
Unit – III

Windows-2008 Server
Administration
Asmatullah Khan,
CL/CP, GIOE,
Secunderabad.
Contents
• Analyze the Installation & Configuration of Windows 2008 Server
• Discuss User & Group Managements.
• Analyze the working of Device Manager, Drivers Signing & Signature
• Analyze Verification & Managing Ports.
• Implement the Installing & Managing & Configuration Printers,
• Discuss Disk Management Tools & Tasks,
• Describe File Systems and User Management.
• Implementing Files and Folder NTFS & Share Permissions.
• Explain Managing Servers Remotely Using Terminal Services (Remote Desktop).
• Describe Remote Access and VPN Overview, Configuring & Implementing Remote Access Server.
• Implementing & Configuring VPN.
• Implementing & Configuring Active Directory Services Forest.
• Implementing Server Roles, Restoring Active Directory.
• Implementing Local and Domain Security policies
• Explain briefly about Group policy Architecture
• Implementing Group Policy: Configuring User environment by using Group policy
• Deploying software through Group Policy
Installation & Configuration of Windows 2008 Server
• Windows Server 2008 offers two general types of installations: a typical Full server installation and Server Core.
• Server Core is a stripped-down version of Windows Server 2008 that doesn’t include a GUI or any other unneeded services. Instead, the server installs only key features that are related to the role that it supports, for example, Active Directory or Domain Name System (DNS).
Installation & Configuration of Windows 2008 Server - Pre-Installation Analysis
• In Windows Server 2008, a major installation problem (having to key in bits of information at different times throughout the installation process, such as license information, components to install, and network configuration) has been addressed by reducing the number of interactive steps required to get Windows Server up and running.
• All the necessary questions for the installation are asked up front, before you begin the actual installation process of copying the files and performing the initial server configuration.
• By doing this, the installation process no longer has to stop for additional information before it can proceed.
• Once the server software installation is complete, installation of components and the configuration of the server can proceed under the new integrated management tool called Server Manager.
Installation & Configuration of Windows 2008 Server - Interactive Installation Steps
1. Insert the appropriate Windows Server 2008 installation media into your DVD drive. If you don’t have an installation DVD for Windows Server 2008, you can download one for free from Microsoft’s Windows 2008 Server Trial website. Reboot the computer.
2. When prompted for an installation language and other regional options, make your selection and press Next.
3. Next, press Install Now to begin the installation process.
4. Product activation is now also identical with that found in Windows Vista. Enter your Product ID in the next window, and if you want to automatically activate Windows the moment the installation finishes, click Next. If you do not have the Product ID available right now, you can leave the box empty and click Next. You will need to provide the Product ID later, after the server installation is over. Press No.
5. Because you did not provide the correct ID, the installation process cannot determine what kind of Windows Server 2008 license you own, and therefore you will be prompted to select your correct version in the next screen, assuming you are telling the truth and will provide the correct ID to prove your selection later on.
6. If you did provide the right Product ID, select the Full version of the right Windows version when prompted, and click Next.
7. Read and accept the license terms by clicking to select the checkbox and pressing Next.
8. In the “Which type of installation do you want?” window, click the only available option: Custom (Advanced).
9. In the “Where do you want to install Windows?” window, if you’re installing the server on a regular IDE hard disk, click to select the first disk, usually Disk 0, and click Next.
10. The installation now begins, and you can go and have lunch. Copying the setup files from the DVD to the hard drive only takes about one minute. However, extracting and uncompressing the files takes a good deal longer. After 20 minutes, the operating system is installed. The exact time it takes to install server core depends upon your hardware specifications. Faster disks will perform much faster installs. Windows Server 2008 takes up approximately 10 GB of hard drive space.
11. When the server reboots, you’ll be prompted with the new Windows Server 2008 type of login screen. Press CTRL+ALT+DEL to log in.
12. Click on Other User.
13. The default Administrator password is blank, so just type Administrator and press Enter.
14. You will be prompted to change the user’s password. You have no choice but to press Ok.
15. In the password changing dialog box, leave the default password blank, and enter a new, complex, at-least-7-characters-long password twice. A password like “topsecret” is not valid (it’s not complex), but one like “T0pSecreT!” sure is. Make sure you remember it.
16. Someone thought it would be cool to nag you once more, so now you’ll be prompted to accept the fact that the password had been changed. Press Ok. Finally, the desktop appears and that’s it, you’re logged on and can begin working. You will be greeted by an assistant for the initial server configuration, and after performing some initial configuration tasks, you will be able to start working.
Installation & Configuration of Windows 2008 Server - Initial Post Installation Configuration Tasks
Task | Description
Set the Administrator Password | Lets you set the password for the Administrator account and rename the account.
Set Time Zone | Sets the time zone for the server.
Configure Networking | Opens the Network Connections Control Panel applet so you can configure your various network interfaces.
Provide Computer Name and Domain | Lets you change the computer name as well as join a domain.
Enable Automatic Updating and Feedback | Lets you specify how you want to configure Windows Update, Windows Error Reporting, and the Customer Experience Improvement Program (CEIP). You should compare the Windows Error Reporting information as well as the CEIP settings against your organization’s policies, since both features send usage information back to Microsoft.
Download and Install Updates | Lets you download and install updates. You should do this unless you have an alternative patch-management tool, since you want your system to be up to date with all critical security patches before opening it up to your network. You should manually set the configuration of the updates based on your own policies to prevent updates from automatically restarting your server. You should also keep checking for updates after each reboot until all the updates have been installed.
Add Roles | Lets you add roles to this server, that is, Dynamic Host Configuration Protocol (DHCP), DNS, Internet Information Services (IIS), and so on.
Add Features | This new interface replaces the Add/Remove Windows Components from the Add/Remove Programs Control Panel applet in previous versions of Windows and provides a much easier means of adding additional Windows components.
Enable Remote Desktop | Lets you configure remote desktop.
Configure Windows Firewall | Turns on or turns off the Windows Firewall.

Windows Server 2008 - User & Group Managements
• Whether you are working with a Windows Server 2008 R2 full installation or with Server Core, managing local groups is very similar. Starting with the default installations, both systems have the same default users and groups installed.
• On your Windows Server 2008 R2 server, two user accounts are created by default: Administrator and Guest.
  ➢ Administrator is the default built-in account for administering the local machine.
  ➢ The Administrator account is by default the only account that is enabled.
  ➢ Guest is the default built-in account for guest access to the system; however, the account is disabled by default.
• Placing user accounts in default local groups will grant those users the permissions and responsibilities of those groups.
• The basic concept behind using groups is that you assign permissions just once to the group, thus granting permissions to all the members in the group and giving you an easy way to delegate administration for your server.
• For example, if you want to have a user perform a daily backup of your server, you would simply need to add them to the Backup Operators group, and they would be granted the necessary rights to perform backup and restore operations.
Windows Server 2008 - User & Group Managements – List of Default Groups
Group | Definition and Usage
Administrators | This group has unrestricted access to the local computer. This account is the main account to accomplish any task on a server. By default, the Administrator account is the only member of this group.
Backup Operators | This group, as the name suggests, is designed for the backup and restoration of files on the server.
Certificate Service DCOM Access | This group is allowed to connect to certificate authorities for enrollment in your preferred Public Key Infrastructure.
Cryptographic Operators | This group is allowed and authorized to perform cryptography operations on your server. These settings include the crypto settings in the IPsec policy of the Windows Firewall, among other settings.
Distributed COM Users | This group can activate and launch DCOM objects on the server. DCOM objects are used for communication between applications.
Event Log Readers | This group can work with and read the local event logs on the server.
Guests | Users of this group by default have the same access as the Users group, except for the Guest account, which is further restricted. By default, the only account in this group is the disabled Guest account.
IIS_IUSRS | This is the default group account for use with Internet Information Services.
Network Configuration Operators | Users in this group have some administrative privileges over managing the configuration of networking features on the server.
Performance Log Users | This group allows its users to schedule the logging of performance counters, enable trace providers, and collect event traces for the local server. The tasks can be performed locally or remotely.
Performance Monitor Users | This group can access the local performance counter data either locally or through remote administration.
Power Users | This group has limited administrative capabilities on the system and is primarily included for backward compatibility with previous operating systems.
Print Operators | These users can work with and administer printers on the local server system.
Remote Desktop Users | Users in this group are given the right to log on remotely to the server.
Replicator | This group is designed for file replication.
Users | Members have limited administrative access to the system, to prevent them from inadvertently making system-wide changes; however, users in this group can run and access most applications.
Windows Server 2008 - User & Group Managements – Creating Users – Types of User Accounts
• There are two types of user accounts in system administration:
• Local User Account
  ➢ allows a user to log on to their own system,
  ➢ access the resources that are on that system, and
  ➢ manage only that system.
  ➢ Account credentials are saved and authenticated locally on the specific system.
• Domain User Account
  ➢ allows a user to log on to any system from a remote machine configured to be in the domain,
  ➢ access any resource in the domain configured to be shared, and
  ➢ manage any system configured with remote desktop or terminal services.
  ➢ Account credentials are saved and authenticated on Active Directory and are centralized throughout the domain.
Windows Server 2008 - User & Group Managements – Creating Users – Local Users Accounts
1. Click Start, select Administrative Tools and click Computer Management.
2. In Computer Management, click Local Users and Groups.
3. Double click the Users folder.
4. Right click in the users list and click New User.
5. Fill in the information for the new user and click Create. You can create another user. Click Close when you are done creating users.
6. You should now see your newly created user accounts. By default, new user accounts are given limited access permissions.

Granting Local Administrator Permissions
7. Right click the user and click Properties.
8. Click the Member Of tab.
9. In the Member Of tab, click Add.
10. In Select Groups, type in Administrators and click Check Names. Click OK when you are done. Click OK again to save the changes.
Windows Server 2008 - User & Group Managements – Creating Users – Domain Users Accounts
1. Click Start, select Administrative Tools and click Active Directory Users and Computers.
2. In Active Directory Users and Computers, navigate to the folder where you want to store the new user.
3. Right click in the user list and click New User.
4. Fill in the new user information and click Next.
5. Fill in the password information and click Next.
6. Click Finish.
7. You should now see your newly created user account. By default, new user accounts are given limited access permissions.

Granting Administrator Permissions
8. Right click the user and click Properties.
9. Click the Member Of tab.
10. In the Member Of tab, click Add.
11. In Select Groups, type in Administrators and click Check Names. Click OK when you are done. Click OK again to save the changes.
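
Both the local and the domain procedure above end by adding an account to Administrators, so it is worth reading the membership back afterwards. The following PowerShell is an added example, not part of the original slides: the function names `Get-BuiltinGroupMember` and `Test-GroupBaseline` and the allow-list contents are hypothetical, and it uses the ADSI WinNT provider so it needs no extra modules.

```powershell
# Added example: list the members of built-in groups named on this page and
# mark every member that is not on a reviewed allow-list.

function Get-BuiltinGroupMember {
    param(
        [Parameter(Mandatory = $true)][string]$GroupName,
        # Computer name, or a domain's NetBIOS name (the WinNT provider takes both)
        [string]$Target = $env:COMPUTERNAME
    )
    $group = [ADSI]"WinNT://$Target/$GroupName,group"
    # Members() yields COM objects; read their properties by late binding.
    $group.psbase.Invoke('Members') | ForEach-Object {
        $type = $_.GetType()
        New-Object PSObject -Property @{
            Name    = $type.InvokeMember('Name',    'GetProperty', $null, $_, $null)
            Class   = $type.InvokeMember('Class',   'GetProperty', $null, $_, $null)
            ADsPath = $type.InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        }
    }
}

function Test-GroupBaseline {
    param(
        [Parameter(Mandatory = $true)][hashtable]$Baseline,
        [string]$Target = $env:COMPUTERNAME
    )
    foreach ($groupName in $Baseline.Keys) {
        try {
            $members = @(Get-BuiltinGroupMember -GroupName $groupName -Target $Target)
        } catch {
            # A missing group or an unreachable target should not stop the audit.
            Write-Warning "Could not read group '$groupName' on ${Target}: $_"
            continue
        }
        foreach ($m in $members) {
            # Comparison is by account name only; ADsPath is emitted so the
            # reviewer can tell a local account from a domain account.
            $m | Select-Object @{n = 'Group'; e = { $groupName }},
                               Name, Class, ADsPath,
                               @{n = 'InBaseline'; e = { $Baseline[$groupName] -contains $_.Name }}
        }
    }
}

# Constructed allow-list: replace the names with the accounts you expect.
$baseline = @{
    'Administrators'       = @('Administrator')
    'Backup Operators'     = @()
    'Remote Desktop Users' = @()
}

Test-GroupBaseline -Baseline $baseline |
    Sort-Object Group, Name |
    Format-Table Group, Name, Class, InBaseline, ADsPath -AutoSize
```

Rows with `InBaseline` set to False are the accounts to review, for example a user added through the Member Of tab as in the steps above.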
Explain Managing Servers Remotely Using Terminal Services (Remote Desktop)
• Remote Desktop Services (RDS), known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allows a user to take control of a remote computer or virtual machine over a network connection.
• RDS is Microsoft's implementation of thin client, where Windows software, and the entire desktop of the computer running RDS, are made accessible to a remote client machine that supports Remote Desktop Protocol (RDP).
• With RDS, only software user interfaces are transferred to the client system.
• In effect, while the applications and desktops appear to be running on the local machine, they are actually running in virtual sessions on the remote server, with only the display graphics and keyboard and mouse information passing between the two systems.
• This allows one or more Windows Server 2008 R2 systems (referred to as Remote Desktop Session Hosts) to provide the applications and desktops for any number of desktop systems.
• This has a number of advantages in terms of ensuring that all users have the same version of a particular application and also in terms of reducing administrative overheads.
• RDS includes:
  ➢ RDSH – Remote Desktop Session Host
    • It’s a workforce where remote desktop sessions are running.
  ➢ RDWA – Remote Desktop Web Access
    • It’s a web client application to gain remote desktop services.
  ➢ RDG – Remote Desktop Gateway
    • If connections need to go through external networks, then they go through the gateway.
  ➢ RDVH – Remote Desktop Virtualization Host
    • This is actually a Hyper-V Server where virtual machines are running, to which clients can connect.
  ➢ RDCB – Remote Desktop Connection Broker
    • It’s responsible for brokering RD connections.
Explain Managing Servers Remotely Using Terminal Services (Remote Desktop) - Installing Remote Desktop Services
• Click on Start -> Administrative Tools -> Server Manager -> Add Roles -> select Remote Desktop Services -> Click Next -> And Click Next
• Select Remote Desktop Session Host (Ignore the warning and select Remote Desktop Session Host anyway) -> Click Next -> Again Click Next -> Select Do not require Network Level Authentication -> Click Next
• Select Configure Later -> Click Next
• Click on Add to add other users apart from the default administrators group (if needed) -> Click Next.
• Select all three checkboxes to configure Client experience -> Click Next
• Click Install to finish up installation after restart -> Click Close
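
The Network Level Authentication choice made in the wizard above is stored on the RDP-Tcp listener. The following PowerShell is an added example, not part of the original slides, that reads the setting back through the `Win32_TSGeneralSetting` WMI class and, separately, turns NLA on; the function names are hypothetical.

```powershell
# Added example: report the security settings of the RDP-Tcp listener and
# optionally require Network Level Authentication (NLA).

function Get-RdpTcpSetting {
    param([string]$ComputerName = '.')
    # The TerminalServices namespace requires packet privacy on remote queries.
    Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" `
        -ComputerName $ComputerName -Authentication PacketPrivacy `
        -ErrorAction Stop
}

function Get-RdpListenerSecurity {
    param([string]$ComputerName = '.')
    $ts = Get-RdpTcpSetting -ComputerName $ComputerName

    $layer = switch ($ts.SecurityLayer) {
        0 { 'RDP Security Layer' }
        1 { 'Negotiate' }
        2 { 'SSL (TLS 1.0)' }
        default { "Unknown ($($ts.SecurityLayer))" }
    }
    $encryption = switch ($ts.MinEncryptionLevel) {
        1 { 'Low' }
        2 { 'Client Compatible' }
        3 { 'High' }
        4 { 'FIPS Compliant' }
        default { "Unknown ($($ts.MinEncryptionLevel))" }
    }
    $nla = ($ts.UserAuthenticationRequired -eq 1)
    $finding = if ($nla) {
        'NLA required: users authenticate before a session is created'
    } else {
        'NLA not required: the logon screen is reachable before authentication'
    }

    New-Object PSObject -Property @{
        Listener           = $ts.TerminalName
        NlaRequired        = $nla
        SecurityLayer      = $layer
        MinEncryptionLevel = $encryption
        Finding            = $finding
    } | Select-Object Listener, NlaRequired, SecurityLayer, MinEncryptionLevel, Finding
}

function Enable-RdpNla {
    param([string]$ComputerName = '.')
    $ts = Get-RdpTcpSetting -ComputerName $ComputerName
    # 1 = require NLA; the method reports success with ReturnValue 0.
    $result = $ts.SetUserAuthenticationRequired(1)
    $result.ReturnValue -eq 0
}

# Report the current state of the local server.
Get-RdpListenerSecurity | Format-List
```

Once NLA is required, only clients that support CredSSP can connect, so check the client estate before calling `Enable-RdpNla`.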
Explain Managing Servers Remotely Using Terminal Services (Remote Desktop) – Using RD Services – RemoteApp Manager
• Click Start -> Administrative Tools -> Remote Desktop Services -> RemoteApp Manager
• Right Click in the list of the RemoteApp Programs section -> click Add RemoteApp Programs -> Click Next
• Select the program which you want to make available to be accessed and used from the remote server -> Click Next and Finish.
• Right Click the RemoteApp Program which you have added -> select Create .rdp File -> Click Next
• Click on Browse to select a shared folder to which the clients have access -> Click Ok -> Click Next -> Click Finish
• Move on to the Client Machine where you want to use the remote program and browse for the shared folder -> Double Click the program -> Click on Connect
• Enter credentials of those users to whom “Allow logon remotely” permissions have been granted, usually administrators group users -> Click OK.
• Observe that the program is not installed on the client machine but is running on the remote server.
Describe Remote Access and VPN Overview, Configuring & Implementing Remote Access Server
• A remote-access VPN allows individual users to establish secure connections with a remote computer network.
• Those users can access the secure resources on that network as if they were directly plugged in to the network's servers.
• An example of a company that needs a remote-access VPN is a large firm with hundreds of salespeople in the field.
• Another name for this type of VPN is virtual private dial-up network (VPDN), acknowledging that in its earliest form, a remote-access VPN required dialing in to a server using an analog telephone system.

A remote-access VPN connection allows an individual user to connect to a private business network from a remote location using a laptop or desktop computer connected to the Internet.
• There are two components required in a remote-access VPN.
• The first is a network access server (NAS, usually pronounced "nazz" conversationally), also called a media gateway or a remote-access server (RAS).
  ➢ IT professionals also use NAS to mean network-attached storage.
  ➢ A NAS might be a dedicated server, or it might be one of multiple software applications running on a shared server.
  ➢ It's a NAS that a user connects to from the Internet in order to use a VPN.
  ➢ The NAS requires that user to provide valid credentials to sign in to the VPN.
  ➢ To authenticate the user's credentials, the NAS uses either its own authentication process or a separate authentication server running on the network.
• The other required component of remote-access VPNs is client software.
  ➢ In other words, employees who want to use the VPN from their computers require software on those computers that can establish and maintain a connection to the VPN.
  ➢ Most operating systems today have built-in software that can connect to remote-access VPNs, though some VPNs might require users to install a specific application instead.
  ➢ The client software sets up the tunneled connection to a NAS, which the user indicates by its Internet address.
  ➢ The software also manages the encryption required to keep the connection secure.
• VPN protocols
  ➢ There are several different protocols used to secure and encrypt users and corporate data:
    1. IP security (IPsec)
    2. Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
    3. Point-To-Point Tunneling Protocol (PPTP)
    4. Layer 2 Tunneling Protocol (L2TP)
    5. OpenVPN
  ➢ The most common types of VPNs are
    1. remote-access VPNs, and
    2. site-to-site VPNs.
• Remote-Access VPNs
  ➢ A VPN client on the remote user's computer or mobile device connects to a VPN gateway on the organization's network.
  ➢ The gateway typically requires the device to authenticate its identity.
  ➢ Then, it creates a network link back to the device that allows it to reach internal network resources (e.g., file servers, printers and intranets) as though it was on that network locally.
  ➢ A remote-access VPN usually relies on either IPsec or Secure Sockets Layer (SSL) to secure the connection, although SSL VPNs are often focused on supplying secure access to a single application, rather than to the entire internal network.
  ➢ Some VPNs provide Layer 2 access to the target network; these require a tunneling protocol like PPTP or L2TP running across the base IPsec connection.
Describe Remote Access and VPN Overview, Configuring & Implementing Remote Access Server
• Click Start -> Administrative Tools -> Server Manager -> Add Roles -> Select Network Policy and Access Services -> Click Next -> Again click Next
• Select Network Policy Server and Routing and Remote Access Services along with its sub services Remote Access Service and Routing -> Click Next -> Click Install -> Click Close
• Select Start -> Administrative Tools -> Routing and Remote Access
• Right Click on the Server and Select Configure and Enable Routing and Remote Access -> Click Next
• Select Custom Configuration (as the default one will expect us to have more than one NIC) -> Click Next -> Select VPN access and Click Next -> Click Finish (Ignore the warning, Click OK) -> Click Start Service
• Right Click the Server -> select Properties -> IPv4 Tab -> Select Static Address Pool -> Add -> Specify a range for VPN Clients
• Right Click Remote Access Logging & Policies -> Select Launch NPS -> Select Accounting -> Click Configure Accounting
• Click Next -> Select Log to a text file on the local computer -> Click Next
• Leave as default, Click Next -> Again Next -> Close
• Right Click Network Policies -> New
• Give a name Test -> select Type of Network access server as Remote Access Server (VPN – Dial up) from the dropdown list -> Click Next
• Click Add -> User Groups -> Add Groups -> type in the required group of users to whom you want to grant VPN access and click OK -> again OK -> Next
• Select what IPSec setting you want (Access granted) -> Check Access is determined by User Dial-in properties (which overrides NPS policy) -> click Next
• Leave the default authentication protocols as they are and click Next.
• Select Disconnect after the maximum idle time and set it as 7 minutes -> click Next
• Leave the default settings as they are and click Next and Finish.
• We can change the behavior of user dial-in either through the Dial-in tab of the user’s properties in AD Users and Computers, or through the Overview tab in the Properties of the Test Network Policy we have created.
• Select Virtual (VPN) as NAS Port Type in the Constraints Tab of the Test Network Policy Properties and Click Ok.
• Move on to the VPN Client (make sure you are able to ping the server) -> Control Panel -> Network and Internet -> Network and Sharing Center -> Click Set up a new connection or network.
• Select Connect to a Workplace -> Click Next
• Select Use My Internet Connection (VPN)
• Select I’ll set up an Internet connection later
• Type in the VPN Internet Address (VPN Server IP) and Click Next
• Type in the credentials required to log in to the VPN server and Click Next
• If you have an internet connection configured, it will proceed to connect to the VPN Server and show that you are connected.
• Then you can open cmd and check the IP assigned by the VPN Server with the ipconfig command.
Implementing & Configuring Active Directory Services Forest
• The Active Directory directory service is a distributed database that stores and manages information about network resources, as well as application-specific data from directory-enabled applications.
• Active Directory allows administrators to organize objects of a network (such as users, computers, and devices) into a hierarchical collection of containers known as the logical structure.
• The top-level logical container in this hierarchy is the forest.
• Within a forest are domain containers, and within domains are organizational units.
• Service administrators can use domain and forest containers to meet a number of specific requirements, including:
  1. Implementing an authentication and authorization strategy for sharing resources across a network.
  2. Providing a mechanism for centralizing management of multiple domains and forests.
  3. Providing an information repository and services to make information available to users and applications.
  4. Organizing objects of a network (such as users, computers, devices, resources, and application-specific data from directory-enabled applications) into a non-physical hierarchical structure.
 What Are Domains?
 Domains are logical directory components that you create to manage the administrative requirements of your organization.
 The logical structure is based on the administrative requirements of an organization, such as the delegation of
administrative authority, and operational requirements, such as the need to control replication.
 In general, domains are used to control where in the forest replication of domain data occurs and organizational units are
used to further organize network objects into a logical hierarchy and delegate control to appropriate administrative support
personnel.
 A domain is a partition in an Active Directory forest.
 Partitioning data enables organizations to replicate data only to where it is needed.
 In this way, the directory can scale globally over a network that has limited available bandwidth.
 Domains can also be defined as:
 Containers within a forest
 Units of Policy
 Units of Replication
 Authentication and Authorization Boundaries
 Units of Trust
 Each domain has a domain administrators group.
 Domain administrators have full control over every object in the domain.
 These administrative rights are valid within the domain only and do not propagate to other domains.
[Figures: Domains as Containers Within a Forest; Domains as Units of Policy; Domains as Units of Replication; Domains as Authentication and Authorization Boundaries; Domains as Units of Trust]
 What Are Forests?
 At its highest level, a forest is a single instance of Active Directory.
 Therefore, a forest is synonymous with Active Directory, meaning that the set of all directory partitions in a
particular Active Directory instance (which includes all domain, configuration, schema and optional application
information) makes up a forest.
 This means that when you have multiple forests in an enterprise they will, by default, act separately from each
other as if they were the only directory service in your organization.
 This behavior, however, can easily be modified so that multiple forests can share Active Directory
responsibilities across an enterprise.
 This is done by creating external or forest trust relationships between the forests.
 In this way, each forest can be connected with every other forest to form a collaborative directory service
solution for any enterprise with business needs that include multiple forest collaboration.
 Forests can also be defined as:
 Collections of Domain Containers that Trust Each Other
 Units of Replication
 Security Boundaries
 Units of Delegation
[Figures: Forests as Collections of Domain Containers that Trust Each Other; Forests as Units of Replication; Forests as Security Boundaries; Forests as Units of Delegation]
Domain          IP            DNS           DG (default gateway)
gpthyd.local    192.168.1.1   192.168.1.1   192.168.1.2
gioe.local      192.168.1.2   192.168.1.2   192.168.1.1
cp.gioe.local   192.168.1.3   192.168.1.3   192.168.1.2
 Set up three servers and configure their IP settings and system names as shown below.
[Screenshots: gioe.local (parent server); gpthyd.local (parent server); cp.gioe.local (child server)]
Implementing & Configuring Active Directory Services Forest - gioe.local (parent server)
 Add Active Directory Services role to server.
 Start -> Administrative Tools -> Server Manager -> Add Role
 Active Directory Services -> Next -> Add Required Features (.NET Framework)
 Next -> Install -> Close.
 Active Directory Services is now installed; next we have to make the server a Domain Controller.
 Start -> dcpromo -> Next -> Next -> Select Create a new domain in a new forest.
 Give an appropriate domain (gioe.local) and click Next -> Select appropriate forest functional level (Windows
Server 2008 R2) and click Next.
 Click Next -> Yes -> Next -> Give AD Backup Password (ADBckup@Srv-1) and click Next.
 Click Next -> Check Reboot on completion -> Wait till server restarts and verify and reset IP Settings once again ->
Configure DNS by Click Start -> Administrative Tools -> DNS.
 Right Click Forward Lookup Zone -> New Zone -> Next -> Next -> Next.
 Provide Second Tree’s Domain Name as new forward lookup zone name (gpthyd.local) and click Next -> Next -> Finish.
 Then we will Delegate forward lookup zone authority to second tree server (GpthydSrv) by Right Clicking new forward lookup zone (gpthyd.local) and select New Delegation.
 Click Next -> Give second tree server name GpthydSrv and click Next -> Click Add -> Provide FQDN of second Tree’s
DNS server (GpthydSrv.gpthyd.local) and click OK.
 Click Next -> Finish.
 Forward Lookup Zone on First Tree DNS Server is configured now and delegated to the Second Tree Server.
Implementing & Configuring Active Directory Services Forest - gpthyd.local (parent server-second tree)
 Install Active Directory Services and promote server as Domain Controller by clicking on Start -> type dcpromo -> select Use advanced mode installation and click Next -> Select
Existing Forest and its sub choice as Create a new domain in an existing forest and select Create a new domain tree root instead of a new child domain and click Next -> Give
first tree’s domain name (gioe.local) and its corresponding login credentials by clicking Set button and click Ok and Next.
 Give second tree’s domain name (gpthyd.local) and click Next -> Next -> Next -> Select Global Catalog and click
Next.
 Click Next (as we have already created the DNS delegation on the first tree’s DNS (gioe.local)) -> Next -> Next -> Give an
appropriate Active Directory Backup Password (ADBckup@Srv-2) and click Next.
 Click Next -> Select Reboot on completion wait for restart of the server.
 The second tree’s Domain Controller (gpthyd.local) is ready and has a trust relationship established with the first tree’s domain controller (gioe.local).
Implementing & Configuring Active Directory Services Forest – cp.gioe.local (child server-first tree)
 Make sure the IP settings on the child server are as given below, then install Active Directory Services.
 Promote the server as Domain Controller by clicking Start -> dcpromo -> Next -> Next -> Select Existing forest and Create a new domain in an existing forest and click Next.
 Give parent domain name gioe.local and its corresponding credentials by clicking Set button -> it will examine Active Directory Forest
details and then give FQDN gioe.local along with its child domain name cp and click Next it will validate to proceed further.
 Click Next -> Select Global Catalog along with DNS server and click Next -> Next -> Give Active Directory Recovery
Password (ADBckup@Srv-3) and click Next.
 Next -> Select Reboot on completion and wait till server reboots.
 We have configured the basic forest requirements; next we will test the forest by creating groups on individual servers and trying to include users from anywhere in the entire forest.
 On the child server try to create a group Test by selecting Start -> Administrative Tools -> Active Directory Users
and Computers -> Expand cp.gioe.local -> Right click Users OU and select New and then Group.
 Give Test as name of group and group scope as Universal and group type as Security -> click OK.
 Right Click Test group and go to properties -> Click Add in Members tab -> Click Locations to browse entire forest -> select gioe.local to add users from first tree -> click OK
 Type Enterprise Admins and click Check Names -> Click OK to add it to the Test group; thus we are able to
use Parent server gioe.local domain users in the Child server cp.gioe.local domain.
 Similarly, on the Second Tree DC gpthyd.local, try to add users from the First Tree gioe.local to a group Test.
 If we are able to add Enterprise Admins from gioe.local to gpthyd.local, then our forest has been configured correctly, with a trust relationship between the first and second trees of the forest.
Implementing Server Roles, Restoring Active Directory
 Windows Server 2008 includes a new backup application named
Windows Server Backup.
 Windows Server Backup replaces the good old NTBACKUP.EXE and is
not installed by default.
 You must install it by using the Add Features option in Server Manager
before you can use the Wbadmin.exe command-line tool or Windows
Server Backup on the Administrative Tools menu.
 There are several methods for Active Directory backup and Recovery:
1. Through System State
2. Through the recycle bin
3. Through snapshot backups
4. Through Tombstone Reanimation
 System State Backup
 In Windows Server 2008, the system components that make up system state data depend on the server
roles that are installed on the computer.
 The system state data includes at least the following data, plus additional data, depending on the server
roles that are installed:
 Registry
 COM+ Class Registration database
 Boot files
 Active Directory Certificate Services (AD CS) database
 Active Directory database (Ntds.dit)
 SYSVOL directory
 Cluster service information
 Microsoft Internet Information Services (IIS) metadirectory
 System files that are under Windows Resource Protection
 When you use Windows Server Backup to back up the critical volumes on a domain controller, the backup
includes all data that resides on the volumes that include the following:
 The volume that hosts the boot files, which consist of the Bootmgr file and the Boot Configuration Data (BCD) store
 The volume that hosts the Windows operating system and the registry
 The volume that hosts the SYSVOL tree
 The volume that hosts the Active Directory database (Ntds.dit)
 The volume that hosts the Active Directory database log files
 Windows Server 2008 supports the following backup types:
 Manual backup
 A member of the Administrators group or the Backup Operators group can initiate a manual
backup by using Server Backup or the Wbadmin.exe command-line tool each time that a backup is
needed.
 If the target volume is not included in the backup set, you can make manual backups on a remote
network share or on a volume on a local hard drive.
 Manual backups made by wbadmin always create a new folder containing the full systemstate
backup.
 This means you need a huge amount of disk space if you want to keep several versions of your
backup.
 The wbengine creates a separate folder containing a timestamp for each backup.

 Scheduled backup
 A member of the Administrators group can use the Windows Server Backup or the Wbadmin.exe
command-line tool to schedule backups.
 The scheduled backups must be made on a local, physical drive that does not host any critical
volumes, or on any remote share (even the system volume of another server).
 Allowing backing up onto system critical volumes can be forced using a registry key.
 Active Directory Recycle Bin
 Active Directory Recycle Bin helps minimize directory service downtime by enhancing your ability
to preserve and restore accidentally deleted Active Directory objects without restoring Active
Directory data from backups, restarting Active Directory Domain Services (AD DS), or rebooting
domain controllers.
 When you enable Active Directory Recycle Bin, all link-valued and non-link-valued attributes of
the deleted Active Directory objects are preserved and the objects are restored in their entirety
to the same consistent logical state that they were in immediately before deletion.
 For example, restored user accounts automatically regain all group memberships and
corresponding access rights that they had immediately before deletion, within and across domains.
 By default, Active Directory Recycle Bin in Windows Server 2008 R2 is disabled.
 After you enable Active Directory Recycle Bin in your environment, you cannot disable it.
 When Active Directory Recycle Bin has not been enabled, deleted objects are stripped down and marked
Tombstoned.
 The garbage collection process deletes these objects when the Tombstone Life Time has expired.
 When the Active Directory Recycle Bin has been enabled, deleted objects are no longer tombstoned
but receive a “Deleted” status.
 In this status, all attributes are preserved.
 Objects move to the Recycled status when the deleted life time expires.
 In this status, most of the attributes are stripped off and lost.
 The garbage collection process physically deletes the object from the AD database when the Recycled Life
Time has expired.
[Figures: without Recycle Bin; with Recycle Bin]
 Active Directory Snapshot Backups
 Windows Server 2008 has a new feature allowing administrators to create snapshots of the Active
Directory database for offline use.
 With AD snapshots you can mount a backup of AD DS under a different set of ports and have read-
only access to your backups through LDAP.
 There are quite a few scenarios for using AD snapshots.
 For example, if someone has changed properties of AD objects and you need to revert to their previous
values, you can mount a copy of a previous snapshot to an alternate port and easily export the required
attributes for every object that was changed.
 These values can then be imported into the running instance of AD DS.
 You can also restore deleted objects or simply view objects for diagnostic purposes.
 AD snapshots, when mounted and connected to, allow you to see what the AD database looked
like at the moment the snapshot was created, what objects existed, and other types of information.
 However, out of the box, it does not allow you to move or copy items or information from the
snapshot to the live database.
 In order to do that you will need to manually export the relevant objects or attributes from the snapshot,
and manually import them back to the live AD database.
 Active Directory Snapshots are not created to use as a real restore mechanism.
 It’s more a way to find differences in Active Directory over time without the need to reboot a domain
controller into the AD restore mode and restore the entire or parts of the database authoritatively.
 Tombstone Reanimation
 All previous backup and restore methods are using backups or snapshots to start from.
 But what are the possibilities when there are no backups at all and the recycle bin has not
been enabled yet?
 A deleted Active Directory object isn’t physically deleted from the database; it is just
Tombstoned, moved to the Deleted Items container in AD and hidden from any tool or MMC
snap-in.
 Unlike with the AD Recycle Bin, not all object attributes are preserved; some of them
are deleted when the object is Tombstoned.
 Tombstone reanimation changes the deleted object's attributes directly in the AD database
and isn’t something you should do often; it is really a worst-case scenario.
 Before you can back up Server 2008 you need to install the backup features from the Server Manager.
1. To install the backup features click Start → Server Manager.
2. Next click Features → Add Features
3. Scroll to the bottom and select both the Windows Server Backup and the Command Line Tools
4. Click Next, then click Install
 Now that we have the backup features installed, we need to back up Active Directory.
1. Open your command prompt by clicking Start, typing "cmd" and pressing Enter.
2. In your command prompt type "wbadmin start systemstatebackup -backuptarget:e:" and press Enter.
Note: You can use a different backup target of your choosing.
3. Type "y" and press Enter to start the backup process.
 When the backup is finished running you should get a message that the backup completed successfully. If it did not complete properly you will need to troubleshoot.
 Now you have a system state backup of your 2008 Server.
 So now what if you accidentally delete an OU, group, or a user account and it's already replicated to your other servers? We
will need to perform an authoritative restore of the Active Directory object you accidentally deleted.
1. To do this you will need to boot into DSRM (Directory Services Restore Mode) by restarting your server and pressing F8 during
the restart.
2. Choose Directory Services Restore Mode from the Advanced Boot menu.
3. Login to your server with your DSRM password you created during Active Directory installation.
4. Once you're logged into your server and in DSRM safe mode, open a command prompt by clicking Start, type
"cmd", and press enter.
5. To make sure you restore the correct backup it's a good idea to use the "wbadmin get versions" command and
write down the version you need to use.
6. Now we need to perform a non-authoritative restore of Active Directory by typing "wbadmin start systemstaterecovery -version:04/14/2009-02:39".
Note: The version of backup will vary depending on your situation. Type "y" and press enter to start the non-authoritative restore.
7. Wait or take a break while the restore completes.
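The restore steps above, extended into an added PowerShell example that is not part of the original slides: it picks the version to pass to wbadmin from the output of "wbadmin get versions" and lists the commands for the non-authoritative restore followed by the ntdsutil authoritative-restore step that the slides announce but do not show. The version listing is a constructed sample, the function names are hypothetical, the 180-day tombstone lifetime is an assumed default, and the DN OU=CP,DC=gioe,DC=local is built from names used on this page.

```powershell
# Constructed sample of "wbadmin get versions" output (not captured from a real server).
$sampleVersions = @'
Backup time: 4/11/2009 8:30 AM
Backup target: Fixed Disk labeled E:
Version identifier: 04/11/2009-03:00
Can recover: Volume(s), File(s), Application(s)

Backup time: 4/14/2009 8:09 AM
Backup target: Fixed Disk labeled E:
Version identifier: 04/14/2009-02:39
Can recover: Application(s), System State

Backup time: 4/16/2009 6:45 AM
Backup target: Fixed Disk labeled E:
Version identifier: 04/16/2009-01:15
Can recover: Application(s), System State
'@

# Parse the listing into objects: one block of "Name: value" lines per backup.
function Get-BackupVersion {
    param([Parameter(Mandatory = $true)] [string] $Text)
    foreach ($block in ($Text -split '(?:\r?\n){2,}')) {
        if ($block -notmatch 'Version identifier:\s*(\S+)') { continue }
        $id = $Matches[1]
        New-Object PSObject -Property @{
            Version     = $id
            Time        = [datetime]::ParseExact($id, 'MM/dd/yyyy-HH:mm',
                              [Globalization.CultureInfo]::InvariantCulture)
            SystemState = ($block -match 'Can recover:.*System State')
        }
    }
}

# Pick the newest backup that can still bring the deleted object back.
function Select-RestoreVersion {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Versions,
        # When the object was deleted, on the same clock as the version identifiers.
        [Parameter(Mandatory = $true)] [datetime] $DeletedAt,
        [datetime] $Now = (Get-Date),
        # Assumption: 180 days. Read the real tombstone lifetime from your forest.
        [int] $TombstoneLifetimeDays = 180
    )
    $oldest = $Now.AddDays(-$TombstoneLifetimeDays)
    $usable = @($Versions | Where-Object {
            $_.SystemState -and          # Active Directory lives in system state
            $_.Time -lt $DeletedAt -and  # taken while the object still existed
            $_.Time -gt $oldest          # a backup older than the tombstone lifetime is not usable
        } | Sort-Object Time -Descending)
    if ($usable.Count -eq 0) {
        throw "No usable system state backup taken before $DeletedAt was found."
    }
    $usable[0]
}

# List what to type in Directory Services Restore Mode.
function Get-RestorePlan {
    param(
        [Parameter(Mandatory = $true)] [string] $Version,
        [Parameter(Mandatory = $true)] [string] $DistinguishedName,
        [switch] $Subtree   # restore a container together with everything under it
    )
    $verb = if ($Subtree) { 'restore subtree' } else { 'restore object' }
    @(
        # Step 6 on this page: the non-authoritative restore.
        "wbadmin start systemstaterecovery -version:$Version"
        # Run the following in the same DSRM session, before the domain
        # controller is restarted normally; each line after "ntdsutil" is
        # typed at the ntdsutil prompt.
        'ntdsutil'
        'activate instance ntds'
        'authoritative restore'
        "$verb `"$DistinguishedName`""
        'quit'
        'quit'
    )
}

# Constructed scenario: the CP OU was deleted on 15 April 2009 at 10:00.
# On a real server, replace $sampleVersions with:
#   ((wbadmin get versions) -join "`n")
$versions = @(Get-BackupVersion -Text $sampleVersions)
$pick = Select-RestoreVersion -Versions $versions `
            -DeletedAt ([datetime]'2009-04-15T10:00:00') `
            -Now       ([datetime]'2009-04-16T12:00:00')
Get-RestorePlan -Version $pick.Version -DistinguishedName 'OU=CP,DC=gioe,DC=local' -Subtree
```

Marking the object authoritative is what makes the restored copy replicate out to the other domain controllers instead of being deleted again by them.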
Implementing Local and Domain Security policies
 Security is a primary concern for all Windows administrators.
 Windows Server 2008 R2 includes numerous settings that affect the services that are
running, the ports that are open, the network packets that are allowed into or out of the
system, the rights and permissions of users, and the activities that are audited.
 You can manage an enormous number of settings, and, unfortunately, there is no magic
formula that applies the perfect security configuration to a server.
 The appropriate security configuration for a server depends on the roles that server plays,
the mix of operating systems in the environment, and the security policies of the
organization, which themselves depend on compliance regulations enforced from outside
the organization.
 Group Policies are administered through the use of Group Policy Objects (GPOs), data
structures that are attached in a specific hierarchy to selected Active Directory Objects,
such as Sites, Domains, or Organizational Units (OUs).
 These GPOs, once created, are applied in a standard order:
 LSDOU, which stands for
(1) Local,
(2) Site,
(3) Domain,
(4) OU,
 with the later policies being superior to the earlier applied policies.
 Local Group Policy Objects (LGPOs) are processed first, followed by the domain policy.
 The settings found in the local Security Settings policies are a subset of the policies that
can be configured using domain-based Group Policy.
 The Default Domain Controllers Policy GPO is created when the first domain controller is
promoted for a new domain.
 It is linked to the Domain Controllers OU and should be used to manage baseline security settings
for all DCs in the domain so that DCs are consistently configured.
 If a computer is participating in a domain and a conflict occurs between domain and local
computer policy, domain policy prevails.
 However, if a computer is no longer participating in a domain, the Local Group Policy
Object is applied.
 When a computer is joined to a domain with the Active Directory and Group Policy
implemented, a LGPO is processed.
 Note that LGPO policy is processed even when the Block Policy Inheritance option has been
specified.
 Account policies (password, lockout, Kerberos) are defined for the entire domain in the
default domain GPO.
 Local policies (audit, user rights, and security options) for DCs are defined in the default
Domain Controllers GPO.
Implementing Local Security policies
 Since stand-alone computers are not part of Active Directory, group policies do not
apply to them. To view and edit a local security policy:
 Log on to the computer with administrative rights.
 Click Start, point to Programs, point to Administrative Tools, and then click Local
Security Policy. This opens the Local Security Settings console.
 Open the items in the tree to find the policy that is to be changed.
 Double-click the policy, make the change, and then click OK.
 Close the Local Security Policy Settings console.
Implementing Domain Security policies
 To view and edit a domain-wide policy:
 Click Start, point to Programs, point to Administrative Tools, and then click Active
Directory Users and Computers.
 In the console tree, click the + next to the domain name to expand the domain
folder (if it is not already expanded).
 Right-click the domain, and then click Properties.
 Click the Group Policy tab, then select Default Domain Policy, and then click Edit.
 In the Group Policy window, expand Computer Configuration; navigate to Windows
Settings, to Security Settings, and then to Account Policies.
 Select Password Policy.
 In the results pane, notice that Password Policy, Account Lockout Policy,
and Kerberos Policy are configured by default in the domain GPO, and thus apply to
all computers within that domain.
 Next, navigate to Local Policies.
 Click the User Rights Assignment subfolder.
 Notice that none of the user rights are defined in the default domain GPO. This does not mean that user rights are not
defined for machines throughout the enterprise, just that these rights are not defined in the default domain GPO.
For DCs, the user rights are defined in the default DC GPO.
 Close the Group Policy window, close the Properties dialog box, and then close the Active Directory Users and
Computers snap-in.
 Note: Another method of viewing and modifying the Domain Security Policy is to access the Domain Security Policy
GUI from the Administrative Tools Menu.
Explain briefly about Group policy Architecture
 Group Policy provides an infrastructure for centralized configuration
management of the operating system and applications that run on the
operating system.
 You can use Windows Server 2008 Group Policy to manage configurations for
groups of computers and users,
 including options for registry-based policy settings,
 security settings,
 software deployment,
 scripts,
 folder redirection, and preferences.
 Group Policy preferences, new in Windows Server 2008, are more than 20 Group
Policy extensions that expand the range of configurable policy settings within a
Group Policy object (GPO).
 GPO is the container for one or more policy settings
 GPOs are managed with the Group Policy Management Console (GPMC)
 Group Policy Objects Container.
 Edited with the Group Policy Management Editor (GPME)
 There are two major nodes in the GPME:
 Computer Configuration and
 User Configuration.
 The computer configuration policies manage machine-specific settings such as
 disk quotas,
 security auditing, and
 Event Log management.
 User configuration policies apply user-specific settings such as
 application configuration,
 Start menu management, and
 folder redirection.
 Contrary to the name, Group Policy objects aren’t group oriented at all.
 Maybe they are called GPOs because a bunch of different configuration management settings are
grouped together in one location.
 You cannot apply them directly to groups, but only to sites, domains, and OUs (Microsoft
abbreviates these collectively with SDOU) within a given forest.
 This act of assigning GPOs to a site, domain, or OU is called linking.
 Group Policy applies not only to users and client computers, but also to
member servers, domain controllers, and any other Microsoft Windows
computers within the scope of management.
 By default, Group Policy that is applied to a domain (that is, applied at the
domain level, just above the root of Active Directory Users and Computers)
affects all computers and users in the domain.
 Group policy architecture and function involve the following components:
 GPOs
 An object containing policy settings that affect user and computer operating
environments and security; can be local or AD objects
 Replication
 Ensures that all domain controllers have a current copy of each GPO
 Scope and inheritance
 The scope of a group policy defines which users and computers are affected by its
settings
 Creating and linking
 GPOs are created in the Group Policy management console and can be linked to one or
more AD containers
Explain briefly about Group policy Architecture - GPOs
 A GPO contains policy settings for managing many aspects of domain controllers,
member servers, member computers, and users.
 Two main types of GPOs
 Local GPOs
 Local GPOs are stored on local computers and are edited via the Group Policy Object Editor snap-in
 Settings in local GPOs that are inherited from domain GPOs can’t be changed on the local computer
 Only settings that are undefined or not configured by domain GPOs can be edited locally
 New policies allow setting of different policies depending on who logs on to the computer
 Local Administrators GPO
 Local Non-Administrators GPO
 User-specific GPO

 If these policies are used, they are processed in the above order, especially for conflict resolution
(last policy setting takes precedence)
 Domain GPOs
 Domain GPOs are stored in Active Directory on domain controllers
 Consists of two separate parts: a group policy template (GPT) and a group policy container (GPC)
 GPT and GPC have naming structure and folder structure as common traits
 Knowing GPO structure is important for resolving issues
Explain briefly about Group policy Architecture - GPT
 A group policy template contains all the policy settings that make up a GPO
as well as related files, such as scripts, and is contained in the Sysvol share
on a domain controller
 Upon creation of a GPO, several files and subfolders are created (exact
number may vary), but each GPT folder will contain at least three items
 GPT.ini
 Machine
 User
Explain briefly about Group policy Architecture – Group Policy Containers
 Stored in the System\Policies folder
 Contains GPO properties and status information but no policy settings
 Similar to GPT in that it uses a GPO’s GUID for a folder name
 Information contained in a GPC
 Name of the GPO
 File path to GPT
 Version
 Status
Implementing Group Policy: Configuring User environment by using Group policy
Changing Password Requirements through Group Policy
 Click on Start -> Administrative Tools -> Group Policy Management
Expand Domain (gioe.local) -> Double Click on Default Domain Policy -> The Settings tab gives a summary report of all the default domain-level
settings. It also gives a detailed hierarchical structure of the policy settings, which we can use to navigate accurately to the settings that need to be modified.
Right Click Default Domain Policy -> Choose Edit -> Expand Computer Configuration, then Policies, then Windows
Settings, then Security Settings, then Account Policies -> Choose Password Policy.

 Enforce Password History stores a historical record of previously used passwords, which cannot be reused as new passwords.
 Maximum Password Age is the number of days a password remains valid until it expires.
 Minimum Password Age is the number of days that a password must be used before it can be changed.
 Minimum Password Length is the minimum number of characters that a password must contain and is usually dependent on password complexity.
 Password must meet complexity requirements enables or disables the password complexity requirement.
 Store Passwords using reversible encryption determines whether passwords are stored in a recoverable form; it is usually left disabled for better security.
Go for Properties Tab of the individual settings that needs to be modified and make necessary changes.
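A way to review the six Password Policy settings described above against a baseline, as an added PowerShell example that is not part of the original slides. The baseline numbers are an assumption (the values a newly created domain starts with), Test-PasswordPolicy is a hypothetical function name, and the sample policy object is constructed; its property names are those returned by Get-ADDefaultDomainPasswordPolicy in the ActiveDirectory module of Windows Server 2008 R2.

```powershell
# Example baseline (assumption): the values a newly created domain starts with.
$baseline = @{
    PasswordHistoryCount = 24   # Enforce Password History
    MaxPasswordAgeDays   = 42   # Maximum Password Age
    MinPasswordAgeDays   = 1    # Minimum Password Age
    MinPasswordLength    = 7    # Minimum Password Length
}

# Compare a password policy object with the baseline and return one line per finding.
function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory = $true)] $Policy,
        [Parameter(Mandatory = $true)] [hashtable] $Baseline
    )
    $findings = @()

    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += 'Store passwords using reversible encryption is enabled: stored passwords can be recovered.'
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings += 'Password must meet complexity requirements is disabled.'
    }
    if ($Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "Minimum password length is $($Policy.MinPasswordLength); baseline is $($Baseline.MinPasswordLength)."
    }
    if ($Policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $findings += "Password history remembers $($Policy.PasswordHistoryCount) passwords; baseline is $($Baseline.PasswordHistoryCount)."
    }

    $maxDays = $Policy.MaxPasswordAge.TotalDays
    $minDays = $Policy.MinPasswordAge.TotalDays

    if ($maxDays -eq 0) {
        # A maximum age of 0 means passwords never expire.
        $findings += 'Maximum password age is 0: passwords never expire.'
    } elseif ($maxDays -gt $Baseline.MaxPasswordAgeDays) {
        $findings += "Maximum password age is $maxDays days; baseline is $($Baseline.MaxPasswordAgeDays)."
    }
    if ($minDays -lt $Baseline.MinPasswordAgeDays) {
        # Without a minimum age, password history gives little protection.
        $findings += "Minimum password age is $minDays day(s): a user can change the password repeatedly until the history is used up and then reuse the old one."
    }
    if ($maxDays -gt 0 -and $minDays -ge $maxDays) {
        $findings += 'Minimum password age must be lower than the maximum password age.'
    }
    $findings
}

# Constructed sample policy, so the example runs without a domain controller.
$samplePolicy = New-Object PSObject -Property @{
    PasswordHistoryCount        = 5
    MaxPasswordAge              = [TimeSpan]::FromDays(90)
    MinPasswordAge              = [TimeSpan]::FromDays(0)
    MinPasswordLength           = 6
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $true
}

$findings = @(Test-PasswordPolicy -Policy $samplePolicy -Baseline $baseline)
if ($findings.Count -eq 0) {
    'Password policy meets the baseline.'
} else {
    $findings
}

# Against the live domain (gioe.local in these slides), on a 2008 R2 domain controller:
#   Import-Module ActiveDirectory
#   Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Baseline $baseline
```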
Deploying software through Group Policy

 Group Policy can automatically distribute programs to client computers or users.
 You can use Group Policy to distribute computer programs by using the
following methods:
 Assigning Software
 You can assign a program distribution to users or computers.
 If you assign the program to a user, it is installed when the user logs on to the
computer.
 When the user first runs the program, the installation is completed.
 If you assign the program to a computer, it is installed when the computer
starts, and it is available to all users who log on to the computer.
 When a user first runs the program, the installation is completed.

 Publishing Software
 You can publish a program distribution to users.
 When the user logs on to the computer, the published program is displayed in
the Add or Remove Programs dialog box, and it can be installed from there.

• There are 3 things you will need in order to have a successful Software Installation GPO:
1. The most important thing you will need is a Microsoft installer file, called .msi -- you cannot use the .exe file that is on the DVD.
   • You will need to get a packaging utility to turn that .exe file into an .msi file. Many of them are available for instant download from the internet.
   • There are a few that will cost money, but there are also free downloads. Here is an example of each:
     • MSI Studio (30 day free trial): http://www.scriptlogic.com/products/msi-studio/
     • EXE-to-MSI: http://juice.altiris.com/download/1355/exe-to-msi

2. The second thing you will need to create is a Shared Folder on your network for the software to live in. You need to make sure that every computer has at least "read" access to that folder and its contents.
3. And the last thing you will need is the new Group Policy Object linked to the appropriate Organizational Unit.
Deploying software through Group Policy – 7Zip MSI Software Installation

• Create an Organizational Unit and add a few users to it.
  • Right-click gioe.local -> New -> Organizational Unit -> name it CP -> click OK.
  • Right-click CP -> create a user in it.

• Create a shared folder on the server and put the installation .msi file in it.
• Apply share permissions to Everyone with at least Read permissions.
• Apply NTFS permissions to Everyone with at least Read permissions.
Open GPMC -> right-click the CP OU and select "Create a GPO in this domain, and link it here…".
Name it 7zip and click OK -> navigate to the CP OU in the left-hand panel and select it -> right-click the 7zip GPO in the right-hand panel and select Edit.
GPME opens. In the left-hand panel, navigate to Computer Configuration -> Policies -> Software Settings -> Software Installation -> right-click Software Installation -> New -> Package.
Browse to the location of the .msi software using a UNC path -> select the software .msi file and click Open.
Select Assigned -> click OK. The software has now been published as a GPO.
Move on to the client and type gpupdate /force, or simply reboot the client.
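
The shared-folder step above grants Everyone read access, and clients install the assigned .msi from that folder at startup, so nothing broader than read should be granted there. The following PowerShell check is an added example, not part of the original slides; the folder path and share name are hypothetical placeholders, and it assumes Windows PowerShell 2.0 or later run on the file server.

```powershell
# Added example, not from the original slides. Run on the file server (PowerShell 2.0+).
# Assumption: the folder path and share name below are hypothetical placeholders.
param(
    [string]$PackagePath = 'C:\Software',
    [string]$ShareName   = 'Software'
)

# Broad principals that cover ordinary users or every domain computer.
$BroadGroups = 'Everyone', 'Authenticated Users', 'Users', 'Domain Users', 'Domain Computers'

# Access-mask bits that allow changing content or permissions: WriteData 0x2,
# AppendData 0x4, DeleteSubdirectoriesAndFiles 0x40, Delete 0x10000, ChangePermissions
# 0x40000, TakeOwnership 0x80000, GENERIC_ALL 0x10000000, GENERIC_WRITE 0x40000000.
$ChangeMask = 0x500D0046

function Test-BroadWrite {
    param([string]$Identity, [int]$Mask)
    $name = $Identity.Split('\')[-1]   # strip DOMAIN\ or BUILTIN\ prefix
    return ($BroadGroups -contains $name) -and (($Mask -band $ChangeMask) -ne 0)
}

$findings = @()

# 1. NTFS permissions on the folder and on every .msi package in it.
$targets = @($PackagePath) + @(Get-ChildItem -Path $PackagePath -Filter *.msi | ForEach-Object { $_.FullName })
foreach ($target in $targets) {
    foreach ($ace in (Get-Acl -Path $target).Access) {
        $allow = $ace.AccessControlType -eq 'Allow'
        if ($allow -and (Test-BroadWrite $ace.IdentityReference.Value ([int]$ace.FileSystemRights))) {
            $findings += "NTFS  $target : $($ace.IdentityReference) has $($ace.FileSystemRights)"
        }
    }
}

# 2. Share permissions, read through WMI (AceType 0 = allow).
$share = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
if ($share) {
    foreach ($ace in $share.GetSecurityDescriptor().Descriptor.DACL) {
        if ($ace.AceType -eq 0 -and (Test-BroadWrite $ace.Trustee.Name $ace.AccessMask)) {
            $findings += "SHARE $ShareName : $($ace.Trustee.Name) has mask 0x$('{0:X}' -f $ace.AccessMask)"
        }
    }
} else {
    $findings += "SHARE $ShareName : no share security setting found"
}

if ($findings.Count -eq 0) {
    'OK: broad groups have read-only access to the package share.'
} else { $findings }
```

Each line it prints names an access entry that lets a broad group modify the package folder or share; tighten those to Read before linking the GPO.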
