Sybex mcts, windows server 2008 applications infrastructure configuration study guide (2008)


Wiley Publishing, Inc.

MCTS Windows Server® 2008

Applications Infrastructure Configuration

Study Guide

Joel Stidley


Acquisitions Editor: Jeff Kellum
Development Editor: Denise Santoro Lincoln
Technical Editor: Pawan K. Bhardwaj
Production Editor: Christine O’Connor
Copy Editor: Judy Flynn
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Executive Publisher: Joseph B. Wikert
Vice President and Publisher: Neil Edde
Project Coordinator, Cover: Lynsey Stanford
Media Project Supervisor: Jenny Swisher
Media Development Specialist: Josh Frank
Media Quality Assurance: Angie Denny
Book Designer: Judy Fung and Bill Gibson
Compositor: Craig Woods, Happenstance Type-O-Rama
Proofreader: Scott Klemp, Word One and Larry West
Indexer: Jack Lewis
Cover Designer: Ryan Sneed

Copyright © 2008 by Wiley Publishing, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-0-470-26170-5

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Website is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Website may provide or recommendations it may make. Further, readers should be aware that Internet Websites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Cataloging-in-Publication Data.

Stidley, Joel, 1976- MCTS : Windows server 2008 applications infrastructure configuration study guide (Exam 70-643) / Joel Stidley.—1st ed. p. cm. ISBN 978-0-470-26170-5 (paper/cd-rom) 1. Electronic data processing personnel—Certification. 2. Microsoft software—Examinations—Study guides. 3. Microsoft Windows server. I. Title. QA76.3.S749827 2008 005.4'476—dc22 2008026322

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. Windows Server is a registered trademark of Microsoft Corporation in the United States and/or other countries. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.


Dear Reader,

Thank you for choosing MCTS: Windows Server 2008 Applications Infrastructure Configuration Study Guide. This book is part of a family of premium quality Sybex books, all written by outstanding authors who combine practical experience with a gift for teaching.

Sybex was founded in 1976. More than thirty years later, we’re still committed to producing consistently exceptional books. With each of our titles we’re working hard to set a new standard for the industry. From the paper we print on, to the authors we work with, our goal is to bring you the best books available.

I hope you see all that reflected in these pages. I’d be very interested to hear your comments and get your feedback on how we’re doing. Feel free to let me know what you think about this or any other Sybex book by sending me an email at [email protected], or if you think you’ve found a technical error in this book, please visit http://sybex.custhelp.com. Customer feedback is critical to our efforts at Sybex.

Best regards,

Neil Edde Vice President and Publisher Sybex, an Imprint of Wiley


To my patient and lovely wife, Andrea, and children, Ethan and Jaelyn, who have learned to put up with me, and to my parents, Paul and Gayle, who fostered my love for computers ever since they were told my handwriting would never get any better.


Acknowledgments

It took a lot of hard work and patience to complete this book, as it does all publications. Thanks to Jeff Kellum and Denise Santoro Lincoln for being patient and considerate despite the scheduling setbacks and for retraining me on the format changes. Also, the production team of Christine O’Connor and Judy Flynn were top-notch and a joy to work with. They did an impeccable job making sure we were not just technically sound but also grammatically correct!

Thanks to Rawlinson Rivera for helping get this book going and for recommending me for this project. I hope you are feeling better and look forward to our next project! One of our pinch hitters was Jabez Gan Ming Teik, who really came through by getting a chapter reworked after a change in objectives on the Microsoft exam.

This book was a bit of a test for me and caused me to have to rely on a number of colleagues for a little help with developing the content. Without Erik Gustafson, Mike Hodson, and Siegfried Jagott, this book would not have been possible.

Last, I’d like to thank both the Monster Beverage Company and Hearthroast for fueling the late-night writing sessions with Lo-Carb Monster and home-roasted coffee.


About the Author

Joel Stidley has been working in the IT field for over 12 years and has been a computer fanatic for much longer. He obtained his first Microsoft certification in 1999 and is currently both an MCSE and MCTS. At the beginning of his IT career, he was supporting MS-DOS and Windows for Workgroups clients on a Novell NetWare network at a small manufacturing company. Shortly thereafter, he discovered the joys of Windows NT Server and led the charge in converting that company from a Novell NetWare directory to a Windows NT domain. He also convinced the company’s engineering department to switch from the SunOS-based workstations to new Windows NT 4.0 Workstation machines. Joel has since taken on numerous other projects, from a number of Active Directory and Exchange Server migrations to deploying large-scale virtualization environments.

In 2004, Joel founded ExchangeExchange.com, a Microsoft Exchange–focused community website where he blogs and provides forums for discussing Exchange, PowerShell, certification, and general Windows information. In the last few years, he has also contributed to MCITP: Microsoft Exchange Server 2007 Messaging Design and Deployment Study Guide: Exams 70-237 and 70-238 (Sybex, 2008) and was lead author on Professional PowerShell for Exchange Server 2007 SP1 (Wrox, 2008). Currently he is a solutions architect at Terremark Worldwide Inc. where he works with a variety of directory, storage, virtualization, and messaging technologies. He currently lives in the Dallas area with his wife and two children.

About the Contributors

Erik R. Gustafson is a 7-year veteran of the IT consulting and IT support business. He started working professionally with Microsoft products while running a successful signage business in 1995, and after selling the business a few years later, he refocused his career on providing IT services. He obtained his first Microsoft certification in 2002 and is currently an MCSE and an MCSA. The last few years he has spent helping grow an IT consulting business and setting up an IT outsourcing MSP from the ground up. He recently relocated to the Dallas area and now works as a solutions architect for Terremark Worldwide Inc. When not shooting womp rats back home, Erik enjoys drinking piña coladas and getting caught in the rain.

Mike Hodson has a bachelor of science in mathematics from Texas Woman’s University and has worked in the IT industry for more than 11 years, receiving his first Microsoft certification in 1998. He has been working with desktop virtualization for more than 6 years and recently has been deeply involved with server virtualization projects. Mike is currently the team lead in the group responsible for storage networking and virtualization at Terremark Worldwide Inc. in Dallas, Texas.


Siegfried Jagott works as a senior systems architect and team lead for the Messaging and Collaboration team at Siemens IT Solutions located in Munich, Germany. He is part of the Siemens-central architecture team that works closely together with Microsoft to plan future enhancements of not only Windows and Exchange but also other products. For the past 10 years, he has been involved in planning, designing, and implementing some of the world’s largest Windows and Exchange Server infrastructures for various international customers, including Siemens.

In addition, he hosts a monthly column for Windows IT Magazine called “Exchange & Outlook UPDATE: Outlook Perspectives” and writes about Outlook 2007–related topics. He is also a frequent writer for various international magazines and speaks at conferences about Windows- and Exchange-related topics. He was also a contributing author for MCITP: Microsoft Exchange Server 2007 Messaging Design and Deployment Study Guide: Exams 70-237 and 70-238 (Sybex, 2008).

In his spare time, he is actively engaged in a carnival club as a vice president and likes to go skiing in the Alps or traveling around the world. Siegfried is currently living in Rednitzhembach, a small town in southern Germany. He holds an MBA and a Diploma in Management from Open University in England and has been a Microsoft Certified Systems Engineer (MCSE) since 1997.

Rawlinson Rivera, an 11-year veteran of the IT consulting and training field, has worked on a variety of technologies ranging from IBM to VMware to Microsoft. He has developed specializations in architecting secure messaging and collaboration infrastructure with Windows Server 2000/2003/2008, Office SharePoint Server 2007, Exchange Server 2000/2003/2007, and VMware Virtual Infrastructure 3. Rawlinson is the founder of RawlsNet Technologies LLC, a firm that focuses on consulting, training, and developing industry content. He is the lead author of Sybex’s MCITP: Microsoft Exchange Server 2007 Messaging Design and Deployment Study Guide: Exams 70-237 and 70-238 (Sybex, 2008).

Jabez Gan Ming Teik is a Microsoft MVP for Windows Server File System/Storage. He is currently the senior technical officer for a consulting company that specializes in Microsoft technologies. He is also a writer for Msblog.org (blog) and technology sites and a speaker at technology events. Jabez can be reached at [email protected].


Contents at a Glance

Introduction
Assessment Test
Chapter 1 Windows Server 2008 Storage Services
Chapter 2 Exploring Terminal Services in Windows Server 2008
Chapter 3 Terminal Services Licensing, Advance Configuration, and Monitoring for Terminal Services
Chapter 4 Configuring Web Services Infrastructure
Chapter 5 Advanced Web Infrastructure Configuration
Chapter 6 Configuring Additional Communication Services
Chapter 7 Configuring Windows SharePoint Services (WSS)
Chapter 8 Using Virtualization In Windows Server 2008
Chapter 9 Deploying Servers
Chapter 10 Configuring High Availability in Windows Server 2008
Chapter 11 Monitoring Windows Server 2008 for High Availability
Appendix A About the Companion CD
Glossary
Index


Contents

Introduction
Assessment Test

Chapter 1 Windows Server 2008 Storage Services

Storage in Windows Server 2008
Initializing Disks
Working with Basic and Dynamic Disks
Working with Volume Sets
RAID
Mount Points
Microsoft MPIO (Multipath I/O)
iSCSI
Internet Storage Name Service (iSNS)
Fibre Channel
Network Attached Storage (NAS)

Managing SANs
Virtual Disk Service (VDS)
Storage Manager for SANs (SMfS)
Storage Explorer

Summary
Exam Essentials
Review Questions
Answers to Review Questions

Chapter 2 Exploring Terminal Services in Windows Server 2008

Remote Desktop Connection Display
Custom Display Resolutions
Monitor Spanning
Font Smoothing
Display Data Prioritization
Desktop Experience
Device Redirection
Single Sign-On for Terminal Services

Prepare and Configure the Use of Terminal Services RemoteApp (TS RemoteApp)
Installing Programs to Be Used with TS RemoteApp
Configuring Remote Programs to Be Used with TS RemoteApp
Creating and Deploying a Windows Installer Package for TS RemoteApp Programs
Export or Import RemoteApp Programs and Settings
Distributing RemoteApp Applications

Prepare and Configure Terminal Services Gateway (TS Gateway)
Preparing the Necessary TS Gateway Role Services
Obtaining and Configuring a Certificate for TS Gateway
Creating Terminal Services Connection Authorization Policies (TS CAPs)
Creating Terminal Services Resource Authorization Policies (TS RAPs)
Configuring the Terminal Services Client for TS Gateway

Configuring Terminal Services Load Balancing
Configuring a Terminal Server Farm with TS Session Broker
Configuring Network Load Balancing

Summary
Exam Essentials
Review Questions
Answers to Review Questions

Chapter 3 Terminal Services Licensing, Advance Configuration, and Monitoring for Terminal Services

Configuring Terminal Services Licensing
Terminal Services Client Access Licenses (TS CALs)
Installing TS Licensing and TS Client Access Licenses (CALs)
Configuring License Settings on a Terminal Server

Managing Terminal Services through Group Policy
Group Policy Settings for Terminal Services
Configuring Global Deployment Settings for TS RemoteApp
Monitoring TS Gateway Using TS Gateway Manager
Resource Allocation for Terminal Services

Summary
Exam Essentials
Review Questions
Answers to Review Questions

Chapter 4 Configuring Web Services Infrastructure

Configuring Web Applications
Installing IIS 7.0
Creating and Configuring Websites

Configuring a File Transfer Protocol (FTP) Server
Configuring Permissions
Configuring FTP Site for Extranet Users
FTP IPv4 and Domain Restrictions

Configuring a Simple Mail Transfer Protocol (SMTP) Server
Configuring General SMTP Virtual Server Properties
Configuring Access
Configuring Message Size and Transfer Limits
Configuring Delivery Options

Summary
Exam Essentials
Review Questions
Answers to Review Questions

Chapter 5 Advanced Web Infrastructure Configuration

Managing Internet Information Services (IIS)
Configuring Monitoring and Logging
Backup and Restore
Delegating Administrative Rights

Configuring Secure Sockets Layer (SSL) Security
Requesting and Renewing SSL Certificates
Enabling SSL on a Website
Exporting and Importing Certificates

Configuring Website Authentication and Permissions
Configuring Application Access
Client Certificate Mapping

Summary
Exam Essentials
Review Questions
Answers to Review Questions

Chapter 6 Configuring Additional Communication Services

Configuring Fax Services
Configuring Fax (Local) Properties
Defining a Dialing Rule
Defining a Fax Routing Location

Configuring Media Server
Configuring Basic Streaming Solutions
Configuring Advanced Streaming Solutions
Options for Configuring Security in a Windows Media Server
Configuring Digital Rights Management (DRM)

How Does DRM work?
Encryption
Sharing Business Rules
Configuring License Delivery
Configuring Policy Templates

Summary
Exam Essentials
Review Questions
Answers to Review Questions

Chapter 7 Configuring Windows SharePoint Services (WSS)

Configuring Windows SharePoint Services
Configuring Incoming Email Settings
Configuring Outgoing Email Settings
Configuring Workflow Settings
Configuring Diagnostic Logging Settings
Configuring Antivirus Settings
Using the Best Practices Analyzer Tool

Configuring Windows SharePoint Services (WSS) Sites
Upgrading from WSS 2.0
Creating or Extending Web Applications
Configuring Alternate Access Mapping
Creating Zones for Web Applications
Creating Quota Templates
Creating Site Collections
Enabling Access For End Users
Adding Site Content

Configuring Authentication for WSS
Configure Digest Authentication
Configuring Web SSO Authentication by Using ADFS

Summary
Exam Essentials
Review Questions
Answers to Review Questions

Chapter 8 Using Virtualization In Windows Server 2008

Hyper-V Overview
What Is Virtualization?
Hyper-V Features
Hyper-V Architecture
Hyper-V Requirements

Hyper-V Installation and Configuration
Install Hyper-V Role
Hyper-V in Server Manager
Using Hyper-V Manager
Configure Hyper-V Settings
Manage Virtual Networks
Managing Virtual Hard Disks

Configuring Virtual Machines
Creating and Managing Virtual Machines
Back Up and Restore Virtual Machines

Summary
Exam Essentials
Review Questions
Answers to Review Questions

Chapter 9 Deploying Servers

Windows Deployment Services
Deploying Images by Using Windows Deployment Services
Using Windows Deployment Services

Configuring WDS
Capturing Images
Deploying Server Core

Configuring Microsoft Windows Activation
Installing KMS
Configuring KMS

Summary
Exam Essentials
Review Questions
Answers to Review Questions

Chapter 10 Configuring High Availability in Windows Server 2008

Components of High Availability
Achieving High Availability
Achieving High Availability with Failover Clustering

Failover Clustering Requirements
Cluster Quorum
Validating a Cluster Configuration
Creating a Cluster
Clustered Application Settings
Resource Properties

Achieving High Availability with Network Load Balancing
How Does Network Load Balancing Work?
Network Load Balancing Requirements
Creating an NLB Cluster
Modifying Cluster Properties
Managing NLB Clusters

Summary
Exam Essentials
Review Questions
Answers to Review Questions

Chapter 11 Monitoring Windows Server 2008 for High Availability

Monitoring Servers Using Performance Data
Working with Data Collector Sets
Log Data in Performance Monitor
Diagnosis Report
View System Stability with Reliability Monitor

Monitoring Servers Using Event Logs
Using wevtutil.exe to Manage Event Logs
Configuring Computers to Forward and Collect Events
Reading Events through Custom Views

Monitoring Using Task Scheduler
Scheduling a Task
Managing a Task
Managing or Creating a Task on a Remote Computer
Using the Command-Line Tool Schtasks.exe
Running a Task in Response to a Given Event

Monitoring System Activity
Monitoring General System Activity Using Resource Monitor
Monitoring Specific System Activity Using Performance Monitor
Configuring and Monitoring Using Simple Network Management Protocol (SNMP)
Install SNMP Services
Configuring Agent Properties
Configuring Traps
Configuring SNMP Security Properties
Starting or Stopping the SNMP Service
Configuring Event to Trap Translator

Summary
Review Questions
Answers to Review Questions

Appendix A About the Companion CD

What You’ll Find on the CD
Sybex Test Engine
PDF of the Book
Adobe Reader
Electronic Flashcards

System Requirements
Using the CD
Troubleshooting

Customer Care

Glossary

Index

Table of Exercises

Exercise 1.1 Initializing Disk Drives
Exercise 1.2 Converting a Basic Disk to a Dynamic Disk
Exercise 1.3 Creating a Volume Set
Exercise 1.4 Creating Mount Points
Exercise 1.5 Installing Microsoft MPIO
Exercise 1.6 Configuring iSCSI Storage Connection
Exercise 1.7 Installing the iSNS Feature on Windows Server 2008
Exercise 1.8 Installing Storage Manager for SANs
Exercise 2.1 Enabling Font Smoothing on a Client Computer
Exercise 2.2 Verifying ClearType settings on Windows Server 2008
Exercise 2.3 Enabling the Desktop Experience Feature
Exercise 2.4 Starting the Themes Service
Exercise 2.5 Setting the Theme on Windows Server 2008
Exercise 2.6 Making Desktop Composition Available on a Vista Client
Exercise 2.7 Redirect Plug and Play Devices
Exercise 2.8 Configuring Authentication of a Windows 2008 Terminal Server
Exercise 2.9 Configuring SSO on a Client Computer
Exercise 2.10 Installing the Terminal Services Role
Exercise 2.11 Adding an application to the TS RemoteApp Program List
Exercise 2.12 Packaging a TS RemoteApp Program
Exercise 2.13 Exporting the RemoteApp Programs List and Deployment Settings
Exercise 2.14 Installing TS Web Access
Exercise 2.15 Adding the Computer Account of the TS Web Access Server to the TS RemoteApp Server
Exercise 2.16 Installing the TS Gateway Role Service
Exercise 2.17 Installing a Certificate on the TS Gateway Server
Exercise 2.18 Mapping the Certificate to the TS Gateway Server
Exercise 2.19 Creating a TS CAP for the TS Gateway Server
Exercise 2.20 Creating a TS RAP and Specifying Computers
Exercise 2.21 Configuring the Terminal Services client for TS Gateway
Exercise 2.22 Installing TS Session Broker
Exercise 2.23 Adding Terminal Servers to the Session Directory Computers Local Group


Exercise 2.24 Configuring the Terminal Servers to Join a Farm and Participate in Load Balancing
Exercise 2.25 Configuring DNS for TS Session Broker Load Balancing
Exercise 2.26 Installing NLB and Creating an NLB Cluster
Exercise 3.1 Installing TS Licensing Role Service
Exercise 3.2 Installing TS Licensing Manager as a Feature
Exercise 3.3 Activating a TS License Server
Exercise 3.4 Install Terminal Services Client Access Licenses
Exercise 3.5 Creating a Report for TS Per User CAL Issuance
Exercise 3.6 Revocation of Per Device CALs
Exercise 3.7 Running Licensing Diagnosis
Exercise 3.8 TS RemoteApp Global Deployment Settings
Exercise 3.9 TS RemoteApp TS Gateway Global Deployment Settings
Exercise 3.10 TS RemoteApp Common RDP Global Deployment Settings
Exercise 3.11 TS RemoteApp Digital Signature Global Deployment Settings
Exercise 3.12 Specifying TS Gateway Events to Log
Exercise 3.13 Viewing User Connection Information through TS Gateway Manager
Exercise 3.14 Installing Windows System Resource Manager
Exercise 3.15 Configuring WSRM for Terminal Services
Exercise 4.1 Installing IIS 7.0
Exercise 4.2 Creating a Site Using Host Headers
Exercise 4.3 Installing IIS Modules
Exercise 5.1 Using AppCmd.exe to List Configured Websites
Exercise 5.2 Enabling Failed Request Tracing
Exercise 5.3 Modifying Configuration History Settings
Exercise 5.4 Delegating Administrative Permissions for Remote Administration of a Website
Exercise 5.5 Enabling SSL on a Web Server
Exercise 6.1 Configuring a Fax Device to Receive Faxes
Exercise 6.2 Configuring Fax Properties
Exercise 6.3 Configuring a Dialing Rule
Exercise 6.4 Configuring Incoming Fax Routing
Exercise 6.5 Adding a Routing Rule
Exercise 6.7 Creating a Broadcast Publishing Point
Exercise 6.7 Configuring a Multicast Stream


Exercise 6.8 Enabling Fast Cache

Exercise 6.9 Enabling Advanced Fast Start

Exercise 6.10 Enabling FEC

Exercise 6.11 Setting Client Connect Attempts

Exercise 6.12 Changing the Anonymous Account

Exercise 6.13 Enabling ACL Authorization

Exercise 6.14 Allowing or Denying IP Addresses

Exercise 6.15 Creating an ACL List

Exercise 6.16 Using AD DRM to Protect a Document

Exercise 6.17 Configuring Users’ Exclusions

Exercise 6.18 Configuring Application Exclusions

Exercise 6.19 Configuring Policy Template

Exercise 7.1 Configuring Incoming Email Settings

Exercise 7.2 Configuring Outgoing Email Settings

Exercise 7.3 Configuring Outgoing Email Settings for a Specific Web Application

Exercise 7.4 Configuring Diagnostic Log Settings

Exercise 7.5 Configuring Digest Authentication

Exercise 7.6 Configuring Web SSO authentication

Exercise 8.1 Installing Hyper-V on Full Installation Mode

Exercise 8.2 Creating an internal Virtual Network

Exercise 8.3 Creating a Differencing Hard Disk

Exercise 8.4 Creating a Fixed Size Disk and Cloning a Local Drive

Exercise 8.5 Adding a Pass-Through Disk to a Virtual Machine

Exercise 8.6 Creating a new Virtual Machine

Exercise 8.7 Installing Hyper-V Integration Components

Exercise 8.8 Creating a Snapshot of a Virtual Machine

Exercise 8.9 Applying a Snapshot

Exercise 9.1 Installing the WDS Role

Exercise 9.2 Configuring WDS Server for First Use

Exercise 9.3 Configuring WDS Server Properties

Exercise 9.4 Creating a Capture Image Using the Wizard

Exercise 9.5 Using WDSUTIL to Create a Capture Image

Exercise 9.6 Installing Server Core

Exercise 9.7 Installing a KMS Host

Exercise 9.8 Configuring DNS Permissions for a KMS Host


Exercise 9.9 Publishing in Multiple Domains

Exercise 9.10 Creating a KMS SVR Record

Exercise 9.11 Capturing data for Install from Media

Exercise 10.1 Installing the Failover Cluster Feature

Exercise 10.2 Running the Validate a Configuration Wizard

Exercise 10.3 Creating a Cluster

Exercise 10.4 Clustering the Print Service

Exercise 10.5 Using the Dependency Viewer

Exercise 10.6 Creating a Network Load Balancing Cluster

Exercise 11.1 Assigning the “Log On as a Batch Job” User Right

Exercise 11.2 Creating a Data Collector Set

Exercise 11.3 Creating a New Data Collector Set from a Template

Exercise 11.4 Manually Creating a New Data Collector Set

Exercise 11.5 Scheduling the Start Condition for a Data Collector Set

Exercise 11.6 Scheduling the Stop Condition for a Data Collector Set

Exercise 11.7 Configuring Data Management for a Data Collector Set

Exercise 11.8 Loading Log Data in Performance Monitor

Exercise 11.9 Navigating the Log View in Performance Monitor

Exercise 11.10 Viewing the System Diagnostics Report

Exercise 11.11 Viewing System Availability in Performance Monitor

Exercise 11.12 Configuring Computers to Forward and Collect Events

Exercise 11.13 Filtering Only Informational Events in the Current Log

Exercise 11.14 Creating a Custom View

Exercise 11.15 Scheduling a Basic Task by Using a Wizard

Exercise 11.16 Scheduling a Task Manually by Using the Windows Interface

Exercise 11.17 Scheduling a Task Manually by Using the Command Line

Exercise 11.18 Displaying All Running Tasks

Exercise 11.19 Exporting Tasks

Exercise 11.20 Importing Tasks

Exercise 11.21 Viewing the History of a Task

Exercise 11.22 Managing or Creating a Task on a Remote Computer Using Task Scheduler

Exercise 11.23 Managing or Creating Task on a Remote Computer Using Command Line

Exercise 11.24 Running a Task in Response to an Event


Exercise 11.25 Monitoring General System Activity Using Resource Monitor

Exercise 11.26 Adding Counters to the Current Performance Monitor View

Exercise 11.27 Changing the Graph Type for the Log Data in Performance Monitor

Exercise 11.28 Installing SNMP Services

Exercise 11.29 Configuring Agent Properties

Exercise 11.30 Configuring Traps

Exercise 11.31 Configuring SNMP Security Properties

Exercise 11.32 Starting or Stopping SNMP Service

Exercise 11.33 Configuring Event to Trap Translator


Introduction

Microsoft has recently changed its certification program to contain three primary series: Technology, Professional, and Architect. The Technology Series of certifications is intended to allow candidates to target specific technologies and is the basis for obtaining the Professional Series and Architect Series of certifications. The certifications contained within the Technology Series consist of one to three exams, focus on a specific technology, and do not include job-role skills. By contrast, the Professional Series of certifications focus on a job role and are not necessarily focused on a single technology but rather a comprehensive set of skills for performing the job role being tested. The Architect Series of certifications offered by Microsoft includes premier certifications that consist of passing a review board made up of previously certified architects. To apply for the Architect Series of certifications, you must have a minimum of 10 years of industry experience.

When obtaining a Technology Series certification, you are recognized as a Microsoft Certified Technology Specialist (MCTS) on the specific technology or technologies that you have been tested on. The Professional Series certifications include Microsoft Certified IT Professional (MCITP) and Microsoft Certified Professional Developer (MCPD). Passing the review board for an Architect Series certification will allow you to become a Microsoft Certified Architect (MCA).

This book has been developed to give you the critical skills and knowledge you need to prepare for the exam requirement for obtaining the MCTS: Windows Server 2008 Applications Infrastructure, Configuring (Exam 70-643).

The Microsoft Certified Professional Program

Since the inception of its certification program, Microsoft has certified more than 2 million people. As the computer network industry continues to increase in both size and complexity, this number is sure to grow—and the need for proven ability will also increase. Certifications can help companies verify the skills of prospective employees and contractors.

Microsoft has developed its Microsoft Certified Professional (MCP) program to give you credentials that verify your ability to work with Microsoft products effectively and professionally. Several levels of certification are available based on specific suites of exams. Microsoft has recently created a new generation of certification programs:

Microsoft Certified Technology Specialist (MCTS) The MCTS can be considered the entry-level certification for the new generation of Microsoft certifications. The MCTS certification program targets specific technologies instead of specific job roles. You must take and pass one to three exams.

Microsoft Certified IT Professional (MCITP) The MCITP certification is a Professional Series certification that tests network and systems administrators on job roles rather than only on a specific technology. The MCITP generally consists of passing one to three exams in addition to obtaining an MCTS-level certification.


Microsoft Certified Professional Developer (MCPD) The MCPD certification is a Professional Series certification for application developers. Similar to the MCITP, the MCPD is focused on a job role rather than on a single technology. The MCPD generally consists of passing one to three exams in addition to obtaining an MCTS-level certification.

Microsoft Certified Architect (MCA) The MCA is Microsoft’s premier certification series. Obtaining the MCA requires a minimum of 10 years of experience and requires the candidate to pass a review board consisting of peer architects.

How Do You Become Certified on Windows Server 2008 Applications Infrastructure?

Attaining a Microsoft certification has always been a challenge. In the past, students have been able to acquire detailed exam information—even most of the exam questions—from online “brain dumps” and third-party “cram” books or software products. For the new generation of exams, this is simply not the case.

Microsoft has taken strong steps to protect the security and integrity of its new certification tracks. Now prospective candidates must complete a course of study that develops detailed knowledge about a wide range of topics. It supplies them with the true skills needed, derived from working with the technology being tested.

The new generations of Microsoft certification programs are heavily weighted toward hands-on skills and experience. It is recommended that candidates have troubleshooting skills acquired through hands-on experience and working knowledge.

Fortunately, if you are willing to dedicate the time and effort to learn the Windows Server 2008 applications infrastructure, you can prepare yourself well for the exam by using the proper tools. By working through this book, you can successfully meet the requirements to pass the Windows Server 2008 Applications Infrastructure exam.

This book is part of a complete series of Microsoft certification Study Guides, published by Sybex Inc., that together cover the new MCTS, MCITP, and MCPD exams as well as the core MCSA and MCSE operating system requirements. Please visit the Sybex website at www.sybex.com for complete program and product details.

MCTS Exam Requirements

Candidates for MCTS certification on Windows Server 2008 Applications Infrastructure must pass one Windows Server 2008 Applications Infrastructure exam. Other MCTS certifications may require up to three exams. For a more detailed description of the Microsoft certification programs, including a list of all the exams, visit the Microsoft Learning website at www.microsoft.com/learning/mcp.


The Windows Server 2008 Applications Infrastructure, Configuring Exam

The Windows Server 2008 Applications Infrastructure exam covers concepts and skills related to installing, configuring, and managing Windows Server 2008 applications. This includes the following applications:

SharePoint Services

Windows Deployment Services

Terminal Services

Internet Information Services 7.0

It emphasizes the basic Windows Server 2008 roles and features required to configure and support this functionality.

Microsoft provides exam objectives to give you a general overview of possible areas of coverage on the Microsoft exams. Keep in mind, however, that exam objectives are subject to change at any time without prior notice and at Microsoft’s sole discretion. Please visit the Microsoft Learning website (www.microsoft.com/learning/mcp) for the most current listing of exam objectives.

Types of Exam Questions

In an effort to both refine the testing process and protect the quality of its certifications, Microsoft has focused its newer certification exams on real experience and hands-on proficiency. There is a greater emphasis on your past working environments and responsibilities and less emphasis on how well you can memorize. In fact, Microsoft says that certification candidates should have hands-on experience before attempting to pass any certification exams.

Microsoft will accomplish its goal of protecting the exams’ integrity by regularly adding and removing exam questions, limiting the number of questions that any individual sees in a beta exam, limiting the number of questions delivered to an individual by using adaptive testing, and adding new exam elements.

Exam questions may be in a variety of formats. Depending on which exam you take, you’ll see multiple choice questions, as well as drag-and-drop, build list and reorder, and hot area questions. Simulations and case study-based formats are included as well. You may also find yourself taking what’s called an adaptive format exam. Let’s take a look at the types of exam questions and examine the adaptive testing technique so you’ll be prepared for all of the possibilities.


With the release of Windows 2000, Microsoft stopped providing a detailed score breakdown. This is mostly because of the various and complex question formats. Previously, each question focused on one objective. However, recent exams, such as the Windows Server 2008 Active Directory exam, contain questions that may be tied to one or more objectives from one or more objective sets. Therefore, grading by objective is almost impossible. Also, Microsoft no longer offers a score. Now you will only be told if you pass or fail.

Multiple Choice Questions

Multiple choice questions come in two main forms. One is a straightforward question followed by several possible answers, of which one or more is correct. The other type of multiple choice question is more complex and based on a specific scenario. The scenario may focus on several areas or objectives.

Drag-and-Drop Questions

Drag-and-drop exam questions involve graphical elements that you must manipulate to successfully answer the question. For example, you might see a diagram of a computer network, as shown in the following graphic taken from the select-and-place demo downloaded from Microsoft’s website.


A typical diagram will show computers and other components next to boxes that contain the text “Place here.” The labels for the boxes represent various computer roles on a network, such as a print server and a file server. Based on information given for each computer, you are asked to select each label and place it in the correct box. You need to place all of the labels correctly. No credit is given for the question if you correctly label only some of the boxes.

Build List and Reorder Questions

In another drag-and-drop problem you might be asked to put a series of steps in order by dragging items from boxes on the left to boxes on the right and placing them in the correct order. One other type requires that you drag an item from the left and place it under an item in a column on the right.

For more information on the various exam question types, go to www.microsoft.com/learning/mcpexams/policies/innovations.mspx.

Simulations

Simulations are the kinds of questions that most closely represent actual situations and test the skills you use while working with Microsoft software interfaces. These exam questions include a mock interface on which you are asked to perform certain actions according to a given scenario. The simulated interfaces look nearly identical to what you see in the actual product, as shown in the following example.


Because of the number of possible errors that can be made on simulations, be sure to consider the following recommendations from Microsoft:

Do not change any simulation settings that don’t pertain to the solution directly.

When related information has not been provided, assume that the default settings are used.

Make sure that your entries are spelled correctly.

Close all the simulation application windows after completing the set of tasks in the simulation.

The best way to prepare for simulation questions is to spend time working with the graphical interface of the product on which you will be tested.

Case Study-Based Questions

Case study-based questions first appeared in the MCSD program. These questions present a scenario with a range of requirements. Based on the information provided, you answer a series of multiple-choice and select-and-place questions. The interface for case study-based questions has a number of tabs, each of which contains information about the scenario. At present, this type of question appears only in most of the Design exams.

Microsoft will regularly add and remove questions from the exams. This is called item seeding. It is part of the effort to make it more difficult for individuals to memorize exam questions that were passed along by previous test-takers.

Tips for Taking the MCTS: Windows Server 2008 Applications Infrastructure Configuring Exam

Here are some general tips for achieving success on your certification exam:

Arrive early at the exam center so that you can relax and review your study materials. During this final review, you can look over tables and lists of exam-related information.

Read the questions carefully. Do not be tempted to jump to an early conclusion. Make sure you know exactly what the question is asking.

Answer all questions. If you are unsure about a question, mark it for review and come back to it at a later time.

On simulations, do not change settings that are not directly related to the question. Also, assume default settings if the question does not specify or imply which settings are used.

For questions you’re not sure about, use a process of elimination to get rid of the obviously incorrect answers first. This improves your odds of selecting the correct answer when you need to make an educated guess.


Exam Registration

You may take the Microsoft exams at any of more than 1,000 Authorized Prometric Testing Centers (APTCs) around the world. For the location of a testing center near you, call Prometric at 800-755-EXAM (755-3926). Outside the United States and Canada, contact your local Prometric registration center. You may also register for your exams online at www.prometric.com.

Find out the number of the exam you want to take, and then register with the Prometric registration center nearest to you. At this point, you will be asked for advance payment for the exam. The exams are $125 each and you must take them within one year of payment. You can schedule exams up to six weeks in advance or as late as one working day prior to the date of the exam. You can cancel or reschedule your exam if you contact the center at least two working days prior to the exam. Same-day registration is available in some locations, subject to space availability. Where same-day registration is available, you must register a minimum of two hours before test time.

When you schedule the exam, you will be provided with instructions regarding appointment and cancellation procedures, ID requirements, and information about the testing center location. In addition, you will receive a registration and payment confirmation letter from Prometric.

Microsoft requires certification candidates to accept the terms of a nondisclosure agreement before taking certification exams.

Is This Book for You?

If you want to acquire a solid foundation in Windows Server 2008 applications, and your goal is to prepare for the exam by learning how to use and manage the new operating system functions in practical ways, this book is for you. You’ll find clear explanations of the fundamental concepts you need to grasp and plenty of help to achieve the high level of professional competency you need to succeed in your chosen field.

If you want to become certified as an MCTS, this book is definitely for you. However, if you just want to attempt to pass the exam without really understanding Windows Server 2008 applications, this Study Guide is not for you. It is written for people who want to acquire hands-on skills and in-depth knowledge of Windows Server 2008 applications.

What’s in the Book?

What makes a Sybex Study Guide the book of choice for hundreds of thousands of MCPs? We took into account not only what you need to know to pass the exam, but what you need to know to take what you’ve learned and apply it in the real world. Each book contains the following:

Objective-by-objective coverage of the topics you need to know Each chapter lists the objectives covered in that chapter.


The topics covered in this Study Guide map directly to Microsoft’s official exam objectives. Each exam objective is covered completely.

Assessment test Directly following this introduction is an assessment test that you should take. It is designed to help you determine how much you already know about Windows Server 2008 Active Directory. Each question is tied to a topic discussed in the book. Using the results of the assessment test, you can figure out the areas where you need to focus your study. Of course, we do recommend you read the entire book.

Exam essentials To highlight what you learn, you’ll find a list of exam essentials at the end of each chapter. The exam essentials section briefly highlights the topics that need your particular attention as you prepare for the exam.

Glossary Throughout each chapter, you will be introduced to important terms and concepts that you will need to know for the exam. These terms appear in italic within the chapters, and at the end of the book, a detailed glossary gives definitions for these terms as well as other general terms you should know.

Review questions, complete with detailed explanations Each chapter is followed by a set of review questions that test what you learned in the chapter. The questions are written with the exam in mind, meaning that they are designed to have the same look and feel as what you’ll see on the exam.

Exercises In each chapter, you’ll find exercises designed to give you the important hands-on experience that is critical for your exam preparation. The exercises support the topics of the chapter, and they walk you through the steps necessary to perform particular functions.

Real World Scenarios Because reading a book isn’t enough for you to learn how to apply these topics in your everyday duties, we have provided Real World Scenarios in special sidebars. These explain when and why a particular solution would make sense, in a working environment you’d actually encounter.

Interactive CD Every Sybex Study Guide comes with a CD complete with additional questions, flashcards for use with an interactive device, and the book in electronic format. Details are in the following section.

What’s on the CD?

With this new member of our best-selling Study Guide series, we are including quite an array of training resources. The CD offers bonus exams and flashcards to help you study for the exam. We have also included the complete contents of the Study Guide in electronic form. The CD’s resources are described here:

The Sybex E-book for Windows Server 2008 Applications Infrastructure Many people like the convenience of being able to carry their whole Study Guide on a CD. They also like being able to search the text via computer to find specific information quickly and easily.


For these reasons, the entire contents of this Study Guide are supplied on the CD, in PDF. We’ve also included Adobe Acrobat Reader, which provides the interface for the PDF contents as well as the search capabilities.

The Sybex Test Engine This is a collection of multiple-choice questions that will help you prepare for your exam. There are four sets of questions:

Two bonus exams designed to simulate the actual live exam.

All the questions from the Study Guide, presented in a test engine for your review. You can review questions by chapter, or you can take a random test.

The assessment test.

Here is a sample screen from the Sybex Test Engine:

Sybex Flashcards for PCs and Handheld Devices The “flashcard” style of question offers an effective way to quickly and efficiently test your understanding of the fundamental concepts covered in the exam. The Sybex Flashcards set consists of 100 questions presented in a special engine developed specifically for this Study Guide series. Here’s what the Sybex Flashcards interface looks like:


Because of the high demand for a product that will run on handheld devices, we have also developed, in conjunction with Land-J Technologies, a version of the flashcard questions that you can take with you on your Palm OS PDA (including the PalmPilot and Handspring’s Visor).

Hardware and Software Requirements

You should verify that your computer meets the minimum requirements for installing Windows Server 2008. We suggest that your computer meets or exceeds the recommended requirements for a more enjoyable experience.

The exercises in this book assume that your computer is configured in a specific manner. Your computer should have at least a 20GB drive that is configured with the minimum space requirements and partitions. Other exercises in this book assume that your computer is configured as follows:

20GB C: partition with the NTFS filesystem

Optional D: partition with the NTFS filesystem

15GB or more of free space


Of course, you can allocate more space to your partitions if it is available.

The first exercise in the book assumes that you have installed Windows Server 2008.

Many of the exercises, including the failover clustering exercises in Chapter 10, assume that you have an Active Directory domain configured and that you have administrative rights on that domain.

Contacts and Resources

To find out more about Microsoft Education and Certification materials and programs, to register with Prometric, or to obtain other useful certification information and additional study resources, check the following resources:

Microsoft Learning Home Page

www.microsoft.com/learning

This website provides information about the MCP program and exams. You can also order the latest Microsoft Roadmap to Education and Certification.

Microsoft TechNet Technical Information Network

www.microsoft.com/technet

(800) 344-2121

Use this website or phone number to contact support professionals and system administrators. Outside the United States and Canada, contact your local Microsoft subsidiary for information.

Prometric

www.prometric.com

(800) 755-3936

Contact Prometric to register to take an exam at any of more than 800 Prometric Testing Centers around the world.

MCP Magazine Online

www.mcpmag.com

Microsoft Certified Professional Magazine is a well-respected publication that focuses on Windows certification. This site hosts chats and discussion forums and tracks news related to the MCTS and MCITP program. Some of the services cost a fee, but they are well worth it.

WindowsITPro Magazine

www.windowsITPro.com

You can subscribe to this magazine or read free articles at the website. The study resource provides general information on Windows Vista, Server, and .NET Server.

Assessment Test

1. You have been given a server with three hard disks, all with the same capacity. The first drive contains the operating system files. You must provide data redundancy while providing the most amount of capacity. To accomplish this, which of the following would you do?

A. Select the first drive, right-click, and select New RAID 5 Volume.

B. Select the first drive, right-click, and select New Mirrored Volume.

C. Select the first drive, right-click, and select New Striped Volume.

D. Select the first drive, right-click, and select New Simple Volume.

2. You have been given a server that contains three HBAs. Each card can access the storage over a separate path. The application that runs on the server can exceed the usage of a single path. Which of the following MPIO options should be selected to provide the needed bandwidth as well as minimal redundancy?

A. Failover

B. Dynamic Least Queue Depth

C. Weighted path

D. Round robin

3. A server named TSrv1 running Windows Server 2008 has the Terminal Server role installed and you have deployed a remote application from this server. You have already contacted the vendor to verify that the application is supported in a Terminal Server environment, but the installation package does not use an MSI installer package. After you have deployed the remote application, users report remote application time-outs and various disconnected sessions. How can you ensure that the application has been installed to support multiple sessions?

A. Run the change user /disable command on TSrv1, install the application, and run the change user /enable command on TSrv1.

B. Run mstsc /v:TSrv1 /admin from your client computer to log on to TSrv1 and install the application.

C. Run the change user /execute command on TSrv1, install the application, and run the change user /install command on TSrv1.

D. Run the change user /install command on TSrv1, install the application, and run the change user /execute command on TSrv1.

4. You are a server administrator with two servers running Windows 2008 with the Terminal Services role installed, TSrv1 and TSrv2. TSrv1 is currently publishing remote applications and distributing them through RDP files through a web virtual directory. You want the program lists and deployment settings to be the same on both servers, so you import the RemoteApp programs settings from TSrv1. Users complain that they cannot access the remote applications on TSrv2 but can on TSrv1. Which of the following procedures would you do to ensure that users can access the applications on TSrv2?

A. Copy the RDP files from TSrv1 to a new web virtual directory for TSrv2.

B. Configure TSrv1 and TSrv2 to participate in TS Session Broker Load Balancing.

C. Re-create the RDP files on TSrv2 and distribute them to the users.

D. Re-create the RDP files on TSrv1 and distribute them to the users.

5. Your company runs Windows Server 2008 Terminal Service servers and all the clients are Windows Vista. There is a new company video broadcast that the clients will be running from these terminal servers. Which of the following actions would you take to ensure that Media Player 11 is enabled on the terminal servers?

A. Install the Desktop Experience feature on the Terminal Service servers.

B. Install the Vista theme on the Terminal Service servers.

C. Check the Desktop composition box on the RDC client of the user’s computer.

D. Install Windows Media Server 2008 on the Terminal Service servers.

6. You have an Active Directory domain and the TS Licensing service role is installed on a server named TSrv1 that is in a workgroup. You cannot enable TS Per User CALs on this license server. What do you need to do to enable TS Per User CALs?

A. Get license keys from the Microsoft Clearinghouse and enter the keys into the license server.

B. Join TSrv1 to the domain.

C. Install the Terminal Services Role on TSrv1.

D. Install the TS Gateway role on TSrv1.

7. You are running the Terminal Services role on a server and are publishing RemoteApps and using GPOs to set the policies on the server. You check Terminal Services Manager and notice that there are disconnected sessions that are several days old. How in the future can you ensure that disconnected sessions do not exist?

A. Log into Terminal Services Manager and reset each disconnected session.

B. In the Group Policy Management Console, enable the policy Restrict Terminal Service users to a remote session.

C. In the Group Policy Management Console, enable the policy Set time limit for disconnected sessions.

D. Set the terminal server to drain mode.

8. You have installed a TS license server and you wish to activate it. You choose the automatic connection to activate the server with the Microsoft Clearinghouse but it fails. You suspect that your firewall is configured incorrectly, and you want the activation process to happen automatically. How can you ensure this?

A. Open port 443 on your firewall.

B. Open port 80 on your firewall.

C. Open port 3389 on your firewall.

D. Open port 1494 on your firewall.

9. You have just deployed a new .NET web application and need to provide it with the least amount of privileges. The application needs to be able to access the Registry. Which of the following .NET trust levels will provide the least amount of privileges required?

A. Full

B. High

C. Medium

D. Low

E. Minimal

10. You have configured an SMTP server to be the smart host for a number of servers so that the server can send all outbound email out to the Internet. None of the messages that have been sent have been received by the recipient. What must be done to allow email to be delivered?

A. Enable TLS encryption.

B. Add the sending servers to the exceptions list on the connection control.

C. Add the sending servers to the allow list in the relay restrictions.

D. Enable LDAP Routing.

11. You must configure a website to allow Windows user credentials based on file system permissions to provide access to a single virtual directory. Which authentication modules must you disable on the virtual directory if the IUSR_ServerName account has permissions on the site content?

A. Basic Authentication

B. Anonymous Authentication

C. Digest Authentication

D. Integrated Windows Authentication

12. You must restore the server’s configuration to before the last set of configuration changes you made. Which command should you run?

A. AppCmd restore backup "Last Backup"

B. AppCmd restore backup "CFGHISTORY_0000000001"

C. AppCmd restore backup "CFGHISTORY_0000000100"

D. AppCmd add backup "CFGHISTORY_0000000100"

13. You are the administrator for an engineering firm. The chief information officer (CIO) informs you that the president of the company wants to make a live broadcast to all employees. The CIO informs you that he does not want the employees to be able to record the broadcast or pause it. In addition, he wants you to reduce the impact that the broadcast will have on the server. What two options should you choose to meet the CIO’s requirements?

A. Deliver the content with a unicast stream.

B. Use on-demand publishing points.

C. Deliver the content with a multicast stream.

D. Use a broadcast publishing point.

14. Your company has a shared directory that contains files created with Word, Excel, PowerPoint, and Publisher. The senior network administrator wants you to use the newly installed Windows 2008 Server to provide better control over who has access to those files and to limit the amount of time the files can be used. In addition, he wants you to reduce the amount of administration effort that is currently being spent to change rights on user files. What options should you choose to install and configure? (Choose all that apply.)

A. Windows SharePoint Services

B. Active Directory Rights Management Service Role (AD RMS)

C. Configure Rights Policy Templates

D. Configure Active Directory Security Groups

15. After deploying your WSS 3.0 site, you get a request from management to create a document library for the human resources department. Management has also requested that the human resources department should only be able to view and add content to the site. What level of security permissions should you provide to the human resources group?

A. Owner

B. Visitor

C. Member

D. Administrator

16. You deploy a new WSS 3.0 site in your company intranet. The sales department asks you to create a new web application for this new site. After you create the new web application, users in the sales department report that they cannot access it. What step do you need to perform so that the application is available to your users in the sales department?

A. Manually reset IIS on all servers within your SharePoint farm.

B. Ask users in the sales department to log off and then log on to their workstations.

C. Change permissions on the sales user group to administrator level.

D. Give sales users site owners permissions to the web application.

17. When is an operating system Hyper-V hypervisor aware?

A. Automatically, if you install a Microsoft operating system

B. When you install the VM components

C. After you install the Integration Components

D. When you turn on hypervisor awareness in Hyper-V

18. What types of virtual hard disks can you configure in Hyper-V Manager? (Choose all that apply.)

A. Dynamically expanding

B. Fixed size

C. Differencing

D. Pass-through

19. What statement is correct when you create an internal only virtual network for your virtual machines on a Hyper-V server?

A. The virtual machines can communicate with each other and with the host machine.

B. The virtual machines can communicate with each other only.

C. The virtual machines can communicate with each other, with the host machine, and with the network.

D. The virtual machines cannot communicate with each other.

20. You are an IT administrator for a medium-size company. This company has 250 Vista computers and 15 Windows 2008 Server machines. One of your users puts in a service request stating that he is no longer able to open certain programs or access some functions. When the user logs into another machine, he is able to access the programs and features. He also states that he has been getting a Windows Activation popup from time to time. What would you do to resolve this issue?

A. Check the user’s permissions in Active Directory and assign admin rights to his machine.

B. Scan for viruses.

C. Activate his copy of Windows Vista.

D. Restore the machine from a backup.

21. The CIO of your company informs you that you have 80 machines to replace this year and every year going forward as part of the technology refresh program the company has just adopted. He also informs you that this needs to be done with your current staff and you need to stay within the budgeted hours. The CIO also wants you to find a way to enforce standards because he claims that many of the builds by some of the new technicians are not up to company standards. Your company has 500 Windows XP machines and 10 Windows 2003 Server machines and two newly deployed Windows Server 2008 machines. How can you meet the CIO’s requests?

A. Install an RIS server and use Norton Ghost to create an image to be deployed to the new machines.

B. Install Windows 2008 Server on a machine and install the WDS role. Create images based on the company standards and then use those images to deploy the new machines.

C. Modify the ntuser file to meet the standards of the company. Then include this file in the user’s login script.

D. Have the vendor create a machine that includes all the standards required by the company.

22. To meet your company’s growing demands, you have installed WDS on a Windows Server 2008 machine. This machine is also used for DNS, DHCP, and print services. This WDS install will allow you to deploy images to new computers and servers and provide a tool for the help desk in case they need to reinstall the operating system. Your network administrator has created the proper images and placed them in the image folder. The administrator reports that he is not able to PXE boot into the WDS server. He is sure that the boot and deploy images are configured properly and in the right location. You check the services and they are all running. What could be the issue?

A. Check the DNS server to make sure it’s running.

B. Boot image has not been added to the server.

C. You need to run WDSUTIL /start-server.

D. Change the DHCP port.

23. A failover cluster contains two nodes, and a business requires the cluster’s application to remain active and not have a single point of failure. Which of the following quorum models would work in a two-node failover cluster? (Choose all that apply.)

A. No Majority: Disk Only

B. Node Majority

C. Node and Disk Majority

D. Node and File Share Majority

24. A two-node failover cluster has two clustered services. Each node should have only one clustered service running when both nodes are operational or have returned to operation. Which two options must be configured on each clustered service? (Choose all that apply.)

A. Set the Allow failback option.

B. Set the Prevent failback option.

C. Set each service to have a different preferred owner.

D. Set each resource to attempt restart on the current node.

25. An NLB cluster has three nodes. One of the cluster nodes has fewer hardware resources than the other two nodes and cannot handle as many connections. What would you need to do to reduce the number of connections that the NLB attempts to handle?

A. Change the port rules on each node and set an appropriate load.

B. Change the port rule on the underpowered server and set a higher number for load.

C. Change the port rule on the underpowered server and set a lower number for load.

D. Change the Affinity setting on the underpowered server to be Single.

Answers to Assessment Test

1. B. Using RAID-1 is the only correct option because OS files and boot files cannot reside on RAID-5 disks. Striped and simple volumes are not redundant.

2. D. A round robin configuration uses all available active paths and will distribute I/O in a balanced round robin fashion. Failover only uses a primary and a standby path, allowing for link failure. Weighted path assigns requests to the path with the least weight value. Dynamic Least Queue Depth routes requests to the path with the least number of outstanding requests.

3. D. To install an application that does not use an MSI package, you must change the server mode to install mode. After the installation is complete, the server must be placed back in execute mode. A is incorrect because the disable command changes the mode so the user cannot establish a connection to the terminal server. B is incorrect because installing an application from the administrator’s session does not place the server into the correct mode. C is incorrect because the commands are in reversed order.

4. C. Because the original RDP files were created on TSrv1, they will connect only to TSrv1, thus new RDP files will have to be created and distributed from TSrv2. Copying or re-creating the RDP files from TSrv1 won’t work because it will not change the connection path for the users. Configuring TS Session Broker Load Balancing won’t work because all the RDP files would have to point to the terminal server farm name.

5. A. To enable Media Player 11 for the remote clients, the Desktop Experience feature must be installed. B and C are incorrect because they involve setting up the Aero desktop for remote desktop sessions. D is incorrect because there is no need for Media Server on the server.

6. B. Per User CALs are available only if the TS license server is a member of a domain.

7. C. If you enable and configure Set time limit for disconnected sessions, a time limit for disconnected sessions will be set, and when the time limit is reached the session will be deleted from the server. The policy is useful to ensure that resources are released on the server. Although option A is possible, it is not the best way to accomplish this task. Restricting the user’s remote session will remove disconnected sessions. Putting the server in drain mode will not allow users to connect at all.

8. A. The automatic connection requires an SSL connection (TCP port 443) to activate the license server with Microsoft Clearinghouse over the Internet.

9. B. Medium and lower trust levels do not allow access to the Registry, so they would not be suitable levels for this application. High is the first level that allows the required access. Full allows too much access, so it is also not a valid answer.

10. C. The messages are not being delivered because the default setting is to not allow relaying. The sending servers must be added to be allowed to relay. Enabling TLS encryption may secure the SMTP transmission, but it will not affect message delivery. Adding the servers to the exceptions will not allow the servers to communicate to the SMTP server at all. Enabling LDAP routing will allow email address lookups but will not affect delivery of email to the Internet.

11. B. Since the IUSR_ServerName account has permission, Anonymous authentication will keep the server from prompting for credentials.

12. C. The highest configuration number is the latest backup, so that would be the correct backup to restore. The backup set named “Last Backup” would not be correct as it would have been manually run instead of done when a configuration change was made. When AppCmd add backup is run, it creates a new backup, not a restore, so it would also be an incorrect choice.

13. C, D. C and D are correct because multicast streams reduce the impact on the server by producing a single stream that multiple users can connect to and broadcast publishing only allows the user to play the content. A and B are incorrect because unicast streams would not decrease the load on the server and on-demand publishing is for delivering content that the users can control.

14. B, C. B and C are correct because AD RMS is the role that allows for better control of files and configuring rights policy templates would reduce the amount of administration needed because it allows the user to apply a preconfigured rights template. A is incorrect because, while SharePoint can control content access, it is not used to limit the amount of time a file is on a user’s computer or can be accessed. D is wrong because Active Directory Security Groups would still have to be administered by the IT staff and wouldn’t reduce the time spent on rights management.

15. C. Options A and D would give the group more than the requested permissions. Option B would not allow the group to add content. Option C would allow them to contribute content.

16. A. Option A is correct because any new applications require an IIS reset before they will be available to the end user. Option B is wrong because it is related to the Active Directory account and not the web application. Options C and D are incorrect because if the problem had been related to permissions, the WSS page that the users saw would have stated that they did not have permission to view this page.

17. C. An operating system running in a virtual machine becomes hypervisor aware once the Hyper-V Integration Components or Services are installed because it will support using the VMBus.

18. A, B, C, D. All options are correct.

19. A. The virtual machines can communicate with each other and with the host machine. That’s the definition for an internal only network. If they communicate only with each other, that’s called a private virtual network. If the virtual machines also can communicate with the external network, that’s called external. The last option assumes that no virtual network is configured at all, thus virtual machines cannot communicate with each other.

20. C. C is the correct answer because when a Windows Vista product is not activated, it will reduce the functionality of the machine until it is activated. Option A is incorrect because we have no indication that this is related to his user account. B is wrong because there is no solid evidence that this user has a virus. D is incorrect because this would not solve the issue of loss of functions.

21. B. A and D are incorrect because they do not meet the request by the CIO to stay within the normal budget. C is wrong because it would not reduce the time to install the operating systems. B is correct because it would meet the needs of the CIO.

22. D. When WDS and DHCP are running on the same machine, it causes a conflict. Changing the port in the WDS server properties will resolve the issue. B and C are wrong because the image was added to the server and running WDSUTIL /start-server will start all the WDS services, but you have confirmed them as running. Option A is wrong because you have not been informed of any other issues related to DNS.

23. C, D. Node and Disk Majority and Node and File Share Majority both allow for one of the nodes to be offline and still have quorum. Although No Majority: Disk Only allows for a node to be offline, the quorum shared disk is a single point of failure. Since there are only two nodes, both nodes have to be up if only Node Majority were chosen.

24. A, C. The preferred owner would need to be set for each clustered service so that each service would have a different preferred owner. Also, the allow failback would have to be set to make sure that after a failure has been recovered, the clustered service would automatically fail back to the preferred owner. The prevent failback option would not allow the clustered service to automatically fail back to the preferred owner. Also, setting the resources to attempt to restart on the current node will not ensure that the clustered application is on the preferred node.

25. A. For the load to be changed, each node would need to have compatible load settings. If load was changed on only one of the nodes, convergence would never complete. Also, changing the Affinity setting does not affect the number of connections to a particular node.

Chapter 1

Windows Server 2008 Storage Services

Microsoft Exam Objectives Covered in This Chapter:

Configure storage. May include but is not limited to: RAID types, Virtual Disk Specification (VDS) API, Network Attached Storage, iSCSI and fibre channel Storage Area Networks, mount points.

Disk storage is a requirement for just about every computer and application used in any corporate environment. Administrators have some familiarity with storage, whether it is internal storage, a locally attached set of disks, or network attached storage (NAS). In this chapter, we will examine the various aspects of Windows Server 2008 Storage Services. We’ll discuss the various types of storage technologies, but this chapter will primarily focus on iSCSI because of the new native features in Windows Server 2008. This chapter includes the following main topics:

Initializing disks

Dynamic and basic disks

Volume sets

RAID types

Mount points

Storage technologies (iSCSI, Fibre Channel, NAS)

Virtual Disk Specification (VDS)

Storage Manager for SANs

Storage Explorer

Storage in Windows Server 2008

What type of disks should be used? What type of RAID sets should be made? What type of hardware platform should be purchased? These are all questions that many administrators have to answer when planning for storage in Windows Server 2008. In the following sections, we will attempt to answer these questions so that administrators can make the best decisions for their storage environment. We’ll cover the basics to prepare you to make these decisions when you’re either purchasing or configuring your storage solutions.

Initializing Disks

To begin this section, we must first discuss how to add disk drives to a server. Once a disk drive has been installed, it must be initialized by selecting the type of partition. There are two types of partition styles used to initialize disks: Master Boot Record (MBR) and GUID Partition Table (GPT).

MBR has a partition table that indicates where the partitions are located on the disk drive, and with this particular partition style, only volumes up to two terabytes (1,024 gigabytes) are supported. An MBR drive can have up to four primary partitions or three primary partitions and one extended partition that can be divided into unlimited logical drives. Windows Server 2008 can boot off only an MBR disk unless it is based on the Extensible Firmware Interface (EFI); then it can boot from GPT. An Itanium server is an example of an EFI-based system. GPT is not constrained by the same limitations MBR is. In fact, a GPT disk drive can support volumes of up to 18 exabytes (1 million terabytes) and 128 partitions. As a result, GPT is recommended for disks larger than 2TB or disks used on Itanium-based computers. Exercise 1.1 demonstrates the process of initializing additional disk drives to an active computer running Windows Server 2008.

Exercise 1.1

Initializing Disk Drives

Follow these steps to initialize disk drives:

1. Click Start > Administrative Tools > Server Manager.

2. Click and then expand Storage.

3. Select Disk Management.

4. After disk drives have been installed, right-click Disk Management and select Rescan Disks.

5. A pop-up box appears indicating that the server is scanning for new disks.

6. After the server has completed the scan, the new disk appears as Unknown.

7. Right-click the Unknown disk and select Initialize Disk.

8. A pop-up box appears asking for the partition style. For this exercise, choose MBR.

9. Click OK.

The disk will now appear online as a basic disk with unallocated space.
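The partition style chosen in step 8 is recorded in the first sector of the disk, so it can be checked from a raw image without Disk Management. The following is an added example, not taken from the book: a Python reader for that sector that reports the partition style and, for MBR disks, whether the disk is basic or dynamic. The sample sectors are constructed inline, 512-byte sectors are assumed, and treating a sector without the 0x55AA signature as "uninitialized" is a simplification made for this example.

```python
import struct

SECTOR_SIZE = 512              # assumption: classic 512-byte logical sectors
TABLE_OFFSET = 446             # the partition table follows the boot code
ENTRY_SIZE = 16                # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR sector

TYPE_NAMES = {
    0x00: "unused",
    0x05: "extended (CHS)",
    0x07: "NTFS/exFAT/HPFS",
    0x0F: "extended (LBA)",
    0x42: "dynamic disk (LDM)",
    0xEE: "GPT protective",
}

# The sector-count field is 32 bits wide, which is where the roughly 2 TB
# ceiling of the MBR style comes from.
MAX_MBR_PARTITION_BYTES = 0xFFFFFFFF * SECTOR_SIZE


def parse_mbr(sector):
    """Return the four partition entries of an MBR sector as dicts."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        start = TABLE_OFFSET + i * ENTRY_SIZE
        raw = sector[start:start + ENTRY_SIZE]
        # status, 3 CHS bytes, type, 3 CHS bytes, first LBA, sector count
        status, ptype, first_lba, sectors = struct.unpack("<B3xB3xII", raw)
        entries.append({
            "active": status == 0x80,
            "type": ptype,
            "name": TYPE_NAMES.get(ptype, "other (0x%02X)" % ptype),
            "first_lba": first_lba,
            "size_bytes": sectors * SECTOR_SIZE,
        })
    return entries


def describe_disk(sector):
    """Classify sector 0 as uninitialized, MBR (basic/dynamic) or GPT."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        return {"style": "uninitialized", "disk_type": None, "partitions": []}
    used = [e for e in parse_mbr(sector) if e["type"] != 0x00]
    if any(e["type"] == 0xEE for e in used):
        # A GPT disk carries a protective MBR whose only entry has type 0xEE.
        style, disk_type = "GPT", None
    else:
        style = "MBR"
        dynamic = any(e["type"] == 0x42 for e in used)
        disk_type = "dynamic" if dynamic else "basic"
    return {"style": style, "disk_type": disk_type, "partitions": used}


# --- Constructed sample sectors (not captured from a real disk) ---
def make_entry(ptype, first_lba, sectors, active=False):
    status = 0x80 if active else 0x00
    return struct.pack("<B3xB3xII", status, ptype, first_lba, sectors)


def make_sector(entries):
    table = b"".join(entries).ljust(4 * ENTRY_SIZE, b"\x00")
    return bytes(TABLE_OFFSET) + table + BOOT_SIGNATURE


BASIC_MBR = make_sector([
    make_entry(0x07, 2048, 41_943_040, active=True),   # 20 GiB NTFS
    make_entry(0x0F, 41_945_088, 20_971_520),          # 10 GiB extended
])
DYNAMIC_MBR = make_sector([make_entry(0x42, 63, 41_943_040)])
GPT_DISK = make_sector([make_entry(0xEE, 1, 0xFFFFFFFF)])
BLANK_DISK = bytes(SECTOR_SIZE)

if __name__ == "__main__":
    for label, sector in [("basic", BASIC_MBR), ("dynamic", DYNAMIC_MBR),
                          ("gpt", GPT_DISK), ("blank", BLANK_DISK)]:
        info = describe_disk(sector)
        print(label, info["style"], info["disk_type"], len(info["partitions"]))
```
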

Working with Basic and Dynamic Disks

Windows Server 2008 supports two types of disk configurations: basic and dynamic. Basic disks are divided into partitions and can be used with previous versions of Windows. Dynamic disks are divided into volumes and can be used with Windows 2000 Server and later releases. When a disk is initialized, it is automatically created as a basic disk, but when a new fault-tolerant volume set is created, the disks in the set are converted to dynamic disks. Fault-tolerance features and the ability to modify disks without having to reboot the server are what distinguish dynamic disks from basic disks.

A basic disk can simply be converted to a dynamic disk without loss of data. When a basic disk is converted, the partitions are automatically changed to the appropriate volumes. However, converting a dynamic disk back to a basic disk is not as simple. First, all the data on the dynamic disk must be backed up or moved. Then all the volumes on the dynamic disk have to be deleted. The dynamic disk can then be converted to a basic disk. Partitions and logical drives can be created and the data restored.

The following are actions that can be performed on basic disks:

Format partitions.

Mark partitions as active.

Create and delete primary and extended partitions.

Create and delete logical drives.

Convert from a basic disk to a dynamic disk.

The following are actions that can be performed on dynamic disks:

Create and delete simple, striped, spanned, mirrored, or RAID-5 volumes.

Remove or break a mirrored volume.

Extend simple or spanned volumes.

Repair mirrored or RAID-5 volumes.

Convert from a dynamic disk to basic after deleting all volumes.

In Exercise 1.2, you’ll convert a basic disk to a dynamic disk.

Exercise 1.2

Converting a Basic Disk to a Dynamic Disk

Follow these steps to convert a basic disk to a dynamic disk:

1. Click Start > Administrative Tools > Server Manager.

2. Click and then expand Storage.

3. Select Disk Management.

4. Right-click a basic disk that you want to convert and select Convert to Dynamic Disk.

5. The Convert to Dynamic Disk dialog box appears. From here, select all the disks that you want to convert to dynamic disks. In this exercise, only Disk 2 will be converted.

6. Click OK.

7. The Convert to Dynamic Disk dialog box changes to the Disks to Convert dialog box and shows the disk or disks that will be converted to dynamic disks.

8. Click Convert.

9. Disk Management will warn that if you convert the disk to dynamic, you will not be able to start the installed operating system from any volume on the disk (except the current boot volume).

10. Click Yes.

The converted disk will now show as dynamic in Disk Management.

Microsoft recommends using basic disks if you do not require spanned volumes, striped volumes, mirrored volumes, or RAID-5 volume sets.

Working with Volume Sets

A volume set is created from volumes that span multiple drives by using the free space from those drives to construct what will appear to be a single drive. The following list includes the various types of volume sets and their definitions:

Simple volume uses only one disk or a portion of a disk.

Spanned volume is a simple volume that spans multiple disks, with a maximum of 32. Use a spanned volume if the volume needs are too great for a single disk.

Striped volume stores data in stripes across two or more disks. A striped volume gives you fast access to data but is not fault tolerant, nor can it be extended or mirrored. If one disk in the striped set fails, the entire volume fails.

Mirrored volume duplicates data across two disks. This type of volume is fault tolerant because if one drive fails, the data on the other disk is unaffected.

RAID-5 volume stores data in stripes across three or more disks. This type of volume is fault tolerant because if a drive fails, the data can be re-created from the parity on the remaining disk drives. Operating system files and boot files cannot reside on the RAID-5 disks.

Exercise 1.3 illustrates the procedure for creating a volume set.

Exercise 1.3

Creating a Volume Set

Follow these steps to create a volume set:

1. Click Start > Administrative Tools > Server Manager.

2. Click and then expand Storage.

3. Select Disk Management.

4. Select and right-click a disk that has unallocated space. If there are no disk drives available for a particular volume set, that volume set will be grayed out as a selectable option. In this exercise, you’ll choose a spanned volume set, but the process after the volume set selection is the same regardless of which kind you choose. The only thing that differs is the number of disk drives chosen.

5. The Welcome page of the New Spanned Volume Wizard appears and explains the type of volume set chosen. Click Next.

6. The Select Disks page appears. Select the disk that will be included with the volume set and click Add. Repeat this process until all the desired disks have been added. Click Next.

7. The Assign Drive Letter or Path page appears. From here you can select the desired drive letter for the volume, mount the volume in an empty NTFS folder, or choose to not assign a drive letter. The new volume is labeled as E. Click Next.

8. The Format Volume page appears. Choose to format the new volume. Click Next.

9. Click Finish.

10. If the disks have not been converted to dynamic, you will be asked to convert the disks. Click Yes.

The new volume will appear as a healthy spanned dynamic volume with the newly available disk space of the new volume set.

RAID

Built into Windows Server 2008 is the ability to support drive sets and arrays using Redundant Array of Independent Disks (RAID) technology. RAID can be used to enhance data performance, or it can be used to provide fault tolerance to maintain data integrity in case of a hard disk failure. Windows Server 2008 supports three different types of RAID technologies: RAID-0, RAID-1, and RAID-5.

RAID-0 is also known as disk striping. Disk striping is using two or more volumes on independent disks created as a single striped set. There can be a maximum of 32 disks. In a striped set, data is divided into blocks that are distributed sequentially across all the drives in the set. With RAID-0, disk striping, you get very fast read and write performance because multiple blocks of data can be accessed off of multiple drives simultaneously. However, RAID-0 does not offer the ability to maintain data integrity during a single disk failure. In other words, RAID-0 is not fault tolerant; a single disk event will cause the entire striped set to be lost, and it will have to be re-created through some type of recovery process, such as a tape backup.

RAID-1 is also known as disk mirroring. Disk mirroring is two logical volumes on two separate identical disks created as a duplicate disk set. Data is written on two disks at the same time; that way, in the event of a disk failure, data integrity is maintained and available. Although this fault tolerance gives administrators data redundancy, it comes with a price because it diminishes the amount of available storage space by half. For example, if an administrator wants to create a 300GB mirrored set, they would have to install two 300GB hard drives into the server, thus doubling the cost for the same available space.

RAID-5 is also known as disk striping with parity. With disk striping with parity, you use three or more disks (with a maximum of 32) striped across all the disks with an additional block of error-correction called parity, which is used to reconstruct the data in the event of a disk failure. RAID-5 has slower write performance than the other RAID types because the OS must calculate the parity information for each stripe that is written, but the read performance is equivalent to a stripe set, RAID-0, because the parity information is not read. Like RAID-1, RAID-5 comes with additional cost considerations. For every RAID-5 set, roughly an entire hard disk is consumed for storing the parity information. For example, a minimum RAID-5 set requires three hard disks, and if those disks are 300GB each, approximately 600GB of disk space is available to the OS and 300GB is consumed by parity information, which equates to 33.3 percent of the available space. Similarly, in a five-disk RAID-5 set of 300GB disks, approximately 1200GB of disk space is available to the OS, which means that 20 percent of the total available space is consumed by the parity information. The words roughly and approximately are used when calculating disk space because a 300GB disk will really be only about 279GB of space. This is because vendors define a gigabyte as one billion bytes, but the OS defines it as 2^30 (1,073,741,824) bytes. Also remember that file systems and volume managers have overhead as well.

Table 1.1 breaks down the various aspects of the supported RAID types in Windows Server 2008.

Table 1.1 Supported RAID Level Properties on Windows Server 2008

RAID Level | RAID Type | Fault Tolerant | Advantages | Minimum Number of Disks | Maximum Number of Disks
0 | Disk striping | No | Fast reads and writes | 2 | 32
1 | Disk mirroring | Yes | Data redundancy and faster writes than RAID-5 | 2 | 2
5 | Disk striping with parity | Yes | Data redundancy with less overhead and faster reads than RAID-1 | 3 | 32

RAID-1 total available disk space is calculated by taking one half of the sum of both disks in the disk set, and RAID-5 total available disk space is calculated by subtracting the space of one entire disk from the sum of all the disks in the disk set.
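The capacity rules in the note above and the parity rebuild described for RAID-5, as an added example that is not from the book. The function names, the 4-byte block size, the parity rotation order and the sample payload are assumptions made for the illustration; the disk limits come from Table 1.1.

```python
"""Added illustration (not from the book): RAID capacity and RAID-5 parity rebuild."""
from functools import reduce

GB = 10**9    # gigabyte as drive vendors count it
GIB = 2**30   # gigabyte as the OS counts it (1,073,741,824 bytes)

# (minimum, maximum) number of disks per RAID level, taken from Table 1.1
DISK_LIMITS = {0: (2, 32), 1: (2, 2), 5: (3, 32)}


def usable_gb(level, disk_gb, disks):
    """Usable space in vendor GB for a set of equal-sized disks."""
    low, high = DISK_LIMITS[level]
    if not low <= disks <= high:
        raise ValueError(f"RAID-{level} needs {low} to {high} disks, got {disks}")
    if level == 0:
        return disk_gb * disks          # striping: no redundancy
    if level == 1:
        return disk_gb * disks // 2     # mirroring: half of the sum
    return disk_gb * (disks - 1)        # parity: one disk's worth is consumed


def os_reported(vendor_gb):
    """Size the OS displays for a capacity quoted in vendor gigabytes."""
    return vendor_gb * GB / GIB


def xor_blocks(blocks):
    """Byte-wise XOR of equal-length blocks; this is the parity calculation."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def parity_disk(stripe, disks):
    """Disk holding parity for a stripe (the rotation order is an assumption)."""
    return (disks - 1 - stripe) % disks


def raid5_write(data, disks, block_size=4):
    """Stripe data across the disks, adding one parity block per stripe."""
    per_stripe = (disks - 1) * block_size
    stripes = -(-len(data) // per_stripe)            # round up
    data = data.ljust(stripes * per_stripe, b"\0")   # pad the last stripe
    layout = [[] for _ in range(disks)]
    for s in range(stripes):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i:i + block_size] for i in range(0, per_stripe, block_size)]
        parity, pending = xor_blocks(blocks), iter(blocks)
        for d in range(disks):
            layout[d].append(parity if d == parity_disk(s, disks) else next(pending))
    return layout


def raid5_rebuild(layout, failed):
    """Re-create every block of the failed disk from the surviving disks."""
    survivors = [blocks for d, blocks in enumerate(layout) if d != failed]
    return [xor_blocks(stripe) for stripe in zip(*survivors)]


def raid5_read(layout, length):
    """Reassemble the data blocks in order; parity blocks are skipped."""
    disks, out = len(layout), bytearray()
    for s in range(len(layout[0])):
        for d in range(disks):
            if d != parity_disk(s, disks):
                out += layout[d][s]
    return bytes(out[:length])


if __name__ == "__main__":
    payload = b"constructed sample payload for the RAID-5 demo"
    disks = raid5_write(payload, disks=3)
    for failed in range(3):
        assert raid5_rebuild(disks, failed) == disks[failed]
    print(raid5_read(disks, len(payload)))
    print(usable_gb(5, 300, 3), round(os_reported(300)))
```

Because the XOR of all surviving blocks in a stripe yields the missing one, the same rebuild routine covers the loss of a data block and the loss of a parity block, but never two disks at once.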

Creating RAID Sets

Now that you understand the fundamental concepts of RAID sets and how to use them, we can look at the creation of RAID sets in Windows Server 2008. The process of creating a RAID set is the same as the process for creating a simple or spanned volume set except for the minimum disk requirements associated with each RAID type. Creating a mirrored volume set is the same as creating a volume set, as shown in Exercise 1.3, except you will select New Mirrored Volume in the fourth step. It is after the Select Disks page appears that you’ll begin to see the difference. Since a new mirrored volume is being created, the volume requires two disks. During the disk select process, if only one disk is selected, the Next button will be unavailable because the disk minimum has not been met. Refer to Figure 1.1 to view the Select Disks page of the New Mirrored Volume Wizard during the creation of a new mirrored volume and notice that the Next button is not available.

Figure 1.1 Select Disks page of the New Mirrored Volume Wizard

To complete the process, you must select a second disk by highlighting the appropriate disk and adding it to the volume set. Once the second disk has been added, the Add button becomes unavailable and the Next button is available to complete the mirrored volume set creation (see Figure 1.2).

Figure 1.2 Adding the second disk to complete a mirrored volume set

After you click Next, the creation of the mirrored volume set is again just like the rest of the steps, 7 through 11, in Exercise 1.3. A drive letter will have to be assigned and the volume will need to be formatted. The new mirrored volume set will appear in Disk Management. In Figure 1.3, notice that the capacity of the volume equals one disk even though two have been selected.

Figure 1.3 Newly created mirrored volume set

To create a RAID-5 volume set, you use the same process you use to create a mirrored volume set. The only difference is that a RAID-5 volume set requires that a minimum of three disks be selected to complete the volume creation. The process is simple: Select New RAID-5 Volume and then select the three disks that will be used in the volume set. Assign a drive letter and format the volume. Figure 1.4 shows a newly created RAID-5 volume set in Disk Management.

Figure 1.4 Newly created RAID-5 volume set

Mount Points

With the ever-increasing demands of storage, mount points are used to surpass the limitation of 26 drive letters and to join two volumes into a folder on a separate physical disk drive. A mount point allows you to configure a volume to be accessed from a folder on another existing disk. Through Disk Management, a mount point folder can be assigned to a drive instead of using a drive letter and can be used on basic or dynamic volumes that are formatted with NTFS. However, mount point folders can be created only on empty folders within a volume. Additionally, mount point folder paths cannot be modified; they can only be removed once they have been created. Exercise 1.4 shows steps to create a mount point.

Exercise 1.4

Creating Mount Points

Follow these steps to create a mount point:

1. Click Start > Administrative Tools > Server Manager.

2. Click and then expand Storage.

3. Select Disk Management.

4. Right-click the volume where the mount point folder will be assigned and select Change Drive Letter and Paths.

5. Click Add.

6. Either type the path to an empty folder on an NTFS volume or click Browse to select or make a new folder for the mount point.

When you explore the drive, you’ll see the new folder created. Notice that the icon indicates that it is a mount point.

Microsoft MPIO (Multipath I/O)

Multipath I/O (MPIO) is associated with high availability because a computer will be able to use a solution with redundant physical paths connected to a storage device. So if one path fails, an application will continue to run because it can access the data across the other path. The MPIO software provides the functionality needed for the computer to take advantage of the redundant storage paths. MPIO solutions can also load-balance data traffic across both paths to the storage device, virtually eliminating bandwidth bottlenecks to the computer. What allows MPIO to provide this functionality is the new native Microsoft Drive Specific Module (Microsoft DSM). The Microsoft DSM is a driver that communicates with storage devices (iSCSI, Fibre Channel, or SAS) and provides the chosen load-balancing policies. Windows Server 2008 supports the following load-balancing policies:

Failover: In a failover configuration, there is no load balancing. There is a primary path that is established for all requests and subsequent standby paths. If the primary path fails, one of the standby paths will be used.

Failback: This is similar to failover in that it has primary and standby paths. However, with failback you designate a preferred path that will handle all process requests until it fails, after which the standby path will become active until the primary reestablishes a connection and will automatically regain control.

Round robin: In a round robin configuration, all available paths will be active and will be used to distribute I/O in a balanced round robin fashion.

Round robin with a subset of paths: In this configuration, a specific set of paths will be designated as a primary set and another as standby paths. All I/O will use the primary set of paths in a round robin fashion until all the sets fail. Only at this time will the standby paths become active.

Dynamic Least Queue Depth: In a Dynamic Least Queue Depth configuration, I/O will route to the path with the least number of outstanding requests.

Weighted path: In a weighted path configuration, paths are assigned a numbered weight. I/O requests will use the path with the least weight. The higher the number, the lower the priority.
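The six load-balancing policies above, modelled as a small path selector; this is an added example, not Microsoft DSM code and not from the book. Assumptions: the Path, Selector and run names and the three-path topology are hypothetical, listed order stands for preference, failover stays on the standby after the primary returns (implied by the contrast with failback), and standby paths are rotated once every primary path has failed.

```python
"""Added illustration (not Microsoft DSM code): MPIO path-selection policies."""
from dataclasses import dataclass


@dataclass
class Path:
    name: str
    primary: bool = True   # member of the primary set (round robin with subset)
    weight: int = 0        # weighted path: lowest number has highest priority
    queue: int = 0         # outstanding requests on this path
    up: bool = True


class Selector:
    """Chooses a path per I/O. Listed order is the order of preference."""

    def __init__(self, policy, paths):
        self.policy, self.paths = policy, paths
        self._active = None   # path in use under failover
        self._last = None     # last path handed out by a round robin policy

    def _rotate(self, candidates):
        # Next candidate after the last one used, walking the listed order.
        start = self.paths.index(self._last) + 1 if self._last is not None else 0
        for offset in range(len(self.paths)):
            path = self.paths[(start + offset) % len(self.paths)]
            if path in candidates:
                self._last = path
                return path

    def _pick(self):
        healthy = [p for p in self.paths if p.up]
        if not healthy:
            raise RuntimeError("all paths to the storage device are down")
        if self.policy == "failover":
            # Assumption: stay on the standby even after the primary returns.
            if self._active is None or not self._active.up:
                self._active = healthy[0]
            return self._active
        if self.policy == "failback":
            return healthy[0]              # preferred path regains control
        if self.policy == "round_robin":
            return self._rotate(healthy)
        if self.policy == "round_robin_subset":
            primaries = [p for p in healthy if p.primary]
            # Assumption: standbys are rotated once every primary has failed.
            return self._rotate(primaries or healthy)
        if self.policy == "least_queue_depth":
            return min(healthy, key=lambda p: p.queue)
        if self.policy == "weighted_path":
            return min(healthy, key=lambda p: p.weight)
        raise ValueError(f"unknown policy: {self.policy}")

    def submit(self):
        """Route one I/O request and count it as outstanding on that path."""
        path = self._pick()
        path.queue += 1
        return path


def sample_paths():
    """Constructed topology: A and B form the primary set, C is the standby."""
    return [Path("A", weight=5), Path("B", weight=1),
            Path("C", primary=False, weight=3)]


def run(policy, steps):
    """Replay steps ('io', 'down X', 'up X', 'done X'); return the paths used."""
    paths = sample_paths()
    by_name = {p.name: p for p in paths}
    selector, used = Selector(policy, paths), []
    for step in steps:
        op, _, name = step.partition(" ")
        if op == "io":
            used.append(selector.submit().name)
        elif op == "done":
            by_name[name].queue -= 1       # a request on this path completed
        elif op in ("down", "up"):
            by_name[name].up = (op == "up")
        else:
            raise ValueError(f"unknown step: {step}")
    return "".join(used)


# Constructed scenario: path A fails after two requests and later recovers.
OUTAGE = ["io", "io", "down A", "io", "io", "up A", "io", "io"]

if __name__ == "__main__":
    for policy in ("failover", "failback", "round_robin"):
        print(policy, run(policy, OUTAGE))
```

Replaying the same outage under failover and failback shows the one behavioural difference between them: only failback sends I/O back to path A once it recovers.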

Exercise 1.5 demonstrates the process of installing the Microsoft MPIO feature for Windows Server 2008.

Exercise 1.5

Installing Microsoft MPIO

Follow these steps to install Microsoft MPIO:

1. Click Start > Administrative Tools > Server Manager.

2. Right-click Features and select Add Features.

3. In the Add Features Wizard, check Multipath I/O and click Next.

4. On the Confirm Installation Selections page, verify that Multipath I/O is the feature that will be installed. Click Install.

5. After the installation completes, the Installation Results page appears stating that the server must be rebooted to finish the installation process.

6. Click Close.

7. Click Yes to restart.

8. After the restart, the installation will resume. Once it’s complete, click Close.

9. To open MPIO, click Start > Administrative Tools > MPIO.

Typically, most storage arrays work with the Microsoft DSM. However, some hardware vendors require DSM software that is specific to their products. Third-party DSM software is installed through the MPIO utility:

1. Click Start > Administrative Tools > MPIO.

2. Select the DSM Install tab (Figure 1.5).

3. Add the path of the INF file and click Install.

Figure 1.5 The DSM Install tab on the MPIO Properties dialog box

iSCSI

Internet Small Computer System Interface (iSCSI) is an interconnect protocol used to establish and manage a connection between a computer (initiator) and a storage device (target) by using an existing network through TCP port 3260, which allows it to be used over a LAN, a WAN, or the Internet. Each initiator is identified by its iSCSI Qualified Name (iqn) and is used to establish its connection to an iSCSI target. iSCSI was developed to allow block-level access to a storage device over a network instead of using a Network Attached Storage (NAS) device that connects through the use of Common Internet File System (CIFS) or Network File System (NFS). Block-level access is important to many applications that require direct access to storage, applications like MS Exchange and MS SQL, for example. By being able to leverage the existing network infrastructure, iSCSI was also developed as an alternative to Fibre Channel storage by alleviating the additional hardware costs associated with a Fibre Channel storage solution. iSCSI also has another advantage over Fibre Channel in that it can provide security for the storage devices by using Challenge Handshake Authentication Protocol (CHAP) for authentication and Internet Protocol security (IPSec) for encryption. Windows Server 2008 is able to connect an iSCSI storage device out of the box with no additional software that needs to be downloaded. This is because the Microsoft iSCSI initiator is built into the operating system.

Windows Server 2008 supports two different ways to initiate an iSCSI session.

Through the native Microsoft iSCSI software initiator that resides on Windows Server 2008.

Through using a hardware iSCSI host bus adapter (HBA) that is installed in the computer.

Both the Microsoft iSCSI software initiator and iSCSI HBA present an iSCSI Qualified Name (iqn) that identifies the host initiator. When the Microsoft iSCSI software initiator is used, the CPU utilization may be as much as 30 percent higher than on a computer with a hardware iSCSI HBA. This is because all of the iSCSI process requests are handled within the operating system. Using a hardware iSCSI HBA, process requests can be offloaded to the adapter, thus freeing the CPU overhead associated with the Microsoft iSCSI software initiator. However, iSCSI HBAs can be expensive, whereas the Microsoft iSCSI software initiator is free. It is worthwhile to install the Microsoft iSCSI software initiator and perform load testing to see how much overhead the computer will have prior to purchasing an iSCSI HBA or HBAs, depending on the redundancy level. Exercise 1.6 explains how to install and configure an iSCSI connection.

Exercise 1.6

Configuring iSCSI Storage Connection

Follow these steps to configure an iSCSI storage connection:

1. Click Start > Administrative Tools > iSCSI Initiator.

2. Click the Discovery tab.

3. In the Target Portals portion of the tab, click Add Portal.

4. Enter the IP address of the target portal and click OK.

5. The IP address of the target portal appears in the Target Portals box.

6. Next select the Targets tab and then click the Refresh button. The iqn of the target appears. Notice that the target’s status is Inactive.

7. Select the iqn and click the Log On button.

8. Check Automatically Restore This Connection When the Computer Starts. Don’t check Enable Multi-Path. Remember, only select Enable Multi-Path if the iSCSI multi-path software has already been installed. Refer to Exercise 1.5 for details on how to install the MPIO feature for Windows Server 2008.

9. Click OK.

Notice that the target’s status has now changed to Connected.

To use the storage that has now been presented to the server, you must create a volume on it and format the space. Refer to Exercise 1.3 to review this process.

Internet Storage Name Service (iSNS)

Internet Storage Name Service (iSNS) allows for central registration of an iSCSI environment because it automatically discovers available targets on the network. The purpose of iSNS is to help find available targets on a large iSCSI network. The Microsoft iSCSI initiator includes an iSNS client that is used to register with the iSNS. The iSNS feature maintains a database of clients that it has registered either through DHCP discovery or through manual registration. iSNS DHCP is available after the installation of the service and used to allow iSNS clients to discover the location of the iSNS. However, if iSNS DHCP is not configured, iSNS clients must be registered manually with the iscsicli command.

To execute the command, launch a command prompt on a computer hosting the Microsoft iSCSI initiator and type the following: iscsicli addisnsserver <servername>, where <servername> is the name of the computer hosting iSNS. Exercise 1.7 walks through the steps to install the iSNS feature on Windows Server 2008.

Exercise 1.7

Installing the iSNS Feature on Windows Server 2008

Follow these steps to install the iSNS feature on Windows Server 2008:

1. Click Start > Administrative Tools > Server Manager.

2. Right-click Features and select Add Features.

3. In the Add Features Wizard, check Internet Storage Name Server and click Next.

4. On the Confirm Installation Selections page, verify that Internet Storage Name Server is the feature that will be installed. Click Install.

5. After the installation completes and the Installation Results page appears, verify that the installation was successful and click Close.

6. Launch iSNS Server by clicking Start > Administrative Tools > iSNS Server.

7. Click the General tab. This tab displays the list of registered initiators and targets. In addition to their iSCSI Qualified Name (iqn), it lists storage node type (Target or Initiator), alias string, and entity identifier (the Fully Qualified Domain Name (FQDN) of the machine hosting the iSNS client).

8. Click the Discovery Domains tab. The purpose of Discovery Domains is to provide a way to separate and group nodes. This is very similar to zoning in Fibre Channel. The following options are available on the Discovery Domains tab:

Create: Used to create a new discovery domain.

Refresh: Used to repopulate the Discovery Domain drop-down list.

Delete: Used to delete the currently selected discovery domain.

Add: Used to add nodes that are already registered in iSNS to the currently selected discovery domain.

Add New: Used to add nodes by entering the iSCSI Qualified Name (iqn) of the node. These nodes do not have to be currently registered.

Remove: Used to remove selected nodes from the discovery domain.

9. Click the Discovery Domain Sets tab. The purpose of discovery domain sets is to further separate discovery domains. Discovery domains can be enabled or disabled, giving administrators the ability to further restrict the visibility of all initiators and targets. The options on the Discovery Domain Sets tab are as follows:

Enable: A check box used to indicate the status of the discovery domain sets and to turn them off and on.

Create: Used to create new discovery domain sets.

Refresh: Used to repopulate the Discovery Domain Sets drop-down list.

Delete: Used to delete the currently selected discovery domain set.

Add: Used to add discovery domains to the currently selected discovery domain set.

Remove: Used to remove selected nodes from the discovery domain sets.

Fibre Channel

Fibre Channel storage devices are similar to iSCSI storage devices in that they both allow block-level access to their data sets and can provide MPIO policies with the proper hardware configurations. However, Fibre Channel requires a Fibre Channel HBA, fibre optic cables, and Fibre Channel switches to connect to a storage device. A World Wide Name (WWN) from the Fibre Channel HBA is used from the host and device so they can communicate directly with each other, similar to using a NIC’s MAC address. In other words, a logical unit number (LUN) is presented from a Fibre Channel storage device to the WWN of the host’s HBA. Fibre Channel has been the preferred method of storage because of the available connection bandwidth between the storage and the host. Fibre Channel devices support 1Gb/s, 2Gb/s, and 4Gb/s connections and soon will support 8Gb/s connections, but now that 10Gb/s Ethernet networks are becoming more prevalent in many datacenters, iSCSI can be a suitable alternative. It is important to consider that 10Gb/s network switches can be more expensive than comparable Fibre Channel switches.

Network Attached Storage (NAS)

The concept of a Network Attached Storage (NAS) solution is that it is a low-cost device for storing data and serving files through the use of an Ethernet LAN connection. A NAS device accesses data at the file level via a communication protocol such as NFS, CIFS, or even HTTP, which is very different from iSCSI or Fibre Channel storage devices that access the data at the block level. NAS devices are best used in file storing applications, and they do not require a storage expert to install and maintain the device. In most cases, the only setup that is required is an IP address and an Ethernet connection.

Managing SANs

In the following sections, we will discuss the tools in Windows Server 2008 that will help manage the various aspects of storage: Storage Manager for SANs (SMfS) and Storage Explorer. These tools are used independently of one another, but they both provide a very powerful and centralized interface to administer a storage environment. Storage Manager for SANs manages the physical storage arrays; conversely, Storage Explorer views and manages the Fibre Channel and iSCSI connections available in the environment.

Virtual Disk Service (VDS)

Virtual Disk Service (VDS) has been created to ease the administration efforts of managing all the various types of storage devices. Many storage hardware providers used their own applications for installation and management, and this made administering all these various devices very cumbersome. VDS is a set of application programming interfaces (APIs) that provide a centralized interface for managing all the various storage devices. The native VDS API enables the management of disks and volumes at an OS level, and hardware-vendor-supplied APIs manage the storage devices at a RAID level. These are known as software and hardware providers.

A software provider is host based and interacts with Plug and Play Manager because each disk is discovered and operates on volumes, disks, and disk partitions. VDS includes two software providers: basic and dynamic. The basic software provider manages basic disks with no fault tolerance, whereas the dynamic software providers manage dynamic disks with fault management. A hardware provider translates the VDS APIs into instructions specific to the storage hardware. This is how storage management applications are able to communicate with the storage hardware to create LUNs or with Fibre Channel HBAs to view the WWN. The following are Windows Server 2008 storage management applications that use VDS:

Disk Management snap-in: This application configures and manages the disk drives on the host computer. You have already seen this application in use when you initialized disks and created volume sets.

DiskPart is a command-line utility that configures and manages disks, volumes, and partitions on the host computer. It can also be used to script many of the storage management commands. DiskPart is a very robust tool and should be studied on your own because it is beyond the scope of this book. Figure 1.6 shows the various commands and their function for the DiskPart utility.

Figure 1.6 DiskPart commands

DiskRAID is also a scriptable command-line utility that configures and manages hardware RAID storage systems. However, at least one VDS hardware provider must be installed for DiskRAID to be functional. DiskRAID is another useful utility and should be studied on your own because it’s beyond the scope of this book.

Storage Manager for SANs: Storage Manager for SANs is a graphical user interface utility that is used to manage SANs. It will be discussed further in the following section.

Storage Manager for SANs (SMfS)

Storage Manager for SANs is a utility that is used to create and manage LUNs on both Fibre Channel and iSCSI storage arrays that support Virtual Disk Service (VDS). A LUN is similar to a volume in that it is a logical representation of a disk drive that is a part of a storage array. Using Storage Manager for SANs simplifies the management of these resources in a SAN environment because it is a centralized location where LUNs can be assigned access and control privileges even though Fibre Channel and iSCSI use different types of hardware and network protocols.

To use Storage Manager for SANs, you must make sure the server and the storage array meet the following requirements:

• The server must have the Storage Manager for SANs feature installed.
• The storage array must support VDS.
• The VDS hardware provider’s software for the storage array must be installed on the server.
• The storage array must be directly attached or accessible over the network.
• In order to manage an iSCSI array through Storage Manager for SANs, you must install an iSCSI initiator on the server.

Exercise 1.8 demonstrates the procedures for installing the Storage Manager for SANs feature on Windows Server 2008.

Exercise 1.8

Installing Storage Manager for SANs

Follow these steps to install Storage Manager for SANs:

1. Click Start > Administrative Tools > Server Manager.

2. Right-click Features and select Add Features.

3. In the Add Features Wizard, check Storage Manager for SANs and click Next.


4. On the Confirm Installation Selections page, verify that Storage Manager for SANs is the feature that will be installed. Click Install.

5. After the installation, when the Installation Results page appears, verify that the installation was successful and click Close.

6. To launch Storage Manager for SANs, click Start > Administrative Tools > Storage Manager for SANs.

When you open Storage Manager for SANs, you will notice three main sections: LUN Management, Subsystems, and Drives. All tasks are performed within these three sections.

In the LUN Management section, the following tasks can be performed:

• View information about the LUNs on your Fibre Channel and iSCSI storage systems.
• Create, rename, extend, delete, assign, and unassign LUNs.
• Add servers to your SAN and enable HBAs and iSCSI initiators.
• Create, remove, and configure security settings and log on to iSCSI targets.


In the Subsystems section, the following tasks can be performed:

• View information about the storage systems that have been discovered by VDS.
• Rename a storage system.

In the Drives section, the following tasks can be performed:

• View information about the disk drives in the storage systems that have been discovered.
• Make a drive light blink.

Storage Explorer

Storage Explorer is used by administrators to view and manage Fibre Channel and iSCSI fabrics available in the environment. The Storage Explorer interface provides a tree-structured view of the components by using APIs to collect data about the storage devices. The following detailed information can be found in Storage Explorer:

• HBA information
• Fibre Channel switches
• iSCSI initiators
• iSCSI targets

An administrator can also perform various iSCSI-related tasks from Storage Explorer:

• Log on to iSCSI targets.
• Configure iSCSI security.
• Add iSCSI target portals.
• Add iSNS servers.
• Manage discovery domains.
• Manage discovery domain sets.

Figure 1.7 shows the Storage Explorer interface with an iSCSI initiator selected and also illustrates the management options that are available.


Figure 1.7 Storage Explorer interface

Summary

In this chapter, we examined the various aspects of Windows Server 2008 Storage Services as well as the various types of storage technologies and native Windows Server 2008 storage management tools. We started the chapter with initializing disks and choosing a partition type, MBR or GPT. We then discussed the types of disk configurations, dynamic and basic, that are supported in Windows Server 2008. You learned that there are various properties associated with each type of configuration. Then we discussed the different types of RAID and the properties of each.

The next section explored storage technologies, namely iSCSI, Fibre Channel, and NAS. We primarily focused on iSCSI because of the native support in Windows Server 2008. You learned how to configure an iSCSI initiator and a connection to an iSCSI target. After that we looked at the iSNS server and how to configure it. We concluded the chapter by looking at Storage Manager for SANs and Storage Explorer, which are built-in management tools in Windows Server 2008 for storage devices.


Exam Essentials

Know the disk types. Know how to initialize disks and the type of partitioning to choose. Also know the difference between dynamic and basic disks and when to use them.

Understand what RAID is and how it works. Know the various RAID types, the requirements for each, and when it is appropriate to use each type.

Know the storage technologies. Understand how to use the storage technologies Fibre Channel, iSCSI, and NAS. Know how to configure an iSCSI initiator and how to establish a connection to a target. Know the various MPIO policies.

Know how to manage storage. Know what types of administrative features are available for Storage Manager for SANs and Storage Explorer.


Review Questions

1. What are the various supported RAID types in Windows Server 2008? (Choose three.)

A. RAID-5

B. RAID-1

C. RAID-0

D. RAID-1+0

2. What type of MPIO policy allows load balancing across multiple active paths?

A. Failover

B. Round robin

C. Dynamic Least Queue Depth

D. Weighted path

3. What is the minimum number of disks required in a RAID-5 set?

A. One

B. Two

C. Three

D. Four

4. What is the minimum number of disks required in a RAID-1 set?

A. One

B. Two

C. Three

D. Four

5. What is the default TCP port for iSCSI?

A. 3389

B. 1433

C. 21

D. 3260

6. What is the largest partition size available for MBR?

A. 1TB

B. 2TB

C. 3TB

D. 4TB


7. How many primary partitions can be made on a disk drive with MBR?

A. One

B. Two

C. Three

D. Four

8. Which of the following names/terms identifies a Fibre Channel HBA?

A. WWN

B. iqn

C. UNC

D. MAC

9. True/False: A basic disk can be configured in a RAID-5 volume set.

A. True

B. False

10. Five 100GB disk drives are used in a RAID-5 set. Approximately how much disk space is available?

A. 200GB

B. 100GB

C. 500GB

D. 400GB

E. 300GB

11. Calculate the available disk space on a RAID-1 set using 100GB disk drives.

A. 200GB

B. 100GB

C. 500GB

D. 400GB

E. 300GB

12. If an administrator would like to create a LUN on a storage device, what management tool would they use?

A. Storage Explorer

B. MPIO

C. Storage Manager for SANs

D. iSCSI initiator


13. Which of the following is an alternative term used for RAID-0?

A. Disk striping

B. Disk striping with parity

C. Disk mirroring

D. Disk mirroring in a striped set

14. True/False: A computer with the Microsoft iSCSI software initiator has less CPU overhead than a computer using an iSCSI HBA.

A. True

B. False

15. Which of the following management tools is used to log off of a current iSCSI connection?

A. MPIO

B. iSNS

C. iSCSI initiator

D. Storage Manager for SANs

16. True/False: VDS is a set of APIs that provide a centralized interface for managing all the various storage devices.

A. True

B. False

17. What command would be used to manually register an iSCSI initiator to an iSNS server?

A. iscsicli refreshisnsserver <servername>

B. iscsicli listisnsservers <servername>

C. iscsicli removeisnsserver <servername>

D. iscsicli addisnsserver <servername>

18. True/False: Mount points are assigned drive letters.

A. True

B. False

19. Each iSCSI initiator and target must have a unique name. What is the designation of this name?

A. WWN

B. MAC

C. iqn

D. SCSI ID

20. True/False: The Microsoft iSCSI initiator does not have built-in security features.

A. True

B. False


Answers to Review Questions

1. A, B, C. Windows Server 2008 supports only software RAID levels 0, 1, and 5. Other types of RAID, such as RAID-1+0, are available with hardware RAID controllers.

2. B. Round robin uses all available paths and all paths will be active. Failover, Dynamic Least Queue Depth, and weighted path will not load-balance across the paths.

3. C. The minimum number of disks required in a RAID-5 set is three.

4. B. The minimum number of disks required in a RAID-1 set is 2.

5. D. The iSCSI default port is TCP 3260. Port 3389 is used for RDP, port 1433 is used for MS SQL, and port 21 is used for FTP.

6. B. The largest partition available with MBR is 2 terabytes.

7. D. MBR supports only four primary partitions, but the fourth partition can be made into an extended partition in which many logical partitions can be created.

8. A. Fibre Channel HBAs use the WWN (World Wide Name) to distinguish themselves from other HBAs in a Fibre Channel fabric. An iqn is used by iSCSI initiators to identify themselves. MAC addresses are used with NICs. A UNC (Universal Naming Convention) is used to designate file locations on a network.

9. B. When you’re creating a RAID-5 volume set, a basic disk will be converted into a dynamic disk.

10. D. To calculate RAID-5 disk space, add the total available space across all disks and subtract the space of one disk. In this case, 500 - 100 = 400.

11. B. A RAID-1 set uses only two disks, and the available disk space is only on one of the disks.

12. C. Storage Manager for SANs is used to manage the actual storage devices. Storage Explorer is used to manage the fabric. MPIO is used to manage the multipath software. iSCSI initiator is used to configure the host’s iSCSI settings.

13. A. RAID-0 is disk striping. RAID-5 is disk striping with parity. RAID-1 is disk mirroring. RAID-1+0 is disk mirroring in a striped set.

14. B. A computer uses an iSCSI HBA to offload the iSCSI request to the card so it will not consume any extra CPU cycles.

15. C. iSCSI initiator is used to log on to and off of iSCSI connections. iSNS is used to register iSCSI initiators. MPIO is used to manage the multipath software. Storage Manager for SANs is used to manage storage devices.

16. A. VDS is used in conjunction with Storage Manager for SANs to manage storage devices.


17. D. The iscsicli addisnsserver <servername> command manually registers the host server to an iSNS server. refreshisnsserver refreshes the list of available servers. removeisnsserver removes the host from the iSNS server. listisnsservers lists the available iSNS servers.

18. B. The purpose of a mount point is to logically assign a path to an existing drive without using a drive letter.

19. C. The iqn (iSCSI Qualified Name) applies to all iSCSI HBAs and the Microsoft iSCSI software initiator. MACs are associated with NICs, and WWN names are associated with FC HBAs.

20. B. The Microsoft iSCSI initiator supports both CHAP and IPSec.


Chapter 2

Exploring Terminal Services in Windows Server 2008

Microsoft exam objectives covered in this chapter:

• Configure Terminal Services client connections. May include but is not limited to: connecting local devices and resources to a session, Terminal Services profiles, Terminal Services home folders, Remote Desktop Connection (RDC), single sign-on, Remote Desktop Snap-In, MSTSC.exe
• Configure Windows Server 2008 Terminal Services RemoteApp (TS RemoteApp). May include but is not limited to: Configuring Terminal Services Web Access, configuring Terminal Services Remote Desktop Web Connection
• Configure Terminal Services Gateway. May include but is not limited to: certificate configuration, Terminal Services Gateway Manager (TS Gateway Manager), specifying resources that users can access through TS Gateway by using Terminal Services resource authorization policy (TS RAP) and Terminal Services connection authorization policy (TS CAP)
• Configure Terminal Services load balancing. May include but is not limited to: Terminal Services Session Broker redirection modes, DNS registration; setting through group policy


Whether it’s publishing a remote desktop or remotely logging into a server for maintenance, you have probably used or heard of Terminal Services for Windows. In Windows NT 4 Terminal Server Edition, using the services for business applications without third-party tools was very cumbersome. With advances over the years and even updates in Windows Server 2003 to the previous version of Terminal Services, Terminal Services for Windows Server 2008 is a much more attractive option for some business applications or, at the very least, worth a look. The client computer communicates with a terminal server over TCP port 3389 using client software called Remote Desktop Connection (RDC). Many of the new features available with Windows Server 2008 require the most recent update to the RDC client software, although older RDC clients will continue to work. These older RDC clients will have more or less the same functionality as Terminal Services for Windows Server 2003. If you are using Windows Vista pre Service Pack 1, the client is RDC 6.0 (Control Version 6.0.6000). The client will be able to connect to Terminal Services Server on Windows Server 2008 and have some of the same functionality, but not all the functionality is available. For example, to access TS RemoteApp programs through TS Web Access, the client computer must be running RDC 6.1, but higher resolutions, monitor spanning, font smoothing, and Desktop Experience are all available on both RDC 6.0 and RDC 6.1. RDC 6.1, which supports Remote Desktop Protocol version 6.1, is available with Windows Server 2008, Windows Vista Service Pack 1, and Windows XP Service Pack 3.

To find out the version of RDC that is installed, open the Remote Desktop Connection client by clicking Start > All Programs > Accessories > Remote Desktop Connection. Once the client is open, right-click the computer icon in the upper-left corner and choose About. A dialog box appears with version information and supported features on the RDC client installed, such as Network Level Authentication. Figure 2.1 shows the version information of an RDC 6.1 client.

RDC 6.1 (Control Version 6.0.6001) supports Remote Desktop Protocol 6.1.


Figure 2.1 RDC version information

Remote Desktop Connection Display

The new RDC software enables the use of higher-resolution displays with multiple-monitor spanning on the client computer and clearer text with font smoothing. In conjunction with Terminal Server running Windows Server 2008, the new RDC software will give the users a Windows Vista look and feel with the new Desktop Experience. In addition, Display Data Prioritization will give display, mouse, and keyboard traffic better performance.

Custom Display Resolutions

In previous versions, the only supported display aspect ratio was 4:3, with a maximum resolution of 1600×1200. Now, with widescreen monitors, 16:9 and 16:10 ratios are available with resolutions of 1680×1050 and 1920×1200 and a new maximum supported resolution of 4096×2048. Figure 2.2 shows the Display tab of the Remote Desktop Connection client, accessed via the Options button.


Figure 2.2 The RDC Display tab

Custom display resolutions can also be set in an RDP file or from a command prompt:

• Open the RDP file in a text editor and edit the following settings, where <value> is the resolution (for example, 1920 or 1200):

    desktopwidth:i:<value>
    desktopheight:i:<value>

• Use mstsc.exe at the command prompt with the following settings:

    mstsc.exe /w:<width> /h:<height>

Monitor Spanning

Monitor spanning allows the display of the remote desktop session to stretch across multiple monitors. For monitor spanning to function, all the monitors must have the same resolution and their total resolution cannot exceed 4096×2048. Another limitation is that spanning only occurs horizontally (side by side), not vertically.

You can set monitor spanning in an RDP file or from a command prompt.

• Open the RDP file in a text editor. Change the following setting, where <value> = 0 indicates that monitor spanning is disabled and <value> = 1 indicates that monitor spanning is enabled:

    Span:i:<value>

• Use mstsc.exe at the command prompt with the following settings:

    mstsc.exe /span
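Added example, not from the book: a PowerShell function that reads the desktopwidth, desktopheight and span settings from .rdp file content and checks them against the limits given in the two sections above, plus a check of a planned spanning layout. The function names and the sample lines are assumptions made for this example.

```powershell
# Added example, not from the book. Audits the display settings of an .rdp file
# against the limits stated above (4096x2048 maximum; span is 0 or 1).

$MaxWidth  = 4096
$MaxHeight = 2048

function Test-RdpDisplaySettings {
    param([string[]]$Lines)

    # Each .rdp setting is one "name:type:value" line (i = integer, s = string).
    $settings = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([^:]+):([a-z]):(.*)$') {
            $settings[$matches[1].Trim().ToLower()] = $matches[3].Trim()
        }
    }

    $findings = @()
    $limits = @{ desktopwidth = $MaxWidth; desktopheight = $MaxHeight }
    foreach ($name in 'desktopwidth', 'desktopheight') {
        if (-not $settings.ContainsKey($name)) {
            $findings += "$name is not set in this file"
            continue
        }
        $n = 0
        if (-not ([int]::TryParse($settings[$name], [ref]$n)) -or $n -le 0) {
            $findings += "$name is not a positive integer: '$($settings[$name])'"
        } elseif ($n -gt $limits[$name]) {
            $findings += "$name $n exceeds the supported maximum of $($limits[$name])"
        }
    }

    if ($settings.ContainsKey('span') -and ($settings['span'] -notmatch '^[01]$')) {
        $findings += "span must be 0 (disabled) or 1 (enabled), found '$($settings['span'])'"
    }
    return ,$findings
}

# Spanning is horizontal only and needs identical monitors, so the spanned
# desktop is (count x width) by height; it must still fit within the maximum.
function Test-SpanLayout {
    param([int]$MonitorWidth, [int]$MonitorHeight, [int]$Count)
    $totalWidth = $MonitorWidth * $Count
    return (($totalWidth -le $MaxWidth) -and ($MonitorHeight -le $MaxHeight))
}

# Constructed sample content; for a real file use: Get-Content .\session.rdp
$sample = @(
    'desktopwidth:i:5040',
    'desktopheight:i:1050',
    'Span:i:1'
)
Test-RdpDisplaySettings -Lines $sample

# Two 1920x1200 monitors side by side, then three 1680x1050 monitors.
Test-SpanLayout -MonitorWidth 1920 -MonitorHeight 1200 -Count 2
Test-SpanLayout -MonitorWidth 1680 -MonitorHeight 1050 -Count 3
```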


Font Smoothing

If you’re using an LCD monitor, font smoothing is a feature that will be of interest. Windows Server 2008 now supports ClearType, which is a Microsoft technique that improves the readability of text. For users to take advantage of this feature, terminal servers must have ClearType enabled and font smoothing must be enabled in the RDC client.

The following operating systems support font smoothing:

• Windows Vista
• Windows Server 2003 Service Pack 1 or 2 with RDC 6.0
• Windows XP Service Pack 2 with RDC 6.0

In Exercise 2.1, you’ll enable font smoothing on a Windows Vista client.

Exercise 2.1

Enabling Font Smoothing on a Client Computer

Follow these steps to enable font smoothing on a Windows Vista client:

1. Click Start > All Programs > Accessories > Remote Desktop Connection. (It is also possible to start the RDC client software by typing mstsc in the Run line.)

2. In the Remote Desktop Connection dialog box, click Options.

3. On the Experience tab, check Font Smoothing.

4. Click Connect to launch the new session.


By default, ClearType is enabled in Windows Server 2008. To ensure that ClearType is enabled, follow the steps in Exercise 2.2.

Exercise 2.2

Verifying ClearType Settings on Windows Server 2008

Follow these steps to verify ClearType is enabled:

1. Click Start > Control Panel > Personalization > Window Color and Appearance.

2. On the Appearance tab, select Effects.

3. Check the Use the Following Method to Smooth Edges of Screen Fonts check box.

4. Select ClearType from the drop-down menu.

5. Click OK.

Although ClearType improves the overall user experience, enabling it will increase the bandwidth consumed to between 4 and 10 times that of a similarly configured TS server with ClearType disabled.

Display Data Prioritization

Another new feature to help with network utilization is Display Data Prioritization. Display Data Prioritization automatically gives the display, keyboard, and mouse virtual channel traffic higher precedence than the virtual channel traffic for copying files and printing. This alleviates the issue of having a slow or unresponsive mouse cursor after sending a large print job.

By default, the Display Data Prioritization bandwidth ratio is 70:30. Seventy percent of the available bandwidth goes to operations in which data is input, such as display, mouse, and keyboard operations, while file transfers, print jobs, and Clipboard operations can consume only 30 percent. These settings can be modified by editing the Registry and changing the DWORD entry values located under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD subkey. Here is a list of the values and the characteristics of each:

FlowControlDisable Default value is 0. To disable Display Prioritization, set this value to 1. Once it’s disabled, all requests are first in, first out.

FlowControlDisplayBandwidth Default value is 70. This value changes the relative bandwidth priority for display and other input data. The maximum allowed value is 255.

FlowControlChannelBandwidth Default value is 30. This value changes the relative bandwidth priority for Clipboard operations, file transfers, and print jobs. The maximum allowed value is 255.

FlowControlChargePostCompression This value determines if flow control calculates the bandwidth allocation based on precompression or postcompression bytes. The default is precompression, which is 0.

Display Data Prioritization is based on the ratio of the Registry values FlowControlDisplayBandwidth and FlowControlChannelBandwidth. For example, if FlowControlDisplayBandwidth is set to 200 and FlowControlChannelBandwidth is set to 50, the Display Data Prioritization ratio is 200:50, so 80 percent of the available bandwidth will go to display and other input data. Remember that the default ratio is 70:30, so 70 percent of the available bandwidth will go to display and other input data.
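Added example, not from the book: a PowerShell script that reads the four TermDD values listed above and reports the resulting bandwidth split, treating a value that is absent from the registry as its stated default. The function names are assumptions made for this example, and the second call uses constructed input for the 200:50 case.

```powershell
# Added example, not from the book. Reports the effective Display Data
# Prioritization split from the TermDD values listed above; a value that is
# absent from the registry is treated as its documented default.

$TermDD   = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermDD'
$Defaults = @{
    FlowControlDisable               = 0
    FlowControlDisplayBandwidth      = 70
    FlowControlChannelBandwidth      = 30
    FlowControlChargePostCompression = 0
}

function Get-FlowControlSettings {
    param([string]$Path = $TermDD)
    $props  = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $result = @{}
    foreach ($name in $Defaults.Keys) {
        $result[$name] = [long]$Defaults[$name]
        if ($props -and $props.PSObject.Properties[$name]) {
            $result[$name] = [long]$props.$name
        }
    }
    return $result
}

function Get-FlowControlSummary {
    param([hashtable]$Settings)

    if ($Settings['FlowControlDisable'] -eq 1) {
        return 'Display Data Prioritization is disabled; all requests are first in, first out.'
    }

    $display = $Settings['FlowControlDisplayBandwidth']
    $channel = $Settings['FlowControlChannelBandwidth']
    foreach ($v in $display, $channel) {
        if ($v -gt 255) { return "Value $v exceeds the maximum allowed value of 255." }
    }
    if (($display + $channel) -eq 0) {
        return 'Both bandwidth values are 0, so no ratio can be computed.'
    }

    # Share of bandwidth for display and input data, as a percentage.
    $share = [math]::Round(100 * $display / ($display + $channel), 1)
    if ($Settings['FlowControlChargePostCompression'] -eq 0) { $basis = 'precompression' }
    else { $basis = 'postcompression' }

    $fmt  = 'Ratio {0}:{1}; {2}% for display and input data, {3}% for Clipboard, '
    $fmt += 'file transfer and print traffic (counted on {4} bytes).'
    return ($fmt -f $display, $channel, $share, (100 - $share), $basis)
}

# On a terminal server: summarize the live registry settings.
Get-FlowControlSummary -Settings (Get-FlowControlSettings)

# Constructed input: the 200:50 case described in the text above.
Get-FlowControlSummary -Settings @{
    FlowControlDisable = 0; FlowControlDisplayBandwidth = 200
    FlowControlChannelBandwidth = 50; FlowControlChargePostCompression = 0
}
```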

Desktop Experience

In previous versions of Terminal Services, the Desktop was bland and dull and had limited features. Terminal Services for Windows Server 2008 and Remote Desktop Connection 6.0 give users features like an improved Desktop that can be customized using themes, Windows Media Player 11, and even photo management. For a user to benefit from the new Desktop experience, the client computer must have the Remote Desktop Connection 6.0 software, at a minimum, and the Windows Server 2008 Terminal Server must have the Desktop Experience feature enabled, which will be covered later in this section.

To complete the desktop experience, Microsoft has introduced Desktop Composition in Windows Server 2008. Windows 2008 Terminal Server is configurable to provide the functionality of a Windows Aero desktop by using Remote Desktop Connection with a Windows Vista client computer. With features such as Windows Flip 3D, translucent windows (Aero glass), and thumbnail-sized Taskbar button window previews, a user no longer has to look at a dull, lifeless Desktop. However, with this new functionality also come limitations because Desktop Composition is supported only when you’re connecting to a Windows 2008 TS server running in single-user mode or with a host client running Windows Vista.


Three things must occur to enable Desktop Composition. First, you must enable Desktop Experience on the Windows 2008 Terminal Services server. Second, you must use the Windows Vista theme on the Windows 2008 TS server. Third, you must enable Desktop Composition on the Windows Vista host client.

It is important to note that the Windows Vista client must have the hardware capable of supporting Windows Aero to benefit from the Desktop Composition feature. However, the 2008 TS server does not need to have hardware that is capable of running Windows Aero.

Exercises 2.3, 2.4, 2.5, and 2.6 walk you through the necessary steps to enable Desktop Experience for Terminal Services on Windows Server 2008.

Exercise 2.3

Enabling the Desktop Experience Feature

Follow these steps to install Desktop Experience on Windows Server 2008.

1. Open Server Manager. Click Start > Administrative Tools > Server Manager.

2. Right-click Features and select Add Feature from the menu.

3. Check Desktop Experience in the Feature Wizard.

4. Click Next.

5. Verify that the Desktop Experience feature is checked and click Install.

6. Reboot after installation is complete.


In Exercise 2.4, you’ll continue the configuration of the Desktop Experience by enabling the Themes service.

Exercise 2.4

Starting the Themes Service

Follow these steps to start the Themes service for Windows Server 2008.

1. Click Start > Administrative Tools > Services.

2. Right-click Themes and choose Properties.

3. On the General tab, change the startup type to Automatic.

4. Click Apply.

5. Click Administrative Tools > Services.

6. Double-click Themes.

7. On the General tab, change the startup type to Automatic.

8. Click OK.

9. Right-click Themes and choose Start to start the Themes service.

Now that you have enabled the Themes service, you must select the Windows Vista theme (Exercise 2.5).

Exercise 2.5

Setting the Theme on Windows Server 2008

Follow these steps to set the theme on Windows Server 2008.

1. Click Start > Control Panel > Personalization > Theme.

2. On the Themes tab, change the theme to Windows Vista.

3. Click OK.

The final step is to enable Desktop Composition and Themes on the client. Exercise 2.6 shows you how.

Exercise 2.6

Making Desktop Composition Available on a Vista Client

Follow these steps to enable Desktop Composition on a Vista client.

1. Click Start > All Programs > Accessories > Remote Desktop Connection. (It is also possible to start the RDC client software by typing mstsc in the Run line.)

2. In the Remote Desktop Connection dialog box, click Options.

3. On the Experience tab, check Desktop Composition and Themes.

4. Click Connect to launch the new session.

Remember that Windows Aero will require more resources on your terminal server, so careful consideration must be made on how many concurrent user connections a single terminal server’s hardware will be able to support. This will be critical to overall user experience and server performance.

Device Redirection

The following sections are about the device redirection framework for Windows Server 2008. Device redirection gives users the ability to connect physical devices on their local computer and use them within their Terminal Services session. The first section discusses Plug and Play device redirection for media players and digital cameras based on the Picture Transfer Protocol (PTP). The second section introduces Microsoft Point of Service for .NET device redirection. In the third section, we discuss printing redirection with TS Easy Print.

Plug and Play Device Redirection for Media Players and Digital Cameras

New to Windows Server 2008 and RDC 6.0 is the ability to redirect specific Plug and Play (PNP) Windows portable devices. These devices include media players and digital cameras based on the Media Transfer Protocol (MTP) and the Picture Transfer Protocol (PTP), respectively. Plug and Play device redirection allows applications to access devices whether the application is running in a TS remote desktop or with TS RemoteApp.

Another new feature is the ability to attach Plug and Play devices after a session has already been established with the Devices that I plug in later option within the Remote Desktop Connection client software. When a new session is launched, Plug and Play notifications will appear in the Taskbar on the client computer. The newly detected device is attached to that particular session and is not accessible from any other session. Exercise 2.7 walks us through the process of enabling Plug and Play device redirection.

Exercise 2.7

Redirect Plug and Play Devices

Follow these steps to enable Plug and Play device redirection.

1. Click Start > All Programs > Accessories > Remote Desktop Connection. (It is also possible to start the RDC client software by typing mstsc in the Run line.)

2. In the Remote Desktop Connection dialog box, click Options.

3. On the Local Resources tab, click More.

4. Under Local devices and resources expand Supported Plug and Play Devices.

5. Choose the device you want to redirect.

6. To make Plug and Play devices that you will plug in later available, select the Devices that I plug in later check box.

7. Click Connect to launch the new session.


It is also possible to redirect drives that have been connected after a new session has been established by selecting the Drives that I connect to later check box.

Microsoft Point of Service for .NET Device Redirection

Microsoft Point of Service (POS) for .NET Device Redirection allows peripheral devices such as bar code scanners and magnetic card readers to interface with Terminal Services for Windows 2008. Microsoft POS for .NET 1.1 is available to download at the Microsoft Download Center. Once it’s installed, the Terminal Services UserMode Port Redirector service must be restarted.

Microsoft Point of Service for .NET Device Redirection is supported only when you’re running the x86 version of Windows Server 2008.

Terminal Services Easy Print

Microsoft has improved printing in Terminal Services for Windows 2008 by adding Terminal Services Easy Print and group policies that enable the redirection of only the default client printer. In the past, the client computer and the Terminal Services server had to have the proper driver installed in order to successfully print. Now matching the drivers on the two different systems is no longer necessary because the TS Easy Print driver proxies all requests to the client’s actual driver. This feature will please many administrators who had to support printer drivers in the previous version of Terminal Services. Another perk for administrators is that TS Easy Print will increase the scalability and decrease the complexity of the TS server by limiting the number of printers the spooler has to enumerate. When a TS session is created, Winlogon will redirect a particular printer instead of redirecting all printers. The last benefit of TS Easy Print is that administrators will appreciate the support for legacy print drivers.

Although TS Easy Print has decreased administrator headaches with printing in Terminal Services, only a select client base will receive its benefit. TS Easy Print is available only on client computers running Windows Vista SP1 or Windows Server 2008 using RDC 6.1 and either the Microsoft .NET Framework 3.0 Service Pack 1 or Microsoft .NET Framework 3.5 or later.

Terminal Services Easy Print is enabled by default.


Single Sign-On for Terminal Services

With Single Sign-On for Terminal Services, a domain user can enter their credentials once and gain access to a terminal server or their remote application. The current credentials of the logged-on user will be passed to the connecting TS server without the user having to retype their password. To use Single Sign-On (SSO), the client must be running on Windows Vista or another Windows Server 2008 machine, the user must have the appropriate rights to log on, and the client computer and TS server must be in the same domain. Exercise 2.8 demonstrates the process of configuring the authentication level of Windows Server 2008.

Exercise 2.8

Configuring Authentication of a Windows 2008 Terminal Server

Follow these steps to set the authentication type for a Windows Server 2008 terminal server.

1. Open Terminal Services Configuration. Click Start > Administrative Tools > Terminal Services > Terminal Services Configuration.

2. Under Connections, right-click RDP-TCP and choose Properties.

3. On the General tab, verify that the Security Layer value is either Negotiate or SSL (TLS 1.0) and then click OK.


Exercise 2.9 walks us through the procedures to configure Single Sign-On on a Windows Vista computer.

Exercise 2.9

Configuring SSO on a Client Computer

Follow these steps to configure Single Sign-On on a Windows Vista computer.

1. Open Local Group Policy Editor. Click Start > Run, type gpedit.msc, and press Enter.

2. Expand and navigate to Computer Configuration > Administrative Templates > System > Credentials Delegation.

3. Double-click Allow Delegating Default Credentials.

4. In Properties on the Setting tab, click Enable and click Show.

5. In Show Contents, click Add and add the terminal servers to the policy list by typing the prefix termsrv/ in front of the server name (for example, termsrv/TServ1).

6. Click OK three times to close all the dialog boxes.
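The server list built in step 5 is worth reviewing after the fact, because the policy also accepts wildcard entries such as termsrv/*, which delegate default credentials far more broadly than a named server. The following is an added example, not part of the book: a small Python audit of a delegation list, in which the sample entries, the approved-server inventory and the function names are constructed for illustration.

```python
PREFIX = "termsrv/"


def classify_entry(entry, approved_hosts):
    """Classify one server-list entry as (severity, reason)."""
    approved = {h.lower() for h in approved_hosts}
    text = entry.strip()
    if not text.lower().startswith(PREFIX):
        return ("error", "does not start with the termsrv/ prefix from step 5")
    host = text[len(PREFIX):].lower()
    if not host:
        return ("error", "no server name after the prefix")
    if host == "*":
        return ("high", "wildcard covers every terminal server")
    if "*" in host:
        return ("medium", "wildcard covers a group of servers: " + host)
    if host not in approved:
        return ("medium", "server is not in the approved inventory: " + host)
    return ("ok", "named, approved terminal server")


def audit_delegation_list(entries, approved_hosts):
    """Return (entry, severity, reason) for every entry that needs review."""
    findings = []
    seen = set()
    for entry in entries:
        key = entry.strip().lower()
        if key in seen:
            findings.append((entry, "info", "duplicate entry"))
            continue
        seen.add(key)
        severity, reason = classify_entry(entry, approved_hosts)
        if severity != "ok":
            findings.append((entry, severity, reason))
    return findings


# Constructed sample data: the list as an administrator might have typed it
# into Show Contents, and the terminal servers that are meant to be there.
SAMPLE_ENTRIES = [
    "termsrv/TServ1",
    "TERMSRV/*",
    "termsrv/*.corp.example",
    "TServ2",
    "termsrv/OldTS",
    "termsrv/tserv1",
]
APPROVED_SERVERS = {"TServ1", "TServ2"}

if __name__ == "__main__":
    for entry, severity, reason in audit_delegation_list(SAMPLE_ENTRIES, APPROVED_SERVERS):
        print(f"{severity:6} {entry:24} {reason}")
```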

Prepare and Configure the Use of Terminal Services RemoteApp (TS RemoteApp)

In the following sections, we’ll discuss a new feature of Terminal Services for Windows 2008 called Terminal Services RemoteApp (TS RemoteApp). In previous versions of Terminal Services, the only option was to publish the full Desktop, but with TS RemoteApp, individual applications can now be published. This means that instead of launching a new Desktop session to run an application on the terminal server, you can publish an individual application from the terminal server and it will appear as if it is running on the client’s local computer. No longer will users have to deal with the confusion of running two different Desktops to run all their applications. Before we dive too deep into TS RemoteApp and its features, we need to install the Terminal Server role on our Windows 2008 server.


Installing Programs to Be Used with TS RemoteApp

TS RemoteApp is made available through the installation of Terminal Services on Windows Server 2008. As the administrator of the server installs applications on the server, they can be added to a published list of programs that users will be able to access. In Exercise 2.10, you’ll install the Terminal Services role and change the user mode to allow applications to be installed correctly on a TS server.

Exercise 2.10

Installing the Terminal Services Role

Follow these steps to install the Terminal Services role for Windows Server 2008.

1. Open Server Manager. Click Start > Administrative Tools > Server Manager.

2. Under Roles Summary, click Add Roles.

3. In the Add Role Wizard, on the Before You Begin page, click Next.

4. On the Select Server Roles page, check Terminal Services. If Terminal Services is already installed, this check box will be grayed out.


5. Click Next.

6. On the Introduction to Terminal Services page, click Next.

7. On the Select Role Services page, select Terminal Server and click Next.

8. On the Uninstall and Reinstall Applications for Compatibility page, click Next.

9. On the Specify Authentication Method for Terminal Server page, select the authentication you will be using and click Next. If you select Require Network Level Authentication, only computers running Windows Vista with RDC 6.0 or higher will be allowed to connect to the server. If you select Do Not Require Network Level Authentication, any RDC client can connect to the TS server.


10. On the Specify Licensing Mode page, select the licensing mode you will be using and click Next.


11. On the Select User Groups Allowed Access to this Terminal Server page, add the users or groups that you will allow to connect and click Next.

12. On the Confirm Installation Selections page, verify settings and click Install.

13. After the installation, you will be prompted to restart the server to finish the installation process. Click Close and Yes to restart the server.

After you install the Terminal Services role, you need to install the programs that are going to be published. Before you install a program on a terminal server, the server needs to be placed in install mode, and after installation is complete, the server needs to be placed back into execute mode (see Figure 2.3).

To change the system to install mode, type change user /install at the command prompt.

To change the system to execute mode, type change user /execute at the command prompt.

To get additional information or help, type change user or change user /? at the command prompt.


Figure 2.3 User mode commands

Configuring Remote Programs to Be Used with TS RemoteApp

Now that the Terminal Services role is installed and you know how to change the user mode to install an application, you need to make an application available for remote users by adding the program to the RemoteApps list. To add a program, you’ll use TS RemoteApp Manager, which specifies the programs installed on the terminal server that users will be able to access. Exercise 2.11 walks you through the process of adding a program to the RemoteApps list.

Exercise 2.11

Adding an Application to the TS RemoteApp Program List

Follow these steps to add an application to the TS RemoteApp Program List.

1. Launch Server Manager. Click Start > Administrative Tools > Server Manager.

2. Expand Roles. Expand Terminal Services.

3. Click TS RemoteApp Manager.


4. In the Actions pane, click Add RemoteApp Programs.

5. In the RemoteApp Wizard, click Next.

6. Select the application to add to the RemoteApp program list and click Next.

7. Click Finish.

8. If you examine the TS RemoteApp Manager, you’ll see that the programs that have been added to the TS RemoteApp program list are now visible. You will notice here that TS Web Access is enabled. It’s enabled by default; we’ll discuss TS Web Access later in this chapter in “Distributing RemoteApp Applications.” If you double-click a RemoteApp program, a new Actions pane will appear on the right. This is where you can change the properties of the program, disable TS Web Access, create an RDP file or an MSI installer package, and even remove the RemoteApp program.


9. Clicking Properties in the Actions pane shows various attributes of the RemoteApp program. From the Properties tab, you can see the RemoteApp program name, its location, whether it is available through TS Web Access, and what command-line arguments are available.


Creating and Deploying a Windows Installer Package for TS RemoteApp Programs

Now that you have installed an application that will be used for a TS RemoteApp program, you need to know how to deploy a package that contains the TS RemoteApp program connection information. There are two different ways to package TS RemoteApp programs: a Windows Installer file (MSI) or a Remote Desktop file (RDP). The focus in this section will be on using an MSI file because most administrators are used to using group policies to deploy Windows Installer packages to client computers. To run these packages, client computers must be running RDC 6.0 or 6.1. In Exercise 2.12, you will follow the procedures to package TS RemoteApp programs.

Exercise 2.12

Packaging a TS RemoteApp Program

Follow these steps to package a TS RemoteApp Program.

1. In TS RemoteApp Manager, under RemoteApp Programs, select the application for which you will create a package.

2. In the Actions pane, click Create Windows Installer Package.

3. In the RemoteApp Wizard, click Next on the Welcome screen.

4. On the Specify Package Settings screen, you can change the default location to save packages to as well as the server name, the RDP port, the TS Gateway setting, and certificate settings. (TS Gateway and certificate settings are discussed later in this chapter.)


5. Click Next.

6. On the Configure Distribution Package page, you will place the RemoteApp program into the user’s Start menu under a folder named Remote Programs, and you can also select Desktop. This screen also specifies whether or not to take over client extensions. What this means is that whenever the user opens a file with this extension, it will automatically launch the RemoteApp program. This setting is necessary only when the application is not installed locally on the client.

7. Click Next.

8. Review the settings and click Finish.

By default, the package will be saved in C:\Program Files\Pack Programs with a .rap.msi filename extension. Now that you have the .rap.msi file, Group Policy procedures can be used to deploy the package to users within the domain.


Using TS RemoteApp in Large Environments

There are some rules that should be considered when using TS RemoteApp in a large server farm. First, applications that are similar in nature or share data using Dynamic Data Exchange (DDE), for example, copy and paste, should reside on the same server. Second, place silo applications that conflict with other applications onto separate terminal servers; your users will thank you in the long run by not complaining about poor performance or errors in their sessions. Third, consider other factors that are not technology related, such as groups like HR always wanting their applications segregated from everyone else. A good rule of thumb is an 80/20 split. Try to maintain and keep the software consistent on the majority of the terminal servers with the main subset of your applications, usually MS Office and the like.

Export or Import RemoteApp Programs and Settings

With Terminal Services for Windows 2008, you have the ability to export and import the RemoteApp Programs list from one TS server to another. This is a benefit when you have to configure a larger server farm with an identical RemoteApp Programs list. Any RDP or MSI packages that were created will not be exported or imported and will have to be re-created to reflect the name of the terminal server. However, if a server is a member of a TS server farm and during the creation of the packages the farm name was specified instead of the name of an individual server, you can manually copy the packages. In Exercise 2.13, you will export the RemoteApp Programs list and deployment settings.

Exercise 2.13

Exporting the RemoteApp Programs List and Deployment Settings

Follow these steps to export the TS RemoteApp program list and deployment settings to other Windows Server 2008 terminal servers.

1. Start TS RemoteApp Manager.


2. In the Actions pane, click Export RemoteApp Settings.

3. Select Export the RemoteApp Program List and Settings to Another Terminal Server or Export the RemoteApp Programs List and Settings to a File.

4. Click OK.


When the TS RemoteApp settings are exported to a file, the location is specified by the administrator and the file itself is saved with the .tspub extension. To import the TS RemoteApp programs list and deployment settings, use the same procedure except use Import RemoteApp Settings instead. It is important to note that importing the settings to another server will overwrite the existing settings on that server.

Distributing RemoteApp Applications

There are several ways to deploy RemoteApps, and we have already touched on two of them: distributing an RDP file through a file share or distributing an MSI through a GPO. In the following sections, you’ll learn about distributing TS RemoteApp programs with Terminal Services Web Access. Microsoft has enhanced Terminal Services Web Access (TS Web Access) in Windows 2008 by embedding the ActiveX controls into a web page hosted on Internet Information Services (IIS). A user can create a session using the client’s web browser. To take advantage of TS Web Access, the client computer must be running Remote Desktop Client (RDC) 6.1, which is available on Windows Server 2008, Windows Vista SP1, and Windows XP SP3.

Installing TS Web Access

TS Web Access must be installed as a role on a server that users will connect to in order to access their RemoteApp programs. As a result of installing TS Web Access as a role, Internet Information Services 7.0 is also installed. The server that has the TS Web Access role acts as a web server and does not have to be a terminal server. In Exercise 2.14, you’ll install TS Web Access.

Exercise 2.14

Installing TS Web Access

Follow these steps to install TS Web Access.

1. Open Server Manager. Click Start > Administrative Tools > Server Manager.

2. Click Roles and expand it.

3. Right-click Terminal Server and click Add Roles Services.


4. Select TS Web Access. If all the roles required for TS Web Access are not installed, you will receive a prompt to install them. Click Add Required Role Services.

5. Click Next.

6. If installing IIS is required, click Next on the Introduction to Web Server page.

7. On the Roles Services Selections for IIS page, click Next.


8. On the Confirm Installation Selections page, click Install.

9. On the Installation Results page, verify that the installation was successful and click Close.

If the TS RemoteApp server and the TS Web Access server are separate, the computer account of the TS Web Access server must be added to the TS Web Access Computers security group on the TS RemoteApp server. In Exercise 2.15, you’ll add the computer account to the TS Web Access group.


Exercise 2.15

Adding the Computer Account of the TS Web Access Server to the TS RemoteApp Server

Follow these steps to add the computer account to the TS Web Access group.

1. Click Start > Administrative Tools > Computer Management.

2. Expand Local Users and Groups and click Groups.

3. Double-click TS Web Access Computers.

4. Click Add.

5. Click Object Types, select Computers, and click OK.

6. Type the computer name of the TS Web Access server and click OK.

7. Click OK.

By default, the TS Web Access website is http://<server_name>/ts, where <server_name> is the NetBIOS or the fully qualified domain name of the TS Web Access server. Launching the site, you can see the TS RemoteApp programs that are TS Web Access enabled. Figure 2.4 shows the TS Web Access page with the available program list.

Figure 2.4 TS Web Access published application list


When you launch an application as a TS RemoteApp and launch an application from the local computer, it becomes very difficult to tell the difference between the TS RemoteApp and the local application. Figure 2.5 shows WordPad launched as a TS RemoteApp and launched locally.

Figure 2.5 Side-by-side comparison of a RemoteApp and a local application

Using Task Manager, you can see which application is running locally and which application is running as a TS RemoteApp. Figure 2.6 shows the WordPad in Task Manager and indicates which application is running remotely.

Figure 2.6 Task Manager view of a RemoteApp


Prepare and Configure Terminal Services Gateway (TS Gateway)

Terminal Services Gateway is a role for Windows Server 2008 that encapsulates Remote Desktop Protocol (RDP) traffic over HTTP with SSL encryption (HTTPS) and provides a secure link for authorized remote users on the Internet to access internal terminal server applications without creating a virtual private network (VPN) connection. Instead of using TCP port 3389, TS Gateway transmits the RDP traffic over TCP port 443, so little or no modification is needed to the external firewall because this port is usually already open for other HTTPS traffic. The TS Gateway server sits behind the external firewall, and when the firewall receives RDP over HTTP traffic, it strips off the HTTP header and passes the RDP packets to the TS Gateway server. The TS Gateway server will then check the Network Policy Server (NPS) service and Active Directory to authenticate the remote user. Once authentication has completed, the user will be allowed access to the internal terminal servers to run the TS Web Access–enabled TS RemoteApp programs.

Preparing the Necessary TS Gateway Role Services

Very similar to installing TS RemoteApps, TS Gateway requires that additional roles be installed on the Windows 2008 server. To install the TS Gateway role, the following role services are also required:

Remote Procedure Call (RPC) over HTTP Proxy

Web Server (Internet Information Services 7.0)

Network Policy and Access Services

Exercise 2.16 explains how to install and configure the TS Gateway role.

Exercise 2.16

Installing the TS Gateway Role Service

Follow these steps to install the TS Gateway role service on Windows Server 2008.

1. Open Server Manager.

2. Right-click Roles > Add Role.

3. Under Select Server Roles, check Terminal Services and click Next.

4. Click Next on the Introduction to Terminal Services page.

5. Under Select the Role Services to Install for Terminal Services, check TS Gateway. An Add Roles Wizard appears to install the required role services and features. Click Add Required Role Services.


6. Click Next.

7. On the Choose a Server Authentication Certificate for SSL Encryption page, select the appropriate SSL encryption. (In the next section, we will discuss how to create, obtain, and configure a certificate.)


8. Click Next.

9. On the Create Authorization Policies for TS Gateway page, accept the default to create authorization policies now. Click Next.

10. Select the user groups that can connect through TS Gateway by clicking Add. Then click Next.

11. On the Create a TS CAP for TS Gateway page, accept the default name TS_CAP_01 or specify a new name, select supported Windows authentication methods, and then click Next.

12. On the Create a TS RAP for TS Gateway page, accept the default name TS_RAP_01 or specify a new name. Then either specify whether to allow users to connect only to computers in one or more computer groups, and then specify the computer groups, or specify that users can connect to any computer on the network. Click Next.

13. On the Network Policy and Access Services page, click Next.

14. Verify that the Network Policy Server role service is selected and click Next.

15. On the Web Server (IIS) page, click Next.

16. Accept the default roles to install for Web Server (IIS). Click Next.

17. Confirm the installation selections and click Install.

Obtaining and Configuring a Certificate for TS Gateway

TS Gateway requires a valid digital certificate so that it can use SSL to encrypt the traffic to the remote clients. The purpose of the digital certificate is to prove the identity of a remote person or a remote resource. In TS Gateway, there are two methods of obtaining a certificate. The first is to purchase a digital certificate from a third-party certificate authority (CA). Microsoft has a list of approved CAs at the following site: http://support.microsoft.com/kb/931125. The second option is to create a self-signed certificate. Although the option to create a self-signed certificate is available, it is not recommended for anything other than testing and evaluation purposes because the certificate must be copied and installed in the Trusted Root Certification Authorities store on each client computer. Exercise 2.17 walks you through the installation of a certificate on a TS Gateway server.

The procedure in Exercise 2.17 is not required if you have created a self-signed certificate.


Exercise 2.17

Installing a Certificate on the TS Gateway Server

Follow these steps to install a certificate on a TS Gateway server.

1. Click Start > Run. Type mmc and press Enter.

2. On the File menu, click Add/Remove Snap In.

3. From the available snap-ins, select Certificates and click Add.

4. In Certificates Snap-in, select Computer Account and click Finish.

5. Click OK.

6. Expand Certificates.

7. Right-click Personal > All Tasks > Import.

8. On the Welcome to the Certificate Import Wizard page, click Next.

9. On the File to Import page, enter the name of the certificate that will be imported. Click Next.

10. On the Password page, do the following:

If you specified a password for the private key associated with the certificate earlier, type the password.

If you want to mark the private key for the certificate as exportable, ensure that Mark This Key as Exportable is selected.

If you want to include all extended properties for the certificate, ensure that Include All Extended Properties is selected.

11. Click Next.

12. On the Certificate Store page, accept the defaults and click Next.

13. Confirm that the correct certificate has been selected and click Finish.

14. A confirmation message appears when the certificate has been imported successfully.

Exercise 2.18 guides you through the mapping of the certificate to the TS Gateway server.


Exercise 2.18

Mapping the Certificate to the TS Gateway Server

Follow these steps to map a certificate to a TS Gateway server.

1. Open TS Gateway Manager. Click Start > Administrative Tools > Terminal Services > TS Gateway Manager.

2. Right-click the TS Gateway server and choose Properties.

3. On the SSL Certificate tab, click Select an Existing Certificate for SSL Encryption.

4. Click Browse Certificates.

5. Click the appropriate certificate, and click Install.


6. Click OK.

Creating Terminal Services Connection Authorization Policies (TS CAPs)

Terminal Services connection authorization policies (TS CAPs) must be created after the TS Gateway role service has been installed. The purpose of TS CAPs is to set conditions that remote users must meet in order to gain access to a TS Gateway server. You can set criteria such as whether users connecting must be a member of a particular security group, whether computers requesting a connection must be a member of a security group, and whether some or all device redirection is disabled. Policies are listed in numerical order in TS Gateway Manager. Access to the TS Gateway server is granted by the first policy whose conditions are all met. For example, if a remote client does not meet the requirements of the first TS CAP in the list, it will move to the second TS CAP and will keep going down the list until it locates a TS CAP whose requirements it matches. If a remote client does not meet the requirements of any TS CAP in the list, TS Gateway denies access. Exercise 2.19 shows you how to create a TS CAP for the TS Gateway server.

Exercise 2.19

Creating a TS CAP for the TS Gateway Server

Follow these steps to create a TS CAP for a TS Gateway server.

1. Open TS Gateway Manager. Click Start > Administrative Tools > Terminal Services > TS Gateway Manager.


2. Expand the TS Gateway server.

3. Expand Policies and click Connection Authorization Policies.

4. In the Actions pane, click Create New Policy and select Custom.

5. On the General tab, type the name of the policy, and verify that Enable This Policy is checked.

6. On the Requirements tab, check the Supported Windows authentication methods, either Password or Smart Card or both.

7. In User Group Membership, click Add Group to specify the user group(s) that can connect to the TS Gateway server. Note that at least one user group must be listed.


8. In Client Computer Group Membership, click Add Group if computer groups are going to be used. Computer groups are optional.

9. On the Device Redirection tab, enable or disable the redirection for client devices. The following screen shot shows one possible configuration for device redirection.


10. Click OK.

11. The policy will appear in the Connection Authorization Policies pane.

Creating Terminal Services Resource Authorization Policies (TS RAPs)

Like TS CAPs, Terminal Services resource authorization policies (TS RAPs) also must be created after the TS Gateway role service has been installed. The purpose of TS RAPs is to specify computers that remote users can connect to through the TS Gateway server. A TS RAP associates specific user groups with computer groups, which grants access to the computers listed in the group. For example, members of the Accounting Users user group are allowed to connect only to computers that are members of the Accounting Computers computer group. Exercise 2.20 shows you how to create a TS RAP for the TS Gateway server.

Remote users connecting through a TS Gateway server are granted access only when they meet at least one TS CAP and one TS RAP.
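The access decision described in the last two sections, as an added example that is not from the book: a simplified Python model in which TS CAPs are checked in list order, the first match wins, and a TS RAP must then also match. The class and function names, the second policy in each list, the host names and the HR Users and Managed Laptops groups are constructed for illustration; TS_CAP_01, TS_RAP_01 and the Accounting groups reuse names from the text.

```python
from dataclasses import dataclass
from typing import Optional

ANY_COMPUTER = None  # models the wizard option "any computer on the network"


@dataclass(frozen=True)
class Cap:
    """TS CAP: conditions a remote user must meet to reach the gateway."""
    name: str
    user_groups: frozenset                  # at least one group must be listed
    auth_methods: frozenset                 # subset of {"password", "smartcard"}
    client_groups: frozenset = frozenset()  # optional computer-group condition
    enabled: bool = True


@dataclass(frozen=True)
class Rap:
    """TS RAP: computers that a user group may reach through the gateway."""
    name: str
    user_groups: frozenset
    computers: Optional[frozenset]          # group members, or ANY_COMPUTER
    ports: frozenset = frozenset({3389})
    enabled: bool = True


@dataclass(frozen=True)
class Request:
    user_groups: frozenset
    client_groups: frozenset
    auth_method: str
    target: str
    port: int = 3389


def cap_matches(cap, req):
    """A CAP matches only when every condition it sets is met."""
    if not cap.enabled or req.auth_method not in cap.auth_methods:
        return False
    if not (cap.user_groups & req.user_groups):
        return False
    # The client computer group is checked only when the policy lists one.
    if cap.client_groups and not (cap.client_groups & req.client_groups):
        return False
    return True


def rap_matches(rap, req):
    if not rap.enabled or not (rap.user_groups & req.user_groups):
        return False
    if req.port not in rap.ports:
        return False
    if rap.computers is ANY_COMPUTER:
        return True
    return req.target.lower() in {c.lower() for c in rap.computers}


def authorize(caps, raps, req):
    """Walk the CAP list in order, then require a RAP for the target."""
    cap = next((c for c in caps if cap_matches(c, req)), None)
    if cap is None:
        return (False, "denied: no TS CAP matched")
    rap = next((r for r in raps if rap_matches(r, req)), None)
    if rap is None:
        return (False, f"denied: {cap.name} matched but no TS RAP matched")
    return (True, f"allowed: {cap.name} + {rap.name}")


def unrestricted_raps(raps):
    """Enabled RAPs that let their user groups reach any computer."""
    return [r.name for r in raps if r.enabled and r.computers is ANY_COMPUTER]


# Constructed sample policies, in the order TS Gateway Manager would list them.
CAPS = [
    Cap("TS_CAP_01", frozenset({"Accounting Users"}), frozenset({"smartcard"})),
    Cap("TS_CAP_02", frozenset({"Accounting Users", "HR Users"}),
        frozenset({"password"}), client_groups=frozenset({"Managed Laptops"})),
]
RAPS = [
    Rap("TS_RAP_01", frozenset({"Accounting Users"}),
        frozenset({"ACCT-TS1", "ACCT-TS2"})),
    Rap("TS_RAP_02", frozenset({"HR Users"}), ANY_COMPUTER),
]

if __name__ == "__main__":
    acct = frozenset({"Accounting Users"})
    for req in (Request(acct, frozenset(), "smartcard", "acct-ts1"),
                Request(acct, frozenset(), "password", "ACCT-TS1"),
                Request(acct, frozenset(), "smartcard", "HR-TS1")):
        print(req.auth_method, req.target, authorize(CAPS, RAPS, req))
    print("RAPs to review:", unrestricted_raps(RAPS))
```

The last function flags policies created with the "any computer on the network" choice from step 12 of Exercise 2.16, which is the setting to review first when a gateway is reachable from the Internet.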

Exercise 2.20

Creating a TS RAP and Specifying Computers

Follow these steps to create a TS RAP for a TS Gateway server and add computers to the policy.

1. Open TS Gateway Manager. Click Start > Administrative Tools > Terminal Services > TS Gateway Manager.

2. Expand the TS Gateway server.

3. Expand Policies and click Resource Authorization Policies.

4. In the Actions pane, click Create New Policy and select Custom.

5. On the General tab, type the name of the policy, add a brief description, and verify that Enable This Policy is checked.

6. On the User Groups tab, click Add to select the user groups.

7. On the Computer Group tab, specify the computer group that the users will connect to through TS Gateway.

8. On the Allowed Ports tab, specify the TCP ports users will be using.

9. Click OK. The new TS RAP appears in the Resource Authorization Policies pane.
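The rule that a connection needs at least one matching TS CAP and one matching TS RAP behaves as a default-deny check. The following Python model is an added example, not code from the book or from Microsoft; the class names, group names, and host names are constructed, and it assumes the only policy conditions are the ones set in Exercises 2.19 and 2.20.

```python
from dataclasses import dataclass


def fs(*items):
    """Shorthand for an immutable set of strings or ports."""
    return frozenset(items)


@dataclass(frozen=True)
class Cap:
    """TS CAP: decides who may connect to the TS Gateway server at all."""
    name: str
    auth_methods: frozenset            # "password", "smartcard", or both
    user_groups: frozenset             # at least one user group is mandatory
    computer_groups: frozenset = fs()  # optional client computer groups
    enabled: bool = True

    def __post_init__(self):
        if not self.user_groups:
            raise ValueError("a TS CAP must list at least one user group")


@dataclass(frozen=True)
class Rap:
    """TS RAP: ties user groups to a computer group and allowed TCP ports."""
    name: str
    user_groups: frozenset
    computers: frozenset               # lower-case members of the computer group
    ports: frozenset = fs(3389)
    enabled: bool = True


@dataclass(frozen=True)
class Request:
    user_groups: frozenset
    auth_method: str
    client_groups: frozenset           # groups the client computer belongs to
    target: str                        # internal computer the user asks for
    port: int = 3389


def matching_cap(req, caps):
    for cap in caps:
        if not cap.enabled or req.auth_method not in cap.auth_methods:
            continue
        if not (req.user_groups & cap.user_groups):
            continue
        # The computer-group condition applies only when the CAP defines one.
        if cap.computer_groups and not (req.client_groups & cap.computer_groups):
            continue
        return cap
    return None


def matching_rap(req, raps):
    for rap in raps:
        if not rap.enabled or not (req.user_groups & rap.user_groups):
            continue
        if req.target.lower() in rap.computers and req.port in rap.ports:
            return rap
    return None


def authorize(req, caps, raps):
    """Default deny: access needs one matching CAP and one matching RAP."""
    cap = matching_cap(req, caps)
    if cap is None:
        return (False, "no TS CAP matched")
    rap = matching_rap(req, raps)
    if rap is None:
        return (False, "no TS RAP matched")
    return (True, f"{cap.name} + {rap.name}")


# Constructed sample policies, following the Accounting example in the text.
CAPS = [
    Cap("Accounting CAP", fs("password", "smartcard"), fs("Accounting Users")),
    Cap("Admins CAP", fs("smartcard"), fs("TS Admins"),
        computer_groups=fs("Managed Laptops")),
]
RAPS = [
    Rap("Accounting RAP", fs("Accounting Users"),
        fs("acct-ts01.example.local", "acct-ts02.example.local")),
    Rap("Admins RAP", fs("TS Admins"),
        fs("acct-ts01.example.local", "hr-ts01.example.local")),
]

if __name__ == "__main__":
    req = Request(fs("Accounting Users"), "password", fs(),
                  "hr-ts01.example.local")
    print(authorize(req, CAPS, RAPS))
```

Because the CAP and the RAP are matched independently, a user who belongs to both Accounting Users and TS Admins passes the password-based Accounting CAP and is then covered by the Admins RAP; check for group overlap when a CAP is meant to enforce smart card logon for a sensitive computer group.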

Configuring the Terminal Services Client for TS Gateway

The client computer must verify and trust the TS Gateway server before a user can complete authentication. The client must have the certificate of the TS Gateway server’s CA in its Trusted Root Certification Authorities store. This is accomplished in a manner similar to importing the CA certificate to TS Gateway, through the use of the Certificates snap-in on the client computer. Remember, if the certificate is issued by a third-party certificate authority, the digital certificate does not need to be added to the client’s Trusted Root Certification Authorities store. In Exercise 2.21, we will walk through the client’s Remote Desktop Connection settings to establish a connection through the TS Gateway server.

Exercise 2.21

Configuring the Terminal Services Client for TS Gateway

Follow these steps to configure RDC connection properties for TS Gateway.

1. Click Start > All Programs > Accessories > Remote Desktop Connection.

2. In the Remote Desktop Connection dialog box, click Options.

3. On the Advanced tab, under the Connect from Anywhere section, click Settings.

4. On the TS Gateway Server Settings page, select the appropriate option.

   • Automatically Detect TS Gateway Server Settings is the default. The option is used if the client is configured to use Group Policy settings. Group Policy settings will be covered in the next chapter.

   • Use These TS Gateway Server Settings is used if the TS Gateway server name or TS Gateway server farm and a logon method are not being enforced by a Group Policy.

   • Do Not Use a TS Gateway Server is used if the client is always connected to the LAN or if the client does not need to pass through a firewall.

5. Click OK.

6. Click Connect to launch the new session.

Configuring Terminal Services Load Balancing

Terminal Services Session Broker (TS Session Broker) is new and improved in Windows Server 2008. Many of you will remember this feature from Windows Server 2003 as Terminal Services Session Directory. In its latest incarnation, it allows users to reconnect to a disconnected session in a load-balanced terminal server farm. TS Session Broker stores session state information, such as session ID and user name, so a user can reconnect and resume work right where they left off even if the user has reconnected from a different client computer. With Windows Server 2003, Session Directory required the Enterprise Edition, but TS Session Broker is available on the Standard Edition of Windows Server 2008 and on Windows Server 2008 Enterprise and Datacenter editions.

Another change to the feature is that Windows Server 2008 has integrated the TS Session Broker Load Balancing feature to include out-of-the-box load balancing designed to replace Microsoft Network Load Balancing (NLB), although TS Session Broker will continue to work with other third-party solutions, like hardware load balancers, and with Microsoft NLB. The final new feature introduced with TS Session Broker is Terminal Server Draining: a terminal server in a TS Session Broker load-balanced terminal server farm can be placed in drain mode (also known as maintenance mode), where users can reconnect to disconnected sessions but not establish new sessions.

Configuring a Terminal Server Farm with TS Session Broker

TS Session Broker Load Balancing works in two stages: DNS Load Balancing (DNS round robin) or Microsoft Network Load Balancing (NLB), followed by a query to the TS Session Broker server to determine user redirection. After the initial connection is made with DNS round robin or NLB, the TS Session Broker checks for the existence of a user session. If the user has an existing session, they will connect back to the same terminal server and continue working in their original session, whereas if there is no existing session, the user will connect to the terminal server that has the fewest sessions and create a new session. To prevent a single server from being overwhelmed by new logon requests, TS Session Broker Load Balancing sets a limit of 16 pending logon requests to any one terminal server. It is important to note that when using DNS round robin, the client will connect to the first DNS record initially but the TS Session Broker service will direct the connection to the appropriate server based on the farm settings.

It is also possible to assign a relative weight value to each server that can help distribute the load of the servers within the terminal server farm. The default relative weight value is 100. When you change the relative weight value to 200, the server with the new value of 200 will receive twice as many connections. This is a way to distribute users to servers that have greater hardware capabilities.
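The redirection decision described above, together with drain mode and the limit of 16 pending logons, can be modeled in Python as follows. This is an added example, not Microsoft's implementation and not code from the book; it assumes relative weight is applied by comparing sessions divided by weight, and the server and user names are constructed.

```python
from dataclasses import dataclass
from fractions import Fraction

MAX_PENDING_LOGONS = 16   # per-server limit on pending logons, from the text
DEFAULT_WEIGHT = 100      # default relative weight, from the text


@dataclass
class TerminalServer:
    name: str
    weight: int = DEFAULT_WEIGHT
    sessions: int = 0         # active plus disconnected sessions
    pending_logons: int = 0   # logons redirected here but not yet completed
    draining: bool = False    # drain mode: reconnects only, no new sessions


class SessionBroker:
    """Stage two of load balancing: decide where a connecting user goes."""

    def __init__(self, servers):
        self.servers = {s.name: s for s in servers}
        self.disconnected = {}   # user name -> server holding the session

    def record_disconnect(self, user, server_name):
        self.disconnected[user] = server_name

    def redirect(self, user):
        # An existing session always wins, even on a server in drain mode.
        home = self.disconnected.pop(user, None)
        if home is not None:
            return home
        # New sessions skip draining servers and servers at the pending limit.
        candidates = [s for s in self.servers.values()
                      if not s.draining
                      and s.pending_logons < MAX_PENDING_LOGONS]
        if not candidates:
            return None
        # Assumption: "fewest sessions" is measured relative to weight, so a
        # weight of 200 absorbs twice the sessions of a weight of 100.
        target = min(candidates,
                     key=lambda s: (Fraction(s.sessions, s.weight), s.name))
        target.sessions += 1
        target.pending_logons += 1
        return target.name

    def logon_complete(self, server_name):
        server = self.servers[server_name]
        server.pending_logons = max(0, server.pending_logons - 1)


def simulate_logons(broker, count):
    """Send `count` new users through the broker, completing each logon."""
    for i in range(count):
        name = broker.redirect(f"user{i}")
        if name is not None:
            broker.logon_complete(name)
    return {s.name: s.sessions for s in broker.servers.values()}


if __name__ == "__main__":
    farm = SessionBroker([TerminalServer("ts-a"),
                          TerminalServer("ts-b", weight=200)])
    print(simulate_logons(farm, 300))
```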

There are some specific requirements to utilize TS Session Broker Load Balancing. The TS Session Broker server and the terminal servers in the farm all must be running Windows Server 2008 to participate in TS Session Broker Load Balancing. All the terminal servers must have identical RemoteApp program lists, they must have the same server configuration, and they must be in the same domain. The client computers must be running RDC 5.2 or later.

Now that you have an understanding of what TS Session Broker Load Balancing is, you need to learn how to deploy it. There are four tasks to complete the install and setup:

1. Install the TS Session Broker role.

2. Add terminal servers in the farm to the Session Directory Computers local group on the TS Session Broker server.

3. Configure the terminal servers to join a farm and participate in load balancing.

4. Configure DNS for TS Session Broker Load Balancing.

You cannot use the TS Session Broker Load Balancing feature on Windows Server 2003 terminal servers.

Installing the TS Session Broker Role Service

The Session Broker server tracks and manages load balancing based on the number of user sessions. Once a TS server reaches the maximum session limit, users will no longer be able to establish sessions with that TS server. The maximum session limit is the maximum number of sessions a particular TS server can host. This setting is disabled by default and has to be configured manually in the Registry by creating and setting the value of the following key: HKLM\System\CurrentControlSet\Control\Terminal Server\UserSessionLimit.

The TS Session Broker server does not have to be a terminal server, but it does have to be a member of the domain. Additionally, the TS Session Broker role can be installed on a domain controller. In Exercise 2.22, you’ll install TS Session Broker.

Exercise 2.22

Installing TS Session Broker

Follow these steps to install TS Session Broker for Windows Server 2008.

1. Open Server Manager. Click Start > Administrative Tools > Server Manager.

2. Right-click Roles > Add Role.

3. Under Select Server Roles, check Terminal Services and click Next.

4. Click Next on the Introduction to Terminal Services page.

5. On the Select Role Services page, check TS Session Broker.

6. Confirm the installation selections and click Install.

7. Confirm the installation results and click Close.

Now that the TS Session Broker has been installed, you need to add the terminal servers to the Session Directory Computers local group. This group is created during the installation of the TS Session Broker role. Exercise 2.23 walks you through the process.

Exercise 2.23

Adding Terminal Servers to the Session Directory Computers Local Group

Follow these steps to add terminal servers to the Session Directory Computers local group.

1. Click Start > Administrative Tools > Computer Management.

2. Expand Local Users and Groups and click on Groups.

3. Open Session Directory Computers.

4. Click Add.

5. In the Select Users, Computers or Groups window, click Object Types.

6. Check Computers.

7. Add the computer accounts for each terminal server.

8. Click OK.

For a TS server to join a TS Session Broker farm, you must know the following:

• TS Session Broker server name or IP address. This is the name or the IP address of the TS Session Broker server.

• TS Session Broker farm name. This is the name of the farm that you want to join.

TS Session Broker uses a farm name to determine which servers are in the farm. The same farm name must be used for all servers that are participating in the same load-balanced farm. In Exercise 2.24, you’ll use the Terminal Services Configuration tool to configure a TS server to join a TS Session Broker farm and to participate in TS Session Broker Load Balancing.

Exercise 2.24

Configuring the Terminal Servers to Join a Farm and Participate in Load Balancing

Follow these steps to configure terminal servers to join a TS Session Broker farm and participate in TS Session Broker Load Balancing.

1. Start Terminal Services Configuration. Click Start > Administrative Tools > Terminal Services > Terminal Services Manager.

2. In Edit Settings, under TS Session Broker, double-click Member of Farm in TS Session Broker.

   • On the TS Session Broker tab, select the Join a Farm in TS Session Broker check box.

   • In the TS Session Broker Server Name or IP Address text box, type the name or the IP address of the TS Session Broker server.

   • In the Farm Name in TS Session Broker text box, type the name of the farm that you want to join in TS Session Broker.

   • In the Select IP Addresses to Be Used for Reconnection list, select the check box next to each IP address that you want to use.

3. Click OK.

The next step in the configuration of TS Session Broker is to configure DNS. Exercise 2.25 shows you how to configure DNS for TS Session Broker Load Balancing.

Exercise 2.25

Configuring DNS for TS Session Broker Load Balancing

Follow these steps to configure DNS for TS Session Broker Load Balancing.

1. Click Start > Administrative Tools > DNS.

2. Expand Server Name.

3. Expand Forward Lookup Zones.

4. Right-click the zone, and select New Host (A or AAAA).

5. In the Name (use parent domain if blank) field, type the terminal server farm name. Do not use the name of an existing server for the farm name.

6. In the IP Address field, type the IP address of the terminal server in the farm.

7. Click Add Host.

8. Click OK when the message stating that the host record was successfully created appears.

9. Add each terminal server that is in the farm. If you have six terminal servers in the farm, you should have six farm entries.

10. Click Done.

Configuring Network Load Balancing

As stated previously, TS Session Broker can also take advantage of Microsoft NLB instead of DNS round robin to distribute clients across the terminal servers. The requirements for NLB are as follows:

• All hosts in the NLB cluster must reside on the same subnet.

• The cluster’s clients must be able to access that subnet.

• All terminal servers in the TS farm are in the same domain.

Just as we did in the section on TS Session Broker Load Balancing, we can break down the installation of TS Session Broker with Microsoft NLB into separate tasks:

1. Set up a terminal server farm with TS Session Broker. Refer to Exercise 2.22 for how to install TS Session Broker. Remember that the IP address used for reconnection must not be the same as the cluster IP address.

2. Install NLB.

3. Create an NLB cluster.

Exercise 2.26 will walk you through the process of installing Microsoft NLB and creating an NLB cluster.

Exercise 2.26

Installing NLB and Creating an NLB Cluster

Follow these steps to install NLB and create an NLB cluster.

1. Open Server Manager. Click Start > Administrative Tools > Server Manager.

2. Right-click Features and choose Add Features.

3. Check Network Load Balancing.

4. Click Next.

5. Confirm the installation selections and click Install.

6. Confirm the installation results and click Close.

7. Open Network Load Balancing Manager. Click Start > Administrative Tools > Network Load Balancing Manager.

8. Right-click Network Load Balancing Clusters and choose New Cluster.

9. Enter the hostname and click Connect.

10. Select the interface you want to cluster.

11. Click Next.

12. In Host Parameters, select Priority (Unique Host Identifier). This value is a unique ID for each host. Click Next.

13. In Cluster IP Address, click Add to enter the IP address that will be shared with all terminal servers in the farm. Click Next.

14. In Cluster Parameter, verify that Unicast is selected and click Next.

15. In Port Rules, click Edit and configure the following:

   • Port Range: 3389 to 3389

   • Protocols: TCP

   • Filtering Mode: Multiple Host

   • Affinity: None

16. Click OK.

17. Click Finish.

18. To add more hosts to the cluster, right-click the new cluster and then click Add Host to Cluster. Do this for every terminal server in the farm.

Summary

In this chapter, we discussed the features, roles, and enhancements in Windows Server 2008 Terminal Services. The first section of this chapter focused on new RDC display features, new device redirection features, and Single Sign-On. The new RDC display features discussed in this chapter include monitor spanning, support for higher resolutions, font smoothing, Display Data Prioritization, and the new Desktop Experience. Device redirection includes Plug and Play device redirection for media players and digital cameras, Microsoft Point of Service (POS) for .NET, and TS Easy Print. We rounded out discussion of Windows Server 2008 features with the topic of Single Sign-On, which is a method of authentication that allows a user to log on only once. All these new improvements in Windows Server 2008 give users options and customization within their sessions that will ultimately improve their experience working in a terminal server environment.

We looked at roles and features included with Windows Server 2008. The section started by introducing TS RemoteApps, which allows users to access applications from their client computer and makes it appear as if the application is running locally. You learned how to install the Terminal Services roles and configure the Remote Programs list through TS RemoteApp Manager as well as export and import the TS RemoteApp settings from one server to another. And we explored the different ways to distribute remote applications using an MSI or RDP file or using a web browser to launch an application through TS Web Access.

This chapter also discussed securing your Terminal Server environment by utilizing TS Gateway. TS Gateway encapsulates Remote Desktop Protocol (RDP) traffic over HTTP with SSL encryption (HTTPS) and provides a secure link for authorized remote users on the Internet to access internal terminal server applications without creating a virtual private network (VPN) connection. We installed and discussed the various roles as well as how to configure a TS Gateway server through the TS Gateway Manager. You learned how to obtain and configure a digital certificate for the TS Gateway server. And you learned how to create TS CAPs and TS RAPs that ensure that the client computers comply with the business’s security standards.

The chapter concluded with a discussion of TS Session Broker and how to provide load balancing to the Terminal Server environment. The TS Session Broker enables users to reconnect to an existing session in a load-balanced environment and evenly distributes the session load across the terminal servers. We explored how to configure and join a TS Session Broker farm using the Terminal Services Configuration utility. Finally, we set up two different options for load balancing with TS Session Broker: DNS Load Balancing and Microsoft NLB. With all the new features, Terminal Services for Windows Server 2008 has made huge leaps over the previous versions. It is a much more appealing offering and a viable solution for many businesses. We believe Microsoft is heading in the right direction with the continuing development of Terminal Services; it will be interesting to see what the next steps in the product’s evolution will be.

Exam Essentials

Know the RDC Client settings. It is important to know all the client setting tabs and how to use the settings. Also remember that there are different client versions and which one works with the appropriate Terminal Services features.

Know how to use TS RemoteApps. TS RemoteApps is a great new feature in Windows Server 2008. Know how to configure and maintain the remote programs list. It’s also important to know how to export and import the RemoteApp settings as well as the different ways to deploy the RemoteApp programs.

Know how to use TS Gateway. TS Gateway is a wonderful way to secure your Terminal Services environment. You should know how to use the TS Gateway Manager to configure and maintain the connections to the TS Gateway server. Also know how to get and configure a digital certificate for your TS Gateway server. Last, know how to configure and maintain your TS CAPs and TS RAPs.

Know TS Session Broker. Know how a user can reconnect to a session and how to set up NLB for a terminal server farm. Remember that there are different ways to accomplish load balancing with TS Session Broker and know how to configure them.

Review Questions

1. What is the default TCP port for the Remote Desktop Protocol?

A. 1337

B. 1494

C. 3389

D. 2598

2. What is the default website for TS Web Access?

A. http://server_name

B. http://ts

C. http://server_name/ts

D. http://server_name/terminal

3. What does TS Gateway require so that it can use SSL to encrypt traffic to remote clients?

A. A valid digital certificate

B. Digitally signed files

C. USB Token

D. Firewall

4. When you’re using TS Web Access, the client must have what version of the Remote Desktop client to establish a connection?

A. 6.0

B. 5.2

C. 3.14

D. 6.1

5. What is the name of the Windows Server 2008 feature that allows users to reconnect to a disconnected session in a load-balanced terminal server farm?

A. TS Gateway

B. TS Session Broker

C. TS Web Access

D. TS RemoteApp

6. True/False: Monitor spanning supports vertical displays.

A. True

B. False

7. So users can take advantage of the Aero desktop when connecting to a remote desktop, what feature must be installed on the Windows Server 2008 computer?

A. High-performance video card

B. Desktop Experience

C. 2GB of memory

D. Updated video drivers

8. True/False: One of the new features for RDC and Terminal Services for Windows Server 2008 is the ability to connect and use a USB drive after a Remote Desktop session has already been established.

A. True

B. False

9. When deploying a TS RemoteApp, what are the two packaging methods? (Choose two.)

A. MSI file

B. MSA file

C. RDP file

D. Zip file

10. What TCP port does TS Gateway use to create a secure connection with the remote client?

A. 1433

B. 443

C. 6453

D. 22

11. What is the command to switch the Terminal Server modes to be able to install an application?

A. change user /execute

B. change user /add

C. change user /install

D. change user /mode

12. When you’re connecting to TS Gateway, what are the two types of policies that a user must match in order to gain access? (Choose two.)

A. TS CAP

B. TS RAP

C. TS SSL

D. TS CAT

13. True/False: Servers in a terminal server farm that participate in Terminal Server Session Broker Load Balancing do not have to be in the same domain.

A. True

B. False

14. Font smoothing is supported on which of the following operating systems? (Choose all that apply.)

A. Windows Vista

B. Windows Vista SP1

C. Windows XP SP3

D. Windows XP SP2

E. Windows Server 2008

15. True/False: Applications listed in the TS RemoteApp Programs list are by default enabled for TS Web Access?

A. True

B. False

16. If the TS RemoteApp server and the TS Web Access server are separate servers, to what local group must the TS Web Access server computer account be added on the TS RemoteApp server?

A. Remote Desktop User

B. TS Web Access Computer Security

C. Administrators

D. Session Directory Computers

17. True/False: TS Session Broker requires Windows Server 2008 Enterprise Edition.

A. True

B. False

18. Single Sign-On is supported on which of the following operating systems? (Choose all that apply.)

A. Windows XP

B. Windows Vista

C. Windows Server 2003

D. Windows Server 2008

19. True/False: The use of ClearType decreases the bandwidth between the client computer and the terminal server.

A. True

B. False

20. What is the new service role for Windows Server 2008 that allows users to access applications without using a published desktop?

A. TS RemoteApp

B. TS Session Broker

C. TS PublishedApp

D. TS Gateway

Answers to Review Questions

1. C. The default port for RDP is 3389. Port 80 is the common port for HTTP traffic. Ports 1494 and 2598 are ports that Citrix Presentation Server uses. Port 1337 is not a common port associated with any application.

2. C. The default website for TS Web Access is http://server_name/ts.

3. A. The digital certificate proves the identity of a remote person or remote resource.

4. D. RDC 6.1 is required to connect to TS Web Access. RDC 6.1 is available on Windows Vista SP1, Windows XP SP3, and Windows Server 2008.

5. B. TS Session Broker allows users to reconnect to a disconnected session in a load-balanced terminal server farm.

6. B. False. Monitor spanning supports only horizontal displays (i.e., side-by-side displays).

7. B. For users to receive the Windows Vista Aero desktop, the Desktop Experience feature must be installed in Server Manager and the Windows Vista theme must be set.

8. A. True. With the Drives I Connect Later setting on the Remote Desktop client, a user can connect a USB drive after the connection has already been established.

9. B, C. In the TS RemoteApp Manager, the only two options available to package a remote application are to create an MSI file or an RDP file.

10. B. TCP port 443 is used to establish an HTTPS connection between the client and the TS Gateway server.

11. C. For an application not packaged with MSI Installer to be installed on a terminal server, the mode must be changed from execute to install. After installation is complete, the mode needs to be changed back to execute.

12. A, B. A user must match at least one policy in each of the TS CAPs and TS RAPs to gain access to the internal terminal servers.

13. B. False. All servers participating in Terminal Server Session Broker Load Balancing have to be in the same domain.

14. A, B, C, D, E. Font smoothing is available for any client running RDC 6.0.

15. A. True. To change the default setting for web access, you have to disable TS Web Access in the programs’ properties in TS RemoteApp Manager.

16. B. To present a published application, the TS Web Access server computer account has to be in the local security group TS Web Access Computer Security on the TS RemoteApp server.

17. B. False. TS Session Broker requires only Windows Server 2008 Standard Edition. In fact, all the terminal server roles are available with the standard edition.

18. B, D. To use SSO, the client must be Windows Vista or another Windows 2008 server, the user must have the appropriate rights to log on, and the client computer and TS server must be in the same domain.

19. B. False. ClearType can increase bandwidth usage by 4 to 10 times compared with terminal servers that have ClearType disabled.

20. A. TS RemoteApp is the new feature that will publish an individual application from the terminal server so it appears as if it is running on the client’s local computer.

Chapter 3

Terminal Services Licensing, Advance Configuration, and Monitoring for Terminal Services

Microsoft Exam Objectives Covered in This Chapter:

• Configure Terminal Services licensing. May include but is not limited to: deploy licensing server, connectivity between terminal servers and Terminal Services licensing server, recovering Terminal Services licensing server, managing Terminal Services client access licenses (TS CALs)

• Configure and monitor Terminal Services resources. May include but is not limited to: allocate resources by using Windows Server Resource Manager, configure application logging

• Configure Terminal Services server options. May include but is not limited to: logoff, disconnect, reset, remote control, monitor, Remote Desktop Protocol (RDP) permissions, connection limits, session time limits, managing by using GPOs, viewing processes, session permissions, display data prioritization

• Configure Terminal Services client connections. May include but is not limited to: connecting local devices and resources to a session, Terminal Services profiles, Terminal Services home folders, Remote Desktop Connection (RDC), single sign-on, Remote Desktop Snap-In, MSTSC.exe

In the previous chapter we discussed the new features of Terminal Services for Windows Server 2008, installed various server roles, and then configured them. These roles give us the functionality we need for users to access their applications remotely, but without proper management of the server roles, a Terminal Server environment can quickly get out of hand and become an administrative nightmare. This chapter shows you how to alleviate headaches by managing TS CALs, how to perform advanced configurations on the clients and servers, and how to customize your Terminal Server environment.

In this chapter, we will cover the following topics:

• Configuring Terminal Services Licensing

• Managing through Group Policy

• Configuring global deployment settings for TS RemoteApp

• Monitoring TS Gateway using TS Gateway Manager

• Resource allocation for Terminal Services

Configuring Terminal Services LicensingTerminal Services Licensing (TS Licensing) is one of those necessary evils that we all want to dismiss, but without proper licensing, your terminal server will stop accepting connec-tions after a period of time. This time period depends on the OS version you are using. What TS Licensing does is manage the client access licenses (TS CALs) that are required of a user or a device to connect to a terminal server. TS Licensing in Windows Server 2008 has some new features that will ease management, enable the administrator to revoke licenses, and provide more effective ways to diagnose licensing issues.

Terminal Services Client Access Licenses (TS CALs)There are two types of client access licenses (CALs), TS Per Device CALs and TS Per User CALs, and they must match the licensing mode that has been configured on the Terminal Services license server. With the Per Device licensing mode, a client computer connecting for the first time is issued a temporary license. At the next connection, the license server verifies that there are enough TS Per Device CALs and issues the client computer a perma-nent CAL. Inversely, TS Per User CALs give users the ability to connect to a terminal server

61705c03.indd 100 6/27/08 10:51:06 AM

Page 147: Sybex   mcts, windows server 2008 applications infrastructure configuration study guide (2008)

Configuring Terminal Services Licensing 101

from any client computer and are not enforced by the TS license server. To ensure that you are complaint with the license terms, you can use the TS Licensing Manager tool to track and generate reports of the TS Per User CALS that have been issued by the TS license server. This will be covered later in the chapter when we learn how to create TS Per CAL usage reports.

Installing TS Licensing and TS Client Access Licenses (CALs)

To use Terminal Services, there must be at least one license server deployed in the environment. As mentioned earlier, there is a licensing grace period within which the license server will issue temporary TS CALs and does not have to be activated. The grace period begins when a terminal server accepts its first client connection and ends when the number of days in the grace period is exceeded or when the first permanent TS CAL is issued by the license server. The length of the grace period is dependent on the OS the terminal server is running (see Table 3.1). Before the grace period ends, the appropriate number of TS CALs must be purchased and installed. A message stating the number of days left in the licensing grace period appears in the lower-right corner of a terminal server’s desktop when an administrator logs on.

TABLE 3.1 Licensing Grace Periods of Terminal Services by OS

Operating System          Grace Period
Windows Server 2008       120 days
Windows Server 2003 R2    120 days
Windows Server 2003       120 days
Windows 2000              90 days

Remote Desktop supports two concurrent connections for remote administration that do not require licenses.

Terminal Services License Server Discovery

Before you install a TS license server, you need to decide on the type of discovery scope you will select during the installation of the TS Licensing role service. Terminal Services license server discovery determines how the license server will be discovered by terminal servers. There are three discovery scopes available: Workgroup, Domain, and Forest. If the TS Licensing role service is being installed on a computer that is not a member of a domain, choose the Workgroup discovery scope. In this scenario, terminal servers and the license servers have to be in the same workgroup and on the same local subnet for the autodiscovery process to work. However, if the license server is later joined to a domain, the discovery scope will be changed from Workgroup to Domain.

Domain and Forest discovery scopes are available only if the TS Licensing service role is installed on servers that are domain members. For terminal servers to automatically discover a license server with the Domain discovery scope, the license server must be installed on a domain controller and the person installing the role must have domain administrator credentials. It is possible to install the TS Licensing role service on a computer that doesn’t serve as a domain controller; however, the terminal servers in the domain will not automatically discover the license server. License servers configured with the Forest discovery scope are published in Active Directory Domain Services, which allows terminal servers within the same forest to discover the license server automatically. To install the license server with the Forest discovery scope, the person installing the role must have enterprise administrator’s credentials. Regardless of the discovery scope type, Domain or Forest, a license server issuing TS Per User CALs must be a member of the Terminal Server License Servers group.

TS servers attempt to contact license servers in the following order:

1. License servers specified in the Terminal Services Configuration tool or through GPOs.

2. License servers installed on the same computer as the TS server.

3. License servers published in Active Directory Domain Services.

4. License servers installed on domain controllers in the same domain as the TS server.

Once you have decided what type of TS CALs to use, purchased the type and number of TS CALs required in the environment, and determined the method of license server discovery, you need to ensure that the license server is supported by the terminal server OS. A terminal server running Windows Server 2008 is able to talk to only a license server running Windows Server 2008. However, a Windows Server 2008 TS Licensing Server supports terminal servers on the following operating systems:

Windows Server 2008

Windows Server 2003 R2

Windows Server 2003

Windows Server 2000

Installing TS Licensing Role Service

Now that we have discussed TS CALs and how Terminal Services License Server Discovery works, you can begin installing the TS Licensing role service (see Exercise 3.1).


EXERCISE 3.1

Installing TS Licensing Role Service

Follow these steps to install the TS Licensing role service:

1. Click Start > Administrative Tools > Server Manager.

2. Right-click Roles and choose Add Roles.

3. On the Select Server Roles page of the Add Roles Wizard, select Terminal Services.

4. Click Next.

5. On the Introduction to Terminal Services page, click Next.

6. On the Select Role Services page, select TS Licensing.


7. Click Next.

8. On the Configure Discovery Scope for TS Licensing page, select the appropriate discovery scope for your installation. Leave the TS Licensing database location as the default, C:\Windows\system32\LServer.


9. Click Next.

10. On the Confirm Installation Selections page, review the TS Licensing information that has been selected.

11. Click Install.

12. On the Installation Results page, verify that the TS Licensing role service installation succeeded.

13. Click Close.

Connecting to the license server in Windows Server 2008 is done through the TS Licensing Manager tool, which is automatically installed when the TS Licensing role service has been installed. However, you can manage the license server from a remote computer running Windows Server 2008 by adding the TS Licensing Manager feature from Server Manager. Exercise 3.2 demonstrates how to install TS Licensing Manager as a feature.

EXERCISE 3.2

Installing TS Licensing Manager as a Feature

Follow these steps to install TS Licensing Manager as a feature in Windows Server 2008:

1. Click Start > Administrative Tools > Server Manager.

2. Right-click Features and choose Add Features.


3. On the Select Features page of the Add Features Wizard, expand Remote Server Administration Tools.

4. Expand Role Administration Tools.

5. Expand Terminal Services Tools.

6. Select TS Licensing Tools.

7. Click Next.

10. On the Confirm Installation Selections page, click Install.

11. On the Installation Results page, verify that the installation of TS Licensing Tools succeeded.

12. Click Close.

13. To start TS Licensing Manager, click Start > Administrative Tools > Terminal Services > TS Licensing Manager.


Activating Terminal Services License Server

As you know, a Terminal Services license server must be activated to issue TS CALs. The activation process uses the Activate Server Wizard within the TS Licensing Manager tool. There are three methods to activate a license server:

Automatic connection. Microsoft recommends using this method to activate the license server. However, it requires an SSL connection (TCP port 443) because the license server will connect to the Microsoft Clearinghouse over the Internet.

Web browser. This method is used when the license server does not have Internet access. A URL to the Microsoft Clearinghouse is displayed in the Activate Server Wizard and accessed through a computer that does have Internet access.

Telephone. This method is used if no Internet access is available. The telephone number is displayed in the Activate Server Wizard after the appropriate country or region is selected.

The following exercise, Exercise 3.3, illustrates the process for activating a TS license server.

EXERCISE 3.3

Activating a TS License Server

Follow these steps to activate a TS license server:

1. Click Start > Administrative Tools > Terminal Services > TS Licensing Manager.

2. Right-click the license server that requires activation and click Activate Server. Notice that the server will have a red X and that Activation Status is set to Not Activated.

3. On the first page of the Activate Server Wizard, click Next.

4. On the Connection Method page, select the appropriate method for your environment.


5. Click Next. (From here it will depend on the method chosen. In this scenario, the chosen method is Web Browser.)

6. On the License Server Activation page, copy the product ID.

7. From a computer with Internet access, use the URL provided to go to the Terminal Server Licensing website.

8. On the Terminal Server Licensing website, select your language and activate a license server.


9. Click Next.

10. Enter all the required information.

11. Click Next.

12. Review and confirm all the information that you provided. Click Next.

13. You will now receive your license server ID, which you enter into the Terminal Server License Server Activation Wizard. Copy or print this web page so that you have the information.

14. At this point you can request the license tokens by clicking Yes. We are going to click No because we will install the tokens in Exercise 3.4.

15. Go back to the TS Licensing Manager and Activate Server Wizard.

16. Enter the license server ID you received from the Terminal Server Licensing website. Refer to step 6 of this exercise.

17. Click Next.

18. On the Completing the Activate Server Wizard page, you will see the status message “The license server has been successfully activated.” Uncheck Start Install Licenses Wizard Now, for we will be installing the TS CALs later.


19. Click Finish.

20. Notice that in the TS Licensing Manager, the red X has changed to a green check mark and the activation status has changed to Activated.

Installing Terminal Services Client Access Licenses

The same three methods you use when you activate a Terminal Services license server apply when installing Terminal Services client access licenses. However, when you’re installing licenses, the Install Licenses Wizard retains the connection method used when you activated the license server. In our case, the connection method is web browser. The connection method can be changed in TS Licensing Manager by right-clicking the appropriate server and selecting Properties. The three methods (automatic connection, web browser, and telephone) are available under the Connection Method tab. You must activate the TS license server and have the license code to install TS CALs. Exercise 3.4 walks you through the process.


EXERCISE 3.4

Install Terminal Services Client Access Licenses

Follow these steps to install TS CALs:

1. Start TS Licensing Manager by clicking Start > Administrative Tools > Terminal Services > TS Licensing Manager.

2. Right-click the license server and choose Install Licenses.

3. On the Welcome to the Install Licenses Wizard page, click Next. Notice that the connection method is Web Browser.

4. On the Obtain Client License Key Pack page, copy the license server ID and go to the Terminal Services Licensing website from a computer with Internet access.


5. On the Terminal Services Licensing website, select the appropriate language and select Install Client Access License Tokens.


6. Click Next.

7. Enter all the required fields, including the license server ID, and select the license program. Notice that there are a number of choices for the license program.

8. Click Next.

9. The license program you chose in step 7 determines what information will be needed on this page. Normally a license code or an agreement number is all that will be required. Also, you must select the type and quantity of TS CALs to install on the license server.


10. Click Next.

11. The web page displays a key pack ID generated by the Microsoft Clearinghouse. Make sure you keep a copy in case assistance is needed recovering TS CALs.

12. Go back to the TS Licensing Manager and the Activate Server Wizard.

13. Enter the license key pack ID you received from the Terminal Server Licensing website. Refer to step 4.

14. Click Next.

15. On the Completing the Install License Wizard page, click Finish. The TS license server can now issue TS CALs to clients.

Configuring License Settings on a Terminal Server

Now that the TS license server has been installed and activated, you can specify the Terminal Services licensing mode and discovery mode. Remember, the TS licensing mode determines the type of TS CALs a terminal server requests for a connecting client; a terminal server must also be configured to match the type of TS CAL available from the TS license server. The discovery mode determines how a terminal server will find the TS license servers so it can request TS CALs for the connecting clients.

Specifying the TS Licensing Mode

The TS licensing mode can be configured in three ways. The first way is to set the licensing mode during the installation of the Terminal Services role (see Figure 3.1).

The second way to configure the TS licensing mode is to use the Terminal Services Configuration tool.

1. Open the Terminal Services Configuration tool by clicking Start > Administrative Tools > Terminal Services > Terminal Services Configuration.

2. In the center frame in the Edit settings area on the General tab, double-click User Logon Mode or right-click User Logon Mode and select Properties.

3. On the Licensing tab, specify the Terminal Services licensing mode, either Per Device or Per User. See Figure 3.2.


FIGURE 3.1 Specifying the licensing mode when installing the TS server role

FIGURE 3.2 Specifying the licensing mode from the Terminal Services Configuration tool


The third way to configure the TS licensing mode is to enable the Set Terminal Service licensing mode group policy. It is important to note that Group Policy settings will take precedence over the settings in the Terminal Services Configuration tool.

1. Open Group Policy Management Editor. This can be done through the Local Group Policy Editor or the Group Policy Management Console.

2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Terminal Server Licensing > Set the Terminal Service licensing mode. See Figure 3.3.

FIGURE 3.3 Terminal Services licensing mode Group Policy

3. Double-click Set the Terminal Service licensing mode.

4. Click Enabled. See Figure 3.4.

5. Specify the licensing mode for the terminal server (Per Device or Per User).

6. Click OK.

Specifying the TS License Server Discovery Mode

The TS license server discovery mode can be set in two ways. The first way is to use the Terminal Services Configuration tool.

1. Click Start > Administrative Tools > Terminal Services > Terminal Services Configuration.

2. In the center frame in the Edit settings area on the General tab, double-click User Logon Mode or right-click User Logon Mode and select Properties.


FIGURE 3.4 Settings for the Set Terminal Services licensing mode Group Policy

3. On the Licensing tab, specify the license server discovery mode. Either select Automatically Discover a License Server or identify a particular server by typing its name within the Use the Specified License Server box.

4. Click OK.

The second way to configure the TS discovery mode is to set it with the Use the specified Terminal Services license servers group policy.

1. Open Group Policy Management Editor. This can be done through the Local Group Policy Editor or the Group Policy Management Console.

2. Navigate to Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Terminal Server Licensing > Use the specified Terminal Services license servers. See Figure 3.5.

3. Double-click Use the specified Terminal Services license servers.

4. Click Enabled and enter the name of the license servers. See Figure 3.6.

5. Click OK.

Tracking the Issuance of Terminal Services Per User Client Access Licenses

New to Windows Server 2008 is the ability to track the TS Per User CALs that have been issued by a TS license server. TS Per User CALs can be tracked only if the terminal server and TS license server are members of a domain. Therefore, Workgroup mode is not supported when tracking and reporting TS Per User CALs. When a user logs into a terminal server, the terminal server checks the license server mode and then checks in with the license server. The license server modifies the terminalServer attribute for the user within Active Directory and the CAL becomes associated with the user account object. This is why the license server must be a member of the Terminal Server License Servers security group in the domain: this group grants the right to modify user attributes within Active Directory. If a license server is going to be used in multiple domains, it must be a member of the Terminal Server License Servers group for each domain. Because the issued Per User CALs are stored in Active Directory Domain Services (AD DS), the only way to obtain the most current information is to create a report using the TS Licensing Manager. Exercise 3.5 walks you through the process of creating a report for TS Per User CAL issuance.

FIGURE 3.5 Specifying the Terminal Services license servers with a Group Policy

FIGURE 3.6 Settings for the Use the specified Terminal Services license servers Group Policy


EXERCISE 3.5

Creating a Report for TS Per User CAL Issuance

Follow these steps to create a TS Per User CAL issuance report:

1. Click Start > Administrative Tools > Terminal Services > TS Licensing Manager.

2. Select the license server. Right-click the server and select Create Report.

3. Click Per User CAL-Usage.

4. Select how the report will search Active Directory. There are three options:

Entire Domain. This will create a report based on the domain in which the license server is a domain member.

Organizational Unit. This will create a report based on a specific OU in the domain in which the license server is a domain member.

Entire Domain and All Trusted Domains. This will only create a report on license servers that are in the Terminal Server License Server security group.

5. Click Create Report. The created report will be in the Reports section under the license server. The report provides the following information:

Report date

Report scope (domain, OU, or all trusted domains)

TS CAL type

Installed TS CALs

TS CALs in use

TS CAL availability


It is also possible to save a report as a comma-delimited file (CSV). To save the report as a CSV, right-click the report and choose Save As. Enter a filename and a location. The CSV file includes additional information about the TS Per User CALs issued, as shown in Figure 3.7.

Issued to User

TS CAL Version

Expires On

FIGURE 3.7 CSV output for TS Per User CAL report
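Because the license server does not enforce TS Per User CALs, the saved CSV is where usage can be checked against what is installed. The following Python script is an added example, not from the book or from Microsoft; it assumes the CSV has a header row with the three columns named above and M/D/YYYY dates, and the sample rows and CONTOSO account names are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample export. The three column names are the ones the chapter
# lists for the CSV file; the row layout, the M/D/YYYY date format and the
# CONTOSO accounts are assumptions made for this example.
SAMPLE_REPORT = """\
Issued to User,TS CAL Version,Expires On
CONTOSO\\alice,Windows Server 2008,9/14/2008
CONTOSO\\bob,Windows Server 2008,8/02/2008
CONTOSO\\carol,Windows Server 2008,7/01/2008
CONTOSO\\dave,Windows Server 2008,9/20/2008
contoso\\Alice,Windows Server 2008,9/14/2008
"""


def parse_report(text, date_format="%m/%d/%Y"):
    """Parse the CSV text into records; fail loudly on a row that cannot be read."""
    records = []
    reader = csv.DictReader(io.StringIO(text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        try:
            user = row["Issued to User"].strip()
            version = row["TS CAL Version"].strip()
            expires = datetime.strptime(row["Expires On"].strip(), date_format).date()
        except (KeyError, AttributeError, ValueError) as exc:
            raise ValueError(f"line {line_no}: cannot parse {row!r}") from exc
        if not user or not version:
            raise ValueError(f"line {line_no}: empty user or CAL version")
        # Windows account names are case-insensitive, so fold case before counting.
        records.append({"user": user.casefold(), "version": version, "expires": expires})
    return records


def audit(records, installed, today, warn_days=14):
    """Compare Per User CALs in use with the installed count for each CAL version.

    installed maps a CAL version to the number of TS Per User CALs installed on
    the license server (read from the report summary). A CAL counts as in use
    while its expiry date has not passed; that rule is an assumption.
    """
    latest = defaultdict(dict)  # version -> {user: latest expiry seen}
    for rec in records:
        seen = latest[rec["version"]].get(rec["user"])
        if seen is None or rec["expires"] > seen:
            latest[rec["version"]][rec["user"]] = rec["expires"]

    soon = today + timedelta(days=warn_days)
    findings = {}
    for version in sorted(set(latest) | set(installed)):
        users = latest.get(version, {})
        active = {u: e for u, e in users.items() if e >= today}
        have = installed.get(version, 0)
        findings[version] = {
            "installed": have,
            "in_use": len(active),
            # The license server does not enforce Per User CALs, so a shortfall
            # only shows up in a report like this one.
            "shortfall": max(0, len(active) - have),
            "expired": sorted(u for u, e in users.items() if e < today),
            "expiring_soon": sorted(u for u, e in active.items() if e <= soon),
        }
    return findings


if __name__ == "__main__":
    result = audit(parse_report(SAMPLE_REPORT),
                   installed={"Windows Server 2008": 2},
                   today=date(2008, 7, 20))
    for version, finding in result.items():
        print(version, finding)
```
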


Revocation of Client Access Licenses

Before Windows Server 2008, there was no way to revoke issued licenses from systems that have been replaced and no way to make those licenses available immediately. Issued licenses would expire in 52 to 89 days, and after that they would become part of the available license pool. To address this, Microsoft has introduced a method to revoke licenses manually in Windows Server 2008. However, there are some small caveats to the revocation process. The revocation process supports only Per Device CALs, and you can revoke only a maximum of 20 percent of a specific version. For example, if you have 100 Windows Server 2008 Per Device CALs and 50 Windows Server 2003 CALs installed on your license server, you can revoke 20 of the Windows Server 2008 CALs and 10 of the Windows Server 2003 CALs; each type of Per Device CAL can be revoked at any time because operating system Per Device CALs are independent of each other. Exercise 3.6 demonstrates the revocation process for Per Device CALs.

Although the CAL revocation is very handy and certainly alleviates some administrative headaches, it is not a substitute for proper planning and ensuring that there are enough CALs for your environment.

EXERCISE 3.6

Revocation of Per Device CALs

Follow these steps to revoke Per Device CALs:

1. Click Start > Administrative Tools > Terminal Services > TS Licensing Manager.

2. Expand the license server for which you want to revoke licenses.

3. Right-click on the CAL you want to revoke and choose Revoke CAL.

4. The revoked CAL is now available. Its status has changed from Active to Revoked.

Terminal Services Licensing Diagnosis

With Windows Server 2008, Microsoft has introduced a Licensing Diagnosis tool that will help manage and identify possible licensing problems by analyzing and highlighting potential terminal server configuration issues. Terminal Services Licensing Diagnosis can also determine the license servers that are discoverable by the Terminal Services server. It can also provide suggested resolutions to specific problems for a license server. Exercise 3.7 shows the procedures to run the Terminal Services Licensing Diagnosis tool.


EXERCISE 3.7

Running Licensing Diagnosis

Follow these steps to run licensing diagnosis:

1. Click Start > Administrative Tools > Terminal Services > Terminal Services Configuration.

2. Click Licensing Diagnosis in the left pane. The Licensing Diagnosis tool automatically discovers the license servers, identifies licensing configuration problems, and displays the results. Licensing Diagnosis is split into four sections:

Terminal Server Configuration Details displays status and configuration information for the Terminal Services server.

Licensing Diagnosis Information displays licensing problems and suggests resolutions.

Terminal Services License Server Information displays license servers that are discoverable by the Terminal Services server.

License Server Configuration Details displays status and configuration information about the TS license server.

How Do I Remotely Administer Windows Server 2008?

Now that you know how to install and configure Terminal Services and TS Licensing, we’ll look at how you connect to remotely administer your servers running Windows Server 2008. Remote administration in Windows Server 2008 is changing. In Windows Server 2003, to remotely connect to a Terminal Services server, you would use RDC with mstsc.exe /console and this would give you access to the console session on the server. With Windows Server 2008, the /console switch is ignored and replaced with the RDC switch mstsc.exe /admin, which will allow you to administer the server. The /admin switch has been introduced with RDC 6.1 and is available only on Windows Server 2008, Windows Vista Service Pack 1, and Windows XP Service Pack 3. To start a remote administration session, you must be a member of the Administrators group on the server. After you start your remote administration session with /admin, the following are true:

There can be two active remote administration sessions and they do not require a TS CAL.

Time zone redirection is disabled.

TS Session Broker redirection is disabled.

Plug and Play device redirection is disabled.

The remote session theme is changed to Windows Classic.

Terminal Services Easy Print is disabled.

Why the change? In Windows Server 2003, all services and some user applications ran in the same session as the first user who logged on to the console, which is called Session 0. Session 0, or console session, is always the first to load and is configured with Windows display, mouse, and keyboard drivers. After creating Session 0, the terminal server calls Windows Session Manager (smss.exe); the Session Manager is what creates and manages all sessions. The Session Manager would then start the Client-Server Runtime Subsystem (csrss.exe), which in turn invokes the Winlogon process (winlogon.exe). The Client-Server Runtime Subsystem manages all the processes and threads for all logon sessions, and Winlogon handles all user logons and logoffs and is responsible for starting the Windows shell, explorer.exe. Winlogon then launches the Local Security Authority Subsystem Service (lsass.exe) and the Service Control Manager (services.exe). The Local Security Authority Subsystem Service is responsible for enforcing the security policies on the system, and the Service Control Manager manages all the Windows services. What does all this really mean? Here’s an example.

In this scenario, we have a service belonging to a particular application and it generates a dialog box that requires user interaction on Session 0, such as click OK or Cancel. The application is now waiting on this user interaction to proceed, and the only way to see the dialog box is to log on with /console. From the perspective of the other clients logged on to the server, the application appears to be hung when in fact it is waiting for a user response. So to alleviate those types of issues, Microsoft has made Session 0 noninteractive in Windows Server 2008, but by doing so, it has made us have to change the way we administer our servers.

How are things different in Windows Server 2008? As in previous versions, the Session Manager (smss.exe) is still the first process created during the boot process. However, the Session Manager now launches a second instance of itself, making a dedicated Session 0 process. This dedicated process in Session 0 then launches the Windows Startup Application (wininit.exe) and a Client-Server Runtime System (csrss.exe) for Session 0. The Client-Server Runtime System exits, but the Windows Startup Application continues by starting the Service Control Manager (services.exe) and the Local Security Authority Subsystem Service (lsass.exe) as well as a new process called the Local Session Manager (lsm.exe). The Local Session Manager administers TS Server connections for the computer. While all this is happening, a console session is also being initialized. Just as with Session 0, the Session Manager creates a new instance and starts the Client-Server Runtime System and the Winlogon process (winlogon.exe). The console’s Winlogon process now launches the Logon User Interface Host (logonui.exe) and displays the Ctrl+Alt+Delete logon to the users.

Managing Terminal Services through Group Policy

A Terminal Services server is different than other servers in that it also acts as a user workstation. In the following sections, we are going to discuss how to utilize Group Policy Objects (GPO) to help administer the Terminal Services server in your environment. The topics that we will discuss include Group Policy settings for Terminal Services, TS Gateway, TS RemoteApp, and TS Session Broker.

Group Policy Settings for Terminal Services

In this section, you’ll learn about some of the generic settings for Terminal Services that will help you administer the server. These include user disconnects, remote control, RDP permissions, connection limits, and session time limits. For simplicity, the section is written with the assumption that you already know the basics of Group Policy and Active Directory configurations. All of the policies for Terminal Services can be found in Group Policy Management Editor under Computer Configuration\Administrative Templates\Windows Components\Terminal Services or under User Configuration\Administrative Templates\Windows Components\Terminal Services. There are a number of policy settings under the Terminal Services location and we will not be able to cover them all, so we will just highlight the most common settings.

We will begin by looking at the policies under Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Connections. These policies are as follows:

Automatic reconnection Enabling this policy allows clients to reconnect to a disconnected session if the network link goes down. By default, the terminal server tries to reconnect every 5 seconds and continues trying up to 20 times. This policy should be used in conjunction with the next policy, Configure keep-alive connection interval.

Configure keep-alive connection interval This policy is a useful setting for networks that are unreliable, such as WAN links, and will set how often, in minutes, the server checks the session state. If this policy is left disabled or not configured, the server will not check the session state. See Figure 3.8.

Figure 3.8 Keep-alive connection interval properties

Set rules for remote control of Terminal Services user sessions This sets the level of remote control for a session. If it’s left disabled or not configured, remote control rules are determined by the Terminal Services Configuration tool. See Figure 3.9.

Restrict Terminal Service users to a remote session This policy can limit the resources used by limiting users to one session on the terminal server. If it’s left disabled, users are allowed unlimited concurrent remote connections.

Figure 3.9 Set rules for remote control of Terminal Services user sessions properties

Some policies can be set in both Computer Configuration and User Configuration. If both policies are set, the Computer Configuration policy takes precedence.

The next set of policies that we will examine is under Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Remote Session Environment:

Limit maximum color depth By setting this policy, you can reduce network bandwidth and also decrease the resource load on the terminal server. The setting specifies the maximum color depth allowed for a session. If Client Compatible is selected, the highest color depth supported by the client will be used. See Figure 3.10.

Figure 3.10 Properties for Limit maximum color depth

Remove “Disconnect” option from Shut Down dialog Enabling this policy removes the Disconnect option from the Shut Down Windows dialog box. The reason for this is to prevent users from disconnecting the session instead of terminating the session. If a session is in a disconnected state, the session continues to run and consume server resources.

After a user connects to a terminal server, it’s a good idea to change their profile path and home directory. This is done through Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Profiles. These policies are as follows:

Set TS User Home Directory Enabling this policy specifies whether Terminal Services uses a network or a local drive for a user’s home directory. You must choose a location on the network or the local machine by designating the location with a UNC path or local drive. If you choose On the Network, you must also specify the drive letter that the user’s session will use.

Use mandatory profiles on the terminal server Enabling this policy allows the terminal server to enforce a mandatory profile for all users connecting to the terminal server. If you enable this policy, you must also enable the Set path for TS Roaming User Profile policy.

Set path for TS Roaming User Profile By default, Terminal Services stores all user profiles locally. Enabling this policy allows the administrator to set a specific network path for roaming user profiles. The profile path is set with a UNC path, \\Computername\Sharename.

Moving down the policy list, the next set will be Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Session Time Limits:

Set time limit for disconnected sessions If this policy is enabled, a time limit for disconnected sessions will be set, and when the time limit is reached the session will be deleted from the server. The policy is useful to ensure that resources are released on the server. See Figure 3.11.

Figure 3.11 Properties for Set time limit for disconnected sessions

Set time limit for active but idle Terminal Services sessions Enabling this policy will put idle sessions into a disconnected state after a period of time. It’s similar to the time limits that are available in the preceding policy.

Set time limit for logoff of RemoteApp sessions Enabling this policy specifies how long a RemoteApp session will remain in a disconnected state before the session is logged off. If this policy is disabled or not configured, a closed RemoteApp will be disconnected from the terminal server.

Before moving on, we need to mention that the TS Session Broker policies are also available in this area. The TS Session Broker policies are located under Computer Configuration\Administrative Templates\Windows Components\Terminal Services\TS Session Broker. Here are the available TS Session Broker policies:

Join TS Session Broker Enabling this policy tells the terminal server to join the farm that is specified in the Configure TS Session Broker farm name policy.

Configure TS Session Broker farm name Enabling this policy specifies the name of the farm for TS Session Broker.

Use IP Address Redirection Enabling this policy specifies the redirection method used when a client reconnects to an existing session. This setting applies to a terminal server that is configured to use TS Session Broker, not the TS Session Broker server.

Configure TS Session Broker server name Enabling this policy specifies the TS Session Broker server that the terminal servers will use to track and redirect user sessions in a load-balanced terminal server farm.

Use TS Session Broker load balancing Enabling this policy specifies whether to use the TS Session Broker load balancing feature. It is important to note that when you enable this policy, you must also enable and configure the Join TS Session Broker, Configure TS Session Broker server name, and Configure TS Session Broker farm name group policies.

To configure the TS Gateway settings through Group Policy, you must use the User Configuration settings for Terminal Services, which are located under User Configuration\Administrative Templates\Windows Components\Terminal Services\TS Gateway. Here are the available TS Gateway policies:

Enable connection through TS Gateway Enabling this policy will cause clients to attempt to connect to the TS Gateway server that is specified in the Set TS Gateway server address policy.

Set TS Gateway authentication method Enabling this policy specifies the authentication method used when a user is connected to a terminal server through a TS Gateway server. If this policy is disabled or not configured, the authentication method specified by the user is used, and if the user has not specified a method, the NTLM protocol that is enabled on the client or a smart card can be used. See Figure 3.12.

Set TS Gateway server address Enabling this policy specifies the address of the TS Gateway server that the clients will use when connecting to a terminal server.

Figure 3.12 Properties for Set TS Gateway authentication method

Configuring Global Deployment Settings for TS RemoteApp

We have already configured the basics to publish a TS RemoteApp. In the following sections, we will discuss the options available for configuring the global deployment settings that apply to all RemoteApp programs. The following settings are global deployment settings:

• Terminal server settings
• TS Gateway settings
• Remote Desktop Protocol (RDP) settings
• Digital signature settings

Configuring Terminal Server Settings

In this section, we will discuss how to configure the following RemoteApp deployment settings:

• Server name
• RDP port
• Remote desktop access
• Access to unlisted programs

The settings in Exercise 3.8 define how users connect to a terminal server to access TS RemoteApp programs.

Exercise 3.8

TS RemoteApp Global Deployment Settings

Follow these steps to configure TS RemoteApp global deployment settings:

1. Click Start > Administrative Tools > Terminal Services > TS RemoteApp Manager.

2. In the Actions pane, click Terminal Server Settings.

3. On the Terminal Server tab under Connection Settings, you can change the server name, RDP port, and whether or not server authentication is required.

4. Under Remote Desktop Access, check Show a Remote Desktop Connection to This Terminal Server in TS Web Access if you would like to provide a link to the full terminal server desktop through TS Web Access.

5. Under Access to Unlisted Programs, choose either Do Not Allow Users to Start Unlisted Programs on Initial Connection or Allow Users to Start Both Listed and Unlisted Programs on Initial Connection. By not allowing users to start unlisted programs, you help protect against users starting a program from an RDP file.

Remember, you can use Group Policy and AD DS to centralize and simplify the administration of the client settings.

Configuring TS Gateway Settings

The TS Gateway settings define how clients will connect to the TS Gateway server when using TS RemoteApp programs on the terminal server, as shown in Exercise 3.9. There are three TS Gateway settings that are configurable:

• Automatically Detect TS Gateway Server Settings.
• Use the TS Gateway Server Settings.
• Do Not Use a TS Gateway Server.

Exercise 3.9

TS RemoteApp TS Gateway Global Deployment Settings

Follow these steps to configure TS RemoteApp’s TS Gateway global deployment settings:

1. Click Start > Administrative Tools > Terminal Services > TS RemoteApp Manager.

2. In the Actions pane, click TS Gateway Settings.

3. On the TS Gateway tab, there are three server settings.

• Automatically Detect TS Gateway Server Settings. If this is selected, the client tries to use Group Policy settings to determine the behavior of the client connection to the TS Gateway server.
• Use These TS Gateway Server Settings. This selection will allow you to configure the TS Gateway server name and logon method. The server name must match the SSL certificate you acquired for the TS Gateway server.
• Do Not Use a TS Gateway Server. Use this selection if the client is not accessing the TS servers from the Internet.

Configuring RDP Settings

Using these RDP selections will specify settings users will get when connecting to a RemoteApp, such as device and resource redirection and some display settings. Exercise 3.10 shows the available user RDP selections.

Exercise 3.10

TS RemoteApp Common RDP Global Deployment Settings

Follow these steps to configure TS RemoteApp’s common RDP global deployment settings:

1. Click Start > Administrative Tools > Terminal Services > TS RemoteApp Manager.

2. In the Actions pane, click Terminal Server Settings and then click the Common RDP Settings tab.


3. Under the Devices and Resources section, you can choose what will be available when a user connects to a remote session:

• Printers
• Disk drives
• Clipboard
• Smart cards
• Supported Plug and Play devices

4. Under User Experience, you can select Allow Font Smoothing as well as the color depth for the remote session.

Configuring Digital Signature Settings

The digital signature settings allow the digital certificate signing of RDP files that are used for RemoteApp connections. By using a server authentication certificate (SSL certificate) or a code signing certificate, you can better protect the server from malicious users and applications. If you’re already using an SSL certificate for a terminal server or TS Gateway server, you can use the same certificate to sign the RDP files. Exercise 3.11 explains how to configure TS RemoteApp Digital Signature global deployment settings.

Exercise 3.11

TS RemoteApp Digital Signature Global Deployment Settings

Follow these steps to configure TS RemoteApp Digital Signature global deployment settings:

1. Click Start > Administrative Tools > Terminal Services > TS RemoteApp Manager.

2. In the Actions pane, click Digital Signature Settings.

3. Select Sign with a Digital Certificate.

4. In the Digital Certificate detail box, click Change.

5. In the Select Certificate dialog box, choose the certificate you want to use.

Monitoring TS Gateway Using TS Gateway Manager

After completing the configuration options for the client connections to TS Gateway, it is important to know how to monitor active connections and look for errors specific to the TS Gateway server. This discussion will be focused on the events that will be logged and how to view active connections using TS Gateway Manager. The discussion will be split into the following topics:

• Specifying TS Gateway events to log.
• Viewing details about active connections through a TS Gateway server.

Specifying TS Gateway Events to Log

The TS Gateway Manager is used to specify the type of events that will be monitored, and when an event does occur, the event can be viewed with Windows Event Viewer. TS Gateway server events are located under Application and Service Logs\Microsoft\Windows\TerminalServices-Gateway. Exercise 3.12 shows how to select which events will be logged as TS Gateway events.

Exercise 3.12

Specifying TS Gateway Events to Log

Follow these steps to specify the TS Gateway events to log:

1. Click Start > Administrative Tools > Terminal Services > TS Gateway Manager.

2. Select the TS Gateway server.

3. Right-click the name of the server and choose Properties.


4. On the Auditing tab, select the appropriate events to monitor.

Table 3.2 shows the name, description, and event ID of the various TS Gateway event types.

Table 3.2 TS Gateway Event Types

Event Name | Description | Event ID
Successful User Disconnection from the Resource | This event allows you to verify the user session time and the amount of data (in kilobytes) that was sent and received by the remote client through the TS Gateway server. | 303: When the client disconnects from the resource; 202: When an administrator disconnects the client
Failed User Connection to the Resource | The client met the conditions for the TS CAP and TS RAP but could not connect to a computer because it was unavailable. | 304
Failed Connection Authorization | The client could not connect because it did not meet the conditions of the TS CAPs. | 201
Failed Resource Authorization | The remote client could not connect to the specified computer because no TS RAPs are configured to allow the user access to it. | 301
Successful User Connection to the Resource | The remote client successfully connected to a computer. | 302
Successful Connection Authorization | The client met the condition of one TS CAP and connected successfully. | 200
Successful Resource Authorization | The client met the condition of one TS RAP and connected successfully. | 300
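The event IDs in Table 3.2 can be used to triage the TS Gateway log by authorization stage. The following PowerShell is an added example, not from the book: the function name, the failure threshold, and the sample records are constructed for illustration, and the channel name in the final comment is an assumption about how the Event Viewer path above is exposed to Get-WinEvent.

```powershell
# Event IDs and meanings from Table 3.2 (TS Gateway Event Types).
$TsGatewayEventMap = @{
    200 = @{ Stage = 'Connection authorization (TS CAP)'; Outcome = 'Success' }
    201 = @{ Stage = 'Connection authorization (TS CAP)'; Outcome = 'Failure' }
    300 = @{ Stage = 'Resource authorization (TS RAP)';   Outcome = 'Success' }
    301 = @{ Stage = 'Resource authorization (TS RAP)';   Outcome = 'Failure' }
    302 = @{ Stage = 'Connection to resource';            Outcome = 'Success' }
    304 = @{ Stage = 'Connection to resource';            Outcome = 'Failure' }
    303 = @{ Stage = 'Disconnection (client)';            Outcome = 'Success' }
    202 = @{ Stage = 'Disconnection (administrator)';     Outcome = 'Success' }
}

# Hypothetical helper: counts successes and failures per stage and marks a
# stage for review when its failure count reaches the threshold.
function Get-TsGatewayEventSummary {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Record,

        # Assumed value; tune it to the normal failure rate of your gateway.
        [int]$FailureThreshold = 3
    )
    begin { $counts = @{} }
    process {
        # Only the Id property of each record is used.
        $info = $TsGatewayEventMap[[int]$Record.Id]
        if ($null -eq $info) { return }   # not one of the Table 3.2 events
        if (-not $counts.ContainsKey($info.Stage)) {
            $counts[$info.Stage] = @{ Success = 0; Failure = 0 }
        }
        $counts[$info.Stage][$info.Outcome] += 1
    }
    end {
        foreach ($stage in ($counts.Keys | Sort-Object)) {
            $c = $counts[$stage]
            New-Object PSObject -Property @{
                Stage   = $stage
                Success = $c.Success
                Failure = $c.Failure
                Review  = ($c.Failure -ge $FailureThreshold)
            } | Select-Object Stage, Success, Failure, Review
        }
    }
}

# Constructed sample records (not real log data): three TS CAP failures in a
# row, one TS RAP failure, and one unreachable target computer.
$sample = 200, 300, 302, 303, 201, 201, 201, 200, 301, 200, 300, 304 |
    ForEach-Object { New-Object PSObject -Property @{ Id = $_ } }

$sample | Get-TsGatewayEventSummary | Format-Table -AutoSize

# On a TS Gateway server, feed the same function from the live log
# (channel name is an assumption, see the lead-in):
# Get-WinEvent -FilterHashtable @{
#     LogName = 'Microsoft-Windows-TerminalServices-Gateway/Operational'
#     Id      = 200, 201, 202, 300, 301, 302, 303, 304
# } | Get-TsGatewayEventSummary
```

Repeated 201 or 301 events point at TS CAP or TS RAP conditions that a client does not meet, while 304 means the policies passed and the target computer was unavailable. The failure events appear only if they are selected on the Auditing tab in Exercise 3.12.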

Viewing Details about Active Connections through a TS Gateway Server

Another use of TS Gateway Manager is to view detailed information about the user connections that have been granted access. Administrators can use the information displayed in the TS Gateway Manager to troubleshoot specific user connection issues. Exercise 3.13 details the steps to view user connection information through TS Gateway Manager as well as the type of information that is displayed.

Exercise 3.13

Viewing User Connection Information through TS Gateway Manager

1. Click Start > Administrative Tools > Terminal Services > TS Gateway Manager.

2. Select the TS Gateway server.

3. Expand the server and select Monitoring. In the Results pane, a summary of the number of connections will be displayed. When you select a connection, the connection detail will appear in the lower pane. For this exercise, disconnect a specific connection or all the connections for a user.

4. To refresh the connections display, click Refresh in the Actions pane. The following information is displayed in the Monitoring pane:

• Connection ID
• User ID
• User Name
• Connected On
• Connection Duration
• Idle Time
• Target Computer
• Client IP Address
• Target Port

Resource Allocation for Terminal Services

Windows System Resource Manager (WSRM) is a feature of Windows Server 2008 that can control how CPU and memory resources are allocated to applications, services, and processes. WSRM is not a feature of Terminal Services, but if it’s used on a terminal server, the ability to control resource allocation will give the users a better experience. This is accomplished through resource allocation policies that determine how computer resources are used. When installed on a terminal server, WSRM presents two policies:

Equal_Per_User CPU allocation is divided into equal shares among the users, and processes created by the user are able to consume only as much as the total CPU allocation reserved for that user.

Equal_Per_Session New to Windows Server 2008, this policy allocates an equal share of CPU resources among each user session.

For example, there is a user that has two sessions running on the same terminal server and a second user running one session. When you use the Equal_Per_User resource allocation policy, the user with two sessions will get the same amount of CPU resources as the user with only one session. If you use the Equal_Per_Session resource allocation policy, the user with two sessions will receive twice the CPU resource allocation as the user with only one session. Exercise 3.14 walks through the process of installing Windows System Resource Manager.

Exercise 3.14

Installing Windows System Resource Manager

Follow these steps to install Windows System Resource Manager:

1. Click Start > Administrative Tools > Server Manager.

2. Right-click Features.


3. Select Add Features.

4. On the Select Features page, select Windows System Resource Manager.

5. A dialog box appears stating that Windows Internal Database also needs to be installed.

6. Click Add Required Features.

7. Click Next.

8. On the Confirm Installation Selections page, click Install.

9. On the Installation Results page, click Close.

Exercise 3.15 demonstrates how to configure WSRM for Terminal Services by setting either the Equal_Per_User or Equal_Per_Session resource allocation policy.

Exercise 3.15

Configuring WSRM for Terminal Services

Follow these steps to configure WSRM for Terminal Services:

1. Start > Administrative Tools > Windows System Resource Manager.

2. On the Connect to Computer page, select This Computer. Click Connect.

3. Expand the Resource Allocation Policies node.

4. Right-click Equal_Per_User or Equal_Per_Session, and then click Set as Managing Policy.

5. A dialog box appears warning that the calendar will be disabled. Click OK.

Summary

In this chapter, we examined various aspects of TS license servers as well as the different deployment configurations for TS RemoteApps. We started the chapter by looking at the various configuration aspects of a TS license server, and then we examined TS CALs and the differences between TS Per User CALs and TS Per Device CALs. Next we discussed the temporary grace period prior to activating a TS license server. After that we studied the TS license server discovery process for workgroups, domains, and forests.

After we discussed the various aspects of TS CALs and the discovery process, we moved on to the actual installation and activation of a TS license server. We first walked through the process of installing the TS Licensing service role and the installation of the TS Licensing Manager tool. We then stepped through the process of activating the TS license server and installing the appropriate TS CALs. Next we looked at the TS Licensing discovery mode and the different ways to configure it.

You then learned how to track and report TS Per User CALs and how to revoke TS device CALs. We looked at some of the more common GPO settings and what value they provided. After that we looked at the different configuration options with the Terminal Server settings, TS Gateway settings, and RDP settings. Finally, we looked at how to monitor TS Gateway and how to control resource allocation in Terminal Services through Windows System Resource Manager.

Exam Essentials

Know the features of Terminal Services licensing. Understand all the different discovery options and the processes to activate the server and TS CALs.

Know TS remote program settings. It is important to understand all the different configuration options that are available in TS RemoteApp Manager.

Know TS Gateway monitoring and events. Remember how to set the event logging features and where to find them when events do occur.

Know Windows System Resource Manager (WSRM). Understand how WSRM is used in a Terminal Services server environment.


Review Questions

1. Which of the following operating systems has the incorrect licensing grace period?

A. Windows Server 2008 - 120 days

B. Windows Server 2003 - 120 days

C. Windows Server 2003 R2 - 120 days

D. Windows Server 2000 - 120 days

2. What are the three ways to activate a TS license server? (Choose three.)

A. Telephone

B. Purchasing the licensing from a retail store

C. Web browser

D. Automatic connection

3. When viewing the user connections through TS Gateway Manager, which of the following information will be displayed? (Choose all that apply.)

A. Connection ID

B. Idle Time

C. Client IP Address

D. User Name

E. Target Computer

4. When configuring the TS Session Broker group policy Use TS Session Broker load balancing, which of the following Group Policy objects must also be configured? (Choose three.)

A. Join TS Session Broker

B. Configure TS Session Broker server name

C. Configure TS Session Broker farm name

D. Use IP Address Redirection

5. TS Licensing Manager can create a TS Per User CAL issuance report by all of the following organizational specifications except which one?

A. Organizational unit

B. Entire domain

C. Work group

D. Entire domain and all trusted domains

6. True/False: To remotely administer Windows Server 2008, the following command is used: mstsc.exe /console.

A. True

B. False


7. True/False: The revocation process works on all TS Per User CALs.

A. True

B. False

8. In TS RemoteApp Manager, it is possible to set the properties a user will receive when connecting to a RemoteApp. Which of the following is not configurable in TS RemoteApp Manager?

A. Supported Plug and Play devices

B. Disk drives

C. COM port

D. Printers

9. When using TS RemoteApp Manager to configure the deployment settings, where can you set the RDP port?

A. Terminal Server tab

B. TS Gateway tab

C. Digital Signature tab

D. Common RDP Settings tab

10. What Windows System Resource Manager resource allocation policy is new to Windows Server 2008 Terminal Services?

A. Equal_Per_Process

B. Equal_Per_User

C. Equal_Per_IISAppPool

D. Equal_Per_Session

11. What are the two ways the Terminal Services discovery mode can be set? (Choose two.)

A. Through the Terminal Services Configuration tool

B. Through TS Licensing Manager

C. Through the Group Policy Management Console

D. Through TS Gateway Manager

12. What is the maximum percentage of Per Device CALs that can be manually revoked?

A. 25%

B. 20%

C. 10%

D. 15%

13. True/False: A TS license server can be remotely administered for any other server running Windows Server 2008.

A. True

B. False


14. How many concurrent administration sessions can be active without requiring a TS CAL?

A. 1

B. 2

C. 3

D. 4

15. True/False: All events for TS Gateway are viewed in the TS Gateway Manager.

A. True

B. False

16. True/False: The GPO Set time limit for disconnected sessions deletes a session when a time limit has been reached.

A. True

B. False

17. Which two discovery scopes are available only if the TS Licensing service role is installed on servers that are domain members? (Choose two.)

A. Workgroup

B. Domain

C. Forest

18. In the TS Licensing Manager, what does a red X on the license server indicate?

A. The server has been activated.

B. The server has not been activated.

C. The server is out of licenses.

D. The server must be restarted.

19. In what order should the following options be to indicate the order in which terminal servers attempt to contact a license server?

A. License server installed on the same computer as the TS server

B. License servers published in Active Directory Domain Services

C. License servers listed in the Terminal Services Configuration tool or group policies

D. License servers installed on domain controllers in the same domain as the TS server

20. Regardless of the discovery scope type, Domain or Forest, a license server issuing TS Per User CALs must be a member of which AD security group?

A. Administrators

B. Remote Desktop Users

C. Terminal Server License Servers

D. Windows Authorization Access Group


Answers to Review Questions

1. D. Windows Server 2000 has only a 90-day grace period before the licensing server becomes inactive. The grace period for all the other operating systems is correct.

2. A, C, D. A licensing server can be activated by automatic connection through the Internet, using a web browser to activate the product ID through a website, or calling the Microsoft Clearinghouse by telephone.

3. A, B, C, D, E. All of the information listed is displayed when you’re viewing user connections through the TS Gateway Manager.

4. A, B, C. The Join TS Session Broker, TS Session Broker server name, and TS Session Broker farm name must also be configured and enabled when the Use TS Session Broker load balancing group policy is configured. Use IP Address Redirection is used to set the method of redirection when the server uses TS Session Broker, not the TS Session Broker server name.

5. C. TS Per User CAL reporting supports only license servers that are in a domain.

6. B. With RDP 6.0, the /console command has been replaced with /admin.

7. B. The revocation process works only on TS Per Device CALs, not TS Per User CALs.

8. C. Supported Plug and Play devices, disk drives, and the printer are configurable in TS RemoteApp Manager. COM port connections are configured in Terminal Services Configuration Manager.

9. A. The Terminal Server tab in the deployment settings is where the RDP port can be changed. All the other tabs are used for other configuration settings.

10. D. Equal_Per_Session allocates an equal share of CPU resources to each user session and is new to Windows Server 2008 Terminal Services. Equal_Per_Process and Equal_Per_IISAppPool are not Terminal Services specific.

11. A, C. The two ways to set the discovery mode are through the Terminal Services Configuration tool or the Group Policy Management Console. TS Licensing Manager is incorrect because it manages the license server itself. TS Gateway Manager has nothing to do with the terminal server license server discovery process.

12. B. The revocation process supports only Per Device CALs and only a maximum of 20 percent of a specific version of a CAL can be revoked.

13. A. Managing the license server from a remote computer running Windows Server 2008 can be done by adding the feature from Server Manager.

14. B. Remote Desktop supports two concurrent connections that do not require licenses for remote administration.

15. B. All TS Gateway events are viewed with Windows Event Viewer and are located under Application and Service Logs\Microsoft\Windows\TerminalServices-Gateway.

16. A. When this policy is enabled, disconnected sessions will reach a time limit and will be deleted from the server. The policy is useful to ensure that resources are released on the server.

17. B, C. Domain and Forest discovery scopes are available only if the TS Licensing service role is installed on servers that are domain members. However, if the licensing server with the Workgroup discovery scope is later joined to a domain, the discovery scope will be changed from Workgroup to Domain.

18. B. When the server changes to a green check mark, it indicates that the license server has been activated.

19. C, A, B, D. Terminal servers first attempt to contact the license server listed in the Terminal Services Configuration tool or group policies. Next, they try to contact the license server installed on the same computer as the TS server. Then they try to contact a license server published in Active Directory Domain Services. Finally, terminal servers try to contact a license server installed on domain controllers in the domain.

20. C. When a user logs into a terminal server, the terminal server checks the license server and the license server then modifies the terminalServer attribute for the user within Active Directory. The CAL then becomes associated with the user account object. This is why the license server must be a member of the Terminal Server License Servers security group in the domain. This group grants the right to modify user attributes within Active Directory.


Chapter 4

Configuring Web Services Infrastructure

Microsoft Exam Objectives Covered in This Chapter:

■ Configure Web applications. May include but is not limited to: directory-dependent; publishing; URL-specified configuration; Microsoft .NET components, for example, .NET and aspx; configure application pools

■ Manage Web sites. May include but is not limited to: migrate sites and Web applications; publish IIS Web sites; configure virtual directories

■ Configure a File Transfer Protocol (FTP) server. May include but is not limited to: configure for extranet users; configure permissions

■ Configure Simple Mail Transfer Protocol (SMTP). May include but is not limited to: setting up smart hosts; configuring size limitations; setting up security and authentication to the delivering server; creating proper service accounts; authentication; SMTP relay


Windows Server 2008 introduces a new version of Internet Information Services (IIS). IIS 7.0 has a completely new management interface and is more flexible and more tightly integrated with the .NET Framework. This chapter will cover how to configure and manage websites, FTP services, and Simple Mail Transfer Protocol (SMTP) servers.

This chapter covers the following topics:

■ Configuring Web applications

■ Configuring a File Transfer Protocol (FTP) Server

■ Configuring Simple Mail Transfer Protocol (SMTP)

Configuring Web Applications

At the heart of IIS are web applications. A web application may not be what you might think it is. In IIS 7.0, a web application is a collection of files that delivers content. It may be a virtual directory with a specific set of files and configuration. Although there are a lot of complex and advanced things IIS can do, creating and managing websites are the most basic tasks. Previous versions of IIS all had very similar management interfaces, and it was a pretty smooth transition between versions for administrators because even though the inner workings of IIS changed, the changes to the management interface were not that significant. In this version, however, both have changed significantly.

The first change that takes some getting used to is that IIS is now based on small single-purposed loadable components called modules. Modules are loaded to add features and functionality. The modules are loaded as role features in Server Manager. Rather than building all of the functionality of IIS into just a couple of core modules, Microsoft provided over 30 built-in modules. Using modules instead of creating a monolithic stack has quite a few advantages:

■ It's easier for administrators to control which modules should be running.

■ Modules can be replaced with custom modules to change behavior and/or add features.

■ Higher security is possible if unnecessary modules are removed because there are fewer possible vulnerabilities.

■ There is less administrative and system resource overhead when unnecessary modules are removed.


To find out more about the available IIS 7.0 modules, go to http://learn.iis.net/page.aspx/101/introduction-to-iis7-architecture/.

First, the type of web applications and the functions required need to be determined. Then, during the installation of IIS, the required modules can be selected.

The second change that takes some getting used to is that all of the IIS configuration is now stored in XML-based files. Gone are the days of the notorious metabase, whose complexity and difficulty plagued administrators trying to run a Web farm in previous versions of IIS.

The following list describes the main configuration settings and which file they are stored in:

■ Global (computer-wide) settings

  ■ System.applicationHost. Contains configuration settings for sites, applications, virtual directories, and application pools.

  ■ System.webServer. Contains configuration settings such as security, HTTP compression, and logging.

■ Website, application, and directory settings

  ■ Web.config (in root of each website or directory).

  ■ Lets you define settings for individual websites, web applications, or directories. You can store this file in the same directory with application code and content. The settings can be overridden or locked from higher levels.

■ .NET Framework configuration

  ■ %windir%\Microsoft.NET\Framework\<Version Number>\config\machine.config.

  ■ This contains settings for the entire server. The settings are inherited by all other .NET configuration files, including IIS configuration files.

■ ASP.NET configuration

  ■ %windir%\Microsoft.NET\Framework\<Version Number>\config\web.config

  ■ This defines the default settings for individual websites, web applications, or directories. This file can also be stored in the same directory with the application code and content.

■ FTP settings

  ■ Original version is stored in IIS 6.0–style metabase.bin.

  ■ Updated version is stored in %windir%\system32\inetsrv\config\ApplicationHost.config.

Knowing where settings are stored is important as you dig further into configuration tasks. This will help to determine how settings affect one another and the object that must be configured.


Installing IIS 7.0

Installing IIS 7.0 is similar to installing other Windows Server 2008 roles. The process is started from within Server Manager and the Add Roles Wizard is used to select the Web Server (IIS) role. If any dependent feature or role service is required, you will be prompted to add it. Exercise 4.1 walks through the basic installation of IIS.

Exercise 4.1

Installing IIS 7.0

Follow these steps to install Internet Information Services (IIS) 7.0:

1. Click Start > Administrative Tools > Server Manager.

2. From the Action menu, choose Add Roles.

3. Click Next on the Before You Begin window.

4. Select Web Server (IIS) from the list of available roles.

5. Click Add Required Features on the modal box that prompts the user to add the features required to support IIS.

6. Click Next on the Select Server Roles page.

7. Click Next on the Web Server (IIS) page.

8. On the Select Role Services page, select any additional role services and any required dependencies (for example, FTP or ASP.NET) that will be required and click Next.


9. Click Install and wait for the installation to complete.

10. Click Close.

Testing the installation is as simple as opening a web browser and typing in http://127.0.0.1. During the installation of IIS 7, a default web page is added to the root directory of the Default Web Site. As shown in Figure 4.1, the displayed default web page confirms that the installation was successful.

Creating and Configuring Websites

Once IIS is installed, the server is able to serve Web content to clients. A default website is created when IIS is installed. It can be modified and used to serve content, and additional websites can be created as long as each site has a unique binding. A basic binding consists of an IP address and a TCP port. The well-known port for Hypertext Transfer Protocol (HTTP), the protocol used to transfer web pages, is 80. Also, the well-known port for Secure Hypertext Transfer Protocol (HTTPS) is 443. HTTPS uses certificates to provide authenticated and encrypted website data. When a website is hosted on TCP port 80, no port needs to be specified in the web browser because if no port is specified, port 80 is assumed. The Default Web Site, created during the installation, is set to bind to port 80 on all IP addresses assigned to the server that aren't already bound to another Web site. A binding configures the server to listen for clients to request information on that IP address and at that port. The Default Web Site bindings, which include the IP addresses and ports the site is bound to, are shown in Figure 4.2.

Figure 4.1 The displayed default web page confirming installation was successful

Figure 4.2 Default Web Site bindings

Creating a New Website from Internet Information Services (IIS) Manager

To create a new website from Internet Information Services (IIS) Manager, select the Sites node underneath the local server from the Connections pane and then click the Add Web Site option in the Actions pane. You will be prompted to provide a name for the website, the path to where the content will be stored, and the IP binding information.

When you're adding websites to a server, you will need to provide a binding that is unique among the websites that are already configured. It is possible to bind additional sites at other unused TCP ports; however, this is not a recommended solution, especially for websites accessible from the Internet. In most cases, another IP address can be added to the network adapter of the server, and that IP address can be bound to the new site.

For example, WebServer1 has a base IP address of 192.168.19.66 and the Default Web Site is already hosting content. To add another site, you can add another available IP address to the server, like 192.168.19.91, and then the new website can be created with a binding for the new IP address and port 80, as shown in Figure 4.3.

Figure 4.3 Viewing website bindings

Using Host Headers

There is actually one more way to create a unique binding, by using what are called host headers. Host headers allow multiple sites to share a single IP address and port for sites that do not require Secure HTTP connections. IIS listens for connections on the assigned IP address and port and then inspects the Uniform Resource Locator (URL) requested. It then directs the request to the website with the configured binding information. Since host headers rely on the name in the URL, the name of the site must resolve in DNS to the server IP address. Many low-cost web-hosting companies employ host headers to reduce the number of IP addresses that are needed. As mentioned, however, HTTPS does not support host headers, so if any site on the server requires HTTPS, a dedicated IP address should be assigned.

In Exercise 4.2, you will be creating a second website using host headers for a help desk application called helpdesk.mcts.local on an internal Web server. The DNS entry for helpdesk.mcts.local has already been created.

Exercise 4.2

Creating a Site Using Host Headers

Follow these steps to create a site using host headers:

1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.

2. In the Connections pane, select Sites under the server name.

3. In the Actions pane, click Add Web Site.

4. In the Add Web Site dialog box, type the following information:

■ Site name: help desk

■ Physical Path: C:\inetpub\helpdesk

■ Host name: helpdesk.mcts.local

5. Click OK.
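The binding rules from this section (each site needs a unique binding, and HTTPS sites should not rely on host headers) can be checked against the XML configuration itself. The following Python audit is an added example, not code from the book or from IIS. The configuration is a constructed sample built from the chapter's names and addresses, the "shop" and "helpdesk copy" sites are invented to trigger the checks, and the precedence used in `route` (host name match first, then a specific IP over `*`) is a simplified model stated as an assumption.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of the <sites> section of applicationHost.config.
# "shop" and "helpdesk copy" are invented sites that violate the chapter's rules.
SAMPLE_CONFIG = """
<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <bindings>
          <binding protocol="http" bindingInformation="*:80:" />
        </bindings>
      </site>
      <site name="help desk" id="2">
        <bindings>
          <binding protocol="http" bindingInformation="*:80:helpdesk.mcts.local" />
        </bindings>
      </site>
      <site name="shop" id="3">
        <bindings>
          <binding protocol="http" bindingInformation="192.168.19.91:80:" />
          <binding protocol="https" bindingInformation="192.168.19.91:443:shop.mcts.local" />
        </bindings>
      </site>
      <site name="helpdesk copy" id="4">
        <bindings>
          <binding protocol="http" bindingInformation="*:80:HelpDesk.mcts.local" />
        </bindings>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"""


def load_bindings(config_xml):
    """Return (site, protocol, ip, port, host) for every binding in the config."""
    root = ET.fromstring(config_xml)
    bindings = []
    for site in root.iter("site"):
        for b in site.iter("binding"):
            # bindingInformation is "IP:port:host"; rsplit keeps a bracketed
            # IPv6 address in one piece. Host names compare case-insensitively.
            ip, port, host = b.get("bindingInformation").rsplit(":", 2)
            bindings.append((site.get("name"), b.get("protocol"), ip, int(port), host.lower()))
    return bindings


def find_conflicts(bindings):
    """Same IP, port and host name on two different sites is not a unique binding."""
    seen = defaultdict(list)
    for site, _proto, ip, port, host in bindings:
        seen[(ip, port, host)].append(site)
    return {key: sites for key, sites in seen.items() if len(set(sites)) > 1}


def https_with_host_header(bindings):
    """The chapter states HTTPS does not support host headers; list such bindings."""
    return [(site, host) for site, proto, _ip, _port, host in bindings
            if proto == "https" and host]


def route(bindings, ip, port, host_header):
    """Pick the site that would answer a request (simplified model, see lead-in)."""
    host = host_header.split(":")[0].lower()  # drop an optional ":port" suffix
    candidates = [b for b in bindings
                  if b[3] == port and b[2] in (ip, "*") and b[4] in (host, "")]
    if not candidates:
        return None
    # Assumed precedence: host name match first, then specific IP over "*".
    candidates.sort(key=lambda b: (b[4] != host, b[2] != ip))
    return candidates[0][0]


if __name__ == "__main__":
    found = load_bindings(SAMPLE_CONFIG)
    print("conflicts:", find_conflicts(found))
    print("https + host header:", https_with_host_header(found))
    print("helpdesk request ->", route(found, "192.168.19.66", 80, "helpdesk.mcts.local"))
```

A request whose Host value matches no named binding falls through to the site with a blank host name on that IP address and port, which is why the Default Web Site answers requests made by raw IP address.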

Configuring Virtual Directories

Virtual directories are directories underneath the root of the site. They might contain distinct web applications or just additional content, much like directories on a hard drive. If the root site is www.microsoft.com, a virtual directory might be /windows. To connect to this virtual directory and view the content, the end users would specify www.microsoft.com/windows. Virtual directories can be located on a different drive or network share than the root of the site, and certain configuration settings can be adjusted. Virtual directories can also be nested; for example, at www.microsoft.com/windows/downloads, /downloads is a nested virtual directory underneath the /windows virtual directory.

To create a virtual directory, do this in the Connections pane:

1. Right-click on the website or virtual directory underneath which you’re creating the new virtual directory.

2. Choose Add Virtual Directory.

3. From there, you will be prompted to provide a virtual directory name and the physical path to the files.

Similar to virtual directories in function are web applications. They are created in the same way, although unlike virtual directories, applications contain another set of content as well as code. To configure how the code will run, you create an application in IIS.

Configuring Redirection

Redirection is used to send users from one site or URL to a new URL. In previous versions of IIS, redirecting a site or directory was as easy as modifying the virtual directory or website settings. This is especially useful during migrations and software upgrades. Often companies will change their websites to add fresh content or a new look. This can break the old links that customers have saved. One way to help users trying to navigate to old links is to use a redirect to guide them to the new URL.

Since IIS 7.0 is modular, the first step to enable redirection is to install the HTTP Redirection module. Exercise 4.3 shows the steps required. This exercise specifically installs the HTTP Redirection module; to install other modules, follow the same steps but choose the module that is required.

Exercise 4.3

Installing IIS Modules

Use the following steps to install an IIS module:

1. Click Start > Administrative Tools > Server Manager.

2. In the Server Manager pane, select Web Server under Roles.

3. In the Content pane, click Add Role Services.

4. Select the module or modules that need to be installed. In this case, select HTTP Redirection under Common HTTP Features (Installed) and click Next.


5. Confirm the selections and click Install.

6. Click Close.

Once the HTTP Redirection module is installed, a new HTTP Redirect option will be available for each website, virtual directory, and web application. This option is shown in Figure 4.4.

The options for redirecting using the HTTP Redirection module are shown in Figure 4.5:

Redirect Requests to This Destination: This is the URL that the clients will be redirected to. This can be another site, another page, or another virtual directory in the same site.

Redirect All Requests to Exact Destination (Instead of Relative to Destination): This option is selected to redirect to the exact URL listed in the first text box regardless of the original URL. If this option is unchecked, the portion of the request URL after the redirection will be appended to the redirected URL. Leaving this option unchecked would be great if an application was moved from one server to another. If the user requests http://oldserver.sybex.com/books/ExchangeServer.aspx and the redirect was put on the books virtual directory set to http://newserver.sybex.com/books, the user would be redirected to http://newserver.sybex.com/books/ExchangeServer.aspx. This would bring the user to a list of the books they are interested in. If this option was checked in this scenario, the user would be redirected to http://newserver.sybex.com/books and would be given a list of all books rather than what they were looking for.

Figure 4.4 Using HTTP Redirect option

Only Redirect Requests to Content in This Directory (Not Subdirectories): This option can be used when the preceding option is not enabled. When this option is enabled, any requests that are for subdirectories of the redirected directory will not be redirected but will be served by the local web server.

Status Code: There are three options for status code, and they affect the status code that is returned to the browser as it is being redirected.

Found (302): Notifies the browser to request the new location.

Permanent (301): Notifies the browser that this new location is a permanent redirection.

Temporary (307): Notifies the browser that this new location is temporary and allows any HTTP POST request to retain data for the redirection.
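The redirect options above interact, so it helps to run a list of old links through them before a migration goes live. The following Python model is an added example, not code from the book or from IIS: it reads a constructed web.config `<httpRedirect>` element built from the chapter's sybex.com scenario and applies the options as this section describes them. The `/books/archive/` and `/booksellers/` paths and the helper names are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.config for the /books virtual directory on the old server.
WEB_CONFIG = """
<configuration>
  <system.webServer>
    <httpRedirect enabled="true"
                  destination="http://newserver.sybex.com/books"
                  exactDestination="false"
                  childOnly="false"
                  httpResponseStatus="Permanent" />
  </system.webServer>
</configuration>
"""

# Status Code option names and the codes the chapter lists for them.
STATUS_CODES = {"Found": 302, "Permanent": 301, "Temporary": 307}


def load_rule(config_xml):
    """Read the <httpRedirect> element into a plain dictionary."""
    el = next(ET.fromstring(config_xml).iter("httpRedirect"))
    return {
        "enabled": el.get("enabled", "false") == "true",
        "destination": el.get("destination", ""),
        "exact": el.get("exactDestination", "false") == "true",
        "child_only": el.get("childOnly", "false") == "true",
        "status": STATUS_CODES[el.get("httpResponseStatus", "Found")],
    }


def redirect(rule, base_path, request_path):
    """Return (status, Location) for a request, or None when it is served locally."""
    base = base_path.rstrip("/")
    if not rule["enabled"]:
        return None
    if request_path != base and not request_path.startswith(base + "/"):
        return None  # outside the redirected directory, e.g. /booksellers vs /books
    tail = request_path[len(base):]  # "" or "/ExchangeServer.aspx"
    if rule["child_only"] and "/" in tail.lstrip("/"):
        return None  # request for a subdirectory: not redirected
    if rule["exact"]:
        return rule["status"], rule["destination"]  # original path is discarded
    return rule["status"], rule["destination"].rstrip("/") + tail


def check_old_links(rule, base_path, links):
    """Map each saved link to where it ends up, so broken migrations show early."""
    return {link: redirect(rule, base_path, link) for link in links}


def review_rule(rule, receives_posts):
    """Flag option combinations that lose information, per the descriptions above."""
    findings = []
    if rule["exact"]:
        findings.append("exact destination: deep links all land on one URL")
    if receives_posts and rule["status"] != 307:
        findings.append("POST data is retained only with Temporary (307)")
    return findings


if __name__ == "__main__":
    rule = load_rule(WEB_CONFIG)
    old_links = ["/books/ExchangeServer.aspx", "/books/archive/old.aspx", "/booksellers/x"]
    for link, result in check_old_links(rule, "/books", old_links).items():
        print(link, "->", result)
    print(review_rule(rule, receives_posts=True))
```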

Setting Website Limits

When you're hosting a number of websites on one server, it may be advantageous to limit the number of connections a site may have. This will help to limit the amount of resources the site can consume. Restrictions can be set on the following criteria:

■ The amount of bandwidth the website can use.

■ The number of concurrent connections to the website.

■ The time before an inactive connection is disconnected from the server.

Figure 4.5 Configuring an HTTP redirect

The default setting is to not limit the amount of bandwidth or the number of connections to the website; however, the default time-out for idle sessions is 120 seconds. When a bandwidth limit is reached, no additional bandwidth will be available to service requests. Similarly, when a connection limit is reached, new connections cannot be made until the number of sessions falls below the limit. Figure 4.6 shows an example of configuring these settings.

Figure 4.6 Setting website limits


Microsoft .NET Components

Many people who use IIS will leverage the .NET Framework for developing applications. Many of the options set in the Internet Information Services (IIS) Manager tool will modify settings for how .NET components function, such as .NET Compilation, Globalization, Profiles, Roles, Users, Application Pools, and the list goes on and on. The next two sections will cover .NET trust levels and application pools in more detail.

.NET Trust Levels

.NET trust levels set the level of code access security (CAS). Using code access security is a way of controlling the access that an application has as it runs. The rule of thumb is to provide an application with the least amount of access required. Application developers should be able to help qualify the specific actions or functions the application requires, which should help to determine which .NET trust level is required.

Trust levels are configured in the Internet Information Services (IIS) Manager; however, the information is stored in the applicationHost.config file. To set the .NET trust levels, you must select one of the following options:

Full: This option sets unrestricted permissions. The ASP.NET application has permissions to access any resource that is subject to operating system security. All privileged operations are supported.

High: This option sets a high level of code access security so that the application is unable to do any of the following:

■ Run unmanaged code.

■ Write to the event log.

■ Access Message Queuing service queues.

■ Call serviced components.

■ Access data sources.

Medium: This option sets a medium level of code access security that, in addition to the High trust level restrictions, prevents the ASP.NET application from doing any of the following:

■ Access files outside the application directory.

■ Access the Registry.

■ Make network or web service calls.

Low: This option sets a low level of code access security that, in addition to the Medium trust level restrictions, prevents the application from doing any of the following:

■ Write to the file system.

■ Call the Assert method.

Minimal: This option sets a minimal level of code access security so that the application has only execute permissions.

The .NET trust level is set by selecting one of the options in Figure 4.7.

Figure 4.7 Setting the .NET trust level

Configuring Application Pools

An application pool is a collection of web applications that share a worker process or a set of worker processes. An application pool segments the applications so that they are unable to affect applications in other application pools. Although application pools can contain .NET applications, they can also be used to group non-.NET (nonmanaged code) applications as well. Application pools have several real benefits. They allow an administrator to do the following:

■ Dedicate an application pool for applications that require a higher number of resources so that the performance of other applications does not decrease.

■ Isolate unstable applications so when the application fails, it does not also take down other applications.

■ Configure application pools to automatically restart when memory, time, or other performance indicators are met, improving recovery and application stability.

Application pools are configured in the Internet Information Services (IIS) Manager; however, the information is stored in the applicationHost.config file. To create an application pool, select the Application Pools folder in the Connections pane of Internet Information Services (IIS) Manager and then click Add Application Pool from the Actions pane. As shown in Figure 4.8, there are four options in the Add Application Pool dialog box.

Name: This text box is for the name of the application pool that is being created.

.NET Framework Version: This option defines either the version of the .NET Framework that all of the applications in the application pool will run or that no managed code will be used in the application pool.

Managed Pipeline Mode: This option sets whether the application will run in Integrated or Classic mode. If an application is set to Integrated mode, the integrated request-processing pipelines of IIS and ASP.NET will be used to handle requests. If an application is set to Classic mode, the server will process requests through the Aspnet_isapi.dll library, as was done in IIS 6.0. The Classic mode should be used only with legacy applications that do not work in Integrated mode.

Start Application Pool Immediately: This sets whether the application will be started when the Windows Process Activation Service (WPAS) is started. If this is not set, the application pool will need to be started manually before any applications in the pool will run.

Figure 4.8 Creating an application pool

Once an application pool is created, a number of other settings are available to wrangle the applications in the pool into submission. If the applications in the pool are misbehaving due to bad code, database connection problems, or user error, there are a number of methods to have IIS automatically recover from those problems. One way is to set the recycling conditions of the application pool. To configure the recycling conditions in Internet Information Services (IIS) Manager, complete the following steps:

1. Select the Application Pools folder in the Connections pane.

2. Select the application pool that you want to adjust in the Content pane.

3. Click Recycling in the Actions pane.

The options available on the first page of the Edit Application Pool Recycling Settings Wizard are shown in Figure 4.9.

The options are as follows:

Regular Time Intervals (in Minutes): This option specifies the length of time, in minutes, after which the application pool worker process should be restarted. This is ideal for applications that tend to perform worse after a long period of time.

Fixed Number of Requests: This option specifies the number of requests that should be taken by the application pool before recycling the worker process. This is ideal for applications that tend to perform worse after a certain number of requests are handled.

Specific Time(s): This option can be used to specify the time or times that the worker process should be recycled. This is ideal for problematic applications that can benefit from having the worker process restarted at specific times.

Figure 4.9 Edit Application Pool Recycling Settings Wizard

Virtual Memory Usage (in KB): This option can be used to specify the maximum amount of virtual memory that can be used by the worker process before it is recycled. This is ideal for applications that tend to continue to consume memory and perform worse until they are recycled.

Private Memory Usage (in KB): This option can be used to specify the maximum amount of private memory that can be used by the worker process before it is recycled. This is ideal for applications that tend to continue to consume memory and perform worse until they are recycled.

On the second page, you can configure the options selected on the previous page to generate event log entries when the application pool is recycled, as shown in Figure 4.10.

Figure 4.10 The event log settings for recycling events
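Because application pool settings end up in applicationHost.config, pool isolation and recycling can be reviewed from the file rather than dialog by dialog. The following Python audit is an added example, not code from the book or from IIS: it reports which recycling conditions each pool sets, which of those would recycle the worker process without an event log entry, and which pools are shared by more than one site. The configuration is a constructed sample, the pool and site names are invented, and the audit reads only values written in the file (it does not model schema defaults for attributes that are absent).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample; "HelpDeskPool" and the "intranet" site are invented names.
SAMPLE_CONFIG = """
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool">
        <recycling logEventOnRecycle="Time">
          <periodicRestart time="1.05:00:00" />
        </recycling>
      </add>
      <add name="HelpDeskPool" managedPipelineMode="Integrated" autoStart="true">
        <recycling logEventOnRecycle="Time, Schedule">
          <periodicRestart time="00:00:00" requests="50000" privateMemory="512000">
            <schedule>
              <add value="03:00:00" />
            </schedule>
          </periodicRestart>
        </recycling>
      </add>
    </applicationPools>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/" applicationPool="DefaultAppPool" />
        <application path="/legacy" applicationPool="DefaultAppPool" />
      </site>
      <site name="help desk" id="2">
        <application path="/" applicationPool="HelpDeskPool" />
      </site>
      <site name="intranet" id="3">
        <application path="/" applicationPool="DefaultAppPool" />
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"""

# periodicRestart attribute -> logEventOnRecycle flag for the same condition.
NUMERIC_CONDITIONS = (("requests", "Requests"), ("memory", "Memory"),
                      ("privateMemory", "PrivateMemory"))


def enabled_conditions(pool):
    """Recycling conditions explicitly switched on for one <add> pool element."""
    restart = pool.find("recycling/periodicRestart")
    if restart is None:
        return set()
    enabled = set()
    if restart.get("time", "00:00:00") != "00:00:00":  # regular time interval
        enabled.add("Time")
    for attr, flag in NUMERIC_CONDITIONS:               # request and memory limits
        if int(restart.get(attr, "0")) > 0:
            enabled.add(flag)
    if restart.find("schedule/add") is not None:        # specific time(s)
        enabled.add("Schedule")
    return enabled


def audit_pools(config_xml):
    """Per pool: conditions that recycle it, and those that leave no log entry."""
    root = ET.fromstring(config_xml)
    report = {}
    for pools in root.iter("applicationPools"):
        for pool in pools.findall("add"):
            recycling = pool.find("recycling")
            flags = recycling.get("logEventOnRecycle", "") if recycling is not None else ""
            logged = {f.strip() for f in flags.split(",") if f.strip()}
            conditions = enabled_conditions(pool)
            report[pool.get("name")] = {
                "conditions": sorted(conditions),
                "unlogged": sorted(conditions - logged),
            }
    return report


def shared_pools(config_xml):
    """Pools used by more than one site, where one site's failure affects the others."""
    users = defaultdict(set)
    for site in ET.fromstring(config_xml).iter("site"):
        for app in site.findall("application"):
            users[app.get("applicationPool")].add(site.get("name"))
    return {pool: sorted(sites) for pool, sites in users.items() if len(sites) > 1}


if __name__ == "__main__":
    for name, result in audit_pools(SAMPLE_CONFIG).items():
        print(name, result)
    print("shared:", shared_pools(SAMPLE_CONFIG))
```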


Configuring a Web Farm

A web farm is a collection of servers that have the same configuration so they can be load balanced for redundancy and additional performance. In previous versions of IIS, the metabase needed to be restored to each server and then modified extensively, or a custom provisioning tool needed to be leveraged in order to create a Web farm. Products like Microsoft Application Center 2000 tried to address the problem of synchronizing and configuring a web farm, but they were far from perfect. IIS 7 provides true “Robocopy deployment,” the ability to copy a set of files to a share or between servers to configure the websites and application settings.

To create a web farm, you should create a network load balanced cluster so that network traffic is distributed across the servers. (More information about NLB can be found in Chapter 10.) After you create an NLB cluster, the servers need to be configured with the websites that will be hosted.

IIS 7.0 has a built-in feature called Shared Configuration. This allows an administrator to publish the server configuration to a network share for all of the servers to use. The websites can be configured on this one server and then exported to the file share for other servers to use.

To have each of the servers in the web farm use the shared configuration, you need to configure the %windir%\system32\inetsrv\config\redirection.config file to point to the shared configuration. Last, the web content will need to be either on a file share or copied to each web server.

Configuring a File Transfer Protocol (FTP) Server

FTP is used to provide file transfers, usually across the Internet. Permissions can be set to allow all users or specific users to have permissions to files. With all of the advancements made in IIS 7, there was very little time for Microsoft to improve the already feature-sparse FTP services that IIS 6.0 contained before releasing Windows Server 2008. If you are familiar with FTP services in IIS 6.0, you should have no problem working with built-in FTP services for IIS 7. To add FTP services to a server that already has the Web Services (IIS) role installed, you must add the FTP Server Role Service. After installation of the FTP Service, all management is done through the Internet Information Services (IIS) 6.0 Manager. If you are fond of the IIS 6.0 management tools, welcome home.

After the installation of the built-in FTP Server is complete, the Default FTP Site is stopped. To start using FTP, you will need to restart it.


On the same day Windows Server 2008 was released to the public, an update was released for IIS 7.0 to include a more feature-rich version of the FTP Server. Here are some of the key features of this updated version:

Integrated Management: The new IIS Management tools are used to manage the FTP service.

Secure Publishing: FTP over SSL (FTPS) is now supported.

Virtual Host Names: Allows multiple FTP sites with different domain names to be hosted on the same IP address. This is similar to the Web Host Headers functionality.

User Isolation: This feature redirects users to a directory that matches the logon account without having to create a physical directory. This keeps users’ files hidden from each other.

Non-Windows Authentication: This allows IIS Web Manager and ASP.NET Membership accounts to log in and use FTP services. Windows accounts are no longer required.

To install the updated FTP Service for IIS 7.0, you must first install IIS 7.0 without the built-in FTP Publishing Service. Then the installation package can be downloaded from the Microsoft website. The 32-bit installation package for x86 editions of Windows Server 2008 is available here: go.microsoft.com/fwlink/?LinkId=87847. The 64-bit installation package for x64 editions of Windows Server 2008 is available here: go.microsoft.com/fwlink/?LinkId=89114. The following sections will deal specifically with the updated version of the FTP Publishing Service for IIS 7.0.

Configuring Permissions

To configure the permissions that groups of users have, you must use FTP authorization rules. An Allow authorization rule can be applied to the following:

• All Users
• All Anonymous Users
• Specified Roles or user groups
• Specified Users

Also, the group or users that are defined in the authorization rule can be given read or write permissions. These same criteria can be used to deny users from accessing the content as well, as shown in Figure 4.11.

Once a user has access to the files and has been authorized, permissions are based on file system permissions; the file system permissions are combined with the permissions assigned by the authorization rules, and the more restrictive of the two applies. If domain accounts are used to log on to the FTP site, assign the file system permissions as you would for other file shares.

Configuring FTP Site for Extranet Users

One limitation of previous versions of the FTP services was that users outside the company had to have either a local Windows account or a domain account. This was a messy security problem since you really do not want to give FTP users a domain account. The solution is to leverage the IIS 7.0 Management Service or ASP.NET users.

Figure 4.11 Creating an Allow authorization rule

The high-level process for configuring the IIS 7.0 Management Service to handle FTP logons is as follows:

1. Install FTP Service for IIS 7.0.

2. Grant the Network Service read access to the IIS configuration.

3. Add the IIS Management Service Role Service.

4. Create a new FTP site.

5. Configure Basic Authentication.

6. Configure the FTP site to use an IIS 7.0 Manager account.

7. Enable IIS 7.0 Manager authentication.

8. Grant access to the site for an IIS 7.0 Manager account.

9. Create an authorization rule to allow the IIS 7.0 Manager account appropriate permissions to the FTP site.

FTP IPv4 and Domain Restrictions

To restrict which servers can connect to the FTP site at a protocol level, IPv4 and domain restrictions can be used. The default is to allow all unspecified IP addresses to access the FTP server. To change the setting so that all IP addresses are denied except those listed, on the FTP IPv4 Address and Domain Restrictions feature page, click Edit Feature Settings on the Actions pane. This will bring up the dialog box shown in Figure 4.12, where you can choose whether unspecified clients will be allowed or denied.


Figure 4.12 The Edit IPv4 Address and Domain Restrictions Settings dialog box

Also, from this dialog box you can enable domain name restrictions so that domain names can be added to allow and deny lists rather than specifying a specific IP address. Figure 4.13 shows an example of adding a Deny Restriction rule based on a domain name.

Figure 4.13 Adding a Deny Restriction rule based on a domain name

Configuring a Simple Mail Transfer Protocol (SMTP) Server

Simple Mail Transfer Protocol (SMTP) is the email protocol for Internet-based messaging. Just like the built-in FTP services, the SMTP server is largely unchanged from previous versions of IIS. Unlike FTP, however, the SMTP server that has been included in IIS, which is also the base that Exchange 2000 Server and Exchange Server 2003 are built on, has a healthy set of features and excellent performance. To install the SMTP server on a Windows Server 2008 computer, you must install the SMTP Server feature. When the SMTP Server feature is installed, the IIS 6.0 Management tools are also installed because they are required to perform configuration.


Do I Need a Better SMTP Server?

Often people get caught up with judging whether a product works well or not based on its cost. On a number of occasions, customers have tried to determine the best way to send a large amount of legitimate email. One such company was generating a bunch of email messages because of the number of orders its site was processing. A number of SMTP products were reviewed, but IIS was chosen. Using just IIS, the server was able to deliver the entire amount of messages generated by the site, and the company didn’t need to purchase additional hardware or software. If you need a high-performance SMTP server, you should consider IIS.

The SMTP server is a single-purpose message transport agent (MTA); it sends and receives SMTP-based email. It does not generate email, nor does it provide any sort of client connectivity; it just routes email. In the next few sections, we will cover the main areas of the SMTP server that can be configured and when you might want to make the changes.

Configuring General SMTP Virtual Server Properties

The management interface for the SMTP server is basic and straightforward. As shown in Figure 4.14, the left pane lists the SMTP virtual servers that are configured on the connected server. To make changes to the SMTP virtual server, right-click and choose Properties.

Figure 4.14 Configuring the SMTP virtual server


The General tab, shown in Figure 4.15, includes options to bind the SMTP virtual server to a specific IP address and port number, limit the number of connections to the SMTP virtual server, change the idle time-out time, and enable protocol logging.

Figure 4.15 Configuring General properties of the SMTP virtual server

As with websites, it may be important to limit the number of connections and the connection time-out values to keep the SMTP virtual server from negatively impacting other processes on the server. Enabling protocol logging on the SMTP virtual server can aid with troubleshooting delivery problems because it documents the SMTP session information down to the exact information sent and received. These logs are, by default, written in W3C Extended Log format and can be read in any text editor or one of the many W3C log viewers.
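Reading these logs by eye does not scale, so the following added example (not from the book) parses a W3C Extended protocol log and totals the commands the server rejected, per client. The log lines are constructed, and the field selection in each #Fields line is an assumption; the parser uses whatever fields the log itself declares.

```python
"""Summarise rejected SMTP commands from a W3C Extended protocol log."""
from collections import Counter, defaultdict

# Constructed sample, not taken from a real server. The field selection in
# each #Fields line is an assumption; real logs declare their own.
SAMPLE_LOG = """\
#Version: 1.0
#Date: 2008-06-27 11:15:44
#Fields: date time c-ip cs-method cs-uri-query sc-status
2008-06-27 11:15:44 192.0.2.10 EHLO +app01.example.com 250
2008-06-27 11:15:44 192.0.2.10 MAIL +FROM:<orders@example.com> 250
2008-06-27 11:15:45 192.0.2.10 RCPT +TO:<buyer@example.net> 250
2008-06-27 11:16:02 203.0.113.77 EHLO +host.invalid 250
2008-06-27 11:16:02 203.0.113.77 MAIL +FROM:<a@example.org> 250
2008-06-27 11:16:03 203.0.113.77 RCPT +TO:<x1@example.net> 550
2008-06-27 11:16:03 203.0.113.77 RCPT +TO:<x2@example.net> 550
2008-06-27 11:16:04 203.0.113.77 RCPT +TO:<x3@example.net> 550
#Fields: date time c-ip cs-username cs-method cs-uri-query sc-status
2008-06-27 11:20:10 198.51.100.5 - MAIL +FROM:<ops@example.com> 250
2008-06-27 11:20:11 198.51.100.5 - RCPT +TO:<nobody@example.com> 452
2008-06-27 11:20
"""


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the latest #Fields line."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directives can reappear mid-file (for example after a restart),
            # possibly with a different field list, so honour the latest one.
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no schema yet, or a damaged/truncated entry
        # "-" is the W3C placeholder for an empty field.
        yield {k: (None if v == "-" else v) for k, v in zip(fields, values)}


def rejected_commands(entries):
    """Map client IP -> Counter of (verb, status) for 4xx and 5xx replies."""
    summary = defaultdict(Counter)
    for entry in entries:
        ip = entry.get("c-ip")
        verb = entry.get("cs-method")
        status = entry.get("sc-status")
        if not (ip and verb and status and status.isdigit()):
            continue
        if int(status) >= 400:
            summary[ip][(verb.upper(), int(status))] += 1
    return dict(summary)


def refused_recipient_clients(entries, threshold=3):
    """Clients with at least `threshold` RCPT commands refused with a 5xx reply.

    A permanent refusal of RCPT is how a server turns away a recipient it will
    not accept or relay for, so repeated hits from one client deserve a look.
    """
    counts = Counter()
    for ip, per_command in rejected_commands(entries).items():
        for (verb, status), n in per_command.items():
            if verb == "RCPT" and 500 <= status < 600:
                counts[ip] += n
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    log_entries = list(parse_w3c(SAMPLE_LOG))
    for client, commands in rejected_commands(log_entries).items():
        print(client, dict(commands))
    print("repeatedly refused:", refused_recipient_clients(log_entries))
```

The threshold of three refusals is an arbitrary starting point; tune it to the volume of mail the server normally handles.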

Configuring Access

You may need to configure access to the SMTP virtual server to restrict the servers or users that connect to it, to configure the type of authentication used, to enable Transport Layer Security (TLS) encryption, or to restrict the users or servers that can relay email through it. All of these can be accomplished from the Access tab on the virtual server Properties dialog box, as shown in Figure 4.16.

The default authentication method for an SMTP virtual server is Anonymous access. This means that the SMTP virtual server will not accept any sort of logon attempt and that all anonymous users have access to send email to the server. With Basic authentication enabled, the server will accept Windows or domain usernames and passwords in cleartext for authentication. This is discouraged without first requiring Transport Layer Security (TLS) to encrypt the SMTP conversation and the username and password. The last option is Integrated Windows Authentication, which allows Windows to provide credentials without having to pass them in cleartext. The configuration types are shown in Figure 4.17.


Figure 4.16 Configuring access properties on an SMTP virtual server

Figure 4.17 Configuring authentication types

As mentioned in the previous paragraph, TLS is recommended to protect usernames and passwords from being transmitted in cleartext. To use TLS, you must first install a certificate on the server. Once the certificate is installed, it can be assigned to the SMTP virtual server. It is even possible to require that all connections to the SMTP virtual server be encrypted with TLS.
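To verify the result from the client side, this added example (not from the book) reads a server's EHLO reply and reports whether Basic-style logins are on offer before TLS is in place. The replies are constructed samples, and the function names and finding labels are illustrative.

```python
"""Audit an SMTP EHLO reply for logins that would cross the wire unencrypted."""

# LOGIN and PLAIN carry the username and password base64-encoded, which is an
# encoding, not encryption. This is what the text calls Basic authentication.
CLEARTEXT_MECHANISMS = {"LOGIN", "PLAIN"}

# Constructed replies for illustration; host names and sizes are made up.
REPLY_NO_TLS = """\
250-mail.example.com Hello [192.0.2.10]
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-SIZE 2097152
250 OK
"""
REPLY_TLS_OPTIONAL = """\
250-mail.example.com Hello [192.0.2.10]
250-STARTTLS
250-AUTH LOGIN PLAIN
250 OK
"""
REPLY_AFTER_STARTTLS = """\
250-mail.example.com Hello [192.0.2.10]
250-AUTH LOGIN
250 OK
"""


def parse_ehlo(reply):
    """Return {KEYWORD: [parameters]} from a multi-line 250 EHLO reply."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty EHLO reply")
    extensions = {}
    for index, line in enumerate(lines):
        code, separator, rest = line[:3], line[3:4], line[4:].strip()
        if code != "250" or separator not in ("-", " ", ""):
            raise ValueError(f"not a successful EHLO reply line: {line!r}")
        if index == 0:
            continue  # the first line is the server greeting, not an extension
        # Some servers also advertise the legacy form "AUTH=LOGIN"; treat it
        # the same as "AUTH LOGIN".
        if rest.upper().startswith("AUTH="):
            rest = rest.replace("=", " ", 1)
        words = rest.upper().split()
        if words:
            extensions.setdefault(words[0], []).extend(words[1:])
    return extensions


def audit_ehlo(reply, tls_active=False):
    """Return findings as (label, mechanisms) tuples; an empty list is clean.

    tls_active says whether this reply was received after STARTTLS completed.
    """
    extensions = parse_ehlo(reply)
    cleartext = sorted(set(extensions.get("AUTH", [])) & CLEARTEXT_MECHANISMS)
    if not cleartext or tls_active:
        return []
    if "STARTTLS" in extensions:
        # TLS exists but is optional: a client can still log in without it.
        return [("CLEARTEXT_AUTH_BEFORE_STARTTLS", cleartext)]
    return [("CLEARTEXT_AUTH_NO_STARTTLS", cleartext)]


if __name__ == "__main__":
    print(audit_ehlo(REPLY_NO_TLS))
    print(audit_ehlo(REPLY_TLS_OPTIONAL))
    print(audit_ehlo(REPLY_AFTER_STARTTLS, tls_active=True))
```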

It may be that this server is intended only to transfer email between a limited number of servers or between servers on a specific network. If this is the case, connection control can be set to limit the servers that are allowed to connect by IP address or domain name. As shown in Figure 4.18, there are two options for restricting access: either all servers are allowed except those explicitly defined, or no server has access except those explicitly defined.


Figure 4.18 Configuring connection control

Relaying is a term that means sending email to an SMTP server that will forward the message to its destination. The default setting is to not allow any relaying because relaying is what many spammers use to deliver email. If you decide to allow any type of relaying, be careful not to leave any openings that might allow a spammer to use your server for nefarious purposes. That doesn’t mean that relaying is a bad thing; there are a number of legitimate uses. One such use is to have one server in the datacenter that is allowed access to send SMTP email out through the firewall. You will need to allow the authorized SMTP servers to relay through the authorized server. Relay authorization settings are similar to the connection control settings because you can either allow all servers to relay through with a list of exceptions or deny all relays with a list of exceptions, as shown in Figure 4.19.

Figure 4.19 Configuring relay restrictions
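The FTP IPv4 and domain restrictions, SMTP connection control, and SMTP relay restrictions described above all come down to the same two list modes. This added example (not from the book) models both modes and flags relay settings that leave an opening; the class and function names are illustrative, the /16 breadth threshold is an assumption, and the reverse-DNS name is passed in by the caller rather than looked up.

```python
"""Model the two restriction-list modes and audit a relay policy."""
import ipaddress
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    ALL_EXCEPT = "all except the list"  # unspecified clients are allowed
    ONLY_LISTED = "only the list"       # unspecified clients are denied


@dataclass
class RestrictionList:
    mode: Mode
    networks: list = field(default_factory=list)  # "10.1.0.0/24" or "192.0.2.15"
    domains: list = field(default_factory=list)   # "example.com"

    def _listed(self, ip, rdns_name=None):
        address = ipaddress.ip_address(ip)
        for entry in self.networks:
            if address in ipaddress.ip_network(entry, strict=False):
                return True
        if rdns_name:
            name = rdns_name.rstrip(".").lower()
            for domain in self.domains:
                domain = domain.lower()
                # Match on a label boundary so "notexample.com" does not
                # count as being inside "example.com".
                if name == domain or name.endswith("." + domain):
                    return True
        return False

    def permits(self, ip, rdns_name=None):
        listed = self._listed(ip, rdns_name)
        return (not listed) if self.mode is Mode.ALL_EXCEPT else listed


def audit_relay_policy(policy, min_prefix_bits=16):
    """Return findings for a relay restriction list; an empty list is clean."""
    findings = []
    if policy.mode is Mode.ALL_EXCEPT:
        # Anyone not named in the list may relay, which is an open relay
        # with a few exceptions.
        findings.append("UNLISTED_CLIENTS_ALLOWED")
        return findings
    for entry in policy.networks:
        network = ipaddress.ip_network(entry, strict=False)
        if network.prefixlen < min_prefix_bits:
            findings.append(f"BROAD_NETWORK {network}")
    return findings


# Constructed policies for illustration.
DEFAULT_RELAY = RestrictionList(Mode.ONLY_LISTED)  # nothing may relay
DATACENTER_RELAY = RestrictionList(
    Mode.ONLY_LISTED, networks=["10.1.0.0/24", "192.0.2.15"]
)
RISKY_RELAY = RestrictionList(Mode.ALL_EXCEPT, networks=["203.0.113.0/24"])
PARTNER_FTP = RestrictionList(Mode.ONLY_LISTED, domains=["example.com"])

if __name__ == "__main__":
    for label, policy in [("default", DEFAULT_RELAY),
                          ("datacenter", DATACENTER_RELAY),
                          ("risky", RISKY_RELAY)]:
        print(label, policy.permits("198.51.100.1"), audit_relay_policy(policy))
```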

Configuring Message Size and Transfer Limits

The next configuration options are on the Messages tab. These options help to control the size and number of messages that can be delivered. In many cases, the default settings will be adequate because many email systems today provide similar limits to protect the stability of the server and control bandwidth congestion. The configuration settings control the following options for both receiving and sending messages:

• The size of a single message.
• The size of all messages delivered in a single SMTP session.
• The number of messages sent in a single SMTP session.
• The number of recipients in a single email message.
• An email address to send all nondelivery reports.
• The directory to store all email messages that could not be delivered.

These message options are shown in Figure 4.20.

Figure 4.20 Configuring message options

Configuring Delivery Options

There are a number of options that control how email messages are delivered and how long to continue to attempt to deliver messages.

The Delivery tab has the following options:

First Retry Interval: This is the length of time the server waits before attempting to resend a message after the initial failure. This is usually a fairly short time frame because transient problems can cause failures.

Second Retry Interval: This is the length of time the server waits before attempting to resend a message after the second failure.

Third Retry Interval: This is the length of time the server waits before attempting to resend a message after the third failure.

Subsequent Retry Interval: This is the length of time the server waits after the fourth failure, until either the message is delivered or expires.

Delay Notification: This is the length of time a message will sit in the outbound message queue before an email message is sent to the originator of the message notifying them that the message is still queued.

Expiration Timeout: This is the length of time a message can be queued before it is removed.

These settings, shown in Figure 4.21, can greatly affect the number of messages that are queued on the server. If the email being sent is extremely time sensitive, it may not be important to continue to attempt to retry delivery for two days. On the other hand, if the email messages being sent are important, it may be better to increase the expiration time. This allows for the case when a remote server is down for extended maintenance, because the server will queue the mail until either the server is again available or the expiration time-out is reached.

Figure 4.21 Configuring delivery options
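To see what a given set of delivery values means for a message that never gets through, this added example (not from the book) lays out the attempts, the delay notification, and the expiry on one timeline. Apart from the two-day expiration mentioned above, the interval values are sample figures chosen for the example, and the model assumes the first attempt happens as soon as the message is queued.

```python
"""Timeline of delivery attempts for a message whose destination stays down."""


def delivery_timeline(first, second, third, subsequent,
                      delay_notification, expiration):
    """Return sorted (minute, event) tuples; all arguments are in minutes.

    After the nth failed attempt the server waits the nth retry interval,
    and the subsequent interval after the fourth and later failures.
    """
    if min(first, second, third, subsequent) <= 0:
        raise ValueError("retry intervals must be positive")
    waits = [first, second, third]
    events = []
    minute, attempt = 0, 0
    while minute < expiration:
        attempt += 1
        events.append((minute, f"attempt {attempt}"))
        minute += waits[attempt - 1] if attempt <= 3 else subsequent
    # The sender is only told about the delay if the message is still
    # queued at that point, that is, if it has not already expired.
    if delay_notification < expiration:
        events.append((delay_notification,
                       "delay notification sent to originator"))
    events.append((expiration, "expired: removed from queue"))
    return sorted(events, key=lambda event: event[0])


def attempt_times(events):
    """Minutes at which a delivery attempt was made."""
    return [minute for minute, what in events if what.startswith("attempt")]


# Sample values (assumed): 15/30/60/240-minute retries, a 12-hour delay
# notification, and the two-day expiration mentioned in the text.
PATIENT = delivery_timeline(15, 30, 60, 240, 12 * 60, 2 * 24 * 60)

# Time-sensitive mail: same retries, but give up after four hours.
IMPATIENT = delivery_timeline(15, 30, 60, 240, 12 * 60, 4 * 60)

if __name__ == "__main__":
    for minute, what in PATIENT:
        print(f"{minute // 60:02d}h{minute % 60:02d}m  {what}")
    print(len(attempt_times(PATIENT)), "attempts before expiry")
    print(len(attempt_times(IMPATIENT)), "attempts with a four-hour expiry")
```

Multiplying the number of attempts by the number of messages queued for an unreachable domain gives a rough picture of the connection load the retry settings create.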

Outbound Security

We discussed the Access tab in the section “Configuring Access.” The Access tab is where the allowed inbound authentication methods are configured. In this case, the outbound security option on the Delivery tab controls which options will be used to connect to other SMTP servers. The options for outbound security are as follows:

Anonymous: This option provides no user authentication when sending messages. This is the default option and is suitable for most Internet communications.

Basic Authentication: This option allows a user and password to be specified to authenticate against the remote SMTP server. It is important to use TLS encryption to protect the username and password.

Integrated Windows Authentication: This option allows you to select a user from the domain or from the local server to authenticate. This method does not pass cleartext usernames and passwords, but it still should be protected with TLS encryption.

TLS Encryption: This option enables TLS encryption for the session. TLS encryption encrypts the entire session with a certificate on the remote SMTP server.

Outbound Connections

The Outbound Connections option that is available at the bottom of the Delivery tab allows you to configure the number of connections, time-out settings, and the TCP/IP port that will be used for outbound SMTP sessions. Figure 4.22 shows the dialog box that appears when you click Outbound Connections.

Figure 4.22 Configuring outbound connection settings

These settings will normally stay at the default configuration. It may be necessary to modify the number of connections to tweak the number of messages the server can send at one time. It may be that the server and the bandwidth you have can handle more than the 1,000 concurrent outbound connections and can deliver messages more quickly if the limit were increased to 5,000 connections.

Advanced Delivery Options

The advanced delivery options accessed by clicking the Advanced button at the bottom of the Delivery tab are shown in Figure 4.23. These are very powerful options that often require adjusting.

Figure 4.23 Configuring Advanced Delivery options

Maximum Hop Count: This setting helps to prevent email loops. No, the hop count isn’t the number of people that can attend a 1950s dance party; it is the number of times a message can traverse any SMTP server. If the SMTP server receives the message and the email has already traversed the number of servers in the limit, the email will be deleted.

Masquerade Domain: This option can be set to replace the local domain name in the From address field with the domain listed here. This is useful if email from the local server needs to appear as if it comes from another business unit or company.

Fully-Qualified Domain Name: This option is by default the name of the server. The name listed here is what is announced to other SMTP servers, either when a client connects to it or when it is sending email out. This is important because if you are sending email out to the Internet and the internal server reports its name as WebServer10.MyInternalDomain.local, the receiving server has no way to verify whether your server is valid or you are a fly-by-night spammer. It would be better to replace this name with a name that would be able to be resolved by DNS externally, such as email.sybex.com. Some anti-spam vendors will attempt to resolve the sending server’s name in DNS; check to see if that host has an MX record because presumably the server that is sending out email should be listed as a mail server for the domain.

Smart Host: If a smart host is not listed, the server will attempt to deliver the email by looking up the domain names in DNS; however, if a smart host is listed, all email is sent directly to that host or list of hosts for delivery. The check box can also be selected to attempt to use DNS to deliver the message first, and if that is unsuccessful, to send it to the smart host. If you list multiple servers, they should be separated by a comma. If you list servers by their IP address, you must enclose the IP address in brackets, such as, for example, [192.168.19.98].

Perform Reverse DNS Lookup on Incoming Messages: This option is often thought of as being an anti-spam measure, but it is not. It will attempt to perform a reverse DNS lookup on the SMTP client’s IP address to see if it matches the server name announced by the client. If the lookup is successful, the messages remain unchanged. If the verification fails, “unverified” appears after the IP address in the message header. If DNS lookup fails completely, “RDNS failed” will appear in the message header. Since this process is done on all incoming messages, it can have a negative impact on server performance.

LDAP Routing

The default method for delivering SMTP email is to look up the MX records for the destination domain in DNS. Figure 4.24 shows the Lightweight Directory Access Protocol (LDAP) Routing tab in the SMTP virtual server that provides options for using an LDAP server for resolving senders and recipients.

Figure 4.24 Configuring LDAP routing

The following is a list of the options that must be configured to enable LDAP routing:

Server: This option specifies the server that will be used as the LDAP directory. This field should not be necessary when using Active Directory because the server will be able to find the nearest domain controller.

Schema: This option is used to select the directory service that is being used. The available types are as follows:

• Active Directory
• Site Server Membership Directory
• Exchange LDAP Service

Binding: This option sets the binding type. The binding type specifies how the SMTP virtual server is authenticated by the directory service. The available types are as follows:

• Anonymous
• Plaintext
• Windows SSPI
• Service account

Domain: This sets the domain of the account you want to use to bind to the LDAP directory if you are using the plaintext or Windows SSPI binding types.

User Name: This option specifies the distinguished name (DN) of the account being used to bind to the LDAP directory if you are using the plaintext or Windows SSPI binding types.

Password: This sets the password that is used for logging on to the directory service if you are using the plaintext or Windows SSPI binding types.

Base: This option specifies the distinguished name of a container in the directory service that will be searched.

Configuring Domains

When the SMTP Server feature is installed, a default domain is created and placed in the Domains node that is identical to the local server name. This domain is used to route mail. It is possible to create additional domains as well, as shown in Figure 4.25, if custom settings are required. The domain configuration allows a smart host to be configured for specific domains. This may be beneficial if most email should be sent using DNS with the exception of email that is sent to an internal domain that should be sent to a specific server. A domain can also be used to create outbound security settings that are specific for that domain.

Figure 4.25 Configuring an additional domain

Summary

Internet Information Services 7.0 web services have been completely rewritten from IIS 6.0. Improvements have been made to the configuration that include moving configuration to XML-based files from the metabase. This opens up simple and flexible administration. IIS 7.0 web services are also based on modules. Modules are installed to add functionality. Only the required modules are installed, which reduces the demands on server hardware and maintenance. This chapter covered creating websites, applications, virtual directories, and application pools and other configuration tasks.

There are two FTP servers available for Windows Server 2008: the one that comes on the installation media, which is very similar to previous versions, and the downloadable update to the FTP service that fully integrates with IIS 7.0 and provides enhanced functionality such as Secure FTP.

Although the SMTP server is largely unchanged from previous versions, it provides valuable functionality. This chapter covered configuration for sending and relaying email. Although configuration is simple and straightforward, there are a number of settings that can be used to customize how the SMTP server behaves.

Exam Essentials

Know how to add modules. IIS 7.0 has over 30 modules included. To add functionality, you must add modules to IIS.

Know when to use application pools. Application pools are used for application isolation, security, and stability. Know why they are created and some basic settings.

Know how to configure an SMTP server for relay and smart hosts. Know what the SMTP server does and how to configure it to relay email and to send mail to a smart host.

Know what .NET trust levels are. Security is a big problem in today’s environment. Know what the .NET trust levels are and what level of access each provides to .NET code.


Review Questions

1. Which of the following options is used to deliver email when DNS lookup is not available?

A. Assign a masquerade domain.

B. Adjust the fully qualified domain name.

C. Do not perform DNS lookup on incoming messages.

D. Assign a smart host.

2. Which of the following are valid reasons for creating a separate application pool for two web applications? (Choose three.)

A. To keep applications from affecting each other.

B. To reduce overall memory usage.

C. To increase security.

D. To create different recovery settings.

3. What benefits are gained from using modules for IIS 7.0? (Choose two.)

A. Reduced management control

B. Reduced patching requirements

C. Increased flexibility

D. Increased system resource

4. How many built-in modules are available for IIS 7.0?

A. Less than 15

B. 16 to 25

C. 25 to 30

D. More than 30

5. Which configuration file contains the global IIS settings such as website and logging configuration?

A. ApplicationHost.config

B. Web.config

C. Machine.config

D. Metabase.bin

6. Which of the following files contains the settings for the SMTP configuration?

A. ApplicationHost.config

B. Web.config

C. Machine.config

D. Metabase.bin


7. Which of the following TCP/IP ports is used for Secure HTTP communication?

A. 25

B. 80

C. 443

D. 3389

8. You have a web server at your hosting provider and do not have any additional IP addresses to assign. You need to create another website for the company’s marketing department. Which of the following bindings will allow users to access the site from the Internet?

A. Bind the website to 127.0.0.1 on port 80.

B. Bind the website to the same IP address as the original site and use host headers for both.

C. Bind the website to the same IP address as the original and use port 8080.

D. Bind the website to the same IP address as the original and use port 80.

9. A new web server has been deployed with a new domain name. All of the content on the new server is identical to the old server. What should be put in place to notify the user of the new URL?

A. Application pool

B. Virtual directory

C. Redirect

D. Limit

10. Which of the following can be set to limit resources on a website?

A. Bandwidth

B. Concurrent connections

C. Number of pages downloaded

D. CPU usage

11. Which of the following .NET trust levels provides the application with the least restrictions?

A. High

B. Medium

C. Low

D. Minimal

12. To create a web farm, which of the following steps must be taken? (Choose all that apply.)

A. Create a redirection.config file for each node.

B. Create a load-balanced cluster.

C. Provide each node with access to the website code.

D. Export a valid configuration to a network share for all nodes to use.


13. To restrict connections that can be made to an FTP server based on a DNS name, what must be enabled?

A. IIS Management

B. FTP authorization rules

C. Domain name restrictions

D. TLS encryption

14. To protect plaintext usernames and passwords in an SMTP session, what also must be enabled?

A. Basic authentication

B. LDAP routing

C. TLS

D. Anonymous authentication

15. Which setting will configure the number of times an email has been sent through a server before it is removed?

A. Hop Count

B. Expiration Time-Out

C. Delay Notification

D. Smart Host

16. Which of the following options acts as an anti-spam filter?

A. Smart host

B. Masquerade domain

C. Performing reverse DNS lookup on incoming messages

D. None of the above

17. Which of the following are new features of FTP for IIS 7.0? (Choose three.)

A. Download resume

B. Secure FTP

C. Virtual hostnames

D. User isolation

18. After installing the built-in version of FTP Server, what must be done to use the Default FTP Site?

A. Create the Default FTP Site.

B. Start the Default FTP Site.

C. Start the FTP service.

D. Reboot the server.


19. Which of the following tools can be used to create a Windows Server 2008 web farm?

A. Microsoft Application Center

B. Robocopy

C. Microsoft Operations Manager

D. Server Manager

20. How do you install IIS 7.0 modules?

A. Add a feature.

B. Add a role.

C. Add a role service.

D. Windows Update.


Answers to Review Questions

1. D. A smart host defines a server that can be used to deliver messages.

2. A, B, D. Creating two application pools allows segregation of the applications to a point where they should not be able to affect each other or access each other’s data, which improves security. Also, separate application pools allow different recovery settings to be chosen. Creating separate application pools does not decrease the overall memory usage for the server.

3. B, C. Using modules to build IIS 7.0 allows administrators to install only the modules required; only the modules installed will need to be patched. Also, since modules can be replaced with custom-written functionality, they are very flexible.

4. D. There are more than 30 built-in IIS modules.

5. A. The ApplicationHost.config file contains the global IIS settings.

6. D. The SMTP server still uses the legacy metabase.bin file to store configuration information.

7. C. TCP/IP port 443 is used for HTTPS communications.

8. B. Host headers allow multiple sites to be bound to the same IP address and port and both function. Although binding the site to a nonstandard port will work, it is not best practice because websites running on nonstandard ports require a user to know the port.

9. C. A redirect can notify the end user of the new server name.

10. A, B. Both the amount of bandwidth and the number of active connections can be limited in IIS.

11. A. The High .NET trust level provides a high level of trust for the application and has fewer limits on what the application can do.

12. A, B, C, D. All of these steps must be taken to create a web farm.

13. C. To allow DNS lookups for connection restrictions, domain name restrictions must be enabled.

14. C. Transport Layer Security (TLS) provides encryption of the SMTP session.

15. A. The hop count controls the number of times an email can traverse a server before it is removed.

16. D. There are no built-in anti-spam features in the SMTP server that comes with IIS.

17. B, C, D. Secure FTP, virtual hostnames, and user isolation are all new features. This version of FTP still does not have download resume.


18. B. With the built-in version of the FTP Server, the installation creates the Default FTP Site; however, it must be started to begin to function.

19. B. Now that IIS 7.0 is based on text files, Robocopy can be used to create a web farm. Application Center is not supported on Windows Server 2008.

20. C. To install IIS modules, the Add a Role service action is used.


Chapter 5: Advanced Web Infrastructure Configuration

Microsoft Exam Objectives Covered in This Chapter:

• Manage Internet Information Services (IIS). May include but is not limited to: Web site content backup and restore; IIS configuration backup; monitor IIS; configure logging; delegation of administrative rights

• Configure SSL security. May include but is not limited to: configure certificates; requesting SSL certificate; renewing SSL certificate; exporting and importing certificates

• Configure Web site authentication and permissions. May include but is not limited to: configure site permissions and authentication; configure application permissions; client certificate mappings


Chapter 4, “Configuring Web Services Infrastructure,” covered the very basic concepts and tasks for IIS 7. Although not overly complex, IIS is a powerful tool with a lot of functionality. Many volumes can be filled with information about best practices and in-depth tweaking and configuration. This chapter will focus on a number of more advanced IIS functions:

• Backup and recovery

• Delegation of administrative rights

• Configuring SSL and authentication

Managing Internet Information Services (IIS)

In the previous chapter, we covered some of the basics of configuration and management of the IIS components. We’ll now go into more detail on these topics, focusing on monitoring, management logging, and backing up and restoring.

In the previous chapter we used only Internet Information Services (IIS) Manager to configure IIS. There is also a command-line configuration tool called AppCmd.exe (or AppCmd). This tool is used to view and configure IIS settings. There are even tasks that must be done in AppCmd, such as setting the automatic history backup and performing a manual configuration backup, both of which we will cover later in this chapter. Even though AppCmd is a command-line administrative tool, it is not based on Windows PowerShell. The AppCmd utility was created before PowerShell was put into Windows Server 2008. Exercise 5.1 demonstrates how to use AppCmd to list the currently configured websites.

Exercise 5.1

Using AppCmd.exe to List Configured Websites

Follow these steps to use AppCmd.exe to list configured websites:

1. Open an elevated command prompt.

2. Change to %System%\System32\InetSrv, the directory where AppCmd.exe resides.


3. Run appcmd list sites to list configured sites.

The following objects are available for administration with AppCmd.exe:

• Site - Manage Web sites

• App - Manage applications

• VDir - Manage virtual directories

• AppPool - Manage application pools

• Config - Manage server configuration

• WP - Manage worker processes

• Request - Manage request settings

• Module - Manage loaded modules

• Backup - Manage backup and restores

• Trace - Manage trace settings


Many of the options available in AppCmd were covered using the Internet Information Services (IIS) Manager in Chapter 4. For more information on these actions, please refer to Chapter 4. Using Backup and Trace will be covered later in this chapter.

Each object has a set of commands that can be run to configure it. For example, the Site object has the following available commands: list, set, add, delete, start, and stop. To get a list of the available actions for a specific object, type AppCmd.exe <objectname> /?.

Configuring Monitoring and Logging

To provide a consistent, reliable service, it’s essential to monitor performance. Chapter 11, “Monitoring Windows Server 2008 for High Availability,” covers how to use new tools such as the Windows Performance Diagnostic Console and the Reliability Monitor and the Windows event logs in Windows Server 2008 to monitor performance and stability.

Trace Logging

One of the more troublesome tasks is figuring out what exactly is happening when a failure occurs. This can be because the problem is occurring sporadically, or perhaps there are thousands of users connecting to the server simultaneously. Trace logging helps to rectify this problem by watching requests and, if a defined failure occurs, writing a log of the request and the actions involved in the request. Each failed request is stored in a separate XML-based file that is sequentially numbered. The XML file can be opened in Internet Explorer or other XML-capable readers.

To use trace logging, you must install the Tracing role service. After the Tracing role service is installed, you can enable failed request tracing for a particular website. See Exercise 5.2.

Exercise 5.2

Enabling Failed Request Tracing

Follow these steps to enable failed request tracing:

1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.

2. In the Connections pane, expand the server name, then expand Sites and click on Default Web Site.

3. In the Actions pane, click Failed Request Tracing.


4. Check the Enable box and type in the name of the directory in which you want to save the log files.

After you enable failed request tracing and define the number of trace files to keep, you must create failure definitions to specify what failures should be logged. For example, if a 500 error occurs intermittently in the .NET application on the website, you could create a failed request tracing rule to watch for a status code of 500 on all files with an .aspx filename extension. Failed request tracing rules can be created at the server, website, or virtual directory level. The rules are always inherited from the parent container. You will want to be careful about enabling the rule closest to the problem directory or application because failed request tracing can have a negative impact on server performance.


The three criteria for creating a rule are content, conditions, and trace provider, as shown in Figure 5.1. The content criterion specifies the name of the files or path that should be traced. There are four options:

• All content (*)

• ASP.NET (*.aspx)

• ASP (*.asp)

• Custom

Figure 5.1 Specifying content to trace

Content

With the first three content options, it is easy to identify what is going to be traced. The All Content (*) option specifies watching all content below where the rule is created. The ASP.NET (*.aspx) option specifies tracing only requested URLs that end with .aspx, and the ASP (*.asp) option specifies tracing only requested URLs that end in .asp. The last option, Custom, allows you to be more specific. You can specify watching Web pages with a name that has a specific beginning or end. If you need to watch all pages that started with forum, like forum.aspx or forumLogin.aspx, you could add forum* in the Custom field. Of note, though, is that you are allowed only one wild card in this field, meaning you could not add in *forum* to be able to trace StartForumLogin.aspx. Instead, you would need to find a more generic option to trace code on that Web page.


Condition

The next criterion that needs to be specified is the condition or conditions that would constitute a failure. If more than one condition is specified, the first condition that is matched will generate the log files. There is no way to specify that multiple conditions must be met to generate the file. You can select three options for conditions:

Status Code(s): This option should be selected when you want to generate a trace log based on an HTTP response code. Multiple status codes can be entered; however, they must be separated by commas.

Time Taken (in Seconds): This option should be selected when you want to generate a trace log when a specific request takes longer to process than expected. If this is selected, a time interval must also be entered in seconds.

Event Severity: This option should be selected when you want to generate a trace log based on the severity of an error that occurs. If this is chosen, one of the following options must also be chosen:

  • Error: This will provide information when components generate errors and do not continue to process requests.

  • Critical Error: This will provide information when components cause a process to end.

  • Warning: This will provide information when components experience an error and continue to process requests.

You can see these options in Figure 5.2.

Figure 5.2 Defining trace conditions


Trace Provider

The last criterion that must be defined is which trace providers should be used and at which verbosity. There are a number of differences that are not all that obvious. The following four built-in trace providers are shown in Figure 5.3:

• ASP

• ASPNET

• ISAPI Extension

• WWW Server

Figure 5.3 Selecting trace providers

The ASPNET and WWW Server providers give you the option to specify areas that should also be traced. With the ASPNET provider, you can specify the following areas:

Infrastructure: This option traces requests when the request is going between different tracing areas within ASP.NET.

Module: This option traces the requests through the HTTP pipeline or managed modules.

Page: This option traces page events and can also capture Trace.Write and Trace.Warn events.

AppServices: This option traces the requests through application services.

WWW Server has the following areas:

Authentication: This option traces authentication attempts and includes the authenticated user, the scheme (such as Anonymous or Basic), and the results of the attempt.

Security: This option traces events when the server rejects the requests for security or permission reasons.


Filter: This option traces how long it takes an ISAPI filter to process a request.

StaticFile: This option traces how long static file requests take to be completed.

CGI: This option traces when a request is made to the CGI Module.

Compression: This option traces through the compression modules.

Cache: This option traces through the cache compression modules.

RequestNotifications: This option traces all request notifications, both on entrance and on exit.

Module: This option traces the requests through the HTTP pipeline or managed modules.

There are also six verbosity settings for each of the providers. To get the information required to pinpoint the problem, you will want to select the minimum verbosity to reduce the impact on the server. In the following list, the verbosity levels are listed in order; the first level results in the least amount of data and the last in the most:

• General

• Critical Errors

• Errors

• Warnings

• Information

• Verbose

Tracing failed requests can have a negative impact on server performance. If you must use tracing on a production server, be aware of the impact. Test the configuration in a test lab under load while monitoring standard metrics such as CPU, memory, disk I/O, and application response time.

Access Logging

Who is visiting a website and what they are doing while there is something most web developers want to know so they can provide a better experience to the end user, see how good a job they are doing at getting people to visit the site, and determine how users were referred to the site. This is where access logging is useful. Server administrators can use it too, to determine whether there are errors and when the busiest times are for the server. It also shows when the server is at its least busy so that maintenance can be scheduled; this period is often called a change window.

Access log files store the request activity for each request: information such as time, software client used, amount of data transferred, and the status code from the server. The exact attributes of the request can be modified to meet the needs of your business for reporting and auditing. Access logs can be processed by reporting software to allow a more user-friendly and more digestible way of viewing the data. There are now two main ways of storing access logs: on a per-server and on a per-site basis.

Per-server logging: Per-server logging creates a single log for all of the sites on the server. There are two options to choose from: Centralized Binary Logging and Centralized World Wide Web Consortium (W3C) Extended Log. Binary logging is written in the Internet Binary Log format, which isn’t readable with common text editors but can be read by third-party tools as well as LogParser, which is available from Microsoft. The W3C extended log is written in a text format and can be read with common text editing software.

Per-site access logging: Per-site access logging, which is similar to the method used in previous versions of IIS, creates a separate log for each site. There are four types of built-in per-site logging: National Center for Supercomputing Applications (NCSA) Common, Microsoft Internet Information Services (IIS), World Wide Web Consortium (W3C) Extended, and Custom (ODBC) Logging. Both W3C and Custom logging allow configuration of the information that will be stored in the access log. Modifying the type of information that will be logged is sometimes necessary for some reporting software to be able to deliver detailed reports.

Per-server logging and the default per-site configuration are completed at the server level using the Logging Features options. At the site level, the Logging feature can be used to customize per-site configuration settings. Whether you choose per-server or per-site logging, the base directory for storing the files is %SystemDrive%\inetpub\Logs\Logfiles\W3SVC. If you choose per-site, however, the individual site log files are placed in a directory based on the site number. For example, website 1 would be stored in %SystemDrive%\inetpub\Logs\Logfiles\W3SVC1. The log file names in those directories depend on the format chosen and rollover settings. Log file rollover sets the criteria for when a log file should split. There are four main rollover criteria:

Schedule: This option should be selected if a new log file should be created by one of the following time schedules:

  • Hourly

  • Daily

  • Weekly

  • Monthly

Maximum File Size (in Bytes): This option should be selected if the log file should reach a specific size before a new one is created.

Do Not Create New Log Files: This option should be selected if a single log file should be created. Often this is used with legacy web reporting software that has to reference a single filename to create reports.

Use Local Time for File Naming and Rollover: This option should be selected if the local time should be used. The default is to use Coordinated Universal Time (UTC, Temps Universel Coordonné) for rollover and file naming.


Logging can be stored in either the Unicode Transformation Format (UTF-8) or the ANSI format; however, it can only be selected at the server level. The server format controls all site logging formats.

When log settings are changed, the site must be restarted to activate the new settings.
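As an added example (not from the book), the following Python code reads a W3C Extended access log to find server errors, slow requests, and the quietest hour for a change window, as described in the access logging discussion above. The log lines are constructed; the function names and the `utc_offset_hours` and `slow_ms` parameters are assumptions of this example, and it assumes entry times are recorded in UTC and `time-taken` in milliseconds.

```python
from collections import Counter

# Constructed sample, not taken from a real server. The header block appears
# twice with different field lists, as happens when the logged fields are
# reconfigured and the site is restarted.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2008-06-27 02:10:00
#Fields: date time cs-method cs-uri-stem c-ip sc-status time-taken
2008-06-27 02:10:05 GET /default.aspx 192.0.2.10 200 31
2008-06-27 09:15:42 GET /forum.aspx 192.0.2.11 200 120
2008-06-27 09:15:43 POST /forumLogin.aspx 192.0.2.11 500 4510
2008-06-27 09:47:01 GET /images/logo.gif 192.0.2.12 304 2
2008-06-27 09:59:59 GET /missing.htm 192.0.2.13 404 3
#Software: Microsoft Internet Information Services 7.0
#Version: 1.0
#Date: 2008-06-27 14:00:00
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2008-06-27 14:00:07 192.0.2.10 GET /forum.aspx 500
2008-06-27 14:30:12 192.0.2.14 GET /default.aspx 200
2008-06-27 14:31
"""


def parse_w3c(text):
    """Return (records, skipped); each record is a dict keyed by the field
    names from the most recent #Fields directive."""
    fields, records, skipped = [], [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # The header can reappear partway through a file, and the field
            # list may differ, so always honour the latest #Fields line.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if not fields or len(values) != len(fields):
            skipped += 1  # torn write, or data before any #Fields header
            continue
        records.append(dict(zip(fields, values)))
    return records, skipped


def summarize(records, utc_offset_hours=0, slow_ms=1000):
    """Hourly request counts (shifted to local time), error counts, and
    requests whose time-taken is at or above slow_ms."""
    hourly = Counter({h: 0 for h in range(24)})
    server_errors = Counter()
    client_errors = 0
    slow = []
    for rec in records:
        hh = rec.get("time", "")[:2]
        if hh.isdigit():
            hourly[(int(hh) + utc_offset_hours) % 24] += 1
        status = rec.get("sc-status", "-")
        uri = rec.get("cs-uri-stem", "-")
        if status.startswith("5"):
            server_errors[(uri, status)] += 1
        elif status.startswith("4"):
            client_errors += 1
        # time-taken is optional; it is absent from the second header block.
        taken = rec.get("time-taken", "-")
        if taken.isdigit() and int(taken) >= slow_ms:
            slow.append((uri, int(taken)))
    # Ties go to the earliest hour of the day.
    busiest = max(range(24), key=lambda h: (hourly[h], -h))
    quietest = min(range(24), key=lambda h: (hourly[h], h))
    return {
        "hourly": hourly,
        "busiest_hour": busiest,
        "quietest_hour": quietest,
        "server_errors": server_errors,
        "client_errors": client_errors,
        "slow": slow,
    }


if __name__ == "__main__":
    recs, bad = parse_w3c(SAMPLE_LOG)
    report = summarize(recs)
    print(f"{len(recs)} requests parsed, {bad} malformed line(s) skipped")
    print("busiest hour:", report["busiest_hour"])
    print("candidate change window starts at hour:", report["quietest_hour"])
    for (uri, status), count in report["server_errors"].items():
        print(f"{status} x{count} {uri}")
    for uri, ms in report["slow"]:
        print(f"slow: {uri} took {ms} ms")
```

On a real server, run it over several days of logs before choosing a change window, since a single day rarely shows the true quiet period.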

Backup and Restore

One of the most important configuration and setup steps is to make sure that restores work, because doing a backup is useless unless a restore can be accomplished. As mentioned in Chapter 4, the configuration for IIS is stored in a number of XML-based files. These files can be backed up and then restored to return the server’s configuration to the point in time the configuration was created.

Since an errant configuration change can negatively impact the server’s functionality, a backup is made of the server configuration when an administrator makes changes. The default setting keeps up to 10 configuration backup sets in a uniquely named subdirectory of %SystemDrive%\Inetpub\History before removing the oldest automatic backup. The backup is completed by default every 2 minutes as changes are made. This avoids the need for having a backup for each check box selected and setting tweaked; instead, all changes during the 2 minutes are committed at the same time, with a single backup done.

Configuration backups protect only the server configuration files. They do not back up application Web.config files, nor do they back up website content.

The number of configuration backups is controlled by the maxHistories attribute of the configHistory section of the applicationHost.config file, and the interval at which the configuration file is backed up is controlled by the period attribute. The period is specified in the hours:minutes:seconds format. If you want to specify a 10-minute period, you would use 00:10:00. The AppCmd.exe utility can be used to modify both of these attributes. Exercise 5.3 walks you through changing these settings.

Exercise 5.3

Modifying Configuration History Settings

Follow these steps to modify configuration history settings.

1. Open an elevated command prompt.

2. Change to %System%\System32\InetSrv, the directory where AppCmd.exe resides.


3. Run appcmd set config /section:configHistory /maxHistories:50 /period:00:10:00 to set the maximum number of history backups to 50 with a save interval of 10 minutes.

What if you want to make a manual backup of the configuration to keep for future recovery? This too can be done with the AppCmd.exe utility. Figure 5.4 shows AppCmd.exe being run to manually generate a backup called Server Backup 1.

Figure 5.4 Manually creating a server configuration backup

To list the automatic and manual configuration backups that have been completed, you would run AppCmd.exe list backups. Figure 5.5 shows the results of running this command.

Now you have configuration backups, but what use are they unless you can perform a restore? When you restore the configuration, you restore IIS settings for all of the sites, application pools, virtual directories, and applications. Figure 5.6 shows an example of running a restore of a manual backup named Server Backup 1 by running AppCmd restore backup “Server Backup 1”.


Figure 5.5 Listing available backups

Figure 5.6 Restoring the configuration from a backup

Now that the server configuration is being protected, the next step is to ensure that the content of the websites is protected. There isn’t a whole lot of IIS-specific magic when it comes to backing up content. The new Windows Server Backup feature should be used to perform regular backups of site content, which would include any Web.config files that contain configuration data not captured by the IIS configuration backup.

The Windows Server Backup feature is installed from Server Manager by selecting Add Features from the Action menu.

Delegating Administrative Rights

To allow developers, help desk personnel, or non-IT staff to perform specific administrative functions, IIS 7 has feature delegation. Authentication for feature delegation is done by default with Windows credentials; alternatively, IIS Manager credentials can be configured as well.

To start off with feature delegation, first the IIS Management Service role service must be installed. The role service can be added using Server Manager. The Management Service role service is used to allow remote administration of IIS, which is the method that delegated IIS administrators must use to connect to get delegated feature rights.


There are two forms of administrative rights that can be delegated, IIS management and feature management. Either form of delegation affects all sites, directories, or applications below where the delegation takes place. IIS management delegation grants permissions to allow a user to be able to manage specific sites or applications. Exercise 5.4 will demonstrate how to grant a user IIS Manager permissions to manage an entire website remotely.

Exercise 5.4

Delegating Administrative Permissions for Remote Administration of a Website

Follow these steps to delegate administrative permissions for remote administration of a website:

1. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.

2. Select Default Web Site in the Connections pane.

3. In the Content pane, double-click on IIS Manager Permissions.


4. In the Actions pane, click Allow User.

5. In the Allow User dialog box, type or select the user that you want to grant access to and click OK.

The more granular delegation option available is feature delegation. It allows you to specify whether the feature’s related configuration is locked or unlocked. When a feature is locked, the configuration is enforced at all lower levels. Locking a feature is used when you want all conflicting configurations in Web.config files below to be overridden. This may be important for specific features to block developers or administrators from overriding standards that have been set. The default for all feature delegation is to use lower-level configuration files for feature configuration settings.

IIS Manager permissions are delegated for a site or an application because computer administrators automatically have permission at the server level.

Feature delegation is done from the server level; however, the features can be delegated at a variety of levels. To configure feature delegation for all sites on the server, as you would do when you give a user or set of users access to administer all sites, you would perform the delegation at the server level. If you are delegating rights on only a particular site, you would start the delegation at that site. To manage feature delegation, select the local server in the Connections pane and double-click the Feature Delegation icon in the Content pane (Figure 5.7).

There are three general settings and one action for each feature:

Read/Write: This sets the feature to unlocked and allows features to be changed in lower-level Web.config files for the sites and applications below. This also allows all non-administrators to configure the feature in IIS Manager if they have been given permissions to connect.


Figure 5.7 Managing feature delegation

Read Only: This locks the feature’s configuration to the server-level configuration file. The configuration cannot be overridden by any lower-level Web.config files. It also denies all non-administrators the ability to configure these features in IIS Manager; however, the user will be able to view the configuration.

Not Delegated: This locks the feature’s configuration to the server-level configuration file. The configuration cannot be overridden by any lower-level Web.config files. It also prevents all non-administrators from seeing or modifying the feature in IIS Manager.

Reset to Inherited: This action sets the delegation state to what it is set to at the parent level.

Two exceptions are .NET Users and .NET Roles. These features are assigned either Configuration Read/Write or Configuration Read Only, and Reset All Delegation. They are similar to the preceding features except that they affect the configuration for the feature, not the data the feature uses. Figure 5.8 shows an example of configuring the feature delegation options.


Figure 5.8 Configuring feature delegation

Configuring Secure Sockets Layer (SSL) Security

Security is something that is extremely important to companies today. Improperly protecting sensitive user data can destroy a company’s reputation. Secure Sockets Layer (SSL) is a method of encrypting and authenticating client-to-server communications. It provides reasonable assurance that the information being exchanged between the client and the server is safe from prying eyes.

To provide SSL communication, you must install a certificate on the server. SSL certificates are based on Public Key Infrastructure (PKI), which consists of a private key, a public key, and a certificate authority (CA) that is able to validate the keys.


The public keys provide details about the owner of the certificate, whether it is valid, and how the certificate can be used. The public key is, as its name suggests, public and can be distributed to anyone who requests it. The private key, however, should be kept secure and only stored on the server or servers that require it. If the private key is made public or compromised in another way, the certificate should be discarded and a new one generated.

The public and private keys are a matched pair of numbers used in asymmetrical computations. It would be like having one key that locks the door and another key that unlocks it. For the certificate, when one key is used to encrypt the data, the other must be used to decrypt it. If one of the keys is missing, the encryption or authorization process cannot complete.

The certificates are authenticated and issued by a CA. A CA can be likened to a passport agency. The passport agency verifies the information the requestor provides and then issues a passport that is valid for a specific period. When a passport holder travels, they provide the passport as a means of identification because governments trust that the government that issued the passport has properly verified the identity of the holder. Similarly, when a CA issues a certificate, it verifies that you are who you purport to be by verifying specific information and often requesting documentation. Once the verification is complete, the certificate is issued.

For a certificate to be valid, all parties must trust the CA. Windows Server 2008 includes Active Directory Certificate Services (AD CS) as an available role that can act as a CA and issue certificates. If you create your own CA, users on the Internet will not automatically trust your CA and will receive errors when trying to access your site. Using AD CS may be a valid option if all users are under your control or in your domain because you can use Group Policy to force the machines to trust your CA.

Third parties such as VeriSign, GeoTrust, and Thawte operate CAs that are trusted by many major operating systems like Windows Server 2008. When you’re requesting a certificate for a website, it is best to obtain the certificate from a widely trusted third party so that Internet users do not have problems when visiting your site.

Requesting and Renewing SSL Certificates

The first step in configuring SSL on a website is to obtain a certificate. To protect the private key, a request must be generated and the pertinent information sent to a CA so that the certificate can be generated with the public key. To create a simple certificate request from IIS Manager, follow the steps listed below.

1. Choose the server name in the Connections pane and then double-click on the Server Certificates icon.

2. Choose Create Certificate Request from the Actions menu (Figure 5.9).


Figure 5.9 Managing server certificates

3. In the Request Certificate dialog box, provide information specific to your organization. This information is used by the CA to determine if you are eligible to request a certificate for this organization. Note that the common name must match the hostname of the server. Click Next (Figure 5.10).

Figure 5.10 Entering certificate details


4. On the Cryptographic Service Provider Properties page (Figure 5.11), choose the encryption service provider and the bit length of the encryption. The bit lengths available in this step range from 384 to 16384. The larger the bit length, the higher the level of encryption, but a higher level of encryption also puts more load on the server because the encryption and decryption process requires complicated mathematical functions to complete. It will also require more information to be exchanged between the server and client.

Figure 5.11 Setting the cryptographic service provider properties

5. Provide a location to save the certificate request and click Finish.

The process is not over. The next step is to take the certificate request file and submit it along with any other documentation to the CA so that the certificate can be issued. After the CA processes the request, you must use the response to complete the certificate. From Server Certificates in IIS Manager on the server from which the request was generated, choose Complete Certificate Request from the Actions pane.

As shown in Figure 5.12, on the Specify Certificate Authority Response dialog, enter the location of the text file containing the response from the CA, assign a name for the certificate, and then click OK.

To do testing with SSL certificates, you can also create a self-signed SSL certificate. Since there is no trusted certificate authority, no one other than the server will automatically trust the certificate. To create a self-signed certificate, simply select Create Self-Signed Certificate from the Actions pane from Server Certificates in IIS Manager.

After the certificate is issued, it is valid for only a specific amount of time. To renew the certificate, you must generate a renewal request. This request can then be given to the CA, and the CA will issue a new response, which in turn will generate a new certificate.


Figure 5.12 Completing a certificate request

Enabling SSL on a Website

Once you have a valid certificate on the server—one issued from a trusted third-party CA, one from a local AD CS server, or a self-signed certificate—you must assign it to a website to enable SSL.

Exercise 5.5

Enabling SSL on a Web server:

1. Select the website for which you would like to enable SSL.

2. Choose Bindings from the Actions pane.

3. Click Add in the Site Binding dialog box.

4. In the Add Site Binding dialog box, set the type to https and select an IP address to bind to if you’re not using the default.

5. Select the SSL certificate from the drop-down list and click OK.


After SSL has been enabled, you should be able to visit the site from a browser using https://<sitename>/. If you want to require that all clients connect to a site or virtual directory with SSL, navigate to where you want to enforce SSL in the Connections pane and then double-click on SSL Settings in the Content pane. As shown in Figure 5.13, enable Require SSL and, if needed, Require 128-bit SSL to ensure that a stronger encryption standard is met.

Figure 5.13 Configuring the Require SSL setting

Exporting and Importing Certificates

You may need to export a certificate from one server to another when multiple web servers in a web farm must host the same SSL secured site. When you export a certificate, the private key is also exported, so the exported data should be protected. Allowing the private key for the site to fall into the wrong hands increases the likelihood of compromising the integrity of the certificate.

To export a certificate, select the server in the Connections pane and then double-click on Server Certificates in the Content pane. Then choose Export from the Actions pane. As shown in Figure 5.14, specify a filename and a password to protect the certificate.


Figure 5.14 Exporting a certificate

To import a certificate, you follow a similar procedure. Select the server in the Connections pane and then double-click on Server Certificates in the Content pane. Then choose Import from the Actions pane. As shown in Figure 5.15, select the certificate file, type in the password, and then select whether you would like the certificate to be exportable from this server.

Figure 5.15 Importing a certificate

Configuring Website Authentication and Permissions

A number of authentication types are available for IIS 7.0 to meet the needs of your application. A number of native authentication modules are available that enable specific authentication types.

AD Client Certificate Authentication This allows authentication using certificates stored in Active Directory.

Anonymous Authentication This allows any user who can access the site to view content without having to authenticate. The IUSR[_ServerName] account is used by IIS to access the content on the server.


ASP.NET Impersonation This allows an ASP.NET application to run under accounts other than the default ASPNET account.

Basic Authentication This allows users to access content after providing a username and password. Basic authentication transmits the username and password with weak encryption, so it is best to use this on a trusted network or to provide additional encryption using SSL.

Digest Authentication This allows using domain credentials to authenticate; however, all passwords must be stored with reversible encryption.

Forms Authentication This uses an HTML form to request credentials from a user. The credentials can be validated to a number of sources, including Active Directory or another database. The username and password are sent in plain text, and it is recommended that you use SSL to provide protection.

Windows Authentication This allows authentication with NTLM or Kerberos to domain or local accounts.

By default, Anonymous authentication is enabled. If Anonymous is enabled along with other authentication modules, users will be able to view all publicly available content. If someone attempts to access content that isn’t publicly available, they are prompted to provide credentials. To enable an authentication module, you must first install it. All of the authentication modules are listed under the Security heading when role services are installed, as shown in Figure 5.16.

Figure 5.16 Adding authentication modules


Once you have installed the modules required to provide authentication for your site, only Anonymous authentication is enabled by default. To enable other authentication, navigate to the server, site, or applications for which you want to enable the authentication type in the Connections pane. From there, double-click on Authentication in the Content pane. As shown in Figure 5.17, you will be able to view a list of available authentication types and then enable, disable, and configure each authentication type as needed.

Figure 5.17 Configuring authentication

Configuring Application Access

Authorization rules can be used to control access to a website. They can be specific to users, groups, or roles that have access to the site and can optionally apply to specific HTTP commands (verbs). This can be done by creating either an allow or a deny authorization rule.

To use authorization rules, you must install the URL Authorization module. The authorization rule is then created at the site or application on which it should be enforced and affects all down-level content unless specifically removed. The Entry Type column lists Inherited for rules applied from the parent and Local for rules created at the selected level. Figure 5.18 shows several inherited rules from the parent container as well as a single rule created at the selected level.


Figure 5.18 Viewing authorization rules

An authorization rule is applied to one of the following:

• All users

• All anonymous users

• Specified user groups or ASP.NET roles

• Specified users

When creating an authorization rule, you have the option of applying this allow or deny rule to specific HTTP commands known as verbs. You can see these options in Figure 5.19.

Figure 5.19 Creating an authorization rule


Client Certificate Mapping

Client certificates allow a user to authenticate with the site. To enable a website to accept certificates, you must first install the AD Client Certificate Authentication modules and enable them at the server level. To allow a website or application to accept client certificates, you must configure the SSL settings.

To do this, select the site or application in the Connections pane and then double-click on SSL Settings in the Content pane. Then under Client Certificates in the Content pane, choose Accept or Require as shown in Figure 5.20. Choose Accept if not all users have certificates to authenticate, and choose Require if you want to force all users to authenticate with a certificate. If you choose Require, you must also require SSL to connect to the site or application.

Figure 5.20 Configuring client certificate settings
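Two SSL dependencies from this chapter can be checked across a server's configuration: Basic authentication should be protected with SSL, and requiring client certificates needs Require SSL. The following Python script is an added example, not from the book. It audits a constructed applicationHost.config fragment with hypothetical site names, and it assumes that the settings live only in `<location>` blocks of one file and that child paths inherit from their parents.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment; the site names are hypothetical.
SAMPLE_CONFIG = """
<configuration>
  <location path="Intranet">
    <system.webServer><security>
      <access sslFlags="None" />
      <authentication>
        <anonymousAuthentication enabled="true" />
        <basicAuthentication enabled="true" />
      </authentication>
    </security></system.webServer>
  </location>
  <location path="Intranet/payroll">
    <system.webServer><security>
      <access sslFlags="Ssl, Ssl128" />
    </security></system.webServer>
  </location>
  <location path="Partners">
    <system.webServer><security>
      <access sslFlags="SslRequireCert" />
      <authentication>
        <anonymousAuthentication enabled="false" />
      </authentication>
    </security></system.webServer>
  </location>
  <location path="Partners/api">
    <system.webServer><security>
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
    </security></system.webServer>
  </location>
</configuration>
"""


def explicit_settings(xml_text):
    """Collect the SSL flags and authentication switches set in each <location>."""
    settings = {}
    for loc in ET.fromstring(xml_text).iter("location"):
        web = next((c for c in loc if c.tag == "system.webServer"), None)
        if web is None:
            continue
        entry = {"ssl_flags": None, "auth": {}}
        access = next(web.iter("access"), None)
        if access is not None:
            raw = access.get("sslFlags", "None").split(",")
            entry["ssl_flags"] = {f.strip() for f in raw} - {"None", ""}
        for auth in web.iter("authentication"):
            for module in auth:
                enabled = module.get("enabled", "false").lower() == "true"
                entry["auth"][module.tag] = enabled
        settings[loc.get("path", "").strip("/")] = entry
    return settings


def effective_settings(settings, path):
    """Apply parent-to-child inheritance: the nearest explicit value wins."""
    flags, auth = set(), {}
    parts = path.split("/") if path else []
    # "" is the server level; each longer prefix overrides its parent.
    for depth in range(len(parts) + 1):
        entry = settings.get("/".join(parts[:depth]))
        if entry is None:
            continue
        if entry["ssl_flags"] is not None:
            flags = entry["ssl_flags"]
        auth.update(entry["auth"])
    return flags, auth


def audit(xml_text):
    """Return (path, issue) pairs for locations that break the SSL dependencies."""
    settings = explicit_settings(xml_text)
    findings = []
    for path in sorted(settings):
        flags, auth = effective_settings(settings, path)
        if auth.get("basicAuthentication") and "Ssl" not in flags:
            findings.append((path, "Basic authentication enabled without Require SSL"))
        if "SslRequireCert" in flags and "Ssl" not in flags:
            findings.append((path, "Client certificates required without Require SSL"))
    return findings


if __name__ == "__main__":
    for path, issue in audit(SAMPLE_CONFIG):
        print(f"{path}: {issue}")
```

The payroll application inherits Basic authentication from its parent site but sets Require SSL itself, so only the parent site is reported.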

Summary

Although IIS can be very easy to use and configure, there are a number of more advanced topics that warrant consideration. In this chapter we covered advanced management tasks like backup and restoring, configuring SSL certificates, and configuring authentication types.

In several examples, we used the AppCmd.exe command-line tool to work with configuration backup, restores, and configuration history. We also discussed creating failed request tracing rules to be able to pinpoint problems within a web application.


Access logging can be configured either per site or per server to provide detailed logs that track client access to the site. These logs can be used to identify the popularity of a web application or to determine usage patterns. Feature delegation is used to control the features that can be configured or to allow feature settings to be overridden that are configured at higher levels in the configuration.

Next, the chapter covered authentication settings to control access and methods of authenticating users. Last, we discussed requesting, binding, and exporting certificates.

Exam Essentials

Know how to perform a manual backup and restore. Using AppCmd to complete backups and restores is important. Know what syntax to use and in what scenarios you would be required to perform a backup or a restore.

Know what an SSL certificate is and how to request a new one. Certificates are used to encrypt and authenticate communications between the server and client. Know the steps required to secure a website and where to obtain an SSL certificate.

Know which modules are used for authentications. IIS 7.0 has a number of modules used for authentication. Know which modules to use in specific instances. Know which authentication modules are used for different authentication requirements.


Review Questions

1. What is the name of the tool used to view and configure IIS settings?

A. Computer Manager

B. WDSUTIL

C. AppCmd

D. IISmgt

2. In order to troubleshoot and monitor failures in IIS, what role service needs to be installed?

A. Monitoring

B. Tracing

C. Event Viewer Service

D. File Sharing

3. What must be created to define which failures should be logged?

A. Event viewer filter

B. Event view monitor

C. System task to monitor log files

D. Failed request tracing rule

4. What are three criteria for creating a trace rule?

A. Content

B. Trace provider

C. Event ID

D. Conditions

5. Which of the following trace providers are built in?

A. .NET

B. ASP

C. HTML

D. PHP

6. What log files are used to determine information such as time, software client used, amount of data transferred, and status codes?

A. Access log

B. Application logs

C. Event view log

D. System logs


7. If you have more than one site on your server and you want to keep all the logs in a single file, what type of logging will you use?

A. Single access log

B. Combined log

C. Per-server logging

D. Per-domain logging

8. What is the location where the log files are stored regardless of whether you use per-server or per-site logging?

A. %SystemDrive%\inetpub\Logs\Logfiles\W3SVC

B. %SystemDrive%\inetpub\Logs\Logfiles

C. %SystemDrive%\inetpub\Logs

D. %SystemDrive%\Windows\System32\LogFiles

9. What tool is used to create a manual backup of the IIS server configuration?

A. WDSUTIL

B. NTBACKUP

C. AppCmd

D. IISState

10. Before you can use the IIS feature delegation, what role needs to be installed?

A. IIS Management Service

B. Permissions Verifier

C. Active Directory Certificate Service

D. Network Policy and Access Service

11. At what level is feature delegation performed?

A. Application level

B. Workstation level

C. User level

D. Server level

12. What method is used to encrypt and provide authentication for client and server communications?

A. DRM

B. SSL

C. Bit Level

D. NTFS


13. What needs to be installed on a server before it can provide SSL communication?

A. Bit-level encryption

B. NTFS

C. DHCP

D. SSL certificate

14. If the ___________________ is compromised, the SSL certificate must be replaced.

A. Private key

B. Public key

C. Server key

D. Domain key

15. In order for a certificate to be valid, what must happen?

A. It must be issued by Microsoft.

B. It must be at least one year old.

C. It must be trusted by all parties.

D. It must be created by an administrator.

16. What are the limitations of creating your own CA?

A. None

B. Users on the Internet will not automatically trust your CA and will receive errors when trying to access your site.

C. You cannot create your own CA. It will cause errors in the Event Viewer.

D. You will not be able to generate TLS certificates.

17. What are public and private keys?

A. Matched pairs of numbers used in asymmetrical computations.

B. Serial numbers used to activate an operating system.

C. Encryption types.

D. Keys that are listed on public domains and private domains.

18. What information is listed in public keys? (Choose all that apply.)

A. No information is supplied.

B. The private encryption key

C. Owner of the certificate.

D. How the certificate can be used.


19. What two forms of administrative rights can be delegated in IIS?

A. IIS management

B. Feature management

C. Active Directory groups

D. User creation

20. When changes are made to IIS, what is the default backup schedule?

A. 10 minutes

B. 2 minutes

C. 30 minutes

D. 60 minutes


Answers to Review Questions

1. C. The AppCmd tool is used to configure and view the settings for IIS.

2. B. The Tracing role service needs to be installed in order to monitor when failures occur.

3. D. Failed request tracing rules will monitor for failures you define.

4. A, B, D. The criteria for creating a rule are content, conditions, and trace provider.

5. B. ASP is a built-in trace provider.

6. A. Access logs are used to collect data that may include time, software client used, amount of data transferred, and status codes.

7. C. Per-server logging is used when you have multiple sites on a single server and you want a single log for all sites.

8. D. Log files are located at %SystemDrive%\inetpub\Logs\Logfiles\W3SVC.

9. C. AppCmd is used to create a manual backup of the server configuration.

10. A. IIS Management Service is required for IIS feature delegation.

11. D. All feature delegation is done at the server level.

12. B. SSL is a method of encrypting and authenticating client-to-server communications.

13. D. An SSL certificate must be installed on a server before it can provide SSL communication.

14. A. If the private key is exposed to the public, the SSL certificate must be replaced.

15. C. For a certificate to be valid, all parties must trust the CA.

16. B. If you create your own CA, users on the Internet will not automatically trust your CA and will receive errors when trying to access your site. In Windows Server 2008, Active Directory Certificate Services allows generation of TLS and other types of certificates on the proper edition of the product.

17. A. Public and private keys are matched pairs of numbers used in asymmetrical computations.

18. C, D. The public keys provide details about the owner of the certificate, whether it is valid, and how the certificate can be used. The private key is kept separate from the public key and is protected from public access.

19. A, B. There are two forms of administrative rights that can be delegated, IIS management and feature management.

20. B. Backups are completed by default every 2 minutes as changes are made.


Chapter 6

Configuring Additional Communication Services

Microsoft Exam Objectives Covered in This Chapter:

• Configure Windows Media server. May include but is not limited to: on-demand replication; configure time-sensitive content; caching and proxy

• Configure Digital Rights Management (DRM). May include but is not limited to: encryption; sharing business rules; configuring license delivery; configuring policy templates


Windows Server 2008 includes communication services that can benefit your organization, like fax services. Additional services can prove to be valuable to any organization that looks to manage both delivering live or on-demand digital media and sending and receiving faxes.

Learning about these services is important not only for the exam, but for real-life applications as well. As organizations grow, the need for better communication management becomes a necessity. IT administrators who not only want to keep pace with the industry but want their organizations to use their resources to the fullest will devote the time needed to configure communication services. In addition to configuration, time should be devoted to understanding each organization’s needs and how it will benefit from these additional tools.

Many may argue that the time spent on these additional services is wasted. Anyone who has ever had to work to make a company’s fax services work or figure out how to record meetings and then replay them in either audio or video form will disagree. Most likely the majority of the companies in today’s workforce do value communication services, and this is where the IT administrator can shine. Want to show your employer that you are truly a valuable asset? Take some time to understand the additional communication services and think about how they can make your organization more efficient and productive. This chapter covers the following topics:

• Configuring Fax Services, including configuring local fax properties and defining a fax routing location

• Configuring Media Services, including configuring basic streaming solutions and options for configuring security in a Windows Media Server

• Configuring Digital Rights Management (DRM), including DRM encryption and DRM business rules

For this chapter, we assume you have a basic understanding of Windows Server 2008 and that you understand how to use Server Manager.

Configuring Fax Services

Fax services for Windows Server have been around since the days of Windows NT. It has always left something to be desired in becoming an enterprise faxing solution, but over the years it has shown improvements in both features and in instructions on how an IT administrator can configure it.


Is a faxing service still needed, however? Simply put, yes. Even in a world where everything moves at a fast pace and more communication is done via email, faxing is still the first choice in many communications tasks. Perhaps this is because people still like the feel of paper in their hands. In any case, fax services will not be going away anytime soon.

Microsoft continues to support this older, but still heavily relied upon, resource. We will endeavor to show you how to configure this service in Windows Server 2008.

We assume you have already installed the Fax Service role using Server Manager. After you have completed the installation of the Fax Server role, you can use the Fax Service Manager to do the following:

• Manage users

• Configure fax devices

• Set up routing policies for faxes

• Create rules for outgoing faxes

• Archive received or sent faxes

• Track the use of fax resources

It is recommended that you install Windows Fax and Scan on your Windows 2008 Server machine because it will allow you to monitor the activity in the Incoming, Inbox, and Outbox folders. To install the Windows Fax and Scan role from the Server Manager, complete the following steps:

1. In the left pane, click Features, and then in the right pane, click Add Features (Figure 6.1).

Figure 6.1 Server Manager


2. In the Select Features section, select Desktop Experience and click Next.

3. On the next screen, choose Install.

If your users are using Microsoft’s Windows Vista, they can send and receive faxes using the built-in Windows Fax and Scan utility. Windows XP users can send faxes using the Fax Console utility.

Configuring Fax (Local) Properties

After installing the Fax Service role on your Windows Server 2008 machine, it will automatically detect and install any fax device that has been attached to the server. If a fax device does not already exist, a local fax printer connection is created. This fax device represents all the physical fax devices that are connected to the server.

By default, all detected fax devices are enabled for sending faxes but not for receiving them. You must specifically enable each device to receive faxes. Server Manager will be used to enable these devices.

After you install the Fax Service role, sharing is not enabled by default. You can share a Fax device within the printers option in Control Panel.

In Exercise 6.1, you will use Server Manager to configure the properties of a fax device and enable it to receive faxes.

Exercise 6.1

Configuring a fax device to receive faxes

To enable your Fax Device to receive faxes, do the following steps:

1. In the left pane in Server Manager, expand Roles and expand Fax Server.

2. Expand Devices and Providers, and click Devices.


3. In the Content pane, right-click the device you want to configure and then choose whether you want the device to automatically answer a fax call or if the users must manually answer.

4. Choose OK.

The next step is to configure the properties of the fax server. The following tabs are found in the Fax Properties dialog box:

General Within this tab, you can review the current activity and disable sending and/or receiving faxes.

Receipts This tab allows you to configure delivery options.

Event Reports This is where you specify event tracking levels.

Activity Logging This section allows you to choose to log incoming and outgoing fax activity.


Outbox This is where you can configure the options for the queue of all outgoing faxes.

Archives Here you can configure your archive settings for sent and received faxes.

Accounts Here you can choose to assign messages to individual accounts.

Security This section allows you to set permissions for users or groups for fax configurations and documents.

In Exercise 6.2, you’ll configure the settings for the most common features within the Fax Properties dialog box.

Exercise 6.2

Configuring fax properties

To configure the Fax properties, follow the steps below:

1. Within Server Manager, expand Roles and then expand Fax Server.

2. Right-click Fax and choose Properties.

3. On the Receipts tab, click the box labeled Enable SMTP E-Mail Receipts Delivery and enter a From e-mail address, SMTP server address, and port number.

4. Select the Activity Logging tab. Click the boxes next to Log Incoming Fax Activity and Log Outgoing Fax Activity.


5. In the Activity Log Folder text box, enter the path to store the activity log. The default location is C:\ProgramData\Microsoft\Windows NT\MSFax\ActivityLog.

6. Select the Outbox tab, check the Automatically Delete Faxes Older Than option and then choose the number of days to keep faxes.

7. Select the Archives tab and then check Archive All Faxes to This Folder.

8. Browse to the location that should be used to store archived faxes. The default is C:\ProgramData\Microsoft\Windows NT\MSFax.

9. To allow faxes to be reassigned, select the Accounts tab and then check the On box under Reassign Settings.

10. Click OK.

Defining a Dialing Rule

Setting up dialing rules will help the fax server understand what your area requires. For example, most locations in the United States require dialing a 1 before dialing a number outside a local area code. When dialing within an area code, only 7 digits are needed. Alternatively, if a local area uses 10-digit dialing, a user has to put in an area code plus the 7-digit phone number. As you can see, by setting up the dialing rules first, you keep your users from having to enter numbers such as 1 before the area code.


You can configure the following options for dialing rules:

Dialed Number You can enter a region code and area code.

Target Device Choose to apply your rule to devices.

To configure these options follow the steps in Exercise 6.3.

Exercise 6.3

Configuring a dialing rule

Dialing rules can be configured with the following steps:

1. Under Fax Server in Server Manager, expand Outgoing Routing.

2. Right-click on Rules and choose New and then Rule.

3. In the Dialed Number section of the Add New Rule dialog box, enter your region code. If you are unsure, click Select and then choose from the list.

4. In the Target Device section, choose whether you want this rule to apply to a device or a routing group and then choose from the list in the drop-down box.

5. Click OK.


Defining a Fax Routing Location

As the administrator, you can configure both the incoming and outgoing fax routes. You can route incoming faxes to a particular user group or an individual user. In the Fax Service Manager, you can configure routing extensions that are global, which means they’re applied to all devices, and you can configure others that are associated with only individual devices. For global methods, you can set the order in which they are applied to a received fax. For example, you could have a fax routed first to an email address, then printed, then stored in a folder. For individual routing methods, these are configured per device. After you configure a method, it can be enabled or disabled. More than one incoming route can be applied to a fax.

You can configure the following default incoming routing methods:

Route through E-Mail You can specify the address for receiving incoming faxes.

Store in Folder Choose the folder to store a copy of the incoming fax.

Print Define the path to which you want the incoming fax printed.

Exercise 6.4 shows you how to configure an incoming fax routing method.

Exercise 6.4

Configuring incoming fax routing

The next steps will configure Incoming Fax routing:

1. Open the Server Manager.

2. On the left side, expand Fax and then click on Devices and Providers.


3. Now click on Devices, double-click on the device you want to configure, and choose Incoming Methods.

4. In the Content pane, right-click on the method you want to configure and choose Properties.

5. Now click the Store in Folder tab, and then either enter the Universal Naming Convention (UNC) path or click Browse to choose the folder.

6. To configure the routing, choose the Route through E-Mail method and click the Email tab. Type in the address to which you want incoming faxes to be delivered.

7. For the Print method, click the Print tab and type in the UNC path of the printer you want faxes to be printed to.

8. After you have configured your incoming methods, you must right-click each method in the Details pane and click Enable.

9. Click OK.

For outgoing faxes you can also create rules, which will allow you to optimize the use of available fax devices. You can create rules that get associated with a device or group of devices and have faxes sent to a specific domestic area code or specific region.

For example, if you have many faxes that go to a vendor in China, you can create a rule that will send faxes to this vendor from a specific device. Meanwhile, your other devices can continue to service other areas or regions and not be affected by the heavy fax traffic to China.

Using rules will help ensure that your fax resources are being used efficiently instead of having your faxes sit in long queues.

Exercise 6.5 walks you through adding a routing rule for outgoing faxes.

Exercise 6.5

Adding a routing rule

Follow these steps to add a Routing rule:

1. Open Server Manager.

2. Expand Fax Server and then expand Fax.

3. Click on Outgoing Routing.

4. Right-click on Rules, then New, and then Rule.


5. Add the country/region code and the local area code in the Dialed Number section.

6. Next, choose the target device or routing group in the Target Device section.

7. Click OK.

Configuring Media Server

The Fax Server role is not the only valuable service that Windows Server 2008 can provide. Windows Media Server can improve communication and instruction in an organization.

A Windows media server delivers digital media to clients across a network using Windows Media Services 2008. This service translates a client’s request for media into a physical path on the server that is hosting the content.

Windows Media Services delivers basic streaming functionality, such as unicast streaming and server-side playlists, and is included in the following Windows Server editions:

- Windows Server 2008 Standard
- Windows Web Server 2008


Fax Routing and Archiving

When would these features be practical? Well, say your client receives many faxes throughout a given week. These faxes must be acknowledged, processed, completed, and then stored. This can be a time-consuming process when it’s done manually. However, the benefit of using the Fax Server role is that you are able to provide all the steps in digital form.

If you configure your fax routing to first print to a printer in your sales department, your sales department gets an immediate hard copy of the order. In the manual process, this document would have to be scanned into an image file and emailed to your processing department. Instead, you configure the second routing step to email a copy to the processing department, so they get an email as soon as the copy is printed. Normally this fax would then be put into a folder for filing, but you have configured archiving of faxes on your fax server, so the fax is copied to a designated folder on your server.

Not only did you reduce the amount of effort required to take an order from a fax, you also just decreased the amount of time before that faxed-in order can be shipped. This results in efficient workflow and happier customers.

Windows Media Services provides advanced features such as multicast streaming when installed on the following operating systems:

- Windows Server 2008 Enterprise
- Windows Server 2008 Datacenter

Table 6.1 provides an overview of available features based on what server version is installed.

Table 6.1 Media Services Features

Feature | Windows Server 2008 Standard and Web | Windows Server 2008 Enterprise and Datacenter
Absolute Playlist Time | Yes | Yes
Advanced Fast Start | Yes | Yes
Advanced FF/RW | No | Yes
Advertising server support | Yes | Yes
Broadcast Auto-Start | Yes | Yes
Cache/Proxy | Yes | Yes
Custom Plug-In | Yes | Yes
Event-based scripting | Yes | Yes
Fast Cache | Yes | Yes
Fast Reconnect | Yes | Yes
Fast Start | Yes | Yes
Fast Streaming | Yes | Yes
Internet authentication | Yes | Yes
Internet Group Management | No | Yes
IPv6 | Yes | Yes
Intranet authentication | Yes | Yes
Multicast | No | Yes
Multiple authorization | Yes | Yes
Multiple control protocol | Yes | Yes
Multiple media parser | Yes | Yes
Multiple playlist parser | Yes | Yes
Play while archiving | No | Yes
RTSP streaming | Yes | Yes
Robust event notification | Yes | Yes
Repacketization | Yes | Yes
Unicast | Yes | Yes


By default, in Windows Server 2008, the Streaming Media Services role is not available in the Add Roles Wizard. You must download this service add-in from Microsoft’s website at http://microsoft.com/downloads/details.aspx?FamilyID=9ccf6312-723b-4577-be58-7caab2e1c5b7&displaylang=en.

Before installing Media Services, be sure the server meets the following system requirements:

Processor: One or more processors with a recommended speed of 550MHz; minimum supported speed is 133MHz.

Memory: 512MB of RAM, minimum of 256MB.

Hard disk space: 2GB of free space.

File system configuration: NTFS.

Configuring Basic Streaming Solutions

When you think about streaming media basics, you might have a few questions:

- What is streaming media?
- How do I create content?
- How do I make this content available to my users?

The following sections will answer those questions and show you how to configure the basic options.

What Is Streaming Media?

Let’s look at our first question. What is streaming media? It’s any media that is displayed to the end user while it’s being delivered by a provider. It can be live or prerecorded, and unlike a file that you might download, no data is saved to the user’s hard disk when the content has finished streaming. Like television or radio, the term streaming media refers more to the delivery method than to the actual medium itself. Attempts to display media this way date back to the mid-1900s, but little progress was made for a long time due to the limits in computer hardware and networks.

How Do I Create Content for My Users?

Windows Media Encoder, Microsoft Producer, and Windows Movie Maker can create and compress your audio and video content into the Windows Media format so you can create content for users. Table 6.2 shows the tools that are available from Microsoft.


Table 6.2 Tools to Create Content

Tool | Description
Windows Media Player | Rip content from a CD.
Windows Media Encoder | Convert live and recorded content.
Windows Movie Maker | Use for simple editing of audio and video.
Windows Media Stream Editor | Combine or split streams in existing Media files.

Many third-party programs in addition to the ones listed in Table 6.2 will allow you to encode media as a Windows Media file. Check with your vendor for details on how to perform the encoding.

How Do I Make This Content Available to My Users?

Now you understand what streaming media is and how to create it, but how do you make it available to your users or clients? Simply put, you place the content into a directory, create a reference point called a publishing point for the content, and then create an announcement to tell your users about the content. Windows Media Services uses these publishing points to tell a client how to reach the content. After that, the media server manages the connection and streams the content.

There are two types of publishing points: broadcast and on-demand. You can use two methods to get the content to your users: unicast stream and multicast stream.

In this section, we will look at four basic areas that will allow you to get the content to your users:

1. Using broadcast publishing points

2. Using on-demand publishing points

3. Delivering content as a unicast stream

4. Delivering content as a multicast stream

Let’s first look at broadcast publishing points. If you are looking for a solution to provide content similar to a television or radio show, then you will choose broadcast publishing. This allows the server to control the content. Most of the time, this would be what you see in a live broadcast of a company meeting. Because it is controlled at the server, a user can join the session and hear the content but they cannot rewind or fast forward. Therefore, users have no control over the session; they can only start and stop the feed.


Using on-demand publishing points, users are able to stream a video file whenever they want. This means that the content is streamed to the client only when they are connected, and therefore, the server has a separate connection with each client. This is best used when you want your clients or users to be able to have more control over the session. With on-demand publishing, users can stop, rewind, pause, fast-forward, and skip the content at their leisure. When would this be used? Many companies record training material that they want the users or instructors to be able to control. On-demand publishing would be a good fit for this type of use.

On-demand publishing points can also be used to stream media from a remote server or another publishing point. These can be part of a playlist or just content on another server. However, when the media resides on another server, the users will not be able to use the playback controls, such as pause, fast-forward, skip, and rewind.

By default, Windows Media Services uses unicast streaming. The stream is a one-to-one connection between the server and the client. Only those clients that request a specific stream will receive it. Unicast works with both on-demand and broadcast publishing points. The benefit of using this type of streaming is that it is easier to set up and will work in environments that are not set up for multicast streaming. The drawback of unicast is that because it’s a one-to-one connection, it will be limited by the speed of the server and the network. If your content is going to be viewed simultaneously by a large number of clients, you will want to monitor your server to ensure that it is not overwhelmed.

You would want to consider using unicast if the following applies to you:

- You require a detailed client log.
- Your audience is small or the content is small enough to be compatible with your network and server.
- Your network is not multicast enabled.

Multicast is the ability to stream media from a single server to many clients at the same time. The server streams the content to a multicast IP address on the network, and all clients receive the same stream by using that IP address. Unlike unicast streaming, multicast streaming can only be done from a broadcast publishing point. The hardware and network must be multicast enabled; they have to be able to transmit a Class D IP address (224.0.0.0 to 239.255.255.255). If you are unsure whether the network hardware, like routers and firewalls, can transmit this type of address, check with your hardware vendors before attempting a multicast stream. The benefit of using this type of streaming is that, if the network allows, there is only one stream from the server no matter how many clients you have; it requires the same amount of bandwidth as a single unicast stream. This will preserve network bandwidth and can be used if your network bandwidth is low.

Multicast on the Internet is generally not a viable option since only small portions are multicast enabled. Multicast is best used in a corporate environment where all routers can be multicast enabled.


Multicast might be a good solution if the following applies:

- You’re broadcasting to a large audience.
- Network and server capacities are limited.
- The entire network is multicast enabled.

In Exercise 6.6, you will learn how to create a broadcast publishing point, and then in Exercise 6.7, you will configure a multicast stream from that publishing point.

Exercise 6.6

Creating a Broadcast Publishing Point

The following steps will aid you in creating a broadcast publishing point:

1. In Server Manager, expand Roles\Streaming Media Services\<server name>\Publishing Points.

2. Choose Add Publishing Point (Wizard).

3. On the Welcome to the Add Publishing Point Wizard screen, click Next.

4. Now choose a name for the publishing point and click Next.


5. On the following page, choose the option that fits your content type and then click Next.

6. Now choose how you want your content to be delivered and then click Next. You have the option to choose Unicast (each client connects to the server) or Multicast (requires a multicast router between the server and clients). For this exercise, choose Unicast, which is selected by default.

7. On the next screen, enter the encoder URL. An example would be http://encoder, and it would match the name of the server doing the encoding.

8. Check Enable Logging on This Publishing Point if you want to log data about the clients that are connecting. Click Next.

9. On the Summary page, review the selections, and if you want to publish this content right away, check Start Publishing Point When Wizard Finishes. Click Next.

10. Now you are at the Completing the Add Publishing Point Wizard page. Here you can create the announcement for the stream. Check After the Wizard Finishes and choose the type of announcement to make. If you are unsure, leave the default box checked, which is Create an Announcement File (.asx) or Web Page (.htm).

11. Click Finish.

12. Since the Unicast stream option was chosen in step 6, the Unicast Announcement Wizard appears. Click Next.


13. Review the Access to the Content page to ensure that the URL is pointing to the publishing point that was created in step 4. If it is not correct, click Modify and enter the server name or IP address.

14. On the Save Announcement page, make sure the announcement file is correctly pointing to the publishing point that was created in step 4. If not, click the Browse button and choose the location of the file. Click Next.

15. Edit any metadata on the next screen, where you can add a title, author name, and a copyright notice to the file. When finished, click Next.

16. Click Finish.

17. If everything completed successfully, you will be able to test your new content at the next screen.

Now that you have created the broadcast publishing point, you want to change the streaming type to make it a multicast stream, which will conserve network bandwidth and server load, as shown in Exercise 6.7.

Exercise 6.7

Configuring a Multicast Stream

The next steps can be used to configure a multicast stream:

1. In Server Manager, expand Roles\Streaming Media Services\<server name>\Publishing Points.

2. Click on the publishing point you created in Exercise 6.5, step 12.


3. In the Content pane, click the Properties tab.

4. In the Category section, click Multicast Streaming.

5. In the Plug-In section, click WMS Multicast Data Writer, and then right-click it and choose Properties.


6. In the Destination Multicast IP Address and Port section, specify the following settings:

- IP address: Type in the multicast address.
- Port: This is the port from which the content will be streamed.
- Time-to-Live (TTL): Here you enter the number of routers your multicast stream can pass through before timing out.

7. Click the Advanced tab if you have multiple network adapters on your server.

8. Click the IP address you want to use in the drop-down box.

9. In the Logging URL box, enter the URL to the logging directory and click OK.

10. To start this publishing point, right-click on it and choose Start.
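The three values entered in step 6 of Exercise 6.7 decide how far the stream can travel, so they are worth checking before the publishing point is started. The following Python sketch is an added example, not part of the book or of Windows Media Services; the function name and the `max_hops` site limit are assumptions, and the two sub-ranges it singles out (224.0.0.0/24 for local network control, 239.0.0.0/8 for administratively scoped use) are standard IANA assignments that the text above does not cover.

```python
import ipaddress

CLASS_D = ipaddress.ip_network("224.0.0.0/4")         # 224.0.0.0 to 239.255.255.255
LOCAL_CONTROL = ipaddress.ip_network("224.0.0.0/24")  # reserved, never forwarded by routers
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")    # meant to stay inside an organization


def check_multicast_destination(address, port, ttl, max_hops=8):
    """Return (errors, warnings) for one destination IP address / port / TTL entry.

    max_hops is an assumed site policy: the most routers a stream may cross.
    """
    errors, warnings = [], []
    try:
        ip = ipaddress.IPv4Address(address)
    except ValueError:
        ip = None
        errors.append("not a valid IPv4 address")
    if ip is not None:
        if ip not in CLASS_D:
            errors.append("outside the Class D range")
        elif ip in LOCAL_CONTROL:
            errors.append("reserved local-control address; routers will not forward it")
        elif ip not in ADMIN_SCOPED:
            warnings.append("not in the administratively scoped 239.0.0.0/8 block")
    if not (isinstance(port, int) and 1 <= port <= 65535):
        errors.append("port must be 1-65535")
    if not (isinstance(ttl, int) and 1 <= ttl <= 255):
        errors.append("TTL must be 1-255")
    elif ttl > max_hops:
        warnings.append("TTL exceeds the site limit of %d hops" % max_hops)
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample entries, not taken from the book.
    for entry in [("239.192.1.10", 5004, 4), ("224.0.0.5", 5004, 4),
                  ("192.168.1.10", 5004, 4), ("224.2.2.2", 70000, 64)]:
        print(entry, check_multicast_destination(*entry))
```

A low TTL and an address from the administratively scoped block both help keep a corporate broadcast from leaving the networks it was intended for.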


Configuring Advanced Streaming Solutions

Windows Media Services allows you to control most aspects of how you stream content to your users. If you just need to get a small video out to a limited number of users, the default settings will most likely accomplish the task. However, if you have a media server that gets a lot of traffic, it might be to your benefit to change some of the more advanced options.

In this section, we will review two areas:

- Intelligent streaming
- Fast streaming

The method that your server uses with Windows Media Player to detect and adjust the properties of a stream automatically is called intelligent streaming. This type of streaming allows for a continuous flow of content that is set according to the user’s connection speed. A user’s media player will respond to having low bandwidth by requesting that the server reduce the bit rate. For the most part, intelligent streaming is completely automatic and requires no additional configuration.

Fast streaming refers to a group of features that Windows Media Services includes to improve the quality of the user’s session:

- Fast Cache
- Fast Start
- Advanced Fast Start
- Fast Recovery
- Fast Reconnect

Fast Cache

Fast caching is a way for Windows Media Services and Windows Media Player to stream the content to the clients faster than the specified rate. So if you have a 128 kilobits per second (Kbps) stream, using Fast Cache you can stream it at 700Kbps. This is accomplished by streaming the content to the client machine, where Windows Media Player buffers it before playing it at the specified data rate.

This is extremely useful when streaming over wireless networks that have high latency or when the quality of the content received is of top priority.

When Fast Cache is enabled, intelligent streaming cannot be used. In addition, Fast Cache is used only by clients that connect to a unicast stream.

Exercise 6.8 shows you how to enable Fast Cache.


Exercise 6.8

Enabling Fast Cache

Do the following to enable Fast Cache:

1. In Server Manager, expand Roles\Streaming Media Services\Windows Media Services\<server name>\Publishing Points.

2. Click on your broadcast and click the Properties tab in the Content pane.

3. Now click on General in the Category section.

4. In the Property section, right-click Enable Fast Cache and choose Enable. (In the following screen shot, the Enable option is grayed out because Fast Cache is already enabled.)

Fast Start

Fast Start allows users to start to receive content more quickly. It does this by allowing the player to provide data directly to the buffer at higher speeds than the requested bit rate. This option is available to users with Windows Media Player for Windows XP or later. It helps reduce the delays and re-buffering that occur when a user fast-forwards and rewinds content. It also aids in a smoother transition between content items. Because it pre-buffers data, Fast Start also reduces the number of playback errors due to packet loss.


Advanced Fast Start

Advanced Fast Start is used for reducing startup times in Windows Media Player 10 and higher. It has all the same features and benefits as Fast Start but can start to play a stream before its buffer is full, unlike the Fast Start option, which makes the user wait until the buffer is full. With Advanced Fast Start, as soon as the player receives the minimum amount of data, playback will begin. While the content is being played, the buffer will continue to fill at an accelerated rate until full. Once the buffer is full, the acceleration stops and the stream continues to be received and played at its specified rate. Advanced Fast Start must be enabled because it is disabled by default (see Exercise 6.9).

Exercise 6.9

Enabling Advanced Fast Start

Advanced Fast Start will be enabled in the following steps:

1. In Server Manager, expand Roles\Streaming Media Services\<server name>\Publishing Points.

2. Click on the broadcast and click the Properties tab.

3. Click on General in the Category section.

4. In the Property section, right-click on Enable Advanced Fast Start and choose Enable.


Fast Recovery and Fast Reconnect

Fast Recovery and Fast Reconnect are similar in that they allow a media player to resume in case of corruption or network outage.

Fast Recovery is used when a media player receives lost or damaged data packets. If this occurs, the player does not have to request that the server resend the data. It can recover the lost or damaged data itself. To utilize this feature, you should enable forward error correction (FEC) on a publishing point. Enabling FEC will help in networks where packet loss or corruption frequently occurs, such as wireless networks and satellite connections.

Exercise 6.10 shows you how to enable FEC on a publishing point.

Exercise 6.10

Enabling FEC

To enable FEC, do the following steps:

1. In Server Manager, expand Roles\Streaming Media Services\<server name>\Publishing Points.

2. Click on your broadcast and click the Properties tab.

3. Now click on Wireless in the Category section.

4. Right-click Enable Forward Error Correction and choose Enable.


Fast Reconnect will reconnect a media session in case of a temporary network outage. When a client loses its connection to a media server, Fast Reconnect enables the client to reconnect to the server automatically and restart the streaming. How it affects the playback to the user depends on the following two factors:

Connected to an on-demand publishing point: The client restarts the playback at the point the connection was lost.

Connected to a broadcast publishing point: The client reconnects to the broadcast in progress. The user may experience a gap in the broadcast.

In Exercise 6.11, you’ll set the number of times a client can attempt a reconnect.

Exercise 6.11

Setting Client Connect Attempts

Configure client connect attempts with the following steps:

1. In Server Manager, expand Roles\Streaming Media Services\<server name>\Publishing Points.

2. Click on your broadcast and click the Source tab.

3. In the Content Source section, click Change.


4. In the location box, add ?WMReconnect=3 to the end of your location. This will allow the clients to attempt a reconnect three times.

5. Click OK.

Options for Configuring Security in a Windows Media Server

The content you provide to your users can be very valuable to your organization. Much time and money has been spent to create this content, and one of the more important tasks that you can do is control access to it. It is therefore important that you configure the security options of your media server. This will ensure that your company’s valuable media is protected from unauthorized access.

The following sections will cover these topics:

- Authentication
- Authorization

Authentication

Authentication confirms the identity of a user who is trying to gain access to a resource. After a user is authenticated, authorization occurs so that the user gains proper access to the content. When the user attempts to gain access, the server attempts to authenticate through the anonymous authentication plug-in. You would use this type of anonymous authentication if you do not want the users to have to enter a username and password. This is configured by default, but if you want to change the Anonymous account, you must make sure the account you use has read permissions for any files and folders that will be streamed.

In Exercise 6.12, you’ll change the Anonymous account.

Exercise 6.12

Changing the Anonymous Account

To change the Anonymous account, follow these steps:

1. In Server Manager, expand Roles\Streaming Media Services\<server name>\Publishing Points.

2. Click on your broadcast and click the Properties tab.

3. In the Category section, click Authentication.

4. In the Plug-In section, click on WMS Anonymous User Authentication.


5. Click the Properties button.

6. In the User Name box, type the account name you want anonymous users to use.

7. In the Password box, enter the password for the account.

8. In the Confirm box, reenter the password.

9. Click OK.

10. Right-click WMS Anonymous User Authentication and choose Enable.

Authorization and Authentication work hand in hand to grant access to the media on your server. If Authorization is enabled but Authentication is disabled, clients cannot access the server.

Authorization

Authorization takes information it receives from the authentication process and uses it to grant or deny access to the content. Authorization occurs only after authentication is successful. During this process, the server checks the user against the access permissions set on the resource.


Authorization uses the following three plug-ins:

WMS NTFS ACL Authorization: If you use NTFS, you can enable this feature to enforce the permissions.

WMS IP Address Authorization: You can allow or deny access based on IP address.

WMS Publishing Points ACL Authorization: You can create access control lists (ACLs) for your publishing points and assign access permissions to users or groups.

To configure these plug-ins, you will again use Server Manager (Exercise 6.13).

Exercise 6.13

Enabling ACL Authorization

To enable WMS NTFS ACL authorization, follow these steps:

1. In Server Manager, expand Roles\Streaming Media Services\<server name>\Publishing Points.

2. Click on the broadcast and click the Properties tab.

3. In the Category section, click Authorization.

4. Right-click WMS NTFS ACL Authorization and choose Enable.

To allow or deny access by IP address, you need to configure the WMS IP Address Authorization plug-in (see Exercise 6.14).

Exercise 6.14

Allowing or Denying IP Addresses

To allow or deny IP addresses, follow these steps:

1. In Server Manager, expand Roles\Streaming Media Services\<server name>\Publishing Points.

2. Click on the broadcast and click the Properties tab.

3. In the Category section, click Authorization.

4. Right-click on WMS IP Address Authorization and choose Properties.

5. Now choose one of the following options:

- Allow All Except Those in the Deny List
- Deny All Except Those in the Allow List
- Restrict as Specified in the Following List


6. After making the choices and filling in the IP addresses, click OK.
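The first two options in step 5 differ in what happens to an address that appears on no list, which is the decision that matters most for exposure. The following Python model is an added example, not the plug-in's own code: the function names, the CIDR entry format and the sample addresses are assumptions, and the third option (Restrict as Specified in the Following List) is not modelled because the text does not describe how it is evaluated.

```python
import ipaddress

ALLOW_EXCEPT_DENY = "Allow All Except Those in the Deny List"
DENY_EXCEPT_ALLOW = "Deny All Except Those in the Allow List"


def in_list(client_ip, entries):
    """True if client_ip falls inside any entry (single address or CIDR subnet)."""
    addr = ipaddress.ip_address(client_ip)
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == addr.version and addr in net:
            return True
    return False


def is_authorized(client_ip, mode, entries):
    """Decide access for one client under one of the two list modes."""
    try:
        listed = in_list(client_ip, entries)
    except ValueError:
        return False  # unparseable address or list entry: fail closed
    if mode == ALLOW_EXCEPT_DENY:
        return not listed
    if mode == DENY_EXCEPT_ALLOW:
        return listed
    raise ValueError("unknown mode: %r" % mode)


# Constructed sample data (private and documentation ranges, not from the book).
DENY_LIST = ["203.0.113.0/24"]
ALLOW_LIST = ["10.20.0.0/16", "10.30.1.15"]
CLIENTS = ["10.20.5.7", "10.30.1.15", "198.51.100.9", "203.0.113.50"]


def compare_modes(clients=CLIENTS):
    """Map each client to (deny-list mode decision, allow-list mode decision)."""
    return {
        ip: (is_authorized(ip, ALLOW_EXCEPT_DENY, DENY_LIST),
             is_authorized(ip, DENY_EXCEPT_ALLOW, ALLOW_LIST))
        for ip in clients
    }


if __name__ == "__main__":
    for ip, (deny_mode, allow_mode) in compare_modes().items():
        print("%-15s deny-list mode: %-5s allow-list mode: %s" % (ip, deny_mode, allow_mode))
```

The unlisted address 198.51.100.9 is admitted in deny-list mode and refused in allow-list mode, which is why the allow-list option is the safer default for content meant only for known networks.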

At times you will want to create ACLs for publishing points on your server. Configuring the ACL will allow you to grant or deny access to users or clients. Exercise 6.15 walks you through creating an ACL.

Exercise 6.15

Creating an ACL List

An ACL can be configured by following these steps:

1. In Server Manager, expand Roles\Streaming Media Services\<server name>\Publishing Points.

2. Click on your broadcast and click the Properties tab.

3. In the Category section, click Authorization.

4. Right-click on WMS Publishing Points ACL Authorization and click Properties.

5. On the Properties dialog box, you can do the following:

- Add or remove a user or group
- Set permissions for a new user or group
- Change the permissions for a group


6. Click OK.

Configuring Digital Rights Management (DRM)

Digital Rights Management, or DRM, is a technology that allows the owner of some forms of media to enforce terms of use on the people who have access to it. Those who own the copyright to music, film, books, and video commonly use DRM to protect their property.

You or your company may own media that you deliver on your media server or provide in email or SharePoint sites. It’s important to protect it. It is common for confidential and critical information to be sent from one company to a competing company or media outlet. This can cause public relations, legal, or competition problems for an organization. For example, a company may create a widget that is far superior to the competitor’s widgets. The company has spent thousands of man hours and millions of dollars to create and document this new widget. A disgruntled employee could easily send these documents to the competitor or post them to a weblog for the world to see. If the company protected these documents using a DRM solution, it would be able to avoid theft.


DRM Controversy

Much debate has sprung from companies using DRM to protect the media they own. This is especially true of the entertainment industry. Over the past five years, controversy over audio files such as MP3s, and more specifically the sharing of these files, has led the industry to adopt DRM protection.

Those in favor of DRM state that it is necessary for the copyright holders to be able to prevent others from duplicating and sharing their work illegally. Those opposed take the stand that as long as they are not using the media in a way that would violate commercial use, they should not have restrictions on content that they have purchased.

Despite the controversy around DRM, companies like Apple and Microsoft continue to use this form of protection. It allows the companies to provide content, such as music, on a subscription basis. Some companies are listening to the cries of the users and are now are providing content that is DRM free.

As bandwidth speeds increase to consumers’ homes, the availability of video and movies appears to be heading to a similar pay-per-view model. Will DRM continue to be a method to protect the rights of those who create or publish the content? Time will tell.

Although music and videos are often in the middle of this controversy, many companies are adopting DRM to protect internal documentation from prying eyes.

How Does DRM work? When media is created, it is encrypted in order to protect it. For a user to access this encrypted media, they have to have a license. This license contains information such as the following:

• How long the content can be used
• What actions can be done on the media

Simply put, the license or key unlocks the content and allows it to be played. The nice thing about DRM is that you get to control how long it will be unlocked. For example, say you want to provide content as a promotion that lasts only five days. With DRM protection, you can set the key to expire in five days. With DRM you don’t have to worry about users copying material and giving it to others because no matter who plays the content, they still need to acquire a key or license.

DRM rights are stored in the key and not the content. This means that you can create different keys for the same file. A normal DRM scenario would be that you encode content with DRM protection. Then it would be posted so that users could download it. After the content is downloaded, the user’s player sees that it is protected and connects to your license provider site to get the needed key. After the user pays for the key, they are able to play the content.

DRM also can be used to protect other types of files:

• Office documents
• Email

Word, Excel, PowerPoint, and other important company files can be protected using Active Directory Rights Management Services (AD RMS). A typical example would be a SharePoint intranet that has external users or allows them to view content.

The following sections assume that you have installed the AD RMS role and have reviewed the event log for any errors.

Encryption

Before the Internet boom, encryption was mainly used by the military to protect data. However, today encryption is a normal and needed protection against theft of content or documents.

What is encryption? It is locking up data through the use of electronic keys. It is similar to locking the doors on your home. You need a key to lock and unlock your door locks. It is doubtful you would ever consider having a home without any locks or leaving the doors open and going away for six months. If you did, you wouldn’t be surprised if your valuables were stolen. Some people even pay large amounts of money to purchase high-end security alarms to ensure that they have the best protection for their home. The same is true of your data; without locking it with a lock and key, you are inviting anyone to take it.

AD RMS encrypts data to keep out people who do not have the proper keys. With AD RMS, only trusted entities are granted access rights, just like giving someone you trust a key to your home.

In addition to the AD RMS clients installed on a computer, AD RMS can be used in specialized applications that are enabled to enforce the usage rights. The following applications are AD RMS enabled:

• Microsoft Office 2003
• Office 2007
• Windows Mobile 6

The AD RMS client is included with Windows Vista and Windows Server 2008. If you are using Windows 2000 Server, Windows XP, or another operating system, you can download the AD RMS client from the Microsoft Download Center at www.microsoft.com/downloads/details.aspx?FamilyId=02DA5107-2919-414B-A5A3-3102C7447838&displaylang=en.

For AD RMS to encrypt your data, you need to both have the AD RMS client installed and have an AD RMS–enabled application. However, to be able to create protected content you need to have the following:

• Office 2007 Enterprise
• Office 2007 Professional
• Office 2007 Ultimate

Exercise 6.16 will demonstrate how to create a protected document.

Exercise 6.16

Using AD DRM to Protect a Document

Protecting a document can be done by following these steps:

1. Open Microsoft Word 2007.

2. Open a document you want AD RMS to protect.

3. Click the Microsoft button in the top-left corner of the screen.

4. Click Prepare.

5. Click Restrict Permissions.

6. Click Restrict Access.

7. Now click Restrict Permission to This Document.

8. In the Read box, type in the name of the group that you want to allow read permissions.

9. Now save this document in your network location.

The group you specified can only view this document now. They will not be able to change, print, or even copy it.

Sharing Business Rules

Business rules are no different than policies. Business rules allow you, the administrator, to tell the user or client how they can use protected content.

Once you have created and protected your content, it is time to distribute it. For others to be able to view the content, they need access to your business rules. This means that you have to share your business rules with the license issuer. In this case, the license issuer would be your AD RMS server, so it would need to have access to these rules or policies.

Business rules can consist of the following:

• Seed
• Public key
• Specific rules

When you create protected content, you will choose a set of rules to do the following:

• Specify when the document expires
• Allow printing
• Allow copying

• Specify whether users can request additional permissions
• Give users and groups permissions to the document

This information gets stored within a license and is considered a rule because it states what the user can or cannot do. If you create the permission in an AD RMS application, such as Microsoft Word, your client machine has the rules. Now when you save the data, the rules are shared with the RMS server. When another user wants to view the content, their application recognizes that the content is protected and requests the license or set of business rules. If they have been given permissions to view the content, the content will open.

Sharing business rules is something that happens automatically when you create protected content in an environment where AD RMS is running. Sharing is done between the client and the server and requires no interaction from the user or administrator unless the content business rule requires the user to pay for the use.

Configuring License Delivery

When a user tries to open a file that is protected by AD RMS, the user’s application requests a license. The AD RMS server must look up the license information and then pass that along to the client. This allows the client to play the protected content.

This means that the user must have access to the license server to receive the license. You can control who has access to receive the license by configuring the exclusion policies (Exercise 6.17).

Exercise 6.17

Configuring Users’ Exclusions

To configure Users’ Exclusions, do the following steps:

1. Open the Active Directory Rights Management Services console by clicking Start\Administrative tools\Active Directory Rights Management Services.

2. Expand the local server and select Exclusion Policies.

3. From here you have the option to exclude the following:

   • Users
   • Applications
   • Windows versions
   • Lockbox

4. To exclude users, first right-click on Users in the left pane and choose Enable.

5. In the Actions pane, click Exclude User.

6. In the Exclude User Wizard that opens, check the box Use this option for excluding rights accounts certificates of internal users who have an Active Directory Domain Services account.

7. Enter the username of the account you want to exclude from having access to the license server.

8. If you’re unsure of the username, click the Browse button and choose the user account.

9. After entering the username, click Finish.

You can also exclude certain applications from receiving access to the license server. This is useful when you want users to be able to receive access to content such as Word, Excel, and PowerPoint documents but do not want them to be able to use a media player to play media content in the protected library.

Exercise 6.18 shows you how to exclude an application.

Exercise 6.18

Configuring Application Exclusions

Follow these steps to configure Application Exclusions:

1. Open the Active Directory Rights Management Services console by clicking Start\Administrative tools\Active Directory Rights Management Services.

2. Expand the local server and select Exclusion Policies.

3. In the Content pane, right-click on Applications and choose Enable.

4. In the Actions pane, click Exclude Applications.

5. On the Exclude Application page, enter the application filename and versions you want to exclude.

6. Click Finish.

Configuring Policy Templates

Policy templates help administrators set a standard for user access when it comes to content. In the past, this would have been done with NTFS rights and folders. Before AD RMS and DRM, administrators would create a network folder and then set access control rights on the folder. With AD RMS, you can reduce your workload and have users assign this control themselves. For example, policy templates can make sure that users do not remove the administrator’s ability to move, copy, or back up the content.

While creating policies is a relatively simple process, care is needed to ensure that your templates meet your users’ needs. This will require that you spend some time with your users and try to understand the needs of your company. Here are some of the things you want to consider:

• Needs of individual users
• Needs of groups of users
• Department access
• Client access
• How this affects network administrators

After spending time figuring out your company’s requirements, you can create policy templates so that when users create protected content, they can select your pre-configured templates.

Templates can be made available for users who might not be connected to the network when they create their content. This is accomplished by deploying your templates from a shared folder. The AD RMS client will then store copies of the policies on the local machine. This still allows you to change a policy that is in a shared folder, and then when the AD RMS client (which is installed on the client machines) polls the AD RMS server it will detect that a change has occurred in the templates and download it to the local machine.

To configure policy templates, open the Active Directory Rights Management Services console by clicking Start, then choosing Administrative Tools and then Active Directory Rights Management Services. Then follow the steps in Exercise 6.19.

Exercise 6.19

Configuring Policy Template

To configure a Policy Template, do the following:

1. Expand the local server.

2. Click on Rights Policy Templates.

3. In the Actions pane, click Create Distributed Rights Policy Template.

4. In the Template Identification page, click Add.

5. In the Name box, enter the name for this policy.

6. In the Description box, enter a description for this policy.

7. Click Add.

8. Back at the Template Identification page, click Next.

9. On the Add User Rights page, add the users and permissions required.

10. When finished, click Next.

11. Next, you are able to specify an expiration policy. Enter the dates, if any, on which you want the content being protected by this policy to expire.

12. Click Next.

13. On the Specify Extended Policy page, choose any additional conditions that you require for this template.

14. Click Next.

15. In the Specify Revocation Policy page, check the box next to Require Revocation if you need to deny permission based on other factors. Those factors can include users, application, content ID, or operating systems.

16. Click Finish to create the template.
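
The license checks described in the sections on license delivery, exclusion policies, and policy templates can be modeled in a few functions. This is an added conceptual example, not AD RMS code and not from the book: the HMAC signing, the field names, and the sample users, group, and application names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed key standing in for the license server's signing key (assumption:
# a shared-secret HMAC replaces the certificate-based signing a real server uses).
SERVER_KEY = b"constructed-demo-key"


@dataclass
class Template:
    """Rights policy template: principals, their rights, optional expiration."""
    name: str
    rights: dict                      # principal (user or group) -> set of rights
    valid_days: Optional[int] = None  # None means the license never expires


@dataclass
class ExclusionPolicy:
    """Principals and applications that must never receive a license."""
    users: set = field(default_factory=set)
    applications: list = field(default_factory=list)  # (filename, min_ver, max_ver)

    def reason(self, user, app, app_version):
        if user.lower() in self.users:
            return "user excluded"
        for name, low, high in self.applications:
            if app.lower() == name and low <= app_version <= high:
                return "application excluded"
        return None


def _sign(payload):
    blob = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, blob, hashlib.sha256).hexdigest()


def issue_license(template, exclusions, user, groups, app, app_version, now):
    """Server side: apply exclusions, then the template, and sign the result."""
    blocked = exclusions.reason(user, app, app_version)
    if blocked:
        raise PermissionError(blocked)
    granted = set()
    for principal in [user, *groups]:
        granted |= template.rights.get(principal.lower(), set())
    if not granted:
        raise PermissionError("no rights granted by template")
    expires = None
    if template.valid_days is not None:
        expires = (now + timedelta(days=template.valid_days)).isoformat()
    payload = {"user": user.lower(), "template": template.name,
               "rights": sorted(granted), "expires": expires}
    return {"payload": payload, "sig": _sign(payload)}


def allowed(lic, user, action, now):
    """Client side: check signature, owner and expiry before honoring a right."""
    payload = lic["payload"]
    if not hmac.compare_digest(lic["sig"], _sign(payload)):
        return False  # license was altered after it was issued
    if payload["user"] != user.lower():
        return False  # license was issued to someone else
    if payload["expires"] and now >= datetime.fromisoformat(payload["expires"]):
        return False  # past the template's expiration
    return action in payload["rights"]


def run_demo():
    """Constructed scenario: one document, one template, several requesters."""
    now = datetime(2008, 6, 1, tzinfo=timezone.utc)
    template = Template("Promotion (read only)",
                        {"sales": {"VIEW"}, "alice@example.com": {"VIEW", "PRINT"}},
                        valid_days=5)
    exclusions = ExclusionPolicy(users={"mallory@example.com"},
                                 applications=[("mediaplayer.exe", (1, 0), (9, 9))])

    def attempt(user, groups, app, version):
        try:
            return issue_license(template, exclusions, user, groups, app, version, now)
        except PermissionError as err:
            return str(err)

    bob = attempt("bob@example.com", ["sales"], "winword.exe", (12, 0))
    alice = attempt("alice@example.com", [], "winword.exe", (12, 0))
    forged = {"payload": dict(bob["payload"], rights=["PRINT", "VIEW"]),
              "sig": bob["sig"]}
    return {
        "bob_view": allowed(bob, "bob@example.com", "VIEW", now + timedelta(days=1)),
        "bob_print": allowed(bob, "bob@example.com", "PRINT", now + timedelta(days=1)),
        "bob_after_expiry": allowed(bob, "bob@example.com", "VIEW", now + timedelta(days=5)),
        "alice_print": allowed(alice, "alice@example.com", "PRINT", now),
        "forged_print": allowed(forged, "bob@example.com", "PRINT", now),
        "excluded_user": attempt("mallory@example.com", ["sales"], "winword.exe", (12, 0)),
        "excluded_app": attempt("bob@example.com", ["sales"], "mediaplayer.exe", (2, 0)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Because the rights live in the license rather than in the file, the same document yields a view-only license for the group member and a view-and-print license for the named user, and both stop working when the five-day expiration passes.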

Summary

Fax services are still a solution that companies, big and small, rely on to maintain and increase business. It is important that you do not overlook this technology. Spending time to configure routing rules will increase the productivity of your users because it can automate the process of scanning, emailing, and filing faxes.

After spending time understanding Windows Media Services, you should have an appreciation for how it can help an organization to create, distribute, and publish content. Many options exist beyond the basics. Looking at the advanced options helped you to understand that you can optimize the way you deliver the content to the user.

Digital Rights Management is something to take seriously in this day and age. If you don’t protect your data, chances are someone will acquire it. Protecting data is just smart management. AD RMS allows an administrator to protect files such as those created in Word, Excel, and PowerPoint. This is a great feature in Windows Server 2008: allowing users to protect data stored on a network share was something that administrators were reluctant to do. This was typically something that administrators would perform themselves. Now with AD RMS and policy templates, administrators can create a policy for protection and access control and the end user can apply that to their content, thus freeing up IT staff to perform other tasks.

Exam Essentials

Understand Fax Server options. Review how to configure dialing rules and routing rules. Understand how to set up a local fax and how to configure its properties.

Know how to configure basic media streaming solutions. It is important that you know when to use multicast and when to use unicast streaming, what publishing points are, and the difference between broadcast and on-demand publishing and when to use each.

• When to use multicast and when to use unicast streaming
• Publishing points
• The difference between broadcast and on-demand publishing and when to use each

Understand advanced options for media streaming. Understand topics such as fast caching, intelligent streaming and Fast Reconnect.

Know how DRM and AD RMS protect content. Review all forms of rights protection. Understanding terms like business rules and policies is important. Know how to configure a policy template and why they are needed.

Review Questions

1. To monitor activity in the Incoming, Inbox and Outbox folders of a fax server, it is recommended that you install Windows Fax and Scan. What feature should be installed for that software to be available?

A. Print Services

B. Fax Service

C. Media Services

D. Desktop Experience

2. How do you install fax devices that were used on the server prior to installation of the Fax Services role?

A. Rerun the Install Printer Wizard.

B. Do nothing. Fax devices are detected when the role is installed.

C. Consult the fax device vendor for installation instructions specific to your device.

D. Use the Windows Update service to re-install the device with the drivers needed for Fax Services.

3. When a fax device is detected and installed, it is automatically configured to do what?

A. Send faxes.

B. Receive faxes.

C. Send and receive faxes.

D. Nothing is enabled by default.

4. How is individual fax routing configured?

A. Per printer

B. Per fax device

C. Based on clients

D. Depends on volume

5. How would you ensure that faxes going to a certain area code are sent from only a particular fax device?

A. Instruct users to choose the device for that area code.

B. Configure the users’ computers to only use one device.

C. Create a fax rule that specifies a device to use a certain area code.

D. Install advanced fax software on your users’ computers and configure it to send faxes to the right device.

6. Which editions of Windows Server 2008 will allow advanced features such as multicast streaming?

A. Windows Server 2008 Standard

B. Windows Web Server 2008

C. Windows Server 2008 Core

D. Windows Server 2008 Enterprise

7. Which of the following is a correct procedure to install Windows Media Services?

A. Add Roles wizard.

B. Add Features wizard.

C. It must be downloaded and installed from Microsoft’s website as a service add-in.

D. Use Add/Remove Programs in Control Panel.

8. What are the system requirements for installing Windows Media Services?

A. One or more processors with a minimum speed of 550MHz

B. One or more processors with a minimum speed of 133MHz

C. 1GB of RAM

D. 5GB of free space

9. Which of the following correctly describes the term streaming media?

A. Media that is newer than 2003

B. Media that is created by Microsoft

C. Media that is displayed to the end user as it is being delivered from a server

D. Any media that contains audio

10. What does Media Services use publishing points for?

A. To stream Microsoft Publisher files

B. To tell clients how to reach content

C. To allow network users to use Microsoft Publisher without having the program installed

D. To hold content directories

11. What type of publishing point would you use to allow the users to control the fast-forward and rewind features for content?

A. Broadcast

B. Pay per view

C. On-demand

D. Silent

12. By default, what type of streaming does Media Services use?

A. Unicast

B. Single

C. Multicast

D. Multipoint

13. What type of streaming allows streaming from a single server to many clients?

A. Unicast

B. Multicast

C. Multipoint

D. Dual connection

14. When would you consider using Multicast streaming? (Choose all that apply.)

A. When your switches have unicast support

B. When you have only two media servers

C. When you’re broadcasting to a large audience

D. When your network is multicast enabled

15. What wizard is used to create a publishing point?

A. Media Services

B. Add/Remove Programs

C. Add Publishing Point

D. Add a Feature

16. When you enable Fast Cache, what other method cannot be used?

A. Intelligent streaming

B. Fast Start

C. Fast Reconnect

D. Fast Recovery

17. When Authorization is enabled on a media server but Authentication is disabled, what happens to the client’s request for access?

A. Nothing.

B. Clients are notified that Authentication is disabled.

C. Clients are not able to access the server.

D. Client requests are not affected.

18. AD RMS can protect what types of files?

A. Office documents

B. SharePoint files

C. Email

D. All of the above

19. The method to protect or lock up content with an electronic key is known as ___________________?

A. Intelligent protection

B. Encryption

C. DRM security

D. Lock and key

20. Which of the following is requested by a client computer when a user tries to open a protected file from Windows Server 2008?

A. Code

B. Authorization

C. License

D. Authentication

Answers to Review Questions

1. D. When the Desktop Experience feature is installed, it installs Windows Fax and Scan by default.

2. B. When the Fax Server role is installed, any devices already connected to the server are detected and installed.

3. A. After installation of a fax device, the fax server configures the device to send faxes.

4. B. Individual fax routing is configured on a per-device basis.

5. C. Fax rules allow you to optimize the use of faxes by associating a rule with a fax device and an area code or region.

6. D. Advanced features for Windows media servers are available on only Windows Server 2008 Enterprise and Datacenter editions.

7. C. Windows Media Services is not available from the Add Roles Wizard. It must be downloaded and installed from Microsoft’s website.

8. B. Windows Media Services require a minimum processor speed of 133MHz.

9. C. Any media that is played in a user’s player but resides on a server would be considered streaming.

10. B. Publishing points are used to tell clients how to find content.

11. C. On-demand broadcast allows the user to control the media. The user can stop, pause, rewind, and fast-forward the content.

12. A. Windows Media Services uses, by default, unicast streaming.

13. B. Multicast streaming allows the streaming of media from a single server to multiple clients.

14. C, D. You would consider using multicast if you need to deliver content to a large audience. Your network must be multicast enabled.

15. C. The Add Publishing Point Wizard is used to create publishing points.

16. A. When you use Fast Cache, you are not able to use intelligent streaming.

17. C. When Authentication is disabled, clients will not be able to access the server because both Authorization and Authentication are needed to grant a client’s request.

18. D. AD RMS can protect Office documents, SharePoint libraries, and email.

19. B. Encryption is the locking or protecting of data by using electronic keys.

20. C. A user will request a license from the server to view protected content.

Chapter 7

Configuring Windows SharePoint Services (WSS)

Microsoft Exam Objectives Covered in This Chapter:

• Configuring Network Application Services
   • Configure Microsoft Windows SharePoint Services server options. May include but is not limited to: site permissions; backup; antivirus; configuring Windows SharePoint Services service accounts

Windows SharePoint Services offers businesses a simple and cost-effective solution to collaborate and to manage knowledge, such as user forums, company libraries, and professional training. Microsoft provides this as a free add-on, starting with Windows Server 2003. Windows SharePoint Services, or WSS 3.0 as it will be referred to in the rest of the chapter, has had a major overhaul since its previous version, WSS 2.0, starting with using the .NET Framework 3.0. WSS 3.0 has also closed many of the gaps that WSS 2.0 had in ease of use and functionality. This makes WSS 3.0 a secure and simple-to-deploy option for any company looking to increase its efficiency in business processes. In short, WSS can give your people the access to information they need when they need it.

This chapter will give you the information you need to configure some key options of WSS, such as:

• Configuring Windows SharePoint Services, including incoming and outgoing email settings, workflow settings, antivirus configuration.
• Configuring Windows SharePoint Services Sites, including upgrading from WSS 2.0, creating or extending web applications.
• Configuring Authentication for Windows SharePoint Services, including authentication for WSS, Digest Authentication, and Web Single Sign-On.

This chapter assumes that you have already met the prerequisites and have already installed WSS 3.0 on your server per the Microsoft readme and deployment documents.

Installation files, deployment documentation, and readme files are available from the Microsoft TechNet site for WSS 3.0 at www.microsoft.com/technet/windowsserver/sharepoint/default.mspx. You must install WSS 3.0 with Service Pack 1 on Windows Server 2008 because WSS 3.0 without SP1 is not supported. More information about this can be found at http://support.microsoft.com/kb/943587.

The configurations and labs in this chapter are typical setups using Microsoft default settings. This is known as an out-of-the-box installation of WSS 3.0 on a Windows Server 2008 domain member server. Many of the steps explained here can also be used on a similar Windows Server 2003 Service Pack 1 (SP1) installation.

Configuring Windows SharePoint Services

Email, workflow, logging, and anti-virus settings allow your WSS site to provide superior functionality, thus increasing workflow and productivity. You don’t need to be an expert web designer to configure these options. You will, however, need information on your current email server to proceed.

For the following sections, you will need the email server display address (@yourcompany.com) and the outbound SMTP (Simple Mail Transfer Protocol) server address.

The WSS 3.0 Central Administration site will be used to configure the options in the following sections (Figure 7.1).

To open the Central Administration site on your WSS server, choose Start > All Programs > Administrative Tools and click on SharePoint 3.0 Central Administration.

Figure 7.1 WSS Central Administration site

On this central site is an Administrator Tasks checklist. It provides you with prioritized tasks, which will aid you in a successful setup. It is best if you take some time to familiarize yourself with the first item, “READ FIRST - Click this link for deployment instructions,” which is displayed on the Central Administration home page.

The quick start guide will help you understand how to deploy WSS in different deployment scenarios, such as deploying in server farm environments.

Configuring Incoming Email Settings

Before you enable incoming email, you must have preinstalled the Internet Information Services (IIS6 or newer is required for WSS 3.0) and Simple Mail Transfer Protocol (SMTP) server. This can be done from the Add/Remove programs option in Control Panel on your server.

Why do you need to bother with using the incoming email settings section? Say your users have started to use your new SharePoint site only to find out that in order for them to store email from other teams, they have to open the SharePoint site and upload the content. This would not only decrease productivity, it would also discourage users from using the information management features. Configuring this feature will allow your users to store their email-based information in lists and libraries and allows the site to receive email directly. The lists and libraries can be assigned an email address that will make the team sites more efficient in managing their information. Do you have a need to receive or offer support in your organization? Perhaps you could create a form for IT support. Configuring incoming email would allow your users to create an email message that can be sent to your staff. With some custom coding, you could use this feature to trace the progress of requests and have WSS alert them anytime a change is made to a request. And there are other benefits of configuring incoming email settings:

• Archiving email
• Creating a place to share information
• Adding content via email

To configure the incoming email settings, you need to locate the configuration page for incoming email. This page is found by following these steps:

1. On the navigation bar on the Central Administration site, click Operations.

2. Locate the Topology and Services section and select Incoming E-Mail settings, which will take you to the Configure Incoming E-mail Settings page (Figure 7.2).

Figure 7.2 Configuring email settings

There are four different sections that you should understand how to configure:

Enable Incoming E-Mail: When incoming email is enabled, sites can accept email and store incoming messages in lists and libraries.

Directory Management Service: This is how SharePoint connects your SharePoint site to your users’ organization directory. When active, it provides enhanced email features like creation and management of email distribution groups, creation of contacts in users’ directories, and allowing users to find email-enabled SharePoint lists in their address book.

Incoming E-Mail Server Display Address: This is usually something like @yourcompany.com.

Safe E-Mail Servers: This is where you specify if you want to lock down your SharePoint environment to just certain email servers or if you want to allow any email server to be able to route email to your site.

Now that you have a basic overview of the options, you’ll choose the options for the example scenario. In Exercise 7.1, you’ll configure the incoming email settings.

Exercise 7.1

Configuring Incoming Email Settings

To configure the incoming email settings, follow these steps:

1. Open the Central Administration site by choosing Start > All Programs > Administrative Tools and clicking SharePoint 3.0 Central Administration.

2. On the navigation bar on the Central Administration site, click Operations.

3. In the Topology and Services section, select Incoming E-Mail Settings.

4. In the Enable Incoming E-Mail section, choose Yes.

5. Select Automatic in the Enable Incoming E-Mail section.

6. In the Directory Management Service section, select No.

7. In the E-Mail Server Display Address box, type the email server name in the form @mycompany.com.

8. In the Safe E-Mail Servers section, select Accept mail from All E-Mail Servers.

9. Click OK.


Specify the email server address that is displayed when users create an incoming email address for a list or group. Use this setting in conjunction with the SharePoint Directory Management Service to provide an email server address that is more user friendly.

If you select Advanced for the Enable Incoming E-Mail option, you can specify a folder that the emails will be “dropped” into instead of using an SMTP server.

In this scenario, we know that we have only one email server in production, so there is no need to block other servers. However, if you choose to enable the Accept Mail from These Safe E-Mail Servers option, then type the IP addresses (one per line) of the email servers that you want to specify as safe in the corresponding box.

Configuring Outgoing Email Settings

Outgoing email settings are the building blocks administrators can use for several different email notification features. In fact, without proper configuration of the outgoing email settings, you will not be able to utilize alerts or application notification.

Similar to when you configured incoming email settings, you must have preinstalled the Internet Information Services (IIS6 or newer is required for WSS 3.0) and Simple Mail Transfer Protocol (SMTP) server.

So where would you use these features? As a company grows, it has a greater need to get key information to its users fast. Therefore, here are a few ways you could use alerts and notifications:

Alerts: Users can have the WSS site alert them when lists, discussions, libraries, and other parts of the site are updated. This works out nicely when you have two different groups working on the same documents, lists, or libraries. Users can configure alerts to notify them when changes are made to the documents they are responsible for. Because users are able to manage this configuration themselves, this reduces the amount of administration effort.

If your users are not able to configure alerts, check your permissions on the site. Users must have at least View permissions.

Notifications or administration notices: As a site administrator, you could use these to receive emails when a user requests access to a site or if you want to know when someone has gone over their storage quota. This would help simplify the process for your users and reduce the impact on your help desk.


WSS Email Benefits

About a year ago, we came across a client who was looking for a low-cost application that would allow them to create a purchase order form. They said that this application must send out email alerts to the approving manager and the user who submitted the purchase order. They wanted it to pull the user’s information from Active Directory and populate it on the form, which would save the user time and make sure the information on the request was standard.

We looked into several different applications to accomplish this task. After some additional research, we realized that WSS and the outgoing email feature would be exactly the foundation we would need to accomplish what the client wanted.

While this required some additional programming on our part, it was nice that we only had to configure the outgoing email settings to send alerts to the proper people. After setting up the outgoing email, we created the forms they wanted and linked certain dialog boxes to populate their Active Directory user account.

We were able to do all of this while staying in the client’s modest budget. The best part is that we are now able to take the code we used for this client and sell it to other clients as an already finished product.

Let’s review a few requirements that must be met before you can configure the settings because outgoing email relies on several components that you must consider.

• The From email address is used to help identify the sender of the message you receive. This can be something like [email protected].

• A Reply-To address is needed. This will be the address that your users reply to when they get an alert or administrator notification.

Many companies use [email protected] or something similar as a Reply-To address because they do not monitor this email address and thus do not want users to reply to an alert or system notice.

• SMTP service installed. You will need to know the DNS name or IP address of the SMTP server you plan to use. Some SMTP mail servers require usernames and passwords that you have to configure to allow your WSS site to use SMTP to send mail.

• Character set. You need to know what language set to use in the body of your alert email. If you do not know, use the default language.

Now that you are armed with the requirements, you can proceed to Exercise 7.2.


Exercise 7.2

Configuring Outgoing Email Settings

Follow these steps to configure outgoing email settings:

1. Choose Start > All Programs > Administrative Tools and click SharePoint 3.0 Central Administration.

2. On the navigation bar in the upper-left side of your screen, choose Operations.

3. Under the Topology and Services section, choose Outgoing E-Mail Settings to configure your mail settings.

4. In the Outbound SMTP Server box, enter your SMTP server address or IP address (for example, mailer.yourcompany.net).

5. In the From Address field, put in the address you want people to see when they get an email alert (for example, [email protected]).

6. In the Reply-To Address box, enter the email address you want people to use to reply (for example, [email protected]).

7. For the Character Set option, leave the default selected, which is 65001 (Unicode UTF-8).

8. Now click OK.


Configuring Outgoing Email Settings for a Specific Web Application

Now that you have configured the outgoing email for your WSS site applications, you might have a need for different settings for a specific web application. WSS gives you the ability to have two different applications send out email using different email addresses. For example, you can have an application in your HR department that sends out emails and an application on your news page that sends out alerts. You can configure each application to use a different From and Reply-To address.

Exercise 7.3 shows how to configure the settings for a specific application. In the exercise, the same SMTP settings that were used in Exercise 7.2 will be used again.

Exercise 7.3

Configuring Outgoing Email Settings for a Specific Web Application

To change the outgoing email settings for a web application, follow these steps:

1. Choose Start > All Programs > Administrative Tools and click SharePoint 3.0 Central Administration.

2. On the navigation bar at the upper-left side of your screen, choose Application Management.

3. Under the SharePoint Web Application Management section, choose Web Application Outgoing Email Settings.


4. In the Web Application section, select the application from the drop-down list.

5. Now, the first option in the Mail Settings section is Outbound SMTP Server. Input the same information you entered in Exercise 7.2. If you plan to use an SMTP server other than the default, enter the new server DNS name or IP address here.

6. Enter the From and Reply-to addresses you plan to use for this specific application. The From address is the address that will appear to your email recipients. The Reply-to address is the address your users will send to when they choose Reply.

7. The character set can remain at the default setting or one that is appropriate for your language.

8. Click OK.

Configuring Workflow Settings

Workflow settings are configured at the application level. This allows the site administrator or your end users to create their own application-specific workflows. You can have different workflows for each application.

You can choose to control whether end users or site administrators will configure these settings. Allowing your users to configure them can greatly reduce your administrators’ involvement, but it can increase the risk of nonstandard workflows entering your work environment. By default, your users can create their own workflows using only code that your site administrators deploy.

You also have the option to choose whether you want internal or external users to receive alerts when they are assigned a task. If you want external users to participate in the workflow process, then WSS will send them a copy of the document assigned to them.

As mentioned, the workflow is application specific and you will most likely configure these options after you have developed your applications. The Central Administration site will allow you to configure the workflow settings. You can configure these settings by following these steps:

1. From the Central Administration site, click Application Management on the navigation bar in the upper-left portion of the screen.

2. Choose Workflow Settings.

3. In the Web Application section, choose your application.

4. Under User-Defined Workflows, select Yes or No.

5. For Workflow Task Notifications, choose Yes or No to decide whether alerts are sent to your users when they are assigned a task and whether external users are sent a copy of any documents assigned to them.

6. Click OK.


Configuring Diagnostic Logging Settings

In this section, you have to make some basic decisions about what you want to log and how much you want to share with Microsoft. We will cover the following topics:

• Error reporting

• Microsoft Customer Experience Improvement Program (CEIP)

• Event throttling

When software is being set up, one of the least-configured settings is logging, which provides valuable data for both the IT professional and the application vendor. Taking some time to configure these options can save many hours of troubleshooting. In addition, if you choose to share this information with Microsoft, it will help the developers produce a better product. Providing this information to Microsoft is optional. We will review each of these options so you can make an informed decision.

Error reporting: When you have any issues with your application or hardware or encounter a problem, error reporting will create an error report or log information in a system log for you to review. The following list includes some of the items WSS collects:

• IP address of the server

• Product ID

• Condition of server when problem occurred

• Hardware your server is using

• Software version

While Microsoft does not try to collect personal information, it is entirely possible that such information could be included in the report. Personal information can include, but is not limited to, usernames, email addresses, URLs, and IP addresses. Microsoft states that it uses this information only to help determine the problem and how to solve it, but you will have to decide whether you want Microsoft to have it. You can choose to either send these error reports periodically or have this information sent silently. Please review any policies your corporation may have on sharing of information.

Microsoft Customer Experience Improvement Program (CEIP): If you agree to allow the sharing of information with Microsoft, it will use the information to improve the stability, functionality, and performance of the WSS product.

Event throttling: When you choose to log events, it is important that you manage not only what type of information is put into the logs, but also how large the logs can become. If you don’t configure these settings, you run the risk of the files growing out of control. You can choose to have this information logged into the Windows event log or trace logs.

You have a lot of control in WSS 3.0 when it comes to event throttling. You will have to decide the level of importance of each event because WSS has settings that specify how critical each event is. WSS breaks up the events into categories and you can decide to throttle them all or just throttle a single event.

Categories such as the following are defined by different services or common events in Windows SharePoint:

• All

• By product

• Features

• SharePoint services

• Administration functions

• Shared services

After choosing the type of category you want to log, you will want to choose the level of events to include in the log. The options for logging Windows events are as follows:

• None

• Error

• Warning

• Audit failure

• Audit success

• Information

When choosing the level of events to log, keep in mind that you always choose the least critical event you want to monitor. WSS will record events that are equal to or greater in severity than the selected event. This applies to both Windows events and trace logs. For more information on Windows event logs, please review the documentation that comes with your server.

The following options are available when using trace logs:

• None

• Unexpected

• Monitorable

• High

• Medium

• Verbose

In Exercise 7.4, we will show you how to configure the diagnostic settings.


Exercise 7.4

Configuring Diagnostic Log Settings

To configure diagnostic logging, follow these steps:

1. Choose Start > All Programs > Administrative Tools and click SharePoint 3.0 Central Administration.

2. On the navigation bar in the upper-left portion of your screen, choose Operations.

3. In the Logging and Reporting section, click Diagnostic Logging.

4. Choose Yes or No in the Customer Experience Improvement Program section.

5. In the Error Report section, choose to collect the error reports or to ignore them. If you choose to collect reports, decide if you want to periodically download or silently send the reports to Microsoft.

6. In the Event Throttling section, click on the drop-down box to select your category of events. In the Least Critical Event menus, choose the event equal to the lowest level you want to monitor.

7. In the Trace Log section, add the path to the location in which you want the log files to reside. If your WSS is in a server farm configuration, make sure the location you choose is available on all servers.


8. In the Number of Log Files box, enter the number of files you want to retain. If you are unsure, leave the default.

9. Change the number of minutes to use the log files.

10. Click OK.

Configuring Antivirus Settings

In today’s world, running your WSS server, or any other server for that matter, without an antivirus product is playing a dangerous game. It will only be a matter of time until a user uploads a virus and distributes it to others. It is best practice to install an antivirus product on all servers in a server farm.

After you install an antivirus product on the WSS server, it is important to configure the antivirus settings.

In a server farm, all web servers with documents must have the antivirus product installed before these settings will take effect.

There are four antivirus settings we can configure:

Scan Documents on Upload: When a user uploads a document to your WSS site, your antivirus product will scan it to ensure that it does not contain viruses. This helps prevent viruses from spreading to other users.

Scan Documents on Download: When selected, this feature will scan a document before it is downloaded to a user’s computer. It will prompt the user about an infection and allow them to decide to continue or not, unless you check the next option.

Allow Users to Download Infected Documents: When this option is selected, it allows users to download infected documents to their local computer. This is not a recommended option to select unless you have a specific reason to, like troubleshooting a document.

Attempt to Clean Infected Documents: If a virus is found during the scanning process, this option will allow the antivirus product to clean it automatically.

To locate these options, follow these steps:

1. Open the Central Administration site by choosing Start > All Programs > Administrative Tools and clicking SharePoint 3.0 Central Administration.

2. On the top navigation bar, click Operations.

3. In the Security Configuration section, click Antivirus. Use this page, seen in Figure 7.3, to configure your antivirus options.


Figure 7.3 Antivirus options

Using the Best Practices Analyzer Tool

The Best Practices Analyzer tool is used to check for common problems and to determine whether your WSS installation follows security best practices. The tool is also used to help you fine-tune your WSS installation so that it is optimized for performance.

To use the tool, download it and install it on your server. After it’s installed, you can check your site’s configuration by opening a command prompt and then switching to the location that contains the Best Practices Analyzer. By default this is C:\BPA.

Now follow these steps:

1. Type sharepointbpa.exe -cmd analyze -substitutions SERVER_NAME CentralAdministrationServer and press Enter.

Replace CentralAdministrationServer with the name of your server. You need to keep SERVER_NAME in capital letters.

2. After the Best Practices Analyzer tool has finished analyzing your site, open sharepointbpa.report.htm in a web browser to view the results. This file will be located in the same location as the installation. The default is C:\BPA.

You can download the tool at the following link: http://go.microsoft.com/fwlink/?LinkID=83335&clcid=0x409.


Configuring Windows SharePoint Services (WSS) Sites

With the installation of your default WSS 3.0 site complete, you are ready to start creating additional sites.

In the following sections, you will learn about these topics:

Upgrading from WSS 2.0: Careful planning and preparation is needed to successfully upgrade a WSS 2.0 installation.

Create or extend web applications: You must create applications before sites can be created. You will learn how to create and extend Web applications.

Configure alternate access mapping: This allows you to assign different URLs to the same site.

Create zones for web applications: A default zone is automatically created when you create a web application. We will explain how to add additional zones.

Create quota templates: With quota templates, you can control how large a site collection can become. You will learn how to configure the quota templates.

Create site collections: We will show you how to create a site collection and assign the primary and secondary owners.

Enable access for end users: After the creation of a site is completed, access will need to be granted to your users.

Add site content: After site collections are created, content can be added.

Upgrading from WSS 2.0

Performing an upgrade from WSS 2.0 to WSS 3.0 is not a simple process. Because each environment is different, as are the WSS applications, you must plan accordingly. It is also important that you not only give consideration to the initial software upgrade but also think about any issues that might come up after the upgrade.

First, Service Pack 2 for SharePoint Services 2.0 must be installed. Then the remaining prerequisites must also be met as follows:

• Install Microsoft .NET Framework 3.0.

• Enable Microsoft ASP.NET 2.0.

• Application and web server must be running Windows Server 2003 with Service Pack 1 (SP1).

Next, make sure that a full backup of the assigned SQL server has been completed. This will ensure that a recovery can be completed in case something goes wrong with the upgrade. WSS 2.0 uses two types of databases, a configuration database and a content database.


Microsoft has provided a pre-upgrade tool to scan the site that will be upgraded and then fix any errors before attempting the upgrade. During the installation of the WSS 3.0 upgrade, the installation wizard will exit and prompt you to run this tool. It is a good idea to run the tool each time that an error is fixed to make sure no additional issues have appeared.

For more information on the WSS 2.0 upgrade tool and the upgrade procedures, visit http://technet2.microsoft.com/windowsserver/WSS/en/library/700c3d60-f394-4ca9-a6d8-ab597fc3c31b1033.mspx?mfr=true.

If any custom Web Parts have been created for the site that will be upgraded, especially if ASP.NET 2.0 was used, you will need to test and verify that the Web Parts will work in the upgraded environment. If these parts were created with ASP.NET 1.1, they must be rebuilt using ASP.NET 2.0 before you attempt an upgrade.

You are now ready to perform the upgrade. We will cover only an in-place upgrade, so please consult the Microsoft TechNet articles from the above link for other upgrade options. Other options include a gradual upgrade and database migration.

Performing an in-place upgrade is the simplest option. In-place upgrades will update all content and configuration data at the same time. Keep in mind that while this upgrade is running, your users will not be able to access the web server; make sure you inform your users of this downtime. An in-place upgrade is best when you have a single server or a small farm with little to no custom applications. If you are in a medium to large server farm or have heavy customization, you are better off using a gradual upgrade, which would reduce the impact on your users. The process of upgrading includes the following steps:

• Install Windows SharePoint Services Version 3.0: This will perform an automated in-place upgrade.

• Run the Configuration Wizard: This will finish your upgrade and install the Central Administration web application.

• Review log files and resolve any issues: Log files can be located at %commonprogramfiles%\Microsoft Shared\web server extensions\12\LOGS.

When the upgrade is finished, review and perform any post-upgrade steps found in the Microsoft TechNet article referenced in this section.

Creating or Extending Web Applications

A web application is an IIS site with a unique application pool. Before creating sites or site collections, you first must create a web application. When you create a new application, a new database will also be created and the methods used to authenticate your connection to the database will be defined.

If you have a need to broaden your web application to users that are not on your domain, you will have to extend your application to another IIS website.


Performing an In-Place Upgrade

We recently did an in-place upgrade from WSS 2.0 to WSS 3.0 for a client that had about 250 users. The users had become very accustomed to using the WSS 2.0 site and found that the tool was valuable to their organization. The client asked for some additional features, such as allowing extranet users, blogging, and some additional forms that would be linked to their Internet site.

All of the custom applications were designed using WSS 2.0, and that was a cause for concern. We wanted to minimize the amount of development work needed to upgrade them to WSS 3.0. We decided to go ahead with the upgrade plans because the increased functionality and the ease of use were very appealing to both their administrators and end users. In addition, WSS 3.0 has features that would allow them to have extranet users and reduce the administration needed.

Following the Microsoft TechNet articles for Windows SharePoint Service 3.0 proved invaluable to having a successful upgrade. We determined to make images of the server before attempting the upgrade, which we highly recommend. After the images were created (we created an image of a domain controller for Active Directory access), we converted them to virtual machines. We’re glad we took the time to create the virtual machines because it allowed us to attempt several upgrades. We say several because the first time we performed an upgrade to WSS 3.0, the upgrade failed. Just a tip: make sure you install all the prerequisites listed on the site. We had failed to upgrade ASP.NET from 2.0 to 3.0.

After the upgrade was completed, our development staff had to update some of our custom applications. They would not work after the upgrade because the applications were developed in ASP.NET 2.0. Overall the upgrade was a success and we learned a lot in the process.

Follow these steps to create a new Web application:

1. Choose Start > All Programs > Administrative Tools and click SharePoint 3.0 Central Administration.

2. On the top navigation bar, click Application Management.

3. Choose Create or Extend Web Applications and then choose Create a New Web Application (Figure 7.4).

4. After you choose Create a New Web Application, the next page will allow you to choose to use an existing IIS site or create a new site. These options are found in the IIS Web Site section of the Create New Web Application page.

5. On the Create New Web Application page, enter your host header info and port number.

6. In the Security Configuration section, choose an authentication provider and whether you want to allow Anonymous access. If you are unsure, leave the defaults.


Figure 7.4 Creating a new web application

7. When SSL is chosen, remember to add an appropriate certificate on each server.

8. In the Load Balanced URL section, add the URL that all sites will use as links on their pages. By default, the box will add the current server name and port.

9. Choose an already existing application pool or make a new one. If you want to use an existing pool, then just choose that pool from the menu list. To create a new pool, click Create New Application Pool.

• Type the name of the pool in the Application Pool Name box.

• Choose Predefined to use an existing application pool security account.

• If you want to use an account for security that is not currently being used, type the username in the User Name box and the password in the Password box.

10. In the section titled Reset Internet Information Services, choose whether you want to allow SharePoint to restart IIS. If you choose not to allow SharePoint to restart the IIS service, this procedure must be performed manually, which can be done by running iisreset /noforce on each web server in the farm. Your new site will not be functional until after you restart the IIS service.

11. Now choose your database server, database name, and the method of authentication for the web application.

12. Click OK to create the new application.


To extend an existing web application, follow these steps:

1. Click Create or Extend Web application in the Web Application Management section.

2. Next, choose Extend an Existing Web Application.

3. In the Web Application section, choose a web application in the drop-down menu.

4. In the IIS Web Site section, choose whether you want to use an existing site or create a new one. The boxes below—Description, Port, and Path—will populate with default information. You can choose to keep the default information or enter your own.

5. In the Security Configuration section, configure the authentication and encryption options. If unsure, leave the default options.

6. Next, in the Use Secure Sockets section, choose whether you want to use Secure Sockets Layer (SSL). If you choose this option, an SSL certificate must also be installed.

7. In the Load Balanced URL section, add the URL that all sites will use as links on their pages. By default, the box will add the current server name and port.

8. In the same section, under Zone, select the zone for the extended web application. Options are Intranet, Internet, Custom, and Extranet.

9. Click OK.

Configuring Alternate Access Mapping

Alternate access mapping is one of the more powerful features in WSS 3.0. Yet, for whatever reason, it is also one of the least understood.

Where does this feature shine? Do you have a reverse proxy or load balancing needs? Then this feature will benefit you.

But just what is alternate access mapping? Simply put, it tells SharePoint how to map a request from a web browser to the proper web application. This is needed so that SharePoint can give the correct content back to you. It then tells WSS what URL the user should be directed to.

One of the biggest reasons you would want to configure alternate access mapping is when the URL of a web request received by IIS is not the same URL that the user entered.

Each web application can support five collections of mappings per URL. They correspond to the five zones: default, intranet, extranet, Internet, and custom.
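The mapping described above, as an added example (not code from the book or from SharePoint): a simplified Python model of one mapping collection, in which the URL that IIS receives selects a zone and that zone's public URL is what goes into the links sent back. The host names, the class and function names, and the fallback to the Default zone's public URL when a zone has none are assumptions of this model.

```python
from urllib.parse import urlsplit

ZONES = ("Default", "Intranet", "Internet", "Custom", "Extranet")
DEFAULT_PORTS = {"http": 80, "https": 443}


def base_url(url):
    """Reduce a URL to scheme://host[:port]; default ports are dropped."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    port = parts.port or DEFAULT_PORTS[scheme]
    if port == DEFAULT_PORTS[scheme]:
        return f"{scheme}://{parts.hostname}"
    return f"{scheme}://{parts.hostname}:{port}"


class MappingCollection:
    """Simplified model of one alternate access mapping collection."""

    def __init__(self, default_public_url):
        self.public = {}    # zone -> public URL that users see in links
        self.internal = {}  # URL as received by IIS -> zone
        self.set_public_url("Default", default_public_url)

    def add_internal_url(self, url, zone):
        if zone not in ZONES:
            raise ValueError(f"unknown zone: {zone}")
        url = base_url(url)
        owner = self.internal.get(url)
        if owner is not None and owner != zone:
            raise ValueError(f"{url} is already mapped to zone {owner}")
        self.internal[url] = zone

    def set_public_url(self, zone, url):
        # Assumption of this model: a public URL is also an internal URL
        # of its own zone, so direct requests to it resolve as well.
        self.add_internal_url(url, zone)
        self.public[zone] = base_url(url)

    def remove_internal_url(self, url):
        url = base_url(url)
        zone = self.internal[url]
        in_default = [u for u, z in self.internal.items() if z == "Default"]
        if zone == "Default" and len(in_default) == 1:
            # The Default zone must always keep at least one URL.
            raise ValueError("cannot delete the last URL of the Default zone")
        del self.internal[url]

    def resolve(self, request_url):
        """Return (zone, public URL) for a request as IIS received it, or None."""
        zone = self.internal.get(base_url(request_url))
        if zone is None:
            return None
        # Assumed fallback: a zone without its own public URL uses Default's.
        return zone, self.public.get(zone, self.public["Default"])

    def link_for(self, request_url):
        """URL that would be written into the response for the requested page."""
        hit = self.resolve(request_url)
        if hit is None:
            return None
        parts = urlsplit(request_url)
        query = f"?{parts.query}" if parts.query else ""
        return f"{hit[1]}{parts.path}{query}"


def build(proxy_zone):
    """Constructed scenario; every host name here is made up for the example."""
    coll = MappingCollection("http://wss01")                 # intranet users
    coll.set_public_url("Internet", "https://portal.example.com")
    # The reverse proxy publishes portal.example.com and forwards the
    # request to IIS under this internal URL.
    coll.add_internal_url("http://wss-ext:8080", proxy_zone)
    return coll


if __name__ == "__main__":
    request = "http://wss-ext:8080/sites/hr/default.aspx?ID=7"
    # Weak: proxy traffic lands in the Default zone, so external users
    # get links that carry the internal server name.
    print("Default zone :", build("Default").link_for(request))
    # Corrected: proxy traffic lands in the Internet zone and links use
    # the published URL.
    print("Internet zone:", build("Internet").link_for(request))
```

With the forwarded URL left in the Default zone, the returned link exposes the internal server name and does not work from outside; placing it in the Internet zone makes every returned link use the published address.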

You will now learn how to add an internal URL, edit or delete an internal URL, map to an external source, and edit public URLs:

1. Choose Start > All Programs > Administrative Tools and click SharePoint 3.0 Central Administration.

2. On the top navigation bar, click Operations and then choose Alternate Access Mappings.

To add an internal URL, follow these steps:

1. Click Add Internal URLs on the Alternate Access Mappings page (Figure 7.5).

Figure 7.5 Add Internal URL

2. If your collection is not specified in the Alternate Access Mapping Collection, choose the collection from the drop-down menu.

3. Add the new URL in the next box and choose your zone.

4. Click Save.

To edit or delete an Internal URL, follow these steps:

1. In the Alternate Access Mappings page, click on the URL you want to edit or delete.

2. Modify the URL and/or the zone.

3. If the URL needs to be deleted, click Delete at the bottom of the screen.

4. If you made any changes to the URL, click Save.

You cannot delete the last URL because there should always be at least one URL for the default zone.

To edit public URLs, follow these steps:

1. Back on the Alternate Access Mappings page, click Edit Public Zone URLs.

2. Select a collection from the Alternate Access Mapping Collection menu box. See Figure 7.6.

Figure 7.6 Edit Public Zone URLs

3. Modify or add URLs in the Public URLs section.

4. Click Save.

WSS 3.0 allows you to define resources that are outside of an internal application, but you need to make sure the URL is unique to your server farm.

To map to an external source, follow these steps:

1. On the Alternate Access Mappings page, click Map to External Resource. The Create External Resource Mapping page is shown in Figure 7.7.

2. Type a unique resource name and add a new URL in the boxes in the External Resource Mapping section.

3. Click Save.

Creating Zones for Web Applications

Use the procedure outlined in the section “Creating or Extending Web Applications” to create a new zone. A new zone is created when you extend an existing Web application.

Figure 7.7 The Create External Resource Mapping page

Creating Quota Templates

As users get used to using your WSS site, they will naturally start storing more and more data on it. This can be a blessing because you are finally getting them to use your new data management tool. However, caution is needed because a database can grow out of control. Quota templates are a solution to this problem. With these templates, you can add storage limits on a site collection. This feature can trigger an email alert to your administrators when this size limit is reached.

You can apply these quotas to any site collection in a server farm. The quota will apply to the top-level site and all other sites under it.

To create a new quota template, follow these steps:

1. Open the Central Administration site by clicking Start > All Programs > Administrative Tools and clicking SharePoint 3.0 Central Administration.

2. Click Application Management.

3. Under the SharePoint Site Management section, choose Quota Templates (Figure 7.8).

Figure 7.8 Creating a quota template

4. Choose Create a New Quota Template in the Template Name section. (From this section, you can also choose to edit an existing template or delete an existing template.) You can create this template using an existing quota template or just choose a new blank one. Name the new template.

5. In the Storage Limit Values section, set the limits for data storage and the threshold for sending an alert email.

6. Click OK.

Creating Site Collections

When you create a new site collection, you are also creating a top-level website for WSS. You will have the option to choose several templates for the site, such as templates for document libraries, help desk, knowledge bases, room and equipment reservations, team sites, wikis, and blogs.

To create a new site collection, you will need to navigate to the Application Management page, which can be done by choosing Start > All Programs > Administrative Tools and clicking SharePoint 3.0 Central Administration. Then, follow these steps:

1. Click Application Management, and in the SharePoint Site Management section, click Create Site Collection. The Create Site Collection page is shown in Figure 7.9.

Figure 7.9 Creating a new site

2. Make sure the web application is selected in the Web Application drop-down box.

3. Give the collection a title and description, and then add a URL in the URL box.

4. Choose a template in the Template Selection section.

5. Next, add primary and secondary site administrators.

6. Select a quota template.

7. Click OK.

Enabling Access For End Users

Now that the WSS site is created, you can give access to your users. This section will help you understand how to give access to site administrators, collection administrators, site owners, and, most important, end users. Without proper access planning, you can find yourself taking away or adding access needlessly.

For more information on planning site security, visit http://technet.microsoft.com/en-us/library/cc288189.aspx.

Within a site collection, you can configure access to sites, libraries, folders, documents, and items. Most of the configuration of user access will take place in the site collection and not from the Central Administration page.

First add site collection administrators to your site. This portion is done from the Central Administration site by choosing Start > All Programs > Administrative Tools and clicking SharePoint 3.0 Central Administration. Then, just follow these steps:

1. Choose Application Management from the navigation bar.

2. In the SharePoint Site Management section, click Site Collection Administrators. Figure 7.10 shows the Site Collection Administrators page.

Figure 7.10 The Site Collection Administrators page

3. Select a site collection from the drop-down menu.

4. In the following two boxes, add primary and secondary site collection administrators.

5. Click OK.

You are now ready to give site owners, visitors, and other groups access to your site.

When assigning access, it is a good practice to add groups for access instead of individual users. This makes administration of security easier to manage.

First we’ll show you how to set up groups and then how to add users to those groups. Navigate to your site, and on the home page, select Site Settings from the Site Action menu. Then follow these steps:

1. Click People and Groups. Figure 7.11 shows the resulting page.

Figure 7.11 Adding users and groups

2. From this page, choose Groups from the Settings menu.

3. From the Settings drop-down menu, click Set Up Groups.

4. From this page, you can set up or change users and groups. You can also create a new group.

Now that you have your groups set up, you can add users to groups and give them proper permissions:

1. On the People and Groups page, click on the new group that was created.

2. Choose New on the navigation bar and select Add Users.

3. On the Add Users page, type the name of the accounts to add. You can browse for users in Active Directory.

4. In the Give Permissions section, add the level of permissions you want the users to have. Make sure you have selected Add Users to a SharePoint Group and that you select the correct group.

5. Finally, choose whether you want to have a welcome email sent to the new user and any personal message.

6. Click OK.

Adding Site Content

There are three main ways you can add content to your WSS sites:

• Allow users to add content.

• Use web designers to create content.

• Migrate content from another site.

There are some things to consider when choosing what option you will use for adding site content:

• Will the public see this content?

• Is the site for a large organization?

• Are you redesigning or reorganizing another site?

• Will the site be a collaboration site, which might include wikis, blogs, or other user-created content?

Here are two of the more popular choices for adding content to a WSS site:

User-added content You can immediately allow users and site owners to add content to the WSS sites by following the steps in the section “Enabling Access For End Users” earlier in this chapter.

The benefit of allowing user-added content is it involves users immediately, and they tend to want to add and update the content on a regular basis.

Migrate content You have a couple of options to migrate content from a different site. One option is to use the Export and Import operations of the Stsadm tool. The other option is to use the Central Administration page to perform a migration.

Read more about the Stsadm tool and the Central Administration options for migrating content by visiting the Windows SharePoint Services 3.0 Technical Library at http://technet.microsoft.com/en-us/library/cc288664.aspx.

Configuring Authentication for WSS

Authentication is the process of validating a user’s rights to log into your WSS site and verifying the level of access they should have. WSS uses IIS to manage user authentication. After IIS has determined that the user is authentic, WSS will perform the authorization. WSS will then allow the user to access the resources on the WSS site to which they have been given access.

WSS has provided support for federated authorization, also known as Web Single Sign On (Web SSO). This means that the authentication system is not local to the computer that hosts Windows SharePoint Services 3.0.

WSS provides for several other authentication scenarios:

• Standard Windows authentication.

• Simple database containing usernames and passwords.

• Integrating directly into your company’s identity management system.

• Using several systems together. This would allow for a company identity system to authenticate partner employees but another system to authenticate internal employees.

Table 7.1 shows the supported authentication methods.

Table 7.1 Supported Authentication Methods

Authentication Method | Description | Examples
Windows | These are standard IIS Windows authentication methods. | Basic; Anonymous; Digest; Certificates; Kerberos (Integrated Windows); NTLM (Integrated Windows)
ASP.NET forms | WSS 3.0 adds support for identity management systems by adding ASP.NET-based forms authentication. | LDAP (Lightweight Directory Access Protocol); SQL Database or other databases; Other ASP.NET-based forms
Web Single Sign-On (SSO) | Enables SSO in environments that are on disparate platforms. | ADFS (Active Directory Federation Services); Additional identity management systems

The following sections will cover a couple of the configuration options:

• Digest authentication

• Web Single Sign-On (Web SSO) using Active Directory Federation Services (ADFS)

Configure Digest Authentication

Digest authentication is similar to Basic authentication. The main difference is that Digest authentication is more secure. How does Basic authentication work?

First, Windows account credentials must have been previously assigned. Then, Basic authentication allows credentials to be passed on over a web browser. Basic authentication, however, lacks security because user credentials are passed over the network in plain text and over an unsecure HTTP session. You are able to increase security by using SSL encryption.

Digest authentication provides increased security because user credentials are encrypted before being sent over the network. Digest uses a challenge/response protocol, which means that the authentication requestor will have to correctly answer a challenge from the server. To do this, the client has to supply a correct shared secret password string.
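
The difference between the two schemes on the wire, as an added example that is not from the book: a Basic header decodes straight back to the password, while a Digest client answers the server's nonce with an MD5 digest that the server recomputes and compares. This follows the generic HTTP Digest scheme of RFC 2617 with qop=auth, not the code path IIS and Active Directory use internally; the class and function names are hypothetical.

```python
"""Basic vs. Digest on the wire (generic RFC 2617 qop=auth). Illustrative only."""
import base64
import hashlib
import hmac
import secrets


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_header(user, password):
    """Basic: the credentials are only base64-encoded, not protected."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic(header):
    """What any observer of a non-SSL session can read from a Basic header."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode("utf-8")
    user, _, password = raw.partition(":")
    return user, password


def digest_response(user, password, method, uri, challenge, nc, cnonce):
    """Client side: answer the challenge without sending the password."""
    ha1 = md5_hex(f"{user}:{challenge['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(
        f"{ha1}:{challenge['nonce']}:{nc}:{cnonce}:{challenge['qop']}:{ha2}"
    )


class DigestServer:
    """Server side: issues nonces, recomputes the digest, rejects replays."""

    def __init__(self, realm, accounts):
        self.realm = realm
        # Store HA1 = MD5(user:realm:password) rather than the password itself.
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in accounts.items()}
        self.last_nc = {}  # nonce -> highest request counter accepted so far

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.last_nc[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        if nonce not in self.last_nc or user not in self.ha1:
            return False  # unknown nonce or unknown account
        count = int(nc, 16)
        if count <= self.last_nc[nonce]:
            return False  # same nonce and counter seen before: replayed request
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{self.ha1[user]}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False  # wrong password, or digest made for another realm/URI
        self.last_nc[nonce] = count
        return True


if __name__ == "__main__":
    # Constructed account and realm; "intranet" stands in for the realm name
    # entered in the IIS Digest settings.
    print(decode_basic(basic_header("jsmith", "S3cret!")))

    server = DigestServer("intranet", {"jsmith": "S3cret!"})
    ch = server.challenge()
    answer = digest_response("jsmith", "S3cret!", "GET", "/default.aspx",
                             ch, "00000001", "0a4f113b")
    args = ("jsmith", "GET", "/default.aspx", ch["nonce"], "00000001", "0a4f113b")
    print(server.verify(*args, answer))   # first use of this nonce/counter
    print(server.verify(*args, answer))   # identical request sent again
```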

To use Digest authentication, you have to meet the following requirements:

• Users and the IIS server must be on the same domain or have a trust relationship.

• You must have a valid user account in Active Directory.

• You must have at least one Windows Server 2003 server in the domain.

• You must install the IISSuba.dll file on the domain controller. This file is automatically copied to the server when you install a Windows Server 2003 server.

• Windows Server 2003 must have SP2 installed.

• A hot fix is needed if you are using a web browser that is not Internet Explorer 6.0 or 7.0.

Users can be configured for authentication within a zone of a web application. The zones are as follows:

Internet: For your customers

Intranet: For your internal users

Default: For your remote employees

Custom: For your administrators

Extranet: For your partners

Both WSS and IIS must be configured to use Digest authentication. Exercise 7.5 shows how to configure Digest authentication.

Exercise 7.5

Configuring Digest Authentication

To configure Digest Authentication, follow these steps:

1. Choose Start > All Programs > Administrative Tools and click SharePoint 3.0 Central Administration.

2. On the navigation bar in the upper-left side of your screen, choose Application Management.

3. In the Application Security section, choose Authentication providers.

4. On the Authentication Providers page, make sure the application you want to configure is listed and then click on it.

5. Click the zone of the web application for which you want to enable Digest authentication.

6. In the IIS Authentication section of the Edit Authentication page, clear the Integrated Windows Authentication and Basic Authentication boxes.

7. Click Save.

Now we will use the IIS management console to enable Digest authentication in IIS:

8. Choose Start > All Programs > Administrative Tools and click Internet Information Services.

9. In the connections pane, under sites, click on the IIS site that corresponds to the web application zone for which you want to configure Digest authentication. In the features view, in the center of the screen under IIS, double-click Authentication.

10. Highlight Digest Authentication, then right-click it and choose Enable. This will enable Digest authentication with the default settings.

11. Optionally, in the Actions section, click the Edit button to enter a realm name.

12. Enter the realm that is appropriate and click OK.

13. Click OK on any remaining dialog boxes.

Configuring Web SSO Authentication by Using ADFS

Web Single Sign On (SSO) will allow users in a company different than your own to access servers hosted by you. It accomplishes this by using their existing Active Directory accounts. Web SSO relies on Active Directory Federation Services (ADFS) to create a trust relationship between two companies, which results in a one-time logon for end users. After a user is authenticated, they are given an authentication token (cookie).

The Microsoft SharePoint blog has some good information about configuring multiple authentication providers. The URL is http://blogs.msdn.com/sharepoint/archive/2006/08/16/configuring-multiple-authentication-providers-for-sharepoint-2007.aspx.

To complete Exercise 7.6, you should have already installed the Web Agent for Claims Aware Applications, installed the hot fix for ADFS (it’s included in Windows 2003 Service Pack 2), and created a web application. The web application needs to be configured to use Windows authentication.

In this exercise, you’ll configure your extranet web application so that it will use Web SSO.

Exercise 7.6

Configuring Web SSO Authentication

Web SSO authentication will be configured by performing the following steps:

1. First, extend the web application. This can be done from the Central Administration site.

2. Open the Central Administration site by choosing Start > All Programs > Administrative Tools and clicking on SharePoint 3.0 Central Administration.

3. On the navigation bar, choose Application Management.

4. Click Create or Extend Web Applications and then click Extend an Existing Web Application.

5. Make sure the application is selected in the Web Application menu.

6. In the IIS Web Site section, add a host header (for example, extranet.myresearch.net).

7. Now change the zone to Extranet.

8. Give the site a host header name. This will be what you will configure DNS to resolve against.

9. Check the box to use SSL.

10. Change the port number to 443 (it is required by ADFS).

11. In the Load Balanced URL box, delete the :443 text string.

12. Finish extending the web application by clicking OK.

13. Verify that the URLs on the Alternate Access Mappings page are correct. (See Figure 7.5 earlier in this chapter.)

14. You will now need to add an SSL certificate. This certificate should be issued to the name that clients will use. You added this same name as a host header.

You will now configure the authentication provider for the extranet zone so that it uses Web SSO:

15. Under the Application Security section on the Application Management page, click Authentication Providers.

16. From the menu bar labeled Web Application, select your application from the drop-down menu.

17. You should now see two mapped zones for this application. Click the Windows link for the Extranet zone.

18. Choose Web Single Sign On in the Authentication Type section.

19. In the Membership Provider Name box, add the following: SingleSignonMembershipProvider2. Keep this value because you will need it when you edit the web.config file.

20. Add SingleSignonroleProvider2 in the Role Manager box. Remember this value also for editing the web.config file.

21. Check to make sure the Enable Client Integration setting is set to No.

22. Click Save.

Now the application has been configured to use Web SSO. However, permissions still need to be assigned to the users so they can access this site.

To find out how to configure user permissions for extranet websites, please review the documentation found at the following URL: http://technet.microsoft.com/en-us/windowsserver/sharepoint/default.aspx.

Summary

Proper configuration of email, logging, alerts, and workflow settings is vital to a productive WSS installation. Taking the time to configure these settings, as well as antivirus settings, will ensure that all WSS sites are running at peak performance. When you’re finished with the configuration of these settings, run the Best Practices Analyzer tool.

In this chapter, you saw how powerful an application WSS can become when you create and extend web applications. Never overlook the value of quota templates to ensure that site collections do not grow out of control. This chapter also stressed the importance of a properly planned and executed upgrade from WSS 2.0 to 3.0.

As you plan a WSS 3.0 installation, time should be devoted to how users will be authenticated. WSS 3.0 supports several security scenarios, such as standard Windows authentication, simple database, using a company identity management system, and Web Single Sign On.

Exam Essentials

Understand how to perform an upgrade. It is important for you to be familiar with the recommended upgrade procedures. Knowing what the prerequisites are will prove valuable.

Know authentication types. Review all forms of authentication and the differences between basic, digest, NTLM, and ADFS. It’s important to know when and why to use each type.

Understand logging. Know where you would look to find event logs for WSS events. Review what information is collected and how to set up trace logging.

Configuring incoming and outgoing email. Review and understand how to configure both incoming and outgoing email settings. Understand how a WSS 3.0 site can benefit from using these features.

Review Questions

1. Where can you configure email, workflow, and logging settings?

A. SharePoint Community Portal

B. SharePoint Central Administration site

C. Site actions

D. Team site

2. The term safe email servers refers to what?

A. Email servers that are configured properly

B. Email servers that are not on the DNS blacklist

C. Servers you deem safe to receive emails from

D. Servers that are on the same Active Directory domain

3. For users to be able to configure email alerts, they must have at least what level of permissions?

A. Site administrator

B. Read and Write

C. Full

D. View

4. What service must be installed before you can send out emails and alerts from your WSS server?

A. DNS

B. SMTP

C. Active Directory

D. SNMB

5. What are some of the errors that diagnostic logging will record? (Choose all that apply.)

A. Product ID

B. IP address of server

C. Software version

D. Condition of your server at time of error

6. What categories are defined in WSS event throttling? (Choose all that apply.)

A. Features

B. By product

C. Workstations

D. Active Directory users

7. When choosing the level of event to log, what should you keep in mind?

A. WSS will record events that are greater than or equal to the selected event.

B. How many users will be accessing your WSS site?

C. How much free space is left on your WSS server hard drives?

D. WSS will record events that are equal to or less than the selected event.

8. What options do you have when using trace logs? (Choose all that apply.)

A. High

B. Medium

C. Unnecessary

D. None

9. On a properly configured WSS server using an anti-virus solution, when would you allow users to download infected documents?

A. When users complain that they need the document for a project deadline.

B. Always, because most all of the warnings in a WSS site are considered false positives.

C. Only when you have a specific reason such as troubleshooting a virus on your system.

D. Only when you have an antivirus solution on the end users’ computers.

10. When should you use the Best Practices Analyzer tool?

A. When you need to check for common problems and determine if your installation is configured with the best security practices

B. Only when you have an issue with a web application

C. Only when you want to use this tool in a server farm network

D. Only when you are using Exchange servers

11. What does alternate access mapping allow you to do?

A. Create a specific web zone.

B. Control how large your site collections become.

C. Add different UNC paths.

D. Assign different URLs to the same site.

12. What are the prerequisites for upgrading from WSS 2.0? (Choose all that apply.)

A. Microsoft .NET Framework 3.0.

B. Service Pack 2 for SharePoint Services 2.0.

C. 100GB of free space for the upgraded database.

D. Nothing; you cannot upgrade SharePoint services 2.0 to WSS 3.0.

13. Before performing an upgrade from a 2.0 WSS site to 3.0, what type of backup should be performed?

A. Full

B. Not needed because it is performed during upgrade.

C. Partial

D. Differential

14. When must you rebuild your Web Parts before you perform an upgrade?

A. When the web parts were created with ASP.NET 1.1.

B. It is not required to rebuild Web Parts because the upgrade will rebuild the application.

C. When the Web Parts were created with ASP.NET 2.0.

D. Only when the Web Parts contain workflow settings.

15. True/False: Quota templates are used to manage a site’s template library.

A. True

B. False

16. When you create a new site collection you are also creating a top-level ___________________ .

A. Application

B. Library

C. Website

D. Extranet site

17. What items can you configure access for within a site collection? (Choose all that apply.)

A. Library

B. Folder

C. Item

D. Document

18. The majority of the configuration of user access is configured within ___________________ .

A. Central Administration site

B. Site collection

C. Active Directory

D. User groups

19. It is good practice, when giving users access, to assign access by ___________________ .

A. Individual users

B. NTFS

C. Groups

D. NDS

20. While WSS allows for Basic authentication, why is it not recommended?

A. Lacks security.

B. IIS does not support it.

C. Will not authenticate with Active Directory users.

D. It is only for NDS networks.

Answers to Review Questions

1. B. Email, workflow, and logging are configured from the WSS 3.0 Central Administration site.

2. C. When you configure incoming email settings, you enter the DNS names or IP addresses of servers from which you can safely receive incoming email.

3. D. Users must have at least View permissions to configure alerts.

4. B. Before you can enable outgoing email, you must install the SMTP service. The SMTP service is a component of IIS and must be running on at least one server in your farm.

5. A, B, C, D. All of the items listed are logged into an error report or system log when diagnostic logging is configured properly.

6. A, B. Categories are defined by services or common events. Workstations and Active Directory users are not events or services. However, defining by features or by products is supported.

7. A. You always want to choose the least-critical event to monitor because WSS will record only events that are greater than or equal to the selected event.

8. A, B, D. Your options when using trace logs include None, Unexpected, Monitorable, High, Medium, and Verbose.

9. C. You should enable the feature to download infected documents only when you are troubleshooting a virus or if you have a specific reason. By default, you want to disable this feature.

10. A. This tool can be used for troubleshooting common problems and to determine if you have the best security configuration. It can also be used to optimize your configuration.

11. D. Alternate access mapping allows you to give different URLs to the same site.

12. A, B. Before you can upgrade to WSS 3.0, you have to install .NET 3.0, enable ASP.NET 2.0, and install Service Pack 2 for SharePoint Services 2.0, and your application and web server must be on Service Pack 1 of Windows 2003.

13. A. To ensure that you can recover your current installation of SharePoint Services, you always want to have a current full backup of your SQL database.

14. A. If any custom Web Part was created with ASP.NET 1.1, you must first rebuild the part with ASP.NET 2.0 and then perform an upgrade.

15. B. Quota templates are used to add storage limits on your site collections.

16. C. A top-level website is also created when you create a new site collection.

17. A, B, C, D. Within a site collection you have the ability to configure access to libraries, folders, items, and documents.

18. B. User access is configured within the site collections.

19. C. When you plan for and give access to users for site collections, it is best practice to create groups and assign groups access.

20. A. WSS will support Basic authentication but lacks security because it passes the user’s information over the network in clear text.

Chapter 8

Using Virtualization in Windows Server 2008

Microsoft Exam Objectives Covered in This Chapter:

• Configure Windows Server Hyper-V and virtual machines. May include but is not limited to:

  • Virtual networking, virtualization hardware requirements, Virtual Hard Disks, migrate from physical to virtual, VM additions, backup, optimization, server core

Hyper-V is a new server role in Windows Server 2008 that allows you to virtualize your environment and therefore run multiple virtual operating system instances on a physical server simultaneously. This not only helps you to improve server utilization, it helps you to create a more cost-effective and dynamic system.

In this chapter, you will learn the basic concepts and features of Hyper-V that a Windows Server 2008 technical specialist must know. You will also get a solid understanding of what is important in virtualization and in what areas of your work life you can use it.

As this chapter is being written, Hyper-V is not yet final. All testing, pictures and screen shots in this chapter have been made with the Hyper-V Release Candidate 0 version.

This chapter will cover the following topics:

• Hyper-V overview

• Hyper-V installation and configuration

• Configure virtual machines

Hyper-V Overview

In the following sections, we’ll introduce you to Hyper-V. To begin, we’ll take a look at virtualization and what types of virtualization exist. We will then discuss Hyper-V features and the Hyper-V architecture before finishing up with the Hyper-V requirements for software and hardware.

What Is Virtualization?

Virtualization is a method for abstracting physical resources from the way they interact with other resources. For example, if you abstract the physical hardware from the operating system, you get the benefit of being able to move the operating system between different physical systems. This is called server virtualization. But there are also other forms of virtualization available, such as presentation virtualization, desktop virtualization, and application virtualization. We will now briefly explain the differences between these forms of virtualization:

Server virtualization This basically enables multiple servers to run on the same physical server. Hyper-V is a server virtualization tool that allows you to move physical machines to virtual machines and manage them on a few physical servers. Thus, you will be able to consolidate physical servers.

Presentation virtualization When you use presentation virtualization, your applications run on a different computer and only the screen information is transferred to your computer. An example of presentation virtualization is Microsoft Terminal Services in Windows Server 2008.

Desktop virtualization This provides you with a virtual machine on your desktop, comparable to server virtualization. You run your complete operating system and applications in a virtual machine, so your local physical machine just needs to run a very basic operating system. An example of this form of virtualization is Microsoft Virtual PC.

Application virtualization Application virtualization helps to prevent conflicts between applications on the same PC. Thus it helps you to isolate the application running environment from the operating system installation requirements by creating application-specific copies of all shared resources and helps reduce application-to-application incompatibility and testing needs. An example of an application virtualization tool is Microsoft SoftGrid Application Virtualization.

Hyper-V Features

As a lead-in to the virtualization topic and Hyper-V, we will start with a list of key features, followed by a list of supported guest operating systems. This should provide you with a quick high-level view on this feature before we dig deeper into the technology.

Key Features of Hyper-V

The following list provides the key features of Hyper-V:

New architecture The hypervisor-based architecture that has a 64-bit micro-kernel provides a new array of device support as well as performance and security improvements.

Operating system support 32-bit and 64-bit operating systems can run simultaneously in Hyper-V. Different platforms like Windows, Linux, and others are also supported.

Support for Symmetric Multiprocessors (SMP) Support for up to four processors in a virtual machine environment provides you with the ability to run applications as well as multiple virtual machines faster.

Network load balancing Hyper-V provides support for Windows Network Load Balancing (NLB) to balance the network load across virtual machines on different servers.

New hardware architecture Hyper-V’s new architecture provides improved utilization of resources like networking and disks.

Quick migration Hyper-V’s quick migration feature provides you with the functionality to run virtual machines in a clustered environment with switch-over capabilities when there is a failure. Thus you can reduce downtime and achieve higher availability of your virtual machines.

Virtual machine snapshot You can take snapshots of running virtual machines, which provides you with the capability to easily recover to any previous virtual machine snapshot state quickly.

Scripting Using the Windows Management Instrumentation (WMI) interfaces and APIs, you can easily build custom scripts to automate processes in your virtual machines.

Supported Guest Operating Systems

The following guest operating systems have been successfully tested on Hyper-V and are hypervisor aware:

• Windows Server 2008 x86 (VM configured as 1-, 2-, or 4-way SMP)

• Windows Server 2008 x64 (VM configured as 1-, 2-, or 4-way SMP)

• Windows Server 2003 x86 (VMs configured as 1- or 2-way SMP only)

• Windows Server 2003 x64 (VMs configured as 1-way only)

• Windows Vista x86 with Service Pack 1 (VMs configured as 1-way only)

• Windows XP x86 with Service Pack 3 (VMs configured as 1-way only)

• SUSE Linux Enterprise Server 10 with Service Pack 1 x86 Edition

• SUSE Linux Enterprise Server 10 with Service Pack 1 x64 Edition

The list of supported guest operating systems might be extended once Hyper-V is released. Please check the official Microsoft Hyper-V site to get an accurate list of supported operating systems: www.microsoft.com/virtualization.

Hyper-V Architecture

This section will provide you with an overview of the Hyper-V architecture (see Figure 8.1). We’ll explain the differences between a hypervisor-aware and non-hypervisor-aware child partition.

Figure 8.1 Hyper-V architecture [Diagram: a parent partition running Windows Server 2008 (virtualization stack with WMI provider, VM service, and VM worker process in user mode; Windows kernel and VSP in kernel mode) beside child partitions (a hypervisor-aware OS such as Windows Server 2003 or 2008 with integration components, a Xen-enabled Linux kernel with Linux integration components, and a non-hypervisor-aware OS using emulation), connected by the VMBus, all above the Hyper-V hypervisor and the hardware.]

As you can see, Hyper-V is based on the new microkernel architecture. Hyper-V provides a virtualization layer called a hypervisor that runs directly on the system hardware. You can see that the hypervisor is similar to what the kernel is to Windows. It is a software layer responsible for the interaction with the core hardware and works in conjunction with an optimized instance of Windows Server 2008 that allows running multiple operating systems on a physical server simultaneously. The Hyper-V architecture consists of the hypervisor and parent and child partitions.

The Windows Server 2008 operating system runs in the parent partition and provides the WMI provider for scripting as well as the VM service.

Each virtual machine runs in its own child partition. Child partitions do not have direct access to hardware resources; instead, they have a virtual view of the resources, which are called virtual devices.

If you’re running a hypervisor-aware operating system like Windows Server 2003 or Windows Server 2008 in your virtual machine, any request to the virtual devices is redirected via the high-speed VMBus to the devices in the parent partition, which will manage the requests. By default, only Windows Server 2008 is a hypervisor-aware operating system. Once you install the Hyper-V integration components on an operating system other than Windows Server 2008, it will be hypervisor aware. Microsoft provides a hypervisor adapter to make Linux hypervisor aware.

Non-hypervisor-aware operating systems (e.g., Windows NT 4.0) use an emulator to communicate with the Windows hypervisor, which is slower than using the VMBus.

Hyper-V Requirements

The following sections will describe the hardware and software requirements for installing the Hyper-V server role. It is important to understand these requirements for your software license as well as for planning for server hardware. When you understand the requirements, you can design and configure a Hyper-V solution that will meet the needs of your applications.

Hardware Requirements

In addition to the basic hardware requirements for Windows Server 2008, there are requirements that are needed to run the Hyper-V server role on your Windows server. They are listed in Table 8.1.

Table 8.1 Hardware Requirements for Hyper-V

Requirement Area: CPU
Definition:
• Hardware Data Execution Protection (DEP) must be available and enabled. Specifically, you must enable Intel XD bit (execute disable bit) or AMD NX bit (no execute bit).
• Hardware-assisted virtualization. This is available in processors that include a virtualization option, specifically, Intel VT and AMD Virtualization (AMD-V).
• An x64-based processor (Intel or AMD). Remember that Hyper-V does not support Itanium (IA-64) processors.

Requirement Area: Memory
Definition:
• Additional memory is required for each virtual machine, depending on the operating system you want to run.
• 512MB minimum for the operating system.

Requirement Area: Hard disk
Definition:
• Additional space is required for each virtual machine, depending on the operating system you want to run.
• 8GB for operating system.

The Add Roles Wizard in Server Manager additionally verifies the hardware requirements. A good starting point is to check your hardware against the Microsoft hardware list to make sure your hardware is supported by Windows Server 2008. If you try to install the Hyper-V server role on a computer that does not meet the CPU requirements, you get a warning window that looks like Figure 8.2.

Figure 8.2 Warning window that Hyper-V cannot be installed

Verifying Hyper-V’s CPU requirements is not that easy, especially if you don’t know exactly where to look. We found a freeware tool called Securable that you can use to check your CPU to make sure it meets Hyper-V’s requirements. You can download it from the following page: http://www.grc.com/securable.htm.

Software Requirements

To use virtualization in Windows Server 2008, you need to consider the basic software requirements for Hyper-V. Hyper-V runs only on the following editions of the Windows Server 2008 operating system:

• Windows Server 2008 Standard (x64 based)

• Windows Server 2008 Enterprise (x64 based)

• Windows Server 2008 Datacenter (x64 based)

It’s important to understand for your exam that Windows Server 2008 Web edition, any Windows Server 2008 x86-based editions, and Windows Server 2008 editions without Hyper-V do not support the Hyper-V server role. Also, Hyper-V is not available on the Windows Server 2008 for Itanium-Based Systems edition.

For the exam, you should know what Windows Server 2008 editions will support Hyper-V. Also remember that Hyper-V can be installed on Full and Server Core installation options.

Hyper-V Installation and Configuration

The following sections explain how to install the Hyper-V role using Server Manager in Windows Server 2008 full installation mode or the command line in Windows Server 2008 server core. We will then take a look at Hyper-V as part of Server Manager before discussing how to use the Hyper-V Manager. Finally, we will look at the Hyper-V server settings and then cover two important areas for Hyper-V: virtual networks and virtual hard disks.

Install Hyper-V Role

Now it’s time to see how to install the Hyper-V server role on the two installation options of Windows Server 2008, namely, Full as well as Server Core.

Installing Hyper-V on Full Installation Mode

You can install the Hyper-V server role on any Windows Server 2008 installation for which the Full option was chosen. In addition, the server must meet both the hardware and software requirements. The installation process is simple, as Exercise 8.1 shows.

Exercise 8.1

Installing Hyper-V on Full Installation Mode

Complete the following steps to install Hyper-V on Windows Server 2008:

1. Click Start > Administrative Tools > Server Manager.

2. In Server Manager, click Roles > Add Roles.

3. On the Select Server Roles page, check Hyper-V and click Next.

4. On the Hyper-V page, click Next.

5. On the Create Virtual Networks page, leave Local Area Connection unchecked, and click Next.

6. On the Confirm Installation Selections page, review the selection and then click Install.

7. After the installation is finished, click the Close button.

8. Now the Add Roles Wizard will pop up and ask you to restart the system. Click Yes to perform a restart.

9. After the system restarts and you log in again, the Resume Configuration Wizard appears and finishes the installation. Once the Installation Results page appears, click Close.

Install Hyper-V on Server Core

New to Windows Server 2008 is the Server Core installation option, which creates an operating system installation without a GUI shell. You can either manage the server remotely from another system or use the server core’s command-line interface.

This installation option provides the following benefits:

• Reduces attack surface (because fewer applications are running on the server)

• Reduces maintenance and management (because only the required options are installed)

• Requires less disk space and produces less processor utilization

• Provides a minimal parent partition

• Reduces system resources required by the operating system as well as the attack surface

Using Hyper-V on a server core installation, you can fundamentally improve availability because the attack surface is reduced and downtime due to patches is optimized. It will thus be more secure and reliable with less management.

To install Hyper-V on your Windows installation, you must execute the following command in the command-line interface:

    start /w ocsetup Microsoft-Hyper-V

Because the OCSETUP command is case sensitive, make sure you write Microsoft-Hyper-V exactly as shown. Otherwise you will get an error message and Hyper-V won’t be added as a server role.

Hyper-V in Server Manager

As with all the other Windows Server 2008 roles, the Hyper-V role neatly integrates into Server Manager. Server Manager filters the information just for the specific role and thus displays only the required information. As you can see in Figure 8.3, the Hyper-V Summary page shows related event log entries, the state of the system services for Hyper-V, and useful resources and support.

Figure 8.3 Hyper-V in Server Manager

Using Hyper-V Manager

Hyper-V Manager is the central management console to configure your server and create and manage your virtual machines, virtual networks, and virtual hard disks. Unlike Virtual Server 2005, where you managed all virtual machines through a web interface, Hyper-V Manager is managed through a Microsoft Management Console (MMC) snap-in. You can access it either in Server Manager or by using Start > Administrative Tools > Hyper-V Manager. Figure 8.4 shows how Hyper-V Manager looks once you start it.

Figure 8.4 Hyper-V Manager

Hyper-V Manager is available for the following operating systems:

• Windows Server 2008

• Windows Vista with Service Pack 1 (SP1)

Hyper-V Manager is only installed on a Windows Server 2008 machine when you install Hyper-V on it. On Windows Vista, you will need to install the Hyper-V Manager MMC for Vista SP1 to manage Hyper-V from your Vista client. Hyper-V Manager can be installed only on the following versions of Windows Vista:

• Business

• Enterprise

• Ultimate

To download Vista Hyper-V Manager, use the following URLs:

• For Windows Vista x64: www.microsoft.com/downloads/details.aspx?FamilyId=450931F5-EBEC-4C0B-95BD-E3BA19D296B1&displaylang=en

• For Windows Vista x86: www.microsoft.com/downloads/details.aspx?FamilyId=BC3D09CC-3752-4934-B84C-905E78BE50A1&displaylang=en

It’s important to understand that there will be no version of Hyper-V Manager for Windows XP or Windows Server 2003. Thus, you might need to use a remote control solution like Remote Desktop Connection to a computer that can run Hyper-V Manager in order to manage it from your desktop.

You can use Hyper-V Manager to connect to any Full or Server Core installation remotely. Besides Hyper-V Manager, you can use the WMI interface for scripting Hyper-V.

Configure Hyper-V Settings

In this section, you will get an overview of the available Hyper-V settings for the server. You configure all server-side default configuration settings like default locations of your configuration files or the release key. You can open the Hyper-V Settings page (Figure 8.5) in Hyper-V Manager by clicking Hyper-V Settings in the Actions pane.

Figure 8.5 Hyper-V settings

The Hyper-V Settings page includes the following settings:

Virtual Hard Disks Specifies the default location of your virtual hard disk files (.vhd).

Virtual Machines Specifies the default location of your virtual machine configuration files. It includes the Virtual Machine XML configuration files (part of the Virtual Machines folder) as well as related snapshots (part of the Snapshot folder).

Keyboard Defines how to use Windows key combinations. Options are Physical Computer, Virtual Machine, and Virtual Machine only when running full screen.

Release Key Specifies the key combination to release the mouse in your virtual machine. Options are Ctrl+Alt+left arrow, Ctrl+Alt+right arrow, Ctrl+Alt+space, and Ctrl+Alt+Shift.

User Credentials Specifies whether you want to use your default credentials to connect to a running virtual machine.

Delete Saved Credentials Deletes any saved credentials stored on this computer.

Reset Check Boxes Resets any check boxes that hide pages and messages when checked. This will bring up again any window on which you checked the Do Not Show This Window Again check box.

Manage Virtual Networks

A virtual network provides the virtual links between nodes in either a virtual or a physical network. Virtual networking in Hyper-V is provided in a secure and dynamic way because you can granularly define virtual network switches for their required usage. For example, you can define a private or internal virtual network if you don’t want to allow your virtual machines to send packets to the physical network.

In order to allow your virtual machines to communicate with each other, you need virtual networks. Virtual networks work just like normal networks, except that they exist only on the host computer; they allow you to configure how virtual machines communicate with each other, with the host, and with the network or Internet. You manage virtual networks in Hyper-V using Virtual Network Manager, shown in Figure 8.6.

Using Virtual Network Manager, you can create, manage, and delete virtual networks, sometimes also called virtual switches. You can define the network type as external, internal only, or private:

External Any virtual machine connected to this virtual switch can access the physical network. You would use this option if you want to allow your virtual machines to access, for example, other servers on the network or the Internet. This option is used in production environments where your clients connect directly to the virtual machines.

Internal Only This option allows virtual machines to communicate with each other as well as the host system, but not with the physical network. When you create an internal network, it also creates a local area connection in Network Connections that allows the host machine to communicate with the virtual machines. You can use this if you want to separate your host’s network from your virtual networks.

Private virtual machine network When you use this option, virtual machines can communicate with each other but not with the host system or the physical network; thus no network packets are hitting the wire. You can use this to define internal virtual networks for test environments or labs, for example.

Figure 8.6 Virtual Network Manager

It is of the utmost importance that you understand the different virtual network types because it is highly likely that there will be a question about them on the exam.

On the external and internal only virtual networks, you also can enable virtual LAN (VLAN) identification. You can use VLAN to partition your network into multiple subnets using a VLAN ID. When you enable virtual LAN identification, the NIC connected to the switch will never see packets tagged with VLAN IDs. Instead, all packets traveling from the NIC to the switch will be tagged with the access mode VLAN ID as they leave the switch port. All packets traveling from the switch port to the NIC will have their VLAN tags removed. If you are already logically segmenting your physical machines, you can use this to segment your virtual ones in the same way.
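
The tagging behavior described above, modeled on raw Ethernet frames as an added example (not code from the book or from Hyper-V). The AccessPort class, its method names, the sample frame, and the rule that already-tagged frames coming from the NIC are dropped are assumptions of this model.

```python
"""Model of access-mode VLAN handling on a virtual switch port (802.1Q)."""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet II frame into addresses, VLAN ID (or None) and payload."""
    if len(frame) < 14:
        raise ValueError("frame is shorter than an Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18  # low 12 bits of the TCI hold the VLAN ID
    return {"dst": frame[0:6], "src": frame[6:12], "vlan_id": vlan_id,
            "ethertype": ethertype, "payload": frame[offset:]}


def add_tag(frame: bytes, vlan_id: int) -> bytes:
    """Insert a 4-byte 802.1Q tag (priority 0) after the source MAC address."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in the range 1-4094")
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan_id) + frame[12:]


def strip_tag(frame: bytes) -> bytes:
    """Remove the 802.1Q tag from a tagged frame."""
    if parse_frame(frame)["vlan_id"] is None:
        raise ValueError("frame carries no 802.1Q tag")
    return frame[:12] + frame[16:]


class AccessPort:
    """Switch port in access mode: the attached NIC only ever sees untagged frames."""

    def __init__(self, access_vlan: int):
        self.access_vlan = access_vlan

    def from_nic(self, frame: bytes):
        """NIC -> switch: tag the frame with the port's access VLAN ID."""
        if parse_frame(frame)["vlan_id"] is not None:
            return None  # model assumption: pre-tagged frames from the NIC are dropped
        return add_tag(frame, self.access_vlan)

    def to_nic(self, frame: bytes):
        """Switch -> NIC: deliver only frames of this port's VLAN, tag removed."""
        if parse_frame(frame)["vlan_id"] != self.access_vlan:
            return None  # other VLAN (or untagged): not delivered to this NIC
        return strip_tag(frame)


def deliver(sender: AccessPort, receiver: AccessPort, frame: bytes):
    """Carry one frame from the sender's NIC to the receiver's NIC, or return None."""
    tagged = sender.from_nic(frame)
    return None if tagged is None else receiver.to_nic(tagged)


# Constructed sample frame: locally administered MACs, IPv4 EtherType, dummy payload.
SAMPLE_FRAME = (bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
                + struct.pack("!H", 0x0800) + b"constructed payload")

if __name__ == "__main__":
    vm_a, vm_b, vm_c = AccessPort(10), AccessPort(10), AccessPort(20)
    on_switch = vm_a.from_nic(SAMPLE_FRAME)
    print("VLAN ID inside the switch:", parse_frame(on_switch)["vlan_id"])
    print("VM B (VLAN 10) gets the untagged frame:",
          deliver(vm_a, vm_b, SAMPLE_FRAME) == SAMPLE_FRAME)
    print("VM C (VLAN 20) gets nothing:", deliver(vm_a, vm_c, SAMPLE_FRAME) is None)
```
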

Exercise 8.2 explains how to create an internal only virtual network switch.

Exercise 8.2

Creating an Internal Virtual Network

Follow these steps to create an internal virtual network so you can communicate between the virtual machine and the host computer:

1. Click Start > Administrative Tools > Hyper-V Manager.

2. In Hyper-V Manager, in the Actions pane, click Virtual Network Manager.

3. On the Create Virtual Network page, select Internal and click the Add button.

4. On the New Virtual Network page, enter Internal Virtual Network in the Name field.

5. Click OK.

When you create the internal virtual network, a network device is created in Network Connections, as shown in Figure 8.7.

Figure 8.7 Virtual network card

This is also the case when you create an external virtual network because it will replace the physical network card of the host machine to give the parent partition a virtual network card that is also used in the child partitions.

Unlike with Virtual Server 2005, Hyper-V binds the virtual network service to a physical network adapter only when an external virtual network is created. The benefit of this is that the performance is better if you do not use the external virtual network option. The downside, however, is that there will be a network disruption when you create or delete an external virtual network.

Communication between the virtual machine and the local host computer is not configured automatically. Once you install a virtual machine, you need to make sure the TCP/IP settings correspond to the settings you define in the virtual network card. Start with a ping from your host machine to the virtual machines in order to verify that communication is working.

Managing Virtual Hard Disks

In addition to virtual networks, you also need to manage virtual hard disks that you attach to your virtual machines. A virtual hard disk in Hyper-V, apart from a pass-through disk, is a VHD file that basically simulates a hard drive to your virtual machine.

The following sections will first show you what types of virtual hard disks are available and then show you how to create them. You will also learn about what options are available to manage virtual hard disks.

Types of Hard Disks

Depending on how you want to use the disk, Hyper-V offers various types, as described in Table 8.2.

Table 8.2 Virtual Hard Disks in Hyper-V

Type of Disk: Dynamically expanding
Description: This disk starts with a small VHD file and expands it on demand once an installation takes place. It can grow to the maximum size you defined during creation. You can use this type of disk to clone a local hard drive during creation.
When to Use It: This option is effective when you don’t know the exact space needed on the disk and when you want to preserve hard disk space on the host machine. Unfortunately, it is the slowest disk type.

Type of Disk: Fixed size
Description: The size of the VHD file is fixed to the size specified when the disk is created. This option is faster than a dynamically expanding disk. However, a fixed size disk uses up the maximum defined space immediately. This type is ideal for cloning a local hard drive.
When to Use It: A fixed size provides faster access than dynamically expanding or differencing disks but is slower than a physical disk.

Type of Disk: Differencing
Description: This type of disk is associated in a parent-child relationship with another disk. The differencing disk is the child and the associated virtual disk is the parent. Differencing disks include only the differences to the parent disk. By using this type, you can save a lot of disk space in similar virtual machines. This option is suitable if you have multiple virtual machines with similar operating systems.
When to Use It: Differencing disks are most commonly found in test environments and should not be used in production environments.

Type of Disk: Physical (or pass-through disk)
Description: The virtual machine receives direct pass-through access to the physical disk for exclusive use. This type provides the highest performance of all disk types and thus should be used for production servers where performance is top priority. The drive is not available for other guest systems.
When to Use It: This type is used in high-end datacenters to provide optimum performance for VMs. It is also used in failover cluster environments.

You should make sure you understand the different virtual hard disk types by heart because there are often questions about them!
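
To tell the VHD-based disk types in Table 8.2 apart on disk, the following added example (not from the book) reads the 512-byte footer that ends every VHD file and, for a differencing disk, the parent name in its dynamic disk header. The field layout follows Microsoft's published VHD image format specification; the sample images and file names are constructed, and pass-through disks have no VHD file to inspect.

```python
"""Identify the virtual hard disk type of a VHD image from its 512-byte footer."""
import io
import os
import struct
import uuid

FOOTER_SIZE = 512
CHECKSUM_OFFSET = 64  # position of the 4-byte checksum field inside the footer
DISK_TYPES = {2: "fixed size", 3: "dynamically expanding", 4: "differencing"}
# Big-endian footer layout as given in the published VHD image format specification.
FOOTER = struct.Struct(">8sIIQI4sI4sQQHBBII16sB427s")


def footer_checksum(raw: bytes) -> int:
    """One's complement of the sum of all footer bytes, checksum field excluded."""
    zeroed = raw[:CHECKSUM_OFFSET] + b"\x00" * 4 + raw[CHECKSUM_OFFSET + 4:]
    return ~sum(zeroed) & 0xFFFFFFFF


def parse_footer(raw: bytes) -> dict:
    """Validate a footer and return the fields needed to classify the disk."""
    if len(raw) != FOOTER_SIZE:
        raise ValueError("a VHD footer is exactly 512 bytes")
    fields = FOOTER.unpack(raw)
    if fields[0] != b"conectix":
        raise ValueError("missing 'conectix' cookie: not a VHD footer")
    if fields[14] != footer_checksum(raw):
        raise ValueError("footer checksum mismatch: image is damaged or altered")
    return {"disk_type": DISK_TYPES.get(fields[13], "unknown (%d)" % fields[13]),
            "data_offset": fields[3],
            "current_size": fields[9],
            "unique_id": str(uuid.UUID(bytes=fields[15]))}


def parent_name(header: bytes) -> str:
    """Parent file name recorded in a differencing disk's dynamic disk header."""
    if len(header) < 1024 or header[:8] != b"cxsparse":
        raise ValueError("dynamic disk header not found at the footer's data offset")
    # Bytes 64-575 of the header hold the parent name as UTF-16 big-endian text.
    return header[64:576].decode("utf-16-be").rstrip("\x00")


def classify(stream) -> dict:
    """Classify an image opened in binary mode; its footer is the last 512 bytes."""
    stream.seek(-FOOTER_SIZE, os.SEEK_END)
    info = parse_footer(stream.read(FOOTER_SIZE))
    info["parent"] = None
    if info["disk_type"] == "differencing":
        stream.seek(info["data_offset"])
        info["parent"] = parent_name(stream.read(1024))
    return info


def differencing_disks(images: dict) -> list:
    """Names of images that are differencing disks (Table 8.2: not for production)."""
    return sorted(name for name, data in images.items()
                  if classify(io.BytesIO(data))["disk_type"] == "differencing")


def build_footer(disk_type: int, size: int, data_offset: int) -> bytes:
    """Constructed sample data: a footer with a valid checksum."""
    fields = [b"conectix", 2, 0x00010000, data_offset, 0, b"demo", 0x00010000,
              b"Wi2k", size, size, 0, 0, 0, disk_type, 0,
              uuid.UUID(int=disk_type).bytes, 0, b"\x00" * 427]
    fields[14] = footer_checksum(FOOTER.pack(*fields))
    return FOOTER.pack(*fields)


def build_sample(disk_type: int, parent: str = "") -> bytes:
    """Constructed miniature image carrying only the fields this parser reads."""
    if disk_type == 2:  # fixed size: raw data followed by the footer
        return b"\x00" * 1024 + build_footer(2, 1024, 0xFFFFFFFFFFFFFFFF)
    footer = build_footer(disk_type, 1024, FOOTER_SIZE)
    name = parent.encode("utf-16-be").ljust(512, b"\x00")
    header = b"cxsparse" + b"\x00" * 56 + name + b"\x00" * 448
    return footer + header + footer  # footer copy, dynamic header, footer


if __name__ == "__main__":
    samples = {"clone.vhd": build_sample(2), "data.vhd": build_sample(3),
               "child-disk.vhd": build_sample(4, "base-ws2008.vhd")}
    for name, data in samples.items():
        info = classify(io.BytesIO(data))
        print(name, "->", info["disk_type"], "| parent:", info["parent"])
    print("differencing disks found:", differencing_disks(samples))
```

For a real file, pass the object returned by open(path, "rb") to classify; only the footer and, for differencing disks, the 1,024-byte header are read.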

Creating Virtual Hard Disks

To help you gain practice in creating virtual hard disks, the following three exercises will teach you how to create a differencing hard disk, how to clone an existing disk by creating a new disk, and how to configure a physical or pass-through disk to your virtual machine. First, in Exercise 8.3, you will learn how to create a differencing virtual hard disk.

Exercise 8.3

Creating a Differencing Hard Disk

Follow these steps to create a differencing disk:

1. Click Start > Administrative Tools > Hyper-V Manager.

2. In Hyper-V Manager, on the Actions pane, click New Hard Disk.

3. In the New Virtual Hard Disk Wizard, click Next on the Before You Begin page.

4. On the Choose Disk Type page, select Differencing and click Next.

5. On the Specify Name and Location page, enter the new name of the child disk (for example, child-disk.vhd). You can also modify the default location of the new VHD file if you want. Click Next to continue.

6. Next, on the Configure Disk page, you need to specify the parent VHD file. This will be the basis for your differencing disk. For example, a complete installation of Windows Server 2008 is a good parent. Click Next to continue.

7. On the Completing the New Virtual Hard Disk Wizard page, verify that all settings are correct and click Finish to create the hard disk.

Exercise 8.4 will show you how to create a fixed disk based on a local hard drive. Please remember that only fixed size or dynamically expanding disks can be used to clone a local hard drive during creation.

Exercise 8.4

Creating a Fixed Size Disk and Cloning a Local Drive

Follow these steps to create a fixed hard disk and migrate a physical disk to it:

1. Click Start > Administrative Tools > Hyper-V Manager.

2. In Hyper-V Manager, on the Actions pane, click New Hard Disk.

3. In the New Virtual Hard Disk Wizard, click Next on the Before You Begin page.

4. On the Choose Disk Type page, select Fixed Size and click Next.

5. On the Specify Name and Location page, enter the new name of the virtual hard disk (for example, clone.vhd). You can also modify the default location of the new VHD file if you want. Click Next to continue.

6. Next, on the Configure Disk page, you can decide if you want to create a blank virtual hard disk with a specified size or if you want to copy the contents of a hard disk to the virtual disk. For this exercise, select Copy the Contents of the Specified Physical Disk and select the physical drive to copy to the virtual disk. Then click Next to continue.

7. On the Completing the New Virtual Hard Disk Wizard page, verify that all settings are correct and click Finish to create the virtual hard disk and start the copy process.


Because the process to copy a physical drive to a virtual disk is just a normal copy process, you should allow enough time to complete it. The time varies depending on the size of your physical disk.

The process to add a physical or pass-through disk to a virtual machine is quite different. For this, you first need to create the virtual machine, and then you open the Virtual Machine Settings to configure the physical disk. If you did not yet create a virtual machine in Hyper-V Manager, you should complete Exercise 8.6 to create one and come back to this section.

If you want to add a physical disk to a virtual machine, the physical disk must be set as Offline in Disk Management, as shown in Figure 8.8.

Figure 8.8 In Disk Management, you can set disks offline

To access Disk Management, click the Start button, right-click on Computer, select Manage, and then expand Storage in the left pane and click Disk Management.

You cannot share a physical disk among multiple virtual machines or with the host system.

Now we will continue our excursion in the world of virtual disks by adding a physical or pass-through disk to a virtual machine.


Exercise 8.5

Adding a Pass-Through Disk to a Virtual Machine

To add a physical or pass-through disk to your virtual machine, follow these steps:

1. Click Start > Administrative Tools > Hyper-V Manager.

2. In Hyper-V Manager, in the Virtual Machines pane, right-click the virtual machine you want to add a physical drive to and then click Settings. Remember, the virtual machine state must be set to Off to configure hard drive settings.

3. In the Settings window, in the Hardware pane, click on IDE Controller 0.

4. In the IDE Controller pane, select Hard Drive and click the Add button.

5. In the Hard Drive pane, you now need to select Physical Hard Disk and select the appropriate disk drive in the drop-down list.

6. Click OK.


Physical or pass-through disks might not be that important if you use virtualization mainly for test environments, but they become crucial when you need to plan for highly available virtual datacenters. This is especially true if you consider using failover clusters to provide the Quick Migration feature, which is when you should consider matching one logical unit number (LUN) from your enterprise storage system or storage area network (SAN) as one physical disk. This provides you with the optimum performance you need in such an environment.

Managing Virtual Hard Disks

Hyper-V also provides two tools to manage virtual hard disks: Inspect Disk and Edit Disk. These tools are available on the Actions pane in Hyper-V Manager:

Inspect Disk: Provides you with information about the virtual disk. It shows you not only the type of the disk but also information like the maximum size for dynamically expanding disks and the parent VHD for differencing disks.

Edit Disk: Provides you with the Edit Virtual Hard Disk Wizard, which you can use to compact, convert, expand, merge, and reconnect hard disks. Figure 8.9 shows you the wizard’s options when you select a dynamically expanding disk.

Figure 8.9 The Edit Virtual Hard Disk Wizard

Table 8.3 provides you with an overview of what you can do with the wizard.


Table 8.3 Edit Disk Overview

Action       Description
Compact      Reduces the size of a dynamically expanding or differencing disk by removing blank space from deleted files.
Convert      Converts a dynamically expanding disk to a fixed disk or vice versa.
Expand       Increases the storage capacity of a dynamically expanding disk or a fixed virtual hard disk.
Merge        Merges the changes from a differencing disk into either the parent disk or another disk (applies to differencing disks only!).
Reconnect    If a differencing disk does not find its referring parent disk anymore, this option can reconnect the parent to the disk again.
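The disk type, maximum size and parent that Inspect Disk reports are recorded in the VHD file's footer and dynamic disk header. The following added example (not from the book and not Hyper-V's own code) parses those two structures as laid out in Microsoft's published VHD image format specification and checks that a candidate parent is the one a differencing disk actually references before you reconnect or merge. The sample images, the IDs and all function names are constructed for illustration.

```python
import struct
import uuid

SECTOR = 512
HEADER_LEN = 1024
NO_HEADER = 0xFFFFFFFFFFFFFFFF  # footer Data Offset value on fixed disks
DISK_TYPES = {2: "fixed", 3: "dynamically expanding", 4: "differencing"}


def _checksum(block, field_offset):
    """One's complement of the byte sum, computed with the checksum field zeroed."""
    zeroed = bytes(block[:field_offset]) + b"\0" * 4 + bytes(block[field_offset + 4:])
    return ~sum(zeroed) & 0xFFFFFFFF


def parse_footer(footer):
    """Decode the 512-byte footer found at the very end of every VHD file."""
    if len(footer) != SECTOR or bytes(footer[:8]) != b"conectix":
        raise ValueError("not a VHD footer")
    (data_offset,) = struct.unpack_from(">Q", footer, 16)
    (current_size,) = struct.unpack_from(">Q", footer, 48)
    disk_type, stored_sum = struct.unpack_from(">II", footer, 60)
    return {
        "type": DISK_TYPES.get(disk_type, "unknown (%d)" % disk_type),
        "max_size_bytes": current_size,
        "header_offset": None if data_offset == NO_HEADER else data_offset,
        "disk_id": uuid.UUID(bytes=bytes(footer[68:84])),
        "checksum_ok": stored_sum == _checksum(footer, 64),
    }


def parse_dynamic_header(header):
    """Decode the 1024-byte header of a dynamically expanding or differencing disk."""
    if len(header) != HEADER_LEN or bytes(header[:8]) != b"cxsparse":
        raise ValueError("not a VHD dynamic disk header")
    (stored_sum,) = struct.unpack_from(">I", header, 36)
    name = bytes(header[64:576]).decode("utf-16-be", "replace").split("\0", 1)[0]
    return {
        "parent_id": uuid.UUID(bytes=bytes(header[40:56])),
        "parent_name": name,
        "checksum_ok": stored_sum == _checksum(header, 36),
    }


def inspect_vhd(image):
    """Report disk type, maximum size and, for differencing disks, the parent."""
    info = parse_footer(image[-SECTOR:])
    if info["header_offset"] is not None:
        start = info["header_offset"]
        header = parse_dynamic_header(image[start:start + HEADER_LEN])
        info["checksum_ok"] = info["checksum_ok"] and header["checksum_ok"]
        if info["type"] == "differencing":
            info["parent_id"] = header["parent_id"]
            info["parent_name"] = header["parent_name"]
    return info


def is_parent_of(parent, child):
    """True only if the child names this exact parent and both checksums hold."""
    return (child.get("parent_id") == parent["disk_id"]
            and parent["checksum_ok"] and child["checksum_ok"])


# Constructed sample images (built in memory, not real disks)
def _seal(block, field_offset):
    struct.pack_into(">I", block, field_offset, _checksum(block, field_offset))
    return bytes(block)


def build_footer(disk_type, size, disk_id, data_offset=NO_HEADER):
    footer = bytearray(SECTOR)
    footer[0:8] = b"conectix"
    struct.pack_into(">Q", footer, 16, data_offset)
    struct.pack_into(">QQ", footer, 40, size, size)  # original and current size
    struct.pack_into(">I", footer, 60, disk_type)
    footer[68:84] = disk_id.bytes
    return _seal(footer, 64)


def build_header(parent_id, parent_name):
    header = bytearray(HEADER_LEN)
    header[0:8] = b"cxsparse"
    struct.pack_into(">Q", header, 8, NO_HEADER)
    header[40:56] = parent_id.bytes
    encoded = parent_name.encode("utf-16-be")
    header[64:64 + len(encoded)] = encoded
    return _seal(header, 36)


PARENT_ID = uuid.UUID("11111111-2222-3333-4444-555555555555")
CHILD_ID = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
PARENT_IMAGE = bytes(2048) + build_footer(2, 2048, PARENT_ID)
CHILD_FOOTER = build_footer(4, 2048, CHILD_ID, data_offset=SECTOR)
CHILD_IMAGE = CHILD_FOOTER + build_header(PARENT_ID, "parent.vhd") + CHILD_FOOTER

if __name__ == "__main__":
    parent, child = inspect_vhd(PARENT_IMAGE), inspect_vhd(CHILD_IMAGE)
    print(parent["type"], parent["max_size_bytes"])
    print(child["type"], child["parent_name"], is_parent_of(parent, child))
```

For a real file, read only the last 512 bytes for the footer and seek to `header_offset` for the header rather than loading the whole image.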

Configuring Virtual Machines

The following sections cover the topics of creating and managing virtual machines as well as how to back up and restore virtual machines using features like Import and Export and Snapshot. We’ll also briefly cover Hyper-V’s Quick Migration feature.

Creating and Managing Virtual Machines

It is important to learn how to create a virtual machine, how to change its configuration, and how to delete it. We will take a look at the Virtual Machine Connection tool and install the Hyper-V Integration Components to a virtual machine.

Virtual Machines

Virtual machines define the child partitions in which you run operating system instances. Each virtual machine is separate and can only communicate with the others using a virtual network. You can assign hard drive(s), virtual network(s), DVD drives, and other system components to it. A virtual machine is similar to an existing physical server, but it no longer runs on dedicated hardware; instead, it shares the hardware of the host system with the other virtual machines that run on the host.

Exercise 8.6 shows you how to create a new virtual machine.


Exercise 8.6

Creating a New Virtual Machine

Follow these steps to create a new virtual machine:

1. Click Start > Administrative Tools > Hyper-V Manager.

2. In Hyper-V Manager, on the Actions pane, click New Virtual Machine.

3. In the New Virtual Machine Wizard, click Next on the Before You Begin page.

4. On the Specify Name and Location page, give your virtual machine a name and change the default location of the virtual machine configuration files. Click Next to continue.

5. On the Assign Memory page, define how much of your host computer’s memory you want to assign to this virtual machine. Remember that once your virtual machines use up all your physical memory, they will start swapping to disk, thus reducing the performance of all virtual machines. Click Next to continue.

6. On the Configure Networking page, select the virtual network that you previously configured using Virtual Network Manager. Click Next to continue.


7. On the next page, you configure your virtual hard disk. You can create a new virtual hard disk, select an existing disk, or choose to attach the hard disk later. Be aware that you can create only a dynamically expanding virtual disk on this page; you cannot create a differencing, physical, or fixed virtual hard disk here. However, if you created the virtual hard disk already, you can of course select it. Click Next to continue.


8. On the Installation Options page, you can select how you want to install your operating system. You have the option to install an operating system later, install the operating system from a boot CD/DVD-ROM where you can select a physical device or an image file (ISO file), install an operating system from a floppy disk image (VFD file, or a virtual boot floppy disk), or install an operating system from a network-based installation server. The last option will install a legacy network adapter to your virtual machine so you can boot from the network adapter. Select Install an operating system later and then click on Next.

9. On the Completing the New Virtual Machine Wizard summary page, verify that all settings are correct. You also have the option to immediately start the virtual machine after creation. Click Next to create the virtual machine.

After completing Exercise 8.6, you will have a virtual machine available in Hyper-V Manager. Initially, the state of the virtual machine will be Off. Virtual machines can have the following states: Off, Starting, Running, Paused, and Saved. You can change the state of a virtual machine in the Virtual Machines pane by right-clicking on the virtual machine’s name, as seen in Figure 8.10, or by using the virtual machine connection window.


Figure 8.10 Options available when right-clicking on a virtual machine

Here is a list of all state options you have available for a virtual machine:

Start: Turn on the virtual machine. This is similar to pressing the power button when the machine is turned off. This option is available when your virtual machine is off or in saved state.

Turn Off: Turn off the virtual machine. This is similar to pressing the power off button on the computer. This option is available when your virtual machine is in running, saved, or paused state.

Shut Down: This option shuts down your operating system. You need to have the Hyper-V Integration Components installed on the operating system; otherwise Hyper-V will not be able to shut down the system. You will read about the Hyper-V Integration Components in the section “Installing Hyper-V Integration Components” later in this chapter.

Save: The virtual machine is saved to disk in its current state. This option is available when your virtual machine is running or in paused state.

Pause: Pause the current virtual machine, but do not save the state to disk. You can use this option to quickly release processor utilization from this virtual machine to the host system.


Reset: Reset the virtual machine. This is like pressing the reset button on your computer. You will lose the current state and any unsaved data in the virtual machine. This option is available when your virtual machine is running or in paused state.

Resume: When your virtual machine is paused, you can resume it and bring it online again.

Change Configuration on an Existing Virtual Machine

To change the configuration settings on an existing virtual machine, you right-click on your virtual machine’s name in the Virtual Machines pane in Hyper-V Manager and choose Settings. You can change settings like memory allocation and hard drive configuration. All items that you can configure are described in the following list:

Add Hardware: Add devices to your virtual machine, namely a SCSI controller, a network adapter, or a legacy network adapter. A legacy network adapter is required if you want to perform a network-based installation of an operating system.

BIOS: This is the replacement of the virtual machine’s BIOS. Because you cannot enter the BIOS during startup anymore, you need to configure it with this setting. You can turn Num Lock on or off and change the basic startup order of the devices.

Memory: Change the amount of random access memory (RAM) allocated to the virtual machine.

Processor: Change the number of logical processors this virtual machine can use as well as define resource control to balance resources among virtual machines by using a relative weight.

IDE Controller: Add/change and remove devices from the IDE controller. You can have hard drives or DVD drives as devices. Every IDE controller can have up to two devices attached, and by default you have two IDE controllers available.

Hard Drive: Select a controller to attach to this device as well as specify the media to use with your virtual hard disk. The available options are Virtual hard disk (.vhd) file (with additional buttons labeled New, Edit, Inspect, and Browse that are explained in the virtual hard disk section) and Physical hard disk. You can also remove the device here.

DVD Drive: Select a controller to attach to this device as well as specify the media to use with your virtual CD/DVD drive. The available options are None, Image file (ISO image), and Physical CD/DVD drive connected to the host computer. You also can remove the device here.

SCSI Controller: Configure all hard drives that are connected to the SCSI controller. You can add up to 63 hard drives to each SCSI controller, and you can have multiple SCSI controllers available.

Network Adapter: Specify the configuration of the network adapter or remove it. You can also configure for each adapter the virtual network and MAC address and enable virtual LAN identification.


COM 1: Configure the virtual COM port to communicate with the physical computer through a named pipe. You have COM1 and COM2 available.

Diskette Drive: Specify a virtual floppy disk file to use.

Name: Edit the name of the virtual machine and provide some notes about it.

Integration Services: Define what integration services are available to your virtual machine. Options are Operating system shutdown, Time synchronization, Data Exchange, Heartbeat, and Backup (volume snapshot).

Snapshot File Location: Define the default file location of your snapshot files.

Automatic Start Action: Define what this virtual machine will do when the physical computer starts. Options are Nothing, Automatically start if the service was running, and Always start this virtual machine. You also can define a start delay here.

Automatic Stop Action: Define what this virtual machine will do when the physical computer shuts down. Options are Save State, Turn Off, and Shut down.

Please be aware that only some settings can be changed when the virtual machine’s state is Running. It is best practice to shut down the virtual machine before you modify any setting.

Deleting Virtual Machines

You can also delete virtual machines using Hyper-V Manager. However, this only deletes the configuration files, not any related virtual disks, as seen in Figure 8.11.

Figure 8.11 Delete virtual machine warning window

Make sure you manually delete any virtual disks that were part of the virtual machines in order to free up disk space.

Virtual Machine Connection

Similar to the Virtual Machine Remote Control (VMRC) client that was available with Virtual Server 2005 R2 and previous versions, Hyper-V comes with Virtual Machine Connection to connect to virtual machines that run on a local or remote server. You can use it to log on to the virtual machine and use your computer’s mouse and keyboard to interact with the virtual machine. You can open Virtual Machine Connection in Hyper-V Manager by double-clicking on a virtual machine or by right-clicking on a virtual machine and selecting Connect. If your virtual machine is turned off, you might see a window similar to the one in Figure 8.12.

Figure 8.12 Virtual Machine Connection window when the machine is turned off

Virtual Machine Connection provides you with functionality similar to that of Hyper-V Manager, such as being able to change the state of a virtual machine, but it also provides you with additional features that are especially useful when you want to work with a virtual machine:

File: Access settings or exit Virtual Machine Connection.

Action: Change the state of a virtual machine and create or revert a snapshot. Additionally, you have the options to send Ctrl+Alt+Delete to your virtual machine and Insert Integration Services Setup Disk.

Media: Insert or eject a DVD or floppy media.

Clipboard: Type the text that is on the Clipboard into the virtual machine or capture the screen of the machine.

Context-sensitive buttons are available to provide you with quick access to the most important features under the menu bar, as you can see in Figure 8.13.


Figure 8.13 Virtual Machine Connection window showing a running Windows Server 2003 virtual machine

Installing Hyper-V Integration Components

Hyper-V Integration Components, also called Integration Services, are required to make your guest operating system “hypervisor aware.” Similar to the VM Additions that were part of Microsoft Virtual Server 2005, the components improve the performance of the guest operating system once they are installed. From an architectural perspective, virtual devices are redirected directly via the VMBus, which provides quicker access to resources and devices.

If you do not install the Hyper-V Integration Components, the guest operating system uses emulation to communicate with the host’s devices, which of course makes the guest operating system slower.

Hyper-V Integration Components are currently available for the following operating systems:

• Windows Vista SP1 (x86)

• Windows XP SP3 (x86)

• Windows Server 2003

• Windows Server 2008

• SUSE Linux Enterprise Server 10 SP1 or XEN-Enabled Linux

As this chapter was being written, Microsoft had not announced any other operating systems that support the Hyper-V Integration Components. This is subject to change quite quickly, so you should use this list as a reference. Please check the official Microsoft Hyper-V site at www.microsoft.com/virtualization for any new announcements.

Exercise 8.7 shows you how to install Hyper-V Integration Components on one of your virtual machines running Windows Server 2003.

Exercise 8.7

Installing Hyper-V Integration Components

Follow these steps to install the Hyper-V Integration Components in a virtual machine running Windows Server 2003 or 2008:

1. Click Start > Administrative Tools > Hyper-V Manager.

2. In Hyper-V Manager, in the Virtual Machines pane, right-click the virtual machine on which you want to install Hyper-V Integration Components and select Start.

3. Right-click the virtual machine again and select Connect to open a Virtual Machine Connection. Meanwhile, your virtual machine should already be booting.

4. If you need to log in to the operating system of your virtual machine, you should do so.

5. Once the Windows Desktop appears, you need to select Insert Integration Services Setup Disk from the Actions menu of your Virtual Machine Connection window.

6. Once the Hyper-V Integration Components are installed, you are asked to perform a reboot.


After the reboot, Hyper-V Integration Components are installed on your operating system and you will be able to use them.

Back Up and Restore Virtual Machines

The following sections cover exporting and importing virtual machines between host machines as well as taking a snapshot to back up a certain state of your virtual machine. We will also briefly discuss what Quick Migration is and how Hyper-V uses it.

Exporting and Importing Virtual Machines

This section will explain how to move virtual machines between host computers or move them to a different drive. This is quite different from previous versions of Microsoft’s virtualization software. To move a virtual machine in Virtual Server 2005, you stopped the machine and moved its configuration file (VMC) as well as its virtual hard disk file (VHD) to the target location and then changed the VMC file to point to the VHD file.

Using Hyper-V, you cannot move the configuration files anymore. You need to use the Export feature to export the virtual machine and then use Import on the target machine to import the virtual machine to Hyper-V.

To export a virtual machine, it must be in either the Off or Saved state. Open Hyper-V Manager, select the virtual machine you want to export, and either right-click on the virtual machine and select Export or click on Export on the virtual machine name’s pane. You will see the Export Virtual Machine dialog box, shown in Figure 8.14.

Figure 8.14 Export Virtual Machine window

In this dialog box, you can set the export path for the virtual machine and choose whether to export your virtual machine state data or not.

Because Hyper-V will use the exported files after importing them, you should store the export directly on the target machine’s disks and not on a file share.


Once you check Don’t Export Virtual Machine State Data, only the virtual machine’s configuration files will be exported. The virtual hard disk and snapshots will not be exported.

In the export path, a folder with the name of the virtual machine is created along with the following subfolders:

Virtual Machines: This includes the virtual machine configuration files as well as the virtual machine state if the machine is saved.

Virtual Hard Disks: If you exported the state data, this folder will include your virtual hard disks’ VHD file(s).

Snapshots: If you exported the state data, this folder will include all snapshot files.

Once the virtual machine finishes exporting, you can move the export folder to the target machine if you did not store it directly on the server’s disks. Open Hyper-V Manager and click Import Virtual Machine, which is located in the Actions pane.

The Import Virtual Machine dialog box asks you for the path to the exported virtual machine and allows you to decide if you want to reuse the old virtual machine ID as shown in Figure 8.15.

Figure 8.15 The Import Virtual Machine dialog box

You want to reuse old virtual machine IDs if you’re moving all virtual machines from a host to a new target machine. The virtual machines are practically the same as on the source system. However, you do not want to reuse old virtual machine IDs if you used Export to clone a virtual machine.

Because Hyper-V uses the import folder as the new target folder for the imported virtual machine, an exported virtual machine can be imported only once. Of course, if you copy the files to a different location before importing them, you can overcome this limitation.

When you import a virtual machine with state data, Hyper-V will use the import path for the virtual hard disks as well as snapshots in its virtual machine configuration XML. Thus, you’re able to import an exported machine only once. For that reason, the import folder should already be on the host’s target disk.


If you import only the virtual machine configuration, without the state data or hard disks, you will receive a warning message like the one in Figure 8.16.

Figure 8.16 Import warning message

You receive this warning because the virtual machine probably has one or more hard drives configured that now point to no VHD file. You need to correct these settings before starting the virtual machine for it to work.

Managing Snapshots

With virtual machine snapshots, you can save a copy of the virtual machine at any point in time, including while the virtual machine is running. You can take multiple snapshots of a virtual machine and then revert it to any previous state by applying a snapshot.

Using snapshots makes it easier to diagnose the cause of errors by reducing the number of times you need to repeat a task or sequence within a virtual machine. The benefit is obvious; if you use snapshots to revert to a previous virtual machine configuration, you do not need to copy virtual machines to keep a state. Thus it is a quick and easy way to back up a certain state of your virtual machine.

You can create a snapshot when a virtual machine is in a running, saved, or turned-off state. It’s only from a paused state that you cannot perform a snapshot.

Snapshots are extremely useful in training classes or testing environments. When your company goes to test new software, you can make sure to do snapshots at every single step so you can immediately go back if some problems or issues arise. In training classes, you can prepare each virtual machine for your students according to your special requirements, and once the course is finished, you just revert all virtual machines to their initial configuration. No more hassles with experienced users who change your configuration without letting you know.

In Exercise 8.8, you’ll create and rename a snapshot.


Exercise 8.8

Creating a Snapshot of a Virtual Machine

Follow these steps to create and rename a snapshot of a virtual machine using Hyper-V Manager:

1. Click Start > Administrative Tools > Hyper-V Manager.

2. In Hyper-V Manager, in the Virtual Machines pane, right-click the virtual machine.

3. In the Actions pane, select Snapshot.

4. Once the snapshot is taken, it should appear in the Snapshots pane in Hyper-V Manager. Right-click the snapshot and select Settings.

5. In the Settings window, on the Management pane, click Name and type in First Snapshot as the name. You can also add some notes to make it easy to identify.


6. Click OK to apply the changes.


Technically speaking, when you make a snapshot, the following files will be created in the virtual machine’s snapshot folder:

• A virtual machine configuration file

• Virtual machine saved state files

• Snapshot differencing disks (AVHDs)

Once you create a snapshot for a virtual machine, you will also have the Revert option available in the virtual machine name’s pane in Hyper-V Manager. Reverting basically means that you restore the last snapshot made. You also see the last snapshot taken marked with a green arrow in the Snapshots pane (Figure 8.17).

Figure 8.17 Revert option in Hyper-V

However, you will also have options available directly on the snapshot level that let you perform certain actions:

Settings: This opens the settings window of the virtual machine. The only settings you can change are the name and the notes field. All others are read-only.

Apply: Applying a snapshot to a virtual machine technically means that you copy the virtual machine state from the snapshot to the active virtual machine. You can look at this as a “restore this snapshot” option. Because you would lose all unsaved data and settings from the active virtual machine, you will be asked if you want to create another snapshot before you apply this snapshot. If you just click Apply, the active machine will be overwritten and reverted back to the state it was in when the snapshot was made. This snapshot will not be removed. Figure 8.18 shows you the warning message that appears when you apply a snapshot.


Figure 8.18 Window that appears when you apply a snapshot

Rename: You can change the name of the snapshot without the need to open settings.

Delete Snapshot: Deleting a snapshot is like deleting a backup file. You will no longer be able to restore to that point in time. Deleting a single snapshot does not affect any other snapshots that you made for this virtual machine. You will delete only the selected snapshot. However, sometimes when you do delete a snapshot, the system needs to merge the differencing disks. This occurs in the background when the virtual machine is not running. The user does not see when it happens.

Delete Snapshot Subtree: This will delete the selected snapshot and all snapshots that are hierarchically underneath it. If you delete a snapshot with only one sub-snapshot, the configuration and saved state files for the snapshot will be deleted and the snapshot’s differencing disks will be merged. If you have more sub-snapshots, merging will not take place.

In Exercise 8.9, you will apply a snapshot and thus revert to a previous virtual machine state.

Exercise 8.9

Applying a Snapshot

To recover a snapshot, follow these steps:

1. Click Start > Administrative Tools > Hyper-V Manager.

2. In Hyper-V Manager, in the Virtual Machines pane, click the virtual machine for which you created a snapshot.

3. In the Snapshots pane, select First Snapshot.

4. In the First Snapshot pane, under Actions pane, click Apply.

5. In the Apply Snapshot window, click Apply.

Quick Migration

In combination with Windows Server 2008’s clustering support in Enterprise and Datacenter editions, Quick Migration enables high availability features for virtual machines, so if one server fails, its workload can be picked up by another node member with minimal interruption in user access.


Basically, each virtual machine is defined as a virtual machine application on a cluster node. Once the cluster node goes down, another cluster node can take over the virtual machine. Unfortunately this means that in the event of failure, the system state of the virtual machine is lost because it does a normal bootup with the virtual machine. Planned failover saves the current state, moves it, and then restores it on the target side correctly.

This topic is too complicated for the 70-643 exam, but we wanted you to understand the basic concept so you would know that this feature is available in Hyper-V.

Summary

Virtualization is quickly becoming a hot topic. The potential for consolidation is tremendous, thus it will get more and more important.

After reading this chapter, you should have a good understanding of the Hyper-V architecture and what it requires to install Hyper-V.

The section about installation and configuration covered various basic aspects of configuring the virtualization environment. You learned about the different types of virtual networks that are available, the options for installing the Hyper-V role, and the various types of virtual hard disks that you can use to optimize virtualization for your specific scenario.

You also learned how to configure virtual machines using the Hyper-V environment and how to create your own virtual datacenter on top of your Hyper-V machines. We showed you how to create and manage virtual machines, how to use Virtual Machine Connection to remotely control a virtual machine, and how to install Hyper-V Integration Components. And you learned how to export and import virtual machines as well as how to do snapshots of your virtual machine.

If you have never worked with virtualization software before, the information in this chapter may have been completely new to you. You should now be well prepared to try out Hyper-V in your own environment.

Exam Essentials

Understand Hyper-V’s architecture. When you have a good understanding of Hyper-V’s architecture, especially when an operating system in a virtual machine is hypervisor aware versus non-hypervisor aware, you have a solid understanding of what is important from an architectural perspective. You should know about the Hyper-V Integration Components and how they change the behavior of a virtual machine. Also know which operating systems the integration components are available for.

Know Hyper-V’s requirements and how to install it. Know the hardware and software requirements as well as how to install Hyper-V. Hyper-V requires an x64-based processor and Data Execution Protection (DEP), and hardware-assisted virtualization must be enabled.


Don’t forget this! Also remember that you can install Hyper-V two ways: using Server Manager or using the command line in Server Core.

Understand virtual networks and virtual hard disks. Virtual networks and hard disks are the two most tested topics. You definitely should know the types of virtual networks available (i.e., external, internal only, and private virtual network) as well as all types of virtual hard disks (i.e., dynamically expanding, fixed size, differential, and physical or pass-through). You should be able to apply the correct one when needed. Don’t forget the Edit Virtual Hard Disk Wizard, which is also a good source for questions in the exam.

Know how to create and manage virtual machines. You should be able to explain how to create a virtual machine, what options you have to install an operating system in a virtual machine, and how to install the Hyper-V Integration Components on a virtual machine. Don’t forget about the virtual machine states and the virtual machine settings!

Understand how to back up and restore virtual machines. Have a good understanding of the concept of exporting and importing virtual machines, how snapshots work, and what lies behind a Quick Migration. Understand how you can export a virtual machine, what you should consider when moving it to a new host machine, and what happens after importing it to the import folder. The same applies to snapshots: You need to know what options you have available and what each option will do. Especially recognize the difference between applying and reverting a snapshot.


Review Questions

1. On which of the following x64 editions of Windows Server 2008 does Hyper-V run? (Choose all that apply.)

A. Windows Server 2008, Web Edition

B. Windows Server 2008, Standard Edition

C. Windows Server 2008, Enterprise Edition

D. Windows Server 2008, Datacenter Edition

2. You want to build a test environment based on virtual machines on a single Windows Server 2008 machine, but you also want to make sure that the virtual machines communicate with only each other. What type of virtual network do you need to configure?

A. External

B. Internal only

C. Private virtual machine network

D. Public virtual machine network

3. Andy wants to change the memory of a virtual machine that is currently powered up. What does he need to do?

A. Shut down the virtual machine, use the virtual machine’s settings to change the memory, and start it again.

B. Use the virtual machine’s settings to change the memory.

C. Pause the virtual machine, use the virtual machine’s settings to change the memory, and resume it again.

D. Save the virtual machine, use the virtual machine’s settings to change the memory, and resume it again.

4. You want to make sure the hard disk space for your virtual machines is only occupied once needed. What type of virtual hard disk would you recommend?

A. Dynamically expanding disk

B. Fixed size disk

C. Differencing disk

D. Physical or pass-through disk

5. How do you add a physical disk to a virtual machine?

A. Use the Virtual Hard Disk Wizard.

B. Use the Edit Virtual Hard Disk Wizard.

C. Use the virtual machine’s settings.

D. Use the New Virtual Machine Wizard.


6. Sigi bought a new server with an Itanium IA-64 processor, 4GB RAM and a SAN that provides 1TB hard disk space. After installing Windows Server 2008 for Itanium-Based Systems, he wants to install Hyper-V on this server. Can Hyper-V be installed on this system?

A. Yes

B. No

7. What are the minimum CPU requirements for running Hyper-V on a machine? (Choose all that apply.)

A. An x64-based processor (Intel or AMD).

B. Hardware Data Execution Protection (DEP) must be enabled.

C. Hardware-assisted virtualization must be enabled.

D. The processor must at least have a dual core.

8. What is the command to install Hyper-V on a Windows Server 2008 machine that was installed in Server Core?

A. start /w ocsetup Hyper-V

B. start /w ocsetup microsoft-hyper-v

C. start /w ocsetup Microsoft-Hyper-V

D. start /w ocsetup hyper-v

9. On what operating systems can you install the Hyper-V Manager MMC? (Choose all that apply.)

A. Windows Server 2008

B. Windows Server 2003

C. Windows XP SP3

D. Windows Vista SP1

10. What statement is correct for an external virtual network?

A. The virtual machines can communicate with each other and with the host machine.

B. The virtual machines can communicate with each other only.

C. The virtual machines can communicate with each other, with the host machine, and with an external network.

D. The virtual machines cannot communicate with each other.

11. In your test lab, Carola wants to save hard disk space and therefore creates a master virtual disk that should be used as the basis for the virtual machines. What type of virtual hard disks should she create for the virtual machines?

A. Dynamically expanding

B. Fixed size

C. Differencing

D. Physical or pass-through


12. You want to create a virtual disk that clones a local drive available on your host machine. What types of disk can you use to be able to copy a physical disk to a virtual disk using Hyper-V Manager? (Choose all that apply.)

A. Dynamically expanding

B. Fixed size

C. Differencing

D. Physical or pass-through

13. Joel wants to use the fastest option of virtual hard disks available because he needs excellent performance for his virtual machines. What is the best choice for him?

A. Dynamically expanding

B. Fixed size

C. Differencing

D. Physical or pass-through

14. What is a legacy network adapter in Hyper-V?

A. A virtual network adapter that can be configured when the Hyper-V Integration Components are installed

B. A virtual network adapter that can connect to the virtual networks

C. A virtual network adapter that you need in order to boot from the network

D. A virtual network adapter that connects your virtual machine to the host machine

15. You run an operating system like Windows NT 4.0 in a virtual machine where you do not have the Hyper-V Integration Components available. What statement about this situation is correct?

A. The operating system will not run in the virtual machine.

B. The operating system will run in the virtual machine and use the VMBus to communicate with the hypervisor.

C. The operating system will run in the virtual machine but needs a separate hypervisor to be installed.

D. The operating system will run in the virtual machine but uses emulation to communicate with the hypervisor.

16. How do you move virtual machines between host machines?

A. Use the Export and Import Virtual Machine command in Hyper-V.

B. Move the virtual machine files to the target host and add them to Hyper-V.

C. Create a snapshot of the virtual machine and apply it to a different machine.

D. Use the Save command in Hyper-V.


17. Jan does an export of a virtual machine. He checks the Don’t Export Virtual Machine State Data option. Considering this, what folder(s) will be available in the export?

A. Virtual Machines

B. Virtual Hard Disks

C. Snapshots

D. VM Configuration

18. Once you create a snapshot, what options do you have available for it? (Choose all that apply.)

A. Settings

B. Apply

C. Delete Snapshot

D. Revert

19. You are using a differencing disk for your virtual machine. When you use the Edit Virtual Hard Disk Wizard in Hyper-V, what options do you have available with this type of disk? (Choose all that apply.)

A. Compact

B. Convert

C. Expand

D. Merge

20. Robert is administrator of a Hyper-V machine that hosts many virtual machines. He created five snapshots for a single virtual machine on which he is currently installing software. Now he wants to go back to snapshot no. 3 without losing the other snapshots. What statements are correct considering that he applies snapshot no. 3? (Choose all that apply.)

A. After snapshot no. 3 is applied, all later snapshots are deleted.

B. After snapshot no. 3 is applied, he is still able to go back to snapshot no. 5.

C. After snapshot no. 3 is applied, snapshot no. 3 will be deleted.

D. After snapshot no. 3 is applied, the active virtual machine will be in the exact state of snapshot no. 3.


Answers to Review Questions

1. B, C, D. Hyper-V can be installed on Standard, Enterprise, or Datacenter Edition of Windows Server 2008 x64 editions. Itanium, x86, and Web Editions are not supported.

2. C. The external virtual network type will allow the virtual machine to communicate with the external network as it would with the Internet, so A is wrong. The internal only network type allows communication between the virtual machines and the host machine. Because the question says that only communication between the virtual machines should be allowed, the only valid answer is private virtual machine network. The last option, public virtual machine network, does not exist in Hyper-V.

3. A. This question focuses on the fact that you cannot change the memory if the virtual machine is running, paused, or saved. The only valid answer is to shut it down and then change the memory.

4. A. The only virtual hard disk that increases in size is the dynamically expanding disk. Thus this is the only valid answer to this question. The fixed size disk creates a disk of the size you specify, the differencing disk is a special disk that stores only the differences between it and a parent disk, and the physical disk uses a physical drive and makes it available to the virtual machine.

5. C. Physical hard disks cannot be configured using the Virtual Hard Disk Wizard, the Edit Virtual Hard Disk Wizard, or the New Virtual Machine Wizard. You can only configure and attach a physical disk using the virtual machine’s settings.

6. B. Hyper-V is not supported on Itanium-based systems, thus he cannot install it.

7. A, B, C. The minimum CPU requirement for running Hyper-V is an x64-based processor (Itanium is not supported), hardware Data Execution Protection must be enabled, and hardware-assisted virtualization must be enabled. There is no minimum requirement for a dual-core processor.

8. C. This question is regarding the setup command to install the Hyper-V server role on a Server Core machine. It’s important to remember that ocsetup commands are case sensitive and that the correct command is start /w ocsetup Microsoft-Hyper-V, which is option C. All other commands will fail to install Hyper-V on a Server Core machine.

9. A, D. The Hyper-V Manager is available only for Windows Server 2008 and Windows Vista SP1. There is no version available that runs on Windows Server 2003 or on Windows XP SP3.

10. C. The virtual network type in which the machines communicate with each other and with the host machine is called internal only. In a private virtual network, the virtual machines can communicate only with each other, but not with the network or the host machine. The external network type defines a network where the virtual machines can communicate with each other, with the host machine, and with an external network like the Internet. Thus, C is the correct answer. Once you define a virtual network, the virtual machines can communicate with each other. So the only scenario in which the virtual machines cannot communicate with each other is when they don’t have a virtual network defined.


11. C. Only the differencing hard disk is associated in a parent-child relationship with another disk. Dynamically expanding starts with a small VHD file and expands it on demand once an installation takes place. The fixed size disk sets a fixed size on the VHD file. The physical disk is a physical drive on the host machine, so it doesn’t support a parent-child relationship with another disk.

12. A, B. Hyper-V Manager supports only copying a physical disk to a virtual disk using dynamically expanding or fixed size virtual hard disks. You can perform this task in the New Virtual Hard Disk Wizard. Differencing and physical disks are not available for this feature.

13. D. The fastest virtual hard disk is the physical or pass-through disk because it directly uses the physical disk. The fixed size disk is the fastest option using a VHD file. Dynamically expanding and differencing disks are slower, so they are not recommended for use in production datacenters.

14. C. A legacy network adapter is a virtual network adapter that allows you to boot from the network. All other options are misleading and only point to different virtual network types.

15. D. All operating systems that do not have the Hyper-V Integration Components available will not be hypervisor aware. For this reason, they cannot use the VMBus but need emulation to communicate with the hypervisor. The operating system will still run, but it will be slower.

16. A. The only supported way to move virtual machines between host machines listed here is to use Export and Import Virtual Machine. The option to move the virtual machine files cannot be used anymore because you will lose the configuration of your virtual machines. You cannot apply a snapshot to a different host machine, nor is a Save command available in Hyper-V.

17. A. As the virtual machine state data is not exported, only the Virtual Machines folder will be available in the export folder. Virtual Hard Disks and Snapshots are created only when you export the machine state data. VM Configuration doesn’t exist.

18. A, B, C. Only Revert is wrong, as this option applies to the virtual machine, not to the snapshot. Settings, Apply, and Delete Snapshot are all valid options for a snapshot.

19. A, D. When you use a differencing disk, you have only the option to compact, meaning to remove blank space from the VHD file, and to merge, meaning to merge the changes from the differencing disk directly into the parent or another disk.

20. B, D. When Robert applies one snapshot, all earlier or later snapshots, as well as the snapshot that he applies, are not affected. Thus options A and C are wrong. Because Hyper-V keeps later snapshots, he is able to apply one. Also, the basic concept of snapshots is they act as the active virtual machine state once you apply them.


Chapter 9

Deploying Servers

Microsoft exam objectives covered in this chapter:

Configuring Windows Deployment Services, Install from media (IFM), capture Windows Deployment Services images, deploy Windows Deployment Services images, server core

Deploy images using Windows Deployment Services. May include but is not limited to: Install from media (IFM); configure Windows Deployment Services; capture Windows Deployment Services images; deploy Windows Deployment Services images; server core

Configure Microsoft Windows activation. May include but is not limited to: install a KMS server; create a DNS SRV record; replicate volume license data


Windows Deployment Services is a tool that allows administrators to easily deploy and manage images, scripts, and the unattended installation of computer systems. This service can prove to be invaluable to those tasked with the administration of a medium or large corporate network.

Windows Deployment Services can help with basic tasks such as formatting and partitioning a physical system, deploying a consistent set of standards across the network, simplifying the installation of operating systems, and performing post-installation tasks.

In this chapter, we will cover the following areas:

Deploying images

Installing from media

Configuring Windows Deployment Services (WDS)

Deploying Server Core

Configuring Windows Activation

Installing and configuring KMS

Windows Deployment Services

Before the development of tools such as Microsoft Windows Deployment Services (WDS), a network administrator was tasked with manually configuring all of the systems in a network to upgrade or install an operating system. This would involve many man-hours, costing organizations time and money. Deployment Services reduces the need to physically install or upgrade systems, allowing IT administrators to manage the installation of systems from a central location, which can result in more time to devote to other, more important tasks.

Several modifications have been made to Windows Deployment Services from the previous version, which was known as Remote Installation Services (RIS) and Windows Deployment Services on Windows Server 2003. WDS now includes the following:

Ability to deploy Windows Vista and Windows Server 2008

Support for Windows PE as a boot operating system

Ability to transmit data and images by use of multicast

Support for network boot of x64-bit operating systems


To fully explore the latest version of WDS, you should be familiar with the following topics:

Windows image (.wim) format

Windows Pre-boot Execution Environment (PXE)

Active Directory

Dynamic Host Configuration Protocol (DHCP)

Windows Preinstallation Environment (WinPE)

For many small shops, and in previous years, server installations were done by manually installing the operating system. This means that an administrator would have to manually monitor and configure each server install. As the resources to deploy images have improved, it has opened the way for a simplified deployment of servers, one that an IT administrator can trust. The benefit of WDS goes beyond just freeing up time; it takes a major step forward in assuring company standards when it comes to how servers are built and configured.

If you are not familiar with these terms and components, we recommend that you spend some time studying them before attempting to deploy system images in a production environment.

You can find more information on Windows Imaging from Microsoft TechNet: http://technet2.microsoft.com/windowsserver2008/en/library/fbd2d37b-4127-43fd-a079-f78bbd44b7601033.mspx?mfr=true.

While WDS can deploy an operating system to your workstation environment, this chapter will focus on using WDS to deploy servers.

Deploying Images by Using Windows Deployment Services

Windows Deployment Services include several components that can help a network administrator quickly, easily, and effectively install operating systems to servers:

Management Tools These are the tools you will use to create system images and manage the server and client machine accounts.

Server components The server components are the items needed to boot a client computer and install an operating system on a client machine. will be created to keep the data needed for the network boot, such as boot and install images.

Client components These components are needed for the client machine to communicate with the server so that the proper items are installed and configured. The Windows PE interface is a client component.


To understand these components, you must understand first what an image is. Simply put, in this context, it’s a snapshot of a server that was built to your specifications. WDS uses two types of images:

Install image This contains the operating system you want to deploy to a server.

Boot Image This is the image that a client computer or server will boot to before you install the install image.

Think of these images this way: a boot image is like a car and the install image is like a resort. Before you can sit in the comfort of the resort, you have to know how to get there and then have some means to travel to it. The car is what gets you to your destination; it knows the distance, direction, and speed it takes to get you there.

With WDS, you are able to customize your images so they have exactly the configuration required by company standards. This will save time and money because you only need to set up the images, not babysit each server install.

Before you can take advantage of this powerful tool, a proper installation and configuration is vital. Windows Deployment Services will not successfully deploy an operating system if the required components are not configured properly.

The next section will guide you through the recommended installation of Windows Deployment Services and show you how to configure them.

Using Windows Deployment Services

Before you can start to deploy servers, you must configure Windows Deployment Services and create images. A checklist can assist you in making sure your installation is completed correctly. Here are some things to be sure your checklist includes:

Active Directory The WDS server must at least be a member server in an Active Directory domain.

DHCP and DNS WDS relies on DHCP and DNS for both IP addresses and name resolution.

NTFS The WDS server requires the NTFS filesystem.

Credentials The user account that will be used to perform the install and related tasks must be a member of the local Administrators group.

Make sure the server you plan to use for WDS has these items installed and properly configured. When time is taken to ensure that the server is properly prepared, it will result in a trouble-free installation and configuration of WDS.

After you have met the prerequisites for the server build, WDS must be installed as a role (Exercise 9.1).


Benefit of Images

Recently a client had an increasing need to improve the quality of their machine builds and reduce the time that was spent deploying new machines. This client had 250 computers in five locations and two states. They had just signed an agreement to refresh one-third of their machines, and because this was a leasing program, they would be doing this every year.

The current standard operating procedure was to build each machine by hand, which would result in an IT administrator or specialist spending 3 to 5 hours per machine. Each phase of the technical refresh program would have around 80 machines. Simple math tells you that this would require 240 to 400 hours spent on just building the machines, which is not efficient.

A plan was developed to create system images and then deploy them with the earlier version of WDS, which was called Remote Installation Service, or RIS. While RIS was not as easy to use or set up as WDS, it did show how valuable images really are.

They decided to create three separate images, each with various applications installed based on the departments. A lot of time was spent working with department heads to determine what exactly the images would contain, which allowed us to create base images that needed very little additional attention after they were installed.

While we knew that this would reduce the time needed to deploy a machine and would create a standard build, a side benefit turned out to be using the images to assist the help desk. If the help desk encountered an issue that would normally result in them deploying someone to rebuild the machine, they would instead deploy the build image. Overall, the use of images saved many man-hours and saved the organization money.

Exercise 9.1

Installing the WDS Role

Follow these steps to install the Windows Deployment Services role:

1. To open Server Manager, click Start > All Programs > Administrative Tools > Server Manager.

2. In the left pane, click Roles.

3. In the Roles Summary section, choose Add Roles.

4. Click Next on the Before You Begin screen.

5. On the Select Server Roles page, check the box next to Windows Deployment Services.


6. Click Next on the Overview of Windows Deployment Services page.

7. On the Select Role Services page, check the Deployment Server and Transport Server boxes.


8. Review the selections on the Confirm Installation Selections page.

9. After reviewing the selections, click Install.

During the installation of WDS, the Deployment Server and Transport Server role services were chosen. The following paragraphs briefly explain these two services:

Transport Server This option can be chosen without choosing the Deployment Server option. It is used to create a namespace to transmit data from a single server. When just this feature is installed, the server does not need Active Directory, DHCP, or DNS. This option would be selected by itself when you are doing a custom deployment solution. While some advanced options can be configured, such as using a defined range of IP addresses or setting up the UDP port, the standard installation does not require any additional configuration.

Deployment Server The Deployment Server option gives WDS full functionality. When this option is checked during installation, the Transport Server must be installed along with it. This end-to-end solution brings the following functionality:

Support for network boot (PXE server)

Location to store images

Multicast

Monitor for client installs

Management tool

With the installation of the WDS role completed, the next section will explain how to configure the WDS settings.

Configuring WDS

One of the nice things about WDS is that it is included as a role that you choose to install. After the role is installed, it requires very little configuration. This means you are able to start creating your deployments within a short period of time.

It is necessary to configure WDS before you use it the first time. The following options are among those that can be configured:

Create a shared folder that will be used to store the install images, PXE boot files, and the files for Windows PE booting.

Answer settings for how the server handles incoming client boot requests.

Add a DHCP tag, which is needed so that the clients know what port the WDS server is listening on.

Set boot client options so boot clients can find the DHCP server.


Microsoft allows WDS to be configured in two ways:

Using the Windows Deployment Services Configuration Wizard

Using the command line and WDSUTIL

In Exercise 9.2, you’ll configure WDS for first use.

Exercise 9.2

Configuring WDS Server for First Use

Follow these steps to configure WDS Server for first use:

1. Choose Start > All Programs > Administrative Tools > Windows Deployment Services.

2. In the left pane, expand the Servers node.

3. Right-click on the server name and choose Configure Server. This will open the Windows Deployment Services Configuration Wizard.

4. On the Welcome Page, click Next.

5. On the Remote Installation Folder Location screen, choose the folder that will hold the images.

6. Choose the answer policy on the PXE Server Initial Settings screen. For this exercise, choose Do not respond to any client computer.


Three options are presented to you on the PXE Server Initial Settings screen:

Do Not Respond to Any Client Computer Use this option if you do not want the WDS server to respond to any clients.

Respond Only to Known Client Computers With this option, only clients that are prestaged in Active Directory can PXE boot to the WDS server. Prestaging means that you add the computer to AD before it attempts a PXE boot; a client that is not prestaged is prevented from PXE booting to the WDS server.

Respond to All (Known and Unknown) Client Computers This will allow all clients to boot to the WDS server. Additionally, checking the box “For unknown clients, notify administrator and respond after approval” will require that an administrator approve new clients before allowing them to receive the boot service.

7. Click Finish.

8. On the Configuration Complete screen, choose to either add images now or add them later with the Add Image Wizard.

9. Click Finish.

After completing the basic configuration, you can configure the server properties. The options that can be configured are as follows:

• PXE response settings

• Directory Services

• Boot

• Client

• DHCP

• Network Settings

• Advanced

The configuration wizard sets up the basic settings like the PXE response settings, but there are some common settings that need to be looked at or configured. They’re on the following tabs:

Boot tab: When the client wants to interact with the server, it will follow the settings on this tab. By default, the configuration wizard configures the PXE boot to require the clients to press F12 for the boot to start. This can be changed so that the PXE boot begins immediately. This might be a great option if you are doing a large-scale migration that occurs after hours when you don’t want to have to press F12 on each client.

Network Settings tab: On this tab, you can configure the Multicast IP address, the UDP port range, and the network profile. If any changes are made in this tab, you must restart the service.

DHCP tab: If the WDS server is installed on a server running DHCP, it will cause a conflict because both WDS and DHCP by default listen on port 67. This tab will allow you to change the settings so that WDS will not listen on port 67.

In Exercise 9.3, you’ll configure some server properties.

Exercise 9.3

Configuring WDS Server Properties

Follow these steps to configure WDS server properties:

1. Choose Start > All Programs > Administrative Tools > Windows Deployment Services.

2. In the left pane, expand Servers.

3. Right-click on the WDS server and choose Properties.


4. In the server’s Properties dialog box, click the Boot tab.

5. On the Boot tab, make any necessary changes to the boot program or add a default boot image.


6. On the Network Settings tab, determine what the multicast IP address will be or set it to be obtained from a DHCP server. Microsoft doesn’t recommend changing the default IP address range (unless your network needs a different range). The UDP port range and network profile can be changed on this tab.

7. If the WDS server is running DHCP, click the DHCP tab and select the Do Not Listen on Port 67 and Configure DHCP Option 60 to PXEClient check boxes.

8. Click OK to finish.


Capturing Images

Many IT administrators are familiar with the concept of system images. When most think of system images, they think of products such as Symantec Ghost or Acronis True Image. When you use images, you are essentially using an existing operating system configuration and creating a copy or a clone of it. Then this clone can be used to restore the computer or deploy it to additional computers to give them the same configuration.

So what do we mean when we talk about capturing images specifically for WDS? Normally, when an image is deployed, it starts up to an operating system setup wizard. A capture image starts to a capture wizard instead, allowing the image to be saved as a WIM file (with a .wim filename extension).

What is involved in creating an image? Here’s a high-level overview:

1. Install an operating system on a server or computer.

2. Make any custom changes needed, such as installing software, specific drivers, or anything else specific to your organization.

3. Sysprep the server or computer.

4. Reboot into Windows Preinstallation Environment (WinPE).

5. Capture the offline image into a WIM file.

6. Store the image in the WDS image store.

That is a high-level overview of the imaging process in WDS; let’s look at what the WDS image capture utility does:

1. WinPE boots and the WDS image capture utility is started.

2. WDSCapture.exe looks for the WDSCapture.inf file. This file will contain answers to the questions asked in the GUI during installation. If this file does not exist, you will have to manually enter the answers.

3. Drives are then scanned for a sysprep offline image.

4. Metadata is extracted from the data points in the image. This data will contain information such as HAL type, architecture, product name, OS version, and language.

5. The volume in which to save the WIM file is selected.

6. The image is updated with the information that was extracted in step 4 and any other values that are entered by the user.

7. The image is uploaded to the WDS server.

An image can be captured both from the wizard and using a command-line tool. Exercises 9.4 and 9.5 will show you how to use both.

Exercise 9.4 assumes you have already created a sysprep image and have added it to the Install Image folder. It also assumes you have added a boot image to the Boot Image folder.


Exercise 9.4

Creating a Capture Image Using the Wizard

Follow these steps to create a capture image using the wizard:

1. Choose Start > All Programs > Administrative Tools > Windows Deployment Services.

2. In the left pane, expand Servers.

3. Expand your WDS server and then expand Install Images.

4. Expand the Boot Image folder and right-click on the image.

5. Choose Create Capture Boot Image.


6. In the Create Capture Image Wizard, on the Capture Image Metadata page, enter a name, description, and location.


7. Click Next to create the capture image.

8. Right-click on the Boot Image folder.

9. Click Add Boot Image.

10. Browse and choose the capture image that was just created.

11. Click Next.

12. Enter the image name and description and click Next.

13. Review the selections on the Summary screen and click Next.

14. After the image is added, click Finish.

15. Create a machine that will be used for the image. Install the operating system, add your applications, and customize it to your standards.

16. Sysprep the computer.

17. When sysprep is finished, restart the computer and press F12.

18. On the Boot Manager Screen, select the capture image and click Next.

19. Choose the correct drive, add a name and description, and click Next.

20. Select the location to store the image and click Save.

21. Click Upload Image to WDS Server.

22. Provide the name of the WDS server, and then click Connect. If prompted for credentials, enter the username and password with rights to the WDS server.

23. Choose the image group in which to store the image.

24. Click Finish.

To create a sysprep image and add it to the WDS image store, please refer to the Microsoft TechNet article at http://technet2.microsoft.com/windowsserver2008/en/library/b7978b72-3b39-441d-924c-4b7a2fd96c371033.mspx?mfr=true.

Exercise 9.5 shows the steps involved in using the command-line utility named WDSUTIL to create a capture image.


Exercise 9.5

Using WDSUTIL to Create a Capture Image

Follow these steps to use WDSUTIL to create a capture image:

1. Click Start, right-click Command Prompt, and choose Run as Administrator.

2. Within the command prompt, type the following:

WDSUTIL /New-CaptureImage /Image:<boot image> /Architecture:x86 /Filepath:<capture image>

Replace <boot image> with the name of the boot image you want to use to create the capture image and <capture image> with the file location and name of the new capture image.

3. Type the following:

WDSUTIL /Add-Image /Imagefile:<capture image> /ImageType:boot

Replace <capture image> with the filename and location of the capture image you want to add to the image store.

4. After the capture image has been created, follow steps 8 through 22 in Exercise 9.4 to boot the computer to the capture image and capture the operating system.


Deploying Server Core

A new feature introduced with Windows Server 2008 is Server Core. Server Core is a bare-bones installation of Windows Server 2008. You can think of it this way: If Windows Server 2008 is a top-of-the-line luxury car, then Windows Server 2008 Server Core is the stripped-down “no air conditioning, manual windows, with cloth seats” model. It might not be pretty to look at, but it gets the job done.

Server Core supports a limited number of roles:

• Active Directory Domain Services

• Active Directory Lightweight Directory Services

• DHCP

• DNS

• File Services

• Print Services

• Windows Virtualization

• Streaming Media Services

• Internet Information Services (IIS)

Server Core does not have the normal Windows interface or GUI. Most everything has to be configured via the command line or in some cases using Remote Server Administration Tools from a full version of Windows Server 2008 or Windows Vista. While this might scare some administrators off, it has many benefits:

Reduced management: Because Server Core has a minimum number of applications installed, it reduces management.

Minimal maintenance: Only basic systems can be installed on Server Core, so it reduces the upkeep you would need in a normal server installation.

Smaller footprint: Server Core requires only 1GB of disk space to install and 2GB free space for operations.

Tighter security: With only a few applications running on a server, it is less vulnerable to attacks.

The prerequisites for Server Core are basic. It requires the Windows Server 2008 installation media, the product key, and the hardware on which to install it.

It only takes a few minutes, depending on hardware, to install Server Core. One of the things to keep in mind is that you cannot upgrade or downgrade to Server Core. Server Core requires a clean installation. There are three editions available for Server Core installations:

• Windows Server 2008 Standard

• Windows Server 2008 Enterprise

• Windows Server 2008 Datacenter

Following the steps in Exercise 9.6 will result in the base install of Server Core.


Exercise 9.6

Installing Server Core

Follow these steps to install Server Core:

1. Insert the Windows Server 2008 CD and boot to the CD.

2. At the Install Windows screen, choose the language, time format, and keyboard method that is relevant to your location and click Next.

3. Click Install Now.

4. Type in your product key and click Next.

5. At the Select the Edition of Windows You Purchased screen, choose the Windows version and click Next.

6. Accept the license terms and click Next.

7. The only option available at the next screen will be Custom (Advanced). Click that option.

8. Choose the disk on which to install Server Core and click Next.

9. Allow setup to complete.

10. After setup is finished, click Other User and type administrator with no password.

11. Press Enter.

12. Enter a password for the Administrator account.

After you install the base operating system, you use the command-line or remote administrative tools to configure the network settings, add the machine to the domain, create and format disks, and install roles and features.

Configuring Microsoft Windows Activation

Windows Product Activation (WPA) was introduced with the release of Windows XP. The early versions required a 25-character alphanumeric format, and then starting with Windows XP SP2, it added a physical key (which is identified by the hardware). Large corporations, however, used a different set of rules. In the beginning, they were given OEM copies of the software, which did not require activation. Over time, these copies were leaked to other users and then the Internet. Microsoft worked hard to combat this by introducing Windows Genuine Advantage, which, when the user opts to use it, will allow them to download updates and content from Microsoft’s websites.

Starting with Windows Vista, if a user does not have a product key, it will result in loss of some of the functions, and that will eventually lead to most of the features being disabled.

Microsoft understands that companies still use volume keys and need to reduce any loss of production due to product activation. In an effort to make activation easier for companies, Microsoft has allowed for the installation of Key Management Services (KMS). When KMS is installed or activated on a host machine, it becomes the centralized location from which Windows client machines can activate. This reduces the time to activate your products and reduces the impact on your bandwidth. When a KMS host is created with a KMS key, that machine will activate with Microsoft. Then in turn, when machines in your local network need to activate, they activate with the KMS host on your network.

Windows Activation Backlash

When Windows Product Activation (WPA) was first announced by Microsoft in 2001 as a means to prevent piracy, it was received with mixed reviews. Other than Microsoft itself, hardly anyone was in favor of it.

Companies were not in favor of this new product activation feature because they were unsure of how it would affect their organization. They were used to having a single install disk without any restrictions, and each individual company had its own specific deployment needs.

Home users were also concerned about the implications of the new activation feature. Would their private information be sent to Microsoft? Would Microsoft monitor their activity? How much change in hardware was required to trigger a new activation?

The initial primary focus for Windows Activation was to discourage casual copying of Microsoft’s products, such as when one person purchases a copy of Microsoft Office and lets a friend install it on their machine. When Product Activation (as Windows Activation was then called) was introduced, it was reported that 50 percent of all piracy was casual copying.

Over time, Windows Activation has gained not so much an acceptance but more of a tolerance by users. Microsoft has continued to refine the process to seem less of a bother to people, and in general, people have started to purchase their own copies of software.

KMS has the following prerequisites:

• The KMS host must have the appropriate volume license.

• Machines on your network or KMS clients must also have the proper volume license.

• KMS clients need access to the KMS server. The KMS server uses TCP port 1688 by default.

• Applications and services logs need to be configured to handle the volume in your organization. Log sizes can be set in the Log Properties dialog box.

When planning to use a KMS host on your network, it is good to keep a few things in mind:

KMS host changes: The KMS host has the same rules as all other computers. If major hardware changes are made to the KMS server or it is on a virtual machine and is transferred to another computer, the KMS host will be required to reactivate with Microsoft.

KMS key: It is best to use the KMS key from the highest product group that your company has licensed.

Volume licenses: If you upgrade your product group or purchase a new volume license, you need to upgrade your existing KMS host.

KMS requires a minimum number of physical servers on the network before it will start activating client machines. This is called the activation threshold. The thresholds are as follows:

Windows Vista: Requires 25 physical computers

Windows Server 2008: Requires 5 servers

How do the requirement thresholds work? A KMS host will count the number of physical computers that are requesting activation. The count is a combination of both Windows Vista machines and Windows Server 2008.

For example, a company has 10 computers. Of the 10 computers, 8 are Windows Vista and 2 are Windows Server 2008. When these computers request activation, they are given an activation number, so the first computer that is running Vista is given the number 1. The next two computers are given numbers 2 and 3. The fourth computer is Windows Server 2008 and is given number 4, but none of the computers can be activated yet. The next computer to request activation is another Windows Server 2008 computer, and because it gets a number 5, it activates; however, the Vista computer will not activate until the number of total physical computers has reached 25. Therefore, this company has enough computers to reach the activation threshold for Windows Server 2008 but not for Windows Vista.

Once the thresholds are met, the KMS server will activate virtual machines, but until the numbers are reached, the virtual machines will not count toward the total number of machines needed to cross the threshold. It is thus important to have met these thresholds before the expiration period so that the computers can be activated.
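The counting rules above can be traced request by request. The following Python model is an added illustration, not code from the book or from Microsoft; the Request fields, the machine IDs, and the rule that repeated requests from one machine count once are assumptions made for the sketch.

```python
from dataclasses import dataclass

# Activation thresholds from the text: distinct physical machines required.
THRESHOLDS = {"vista": 25, "server2008": 5}


@dataclass(frozen=True)
class Request:
    machine_id: str        # hypothetical identifier for the requesting machine
    os: str                # "vista" or "server2008"
    virtual: bool = False  # virtual machines do not add to the count


class KmsHostModel:
    """Counts the distinct physical machines that have requested activation."""

    def __init__(self):
        self._physical = set()

    @property
    def count(self):
        return len(self._physical)

    def would_activate(self, os):
        """True if a client of this OS activates at the current count."""
        if os not in THRESHOLDS:
            raise ValueError(f"unknown client OS: {os!r}")
        return self.count >= THRESHOLDS[os]

    def handle(self, req):
        """Record one request and return True if that request is activated."""
        if req.os not in THRESHOLDS:
            raise ValueError(f"unknown client OS: {req.os!r}")
        if not req.virtual:
            # Assumption: a machine that asks again is still one machine.
            self._physical.add(req.machine_id)
        return self.would_activate(req.os)


def simulate(requests):
    """Return (count, first_try, after_retry) for an ordered request list.

    first_try maps machine_id to the outcome of its first request.
    after_retry is the outcome once every client has checked back with the
    host and is judged against the final count.
    """
    host = KmsHostModel()
    first_try = {}
    for req in requests:
        activated = host.handle(req)
        first_try.setdefault(req.machine_id, activated)
    after_retry = {r.machine_id: host.would_activate(r.os) for r in requests}
    return host.count, first_try, after_retry


def page_example():
    """The 10-computer company from the text: 8 Vista, 2 Windows Server 2008."""
    order = ["vista"] * 3 + ["server2008"] * 2 + ["vista"] * 5
    return [Request(f"pc{i:02d}", os) for i, os in enumerate(order, start=1)]


if __name__ == "__main__":
    count, first_try, after_retry = simulate(page_example())
    print("physical count:", count)
    for machine_id in sorted(first_try):
        print(machine_id, first_try[machine_id], after_retry[machine_id])
```

In the book's scenario the fourth machine (a server) is refused on its first request and activates only when it checks back after the fifth physical machine has been counted.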

The grace period for meeting the KMS threshold requirements for all editions of Windows Vista is 30 days. The grace period for Windows Server 2008 is 60 days.


Installing KMS

Starting with Windows Server 2008, KMS is automatically included. However, the first KMS host needs a KMS key installed and then activated with Microsoft. After this initial activation, the KMS host does not communicate any further information to Microsoft. The following information is sent to Microsoft when you activate the first KMS host:

• IP address

• Product key

• Language settings

• Edition of the operating system

• Hardware ID hash

• Current date

• License and activation condition

Microsoft recommends having a minimum of two KMS host machines. This will ensure a failover to one or the other host in case of loss of connectivity.

The KMS service does not require a backup because it does not contain any data that can be lost. If a KMS host is lost, the replacement server will require the same configuration and hostname as the previous KMS host. The new host will then start to collect the activation requests until it reaches the minimum threshold. You can keep a record of the KMS activations by saving the Key Management Service logs that will appear in the applications and services logs.

KMS can be installed on any physical machine running Windows Vista, Windows Server 2008, or Windows Server 2003. A KMS host installed on a Vista machine can only activate other Vista machines, so planning is needed for your environment.

After the first KMS host is activated with Microsoft, the additional KMS host will activate to the first KMS host.

A KMS key can be used to activate up to five more KMS hosts on a network. Each KMS host can then be activated up to nine more times with the same key. If your company requires more than six KMS hosts, you can request additional activations. For more information, see the Volume Licensing website at http://go.microsoft.com/fwlink/?LinkID=73076.

In Exercise 9.7, you’ll install a KMS host on a Windows Server 2008 machine.


Exercise 9.7

Installing a KMS Host

Follow these steps to install a KMS host:

1. Click Start, right-click Command Prompt, and choose Run as Administrator.

2. To install your KMS key, type the following and press Enter:

cscript C:\windows\system32\slmgr.vbs /ipk <KmsKey>

Replace <KmsKey> with your license key.

3. To activate your KMS host, you have two options:

a. To activate online, type the following and press Enter:

cscript C:\windows\system32\slmgr.vbs /ato

b. To activate over the phone, type the following and press Enter:

slui.exe 4

4. When the activation completes, restart the Software Licensing Service.

When you install a new KMS key, it will reset your activation count. The KMS count will need to be rebuilt before the KMS host can serve client machines. This will be done automatically because client machines will check back with the KMS server on a regular basis.

Configuring KMS

After a KMS host is enabled and activated, no additional configuration is required. There are a number of options that can be configured if your environment has special needs. Table 9.1 lists some provided scripts that can be run in an elevated command prompt to modify the standard configuration.

Table 9.1 Optional KMS Settings

Description | Cscript

Configure the TCP port used by the KMS host | Cscript C:\windows\system32\slmgr.vbs /sprt <port>

Disable DNS publishing | Cscript C:\windows\system32\slmgr.vbs /cdns

Re-enable DNS publishing | Cscript C:\windows\system32\slmgr.vbs /sdns

Set KMS host process to a lower priority | Cscript C:\windows\system32\slmgr.vbs /cpri

Set KMS host process to normal priority | Cscript C:\windows\system32\slmgr.vbs /spri

Change activation interval for clients not activated | Cscript C:\windows\system32\slmgr.vbs /sai <ActivationInterval>

Change activation renewal interval | Cscript C:\windows\system32\slmgr.vbs /sri <RenewalInterval>

After changing any of the default settings, it is recommended to restart the KMS service or reboot the computer.

A very important item to review and make any needed changes to is DNS. If your environment uses Dynamic DNS, which most Active Directory domains do, and you plan to have only a single KMS host, then you might not require any further configuration. However, if your network does not have Dynamic DNS or you have multiple KMS servers, some changes may be needed for KMS clients to receive updated information from DNS.

When a domain contains multiple KMS hosts, only one KMS host can update the DNS entries. Any additional KMS hosts will be unable to change or update the SRV records unless changes are made to the DNS server. Think of it this way: For a house to receive mail and packages, it is given a unique address. Only that one house receives that address, and it stays with that house so that delivery services know where to find it. A normal person cannot change that address. Similarly, the first KMS host to record its DNS information becomes the owner of that DNS record. When an environment has more than one KMS host, it requires that we give permission to all the KMS hosts to change or update information. This can be accomplished in two ways: manually change the DNS SRV record or change the default SRV permission on the DNS server.

DNS publishing is enabled by default. For KMS publishing to work, the network must support SRV publishing. Many organizations prevent this for security reasons. If this is the case, then it is necessary to create or copy the SRV record manually.

If at all possible, it is recommended that you use the KMS publishing in DNS. Using this method will allow the KMS host to make changes in DNS; some of the changes include IP address, computer name, and TCP port. The KMS host will update its record once a day just in case DNS scavenges the information.

To configure permissions on the DNS server to allow KMS hosts to publish SRV information in a single DNS domain, complete Exercise 9.8.


Exercise 9.8

Configuring DNS Permissions for a KMS Host

Follow these steps to configure DNS permissions for a KMS host:

1. Choose Start > All Programs > Administrative Tools > Active Directory Users and Computers.

2. Expand your organization, right-click on Users, and choose New and then Group.

3. Provide a name for the KMS host group and ensure that the group type is Global.


4. Click OK.

5. Right-click on the newly created group and choose Properties.

6. Click on the Members tab and then click Add.

7. In the Select Users box that opens, click Object Types.

8. In the Object Types box, check Computers and then click OK.

9. In the Enter Object Names box, input the names of the KMS host machines and click OK.

10. Click Apply and OK, which will then close the AD group Properties dialog box.

11. Close the Active Directory Users and Computers MMC.

12. Open Windows DNS Manager by choosing Start > All Programs > Administrative Tools > DNS.

13. Right-click the DNS server and choose Properties.

14. Click the Security tab and then click Add.


15. Enter the security group that was created in step 4.

16. Give the group that was just added permissions to allow updates on the DNS server.

17. Click OK to finish.

At times, organizations will have more than one DNS domain. If this is the case, you can create a list of DNS domains that the KMS host can use when publishing its records.

By default, a KMS host will publish information only to the primary DNS domain. This behavior is modified by editing the Registry. Remember that editing the Registry can lead to serious damage to the operating system if not done properly. As a general practice, you should have a proper backup of the server and the Registry settings before editing the Registry.

To change the KMS host to publish in multiple domains, follow the steps outlined in Exercise 9.9.

Exercise 9.9

Publishing in Multiple Domains

To configure a KMS host to publish in multiple domains, complete the following steps:

1. Click Start, right-click Command Prompt, and choose Run as Administrator.

2. Type regedit.exe and then press Enter.


3. Navigate to the following Registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SL

4. Right-click on SL and choose New and then Multi-String Value.


5. For the name of the new value, type DnsDomainPublishList and press Enter.

6. Right-click DnsDomainPublishList and choose Modify.

7. In the Value Data section, type each DNS domain suffix that you want the KMS host to publish to; each one should be on a separate line.

8. Click OK to finish.

9. Restart the Software Licensing Service.


If your environment has security policies or anything else that would block the KMS host from creating and updating the DNS SRV record, you will need to manually create the entry. If the KMS host is not allowed to create or update the SRV record, then it is recommended that you disable the auto-publishing on all KMS hosts.

Exercise 9.10 will walk you through creating a KMS SRV record in a Microsoft DNS server.

Exercise 9.10

Creating a KMS SRV Record

Follow these steps to manually create a KMS SRV record in a DNS server:

1. Choose Start > All Programs > Administrative Tools > DNS.

2. Expand the DNS server and expand Forward Lookup Zones.

3. As seen in the following screen shot, right-click on the first domain that will contain the SRV record and choose Other New Records.

4. Scroll down and click on Service Location (SRV).


5. Click Create Record.

6. In the New Resource Record dialog box, enter the following:

Service: _VLMCS

Protocol: _TCP

Port Number: 1688

Host Offering This Service: <FQDN> (This is the fully qualified domain name of your server.)

7. Click OK and then Done.
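Whether the _VLMCS records are published automatically or created by hand as in Exercise 9.10, it is worth confirming that DNS lists only the KMS hosts you intend, on the port you configured. The following Python script is an added example, not part of the book; the sample nslookup output, the host names, and the corp.example domain are constructed, and the parser assumes the record layout that Windows nslookup prints for -type=srv queries.

```python
import re

KMS_SRV_PREFIX = "_vlmcs._tcp."
DEFAULT_KMS_PORT = 1688  # default KMS port given in the text

# Constructed sample of `nslookup -type=srv _vlmcs._tcp.corp.example` output.
SAMPLE_NSLOOKUP = """\
Server:  dns1.corp.example
Address:  192.0.2.10

_vlmcs._tcp.corp.example   SRV service location:
          priority       = 0
          weight         = 0
          port           = 1688
          svr hostname   = kms1.corp.example
_vlmcs._tcp.corp.example   SRV service location:
          priority       = 0
          weight         = 0
          port           = 1688
          svr hostname   = KMS2.corp.example
_vlmcs._tcp.corp.example   SRV service location:
          priority       = 0
          weight         = 0
          port           = 1689
          svr hostname   = kms1.corp.example
_vlmcs._tcp.corp.example   SRV service location:
          priority       = 0
          weight         = 0
          port           = 1688
          svr hostname   = desk-417.corp.example
kms1.corp.example       internet address = 192.0.2.21
"""

HEADER_RE = re.compile(r"^(\S+)\s+SRV service location:\s*$", re.IGNORECASE)
FIELD_RE = re.compile(
    r"^\s+(priority|weight|port|svr hostname)\s*=\s*(\S+)\s*$", re.IGNORECASE
)


def parse_srv_records(text):
    """Parse nslookup SRV output into dicts with name, port and target keys."""
    records, current = [], None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {"name": header.group(1).lower().rstrip(".")}
            records.append(current)
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            key, value = field.group(1).lower(), field.group(2)
            if key == "svr hostname":
                current["target"] = value.lower().rstrip(".")
            elif value.isdigit():
                current[key] = int(value)
        elif not line.startswith((" ", "\t")):
            current = None  # left the indented block of the current record
    # Drop incomplete records (missing port or target).
    return [r for r in records if "target" in r and "port" in r]


def audit_kms_srv(records, domain, authorized_hosts,
                  expected_port=DEFAULT_KMS_PORT):
    """Return (target, port, reason) findings for records that need review."""
    expected_name = KMS_SRV_PREFIX + domain.lower().rstrip(".")
    allowed = {h.lower().rstrip(".") for h in authorized_hosts}
    findings, seen, published = [], set(), set()
    for rec in records:
        if rec["name"] != expected_name:
            continue  # record belongs to another service or domain
        published.add(rec["target"])
        key = (rec["target"], rec["port"])
        if key in seen:
            continue
        seen.add(key)
        if rec["target"] not in allowed:
            findings.append((rec["target"], rec["port"],
                             "host is not an authorized KMS host"))
        elif rec["port"] != expected_port:
            findings.append((rec["target"], rec["port"],
                             f"port differs from expected {expected_port}"))
    # An authorized host with no record usually means it lacks permission
    # to update the SRV record, the case Exercise 9.8 addresses.
    for host in sorted(allowed - published):
        findings.append((host, None, "authorized KMS host has no SRV record"))
    return findings


if __name__ == "__main__":
    hosts = ["kms1.corp.example", "kms2.corp.example", "kms3.corp.example"]
    for finding in audit_kms_srv(parse_srv_records(SAMPLE_NSLOOKUP),
                                 "corp.example", hosts):
        print(finding)
```

If the KMS port was changed with the /sprt option from Table 9.1, pass that value as expected_port.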


Install from Media

When you’re planning to use WDS to deploy a server, using Install from Media (IFM) can create a copy of the Active Directory data to reduce synchronization for the new domain controller. IFM can create install media for writeable (full) and read-only domain controllers (RODC). Although this section may seem to be out of place for a chapter on deploying servers, using IFM can speed up the deployment of Active Directory servers. Knowing how to use IFM is important for passing the 70-643 exam; however, knowing how Active Directory works and how to manage it is outside the scope of this book.

IFM uses the ntdsutil utility and is a subcommand of that utility. This utility is built into Windows Server 2008 and is available if you have one of the following two roles installed:

• Active Directory Domain Services (AD DS)

• Active Directory Lightweight Directory Services (AD LDS)

Earlier versions of IFM required several steps to create the media, including a backup and restore, but in Windows 2008, it is possible to create an IFM set in one step. Again, the NTDSUTIL is used to create the media, with or without the SYSVOL. NTDSUTIL uses Volume Shadow Copy to create a snapshot of AD from a running domain controller; then it defrags the database and replays its logs.

When would this feature be of benefit? One example would be when you’re deploying servers to branch offices. In many cases, branch offices have slower WAN links, which in turn may make it take a considerable amount of time and bandwidth to replicate the data. In short, using IFM can deploy domain controllers more quickly and efficiently.

There are a number of facts to keep in mind when using IFM:

• You can use a 32-bit domain controller with Windows Server 2008 to create installation media for a 64-bit DC.

• Using NTDSUTIL to create RODC media is safe. It will remove any cached secrets like passwords from the media. However, you still want to keep the media in a safe location because it includes the information to create a DC in your network.

• Full AD DS installation media includes the Registry and SYSVOL data, if that option is chosen.

• If during the creation of the IFM media you press Ctrl+C or it gets interrupted in other manners, be sure to remove the temp log files before trying again.

• IFM cannot be run on a DC that runs Windows 2003.

• When you install AD DS on another DC, be sure to specify the same subfolder used when running the IFM command.

When a server is deployed using IFM, it will only need to replicate any changes to objects in AD since the IFM media was created. This means that the amount of time that has passed since the creation of the media would affect how much data will be replicated. IFM media is thus time sensitive and is no longer valid after 60 days by default because the domain tombstone threshold would have passed.

Exercise 9.11 will show you how to capture data for IFM:

Exercise 9.11

Capturing Data for Install from Media

To create IFM media, follow these steps:

1. Click Start, right-click Command Prompt, and choose Run as Administrator.

2. Type ntdsutil and press Enter.

3. Type ifm and press Enter.

4. To create an RODC, type Create rodc c:\installfrommedialocation.

Here, c:\installfrommedialocation is the location where you want the media to be created.

This will create an installation that does not include SYSVOL. To create an installation that contains SYSVOL, add sysvol after typing create. Here’s an example:

Create sysvol rodc c:\installfrommedialocation

5. When the media creation is successful, you’ll see the message “IFM media created successfully in <your media location>.”

Summary

Windows Deployment Services can provide an immediate value to both an IT administrator and an organization. It makes images or exact copies of a properly prepared machine that can be used to clone other machines. This allows for increased efficiency and results in standardization in machine builds. Time should be devoted to planning and configuring the WDS server and creating proper build images.

An exciting new feature was introduced called Windows 2008 Server Core. This edition of the server family provides a simplified version of the full product. You saw how fast and simple it was to install Server Core in Exercise 9.6. We also reviewed the benefits of having a simple version of Windows Server 2008.

The importance of Windows Product Activation (WPA) was stressed when we looked at Key Management Services (KMS). If a product is not properly activated, its functionality will become limited. This reduction in functionality will continue until a user can use a web browser for only 60 minutes. A KMS host server can reduce the footprint of activation on an organization’s network and allow them to continue to use volume license keys.

Exam Essentials

Understand how to use images. Know how to capture, prepare, and deploy images. An understanding of how the build process works will be beneficial. You should also know when to create an image and how to prepare one. Take the time to get familiar with IFM and the types of IFM you can create along with when you would use each type.

Understand how to deploy images. Understand how the deployment process works and how to deploy an image to multiple machines at the same time.

Understand the Server Core basics. Learn the steps needed to install Server Core and when deploying it would make the most sense. Understand the basic features as well as the prerequisites that are necessary for installation.

Understand the importance of Windows Activation. Have a thorough knowledge of how KMS works and why it is needed. Understand how it interacts with DNS and how to configure or create SRV records. Take some time to study how to install or enable KMS with a license key.

Review Questions

1. What changes have been made in WDS? (Choose all that apply.)

A. Support for WinPE as a boot operating system

B. Support for x64-bit systems

C. Can be used to deploy Norton Ghost images

D. Removed the ability to use multicast

2. What is an install image?

A. This is the image a client machine will boot into.

B. This is the CD that contains the installation media.

C. This is the image that contains the operating system you want to deploy.

D. This is a backup image that is used to restore single files.

3. What two components does WDS rely on for IP addresses and name resolution?

A. NTFS

B. DNS

C. KMS

D. DHCP

4. What is the difference between a transportation server and deployment server when discussing WDS?

A. A deployment server gives WDS full functionality.

B. There is no difference as they are both services of WDS.

C. A deployment server does not need AD.

D. A transportation server provides full WDS functions.

5. What is the name of the utility that Microsoft provides, besides a wizard, to configure WDS?

A. Command prompt

B. DNSLint

C. FCIV

D. WDSUTIL

6. What are some of the options that can be configured in WDS Properties? (Choose all that apply.)

A. Boot settings

B. Transportation rules

C. DHCP port

D. Activation

7. Which role must be installed on a server to use IFM?

A. Fax

B. Active Directory Domain Services

C. DNS

D. DHCP

8. What is RODC?

A. The protocol in which a domain controller replicates

B. Redundant Domain Controller

C. Read-only Domain Controller

D. Writeable Domain Controller

9. If the process of creating the IFM media gets interrupted, what files should be deleted before trying again?

A. Temp log files

B. Install files

C. WIM files

D. PST files

10. What tool or utility is used to configure Windows Server Core?

A. COREUtil

B. WDSUTIL

C. Server manager

D. Command line

11. What roles are supported by Server Core? (Choose all that apply.)

A. DHCP

B. Streaming Media Services

C. .NET

D. Desktop Experience

12. How much memory is required to install Server Core?

A. 2GB

B. 512MB

C. 256MB

D. 1GB

13. How much free space does Server Core require to install?

A. 2GB

B. 4GB

C. 1GB

D. 8GB

14. What is a prerequisite for a KMS installation?

A. 2GB of free space

B. 512MB RAM

C. Volume license key

D. Windows Installation media

15. What are the activation thresholds for KMS before it will start activating clients? (Choose all that apply.)

A. 50 physical Vista computers

B. 25 physical Vista computers

C. 100 physical Vista computers or servers

D. 5 physical Windows 2008 servers

16. What information is sent to Microsoft when you activate the first KMS host?

A. Web activity

B. DOC file numbers

C. Product key

D. Number of computers on the network

17. How do you back up a KMS host?

A. No backup is needed.

B. Use NTBACKUP.

C. Use a third-party backup program.

D. Microsoft will provide the backup utility when you purchase the KMS key.

18. What operating systems can a KMS host be installed on? (Choose all that apply.)

A. Windows Server 2000

B. Windows Vista

C. Windows 2008 Server

D. Windows XP

19. How many other KMS hosts can the first KMS host activate?

A. 5

B. 9

C. 1

D. 7

20. To run the scripts to configure additional settings in KMS, what utility should be used?

A. Command prompt

B. KMSUTIL

C. Elevated command prompt

D. WDSUTIL

Answers to Review Questions

1. A, B. WDS changes include support for WinPE and the ability to support x64 bit systems.

2. C. Install images contain the operating system that you want to deploy to a machine.

3. B, D. WDS relies on DHCP and DNS to provide IP addresses and name resolution.

4. A. When the Deployment Server option has been selected, it provides full functionality to the WDS server.

5. D. Microsoft provides the WDSUTIL utility to configure the WDS server.

6. A, C. You can configure the boot settings and change the DHCP port within WDS server properties.

7. B. To use the IFM utility, you must install the AD DS role or the AD LDS role.

8. C. An RODC is a read-only domain controller.

9. A. Delete the temp log files before attempting to retry a failed IFM creation.

10. D. As Server Core does not contain a GUI, configuration is accomplished by using the command line.

11. A, B. Server Core supports DHCP and Streaming Media Services.

12. B. Server Core requires 512MB of RAM for installation.

13. C. Server Core requires 1GB of free space to install.

14. C. You must have a valid volume license key to enable KMS.

15. B, D. KMS requires 25 physical Vista computers and 5 Windows 2008 servers before it will activate clients.

16. C. One of the items that is sent to Microsoft when you activate the first KMS host is the product key.

17. A. It is not necessary to back up a KMS host because it contains only activation logs.

18. B, C. A KMS host can be installed on both a Windows Vista and a Windows Server 2008 machine.

19. A. A KMS key can activate up to five more hosts on a network.

20. C. You must run the scripts from an elevated command prompt.

Chapter 10

Configuring High Availability in Windows Server 2008

Microsoft Exam Objectives Covered in This Chapter:

• Configure high availability. May include but is not limited to: failover clustering, Network Load Balancing, hardware redundancy

Windows Server 2008 has improved the options for high availability as well as the ease of configuring them. High availability can be better achieved with Windows Server 2008’s superior software stability and improved failover and network load balanced clustering. The exam will cover the basic configuration and operational functions for both a failover cluster and network load balancing. This chapter will give an introduction to achieving high availability with hardware and operational changes as well as using the high availability features of Windows Server 2008.

This chapter will cover the following topics:

• Components of high availability

• Achieving high availability with failover clustering

• Achieving high availability with network load balancing

Components of High Availability

High availability is a buzzword that many application and hardware vendors like to throw around to get you to purchase their product. Many different options are available to achieve high availability, and there also seem to be a number of different definitions and variations that help vendors sell their products as high availability solutions. But when it comes down to it, high availability is simply providing services with maximum uptime by avoiding unplanned downtime. Often disaster recovery (DR) is also closely lumped into discussions of high availability, but DR encompasses the business and technical processes that are used to recover once a disaster has happened.

Defining a high availability plan usually starts with a Service Level Agreement (SLA). At its base, an SLA defines the services and metrics that must be met for availability and performance of an application or service. Often an SLA is created for an IT department or service provider to provide a specific level of service. An example of this might be an SLA for a Microsoft Exchange server. The SLA agreement for an Exchange server might have uptime metrics on how much time during the month the mailboxes need to be available to end users, or it might define performance metrics for the amount of time that it takes for email messages to be delivered.

When determining an SLA, two other factors need to be considered. Often you will see them discussed only in the context of disaster recovery, even though they are important for designing a highly available solution. These factors are recovery point objective (RPO) and recovery time objective (RTO). An RTO is the length of time an application can be unavailable before service must be restored to meet the SLA. For example, a single component failure would have an RTO of less than 5 minutes, and a full-site failure might have an RTO of 3 hours. An RPO is essentially the amount of data that must be restored for a failure. For example, in a single server or component failure, the RPO would be 0, but in a site failure, the RPO might allow for up to 20 minutes of lost data.

SLAs, on the other hand, are usually expressed in percentages of the time the application is available. These percentages are also often referred to as the number of nines the percentage has, as shown in Table 10.1.

Table 10.1 Availability Percentages

Availability Rating | Allowed Unplanned Downtime/Year
99% | 3.7 days
99.9% | 8.8 hours
99.99% | 53 minutes
99.999% | 5.3 minutes

Two important factors that affect an SLA are the mean time between failure (MTBF) and the mean time to recover (MTTR). To be able to reduce the amount of unplanned downtime, the time between failures must be increased and the time it takes to recover must be reduced. Modifying these two factors will be covered in the next several sections of this chapter.

Achieving High Availability

As the information presented during the Windows installation states, Windows Server 2008 is the most secure and reliable Windows version to date. It also is the most stable, mature, and capable of any version of Windows. Although we have seen similar claims in previous versions of Windows Server, we can be sure that Windows Server 2008 is much better than previous versions for a variety of reasons. An honest look at the feature set and real-world experience should prove that this version of Windows provides the most suitable foundation for creating a highly available solution. However, more than just good software is needed to be able to offer high availability for applications.

Just as a house needs a good foundation, a highly available Windows Server needs a stable and reliable hardware platform to run on. Although Windows Server 2008 will technically run on desktop-class hardware, high availability is more easily achieved with server-class hardware. What differentiates desktop-class and server-class hardware? Server-class hardware has more management and monitoring features built in so that the health of the hardware is able to be monitored and maintained. Another large difference is that server-class hardware has redundancy options. Server-class hardware often has options to protect from drive failures, such as RAID controllers, and to protect against power supply failures, such as multiple power supplies. And enterprise-class servers have more.

More needs to be done than just installing Windows Server 2008 to ensure that the applications stay running with the best availability possible. A house needs maintenance and upkeep to keep the structure in proper repair, as does a server. In the case of a highly available server, this means patch management. Microsoft releases monthly security updates to fix security problems with its software, both for operating system fixes and for applications. To ensure that your highly available applications are immune to known vulnerabilities, these patches need to be applied in a timely manner during a scheduled maintenance window. Also, to address stability and performance issues, updates and service packs are released regularly for many applications, such as Microsoft SQL Server, Exchange Server, and SharePoint Portal Server. Many companies have a set schedule (daily, weekly, or monthly) to apply these patches and updates after they are tested and approved.

To continue even further with the house analogy, if you were planning to have crown molding installed, would you rather hire a college student on spring break looking to make some extra money to do the job or a seasoned artisan? Of course you would want someone with experience and a proven record of accomplishment to install your expensive crown molding. Likewise, with any work that needs to be done on your highly available applications, it’s best to hire only adequately qualified individuals. This is why obtaining a Microsoft certification is definitely an excellent start in becoming qualified to properly configure a server to be highly available. There is no substitute for real-life and hands-on experience. Working with highly available configurations in a lab and in production will help you to know not only what configurations are available, but also how the changes should be made. For example, it may be possible to use failover clustering for a WINS server, but in practice it may be easier to support and less expensive in hardware cost to use WINS replication to provide high availability. This is something you would know only if you had enough experience to make this decision.

As with your house, once you have a firm and stable foundation built by skilled artisans and a maintenance plan has been put into place, you need to ascertain what more is needed. If you can’t achieve enough uptime with proper server configuration and mature operational processes, a cluster may be needed. Windows Server 2008 provides for two types of clustering: failover clustering and Network Load Balancing (NLB). Failover clustering is used for applications and services such as SQL Server and Exchange Server. Network Load Balancing is used for network-based services such as web and FTP servers. The remaining sections of the chapter will cover both of these clustering options in detail.

To Cluster or Not to Cluster

Clustering is often thrown into the mix when someone wants to achieve higher availability. This is often a good step toward improved availability, but at times the return on the investment of a cluster doesn’t always add up. Although Windows Server 2008 greatly simplifies both the creation and management of a failover cluster, there is added complexity and cost in hardware, software, and personnel.

How do you determine whether to cluster applications? Sometimes even though it is possible to cluster applications, they perform worse when clustered. Other times only a small improvement is made when a cluster is created. You have to balance the slight improvement over the increased hardware cost, increased complexity, and the increased level of training required for the administrators.

Achieving High Availability with Failover Clustering

Taking high availability to the next level for enterprise services often means creating a failover cluster. In a failover cluster, all of the clustered application or service resources are assigned to one node or server in the cluster. Commonly clustered applications are SQL Server and Exchange Server; commonly clustered services are File and Print. Since the differences between a clustered application and a clustered service are primarily related to the number of functions or features, for simplicity we will refer to both as clustered applications. If there is a failure of the primary node, or if the primary node is taken offline for maintenance, the clustered application is started on another cluster node. The client requests are then automatically redirected to the new cluster node to minimize the impact of the failure.

How does failover clustering improve availability? By increasing the number of server nodes that the application has available to run on, you can move the application to a healthy server if there is a problem, if maintenance needs to be completed on the hardware or the operating system, or if patches need to be applied. The clustered application can be moved from node to node without having to restart. Usually, moving an application between nodes is transparent to the clients. Only severe node failures will require the application to be restarted before it is able to service clients. Figure 10.1 shows an example of SQL Server running on the first node of a Windows Server 2008 failover cluster.

[Figure 10.1: Using failover clustering to cluster SQL Server. Node A (active, running SQL Server) and Node B (passive) serve the clients and share the SAN.]

The clustered SQL Server in Figure 10.2 can be failed over to another node in the cluster and still service database requests.

[Figure 10.2: Failing the SQL Server service to another node. Diagram labels: Node A, Node B, SQL Server, Passive, Active, Clients, SAN.]

Failover clustering is notorious for being complicated and expensive. Windows Server 2008 makes strides to remove both of these concerns. Troubleshooting and other advanced concepts are outside the scope of the 70-643 exam and thus this book, so we will cover only the basic requirements and concepts needed to configure a failover cluster.

Failover Clustering Requirements

To be able to configure a failover cluster, first you must have the required components. The first requirement is that the correct Windows Server 2008 edition has been installed. Only the Windows Server 2008 Enterprise Edition and Windows Server 2008 Datacenter Edition are allowed to participate in a failover cluster. A single failover cluster can have up to 16 nodes when using the x64 installation and up to 8 nodes when using the x86 installation; however, the clustered service or application must support that number of nodes.

The appropriate server hardware is also required. Although the exact hardware will depend on the clustered application, there are a few requirements that are standard.

The basic hardware requirements are as follows:

• Server components must be marked with the “Certified for Windows Server 2008” logo.

• Server hardware should match and contain the same or similar components.

• All of the Validate a Configuration Wizard tests must pass.

• All servers in a cluster must run the same processor architecture, such as 32-bit, x64-based, or Itanium-based architecture.

The requirements for failover clustering storage have changed from previous versions of Windows. For example, Parallel SCSI is no longer a supported storage technology for any of the clustered disks. There are, however, additional requirements that need to be met for the storage components:

• Disks available for the cluster must be Fibre Channel, iSCSI, SAS, or SATA-based disks.

• Each cluster node must have a dedicated network interface card for iSCSI connectivity.

• Multipath software must be based on Multipath I/O (MPIO).

• Storage drivers must be based on storport.sys.

• Drivers and firmware for the storage controllers on each server node in the cluster should be identical.

• Storage components must be marked with the “Certified for Windows Server 2008” logo.

In addition, there are network requirements that must be met for failover clustering:

• Cluster nodes should be connected to multiple networks for communication redundancy.

• Network adapters should be the same make, use the same driver, and have the same firmware version in each cluster node.

• Network components must be marked with the “Certified for Windows Server 2008” logo.

There are two types of network connections in a failover cluster. These should have adequate redundancy as total failure of either could cause loss of functionality of the cluster. The two types are as follows:

• Public network. This is the network through which clients are able to connect to the clustered service application.

• Private network. This is the network used by the nodes to communicate to each other.

To provide redundancy for these two network types, additional network adapters would need to be added to the node and configured to connect to the networks.

In previous versions of Windows Server, support was given only when the entire cluster configuration was tested and listed on the HCL. The tested configuration listed the server and storage configuration down to the firmware and driver versions. This made deploying supported Windows clusters very difficult and expensive for both vendors and consumers. When problems did arise and Microsoft support was needed, it caused undue troubleshooting complexity as well. With Windows Server 2008 failover clustering, simplified requirements, including the “Certified for Windows Server 2008” logo program and the Validate a Configuration Wizard, all but eliminate the guesswork of getting the cluster components configured in a way that follows best practices and allows Microsoft support to assist easily if it is needed.

Cluster Quorum

When a group of people sets out to accomplish a single task or goal, a method for settling disagreements and for making decisions is required. In the case of a cluster, the goal is to provide a highly available service in spite of failures. When a problem occurs and a cluster node loses communication with the other nodes due to a network error, the functioning nodes are supposed to try to bring the redundant service back online. How, though, is it determined which node should bring the clustered service back online? If all of the nodes are functional despite the network communications issue, each one might try. Just like a group of people with their own ideas, a method must be put in place to determine which idea, or node, to allow control of the cluster. Windows Server 2008 failover clustering, like other clustering technologies, requires that a quorum exist between the cluster nodes before a cluster becomes available. A quorum is a consensus of the status of each of the nodes in the cluster. Quorum must be achieved in order for a clustered application to come online by obtaining a majority of the votes available. Windows Server 2008 has four quorum models, or methods for determining quorum and for adjusting the number and types of votes available:

• Node Majority

• Node and Disk Majority

• Node and File Share Majority

• No Majority: Disk Only

Node Majority, shown in Figure 10.3, allows only the cluster nodes to vote to obtain quorum. Node Majority is recommended for clusters with an odd number of nodes. When this quorum model is chosen, the cluster can sustain failures of up to one less than half of the nodes. For example, a five-node cluster can sustain two node failures.

Node and Disk Majority, shown in Figure 10.4, allows the cluster nodes and a disk on shared storage to vote to obtain quorum. Node and Disk Majority is recommended for clusters with an even number of nodes. When this quorum method is chosen, the cluster can sustain failures of up to half the nodes if the witness disk remains online. For example, an eight-node cluster with the witness disk online could sustain four node failures. Similar to a Node Majority quorum, this model can sustain failures of up to one less than half of the nodes if the witness disk goes offline or fails.

[Figure 10.3: Node Majority cluster. When a majority of the nodes are not communicating, the cluster stops. When a majority of the nodes are communicating, the cluster is functional.]

[Figure 10.4: Node and Disk Majority cluster. When only one of the four nodes and the witness disk communicate, the cluster is down. When two out of the four nodes and the witness disk communicate, the cluster is running. When three out of the four nodes communicate, the cluster is running.]

Node and File Share Majority allows the cluster nodes and a file share to vote to obtain quorum. Node and File Share Majority is recommended for clusters with non-shared disk configurations such as Exchange Server 2007 Clustered Continuous Replication (CCR) clusters or multi-site clusters. This quorum works in a similar way to Node and Disk Majority, but instead of a witness disk, this cluster uses a witness file share.

No Majority: Disk Only, shown in Figure 10.5, uses only a shared disk to obtain quorum. This quorum type is similar to legacy Windows Server cluster types and is not a recommended solution because the shared disk is a single point of failure. If the shared disk fails, none of the clustered applications can come online. It can, however, sustain failures of all nodes except one, assuming the shared disk is online.

Figure 10.5 No Majority: Disk Only cluster. When one node and the disk are communicating, the disk is running. When all three of the nodes are communicating with each other but not with the disk, the cluster stops.
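The vote counting behind these quorum models can be checked with a short Python model. This is an added example, not code from the book or from Microsoft; it assumes each node and the witness hold exactly one vote and that quorum means a strict majority of all configured votes.

```python
"""Vote arithmetic for the four quorum models (added illustration, simplified)."""
from enum import Enum


class QuorumModel(Enum):
    NODE_MAJORITY = "Node Majority"
    NODE_AND_DISK_MAJORITY = "Node and Disk Majority"
    NODE_AND_FILE_SHARE_MAJORITY = "Node and File Share Majority"
    NO_MAJORITY_DISK_ONLY = "No Majority: Disk Only"


# Models in which a witness (disk or file share) holds one vote besides the nodes.
WITNESS_VOTE_MODELS = {
    QuorumModel.NODE_AND_DISK_MAJORITY,
    QuorumModel.NODE_AND_FILE_SHARE_MAJORITY,
}


def has_quorum(model, total_nodes, nodes_up, witness_up=False):
    """Return True if the communicating members can keep the cluster running."""
    if total_nodes < 1 or not 0 <= nodes_up <= total_nodes:
        raise ValueError("nodes_up must be between 0 and total_nodes")
    if model is QuorumModel.NO_MAJORITY_DISK_ONLY:
        # Only the shared disk counts: any single node that can reach it is enough.
        return witness_up and nodes_up >= 1
    witness_votes = model in WITNESS_VOTE_MODELS
    total_votes = total_nodes + (1 if witness_votes else 0)
    votes_present = nodes_up + (1 if witness_votes and witness_up else 0)
    # Assumption: quorum is a strict majority of all configured votes.
    return 2 * votes_present > total_votes


def max_node_failures(model, total_nodes, witness_up=False):
    """Largest number of failed nodes that still leaves quorum, or None if
    quorum is impossible (for example, Disk Only with the disk offline)."""
    for failed in range(total_nodes, -1, -1):
        if has_quorum(model, total_nodes, total_nodes - failed, witness_up):
            return failed
    return None


if __name__ == "__main__":
    # The eight-node example from the text, with the witness online and offline.
    for witness in (True, False):
        tolerated = max_node_failures(
            QuorumModel.NODE_AND_DISK_MAJORITY, 8, witness_up=witness)
        print(f"8 nodes, witness online={witness}: tolerates {tolerated} node failures")
```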

Validating a Cluster Configuration

Configuring a failover cluster in Windows Server 2008 is much simpler than in previous versions of Windows Server. Before a cluster can be configured, the Validate a Configuration Wizard should be run to verify that the hardware is configured in a fashion that is supportable. Before you can run the Validate a Configuration Wizard, however, the Failover Clustering feature needs to be installed using Server Manager. The account that is used to create a cluster must have administrative rights on each of the cluster nodes and have permissions to create a cluster name object in Active Directory. Follow these steps:

1. Prepare hardware and software prerequisites.

2. Install the Failover Clustering feature on each server.

3. Log in with an appropriate user ID and run the Validate a Configuration Wizard.

4. Create a cluster.

5. Install and cluster applications and services.


To install the Failover Clustering feature on a cluster node, follow the steps outlined in Exercise 10.1.

Exercise 10.1

Installing the Failover Cluster Feature

Follow these steps to install the Failover Cluster feature:

1. Click Start > Administrative Tools > Server Manager.

2. Select Add Features, located in the Features Summary section of Server Manager.

3. Select the Failover Clustering feature from the displayed list and click Next.

4. In the Confirm Installation Selections page, review the selection and then click Install.

5. When the installation process completes, click Close.

Using the Validate a Configuration Wizard before creating a cluster is highly recommended. This wizard validates that the hardware and software configuration for the potential cluster nodes are in a supported configuration. Even if the configuration passes the tests, care should be taken to review all warnings and informational messages so that they can be addressed or documented before the cluster is created.

Running the Validate a Configuration Wizard does the following:

• Conducts four types of tests: Software and Hardware Inventory, Network, Storage, and System Configuration.

• Confirms that the hardware and software settings are supportable by Microsoft support staff.

You should run the Validate a Configuration Wizard before creating a cluster or after any major hardware or software changes to the cluster. Doing this will help identify any misconfigurations that could cause problems with the failover cluster.

In the next section, we will cover the process for running the Validate a Configuration Wizard.

Running the Validate a Configuration Wizard

The Validate a Configuration Wizard, shown in Figure 10.6, is simple and straightforward to use, as its “wizard” name would suggest. It must be run after the Failover Clustering feature has been installed on each of the cluster nodes and can be run as many times as required.

When you are troubleshooting cluster problems or have changed the configuration of the cluster hardware, it is a good idea to run the Validate a Configuration Wizard again to help pinpoint potential cluster configuration problems.


Figure 10.6 The Validate a Configuration Wizard

If you already have a cluster configured and want to run the Validate a Configuration Wizard, you can do so; however, you will not be able to run all of the storage tests without taking the clustered resources offline. As shown in Figure 10.7, you will be prompted to either skip the disruptive tests or take the clustered resources offline so the tests can complete.

Figure 10.7 Validating a running cluster


Exercise 10.2 shows the exact steps to successfully run the Validate a Configuration Wizard on two servers, named NODEA and NODEB, that are not yet clustered.

Exercise 10.2

Running the Validate a Configuration Wizard

Follow these steps to run the Validate a Configuration Wizard:

1. Click Start > Administrative Tools > Failover Cluster Management.

2. In the Actions pane, click Validate a Configuration and click Next.

3. Type NODEA in the Enter Name field and click Add.


4. Type NODEB in the Enter Name field and click Add.

5. Click Next.

6. Leave Run All Tests (Recommended) selected and click Next.

7. Click Next.

8. Let the test complete and review the report in the Summary window, and then click Finish.


Addressing Problems Reported by the Validate a Configuration Wizard

After the Validate a Configuration Wizard has been run, it will show the results, as shown in Figure 10.8. This report can also be viewed in detail later using a web browser. The report is named with the date and time the wizard was run and is stored in %windir%\cluster\Reports.

Figure 10.8 Validate a Configuration Wizard results

How should errors listed in the report be addressed? Often the errors reported by the Validate a Configuration Wizard are self-explanatory; however, there are times when additional help is required. The following three guidelines should help troubleshoot the errors:

• Read all of the errors because multiple errors may be related.

• Use the checklists available in the Windows Server help files to ensure that all steps have been completed.

• Contact the hardware vendor for updated drivers and firmware and guidance for using the hardware in a cluster.

Creating a Cluster

After you have successfully validated a configuration and the cluster hardware is in a supportable state, you can create a cluster. The process for creating a cluster is straightforward and similar to the process of running the Validate a Configuration Wizard. To create a cluster with NODEA and NODEB, follow the instructions in Exercise 10.3.


Exercise 10.3

Creating a Cluster

Follow these steps to create a cluster:

1. Click Start > Administrative Tools > Failover Cluster Management.

2. In the Management section of the center pane, select Create a Cluster.

3. Read the Before You Begin information and click Next.

4. In the Enter Server Name box, type NODEA, and then click Add.

5. Again in the Enter Server Name box, type NODEB, and then click Add.

6. Verify the entries, and then click Next.

7. In the Access Point for Administering the Cluster section, enter Cluster1 for the cluster name.

8. Type 10.10.1.96 as the IP address, type 255.255.255.0 as the subnet mask, and then click Next.

9. In the Confirmation dialog box, verify the information, and then click Next.

10. On the Summary page, click Finish.


By creating a cluster, you have established the foundation for your clustered applications. At this point in the configuration, however, there are only a couple of activities that can be completed, such as adding, pausing, and evicting cluster nodes. One of the configuration settings you can change at this point is the quorum type of the cluster. During the setup of the cluster, the best quorum model is chosen based on the number of cluster nodes and the disk configuration. To change the quorum type, in Failover Cluster Management, choose the cluster name from the Connections pane and then click Quorum Settings from the Actions pane. As shown in Figure 10.9, this will allow you to choose a valid quorum model based on the current cluster configuration.

Working with Cluster Nodes

Once a cluster is created, there are a couple of actions that are available. First, you can add another node to the cluster by using the Add Node Wizard from the Failover Cluster Management Actions pane.

Also at this point, you have the option to pause a node, which prevents resources from being failed over or moved to the node. You typically would pause a node when the node is involved in maintenance or troubleshooting. After a node is paused, it must be resumed to allow resources to again be run on it.

Another action available to perform on a node at this time is evict. Eviction is a reversible process. Once you evict the node, it must be re-added to the cluster. You would evict a node when it is damaged beyond repair or is no longer needed in the cluster. If you evict a damaged node, you can repair or rebuild it and then add it back to the cluster using the Add Node Wizard.


Figure 10.9 Changing the quorum model

Clustering Roles, Services, and Applications

Once the cluster is created, applications, services, and roles can be clustered. Windows Server 2008 includes a number of built-in roles and features that can be clustered.

The following roles and features can be clustered in Windows Server 2008:

• Virtual Machines

• File Services

• Print Services

• DHCP Server

• Windows Internet Naming Services (WINS)

In addition, other common services and applications are clustered on Windows Server 2008 clusters:

• Enterprise database services such as Microsoft SQL Server

• Enterprise messaging services such as Microsoft Exchange Server

To cluster a role or feature such as Print Services, the first step is to install the role or feature on each node of the cluster. The next step is to use the Configure a Service or Application Wizard in the Failover Cluster Management tool. Exercise 10.4 shows how to cluster the Print Services role once an appropriate disk has been presented to the cluster.

Exercise 10.4

Clustering the Print Service

Follow these steps to cluster the Print Service:

1. Click Start > Administrative Tools > Failover Cluster Management.


2. In the console tree, click the plus sign next to the cluster name to expand the items underneath it.

3. In the Actions pane, click Configure a Service or Application and click Next on the Before You Begin page.

4. Click Print Server in the Select Service or Application Page, and then click Next.


5. Type the name of the print server, such as Print1, and type in the IP address that will be used to access the print service, such as 192.168.1.108. Then click Next.

6. Select Cluster Disk 1 in the Select Storage page as the storage volume for the print server and then click Next.

7. Click Next again.

8. After the wizard runs and the Summary page appears, you can view a report of the tasks the wizard performed by clicking View Report.

9. Close the report and click Finish.

The built-in roles and features all are configured in a similar fashion. Other applications such as Microsoft Exchange Server 2007 have specialized cluster configuration routines that are outside the scope of this exam. Applications that are not developed to be clustered can also be clustered using the Generic Application, Generic Script, or Generic Service option in the Configure a Service or Application Wizard, as shown in Figure 10.10.

Clustered Application Settings

Windows Server 2008 has options that allow an administrator to fine-tune the failover process to meet the needs of their business. In the next few sections, we’ll cover those options.


Figure 10.10 Configuring a generic application

Failover is when a clustered application or service moves from one node to another. The process can be triggered automatically due to a failure or server maintenance or manually by an administrator. The failover process works as follows:

1. The cluster service takes all the resources in the application offline in the order set in the dependency hierarchy.

2. The cluster service transfers the application to the node that is listed next on the application’s list of preferred host nodes.

3. The cluster service attempts to bring all of the application’s resources online, starting at the bottom of the dependency hierarchy.

In a cluster that is hosting multiple applications, it may be important to set specific nodes to be primarily responsible for each clustered application. This can be helpful from a troubleshooting perspective since a specific node is targeted for hosting service. To set a preferred node and an order of preference for failover, use the General tab on the Properties dialog box of the clustered application. Also, the order of failover is set in this same dialog box by moving the order in which the nodes are listed. If NODEA should be the primary node and NODEC should be the server that the application fails to first, NODEA should be listed first and selected as the preferred owner. NODEC should be listed second, and the remaining cluster nodes would be listed after NODEC.

As shown in Figure 10.11, there are a number of failover settings that can be configured for the clustered service. The failover settings control the number of times a clustered application can fail in a period of time before the cluster does not try to restart it. Typically, if a clustered application fails a number of times, some sort of manual intervention will be required to return the application to a stable state. Specifying the maximum number of failures will keep the application from trying to restart until it is manually brought back online after the problem has been resolved. This is beneficial because if the application continues to be brought online and then fails, it may show as being functional to the monitoring system even though it continues to fail. After the application is put in a failed state, the monitoring system would not be able to contact the application and should report it as being offline.

Figure 10.11 Clustered application failover settings

Figure 10.11 also shows the Failback settings for Print1. Failback settings control whether or not and when a clustered application would fail back to the preferred cluster node once it becomes available. The default setting is Prevent Failback. If failback is allowed, two additional options are available, either to fail back immediately after the preferred node is available or to fail back within a specified time. The time is specified in the 24-hour format. If you want to allow failback between 10:00 p.m. and 11:00 p.m., you would set the failback time to be between 22 and 23. Setting a failback time to off hours is an excellent way to ensure that your clustered applications are running on the designated nodes and automatically scheduling the failover process for a time when it will impact the fewest users.

One tool that is valuable in determining how resources affect other resources is the dependency viewer. The dependency viewer is a tool that visualizes the dependency hierarchy created for an application or service. Using this tool can help when troubleshooting why specific resources are causing failures and help an administrator better visualize the current configuration and adjust it to meet business needs. Exercise 10.5 will show you how to run the dependency viewer.


Exercise 10.5

Using the Dependency Viewer

Follow these steps to run the dependency viewer:

1. Choose Start > Administrative Tools > Failover Cluster Management.

2. In the console tree, click the plus sign to expand the cluster.

3. Under the cluster name, click the plus sign to expand Services and Applications.

4. In Services and Applications, select a service or application such as Print1.

5. In the Actions pane, click Show Dependency Report.

6. Review the dependency report.

7. Close Internet Explorer.

Exercise 10.5 generated a dependency report that shows how the print service is dependent on a network name and a clustered disk resource. The network name is then dependent on an IP address.


Resource Properties

Resources are physical or logical objects, like a file share or IP address, that the failover cluster manages. They may be a service or application available to clients or they may be part of the cluster. Resources include physical hardware devices such as disks and logical items such as network names. They are the smallest configurable unit in a cluster and can run on only a single node in a cluster at a time.

Like clustered applications, resources have a number of properties available for meeting business requirements for high availability. This section covers resource dependencies and policies.

Dependencies can be set on individual resources and control how resources are brought online and offline. Simply put, a dependent resource is brought online after the resources that it depends on and is taken offline before those resources. As shown in Figure 10.12, dependencies can be set on a specific resource, such as the print spooler.

Figure 10.12 Resource dependencies
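The ordering rule above, applied to the dependency report from Exercise 10.5, as an added Python example (not part of the book or of the cluster service). The resource labels are constructed from the names used in the exercises, and blocked_by is a hypothetical helper for tracing which resources a failed dependency keeps offline.

```python
"""Online/offline ordering derived from resource dependencies (added illustration)."""
from graphlib import CycleError, TopologicalSorter  # Python 3.9+

# resource -> resources it depends on. Constructed from the Exercise 10.5 report:
# the print service depends on a network name and a clustered disk, and the
# network name depends on an IP address.
PRINT1_DEPENDENCIES = {
    "Print Spooler": {"Network Name: Print1", "Cluster Disk 1"},
    "Network Name: Print1": {"IP Address: 192.168.1.108"},
    "IP Address: 192.168.1.108": set(),
    "Cluster Disk 1": set(),
}


def online_order(dependencies):
    """Order in which resources can be brought online: dependencies first."""
    referenced = {dep for deps in dependencies.values() for dep in deps}
    missing = referenced - set(dependencies)
    if missing:
        raise ValueError(f"dependency on undefined resource(s): {sorted(missing)}")
    try:
        return list(TopologicalSorter(dependencies).static_order())
    except CycleError as exc:
        # args[1] holds the resources that form the loop.
        raise ValueError(f"circular dependency: {exc.args[1]}") from exc


def offline_order(dependencies):
    """Order for taking resources offline: dependents before what they need."""
    return list(reversed(online_order(dependencies)))


def blocked_by(dependencies, failed):
    """Resources that cannot come online while `failed` is offline,
    including indirect dependents."""
    blocked = set()
    changed = True
    while changed:
        changed = False
        for resource, deps in dependencies.items():
            if resource == failed or resource in blocked:
                continue
            if failed in deps or set(deps) & blocked:
                blocked.add(resource)
                changed = True
    return blocked


if __name__ == "__main__":
    print("online :", online_order(PRINT1_DEPENDENCIES))
    print("offline:", offline_order(PRINT1_DEPENDENCIES))
    print("held offline by a failed IP address:",
          sorted(blocked_by(PRINT1_DEPENDENCIES, "IP Address: 192.168.1.108")))
```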

Resource policies are settings that control how resources respond when a failure occurs and how resources are monitored for failures. The Policies tab of a resource’s Properties dialog box is shown in Figure 10.13.


Figure 10.13 Resource Policies

The Policies tab sets configuration options for how a resource should respond in the event of a failure. The options available are as follows:

If Resource Fails, Do Not Restart This option, as it would lead you to believe, leaves the failed resource offline.

If Resource Fails, Attempt Restart on Current Node With this option set, the resource tries to restart if it fails on the node on which it is currently running. There are two additional options if this is selected so that the number of restarts can be limited. They set the number of times the resource should restart on the current node in a specified length of time. For example, if you specify 5 for maximum restarts in the specified period and 10:00 (mm:ss) for the period, the cluster service will try to restart the resource five times during that 10-minute period. After the fifth restart, the cluster service will no longer attempt to restart the service on the active node.

If Restart Is Unsuccessful, Fail Over All Resources in This Service or Application If this option is selected, when the cluster service is no longer trying to restart the resource on the active node, it will fail the entire service or application to another cluster node. If you wanted to leave the application or service with a failed resource on the current node, you would clear this check box.

If All the Restart Attempts Fail, Begin Restarting Again after the Specified Period (hh:mm) If this option is selected, the cluster service will restart the resource at a specified interval if all previous attempts have failed.


Pending Timeout This option is used to set the amount of time in minutes and seconds that the cluster service should wait for this resource to respond to a change in states. If a resource takes longer than the cluster expects to change states, the cluster will mark it as having failed. If a resource consistently takes longer than this timer and the problem cannot be resolved, you may need to increase this value.

The Advanced Policies tab is shown in Figure 10.14.

Figure 10.14 Resource Advanced Policies

The options available on the Advanced Policies tab are as follows:

Possible Owners This option allows an administrator to remove specific cluster nodes from running this resource. Using this option is valuable when there are issues with a resource on a particular node and the administrator wants to keep the applications from failing over to that node until the problem can be repaired.

Basic Resource Health Check Interval This option allows an administrator to customize the health check interval for this resource.

Thorough Resource Health Check Interval This option allows an administrator to customize the thorough health check interval for this resource.

Run This Resource in a Separate Resource Monitor If the resource needs to be debugged by a support engineer, or if the resource conflicts with other resources, this option may need to be used.


Achieving High Availability with Network Load Balancing

Some applications that need to be highly available do not require failover clustering, such as applications based on web services. These applications typically are able to use Network Load Balancing to balance connections across a number of server nodes. This is more easily done with applications that are session-less or have a minimal amount of session data. An NLB cluster load-balances client TCP/IP connections between cluster nodes and does not share any application data between nodes. If application data needs to be shared between cluster nodes, another facility such as replication will need to be used, or the application will need to be able to retrieve this data. This can be accomplished with data replication, accessing data from a centralized location, or other methods.

Network Load Balancing is used both for fault tolerance and for scalability. When it’s used for fault tolerance, a failed node can be removed from the cluster and another node will automatically start servicing requests that were handled by the failed node. In some cases, one server does not have enough resources to handle all of the requests; when this occurs, NLB can be used to spread the connection load across multiple nodes. When NLB is configured this way, it is configured for scalability.

How Does Network Load Balancing Work?

As the name suggests, an NLB cluster uses the network to provide load balancing and redundancy. It is able to accomplish this using a virtual IP address and a virtual media access control (MAC) address that is shared between all of the nodes in the cluster. Client connections are all made to this virtual IP address, as shown in Figure 10.15. When an incoming packet is addressed to the virtual IP address, all of the NLB nodes receive it, but only the appropriate node responds.

When a client request arrives, all hosts simultaneously perform a calculation in order to determine which node should handle the request. The chosen node then accepts and responds to the client request and the other cluster nodes discard it.

If all nodes are configured identically, the same percentage of client requests will be load-balanced to each node; however, this can be customized to match server capabilities. All nodes synchronize their data about which node should respond to each request and which nodes are active members of the cluster. There are a number of significant improvements to NLB in Windows Server 2008 and they are as follows:

• Support for IPv6 addresses.

• Support of Network Driver Interface Specification (NDIS) 6.0 with compatibility with older versions.

• Network Load Balancing can detect and notify applications of excessive load or attack scenarios.

• Rolling upgrades can be done from Windows Server 2003 to Windows Server 2008.


Figure 10.15 Network load balanced cluster

One of the advanced features of Network Load Balancing is the ability to create port rules. Port rules specify how requests to a specific port range are sent to the NLB cluster. This allows you to specify which nodes will receive traffic for specific TCP/IP ports. For example, say you have an NLB cluster consisting of four servers and it needs to load-balance a web server and an FTP site. The website that runs on TCP port 80 can be limited to use only three of the NLB nodes and the FTP server can be set to only run on two nodes of the NLB cluster. This will help reduce the number of nodes the FTP services would impact when under load.

Network Load Balancing Requirements

Failover clusters require that all of the cluster nodes run either the Enterprise or Datacenter edition of Windows Server 2008. Network Load Balancing is a feature that is available in all editions of Windows Server 2008. However, when you’re using x86 editions of Windows Server 2008, the NLB cluster is limited to 8 nodes. When x64 editions of Windows Server 2008 are used, up to 32 nodes can be achieved.

What sort of hardware is required to leverage NLB? The recommended configuration uses two network adapters on each node in the cluster. The primary network adapter is used for client communication and the second network adapter facilitates the communication between the cluster nodes. In some configurations, a single network adapter can be used, but the network hardware must support multicast traffic.

If multicast is chosen, additional network hardware requirements must be taken into consideration. For instance, upstream network hardware might need the multicast MAC address statically entered in the Address Resolution Protocol (ARP) table. This is because some network hardware does not accept an ARP response that resolves unicast IP addresses to multicast MAC addresses. Also, using the Internet Group Management Protocol (IGMP) multicast option enables IGMP support for limiting switch flooding by limiting traffic to Network Load Balancing ports only. This ensures that traffic intended for an NLB cluster passes through only those network ports serving the cluster hosts and not all ports. If standard multicasting is used, switches might require additional configuration to set the ports that are used for the multicast traffic.

Creating an NLB Cluster

The first step in creating an NLB cluster is to prepare each cluster node. In our example, we are going to use two servers, each with two network adapters. The network adapter that will host the load-balanced virtual IP and is used for client connections is renamed Client Network, and the network adapter used for cluster communications is renamed Cluster Network. Last, the Network Load Balancing feature is installed on both servers to prepare for configuration. Exercise 10.6 walks you through creating a simple NLB cluster.

Exercise 10.6

Creating a Network Load Balancing Cluster

Follow these steps to create a network load-balanced cluster:

1. Click Start > Administrative Tools > Network Load Balancing Manager.

2. In the left pane, right-click Network Load Balancing Clusters, and then click New Cluster.

3. In the Host field, type NODEA, and then click Connect.


4. Click Client Network, and then click Next.

5. Click Next to accept the default values for host parameters.

6. Click Add to add a cluster IP address.

7. In the IPv4 address field, type 10.10.0.100.

8. In the Subnet mask field, type 255.255.0.0, click OK, and then click Next.

9. In the Full Internet name field, type webapp.sybex.com.

10. Select Unicast, click Next, and then click Finish.


11. Right-click webapp.sybex.com, and then click Add Host to Cluster.

12. In the Host field, type NODEB, and then click Connect.

13. Click Client Network, and then click Next.

14. Click Next to accept the default values for host parameters, and then click Finish.

Modifying Cluster Properties

As mentioned earlier, port rules modify how traffic is directed to NLB cluster nodes. The filtering mode in a port rule defines how requests are distributed among nodes in the NLB cluster.

You have the following options for filtering modes, as shown in Figure 10.16:

Multiple Host By default, this option is set. It configures all NLB nodes to respond based on the weight assigned to each node. This spreads the load across multiple cluster nodes to increase scalability. If this option is selected, one of the Affinity options also needs to be selected. The higher the weight setting, the more load the node will handle.

Figure 10.16 NLB port rules


Single Host This option, when configured, makes it so only the NLB node with the highest priority responds. If the highest-priority node fails, then the next highest-priority node begins to respond. Sending requests to a single node increases availability but does not increase scalability.

Disable This Port Range This option blocks all packets for this port range. This option is used when the cluster does not run any applications on a specific port range.

The Affinity options, available when the Multiple Host option is selected in the filter, control how requests are distributed to the available cluster nodes. The options for Affinity are as follows:

None When this option is set, any available node can respond to any client request. This is suitable for applications such as static web pages that don’t require state information to be saved. For example, the client may retrieve the first web page from Node A and the second web page from Node B.

Single When this option is set, a single node responds to all requests from a single client IP address. This is required for applications that require authentication, session state, or encryption. This would be important for web applications that have user session variables like shopping carts.

Network When this option is set, a single node responds to all requests from a specific Class C network. This is useful when clients are accessing the NLB cluster from behind a group of proxy servers. This option ensures that a client connection can be maintained to a specific server even when the source IP address varies within the same subnet.
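The three Affinity settings differ in how much of the client's address decides which node answers. The PowerShell sketch below is an added example, not from the book: the node names and client addresses are constructed, and the modulo mapping is a stand-in for NLB's real distribution algorithm, which the text does not describe.

```powershell
# Added illustration: which part of the client address each Affinity setting keys on.
# The character-sum/modulo mapping is a stand-in, NOT the real NLB algorithm.

function Get-AffinityKey {
    param(
        [string]$ClientIp,
        [int]$ClientPort,
        [ValidateSet('None', 'Single', 'Network')][string]$Affinity
    )
    $octets = $ClientIp.Split('.')
    switch ($Affinity) {
        'None'    { return ('{0}:{1}' -f $ClientIp, $ClientPort) }  # source IP and port
        'Single'  { return $ClientIp }                              # source IP only
        'Network' { return ($octets[0..2] -join '.') }              # Class C (/24) prefix only
    }
}

function Get-OwningNode {
    param([string]$Key, [string[]]$Nodes)
    # Same key always yields the same node; different keys may yield different nodes.
    $sum = 0
    foreach ($ch in $Key.ToCharArray()) { $sum += [int]$ch }
    return $Nodes[$sum % $Nodes.Count]
}

# Constructed sample data: two cluster hosts and two users.
# "alice" connects directly; "bob" arrives through three proxies in one /24.
$nodes = 'NODEA', 'NODEB'
$requests = @(
    @{ User = 'alice'; Ip = '198.51.100.7'; Port = 50001 },
    @{ User = 'alice'; Ip = '198.51.100.7'; Port = 50002 },
    @{ User = 'alice'; Ip = '198.51.100.7'; Port = 50003 },
    @{ User = 'bob';   Ip = '203.0.113.20'; Port = 40000 },
    @{ User = 'bob';   Ip = '203.0.113.21'; Port = 40001 },
    @{ User = 'bob';   Ip = '203.0.113.22'; Port = 40002 }
)

# For every affinity mode, list the set of nodes that ends up serving each user.
$results = foreach ($affinity in 'None', 'Single', 'Network') {
    foreach ($user in 'alice', 'bob') {
        $served = $requests |
            Where-Object { $_.User -eq $user } |
            ForEach-Object {
                $key = Get-AffinityKey -ClientIp $_.Ip -ClientPort $_.Port -Affinity $affinity
                Get-OwningNode -Key $key -Nodes $nodes
            } |
            Sort-Object -Unique
        New-Object PSObject -Property @{
            Affinity  = $affinity
            User      = $user
            NodesUsed = ($served -join ',')
        }
    }
}

$results | Select-Object Affinity, User, NodesUsed | Format-Table -AutoSize
```

A user whose NodesUsed column lists more than one node would lose server-side session state between requests; Single pins the direct client to one node, and only Network does the same for the user behind the proxy group.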

When changing port rules for a specific node, make sure the changes are reflected on the other nodes, otherwise the cluster nodes may never complete convergence, which is needed for all the available cluster nodes to work properly.

Managing NLB Clusters

The Network Load Balancing Manager is the graphical interface used to configure and manage NLB clusters, and nlb.exe is the command-line counterpart.

As shown in Figure 10.17, there are five main functions that can be performed on active NLB cluster nodes: Start, Stop, Drainstop, Suspend, and Resume.

These actions are used when managing an NLB cluster. Each of the options has a slightly different function and reason to use:

Start This action starts a stopped NLB cluster node so that it can handle NLB traffic.

Stop This action stops the node temporarily from participating in the cluster and handling NLB traffic.

Drainstop This action stops the node from taking new sessions and then waits for active sessions to end before completely stopping participation in the cluster.


Figure 10.17 Managing an NLB cluster node

Suspend This action is different from Stop because suspending NLB stops NLB on the node and suspends all NLB cluster-control commands on the node except for the resume and query commands.

Resume This action will start NLB on a node that has been suspended.

After the NLB cluster is created and configured, the application also needs to be installed and configured on each server. In the case of a website, it would need to be created on each server and then the content either copied or provided over a network connection to be served.

Summary

High availability is more than just clustering. It is achieved through improved hardware, software, and processes. This chapter focused on how to configure failover clustering and Network Load Balancing (NLB) to achieve high availability and scalability.

High availability should be approached through proper hardware configuration, training, and operational discipline. Failover clustering provides a highly available base for many applications such as databases and mail servers. These clusters require either the Enterprise or Datacenter edition of Windows Server 2008. Network load balanced clusters are used to provide high availability and scalability for network-based applications such as VPNs and web servers. Network load balanced clusters can be configured with any edition of Windows Server 2008.


Exam Essentials

Know how to modify failover and failback settings. These settings are set on the clustered service or application but can be modified by settings on the resources.

Know the hardware requirements for failover clustering and Network Load Balancing. Failover clustering and Network Load Balancing have distinct hardware requirements. Know the differences.

Know which applications work with Network Load Balancing and which ones work in a failover cluster. Failover clustering is required for applications and services such as file services and database servers, and NLB is suited for network and web services. Know the differences.


Review Questions

1. Which of the following editions of Windows Server 2008 can be configured in a failover cluster? (Choose all that apply.)

A. Windows Server 2008 Web Edition

B. Windows Server 2008 Standard Edition

C. Windows Server 2008 Enterprise Edition

D. Windows Server 2008 Datacenter Edition

2. Which of the following editions of Windows Server 2008 can be configured in a Network Load Balancing cluster? (Choose all that apply.)

A. Windows Server 2008 Web Edition

B. Windows Server 2008 Standard Edition

C. Windows Server 2008 Enterprise Edition

D. Windows Server 2008 Datacenter Edition

3. What is the maximum number of nodes that can participate in a Windows Server 2008 failover cluster? (Choose all that apply.)

A. 2

B. 4

C. 8

D. 16

4. Which of the following actions should be performed against an NLB cluster node if maintenance needs to be performed while not terminating current connections?

A. Evict

B. Drainstop

C. Pause

D. Stop

5. What is the maximum number of nodes that can participate in a Windows Server 2008 NLB cluster? (Choose all that apply.)

A. 4

B. 8

C. 16

D. 32


6. Which of the following applications would be better suited on a failover cluster instead of a network load balanced cluster? (Choose all that apply.)

A. SQL Server

B. Website

C. Exchange Mailbox Server

D. VPN Services

7. Which of the following applications would be better suited on a Network Load Balancing cluster instead of a failover cluster? (Choose all that apply.)

A. SQL Server

B. Website

C. Exchange Client Access Server

D. Terminal Services

8. To configure an NLB cluster with unicast, what is the minimum number of network adapters required in each node?

A. 1

B. 2

C. 3

D. 6

9. Which of the following will help improve the mean time between failure of a server? (Choose all that apply.)

A. Use RAID-5 set for data storage.

B. Perform data backup.

C. Install multiple power supplies.

D. Use RAID-0 set for data storage.

10. In a three-node cluster set to a Node Majority quorum model, how many cluster nodes can be offline before quorum is lost?

A. 0

B. 1

C. 2

D. 3

11. In a four-node cluster set to a Node and File Share Majority quorum model, how many votes can be lost before quorum is lost?

A. 1

B. 2

C. 3

D. 4


12. In a six-node cluster set to a No Majority: Disk Only quorum model, how many nodes can be lost before quorum is lost?

A. 3

B. 5

C. 2

D. 1

13. After installing the operating system and configuring the hardware, what is the first step that should be taken to create a failover cluster?

A. Install the Failover Cluster feature.

B. Run the Validate a Configuration Wizard.

C. Install a clustered application.

D. Install the Remote Server Administration Tools.

14. When creating a cluster, after successfully completing the Validate a Configuration Wizard, what next step should be taken?

A. Run the Create a Cluster Wizard.

B. Run the Configure a Service or Application Wizard.

C. Install the application that will be clustered.

D. Reboot each node individually.

15. During a series of troubleshooting events, an administrator evicted one of the cluster nodes. How can the evicted node be made active again in the cluster?

A. The cluster should be deleted and re-created with all required nodes.

B. Reboot all cluster nodes simultaneously to restart the cluster.

C. Use the Add Node Action to add the evicted node.

D. Pause the remaining nodes of the cluster and resume one at a time.

16. You have just created an NLB cluster for a web site. What other steps must be completed so that end users can access the load-balanced web site? (Choose all that apply.)

A. Create a website on each node.

B. Copy or share web content for each node.

C. Create a DNS entry for each node.

D. Create a DNS entry for the NLB cluster IP address.

17. Users that are connecting to an NLB cluster have been complaining that after using the site for a few minutes they are prompted to log in using their username. What should you do to fix the problem and retain scalability?

A. Create a port rule to allow only ports 80 and 443.

B. Set the cluster affinity to None.

C. Set the filtering mode to Single Host.

D. Set the cluster affinity to Single.


18. You have a two-node cluster and have a specific resource that fails often but is not crucial to the functionality. What would you do to keep the resource from causing the entire application to fail over to the other node while still providing redundancy for the application when needed?

A. Remove one node of the possible owners from the cluster nodes.

B. Select the option to run the resource in a separate resource monitor.

C. Unselect the option to allow the resource to fail over the service or application.

D. Select the option to allow the resource to fail over the service or application.

19. You have a custom application with custom resources. Several times when the application has started the resources failed initially and then started later after the disk resource came online. What can be done to make the custom resource start after the disk resource comes online?

A. Increase the pending time-out of the custom resource.

B. Make the custom resource dependent on the disk resource.

C. Make the disk resource dependent on the custom resource.

D. Decrease the pending time-out of the disk resource.

20. If you have a running cluster and need to run the Validate a Configuration Wizard again, which of the following tests may require cluster resources to be taken offline?

A. Network tests

B. Storage tests

C. System Configuration tests

D. Inventory tests


Answers to Review Questions

1. C, D. Only the Enterprise and Datacenter editions of Windows Server 2008 can participate in a failover cluster.

2. A, B, C, D. All editions of Windows Server 2008 can be configured in an NLB cluster.

3. C, D. A Windows Server 2008 cluster consisting of servers running the x64 version can contain up to 16 nodes, whereas a cluster consisting of servers running the x86 version can contain up to 8 nodes.

4. B. Drainstop is the function that allows the current session to end before stopping the cluster on the node. Evict is used to completely remove a node from a failover cluster. Pause is used to keep resources from failing over to a failover cluster node. Stop will immediately end the cluster service on the NLB cluster node, not allowing the current sessions to complete.

5. B, D. A Windows Server 2008 cluster consisting of servers running the x64 version can contain up to 32 nodes, whereas a cluster consisting of servers running the x86 versions can contain up to 8 nodes.

6. A, C. SQL servers and Exchange servers are only supported on failover clusters. Websites and VPN services are network-based services, so they are better suited for NLB clusters.

7. B, C, D. Websites, Exchange Server 2007 Client Access Server, and Terminal Services are all designed to work with NLB clusters. Database servers like SQL do not work on NLB clusters.

8. B. To use unicast communication between NLB cluster nodes, each node must have a minimum of two network adapters.

9. A, C. Using a RAID-5 set for data storage will survive a disk failure and extend the overall MTBF for the server. Also, adding a second power supply can improve MTBF. Performing backup tasks is important but does not improve MTBF. RAID-0 does not provide any protection from failures.

10. B. In a three-node cluster, only one node can be offline before quorum is lost because a majority of the votes must be available to achieve quorum.

11. B. Up to two votes can be lost before quorum is no longer able to be achieved. These votes can come from the file share witness or a cluster node.

12. B. In a No Majority: Disk Only quorum model cluster, quorum is solely based on access to the quorum disk. Therefore, only one cluster node must be online and have access to the quorum disk to obtain quorum.

13. A. To create a failover cluster, the first step is to install the Failover Cluster feature.

14. A. After validating the configuration for a cluster, you should create a cluster. After the cluster is created, the applications can be added. A reboot does not need to be done after completing the validation.


15. C. To add an evicted node back into the cluster, use the Add Node action in the Failover Cluster Management tool.

16. A, B, C. To allow end users to access the website, the first step would be to create a DNS entry for the cluster IP address. Then each node would need a website and content created.

17. D. Setting the cluster affinity to Single will send all traffic from a specific IP address to a single cluster node. Doing this will keep a client on a specific node where the client should not have to authenticate again. Setting the filtering mode to Single would remove the authentication problem but would not distribute the load to other servers unless the initial server were down. This is not a scalable solution. Creating a port rule for 80 and 443 will not change anything since these ports are already working, judging by the fact that users can access the site. Setting cluster affinity to None is probably what the cluster is set to, since there is no preference for keeping a client connected to the same node, which may cause additional login prompts.

18. C. To keep the failed resource from causing the entire application to fail over, this option must be unchecked. Removing the possible owners from the clustered application would keep the application from failover even when needed. Running the resource in a separate resource monitor does not change how it affects the failover of the application.

19. B. To start the custom resource after the disk resource, it should be made dependent on the disk resource. Changing the pending time-out will not have any effect if the resource fails because it only affects resources that take longer to respond.

20. B. The storage tests require the clustered disk resource to be offline. If you need to run the storage tests, the Validate a Configuration Wizard will prompt to make sure you want to take the resources offline.


Chapter 11: Monitoring Windows Server 2008 for High Availability

Microsoft Exam Objectives Covered in This Chapter:

Configure high availability. May include but is not limited to: failover clustering, Network Load Balancing, hardware redundancy


Two of the most potent indicators of availability across your network are the performance of the operating system and its reliability. Performance is most commonly represented by the speed at which certain application and system tasks can be completed and hence also the number of tasks that can be completed in a given period of time. A system’s performance can be significantly determined by its hardware configuration, such as the clock speed of the processor, the access speed of the physical hard disk, and the amount of available memory. Therefore, access to such information is crucial for IT professionals to gauge the availability of the system and to decide on the necessary maintenance tasks, configuration changes, and hardware upgrades, if necessary.

Reliability, on the other hand, is represented by the ability of the system to perform desirably on a consistent basis. Reliability is hindered when applications, services, or drivers fail to run smoothly and, worst of all, when the operating system itself fails. The Windows Reliability and Performance Monitor, event logs, and Task Scheduler are the vital features of Windows Server 2008 that enable IT professionals to monitor and maintain the performance and availability of the systems.

Monitoring Servers Using Performance Data

To monitor the availability of a system across the network, it’s crucial to have access to data relating to the performance and configuration of the system as well as application errors and hardware failures. By using the Windows Reliability and Performance Monitor, IT professionals can get an overview of the major components of the system that affect system availability. These include the utilization of the CPU, the physical hard disk, and network and system memory along with records of key events such as failures and changes to the system configuration.

More importantly, the Windows Reliability and Performance Monitor helps you detect and dissect the cause of performance errors in addition to obtaining performance data. It is also a good tool for tasks such as creating performance baselines and troubleshooting.


The Windows Reliability and Performance Monitor is a Microsoft Management Console (MMC) snap-in that includes the following components (please refer to Figure 11.1):

Resource Overview

Performance Monitor

Reliability Monitor

Data collector sets

Reports

Figure 11.1 Windows Reliability and Performance Monitor main view

The following features are new to the Windows Reliability and Performance Monitor in Windows Server 2008:

Data collector sets

Resource Overview

Reliability Monitor

User-friendly diagnosis reports

Unified property configuration for all data collection, including scheduling

Wizards and templates for creating logs


Working with Data Collector Sets

A data collector set (DCS) is a collection of counters to diagnose and monitor anything related to the operating system and applications. DCS is a new feature and is included with Windows Server 2008 and Windows Vista. In the past, gathering different types of data statistics required extra time because counters needed to be re-created. With DCS, however, counters can be created once and scheduled for running through the use of Task Scheduler. A major advantage of DCSs is that they allow for greater control over performance monitoring and data gathering.

There are three types of data collector sets:

User-defined Created and configured by the user.

System XML data collector set templates that are included with Windows Server 2008 and are saved in Windows\PLA\System.

Event trace sessions Configured for Event Tracing for Windows (ETW).

Before creating a data collector set, make sure one of the following requirements is met:

The logged-on user is part of the Local Administrators group.

The logged-on user is part of the Performance Log Users group. However, please ensure that the user has been assigned the “Log on as a batch job” user right (see Exercise 11.1).

Exercise 11.1 will help you assign the “Log on as a batch job” user right to the Performance Log Users group. Providing the “Log on as a batch job” user right allows users to manage performance logs, counters, and alerts.

Exercise 11.1

Assigning the “Log on as a batch job” User Right

By default, normal users cannot create or manage data collector sets until the “Log on as a batch job” user right has been assigned. To assign the “Log on as a batch job” user right, complete the following steps:

1. Click Start, select Run, type secpol.msc in the Run command dialog, and press Enter. This will open the Local Security Policy snap-in.

2. In the left pane, expand Local Policies, and click User Rights Assignment.

3. In the console pane, right-click Log On as a Batch Job, then click Properties.


4. In the Log On as a Batch Job Properties window, click Add User or Group.

5. In the Select Users or Groups dialog box, click Object Types.

6. In the Object Types dialog box, check Groups and click OK.

7. Return to the Log On as a Batch Job Properties window and click OK.
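To confirm the result of Exercise 11.1 without the GUI, and to review which other accounts hold a right that permits non-interactive scheduled jobs, the added PowerShell example below exports the user-rights area with secedit.exe and lists the holders of SeBatchLogonRight, the policy's internal name for “Log on as a batch job”. It is not from the book; the temp-file name and helper function names are assumptions, and it must be run from an elevated prompt.

```powershell
# Added example: list who holds "Log on as a batch job" (SeBatchLogonRight).
# Run elevated; helper names and the temp-file name are illustrative.

function Get-UserRightHolders {
    param([string[]]$InfLines, [string]$Right)
    # The export contains lines such as:  SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-559
    foreach ($line in $InfLines) {
        if ($line -match "^\s*$Right\s*=\s*(.*)$") {
            return @($Matches[1].Split(',') |
                ForEach-Object { $_.Trim() } |
                Where-Object { $_ })
        }
    }
    return @()   # the right is not assigned to anyone
}

function Resolve-Principal {
    param([string]$Entry)
    # secedit writes SIDs as *S-1-...; plain account names have no asterisk
    if ($Entry -notmatch '^\*(S-1-[0-9-]+)$') { return $Entry }
    $sidText = $Matches[1]
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch {
        return "$sidText (unresolved)"   # orphaned SID: worth investigating
    }
}

# Export only the user-rights section of the local security policy
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "secedit export failed (exit code $LASTEXITCODE); is the prompt elevated?"
}

$entries = @(Get-UserRightHolders -InfLines (Get-Content $cfg) -Right 'SeBatchLogonRight')
Remove-Item $cfg

'Accounts holding "Log on as a batch job":'
$entries | ForEach-Object { '  ' + (Resolve-Principal $_) }

# S-1-5-32-559 is the well-known SID of BUILTIN\Performance Log Users
if ($entries -contains '*S-1-5-32-559') {
    'Performance Log Users holds the right.'
}
else {
    'Performance Log Users does NOT hold the right; repeat Exercise 11.1.'
}
```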

Exercise 11.2 will walk you through creating a new data collector set. Creating new data collector sets allows system administrators to monitor system performance and simplify troubleshooting of server systems.

Exercise 11.2

Creating a Data Collector Set

The first step in collecting performance data automatically through Performance Monitor is to create a data collector set. To create a data collector set, complete the following steps:

1. Open the Reliability and Performance Monitor by clicking Start > Control Panel > Administrative Tools > Reliability and Performance Monitor, or click Start, then select Run, type perfmon.msc in the Run command dialog, and press Enter.

2. In the left pane, expand Data Collector Sets, and select User Defined.


3. Right-click on the area in the right pane and select New Data Collector Set. This launches the Create New Data Collector Set Wizard.

4. Enter a name for the new data collector set and choose between creating it from a template and creating it manually.

The simplest way to create a new data collector set is by using one of the preconfigured templates listed in the Create New Data Collector Set Wizard. The templates are developed based on the most common monitoring scenarios and are included in Windows Server 2008 to inject speed and convenience in performance and availability monitoring. Three preconfigured templates for creating data collector sets are built into Windows Server 2008. The preconfigured templates create the following sets:

Basic In this DCS, user-defined data collectors will be added on by the user.

System Diagnostics This DCS includes predefined data collectors that help the user maximize system performance and streamline system operation. It generates a report of the status of local hardware resources, system response times, and processes on the local computer as well as system information and configuration data.

System Performance Predefined data collectors are included here, which help the user identify possible causes of performance issues. It generates a report of the status of local hardware resources, system response times, and processes on the local computer.


In Exercise 11.3, you’ll create a new data collector set from a template by continuing the steps followed in Exercise 11.2.

Exercise 11.3

Creating a New Data Collector Set from a Template

Continuing from Exercise 11.2, the data collector set will be created based on a template. To create a new data collector set from a template, complete the following steps:

1. In the Create New Data Collector Set Wizard, after entering a name for the data collector set, select Create from a Template and click Next.

2. Choose a template and click Finish to save the data in the default root directory, which is %systemdrive%\perflogs\<User-defined data collector set name>; otherwise, click Next to browse and select the preferred directory or enter the directory name. Please note that if you enter the directory name manually, you must not type a backslash at the end of the directory name.

3. Click Next if the user intends to run the data collector set as a specific user, which can be done by clicking the Change button and entering the username and password of the specific user if it’s different than the default user listed.

4. Click Finish to complete the wizard. The user can select Open Properties for This Data Collector Set to view the properties of the data collector set or select Start This Data Collector Set Now to start the data collection immediately. The user can also select Save and Close to save the data collector set without starting collection.


Members of the Performance Log Users group must configure the newly created data collector sets to run under their own credentials.

Exercise 11.4 shows you how to create a new data collector set manually.

Exercise 11.4

Manually Creating a New Data Collector Set

A data collector set can also be created from scratch, without using a template. To manually create a new data collector set, use the following steps:

1. In the Create New Data Collector Set Wizard, after entering a name for the data collector set, select Create Manually and click Next.

2. To create data logs, select Create Data Logs and then select one or more of the types of logs to be created (Performance Counter, Event Trace Data, and System Configuration Information). Alternatively, select Performance Counter Alert if you do not want to create the data logs above. Click Next. The remaining steps in Exercise 11.4 will vary according to which types of logs are selected in this step.

3. To create Performance Counter data logs, select the performance counters, if any, that will be collected and click Next.

4. To create Event Trace Data logs, select the event trace providers, if any, to be enabled and click Next.

5. To create System Configuration Information data logs, select the Registry keys, if any, to be recorded and click Next.


6. Browse and select the preferred root directory in which the data will be saved if the user is not in favor of using the default root directory of %systemdrive%\perflogs\<User-defined data collector set name>. Click Next.

7. Choose the specific user who will run the data collector set, which can be done by clicking the Change button and entering the username and password of the specific user if it’s different than the default user listed. Select one of the options (Open Properties for This Data Collector Set, Start This Data Collector Set Now, or Save and Close) and click Finish.

Once the data collector sets are created and selected by the user to help keep track of system performance, the data can be stored as logs for future review. The logs can be further managed and organized into schedules by configuring the properties of the data collector sets and by utilizing the built-in Data Manager in the Windows Reliability and Performance Monitor.

A log file is generated automatically by a data collector set. Data management procedures can then be used to configure the storage options for each data collector set. Through data management, the user is able to include information about the log in the filename, choose to overwrite or append data, and limit the file size of individual logs. A Data Manager is included in each data collector set and controls its data management tasks, which consist of conditions/actions, data retention policy, data transfer, and report generation. Once the Data Manager is enabled, a Server Performance Advisor (SPA) overview report is generated to summarize data results upon the completion of data collection.

Before creating logs from a data collector set, make sure the following requirements are met:

The logged-on user is part of the Local Administrators group.

If the logged-on user is not part of the Local Administrators group, the user must be part of the Performance Log Users group. However, please ensure that the user has been assigned the “Log on as a batch job” user right.

At least one data collector set has been created.

In Exercise 11.5, you’ll schedule the Start condition for a data collector set.

Exercise 11.5

Scheduling the Start Condition for a Data Collector Set

A data collector set needs to be started before it collects performance data. To schedule the start condition for a data collector set, complete the following:

1. In the left pane of Windows Reliability and Performance Monitor, expand Data Collector Sets and expand User Defined.

2. Right-click the data collector set to be scheduled, and click Properties.


3. In the Properties window, select the Schedule tab.

4. Click Add to configure a starting date and the day or time for data collection. When a new data collector set is being configured, the starting date must be after the current date and time.

5. If the user wishes to stop the data collection after a certain date, select an expiration date. On a side note, data collection does not stop on the expiration date itself, though new data will not be collected after that date. To further configure how data collection is stopped, select the Stop Condition tab.

6. Click OK when you’re finished.

In Exercise 11.6, you’ll schedule the Stop condition for a data collector set.


Exercise 11.6

Scheduling the Stop Condition for a Data Collector Set

A data collector set needs to be stopped after an interval of time. System performance will be affected if a data collector set runs continuously, especially during busy hours. To schedule the stop condition for a data collector set, use the following steps:

1. In the left pane of Windows Reliability and Performance Monitor, expand Data Collector Sets and expand User Defined.

2. Right-click the data collector set to be scheduled, and click Properties.

3. In the Properties window, select the Stop Condition tab.

4. To stop data collection after a specific time period, select Overall Duration and choose the quantity (Time) and unit (Seconds/Minutes/Hours). However, if data collection is to be done indefinitely, the Overall Duration check box needs to be unchecked.

5. To divide the collected data into separate logs, select “When a limit is reached, restart the data collector set” to specify the desired limits in duration and/or maximum size.

A. Select Duration to specify a time period for data collection to write into a single log.

B. Select Maximum Size, in megabytes (MB), to restart the data collector set or to stop data collection when the limit is reached.

Please note that Overall Duration, if selected, will override limits. If both types of limits are selected, data collection will be stopped or restarted once the first limit is reached.

6. If an overall duration is configured, the user can select “Stop when all data collectors have finished” to enable all data collectors to finish logging the most recent values before the data collector set is stopped.

7. Click OK.

The use of limits to automatically organize logs into segments is recommended because large log files slow down the report generation process.

Managing Logs for a Data Collector Set

As time passes, logs will grow quickly. It is wise to plan and configure the logs before a data collector set is used. In Exercise 11.7, you’ll configure data management for a data collector set.


Exercise 11.7

Configuring Data Management for a Data Collector Set

Every data collector set can have its own data management settings, which allow each data collector set to have its own policies. To configure data management for a data collector set, complete these steps:

1. In the left pane of Windows Reliability and Performance Monitor, expand Data Collector Sets and expand User Defined.

2. Right-click the data collector set to be configured, and click Data Manager.

3. On the Data Manager tab, you can make changes according to the user’s data retention policy. Refer to Table 11.1 for details of each option.

A. When Minimum Free Disk or Maximum Folders is selected, previous data will be deleted according to the selected resource policy (Delete Largest or Delete Oldest) setting as part of the data collector set’s Data Manager tab when the limit is reached.

B. When “Apply policy before the data collector set starts” is selected, previous data will be deleted according to the selected resource policy before the data collector set generates its next log file.

C. When Maximum Root Path Size is selected, previous data will be deleted according to the selected resource policy when the root log folder size limit is reached.

Please note that Resource Policy is used to define how long data can be stored before it is deleted, to save storage space. Resource Policy actions are carried out on a folder basis rather than a file basis.


4. On the Actions tab, you can choose to perform folder actions when specified data manager conditions are met. New actions can be configured by clicking Add, while existing actions can be changed or removed by clicking Edit or Remove. Folder actions enable the user to configure the way in which data is archived before it is permanently deleted according to the resource policy. Refer to Table 11.2 for details of each option.

5. When all the desired changes are made, click OK.

If the user prefers to manage data with folder actions, the user may choose to disable the Data Manager limits.

Table 11.1 lists and describes the data management options available in the Data Manager tab. Data size limitation can be configured on individual data collector sets through this tab.

Table 11.1 Data Management Options Available in the Data Manager Tab

| Option | Description |
| --- | --- |
| Minimum Free Disk | The amount of disk space that is mandatory on the drive where log data is stored. If this option is selected, previous data will be deleted according to the selected resource policy when the limit is reached. |
| Maximum Folders | The number of subfolders that can be included in the data collector set data directory. If this option is selected, previous data will be deleted according to the selected resource policy when the limit is reached. |
| Resource Policy | Specifies whether to delete the largest or oldest folder within the data collector set’s root folder when limits are reached. |
| Maximum Root Path Size | The maximum size of the data directory for the data collector set, including all subfolders. If this option is selected, the minimum free disk and maximum folders limits will be overridden and previous data will be deleted according to the selected resource policy when the root log folder size limit is reached. |
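The following added example (not from the book, and not Microsoft's implementation) models the rules in Table 11.1 so you can predict which log folders a resource policy would purge, for instance to check whether the folder covering an incident window survives. The folder names, sizes, the `None` convention for an unselected limit, and the reading of "limit is reached" as "limit is exceeded" are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LogFolder:
    name: str
    size_mb: int
    age_days: int  # days since the folder was created; larger means older


def apply_resource_policy(folders, policy, free_mb,
                          min_free_mb=None, max_folders=None,
                          max_root_size_mb=None):
    """Return (kept, deleted) after applying the Table 11.1 rules.

    A limit set to None is treated as "not selected" (assumption).
    Deletion works on whole folders, never on individual files.
    """
    if policy not in ("oldest", "largest"):
        raise ValueError("policy must be 'oldest' or 'largest'")

    kept = list(folders)
    deleted = []

    def limit_exceeded():
        if max_root_size_mb is not None:
            # Maximum Root Path Size overrides the other two limits.
            return sum(f.size_mb for f in kept) > max_root_size_mb
        if max_folders is not None and len(kept) > max_folders:
            return True
        return min_free_mb is not None and free_mb < min_free_mb

    while kept and limit_exceeded():
        if policy == "oldest":
            victim = max(kept, key=lambda f: f.age_days)
        else:
            victim = max(kept, key=lambda f: f.size_mb)
        kept.remove(victim)
        deleted.append(victim)
        free_mb += victim.size_mb  # deleting a folder frees its space
    return kept, deleted


def names(folders):
    return [f.name for f in folders]


# Constructed sample data: four log folders under one root folder.
SAMPLE = [
    LogFolder("baseline", 100, 30),
    LogFolder("incident", 500, 10),
    LogFolder("followup", 200, 5),
    LogFolder("latest", 50, 1),
]

if __name__ == "__main__":
    for policy in ("oldest", "largest"):
        kept, deleted = apply_resource_policy(
            SAMPLE, policy, free_mb=10_000, max_folders=2)
        print(policy, "kept:", names(kept), "deleted:", names(deleted))
```

With Maximum Folders set to 2, Delete Oldest keeps the two newest folders, while Delete Largest removes the 500 MB "incident" folder first even though it is not the oldest.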

Table 11.2 lists and describes the data management options available in the Actions tab. Conditions and actions of a data collector set can be configured through this tab.


Table 11.2 Data Management Options Available in the Actions Tab

| Option | Description |
| --- | --- |
| Age | A condition based on the age of the data file, in units of either days or weeks. If the value is 0, the criterion will not be used. |
| Size | A condition based on the size of the folder where the log data is stored in megabytes (MB). If the value is 0, the criterion will not be used. |
| Cab | A cabinet (.cab) file. These archive files can be created from raw log data and extracted to be used when necessary. Choose to create or delete cabinet files based on the age or size criteria. |
| Data | Raw log data collected by the data collector set. The data can be deleted after a cabinet file is created. A backup of the original data will be retained. |
| Report | The report file generated by Windows Reliability and Performance Monitor from raw log data. Report files can be retained even after the raw log data or cabinet file has been deleted. |

Log Data in Performance Monitor

The collected logs in Windows Reliability and Performance Monitor can be viewed as reports or as Performance Monitor data. All of the display options included in real-time monitoring with Performance Monitor can be viewed as log data. New in the Performance Monitor in Windows Server 2008 is the availability of several view modes to facilitate convenient viewing of log data. The three view modes can be selected in the shortcut menu of each data collector listed under the data collector set in the Reports node on the left pane:

Report view: If Data Manager is enabled for the selected data collector set, Report view is available and accessible as the Report option when View is highlighted in the shortcut menu, which is opened by clicking and then right-clicking the data collector set in the Reports node. If Data Manager is disabled, the Report option will be inaccessible. The Data Manager report is a Server Performance Advisor (SPA) report that presents a summary of the logged performance data. The Application Counters section can be expanded to show a summarized view of the Mean, Minimum, and Maximum data values from the data collector. The report is saved as an XML file in the Data Collector Set folder associated with the selected data collector. See Figure 11.2.

Performance Monitor view: If the Performance Monitor view is selected, the Performance Monitor log file is displayed in a line graph by default, with all the configured counters. See Figure 11.3.

Folder view: If the Folder view is selected, the folder containing all the files of the selected data collector set is displayed. See Figure 11.4.

Figure 11.2 Report view of a report generated by a data collector set

Figure 11.3 Performance Monitor view of a report generated by a data collector set

Figure 11.4 Folder view of a report generated by a data collector set

Before viewing log data in Performance Monitor, make sure the following requirements are met:

• The logged-on user is part of the Local Administrators group.

• If the logged-on user is not part of the Local Administrators group, the user must be part of the Performance Log Users group. You must ensure that the user has been assigned the “Log on as a batch job” user right.

• At least one log file is generated from a data collector set.

Exercise 11.8 will show you how to load log data in Performance Monitor.

Exercise 11.8

Loading Log Data in Performance Monitor

Once logs have been created by a data collector set, they need to be loaded into Performance Monitor for viewing by the system administrator. To load the log data in Performance Monitor, please execute the following tasks:

1. In the left pane of Windows Reliability and Performance Monitor, expand Reports and expand User Defined.

2. Expand the data collector set whose log data you will view.

3. Select the log file to view.

4. To change view modes, right-click the log file in the left pane, select View, and select Performance Monitor to display the Performance Monitor view or Folder to display the Folder view.


Exercise 11.9 shows you how to navigate the log view in Performance Monitor.

Exercise 11.9

Navigating the Log View in Performance Monitor

Viewing and using the Log View could be confusing for inexperienced users. To navigate the Log View in Performance Monitor, please execute the following steps:

1. Log data is displayed in a line chart by default. In the chart, the x-axis of the graph represents the total time included in the log.

2. To view a specific time frame in the display, click and highlight a section in the chart, and then click the Zoom button or press Ctrl+Z.

3. Other viewing options are available, and actions can be taken to add performance counters in the log view. For descriptions of the viewing options and actions, refer to the following sections.

Diagnosis Report

Two system reports are built into Windows Reliability and Performance Monitor in order to assess the health of the system and to diagnose issues pertaining to system performance. The System Diagnostics report can be viewed once the required data has been collected.


Before running any data collector set reports, make sure one of the following requirements is met:

• The logged-on user is part of the Local Administrators group.

• The logged-on user starts Windows Reliability and Performance Monitor with elevated privileges.

The System Diagnostics report utilizes the Windows Kernel Trace Provider, which can only be accessed by the Local Administrators Group members.

Exercise 11.10 shows you how to view the system diagnostics report.

Exercise 11.10

Viewing the System Diagnostics Report

The default system reports built into Windows Reliability and Performance Monitor offer a deep level of system diagnostics detail. To view the System Diagnostics report, please execute the following steps:

1. In the left pane of Windows Reliability and Performance Monitor, expand Data Collector Sets and expand System.

2. Right-click System Diagnostics and click Start to begin collecting data.

3. In the left pane, expand Reports, expand System, expand System Diagnostics, and click on a date to view the report, which will appear on the console pane.


The System Diagnostics report collects data for 60 seconds, and an additional 60 seconds may be required for the report to be generated.

View System Stability with Reliability Monitor

The Reliability Monitor (as shown in Figure 11.5) provides an overview of system availability as well as trend analysis with detailed information on events that can affect the overall availability of the system. Data collection for Reliability Monitor begins at the time of system installation. The data is then presented in the form of a chart that can be utilized to identify the applications, drivers, or hardware that are hampering the reliability and availability of the system.

Several categories of events will be recorded in Reliability Monitor:

• Software installations and removals

• Application failures

• Hardware failures

• Windows failures

• Miscellaneous failures

Figure 11.5 Reliability Monitor main view

Several vital features are included in Reliability Monitor: automatic data collection and processing, the System Stability Chart, the Stability Index, and the System Stability Report.

Automatic Data Collection and Processing

Data collection and processing is carried out by Reliability Monitor through the Reliability Analysis Component (RAC). Data is automatically gathered by the availability analysis metrics calculation executable (racagent.exe), which processes the data based on its analysis, aggregation, and correlation of user disruptions in the operating system, programs, and services into availability metrics.

The availability analysis metrics calculation executable runs as a hidden scheduled task named RACAgent to collect specific events from the event log. The RACAgent task runs hourly and processes the acquired data daily.

The availability index number that is generated after data processing by the RACAgent task varies on a scale from 0 to 10, with 0 representing the least reliable and 10 representing the most reliable. The availability index, as well as the results of the event tracing, is then displayed in the System Stability Chart in the Windows Reliability and Performance Monitor.

System Stability Chart

The System Stability Chart is presented in the Reliability Monitor window together with a calendar control that can be used to select the time range to view. The System Stability Chart can be used to assess the consistency of system availability within a certain time period, as represented by the consistency of the availability index. System availability and availability events of up to one year will be displayed in the System Stability Chart.

Stability Index

As mentioned previously, reliability/availability of the system is translated into the form of ratings and is represented by the Stability Index. The index, which ranges from 0 to 10, is generated according to the data that is gathered and processed by Reliability Monitor.

Reliability Monitor traces every instance of user disruptions and remembers the number of occurrences each day over a 28-day rolling window period, with the latest day of the rolling window being the current day. Before data collection of 28 days is completed, the Stability Index is displayed as a dotted line in the System Stability Chart as it has yet to establish a valid baseline for calculation. A real number with two decimal places is used as the Stability Index.

System Stability Report

The System Stability Report found below the System Stability Chart in the Reliability Monitor window contains the details of the events of the selected date or date range. The report details the application, driver, or other system component that is affecting the system availability index. The report can be used to identify changes in system state that may contribute to system unavailability.


The data files that are created and accessed by the Reliability Monitor are stored in the following folders:

\ProgramData\Microsoft\RAC\PublishedData

\ProgramData\Microsoft\RAC\StateData

When the files in the two folders are deleted, Reliability Monitor will be reset to its default state with no availability information displayed. The files will be re-created with current availability information once the RACAgent schedules its next task run.

The data presented in the default and time-specific views of Reliability Monitor are taken from HTML pages that are created by Reliability Monitor before it displays a particular view. The HTML files, named Rmo(4-digit random number).tmp.htm, are created in the \Users\<username>\AppData\Local\Temp folder. The files can be used for trend analysis.

The HTML files will be automatically deleted once Reliability Monitor is closed. Also, trend analysis is a method to determine and compare the system availability over a time period. It can also be used to determine the Service Level Agreement (SLA) of the systems.

Availability

Before viewing system availability with Reliability Monitor, make sure the following requirements are met:

• The computer has been running for a minimum of 24 hours since the installation of the operating system.

• The RACAgent scheduled task is running. The task runs by default unless it is manually stopped or disabled.

In Exercise 11.11, you’ll view system availability with Reliability Monitor.

Exercise 11.11

Viewing System Availability in Performance Monitor

It is possible to get a quick overview of system availability through Performance Monitor. To view system availability in Performance Monitor, please execute the following steps:

1. In the left pane of Windows Reliability and Performance Monitor, expand Monitoring Tools and click Reliability Monitor.

2. View the System Stability Chart on the top half of the console pane, or expand the sections of the System Stability Report below the chart. Refer to the following sections for descriptions of the viewing options and actions.


The following points will help you make sense of the System Stability Chart:

• The date range is represented by the x-axis, while the Stability Index number is represented by the y-axis.

• If more than 30 days of data have been recorded, the scroll bar at the bottom of the chart can be used to navigate to the desired date or period if it’s not visible by default.

• Within the System Stability Chart, as seen below, records of events that disrupt the availability of the system, as well as installations and removals of software, are presented in five rows of information.

The following points will help you understand the System Stability Report:

• When all dates are selected, the reports are sorted first by date in descending order and then by the application or driver name in ascending alphabetical order. When a single date is selected, the reports are sorted by the application or driver name in ascending alphabetical order.

• The reports are based on specific event data that is organized into the following categories: System Clock Changes, Software (Un)Installs, Application Failures, Hardware Failures, Windows Failures, and Miscellaneous Failures.

System Clock Changes

Significant changes to the system clock are recorded in this category. Information on clock changes is available only if at least one major clock change has been made on the system. Table 11.3 details the information available in the System Clock Changes report.


Table 11.3 Information in the System Clock Changes Report

| Data Type | Description |
| --- | --- |
| Old Time | Specifies the previous date and time before the clock change. |
| New Time | Specifies the selected date and time during the clock change. |
| Date | Specifies the date in which the clock change is made. |

The System Clock Changes category appears in the System Stability Report only when a date in which a significant clock change has occurred is selected. Any date that records a significant clock change will be indicated by an information icon on the System Stability graph.

Software (Un)Installs

Installations and removals as well as configuration changes and updates of applications, drivers, system components, and Windows Updates are recorded in this category. Table 11.4 details the information available in the Software (Un)Installs report.

Table 11.4 Information in the Software (Un)Installs Report

| Data Type | Description |
| --- | --- |
| Software | Specifies name of the operating system, the affected application, the affected driver, or the affected Windows Update. |
| Version | Specifies the operating system, application, or driver version. This field is not applicable to Windows Updates. |
| Activity | Indicates whether the event is an installation or removal (uninstall). |
| Activity Status | Indicates whether the event is a success or a failure. |
| Date | Specifies the date of the installation or removal. |

Application Failures

Application hangs and crashes, including the termination of a nonresponding application, are recorded in this category. Table 11.5 lists the information listed in the Application Failures report.


Table 11.5 Information in the Application Failures Report

| Data Type | Description |
| --- | --- |
| Application | Specifies the name of the executable file of the failed application. |
| Version | Specifies the version number of the failed application. |
| Failure Type | Indicates whether the application stopped responding or stopped working. |
| Date | Specifies the date on which application failure occurred. |

Hardware Failures

Disk and memory failures are recorded in this category. The information available in the Hardware Failures report is listed in Table 11.6.

Table 11.6 Information in the Hardware Failures Report

| Data Type | Description |
| --- | --- |
| Component Type | Indicates whether the failure occurred in the hard drive or the memory. |
| Device | Specifies the failed device. |
| Failure Type | Indicates whether the failure is caused by a bad disk or by faulty memory. |
| Date | Specifies the date on which the hardware failure occurred. |

Windows Failures

Operating system boot failures, crashes, and sleep failures are recorded in this category. Information listed in the Windows Failures report appears in Table 11.7.

Table 11.7 Information in the Windows Failures Report

| Data Type | Description |
| --- | --- |
| Failure Type | Indicates whether the event is a boot failure or an operating system crash. |
| Version | Specifies the version number of the operating system and service pack. |
| Details | Indicates whether the event is an operating system failure, a boot failure, or a sleep failure. An operating system failure is indicated by the stop code, a boot failure is indicated by the reason code, and a sleep failure is indicated by the component veto or failure to enter hibernation. |
| Date | Specifies the date on which the Windows failure occurred. |

Miscellaneous Failures

Unexpected system shutdowns as well as other system failures that do not fall under previous categories are recorded in this category. Table 11.8 lists the information available in the Miscellaneous Failures report.

Table 11.8 Information in the Miscellaneous Failures Report

| Data Type | Description |
| --- | --- |
| Failure Type | Indicates an event of disruptive shutdown. |
| Version | Specifies the version number of the operating system and service pack. |
| Failure Detail | Indicates an event in which the computer is not shut down normally. |
| Date | Specifies the date on which the miscellaneous failure occurred. |

Monitoring Servers Using Event Logs

Like performance and reliability monitoring, the Windows Eventing features that are available in Windows Server 2008 are used by IT professionals to gather essential information on the state of the hardware, the software, and the system as a whole. While the Performance and Reliability Monitor provides IT professionals with statistics and real-time information on system availability, the Event Viewer provides users with in-depth information and detailed logs of events affecting system health.

Event Viewer is used to browse and manage event logs, which contain information on hardware and software problems as well as security events of the system. Event Viewer is thus a valuable tool for troubleshooting issues pertaining to system availability and performance. To see what the Event Viewer looks like, see Figure 11.6.


In Windows Server 2008, the Event Viewer enables access to component-specific logs that mostly contain operational, analytic, and debug events that are non-administrative. The non-administrative events, which are usually non-actionable and more verbose, are included for the purpose of tracing normal operations and obtaining more details on potential problems.

Administrative events are still usually logged in the application or system log. However, cases in which significant volumes of administrative events are associated with certain components or applications will lead to such events being logged in separate component-specific administrative logs.

Unlike in previous Windows Server versions, the Event Viewer in Windows Server 2008 is easier to navigate while packing more detailed information and providing easier filtering of events. The updated Windows Eventing 6.0 event log service in Windows Server 2008 is aimed at providing the following services for administrators, developers, and IT professionals:

• Custom views of event logs

• Forwarding events using industry-standard protocols

• Local and remote subscription to events

• Query and selection of events for analysis, diagnostics, and monitoring

Figure 11.6 Event Viewer

Using wevtutil.exe to Manage Event Logs

Event logs in Windows Server 2008 are divided into two main categories: Windows logs and application and services logs. Apart from the Event Viewer, the wevtutil.exe command-line tool can also be used to manage event logs. If wevtutil.exe is used to manage event logs, the user has to be aware that the messages in wevtutil.exe might refer to event logs as channels. The following list describes the logs that are built into Windows Server 2008.

Windows logs: Windows logs are directed to store events from legacy applications and events that apply to the entire system. The Windows Logs category in Event Viewer includes the following logs:

Application log: The application log comprises events logged by applications or programs. For example, a database program might record a file error in the application log, while program developers would decide which events to log.

Security log: The security log consists of events such as valid and invalid logon attempts as well as events related to resource use, such as creation, deletion, and opening of files or other objects. For example, the assignment of special privileges to a newly logged-on user is recorded in the security log.

Setup log: The setup log comprises events related to application setup.

System log: The system log includes events logged by Windows system components, and the event types are predetermined by Windows. For example, failure of the print spooler to reopen an existing connection is recorded in the system log.

Forwarded events log: The forwarded events log is made up of events collected from remote computers.

Application and services logs: Application and services logs contain events from a single application or component rather than events that affect the entire system. The Application and Services Logs category in Event Viewer includes the following types of logs:

Admin: Admin logs comprise events that indicate the problems and well-defined solutions that an administrator can act on. The events are either well documented or come with direct instructions of what must be done to rectify the problem. Error and warning events, for example, are always logged in an admin log, and information events that indicate a service’s return to a healthy state can also be recorded in an admin log.

Analytic: Analytic logs are made up of events that are used in problem diagnosis or performance analysis. Analytic logs provide information on program operation and indicate problems that cannot be handled by user intervention. They are also known as trace logs and are mainly disabled by default.

Debug: Debug logs include events that are used by developers for troubleshooting purposes. Debug logs are hidden and disabled by default.


Operational Operational logs are typically made out of private logs in which compo-nents can log events that are helpful for troubleshooting or launching automated actions. Operational logs are normally used to analyze or diagnose a problem or occurrence. Most information events are recorded in operational logs, which are enabled by default.

Within every log category in Event Viewer are subcategories of event attributes that enable administrators and tools to filter the events and automate tasks. The event attributes are as follows:

Level The Level column indicates whether the event was critical, an error, a warning, or a routine action presented as information.

Keyword Keyword refers to the set of categories or tags that can be used to filter or search on events. Keywords are assigned to security logs which, unlike other logs, are not categorized by levels.

Date and Time The Date and Time column indicates the date and time at which the event occurred.

Source Source refers to the name of the component that published the event.

Event ID Event ID refers to the numeric ID unique to a specific event or source.

Configuring Computers to Forward and Collect Events

Before events can be collected and organized in the computer, subscriptions to events have to be made, and before subscriptions can be made, the collecting computer as well as each computer from which events will be collected has to be configured.

To learn how to configure computers to forward and collect events, see Exercise 11.12.

Exercise 11.12

Configuring Computers to Forward and Collect Events

Before event forwarding and collection can work, both the forwarding and the collecting computers need to be configured. To configure computers to forward and collect events, please execute the following steps:

1. Log on to the collecting computer and all source computers. It is recommended that a domain account with administrative privileges is used to perform the tasks.

2. On each source computer, click Start, select Run, and type cmd in the Run command dialog. Then press Enter to open the command prompt.

3. In the command prompt, type winrm quickconfig and press Enter. Please note that if the user intends to specify an event delivery optimization of Minimize Bandwidth or Minimize Latency, this command must also be run on the collecting computer.

4. On the collecting computer, open the command prompt, type in wecutil qc, and press Enter.

5. On each source computer, add the account of the collecting computer to the Administrators group.

6. The computers are now configured to forward and collect events.

Running winrm quickconfig will set the startup type for both services Windows Remote Management (WinRM) and Windows Event Collector (Wecsvc) to Automatic. Both of these services are needed for forwarding/collecting of events to work.

In addition to the steps in Exercise 11.12, there are a number of considerations that the user has to take note of. When working in a workgroup environment, there are several additional steps and considerations:

• A Windows Firewall exception for Remote Event Log Management has to be added on each source computer.

• An account with administrator privileges must be added to the Event Log Readers group on each source computer. The account must be specified in the Configure Advanced Subscription Settings dialog when a subscription is created on the collecting computer.

• On the collecting computer, type winrm set winrm/config/client @{TrustedHosts="<sources>"} in the command prompt to allow all source computers to use NTLM authentication when communicating with WinRM on the collecting computer. The names of all the participating source computers in the workgroup, separated by commas, are entered in place of <sources>. Alternately, wildcards can be used to match the names of all the source computers. This command is run only once. For more information on this command, type winrm help config in the command prompt.

• Only Normal mode (Pull) subscriptions can be used.

To specify a user account by using the Specific User option in Advanced Subscription Settings when adding a subscription, you must ensure that the user account is part of the local Administrators group on each of the source computers in step 4. Alternately, the Windows Event Log command-line utility can be used to grant account access to individual logs. For more information on the command-line utility, type wevtutil sl -? in the command prompt.

If a subscription is configured to utilize the HTTPS protocol by using the HTTPS option in Advanced Subscription Settings, corresponding Windows Firewall exceptions for port 443 must be set. For a subscription that uses Normal delivery optimization (PULL mode), the exception must be set only on the source computers. For a subscription that uses Minimize Bandwidth or Minimize Latency delivery optimization (PUSH mode), the exception must be set on source computers and the collecting computer.

Reading Events through Custom Views

Event Viewer in Windows Server 2008 has increased the number of events that are logged. This poses a challenge when searching through the many events that are logged.

Because Event Viewer is now XML based, searching through events can be made easier by creating custom views. Custom views filter events so that users see only the events they are interested in.

Windows Server 2008 by default has an Administrative Events custom view. If server roles are installed, each one will have its own custom view automatically created by Windows Server 2008. See Figure 11.7.

Figure 11.7 Administrative Events custom view

There are two ways to filter events: filter the current log or create a custom view. Exercise 11.13 explains the steps required to filter events within a specific log in Event Viewer.

Exercise 11.13

Filtering Only Informational Events in the Current Log

Finding useful information from a comprehensive log will take a lot of time, and it would be more productive to only show the needed logs. To show only the informational events, please execute the following steps:

1. Open up the event log that needs to be filtered.

2. With the event log displayed on the screen, under the Actions pane, select Filter Current Log.

3. The Filter Current Log window appears. Filter Current Log supports filtering based on time, event level, event logs, event sources, event IDs, task category, keywords, user, and computers.

4. When you click OK, Event Viewer will show only the informational events.

Events can also be filtered through XML’s XPath. XPath is a language for finding information in an XML document. XPath is used to navigate through elements and attributes in an XML document. For more information about XPath, see http://msdn.microsoft.com/en-us/library/ms256115.aspx and www.w3.org/TR/xpath.
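As an added example (not from the book), the Python code below builds the XPath selector and structured XML query that correspond to the Filter Current Log choices in Exercise 11.13 and applies the same criteria to a few event records. The function names, the sample events and the source names ExampleService and OtherSource are constructed for the illustration.

```python
import xml.etree.ElementTree as ET

# Namespace used by event records rendered as XML.
EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Numeric values stored in the System/Level element of an event.
LEVELS = {"Critical": 1, "Error": 2, "Warning": 3, "Information": 4, "Verbose": 5}

# Constructed sample records (abbreviated System section, made-up sources and IDs).
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="ExampleService"/><EventID>7036</EventID><Level>4</Level>
<Channel>System</Channel></System></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="ExampleService"/><EventID>7000</EventID><Level>2</Level>
<Channel>System</Channel></System></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="OtherSource"/><EventID>12</EventID><Level>0</Level>
<Channel>System</Channel></System></Event>
</Events>"""


def level_values(levels):
    """Translate level names to numbers; level 0 is shown as Information too."""
    values = []
    for name in levels:
        values.append(LEVELS[name])
        if name == "Information":
            values.append(0)
    return values


def build_xpath(levels=(), event_ids=(), source=None):
    """Return the XPath selector for the chosen levels, event IDs and source."""
    parts = []
    if source is not None:
        # A quote in the name would end the XPath string literal early.
        if "'" in source or '"' in source:
            raise ValueError("quote characters are not allowed in a source name")
        parts.append("Provider[@Name='%s']" % source)
    if levels:
        parts.append("(" + " or ".join("Level=%d" % v for v in level_values(levels)) + ")")
    if event_ids:
        parts.append("(" + " or ".join("EventID=%d" % int(i) for i in event_ids) + ")")
    if not parts:
        return "*"
    return "*[System[" + " and ".join(parts) + "]]"


def build_query_list(log, xpath):
    """Wrap the selector in the XML query form used for filters and custom views."""
    query_list = ET.Element("QueryList")
    query = ET.SubElement(query_list, "Query", Id="0", Path=log)
    select = ET.SubElement(query, "Select", Path=log)
    select.text = xpath
    return ET.tostring(query_list, encoding="unicode")


def filter_events(xml_text, levels=(), event_ids=(), source=None):
    """Apply the same criteria to event XML; return (source, event ID, level) tuples."""
    wanted_levels = set(level_values(levels))
    wanted_ids = {int(i) for i in event_ids}
    hits = []
    for event in ET.fromstring(xml_text).iter(EVT + "Event"):
        system = event.find(EVT + "System")
        provider = system.find(EVT + "Provider").get("Name")
        event_id = int(system.findtext(EVT + "EventID"))
        level = int(system.findtext(EVT + "Level"))
        if source is not None and provider != source:
            continue
        if wanted_levels and level not in wanted_levels:
            continue
        if wanted_ids and event_id not in wanted_ids:
            continue
        hits.append((provider, event_id, level))
    return hits


if __name__ == "__main__":
    xpath = build_xpath(levels=["Information"])
    print(build_query_list("System", xpath))
    for hit in filter_events(SAMPLE_EVENTS, levels=["Information"]):
        print(hit)
```
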

The second method for displaying events is through custom views. Custom views can be very useful for administrators because they speed up the troubleshooting process. However, it is best to have fewer than 30 custom views or productivity could be decreased.

The Create Custom View window allows the same filtering of data. To create a custom view, complete Exercise 11.14.

Exercise 11.14

Creating a Custom View

If flexibility in filtering logs is needed, it can be accomplished through the use of a custom view. To create a custom view, please execute the following steps:

1. In Event Viewer, in the navigation pane, right-click on Custom Views, and select Create Custom View.

2. The Create Custom View window appears. As with the Filter Current Log feature, Create Custom View also supports event filtering based on time, event level, event logs, event sources, event IDs, task category, keywords, user, and computers.

3. Specify a name and a description (optional) of the custom view and click OK.

4. A new custom view is now created and is shown in the navigation pane.

Monitoring Using Task Scheduler

Task Scheduler enables the user to perform automated tasks on the system. In this scenario, Task Scheduler is used by IT professionals to monitor server performance by configuring system assessment tasks that will run automatically.

Task Scheduler maintains a collection of all scheduled tasks in the Task Scheduler Library presented in an organized view. The user can use Task Scheduler to run, disable, modify, and delete tasks. Any program can be scheduled to run at any time or when a specific event occurs. The selected time and event criteria are monitored by the Task Scheduler, which will execute the task when the criteria are met. See Figure 11.8.

Figure 11.8 Task Scheduler

Task Scheduler in Windows Server 2008 is loaded with improvements in the following key areas:

User interface A new Task Scheduler user interface based on the Microsoft Management Console (MMC) is presented in Windows Server 2008. The interface is enhanced with a number of new conditions and filters that are helpful for administrators in defining and managing scheduled tasks.

Administrative Task status monitoring has been improved with detailed failure reporting and comprehensive task history. Status feedback has also been significantly improved. An email that includes the complete runtime history of an event can be sent to the administrator in the event of a failure. The complete history of executed scheduled tasks, as well as the list of currently running tasks, can be easily accessed and reviewed by the administrator at any time. Tasks can also be run and stopped on demand.

The Task Scheduler API is now fully available to scripting languages, which is extremely helpful for administrators in scripting complex tasks.

Platform and manageability Hosting and activation of troubleshooters and other corrective actions are now enabled with the use of Task Scheduler. Periodic data collection has been implemented in order to improve event detection. Quotas may now be assigned in task process prioritization. Computer resources are more efficiently utilized because tasks are activated based on a true idle state, which is defined by CPU, memory, and I/O usage; user presence; and non-presentation mode.

Scheduling The time-based task launch has been improved with enhanced scheduling options as well as higher granularity. In a noticeable improvement, the user is now allowed to chain a series of actions together as opposed to creating multiple scheduled tasks one by one.

Tasks can be scheduled on demand for execution when a specific event is logged to an event log. Scheduled tasks can be configured to run when the computer is idle or to wake a computer from sleep or hibernation. Previously scheduled tasks can also be executed when a powered-down computer is turned back on.

Scalability has also been improved as limitations on the number of registered tasks have been removed and multiple instances of a task have been allowed to run in parallel or in sequence.

Security New security features are represented by the ability to securely store passwords needed for running tasks with the use of Credentials Manager and the ability to run Service for User (S4U) for scenarios such that passwords do not need to be stored at all.

To further strengthen security, scheduled tasks are now executed in separate sessions instead of the same session as the current user or system services. Therefore, system tasks are executed in the system session (session 0), while user tasks are executed in the user’s session. Separate per-user credentials are required for Winstations and desktops.

Scheduling a Task

A task can be scheduled either by creating a basic task with the Create Basic Task Wizard or by creating a task manually by supplying task information in the Create Task dialog box. A task can also be scheduled by using a command line.

If the Create Basic Task Wizard is used, most of the task properties will be set according to default values and the trigger for the task will be chosen from the most commonly used triggers.

To use a wizard to schedule a basic task, complete Exercise 11.15.

Exercise 11.15

Scheduling a Basic Task by Using a Wizard

In Windows Server 2008, a basic task is scheduled through a step-by-step wizard. To schedule a basic task using a wizard, please execute the following steps:

1. Start Task Scheduler by clicking Start > Control Panel > Administrative Tools and then double-clicking Task Scheduler.

2. In the left pane, select the task folder in which the new task is to be created.

3. In the Actions pane on the right, click Create Basic Task.

4. Type a name for the task and a description, if required, and then click Next.

5. Select a trigger to determine when the task will start, and then click Next. Refer to Table 11.9 for more information on trigger options.

6. If prompted, fill in the details for the selected trigger. If not, skip to the next step.

7. Select an action to be performed by the task. The options are Start a Program, Send an E-Mail, and Display a Message. Then click Next.

8. Fill in the details for the selected action, and then click Next.

9. Confirm the details of the task in the summary, and then click Finish.

A new task folder can be created if existing folders are not going to be used. To create a new task folder, click Action on the main menu; then click New Folder and enter a name before clicking OK.

To see a listing of triggers for a task, see Table 11.9.

Table 11.9 Triggers for a Task

Trigger Name | Description
On a schedule | Runs the task according to a specified schedule. Options are available to schedule the tasks to run one time or on a daily, weekly, or monthly schedule. The time that is set by the user is relative to the time zone that is set on the computer that runs the task. If a set of tasks is to be scheduled to run simultaneously in multiple time zones, the Universal check box has to be selected because the time needs to be made relative to Coordinated Universal Time (UTC). The UTC abbreviation corresponds to the French version of the term.
At log on | Runs the task when a user logs on to the computer. Options are available to specify whether the task will be triggered when any user logs on or when a specific user or user group member logs on to the computer.
At startup | Runs the task when the computer starts up.
On idle | Runs the task after the computer enters an idle state. The idle settings can be configured on the Conditions tab in the Create Task or Task Properties dialog box.
On an event | Runs the task when specific event entries are added to an event log. Basic and custom options are available to configure the trigger settings. If basic settings are chosen, the task will be triggered by a single event from a specific event log. If custom settings are chosen, the task will be triggered by events matched by a specified custom event viewer query or XML event query.
At task creation/modification | Runs the task as soon as it is created or modified.
On connection to user session | Runs the task when a user session is connected from a local computer or from a remote desktop connection. Options are available to specify whether the task will be triggered when any user connects to a user session or when a specific user or member of a specific user group connects.
On disconnect from user session | Runs the task when a user session is disconnected from a local computer or from a remote desktop connection. Options are available to specify whether the task will be triggered when any user disconnects from a user session or when a specific user or member of a specific user group disconnects.
On workstation lock | Runs the task when the computer is locked. Options are available to specify whether the task will be triggered when any user or when a specific user or member of a specific user group locks the computer.
On workstation unlock | Runs the task when the computer is unlocked. Options are available to specify whether the task will be triggered when any user or when a specific user or member of a specific user group unlocks the computer.

Exercise 11.16 shows you how to schedule a task manually by using the Windows interface.

Exercise 11.16

Scheduling a Task Manually by Using the Windows Interface

Advanced users who want a fast and straightforward way to schedule a task can do so without the wizard. To schedule a task manually using the Windows interface, please execute the following steps:

1. Start Task Scheduler.

2. In the left pane, select the task folder in which the new task is to be created.

3. In the Actions pane on the right, click Create Task. The Create Task dialog box opens.

4. On the General tab, type a name and, optionally, a description for the task, and specify the desired Security options.

5. On the Triggers tab, click the New button to add a trigger for the task.

6. On the Actions tab, click the New button to add an action for the task.

7. (Optional) On the Conditions tab, specify conditions for the task.

8. (Optional) On the Settings tab, change the settings for the task.

9. Click OK.

To schedule a task by using a command line, complete the steps in Exercise 11.17.

Exercise 11.17

Scheduling a Task Manually by Using the Command Line

Task scheduling can be scripted by using the command line. To schedule a task manually using the command line, please execute the following steps:

1. Click Start, select Run, type cmd in the Run command dialog, and then press Enter to open the command prompt.

2. Type the following command:

schtasks /Create [/S <system> [/U <username> [/P [<password>]]]]
    [/RU <username> [/RP <password>]] /SC <schedule> [/MO <modifier>] [/D <day>]
    [/M <months>] [/I <idletime>] /TN <taskname> /TR <taskrun> [/ST <starttime>]
    [/RI <interval>] [ {/ET <endtime> | /DU <duration>} [/K] [/XML <xmlfile>] [/V1]]
    [/SD <startdate>] [/ED <enddate>] [/IT] [/Z] [/F]

3. To view the help topics for this command, type the following command:

schtasks /Create /?

Refer to the section “Using the Command-Line Tool Schtasks.exe” for information on the Schtasks.exe command line tool.

Managing a Task

Task management and monitoring is made simple in the Task Scheduler with options to display all running tasks, export tasks, import tasks, and view task history. When you open Task Scheduler in Windows Server 2008, you’ll see detailed task information next to all the tasks. Status and last run results will also be shown so administrators would be able to identify problems immediately.

Exercise 11.18 shows you how to display and/or end running tasks.

Exercise 11.18

Displaying All Running Tasks

Monitoring running tasks can be done through task manager. To display all running tasks, please execute the following steps:

1. Start Task Scheduler.

2. In the Actions pane on the right, click Display All Running Tasks. The All Running Tasks window opens.

3. To manually refresh the display, click the Refresh button.

4. To stop one or more tasks on demand, select the running task(s) and click the End Task button.

Tasks can be saved and exported to an XML file and then imported when necessary, on either the same computer or on a different computer. The portability of tasks is enhanced by this feature. Exercise 11.19 shows you how to export tasks.

Exercise 11.19

Exporting Tasks

Migration or backing up of tasks could be done by exporting the tasks from task manager. To export tasks, please execute the following steps:

1. Start Task Scheduler.

2. In the console pane in the center, right-click the task to be exported and select Export.

3. Browse for a location in which to save the file, type a name for the file, and then click Save.

Tasks that have been exported can be easily imported to the same computer as well as to another computer (see Exercise 11.20).

Exercise 11.20

Importing Tasks

If tasks need to be imported into a newly built or existing server, it could be done through task manager. To import tasks, please execute the following steps:

1. Start Task Scheduler.

2. Under the Task Scheduler Library in the left pane, right-click the desired task folder and select Import Task.

3. Browse for the location in which the XML file is stored, select the file, and click Open.

On the History tab of a task in Task Scheduler, all known events for that task are displayed, allowing you to quickly view the previous status and running time. Only events related to the currently selected task will be displayed. There is no longer a need to review the Task Scheduler event log for individual events from specific tasks.

In Exercise 11.21, you’ll view the history of a task.

Exercise 11.21

Viewing the History of a Task

Monitoring of the past history of a task is important when it comes to server auditing. To view the history of a task, please execute the following steps:

1. Start Task Scheduler.

2. In the left pane, select the task folder that contains the task you want to view.

3. In the console pane in the center, select the task.

4. Click the History tab to view the history of the task. In the history list, select an event to view the event description.

Managing or Creating a Task on a Remote Computer

You can use the Task Scheduler interface to connect to a remote computer and create and manage tasks. The name or IP address of the remote computer must be specified. The user credential that is used to connect to a remote computer must be part of the Administrators group on the remote computer.

If the computer you will be connected to is running Windows Server 2008 or Windows Vista, the Remote Scheduled Tasks Management firewall exception must be enabled on the remote computer. If the computer you will be connected to is running Windows Server 2003 or Windows XP, the File and Printer Sharing firewall exception must be enabled on the remote computer.

Exercise 11.22 shows you how to manage and create a task on a remote computer.

Exercise 11.22

Managing or Creating a Task on a Remote Computer Using Task Scheduler

Task Scheduler can be managed remotely, without logging on to the console or working on-site. To manage or create a task on a remote computer using Task Scheduler, please execute the following steps:

1. Start Task Scheduler.

2. In the left pane, select Task Scheduler.

3. In the Actions pane on the right, click Connect to Another Computer. The Select Computer dialog box opens.

4. In the Select Computer dialog box, select Another Computer.

5. Enter the name or IP address of the remote computer in the text box or click Browse to search for a remote computer.

6. (Optional) You can use credentials other than those for the current user to connect to the remote computer. Select the Connect as Another User check box and click Set User. Enter the username and password.

7. When the remote computer is specified, click OK.

8. Once the remote computer is connected, you can manage and create tasks by using the same procedures that are performed on a local computer.

Exercise 11.23 shows you how to manage or create a task on a remote computer by using the command line.

Exercise 11.23

Managing or Creating a Task on a Remote Computer Using the Command Line

An alternative method of managing or creating a task on a remote computer is to use the command line. To manage or create a task on a remote computer using the command line, please execute the following steps:

1. Click Start, select Run, and type cmd in the Run command dialog and then press Enter to open command prompt.

2. Use the Schtasks.exe tool to manage or create a task. Specify the name or IP address of the remote computer in the /S system argument, the username that is used to connect to the remote computer in the /U username argument, and the password for the user in the /P password argument. Refer to the following section for information on the Schtasks.exe command-line tool.

3. To view the help topics for this command, type the following:

schtasks /Create /?
schtasks /Run /?
schtasks /End /?
schtasks /Delete /?
schtasks /Change /?

Using the Command-Line Tool Schtasks.exe

Schtasks.exe is the command-line tool used to perform Task Scheduler actions in the command prompt. The Schtasks.exe command-line tool enables administrators to create, delete, change, run, end, and query scheduled tasks on a local or remote computer.

The following command syntax is used by the Schtasks.exe command interface:

schtasks /<parameter> [arguments]

The command parameters used by the Schtasks.exe command interface are as follows:

/Create Create a new scheduled task.

/Delete Delete the scheduled task(s).

/Change Change the properties of a scheduled task.

/Run Run the scheduled task immediately.

/End Stop the running scheduled task.

/Query Display all scheduled tasks.

You can use Schtasks.exe on various tasks:

• Click Start, select Run, type cmd in the Run command dialog, and then press Enter to open a command prompt.

• To delete tasks, type this:

schtasks /Delete [/S <system> [/U <username> [/P [<password>]]]] /TN <taskname> [/F]

• To change tasks, type the following:

schtasks /Change [/S <system> [/U <username> [/P [<password>]]]] /TN <taskname>
    {[/RU <username>] [/RP <password>] [/TR <taskrun>] [/ST <starttime>] [/RI <interval>]
    [ {/ET <endtime> | /DU <duration>} [/K]] [/SD <startdate>] [/ED <enddate>]
    [/ENABLE | /DISABLE] [/IT] [/Z]}

• To run tasks, type this:

schtasks /Run [/S <system> [/U <username> [/P [<password>]]]] /TN <taskname>

• To end tasks, type this:

schtasks /End [/S <system> [/U <username> [/P [<password>]]]] /TN <taskname>

• To query tasks, type this:

schtasks /Query [/S <system> [/U <username> [/P [<password>]]]] [/FO <format>] [/NH] [/V] [/?]

Running a Task in Response to a Given Event

The ability to run a task in response to a given event is the result of the integration of Task Scheduler with the Event Viewer. Tasks are configured to run in such a way in order to diagnose and troubleshoot a given event immediately.

Exercise 11.24 shows you how to run a task in response to an event.

Exercise 11.24

Running a Task in Response to an Event

Sometimes it is useful to run a script if an error occurs, maybe to notify the system administrator or generate error reports. To run a task as a response to an event, please execute the following steps:

1. Start Task Scheduler.

2. In the left pane, select the task folder in which the new task will be created.

3. In the Actions pane on the right, click Create Task. The Create Task dialog box opens.

4. On the General tab, type a name and, optionally, a description for the task, and specify the desired security options.

5. On the Triggers tab, click the New button.

6. In the New Trigger dialog box, select On an Event in the Begin the Task drop-down list.

7. To run the task in response to a basic system-created event log, select the Basic bullet box.

8. In the Log drop-down list, select the event log in which the event is found.

9. In the Source drop-down list, select the component that published the event to narrow down the criteria. In this example, Source is set to EventCollector.

10. In the Event ID box, enter the unique ID of the specific event to further narrow down the criteria. A list of Event IDs can be found at www.eventid.net.

11. To run the task in response to a new custom event log, select the Custom bullet box and click the New Event Filter button to create a new custom view. Refer to the section “Reading Events through Custom Views” for the step-by-step procedure.

12. On the Actions tab, click the New button to add an action for the task.

13. (Optional) On the Conditions tab, specify conditions for the task.

14. (Optional) On the Settings tab, change the settings for the task.

15. Click OK.
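Added example, not part of the book: a task exported to XML (Exercise 11.19) can be reviewed offline for the points raised under Security and in this exercise, namely whether a password is stored for the run-as account and which event query starts the task. The sample task, its account name, command and event ID are constructed, and the function names are assumptions made for the illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample of an exported task; every name, path and ID is made up.
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="System"&gt;&lt;Select Path="System"&gt;*[System[Provider[@Name='ExampleSource'] and EventID=1000]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
    <BootTrigger><Enabled>true</Enabled></BootTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>EXAMPLE\svc-report</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>notify.cmd</Command>
      <Arguments>/quiet</Arguments>
    </Exec>
  </Actions>
</Task>"""


def _text(node, path):
    """Return the stripped text of a child element, or None when absent or empty."""
    value = node.findtext(path, namespaces=NS) if node is not None else None
    return value.strip() if value else None


def summarize_task(xml_data):
    """Extract run-as account, logon type, triggers and actions from task XML.

    Pass the bytes of an exported file (open(path, "rb").read()) so that the
    parser honours the encoding named in the file's XML declaration.
    """
    root = ET.fromstring(xml_data)
    principal = root.find("t:Principals/t:Principal", NS)
    summary = {
        "run_as": _text(principal, "t:UserId"),
        "logon_type": _text(principal, "t:LogonType"),
        "run_level": _text(principal, "t:RunLevel"),
        "event_triggers": [],   # (log, XPath selector) pairs
        "other_triggers": [],   # element names such as BootTrigger
        "actions": [],          # (command, arguments) pairs
    }
    for trigger in root.findall("t:Triggers/*", NS):
        name = trigger.tag.split("}")[-1]
        if name != "EventTrigger":
            summary["other_triggers"].append(name)
            continue
        subscription = _text(trigger, "t:Subscription")
        try:
            # The subscription is an escaped XML event query stored as text.
            query_list = ET.fromstring(subscription or "")
        except ET.ParseError:
            summary["event_triggers"].append((None, subscription))
            continue
        for select in query_list.iter("Select"):
            summary["event_triggers"].append((select.get("Path"), (select.text or "").strip()))
    for action in root.findall("t:Actions/t:Exec", NS):
        summary["actions"].append((_text(action, "t:Command"), _text(action, "t:Arguments")))
    return summary


def review_task(summary):
    """Turn a summary into review notes for an administrator."""
    notes = []
    if summary["logon_type"] == "Password":
        notes.append("password is stored for %s (LogonType Password); "
                     "S4U avoids storing one" % summary["run_as"])
    if summary["run_level"] == "HighestAvailable":
        notes.append("runs with the highest available privileges")
    for log, xpath in summary["event_triggers"]:
        notes.append("starts on events in %s matching %s" % (log, xpath))
    for command, _arguments in summary["actions"]:
        # Commands given with an environment variable prefix are left alone.
        if command and not (command.startswith("%") or ntpath.isabs(command.strip('"'))):
            notes.append("action command %r is not an absolute path" % command)
    return notes


if __name__ == "__main__":
    for note in review_task(summarize_task(SAMPLE_TASK)):
        print("-", note)
```
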

Monitoring System ActivityIn Windows Server 2008, the Performance Monitor and the Reliability Monitor, which are essential to performance and availability monitoring tasks, are major components of the Win-dows Performance Diagnostic Console, a Microsoft Management Console (MMC) snap-in.

The Windows Performance Diagnostic Console allows the user to perform a number of crucial system activity monitoring tasks:

• Customization of data collection

• Customized viewing of past performance data

• Definition of thresholds for alerts and automatic actions

• Real-time system monitoring

• Report generation

System activity monitoring is now faster and more efficient thanks to a new Resource View screen and an improved graphical interface in Performance Monitor. The user can choose to monitor system activities in general by using Resource View or to monitor specific system activities by using the Performance Monitor.

Monitoring General System Activity Using Resource Monitor

The Resource Monitor is the default page of the Windows Performance Diagnostic Console, which provides a real-time graphical overview of CPU, disk, network, and memory utilization. Details of the specific processes that are utilizing specific resources can be accessed by expanding the four sections. Figure 11.9 shows the Resource View.

Figure 11.9 Resource View in action


To monitor general system activity using Resource Monitor (Exercise 11.25), you must first ensure that the logged-on user is a member of the local Administrators group.

Exercise 11.25

Monitoring General System Activity Using Resource Monitor

Resource Monitor provides a quick overview of the health of the system. To monitor general system activity using Resource Monitor, follow these steps:

1. Click Start > Control Panel > Administrative Tools > Reliability and Performance Monitor. Or you can click Start > Run, type perfmon.msc in the Run dialog box, and press Enter.

2. Obtain a summary of real-time information of CPU, disk, network, and memory utilization on the local computer by viewing the graphs in the Resource Overview pane.

3. Click a graph to expand its corresponding details.

4. Obtain process-level details on each resource by expanding the labeled sections below the graphs.

5. Refer to Tables 11.10 through 11.15 for information on navigating Resource View.

To open Resource View in its own window when it is started, type perfmon /res at a command prompt.

Resource View provides a very brief and general outline of how the system is doing. Through Resource View, it is possible to determine if there are potential bottlenecks being created on any of the four core system components.

Table 11.10 shows the four system components.

Table 11.10 Resource View Details

| Label | Description |
| --- | --- |
| CPU | Total percentage of CPU capacity currently in use is displayed in green. Maximum frequency of CPU is displayed in blue. |
| Disk | Total current I/O is displayed in green. Percentage of highest active time is displayed in blue. |
| Network | Current total network traffic is displayed in green. Percentage of network capacity currently in use is displayed in blue. |
| Memory | Current hard faults per second is displayed in green. Percentage of physical memory currently in use is displayed in blue. |

CPU Resource View works similarly to Task Manager’s Process tab. The only difference is that, by default, threads and CPU average are not shown in Task Manager’s Process tab, but they are shown under CPU Resource View.

If any process is holding a high amount (80 percent and above) of CPU resources for a period of 30 seconds or more, you will need to start monitoring the process. Table 11.11 shows the individual details as part of CPU Resource View.

Table 11.11 CPU Resource View Details

| Label | Description |
| --- | --- |
| Image | The application that is utilizing CPU resources |
| PID | The process ID of the application instance |
| Description | Description of the application |
| Threads | The number of currently active threads from the application instance |
| CPU | Currently active CPU cycles from the application instance |
| Average CPU | The average CPU load resulting from the application instance |

Disk Resource View shows the disk performance of all physical disks that are installed on the system. It shows the image (process) and the corresponding file’s read and write performance.

Use this view to find a bottleneck created by disks, depending on the disk configuration (RAID/disk controller/iSCSI), or to monitor Read, Write, IO Priority, and Response Time. Table 11.12 shows the individual details as part of Disk Resource View.


Table 11.12 Disk Resource View Details

| Label | Description |
| --- | --- |
| Image | The application that is utilizing disk resources |
| PID | The process ID of the application instance |
| File | The file that is being read and/or written by the application instance |
| Read | The current speed (bytes/min.) at which data is being read by the application instance |
| Write | The current speed (bytes/min.) at which data is being written by the application instance |
| IO Priority | The priority of the I/O task for the application |
| Response Time | The response time of the disk activity in milliseconds |

Network Resource View shows the network traffic transfers based on process (or image) and the network address the process is sending to or receiving from.

Network Resource View provides a graph showing only basic network traffic information. It is only useful for checking how much data is being transferred. If network troubleshooting is needed, it is always wiser to stick to creating data collector sets. Table 11.13 shows the individual details as part of Network Resource View.

Table 11.13 Network Resource View Details

| Label | Description |
| --- | --- |
| Image | The application that is utilizing network resources |
| PID | The process ID of the application instance |
| Address | The network address from which information is exchanged with the local computer |
| Send | The amount of data (in bytes/min.) that is currently being sent by the application instance from the local computer to the address |
| Receive | The amount of data (in bytes/min.) that is currently being received by the application instance from the address |
| Total | The total bandwidth (in bytes/min.) that is currently being sent and received by the application instance |


Memory Resource View shows basic memory usage based on process (or image). To determine whether memory is the bottleneck of system performance, Memory Resource View can provide some helpful guidance. However, this view will not show you whether read or write access is the bottleneck. It will only show whether the system has enough memory. Table 11.14 shows the individual details as part of Memory Resource View.

Table 11.14 Memory Resource View Details

| Label | Description |
| --- | --- |
| Image | The application that is utilizing memory resources |
| PID | The process ID of the application instance |
| Hard Faults/min. | The number of current hard faults per minute resulting from the application instance |
| Working Set (KB) | The number of kilobytes for the application instance that are currently residing in memory |
| Shareable (KB) | The number of kilobytes of the application instance working set that may be available to be utilized by other applications |
| Private (KB) | The number of kilobytes of the application instance working set that are dedicated to the process |

Resource View is limited in this version, but you can sort columns and highlight processes (or images) for easier reading. Table 11.15 shows the actions that are supported by Resource View.

Table 11.15 Resource View Navigation Tasks

| Action | Procedure |
| --- | --- |
| Highlight an application instance | To keep highlighting when the application instance position changes in the display, click anywhere in the application instance row. |
| Sort columns by value | To sort in ascending order, click the column header label once. To sort in descending order, click the column header label twice. |


Monitoring Specific System Activity Using Performance Monitor

Performance Monitor provides a graphical summary of system performance based on a number of built-in Windows performance counters, which can be viewed in real time or examined as historical data. By adding specific counters to Performance Monitor, you can monitor the activities and performances in specific areas of the system.

In Windows Server 2008, Performance Monitor has been upgraded to enable better views, easier navigation, and more precise control. Improvements have been made in the following areas:

• Drag and drop functionality

• New time range controls

• Scale to fit option

• Time-based algorithms

• Tool tips

• Zoom functionality

In the Performance Monitor log view, you can add preferred performance counters into the graph or report to observe specific data.

In Exercise 11.26, you’ll add counters to the current Performance Monitor view.

Exercise 11.26

Adding Counters to the Current Performance Monitor View

It is possible to add additional counters to the Performance Monitor view. To add counters to the Performance Monitor view, follow these steps:

1. In the left pane of Windows Reliability and Performance Monitor, expand Reports and expand User Defined.

2. Expand the data collector set for which you want to view log data.

3. Right-click the data collector of the data collector set and select the Performance Monitor view.

4. Click the Add (+) button in the menu bar above the graph in the Performance Monitor view, or right-click anywhere in the graph and select Add Counters. This launches the Add Counters dialog box.


5. In the Available Counters section, select the counters you want to display in Performance Monitor. Refer to Table 11.16 for details on the common tasks in the Add Counters dialog box.

6. When you have selected the counters, click OK.


Some navigation tasks, such as displaying a description of a counter, cannot be done when Performance Monitor is displayed as a report view. They can only be done in the process of creating new data collector sets manually.

Table 11.16 Navigation Tasks in the Add Counters Dialog Box

| Task | Procedure |
| --- | --- |
| Choose the source computer for counters | Select a computer from the Select Counters from Computer drop-down list or click Browse to select other computers. Counters can be added from the local computer or from another computer on the network the user has access to. |
| Display a description of the selected counter group | Select Show Description in the lower-left corner of the dialog box. The description will be updated when other counter groups are selected. |
| Add a group of counters | Select by highlighting all counters under the counter group name and click Add. |
| Add individual counters | Select by highlighting an individual counter under a counter group and click Add. |
| Add certain instances of a counter | Select the required counter group or individual counter, then select the process from the list in the Instances of Selected Object box. The same counter can be created by multiple processes, though if you choose an instance, only the counters produced by the selected processes will be collected. |
| Search for instances of a counter | Select the required counter group or individual counter, then type the process name in the drop-down list below the Instances of Selected Object box and click Search. A valid process name will be available in the drop-down list to repeat the search with other counters. The search function will not be available if there are no multiple instances of a counter group or counter. |

With so many counters available, it could be confusing to decide which counter to configure to monitor the system performance. Table 11.17 lists recommended system counter thresholds for the commonly used counters.


Table 11.17 Recommended System Counter Thresholds

| Resource | Object | Counter | Threshold |
| --- | --- | --- | --- |
| Disk | LogicalDisk | %Free Space | 15% |
| Disk | LogicalDisk | %Disk Time | 80% |
| Memory | Memory | Available Bytes | 16MB |
| Processor | Processor | % Processor Time | 85% |
| Processor | Processor | Interrupts/sec | 1500 per second |

Table 11.17 lists only the most important and commonly used system counters. The recommended thresholds are only a guideline and might not work in every environment. Windows Server 2008 also comes with three preconfigured data collector sets (LAN, System Diagnostics, and System Performance) with the necessary counters already added. The following list includes explanations of the recommended thresholds listed in Table 11.17:

LogicalDisk - %Free Space: Depending on the server’s usage and configuration, some might disagree with the 15% threshold. But a threshold of 15% works on most machines.

LogicalDisk - %Disk Time: Disk time is also known as the disk usage time. When a disk time is at 80% at a constant rate, the disk will experience hardware failure very easily due to crashing or overheating.

Memory - Available Bytes: The server will start paging to hard disk as soon as the amount of available memory is reduced to less than 4MB. The server performance degrades due to excessive paging activities. Thus, it is wiser to have the threshold set higher, to 16MB, so system administrators can take action before it goes to 4MB or less.

Processor - % Processor Time: Sometimes a sudden spike of CPU processor time is caused if SQL Server or Exchange Server is hosted on the server. But if the processor time doesn’t go down, it could cause the server to be unavailable. Use Task Manager to identify which process is using the CPU processor time constantly.

Processor - Interrupts/sec: This counter can be used to signal hardware problems. If the counter increases dramatically without a corresponding increase in server activity, a piece of hardware is responsible for the flood in interrupts. A hardware failure involving the network card, hard disk controller, or another device needs to be investigated.
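The thresholds in Table 11.17 can be checked by script, separating a momentary spike from a breach that persists, which is the distinction the explanations above draw for processor time. This is an added example, not code from the book: the function names, the _Total counter instance, the breach direction for each counter, and the six-reading window are assumptions, and the readings at the end are constructed.

```powershell
# Added example (not from the book). Limits are those of Table 11.17; the
# _Total instance and the Below/Above direction are assumptions taken from the
# explanations under the table. Get-Counter needs PowerShell 2.0 or later and
# the counter names below are the English ones.
$Thresholds = @(
    @{ Path = '\LogicalDisk(_Total)\% Free Space';   Limit = 15;   Breach = 'Below' }
    @{ Path = '\LogicalDisk(_Total)\% Disk Time';    Limit = 80;   Breach = 'Above' }
    @{ Path = '\Memory\Available Bytes';             Limit = 16MB; Breach = 'Below' }
    @{ Path = '\Processor(_Total)\% Processor Time'; Limit = 85;   Breach = 'Above' }
    @{ Path = '\Processor(_Total)\Interrupts/sec';   Limit = 1500; Breach = 'Above' }
)

function Test-CounterThreshold {
    param(
        [hashtable]$Samples,          # counter path -> readings, oldest first
        [int]$SustainedSamples = 6    # consecutive breaching readings = sustained
    )
    foreach ($t in $Thresholds) {
        if (-not $Samples.ContainsKey($t.Path)) { continue }   # counter not collected
        $values = @($Samples[$t.Path])
        $run = 0    # length of the breaching run that ends at the newest reading
        foreach ($v in $values) {
            if ($t.Breach -eq 'Below') { $bad = $v -lt $t.Limit }
            else                       { $bad = $v -gt $t.Limit }
            if ($bad) { $run++ } else { $run = 0 }
        }
        if     ($run -ge $SustainedSamples) { $status = 'Sustained' }
        elseif ($run -gt 0)                 { $status = 'Breach' }
        else                                { $status = 'OK' }
        New-Object PSObject -Property @{
            Counter = $t.Path; Last = $values[-1]; Limit = $t.Limit; Status = $status
        }
    }
}

function Get-CounterSamples {
    # Six readings five seconds apart cover a 30-second window.
    param([int]$Count = 6, [int]$IntervalSeconds = 5)
    $samples = @{}
    foreach ($t in $Thresholds) { $samples[$t.Path] = @() }
    $paths = $Thresholds | ForEach-Object { $_.Path }
    $sets = Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $Count
    foreach ($set in $sets) {
        foreach ($s in $set.CounterSamples) {
            foreach ($t in $Thresholds) {
                # Get-Counter reports paths as \\computer\object(instance)\counter
                if ($s.Path.EndsWith($t.Path, [StringComparison]::OrdinalIgnoreCase)) {
                    $samples[$t.Path] += $s.CookedValue
                }
            }
        }
    }
    $samples
}

# Constructed readings, six per counter, oldest first.
$constructed = @{
    '\Processor(_Total)\% Processor Time' = 40, 97, 42, 38, 41, 39     # one spike
    '\LogicalDisk(_Total)\% Disk Time'    = 82, 85, 91, 88, 90, 93     # always high
    '\Memory\Available Bytes'             = 64MB, 40MB, 22MB, 14MB, 12MB, 9MB
    '\LogicalDisk(_Total)\% Free Space'   = 31, 31, 31, 30, 30, 30
}
Test-CounterThreshold -Samples $constructed |
    Format-Table Counter, Last, Limit, Status -AutoSize

# On a live server: Test-CounterThreshold -Samples (Get-CounterSamples)
```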

In the default line graph display in Reliability and Performance Monitor shown in Figure 11.10, two minutes of data is represented in a rolling format from left to right, labeled along the x-axis. With this view, changes in each counter’s activity compared with previous behavior over a short time period can be observed. The performance data can also be represented by other types of graphs as well as by a report.


Figure 11.10 The default line graph view of Performance Monitor

In Exercise 11.27, you’ll change the graph type for the log data in Performance Monitor.

Exercise 11.27

Changing the Graph Type for the Log Data in Performance Monitor

Changing the graph type allows the system administrator to view the report from another perspective. To change the graph type for the log data, follow these steps:

1. In the left pane of Windows Reliability and Performance Monitor, expand Reports and expand User Defined.

2. Expand the data collector set whose log data you want to view.

3. Right-click the data collector of the data collector set and select the Performance Monitor view.

4. In the menu bar above the graph, click the Change Graph Type button to switch types or open the drop-down list and select from Histogram Bar, Report, Area, or Stacked Area.


Configuring and Monitoring Using Simple Network Management Protocol (SNMP)

Simple Network Management Protocol (SNMP) is, as its name suggests, a simple protocol that is commonly utilized in network management and monitoring. SNMP is the choice of IT professionals for network-wide system monitoring tasks because it is easy to set up and easy to use.

SNMP is designed to integrate the management of TCP/IP-based networks in order to manage devices from a preferred central location. SNMP is used to facilitate data transfer from agent to host. The data is then centralized in logs for effective viewing and subsequent analysis.

Install SNMP Services

Windows Server 2008, just like its predecessors, does not have SNMP Services installed by default. To use SNMP Services, you will need to install the SNMP Services feature (Exercise 11.28).

Exercise 11.28

Installing SNMP Services

SNMP Services is not installed by default in Windows Server. To install the SNMP Services feature, follow these steps:

1. Click Start > Server Manager.

2. In the left pane, select Features.

3. In the right pane, click Add Features. This launches the Add Features Wizard.

4. Under the Features list, select SNMP Services and click Next.


5. A confirmation window appears with the features to be added. Click Install to start installing.

6. Once SNMP Services is installed, the results appear. Click Close to complete the installation.

To install the SNMP service in Windows Server 2008 Server Core, type the following in the command prompt:

start /w ocsetup SNMP-SC

Configuring Agent Properties

Once SNMP Services is installed, the next step is to configure the agent. Agents are servers or devices that will be reporting to the host, telling the host whether the agents are alive or dead. Agent properties also contain information such as the person responsible for managing the agent and the services the agent will interact with on the computer.

Exercise 11.29 shows you how to configure agent properties.


Exercise 11.29

Configuring Agent Properties

To monitor the system using SNMP, the agent properties need to be configured. To configure the agent properties, follow these steps:

1. Click Start > Server Manager.

2. In the left pane, expand Configuration and select Services.

3. In the details pane, select SNMP Service.

4. Right-click SNMP Service and click Properties.

5. On the Agent tab, type the name of the user or administrator in the Contact box.

6. Type the physical location of the computer or the contact in the Location box.

7. Under Service, select the services that the agent is hosting, and click OK.

Changes to Contact or Location of the SNMP Agent take effect within a few minutes.


Configuring Traps

Another option you need to configure as part of SNMP Services is Traps. The Traps tab under the Agent properties dialog box is used to configure computers to which SNMP Services sends traps.

As part of the Traps properties, there will be two options that need to be configured: Community and Trap Destinations. A community is like a group, and each Community hosts one or more Trap Destinations. Trap Destinations can be Hostname, IP, or IPX Address.

Exercise 11.30 shows you how to configure traps.

Exercise 11.30

Configuring Traps

Traps, just like the agent, need to be configured for SNMP Services to work. To configure traps, follow these steps:

1. Click Start > Server Manager.

2. In the left pane, expand Configuration and select Services.

3. In the details pane, select SNMP Service.

4. Right-click SNMP Service and click Properties.

5. On the Traps tab, in the Community Name text box, type a name for the community to which the computer will send trap messages (the name is case-sensitive).


6. Under Trap Destinations, click Add.

7. In the SNMP Service Configuration dialog box, enter the name, the IP address, or the IPX address of the host, and click Add.

8. Repeat steps 5 through 7 until all the required communities and trap destinations are added.

Changes to SNMP settings take effect immediately.

Configuring SNMP Security Properties

Information generated by traps is just like any other data. When transferred across the network, the data could be sniffed by malicious users. Malicious users could also send unauthorized traps to legitimate communities. To prevent these issues from occurring, it is always wise to configure SNMP security (Exercise 11.31).

Exercise 11.31

Configuring SNMP Security Properties

Although configuring SNMP security properties is optional to get SNMP Services working, it is still recommended for security reasons. To configure SNMP security properties, follow these steps:

1. Click Start > Server Manager.

2. In the left pane, expand Configuration and select Services.

3. In the details pane, select SNMP Service.

4. Right-click SNMP Service and click Properties.

5. On the Security tab, select Send Authentication Trap to send a trap message whenever authentication fails.


6. Under Accepted Community Names, click Add.

7. In the SNMP Service Configuration dialog box, select a permission level from the Community Rights drop-down list for the host to process SNMP requests from the specified community.

8. In the Community Name text box, type a case-sensitive community name, then click Add.

9. Specify the host(s) from which SNMP packets are accepted.

• Accept SNMP Packets from Any Host: Select to accept SNMP requests from any host on the network.

• Accept SNMP Packets from These Hosts: Select to accept SNMP requests from a limited number of preferred hosts. Click Add to enter the name, the IP address, or the IPX address of the host, and then click Add again.

10. Changes can be made to an entry by selecting the entry and clicking Edit. An entry can be deleted by selecting the entry and clicking Remove.
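The Security tab choices from this exercise can be reviewed by script after the fact. This is an added example, not code from the book: the function names are hypothetical, the registry value names are those the Windows SNMP service stores under its Parameters key, the list of guessable community names is an assumption, and the settings at the end are constructed so the check can be tried without a configured server.

```powershell
# Added example (not from the book). Reads the values behind the Security tab
# and reports the weak choices. Rights codes are the ones the SNMP service
# stores for each entry under Accepted Community Names.
$SnmpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'
$RightsNames = @{ 1 = 'None'; 2 = 'Notify'; 4 = 'Read Only'; 8 = 'Read Write'; 16 = 'Read Create' }
$GuessableNames = @('public', 'private')   # assumption: widely known default names

function Get-SnmpSecuritySettings {
    $settings = @{ AuthTraps = $false; Communities = @{}; PermittedManagers = @() }
    $root = Get-Item -Path $SnmpKey -ErrorAction Stop
    $settings.AuthTraps = ($root.GetValue('EnableAuthenticationTraps', 0) -eq 1)

    $communities = Get-Item -Path "$SnmpKey\ValidCommunities" -ErrorAction SilentlyContinue
    if ($communities) {
        foreach ($name in $communities.GetValueNames()) {
            $settings.Communities[$name] = [int]$communities.GetValue($name)
        }
    }
    $managers = Get-Item -Path "$SnmpKey\PermittedManagers" -ErrorAction SilentlyContinue
    if ($managers) {
        $settings.PermittedManagers =
            @($managers.GetValueNames() | ForEach-Object { $managers.GetValue($_) })
    }
    $settings
}

function Test-SnmpSecuritySettings {
    param([Parameter(Mandatory = $true)][hashtable]$Settings)
    $findings = @()
    if (-not $Settings.AuthTraps) {
        $findings += 'Send Authentication Trap is off: failed requests raise no trap.'
    }
    if (@($Settings.PermittedManagers).Count -eq 0) {
        $findings += 'No host list: SNMP packets are accepted from any host.'
    }
    foreach ($entry in $Settings.Communities.GetEnumerator()) {
        $name = [string]$entry.Key
        $rights = [int]$entry.Value
        $label = $RightsNames[$rights]
        if (-not $label) { $label = "unknown ($rights)" }
        if ($GuessableNames -contains $name.ToLower()) {
            $findings += "Community '$name' uses a well-known name."
        }
        if ($rights -ge 8) {
            $findings += "Community '$name' has $label rights; use Read Only unless writes are required."
        }
    }
    $findings
}

# Constructed settings, not read from any real server.
$constructed = @{
    AuthTraps         = $false
    Communities       = @{ 'public' = 8; 'mon-7f3a' = 4 }
    PermittedManagers = @()
}
Test-SnmpSecuritySettings -Settings $constructed | ForEach-Object { "FINDING: $_" }

# On a server with SNMP Services installed (elevated session):
# Test-SnmpSecuritySettings -Settings (Get-SnmpSecuritySettings)
```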


Starting or Stopping the SNMP Service

Starting or stopping the SNMP Service is just like starting or stopping other services. It can be done through Services.msc or through Server Manager (Windows Server 2008 only).

Exercise 11.32 shows you how to start or stop the SNMP Service using Server Manager.

Exercise 11.32

Starting or Stopping SNMP Service

SNMP Service could be started or stopped for troubleshooting purposes. To start or stop SNMP Service, follow these steps:

1. Click Start > Server Manager.

2. On the left pane, expand Configuration and select Services.

3. On the details pane, select SNMP Service.

4. Right-click SNMP Service and click Start, Stop, or Restart.


Configuring Event to Trap Translator

It is possible to trap events, convert the events into traps, and send those traps to the management systems specified in the Traps properties. To accomplish this, the events will need to be converted into traps, which is done through the trap translator.

To configure the event to trap translator, see Exercise 11.33.

Exercise 11.33

Configuring Event to Trap Translator

Trapping an event is important for the SNMP host to receive the server’s trapped events. To configure the event to trap translator, follow these steps:

1. Click Start, select Run, and type cmd in the Run command dialog and then press Enter to open command prompt.

2. Type evntcmd /? for options and the syntax for the evntcmd command to configure the event to trap translator.

Summary

Monitoring a system proactively is a task that system administrators should do on a daily basis because it provides guidance on how applications and hardware should be configured. This does not mean that system administrators will need to monitor systems on their network manually. The proper way is to let the systems monitor themselves and report to the system administrators if any warnings or errors occur.


Various monitoring tools are built into Windows Server, and it’s up to system administrators to use them wisely:

• Monitoring system performance through counters has improved in Windows Server 2008. Data collector sets make gathering and troubleshooting server performance data a very simple procedure. System Stability Index provides a quick summary of how a system is working and whether it has experienced any availability issues in the past.

• Event Viewer is now much more robust and developers can write to Event Viewer through the APIs. It is now XML based, which means easier searching and manipulation of the event logs. It is also possible to push and pull event logs to and from other computers with just a few simple clicks.

• Task Scheduler has been enhanced in Windows Server 2008. Events can now trigger and run a task, and Task Scheduler comes with a step-by-step wizard to create new tasks. The status of all tasks is also shown in Task Scheduler, increasing the productivity of the system administrators.

• SNMP Service is considered an old technology by some, but it is still one of the more useful methods to monitor systems and devices.

With a good grip on how to set up and configure the tools we covered in this chapter, system administrators can allocate their resources for more important tasks.


Review Questions

1. You want to provide a help desk user with the rights to create logs for data collector sets. What do you need to do? (Choose all that apply.)

A. Add the help desk user to Power Users group.

B. Assign the help desk user with “Log on as a batch job” user right.

C. Add the help desk user to the Administrators group.

D. Add the help desk user to the Domain Users group.

2. You want to use Reliability Monitor to monitor the health of the system. However, no data is shown in Reliability Monitor. What should you do?

A. Wait for 12 hours after Windows is installed.

B. Wait for 18 hours after Windows is installed.

C. Wait for 24 hours after Windows is installed.

D. Wait for 36 hours after Windows is installed.

3. You have SNMP configured. You want to ensure that only trusted traps are collected. What should you do?

A. Under the Agent tab of SNMP Service properties, deselect Internet.

B. Under the Agent tab of SNMP Service properties, deselect Datalink and Subnetwork.

C. Under Security tab of SNMP Service properties, select Send Authentication Trap.

D. Under Security tab of SNMP Service properties, select Accept SNMP Packets from These Hosts.

4. You want to change the default Disk Defragmenter schedule. Where do you change it?

A. Event Viewer

B. Task Scheduler

C. Performance Monitor

D. Reliability Monitor

5. You are creating a task to run a program in Task Scheduler. After creating the task, you found out that the program doesn’t run when the task is started. What is your next course of action?

A. Select Run with Highest Privileges.

B. Select Run Whether User Is Logged On or Not.

C. Use another user or group to run the task.

D. Select Run Task as Soon as Possible after a Scheduled Start Is Missed.


6. What is the best way to share the same scheduled tasks?

A. Use the command line tool Schtasks.exe to export and import the tasks to other machines.

B. Use the Task Scheduler GUI to export and import the tasks to other machines.

C. Use Visual Studio to create a program to import the tasks.

D. Use Group Policy to push tasks to the users.

7. A user reports that her computer is always sluggish between 2:00 to 3:00 p.m. daily. What is the best way to troubleshoot the problem?

A. Create a data collector set, add all counters into it, and configure it to run from 2:00 to 3:00 p.m. daily.

B. Request a support personal to be on-site standby from 2:00 to 3:00 p.m.

C. Create an event-triggered task to collect data when warnings are logged.

D. Create a data collector set, add the memory counters into it, and set it to run from 2:00 to 3:00 p.m. daily.

8. A user reports that her computer is sluggish from time to time, inconsistently. What is the best way to troubleshoot the problem?

A. Create a data collector set, add only system performance counters into it, and set it to run 24/7.

B. Request a support personal to be on-site standby daily.

C. Create an event-triggered task to collect data when warnings are logged.

D. Create a data collector set, add the memory counters into it, and set it to run 24/7.

9. The company has a customized performance monitoring software using Windows Management Interface (WMI) to create and modify data collector sets. However, desktop users are unable to run the application when they log on as standard user. What do you do to enable them to use the performance monitoring software? (Choose all that apply.)

A. Add the desktop support technician user account to the Performance Log Users user group.

B. Add the desktop support technician user account to the Performance Monitor Users user group.

C. Open the Local Security Policy (secpol.msc) snap-in and add the desktop support technician user account under “Log on as a batch job.”

D. Open the Local Security Policy (secpol.msc) snap-in and add the desktop support technician user account under “Log on as a service.”

10. Your company hosts many applications for customers. However, customers are complaining that their hosted applications are running too slow. What is the first step to troubleshoot?

A. Run perfmon.msc and check Hard faults/min under Memory.

B. Run perfmon.msc and check Threads under CPU.

C. Run perfmon.msc and check I/O priority under CPU.

D. Run perfmon.msc and check Private (KB) under Memory.


11. Your company has a Windows Server 2008 file server. Clients are experiencing slower than usual connection speed when they access their file shares on the file server. What can you do to troubleshoot this issue?

A. Run Performance Monitor and enable the Packets Received Discarded counter under Network Interface.

B. Run Performance Monitor and enable the Segments Received/sec counter under TCPv4.

C. Run Performance Monitor and enable the Connections Passive counter under TCPv4.

D. Run Performance Monitor and enable the Output Queue Length counter under Network Interface.

12. After upgrading from Windows XP to Windows Vista, users are reporting that it’s taking longer than expected to open files and applications. You need to identify the cause of the issue by running Reliability Monitor. What can you do to troubleshoot this issue? (Choose all that apply.)

A. Ensure that Windows Vista was installed more than 24 hours ago.

B. Ensure that every publisher is recognized for establishing a baseline to display on the System Stability chart.

C. Disable Reliability Analysis Component (RAC) if it is running.

D. Ensure that Reliability Monitor has 28 days of data to display the availability index as a valid baseline for the measurement.

E. Ensure that only users with administrator rights can access the data that Reliability Monitor uses.

13. You want to enable remote monitoring of performance and availability of the branch offices’ servers running Windows Server 2008. What do you need to do? (Choose all that apply.)

A. Enable the Routing and Remote Access Services policy at the main office computer.

B. Enable the Remote Registry Services policy at the branch office computers.

C. Ensure that the main office computer has RACAgent enabled in Scheduled Task.

D. Acquire the Local Administrators group permission to view Reliability Monitor on branch office computers.

E. Ensure that the Diagnostics Service Host Service policy is enabled on branch office computers.

14. How do you create a performance logging file (.blg) in an SQL format?

A. Open the data collector set report in Reliability and Performance Monitor. Then highlight date and time of issue and select Save Data As with the option Save as Type set to SQL.

B. Open the data collector set report, point to Properties, and click the Source tab. Under Database radio box, select SQL Server and Log Set.

C. Run Relog perfmon.blg -f sql -b M/d/yyyy h:mm:ss[AM|PM].

D. Run Relog perfmon.blg -f sql -b M/d/yyyy h:mm:ss[AM|PM]> -q.


15. Your branch office is experiencing slow connection speed. All computers are configured as part of the same workgroup. You need to configure event forwarding to use the minimal bandwidth. What do you configure?

A. Use the Custom setting for event delivery optimization by typing wecutil ss SUBSCRIPTIONID /cm:custom /hi:100 at the command prompt.

B. Select the Normal setting for event delivery optimization on the subscription properties of the collecting computer.

C. Select the Minimize Latency setting for event delivery optimization on the subscription properties of the collecting computer.

D. Use the Minimize Bandwidth setting for event delivery optimization on the subscription properties of the collecting computer.

16. Your office has a slow connection speed to the remote office. The remote file server collects event forwarding logs from your office. The subscription log became corrupted and you re-create it. Users are now complaining that they are not able to access the remote file server. How do you restore the network connectivity? (Choose the best answer.)

A. Restart the Windows Remote Management (WinRM) and Windows Event Collector (Wecsvc) services.

B. On the subscription properties of the server, click Minimize Bandwidth.

C. On the subscription properties of the server, click Minimize Latency.

D. Restart the server.

17. You set up event forwarding on a source machine and a collecting machine. The collecting computer has a standard user set to run the subscription. The collecting computer displays the subscription status Trying. You need to ensure that the event forwarding works. What should you do?

A. Run the command wecutil.exe gr <subscriptionname>.

B. Ensure that the Windows Remote Management (WinRM) and Windows Event Collector (Wecsvc) services are running on the collecting computer.

C. Add the Log On As A Batch Job user right to the standard user account from Account Policy to which the event logs are received.

D. Add Event Log Readers to the standard user account to which the event logs are sent.

18. Your company has multiple branch offices, and all computers are connected in the same domain in Active Directory. Event logs are sent from the branch offices to the main office. You want to prevent hackers from sniffing the logs. What should you do?

A. Configure the Kerberos encryption for the user account in the event that you send by using Active Directory.

B. Install a web server certificate and set up the Secure Sockets Layer (SSL) encryption.

C. Configure the Encrypted File System (EFS) encryption by selecting the Encrypt Contents to Secure Data option on the properties of the event log file.

D. Set up the Pretty Good Privacy (PGP) encryption through PGP NetShare.


19. You have a main office and a branch office. The computers are connected via a workgroup environment. You want to log all critical events from the branch office to a server at the main office. What should you do first?

A. Enable event forwarding by migrating to the domain environment.

B. Create a virtual private network (VPN) between the collecting computer at the main office and the server at the branch office.

C. Start the Windows Remote Management (WinRM) and Windows Event Collector (Wecsvc) services on the source and collecting computers.

D. Add the Event Log Readers group to the standard user account where the event logs are forwarded.

20. Your company has multiple branch offices. You monitor the main office server by using a system utility. The system utility uses an executable file to inject a DLL file into the explorer.exe process. You discover that the system utility terminates explorer.exe when you use the Run command to run explorer.exe. You need to stop the system utility without logging off users. What should you do?

A. End the looping task by using the Schtasks command.

B. Delete the executable file by using the Tasklist command.

C. Delete the looping task by using the Schtasks command.

D. Log off the user account by using the Shutdown command.


Answers to Review Questions

1. B, C. You will need to assign the “Log on as a batch job” user right or add the help desk user to the Administrators group in order for a user to collect logs from data collector sets.

2. C. Windows will only generate system availability indexes 24 hours after it is installed.

3. D. You can configure which SNMP packets to collect by using the option Accept SNMP Packets from These Hosts.

4. B. Task Scheduler is now used to run Microsoft Windows services and schedules. Configuration can be modified by using Task Scheduler.

5. A. If the program that is set to run needs elevated privileges, it will not run without the Run with Highest Privilege option.

6. B. The best way is to export and reimport using the GUI. The Schtasks.exe command-line tool doesn’t support export/import of tasks, and there’s no way to push tasks through Group Policy.

7. A. Using a data collector set to collect data and statistics about the computer is the best way to gather information for troubleshooting. Collecting just memory data is not enough to troubleshoot.

8. A. Using a data collector set to collect data and statistics about the computer is the best way to gather information for troubleshooting.

9. A, C. The standard user will need to be added to Performance Log Users to create and modify collector sets through the use of WMI. The user will also need the “Log on as a batch job” permission to have the proper rights to work on the custom application.

10. A. A high number of hard faults may explain the slow response time of an application if it must continually read data back from the disk rather than from physical memory.

11. D. Output Queue Length is the length of the output packet queue (in packets). If this is longer than two, there are delays, and the bottleneck should be found and eliminated, if possible.

12. A, D, E. To use the System Availability Chart, Windows installation must run 24 hours before data is collected. Stability Index will show dotted lines on the graph before 28 days to show that a valid baseline has not been established.

13. B, C. The RACAgent task needs to be running. Since Reliability Monitor data files are stored in the Registry, remote Registry access is needed.

14. C. You use the relog command to re-create the performance logging file in an SQL format.

15. B. Only the Normal setting works in a Workgroup environment.

16. B. The Minimize Bandwidth setting uses the push delivery mode and sets a batch time-out of 6 hours and uses an interval of 6 hours.

17. A. The wecutil command-line tool provides the status of the subscription. Wecutil.exe gr <subscriptionname> provides the user with the subscription information. This will help you understand why the subscription status appears as Trying.

18. B. To set up encryption with event forwarding, the only available option is to use SSL, which requires installing the certificate on both computers before SSL can start working.

19. C. You need to start the WinRM and Wecsvc services because neither runs by default.

20. A. By stopping the task that runs the looping executable, you will stop the loop.


Appendix A: About the Companion CD

In This Appendix:

What you’ll find on the CD

System requirements

Using the CD

Troubleshooting

What You’ll Find on the CD

The following sections are arranged by category and provide a summary of the software and other goodies you’ll find on the CD. If you need help with installing the items provided on the CD, refer to the installation instructions in the section “Using the CD” later in this appendix.

Some programs on the CD might fall into one of these categories:

Shareware programs are fully functional, free, trial versions of copyrighted programs. If you like particular programs, register with their authors for a nominal fee and receive licenses, enhanced versions, and technical support.

Freeware programs are free, copyrighted games, applications, and utilities. You can copy them to as many computers as you like—for free—but they offer no technical support.

GNU software is governed by its own license, which is included inside the folder of the GNU software. There are no restrictions on distribution of GNU software. See the GNU license at the root of the CD for more details.

Trial, demo, or evaluation versions of software are usually limited either by time or functionality (such as not letting you save a project after you create it).

Sybex Test Engine

For Windows

The CD contains the Sybex Test Engine, which includes all of the assessment test and chapter review questions in electronic format as well as two bonus exams located only on the CD.

PDF of the Book

For Windows

We have included an electronic version of the text in PDF format. You can view the electronic version of the book with Adobe Reader.


Adobe Reader

For Windows

We’ve also included a copy of Adobe Reader so you can view PDF files of the book’s content. For more information on Adobe Reader or to check for a newer version, visit Adobe’s website at http://www.adobe.com/products/reader/.

Electronic Flashcards

For PC, Pocket PC, and Palm

These handy electronic flashcards are just what their name implies. One side contains a question or fill in the blank, and the other side shows the answer.

System Requirements

Make sure your computer meets the minimum system requirements shown in the following list. If your computer doesn’t match up to most of these requirements, you may have problems using the software and files on the companion CD. For the latest and greatest information, please refer to the ReadMe file located at the root of the CD-ROM.

A PC running Microsoft Windows 98, Windows 2000, Windows NT4 (with SP4 or later), Windows Me, Windows XP, or Windows Vista.

An Internet connection

A CD-ROM drive

Using the CD

To install the items from the CD to your hard drive, follow these steps.

1. Insert the CD into your computer’s CD-ROM drive. The license agreement appears.

Windows users: The interface won’t launch if you have autorun disabled. In that case, click Start > Run (for Windows Vista, Start > All Programs > Accessories > Run). In the dialog box that appears, type D:\Start.exe. (Replace D with the proper letter if your CD drive uses a different letter. If you don’t know the letter, see how your CD drive is listed under My Computer.) Click OK.


2. Read through the license agreement, and then click the Accept button if you want to use the CD.

The CD interface appears. The interface allows you to access the content with just one or two clicks.

Troubleshooting

Wiley has attempted to provide programs that work on most computers with the minimum system requirements. Alas, your computer may differ, and some programs may not work properly for some reason.

The two likeliest problems are that you don’t have enough memory (RAM) for the programs you want to use and you have other programs running that are affecting installation or running of a program. If you get an error message such as “Not enough memory” or “Setup cannot continue,” try one or more of the following suggestions and then try using the software again:

Turn off any antivirus software running on your computer. Installation programs sometimes mimic virus activity and may make your computer incorrectly believe that it’s being infected by a virus.

Close all running programs. The more programs you have running, the less memory is available to other programs. Installation programs typically update files and programs, so if you keep other programs running, installation may not work properly.

Have your local computer store add more RAM to your computer. This is, admittedly, a drastic and somewhat expensive step. However, adding more memory can really help the speed of your computer and allow more programs to run at the same time.

Customer Care

If you have trouble with the book’s companion CD-ROM, please call the Wiley Product Technical Support phone number at (800) 762-2974. Outside the United States, call +1(317) 572-3994. You can also contact Wiley Product Technical Support at http://sybex.custhelp.com. John Wiley & Sons will provide technical support only for installation and other general quality control items. For technical support on the applications themselves, consult the program’s vendor or author.

To place additional orders or to request information about other Wiley products, please call (877) 762-2974.


Glossary


A

Active Directory Federated Services (AD FS) A Windows Server 2008 role that provides Web SSO technologies to authenticate a user to multiple web applications over the life of a single online session.

Active Directory Rights Management Service (AD RMS) A Windows Server 2008 role that provides the ability to protect and control use of digital content.

Administrative Delegation Functionality provided by IIS 7.0 that allows administrators to manage a web server or website remotely.

Advanced Fast Start A Windows Server 2008 Media Services feature that reduces the time it takes between the time a media stream is accessed and the time that the media can be displayed in the viewer.

AppCmd.exe A command-line utility that is used to manage Internet Information Services (IIS) 7.0.

ASP.NET Microsoft’s server-based framework for running .NET code on web servers.

B

Basic Disk A simple partitioning type used to create partitions, extended partitions, and logical drives.

Best Practices Analyzer tool A utility designed to discover and recommend changes to a SharePoint server.

D

Digital Rights Management (DRM) A system that can provide copyright protection of data that is distributed.

discovery domain Provides a way to separate and group nodes in an iSNS database into more easily managed groups; similar to how zoning works with Fibre Channel.

Display Data Prioritization A Terminal Services feature that helps network utilization, prioritizing keyboard, display, and mouse data over other traffic.

dynamic disk An advanced partitioning type used to create simple volumes, spanned volumes, striped volumes, mirrored volumes, and RAID-5 volumes. Dynamic disks allow for advanced features.


E

encryption A way of creating information so that it cannot be read if it is intercepted by an untrusted party.

extranet A network that is accessible to computers outside of the company.

F

failover The process of moving active clustered resources from one cluster node to another cluster node.

failover cluster A cluster type that provides redundancy for applications and services.

fax routing A method used to determine who should be the recipient for an incoming fax.

feature delegation Functionality provided by IIS 7.0 that allows specific options to be controlled by other administrators or by down-level configuration settings.

Fibre Channel A standard for sending SCSI commands at multi-gigabit speeds over either twisted pair or fiber-optic cable.

G

GUID Partition Table (GPT) A method of creating a disk partition. A GPT disk can support volumes up to 18 exabytes and 128 partitions. As a result, GPT is recommended for disks larger than 2TB or disks used on Itanium-based computers.

H

host bus adapter (HBA) A network adapter that contains an iSCSI hardware initiator.

host headers A method for publishing multiple websites on a single IP address using the URL passed from the browser.

Hyper-V integration components Software installed on a guest machine that optimizes the operating system functions to work with Hyper-V.

hypervisor A virtualization interface that allows multiple operating systems to run on a single physical machine. In Windows Server 2008, the hypervisor is one of the main components of Hyper-V.


I

Internet SCSI (iSCSI) A protocol that allows an initiator to send SCSI (Small Computer System Interface) commands to storage devices over TCP/IP. This is used in storage area networks (SANs) as an alternative to Fibre Channel.

Internet Storage Name Server (iSNS) A protocol used for automated discovery, management, and configuration of both iSCSI and Fibre Channel devices. This service allows devices to register themselves on the server.

iSCSI initiator An iSCSI client that sends and receives the iSCSI commands over the network. An initiator can be either software based (using installed software on a computer) or hardware based and be installed in dedicated hardware similar to a network adapter.

iSCSI Qualified Name (iqn) A method of identifying targets and initiators on an iSCSI SAN, similar to a fully qualified domain name.

iSCSI target Storage resource located on the iSCSI SAN.

L

load balance Any method for evenly distributing processing or service requests across devices in a network.

logical unit number (LUN) An address that is assigned to a storage unit that is presented to a host.

M

Master Boot Record (MBR) A method of creating a disk partition. An MBR disk has a partition table that indicates where the partitions are located on the disk drive. This partition style supports only volumes up to two terabytes and either four primary partitions or three primary partitions and one extended partition, which can be divided into unlimited logical drives.

mean time between failures (MTBF) A calculation of the average time before a component or system will fail.

mirrored volume A fault-tolerant storage unit that duplicates data onto two physical disks.

modules Discrete components that provide specific functionality in Internet Information Services (IIS) 7.0.

mount point A directory that allows a volume to be configured for access from within a directory on another existing disk.


multicast A method of delivering content in which a single data stream is transmitted from a media server to multiple clients.

Multipath I/O (MPIO) A method for using multiple physical paths to storage such as in a storage area network (SAN) and providing fault tolerance and increased performance.

N

Network Attached Storage (NAS) A type of storage that uses network file sharing protocols like Common Internet File System (CIFS) or Network File System (NFS) to provide access to storage.

Network Load Balancing (NLB) A shared nothing cluster type that provides redundancy and scalability for network-based services.

node A server that participates in a cluster and can host clustered resources.

P

port rule In a network load-balanced cluster, a port rule defines how specific TCP or UDP ports will be handled.

Q

quota template A predefined set of quotas to apply to a Windows SharePoint Services website.

R

RAID-5 volume A fault-tolerant storage unit that stripes data and parity for the data across three or more disks.

recovery point objective (RPO) A disaster recovery term that defines the amount of data that can be lost when a disaster occurs.

recovery time objective (RTO) A disaster recovery term that defines the amount of time before a recovery must be complete.

relay Sending email to a server so that it will forward it to another server for delivery.

Remote Desktop Connection (RDC) Client software used to connect to a Terminal Services computer.


Remote Desktop Protocol (RDP) The TCP/IP protocol used to provide Terminal Services.

resource A building block of a clustered application.

S

Service Level Agreement (SLA) An agreement with a provider, whether it be an internal department or external service provider, that defines services and availability levels of a defined set of services.

Simple Mail Transfer Protocol (SMTP) A TCP/IP-based protocol for sending (or relaying) email to a server.

simple volume A storage unit that uses space from a single disk, either in contiguous or noncontiguous space.

smart host A server that is configured on an SMTP virtual server to accept all email.

spanned volume A storage unit that is created from multiple disks (up to a maximum of 32 disks).

Storage Explorer A management utility used by administrators to view and manage Fibre Channel and iSCSI fabrics available in the environment. The Storage Explorer interface provides a tree-structured view of the components by using APIs to collect data about the storage devices.

Storage Manager for SANs (SMfS) Utility that is used to create and manage logical unit numbers (LUNs) on both Fibre Channel and iSCSI storage arrays that support Virtual Disk Service (VDS).

streaming media Digital media that can be accessed while continuously being delivered across a network.

striped volume A storage unit that is created from two or more disks. Data is allocated alternately and evenly across each of the volumes.

T

Terminal Services A component of Windows Server that allows users to access applications and data remotely.

Terminal Services client access licenses (TS CALs) Licenses that are required for each device or user to connect to a terminal server.


TS Easy Print A Terminal Server feature that allows proxying of print jobs from the terminal server to local client drivers, removing the need to install drivers on the terminal server.

TS Gateway A Windows Server 2008 role service that encapsulates Remote Desktop Protocol (RDP) traffic over HTTPS.

TS license server A Windows Server 2008 role service that manages the Terminal Services client access licenses.

TS RemoteApp A mode of Terminal Services in Windows Server 2008 where a session can connect to a specific application, making the remote applications appear to run locally to the client.

TS Session Broker A Windows Server 2008 role service that supports session load balancing between terminal servers and reconnection to an existing session.

TS Web Access A role service for Terminal Services that makes TS RemoteApp programs and remote desktop connections available from a Web browser.

U

unicast A method of delivering content across a network that is used by media servers for providing content to connected clients. Each client receives a discrete stream, and no other client has access to that stream.

Uniform Resource Locator (URL) A standard way to identify a resource on the Internet.

V

Virtual Disk Service (VDS) A set of application programming interfaces (APIs) created by Microsoft to simplify management and configuration of storage devices.

virtualization A method for abstracting physical resources from the way they interact with other resources. Virtualization also allows a single physical resource to function as multiple resources; for example, a single physical processor can be shared among a number of virtualized computers.

VMBus The virtual machine bus used to handle high-speed requests from hypervisor-aware guest operating systems to the physical device in the parent partition.

volume set A collection of drives that can be combined to form a single volume.


W

web application A software application, executed by a web server, that responds to dynamic web page requests over HTTP.

web parts A module that can be added to a Windows SharePoint Services website to increase functionality.

Web Single Sign On (Web SSO) A system that consists of an agent installed on web servers and an authentication directory to provide a way for users to not be required to log in with multiple sets of credentials.

World Wide Name (WWN) A method of identifying components on a Fibre Channel SAN, similar to how a MAC address works on an Ethernet network.


Index

Note to the Reader: Page numbers in bold indicate the principal discussion of a topic or the definition of a term. Page numbers in italic indicate illustrations.

A

access control
  applications, 209–210
  SMTP server access settings, 169–171
  WSS end users, 292–294
access logs, 193–195
  formats, 195
  overview of, 193–194
  per-site and per-server, 194
  rollover criteria, 194
ACLs (Access Control Lists)
  creating, 248–249
  enabling ACL authorization, 247
activation. See WPA (Windows Product Activation)
Active Directory Certificate Services (AD CS), 202
Active Directory Federation Services (ADFS)
  configuring Web SSO, 300–304
  Web SSO, 296
Active Directory Rights Management Service. See AD RMS (Active Directory Rights Management Service)
AD (Active Directory), WDS server as member of AD domain, 366
AD Client Certificate Authentication
  client certificate mapping, 211
  types of website authentication, 207
AD CS (Active Directory Certificate Services), 202
AD RMS (Active Directory Rights Management Service)
  business rules, 252–253
  license required by, 253
  overview of, 251–252
  policy templates, 256–259
  user exclusions, 253–254
Add Counters dialog box, 497
Add Features Wizard, 17–18
Add Node Wizard, 423
Add Roles Wizard, 319
ADFS (Active Directory Federation Services)
  configuring Web SSO, 300–304
  Web SSO, 296
Admin logs, 469
admin switch, mstc.exe, 123–124
Administrative Events custom view, 472–473
administrative notices, WSS e-mail settings, 273
administrators
  event logs and, 472
  WDS and, 366
advanced delivery options, SMTP messages, 174–175
advanced streaming options, streaming media, 240
agent properties, SNMP, 501–502
alerts, WSS outgoing e-mail settings, 273
alternate access mapping, WSS, 287–289
American National Standards Institute (ANSI), 195
Analytics logs, 469
Anonymous authentication
  creating Anonymous account, 245–246
  types of website authentication, 207
ANSI (American National Standards Institute), 195
antivirus settings, WSS, 281–282


AppCmd.exe
  configuring IIS settings, 186
  listing and restoring backups, 196–197
  listing configured websites, 186–187
  objects available for administration by, 187–188
application and services logs, Event Viewer, 469
application logs, 469
application pools, 161–163
application settings, failover clustering, 426–428
application virtualization, 315
applicationHost.config, 160
applications
  access control, 209–210
  DRM exclusions, 255–256
  monitoring failures, 465–466
architecture, Hyper-V, 316–317
archiving, fax services and, 230
ASP
  trace content options, 190
  trace provider options, 192
ASP.NET
  configuration settings, 149
  trace content options, 190
  trace provider options, 192
  WSS supported authentication, 296
ASP.NET Impersonation, 208
authentication
  media services, 245–246
  non-windows, 165
  SMTP, 169–170, 174
  Terminal Services, 54–55, 129–130
  Web SSO (Web Single Sign On), 301–304
  website, 207–209
authentication, WSS
  Digest authentication, 297–300
  overview of, 295–296
  supported methods, 296
authorization
  application access and, 209–210
  FTP, 165–166
  media services, 246–249
  TS CAPs (Terminal Services Connection Authorization Policies), 77–80
  TS RAPs (Terminal Services Resource Authorization Policies), 80–82
automatic reconnection, Terminal Services, 125
availability, 463–464. See also high availability

B

backups, 195–197
  history settings, 195–196
  listing and restoring with AppCmd.exe, 196–197
  manual, 196
  overview of, 195
  virtual machine snapshots. See snapshots, of virtual machines
bandwidth
  Display Data Prioritization and, 46–47
  website settings, 158
Basic authentication
  SMTP, 174
  types of website authentication, 208
basic disks
  actions performed on, 5
  converting to dynamic, 6–8
Basic Input/Output System (BIOS), 342
Best Practices Analyzer tool, 282
BIOS (Basic Input/Output System), 342
block-level access, iSCSI, 19
Boot image, WDS image types, 366
broadcast publishing
  creating Broadcast Publishing Point, 235–237
  for streaming media, 233–234
business rules, DRM, 252–253


C
caching, fast, 240–241
CAs (Certificate Authorities)
    obtaining/installing certificates for TS Gateways, 74–75
    SSL and, 201–202
CEIP (Customer Experience Improvement Program), 278
Central Administration site, WSS
    configuring diagnostic logging, 280–281
    configuring incoming e-mail settings, 272–273
    configuring outgoing e-mail settings, 275–276
    configuring WSS, 269–270
    workflow options, 277
Certificate Authorities (CAs)
    obtaining/installing certificates for TS Gateways, 74–75
    SSL and, 201–202
certificates, SSL
    client certificate mapping, 211
    exporting/importing, 206–207
    requesting/renewing, 202–205
CHAP (Challenge Handshake Authentication Protocol), 19
ClearType, 46
client access licenses. See TS CALs (client access licenses)
clients
    configuring client for TS Gateway, 82–83
    enabling font smoothing on, 45–46
    mapping client certificates, 211
    media services connection settings, 244–245
    WDS client components, 365
Client-Server Runtime Subsystem (csrss.exe), 124
cloning hard disks, 332–334
clustering
    failover. See failover clustering
    NLB. See NLB (Network Load Balancing)
    pros/cons, 411
    types of, 410
clusters, failover
    clustered application settings, 426–428
    creating, 421–423
    print services, 424–426
    quorums, 414–416
    roles, 424
    validating configuration, 416–417
    working with cluster nodes, 423–424
clusters, NLB
    creating, 89–90, 435–437
    managing, 438–439
    modifying properties, 437–438
color depth, Terminal Services settings, 127
COM ports, virtual machine configuration, 343
comma-delimited files (CSV), 120
communication services
    digital rights. See DRM (Digital Rights Management)
    exam essentials, 260
    fax services. See fax services
    media servers. See media services
    overview of, 219–220
    Q&As, 261–265
    summary, 260
computer accounts
    connection authorization, 78–79
    resource authorization, 81
condition options, trace logs, 191
configuration backup settings, 195–197
Configuration Wizard, 306–311
connections
    authorization policies, 77–80
    timeout settings for websites, 158
console switch, mstsc.exe, 124


content
    adding to WSS sites, 295
    publishing options for streaming media, 232–235
    trace logs, 190
copyrights, 250
counters, Performance Monitor
    adding, 495–497
    recommended system counter thresholds, 498
CPUs
    Hyper-V hardware requirements, 319
    Performance Monitor counters for, 498
    resource allocation for Terminal Services, 138
    SMP (Symmetric Multiprocessors), 315
    virtual machine configuration, 342
Create Capture Image Wizard, 377
Create Task dialog, 480–481
credentials, WDS, 366
csrss.exe (Client-Server Runtime Subsystem), 124
CSV (comma-delimited files), 120
Customer Experience Improvement Program (CEIP), 278

D
data collection, Reliability Monitor, 462
Data Collector Sets. See DCS (Data Collector Sets)
data management settings, DCS (Data Collector Sets), 454–456
Data Manager, Windows Reliability and Performance Monitor, 451, 454–456
DCS (Data Collector Sets)
    creating automatically, 447–449
    creating from a template, 449
    creating manually, 450–451
    data management, 454–456
    log management, 453
    “Log On as a Batch Job” user right, 446–447
    overview of, 446
    start condition, 451–452
    stop condition, 453
DDNS (dynamic DNS), 386
Debug logs, 469
delegation of administration, 197–201
    Feature delegation, 199–201
    overview of, 197–198
    remote administration permissions, 198–199
delivery options, SMTP messages, 172–173
dependency viewer, 429
    overview of, 428
    running, 429
deploying images, WDS, 365–367
deploying Server Core, 380–381
deploying servers. See WDS (Windows Deployment Services)
deploying TS RemoteApps, 67
Deployment Server, WDS, 369
Deployment Services. See WDS (Windows Deployment Services)
Desktop Composition
    making available on Vista client, 50–51
    overview of, 50
Desktop Experience
    Desktop Composition, 50–51
    overview of, 48–49
    Themes, 49–50
desktop virtualization, 315
device redirection, 51–53
    overview of, 51
    Plug and Play and, 51–53
    POS (Point of Service) and, 53
DHCP (Dynamic Host Configuration Protocol), 366, 372
diagnostic logging, WSS, 278–281
dialing rules, fax services, 225–226


differencing virtual hard disks
    creating, 331–332
    description and use of, 330
Digest authentication
    configuring, 297–300
    overview of, 297
    types of website authentication, 208
digital certificates. See also certificates, SSL
    mapping certificate to TS Gateway server, 75–76
    obtaining/installing certificate for TS Gateway, 74–75
Digital Rights Management. See DRM (Digital Rights Management)
digital signatures, 134–135
Directory Management Service, WSS e-mail, 271
disaster recovery (DR), 408
disconnect options, Terminal Service, 127
Discovery Domains, 25–26
discovery scopes, TS Licensing servers, 101–102
disk drives
    converting basic disks to dynamic, 6–8
    initializing, 3
    Performance Monitor counters, 498
    virtual hard disks. See virtual hard disks
    virtual machine configuration, 342
Disk Management
    converting basic disks to dynamic, 6–8
    creating mount points, 16
    creating volume sets, 9–11
    initializing disks and, 3
disk storage. See storage management
DiskPart utility, 29
DiskRAID, 29
Display Data Prioritization, 46–47
displays, resolution options, 43–44
DNS (Domain Name System)
    KMS hosts and, 386–392
    reverse lookup, 175
    TS Session Broker Load Balancing and, 88–89
    WDS reliance on, 366
domain controllers, deploying with IFM, 394
Domain Name System. See DNS (Domain Name System)
Domain scope, TS Licensing discovery, 101–102
domains
    configuring for routing SMTP mail, 177
    FTP server and domain restrictions, 166–167
DR (disaster recovery), 408
drive letters
    assigning, 10
    mount points for overcoming limitations of, 15
Drive Specific Module (DSM)
    installing third-party DSM software, 18–19
    load balancing and, 17
DRM (Digital Rights Management), 249–259
    application exclusions, 255–256
    business rules, 252–253
    controversy regarding, 250
    document protection, 252
    encryption, 251
    licensed-based delivery, 253
    overview of, 249–251
    policy templates, 256–259
    user exclusions, 253–254
DSM (Drive Specific Module)
    installing third-party DSM software, 18–19
    load balancing and, 17
DVD drives, virtual machine configuration, 342
dynamic disks
    actions performed on, 6
    converting basic disks to, 6–8


dynamic DNS (DDNS), 386
Dynamic Host Configuration Protocol (DHCP), 366, 372
Dynamic Least Queue, 17
dynamically expanding hard disks, 329

E
Easy Print, Terminal Services, 53
e-mail, SMTP. See SMTP (Simple Mail Transfer Protocol)
e-mail, WSS
    benefits of, 274
    incoming, 270–273
    outgoing, 273–275
    outgoing e-mail settings for specific web application, 275–276
encryption
    DRM (Digital Rights Management), 251
    TLS (Transport Layer Security), 169–170
end user access, WSS, 292–294
Equal_Per_Session, CPU allocation, 138
Equal_Per_User, CPU allocation, 138
error reporting, WSS diagnostic logging, 278
event logs
    configuring computers to forward and collect events, 470–472
    custom views, 474–475
    filters, 473–474
    monitoring servers with Event Viewer, 467–468
    TS Gateway for specifying, 135–137
    wevtutil.exe for managing, 469–470
    WSS diagnostic logging, 278–279
event throttling, WSS diagnostic logging settings, 278
Event to Trap Translator, SNMP, 507
Event Viewer
    application and services logs, 469
    custom views for reading events, 472–475
    log subcategories, 470
    monitoring servers, 467–468
    Task Scheduler integrated with, 488–489
    Windows logs, 469
exclusion policies
    application exclusions, 255–256
    user exclusions, 253–254
explorer.exe (Windows shell), 124
external virtual network, 326
extranet users, FTP server configured for, 165–166

F
failback, 17
failover clustering, 411–433
    cluster quorums, 414–416
    cluster roles, services, and applications, 424
    clustered application settings, 426–428
    clustering print services, 424–426
    creating clusters, 421–423
    dependency viewer and, 429
    installing Failover Cluster feature, 417
    overview of, 411–412
    requirements for, 413–414
    resource properties, 430–432
    Validate a Configuration Wizard, 417–421
    validating cluster configuration, 416–417
    working with cluster nodes, 423–424
failovers, 17
Fast Cache, 240–241
Fast Reconnect, 243
Fast Recovery, 243
Fast Start, 241–242


fast streaming, 240
fault tolerance, NLB and, 433
Fax Service Manager, 221
fax services, 220–229
    dialing rules, 225–226
    installing Windows Fax and Scan role, 221–222
    overview of, 220–221
    properties, 223–225
    receive configuration, 222–223
    routing options, 227–230
FEC (forward error correction), 243–244
Fibre Channel
    storage devices, 27
    Storage Explorer and, 32
File services, clustering and, 411
File Transfer Protocol. See FTP (File Transfer Protocol)
filters
    event log, 473–474
    NLB (Network Load Balancing), 437–438
fixed size virtual hard disks
    creating and migrating physical disk to it, 332–334
    description and use of, 329
Folder view, Performance Monitor, 456, 458
font smoothing, 45–46
Forest scope, TS Licensing discovery, 101–102
Forms authentication
    ASP.NET, 296
    types of website authentication, 208
forward error correction (FEC), 243–244
forwarded event logs, 469
FQDNs (Fully Qualified Domain Names), 175
FTP (File Transfer Protocol), 164–167
    configuration settings, 149
    extranet users, 165–166
    IPv4 and domain restrictions, 166–167
    overview of, 164–165
    permissions, 165
FTPS (Secure FTP), 165
Fully Qualified Domain Names (FQDNs), 175

G
global deployment settings, TS RemoteApp
    digital signatures, 134–135
    overview of, 130
    RDC (Remote Desktop Connection), 133–134
    Terminal server settings, 130–132
    TS Gateway, 132–133
GPOs (Group Policy Objects). See Group Policy
GPT (GUID Partition Table), 3
graphs, Performance Monitor, 499
Group Policy
    configuring server discovery mode, 117
    configuring TS licensing mode, 116
    Terminal Services settings, 125–130
Group Policy Objects (GPOs). See Group Policy
groups
    connection authorization policies, 78–79
    FTP authorization rules, 165–166
GUID Partition Table (GPT), 3

H
hard disks
    Performance Monitor counters, 498
    virtual. See virtual hard disks
    virtual machine configuration, 342
hardware
    adding devices to virtual machines, 342
    monitoring failures, 466


hardware architecture, Hyper-V, 316
hardware requirements
    failover clustering, 413
    Hyper-V, 318–319
    NLB (Network Load Balancing) and, 434
HBA (host bus adapter)
    Fibre Channel, 27
    iSCSI and, 19–20
high availability, 407–446
    achieving, 409–411
    components of, 408–409
    exam essentials, 440
    with failover clustering. See failover clustering
    with Network Load Balancing. See NLB (Network Load Balancing)
    overview of, 407–408
    performance and reliability and, 444
    Q&As, 441–446
    Quick Migration and, 354
    summary, 439
home directory, Terminal Services, 127
hop count, advanced delivery options, 174
host bus adapter (HBA)
    Fibre Channel, 27
    iSCSI and, 19–20
host headers, website, 154–155
HTTP (Hypertext Transfer Protocol), 152
HTTP Redirection module, 156–158
HTTPS (Secure HTTP), 152, 154
Hyper-V
    adding physical (pass-through) disk to virtual machine, 335–336
    applying snapshots, 354
    architecture, 316–317
    changing configuration of existing virtual machine, 342–345
    configuring, 325–326
    creating differencing virtual hard disks, 331–332
    creating fixed size hard disk and migrating physical disk to it, 332–334
    creating snapshots, 351–354
    creating virtual machines, 338–342
    deleting virtual machines, 343
    exam essentials, 355–356
    exporting/importing virtual machines, 347–350
    hardware requirements, 318–319
    Hyper-V Manager, 324–325
    installing Integration Components, 345–347
    installing on Server Core, 322–323
    installing on Windows Server 2008, 320–322
    integration with Server Manager, 323
    key features, 315–316
    managing virtual hard disks, 336–337
    managing virtual networks, 326–328
    OSs supported, 316
    overview of, 314
    Q&As, 357–362
    Quick Migration, 354–355
    software requirements, 319
    summary, 355
    types of virtual hard disks, 329–330
    Virtual Machine Connection, 343–345
    virtual machines and, 337
    virtualization defined, 314–315
Hyper-V Manager
    configuring Hyper-V, 325–326
    creating snapshots, 351–354
    creating virtual machines, 338–342
    installing Integration Components, 346–347
    managing virtual hard disks, 336–337
    overview of, 324–325
    Revert option, 353
    Virtual Machine Connection, 344
hypervisor layer, Hyper-V architecture, 317


I
IDE controllers, virtual machine configuration, 342
IFM (Install from Media), 394–396
    creating, 395–396
    overview of, 394
IGMP (Internet Group Management Protocol), 435
IIS (Internet Information Services). See also Web services infrastructure
    AppCmd.exe for configuring, 186
    configuration settings, 149
    configuring WSS e-mail, 270
    FTP server features, 165–166
    installing, 150–152
    integration with .NET Framework, 148
    Shared Configuration, 164
    SMTP servers and, 167
    web applications, 148–149
IIS Management Service, 197–198
IIS modules, installing, 156–158
images, WDS. See system images, WDS
incoming e-mail settings, WSS, 270–273
incoming fax, routing, 227–228
inheritance, delegation of administration and, 200
in-place upgrade, WSS 2.0 to 3.0, 285
Install from Media. See IFM (Install from Media)
Install image, WDS, 366
Integrated Windows Authentication, 169, 174
Integration Components
    Hyper-V, 345–347
    virtual machine configuration, 343
intelligent streaming, 240
internal virtual network
    creating, 328
    overview of, 326
Internet Group Management Protocol (IGMP), 435
Internet Information Services. See IIS (Internet Information Services)
Internet Information Services (IIS) Manager
    application pool configuration, 161–163
    certificate request by, 202–205
    creating website using host headers, 155
    creating websites, 153–154
    .NET trust level configuration, 160
Internet Small Computer System Interface. See iSCSI (Internet Small Computer System Interface)
Internet Storage Naming Service. See iSNS (Internet Storage Naming Service)
IP address redirection, 129
IP addresses, allowing/denying, 247–248
IP Security (IPSec), 19
IPSec (IP Security), 19
IPv4, FTP server and, 166–167
IPv6, NLB support for, 433
iSCSI (Internet Small Computer System Interface)
    configuring storage connections, 20–23
    initiating sessions, 19–20
    Storage Explorer and, 32
iSCSI Initiator, 20–23
iscsicli command, 23
iSNS (Internet Storage Naming Service), 23–27
    installing, 24–27
    overview of, 23

K
keep-alive connection interval, Terminal Services, 125
Key Management Services. See KMS (Key Management Services)
keyboard, Hyper-V settings, 326


KMS (Key Management Services)
    configuring, 385–386
    creating KMS SVR record, 392–393
    DNS permissions, 387–389
    installing KMS host, 384–385
    prerequisites for, 382–383
    product activation and, 382
    publishing in multiple domains, 389–392

L
LCD monitors, font smoothing and, 45–46
LDAP (Lightweight Directory Access Protocol), 175–177
licensed-based delivery, DRM, 253
licensing, Terminal Services. See TS Licensing
Licensing Diagnosis tool, Terminal Services, 121–123
licensing mode, Terminal Services, 114–116
Lightweight Directory Access Protocol (LDAP), 175–177
Linux servers
    Hyper-V Integration Component and, 346
    Hyper-V support for, 316
load balancing. See also NLB (Network Load Balancing); TS Session Broker
    configuring DNS for TS Session Load Balancing, 88–89
    Group Policy settings for Terminal Services, 129
    policies, 17
Local Security Authority Subsystem (lsass.exe), 124
Local Session Manager (lsm.exe), 124
“Log On as a Batch Job” user right, 446–447
logical unit numbers (LUN)
    Fibre Channel, 27
    SMfS for managing, 29
Logon User Interface Host (logonui.exe), 125
logs
    access logs, 193–195
    diagnostic logging in WSS, 278–281
    managing DCS logs, 453–456
    Performance Monitor, 456–459
    reviewing log files during WSS upgrade, 284
    trace logs. See trace logs
    TS Gateway for specifying event logs, 135–137
lsass.exe (Local Security Authority Subsystem), 124
lsm.exe (Local Session Manager), 124
LUN (logical unit numbers)
    Fibre Channel, 27
    SMfS for managing, 29

M
MAC (media access control) addresses, 433, 435
management tools, WDS, 365
mandatory profiles, Terminal Service, 128
Master Boot Record (MBR), 3
MBR (Master Boot Record), 3
mean time between failure (MTBF), SLAs and, 409
mean time to recover (MTTR), SLAs and, 409
media access control (MAC) addresses, 433, 435
media services, 229–249
    advanced streaming options, 240
    authentication settings, 245–246
    authorization settings, 246–249
    client connection settings, 244–245


    content publishing options, 232–235
    creating broadcast publishing point, 235–237
    Fast Caching, 240–241
    Fast Recovery and Fast Reconnect, 243
    Fast Start, 241–242
    features, 230–231
    FEC (forward error correction), 243–244
    installation requirements, 232
    multicast streams, 237–239
    streaming options, 232
    Windows media services, 229–230
memory, virtual machine configuration, 342
memory counters, Performance Monitor, 498
message size, SMTP servers, 171–172
message transport agents (MTA), 168
Microsoft.NET Framework. See .NET Framework
migration
    content to WSS sites, 295
    Hyper-V Quick Migration feature, 316, 354–355
mirrored volumes
    creating RAID sets, 13–15
    overview of, 9
monitor spanning, RDC, 44
monitoring performance
    access logs, 193–195
    data collector sets. See DCS (Data Collector Sets)
    logging events. See event logs
    Q&As, 509–515
    scheduling tasks. See Task Scheduler
    SNMP (Simple Management Protocol). See SNMP (Simple Management Protocol)
    summary, 507–508
    trace logs, 188–193
    Windows Reliability and Performance Monitor. See Windows Reliability and Performance Monitor
mount points
    creating, 16
    overview of, 15
MP3s, file sharing controversy, 250
MPIO (Multipath I/O)
    installing, 17–18
    load balancing and, 17
MSI (Windows Installer files), 63–65
mstsc.exe, 123–124
MTA (message transport agents), 168
MTBF (mean time between failure), SLAs and, 409
MTTR (mean time to recover), SLAs and, 409
multicast addresses, WDS servers, 372
multicast streams
    configuring, 237–239
    overview of, 234–235
Multipath I/O (MPIO)
    installing, 17–18
    load balancing and, 17

N
NAS (Network Attached Storage), 28
.NET Device Redirection, 53
.NET Framework
    application pools and, 161
    components, 160
    configuration settings, 149
    IIS integration with, 148
    trust levels, 160–161
network adapters
    failover clustering and, 414
    virtual machine configuration, 342
Network Attached Storage (NAS), 28
network connections, for failover clusters, 413


Network Load Balancing. See NLB (Network Load Balancing)
Network Load Balancing Manager, 435
network settings, WDS servers, 372, 374
NLB (Network Load Balancing)
    creating clusters, 89–90, 435–437
    how it works, 433–434
    Hyper-V support for, 315
    installing, 89–90
    managing clusters, 438–439
    modifying cluster properties, 437–438
    overview of, 433
    requirements for, 434–435
    web farms and, 164
nlb.exe, 438–439
No Majority:Disk Only, cluster quorums, 414, 416
Node and Disk Majority, cluster quorums, 414–415
Node and File Share Majority, cluster quorums, 414, 416
Node Majority, cluster quorums, 414–415
Not Delegated permission, delegation of administration, 200
notifications, WSS outgoing e-mail settings, 273
ntdsutil utility, 394
NTFS filesystem, WDS and, 366

O
on-demand publishing, streaming media, 233–234
operating systems (OSs)
    font smoothing support, 45
    Hyper-V supported, 316
operational logs, 470
OSs (operating systems)
    font smoothing support, 45
    Hyper-V supported, 316
outbound connections, SMTP server, 174
outbound security, SMTP server, 173–174
outgoing e-mail settings, WSS, 273–275

P
pass-through (physical) virtual hard disks
    adding to virtual machine, 332–334
    description and use of, 330
pass-through hard disk. See physical (pass-through) virtual hard disks
Per Device CALs. See TS Per Device CALs (client access licenses)
Per User CALs. See TS Per User CALs (client access licenses)
Performance Monitor
    adding counters, 495–497
    creating a Data Collector Set, 447–449
    graph options, 499
    loading log data, 458–459
    logs, 456–458
    monitoring specific system activity, 495
    navigating log view, 459
    recommended system counter thresholds, 498
    viewing system availability, 463–464
Performance Monitor view, 456–457
performance optimization, Best Practices Analyzer tool, 282
permissions
    FTP server, 165
    remote administration, 198–199
physical (pass-through) virtual hard disks
    adding to virtual machine, 332–334
    description and use of, 330
PKI (Public Key Infrastructure), 201
Plug and Play devices, 51–53
Point of Service (POS), 53
policies
    load balancing, 17
    resource policies, 430–432
policy templates, DRM, 256–259
port rules, NLB, 434
ports
    HTTP (80), 152
    HTTPS (443), 152
    resource authorization policies, 82


POS (Point of Service), 53
presentation virtualization, 315
Print services
    clustering, 424–426
    clustering and, 411
    TS Easy Print, 53
private keys, SSL certificates, 201–202
private networks, failover clustering, 413
private virtual machine network, 327
processor counters, Performance Monitor, 498
processors. See CPUs
properties
    fax services, 223–225
    SMTP virtual server, 168–169
    WDS server, 372–374
Public Key Infrastructure (PKI), 201
public keys, SSL certificates, 201–202
public networks, failover clustering, 413
publishing points, streaming media
    enabling FEC on, 243
    types of, 233
PXE, WDS servers, 370–372

Q
Quick Migration, Hyper-V, 316, 354–355
quota templates, WSS, 290–291

R
RAC (Reliability Analysis Component), 462
RAID (Redundant Array of Independent Disks)
    comparing RAID levels, 12
    creating RAID sets, 13–15
    high availability and, 410
    types of, 11–12
RAID-0 (disk striping), 11
RAID-1 (disk mirroring), 12
RAID-5 (disk striping with parity), 12
RDC (Remote Desktop Connection)
    ClearType settings, 46
    client software, 42
    Desktop Composition, 50–51
    device redirection, 51–53
    Display Data Prioritization, 46–47
    display resolution options, 43–44
    font smoothing, 45–46
    improvements to desktop experience, 48–49
    monitor spanning, 44
    overview of, 43
    SSO (Single Sign-On), 54–55
    Themes, 49–50
    TS Easy Print, 53
RDC switch, mstsc.exe, 123
RDP (Remote Desktop Protocol)
    custom display resolutions, 44
    digital signatures, 134–135
    distributing RDP files, 67
    exporting TS RemoteApp program, 65
    global deployment settings, 133–134
    monitor spanning, 44
    packaging TS RemoteApp program, 63
    RDC (Remote Desktop Connection) and, 42–43
    RDP-TCP properties, 54
    TS Gateway encapsulating RDP traffic, 72
Read Only permissions, delegation of administration, 200
read-only domain controllers (RODCs), 394
Read/Write permissions, delegation of administration, 199–200
receive configuration, fax services, 222–223
recovery point objective (RPO), 408–409
recovery time objective (RTO), 408–409
redirection
    configuring, 156
    Terminal Services settings, 129
redirection, device. See device redirection


Redundant Array of Independent Disks. See RAID (Redundant Array of Independent Disks)
redundant systems, 410. See also high availability
relaying, SMTP messages, 171
release key, Hyper-V settings, 326
Reliability Analysis Component (RAC), 462
Reliability Monitor
    features, 462–463
    overview of, 461–462
    viewing system stability with, 463–464
remote administration
    creating/managing tasks, 485–487
    of licensing servers, 123–125
    permissions, 198–199
Remote Desktop Connection. See RDC (Remote Desktop Connection)
Remote Installation Services (RIS), 364
remote sessions, Terminal Services settings, 126
RemoteApp. See TS RemoteApps
Report view, Performance Monitor, 456
reports, Windows Reliability and Performance Monitor, 459
resolution options, displays, 43–44
resource allocation, Terminal Services. See WSRM (Windows System Resource Manager)
Resource Monitor
    monitoring general system activity, 491–494
    overview of, 490
resources
    authorization policies, 80–82
    failover clustering, 430–432
restores, 196–197. See also backups
restores, virtual machines. See snapshots, of virtual machines
reverse lookup, DNS, 175
Revert option, Hyper-V Manager, 353
RIS (Remote Installation Services), 364
RODCs (read-only domain controllers), 394
role server installation
    AD RMS (Active Directory Rights Management Service), 251–252
    Authentication, 208–209
    Hyper-V, 320–322
    IIS 7.0, 150–152
    IIS Management Service, 197–198
    Terminal Services, 56–60
    Tracing, 188
    TS Gateway, 72–74
    TS Licensing, 102–105
    TS Session Broker, 85–86
    TS Web Access, 67–71
    URL Authorization, 209
    Windows Deployment Services, 367–369
    Windows Fax and Scan, 221
round robin, 17
routing options, fax services, 227–230
    adding routing rules, 228–229
    archiving and, 230
    incoming faxes, 227–228
RPO (recovery point objective), 408–409
RTO (recovery time objective), 408–409

S
SANs (Storage Area Networks)
    managing, 28
    SMfS (Storage Manager for SANs), 29–32
scalability, NLB, 433
scanning, for viruses, 281–282
scheduling tasks. See Task Scheduler
Schtasks.exe
    creating task, 481
    managing tasks, 487–488
    managing tasks remotely, 487
scripting, Hyper-V, 316
SCSI controllers, virtual machine configuration, 342


Secure FTP (FTPS), 165
Secure Sockets Layer. See SSL (Secure Sockets Layer)
security
    logs, 469
    SMTP, 173–174
    SNMP, 504–505
    Task Scheduler improvements, 477
    Windows Media Server, 245
server components, WDS, 365
Server Core
    Hyper-V installation on, 322–323
    installing, 381
    overview of, 380
server deployment. See WDS (Windows Deployment Services)
server discovery mode, TS Licensing, 116–117
Server Manager
    Add Roles Wizard, 319
    allowing/denying IP addresses, 247–248
    configuring client connection settings, 244–245
    configuring fax device properties, 222–225
    configuring fax routing, 227–229
    configuring multicast streaming, 237–239
    configuring SNMP agents, 502
    configuring SNMP security, 504–505
    configuring SNMP traps, 503–504
    creating ACL list, 248–249
    creating Anonymous account, 245–246
    creating Broadcast Publishing Point, 235–237
    enabling ACL authorization, 247
    enabling Advanced Fast Start, 242
    enabling FEC, 243
    Hyper-V integration with, 323
    installing Failover Cluster feature, 417
    installing Hyper-V, 320–322
    installing IIS 7.0, 150–152
    installing IIS modules, 156–158
    installing SNMP Services, 500–501
    installing Windows Deployment Services, 367–369
    installing Windows Fax and Scan, 221–222
    installing WSRM, 138–139
    starting/stopping SNMP Service, 506
Server Performance Advisor (SPA), 451
server roles. See role server installation
server virtualization, 315
servers
    enabling SSL on Web servers, 205–206
    event logs for monitoring, 467–468
    remote administration, 123–125
servers, Terminal Services
    activating TS Licensing, 107–110
    adding to Session Directory Computer Local Group, 86–87
    adding to TS Broker Farm, 87–88
    discovery scopes for TS Licensing, 101–102
    global deployment settings, 130–133
    installing TS Licensing, 102–105
    mapping certificates to TS Gateway, 75–76
Service Control Manager (services.exe), 124
Service Level Agreements (SLAs), 408–409
Service Location (SVR) record, 392–393
Session Directory Computer Local Group, 86–87
Session Manager (smss.exe), 124
session time limits, Terminal Service, 128–129
setup logs, 469
Shared Configuration, IIS 7.0, 164
SharePoint Services. See WSS (Windows SharePoint Services)
Simple Mail Transfer Protocol. See SMTP (Simple Mail Transfer Protocol)


Simple Management Protocol. See SNMP (Simple Management Protocol)
simple volumes, 8
Single Sign-On (SSO). See also Web SSO (Web Single Sign On)
    configuring on client computers, 55
    for Terminal Services, 54–55
site content, WSS, 295
sites. See websites
SLAs (Service Level Agreements), 408–409
smart hosts, advanced delivery options, 175
SMfS (Storage Manager for SANs), 29–32
    installing, 30–31
    overview of, 29–30
    tasks performed with, 31–32
SMP (Symmetric Multiprocessors), 315
smss.exe (Session Manager), 124
SMTP (Simple Mail Transfer Protocol), 167–177
    access settings, 169–171
    advanced delivery options, 174–175
    configuring WSS e-mail and, 270
    delivery options, 172–173
    domain configuration, 177
    LDAP routing, 175–177
    message size and transfer limits, 171–172
    outbound connections, 174
    outbound security, 173–174
    overview of, 166–167
    virtual server general properties, 168–169
snapshots, of virtual machines
    applying, 354
    creating, 351–354
    exporting/importing virtual machines and, 349
    file location, 343
    overview of, 316
SNMP (Simple Management Protocol)
    configuring agent properties, 501–502
    configuring Event to Trap Translator, 507
    configuring security settings, 504–505
    configuring traps, 503–504
    installing SNMP Services, 500–501
    overview of, 500
    starting/stopping SNMP Service, 506
software install/uninstall, monitoring, 465
software requirements, Hyper-V, 319
SPA (Server Performance Advisor), 451
spanned volumes, 8
SQL Server, failover clustering, 411–412
SSL (Secure Sockets Layer)
    digital signatures and, 134–135
    enabling on websites, 205–206
    exporting/importing certificates, 206–207
    FTPS (Secure FTP) and, 165
    overview of, 201–202
    requesting/renewing certificates, 202–205
SSO (Single Sign-On)
    configuring on client computers, 55
    for Terminal Services, 54–55
Stability Index, Reliability Monitor, 462
start condition, DCS (Data Collector Sets), 451–452
startup/shutdown, virtual machine configuration, 343
state options, virtual machines, 341–342
stop condition, DCS (Data Collector Sets), 453
Storage Area Networks (SANs)
    managing, 28
    SMfS (Storage Manager for SANs), 29–32
Storage Explorer, 32–33
storage management
    basic disks, 5
    configuring iSCSI storage connections, 20–23
    converting basic disks to dynamic, 6–8
    creating RAID sets, 13–15


    creating volume sets, 9–11
    dynamic disks, 6
    exam essentials, 34
    failover clustering, 413
    Fibre Channel, 27
    initialization disk drives, 2–5
    initiating iSCSI sessions, 19–20
    iSNS (Internet Storage Naming Service), 23–27
    mount points and, 15–16
    MPIO (Multipath I/O), 17–19
    NAS (Network Attached Storage), 28
    RAID (Redundant Array of Independent Disks), 11–12
    review Q&As, 35–39
    SANs (Storage Area Networks), 28
    SMfS (Storage Manager for SANs), 29–32
    Storage Explorer, 32–33
    summary, 33
    VDS (Virtual Disk Service), 28–29
    volumes, 8–9
Storage Manager for SANs. See SMfS (Storage Manager for SANs)
streaming media
    advanced streaming options, 240
    content creation, 232–233
    content publishing options, 232–235
    creating Broadcast Publishing Point, 235–237
    multicast streams, 237–239
    overview of, 232
striped volumes, 8
SVR (Service Location) record, 392–393
Symmetric Multiprocessors (SMP), 315
system availability, 463–464. See also high availability
system clock, monitoring changes to, 464–465
System Diagnostics report, 459–461
    overview of, 459–460
    viewing, 460–461
system images, WDS
    benefits of, 367
    capturing with WDSUTIL, 379
    capturing with Wizard, 376–378
    creating, 375
    deploying, 365–367
system logs, 469
system stability, 461
System Stability Chart, Reliability Monitor, 462
System Stability Report, Reliability Monitor, 462–463
System.applicationHost, IIS settings, 149
System.WebServer, IIS settings, 149

T
Task Scheduler
    creating/managing tasks remotely, 485–487
    displaying all running tasks, 482
    exporting/importing tasks, 483–484
    integration with Event Viewer, 488–489
    managing tasks, 481–482
    overview of, 475–477
    scheduling tasks manually from command line, 481
    scheduling tasks manually with Windows interface, 480–481
    scheduling tasks with wizard, 477–478
    triggers for tasks, 479–480
    viewing task history, 484–485
templates, creating DCS from, 449
Terminal Services
    adding applications to TS Remote App program list, 60–62
    adding servers to Session Directory Computer Local Group, 86–87
    adding servers to TS Broker Farm, 87–88
    ClearType settings, 46


    configuring client for TS Gateway, 82–83
    configuring DNS for TS Session Broker Load Balancing, 88–89
    creating TS CAPs (Terminal Services Connection Authorization Policies), 77–80
    creating TS RAPs (Terminal Services Resource Authorization Policies), 80–82
    Desktop Composition, 50–51
    Desktop Experience, 48–49
    device redirection, 51–53
    Display Data Prioritization, 46–47
    display resolution options, 43–44
    distributing TS RemoteApp applications, 67
    Easy Print, 53
    exam essentials, 92
    exporting/importing TS RemoteApp programs and settings, 65–67
    font smoothing, 45–46
    Group Policy settings for, 125–130
    installing Terminal Services role, 56–60
    installing TS Gateway role, 72–74
    installing TS Session Broker role, 85–86
    installing TS Web Access role, 67–71
    load balancing, 84
    mapping certificate to TS Gateway server, 75–76
    monitor spanning, 44
    NLB (Network Load Balancing), 89–90
    obtaining/installing certificate for TS Gateway, 74–75
    overview of, 41–42
    packaging TS RemoteApp program, 63–65
    Q&As, 93–97
    RDC (Remote Desktop Connection), 43
    resource allocation. See WSRM (Windows System Resource Manager)
    SSO (Single Sign-On), 54–55
    summary, 90–91
    Themes, 49–50
Terminal Services client access licenses. See TS CALs (client access licenses)
Terminal Services Configuration tool
    configuring licensing mode, 114–115
    configuring server discovery mode, 116–117
    running licensing diagnosis, 122–123
Terminal Services Connection Authorization Policies (TS CAPs), 77–80
Terminal Services Resource Authorization Policies (TS RAPs), 80–82
Terminal Services Role, installing, 56–60
Themes service
    setting new theme, 49–50
    starting, 49
TLS (Transport Layer Security)
    encrypting SMTP communication, 169–170
    SMTP outbound security, 174
trace logs
    condition options, 191
    content options, 190
    enabling failed request tracing, 188–190
    trace provider options, 192–193
    Windows event categories, 279
transfer limits, SMTP messages, 171–172
Transport Layer Security (TLS)
    encrypting SMTP communication, 169–170
    SMTP outbound security, 174
Transportation Server, WDS, 369
traps, SNMP
    configuring, 503–504
    Event to Trap Translator, 507
triggers, for tasks, 479–480


trust levels, .NET Framework, 160–161
TS CALs (client access licenses)
    activating license servers, 107–110
    installing, 110–114
    revoking CALs, 121
    stored in Active Directory Domain Services, 118
    tracking issuance of Per User CALs, 117–120
TS CAPs (Terminal Services Connection Authorization Policies), 77–80
TS Easy Print, 53
TS Gateway, 72–83
    configuring client for, 82–83
    creating TS CAPs (Terminal Services Connection Authorization Policies), 77–80
    creating TS RAPs (Terminal Services Resource Authorization Policies), 80–82
    global deployment settings, 132–133
    Group Policy settings, 129–130
    installing TS Gateway role, 72–74
    mapping certificates to server, 75–76
    monitoring, 135–137
    obtaining/installing certificates, 74–75
    overview of, 72
    viewing user connection information, 137–138
TS Gateway Manager
    monitoring with, 135–137
    viewing user connection information with, 137–138
TS License server discovery mode, 116–117
TS Licensing
    activating license servers, 107–110
    client access licenses, 100–101
    configuring licensing mode, 114–116
    configuring server discovery mode, 116–117
    exam essentials, 140
    installing, 101
    installing CALs, 110–114
    installing TS Licensing Manager, 105–106
    installing TS Licensing role service, 102–105
    Licensing Diagnosis tool, 121–123
    overview of, 99–100
    Q&As, 141–145
    remote administration of servers, 123–125
    revoking CALs, 121
    server discovery, 101–102
    summary, 139–140
    tracking TS Per User CALs, 117–120
TS Licensing Manager
    activating license servers, 107–110
    connecting to license servers, 105
    installing, 105–106
    installing CALs, 111–114
    reports on CAL issuance, 119–120
TS licensing mode, 114–116
TS Per Device CALs (client access licenses)
    revoking, 121
    stored in Active Directory Domain Services, 118
    types of client access licenses, 100–101
TS Per User CALs (client access licenses)
    reports on license issuance, 119–120
    stored in Active Directory Domain Services, 118
    tracking issuance of, 117–118
    types of client access licenses, 100–101
TS RAPs (Terminal Services Resource Authorization Policies), 80–82
TS RemoteApp Manager
    adding applications to TS Remote App program list, 60
    configuring digital signatures, 134–135
    RDP global deployment settings, 133–134


    Terminal server global deployment settings, 130–132
    TS Gateway global deployment settings, 132–133
TS RemoteApps, 55–72
    adding applications to program list, 60–62
    applying in large environments, 65
    digital signature settings, 134–135
    distributing applications, 67
    exam essentials, 140
    exporting/importing programs and settings, 65–67
    global deployment settings, 130–132
    installing Terminal Services Role, 56–59
    overview of, 55
    packaging programs, 63–65
    Q&As, 141–145
    RDP global deployment settings, 133–134
    summary, 139–140
    TS Gateway global deployment settings, 132–133
TS Session Broker
    configuring DNS for load balancing, 88–89
    configuring server farms, 84–85
    configuring servers to join farm and participate in load balancing, 87–88
    Group Policy settings, 129
    installing TS Session Broker Role service, 85–86
    NLB (Network Load Balancing) and, 89–90
    overview of, 84
TS Web Access
    adding computer account to TS RemoteApp server, 70–71
    installing, 67–69

U
unicast streaming, 234
Unicode Transformation Format-8 (UTF-8), 195
Uniform Resource Locators. See URLs (Uniform Resource Locators)
upgrades, WSS 2.0 to 3.0, 283–285
URL Authorization module, 209
URLs (Uniform Resource Locators)
    alternate access mapping and, 287–289
    host headers relying on, 154
    redirection and, 156
user connections, TS Gateway Manager for viewing, 137–138
user credentials, Hyper-V, 326
user exclusions, DRM, 253–254
user interface, Task Scheduler, 476
user profiles, Terminal Service, 128
user rights, “Log On as a Batch Job” user right, 446–447
user-added content, WSS sites, 295
users
    connection authorization policies, 78
    FTP authorization rules, 165–166
    resource authorization policies, 81
UTF-8 (Unicode Transformation Format-8), 195

V
Validate a Configuration Wizard, 417–421
    addressing problems reported by, 421
    overview of, 417–419
    running, 419–420
VDS (Virtual Disk Service), 28–29
VHD files, 329, 348. See also virtual hard disks
virtual directories, 155–156
Virtual Disk Service (VDS), 28–29


virtual hard disks
    adding physical (pass-through) disk to virtual machine, 335–336
    configuring, 326
    creating differencing disk, 331–332
    creating fixed size disk and migrating physical disk to it, 332–334
    exporting/importing virtual machines and, 349
    managing, 336–337
    types of, 329–330
virtual host names, 165
virtual LAN (VLAN), 327
Virtual Machine Connection, 343–345
    functions of, 344
    overview of, 343–344
    window illustration, 345
Virtual Machine Remote Control (VMRC), 343
virtual machines
    adding physical (pass-through) disk to, 335–336
    applying snapshots, 354
    changing configuration of existing, 342–345
    configuring, 326
    creating, 338–342
    creating snapshots, 351–354
    deleting, 343
    exporting/importing, 347–350
    installing Integration Components to Windows Server, 346–347
    overview of, 337
    Virtual Machine Connection, 343–345
Virtual Network Manager, 326
virtual networks, 326–328
    creating internal virtual network, 328
    overview of, 326
    types of, 326–327
virtual server, SMTP, 168–169
virtual switches. See virtual networks
virtualization, 314–315. See also Hyper-V
virus scans, WSS, 281–282
VLAN (virtual LAN), 327
VMC file, 348
VMRC (Virtual Machine Remote Control), 343
volumes
    creating volume sets, 9–11
    types of, 8–9

W
WDS (Windows Deployment Services), 363–401
    capturing images with WDSUTIL, 379
    capturing images with Wizard, 376–378
    configuration settings, 369–370
    configuring WDS server for first use, 370–372
    configuring WDS server properties, 372–374
    creating images, 375
    deploying images, 365–367
    deploying Server Core, 380–381
    exam essentials, 397
    IFM (Install from Media), 394–396
    installing WDS role, 367–369
    overview of, 364–365
    Q&As, 397–401
    summary, 397
WDS image capture utility, 375
WDSUTIL, 379
web applications
    configuring, 148–149
    creating zones for, 289–290
    creating/extending with WSS, 284–287
Web farms, configuring, 161–163
Web servers, enabling SSL on, 205–206
Web services infrastructure
    application pools, 161–163
    configuring Web applications, 148–149
    creating/configuring websites, 152–153
    exam essentials, 178


    FTP service. See FTP (File Transfer Protocol)
    host headers for creating websites, 154–155
    installing IIS 7.0, 150–152
    installing IIS modules, 156–158
    Internet Services (IIS) Manager for creating websites, 153–154
    .NET components, 160
    .NET trust levels, 160–161
    overview of, 147–148
    Q&As, 179–184
    redirection, 156
    SMTP service. See SMTP (Simple Mail Transfer Protocol)
    summary, 177–178
    virtual directories, 155–156
    Web farm configuration, 161–163
    website limits, 158–159
Web services infrastructure, advanced
    access logs, 193–195
    AppCmd.exe for configuring IIS settings, 186–188
    application access, 209–210
    backups and restores, 195
    client certificate mapping, 211
    configuration backup settings, 195–197
    delegation of administration, 197–201
    exam essentials, 212
    overview of, 185
    Q&As, 213–217
    SSL. See SSL (Secure Sockets Layer)
    summary, 211–212
    trace logs, 188–193
    website authentication, 207–209
Web SSO (Web Single Sign On). See also SSO (Single Sign-On)
    configured by ADFS, 300–304
    federated authorization in WSS, 296
Web.config, IIS settings, 149
websites
    AppCmd.exe for listing, 186–187
    authentication, 207–209
    creating/configuring, 152–153
    host headers for creating, 154–155
    Internet Services (IIS) Manager for creating, 153–154
    resource limits, 158–159
    SSL enabled on, 205–206
websites, WSS
    adding content, 295
    alternate access mapping, 287–289
    configuring, 283
    creating site collections, 291–292
    creating/extending web applications, 284–287
    end user access, 292–294
    quota templates, 290–291
    upgrading WSS 2.0 and, 283–284
    zones for web applications, 289–290
weighted paths, 17
wevtutil.exe, 469–470
WIM files, 375
Windows authentication
    types of website authentication, 208
    WSS and, 296
Windows Deployment Services. See WDS (Windows Deployment Services)
Windows Deployment Services Configuration Wizard, 370–372
Windows events, logging, 279
Windows Fax and Scan role, 221–222
Windows Firewall, 472
Windows Installer files (MSI), 63–65
Windows logs, Event Viewer, 469
Windows Management Instrumentation (WMI), 316
Windows Media Encoder, 232–233
Windows Media format, 232
Windows Media Player
    Advanced Fast Start, 242
    creating content, 232–233
    Fast Start, 241


Windows Media Services. See also media services
    Advanced Fast Start, 242
    advanced streaming options, 240
    Fast Cache, 240–241
    Fast Recovery and Fast Reconnect, 243–244
    Fast Start, 241
    overview of, 229–230
    security, 245
    unicast streaming, 234
Windows Media Stream Editor, 232–233
Windows Movie Maker, 232–233
Windows OSs
    AD RMS support, 251
    fax services, 222
    Hyper-V availability, 324–325
    Hyper-V Integration Component, 345–346
    Hyper-V support, 316
    KMS support, 384
    managing tasks remotely, 485
    monitoring failures, 466–467
Windows PE, WDS interface, 366
Windows Performance Diagnostic Console
    monitoring general system activity, 491–494
    overview of, 490
    Resource Monitor, 490–491
Windows Process Activation Service (WPAS), 162
Windows Product Activation (WPA)
    backlash to, 382
    configuring, 381–383
Windows Reliability and Performance Monitor
    application failures, 465–466
    components and new features, 445
    data collector sets. See DCS (Data Collector Sets)
    hardware failures, 466
    log data, 456–459
    miscellaneous failures, 467
    overview of, 444
    Reliability Monitor features, 462–463
    reports, 459
    software install/uninstall, 465
    system clock changes, 464–465
    System Diagnostics report, 459–461
    viewing system availability, 463–464
    viewing system stability, 461
    Windows OS failures, 466–467
Windows Remote Management (WinRM), 471
Windows Servers
    Hyper-V software requirements, 319
    Hyper-V support for, 316
    media services and, 229–231
Windows shell (explorer.exe), 124
Windows Startup Application (wininit.exe), 124
Windows System Resource Manager. See WSRM (Windows System Resource Manager)
Winlogon (winlogon.exe), 124–125
WinRM (Windows Remote Management), 471
WMI (Windows Management Instrumentation), 316
Word documents, AD RMS protection, 252
workflow options, WSS, 277
Workgroup, TS Licensing discovery scopes, 101–102
World Wide Name (WWN), 27
WPA (Windows Product Activation)
    backlash to, 382
    configuring, 381–383
WPAS (Windows Process Activation Service), 162
WSRM (Windows System Resource Manager)
    configuring, 139
    installing, 138–139
    overview of, 138


WSS (Windows SharePoint Services), 267–311
    alternate access mapping, 287–289
    antivirus settings, 281–282
    authentication, 295–296
    Best Practices Analyzer tool, 282
    configuring, 269–270
    configuring sites, 283
    configuring SSO, 300–304
    creating site collections, 291–292
    creating/extending web applications, 284–287
    diagnostic logging settings, 278–281
    Digest authentication, 297–300
    end user access, 292–294
    exam essentials, 305
    incoming e-mail settings, 270–273
    outgoing e-mail settings, 273–275
    outgoing e-mail settings for specific web application, 275–276
    overview of, 267–268
    Q&As, 306–311
    quota templates, 290–291
    site content, 295
    summary, 305
    upgrading version 2.0, 283–285
    workflow options, 277
    zones for web applications, 289–290
WWN (World Wide Name), 27
WWW Server, 192

Z
zones, web applications
    authentication and, 297
    creating, 289–290


Wiley Publishing, Inc. End-User License Agreement

READ THIS. You should carefully read these terms and conditions before opening the software packet(s) included with this book “Book”. This is a license agreement “Agreement” between you and Wiley Publishing, Inc. “WPI”. By opening the accompanying software packet(s), you acknowledge that you have read and accept the following terms and conditions. If you do not agree and do not want to be bound by such terms and conditions, promptly return the Book and the unopened software packet(s) to the place you obtained them for a full refund.

1. License Grant. WPI grants to you (either an individual or entity) a nonexclusive license to use one copy of the enclosed software program(s) (collectively, the “Software”) solely for your own personal or business purposes on a single computer (whether a standard computer or a workstation component of a multi-user network). The Software is in use on a computer when it is loaded into temporary memory (RAM) or installed into permanent memory (hard disk, CD-ROM, or other storage device). WPI reserves all rights not expressly granted herein.

2. Ownership. WPI is the owner of all right, title, and interest, including copyright, in and to the compilation of the Software recorded on the physical packet included with this Book “Software Media”. Copyright to the individual programs recorded on the Software Media is owned by the author or other authorized copyright owner of each program. Ownership of the Software and all proprietary rights relating thereto remain with WPI and its licensers.

3. Restrictions On Use and Transfer.

(a) You may only (i) make one copy of the Software for backup or archival purposes, or (ii) transfer the Software to a single hard disk, provided that you keep the original for backup or archival purposes. You may not (i) rent or lease the Software, (ii) copy or reproduce the Software through a LAN or other network system or through any computer subscriber system or bulletin-board system, or (iii) modify, adapt, or create derivative works based on the Software.

(b) You may not reverse engineer, decompile, or disassemble the Software. You may transfer the Software and user documentation on a permanent basis, provided that the transferee agrees to accept the terms and conditions of this Agreement and you retain no copies. If the Software is an update or has been updated, any transfer must include the most recent update and all prior versions.

4. Restrictions on Use of Individual Programs. You must follow the individual requirements and restrictions detailed for each individual program in the About the CD-ROM appendix of this Book or on the Software Media. These limitations are also contained in the individual license agreements recorded on the Software Media. These limitations may include a requirement that after using the program for a specified period of time, the user must pay a registration fee or discontinue use. By opening the Software packet(s), you will be agreeing to abide by the licenses and restrictions for these individual programs that are detailed in the About the CD-ROM appendix and/or on the Software Media. None of the material on this Software Media or listed in this Book may ever be redistributed, in original or modified form, for commercial purposes.

5. Limited Warranty.

(a) WPI warrants that the Software and Software Media are free from defects in materials and workmanship under normal use for a period of sixty (60) days from the date of purchase of this Book. If WPI receives notification within the warranty period of defects in materials or workmanship, WPI will replace the defective Software Media.

(b) WPI AND THE AUTHOR(S) OF THE BOOK DISCLAIM ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE SOFTWARE, THE PROGRAMS, THE SOURCE CODE CONTAINED THEREIN, AND/OR THE TECHNIQUES DESCRIBED IN THIS BOOK. WPI DOES NOT WARRANT THAT THE FUNCTIONS CONTAINED IN THE SOFTWARE WILL MEET YOUR REQUIREMENTS OR THAT THE OPERATION OF THE SOFTWARE WILL BE ERROR FREE.

(c) This limited warranty gives you specific legal rights, and you may have other rights that vary from jurisdiction to jurisdiction.

6. Remedies.

(a) WPI’s entire liability and your exclusive remedy for defects in materials and workmanship shall be limited to replacement of the Software Media, which may be returned to WPI with a copy of your receipt at the following address: Software Media Fulfillment Department, Attn.: MCTS: Windows Server Applications Infrastructure Configuration Study Guide, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, or call 1-800-762-2974. Please allow four to six weeks for delivery. This Limited Warranty is void if failure of the Software Media has resulted from accident, abuse, or misapplication. Any replacement Software Media will be warranted for the remainder of the original warranty period or thirty (30) days, whichever is longer.

(b) In no event shall WPI or the author be liable for any damages whatsoever (including without limitation damages for loss of business profits, business interruption, loss of business information, or any other pecuniary loss) arising from the use of or inability to use the Book or the Software, even if WPI has been advised of the possibility of such damages.

(c) Because some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation or exclusion may not apply to you.

7. U.S. Government Restricted Rights. Use, duplication, or disclosure of the Software for or on behalf of the United States of America, its agencies and/or instrumentalities “U.S. Government” is subject to restrictions as stated in paragraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause of DFARS 252.227-7013, or subparagraphs (c) (1) and (2) of the Commercial Computer Software - Restricted Rights clause at FAR 52.227-19, and in similar clauses in the NASA FAR supplement, as applicable.

8. General. This Agreement constitutes the entire understanding of the parties and revokes and supersedes all prior agreements, oral or written, between them and may not be modified or amended except in a writing signed by both parties hereto that specifically refers to this Agreement. This Agreement shall take precedence over any other documents that may be in conflict herewith. If any one or more provisions contained in this Agreement are held by any court or tribunal to be invalid, illegal, or otherwise unenforceable, each and every other provision shall remain in full force and effect.


The Absolute MCTS: Windows Server 2008 Applications Infrastructure Configuration Book/CD Package on the Market!

Get ready for your Microsoft Certified Technology Specialist: Windows Server 2008 Applications Platform, Configuration or MCITP: Enterprise or Server Administrator certifications with the most comprehensive and challenging sample tests anywhere!

The Sybex Test Engine features:

• All the review questions, as covered in each chapter of the book

• Challenging questions representative of those you’ll find on the real exam

• Two full-length bonus exams available only on the CD

• An Assessment Test to narrow your focus to certain objective groups.

Use the Electronic Flashcards for PCs or Palm devices to jog your memory and prep last-minute for the exam!

• Reinforce your understanding of key concepts with these hardcore flash-card-style questions.

• Download the Flashcards to your Palm device and go on the road. Now you can study for the MCTS: Windows Server 2008 Applications Platform, Configuring (70-643) exam any time, anywhere.

• CD also includes PrepLogic’s robust Audio+ exam preparation product for Exam 70-643, exclusive for Sybex Study Guides.

Search through the complete book in PDF!

• Access the entire MCTS: Microsoft Windows Server 2008 Applications Platform Configuration Study Guide complete with figures and tables, in electronic format.

• Search the MCTS: Microsoft Windows Server 2008 Applications Platform Configuration Study Guide chapters to find information on any topic in seconds.


MCTS: Windows Server 2008 Applications Infrastructure Configuration Study Guide

Exam 70-643: TS: Windows Server 2008 Applications Infrastructure, Configuring Objectives

Deploying Servers

| Objective | Chapter |
|---|---|
| Deploy images by using Windows Deployment Services. May include but is not limited to: Install from media (IFM), configure Windows Deployment Services, capture Windows Deployment Services images, deploy Windows Deployment Services images, server core | 9 |
| Configure Microsoft Windows activation. May include but is not limited to: install a KMS server; create a DNS SRV record; replicate volume license data | 9 |
| Configure Windows Server Hyper-V and virtual machines. May include but is not limited to: virtual networking; virtualization hardware requirements; Virtual Hard Disks; migrate from physical to virtual; VM additions; backup; optimization; server core | 8 |
| Configure high availability. May include but is not limited to: failover clustering; Network Load Balancing; hardware redundancy | 10, 11 |
| Configure storage. May include but is not limited to: RAID types; Virtual Disk Specification (VDS) API; Network Attached Storage; iSCSI and fibre channel Storage Area Networks; mount points | 1 |

Configuring Terminal Services

| Objective | Chapter |
|---|---|
| Configure Windows Server 2008 Terminal Services RemoteApp (TS RemoteApp). May include but is not limited to: Configuring Terminal Services Web Access; configuring Terminal Services Remote Desktop Web Connection | 2 |
| Configure Terminal Services Gateway. May include but is not limited to: certificate configuration; Terminal Services Gateway Manager (TS Gateway Manager); specifying resources that users can access through TS Gateway by using Terminal Services resource authorization policy (TS RAP) and Terminal Services connection authorization policy (TS CAP); Terminal Services group policy | 2 |
| Configure Terminal Services load balancing. May include but is not limited to: Terminal Services Session Broker redirection modes; DNS registration; setting through group policy | 2 |


Exam objectives are subject to change at any time without prior notice and at Microsoft’s sole discretion. Please visit Microsoft’s website (www.microsoft.com/learning) for the most current listing of exam objectives.

| Objective | Chapter |
|---|---|
| Configure and monitor Terminal Services resources. May include but is not limited to: allocate resources by using Windows Server Resource Manager; configure application logging | 3 |
| Configure Terminal Services licensing. May include but is not limited to: deploy licensing server; connectivity between terminal servers and Terminal Services licensing server; recovering Terminal Services licensing server; managing Terminal Services client access licenses (TS CALs) | 3 |
| Configure Terminal Services client connections. May include but is not limited to: connecting local devices and resources to a session; Terminal Services profiles; Terminal Services home folders; Remote Desktop Connection (RDC); single sign-on; Remote Desktop Snap-In; MSTSC.exe | 2, 3 |
| Configure Terminal Services server options. May include but is not limited to: logoff; disconnect; reset; remote control; monitor; Remote Desktop Protocol (RDP) permissions; connection limits; session time limits; managing by using GPOs; viewing processes; session permissions; display data prioritization | 3 |

Configuring a Web Services Infrastructure

| Objective | Chapter |
|---|---|
| Configure Web applications. May include but is not limited to: directory-dependent; publishing; URL-specified configuration; Microsoft .NET components, for example, .NET and aspx; configure application pools | 4 |
| Manage Web sites. May include but is not limited to: migrate sites and Web applications; publish IIS Web sites; configure virtual directories | 4 |
| Configure a File Transfer Protocol (FTP) server. May include but is not limited to: configure for extranet users; configure permissions | 4 |
| Configure Simple Mail Transfer Protocol (SMTP). May include but is not limited to: setting up smart hosts; configuring size limitations; setting up security and authentication to the delivering server; creating proper service accounts; authentication; SMTP relay | 4 |
| Manage Internet Information Services (IIS). May include but is not limited to: Web site content backup and restore; IIS configuration backup; monitor IIS; configure logging; delegation of administrative rights | 5 |
| Configure SSL security. May include but is not limited to: configure certificates; requesting SSL certificate; renewing SSL certificate; exporting and importing certificates | 5 |
| Configure Web site authentication and permissions. May include but is not limited to: configure site permissions and authentication; configure application permissions; client certificate mappings | 5 |

Configuring Network Application Services

Configure Windows Media server. May include but is not limited to: on-demand replication; configure time-sensitive content; caching and proxy

6

Configure Digital Rights Management (DRM). May include but is not limited to: encryption; sharing business rules; configuring license delivery; configuring policy templates

6

Configure Microsoft Windows SharePoint Services server options. May include but is not limited to: site permissions; backup; antivirus; configuring Windows SharePoint Services service accounts

7

Configure Windows SharePoint Services e-mail integration. May include but is not limited to: configuring a document library to receive e-mail; configuring incoming vs. outgoing e-mail

7
