Course Objectives
A new version of Windows Server (2008 R2), delivered a scant year and a half
after the previous one (2008)? Heck, we haven't seen that sort of
rapid-fire rollout of new Server releases since the NT 3.5 days.
Oh, wait, it's just an "R2" -- that explains it; it's probably
just a repackaging of some already-downloadable stuff, right?
Surprisingly, no — R2 is almost as much of a change from 2008 as 2008 was
from 2003, and arguably more so in the area of Active Directory.
While the timing of this completely new Server will be troublesome for
some ("arrgh, we just started
rolling out 2008 and this appears!"), its non-trivial list of changes means that it's time to wade
through a sea of white papers to figure out whether it's worth an
upgrade... or perhaps it's time to spend two days with veteran Windows
Server expert, consultant and best-selling author Mark Minasi. Mark's
insights, experience and unbiased advice have helped millions get
the most out of Windows Server from NT 3.1 onward, and now he's back to
pick apart Windows Server 2008 R2 for you — the good, the bad, and the
incompatible.
In this course, Mark starts with a brief high-level look at how R2
changes your network, then moves to its new management tools and network
infrastructure changes in DHCP and DNS. He then covers R2's
relatively minor changes to Windows storage technology, Hyper-V's couple
of improvements, and then looks at some important security upgrades,
from NTLM policies to DirectAccess. Then, in the remainder of the
course, Mark explains how R2 changes Active Directory, and you'll see
that there's nothing merely "R2-ish" about what's new in Active
Directory. Finally, he'll show you where you may be able to save
some money with BranchCache, as you turn "Patch Tuesday" into "Torrent
Tuesday!"
To save time and maximize the depth of our coverage, this is a "delta" course that only covers what's new in Windows
Server 2008 R2. If, however, you've not had a chance to understand
the changes to Windows Server that Server 2008 brought, then pick up a
copy of our Server 2008 audio course at
http://www.minasi.com/2008class/audio/. Listening to both
courses will bring you completely up to speed on what's changed between
Server 2003 and Server 2008 R2!
Key Seminar Benefits
- Delve into how Server 2008 R2's new VPN replacement, DirectAccess,
works and what you'll need in order to set it up
- Understand how AD's undelete feature (the AD recycle bin) works, how to
operate it and what its limitations are
- Check out what BranchCache can do to relieve pressure on your WAN
links, and know exactly how to get it up and running
- See the new DHCP add-ons that could be useful for almost any
enterprise
- Know what parts of R2 completely replace tools introduced in Server 2008
- Grasp the changes to server virtualization that improve Hyper-V's
value in R2
- Discover how Server 2008 R2 and Windows 7 let you protect your DNS
infrastructure with DNSSEC
- Meet the array of new server management tools both for "full server"
and Server Core
- See how Managed Service Accounts can remove the headaches associated
with running services and IIS application pools under separate accounts
- Learn how Win 7/R2's new "offline domain join" feature simplifies
joining systems en masse to a domain, and its three different
approaches
- Meet AD's new admin tools: a new GUI and 76 PowerShell
cmdlets
Course Outline
- Server 2008 R2 Overview
As with previous versions, Server 2008 R2 comes in several flavors and
requires a few choices. In this section, we briefly outline the
versions of Server 2008 R2, highlight any upgrade considerations, and tackle
that thorny "Standard or Enterprise?" question.
- Hardware issues: 64 bit is it!
- Server versions: can you avoid Enterprise in 2008 R2?
- Upgrade paths
- Virtual licensing considerations
- Will you need new CALs?
- New R2 Server Management Tools
Windows Server 2008 brought us three new overall server management tools.
The first was called (not surprisingly) Server Manager; it was joined by a
command-line counterpart named servermanagercmd.exe and a
ready-for-Server-Core version called "ocsetup.exe." Now, if you're not
confused yet, then get ready for Server 2008 R2, where servermanagercmd.exe
and ocsetup.exe are deprecated and deleted, replaced by two new tools... the
Deployment Image Servicing and Management tool (DISM) and a handful of new
PowerShell tools. But that's not all: Server Manager (which is still
around, surprisingly) can now control remote servers, including Server
Core systems.
- Server Manager changes
- New roles and features
- Remote control... but not the way you expect
- Setting up remote Server Manager: Windows Remote Management
setup
- Enabling remote Server Manager
- Servermanagercmd's replacement: DISM
- DISM's role in server management
- DISM online versus offline
- Using DISM on Server Core
- Using DISM on full Server
- Using the new Server Manager cmdlets
- Installing the server management module
- Using the server management cmdlets
- Server 2008 R2 Server Core Configuration and Operation
Server Core was one of Server 2008's innovations, a version of Server
that essentially lacks a GUI (and therefore a Web browser), and so
requires fewer updates, offers fewer places for bugs to crawl in, and
uses fewer megabytes of disk and RAM. As attractive as a GUI-less
place is security-wise, administering it wasn't quite so attractive, as
most admins aren't all that familiar with the command-line tools that
Server Core required to get admin jobs done. R2 changes that
situation in a few ways, as you'll discover in this section.
- Server Core's new "GUI-ish" admin tool
- Ocsetup's out, DISM's in: basic Server Core configuration,
PowerShell Setup
- Connecting Server Manager to Server Core
- PowerShell setup
- Enabling remote control
- What a remote Server Manager can and can't do for Server Core
- Managing Server Core with PowerShell
- Getting PowerShell on Server Core
- Using the server management cmdlets
- Remote PowerShell administration
- DHCP Upgrades
Believe it or not, Server 2008 R2 includes a number of fairly useful changes
to the way that the DHCP server runs. (It's almost like the new DHCP
team actually uses the product... who knew?) This section
outlines what you'll get when you move your DHCP servers to R2.
- Split-scope support and configuration wizard
- MAC address filtering
- DHCP Server Events Tool
- Client-side upgrades: SSID caching
- 21st Century DNS: DNSSEC Comes to Server
Once considered to be the safe, secure bedrock of the Internet, DNS has come under attack
in recent years, and that's highlighted the perceived need for some sort
of way of establishing that the DNS data you're getting is indeed the
data that you want. That way seems to be DNSSEC, a set of
technologies first outlined in RFCs in 2000 but that many folks still
aren't using. That may change, however, as the US government
implements DNSSEC on their .mil and .gov roots in the near future, and
private roots like .com and .net may soon follow. In order to play
in this secure new world, Microsoft's DNS needs to support DNSSEC, and
2008 R2's DNS server finally does.
- DNSSEC explained
- Where to apply DNSSEC
- Implementing DNSSEC in a Windows network
- Client support of DNSSEC: the "name resolution policy table" (NRPT)
- R2 Storage Changes
R2 brings a few changes to storage, with some
improvements to the new backup tools introduced in Server 2008 and some
news on the death of the File Replication Service.
- New disk layout: the "unlettered drive"
- Changes to Windows Backup
- Distributed File System (DFS) no longer supports FRS
- Battening Down the (Logon) Hatches: NTLM Audit/Blocking Policies
Over the years, Microsoft has created a number of ways to enable secure
logon over insecure wires. The needs of backwards compatibility, however,
lead the vast majority of us to leave older, less secure logon protocols
activated in our networks. As computers get faster and hacking tools get
smarter, however, every network admin must face the fact that allowing
NTLM logons over a Windows network will soon be as crazy as sending
passwords over the network in cleartext. That's probably why Microsoft
included some useful tools to help you find and eliminate NTLM activity in
your network, as you'll learn in this section.
- Logon types and insecurity: the nature of LM and NTLM's
threats
- How Active Directory users can end up doing NTLM logons
- NTLM audit and blocking policies: where they are, how they work, how
to use them.
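As an added example (not part of the course): the settings that the "Network security: Restrict NTLM" policies described above write to the registry, a switch to audit-only mode, and a summary of the NTLM operational log. The server, counts and the audit-before-block sequence are assumptions for illustration; the value meanings follow Microsoft's policy documentation.

```powershell
# Added example (not from the course): inventory the NTLM audit/restrict values under
# MSV1_0, put a server into audit-only mode, and summarize what the NTLM operational
# log has recorded. Run elevated on Server 2008 R2 / Windows 7. On a domain-joined box
# Group Policy rewrites these values at the next refresh, so make permanent changes in the GPO.

$Msv1 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

$NtlmSettings = @(
    @{ Name = 'AuditReceivingNTLMTraffic';    Meaning = @{ 0 = 'Disable'; 1 = 'Audit domain accounts'; 2 = 'Audit all accounts' } },
    @{ Name = 'RestrictReceivingNTLMTraffic'; Meaning = @{ 0 = 'Allow all'; 1 = 'Deny domain accounts'; 2 = 'Deny all accounts' } },
    @{ Name = 'RestrictSendingNTLMTraffic';   Meaning = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' } }
)

function Get-NtlmPolicyState {
    # An absent value is the policy's "Not Defined" state, which behaves like 0 (no audit, no block).
    $Reg = Get-ItemProperty -Path $Msv1
    foreach ($s in $NtlmSettings) {
        $Value = $Reg.($s.Name)
        if ($Value -eq $null) { $Value = 0; $Source = 'not defined' } else { $Source = 'registry/GPO' }
        New-Object PSObject -Property @{ Setting = $s.Name; Value = $Value; Meaning = $s.Meaning[[int]$Value]; Source = $Source }
    }
}

function Enable-NtlmAuditOnly {
    # Audit everything, block nothing: collect evidence before any Restrict/Deny setting goes live.
    Set-ItemProperty -Path $Msv1 -Name 'AuditReceivingNTLMTraffic' -Value 2 -Type DWord
    Set-ItemProperty -Path $Msv1 -Name 'RestrictSendingNTLMTraffic' -Value 1 -Type DWord
}

function Get-NtlmUsageSummary {
    param([int]$MaxEvents = 5000)
    # 8001 = outgoing NTLM this machine would have been blocked from sending,
    # 8002 = incoming NTLM it would have refused, 8003/8004 = the domain-level audit/block events.
    $Events = Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $Events) { return 'No NTLM audit events recorded yet.' }
    $Events | Group-Object Id | Sort-Object Name | ForEach-Object {
        New-Object PSObject -Property @{
            EventId = $_.Name
            Count   = $_.Count
            Newest  = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
            Sample  = (($_.Group[0].Message -split "`r?`n")[0])
        }
    }
}

Get-NtlmPolicyState | Format-Table Setting, Value, Meaning, Source -AutoSize
Get-NtlmUsageSummary | Format-Table EventId, Count, Newest, Sample -AutoSize
```

Run `Enable-NtlmAuditOnly` on a pilot server, let it collect for a few weeks, and only then consider the Deny values; the 8001/8002 messages name the remote host and account involved, which is what you need to find the application still doing NTLM.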
- Auditing Gets a Lot More Specific
The "NT" family of Windows has long supported "auditing," a security
feature which enables Windows to record security-related activity on a
particular computer in that computer's Security log. Enabling and tracking
Windows logs, however, is often something that we don't do, because it's
somewhat difficult to make useful. Vista and Server 2008 simplified things
a bit when they introduced event log centralization and easily-scheduled
event log archiving, and Windows 7 makes things a bit more useful with four
changes to how and what you can audit. In this section, you'll see how to
make use of these new auditing capabilities.
- Auditable items go from 9 to 54
- Track a person's actions more easily with global SACLs
- "Reason for failure" reports answer the question, "exactly
why couldn't I access that object?"
- No More VPNs: DirectAccess and R2
In the ranks of "necessary
but irritating evils," VPNs definitely place in the top three.
(Having to change your password every few weeks and needing to reboot
just because Windows Defender has a new pattern file are the other two.)
Over the years, Microsoft has slowly lessened the need for VPNs in the
first place, first in the Outlook/Exchange connection in Server 2003 and
more recently in Remote Desktop Services (the new name for Terminal
Services) in the Terminal Services Gateway. With Server 2008 R2,
you get the option to essentially forgo VPNs altogether, replacing them
with an IPsec-based secure connection to your enterprise servers called
DirectAccess. As you'll see in this section, DirectAccess is a
potentially very neat technology, but you need a panoply of other
technologies in place before you can use it -- don't miss this chance to
get "the short version" of whether DirectAccess is right for you and if
so, what you'll need to get it working!
- Current VPN structure and limitations
- DirectAccess structure and benefits
- The price of DirectAccess: required technologies
- DirectAccess installation outline
- Introducing R2's Active Directory
In the remaining sections of the class, you'll examine R2's AD changes in
great depth. This section starts us out with a quick look at some overall
changes.
- What still isn't fixed in AD in 2008 R2
- New domain/forest functional level
- Functional levels can be rolled back
- Adding R2 DCs to an existing Active Directory
- Active Directory Gets PowerShell
In R2, Active Directory finally gets PowerShell
support with over 70 new cmdlets. In this section, you'll get an
easy-to-understand look at how to use AD's PowerShell support, and what
goes on under the hood when running that support.
- Installing the AD cmdlets
- AD cmdlet overview
- Remote PowerShell administration
- AD's new web service
- Does "web service" mean I'm running IIS on every domain controller?
Eeek! (Don't worry, it doesn't mean that... but there is a new TCP port to
know.)
- Examining the "atomic" cmdlets
- Tying them together: useful pipeline examples
- Finding AD PowerShell scripts
- AD Best Practices Analyzer (BPA)
For years, we've used DCDIAG to get some notion of the health of our
AD. With Server 2008 R2, Microsoft's extended their "health
model," something that they inaugurated with Server 2008, to AD with a
new AD Best Practices Analyzer.
- Where to find the BPA
- BPA strengths and weaknesses
- Running the Analyzer
- Interpreting the results and reconfiguring the BPA
- "Oops" Protection in Active Directory: the AD Recycle Bin
Well, AD's been with us for about ten years now, and if we've learned
nothing else, most of us have painfully discovered that un-deleting
accidentally deleted AD objects is a pain. Server 2008 introduced
a sort of "70 percent solution" to the problem in the form of AD
snapshots, a pretty neat idea that might have made AD undeletes easy...
but that ultimately went nowhere. Instead, Server 2008 R2 took the undelete
bull by the horns and offers a complete solution in the form of the somewhat
misnamed "AD recycle bin." While it can undelete objects
quite nicely, there are a few catches -- but in this section you'll
learn how to make the AD recycle bin work for you.
- AD recycle bin overview
- What you'll need to make it work
- Undelete syntax and examples
- How long before it starts to smell? A look at how quickly you've got to
perform a desired recycle
- Recycle hitches and solutions
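An added example (not from the course) of the three things this section covers: enabling the recycle bin, reading how long you have before an object stops being restorable, and undeleting a user, including the case where its OU was deleted too. The forest name corp.example.com, the user jdoe and OU=Quarantine are placeholders; the cmdlets are the R2 ActiveDirectory module's, which needs a DC running AD Web Services.

```powershell
# Added example (not part of the course): enable the R2 AD Recycle Bin, read the undelete
# window, and restore one deleted user. Names below are placeholders.
Import-Module ActiveDirectory

function Enable-AdRecycleBin {
    $Forest = Get-ADForest
    # The feature needs the whole forest at the 2008 R2 functional level first.
    if ($Forest.ForestMode -lt 'Windows2008R2Forest') {
        throw "Forest functional level is $($Forest.ForestMode); Windows2008R2Forest is required."
    }
    $Feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    if ($Feature.EnabledScopes.Count -gt 0) { return 'Recycle Bin already enabled.' }
    # One-way switch: once enabled, the Recycle Bin cannot be turned off again.
    Enable-ADOptionalFeature -Identity $Feature -Scope ForestOrConfigurationSet -Target $Forest.RootDomain -Confirm:$false
    'Recycle Bin enabled.'
}

function Get-AdUndeleteWindowDays {
    # Deleted objects stay fully restorable for msDS-DeletedObjectLifetime days. When it is
    # unset the forest uses tombstoneLifetime (180 on forests built with 2003 SP1 or later),
    # and when that is unset too the built-in default is 60. Afterwards only a stripped
    # tombstone remains and the attributes are gone.
    $Cfg = (Get-ADRootDSE).configurationNamingContext
    $Ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$Cfg" `
                        -Properties 'msDS-DeletedObjectLifetime', 'tombstoneLifetime'
    $Days = $Ds.'msDS-DeletedObjectLifetime'
    if (-not $Days) { $Days = $Ds.tombstoneLifetime }
    if (-not $Days) { $Days = 60 }
    [int]$Days
}

function Restore-DeletedAdUser {
    param([string]$SamAccountName, [string]$FallbackOU)
    # Deleted objects sit under CN=Deleted Objects and are only returned with -IncludeDeletedObjects.
    $Deleted = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName' -and isDeleted -eq `$true" `
                            -IncludeDeletedObjects -Properties lastKnownParent
    if (-not $Deleted) { throw "No restorable object with sAMAccountName '$SamAccountName'." }
    if (@($Deleted).Count -gt 1) { throw "Several deleted objects match '$SamAccountName'; pick one by ObjectGUID." }
    # The classic hitch: the user's OU was deleted as well, so lastKnownParent no longer exists
    # and a plain Restore-ADObject fails. Restore the OU first, or redirect with -TargetPath.
    $ParentExists = [bool](Get-ADObject -Identity $Deleted.lastKnownParent -ErrorAction SilentlyContinue)
    if ($ParentExists) { Restore-ADObject -Identity $Deleted }
    else               { Restore-ADObject -Identity $Deleted -TargetPath $FallbackOU }
    Get-ADUser -Identity $SamAccountName
}

Enable-AdRecycleBin
"Undelete window: $(Get-AdUndeleteWindowDays) days"
Restore-DeletedAdUser -SamAccountName 'jdoe' -FallbackOU 'OU=Quarantine,DC=corp,DC=example,DC=com'
```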
- Active Directory's New GUI: the AD Administrative Center
When AD arrived with Windows 2000, it introduced Active Directory
Users and Computers (ADUC). ADUC's nice, but it's a bit quirky in
some ways, so Server 2008 R2 ships with a brand-new GUI admin tool for
Active Directory, the "AD Administrative Center" (ADAC). This
section shows ADAC's abilities and takes an under-the-hood look at it.
- Running ADAC
- ADAC capabilities
- ADAC requirements
- ADAC: PowerShell scripts with a GUI front-end
- Managed Service Accounts
Much of the publicity about R2's AD features
heralds the AD recycle bin as being R2's most attractive new AD-related
feature, but many folks we've spoken to are more excited about a new-to-R2
item called "Managed Service Accounts" or MSAs. If you've ever set up
a service or an IIS application pool to run under an account other than the
local System account, then you might also find MSAs pretty interesting, as
they're a new sort of account designed specifically to be used in one of those
service/IIS app pool situations.
- MSA overview
- New type of AD account
- Used by services on member servers
- Automatic password updates
- MSA requirements
- Creating and using an MSA
- Creating the account
- Preparing the member server
- Attaching the account to the service/pool
- Managing MSAs
- Automatic SPN management
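The three steps the outline lists (creating the account, preparing the member server, attaching it to a service and an IIS pool), as an added example that is not course material. CORP / corp.example.com, WEB01, svc_web, MyAppService and MyAppPool are placeholders; it assumes the R2 ActiveDirectory module where the account is created and the WebAdministration module on WEB01.

```powershell
# Added example (not part of the course): create an R2 Managed Service Account, bind it to
# one member server, install it there, and run a service and an IIS app pool under it.
Import-Module ActiveDirectory
$NetBios = 'CORP'; $Domain = 'corp.example.com'; $Server = 'WEB01'; $MsaName = 'svc_web'

# --- Step 1 (any machine with the AD module): create the account and bind it to one server ---
# Lands in CN=Managed Service Accounts; its logon name is "svc_web$", computer-style.
New-ADServiceAccount -Name $MsaName -Enabled $true
# An R2 MSA serves exactly one computer; this stamps msDS-HostServiceAccount on WEB01.
Add-ADComputerServiceAccount -Identity $Server -ServiceAccount $MsaName
# Register the site's SPN on the MSA so Kerberos works. With the domain at the 2008 R2
# functional level, R2 keeps MSA SPNs in step when the host is renamed (the outline's
# "automatic SPN management").
Set-ADServiceAccount -Identity $MsaName -ServicePrincipalNames @{ Add = "HTTP/$Server.$Domain" }

# --- Step 2 (on WEB01): install the account so the server owns its password ---
# Pulls the randomly generated password into the server's LSA secrets; from then on WEB01
# rotates it like its own computer password, so no administrator ever knows or types it.
Install-ADServiceAccount -Identity $MsaName
if (-not (Test-ADServiceAccount -Identity $MsaName)) {
    throw "MSA $MsaName is not usable on $env:COMPUTERNAME (is it bound to this computer?)"
}

# --- Step 3 (on WEB01): attach the MSA. Note the trailing $ and the empty password ---
$MsaLogon = "$NetBios\$MsaName`$"

function Set-ServiceToMsa {
    param([string]$ServiceName, [string]$Logon)
    # Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl, StartMode,
    # DesktopInteract, StartName, StartPassword, ...): only the two logon fields change.
    $Svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
    $Result = $Svc.Change($null, $null, $null, $null, $null, $null, $Logon, '')
    if ($Result.ReturnValue -ne 0) { throw "Change() failed for $ServiceName with code $($Result.ReturnValue)" }
    Restart-Service -Name $ServiceName
}

function Set-AppPoolToMsa {
    param([string]$PoolName, [string]$Logon)
    Import-Module WebAdministration
    # identityType 3 = SpecificUser; IIS 7.5 accepts the $-suffixed MSA with a blank password.
    Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel `
        -Value @{ identityType = 3; userName = $Logon; password = '' }
    Restart-WebAppPool -Name $PoolName
}

Set-ServiceToMsa -ServiceName 'MyAppService' -Logon $MsaLogon
Set-AppPoolToMsa -PoolName 'MyAppPool' -Logon $MsaLogon
```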
- Offline Domain Joins
Anyone rolling out dozens of clients from
the same image knows that one of the biggest pains in deploying those
clients comes when it's time to join them to an AD. Server 2008 R2's
Active Directory lets you do this more simply in a two-step operation called
an "offline domain join" (ODJ), as you'll learn in this section.
- How offline domain joins work
- What you can and can't join with an ODJ
- Three options
- Online
- Offline
- XML scripted offline domain joins
- Step-by-step instructions on doing each approach
- BONUS Section: BranchCache: WAN Caching for SMB and HTTP
Windows 6 (that is, Vista and Server 2008) saw Microsoft
introduce a number of technologies aimed at making IT run more smoothly in
branch offices. Windows 7 and Server R2 add to those with BranchCache,
a tool that enables Windows 7 Enterprise/Ultimate desktops to cooperatively
cache incoming SMB and HTTP traffic. The basic idea is that if a bunch
of people in your branch office all want to access the same file from the
central office, then only the first two actually need to retrieve (and
cache) the file over the WAN link — the others get it from the local
systems that have already cached the data. Sounds simple, but actually
making it work and controlling it can be a bit tricky, until you know what
you'll get from this very detailed section.
- BranchCache overview
- Protocols cached: SMB and HTTP
- Intended to save WAN bandwidth to branch offices
- Driven by latency
- SMB caching differs from HTTP caching
- Caching can happen either on Win 7 desktops or Server 2008 R2
servers
- Setting up a distributed HTTP BranchCache
- Configuring BranchCache systems via command-line
- Configuring BranchCache systems via group policies
- Setting up a hosted HTTP BranchCache
- Configuring clients and the host server
- Setting up SMB caching
- Monitoring BranchCache
- BranchCache tuning parameters