July 2007 - Posts - Windows Server 2008 (R2) blog by Kurt Roggen [BE]

July 2007 - Posts

Here are some links that should help you get started with Group Policies in Windows Vista and Windows Server 2008.
Enjoy!!

Getting Started

Planning and Architecture

Deployment

Security and Protection

Operations

Troubleshooting

Technical Reference

Development

Windows Vista

Windows Server 2008

The Group Policy Management Console (GPMC.msc) makes it easier to understand, deploy, manage and troubleshoot Group Policy implementations. It provides a single administrative tool for managing Group Policy across the enterprise and is now installed by default on a server running the Active Directory Domain Services (AD DS) role.

Even though this was already the case with Windows Vista, both the GPMC and the Group Policy Object Editor introduce some long-wanted features.

Group Policy Templates

A long time ago (September 2003), Microsoft posted the Group Policy Common Scenarios: a series of desktop management scenarios implemented through Group Policy and documented in the included whitepaper.  All Group Policy Objects are packaged for import using the Group Policy Management Console.  They represent Microsoft best practices for specific (common) Group Policy scenarios.

The concept of "best practices" is merged into the GPMC, where collections of GPO scenarios can be imported through packages (.cab).

When creating new Group Policy Objects, you are able to use a GPO template as a starting point.

Group Policy Comments

For documentation purposes, you can now include comments per GPO (global) and/or per GPO setting (individual), allowing you to comment the policy implementation you make at a certain point in time...


Comments per GPO setting (individual).

 
Comments per GPO (global).

Group Policy settings Search/Filters

Finally, you are able to easily find GPO settings within the Administrative Templates (only!) through filtering.
Basically, there are three global filters you can apply:

  1. Based on state of GPO setting (Managed, Configured, Commented)
  2. Based on keywords
  3. Based on Requirement Filters

Most wanted and most powerful is the (multiple) keyword search/filter, which allows you to filter the 2500+ settings based on (key)words found (combined via AND/OR) in the GPO setting title (1), its explain text (2) and/or the comments (3) you might have added.

Once you turn on the filter, the results of the Search/Filter are visible individually in the Group Policy Object Editor nodes and/or consolidated in the All Settings node.

Even though these features are available only on Windows Server 2008, they will be made available for Windows Vista shortly after the release of Windows Vista SP1 as an OOB RTW (Out-Of-Band Release-To-Web) of the Remote Server Administration Tools (RSAT).

For those of you who are not familiar with RSAT: it is the next-generation adminpak.msi (Administrative Tools) for Windows Vista/Server 2008.

Central ADMX/ADML Store

Windows Vista introduced a new format for registry-based policy settings (aka Administrative Templates).  In Windows Vista, these registry-based policy settings are defined by standards-based XML files that have an .admx file name extension.  The .admx file format replaces the legacy .adm file format, which uses a proprietary markup language.  Windows Vista ships only with .admx files, located in the %windir%\PolicyDefinitions folder.

In Windows Vista, Administrative Template files are divided into general .admx files and language-specific .adml files. The changes that are implemented since Windows Vista let administrators configure the same set of policies by using different languages.  Administrators can configure policies by using the language-specific .adml files and the language-neutral .admx files.

In pre-Vista operating systems, all the default Administrative Template files are added to the ADM folder of a Group Policy object (GPO) on the domain controller's SYSVOL folder.  The SYSVOL folder is automatically replicated to other domain controllers in the same domain.  A policy file uses approximately 4 to 5 megabytes (MB) of hard disk space.  Because each domain controller stores a distinct version of a policy, replication traffic is increased.  This is referred to as SYSVOL bloat.

Windows Vista/Server 2008 uses a Central Store for Administrative Template files.  Since Windows Vista, the ADM folder is no longer created in a GPO as in earlier versions of Windows.  Therefore, domain controllers do not store or replicate redundant copies of .adm(x/l) files.

To take advantage of the benefits of .admx files, you must create a Central Store in the SYSVOL folder on a domain controller.  The Central Store is a file location that is checked by the Group Policy tools.  The Group Policy tools use any .admx files that are in the Central Store.  The files that are in the Central Store are later replicated to all domain controllers in the domain.

Apart from this replication optimisation (by not inserting ADM(X) files into a GPO), also note that all SYSVOL replication is done by DFSR (DFS Replication) instead of FRS (File Replication Service).  More about this in an upcoming blog post, so keep posted.

For more information on how to create the central store, see Q929841 and the Managing Group Policy ADMX Files Step-by-Step Guide.

Group Policy Change and Release Management

DesktopStandard GPO Vault Enterprise is transformed into Microsoft Advanced Group Policy Management and is included as part of the Microsoft Desktop Optimization Pack for Software Assurance (DOPSA) available now.

In the near future, I will do a quite detailed post on the features that Advanced Group Policy Management brings!!
Keep posted!!

For more information on the Microsoft Desktop Optimization Pack for Software Assurance, see here.

DesktopStandard PolicyMaker Standard Edition, Share Manager, and Registry Extension will be integrated into a future release of the Group Policy Management tools.  Microsoft is still working through the long-term integration plan to determine a time frame for their release, which is not anticipated before fall 2007.

Not sure (anymore) what else is new for Group Policies in Windows Vista? Check out my "Group Policies in Windows Vista" presentation from DevITProDays 2007 in Ghent, Belgium.

More information: Group Policy Settings Reference Windows Server 2008 Beta 3

At Microsoft's Worldwide Partner Conference today, COO Kevin Turner announced the worldwide ship date for Windows Server 2008: February 27.  Microsoft will release SQL Server 2008 and Visual Studio 2008 at the same time. There will also be some local launch events...

Windows Server 2008 general availability is still months away, but Microsoft already has plans for a Windows Server 2008 R2 release in 2009.  Bill Laing, general manager of the Windows Server division, announced this during his Wednesday morning keynote at the Windows Hardware Engineering Conference (WinHEC) in Los Angeles.
He also mentioned that customers can expect R2 to be available only for 64-bit servers.

"One of the reasons behind the R2 release is to keep delivering value to Software Assurance and Enterprise Agreement customers," explained Ward Ralston, senior technical product manager in the Windows Server division, in a post-keynote interview.  "We want to make sure we're very predictable to those customers."

Ralston reiterated Microsoft's update plans, which are to provide software updates every two years and major releases every four years.

Windows Server 2008 is on schedule and is expected to have a release candidate before being released to manufacturing (RTM) in late November or early December.

Windows Server 2008 will be generally available in January.  Windows Server codename "Cougar", aka Windows Small Business Server 2008, follows Windows Server 2008.  Windows Server codename "Centro", the much-anticipated medium-sized version, is expected around or just after Cougar. Windows Server 2008 Storage Server, the storage and file server primarily targeted at SMBs, debuts sometime after Cougar and Centro.

Do you need to evaluate, plan, deploy, maintain, or support Windows Server 2008 in the near future?
These links will help you get started with Windows Server 2008.

Learn

Evaluate

Troubleshoot

Connect with Community

Security

eBooks 

Windows Server 2008 Technical Library

Need to learn more about what’s new for key Windows Server 2008 technologies and where to get additional information? These links to the Windows Server 2008 Technical Library will provide you with introductory and technical overviews and other resources.

[This information is based on the Windows Server 2008 June CTP and is subject to change...]

Windows Server 2008 provides a way to define different password and account lockout policies for different sets of users in a Windows Server 2008 domain.

In Microsoft Windows 2000 and Windows Server 2003 Active Directory domains, only one password policy and account lockout policy could be applied to all users in the domain.  These policies were specified in the Default Domain Policy for the domain. As a result, organizations that wanted different password and account lockout settings for different sets of users had to either create a password filter, deploy multiple domains or implement third-party password filter solutions (like Anixis Password Policy Enforcer, SpecOpsSoftware Password Policy, etc.).

Now, when the domain functional level is set to Windows Server 2008, password policies can be assigned on a per-user and/or per-group (global security group) basis.  A fine-grained password policy cannot be applied to an organizational unit (OU) directly.  To apply a fine-grained password policy to the users of an OU, you can use a shadow group.
A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You add the users of the OU as members of the newly created shadow group and then apply the fine-grained password policy to this shadow group. You can create additional shadow groups for other OUs as needed.

And now the bad news: there is no GUI available to set these password policies, meaning ADSI Edit stays your best friend...

To store fine-grained password policies, Windows Server 2008 includes two new object classes in the Active Directory Domain Services (AD DS) schema:

  • Password Settings Container (PSC)
  • Password Settings Object (PSO) (msDS-PasswordSettings)

A Password Settings Container (PSC) is created by default under the System container in the domain.  You can view it by using the Active Directory Users and Computers snap-in with Advanced features enabled.  It stores the Password Settings objects (PSOs) for that domain only.
A PSO has attributes for all the settings that can be defined in the Default Domain Policy (both Password Policy and Account Lockout Policy, except the Kerberos settings).
These settings include attributes for the following "Password Policy" settings:

  • Enforce password history (msDS-PasswordHistoryLength - integer)
  • Maximum password age (msDS-MaximumPasswordAge - integer8)
  • Minimum password age (msDS-MinimumPasswordAge - integer8)
  • Minimum password length (msDS-MinimumPasswordLength - integer)
  • Passwords must meet complexity requirements (msDS-PasswordComplexityEnabled - boolean)
  • Store passwords using reversible encryption (msDS-PasswordReversibleEncryptionEnabled - boolean)

These settings also include attributes for the following "Account Lockout Policy" settings:

  • Account lockout duration (msDS-LockoutDuration - integer8)
  • Account lockout threshold (msDS-LockoutThreshold - integer)
  • Reset account lockout after (msDS-LockoutObservationWindow - integer8)

These nine attributes are mandatory attributes, which means that you must define a value for each one.
Settings from multiple PSOs are not and cannot be merged.  In addition, a PSO has the following two new attributes:

  • PSO Link (msDS-PSOAppliesTo - string): a multivalued attribute that is linked to user(s) and/or global group(s)
  • Precedence (msDS-PasswordSettingsPrecedence - integer): an integer value that is used to resolve conflicts if multiple PSOs are applied to a user or group object.  A lower value for the precedence attribute indicates that the PSO has a higher rank/priority than other PSOs. 

NOTE: Integer8 attributes are 64-bit numbers (8 bytes) which usually represent time in 100-nanosecond intervals.  If the Integer8 attribute is a date, the value represents the number of 100-nanosecond intervals since 12:00 AM January 1, 1601.

To link the PSO to a global security group or user, you just need to add the distinguished name ("CN=group,OU=Organisational Unit,DC=win2008,DC=net") of the user or group to the msDS-PSOAppliesTo attribute of the Password Settings Object (PSO).

So a PSO is linked to users or global security groups via a standard forward link/backlink mechanism (like group membership, among others).  The forward link (msDS-PSOAppliesTo) is on the PSO; the backlink (msDS-PSOApplied) is on the user/group object.
 

By default, only members of the Domain Admins group can set fine-grained password policies by creating PSOs.
Only members of this group have the Create Child and Delete Child permissions on the Password Settings Container object.  In addition, only members of the Domain Admins group have Write Property permissions on the PSO by default. Therefore, only members of the Domain Admins group can apply a PSO to a group or user. 
However, you can also delegate the ability to set these policies to other users. 

The settings on the PSO may be considered confidential.  Therefore, by default, Authenticated Users do not have Read Property permissions for a PSO.

You do not need permissions on the user or group object to apply a PSO to it.  Conversely, having Write permissions on the user or group object does not give you the ability to link a PSO to the user or group.  The ability to link a PSO to a group or user is given to the owner of the PSO, because the forward link is on the PSO.

Multiple PSOs applied

A user or group object can have multiple PSOs linked to it, either because of membership in multiple groups that each have different PSOs applied to them, or because multiple PSOs are applied to the object directly.  However, only one PSO can be applied as the effective password policy.  The settings from other PSOs that are linked to the user or group cannot be merged in any way.

If multiple PSOs are linked to a user or group, the resultant PSO that is applied is determined as follows:

1. A PSO that is linked directly to the user object is the resultant PSO.  If more than one PSO is linked directly to the user object, a warning message is logged in the event log and the PSO with the lowest precedence value is the resultant PSO.

2. If no PSO is linked to the user object, the global security group membership(s) of the user, and all PSOs that are applicable to the user based on those global group memberships, are compared.  The PSO with the lowest precedence value is the resultant PSO.

3. If no PSO is obtained from conditions (1) and (2), the Default Domain Policy is applied.

IMPORTANT:

Microsoft positions this feature as an alternative to deploying multiple domains because of the "single domain password policy" limitation.  Fine-grained password policies do NOT interfere with custom password filter solutions (passfilt.dll) that you might use in the same domain.  Organizations that have deployed custom password filters to domain controllers running Windows 2000 or Windows Server 2003 can continue to use those password filters to enforce additional restrictions for passwords.
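To make the attribute encoding and the three resolution rules concrete, here is an added Python model (example code, not from the post or from Microsoft). It renders a PSO with its nine mandatory attributes as an ldifde-style record, converts the Integer8 values described in the NOTE above, and resolves the effective PSO for a few users. Every DN, group name and policy value is constructed; the only detail not stated in the post is that AD DS stores the duration attributes as negative 100-nanosecond counts, which the code comments call out.

```python
"""PSO model: Integer8 encoding, ldifde-style record, resultant-PSO rules.

Added example, not code from the blog post or from Microsoft; every DN,
group and policy value below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

TICKS_PER_SECOND = 10_000_000                       # Integer8 = 100-ns intervals
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def duration_to_integer8(seconds: float) -> int:
    """Encode a duration as AD DS stores it: a NEGATIVE count of 100-ns
    intervals (42 days -> -36288000000000). The sign convention is a known
    AD DS detail that the post itself does not mention."""
    return -int(round(seconds * TICKS_PER_SECOND))


def integer8_to_datetime(value: int) -> datetime:
    """Decode an Integer8 date: 100-ns intervals since 1601-01-01 00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


@dataclass
class PSO:
    """One msDS-PasswordSettings object with its nine mandatory attributes."""
    cn: str
    precedence: int                  # msDS-PasswordSettingsPrecedence (lower wins)
    applies_to: List[str]            # msDS-PSOAppliesTo: user / global group DNs
    history_length: int = 24         # msDS-PasswordHistoryLength
    max_age_days: float = 42         # msDS-MaximumPasswordAge
    min_age_days: float = 1          # msDS-MinimumPasswordAge
    min_length: int = 8              # msDS-MinimumPasswordLength
    complexity: bool = True          # msDS-PasswordComplexityEnabled
    reversible: bool = False         # msDS-PasswordReversibleEncryptionEnabled
    lockout_threshold: int = 0       # msDS-LockoutThreshold (0 = never lock out)
    lockout_minutes: float = 30      # msDS-LockoutDuration
    observation_minutes: float = 30  # msDS-LockoutObservationWindow

    def to_ldif(self, domain_dn: str) -> str:
        """Render an ldifde-style add record under the Password Settings Container."""
        attrs = {
            "msDS-PasswordSettingsPrecedence": self.precedence,
            "msDS-PasswordHistoryLength": self.history_length,
            "msDS-MaximumPasswordAge": duration_to_integer8(self.max_age_days * 86400),
            "msDS-MinimumPasswordAge": duration_to_integer8(self.min_age_days * 86400),
            "msDS-MinimumPasswordLength": self.min_length,
            "msDS-PasswordComplexityEnabled": str(self.complexity).upper(),
            "msDS-PasswordReversibleEncryptionEnabled": str(self.reversible).upper(),
            "msDS-LockoutThreshold": self.lockout_threshold,
            "msDS-LockoutDuration": duration_to_integer8(self.lockout_minutes * 60),
            "msDS-LockoutObservationWindow": duration_to_integer8(self.observation_minutes * 60),
        }
        lines = [f"dn: CN={self.cn},CN=Password Settings Container,CN=System,{domain_dn}",
                 "changetype: add", "objectClass: msDS-PasswordSettings"]
        lines += [f"{name}: {value}" for name, value in attrs.items()]
        lines += [f"msDS-PSOAppliesTo: {dn}" for dn in self.applies_to]
        return "\n".join(lines) + "\n"


@dataclass
class User:
    dn: str
    member_of: List[str] = field(default_factory=list)   # global security group DNs


def resultant_pso(user: User, psos: List[PSO], log: List[str]) -> Optional[PSO]:
    """Apply the three rules above; None means the Default Domain Policy applies."""
    direct = [p for p in psos if user.dn in p.applies_to]
    if direct:                                            # rule 1: direct link wins
        if len(direct) > 1:                               # AD DS logs a warning here
            log.append(f"warning: {len(direct)} PSOs linked directly to {user.dn}")
        return min(direct, key=lambda p: p.precedence)
    via_group = [p for p in psos if any(g in p.applies_to for g in user.member_of)]
    if via_group:                                         # rule 2: lowest precedence
        return min(via_group, key=lambda p: p.precedence)
    return None                                           # rule 3


# Constructed directory, in the DN style of the post's own example.
DOMAIN = "DC=win2008,DC=net"
ADMINS = f"CN=Domain Admins,CN=Users,{DOMAIN}"
FIN_SHADOW = f"CN=Finance-Shadow,OU=Finance,{DOMAIN}"   # shadow group for the Finance OU
SVC = f"CN=svc-backup,OU=Service,{DOMAIN}"
CAROL = f"CN=carol,OU=Contractors,{DOMAIN}"
PSOS = [
    PSO("PSO-Admins", 10, [ADMINS], max_age_days=30, lockout_threshold=3),
    PSO("PSO-Finance", 20, [FIN_SHADOW], max_age_days=60, lockout_threshold=5),
    PSO("PSO-Service", 50, [SVC], max_age_days=365),
    PSO("PSO-Contractor-A", 40, [CAROL], min_length=12),
    PSO("PSO-Contractor-B", 30, [CAROL], min_length=14),
]


def demo() -> Tuple[Dict[str, str], List[str]]:
    """Resolve four constructed users; returns ({user dn: policy name}, warnings)."""
    log: List[str] = []
    users = [
        User(f"CN=alice,OU=Finance,{DOMAIN}", [FIN_SHADOW, ADMINS]),  # two group PSOs
        User(SVC, [ADMINS]),   # direct link beats the group link despite precedence 50
        User(CAROL),           # two direct links: warning logged, lowest precedence wins
        User(f"CN=bob,OU=Sales,{DOMAIN}"),                            # no PSO at all
    ]
    effective = {u.dn: resultant_pso(u, PSOS, log) for u in users}
    return {dn: (p.cn if p else "Default Domain Policy") for dn, p in effective.items()}, log
```

Running `demo()` shows alice picking up PSO-Admins (precedence 10 beats 20 among her group-linked PSOs), svc-backup keeping PSO-Service even though the group-linked PSO-Admins has a lower precedence value, carol producing one warning and getting PSO-Contractor-B, and bob falling back to the Default Domain Policy. `PSOS[0].to_ldif(DOMAIN)` prints the record you would feed to ldifde; note the negative Integer8 values for the duration attributes.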

Some Gotchas!!

  • Fine-grained password policies apply only to users and global security groups - NO OUs!!
  • Only members of the Domain Admins group can set fine-grained password policies
  • Only one PSO can be applied as the effective password policy to a user and/or group
  • Settings from other PSOs linked to a user and/or group cannot be merged.
  • Fine-grained password policies do NOT replace custom built password filters.

For more information: Windows Server 2008 Technical Library

Also: Manage Fine-Grained Password Policies with Powershell, Ulf B. Simon-Weidner's blog

Also have a look at the free UI Console for Fine-Grained Password Policies (using Powershell password policy cmdlets)

The Add Roles Wizard, which can be used to add one or more roles to the server, automatically checks for dependencies between roles and verifies that all required roles and role services are installed for each selected role.

For some roles, such as Terminal Services and Active Directory Certificate Services, the Add Roles Wizard also provides configuration pages that allow the user to specify how the role should be configured as part of the installation process. Currently, there are 17 server roles available (listed below), of which 9 can also run on Server Core (as mentioned in a previous post).

Most roles, such as File Services, Terminal Services, and Active Directory Certificate Services, are composed of multiple sub-elements, identified as role services in the Server Manager interface.  These role services can be selected via the Add Role Services Wizard.

The Add Features Wizard allows you to install one or more features (PowerShell, GPMC, NLB, failover clustering) on the computer in a single session.  Features are software programs that support or augment the functionality of one or more roles or enhance the functionality of the server itself, regardless of which roles are installed.

Server Manager also offers a command-line tool - ServerManagerCmd.exe - which automates the deployment of roles and features on computers running Windows Server 2008.

Use ServerManagerCmd.exe to install and remove roles, role services, and features in an unattended way, via command-line parameters or an unattend XML file. ServerManagerCmd.exe parameters also display a list of all roles, role services, and features, both installed and available for installation on the computer.

To find out which roles and/or features are currently installed, use:

ServerManagerCmd.exe -query

To install a new role, use:

ServerManagerCmd.exe -install Web-Server
ServerManagerCmd.exe -install RSAT-Feature-Tools
ServerManagerCmd.exe -install RSAT-Role-Tools

This results in all Server Role snap-ins being installed.

Some other parameters:

ServerManagerCmd.exe -query [<query.xml>] [-logPath <log.txt>]
ServerManagerCmd.exe -inputPath <answer.xml> [-resultPath <result.xml> [-restart] | -whatIf] [-logPath <log.txt>]
ServerManagerCmd.exe -install <command-Id> [-setting <setting-name>=<setting value>]* [-allSubFeatures] [-resultPath <result.xml> [-restart] | -whatIf] [-logPath <log.txt>]
ServerManagerCmd.exe -remove <command-Id> [-resultPath <result.xml> [-restart] | -whatIf] [-logPath <log.txt>]
ServerManagerCmd.exe [-help | -?]
ServerManagerCmd.exe -version

For more information: Server Manager Technical Overview - Appendix

The Initial Configuration Tasks feature helps administrators configure a server and shorten the amount of time between operating system installation and deployment of the server in an enterprise.  "Initial Configuration Tasks" allows administrators to postpone these tasks until installation is complete, meaning fewer interruptions during installation.

Initial Configuration Tasks replaces the Post-Setup Security Updates feature that was introduced in Windows Server 2003 Service Pack 1 (SP1).  Initial Configuration Tasks extends the functionality of Post-Setup Security Updates by guiding you through all of the tasks you must complete to configure a new server, not just those tasks that are related to security.

It opens automatically after the operating system installation process completes and helps the administrator finish the setup and initial configuration of a new server.  And yes, you can switch it off (from install.wim via unattend.xml and/or via Group Policy).

It includes tasks such as setting the Administrator password (default: blank), changing the name of the Administrator account (default: Administrator) to improve the security of your server, joining the server to an existing domain (default: WORKGROUP), changing the name of the computer (default: randomly generated), enabling Remote Desktop for the server, and enabling Windows Update (default: off) and Windows Firewall (default: on).

The Add Roles and Add Features commands in the Initial Configuration Tasks window allow you to begin adding roles (default: none) and features to your server immediately, just as from within the Server Manager console.

When the Initial Configuration Tasks window is closed, Server Manager opens by default, which I covered in a previous post.

In Windows Server 2008, administrators can now choose to install a minimal environment that avoids extra overhead.  Although this option limits the server roles and features the server can perform, it can improve security and reduce management effort. This type of installation is called a Server Core installation.

A Server Core installation provides these benefits in three ways:

  • By reducing the software maintenance required (fewer updates, etc.)
  • By reducing the management required
  • By reducing the attack surface

To accomplish this, the Server Core installation option installs only the subset of binary files required by the supported server roles.  It takes about 1 GB of disk space and has a memory footprint of roughly 100 MB (varies per Server Core role).

A server running a Server Core installation does not have a graphical user interface or provide the ability to run applications.  Meaning: no more Windows Explorer shell... Instead, the default user interface for a Server Core installation is the command prompt.

During the deployment of the Windows Server image (install.wim), you are prompted for all available SKUs, including the Server Core SKUs.

Server Core installations provide an environment for running the following server roles (9):

  • Active Directory Domain Services (incl. RO DC)
  • Active Directory Lightweight Directory Services (AD LDS)
  • DHCP Server
  • DNS Server
  • File Services
  • Print Server
  • Streaming Media Services
  • Windows Server Virtualisation (aka Hypervisor)
  • Web Server (as static webserver)

Server Core installations provide an environment for running the following server features:

  • Failover Clustering
  • Network Load Balancing (NLB)
  • Subsystem for UNIX-based applications
  • Backup
  • Removable Storage Management
  • BitLocker Drive Encryption (BDE)
  • Simple Network Management Protocol (SNMP) service
  • Telnet client

The initial configuration tasks will have to be completed using command-line tools or scripts...

  • Setting the Administrator Password
    • CTRL+ALT+DEL and click Change password
    • net user administrator *
  • Activating your Windows Server
    • cscript Slmgr.vbs -ato
  • Renaming computer
    • netdom renamecomputer %computername% /NewName:newname
  • Configuring static IP address
    • Netsh interface ipv4
      • show interfaces
      • set address name="ID" source=static address=StaticIP mask=SubnetMask gateway=DefaultGateway
      • add dnsserver name="ID" address=DNSIP1 index=1
      • add dnsserver name="ID" address=DNSIP2 index=2
  • Joining a domain (if required)
    • Netdom
  • Adding additional Server (Core) Roles and/or Components/Features
    • OCsetup.exe <Package/Feature>
      (FYI: OC = Optional Component.
      Remember: Package/Feature names are case-sensitive!!)
  • Displaying available and installed Server (Core) Roles and/or Components/Features
    • OClist.exe
  • Enable Terminal Services RDP
    • cscript SCregedit.wsf /AR 0
      (FYI: SC = ServerCore, AR = AllowRemoteAdministration, 0 = enabled!)
  • Others
    • DNScmd, DFScmd, DCpromo (/unattend:answerfile), ...

In many cases, a Server Core installation will be installed using an unattended installation script.

Alternatively, you can manage a Server Core installation with Microsoft Management Console (MMC) snap-ins from another computer running Windows Server 2008 by selecting the computer running a Server Core installation as a remote computer to manage.

Oh yes, you cannot upgrade to a Server Core installation from a previous version of Windows, nor from Windows Server 2008 to Server Core or vice versa... for obvious reasons!!

For more information: Server Core Installation Step-by-Step Guide 
For some additional Tips & Tricks: Server Core Product team blog

The Server Manager console is a new Microsoft Management Console (MMC) snap-in that provides a consolidated view of the server, including information about server configuration, the status of installed server roles (such as File, Print, Web, DNS, DHCP, AD DS, AD FS, WDS, etc.), Windows features (such as failover clustering, BitLocker, GPMC, PowerShell, NLB, RSAT, SNMP, etc.) and commands for adding and removing roles and features.

While adding and removing server roles and features is not new, Server Manager unifies the functionality of multiple earlier tools in a single, simple, MMC-based user interface.  Server Manager provides a single point of access to management snap-ins for all installed roles.

Roles and features installed by using Server Manager are secure by default. Administrators need not run the Security Configuration Wizard following role installation or removal unless they want to change default settings.

The hierarchy pane of the Server Manager console contains expandable nodes administrators can use to go directly to consoles for managing specific roles, troubleshooting tools, or backup and disaster recovery options.

Earlier versions of Windows Server required you to use Configure Your Server, Manage Your Server, or Add or Remove Windows Components to add or remove server roles or other software.  Dependency checks were limited, and Add or Remove Windows Components limited administrators to installing only one role at a time: before you could add more roles, installation of each role had to complete.

Server Manager is a collection of wizards that allow you to add, remove, or augment multiple roles in a single session.  It is possible to have your server completely ready for deployment at the completion of a single session in one of the Server Manager wizards.
Roles are configured with recommended security settings by default; there is no requirement to run the Security Configuration Wizard following role or feature installation unless it is necessary to modify the security defaults.

For more information: Windows Server TechCenter