Plan file and print server roles
Share permissions apply to remote users and NTFS permissions apply to both remote and local users; a remote user will be restricted to the most restrictive permission. NTFS permissions can be cumulative i.e. a user has specific permissions but that user is also a member of a group with other defined permissions. Permissions applied to the user override group permissions if there is a conflict and deny permissions override allow permissions.
Windows Server 2008 file services also has Access Based Enumeration (ABE); this functionality hides files and or folders from users who have no access to them.
Printer management requires Manage Printers, Print, Manage Documents and Manage Server. Printer queue management just requires Manage Documents, Manage Printers and Print.
Storage quota are defined at the disk level, quota can be defined for specific users or groups or completed disabled for a user or group.
Quotas have hard and soft limits; hard limits stop users saving or copying files to a volume when over quota whereas soft limits just warn users.
Quotas can be defined on folders using FSRM; FSRM has hard and soft limits too but also can be defined on volumes, folders and shares. FSRM quotas should be defined via templates i.e. that is the best practice.
DFS-R is used to replicate data; it can be used with or without DFS-N e.g. replicating web content between servers within a web farm.
DFS-R uses Remote Differential Compression (RDC) to minimise the data replicated e.g. modifications to data are replicated not the whole file. Cross file RDC can use other files to construct a file to minimise WAN replication traffic; cross file RDC is only supported in Enterprise and Datacenter editions.
The Windows Search service in Windows Server 2008 and 2008 R2 replaces the legacy indexing service; the legacy indexing service should only be used if you have bespoke applications that depend on it. Microsoft Windows Vista and Windows 7 clients work out-of-the-box with the Windows Search service whereas earlier client such as XP require the ‘Microsoft Search Client’. Indexing should only be configured on storage which contains shares or file shares. Indexing is configured via the Control Panel > Indexing Options.
File storage policy
FSRM has file screening functionality which can be used to define what can and cannot be stored on the file system e.g. mp3s but you could also define an exception for a particular group.
Storage reports can be configured to the show largest files, most accessed files, duplicates etc, you may be able to use this for scheduling maintenance.
Offline files allow access to network content whilst you’re offline; useful say if you’re working on a large file you can forcefully go offline, work on the file and then go back online to sync the changes. Internet Information Services shared configuration can benefit from offline file functionality too.
Offline files are configured via the share advanced share settings caching options. Note that redirected folders are automatically configured as offline.
You can encrypt offline files via Sync Center > Manage Offline Files > Encryption or Computer Configuration\Administrative Templates\Network\Offline Files\Encrypt the Offline Files cache.
Offline files enhancements in Windows Server 2008 R2
- Fast first logon
- Background sync
- Exclusion list
- Transparent caching
Distributed File System Namespaces (DFS-N) and Distributed File System Replication (DFS-R) can be used together to provide file share availability locally and geographically.
DFS-N allows you to consolidate multiple file shares from multiple servers into a single namespace. You can then use DFS-R to replicate this file share content to other file servers.
Geographic DFS namespaces can be used so users access their local file server to access content replicated from other sites.
Printer pooling allows you to effectively load balance printing; If you have the same printer or at least the printers which can use the same printer driver then you can pool printers. These printers are managed via one queue and can survive printers failing i.e. one printer breaking will not stop the printer pool working.
Render print job on the client; this is the default an the most efficient; if you leave this to the print server then you could end up over burdening the print server.
Print filters can be configured to report on specific printer states e.g. printers with paper jams, offline or error. Print filters are only available to Windows Server 2008 and 2008 R2.
Printer can be published to Active Directory automatically if the print server is Windows Server 2008 R2 and the group policies ‘Automatically publish new printers in Active Directory’ and ‘Allow printers to be published’ are enabled.
Alternatively you can publish printers to Active Directory using the list in directory option; this will make it searchable or Deploy using Group Policy; here you can deploy it to the whole domain or specific OUs.
