OS Responsibilities
Process Management
Memory Management I/O Management File Management Object Management
Windows Architecture
System Processes
Executive, Kernel, HAL Architectural Details Subsystems and Layers User Mode & Kernel mode Kernel Objects Sharing kernel objects
OS classifications
Based on Functionality
Single user single tasking
Based on architecture
Monolithic OS Microkernel OS
OS classifications
What is Single tasking? The execution of a single task as against multiple tasks (programs) by the operating system. The practice or capability of handling only one task at a time.
Kernel
What is a Kernel?
The kernel is the indispensable and therefore most important part of an operating system.
Roughly, an operating system itself consists of two parts:
The kernel space (privileged mode)
The user space (unprivileged mode)
Monolithic Kernel
The older approach is the monolithic kernel, of which Unix, MS-DOS and the early Mac OS are typical examples.
It runs every basic system service, such as process and memory management, interrupt handling, I/O communication and the file system, in kernel space.
Monolithic Kernel
[Diagram: monolithic kernel. Application programs run in user mode; system services and operating system services run in kernel mode, on top of the hardware.]
Monolithic Kernel
The inclusion of all basic services in kernel space has the following drawbacks:
The kernel size
Lack of extensibility
Bad maintainability: bug fixing or the addition of new features means a recompilation of the whole kernel.
Microkernel
What is Microkernel?
The concept was to reduce the kernel to basic process communication and I/O control, and let the other system services reside in user space in the form of normal processes (so-called services), thereby providing protection between the processes.
There is a service for managing memory issues, one service does process management, another one manages drivers, and so on. Because the services do not run in kernel space anymore, so-called "context switches" are needed to allow user processes to enter privileged mode (and to exit again).
Microkernel OS
[Diagram: microkernel OS. Client applications and servers such as the process server run as user-space processes; only the microkernel runs in kernel mode, on top of the hardware.]
Multithreading
Process: a program in execution.
Thread: a thread is basically a path of execution through a program; also defined as a set of instructions.
A process owns one or more threads of program execution. The actual agent of execution is always a thread within a process.
Process
A process comprises:
An executable program comprising initial code and data.
A private virtual address space, which is a set of virtual memory addresses that the process can use.
System resources: semaphores and files that the OS allocates to the process when threads open them.
A process ID.
At least one thread of execution.
Threads
A thread includes the following components:
The contents of a set of volatile registers representing the state of the processor.
Two stacks, one for the thread to use while executing in kernel mode and the other for executing in user mode.
Private storage for use by DLLs, runtime libraries and subsystems.
A thread ID.
All these constitute a thread context, which is platform specific.
Multiprocessing
Only symmetric multiprocessing systems are supported. All systems share the same main memory and each system has equal access to peripheral devices. Thread scheduling and interrupt handling can be equally distributed among all the processors. Basic architecture supports up to 32 processors.
NT Features
process and the upper half (0x80000000 thru 0xffffffff) is used by the OS itself.
Lower half addresses (0x00000000 thru 0x7fffffff) contain data used by the current process, including program instructions, stack space, variables and constants.
Upper half addresses (0x80000000 thru 0xffffffff) contain data used by the operating system itself, including kernel, executive, HAL, device drivers, cache memory and paged/nonpaged memory pools.
SMP Support
By default, every NT Server supports Symmetric Multiprocessing on up to 4 processors. NT Server is designed to support SMP configuration of up to 32 processors. However, you must have license to use additional (more than 4) processor support.
NT O/S Components
[Diagram: simplified NT architecture. User mode components: system processes, server processes, environment subsystems, user applications. Kernel mode components.]
NT O/S Components
In user mode, the CPU only grants access to the memory of the current process and a limited set of instructions. In kernel mode, the CPU grants access to all memory and all the instructions.
[Diagram: NT architecture components across the user mode / kernel mode boundary: applications (Task Manager, Windows Explorer), user application and subsystem DLLs, Ntdll.dll, system threads, Win32 USER and GDI, I/O manager, kernel, graphics drivers.]
The executive contains the base operating system services.
The kernel consists of low-level operating system functions.
Device drivers translate user I/O function calls into specific hardware device I/O requests; they also include file system and network drivers.
The hardware abstraction layer (HAL) is a layer of code that isolates the kernel, device drivers, and the rest of the executive from platform-specific differences (such as differences between motherboards).
The windowing and graphics system implements the graphical user interface (GUI) functions (Win32 USER and GDI functions), such as dealing with windows, user interface controls, and drawing.
Services Overview
Windows Services are like Unix daemons.
Service processes can be configured to start with the OS and
[Diagram: service processes, e.g. RPC and the Alerter process.]
Services
Services are controlled by the Service Control Manager (SCM), which tracks all running services and maintains a static database under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
Each service has its own key under the Services key in the registry that contains parameters (Error Control, Service Type, and Startup Order) to control the service.
Services
The overall service loading process occurs in three phases:
this phase, all drivers required to boot the operating system load.
Memory Management
Topics
Overview
Windows uses a linear memory architecture with virtual memory. In linear addressing, addresses form a single, continuous address space. A 32-bit Windows operating system uses a total of 4GB of address space. An address space is a set of addresses; they start at 0x00000000 and run through 0xFFFFFFFF. Every process gets a 2GB/3GB address space.
Linux
Licensed Software
Windows etc.
Client Access License: license required by the client to access the server.
Per Server: per-connection license.
Per Seat: per-client license.
File Systems
What is a File System? A file system is a method of storing files. Types of file systems:
FAT-16 (File Allocation Table)
FAT-32 (File Allocation Table)
NTFS (New Technology File System)
HPFS (High Performance File System)
CDFS (Compact Disk File System)
NFS (Network File System), etc.
What is a Shell?
Shell is a UNIX term for the interactive user interface with an operating system. The shell is the layer of programming that understands and executes the commands a user enters. In some systems, the shell is called a command interpreter. A shell usually implies an interface with a command syntax (think of the DOS operating system and its "C:>" prompts and user commands such as "dir" and "edit"). As the outer layer of an operating system, a shell can be contrasted with the kernel, the operating system's inmost layer or core of services.
What is a Script? In computer programming, a script is a program or sequence of instructions that is interpreted or carried out by another program rather than by the computer processor (as a compiled program is). Some languages have been conceived expressly as script languages. Among the most popular are Perl, REXX (on IBM mainframes), JavaScript, and VB Script
File Types
Hardware Devices
Devices Hardware viz. Hard Disk Drive, Floppy Disk Drive, Memory Chip, Display Card, NIC etc.
Drivers Software interface between the OS and a specific hardware device
Driver Software Supplied by the hardware vendor along with the device
Boot Process
What is Booting? Pre-Windows Vista Boot Process Windows Vista/Windows 7/Windows 2008 Boot Process
Boot Process
Types of Booting:
Cold Boot - When you start from the off state, or power off and then on by using the power button. POST is performed. Warm Boot - Restarting the computer without turning power off, e.g. when you restart the computer using the Ctrl+Alt+Del combination or the restart command from the startup menu. POST is not performed during this process, which decreases the boot-up time and the PC boots faster.
App-V for RDS RDS - Better Together with Windows 7 and Citrix Summary
Server Virtualization
Presentation Virtualization
Management
Desktop Virtualization Application Virtualization
Terminal Services components: TS RemoteApp, TS Gateway, TS Session Broker, TS Web Access, TS Easy Print, Terminal Server.
Remote Desktop Services components: RemoteApp, RD Gateway, RD Connection Broker, RD Web Access, RD Easy Print, RD Session Host, RD Virtual Host, RemoteApp & Desktop Connections.
Install and maintain applications once in the datacenter, not on every desktop. Enable flexible work scenarios such as hot-desking and work from home. Deploy applications to devices that can't run them natively, or that require hardware upgrades to run them.
Keep data safe in the datacenter to help eliminate the risk of laptop data theft. Help simplify the burden of regulatory compliance with centralized tracking.
Quickly connect remote workers with the critical applications they need from a Web page. Provide users with secure access to remote applications from outside the corporate network (without using VPN infrastructure).
[Diagram: Remote Desktop Services topology. RD Clients connect through RD Gateway and RD Connection Broker to RD Session Host and RD Virtualization Host servers, with Active Directory providing the directory.]
Role: Function
RemoteApp: Publishes applications with just the application UI, and not a full desktop UI
RD Session Host: Hosts centralized, session-based applications and remote desktops
RD Virtualization Host: Hosts centralized, virtual-machine-based (virtual) desktops on top of Hyper-V for a VDI environment
RD Connection Broker: Creates a unified administrator experience for session-based and virtual-machine-based remote desktops
RD Gateway: Allows connection from clients outside the firewall, using SSL, and proxies those to internal resources
RD Web Access / RemoteApp & Desktop Connections (Windows 7): RD Web Access provides Web-based connection to resources published by RD Connection Broker. Supports the traditional web page, as well as the new RemoteApp & Desktop Connections
RD EasyPrint: Simplifies printing to a local printer, and supports legacy and new print drivers without the need to install those on the host
Active Directory
Hardware Pre-Requisites
RAM
Server 2008:
Minimum: 512 MB (for both the Server Core installation
dependent.
Hardware Pre-Requisites
Processor
workload-dependent.
Hardware Pre-Requisites
Disk
The following are the approximate disk space requirements for the system partition. Itanium-based and x64-based operating systems will vary from these estimates.
Minimum: 8 GB (for both the Server Core installation and full installation options)
Recommended: 40 GB (full installation option) or 8 GB (Server Core installation option)
Optimal: 80 GB (full installation option) or 40 GB or more (Server
disk space for the paging file, hibernation, and dump files.
Server Core
Server Core requires less software maintenance, such as installing updates. Server Core has fewer attack vectors by default (services with listening ports) exposed to the network, and therefore less of an attack surface. Server Core is easier to manage. Server Core uses less disk space for installation.
Can continue to use current instrumentation (COM, ADSI, WMI, ADO, XML, Text, )
AD DS
DNS
WINS WDS
DHCP etc.
Windows Backup
.NET Framework
Failover Clustering etc.
Module Overview
Partitioning Disks in Windows 7 Managing Disk Volumes
Partition
Enhances reliability
Disk Management snap-in: graphical user interface; manage disks and volumes, both basic and dynamic.
Diskpart.exe: scriptable command-line utility; create scripts to automate disk-related tasks.
Partition styles: MBR, GPT.
Convert a disk to GPT by using Diskpart.exe
Convert Disk 3 to GPT by using Disk Management
Verify the disk type
Simple Volume
Can be extended on the same disk
Not fault tolerant
Volume I/O performance is the same as disk I/O performance
Can be extended across disks, creating a spanned volume
In this demonstration, you will see how to create a simple volume by using Disk Management and Diskpart.exe.
Spanned volume: joins areas of unallocated space on multiple disks into a single logical disk. Requires multiple dynamic disks. No fault tolerance.
Striped volume: requires multiple dynamic disks; the allocated space from each disk must be identical. A striped volume maps stripes of data cyclically across the disks into a single striped volume. Provides faster throughput compared to simple volumes. Well suited for isolating the paging file. No fault tolerance.
Demonstration: Creating Spanned and Striped Volumes In this demonstration, you will see how to:
Before shrinking:
Defragment the disk
be shrunk
Demonstration: Resizing a Volume In this demonstration, you will see how to:
Defragmenting a Disk
Rearrange data and reunite fragmented files
consumption
Proactively monitor available space
Determine who is
digital signature.
The driver store is the driver repository. Device metadata packages contain device experience XML describing the properties of the device and the applications and services that support the device.
Add to the driver store by using the Plug and Play utility (Pnputil.exe) at a command prompt.
Device Stage
[Slide: managing devices in Windows 7. Device Stage: access devices, update drivers and change the hardware settings for those devices; devices in use are shown on the taskbar with a photo-realistic icon. Device Manager: advanced options for hardware devices, managing them and troubleshooting problems; use Device Manager to manage devices only on a local computer. The devices that display in these views are usually external devices that you connect to or disconnect from the computer through a port or network connection.]
Windows Update: Delivers software updates and drivers, and provides automatic updating options.
Manufacturer's media or Web site: Use the media or browse to the device manufacturer's site.
Device Manager: Updates the driver software for the device manually.
Compatibility Report: Use this report to load a new or updated driver during an upgrade.
Use the driverquery command with the /si switch to obtain a basic list of signed and unsigned device drivers.
Demonstration: Managing Drivers In this demonstration, you will see how to:
Update a device driver Roll back a device driver Install a driver into the driver store
Managing Printing
Printing Components in Windows Server 2008 Demonstration: Installing and Sharing a Printer
Event Logs
Application Log
Security Log System Log
Event Logs
What are Event Logs? Event logs contain the information about the various events related to applications, operating system, and security, which can later be used for monitoring and troubleshooting.
Event Logs
Types of Event Logs
Application Log: contains information specific to applications.
Security Log: contains information specific to security, viz. authentication, authorization etc.
System Log: contains information specific to the operating system.
Windows Update
Contain the latest debugged and updated Windows OS related files, which are downloadable from Microsoft web site.
Service Packs and Patches contain a set of updated and debugged Windows OS files, to stabilize the OS.
Software Update Services is a centralized software from Microsoft to securely apply Windows Updates from a central location to all the client and server operating systems in the network.
Browser
What is a Browser?
KMS activation
Automates activation of Volume Licensed Vista and Windows Server 2008 systems
Uses either Multiple Activation Keys or Key Management Service
Offers central management for Volume License keys
MAK Proxy
MS Activation Clearinghouse
Key considerations:
Number of computers in the target network
Network and Internet connectivity
DNS server support for DDNS and SRV records
Centralized KMS recommended if bandwidth is sufficient
MAK recommended for remote computers with limited connectivity
Read the discussion questions Discuss your answers with the class
2008
Core
Module Overview
> net user Administrator
> netsh interface ipv4 set address
> netsh interface ipv4 add dnsserver
> start /w ocsetup DHCPServerCore
> netsh dhcp add server dhcpsrv1.example.microsoft.com 10.2.2.2
> start /w ocsetup DNS-Server-Core-Role
> start /w ocsetup Printing-ServerCore-Role
> start /w ocsetup FRS-Infrastructure
> start /w ocsetup DFSN-Server
Creating and Managing AD Domain Objects Creating and Managing User and Group Accounts AD Domain Groups Group Types
Group Scopes
Security Policies
Domain Policies
Accounts Policy
Local Policies
Accounts Policy
NTLM Authentication
Agenda
Active Directory Roles
DCPromo Improvements
Active Directory Certificate Services (AD CS)
Active Directory Federation Services (AD FS)
Active Directory Lightweight Directory Services (AD LDS)
Active Directory Rights Management Services (AD RMS)
DCPromo Improvements
DCPromo offers an advanced mode that provides experienced users with more control over the operation:
Using backup media (IFM) from an existing DC in the same domain to reduce the network traffic that is associated with initial replication.
Selecting the source DC for the installation.
Modifying the NetBIOS name that the wizard generates by default.
Defining the Password Replication Policy for an RODC.
Active Directory
Active Directory is a central repository which stores information about various network resources viz. users, computers, groups, printers, contacts etc. in a meaningful hierarchy.
Active Directory
[Diagram: centralized management with Active Directory. Organize, manage and control resources: objects such as users, computers and printers, each with attribute values. Single point of administration; full user access to directory resources by a single logon.]
List of Attributes
accountExpires department distinguishedName directReports dNSHostName operatingSystem repsFrom repsTo middleName
[Diagram: locating users and printers in the directory by specifying unique naming paths for each object in the directory: distinguished names and relative distinguished names.]
Forest: Collection of one or more trees which share common schema and configuration information, but do not share a common name space.
Tree: Collection of one or more domains which share common schema, common configuration information, as well as a common name space.
Domain: Collection of various network resources viz. users, computers, groups, printers etc. defined by a security boundary.
Organizational Unit
Domains
A Domain Is a Security Boundary: a domain administrator can administer only within the domain, unless explicitly granted administration rights in other domains.
A Domain Is a Unit of Replication
Domain controllers in a domain participate in replication and contain a complete copy of the directory information for their domain
Replication
Organizational Units
[Diagram: a forest of two trees. Tree nwtraders.msft with child domains asia.nwtraders.msft and au.nwtraders.msft; tree contoso.msft with asia.contoso.msft and au.contoso.msft. Each domain has domain controllers that replicate with each other, the Global Catalog spans the domains, and sites are associated with IP subnets.]
Sites: optimize replication traffic; enable users to log on to a domain controller by using a reliable, high-speed connection.
Active Directory:
Enables a single administrator to centrally manage resources
Allows administrators to easily locate information
Allows administrators to group objects into OUs
Uses Group Policy to specify policy-based settings
[Diagram: Group Policy applied once to the domain and to OUs OU1, OU2 and OU3; Windows 2000 enforces it continually.]
Control and lock down what users can do
Centrally manage software installation, repairs, updates, and removal
Configure user data to follow users whether they are online or offline
Assign Permissions:
For specific OUs to other administrators To modify specific attributes of an object in a single OU To perform the same task in all OUs
DCPromo Improvements
New options in DCPromo:
Choose to install DNS on the server
Choose to configure the new DC as a GC
Create a new RODC
Join to a Site
Postpone replication
Auto-reboot the server after the DCPromo process is finished
Save an answer/unattend file using the options configured during DCPromo
Active Directory Users and Computers (ADUC):
Search in Sites and Services
ADSIEdit integration with ADUC
NTDS objects exposed in ADUC
Support tools integration
Overview: new domain controller deployment option; typically deployed at perimeter / branch office; ideal for sites lacking deep IT knowledge.
Logic: increase end user productivity; mitigate poor physical server security; lower impact of compromise, theft, or error; meet requirements of specific LOB applications.
RODC features
Active Directory Domain Services (AD DS) objects and attributes that a writable domain controller holds.
Clients are not able to write changes directly to the RODC.
Local applications that request Read access to the
applications that perform a Write operation are referred to a writable domain controller in a hub site.
RODC features
RODC filtered attribute set
Some applications that use AD DS as a data store may have credential-like data (such as passwords, credentials, or encryption keys) that you do not want to be stored on an RODC in case the RODC is stolen or compromised.
RODC features
Unidirectional replication
Writable DCs that are replication partners do not have to pull changes from the RODC. Any changes or corruption that a malicious user might make at branch locations cannot replicate from the RODC to the rest of the forest. This also reduces the workload of bridgehead servers in the hub site and the effort required to monitor replication.
RODC features
Credential caching
By default, an RODC does not store user or computer credentials except for its own computer account and a special krbtgt account for that RODC. You must explicitly allow any other credentials to be cached on that RODC. The RODC will then contact and pull the credentials from a writable domain controller that is running Windows Server 2008 at the hub site.
RODC features
Password Replication Policy (PRP)
The PRP that is enforced at the writable DC determines whether a user's or computer's credentials can be replicated to the RODC. If the RODC is stolen, only those credentials that are cached can potentially be compromised.
RODC features
A domain user or security group can be delegated to be the local administrator of an RODC without granting that user or group any rights for the domain or other domain controllers. The delegated administrator can log on to an RODC to perform maintenance work on the server, such as upgrading a driver. But the delegated administrator would not be able to log on to any other domain controller or perform any other administrative task in the domain.
RODC features
You can install the DNS Server service on an RODC. The RODC is able to replicate all application directory partitions that are used by DNS, including ForestDNSZones and DomainDNSZones. If the DNS server is installed on an RODC, clients can query it for name resolution as they would query any other DNS server.
The DNS server on an RODC does not support client updates directly, and instead, the server returns a referral.
Deployment steps:
1. ADPREP /ForestPrep
2. ADPREP /DomainPrep
3. Promote a Windows Server 2008 DC
4. Verify Forest Functional Mode is Windows 2003
5. ADPREP /RodcPrep
6. Promote RODC
IFM media for an RODC:
NTDSUTIL > IFM > Create RODC <path>
Secrets are removed, so if the IFM is lost, no harm is done.
The DIT is defragged to remove free space.
Take the IFM to the remote site, then use DCPROMO with the advanced checkbox to use it.
servers.
controller, such as applying updates or performing offline defragmentation, without restarting the server.
While AD DS is running, a domain controller running Windows Server 2008 behaves the same way as a domain controller running Microsoft Windows 2000/2003 Server.
While AD DS is stopped, other domain controllers can
Tools: snap-in, stop/start command, PowerShell, WinRS.
In Windows 2000/2003, audit logs can show you who made changes to what object attributes, but the events do not display the old and new values. There was one audit policy, Audit directory service access, that controlled whether auditing for directory service events was enabled or disabled.
In Windows Server 2008 this policy is divided into four subcategories:
Directory Service Access
Directory Service Changes
Directory Service Replication
Detailed Directory Service Replication
The new audit policy subcategory adds the following capabilities to auditing in AD DS:
Moving of an object
Undeleting an object
Auditing of these changes is enabled with a new audit policy subcategory called Directory Service Changes.
There is no GUI tool available in Windows Server 2008 to view or set audit policy subcategories. Use Auditpol.exe from the command prompt.
A new event (5136) is generated when the action is performed on the object. This event lists the previous value of the changed attribute, and the new value.
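As an added example (not part of the original slides), the Python below shows how a defender turns 5136 records into a before/after view: a modification is written as a "Value Deleted" record carrying the old value and a "Value Added" record carrying the new value, both sharing an OpCorrelationID. The field names follow the event's EventData; the events themselves are constructed samples, and the watched-attribute list is an assumption.

```python
# Added example (not from the original slides): reconstruct attribute changes
# from Directory Service Changes audit events (ID 5136). A modification is logged
# as two records sharing an OpCorrelationID: "Value Deleted" (old value) and
# "Value Added" (new value). Field names follow the event's EventData; the
# events below are constructed samples, not a real log.
from typing import Dict, Iterable, List

VALUE_ADDED = "%%14674"    # OperationType code rendered as "Value Added"
VALUE_DELETED = "%%14675"  # OperationType code rendered as "Value Deleted"

# Attributes whose change a defender usually wants surfaced, not just logged
# (assumed list for this example).
WATCHED_ATTRIBUTES = {"member", "userAccountControl", "scriptPath",
                      "servicePrincipalName", "msDS-AllowedToDelegateTo"}

SAMPLE_EVENTS: List[Dict[str, str]] = [
    # A description change: old value removed, new value added, same correlation.
    {"EventID": "5136", "SubjectDomainName": "CONTOSO", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=user1,CN=Users,DC=contoso,DC=com", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "Helpdesk",
     "OperationType": VALUE_DELETED, "OpCorrelationID": "{A1}"},
    {"EventID": "5136", "SubjectDomainName": "CONTOSO", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=user1,CN=Users,DC=contoso,DC=com", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "Tier 1 Helpdesk",
     "OperationType": VALUE_ADDED, "OpCorrelationID": "{A1}"},
    # A group membership addition: only a "Value Added" record exists.
    {"EventID": "5136", "SubjectDomainName": "CONTOSO", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=Domain Admins,CN=Users,DC=contoso,DC=com", "ObjectClass": "group",
     "AttributeLDAPDisplayName": "member",
     "AttributeValue": "CN=user1,CN=Users,DC=contoso,DC=com",
     "OperationType": VALUE_ADDED, "OpCorrelationID": "{B2}"},
]


def correlate_5136(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Fold 5136 records into one change per (correlation ID, object, attribute),
    collecting deleted values as 'old' and added values as 'new'."""
    changes: Dict[tuple, Dict[str, object]] = {}
    for ev in events:
        if ev.get("EventID") != "5136":
            continue  # not a Directory Service Changes record
        key = (ev["OpCorrelationID"], ev["ObjectDN"], ev["AttributeLDAPDisplayName"])
        if key not in changes:
            changes[key] = {
                "actor": f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}',
                "object": ev["ObjectDN"], "class": ev["ObjectClass"],
                "attribute": ev["AttributeLDAPDisplayName"],
                "old": [], "new": [], "correlation": ev["OpCorrelationID"]}
        if ev["OperationType"] == VALUE_DELETED:
            changes[key]["old"].append(ev["AttributeValue"])
        elif ev["OperationType"] == VALUE_ADDED:
            changes[key]["new"].append(ev["AttributeValue"])
    return list(changes.values())


def watched_changes(changes: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Subset of changes touching attributes in WATCHED_ATTRIBUTES."""
    return [c for c in changes if c["attribute"] in WATCHED_ATTRIBUTES]


def describe(change: Dict[str, object]) -> str:
    """One-line 'who changed what: old -> new' summary."""
    old = ", ".join(change["old"]) or "<none>"
    new = ", ".join(change["new"]) or "<none>"
    return f'{change["actor"]} changed {change["attribute"]} on {change["object"]}: {old} -> {new}'


if __name__ == "__main__":
    for change in correlate_5136(SAMPLE_EVENTS):
        flag = " [WATCHED]" if change in watched_changes([change]) else ""
        print(describe(change) + flag)
```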
Fine-Grained Passwords
Before Windows Server 2008: one password policy per domain. In Windows Server 2008:
Still set only one password policy at domain level
Additional settings for users needing a different policy are available in ADSIEdit
These settings are called Password Settings objects (PSOs)
Does NOT apply to:
Fine-Grained Passwords
PSO settings include attributes for the following password and account settings:
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Passwords must meet complexity requirements
Store passwords using reversible encryption
Fine-Grained Passwords
RSOP
A user or group object can have multiple PSOs linked to it, either because of membership in multiple groups that each have different PSOs applied to them or because multiple PSOs are applied to the object directly.
However, only one PSO can be applied as the effective password policy.
Only the settings from that PSO can affect the user or group. The settings from other PSOs that are linked to the user or group cannot be merged in any way.
Fine-Grained Passwords
msDS-MaximumPasswordAge: -1728000000000
msDS-MinimumPasswordAge: -864000000000
msDS-MinimumPasswordLength: 8
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-LockoutObservationWindow: -18000000000
msDS-LockoutDuration: -18000000000
msDS-LockoutThreshold: 0
msDS-PasswordSettingsPrecedence: 20
msDS-PSOAppliesTo: CN=user1,CN=Users,DC=contoso,DC=com
To import:
ldifde -i -f c:\pso.ldf
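The duration attributes above are stored as negative counts of 100-nanosecond ticks (so -1728000000000 is 2 days and -18000000000 is 30 minutes), which is easy to get wrong by hand. As an added example that is not part of the original slides, the Python below encodes and decodes those intervals, renders a PSO with the slide's values as importable LDIF, and sanity-checks it before ldifde is run; the object name PSO1, the Password Settings Container DN and the "never expires" sentinel are assumptions.

```python
# Added example: PSO interval encoding, LDIF generation and pre-import checks.
# The object name "PSO1" and the Password Settings Container DN are assumptions;
# the attribute values mirror the slide (2-day max age, 1-day min age, ...).
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, List, Optional

HNS_PER_SECOND = 10_000_000   # AD duration attributes count 100-nanosecond ticks
NEVER = -(2 ** 63)            # msDS-MaximumPasswordAge sentinel: passwords never expire


def to_ad_interval(delta: timedelta) -> int:
    """Encode a duration as the negative tick count AD stores for
    msDS-MaximumPasswordAge, msDS-MinimumPasswordAge, msDS-LockoutDuration
    and msDS-LockoutObservationWindow (e.g. 2 days -> -1728000000000)."""
    if delta < timedelta(0):
        raise ValueError("duration must not be negative")
    return -int(round(delta.total_seconds() * HNS_PER_SECOND))


def from_ad_interval(value: int) -> timedelta:
    """Decode a stored interval back into a positive timedelta."""
    if value > 0 or value == NEVER:
        raise ValueError("expected a negative, finite AD interval")
    return timedelta(seconds=-value / HNS_PER_SECOND)


@dataclass
class PsoSettings:
    name: str
    precedence: int               # lower number wins when several PSOs apply
    applies_to: str               # DN of the user or global security group
    max_age: Optional[timedelta]  # None -> passwords never expire
    min_age: timedelta
    min_length: int
    history_length: int
    complexity: bool
    reversible_encryption: bool
    lockout_threshold: int        # 0 disables account lockout
    lockout_duration: timedelta
    lockout_window: timedelta


def _flag(enabled: bool) -> str:
    return "TRUE" if enabled else "FALSE"


def to_ldif(pso: PsoSettings, domain_dn: str) -> str:
    """Render the PSO as an LDIF 'add' record suitable for ldifde -i -f <file>."""
    max_age = NEVER if pso.max_age is None else to_ad_interval(pso.max_age)
    lines = [
        f"dn: CN={pso.name},CN=Password Settings Container,CN=System,{domain_dn}",
        "changetype: add",
        "objectClass: msDS-PasswordSettings",
        f"msDS-MaximumPasswordAge: {max_age}",
        f"msDS-MinimumPasswordAge: {to_ad_interval(pso.min_age)}",
        f"msDS-MinimumPasswordLength: {pso.min_length}",
        f"msDS-PasswordHistoryLength: {pso.history_length}",
        f"msDS-PasswordComplexityEnabled: {_flag(pso.complexity)}",
        f"msDS-PasswordReversibleEncryptionEnabled: {_flag(pso.reversible_encryption)}",
        f"msDS-LockoutObservationWindow: {to_ad_interval(pso.lockout_window)}",
        f"msDS-LockoutDuration: {to_ad_interval(pso.lockout_duration)}",
        f"msDS-LockoutThreshold: {pso.lockout_threshold}",
        f"msDS-PasswordSettingsPrecedence: {pso.precedence}",
        f"msDS-PSOAppliesTo: {pso.applies_to}",
    ]
    return "\n".join(lines) + "\n"


def parse_ldif_attributes(text: str) -> Dict[str, str]:
    """Collect 'attr: value' pairs; tolerates the space-less 'attr:value' form."""
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        attrs[key.strip()] = value.strip()
    return attrs


def check_pso(attrs: Dict[str, str]) -> List[str]:
    """Return problems the directory would reject or a reviewer should question."""
    problems: List[str] = []
    max_age = int(attrs["msDS-MaximumPasswordAge"])
    min_age = int(attrs["msDS-MinimumPasswordAge"])
    # Intervals are negative, so a numerically smaller value is a longer duration.
    if max_age != NEVER and min_age < max_age:
        problems.append("minimum password age exceeds maximum password age")
    if int(attrs["msDS-LockoutObservationWindow"]) < int(attrs["msDS-LockoutDuration"]):
        problems.append("lockout observation window exceeds lockout duration")
    if int(attrs["msDS-PasswordSettingsPrecedence"]) < 1:
        problems.append("precedence must be 1 or greater")
    if attrs.get("msDS-PasswordReversibleEncryptionEnabled", "FALSE").upper() == "TRUE":
        problems.append("reversible encryption stores recoverable passwords; keep it FALSE")
    return problems


# Constructed from the slide's values; the name and domain DN are assumptions.
SLIDE_PSO = PsoSettings(
    name="PSO1", precedence=20,
    applies_to="CN=user1,CN=Users,DC=contoso,DC=com",
    max_age=timedelta(days=2), min_age=timedelta(days=1),
    min_length=8, history_length=24, complexity=True, reversible_encryption=False,
    lockout_threshold=0, lockout_duration=timedelta(minutes=30),
    lockout_window=timedelta(minutes=30),
)

if __name__ == "__main__":
    ldif = to_ldif(SLIDE_PSO, "DC=contoso,DC=com")
    print(ldif)
    print("problems:", check_pso(parse_ldif_attributes(ldif)) or "none")
    print("max age decodes to", from_ad_interval(-1728000000000))
```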
In Windows Server 2008, you can use NTDSUTIL to create snapshots of the current Active Directory database (NTDS.DIT). By using the Active Directory database mounting tool, you can examine any changes that are made to data that is stored in Active Directory Domain Services. You can use the AD snapshot to export objects and settings, and import them to the live AD instance. Users cannot be fully restored in this manner because of SID issues.
The snapshot creation process can be automated. Use the DSAMAIN tool to mount the AD snapshot to a specific LDAP port. You can connect to that AD instance by using any management tool:
DSA.msc
LDP.exe
ADSIEDIT.msc
CSVDE and LDIFDE
Module Overview
Unattended Windows Server 2008 installation Unattended Domain Controller installation
Unattend.xml Format
Unattend.xml
UI elements can be hidden or shown but pre-configured by Unattend.xml Uses a hierarchical XML format
</userdata>
<setupdata>
<skipeula value="yes"/>
Unattend File
Unattended Dcpromo syntax and new options: dcpromo /?:unattend shows all options.
Module Overview
Windows Deployment Services Working with the WIM format
Server 2008
History of Deployment
Previous solutions: RIS, ADS. Single solution for the entire enterprise. Windows Vista and Windows Server 2008 shipped in WIM format.
Windows Deployment Services: Microsoft Management Console; native support for Windows PE as a boot operating system; new client menu for selecting boot operating systems.
Benefits of WDS
WDS
Lower TCO
WDS Environment
Server Components
Management Components
Client Components
File Share
DNS and DHCP Load balancing capable
WDS Server
Diskpart
Upgrading and Interoperability RIS Windows 2000 Server and Server 2003 Boot capability (PXE) Remote
Wizard based-installation
Multicasting
Scheduled-Cast: after clients are connected, transmission starts. Efficient, but labor intensive.
Auto-Cast: clients can join at any time; the server repeats transmission until all clients are completed.
WDS Management
WDS Server
Golden Image
Demonstration: ImageX
Use ImageX to mount an image Viewing and editing WIM files
WDS
Module Overview
Introduction to the Microsoft Deployment Toolkit Using the Microsoft Deployment Toolkit
MDT Components
Preparing for Lite Touch Installation Preparing for Zero Touch Installation
Deployment Challenges
Thin Images
MDT Components
Deployment Points
What is Light Touch Deployment? Originally LTI was the installation of the OS without SMS (Systems Management Service)/SCCM (System Center Configuration Manager) using BDD (Business Desktop Deployment) or MDT (Microsoft Deployment Toolkit). In this technology we can PXE boot or execute a VBScript to initiate the OS deployment. This would require a technical person to interact with the machine to initiate the build, but would then be unattended, hence Light Touch.
What is Zero Touch Deployment? If you're deploying with SCCM (System Center Configuration Manager) the endpoint machine requires no interaction in the REFRESH COMPUTER scenario (i.e. when wiping the existing OS and replacing with new) hence Zero Touch.
Test
Launch SIM directly or use Task Sequence properties Open a Windows image or catalog file Customize a setting in an answer file Create an answer file
Maintaining Images
Maintenance procedure:
1. Use ImageX to mount a Windows image.
2. Use Pkgmgr.exe or OCSetup to add/remove drivers, language packs, Windows features.
3. Use ImageX to unmount the Windows image.
Language Packs:
1. Start Deployment Workbench.
2. Start the Add New Package wizard.
Deployment Toolkit
Deployment Toolkit
Domain Restructuring
Tools for Migration- ADMT Precautions before Migration
Upgrade Sequence
Migrating GPOs Migrating Roaming Profiles
Module Overview
Upgrading File and Print Servers Upgrading Web and Application Servers Upgrading Remote Infrastructure Servers
Changes in File Service Functionality File Server Storage Changes Migrating EFS Files Changes to Print Services in Windows Server 2008
Transactional NTFS
Shared configuration
Componentized installation
Simpler management
Authentication
IIS and ASP.NET authentication united
Anonymous authentication under worker process
SSL
Application Pools
Classic Mode Integrated Mode
<httpModules> configuration
<httpHandlers> configuration
Metabase Compatibility
v1.1 SP1
Enable the ASP.NET v1.1 ISAPI Extension Add the IgnoreSection Handler to Framework v1.1
Upgrade Path
RODC Functionality
RODC Requirements and Special Considerations RODC Replication, Promotion and Deployment
Communication
Management Security
Replication
RODC Functionality
Functionality requirements
Full-disk encryption Integrity checking
Recovery options
Installation Remote Management Group Policy settings
Exercise 2: Create DFS Namespaces Exercise 3: Schedule a Backup Exercise 4: Migrate a Printer
Upgrading a Windows Server 2003 Web Server to Windows Server 2008 and IIS 7.0
Exercise 1: Export Application and
For upgrades in any domain where all domain controllers run Windows NT 4.0, review the upgrade plan. Decide whether to upgrade any FAT or FAT32 partitions to NTFS. Check the system log for errors that could cause problems during the upgrade.
Upgrading to Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition on Cluster Nodes Checklist: Preparation for upgrading a cluster Upgrades in a Windows NT 4.0 Domain
Choosing a File System for the Installation Partition Preparing your system for an upgrade
Back up files. If upgrading from Windows NT 4.0, prepare mirror sets or other disk sets for upgrade. Disconnect UPS devices.
Preparing your system for an upgrade: working with volume, mirror, or stripe sets or stripe sets with parity
Start Setup on an x86-based computer
Start Setup on an Itanium architecture-based computer
Start Setup on an x64-based computer
Domain and forest functionality
Upgrading from a Windows NT domain
If domain controller upgrades are complete, review concepts about domain functional levels and, if appropriate, raise the functional level.
Prepare a Windows Server 2008 Server Core Installation for Use as a Remote Infrastructure Server
Exercise 1: Enable Remote Desktop
Module 4
Module Overview
This module contains the following Parts: Part 1: DNS Overview
Lesson 1: DNS Functional Description (Review)
Lesson 2: New DNS Functionality in Windows Server 2008
Summary of Existing Features in Windows Server 2003 and 2008 (new features are covered in Lesson 2):
Stub zones
Integration with other Microsoft network services
Ease of administration
LLMNR
Installed from Server Manager via the Add Roles Wizard; no longer installed via Add/Remove Windows Components
Background zone loading: the DNS server begins answering queries for zones it has already loaded while the zones stored in AD DS are still loading during restart. When the DNS server starts, it:
Enumerates all zones to be loaded
Loads root hints from files or AD DS storage
Loads all file-backed zones, that is, zones that are stored in files rather than in AD DS
Begins responding to queries and remote procedure calls (RPCs)
Spawns one or more threads to load the zones that are stored in AD DS
Behaviour when a query arrives for a zone that is still loading, by OS and SP level (three levels compared):
Background zone loading: No | No | Yes
Response to the query: Gives bad response | No response | Queries AD DS for the data and responds
IPv6 Support
Windows Server 2008 DNS fully supports the IPv6 address format in the UI, in zone data and in DNS queries.
RODC behaviour: the RODC replicates a full read-only copy of all application directory partitions used by DNS, ForestDNSZones and DomainDNSZones.
This ensures that the DNS server running on the RODC has a full read-only copy of any DNS zones stored in those directory partitions on a centrally located (writable) domain controller.
The RODC administrator can view the contents of a primary read-only zone; changes are only allowed on the centrally located domain controller. These changes to the DNS Server service are required to support Active Directory on an RODC.
GlobalNames Zone
New DNS zone type.
Purpose/Benefits:
Enables organizations with a critical reliance on single-label network names to move away from WINS to an all-DNS environment
Provides the benefits of static, global, single-label names to all-DNS networks
Ensures that single-label names are unique across the entire forest
WINS may still be needed where dynamic registration of single-label names is required
GlobalNames Zone functionality and configuration is covered in detail in Part 4 of this Module.
LLMNR
Link-local multicast name resolution, comparable to multicast DNS (mDNS): resolves names on a local network segment when a DNS server is not available
IPv6 enabled by default
DNS Client service performs name registration
Auto-generation of IPv6 DNS server addresses
Client-side changes are listed in this Lesson and covered in detail in Part 6 of the Module
All other hosts, including clients and member servers, should point to local DNS servers
AAAA Record
The only new record type needed to support name resolution for IPv6 hosts; provides the IPv6 equivalent of the A record
Hosts file: comparable entries using IPv6 addresses
UI and DNSCMD.exe command line: accept IPv6 addresses for server and zone configuration
Server-to-server: servers can accept IPv6 addresses in addition to IPv4 addresses to accommodate IPv6
Reverse lookup zones for IPv6 addresses require much longer names
New reverse lookup namespace, ip6.arpa (RFC 3596; the RFC 1886 cited on the slide is its obsoleted predecessor, which used ip6.int): each hexadecimal digit in the fully expressed 32-digit IPv6 address becomes a separate level in the reverse domain hierarchy, in inverse order
Address: FEC0::1:2AA:FF:FE3F:2A1C
Fully expressed as: FEC0:0000:0000:0001:02AA:00FF:FE3F:2A1C
Example AAAA record:
Name: ipv6test
Address: 3ffe:ffff:6c2b:f282:204:5aff:fe56:f62
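The naming rule above, worked through in code. This is an added example for this page, not code from the course material; it uses only the Python standard library (the ipaddress module) and the addresses from the slides, and it also shows how much longer an ip6.arpa zone name is than its in-addr.arpa counterpart.

```python
"""IPv6 reverse-lookup names for Windows DNS, built the way the lesson describes.

Added example for this page (not code from the course material); standard library only.
The addresses are the ones shown on the slides above.
"""
import ipaddress


def expand_ipv6(addr):
    """Fully expressed form: 8 groups of 4 hex digits, lower case."""
    return ipaddress.IPv6Address(addr).exploded


def compress_ipv6(addr):
    """Shortest form: leading zeros dropped, one run of zero groups written as '::'."""
    return ipaddress.IPv6Address(addr).compressed


def reverse_name(addr):
    """Owner name of the PTR record: each of the 32 hex digits becomes one label,
    in inverse order, under ip6.arpa (RFC 3596)."""
    nibbles = expand_ipv6(addr).replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def reverse_zone(prefix):
    """Name of the reverse lookup zone for a prefix whose length is a multiple of 4 bits;
    a /64 gives a 16-label zone name, far longer than a 3-label in-addr.arpa zone."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen % 4:
        raise ValueError("nibble zones need a prefix length that is a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_record(addr, zone):
    """Split the full reverse name into (owner name relative to the zone, zone),
    which is how the record is entered in the DNS console or with dnscmd."""
    full = reverse_name(addr)
    if not full.endswith("." + zone):
        raise ValueError(f"{addr} is not inside zone {zone}")
    return full[: -len(zone) - 1], zone


if __name__ == "__main__":
    addr = "FEC0::1:2AA:FF:FE3F:2A1C"
    print(expand_ipv6(addr))          # fec0:0000:0000:0001:02aa:00ff:fe3f:2a1c
    print(reverse_name(addr))
    zone = reverse_zone("FEC0:0:0:1::/64")
    print(zone, ptr_record(addr, zone))
```

The /64 zone name alone is 16 labels; the host part adds another 16, which is why these zones are normally created from a prefix and populated by dynamic update or script rather than by hand.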
GlobalNames Zone
New feature in Windows Server 2008 DNS: a new use of a forward lookup zone
Enables resolution of static single-label network names using DNS rather than WINS
GNZ records: no dynamic update
Not intended to provide the same level of functionality as WINS
GNZ resolution process:
1. The DNS client makes a request using a single-label name
2. A suffix is appended to the name based on the suffixes configured at the client
3. The DNS server checks the GlobalNames zone first: a) lookups are answered from the GNZ; b) updates to names held in the GNZ are rejected
4. If the name is not found in the GNZ, then the authoritative zone for the name on the DNS server is checked for queries or updates as normal
5. The appropriate response for names not found in the GNZ for
Benefits:
GNZ eliminates the overhead of having to maintain a long suffix search list
IPv6 support: GNZ is currently the only solution for resolving single-label names to an IPv6 address
Limitations of GNZ
Windows Server 2008 DNS is required throughout in order to guarantee:
Desired responses to queries
Global uniqueness of records
To create a GNZ, add a new forward lookup zone named GlobalNames (no spaces, no quotes, not case-sensitive).
Then the connection-specific DNS suffix for each adapter is used. (For Vista only, and only for IPv6 adapters using DHCPv6 servers:) if there is a connection-specific suffix search list configured via DHCPv6 servers for an adapter, it is appended in the order of the list.
If the name cannot be resolved via DNS using the various suffixes then the
In order to guarantee that names are globally unique and globally resolvable:
All the DNS servers in the forest must host the GNZ.
Recommendations:
Create the GNZ so that it is replicated to every DNS server in the forest
Configure all DNS servers in the forest to host the GNZ
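A small model of the GNZ lookup and update path described in steps 1 to 5 above and of the client-side suffix appending covered in this lesson, as an added example for this page; it is not Microsoft's implementation. The zone contents, GNZ entries and client suffix list are constructed. GNZ entries are modelled as CNAME targets, which is what a real GNZ holds; on a real server the zone is also enabled per server with dnscmd /config /enableglobalnamessupport 1, a command the slides do not show.

```python
"""Model of a Windows Server 2008 DNS server with a GlobalNames zone (GNZ).

Added example for this page, not Microsoft's code. Zone data is constructed.
"""


class DnsServer:
    def __init__(self, zones, gnz=None):
        # authoritative zones: {zone: {host label: address}}
        self.zones = {z.lower(): {h.lower(): a for h, a in recs.items()}
                      for z, recs in zones.items()}
        # GNZ: {single label: CNAME target}; no dynamic update is ever accepted
        self.gnz = {n.lower(): t for n, t in (gnz or {}).items()}

    def _split(self, fqdn):
        """Return (host label, zone) for the longest authoritative zone matching fqdn."""
        fqdn = fqdn.lower().rstrip(".")
        for zone in sorted(self.zones, key=len, reverse=True):
            if fqdn.endswith("." + zone):
                return fqdn[: -len(zone) - 1], zone
        return None, None

    def query(self, fqdn):
        label, zone = self._split(fqdn)
        # Step 3a: the GNZ is consulted first, on the leftmost label only.
        if label is not None and "." not in label and label in self.gnz:
            return ("GNZ", self.gnz[label])
        # Step 4: otherwise the authoritative zone is checked as normal.
        if zone is not None and label in self.zones[zone]:
            return (zone, self.zones[zone][label])
        return ("NXDOMAIN", None)

    def update(self, fqdn, address):
        label, zone = self._split(fqdn)
        # Step 3b: a dynamic update that collides with a GNZ name is rejected.
        if label is not None and label in self.gnz:
            return False
        if zone is None:
            return False
        self.zones[zone][label] = address
        return True


class DnsClient:
    def __init__(self, server, suffix_list):
        self.server, self.suffix_list = server, suffix_list

    def resolve(self, name):
        if "." in name:                      # multi-label: query as given
            return self.server.query(name)
        # Steps 1-2: a single-label name gets each configured suffix appended in order.
        for suffix in self.suffix_list:
            result = self.server.query(f"{name}.{suffix}")
            if result[0] != "NXDOMAIN":
                return result
        return ("NXDOMAIN", None)


if __name__ == "__main__":
    srv = DnsServer({"corp.example.com": {"www": "192.0.2.10", "fileserver": "192.0.2.20"}},
                    gnz={"fileserver": "fs01.branch.example.net"})
    cli = DnsClient(srv, ["corp.example.com", "example.com"])
    print(cli.resolve("fileserver"))       # ('GNZ', 'fs01.branch.example.net')
    print(cli.resolve("www"))              # ('corp.example.com', '192.0.2.10')
    print(srv.update("fileserver.corp.example.com", "198.51.100.5"))   # False
```

Because the server consults the GNZ before the authoritative zone, a GNZ entry shadows a host with the same leftmost label in any zone the server holds (fileserver above), which is why the lesson insists on forest-wide uniqueness of GNZ names.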
Instructor demo: GNZ installation and enabling
Lessons: 1: What are DNS Security Extensions (DNSSEC)? 2: DNSSEC Support in Windows Server 2008 3: DNS Server Global Block List 4: Configuring the DNS Global Block List
DNSSEC in Windows Server 2008 at a glance:
DNS Client: DNSSEC-aware only; protection from forged records requires the application to validate
DNS Server: loosely DNSSEC-aware; authentication per RFC 2535; secondary zones only; signing and validation: No
DNSSEC Authentication
Each zone has its own public/private key pair, used to sign its resource records (DNSSEC provides authentication and integrity, not encryption)
A signed, or secure, zone is a DNS zone whose RRsets carry signatures made with the zone's private key. Resolvers that hold the zone's public key can then verify that an RRset received from the zone is properly authorized, that is, that it actually came from the correct zone and was not altered in transit.
Windows Server 2008 provides basic support of the DNS Security Extensions (DNSSEC) protocol as defined in RFC 2535. The DNS Server service can currently function only as a secondary DNS server for existing DNSSEC-compliant, secure zones. It is not capable of signing zones and resource records (creating cryptographic digital signatures) or of validating the SIG RRs.
WS-08 DNS Server currently:
Loads DNSSEC records along with other RR types
Writes DNSSEC records to the zone data file during zone transfer
When a WS-08 DNS server receives a request for a resource record in a zone also containing DNSSEC resource records:
Client-side:
Essentially DNSSEC-aware only: does not read or store the key for the trusted zone; does not perform any cryptography, authentication or verification; returns and caches DNSSEC records the same as any other RR
An application (other than the WS-08 DNS Client) must perform the necessary cryptography to authenticate resource records.
RFC 2535, on which this support is based, has been superseded by RFC 4033, RFC 4034 and RFC 4035.
To enable DNSSEC record handling on the server, add a DWORD value under the DNS Server parameters key:
HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
EnableDnsSec = 1
DNS Server Global Block List (WPAD and ISATAP)
DNS maintains a list of blocked names
The server does not resolve queries for names in the list; it replies to the query as though no resource record exists
The list applies only to zones for which the server is authoritative; it does not apply to forwarded or stub-zone queries
Query blocking only, not update blocking: a host can still register a blocked name dynamically, but the server will not answer queries for it
The DNS Server service configures the block list on initial startup following installation/upgrade to WS-08 DNS
The initial contents of the list depend on whether WPAD and ISATAP are already present when WS-08 DNS is deployed:
If ISATAP or WPAD is present in any zone, it is omitted from the block list
If ISATAP or WPAD is NOT present in any zone, it is included in the block list and blocking is enabled
DNS checks for these names only on initial startup:
The admin must manually disable blocking if WPAD or ISATAP are introduced AFTER deploying WS-08 DNS
Custom words may be added by issuing the command with the complete list of words to be blocked; remove a word by re-issuing the command with only the words that should remain blocked
Registry:
HKLM\SYSTEM\CCS\Services\DNS\Parameters\
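The startup and query behaviour above, as an added model for this page (it is not Microsoft's code; zone contents and the rogue registration are constructed). The point a defender should take from it: the list blocks queries but not updates, so a host can still register wpad in the zone, and the moment an administrator disables blocking or drops the word from the list (on a real server with dnscmd /config /globalqueryblocklist followed by the complete word list) that record is served. Microsoft's documentation gives the reason the list exists: a host that registers wpad can redirect every browser that relies on proxy auto-discovery. That rationale comes from the documentation, not from the slides.

```python
"""Model of the Windows Server 2008 DNS global query block list: how the list is
seeded on first start and how queries for blocked names are answered.

Added example for this page, not Microsoft's code. Zone contents are constructed.
"""

DEFAULT_BLOCK_LIST = ("wpad", "isatap")


class DnsServer:
    def __init__(self, zones):
        # zones: {zone name: {host label: address}}, the zones this server is authoritative for
        self.zones = {z.lower(): {h.lower(): a for h, a in r.items()} for z, r in zones.items()}
        self.block_list = set()
        self.blocking_enabled = False
        self.first_start()

    def _present_anywhere(self, label):
        return any(label in recs for recs in self.zones.values())

    def first_start(self):
        """Runs once, after installation or upgrade: a default name that already exists
        in any zone is omitted from the list; names that are absent are blocked."""
        self.block_list = {n for n in DEFAULT_BLOCK_LIST if not self._present_anywhere(n)}
        self.blocking_enabled = bool(self.block_list)

    def set_block_list(self, words):
        """Same effect as re-issuing the configuration command with the complete list:
        the new list replaces the old one, so leaving a word out unblocks it."""
        self.block_list = {w.lower() for w in words}

    def _locate(self, fqdn):
        fqdn = fqdn.lower().rstrip(".")
        for zone in sorted(self.zones, key=len, reverse=True):
            if fqdn.endswith("." + zone):
                return fqdn[: -len(zone) - 1], zone
        return None, None

    def query(self, fqdn):
        """Return the address, None when the name is absent or blocked (the client
        cannot tell the two apart), or 'FORWARD' when the server is not authoritative."""
        label, zone = self._locate(fqdn)
        if zone is None:
            return "FORWARD"            # forwarded/stub queries: the list does not apply
        if self.blocking_enabled and label in self.block_list:
            return None                 # answered as though no resource record exists
        return self.zones[zone].get(label)

    def update(self, fqdn, address):
        """Dynamic update: the block list never prevents a registration."""
        label, zone = self._locate(fqdn)
        if zone is None:
            return False
        self.zones[zone][label] = address
        return True


if __name__ == "__main__":
    srv = DnsServer({"corp.example.com": {"www": "192.0.2.10"}})
    print(sorted(srv.block_list))                         # ['isatap', 'wpad']
    srv.update("wpad.corp.example.com", "198.51.100.66")  # rogue registration succeeds
    print(srv.query("wpad.corp.example.com"))             # None: still blocked
    srv.set_block_list(["isatap"])                        # admin unblocks wpad
    print(srv.query("wpad.corp.example.com"))             # 198.51.100.66 is now served
```

Before removing wpad or isatap from the list, check who owns the existing record in every authoritative zone; the server seeded the list precisely because no such record existed when it was installed.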
This Part covers client-side changes and considerations for Windows Server 2008 DNS, and includes the following Lessons:
Lesson 1: GPO Settings
Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries (Unqualified = no dot at end)
Can provide peer-to-peer name resolution for both IPv4 and IPv6; currently the only solution for IPv6 peer-to-peer name resolution
The client tries DNS first and proceeds with LLMNR only if DNS resolution fails
The querying host sends a multicast query over UDP for the target name; an LLMNR-enabled receiving host that owns the name sends a unicast reply containing the responder's host name to the sender
Disabling LLMNR
LLMNR is enabled by default in Vista/WS-08. It can be disabled for all or for specific interfaces by creating or setting registry entries.
Disabling LLMNR on all interfaces:
HKLM\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters\EnableMulticast = 0
Disabling LLMNR on a specific interface:
HKLM\SYSTEM\CurrentControl
Replace <adapterGUID> with the GUID of the interface to be disabled. Setting these values to 1 enables LLMNR for the respective interface or interfaces. Use Group Policy to disable LLMNR on managed computers (Computer Configuration, Administrative Templates, Network, DNS Client: Turn off multicast name resolution).
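The query and reply exchange described in this lesson, on the wire. This is an added example for this page, not code from the course: LLMNR reuses the DNS message format (RFC 4795) over UDP port 5355, the query goes to the multicast group 224.0.0.252 or FF02::1:3 and the reply comes back unicast. The reply bytes are constructed here to look like a responder's answer; nothing is sent on the network. Note what the reply does not contain: anything that ties it to the host that legitimately owns the name, which is why the lesson's advice to turn LLMNR off through Group Policy on managed networks matters.

```python
"""LLMNR query and reply messages (RFC 4795; DNS wire format on UDP/5355).

Added example for this page, not code from the course. Reply bytes are constructed.
"""
import struct

LLMNR_PORT = 5355
LLMNR_GROUP_V4, LLMNR_GROUP_V6 = "224.0.0.252", "ff02::1:3"
FLAG_QR, FLAG_C = 0x8000, 0x0400   # response bit; conflict bit


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(data, offset):
    labels = []
    while True:
        n = data[offset]
        offset += 1
        if n == 0:
            return ".".join(labels), offset
        if n & 0xC0 == 0xC0:                       # compression pointer
            ptr = ((n & 0x3F) << 8) | data[offset]
            tail, _ = decode_name(data, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 1
        labels.append(data[offset:offset + n].decode("ascii"))
        offset += n


def build_query(txid, name, qtype=1):
    """Standard query: flags 0, one question, no answers."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_reply(query, answer_ip, ttl=30):
    """What an LLMNR-enabled host that owns the queried name sends back, unicast.
    Only the name and the transaction ID are echoed; nothing authenticates the sender."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, off = decode_name(query, 12)
    question = query[12:off + 4]
    rdata = bytes(int(x) for x in answer_ip.split("."))
    rr = encode_name(qname) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, FLAG_QR, 1, 1, 0, 0) + question + rr


def parse(message):
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", message[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(message, off)
        qtype, _ = struct.unpack("!HH", message[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(message, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", message[off:off + 10])
        off += 10
        rdata = message[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "is_reply": bool(flags & FLAG_QR), "conflict": bool(flags & FLAG_C),
            "questions": questions, "answers": answers}


def is_llmnr_query(payload):
    """Cheap filter for a capture on UDP/5355: a query has QR clear and exactly one question."""
    if len(payload) < 12:
        return False
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", payload[:12])
    return not flags & FLAG_QR and qd == 1 and an == 0


if __name__ == "__main__":
    q = build_query(0x1234, "fileserver")
    r = build_reply(q, "192.0.2.77")   # constructed responder; could be any host on the segment
    print(parse(r))
```

A capture filter built on is_llmnr_query plus a count of distinct responders per queried name is a quick way to see whether a segment still has LLMNR traffic after the Group Policy above has been applied.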
DNS server address auto-configuration (IPv6):
Does not impair IPv4 connectivity
IPv6 hosts automatically populate their configuration with the following well-known IPv6 DNS server addresses: fec0:0:0:ffff::1, fec0:0:0:ffff::2, fec0:0:0:ffff::3
Site-local addresses are formally deprecated in RFC 3879 for future IPv6 implementations
Recommendation: manually configure DNS servers with these addresses, and add host routes to the routing infrastructure so that the DNS servers are reachable from WS-08 and downlevel IPv6 hosts
Lesson: IPv6-specific Considerations
Domain Controller considerations
IPCONFIG behaviour (v4 versus v6), including the /registerdns option
When promoting a server to Domain Controller, the dcpromo utility invokes autoconfiguration of the DNS client settings.
The loopback address is added to the DNS server list in all cases: at the top of the list for the first DC in a new domain, and at the bottom of the list for any replica DC.
Problems may appear on a new DC after reboot if the DC points only to itself for DNS name resolution; this may cause authentication delays of 15 minutes or greater following the reboot after dcpromo.
NAPTR record: provides rules for constructing a URI; will likely be used for performing a lookup of a phone number to a SIP URI
DNAME
Like a CNAME but for an entire domain. Can only be created with dnscmd.
Improves the level of support for DNAME records from Windows Server 2003: Windows 2003 RTM did not recognize the DNAME record; Windows 2003 SP1 recognized DNAME but could not host it; Event 5504 is logged when a Windows Server 2003-based DNS server receives a packet that contains a DNAME resource record
DNSSEC records: available via the WS-08 DNS GUI, but crypto operations are not performed by WS-08 DNS; WS-08 DNS will only host the DNSSEC records.
Module 3
In this Module
Part 1: DHCP in Windows Server 2008
Part 2: DHCP Client and Server Implementation Details
Lesson 1: What's Changed in DHCP?
Lesson 2: Adding the DHCP Server Role in Windows Server 2008
Explain the purpose and basic functionality of DHCP in Windows Server 2008. List and describe new and changed features in Windows Server 2008 DHCP. Add/Install the DHCP Server Role on Windows Server 2008.
What's changed: similar to the Windows Server 2003 DHCP interface, with the addition of NAP integration; now supports stateful IPv6 address configuration (DHCPv6)
Detailed walk-through of using the Add Roles Wizard to add and configure the DHCP role (screen shots)
A DHCP backup includes:
All options, including server options, scope options, reservation options and class options
All registry keys and other configuration settings (for example, audit log settings and folder location settings) set in DHCP server properties, stored under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCPServer\Parameters
Restoring DHCP
Reasons for restoring:
Disk failure
Database corruption
Moving the role to another server (including 2003 to 2008)
How to restore:
Right-click the server and select Restore
Select the location of the backup files (for example c:\DhcpBackup; the configuration is in c:\DhcpBackup\DHCPcfg, which is a file with no extension)
Stop and restart the DHCP service
Lesson 12 DHCPv6
Explain the purpose of IPv6 in Windows Server 2008. Identify and explain the IPv6 Interfaces present on Windows Server 2008. Explain IPv6 addressing and routing concepts; identify and explain IPv6 address types. Configure IPv6 addresses and routing options on Windows Server 2008.
Explain the purpose of DHCPv6, and describe how it differs from DHCPv4.
Install and configure DHCPv6 on Windows Server 2008. Discuss likely DHCPv6 implementation scenarios.
Identify likely DHCPv6 support issues, and perform basic troubleshooting steps.
Large address space
Efficient routing
Ease of configuration
Enhanced security
New optimized header format
Stateless and stateful address configuration
Built-in security: full support for IPsec
Improved support for QoS
Neighbor Discovery
Other Features/Benefits of IPv6 in Windows Server 2008
See the interfaces present on the server:
C:\>netsh int show int
C:\>netsh int ipv4 show int
C:\>netsh int ipv6 show int
Shows details for the Ethernet adapter and the IPv6 interfaces.
IPv6 address notation:
Fully expressed: 2001:0db8:0000:0001:0000:0000:0000:0001
Leading zeros dropped: 2001:db8:0:1:0:0:0:1
Compressed zeros: 2001:db8:0:1::1
IPv6 Prefixes
IPv6 address types (commonly seen) and their prefixes:
Link-local: FE80::/10 (non-routable)
Site-local: FEC0::/10
Multicast: FF00::/8 (FF00:: through FFFF::)
Global unicast: 2000::/3 (RFC 3587)
Teredo (global Teredo IPv6 service prefix): 2001:0000::/32 (RFC 4380)
Global, reserved for documentation: 2001:DB8::/32 (RFC 3849)
6to4: 2002::/16
ISATAP: [64-bit prefix]:0:5EFE:w.x.y.z
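The prefix table above turned into a classifier, as an added example for this page (not code from the course; standard library only). Beyond naming the type it also extracts the IPv4 addresses embedded in the transition forms (6to4, ISATAP, Teredo), which is what you want when an IPv6 address turns up in a log and you need to know whether it is really a tunnel endpoint on an IPv4 host.

```python
"""Classify IPv6 addresses by the prefixes in the lesson and decode transition addresses.

Added example for this page, not code from the course. Standard library only.
"""
import ipaddress

PREFIXES = [   # most specific first; the 2001:db8 and 2001:0 /32s sit inside 2000::/3
    ("Documentation (RFC 3849)", ipaddress.IPv6Network("2001:db8::/32")),
    ("Teredo (RFC 4380)", ipaddress.IPv6Network("2001::/32")),
    ("6to4", ipaddress.IPv6Network("2002::/16")),
    ("Global unicast (RFC 3587)", ipaddress.IPv6Network("2000::/3")),
    ("Link-local", ipaddress.IPv6Network("fe80::/10")),
    ("Site-local (deprecated, RFC 3879)", ipaddress.IPv6Network("fec0::/10")),
    ("Multicast", ipaddress.IPv6Network("ff00::/8")),
]


def _dotted(b):
    return ".".join(str(x) for x in b)


def classify(addr):
    """Return (address type, embedded IPv4 information or None)."""
    a = ipaddress.IPv6Address(addr.split("%")[0])   # strip a zone index such as %12
    kind = next((name for name, net in PREFIXES if a in net), "Other (loopback, unspecified, ...)")
    raw = a.packed
    # ISATAP is identified by its interface identifier ::0:5EFE:w.x.y.z (0200:5EFE when
    # the u/l bit is set), regardless of the /64 prefix it sits in.
    if raw[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return f"ISATAP inside {kind}", _dotted(raw[12:])
    if kind == "6to4":
        return kind, _dotted(raw[2:6])               # 2002:WWXX:YYZZ:: embeds the public IPv4
    if kind.startswith("Teredo"):
        # 2001:0:<server IPv4>:<flags>:<~port>:<~client IPv4>; the client address is
        # stored bitwise inverted, so undo the inversion.
        client = bytes(b ^ 0xFF for b in raw[12:])
        return kind, f"server {_dotted(raw[4:8])}, client {_dotted(client)}"
    return kind, None


if __name__ == "__main__":
    for sample in ("fe80::1%12", "fec0:0:0:ffff::1", "2001:db8:0:1::1",
                   "2002:c000:204::1", "2001:db8:0:1:0:5efe:192.0.2.1",
                   "2001:0:4136:e378:8000:63bf:3fff:fdd2"):
        print(sample, "->", classify(sample))
```

Teredo and 6to4 addresses appearing on an internal host are worth a second look: both mean IPv6 traffic is leaving the host encapsulated in IPv4, past any control that only inspects native IPv6.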
IPv6 addresses and DNS servers: how clients obtain them
Stateless addressing (unmanaged): the host forms its own address from the prefix in Router Advertisements
Stateful addressing (managed): the address is assigned by a DHCPv6 server
Router Discovery and the Managed Address and Other Stateful flags decide which is used; routes must be configured and published (below)
IPv6 Routing
Enable forwarding:
netsh int ipv6 set int "interface name" (or idx number) forwarding=enabled
When forwarding is enabled, the server is now an IPv6 router, but the IPv6 clients are not aware of the router until advertising is enabled.
Enable Advertising
Causes the system to send Router Advertisement messages, which allows IPv6 clients to be aware of the IPv6 router. netsh command:
netsh int ipv6 set int "Local Area Connection" (or idx number) advertise=enabled
Publish Routes
netsh int ipv6 set route 2001:db8:0:1::/64 "Local Area Connection" publish=yes
netsh int ipv6 set route 2001:db8:0:2::/64 "Local Area Connection 2" publish=yes
Router Discovery
IPv6 parameter that allows clients to learn routers and on-link prefixes from Router Advertisements. To enable RouterDiscovery:
netsh int ipv6 set int "Local Area Connection" (or idx number) routerdiscovery=enabled
The M and O flags in Router Advertisements
Managed Address (M flag): the client sends a DHCPv6 Solicit packet to initiate the DHCPv6 process with a DHCPv6 server. ManagedAddress enabled assumes DHCP will provide both the address and the options. Netsh command:
netsh int ipv6 set int "interface name" (or idx number) managedaddress=enabled
Other Stateful (O flag): determines whether the client will request DHCPv6 options (in addition to the address) from the DHCPv6 server. Netsh command:
netsh int ipv6 set int "interface name" (or idx number) otherstateful=enabled
Resulting client behaviour:
Default IPv6 configuration with no IPv6 router present: default IPv6 client (link-local address only)
IPv6 router present with Managed Address and Other Stateful enabled at the router: IPv6 client forced to be a DHCPv6 client
IPv6 router present with Other Stateful enabled: IPv6 client with manual IPv6 address plus DHCPv6 options
Registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisabledComponents
Bit mask values used to disable various interface types; see the Lesson text for specific bit mask values
Overview / Review: DHCPv6 support in Windows; DHCPv6 message exchanges
Dual IPv4/IPv6 IP stack with DHCPv4/DHCPv6 client functionality. The DHCPv6 client is present by default, but only attempts DHCPv6-based communication when:
The local parameter configuration has ManagedAddress or OtherStateful enabled, or
Indicated by the M and O flags in received Router Advertisement messages
To configure multiple clients to use DHCPv6, the IPv6 router(s) in the environment can be configured with ManagedAddress=enabled and OtherStateful=enabled
DHCPv6 servers and relay agents in the environment must be configured to service each IPv6 subnet
Windows Server 2008 supports stateful and stateless DHCPv6 configuration; a DHCPv6 relay agent is included in the NPAS role and the RRAS role service
DHCPv6 message exchange:
Solicit: sent by the client to the All_DHCP_Relay_Agents_and_Servers multicast address FF02::1:2; similar to the DHCPDiscover message in DHCP for IPv4
Advertise: the server indicates that it can provide address and configuration services; similar to the DHCPOffer message in DHCP for IPv4
Request and Reply complete a stateful exchange
Information-Request: similar to the DHCPInform message in DHCP for IPv4; the server sends a Reply message with the requested configuration settings, such as DNS servers, DNS domain names and other options
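The decision table in the previous lesson (what a host does given the router's M and O flags and its own ManagedAddress/OtherStateful settings) and the message exchange above, combined in one added example for this page. It is not Windows code; router and host settings are constructed and nothing is sent on the network.

```python
"""Which address source, option source and DHCPv6 exchange an IPv6 host ends up with.

Added example for this page, not Windows code. Inputs are constructed.
"""
from dataclasses import dataclass

ALL_DHCP_RELAY_AGENTS_AND_SERVERS = "ff02::1:2"
STATEFUL_EXCHANGE = ["Solicit", "Advertise", "Request", "Reply"]
STATELESS_EXCHANGE = ["Information-Request", "Reply"]


@dataclass
class RouterAdvertisement:
    prefix: str                 # advertised on-link prefix, e.g. "2001:db8:0:1::/64"
    managed: bool = False       # M flag
    other: bool = False         # O flag
    autonomous: bool = True     # A flag on the prefix option: SLAAC permitted


@dataclass
class HostConfig:
    managed_address: bool = False   # netsh int ipv6 set int ... managedaddress=enabled
    other_stateful: bool = False    # netsh int ipv6 set int ... otherstateful=enabled
    manual_address: str = None      # statically configured global address, if any


def plan(ra, host):
    """Return (address source, options source, DHCPv6 messages or None).

    The client talks DHCPv6 only when its own settings say so or the RA flags do;
    ManagedAddress implies that DHCPv6 also supplies the options."""
    want_address = host.managed_address or (ra is not None and ra.managed)
    want_options = host.other_stateful or (ra is not None and ra.other) or want_address
    if host.manual_address:
        address = f"manual {host.manual_address}"
    elif want_address:
        address = "DHCPv6 (stateful)"
    elif ra is not None and ra.autonomous:
        address = f"SLAAC from {ra.prefix}"
    else:
        address = "link-local only"
    if want_address and not host.manual_address:
        return address, "DHCPv6", list(STATEFUL_EXCHANGE)      # Solicit goes to ff02::1:2
    if want_options:
        return address, "DHCPv6 (stateless)", list(STATELESS_EXCHANGE)
    return address, "none (RA only)", None


if __name__ == "__main__":
    ra_mo = RouterAdvertisement("2001:db8:0:1::/64", managed=True, other=True)
    ra_o = RouterAdvertisement("2001:db8:0:1::/64", other=True)
    print(plan(None, HostConfig()))
    print(plan(ra_mo, HostConfig()))
    print(plan(ra_o, HostConfig(manual_address="2001:db8:0:1::10")))
```

The last case is the one that surprises people troubleshooting: with only the O flag set, the host never sends a Solicit, so a DHCPv6 server that has an address scope but no options for the subnet will see Information-Requests and nothing else.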
Lesson 1: IPv6 Troubleshooting Tools
Lesson 2: DHCP Logging
Lesson 3: IPv6 FAQ
Objectives: demonstrate and explain the IPv6-specific options available for the ipconfig and ping commands; enable logging for both DHCPv4 and DHCPv6; use ipconfig, ping, route print and DHCP logging to gather useful troubleshooting information; answer common customer questions about IPv6 in Windows Server 2008.
Objectives
Describe features of the major Windows file systems Secure access to files with permissions
A file system defines the method and format that an OS uses to store, locate, and retrieve files from electronic storage media
Modern file systems are composed of some or all of the following components:
Filenaming convention
Hierarchical organization
Data storage method
Metadata
Attributes
Access control lists (ACLs)
FAT (File Allocation Table) consists of two variations: FAT16 and FAT32 FAT16 is limited to 2 GB partitions (Windows NT extends this to 4 GB) with a maximum file size of 2 GB FAT32 allows partitions up to 2 TB in size, but Windows 2000 and later limit the size of FAT32 partitions at creation to 32 GB due to performance; FAT32 supports files up to 4 GB in size
NTFS features that FAT lacks: disk quotas, volume mount points, shadow copies, file compression and the Encrypting File System (EFS)
Disk Quotas
Disk quotas help administrators control how disk space is used on a server
Options: Enable quota management; Deny disk space to users exceeding quota limit
Volume mount points enable you to access a volume as a folder in another volume instead of by using a drive letter
Volume holding the folder to serve as the mount point must be an NTFS volume
Reasons for using mount points
Shadow Copies
Allows access to previous versions of files and the ability to restore files that were deleted or corrupted
Upon enabling Shadow Copies, Windows will warn that the default settings are not ideal for heavily used servers
The following can be configured in the Settings dialog box for Shadow Copies: storage location (Located on this volume), Details, Maximum size, Schedule
File compression and encryption are implemented as attributes
Files copied to a new location inherit the compression attribute from the parent container; files moved to a new location on the same volume retain their current compression attribute; files moved to a new location on a different volume inherit the compression attribute from the parent container
Encrypting File System (EFS): can be set on a file or a folder, but not an entire
Rules for encryption behavior:
Encrypted files that are copied or moved always stay encrypted, regardless of the destination's encryption attribute; unencrypted files that are moved or copied to a folder with the encryption attribute set are always encrypted
The owner of an encrypted file can add additional users who can decrypt the file; however, a user must have a valid EFS certificate in order to be added
Share permissions and NTFS permissions
Share permissions apply only to files accessed through a network share, while NTFS permissions apply whether accessing network shares or local files
The effective permission is always the most restrictive of the Share and NTFS permissions
Share Permissions
Share permissions apply to folders and files accessed through the share
Three share permissions: Read, Change, Full Control
Default share permission: Everyone, Read
NTFS Permissions
NTFS permissions can be configured on folders and files: 6 standard permissions (Read, Read & Execute, List Folder Contents, Write, Modify, Full Control) and 14 special permissions for folders
Ownership can be obtained in three ways: by creating the object, by taking ownership, or by being assigned ownership
By default, initial permissions are set at the root of a volume, and then new folders and files inherit these settings unless configured otherwise
Permission inheritance can be disabled in the Advanced Security Settings dialog box, by clearing the Include inheritable permissions from this object's parent option
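A model of the "most restrictive wins" rule and of the order in which NTFS access control entries are evaluated (explicit before inherited, deny before allow within each level), as an added example for this page. It is not the Windows access-check code; the users, groups, ACLs and share permissions are constructed, and the permission-to-right mapping is simplified.

```python
"""Effective access to a file reached through a share: NTFS ACL evaluation in
canonical order, then intersection with the share permission.

Added example for this page, not the Windows access-check code. Data is constructed.
"""
READ = {"read", "execute"}
WRITE = {"write", "append"}
MODIFY = READ | WRITE | {"delete"}
FULL = MODIFY | {"delete_subfolders_and_files", "change_permissions", "take_ownership"}

SHARE = {"Read": READ, "Change": MODIFY, "Full Control": FULL}
NTFS = {"Read": READ, "Read & Execute": READ, "Write": WRITE, "Modify": MODIFY, "Full Control": FULL}


class Ace:
    def __init__(self, principal, kind, rights, inherited=False):
        self.principal, self.kind, self.inherited = principal, kind, inherited
        self.rights = set(NTFS.get(rights, rights))   # a standard permission name or a set of rights


def ntfs_effective(acl, principals):
    """Walk the ACL in canonical order; the first ACE that decides a right wins,
    so an explicit allow beats an inherited deny and an explicit deny beats an
    inherited allow."""
    order = sorted(acl, key=lambda a: (a.inherited, a.kind != "deny"))
    allowed, denied = set(), set()
    for ace in order:
        if ace.principal not in principals:
            continue
        if ace.kind == "deny":
            denied |= ace.rights - allowed
        else:
            allowed |= ace.rights - denied
    return allowed


def effective_access(share_perms, acl, user, groups, via_share=True):
    """share_perms: {principal: share permission name}. Returns the rights the user
    actually gets; a local open (via_share=False) is governed by NTFS alone."""
    principals = {user, "Everyone", *groups}
    rights = ntfs_effective(acl, principals)
    if via_share:
        share_rights = set()
        for principal, level in share_perms.items():
            if principal in principals:
                share_rights |= SHARE[level]
        rights &= share_rights           # most restrictive of the two wins
    return rights


if __name__ == "__main__":
    acl = [Ace("Users", "allow", "Modify", inherited=True),
           Ace("Contractors", "deny", "Write"),
           Ace("alice", "allow", "Full Control")]
    share = {"Everyone": "Read"}          # the default share permission
    print(sorted(effective_access(share, acl, "alice", {"Users"})))              # read, execute
    print(sorted(effective_access(share, acl, "alice", {"Users"}, via_share=False)))
    print(sorted(effective_access(share, acl, "bob", {"Users", "Contractors"}, via_share=False)))
```

The alice case is the common support ticket: Full Control on NTFS, yet only read access over the network because the share was left at its default of Everyone/Read. The bob case shows why an explicit deny on a group is so effective: it is evaluated before the inherited allow and blocks the write right outright.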
The File Services role is required to share folders. Folders in Windows Server 2008 can only be shared by members of the Administrators or Server Operators groups.
Methods to configure folder sharing in Windows Server 2008:
Default shares: hidden administrative shares (accessible only to Administrators), plus NETLOGON and SYSVOL on domain controllers
The Shared Folders snap-in can be used to create, delete, and monitor shares, as well as view open files or monitor and manage user connections or sessions
Methods to access shared folders: UNC path; publishing in Active Directory; browsing; mapping a drive letter
File Services role services: File Server, Distributed File System, File Server Resource Manager (FSRM), Services for Network File System, Windows Search Service, Windows Server 2003 File Services
The Share and Storage Management snap-in can also: provision storage, provision shares, publish shares, and manage them
The Disk Management snap-in provides more advanced features than the Share and Storage Management snap-in in relation to disk administration and can perform the following tasks:
Distributed File System (DFS): combines shared folders on multiple servers into a single folder hierarchy, with replication for fault tolerance
File Server Resource Manager (FSRM) is a suite of services and management tools for monitoring storage space, managing quotas, controlling the types of files that users can store on a server, and creating storage reports. Contains three tools: Quota Management, File Screening Management and Storage Reports Management
Windows Printing
Print device
Printer
Print Server
Print queue
A print server can provide additional printing functions: access control, printer pooling, printer priority, print job management, availability control
In order to configure a Windows Server 2008 system as a print server, a printer must be shared
The Advanced tab in a printer's Properties dialog box provides the following options: Always available / Available from; Priority; Driver; Spooling options; Hold mismatched documents; Print spooled documents first; Keep printed documents
Printer Permissions
Print
Manage printers
Manage documents
In addition, there are six special permissions
The Print Services role is not necessary to create printer shares or to manage the print server. It provides the Print Management snap-in, which can be used to manage multiple printers and print servers, and allows the installation of two other role services: Line Printer Daemon (LPD) Service and Internet Printing
Print Management tasks: share a printer; migrate printers; deploy printers by using Group Policy; list or remove printers from Active Directory; display printers based on a filter
Chapter Summary
File systems define the method and format that an OS uses to store, locate, and retrieve files from storage media; Windows supports two file systems: FAT and NTFS FAT file system consists of two variations: FAT16 and FAT32 FAT16 is limited to 2 GB partitions, and FAT32 supports up to 2 TB; FAT file systems lack encryption, file compression, and file and folder security
NTFS is the ideal file system on Windows systems; features include file and folder security, disk quotas, mount points, shadow copies, file compression, and EFS
There are three share permissions: Read, Change, and Full Control; NTFS permissions have 6 standard permissions and 14 special permissions
Files can be shared by using the File Sharing Wizard, the Advanced Sharing dialog box, the Shared Folders snapin, and the Share and Storage Management snap-in
Windows includes administrative shares automatically, which are hidden and accessible only by members of the Administrators group
The File Services role adds tools to manage all aspects of storage and can install several additional role services Windows printing consists of these components: print device, printer, print server, and print queue The Print Services role provides printer sharing, the Print Management snap-in, and optionally the LPD Service and Internet Printing role services
IIS 7.0 Components
Protocol Listeners: Hypertext Transfer Protocol Stack (HTTP.sys)
World Wide Web Publishing Service (WWW service)
Windows Process Activation Service (WAS)
IIS 7.0 Modules: Native Modules, Managed Modules
IIS 7.0 Request Processing
IIS 7.0 Application Pools
HTTP Request Processing in IIS 7.0
Hypertext Transfer Protocol Stack (HTTP.sys) (since IIS 6.0; it replaced the Windows Sockets API (Winsock) listener used in IIS 5.0)
The HTTP listener is part of the networking subsystem of Windows operating systems, and it is implemented as a kernel-mode device driver called the HTTP protocol stack (HTTP.sys). HTTP.sys listens for HTTP requests from the network, passes the requests on to IIS for processing, and then returns processed responses to client browsers.
HTTP.sys provides the following benefits:
Kernel-mode caching: requests for cached responses are served without switching to user mode
Kernel-mode request queuing: requests cause less overhead in context switching because the kernel forwards requests directly to the correct worker process; if no worker process is available to accept a request, the kernel-mode request queue holds the request until a worker process picks it up
Request pre-processing and security filtering
World Wide Web Publishing Service (WWW service): in IIS 7.0, functionality that was previously handled by the WWW Service alone is now split between two services, the WWW Service and the Windows Process Activation Service (WAS).
In IIS 6.0, WWW Service manages the following main areas in IIS:
HTTP administration and configuration: WWW Service reads configuration information from the IIS metabase and uses that information to configure and update the HTTP listener, HTTP.sys.
Process management: WWW Service manages application pools and worker processes, such as starting, stopping, and recycling worker processes. Additionally, WWW Service monitors the health of the worker processes, and invokes rapid-fail protection to stop new processes from starting when several worker processes fail in a configurable amount of time.
Performance monitoring: WWW Service monitors performance and provides performance counters for Web sites and for the IIS cache.
In IIS 7.0, WAS manages application pools and worker processes for both HTTP and non-HTTP requests, while the WWW Service continues to configure HTTP.sys.
Handler Mappings
In IIS 7, handlers generate responses for requests made to sites and applications. Like modules, handlers are implemented as either native or managed code. When you have a certain type of content in your site or application, you must have a handler that can process requests for that type of content and you must map that handler to the content type. For example, there is a handler (Asp.dll) that processes requests for ASP pages, and, by default, IIS 7 maps the handler to all requests for ASP files.
ISAPI Filters
Internet Server Application Programming Interface (ISAPI) filters are programs that you can add to IIS to enhance Web server behavior.
Benefits of the integrated request-processing pipeline include: all file types can use features that were originally available only to managed code; the design eliminates the duplication of several features in IIS and ASP.NET (in IIS 6.0, IIS and ASP.NET used separate pipelines); all of the modules can be managed in one location, instead of managing some features in IIS and some in the ASP.NET configuration.
In a worker process, an HTTP request passes through several ordered steps, called events, in the Web Server Core.
Implementing FTP; Configuring FTP Sites; Securing FTP Sites; Implementing SMTP; Configuring SMTP
Migrating or Upgrading a Windows Server 2003 Branch Office Server to Windows Server 2008; Low-Touch Branch Office Server Deployment
LAB: Prepare a Windows Server 2008 Server Core Installation for use as a Branch Office Server
Clinic Outline
Overview of Microsoft Hyper-V: Technical Background and Architecture
Benefits: more control; increased protection; greater flexibility
Hardware requirements: x64 processor with hardware-assisted virtualization and DEP
Technical Background
High Availability
Architecture: the parent partition runs the virtualization stack (WMI provider, VM Service, VM Worker processes); guest partitions run the guest applications and a Windows kernel with enlightenments, using VSCs (virtualization service clients)
Installation: Server Manager or the OCSetup command
Editing disks: Compact, Convert, Expand; inspecting disks: View Information, Merge with Parent
Creating a dynamically expanding disk; creating a fixed disk; creating a differencing disk; editing an existing disk; inspecting an existing disk
Virtual network types: Internal, External, None
New Virtual Machine wizard: Location, Memory, Network, Virtual Hard Disk, OS Installation
Virtual Machine Connection: uses an implementation of Remote Desktop Protocol (RDP); allows interaction with the VM before it is started
Using Snapshots: point-in-time; allows for rollback when the VM is offline; replaces the previous undo-disk functionality
Saved State
Migrate to Microsoft Hyper-V: secure virtualization platform; manage with Group Policy
Snapshots; automation via WMI; CPU utilization control; utilization counters; offline VHD manipulation
Failover Clustering: a host cluster (HOST1, HOST2) running the virtual machines, managed by SCVMM
SCVMM: maximize the data center; rapid provisioning; leverage expertise; manage virtual machines
Implementation/Usage Scenarios: server consolidation; dynamic data center; branch office operations; testing and development
Server Consolidation; Live Migration; Cloning; Recommendations
Windows PowerShell
Hosted by
Apply hotfixes: use automated patch distribution; configure clients
500+ systems: use the Software Update Services feature pack and SMS. Download the feature pack (free to licensed SMS users); configure for automated update and auditing
2. Follow Microsoft advice for hardening systems: checklists, security templates and instructions abound. Use them!
Many successful attacks could have been
To secure systems: Software Restriction Policies
Set the baseline policy: Accounts, Security Options, User Rights. Then design incremental policies for computer and user roles in your network
Strengthen passwords
Teach users how to make strong passwords Audit password strength periodically
Audit events to watch (Windows Server 2003 security log event IDs):
643 domain policy changed
644 user account locked out
675 pre-authentication failed
681 domain logon failure
529, 530, 531, 532, 533, 534, 535, 539, 548, 549 logon failure
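The event IDs listed above turned into a small triage routine, as an added example for this page (not from the webcast). The log lines are constructed to look like a comma-separated export of the Security log (date, time, event ID, user, source); the burst threshold and the five-minute window are assumptions to tune for your environment.

```python
"""Triage Windows Server 2003-era security event IDs from exported audit-log lines:
bursts of logon failures per account, lockouts and domain policy changes.

Added example for this page, not course code. SAMPLE_LOG is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOGON_FAILURE = {529, 530, 531, 532, 533, 534, 535, 539, 548, 549, 675, 681}
LOCKOUT, POLICY_CHANGE = 644, 643

SAMPLE_LOG = """\
2008-03-10,08:00:01,529,jsmith,SRV01
2008-03-10,08:00:04,529,jsmith,SRV01
2008-03-10,08:00:07,675,jsmith,DC01
2008-03-10,08:00:09,529,jsmith,SRV01
2008-03-10,08:00:12,529,jsmith,SRV01
2008-03-10,08:00:15,644,jsmith,DC01
2008-03-10,08:30:00,529,mjones,SRV02
2008-03-10,09:45:00,643,Administrator,DC01
2008-03-10,10:00:00,528,mjones,SRV02
"""


def parse(text):
    """Return (timestamp, event id, user, source) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, eid, user, source = line.split(",")
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, int(eid), user, source))
    return events


def triage(events, threshold=4, window=timedelta(minutes=5)):
    """Return a list of (finding, user, detail) in time order."""
    findings = []
    failures = defaultdict(list)          # user -> timestamps of recent failures
    for ts, eid, user, source in sorted(events):
        if eid in LOGON_FAILURE:
            recent = failures[user]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # sliding window
                recent.pop(0)
            if len(recent) == threshold:                # fire once, when the threshold is crossed
                findings.append(("logon_failure_burst", user, f"{threshold} failures within {window}"))
        elif eid == LOCKOUT:
            findings.append(("account_locked_out", user, source))
        elif eid == POLICY_CHANGE:
            findings.append(("domain_policy_changed", user, source))
    return findings


if __name__ == "__main__":
    for finding in triage(parse(SAMPLE_LOG)):
        print(finding)
```

The successful logon (528) after the lockout is deliberately not a finding by itself; it is the burst followed by a lockout and then a success for the same account that deserves the analyst's attention, and that sequence is easy to read off the ordered findings.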
Restrict to Administrators: the right to Restore files and folders; Change the system time; Allow logon to Terminal Services (on non
Deny access:
To the SUPPORT_388945a0 account: access this computer from the network; log on as a batch job; log on through Terminal Services
To non-operating-system service accounts: logons from Terminal Services; access this computer from the network
Manage Services
Set permissions: who can start, stop or disable each service?
Unnecessary services? Baseline list of services to review:
Application Layer Gateway Service; Application Management; ASP.NET State Service; Automatic Updates; Background Intelligent Transfer Service; Certificate Services; Client Service for NetWare; Clustering Service*; COM+ System Application; DHCP Server
Messenger; Microsoft POP3 Service; MSSQL$UDDI
And more: MSSQLServerADHelper; .NET Framework Support Service; NetMeeting Remote Desktop Sharing; Network DDE; Network DDE DSDM; NNTP; Portable Media Serial Number
And more: Telnet; Terminal Services Licensing; Terminal Services Session Directory; Themes; Trivial FTP Daemon; UPS; Upload Manager; Virtual Disk Service; Web Client; Web Element Manager; Windows Audio; Windows Image Acquisition (WIA)
And more: WINS; Windows Media Services; Windows System Resource Manager; WinHTTP Web Proxy Auto-Discovery Service; Wireless Configuration; World Wide Web Publishing Service
Set Restricted Groups: add the group, then enter the authorized members. Users added in the normal GUI will be removed if not also added here
Allow all traffic to and from the file server and domain controllers
Accounts with unique SIDs (policy that might impact these accounts cannot be centrally set): Guest, the group Guests, SUPPORT_388945a0
Bonus -