Window Server 2008

February 14, 2008

Windows Server 2008 Beta 3 Download

Filed under: download — admin @ 1:08 pm

Microsoft Windows Server 2008 helps you to increase the flexibility of your server infrastructure while saving time and reducing costs. Powerful new management tools and security enhancements allow you to have more control over your servers while providing advanced protection so you can spend less time on everyday tasks and more time bringing greater value to your organization.

Product Highlights:

• Increase Control and Manageability
Windows Server 2008 allows you to get more control over your server and network infrastructure, allowing you to focus on your most critical business needs.

Server Manager accelerates server setup and configuration, and simplifies ongoing management of server roles via a unified management console.

Windows PowerShell is a new command-line shell with more than 130 tools and an integrated scripting language that enables an administrator to automate routine system administration tasks, especially across multiple servers.

Server Core is a new installation option for selected roles that includes only the necessary components and subsystems without a graphical user interface, to provide a highly available server that requires fewer updates and less servicing.

• Flexibility for Changing Business Needs
Windows Server 2008 provides you with the flexibility to create an agile and dynamic datacenter to meet your changing business needs.

Terminal Services Gateway and Terminal Services RemoteApp are designed for easy remote access and application integration with the local desktop, enabling secure and seamless application deployment without the need for a VPN.

Internet Information Server (IIS) 7 and .NET Framework 3.0 provide a comprehensive platform for building applications that connect users to each other and to their data, enabling them to visualize, share, and act on information.

• A Solid Foundation on Which to Build Your Business
Windows Server 2008 hardens the operating system and helps protect your environment to provide a solid foundation on which you can run and build your business.

Windows Server 2008 helps protect against failure and intrusion for servers, networks, data, and user accounts.

Network Access Protection gives you the power to isolate computers that don’t comply with your organization’s security policies, and provides network restriction, remediation, and ongoing compliance checking.

Active Directory Rights Management Services provides persistent protection for sensitive data; helps reduce risks and enables compliance; and provides a platform for comprehensive information protection.

Read-Only Domain Controller allows you to deploy Active Directory Domain Services while restricting replication of the full Active Directory database, to better protect against server theft or compromise.

Source: Microsoft.com

Download: *Windows Server 2008 Beta 3

(*You must register before you can download.)

Top 10 New Features in Windows Server 2008

Filed under: help — admin @ 1:06 pm

There are a myriad of both subtle and fundamental differences in the basic architecture of Windows Server 2008, which could dramatically change not only the way it’s used in the enterprise, but also the logical and physical structure of networks where it’s the dominant OS.

The abilities to consolidate servers, to manage hardware more effectively, to remotely manage hardware without the graphical traffic, and to radically alter the system security model, could present a more compelling argument for customers to plan their WS2K8 migrations now, than the arguments for moving from Windows 2000 to Server 2003.

Based on the information we gathered last week at WinHEC 2007 in Los Angeles, we decided that rather than list a bunch of mind-jarring new categories and marketing terms that sound like rejected gadgets from the Bat-Cave, we’d select what we believe to be the ten most influential and important new technologies to find their way into WS2K8, with the help of Microsoft software engineers such as Mark Russinovich to explain their relevance. We begin at the end with our #10 entry:

#10: The self-healing NTFS file system. Ever since the days of DOS, an error in the file system meant that a volume had to be taken offline for it to be remedied. In WS2K8, a new system service works in the background that can detect a file system error, and perform a healing process without anyone taking the server down.

“So if there’s a corruption detected someplace in the data structure, an NTFS worker thread is spawned,” Russinovich explained, “and that worker thread goes off and performs a localized fix-up of those data structures. The only effect that an application would see is that files would be unavailable for the period of time that it was trying to access, had been corrupted. If it retried later after the corruption was healed, then it would succeed. But the system never has to come down, so there’s no reason to have to reboot the system and perform a low-level CHKDSK offline.”

Application Server Role

Filed under: Application Server — admin @ 1:02 pm

Application Server is an expanded server role in the Windows Server® 2008 operating system. The new version of Application Server provides an integrated environment for deploying and running custom, server-based business applications. These applications respond to requests that arrive over the network from remote client computers or from other applications. Typically, applications that are deployed and run on Application Server take advantage of one or more of the following:

• Internet Information Services (IIS) (the Hypertext Transfer Protocol (HTTP) server that is built into Windows Server)
• Microsoft® .NET Framework versions 3.0 and 2.0
• ASP.NET
• COM+
• Message Queuing
• Web services that are built with Windows Communication Foundation (WCF)

The Application Server role is required when Windows Server 2008 runs applications that depend on role services or features that are part of the integrated Application Server role and that you select during the installation process. An example might be a specific configuration of Microsoft BizTalk® Server that uses a set of role services or features that are part of the Application Server environment.

Typically, the Application Server role is required when you are deploying a business application that was developed within your organization (or developed by an independent software vendor (ISV) for your organization) and when the developer has indicated that specific role services are required. For example, your organization may have an order processing application that accesses customer records that are stored in a database. The application accesses the customer information through a set of WCF Web services. In this case, you can configure one Windows Server 2008 computer as an application server, and you can install the database on the same computer or on a different computer.

Not every server application requires the installation of the Application Server role to run properly. For example, the Application Server role is not required to support Microsoft Exchange Server or Microsoft SQL Server on Windows Server 2008.

To determine if the Application Server role is required for your organization’s business applications, have your administrators work closely with the application’s developers to understand the requirements of the application, for example, whether it uses Microsoft .NET Framework 3.0 or COM+ components.

What does Application Server do?

Application Server provides the following:

• A runtime that supports effective deployment and management of high-performance server-based business applications. These applications are able to service requests from remote client systems, including Web browsers connecting from the public Internet or from a corporate network or intranet, and remote computer systems that may send requests as messages.
• The .NET Framework 3.0, which provides developers with a simplified programming model for connected server applications. Developers use the built-in .NET Framework libraries for many application functions, including input/output (I/O), numerical and text processing, database access, XML processing, transaction control, workflow, and Web services. For system administrators, the .NET Framework provides a secure and high-performance execution runtime for server-based applications, as well as a simplified application configuration and deployment environment.
• Windows Server 2008 installation by means of a new, user-friendly Add Roles Wizard that helps you choose the role services and features that are necessary to run your applications. The Add Roles Wizard automatically installs all features that are necessary for a given role service and makes it easier for you to set up and provision a computer as an application server for your business applications.

Who will be interested in this role?

This information about the Application Server role is primarily for information technology (IT) professionals who are responsible for deploying and maintaining an organization’s line-of-business (LOB) applications. LOB applications are typically developed in your organization or for your organization.

An application server environment consists of one or more servers running Windows Server 2008 that are configured with the Application Server role. This includes servers that do the following:

• Host applications that are built with the .NET Framework 3.0
• Host applications that are built to use COM+, Message Queuing, Web services, and distributed transactions
• Connect to an intranet or to the Internet to exchange information
• Host applications that expose or consume Web services
• Host applications that expose Web pages
• Interoperate with other remote systems running on disparate platforms and operating systems

An extended Application Server environment can also include the following:

• Domain-joined client computers and their users
• Computers that are used primarily for management of the application servers
• Infrastructure servers that run resources, such as Active Directory Domain Services (AD DS) or other Lightweight Directory Access Protocol (LDAP) repositories, Certificate Services, security gateways, process servers, integration servers, application or data gateways, or databases

What new functionality does this role provide?

The new, expanded version of the Application Server role is installed through the Add Roles Wizard in Server Manager. Administrators who have LOB applications that are built with the .NET Framework 3.0 may discover that setting up a hosting environment for these applications is simpler with this server role. The Add Roles Wizard guides the administrator through the process of selecting the role services or supporting features that are available in this role and may be necessary to run specific LOB applications.

Application Server Foundation

Application Server Foundation is the group of technologies that are installed by default when you install the Application Server role. Essentially, Application Server Foundation is the .NET Framework 3.0.

Windows Server 2008 includes the .NET Framework 2.0, regardless of any server role that is installed. The .NET Framework 2.0 contains the Common Language Runtime (CLR), which provides a code-execution environment that promotes safe execution of code, simplified code deployment, and support for interoperability of multiple languages, as well as extensive libraries for building applications.

Application Server Foundation adds the .NET Framework 3.0 features to the baseline .NET Framework 2.0 features. For more information about the .NET Framework 3.0, see .NET Framework Developer Center (http://go.microsoft.com/fwlink/?LinkId=81263).

Why is this functionality important?

The key components of Application Server Foundation are installed as a set of code libraries and .NET assemblies. The following are the key components of Application Server Foundation:

• Windows Communication Foundation (WCF)
• Windows Workflow Foundation (WF)
• Windows Presentation Foundation (WPF)

Of these three, WCF and WF are commonly used in server-based applications as well as client-based applications. WPF is used primarily in client-based applications, and it is not discussed further here. For more information about WPF, see Windows Presentation Foundation (http://go.microsoft.com/fwlink/?LinkId=78407).

WCF is the Microsoft unified programming model for building connected applications that use Web services to communicate with each other. These applications are also known as Service-Oriented Applications (SOA), and they are becoming increasingly more important for business. Developers can use WCF to build SOA applications that employ secure, reliable, transacted Web services that communicate across platforms and interoperate with existing systems and applications in your organization.

WCF enables developers to compose or combine the various technologies that are available today for building distributed applications (COM+ and .NET Enterprise services, Message Queuing, .NET Remoting, ASP.NET Web Services, and Web Services Enhancements (WSE)) in ways that make sense for your organization’s business needs and computing environment. For more information about WCF, see What is Windows Communication Foundation? (http://go.microsoft.com/fwlink/?LinkId=81260).

WF is the programming model and engine for building workflow-enabled applications quickly on Windows Server 2008. A workflow is a set of activities that describe a real-world process, such as an order-purchasing process. A workflow is commonly described and viewed graphically—something like a flowchart. The description of the workflow is often called “the model.” Work items pass through the workflow model from start to finish.

Work items or activities within the model can be executed by people or by systems or computers. While it is possible to describe a workflow in traditional programming languages as a series of steps and conditions, for more complex workflows or workflows that support simpler revisions, designing the workflow graphically and storing that design as a model is typically much more appropriate and flexible.

WF supports system workflow and human workflow across a variety of scenarios, including the following:

• Workflow in LOB applications
• The sequential flow of screens, pages, and dialog boxes as presented to the user in response to the user’s interaction with the user interface (UI)
• Document-centric workflow, for example, the processing of a purchase order or a medical record
• Human workflow interaction, such as sending e-mail to a business client and receiving e-mail from the client
• Composite workflow for SOA
• Business-rule-driven workflow, for example: “On a Monday at 5 P.M. send an update catalogue request to business partners.”
• Workflow for systems management

For more information about WF, see Windows Workflow Foundation (http://go.microsoft.com/fwlink/?LinkId=82119).

What works differently?

Although there is an Application Server role in Windows Server 2003, the new, expanded Application Server role that is available in Windows Server 2008 is not simply an upgrade from the application server configuration tool that is included in Windows Server 2003 or an earlier operating system. Because the role functionality is completely new, administrators should be aware that there is no migration path for the Application Server configuration tool from Windows Server 2003 or earlier operating systems.

How do I resolve these issues?

If you upgrade your server to Windows Server 2008 from Windows Server 2003 or an earlier operating system, and you want to use the capabilities of the Application Server role, you must reinstall the Application Server role by using the Add Roles Wizard in Server Manager. As long as you configure Windows Server 2008 with the correct application services by using the Add Roles Wizard in Server Manager, you can easily move your applications from Windows Server 2003 to Windows Server 2008.

When should I use the Application Server role?

If the server-based LOB applications that you need to deploy and manage require one or more of the following technologies: Microsoft .NET Framework 3.0, Message Queuing, COM+, or distributed transactions, consider configuring your server in the Application Server role.

How should I prepare for installation?

As a part of your preparation for installing the Application Server role, create an inventory of the applications that you will run on this server. If you are an administrator, work with your developers or the ISV who developed the applications to identify the supporting technologies and configurations that must be present on the server to run the applications. Then, map these technologies to the role services that are described in the following sections so that you can select and properly configure the services during server role installation. Typically the developer or ISV provides a list of the technologies that are required to be installed for this application, for example, the .NET Framework 3.0.

Web Server

This option installs IIS version 7.0, the Web server that is built into Windows Server 2008. IIS has been available in Windows Server for many years, but has been revised significantly for Windows Server 2008 to provide improvements in performance, security, management, supportability, reliability, and modularity.

IIS provides the following baseline benefits:

• IIS enables Application Server to host internal or external Web sites or services with static or dynamic content.
• IIS provides support for running ASP.NET applications that are accessed from a Web browser.
• IIS provides support for running Web services that are built with Microsoft WCF or ASP.NET.

COM+ Network Access

This option adds COM+ Network Access for remote invocation of applications that are built on and hosted in COM+ and Enterprise Services components. Such applications are also sometimes called Enterprise Services components.

COM+ Network Access is one of the remote invocation capabilities that has been supported in Windows Server since Windows 2000 Server, and it continues to be supported in Windows Server 2008. Newer applications typically use WCF to support remote invocation because WCF provides interoperability across multiple platforms.

Windows Process Activation Service

This option adds Windows Process Activation Service (WAS). WAS can start and stop applications dynamically, based on messages that are received over the network through HTTP, Message Queuing, TCP, and named pipes protocols. Dynamic start and stop of applications means that server resources are used more efficiently. WAS is a new service in Windows Server 2008.

Net.TCP Port Sharing

This option adds the Net.TCP Port Sharing Service. This role service makes it possible for multiple applications to use a single TCP port for incoming communications. For example, an SOA that is built with WCF can share the same port. Sharing ports is often a requirement when firewall configurations or network restrictions allow only a limited number of open ports or when multiple distinct instances of a WCF application must be running and available at the same time.

To let multiple WCF applications share a port, the Net.TCP Port Sharing Service performs the multiplexing: it accepts the incoming TCP connection requests and forwards each one to the appropriate WCF service based on the target address of the request. Port sharing works only when the WCF applications use the net.tcp protocol for incoming communications. Net.TCP Port Sharing is a new service in Windows Server 2008.
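The following app.config fragment is an added illustration of the mechanism described above; it is not part of the original post or of Microsoft's documentation. It shows one WCF service process opting into port sharing on its netTcpBinding so that it can listen on TCP port 808 alongside other processes. The service name, contract name, address path and port are assumed placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the original page: one WCF host process that
     registers with the Net.TCP Port Sharing Service instead of owning the
     socket itself. Service/contract names, the path and the port are
     assumed placeholders. A second process hosting another service would
     carry the same binding with a different path, e.g. /Inventory. -->
<configuration>
  <system.serviceModel>
    <bindings>
      <netTcpBinding>
        <!-- portSharingEnabled defaults to false. When true, SMSvcHost.exe
             accepts the connections on port 808 and dispatches them to this
             process by the path in the endpoint address. -->
        <binding name="SharedPortBinding" portSharingEnabled="true">
          <!-- Transport security keeps Windows authentication and encryption
               on the shared port; sharing the socket does not weaken it. -->
          <security mode="Transport">
            <transport clientCredentialType="Windows"
                       protectionLevel="EncryptAndSign" />
          </security>
        </binding>
      </netTcpBinding>
    </bindings>
    <services>
      <service name="Example.OrderService">
        <!-- Only the path after the port must be unique among the services
             that share port 808; the port itself is common to all of them. -->
        <endpoint address="net.tcp://localhost:808/Orders"
                  binding="netTcpBinding"
                  bindingConfiguration="SharedPortBinding"
                  contract="Example.IOrderService" />
      </service>
    </services>
  </system.serviceModel>
</configuration>
```

The Net.TCP Port Sharing Service (service name NetTcpPortSharing) is disabled by default and has to be enabled and started before a host with this binding can open its endpoint. Which Windows accounts may register endpoints with it is controlled by the allowAccounts list in SMSvcHost.exe.config, so restricting that list to the identities your WCF hosts actually run under is the check a practitioner should make when turning the service on.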

Distributed Transactions

Applications that connect to and perform updates on multiple databases or other transactional resources may require that these updates are performed with “all-or-none” transactional semantics—a technology that ensures that every part of the transaction is complete or that the whole transaction is rolled back to its original state.

Support for distributed transactions in Windows Server 2008 provides a way for applications to have this requirement met. Distributed transaction support has been in Windows Server since Microsoft Windows NT® Server 4.0, and this support continues in Windows Server 2008.

Is this role available in all editions of Windows Server 2008?

Application Server is available in the following editions of Windows Server 2008:

• Windows Server 2008 Standard
• Windows Server 2008 Enterprise
• Windows Server 2008 Datacenter
• Windows Server 2008 for Itanium-Based Systems

The Application Server role is not available in the following edition of Windows Server 2008:

• Windows Web Server 2008

Does it behave differently in some editions?

Application Server behavior does not vary based on the edition of Windows Server 2008.

Is it available in both 32-bit and 64-bit versions?

Application Server is available in both 32-bit and 64-bit versions of Windows Server 2008.

What’s New in Application Server in Windows Server 2008

Filed under: Application Server — admin @ 1:02 pm

In Windows Server® 2008, the new, expanded version of the Application Server role provides an integrated environment for deploying and running custom, server-based business applications. Typically, these business applications are developed within an organization or by an independent software vendor (ISV) for the organization.

For an overview of the improvements in Application Server, see the next section. For details about the improvements, see Application Server Role.

Overview of the improvements in Application Server

Application Server in Windows Server 2008 includes improvements in the following areas that simplify the process of installing and configuring the Application Server role in your environment so that you can deploy and run your organization’s applications:

• A new, user-friendly Add Roles Wizard that helps you choose the services and features that are necessary to run your applications
• Application Server Foundation, the default installation of Application Server that includes the .NET Framework 3.0 features
• Web Server: Application Server installs Internet Information Services (IIS) 7.0
• Windows Process Activation Service (WAS), which dynamically stops and starts applications based on messages received over the network
• Net.TCP Port Sharing, which enables multiple Windows Communication Foundation (WCF) applications to share a single TCP port for incoming communications

Frequently Asked Questions for Windows Deployment Services

Filed under: Deployment Services — admin @ 12:59 pm

General

• What happened to RIS?
• What happened to the Single Instance Store?
• Can I use Windows Deployment Services (especially multicasting) with virtual computers?

Boot and Install Images

• What is the difference between install images and boot images?
• What is the Legacy Images node in the MMC?
• How do I maintain my boot and install images?

Configuration

• Can I have multiple Windows Deployment Services servers on the network?
• What permissions do I need to configure?
• Why do I need two unattend files?
• Can I protect my users by requiring them to log in before they have a chance to reformat their hard drives?

Diagnostics

• What logs should I look at to troubleshoot issues?
• How do I turn on logging?

Common Tasks

• How do I replicate images?
• How do I join a computer to a domain?
• How do I set up computer naming?
• How do I use WDSMCast to transmit other types of files?

General

What happened to RIS?

Windows Deployment Services is the updated and redesigned version of Remote Installation Services (RIS). Windows Deployment Services includes several modifications to RIS features. There are also modifications in Windows Server 2008 from the Windows Deployment Services update that you can install on computers running Windows Server 2003. These modifications are described in the following table.

Changes from RIS:

• The ability to deploy Windows Vista and Windows Server 2008
• Windows PE is the boot operating system
• Image-based installation, using the Windows image (.wim) file
• The ability to transmit data and images by using multicast transmissions (see Chapter 12: Multicasting with Deployment Server)
• The ability to transmit data and images by using multicast namespaces on a stand-alone server, when you install Transport Server (see Chapter 14: Transport Server)
• An extensible and higher-performing PXE server
• A new boot menu format for selecting boot images
• A new GUI that you can use to select and deploy images and to manage Windows Deployment Services servers and clients

Changes from Windows Deployment Services on Windows Server 2003:

• The ability to transmit data and images by using multicast transmissions (see Chapter 12: Multicasting with Deployment Server)
• The ability to transmit data and images by using multicast namespaces on a stand-alone server, when you install Transport Server (see Chapter 14: Transport Server)
• No support for RISETUP images or OSChooser screens
• An enhanced TFTP server (see Chapter 3: Server Components and Chapter 4: PXE Boot)
• The ability to boot from the network on x64-based computers with Extensible Firmware Interface (EFI) (see Chapter 4: PXE Boot)
• Metric reporting for installations (see Appendix B: Logging, Tracing, and Diagnostics)

What happened to the Single Instance Store?

Windows Deployment Services does not use the Single Instance Store functionality that was used in RIS. Instead, Windows Deployment Services uses a method by which file resources are shared across each image group (and therefore single-instanced) and the metadata of each image resides in a separate .wim file. The image store takes the concept of split .wim images a step further by creating a split media set consisting of two files:

• An “empty” .wim file that contains only the definition of the image
• A Res.rwm file that contains all the file resources for all images in the image group. The data within Res.rwm is single-instanced and compressed; therefore, the Single Instance Store service is no longer needed. In fact, with Windows Deployment Services, the storage size on disk for images within an image group is greatly reduced, and it is more efficient than the storage mechanism used in RIS.

Can I use Windows Deployment Services (especially multicasting) with virtual computers?

Windows Deployment Services should work on virtual computers. Note, however, that the performance will often be degraded, particularly during the Trivial File Transfer Protocol (TFTP) download phase. This phase is very resource-intensive and may fail if insufficient resources are available on the host computer.


Boot and Install Images

What is the difference between install images and boot images?

Install images are the operating system images that you deploy to the client computer. Boot images are the images that you boot a client computer into to perform an operating system installation. Boot images contain Windows PE and the Windows Deployment Services client (the client is essentially Windows Vista Setup.exe and its supporting files for Windows Deployment Services). You can use the standard boot images that are included on the Windows Vista or Windows Server 2008 media (located at \Sources\boot.wim) without modification. However, the Boot.wim that you use must match or be newer than the operating system of the install image. For example, if you are installing Windows Vista, you must use the boot image from the Windows Server 2008 media; you cannot use the Boot.wim from the Windows Vista media. You can also create custom boot images. For more information, see Chapter 6: Working with Images.

What is the Legacy Images node in the MMC?

The Legacy Images node in the Windows Deployment Services MMC snap-in contains any RIS images that were left after an upgrade from a computer running Windows Server 2003. If you did not upgrade your computer, this node will be empty and will be of no use to you.

How do I maintain my boot and install images?

The following procedures cover some of the common tasks that you may want to perform with your images. For more procedures, see How to Manage Images.

To modify and reimport an image

1. Open the Windows Deployment Services MMC snap-in, right-click the image, and then click Disable. This will allow existing installations to continue, but new clients will not be able to install the image.

To force an in-place conversion of an RIPREP image

When converting a RIPREP image offline, you can force an in-place conversion, which saves both time and the disk space used during the conversion process, by using the /InPlace option of the WDSUTIL /Convert-RiprepImage command.

It is common for variations of a single RIPREP image (differing only by HAL type) to exist on the same server. You can save time during the conversion process by using the /Overwrite:Append option of the WDSUTIL /Convert-RiprepImage command to take advantage of single-instancing within the .wim format. The append operation is much faster than a traditional capture because it avoids compressing and inserting files that already exist in the .wim; files that are identical between images and already present in the .wim file simply have their reference count incremented to indicate that the single file belongs to multiple images.

The general conversion process is to convert the first RIPREP image of the set by creating a new .wim file, and then to convert the remaining RIPREP images of the set (for the other HAL types) by appending them to the .wim you created previously. For more information, see Chapter 6: Working with Images.

To export an image in the store to a standalone .wim

Using WDSUTIL:
• For a boot image, run the command WDSUTIL /Verbose /Progress /Export-Image /Image:<name> /ImageType:Boot /Architecture:{x86|x64|ia64} /DestinationImage /Filepath:<path and filename>.
• For an install image, run the command WDSUTIL /Verbose /Progress /Export-Image /Image:<name> /ImageType:Install /ImageGroup:<image group name> /DestinationImage /Filepath:<path and filename>.

• To set these metadata fields on the image, append /Name:<name> or /Description:<description> to the command.
• To determine behavior when the image specified with /DestinationImage already exists, append /Overwrite:{Yes|No|Append} to the command. Yes will overwrite the image, No will cause an error to occur in the process, and Append will append the new image to the existing .wim file. Note that the Append is available only for install images.


Configuration

Can I have multiple Windows Deployment Services servers on the network?

Yes. For more information, see Chapter 13: Managing a Complex Environment.

What permissions do I need to configure?

For information about the permissions that you need, see Appendix C: Required Permissions.

Why do I need two unattend files?

Two unattend files are necessary because the Windows Deployment Services client can deploy two image types: Windows Vista images that support the Unattend.xml format, and Windows XP and Windows Server 2003 images, which use the Sysprep.inf file. The two files that you must create to automate Setup are the following:

• Windows Deployment Services client unattend file. This file uses the Unattend.xml format and is stored on the Windows Deployment Services server in the \WDSClientUnattend folder. It automates the Windows Deployment Services client user interface screens (such as entering credentials, choosing an install image, and configuring the disk).
• Image unattend file. This file uses either the Unattend.xml or Sysprep.inf format, depending upon the version of the operating system in the image. It is used to configure unattended installation options during Windows Setup and is stored in a subfolder (either $OEM$ structure or \Unattend) in the per-image folder. It automates the remaining phases of Setup (for example, offline servicing, Sysprep specialize, and mini-setup).

For more information, see Chapter 8: Performing Unattended Installations.

Can I protect my users by requiring them to log in before they have a chance to reformat their hard drives?

No permissions are required for the following actions:

• Booting a client into PXE (no mechanism exists to secure the process of booting from the network).
• Selecting a boot image (no mechanism exists to secure the boot images that are listed).

If security is a concern for you, we recommend that you use physical Windows PE media to boot each client computer. The first authentication mechanism for a network installation occurs when the Windows Deployment Services client is running within Windows PE. At this point, users must enter credentials to select an install image. These credentials must be those of a domain account. After a client has been authenticated to the Windows Deployment Services server, the authenticated user must be able to read the Image.wim and Res.rwm files for an image from the RemoteInstall folder. By default, authenticated users have the necessary permissions to do so. For more information, see the “Permissions for Client Installations” section in Appendix C: Required Permissions.


Diagnostics

What logs should I look at to troubleshoot issues?

There are various logs that you can look at to troubleshoot your issues. For a complete list of the logs, see Appendix B: Logging, Tracing, and Diagnostics.

How do I turn on logging?

For information about how to turn on logging, see Appendix B: Logging, Tracing, and Diagnostics.


Common Tasks

The following section contains an assortment of common tasks. For a more extensive list, see Chapter 10: How to Perform Common Tasks.

How do I replicate images?

To make a copy of an install image, run the command WDSUTIL /Copy-Image /Image:<name> /ImageType:Install /ImageGroup:<image group name> /DestinationImage /Name:<name> /Filename:<filename> [/Description:<description>].

How do I join a computer to a domain?

For detailed information about this topic, see the “Domain Join and Computer Naming” section in Chapter 8: Performing Unattended Installations. To prestage a client computer to join a domain by using WDSUTIL, do one of the following:

• To enable a user to join the client computer to a domain once, run the command WDSUTIL /Set-Device /Device:<name> /User:<user> /JoinRights:JoinOnly /JoinDomain:Yes /Domain:<domain> /ResetAccount, where:

<user> is domain\user or user@domain.

<name> is the name of the device.

<domain> is the name of the domain.

• To enable a user to join the client computer to a domain at any time, run the command WDSUTIL /Set-Device /Device:<name> /User:<user> /JoinRights:Full /JoinDomain:Yes /Domain:<domain>.
• To join the client computer to a domain without granting any user rights, run the command WDSUTIL /Set-Device /Device:<name> /JoinDomain:Yes /Domain:<domain>.

How do I set up computer naming?

To specify a policy for generating client computer names, use one of the following methods. For detailed information about this topic, see the “Domain Join and Computer Naming” section in Chapter 8: Performing Unattended Installations.

Using WDSUTIL: Run WDSUTIL /Set-Server /NewMachineNamingPolicy:<Policy>

The policy string works as follows:

• %First: the user’s first name
• %Last: the user’s last name
• %Username: the user’s user name
• %MAC: the MAC address of the computer
• %n#: an incremental n-digit number. For example, %2# will add a number to the computer name in the following order: 1,2,3,…99.
• %0n#: an incremental n-digit number, with zeros added before the digit. For example, %02# will add a number to the computer name in the following order: 01,02,03,…99.

These values can be combined in any order. A number before a tag string (such as %3First or %5Username) will crop the string to that length. For example:

• %61Username%# equals JohnSmi12
• %2first.%last equals Jo.Smith
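The expansion rules above, as an added example that is not Microsoft's code and not part of the original page: a small Python class that applies the tag, counter and cropping rules to a constructed user record, so a prestaging script can check what names a policy will produce before it is set on the server. The 15-character NetBIOS name limit, the single shared counter per generated name, and the error raised on an exhausted n-digit counter are assumptions made here, not rules stated on the page.

```python
import re

# Tags documented on the page; matched case-insensitively because the page's
# own example writes "%2first".
_TAG_RE = re.compile(r"%(\d*)(First|Last|Username|MAC|#)", re.IGNORECASE)


class NamingPolicyError(ValueError):
    """Raised when a policy string cannot produce a valid computer name."""


class NamingPolicy:
    """Expands a NewMachineNamingPolicy string as described on the page.

    Assumptions (not documented on the page): every counter tag in one policy
    shares one value per generated name, a bare "%#" is an unpadded counter
    with no digit limit, and exhausting an n-digit counter is an error rather
    than a wrap-around.
    """

    def __init__(self, policy: str) -> None:
        # Anything left after removing the known tags must not contain '%'.
        if "%" in _TAG_RE.sub("", policy):
            raise NamingPolicyError(f"unrecognised tag in policy: {policy!r}")
        self.policy = policy
        self.counter = 0  # incremented once per generated name

    def _counter_text(self, digits: str) -> str:
        value = self.counter
        if not digits:                      # "%#": no width limit (assumption)
            return str(value)
        width = int(digits)                 # "%2#" -> 2, "%02#" -> 2
        if value > 10 ** width - 1:
            raise NamingPolicyError(
                f"counter exhausted for %{digits}#: {value} needs more than {width} digits")
        if digits.startswith("0"):          # "%02#": zero-padded, 01, 02, ... 99
            return str(value).zfill(width)
        return str(value)                   # "%2#": 1, 2, ... 99

    def next_name(self, first: str, last: str, username: str, mac: str) -> str:
        fields = {
            "first": first,
            "last": last,
            "username": username,
            # Normalise the MAC to 12 hex digits so the name carries no separators.
            "mac": re.sub(r"[^0-9A-Fa-f]", "", mac).upper(),
        }
        self.counter += 1
        pieces, pos = [], 0
        for m in _TAG_RE.finditer(self.policy):
            pieces.append(self.policy[pos:m.start()])  # literal text between tags
            pos = m.end()
            digits, tag = m.group(1), m.group(2).lower()
            if tag == "#":
                pieces.append(self._counter_text(digits))
            else:
                value = fields[tag]
                # A number before a tag crops the value to that many characters.
                pieces.append(value[: int(digits)] if digits else value)
        pieces.append(self.policy[pos:])
        name = "".join(pieces)
        # NetBIOS computer names are limited to 15 characters (a Windows limit,
        # assumed here; the page does not state it).
        if len(name) > 15:
            raise NamingPolicyError(f"generated name {name!r} exceeds 15 characters")
        return name


if __name__ == "__main__":
    # Constructed sample record for a user named John Smith.
    record = ("John", "Smith", "JohnSmith", "00-15-5D-01-02-03")
    for policy in ("%2first.%last", "%Username%2#", "%7Username%02#", "PC-%MAC"):
        print(policy, "->", NamingPolicy(policy).next_name(*record))
```

The constructor rejects a policy containing a tag the page does not define, so a typo such as %Usr fails at script time rather than producing an unexpected name on the first deployment.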

How do I use WDSMCast to transmit other types of files?

The following steps outline the general process for using WDSMCast to transmit data.

1. Install the Transport Server role service.

For more information about this procedure, see Chapter 14: Transport Server.

Windows Firewall with Advanced Security and IPsec

Filed under: Networking — admin @ 12:57 pm

Windows Firewall with Advanced Security is an advanced interface for IT professionals to use to configure both Windows Firewall and Internet Protocol security (IPsec) settings for the computers on their networks. Windows Firewall with Advanced Security is not for home users or for users that are not familiar with advanced firewall or IPsec technologies.

Note:

This topic describes the documentation currently available for Windows Firewall with Advanced Security in Windows Vista® and Windows Server® 2008. Additional documentation is in development, so check back periodically to see what has been added.

Your feedback is valuable. Please send your comments and suggestions to “Windows Vista and Windows Server 2008 Feedback” at vistafb@microsoft.com, with a subject of “Feedback on IPsec and Firewall Documentation”.

Installed Help

Installed Help is available when you open any of the following Microsoft Management Consoles (MMCs), and then press F1: Windows Firewall with Advanced Security, IP Security Policies, and IP Security Monitor. The installed Help provides information about how to use and configure Windows Firewall with Advanced Security and IPsec.

Windows Firewall with Advanced Security Help

The Authfw.chm file is installed with Windows Vista and Windows Server 2008. It is displayed when you open the Windows Firewall with Advanced Security MMC snap-in and press F1. The contents of this Help file are also available on the Web at http://go.microsoft.com/fwlink/?linkid=108253.

Creating and Using IPsec Policies

The Ipsecpolicy.chm file is installed with Windows Vista and Windows Server 2008. It is displayed when you open the IP Security Policies MMC snap-in and press F1. The contents of this Help file are also available on the Web at http://go.microsoft.com/fwlink/?linkid=108254.


Monitoring IPsec

The Ipsecmonitor.chm file is installed with Windows Vista and Windows Server 2008. It is displayed when you open the IP Security Monitor MMC snap-in and press F1. The contents of this Help file are also available on the Web at http://go.microsoft.com/fwlink/?linkid=108255.


Product Evaluation

Product Evaluation documents are designed to help you learn about the technology and some of the ways the technology is commonly used.

Getting Started with Windows Firewall with Advanced Security

Windows Server 2008 Technical Library: http://go.microsoft.com/fwlink/?LinkId=64343

Although typical end-user configuration of Windows Firewall still takes place through the Windows Firewall program in Control Panel, advanced configuration now takes place in the Microsoft Management Console (MMC) snap-in named Windows Firewall with Advanced Security. The inclusion of this snap-in not only provides an advanced interface for configuring Windows Firewall locally but also for configuring Windows Firewall on remote computers by using Group Policy. Firewall settings are now integrated with Internet Protocol security (IPsec) settings, allowing for some synergy: the firewall can now allow traffic based on whether the traffic is secured by IPsec.

Introduction to Server and Domain Isolation with Microsoft Windows

Windows Server 2008 Technical Library: http://go.microsoft.com/fwlink/?LinkId=64344

By using the Windows operating systems, you can mitigate some of the risks associated with unauthorized and potentially unfriendly access to your network and its resources by creating an isolated network. By using Active Directory® Domain Services and Group Policy settings, you can isolate both your domain and servers that store sensitive data, thus limiting access to only authenticated and authorized users.

Server Isolation with Microsoft Windows Explained

Windows Server 2008 Technical Library: http://go.microsoft.com/fwlink/?LinkId=94793

This white paper provides a detailed overview of server isolation. It explains how server isolation protects isolated servers and the benefits of deploying server isolation. It also provides a brief overview of how to deploy server isolation.

Domain Isolation with Microsoft Windows Explained

Windows Server 2008 Technical Library: http://go.microsoft.com/fwlink/?LinkId=94632

This white paper provides a detailed overview of domain isolation. It explains how domain isolation protects domain member computers and the benefits of deploying domain isolation. It also provides a brief overview of how to deploy domain isolation.

Design and Deployment

Step-by-Step Guide to Deploying Policies for Windows Firewall with Advanced Security

Microsoft Download Center: http://go.microsoft.com/fwlink/?LinkID=102503

Windows Server 2008 Technical Library: http://go.microsoft.com/fwlink/?linkid=96318

This step-by-step guide illustrates how to deploy Active Directory® Group Policy objects (GPOs) to configure Windows Firewall with Advanced Security in Windows Vista® and Windows Server® 2008. You get hands-on experience in a lab environment using Group Policy Management tools to create and edit GPOs that implement typical firewall settings. You also configure GPOs to implement common server and domain isolation scenarios.

Troubleshooting

Troubleshooting documentation is designed to help you solve problems that arise when you try to deploy, manage, or use the technology.

Windows Firewall with Advanced Security - Diagnostics and Troubleshooting Tools

Windows Server 2008 Technical Library: http://go.microsoft.com/fwlink/?LinkId=64382

This article describes how Windows Firewall with Advanced Security works, describes the common troubleshooting situations, and specifies which tools you can use for troubleshooting.

Windows Firewall with Advanced Security Event Messages

Windows Server 2008 Technical Library: http://go.microsoft.com/fwlink/?LinkId=96306

These pages describe some of the Event Log messages that can be generated by Windows Firewall with Advanced Security. Each event message is explained along with probable causes, and includes recommended steps to resolve the problem the message represents.

Other Information

Documentation for previous versions of Windows

• More information about the Windows Firewall available in previous versions of Windows can be found at http://go.microsoft.com/fwlink/?linkid=95393.
• More information about IPsec available in previous versions of Windows can be found at http://go.microsoft.com/fwlink/?linkid=95394.
• More information about using IPsec for Server and Domain Isolation in previous versions of Windows can be found at http://go.microsoft.com/fwlink/?linkid=95395.

Network Shell (Netsh)

Filed under: Networking — admin @ 12:57 pm

Network shell (netsh) is a command-line utility that allows you to configure and display the status of various network communications server roles and components after they are installed on computers running Windows Server® 2008.

Some client technologies, such as Network Access Protection (NAP) client and Dynamic Host Configuration Protocol (DHCP) client, also provide netsh commands that allow you to configure client computers running Windows Vista®.

In most cases, netsh commands provide the same functionality that is available when using the Microsoft Management Console (MMC) snap-in for each server role or component. For example, you can configure Network Policy Server (NPS) by using either the NPS MMC snap-in or the netsh commands in the netsh nps context.

In addition, there are netsh commands for network technologies, such as for IPv6, network bridge, and remote procedure call (RPC), that are not available in Windows as an MMC snap-in.

Network Shell (Netsh) Technical Reference

The Netsh Technical Reference provides a comprehensive netsh command reference, including syntax, parameters, and examples for netsh commands. You can use the Netsh Technical Reference to build scripts and batch files by using netsh commands for local or remote management of network technologies on computers running Windows Server 2008.

Content availability

This content is not yet available.

Foundation Network Guides

Filed under: Networking — admin @ 12:56 pm

Windows Server 2008 Foundation Network Guide and Companion Guides

The Windows Server® 2008 Foundation Network Guide provides instructions for planning and deploying the components required for a fully functioning network and a new Active Directory® domain in a new forest.

Companion guides are also available to help you add new network functionality and features to the network you deployed with the Foundation Network Guide.

Windows Server 2008 Foundation Network Guide

Using this guide, you can deploy computers configured with the following Windows server components:

• The Active Directory Domain Services (AD DS) server role
• The Domain Name System (DNS) server role
• The Dynamic Host Configuration Protocol (DHCP) server role
• The Network Policy Server (NPS) role service of the Network Policy and Access Services server role
• The Windows Internet Name Service (WINS) feature
• TCP/IP connections on individual servers

Content availability

This content is available for download at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=105231) and in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=106252).

Foundation Network Companion Guide: Deploying Server Certificates

This companion guide to the Foundation Network Guide provides instructions for deploying server certificates with Active Directory Certificate Services (AD CS) and autoenrolling server certificates to computers running Network Policy Server (NPS) and the Routing and Remote Access service.

You can use server certificates to allow client computers to authenticate servers running NPS and Routing and Remote Access when you deploy the following authentication methods for network access authentication:

• Extensible Authentication Protocol with Transport Layer Security (EAP-TLS). This authentication method also requires the deployment of user and client computer certificates.
• Protected EAP with TLS (PEAP-TLS). This authentication method also requires the deployment of user and client computer certificates.
• PEAP with Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2). This authentication method does not require the deployment of user and client computer certificates.

Guide requirements

To successfully deploy the technologies in this guide, you must first deploy the technologies in the Windows Server 2008 Foundation Network Guide.

For EAP-TLS or PEAP-TLS, you can deploy user and client computer certificates with the Foundation Network Companion Guide: Deploying User and Client Computer Certificates.

Content availability

This content is available for download at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=108259) and in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=108258).

Foundation Network Companion Guide: Deploying Computer and User Certificates

This companion guide to the Foundation Network Guide provides instructions for deploying client computer and user certificates with AD CS. When you deploy EAP-TLS or PEAP-TLS, certificates are required for the authentication of servers, clients, and users during network connection attempts through network access servers, such as 802.1X authenticating switches and wireless access points, virtual private network (VPN) servers, and computers running Windows Server® 2008 and Terminal Services Gateway (TS Gateway).

Guide requirements

To successfully deploy the technologies in this guide, you must first deploy the technologies in the Windows Server 2008 Foundation Network Guide and the Foundation Network Companion Guide: Deploying Server Certificates.

Content availability

This content is not yet available.

Identity and Access Control

Filed under: Security and Protection — admin @ 12:56 pm

Identity and access control are features and technologies that provide a central way of managing credentials and technologies to allow only legitimate users access to devices, applications, and data.

Identity

Establishing a valid user of information or resources in your environment requires that the user be able to provide two pieces of information to your network: identification and proof of identity.

For information about the following topics, see Identity.

• Authentication
• Smart Cards
• Windows Logon (Windows Server 2003)
• Active Directory Domain Services
• Microsoft Identity Integration Server
• Active Directory Federation Services

Access Control

Access control is the process of authorizing users, groups, and computers to access objects on the network by using permissions, user rights, and object auditing.

For information about the following topics, see Access Control.

• Access Control and Authorization

Information Protection

Information protection covers securing data at rest, securing data in transit, and information rights management.

For information about the following topics, see Information Protection.

• Windows BitLocker Drive Encryption
• Encrypting File System
• Active Directory Rights Management Services
• Active Directory Certificate Services

Secure Configuration Assessment and Management

Filed under: Security and Protection — admin @ 12:55 pm

Secure configuration assessment and management tools and services are available for Windows Server® 2008 to administer security throughout a layered defense and manage ongoing threats.

System Security Configuration

System security configuration technologies in Windows include features, tools, and products that help secure servers and connections to those servers.

Server Security Policy Management

Server security policy management helps you keep security settings up to date as your various server configurations change over time. You can analyze server security settings to ensure the policy applied to a server is appropriate for the server role, update a server policy when the server configuration is modified, create a policy for a new application or server role not included in Server Manager, and use security policy management tools to apply security policy settings that are unique to your environment.

Components for server security policy management are included with Windows Server 2008 and can be installed by using the Microsoft Management Console (MMC) or Server Manager.

Security Configuration Wizard

With the Security Configuration Wizard (SCW), you can reduce the attack surface of a computer running Windows Server 2008. SCW determines the minimum functionality required for a server’s role or roles and disables functionality that is not required.

SCW is included with Windows Server 2008 and can be accessed from Administrative Tools and Server Manager.

Authorization Manager

Authorization Manager enables administrators to provide access to applications through assigned user roles that relate to job functions. Authorization Manager applications store the authorization policy in the form of authorization stores in Active Directory Domain Services (AD DS) or in XML files, and these applications apply the authorization policy at run time. In Windows Server 2008, support for SQL stores has been added.

Authorization Manager is included with Windows Server 2008 and can be accessed from the MMC.

Active Directory Domain Services

Active Directory Domain Services (AD DS) stores directory data and manages communication between users and domains, including user logon processes, authentication, and directory searches. An Active Directory domain controller is a server that is running AD DS.

The AD DS server role is included with Windows Server 2008 and can be installed with Server Manager.

Group Policy

Group Policy allows you to implement specific configurations for users and computers.

Group Policy Management is a feature included with Windows Server 2008 and can be installed by using Server Manager.

Security Patch Management

Security patch management in Windows allows you to change and configure security settings through manual and automatic update processes.

Systems Management Server 2003

SMS 2003 Security Patch Management

Systems Management Server (SMS) 2003 enables you to stay aware of the latest updates, identify software vulnerabilities, and quickly deploy updates in an accurate, verifiable, and controlled manner.

Note:

SMS 2003 and System Center products must be purchased under a separate license.

Windows Server Update Services

Microsoft Windows Server Update Services

By using Windows Server Update Services (WSUS), administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network. For more information, see the Windows Server Update Services (WSUS) Technical Library.

WSUS 3.0 can be downloaded and installed from Windows Server Update Services 3.0.

Security Reporting, Monitoring, and Assessment

Security reporting, monitoring, and assessment features, tools, and products can assist you in managing security for your servers.

Security Auditing

Security auditing can help you maintain the security of your system. As part of your overall security strategy, you should determine the level of auditing appropriate for your environment.

Components for security auditing are included with Windows Server 2008 and are accessible by using the Auditpol command-line tool and through any securable object property page.

System Center Reporting Manager 2006

System Center Reporting Manager (SCRM) 2006 consolidates your change and configuration information from SMS 2003 and your event and performance information from Microsoft Operations Manager (MOM) 2005 to give you easy access to the reports you need to manage your enterprise.

SCRM 2006 must be purchased under a separate license.

Security Tools

Security tools help you assess and analyze your security configurations. For a complete list of tools, see Security Tools.

Microsoft Baseline Security Analyzer

The Microsoft Baseline Security Analyzer (MBSA) is a tool designed for the IT professional that helps small-sized and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance.

MBSA 2.1 can be downloaded and installed from Microsoft Baseline Security Analyzer 2.1.

Microsoft Security Assessment Tool

The Microsoft Security Assessment Tool (MSAT) is a risk-assessment tool designed to help organizations assess weaknesses in their current IT security environment, reveal a prioritized list of issues, and help provide specific guidance to minimize those risks.

MSAT 3.0 can be downloaded and installed from Microsoft Security Assessment Tool 3.0.
