Windows Server ® 2008 UNLEASHED 800 East 96th Street, Indianapolis, Indiana 46240 USA Rand Morimoto, Ph.D., MCSE, CISSP Michael Noel, MCSE+I, CISSP, MCSA, MVP Omar Droubi, MCSE Ross Mistry, MCTS, MCDBA, MCSE Chris Amaris, MCSE, CISSP Windows Server ® 2008 Unleashed Copyright © 2008 by Sams Publishing All rights reserved. No part of this book shall be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photo- copying, recording, or otherwise, without written permission from the publisher. No patent liability is assumed with respect to the use of the information contained herein. Although every precaution has been taken in the preparation of this book, the publisher and author assume no responsibility for errors or omissions. Nor is any liability assumed for damages resulting from the use of the information contained herein. ISBN-13: 978-0-672-32930-2 ISBN-10: 0-672-32930-1 Library of Congress Cataloging-in-Publication Data is on file Printed in the United States of America First Printing: February 2008 Trademarks All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Sams Publishing cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. Warning and Disclaimer Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information provided is on an “as is” basis. The authors and the publisher shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book. Bulk Sales Sams Publishing offers excellent discounts on this book when ordered in quan- tity for bulk purchases or special sales. For more information, please contact U.S. Corporate and Government Sales 1-800-382-3419 corpsales@pearsontechgroup.com For sales outside of the U.S., please contact International Sales international@pearsoned.com Editor-in-Chief Karen Gettman Senior Acquisitions Editor Neil Rowe Development Editor Mark Renfrow Managing Editor Gina Kanouse Project Editor Betsy Harris Copy Editor Karen Annett Senior Indexer Cheryl Lenser Proofreader Kathy Ruiz Technical Editor Jeff Guillet, MCSE: Messaging, MCSA, MCP+I, CISSP Publishing Coordinator Cindy Teeters Book Designer Gary Adair Senior Compositor Jake McFarland Contributing Writers Kimberly Amaris, PMP Scott G. Chimner, CISSP, MCSE, MCSA Stefan Garaygay, MCSE Jeff Guillet, MCSE: Messaging, MCSA, MCP+I, CISSP Robert Jue, MCSE, MCDBA Tyson Kopczynski, CISSP, GSEC, GCIH, MCSE Security Alec Minty, MCSE Shirmattie Seenarine Colin Spence, MCP James V. Walker, MCP, MCSE Chris Wallace, MCSA, MCSE Contents at a Glance Part I Windows Server 2008 Overview 1 Windows Server 2008 Technology Primer 3 2 Planning, Prototyping, Migrating, and Deploying Windows Server 2008 Best Practices 39 3 Installing Windows Server 2008 and Server Core . 73 Part II Windows Server 2008 Active Directory 4 Active Directory Domain Services Primer 105 5 Designing a Windows Server 2008 Active Directory 139 6 Designing Organizational Unit and Group Structure . 165 7 Active Directory Infrastructure 185 8 Creating Federated Forests and Lightweight Directories . 217 9 Integrating Active Directory in a UNIX Environment . 235 Part III Networking Services 10 Domain Name System and IPv6 251 11 DHCP/WINS/Domain Controllers . 297 12 Internet Information Services . 331 Part IV Security 13 Sever-Level Security 375 14 Transport-Level Security 399 15 Security Policies, Network Policy Server, and Network Access Protection 415 Part V Migrating to Windows Server 2008 16 Migrating from Windows 2000/2003 to Windows Server 2008 . 439 17 Compatibility Testing for Windows Server 2008 . 473 Part VI Windows Server 2008 Administration and Management 18 Windows Server 2008 Administration 499 19 Windows Server 2008 Group Policies and Policy Management . 533 20 Windows Server 2008 Management and Maintenance Practices 581 21 Automating Tasks Using PowerShell Scripting . 639 22 Documenting a Windows Server 2008 Environment . 685 23 Integrating Systems Center Operations Manager 2007 with Windows Server 2008 715 Part VII Remote and Mobile Technologies 24 Server-to-Client Remote and Mobile Access . 