authorization for FTP site, 573–578 IP address, access restriction by, 509–513 keys stored in user profile, 165 TS, logging off, 752–753 Users tab, Task Manager, 309 V validity period for certificate template, 211 determination of, 236 for new certificate, 235 VAMT (Volume Activation Management Tool), 74 VeriSign, 156, 190 versioning, certificate templates, 228–229 vhd image files, 242, 261–262 virtual channel traffic, 751 virtual directories adding with IIS, 469–471 FTP, creation of, 564 virtual hosts, 557–558 virtual local area networks (VLANs) importance of understanding, 967 NAP and, 938–939 Virtual Private Networks (VPNs) NAP and, 882 NAP VPN enforcement, 945–949 overview of, 900 RRAS authentication, 819–820 with Server 2008, 899 SSL server, installing/configuring, 901–905 vs SSTP, 898 virtual server SMTP, provisioning, 583–595 SMTP, 
securing, 595–599 Virtualization Role, VLANs See virtual local area networks Volume Activation Management Tool (VAMT), 74 volume mount points, 62–64 Volume Shadow Copy Service (VSS) description of, 259 for failover cluster backup/restore, 69 volumes, critical, 264–265 VPNs See Virtual Private Networks W w3wp.exe, 483–484 Wbadmin.exe description of, 255–256 removable media, backing up to, 256–259 for System State backup, 259–262 WDS See Windows Deployment Services Web access, TS, 684 Web application services, 448 See also Internet Information Services Web applications, configuring with IIS, 478–480 Web browser certificate request via, 195–196 for TS CALS installation, 648, 653–655 TS Licensing role service activation, 626 Web enrollment, of PKI, 159–160 Web farm scaling compression, 528–531 NLB, 531–533 output caching, 526–528 overview of, 525 Web farms large, IIS deployment on, 455 small, IIS deployment on, 454–455 Web infrastructure services See FTP Publishing Service; Simple Message Transfer Protocol (SMTP) Service Web server certificate request via, 195–196 compression module, 530 enabling PHP on, 487–489 simple, IIS deployment on, 454 Web Server (IIS) role of FTP Publishing Service installation, 550–553 FTP Server installation on Server Core, 553–556 improvements in functionality, installing, 456–459 installing on Server Core, 459–461 Web sites content, using network storage for, 467–468 content compression, 529–531 creating with IIS, 466–468 provisioning with IIS, 464–465 secure communication, enabling, 498–499 securing, 537–538 Web sites/applications, securing authentication, 499–502 authorization, 505–513 client certificate mapping, AD, 505 www.syngress.com 1062 Index Web sites/applications, securing (Continued ) client certificates considerations, 502–505 NET Trust Levels, 513–514 overview of, 489–490 secure communication, enabling, 498–499 security certificate, adding new, 493–498 TLS, 490–493 web.config, 515 Web-site bound FTP site, 559–560 WFAS See 
Windows Firewall with Advanced Security Whitfield, Diffie, 161 Wi-Fi Protected Access (WPA2), 916 Wi-Fi Protected Access (WPA), 915 wildcard certificate, 497 Windows 2000 domain functional level, 360 forest functional level, 362–363 forest/domain functional levels, 358, 359 Windows activation See activation, Windows Windows authentication, IIS, 500 Windows Backup, 243 Windows Deployment Services (WDS) components of, configuration of, 43–50 finding server, 86 function of, 41 images, capturing, 51–52 images, deployment of, 52–54 installation requirements, 43 modifications to, 42–43 NBP in, 803 overview of, 82 Windows Firewall, 870 Windows Firewall with Advanced Security (WFAS) command-line tools, 849–850 configuring, 835–837 exceptions for Server Core installation, 459, 461 improvements of, 925 inbound/outbound filters of, 905–906 incoming/outgoing traffic filtering, 837–847 IPSec and, 826 managing via Group Policy, 