Windows 2008 notes
These notes were taken from the
Microsoft Windows Server Administration book.
1 GHz x86 or 1.4 GHz x64, rec 2GHz+
512M, rec 2G
15G Disk (30G for upgrade), rec 40G
- 5436 MB for the installation itself
- 10412 MB free space required for install
- plus swap file, log files, and any additional server roles
||targeted at small to medium sized businesses
- x86 32-bit ver -4G mem max,up to
4 procs in SMP config.
- x64 64 bit ver - 32G mem max,up to 4 procs
in SMP config.
- Supports Network Load Balancing clusters, but no
||targeted at large businesses.
- adds Failover Clustering - allows another svr to
service client requests in event original svr fails
- adds AD Federation Services - allows ID federation
between organizations (e.g. to allow access to local svcs)
- x86 32-bit ver - 64G mem max,up to 8 procs
in SMP config.
- x64 64 bit ver - 2TB mem max,up to 8 procs
in SMP config.
||targeted at very large businesses. Only
available through OEM manufacturers.
- adds unlimited virtual image rights (e.g. for
- x86 32-bit ver - 64G mem max,up to 32 procs
in SMP config.
- x64 64 bit ver - 2TB mem max,up to 64 procs
in SMP config.
||designed to function as web app svr.
Other roles not supported. Does not support higher
hw configs of other versions of win2008 svr.
- x86 32-bit ver - 4G mem max, up to 4 procs
in SMP config.
- x64 64-bit ver - 32G mem max, up to 4 procs in SMP
for Intel Itanium 64-bit processors. Only edition that can be
installed on an Itanium-based computer; requires an Itanium 2 processor.
App and Web server roles are supported. Virtualization and Windows
Services are not available.
- 2TB mem max, up to 64 procs in SMP config.
Hyper-V will only run on x64 versions of the OS.
Any of the versions can be installed as Server Core: a minimal
version with no desktop.
- Administered from command-line, and/or MMC.
- Can RDP to server, but must use command shell/line.
- Reduced attack surface.
- Lower hardware requirements for fewer installed components.
- Does not support PowerShell commands directly (no .NET on Core; PowerShell can be run
remotely against a Core install via WMI). It is possible to
run Windows Script Host scripts.
- Can run regedit
Can also invoke Date Control Panel (control
International Settings Control Panel (control
- oclist.exe -
lists all server roles installed and available for install
- ocsetup.exe -
add or remove server roles (package names are case-sensitive), e.g.
- ocsetup.exe /uninstall
IIS-WebServerRole (make sure all of the role's services are shut
down prior to attempting)
- Not possible to upgrade Server Core version to full version.
- IIS supported but no .NET Framework (so no ASP.NET on Core at RTM).
- AD Cert Svcs, AD Federation Svcs, Windows Deployment Svcs
not available in initial release but may in later SP.
- Windows 2003 cannot be updated to Server Core.
- You can put in product key early in install process to
determine what version of OS you are
- Consider waiting to activate in case you need additional
memory or hardware. You have 30-day activation grace period.
- You can install from DVD,
PXE (Automated Server
Deployment) install, or using a Windows Preinstallation
Environment (Windows PE),
and use OS sys files on network share to
perform a network
installation. Windows PE is a free tool that you
can download from Microsoft. http://technet.microsoft.com/en-us/windowsvista/aa905120.aspx
- Installs normally come without Hyper-V. Hyper-V
can be installed, but the release install files must be downloaded from Microsoft.
Upgrading from 2003
- No cheaper upgrade version of 2008 is available.
- Must be initiated from within 2003 SP1 or later (or 2003
R2) (not from install media).
- All versions of 2003 go to similarly named versions of 2008,
except 2003 Standard, which can go to 2008 Standard or Enterprise.
- x86 must go to x86. x64 must go to x64 (no cross-architecture upgrade).
- It is possible to install 2008 to a separate partition.
- Make sure to do full backup before upgrade or fresh
- Compatibility check is run prior to initiating upgrade
- Choose to upgrade when a significant amount of
customization is required post-upgrade/install that can not be done by
simply restoring backed-up data.
- Implementing BitLocker is very difficult on top of an upgrade (see the
partition requirement under Bitlocker Volume Config).
Full volume encryption and an integrity-checking mechanism to ensure the boot
env hasn't been tampered with.
- If the BitLocker keys (incl. the recovery password) for a server are lost, or the boot env is
changed and you have no recovery password, data stored on the svr will be unrecoverable.
- For integrity checking, BitLocker requires that the computer have a
chip and BIOS capable of supporting Trusted Platform Module (TPM) 1.2
or later. In these cases, if startup components change (BIOS,
Master Boot Record, Boot Sector, Boot Manager, Windows Loader)
then volumes are locked, and cannot be unlocked without the correct digital
- Advised that you disable BitLocker during maintenance that
will update startup components. Otherwise you need to recover
with the 48-digit numerical recovery password that is generated during BitLocker setup.
pw is stored separately or directly to AD (recommended for
- Without TPM (and TCG compatible BIOS), the key is stored on
removable USB memory that has
to be present (and readable by the BIOS at boot) each time the computer starts up.
Bitlocker Volume Config
- You need to create a separate 1.5GB partition, and format it,
before installing the 2008 OS on a machine that might
need BitLocker in the future. If you have to install
BitLocker later without having done this, it will take many hours of
- This makes an upgrade from 2003 with a BitLocker installation
Bitlocker Group Policies
Drive Encryption node in a 2008 Group Policy object (Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption).
Other policies include:
- For non-TPM computers, enable the Control
Panel Setup: Enable
Advanced Startup Options policy (allows a USB startup key). With a TPM, this
policy can be used to require that a startup PIN be entered.
- BitLocker Backup to AD DS (store recovery info in the computer object).
- CP Setup: Configure Recovery Folder (where recovery keys
- CP Setup: Configure Recovery Options (disable recovery pw
and/or key - if both are disabled, backup to AD must be enabled or setup fails).
- Configure Encryption Method (AES key length, with or without diffuser).
- Prevent Memory Overwrite on Restart (speeds up
restarts, but the keys may remain in RAM across the restart, increasing the risk of BitLocker being compromised).
- Configure TPM Platform Validation Profile (which PCRs the TPM seals the key against).
EFS vs. Bitlocker
- Encrypting File System encrypts individual files or folders for
- BitLocker encrypts whole harddrive or partition, but is
transparent to valid user.
Turning off Bitlocker
You can disable (e.g. for a BIOS upgrade) or decrypt (this takes a
- Disabling writes the volume master key to the drive in plaintext (a "clear key"), so the
volume is effectively unprotected while disabled. When BitLocker is re-enabled, the
plaintext key is removed.
Installing partition for BitLocker
Boot the install media and choose "Repair the computer" instead of a straight install,
then open the command prompt and run diskpart:
diskpart
select disk 0
create partition primary size=1500   (unencrypted system partition, will be S:)
assign letter=S
active
create partition primary             (rest of the disk, will be the encrypted OS volume C:)
assign letter=C
exit
format c: /y /q /fs:NTFS
format s: /y /q /fs:NTFS
Group Policy commands (general)
gpupdate /force - reapplies all Group Policy settings on the local computer,
not just the changed ones (it does NOT replicate anything to other AD servers)
net start telnet (start the telnet server)
net stop telnet
Promoting server to domain controller
dcpromo - installs the AD DS binaries if needed and runs the AD DS
Installation Wizard to promote the server to a DC.
Automated Server Deployment
System Image Manager (SIM) included in the Windows Automated
Installation Kit (Windows AIK or WAIK), can create the XML file
The file can be saved on any accessible volume (including
USB) during installation. Setup will look for it...
file in the Windows install media has all the settings for an install.
Should be able to open this with Windows SIM. If
going to modify it, copy it to a temp directory first.
- To modify, right click on the
Components or Package
in the Windows Image section, and select Add
Setting to Pass x yyyyy to be able to edit.
(Double click on the element in the Credentials/Settings
- Windows PE
can be used to link to a share and run setup.exe
Windows Deployment Services
- A role that can be added to 2008 svr to allow remote
deployment of Windows OSes.
- Needs PXE network card (or could use other method such as
- client has to be authorized
- multicast has to be configured on network (so multiple
PCs can be installed simultaneously)
on WDS server will allow update with no prompts from admin/installer.
- WDS needs to be installed on computer in AD domain.
DNS server is required.
- An authorized DHCP svr needs to be present on the network.
If the DHCP svr is
on the WDS svr, configure the WDS
svr to not listen on
UDP port 67 (DHCP). Also add DHCP option 60 (PXEClient),
so PXE clients can detect the presence of the WDS server.
- NTFS partition needs to be available to store OS images.
- Cannot be run on Server Core install.
- Configured by the WDS Config Wizard or WDSUtil.exe.
- You can configure the client unattend .xml
filename in the Client
- Multicast ranges,ports, and bandwidth used
configured in the Network Settings
- You can configure PXE response settings (all, only AD
pre-staged computers, none).
can schedule the multicast transmission of the OS to occur at a particular
time. Remember that this needs an answer file, otherwise it will
stall waiting for input.
- auto-cast means multicast transmission starts as soon as
client requests install image.
(e.g. boot.wim) images
usually located in the \Sources
- Make sure to have different images (e.g. x64 and x86 from
different arch-specific install media).
- install images can be:
image - image prepared with the sysprep utility, capturing a reference
computer's image for deployment with WDS.
- deployed to computers that are not PXE-enabled. Written to
DVD or USB, and the computer is booted off the media (traditional method of
Consider using volume activation during WDS deployment.
Multiple Activation Key (MAK) - activates a specific # of computers from an activation pool.
Can use MAK Proxy Activation (proxy requests through MS
svrs), or MAK Independent Activation (each computer activates
independently through MS activation svrs).
- Key Mgmt Svcs
(KMS) - KMS is installed on a local server, and computers in the environment
connect to that computer to perform activation. Recommended to
have 2 KMS svrs deployed, with one acting as backup. KMS requires
at least 25 computers (client OS; the threshold is 5 for servers) before it activates anything, and clients must reconnect to the KMS server at least every 180 days.
If you have no Internet connectivity (MAK), or fewer than 25 computers
(KMS), then you will need to activate each system over the telephone.
After an upgrade to 2008, once a successful login has occurred, you cannot
roll back. At this point the only rollback is to reformat and
restore the 2003 backups you took.
- You could also deploy 2003 in 2008's virtualization feature.
- Perform an Automated System Recovery (ASR) Backup of 2003
- Perform full backup of all data, incl. sys state data.
- Have a plan to rollback upgrade ready (ASR application,
restore sys state and user data, install extra apps).
NOTE: APIPA (Automatic Private
IP Addressing, AutoNet) - DHCP
failover mechanism in Windows - generates an address in 169.254.0.0/16
(subnet mask 255.255.0.0).
Only good for isolated
nets - not routable.
Some of the IPv6 material came from Pearson's CCNA Routing and Switching 200-101 Complete Video Course.
IPv6 = 128 bits = 16 bytes = 2^128 addrs =
roughly 667 x 10^21 (667 sextillion) for every square meter of the earth's surface (if not subnetted or reserved etc.).
IPv4 = 32 bits = 4 bytes = 2^32 addrs (just over 4 billion)
- ~5x10^28 IPv6 addrs for each person on the planet
- 8 fields in the IPv6 header (vs 12 in the IPv4 header)
- No broadcast, but there is an all-nodes multicast (ff02::1)
- security (IPsec) and mobility features built-in
- no fragmentation by routers: the sender performs Path MTU discovery per destination and fragments (if at all) only at the source
- Can co-exist with IPv4 during migration - dual stack, IPv6 over IPv4
- 64-bit host portion (interface ID) can be auto generated from the network adapter hardware (Ethernet MACs are 48 bits, so ff:fe is inserted to pad to 64 - see EUI-64 below)
stateless address autoconfiguration: hosts on a link auto configure their own
IPv6 addrs. Optionally - derived from prefixes advertised by
- IPv6 and IPv4 headers not compatible.
- IPv6 header is 2x as large as the IPv4 header (40 vs 20 bytes) but fixed-size; optional
fields are placed in extension headers.
- IPv6 global addresses set up to aggregate well.
- IPsec support was mandatory in the original IPv6 node requirements (RFC 4294; relaxed to SHOULD in RFC 6434), standardized, and interoperable
between implementations. Its use is still optional.
- QoS classification is not affected by encryption (e.g. ESP):
the Flow Label field identifying the flow stays in the unencrypted main header.
Neighbor Discovery (ND) replaces IPv4 ARP, ICMPv4 Rtr Disc, and ICMPv4 Redirect
msgs with more efficient protocol for mgmt of interaction of nodes on
same link (neighboring nodes).
- Improved pkt handling
- Increased scalability and longevity
- QoS mechanisms
- Integrated security
- Header format simplification - faster packet handling
- Improved support for extensions and options
Addresses are written as 8 groups of 16 bits (double bytes / words) in hex, separated by colons:
21cd:0053:0000:0000:03ad:003f:af37:8d62 (full form)
is the same as
21cd:53:0:0:3ad:3f:af37:8d62 (leading zeros in each group removed)
is the same as
21cd:53::3ad:3f:af37:8d62 (one run of contiguous all-zero groups replaced with a double colon - can only be used once in an addr, otherwise the number of groups it stands for would be ambiguous)
ff06::2 is the same as ff06:0:0:0:0:0:0:2
NOTE: Zone ID (scope ID) is the %1, %2, ... suffix after an address (e.g. fe80::1%12). It is needed for link-local (and the deprecated site-local) addrs, which are only unique per link: on Windows the number is the interface index, so the stack knows which interface to send out of. The suffix is not part of the 128-bit address.
Subnet prefix / subnet ID: the first part of the address.
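The two rules above (drop leading zeros, collapse exactly one run of zero groups) and the %zone suffix, worked in code. This is an added example, not from the notes: a small hand-written expander/compressor following RFC 4291 and RFC 5952 (longest zero run wins, leftmost on a tie, a single zero group is never collapsed), with the standard library used only as a cross-check.

```python
import ipaddress
import string


def expand_ipv6(text):
    """Return (eight 16-bit groups as ints, zone ID or '') for an IPv6 string.

    Accepts '::' at most once, a dotted-quad IPv4 address in the low 32 bits
    (e.g. ::ffff:192.0.2.1) and a trailing '%zone' suffix, which is carried
    through untouched because it is not part of the 128-bit address.
    """
    addr, _, zone = text.strip().partition("%")
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: %r" % text)

    def to_groups(part):
        if not part:
            return []
        toks = part.split(":")
        if "." in toks[-1]:                          # embedded IPv4 -> two groups
            octets = [int(o) for o in toks[-1].split(".")]
            if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
                raise ValueError("bad embedded IPv4 in %r" % text)
            toks[-1:] = ["%02x%02x" % (octets[0], octets[1]),
                         "%02x%02x" % (octets[2], octets[3])]
        for t in toks:
            if not 1 <= len(t) <= 4 or not all(c in string.hexdigits for c in t):
                raise ValueError("each group is 1-4 hex digits: %r" % text)
        return [int(t, 16) for t in toks]

    if "::" in addr:
        left, right = addr.split("::")
        head, tail = to_groups(left), to_groups(right)
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group: %r" % text)
        groups = head + [0] * missing + tail
    else:
        groups = to_groups(addr)
    if len(groups) != 8:
        raise ValueError("expected 8 groups, got %d: %r" % (len(groups), text))
    return groups, zone


def is_valid_ipv6(text):
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False


def full_form(text):
    """Fully expanded 8 x 4-hex-digit form (the first line of the examples above)."""
    groups, zone = expand_ipv6(text)
    return ":".join("%04x" % g for g in groups) + ("%" + zone if zone else "")


def compress_ipv6(text):
    """RFC 5952 canonical form: lowercase, no leading zeros, the longest run of
    two or more zero groups (leftmost on a tie) collapsed to '::'."""
    groups, zone = expand_ipv6(text)
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:              # strictly longer: leftmost wins ties
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = ["%x" % g for g in groups]
    if best_len >= 2:                         # a lone zero group stays as '0'
        out = ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])
    else:
        out = ":".join(hexs)
    return out + ("%" + zone if zone else "")


def matches_stdlib(text):
    """Cross-check against ipaddress (which does not accept zone IDs here)."""
    bare = text.split("%")[0]
    return compress_ipv6(bare) == ipaddress.IPv6Address(bare).compressed


if __name__ == "__main__":
    for a in ("21cd:0053:0000:0000:03ad:003f:af37:8d62", "ff06:0:0:0:0:0:0:2",
              "2001:db8:0:0:1:0:0:1", "fe80::0001%12"):
        print("%-42s -> %s" % (a, compress_ipv6(a)))
```

The tie case 2001:db8:0:0:1:0:0:1 is the one people get wrong by hand: both zero runs are two groups long, so only the leftmost may become "::" and the result is 2001:db8::1:0:0:1.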
- 21cd:53::/64 contains 21cd:53::3ad:3f:af37:8d62
- multiple subnets on same link
rfc2373.txt has info on IPv6 addr structure and architecture (since replaced by RFC 3513 and then RFC 4291).
(RFC 3879 - Deprecating Site Local)
(IPv6 Addressing Standards)
Quick address type map
unicast - identifies a single interface (multiple interfaces may share one addr as long as they appear to IPv6 as a single interface, e.g. load-balancing systems).
addr - IPv4 addr embedded in an IPv6 dest addr; the node encapsulates the packet in an IPv4
header and sends it to the dest using the IPv4 infra.
IPv4-mapped addr (::ffff:w.x.y.z) - represents an IPv4-only node to an IPv6 node.
The IPv4-mapped addr is never used as the source or dest of
an IPv6 packet on the wire.
- like IPv4 public unicast addrs
addr - used to be 3ffe:831f::/32
|fe80::/10 (in practice fe80::/64: fe80:: to fe80::ffff:ffff:ffff:ffff)
||unicast link-local - like APIPA (169.254.0.0/16). NOT routable; valid only on the local link, which is why the zone ID (%n) is needed to pick an interface.
|fec0::/10 (fec0:: to feff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
||unicast site-local (deprecated by RFC 3879)
- like IPv4 private addrs (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
|fc00::/7 (fc00:: to fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff; only the locally generated fd00::/8 half is in use)
||unicast unique local addressing (ULA, RFC 4193) - replaces site-local
- like IPv4 private addrs (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
||NSAP - OSI (e.g. connecting equipment to an ATM net)
||IPX - no longer used. Novell supports TCP/IP.
- ff0x:: - well-known (permanent, T flag = 0)
- ff1x:: - transient (T flag = 1)
- 4th hex digit is the scope: 1 interface-local (node-local), 2 link-local, 5 site-local (also 4 admin-local, 8 organization-local, e global)
- ff02::1:ff00:0/104 + the low 24 bits of the unicast IPv6 addr is the solicited-node multicast addr
|unicast subnet prefix + 0s
||subnet-router anycast addr
Loopback (::1) - 127 zero bits and a 1 bit.
Unspecified (::) - all 128 bits are 0.
- used as the source addr while a host checks its tentative link-local address with DAD (Duplicate Address Detection) - a Neighbor Solicitation whose source addr is ::
- same for a Router Solicitation sent before the host has an address.
Solicited-Node Multicast Address
ff02::1:ff00:0/104 (first 104 bits fixed) - then the last 24 bits of the unicast IPv6 addr
Used to learn a neighbor's MAC addr (like an IPv4 ARP broadcast, but only nodes whose low 24 bits match have joined the group) - Neighbor Discovery
also Duplicate Address Detection (DAD) for the link-local (and any other tentative) address
EUI-64 - Extended Unique Identifier
based on the 48-bit MAC address:
0013.2be4.9b60 - take the MAC addr
0013.2bff.fee4.9b60 - insert fffe in the middle (after the 24-bit OUI)
0213.2bff.fee4.9b60 - invert the 7th bit of the first byte (the universal/local bit: 00 -> 02)
0213:2bff:fee4:9b60 - colon format for an IP addr
fe80::213:2bff:fee4:9b60 - append to fe80::/64 to get the link-local addr
IPv6 Auto configuration
- stateful autoconfig - use DHCPv6 - client sends a Solicit multicast msg - dest ff02::1:2 (all DHCPv6 relay agents and servers)
client                          dhcpv6 server
(LL: fe80::AAAA)                (LL: fe80::BBBB)
---solicit (src fe80::AAAA, dst ff02::1:2)--->
<--advertise (src fe80::BBBB, dst fe80::AAAA)-
---request (src fe80::AAAA, dst fe80::BBBB)-->
<---reply (src fe80::BBBB, dst fe80::AAAA)---
- stateless autoconfig - get the IPv6 prefix and params from the IPv6 rtr
client                          ipv6 router
(LL: fe80::AAAA)                (LL: fe80::CCCC)
--neighbor solicitation / DAD (src ::, dst ff02::1:ff00:AAAA)--> (dst is the Solicited-Node Multicast Addr of the tentative fe80::AAAA)
<-------------no response (hopefully)-----------------
------rtr solicitation (src :: or fe80::AAAA, dst ff02::2)--------> (dst is the all-routers multicast addr)
<---rtr advertisement (src fe80::CCCC, dst ff02::1)--- (dst is the all-nodes multicast addr)
(rtr adv incl the global prefix we're on, its lifetime, the default gw = the rtr's link-local addr, the M/O flags, etc.)
(node appends its EUI-64 interface ID to the advertised prefix, and away we go)
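The arithmetic behind the stateless flow above, as an added example (not from the notes or the video course): derive the modified EUI-64 interface ID from a MAC, the fe80:: link-local address, the solicited-node group the DAD probe is sent to, and the global address formed from an advertised /64. The MAC 0013.2be4.9b60 is the one in the EUI-64 walkthrough; the RA prefix 2001:db8:1::/64 is a constructed documentation prefix.

```python
import ipaddress


def modified_eui64(mac):
    """48-bit MAC ('00:13:2b:e4:9b:60' or '0013.2be4.9b60') -> 64-bit modified
    EUI-64 interface ID as an int: insert ff:fe in the middle and invert bit 7
    (the universal/local bit) of the first byte."""
    hexdigits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(hexdigits) != 12:
        raise ValueError("MAC must be 48 bits: %r" % mac)
    b = bytes.fromhex(hexdigits)
    eui = b[:3] + b"\xff\xfe" + b[3:]
    first = eui[0] ^ 0x02                       # 00 -> 02, 02 -> 00
    return int.from_bytes(bytes([first]) + eui[1:], "big")


def link_local(mac):
    """fe80::/64 plus the interface ID."""
    return ipaddress.IPv6Address((0xFE80 << 112) | modified_eui64(mac))


def global_from_ra(prefix, mac):
    """Address a host forms from an advertised /64 prefix plus its EUI-64 ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix, got %s" % prefix)
    return ipaddress.IPv6Address(int(net.network_address) | modified_eui64(mac))


def solicited_node(addr):
    """ff02::1:ff00:0/104 + low 24 bits of the target: the group a node joins
    for the address, and the destination of the DAD Neighbor Solicitation."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def dad_neighbor_solicitation(tentative):
    """(src, dst) of the DAD probe: unspecified source, solicited-node dst."""
    return ipaddress.IPv6Address("::"), solicited_node(tentative)


def slaac_walkthrough(mac, ra_prefix):
    """Every address involved in the exchange above, as strings."""
    ll = link_local(mac)
    src, dst = dad_neighbor_solicitation(ll)
    glob = global_from_ra(ra_prefix, mac)
    return {
        "interface_id": "%016x" % modified_eui64(mac),
        "link_local": str(ll),
        "dad_ns": (str(src), str(dst)),
        "router_solicitation_dst": "ff02::2",   # all routers
        "router_advertisement_dst": "ff02::1",  # all nodes
        "global": str(glob),
        # same low 24 bits as the link-local, so the same solicited-node group
        "global_solicited_node": str(solicited_node(glob)),
    }


if __name__ == "__main__":
    for k, v in slaac_walkthrough("0013.2be4.9b60", "2001:db8:1::/64").items():
        print("%-26s %s" % (k, v))
```

Note that the EUI-64 interface ID is the same in the link-local and the global address, which is what makes a host trackable across networks and why Windows defaults to random/temporary interface IDs instead.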
ipv6 traff flows
- unicast - 1-to-1
- multicast - ff - 1-to-many
- Anycast - 1 to nearest (one-to-one-of-many)
- rtr determines the nearest device
- equivalent to IPv4 private addrs (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16); deprecated
- FP fec0::/10
followed by 38 zero bits, then a 16-bit
subnet ID, then the 64-bit interface ID (RFC 2373 layout; addrs are fec0:0:0:<subnet>::/64)
be allocated by DHCPv6 or other stateful config. Hosts use stateful config
when router advert msgs do not include prefixes, or if no rtrs are
- addr config can be a combo of stateful and
stateless when rtr advert msgs incl stateless addr prefixes, but request
that hosts also use a stateful addr config protocol (e.g. for DNS settings).
- check out http://www.microsoft.com/technet/technetmag/issues/2007/08/CableGuy
(or ::) - unspecified address (absence of an address). Same as 0.0.0.0 in IPv4.
(or ::1) - loopback address. Same as 127.0.0.1 in IPv4.
is NSAP (used for OSI (e.g. connecting equipment to an ATM net)).
is IPX. Not used (Novell uses TCP/IP now).
multicast - identifies multiple interfaces; a packet is delivered to all interfaces identified by the addr.
Starts with ff00::/8
1111 1111 | Flags | Scope | Group ID
- FP - 8 bits - 1111 1111
(ff00:: to ffff:....)
- Flags - 4 bits
- cisco says 0RPT
- 0 - reserved and set to 0
- R - if set to 1, P and T must also be set to 1; indicates there is a Rendezvous Point (RP) addr embedded in the multicast addr (RFC 3956; RP used with PIM sparse mode (PIM - Protocol Independent Multicast))
- RP - router which forwards multicast traffic to routers asking to receive the traffic
- P - unicast-prefix-based multicast addr (RFC 3306)
- T - microsoft says the only flag originally defined is transient (T):
the low-order flag bit. Set to 0 - mult addr is well known,
permanently assigned by IANA. Set to 1 - mult addr is transient (dynamically assigned).
- Scope - 4 bits
- 1 Interface-local (node-local)
- 2 Link-local (reach comparable to APIPA addrs)
(e.g. FF02::1 all nodes in link-local scope)
(e.g. FF02::2 all routers in link-local scope)
- 4 Admin-local (e.g. 192.168.0.0/16)
- 5 Site-local (e.g. 192.168.0.0/16)
- 8 Organization-local, e Global
- Group ID - 112 bits
- transient group IDs are relevant only within a specific scope
- permanently assigned group IDs are independent of scope
are reserved, well-known
- rfc2373 recommends
assigning the group ID from the low-order
32 bits of the IPv6 multicast addr, and setting the rest of the group ID
bits to 0 (those 32 bits are what gets mapped into the 33:33:xx:xx:xx:xx Ethernet multicast MAC).
- read rfc2373
for more info on assigning group IDs.
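Decoding the field layout above in code, as an added example (not from the notes or the RFCs): pull the 0RPT flags, scope and group ID out of a multicast address, recognise the well-known groups used on this page, detect solicited-node addresses, and extract the embedded Rendezvous Point when R=1 (RFC 3956 layout). The WELL_KNOWN table is a hand-picked subset, not the full IANA registry, and ff7e:140:2001:db8::1234 is a constructed embedded-RP address.

```python
import ipaddress

SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
          0x5: "site-local", 0x8: "organization-local", 0xE: "global"}

# Hand-picked well-known groups, keyed by canonical text (NOT a full registry).
WELL_KNOWN = {
    "ff02::1": "all nodes (link)",
    "ff02::2": "all routers (link)",
    "ff02::1:2": "all DHCPv6 relay agents and servers",
    "ff05::1:3": "all DHCPv6 servers (site)",
}
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0")) >> 24


def is_multicast(text):
    return (int(ipaddress.IPv6Address(text)) >> 120) == 0xFF


def embedded_rp(a):
    """Rendezvous Point encoded in an R=1 address (RFC 3956): after the scope
    nibble come 4 reserved bits, a 4-bit RIID, an 8-bit prefix length, a 64-bit
    network prefix and a 32-bit group ID. RP = prefix/plen with RIID as low nibble."""
    riid = (a >> 104) & 0xF
    plen = (a >> 96) & 0xFF
    prefix = (a >> 32) & ((1 << 64) - 1)
    if plen > 64:
        raise ValueError("embedded-RP prefix length must be <= 64, got %d" % plen)
    mask = ((1 << plen) - 1) << (64 - plen)
    return ipaddress.IPv6Address(((prefix & mask) << 64) | riid)


def decode_multicast(text):
    """Split an ff00::/8 address into its fields; raises on non-multicast input."""
    a = int(ipaddress.IPv6Address(text))
    if (a >> 120) != 0xFF:
        raise ValueError("%s is not an IPv6 multicast address (ff00::/8)" % text)
    flags = (a >> 116) & 0xF                     # 0RPT, high bit first
    scope = (a >> 112) & 0xF
    info = {
        "reserved_bit": bool(flags & 0x8),       # must be 0
        "R": bool(flags & 0x4),
        "P": bool(flags & 0x2),
        "T": bool(flags & 0x1),                  # 0 = permanent (IANA), 1 = transient
        "scope": SCOPES.get(scope, "unassigned (0x%x)" % scope),
        "group_id": a & ((1 << 112) - 1),
        "well_known": WELL_KNOWN.get(str(ipaddress.IPv6Address(a))),
        "solicited_node": (a >> 24) == SOLICITED_NODE_PREFIX,
    }
    if info["R"]:
        if not (info["P"] and info["T"]):
            raise ValueError("R=1 requires P=1 and T=1 (RFC 3956)")
        info["rendezvous_point"] = str(embedded_rp(a))
    return info


if __name__ == "__main__":
    for addr in ("ff02::1", "ff02::2", "ff02::1:ffe4:9b60", "ff15::1234",
                 "ff7e:140:2001:db8::1234"):
        print(addr, decode_multicast(addr))
```

A firewall or IDS rule that wants "all link-local ND traffic" should match on the scope nibble (ff02::/16) rather than on individual addresses, because every solicited-node group is a different address.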
- to resolve link-local (fe80::, like IPv4 APIPA 169.254.0.0/16)
addrs, IPv6 uses ND msgs sent to the solicited-node multicast addr ff02::1:ff00:0/104 + the last 24 bits of the target IPv6 addr.
This behaves like a pseudo-unicast addr for efficient
addr resolution. (Remember: MAC addr becomes the Interface ID, becomes
multiple interfaces. Delivered to the nearest interface (e.g. by
number of hops) identified by the addr. One-to-one-of-many comm,
- taken from the unicast addr space; usable as destination addresses only; scope
is that of the unicast addr type. Assigned only to routers (RFC 2373).
Subnet-router anycast addr - subnet
prefix plus the remaining
bits 0. Assigned to every router interface on that subnet.
IPv4 to IPv6 transition strategy
basic transition mechanisms
- MS IPv6 Transition Technologies
Dual Stack Transition
active in net
Configured Tunneling Transition
(tunnels/encapsulates) IPv6 traffic in IPv4 while the IPv6 routing infra is under
development. Point-to-point links between network endpoints.
- Configured tunnels are called explicit tunnels.
broker can manage tunnel requests coming from end users.
addr within IPv6 addr.
IPv4 infra carries IPv6 tunneled traffic without
pre-configured tunnels. See rfc2893.
use IPv4 to communicate with each other without explicit
tunnels. IPv6 sites communicate with native IPv6 domains via relay
routers. Treats the IPv4 Internet as a single data link.
- 16 bits -
2002::/16 - FP
- 32 bits
- public IPv4 addr of the site in hex notation (e.g. 192.0.2.45 -> c000:022d)
- 16 bits
- subnet ID within the site
- 64 bits
- host address (interface ID) within the subnet
of 6to4 supported by w2k8. Tunnels IPv6 in
IPv4 UDP, so that an IPv4 NAT device can pass it. Requires svr and
relay elements to assist. rfc4380.txt.
- 32 bits -
2001::/32 - FP (2001:0000::/32)
- 32 bits
- IPv4 public addr of the Teredo server that assisted in configuring the addr.
- 16 bits
- flags. The only one originally defined is the highest-order flag -
the cone flag, set when the NAT connected to the Internet is a cone NAT.
- 16 bits
- obfuscated (XORed with 0xffff) external UDP port that corresponds to all Teredo
traffic for the Teredo client interface. On the initial packet to the Teredo
server, the NAT maps the source UDP port to a different external UDP port;
the server reports it back and the client stores it inverted, so that NATs
which rewrite addresses/ports they find inside payloads do not mangle it.
- 32 bits
- obfuscated (XORed with 0xffffffff) external IPv4 addr that corresponds to all
Teredo traffic for the client interface. Stored inverted for the same reason.
Example: 2001:0:4136:e378:8000:63bf:3fff:fdd2
- 2001:: - Teredo addr
- 4136:e378 -> 41.36.e3.78 -> 65.54.227.120
Teredo svr used
- 8000 - cone flag is set
- 0x63bf XOR 0xffff = 0x9c40 = port 40000
- 0x3ffffdd2 XOR 0xffffffff = 0xc000022d ->
c0.00.02.2d -> 192.0.2.45 public IPv4 addr of the NAT
Example: 2001:0:ce49:7601:e866:efff:f5ff:9bfe
- 2001:: - Teredo address
- ce49:7601 -> ce.49.76.01 -> 206.73.118.1
Teredo svr used
- e866 - cone flag (high bit) is set. The rest of the flag
bits are randomized by MS (Windows) clients.
- 0xefff XOR 0xffff = 0x1000 = port 4096
- 0xf5ff9bfe XOR 0xffffffff = 0x0a006401 ->
0a.00.64.01 -> 10.0.100.1 external IPv4 addr of the NAT (note: an RFC 1918 addr in this example, so not actually Internet-routable)
- Teredo client: host with IPv4 connectivity to the Internet behind a NAT.
Uses the Teredo tunneling proto to access the IPv6 Internet.
- Teredo server: clients use it to detect the NAT type, and to maintain the binding on the NAT toward the
- Teredo relay: remote end of the tunnel (across the Internet/IPv4 network), forwards between Teredo clients and native IPv6 hosts
host-specific relay - runs on a particular host and
services that host only.
ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) - views the IPv4 net as the link layer for IPv6, and
other nodes on the net as potential IPv6 hosts or routers.
Creates host-to-host, host-to-router, or router-to-host auto
- 64 bits
- unicast link-local, site-local, global or 6to4 global prefix.
- 32 bits
- 0000:5efe (0200:5efe when the embedded IPv4 addr is public/globally unique)
- 32 bits
- IPv4 addr (can be written in dotted decimal or hexadecimal format).
- By default w2k8 configures fe80::5efe:w.x.y.z for each IPv4
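The three transition address formats above (6to4, Teredo, ISATAP) composed and decomposed in code. This is an added example, not from the notes: it rebuilds the two Teredo worked examples, undoing the XOR obfuscation of port and NAT address, derives a 6to4 /64 from a site's public IPv4 address, and forms ISATAP addresses with the 0000:5efe / 0200:5efe interface-ID prefix. 198.51.100.7 and 2001:db8:1::/64 are constructed documentation addresses; the Teredo addresses are the ones worked by hand above.

```python
import ipaddress

RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TEREDO_PREFIX = 0x20010000                     # 2001::/32 as the top 32 bits


def is_rfc1918(ipv4):
    v4 = ipaddress.IPv4Address(ipv4)
    return any(v4 in n for n in RFC1918)


def six_to_four_prefix(ipv4, subnet_id=0):
    """2002:WWXX:YYZZ:<subnet>::/64 derived from a site's public IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)
    if is_rfc1918(v4):
        raise ValueError("6to4 needs a public IPv4 address, not %s" % v4)
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("6to4 subnet ID is 16 bits")
    net = (0x2002 << 112) | (int(v4) << 80) | (subnet_id << 64)
    return ipaddress.IPv6Network((net, 64))


def isatap_address(prefix64, ipv4):
    """<prefix>:0000:5efe:w.x.y.z (0200:5efe when the IPv4 address is public)."""
    net = ipaddress.IPv6Network(prefix64, strict=False)
    v4 = ipaddress.IPv4Address(ipv4)
    ul_bits = 0x0000 if is_rfc1918(v4) else 0x0200
    iid = (ul_bits << 48) | (0x5EFE << 32) | int(v4)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def decode_teredo(text):
    """Server, cone flag, and the de-obfuscated external port/IPv4 of the NAT."""
    a = int(ipaddress.IPv6Address(text))
    if (a >> 96) != TEREDO_PREFIX:
        raise ValueError("%s is not a Teredo address (2001::/32)" % text)
    flags = (a >> 48) & 0xFFFF
    return {
        "server": str(ipaddress.IPv4Address((a >> 64) & 0xFFFFFFFF)),
        "cone": bool(flags & 0x8000),
        "flags": flags,
        "port": ((a >> 32) & 0xFFFF) ^ 0xFFFF,                      # undo XOR
        "client_nat_ip": str(ipaddress.IPv4Address((a & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }


def encode_teredo(server, client_nat_ip, port, cone=True, random_flag_bits=0):
    """Inverse of decode_teredo. The port and NAT address are stored XORed so a
    NAT that rewrites addresses it finds in payloads leaves them alone.
    random_flag_bits fills the 15 low flag bits (Windows randomises them)."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("UDP port out of range")
    flags = (0x8000 if cone else 0) | (random_flag_bits & 0x7FFF)
    a = ((TEREDO_PREFIX << 96)
         | (int(ipaddress.IPv4Address(server)) << 64)
         | (flags << 48)
         | ((port ^ 0xFFFF) << 32)
         | (int(ipaddress.IPv4Address(client_nat_ip)) ^ 0xFFFFFFFF))
    return ipaddress.IPv6Address(a)


if __name__ == "__main__":
    print(six_to_four_prefix("198.51.100.7"))
    print(isatap_address("fe80::/64", "10.0.0.5"))
    print(decode_teredo("2001:0:4136:e378:8000:63bf:3fff:fdd2"))
    print(decode_teredo("2001:0:ce49:7601:e866:efff:f5ff:9bfe"))
```

Decoding is worth automating because a Teredo address leaks the client's NAT public IP and external port to every IPv6 peer it talks to; the same parsing is what a firewall uses to reject Teredo traffic it does not want tunnelling past IPv4-only filtering.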
|netsh interface ipv6 6to4
|netsh interface ipv6 isatap
|netsh interface ipv6 add v6v4tunnel "Remote" a.b.c.d w.x.y.z
||create an IPv6-in-IPv4 tunnel between local a.b.c.d and remote w.x.y.z
on an interface named Remote
|netsh interface ipv6 show address (level=verbose)
||also shows the zone IDs (%n)
|netsh interface ipv6 show interfaces (level=verbose)
|netsh interface ipv6 show neighbors
||IPv6 neighbors on the local subnet (the IPv6 equivalent of arp -a)
netsh int ipv6 show neighbors
netsh int ipv6 del neighbors
netsh int ipv6 show destinationcache
netsh int ipv6 del destinationcache
ping (or ping6)
Check rtr connect
netsh int ipv6 show route
tracert -d <ipv6 addr>
pathping -d <ipv6 addr>
netsh int ipv6 show dnsservers
netsh int ipv6 add dnsserver
netsh int ipv6 add route
netsh int ipv6 set route (modify existing route)
netsh int ipv6 del route
- stateless - doesn't assign the IP addr (that is autoconfigured from RAs), but does hand out the
addr of the DNS server etc.
- stateful -
specifies host addrs
svrs can be configured via DHCPv6 option 23 (DNS Recursive Name
Server), as a server option or a scope option (scope option preferred when IPv6 addrs are not configured
through rtr discovery).
- scope options override server options.
- DHCPv6 requests and replies are forwarded across subnets by DHCPv6 relay agents on rtrs
and L3 switches (an IPv4 BOOTP/DHCP relay does not forward DHCPv6).
- DHCP servers (especially 80/20 split scopes) are good
candidates for virtualization.
- In general, configure 2 DHCP servers per site to support
Problems ping/connect/route after DHCP addr acquired
on the Windows PC that can't connect:
netstat -rn (you'll likely see you don't have the route for the DHCP-assigned prefix)
netsh int ipv6 sh addr (note the interface # associated with the DHCP addr)
netsh int ipv6 add route fec0:0:0:fffe::/64 "8" publish=yes
fec0:... is the prefix. "8" is the interface # from the sh addr above
on the DHCP svr you may need to add
netsh interface ipv6 set interface <server_interface> advertise=enabled managedaddress=enabled otherstateful=enabled
(netsh accepts unambiguous abbreviations, so man=en other=en also works)
advertise=enabled - send router advertisements on this interface
managedaddress=enabled - set the M flag in RAs: hosts get addrs from DHCPv6
otherstateful=enabled - set the O flag in RAs: hosts get other config (DNS etc.) from DHCPv6
- DNS zone data can be stored in either the domain partition or an application
directory partition of AD DS. It can also be stored in files
(not recommended for primary DNS servers).
Stub zone - contains only the resource records needed to identify the authoritative DNS svrs for a zone
(e.g. a child zone).
- fully compliant with the dynamic update protocol
Secure dynamic updates ensure only
authenticated users with
appropriate rights can update resource records. Only available
for zones integrated with AD DS.
- win2003 introduced incremental
zone transfers (IXFR, e.g. to secondary DNS svrs).
- forward queries it cannot answer. Conditional forwarders
- forward queries based on the domain name in the query.
- Forwarding requires that recursive
- Forwarding to external servers allows firewalls to limit which
hosts may send DNS queries through the firewall.
- FQDN max len is 255 bytes; for DCs 155 bytes.
- internal DNS can forward external DNS requests to
servers - do not try to resolve the
request themselves if they do
not receive a valid resp to the forwarded DNS req (forward-only). Typically these
are used in conjunction with secure Internet conns.
DNS related commands
||command line tool that can be used to manage and query
ipconfig /flushdns
||clear dns cache
ipconfig /registerdns
||force name registration with DNS
ipconfig /displaydns
||displays the dns resolver cache
nslookup, then: ls -d <domain>
|requests a zone transfer (AXFR). Only works if the zone's transfer settings allow your host; a zone that allows transfers to any server leaks its whole contents, so restrict transfers to named secondaries.
|netsh interface ipv6 show dnsservers
||displays IPv6 DNS configs
|dnscmd win2008svr1 /ZoneAdd 0.c.e.f.ip6.arpa /DsPrimary
||add a (reverse) zone for fec0::/16 (AD integrated /DsPrimary).
note an ipv4 reverse zone would be in in-addr.arpa
2008 dns features
Background zone loading - after a restart the server answers
queries sooner (the entire
zone does not have to load first). Zones need to be stored in AD DS.
Required data not already loaded will be queried from AD (prior to the
complete load) when requests come in.
DNS on read-only domain controllers (RODCs)
- If the server can't be physically secured.
- Needs to be part of the domain.
- Global single names - GlobalNames Zone (GNZ) - single-label name resolution for nets that don't deploy WINS. Used when DNS name suffixes can't be relied on.
- GlobalNames zone supports single-label name res throughout a multi-forest org - use SRV records to publish the zone location.
- GlobalNames zone resolves names for a limited set of hosts, typically servers and web sites. No peer-to-peer res. No dynamic updates.
- GlobalNames zone holds CNAME resource records which map a
single-label name to an FQDN. Can contain RRs for names already
statically configured in WINS.
- WINS will likely be unsupported in the next server
- to enable global names support -
dnscmd <server> /config /enableglobalnamessupport 1
Read Only Domain Controllers
- Might do it for remote office that needs to logon to domain
but doesn't have trusted IT staff to manage domain.
- Might also do it for application that needs to be on DC
with admin to manage application, but not domain.
- Good for remote locations relatively few users or no IT
knowledge, inadequate phys securty, low net bw, etc.
First logon requires validation across the WAN. After that the RODC
caches the user's credentials so further logons by the same user are
validated locally. Have to permit this in the domain pw replication
policy with respect to the RODC (against the computer account name in
- Functional level for AD with RODCs is (minimally) Windows
- Look up the following on technet or technet2
- RODC filtered attribute set
- Deploying an RODC
- adprep /rodcprep command
- DNS servers on RODCs act as secondary DNS servers
- do not accept dynamic DNS updates.
Instead they refer clients to a writable DC.
- RODC DNS can then request only the updated record (doesn't need to
grab the whole zone data/list).
- RODC and DNS may be virtualized. File and app
svrs seldom are virtualized?
Planning RODC Implementation
- Must specify the Password Replication Policy on the computer
account in the domain (e.g. from a DC, via a domain admin)
AD Lightweight Directory Services?
LDAP server without AD Directory Service (DS) tie-ins.
New and enhanced tools and wizards
- streamlines and simplifies AD DS.
- changes to MMC (e.g. easily locate DCs in large ent ntwk,
and config prep policy for RODCs).
- running AD DS Installation Wizard - dcpromo
or even better
dcpromo /adv to get
advanced mode (non-advanced mode uses default settings...).
Additional settings include:
- select a specific DC for installation/initial replication of the domain
- use bkup media from existing DC to reduce net traf
associated with init replication.
- create a new domain tree
- change default NetBIOS name
- set forest and domain funct lvls when creating new forest
- config pwd rep policy on RODC.
- export settings to an answer file to use as a template for
subsequent installs or uninstalls. The password will have to be
manually put into the file (won't be automatically saved) - recommended to
put password=* in the answer
file, and let the wizard prompt you for it.
will let you force demotion of a DC started in Dir Svcs Restore Mode.
- You can delegate RODC install, by creating RODC account
and delegate install and admin of the RODC to a user or security group.
install and admin users can:
- create RODC by running dcpromo
/UseExistingAccount:Attach, and can administer RODC without requiring
admin rights to rest of domain or forest.
Active Directory Sites and Svcs snap-in includes a Find command on the toolbar and
action menu, to discover the site in which a DC is placed. Can help
you troubleshoot replication probs.
- Password repl policy page for the RODC can set these settings
- advanced button on the RODC computer account shows what pws
have been sent to or are stored on the RODC and what accounts have
Fine-grained password policies
- password policies can be customized for diff users or
groups. Don't need to be in a diff domain.
- fine-grained pw policies only work at the Windows Server 2008 domain functional level
- can only be applied to user objs or global sec grps (or
- For pws to apply to computers, use techniques such as pw
filters. Fine-grained pw policies do not interfere.
Password Settings Objects (PSOs) can override security
- 2 new obj classes
- pw settings container (PSC)
- by def under the System container in the domain - make sure to enable
Advanced Features in AD Users and Computers (View menu) to see it - contains
Domain Admins (by default) can create PSOs. Can
create a PSO by saving params in a text file with .ldf
extension and using the ldifde
command from the Command Console (or the ADSI Edit
MMC snap-in). Look up Creating PSOs in technet2.
- default pw policy in 'Default Domain Policy/Computer
Configuration/Policies/Windows Settings/Security Settings/Account
- recommended pw policies are
- admin policies with strict settings
- svc account policy with long pw lengths, and long pw
ages (these pws are seldom typed in)
- cannot apply PSOs to OUs directly. Consider
using a shadow group
(group that mirrors OU members).
- pw settings.
Restartable AD DS
AD DS data mining tool
dsamain.exe - can expose a
snapshot as an LDAP svr. Specify the LDAP port, LDAP-SSL
port, GC port, GC-SSL port.
- deleted AD DS or AD LDS data can be preserved in snapshots
of AD DS taken by the Volume Shadow Copy Service (VSS). LDAP tools
such as ldp.exe can view the
read-only data in snapshots. This does
not recover deleted objects and containers - recovery is a subsequent
step. To recover:
- mount the snapshot as an LDAP svr using dsamain.exe.
- browse it with ldp.exe
- note the OUs or objects you want to restore and record their attrs
objects using the tombstone reanimation feature, and manually re-populate
them with the stripped attrs and back-links as identified in the snapshots.
The data mining tool lets you do this without restarting the DC in DS
- Be careful with security (e.g. if an attacker gets a
copy of an AD DS snapshot: it contains the whole directory incl. password hashes, so protect snapshots like DC backups).
can be used to take regular snapshots of the volume containing AD DS
AD DS Auditing (expanded)
- prior to 2008 you could only set whether DS access was
audited. Now you can also audit
- DS changes (old and new values)
auditpol /set /subcategory:"directory service changes" /success:enable
- DS replication
- If enabled, events are logged in the Security event log.
Events written to the Security log can initiate a task, such as generating
an alert or starting an executable program (eventvwr/Action/Attach Task
- System Access Control List (SACL) on the object also has to request auditing of the change, otherwise no event is written.
Planning Domain and Forest Functionality
- 2008 domain functional level only supports 2008 DCs
- 2003 level supports 2003 and 2008 DCs
- 2000 native level supports 2000, 2003, and 2008 DCs (NT 4 BDCs are only supported at 2000 mixed, into which a 2008 DC cannot be promoted)
- Member servers at any level are supported. Domain
functional level cannot be less than the forest functional level.
A 2008 domain can be in a 2000 forest, but not vice-versa.
Forest Level Trusts
every domain in one forest trusts every domain in the second forest
- 1-way incoming (you have the resources), 1-way outgoing
(you have the users), or 2-way.
- Other types of trusts
trust - point trust to child domain in another forest
trust - trust external domain (e.g. from Windows NT -
self-contained, autonomous unit)
- realm trust
- trust a Unix realm that uses Kerberos authentication
can choose Forest Wide Authentication or Selective Authentication
(Detail which groups of users can access resources in question).
- functional level needs to be 2003 or 2008 (+).
- ensure forest's root domain can access root domain in other
- domain names need to be resolvable in other forest.
- need to have enterprise admin account available in each
- AD domains and Trusts/Properties (of a domain)/Trust
in W2K3 a forest trust can fail confirmation proc but still work.
Not sure if this is the same in W2K8.
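The prerequisite checks above (functional level, name resolution of the other forest's root domain, and confirming the trust) as an added PowerShell example; this is not code from the book. It uses the .NET System.DirectoryServices.ActiveDirectory classes that ship with Windows Server 2008, assumes PowerShell 2.0 or later for try/catch, and `partner.example` is a placeholder for the other forest's root domain.

```powershell
# Added example, not from the book: check the forest-trust prerequisites from
# a machine in the local forest, then enumerate and verify existing forest
# trusts. $otherForestRoot is a placeholder for the partner forest's root domain.
$otherForestRoot = 'partner.example'

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# 1. Functional level: a forest trust needs Windows Server 2003 forest mode or higher.
$minMode = [System.DirectoryServices.ActiveDirectory.ForestMode]::Windows2003Forest
"Local forest {0} is in {1} mode" -f $forest.Name, $forest.ForestMode
if ([int]$forest.ForestMode -lt [int]$minMode) {
    Write-Warning 'Raise the forest functional level to 2003 or later before creating a forest trust.'
}

# 2. Name resolution: the partner root domain and its DC locator SRV record
#    must resolve from here (conditional forwarder or stub zone).
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($otherForestRoot)
    "{0} resolves to {1}" -f $otherForestRoot, (($addrs | ForEach-Object { $_.ToString() }) -join ', ')
} catch {
    Write-Warning "Cannot resolve $otherForestRoot from this forest"
}
"DC locator records for $otherForestRoot :"
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$otherForestRoot" 2>&1 | Where-Object { $_ -match 'svr hostname' }

# 3. Existing trusts: direction says who holds the users and who holds the
#    resources. For forest trusts, ask the DC to verify the trust and report
#    whether Selective Authentication is in force.
foreach ($t in $forest.GetAllTrustRelationships()) {
    "{0,-30} type={1} direction={2}" -f $t.TargetName, $t.TrustType, $t.TrustDirection
    if ($t.TrustType -eq 'Forest') {
        $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $t.TargetName)
        try {
            $target = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
            $forest.VerifyTrustRelationship($target, $t.TrustDirection)
            "  verified OK; selective authentication: {0}" -f $forest.GetSelectiveAuthenticationStatus($t.TargetName)
        } catch {
            Write-Warning ("  verification failed for {0}: {1}" -f $t.TargetName, $_.Exception.Message)
        }
    }
}
```

VerifyTrustRelationship is the same check the "Validate" button in AD Domains and Trusts performs; if it fails but authentication still works, you are in the situation the note above describes and should look at name resolution of the partner's root first.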
AD Federation Svcs
server role - like a cross-forest trust that operates over Internet and
extends trust relationship to web apps.
- Web SSO technologies.
- digital ID and entitlement rights across security and enterprise boundaries
- New 2008 features
- Improved app support - sharepoint 2007, AD rights mgmt
svcs (AD RMS)
- Improved install - new svr validation checks
- improved trust policy - import and export func help
minimize config issues
- conforms to Web Services Federation (WS-Federation) spec.
- supports Security Assertion Markup Language (SAML) 1.1 and
- business logic can modify claims - using claim mapping.
- supports distributed authentication and authorization
Schema master - controls updates and mods to schema. 1/forest. Change it
from (right-click) MMC/Active Directory Schema. Need to regsvr32 schmmgmt.dll to get the Active Directory Schema snap-in.
Domain naming master - controls add/remove of domains to forest.
1/forest. Change it from (right-click) MMC/Active Directory
Domains and Trusts.
Infrastructure master - responsible for updating references from objects in its domain
to objects in another domain. 1/domain. Change it from
(right-click) MMC Active Directory Users and Computers/<domain>.
Relative ID (RID) Master - responsible for processing RID pool reqs from all DCs
in a domain. 1/domain. Change it from (right-click) MMC Active
Directory Users and Computers/<domain>.
PDC Emulator - Primary Domain Controller (PDC) and Domain Master
Browser (NetBIOS) for WinNT BDCs and computers (and older).
1/domain. Change it from (right-click) MMC Active Directory Users and Computers/<domain>.
Transferring/Seizing FSMO Roles
ntdsutil
roles (enters fsmo maintenance)
connections
connect to server <servername>
q (out of connections)
? (to list commands)
transfer <role> or seize <role>
q (to get out of fsmo maintenance)
q (to get out of ntdsutil)
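Before transferring or seizing anything you want to know who holds each role now and whether that holder is still answering; the following is an added PowerShell example (not from the book) that does this with the .NET System.DirectoryServices.ActiveDirectory classes shipped with Windows Server 2008. It assumes PowerShell 2.0 or later and a domain-joined machine; `DC02` in the comment is a placeholder.

```powershell
# Added example, not from the book: list the five FSMO role holders for the
# current forest and domain and check that each holder answers, so a dead
# holder is found before a transfer (holder up) or seizure (holder gone) is needed.

$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Role name spelled the way ntdsutil expects it, its scope, and the DC holding it.
$roles = @(
    @{ Role = 'schema master';         Scope = "forest $($forest.Name)"; Holder = $forest.SchemaRoleOwner },
    @{ Role = 'naming master';         Scope = "forest $($forest.Name)"; Holder = $forest.NamingRoleOwner },
    @{ Role = 'infrastructure master'; Scope = "domain $($domain.Name)"; Holder = $domain.InfrastructureRoleOwner },
    @{ Role = 'RID master';            Scope = "domain $($domain.Name)"; Holder = $domain.RidRoleOwner },
    @{ Role = 'PDC';                   Scope = "domain $($domain.Name)"; Holder = $domain.PdcRoleOwner }
)

$ping = New-Object System.Net.NetworkInformation.Ping
$unreachable = @()
"{0,-22} {1,-32} {2,-36} {3}" -f 'Role', 'Scope', 'Holder', 'Ping'
foreach ($r in $roles) {
    $name   = $r.Holder.Name
    $status = $ping.Send($name, 1000).Status
    "{0,-22} {1,-32} {2,-36} {3}" -f $r.Role, $r.Scope, $name, $status
    if ($status -ne 'Success') { $unreachable += $r.Role }
}

# Cross-check: each holder's own view of its roles (DomainController.Roles)
# should agree with the forest/domain view above once replication has converged.
foreach ($r in $roles) {
    "{0} claims: {1}" -f $r.Holder.Name, (@($r.Holder.Roles) -join ', ')
}

if ($unreachable.Count -gt 0) {
    Write-Warning ('Unreachable role holders: ' + ($unreachable -join ', '))
    # The ntdsutil sequence from the notes can be given on one command line,
    # e.g. to move the schema master to DC02 (placeholder) while the old holder is still up:
    #   ntdsutil "roles" "connections" "connect to server DC02" "q" "transfer schema master" "q" "q"
    # Use "seize" only when the old holder will never return; it is then not allowed back online.
}
```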
GP settings contained in Group Policy objects (GPOs) - linked to
- OUs can inherit or block inheritance from parent OUs.
- some policies (e.g. security policies) can be set to "no
override" (can't be blocked or changed).
.adm files described GP settings WinNT thru W2K3 R2. W2K8 and
Vista replace this with
||central store locations
.admx files are language neutral
.adml files are language specific
SAMPLE ADMX and ADML files.
need to create the central store locations manually. They are
replicated to all DCs using Distributed File System Replication
(DFSR). All admins that edit domain-based GPOs can then access the
set of ADMX files.
- .admx files modify the registry. Test
before deploying on production network. Test with sample files
that do not affect the registry until you are confident using ADMX syntax
(search for .admx sample files on Microsoft download sites).
- .admx schema defines syntax for ADMX files.
Download schema from Microsoft
- To display ADMX files under a single category node in Group
Policy Object Editor, you need to create custom base file.
Search for 'Creating a Custom Base ADMX File' on Technet.
- XML declaration
- resources element - specifies reqs for lang-specific resources.
- supportedOn element - refs localized text strings defining OSes or apps affected by
specific policy setting.
- categories element - specifies categories under which policy settings in the file will
be displayed in GPO editor. Duplicate category name that exists in
another ADMX file => duplicate node
- policies element - contains individual policy setting defs.
- XML declaration
- resources element - contains stringTable element and presentationTable element
for specific language.
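An added PowerShell example (not from the book and not a Microsoft sample file) that walks the ADMX and ADML structure just described: it resolves the `$(string.<id>)` references through the ADML stringTable, prints each policy with its category, supportedOn text and registry location, and flags the two things the notes warn about, a category name that already exists in another ADMX file and a string id the ADML does not define. The two XML documents and the list of central-store category names are constructed for the example; assumes PowerShell 2.0 or later.

```powershell
# Added example, not from the book: minimal constructed ADMX + ADML, parsed the
# way the Group Policy editor reads them. Only the elements the notes describe
# are used (resources, supportedOn, categories, policies / stringTable).
$admxText = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="sample" namespace="Contoso.Policies.Sample" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <supportedOn>
    <definitions>
      <definition name="SUPPORTED_2008" displayName="$(string.SUPPORTED_2008)" />
    </definitions>
  </supportedOn>
  <categories>
    <category name="SampleCat" displayName="$(string.SampleCat)" />
  </categories>
  <policies>
    <policy name="DisableWidget" class="Machine" displayName="$(string.DisableWidget)"
            explainText="$(string.DisableWidget_Help)"
            key="Software\Policies\Contoso\Sample" valueName="DisableWidget">
      <parentCategory ref="SampleCat" />
      <supportedOn ref="SUPPORTED_2008" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@
# Constructed ADML; DisableWidget_Help is deliberately missing.
$admlText = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <displayName>Sample policies</displayName>
  <description>Constructed sample for parsing</description>
  <resources>
    <stringTable>
      <string id="SampleCat">Contoso Sample</string>
      <string id="SUPPORTED_2008">At least Windows Server 2008</string>
      <string id="DisableWidget">Disable the widget</string>
    </stringTable>
    <presentationTable />
  </resources>
</policyDefinitionResources>
'@
[xml]$admx = $admxText
[xml]$adml = $admlText

# ADML stringTable: id -> localized text.
$strings = @{}
foreach ($s in @($adml.policyDefinitionResources.resources.stringTable.string)) {
    $strings[$s.GetAttribute('id')] = $s.InnerText
}
# Resolve "$(string.Foo)"; record ids the ADML lacks instead of hiding them.
$missing = @()
function Resolve-AdmlString([string]$ref) {
    if ($ref -match '^\$\(string\.([^)]+)\)$') {
        $id = $Matches[1]
        if ($strings.ContainsKey($id)) { return $strings[$id] }
        $script:missing += $id
        return "<no ADML string '$id'>"
    }
    return $ref
}
# supportedOn definitions: name -> resolved text.
$supported = @{}
foreach ($d in @($admx.policyDefinitions.supportedOn.definitions.definition)) {
    $supported[$d.GetAttribute('name')] = Resolve-AdmlString $d.GetAttribute('displayName')
}
# Category names already defined by other ADMX files in the central store
# (constructed list; in practice gather them from every .admx in PolicyDefinitions).
$centralStoreCategories = @('SampleCat', 'TerminalServer')

"== Categories =="
foreach ($c in @($admx.policyDefinitions.categories.category)) {
    $name = $c.GetAttribute('name')
    $dup = if ($centralStoreCategories -contains $name) { '  <- same name in another ADMX: duplicate node' } else { '' }
    "{0,-12} {1}{2}" -f $name, (Resolve-AdmlString $c.GetAttribute('displayName')), $dup
}
"== Policies =="
foreach ($p in @($admx.policyDefinitions.policies.policy)) {
    $class = $p.GetAttribute('class')
    $hive = if ($class -eq 'User') { 'HKCU' } elseif ($class -eq 'Machine') { 'HKLM' } else { 'HKLM and HKCU' }
    "{0} [{1}]" -f (Resolve-AdmlString $p.GetAttribute('displayName')), $class
    "  category : {0}" -f $p.parentCategory.GetAttribute('ref')
    "  supported: {0}" -f $supported[$p.supportedOn.GetAttribute('ref')]
    "  registry : {0}\{1}  value {2}" -f $hive, $p.GetAttribute('key'), $p.GetAttribute('valueName')
    "  help     : {0}" -f (Resolve-AdmlString $p.GetAttribute('explainText'))
}
if ($missing.Count -gt 0) { Write-Warning ('ADML is missing string ids: ' + ($missing -join ', ')) }
```

Pointing `$admxText`/`$admlText` at `Get-Content -Raw` of real files in the central store turns this into a quick pre-deployment lint; the registry line is also a handy reminder that every policy in the file is a registry write, which is why the notes say to test on a non-production machine first.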
- GPs processed in 2 groups:
Core processing:
- can client reach DC
- have GPOs been changed
- process these policy settings
Client-side extension (CSE) processing:
- Specific CSE processes (and has rules for) settings in each category.
Core GP engine calls CSEs required. Categories:
- Admin templates
- security settings
- folder redirection
- disk quota
- software installation.
can add comments to starter GPOs or ordinary GPOs, and secondary
comments to individual settings. You can filter by either
Some new GP settings in W2K8
- Allow Remote
Start of Unlisted Programs - (computer based) In Terminal
Server remote session. If restricted - use TS Remote App Mgr
to create list.
- Allow Time
Zone Redirection - (user based) clients modify Terminal
Server remote session chars.
- Always show
desktop on connection - (user based) - RDC/Terminal
Diagnostic: Configure Custom Alert Text
- (computer based) - requires Desktop Experience (Server Mgr/Add
Features) is installed. SMART faults generate custom msg.
Search for "Self-Monitoring, Analysis, and Reporting
Diagnostic: Configure Execution Level
- (computer based) - requires Desktop Experience - notifies users of
SMART faults, and guides them through bkup and recovery procs.
- Do Not Allow
Clipboard Redirection - (user based) - disables clipboard
sharing - Terminal Services based.
- Do Not
Display Initial Configuration Tasks Window Automatically At Logon
- (computer based)
- Do Not
Display Server Manager Page At Logon - (computer based).
Removal of Remote Desktop Wallpaper - (computer based) -
- Group Policy
Management Editor -
(user based) - toggles whether Group Policy Management Editor snap-in
can be used. Otherwise 'Restrict Users To The Explicitly
Permitted List of Snap-Ins' kicks in.
- Group Policy
Starter GPO Editor - (user based) - toggles
whether GP Starter GPO Editor snap-in can be used.
- Redirect Only
The Default Client Printer - (2 vers - user and
- Set The
Number of Retries for Password Sync Servers (computer
- Set The Retry
Interval For Password Sync Servers (computer based)
- Set Update
Interval for NIS Subordinate Servers (computer based) -
NIS maps being pushed to NIS sub svrs. Search for NIS and
- Use TS
Session Broker Load Balancing (computer based) - new users
redirect to svr in farm with fewest sessions. Search for TS
Session Broker and TS farms.
- Turn On
Extensive Logging For Password Sync Servers (computer
- Turn On
Extensive Logging For Domain Controllers Running Server for NIS.
- Turn On The
Windows To NIS Password Sync For Migrated Users For Password Sync
Servers (computer based) - for UNIX users migrated to AD.
- Use Terminal
Services Easy Print Driver First (2 vers - user and
computer based) - install all client printers?
- in GPMC, locate starter GPOs container in lefthand pane.
- right-click Starter GPOs container, select new
- config GPOs in container as you would config any GPO (only
admin templates avail)
in folder on DC (default c:\windows\SYSVOL\domain\StarterGPOs).
Replicated to other DCs as part of SYSVOL replication.
- to create new GPO using starter, right-click on starter,
select new GPO From Starter GPO.
Starter GPOs are not backed up when you click Back Up All in GPMC. Need to back them up
separately by right-clicking Starter GPOs container and selecting Back
Up All, or right-click each starter GPO and Back Up.
Troubleshooting Group Policy
- make sure network connectivity exists. client
having issues has joined domain, and has correct system time.
- check domain infra correctly planned and implemented.
- make sure the following are not affecting normal GPO
- security filtering
- Windows Management Instrumentation (WMI) filters
- block inheritance setting
- no-override settings
- loopback processing
- slow-link settings
verifies policy settings for specific user or computer
checks GPOs for consistency on each DC in domain.
- Reporting function in GPMC. Look for answers to:
- Is GPO applied?
- Is setting listed in GP results Report?
- Is GPO listed in Denied List?
- Check logs - Event Viewer/Applications and Services
- If core proc does not happen, CSE processing might not
begin and Group Policy might not apply.
- Check to make sure GPO is linked to user or computer's
site, domain or OU.
- Has replication occurred? Do a gpupdate /force if necessary...
- ensure that client computer can connect to DC, that IP,
DNS, and DHCP are configured and running.
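The checklist above as an added PowerShell script (not from the book) to run on the client that is not getting policy. It assumes PowerShell 2.0 or later and the stock nltest, w32tm, gpresult and wevtutil tools on Windows Server 2008 or Vista; it only reports and changes nothing.

```powershell
# Added example, not from the book: scripted Group Policy troubleshooting
# checklist for a client. Order follows the notes: domain membership and
# connectivity, time, SYSVOL, what was applied/denied, then the GP operational log.

$cs = Get-WmiObject Win32_ComputerSystem
if (-not $cs.PartOfDomain) { Write-Warning "$($cs.Name) is not joined to a domain"; return }
"Computer {0} in domain {1}" -f $cs.Name, $cs.Domain

# 1. Connectivity: can the DC locator find a DC (needs DNS SRV records), and does it answer?
$dc = $null
foreach ($line in (nltest /dsgetdc:$($cs.Domain) 2>&1)) {
    if ($line -match '^\s*DC:\s+\\\\(\S+)') { $dc = $Matches[1] }
}
if (-not $dc) {
    Write-Warning 'nltest could not locate a DC: check IP, DHCP and DNS before anything else'
} else {
    $ping = New-Object System.Net.NetworkInformation.Ping
    "Located DC {0}, ping {1}" -f $dc, $ping.Send($dc, 1000).Status

    # 2. Time: Kerberos rejects tickets when clocks differ by more than 5 minutes (default).
    w32tm /stripchart /computer:$dc /samples:1 /dataonly

    # 3. SYSVOL must be readable for the file part (GPT) of every GPO.
    $sysvol = "\\$dc\SYSVOL\$($cs.Domain)\Policies"
    "SYSVOL Policies share reachable: {0}" -f (Test-Path $sysvol)
}

# 4. What did the client actually apply, and which GPOs were denied
#    (security filtering, WMI filters, block inheritance, enforced, loopback, slow link)?
gpresult /r /scope:computer

# 5. Core processing errors: Event Viewer / Applications and Services Logs /
#    Microsoft / Windows / GroupPolicy / Operational. If core processing
#    fails, no CSE runs and nothing applies.
wevtutil qe Microsoft-Windows-GroupPolicy/Operational /q:"*[System[(Level=2)]]" /c:5 /rd:true /f:text

# 6. After a recent GPO edit, give replication time, then force a refresh:
#    gpupdate /force
```

Run it with `/scope:user` in the gpresult line as well when the missing settings are user-based; a GPO that appears under "Denied GPOs" with reason "Security" or "WMI Filter" in that output is the filtering case from the checklist, not a connectivity problem.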