Thursday, April 22, 2010

Lesson 11

Maintaining Windows Server 2008 File Services

Shadow Copies of Shared Folders is based on the Volume Shadow Copy Service (VSS) and allows users to access and recover previous versions of files in the event that they are accidentally deleted or overwritten. Shadow Copies of Shared Folders is enabled at the volume level and affects all shared folders on that volume. A maximum of 64 shadow copies can be stored on a particular volume. The Restore Previous Versions functionality lessens the dependence on administrators to recover files, allowing users to access and restore their own Shadow Copies of Shared Folders snapshots without requiring administrative intervention.

A disk quota is a limit on the disk space a user is permitted to consume on a particular volume or in a particular folder. Quotas are based on file ownership: Windows automatically makes a user the owner of all files that he or she creates, tracks that ownership, and adds up the sizes of all of that user's files. When the total size of a given user's files reaches the quota specified by the server administrator, the system takes action.

The three types are as follows:
• Hard quota stops the user from writing past their quota.
• Soft quota sends a notification to the administrator.
• Threshold quota sends notifications when a certain percentage of the hard quota has been reached, before the hard quota is hit.

Windows Server Backup, new in Windows Server 2008, uses VSS to back up servers at the volume level. It supports two types of backups:
• Manual backup
• Scheduled backup

Restoring Windows Server 2008 can be performed by using the Windows Server Backup MMC snap-in, as well as the wbadmin command-line utility. You can also perform a bare-metal restore of a server that has experienced a hardware failure by using the Windows Recovery Environment (WinRE), a special boot mode that provides a centralized platform for operating system recovery.

Lesson 10

Maintaining Network Health

Active Directory Certificate Services

The Active Directory Certificate Services (AD CS) role in Windows Server 2008 is a component within Microsoft's larger Identity Lifecycle Management (ILM) strategy. The role of AD CS in ILM is to provide services for managing a Windows Public Key Infrastructure (PKI) for authentication and authorization of users and devices.

PKI allows two parties to communicate securely without ever having communicated with one another before, through the use of a mathematical algorithm called public key cryptography.

PKI certificates are managed through Certificate Authorities (CAs) that are hierarchical, which means that you can have many subordinate CAs within an organization that chain upward to a single root CA.

The Public Key Infrastructure
• CA (Certification Authority) is an entity that issues and manages digital certificates for use in a PKI.
• Digital certificate contains information about a particular user along with a public key, digital signatures and expiration dates.
• Digital signature is an electronic signature proving the identity of the entity that signed a document with its private key.
• CPS (Certificate Practice Statement) describes how the CA manages certificates and keys.
• CRL (Certificate Revocation List) identifies certificates that have been revoked or terminated.
• Certificate templates are used by administrators to simplify managing and issuing certificates.
• Smart cards are physical devices containing the digital certificate.
• Self-enrollment gives the user the ability to request their own PKI certificates.
• Autoenrollment is only available in 2003 or later server installations.
• Recovery agent is used to recover keys where a hard drive has crashed and the user does not have a backup of the certificate.
• Key archival: most commercial CAs do not allow it at all.

AD CS (Active Directory Certificate Services) server role consists of the following services and features:

• CAs (Certification Authorities)
• Web enrollment allows users to connect to a Windows Server 2008 CA through a Web browser to request certificates and obtain an up-to-date Certificate Revocation List.
• Online responder
• NDES (Network Device Enrollment Service) allows network devices to enroll for certificates within a Windows Server 2008 PKI using the Simple Certificate Enrollment Protocol (SCEP).

When deploying a Windows-based PKI, two different types of CAs can be deployed: enterprise CAs and standalone CAs.

• Standalone CA is not integrated with Active Directory and relies on administrator intervention to respond to certificate requests.
• Enterprise CA integrates with an Active Directory domain and can use templates to allow autoenrollment of digital certificates, as well as storing the certificates themselves within the AD database.

Managing Certificate Enrollments

In Windows Server 2008 you can manage certificate enrollment in a number of ways, depending on your needs.

In an Active Directory environment you can automate the distribution of PKI certificates by using the following features:
• Certificate templates can be used to automate the deployment of PKI certificates by controlling the security (ACL) associated with each template:
o Full Control: reserved for administrators.
o Read.
o Write: should be reserved for administrators.
o Enroll: allows users to manually request certificates.
o Autoenroll: users are automatically issued certificates.

• Group Policy can be used to establish autoenrollment settings for an Active Directory domain. The Certificate Services Client-Autoenrollment node includes the following settings:
o Enroll certificates automatically.
o Do not enroll certificates automatically.
o If you select the option to enroll certificates automatically, you can also select one or more of the following settings:
▪ Renew expired certificates, update pending certificates and remove revoked certificates.
▪ Update certificates that use certificate templates.
▪ Expiration notification, to notify when a certificate has only a certain percentage of its lifetime remaining.

In a non-Active Directory environment, clients can enroll manually for certificates using either of the following: the Certificate Request Wizard, or Certification Authority Web Enrollment, where users manually create a certificate request.

CA Server Settings

• Key archival and recovery

• Maintainers of a Windows Server 2008 CA
o CA administrator has overall management of a CA.
o Certificate managers manage and issue certificates.
o Backup operators are able to back up and restore the operating system files and folders.
o Auditors are able to read security logs.

Introducing Network Access Protection

Network Access Protection (NAP) is a policy enforcement mechanism that is used to allow or reject access to Windows network resources on the basis of policy decisions, such as whether the Windows Firewall is turned on or whether anti-virus signatures are up to date.

NAP can be configured with one of five built-in enforcement mechanisms:
• DHCP enforcement
• IPSec enforcement
• VPN enforcement
• 802.1x enforcement
• Terminal Services Gateway enforcement

The NAP client includes one or more System Health Agents (SHAs), which map to System Health Validators (SHVs) within the NAP server architecture.

Wednesday, April 21, 2010

Lesson 9

Securing Data Transmission and Authentication

Securing Network Traffic with IPSec

Whether you have a public or private presence on the Internet, securing your organization's data is a core requirement. We deploy measures to secure the network perimeter and to secure access to resources; however, securing the actual IP (Internet Protocol) traffic is often overlooked. Both TCP and UDP carry a checksum in the header of each packet, a mathematical value intended to verify the integrity of each packet. However, because the checksum is a well-known algorithm with no secret in it, a malicious user can intercept these packets, view and modify their contents, recompute the checksums, and then forward the packets to their destination without the sender or receiver knowing.

The IPSec suite of protocols was developed to address this and is now the standard method of providing security services for IP packets. It has two principal goals: to protect the content of IP packets, and to defend against network attacks through packet filtering and the enforcement of trusted communication. Both of these goals are met through the use of cryptography-based protection services, security protocols, and dynamic key management.

IPSec has a number of features that can significantly reduce or prevent the following attacks:
• Packet Sniffing – IPSec includes mechanisms that provide data confidentiality by encrypting the payload of IP packets.
• Data Modification – IPSec uses cryptography-based keys that are shared only by the sender and receiver to create a cryptographic checksum for each IP packet secured using IPSec, protecting the integrity of the data.
• Identity Spoofing – IPSec allows the exchange and verification of identities without exposing that information to interpretation by an attacker. This process, known as mutual authentication, is used to establish trust between the communicating systems.
• Man in the middle attacks – IPSec protects against these through a combination of mutual authentication and the use of shared cryptography-based keys to confirm the integrity of each packet as well as the identity of the sender and receiver.
• Denial of service attacks – IPSec uses IP packet filtering as the basis for determining whether communication is allowed, secured, or blocked. This determination is based on IP address ranges, IP protocols, or even specific TCP and UDP ports.

IPSec is an architectural framework that provides cryptographic security services for IP packets. It is an end-to-end security technology, meaning that the only nodes aware of the presence of IPSec are the two hosts using IPSec to communicate with each other.
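To make the checksum point above concrete, here is an added example (not from the original notes) comparing the RFC 1071 Internet checksum that TCP and UDP carry with a keyed hash (HMAC-SHA256, standing in for the integrity value AH/ESP compute); the key and the sample payload are constructed for the demonstration.

```python
import hmac
import hashlib
import struct

# Constructed sample payload; in real traffic this would be the TCP/UDP segment.
SAMPLE_PAYLOAD = b"transfer 100 to account 42"


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, as carried in TCP and UDP headers."""
    if len(data) % 2:
        data += b"\x00"                     # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_valid(payload: bytes, checksum: int) -> bool:
    return internet_checksum(payload) == checksum


def keyed_hash(key: bytes, payload: bytes) -> bytes:
    """HMAC-SHA256 standing in for the keyed hash AH/ESP use for their integrity value."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def keyed_hash_valid(key: bytes, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(keyed_hash(key, payload), tag)


def tamper_demo(key: bytes):
    """Returns (checksum_accepts_modified, keyed_hash_accepts_modified).
    The checksum has no secret, so anyone on the path who changes the payload
    can recompute it; the keyed hash needs the key shared only by the peers,
    so a modified payload fails verification at the receiver."""
    original = SAMPLE_PAYLOAD
    modified = original.replace(b"account 42", b"account 99")
    csum = internet_checksum(original)      # what the sender attached
    tag = keyed_hash(key, original)
    assert checksum_valid(original, csum) and keyed_hash_valid(key, original, tag)
    recomputed = internet_checksum(modified)   # trivially recomputed on the path
    return checksum_valid(modified, recomputed), keyed_hash_valid(key, modified, tag)
```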

IPSec can be deployed to protect data transmissions in the following scenarios:
• LAN –Client/server and peer-to-peer.
• WAN – Router to Router and gateway to gateway.
• Remote Access – Dial-up clients and Internet access from private networks.

IPSec has many security features; the following are some of them:
• Automatic security associations
• IP Packet Filtering
• Network Layer security
• Peer Authentication
• Data origin Authentication
• Data integrity
• Data confidentiality
• Anti-replay
• Key management

You can configure IPSec to use the following two modes:
• Transport mode – Used when you require packet filtering and when you require end-to-end security. Both hosts must support IPSec using the same authentication protocols and must have compatible IPSec filters.
• Tunnel mode – Used for site-to-site communications that cross the Internet (or other public networks). Tunnel mode provides gateway-to-gateway protection.

The IPSec protocol suite provides security using a combination of individual protocols. The following protocols work independently or in tandem, depending on the need for confidentiality and authentication:
• AH (Authentication Header) provides authentication, integrity and anti-replay for the entire packet. It doesn't provide confidentiality and doesn't encrypt the data. Therefore the data can be read, but it can't be modified without detection. It uses keyed hash algorithms to sign the packet.
• ESP (Encapsulating Security Payload) provides confidentiality (in addition to authentication, integrity and anti-replay) for the IP payload.

An IPSec Security Association (SA) is the combination of security services, protection mechanisms, and cryptographic keys mutually agreed to by the communicating peers. The association determines how the traffic is to be secured and with which secret keys. The following are the two types of associations:
• ISAKMP SA (Main Mode) is used to protect IPSec security negotiations.
• IPSec SA (Quick Mode) is used to protect data sent between the IPSec peers.

When an IPSec session is established between two hosts, the following three different security associations (SAs) must be tracked:
• ISAKMP SA
• Inbound IPSec SA
• Outbound IPSec SA

To identify a specific SA for tracking purposes, a 32-bit number known as the SPI (Security Parameters Index) is used.
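The SA, SPI and anti-replay points above, worked as an added example (not from the original notes): a constructed ESP-like packet (SPI, sequence number, payload, ICV) is matched to its inbound SA by SPI, its keyed-hash ICV is verified with that SA's key, and a 64-packet sliding window rejects replays. The packet layout, key and window size are simplifications chosen here, not Windows' implementation.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

ICV_LEN = 16   # assumption: 128-bit truncated HMAC-SHA256 tag, like ESP's ICV
WINDOW = 64    # assumption: anti-replay window size in packets


@dataclass
class InboundSA:
    """One inbound IPSec SA, identified by its SPI; holds its key and replay state."""
    spi: int
    auth_key: bytes
    highest_seq: int = 0
    window_bits: int = 0   # bit i set means sequence number (highest_seq - i) was seen

    def check_and_update_replay(self, seq: int) -> bool:
        """Sliding-window anti-replay check; returns False for a duplicate or for
        a packet older than the window. Call only after the ICV has verified."""
        if seq == 0:
            return False  # sequence number 0 is never valid
        if seq > self.highest_seq:
            shift = seq - self.highest_seq
            self.window_bits = ((self.window_bits << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= WINDOW:
            return False  # too old to be tracked: treated as a replay
        if self.window_bits & (1 << offset):
            return False  # already seen: replay
        self.window_bits |= 1 << offset
        return True


def build_esp_packet(spi: int, seq: int, payload: bytes, auth_key: bytes) -> bytes:
    """Constructed ESP-like packet: SPI | sequence number | payload | ICV.
    The ICV is a keyed hash over everything before it, as AH/ESP do."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


def process_inbound(sad: dict, packet: bytes):
    """Inbound processing against a Security Association Database (SAD) keyed by SPI.
    Returns (status, payload) with status one of
    'short', 'unknown_spi', 'bad_icv', 'replay' or 'accept'."""
    if len(packet) < 8 + ICV_LEN:
        return "short", None
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sad.get(spi)
    if sa is None:
        return "unknown_spi", None          # no SA for this SPI: drop (and audit)
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        return "bad_icv", None              # modified in transit or wrong key
    # Replay state is only updated for packets that passed the integrity check,
    # so a forged sequence number cannot advance the window.
    if not sa.check_and_update_replay(seq):
        return "replay", None
    return "accept", body[8:]
```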

IKE (Internet Key Exchange) is a standard that defines a mechanism to establish SAs.

IKE combines ISAKMP and the Oakley Key Determination Protocol to generate secret key material.

IPSec policies are the security rules defining security levels, hashing and encryption algorithms, and key lengths. These rules also define the addresses, protocols, DNS names, subnets, or connection types to which they apply. These policies can be configured to meet the security requirements at the user, group, application, domain or site level, or for the entire network (organization).

The components of an IPSec policy are as follows:
• Tunnel setting – The IP address of the tunnel endpoint.
• Network type – The type of connection affected by the IPSec policy.
• IP filter – A subset of network traffic based on IP address, port and transport protocol.
• IP filter list – The concatenation of one or more IP filters, which together define a range of network traffic.
• Filter action – How IPSec should secure the network traffic.
• Authentication method – One of the security algorithms and types used for authentication and key exchange.

Windows Server 2008 provides the following four pre-configured Connection Security Rule types, or you can create a customized rule:
• Isolation rule allows you to restrict inbound and outbound connections based on certain sets of criteria, such as membership in a particular AD domain.
• Authentication Exception rule allows you to specify one or more computers that do not need to be authenticated in order to pass traffic: for example, defining a DHCP server that should not have an Isolation connection security rule applied to it.
• Server-to-Server rule secures traffic between two servers or two groups of servers.
• Tunnel rule is similar to the server-to-server rule; however, it will secure traffic only between tunnel endpoints, not between the actual hosts that will be sending and receiving the secured traffic.

The IPSec driver stores all current quick mode SAs in a database. The IPSec driver uses the SPI field to match the correct SA with the correct packet.

The security negotiation process is divided into the following two types of negotiations:

Main mode negotiation is used to establish the ISAKMP SA, which is used to protect future main mode and all quick mode negotiations.

Quick mode negotiation must occur to determine the type of traffic to be secured and how it will be secured. A quick mode negotiation is also done when a quick mode SA expires.

The purpose of the IPSec Policy Agent service is to retrieve information about IPSec policies and to pass this information to the other IPSec components that require it in order to perform security functions.

IPSec can be deployed using local policies, Active Directory, or both. Each method has its advantages and disadvantages.

Managing and Monitoring IPSec

Windows Server 2008 provides several tools to manage and monitor IPSec, including IP Security Monitor, RSoP, Event Viewer, and the netsh command-line utility.

Network Authentication

Another common concern when securing the network is the authentication process. By default Kerberos v5 is the protocol used in AD; however, there are situations in which the NTLM authentication protocols come into play. The following are the available versions of NTLM authentication and their relative strength:

• LM Authentication is the weakest form, used in the earliest days of Windows networking (Windows NT, 95 and 98). Passwords were easily compromised through the use of packet sniffers.
• NTLM Authentication is the middle of the road and improved upon the security of LM authentication.
• NTLMv2 Authentication is the strongest; it further improved security and required additional software to be installed on Windows 95 and 98 workstations. In Windows 2000 and later it is built in by default.

Windows Firewall

The Windows Firewall with Advanced Security MMC snap-in allows you to control inbound and outbound traffic on a Windows Server 2008 computer, as well as integrate Windows Firewall configuration with IPSec through the use of Connection Security rules.

Sunday, April 18, 2010

Lesson 8

Maintaining and Updating Windows Server 2008

Monitoring a Windows Server Network

There are three tools to help you proactively monitor and troubleshoot network issues: Reliability and Performance Monitor, the Windows Server 2008 Event Viewer, and Network Monitor.

Reliability and Performance Monitor in Windows Server 2008 allows you to collect real-time information. This information can be viewed in a number of different formats, including charts, graphs, and histograms. It uses performance objects, or categories, and performance counters to organize performance information. It collects the following three types of information on Windows Server 2008:

• Performance counters are the specific processes and events you want to monitor. As you add roles and services, performance counters are exposed for these new roles and services.
• Event Trace data is data collected over time to provide a real-time view into the behavior and performance of the server operating systems and any applications it is running.
• Configuration information is available via queries to the registry from Reliability and Performance Monitor.

The following are the three views you can choose from:

• Resource View is the default view and gives you a quick overview of the four major performance components of a server: CPU, Disk, Network and Memory.
• Performance Monitor is the view that provides a visual display of performance counters, in real-time or historical.
• Reliability Monitor is the view providing information about system events that can affect a server's stability, including software installs and uninstalls, as well as application, OS, or hardware failures.

Performance Monitor is probably the most-used view and can be opened easily from the Start menu by typing perfmon.exe. You can add performance counters; however, the following are installed by default:
• Browser
o Announcements Domains/sec – the rate at which a domain has announced itself to the network.
o Election Packets/sec – the rate at which browser election packets have been received by the local computer.
• Memory
o Available Bytes – the amount of physical memory available for allocation to a particular process.
o Committed Bytes – the amount of committed virtual memory.
• Processor
o % Processor Time – the amount of time the processor spends executing a non-idle thread.

Data Collector Sets were introduced in Windows Server 2008. Rather than manually adding individual performance counters any time you want to monitor a 2008 server, Data Collector Sets allow you to organize a set of performance counters, event traces and system configuration data in a single "object" that you can reuse on one or more servers. The following are the three built-in Data Collector Sets: LAN Diagnostics, System Diagnostics and System Performance.

Securing Access to Performance Data

Windows Server 2008 includes a number of built-in group objects that grant limited access to performance data. These are the Users group, Performance Monitor Users, and Performance Log Users.

Windows Event Viewer

To monitor the health of Windows Server 2008, you can examine the Windows Event Viewer to obtain information. By default, it logs informational events such as service start and stop messages, errors, and warnings. Additional diagnostic logging can be achieved by modifying the registry. When using Event Viewer you will see the following items:

Custom Views is a new feature in Windows Server 2008 giving you the ability to set up views that will only show you selected information, such as critical errors.

Windows Logs is the traditional view, which includes the Application, Security and System logs along with the Setup and Forwarded Events logs, both of which are new in Server 2008.

Applications and Services Logs provide various collections of Event Viewer entries associated with server hardware, Internet Explorer, and other Windows components.

Windows Event Collector Service is another new feature in Windows Server 2008. It allows you to configure a single server as a repository of events from multiple computers. It creates and manages subscriptions from one or more remote computers and uses the WS-Management protocol to communicate with those remote computers. Subscriptions are set up as either collector-initiated or source-computer-initiated.

Network Monitor (Gathering Network Data)

Windows Server 2008 does not include a built-in network monitor; however, Microsoft has a free download available. This version is a powerful tool; however, there is a more powerful tool available, SCOM (System Center Operations Manager), which can not only capture traffic sent to its own interface but can also run in promiscuous mode and capture 100 percent of the network traffic available to the network interface. It also gives you a central management point from which you can see other network monitoring instances.

Windows Server Update Services (WSUS) is a tool used to manage and distribute software updates that fix known security vulnerabilities or otherwise improve the performance of Microsoft operating systems. Updates can include items such as security fixes, critical updates, and critical drivers. The following are the categories for the Windows operating system: Critical updates, Recommended downloads, Windows tools, Internet and multimedia updates, Additional Windows downloads, Multilanguage features and Documentation.

WSUS has three main components:
• A content synchronization service
• An internal Windows Update server
• Automatic Updates on computers (desktops or servers)

WSUS server performs two primary functions:
• Synchronizing content with the public Windows Update site.
• Approving content for distribution to your organization.

Windows Update and Automatic Updates are two separate components designed to work together to keep the Windows operating system updated and secure. Windows Update is a Microsoft Web site that works with Automatic Updates to provide timely critical and noncritical system updates. Automatic Updates enables you to interact automatically with the Windows Update Web site.

WSUS Software and Hardware Requirements
• A server running the IIS (Internet Information Services) server role including the following components:
o Windows Authentication
o ASP.NET
o IIS 6.0 Management Compatibility
o IIS Metabase Compatibility
• Microsoft Report Viewer Redistributable 2005
• Microsoft SQL Server 2005 Service Pack 1
• A minimum of 1 GB free space on the system partition
• 20 GB minimum space on a volume used to store downloaded content
• 2 GB free space on the volume where WSUS stores the Windows Internal Database

WSUS server management includes reviewing and changing configuration options, automatically or manually synchronizing the server, viewing update status, and backing up and restoring the server.

WSUS Clients

You can configure Automatic Updates through the Automatic Updates configuration page, Group Policy, or by configuring registry entries.

Monday, April 12, 2010

Lesson 7

Deploying a Print Server

FYI: Printing is usually the number one helpdesk request. Note the last paragraph on the printing devices currently being used at my current employment.

Printing typically involves the following four components: print device, printer, print server, and print driver.

The simplest form of print architecture consists of a locally attached print device. The printer then can be shared with other users on the same network.

XML Paper Specification (XPS) is a new, platform-independent document format used in Windows Server 2008 and Windows Vista, in which print jobs are sent to the print device in a single XPS format rather than being converted first to EMF and then later to PCL.

With network-attached print devices, the primary deployment decision that the administrator must make is which computer will function as the print server.

Printer permissions are much simpler than NTFS permissions. They basically dictate whether users are allowed to merely use the printer, manage documents submitted to the printer, or manage the properties of the printer itself.

The Print Management snap-in for MMC is an administrative tool that consolidates the controls for the printing components throughout the enterprise into a single console.

Currently, coming from a Novell network to a Microsoft network, we purchase printers with NIC cards and set the printer to a static IP address. Then when adding a printer we create a port on the workstation to point to the IP address of the printer, then select the most current print drivers from a local network share. As we have progressed we have moved to Multi Function Printers that fax, scan to PDF, and store user print jobs until the user releases them at the printer. These also add security by putting passwords on accounts so someone can't just walk up and print from the HR Director's mailbox. These printers are administered via a webpage pointing to the device.

In the future I see this becoming more and more the norm, along with the reduction of printing hard copies.

Saturday, April 10, 2010

Lesson 6

Configuring File Services

Planning a File Server Deployment

Scalability – Think about current and future needs: how much storage are you going to need 3 to 5 years from now? Do you have an archiving policy in practice?

Navigation – How are users going to be able to locate the files they need access to?

Protection – Who needs access and how are you going to manage it?

Abuse – How are you going to control users from using up too much space on the file servers?

Diversity – How do you provide access for users who are not running Windows operating systems?

Fault tolerance – How quickly can you recover from failure of a hard drive, server or entire facility?

Availability – How can you make sure that users have continuous access to critical files across your complete network, even if it is remote?

The following are the Windows Server 2008 storage limitations (storage characteristic – limitation):

• Maximum basic volume size – 2 terabytes
• Maximum dynamic volume size (simple and mirrored volumes) – 2 terabytes
• Maximum dynamic volume size (spanned and striped volumes) – 64 terabytes (2 terabytes per disk with a maximum of 32 disks)
• Maximum dynamic volume size (RAID-5 volumes) – 64 terabytes (2 terabytes per disk with a maximum of 32 disks and 2 terabytes reserved for parity information)
• Maximum NTFS volume size – 2^32 clusters minus 1 cluster (using the default 4 kilobyte cluster size, the maximum volume size is 16 terabytes minus 64 kilobytes; using the maximum 64 kilobyte cluster size, the maximum volume size is 256 terabytes minus 64 kilobytes)
• Maximum number of clusters on an NTFS volume – 2^32
• Maximum NTFS file size – 2^44 bytes (16 terabytes) minus 64 kilobytes
• Maximum number of files on an NTFS volume – 2^32 minus one file
• Maximum number of volumes on a server – approximately 2000 (1000 dynamic and the rest basic)

When installing additional storage you must address the following tasks:

Select a partitioning style – there are two types supported: MBR (Master Boot Record) and GUID (Globally Unique Identifier). You will need to choose one or the other, not both.

Select a disk type – there are two types supported: basic and dynamic. You can use both disk types on the same disk, but you cannot mix disk types on the same computer.

Divide the disk into partitions or volumes – You create partitions on basic disks and volumes on dynamic disks.

Format the partitions or volumes with a file system – the two file systems that are supported are NTFS and FAT (FAT16 and FAT32).

During installation two partitions are created: a system partition and a boot partition. The system partition contains the hardware-related files that the computer uses to boot. The boot partition contains the operating system files, which are stored in the Windows directory. You can create up to four primary partitions.

Volume Types

Simple volume – Is on a single disk; once you have created a simple volume you can later extend it to multiple disks to create a spanned or striped volume, as long as it is not a system or boot volume.

Spanned volume – Consists of space from 2 to 32 physical disks, all of which must be dynamic disks. A spanned volume is essentially a method for combining the space for multiple disks into a single large volume.

Striped volume – Consists of space from 2 to 32 physical disks, all of which must be dynamic disks. The difference between a striped volume and a spanned volume is that in a striped volume, the system writes data one stripe at a time to each successive disk in the volume.

Mirrored volume – Consists of an identical amount of space on two physical disks, both of which must be dynamic. The system then performs all read and write operations on both disks simultaneously, so they contain duplicate copies of the data.

RAID-5 volume – Consists of space on three or more physical disks, all of which must be dynamic disks. The system stripes data and parity information across all of the disks, so that if one disk fails, the missing data can be recreated using the parity information on the other disks.

File Sharing and Permissions

Now that you have the volumes set up, you will need to set up a file structure and a sharing strategy. Following a basic structure, set the root of the organization's public and private shares:

Public
    Accounting
    Customer Service
    General Access
    Human Resources
    Information Systems
    Marketing
    Purchasing
    Sales
Private
    Bob Johnson
    Cindy Johnsen
    Dan Mann
    Nick Nickleson
    Paul Pusher
    Steven Sales

Permissions can then be set at the individual level on the private directories and at the group level on the public directories. The following are the four different types of permissions:
• Share permissions
• NTFS permissions
• Registry permissions
• Active Directory permissions

All of these permissions can operate independently of each other and sometimes combine to increase protection of a specific resource. NTFS permissions enable you to control access to files and folders by specifying just what tasks individual users can perform on them. Share permissions provide rudimentary access control for all of the files on a network share. Network users must have the proper share and NTFS permissions to access file server shares.

The File Services role includes several role services that you can choose to install, including Distributed File System and Services for Network File System. Selecting individual role services can add extra configuration pages to the Add Roles Wizard.

The Distributed File System (DFS) includes two technologies: DFS Namespaces and DFS Replication, which can simplify the process of locating files, control the amount of traffic passing over WAN links, provide users at remote sites with local file server access, configure the network to survive a WAN link failure, and facilitate consistent backups.

DFS is a virtual namespace technology that enables you to create a single directory tree containing references to shared folders located on various file servers all over the network.

A namespace server functions just like a file server except that when a user requests access to a file in the DFS directory tree, the namespace server replies—not with the file itself, but with a referral specifying the file’s actual location.

Sunday, April 4, 2010

Lesson 5

Configuring Routing and Remote Access (RRAS) and Wireless Networking

Routing is the process of transferring data across an internetwork from one LAN to another, using the Internet and the TCP/IP protocols, between multiple organizations. With the Routing and Remote Access service, Windows Server 2008 is a software-based router that can be configured as a router and remote access server. A significant advantage of using Windows Server 2008 in this manner is that it is integrated with Windows features, such as Group Policy and the Active Directory service. The Routing and Remote Access console is the principal tool used for configuring and managing this service.

The following are some common routing protocols:

• RIP (Routing Information Protocol) and RIP v2: RIP broadcasts information about available routes on a regular basis, as well as when the network topology changes. RIP v2 increases the security and the amount of information provided. Without dynamic routing protocols such as RIP v2, network administrators must add static routes to connect to non-neighboring subnets when those subnets do not lie in the same direction as the default route.

• OSPF (Open Shortest Path First) is designed to address the scalability limitations of RIP. Rather than using broadcasts to transmit routing data, each router maintains a database of routes to all destinations that it knows of; when it receives network traffic destined for one of these destinations, it routes the traffic using the shortest path.

Routers read the destination addresses of received packets and route those packets using their routing tables. In Windows Server 2008, these routing tables can be viewed using the Routing and Remote Access console or with the route print command.

The following are the five columns displayed in the routing table:
• Network destination, as the name suggests, indicates the destination network.
• Netmask is the subnet mask of the destination network.
• Gateway is the address to which packets matching this entry are forwarded.
• Interface determines which local network interface card is used to forward the packet to that gateway.
• Metric is the cost of using this route to transfer the data.
Four types of routes found in a routing table are:
• Directly attached Network routes
• Remote Network routes
• Host routes
• Default route

Demand-Dial Routing, also known as dial-on-demand routing, is also included within Routing and Remote Access; it is a low-cost solution for low-traffic situations.

Remote Access
Remote access clients connect using either DUN (Dial-Up Networking) or a VPN (Virtual Private Network). DUN uses a POTS line to dial directly into the remote access server; because it is a dedicated physical connection, the traffic is often unencrypted. VPN connectivity creates a secure point-to-point connection across either a private network or a public network (the Internet). A VPN uses TCP/IP tunneling protocols to create the secured connection.

The following are several other options available when configuring Remote Access:
• Remote Access (Dial-Up or VPN)
• Network Address Translation (NAT)
• Virtual Private Network (VPN) Access and NAT
• Secure Connection between two Private Networks
• Custom Configuration
A VPN connection consists of the following components:
• VPN server
• VPN client
• VPN connection(the data is encrypted)
• VPN tunnel(the data is encapsulated)
The two tunneling protocols that provide this service are PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer Two Tunneling Protocol). PPTP supports only 128-bit RC4 encryption, while L2TP supports Advanced Encryption Standard (AES) 256-bit, AES 192-bit, AES 128-bit, and 3DES encryption by default on Windows Server 2008.

Network Address Translation (NAT) enables private networks to connect to the Internet. NAT translates internal, private IP addresses to external, public IP addresses and vice versa.
Here’s how it works. The TCP/IP stack on the client computer creates an IP packet with specific values in the IP and Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) headers. The client computer then forwards the IP packet to the computer running NAT. The computer running NAT changes the outgoing packet header to indicate that the packet originated from the NAT computer’s external address; it does not change the destination. It then sends the remapped packet over the Internet to the Web server. The external Web server receives the packet and sends a reply to the computer running NAT. The computer running NAT receives the reply and checks its mapping information to determine the destination client computer. It changes the packet header to indicate the private address of the destination client and then sends the packet to the client.
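The translation walk-through above, simulated in code. This is an added example, not code from the lesson or from Windows RRAS: a small NAT table that rewrites the source of outbound packets, leaves the destination alone, and reverses the mapping for replies. The addresses and ports are constructed sample values, and the assumption that an inbound packet is only accepted when it comes from the exact host the client talked to is a design choice of this toy (real NAT devices vary in how strictly they filter).

```python
"""Simulated NAT translation table (added example, not from the lesson).

Models the outbound/inbound rewriting described above: the NAT device
replaces the private source address/port with its own public address and
a chosen external port, remembers the mapping, and reverses it for the
reply. All addresses are constructed sample values (RFC 1918 space for
the client, documentation ranges 203.0.113.0/24 and 198.51.100.0/24 for
the public side).
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Nat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, public_port) -> (private_ip, private_port, remote_ip, remote_port)
        self.table = {}
        # full private flow -> public port, so one flow keeps reusing its mapping
        self.by_private = {}

    def outbound(self, pkt):
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_private.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.table[(pkt.proto, port)] = key[1:]
            self.by_private[key] = port
        # Only the source is rewritten; the destination is left untouched.
        return replace(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt):
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None  # unsolicited inbound packet: no mapping, dropped
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # reply from a host the client never contacted: dropped (assumption of this toy)
        # Reverse mapping: put the private client address back as the destination.
        return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)


def demo():
    """One client flow through the NAT: outbound rewrite, reply, and a stray packet."""
    nat = Nat("203.0.113.5")                                  # constructed public address
    client = Packet("192.168.1.10", 51515, "198.51.100.80", 80)  # constructed client -> web server
    out = nat.outbound(client)
    reply = Packet("198.51.100.80", 80, out.src_ip, out.src_port)
    back = nat.inbound(reply)
    stray = nat.inbound(Packet("198.51.100.99", 443, nat.public_ip, out.src_port))
    return out, back, stray


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The `stray` packet in `demo()` is the point worth noticing from a defensive angle: with nothing in the mapping table for that remote endpoint, the NAT has no private address to deliver it to and drops it, which is why a NAT incidentally blocks unsolicited inbound connections even though it is not a firewall.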

NPS Network Policy Server
The remote access connection must be authorized by a Windows Server 2008 server running the NPS or RRAS role service, or by a RADIUS (Remote Authentication Dial-In User Service) server. Use a RADIUS server to centralize remote access authentication, authorization, and logging. When you implement RADIUS, multiple Windows Server 2008 computers running the Routing and Remote Access service forward access requests to the RADIUS server. The RADIUS server then queries the domain controller for authentication and applies remote access policies to the connection requests.

Keep in mind the AAA model:
• Authentication proves that users are who they claim to be.
• Authorization controls what resources an authenticated user can or cannot access.
• Accounting keeps track of what resources a user has accessed or attempted to access.

An NPS Network Policy, which is a rule for evaluating remote connections, consists of three components: conditions, constraints, and settings. Here’s how it works. A user attempts to initiate a remote access connection. The remote access server checks the conditions in the first configured NPS Network Policy. If the conditions of this policy do not match, the remote access server checks the remaining configured NPS Network Policies until it finds a match. Once the remote access server finds an NPS Network Policy whose conditions match the incoming connection attempt, it checks any constraints that have been configured for that policy. If the connection attempt does not meet the configured constraints (time of day, minimum encryption level), the remote access server denies the connection. If the connection attempt matches both the conditions and the constraints of a particular NPS Network Policy, the remote access server allows or denies the connection based on the access permission configured for that policy.
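The evaluation order just described, as an added example that is not NPS code or anything from the lesson. The policy names, groups, hours and encryption levels are constructed, and only two constraint kinds are modeled. The behaviour worth seeing is that the first policy whose conditions match is final: if its constraints fail, the result is a denial, not a fall-through to the next policy.

```python
"""Simulated NPS Network Policy evaluation (added example, not Microsoft code).

A policy has conditions (all must match for the policy to be selected),
constraints (checked only on the selected policy) and an access permission.
Policies are evaluated in configured order; the first one whose conditions
match decides the outcome.
"""
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    conditions: dict                                  # attribute -> required value
    constraints: dict = field(default_factory=dict)   # min_encryption, allowed_hours
    grant: bool = True                                # the policy's access permission


@dataclass
class Request:
    attrs: dict            # what the conditions are matched against (group, tunnel type, ...)
    encryption_bits: int   # negotiated encryption strength of the connection attempt
    hour: int              # local hour 0-23, for the time-of-day constraint


# Constructed mapping from the NPS-style encryption labels to key lengths.
ENCRYPTION_STRENGTH = {"none": 0, "basic": 40, "strong": 56, "strongest": 128}


def conditions_match(policy, req):
    return all(req.attrs.get(k) == v for k, v in policy.conditions.items())


def constraints_met(policy, req):
    min_enc = policy.constraints.get("min_encryption")
    if min_enc is not None and req.encryption_bits < ENCRYPTION_STRENGTH[min_enc]:
        return False
    hours = policy.constraints.get("allowed_hours")   # (start, end), end exclusive
    if hours is not None and not (hours[0] <= req.hour < hours[1]):
        return False
    return True


def evaluate(policies, req):
    """Return (decision, policy_name, reason); decision is 'allow' or 'deny'."""
    for p in policies:
        if not conditions_match(p, req):
            continue                      # keep looking for a policy whose conditions match
        if not constraints_met(p, req):
            return "deny", p.name, "constraint not met"   # no fall-through to later policies
        return ("allow" if p.grant else "deny"), p.name, "access permission"
    return "deny", None, "no matching policy"            # default when nothing matches


# Constructed sample policies, in configured order.
SAMPLE_POLICIES = [
    Policy("VPN-Admins", {"group": "Domain Admins", "tunnel": "L2TP"},
           {"min_encryption": "strongest"}),
    Policy("VPN-Staff", {"group": "Staff"},
           {"min_encryption": "strong", "allowed_hours": (7, 20)}),
    Policy("Deny-Guests", {"group": "Guests"}, grant=False),
]


if __name__ == "__main__":
    print(evaluate(SAMPLE_POLICIES, Request({"group": "Staff"}, 128, 9)))
    print(evaluate(SAMPLE_POLICIES, Request({"group": "Staff"}, 40, 9)))
```

A request from a "Staff" member at 22:00 is denied by VPN-Staff's time-of-day constraint even though Deny-Guests (or any later allow policy) never gets a look; when troubleshooting an unexpected denial, the policy to inspect is the first one whose conditions matched.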

Authentication protocols, in order from most secure to least secure:
• EAP-TLS
• MS-CHAP v2
• MS-CHAP v1
• Extensible Authentication Protocol-Message Digest 5 Challenge Handshake Authentication Protocol (EAP-MD5 CHAP)
• Challenge Handshake Authentication Protocol (CHAP)
• Shiva Password Authentication Protocol (SPAP)
• Password Authentication Protocol (PAP)
• Unauthenticated access

Wireless Access

The 802.1X IEEE standard allows for port-level network access control of both wired and wireless connections. A Windows Server 2008 server running the NPS role can also secure 802.1X connectivity for 802.1X-capable network switches and wireless access points. The 802.1X standard provides port-based security by using the following components:
• Supplicant: the device that is seeking access to the network.
• Authenticator: the component that requests authentication credentials from the supplicant (commonly the port on the switch or the wireless access point).
• Authentication Server (AS): the server that verifies the supplicant’s authentication credentials and informs the authenticator whether to allow or disallow access to the 802.1X-secured network port.

Saturday, April 3, 2010

Lesson 4

Configuring and Managing the DNS Server Role

DNS Domain Name System

Windows Server 2008 includes both DNS and Windows Internet Naming System (WINS) name resolution services, which allow computers to translate between human-readable names, which are easier for humans to understand and remember, and the IP addresses that TCP/IP communication requires.
The DNS namespace is hierarchical and based on a unique root that can have any number of subdomains. A Fully Qualified Domain Name (FQDN) is the name of a DNS host in this namespace, indicating the host’s location relative to the root of the DNS domain tree. An example of an FQDN is host1.subdomain.microsoft.com. The top-level domain is com. The second-level domain is microsoft.com; second-level domains are registered to individuals or organizations. Second-level domains can have many subdomains, and any domain can have hosts. A host is a specific computer or network device within a domain.
DNS names and the DNS protocol are required for Active Directory domains and for compatibility with the Internet.
A DNS zone is a contiguous portion of a namespace for which a server is authoritative. A server can be authoritative for one or more zones, and a zone can contain one or more contiguous domains. A DNS server is authoritative for a zone if it hosts the zone, either as a primary or secondary DNS server. Each DNS zone contains the resource records it needs to answer queries for its portion of the DNS namespace.

There are several types of DNS servers: primary, secondary, master name, and caching-only.

• A DNS server that hosts a primary DNS zone is said to act as a primary DNS server. Primary DNS servers store original source data for zones. With Windows Server 2003, you can implement primary zones in one of two ways: as standard primary zones (zone data is stored in a text file) or as an Active Directory–integrated zone (zone data is stored in the Active Directory database).
• A DNS server that hosts a secondary DNS zone is said to act as a secondary DNS server. Secondary DNS servers are authoritative backup servers for the primary server. The servers from which secondary servers acquire zone information are called masters.
• A caching-only server forwards requests to other DNS servers and hosts no zones, but builds a cache of frequently requested records.

A DNS zone is a collection of host name-to-IP address mappings for hosts in a contiguous portion of the DNS namespace; contiguous means connected by a parent-child relationship. For each DNS domain name included in a zone, the zone becomes the authoritative source for information about that domain. Zones are stored in text files or within Active Directory. It is recommended to have a primary and a secondary zone to provide fault tolerance if one of the servers fails. There are four standard zone types: standard primary, standard secondary, reverse lookup, and stub zones.

• The standard primary zone hosts a read/write copy of the DNS zone in which resource records are created and managed.
• The standard secondary zone is a copy of the standard primary zone. It is copied from the primary in what is called a zone transfer, which can be a full zone transfer (AXFR) or an incremental zone transfer (IXFR) that sends only the updates from the standard primary zone.
• The reverse lookup zone is a zone that gives the ability to look up by IP address rather than by DNS name.
• The stub zone is a pointer to the DNS server that is authoritative for that zone, and it is used to maintain or improve DNS resolution efficiency.

Active Directory-integrated zones have the following benefits:

• Fault tolerance: redundant copies are stored on multiple servers.
• Security: with DNS zones stored in Active Directory you can modify the discretionary access control list (DACL), which lets you specify which users and groups may modify the DNS zones.
• Multi-master: these zones can be updated in more than one location.
• Efficient replication: zone transfers are replaced by more efficient Active Directory replication.
• Secondary zones are still supported: Active Directory-integrated zones can also be transferred to secondary zones, similar to the way file-backed secondary zones are transferred.

A DNS resource record is a piece of information related to a DNS domain, for example the host record defining a host’s IP address; records are represented in binary form in packets. Typical resource record fields are Owner, TTL (time to live), Class, Type and RDATA (resource record data). The following are the different types of resource records:

• SOA (Start of Authority) record indicates the starting point of authority for information stored in a zone. It is the first record created when creating a zone and contains zone-specific information used for maintaining the zone. Its RDATA fields are Authoritative Server, Responsible Person, Serial Number, Refresh, Retry, Expire, and Minimum TTL.
• A (Host) record maps an FQDN to an IPv4 address; the AAAA (Host) record maps an FQDN to an IPv6 address.
• PTR record performs the reverse function of the A resource record by mapping an IP address to an FQDN.
• NS (Name Server) record identifies a DNS server that is authoritative for a zone; that is, a DNS server that hosts a primary or secondary copy of the DNS zone in question.
• MX (Mail Exchanger) record specifies a server that is configured to act as a mail server for a DNS name.
• CNAME (Canonical Name/Alias) record creates an alias for a specified FQDN. You can use CNAME records to hide the implementation details of your network from the clients connecting to it.
• SRV (Service Locator) record enables you to specify the locations of servers that provide a specific network service over a specific protocol and in a specific domain.

The DNS name resolution process starts when an application passes a query to the local DNS resolver client service for resolution. If the query cannot be resolved locally, it is sent to the preferred DNS server as configured in the client’s TCP/IP properties. If the query does not match an entry in the cache, the resolution process continues with the client querying a DNS server to resolve the name.

When a query is sent to a DNS server, the following are the most common responses:

• An authoritative answer is a positive answer returned to the client and delivered with the authority bit set in the DNS message, indicating that the answer was obtained from a server with direct authority for the queried name.
• A positive answer can consist of the queried resource record or a list of resource records that fit the queried DNS domain name and record type specified in the query message.
• A referral answer contains additional resource records not specified by the name or type in the query.
• A negative answer is where an authoritative server reports that the queried name exists but no records of the specified type exist for that name.

Root hints contain the names and IP addresses of the DNS servers authoritative for the root zone. By default, DNS servers use a root hints file, called cache.dns on Microsoft servers. The DNS Server service must be configured with root hints to resolve queries for names for which it is not authoritative and contains no delegations.

Recursion is one of the two query types used in DNS name resolution. With a recursive query, a DNS client requests that a DNS server provide a complete answer to the query, without pointers to other DNS servers, effectively shifting the workload of resolving the query from the client to the DNS server. An iterative query keeps the workload on the client, which goes from one server to the next to get its name resolved. For the DNS server to perform recursion properly, the server needs to know where to begin searching for names in the DNS namespace. This information is provided by the root hints file, cache.dns, which is stored on the server computer.
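The resolution walk described in the last few paragraphs (root hints, referral answers, authoritative and negative answers, and the difference between a client iterating itself and a server recursing on its behalf), as an added example that is not code from the lesson or from the Windows DNS Server service. The namespace is a constructed toy: a root zone delegating com, a com zone delegating example.com, and three constructed server addresses standing in for the root-hint, TLD and authoritative servers.

```python
"""Toy DNS resolution walk (added example, not code from the lesson).

Constructed namespace: the root zone delegates "com.", the com zone
delegates "example.com.", and the example.com zone holds the host records.
Server addresses are constructed sample values. Every query to a server
gets one of: an authoritative answer, a referral one step closer to the
authority, a negative answer (name exists, no record of that type), or
nxdomain (name does not exist at all). Names are written fully qualified,
with the trailing dot.
"""
from collections import namedtuple

Answer = namedtuple("Answer", "kind data")   # kind: authoritative | referral | negative | nxdomain

ZONES = {
    ".":            {"delegations": {"com.": "198.51.100.2"}, "records": {}},
    "com.":         {"delegations": {"example.com.": "198.51.100.3"}, "records": {}},
    "example.com.": {"delegations": {},
                     "records": {"www.example.com.":  {"A": "192.0.2.10", "AAAA": "2001:db8::10"},
                                 "mail.example.com.": {"A": "192.0.2.25"}}},
}
# Which constructed server address hosts which zone; the root hint is the root server.
SERVERS = {"198.51.100.1": ".", "198.51.100.2": "com.", "198.51.100.3": "example.com."}
ROOT_HINTS = ["198.51.100.1"]


def ask_server(server_ip, qname, qtype):
    """Simulate one query sent to one authoritative server."""
    zone = ZONES[SERVERS[server_ip]]
    if qname in zone["records"]:                       # this server owns the name
        rr = zone["records"][qname]
        if qtype in rr:
            return Answer("authoritative", rr[qtype])
        return Answer("negative", None)                # name exists, no RR of this type
    for child, ns_ip in zone["delegations"].items():   # name lives in a delegated child zone
        if qname == child or qname.endswith("." + child):
            return Answer("referral", ns_ip)
    return Answer("nxdomain", None)                    # nothing in this zone matches


def iterative_resolve(qname, qtype, hints=ROOT_HINTS, max_hops=10):
    """Client-side iteration: start at a root hint and follow referrals.
    Returns (final answer, list of servers asked)."""
    server = hints[0]
    path = []
    for _ in range(max_hops):
        path.append(server)
        ans = ask_server(server, qname, qtype)
        if ans.kind != "referral":
            return ans, path
        server = ans.data                              # move one step closer to the authority
    raise RuntimeError("too many referrals")          # guards against a delegation loop


class RecursiveServer:
    """A server that does the iteration for its clients and caches what it learns."""

    def __init__(self):
        self.cache = {}

    def query(self, qname, qtype):
        """Return (answer, served_from_cache)."""
        key = (qname, qtype)
        if key in self.cache:
            return self.cache[key], True
        ans, _ = iterative_resolve(qname, qtype)
        if ans.kind in ("authoritative", "negative"):  # cache final answers only
            self.cache[key] = ans
        return ans, False


if __name__ == "__main__":
    print(iterative_resolve("www.example.com.", "A"))
    print(iterative_resolve("mail.example.com.", "AAAA"))
```

Tracing `iterative_resolve("www.example.com.", "A")` shows the client asking three servers in turn (root, com, example.com) and receiving two referrals before the authoritative answer; `RecursiveServer.query` hides that walk from its clients and answers the repeat query from cache, which is exactly the work the lesson says recursion shifts from the client to the server.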

A DNS server on a network is designated as a forwarder by having the other DNS servers in the network forward the queries they cannot resolve locally to that DNS server. Conditional forwarding enables a DNS server to forward queries to other DNS servers based on the DNS domain names in the queries.

Sunday, March 7, 2010

Lesson 3

Configuring and Managing the DHCP Server Role

DHCP is a simple, standard protocol that makes TCP/IP network configuration much easier for the administrator by dynamically assigning IP addresses and providing additional configuration information to DHCP clients automatically. It is based heavily on BOOTP, but rather than pushing preconfigured parameters to expected clients, DHCP can dynamically allocate and reclaim IP addresses from a pool of IP addresses. DHCP is an open, industry-standard protocol that reduces the complexity of administering networks based on TCP/IP. It is defined by the IETF (Internet Engineering Task Force) in RFC (Request for Comments) 2131 and 2132. DHCP functions at the application layer of the OSI (Open Systems Interconnection) model, as defined by ISO (International Organization for Standardization) and the ITU-T (International Telecommunication Union Telecommunication Standardization Sector).

Four Key Benefits of DHCP
• Centralized administration of IP configuration
• Dynamic host configuration
• Seamless IP host configuration
• Flexibility and scalability

Additional configuration information is provided in the form of options and can be associated with reserved IPs to a vendor or user class, to a scope, or to an entire DHCP server.

APIPA is useful for providing addresses to single-segment networks that do not have a DHCP server.

DHCP Terminology

• DHCP client – Computer on the network obtaining information from the DHCP server.
• DHCP server – Computer on the network providing DHCP configuration to clients.
• DHCP lease – This defines the duration for which the DHCP server leases an address to the client. The lease duration can be between 1 minute and 999 days. The default lease is eight days.

DHCP Message Types

• DHCPDISCOVER – Sent by the client to locate a DHCP server.
• DHCPOFFER – Sent by the DHCP server in response to DHCPDISCOVER with the offered configuration parameters.
• DHCPREQUEST – Sent by the client to signal acceptance of the offer (DHCPOFFER) from the DHCP server.
• DHCPDECLINE – Sent by the client to the DHCP server, informing it that the offer has been declined.
• DHCPACK – Sent by the DHCP server to the client to confirm the lease.
• DHCPNACK – Sent by the DHCP server to the client to deny the DHCPREQUEST.
• DHCPRELEASE – Sent by the client to a DHCP server to relinquish an IP address and cancel the remaining lease.
• DHCPINFORM – Sent by the client to a DHCP server to ask only for additional local configuration parameters.

D.O.R.A., that is Discover (DHCPDISCOVER), Offer (DHCPOFFER), Request (DHCPREQUEST), Acknowledge (DHCPACK), is the exchange between the client and the DHCP server.
DHCP Scope The Scope determines which IP Addresses are allocated to clients. You can configure as many scopes on a DHCP server as needed for your environment.
DHCP Reservation: These are reserved IP addresses for hosts that need to have a static IP address. Examples are e-mail servers, and application servers. These are set up using the MAC address of the DHCP client computer so only the client with that address will get that reserved address.
DHCP Maintenance: Because DHCP is a key component in your organization, you must manage and monitor it. DHCP management consists of backing up and restoring the database as well as reconciling, compacting, and, in some cases, removing the database.
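The D.O.R.A. exchange, scope, reservation and lease ideas from this lesson, put together in one added simulation. This is example code, not the Windows DHCP Server service or anything from the lesson; the scope range, reservation and MAC addresses are constructed, and DHCPDECLINE and DHCPINFORM are left out of the toy.

```python
"""Simulated DHCP server handling the D.O.R.A. exchange (added example).

DISCOVER -> OFFER from the scope (or the reserved address when the client
MAC has a reservation), REQUEST -> ACK with a lease, NAK when the client
asks for an address this server never offered or leased to it, RELEASE
returning the address, and a lease-expiry sweep. Time is an integer number
of seconds supplied by the caller so the expiry logic is easy to test.
"""
import ipaddress

DEFAULT_LEASE_SECONDS = 8 * 24 * 3600     # the eight-day default from the lesson


class DhcpServer:
    def __init__(self, scope_start, scope_end, reservations=None,
                 lease_seconds=DEFAULT_LEASE_SECONDS):
        first = int(ipaddress.IPv4Address(scope_start))
        last = int(ipaddress.IPv4Address(scope_end))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.reservations = reservations or {}   # mac -> reserved address
        self.lease_seconds = lease_seconds
        self.offers = {}                          # mac -> offered address awaiting REQUEST
        self.leases = {}                          # mac -> (address, expiry time)

    def _free_address(self, mac):
        if mac in self.reservations:
            return self.reservations[mac]         # reservation wins over the pool
        in_use = ({ip for ip, _ in self.leases.values()}
                  | set(self.offers.values())
                  | set(self.reservations.values()))
        for ip in self.pool:
            if ip not in in_use:
                return ip
        return None                               # scope exhausted

    def handle(self, msg, mac, now, requested=None):
        """Process one client message; return (reply message type, address)."""
        if msg == "DHCPDISCOVER":
            ip = self._free_address(mac)
            if ip is None:
                return None, None                 # nothing to offer: server stays silent
            self.offers[mac] = ip
            return "DHCPOFFER", ip
        if msg == "DHCPREQUEST":
            offered = self.offers.pop(mac, None)
            current = self.leases.get(mac, (None, None))[0]   # existing lease being renewed
            if requested is None or requested not in (offered, current):
                return "DHCPNAK", None            # not what we offered or leased to this MAC
            self.leases[mac] = (requested, now + self.lease_seconds)
            return "DHCPACK", requested
        if msg == "DHCPRELEASE":
            self.leases.pop(mac, None)            # client gives the address back early
            return None, None
        raise ValueError("unsupported message type: " + msg)

    def expire(self, now):
        """Reclaim leases whose expiry time has passed; return how many."""
        expired = [mac for mac, (_, exp) in self.leases.items() if exp <= now]
        for mac in expired:
            del self.leases[mac]
        return len(expired)


if __name__ == "__main__":
    srv = DhcpServer("192.168.1.100", "192.168.1.103",        # constructed 4-address scope
                     {"00:11:22:33:44:55": "192.168.1.250"})  # constructed reservation
    print(srv.handle("DHCPDISCOVER", "aa:bb:cc:dd:ee:01", now=0))
    print(srv.handle("DHCPREQUEST", "aa:bb:cc:dd:ee:01", now=0, requested="192.168.1.100"))
```

The NAK path is the one to understand: a client that requests an address it was never offered (or a stale address after a lease expired and was handed to someone else) gets DHCPNAK and must start over with DISCOVER, which is what keeps two clients from ending up with the same address.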

Wednesday, March 3, 2010

Lesson 2

Installing Microsoft Windows Server 2008

Installing and Initial Server Configuration:

Best practice when installing Windows Server 2008 is to install onto fresh media (media that has never been used before) rather than previously used media (media containing existing files). If Windows Server 2008 is installed onto a disk partition containing a previous version of Windows, the files will be preserved but the previous software will not be usable. Note: the Windows Server 2008 distribution media contains a bootable system that can be used for a standalone installation or to repair an existing installation.
Once you have installed Windows Server 2008, the software will automatically launch Initial Configuration Tasks (ICT). You should go through all of these tasks (Administrator password, time zone, Windows Update, network settings, adding server roles and features …). Note: by default, the Windows Firewall is turned on. It is also especially important to download and apply any updates that have been released since the creation of the media you are using to install.

When setting up your network connection keep in mind a server usually has a static IP address so you will also need to manually setup the DNS address information.

Network discovery finds and accesses other computers and resources shared on the network. Warning: if you inappropriately allow network discovery on a public network, such as at a wireless café, you would be allowing anyone to access file shares on your system.

Configuring Server Roles:

To improve the security and manageability of Windows Server 2008 servers, you use the Server Manager console to install one or more server roles. To reduce the attack surface of Windows Server 2008 computers, the system files (executables and DLL files) associated with a particular role are not installed on a server until the role is installed, instead of leaving unused software lying dormant on the server as a potential target for a network virus or worm. This also keeps the server cleaner for running its applications.

Configuring Server Storage:

Windows Server 2008 (and all Microsoft operating systems going back to Windows 2000) supports two types of hard disks: basic and dynamic.

Basic disks use partition tables that are recognized and supported by older operating systems. All disks in a windows 2008 server start out as basic until they are converted to dynamic disks.

Dynamic disks provide access to advance configuration features.

Windows Server 2008 allows you to configure various types of storage including RAID-0, RAID-1, and RAID-5 storage arrays.
A volume describes a logical unit of space that is made up of space contained on one or more physical disks.

A simple volume is a type of volume that consists of free space contained on a single physical disk. You can configure all of the available space on a disk as a simple volume, or you can configure multiple simple volumes using the space on a single disk.

A spanned volume is made up of free space from multiple physical disks. For example, if you have two physical disks in a server that are each 500GB in size, you can combine them into a single spanned volume that is 1TB in size.

A striped volume is similar to a spanned volume in that it is made up of free space from multiple disks and uses RAID-0 striping to interleave data across the disks, thus improving the read performance of the volume.

A mirrored volume is a fault tolerant volume consisting of two physical disks, in which the data on one disk is copied exactly on to the second disk.

A RAID-5 volume is also a fault-tolerant volume, where data is interleaved across three or more disks much in the same way as a striped volume, but with additional information known as parity. If one disk in a RAID-5 volume fails, the data on the failed disk can be rebuilt using the parity information stored on the other disks in the volume. A maximum of 32 disks can be used in this type of volume.
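How parity lets a RAID-5 volume survive the loss of one disk, as an added example that is not code from the lesson or from Windows Disk Management. It models three "disks" as lists of fixed-size chunks with the parity chunk rotating across the disks per stripe (the rotation is what distinguishes RAID-5 from RAID-4), and rebuilds whichever disk is declared failed by XOR-ing the survivors. The sample data is constructed.

```python
"""RAID-5 style striping with rotating parity and single-disk rebuild (added example).

Each stripe holds (ndisks - 1) data chunks plus one parity chunk equal to the
XOR of those data chunks. Because XOR is its own inverse, any one missing
chunk in a stripe (data or parity) equals the XOR of the remaining chunks,
which is all a rebuild needs.
"""


def xor_bytes(*chunks):
    """XOR equal-length byte strings together."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def write_stripes(data, ndisks, chunk):
    """Lay data out across ndisks as stripes with a rotating parity chunk.
    Returns a list of disks, each a list of chunk-sized byte strings."""
    assert ndisks >= 3, "RAID-5 needs at least three disks"
    per_stripe = chunk * (ndisks - 1)
    data += b"\x00" * (-len(data) % per_stripe)        # pad to whole stripes
    disks = [[] for _ in range(ndisks)]
    for s, off in enumerate(range(0, len(data), per_stripe)):
        pieces = [data[off + i * chunk: off + (i + 1) * chunk] for i in range(ndisks - 1)]
        parity_disk = s % ndisks                        # rotate parity position per stripe
        it = iter(pieces)
        for d in range(ndisks):
            disks[d].append(xor_bytes(*pieces) if d == parity_disk else next(it))
    return disks


def rebuild(disks, failed):
    """Recreate the failed disk's chunks from the surviving disks."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_bytes(*stripe) for stripe in zip(*survivors)]


def read_data(disks, chunk, length):
    """Reassemble the original data, skipping the parity chunk in each stripe."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = s % ndisks
        for d in range(ndisks):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out[:length])


def survive_one_failure(data, ndisks=3, chunk=4, failed=1):
    """Write, lose one disk, rebuild it, and read the data back."""
    disks = write_stripes(data, ndisks, chunk)
    damaged = [d if i != failed else None for i, d in enumerate(disks)]   # constructed failure
    damaged[failed] = rebuild([d for d in damaged if d is not None] + [[]] * 0, -1) if False else rebuild(disks, failed)
    return read_data(damaged, chunk, len(data)) == data


if __name__ == "__main__":
    sample = b"The quick brown fox jumps over the lazy dog"   # constructed sample data
    print(survive_one_failure(sample))
```

Two disks failing at once is not recoverable here: with two chunks missing from a stripe the XOR of the survivors has nothing to pin it to, which is why RAID-5 protects against a single disk failure only.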

When creating a new partition you can either assign the partition a drive letter, or you can configure a mount point that will appear as a folder within an existing drive letter.

Before you can manage a disk drive in Windows Server 2008, the disk needs to be initialized with one of the following two partition styles:

MBR (Master Boot Record) – this partition style is recognized by down-level operating systems.

GPT (GUID Partition Table) – this partition style is recommended for disks larger than 2TB, or for disks that are used in Itanium computers.

Installing Server Core:
Server Core is introduced as a new option in Windows Server 2008 for installing only the services required for a specific function or role (DHCP, DNS, file server, or domain controller), and it takes up an extremely small footprint. The installation process for Server Core is identical to the installation of a full version of Windows Server 2008. Once a Server Core computer is installed, however, it can be managed locally using only command-line utilities and the limited GUI facilities installed on a Server Core computer. A Server Core computer will allow you to launch the Windows Registry Editor, Notepad, and a number of Control Panel applets. However, it does not include a Start menu and does not allow you to install or run any of the MMC consoles, such as Computer Management or Active Directory Users and Computers.

Sunday, February 28, 2010

Lesson 1

Introduction to Networking Concepts

TCP/IP: The most commonly used network protocol on modern networks is the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. The TCP/IP protocols were developed by the Department of Defense ARPANET project (1960s). Their purpose is to share data with and talk to other computers, and only to those computers that we trust and want to allow access. TCP/IP is not just one protocol but a collection of specialized protocols and subprotocols. TCP/IP has become the protocol of choice, and both Microsoft and Novell NetWare use it as their default protocol.

IP Versions

IPv4 Addressing: Networks recognize two addresses: the logical (Network layer) IP address, assigned dynamically or manually, and the physical (MAC, hardware) address, which is static and assigned by the manufacturer. The IPv4 protocol handles logical addressing. An IP address is a unique 32-bit number, divided into four octets separated by periods. Example: 192.168.1.99. The addresses are further divided into classes; the first octet specifies the network class you are using on your network.

Classes (first octet in decimal, first octet in binary, default subnet mask or use):
A 1-126 00000001 - 01111111 Subnet Mask 255.0.0.0
B 128-191 10000000 - 10111111 Subnet Mask 255.255.0.0
C 192-223 11000000 - 11011111 Subnet Mask 255.255.255.0
D 224-239 11100000 - 11101111 Reserved for multicasting (video conferencing)
E 240-254 11110000 - 11110111 Testing and research

IPv6 Addressing is the next generation of IP addressing that is gradually replacing IPv4. IPv6 uses 128 bits, or 16 bytes, for addressing, thus providing 2^128 (about 340 billion) unique addresses. Most new development of applications, servers, and network devices supports it. Its advantages are a more efficient header, better security, better prioritization provisions, automatic IP address configuration, and billions of additional IP addresses. IPv6 enhances security through the use of IPSec, whereas in IPv4 IPSec is an optional feature.

DNS (Domain Name System): TCP/IP addresses are made up of numbers, which are not easily remembered by most humans. Therefore a naming system was established, which takes the host/device or domain IP address and gives it a common name, such as the host name “SERVER” or the domain name “procomps.com”. The DNS relies on many computers across the globe. These computers are related in a hierarchical and distributed manner, with 13 computers known as root servers, so DNS will not fail if a handful of the servers experience errors. Because of this distribution, when changing the DNS record for a mail server it can take up to 24 hours for all DNS servers in the system to update. Reasons to use DNS are its scalability, transparency, ease of use and simplicity. The components of DNS are namespaces, zones, name servers and resource records.



Dynamic Host Configuration Protocol (DHCP): Each host on a TCP/IP network needs to be configured with a unique IP address. Network administrators can use the Dynamic Host Configuration Protocol (DHCP) to automatically assign IP addresses to multiple client computers. DHCP is a simple, standard protocol that makes TCP/IP network configuration much easier for the administrator by dynamically assigning IP addresses and providing additional configuration information to DHCP clients automatically. Clients may also be configured to use APIPA or an alternate static IP address configuration if DHCP is unavailable. To support and use the DHCP service across multiple subnets, routers connecting each subnet should comply with the DHCP/BOOTP relay agent capabilities described in RFC 1542.

Five Benefits of DHCP:
• Centralized administration of IP configuration
• Dynamic host configuration
• Seamless IP host configuration
• Scalability
• Flexibility

DHCP relay agents eliminate the need to have a DHCP server on every subnet. The DHCP relay agent listens for DHCPDISCOVER, DHCPREQUEST and DHCPINFORM messages, which are broadcast by the client.

Using the Routing and Remote Access Service: The Routing and Remote Access service provides the ability to use a Windows Server 2008 computer as a router, which passes network traffic from one TCP/IP network to another, as well as remote access capabilities using either dial-up or VPN technology. The routing service included with Windows Server 2008 is better suited for smaller networks.

Network Access Protection (NAP)
Network Access Protection (NAP) is a new feature in Windows Server 2008. NAP allows administrators to enforce network security policies, such as mandatory anti-virus or firewall configuration.

Thursday, January 21, 2010

Blog Intro

My Name is Danny C

I'm taking the class to pass the Microsoft Exam 70-291. Currently the company Progressive Components, where I have been working for the past 11 years, has moved from a NetWare (GroupWise, iFolder) environment to an internal and hosted Microsoft environment. My company is now requiring me to get my Microsoft Certified Systems Administrator (MCSA) over the next year and I think this class will help me prep for the exams. I look forward to learning more along with refining my networking skills.