737 25 Terminal Services 783 Part VIII Desktop Administration 26 Windows Server 2008 Administration Tools for Desktops 839 27 Group Policy Management for Network Clients . 865 Part IX Fault Tolerance Technologies 28 File System Management and Fault Tolerance 935 29 System-Level Fault Tolerance (Clustering/Network Load Balancing) 993 30 Backing Up the Windows Server 2008 Environment . 1043 31 Recovering from a Disaster . 1077 Part X Optimizing, Tuning, Debugging, and Problem Solving 32 Optimizing Windows Server 2008 for Branch Office Communications . 1111 33 Logging and Debugging . 1145 34 Capacity Analysis and Performance Optimization 1189 Part XI Integrated Windows Application Services 35 Windows SharePoint Services 3.0 . 1233 36 Windows Media Services 1281 37 Deploying and Using Windows Virtualization . 1313 Index 1339 Table of Contents Introduction xlix Part I Windows Server 2008 Overview 1 Windows Server 2008 Technology Primer 3 Windows Server 2008 Defined . 3 Windows 2008 Under the Hood . 4 Windows Server 2008 as an Application Server 6 When Is the Right Time to Migrate? . 8 Adding a Windows Server 2008 System to a Windows 2000/2003 Environment 8 Migrating from Windows 2000/2003 Active Directory to Windows Server 2008 Active Directory 9 Versions of Windows Server 2008 . 9 Windows Server 2008, Standard Edition . 10 Windows Server 2008, Enterprise Edition . 10 Windows Server 2008, Datacenter Edition 11 Windows Web Server 2008 . 11 Windows Server 2008 Server Core . 12 What’s New and What’s the Same About Windows Server 2008? 13 Visual Changes in Windows Server 2008 13 Continuation of the Forest and Domain Model . 13 Changes That Simplify Tasks 14 Increased Support for Standards 16 Changes in Active Directory 16 Renaming Active Directory to Active Directory Domain Services 17 Renaming Active Directory in Application Mode to Active Directory Lightweight Directory Service 17 Expansion of the Active Directory Federation Services 17 Introducing the Read-Only Domain Controller . 18 Windows Server 2008 Benefits for Administration . 18 Improvements in the Group Policy Management . 19 Introducing Performance and Reliability Monitoring Tools 20 Leveraging File Server Resource Manager 21 Introduction of Windows Deployment Services . 21 Improvements in Security in Windows Server 2008 . 22 Enhancing the Windows Server 2008 Security Subsystem 22 Transport Security Using IPSec and Certificate Services . 23 Security Policies, Policy Management, and Supporting Tools for Policy Enforcement 23 Improvements in Windows Server 2008 for Better Branch Office Support . 23 Read-Only Domain Controllers for the Branch Office . 24 BitLocker for Server Security . 24 Distributed File System Replication 25 Improvements in Distributed Administration 26 Improvements for Thin Client Terminal Services . 26 Improvements in RDP v6.x for Better Client Capabilities 26 Terminal Services Web Access . 27 Terminal Services Gateway . 28 Terminal Services Remote Programs . 28 Improvements in Clustering and Storage Area Network Support . 29 No Single Point of Failure in Clustering . 29 Stretched Clusters . 30 Improved Support for Storage Area Networks 30 Improvements in Server Roles in Windows Server 2008 30 Introducing Internet Information Services 7.0 . 30 Windows SharePoint Services . 31 Windows Rights Management Services . 31 Windows Server Virtualization 32 Identifying Which Windows Server 2008 Service to Install or Migrate to First 33 Windows Server 2008 Core to an Active Directory Environment 33 Windows Server 2008 Running Built-in Application Server Functions . 34 Windows Server 2008 Running Add-in Applications Server Functions . 36 2 Planning, Prototyping, Migrating, and Deploying Windows Server 2008 Best Practices 39 Determining the Scope of Your Project 40 Identifying the Business Goals and Objectives to Implement Windows Server 2008 . 40 High-Level Business Goals 41 Business Unit or Departmental Goals . 42 Identifying the Technical Goals and Objectives to Implement Windows Server 2008 . 43 Defining the Scope of the Work 44 Determining the Time Frame for Implementation or Migration 46 Defining the Participants of the Design and Deployment Teams . 