Category: Windows Server

MCTS 70-646 Implement patch management strategy

Implement patch management strategy

Microsoft Baseline Security Analyser (MBSA) can be used to scan Windows operating systems for missing security patches and incorrectly configured settings which could render the Windows vulnerable to known attacks.

The System Center suite can be used to baseline and apply security patches.

Windows Server Update Services (WSUS) is a free patch deployment application available as a role in Windows Server 2008 R2 and a separate download for Windows Server 2008. The version of WSUS available for both revisions of Windows is 3.0 SP2 but note that upgrading a Windows Server 2008 computer running WSUS 3.0 SP2 to Windows Server 2008 R2 will fail.

WSUS 3.0 SP2 has support for the branch cache feature of Windows Server 2008 R2 and also support BITS peer caching, this allows Windows updates to be retrieve off neighbouring systems rather than directly from the WSUS server.

Approval deadlines can be used to force patches to be installed immediately; setting the deadline to a date in the past forces the Windows Update Agent (WUA) to install the update immediately.

Update strategy for roaming clients; point the clients to a DNS name and have that DNS resolve to the local site which the roaming client is currently located.

For application patch level maintenance you should consider looking at the System Center Configuration Manager editions.

More on WSUS here

MCTS 70-646 Plan and implement group policy strategy

Plan and implement group policy strategy

Starter Group Policy Objects (GPO)

Starter GPOs are baseline templates you can use when building GPOs. Starter GPOs can be exported to other domains too. Starter GPOs are backed up and restored using the backup all and manage backups via the starter GPOs node.

Starter GPOs can only contain administrative template settings.

Group Policy backup and Recovery

Standard group policies can be backed up and restored from within the group policy objects node.

Group Policy Strategy

The best advice with Group Policy is to keep it simple; avoid too much inheritance blocking, organisational units with lots of GPOs, many organisational units linking to the same GPO, monolithic GPOs which change frequently and implement functional GPO where necessary i.e. where changes are frequent; this will speed up the client side extension processing.

It is recommended you disable the user and computer configuration portion of a policy if it is not used; note this is unlikely to speed up processing, the group policy client still has to query Active Directory to check if that portion of the policy is disabled.

The Group Policy ADMX files should be stored in a central store this stores domain controllers storing redundant copies of the same data. The central store should be configured with sysvol; to configure the central store create a policyDefinitions folder and copy the admx policy files to it, create a en-us folder within the policyDefinitions folder and copy the adml language files.

Starter Group Policy Objects should be used to create standardised combinations of administrative templates.

Troubleshooting Group Policy

The first step is to check the core configuration i.e. the computer is connected to the network, can you ping it, can you resolve DNS names, is the system clock within the limits defined by kerberos. Some of the above checks will also test services e.g. resolving DNS confirms the DNS service is working, logging onto the domain confirms the AD DS is working. Remember the core services for group policy are AD DS, DNS and TCP/IP.

Tools such as gpotool.exe, rsop.msc and gpresult.exe can be used to verify what policies are being or not being applied. rsop.msc can point towards why policies are not applied. gpotool.exe can be used to verify policies are correct.

The operational logs within Windows event viewer are also very useful when reviewing which policies have been applied and how long they took.

When policies are not being applied or take an inordinate amount of time to apply it is always good to understand how the group policy process works.

First of all the group policy client queries the nearest Domain Controller to get a list of Group Policy Object which apply to the logged in user and computer.

Next the client side extension processing starts; the newer Windows operating systems use Network Location Awareness (NLA) to determine whether they’re within the domain or on a public internet connection. NLA uses the connection specific DNS information and the NetworkName registry key, if they’re the same the client attempts to query the domain controller using LDAP.

Once NLA deems the client computer to be in the domain the group policy client reads the CSE information from the registry then the group policy client uses LDAP to search for GPOs with the gpLink attribute.

The group policy client then checks whether the user or computer has permission to read the GPO, finally the group policy client reads the gpt.ini to determine if the policy has been updated; it uses information within the client registry to determine this.

MCTS 70-646 Plan for delegated administration

Plan for delegated administration

The main reason for delegation of administration is to give specific administrative rights to specific users or groups.

Delegated control

Delegation can be applied within AD DS by configuring access control entries on organisational units; this can be accomplished using the GUI (dsa.msc) or dsacls.exe or PowerShell Active Directory modules. Delegation can be configured using a wizard, this allows administrators to quickly apply delegation for common tasks. Alternatively you can configure the OU ACEs manually to create more granular and customised delegation. I’ve blogged previously about AD DS delegation see here Existing delegation configuration can be time consuming to troubleshoot if the delegation hasn’t been defined within a change control system for example. In this scenario you can reset the delegated settings to default. Use dsacls.exe “OU=[Name],DC=[Domain],DC=[Tld]” /resetDefaultDACL or Click default within the advanced security settings of a particular OU you wish to reset.

