October 2007 - Posts - Windows Server blog by Kurt Roggen [BE]


Secure Socket Tunneling Protocol (SSTP) is a new form of (SSL-based) VPN tunnel with features that allow traffic to pass through firewalls that block PPTP and L2TP/IPsec traffic. 

SSTP provides a mechanism to encapsulate PPP traffic over the SSL channel of the HTTPS protocol.  The use of PPP allows support for strong authentication methods such as EAP-TLS.  The use of HTTPS means traffic will flow through TCP port 443.  Secure Sockets Layer (SSL) provides transport-level security with enhanced key negotiation, encryption, and integrity checking. 

SSTP supports multiple authentication methods such as passwords, smart cards, certificate-based and "One Time Password" authentication.

SSTP has integrated NAP support for client health checks, using the NPS (Network Policy Server - ex-IAS) for authentication and authorization.

Client/Server Requirements

SSTP is available through the Windows Server 2008 Routing and Remote Access VPN Server.  IIS is not required for running SSTP, since RRAS listens for HTTPS connections directly through HTTP.SYS.

Only clients running Windows Vista SP1 are able to create SSTP-based VPN tunnels.

Additional reading:

DNS provides the name resolution services required by Active Directory.  The DNS server in Windows Server 2008 complies with the set of Requests for Comments (RFCs) that define and standardize the DNS protocol.
Because the DNS Server service is RFC compliant and it can use standard DNS data file and resource record formats, it can work successfully with most other DNS server implementations, such as DNS implementations that use the Berkeley Internet Name Domain (BIND) software.

The DNS Server service in Windows Server 2008 includes some new and enhanced features described below.

1. Background zone loading

A DNS server running Windows Server 2008 now loads zone data stored in AD DS in the background while it (re)starts, so that it can respond immediately to requests for data from other zones.  Because the task of loading zones is performed by separate threads, the DNS server is able to respond to queries while zone loading is in progress.  Let's have a look at the startup sequence:

  • When the DNS server starts, it first enumerates all zones to be loaded.
  • It loads root hints from files or AD DS storage.
  • All file-based zones (stored in files rather than AD DS-integrated) are loaded.
  • The DNS server begins responding to queries and remote procedure calls (RPCs).
  • All AD DS-based zones are then loaded by one or more spawned threads.


2. GlobalNames Zone

This new feature provides single-label name resolution for large enterprise networks that do not deploy Windows Internet Name Service (WINS) and where using DNS name suffixes to provide single-label name resolution is not practical.

When the GlobalNames zone is deployed, single-label name resolution by clients works as follows:

  1. The client's primary DNS suffix is appended to the single-label name and the query is submitted to the DNS server.
  2. If that FQDN does not resolve, the client requests resolution using its DNS suffix search list.
  3. If none of those names resolve, the client requests resolution using the single-label name.
  4. If the single-label name appears in the GlobalNames zone, the DNS server hosting the zone resolves the name. Otherwise, the query fails over to WINS.
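The four-step order above, modelled in Python over constructed records (an added illustration, not code from the original post). It also makes visible a consequence of the order: a name that exists under the primary suffix or a search-list suffix wins before the GlobalNames entry is ever consulted.

```python
"""Single-label name resolution order with a GlobalNames zone (GNZ)."""

# Constructed sample data, not from a real deployment: FQDN -> address for
# ordinary zones, single-label name -> address for the GNZ and for WINS.
DNS_RECORDS = {
    "fileserver.corp.example.com": "10.1.0.5",
    "intranet.hq.example.com": "10.2.0.9",
}
GNZ_RECORDS = {          # single-label names published in the GlobalNames zone
    "intranet": "10.3.0.20",
    "payroll": "10.3.0.21",
}
WINS_RECORDS = {         # legacy NetBIOS names still served by WINS
    "oldprinter": "10.9.0.77",
}


def resolve_single_label(name, primary_suffix, suffix_search_list,
                         dns=DNS_RECORDS, gnz=GNZ_RECORDS, wins=WINS_RECORDS):
    """Return (address, how) following the four steps described in the text.

    Steps 1-2 are the client's suffix appending; step 3 submits the bare
    single-label name, which the server answers from the GNZ; step 4 fails
    over to WINS.  Returns (None, 'unresolved') if every step fails.
    """
    name = name.lower().rstrip(".")
    if "." in name:
        raise ValueError("only single-label names are handled here")
    # Step 1: append the client's primary DNS suffix.
    fqdn = f"{name}.{primary_suffix.lower()}"
    if fqdn in dns:
        return dns[fqdn], f"primary suffix ({fqdn})"
    # Step 2: try each suffix in the search list, in order.
    for suffix in suffix_search_list:
        fqdn = f"{name}.{suffix.lower()}"
        if fqdn in dns:
            return dns[fqdn], f"search list ({fqdn})"
    # Step 3: bare single-label query, answered from the GlobalNames zone.
    if name in gnz:
        return gnz[name], "GlobalNames zone"
    # Step 4: fail over to WINS.
    if name in wins:
        return wins[name], "WINS"
    return None, "unresolved"
```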

The GlobalNames zone provides single-label name resolution only when all authoritative DNS servers are running Windows Server 2008.  No changes to client software are required to enable single-label name resolution with this feature.

How to set up the GlobalNames zone (GNZ) in 3 steps:

  1. To get GNZ functionality for a given domain or forest, all authoritative DNS servers must be running Windows Server 2008.
  2. Create an Active Directory-integrated zone called GlobalNames.

    Don't forget to choose the appropriate storage method and replication scope for this zone.
    Recommendation: Create the new "GlobalNames" zone as an AD DS-integrated zone stored in the forest-wide DNS application partition (replicating to all domain controllers that are DNS servers in the forest).

    dnscmd ServerName /ZoneAdd GlobalNames /DsPrimary /DP /forest

  3. Enable the GlobalNames zone functionality on the DNS server.

    Ensure that the GlobalNamesSupport registry setting has been enabled on all DNS servers, using dnscmd as follows:

    dnscmd ServerName /config /EnableGlobalnamesSupport 1

For more information: DNS Server GlobalNames Zone Deployment white paper

WINS is still often used as a secondary name-resolution protocol alongside DNS.  WINS is an older protocol that uses NetBIOS over TCP/IP (NetBT), and it is approaching obsolescence.  But how do you actually know whether you are still using your WINS servers?  Well, have a look at Performance Monitor using the WINS counter "Queries/second".

3. Support for IPv6 zones

DNS servers running Windows Server 2008 now support IPv6 addresses (AAAA records - 128 bit = 4x32) as fully as they support IPv4 addresses (A records - 32 bit - 1x32).  DHCP clients can also register IPv6 addresses in addition to IPv4 addresses. 

In the DNS snap-in, wherever an IP address is typed or displayed, the address can be shown as an IPv4 address or an IPv6 address.

The dnscmd command-line tool also accepts addresses in either format.
DNS servers can now send recursive queries to IPv6-only servers, and the server forwarder list can contain both IPv4 and IPv6 addresses.

DNS servers now support the ip6.arpa domain namespace for reverse lookup mapping.   

4. Read-Only Domain Controller (RODC) support

To support RODCs, a DNS server running Windows Server 2008 supports a new type of zone, the "primary read-only zone".  When a computer becomes an RODC, it replicates a full read-only copy of all application directory partitions that DNS uses, including the domain partition, ForestDNSZones and DomainDNSZones.  This ensures that the DNS server running on the RODC has a full read-only copy of any DNS zones stored on a centrally located domain controller in those directory partitions. 
The administrator of an RODC can view the contents of a primary read-only zone.  However, the contents of the zone can only be changed on the centrally located writable Windows Server 2008-based domain controller and replicated back to all RODCs.  

5. DNS client DC Locator mechanism

DC Rediscovery
A DNS client computer running Windows Vista or Windows Server 2008 periodically searches for a domain controller in the domain to which it belongs.  This functionality helps avoid performance problems that might occur when a DNS client locates its domain controller during a period of network failure, associating the client with a domain controller located on a slow link. 
Previously, this association continued until the client was forced to locate a new domain controller, for example, when the client computer was disconnected from the network for a long period of time.  By periodically renewing its association with a domain controller, a DNS client can now reduce the probability that it will be associated with an inappropriate domain controller.

The rediscovery interval can be configured via Group Policies under
Computer Configuration\Administrative templates\System\Netlogon\DC Locator DNS Records\Force Rediscovery Interval

Next Closest Site/DC
A DNS client computer running Windows Vista or Windows Server 2008 can be configured to locate the nearest domain controller - using the defined Active Directory site link costs - instead of searching randomly.  This functionality can improve network performance in networks containing domains that exist across slow links.  However, because locating the nearest domain controller can itself have a negative impact on network performance, this functionality is not enabled by default.

The nearest domain controller discovery can be configured via Group Policies under
Computer Configuration\Administrative templates\System\Netlogon\DC Locator DNS Records\Try Next Closest Site

Related reading: Jorge's Quest for Knowledge (MVP Directory Services)

For more information: Windows Server 2008 TechCenter

The DHCP Server Callout DLL helps to filter out DHCP requests based on MAC address.  When a device or computer tries to connect to the network, it first tries to obtain an IP address from the DHCP Server.  The Callout DLL (read: hook-in DLL) also works and should continue to work on Windows Server 2008.

The DHCP Server Callout DLL checks whether the device's MAC address is present in a known list (text file) of MAC addresses configured by administrators.  If it is present, the device is either allowed to obtain an IP address or its requests are ignored, depending on the action configured by the administrator.

MAC address based filtering allows network administrators to ensure that only a known set of devices on the network are able to get an IP address from the DHCP Server.  This DLL helps administrators to enforce additional access control on the network.

After installation, both the DLL (MacFilterCallout.dll) and the installation/configuration instructions (SetupDHCPMacFilter.rtf) are available under %windir%\system32.
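The allow/ignore decision described above, reimplemented in Python as an added example (this is not the DLL's own code). The one-MAC-per-line file layout with `#` comments is an assumption for the example; the real format is documented in SetupDHCPMacFilter.rtf. It also shows the parsing check a practitioner wants: malformed entries are reported rather than silently accepted or dropped.

```python
"""Allow/ignore decision of a MAC-address based DHCP filter."""
import re

# Constructed example of an administrator-maintained MAC list (layout assumed).
MAC_LIST_TEXT = """\
# Known corporate devices
00-1A-2B-3C-4D-5E
00:1a:2b:3c:4d:5f   # alternate separator style
001A.2B3C.4D60      # Cisco dotted style
not-a-mac           # malformed line, must be reported, not accepted
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Canonicalise a MAC address to 12 lowercase hex digits; raise on bad input."""
    cleaned = re.sub(r"[-:.]", "", raw.strip().lower())
    if not _HEX12.match(cleaned):
        raise ValueError(f"invalid MAC address: {raw!r}")
    return cleaned


def load_mac_list(text):
    """Parse the list file; return (set of MACs, list of (lineno, rejected entry))."""
    macs, rejected = set(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not entry:
            continue
        try:
            macs.add(normalize_mac(entry))
        except ValueError:
            rejected.append((lineno, entry))
    return macs, rejected


def dhcp_decision(client_mac, known_macs, action="allow"):
    """Return 'OFFER' or 'IGNORE' for a DHCP request from client_mac.

    action='allow': only listed MACs get an address (allow-list).
    action='deny':  listed MACs are ignored, everyone else is served.
    """
    if action not in ("allow", "deny"):
        raise ValueError("action must be 'allow' or 'deny'")
    listed = normalize_mac(client_mac) in known_macs
    served = listed if action == "allow" else not listed
    return "OFFER" if served else "IGNORE"
```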

Download here

Additional reading: DHCP Team blog

So I've talked about the concept of "Easy Print" in the Windows Server 2008 Terminal Services in a previous post, but how does this "universal print driver" actually work?

"Easy Print" builds on the functionality provided by the XPS (XML Paper Specification) printer/driver infrastructure delivered with Windows Vista and also included in Windows Server 2008.

XPS (XML Paper Specification) printing provides some extra advantages:

  • Public open document format
  • Portable and printer independent (incl. print server x86/x64 independent)
  • Flexible document properties handling
  • Lower bandwidth consumption
    • For typical knowledge worker print jobs
    • For print jobs with multiple copies

But what is the real advantage of this "Easy Print"??
First of all, you no longer need to map the local client-side print driver to the exact Terminal Server-side print driver, which introduced administrative overhead and in some cases (x64 Terminal Servers) was a blocker due to the absence of x64 print drivers.

Another advantage of Easy Print is that all client-side printers can be made available, including their specific printing properties/options/preferences and enhanced device settings/capabilities.  By default, only the default client-side printer is redirected, for performance/scalability reasons.

XPS EasyPrint enables users to have a much more consistent printing experience between local and remote sessions.

As I've mentioned, by default, the Terminal Services Easy Print driver is enabled/active in Windows Server 2008 and will be used for all TS printing for both RemoteApps and remote desktop sessions.  However on the client-side, RDP 6.1 and .NET Framework 3.0 SP1 are required (available around Windows Server 2008 RTM).  To understand about these dependencies, look at the architecture layout below.


Notice how print jobs are spooled from the server-side via XPS over RDP to the client-side where they are being printed using the local print queue via the locally provided print drivers or via a central print server.
All of this without the need of any server-side IHV (Independent Hardware Vendors) print drivers.

Print jobs will consume less bandwidth than before - due to XPS EasyPrint - and combined with the "Display data prioritization", will be more controlled so they do not interfere with display data, keyboard and/or mouse input.

For more information:

Display data prioritization within Terminal Services 2008 automatically controls virtual channel traffic so that display, keyboard, and mouse data is given higher priority than other virtual channel traffic, such as printing or file transfers.
This prioritization is designed to ensure that your screen performance (user experience) is not affected by bandwidth intensive actions, such as large print jobs.

The default bandwidth ratio is 70:30.  Display and input data will be allocated 70 percent of the bandwidth and all other traffic, such as clipboard, file transfers, or print jobs will be allocated 30 percent of the bandwidth.

You can adjust the display data prioritization settings by making changes to the registry of the terminal server.  You can change the value of the following entries under the HKLM\SYSTEM\CurrentControlSet\Services\TermDD subkey:

  • FlowControlDisable
  • FlowControlDisplayBandwidth
  • FlowControlChannelBandwidth
  • FlowControlChargePostCompression

You can disable display data prioritization by setting the value of FlowControlDisable to 1 (DWORD).  If display data prioritization is disabled, all requests are handled on a first-in-first-out basis. 
The default value for FlowControlDisable is 0.

You can set the relative bandwidth priority for display (and input data) by setting the FlowControlDisplayBandwidth value. The default value is 70; the maximum value allowed is 255.

You can set the relative bandwidth priority for other virtual channels (such as clipboard, file transfers, or print jobs) by setting the FlowControlChannelBandwidth value. The default value is 30; the maximum value allowed is 255.

The bandwidth ratio for display data prioritization is based on the values of FlowControlDisplayBandwidth and FlowControlChannelBandwidth.  For example, if FlowControlDisplayBandwidth is set to 150 and FlowControlChannelBandwidth is set to 50, the ratio is 150:50.

The FlowControlChargePostCompression value determines if flow control will calculate the bandwidth allocation based on pre-compression or post-compression bytes.  The default value is 0, which means that the calculation will be made on pre-compression bytes.

If you make any changes to the registry values, you need to restart the "Terminal Services" service - which is now a restartable service - for the changes to take effect.
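As an added example (not from the original post), a small Python helper that reads the four TermDD values out of a `reg export` style fragment, applies the defaults and the 255 maximum given above, and reports the effective policy (ratio, display share, pre/post-compression charging, or FIFO when disabled). The .reg text is constructed for the example, not exported from a real server.

```python
"""Effective display data prioritization policy from TermDD registry values."""
import re

TERMDD_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD"

# Defaults from the text: prioritization enabled, 70:30, pre-compression bytes.
DEFAULTS = {
    "FlowControlDisable": 0,
    "FlowControlDisplayBandwidth": 70,
    "FlowControlChannelBandwidth": 30,
    "FlowControlChargePostCompression": 0,
}
MAX_BANDWIDTH = 255

# Constructed .reg fragment in 'reg export' layout; DWORDs are 8 hex digits.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD]
"FlowControlDisplayBandwidth"=dword:00000096
"FlowControlChannelBandwidth"=dword:00000032
"FlowControlChargePostCompression"=dword:00000001
"""

_VALUE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_termdd(reg_text):
    """Return the four FlowControl* values, using the defaults for absent ones."""
    values = dict(DEFAULTS)
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):                       # key header line
            in_key = line.strip("[]").lower() == TERMDD_KEY.lower()
            continue
        m = _VALUE.match(line)
        if in_key and m and m.group(1) in values:
            values[m.group(1)] = int(m.group(2), 16)   # hex DWORD -> int
    return values


def describe_prioritization(values):
    """Describe the effective policy; reject values outside the allowed range."""
    disp = values["FlowControlDisplayBandwidth"]
    chan = values["FlowControlChannelBandwidth"]
    for name, v in (("display", disp), ("channel", chan)):
        if not 0 <= v <= MAX_BANDWIDTH:
            raise ValueError(f"{name} bandwidth {v} outside 0..{MAX_BANDWIDTH}")
    if values["FlowControlDisable"] == 1:
        return "disabled: all virtual channel requests handled first-in-first-out"
    basis = "post" if values["FlowControlChargePostCompression"] else "pre"
    share = round(100 * disp / (disp + chan)) if disp + chan else 0
    return f"{disp}:{chan} ({share}% display/input, charged on {basis}-compression bytes)"
```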

For more information: Windows Server 2008 Terminal Services TechCenter

The Terminal Services Easy Print driver is a new feature in Windows Server 2008 that enables users to reliably print from a RemoteApp (remote/published application) or from a terminal server desktop session to the correct printer on their client computer.  It also enables users to have a much more consistent printing experience between local and remote sessions.
By default, the Terminal Services Easy Print driver is enabled in Windows Server 2008.

But what is "TS Easy Print" actually?

"TS Easy Print is a proxy for every print action that simply redirects all printing-related work to the user's local machine without the need to install any print drivers on the Terminal Server.  This system provides several benefits, such as being able to redirect any printer from the user's client machine without having to reconfigure the server while still allowing the user to configure the print job as though he were printing on his client machine."

What are the client/server requirements?

On the (Terminal) server-side, Windows Server 2008 needs to be installed.  No additional drivers need to be installed; no additional configuration needs to take place.  The Terminal Services Easy Print driver is enabled by default. 

On the client-side, to use the Terminal Services Easy Print driver, clients must be running Remote Desktop Connection (RDC) 6.1 and Microsoft .NET Framework 3.0 Service Pack 1 (SP1) must be installed.

Both RDC/RDP client 6.1 and .NET Framework 3.0 SP1 are intended to be available for Windows XP, Windows Server 2003 and Vista machines in the same timeframe as Windows Server 2008.  As a result, Windows XP, Windows Server 2003 and Vista machines will be able to connect to Windows Server 2008 servers and use TS Easy Print just as Vista machines will.

NOTE: The terminal server fallback printer driver is no longer included with Windows Server 2008.  Although the "Specify terminal server fallback printer driver behavior" Group Policy setting still exists, it can only be used for Windows Server 2003 with SP1/SP2-based computers.

Some related Group Policies:

"Use Terminal Services Easy Print driver first"   
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Printer Redirection

"Redirect only the default client printer"
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Printer Redirection

For more information:

Windows Server 2008 delivers a platform for Web publishing that integrates Internet Information Services (IIS), ASP.NET, Windows Communication Foundation and Microsoft Windows SharePoint Services.  IIS version 7.0 is a major enhancement to the existing IIS Web server and plays a central role in integrating Web platform technologies.

Key features of IIS 7.0 are:

  • Flexible extensibility model for powerful customization
  • Powerful diagnostic and troubleshooting tools
  • Delegated administration
  • Enhanced security and reduced attack surface through customization
  • True application xcopy deployment
  • Integrated Application and health management for Windows Communication Foundation (WCF) services
  • Improved administration tools

Some related webcasts:

These features help create a unified platform so that IIS 7.0 delivers a single, consistent developer and administrator model for Web solutions.

More on-demand webcasts: here

The ADMX Migrator enables you to convert ADM files to the ADMX format and take advantage of the additional capabilities that it provides. The new XML-based format includes multilanguage support, an optional centralized datastore and version control capabilities.

You can select multiple ADM files for conversion.  The ADMX Migrator creates a unique namespace which you can rename and will display a warning if a collision is detected due to duplicate names.  Also, any items that cannot be validated against the ADMX schema are preserved in an Unsupported section.  Please note that any annotations in ADM files are removed during the conversion process.

Additionally, the ADMX Migrator provides an ADMX editor with a graphical user interface for creating and editing Administrative Templates.  You can select settings from menus rather than entering them manually in a text file, speeding template creation and reducing the chance for error.

Download here

ADMX Migrator comes as an MMC snap-in.

ADMX Migrator also comes with a CLI (Command Line Interface) for automating ADM-to-ADMX conversions.

NOTE:  For your information, my screenshots are probably not the most relevant, since meanwhile the Office team released an update of the Office System 2007 Administrative Templates as ADM and ADMX files.  These are available here.

Check out new and upcoming Microsoft Press titles to be expected in the coming year.

Technical resources

Certification-related

For more information: MS Press new and upcoming titles

As you already found out (in a previous post), managing a Windows Server 2008 Server Core can challenge you...
You should be well aware of existing and new command line tools and scripts...
For that reason, have a look at the walkthrough on using Windows Server Core as print server on the Windows Performance Team blog.


Additional reading: Deploying Windows Server Core

Microsoft has launched a brand new program, entitled IT Pro Momentum, and it is definitely worth having a look at.

"IT Pro Momentum" is a Microsoft program focused on supporting “early adopters” – IT professionals who bet on the newest technologies to drive business value for their companies and advance in their careers.

What does it mean?  In short, if you are planning/thinking about implementing Windows 2008, Vista, but also MOSS 2007 and you would like to share your experiences with the rest of the IT Pro world, you can! 

Once you are enrolled in the program, you will receive in return for your experiences/feedback several advantages, such as a free TechNet Plus subscription, support calls to Microsoft, etc.  You will also gain access to forums where you will have the opportunity to get your problems solved.

For more information, check out the powerpoint slide deck or just contact Arlindo Alves via Arlindo.Alves@microsoft.com

Here are some of the scenarios included in the IT Pro Momentum program:

  • Windows Server 2008 : AD
  • Windows Server 2008 : Virtualization
  • Windows Server 2008 : Networking
  • Windows Server 2008 : NAP
  • Windows Server 2008 : IIS7
  • Windows Server 2008 : PowerShell
  • Windows Vista : Secure Deployment

How to Install Exchange 2007 SP1 Prerequisites on Windows Server 2008:
http://technet.microsoft.com/en-us/library/bb691354.aspx

For more information, have a look at this post from the boys & girls over at Pro-Exchange [BE].

Find a good overview of what the different flavors of Windows Server 2008 will bring.

Notice the few "details" such as: Terminal Services concurrent connections, hot add memory, ...

The Microsoft Active Directory Topology Diagrammer reads an Active Directory configuration/structure using ActiveX Data Objects (ADO) and then automatically generates a Visio diagram of your Active Directory and /or your Exchange 200x Server topology.  The diagrams include domains, sites, servers, administrative groups, routing groups and connectors and can be changed manually in Visio if needed.

With the Active Directory Topology Diagrammer tool, you can also draw partial information from your Active Directory, such as only one domain or one site.  The objects are linked together and arranged in a reasonable layout, so that you can later work interactively with the objects in Microsoft Office Visio.

Download here

Fine-grained password policies - described in a previous post - are a new feature in Windows Server 2008 that can be used to specify multiple password policies and apply different password restrictions and account lockout policies to different sets of users within a single domain.  Password policies apply only to user objects (or inetOrgPerson objects if they are used instead of user objects) and global security groups.  Fine-grained password policy cannot be applied to an organizational unit (OU) directly.

Well, SpecOps software has come out with yet another free GUI tool for managing these new "PSO" objects in AD.

Specops Password Policy Basic is used to configure fine-grained password policies in Windows Server 2008.
Specops Password Policy Basic is a feature limited and free version of Specops Password Policy.

Read more here.