Plan application servers and services
Planning Remote Desktop Infrastructure
Remote Desktop Services has the following benefits:
- User workstations run a minimal amount of software.
- Data is centralised i.e. may be at HQ rather at the branch office.
- The host operating system updates, anti-virus and anti-spyware updates are deployed at the Remote Desktop session host server.
- Application updates are performed centrally.
Depending on the number of users and the applications hosted you may need one or more RD session host servers in one or more locations e.g. a heavily utilised, high bandwidth application used by 20 branch office staff would more than likely warrant a RD session host server at the branch office, whereas 10 users running a word processing application would probably be accessed across the WAN.
Planning RD session host server software
Application compatibility is paramount if you’re to successfully deploy remote applications.
Applications should be installed using change usermode but most applications will auto detect they’re being installed on a RD session server.
Applications which are RD compatible have the following characteristics
- Multi user
- Application configuration should be saved to the users profile
- No users can write to the HKLM registry key
Licensing server scopes
- only available to workgroup computers, workgroup servers and clients can discover the licence server automatically
- Domain RD session host computers and clients can automatically acquire Client Access Licences.
- Forest RD session host computers and client can automatically acquire Client Access Licences; this is the recommended for central licence management.
licence server activation installs a digital certificate to validate the server ownership and identity. The methods of activation are:
- Automatic (requires SSL)
- Web browser (must browse to a web page) – cannot be used with deactivation
Temporary licenses are valid for 90 days
- Device – assigned to a device; can be reclaimed 52 to 89 days after being issued. 20% of licenses issued to a particular operating system can be revoked at any one time.
- User – assigned to a user; user CALs are not enforced by RD licensing.
When a licence server has been restored any unissued licenses will need re-validating.
A Windows Server 2008 R2 licence server is backwards compatible with Windows Server 2008, Windows Server 2003 and Windows 2000 Server Terminal Services session host servers.
RD Session Host Configuration
Configuration of the RD session host is performed within the RD session host configuration > RDP-TCP > Properties window.
The default security layer is negotiate; negotiate will use SSL if a certificate is installed, the default encryption level is client compatible; client compatible negotiates an encryption level that both the client and server support. High encryption uses 128 bit encryption and is supported by RDC 5.2 client software. Low encryption only encrypts data between client and server.
The no. of sessions and the network adapter which RDS will respond on is configured within the network adapter tab.
When performing maintenance the user logon mode should be changed to ‘prevent new logons’ within the RD session host configuration > edit settings.
One of the most important configurations is connection and session configuration as these directly affect the capacity of the RD session host. Session configuration determines when Active, Idle or disconnected sessions should be disconnected or ended respectively.
Group Policy objects
Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Services/RD Session Host to configure Connections, device and resource redirection, licensing, printer redirection, profiles, remote session environment, security, session limits, temporary folders and RD connection broker.
RD Web Access
This role service allows client to connect to a RD session host via a browser. The role service requires IIS and the Windows Process Activation service.
Compatible clients are XP SP2 and later.
RD Connection broker
This role service maintains user sessions within a database, so if a user is disconnected they will be reconnected. RD connection broker is used in conjunction with DNS round robin, Microsoft NLB or hardware load balancers which support RD connection broker routing tokens. If you’re using a hardware load balancer then then RD connection broker should use token redirection not IP address redirection.
Connection broker can only load balance Windows Server 2008 or 2008 R2 Terminal / Remote Desktop session host servers. Connection broker requires clients be using at least RDC 5.2.
The RD session servers must be made a member of the Session Directory computers group.
RD Virtualisation Host
This role service allows you to present Hyper-V virtual machines as virtual desktops via Remote Desktop Services.
RDS can be monitored using either performance monitor (perfmon) or (WSRM) Windows System Resource Manager.
Performance monitor provides a number of counters to track memory and processor usage per session and active, inactive and total sessions.
WSRM provides a means of distribute the load evenly e.g
- Equal_Per_User ensures each user is allocated equal resources; useful when users can have more than one session.
