Windows Server 2008 70-642
IPv6
Improvement
1. large address space
2. more efficient routing
3. simple automatic configuration
4. built in security
5. better quality of service features
128 bits
64 bit prefix (Network ID): 3 bit prefix / 45 bit routing prefix / 16 bit subnet
64 bit interface identifier (Host ID)
Example:
full format: 2001:0CC8:0000:0000:00BC:00BB:0000:8BB6 (eight 16-bit groups)
short format: 2001:CC8::BC:BB:0:8BB6
Address Type
A. Global Unicast Address
1. Equivalent to IPv4 public addresses
2. Routable on the internet
3. Hierarchical based
4. First 3 bits are always 001
addresses start with 2000-3FFF (2000::/3)
B. Link Local Address
1. Automatically assigned to every IPv6-enabled adapter, whether or not any other address is configured
2. Begins with fe80 (fe80::/10)
3. Not routable; valid on the local link only
4. Zone ID (e.g. fe80::1%12): because every interface has a link-local address, the zone ID says which interface to send through
C. Unique Local Address
1. Equivalent to the private ranges in IPv4
2. Used inside a private network only; not routable on the internet
3. Starts with fd (fc00::/7, in practice fd00::/8)
D. Loopback: used to test the network stack, ::1
E. Anycast
F. Multicast: ff00::/8
Life cycle of IPv6 Address
1. Tentative: check for duplicates
2. Preferred: usable for new and existing communication for the lifetime of the address
3. Deprecated: the preferred lifetime has expired (existing communication can still use it, new communication must not)
Transition from IPv4 to IPv6
Transition Technologies
ISATAP / 6to4 / Teredo
IPv6 Transition Technologies
1. IPv6 has a new header
A. Layer 2 devices (switches) are compatible, they do not look at the IP header
B. Layer 3 devices (routers) need to be upgraded to understand the new header
2. Next generation TCP/IP
A. Runs both the IPv4 and IPv6 stacks on the same computer (dual stack)
B. Windows automatically determines which to use (IPv6 is preferred when both resolve)
C. Force IPv4 with the -4 switch (e.g. ping -4 server1)
D. Force IPv6 with the -6 switch (e.g. ping -6 server1)
ISATAP
1. Intra-site Automatic Tunnel Addressing Protocol (ISATAP)
2. Used inside a private network only (IPv6 hosts tunnel to each other across the IPv4 intranet)
3. Uses the address fe80::5efe:w.x.y.z, where the embedded IPv4 address w.x.y.z is written as two hex groups
For example: 10.0.30.120 --> fe80::5efe:0a00:1e78
10 --> 0a
0 --> 00
30 -->1e
120 -->78
6to4
1. Transition protocol
2. Tunnels IPv6 traffic across an IPv4 network (the 6to4 router needs a public IPv4 address)
3. 2002:wwxx:yyzz:subnetid:interfaceid, where wwxx:yyzz is the public IPv4 address in hex, so every public IPv4 address gets its own 2002:wwxx:yyzz::/48 prefix
4. Connects IPv6 hosts over IPv4; it does not translate between the two protocols
Example: inside the company all computers use IPv6; with a 6to4 router they can still reach other IPv6 sites across the IPv4 internet. An IPv4-only server cannot talk to the IPv6 computers, and they cannot talk to it, without a separate translation mechanism.
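The address arithmetic behind the two examples above (the full/short notation and the ISATAP and 6to4 addresses) is easy to get wrong by hand, so here is an added worked example in Python. It is not part of the original notes; it uses only the standard ipaddress module, and the 203.0.113.5 address and the fd/RFC 1918 exclusion list are assumptions chosen for illustration.

```python
"""IPv6 address formats and transition-address derivation (added example)."""
import ipaddress
from typing import Tuple

# Non-public IPv4 ranges that cannot carry a 6to4 prefix (assumed list, RFC 1918 plus loopback/link-local)
_NON_PUBLIC_V4 = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]


def expand_ipv6(addr: str) -> str:
    """Full format: eight 16-bit groups, four hex digits each, upper case."""
    return ipaddress.IPv6Address(addr).exploded.upper()


def compress_ipv6(addr: str) -> str:
    """Short format: leading zeros dropped, longest run of zero groups written as '::'."""
    return ipaddress.IPv6Address(addr).compressed


def ipv4_to_hextets(ipv4: str) -> Tuple[str, str]:
    """Split w.x.y.z into the two 16-bit hex groups wwxx and yyzz."""
    b = ipaddress.IPv4Address(ipv4).packed
    return "%02x%02x" % (b[0], b[1]), "%02x%02x" % (b[2], b[3])


def isatap_link_local(ipv4: str) -> str:
    """ISATAP link-local address: fe80::5efe:<IPv4 address as two hex groups>."""
    hi, lo = ipv4_to_hextets(ipv4)
    return compress_ipv6("fe80::5efe:%s:%s" % (hi, lo))


def is_six_to_four_capable(ipv4: str) -> bool:
    """6to4 embeds the IPv4 address in the prefix, so it must be a public one."""
    ip = ipaddress.IPv4Address(ipv4)
    return not any(ip in net for net in _NON_PUBLIC_V4)


def six_to_four_prefix(ipv4: str) -> str:
    """The /48 prefix 2002:wwxx:yyzz::/48 that a public IPv4 address gives a site."""
    if not is_six_to_four_capable(ipv4):
        raise ValueError("6to4 needs a public IPv4 address, got %s" % ipv4)
    hi, lo = ipv4_to_hextets(ipv4)
    return "2002:%s:%s::/48" % (hi, lo)


def six_to_four_address(ipv4: str, subnet_id: int, interface_id: str) -> str:
    """Full 6to4 host address: prefix + 16-bit subnet id + 64-bit interface id."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id is a 16-bit field")
    prefix = six_to_four_prefix(ipv4).split("::")[0]          # 2002:wwxx:yyzz
    return compress_ipv6("%s:%x:%s" % (prefix, subnet_id, interface_id))


if __name__ == "__main__":
    print(expand_ipv6("2001:CC8::BC:BB:0:8BB6"))       # the notes' short form, expanded
    print(isatap_link_local("10.0.30.120"))            # the notes' ISATAP example
    print(six_to_four_address("203.0.113.5", 1, "0000:0000:0000:0001"))
```

Expanding the short form from the notes shows why the full form needs eight groups: the "::" in 2001:CC8::BC:BB:0:8BB6 stands for two zero groups, not one.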
Teredo
Used when the client sits behind an IPv4 NAT device; encapsulates IPv6 in UDP/IPv4 so it can traverse the NAT
IPv4 will be around for a long time
IPv6 knowledge: http://gogonet.gogo6.com
Dynamic Host Configuration Protocol (DHCP)
Use "Reservation" to give one client, identified by its MAC address, a fixed IP address (e.g. a server).
Use "Scope Options" to set the options (default gateway, DNS servers, domain name, ...) the DHCP server hands to the clients of that scope.
Remember to back up the DHCP settings.
Command prompt tip: ping dc3 | clip (copies the output to the clipboard)
then open Notepad and paste the result
Install DHCP in Server Core
1. install: start /w ocsetup DHCPServerCore
2. check: oclist | more
3. configure: netsh dhcp (there is no GUI on Server Core); set the service to start automatically with sc config dhcpserver start= auto
Example backup: netsh dhcp server dump > DHCPconfig.cfg
IPv4 DHCP Work flow (DORA)
1. Discover (Broadcast for DHCP servers)
2. Offer (Broadcasts an offer to the client)
3. Request (Requests the IP address from the DHCP server)
4. Ack (DHCP server confirms client can use IP address)
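To make the DORA exchange concrete, the following added example (not from the original notes) builds the four messages with the RFC 2131 field layout and walks both sides of the conversation in pure Python. The MAC address, transaction ID, server address 192.168.1.1 and offered address 192.168.1.50 are constructed values. The option parser also shows the check every DHCP implementation needs: an option length must never run past the end of the packet.

```python
"""Minimal DHCPv4 DORA exchange built and parsed with the RFC 2131 layout (added example)."""
import ipaddress
import struct
from typing import Dict, List, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5          # option 53 message types
OPT_REQUESTED_IP, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255
BROADCAST_FLAG = 0x8000
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"            # 236 bytes, then the magic cookie


def build_message(op: int, xid: int, mac: bytes, yiaddr: str,
                  options: List[Tuple[int, bytes]], flags: int = 0) -> bytes:
    """Assemble a BOOTP header plus DHCP options (hardware type 1 = Ethernet, 6-byte MAC)."""
    zero4 = b"\x00" * 4
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, flags,
                         zero4, ipaddress.IPv4Address(yiaddr).packed, zero4, zero4,
                         mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_options(packet: bytes) -> Dict[int, bytes]:
    """TLV option parser that refuses option lengths running past the end of the packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == 0:                 # pad byte, has no length field
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:      # attacker-controlled length field: never trust it
            raise ValueError("option %d length %d overruns packet" % (code, length))
        options[code] = value
        i += 2 + length
    return options


def is_well_formed(packet: bytes) -> bool:
    try:
        parse_options(packet)
        return True
    except ValueError:
        return False


def server_reply(request: bytes, server_ip: str, offered_ip: str, lease_seconds: int) -> bytes:
    """Server side: Discover -> Offer; Request (for this server and this address) -> Ack."""
    xid, flags = struct.unpack("!IH", request[4:8] + request[10:12])
    mac = request[28:34]                              # chaddr, first 6 bytes
    opts = parse_options(request)
    server_id = ipaddress.IPv4Address(server_ip).packed
    msg_type = opts[OPT_MSG_TYPE][0]
    if msg_type == DISCOVER:
        reply = OFFER
    elif msg_type == REQUEST:
        if opts.get(OPT_SERVER_ID) != server_id:
            raise ValueError("client chose another server")
        if opts.get(OPT_REQUESTED_IP) != ipaddress.IPv4Address(offered_ip).packed:
            raise ValueError("client requested an address we did not offer")
        reply = ACK
    else:
        raise ValueError("unexpected message type %d" % msg_type)
    return build_message(BOOTREPLY, xid, mac, offered_ip,
                         [(OPT_MSG_TYPE, bytes([reply])), (OPT_SERVER_ID, server_id),
                          (OPT_LEASE_TIME, struct.pack("!I", lease_seconds))], flags)


def run_dora(client_mac: bytes, server_ip: str, offered_ip: str, lease_seconds: int = 3600) -> dict:
    """Client side of the exchange; returns the lease the client ends up with."""
    xid = 0x3903F326                                  # constructed transaction id
    discover = build_message(BOOTREQUEST, xid, client_mac, "0.0.0.0",
                             [(OPT_MSG_TYPE, bytes([DISCOVER]))], BROADCAST_FLAG)
    offer = server_reply(discover, server_ip, offered_ip, lease_seconds)
    offer_opts = parse_options(offer)
    if struct.unpack("!I", offer[4:8])[0] != xid or offer_opts[OPT_MSG_TYPE][0] != OFFER:
        raise ValueError("offer is not for our transaction")      # ignore stray/rogue offers
    yiaddr = offer[16:20]
    request = build_message(BOOTREQUEST, xid, client_mac, "0.0.0.0",
                            [(OPT_MSG_TYPE, bytes([REQUEST])), (OPT_REQUESTED_IP, yiaddr),
                             (OPT_SERVER_ID, offer_opts[OPT_SERVER_ID])], BROADCAST_FLAG)
    ack = server_reply(request, server_ip, offered_ip, lease_seconds)
    ack_opts = parse_options(ack)
    if ack_opts[OPT_MSG_TYPE][0] != ACK:
        raise ValueError("server did not acknowledge")
    return {"xid": xid,
            "ip": str(ipaddress.IPv4Address(yiaddr)),
            "server": str(ipaddress.IPv4Address(ack_opts[OPT_SERVER_ID])),
            "lease_seconds": struct.unpack("!I", ack_opts[OPT_LEASE_TIME])[0],
            "sequence": [DISCOVER, OFFER, REQUEST, ACK]}
```

The Request carries the server identifier (option 54) and the requested address (option 50), which is how a client tells the other servers that answered the Discover that their offers were declined; the server checks both before sending the Ack.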
Configure Routing
Routing: selecting a path for your data to travel
MAC address and routing:
Hosts use ARP (Address Resolution Protocol) to find the MAC address belonging to an IP address on the local subnet
Traffic for another subnet is sent to the MAC address of the default gateway (router), which routes it on
Install Routing
1. Add Role "Network Policy and Access Services"
2. Choose "Routing" component
3. Install it
4. Click Start / Administrative Tools / Routing and Remote Access
5. Right click the server and click "Configure and Enable Routing and Remote Access"
6. Choose "Custom configuration"
7. Choose "LAN routing"
Static Routing
1. Create a manual entry in the routing table
2. Overrides dynamic routes
3. Command:
a. Add route: route -p add <dest ip> mask <mask> <GW>
Example: route -p add 192.168.50.0 MASK 255.255.255.0 10.0.2.2
b. Check route table: route print -4
Routing Protocols
1. Automatically builds routing table
2. Change as network changes
a. Support multiple paths
3. Open Shortest Path First (OSPF)
a. No longer supported in Windows Server 2008
b. Was supported in Windows Server 2003
4. Routing Information Protocol (RIP)
a. Windows Server 2008 supports version 2
b. Distance-vector protocol based on hop count (the route with the lowest hop count is added to the routing table; 16 hops means unreachable)
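An added example (not from the original notes) that models what the static route command and RIP's hop-count rule above do to a routing table: it parses the route add syntax from the notes, applies RIP advertisements with the "lowest hop count wins" rule and the 16-hop infinity, and resolves a destination by longest prefix match. The route table, neighbour addresses and hop counts are constructed values; the rule that a static route is never replaced by a RIP route follows the notes' statement that static routes override dynamic ones.

```python
"""Static and RIP-learned routes: longest-prefix match and hop-count selection (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

RIP_INFINITY = 16          # RIP hop count meaning "unreachable"


@dataclass
class Route:
    destination: ipaddress.IPv4Network
    gateway: str
    metric: int            # hop count for RIP routes; 1 (or METRIC n) for a static route
    source: str            # "static" or "rip"


def parse_route_add(command: str) -> Route:
    """Parse 'route [-p] add <dest> MASK <mask> <gateway> [METRIC n]' as typed at cmd.exe."""
    tokens = command.split()
    if len(tokens) < 2 or tokens[0].lower() != "route":
        raise ValueError("not a route command")
    args = [t for t in tokens[1:] if t.lower() != "-p"]      # -p only makes the route persistent
    if len(args) < 5 or args[0].lower() != "add" or args[2].lower() != "mask":
        raise ValueError("expected: route add <dest> MASK <mask> <gateway>")
    destination = ipaddress.IPv4Network((args[1], args[3]), strict=True)   # rejects host bits set
    metric = 1
    if len(args) >= 7 and args[5].lower() == "metric":
        metric = int(args[6])
    return Route(destination, args[4], metric, "static")


def rip_update(table: List[Route], network: str, neighbour: str, advertised_hops: int) -> bool:
    """Apply one RIP advertisement; install it only if it beats what the table holds."""
    hops = advertised_hops + 1                        # one more hop: the path goes via the neighbour
    if hops >= RIP_INFINITY:
        return False                                  # unreachable, never installed
    net = ipaddress.IPv4Network(network)
    for i, route in enumerate(table):
        if route.destination == net:
            if route.source == "static" or route.metric <= hops:
                return False                          # static wins; equal or better route is kept
            table[i] = Route(net, neighbour, hops, "rip")
            return True
    table.append(Route(net, neighbour, hops, "rip"))
    return True


def lookup(table: List[Route], address: str) -> Optional[Route]:
    """Longest prefix match first, lowest metric as the tie-breaker."""
    ip = ipaddress.IPv4Address(address)
    candidates = [r for r in table if ip in r.destination]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.destination.prefixlen, r.metric))


if __name__ == "__main__":
    table = [parse_route_add("route -p add 192.168.50.0 MASK 255.255.255.0 10.0.2.2"),
             parse_route_add("route add 0.0.0.0 MASK 0.0.0.0 10.0.2.1 METRIC 10")]
    rip_update(table, "172.16.0.0/16", "10.0.2.9", 2)
    for r in table:
        print(r.destination, r.gateway, r.metric, r.source)
    print(lookup(table, "172.16.3.4"))
```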
Setting RIP
1. Click Start / Administrative Tools / Routing and Remote Access
2. Click server / IPv4
3. Right click "General" and Click "New Routing Protocol"
4. Choose “RIP Version 2 for Internet Protocol”
5. Right click "RIP" and Click "New Interface"
6. Add the interface in the list
Troubleshooting Routing
1. tracert <hostname>
tracert -d <hostname>: disable reverse name lookups
2. pathping <hostname>
Windows Firewall
Reason to use firewall
1. Controls network traffic coming and going
2. Helps stop your computer becoming infected
3. Prevents your computer infecting others
How Firewall work
Windows uses a stateful firewall: return traffic for a connection the host opened is allowed automatically, unsolicited inbound traffic needs a rule
Firewall Features
1. Inbound rules / outbound rules
2. Remote configuration
3. Integrates with IPSec
Firewall Profiles
1. Domain Profile (computer can contact the domain controller)
2. Private Profile (small network)
3. Public Profile (most restrictive / blocks incoming connection)
Configure Windows Firewall
1. Based on
a. Where traffic came from
b. Port / Protocol it is using
c. Software it came from
d. Services
2. Basic firewall configuration (Control Panel applet)
a. can't configure outbound rules
b. can't configure IPsec
3. Windows Firewall with Advanced Security (full rule and IPsec configuration)
Basic firewall configuration
1. Go to Control Panel / Windows Firewall
2. Click "Allow programs to communicate through Windows Firewall" to change the policy
Windows Firewall with Advanced Security
1. Create more specific rules
2. IPSec configuration
3. Monitoring Section
4. Can be used for remote administration (connect the console to another computer)
Group Policy set Windows Firewall
Go to Computer Configuration / Policies / Windows Settings / Security Settings / Windows Firewall with Advanced Security
Same as "Windows Firewall with Advanced Security"
IPSec
IPSec: Internet Protocol Security, Securing IP communications
1. Protects communication client to server / server to server / network to network
2. Provides authentication of the peers
3. Prevents eavesdropping (encryption with ESP)
4. Prevents replay attacks (sequence numbers)
5. Prevents data tampering (integrity check)
Windows Server 2008
1. Integrated with Windows Firewall
2. Support for IPv6
3. Integrates with NAP
4. Improved load balancing and clustering support
5. More encryption and integrity algorithms (e.g. AES)
Security Association(SA)
1. Logical group of security parameters
a. contains algorithms used
b. contains key sizes
Protocol Used in IPSec
1. Internet Key Exchange (IKE)
2. Authentication Header (AH): provides integrity and authentication but no encryption; because it also covers the IP header it does not work through NAT
3. Encapsulating Security Payload (ESP): provides encryption and, optionally, integrity and authentication
IPsec Modes (the two IKE negotiation phases)
1. Main mode (IKE phase 1)
a. Time consuming: verifies the identity of each party and agrees on keys
b. Establishes a secure channel that is then used to negotiate quick mode
2. Quick mode (IKE phase 2)
a. Negotiates the security associations (AH and/or ESP) that actually protect the data between the parties
IPSec Creation
1. Go to start / Administrative Tools / Windows Firewall with Advanced Security
2. Right Click "Connection Security Rules" and click "New Rule"
3. Choose "Isolation"
4. Choose "Request authentication for inbound and outbound connections"
5. Choose "Default"
6. Input "Name" and finish
IPSec Troubleshooting
Check the Main Mode and Quick Mode security associations under Monitoring in Windows Firewall with Advanced Security
Type of Connection
1. Isolation: based on authentication criteria
2. Authentication Exemption: specify computers that do not need to authenticate
3. Server to Server: can enter in your own end point or points
4. Tunnel: encapsulates the whole IP packet inside a new IP packet (gateway to gateway)
IPSec Authentication Methods
1. Kerberos: computers in domain
2. Certificates
3. NTLMv2: computers in a workgroup / a firewall is blocking Kerberos
4. Preshared key: weak (stored in clear text in the policy), not recommended
Group Policy
1. Go to Computer Configuration / Policies / Windows Settings / Security Settings
a. Windows Firewall with Advanced Security
b. IP Security Policies on Active Directory
i. Filter Action
ii. Filter List
iii. Rule
DNS Server
1. Windows server 2008 support IPv6
2. Background zone loading
3. Support for read only domain controllers
DNS Name Space
Root Domain: . (13 root server names, listed in the root hints)
Top Level Domains: .net / .org / .com
Second Level Domains: example / Microsoft
Sub Domains: www / ftp / sales
Install Requirements
1. static IP address
2. the user account must be a member of the local Administrators group
3. on a domain controller, the zone data can be stored in AD (AD-integrated zone)
4. at least 2 DNS servers on your network (for redundancy)
Cache only DNS Server
All DNS servers cache resolved requests
Cache-only DNS server: does not hold any DNS data or zones; it only answers from its cache or by recursion/forwarding
(useful at the end of a slow network link with only a few clients)
Advantages: 1. easy to set up; 2. no zone administration
DNS Properties
1. Interfaces: listen only on the company (internal) IP address, so the service is not exposed on other interfaces
2. Forwarders: forward the requests this DNS server cannot resolve to a specific DNS server
3. Advanced:
Disable recursion (also disables forwarders): when the server only needs to answer for its own zones, select it so the server cannot be used as an open resolver, which reduces its exposure to DoS (Denial of Service) abuse
4. Root Hints: no need to change them
5. Debug Logging: detailed packet-level log of the DNS service for troubleshooting (costs performance; turn it off afterwards)
6. Event Logging: what the DNS service writes to the event log
7. Monitoring: quick test of the DNS service status (simple and recursive test query)
DNS Zones Types
1. Primary Zone
2. Secondary zone
3. Active directory integrated zone
4. stub zone
Primary Zone
1. Read/Write copy
2. Stored in a text file (%systemroot%\system32\dns\<zone>.dns)
3. The server holding the primary zone must be available to make changes
Secondary zone
1. Read-only copy (obtained by zone transfer from a primary, secondary or AD-integrated zone)
2. Windows can host a secondary zone for a UNIX (BIND) primary zone
AD Integrated zone
1. Only available on domain controllers (every writable DC hosting the zone has a read/write copy, multi-master)
2. High availability and redundancy
3. Harder to restore in a disaster (the zone lives in AD, not in a text file)
4. Also supported on read-only domain controllers (read-only copy)
5. Supports secure dynamic updates
Stub Zone
Holds only the SOA, NS and glue A records of a zone and redirects requests to a server that can answer them
Forward lookup zone: resolves names to IP addresses
Reverse lookup zone: resolves IP addresses to names
DNS Records Types
1. SOA (Start of Authority): primary name server / email of the administrator / zone serial number (incremented on every change; secondaries compare it to decide whether to transfer)
2. A or AAAA record: maps a name to an IPv4 / IPv6 address
3. CNAME (Canonical name / alias): points to an A or AAAA record
4. SRV (Service record): locates services, e.g. domain controllers (_ldap._tcp, _kerberos._tcp)
5. MX (Mail Exchange): the lowest preference value is tried first
6. PTR records: map an IP address to a name; can be created automatically; require an existing reverse lookup zone
Dynamic DNS
Clients register their own A records; the DHCP server registers the PTR record and can register both on the client's behalf
Force an update of a client's DNS records: ipconfig /registerdns
Domain computers can update with secure updates (only the owner of a record can change it)
If a domain controller's service (SRV) records are missing or damaged: right click the DNS server / Forward Lookup Zones / domain and click Properties, choose the General tab, set Dynamic updates to "Secure only", then restart the Netlogon service on the domain controller (net stop netlogon, then net start netlogon) so it re-registers its SRV records.
DNS Replication
Zone Transfer: transfer of DNS records between DNS servers (full AXFR or incremental IXFR)
Zone Replication:
1. AD-integrated zones replicate with AD (same schedule and security as AD replication)
2. Primary and secondary zones: restrict which servers may request a zone transfer (Zone Transfers tab), otherwise anyone can pull the whole zone
DNS Resolve Process
1. Local DNS resolver cache (preloaded from the hosts file, %systemroot%\system32\drivers\etc\hosts)
2. DNS server
3. LLMNR multicast (IPv4 and IPv6, single-label names on the local link)
4. NetBIOS name cache
5. WINS server
6. NetBIOS broadcast (IPv4)
7. Lmhosts (%systemroot%\system32\drivers\etc\lmhosts)
Troubleshooting
1. ipconfig /flushdns
2. ipconfig /registerdns
3. ipconfig /displaydns
4. nbtstat -n
Remote Access 3 stages
1. Connection: physical connection
2. Authentication: who they are
3. Authorization: what they can access
ICS (Internet connection sharing) Config
Share the internet connection with other computers
1. Control Panel / View network status and tasks
2. Change Adapter Setting
3. Right click network adapter and click the properties
4. Go to Sharing page
Remote Access Service(one internal network adapter, one public network adapter)
Install
1. Add "Network Policy and Access Services" Role
2. Choose "Remote Access Service"
Config
1. Go to Administrative Tools / Routing and Remote Access
2. Right click the server and click the "Configure and Enable Routing and Remote Access"
3. Choose "Remote Access"
4. Choose "VPN" and "Dial up"
5. Choose internal network adapter
6. Choose Automatically if you have DHCP
VPN Protocols
1. PPTP (Point-to-Point Tunneling Protocol): Microsoft protocol; supports only TCP/IP; TCP port 1723 plus GRE (IP protocol 47); the oldest and weakest of the three
2. L2TP/IPsec (Layer Two Tunneling Protocol): open standard; UDP port 1701 (L2TP), UDP 500 (IKE), UDP 4500 (NAT-T) and ESP (IP protocol 50); L2TP itself does not encrypt, IPsec does
3. SSTP (Secure Socket Tunneling Protocol): TCP port 443; uses SSL/TLS for encryption, so it passes through most firewalls and proxies
Client Config
1. Control Panel / View network status and tasks
2. Click "Set up a new connection on network"
3. Click "Connect to a workplace"
4. Click "VPN"
5. Click "I'll set up an Internet connection later"
6. Input the IP address (or name) of the RAS server into "Internet address"
7. Input the username and password (the user needs "Allow access" set on the Dial-in tab of the user account)
NPS(Network Policy Server) Config
Instead of setting the Dial-in tab per user, NPS network policies define the rules that decide who may connect to your network
1. Go to Administrative Tools / Routing and Remote Access
2. Right click "Remote Access Logging & Policies" and click "Launch NPS"
3. Click folder "Network Policies" to check current policies
4. Right click "Network Policies" and click "New" to create new policy
5. Input name and choose "Remote Access Server(VPN-Dial up)"
6. On the Specify Conditions page, set the conditions based on Windows Groups, User Groups, ...
RADIUS
1. Remote Authentication Dial In User Service
2. Provides AAA (Authentication, Authorization, Accounting); NPS is the RADIUS server in Windows Server 2008
Troubleshooting
1. check network connection
2. check firewall rule
Network Access Protection(NAP)
1. Protects the integrity of your network by
a. Performing health checks on connecting computers
b. Isolating computers that fail the health check
c. Updating (remediating) computers so they can pass the health check
The NAP Process
Statement of health sent to a NAP enforcement point (DHCP, VPN, ...)
If computer fails health check
1. Do nothing
2. Deny access
3. Grant access to Remediation network
NAP Components
1. System Health Agent (SHA)
Reports health state
Server 2008, Windows 7, ...
2. System Health Validator (SHV)
Network Policy Server component(Server 2008 only)
Can work with radius
3. Remediation Servers (Optional)
Update antivirus
WSUS
NAP Network Layout
meets requirements: production network (DC, DHCP)
fail health check: remediation network (WSUS, Read only DC, DHCP)
no nap support: guest network (DHCP, Web proxy)
DHCP NAP Config
1. Compliant Clients --> Full access
2. Non Compliant Clients --> Limit access
NAP Server
Install NAP: add "Network Policy and Access Services" / "Network Policy Server"
Go to Administrative Tools / Network Policy Server
DHCP Server
Install NAP: add "Network Policy and Access Services" / "Network Policy Server"
Go to Administrative Tools / Network Policy Server
Client part
Setting in Group policy
Network Authentication
NTLM: challenge/response based on the password hash; authenticates the user each time access is required
Kerberos: ticket based, requires synchronized clocks, the hostname (SPN) and the domain
EAP: authentication framework that carries many methods
EAP-TLS: certificate based, e.g. smart cards
Wireless Standard
802.11a 54 Mbps, 5 GHz, short range
802.11b 11 Mbps, 2.4 GHz, good range, slow speed
802.11g 54 Mbps, 2.4 GHz, good range
802.11n up to 600 Mbps (typically 150-300), very fast, uses multiple input, multiple output (MIMO)
Wireless Security
1. Disabled SSID broadcast (hides the name only; not a security control)
2. MAC filtering (MAC addresses are easy to spoof)
3. WEP (Wired Equivalent Privacy): broken, do not use
4. WPA (Wi-Fi Protected Access)
WPA-PSK (Personal: pre-shared key)
WPA-EAP (Enterprise: authentication through a RADIUS server)
5. WPA2 (AES/CCMP)
6. 802.1X (port-based network access control: the client authenticates before the port passes traffic)
Wireless Modes
1. Infrastructure mode
2. Ad hoc mode
Domain Wireless Management (Bootstrap Wireless Profile)
Config Bootstrap Wireless Profile by Group Policy
NTFS Permissions (Default Inheritance)
1. List Folder Contents
2. Read
3. Read & Execute
4. Write (does not give read or delete)
5. Modify (all the above including delete)
6. Full Control (all the above plus change permissions and take ownership)
7. Special Permissions (13 granular permissions)
Ownership (Properties --> Security --> Advanced --> Owner)
1. The owner can always change the permissions
2. Administrators can take ownership even without permission
NTFS Permission Troubleshooting
Check a user's actual permissions on a file or folder: Properties --> Security --> Advanced --> Effective Permissions
In a parent folder you can re-apply inheritance to its subfolders and files: Properties --> Security --> Advanced (replace the permissions on all descendants with the inheritable permissions from this object)
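The Effective Permissions tab computes the result of allow and deny entries, group membership and inheritance; the following added example (not from the original notes) reproduces that calculation in Python so the rules are visible. It evaluates ACEs in the canonical order Windows uses (explicit deny, explicit allow, inherited deny, inherited allow), adds the owner's implicit right to change permissions and the Administrators group's implicit right to take ownership from the notes above. The basic-to-granular mapping is a simplified subset, and the users, groups and ACL are constructed for the example.

```python
"""Effective NTFS permissions from an ACL in canonical order (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Subset of the special (granular) permissions, grouped into the basic permissions
# shown on the Security tab. Write deliberately carries no read and no delete right.
_READ = {"read_data", "read_attributes", "read_permissions"}
_WRITE = {"write_data", "append_data", "write_attributes"}
BASIC: Dict[str, Set[str]] = {
    "Read": _READ,
    "Read & Execute": _READ | {"execute"},
    "List Folder Contents": _READ | {"execute"},
    "Write": _WRITE,
    "Modify": _READ | {"execute"} | _WRITE | {"delete"},
}
BASIC["Full Control"] = BASIC["Modify"] | {"delete_subfolders", "change_permissions", "take_ownership"}


@dataclass(frozen=True)
class Ace:
    trustee: str             # user or group name
    kind: str                # "allow" or "deny"
    permission: str          # a key of BASIC
    inherited: bool = False  # True if the entry came from a parent folder


def _canonical(acl: Iterable[Ace]) -> List[Ace]:
    """Explicit deny, explicit allow, inherited deny, inherited allow: the order Windows evaluates."""
    return sorted(acl, key=lambda a: (a.inherited, a.kind == "allow"))


def effective_rights(acl: Iterable[Ace], principal: str, groups: Iterable[str],
                     owner: Optional[str] = None, administrators: str = "Administrators") -> Set[str]:
    """Granular rights the principal ends up with; the first ACE naming a right decides it."""
    subjects = {principal, *groups}
    decided: Dict[str, bool] = {}
    for ace in _canonical(acl):
        if ace.trustee not in subjects:
            continue
        for right in BASIC[ace.permission]:
            decided.setdefault(right, ace.kind == "allow")
    rights = {r for r, allowed in decided.items() if allowed}
    if owner == principal:                               # the owner can always change permissions
        rights |= {"read_permissions", "change_permissions"}
    if administrators in subjects:                       # administrators can always take ownership
        rights.add("take_ownership")
    return rights


def can(acl: Iterable[Ace], principal: str, groups: Iterable[str], permission: str,
        owner: Optional[str] = None) -> bool:
    """True if every granular right of the basic permission is effectively allowed."""
    return BASIC[permission] <= effective_rights(acl, principal, groups, owner)


# Constructed sample ACL on a Sales folder (not taken from the notes)
SAMPLE_ACL = [
    Ace("Sales", "allow", "Modify", inherited=True),
    Ace("Everyone", "allow", "Read", inherited=True),
    Ace("alice", "deny", "Write"),                        # explicit deny on alice only
    Ace("Everyone", "deny", "Write", inherited=True),     # inherited deny from the parent folder
    Ace("bob", "allow", "Modify"),                        # explicit allow beats an inherited deny
]

if __name__ == "__main__":
    for user, groups in (("alice", ["Sales", "Everyone"]), ("bob", ["Sales", "Everyone"])):
        print(user, sorted(effective_rights(SAMPLE_ACL, user, groups)))
```

Two things the example makes visible that surprise people in the Effective Permissions tab: alice keeps delete from the Sales group's Modify even though her Write is denied, and bob's explicit allow wins over the inherited deny on Everyone.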
File Sharing Permissions (same thing, different names)
| Classic | Windows Server 2008 R2 | Windows Server 2008 |
| Read | Read | Reader |
| Change | Read / Write | Contributor |
| Full control | Owner | Co-Owner |
File Server Role
1. Server Manager additions to manage shares: generate reports
2. Quotas
3. File Screening
4. File Classifications (R2)
Special Features of File Server
1. Can use NFS to share a folder so that UNIX or Linux systems can access it;
2. In "SMB Settings" / Advanced you can enable "access-based enumeration": users see only the folders they have permission to access;
Offline Files (poor network)
Server
1. install "BranchCache for network files" (one of the file service role services)
2. Right click the folder and click Properties --> Sharing --> Advanced Sharing
3. Enable "Share this folder"
4. Click "Caching"
5. Choose the first option to enable offline files
6. Users need at least Change permission on the share to use offline files
Client
1. Click Tools --> "Map network drive" to create a network drive
2. Right click the network drive and click "Always available offline"
3. Click Tools --> "Open Sync Center"
4. Click "Manage offline files" to check the status, settings, encryption, network usage, etc.
Test
1. On the client, select the network drive and click "Work offline"
2. Update the file on both the client and the server with different content
3. On the client, select the network drive and click "Work online"
4. In Sync Center you can see the conflict
Encrypting File System (EFS)
1. Encrypts files and folders (protects data on the hard disk from offline attacks, e.g. a stolen disk read from another operating system)
2. Uses a symmetric key (the File Encryption Key: one key for encryption and decryption)
3. The user's asymmetric (public) key protects the symmetric key
If you do not want to use EFS, disable it
1. domain: Group policy
A. Computer Configurations --> Policies --> Windows Settings --> Security Settings --> Public Key Policies --> Encrypting File System
B. Right click "Encrypting File System", click "Properties"
C. Choose "Don't Allow", the EFS feature will be disable in domain
2. WorkGroup: Local Security Policy
A. Public Key Policies --> Encrypting File System
B. Right click "Encrypting File System", click "Properties"
C. Choose "Don't Allow"; EFS will be disabled on the local computer
Encryption Process (key: symmetric FEK, protected by the user's public key)
1. Right click the file and click Properties --> General --> Advanced
2. Choose "Encrypt contents to secure data"
3. The file name is shown in green afterwards
4. Run "mmc", add the "Certificates" snap-in and check under Personal whether an EFS certificate was created for you
5. Right click the file and click Properties --> General --> Advanced
6. Click "Details" next to "Encrypt contents to secure data"
7. To let another user read or write the file, that user needs their own EFS certificate
A. Log on to the computer as the target user
B. Generate a new EFS certificate and key: cipher /k
C. Log off the target user
8. Right click the file and click Properties --> General --> Advanced --> Details
9. Add the target user to the users who can access the file
Data Recovery Agent (DRA): a user who can decrypt any encrypted file (the FEK is also protected with the DRA's public key)
Add an additional DRA (the default is the domain Administrator account)
1. Log on as the future DRA user on a client machine
2. Create the DRA certificate and key: cipher /r:<file name without extension>
Example: cipher /r:dra (creates dra.cer with the public certificate and dra.pfx with the private key)
3. Enter a password when prompted (it protects the .pfx)
4. On the DC, go to Group Policy Management
5. To apply it to the whole domain, edit the "Default Domain Policy"
6. Go to Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Public Key Policies --> Encrypting File System
7. Right click "Encrypting File System", click "Add Data Recovery Agent"
8. Import the .cer file (keep the .pfx with the private key offline: whoever holds it can decrypt every EFS file in the domain)
9. Right click "Encrypting File System", click "Properties"
10. Choose "Allow" for File encryption using Encrypting File System (enables EFS in the domain)
If you choose "Don't Allow", EFS is disabled in the domain
11. Go back to the client machine and apply the Group Policy: gpupdate /force
Distributed File Server
1. Many shares accessed through one namespace
2. Create replicates
Install DFS
1. Add "file services" in role
2. Choose "Distributed File System"
3. Input the namespace
4. Choose the namspace type
Domain-based namespace: stored in AD and replicated to the namespace servers
Stand-alone namespace: stored on the local server only
5. Choose the admin account to continue
6. Add share folders in local server to the DFS
Windows Server 2008 mode
1. Forest functional level Windows Server 2003 or higher
2. Domain functional level Windows Server 2008 or higher
3. All namespace servers run Windows Server 2008
4. Supports access-based enumeration (right click the namespace, click Properties, go to the Advanced tab)
5. Supports more than 5000 folders with targets
DFS Options
Right click the namespace and click properties, go to Advanced tab
1. Optimize for consistency (fewer than 16 namespace servers)
A. Namespace servers poll the PDC emulator for changes
2. Optimize for scalability (16 or more namespace servers)
A. Poll the nearest DC for changes
B. Changes do not appear until Active Directory replicates
Right click the namespace and click properties, go to Referrals tab
3. Ordering method for clients with no local file server
A. Random order
B. Lowest Cost
C. Exclude targets outside of the clients' site
DFS Admin
1. Go to control panel --> Administrative tools --> DFS Management
2. To increase redundancy:
A. Add a second folder target: another share on a different server holding the same content
B. Add a replication group: set the sync method and schedule between the two shares (DFS Replication)
Shadow Copy Service
1. Takes snapshots of your data on a schedule
2. Very fast: saves changes at the block level
3. Works at the volume level
4. Keeps the changes within the allotted disk space; when the space is full the oldest copies are deleted (FIFO)
5. Not recommended as protection for database servers
6. Not a replacement for backups
Shadow Copy Config
1. In Windows Server 2008, right click the disk drive and click "Configure Shadow Copies"
2. First Settings, then Enable
3. Choose the disk drive you want shadow copies for
4. Click Schedule: the default is twice per day
5. Make some changes to specific files
6. Run a manual shadow copy by clicking "Create Now"
7. Right click a file and click "Restore previous versions"
8. Right click a folder and click "Restore previous versions"
Windows Server Backup
1. Replaces Windows NT Backup
2. NTBackup is available for download from Microsoft
Restore only; it will not back up
3. Windows Server 2008 backs up volumes only
4. Windows Server 2008 R2 can back up folders
5. No longer supports tape drives
6. Supports backup to hard disk, USB, optical media and network shares
7. Complete PC Restore (bare-metal recovery)
8. Excellent incremental backup support
Works best when the hard disk has been defragmented
Windows Server Backup Process
1. Add feature: Windows Server Backup Features
2. Go to Control Panel / Administrative Tools / Windows Server Backup
3. Use "Backup once" or "Backup Schedule" to backup
4. Choose items for backup
5. Choose the target
6. Click "close", the backup still runs background
7. The backup file is VHD
Windows Server Restore Process
1. Go to Control Panel / Administrative Tools / Windows Server Backup
2. Click "Recover"
3. Choose the backup date
4. Choose the recover type
5. Recovery Options
Disk Quotas
1. Control how much drive space a user can use
A. Soft quota: warning only
B. Hard quota: stops write access
2. Must be on an NTFS formatted volume
3. Calculated based on who owns the file
A. Does not apply to the Administrators group
Quotas Systems
1. NTFS Quotas:
A. Per user/per volume
B. Logical file sizes
C. Event log notification only
2. FSRM Quotas
A. by folder or volume
B. Actual disk space
C. notification via email, event, ...
3. Using group policy (Define NTFS Quotas in Domain)
FSRM Quotas
1. Add role "File services" / "File Server Resource Management"
2. Choose the volumes to monitor
3. After installation, it still needs to be configured
4. Go to Server Manager --> File Services --> Share and Storage Management --> File Server Resource Manager --> Quota Management
Print Service
Local printer: the printer software (driver) is installed locally;
Network printer: the printer software is installed on another server (the print server);
To share the printer in the domain:
1. Go to the printer's Properties; on the General tab, choose the default paper size;
2. On the Sharing tab, choose "List in the directory" to publish the printer in AD as a resource;
3. On the Sharing tab, click "Additional Drivers" to install drivers for other client architectures;
4. On the Advanced tab, enter "Available from" and "to" to define when the printer may be used;
Printer Pooling
Printer pooling: all printers in the pool need the same printer driver
Go to the Ports tab, select the ports and choose "Enable printer pooling"
Print Management
1. Install "Print and Document Services" in the role services
2. With Print Management you can manage all printers in the domain
3. Can export the printer configuration to back it up or restore it
WSUS(Windows Server Update Services)
1. Download updates from Microsoft and store locally
2. Allows you to approve or decline updates
3. Put computers into groups for administrative purposes
WSUS Requirements
Software
1. Windows Server 2008 R2 / Windows Server 2008 SP1
2. Windows Server 2003 SP1
3. .NET framework 2.0
4. Windows internal database
5. Microsoft Management Console 3.0
6. IIS 6.0 (ASP.NET / Windows authentication / Dynamic content compression)
Hardware
1. NTFS
2. 1GB for system partition
3. 2GB for database parition
4. 20GB for updates
Install WSUS
http://www.microsoft.com/wsus or server management add role
1. Choose the update server
2. Set proxy server
3. Choose languages
4. Choose Microsoft products
5. Choose Classification (Type of updates)
Recommendation: defaults + Drivers
If the networks performance good add "Feature packs" and "Service packs"
6. Choose Sync Schedule (When to download)
Configuring WSUS
1. Go to "Windows Server Update Services"
2. Click WSUS --> Options to update the setting
WSUS Groups
1. Default Groups
A. All computers
B. Unassigned computers
2. Server Side Targeting
A. Perform through the WSUS admin tool
3. Client Side Targeting
A. Done through by Group Policy
Server Side Targeting
Client
1. Go to Local Group Policy Editor --> Computer Configuration --> Administrative Templates --> Windows Components --> Windows Update
2. Double click "Specify intranet Microsoft update service location"
3. Choose "Enabled" and input the WSUS server URL
4. Apply the policy with the command: gpupdate
WSUS Server
1. Go to "Windows Server Update Services --> WSUS --> Computers"
2. Create a new group and put the client into the group
3. Create a new rule in WSUS --> Options --> Automatic Approvals
4. Choose "When an update is in a specific classification" and "When an update is in a specific product"
5. Click the links in step 2 to set the product, classification and group, and input the rule name
Client Side Targeting
WSUS Server
1. Go to "Windows Server Update Services --> WSUS --> Options --> Computers
2. Choose "Use Group Policy or registry settings on computers"
Domain Controller
1. Go to "Group Policy Management"
2. Create one policy
3. Edit policy by Go to Computer configuration -->Policies --> Administrative Templates --> Windows Components --> Windows Update --> Standard
4. Click "Enable client-side targeting"
5. Choose "Enabled" and input the group name
6. Click "Specify intranet Microsoft update service location"
7. Choose "Enabled" and input the WSUS location
WSUS Server
1. Go to "Windows Server Update Services --> WSUS --> Computers
2. Create the computer group name you create in Group Policy
3. Input command to refresh: wuauclt /resetauthorization /detectnow
WSUS Report
1. Install Microsoft Report Viewer 2008 Redistributable
2. Go to "Windows Server Update Services --> WSUS --> Reports
Windows Performance Tools
1. Task Manager
2. Resource monitor
3. Performance Monitor
Event logs new features in Windows Server 2008
1. New logs: Setup / Forwarded Events
2. Can create custom view: filter
3. Can export to XML
4. Integration with task scheduler
Connect an issue in the event log to a scheduled task
1. Go to Event Viewer
2. Right click the specific issue and click "Attach Task to This Event..."
3. Set the windows scheduler task
Event Forwarding
The forwarder (source) computer pushes a copy of its event log entries to the collector computer (over WinRM)
Requirement: Windows Server 2008 / Windows 7 / Windows Vista
Example: Windows 7 --> Windows Server 2008 R2
Process:
Forwarder computerIPv6
Improvement
1. large address space
2. more efficient routing
3. simple automatic configuration
4. built in security
5. better quality of service features
128 bits
64 bit prefix (Network ID): 3 bit prefix / 45 bit routing prefix / 16 bit subnet
64 bit interface identifier (Host ID)
Example:
full format: 2001:0CC8:0000:00BC:00BB:0000:8BB6
short format: 2001:CC8::BC:BB:0:8BB6
Address Type
A. Global Unicase Address
1. Equivalent to IPv4 public addresses
2. Routable on the internet
3. Hierarchical based
4. First 3 bits are always 001
address start with 2000-3FFF
B. Link Local Address
1. Automatically applied to your adapter
2. Begin with fe80
3. Always assinged to your adapter
4. Local network only
5. Zone id
C. Unique Local Address
1. Equivalent to private ranges in IPv4
2. Private network used only
3. Start with fd
D. Loopback Used to tst the network stack ::1
E. Anycast
F. Multicast: ff00::
Life cycle of IPv6 Address
1. Tentative: check for duplicates
2. Preferred: use for the lifetime of the ip address
3. Deprecated: the lifetime of the address has expired(existing communication can still use, new communication not allowed)
Transition from IPv4 to IPv6
Transition Technologies
ISATAP / 6to4 / Teredo
IPv6 Transition Technologies
1. IPv6 has a new header
A. Layer 2 devices are compatible
B. Layer 3 devices need to be upgraded
2. Next generation TCP/IP
A. Allow both the IPv4 and IPv6 stack on the same computer
B. Windows automatically determines which to use
C. Force IPv4 use the -4 switch
D. Force IPv6 use the -6 switch
ISATAP
1. Intra-site Automatic Tunnel Addressing Protocol (ISATAP)
2. Used in a private network only
3. Uses the address fe80::0:5efe:ww.xx:yy.zz
For example: 10.0.30.120 --> fe80::5efe:0a00:1e78
10 --> 0a
0 --> 00
30 -->1e
120 -->78
6to4
1. Transition protocol
2. Allow IPv4 networks to tunnel IPv6 traffic
3. 2002:wwxx.yyzz:subnetid:interfaceid
4. Allow IPv6 clients to connect to IPv4 while IPv4 can not connect to IPv6
Example: inside company all the computer using IPv6, with 6to4 router, they still can visit IPv4 SERVER. But the IPv4 SERVER cannot visit the IPv6 computers
Teredo
Used when you have an IPv4 NAT device
IPv4 will be around for a long time
IPv6 knowledge: http://gogonet.gogo6.com
Dynaimc Host Configuration Protocol (DHCP)
Use "Reservation" to add policy which set one static ip address to one server.
Use "Scope Option" to add policy which DHCP server to assign client computer.
Remember to backup the DHCP setting
dos command: ping dc3 | clip
open notepad and paste the result
Install DHCP in Server Core
1. install: setup DHCPServerCore
2. check: oclist | more
3. configure: netsh
Example backup: netsh dhcp server dump > DHCPconfig.cfg
IPv4 DHCP Work flow (DORA)
1. Discover (Broadcast for DHCP servers)
2. Offer (Broadcasts an offer to the client)
3. Request (Requests the IP address from the DHCP server)
4. Ack (DHCP server confirms client can use IP address)
Configure Routing
Routing: selecting a path for your data to travel
MAC address and routing:
use ARP(Address Resolution Protocol)
ARP: use media access control (MAC) in local subnet
Install Routing
1. Add Role "Network Policy and Access Services"
2. Choose "Routing" component
3. Install it
4. Click Start / Administrative Tools / Routing an Remote Access
5. Right click server and click "Configure and Enable Routing an Remote Access"
6. Choose "Custom configuration"
7. Choose "LAN routing"
Static Routing
1. Create a manual entry in the routing table
2. Overrides dynamic routes
3. Command:
a. Add route: route -p add <dest ip> mask <mask> <GW>
Example: route -p add 192.168.50.0 MASK 255.255.255.0 10.0.2.2
b. Check route table: route print -4
Routing Protocols
1. Automatically builds routing table
2. Change as network changes
a. Support multiple paths
3. Open Shortest Path First (OSPF)
a. No longer supported in Windows Server 2008
b. Supported in Windows Server 2003
4. Routing Information Protocol (RIP)
a. Windows Server 2008 supports version 2
b. Based on hop count (the route with the lowest hop count gets added to the routing table)
Setting RIP
1. Click Start / Administrative Tools / Routing and Remote Access
2. Click server / IPv4
3. Right click "General" and Click "New Routing Protocol"
4. Choose "RIP Version 2 for Internet Protocol"
5. Right click "RIP" and Click "New Interface"
6. Add the interface in the list
Troubleshooting Routing
1. tracert <hostname>
tracert -d <hostname>: disable reverse name lookups
2. pathping <hostname>
Windows Firewall
Reason to use firewall
1. Controls network traffic coming and going
2. Helps stop your computer becoming infected
3. Prevents your computer infecting others
How Firewall work
Windows uses a stateful firewall (it tracks the state of connections)
Firewall Features
1. Inbound rules / Outbound rules
2. Remote configuration
3. Integrates with IPSec
Firewall Profiles
1. Domain Profile (computer can contact the domain controller)
2. Private Profile (small network)
3. Public Profile (most restrictive / blocks incoming connection)
Configure Windows Firewall
1. Based on
a. Where traffic came from
b. Port / Protocol it is using
c. Software it came from
d. Services
2. Basic firewall configuration
a. can't configure outbound rules
b. can't configure IPSec
3. Windows firewall with advanced configuration
Basic firewall configuration
1. Go to Control Panel / Windows Firewall
2. Click "Allow programs to communicate through Windows Firewall" to change the policy
Windows Firewall with Advanced Security
1. Create more specific rules
2. IPSec configuration
3. Monitoring Section
4. Can be used for remote administration
Group Policy set Windows Firewall
Go to Computer Configuration / Policies / Windows Settings / Security Settings / Windows Firewall with Advanced Security
Same as "Windows Firewall with Advanced Security"
IPSec
IPSec: Internet Protocol Security, securing IP communications
1. Provides secure communication client to server / server to server / network to network
2. Provides authentication
3. Prevents eavesdropping
4. Prevents replay attacks
5. Prevents data tampering
Windows Server 2008
1. Integrated with Windows Firewall
2. Support for IPv6
3. Integrates with NAP
4. Improved load balancing and clustering support
5. More encryption algorithms
Security Association(SA)
1. Logical group of security parameters
a. contains algorithms used
b. contains key sizes
Protocol Used in IPSec
1. Internet Key Exchange (IKE)
2. Authentication Header (AH): provides integrity and authentication
3. Encapsulating Security Payload (ESP): provides integrity, authentication and encryption
IPSec Models
1. Main Mode (AH)
a. Time consuming: verifies the identity of each party
b. Establishes a secure connection that is used to negotiate Quick Mode
2. Quick Mode (ESP)
a. Used for the actual communication between the parties
IPSec Creation
1. Go to start / Administrative Tools / Windows Firewall with Advanced Security
2. Right Click "Connection Security Rules" and click "New Rule"
3. Choose "Isolation"
4. Choose "Request authentication for inbound and outbound connections"
5. Choose "Default"
6. Input "Name" and finish
IPSec Troubleshooting
Check the main mode and quick mode in Windows Firewall with Advanced Security
Type of Connection
1. Isolation: based on authentication criteria
2. Authentication Exemption: specify computers that do not need to authenticate
3. Server to Server: can enter in your own end point or points
4. Tunnel: embeds IPSec packet in an IP packet
IPSec Authentication Methods
1. Kerberos: computers in domain
2. Certificates
3. NTLMv2: computers in a workgroup / firewall is blocking Kerberos
4. Preshared key: very weak, not recommended
Group Policy
1. Go to Computer Settings / Policies / Windows Settings / Security Settings
a. Windows Firewall with Advanced Security
b. IP Security Policies on Active Directory
i. Filter Action
ii. Filter List
iii. Rule
DNS Server
1. Windows server 2008 support IPv6
2. Background zone loading
3. Support for read only domain controllers
DNS Name Space
Root Domain: . (13 internet root hint servers)
Top Level Domains: .net / .org / .com
Second Level Domains: example / Microsoft
Sub Domains: www / ftp / sales
Install Requirements
1. static ip address
2. user account must be a member of the local administrators user group
3. on a domain controller, the DNS zone data can be stored in AD
4. at least 2 DNS servers on your network
Cache only DNS Server
All DNS servers cache resolved requests
Cache-only DNS server: does not hold any DNS zone data of its own
(useful over a slow network link with only a few clients)
Advantages: 1. easy to set up; 2. no zone administration
DNS Properties
1. Interfaces: listen only on the company-facing IP address, so the DNS server does not expose internal resources to an attacker on other interfaces;
2. Forwarders: forward the requests this DNS server cannot resolve to a specific DNS server
3. Advanced:
Disable recursion (also disables forwarders): when the DNS server sits on a secure company network and is only used to resolve local resources, enable this to reduce exposure to DoS (Denial of Service) attacks
4. Root Hints: no need to change
5. Debug Logging: detailed log of DNS service activity, for troubleshooting
6. Event Logging: event log settings for the DNS service, for troubleshooting
7. Monitoring: quick test of the DNS service status
DNS Zones Types
1. Primary Zone
2. Secondary zone
3. Active directory integrated zone
4. stub zone
Primary Zone
1. Read/Write copy
2. Stored in a text file
3. Primary zone must be available to make changes
Secondary zone
1. Read-only copy (copy of a primary zone, secondary zone or AD-integrated zone)
2. Windows can host a secondary zone for a UNIX primary zone
AD Integrated zone
1. Only available on Domain Controller(all domain controller have a read write copy of the zone)
2. High availability and redundancy
3. Harder to restore in a disaster
4. Also supported on read only domain controllers
5. Supports secure updates
Stub Zone
Redirects the requests to a server that can answer it
Forward lookup zone: resolves names to IP addresses
Reverse lookup zone: resolves IP addresses to names
DNS Records Types
1. SOA (Start of Authority): primary name server / email of administrator / zone serial number
2. A or AAAA record: maps a name to an IP address
3. CNAME (Canonical name / Alias): points to an A or AAAA record
4. SRV (Service Record)
5. MX (Mail Exchange): lowest priority value is tried first
6. PTR records: map an IP address to a name; can be created automatically; require an existing reverse lookup zone
Dynamic DNS
Controlled by the DHCP service
Force an update of a client's DNS record: ipconfig /registerdns
Domain computers can update their records with secure updates
If service records are missing or damaged, right click the DNS server / forward lookup zone / domain and click Properties. On the General tab, set Dynamic updates to "Secure only" and restart the DNS service.
DNS Replication
Zone Transfer: Transfer of DNS records between DNS servers
Zone Replication:
1. AD integrated zone replicate with AD (runs on same schedule)
2. Primary and Secondary zone: configure zone transfer security (which servers may receive transfers)
DNS Resolve Process
1. DNS cache / hosts file
2. DNS Server
3. NetBIOS Cache
4. WINS Server
5. Broadcast LLMNR(IPv6) and NetBIOS(IPv4)
6. Lmhosts (%systemroot%\system32\drivers\etc\lmhosts)
Troubleshooting
1. ipconfig /flushdns
2. ipconfig /registerdns
3. ipconfig /displaydns
4. nbtstat -n
Remote Access 3 stages
1. Connection: physical connection
2. Authentication: who they are
3. Authorization: what they can access
ICS (Internet connection sharing) Config
Share the internet connection with other computers
1. Control Panel / View network status and tasks
2. Change Adapter Setting
3. Right click network adapter and click the properties
4. Go to Sharing page
Remote Access Service(one internal network adapter, one public network adapter)
Install
1. Add "Network Policy and Access Services" Role
2. Choose "Remote Access Service"
Config
1. Go to Administrative Tools / Routing and Remote Access
2. Right click the server and click the "Configure and Enable Routing and Remote Access"
3. Choose "Remote Access"
4. Choose "VPN" and "Dial up"
5. Choose internal network adapter
6. Choose Automatically if you have DHCP
VPN Protocols
1. PPTP (Point to Point Tunneling Protocol): Microsoft protocol; supports only TCP/IP; TCP port 1723
2. L2TP (Layer Two Tunneling Protocol): TCP port 1701, UDP port 500; open standard;
3. SSTP (Secure Socket Tunneling Protocol): port 443; uses SSL for encryption
Client Config
1. Control Panel / View network status and tasks
2. Click "Set up a new connection on network"
3. Click "Connect to a workplace"
4. Click "VPN"
6. Click "I'll set up an Internet connection later"
7. Input the IP Address of RAS server into "Internet address"
8. Input the username and password (the user needs "Allow access" set on the Dial-in tab)
NPS(Network Policy Server) Config
Instead of setting the Dial-in tab for each user,
NPS creates rules (network policies) that control access to your network
1. Go to Administrative Tools / Routing and Remote Access
2. Right click "Remote Access Logging & Policies" and click "Launch NPS"
3. Click folder "Network Policies" to check current policies
4. Right click "Network Policies" and click "New" to create new policy
5. Input name and choose "Remote Access Server(VPN-Dial up)"
6. On the Specify Conditions page, you may set the condition based on Windows Groups, User Groups, ...
Radius
1. Remote Authentication Dial In User Service
2. Allows for AAA (Authentication, Authorization, Accounting)
Troubleshooting
1. check network connection
2. check firewall rule
Network Access Protection(NAP)
1. Protects the integrity of your network by
a. Performing health checks
b. Can isolate computers failing health checks
c. updates computers to allow them to pass health check
The NAP Process
Health statement sent to NAP enforcement point(DHCP, VPN,...)
If computer fails health check
1. Do nothing
2. Deny access
3. Grant access to Remediation network
NAP Components
1. System Health Agent (SHA)
Reports health state
Server 2008, Windows 7, ...
2. System Health Validator (SHV)
Network Policy Server component(Server 2008 only)
Can work with radius
3. Remediation Servers (Optional)
Update antivirus
WSUS
NAP Network Layout
meets requirements: production network (DC, DHCP)
fail health check: remediation network (WSUS, Read only DC, DHCP)
no nap support: guest network (DHCP, Web proxy)
DHCP NAP Config
1. Compliant Clients --> Full access
2. Non Compliant Clients --> Limit access
NAP Server
Install NAP: add "Network Policy and Access Services" / "Network Policy Server"
Go to Administrative Tools / Network Policy Server
DHCP Server
Install NAP: add "Network Policy and Access Services" / "Network Policy Server"
Go to Administrative Tools / Network Policy Server
Client part
Setting in Group policy
Network Authentication
NTLM: authenticates the user each time access is required
Kerberos: time based authentication, need the hostname and domain
EAP: authentication framework
EAP-TLS: Smartcards
Wireless Standard
802.11a 54Mbps short range
802.11b 11Mbps good range, slow speed
802.11g 54Mbps good range
802.11n 250Mbps very fast, uses multiple input, multiple output (MIMO)
Wireless Security
1. Disabled SSID
2. MAC Security
3. WEP (Wired Equivalent Privacy)
4. WPA (Wi-Fi Protected Access)
WPA-PSK (Personal: users share a pre-shared key)
WPA-EAP (Enterprise: uses an authentication system)
5. WPA2
6. 802.1X
Wireless Modes
1. Infrastructure mode
2. Ad hoc mode
Domain Wireless Management (Bootstrap Wireless Profile)
Config Bootstrap Wireless Profile by Group Policy
NTFS Permissions (Default Inheritance)
1. List Folder Contents
2. Read
3. Read & Execute
4. Write (Does not give read or delete)
5. Modify (All the above including delete)
6. Full Control (All the above plus can change permissions)
7. Special Permission (12 granular permissions)
Ownership(properties --> security --> advanced --> owner)
1. Owner can change permissions;
2. Administrators can take ownership without having permission
NTFS Permission Troubleshooting
Check a user's actual permissions on a file or folder: Properties --> Security --> Advanced --> Effective Permissions
In parent folders, you can restore inheritance for subfolders and files: Properties --> Security --> Advanced
File Sharing Permissions (same thing different names)
| Classic | Windows Server 2008 R2 | Windows Server 2008 |
|---|---|---|
| Read | Read | Reader |
| Change | Read / Write | Contributor |
| Full control | Owner | Co-Owner |
File Server Role
1. Server Manager additions to manage shares: generate reports
2. Quotas
3. File Screening
4. File Classifications (R2)
Special Features of File Server
1. Can use NFS to share a folder so UNIX or Linux systems can access it;
2. In "SMB Settings" / Advanced, "Enable access-based enumeration" shows users only the folders they can access;
Offline Files (poor network)
Server
1. install "BranchCache for network files" (one of the file service role services)
2. Right click the folder and click Properties --> Sharing --> Advanced Sharing
3. Enable "Share this folder"
4. Click "Caching"
5. Choose the first option to enable offline files
6. Users need at least Change permission to use offline files
Client
1. Click Tools --> "Map network drive" to create a network drive
2. Right click the network drive and click "Always available offline"
3. Click Tools --> "Open Sync Center"
4. Click "Manage offline files" --> can check the status, setting, encryption, network and etc
Test
1. On the client, select the network drive and click "Work offline"
2. Update the file on both the client and the server with different content
3. On the client, select the network drive and click "Work online"
4. In Sync Center, the conflict is shown
Encrypting File System (EFS)
1. Encrypts files and folders (protects the hard disk against offline attacks)
2. Uses a symmetric key (one key for encryption and decryption)
3. An asymmetric key pair protects the symmetric key
If you do not want to use EFS, disable it
1. domain: Group policy
A. Computer Configurations --> Policies --> Windows Settings --> Security Settings --> Public Key Policies --> Encrypting File System
B. Right click "Encrypting File System", click "Properties"
C. Choose "Don't Allow"; EFS will be disabled in the domain
2. WorkGroup: Local Security Policy
A. Public Key Policies --> Encrypting File System
B. Right click "Encrypting File System", click "Properties"
C. Choose "Don't Allow"; EFS will be disabled on the local computer
Encryption Process (key: symmetric key + user public asymmetric key)
1. Right click the specific file and click Properties --> General --> Advanced
2. Choose "Encrypt..."
3. The file name turns green afterwards
4. Input "mmc" in Run, add the "Certificates" snap-in and go to Personal to check that a personal EFS certificate was created for you
5. Right click the specific file and click Properties --> General --> Advanced
6. Click "Details" next to "Encrypt..."
7. To let another user read or write the file, that user first needs their own EFS certificate
A. log on to the computer as the target user
B. run the command to generate a personal EFS certificate: cipher /k
C. log off the target user
8. Right click the specific file and click Properties --> General --> Advanced
9. Add the target user to the list of users with access
Data Recovery Agent (DRA): a user that can decrypt and read encrypted data files
Process to add an additional DRA (default is the Administrator user)
1. Login with the user to one client machine
2. Create the DRA key by running: cipher /r:<file name>
Example: cipher /r:dra.pfx
3. Input the password when prompted
4. In DC, go to Group Policy Management;
5. To apply it to the whole domain, edit the "Default Domain Policy"
6. Go to Computer Configurations --> Policies --> Windows Settings --> Security Settings --> Public Key Policies --> Encrypting File System
7. Right click "Encrypting File System", click "Add Data Recovery Agent"
8. Import the pfx file
9. Right click "Encrypting File System", click "Properties"
10. Choose "Allow" for File encryption using Encrypting File System. (Enable the EFS in domain)
If choose "Don't Allow", the EFS feature will be disable in domain
11. Go back to the client machine and run the command to apply the Group Policy: gpupdate /force
Distributed File Server
1. Many shares to be accessed with the same namespace
2. Create replicates
Install DFS
1. Add "file services" in role
2. Choose "Distributed File System"
3. Input the namespace
4. Choose the namespace type
Domain-based namespace: stored in Active Directory (on the DCs)
Stand-alone namespace: stored on the local server
5. Choose the admin account to continue
6. Add share folders in local server to the DFS
Window Server 2008 mode
1. Forest function level windows server 2003 or higher
2. Domain function level windows server 2008 or higher
3. All namespace servers run windows server 2008
4. Support access based enumeration(Right click the namespace and click properties, go to Advanced tab)
5. Supports more than 5000 targets
DFS Options
Right click the namespace and click properties, go to Advanced tab
1. Optimize for consistency (less than 16 namespaces)
A. Namespace servers poll the PDC emulator for changes
2. Optimize for scalability (more than 16 namespaces)
A. Poll nearest DC for changes
B. Changes do not appear until active directory replicates
Right click the namespace and click properties, go to Referrals tab
3. Ordering method for clients with no local file server
A. Random order
B. Lowest Cost
C. Exclude targets outside of the clients' site
DFS Admin
1. Go to control panel --> Administrative tools --> DFS Management
2. In order to increase the redundancy:
A. Add namespace: create new network share folder
B. Add replication group: set sync method and frequency between two share folders
Shadow Copy Service
1. Take snapshots of your data according to schedule
2. Very fast: saves changes at the block level
3. Works at the volume level
4. Saves changes within the allotted disk space; when space runs out, the oldest copies are deleted (FIFO)
5. Not recommended for database servers
6. Not a replacement of backups
Shadow Copy Config
1. In Windows Server 2008, right click the disk drive and click "Configure Shadow Copies"
2. First settings and Then enable
3. Choose the disk drive you need to set shadow
4. Click schedule: default is twice per day.
5. Do some changes on specific files
6. Run a manual shadow copy by clicking "Create Now"
7. Right click the files and click "Restore previous versions"
8. Right click the folder and click "Restore previous versions"
Windows Server Backup
1. Replaces Windows NT Backup
2. NTBackup available for download from Microsoft
Restore only, will not back up
3. Windows Server 2008 backs up volumes only
4. Windows Server 2008 R2 can back up folders
5. No longer supports tape drives
6. Supports backup to hard disk, USB, optical media and network
7. Complete PC Restore (bare-metal recovery)
8. Excellent incremental backup support
Works best when the hard disk has been defragmented
Windows Server Backup Process
1. Add feature: Windows Server Backup Features
2. Go to Control Panel / Administrative Tools / Windows Server Backup
3. Use "Backup once" or "Backup Schedule" to backup
4. Choose items for backup
5. Choose the target
6. Click "close", the backup still runs background
7. The backup file is VHD
Windows Server Restore Process
1. Go to Control Panel / Administrative Tools / Windows Server Backup
2. Click "Recover"
3. Choose the backup date
4. Choose the recover type
5. Recovery Options
Disk Quotas
1. Control how much drive space a user can use
A. soft quota, warning only
B. hard quota, stops write access
2. Must be on an NTFS formatted hard disk
3. Calculated based on who owns the file
A. Does not apply to the administrator
Quotas Systems
1. NTFS Quotas:
A. Per user/per volume
B. Logical file sizes
C. Event log notification only
2. FSRM Quotas
A. by folder or volume
B. Actual disk space
C. notification via email, event, ...
3. Using group policy (Define NTFS Quotas in Domain)
FSRM Quotas
1. Add role "File services" / "File Server Resource Management"
2. Choose the volumes to monitor
3. After install, need to config
4. Go to Server Manager --> File Services --> Share and Storage Management --> File Server Resource Manager --> Quota Management
Print Service
Local printer: printer software installed locally;
Network printer: printer software installed on another server;
To share a printer in the domain:
1. Go to the printer's Properties; on the General tab choose the default page size;
2. On the Sharing tab, choose "List in the directory" so the printer is published in the domain as a resource;
3. On the Sharing tab, click "Additional Drivers" to install drivers for other client computers to use;
4. On the Advanced tab, input "Available from" and "to" to define the printer's working hours;
Print Pooling
Printer pooling: all pooled printers need the same printer driver
Go to the Ports tab, select the printer ports and choose "Enable printer pooling"
Print Management
1. install "Print and Document Services" in role services
2. With Print Management you can manage all printers in the domain
3. Can export the printer configuration for backup or restore
WSUS(Windows Server Update Services)
1. Download updates from Microsoft and store locally
2. Allows you to approve or decline updates
3. Put computers into groups for administrative purposes
WSUS Requirements
Software
1. Windows Server 2008 R2 / Windows Server 2008 SP1
2. Windows Server 2003 SP1
3. .NET framework 2.0
4. Windows internal database
5. Microsoft Management Console 3.0
6. IIS 6.0 (ASP.NET / Windows authentication / Dynamic content compression)
Hardware
1. NTFS
2. 1GB for system partition
3. 2GB for database partition
4. 20GB for updates
Install WSUS
http://www.microsoft.com/wsus or server management add role
1. Choose the update server
2. Set proxy server
3. Choose languages
4. Choose Microsoft products
5. Choose Classification (Type of updates)
Recommendation: defaults + Drivers
If the networks performance good add "Feature packs" and "Service packs"
6. Choose Sync Schedule (When to download)
Configuring WSUS
1. Go to "Windows Server Update Services"
2. Click WSUS --> Options to update the setting
WSUS Groups
1. Default Groups
A. All computers
B. Unassigned computers
2. Server Side Targeting
A. Perform through the WSUS admin tool
3. Client Side Targeting
A. Done through by Group Policy
Server Side Targeting
Client
1. Go to Local Group Policy Editor --> Computer Configuration --> Administrative Template --> Windows Components --> Windows Update
2. Double click "Specify intranet Microsoft update service location"
3. Choose "Enabled" and input the WSUS server link
4. Update policy by input command: gpupdate
WSUS Server
1. Go to "Windows Server Update Services --> WSUS --> Computers
2. Create new group and put client into the group
3. Create new rule in WSUS --> Options --> Automatic Approvals
4. Choose "When an update is in a specific classification" and "When an update is in a specific product"
5. Click in the step 2 to set the product, classification, group and input rule name
Client Side Targeting
WSUS Server
1. Go to "Windows Server Update Services --> WSUS --> Options --> Computers
2. Choose "Use Group Policy or registry settings on computers"
Domain Controller
1. Go to "Group Policy Management"
2. Create one policy
3. Edit policy by Go to Computer configuration -->Policies --> Administrative Templates --> Windows Components --> Windows Update --> Standard
4. Click "Enable client-side targeting"
5. Choose "Enabled" and input the group name
6. Click "Specific intranet Microsoft update service location"
7. Choose "Enabled" and input the WSUS location
WSUS Server
1. Go to "Windows Server Update Services --> WSUS --> Computers
2. Create the computer group name you create in Group Policy
3. Input command to refresh: wuauclt /resetauthorization /detectnow
WSUS Report
1. Install Microsoft Report Viewer 2008 Redistributable
2. Go to "Windows Server Update Services --> WSUS --> Reports
Windows Performance Tools
1. Task Manager
2. Resource monitor
3. Performance Monitor
Event logs new features in Windows Server 2008
1. New logs: Setup / Forwarded Events
2. Can create custom view: filter
3. Can export to XML
4. Integration with task scheduler
Connect the issue in event log to schedule task
1. Go to Event Viewer
2. Right click the specific issue and click "Attach Task to This Event..."
3. Set the windows scheduler task
Event Forwarding
The Forwarder computer pushes a copy of its event log to the Collector computer
Requirement: Windows Server 2008 / Windows 7 / Windows Vista
Windows 7 --> Windows Server 2008 R2
Process:
Forwarder computer
1. input command: Winrm quickconfig
2. Add collector computer account to group "event log readers"
Collector computer
1. input command: Wecutil qc
2. Go to Event View
3. Right click Subscriptions and click Properties
4. input subscription name and click "Collector initiated" --> "select computer"
5. add the forwarder computer
6. also can use filter to control the event log type
Network Monitor
1. Download Network Monitor from Microsoft
2. Need to be an administrator
3. Used to monitor the network of the computer
4. Also can use command line
Simple Network Management Protocol (SNMP)
1. Open standard
2. Reports performance and faults
3. Reports hacking attempts
4. Consist of: SNMP Management Software / SNMP Agent
Install SNMP Agent
1. Add "SNMP Service" feature
2. Go to Services --> "SNMP Service" --> Agent/Traps/Security tab do config