
### DEPLOY, MANAGE, AND MAINTAIN SERVERS

- Deploy Servers (WDS)


- Manage Servers: Implement Patch Management (WSUS)
- Maintain Servers: Monitor Servers (Data Collector)
~ Discover Servers
~ Gather Interesting Information from Servers (FPCAS)
** Best practices for WDS
** Best practices for WSUS

# DEPLOYING AND CONFIGURING SERVER IMAGES


# WINDOWS DEPLOYMENT SERVICES
- WDS is a server role that is included with Windows Server 2012.
- WDS is used for network-based installation.
- WDS uses technologies like Windows PE, .WIM, .VHD and .VHDX, and image-based deployment.
- WDS is used to deploy Windows images to a bare-metal computer (a computer with a blank hard drive, nothing on it).
- Can be used to deploy both server and client images. (What will you most likely use it for? Your clients, not servers: in most networks there are many, many more clients than servers.) Also, you'll probably use another method to deploy your servers.
- WDS can deploy clients going back to Windows XP.
- WDS supports lite-touch, zero-touch or high-volume deployments.
- Managed with the WDS MMC snap-in.
+ Components of WDS
- Servers, which are used to store and deploy images
- Clients that receive images
- Images are received via PXE (Preboot Execution Environment).
- If the computer can PXE boot, you don't need to have anything locally. The PC can go across the network and download a boot image.

WDS Pre-requisites
ADDS: What is it needed for?
DNS: What is it needed for? Server Locator
DHCP: What is it needed for? PXE boot. (If the DHCP server will be on your WDS server, you need to prevent WDS from listening on UDP port 67. You also need DHCP option 60 enabled; this enables the DHCP client to locate the WDS server. If the server is a DHCP server first, then when you install WDS on that server, it happens automatically. You only have to do this if you are first a WDS server and then decide to make it a DHCP server.)
- NTFS volume (for storing images)
- Clients are PXE enabled
+ Post Installation Tasks
- Configure WDS: WDS Configuration Wizard or WDSUtil.exe
You will need to add at least one boot image and one install image to the image store.
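
The prerequisites and post-installation tasks above, done from an elevated PowerShell prompt with WDSUtil.exe instead of the wizard. This is an added example, not part of the original notes; the paths, the image group name and the choice to answer only known clients are assumptions.

```powershell
# Added example, not from the original notes. Run elevated on the WDS server.
# Assumed values: image store path, media path and image group name.
$remInst = 'D:\RemoteInstall'   # assumed path; must be on an NTFS volume
$media   = 'E:\sources'         # assumed location of boot.wim / install.wim
$group   = 'Win8-x64'           # assumed image group (product + architecture)

# Prerequisite from the notes: the image store needs an NTFS volume.
$drive = New-Object System.IO.DriveInfo (Split-Path -Qualifier $remInst)
if ($drive.DriveFormat -ne 'NTFS') {
    throw "$($drive.Name) is $($drive.DriveFormat); the image store requires NTFS."
}

# Command-line equivalent of the WDS Configuration Wizard.
wdsutil /Initialize-Server /RemInst:"$remInst"

# DHCP and WDS on the same server: WDS must not listen on UDP 67, and
# option 60 must be set so PXE clients can locate the WDS server.
if (Get-Service -Name DHCPServer -ErrorAction SilentlyContinue) {
    wdsutil /Set-Server /UseDhcpPorts:No /DhcpOption60:Yes
}

# PXE response policy (this example's choice, not stated in the notes):
# answer only clients that are pre-staged in Active Directory.
wdsutil /Set-Server /AnswerClients:Known

# The image store needs at least one boot image and one install image.
wdsutil /Add-Image /ImageFile:"$media\boot.wim" /ImageType:Boot
wdsutil /Add-ImageGroup /ImageGroup:"$group"
wdsutil /Add-Image /ImageFile:"$media\install.wim" /ImageType:Install /ImageGroup:"$group"

# Review the resulting server configuration.
wdsutil /Get-Server /Show:Config
```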

# WINDOWS SERVER UPDATE SERVICES


** This is a very important part of the security of your infrastructure
- In security, we have things called vulnerabilities. What are vulnerabilities? They are bugs or mistakes in code that can be exploited. Vulnerabilities are discovered from time to time in software, including Windows. When vulnerabilities are discovered, software vendors release code that patches them. So part of our job as system admins is to ensure that both our servers and clients are regularly and promptly patched. But we must still go through the change process.
~ How would you do this in an infrastructure? Test
~ Port number for clients to access the Server
~ What is the proxy server for?

# MONITORING
~ Would we really use this in the real world, or use a 3rd-party monitoring solution?
~ Identify a potential performance bottleneck.
~ Viewing and Configuring Centralized Event Logs
~ Configure a Performance Counter Alert
~ You will have centralized event logs and examined these logs for performance-related events.

## WDS Fundamentals/WDS Essentials



Features
Network Deployments
PXE Boot capabilities (we can configure the response to PXE Boot)
Dynamic Driver Provisioning
Automating Deployments
Multicast
WDSUtil
Integrating WDS with other products like MDT and SCCM 2012

- Network Based Installation

# WDS Process Explained


** Networking must be okay and PXE response should be configured correctly
1. Computer boots up and gets IP from DHCP (IP, SM, DNS, DG)
2. Computer goes to a DNS Server and looks for locator records for ADDS
3. Computer goes to WDS Server and offers credentials that are checked by ADDS

# WDS Role Services Explained


- Deployment Server with Transport Server means full ADDS integrated
- Just transport means standalone
# Adding BOOT and INSTALL Images (and setting default image)
- The priority of the boot image dictates which one will be loaded by default. Which priority wins? Lower or higher?
- What is the advantage of the image group? Saving hard drive space: it stores only the bits that are different from the original image. Create groups by product and architecture to see any advantage, e.g. Win 8 32-bit in one group, Win 8 64-bit in another group.
# WDS Driver Management (Dynamic Driver Provisioning)
- Add Driver
- Filter type: model, BIOS vendor, etc.
- The filters determine which clients will get this driver (Manufacturer, Model, BIOS Vendor, BIOS Version, Chassis, etc.)
- We don't have to set up a filter group if we don't want to. Dynamic Driver Provisioning can still automatically install drivers without a filter.
# WDS Server Properties

# Active Directory Pre-Staged Devices

# Configuring DNS
# Configuring Advanced Auditing
- Auditing is managed through Group Policy, so you'll need to create your "Audit Policy".
- You want to audit things, not people: things that are taking place on your network. Also, from a legal perspective, you don't want to audit people or certain individuals; it could violate certain discrimination laws. You want to audit computers (mainly your servers), folders, objects and files. You also want to audit both success and failure events.
+ Computer Configuration --> Policies --> Windows Settings --> Security Settings --> (Local Policies --> Audit Policy)
~ Object access needs to be enabled in the policy and in Windows Explorer also (Security tab --> Advanced --> Auditing --> add Everyone --> both success and failures).
~ You want to be specific when it comes to object access; you don't want your logs to be too cluttered.
~ Someone has to be responsible for reviewing audit logs for their benefit to be seen. They are also beneficial in times when evidence is needed.

- Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Advanced Audit Policy Configuration --> Audit Policies.
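
Object access auditing needs both halves described above: the policy setting and an audit entry (SACL) on the object itself. The following is an added example, not part of the original notes, that sets both on one server from an elevated prompt; the folder path and the narrow set of audited rights are assumptions, and in a domain the policy half would normally come from the GPO.

```powershell
# Added example, not from the original notes. Run elevated.
$path = 'D:\Shares\Finance'   # hypothetical folder to audit

# 1. Policy half: enable the "File System" object-access subcategory for
#    success and failure (local equivalent of the Advanced Audit Policy GPO).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Object half: add an audit entry for Everyone on the folder. Only
#    change-type rights are audited so the Security log is not flooded
#    with read events (rights chosen for this example).
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
               'Everyone', $rights, $inherit, $prop, $flags)

$acl = Get-Acl -Path $path -Audit      # -Audit is required to read the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Verify both halves.
auditpol /get /subcategory:"File System"
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```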
## You also need to know how to interpret Event Viewer messages such as Special Logon, and how to export to a syslog server and view your logs from there.
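
One way to review these events and forward them to a syslog server, as an added example that is not part of the original notes. The syslog host name, UDP port 514 and the one-hour window are assumptions; event 4672 is Special Logon and 4663 is an object access attempt.

```powershell
# Added example, not from the original notes. Run elevated to read the Security log.
$syslogHost = 'syslog.example.internal'   # hypothetical syslog server
$syslogPort = 514                         # assumed UDP syslog port
$since      = (Get-Date).AddHours(-1)     # assumed review window

# 4672 = Special Logon (privileged logon), 4663 = attempt to access an object.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4672, 4663; StartTime = $since
} -ErrorAction SilentlyContinue

# Quick review: how many of each event in the window.
$events | Group-Object Id | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

$auditFailure = 0x10000000000000          # "Audit Failure" keyword bit
$udp = New-Object System.Net.Sockets.UdpClient
try {
    foreach ($e in $events) {
        # RFC 5424 header: facility 13 (log audit); warning for failures,
        # notice for successes. PRI = facility * 8 + severity.
        $sev  = if ($e.Keywords -band $auditFailure) { 4 } else { 5 }
        $pri  = 13 * 8 + $sev
        $ts   = $e.TimeCreated.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
        $text = ($e.Message -split "`r?`n")[0]      # first line of the message
        $msg  = "<$pri>1 $ts $($e.MachineName) Security - $($e.Id) - $text"
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($msg)
        [void]$udp.Send($bytes, $bytes.Length, $syslogHost, $syslogPort)
    }
}
finally {
    $udp.Close()
}
```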

~ Restrict access to Remote Access Server to certain groups


~ Configure client and server firewall via Group Policy