- Weighted_Remote_Sessions allow processes to be grouped according to the priority assigned to the user account.
- Equal_Per_Session ensures each session is allocated equal resources; should be used in conjunction with limiting users to a single session.
Plan infrastructure services server roles
IPv4 / IPv6
IPv4 and IPv6 can be found here
IPv6 stateless autoconfiguration:
Generates a link-local address
Test whether the link-local address is unique within that subnet (DAD) (Duplicate Address Detection)
If it is unique then it assigns itself that address
Contacts the local router (Router Solicitation Message)
Gets network prefix, address lifetime, next hop etc. from router advertisement. (DAD occurs again to ensure the auto configured global address is unique)
Stateless configuration doesn’t assign DNS server addresses, for this purpose DHCPv6 can be configured to assign DNS server addresses.
Dual stack v4 and v6 addresses.
Use transition technologies – Internet (teredo and 6to4) intranet (ISATAP)
DNS in Windows Server 2008 R2 has DHCP filters which allows the administrator to filter out MAC addresses which can or cannot get an IP address from DHCP.
DHCP can be configured to dish out IPv6 DNS server addresses and DNS domain names in a stateless environment whereas in a stateful IPv6 environment DHCPv6 can dish out IP addresses, gateway address, DNS server addresses etc.
Primary read-only zones are new and used when a RODC is deployed.
DNS client cache refreshes every 15 minutes.
DNS stub zones contain the Name Server record and Start of Authority record for a delegated DNS zone. The A glue record contains the Name Server IP address. Stub zones minimise the replication of zones; the local DNS server maintains a list of NS and glue A records.
DNS now supports DNS background zone loading; this allows the DNS server to service requests whilst the zone is still loading; incoming client requests are prioritised and loaded on demand.
Microsoft attempt to finally replace WINS in GlobalNames; this functionality allows you to map a flat name to a FQDN within DNS. GlobalNames are not dynamically updated thus should be used where IP addresses are static. Other use cases are: applications cannot support FQDNs, DNS servers are running Windows Server 2008 / 2008 R2 or you’re decomissioning WINS.
GlobalNames is enabled as follows:
dnscmd . /config /enableglobalnamessupport 1
Network Access Control
Network Access Protection is a features in Windows Server 2008 that controls access to network resources based on a client computers identity and compliance.
NAP uses the clients security center (Vista / XP SP3) as reference e.g. is the Windows firewall enabled etc.
NAP enforcement is configured via group policy (Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Enforcement Clients and Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Network Access Protection Agent); create a group which contains the NAP client computers and filter the GPO using GPO security filtering. The configuration can be viewed on the client by running netsh as below.
netsh nap client show state
NAP events can be viewed via Event Viewer\Application and Service Logs\Microsoft\Windows\Network Access Protection\Operational
DHCP enforcement ensure clients are healthy i.e. they have met the health policy requirements before being given an IP address lease; the caveat of this enforcement method is a user with adminisrator privileges could statically assign themselves an IP address to bypass this enforcement method.
DHCP enforcement requires DHCP server options from the Default Network Access Protection and Default User Classes. If the DHCP server is installed on a different server to the NPS role, then the DHCP server should be configured as a remote RADIUS client.
Non compliant and non NAP capable client should have defined remediation servers which allow access to resources which they can use to become healthy or NAP capable e.g. a workgroup client computer receiving DHCP leases from a NAP scope will be deemed non NAP capable until it has been joined to the domain and downloaded the necessary policies and has the necessary group membership.
IPsec enforcement ensures computers are healthy before being able to communicate with corporate resources; this enforcement method is tamper resistant as the client computer requires a health certificate from a Health Registration Authority CA. This method allows end-to-end encryption too.
IPsec enforcement requires a Domain Controller, preferably an Enterprise Certificate Authority and a standalone issuing Certificate Authority, Health Registration Authority (HRA) and Network Policy Server. The standalone CA issues system health authentication certificates via the HRA server.