48 Windows Server 2008 Unleashed vi The Discovery Phase: Understanding the Existing Environment . 49 Understanding the Geographical Depth and Breadth 51 Managing Information Overload . 52 The Design Phase: Documenting the Vision and the Plan . 52 Collaboration Sessions: Making the Design Decisions . 53 Organizing Information for a Structured Design Document . 54 Windows Server 2008 Design Decisions 55 Agreeing on the Design . 56 The Migration Planning Phase: Documenting the Process for Migration . 57 Time for the Project Plan . 57 Speed Versus Risk . 58 Creating the Migration Document 59 The Prototype Phase: Creating and Testing the Plan . 62 How Do You Build the Lab? . 63 Results of the Lab Testing Environment . 63 The Pilot Phase: Validating the Plan to a Limited Number of Users . 64 The First Server in the Pilot 65 Rolling Out the Pilot Phase 66 Fixing Problems in the Pilot Phase 67 Documenting the Results of the Pilot . 67 The Migration/Implementation Phase: Conducting the Migration or Installation . 67 Verifying End-User Satisfaction . 67 Supporting the New Windows Server 2008 Environment 68 3 Installing Windows Server 2008 and Server Core 73 Preplanning and Preparing a Server Installation 73 Verifying Minimum Hardware Requirements . 74 Choosing the Appropriate Windows Edition . 75 Choosing a New Installation or an Upgrade 75 Determining the Type of Server to Install . 77 Gathering the Information Necessary to Proceed . 77 Backing Up Files . 79 Installing a Clean Version of Windows Server 2008 Operating System . 79 1. Customizing the Language, Time, Currency, and Keyboard Preferences 80 2. The Install Now Page . 80 3. Entering the Product Key . 80 4. Selecting the Type of Operating System to Install . 81 5. Accepting the Terms of the Windows Server 2008 License 82 6. Selecting the Type of Windows Server 2008 Installation 82 Contents vii 7. Selecting the Location for the Installation . 82 8. Finalizing the Installation and Customizing the Configuration . 83 Upgrading to Windows Server 2008 88 Backing Up the Server . 88 Verifying System Compatibility 89 Ensuring the Drivers Are Digitally Signed . 89 Performing Additional Tasks . 89 Performing the Upgrade 90 Understanding Server Core Installation 93 Performing a Server Core Installation . 93 Managing and Configuring a Server Core Installation 95 Launching the Command Prompt in a Server Core Installation 95 Changing the Server Core Administrator’s Password . 95 Changing the Server Core Machine Name 96 Assigning a Static IPV4 IP Address and DNS Settings 96 Adding the Server Core System to a Domain . 97 Server Core Roles and Feature Installations . 97 Installing the Active Directory Domain Services Role 99 Performing an Unattended Windows Server 2008 Installation 100 Part II Windows Server 2008 Active Directory 4 Active Directory Domain Services Primer 105 Examining the Evolution of Directory Services 106 Reviewing the Original Microsoft Directory Systems . 106 Numbering the Key Features of Active Directory Domain Services . 107 Understanding the Development of AD DS . 107 Detailing Microsoft’s Adoption of Internet Standards 108 Examining AD DS’s Structure 108 Understanding the AD DS Domain 108 Describing AD DS Domain Trees . 109 Describing Forests in AD DS . 110 Numbering the AD DS Authentication Modes . 110 Outlining Functional Levels in Windows Server 2008 AD DS . 110 Outlining AD DS’s Components 111 Understanding AD DS’s X.500 Roots 111 Conceptualizing the AD DS Schema . 112 Defining the Lightweight Directory Access Protocol (LDAP) . 113 Detailing Multimaster Replication with AD DS Domain Controllers 114 Windows Server 2008 Unleashed viii Conceptualizing the Global Catalog and Global Catalog Servers . 114 Numbering the Operations Master (OM) Roles . 114 Understanding Domain Trusts 116 Conceptualizing Transitive Trusts 116 Understanding Explicit Trusts . 116 Defining Organizational Units 118 Determining Domain Usage Versus OU Usage . 