The Tips and Tricks Guide to Windows Administration
Don Jones and Dan Sullivan

Post on 15-Sep-2018



The Tips and Tricks Guide to Windows Administration, by Don Jones and Dan Sullivan

Introduction to Realtime Publishers
by Don Jones, Series Editor

For several years now, Realtime has produced dozens and dozens of high-quality books that just happen to be delivered in electronic format at no cost to you, the reader. We've made this unique publishing model work through the generous support and cooperation of our sponsors, who agree to bear each book's production expenses for the benefit of our readers.

Although we've always offered our publications to you for free, don't think for a moment that quality is anything less than our top priority. My job is to make sure that our books are as good as, and in most cases better than, any printed book that would cost you $40 or more. Our electronic publishing model offers several advantages over printed books: You receive chapters literally as fast as our authors produce them (hence the "realtime" aspect of our model), and we can update chapters to reflect the latest changes in technology.

I want to point out that our books are by no means paid advertisements or white papers. We're an independent publishing company, and an important aspect of my job is to make sure that our authors are free to voice their expertise and opinions without reservation or restriction. We maintain complete editorial control of our publications, and I'm proud that we've produced so many quality books over the past years.

I want to extend an invitation to visit us at http://nexus.realtimepublishers.com, especially if you've received this publication from a friend or colleague. We have a wide variety of additional books on a range of topics, and you're sure to find something that's of interest to you, and it won't cost you a thing. We hope you'll continue to come to Realtime for your educational needs far into the future. Until then, enjoy.

Don Jones

    http://nexus.realtimepublishers.com/


Contents

Tip, Trick, Technique 1: Setting up a Server Core Domain Controller
    Starting the Installation
    Basic Configuration
    Activating Windows
    Customize the Server
    Installing Roles
Tip, Trick, Technique 2: Read-Only Domain Controllers
    Password Caching
    Caveats
    Filtered Attributes
    Read-Only DNS
    Bonus: Administrative Separation
    Application Compatibility
    Ultimate Security
    Edge Cases
    RODCs: Pros and Cons
Tip, Trick, Technique 3: No More CHKDSK
Tip, Trick, Technique 4: Internet Information Services 7
    All-New Console
    Application Pools
    Web Platform Installer
    FTP
    URL Rewriting
Tip, Trick, Technique 5: Evaluating Windows Server Backup
    Installing Windows Server Backup
    Using Windows Server Backup
    Pros and Cons


Tip, Trick, Technique 6: Using Windows PowerShell
    What Is Windows PowerShell?
    Enabling Windows PowerShell
    Windows PowerShell Security and Profiles
    Using Windows PowerShell: The Basics
    All About Commands, Aliases, and Parameters
Tip, Trick, Technique 7: Understanding Hyper-V
    Hyper-V, Hypervisor: What's it All Mean?
    How Does Hyper-V Licensing Work?
    Is Hyper-V a Bare-Metal Hypervisor?
Tip, Trick, Technique 8: Remote Server Manager in R2
Tip, Trick, Technique 9: Leveraging Server Core in R2
Tip, Trick, Technique 10: Deleted AD Object Recovery in R2
Tip, Trick, Technique 11: Classifying Files in R2
Tip, Trick, Technique 12: Remote Command-Line Administration in R2
Tip, Trick, Technique 13: Configuring Server Core in Windows Server 2008 R2
Tip, Trick, Technique 14: What Are Microsoft's Many Virtualization Options?
    Hyper-V
    App-V
    Virtual PC
    Desk-V or MED-V
    Remote Desktop Services
    It's all V
Tip, Trick, Technique 15: The New Windows Log Files
Tip, Trick, Technique 16: Geographically Dispersed Cluster Nodes
Tip, Trick, Technique 17: Identifying Threats of Data Loss in a Windows Server Environment


    Accidental Data Loss Due to Human Error
    Accidental Data Loss Due to Application Error
    Intentional Data Loss Due to Malware
    Intentional Data Loss Due to Human Actions
    Data Loss Due to Natural Disaster
Tip, Trick, Technique 18: Understanding the Building Blocks of a Recovery Management Strategy
    Creating a Data Classification Scheme
    Identifying Critical Servers and Applications
        Critical Servers Host Critical Applications
        Critical Servers Support Critical Business Processes
        Important But Non-Critical Servers
    Determining RPOs and RTOs
    Creating a Disaster Recovery Policy
Tip, Trick, Technique 19: Understanding Security Issues with Backups, Archives, and Disaster Recovery
Tip, Trick, Technique 20: Understanding the Sources of Growing Volumes of Data
    Data-Intensive Applications
    Customer Interaction Data
        Business Intelligence and Analytics
    Growing Importance of Unstructured Data
    Compliance and Data Generation
Tip, Trick, Technique 21: Understanding Systems Administrators' Responsibilities for Growing Volumes of Data
    Backup and Recovery
    Security
        Challenges to Maintaining Confidentiality and Integrity
        Challenges to Maintaining Availability


Tip, Trick, Technique 22: Getting Control of Data Growth with Information Life Cycle Management
    Step 1: Classifying Data
    Step 2: Determining Access Requirements for Categories of Data
    Step 3: Defining Recovery Requirements for Data
    Step 4: Defining Explicit Policies for Destroying Data
    Step 5: Implementing Information Life Cycle Policies
    Limits of Information Life Cycle Management
Tip, Trick, Technique 23: Business Drivers Behind the Need for High Availability
    User Expectation for Continuous Availability
    Application Design Considerations and High Availability
Tip, Trick, Technique 24: Understanding the Key Elements of High Availability
    The Need for Hardware Redundancy
    The Need for OS Redundancy
    Special Issues with Application Software Redundancy
Tip, Trick, Technique 25: Windows Server Options for High Availability
    Using NLB to Ensure Performance Levels
    Application Redundancy in Failover Clusters
Tip, Trick, Technique 26: Ensuring High Availability for SQL Server Databases
    Failover Clusters
    Database Mirroring
    Log Shipping
    Replication
Tip, Trick, Technique 27: Ensuring High Availability for Microsoft Exchange
    High Availability in Microsoft Exchange 2007
    High Availability in Microsoft Exchange 2010
Download Additional Books from Realtime Nexus!


Copyright Statement

2010 Realtime Publishers. All rights reserved. This site contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtime Publishers (the "Materials") and this site and any such Materials are protected by international copyright and trademark laws.

THE MATERIALS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Realtime Publishers or its web site sponsors. In no event shall Realtime Publishers or its web site sponsors be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials.

The Materials (including but not limited to the text, images, audio, and/or video) may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in whole or in part, except that one copy may be downloaded for your personal, non-commercial use on a single computer. In connection with such use, you may not modify or obscure any copyright or other proprietary notice.

The Materials may contain trademarks, services marks and logos that are the property of third parties. You are not permitted to use these trademarks, services marks or logos without prior written consent of such third parties.

Realtime Publishers and the Realtime Publishers logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners.

If you have any questions about these terms, or if you would like information about licensing materials from Realtime Publishers, please contact us via e-mail at [email protected]


[Editor's Note: This book was downloaded from Realtime Nexus, The Digital Library for IT Professionals. All leading technology books from Realtime Publishers can be found at http://nexus.realtimepublishers.com.]

Tip, Trick, Technique 1: Setting up a Server Core Domain Controller

Windows Server 2008's Server Core installation is a great option for domain controllers: The operating system (OS) has a smaller footprint and has so far required significantly fewer patches than the full Windows installation, making it possible to have less downtime and maintenance for your critical domain controllers. In this tip, we'll install a Server Core domain controller from scratch.

Starting the Installation

The installation begins, ironically, with the lightweight GUI installer that's familiar to all editions of Win2008 and to Windows Vista. Select one of the Server Core options.

Note: This is a one-time decision: You can't later upgrade to the full Windows installation, nor can you downgrade a full install to Server Core.

That's about the only decision you have during installation. When it's finished, you'll be looking at a logon screen and might be wondering what to do. Select "Other User," and log in as Administrator. Use a blank password; you'll be immediately prompted to create a new password.

After changing the password, you'll be logged in and staring at your new, trimmed-down desktop. That's right, not much to see! This is Server Core, and it has only a few graphical elements available to it. To get it up and running, you'll need to run a few commands. Many of these will be commands you're familiar with already; others are new and are unique to Server Core.

Basic Configuration

Since we're building a domain controller, you'll probably want to start by assigning a static IP address. Do so using the Netsh command, as shown, to get a list of network interfaces. Use the number in the Idx column to refer to the interface in later commands.

    Netsh interface ipv4 show address


With your network adapter identified, assign a static IP address, subnet mask, and default gateway using the Netsh command. The name= parameter is where your chosen adapter's ID number goes.

    Netsh interface ipv4 set address name=2 source=static address=10.0.1.57 mask=255.255.255.0 gateway=10.0.1.1

Use the same technique to assign a DNS server. To assign more than one, increment the index= parameter; you can see here that I've attempted to add index=1 twice, and received an error message. Ipconfig /all will confirm that you've added the correct server address.

    Netsh interface ipv4 add dnsserver name=2 address=10.0.1.1 index=1

Activating Windows

Server Core still requires activation, which is a two-step process that uses the Slmgr command. First, install a product key. Then activate Windows. Note that Server Core is compatible with enterprise key servers, if your organization uses one of those. Run Slmgr without any parameters to get a pop-up dialog box of other things it can do; note that the dialog often appears behind the command-line window, and there's no Task Bar to clue you in. If the command's output doesn't show up quickly, try moving the Cmd.exe window out of the way. Don't close it; if you do, press Ctrl+Alt+Delete to get to Task Manager, and use the New Task menu option to run a new instance of Cmd.exe.

    Slmgr -ipk <your product key here>

After installing the key, activate it. This can take some time; wait for the dialog box indicating success or failure, and don't forget that it might appear behind the Cmd.exe window.

    Slmgr -ato

Customize the Server

You'll probably want to customize the computer name at this point. Use the hostname command to find the current computer name, and then the Netdom command to change it to a new one.

    Netdom renamecomputer oldname /newname:newname

A reboot will be required afterwards, so use the Shutdown /r command to reboot.

    Shutdown /r


Installing Roles

I generally like to install the DNS Server role myself so that I can customize it. After installing, you'll need to use the DNS administration console on another computer (such as your workstation) to connect to the Server Core computer and configure DNS. Server Core doesn't run any graphical admin tools. You could also use the Dnscmd command to configure DNS, if you're comfortable with it. To install the role, use the Ocsetup command; I prefer to get this going by using the Start /w command, which suspends the command prompt until Ocsetup finishes. If you don't do so, the command prompt immediately returns while the installation completes in the background, and you won't know when it's done.

    Start /w ocsetup DNS-Server-Core-Role

Next, you'll need to create an unattended installation file for Dcpromo because its graphical wizard isn't available in Server Core. http://www.petri.co.il/creating-unattend-installation-file-dcpromo-windows-server-2008.htm is an excellent reference for Win2008 unattended Dcpromo files; note that the Win2008 syntax is a bit different and newer from the Win2003 one. Server Core does have Notepad, so you can use it to create your unattended file if needed. Server Core's Notepad uses an older set of file dialog boxes; pay close attention to these Win95-vintage dialog boxes because they work differently from the newer ones you're used to.

The unattend file tells Dcpromo if you're creating a new domain, a new domain controller in an existing domain, a whole new forest, or whatever. Read through the options carefully! You can also use Dcpromo on an existing full Windows installation (although not on an existing domain controller) to create an unattend file; just run through the Dcpromo wizard and, before you commit to installing AD, save your configuration in a file. That file can then be carried to Server Core (on a USB key, for example) and used with Dcpromo there.


    [unattended]
    unattendmode=fullunattended
    [DCINSTALL]
    [email protected]=company.pro
    DatabasePath=%systemroot%\ntds
    LogPath=%systemroot%\ntds
    SYSVOLPath=%systemroot%\[email protected]=no
    InstallDNS=yes
    DomainNetBIOSName=COMPANY
    NewDomain=Forest
    NewDomainDNSName=company.pro
    RebootOnSuccess=Yes
    SiteName=Default-First-Site-Name
    ReplicaOrNewDomain=domain
    ForestLevel=3
    DomainLevel=3

With your unattended file ready, run Dcpromo /unattend:filename to start the AD installation process. You'll see plenty of output telling you what's happening.

    Dcpromo /unattend:filename

Of course, a reboot is in order afterwards, and Dcpromo will handle that automatically. Once the server restarts, you can use Active Directory Users & Computers again, from another computer, to begin managing your domain.
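The whole build above as one two-phase script, added here as an example and not taken from the guide. It assumes PowerShell is available on the Server Core box (the original 2008 release has none, so there the same commands belong in a .cmd file), and the interface index, addresses, names, product key and DSRM password below are constructed placeholders.

```powershell
# Added example (not from the guide): the Server Core DC build as one script.
# Run elevated on the Server Core box itself. Constructed values: interface Idx 2,
# 10.0.1.57/24 with gateway and DNS at 10.0.1.1, computer name DC01, forest company.pro.
# The product key and the DSRM password are placeholders.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Prepare', 'Promote')][string]$Phase
)

$IfIndex      = 2
$Address      = '10.0.1.57'
$Mask         = '255.255.255.0'
$Gateway      = '10.0.1.1'
$DnsServers   = @('10.0.1.1')
$NewName      = 'DC01'
$ForestName   = 'company.pro'
$NetBiosName  = 'COMPANY'
$ProductKey   = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'     # placeholder
$DsrmPassword = 'REPLACE-WITH-DSRM-PASSWORD'        # placeholder
$Unattend     = Join-Path $env:SystemRoot 'Temp\dcpromo-unattend.txt'
$Slmgr        = Join-Path $env:SystemRoot 'System32\slmgr.vbs'

function Invoke-Prepare {
    # Static IP, then DNS servers with index= counting up as the guide describes.
    netsh interface ipv4 set address name=$IfIndex source=static address=$Address mask=$Mask gateway=$Gateway
    $i = 1
    foreach ($dns in $DnsServers) {
        netsh interface ipv4 add dnsserver name=$IfIndex address=$dns index=$i
        $i++
    }
    # Activation. Going through cscript makes slmgr print to the console instead of
    # the pop-up dialog that hides behind the Cmd.exe window.
    cscript //nologo $Slmgr -ipk $ProductKey
    cscript //nologo $Slmgr -ato
    # Rename and reboot; the new name must be in effect before Dcpromo runs.
    netdom renamecomputer $env:COMPUTERNAME /newname:$NewName /force
    shutdown /r /t 10
}

function Invoke-Promote {
    # Same effect as "start /w ocsetup": wait for the role to finish before going on.
    Start-Process -FilePath 'ocsetup.exe' -ArgumentList 'DNS-Server-Core-Role' -Wait
    # New-forest answer file using the guide's keys. SafeModeAdminPassword (the DSRM
    # password) sits here in clear text, which is why the file is removed afterwards.
    @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$ForestName
DomainNetBIOSName=$NetBiosName
ForestLevel=3
DomainLevel=3
InstallDNS=Yes
SiteName=Default-First-Site-Name
DatabasePath=%systemroot%\ntds
LogPath=%systemroot%\ntds
SYSVOLPath=%systemroot%\sysvol
SafeModeAdminPassword=$DsrmPassword
RebootOnCompletion=No
"@ | Set-Content -Path $Unattend -Encoding ASCII
    dcpromo.exe /unattend:$Unattend
    $rc = $LASTEXITCODE
    Remove-Item -Path $Unattend -Force
    # dcpromo reports success with return codes 1 through 4; anything else is a failure.
    if ($rc -ge 1 -and $rc -le 4) {
        "dcpromo succeeded (code $rc); rebooting."
        shutdown /r /t 10
    } else {
        "dcpromo returned $rc; see $env:SystemRoot\debug\dcpromo.log before retrying."
    }
}

switch ($Phase) {
    'Prepare' { Invoke-Prepare }
    'Promote' { Invoke-Promote }
}
```

Run it once with -Phase Prepare, let the server reboot under its new name, then run it again with -Phase Promote.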

Tip, Trick, Technique 2: Read-Only Domain Controllers

Read-Only Domain Controllers (RODCs) are a new feature in Windows Server 2008 designed specifically for branch offices where the domain controller might not be as physically secure as you would like. A risk with less-secure computers is that the computer or its system hard drive might be stolen, giving an attacker the opportunity to break the encryption on the Active Directory database and then run a dictionary attack against stored passwords, potentially compromising every password in your domain. This isn't far-fetched; while breaking the database encryption would be time-consuming, a dictionary attack that used a pre-generated rainbow table (which are readily available) can begin cracking passwords in just minutes. The idea with an RODC is that it doesn't store any passwords, so stealing it (or the hard drive) really limits the amount of useful information an attacker can get hold of.

Password Caching

A downside to an RODC is that they don't store passwords, meaning the primary function of a domain controller, authentication, can't be performed. Actually, RODCs can perform authentication. What they do is contact a writable domain controller, which has passwords stored, to handle the authentication; the RODC can then cache the password information locally. This allows authentication to occur when a writable domain controller isn't available, provided the user that the password information was retrieved for was cached in advance. If the RODC is stolen, any cached passwords represent potential security vulnerabilities, but only those passwords need to be changed, not the entire domain. Simply force a password change on everyone in that office, and you're fine. You can specify, in advance, which accounts an RODC will cache. Any other accounts will only authenticate if a writable domain controller is available at the time.

You can pre-populate the password cache: When adding cache-allowed accounts to the RODC's Password Replication Policy, click Prepopulate Passwords to make this happen. This ensures that all cacheable passwords are cached immediately, without waiting for each of those users to log on.

Caveats

The presence of an RODC doesn't negate the need for a writable domain controller. Any changes made to the domain, including user password changes, need to contact a writable domain controller; Windows clients handle this automatically, but you do need to ensure that branch office connectivity is sufficient to handle these contacts. A branch office that happens to have an active domain administrator might not offer acceptable performance because the administrator would essentially be working over the WAN to administer the domain. Joining a computer to the domain also requires contacting a writable domain controller, and Group Policy administration requires a writable domain controller.

One concern with RODCs is that certain information, in addition to passwords, is stored locally, including account lockout status. When an RODC locks an account, that lockout is forwarded to a writable domain controller but not replicated in the AD sense of the term. If the lockout occurs while the WAN link is down, however, no writable domain controller will receive the lockout notice. The AD management tools will not show the lockout, but the account will be locked out on the RODC, although even the RODC's management tools will not show the lockout because it isn't officially in the domain database, yet. ADSI Edit does show the lockout on the RODC, in the lockoutTime attribute (which isn't the attribute the AD management tools look at to see whether an account is locked). Normal account-unlocking methods won't work because they rely on a writable domain controller, and the RODC isn't one. The main way to unlock the account is to restore WAN connectivity, allowing the user to authenticate normally. Unfortunately, restoring the WAN link will also immediately unlock the account because the writable domain controllers in your domain will overwrite the RODC's lockout status almost immediately. Thus, if the account was locked for a good reason, such as an attempted attack, the account will now be free for another try, and you might not even know that it had been locked on the RODC at all, if no user complained about it.
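A way to see those invisible lockouts before the WAN link comes back and erases them, added here as an example and not part of the guide: query the RODC's own copy of lockoutTime over LDAP and compare it with a writable DC. The server names rodc01.company.pro and dc01.company.pro and the base DN are constructed; run it from any domain-joined machine in the branch.

```powershell
# Added example (not from the guide): list accounts an RODC holds locked out in its local
# lockoutTime attribute, and flag those that no writable DC knows about.
# Assumed (constructed) names: rodc01.company.pro, dc01.company.pro, DC=company,DC=pro.
param(
    [string]$Rodc     = 'rodc01.company.pro',
    [string]$Writable = 'dc01.company.pro',
    [string]$BaseDn   = 'DC=company,DC=pro'
)

function Search-Ldap {
    # Bind to one specific DC (not "the domain") so we read that DC's copy of the data.
    param([string]$Server, [string]$Base, [string]$Filter, [string[]]$Attrs, [string]$Scope = 'Subtree')
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$Base")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, $Attrs)
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::$Scope
    $searcher.PageSize = 500
    $searcher.FindAll()
}

function Get-ActiveLockouts {
    # Returns a hashtable sAMAccountName -> lockout time (UTC) for lockouts still in force on $Server.
    param([string]$Server, [string]$Base)
    $domain   = Search-Ldap $Server $Base '(objectClass=*)' @('lockoutDuration') 'Base' | Select-Object -First 1
    # lockoutDuration is a negative count of 100-ns ticks; Int64.MinValue means "until an admin unlocks".
    $duration = [long]$domain.Properties['lockoutduration'][0]
    $now      = [DateTime]::UtcNow.ToFileTimeUtc()
    $filter   = '(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))'
    $locked   = @{}
    foreach ($r in Search-Ldap $Server $Base $filter @('sAMAccountName', 'lockoutTime')) {
        $lockoutTime = [long]$r.Properties['lockouttime'][0]
        # lockoutTime is a FILETIME and is not cleared when the lockout duration expires, so a
        # nonzero value alone is not proof of an active lockout: compare against the duration.
        $active = ($duration -eq [long]::MinValue) -or ($now -lt ($lockoutTime - $duration))
        if ($active) {
            $locked[[string]$r.Properties['samaccountname'][0]] = [DateTime]::FromFileTimeUtc($lockoutTime)
        }
    }
    return $locked
}

$onRodc = Get-ActiveLockouts $Rodc $BaseDn
if ($onRodc.Count -eq 0) { "No active lockouts on $Rodc"; return }

try {
    $onWritable = Get-ActiveLockouts $Writable $BaseDn
} catch {
    # WAN down is exactly the case the guide describes: nothing upstream knows about these.
    Write-Warning "Cannot reach $Writable ($($_.Exception.Message)); every lockout below is unreported upstream."
    $onWritable = @{}
}

foreach ($name in ($onRodc.Keys | Sort-Object)) {
    $state = if ($onWritable.ContainsKey($name)) { 'also on writable DC' } else { 'ONLY on RODC (not visible in AD tools)' }
    '{0,-24} locked {1:u}  {2}' -f $name, $onRodc[$name], $state
}
```

Accounts reported as "ONLY on RODC" are the ones whose lockout will silently vanish once the writable DCs overwrite the RODC's status, so record them before restoring the link.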


Filtered Attributes

Some third-party applications that store data in AD may store sensitive information that you don't want replicated to RODCs. In these cases, you can configure a set of attributes in the schema that will not replicate to an RODC; this is called the RODC filtered attribute set. Even if an attacker modifies an RODC and attempts to request replication of these attributes, the domain will deny the request. However, be aware that domain controllers running older versions of Windows will honor a request for these attributes because those older domain controllers don't recognize the filtered attribute set. The filtered attribute set is configured on the domain's Schema Master, which must be running Windows Server 2008 in order for the attribute set to be properly stored.

Read-Only DNS

RODCs can also host the Windows DNS Server service, and the RODC will be able to replicate all application directory partitions that DNS uses. Clients can query the DNS server as they would any other for name resolution. However, the DNS service will be read-only and will be unable to accept updates of any kind.

Typically, clients use the DNS server in their site as their preferred DNS server, and send updates, including updates for A, AAAA, SRV, and other record types. An RODC has no means of accepting these updates, however, and when queried for an SOA record, the RODC will return the name of a writable domain controller running the DNS service rather than that of the RODC. This is how a secondary DNS server handles updates for zones that are not AD-integrated zones, and it's a well-established DNS standard operation.

The RODC does have a bit of smarts: When it refers a client to a writable DNS server, it waits for a bit and then tries to query any records related to that client from the DNS server. That gives the client a chance to contact a writable DNS server, submit updates, and lets the RODC quickly pull those updates down so that its local, read-only DNS database is up to date. This works only if at least one of your DNS servers is on a Windows Server 2008 computer, and if that computer has registered an NS record for itself in the DNS database.

Bonus: Administrative Separation

RODCs allow you to delegate local administrative authority, such as the ability to run backup and restore operations, without delegating any domain authority. This allows branch office personnel to perform basic administrative tasks on the RODC computer without having any broader permission within AD itself.


    Application Compatibility

    Generally speaking, RODCs are compatible with any AD-enabled application. However, write-intensive applications don't do well when they're co-located with only RODCs because write requests have to be referred to a writable domain controller, which might under some circumstances (such as interrupted WAN connectivity) be unavailable. The write referral is potentially the most difficult operation; while applications that use standard directory programming interfaces should have no problem, not every application is built using these standard interfaces. Only testing will determine whether all your applications will be RODC-compatible, and if they're not, the developer will need to make corrections. Applications built using Microsoft's Active Directory Services Interface (ADSI) will automatically handle write referrals; developers often prefer the higher-performance LDAP, however, which carries referrals but does not automatically chase them as ADSI does.

    Most Microsoft applications work fine against an RODC, although the following ones require special steps if actually installed on an RODC (see http://technet.microsoft.com/en-us/library/cc732790.aspx for details):

    • Office Live Communications Server
    • Office Outlook
    • SharePoint Services
    • SQL Server 2005
    • DHCP Server

    Probably the big challenge is Exchange Server, which does not use RODCs. Outlook clients, however, can use an RODC for read-only Global Catalog address book lookups.

    Generally, "special steps" means creating appropriate service accounts on a writable domain controller and then ensuring they replicate to the RODC before beginning the software installation.

    Ultimate Security

    The best security is achieved when RODCs are combined with two other Windows Server 2008 features: BitLocker and a hardware Trusted Platform Module (TPM). The latter technologies provide volume-wide encryption for the system drive, providing yet another layer an attacker must work through in order to access data. The TPM helps by checking the hardware configuration against what's stored in its secure memory to ensure that nothing has been tampered with before allowing the host to boot, helping to prevent unauthorized hardware modifications that might be used to subvert or compromise the OS. Combined, these three features don't make it impossible to hack a domain controller, but they make it pretty impractical and ultimately unrewarding.


    Edge Cases

    Aside from security and logon performance at branch offices, RODCs offer benefits in a couple of odd scenarios. One is a line-of-business application which will only work if physically installed on a domain controller (a poor practice, to be sure, but one which some administrators face). An RODC will work with many of these applications (subject to the caveats mentioned earlier), providing a sort of special-purpose domain controller just for that application. RODCs also provide better security in some extranet scenarios, where you need to expose authentication capabilities but don't necessarily want passwords to be compromised.

    RODCs: Pros and Cons

    Pros:
    • Better security for domain controllers that might not be physically secure
    • Better logon performance for branch offices with limited WAN connectivity

    Cons:
    • Potential user support and security issues around account lockouts
    • Potential application compatibility concerns

    Tip, Trick, Technique 3: No More CHKDSK

    In the past, a corrupted file or segment of disk storage could typically only be repaired by taking the entire server offline and running an offline CHKDSK. No more: Under Win2008, a new service detects corrupted files automatically and spawns a thread that attempts to fix them. The affected files remain offline, meaning applications (including the Server service that provides file sharing) can't access the file, but everything else on disk remains accessible and the server itself remains online. Access to the file is restored automatically if Windows is able to repair the corruption; if not, that area of disk is marked off-limits so that no other processes try to write files there.

    You don't even need to do anything to take advantage of this feature, but you do need to be aware that it's happening. Client applications may display misleading "access denied" messages, for example, when a file is under repair. It's not a permissions issue but rather the fact that Windows has taken the file out of service while attempting to fix it. Your first troubleshooting step, therefore, should be to see whether you can access the file as a full-privilege administrator to eliminate permissions as a possible cause of the error (keeping in mind that with User Account Control enabled on your own workstation, you won't appear to be a real administrator unless you explicitly launch Explorer or another application as Administrator).


    Tip, Trick, Technique 4: Internet Information Services 7

    IIS 7 is pretty much a total rewrite of IIS. It's such a drastic change, in fact, that Win2008 continues to ship with the old IIS 6 management tools so that you can manage existing IIS 6 installations! Many of the common IIS management tasks have changed completely, all the way down to how you install and set up FTP services.

    All-New Console

    As before, IIS maintains a top-level, server-wide set of configuration options, and Web sites can inherit these. You can also configure per-site settings on each individual Web site. What's new is how you do so: The IIS Management console has been vastly extended, so making everything accessible from a single Properties dialog box was no longer practical. Instead, the server and each site present a page of configuration icons, and double-clicking one opens a page for that specific item.

    Figure 1: IIS 7 Manager.

    In most cases, the layout of these item-specific pages is new, too, because most of them are also extensible. Authentication, for example, is no longer a set of four radio buttons but rather a list of all installed authentication choices, and the ability to enable or disable each.


    Figure 2: Authentication configuration.

    In some cases, it can be a bit tricky to find the setting you're after: Editing site bindings, for example (which determine the host names, IP addresses, and port numbers a site will respond to), is accessed from the right-hand sidebar, as are functions for stopping and restarting sites.

    Application Pools

    IIS continues to host sites within Application Pools, which are used to configure the number of threads servicing one or more sites, the user identity the sites operate under, and so forth. Unlike IIS 6, though, IIS 7 will by default create a new App Pool for each new Web site you create. It's an easy-to-change setting when you create a new site, but it's also easy to miss, and there are disadvantages to having one Application Pool per site.


    Figure 3: Configuring Application Pools.

    Each Application Pool consists of at least one thread of execution. Infrequently used sites can easily share a single thread, while busier sites may benefit from multiple threads for parallel servicing of multiple incoming requests. Each thread, however, brings a small amount of overhead, so having one thread apiece for several less-busy sites may actually hamper server performance. The moral? Don't accept the default until you've decided whether that's suitable for your specific situation.

    Web Platform Installer

    IIS 7 is probably the most extensible version of IIS ever, and Microsoft, as well as third parties, is making numerous extensions available. To make installing all of these easier, Microsoft has created the Web Platform Installer, which is available for free at www.iis.net. This installer queries available extensions and offers to install them for you, up to and including non-Microsoft platforms such as PHP, which enjoys better support than ever under IIS 7.


    Figure 4: Web Platform Installer.

    Once set up, the Installer is available from the management page of any Web site. It'll remind you a bit of the easy-to-use Web-based management consoles that many hosting companies provide: You can even use it to install selected pre-packaged Web applications such as DasBlog, Drupal, Subtext, WordPress, and more.


    Figure 5: Installing Web applications.

    The Web Platform Installer is probably the easiest way to extend IIS we've ever had.

    FTP

    Although Win2008 includes the old FTP Publishing Service, you don't want it. In fact, if it's already installed, uninstall it using Server Manager (go to the Web Server role, and click Remove Role Services), and use the new FTP service available through the Web Platform Installer.


    Figure 6: The new FTP service.

    This new service, which cannot be installed if the old IIS 6-compatible FTP Publishing Service is installed, offers secure FTP, FTP firewall support, better FTP logging, and much more. It's a more scalable and more efficient FTP service that can be managed from within the IIS 7 Manager console (the old service requires the use of the old IIS 6 console).

    URL Rewriting

    One of the most annoying aspects of using IIS, as opposed to something like Apache, has been the lack of built-in URL rewriting. Numerous popular Web applications make use of this feature to provide search engine-friendly URLs as well as other capabilities. Apache makes it easy by using an industry-standard rewriting syntax in a simple text file, named .htaccess. Dropping an .htaccess file into a Web site's root folder, or any subfolder, enables rewriting for that site or folder. Under IIS, third-party commercial tools were required to provide this capability until IIS 7. The Web Platform Installer can be used to get a free URL rewriting module, which appears as a configuration option in IIS Manager.


    Figure 7: Editing a URL rewrite rule.

    Although IIS still (somewhat irritatingly) doesn't use simple .htaccess files, it can import those files into its own URL rewriting module. You can create custom rules, and a wizard provides shortcuts for creating common types of rules. For example, one rule (see Figure 8) can be used to remove the "www" from incoming requests, forcing users to realtimepublishers.com rather than www.realtimepublishers.com. This is a common trick for helping search engines see only one version of the site and avoiding the duplicate-content penalty many engines impose when they think they're seeing the same content on two different Web sites (one starting with "www", and the other without).


    Figure 8: The "No WWW" rule.

    To create this rule, create a new, blank URL rewrite rule. Set it to match the pattern:

    ^(.*)$

    which is a regular expression (regex) for any URL coming into the site (the site's bindings will ensure that only requests intended for that site make it this far). Under the rule's conditions, specify a single condition:

    Input: {HTTP_HOST}
    Type: Matches the pattern
    Pattern: ^(www\.)(.*)$

    And set the action to redirect to:

    http://[your site URL without www]{PATH_INFO}

    Select the "Append query string" check box and make the redirect a Permanent (301) redirect. This will grab whatever URL the user was trying to reach, if it starts with "www", and redirect to the non-www version of the URL. You can also use this to capture old domain names and permanently redirect them to a new one.
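The same "No WWW" rule deployed from a script rather than the wizard, as an added example that is not from the book: it writes the rule into a site's web.config in the form the URL Rewrite module stores it, and includes a small function that mirrors the rule's two regexes so you can check what a given request would be redirected to. The site root C:\inetpub\wwwroot and the host example.com are placeholders, and the URL Rewrite module is assumed to be installed.

```powershell
# Added example, not from the book: deploy the "No WWW" rule described above by
# writing it into a site's web.config (system.webServer/rewrite/rules), the
# place the URL Rewrite module keeps rules created in IIS Manager.
# Assumptions (placeholders): site root C:\inetpub\wwwroot, canonical host
# example.com; the URL Rewrite module is installed on the server.
$siteRoot   = 'C:\inetpub\wwwroot'
$canonical  = 'example.com'
$configPath = Join-Path $siteRoot 'web.config'

# The rule exactly as the text describes it: match any URL, fire only when the
# HTTP_HOST header starts with "www.", redirect permanently (301) to the
# non-www host plus the original path, appending the query string.
$ruleXml = @'
<rule name="NoWWW" stopProcessing="true">
  <match url="^(.*)$" />
  <conditions>
    <add input="{HTTP_HOST}" pattern="^(www\.)(.*)$" />
  </conditions>
  <action type="Redirect" url="http://__HOST__{PATH_INFO}"
          appendQueryString="true" redirectType="Permanent" />
</rule>
'@ -replace '__HOST__', $canonical

function Set-NoWwwRule {
    # Inserts (or replaces) the NoWWW rule in the given web.config, creating the
    # file and the configuration/system.webServer/rewrite/rules path if needed.
    param([string]$ConfigPath, [string]$RuleXml)

    $doc = New-Object System.Xml.XmlDocument
    if (Test-Path $ConfigPath) {
        $doc.Load($ConfigPath)
    } else {
        [void]$doc.AppendChild($doc.CreateElement('configuration'))
    }

    $node = $doc.DocumentElement
    foreach ($name in @('system.webServer', 'rewrite', 'rules')) {
        $child = $node.SelectSingleNode($name)
        if (-not $child) { $child = $node.AppendChild($doc.CreateElement($name)) }
        $node = $child
    }

    # Remove an older copy of the rule first so the script is safe to re-run.
    $old = $node.SelectSingleNode("rule[@name='NoWWW']")
    if ($old) { [void]$node.RemoveChild($old) }

    $fragment = $doc.CreateDocumentFragment()
    $fragment.InnerXml = $RuleXml
    [void]$node.AppendChild($fragment)
    $doc.Save($ConfigPath)
}

function Get-NoWwwRedirect {
    # Mirrors what the rule does to one request, using the same two regexes, so
    # the patterns can be checked before deployment. IIS evaluates the real
    # rule; this only models its logic. Returns $null when the rule would not fire.
    param([string]$HostHeader, [string]$PathInfo, [string]$QueryString = '')

    if ($HostHeader -notmatch '^(www\.)(.*)$') { return $null }   # condition on {HTTP_HOST}
    if ($PathInfo   -notmatch '^(.*)$')        { return $null }   # match url (always true)
    $target = "http://$canonical$PathInfo"                        # action URL
    if ($QueryString) { $target += '?' + $QueryString }           # appendQueryString
    $target
}

# Usage
Set-NoWwwRule -ConfigPath $configPath -RuleXml $ruleXml

# Constructed sample requests: only the www host triggers the redirect, and the
# query string survives it.
Get-NoWwwRedirect -HostHeader 'www.example.com' -PathInfo '/blog/post.aspx' -QueryString 'id=7'
Get-NoWwwRedirect -HostHeader 'example.com'     -PathInfo '/blog/post.aspx'
```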


    Tip, Trick, Technique 5: Evaluating Windows Server Backup

    Windows Server Backup has been entirely rewritten for Win2008, and it's finally (after more than a decade of Windows' existence as a server operating system (OS)) a viable choice for many real-world backup and recovery tasks, especially in smaller environments. However, it's not a do-it-all solution; you should be prepared for significant disadvantages and weaknesses.

    Installing Windows Server Backup

    Like nearly every component of Win2008, Windows Server Backup (WSBackup) isn't installed by default. You'll need to open Server Manager, go to Features, and, as shown in Figure 9, manually add the Windows Server Backup feature. It's a good idea to add the Command-line Tools sub-feature because you'll gain the ability to add backups to other automated processes in Windows PowerShell commands and scripts.

    Figure 9: Adding Windows Server Backup.

    Note
    The need to add this feature can actually be a little confusing because Windows installs a shortcut on the Start menu for Windows Server Backup even if the feature itself isn't installed. Clicking the shortcut opens a console that tells you that you need to install the feature.


    Using Windows Server Backup

    Let's be perfectly clear in that WSBackup is intended to back up data and applications on the local computer; Microsoft doesn't position this feature as anything more than a very basic, local, bare-bones utility. Operations are primarily wizard-driven, such as the Backup Schedule Wizard that Figure 10 shows. With this wizard, you can select what you want to back up, when you want to back it up, where the backup will be stored (disk only; no tape support), and so on.

    Figure 10: Configuring a backup.

    You can restore a backup that was made from the local computer or from another computer (if you're trying to recover an entire system, for example, or need to grab a few files from a backup that was made of another computer). In addition, you can restore individual items from a backup as well as the entire thing.

    As Figure 11 shows, you can configure backup performance by simply selecting the type of backup that will be made: a full backup (doesn't hit the server itself hard in terms of performance and cleans up Volume Shadow Copy files), or an incremental backup (leaves behind Windows Volume Shadow Copy files and may diminish server performance somewhat). You can also make this decision on a per-volume basis.


    Figure 11: Configuring backup performance.

    Note
    Volume Shadow Copy (VSC) is designed to keep old versions of files handy in a disk-based store for easier recovery; users can use Windows' Previous Versions tab on a file's Properties dialog box to access VSC versions. Upon making a full backup, VSC files are normally cleared because the files protected by VSC are now safely in a backup.

    Although WSBackup itself is designed to back up the local computer only, you can use the management console to connect to WSBackup running on other computers, allowing you to manage their local backup operations without having to physically log on to their consoles. Figure 12 shows this task in action.


    Figure 12: Connecting the WSBackup console to another computer.

    Pros and Cons

    Most experienced administrators pretty much ignore Windows' built-in backup, and WSBackup isn't going to change their minds. For a very small environment dealing primarily with file and print servers, WSBackup is a reasonably effective, if bare-bones, means of making the backups you need to be safe. You'll need to move the backups off-server, of course, or they're at risk of a complete disk or system failure, and WSBackup doesn't make it easy to move those files around (it expects them to pretty much remain local). You can't save backups to any disk volume that contains Windows itself or application data, which means you'll need to install a dedicated volume, often not an option on a server that's already had all its disk space allocated.


    Tip, Trick, Technique 6: Using Windows PowerShell

    Although Windows PowerShell isn't specifically new in Win2008 (it was previously made available for Windows XP, Windows Server 2003, and Windows Vista), Win2008 is the first version of Windows that includes Windows PowerShell. A complete discussion on PowerShell is a book unto itself, but there are a few things you should be aware of and plan to take advantage of right away.

    What Is Windows PowerShell?

    Everyone who has heard of PowerShell has an idea of what it is: a command-line tool, a scripting language, or something. It's almost easier to explain what PowerShell isn't:

    • It's not a scripting language. True, it does have scripting capabilities, but it's not quite the same as something like VBScript. It's more like the batch language in the old Cmd.exe shell, but a bit more refined. It's simple (just 14 keywords in PowerShell v1), but it's very flexible and extensible.

    • It's not a shell. Not, at least, in the same sense as Cmd.exe. PowerShell (the actual, under-the-hood guts of PowerShell) is an engine capable of running commands and scripts; the most common way for us human beings to tell it which commands to run is to type those commands into a host window, which is a command-line interface.

    PowerShell is a standardized means for Microsoft to package administrative functionality. They're not quite command-line tools, although we humans can access them through a command-line interface. The big part there is "standardized" because PowerShell is the first time that Microsoft has created a clear, documented standard for exposing administrative functionality. PowerShell can be accessed from a command-line window, true, but it can also be hosted by graphical applications that run commands in the background. In some cases, you might be using a GUI console and not realize that PowerShell is actually doing all the work behind the scenes.

    It's safe, in casual conversation, to refer to PowerShell as a command-line interface because that's how most of us will experience it directly.

    Enabling Windows PowerShell

    Although PowerShell is included with Win2008, it isn't installed by default: As Figure 13 shows, you have to enable its feature in order to start using it. Doing so will also enable the .NET Framework v3.0, which is the version that ships with PowerShell. PowerShell actually requires v2.0, which is a subset of v3.0.


    Figure 13: Windows PowerShell is an optional feature.

    Note
    The R2 release of Win2008 actually does install Windows PowerShell v2 by default, which means the latest version of the Framework (3.5) is also installed by default. Because of PowerShell v2's new features, Microsoft feels (and I agree) that everyone will want and need PowerShell on every computer.

    Windows PowerShell Security and Profiles

    PowerShell has the ability to execute script files, which are essentially a batch of commands executed in sequence, so Microsoft has obvious concerns about PowerShell and security. The last scripting language Microsoft pushed out, VBScript, was a dismal failure in terms of security, enabling mass virus attacks such as ILoveYou, Melissa, and other famous malware; the company certainly didn't want PowerShell landing in the same boat.


    Understand that the potential danger in PowerShell does not come from running commands interactively. Typing a command, getting the syntax right, and doing anything requires a certain amount of expertise and isn't something you can typically trick someone into doing. In any event, no command will work unless the user has the necessary underlying permissions in the first place; PowerShell isn't a way to bypass Windows security. No, the real danger in PowerShell comes from scripts. That's because a script is something you can trick someone into running, and a script may contain entire sequences of commands that the tricked person might normally know not to run. Tricking an admin is especially deadly, because the admin will usually have permission to do all kinds of dangerous things.

    So PowerShell's security focuses on script execution, primarily through a mechanism called the execution policy. By default, this policy is set to Restricted, which prevents scripts from running entirely. Problem solved.

    Changing the policy by using the Set-ExecutionPolicy command within PowerShell itself requires local Administrator privileges, as the setting is stored in the HKEY_LOCAL_MACHINE portion of the Windows registry. You can also control this setting centrally using a Group Policy administrative template that's available from http://download.microsoft.com (just punch in "PowerShell adm" in the search box to find the download). A Group Policy-applied setting overrides anything else.

    So what might you change the policy to? Unrestricted, the loosest setting, is stupid; you're putting PowerShell right back into the VBScript days, allowing any script to execute at any time. The next higher setting, RemoteSigned, might sound promising. It allows local scripts to execute without restriction but requires remote scripts (those downloaded from the Internet or accessed via UNC) to contain a digital signature. This setting isn't any safer than Unrestricted, no matter what anyone tells you. I'll explain.

    When a script is digitally signed (something you can accomplish using the Set-AuthenticodeSignature command), an encrypted copy of the script is added to the end of the script file in a special block of comments. When running the script, PowerShell decrypts this signature and compares it with the clear-text copy of the script. If the two match, the signature is intact and the script executes. If the signature doesn't match the script, the signature is broken and the script won't execute. This in and of itself doesn't prevent maliciousness, but here's what does: Obtaining the necessary digital certificate (a Class III Authenticode Code-Signing Certificate, to be specific) typically requires you to prove your identity, in some fashion, to the certificate issuer. Your identity becomes a part of the certificate and of any signatures you create using that certificate. Thus, if you create a malicious script, and sign it, PowerShell will run it and anyone affected by it will be able to divine your identity and hunt you down. So, in very general terms, signed script = safe script.


    Note
    This "safe" depends entirely on the certificate issuer doing a good job of actually checking your identity when issuing a certificate. You can configure Windows to trust certificate issuers who you believe do a good job; you can configure it to not trust issuers who you don't believe do a good job. If PowerShell encounters a signature that came from an untrusted issuer, the signature and the script are also considered untrusted and the script won't run.

    So, imagine a scenario: Your computer gets infected with a piece of malware. Only, rather than trying to do anything nasty, it just modifies an innocent little text file on your computer. One with, say, a .ps1 filename extension (a PowerShell script, in other words, that you've already written). The next time you go to run this local script, the commands added by the malware also execute and chaos ensues.

    Or, even worse, the malware creates a simple text file with the name profile.ps1, inside a folder named WindowsPowerShell, right in your Documents folder. No big deal, right? Wrong: This is a PowerShell profile script, and it is going to execute automatically the next time you open the shell! Worse, this file doesn't exist by default, so it's easy for a piece of malware to create it without you knowing. User Account Control (UAC) won't save you here because it's just a simple text file in your Documents folder, nothing you need Administrator privileges to access.

    The solution? PowerShell's third execution policy, AllSigned. This setting requires all scripts to carry a signature, created by using a certificate that came from a trusted issuer. Create your own profile script (a blank one is fine) and sign it to prevent a piece of malware from plopping down a profile script, and you're protected. Sure, you have to sign your scripts before they'll run; no big deal. The better commercial script editors (PrimalScript and PowerShell Plus Professional Edition come to mind) will do that automatically for you, if you want them to. Don't want to buy a certificate? Run help about_signing in PowerShell and read how to use the MakeCert utility to create a free, local-use-only certificate for your own scripts.
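Putting the AllSigned advice into practice, as an added example that is not from the book: the script creates and signs the per-user profile.ps1, audits every profile location the console host loads so a dropped or unsigned profile stands out, and shows on a throwaway copy that editing a signed local script (the scenario described above) breaks its signature. It assumes PowerShell v2 and a code-signing certificate already in Cert:\CurrentUser\My, for instance one created with MakeCert as described in about_signing.

```powershell
# Added example, not from the book: sign the user profile, audit all profile
# paths, and demonstrate that a modified signed script no longer verifies.
# Assumes PowerShell v2 and a code-signing certificate in Cert:\CurrentUser\My.

function Get-CodeSigningCert {
    # First certificate in the user's personal store that is usable for code signing.
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
    if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }
    $cert
}

function Get-ProfilePath {
    # The four profile files the PowerShell console host tries to run at startup:
    # two machine-wide ones under System32, two per-user ones under Documents.
    $sys  = Join-Path $env:windir 'System32\WindowsPowerShell\v1.0'
    $docs = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'WindowsPowerShell'
    @(
        (Join-Path $sys  'profile.ps1'),
        (Join-Path $sys  'Microsoft.PowerShell_profile.ps1'),
        (Join-Path $docs 'profile.ps1'),
        (Join-Path $docs 'Microsoft.PowerShell_profile.ps1')
    )
}

function Test-ProfileSignatures {
    # Reports each profile path as Missing (a gap malware could fill) or with its
    # Authenticode status (Valid, NotSigned, HashMismatch, UnknownError, ...)
    # and the signer's subject, so a foreign signer is visible too.
    foreach ($path in Get-ProfilePath) {
        if (-not (Test-Path $path)) {
            New-Object PSObject -Property @{ Path = $path; Status = 'Missing'; Signer = '' }
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        New-Object PSObject -Property @{ Path = $path; Status = $sig.Status; Signer = $signer }
    }
}

function Protect-UserProfile {
    # Creates the Documents\WindowsPowerShell\profile.ps1 the text recommends
    # (empty apart from a comment) and signs it with the user's certificate.
    $path = (Get-ProfilePath)[2]
    $dir  = Split-Path $path -Parent
    if (-not (Test-Path $dir))  { [void](New-Item -ItemType Directory -Path $dir) }
    if (-not (Test-Path $path)) { '# intentionally empty, signed profile' | Set-Content $path }
    Set-AuthenticodeSignature -FilePath $path -Certificate (Get-CodeSigningCert)
}

# --- demonstration -----------------------------------------------------------
Protect-UserProfile | Format-List Path, Status
Test-ProfileSignatures | Format-Table Status, Signer, Path -AutoSize

# Tampering scenario from the text, run on a throwaway copy rather than the real
# profile: inserting a line ahead of the signed content changes the hash, so the
# status is no longer Valid and under AllSigned the script would refuse to run.
$copy = Join-Path $env:TEMP 'tamper-demo.ps1'
Copy-Item (Get-ProfilePath)[2] $copy -Force
$body = Get-Content $copy
Set-Content $copy (@('Write-Host "line inserted after signing"') + $body)
Get-AuthenticodeSignature -FilePath $copy | Format-List Path, Status
Remove-Item $copy

# Enforce the policy the text recommends (needs an elevated prompt, and a Group
# Policy setting, if one applies, overrides it):
# Set-ExecutionPolicy AllSigned
```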

    Using Windows PowerShell: The Basics

    As a command-line shell, PowerShell works a lot like the Cmd.exe shell you're probably familiar with: type a command, add on any necessary parameters, and you're ready to hit Enter. Need to try again? Hit the up arrow, modify the command, hit Enter, and you're done.

    So how do you get around your system in PowerShell? If you've ever navigated a disk drive in Cmd.exe, then you know how to do it in PowerShell.

    Type Dir to get a listing of files and folders, or type Ls, if you prefer that. Cd will change folders. Del will delete files, so will Rm. Type will display the contents of a text file, as will Cat. A backslash is a path separator, as is a forward slash. So whether you're comfortable with UNIX- or DOS-style syntax, you're good to go.


    There are some caveats. cd.. won't go up one folder level; you need to use cd .. with a space. That's because PowerShell assigns a special meaning to the space character: it's a separator between a command and its arguments. That's why Cd c:\program files doesn't work; the space between "program" and "files" confuses it. Add quotes (either single or double) and run Cd "c:\program files" instead. That's pretty much what you would do in Cmd.exe or even most UNIX shells, by the way.

    So there you have it: A completely arbitrary (like Ls is intuitive?) set of commands that you've probably already memorized and can use to navigate through a hierarchical database. Yes, a database; that's what the file system really is, after all. It's not relational like an Access or SQL Server database, but it's hierarchical, not unlike an Exchange Server mail store, or the Windows registry, or even Active Directory (AD). Speaking of which, would you like to learn a whole new set of commands that let you navigate the registry or even AD?

    I hope you said no because who wants to learn a whole new set of commands when YOU ALREADY KNOW A SET that should do the job? In other words, why can't we just run Cd HKCU: to change into the HKEY_CURRENT_USER registry hive? Why can't we run Ls to get a list of registry keys? Run Cd Software to change into that key, and Del * to delete everything (whoops).

    Well, it turns out you can in PowerShell. Try it. That's because PowerShell has little adapters called PSDrives that allow PowerShell to see different forms of storage as if they were disk drives. The Certificate Store, environment variables, registry, and more are just the beginning. More PSDrive adapters can be added in, and products like SQL Server 2008, AD (in Win2008 R2), and others do just that. Run Get-PSDrive to see a list of all the drives currently available, and use New-PSDrive to create new drive mappings (remember, these are PSDrives, so they only live in PowerShell; you won't see them in Windows Explorer).

    PSDrives illustrate a key part of PowerShell's design philosophy: Take ONE set of skills (preferably a skill that administrators already have) and leverage it as widely as possible. That means less learning for you while expanding the number of things you can do. It's like the moving walkway at the airport: slow people are supposed to keep right so that faster people can pass on the left. It's the same skill that we're supposed to use on the highway, leveraged in a new location. Sadly, most people seem to lack the skill in either scenario, but you get the idea. And even that makes a good point: PowerShell is leveraging skills that administrators SHOULD already have; if you've stayed away from any kind of command-line administration, you have done yourself a disservice because PowerShell assumes you've worked at least a little from the command line. If you haven't, PowerShell won't be impossible to use, but it will be a bit more of a learning curve because you lack some of the background experience that PowerShell is trying to leverage to make things easier on you.

    Let THAT be a lesson for you. A big reason to learn PowerShell NOW is because there will be future versions that add MORE functionality. By learning PowerShell NOW, you can start gaining the background experience that will make future versions more incremental and easier to learn; the longer you wait, the harder it will be to learn each successive version.


    All About Commands, Aliases, and Parameters

    So all of these things we ran (CD, DIR, LS, and whatnot) are all commands. Technically, because they're within PowerShell, they're called cmdlets (pronounced "command-lets," not "cee-em-dee-lets"). Actually, technically, what we've been using so far are aliases.

    Let me back up a bit.

    PowerShell's functionality comes primarily from these cmdlets, all of which are written by developers working in a .NET language such as C# or Visual Basic. Cmdlets come packaged in a snap-in, which is basically a DLL file. You can think of them as similar to the snap-ins used by the Microsoft Management Console (MMC), in that they add product-specific functionality to an otherwise empty shell or console.

    Cmdlets use a consistent naming scheme devised by Microsoft. Cmdlet names consist of a verb, such as Get, a dash, and then a singular noun, such as Service (for example, Get-Service). The list of verbs is actually fairly short and is intended to be used consistently. Changing something uses the Set verb, so you have cmdlets such as Set-Service and Set-ExecutionPolicy, never Change-Policy or Configure-Service. Using consistent verbs helps folks like us guess the right command name without having to pore through manuals. For example, based solely on what I've written here, can you guess the Exchange Server command that would retrieve user mailboxes? Get-Mailbox.

    The downside of these command names is that they can be long. Not that long is inherently bad; long also means clearer and easier to remember. But long does mean harder to type, and nobody wants that. So PowerShell has a system for aliases, which are simply nicknames for a command. Dir is an alias for Get-ChildItem, Type is an alias for Get-Content, Ps is an alias for Get-Process, and so forth. The alias is simply a way of shortening the command name or making the cmdlet name look like a familiar command (such as Dir or Del). The alias doesn't change anything about the way the cmdlet works. Run Dir /s and you'll see. That generates an error because the Get-ChildItem cmdlet, which is what's really being run when you type Dir, doesn't support a /s parameter.

    Which brings us to parameters, I suppose. In sticking with the consistency theme, PowerShell finally brings us a consistent command-line syntax for parameters. Parameters always begin with a dash (not a slash) and the parameter names are really clear: -computerName, -path, -filter, -exclude, -credential, and so forth. The parameter name is followed by a space and then whatever value goes with the parameter, if appropriate. A parameter such as -append wouldn't usually take a value; it's just a switch, telling the cmdlet to append content to existing content. A parameter such as -computerName obviously does need a value: the computer name you want to pass along. So that's why Dir /s doesn't work: the Get-ChildItem command doesn't recognize /s as a parameter. Actually, it'll think it's supposed to be a path because PowerShell uses both / and \ as path separators. However, the command does have a -recurse parameter that'll do what you want.


    There's no way to create an alias so that Dir /s behaves as Get-ChildItem -recurse; aliases are nicknames only for command names, not for anything else, and not for any parameters. Using an alias doesn't change the command syntax in any way; you're simply substituting a shorter name for the command, nothing more.

    That said, you don't have to type the whole parameter name; honestly, typing -computerName all the time would be a hassle. You only have to type as much of the parameter name as needed to distinguish it from other parameters. So, for Get-ChildItem, instead of typing -recurse, you could type -r because there are no other parameters of that command that begin with "r". The -r alone is enough to let the shell figure out which parameter you meant. In other cases, a few more letters may be needed: I usually type -comp for -computerName, for example. It's probably more letters than I technically have to type in most cases, but it's enough to help me visually determine what parameter I meant.

    And there's always Help: PowerShell's built-in help system even accepts wildcards, so running Help *Service* will help you find all the commands related to services, while running something like Help Get-WmiObject will offer complete help for that entire command and all its parameters. In PowerShell v2 (with Win2008 R2), the Help command picks up an -online parameter, which pops up the latest and most accurate help in a Web browser, straight from Microsoft's Web site.

    Tip, Trick, Technique 7: Understanding Hyper-V

    Hyper-V is an exciting new feature of Windows Server 2008. Although much has been, and will be for some time to come, written on Hyper-V and its major competitors (VMware vSphere (ESX Server) and Citrix XenServer), it's important to understand what Hyper-V is and isn't because it comes with Win2008.

    Hyper-V, Hypervisor: What's it All Mean?

    Hyper-V is Microsoft's brand name for their Windows-based hypervisor. A hypervisor is a special type of software that's specifically designed to enable virtualization: the ability for one computer to effectively mimic the operation of many virtual computers at the same time. The hypervisor installs on a host computer and has direct (more or less) access to its hardware; it then enables one or more virtual machines to execute in memory. Each virtual machine, or guest, can run its own operating system (OS), which need not be Windows, and each guest OS thinks it's running on its own dedicated hardware.

    Hyper-V is technically a type 1 hypervisor, meaning the hypervisor itself runs on "bare metal," or directly on the server's hardware. Win2008 automatically creates a special virtual machine where the rest of Win2008 is installed. So, when you're using a Win2008 machine that has Hyper-V installed, you're always running at least one virtual machine: the one that Win2008 itself is running on. That primary virtual machine is the one that gets to tell the hypervisor what to do. It's not quite a guest virtual machine because it does have a special management relationship to the underlying hypervisor.


    HowDoesHyperVLicensingWork?YouneedtoownaWin2008licensetorunHyperV.Beyondthat,youllalsoneedlicensesforwhateverguestOSsyouplantoruninsideyourvirtualmachines.Thefree,downloadableWindowsHyperVServerproductdoesntincludelicensesforanythingbutHyperVitself;anyguestOSswillneedalicense.

    WhenyoubuyacopyofWin2008,however,itcomeswithacertainnumberoflicensesforguestvirtualmachinesrunningcopiesofWin2008.TheDatacentereditionofWin2008,forexample,letsyourunanunlimitednumberofvirtualmachinesthatrunanyothereditionsofWin2008;Win2008sEnterpriseeditionincludesguestlicensesforuptofourWin2008guests.

    IsHyperVaBareMetalHypervisor?Yes.LotsofpeopleliketoarguethisbecausewhenyouinstallHyperV,youappeartobeusingafullcopyofWindows.So,theyargue,ifHyperVrequiresWindows,itstechnicallyatype2hypervisor,meaningthehypervisordoesnttalkdirectlytothehardware.Thiswasthecasewiththepredecessor,MicrosoftVirtualServer.ItsarchitecturelookedabitlikewhatsshowninFigure14,withthehypervisorclearlyrunningatopWindowsanddependingonWindowstoprovideaccesstothehardware.Here,thehypervisorrunsasanapplication,atthesamelevelassomethinglikeExchangeServer.

Figure 14: A type 2 hypervisor.


Hyper-V's architecture is shown in Figure 15. What fools folks about Hyper-V is that it always installs a virtual machine (technically, a partition, to use Microsoft's terminology) containing a full Win2008 install. So you always see Windows, even though Hyper-V itself isn't talking through Windows to get to the hardware.

Figure 15: Hyper-V architecture.

Also shown are some unique features of Hyper-V, such as the ability of OSs that know about Hyper-V (so-called enlightened guests, running the Hyper-V Integration Services) to realize that they're running in a guest virtual machine. This lets them feed specific types of information (such as performance data) to the host for better manageability, and lets Hyper-V communicate with the guest OS to perform key tasks, such as managing shutdowns more cleanly. Non-aware guest OSs can also run, but get fewer manageability improvements.

In fact, there is a way to run Hyper-V without running the full copy of Windows: Windows Server Core. The free Windows Hyper-V Server downloadable product uses this, and you can set one up yourself. It simply installs Server Core into the root partition, so that you get a smaller Windows footprint in the root (less to patch, and a smaller attack surface on the one partition that controls all the others) and more resources freed up for running your other partitions.


Tip, Trick, Technique 8: Remote Server Manager in R2

Server Manager has proven to be a great way of administering Win2008's complex set of server roles and features. It offers a central means of adding, configuring, and removing roles and features, and provides central access to a number of security- and configuration-related features that would otherwise be scattered across the operating system (OS) and require a lot of digging. If Server Manager had one significant failing, though, it was its inability to work with remote computers. If you wanted to use Server Manager, you were stuck logging on to the server console directly, which is a real limitation, and really breaks the single-seat administration model Microsoft has been slowly trying to implement.

In Windows Server 2008 R2 (R2 for short), though, Server Manager has been improved to support remote management. As Figure 16 shows, this change is subtle and one that's easy to miss: you simply pick up a Connect to Computer menu option.

Figure 16: Connecting to a remote computer.

This feature means you can now use a local copy of Server Manager to manage features and roles on all your R2 servers, with one exception: Server Core. The remote console can connect to a Server Core R2 machine (once you've allowed that on the server, as Tip 13 describes) and show you what's installed, but it can't install roles on the stripped-down Server Core version of the OS; for that you're still running Dism.exe on the server itself. Hopefully that capability will come in time, as it would go a long way toward making Server Core more approachable for a wider range of administrators.

Tip, Trick, Technique 9: Leveraging Server Core in R2

R2 offers an improved version of Server Core that makes up for a lot of the shortcomings of previous versions, albeit at a potentially higher level of maintenance overhead. One of the most important new features is the SConfig.exe utility (see Figure 17). This utility offers a text-based menu that helps administrators configure the core operating system (OS) settings, such as domain membership, computer name, Windows Update, network settings, and so forth. This is a welcome improvement, as many of these tasks in the past required complex, fairly arcane command-line tools. Those same tools are still in use; they're just called in the background by SConfig. Think of SConfig as a sort of lightweight Server Manager specifically for Server Core.

Figure 17: Using SConfig in Server Core R2.


Server Core also offers a subset of the .NET Framework. This subset includes portions of v2.0 and v3.0; it specifically excludes the Windows Forms classes and Windows Presentation Foundation, which require graphical user interface (GUI) elements not present in Server Core. The inclusion of this Framework subset has a couple of really important, far-reaching consequences. One of those is the potential for additional patches, as the Framework is an additional set of moving parts that does come with its own potential problems and the resulting hotfixes and service packs. A major benefit of Server Core has always been that it requires fewer patches: historically, about a third of what the full Windows OS requires. The Framework isn't historically a heavily patched set of code, but it does get patched.

The trade-off, however, is significant: Server Core R2 now supports ASP.NET Web applications under IIS 7.5, which is a major improvement over the original Server Core release, which didn't have any Framework and didn't support ASP.NET at all. The inclusion of the Framework in Server Core R2 also permits remote management of IIS through the standard IIS management console, another major benefit for administrators (you have to enable the Web Management Service on the server to make this happen).

Perhaps the biggest improvement offered by the Framework subset, however, is the availability of Windows PowerShell v2 on Server Core R2. It isn't on by default: it's an optional feature that you enable (along with the .NET Framework feature it depends on) from the command line with Dism.exe. Once it's there, it brings significant new administrative capability to Server Core, including the ability to connect to Server Core's PowerShell instance from remote machines, enabling remote command-line management of single and multiple servers.

Cross Reference: See Tip, Trick, Technique 12: Remote Command-Line Administration in R2 for more details on PowerShell v2's remote management capabilities.

Active Directory Certificate Services (AD CS, formerly just Certificate Services) is also supported as a server role on Server Core R2. This means that yet another key infrastructure component, Public Key Infrastructure (PKI), can now be migrated to this lower-maintenance, smaller-footprint OS. A certification authority is exactly the kind of server you want running as little extra code as possible, so this is a good fit.

Keeping in mind that R2 is only being made available in a 64-bit edition, Server Core R2 optionally supports a WoW64 layer that makes it possible to run 32-bit applications. I primarily see this as being used to support older management agents or anti-malware applications, although every effort should be made to acquire native 64-bit versions of these items as quickly as possible. Because the layer is optional, a server that doesn't need it can leave it out and stay that much smaller.

Finally, Server Core R2 also supports File Server Resource Manager (FSRM), which finally enables advanced file quotas and other FSRM-related functionality in Server Core.


Tip, Trick, Technique 10: Deleted AD Object Recovery in R2

Much has been made about the Active Directory Recycle Bin in Windows Server 2008 R2, but the reality falls somewhat short of the hype. Although this feature provides great capabilities, it also has some limitations that aren't immediately obvious, and the term Recycle Bin actually implies a level of functionality and ease of access that simply isn't present. But first, some background.

As you may know, deleted objects in Active Directory (AD) aren't deleted immediately. Instead, they're marked with a tombstone flag (the isDeleted attribute), which is replicated to all domain controllers in the domain. Tombstoned objects, as they're called, continue to hang around in the directory for some time: the tombstone lifetime, 180 days in the most recent versions of AD. Although they can't be used to log on or for any other purposes, keeping the objects around in this tombstoned condition helps ensure that every domain controller knows about the deletion.

Some third-party Recycle Bin-like tools of the past simply take advantage of the situation, giving you a graphical user interface (GUI) for seeing tombstoned objects, and enabling you to remove the tombstone flag (and replicate that change), bringing the object back to life: reanimating it, to stick with the graveyard terminology. Some third-party recovery tools provide no other functionality, in fact, especially those of the shareware variety, and you don't even need a tool if you're comfortable using ADSI Edit or other free, low-level tools that enable you to change the tombstone attribute yourself.

There's a downside, though: when an object is deleted, AD removes most of its attributes at the same time it applies the tombstone flag. That means many of the object's attributes are no longer available, so the object isn't complete. This is especially frustrating with user objects, as we tend to populate many of the user's attributes, and group memberships are among the things that are lost. So simply reanimating an object often isn't that simple at all, because you may also need to repopulate the majority of its attributes to make it fully functional again.

Windows Server 2008 R2 makes one important change to the deletion process: it places deleted objects into a logically deleted state where their attributes (including link-valued ones such as group membership) are left intact. They stay that way for the number of days set by the msDS-DeletedObjectLifetime attribute, which defaults to the tombstone lifetime; only then do they become "recycled" objects, which are stripped much like an old-style tombstone, and eventually garbage-collected. While an object is in the deleted state, reanimating it is easier, because the object is preserved in its original form.

Unfortunately, Windows Server 2008 R2 will not provide an actual Recycle Bin in the form of an icon or container that you can use to easily access deleted objects. Deleted objects will still be essentially inaccessible from most native AD management tools, and you'll need to use low-level directory editors, scripting, or other frankly complex means to reanimate objects from their deleted state. The term Recycle Bin is kind of misleading, because although the feature does provide a sort of undo capability, it doesn't do so in the same easy-to-access way that the Windows Explorer Recycle Bin does.


Also, this new deleted state depends on changes made to AD in Windows Server 2008 R2, meaning you can't leverage this new feature until every domain controller has been upgraded to this new version of Windows. You also have to upgrade every domain in your environment to the Windows Server 2008 R2 functional level, and upgrade your forest to the Windows Server 2008 R2 functional level. That's a serious commitment for most organizations, requiring planning, new software licenses, and a significant amount of effort in order to reduce the risk of outages in a production environment. Figure 18 shows how to make the upgrade using the new Windows PowerShell AD cmdlets included in R2.

Figure 18: Upgrading the forest functional level.

But wait, there's more to do: once your domain controllers, domains, and forests are upgraded, you have to manually enable the Recycle Bin functionality in AD. Figure 19 shows this being done from Windows PowerShell.


Figure 19: Enabling the Recycle Bin.

Once you've done that, you can start writing scripts that actually let you recover deleted objects with their attributes intact. Oh, and once the Recycle Bin functionality is turned on, you can't turn it off. So before enabling it, make absolutely certain that this new feature won't be in violation of any internal security rules, legislative security requirements, or industry security requirements. For example, in many European countries it's illegal to retain personally identifiable information (PII) in certain circumstances; enabling the Recycle Bin may unacceptably retain PII without you realizing it, as object attributes aren't deleted. The one knob you do have is msDS-DeletedObjectLifetime, which controls how many days a deleted object keeps its attributes; you can lower it, but you can't get rid of the retention entirely by turning the feature back off.

Accessing deleted objects isn't as simple as opening a Recycle Bin icon in the AD management console; far from it. You'll need a lower-level tool, like Ldp.exe, to access the Deleted Objects container (a hidden container that has always existed in each partition, but that the ordinary consoles don't display), as shown in Figure 20.


Figure 20: Accessing deleted objects in Ldp.exe.

The Recycle Bin is also only useful for deleted objects: changes to objects aren't captured and preserved. Restoring multiple objects, especially those in a deep hierarchy, is still complicated, because a parent has to be restored before its children. Non-directory data, including the SYSVOL half of Group Policy Objects (a GPO has a container in the directory, but its settings live on the file system), isn't protected by the Recycle Bin. The Recycle Bin also relies on AD itself being functional; if something goes wrong at the domain or forest level, you'll still need to have a backup made by other means.

So the new Recycle Bin feature can certainly be useful, but you need to understand its limitations before you rely on it, and you may still want to have third-party recovery tools in place for other scenarios and for ease of use. You'll certainly still want regular domain controller backups.
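The whole procedure above (check the functional levels, enable the feature, decide how long deleted objects keep their attributes, then find and restore one) as a single PowerShell script. This is an added example, not taken from the book or from Microsoft's documentation; it uses the ActiveDirectory module's real cmdlets, and the forest name, the user jsmith, and the 30-day retention value are placeholders you'd replace. Run it on an R2 domain controller, or anywhere the R2 RSAT tools are installed, as an Enterprise Admin.

```powershell
# Added example, not from the book: end-to-end AD Recycle Bin workflow on
# Windows Server 2008 R2. jsmith, the 30-day retention and the forest are
# placeholders. Requires the ActiveDirectory module and Enterprise Admin rights.
Import-Module ActiveDirectory

$forest   = Get-ADForest
$rootDN   = (Get-ADDomain $forest.RootDomain).DistinguishedName
$configNC = "CN=Configuration,$rootDN"

# 1. Prerequisites: every domain, then the forest, at the 2008 R2 level.
foreach ($d in $forest.Domains) {
    $mode = (Get-ADDomain $d).DomainMode
    if ($mode -ne 'Windows2008R2Domain') {
        Write-Warning "$d is at $mode; raise it with Set-ADDomainMode before continuing"
    }
}
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    Set-ADForestMode -Identity $forest -ForestMode Windows2008R2Forest -Confirm:$false
}

# 2. Enable the feature. This cannot be undone, so the check-before-enable is
#    deliberate; -Scope ForestOrConfigurationSet is the only valid scope here.
$feature = Get-ADOptionalFeature -Filter 'name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

# 3. Retention control for the PII concern: deleted objects keep every attribute
#    for msDS-DeletedObjectLifetime days (default = tombstone lifetime, 180).
#    Lowering it shortens how long that data sits in the directory.
$dsSettings = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
Set-ADObject -Identity $dsSettings -Partition $configNC `
    -Replace @{ 'msDS-DeletedObjectLifetime' = 30 }

# 4. Find the deleted account. Deleted objects are invisible to normal queries;
#    -IncludeDeletedObjects is what exposes CN=Deleted Objects. The name has been
#    mangled to "jsmith\0ADEL:<guid>", and lastKnownParent records the old OU.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -like "jsmith*"' `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, isRecycled

# 5. Restore. An object that has already moved on to the recycled state
#    (isRecycled = TRUE) has been stripped and only a backup can bring it back.
#    When restoring an OU tree, restore the parent before its children.
foreach ($obj in $deleted) {
    if ($obj.isRecycled) {
        Write-Warning "$($obj.DistinguishedName) is recycled; restore from backup instead"
        continue
    }
    Restore-ADObject -Identity $obj.ObjectGUID
}

# 6. Verify that the attributes came back with the object.
Get-ADUser jsmith -Properties department, title, memberOf |
    Format-List Name, DistinguishedName, department, title, memberOf
```

If the original OU was deleted along with the user, Restore-ADObject fails until the OU is restored first, or you pass -TargetPath to put the object somewhere else; that is the "deep hierarchy" problem the text mentions, and it is why a scripted restore walks lastKnownParent values from the top down.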

Tip, Trick, Technique 11: Classifying Files in R2

An entirely new feature in Windows Server 2008 R2 is the Windows File Classification Infrastructure (FCI). This feature is designed to help administrators better manage file storage resources, enforce company policies regarding stored data, and so on. FCI is essentially designed to help classify the data on your file servers and to automate otherwise manual processes, using predefined policies that are based on the business value of your data. FCI is an infrastructure feature, meaning it provides a lot of ways for third-party vendors to hook in and provide features above and beyond what Windows includes natively.


Here's the basic problem FCI seeks to solve: organizations would love to be able to clean up their file servers. But some data needs to be preserved for long periods of time, and today it's very difficult and time-consuming to sort the "keeper" data from the "don't need it" data. FCI is designed to support predefined rules that help Windows automatically classify data, and then allow management processes, such as file cleanup and archiving, or security audits, to operate from the classifications.

Natively, R2's FCI helps classify files based on content and location. Once classified, sensitive data might be moved or secured differently, backup solutions might prioritize highly valuable files over less valuable ones within a backup window, or stale data might be automatically archived or deleted.

The native FCI capabilities are accessed through the File Server Resource Manager (FSRM) console, shown in Figure 21.

Figure 21: Accessing FCI through FSRM.


As you can see, classification starts with a list of classification properties. In this example, files can be classified as having personally identifiable information (PII) or not, and can have a secrecy level applied. These properties essentially define the key aspects of information that might drive a business to make different decisions about the file: files containing PII might be secured differently, or files with a high secrecy level might be backed up more frequently.

Next, rules are created to help automatically populate these properties for each file. Figure 22 shows the creation of a rule, where files in a particular location have a specific secrecy level applied automatically.

Figure 22: Automatic classification rules.

The content of files, rather than just their location, can also drive the classification. Figure 23 shows the Content Classifier being used to set the PII classification property.


Figure 23: Defining a Content Classifier rule.

Figure 24 shows the content that's being searched for in this example: a regular expression that matches on US Social Security Number patterns. Expect some false positives from a pattern that simple (any nine digits with the right punctuation will match), which is usually acceptable for a classification rule, but worth knowing before an automated process acts on the result.


Figure 24: Defining the content to search for.

Third parties can provide additional classifiers, and third parties can also use the FCI application programming interface (API) to apply classification properties or to read those properties. For example, an auditing solution might use these properties to prioritize the files that are included in a security audit.

Note: The screenshots for FCI were taken from pre-release versions of R2 and may change in the final shipping product. These screenshots were drawn in part from http://blogs.technet.com/filecab/archive/2009/05/11/classifying-files-based-on-location-and-content-using-the-file-classification-infrastructure-fci-in-windows-server-2008-r2.aspx, which includes a full discussion of the feature.



Tip, Trick, Technique 12: Remote Command-Line Administration in R2

Windows PowerShell v2 introduces a new form of remote management based upon the industry-standard Web Services for Management (WS-Management, or WS-MAN) and Microsoft's Windows implementation of it, Windows Remote Management (WinRM).

WinRM is a Web Services-based protocol, meaning it operates over HTTP. The WinRM 2.0 that ships with R2 and PowerShell v2 listens on TCP port 5985 for HTTP and 5986 for HTTPS by default (the earlier WinRM 1.1 used 80 and 443), and those port numbers are configurable. "HTTP" doesn't mean the traffic is in the clear: on a domain, WinRM authenticates with Kerberos and encrypts the message payload, and for hosts outside the domain you should set up an HTTPS listener with a proper certificate rather than loosen the client's authentication settings. The WinRM service listens for incoming requests, then passes those requests to registered applications, including PowerShell. For security purposes, administrators can govern the applications that are allowed to register with WinRM. Essentially, WinRM replaces the older and more cumbersome Remote Procedure Call (RPC) protocol for this kind of management; because it uses a single, predictable port, WinRM offers easier compatibility with firewalls.

PowerShell v2 includes a set of cmdlets designed to configure and enable remoting through WinRM (Enable-PSRemoting does the whole job in one step), and a set of cmdlets designed to establish sessions with remote computers. Once you have created an authenticated session from your local PowerShell instance to a remote instance, you can engage in two distinct management scenarios: 1:1 and 1:n.

A 1:1 scenario basically provides you with a remote interactive command-line window, not at all unlike SSH found on most Unix/Linux operating systems (OSs). A 1:n scenario allows you to invoke PowerShell commands and have them run on multiple remote computers in parallel, with the results being brought back to your computer. This makes multiple-computer management virtually the same as single-computer management, and makes it easier to manage even a highly distributed IT infrastructure.
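Both scenarios, plus the configuration that has to happen first and the checks I'd run before trusting an endpoint, in one PowerShell v2 session. This is an added example and not code from the book; the server names SRV01, SRV02 and SRV03 are placeholders, and the commands assume domain-joined machines where Kerberos handles authentication.

```powershell
# Added example, not from the book: PowerShell v2 remoting, 1:1 and 1:n.
# SRV01..SRV03 are placeholder names; assumes domain membership (Kerberos).

# On each managed server, once, from an elevated prompt: creates the WinRM
# listener on TCP 5985, starts the service and adds the firewall exception.
Enable-PSRemoting -Force

# From the admin workstation: does WinRM answer before we try a session?
Test-WSMan -ComputerName SRV01

# 1:1 - an interactive remote shell, the SSH-like case. The prompt changes to
# [SRV01]: and everything typed runs there until Exit-PSSession.
Enter-PSSession -ComputerName SRV01
Get-Service WinRM | Select-Object Name, Status
Exit-PSSession

# 1:n - fan one script block out to several servers in parallel. Each result
# comes back tagged with PSComputerName so the rows can be told apart.
$servers = 'SRV01', 'SRV02', 'SRV03'
Invoke-Command -ComputerName $servers -ScriptBlock {
    Get-WmiObject Win32_OperatingSystem | Select-Object CSName, LastBootUpTime
} | Format-Table PSComputerName, CSName, LastBootUpTime -AutoSize

# Persistent sessions avoid re-authenticating for every call; reuse them for a
# batch of commands and tear them down when finished.
$sessions = New-PSSession -ComputerName $servers
Invoke-Command -Session $sessions -ScriptBlock {
    Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
} | Format-Table PSComputerName, HotFixID, InstalledOn -AutoSize
Remove-PSSession $sessions

# Checks worth running on any endpoint you expose:
# - who may connect (default: local Administrators only)
Get-PSSessionConfiguration | Format-List Name, Permission
# - the listener is on 5985/5986, not something someone reconfigured
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object { $_.Keys }
# - TrustedHosts should be empty on a domain; an entry here tells the client to
#   send credentials to that host without mutual authentication
Get-Item WSMan:\localhost\Client\TrustedHosts
```

Enable-PSRemoting is the only part that runs on the managed server; everything else runs from the administrator's machine, which is the single-seat model Tip 8 talks about applied to the command line.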

Tip, Trick, Technique 13: Configuring Server Core in Windows Server 2008 R2

As mentioned in a previous tip, Windows Server 2008 R2's Server Core installation mode offers a new, easier way to perform the initial server configuration: the Sconfig utility. In some ways, Sconfig is kind of like a text-based, mini Server Manager, and it can be used to enable even greater management flexibility.

As Figure 25 shows, Sconfig can be run immediately after the Server Core installation completes and you log on to the console for the first time.


Figure 25: Running Sconfig.

The utility makes it easier to perform all but one of the major initial configuration tasks you need to do on any new server (more on that missing item in a moment). You can join a domain and set the computer name (although computer name should really be the first item, not the second, since changing the name should occur before joining a domain). You can configure Windows Update, run a Windows Update check, and configure a variety of remote management options, which you should definitely do. In Figure 26, you'll see that I'm enabling MMC remote management, a task that also enables the necessary firewall exceptions on the server.

Figure 26: Enabling MMC Remote Management.


I also recommend allowing Server Manager Remote Management. A new feature in Windows Server 2008 R2's Server Manager console, Remote Management will enable a remote instance of Server Manager to connect to, and manage, your Server Core instance, making it vastly easier to examine roles and features installed on Server Core, for example. You can also enable Remote Desktop, as Figure 27 shows. Keep in mind that on Server Core, Remote Desktop only buys you a remote command-line window; it doesn't magically give you a full GUI to work with remotely. In fact, although I always enable Remote Desktop, I mainly use it for emergencies; I prefer to use remote GUI-based tools to connect to, and manage, Server Core installations. If you do turn it on, take the option that requires Network Level Authentication when Sconfig asks; the "any client" choice exists for old clients, not for servers.

Figure 27: Enabling Remote Desktop.

Finally, as Figure 28 shows, Sconfig even allows you to configure network settings for each installed network adapter. Configure a static IP or any other settings. (Although I frankly prefer to leave Server Core using DHCP and to instead configure a DHCP reservation in my DHCP server. That way, if I ever reinstall Server Core for some reason, I don't have to reconfigure the static IP; it'll just pick up the desired IP from DHCP.)


Figure 28: Configuring network adapter settings.

It seems as if Sconfig will do everything you need, but you won't find an option on its menu for activating Windows, which seems like a pretty serious oversight. Instead, you'll still need to manually install your product key using Slmgr, as Figure 29 shows.

Figure 29: Installing a product key in Server Core.

After installing the product key, you'll have to activate Windows. If you're using a normal retail key, just run Slmgr -ato to initiate activation.

Sconfig is a big help, although it would be nice if it also handled the product activation.
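Because Sconfig only drives ordinary command-line tools in the background, the same initial configuration can be scripted, which is how you'd build more than one Server Core box consistently. What follows is an added example, not from the book: it runs the underlying tools in the order the text recommends (name before domain), includes the activation step Sconfig leaves out, and keeps Remote Desktop on Network Level Authentication. The computer name, domain, addresses, join account and product key are placeholders. Every line is a native executable, so the same commands work from cmd.exe, which is what you'll have until PowerShell is enabled on the box; only the $variables are PowerShell syntax.

```powershell
# Added example, not from the book: scripted equivalent of the Sconfig steps on
# Server Core R2, run from an elevated console. All names/addresses/keys are
# placeholders. These are native tools, so they behave the same under cmd.exe.
$newName = 'CORE01'
$domain  = 'corp.example.com'

# --- Phase 1: network and name (a reboot follows the rename) ---
# Static addressing; skip these two lines if you prefer DHCP with a reservation.
netsh interface ipv4 set address "Local Area Connection" static 10.0.0.50 255.255.255.0 10.0.0.1
netsh interface ipv4 set dnsservers "Local Area Connection" static 10.0.0.10 primary

# Rename first so the domain gets the final name; /reboot:5 restarts in 5 seconds.
netdom renamecomputer $env:COMPUTERNAME /newname:$newName /force /reboot:5

# --- Phase 2: after the restart, log on again and continue ---
# Join with a low-privilege account delegated only to join computers.
# /passwordd:* prompts, so the password never lands in a script or history.
netdom join $env:COMPUTERNAME /domain:$domain /userd:"$domain\ServerJoiner" /passwordd:*

# Windows Update: /au 4 = download and install automatically.
cscript "$env:windir\System32\scregedit.wsf" /au 4

# Remote management: WinRM listener, the MMC firewall rule group, and Remote
# Desktop. /ar 0 enables RDP; NLA stays required because /cs 0 is NOT run
# (that switch would admit clients that can't do Network Level Authentication).
winrm quickconfig -q
netsh advfirewall firewall set rule group="Remote Administration" new enable=yes
cscript "$env:windir\System32\scregedit.wsf" /ar 0

# The step Sconfig doesn't offer: product key and activation.
cscript "$env:windir\System32\slmgr.vbs" /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
cscript "$env:windir\System32\slmgr.vbs" /ato
cscript "$env:windir\System32\slmgr.vbs" /dli   # confirm licence status

# Reboot to complete the domain join.
shutdown /r /t 5
```

The join is deliberately done with a dedicated account that has only the right to create computer objects, rather than a Domain Admin account typed at a console you may not fully trust yet; that is the one place in this procedure where a credential is exposed.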


Tip, Trick, Technique 14: What Are Microsoft's Many Virtualization Options?

If you thought Windows Hyper-V was Microsoft's only foray into virtualization, you're in for a bit of a surprise. Microsoft is slapping the "v" word on many different products and technologies, some of which have been around for years without anyone apparently realizing they were virtualization!

Hyper-V. The "real" virtualization in Windows, Hyper-V is a type 1 hypervisor that's designed to emulate PC hardware for the purpose of running guest operating systems (OSs). Deriving from Microsoft Virtual Server, but in fact built in an entirely different way, Hyper-V is the basis for Microsoft's enterprise virtualization efforts. It competes with VMware's vSphere/ESX products and Citrix's Xen family.

App-V. App-V is designed to run on Windows client computers or on Terminal Services servers. It essentially allows you to create images of completely installed applications, then deploy those images rather than actually installing the application on each of your client computers. App-V creates a sort of sandbox or bubble around the application, preventing it from having a permanent impact on the client's file system, registry, and other resources, and protecting applications from conflicting with one another. (That bubble is an isolation layer for compatibility, not a security boundary: the application still runs as the user, with the user's rights.) Central management tools provide deployment, management, deprovisioning, and other functionality. App-V is available as part of the Microsoft Desktop Optimization Pack (MDOP), which is only offered to Microsoft customers who have purchased Software Assurance for their enterprise OSs.

Virtual PC. Sort of a stripped-down Virtual Server, Virtual PC is Microsoft's workstation-grade virtualization software. Conceptually, it does the same thing as Hyper-V: running guest OSs on Windows (or Macs). Under the hood, it's a very different type of hypervisor (a hosted, type 2 design that depends on the Windows kernel) with lesser performance. It's useful for software testers and other employees who need to run an alternate OS on their client computer; Windows 7's Windows XP Mode is essentially a built-in Virtual PC running a preconfigured Windows XP guest OS. Virtual PC competes with VMware Workstation and similar products from Parallels.

Desk-V or MED-V. Microsoft Enterprise Desktop Virtualization (MED-V) is also a part of the MDOP. It's designed to provide central management and control of Virtual PC images, enabling you to deploy, manage, and control these images. For example, subcontractors working in your environment might be given a corporate-standard Virtual PC image, which allows them to access corporate resources without joining their laptop or desktop computer to your domain. You can then control the security and use of that Virtual PC image.


Remote Desktop Services. Called "presentation virtualization," Remote Desktop Services (RDS) used to be known as Terminal Services. It got a name change in Windows Server 2008 R2, and is officially part of Microsoft's virtualization efforts now. Technically, it has always offered virtual desktops, although it's virtualization in a very different way than, say, Hyper-V. RDS competes with Citrix in a way, and in a way is complemented by certain Citrix products.

It's all "V". Virtualization has taken on so many meanings, due in part to the word's popularity and marketing clout, that it has become an almost meaningless term, like ActiveX and .NET were back in their days. Suffice to say that Microsoft has a number of creative and useful products and technologies that virtualize something in some way; focus on individual solutions more so than the "v" word.

Tip, Trick, Technique 15: The New Windows Log Files

For more than a decade, Windows administrators have suffered with the native Windows event logs. We've struggled to find relevant events to help us audit and troubleshoot our systems, we've hunted for the meaning behind obscure messages and event ID numbers, and we have tried to make a science out of a pretty raw and low-level store of information. Worse, the things aren't centralized, meaning you wind up hunting across multiple servers to find the information you need.

In Windows Server 2008, things are a little better. Sure, you get a fancy new user interface (UI) embedded within Server Manager (shown in Figure 30), but you also get some important new features.


Figure 30: New event log viewing in Server Manager.

Now you can create custom views, which contain filter and sort criteria that make it easier for you to repeatedly come back and find specific events. You might set up a view for events related to a specific application, for example. Figure 31 shows an example, using the built-in Administrative Events custom view.


Figure 31: Viewing events through a custom view.

Log data has been segregated out into more logs, helping break down information logically by product or technology. As Figure 32 shows, a fairly bare-bones Windows Server 2008 installation has dozens of individual logs; fortunately, those custom views can aggregate events from multiple logs, giving you a consolidated view if you so desire.


Figure 32: Multiple logs help categorize information better.

Event forwarding and subscriptions provide a syslog-like capability to forward selected events to a central Windows server for consolidation. It took more than a decade to get this feature in Windows, but you should be glad you have it! You can set it up through event subscriptions, allowing you to set up a central log server that aggregates all your logs. (Forwarding rides on WinRM, the same plumbing PowerShell remoting uses, so the listener and firewall work you do for Tip 12 covers this too.) Figure 33 shows the configuration for a subscription, and you can see that you can even select specific events to be collected.

Resource: You'll find a great article at http://redmondmag.com/articles/2007/08/01/syslog--20-years-later.aspx that goes into more detail about how to use these.



Figure 33: Setting up event subscriptions.
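The subscription in Figure 33, built from the command line instead of the console, so that it can be versioned and repeated. This is an added example and not part of the book: it defines a source-initiated subscription that collects the Security log's logon events (4624, 4625 and 4672), the bread and butter of a central log server, and then shows that the same XPath filter language drives a custom view or an ad hoc query on the collector. COLLECTOR01, corp.example.com and the C:\Subscriptions folder are placeholders.

```powershell
# Added example, not from the book: a source-initiated event subscription on a
# Windows Server 2008 R2 collector. COLLECTOR01, corp.example.com and the
# C:\Subscriptions path are placeholders.

# --- On the collector ---
wecutil qc /q      # starts the Windows Event Collector service (delayed-auto)

$subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2004/06/eventlog">
  <SubscriptionId>SecurityLogons</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Logon success, logon failure and privileged logon from all domain computers</Description>
  <Enabled>true</Enabled>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4672)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL: only members of Domain Computers (DC) may forward into this subscription -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
'@
New-Item -ItemType Directory -Path C:\Subscriptions -Force | Out-Null
$subscription | Set-Content -Encoding UTF8 C:\Subscriptions\SecurityLogons.xml
wecutil cs C:\Subscriptions\SecurityLogons.xml
wecutil gr SecurityLogons      # runtime status: which sources have checked in

# --- On each source computer (push this with Group Policy, not by hand) ---
# winrm quickconfig -q
# Policy: Computer Configuration\Administrative Templates\Windows Components\
#   Event Forwarding\Configure target Subscription Manager =
#   Server=http://COLLECTOR01.corp.example.com:5985/wsman/SubscriptionManager/WEC,Refresh=60
# The forwarder runs as Network Service, which cannot read the Security log
# until it is in the Event Log Readers group:
# net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add

# --- Back on the collector: the same XPath works for a custom view or a query ---
# Failed remote-interactive logons (logon type 10) from the collected events.
# Properties[5] is TargetUserName and Properties[19] is IpAddress for event 4625.
$xpath = '*[System[(EventID=4625)] and EventData[Data[@Name="LogonType"]="10"]]'
Get-WinEvent -LogName ForwardedEvents -FilterXPath $xpath -MaxEvents 50 |
    Select-Object TimeCreated, MachineName,
        @{ n = 'Account'; e = { $_.Properties[5].Value } },
        @{ n = 'Source';  e = { $_.Properties[19].Value } } |
    Format-Table -AutoSize
```

Source-initiated is the mode to prefer for a server fleet: the collector holds no credentials for the sources, each source authenticates to the collector with its own machine account over Kerberos, and the SDDL on the subscription decides who is allowed in.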

Not everything is pe