Group membership delegation

Group membership delegation can be configured by assigning the managed by attribute; In Windows Server 2008 this can be a group, Windows Server 2003 only allows users or contacts.

Delegated Authentication

This allows a computer to impersonate a user to access resources. When the domain and forest functional level are at least Windows Server 2003 then the computer objects have a delegation tab; this allows you to trust the computer for delegation to any service using kerberos or specific services; selecting specific services is known as constrained delegation. An account which has been marked sensitive cannot be delegated; this should be the configuration applied to administrative accounts.

Role-based Access Control (RBAC)

Microsoft products such as Exchange Server, SQL Server and System Center Operations Manager 2007 R2 have RBAC; this allows you to assign administrative privileges within an application to standard Windows accounts.

Microsoft IIS 7 and 7.5 have configuration delegation functionality allowing a web site owner or application owner to have full control over their portion of the web server within reducing security.

Authorisation Manager

Authorisation Manager allows developers to create roles and scopes for their applications; applying the principles of role-based access control. Authorisation Manager can use SQL Server databases, AD DS, AD LDS or XML to store the roles, scopes, role membership etc.

MCTS 70-646 Plan server management strategies

Plan server management strategies

Server Manager Console

Displays the roles and features that are installed on that particular computer.

ServerManagercmd

servermanagercmd is the command line version of server manager but Microsoft are pushing Windows PowerShell and the ServerManager module instead.

Microsoft Management Console

Microsoft Management Snap-ins are available for all roles and features that are installed; some roles will require Remote Server Administration Toolkit (RSAT) to be installed e.g. Active Directory users and computers etc.

Emergency Management Services (EMS)

EMS allows you to connect to a system via serial using telnet or similar (Hyper terminal). EMS can be used when a computer has frozen or locked up on start up or shutdown; may be a runaway process has made the computer unresponsive.

EMS must be enabled before you need to use it, ideally before it is deployed into production. EMS is enabled using BCDEDIT.

Remote Desktop

Remote Desktop allows members of the administrators and remote desktop users group to remotely connect; this doesn’t apply to domain controllers though, only administrators can connect remotely.

Remote desktop for administration allows two concurrent connections. If the computer you’re connecting to has Remote Desktop Services installed then use /admin to connect to an administrative session; if Remote Desktop Services is not installed then /admin is not needed.

You must be a member of the local administrators group to connect to an administrative session.

More information here

PowerShell Remoting

PowerShell remoting improves classic remoting functionality; classic remoting uses remoting built into the cmdlets, the remoting technology is generally (RPC) Remote Procedure Call and (DCOM) Distributed COM. Classic remoting also uses transparent authentication i.e. it uses the credentials used to run the PowerShell code.

You can identity classic remoting cmdlets using

Get-Help * -Parameter ComputerName

Alternatively you can use:

Get-Command Where-Object {$_.Parameters.Keys -contains ‘ComputerName’ -and $_.Parameters.Keys -notcontains ‘Sessions’}

The alternative command will filter out Windows PowerShell remoting cmdlets.

Windows PowerShell remoting uses the WinRM service to execute PowerShell code in a separate session on the remote system; Windows PowerShell remoting is enabled by running Enable-PSRemoting from an elevated prompt. Enable-PSRemoting starts the WinRM service if it is not running, sets up a listener on TCP 5985 and creates a firewall exception for inbound connections.

Windows PowerShell remoting uses Kerberos Authentication by default but if you’re using a peer-to-peer network or connecting to hosts outside of your trusted domain you’ll need to define a trusted host or connect via HTTPS.

Trusted hosts can be added to the trustedhosts file using

Set-Item wsman:\localhost\client\trustedhosts * -Force

Windows PowerShell remoting uses either invoke-command, Enter-PSSession or New-PSSession; New-PSSession allows you to use implicit remoting with the help of Enter-PSSession whereas invoke-command is explicit remoting.

Remote Administration Tools for Non-Administrators

In general non-administrators should be provided with MMC console snapins to administer servers rather than giving non-administrators remote desktop access.

Another method would be Telnet; Telnet is ideal for low bandwidth connections. Telnet Server can be configured by running tlntadmn.exe once the feature has been installed.

Windows Event Logs

More on Windows Event logs can be found here.

