Windows 2008 notes

These notes taken from Microsoft Windows Server Administration book.

Table of Contents

HW Reqs

1 GHz x86 or 1.4 GHz x64, rec 2GHz+
512M, rec 2G
15G Disk (30G for upgrade), rec 40G


Standard targetted at small to medium sized businesses
  • x86 32-bit ver -4G mem max,up to 4 procs in SMP config.
  • x64 64 bit ver - 32G mem max,up to 4 procs in SMP config.
  • Supports Netwrk Load Balancing clusters, but no failover clustering
Enterprise targetted at large businesses.
  • adds Failover Clustering - allows another svr to service client requests in event original svr fails
  • adds AD Federation Services - allows ID federation between organizations (e.g. to allow access to local svcs)
  • x86 32-bit ver - 64G mem max,up to 8 procs in SMP config.
  • x64 64 bit ver - 2TB mem max,up to 8 procs in SMP config.
Datacenter targetted at very large businesses. only available through OEM mfgs.
  • adds unlimited virtual image rights (e.g. for consolidating svrs).
  • x86 32-bit ver - 64G mem max,up to 32 procs in SMP config.
  • x64 64 bit ver - 2TB mem max,up to 64 procs in SMP config.
Web designed to function as web app svr. Other roles not supported. Does not support higher powered hw configs of other versions of win2008 svr.
  • x86 32-bit ver - 4G mem max, up to 4 procs in SMP config.
  • x64 64-bit ver - 32G mem max, up to 4 procs in SMP config.
Itanium Designed for Intel Itanium 64-bit proc. Only addition that can be installed on Itanium-based computer, requires Itanium 2 processor. App and Web svr are supoprted. Virt and Windows Deployment Services are not available.
  • 2TB mem max, up to 64 procs in SMP config.

HyperV will only run on x64 versions of OS.

Server Core

Any of the Versions can be installed as Server Core.

Installing 2008

Upgrading from 2003


Full volume encryption and integrity-checking mechanism to ensure boot env hasn't been tampered with.

Bitlocker Volume Config

Bitlocker Group Policies

Computer Configuration\Policies\Administrative Templates\Windows Components\BitLocker Drive Encryption node in 2008 Group policy object.
Other policies include:

EFS vs. Bitlocker

Turning off Bitlocker

You can disable (e.g. for a BIOS upgrade) or decrypt (this takes a while).

Installing partition for BitLocker

Repair the computer instead of straight install.
Go to command prompt.
select disk 0
create partition primary size=1500
assign letter=S
create partition primary
assign letter=C
format c: /y /q /fs:NTFS
format s: /y /q /fs:NTFS

Group Policy commands (general)

gpupdate /force - forces group policy updates to replicate/replication to all AD servers

Quick commands

net start telnet (start the telnet server)
net stop telnet

Promoting server to domain controller

dcpromo - copies files necessary before promoting to DC.

Automated Server Deployment

Answer Files

Windows Deployment Services



Product activation

Consider using volume activation during WDS deployment.


Upgrade Precautions


NOTE: APIPA (Auto Private IP Addressing, AutoNet) - DHCP failover mechanism in Windows - generates address in but with subnet mask of
Only good for isolated nets - can't be routed


Some of th IPv6 stuff came from Pearson's CCNA Routing and Switching 200-101 Complete Video Course. IPv6 = 128 bits = 16 bytes = 2^128 addrs =
667 by 1021 (667 sextillion) for every square meter on earth's surface (if not subnetted or reserved et. al).
IPv4 = 32 bits = 4 bytes = 2^32 addrs (just over 4 billion)

IPv6 addresses

8 16-bit boundaries (double bytes or words)
is the same as
21cd:53:0:0:3ad:3f:af37:8d62 (leading zeros removed)
is the same as
21cd:53::3ad:3f:af37:8d62 (contiguous zeros replaced with 2 colons - can only be used once in addr)

ff06::2 is the same as ff06:0:0:0:0:0:0:2

NOTE: Site ID is %1 or %2 or whatever # after address. ???
NOTE: Zone ID is %1 or %2 or whatever # after addr, but with ???

