
MCTS 70-646 Plan server installations and upgrades

Plan Server installations and upgrades

Key differences between Microsoft Windows Server 2008 and Microsoft Windows Server 2008 R2.

  • 2008 R2 is 64-bit only (x64 and IA64), whereas 2008 ships in x86, x64 and IA64 builds.
  • 2008 R2 has a Foundation edition.
  • Terminal Services has been renamed Remote Desktop Services in 2008 R2.
  • 2008 R2 has the Active Directory Recycle Bin (needs the forest functional level raised to 2008 R2).
  • 2008 R2 Hyper-V gains Live Migration; Dynamic Memory arrives with 2008 R2 SP1.
  • 2008 R2 adds Managed Service Accounts, AppLocker, DirectAccess, BranchCache, IIS 7.5 and AD CS on Server Core.

Edition differences.

  • Standard
    • 32GB RAM, 4 sockets, one virtualisation licence.
    • 250 incoming RAS or Remote Desktop Gateway connections; a restricted AD CS (no custom certificate templates).
    • Predominantly used for domain controllers, WINS, DNS, DHCP, file and print servers, certificate services and application / web servers.
  • Enterprise
    • 2TB RAM, 8 sockets, 4 virtualisation licences.
    • Failover clustering, AD FS and fully featured AD CS including CA templates; hot add memory.
    • Predominantly used for failover clusters supporting MS SQL or MS Exchange, or where federation services are required.
  • Datacenter
    • 2TB RAM, 64 sockets, unlimited virtualisation licences.
    • Hot add CPU, hot replace CPU and hot replace memory; the hot replace operations rely on dynamic hardware partitioning.
    • Predominantly used for Hyper-V hosts.
  • Web
    • 32GB RAM, 4 sockets; only the Web Server (IIS) and DNS Server roles.
    • Predominantly used for web and application servers.

Core edition benefits

  • Fewer updates, because there is no GUI shell: no patches for Internet Explorer, Media Player and the rest of the desktop stack.
  • Lower hardware requirements, for the same reason.
  • Reduced attack surface, because fewer binaries and services are installed and running.

Scripting in Core

  • Windows PowerShell 2.0 is available on Windows Server 2008 R2 Core (it is not on 2008 Core) but ships as an optional feature that must be enabled first.
  • Windows Script Host, VBScript, the Registry Editor GUI (regedit) and Notepad are present on both.

Installing roles and features in Core

  • oclist lists the installed and available roles and features on 2008 Core, using the Core-specific (case-sensitive) feature names.
  • ocsetup installs them on 2008 Core; run it with start /w, otherwise it returns before the install finishes.
  • In 2008 R2 Core, DISM (dism.exe /online with /get-features and /enable-feature) supersedes oclist and ocsetup, and once PowerShell has been enabled the ServerManager module (Get-WindowsFeature, Add-WindowsFeature and Remove-WindowsFeature) works there as well. On full installations servermanagercmd.exe is deprecated in 2008 R2 in favour of that same PowerShell module.
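The role install above done both ways, as an added example that is not part of the original notes: the 2008 Core path with oclist/ocsetup, then the 2008 R2 Core path with DISM followed by the ServerManager module once PowerShell has been switched on. The first two groups of lines are typed at cmd.exe (PowerShell is not yet available at that point); the feature names are the documented Core names for those releases. The target host and the choice of DNS plus DHCP as the planned roles are assumptions.

```powershell
# Added example (not part of the original notes). Target: a fresh Server Core box
# that should end up as a DNS + DHCP server and nothing else.

# ===== Windows Server 2008 Core: oclist / ocsetup (typed at cmd.exe) =====
oclist                                           # installed vs. available, with Core feature names
start /w ocsetup DNS-Server-Core-Role            # /w waits; ocsetup returns immediately otherwise
start /w ocsetup DHCPServerCore

# ===== Windows Server 2008 R2 Core: DISM replaces oclist/ocsetup (still cmd.exe) =====
dism /online /get-features /format:table
dism /online /enable-feature /featurename:DNS-Server-Core-Role
dism /online /enable-feature /featurename:DHCPServerCore
# PowerShell 2.0 is shipped but off; enable .NET 2.0, PowerShell and the ServerManager cmdlets.
dism /online /enable-feature /featurename:NetFx2-ServerCore
dism /online /enable-feature /featurename:MicrosoftWindowsPowerShell
dism /online /enable-feature /featurename:ServerManager-PSH-Cmdlets

# ===== From here on: powershell.exe on the R2 Core box =====
Import-Module ServerManager

# Roles this server is supposed to carry; anything else installed is unplanned surface.
$planned = 'DNS', 'DHCP'

foreach ($name in $planned) {
    $feature = Get-WindowsFeature -Name $name
    if (-not $feature.Installed) {
        $result = Add-WindowsFeature -Name $name
        '{0}: installed={1} restart needed={2}' -f $name, $result.Success, $result.RestartNeeded
    } else {
        '{0}: already installed' -f $name
    }
}

# Attack-surface check: every installed role/feature that is not in the plan.
# PowerShell 2.0 has no -notin operator, so test the array with -notcontains.
Get-WindowsFeature |
    Where-Object { $_.Installed -and $planned -notcontains $_.Name } |
    Select-Object Name, DisplayName
```

The final pipeline is the part worth keeping around: run it after every change to a Core box and the output is the list of things you did not plan to have installed. Expect parent and dependency features (for example the .NET and PowerShell features enabled above) to show up; decide explicitly whether each one stays.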

Core role deployments

  • Domain controllers, lightweight directory services (AD LDS), DHCP, DNS, WINS, Windows Media Services, file and print services, Hyper-V and Web Server (IIS). On 2008 Core, IIS runs without ASP.NET because there is no .NET Framework; 2008 R2 Core adds .NET, ASP.NET and AD CS.

Core administration

  • Locally at the command line, or remotely through RSAT / MMC snap-ins and WinRM; 2008 R2 Core also ships sconfig.cmd for the basic first-boot settings.
  • CLI tools – netsh (network shell: addressing, DNS, firewall), netdom (rename the computer, join it to a domain, etc.), oclist and ocsetup as described above, slmgr.vbs (licensing and activation), winrm (winrm quickconfig enables the remote management listener and firewall exception) and winrs (runs a command on a remote host over WinRM).
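The first-boot sequence those tools add up to, as an added example rather than anything from the original notes: static addressing and DNS with netsh, rename and domain join with netdom, then the WinRM listener and the firewall groups that remote MMC and Server Manager need. The interface name, addresses, host name and domain are assumptions; licensing with slmgr.vbs is left to the activation section.

```powershell
# Added example (not part of the original notes). First-boot configuration of a
# Server Core host. Interface name, addresses, host name and domain are assumed.
$nic    = 'Local Area Connection'
$domain = 'corp.example'

# netsh: there is no GUI, so addressing and DNS are set here.
netsh interface ipv4 set address name="$nic" source=static address=10.0.0.20 mask=255.255.255.0 gateway=10.0.0.1
netsh interface ipv4 set dnsservers name="$nic" source=static address=10.0.0.10 register=primary
netsh interface ipv4 show config name="$nic"

# netdom: rename first, reboot, then join. /passwordd:* prompts for the password
# instead of leaving it in the command history.
netdom renamecomputer $env:COMPUTERNAME /newname:CORE01 /force
shutdown /r /t 0
# ... after the reboot ...
netdom join CORE01 "/domain:$domain" "/userd:$domain\joiner" /passwordd:*
shutdown /r /t 0

# winrm: enable the WinRM listener plus its firewall exception so winrs and
# PowerShell remoting can reach this host.
winrm quickconfig -q

# Remote MMC / RSAT / Server Manager connections are blocked until the
# "Remote Administration" firewall group is enabled.
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes

# winrs (Windows Remote Shell): typed on the admin workstation, runs on the Core host.
#   winrs -r:CORE01.corp.example ipconfig /all
```

The firewall line is the one most often forgotten: a freshly built Core box answers pings and domain joins fine but refuses every MMC snap-in until that group is enabled. Enable only the groups you actually use (Remote Administration, Remote Event Log Management, Remote Service Management and so on) rather than turning the firewall off.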

Upgrades

  • Core installations cannot be upgraded to full installations (nor full to Core).
  • Windows Server 2003 cannot be upgraded to Windows Server 2008 or 2008 R2 Core.
  • No upgrade path from x86 to x64.
  • Upgrade to the equivalent (or next higher) edition of the same processor architecture, remembering that there is no x86 build of Windows Server 2008 R2, so an x86 installation can only reach R2 by clean install.
  • Windows Server 2008 Core can be upgraded to Windows Server 2008 R2 Core as long as the processor architecture is the same.
  • Windows Server 2003 must be at SP1 for an upgrade to 2008 (SP2 for 2008 R2) and have 30GB of free space on the system volume.
  • Setup produces a compatibility report before committing to the upgrade; read it, since that is where blocked drivers and applications surface.

Upgrade rollback

  • An upgrade from Windows Server 2003 to Windows Server 2008 can be rolled back as long as nobody has successfully logged on to the upgraded system.
  • To be sure you can roll back:
    • Take an ASR (Automated System Recovery) backup of Windows Server 2003 (the ASR wizard in ntbackup takes a full backup as part of the set).
    • Take a system state backup including files and folders.
    • To restore Windows Server 2003: restore from the ASR set, then the system state and full backup, then reinstall any applications.
  • Alternatively P2V the 2003 server, upgrade the copy and test applications there (NOTE: this does not test hardware or driver compatibility on the physical host).
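The upgrade rules and the rollback preparation above, turned into a pre-flight script. This is an added example, not part of the original notes: it assumes PowerShell 1.0 has been installed on the Windows Server 2003 host, that D:\PreUpgrade exists for the backups, and it uses the notes' own 30GB figure as the free-space floor. The ASR set itself is wizard-only in ntbackup, so only the system state and full backups are scripted.

```powershell
# Added example (not part of the original notes). Checks the upgrade rules from the
# notes on a Windows Server 2003 box, then takes the scriptable half of the rollback
# backups. Assumes PowerShell 1.0 on the 2003 host and an existing D:\PreUpgrade.

function Test-UpgradePath {
    param([string]$Target = '2008R2')   # '2008' or '2008R2'

    $os       = Get-WmiObject Win32_OperatingSystem
    $cpu      = Get-WmiObject Win32_Processor | Select-Object -First 1
    $sysDisk  = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($os.SystemDrive)'"
    $blockers = @()

    # AddressWidth reports the OS address width (32 on an x86 install even on 64-bit CPUs).
    # x86 -> x64 is not an upgrade path, and 2008 R2 has no x86 build at all.
    if ($cpu.AddressWidth -ne 64 -and $Target -eq '2008R2') {
        $blockers += 'x86 installation: no upgrade path to 2008 R2 (64-bit only); clean install required'
    }

    # Service pack floor: SP1 for an upgrade to 2008, SP2 for 2008 R2.
    $sp = 0
    if ($os.CSDVersion -match 'Service Pack (\d+)') { $sp = [int]$matches[1] }
    $need = if ($Target -eq '2008R2') { 2 } else { 1 }
    if ($sp -lt $need) { $blockers += "Running SP$sp; SP$need or later required" }

    # Free space on the system volume (30 GB is the figure the notes use).
    $freeGB = [math]::Round($sysDisk.FreeSpace / 1GB, 1)
    if ($freeGB -lt 30) { $blockers += "Only $freeGB GB free on $($os.SystemDrive); 30 GB needed" }

    # Edition stays the same (or goes one step up); Core is never a target from 2003.
    if ($os.Caption -match 'Enterprise')      { $edition = 'Enterprise' }
    elseif ($os.Caption -match 'Datacenter')  { $edition = 'Datacenter' }
    else                                       { $edition = 'Standard' }
    Write-Host "Detected 2003 $edition; target must be a full (non-Core) $edition or higher, same architecture"

    return $blockers
}

$issues = @(Test-UpgradePath -Target '2008R2')
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { "BLOCKER: $_" }
} else {
    'No blockers found; run setup and read its compatibility report before continuing.'
}

# Rollback insurance: system state, then a full backup of the system volume.
# The ASR set must still be made through the ntbackup wizard.
ntbackup backup systemstate /J "Pre-upgrade system state" /F "D:\PreUpgrade\systemstate.bkf"
ntbackup backup "$env:SystemDrive\" /J "Pre-upgrade system volume" /F "D:\PreUpgrade\sysvol.bkf"
```

Treat a non-empty blocker list as a stop: none of these conditions can be fixed by setup itself, and an x86 or under-patched 2003 box that fails the check needs a clean install (or the P2V route) rather than an upgrade attempt.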

Bit Locker

BitLocker is full-volume encryption that keys off either a Trusted Platform Module (TPM) 1.2 or, on hardware without one, a USB startup key. Windows 7 (Enterprise and Ultimate) and Windows Server 2008 R2 setup create a small unencrypted System Reserved partition (100MB) at the front of the disk that holds the boot files, so BitLocker can be enabled directly; Vista and Windows Server 2008 do not, so run the BitLocker Drive Preparation Tool there first (it carves out a 1.5GB system partition).

The volume data is encrypted with a symmetric AES key (the Full Volume Encryption Key, FVEK) for speed. The FVEK is wrapped by the Volume Master Key (VMK), and the VMK is what the key protectors guard: the TPM seals it with its asymmetric storage root key, bound to the measured boot state, or a USB startup key or a 48-digit recovery password unlocks it. Recovery passwords can be backed up to the computer object in AD DS, and startup and recovery keys can be written to USB flash drives. (NOTE: with no TPM, a USB startup key on its own unlocks the operating system drive, no password involved; a PIN can only be used in combination with a TPM.)
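The TPM-plus-recovery-password deployment described above, as an added example that is not from the original notes: it installs the BitLocker feature on a Windows Server 2008 R2 host, checks the TPM through WMI, turns BitLocker on with manage-bde, then parses manage-bde's own output to find the recovery password protector and push it to AD DS. The drive letter, the TPM owner passphrase and the assumption that no protector exists yet are mine; on Vista and Windows Server 2008 the same commands run as cscript manage-bde.wsf.

```powershell
# Added example (not part of the original notes): enable BitLocker on the OS volume of a
# Windows Server 2008 R2 host with a TPM protector plus a numerical recovery password,
# then back that recovery password up to the computer object in AD DS.
# Drive letter and TPM owner passphrase are assumptions.
$volume = 'C:'

Import-Module ServerManager
if (-not (Get-WindowsFeature BitLocker).Installed) {
    Add-WindowsFeature BitLocker        # reboot required before manage-bde works; rerun afterwards
    return
}

# 1. Is there a TPM and is it ready? Each Win32_Tpm method returns an object carrying
#    a property of the same name (IsEnabled().IsEnabled and so on).
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if ($tpm -eq $null) {
    # No TPM: the OS volume can still be protected, but only with a USB startup key
    # (requires the "Allow BitLocker without a compatible TPM" policy). A PIN needs a TPM.
    throw "No TPM found; use: manage-bde -on $volume -StartupKey F:\ -RecoveryPassword"
}
if (-not $tpm.IsEnabled().IsEnabled -or -not $tpm.IsActivated().IsActivated) {
    manage-bde -tpm -turnon             # queues the BIOS request; physical presence + reboot follow
    return
}
if (-not $tpm.IsOwned().IsOwned) {
    manage-bde -tpm -takeownership 'ChangeMe-TPM-Owner-Passphrase'
}

# 2. Encrypt. On a TPM machine the TPM protector is added automatically; -RecoveryPassword
#    adds the 48-digit password that AD DS will hold. Data stays AES-encrypted with the
#    FVEK; what the TPM seals is the VMK that wraps it.
manage-bde -on $volume -RecoveryPassword -SkipHardwareTest

# 3. Pull the numerical-password protector ID(s) out of manage-bde's text output.
$type = ''
$recoveryIds = @()
foreach ($line in (manage-bde -protectors -get $volume)) {
    if ($line -match '^\s*(TPM|Numerical Password|External Key|TPM And PIN):') { $type = $matches[1] }
    elseif ($type -eq 'Numerical Password' -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') {
        $recoveryIds += $matches[1]
    }
}

# 4. Back each recovery password up to AD DS. Needs the 2008+ schema
#    (ms-FVE-RecoveryInformation); the "Store BitLocker recovery information in
#    AD DS" Group Policy makes this step automatic for future enables.
foreach ($id in $recoveryIds) { manage-bde -protectors -adbackup $volume -id $id }

# 5. Verify protectors and encryption progress.
manage-bde -status $volume
```

Two checks worth making after this runs: that manage-bde -status lists both a TPM and a Numerical Password protector, and that the computer object in AD DS now has a msFVE-RecoveryInformation child (visible in Active Directory Users and Computers with the BitLocker Recovery tab installed). Without the AD backup, losing the USB or paper copy of the recovery password means losing the volume.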

Activation

Methods

  • MAK – Multiple Activation Key
    • One key per edition, activated a fixed number of times; each activation consumes one from the key's pool, either directly with Microsoft or through a MAK proxy.
    • A MAK proxy activates clients with no direct internet access. The proxy is part of VAMT: it collects the clients' installation IDs into a .cil (Computer Information List, XML) file, sends them to Microsoft from a connected machine and imports the confirmation IDs back; the .cil file is generated from within VAMT.
    • MAK is the fit below the KMS thresholds (fewer than 25 desktop clients or 5 servers) or for machines that rarely reach the corporate network; above that, use KMS.
    • VAMT discovers and queries clients over WMI (RPC), so the Windows Management Instrumentation exception must be enabled in the client firewall; TCP 1688 is KMS traffic, not a VAMT requirement.
    • VAMT can store MAK keys and install them on clients remotely.
  • KMS – Key Management Service
    • The host only grants activations once it has seen 5 distinct server or 25 distinct Vista / Windows 7 client installations (the count is of unique client machine IDs); virtual machines are not counted toward the threshold.
    • The KMS host key is installed on Windows Server 2008/R2; one host key can be activated on up to six KMS hosts, which may be distributed around the enterprise.
    • Clients attempt to renew with the host every 7 days, and a successful renewal is good for 180 days; a client that cannot reach a host for 180 days drops into a further grace period before notifications begin.
    • KMS hosts register a DNS SRV record, _vlmcs._tcp.domain.name, through dynamic DNS, and clients use it for auto-discovery.
    • TCP 1688 must be open from clients to the KMS host.
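The KMS host and client side of the above, plus the checks to run when activation fails, as an added example that is not part of the original notes. Host name, domain and the KMS host key placeholder are assumptions; the firewall group names are the built-in Windows ones.

```powershell
# Added example (not part of the original notes). Top: bring up a KMS host on Server 2008 R2
# and watch its count climb toward the threshold. Bottom: what to check on a client when
# activation fails. Host name, domain and the key placeholder are assumptions.
$slmgr   = "$env:windir\System32\slmgr.vbs"
$domain  = 'corp.example'
$kmsHost = "kms01.$domain"

# ----- KMS host -----
cscript //nologo $slmgr /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX   # KMS host key (placeholder), once
cscript //nologo $slmgr /ato                                 # activate the host itself with Microsoft
netsh advfirewall firewall set rule group="Key Management Service" new enable=yes   # TCP 1688 inbound
cscript //nologo $slmgr /dlv    # "Current count" must reach 25 (clients) / 5 (servers) before activations succeed

# ----- Client / troubleshooting -----
# 1. Auto-discovery depends on the SRV record the host registered via dynamic DNS.
nslookup -type=srv "_vlmcs._tcp.$domain"

# 2. Is TCP 1688 actually reachable? Site-to-site firewalls are the usual culprit.
function Test-KmsPort {
    param([string]$HostName, [int]$Port = 1688)
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($HostName, $Port); $true }
    catch   { $false }
    finally { $client.Close() }
}
if (-not (Test-KmsPort $kmsHost)) { "TCP 1688 to $kmsHost is blocked" }

# 3. Pin the host only when SRV discovery cannot be used; /skms disables auto-discovery on this client.
cscript //nologo $slmgr /skms "${kmsHost}:1688"
cscript //nologo $slmgr /ato
cscript //nologo $slmgr /xpr    # expiry: 180 days from the last successful renewal (clients retry every 7 days)

# ----- VAMT collects over WMI, not over 1688: open the WMI group on managed clients -----
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
```

If /dlv on the host shows a count below the threshold, the clients are doing nothing wrong: they will keep retrying every two hours until enough distinct machines have checked in, and only then start receiving activations. Once activated, /xpr on a client is the quickest way to confirm the 180-day window is being renewed.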