September 2007 - Posts - Windows Server 2008 (R2) blog by Kurt Roggen [BE]

September 2007 - Posts

At first glance, the story for FTP and IIS 7.0 may seem a little confusing. There are actually two FTP servers available.  One comes out of the box with either Windows Vista or Windows Server 2008 and we provide the other as a download from the web.

Why bother downloading?  Because the new features are compelling.  For shared hosting, we offer improvements to integrating FTP into your web site, virtual host name support and new user isolation features.  We offer support for Internet standards like IPv6, UTF8, and SSL.  And our FTP server is fully integrated with IIS 7.0: this means you get a new user interface, the new XML-based configuration, and the extensibility improvements that all come built-in with IIS 7.0.

More information: IIS product team website

For those of you who are missing the GPMC script on Windows Vista, here's what you need... the downloadable bundle of GPMC (sample) script for Windows Vista and Windows Server 2008.

The Group Policy Management Console (GPMC) provides a comprehensive set of COM interfaces that you can use to script many of the operations supported by the console.  Included in this download is a set of sample scripts that make use of these interfaces.

You can find the sample scripts in the "%programfiles%\Microsoft Group Policy\GPMC Sample Scripts" folder.

The scripts included were written to solve real-world administrative problems and form the basis for a scripting toolkit useful for managing Group Policy.  The sample scripts also serve to illustrate some of the key scripting objects and methods, and to provide an overview of the wide variety of tasks that can be accomplished with the GPMC.

The script samples are written in either VBscript or Jscript and are designed to be executed using Windows Script Host. All of the samples are intended to be executed from the command line.  Because the sample scripts echo output to the command window, they should be executed using cscript.exe. If cscript.exe is not your default scripting host, you will need to explicitly specify cscript.exe on the command line.

The main administrative scripts have a .wsf extension, which is one of the file formats associated with Windows Script Host (WSH). Scripts with the .wsf extension are XML-formatted files that can call other scripts written in VBScript or JScript, which means that one script can take advantage of both the VBScript and JScript scripting engines. 
Many of the sample scripts rely on a library of common helper functions contained in the file Lib_CommonGPMCFunctions.js.  If you copy these scripts to another location, you must also copy this library file to that location for the sample script to work.

Below is a list of the included scripts:

BackupAllGPOs.wsf
BackupGPO.wsf
CopyGPO.wsf
CreateEnvironmentFromXML.wsf
CreateGPO.wsf
CreateMigrationTable.wsf
CreateXMLFromEnvironment.wsf
DeleteGPO.wsf
DumpGPOInfo.wsf
DumpSOMInfo.wsf
FindDisabledGPOs.wsf
FindDuplicateNamedGPOs.wsf
FindGPOsByPolicyExtension.wsf
FindGPOsBySecurityGroup.wsf
FindGPOsWithNoSecurityFiltering.wsf
FindOrphanedGPOsInSYSVOL.wsf
FindSOMsWithExternalGPOLinks.wsf
FindUnlinkedGPOs.wsf
GetReportsForAllGPOs.wsf
GetReportsForGPO.wsf
GrantPermissionOnAllGPOs.wsf
ImportAllGPOs.wsf
ImportGPO.wsf
Lib_CommonGPMCFunctions.js
ListAllGPOs.wsf
ListSOMPolicyTree.wsf
QueryBackupLocation.wsf
RestoreAllGPOs.wsf
RestoreGPO.wsf
SampleEnvironment.xml
SampleMigrationTable.migtable
ScriptingReadme.rtf
SetGPOCreationPermissions.wsf
SetGPOPermissions.wsf
SetGPOPermissionsBySOM.wsf
SetSOMPermissions.wsf

Download here


Ever had to contact Microsoft for a non-public hotfix you needed?
Then this will surely help you in the future!

To obtain a hotfix from Microsoft, you can now submit your request via a web form (below) to Microsoft Online Customer Service and Support.  
You should expect to receive a download link via email from Microsoft within 8 business hours.

Link can be found here.

In my previous post "Signup for the Windows Server 2008 Security Guide BETA", I mentioned how to subscribe.
Meanwhile an alpha version of the Windows Server 2008 Security Guide has appeared (about 250 pages).

This guide provides instructions and recommendations to help strengthen the security of machines running Windows Server 2008 in a domain that uses Active Directory, by implementing a security baseline and hardening security per type of server role (ADDS, ADCS, DNS, DHCP, Web Servers, File Servers, Print Servers, Terminal Servers, ...).

NOTE: The Alpha version of the Windows Server 2008 Security Guide is not supported for production use.

As you know, RC0 of Windows Server 2008 is quite unique since it contains a CTP (Customer Technical Preview) of the Windows Server Virtualization (WSv) server role.

This release of Windows Server Virtualization is distributed in two update packages, which must be installed before you can install the role. The updates are stored in %windir%\WSV. To install the packages, double-click Windows6.0-KB939854-x64.msu and Windows6.0-KB939853-x64.msu. After you install the updates, Windows Server Virtualization is available for installation by using Server Manager. For more information: see WSv release notes below.

This time-limited release of Windows Server 2008 Release Candidate 0 will expire on April 7, 2008.  After this time, you will need to uninstall the software or upgrade to a later release or a fully-licensed version of Windows Server 2008.

This product requires a valid product key for activation – you may install the product without activation, but if you do not enter a valid product key and activate within 30 days of installation, the software will cease to function.

If you have not received a product key, you can obtain one by visiting one of the following sites:

  • Developers
  • IT Professionals

Downloads are available below:

Windows Server 2008 RC0 Standard Edition
Windows Server 2008 RC0 Enterprise
Windows Server 2008 RC0 Datacenter
Windows Web Server 2008 RC0

Updated documentation/guides are available below:

Windows Server 2008 Technical Overviews
Windows Server 2008 Step-by-Step Guides
System Requirements and Installation Documentation for Windows Server 2008 Release Candidate
Release Notes for this Release of Windows Server Virtualization

Additional reading:

How to install the Windows Server virtualization role in Windows Server 2008 RC0 (John Howard - PM WSv)

The Microsoft Windows Imaging format (WIM) is a file-based image format, instead of the sector-based image formats you find a lot today.  Using a file-based image format, WIM provides several benefits:

• This WIM image format is hardware-agnostic, meaning that you need only one image to address many different hardware configurations.  Together with the HAL independence of Windows Vista you can reduce the number of images dramatically.
• The WIM image format also lets you store multiple images within one actual file.  Microsoft ships multiple SKUs in one WIM image file. You store images with and without core applications in a single image file.  Also, you can mark one of the images as bootable, allowing you to start/boot a machine from a disk image contained in a WIM file.
• The WIM image format enables compression and single instancing, reducing the size of image files significantly and thus their transfer over the network.
  Single instancing is a technique that allows you to store two or more copies of a file for the space cost of one copy.
  For example, if images 1, 2, and 3 all contain file A, single-instancing stores a single copy of the file A and points images 1, 2, and 3 to that copy.
• The WIM image format allows you to do offline image servicing.  You can add or delete certain operating system components, patches, and drivers without creating a new image. Rather than spending a few hours updating an image, which you do now with Microsoft Windows XP, for example, you can update an image in minutes. For example, to add a patch to a Windows XP image, you must boot the master image, add the patch, and then prepare the image again. With Windows Vista, you can simply service the image offline.
• The WIM image format lets you install a disk image on partitions of any size, unlike sector-based image formats that require you to deploy a disk image to a partition that's the same size or larger than the source disk.
• Windows Vista provides an API for the WIM image format called WIMGAPI that developers can use to work with WIM image files.
• The WIM image format allows for non-destructive deployment.  This means that you can leave data on the volume to which you apply the image because the application of the image does not erase the disk's existing contents.  A tool that will help you in that area is USMT (User State Migration Tool).
• Ready for "carousel multi-cast implementations" as found in Windows Server 2008 (see previous post).
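To make the single-instancing point above concrete, here is an added PowerShell example (not part of the original post and not Microsoft's WIM code) that models it: each distinct file body is stored once in a pool keyed by its SHA-256 hash, and the three "images" keep only references to it. The image names, paths and file contents are constructed for this example; the functions are assumptions, not WIMGAPI calls.

```powershell
# Added example (not from the original post): a small model of WIM-style single instancing.
# Three constructed "images" are hashtables mapping a path to file contents. Each distinct
# file body is stored once in a pool keyed by its SHA-256, and every image keeps only
# references, so file A shared by images 1, 2 and 3 costs the space of one copy.
# Image names, paths and contents below are constructed for this example.

function Get-ContentHash {
    param([byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { [System.BitConverter]::ToString($sha.ComputeHash($Bytes)).Replace('-', '') }
    finally { $sha.Dispose() }
}

function New-SingleInstanceStore {
    param([hashtable]$Images)   # image name -> hashtable of path -> [byte[]]
    $pool  = @{}                # content hash -> bytes, one copy per distinct content
    $index = @{}                # image name -> hashtable of path -> content hash
    $rawBytes = 0
    foreach ($imageName in $Images.Keys) {
        $index[$imageName] = @{}
        foreach ($path in $Images[$imageName].Keys) {
            [byte[]]$bytes = $Images[$imageName][$path]
            $rawBytes += $bytes.Length
            $hash = Get-ContentHash -Bytes $bytes
            if (-not $pool.ContainsKey($hash)) { $pool[$hash] = $bytes }
            $index[$imageName][$path] = $hash
        }
    }
    $storedBytes = 0
    foreach ($blob in $pool.Values) { $storedBytes += $blob.Length }
    [pscustomobject]@{
        Pool        = $pool
        Index       = $index
        RawBytes    = $rawBytes      # cost of keeping every image's files separately
        StoredBytes = $storedBytes   # what the single-instanced pool actually holds
    }
}

# Read a file back out of an image and verify it against the hash it was stored under;
# a content-addressed pool lets the consumer detect a corrupted or tampered blob this way.
function Get-ImageFile {
    param($Store, [string]$ImageName, [string]$Path)
    $hash = $Store.Index[$ImageName][$Path]
    [byte[]]$bytes = $Store.Pool[$hash]
    if ((Get-ContentHash -Bytes $bytes) -ne $hash) {
        throw "Content of '$Path' in image '$ImageName' does not match its stored hash"
    }
    return $bytes
}

# Constructed sample data: a.sys is identical in all three images; the other files differ.
$enc   = [System.Text.Encoding]::UTF8
$fileA = $enc.GetBytes('shared driver body ' + ('x' * 4096))
$images = @{
    Image1 = @{ 'Windows\System32\drivers\a.sys' = $fileA; 'Windows\b.dll' = $enc.GetBytes('b version 1') }
    Image2 = @{ 'Windows\System32\drivers\a.sys' = $fileA; 'Windows\b.dll' = $enc.GetBytes('b version 2') }
    Image3 = @{ 'Windows\System32\drivers\a.sys' = $fileA; 'Windows\c.exe' = $enc.GetBytes('c') }
}

$store = New-SingleInstanceStore -Images $images
'Raw size: {0} bytes; single-instanced pool: {1} bytes; distinct blobs: {2}' -f $store.RawBytes, $store.StoredBytes, $store.Pool.Count
# The shared driver is stored once but readable from every image:
$driver = Get-ImageFile -Store $store -ImageName 'Image3' -Path 'Windows\System32\drivers\a.sys'
'Recovered {0} bytes for a.sys from Image3' -f $driver.Length
```

The pool holds four blobs instead of six files, and because every reference is a hash of the content, reading a file out of an image doubles as an integrity check: a blob that has been altered on disk no longer matches the hash the image points to.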

ImageX is a command-line tool in Windows Vista & Windows Server 2008 that you can use to create and manage Windows image (.wim) files.  A .wim file contains one or more volume/partition images that contain images of an installed Windows operating system.

To modify your volume images, you must install the Windows Imaging File System Filter (WIM FS Filter) driver on a computer running Windows XP with Service Pack 2 (SP2), Windows Server 2003 with Service Pack 1 (SP1), Windows Vista or Windows Server 2008.  Installing the WIM FS Filter driver enables you to mount a .wim file as if it were a directory and to browse, copy, paste, and edit the volume images from a file management tool, such as Windows Explorer, without extracting or recreating the image.

ImageX is part of the WAIK (Windows Automated Installation Kit).

For more information: Vista TechCenter

Richard Smith has written a nice little GUI on top of ImageX, called GImageX.exe, making it more user friendly.  Just drop GImageX.exe into a folder with the ImageX files in your Windows PE environment.  It even supports the configuration file wimscript.ini, which determines which files and folders must be excluded from the capture process when using the /capture option or excluded from the compression process when using the /compress option.

The GUI allows you to:

• Map a drive
• Capture a .wim file
• Deploy/Apply an image from a .wim file

(Screenshot: Capture a .wim file)

(Screenshot: Deploy/Apply an image from a .wim file)

On Wednesday evening, September 26th, the HP Interex User Group is focusing on security technologies in Windows Server 2008.  If you're interested, have a look at the agenda below and register; it is a free event.

Agenda

Presentation 1: Overview of What’s New in Windows Server 2008

Abstract: This session will present an overview of the key Windows Server 2008 Beta 3 features and the development philosophy behind these features.  We will take a close look at Server Manager, Windows Firewall, Networking, Security, Failover Clustering, Server Core, Internet Information Services (IIS) 7.0, Terminal Services (TS), and more!
Speaker: Arlindo Alves (IT Pro Evangelist, Microsoft Belgium)

Presentation 2: Security Technologies in Windows Server 2008

Abstract: This session will present an overview of the new security technologies that Microsoft includes in Windows Server 2008. It discusses the new Windows Server 2008 security features in the areas of isolation and resilience, security management and access control.  Among the topics covered are: BitLocker Drive Encryption (BDE), User Account Control, new Active Directory (AD) security features (Read-Only DC, fine-grained password policies and Server Core), and the enhancements in Windows PKI.  Special attention is paid to how these new technologies can be turned into real customer added value and arguments that can motivate the upgrade to Windows Server 2008.
Speaker: Jan De Clercq (Security Advisor, HP Belgium)

Timing and Registration

When: September 26, 2007 - Doors open at 16:00, sessions start at 16:30
Where: Microsoft, Diegem

Please register via e-mail to administrator@hp-interex.be.  Mention your name, first name and company name.

"Deployment 4" Beta 3 combines the guidance and toolset from previous releases of Business Desktop Deployment and beta releases of Windows Server Deployment.

This release continues to support Zero Touch Installation (ZTI) of desktop operating systems using Systems Management Server (SMS) 2003 with the Operating System Deployment Feature Pack and adds new deployment and task sequencing capabilities for desktops and servers using System Center Configuration Manager 2007.

Deployment 4 also continues to provide Lite Touch Installation (LTI) support without infrastructure requirements and adds capabilities for Windows Server 2003 and pre-release versions of Windows Server 2008 (including support for Server Core installation options).

Some of the enhancements you will find are:

• Enhanced disk and network interface card (NIC) configuration options, including support for static TCP/IP configuration.
• Design changes to ease the migration from LTI to Configuration Manager 2007.
• Support for multiple task sequence templates. (Client template: Windows XP/Vista, Server template: Windows Server 2003/2008)

(Screenshot: Support for multiple task sequence templates.)

(Screenshot: Enhanced disk and NIC configuration options, including support for static TCP/IP configuration.)

(Screenshot: Enhanced disk configuration options.)

Notice that all wizards are no longer HTML based, but true MMC based wizards...

Where to Find Deployment 4 Beta 3

Deployment 4 Beta 3 is part of the Windows Server 2008 Beta and TAP Programs.
It is also available as an open beta download.

To join the Deployment 4 Beta 3 program, follow these steps:

1. Visit the Microsoft Connect Web site (http://connect.microsoft.com).
2. Click Invitations on the Connect menu.
3. You will need to sign in using a valid Windows Live ID before you can continue to the Invitations page.
4. Enter your Invitation ID in the box. Your invitation ID is: BDDP-QMYH-VWTH
5. Click Go.
6. If you have not previously registered with Microsoft Connect, you might be required to register before you continue with the invitation process.

To download Deployment 4, click Download Now.

For more information: Microsoft Deployment Team blog, Michael Niehaus blog

Learn more about the improved features and functionality in the upcoming Windows Server 2008 release, including management tasks, network protection and improvements to Terminal Services.

Enjoy!!

As with Windows Server 2003, you can use restored backup media to minimize replication traffic during AD DS installation on a server that is running Windows Server 2008.  You can use this installation method to install a new (additional) domain controller in an existing domain.

Of course, the amount of data to be replicated depends on how up-to-date your backup is.  Objects that were modified, added or deleted since the backup was taken must be replicated after the AD DS installation process.
If the backup was recent, the amount of replication data required will be considerably smaller than the amount of replication data required for a normal AD DS installation.

The Install From Media (IFM) option only appears when the check box for "Use advanced mode installation" is selected on the Welcome page of the wizard.  This "advanced mode" is an alternative to running dcpromo /adv.

IMPORTANT: The installation media that you use must be prepared from the same type of domain controller that you are installing. The following aspects of the domain controller source and target must be identical:

• Domain controller option: Writable (RWDC) or Read-Only (RODC)
• Operating system: Windows 2000 Server, Windows Server 2003 or Windows Server 2008
• Platform: x86, IA64 or x64

NOTE: A Server Core installation can be the source for installing a new domain controller on a Full installation of Windows Server 2008.

Installation Media

Windows Server 2008 includes an improved version of Ntdsutil.exe that you can use to create the installation media for both writable (RWDC) and read-only DCs (RODC).  Ntdsutil.exe can create four types of installation media:

1. Full (or writable) domain controller (Create Sysvol Full %s)
2. Full (or writable) domain controller without SYSVOL data (Create Full %s)
3. Read-only domain controller (Create Sysvol RODC %s)
4. Read-only domain controller without SYSVOL data (Create RODC %s)

(Screenshot: Ntdsutil allows you to create four types of installation media.)

If the installation media does not include SYSVOL (the default), the entire SYSVOL data must be replicated from another domain controller.  If the installation media includes SYSVOL, then the new domain controller will need to replicate only the changes that have been made to SYSVOL since the installation media was created.

So, you can run the ntdsutil ifm command on a writable domain controller to create installation media for an RWDC and/or an RODC.  From an RODC, you can only create installation media for another RODC.  For RODC installation media only, ntdsutil removes any cached secrets, such as passwords.

As you can see below, ntdsutil uses VSS (Volume Shadow Copy Service) to create a snapshot of AD from the running DC, replays its logs and defragments the AD database.

(Screenshot: Ntdsutil ifm allows you to create IFM media for RWDC and RODC.)

(Screenshot: After also running a "Create Sysvol full" IFM creation, this is what the file system looks like. Notice the StartGPOs folder...)

You can also create installation media by using the Windows Server Backup tool (a feature not installed by default) in Windows Server 2008.  In this case, you need to use the wbadmin (Windows Backup Admin) command-line tool to restore system state data to an alternate location.

However, you should use Ntdsutil.exe because Windows Server Backup can back up only the set of critical volumes, which occupies much more space than is required for AD DS installation data.
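As an added example (not part of the original post and not Microsoft's code), here are the four media types above wrapped in a PowerShell function that runs ntdsutil, checks that the resulting folder actually contains what dcpromo will expect, and restricts who can read it. It assumes it runs on a domain controller with sufficient rights, that ntdsutil accepts each subcommand as a separate quoted argument (its documented scripting form), and that IFM media contains an "Active Directory" folder with ntds.dit, a "registry" folder and, for the sysvol variants, a "SYSVOL" folder; the function name and the path E:\IFM are constructed.

```powershell
# Added example (not from the original post): creates IFM media with ntdsutil and
# verifies and protects the result. Folder layout checked below is an assumption.
# Run on a domain controller with Domain Admin rights.

function New-IfmMedia {
    param(
        [ValidateSet('Full', 'SysvolFull', 'RODC', 'SysvolRODC')][string]$Type,
        [Parameter(Mandatory)][string]$Path
    )
    # The four media types from the post, mapped to their ntdsutil "create" subcommands.
    $create = switch ($Type) {
        'Full'       { "create full $Path" }
        'SysvolFull' { "create sysvol full $Path" }
        'RODC'       { "create rodc $Path" }
        'SysvolRODC' { "create sysvol rodc $Path" }
    }
    # Each subcommand is passed as its own argument; "quit" twice leaves ifm and ntdsutil.
    & ntdsutil.exe 'activate instance ntds' 'ifm' $create 'quit' 'quit'

    # Verify the layout rather than trusting ntdsutil's console output: the database must
    # be present, and SYSVOL only for the "sysvol" variants (otherwise dcpromo will have
    # to replicate all of SYSVOL over the wire, as the post explains).
    $expected = @('Active Directory\ntds.dit', 'registry')
    if ($Type -like 'Sysvol*') { $expected += 'SYSVOL' }
    foreach ($item in $expected) {
        if (-not (Test-Path (Join-Path $Path $item))) { throw "IFM media is missing '$item'" }
    }

    # RWDC media is a full copy of ntds.dit (every account's secrets); RODC media has
    # cached secrets stripped, as the post notes. Either way, limit who can read it:
    # drop inherited ACEs and grant only SYSTEM and the local Administrators group.
    & icacls.exe $Path /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' | Out-Null

    # Report the media size so the transfer to the new DC can be planned.
    Get-ChildItem -Path $Path -Recurse -File | Measure-Object -Property Length -Sum
}

# Example: media for a new writable DC, including SYSVOL, on a dedicated volume.
New-IfmMedia -Type SysvolFull -Path 'E:\IFM'
```

The ACL step is the part worth keeping even if you create the media interactively: a "Create Sysvol Full" folder is a complete, offline copy of the domain database, so it should be handled with the same care as a backup of the DC itself until it has been consumed by dcpromo and deleted.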

More information: Installing AD DS from (Installation) Media

Also have a look at Jorge de Almeida Pinto's Quest for Knowledge (MVP Directory Services)

There seem to be a lot of discussions going on about the upcoming Windows Vista SP1 and the removal of the GPMC as part of the SP1 installation.  Don't worry... it's not as bad as it sounds!!  Let me explain...

Vista Service Pack 1 will include a number of Group Policy changes.  Most controversially, the Group Policy Management Console (GPMC) will be uninstalled, so that the GPEdit management console will be used to manage local policies only.

From the security point of view, it makes sense to remove the GPMC, since you do not want "standard users" snooping around in all your defined (security) GPOs through the GPMC that is available and installed by default in Vista.

From the administrator's point of view, it's scary to lose such a great tool!!
However, Microsoft will ship an updated version of the GPMC, as part of the RSAT, around the SP1 RTM timeframe, that will also let admins add comments to Group Policy Objects (GPOs) and individual GP settings, and search/filter settings within a Group Policy.

For those of you who are not familiar with RSAT, it is the next-generation adminpak.msi (Administrative Tools pack) for Windows Vista/Server 2008.  I already mentioned it briefly in a previous post (on Windows Server 2008 & Group Policy Management Console) and apparently it drew a lot of attention (based on the mails I've been receiving).

The “Remote Server Administration Tools” (RSAT – Client) is used for managing Windows Server 2008 from Vista SP1 Business, Enterprise and Ultimate and will be released as an OOB RTW (Out-Of-Band Release-To-Web) component shortly after Vista SP1 RTM.
In the meantime, you have to leverage the existing Admin Pack (adminpak.msi) for managing Windows Server 2003 servers remotely (http://support.microsoft.com/kb/930056) from a Vista machine.
The "old" AdminPack will not work against Windows Server 2008, though.”

As mentioned, some features (Group Policy Management Editor filtering and commenting) and snap-ins (Windows Deployment Services, etc.) only available on Windows Server 2008 today will be made available as part of the Remote Server Administration Tools (RSAT).

Related reading:

Windows Server 2008 & Group Policy Management Console (GPMC)

BITS (Background Intelligent Transfer Service) peer caching is a new feature of BITS 3.0, supported on Vista platforms, that allows peers to share files on the same subnet.  When a BITS job is created to download the files for an update, the Automatic Update agent instructs BITS to make the downloaded files available to peers.

When the files have been downloaded, BITS caches the downloaded files and makes them available to other computers. When another computer tries to download the same update, BITS sends a multicast request to peers on the same subnet.  If one or more of the peers responds that it has the update, BITS will download the file from the peer rather than the WSUS server.  Should the download from the peer fail or take too long, BITS will fall back to the WSUS server and continue the download.

This feature of BITS can:

• Decrease the amount of data transferred from the WSUS server. Computers in the same subnet will tend to download the updates from each other.
• Decrease the amount of data transferred across the WAN in branch office scenarios where no local WSUS server is located.
• Decrease the amount of data transferred across the internet in scenarios where several WSUS clients in the same subnet are configured to download update files directly from Microsoft Update.

Remember: The use of BITS peer caching requires computers to be running Windows Vista or Windows Codename Longhorn, and to be part of an Active Directory domain.

To enable BITS peer caching:

Within the Group Policy Object Editor (gpedit.msc), under Computer Configuration\Administrative Templates\Network\Background Intelligent Transfer Service (BITS), set the Allow BITS Peercaching policy to Enabled.
There are some other related settings to limit the BITS peer cache size (default: 1% of disk), limit the age of items in the BITS peer cache (default: 14 days), ...

To verify that BITS peer caching is enabled or disabled, run from a command prompt:

bitsadmin /peercaching /getconfigurationflags

There are a couple of new BITSADMIN commands (BITSADMIN ships with Vista) that allow you to see into the cache etc., and these are:

BITSADMIN /PEERCACHING /? - Prints the list of commands to manage peer caching

BITSADMIN /CACHE /? - Prints the list of cache management commands

BITSADMIN /PEERS /? - Prints the list of peer management commands

To improve the installation and management of Active Directory Domain Services (AD DS), Windows Server 2008 includes some changes in the user interface of the "Active Directory Domain Services Installation Wizard" (dcpromo), but also to the Microsoft Management Console (MMC) snap-in functions that manage AD DS.

Here's an overview:

• Active Directory Installation Wizard (covered in part 1)
• Active Directory Users and Computers (covered in part 2)
• Active Directory Sites & Services
• Active Directory Domains & Trusts
• Active Directory Schema

Active Directory Installation Wizard

The updated "Active Directory Domain Services Installation Wizard" streamlines and simplifies AD DS installation.

The improvements to the "Active Directory Domain Services Installation Wizard" (dcpromo) are all available by default.  However, some wizard pages appear only if the check box for "Use advanced mode installation" is selected on the Welcome page of the wizard.  This "advanced mode" is an alternative to running dcpromo /adv.

Advanced mode contains additional options that enable more "advanced" configurations and more control over the operation.  The additional installation options in "advanced mode" include:

• Creating a new domain tree.
• Using backup media (IFM - Install From Media) from an existing domain controller in the same domain to reduce network traffic that is associated with initial replication of additional domain controllers.  More in an upcoming post!
• Selecting the source domain controller for the installation.  This enables you to control which domain controller is used to initially replicate domain data to the new domain controller.
• Modifying the NetBIOS name that the wizard generates by default.
• Defining the Password Replication Policy for an RODC (RODC was covered in a previous blog post).

In addition to the changes above, the "Active Directory Domain Services Installation Wizard" also has some new pages:

• Additional Domain Controller Options (specifies additional AD roles: DNS, GC, RODC)
• Select a Domain (specifies the name of the domain)
• Select a Site (specifies in which site the domain controller should be installed)
• Set Functional Levels (set the domain and forest functional level during the installation of a new domain or forest)
  More information about what (new) functionality the domain/forest functional levels bring in an upcoming post.  Keep posted!
• Delegation of RODC Installation and Administration (specifies the user/group who can install/administer the RODC)
• Password Replication Policy (specifies which account passwords to allow/deny from being cached on an RODC)
• DNS delegation creation (provides a default option to create a DNS delegation based on the type of domain controller installation)
• Export settings to unattend answer file

  On the Summary page of the wizard, you can export the settings that you have selected to an answer file that you can use as a template for subsequent installations (or uninstallations).

  (Screenshot: An example of an exported unattended answer file)

  You can also type the options and values directly into the command line rather than using an answer file.  For example:

  dcpromo /unattend /unattendOption:value /unattendOption:value ...

  where

  • unattendOption is an option in the Unattend install reference table (below).  Separate each option:value pair with a space.
  • value is the configuration instruction/data for the option.

  A little example (creates the first domain controller in a new forest where you expect to install at least some Windows Server 2003 domain controllers, sets domain/forest functional levels, db/log/sysvol locations, the ADDS RM administrator password, etc.):

  dcpromo /autoConfigDns:yes /dnsOnNetwork:yes /replicaOrNewDomain:domain /newDomain:forest /newDomainDnsName:win2008.lab
          /DomainNetbiosName:LAB /databasePath:"e:\ntds" /logPath:"e:\ntds\logs" /sysvolpath:"e:\sysvol" /safeModeAdminPassword:FH#+399.cK
          /forestLevel:2 /domainLevel:2 /rebootOnCompletion:yes

  Many command line parameters (unattendOptions) have been added for the promotion and demotion of domain controllers.  A limited overview:

  dcpromo /syskey - Indicates that the user must provide the system key
  dcpromo /SafeModeAdminPassword - Specifies the administrator password when starting in Safe Mode
  dcpromo /DisableCancelForDnsInstall - Specifies whether to disable the Cancel button during a DNS installation
  dcpromo /AllowDomainControllerReinstall - Specifies to overwrite the domain controller data of the existing domain controller, if the domain controller already exists
  dcpromo /AutoConfigDNS - Specifies whether DNS is configured for a new domain if Dcpromo detects that the DNS dynamic update protocol is not available

  dcpromo /ForceDemotion - Indicates that the removal proceeds if the domain controller is offline
  dcpromo /DemoteFSMO - Indicates that a forced removal should continue even if an operations master role is held by the domain controller
  dcpromo /IsLastDCInDomain - Indicates whether the computer on which Dcpromo is running is the last domain controller in the domain

  For a complete reference about the Unattended Installation Parameters

  When the unattended promotion/demotion completes, Dcpromo returns one of the following codes to indicate the status of the operation.

  • 1-10 = success return codes (1 - ExitSuccess, 2 - ExitSuccessNeedReboot, 3 - ExitSuccessWithNonCriticalFailure)
  • 11-100 = failure return codes

• Automated Reboot after Active Directory Domain Services Installation Wizard completes or via an answer file unattendOption (RestartOnCompletion=yes)
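The sample command line above passes the safe mode (DSRM) administrator password as a visible argument, where it ends up in shell history and process listings. As an added example, not from the original post and not Microsoft's code, here is a PowerShell script that writes the same options to an unattend answer file instead, restricts the file's ACL, runs dcpromo with it, deletes the file as soon as dcpromo exits, and interprets the return code ranges listed above. The [DCInstall] section header and key=value layout are the documented answer-file format; the function names, domain names, paths and the prompt for the password are assumptions constructed for this example. RebootOnCompletion is set to No so the script can remove the answer file first and then act on the ExitSuccessNeedReboot code itself.

```powershell
# Added example (not from the original post): drive an unattended dcpromo from an answer
# file and classify its return code. Option names match the command line in the post;
# the values and helper names are constructed.

function New-DcpromoAnswerFile {
    param([Parameter(Mandatory)][hashtable]$Options, [Parameter(Mandatory)][string]$Path)
    # Documented answer-file layout: a [DCInstall] section of Option=Value lines.
    $lines = @('[DCInstall]') + ($Options.Keys | Sort-Object | ForEach-Object { "$_=$($Options[$_])" })
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    # Only SYSTEM and Administrators may read the file while it exists.
    & icacls.exe $Path /inheritance:r /grant:r 'SYSTEM:F' 'Administrators:F' | Out-Null
    return $Path
}

# Return codes as described in the post: 1-10 success, 11-100 failure.
function Get-DcpromoResult {
    param([int]$ExitCode)
    $names = @{ 1 = 'ExitSuccess'; 2 = 'ExitSuccessNeedReboot'; 3 = 'ExitSuccessWithNonCriticalFailure' }
    $status = 'Unknown'
    if ($ExitCode -ge 1 -and $ExitCode -le 10) { $status = 'Success' }
    elseif ($ExitCode -ge 11 -and $ExitCode -le 100) { $status = 'Failure' }
    [pscustomobject]@{ ExitCode = $ExitCode; Status = $status; Name = $names[$ExitCode] }
}

function Invoke-DcpromoUnattended {
    param([Parameter(Mandatory)][hashtable]$Options)
    # %SystemRoot%\Temp is used so the path contains no spaces that would need quoting.
    $answerFile = New-DcpromoAnswerFile -Options $Options -Path (Join-Path $env:SystemRoot 'Temp\dcinstall.txt')
    try {
        $proc = Start-Process -FilePath "$env:SystemRoot\System32\dcpromo.exe" -ArgumentList "/unattend:$answerFile" -Wait -PassThru
        Get-DcpromoResult -ExitCode $proc.ExitCode
    } finally {
        # The answer file holds the DSRM password in clear text: remove it as soon as dcpromo exits.
        Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
    }
}

# First DC of a new forest: the same options as the command line in the post (constructed values).
$options = @{
    ReplicaOrNewDomain    = 'Domain'
    NewDomain             = 'Forest'
    NewDomainDNSName      = 'win2008.lab'
    DomainNetbiosName     = 'LAB'
    AutoConfigDNS         = 'Yes'
    DNSOnNetwork          = 'Yes'
    ForestLevel           = 2
    DomainLevel           = 2
    DatabasePath          = 'E:\ntds'
    LogPath               = 'E:\ntds\logs'
    SYSVOLPath            = 'E:\sysvol'
    SafeModeAdminPassword = (Read-Host -Prompt 'DSRM (safe mode) administrator password')
    RebootOnCompletion    = 'No'   # reboot is handled below, after the answer file is gone
}

$result = Invoke-DcpromoUnattended -Options $options
'dcpromo returned {0}: {1} ({2})' -f $result.ExitCode, $result.Status, $result.Name
if ($result.Name -eq 'ExitSuccessNeedReboot') { Restart-Computer -Force }
```

Keeping the reboot out of dcpromo's hands is what makes the cleanup reliable: with RebootOnCompletion=Yes the machine could restart before the script's finally block has removed the file that contains the DSRM password.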

NOTE: When adding the Active Directory Domain Services role (via Server Manager or Initial Configuration Tasks), the Add Roles Wizard only installs the files that are required to install and configure AD DS on a server, but it does not start the actual AD DS installation.  To start the AD DS installation, you must still run dcpromo.exe or initiate the "Active Directory Domain Services Installation Wizard" from Server Manager in the AD DS server role view.

More information: Step-by-Step Guide for Windows Server 2008 Beta 3 AD DS Installation and Removal