MCTS 70-646 Plan high availability

Plan high availability

Service redundancy

More on Microsoft failover clustering here

Microsoft failover clustering no longer supports direct parallel SCSI and requires shared storage that is SCSI Primary Commands (SPC-3) compatible i.e. uses SCSI-3 persistent reservations.

Service availability

More on Microsoft Load balancing and DNS round robin here

Mixed-mode clusters are possible but it is recommended that all cluster  nodes are running the same operating system.

If IGMP multicast mode is used then IGMP snooping must be enabled on the switch.

Each cluster host sends a heartbeat every second, if five consecutive heartbeats are missed then the cluster converges removing the failed host.

The MCITP self-paced training kit for Windows Server 2008 administrator seems to suggest that Microsoft testing has found that NLB clusters with more than 8 nodes are not efficient. If you need more than 8 nodes consider multiple NLB clusters which use DNS round robin.

DNS round robin is enabled by default, remember than netmask ordering is enabled by default too; netmask ordering will return the ip address of a particular record which is within the same subnet. DNS netmask ordering uses class C to determine whether the network is local.

MCTS 70-646 Provision data

Provision data

Data availability can be achieved through…

…hardware redundancy e.g. RAID, multiple power supplies which connect to different power feeds which are protected by different UPSs. Network redundancy should be configured too e.g. multiple network cards (possibly teamed) to different switches (think you need 802.3ad / 802.1ax support).

…server redundancy e.g. using DFS, application replication e.g. Microsoft SQL server database mirroring or failover clustering.

…site redundancy e.g. redundant connectivity links or maybe DFS namespace configuration with replication.

Shared resources

Data availability through shared resources using DFS namespaces and DFS replication; more here

Another way to share and collaborate would be using SharePoint; SharePoint 2010 foundation is available as part of Windows Server 2008 R2 licence.

Offline data access

Data availability through offline files; more here

MCTS 70-646 Plan for backup and recovery

Plan for backup and recovery

Major changes since NTBackup

  • Windows Server backup no longer supports tape media
  • Windows Server backup on Windows Server 2008 does not support scheduled optical or remote share backups; Windows Server 2008 R2 does support scheduled remote share backups but with the caveat of only one backup being stored.
  • The smallest backup object is a volume
  • Only NTFS volumes can be backed up
  • Backups are stored as VHD files
  • Windows Server backup on Windows Server 2008 R2…
  • …supports the inclusion or exclusion of files, file types and paths.
  • …incremental backup forever
  • …system state backup use shadow copy versions to minimise the backup set size

The backup operator role can only schedule adhoc backups; full administrator rights are required to configured scheduled backups.

Ideally backup sets should be kept offsite and where data is encrypted, encryption recovery keys should be kept with the backup set too. If using a disaster recovery site then adequate resource should be available; one benefit of Windows Server backup is that backup files are stored as VHD files, so virtualisation at the disaster recovery site is a viable solution.

Recovery strategy

Windows Server backup can restore applications that have Volume Shadow Service writer functionality in a more simplified manner; Windows Server backup will restore the application data, configuration settings and application program.

File recovery where duplicates exists will either overwrite, make a copy or ignore.

Server Recover Strategy

Complete server recovery requires you boot from the installation DVD and select repair; this will enter into Windows Recovery Environment (WinRE), from here you can select a backup to restore. This restore can also be used on differing hardware. NOTE full recovery requires the new disk be at least the same size as the original.

Directory Service Recovery strategy

Active Directory Authoritative restores require you restart the domain controller in Directory Services Restore Mode. Once in *DSRM restore the system state backup then start ntdsutil activating the ntds instance. Type authoritative restore, restore subtree “OU=OUName,DC=Domain,DC=com”, once the **authoritative restore is complete restart the domain controller. NOTE: authoritative restores are only valid if you have more than one domain controller i.e a non-authoritative restore would do the trick.

*an easy way to get into DSRM is by modifying the boot database, use:

bcdedit /set safeboot dsrepair

then when the restore is complete

bcdedit /deletevalue safeboot

**During a authoritative restore you will be notified of numerous ldif files which contain back links i.e. group membership, etc. note these then use:

ldifde.exe -L -K [path to file]\ldif.filename

Tombstone lifetime by default is 180 days, you cannot recover anything older than the tombstone lifetime. The tombstone lifetime was previously 60 days in Windows Server 2003 RTM.

References

Performing Authoritative Restore of Active Directory Objects

Object level recovery

Volume shadow copies for shared folders functionality allows end users to recover deleted or corrupted files. Shadow copies can be used on non-shared folders too.