Client or server computers which are exempt from IPsec communication should have the system health authentication certificate auto-enrolled.
The NPS server should have a computer certificate enrolled to encrypt communication with the HRA website; this website has two roles, one to authenticate domain computers using Windows Authentication and two non domain computers using Anonymous authentication. Anonymous clients will need to trust the Root certificate authority or which ever CA issued the SSL certificate for the HRA website.
When configuring NAP you would need to configure a RADIUS client if the HRA role is installed anywhere other than where the NPS role is installed.
NAP IPsec enforcement requires an additional group policy object configuring (Computer Configuration\Policies\Windows Settings\Security Settings\NAP Client Configuration\Trusted Server Groups\) with the Url of the HRA server e.g. https://%5Bfqdn%5D/DomainHRA/hcsrvext.dll.
It is possible to configure HRA auto-discovery but this requires DNS srv records and auto-discovery registry keys configured on the client.
VPN enforcement ensures computers are healthy before allowing them to access the corporate network via the VPN server.
VPN enforcement requires a domain controller, Certificate services, RADIUS server (NPS), VPN (RRAS) and DHCP to issue IP addresses to VPN clients.
VPN enforcement client settings configured via group policy depend on the client operating systems (Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Enforcement Clients\Remote Access Enforcement Client (XP/Vista) and \EAP Quarantine Enforcement Client (Windows 7))
Step-by-step guides here
more information here too.
- PPTP – lowest security, easiest to configure and uses MS-CHAPv2
- L2TP – requires computer certificates, works with IPv6 and uses IPsec for authentication, data integrity and encryption. Heterogeneous.
- SSTP – requires the endpoint certificate be trusted by client machines, uses SSL for authentication, data integrity and encryption thus uses TCP port 443 which allows the VPN to traverse proxies, NAT and firewalls; requires Windows Server 2008 and Vista SP1 and later though. The CRL distribution point must be accessible from the internet.
- IKEv2 – Enables clients to utilise VPN reconnect functionality. Requires at least Windows 7 and Windows Server 2008 R2. Uses UDP port 500. IKEv2 is the default connection the Windows 7 VPN client will try.
By default a VPN client will access all of its resources via the VPN tunnel, if you want to use split tunnelling configure the VPN connection TCP/IP properties to not use the default gateway on the remote network.
If you’re using DHCP to issue VPN clients with an address you can use the ‘Default Routing and Remote Access Class’ options.
EAP-TLS – requires the RAS server be a member of the domain.
MS-CHAPv2 – default authentication and encryption protocol.
EAP-MD5-CHAP – generally used with non-Microsoft clients.
Certificate service can issue certificate which are used for code signing, driver signing, email signing, web site traffic encryption, data encryption i.e. IPsec and EFS, wireless authentication and smartcards.
Key differences between external and internal certificate authorities
- external certificate authorities are commonly trusted i.e. the root certificates are shipped with the major operating system vendors.
Internal certificate authorities
- No AD DS requirement
- manual requests and manual approval
- no certificate templates
- manually install root certificate in client computer stores
- generally the root certificate authority which is switched off once subordinate certificates have been issued
- Requires AD DS which in turn supports auto enrolment
- smartcards and authentication tokens can be issued to validate user credentials
- certificates and certificate revocation lists are published to AD DS
- certificate template types 2 and 3 are available for customising certificates
- certificate requests can get information from AD DS in order to submit the certificate request on behalf of the client
Certificate authority certificates
NOTE: No certificate can be issued an expiry date which exceeds the certificate in the chain above it.
The root certificate should use a strong hash algorithm e.g. SHA256 (XP has issues with SHA2 algorithms) and a 4096 bit key length (unless using legacy applications might have to use 2048 bit). The validity of the certificate should be less than its expected lifetime.
