Windows Server 2008 R2: Summary of Changes from R1 to R2
Windows Server 2008 was Microsoft's most ambitious server operating system update since Windows
2000 Server. Windows Server 2008 R2 improves upon the original release of Windows Server 2008 in
many key areas. Some of the changes, which enhance functionality, can be clearly seen in the user
interface; others are subtle, behind-the-scenes changes that improve reliability, security, and performance.
This supplementary document is intended to be used with the Microsoft Windows Server 2008 books
published by Course Technology that prepare students for the Microsoft MCTS and MCITP certification
exams. This document is organized according to the objectives of the 70-640, 70-642, and 70-643 MCTS
certification exams. Because the MCITP exams (70-646 and 70-647) focus on planning and implementing
the technologies covered in the MCTS exams instead of introducing new technologies, the MCITP exam
objectives are not explicitly covered, but they are covered implicitly. Changes that do not fit neatly with a
particular exam objective are covered in the section General Changes from Windows Server 2008 to
Windows Server 2008 R2.
This document does not attempt to be exhaustive in its coverage of R2 changes; rather, it focuses on
changes that most pertain to the certification exams and changes that most affect a reader's ability to work
with Windows Server 2008.

General Changes from Windows Server 2008 R1 to Windows Server 2008 R2


Changes between Windows Server 2008 and Windows Server 2008 R2 that are not necessarily related to a
particular certification exam objective include:

Windows Server 2008 Foundation edition: In addition to the usual Standard, Enterprise, and
Datacenter editions, Microsoft introduced Windows Server 2008 R2 Foundation edition. This is
designed to be pre-installed on original equipment manufacturer (OEM) servers and used in businesses
with 15 or fewer users. Windows Server 2008 R2 Foundation does not require client access licenses
and cannot operate in multi-domain forests. For more on Windows Server 2008 R2 Foundation, see
www.microsoft.com/windowsserver2008/en/us/foundation.aspx.
64-bit only: With Windows Server 2008 R2, Microsoft has made the plunge into an exclusively 64-bit
OS. All editions of Windows Server 2008 R2 are 64-bit OSs and can only be run on a 64-bit CPU. If
you are running older 32-bit hardware, you cannot upgrade to Windows Server 2008 R2 on that
hardware. In most cases, this limitation will not be a problem because all modern CPUs since about
2005, particularly those designed for servers, are 64-bit CPUs. However, this 64-bit-only limitation
does not apply to the Windows client line of OSs as of this writing.
256 CPU cores supported: Up from 64 CPU cores supported in the original Windows Server 2008,
Windows Server 2008 R2 supports 256 CPU cores.
Server Manager enhancements: Server Manager has undergone some changes, most notably the
ability to use it to remotely manage a Windows Server 2008 R2 server. This allows you to connect
Server Manager to a remote server running Windows Server 2008 R2. You can create a custom MMC
and add multiple instances of the Server Manager snap-in, with each instance connected to a different
server. Figure 1 shows a custom MMC with three instances of Server Manager, each connected to a
different server.

Figure 1. Server Manager remote management with a custom MMC

Other Server Manager enhancements include the Best Practices Analyzer, additional Windows
PowerShell cmdlets, and additional roles and features that can be installed from Server Manager. The
Best Practices Analyzer (BPA), available for selected roles, provides administrators with a report that
lists violations to best practices for the installation and configuration for the selected role. Figure 2
shows an example of a report produced by the BPA for the Active Directory Domain Services role.

Figure 2. Best Practices Analyzer in Server Manager

Windows PowerShell 2.0, now installed by default on Windows Server 2008 R2, contains new
cmdlets for managing Windows Server 2008 R2, including the ability to install, uninstall, and view
information about roles and features. These cmdlets are: Add-WindowsFeature, Get-WindowsFeature,
and Remove-WindowsFeature.
Changes to the available roles and features in Server Manager include the renaming of Terminal
Services to Remote Desktop Services, which now supports the Aero Glass UI, multiple monitors, and
DirectX versions 9 through 11, and the renaming of Print Services to Print and Document Services. Windows
Software Update Services (WSUS) can now be installed using Server Manager instead of requiring a
separate download. Several new features are available in Windows Server 2008 R2 and can be
installed using Server Manager. They are discussed in the appropriate sections of this document.
Server Core supports the .NET Framework: The Server Core installation option of Windows Server
2008 R2 now supports a subset of the .NET Framework, which, among other things, allows Server
Core to run PowerShell 2.0 and ASP.NET applications.
User Account Control (UAC) changes: UAC was introduced in Windows Vista and Windows Server
2008 and is designed to reduce the likelihood that malicious software will be inadvertently installed.
However, some users and administrators felt that the number of prompts they had to answer to perform
common tasks was excessive. UAC in Windows Server 2008 R2 is improved by increasing the number
of tasks that can be performed without administrator approval. The new and improved UAC also
allows administrators to configure UAC in Control Panel (see Figure 3) to choose aspects of its
behavior, such as when and if the desktop should be dimmed and whether UAC should prompt when
making changes to Windows settings.

Figure 3. User Account Control configuration

Core parking: Most systems today run one or more CPUs with multiple cores. Core parking enables
the OS to suspend cores that are not in use, thereby reducing power consumption. When CPU
requirements increase, suspended cores can be reactivated immediately to meet the increase in
performance requirements.
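The Server Manager cmdlets mentioned above (Get-WindowsFeature, Add-WindowsFeature, Remove-WindowsFeature) are most useful from a security standpoint as an inventory tool: an installed role that nobody asked for is attack surface. The following script is an added example, not code from this document or from Microsoft; the approved-feature list is a constructed assumption that you would replace with your own build standard.

```powershell
# Added example: inventory installed roles and features on Windows Server 2008 R2
# and flag anything outside an approved baseline.
Import-Module ServerManager

# Constructed baseline: feature names exactly as Get-WindowsFeature reports them.
$approved = @('AD-Domain-Services', 'DNS', 'Windows-Server-Backup', 'PowerShell-ISE')

function Get-UnapprovedFeatures {
    param([string[]]$Baseline)
    # Restrict to what is actually installed, not the whole catalogue.
    Get-WindowsFeature | Where-Object { $_.Installed } |
        Where-Object { $Baseline -notcontains $_.Name }
}

$extra = Get-UnapprovedFeatures -Baseline $approved
if ($extra) {
    "Installed roles/features not in the approved baseline:"
    $extra | Format-Table Name, DisplayName -AutoSize
    # Review before removing anything; -WhatIf shows what would be uninstalled.
    # $extra | Remove-WindowsFeature -WhatIf
} else {
    "All installed roles and features are in the approved baseline."
}
```

Run it on each server as part of a build check; the commented Remove-WindowsFeature line is left for you to run deliberately after reviewing the list, because removing a role also removes any dependent features.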

70-640 Exam Objectives R2 Changes


We will now cover the most important changes in Windows Server 2008 R2 as they pertain to the 70-640:
Windows Server 2008 Active Directory, Configuring MCTS exam. The first section discusses general
changes that apply to Active Directory administration but do not fit directly with an exam objective. The
subsequent sections are organized by the individual exam objectives. If no relevant changes apply to an
exam objective, the objective is omitted.

General Changes that Pertain to 70-640 Exam Content


The following subsections describe changes in Windows Server 2008 R2 that pertain to the 70-640 exam
but do not fit a specific exam objective; instead, they apply to Active Directory configuration in general:
Active Directory Administrative Center (ADAC)
Active Directory Web Service (ADWS)
Active Directory PowerShell 2.0 New Cmdlets
Active Directory Administrative Center (ADAC)
Perhaps the biggest visual change in Active Directory configuration is the new Active Directory
Administrative Center. Whereas Active Directory Users and Computers is a more data-oriented tool,
ADAC is task-oriented, providing administrators with easy access to commonly performed tasks. The
initial screen of ADAC, shown in Figure 4, illustrates the task-oriented nature of this new tool, giving
administrators quick access to password changes and Active Directory search. ADAC does not replace
Active Directory Users and Computers or the other Active Directory-specific management consoles, but it
will eventually include functions for Active Directory Domains and Trusts and Active Directory Sites and
Services as well as provide graphical interfaces to functions such as the new Active Directory Recycle Bin
and fine-grained password policies. Built on Windows PowerShell, this new tool will give administrators a
single interface to manage almost every aspect of their Active Directory infrastructure. For now,
administrators can perform most of the functions provided in Active Directory Users and Computers, but
with a new task-oriented interface. The tasks that can be performed include:
Connecting to and managing remote domains and domain controllers

Filtering Active Directory data


Creating new and managing existing user, group, and computer accounts
Creating new and managing existing organizational units
In addition to running on Windows Server 2008 R2, ADAC can be installed on Windows 7 as part of
the Remote Server Administration Tools (RSAT) available on the Microsoft download site.

Figure 4. Active Directory Administrative Center


Active Directory Web Service (ADWS)
Active Directory Web Service (ADWS) is a new service that provides a Web interface to Active Directory
domains, Active Directory Lightweight Directory Services (ADLDS) instances, and Active Directory
Database Mounting Tool instances. Both the Active Directory Windows PowerShell module and ADAC

depend on this service, so it is installed and enabled by default when Active Directory or ADLDS instances
are installed. ADWS requires TCP port 9389 to be open, and a Windows firewall exception is
automatically created. However, if Group Policy is used to configure the server firewall, the relevant GPO
must be edited to allow this exception. ADWS (referred to as Active Directory Management Gateway
Service) can be installed as an update for Windows Server 2008 and Windows Server 2003 servers.
Active Directory PowerShell 2.0 New Cmdlets
The Active Directory module for Windows PowerShell provides over 75 new cmdlets for managing Active
Directory and Active Directory objects. These new cmdlets allow administrators to perform a host of
configuration, administration, and diagnostic tasks in the Active Directory (and ADLDS) environment.
Although the cmdlets are too numerous to list here, the following list describes a few of the tasks that can
be performed using PowerShell:
Unlock-ADAccount: Unlock an account
Set-ADAccountPassword: Change an account password
New-ADComputer: Create a new computer account
Set-ADDefaultDomainPasswordPolicy: Change the default password policy
Set-ADDomainMode: Set the domain functional level
Set-ADFineGrainedPasswordPolicy: Modify a fine-grained password policy
New-ADGroup: Create a new group account
New-ADUser: Create a new user account
For a complete list of cmdlets available with PowerShell 2.0 and the Active Directory module, see
http://technet.microsoft.com/en-us/library/ee617195.aspx.
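As an added example of the cmdlets listed above (not code from this document), the following script hardens the default domain password policy, creates a stricter fine-grained password policy for a privileged group, and verifies which policy actually applies to a user. The policy name, the threshold values and the sample account name are constructed assumptions.

```powershell
# Added example: default domain policy, a fine-grained password policy (FGPP)
# for administrators, and a resultant-policy check.
Import-Module ActiveDirectory

# Harden the default domain policy; it applies to every account without an FGPP.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -MinPasswordLength 12 -ComplexityEnabled $true `
    -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00'

# Stricter policy for administrators. FGPPs need the Windows Server 2008 or
# higher domain functional level; the lowest Precedence wins when several apply.
$adminPolicy = 'PSO-PrivilegedAdmins'   # constructed name
if (-not (Get-ADFineGrainedPasswordPolicy -Filter { Name -eq $adminPolicy })) {
    New-ADFineGrainedPasswordPolicy -Name $adminPolicy -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MaxPasswordAge '42.00:00:00' -LockoutThreshold 5 `
        -LockoutDuration '01:00:00' -LockoutObservationWindow '01:00:00'
}
Add-ADFineGrainedPasswordPolicySubject -Identity $adminPolicy -Subjects 'Domain Admins'

# Verify the policy that actually applies to a given user (the resultant PSO).
Get-ADUserResultantPasswordPolicy -Identity 'Administrator' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

# Unlock an account that hit the threshold, after confirming the lockout was benign.
Unlock-ADAccount -Identity 'jdoe'   # constructed sAMAccountName
```

Get-ADUserResultantPasswordPolicy is the check worth keeping in your toolbox: it tells you what a user is actually subject to, which is what an auditor will ask.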

Configuring DNS for Active Directory


DNS configuration and management is a topic in the 70-640 and 70-642 exams. Most of the changes in
DNS relate to the DNS service in general and are covered under Configuring Name Resolution in the
70-642 section of this document. The DNS topics covered might pertain to both exams, however, so if you are
preparing for the 70-640 exam, you should study the DNS changes outlined in that section. The DNS topics
discussed in that section are:
DNS Security Extensions
DNS Cache Locking
DNS Socket Pool
DNS Devolution

Configuring the Active Directory Infrastructure


Most of the R2 changes that pertain to the Configuring the Active Directory Infrastructure section of the
70-640 exam objectives are related to the sub-objective Configure a forest or domain, as detailed in the
following section.
Configure a Forest or Domain
The R2 changes that affect this objective pertain to these new Windows Server 2008 R2 functional levels:
Windows Server 2008 R2 domain functional level: With Windows Server 2008 R2 comes the
Windows Server 2008 R2 domain functional level. By upgrading your domain to the new R2
functional level, your domain controllers can take advantage of the new authentication mechanism
assurance feature (discussed under Configuring Active Directory Certificate 2.0 Services) and
managed service accounts (discussed under Creating and Maintaining Active Directory Objects). All
domain controllers in the domain must be running Windows Server 2008 R2 in order to raise the
functional level. In the past, it was impossible to revert to an earlier functional level once it was raised.
With Windows Server 2008 R2, there is one exception to this rule: If the forest functional level is
lower than Windows Server 2008 R2, you can revert the domain functional level from Windows
Server 2008 R2 to Windows Server 2008.
Windows Server 2008 R2 forest functional level: The R2 forest functional level brings with it one
new feature: the Active Directory Recycle Bin, discussed under Maintaining the Active Directory
Environment. You can raise the forest functional level to Windows Server 2008 R2 if all domain
controllers in all domains are running Windows Server 2008 R2. As with the R2 domain functional
level, you can roll back the forest functional level from Windows Server 2008 R2 to Windows Server
2008, but only if the Active Directory Recycle Bin feature has not been enabled. Once it has been
enabled, the forest functional level cannot be changed to Windows Server 2008.

Configuring Active Directory Roles and Services


This 70-640 objective encompasses Active Directory Lightweight Directory Service (ADLDS), Active
Directory Rights Management Services (ADRMS), Read-Only Domain Controllers (RODCs), and Active
Directory Federation Services (ADFSv2).
Configure Active Directory Lightweight Directory Service (ADLDS)
ADLDS is affected by the changes in functional level afforded by Windows Server 2008 R2. In particular,
by raising the functional level of your ADLDS instance, you can take advantage of the new AD Recycle
Bin. ADLDS can also take advantage of the new PowerShell tools made available in PowerShell 2.0 and
ADWS, allowing you to manage ADLDS objects using PowerShell cmdlets.
Configure Active Directory Rights Management Service (ADRMS)
No major changes to this Active Directory role have been made aside from the ability of administrators to
manage ADRMS from the command line using PowerShell cmdlets. PowerShell cmdlets are available to
install and provision the ADRMS role and administer most aspects of the role once installed.
Configure the Read-Only Domain Controller (RODC)
On Windows Server 2008, changes could be made to the SYSVOL folder on an RODC, potentially causing
problems until the folder was overwritten by a read-write DC. On Windows Server 2008 R2, the SYSVOL
folder is read-only, preventing changes to the folder except by the replication process.
Configure Active Directory Federation Services (ADFSv2)
The ADFS role has not substantially changed, but administrators who deploy ADFS using certificate-based
authentication will be interested in the new authentication mechanism assurance feature used to
differentiate users who authenticate using certificates versus other methods. Authentication mechanism
assurance is discussed in more detail under Configuring Active Directory Certificate 2.0 Services.

Creating and Maintaining Active Directory Objects

R2 introduces several changes in Active Directory object maintenance and group policy. Some changes
have already been discussed, such as the plethora of PowerShell cmdlets available for managing Active
Directory objects. The following sections discuss other changes as they pertain to this objective.
Automate Creation of Active Directory Accounts
A new process for joining Windows 7 or Windows Server 2008 R2 computers to a domain, called offline
domain join, has been introduced to allow administrators to join computers without network connectivity
to a domain. Computers can be joined to the domain the first time they start up after a new OS installation,
and they do not require a restart. The command-line program djoin.exe is used to preprovision the accounts
in Active Directory. The steps for performing an offline domain join can be found at
http://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step(WS.10).aspx, or you can
go to the Microsoft Technet site and search for "offline domain join."
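The two halves of an offline domain join, as an added example that is not from this document: the provisioning step runs on a domain-joined machine under an account allowed to create computer objects, and the request step runs on the new Windows 7 or Windows Server 2008 R2 machine before its first start into the domain. The domain name, OU, machine name and file paths are constructed assumptions.

```powershell
# Added example: offline domain join with djoin.exe.
$domain   = 'corp.example.com'                             # constructed
$machine  = 'WS-0042'                                      # constructed
$ou       = 'OU=Workstations,DC=corp,DC=example,DC=com'    # constructed
$blobFile = "$env:TEMP\$machine.djoin"

# 1. Provision the computer account and write the join blob. /reuse is left out
#    on purpose so an existing account with the same name is not silently taken over.
djoin.exe /provision /domain $domain /machine $machine /machineou $ou /savefile $blobFile
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# The blob contains the material the new machine needs to authenticate as that
# computer account, so restrict it to the provisioning user and delete it after use.
icacls.exe $blobFile /inheritance:r /grant:r "${env:USERNAME}:(R)" | Out-Null
"Join blob written to $blobFile; copy it to $machine over a protected channel."

# 2. On the target machine, as a local administrator, with the blob copied to C:\:
#    djoin.exe /requestODJ /loadfile C:\WS-0042.djoin /windowspath $env:SystemRoot /localos
#    Remove-Item C:\WS-0042.djoin
#    The join completes at the machine's next start; no further restart is required.
```

Treat the saved blob like a credential: it is exactly the thing that lets a machine claim that computer account.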
Maintain Active Directory Accounts
Most services installed on a server require access to system and/or network resources. To gain access to a
resource, a running service, just like a user, must log on to the system and have the appropriate rights and
permissions granted. Windows Server 2008 has two built-in accounts that have sufficed for this purpose:
the Local System Account and the Network Service Account. However, using these two accounts for each
and every running service poses some security problems. Running services are likely to have more
privileges than they actually need, and system auditing becomes more difficult when a single account is
involved in many different types of actions.
Although you can often create a domain account for some services to use and then assign only the
necessary privileges to that account, there are problems with that solution. The biggest problem is that of
the account password. The built-in accounts automatically change their password periodically, but a
managed domain account must either have its password changed manually when the password expires or
have its password set to never expire. Both scenarios can be problematic. If an administrator must manually
change the password for an account used by a service and yet fails to do so, the service will fail to run if the
password expires. If the administrator sets the account password to never expire, the system will likely fail
a security audit. To resolve these dilemmas, Microsoft introduced managed service accounts (MSAs) in
Windows Server 2008 R2.

MSAs are accounts you can create using the New-ADServiceAccount PowerShell cmdlet. You cannot
use the GUI to create MSAs. MSAs solve the password problem by using automated password
regeneration provided by the netlogon service. MSA passwords are changed every 30 days and are 240
random characters in length. You can only use MSAs on a server running Windows Server 2008 R2 or a
computer running Windows 7; however, neither the domain nor the forest functional level need be R2. To
use MSAs, you must first run adprep /forestprep at the forest level and adprep /domainprep in each domain
where you will use MSAs. New MSAs are located in a new Active Directory folder named Managed
Service Accounts located at the root of the domain in Active Directory Users and Computers or ADAC.
You can create an MSA for as many services as you wish and assign individual permissions and rights to
each account according to the needs of the particular service. For more information on MSAs, see
http://technet.microsoft.com/en-us/library/dd548356(WS.10).aspx.
Similar to a managed service account, a virtual account is designed primarily to be used in place of
the Network Service Account. Virtual accounts use the computer account's credentials to access the
network in a domain environment. You don't create virtual accounts like you do MSAs, however. Virtual
accounts are created automatically when you configure a service by specifying "NT Service\ServiceName"
on the Log On tab of a service's properties and restarting the service. The service name can be found on the
General tab of the service's properties page. Both password fields must remain blank as the password is
automatically generated (see Figure 5). As with MSAs, virtual accounts can only be used on Windows
Server 2008 R2 or Windows 7 systems, but no change to the Active Directory schema is necessary. For
more information on virtual accounts, see http://technet.microsoft.com/en-us/library/dd548356(WS.10).aspx.
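The end-to-end MSA procedure described above, and the virtual-account alternative, as an added example that is not code from this document or from Microsoft. It is meant to run on the Windows Server 2008 R2 host that will run the service, by a domain administrator with the Active Directory module installed; the MSA name and the service name are constructed assumptions, and the Set-ServiceLogonAccount helper (which changes the logon account through WMI) is mine.

```powershell
# Added example: create a managed service account, bind it to this host, and
# run a service under it so Netlogon, not an administrator, owns the password.
Import-Module ActiveDirectory

$msaName = 'svcReports'        # constructed MSA name; sAMAccountName becomes svcReports$
$service = 'ReportScheduler'   # constructed name of the service on this host
$domain  = (Get-ADDomain).NetBIOSName

function Set-ServiceLogonAccount {
    # Change a service's logon account via WMI. The empty password is correct for
    # MSAs and virtual accounts: Windows supplies the password itself.
    param([string]$Name, [string]$Account)
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service $Name not found" }
    $rc = $svc.Change($null, $null, $null, $null, $null, $null, $Account, '')
    if ($rc.ReturnValue -ne 0) { throw "Change failed with return value $($rc.ReturnValue)" }
}

# 1. Create the MSA; it appears in the Managed Service Accounts container at the domain root.
if (-not (Get-ADServiceAccount -Filter { Name -eq $msaName })) {
    New-ADServiceAccount -Name $msaName -Enabled $true
}

# 2. Bind it to this computer (an R2 MSA serves exactly one computer) and install it
#    locally so Netlogon can rotate the 240-character password every 30 days.
Add-ADComputerServiceAccount -Identity $env:COMPUTERNAME -ServiceAccount $msaName
Install-ADServiceAccount -Identity $msaName

# 3. Point the service at the account (note the trailing $) and restart it.
#    If it fails to start, grant the account the "Log on as a service" right.
Set-ServiceLogonAccount -Name $service -Account "$domain\$msaName`$"
Restart-Service -Name $service

# Virtual-account alternative (no AD object, machine credentials on the network):
# Set-ServiceLogonAccount -Name $service -Account "NT Service\$service"

# Check: the account exists, is enabled, and is tied to this host only.
Get-ADServiceAccount -Identity $msaName -Properties HostComputers |
    Select-Object Name, Enabled, HostComputers
```

The HostComputers check at the end is the one to keep: an MSA that is bound to more hosts than intended is a sign that someone reused a service identity across systems, which defeats the per-service least-privilege goal the text describes.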

Figure 5. Creating a virtual account

Create and Apply Group Policy Objects


Changes in the creation and application of GPOs can be broken into these categories:
Group Policy Preferences: Windows Server 2008 R2 adds several new Group Policy Preference
items. New power plan options improve flexibility in assigning power options to domain computers. A
Scheduled Task preference item can be used to create, update, and delete scheduled tasks on domain
computers running Windows Vista, Windows 7, and Windows Server 2008. In addition, an Immediate
Task preference item has been added to allow administrators to create tasks that are run immediately
after the next Group Policy refresh. The task is run once and then removed. Internet Explorer 8
preference items have been added to support IE8.
Starter GPOs: A number of new Starter GPOs are available in Windows Server 2008 R2 that contain
recommended Group Policy settings for the Windows Vista Enterprise Client, Windows XP SP2
Enterprise Client, and several others. These Starter GPOs could be downloaded for Windows Server 2008
but are included with R2.
Administrative Templates: The primary change in Administrative Templates is an improved user
interface in which the tabbed interface (consisting of Setting, Explain, and Comment) is replaced by a
single box showing the content of all three tabs, as shown in Figure 6. Over 300 policy settings have
been added for Windows Server 2008 R2 and Windows 7.
Group Policy PowerShell cmdlets: Over 25 new cmdlets are available in PowerShell to automate
Group Policy tasks, including GPO creation and deletion, GPO linking, and creating and editing
Starter GPOs.
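An added example (not from this document) of the Group Policy cmdlets and Starter GPOs together: create a GPO seeded from a Starter GPO, link it to an OU, and export an HTML report of the resulting settings for change review. The GPO name and OU are constructed assumptions; the Starter GPO name is also an assumption, so check Get-GPStarterGPO for the names actually present on your server.

```powershell
# Added example: GPO from a Starter GPO, linked and enforced, with a review report.
Import-Module GroupPolicy

$gpoName    = 'Baseline-Workstations'                         # constructed
$starterGpo = 'Windows 7 Enterprise Client'                   # assumed; list with Get-GPStarterGPO -All
$targetOu   = 'OU=Workstations,DC=corp,DC=example,DC=com'     # constructed

# Create the GPO from the Starter GPO unless it already exists.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -StarterGpoName $starterGpo -Comment 'Created from Starter GPO by script'
}

# Link it to the OU; Enforced prevents child OUs from blocking inheritance.
New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes -Enforced Yes

# Export the settings for review or attachment to a change ticket.
$report = "$env:TEMP\$gpoName.html"
Get-GPOReport -Name $gpoName -ReportType Html -Path $report
"Report written to $report"
```

Get-GPOReport is worth running before and after any edit: diffing two reports is the simplest way to show exactly which settings a change touched.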

Figure 6. New look for Group Policy Administrative Templates

Deploy and Manage Software by Using Group Policy Objects


The new Application Control Policies (or AppLocker) section of a GPO replaces the Software Restriction
Policies. However, Software Restriction Policies are still available for older Windows OSs, because
AppLocker is only available for Windows Server 2008 R2 and Windows 7 systems.
AppLocker reduces overhead for administrators who need to restrict which applications can be used
by users in their organization. AppLocker allows administrators to define application rules based on the
application's digital signature, publisher, name, file name, and version. Rules can be assigned to individual
users or security groups, and exceptions can be created for specific .exe files. An audit-only mode allows
you to see what files would be affected by the policy without actually enabling it live in the domain.
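The audit-only workflow described above, as an added example that is not code from this document: generate executable rules from what is installed on a reference machine, force every rule collection into AuditOnly, test a sample path against the policy, deploy it to a GPO, and read back the audit events. The GPO LDAP path is a placeholder, and the test path and user are constructed assumptions.

```powershell
# Added example: AppLocker executable rules deployed in audit-only mode.
Import-Module AppLocker

$policyXml = "$env:TEMP\AppLocker-Audit.xml"
# Placeholder: LDAP path of the target GPO, as shown by Get-GPO | Select Path.
$gpoDn = 'LDAP://DC01.corp.example.com/CN={GUID-OF-GPO},CN=Policies,CN=System,DC=corp,DC=example,DC=com'

# 1. Publisher rules for signed files, hash rules for unsigned ones, built from
#    the reference machine; -Optimize merges overlapping rules.
Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyXml -Encoding UTF8

# 2. Set every rule collection to AuditOnly: nothing is blocked, but each file
#    that would have been blocked is logged.
[xml]$doc = Get-Content $policyXml
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$doc.Save($policyXml)

# 3. Ask the policy what it would do with a given file for a given user.
Test-AppLockerPolicy -XmlPolicy $policyXml `
    -Path 'C:\Program Files\Internet Explorer\iexplore.exe' -User 'corp\jdoe'

# 4. Deploy to the GPO. Clients must run the Application Identity service.
Set-AppLockerPolicy -XmlPolicy $policyXml -Ldap $gpoDn

# 5. Review what would have been blocked (event 8003) before switching to Enabled.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message
```

Leave the policy in AuditOnly long enough to cover a full business cycle (month-end tools, quarterly reports); the 8003 events are the list of exceptions you will need before enforcement.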
Configure Audit Policy by Using Group Policy Objects
Security auditing has been improved in Windows Server 2008 R2 by giving administrators an increased
level of detail in the information contained in auditing logs and by simplifying the deployment of auditing
policies. The new features in security auditing policy are:
Advanced audit policy settings: There are 53 audit policy settings in 10 categories available under the
Advanced Audit Policy Configuration node of a GPO (see Figure 7). The original nine audit policy
settings found under Local Policies/Audit Policy should not be used if these settings are configured.
Details on all the settings under each category can be found at http://technet.microsoft.com/en-us/library/dd772712(WS.10).aspx.

Figure 7. Advanced Audit Policy Configuration node

Global Object Access Auditing: One of the 10 categories of advanced audit policies, Global Object
Access Auditing allows the creation of System Access Control Lists (SACLs) on files or registry keys
for an entire computer (or all computers in the scope of the GPO) rather than the administrator having
to set audit policies on individual files. Keep in mind that auditing of the file system or registry must
also be enabled for auditing events to be created. You do this by enabling the Object Access\Audit File
System or Object Access\Audit Registry policies. Figure 8 shows the relevant dialogs involved in
enabling Global Object Access Auditing.

Figure 8. Global Object Access Auditing

Reason-for-access reporting: When an audited object access is allowed or denied, the event
information now includes the relevant permissions that caused the object access audit event.
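The three auditing features above fit together on a single machine as follows. This is an added example, not code from this document: it enables the two subcategories that Global Object Access Auditing depends on, sets a computer-wide file SACL with auditpol.exe (the command-line equivalent of the Figure 8 dialogs), and then reads back the object-access events, including the 4656 events that carry the access reasons. The event property indexes follow the 4656/4663 event templates; the time window is a constructed value.

```powershell
# Added example: advanced audit subcategories, a global file SACL, and event retrieval.

# 1. Without these subcategories a global SACL produces no events at all.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Registry"    /success:enable /failure:enable

# 2. Global Object Access Auditing: audit write attempts by Everyone on every
#    file on this computer (FW is the generic write mask in auditpol's syntax;
#    see auditpol /resourceSACL /? for the full list).
auditpol.exe /resourceSACL /set /type:File /user:Everyone /success /failure /access:FW

# Confirm what is now configured.
auditpol.exe /resourceSACL /type:File /view
auditpol.exe /get /category:"Object Access"

# 3. Read the resulting events. 4663 = an attempt was made to access an object;
#    4656 = a handle was requested and includes the "Access Reasons" field.
function Get-RecentObjectAccessEvents {
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4656, 4663
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Subject'; e = { $_.Properties[1].Value } },   # SubjectUserName
        @{ n = 'Object';  e = { $_.Properties[6].Value } },   # ObjectName
        @{ n = 'Reason';  e = { if ($_.Id -eq 4656) { $_.Properties[10].Value } } }  # AccessReason
}

Get-RecentObjectAccessEvents -Hours 4 | Format-Table -AutoSize
```

A global write SACL on every file is noisy on a busy server; the usual approach is to start with failure-only auditing, or to scope the policy to a GPO that covers only the servers whose data you actually need to watch.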

Maintaining the Active Directory Environment


This section details changes in R2 that pertain to the Maintaining the Active Directory Environment exam
objective and its sub-objectives.
Configure Backup and Recovery
The addition of the new Active Directory Recycle Bin is perhaps the most heralded of enhancements in
Windows Server 2008 R2. The Active Directory Recycle Bin allows administrators to recover deleted
Active Directory and ADLDS objects without having to perform a DS restore operation or tombstone
reanimation procedure. In addition, no restart of Active Directory or reboot of domain controllers is
necessary to restore deleted objects.
When the Active Directory Recycle Bin is enabled, deleted Active Directory objects can be restored in
their entirety, including all attributes and linked values. For example, if a user account is restored, the
account's group memberships are also restored.
The Active Directory Recycle Bin is disabled by default and can only be enabled if the forest
functional level is Windows Server 2008 R2. Once enabled, the Recycle Bin cannot be disabled, and the
forest functional level cannot be rolled back. Active Directory Objects that are deleted undergo a series of
state changes over time. Initially, a deleted object enters the logically deleted state in which it is stored in
the Deleted Objects container and all attributes and linked values (such as group memberships) are
preserved. The length of time a logically deleted object remains in the Deleted Objects container is
determined by the deleted object lifetime, which is a value stored in the msDS-deletedObjectLifetime
attribute. It is only during this period that a deleted object can be restored using the Recycle Bin. The
default deleted object lifetime is 180 days. Once the deleted object lifetime expires, the object enters the
recycled object state. Most of the attributes and linked values of a recycled object are deleted. When a
recycled object's lifetime expires, the garbage collection process will completely remove the object from
the Active Directory database.
To enable the Active Directory Recycle Bin, the Active Directory schema must be changed. If the
forest was installed using Windows Server 2008 R2 domain controllers from scratch, there is no need to
manually change the schema, but if the forest was upgraded from earlier versions, you must run adprep
/forestprep on the schema operations master. Next, prepare the domain by running adprep /domainprep
/gpprep on the infrastructure operations master in each domain. On RODCs, you must also run adprep
/rodcprep. Additionally, the forest functional level must be set to Windows Server 2008 R2. To enable the
Active Directory Recycle Bin once the forest and domain have been prepared at the R2 functional level,
you start the Active Directory Module for Windows PowerShell and enter the following command:

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=top-level-domain' -Scope ForestOrConfigurationSet -Target fullyqualifieddomainname

In this command, the placeholder arguments domain, top-level-domain, and fullyqualifieddomainname are
replaced by the appropriate domain components. For example, if your domain name is
allaboutcomputernetworks.com, you replace domain with allaboutcomputernetworks, top-level-domain
with com, and fullyqualifieddomainname with allaboutcomputernetworks.com.
Note: You start the Active Directory Module for Windows PowerShell on a
Windows Server 2008 R2 domain controller by going to Start/Administrative
Tools, right-clicking Active Directory Module for Windows PowerShell, and
clicking Run as administrator. Also note that you must run all the commands
discussed in this section as a member of Enterprise Admins.

For more information on how the Active Directory Recycle Bin works and how to use it, see
http://technet.microsoft.com/en-us/library/dd392261(WS.10).aspx.
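An added example (not code from this document or from Microsoft) that walks the procedure above with its checks in place: confirm the forest functional level, enable the Recycle Bin only if it is not already on, read the deleted object lifetime that bounds the recovery window, and restore a deleted user with its group memberships. The user name is a constructed assumption; the DN of the Directory Service object is the one the text's command already uses.

```powershell
# Added example: Recycle Bin prerequisites, enablement, and a restore.
Import-Module ActiveDirectory

$forest = Get-ADForest
$fqdn   = $forest.RootDomain                          # e.g. allaboutcomputernetworks.com
$confNC = (Get-ADRootDSE).configurationNamingContext

# 1. The forest functional level must be Windows Server 2008 R2.
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    throw "Forest functional level is $($forest.ForestMode); raise it with Set-ADForestMode first."
}

# 2. Enable once. This is irreversible and blocks rolling the forest level back.
$feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
if ($feature.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $fqdn -Confirm:$false
}

# 3. The recovery window is the deleted object lifetime (180 days by default).
$dsCfg = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$confNC" `
    -Properties msDS-deletedObjectLifetime
"Deleted object lifetime: $($dsCfg.'msDS-deletedObjectLifetime') days (blank = 180-day default)"

# 4. Find the logically deleted object and restore it. Linked values such as
#    group membership return with it. If the parent OU was deleted too, restore
#    the OU first (lastKnownParent shows where the object lived).
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and Name -like 'jdoe*' } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
$deleted | Select-Object Name, lastKnownParent, whenChanged
$deleted | Restore-ADObject

# Check that memberships came back, which a tombstone reanimation would not give you.
Get-ADUser -Identity jdoe -Properties MemberOf | Select-Object -ExpandProperty MemberOf
```

Step 4's filter matches on the original name because a deleted object's Name attribute is rewritten to include a DEL: marker and GUID; matching with -like 'name*' is what finds it.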
Monitor Active Directory
The major change in an administrator's ability to monitor Active Directory comes with the new Active
Directory Best Practices Analyzer (BPA), discussed earlier, and the new cmdlets for the Active Directory
Module for Windows PowerShell. The BPA is available for Active Directory Domain Services (ADDS),
DNS Server, Remote Desktop Services, and Active Directory Certificate Services (ADCS). The BPA can
be run using Server Manager or PowerShell cmdlets.

The BPA works by comparing actual configuration information of installed services to a set of rules
that defines a best-practices configuration. A report is generated showing discrepancies between the actual
configuration and the best-practices configuration. The configuration settings verified include:
DNS configuration: Verifies that all required host (A or AAAA), global service (SRV), and alias
(CNAME) records exist and that the DNS server can be reached by the domain controller.
FSMOs: Verifies all operations masters are present and reachable.
Two DCs are present: Verifies that two domain controllers for the domain are present and reachable.
Required services: Verifies that all required services are present and running, including ADDS,
ADWS, and the Active Directory Module for PowerShell.
Backup: Verifies that critical partitions have been backed up and that OUs are protected from
deletion.
For more information on the Best Practices Analyzer, see http://technet.microsoft.com/en-us/library/dd759260.aspx.
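Running the BPA from PowerShell rather than Server Manager makes it easy to schedule and to keep evidence. The script below is an added example, not code from this document: it scans the ADDS model and reports only findings that are warnings or errors and have not been excluded by an administrator. The CSV path is a constructed assumption.

```powershell
# Added example: scripted Best Practices Analyzer run for the ADDS model.
Import-Module BestPractices

$modelId = 'Microsoft/Windows/DirectoryServices'   # ADDS model; Get-BpaModel lists the rest

function Get-BpaFindings {
    param([string]$ModelId)
    Invoke-BpaModel -ModelId $ModelId | Out-Null       # performs the scan
    Get-BpaResult -ModelId $ModelId |
        Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded } |
        Select-Object Severity, Category, Title, Problem, Resolution
}

$findings = Get-BpaFindings -ModelId $modelId
if ($findings) {
    $findings | Sort-Object Severity | Format-List
    # Keep a dated copy as evidence for change or audit review.
    $findings | Export-Csv -NoTypeInformation -Path "$env:TEMP\bpa-adds-$(Get-Date -Format yyyyMMdd).csv"
} else {
    "No warnings or errors from model $modelId."
}
```

Excluded findings are filtered out on purpose: an exclusion is an explicit risk acceptance, and the report should show what is still open, not what someone has already signed off.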

Configuring Active Directory Certificate Services


Most of the changes related to Active Directory Certificate Services (ADCS) are related to enrollment
management and authentication. In general, ADCS in Windows Server 2008 R2 makes your PKI
deployment more flexible and provides better Network Access Protection (NAP) support. The following
section discusses specific changes related to certificate enrollments and related authentication.
Manage Enrollments
New role services called Certificate Enrollment Web Service and Certificate Enrollment Policy Web
Service enable certificate enrollment over HTTP. Certificate enrollment can occur over the Internet and
across forests that have established a two-way trust because the Web services act as a proxy between the
certificate authority and the client. This allows administrators to consolidate their PKI infrastructure in a
multi-forest network.

In addition, organizations that use NAP with IPSec, which generally results in high-volume CAs with
large databases, can choose to bypass some of the standard CA database operations. The result is smaller
database sizes and higher performance certificate operations.
Authentication mechanism assurance is designed for domains that utilize federation services
(ADFS) or certificate-based authentication methods, such as smart card or token-based authentication. This
mechanism adds information to the user's Kerberos token about the type of authentication used. This allows
administrators to modify permissions based on how the user authenticates. For example, users can have
access to different resources if they log in with certificates versus when they log in with just their
usernames and passwords.
When authentication mechanism assurance is enabled and a user authenticates using a certificate, a
universal group membership is added to the user's Kerberos access token. This universal group can be used
to assign permissions and rights to users based on the fact that they authenticated via a certificate, a
membership they wouldn't have if they authenticated using some other method. To learn more about this feature, see
http://technet.microsoft.com/en-us/library/dd391847(WS.10).aspx.

70-642 Exam Objectives R2 Changes


We will now cover the most important changes in Windows Server 2008 R2 that pertain to the 70-642:
Windows Server 2008 Network Infrastructure, Configuring MCTS exam. The first section discusses general
changes that apply to configuring the network infrastructure but do not fit directly with an exam objective.
The subsequent sections are organized by the individual exam objectives. If no relevant changes apply to an
exam objective, the objective is omitted.

General Changes that Pertain to 70-642 Exam Content


The following subsections describe changes in Windows Server 2008 R2 that pertain to the 70-642 exam
but do not fit a specific exam objective; instead, they apply to network infrastructure configuration in
general:
- URL-based QoS: QoS has typically been based on IP addresses and port numbers contained in the
packet headers. URL-based QoS allows administrators to prioritize packets based on the source URL
so that important Web traffic is routed first and less-important or non-work-related Web traffic can be
assigned a lower priority.
- Multiple active firewall profiles: In Windows Server 2008 and Windows Vista, only a single firewall
profile can be active at a time. A system with multiple network adapters connected to two different
networks (e.g., one domain and one public) can only have one firewall profile active, the most
restrictive, which in this example would be the public profile. With this new feature in Windows
Server 2008 R2 (and Windows 7), traffic coming into the domain network is protected by the domain
profile and traffic coming into the public network is protected by the public profile.
- TCP chimney offload: This performance enhancement for Windows Server 2008 R2 and Windows 7
allows an administrator to configure some of the TCP processing to occur on a compliant network
interface rather than on the computer's CPU. The feature is enabled by default on 10 GB Ethernet
adapters. To enable it on capable 1 GB Ethernet adapters, the administrator must enter the following
command at an administrator command prompt: netsh int tcp set global chimney=enabled.

Configuring Name Resolution


Changes to name resolution are primarily related to DNS security, although one change is specific to the
way the DNS resolver handles DNS queries. These changes are detailed in the following two subsections.
Configure a Domain Name System (DNS) Server
At the DNS Server level, there are two security enhancements:
- DNS Cache Locking: A DNS server's cache is used to store recently resolved queries from recursive
lookups. The results of the recent queries are stored in cache so that subsequent identical queries can
be resolved immediately from the server's cache rather than after a time-consuming recursive lookup.
A cached entry remains in cache until the entry's TTL expires. However, a technique called DNS cache
poisoning can be employed by an attacker to change the cached information, thereby providing an
incorrect response to queries. The incorrect information can redirect network traffic to malicious sites.
DNS cache locking prevents the cached record from being overwritten until the TTL expires. Once the
TTL expires, the record is deleted and is only added back to the cache as a result of an authoritative
lookup. Cache locking can be configured as a percentage of the TTL. By default, the value is set to
100, which means cached entries cannot be overwritten for the entire TTL duration. A value of 50
would cause the cache to be locked until half the TTL time has elapsed. Configuration is done by changing
the value stored by the CacheLockingPercent registry key.
- DNS Socket Pool: The DNS socket pool causes the DNS server to choose a random source port from a
pool rather than use a predictable source port. A predictable source port makes the server susceptible to
DNS cache-poisoning attacks by allowing an attacker to send a spoofed response to a DNS server. This
feature is enabled by default on servers with security update MS08-037 installed. The dnscmd.exe
command-line program can be used to configure the size of the socket pool and excluded port ranges.
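To make the two server-level settings concrete, here is an added Python model of how a CacheLockingPercent value and a socket pool behave; it is an illustration written for this summary, not code from the document or from the Windows DNS Server. The TTLs, timestamps, pool size and excluded port range are constructed sample values, and the ephemeral port range used for the pool is an assumption.

```python
"""Model of DNS cache locking and the DNS socket pool (added example).

Simplified simulation for illustration; not the Windows DNS Server code.
TTLs, timestamps, pool size and the excluded range are constructed values.
"""
from __future__ import annotations

import random
from dataclasses import dataclass


@dataclass
class CacheEntry:
    rdata: str          # the cached answer, e.g. an A record's IPv4 address
    inserted_at: float  # seconds: when the recursive lookup stored the entry
    ttl: int            # seconds: TTL taken from the authoritative answer


class LockedCache:
    """Resolver cache that honors a CacheLockingPercent value (0..100)."""

    def __init__(self, locking_percent: int = 100) -> None:
        if not 0 <= locking_percent <= 100:
            raise ValueError("CacheLockingPercent must be between 0 and 100")
        self.locking_percent = locking_percent
        self._entries: dict[str, CacheEntry] = {}

    def _alive(self, key: str, now: float) -> CacheEntry | None:
        """Return the live entry for key, deleting it once its TTL has expired."""
        entry = self._entries.get(key)
        if entry is None:
            return None
        if now >= entry.inserted_at + entry.ttl:
            del self._entries[key]  # expired: only a fresh lookup can refill it
            return None
        return entry

    def is_locked(self, name: str, now: float) -> bool:
        """True while no response may overwrite the cached record."""
        entry = self._alive(name.lower(), now)
        if entry is None:
            return False
        lock_until = entry.inserted_at + entry.ttl * self.locking_percent / 100
        return now < lock_until

    def store(self, name: str, rdata: str, ttl: int, now: float) -> bool:
        """Try to cache a response; return False if cache locking rejected it."""
        if self.is_locked(name, now):
            return False
        self._entries[name.lower()] = CacheEntry(rdata, now, ttl)
        return True

    def lookup(self, name: str, now: float) -> str | None:
        entry = self._alive(name.lower(), now)
        return entry.rdata if entry else None


def build_socket_pool(size: int, excluded_ranges: list[tuple[int, int]],
                      low: int = 49152, high: int = 65535,
                      rng: random.Random | None = None) -> list[int]:
    """Reserve `size` distinct random UDP source ports, skipping excluded ranges.

    The pool is chosen once, at startup; each outgoing query then draws its
    source port from it, so the port cannot be predicted from the previous one.
    The 49152-65535 ephemeral range is an assumption of this model.
    """
    excluded: set[int] = set()
    for lo, hi in excluded_ranges:
        excluded.update(range(lo, hi + 1))
    candidates = [p for p in range(low, high + 1) if p not in excluded]
    if size > len(candidates):
        raise ValueError("socket pool larger than the available port range")
    rng = rng or random.SystemRandom()
    return rng.sample(candidates, size)


def pick_source_port(pool: list[int], rng: random.Random | None = None) -> int:
    """Choose the source port for one outgoing query at random from the pool."""
    rng = rng or random.SystemRandom()
    return rng.choice(pool)


if __name__ == "__main__":
    cache = LockedCache(locking_percent=100)  # the default setting
    cache.store("www.example.com", "192.0.2.10", ttl=3600, now=0)
    # An unsolicited response arriving mid-TTL is rejected while the lock holds.
    print(cache.store("www.example.com", "203.0.113.5", ttl=3600, now=1800))
    pool = build_socket_pool(2500, excluded_ranges=[(50000, 50999)])
    print(len(pool), pick_source_port(pool))
```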

Configure DNS Zones


DNS zone security is enhanced by the DNS security extensions (DNSSEC). DNSSEC is an Internet
standard set of DNS security enhancements defined by RFCs 4033-4035. In a nutshell, DNSSEC uses
public key cryptography and digital signatures to validate the identity of a server providing a DNS
response. DNSSEC requires four new record types to facilitate public key cryptography. A DNS Public
Key (DNSKEY) record holds the zone's public key. The RRSIG record holds the digital signature of the
DNS response. Delegation Signer (DS) records are used between parent and child zones that are DNSSEC
enabled. And the NSEC, or Next Secure, record allows zones to authenticate denial-of-existence responses.
A denial-of-existence response is a signed response returned when a queried record does not exist.
DNSSEC can be used in both standard and Active Directory-integrated zones and is effective in preventing
man-in-the-middle, spoofing, and cache-poisoning attacks that non-DNSSEC-enabled DNS zones are
vulnerable to. For details on deploying DNSSEC, see
http://technet.microsoft.com/en-us/library/ee649268(WS.10).aspx.
Configure Name Resolution for Client Computers
DNS devolution is a new feature on Windows Server 2008 R2 and Windows 7 DNS resolvers that allows
administrators to configure how the DNS resolver devolves DNS queries. DNS devolution is the process of
a DNS resolver climbing up the DNS namespace until a match is found or the maximum number of
devolutions is reached. For example, suppose a host named ServerA is a resource in the
SUVS.NA.Honda.com namespace. My computer is a member of the CRV.SUVS.NA.Honda.com domain.
My domain suffix is set to CRV.SUVS.NA.Honda.com, so when my computer generates a DNS query for
ServerA, by default the query generated will be ServerA.CRV.SUVS.NA.Honda.com. When that query
produces a negative result, the resolver devolves the query by using the next part of the DNS namespace,
namely, SUVS.NA.Honda.com. The number of domain components (not including the host name) present
in the query is called the devolution level. So a query of ServerA.NA.Honda.com represents a devolution
level of 3, and a query of ServerA.Honda.com is devolution level 2. What's new is that administrators can
set the devolution level on DNS clients using Group Policy, thereby controlling to which level the DNS
resolver will attempt a query before giving up.
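The devolution walk described above, as an added Python model (not code from the document or from the Windows resolver): it generates the query sequence for a single-label name, computes the devolution level of a query, and walks the sequence against a constructed name table standing in for the Honda.com namespace. The devolution-level cutoff is modeled as a minimum number of domain components; the real resolver's policy details may differ.

```python
"""Model of DNS devolution on a Windows 7 / Windows Server 2008 R2 resolver.

Added example, not code from the document or from Windows. SAMPLE_NAMES is a
constructed stand-in for the DNS namespace used in the document's example.
"""
from __future__ import annotations


def devolution_level(fqdn: str) -> int:
    """Number of domain components in a query name, not counting the host label.

    ServerA.NA.Honda.com -> 3 and ServerA.Honda.com -> 2, as in the text.
    """
    labels = [part for part in fqdn.strip(".").split(".") if part]
    return max(len(labels) - 1, 0)


def devolved_queries(host: str, primary_suffix: str, min_level: int) -> list[str]:
    """Return the FQDNs the resolver would try, in order, for a single-label host.

    The first query appends the full primary DNS suffix; each later query drops
    the leftmost label. Devolution stops once the next candidate would carry
    fewer than `min_level` domain components (the Group Policy devolution level).
    """
    if "." in host:
        raise ValueError("devolution applies to single-label names only")
    if min_level < 1:
        raise ValueError("devolution level must be at least 1")
    labels = [part for part in primary_suffix.strip(".").split(".") if part]
    queries: list[str] = []
    while len(labels) >= min_level:
        queries.append(".".join([host, *labels]))
        labels = labels[1:]  # climb one level up the namespace
    return queries


def resolve_with_devolution(host: str, primary_suffix: str, min_level: int,
                            name_table: dict[str, str]) -> tuple[str | None, str | None, int]:
    """Walk the devolved queries against name_table (case-insensitive names).

    Returns (matching_fqdn, address, queries_sent); the first two are None when
    every devolution level was tried without a match.
    """
    table = {name.lower(): addr for name, addr in name_table.items()}
    sent = 0
    for fqdn in devolved_queries(host, primary_suffix, min_level):
        sent += 1
        addr = table.get(fqdn.lower())
        if addr is not None:
            return fqdn, addr, sent
    return None, None, sent


# Constructed sample namespace: ServerA lives one level above the client's domain.
SAMPLE_NAMES = {
    "ServerA.SUVS.NA.Honda.com": "10.1.2.3",
    "Mail.Honda.com": "10.0.0.25",
}

if __name__ == "__main__":
    print(devolved_queries("ServerA", "CRV.SUVS.NA.Honda.com", 2))
    print(resolve_with_devolution("ServerA", "CRV.SUVS.NA.Honda.com", 2, SAMPLE_NAMES))
    # Raising the level to 3 stops the walk before Honda.com, so Mail is not found.
    print(resolve_with_devolution("Mail", "CRV.SUVS.NA.Honda.com", 3, SAMPLE_NAMES))
```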

Configuring Network Access


Changes to remote access configuration involve all the following sub-objectives under this 70-642
objective, including an entirely new objective: Configure Direct Access.
Configure Remote Access
A helpful new feature for road warriors in Routing and Remote Access Services (RRAS) is called VPN
Reconnect. After an Internet connection disruption, VPN Reconnect automatically reestablishes a VPN
connection without requiring the user to reenter credentials. The user must be running Windows 7 and must
be connected to a Windows Server 2008 R2 RRAS VPN server.
Configure Network Access Protection
A new feature for Network Access Protection (NAP) in Windows Server 2008 R2 is the Multi-configuration System Health Validator (SHV). Administrators can specify multiple SHV configurations
that can be selected when a health policy is configured. By allowing multiple SHVs, different types of
network clients can be assigned different policies. For example, a locally connected client can be subject to
a different set of policies than a VPN-connected client. For more about configuring SHVs, see
http://technet.microsoft.com/en-us/library/dd314150(WS.10).aspx.
Configure DirectAccess
DirectAccess is a new feature in Windows Server 2008 R2 that allows seamless, secure, and flexible client
connections from a Windows 7 Enterprise or Ultimate client to a Windows Server 2008 R2 DirectAccess
server.


Note: You can also connect to DirectAccess from Windows Server 2008 R2.

DirectAccess-enabled Internet-connected client computers are constantly connected to the private network;
there is no need for manual connections. In addition, administrators can manage the remote computers as
long as they are connected to the Internet; there is no need for clients to have an active VPN connection as
is the case with traditional VPN remote access. This allows mobile computers to stay updated with current
policies and software updates transparently; users do not even have to be logged on for the computer to be
managed.
DirectAccess is built upon existing technologies, primarily IPSec and IPv6. IPSec is used to
authenticate the computer and the user so the computer is available to be managed before the user even logs
on. IPv6 is used for communication between the client computer and DirectAccess server through an IPSec
tunnel. Unlike with traditional VPNs, this process works even when the client computer is behind a
firewall. There are a number of configuration details involved in setting up a DirectAccess infrastructure
that are beyond the scope of this document. For a technical description of DirectAccess and setup details,
see http://technet.microsoft.com/en-us/library/dd637827(WS.10).aspx.
Configure Network Policy Server
Network Policy Server (NPS) improvements in Windows Server 2008 R2 are fairly minor, but heavy users
of NPS for centralizing the management of network access will benefit from these changes. NPS templates
can be used to configure elements of NPS, such as RADIUS. The templates can be used on NPS servers
and exported for use on other NPS servers, thus providing a more manageable and consistent NPS
environment. Improvements in RADIUS accounting allow easy configuration of either text file or
Microsoft SQL Server logging.

Configuring File and Print Services


A number of changes and enhancements to the file and print services role and related role services make
managing shared files and folders an easier task in Windows Server 2008 R2. The following subsections
discuss the major changes under each sub-objective.
Configure a File Server
Perhaps the biggest enhancement to the file server function of Windows Server 2008 R2 is the introduction
of a feature called BranchCache, which is available to Windows 7 client computers accessing Windows
Server 2008 R2 servers. BranchCache uses the Background Intelligent Transfer Service (BITS) in a
domain-based environment. BranchCache allows clients located in branch offices to access copies of
shared files located in the cache of a local server rather than having to access remote servers across a
WAN. The first time a client accesses a file, the file is retrieved from the remote server hosting the file.
From that point on, subsequent requests for the file are served from the local BranchCache server until the
file changes. BranchCache works with both the HTTP and SMB protocols, so files from both Web and file
servers can be cached.
BranchCache has two operational modes:
- Hosted cache mode: Cached files are stored on a local Windows Server 2008 R2 server and clients
access the files using a typical client/server model.
- Distributed cache mode: Each Windows 7 client computer hosts its own cache, and the Windows 7
clients operate in a peer-to-peer network model. When a Windows 7 client computer accesses a file for
the first time, the file is retrieved from the remote server and cached locally. The Windows 7 client
computer then makes the file available to other Windows 7 computers that request it.
Another file server enhancement will be useful for administrators using a combination of Windows,
Linux, Unix, and/or Mac OS in their networks, namely, Services for NFS, which adds several features to
enhance manageability and security. A feature called Netgroup allows administrators of the Service for
NFS on Windows Server 2008 R2 servers to create named groups of hosts that will simplify NFS login and
NFS access control lists. A remote procedure call (RPC) security feature called RPCSEC_GSS enables the
Service for NFS feature to use Kerberos authentication, thereby simplifying and improving security.
Administrators who like to take advantage of the scripting capabilities of Windows Management
Instrumentation (WMI) will be happy to know that Service for NFS can be managed using Web-Based
Enterprise Management (WBEM) through WMI.
Configure Distributed File System
A number of changes to Distributed File System (DFS) have found their way into Windows Server 2008
R2. Most of them focus on performance management and improved replication features. Here are short
descriptions of them:
- Support for access-based enumeration: Access-based enumeration (ABE) is not new, but it is for
DFS. With ABE enabled on a DFS namespace, users can only see the folders in the namespace for
which they have at least Read permission. In the past, if a user had access to the namespace root, they
could see all the folders underneath the root whether they had permission or not.
- Large namespace performance gains: Networks with more than 5000 domain-based DFS folders will
see an improvement in the time it takes for the DFS Namespace service to start. Overall domain-based
DFS performance is improved when the number of DFS folders exceeds 50,000.
- DFS replication on failover clusters: Failover clusters can be added as members of a DFS replication
group, allowing DFS replication to fail over to another server when the primary server fails.
- Read-only replicated folders: The ability to use DFS Management to mark a folder read-only, thereby
disallowing user changes to the files in that folder, has been added to DFS. Marking a replicated folder
as read-only can also be done using the command-line program Dfsradmin.
- New performance counters: You can monitor DFS performance more closely using three new DFS
Namespace counters in Performance Monitor: DFS Namespace Service API Queue, DFS Namespace
Service API Requests, and DFS Namespace Service Referrals. For explanations about these counters,
open Performance Monitor, select the counter, and click Show description.

Configure Backup and Restore


Windows Server Backup in Windows Server 2008 R2 has some sorely needed enhancements to the backup
tool provided in Windows Server 2008. The changes make backing up your servers faster and considerably
more flexible. These changes include:
- Incremental backups: All backups are incremental except the initial backup, but each backup
functions like a full backup, allowing you to recover any file from a single backup. Windows Server
Backup also automatically manages disk space by deleting older backups as necessary to make room
for new backups.
- No need for dedicated disks: Scheduled backups can be stored on a network share or local volume
that contains other data, avoiding the need to dedicate an entire disk for backups.
- Selected folders and files: Individual files and folders can be backed up rather than requiring
full-volume backups, and files or folders can be excluded from a backup.
- System state backups: System state backups can be included with data backups and can be scheduled
from the Windows Server Backup program rather than requiring the command-line wbadmin program.

Configure and Monitor Print Services


The biggest change here is that the Print Services role in Windows Server 2008 has been changed and
expanded to the Print and Document Services role in Windows Server 2008 R2. Printer migration is made
easier and more flexible with the Printer Migration Wizard, which replaces the Printmig utility.
Printer administration can be delegated so that non-administrators can now be allowed to perform
specific printer tasks without wider permissions. Another new feature of interest to administrators with a
mobile workforce is location-aware printing. This feature allows mobile users to set different default
printers for the different networks they connect to.
Printer driver isolation allows printer drivers to run in a process isolated from the print spooler. The
isolation prevents misbehaving print drivers from bringing down the entire print spooler process. Printer
driver isolation is enabled by default and can be disabled through Group Policy.

Monitoring and Managing a Network Infrastructure


Three new network monitoring and diagnostic tools are available to help you troubleshoot and monitor
your Windows 7 network. Even though these changes are related to Windows 7, it is important for a
Windows Server 2008 R2 administrator to be able to use them:
- Network Diagnostic Framework (NDF): NDF simplifies network troubleshooting by automating steps
in the troubleshooting process. Network events and packets can be logged in a single file, providing a
single location to analyze collected data. When a user runs a Windows Network Diagnostics session,
results are logged in Action Center/Troubleshooting/View History automatically.
- Network Tracing: Network tracing, along with NDF, provides a more convenient method for
grouping network-related events. Grouped events are placed in an Event Trace Log (ETL), which can
then be analyzed using Network Monitor or Event Viewer.
- Netsh Trace: The familiar Netsh command includes a trace context that integrates with NDF and
network tracing and allows network packet capture and filtering. Using Netsh trace, particular network
components can be selected, such as TCP/IP or Wireless LAN Services, to troubleshoot specific issues
related to those components.

70-643 Exam Objectives R2 Changes


We will now cover the most important changes in Windows Server 2008 R2 that pertain to the 70-643:
Windows Server 2008 Applications Infrastructure, Configuring MCTS exam. The sections are organized
by the individual exam objectives. If no relevant changes apply to an exam objective, the objective is
omitted.

Deploying Servers
The deployment of servers is a topic that covers quite a bit of ground. The most relevant changes made in
Windows Server 2008 R2 pertain to Windows Deployment Services, Hyper-V, high availability
configuration, and storage configuration, as detailed in the following sections.
Deploying Images by Using Windows Deployment Services
The process of deploying Windows Server 2008 R2 and Windows 7 images has been improved by several
new tools, including the following:
- Windows Automated Installation Kit (WAIK): The WAIK has been improved with tools such as the
Deployment Image Servicing and Management command-line program that is used to add and remove
device drivers, enable/disable Windows features, configure updates, and add or remove language
packs. The User State Migration Tool (USMT) has been upgraded to version 4.0 and is now part of the
WAIK. USMT 4.0 makes migration of user accounts and their profiles to new Windows systems more
streamlined; and hard-link migration, a new feature in USMT, allows in-place migrations where the
old OS is removed and the new one installed on the same system. Finally, virtual hard disks (VHDs)
can be used to boot a system, obviating the need to image physical disks. Since a VHD is nothing more
than a large file, it can be deployed to compatible systems by simple file copies rather than the more
complex disk imaging process.
- Microsoft Deployment Toolkit: This collection of tools automates Windows installations using Zero
Touch Installation (ZTI), requiring no user interaction, or Lite Touch Installation (LTI), using
minimal user interaction. ZTI requires the Microsoft System Center Configuration Manager 2007.
- Windows Deployment Services: Windows Deployment Services (WDS) is a familiar server role
available in Windows Server 2008. However, the new version in Windows Server 2008 R2 includes
enhanced multicast support and driver provisioning. Multicast allows you to deploy images to multiple
systems by sending the image only once across the network. Driver provisioning allows you to deploy
boot images along with driver packages specific to the system hardware. Another improvement to
WDS includes support for VHDs in unattended installations.

Configure Windows Server Hyper-V and Virtual Machines


Some of the most anticipated changes in Windows Server 2008 R2 are related to the Hyper-V 2.0 server
role. With virtualization now a standard part of the IT datacenter, improvements to Hyper-V are much
welcomed by server managers. The highlights of these changes include:
- Live migration: Live migration adds to the already considerable flexibility afforded by virtualization
technologies. With live migration, a running virtual machine (VM) can be moved between Hyper-V
servers without disconnecting client computers that are using the VM. This feature brings IT managers
closer to the goal of zero downtime. All Hyper-V servers involved in live migration must have the
Failover Clustering feature installed, and to get the best results from live migration, you should be
using Cluster Shared Volumes (CSVs) between the Hyper-V servers. There are some limitations of
live migration. It is not triggered automatically by a server failover; it must be initiated manually.
Only one live migration at a time can be in progress on a given source or destination server.
Live migration requires that the virtual disk be located in shared storage, accessible to both
the source and destination Hyper-V host. Live migration copies the memory being used by the VM to the
destination Hyper-V host's memory. Once the memory is copied, the VM on the source server is
paused and the VM on the destination server is started. This process results in essentially no downtime.
Another migration option, quick migration, copies the VM memory to disk storage, and when the new
server takes over the VM, the memory is read from disk storage. This scenario involves some VM
downtime as the memory exchange does not occur in real time. However, as part of a planned Hyper-V
host migration, quick migration can be used to migrate several VMs to a new host at the same time.
- Dynamic VM storage: Hyper-V 2.0 supports hot-add/hot-remove storage. Both virtual and physical
disks can be added to or removed from a running VM as long as Hyper-V integration services are
installed on the VM.
- Improved scalability: Hyper-V 2.0 supports up to 8 (or 64 in the Datacenter edition) physical
processors, up to 64 CPU cores, and up to a terabyte of RAM. As many as 384 guests can be running at
a time on a Hyper-V server, and 16 nodes per cluster are supported. Network enhancements include
VM chimney, which provides the aforementioned TCP offload feature by mapping virtual networks to
specific virtual network interfaces on the host machine. Jumbo frames (frames from 1518 bytes to over
9000 bytes) are also supported.
Configure High Availability
Changes to the configuration of Windows Server 2008 R2 high availability technologies primarily involve
failover clusters. Failover cluster management has been improved with a Windows PowerShell interface
and new PowerShell cmdlets. The new cmdlets allow common management and configuration tasks to be
scripted. Enhancements in cluster shared volumes make clustered VM configuration easier and make the
use of shared volumes more flexible; for example, VHDs no longer must be stored on a separate physical
disk and can instead be shared by other VHDs using the same LUN.
The Cluster Validation Wizard has been improved with additional validation tests that allow
administrators to fine-tune their cluster configuration before deploying it. DFS and Remote Desktop
Connection Broker can now be configured as clustered services, bringing additional aspects of your
applications infrastructure into the high availability realm. In addition, the Migration Wizard allows cluster
settings for additional services to be migrated from clusters running on Windows Server 2003, Windows
Server 2008, and Windows Server 2008 R2 servers. For more information on specific migration paths, see
http://technet.microsoft.com/en-us/library/ee791924(WS.10).aspx.
Configure Storage
Storage configuration has been enhanced in Windows Server 2008 R2 in the following areas:
- iSCSI initiator: The UI has been redesigned and can now be run on Server Core installations. A new
feature called Quick Connect, shown in Figure 9, allows fast, single-click connections to storage
devices. In addition, servers booting from external iSCSI devices have the option of up to 32 boot
paths.
- MPIO improvements: Because MPIO supports multiple paths, it was sometimes difficult for
administrators to diagnose path health. New health and configuration reporting improves on MPIO
device management and troubleshooting. In addition, load balancing policies can be displayed and
configured using the new MPClaim command-line utility.

Figure 9. iSCSI initiator properties with Quick Connect

Configuring Remote Desktop Services


Perhaps the most obvious change to this objective is the name, which was formerly Configure Terminal
Services. All the Terminal Services-related role services now use the term Remote Desktop instead of
Terminal Services (see Figure 10). In most cases, the term "Terminal Services" is simply replaced by
"Remote Desktop,"; for example, the role service Terminal Services Gateway is now Remote Desktop
Gateway. However, there are a few changes in role service and management tool names that go beyond
that, as shown in Table 1.

Figure 10. Remote Desktop role services

Table 1. Role service and management tool name changes from Terminal Services to Remote Desktop Services

Old name                               New name
Terminal Server                        Remote Desktop Session Host
Terminal Services Session Broker       Remote Desktop Connection Broker
Terminal Services Configuration        Remote Desktop Session Host Configuration
Terminal Services RemoteApp Manager    RemoteApp Manager

Configure RemoteApp and Remote Desktop Web Access


The RemoteApp feature available in Windows Server 2008 has been extended in Windows Server 2008
R2 with a feature called RemoteApp and Desktop Connection. This new feature places shortcuts to
RemoteApp programs and virtual desktops on the user's Windows 7 Start menu. You configure the client
side of this feature using a new Control Panel applet named RemoteApp and Desktop Connections.
RemoteApp and Desktop Connections can also be automatically configured by users with an
administrator-distributed client configuration file or silently with a logon script.
Remote Desktop Web Access allows RemoteApp and Desktop Connections to be accessed using a
Web browser. Enhancements to this role service include:
- Public and private modes: When choosing public mode, your Remote Desktop Web Access user
name is not remembered by the Web browser, whereas private mode makes your user name available
for four hours.
- Per-user application filtering: Administrators can configure Remote Desktop Web Access on a
per-user basis so that users logging on only see RemoteApp programs intended for them to see.
- Single sign-on: Single sign-on between Remote Desktop Session Host and Remote Desktop Web
Access simplifies the logon experience for users who previously had to enter credentials for both the
Remote Desktop Web Access server and the Session Host server that hosted the RemoteApp.
Remote Desktop Virtualization Host is a new role service in Windows Server 2008 R2. Using
Remote Desktop Virtualization Host along with RemoteApp and Desktop Connection, administrators can
create virtual desktops for use as personal desktops or for use in desktop pools. The virtual desktops are
VMs running on a Hyper-V host and are available through the Desktop Connection or Remote Desktop
Web Access interface. Virtual desktops allow users to access their own personal desktop on Hyper-V
servers, making backup and maintenance more manageable than with physical desktop computers. Virtual
desktop pools allow users to check out a desktop, perhaps with a specific application or OS installed, and
then return the desktop to the pool when they are finished. Desktop pools have applications for training and
testing or for running enterprise applications without having to maintain the applications on individual
user's desktops.
Configure Remote Desktop Gateway
Remote Desktop Gateway brings with it a number of enhancements for Windows Server 2008 R2,
primarily as they relate to session control and authentication. Administrators can configure timeouts for idle
sessions, thereby disconnecting users who are not actively using the session and freeing up gateway server
resources. When users become active again, their former session states are reestablished. Session timeouts
allow administrators to enforce new policies on currently active sessions so that changes in accounts or
security policies can take effect almost immediately without administrators having to wait for a user to
terminate an active session.
Another improvement in Remote Desktop Gateway is integration with Network Access Protection
(NAP), allowing Remote Desktop Gateway servers to bring client computers to compliance with health
policies. Furthermore, system and logon messages can be displayed on remote desktops, just as they are on
local desktops, giving administrators a way to inform users of system events like downtime and system
updates as well as logon messages that are displayed before users access remote resources.
Configure Remote Desktop Connection Broker
Remote Desktop Connection Broker can be configured for session load-balancing in a remote desktop
server farm as well as automatic session reconnection. The new session reconnection feature will reconnect
disconnected remote desktop sessions with the same server in a load-balanced server farm. In previous
versions, a disconnected session would, upon reconnection, be connected to the first available server in the
farm, causing the user's previous state to be lost.
Configure Remote Desktop Licensing
A few minor changes have occurred in the Remote Desktop Licensing role service. In earlier versions of
Terminal Services Licensing, discovery scopes were configured, which allowed terminal servers to
automatically discover license servers. In Windows Server 2008 R2, the name of the license server must be
specified to the Remote Desktop Session Host. Client Access License (CAL) management is improved with
a new Remote Desktop Licensing Manager wizard that allows migration of Remote Desktop CALs and
easier rebuilds of the licensing database. To migrate licenses from one License Server to another, both
servers must be running Windows Server 2008 R2.
Configure Remote Desktop Session Host
The most important change to configuring Remote Desktop Session Host involves IP address virtualization
for remote desktop connections. This feature resolves issues in which each instance of an application
running on a Remote Desktop Session Host server requires a unique IP address. In earlier versions, all
sessions shared the IP address assigned to the server. With IP virtualization, an administrator assigns a
network ID, and IP addresses are assigned for each session or application as necessary.

Configuring a Web Services Infrastructure


Rather than discuss changes made under each sub-objective, this section covers the most pertinent changes
in IIS 7.5, which ships with Windows Server 2008 R2. Although trying to cover all the changes between
IIS 7 and IIS 7.5 is beyond the scope of this document, the highlights as they pertain to the 70-643 exam
are covered here:
Best Practices Analyzer: The BPA was discussed earlier in this document and is accessed through
Server Manager or PowerShell cmdlets. IIS 7.5 best practices can be followed by using BPA to scan an
IIS 7.5 Web server and report configuration issues.
Request Filtering: Specific HTTP requests that may be harmful to the Web server can be blocked
before reaching the server. This feature was previously only available on IIS 7 as an extension and is
now an integral module in IIS 7.5.
WebDAV and FTP: These two functions have been upgraded to be more secure and reliable, allowing
Web authors to publish content more confidently than before.
Web applications improvements: ASP.NET and PHP applications have improved security and
diagnostics. Processes in application pools have unique identities with fewer privileges, and services
that once used standard service accounts can now use managed service accounts to further increase
security.
Server Core gets .NET: The Server Core installation option in Windows Server 2008 did not include
the .NET Framework, limiting the types of applications you could run on the IIS server role on Server
Core. With Windows Server 2008 R2, .NET Framework versions 2.0, 3.0, 3.51, and 4.0 are supported,
allowing both ASP.NET applications and PowerShell cmdlets to run on Server Core.
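Two of the items above, request filtering and low-privilege application pool identities, can be applied with the WebAdministration module that ships with IIS 7.5 on Windows Server 2008 R2. The script below is an added example, not code from the original document or from Microsoft; the site name (Default Web Site), pool name (SecureAppPool), size limits and the denied extension list are assumed values to adapt, and the denied extensions are chosen to avoid those IIS already blocks at the server level (adding a duplicate entry at site level fails).

```powershell
# Added example, not from the original document: IIS 7.5 request filtering and
# application pool identity via the WebAdministration module. Run elevated on
# the IIS server. Site/pool names and limits are assumptions.
Import-Module WebAdministration

$site = 'IIS:\Sites\Default Web Site'                  # assumed site
$rf   = 'system.webServer/security/requestFiltering'   # request filtering section

# 1. Request limits: reject oversized bodies, URLs and query strings before
#    they reach the application (the "harmful requests" the text refers to).
Set-WebConfigurationProperty -PSPath $site -Filter "$rf/requestLimits" `
    -Name maxAllowedContentLength -Value 10485760      # 10 MB, assumed
Set-WebConfigurationProperty -PSPath $site -Filter "$rf/requestLimits" `
    -Name maxUrl -Value 2048
Set-WebConfigurationProperty -PSPath $site -Filter "$rf/requestLimits" `
    -Name maxQueryString -Value 1024

# 2. Verb allow-list: allowUnlisted=false turns the <verbs> collection into an
#    allow-list, so anything other than GET/HEAD/POST gets HTTP 404.7.
Set-WebConfigurationProperty -PSPath $site -Filter "$rf/verbs" `
    -Name allowUnlisted -Value $false
foreach ($verb in 'GET', 'HEAD', 'POST') {
    Add-WebConfigurationProperty -PSPath $site -Filter "$rf/verbs" -Name '.' `
        -Value @{ verb = $verb; allowed = $true }
}

# 3. Deny file extensions that should never be served (backups, SQL scripts).
#    .config, .cs, .vb etc. are already denied in applicationHost.config.
foreach ($ext in '.bak', '.old', '.sql') {
    Add-WebConfigurationProperty -PSPath $site -Filter "$rf/fileExtensions" -Name '.' `
        -Value @{ fileExtension = $ext; allowed = $false }
}

# 4. Dedicated application pool running as ApplicationPoolIdentity (the IIS 7.5
#    default), a per-pool virtual identity instead of the shared Network Service.
$poolName = 'SecureAppPool'                            # assumed
if (-not (Test-Path "IIS:\AppPools\$poolName")) {
    New-WebAppPool -Name $poolName | Out-Null
}
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel.identityType -Value ApplicationPoolIdentity
Set-ItemProperty "IIS:\AppPools\$poolName" -Name managedRuntimeVersion -Value 'v4.0'
Set-ItemProperty $site -Name applicationPool -Value $poolName

# Show the effective limits so the change can be confirmed
Get-WebConfiguration -PSPath $site -Filter "$rf/requestLimits" |
    Select-Object maxAllowedContentLength, maxUrl, maxQueryString
```

The same settings land in the site's web.config under `<system.webServer><security><requestFiltering>`, so they can also be reviewed or version-controlled there; the `404.x` substatus codes that request filtering returns are what to look for in the IIS logs when verifying that blocked requests are actually being rejected.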

Configuring Network Application Services


The biggest change in Network Application Services is the upgrade to Windows SharePoint Foundation
2010. Windows SharePoint Foundation 2010, formerly Windows SharePoint Services, is supported in
Windows Server 2008 64-bit with at least Service Pack 2 as well as in Windows Server 2008 R2.
Additional requirements include Microsoft SQL Server 2005 64-bit with SP2, SQL Server 2005 Express
64-bit, SQL Server 2008 64-bit or SQL Server 2008 Express 64-bit. Microsoft .NET Framework 3.5 SP1
must be installed. SharePoint Foundation 2010 only supports IE 7 and above, Firefox 3.x and above, and
Safari 3.x and above. Covering all the features in SharePoint Foundation is beyond the scope of this
document. For a full discussion on this new product, see http://sharepoint.microsoft.com/enus/product/Related-Technologies/Pages/SharePoint-Foundation.aspx.

Document Summary

General changes from Windows Server 2008 to Windows Server 2008 R2 include a new Windows Server 2008 R2
Foundation edition as well as the move to 64-bit-only versions of the server OS and support for up to 256 CPU
cores, up from 64. Server Manager can now be used to manage remote servers and create custom MMCs to manage
multiple servers with one console.

The new Best Practices Analyzer provides best practice reports for a number of installed server roles, and
PowerShell 2.0 provides dozens of new cmdlets for managing server roles and features. User Account Control
changes make performing common tasks simpler while maintaining security.
General changes in Windows Server 2008 R2 that relate to the 70-640 exam objectives include Active Directory
Administrative Center, Active Directory Web Service, and many new PowerShell 2.0 cmdlets for managing all
aspects of Active Directory environments.

Other 70-640-related changes include a new domain and forest functional level, a new feature called offline domain
join, and managed service accounts and virtual accounts for increasing security on services that require system or
network logon. Group Policy changes include new Group Policy Preferences, new Starter GPO templates, and an
improved user interface for working with Administrative Templates. Rounding out the major changes in Active
Directory configuration are the new AppLocker feature for managing user application access and the Active
Directory Recycle Bin. Active Directory Certificate Services changes include the Certificate Enrollment Web Service
and authentication mechanism assurance.

General changes in Windows Server 2008 R2 that relate to the 70-642 exam objectives include URL-based QoS,
multiple active firewall profiles, and TCP chimney offload.

Name resolution is made more secure by DNS cache locking, DNS socket pool, and DNSSEC. DNS devolution
changes enhance DNS resolver management. VPN Reconnect and DirectAccess are two new features that make
remote access to the corporate network more secure and convenient for users and administrators. BranchCache is the
most significant change in configuring a file server; and for Unix/Linux users, Netgroup makes using NFS in a
Windows environment simpler and more secure.

DFS improvements include support for ABE and better performance. Windows Server Backup has been revamped
to be faster and more flexible, while print services has added location-aware printing and printer driver isolation.
Network monitoring is enhanced with Network Diagnostic Framework, Network Tracing, and the Netsh Trace
command.

Changes in Windows Server 2008 R2 that relate to the 70-643 exam objectives include improvements to Windows
Automated Installation Kit, User State Migration Tool 4.0, and Zero Touch Installation and Lite Touch Installation,
which are new features in the Microsoft Deployment Toolkit. WDS adds better multicast support and driver
provisioning.

Hyper-V has seen several improvements, including live migration, dynamic VM storage, and scalability
enhancements, with support for up to 64 CPU cores and a terabyte of RAM. High availability upgrades include the
Cluster Validation Wizard and the addition of several services that can be clustered, including DFS and Remote
Desktop Connection Broker. In addition, improvements were made to the iSCSI initiator and MPIO to enhance
storage configuration options.

The Terminal Services role and related role services have been renamed Remote Desktop Services. RemoteApp and
Remote Desktop Web Access have seen enhancements for client connections to remote desktop hosted applications,
including public and private modes, per-user application filtering, and single sign-on. Remote Desktop
Virtualization Host is a new role service that allows provisioning of personal virtual desktops or a desktop from a
virtualization pool.

Web Services Infrastructure configuration is impacted by the upgrade to IIS 7.5, which includes the Best Practices
Analyzer, request filtering, WebDAV and FTP upgrades, and .NET Framework availability on Server Core. Network
Application Services configuration is primarily impacted by the change from Windows SharePoint Services to
Windows SharePoint Foundation 2010.

Key Terms
Active Directory Recycle Bin Allows administrators to recover deleted Active Directory and AD LDS
objects without having to perform a DS restore operation or tombstone reanimation procedure.
AppLocker A new section of a GPO that replaces Software Restriction Policies and reduces overhead for
administrators by allowing them to define application rules based on an application's digital signature,
publisher, name, file name, and version.
authentication mechanism assurance Adds information to the user's Kerberos token about the type of
authentication used, which allows administrators to modify permissions based on how the user
authenticates, such as by certificate or smart card.
automated password regeneration Passwords used by MSAs that are changed every 30 days and are 240
random characters in length. See managed service accounts (MSAs).
Best Practices Analyzer (BPA) This new Server Manager enhancement shows administrators a report that
lists violations to best practices for the installation and configuration for the selected role.
BranchCache Allows clients located in branch offices to access copies of shared files located in the cache
of a local server rather than having to access remote servers across a WAN.
Certificate Enrollment Web Service Part of Certificate Services, this new role service enables certificate
enrollment over HTTP.
deleted object lifetime A value that defines the period of time that a deleted object can be restored using
the Recycle Bin.
DirectAccess Allows seamless, secure, and flexible client connections from a Windows 7 Enterprise or
Ultimate client to a Windows Server 2008 R2 DirectAccess server. DirectAccess-enabled Internet-connected
client computers are constantly connected to the private network; there is no need for manual
connections.
DNS cache locking A new DNS security feature that prevents the cached record from being overwritten
until the TTL expires.
DNS devolution A new feature on Windows Server 2008 R2 and Windows 7 DNS resolvers that allows
administrators to configure how the DNS resolver devolves DNS queries.
DNSSEC An Internet standard set of DNS security enhancements defined by RFCs 4033–4035 that uses
public key cryptography and digital signatures to validate the identity of a server providing a DNS
response.
Global Object Access Auditing Allows the creation of System Access Control Lists (SACLs) on files or
registry keys for an entire computer (or all computers in the scope of the GPO) rather than the administrator
having to set audit policies on individual files.
Lite Touch Installation (LTI) Part of the Microsoft Deployment Toolkit, LTI automates Windows
installations requiring minimal user interaction.
live migration Allows a running virtual machine to be moved between Hyper-V servers without
disconnecting client computers that are using it.
location-aware printing A new Print Services feature that allows mobile users to set different default
printers for the different networks they connect to.
logically deleted A deleted object state in which the deleted object is stored in the Deleted Objects
container and all attributes and linked values (such as group memberships) are preserved.
managed service accounts (MSAs) Accounts you can create using the New-ADServiceAccount
PowerShell cmdlet, which enhance security by replacing the Local System Account and Network Service
Account.
multi-configuration System Health Validator (SHV) A new feature for Network Access Protection
(NAP) in which administrators can specify multiple SHV configurations that can be selected when a health
policy is configured.
Netgroup Allows administrators of the Service for NFS on Windows Server 2008 R2 servers to create
named groups of hosts, which will simplify NFS login and NFS access control lists.
NPS templates Used to configure elements of NPS, such as RADIUS. The templates can be used on NPS
servers and exported for use on other NPS servers, thus providing a more manageable and consistent NPS
environment.
offline domain join A new feature that allows administrators to join computers without network
connectivity to a domain. Computers can be joined to the domain the first time they start up after a new OS
installation and do not require a restart.
printer driver isolation Allows printer drivers to run in a process isolated from the print spooler. The
isolation prevents misbehaving print drivers from bringing down the entire print spooler process.
quick migration A method of migrating VMs in which a copy of the VM memory is made to disk storage
and when the new server takes over the VM, the memory is read from disk storage. Requires some
downtime of the VM.
recycled object A deleted object state in which most of the linked values and attributes of the object are
deleted and the object will soon be removed from the Active Directory database.
Remote Desktop Virtualization Host A new role service in Windows Server 2008 R2. Using Remote
Desktop Virtualization Host along with RemoteApp and Desktop Connection, administrators can create
virtual desktops for use as personal desktops or for use in desktop pools.
virtual account Similar to a managed service account, a virtual account is designed primarily to be used in
place of the Network Service Account. Virtual accounts use the computer account's credentials to access
the network in a domain environment. See managed service accounts.
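The managed service account and virtual account entries above describe two ways to stop services from sharing Local System or Network Service. The script below, an added example rather than code from the original document, walks through creating an MSA with the New-ADServiceAccount cmdlet named in the entry, binding it to one host, installing it there, and pointing a service at it, with the virtual account form shown as the alternative for a service that only needs the computer's identity. The names svc-web, WEB01 and MyAppService are assumed placeholders; the Active Directory PowerShell module (RSAT) and Windows Server 2008 R2 domain controllers are assumed to be present.

```powershell
# Added example, not from the original document: provision an MSA and assign
# it to a service; the virtual account alternative is shown at the end.
# Assumed names: svc-web (MSA), WEB01 (host), MyAppService (Windows service).
Import-Module ActiveDirectory

$msaName     = 'svc-web'        # assumed MSA name
$hostName    = 'WEB01'          # assumed server that will run the service
$serviceName = 'MyAppService'   # assumed service name

# --- Step 1 (domain admin workstation): create the MSA ---
# The domain generates and rotates the password (see "automated password
# regeneration" above); it is never typed, stored in a script, or shared.
New-ADServiceAccount -Name $msaName -Enabled $true

# --- Step 2: restrict the MSA to the single computer allowed to use it ---
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# --- Step 3 (run on WEB01): install the account locally so the service control
#     manager can retrieve the password, then assign it to the service.
#     sc.exe takes the account as DOMAIN\name$ with no password.
Install-ADServiceAccount -Identity $msaName
$domainNetbios = (Get-ADDomain).NetBIOSName
& sc.exe config $serviceName obj= "$domainNetbios\$msaName`$"

# Alternative: a virtual account, NT SERVICE\<service name>, needs no AD object
# at all and presents the computer account's credentials on the network.
# & sc.exe config $serviceName obj= "NT SERVICE\$serviceName"

# --- Step 4: verify which identity the service now uses ---
Get-WmiObject Win32_Service -Filter "Name='$serviceName'" |
    Select-Object Name, StartName, State
```

`Install-ADServiceAccount` must be run on the host itself, and the MSA is usable on exactly one computer, which is what makes a compromised service on one server non-reusable elsewhere; if the service also needs rights on local files or registry keys, grant them to `DOMAIN\svc-web$` (or `NT SERVICE\MyAppService` for the virtual account) rather than to a shared group.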
VPN Reconnect After an Internet connection disruption, VPN Reconnect automatically reestablishes a
VPN connection without requiring the user to reenter credentials.
Zero Touch Installation (ZTI) Part of the Microsoft Deployment Toolkit, ZTI automates Windows
installations requiring no user interaction.