A maximum of 64 shadow copies can be created, if the disk holding the shadow copies is out of disk space then the oldest shadow copy will be deleted. The default space available for shadow copies is 10% of available disk space and the default schedule is 7am every weekday.

Active Directory objects can be restored individually using Active Directory snapshots created with ntdsutil or system state backups.

To restore an object from a system state backup first restore the system state redirecting the restore to an empty volume, then mount the ntds.dit database using dsamain.exe, use ldp.exe to restore the AD DS object.

To restore an object from a ntdsutil snapshot, mount the snapshot using ntdsutil, mount the ntds.dit database using dsamain.exe then use use ldp.exe to restore the AD DS object.

Object level recovery of objects using authoritative restores type restore object rather restore authoritative.

Windows Server 2008 R2 domain controllers running forest functional level Windows Server 2008 R2 have the AD recycle bin functionality; the recycle bin is enabled via PowerShell and requires you restore object using PowerShell; objects deleted before AD recycle bin was enabled will be missing linked value replication information i.e. group membership.

MCTS 70-646 Plan file and print server roles

Plan file and print server roles

Access permissions

Share permissions apply to remote users and NTFS permissions apply to both remote and local users; a remote user will be restricted to the most restrictive permission. NTFS permissions can be cumulative i.e. a user has specific permissions but that user is also a member of a group with other defined permissions. Permissions applied to the user override group permissions if there is a conflict and deny permissions override allow permissions.

Windows Server 2008 file services also has Access Based Enumeration (ABE); this functionality hides files and or folders from users who have no access to them.

Printer management requires Manage Printers, Print, Manage Documents and Manage Server. Printer queue management just requires Manage Documents, Manage Printers and Print.

Storage quotas

Storage quota are defined at the disk level, quota can be defined for specific users or groups or completed disabled for a user or group.

Quotas have hard and soft limits; hard limits stop users saving or copying files to a volume when over quota whereas soft limits just warn users.

Quotas can be defined on folders using FSRM; FSRM has hard and soft limits too but also can be defined on volumes, folders and shares. FSRM quotas should be defined via templates i.e. that is the best practice.

Replication

DFS-R is used to replicate data; it can be used with or without DFS-N e.g. replicating web content between servers within a web farm.

DFS-R uses Remote Differential Compression (RDC) to minimise the data replicated e.g. modifications to data are replicated not the whole file. Cross file RDC can use other files to construct a file to minimise WAN replication traffic; cross file RDC is only supported in Enterprise and Datacenter editions.

Indexing

The Windows Search service in Windows Server 2008 and 2008 R2 replaces the legacy indexing service; the legacy indexing service should only be used if you have bespoke applications that depend on it. Microsoft Windows Vista and Windows 7 clients work out-of-the-box with the Windows Search service whereas earlier client such as XP require the ‘Microsoft Search Client’. Indexing should only be configured on storage which contains shares or file shares. Indexing is configured via the Control Panel > Indexing Options.

File storage policy

FSRM has file screening functionality which can be used to define what can and cannot be stored on the file system e.g. mp3s but you could also define an exception for a particular group.

Storage reports can be configured to the show largest files, most accessed files, duplicates etc, you may be able to use this for scheduling maintenance.

Availability


Offline files allow access to network content whilst you’re offline; useful say if you’re working on a large file you can forcefully go offline, work on the file and then go back online to sync the changes. Internet Information Services shared configuration can benefit from offline file functionality too.

Offline files are configured via the share advanced share settings caching options. Note that redirected folders are automatically configured as offline.

You can encrypt offline files via Sync Center > Manage Offline Files > Encryption or Computer Configuration\Administrative Templates\Network\Offline Files\Encrypt the Offline Files cache.

Offline files enhancements in Windows Server 2008 R2

  • Fast first logon
  • Background sync
  • Exclusion list
  • Transparent caching

Distributed File System Namespaces (DFS-N) and Distributed File System Replication (DFS-R) can be used together to provide file share availability locally and geographically.

DFS-N allows you to consolidate multiple file shares from multiple servers into a single namespace. You can then use DFS-R to replicate this file share content to other file servers.

Geographic DFS namespaces can be used so users access their local file server to access content replicated from other sites.

Printer pooling allows you to effectively load balance printing; If you have the same printer or at least the printers which can use the same printer driver then you can pool printers. These printers are managed via one queue and can survive printers failing i.e. one printer breaking will not stop the printer pool working.

Printer publishing

Render print job on the client; this is the default an the most efficient; if you leave this to the print server then you could end up over burdening the print server.