Intermediate certificate (subordinate)
Intermediate certificate authorities should use a smaller key length and less computational hash algorithm than the root certificate but the validity should be significantly less too. Should be okay to reuse the same key.
Issuing certificate (subordinate)
Issuing certificate authorities should use smaller key length (if applicable) and less computational hash algorithm, again validity should be significantly less. It is also a good idea to issue a new key when renewing the issuing certificate this creates a new certificate revocation list which should speed up crl look ups.
Expiring and newly generated certificates can co-exist which allows you to renew the root, intermediate or issuing certificates before they expire.
This allows user certificates and private keys to roam with the user i.e. the desktops they logon to. So when that user encrypts a document, connects to a wireless network which is secured using certificates and RADIUS or connects a website which requires client certificates for authentication the same certificate is used no matter which desktop they use.
Credential roaming only works with x.509 type 3 certificates (these are new in Server 2008) that have RSA or DSA key pairs; I think the following cryptographic providers are all use RSA or DSA:
- Microsoft Base Cryptographic Provider
- Microsoft Enhanced Cryptographic Provider
- Microsoft DSS Cryptographic Provider
- Microsoft Base and Diffie-Hellman Cryptographic Provider
- sChannel Cryptographic Provider
Credential roaming is implemented by turning on a user group policy object i.e. User Configuration > Windows Settings > Public Key Policies > Certificates Services Client – Credential Roaming. More information here and here.
When the user logs off a particular desktop their certificates, private keys and credentials are removed too.
By default a standalone CA is configured to mark certificate requests as pending.
Certificate autoenrollment allows certificates to be deployed to computers, service account and users without their knowledge. To configure autoenrollment you must have enterprise or domain administrator privleges.
The first step to configuring auto-enrollment is by configuring certificate templates with AD CS with read, enroll and autoenroll permissions. If a certificate is being renewed then read and enroll the only permissions required. There is more information in the certificates template section.
Finally configure a autoenrollment policy within the domain i.e. configure a GPO for Certificate Services Client – Auto-Enrollment.
Authority Information Access is used by clients to build a certificate chain for a particular certificate. AIA is also used to publish information about the OCSP.
Certificate revocation distribution points must be configured before issuing any certificates in order for the distribution points to be included in the issued certificates.
The CRL contains the whole revocation list and the delta CRL contains the revocation changes.
When you revoke a certificate you are unable to unrevoke it unless the certificate was revoked with the reason of ‘Certificate Hold’.
OCSP – to retrieve a OCSP response signing certificate the OCSP service account should be granted enroll permission.
Microsoft’s online responder service uses Online Certificate Status Protocol (OCSP) to manage certificate revocation in diverse environments.
OSCP is used mostly where:
- clients do not have high speed connections to download CRLs or for clients who connect remotely.
- certificate revocation checking activity peaks at specific times e.g. user logon or sending signed email.
- a non-Microsoft CA is used.
- information about all revoked or suspended certificate should be limited and certificate revocation information should be provided on a request by request basis.
Basics of the online responder
- Receives certificate revocation check, decodes and verifies the request (after local cache and OCSP cache has been checked)
- OCSP checks local CRL and a cached copy of the most recent CRL issued by the CA
- If the above step fails the OCSP retrieves a CRL from the CA
- OCSP Web proxy encodes the response and sends the information back to the client
General properties of the certificate template allows you to configure whether to publish issued certificates to Active Directory, this allows user to locate another users public key before they encrypt a file or email or to stop duplicate certificates being issued to users and computers for the same purpose. AD DS can also be used to populate information required for the certificate request such as the common name and publish the CRL too.
You can configured the validity and renewal periods too.
The certificate template extensions determine the certificate template rules (assurance), application policy (what the certificate can be used for e.g. web server), key usage (what specific task is can be used for e.g. server authentication / client authentication), key archival (are the keys for this certificate archived in the CA database should the private key be lost? useful for EFS certificate templates where you have key recovery agent in place) and basic constraints which e.g. define that an issuing CA can only issue user certificates not CA certificates.