Network Prefixes

first part of address. subnet prefix/id.

Address Types

rfc2373.txt has info on IPv6 addr structure and architecture. (Deprecating Site Local) (IPv6 Addressing Standards)

Quick address type map
0:0:0:0:0:0:w.x.y.z (::w.x.y.z) IPv4-Compatible addr - IPv4 addr used as IPv6 dest, encapsulate an IPv4 header, and send to dest using IPv4 infra.
0:0:0:0:0:ffff:w.x.y.z (::ffff:w.x.y.z) IPv4-Mapped addr - represents an IPv4-only node to an IPv6 node. The IPv4-mapped addr is never used as the source or dest of an IPv6 packet.
2000:: to 3fff:ffff:.... unicast global
  • like IPv4 public unicast addrs
Teredo addr - used to be 3ffe:831f::/32
6to4 addr
fe80:: to fe80:ffff:.... unicast link-local - like APIPA ( NOT ROUTABLE?
feco:: to feco::ffff:ffff:ffff:ffff:ffff unicast site-local (deprecated)
- like IPv4 private addrs (,,
fc00:: to fd00::ffff:ffff:ffff:ffff unicast/unique local addressing
- like IPv4 private addrs (,,
0200:: to 03ff:ffff:.... NSAP - OSI (e.g. connecting equip to ATM net)
0400:: to 07ff:ffff:.... IPX - no longer used. Novell supports TCP/IP.
ff..:: multicast
  • ff0.:: - well-known
  • ff1.:: - Transient
  • 4th digit 1-nodelocal, 2-link, 5-site, 8-organizational, E-Global
  • ff02::1:ff00:0/104 + 24 bits of IPv6 is solicited-node multicast
unicast addr prefix + 0s subnet-router anycast addr
unicast - single interface. multi interfaces using same addr can occur as long as interfaces appear as one interface. Used for load-balancing systems).
unicast global
Unique Local Address
128 zeros and a 1bit
128 bits are 0
used to check link-local address does a DAD (Duplicate Address Detection) - Neighbor Solicitation - source addr is ::
Same for Router Solicitation message
Solicited-Node Multicast Address
FF02::1:FF (104 bits) - then last 24 bits of IPv6 addr
Used to learn MAC addr (like an ipv4 ARP broadcast) neighbor discovery
also Duplicate Address Detection (DAD) for link-local
EUI-64 - Extended Uniqueu Identifier
48 bit MAC address based
0013.2be4.9b60 - take mac addr
0013.2bff.fee4.9b60 - stick fffe in the middle
0213.2bff.fee4.9b60 - swap 7th bit
0213:2bff:fee4:9b60 - colon format for ip addr
fe80::213:2bff:fee4:9b60 - append into link-local

IPv4 Auto configuration

ipv6 traff flows

multiple interfaces. delivered to all interfaces id'ed by addr.
Starts with FF::/8
 1111 1111  Flags   Scope                             Group ID
ff01:: is broadcast|well-known|Node-local
ff15:: is broadcast|transient|Site-local
multiple interfaces. delivered to nearest interface (e.g. number of hops) id'ed by addr. one-to-one-to-many comm, deliv to single interface.

IPv4 to IPv6 transition strategy

rfc4213.txt basic transition mechanisms - MS IPv6 Transition Technologies

Dual Stack Transition

both stacks active in net

Configured Tunneling Transition

IPv4 traffic carries (tunnels/encapsulates) IPv6 traffic while IPv6 routing infra is under development. Point-to-point links between network endpoints.

Automatic Tunneling

IPv4-compatible addr within IPv6 addr. IPv4 infra carries IPv6 tunneled traffic without pre-configured tunnels. Seerfc2893.