847–848 new features in, 830–835 overview of, 855–856 ports/protocols, 848 in Server 2008, 830 Windows Image (.wim) format, 51–52 Windows interface, 798 Windows Logs, 313 Windows Management Instrumentation (WMI) for failover cluster management, 69 www.syngress.com for remote administration of IIS on Server Core, 555 for remote IIS administration, 464 Windows Resource Protection (WRP), 259 Windows Security Health Agent (WSHA), 939 Windows Security Health Validator (WSHV), 939 Windows Server 2003 domain functional level, 360–361 forest functional level, 363–364 forest/domain functional levels, 358, 359 IPSec, configuring in, 826 vs Server 2008 NPS, 925 Windows Server 2008 changes from, 3–8 Windows Server 2008 802.1x settings, configuring in, 816–819 authentication, 809 connection limits, 744 domain functional levels, 361–362 forest functional level, 364 forest functional levels, configuration of, 362–364 forest/domain functional levels, 358–359 IIS features of, 448–451 IPSec, configuring in, 825–827 new server roles in, 94–95 NPS and, 925 OSPF and, 878 PKI 
components, 158–159 PKI enhancements in, 159–160 PPTP and L2TP/IPSec protocols, 820–821 protocols not supported by, 810 remote access with, 870–871 RIP support of, 877 routing changes in, 924 routing with, 869–870 RRAS changes in, 819 Server Backup, 243, 345 Server Core vs full installation, 464 SSTP, configuring on, 899–900 TS management tools, 758 WFAS in, 830–850 wireless access with, 871 Windows Server 2008 Datacenter Edition, Windows Server 2008 Enterprise Edition features of, 8–9 hardware system requirements, 9–10 installation of, 12–20 upgrade paths, 10–12 Windows Server 2008 for Itanium-based Systems, Windows Server 2008, installation of AD DS, new installation options, 21–22 Enterprise Edition, installation of, 8–20 install from media, 37–38 installation of Windows Server 2008 forest, 23–36 new functionality, 3–8 planning/preparation steps, 2–3 Server Core, installation of, 38–41 upgrading to Windows Server 2008, 20–21 Windows Server 2008 Standard Edition, Windows Server Backup backup scheduling, 248–255 installing, 243–248 overview of, 242–243 tape backup support, 345 Windows Server Web application services, 448 Windows System Resource Manager (WSRM) accounting data, 758 allocating resources using, 687–688 application logging, configuring, 692–963 installing, 688–692 overview of, 329–331 TS management with, 687 Windows Vista, 448–451 Windows Web Server 2008, WinFrame, 610–611 wireless access configuring, 910–914, 922–923 SSID, 914–915 WPA, 915 WPA2, 916 Wireless Auto Configuration, 911 wireless diagnostics tracing, 912 wireless group policy, 918–919 witness disk, 69 WMI See Windows Management Instrumentation workgroup option, 638 World Wide Web, 155–156 WPA (Wi-Fi Protected Access), 915 WPA2 (Wi-Fi Protected Access 2), 916 WRP (Windows Resource Protection), 259 WS-Federation Passive Requester Profile (WS-F PRP), 129 WSHA (Windows Security Health Agent), 939 WSHV (Windows Security Health Validator), 939 WSRM See Windows System Resource Manager X X.509 
standard certificate data in, 168–169 Certificate Practice Statement, 197 format for certificates, 234 ... taking the exam Upgrading Your MCSE Certification Those who already hold the MCSE Windows 2003 can upgrade their certifications to MCITP Server Administrator by passing: ■ Exam 70-649 ■ Exam 70-646... installation of Windows Server 2008 EXERCISE 1.1 INSTALLING WINDOWS SERVER 2008 To install Windows Server 2008, follow these steps: Insert the Windows Server 2008 Enterprise Edition DVD in the DVD-ROM... Pack (SP2) Windows Server 2008 Standard RC0 Windows Server 2008 Standard RC1 Windows Server 2003 R2 Enterprise Edition Full installation of Windows Server 2008 Enterprise Windows Server 2003 Enterprise