The request handing of a certificate template determines its intended purpose (encryption, signature, both or signature and smartcard), its archive settings e.g. can the private key be exported, user input settings e.g. require input or enroll with no input), key size and cryptographic provider.
The cryptography of a certificate template determines its algorithm (RSA, DSA or ECDH), key size, providers, hash algorithms (SHA#, MD# or AES#) and
The subject names of a certificate template determines whether the subject name is built from AD DS i.e. common name and distinguished name or supplied in the certificate request.
You can configure the template for high volume scenario by selecting ‘do not store certificates and requests in the CA database’. These are primarily used with NAP and IPsec enforcement.
Active Directory components
- Forest – Contains one or more trees and makes up a single instance of Active Directory
- Trees – contiguous namespace i.e. domain.com > one.domain.com > corp.one.domain.com etc.
- Domains – security boundary for authentication etc.
- Sites – defined geographically locations within a domain
A global catalog is a distributed data repository which contains a partial representation of every object in every domain.
Must receive updates from a Windows Server 2008 writable domain controller which hosts the PDC emulator FSMO role.
Only one RODC can exist per domain per site.
Plan for automated server deployment
- Install From Media (IFM)
- Automated / Unattended using xml based answer files
- network install using winpe; this can be automated too
- Zero or lite touch (requires scripting skills)
- uses boot.wim and install.wim of Vista, Windows 7, Server 2008 and 2008 R2
- Automated installs using xml based answer files
- System Center Configuration Manager
- Zero touch
- Can perform upgrades too
XML answer files can be created using the System Image Manager (SIM) from the Windows Automated Installation Kit (WAIK). When pointing SIM at a wim file use the wim file off the DVD not the wim within WDS.
- NTFS volumes
- DHCP (if on same server WDS should be configured not to listen on UDP 67)
- AD DS
- client should have PXEclient option deployed via DHCP
- PXE boot
- respond to all
- respond to none
- respond to known i.e. prestaged within AD DS
- Multicast support
- multicast can be configured via the GUI or WDSUtil
- Scheduled or auto-cast; auto-cast starts when the first client requests an image, other clients can join at any point in the image deployment.
- multicast requires clients have disk space available to receive wim image (unicast deployment streams the image file)
- Imagex and peimg are used to customise images e.g. add drivers
- WIM files use single instance technology to reduce the amount of space required to store Windows Server images.
- Hardware independent
- non-destructive deployment
- Image types
- discover (for non-PXE network adapters)
- capture (capture syspreped images)
Plan Server installations and upgrades
Key differences between Microsoft Windows Server 2008 and Microsoft Windows Server 2008 R2.
- 2008 R2 doesn’t support x86 processor architecture whereas 2008 supports x86, x64 and IA64.
- 2008 R2 has a foundation edition.
- Terminal Services has been renamed Remote Desktop Services in 2008 R2.
- 2008 R2 has the Active Directory recycle bin funtionality.
- 2008 R2 Hyper-V has dynamic memory functionality.
- 2008 R2 has Managed Service Accounts functionality, Applocker, Direct Access, Branch Cache, IIS 7.5 and AD CS functionality for 2008 R2 core.
- 32GB RAM, 4 sockets, one virtualisation licence
- 250 incoming RAS or Remote Desktop gateway connections and base AD CS features i.e. no CA templates.
- Predominantly used to deploy domain controllers, WINS, DNS, DHCP, file and print servers, certificate services and application / web servers.
- 2TB RAM, 8 sockets, 4 virtualisation licenses
- Failover clustering, AD FS functionality and fully featured AD CS incl CA templates. Hot add CPU and hot add memory.
- Predominantly used to deploy failover cluster to support MS SQL or MS Exchange or where federated services are requied.
- 2TB RAM, 64 sockets, unlimited virtualisation licenses.