IPv6 nets use IPv4 to communicate to each other without explicit tunnels. IPv6 communicate with native IPv6 domains via relay routers. Treats IPv4 Internet as single data link. See rfc3056.


enhancement of 6to4 supported by w2k2008. tunnels IPv6 in IPv4 UDP, so that IPv4 NAT device can work. Requires svr and relay elements to assist. rfc4380.txt.


(Intra-Site Auto Tunnel Addr Protocol) - views IPv4 net as link layer for IPv6, and other nodes on net as potential IPv6 hosts or routers. Creates host-to-host, host-to-router, or router-to-host auto tunnel.


netsh interface ipv6 6to4
netsh interface ipv6 isatap
netsh interface ipv6 add v6v4tunnel "Remote" a.b.c.d w.x.y.z create IPv6-in-IPv4 tunnel between a.b.c.d and w.x.y.z on an interface named Remote
netsh interface ipv6 show address (level=verbose) shows site ids also %
netsh interface ipv6 show interfaces (level=verbose)
netsh interface ipv6 show neighbors IPv6 ints on local subnet

Verifying connectivity

netsh int ipv6 show neighbors
netsh int ipv6 del neighbors
netsh int ipv6 show destinationcache
netsh int ipv6 del destinationcache
ping (or ping6)

Check rtr connect
netsh int ipv6 show route
route print
netstat -r

route check
tracert -d <ipv6 addr>
pathping -d <ipv6 addr>

dns problems
netsh int ipv6 show dnsservers
netsh int ipv6 add dnsserver

Modifying route

netsh int ipv6 add route
netsh int ipv6 set route (modify existing route)
netsh int ipv6 del route


Problems ping/connect/route after DHCP addr acquired

on win pc that can't connect
netstat -rn (you'll likely see you don't the dhcp addr related route)
netsh int ipv6 sh addr (note the interface # associated with the dhcp addr)
netsh int ipv6 add route fec0:0:0:fffe::/64 "8" publish=yes
fec0:... is the prefix. "8" is the interface from the sh addr above
on dhcp svr you may need to add
netsh interface ipv6 set interface <server_interface> advertise=enabled man=en other=en
advertise=enabled - send router advertisements to this interface
man=en - enable manged addr config
other=en - enable other stateful configuration


DNS related commands

dnscmd command line tool that can be used to manage and query dns server
ipconfig /flushdns clear dns cache
ipconfig /registerdns force name registration with DNS
ipconfig /displaydns displays dns info
ls -d <domain>
get a zone transfer (security has to be set low)
netsh interface ipv6 show dnsservers displays IPv6 DNS configs
dnscmd win2008svr1 /ZoneAdd /DsPrimary add a (reverse) domain (AD integrated /DsPrimary). note ipv4 reverse would be

2008 dns features

AD add-ons


Read Only Domain Controllers

Planning RODC Implementation

AD Lightweight Directory Services?

LDAP server without AD Directory Service (DS) tie-ins.

New and enhanced tools and wizards

Fine-grained security policies

Restartable AD DS

AD DS data mining tool

dsamain.exe - can expose snapshot as LDAP svr. Specify LDAP port. LDAP-SSL port, GC port, GC-SSL port.

AD DS Auditing (expanded)

Planning Domain and Forest Functionality

Forest Level Trusts

every domain in one forest trusts every domain in second forest


AD Federation Svcs

server role - like a cross-forest trust that operates over Internet and extends trust relationship to web apps.

AD Reminders

FSMO Roles

Transferring/Seizing FSMO Roles

connect to server <servername>
q (out of connections)
? (to list commands)
transfer <role> orseize <role>
q (to get out of fsmo maintenance)
q (to get out of ntdsutil)

Group Policy

GP settings containedin Group Policy objects (GPOs) - linked to OUs.
types central store locations
.admx language neutral files C:\Windows\SYSVOL\domain\policies\PolicyDefinitions
.adml files are language specific C:\Windows\SYSVOL\domain\policies\PolicyDefinitions\en-us

Some new GP settings in W2K8

Starter GPOs

Troubleshooting Group Policy