118 Outlining the Role of Groups in an AD DS Environment 119 Choosing Between OUs and Groups 121 Explaining AD DS Replication 121 Sites, Site Links, and Site Link Bridgeheads 121 Understanding Originating Writes . 123 Outlining the Role of DNS in AD DS 123 Examining DNS Namespace Concepts 123 Comprehending Dynamic DNS . 124 Comparing Standard DNS Zones and AD-Integrated DNS Zones . 125 Understanding How AD DS DNS Works with Foreign DNS . 125 Outlining AD DS Security 125 Understanding Kerberos Authentication . 125 Taking Additional Security Precautions . 126 Outlining AD DS Changes in Windows Server 2008 . 126 Restarting AD DS on a Domain Controller 126 Implementing Multiple Password Policies per Domain 127 Auditing Changes Made to AD Objects . 132 Reviewing Additional Active Directory Services 133 Examining Additional Windows Server 2008 AD DS Improvements 134 Reviewing Legacy Windows Server 2003 Active Directory Improvements 134 5 Designing a Windows Server 2008 Active Directory 139 Understanding AD DS Domain Design . 139 Examining Domain Trusts 140 Choosing a Domain Namespace 141 Choosing an External (Published) Namespace . 141 Choosing an Internal Namespace 142 Examining Domain Design Features 142 Choosing a Domain Structure . 143 Understanding the Single Domain Model . 144 Choosing the Single Domain Model 145 Exploring a Single Domain Real-World Design Example 146 Contents ix [...]... 289 Contents xv How to Configure IPv6 on Windows Server 2008 289 Manually Setting the IPv6 Address 290 Setting Up a DHCPv6 Server on Windows Server 2008 291 Setting Up a DHCPv6 Scope on Windows Server 2008 292 Adding an IPv6 Host Record in Windows Server 2008 DNS 292 11 DHCP/WINS/Domain... 20 Windows Server 2008 Management and Maintenance Practices 581 Initial Configuration Tasks 582 Managing Windows Server 2008 Roles and Features 583 Roles in Windows Server 2008 583 Features in Windows Server 2008 585 xxiv Windows. .. Protection (NAP) in Windows Server 2008 415 Exploring the Reasons for Deploying NAP 416 Outlining NAP Components 416 Understanding Windows Server 2008 NAP Terminology 417 Deploying a Windows Server 2008 Network Policy Server ... OpsMgr Agent on the Windows Server 2008 System 729 Monitoring Functionality and Performance with OpsMgr 732 Part VII 24 Remote and Mobile Technologies Server- to-Client Remote and Mobile Access 737 Windows Server 2008 RRAS Features and Services 738 Virtual Private Networking in Windows Server 2008 ... Environment 235 Understanding and Using Windows Server 2008 UNIX Integration Components 235 The Development of Windows Server 2008 UNIX Integration Components 236 Understanding the UNIX Interoperability Components in Windows Server 2008 ... Protocol 431 Enabling VPN Functionality on an RRAS Server 432 Modifying the RRAS Network Policy 434 Part V 16 Migrating to Windows Server 2008 Migrating from Windows 2000/2003 to Windows Server 2008 439 Beginning the Migration Process 439... Group Policy Administrative Templates Explained 550 Administrative Templates for Windows 2000, Windows XP, and Windows Server 2003 551 Group Policy Administrative Templates for Windows Vista and Windows Server 2008 552 Custom Administrative Templates ... 392 Installing WSUS on a Windows Server 2008 Server 392 Automatically Configuring Clients via Group Policy 394 Deploying Security Patches with WSUS 396 14 Transport-Level Security 399 Introduction to Transport-Level Security in Windows Server 2008 400 The Need for Transport-Level Security... 585 xxiv Windows Server 2008 Unleashed Server Manager 587 Server Manager Roles and Features 588 Server Manager Roles Page 588 Server Manager Features Page 592 Server Manager Diagnostics... Security 316 xvi Windows Server 2008 Unleashed Reviewing the Windows Internet Naming Service (WINS) 317 Understanding the Need for Legacy Microsoft NetBIOS Resolution 317 Exploring WINS and DNS Integration 317 Reviewing Changes in Windows Server 2008 WINS . Contents Introduction xlix Part I Windows Server 2008 Overview 1 Windows Server 2008 Technology Primer 3 Windows Server 2008 Defined Windows Server 2008 Administration and Management 18 Windows Server 2008 Administration 499 19 Windows Server