- Hot replace CPU and hot replace memory this uses dynamic hardware partitioning, see here
- predominantly used to deploy Hyper-V hosts.
- 32GB RAM, 4 sockets, web server and DNS server roles.
- predominantly used to deploy web and application servers.
Core edition benefits
- Reduced updates because application has no GUI, so no updates for IE, media player etc.
- Lower hardware requirements due to no GUI interface.
- Reduced attack surface because fewer binaries are installed.
Scripting in Core
- PowerShell support in Windows Server 2008 R2 core.
- Windows Scripting host support, Visual Basic scripting support, registry editor GUI and notepad.
Installing roles and features in Core
- oclist to generate list of installed and or available roles and features
- ocsetup to install roles and features
- In 2008 R2 both have been deprecated by servermanagercmd and servermanagercmd has been deprecated by PowerShell module ServerManager and the commands Get-WindowsFeature, Add-WindowsFeature and Remove-WindowsFeature.
Core role deployments
- Domain controllers, lightweight directory services (AD LDS), DHCP, DNS, WINS, Windows Media services, file and print and Hyper-V.
- CLI or RSAT
- CLI tools – netsh (networking command shell), netdom (rename computer, join computer to domain etc.), oclist and ocsetup as described above, slmgr.vbs (licensing and activation) and winrs (remote management configuration)
- Core editions cannot be upgraded to full installations
- Windows Server 2003 cannot be upgraded to Windows Server 2008 R2 Core
- No upgrade path for x86 to x64
- Upgrade to equivalent edition if processor architecture is the same i.e. x86 or x64 (remember no x86 version of Windows Server 2008 R2 available)
- Windows Server 2008 core to Windows Server 2008 R2 core as long as processor architecture is the same
- Windows Server 2003 must be SP1 and have 30GB of free space
- When upgrading the Windows installer will produce a compatibility report
- Upgrade from Windows Server 2003 to Windows Server 2008 can be rolled back as long as no successful logons have occurred.
- To ensure you can rollback
- Perform ASR backup of Windows Server 2003 (ASR via wizard creates a full backup too)
- Perform system state backup incl files and folders
- If you need to restore Windows Server 2003, restore Windows Server 2003 ASR, restore system state and full backup, reinstall any applications
- P2V and then upgrade, test applications etc. (NOTE: doesn’t test hardware compatibility)
Bitlocker is full disk encryption which uses either Trusted Platform Model 1.2 (TPM) or a USB flash drive. Windows Server 2008 R2 and Windows 7 (Enterprise and Ultimate) create a 1.5GB partition at the front of the disk for the boot files when BitLocker is enabled; this partition is unencrypted. For Vista and Windows Server 2008 use the BitLocker drive preparation tool.
The TPM uses a symmetric key to encrypt the data for encryption speed; the symmetric key within the TPM is encrypted with a asymmetric key. BitLocker keys can also be stored within AD DS and USB flash drives (NOTE: I think you need a password if you’re using a USB flash drive)
- MAK – Multi Activation Key
- One key per edition which can be activated multiple times.
- MAK proxies are used to activate client with no direct internet access; MAK proxy is part of VAMT which uses a cil xml based file; the cil file is generated from within VAMT.
- MAK keys are good for up to 25 desktop clients and 5 servers; above this use KMS keys.
- VAMT requires TCP 1688 be open between the VAMT application and client in order to collect licensing information.
- VAMT can be used to store and distribute MAK keys.
- KMS – Key Management Service
- Requires 5 server or 25 vista or windows 7 client before successful activation can take place; this threshold is physical machines too, virtual machine do not count until the threshold has been reached.
- KMS key must be installed on Server 2008/R2 and can exist on 6 servers i.e. you can have 6 KMS servers; may be distributed around the enterprise.
- clients contact the KMS server every 180 days; if the client doesn’t it is given a futher grace period.
- KMS requires a DNS SRV records _vlmcs._tcp.domain.name.
- TCP 1688 must be open between the KMS host and clients.