May 2008 - Posts - Windows Server (2008 R2) blog by Kurt Roggen [BE]


The Branch Infrastructure Implementation Solution (BIIS) provides guidance to design and implement Microsoft’s branch infrastructure solution. This solution, previously known as the Branch Office Infrastructure Solution (BOIS), has been updated to support the features and functionality in Windows Server 2008 that support branch infrastructure.

Windows Server 2008 includes several enhancements to the base operating system plus powerful new functionalities that make it valuable in a branch office environment. These include:

- Mitigated Security Risks: The Read-Only Domain Controller (RODC) is a powerful new feature that enables organizations to provide their remote branch offices with local authentication servers without increasing the security exposure of their domain database. The RODC also provides a read-only copy of DNS and receives unidirectional updates from the central office datacenter. BitLocker technology provides hardware-based encryption for data on branch office servers. The Server Core installation option significantly decreases the servers' exposed surface area and management overhead by reducing the operating system footprint.

- Improved Network Performance: Windows Server 2008 offers several new or improved network technologies that improve the efficiency of WAN communications. The new TCP/IP stack and Server Message Block (SMB 2.0) are redesigned for networking environments, especially when connecting branch offices. The Distributed File System Replication (DFSR) service is a multi-master replication engine that increases data availability and gives users in remote sites fast, reliable access to files.

- Improved Deployment and Administration: New management tools like the Server Manager Console provide a single, unified console for managing a server's configuration and system information, displaying server status, identifying problems with server role configuration, and managing all roles installed on the server.

Download here

Additional reading: Branch Office TechCenter

Windows Vista introduced the "Next Generation IP stack". It is also present in Windows Server 2008, both in Full and Server Core installations.
Sander Berkouwer has written a nice post on the networking tweaks present out-of-the-box and possible implications for your (legacy) environment.
He explains technologies Microsoft introduced in the "Scalable Network Initiative", such as Receive-Side Scaling (RSS), TCP Chimney Offloading and Receive Window Auto-Tuning.

Read the full story: Backward Compatible Networking with Server Core on Sander Berkouwer's blog

The Sysinternals Troubleshooting Utilities have been rolled up into a single Suite of tools. This file contains the individual troubleshooting tools and help files. It does not contain non-troubleshooting tools like the BSOD Screen Saver or NotMyFault.

The Suite is a bundling of the following selected Sysinternals Utilities:

  • AccessChk
  • AccessEnum
  • AdExplorer
  • AdRestore
  • Autologon
  • Autoruns
  • BgInfo
  • CacheSet
  • ClockRes
  • Contig
  • Ctrl2Cap
  • DebugView
  • DiskExt
  • DiskMon
  • DiskView
  • Disk Usage (DU)
  • EFSDump
  • FileMon
  • Handle
  • Hex2dec
  • Junction
  • LDMDump
  • ListDLLs
  • LiveKd
  • LoadOrder
  • LogonSessions
  • NewSid
  • NTFSInfo
  • PageDefrag
  • PendMoves
  • PortMon
  • ProcessExplorer
  • Process Monitor
  • ProcFeatures
  • PsExec
  • PsFile
  • PsGetSid
  • PsInfo
  • PsKill
  • PsList
  • PsLoggedOn
  • PsLogList
  • PsPasswd
  • PsService
  • PsShutdown
  • PsSuspend
  • RegDelNull
  • RegJump
  • RegMon
  • RootkitRevealer
  • SDelete
  • ShareEnum
  • ShellRunas
  • SigCheck
  • Streams
  • Strings
  • Sync
  • TCPView
  • VolumeID
  • WhoIs
  • WinObj
  • ZoomIt


Download Sysinternals Suite (9 MB)


More information: Sysinternals website

The Infrastructure Planning and Design (IPD) guides are the next version of Windows Server System Reference Architecture. The guides in this series help clarify and streamline design processes for Microsoft infrastructure technologies, with each guide addressing a unique infrastructure technology or scenario.

Infrastructure Planning and Design guides share a common structure, including:

  • Definition of the technical decision flow through the planning process.
  • Listing of decisions to be made and the commonly available options and considerations.
  • Relating the decisions and options to the business in terms of cost, complexity, and other characteristics.
  • Framing decisions in terms of additional questions to the business to ensure a comprehensive alignment with the appropriate business landscape.

These guides complement product documentation by focusing on infrastructure design options.
Each guide leads the reader through critical infrastructure design decisions, in the appropriate order, evaluating the available options for each decision against its impact on critical characteristics of the infrastructure.

The IPD Series highlights when service and infrastructure goals should be validated with the organization and provides additional questions that should be asked of service stakeholders and decision makers.

IPD consists of the following downloadable packages:

  • Infrastructure Planning and Design Series Introduction
  • Selecting the Right Virtualization Technology
  • Microsoft SoftGrid Application Virtualization
  • Windows Server Virtualization (for Windows Server 2008 Hyper-V and Virtual Server 2005 R2 SP1)
  • New! Windows Deployment Services
  • New! Windows Server 2008 Active Directory Domain Services
  • New! Windows Server 2008 Terminal Services

The guides are available as individual downloads or as a single all-in-one package.

Download here

Administrative templates provide Group Policy setting information for the items that appear under "Administrative Templates" in the Group Policy Object Editor. Group Policy tools use Administrative template files to populate policy settings through a user interface.  This allows administrators to manage registry-based policy settings.

Administrative template files in Windows Server 2008 and Windows Vista are divided into ADMX (language-neutral) and ADML (language-specific) files. ADML files are XML-based ADM language files that are stored in a language-specific folder. By default, the %Systemroot%\PolicyDefinitions folder on a local computer stores all ADMX files, and ADML files for all languages that are enabled on the computer.

Windows Vista and Windows Server 2008 do not include Administrative Templates that have an .adm extension.  Additionally, earlier versions of Windows cannot use the new ADMX/L administrative format. Therefore, client computers that are running earlier versions of Windows cannot administer new policies that are included with Windows Vista and Windows Server 2008.  The recommendation is that you use computers that are running Windows Vista or later versions of Windows to perform Group Policy administration through GPMC (Group Policy Management Console) inside RSAT (Remote Server Administration Tools).

Two packages are available for download:

  1. 2008ADMX-RTM.msi: the full bundle of 145 ADMX templates as shipped in Windows Server 2008
  2. preferences-RTM.msi: only the Group Policy Preferences ADMX as shipped in Windows Server 2008, which allows extra configuration of the Group Policy Preferences infrastructure (CSE Policy Processing, Logging and Tracing, Restricted/Permitted snapins).
    [Screenshots: CSE Policy Processing; Logging and Tracing; Restricted/Permitted MMC snapins]

When installing the packages, the new ADMX files will be installed into the following directory on your local computer: C:\Program Files\Microsoft Group Policy\Windows Server 2008\PolicyDefinitions (for 2008ADMX-RTM.msi) and C:\Program Files\Microsoft Group Policy\Preferences\PolicyDefinitions (for preferences-RTM.msi).
Under the PolicyDefinitions directory, the new ADML files are located in the appropriate language-specific subdirectories for all 34 languages.

To ensure that the new ADMX and ADML files are propagated throughout the domain, copy the new PolicyDefinitions directory to the Central Store, which is located under SYSVOL.
Doing so will ensure that all language-specific subdirectories are also copied to SYSVOL.
For more information on "How to build a Central Store", have a look at a previous post.

Important: Updates to SYSVOL are replicated to all domain controllers in the domain and result in increased network traffic and load placed on the domain controllers.
Therefore, to minimize the impact of this operation in your domain, schedule the copying of updated ADMX and ADML files to SYSVOL outside core business hours.

In Windows Server 2008 deployments (running in Windows Server 2008 domain functionality mode), you will benefit from DFS-R delta replication (which is now responsible for SYSVOL replication) when updating the administrative templates in the future.
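One way to script the copy to the Central Store while keeping SYSVOL replication small, as an added example that is not part of the original post: it copies only ADMX/ADML files that are missing or whose content differs. The source default is the 2008ADMX-RTM.msi directory given above; the Central Store path (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions), the use of USERDNSDOMAIN for the domain name and the function name Sync-CentralStore are assumptions of this example.

```powershell
# Added example: sync new ADMX/ADML files into the Central Store, copying only
# files that are missing or changed, so SYSVOL replicates as little as possible.
# Assumptions: PowerShell 4 or later (Get-FileHash), write access to SYSVOL,
# domain DNS name available in the USERDNSDOMAIN environment variable.
function Sync-CentralStore {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Source = 'C:\Program Files\Microsoft Group Policy\Windows Server 2008\PolicyDefinitions',
        [string]$Domain = $env:USERDNSDOMAIN,
        [string]$CentralStore
    )
    if (-not $CentralStore) {
        if (-not $Domain) { throw 'No domain name available; pass -Domain or -CentralStore.' }
        $CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    }
    if (-not (Test-Path -LiteralPath $Source)) {
        throw "Source folder not found: $Source"
    }
    $sourceRoot = (Resolve-Path -LiteralPath $Source).ProviderPath.TrimEnd('\')

    # ADMX files sit in the root, ADML files in the language subdirectories.
    $files = Get-ChildItem -LiteralPath $sourceRoot -Recurse -File |
        Where-Object { $_.Extension -in '.admx', '.adml' }

    foreach ($file in $files) {
        $relative = $file.FullName.Substring($sourceRoot.Length + 1)
        $target = Join-Path $CentralStore $relative
        $action = 'Unchanged'
        if (-not (Test-Path -LiteralPath $target)) {
            $action = 'New'
        } elseif ((Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash -ne
                  (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash) {
            # Review these before writing: the store may hold a newer template.
            $action = 'Updated'
        }
        if ($action -ne 'Unchanged' -and $PSCmdlet.ShouldProcess($target, "Copy ($action)")) {
            $targetDir = Split-Path -Parent $target
            if (-not (Test-Path -LiteralPath $targetDir)) {
                New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
            }
            Copy-Item -LiteralPath $file.FullName -Destination $target -Force
        }
        [pscustomobject]@{ File = $relative; Action = $action }
    }
}

# Dry run: lists what would change without writing anything to SYSVOL.
Sync-CentralStore -WhatIf | Where-Object Action -ne 'Unchanged'
```

Run it without -WhatIf, outside core business hours, once the dry-run list looks right.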

Download here


Improvements Over Hyper-V RC0


In addition to bug fixes and stability improvements, Microsoft also made some additional changes largely based on feedback from customers:

  • Integration Components for Windows Server 2008 guests included in the Integration Services Setup Disk
  • New icons/graphics for Hyper-V Manager and Virtual Machine Connection – including a “Now” icon in the snapshot pane
  • IPv4 Address Migration - when creating a new Virtual Network bound to an adapter with a static IPv4 address the IPv4 settings are migrated to the new virtual adapter

Windows Server 2008 x64 Hyper-V RC1 Update - KB950049
This is the Hyper-V RC1 package for Windows Server 2008 x64. This package must be installed on Hyper-V servers (physical machines). It includes the Hyper-V Server components for Full and Core installs, the Hyper-V Integration Components for Server 2008 x64 (see note below for RC1 improvements over RC0) and the Hyper-V Management Components for Full Windows installs.
NOTE: This package is permanent. Once installed, it cannot be uninstalled, so you can’t go back to RC0 or Beta after installing RC1.

Windows Server 2008 x86 Hyper-V RC1 Update – KB950049
This is the Hyper-V RC1 package for Windows Server 2008 x86. This package includes only the Hyper-V Management Components for Full Windows installs and the Hyper-V Integration Components for Server 2008 x86 (see note below for RC1 improvements over RC0).
It does not contain the Hyper-V Server components; Hyper-V is x64 only!
NOTE: This package is permanent. Once installed, it cannot be uninstalled, so you can’t go back to RC0 or Beta after installing RC1.

Hyper-V Management For Windows Vista SP1 - KB949587 
Windows Vista SP1 – x86 Update
Windows Vista SP1 – x64 Update

Have a look at John Howard's 5 part post on Hyper-V Remote Management.

More information: Microsoft Virtualisation Team blog

  1. Is there a particular feature in DHCP (e.g. reservations, callout DLL, failover, netsh, ...) that interests you?
  2. Have you customized the DHCP server, using scripts or external utilities to suit your environment?
  3. Are there features that you would like to see in the next version of your favorite DHCP server?

If you have answered "Yes" to any of the above, we would love to hear from you.
Please contact us at msnetworkteam_AT_live_dot_com.

Thanks,

Ajay
Team DHCP

You can find their blog here!

One of the most common questions about Group Policy Preferences is: “How are policy preferences different from policy settings?”
Understanding this concept is crucial to taking full advantage of Group Policy preferences and knowing when to use Group Policy settings or Group Policy preferences.

 

Group Policy Preferences vs. Group Policy Settings

Enforcement
  Group Policy Preferences:
    • Preferences are not enforced
    • User interface is not disabled
    • Can be refreshed or applied only once
  Group Policy Settings:
    • Settings are enforced
    • User interface is disabled
    • Settings are refreshed

Flexibility
  Group Policy Preferences:
    • Easily create preference items for registry settings, files, and so on
    • Import individual registry settings or entire registry branches from a local or a remote computer
  Group Policy Settings:
    • Adding policy settings requires application support and creating administrative templates
    • Cannot create policy settings to manage files, folders, and so on

Local Policy
  Group Policy Preferences:
    • Not available in local Group Policy
  Group Policy Settings:
    • Available in local Group Policy

Awareness
  Group Policy Preferences:
    • Supports non-Group Policy-aware applications
  Group Policy Settings:
    • Requires Group Policy-aware applications

Storage
  Group Policy Preferences:
    • Original settings are overwritten
    • Removing the preference item does not restore the original setting
  Group Policy Settings:
    • Original settings are not changed
    • Stored in Policies registry branches
    • Removing the policy setting restores the original settings

Targeting and Filtering
  Group Policy Preferences:
    • Targeting is granular, with a user interface for each type of targeting item
    • Supports targeting at the individual preference item level
  Group Policy Settings:
    • Filtering is based on Windows Management Instrumentation (WMI) and requires writing WMI queries
    • Supports (security) filtering at a GPO level

User Interface
  Group Policy Preferences:
    • Provides a familiar, easy-to-use interface for configuring most settings
  Group Policy Settings:
    • Provides an alternative user interface for most policy settings

 


Previously, we talked about Print Migration and Consolidation using the Print Management console, but one of the most common issues customers are struggling with is printer installation.

As you might know, Windows Vista introduced some changes to printer installation.
The most important one is probably the "Driver Store".

Driver Store

The driver store is a trusted cache of inbox and third party drivers on the local hard disk and is used during the printer installation.
Third party drivers are copied from media to the driver store before installation.  All drivers are installed from the driver store.
Because drivers in the store are trusted, standard users may install them (without elevation required).

So printer driver installation actually consists of 2 parts:

  1. Put the driver package in the driver store.  This is a privileged operation (requires administrative privileges).
    Adding a driver package can be done from the command prompt, both online (using PnPutil.exe) and offline (using PkgMgr.exe or PEImg.exe).
  2. Install the driver and create print queue. This is a non-privileged operation (requires NO administrative privileges).

That explains the UAC prompt or consent UI you might get when connecting to print servers. Even though the driver lives on the print server and is downloaded by the client (using spool$), installing the driver into the driver store is a privileged operation.


Point and Print

Another important printing concept is "Point and Print".

Point and Print is the Windows feature that automatically downloads and installs a printer driver when a user connects to a shared printer.
Point and Print also updates the printer driver on the client computer when the driver configuration is updated on the print server.

The Point and Print Restrictions group policy settings have been updated to help you manage the improved security of the Point and Print feature in Windows Vista and Windows Server 2008.

The Point and Print Restrictions group policy setting enables you to limit users to connect only to specific print servers. With this setting, you can allow users to connect only to printers on print servers that you manage.  Because this group policy setting prevents users from connecting to any other print servers, you can also disable the warning messages (see above) that would otherwise be displayed.


By disabling the "Point and Print Restrictions" group policy setting, you can provide a Windows Vista client computer with the same level of Point and Print security that it had with Windows XP (read: install silently with UAC prompt/consent).
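A check for how this policy is actually set on a client, as an added example that is not part of the original post: it reads the Point and Print Restrictions values from the registry and flags a suppressed install prompt that is not paired with a list of managed print servers. The registry key and value names are the policy's standard storage as assumed by this example, not taken from the post, and the function name Get-PointAndPrintPolicy is hypothetical.

```powershell
# Added example: report the "Point and Print Restrictions" policy values on the
# local computer and flag cases where the driver-install prompt is suppressed
# without restricting users to a list of managed print servers.
# Assumption: the policy values live under the PointAndPrint key below, in the
# user hive (Windows Vista policy) and/or the machine hive (later versions).
function Get-PointAndPrintPolicy {
    $subKey = 'Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $path = "$hive\$subKey"
        $v = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if (-not $v) {
            # Key absent or empty: the policy is not configured in this hive.
            [pscustomobject]@{ Key = $path; Finding = 'Not configured' }
            continue
        }
        # A restriction only counts when the list is switched on and non-empty.
        $hasList = ($v.TrustedServers -eq 1) -and
                   -not [string]::IsNullOrEmpty($v.ServerList)
        $finding = if ($v.Restricted -eq 0) {
            'Policy disabled: users may connect to any print server'
        } elseif ($v.NoWarningNoElevationOnInstall -eq 1 -and -not $hasList) {
            'Install prompt suppressed without a trusted server list: review'
        } elseif ($hasList) {
            'Connections limited to the listed print servers'
        } else {
            'Enabled without a server list'
        }
        [pscustomobject]@{
            Key                           = $path
            Restricted                    = $v.Restricted
            TrustedServers                = $v.TrustedServers
            ServerList                    = $v.ServerList
            InForest                      = $v.InForest
            NoWarningNoElevationOnInstall = $v.NoWarningNoElevationOnInstall
            Finding                       = $finding
        }
    }
}

Get-PointAndPrintPolicy | Format-List
```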

Printer Driver Packages

Windows Vista introduces "Package Point and Print" which works like Point and Print found on earlier versions of Windows but uses a secure collection of files called a printer driver package.  Printer driver packages are signed, secure and can be installed by users who do not have administrator-level privileges.

Package Point and Print is not supported on versions of Windows prior to Windows Vista. This option can only be used in environments with shared printers that are hosted on print servers running Windows Vista or Microsoft Windows Server 2008.

 

In my next posting I'll talk about how Group Policy Preferences printer installation works around the problem, since all printer installation operations happen within the LocalSystem security context.

Keep posted!


Printers on a machine running Windows Server 2003 R2 or Windows 2003 with R2 Print Management Console may be incompatible with Windows Server 2008, so you must back up these printers before you upgrade to Windows Server 2008 since incompatible printers are deleted during the upgrade process. After you upgrade, the restore process removes any Windows 2003 R2 Print Management incompatibilities.

If incompatible printer queues are found when you upgrade from Windows Server 2003 or from Windows Server 2003 R2 to Windows Server 2008, all printer queues may be deleted during the upgrade process.
If article 938923 is referenced during the upgrade/setup compatibility report, the server has incompatible printer queues. In this case, do not continue with the setup process until the printers are backed up.

To migrate printers on a remote print server running Windows Server 2003 (R2) to Windows Server 2008, you can use the Print Management console on a computer running Windows Vista.  You then add the remote print server. You can use the Printer Migration Wizard or the Printbrm.exe (Print Backup Recovery Migration tool - same engine, different UI) command-line tool to export print queues, printer settings, printer ports, language monitors and then import them on another print server running a Windows operating system. This is an efficient way to consolidate multiple print servers or replace an older print server.

Do remember that the Print Server role is supported on a Windows Server 2008 Server Core installation and could also be a perfect candidate for virtualisation.

Let's drill down into this process step by step below!

The Printer Migration Wizard and the Printbrm.exe command-line tool were introduced in Windows Vista and replace Print Migrator 3.1.

NOTE:

  • The Printer Migration Wizard and Printbrm.exe can import custom forms and color profiles to the local computer only, and they do not support printer settings that are exported using the Print Migrator tool.
  • The Printer Migration Wizard and Printbrm.exe can import and export printers on computers running Windows 2000, Windows XP, Windows Server 2003, Windows Vista, or Windows Server 2008. However, some drivers might not import properly on some operating systems. For example, computers running Windows 2000 do not support x64-based printer drivers.

Use Print Management console on a computer running Windows Vista

1. Open the Administrative Tools folder, and then click Print Management snapin and add the remote print server.


2. In the Configuration Print Management window, type the name of the remote print server and add to the Print Server list.


Backup/export printers on the remote print server

1. Open the Administrative Tools folder and then click Print Management snapin. 

2. Right-click the Print Management tree, and click Migrate Printers to open the Printer Migration Wizard.


3. Click Export printer queues and printer drivers to a file, and then click Next.


4. On the Select a print server page, click Next.


5. Click Next on the printer review list.


6. On the Select the file location page, specify the location where to store the printer export file (for example, C:\BACKUP\remoteservername.printerExport), and then click Next.


7. Click Next to start the export.


Next, upgrade the remote print server to Windows Server 2008. After the upgrade is complete, restore the printers on the remote print server.

Restore printers on the remote print server

1. From the print server running Windows Server 2008, start Server Manager.

2. Right-click Roles, and then click Add Roles.

3. Select Print Services, and then click Next.

4. Click Next in the two subsequent dialog boxes, and then click Install.

5. When the installation process is complete, click Close.

6. Open the Administrative Tools folder, and then click Print Management.

7. Right-click the Print Management tree, and click Migrate Printers to open the Printer Migration Wizard.


8. Click Import printer queues and printer drivers from a file, and then click Next.


Print queues, print drivers, printer ports and print processors are all maintained.

9. On the Select the file location page, specify the location of the printer export/import file (for example, C:\BACKUP\remoteservername.printerExport), and then click Next.

10. On the Select import options page, specify the import options you prefer, and then click Next to import the printers.


Import mode: Specifies what to do if a specific print queue already exists on the destination computer. (Keep/Overwrite)
List in the directory: Specifies whether to publish the imported print queues in the Active Directory Domain Services.
Convert LPR Ports to Standard Port Monitors: Specifies whether to convert Line Printer Remote (LPR) printer ports in the printer settings file to the faster Standard Port Monitor when importing printers.

11. On the Select a print server page, click Next. (This assumes that you specified This print server as the server that should host the printers.)


12. Click Next to start the import.


13. Review application events (using the custom-built View) with the Printbrm.exe source to determine whether further action is needed.


For more information, consult the Print Migration Import Status codes on TechNet.

 

You could optionally use the following command-line options to migrate print servers to Windows Server 2008.

Migrate print servers to Windows Server 2008 by using a Command Prompt

1. Right-click Command prompt, and then click Run as administrator.

2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.


3. To perform a remote backup of printers, type:

REM Printbrm.exe lives in this folder, which is not in %PATH%
CD /D %WINDIR%\System32\Spool\Tools
Printbrm -s \\<sourcecomputername> -b -f <filename>.printerExport

For <sourcecomputername>, enter the Universal Naming Convention (UNC) name of the source computer.
For <filename>, enter the file name for the printer settings file. Use the .printerexport or .cab file extensions.

4. To perform a remote restore of printers, type:

Printbrm -s \\<destinationcomputername> -r -f <filename>.printerExport

For <destinationcomputername>, enter the Universal Naming Convention (UNC) name of the destination computer.
For <filename>, enter the file name for the printer settings file. Use the .printerexport or .cab file extensions.

To view the complete syntax for this command, open a Command Prompt window and type Printbrm /?
PrintBrm is located in %windir%\system32\spool\Tools.

 


Good news! The Microsoft Account Lockout Tools still work as expected on Windows Vista SP1 with RSAT.
What do you need?  Just the same 2 files as before!

After you've downloaded ALTools.exe from the Microsoft Download Center, double-click on the file to extract the tools to a directory.  Then install the tools as needed on domain controllers, member servers, or on workstations as described below:

  1. AcctInfo.dll: Helps isolate and troubleshoot account lockouts and to change a user's password on a domain controller in that user's site. It works by adding a new property page "Additional Account Info" (see below) to user objects in the Active Directory Users and Computers Microsoft Management Console (MMC).
    Make sure to copy the file AcctInfo.dll to %windir%\System32.
    Make sure to register the library using "regsvr32 acctinfo.dll".

  2. LockoutStatus.exe: Displays information about a locked out account by gathering account lockout-specific information from all the domain controllers that are involved in a lockout of a user in order to assist in gathering the logs. LockoutStatus.exe uses the NLParse.exe tool to parse Netlogon logs for specific Netlogon return status codes. It directs the output to a comma-separated value (.csv) file that you can sort further, if needed.
    Make sure to copy the file LockoutStatus.exe to %windir%\system32. (that will make the "Account Lockout Status" button appear - see above)
    Make sure to download the latest version available here.


    The following list describes the different information that is displayed by the tool:
    • DC Name: Displays all domain controllers that are in the domain.
    • Site: Displays the sites in which the domain controllers reside.
    • UserState: Displays the status of the user and whether that user is locked out of their account.
    • Bad Pwd Count: Displays the number of bad logon attempts on each domain controller.
    • Last Bad Pwd: Displays the time of the last logon attempt that used a bad password.
    • Pwd Last Set: Displays the value of the last good password or when the computer was last unlocked.
    • Lockout Time: Displays the time when the account was locked out.
    • Orig Lock: Displays the domain controller that locked the account (the domain controller that made the originating write to the LockoutTime attribute for that user).

 


Author: Mark Russinovich (Microsoft Technical Fellow)

"Because Windows Server 2008 shares the same kernel as Windows Vista SP1, it includes many of the enhancements that I covered in my previous TechNet Magazine articles: "Inside the Windows Vista Kernel" Parts 1-3 (February, March, and April 2007) and "Inside Windows Vista User Account Control" (June 2007). Only a handful of the features I described in those articles are exclusively client-focused and not included in Windows Server 2008, such as SuperFetch, ReadyBoost, ReadyDrive, ReadyBoot, and the Multimedia Class Scheduler Service (MMCSS).

Windows Server 2008 is also the last Windows Server operating system that is expected to offer a 32-bit version."

Covered topics:

  • Memory Management
  • SMB 2.0
  • NTFS self-healing
  • Windows Hardware Error Architecture, and the driver verifier
  • Scalability with I/O completion ports, thread pools, and NUMA
  • Hyper-V virtualization

For more information: Technet Magazine March 2008
