Windows 2008 notes
These notes are taken from the Microsoft Windows Server Administration book.
HW Reqs
1 GHz x86 or 1.4 GHz x64, rec 2 GHz+
512 MB RAM, rec 2 GB
15 GB disk (30 GB for upgrade), rec 40 GB
- 5436 MB for the installation
- 10412 MB of free space needed by the install
- plus swap file, log files, additional server roles
Versions
Standard
targeted at small to medium sized businesses
- x86 32-bit ver - 4 GB mem max, up to 4 procs in SMP config.
- x64 64-bit ver - 32 GB mem max, up to 4 procs in SMP config.
- Supports Network Load Balancing clusters, but no failover clustering.
Enterprise
targeted at large businesses.
- adds Failover Clustering - allows another svr to service client requests in the event the original svr fails
- adds AD Federation Services - allows ID federation between organizations (e.g. to allow access to local svcs)
- x86 32-bit ver - 64 GB mem max, up to 8 procs in SMP config.
- x64 64-bit ver - 2 TB mem max, up to 8 procs in SMP config.
Datacenter
targeted at very large businesses. Only available through OEM mfgs.
- adds unlimited virtual image rights (e.g. for consolidating svrs).
- x86 32-bit ver - 64 GB mem max, up to 32 procs in SMP config.
- x64 64-bit ver - 2 TB mem max, up to 64 procs in SMP config.
Web
designed to function as a web app svr. Other roles not supported. Does not support the higher-powered hw configs of the other versions of Win2008 svr.
- x86 32-bit ver - 4 GB mem max, up to 4 procs in SMP config.
- x64 64-bit ver - 32 GB mem max, up to 4 procs in SMP config.
Itanium
designed for the Intel Itanium 64-bit proc. Only edition that can be installed on an Itanium-based computer; requires an Itanium 2 processor. App and Web svr are supported. Virt and Windows Deployment Services are not available.
- 2 TB mem max, up to 64 procs in SMP config.
HyperV will only run on x64 versions of OS.
Server Core
Any of the Versions can be installed as Server Core.
- Stripped-down version, no desktop.
- Administered from the command line and/or MMC.
- Can RDP to the server, but must use the command shell/line.
- Reduced attack surface.
- Lower hardware requirements because fewer components are installed.
- Does not support PowerShell commands directly (they can be run remotely against a Core install via WMI). It is possible to run Script Host scripts.
- Can run regedit and Notepad. Can also invoke the Date Control Panel (control timedate.cpl) and the International Settings Control Panel (control intl.cpl).
- oclist.exe - lists all server roles installed and available for install
- ocsetup.exe - add or remove server roles
  - ocsetup.exe IIS-WebServerRole
  - ocsetup.exe /uninstall IIS-WebServerRole (make sure all the role's services are shut down prior to attempting)
- Not possible to upgrade Server Core version to full version.
- IIS supported but no .NET Framework.
- AD Cert Svcs, AD Federation Svcs, Windows Deployment Svcs
not available in initial release but may in later SP.
- Windows 2003 cannot be updated to Server Core.
Installing 2008
- You can enter the product key early in the install process to determine which version of the OS you are installing.
- Consider waiting to activate in case you need additional memory or hardware. You have a 30-day activation grace period.
- You can install from DVD, PXE (Automated Server Deployment) install, or using a Windows Preinstallation Environment (Windows PE) with the OS sys files on a network share to perform a network installation. Windows PE is a free tool that you can download from Microsoft: http://technet.microsoft.com/en-us/windowsvista/aa905120.aspx
- Installs normally come without Hyper-V. Hyper-V can be installed, but the install files must be downloaded from Microsoft.
Upgrading from 2003
- No cheaper upgrade version of 2008 is available.
- Must be initiated from within 2003 SP1 or later (or 2003 R2), not from the install media.
- All versions of 2003 go to the similarly named versions of 2008, except 2003 Standard, which can go to 2008 Standard or Enterprise.
- x32 must go to x32. x64 must go to x64.
- It is possible to install 2008 to a separate partition.
- Make sure to do a full backup before an upgrade or fresh installation.
- A compatibility check is run prior to initiating the upgrade process.
- Choose to upgrade when a significant amount of customization would be required post-install that cannot be done by simply restoring backed-up data.
- Implementing BitLocker is very difficult on top of an upgrade.
- Windows 2003 cannot be updated to Server Core.
Bitlocker
Full volume encryption and an integrity-checking mechanism to ensure the boot env hasn't been tampered with.
- If the BitLocker keys for a server are lost and the boot env is compromised, data stored on the svr will be unrecoverable.
- For integrity checking, BitLocker requires that the computer have a chip and BIOS capable of supporting Trusted Platform Module (TPM) 1.2 or later. In these cases, if startup components change (BIOS, Master Boot Record, Boot Sector, Boot Manager, Windows Loader) then volumes are locked, and cannot be unlocked without the correct digital keys.
- Advised that you disable BitLocker during maintenance that will update startup components. Otherwise you need to recover with the 48-character recovery password that is generated during BitLocker setup. The pw is stored separately or directly in AD (recommended for enterprise environments).
- Without TPM (and a TCG-compatible BIOS), the key is stored on removable USB memory that has to be present, and supported by the BIOS, each time the computer starts up.
Bitlocker Volume Config
- You need to create a separate 1.5 GB partition and format it before installing the 2008 OS if the system might need BitLocker in the future. If you have to install BitLocker in the future without doing this, it will take many hours of reconfig work.
- This makes an upgrade from 2003 with a BitLocker installation difficult.
Bitlocker Group Policies
Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption node in a 2008 Group Policy object.
- For non-TPM you can use the Control Panel Setup: Enable Advanced Startup Options policy. With TPM, this CP can be used to require that a startup code be entered.
Other policies include:
- BitLocker Backup to AD.
- CP Setup: Configure Recovery Folder (where recovery keys are stored).
- CP Setup: Configure Recovery Options (disable recovery pw and key - if both are disabled, backup to AD must be enabled).
- Configure Encryption mode (properties of the AES used).
- Prevent Memory Overwrite on Restart (speeds up restarts, but increases the risk of BitLocker being compromised).
- Configure TPM Platform Validation Profile.
EFS vs. Bitlocker
- Encrypting File System encrypts files or folders for different users.
- BitLocker encrypts the whole hard drive or partition, but is transparent to a valid user.
Turning off Bitlocker
You can disable (e.g. for a BIOS upgrade) or decrypt (this takes a while).
- Disabling causes the plaintext key to be written to the hard drive. The computer is insecure while disabled. When BitLocker is re-enabled, the plaintext key is removed.
Installing partition for BitLocker
Choose to repair the computer instead of a straight install, go to a command prompt, and run:
diskpart
select disk 0
clean
create partition primary size=1500
assign letter=S
active
create partition primary
assign letter=C
exit
format c: /y /q /fs:NTFS
format s: /y /q /fs:NTFS
Group Policy commands (general)
gpupdate /force - forces group policy updates to replicate to all AD servers
Quick commands
net start telnet (start the telnet server)
net stop telnet
Promoting server to domain controller
dcpromo - copies the files necessary before promoting to a DC.
Automated Server Deployment
Answer Files
- Windows System Image Manager (SIM), included in the Windows Automated Installation Kit (Windows AIK or WAIK), can create the XML file (usually autounattended.xml). The file can be saved on any accessible volume (including USB) during installation. Install will look for it...
- The \Sources\install.wim file in the Windows install media has all the settings for an install. Should be able to open this with Windows SIM. If you're going to modify it, copy it to a temp directory.
- To modify, right click on the Components or Package in the Windows Image section, and select Add Setting to Pass x yyyyy to be able to edit. (Double click on the element in the Credentials/Settings section.)
- Windows PE can be used to link to a share and run setup.exe /unattend:x:\autounattended.xml.
Windows Deployment Services
WDS
- A role that can be added to a 2008 svr to allow remote deployment of Windows OSes.
- Needs a PXE network card (or could use another method such as Windows PE).
- client has to be authorized
- multicast has to be configured on the network (so multiple PCs can be installed simultaneously)
- an autounattended.xml on the WDS server will allow the install to run with no prompts from the admin/installer.
- WDS needs to be installed on a computer in an AD domain. A DNS server is required.
- An authorized DHCP svr needs to be present on the network. If the DHCP svr is on the WDS svr, configure the WDS svr to not listen on port 67. Also make sure to add option tag 60 for DHCP, so PXE clients can detect the presence of the WDS server.
- An NTFS partition needs to be available to store OS images.
- Cannot be run on a Server Core install.
- Configured by the WDS Config Wizard or WDSUtil.exe.
Configuring
- You can configure the autounattended.xml filename in the Client tab.
- Multicast ranges, ports, and bandwidth used are configured in the Network Settings tab.
- You can configure PXE response settings (all, only AD pre-staged computers, none).
- You can schedule multicast transmission of an OS to occur at a particular time. Remember that this needs an answer file, otherwise it will stall waiting for input.
- auto-cast means the multicast transmission starts as soon as a client requests an install image.
- install (e.g. install.wim) images and boot (e.g. boot.wim) images are usually located in the \Sources directory.
- Make sure to have different images (e.g. x64 and x86 from different arch-specific install media).
- install images can be:
  - basic boot image
  - capture image - boot image prepared with the sysprep utility, capturing a reference computer's image for deployment with WDS.
  - discover images - deployed to computers that are not PXE-enabled. Written to CD, DVD, or USB and the computer is booted off of the media (traditional method of using WDS).
Product activation
Consider using volume activation during WDS deployment.
- Multiple Activation Key (MAK) - activate a specific # of computers from an activation pool. Can use MAK Proxy Activation (proxy the request through MS activation svrs), or MAK Independent Activation (each computer activates independently through MS activation svrs).
- Key Mgmt Svcs (KMS) - KMS is installed on a local server, and computers in the environment connect to that computer to perform activation. Recommended to have 2 KMS svrs deployed, with one acting as backup. KMS requires at least 25 computers, and they must reconnect to the KMS server every 180 days.
- If you have no Internet connectivity (for MAK), or fewer than 25 computers (for KMS), then you will need to activate each system over the telephone.
Rollback
- During 2008 installation, once a successful login has occurred, you cannot roll back. At this point, the only rollback is to reformat and restore the 2003 backups you took.
- You could also deploy 2003 in 2008's virtualization feature.
Upgrade Precautions
- Perform an Automated System Recovery (ASR) backup of the 2003 computer.
- Perform a full backup of all data, incl. sys state data.
- Have a plan to roll back the upgrade ready (ASR application, restore sys state and user data, install extra apps).
APIPA
NOTE: APIPA (Automatic Private IP Addressing, AutoNet) - DHCP failover mechanism in Windows - generates an address in 169.254.0.0/16 (subnet mask 255.255.0.0). Only good for isolated nets - can't be routed.
IPv6
Some of the IPv6 material came from Pearson's CCNA Routing and Switching 200-101 Complete Video Course.
IPv6 = 128 bits = 16 bytes = 2^128 addrs = about 667 x 10^21 (667 sextillion) addresses for every square meter of the earth's surface (if not subnetted or reserved, etc.)
vs
IPv4 = 32 bits = 4 bytes = 2^32 addrs (just over 4 billion)
- 5 x 10^28 addrs for each person on the planet
- 5 fields in the header (vs 12 in the IPv4 header)
- No broadcast, but there is an all-nodes multicast
- security and mobility features built in
- no fragmentation: MTU discovery performed for each session
- Can co-exist with IPv4 during migration - dual stack, IPv6 over IPv4
- 64-bit host portion (interface ID) can be auto-generated from the network adapter hardware (Ethernet MACs are 48 bits...)
- IPv6 stateless addresses: hosts on a link auto-configure themselves with IPv6 addrs, optionally derived from prefixes advertised by lcl rtrs.
- IPv6 and IPv4 headers are not compatible.
- IPv6 header is 2x as large as the IPv4 header. Optional fields are placed in extension headers.
- IPv6 global addresses are set up to aggregate well.
- IPv6 IPSec is mandatory, standardized, and interoperable between implementations (?).
- QoS is not affected by encryption (e.g. ESP). Payload ID is included in the Flow Label field.
- Neighbor Discovery (ND) replaces IPv4 ARP, ICMPv4 Rtr Disc, and ICMPv4 Redirect msgs with a more efficient protocol for mgmt of the interaction of nodes on the same link (neighboring nodes).
- Improved pkt handling
- Increased scalability and longevity
- QoS mechanisms
- Integrated security
- Header format simplification - faster packet handling
- Improved support for extensions and options
IPv6 addresses
8 16-bit groups (double bytes or words), each written as 4 hex digits
XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX
21cd:0053:0000:0000:03ad:003f:af37:8d62
is the same as
21cd:53:0:0:3ad:3f:af37:8d62 (leading zeros removed)
is the same as
21cd:53::3ad:3f:af37:8d62 (a run of contiguous zero groups replaced with two colons - can only be used once in an addr)
ff06::2 is the same as ff06:0:0:0:0:0:0:2
NOTE: Site ID is %1 or %2 or whatever # follows the address. ???
NOTE: Zone ID is %1 or %2 or whatever # follows the addr, but with ???
Network Prefixes
first part of the address: the subnet prefix/id.
- 21cd:53::/64 contains 21cd:53::3ad:3f:af37:8d62
- multinetting - multiple subnets on the same link
Address Types
rfc2373.txt has info on IPv6 addr structure and architecture.
http://www.rfc-editor.org/rfc/rfc3879.txt (Deprecating Site Local)
http://www.ietf.org/rfc/rfc4291.txt (IPv6 Addressing Standards)
http://en.wikipedia.org/wiki/Unique_local_address
Quick address type map
0:0:0:0:0:0:0:1 (::1) - loopback
0:0:0:0:0:0:w.x.y.z (::w.x.y.z) - IPv4-Compatible addr - IPv4 addr used as an IPv6 dest; encapsulate in an IPv4 header and send to the dest using the IPv4 infra.
0:0:0:0:0:ffff:w.x.y.z (::ffff:w.x.y.z) - IPv4-Mapped addr - represents an IPv4-only node to an IPv6 node. The IPv4-mapped addr is never used as the source or dest of an IPv6 packet.
2000:: to 3fff:ffff:.... - unicast global - like IPv4 public unicast addrs
2001::/32 - Teredo addr - used to be 3ffe:831f::/32
2002::/16 - 6to4 addr
fe80:: to fe80:ffff:.... - unicast link-local - like APIPA (169.254.0.0/16). NOT ROUTABLE?
fec0:: to fec0::ffff:ffff:ffff:ffff:ffff - unicast site-local (deprecated) - like IPv4 private addrs (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
fc00:: to fd00::ffff:ffff:ffff:ffff - unicast/unique local addressing - like IPv4 private addrs (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
0200:: to 03ff:ffff:.... - NSAP - OSI (e.g. connecting equip to an ATM net)
0400:: to 07ff:ffff:.... - IPX - no longer used. Novell supports TCP/IP.
ff..:: - multicast
  - ff0.:: - well-known
  - ff1.:: - transient
  - 4th digit: 1 - node-local, 2 - link-local, 5 - site-local, 8 - organizational, E - global
  - ff02::1:ff00:0/104 + the low 24 bits of the IPv6 addr is the solicited-node multicast addr
unicast addr prefix + 0s - subnet-router anycast addr
unicast - a single interface. Multiple interfaces using the same addr can occur as long as the interfaces appear as one interface (used for load-balancing systems).
- unicast global
- link-local
- Unique Local Address
Loopback/localhost
::1 - all zero bits except the final 1 bit - like 127.0.0.1
Unspecified
:: - all 128 bits are 0
used when checking a link-local address with DAD (Duplicate Address Detection) - the Neighbor Solicitation's source addr is ::
Same for the Router Solicitation message
Solicited-Node Multicast Address
FF02::1:FF (104 bits) followed by the last 24 bits of the IPv6 addr
Used to learn a MAC addr (like an IPv4 ARP broadcast) in neighbor discovery
also Duplicate Address Detection (DAD) for link-local
EUI-64 - Extended Unique Identifier
48-bit MAC address based
0013.2be4.9b60 - take the MAC addr
0013.2bff.fee4.9b60 - stick fffe in the middle
0213.2bff.fee4.9b60 - flip the 7th bit (the universal/local bit)
0213:2bff:fee4:9b60 - colon format for the IP addr
fe80::213:2bff:fee4:9b60 - append to the link-local prefix
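The EUI-64 walk-through above, and the solicited-node address derived from its result, as added example code (mine, not the book's or Cisco's); the MAC is the one from the notes, the function names are my own.

```python
import ipaddress

LINK_LOCAL_PREFIX = 0xFE80 << 112            # fe80::/64, the upper 64 bits of the address
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def mac_to_modified_eui64(mac):
    """48-bit MAC -> 8-byte modified EUI-64 interface identifier.

    Accepts Cisco dotted (0013.2be4.9b60), colon or hyphen separated MACs.
    The steps are exactly the ones walked through in the notes.
    """
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError("MAC must be 12 hex digits: %r" % mac)
    oui, nic = bytes.fromhex(digits[:6]), bytes.fromhex(digits[6:])
    eui = bytearray(oui + b"\xff\xfe" + nic)   # stick fffe in the middle
    eui[0] ^= 0x02                             # flip the 7th bit (universal/local bit)
    return bytes(eui)


def eui64_groups(eui):
    """Render the 8-byte identifier as four colon-separated 4-digit hex groups."""
    return ":".join("%04x" % int.from_bytes(eui[i:i + 2], "big") for i in range(0, 8, 2))


def link_local_from_mac(mac):
    """fe80:: + modified EUI-64 -> the interface's link-local address."""
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(LINK_LOCAL_PREFIX | iid)


def solicited_node_multicast(addr):
    """ff02::1:ff00:0/104 with the low 24 bits of the unicast address appended."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def mac_from_eui64_link_local(addr):
    """Reverse the derivation: recover the MAC when the IID carries the fffe marker.

    Returns None for identifiers that were not built from a MAC (e.g. random
    privacy addresses), so a defender reading logs knows which hosts leak
    their hardware address in their IPv6 addresses.
    """
    iid = int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFFFFFFFFFF
    eui = bytearray(iid.to_bytes(8, "big"))
    if eui[3:5] != b"\xff\xfe":
        return None
    eui[0] ^= 0x02                             # undo the universal/local flip
    mac = bytes(eui[:3] + eui[5:])
    return "%s.%s.%s" % (mac[:2].hex(), mac[2:4].hex(), mac[4:].hex())


if __name__ == "__main__":
    mac = "0013.2be4.9b60"                     # the MAC used in the notes
    ll = link_local_from_mac(mac)
    print(eui64_groups(mac_to_modified_eui64(mac)))   # 0213:2bff:fee4:9b60
    print(ll, solicited_node_multicast(ll), mac_from_eui64_link_local(ll))
```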
IPv6 Auto configuration
- stateful autoconfig - use DHCPv6 - client sends a solicit multicast msg - dest ff02::1:2 (all DHCPv6 servers)
  client (LL: fe80::AAAA)                              dhcpv6 server (LL: fe80::BBBB)
  ---solicit (src fe80::AAAA, dst ff02::1:2)--------->
  <--advertise (src fe80::BBBB, dst fe80::AAAA)------
  ---request (src fe80::AAAA, dst fe80::BBBB)-------->
  <--reply (src fe80::BBBB, dst fe80::AAAA)----------
- stateless autoconfig - get the ipv6 addr and params from an ipv6 rtr
  client (LL: fe80::AAAA)                              ipv6 rtr (LL: fe80::CCCC)
  --neighbor solicitation (src ::, dst ff02::1:ff00:AAAA)--> (dst is the Solicited-Node Multicast Addr; this is DAD)
  <-------------no response (hopefully)-------------------
  ------rtr solicitation (src ::, dst ff02::2)-----------> (dst is the all-routers multicast addr)
  <---rtr advertisement (src fe80::CCCC, dst ff02::1)----- (dst is the all-nodes multicast addr)
  (rtr adv incl the global network we're on, subnet, gw, etc.)
  (node appends its eui-64 addr to the global network prefix, and away we go)
ipv6 traff flows
- unicast - 1-to-1
- multicast - ff - 1-to-many
- Anycast - 1-to-nearest communication - the rtr determines the nearest device
- Site-Local - equivalent to IPv4 private addrs (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  - FP fec0 followed by 32 zeros then a 16-bit subnet ID (fec0:: to fec0::ffff:ffff:ffff:ffff:ffff)
  - can be allocated by DHCPv6 or other stateful config. Host will use it when router advert msgs do not include prefixes, or if no rtrs are present.
  - addr config can be a combo of stateful and stateless when rtr advert msgs incl stateless addr prefixes, but require that hosts use a stateful addr config protocol.
  - check out http://www.microsoft.com/technet/technetmag/issues/2007/08/CableGuy
- Special
  - Unspecified - 0:0:0:0:0:0:0:0 (or ::) - absence of address. Same as 0.0.0.0.
  - Loopback - 0:0:0:0:0:0:0:1 (or ::1) - the local host. Same as 127.0.0.1.
  - NSAP and IPX
    - 0200:: to 03ff:ffff:ffff:ffff:ffff:ffff:ffff:ffff is NSAP (used for OSI (e.g. connecting equipment to an ATM net)).
    - 0400:: to 07ff:ffff:ffff:ffff:ffff:ffff:ffff:ffff is IPX. Not used (Novell uses TCP/IP now).
multicast
multiple interfaces. Delivered to all interfaces identified by the addr.
Starts with ff00::/8
+---8 bits---+-4 bits-+-4 bits-+-------------112 bits-------------+
| 1111 1111  | Flags  | Scope  |            Group ID              |
- FP 1111 1111 (ff00:: to ffff:....)
- 008 bits: 1111 1111
- 004 bits: flags
  - Cisco says 0RPT
    - 0 - reserved and set to 0
    - R - if set to 1, P and T must be set to 1; indicates there is a Rendezvous Point (RP) addr embedded in the multicast addr (RP used with PIM sparse mode (PIM - Protocol Independent Multicast))
    - RP - router which forwards multicast traffic to routers asking to receive the traffic
  - Microsoft says the only flag currently defined is transient (T)
    - low-order field bit. Set to 0 - mult addr is well known, assigned by IANA. Set to 1 - mult addr is transient.
- 004 bits: scope
  0 - Reserved
  1 - Node/Interface-local
  2 - Link-local (e.g. APIPA) (e.g. FF02::1 all nodes in link-local scope; FF02::2 all routers in link-local scope)
  4 - Admin-local (e.g. 192.168.0.0/16)
  5 - Site-local (e.g. 192.168.0.0/16)
  8 - Organization-local
  E - Global
  F - Reserved
- 112 bits: group id
  - transient group ids are relevant to a specific scope
  - permanently assigned group IDs are independent of scope
  - ff01:: through ff0f:: are reserved, well-known addresses.
  - rfc2373 recommends assigning the group ID from the low-order 32 bits of the IPv6 multicast addr, and setting the rest of the group ID bits to 0.
  - read rfc2373 for more info on assigning group IDs.
  - Solicited-Node Multicast Addr - to resolve link-local (fe80, like IPv4 APIPA 169.254 addrs), IPv6 uses an ND msg with the solicited-node multicast addr ff02::1:ff00:0/104 with the last 24 bits of the IPv6 addr being resolved. This becomes a pseudo-unicast addr for efficient addr resolution. (Remember: MAC addr becomes Int ID, becomes solicited-node addr?)
ff01:: is multicast|well-known|Node-local
ff15:: is multicast|transient|Site-local
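The field layout above (8-bit FP, 4-bit 0RPT flags, 4-bit scope, 112-bit group ID) as an added decoder (example code, not from the book); it reproduces the notes' two one-line summaries and recognizes the solicited-node range.

```python
import ipaddress

# Scope nibble values from the table in the notes (RFC 4291 section 2.7).
SCOPES = {
    0x0: "reserved", 0x1: "interface-local", 0x2: "link-local",
    0x4: "admin-local", 0x5: "site-local", 0x8: "organization-local",
    0xE: "global", 0xF: "reserved",
}
SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def decode_multicast(addr):
    """Split an ff00::/8 address into its flags, scope and group ID fields."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    if n >> 120 != 0xFF:
        raise ValueError("%s is not a multicast address (no ff00::/8 prefix)" % a)
    flags = (n >> 116) & 0xF               # 0RPT: bit 8 reserved, R=4, P=2, T=1
    scope = (n >> 112) & 0xF
    group_id = n & ((1 << 112) - 1)
    r_flag, p_flag, t_flag = bool(flags & 0x4), bool(flags & 0x2), bool(flags & 0x1)
    if flags & 0x8:
        raise ValueError("high-order flag bit is reserved and must be 0")
    if r_flag and not (p_flag and t_flag):
        raise ValueError("R flag set without P and T (RFC 3956 requires both)")
    return {
        "address": str(a),
        "transient": t_flag,                # T=0 well-known (IANA assigned), T=1 transient
        "prefix_based": p_flag,             # P: group ID derived from a unicast prefix (RFC 3306)
        "embedded_rp": r_flag,              # R: Rendezvous Point embedded (RFC 3956)
        "scope": SCOPES.get(scope, "unassigned (%x)" % scope),
        "group_id": group_id,
        "solicited_node": a in SOLICITED_NODE_PREFIX,
    }


def describe(addr):
    """One-line summary in the notes' own 'kind|flag|scope' style."""
    d = decode_multicast(addr)
    kind = "transient" if d["transient"] else "well-known"
    return "multicast|%s|%s" % (kind, d["scope"])


if __name__ == "__main__":
    for a in ("ff01::", "ff15::", "ff02::1", "ff02::2", "ff02::1:ffe4:9b60"):
        print(a, "->", describe(a), "solicited-node:", decode_multicast(a)["solicited_node"])
```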
anycast
multiple interfaces. Delivered to the nearest interface (e.g. by number of hops) identified by the addr. One-to-one-of-many communication; delivered to a single interface.
- taken from the unicast addr space; destination addresses only, scope is that of the unicast addr type, assigned only to routers.
- subnet-router anycast addr - subnet prefix plus remaining bits 0. Assigned to every router interface.
IPv4 to IPv6 transition strategy
rfc4213.txt - basic transition mechanisms
http://technet.microsoft.com/en-us/library/bb726951.aspx - MS IPv6 Transition Technologies
Dual Stack Transition
both stacks active in the net
Configured Tunneling Transition
IPv4 traffic carries (tunnels/encapsulates) IPv6 traffic while the IPv6 routing infra is under development. Point-to-point links between network endpoints.
- Configured tunnels are called explicit tunnels.
- A tunnel broker can manage tunnel requests coming from end users. See rfc3053.
Automatic Tunneling
IPv4-compatible addr within the IPv6 addr. The IPv4 infra carries IPv6 tunneled traffic without pre-configured tunnels. See rfc2893.
6to4
IPv6 nets use IPv4 to communicate with each other without explicit tunnels. IPv6 sites communicate with native IPv6 domains via relay routers. Treats the IPv4 Internet as a single data link. See rfc3056.
- 16 bits - 2002::/16 - FP
- 32 bits - IPv4 addr in hex notation
- 16 bits - subnet
- 64 bits - host address within the subnet
Teredo
enhancement of 6to4 supported by Windows Server 2008. Tunnels IPv6 in IPv4 UDP, so that an IPv4 NAT device can work. Requires svr and relay elements to assist. rfc4380.txt. http://www.microsoft.com/technet/network/ipv6/teredo.mspx.
- 32 bits - 2001::/32 - FP
- 32 bits - IPv4 pub addr of the Teredo server that assisted in config of the addr.
- 16 bits - flags. Only one currently set is the highest-order flag - the cone flag, set when the NAT connected to the Internet is a cone NAT.
- 16 bits - XORed (with 0xffff) external UDP port that corresponds to all Teredo traffic for the Teredo client interface. On the initial packet to the Teredo server, the NAT maps the source UDP port to a different ext UDP port. The XOR is done so the NAT cannot recognize and rewrite the embedded port.
- 32 bits - XORed (with 0xffffffff) external IPv4 addr that corresponds to all Teredo traffic for the client interface. Also done so the NAT cannot recognize and rewrite the embedded addr.
- 2001:0000:4136:e378:8000:63bf:3fff:fdd2
  - 2001:: - Teredo addr
  - 4136:e378 -> 41.36.e3.78 -> 65.54.227.120 - Teredo svr used
  - 8000 - cone flag is set
  - 0x63bf XOR 0xffff = 0x9c40 = port 40000
  - 0x3ffffdd2 XOR 0xffffffff = 0xc000022d -> c0.00.02.2d -> 192.0.2.45, public IPv4 addr on the NAT
- 2001::ce49:7601:e866:efff:f5ff:9bfe
  - 2001:: - Teredo address
  - ce49:7601 -> ce.49.76.01 -> 206.73.118.1 - Teredo svr used
  - e866 - cone flag (high bit) is set. The rest of the bits are randomized by MS.
  - 0xefff XOR 0xffff = 0x1000 = port 4096
  - 0xf5ff9bfe XOR 0xffffffff = 0x0a006401 -> 0a.00.64.01 -> 10.0.100.1, public IPv4 addr on the NAT
- Client - host with IPv4 connectivity to the Internet behind a NAT. Uses the Teredo tunneling proto to access the IPv6 Internet.
- Server - clients use it to detect the NAT, and maintain a binding on the NAT toward the server.
- Relay - remote end for the tunnel (across the Internet/IPv4 network)
- Teredo host-specific relay - runs on a particular host and services that host only.
ISATAP
(Intra-Site Automatic Tunnel Addressing Protocol) - views the IPv4 net as a link layer for IPv6, and other nodes on the net as potential IPv6 hosts or routers. Creates host-to-host, host-to-router, or router-to-host automatic tunnels.
- 64 bits - unicast link-local, site-local, global or 6to4 global prefix.
- 32 bits - 0:5efe
- 32 bits - IPv4 addr (can be written in dotted decimal or hexadecimal format).
- By default w2k8 configures fe80::5efe:w.x.y.z for each IPv4 addr.
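The three transition address layouts described above (6to4, Teredo, ISATAP) decoded by added example code (mine, not the book's or Microsoft's). The two Teredo inputs are the addresses worked in the notes; the 6to4 and ISATAP inputs are constructed, and the 200:5efe ISATAP variant (u/l bit set, RFC 5214) is accepted alongside the 0:5efe form the notes give.

```python
import ipaddress

TEREDO = ipaddress.IPv6Network("2001::/32")
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
ISATAP_MARKERS = (0x00005EFE, 0x02005EFE)   # 0:5efe, or 200:5efe when the u/l bit is set (RFC 5214)
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def _v4(n):
    """Render the low 32 bits of n as dotted-decimal IPv4."""
    return str(ipaddress.IPv4Address(n & MASK32))


def decode_teredo(addr):
    """2001::/32 | server IPv4 (32) | flags (16) | port ^ 0xffff (16) | client IPv4 ^ 0xffffffff (32)"""
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO:
        return None
    n = int(a)
    flags = (n >> 48) & 0xFFFF
    return {
        "server": _v4(n >> 64),
        "cone": bool(flags & 0x8000),                  # high-order flag bit
        "port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,         # undo the obfuscation
        "client": _v4((n & MASK32) ^ MASK32),
    }


def decode_6to4(addr):
    """2002::/16 | IPv4 addr (32) | subnet (16) | host (64)"""
    a = ipaddress.IPv6Address(addr)
    if a not in SIX_TO_FOUR:
        return None
    n = int(a)
    return {"ipv4": _v4(n >> 80), "subnet": (n >> 64) & 0xFFFF, "host": n & MASK64}


def decode_isatap(addr):
    """any 64-bit prefix | 0:5efe (32) | IPv4 addr (32)"""
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    if (n >> 32) & MASK32 not in ISATAP_MARKERS:
        return None
    prefix = ipaddress.IPv6Network((n >> 64 << 64, 64))
    return {"prefix": str(prefix), "ipv4": _v4(n)}


def classify(addr):
    """Name the transition mechanism an address belongs to, or 'native'.

    Useful when reviewing firewall or IDS logs: tunneled traffic carries
    the embedded IPv4 endpoints that a plain IPv6 view would hide.
    """
    for name, fn in (("teredo", decode_teredo), ("6to4", decode_6to4), ("isatap", decode_isatap)):
        fields = fn(addr)
        if fields is not None:
            return name, fields
    return "native", {}


if __name__ == "__main__":
    # the two Teredo addresses worked in the notes, plus constructed 6to4/ISATAP samples
    for a in ("2001:0000:4136:e378:8000:63bf:3fff:fdd2",
              "2001::ce49:7601:e866:efff:f5ff:9bfe",
              "2002:c000:204:1::1",                   # constructed: 6to4 for 192.0.2.4, subnet 1
              "fe80::5efe:192.0.2.4",                 # constructed: ISATAP link-local
              "2001:db8::1"):
        print(a, "->", classify(a))
```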
Commands/Tools
netsh interface ipv6 6to4
netsh interface ipv6 isatap
netsh interface ipv6 add v6v4tunnel "Remote" a.b.c.d w.x.y.z - create an IPv6-in-IPv4 tunnel between a.b.c.d and w.x.y.z on an interface named Remote
netsh interface ipv6 show address (level=verbose) - also shows site ids (%)
netsh interface ipv6 show interfaces (level=verbose)
netsh interface ipv6 show neighbors - IPv6 ints on the local subnet
Verifying connectivity
netsh int ipv6 show neighbors
netsh int ipv6 del neighbors
netsh int ipv6 show destinationcache
netsh int ipv6 del destinationcache
ping (or ping6)
Check rtr connect
ipconfig
netsh int ipv6 show route
route print
netstat -r
route check
tracert -d <ipv6 addr>
pathping -d <ipv6 addr>
dns problems
dnscmd
ipconfig
netsh int ipv6 show dnsservers
netsh int ipv6 add dnsserver
nslookup
Modifying route
netsh int ipv6 add route
netsh int ipv6 set route (modify existing route)
netsh int ipv6 del route
DHCPv6
- stateless - doesn't generate the IP addr (autoconfigured), but does specify the addr of the DNS server.
- stateful - specifies host addrs
- DNS svrs can be configured via DHCPv6 option 23 (DNS Recursive Name Server), or via a scope option (preferred when IPv6 addrs are not configured through rtr discovery).
- scope options override server options.
- DHCPv6 reqs and acks can pass through BootP-enabled rtrs and l3 switches.
- DHCP servers (especially 20-percent scopes) are good candidates for virtualization.
- In general, configure 2 DHCP servers per site to support the 80:20 rule.
Problems with ping/connect/route after a DHCP addr is acquired
on the win pc that can't connect:
netstat -rn (you'll likely see you don't have the route related to the dhcp addr)
netsh int ipv6 sh addr (note the interface # associated with the dhcp addr)
netsh int ipv6 add route fec0:0:0:fffe::/64 "8" publish=yes
fec0:... is the prefix. "8" is the interface # from the sh addr above
on the dhcp svr you may need to add:
netsh interface ipv6 set interface <server_interface> advertise=enabled man=en other=en
advertise=enabled - send router advertisements on this interface
man=en - enable managed addr config
other=en - enable other stateful configuration
DNS
- DNS zone data can be stored in either the domain or application directory partition of AD DS. It can also be stored in files (not recommended for primary DNS servers).
- stub zone - contains only the resource records to ID the authoritative DNS svrs for that zone (e.g. a child zone).
- fully compliant with the dynamic update protocol defined in rfc2136 and rfc3007.
- secure dynamic updates ensure only authenticated users with appropriate rights can update resource records. Only available for zones integrated with AD DS.
- win2003 introduced incremental zone transfers (e.g. to secondary DNS svrs).
- forwarders - forward queries that are unknown. Conditional forwarders - forward queries based on the domain name in the query (that are unknown).
- Forwarding requires that recursive queries be possible.
- Forwarding to externals allows firewalls to limit dns queries through the firewall.
- FQDN max len is 255 bytes. For DCs 155 bytes.
- internal DNS can forward external DNS requests to an external DNS server
- subordinate servers - do not try to resolve the request if they do not receive a valid resp to the forwarded DNS req. Typically these are used in conjunction with secure Internet conns.
DNS related commands
dnscmd - command line tool that can be used to manage and query a dns server
ipconfig /flushdns - clear the dns cache
ipconfig /registerdns - force name registration with DNS
ipconfig /displaydns - displays cached dns info
nslookup, then ls -d <domain> - get a zone transfer (security has to be set low)
netsh interface ipv6 show dnsservers - displays IPv6 DNS configs
dnscmd win2008svr1 /ZoneAdd 0.c.e.f.ip6.arpa /DsPrimary - add a (reverse) zone (AD integrated: /DsPrimary). Note an ipv4 reverse zone would be in in-addr.arpa
2008 dns features
- background zone loading - restarting accesses records quicker (the entire zone does not have to load). Needs to be stored in AD DS. Required data not already loaded will be queried (prior to complete load) when requests come in.
- Read-only domain controllers (RODCs)
  - If the server can't be secured.
  - Need to be part of the domain.
- Global single names - GlobalNames Zone (GNZ) - single-label name resolution for nets that don't deploy WINS. Used when DNS name suffixes can't be used.
  - GlobalNames zone supports single-label name res throughout a multiple-forest org - use SRV records to publish the zone location.
  - GlobalNames zone resolves names for a limited set of hosts, typically servers and web sites. No peer-to-peer res. No dynamic updates.
  - GlobalNames zone holds CNAME resource records which map a single-label name to an FQDN. Can contain RRs for names already statically configured in WINS.
  - WINS will likely be unsupported in the next server OS.
  - to enable GlobalNames support:
    dnscmd <server name> /config /enableglobalnamessupport 1
- IPv6 support
AD add-ons
RODCs
Read Only Domain Controllers
- Might do it for a remote office that needs to log on to the domain but doesn't have trusted IT staff to manage the domain.
- Might also do it for an application that needs to be on a DC with an admin to manage the application, but not the domain.
- Good for remote locations with relatively few users or no IT knowledge, inadequate phys security, low net bw, etc.
- A user's first login requires validation across the WAN. After that the RODC pulls the user's credentials so that further logons by the same user are validated locally. Have to permit this in the domain pw replication policy with respect to the RODC (against the computer account name in a (writable) DC).
- Functional level for AD with RODCs is (minimally) Windows 2003.
- Look up the following on technet or technet2
  - RODC filtered attribute set
  - Deploying an RODC
  - adprep /rodcprep command
- DNS servers on RODCs act as a secondary DNS - they do not auto-update DNS entries. Instead they refer them to a writable DC.
- RODC DNS can request only the updated record (doesn't need to grab the whole zone data/list).
- RODC and DNS may be virtualized. File and app svrs seldom are virtualized?
Planning RODC Implementation
- Must specify the Password Replication Policy on the computer account in the domain (e.g. from a DC via a domain admin)
AD Lightweight Directory Services?
LDAP server without the AD Directory Service (DS) tie-ins.
New and enhanced tools and wizards
- streamlines and simplifies AD DS.
- changes to MMC (e.g. easily locate DCs in a large ent ntwk, and config pw replication policy for RODCs).
- running the AD DS Installation Wizard - dcpromo, or even better dcpromo /adv to get access to advanced mode (non-advanced mode uses default settings...). Additional settings include:
  - select a specific DC for installation/initial replication of domain data
  - use bkup media from an existing DC to reduce the net traffic associated with initial replication.
  - create a new domain tree
  - change the default NetBIOS name
  - set forest and domain functional lvls when creating a new forest or domain.
  - config pwd rep policy on an RODC.
  - export settings to an answer file to use as a template for subsequent installs or uninstalls. The password will have to be manually put into the file (it won't be automatically saved) - recommended to put password=* in the answer file, and let the wizard prompt you for credentials.
- the wizard will let you force demotion of a DC started in Dir Svcs Restore Mode.
- You can delegate RODC install by creating the RODC account and delegating install and admin of the RODC to a user or security group. RODC delegated install and admin users can:
  - create the RODC by running dcpromo /UseExistingAccount:Attach, and administer the RODC without requiring admin rights to the rest of the domain or forest.
- AD Sites and Svcs snap-in includes a Find command on the toolbar and action menu, to discover the site in which a DC is placed. Can help you troubleshoot replication probs.
- Password repl policy page for the RODC can set these settings
- advanced button on the RODC computer account can see what pws have been sent to or are stored on the RODC and what accounts have authenticated.
Fine-grained password policies
- password and lockout policies can be customized for different users or
groups. Don't need a separate domain per policy any more.
- fine-grained password policies only work at the Windows Server 2008 domain
functional level (or higher).
- can only be applied to user objects or global security groups (or
inetOrgPerson objects).
- For password requirements to apply to computer accounts, use techniques such
as password filters; fine-grained password policies do not interfere with them.
- a Password Settings Object (PSO) linked directly to a user wins over PSOs
the user gets through group membership; among several group PSOs the one with
the lowest msDS-PasswordSettingsPrecedence value wins.
- 2 new object classes
- Password Settings Container (PSC, msDS-PasswordSettingsContainer)
- by default under the System container in the domain (enable Advanced
Features in AD Users and Computers/View to see it) - contains the
Password Settings Objects (PSOs, msDS-PasswordSettings).
- Domain Admins (by default) can create PSOs. Create a PSO by saving its
attributes in a text file with .ldf extension and importing it with the ldifde
command from the command console (or use the ADSI Edit MMC snap-in).
Look up "Creating PSOs" on TechNet.
- default password policy is in 'Default Domain Policy/Computer
Configuration/Policies/Windows Settings/Security Settings/Account
Policies/Password Policy'. It still applies to everyone not covered by a PSO.
- recommended password policies are
- admin policy with strict settings
- user policy
- service account policy with long password lengths and long password
ages (these passwords are seldom typed in).
- cannot apply PSOs to OUs directly. Consider using a shadow group
(a global security group that mirrors the OU's members) and link the PSO to it.
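Worked example of the ldifde route above, added here and not taken from the book: it writes a PSO for the Domain Admins group as an .ldf file, imports it, and then reads back the resultant PSO for one account. The PSO name (AdminPSO), the policy values and the user checked are assumptions; the domain DN is read from RootDSE.

```powershell
# Added example (not from the book): create a fine-grained password policy
# for Domain Admins with ldifde, then verify which PSO applies to a user.
# Durations in a PSO are stored as negative 100-nanosecond intervals (Int64);
# one .NET tick is 100 ns, so TimeSpan.Ticks gives the magnitude directly.
$domainDN = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
$pscDN    = "CN=Password Settings Container,CN=System,$domainDN"
$groupDN  = "CN=Domain Admins,CN=Users,$domainDN"   # assumed target group

function ToInterval([timespan]$t) { return "-$($t.Ticks)" }

# All ten mandatory msDS-PasswordSettings attributes must be present.
$ldf = @"
dn: CN=AdminPSO,$pscDN
changetype: add
objectClass: msDS-PasswordSettings
cn: AdminPSO
msDS-PasswordSettingsPrecedence: 10
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: 24
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: 15
msDS-MinimumPasswordAge: $(ToInterval ([timespan]::FromDays(1)))
msDS-MaximumPasswordAge: $(ToInterval ([timespan]::FromDays(30)))
msDS-LockoutThreshold: 5
msDS-LockoutObservationWindow: $(ToInterval ([timespan]::FromMinutes(30)))
msDS-LockoutDuration: $(ToInterval ([timespan]::FromMinutes(30)))
msDS-PSOAppliesTo: $groupDN
"@

$ldfPath = Join-Path $env:TEMP 'AdminPSO.ldf'
Set-Content -Path $ldfPath -Value $ldf -Encoding ASCII
ldifde -i -f $ldfPath                  # import; needs Domain Admins by default

# Verify on a member of the group. msDS-ResultantPSO is a constructed
# attribute, so it has to be requested explicitly via RefreshCache.
$user = [ADSI]"LDAP://CN=Administrator,CN=Users,$domainDN"   # assumed user
$user.psbase.RefreshCache([string[]]@('msDS-ResultantPSO'))
$user.psbase.Properties['msDS-ResultantPSO'].Value           # expect CN=AdminPSO,...
```

Lower precedence wins, so give the admin PSO a smaller number than any PSO applied to broader groups; otherwise an admin who is also in a "normal users" group ends up with the weaker policy.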
Restartable AD DS - AD DS runs as a service that can be stopped and started
without rebooting into DS Restore Mode (e.g. for an offline defrag).
AD DS data mining tool
- dsamain.exe - can expose a snapshot (or backup) of the AD DS database as an
LDAP server. Specify the LDAP port, LDAP-SSL port, GC port and GC-SSL port.
- deleted AD DS or AD LDS data can be preserved in snapshots
of AD DS taken by the Volume Shadow Copy Service (VSS). LDAP tools
such as ldp.exe can view the read-only data in the snapshots. This does
not recover deleted objects and containers - recovery is a subsequent
step. To recover:
- mount the snapshot and expose it as an LDAP server using dsamain.exe.
- browse it with ldp.exe
- note the OUs or objects you want to restore and record their attributes
and back-links (e.g. memberOf).
- Reanimate the objects using the tombstone reanimation feature, and manually
re-populate them with the stripped attributes and back-links as identified in
the snapshot.
The data mining tool lets you do this without restarting the DC in DS Restore
Mode.
- Be careful with security: a snapshot is a complete copy of the directory,
password hashes included, so anyone who gets a copy of it (or can bind to the
dsamain port) has everything a stolen ntds.dit would give them.
- ntdsutil.exe can be used to take regular snapshots of the volume containing
the AD DS database (snapshot / activate instance ntds / create).
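The snapshot/mount/dsamain/export sequence as one script, added here as an example and not from the book. It assumes the snapshot just created is index 1 in the list, that the mount lands under a C:\$SNAP_* directory, and that the objects of interest are in an OU called Sales; port 10389 is arbitrary. Run elevated on the DC.

```powershell
# Added example (not from the book): snapshot AD DS, mount it, expose it
# read-only through dsamain, export the attributes and back-links needed to
# re-populate a reanimated object, then tear everything down.
ntdsutil "activate instance ntds" snapshot create quit quit
ntdsutil snapshot "list all" "mount 1" quit quit      # index 1 is an assumption

# Mounted snapshots appear as C:\$SNAP_<timestamp>_VOLUMEC$ (assumed layout).
$mount = Get-ChildItem 'C:\' -Filter '$SNAP_*' | Sort-Object Name | Select-Object -Last 1
$dit   = Join-Path $mount.FullName 'Windows\NTDS\ntds.dit'

# dsamain stays in the foreground, so run it as a separate process.
$p = Start-Process dsamain -ArgumentList "-dbpath `"$dit`" -ldapport 10389" -PassThru
Start-Sleep -Seconds 10

# Export from the snapshot (not the live directory): memberOf is the back-link
# you lose on deletion and need to rebuild after tombstone reanimation.
$domainDN = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
$out = Join-Path $env:TEMP 'snapshot-sales.ldf'
ldifde -f $out -s localhost -t 10389 `
       -d "OU=Sales,$domainDN" -r "(objectClass=user)" -p subtree `
       -l "cn,sAMAccountName,userPrincipalName,memberOf,description"

# Clean up. The .ldf and the mounted snapshot expose directory contents:
# keep them on the DC and delete them when the recovery is done.
Stop-Process -Id $p.Id
ntdsutil snapshot "list all" "unmount 1" quit quit
```

By default dsamain only allows members of Domain Admins/Administrators to bind; leave /allowNonAdminAccess off unless there is a reason, since the snapshot port is an unaudited read of the whole directory.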
AD DS Auditing (expanded)
- prior to 2008 you could only set whether DS access was audited (one
policy, Audit directory service access). Now there are four subcategories:
- DS access
- DS changes (logs the old and new values of a modified attribute)
auditpol /set /subcategory:"Directory Service Changes" /success:enable
- DS replication
- detailed DS replication
- If enabled, events are logged in the Security event log.
- Specific events written to the Security log can initiate a task, such as
generating an alert or starting an executable (Event Viewer/Action/Attach
Task To This Event).
- System Access Control List (SACL) - the policy only turns the subcategory
on; an event is only generated for an object whose SACL carries a matching
audit entry (object's Properties/Security/Advanced/Auditing tab).
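Putting the three pieces together (policy, SACL, events), as an added example that is not from the book. The OU name is an assumption; run as a Domain Admin on a DC.

```powershell
# Added example (not from the book): enable "Directory Service Changes", add a
# Success audit entry for property writes to an OU's SACL, then pull the events.
auditpol /set /subcategory:"Directory Service Changes" /success:enable
auditpol /get /subcategory:"Directory Service Changes"     # confirm it took

$domainDN = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
$ou = [ADSI]"LDAP://OU=Servers,$domainDN"                  # assumed OU

# Ask ADSI for the SACL only; reading it needs SeSecurityPrivilege, which
# Domain Admins have on a DC.
$ou.psbase.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Sacl

# Audit every successful WriteProperty by anyone, inherited by child objects.
$everyone = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$ou.psbase.ObjectSecurity.AddAuditRule($rule)
$ou.psbase.CommitChanges()

# 5136 = object modified, 5137 = created, 5139 = moved, 5141 = deleted.
# A 5136 for a changed attribute is logged as a pair: "Value Deleted"
# (old value) and "Value Added" (new value).
wevtutil qe Security /q:"*[System[(EventID=5136 or EventID=5137 or EventID=5139 or EventID=5141)]]" /c:20 /rd:true /f:text
```

Watch the volume: auditing WriteProperty for Everyone on a busy OU generates a 5136 pair for every lastLogonTimestamp and servicePrincipalName churn, so scope the audit entry to the containers and attributes you actually care about.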
Planning Domain and Forest Functionality
- Windows Server 2008 functional level only supports 2008 DCs
- Windows Server 2003 level supports 2003 and 2008 DCs
- Windows 2000 native level supports 2000, 2003 and 2008 DCs (a 2008 DC cannot
join a Windows 2000 mixed or 2003 interim domain, the levels that still allow
NT 4 BDCs)
- member servers of any version are supported at any level.
- Domain functional level cannot be less than the forest functional level.
A 2008 domain can be in a 2000 forest, but not vice-versa.
- Raising a level is one-way on 2008; there is no lowering it afterwards.
Forest Level Trusts
every domain in one forest trusts every domain in the second forest
(transitive between the two forests, but not onward to a third forest).
- 1-way incoming (you have the resources), 1-way outgoing
(you have the users), or 2-way.
- Other types of trusts
- shortcut trust - a trust between two domains in the same forest that
shortens the trust path (avoids referrals up to the forest root and back down).
- external trust - non-transitive trust to a single domain in another forest
or to a Windows NT domain (a self-contained, autonomous unit).
- realm trust - trust a Unix realm that uses Kerberos authentication.
- You can choose Forest-Wide Authentication or Selective Authentication
(detail which groups of users can access the resources in question;
Selective is the least-privilege choice).
Implementing
- forest functional level of both forests needs to be 2003 or higher.
- ensure the forest's root domain can reach the root domain in the other
forest.
- domain names need to be resolvable in the other forest (DNS conditional
forwarders or stub zones).
- need to have an Enterprise Admin account available in each forest.
- AD Domains and Trusts/Properties (of the domain)/Trusts tab/New Trust
- Note: in W2K3 a forest trust can fail the confirmation process but still work.
Not sure if this is the same in W2K8.
AD Federation Services
server role - like a cross-forest trust that operates over the Internet and
extends the trust relationship to web apps.
- Web SSO technologies.
- digital identity and entitlement rights across security and enterprise
boundaries
- New 2008 features
- improved app support - SharePoint 2007, AD Rights Management Services
(AD RMS)
- improved install - new server validation checks
- improved trust policy - import and export functions help minimize config
issues
- conforms to the Web Services Federation (WS-Federation) spec.
- supports Security Assertion Markup Language (SAML) 1.1 and Kerberos.
- business logic can modify claims, using claim mapping.
- supports distributed authentication and authorization.
AD Reminders
FSMO Roles
- Schema master - controls updates and modifications to the schema. 1/forest.
Change it from (right-click) MMC/Active Directory Schema. Need to
regsvr32 schmmgmt.dll to get the Active Directory Schema snap-in.
- Domain naming master - controls add/remove of domains in the forest.
1/forest. Change it from (right-click) MMC/Active Directory Domains and Trusts.
- Infrastructure master - responsible for updating references from objects in
its domain to objects in another domain. 1/domain. Change it from
(right-click) MMC Active Directory Users and Computers/<domain>. Should not
sit on a GC unless every DC in the domain is a GC.
- Relative ID (RID) master - responsible for processing RID pool requests from
all DCs in the domain. 1/domain. Change it from (right-click) MMC Active
Directory Users and Computers/<domain>.
- PDC Emulator - Primary Domain Controller (PDC) and Domain Master Browser
(NetBIOS) for WinNT BDCs and older clients; also the domain's authoritative
time source and the DC that receives urgent replication of password changes
and lockouts. 1/domain. Change it from (right-click) MMC Active Directory
Users and Computers/<domain>.
Transferring/Seizing FSMO Roles
ntdsutil
roles
connections
connect to server <servername>
q (out of connections)
? (to list commands)
transfer <role> or seize <role>
q (to get out of fsmo maintenance)
q (to get out of ntdsutil)
Seize only when the current holder is permanently gone, and never bring that
DC back online afterwards without a metadata cleanup.
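Before transferring anything it helps to know who holds what. This added example (not from the book) reads the fSMORoleOwner attribute from the object that anchors each role, which is what netdom query fsmo does for you, and then shows the ntdsutil sequence above in its non-interactive form. The DC name DC2 is an assumption.

```powershell
# Added example (not from the book): locate the five role holders, then the
# one-line equivalents of the interactive ntdsutil transfer/seize sequence.
$root   = [ADSI]"LDAP://RootDSE"
$domain = [string]$root.defaultNamingContext
$config = [string]$root.configurationNamingContext
$schema = [string]$root.schemaNamingContext

# Each role is owned by one object's fSMORoleOwner attribute.
$anchors = @{
    'Schema master'         = $schema
    'Domain naming master'  = "CN=Partitions,$config"
    'PDC emulator'          = $domain
    'RID master'            = "CN=RID Manager`$,CN=System,$domain"
    'Infrastructure master' = "CN=Infrastructure,$domain"
}
foreach ($role in $anchors.Keys) {
    $obj  = [ADSI]"LDAP://$($anchors[$role])"
    # fSMORoleOwner is the DN of the holder's NTDS Settings object; the
    # server object is its parent, so the second RDN is the DC name.
    $ntds   = [string]$obj.fSMORoleOwner
    $server = ($ntds -split ',')[1] -replace '^CN=', ''
    '{0,-22} {1}' -f $role, $server
}
# Same answer with no script: netdom query fsmo

# Transfer (graceful; current holder must be online) or, if it is gone for
# good, seize. Role keywords: "schema master", "naming master",
# "infrastructure master", "RID master", "PDC". Run on/against the DC that
# should become the holder (DC2 here is an assumption).
ntdsutil roles connections "connect to server DC2" quit "transfer PDC" quit quit
# ntdsutil roles connections "connect to server DC2" quit "seize RID master" quit quit
```

Seizing the RID master while the old holder is still reachable is the dangerous case: two DCs handing out overlapping RID pools produce duplicate SIDs, which is why the old holder must stay off the network until its metadata is cleaned up.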
Group Policy
GP settings are contained in Group Policy objects (GPOs), linked to sites,
domains and OUs.
- OUs inherit from parent OUs; inheritance can be blocked on an OU.
- a GPO link can be set to Enforced ("No Override" in older tools), which
can't be blocked or overridden lower down; commonly used for security
policies.
- .adm files described GP settings from WinNT through W2K3 R2. W2K8 and
Vista replace this with:
type  | description             | central store location
.admx | language-neutral files  | C:\Windows\SYSVOL\domain\policies\PolicyDefinitions
.adml | language-specific files | C:\Windows\SYSVOL\domain\policies\PolicyDefinitions\en-US
- You need to create the central store location manually. It will be
replicated to all DCs with SYSVOL (Distributed File System Replication, DFSR,
or FRS if SYSVOL has not been migrated), so all admins that edit domain-based
GPOs see the same set of ADMX files.
- Policies defined by .admx files write to the registry. Test
before deploying on the production network; test with sample files
that do not affect the registry until you are confident with ADMX syntax
(search for .admx sample files on Microsoft download sites).
- The .admx schema defines the syntax for ADMX files. Download the schema
from Microsoft.
Download schema from Microsoft
- To display ADMX files under a single category node in Group
Policy Object Editor, you need to create custom base file.
Search for 'Creating a Custom Base ADMX File' on Technet.
- admx
file contains:
- XML declaration
- PolicyDefinitions
element
- PolicyNamespaces
element
- Resources
element - specifies reqs for lang-specific resources.
- SupportedOn
element - refs localized text strings defining OSes or apps affected by
specific policy setting.
- Categories
element - specifies the categories under which the policy settings in the
file will be displayed in the GPO editor. A duplicate of a category name
that exists in another ADMX file produces a duplicate node.
- Policies
element - contains ind policy setting defs.
- adml
file contains:
- XML declaration
- PolicyDefinitionResources
element
- Resources
element - contains StringTable element and PresentationTable element
for specific language.
SAMPLE ADMX and ADML files.
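A minimal working pair, added here as an example (not from the book), written straight into the central store described above. It defines one Machine policy that toggles a DWORD under a hypothetical Software\Policies\Contoso key, so applying it touches nothing Windows reads; the domain name is taken from the local machine and the Contoso namespace, category and key are assumptions.

```powershell
# Added example (not from the book): create the central store and drop in a
# one-policy ADMX/ADML pair. Key and namespace are made up for illustration.
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"
New-Item -ItemType Directory -Force -Path "$store\en-US" | Out-Null

# Single-quoted here-string so the $(string.x) references stay literal.
$admx = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="contoso" namespace="Contoso.Policies.Example" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <supportedOn>
    <definitions>
      <definition name="SUPPORTED_Win2008" displayName="$(string.SUPPORTED_Win2008)" />
    </definitions>
  </supportedOn>
  <categories>
    <category name="Contoso" displayName="$(string.Contoso)" />
  </categories>
  <policies>
    <!-- Enabled writes 1, Disabled writes 0, Not Configured removes the value -->
    <policy name="ExampleSetting" class="Machine"
            displayName="$(string.ExampleSetting)" explainText="$(string.ExampleSetting_Help)"
            key="Software\Policies\Contoso" valueName="ExampleSetting">
      <parentCategory ref="Contoso" />
      <supportedOn ref="SUPPORTED_Win2008" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@

$adml = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <displayName>Contoso example</displayName>
  <description>Strings for Contoso.admx</description>
  <resources>
    <stringTable>
      <string id="SUPPORTED_Win2008">At least Windows Server 2008</string>
      <string id="Contoso">Contoso</string>
      <string id="ExampleSetting">Enable Contoso example setting</string>
      <string id="ExampleSetting_Help">Sets HKLM\Software\Policies\Contoso\ExampleSetting to 1 (Enabled) or 0 (Disabled).</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
'@

Set-Content -Path "$store\Contoso.admx"       -Value $admx -Encoding UTF8
Set-Content -Path "$store\en-US\Contoso.adml" -Value $adml -Encoding UTF8

# The GPO editor silently refuses malformed files; at least prove they parse.
[xml](Get-Content "$store\Contoso.admx")       | Out-Null
[xml](Get-Content "$store\en-US\Contoso.adml") | Out-Null
```

Every string id referenced from the .admx must exist in the .adml for the editor's language, and the .adml file name must match the .admx name; a missing id shows up as an error when the Administrative Templates node is expanded rather than as a broken policy.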
- GPs are processed in 2 groups:
- Core processing
- can the client reach a DC
- have the GPOs changed
- which policy settings to process
- Client-side extension (CSE) processing
- a specific CSE processes (and has its own rules for) the settings in each
category; the core GP engine calls the CSEs required. Categories
include:
- Admin templates
- security settings
- folder redirection
- disk quota
- software installation.
- You can add comments to starter GPOs or ordinary GPOs, and secondary
comments to individual settings. You can filter by either setting
or comment.
Some new GP settings in W2K8
- Allow Remote Start of Unlisted Programs - (computer based) in a Terminal
Server remote session. If restricted, use TS RemoteApp Manager
to create the allowed list.
- Allow Time
Zone Redirection - (user based) clients modify Terminal
Server remote session chars.
- Always show
desktop on connection - (user based) - RDC/Terminal
Services based.
- Disk Diagnostic: Configure Custom Alert Text - (computer based) - requires
that Desktop Experience (Server Manager/Add Features) be installed. SMART
faults generate the custom message. Search for "Self-Monitoring, Analysis,
and Reporting Technology."
- Disk Diagnostic: Configure Execution Level - (computer based) - requires
Desktop Experience - notifies users of SMART faults, and guides them through
backup and recovery procedures.
- Do Not Allow
Clipboard Redirection - (user based) - disables clipboard
sharing - Terminal Services based.
- Do Not Display Initial Configuration Tasks Window Automatically At Logon
- (computer based)
- Do Not Display Server Manager Page At Logon - (computer based).
- Enforce Removal of Remote Desktop Wallpaper - (computer based) -
Terminal Services.
- Group Policy
Management Editor -
(user based) - toggles whether Group Policy Management Editor snap-in
can be used. Otherwise 'Restrict Users To The Explicitly
Permitted List of Snap-Ins' kicks in.
- Group Policy Starter GPO Editor - (user based) - toggles
whether the GP Starter GPO Editor snap-in can be used.
- Redirect Only The Default Client Printer - (2 versions - user and
computer based)
- Set The
Number of Retries for Password Sync Servers (computer
based)
- Set The Retry
Interval For Password Sync Servers (computer based)
- Set Update
Interval for NIS Subordinate Servers (computer based) -
NIS maps being pushed to NIS sub svrs. Search for NIS and
SNIS.
- Use TS
Session Broker Load Balancing (computer based) - new users
redirect to svr in farm with fewest sessions. Search for TS
Session Broker and TS farms.
- Turn On
Extensive Logging For Password Sync Servers (computer
based)
- Turn On
Extensive Logging For Domain Controllers Running Server for NIS.
- Turn On The
Windows To NIS Password Sync For Migrated Users For Password Sync
Servers (computer based) - for UNIX users migrated to AD.
- Use Terminal
Services Easy Print Driver First (2 vers - user and
computer based) - install all client printers?
Starter GPOs
- in GPMC, locate the Starter GPOs container in the left-hand pane.
- right-click the Starter GPOs container, select New
- configure GPOs in the container as you would configure any GPO (only
Administrative Templates settings available)
- stored in a folder on the DC (default C:\Windows\SYSVOL\domain\StarterGPOs).
Replicated to other DCs as part of SYSVOL replication.
- to create a new GPO from a starter, right-click the starter GPO and
select New GPO From Starter GPO.
- starter GPOs are not backed up when you click Back Up in GPMC. Need to
back them up separately by right-clicking the Starter GPOs container and
selecting Back Up All, or right-click each starter GPO and select Back Up.
Troubleshooting Group Policy
- make sure network connectivity exists, the client having issues has
joined the domain, and has the correct system time (Kerberos tolerates
5 minutes of skew by default).
- check that the domain infrastructure is correctly planned and implemented.
- make sure the following are not affecting normal GPO processing:
- security filtering
- Windows Management Instrumentation (WMI) filters
- Block Inheritance setting
- Enforced (no-override) links
- loopback processing
- slow-link settings
- GPResult.exe - verifies policy settings for a specific user or computer
(gpresult /r; /v for verbose, /x or /h for an XML/HTML report).
- GPOTool.exe - checks GPOs for consistency on each DC in the domain.
- Reporting function in GPMC. Look for answers to:
- Is the GPO applied?
- Is the setting listed in the Group Policy Results report?
- Is the GPO listed in the Denied list (and for what reason: filtering,
disabled link, empty GPO)?
- Check logs - Event Viewer/Applications and Services
Logs/Microsoft/Windows/Group Policy/Operational.
- If core processing does not happen, CSE processing does not begin and
Group Policy does not apply.
- Check that the GPO is linked to the user's or computer's site, domain or OU.
- Has replication occurred (both the AD part and the SYSVOL part of the GPO)?
Do a gpupdate /force if necessary.
- ensure that the client computer can connect to a DC, and that IP,
DNS and DHCP are configured and running.