Print filters can be configured to report on specific printer states e.g. printers with paper jams, offline or error. Print filters are only available to Windows Server 2008 and 2008 R2.

Printer can be published to Active Directory automatically if the print server is Windows Server 2008 R2 and the group policies ‘Automatically publish new printers in Active Directory’ and ‘Allow printers to be published’ are enabled.

Alternatively you can publish printers to Active Directory using the list in directory option; this will make it searchable or Deploy using Group Policy; here you can deploy it to the whole domain or specific OUs.

MCTS 70-646 Plan Storage

Plan Storage

Storage Solutions

More on storage here

MPIO

Windows Server 2008 and 2008 R2 includes a (DSM) Device Specific Module that works with storage devices that support (ALUA) Asymmetric Logical Unit Access and Active / Active storage controllers. DSM have provided by the SAN vendor and interface with Windows Server MPIO and Storage Manager for SANs. The ALUA model allows the server to see the LUNs over both storage controllers but only one path should be preferred i.e. the one with direct access to the LUN; accessing the LUNs via the non-direct or unoptimised path can cause path thrashing.

Windows Server 2008 and 2008 R2 supports the following MPIO policies:

  • Failover – Uses one path for all storage I/O; all other paths are standby paths which are defined as most preferred to least preferred.
  • Failback – Uses one path for storage I/O; all other paths are standby paths. When the preferred path becomes available storage I/O is switched.
  • Round Robin – All paths are used for storage I/O.
  • Round Robin with a subset of paths – A defined set of paths are used for storage I/O with another set of paths defined for standby.
  • Dynamic least queue depth – storage I/O uses the path with the smallest outstanding I/O queue.
  • Weighted path – All paths are given a weighting, the path with the smallest weighting is used for storage I/O.

Block based storage

Device where raw volumes are created; the filesystem of the block storage is purely determined by the OS utilising the storage e.g. VMware vSphere would format the volume VMFS whereas Windows Server would format the volume NTFS. Access is handled by the operating system.

File based storage

Storage accessed via SMB / CIFS or NFS. The access is handle by the file based storage device.

Storage Management

Windows Server 2008 and 2008 R2 has Storage Manager for SANs and Storage Explorer. The link above has Storage Manager for SANs information. Storage Explorer uses (iSNS) Internet Storage Name Service to discover iSCSI fabric information and SNMP, telnet or http to discover and interface with Fibre Channel fabrics.

MCTS 70-646 Provision applications

Provisioning Applications

Application deployment

Installation methods range from manual installation through to using something like (SCCM) System Center Configuration Manager. Manual installations are impractical in large environments but may be suitable for installation of software in a small or branch office with no servers or domain. Scripted deployments can be used for zero or lite touch installations but requires good scripting skills and can be potentially time consuming to maintain.

Other automated deployment methods are (GPSI) Group Policy Software Installation and SCCM; group policy can be used to assign msi packages to AD DS user and computer accounts or publish msi packages to AD DS user accounts. GPSI doesn’t have any deployment scheduling or bandwidth throttling functionality.

SCCM can be used to deploy zero touch installations, upgrade Windows Server 2003 to Windows Server 2008, schedule application deployment using Wake On Lan (WOL) if required. SCCM can also deploy traditional executables.

Plan App-V deployment

App-V creates an separate partition space for each application; this allows conflicting and non-RD compatible applications to be deployed on the same RD session host.

App-V is part of the Microsoft Desktop Optimisation Pack. App-V applications can be deployed as msi installers thus making them compatible with GPSI.

App-V only streams the active part of the application to maximise the responsiveness.

Plan virtual application deployment

Remote App allows for applications to be accessed remotely but with the look and feel of a local installation. Remote App applications can be deployed to users and configured to trigger when a user opens a particular file e.g. Word would open when a user opened a .doc file; this functionality does require the Remote App to be deployed via a msi installer.

The Remote App applications are deployed on a RD session host so users will require ‘allow logon through RDS’ or be a member of the Remote Desktop Users group. Remote App applications can also be presented to the user as rdp shortcuts or via the RD Web Access website.

Plan web application deployment

Web Application deployment methods are WebDAV using HTTP or HTTPS and FTP (FTP in IIS 7.5 can utilise SSL).

WebDAV is a per site configuration and can be installed as a role in Windows Server 2008 R2.

FTP is a role service of the Web Server role; FTP can be configured on a per site basis or per server.

Microsoft Web Deploy 3.0  can be used to package visual studio applications for deployment as well as keep web farm in sync.

More Web Infrastructure information here