Information Sheet 1.1: Network Operating System (Nos) Features
NETWORK OPERATING SYSTEM (NOS) FEATURES
A network operating system is a software application that provides a platform for both the functionality of an
individual computer and for multiple computers within an interconnected network. Basically, a network operating
system controls other software and computer hardware to run applications, share resources, protect data and
establish communication. Individual computers run client operating systems, while network operating systems
create the software infrastructure for wireless, local and wide area networks to function.
Security Features
Network operating systems support a number of security features that control access to the network. These include
authorization and permission for access to the network, with specific control of features such as user management,
log-on controls and passwords. Systems also provide access control for features such as remote access and network
monitoring.
Networking
A network operating system is the platform on which computer networking takes place. Basic features allow for file,
print and Internet connections. Data backup and replication functions are controlled through the network operating
system. Connective systems for local and wide area networks (LANs and WANs), such as routers, switches and
other ports, are configured and managed through network operating system features.
Administrative Interface
One of the features of a network operating system is that it has an administrative interface that allows a network
administrator to monitor and maintain the system. This interface will have a menu that allows the administrator to
perform functions such as formatting hard drives and setting up security protocols for both the system and individual
users. The administrator can also configure security and data backup requirements for individual computers or the
network as a whole.
Computer Server
A server is a computer that provides data to other computers. It may serve data to systems on a local area network
(LAN) or a wide area network (WAN) over the Internet.
Catalog server: Maintains an index or table of contents of information that can be found across a large distributed
network, such as computers, users, files shared on file servers, and web apps. Directory servers and name servers
are examples of catalog servers. Clients include any computer program that needs to find something on the network,
such as a domain member attempting to log in, an email client looking for an email address, or a user looking for a
file.
Database server: Maintains and shares any form of database (organized collections of data with predefined
properties that may be displayed in a table) over a network. Clients include spreadsheets, accounting software, asset
management software or virtually any computer program that consumes well-organized data, especially in large
volumes.
Print server: Shares one or more printers over a network. Clients include computers in need of printing something.
Hardware requirement
Figure: A rack-mountable server with the top cover removed to reveal internal components.
Since servers are usually accessed over a network, many run unattended without a computer monitor or input
device, audio hardware and USB interfaces. Many servers do not have a graphical user interface (GUI); they are
configured and managed remotely. Remote management options include MMC, SSH or a web browser.
Large servers
Large traditional single servers would need to be run for long periods without interruption. Availability would have to be
very high, making hardware reliability and durability extremely important. Mission-critical enterprise servers would be
very fault tolerant and use specialized hardware with low failure rates in order to maximize uptime. Uninterruptible
power supplies might be incorporated to insure against power failure. Servers typically include
hardware redundancy such as dual power supplies, RAID disk systems, and ECC memory, along with extensive pre-
boot memory testing and verification. Critical components might be hot swappable, allowing technicians to replace
them on the running server without shutting it down, and to guard against overheating, servers might have more
powerful fans or use water cooling. They will often be able to be configured, powered up and down or rebooted
remotely, using out-of-band management, typically based on IPMI. Server casings are usually flat and wide, and
designed to be rack-mounted.
Computers on a network can be part of a workgroup or a domain. The main difference between workgroups and
domains is how resources on the network are managed. Computers on home networks are usually part of a
workgroup, and computers on workplace networks are usually part of a domain.
In a workgroup:
All computers are peers; no computer has control over another computer.
Each computer has a set of user accounts. To use any computer in the workgroup, you must have an account
on that computer.
There are typically no more than ten to twenty computers.
All computers must be on the same local network or subnet.
In a domain:
One or more computers are servers. Network administrators use servers to control the security and
permissions for all computers on the domain. This makes it easy to make changes because the changes are
automatically made to all computers.
If you have a user account on the domain, you can log on to any computer on the domain without needing an
account on that computer.
There can be hundreds or thousands of computers.
The computers can be on different local networks.
Server Manager
Server Manager is a new roles-based management tool for Windows Server 2008. It is a combination of Manage Your
Server and the Security Configuration Wizard (SCW) from Windows Server 2003. Server Manager is an improvement
of the Configure My Server dialog that launches by default on Windows Server 2003 machines. However, rather than
serve only as a starting point for configuring new roles, Server Manager gathers together all of the operations users
would want to conduct on the server, such as getting a remote deployment method set up, adding more server roles,
etc., and provides a consolidated, portal-like view of the status of each role.
This section defines the terms role, role service, and feature as they apply to Windows Server 2008.
Roles
Roles describe the primary function, purpose, or use of a computer. A specific computer can be dedicated to
perform a single role that is heavily used in the enterprise, or may perform multiple roles if each role is only
lightly used in the enterprise.
They provide users throughout an organization access to resources managed by other computers, such as
Web sites, printers, or files stored on different computers.
They typically include their own databases, which can queue user or computer requests, or record information
about network users and computers that relates to the role. For example, Active Directory Domain Services
includes a database for storing the names and hierarchical relationships of all computers in a network.
Once properly installed and configured, roles are designed to function automatically, allowing the computers
on which they are installed to perform prescribed tasks with limited user commands or supervision.
Role services
Role services are software programs that provide the functionality of a role. When you install a role, you can choose
which role services the role will provide for other users and computers in your enterprise. Some roles, such as DNS
Server, have only a single function, and therefore do not have available role services. Other roles, such as Terminal
Services, have several role services that can be installed, depending on the remote computing needs of your
enterprise.
You can consider a role as a grouping of closely related, complementary role services, for which, in the majority of
cases, installing the role means installing one or more of its role services.
Features
Features are software programs that, though they are not directly parts of roles, can support or augment the
functionality of one or more roles, or enhance the functionality of the entire server, regardless of which roles are
installed. For example, the Failover Clustering feature augments the functionality of other roles, such as File Services
and DHCP Server, by enabling them to join server clusters for increased redundancy and improved performance.
Another feature, Telnet Client, allows you to communicate remotely with a telnet server over a network connection,
functionality which enhances the communication options of the server as a whole.
Roles
The following roles are available for installation by opening the Add Roles Wizard, either from the Initial
Configuration Tasks window, or from within Server Manager.
Active Directory Certificate Services: Active Directory Certificate Services provides customizable services for
creating and managing public key certificates used in software security systems employing public key technologies.
Organizations can use Active Directory Certificate Services to enhance security by binding the identity of a person,
device, or service to a corresponding private key. Active Directory Certificate Services also includes features that
allow you to manage certificate enrollment and revocation in a variety of scalable environments. Applications
supported by Active Directory Certificate Services include Secure/Multipurpose Internet Mail Extensions (S/MIME),
secure wireless networks, virtual private networks (VPN), Internet Protocol security (IPsec), Encrypting File System
(EFS), smart card logon, Secure Socket Layer/Transport Layer Security (SSL/TLS), and digital signatures.
Active Directory Domain Services (AD DS): AD DS stores information about users, computers, and other devices on
the network. AD DS helps administrators securely manage this information and facilitates resource sharing and
collaboration between users. AD DS is also required to be installed on the network in order to install
directory-enabled applications such as Microsoft Exchange Server and for applying other Windows Server
technologies such as Group Policy.
Active Directory Federation Services (AD FS): AD FS provides Web single sign-on (SSO) technologies to
authenticate a user to multiple Web applications using a single user account. AD FS accomplishes this by securely
federating, or sharing, user identities and access rights, in the form of digital claims, between partner organizations.
Active Directory Rights Management Services (AD RMS): AD RMS is information protection technology that works
with AD RMS-enabled applications to help safeguard digital information from unauthorized use. Content owners can
define exactly how a recipient can use the information, such as who can open, modify, print, forward, and/or take
other actions with the information. Organizations can create custom usage rights templates such as "Confidential -
Read Only" that can be applied directly to information such as financial reports, product specifications, customer
data, and e-mail messages.
Application Server: Application Server provides a complete solution for hosting and managing high-performance
distributed business applications. Integrated services, such as the .NET Framework, Web Server Support, Message
Queuing, COM+, Windows Communication Foundation, and Failover Clustering support boost productivity throughout
the application life cycle, from design and development through deployment and operations.
Dynamic Host Configuration Protocol (DHCP) Server: The Dynamic Host Configuration Protocol allows servers to
assign, or lease, IP addresses to computers and other devices that are enabled as DHCP clients. Deploying DHCP
servers on the network automatically provides computers and other TCP/IP-based network devices with valid IP
addresses and the additional configuration parameters these devices need, called DHCP options, that allow them to
connect to other network resources, such as DNS servers, WINS servers, and routers.
DNS Server: Domain Name System (DNS) provides a standard method for associating names with numeric Internet
addresses. This makes it possible for users to refer to network computers by using easy-to-remember names instead
of a long series of numbers. Windows DNS services can be integrated with Dynamic Host Configuration Protocol
(DHCP) services on Windows, eliminating the need to add DNS records as computers are added to the network.
Fax Server: Fax Server sends and receives faxes, and allows you to manage fax resources such as jobs, settings,
reports, and fax devices on this computer or on the network.
File Services: File Services provides technologies for storage management, file replication, distributed namespace
management, fast file searching, and streamlined client
Network Policy and Access Services: Network Policy and Access Services delivers a variety of methods to provide
users with local and remote network connectivity, to connect network segments, and to allow network administrators
to centrally manage network access and client health policies. With Network Access Services, you can deploy VPN
servers, dial-up servers, routers, and 802.11 protected wireless access. You can also deploy RADIUS servers and
proxies, and use Connection Manager Administration Kit to create remote access profiles that allow client computers
to connect to your network.
Print Services: Print Services enables the management of print servers and printers. A print server reduces
administrative and management workload by centralizing printer management tasks.
Terminal Services: Terminal Services provides technologies that enable users to access Windows-based programs
that are installed on a terminal server, or to access the Windows desktop itself, from almost any computing device.
Users can connect to a terminal server to run programs and to use network resources on that server.
Universal Description, Discovery, and Integration (UDDI) Services: UDDI Services provides Universal Description,
Discovery, and Integration (UDDI) capabilities for sharing information about Web services within an organization's
intranet, between business partners on an extranet, or on the Internet. UDDI Services can help improve the
productivity of developers and IT professionals with more reliable and manageable applications. With UDDI Services
you can prevent duplication of effort by promoting reuse of existing development work.
Web Server (IIS): Web Server (IIS) enables sharing of information on the Internet, an intranet, or an extranet. It is a
unified Web platform that integrates IIS 7.0, ASP.NET, and Windows Communication Foundation. IIS 7.0 also
features enhanced security, simplified diagnostics, and delegated administration.
Windows Deployment Services: You can use Windows Deployment Services to install and configure Microsoft
Windows operating systems remotely on computers with Pre-boot Execution Environment (PXE) boot ROMs.
Administration overhead is decreased through the implementation of the WdsMgmt Microsoft Management Console
(MMC) snap-in, which manages all aspects of Windows Deployment Services. Windows Deployment Services also
provides end users an experience consistent with Windows Setup.
Hyper-V: Hyper-V provides the services that you can use to create and manage virtual machines and their resources.
Each virtual machine is a virtualized computer system that operates in an isolated execution environment. This
allows you to run multiple operating systems simultaneously.
Features
.NET Framework 3.0: .NET Framework 3.0 combines the power of the .NET Framework 2.0 APIs with new
technologies for building applications that offer appealing user interfaces, protect your customers' personal identity
information, enable seamless and secure communication, and provide the ability to model a range of business
processes.
Internet Printing Client: Internet Printing Client allows you to use HTTP to connect to and use printers that are on
Web print servers. Internet printing enables connections between users and printers that are not on the same
domain or network. Examples of uses include a traveling employee at a remote office site, or in a coffee shop
equipped with Wi-Fi access.
Internet Storage Name Server (iSNS): Internet Storage Name Server (iSNS) provides discovery services for Internet
Small Computer System Interface (iSCSI) storage area networks. iSNS processes registration requests,
deregistration requests, and queries from iSNS clients.
LPR Port Monitor: Line Printer Remote (LPR) Port Monitor allows users who have access to UNIX-based computers
to print on devices attached to them.
Multipath I/O: Multipath I/O (MPIO), along with the Microsoft Device Specific Module (DSM) or a third-party DSM,
provides support for using multiple data paths to a storage device on Microsoft Windows.
Peer Name Resolution Protocol: Peer Name Resolution Protocol (PNRP) allows applications to register on and
resolve names from your computer, so other computers can communicate with these applications.
Remote Assistance: Remote Assistance enables you (or a support person) to offer assistance to users
Removable Storage Manager: Removable Storage Manager (RSM) manages and catalogs removable media and
operates automated removable media devices.
RPC Over HTTP Proxy: RPC Over HTTP Proxy is a proxy that is used by objects that receive remote procedure calls
(RPC) over Hypertext Transfer Protocol (HTTP). This proxy allows clients to discover these objects even if the
objects are moved between servers or if they exist in discrete areas of the network, usually for security reasons.
Services for NFS: Services for Network File System (NFS) is a protocol that acts as a distributed file system,
allowing a computer to access files over a network as easily as if they were on its local disks. This feature is
available for installation in Windows Server 2008 for Itanium-based Systems only; in other versions of Windows
Server 2008, Services for NFS is available as a role service of the File Services role.
SMTP Server: SMTP Server supports the transfer of e-mail messages between e-mail systems.
Storage Manager for SANs: Storage Manager for Storage Area Networks (SANs) helps you create and manage
logical unit numbers (LUNs) on Fibre Channel and iSCSI disk drive subsystems that support Virtual Disk Service
(VDS) in your SAN.
SNMP Services: Simple Network Management Protocol (SNMP) is the Internet standard protocol for exchanging
management information between management console applications (such as HP OpenView, Novell NMS, IBM
NetView, or Sun Net Manager) and managed entities. Managed entities can include hosts, routers, bridges, and
hubs.
Telnet Client: Telnet Client uses the Telnet protocol to connect to a remote telnet server and run applications on that
server.
Telnet Server: Telnet Server allows remote users, including those running UNIX-based operating systems, to
perform command-line administration tasks and run programs by using a telnet client.
Trivial File Transfer Protocol (TFTP) Client: Trivial File Transfer Protocol (TFTP) Client is used to read files from, or
write files to, a remote TFTP server. TFTP is primarily used by embedded devices or systems that retrieve firmware,
configuration information, or a system image during the boot process from a TFTP server.
Network Load Balancing: Network Load Balancing (NLB) distributes traffic across several servers, using the TCP/IP
networking protocol. NLB is particularly useful for ensuring that stateless applications, such as a Web server running
Internet Information Services (IIS), are scalable by adding additional servers as the load increases.
Windows Server Backup: Windows Server Backup allows you to back up and recover your operating system,
applications, and data. You can schedule backups to run once a day or more often, and can protect the entire server
or specific volumes.
Windows Internet Name Service (WINS) Server: Windows Internet Name Service (WINS) Server provides a distributed
database for registering and querying dynamic mappings of NetBIOS names for computers and groups used on your
network. WINS maps NetBIOS names to IP addresses and solves the problems arising from NetBIOS name
resolution in routed environments.
Wireless LAN Service: Wireless LAN (WLAN) Service configures and starts the WLAN AutoConfig service,
regardless of whether the computer has any wireless adapters. WLAN AutoConfig enumerates wireless adapters,
and manages both wireless connections and the
Windows Internal Database: Windows Internal Database is a relational data store that can be used only by Windows
roles and features, such as UDDI Services, Active Directory Rights Management Services (AD RMS), Windows Server
Update Services, and Windows System Resource Manager.
Windows PowerShell: Windows PowerShell is a command line shell and scripting language that helps IT
professionals achieve greater productivity. It provides a new administrator-focused scripting language and more than
130 standard command line tools to enable easier system administration and accelerated automation.
Windows Process Activation Service: Windows Process Activation Service (WAS) generalizes the IIS process model,
removing the dependency on HTTP. All the features of IIS that were previously available only to HTTP applications
are now available to applications hosting Windows Communication Foundation (WCF) services, using non-HTTP
protocols. IIS 7.0 also uses WAS for message-based activation over HTTP.
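As an added example (not code from the information sheet), the same roles and features can be queried and added from PowerShell instead of the Add Roles Wizard. It assumes the ServerManager module that ships with Windows Server 2008 R2 and an elevated session; the feature names are the module's own, and the short list of cleartext-protocol features to review is this example's choice, drawn from the table above.

```powershell
# Added example, not from the information sheet: inventory and add roles and
# features from the command line. Assumes the ServerManager module of Windows
# Server 2008 R2 (Get-WindowsFeature / Add-WindowsFeature) in an elevated session.
Import-Module ServerManager

# Features from the table above whose protocols carry credentials or data in
# cleartext (Telnet, TFTP, SNMP v1/v2c), so their presence should be deliberate.
$ReviewFeatures = @('Telnet-Server', 'Telnet-Client', 'TFTP-Client', 'SNMP-Services')

function Get-InstalledFeatureReport {
    # Returns every installed role/feature, flagging the ones listed above.
    Get-WindowsFeature | Where-Object { $_.Installed } | ForEach-Object {
        New-Object PSObject -Property @{
            Name        = $_.Name
            DisplayName = $_.DisplayName
            Review      = ($ReviewFeatures -contains $_.Name)
        }
    }
}

function Install-RoleSet {
    # Install the DNS Server role and the File Server role service of File
    # Services, as the wizard would. Without -Commit this only previews what
    # would be installed, dependencies included.
    param([switch]$Commit)
    $names = 'DNS', 'FS-FileServer'
    if ($Commit) { Add-WindowsFeature -Name $names }
    else         { Add-WindowsFeature -Name $names -WhatIf }
}

Get-InstalledFeatureReport | Sort-Object Review -Descending |
    Format-Table Name, DisplayName, Review -AutoSize
Install-RoleSet   # preview only; run Install-RoleSet -Commit to actually install
```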
There are several different types of computer networks. Computer networks can be characterized by their size as well
as their purpose.
The size of a network can be expressed by the geographic area it occupies and the number of computers that are
part of the network. Networks can cover anything from a handful of devices within a single room to millions of devices
spread across the entire globe.
Some of the different networks based on size are:
A local area network, or LAN, consists of a computer network at a single site, typically an individual office
building. A LAN is very useful for sharing resources, such as data storage and printers. LANs can be built with
relatively inexpensive hardware, such as hubs, network adapters and Ethernet cables.
A wide area network, or WAN, occupies a very large area, such as an entire country or the entire world. A
WAN can contain multiple smaller networks, such as LANs or MANs. The Internet is the best-known example of a
public WAN.
In terms of purpose, many networks can be considered general purpose, which means they are used for everything
from sending files to a printer to accessing the Internet. Some types of networks, however, serve a very particular
purpose. Some of the different networks based on their main purpose are:
An enterprise private network is a computer network that helps an enterprise with a number of disparate offices
connect those offices to each other in a secure way over a network. An enterprise private network is mainly set up
to share computer resources.
Microsoft defines user rights in two types of categories: Logon Rights and Privileges. These are defined as follows:
Logon Right: A user right that is assigned to a user and that specifies the ways in which a user can log onto a
system. An example of a logon right is the right to log on to a system remotely.
Privilege: A user right that is assigned to a user and that specifies allowable actions on the system. An
example of a privilege is the right to shut down a system.
In general, however, user rights assigned to one group do not conflict with the rights assigned to another group. To
remove rights from a user, the administrator simply removes the user from the group. In this case, the user no longer
has the rights assigned to that group.
The following lists show the logon rights and privileges that can be assigned to a user.
Logon rights:
Access This Computer from Network
Deny Access to This Computer from the Network
Privileges:
Act as Part of the Operating System
Change the System Time
Increase Quotas
Some of the privileges can override permissions set on an object. For example, a user logged on to a domain account
as a member of the Backup Operators group has the right to perform backup operations for all domain servers.
Date Developed: Document No.
CBLM on CSS NC II August 2018 Issued By:
The Take Ownership of Files or Other Objects (Take Ownership) privilege grants Write Owner access to an
object. The Backup and Restore privileges grant read and write access to an object. The Debug Programs (Debug)
privilege grants read or open access to an object. The Bypass Traverse Checking (Change Notify) privilege provides
the reverse access on directories. This privilege is given, by default, to all users and is not considered security
relevant. The Manage Auditing and Security Log (Security) privilege provides several abilities, including access to
the security log and overriding access restrictions to the security log. The Event Logger is responsible for enforcing
the Security privilege in this context. The Take Ownership, Security, Backup, Restore and Debug privileges should
only be assigned to administrator accounts (see Appendix C, User Rights and Privileges, of the Windows 2000
Security Configuration Guide, for the restrictions on the assignment of privileges to be in accordance with the
Evaluated Configuration).
The special user account Local System has almost all privileges and logon rights assigned to it, because all processes
that are running as part of the operating system are associated with this account, and these processes require a
complete set of user rights.
Appendix C – User Rights and Privileges, of the Windows 2000 Security Configuration Guide, contains a cross-
reference table of user rights and privileges to applicable Security Target requirements that should be used as
reference when implementing a user rights policy that must address specific ST requirements.
Assigning User Rights
User rights are assigned through the Local Policies node of Group Policy. As the name implies, local policies
pertain to a local computer. However, local policies can be configured and then imported into Active Directory. Local
policies can also be configured as part of an existing Group Policy for a site, domain, or organizational unit. When
this is done, the local policies will apply to computer accounts in the site, domain, or organizational unit.
User rights policies can be administered as follows:
1. Log on using an administrator account.
2. Open the Active Directory Users and Computers tool.
3. Right-click the container holding the domain controller and click Properties.
4. Click the Group Policy tab, and then click Edit to edit the Default Domain Policy.
5. In the Group Policy window, expand Computer Configuration, navigate to Windows Settings, to Security
Settings, and then to Local Policies.
6. Select User Rights Assignment.
7. To configure user rights assignment, double-click a user right or right-click on it and select Security. This
opens a Security Policy Setting dialog box. The effective policy for the computer is displayed, but it cannot
be changed. However, the local policy settings can be adjusted. Use the fields provided to configure the local
policy. Remember that site, domain, and organizational unit policies have precedence over local policies.
For a site, domain, or organizational unit, individual user rights can be configured by completing the following
steps:
8. Open the Security Policy Setting dialog box for the user right to be modified.
9. Select Define these policy settings to define the policy.
10. To apply the right to a user or group, click Add.
11. In the Add user or group dialog box, click Browse. This opens the Select Users Or Groups dialog box. The
right can now be applied to users and groups. The following selection options appear on the Select Users Or
Groups box:
Look In: To access account names from the domain, click the Look In list box. There should be a list that
shows the current machine, the local domain, trusted domains, and other resources that can be accessed.
Select the local domain to view all the account names in the domain.
Name: The Name column shows the available accounts of the currently selected domain or resource.
Add: Add selected names to the selection list.
Check Names: Validate the user and group names entered into the selection list. This is useful if names are
typed in manually and it is necessary to ensure that they are actually available.
Note: Only domains that have been designated as trusted are available in the Look In drop-down list.
Because of the transitive trusts in Windows 2000, this usually means that all domains in the domain tree or
forest are listed. A transitive trust is one that is not established explicitly. Rather, the trust is established
automatically based on the forest structure and permissions set in the forest.
12. After selecting the account names to add to the group, click OK. The Add user or group dialog box
should now show the selected accounts. Click OK again.
13. The Security Policy Setting dialog box is updated to reflect the selections. If a mistake is made,
select a name and remove it by clicking Remove.
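As an added example (not code from the information sheet), the script below audits the User Rights Assignment that the procedure above edits, reporting any holder of the Take Ownership, Security, Backup, Restore or Debug privileges that the earlier text says belong only to administrator accounts. It assumes Windows PowerShell; the live export needs secedit.exe in an elevated session, and the allow-list (BUILTIN\Administrators, S-1-5-32-544) and the sample export are constructed assumptions.

```powershell
# Added example, not from the information sheet: audit User Rights Assignment
# for the privileges the text says should only go to administrator accounts.
# Assumes Windows PowerShell; the live audit also needs secedit.exe and an
# elevated session. The allow-list (BUILTIN\Administrators) is an assumption.

# Page names -> internal privilege constants as they appear in secedit exports.
$SensitivePrivileges = @{
    'SeTakeOwnershipPrivilege' = 'Take Ownership of Files or Other Objects'
    'SeSecurityPrivilege'      = 'Manage Auditing and Security Log'
    'SeBackupPrivilege'        = 'Back Up Files and Directories'
    'SeRestorePrivilege'       = 'Restore Files and Directories'
    'SeDebugPrivilege'         = 'Debug Programs'
}
$AllowedSids = @('S-1-5-32-544')   # BUILTIN\Administrators

function ConvertFrom-SeceditExport {
    # Parse the [Privilege Rights] section of a secedit export into a hashtable:
    # privilege name -> array of principals (SIDs carry a leading '*').
    param([string[]]$Lines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $principals = $Matches[2] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
            $rights[$Matches[1]] = @($principals)
        }
    }
    return $rights
}

function Resolve-PrincipalName {
    # Translate '*S-1-5-32-551' to 'BUILTIN\Backup Operators'; plain names pass through.
    param([string]$Principal)
    if ($Principal -notmatch '^\*(S-1-.+)$') { return $Principal }
    $sid = $Matches[1]
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $sid   # unresolvable (e.g. a deleted account): report the raw SID
    }
}

function Find-SensitivePrivilegeGrants {
    # One finding per (privilege, principal) pair where the principal is not allow-listed.
    param([hashtable]$Rights)
    $findings = @()
    foreach ($priv in $SensitivePrivileges.Keys) {
        if (-not $Rights.ContainsKey($priv)) { continue }
        foreach ($p in $Rights[$priv]) {
            if ($AllowedSids -contains $p.TrimStart('*')) { continue }
            $findings += New-Object PSObject -Property @{
                Privilege   = $priv
                DisplayName = $SensitivePrivileges[$priv]
                Principal   = Resolve-PrincipalName $p
            }
        }
    }
    return $findings
}

function Get-LiveUserRights {
    # Export the effective local policy of this host (elevated session required).
    $path = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $path /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $path   # secedit writes a Unicode file; the BOM is honored
    Remove-Item $path
    return ConvertFrom-SeceditExport $lines
}

# Constructed sample export (not taken from a real host): Backup Operators hold
# the Backup and Restore privileges, which the text limits to administrators.
$sample = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeDebugPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

Find-SensitivePrivilegeGrants (ConvertFrom-SeceditExport $sample) |
    Format-Table Privilege, DisplayName, Principal -AutoSize
# To audit the running host instead, pass (Get-LiveUserRights) to Find-SensitivePrivilegeGrants.
```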
3. We are going to click on our Users section where we are going to create a new User Account. To do so, right-click on
the blank section, point to New and select User.
In our example we are going to create a user account for Billy Miles and his logon name will be miles. When done, click on
the Next button.
In our example we are going to have the user change his password at his next logon. You can also prevent a user from
changing his password, set the password so that it will never expire or completely disable the account.
6. And finally, click on the Finish button to complete the creation of new User Account.
A user template in Active Directory will make your life a little easier, especially if you are creating users for a specific
department, with exactly the same properties, and membership to the same user groups. A user template is nothing more
than a disabled user account that has all these settings already in place. The only thing you are doing is copying this
account, adding a new name and a password.
You may have multiple user templates for multiple purposes with different settings and properties. There is no limit on the
number of user templates, but keep in mind that they are there to help you, not to confuse you, so less is better.
To create a user template, we are going to create a regular user account just like we did above. A little note here: you may
want to add an * as the first character of the name so it floats to the top in AD and is much easier to find.
1. To start out, right-click on the empty space, point to new, and select User.
3. Create the template's password and do not forget to check the box next to the Account is disabled option. When ready,
click Next.
1. Now, in order to use that user template, we are going to select it, copy it and add the unique information such as user
name, password, etc.
We can do that for as many users as needed. Let's start by right-clicking on the template and selecting Copy.
2. Next we are going to enter the user's name, login and password information while making sure the checkbox next
to Account is disabled is unchecked.
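The same copy-from-template operation in PowerShell, as an added example that is not from the information sheet: it copies the template's settings and group memberships, gives the copy its own name and password, requires a password change at next logon, and enables the account. It assumes the ActiveDirectory module (Windows Server 2008 R2 or later) and a disabled template whose logon name is tmpl.sales; the user Billy Miles / miles follows the text, and the password prompt is the example's own choice.

```powershell
# Added example, not from the information sheet: create a user by copying a
# disabled template account. Assumes the ActiveDirectory module (Windows Server
# 2008 R2 or later); 'tmpl.sales' is an assumed template logon name.
Import-Module ActiveDirectory

function New-UserFromTemplate {
    param(
        [Parameter(Mandatory=$true)][string]$TemplateSam,     # template's logon name
        [Parameter(Mandatory=$true)][string]$Name,            # full name of the new user
        [Parameter(Mandatory=$true)][string]$GivenName,
        [Parameter(Mandatory=$true)][string]$Surname,
        [Parameter(Mandatory=$true)][string]$SamAccountName,  # logon name of the new user
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Password
    )
    # Writable attributes to carry over. -Instance copies only the attributes
    # that were loaded, so they are listed explicitly; group membership is
    # handled separately because memberOf cannot be set on a new object.
    $copied = 'Department', 'Description', 'Company', 'Office', 'City', 'State',
              'PostalCode', 'Country', 'ScriptPath'
    $template = Get-ADUser -Identity $TemplateSam -Properties $copied

    # A template is, by the text's definition, a disabled account; refuse to
    # copy from a live one so a real user's settings are never cloned by mistake.
    if ($template.Enabled) {
        throw "Template '$TemplateSam' is enabled; templates should be disabled accounts."
    }

    $ou     = ($template.DistinguishedName -split ',', 2)[1]   # same OU as the template
    $domain = (Get-ADDomain).DNSRoot

    # Explicit parameters override the values copied from the instance, which
    # is how the copy gets its own name, logon name and an enabled state.
    $user = New-ADUser -Name $Name -DisplayName $Name `
        -GivenName $GivenName -Surname $Surname `
        -SamAccountName $SamAccountName `
        -UserPrincipalName "$SamAccountName@$domain" `
        -Path $ou `
        -Instance $template `
        -AccountPassword $Password `
        -ChangePasswordAtLogon $true `
        -Enabled $true `
        -PassThru

    # Copy group memberships, skipping the primary group (normally Domain Users),
    # which every new user already belongs to.
    $primaryGroup = (Get-ADUser -Identity $TemplateSam -Properties PrimaryGroup).PrimaryGroup
    Get-ADPrincipalGroupMembership -Identity $TemplateSam |
        Where-Object { $_.DistinguishedName -ne $primaryGroup } |
        ForEach-Object { Add-ADGroupMember -Identity $_ -Members $user }

    return $user
}

$password = Read-Host -Prompt 'Initial password for the new user' -AsSecureString
New-UserFromTemplate -TemplateSam 'tmpl.sales' -Name 'Billy Miles' `
    -GivenName 'Billy' -Surname 'Miles' -SamAccountName 'miles' -Password $password
```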
A web application is a computer program that utilizes web browsers and web technology to perform
tasks over the Internet.
Millions of businesses use the Internet as a cost-effective communications channel. It lets them exchange information
with their target market and make fast, secure transactions. However, effective engagement is only possible when the
business is able to capture and store all the necessary data, and have a means of processing this information and
presenting the results to the user.
Web applications use a combination of server-side scripts (PHP and ASP) to handle the storage and retrieval of the
information, and client-side scripts (JavaScript and HTML) to present information to users. This allows users to
interact with the company using online forms, content management systems, shopping carts and more. In addition, the
applications allow employees to create documents, share information, collaborate on projects, and work on common
documents regardless of location or device.
Windows Server 2008 introduced the most significant changes to Active Directory Domain Services (AD DS) since its
inaugural release in Windows 2000 Server. Microsoft has continued along this path with Windows Server 2008 R2,
making it the most noteworthy interim release of Windows Server.
Since this is the first DC in our domain we can change our forest functional level to Server 2008 R2.
We want to include DNS in our installation, as this allows us to have an AD-integrated DNS zone. When you click
Next you will be prompted with a message; just click Yes to continue.
Date Developed: Document No.
CBLM on CSS NC II August 2018 Issued By:
You will be able to see what components are being installed by looking in the following box.
When it’s done you will be notified and required to reboot your PC.
DNS Server
Installing a Domain Name System (DNS) server involves adding the DNS server role to an existing Windows
Server 2008 server. You can also install the DNS server role when you install the Active Directory Domain Services
(AD DS) role. This is the preferred method for installing the DNS Server role if you want to integrate your DNS domain
namespace with the AD DS domain namespace.
A DNS server is any computer registered to join the Domain Name System.
A DNS server runs special-purpose networking software, features a public IP address, and contains a database of
network names and addresses for other Internet hosts.
You can use this topic to install the File Services server role and the BranchCache for Network Files role service on
the content server Content-01.
To perform this procedure, you must be a member of the Administrators group on the local computer.
1. On Content-01, click Start, point to Administrative Tools, and then click Server Manager.
2. In Roles Summary, click Add Roles.
3. In the Add Roles Wizard, on the Before You Begin page, click Next.
4. On the Select Server Roles page, select File Services, and then click Next.
7. On the Confirm Installation Selections page, confirm your selections, and then click Install.
8. On the Installation Results page, confirm that your installation of the File Services role and required role
services completed successfully, and then click Close.
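The same two role installations (DNS Server, and File Services with the BranchCache for Network Files role service) done from PowerShell instead of the Add Roles wizard, as an added example that is not part of the original material. It uses the ServerManager module of Windows Server 2008 R2 (the original 2008 release has ServerManagerCmd.exe instead); the feature names are the ones Get-WindowsFeature reports.

```powershell
# Added example: scripted role installation with a before/after check.
Import-Module ServerManager

# DNS = DNS Server role; FS-FileServer = File Services / File Server;
# FS-BranchCache = BranchCache for Network Files role service.
$roles = @('DNS', 'FS-FileServer', 'FS-BranchCache')

# Record what is present before touching anything (useful for change tickets).
Get-WindowsFeature | Where-Object { $roles -contains $_.Name } |
    Format-Table Name, DisplayName, Installed -AutoSize

$result = Add-WindowsFeature -Name $roles
$result | Format-List Success, RestartNeeded, FeatureResult

# Verify: every requested role must now report Installed = True.
$missing = Get-WindowsFeature | Where-Object { $roles -contains $_.Name -and -not $_.Installed }
if ($missing) { throw "Not installed: $($missing.Name -join ', ')" }

# The DNS Server service should be running once the role is on.
Get-Service -Name DNS | Select-Object Name, Status
```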
Installing Windows Server 2008 DHCP Server is easy. DHCP Server is now a “role” of Windows Server 2008 – not a
Windows component as it was in the past.
To do this, you will need a Windows Server 2008 system already installed and configured with a static IP address.
You will need to know your network’s IP address range, the range of IP addresses you will want to hand out to your
PC clients, your DNS server IP addresses, and your default gateway. Additionally, you will want to have a plan for all
subnets involved, what scopes you will want to define, and what exclusions you will want to create.
To start the DHCP installation process, you can click Add Roles from the Initial Configuration Tasks window or from
Server Manager > Roles > Add Roles.
When the Add Roles Wizard comes up, you can click Next on that screen.
Next, select that you want to add the DHCP Server Role, and click Next.
If you do not have a static IP address assigned on your server, you will get a warning that you should not install DHCP
with a dynamic IP address.
At this point, you will begin being prompted for IP network information, scope information, and DNS information. If you
only want to install DHCP server with no configured scopes or settings, you can just click Next through these
questions and proceed with the installation.
On the other hand, you can optionally configure your DHCP Server during this part of the installation.
In my case, I chose to take this opportunity to configure some basic IP settings and configure my first DHCP Scope.
I was shown my network connection binding and asked to verify it, like this:
What the wizard is asking is, “what interface do you want to provide DHCP services on?” I took the default and clicked
Next.
Next, I entered my Parent Domain, Primary DNS Server, and Alternate DNS Server (as you see below) and clicked
Next.
Then, I was prompted to configure a DHCP scope for the new DHCP Server. I have opted to configure an IP address
range of 192.168.1.50-100 to cover the 25+ PC Clients on my local network. To do this, I clicked Add to add a new
scope. As you see below, I named the Scope WBC-Local, configured the starting and ending IP addresses of
192.168.1.50-192.168.1.100, subnet mask of 255.255.255.0, default gateway of 192.168.1.1, type of
subnet (wired), and activated the scope.
Back in the Add Scope screen, I clicked Next to add the new scope (once the DHCP Server is installed).
Then, I confirmed my DHCP Installation Selections (on the screen below) and clicked Install.
After only a few seconds, the DHCP Server was installed and I saw the window, below:
I clicked Close to close the installer window, then moved on to how to manage my new DHCP Server.
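The scope the wizard built above, expressed as netsh commands so it can be reproduced or audited from a script. This is an added example, not the article's own steps: the DNS server address, the parent domain, the exclusion range and the server's FQDN are assumptions; the scope name, range, mask and gateway are the article's WBC-Local values. On Windows Server 2008 netsh is the scripting interface for DHCP (the DhcpServer PowerShell module only arrived in Windows Server 2012).

```powershell
# Added example: rebuild the WBC-Local scope with netsh, then verify it.
$scope  = '192.168.1.0'          # scope ID = network address
$mask   = '255.255.255.0'
$dnsSrv = '192.168.1.10'         # assumed AD-integrated DNS server
$domain = 'corp.example'         # assumed parent domain

netsh dhcp server add scope $scope $mask "WBC-Local" "Wired LAN clients"
netsh dhcp server scope $scope add iprange 192.168.1.50 192.168.1.100
# Exclusions keep addresses that are statically assigned (assumed: printers at
# .96-.100) out of the pool even though they sit inside the range.
netsh dhcp server scope $scope add excluderange 192.168.1.96 192.168.1.100
# Scope options: 003 = router (default gateway), 006 = DNS servers, 015 = DNS domain.
netsh dhcp server scope $scope set optionvalue 003 IPADDRESS 192.168.1.1
netsh dhcp server scope $scope set optionvalue 006 IPADDRESS $dnsSrv
netsh dhcp server scope $scope set optionvalue 015 STRING $domain
netsh dhcp server scope $scope set state 1     # 1 = activate the scope

# In an AD domain a DHCP server hands out no leases until it is authorized in
# the directory; unauthorized servers answering on the wire are a rogue-DHCP
# indicator worth alerting on. Server FQDN and address are assumed.
netsh dhcp add server dhcp01.corp.example 192.168.1.10

# Verification: scope options as configured, and the leases currently handed out
# (what the MMC shows under Address Leases).
netsh dhcp server scope $scope show optionvalue
netsh dhcp server scope $scope show clients 1
```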
Like the installation, managing Windows Server 2008 DHCP Server is also easy. Back in my Windows Server
2008 Server Manager, under Roles, I clicked on the new DHCP Server entry.
While I cannot manage the DHCP Server scopes and clients from here, what I can do is to manage what events,
services, and resources are related to the DHCP Server installation. Thus, this is a good place to go to check the
status of the DHCP Server and what events have happened around it.
However, to really configure the DHCP Server and see what clients have obtained IP addresses, I need to go to the
DHCP Server MMC. To do this, I went to Start > Administrative Tools > DHCP Server, like this:
When expanded out, the MMC offers a lot of features. Here is what it looks like:
The DHCP Server MMC offers IPv4 & IPv6 DHCP Server info including all scopes, pools, leases, reservations, scope
options, and server options.
If I go into the address pool and the scope options, I can see that the configuration we made when we installed the
DHCP Server did, indeed, work. The scope IP address range is there, and so are the DNS Server & default gateway.
So how do we know that this really works if we do not test it? The answer is that we do not. Now, let’s test to make
sure it works.
To test this, I have a Windows Vista PC Client on the same network segment as the Windows Server 2008 DHCP
server. To be safe, I have no other devices on this network segment.
Also, I went to my Windows 2008 Server and verified that the new Vista client was listed as a client on the DHCP
server. This did indeed check out, as you can see below:
Figure 14: Win 2008 DHCP Server has the Vista client listed under Address Leases
With that, I knew that I had a working configuration and we are done!
In this article, you learned how to install and configure DHCP Server in Windows Server 2008. During that process,
you learned what DHCP Server is, how it can help you, how to install it, how to manage the server, and how to
configure DHCP server specific settings like DHCP Server scopes. In the end, we tested our configuration and it all
worked! Good luck configuring your Windows Server 2008 DHCP Server!
Folder Redirection in Group Policy allows a systems administrator to redirect certain folders from a user’s profile to a
file server.
To get started with Folder Redirection, you’ll need to be running Active Directory (any functional level), have an
available file server, and a management station running the Group Policy Management Console. As with most Group
Policy, the latest version of the GPMC is preferred, but most of these settings are available in older versions.
FIGURE 1: In the GPMC, the Folder Redirection settings can be found in User Configuration > Policies > Windows
Settings > Folder Redirection. If you’re using the GPMC in Windows XP, you can redirect Application Data, Desktop,
My Documents, and the Start Menu. In addition, folders in Windows XP that are inside the My Documents folder like
My Music and My Pictures will follow My Documents when it is redirected.
FIGURE 5: The easiest method for provisioning new folders for users is to allow the logon process to create all of the
folders automatically as they are redirected to the file server. To do this, you’ll need to set the file permissions so that
users can create folders, but not access the folders of other users. This can all be done in the GUI, but I prefer using
the icacls.exe utility to set the file permissions for something like this so I can be sure I don’t miss something. Here are
the commands you’ll need:
Give “Everyone” execute/traverse (x), read attributes (ra), and append data/add subdirectory (ad). After
running the command, your permissions should look like this:
Administrators (Full Control) – This folder, sub-folders, and files
SYSTEM (Full Control) – This folder, sub-folders, and files
CREATOR OWNER (Full Control) – Sub-folders, and files
Everyone (Special – Traverse Folder/Execute File, Read Attributes, Create Folders/Append Data) – This folder
only
Second, List folder/read data is also missing because we don’t want users to be able to enumerate folders in the
share. Here’s what it will look like to the end user if they try to go to \\fileserver\Users:
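The icacls commands that produce exactly the four entries listed above, as an added example (these are not the article's own commands, which are not reproduced on this page). D:\Users and the share name are assumptions. The two details that matter for security are in the Everyone entry: no inheritance flags, so it applies to this folder only, and no RD (list folder / read data) right, so a user can create their own folder but cannot enumerate anyone else's.

```powershell
# Added example: NTFS permissions for a Folder Redirection root.
$root = 'D:\Users'   # assumed root folder
New-Item -ItemType Directory -Path $root -Force | Out-Null

# Start from a clean ACL: strip inherited entries so nothing from the volume
# root (for example BUILTIN\Users Read) leaks into the share.
icacls $root /inheritance:r

# Administrators and SYSTEM: Full Control on this folder, subfolders and files.
icacls $root /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F'

# CREATOR OWNER: Full Control on subfolders and files only (IO = inherit only),
# so each user fully owns the folder the logon process creates for them.
icacls $root /grant 'CREATOR OWNER:(OI)(CI)(IO)F'

# Everyone, this folder only: X = traverse/execute, RA = read attributes,
# AD = append data / add subdirectory. Deliberately no RD (list folder).
icacls $root /grant 'Everyone:(X,RA,AD)'

# Share it. Share permissions are kept simple; the NTFS ACL above is what
# actually restricts access. (Share name is an assumption.)
net share "Users=$root" /grant:Everyone,CHANGE

# Verification: the ACL should show exactly the four entries, with the
# Everyone entry carrying no (OI)(CI) flags.
icacls $root
```

To confirm the effect, log on as an ordinary test user: "dir \\fileserver\Users" should be denied while creating "\\fileserver\Users\<that user>" succeeds. If the logon process is to create the folders, leave "Grant the user exclusive rights" unchecked in the policy as described below; otherwise the CREATOR OWNER entry is rewritten so that even Administrators lose access.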
Type in the name of your server and the path to your Users share. If you used the option to create a folder for each
user under the path, you’ll see that your folder structure should be in the format
\\fileserver\Users\%username%\redirectedfoldername for each Folder Redirection you configure.
Go to the Settings tab. Uncheck the checkbox by “Grant the user exclusive rights to Documents.” If you don’t uncheck
this setting, the permissions will be configured so that even Administrators won’t be able to access the files without
changing the folder permissions.
Choose the settings for the remaining options that work for your environment and click OK.
That’s it! All you need to do is go to your test system, refresh Group Policy, log off, and log back in.
Windows Terminal Services has come a long way since its infancy and has improved with every version of Windows,
and Windows 2008 R2 is no exception. There are even noticeable differences between Windows 2008 and Windows
2008 R2, and it should be seriously considered as a worthy upgrade for those currently running older versions of the
Windows component. I first began working with Terminal Server technologies back in the day of WinFrame, which
was a “special” version of Windows NT 3.5.1 that was developed by Citrix. Since then I have worked with all versions
of Terminal Server from NT4 to the most recent Windows 2008 R2, which I am excited about.
This 3 part series will consist of the following articles and will provide you with step by step instructions in getting most
of your Remote Desktop infrastructure in place:
Part 1 – Installation of Remote Desktop Services
Part 2 – Configuration of Remote Desktop Gateway and Remote Desktop Client
Part 3 – Configuration of Remote Desktop Web Access
In Windows 2008 R2, Terminal Server and its underlying components are now referred to as Remote Desktop Services
(RDS). The below table is a snippet directly from TechNet outlining the renaming of Terminal Server and its services:
Previous name (Windows 2008)                           Name in Windows Server 2008 R2
Terminal Services Licensing (TS Licensing)             Remote Desktop Licensing (RD Licensing)
Terminal Services Gateway (TS Gateway)                 Remote Desktop Gateway (RD Gateway)
Terminal Services Session Broker (TS Session Broker)   Remote Desktop Connection Broker (RD Connection Broker)
Terminal Services Web Access (TS Web Access)           Remote Desktop Web Access (RD Web Access)
Before delving into the step by step guide I will quickly highlight some of the enhancements and improvements that
have been incorporated in this release; this is by no means a comprehensive list, however I have provided a number
of links at the end of this post to TechNet articles outlining What’s New in RDS.
Windows Server 2008 R2 is 64 bit only, meaning that RDS is also 64 bit.
Forms based authentication for Remote Desktop Web Access
Per user RemoteApp program filtering
Enhancements to Remote Desktop Client experience such as multiple monitor support, Audio recording
redirection and Audio and Video playback
Windows Installer compatibility
Introduction of Remote Desktop Virtualization Host providing personal virtual desktops utilizing Hyper-V (note:
This technology will not be discussed in this series, however I will have a future post dedicated to this new inclusion)
So let’s begin the installation by navigating to Start / Administrative Tools / Server Manager (this post assumes
that you already have a dedicated Windows 2008 R2 server set up).
Click Next
Select Remote Desktop Services as the role to install on this server.
Click Next.
The below introduction to Remote Desktop Services is displayed. Microsoft have done a great job in providing
administrators with thorough documentation pertaining to the role being installed.
Adding the Remote Desktop Gateway and/or Remote Desktop Web Access will prompt you to install other services
that are prerequisites, such as IIS.
Because this is a new install of Windows 2008 R2, I can ignore this warning and click Next.
You will now be required to specify an Authentication Method for the Remote Desktop Session Host. The two options
provided below are as follows;
Require Network Level Authentication: This is more secure as user authentication occurs before a full remote
desktop session is established, however it is only supported by Remote Desktop Client 6 and greater running on
Windows Vista or Windows XP SP3 (Windows 7 is equipped with Remote Desktop Client 7) as they are the only
current operating systems that support Credential Security Support Provider (CredSSP) protocol. Please be aware
that the CredSSP is turned off by default on Windows XP SP3 and must be turned on via the registry.
Do not require Network Level Authentication: This is less secure because authentication occurs later in the
connection process, however is supported by all Remote Desktop clients and all versions of Windows.
Click Next.
Specify your Licensing Mode
Click Next
You will then be prompted to select user groups that you would like to provide access to the Remote Session Host
Server. By Default, the “Administrators” group is added and I will also be adding a security group that I have created
specifically for my Remote Desktop Users. Users or User groups added in this section will be automatically added to
the local Remote Desktop Users group.
I will be selecting all 3 options provided, with one of the enhancements to Remote Desktop Services in R2 being the
ability to provide users with a much better Video playback experience than in previous releases. It does so by
offloading the actual video playback to the local graphics processing unit. More information on Multimedia Redirection
Improvements in Windows 7 and WS2008 R2 can be found
Click Next
The next screen provides you with the ability to configure discovery scope for RD licensing. Following Microsoft’s
recommendation, I will not configure a discovery scope for the license server and will utilize the inbuilt RDS Host
configuration tool instead.
Click Next
The next part of the wizard is all about creating your RD CAP and RD RAP. Don’t worry too much if you don’t get
everything right in the wizard as all of these options are configurable post wizard installation.
Click Next
The next part of this wizard provides you with a primer on Network Policy and Access Services.
Click Next
The following screen provides you with an introduction to the Web Server Role that is required to be installed for
Remote Desktop Web Access.
We are finally presented with a summary of the confirmed installation selections that we have made throughout this
wizard. It is worthwhile printing and or saving this information via the available hyperlink to form part of your
documentation. Kudos to Microsoft who in my own opinion has done a great job with their wizard based installations
which ease the usual configuration pains associated with such an install.
To enable Remote Desktop, open the System Properties. My favorite method is to hold down the Windows Key, then
press the Pause / Break key. Alternatively, you could navigate via the Control Panel, Support and Maintenance,
System and then Remote Settings. Naturally, add your own account in the Select Users dialog box, because in this
scenario, you will be the person taking advantage of Remote Desktopping to this machine. If in doubt, select the link
'Help me choose'.
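The three Remote Desktop settings covered in this part, enabling Remote Desktop, choosing the Network Level Authentication option for the session host, and populating the Remote Desktop Users group, checked and enforced from PowerShell on the server itself. This is an added example, not the article's procedure; it uses the root\cimv2\TerminalServices WMI classes present on Windows Server 2008 and 2008 R2, and the domain group name is an assumption.

```powershell
# Added example: audit and harden the RDP listener without the GUI.
$ns = 'root\cimv2\TerminalServices'

function Get-RdpSecurityState {
    $ts  = Get-WmiObject -Namespace $ns -Class Win32_TerminalServiceSetting
    $gen = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    New-Object PSObject -Property @{
        RemoteDesktopEnabled = ($ts.AllowTSConnections -eq 1)
        # NLA: the client authenticates via CredSSP before any session is created,
        # so an unauthenticated peer never reaches the logon screen.
        NlaRequired          = ($gen.UserAuthenticationRequired -eq 1)
        SecurityLayer        = $gen.SecurityLayer       # 0 = RDP, 1 = negotiate, 2 = TLS
        MinEncryptionLevel   = $gen.MinEncryptionLevel  # 1 low, 2 client compatible, 3 high, 4 FIPS
    }
}

function Set-RdpHardened {
    $ts = Get-WmiObject -Namespace $ns -Class Win32_TerminalServiceSetting
    # Enable Remote Desktop; second argument 1 also opens the firewall exception.
    $null = $ts.SetAllowTSConnections(1, 1)

    $gen = Get-WmiObject -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $null = $gen.SetUserAuthenticationRequired(1)   # "Require Network Level Authentication"
    $null = $gen.SetSecurityLayer(2)                # TLS only
    $null = $gen.SetEncryptionLevel(3)              # High
}

# Who may connect: same effect as the wizard's user-group page, which adds the
# selected groups to the local Remote Desktop Users group. Group name assumed.
function Grant-RdpAccess ([string]$Group = 'CORP\RDS-Users') {
    net localgroup "Remote Desktop Users" $Group /add
}

Get-RdpSecurityState | Format-List      # before
Set-RdpHardened
Grant-RdpAccess
Get-RdpSecurityState | Format-List      # after: NlaRequired should now be True
net localgroup "Remote Desktop Users"
```

Choosing "Do not require Network Level Authentication" to accommodate old clients leaves UserAuthenticationRequired at 0; the audit function above is a quick way to find session hosts still in that state before deciding whether the client fleet really still needs it.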
Trap: Confusing Remote Desktop with Remote Assistance.
To activate the client side of the connection, i.e. on the remote machine, go to Start, All Programs, Accessories and
Remote Desktop Connection.
The first step is to ensure that the Print Services role is installed, which enables a number of required administrative
steps. This is not the same as the Printers applet in the Control Panel: the latter doesn't run in an administrative
context, and will not allow many of the operations required for installation and management of printers.
FIGURE 1: Launch the Server Manager, and approve the User Account Control prompt when offered. We are strong
supporters of UAC and never disabled it.
If a "Before You Begin" box is displayed, read and click through it.
Likewise, review the Introduction to Print Services page and click Next to get started.
FIGURE 2: Launch Server Manager from the Start Menu, expand the local server's name, and then expand
the Roles item. If Print Services are already found, then stop.
FIGURE 4: Most users require only Print Server — this provides normal ordinary Windows printing support.
LPD is an older UNIX-style printing that's not commonly used in Windows environments. If not sure, leave unchecked.
The Internet Printing Protocol is likewise not commonly used. If not sure, leave unchecked.
FIGURE 5: This final dialog confirms what's about to be performed, and although it warns that a system reboot may be
necessary, it didn't require one when we added print services to our server.
Administrating Printers
With Print Services fully installed, there are several places that can perform printer administration.
This is the main Print Management application for administration of printing resources. This is an MMC snap-in, so it
fits right in with all the other administrative
This launches the same Print Management MMC application directly, without going through the Server
Manager. This can be made into a shortcut onto the desktop if print management will be done often.
Unlike the previous two items, which run with Administrative privileges because of the UAC elevation, the
Control Panel runs in the user's Windows Explorer context without administrative rights.
Only the machine's local Administrator — not merely a member of the local Administrators group — has
these rights automatically, so it forbids changes to most settings. This stumped a number of experienced
admins for days.
It turns out that right-clicking a printer and selecting Run as administrator, then Open will allow full
administration after the UAC confirmation.
1. Click Start and then click Network. In Network Explorer, click Network and Sharing Center on the toolbar.
2. In Network and Sharing Center, click Manage Network Connections.
3. In Network Connections, right-click the connection you want to work with and then select Properties.
4. This displays the Local Area Connection Properties dialog box, shown in figure 21-1.
Figure 1 Install and configure TCP/IP in the Local Area Connection Properties dialog box.
5. If Internet Protocol Version 6 (TCP/IPv6), Internet Protocol Version 4 (TCP/IPv4), or both aren't shown in the
list of installed components, you'll need to install them. Click Install. Select Protocol, and then click Add. In the
Select Network Protocol dialog box, select the protocol to install and then click OK. If you are installing both
TCP/IPv6 and TCP/IPv4, repeat this procedure for each protocol.
6. In the Local Area Connection Properties dialog box, make sure that the following are selected as appropriate:
Internet Protocol Version 6 (TCP/IPv6), Internet Protocol Version 4 (TCP/IPv4), or both. Then click OK.
7. As necessary, follow the instructions in the next section for configuring local area connections for the
computer.
A local area connection is created automatically if a computer has a network adapter and is connected to a network. If
a computer has multiple network adapters and is connected to a network, you'll have one local area connection for
each adapter. If no network connection is available, you should connect the computer to the network or create a
different type of connection, as explained in "Managing Network Connections" on page 671.
Computers use IP addresses to communicate over TCP/IP. Windows Server 2008 provides the following ways to
configure IP addressing:
Manually IP addresses that are assigned manually are called static IP addresses. Static IP addresses are
fixed and don't change unless you change them. You'll usually assign static IP addresses to Windows
Servers, and when you do this, you'll need to configure additional information to help the server navigate the
network.
Dynamically A DHCP server (if one is installed on the network) assigns dynamic IP addresses at startup, and
the addresses might change over time. Dynamic IP addressing is the default configuration.
Alternatively (IPv4 only) When a computer is configured to use DHCPv4 and no DHCPv4 server is available,
Windows Server 2008 assigns an alternate private IP address automatically. By default, the alternate IPv4
address is in the range from 169.254.0.1 to 169.254.255.254 with a subnet mask of 255.255.0.0. You can also
specify a user-configured alternate IPv4 address, which is particularly useful for laptop users.
Note Unless an IP address is specifically reserved, DHCP servers assign IP addresses for a specific period of time,
known as an IP address lease. If this lease expires and cannot be renewed, then the client assigns itself an automatic
private IP address.
Note To perform most TCP/IP configuration tasks, you must be a member of the Administrators group.
When you assign a static IP address, you need to tell the computer the IP address you want to use, the
subnet mask for this IP address, and, if necessary, the default gateway to use for internetwork
communications. An IP address is a numeric identifier for a computer. IP addressing schemes vary according
to how your network is configured, but they're normally assigned based on a particular network segment.
IPv6 addresses and IPv4 addresses are very different. With IPv6, the first 64 bits represent the network ID and
the remaining 64 bits represent the network interface. With IPv4, a variable number of the initial bits represent
the network ID and the rest of the bits represent the host ID. For example, if you're working with IPv4 and a
computer on the network segment 192.168.10.0 with a subnet mask of 255.255.255.0, the first 24 bits
represent the network ID and the address range you have available for computer hosts is from 192.168.10.1 to
192.168.10.254. In this range, the address 192.168.10.255 is reserved for network broadcasts.
All other IPv4 network addresses are public and must be leased or purchased. If the network is connected directly to
the internet and you've obtained a range of IPv4 addresses from your internet service provider, you can use the IPv4
addresses you've been assigned.
Using advanced TCP/IP settings, you can configure a single network interface on a computer to use multiple IP
addresses and multiple gateways. This allows a computer to appear to be several computers and to access multiple
logical subnets to route information or to provide internetworking services.
To provide fault tolerance in case of a router outage, you can choose to configure Windows Server 2008 computers so
that they use multiple default gateways. When you assign multiple gateways, Windows Server 2008 uses the gateway
metric to determine which gateway is used and at what time. The gateway metric indicates the routing cost of using a
gateway. The gateway with the lowest routing cost, or metric, is used first. If the computer can't communicate with this
gateway, Windows Server 2008 tries to use the gateway with the next lowest metric.
The best way to configure multiple gateways depends on the configuration of your network. If your organization's
computers use DHCP, you'll probably want to configure the additional gateways through settings on the DHCP server.
If computers use static IP addresses or you want to set gateways specifically, assign them by following these steps:
1. Click Start and then click Network. In Network Explorer, click Network and Sharing Center on the toolbar.
2. In Network and Sharing Center, click Manage Network Connections. In Network Connections, right-click the
connection you want to work with and then select Properties.
3. Double-click Internet Protocol Version 6 (TCP/IPv6) or Internet Protocol Version 4 (TCP/IPv4) as appropriate
for the type of IP address you are configuring.
4. Click Advanced to open the Advanced TCP/IP Settings dialog box. Figure 21-2 shows advanced settings for
IPv4. The dialog box for IPv6 is similar.
5. To add an IP address, click Add below IP Addresses to display the TCP/IP Address dialog box. After you type
the IP address in the IP Address field, enter the subnet mask in the Subnet Mask field for IPv4 addresses or
the subnet prefix length in the Subnet Prefix Length field for IPv6 addresses. Click Add to return to the
Advanced TCP/IP Settings dialog box. Repeat this step for each IP address you want to add.
6. The Default Gateways panel shows the current gateways that have been manually configured (if any). To add
a default gateway, click Add below Default Gateways to display the TCP/IP Gateway Address dialog box.
Type the gateway address in the Gateway field. By default, Windows Server 2008 automatically assigns a
metric to the gateway, which determines in which order the gateway is used. To assign the metric manually,
clear the Automatic Metric check box, and then enter a metric in the field provided. Click Add, and then repeat
this step for each gateway you want to add.
7. Click OK three times to close the open dialog boxes.
1. Click Start and then click Network. In Network Explorer, click Network and Sharing Center on the toolbar.
2. In Network and Sharing Center, click Manage Network Connections. In Network Connections, right-click the
connection you want to work with and then select Properties.
3. Double-click Internet Protocol Version 6 (TCP/IPv6) or Internet Protocol Version 4 (TCP/IPv4) as appropriate
for the type of IP address you are configuring.
4. If the computer is using DHCP and you want DHCP to specify the DNS server address, select Obtain DNS
Server Address Automatically. Otherwise, select Use The Following DNS Server Addresses and then type
primary and alternate DNS server addresses in the text boxes provided.
5. Click OK three times to save your changes.
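An added PowerShell example (not from the original text) covering three of the passages above: the network ID / host range arithmetic illustrated with 192.168.10.0 and 255.255.255.0, assigning static addresses with more than one default gateway and a metric for each, and setting static DNS servers. The arithmetic is done in PowerShell; the configuration uses netsh, which is the scripting interface on Windows Server 2008 (the NetTCPIP cmdlets only appeared in 2012). The adapter name and every address are assumptions; the function is general and works for any valid IPv4 mask, not only /24.

```powershell
# Added example: subnet arithmetic, then a static multi-gateway configuration.

function ConvertTo-IPv4Int ([string]$Dotted) {
    $b = [System.Net.IPAddress]::Parse($Dotted).GetAddressBytes()
    [array]::Reverse($b)                              # network -> host byte order
    return [int64][BitConverter]::ToUInt32($b, 0)
}
function ConvertFrom-IPv4Int ([int64]$Value) {
    $b = [BitConverter]::GetBytes([uint32]$Value)
    [array]::Reverse($b)
    return ($b -join '.')
}

function Get-IPv4SubnetInfo {
    param([Parameter(Mandatory=$true)][string]$Address,
          [Parameter(Mandatory=$true)][string]$Mask)
    $allOnes = [int64]4294967295                      # 0xFFFFFFFF as a positive int64
    $addr = ConvertTo-IPv4Int $Address
    $mask = ConvertTo-IPv4Int $Mask
    $inv  = (-bnot $mask) -band $allOnes              # the host bits
    # A valid mask is contiguous ones followed by zeros, i.e. inv+1 is a power of two.
    if ((($inv + 1) -band $inv) -ne 0) { throw "Mask $Mask is not contiguous" }
    $net = $addr -band $mask                          # network ID  = address AND mask
    $bc  = $net -bor $inv                             # broadcast   = network OR host bits
    $prefix = [Convert]::ToString($mask, 2).Replace('0', '').Length
    if ($prefix -ge 31) {                             # /31 and /32 have no reserved addresses
        $first = $net; $last = $bc; $usable = $inv + 1
    } else {
        $first = $net + 1; $last = $bc - 1; $usable = $inv - 1
    }
    New-Object PSObject -Property @{
        NetworkId    = ConvertFrom-IPv4Int $net
        PrefixLength = $prefix
        FirstHost    = ConvertFrom-IPv4Int $first
        LastHost     = ConvertFrom-IPv4Int $last
        Broadcast    = ConvertFrom-IPv4Int $bc
        UsableHosts  = $usable
    }
}

# The text's example: expect network 192.168.10.0/24, hosts .1-.254, broadcast .255.
Get-IPv4SubnetInfo -Address 192.168.10.20 -Mask 255.255.255.0 | Format-List

$nic = 'Local Area Connection'    # assumed; list names with: netsh interface ipv4 show interfaces

# Primary static address with the preferred gateway (lowest metric is tried first).
netsh interface ipv4 set address name="$nic" source=static address=192.168.10.20 mask=255.255.255.0 gateway=192.168.10.1 gwmetric=10
# A second address on the same interface (step 5 of the advanced procedure).
netsh interface ipv4 add address name="$nic" address=192.168.10.21 mask=255.255.255.0
# A backup default gateway with a higher metric (step 6): used only while .1 is unreachable.
netsh interface ipv4 add address name="$nic" gateway=192.168.10.2 gwmetric=20
# Static DNS servers: primary, then alternate.
netsh interface ipv4 set dns name="$nic" source=static address=192.168.10.5 register=primary
netsh interface ipv4 add dns name="$nic" address=192.168.10.6 index=2

# Verification.
netsh interface ipv4 show addresses "$nic"
netsh interface ipv4 show dnsservers "$nic"
route print -4
```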
You configure advanced DNS settings on the DNS tab of the Advanced TCP/IP Settings dialog box, shown in Figure
21-3. You use the fields of the DNS tab as follows:
DNS server addresses, in order of use Use this area to specify the IP address of each DNS server that is
used for domain name resolution. Click Add if you want to add a server IP address to the list. Click Remove to
remove a selected server address from the list. Click Edit to edit the selected entry. You can specify multiple
servers for DNS resolution. Their priority is determined by the order. If the first server isn't available to respond
to a host name resolution request, the next DNS server in the list is accessed, and so on. To change the
position of a server in the list box, select it and then click the up or down arrow button.
Append primary and connection specific DNS suffixes Normally, this option is selected by default. Select
this option to resolve unqualified computer names in the primary domain. For example, if the computer name
gandolf is used and the parent domain is microsoft.com, the computer name would resolve to
gandolf.microsoft.com. If the fully qualified computer name doesn't exist in the parent domain, the query fails.
The parent domain used is the one set in the System Properties dialog box, on the Computer Name tab. (Click
System and Maintenance\System in Control Panel, then click Change Settings and view the Computer Name
tab to check the settings.)
Append parent suffixes of the primary DNS suffix This option is selected by default. Select this check box
to resolve unqualified computer names using the parent/child domain hierarchy. If a query fails in the
immediate parent domain, the suffix for the parent of the parent domain is used to try to resolve the query.
This process continues until the top of the DNS domain hierarchy is reached. For example, if the computer
name gandolf is used in the dev.microsoft.com domain, DNS would attempt to resolve the computer name to
gandolf.dev.microsoft.com. If this didn't work, DNS would attempt to resolve the computer name to
gandolf.microsoft.com.
Append these DNS suffixes (in order) Select this option to set specific DNS suffixes to use rather than
resolving through the parent domain. Click Add if you want to add a domain suffix to the list. Click Remove to
remove a selected domain suffix from the list. Click Edit to edit the selected entry. You can specify multiple
domain suffixes, which are used in order. If the first suffix doesn't resolve properly, DNS attempts to use the
Note Dynamic DNS updates are used in conjunction with DHCP to enable a client to update its A (host
address) record if its IP address changes, and to enable the DHCP server to update the PTR (pointer) record for
the client on the DNS server. You can also configure DHCP servers to update both the A and PTR records on the
client's behalf. Dynamic DNS updates are supported only by BIND 5.1 or higher DNS servers as well as server
editions of Microsoft Windows.
Use this connection's DNS suffix in DNS registration Select this check box if you want all IP addresses for
this connection to be registered in DNS under the parent domain.
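The suffix-handling options above decide which fully qualified names a client tries, in which order, before giving up on an unqualified name. The following function, an added example rather than anything from the original text, reproduces that ordering in plain PowerShell (no DNS queries are sent) so the effect of each check box can be seen. Host and domain names are the page's own gandolf / dev.microsoft.com example plus an assumed search list; the devolution floor of two labels is Windows behaviour, which never devolves a suffix below its second-level domain.

```powershell
# Added example: the candidate-name order produced by the DNS tab options.
function Get-DnsCandidateName {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [string]$PrimarySuffix    = '',    # System Properties > Computer Name
        [string]$ConnectionSuffix = '',    # per-adapter suffix (DHCP option 015 or static)
        [string[]]$SearchList     = @(),   # "Append these DNS suffixes (in order)"
        [switch]$AppendParentSuffixes,     # "Append parent suffixes of the primary DNS suffix"
        [int]$DevolutionLevel     = 2      # Windows stops devolving at this many labels
    )
    # A trailing dot marks a fully qualified name: nothing is appended.
    if ($Name.EndsWith('.')) { return ,$Name.TrimEnd('.') }

    $candidates = @()
    # A name that already contains a dot is tried as typed before suffixes are added.
    if ($Name.Contains('.')) { $candidates += $Name }

    if ($SearchList.Count -gt 0) {
        # An explicit search list replaces the primary/connection suffixes and
        # switches devolution off: only the listed suffixes are tried, in order.
        foreach ($s in $SearchList) { $candidates += "$Name.$($s.TrimEnd('.'))" }
        return $candidates
    }

    if ($PrimarySuffix) {
        $candidates += "$Name.$PrimarySuffix"
        if ($AppendParentSuffixes) {
            # dev.microsoft.com -> microsoft.com, but never down to a bare TLD.
            $labels = $PrimarySuffix.Split('.')
            for ($i = 1; ($labels.Count - $i) -ge $DevolutionLevel; $i++) {
                $candidates += "$Name." + ($labels[$i..($labels.Count - 1)] -join '.')
            }
        }
    }
    if ($ConnectionSuffix -and ($ConnectionSuffix -ne $PrimarySuffix)) {
        $candidates += "$Name.$ConnectionSuffix"
    }
    return $candidates
}

# The text's example: both "Append" options on, computer in dev.microsoft.com.
Get-DnsCandidateName -Name gandolf -PrimarySuffix dev.microsoft.com -AppendParentSuffixes

# Same host with an explicit search list (assumed domains): devolution no longer applies.
Get-DnsCandidateName -Name gandolf -SearchList corp.example, lab.corp.example
```

The devolution floor is a security control as much as a convenience: without it a mistyped or unregistered short name would be queried under ever-shorter suffixes until it left the organization's zones, and whoever answers that public query gets to say where the client connects.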
Figure 3 Configure advanced DNS settings on the DNS tab of the Advanced TCP/IP Settings dialog box.
Figure 4 Configure WINS resolution for NetBIOS computer names on the WINS tab of the Advanced TCP/IP
Settings dialog box.
1. You can specify multiple servers, which are used in order, for WINS resolution. If the first server isn't available
to respond to a NetBIOS name resolution request, the next WINS server on the list is accessed, and so on. To
change the position of a server in the list box, select it and then click the up or down arrow button.
Local area connections make it possible for computers to access resources on the network and the internet. One local
area connection is created automatically for each network adapter installed on a computer. This section examines
techniques you can use to manage these connections.
Checking the status, speed, and activity for local area connections
To check the status of a local area connection, follow these steps:
1. Click Start and then click Network. In Network Explorer, click Network and Sharing Center on the toolbar.
2. In Network and Sharing Center, click Manage Network Connections. In Network Connections, right-click the
connection you want to work with and then click Status.
3. This displays the Local Area Connection Status dialog box. If the connection is disabled or the media is
unplugged, you won't be able to access this dialog box. Enable the connection or connect the network cable
to resolve the problem and then try to display the Status dialog box again.
The General tab of this dialog box, shown in Figure 21-5, provides useful information regarding the following:
IPv4 connectivity: The current IPv4 connection state and type. You'll typically see the status as Local when
connected to an internal network or Not Connected when not connected to a network.
IPv6 connectivity: The current IPv6 connection state and type. You'll typically see the status as Local when
connected to an internal network or Not Connected when not connected to a network.
Media state: The state of the media. Because the Status dialog box is available only when the connection is
enabled, you'll typically see this as Enabled.
Duration: The amount of time the connection has been established. If the duration is fairly short, the user either
recently connected to the network or the connection was recently reset.
Figure 5 The General tab of the Local Area Connection Status dialog box provides access to summary information
regarding connections, properties, and support.
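The same status, speed, connectivity and activity figures can be gathered for every adapter at once from PowerShell, which is useful when checking many servers. This is an added example, not part of the module; it assumes Windows Server 2012 / Windows 8 or later, where the NetAdapter and NetConnection cmdlets exist (on Windows Server 2008 use the GUI steps above or ipconfig /all).

```powershell
# Added example (not from the module): report what the Local Area Connection
# Status dialog shows, for every adapter, using the NetAdapter and NetConnection
# cmdlets. Assumes Windows Server 2012 / Windows 8 or later.
function Get-ConnectionStatusReport {
    [CmdletBinding()]
    param(
        # Optional adapter name filter, e.g. 'Ethernet'; default is all adapters.
        [string]$Name = '*'
    )

    foreach ($adapter in Get-NetAdapter -Name $Name) {
        # Media state: 'Connected' means the cable is plugged in and the link is up.
        $media = $adapter.MediaConnectionState

        # Connectivity levels as the Status dialog reports them (LocalNetwork,
        # Internet, NoTraffic, ...). Disconnected adapters have no profile.
        $profile = Get-NetConnectionProfile -InterfaceIndex $adapter.ifIndex -ErrorAction SilentlyContinue

        # Activity counters, equivalent to the Sent/Received bytes on the General tab.
        $stats = Get-NetAdapterStatistics -Name $adapter.Name -ErrorAction SilentlyContinue

        # IPv4 addresses assigned to this interface.
        $ipv4 = (Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 `
                    -ErrorAction SilentlyContinue).IPAddress -join ', '

        [pscustomobject]@{
            Name             = $adapter.Name
            Status           = $adapter.Status            # Up / Disabled / Disconnected
            MediaState       = $media
            LinkSpeed        = $adapter.LinkSpeed         # e.g. '1 Gbps'
            IPv4Connectivity = if ($profile) { $profile.IPv4Connectivity } else { 'Not connected' }
            IPv6Connectivity = if ($profile) { $profile.IPv6Connectivity } else { 'Not connected' }
            IPv4Address      = $ipv4
            BytesSent        = if ($stats) { $stats.SentBytes } else { 0 }
            BytesReceived    = if ($stats) { $stats.ReceivedBytes } else { 0 }
        }
    }
}

# Typical use: list everything, then flag adapters that are up but have seen
# no traffic, the condition the dialog's Duration and Activity fields help spot.
Get-ConnectionStatusReport | Format-Table -AutoSize
Get-ConnectionStatusReport |
    Where-Object { $_.Status -eq 'Up' -and $_.BytesReceived -eq 0 } |
    ForEach-Object { Write-Warning "Adapter '$($_.Name)' is up but has received no traffic" }
```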
1. Click Start and then click Network. In Network Explorer, click Network and Sharing Center on the toolbar.
2. In Network and Sharing Center, click Manage Network Connections. In Network Connections, right-click the
connection you want to work with and then click Status. This displays the Local Area Connection Status dialog
box. If the connection is disabled or the media is unplugged, you won't be able to access this dialog box.
Enable the connection or connect the network cable to resolve the problem and then try to display the Status
dialog box again.
3. Click Details to view detailed information about the IP address configuration, including:
You can also use the IPCONFIG command to view advanced configuration settings. To do so, follow these steps:
Note: The command prompt is started in standard user mode; this is not an elevated command prompt.
1. Click Start and then click Network. In Network Explorer, click Network and Sharing Center on the toolbar.
2. In Network and Sharing Center, click Manage Network Connections. In Network Connections, right-click the
connection and select Disable to deactivate the connection and disable it.
3. If you want to enable the connection later, right-click the connection in Network Connections and select
Enable.
If you want to disconnect from a network or start another connection, follow these steps:
1. Click Start and then click Network. In Network Explorer, click Network and Sharing Center on the toolbar.
2. In Network and Sharing Center, click Manage Network Connections. In Network Connections, right-click the
connection and select Disconnect. Typically, only remote access connections have a Disconnect option.
3. If you want to activate the connection later, right-click the connection in Network Connections and select
Connect.
When people talk about computer security, there's almost always a discussion of isolating a computer. A machine that
has sensitive data or that should only be accessed by certain people might be behind closed doors and without
network access, just for the sake of safety. As someone else once put it, the only truly secure computer is one that's in
a locked room and not connected to a network (and probably not plugged in or turned on, either).
Isolating a server isn't an all-or-nothing proposition, however. There are degrees of isolation that can be performed on
a system, from simple firewalling to total physical isolation. If you're nervous about the possible effects of having a
system exposed to the outside world (or even to parts of your own organization), a partial lockdown may be every bit
as effective as a total lockdown depending on your needs.
Firewalling
Firewalls are the simplest and most basic way to give a computer a degree of isolation, mostly as protection against
direct attacks on the server. All versions of Windows ship with Microsoft's own basic but reasonably useful firewall
product, which can be used to lock down everything that doesn't need to be accessed. It filters both by port and by
application, so it has that much more flexibility for incoming as well as outgoing traffic. However, it doesn't do anything
to protect the traffic itself -- if someone sends plaintext to the server and it responds in plaintext, anyone who can
capture those packets will know what's going on.
Network segmentation, or subnetting, is another way to isolate a given computer: Give the computer in question and
any clients that need access to it their own network segment. This makes it a little more difficult to get access to the
computer in question, but it's still not impossible, since it may still be connected to the same physical network segment.
Someone running Snort, for instance, on the same physical network may be able to sniff traffic.
It's also possible to isolate the computer and any needed clients on their own wires, but this is often not very practical
unless you already have space set aside for it. In one of my previous jobs, before wireless networking was feasible,
we created a separate physical network for testing by running CAT5 cables up into the ceiling spaces and back and
forth between offices. It worked, but it was inconvenient at best -- and once someone else found out what was up, we
had to dismantle the whole thing.
One very elegant way to secure Windows Server machines is by using IPsec, a strongly integrated network security
mechanism that works at the packet level. Packets are encrypted and only exchanged between the server and trusted
clients according to policies created on the server. IPsec's other big benefit, aside from encryption, is verification: Are
the packets from the correct server?
Another particularly handy thing about IPsec is that it can use Windows' own built-in authentication scheme, Kerberos,
so there's less fuss when you use it than you might think. Also, since it's integrated into Windows' own IP stack and
not an adjunct to it (like a firewall), you can have a good deal of confidence in it. This allows you to exchange
protected traffic with, for example, another domain controller in another subnet. For many people, IPsec may be one
of the easiest ways to selectively isolate a server without actually removing it from the network entirely.
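The firewall-plus-IPsec partial lockdown described above, as an added example (not the article's own code): an inbound firewall rule scoped to a trusted segment, then an IPsec rule that requires Kerberos machine authentication on the same traffic so that unauthenticated packets are dropped even from that segment. It assumes the NetSecurity module (Windows Server 2012 or later) and a domain-joined server; the subnet 172.16.0.0/24 and TCP port 445 (SMB) are placeholders for your own environment.

```powershell
# Added example (not from the article): partial isolation of a Windows Server
# file service with the built-in firewall plus an IPsec rule requiring Kerberos
# machine authentication. Placeholders: $trustedSubnet and port 445.
$trustedSubnet = '172.16.0.0/24'
$rulePrefix    = 'Isolation-SMB'

# 1. Firewall: allow SMB (TCP 445) inbound only from the trusted segment.
#    Everything else stays blocked by the default inbound policy.
New-NetFirewallRule -DisplayName "$rulePrefix-Allow" `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $trustedSubnet -Action Allow -Profile Domain

# 2. IPsec: the same traffic must be authenticated. Kerberos machine
#    authentication means only domain-joined computers can complete the
#    exchange, which is the "are the packets from the correct server?"
#    verification the article describes. Inbound is required, outbound is
#    requested so the server can still talk to hosts that have no IPsec policy.
$authProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1Auth   = New-NetIPsecPhase1AuthSet -DisplayName "$rulePrefix-Auth" -Proposal $authProposal

New-NetIPsecRule -DisplayName "$rulePrefix-IPsec" `
    -Protocol TCP -LocalPort 445 -RemoteAddress $trustedSubnet `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1Auth.Name -Profile Domain

# 3. Tie the two together: the allow rule now only matches packets that
#    passed IPsec authentication, so a rogue host on the trusted subnet that
#    is not domain-joined is still dropped.
Set-NetFirewallRule -DisplayName "$rulePrefix-Allow" -Authentication Required

# Verification: list the rules, then watch security associations form when a
# trusted client connects. No main mode SA while the client can still reach
# the share means the IPsec rule is not being applied.
Get-NetFirewallRule -DisplayName "$rulePrefix-*" | Format-Table DisplayName, Enabled, Direction, Action
Get-NetIPsecRule -DisplayName "$rulePrefix-*" | Format-Table DisplayName, InboundSecurity, OutboundSecurity
Get-NetIPsecMainModeSA | Format-Table LocalEndpoint, RemoteEndpoint
```

Adding -RequireEncryption (or setting -Encryption Required on the firewall rule) to the same rules covers the plaintext-capture concern raised in the Firewalling section; the rules above only authenticate.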
A "clean room" computer is a machine with no network connectivity at all -- it's an isolated PC, most likely hidden
behind locked doors as well. The types of circumstances that require this degree of isolation are vanishingly few, but
they do exist. For instance, a certification authority for internal use (such as code signing) could be hosted on such a
system; certificate requests would have to be brought in and out by hand. Such a machine should have strict control
over hardware and software -- it should not allow software to be installed, nor any new hardware devices, without
administrative access. This will prevent someone from, for instance, installing a wireless USB networking device or
plugging in a flash drive.
Even if you have no need in your organization for a totally isolated machine, you should at least set up policies and
physical space so that you can physically isolate a machine if you have to. Having such methods and space available
is always good if, for instance, you need to work with a PC that's been hit with a virus or some other calamity, or you
need to check a PC for that occurrence.
TESTING PROCEDURES
Testing Connectivity and Shutdown
After the OS is installed and the network parameters are configured, it is time to test both. An important test is to
verify that the server can communicate with another machine, such as a Windows 7 client, and that the client can
communicate with the server; you can do this from the Command Prompt. After testing is complete, you can shut down
the server.
Verify Connectivity.
Display Start.
Click the down arrow to display several Apps.
Scroll right.
Click the Command Prompt.
Ping the second machine.
From the second machine, ping the server.
Shut down the server.
o If an OS is already installed on the machine, and you do not see Press any key to boot from CD/DVD,
you will have to reconfigure the boot process to boot from the CD/DVD drive.
o If an OS is not on the machine, the boot process goes directly to the CD/DVD drive and begins
booting.
o If you are installing from a DVD that came with a textbook, you may not need a product key.
o Depending on the DVD you are using, such as one that came with a textbook, or one from Microsoft,
you may see a slightly different selection menu; be sure not to select Server Core but GUI instead.
If you have an existing operating system that you want to upgrade, when prompted, you would select
Upgrade, but in this case select Custom so you can customize the disk for installation.
The configuration shown will depend on the partition and unallocated space on your disk(s). Notice that you
are given a number of disk options, but they are not always enabled; it depends on whether a partition or unallocated
space is highlighted; if a partition is highlighted all except New are enabled, and if an unallocated space is highlighted,
all are grayed, except New.
When installation completes the system reboots; during the reboot you will see Press any key to boot from
CD/DVD, ignore this message since it will take you back to the beginning of the installation process. After the reboot
completes, you are prompted to create a password for user Administrator.
Test connectivity: To verify two-way connectivity between the server and at least one other machine, such as
Windows 7, you must configure IP settings on both the server and the second machine. If the server is on a network
with existing test machines, configure it with the same addressing scheme as the others.
o If the server is on a network with one other newly created machine, such as Windows 7, you can use
these Private addresses and subnet mask: server 172.16.0.10, 255.255.255.0; client 172.16.0.2, 255.255.255.0.
Server Manager Dashboard: Server Manager, Configure this local server, has tools that administrators can
use to manage operating features, such as domain name services (DNS) and domain creation.
Warnings
When partitioning the disks, Next does not depend on a selection; this means that whichever space is highlighted,
partition or unallocated, when you click Next, setup formats that space, copies the necessary operating system files, and
installs the operating system. Everything on that partition will be lost.
When partitioning the disks, if you select Delete, setup will delete the highlighted partition and label it
unallocated; you will then have to use New to create a partition for the install, or click Next to install. Also, note that if
Pre-deployment
Continuously adhere to all System Requirements for Windows-Based Backup Solutions to ensure sustained stability
of your Datto implementation.
Hardware Health
Run chkdsk to be sure that all RAIDs and individual disks report back as healthy. Perform necessary disk repairs prior
to deploying any backup agent. Failure to do so may result in backing up corrupted systems and restoration failures.
Disk Defragmentation
While Datto can perform backups of systems that are running disk defragmentation, be aware that defragmentation
rearranges data at the block level, and larger backups will consequently result. Run a disk defragmentation before
deploying the agent. VSS-aware disk defragmentation programs may allow for smaller backups, but using them is left
to your own discretion.
Windows updates
Download Windows updates, service packs, and any other Microsoft provided updates. After installing these updates,
reboot the server. When scheduling your deployment, remember that the 2nd Tuesday of every month is Microsoft's
"patch Tuesday."
Virus scan
Run a virus scan before you deploy the Datto backup solution to your production machine.
Event Viewer
Check the target's system and application logs to see if there are any VSS or hardware errors. Resolve any errors
before attempting to install the agent.
Exchange
Since Exchange Servers are essentially database servers with mail stores in EDB (Exchange Database Format),
Datto recommends the same procedures for maintenance jobs as SQL (see above SQL recommendation). Make sure
Hypervisors
Datto recommends that hypervisors have their datastores isolated on a separate partition, and that the non-datastore
volumes be backed up by the Datto backup solution. Servers that reside on the datastore should be backed up
individually to allow for more granular recovery and restore efforts. Best practices for backing up hypervisors can be
found here.
Clustering
Due to an incompatibility between the Datto backup software and Cluster Shared Volumes (CSVs), Datto backup
software does not support backing up Hyper-V hosts that are members of a failover cluster. Datto backup solutions do
not support backing up any other OS that has access to a CSV. However, we can support backing up a guest
VM running on a Hyper-V failover cluster, as long as the guest OS itself does not access a CSV.
Proxies
ShadowSnap and ShadowProtect do not support the use of proxy servers on the network. Agents must check in to
StorageCraft to verify their license monthly.
Laptops
Due to their mobile nature, Datto does not endorse or support backing up laptops. Laptops must be inside the LAN,
and not on a wireless network, to perform backups in a timely manner. Attempts to back up laptops are at your own
discretion.
Because of this, and due to the wide range of touchpad drivers, custom drivers, and hardware configurations available
for both laptops and all-in-one workstations, restoration support for these platforms is 'best-effort' only.
Firewall rules
Antivirus exceptions
Before setting a backup schedule, discuss with your client how far back you would ever need to go to retrieve
data. Set the expectations with them and provide a schedule accordingly. Set the local data retention policies based
on these conversations and expectations. Remember that long-running retention policies will require more disk space,
and should be considered when sizing an appliance.
Consider the server’s role when establishing a backup schedule. A file server may need multiple backups
during business hours, as files are in constant change. A terminal server simply housing configurations, however, may
not require as many backups per day, as there is little to no change provided. Like any other service on a server,
backups consume resources and take disk input / output.
The size of your server's backups can grow if you use Distributed File System (DFS) in your environment.
See How Distributed File System (DFS) Interacts with the Datto Solution for more information.
Prior to the initial backup, ensure that all undesired volumes are excluded. Remember that backups may be
attempted on any additional drives attached to the machine (USB drives, additional storage drives, etc.).
The Microsoft® Web Platform is a powerful set of tools, servers, and technologies optimized for building and hosting
next-generation Web applications and solutions. At the base of the Microsoft Web Platform is Windows Server® 2008,
Windows Server® 2008 R2, or another Windows Server® operating system version. Windows Server 2008 R2 comes
with Internet Information Services 7.5 (IIS 7.5), a Web server and security-enhanced platform for developing and
reliably hosting Web applications and services. Windows Server 2008 comes with IIS 7.0. IIS 7.0 and 7.5 (together
known as IIS 7) include a componentized architecture for greater flexibility and control. IIS 7 and above also provides
simplified management and powerful diagnostic and troubleshooting capabilities. IIS Manager extensions make it easy
to administer local and remote Web servers.
IIS 7 and above, together with the Microsoft® .NET Framework 3.0, provides a comprehensive platform for building
applications. Additionally, IIS plays a central role in unifying the Microsoft Web platform technologies—Microsoft®
ASP.NET, Windows® Communication Foundation (WCF) Web services, and Windows® SharePoint® Services.
This article describes general procedures for installing Windows Server 2008 or Windows Server 2008 R2; links for
more detailed information can be found throughout the article. After installing Windows Server 2008 or Windows
Server 2008 R2, you will need to install IIS.
Operating System Editions
Windows Server 2008 and Windows Server 2008 R2 are available in multiple editions to support the varying server
and workload needs of organizations. The four main editions include Windows Server® 2008 R2 Standard, Windows
Server® 2008 R2 Enterprise, Windows Server® 2008 R2 Datacenter, and Windows® Web Server 2008 R2 (or
Windows Server® 2008 Standard, Windows Server® 2008 Enterprise, Windows Server® 2008 Datacenter, and
Processor — Processor performance depends not only on the clock frequency of the processor, but also on the
number of processor cores and the size of the processor cache. The following are the processor requirements:
Minimum: 1 GHz (for x86 processors) or 1.4 GHz (for x64 processors)
Recommended: 2 GHz or faster
Memory — The following are the RAM requirements:
Minimum: 512 MB
Recommended: 2 GB or more
Maximum (32-bit systems): 4 GB (for Windows Server 2008 Standard) or 64 GB (for Windows Server 2008
Enterprise or Windows Server 2008 Datacenter)
Maximum (64-bit systems): 32 GB (for Windows Server 2008 Standard) or 2 terabyte (for Windows Server
2008 Enterprise, Windows Server 2008 Datacenter, or Windows Server® 2008 for Itanium-Based Systems)
Disk space requirements —The following are the approximate disk space requirements for the system partition.
Itanium-based and x64-based operating systems will vary from these estimates. Additional disk space may be
required if you install the system over a network:
Minimum: 10 GB
Recommended: 40 GB or more
Note: Computers with more than 16 GB of RAM require more disk space for paging, hibernation, and dump files.
DVD-ROM drive
Super VGA (800 x 600) or higher-resolution monitor
Keyboard and mouse (or other compatible pointing device)
One of the biggest oversights in any data center is the lack of clear and informative server documentation.
IT professionals know how to install and configure the most complex equipment, but often don't have strong
communication skills. As a result, organizations rely on administrators' memory or informally passed-along knowledge,
causing avoidable integration, upgrade and troubleshooting problems because administrators forget what they've
done or leave behind a knowledge vacuum.
There is no single established standard for system or server documentation. The emphasis is not on the path, but
rather on establishing a "map" of how each system is equipped, configured and integrated into the data center so that
other IT professionals can understand, test, upgrade and troubleshoot it and the production environment with minimal
time wasted.
Lists. Start with a hardware inventory that includes a list of all major components. Follow that up with a software
inventory that details the operating systems, hypervisors, virtual machines (and all their operating systems), drivers,
applications (workloads), and all the associated licensing information.
Any system inventory tool can detail hardware and software components and update over time, but a printed
component list offers a complete at-a-glance picture, which can easily be compared to systems' purchase
specifications. Organize inventory reports along with original installation or recovery media and any original vendor
documentation, such as manuals or setup guides.
Instructions. Next, document anything related to each individual system's setup and configuration, starting with its
firmware options (BIOS settings). Also, document startup scripts. Command-line scripts notoriously lack comments, so
add them for easier changes or troubleshooting in the future. Then, implement a version control system to help
administrators track the version of each one and understand when a system might be using old or erroneous scripts.
Document the system's integration into the larger data center, including its LAN address, the media access control, or
MAC, address for each network interface card's port, and external notes that show how the system is interconnected
with network switches. Taken together, this information forms a map of the network for IT professionals to follow to
survey current architectures and make suggestions for infrastructure improvements.
Systems management tools automate at least some of these information-gathering tasks. Tools frequently replace
more formalized documentation because reporting changes dynamically and won't become obsolete. No matter the
method, implement a process to update systems and their associated documentation as changes occur. Wrong
documentation can be worse than no documentation.
As is the case with system and server documentation content, there is no clear choice for where to keep it.
System documentation should ideally be located close to the physical system, speeding access to important details
when uptime is on the line. Keep documentation on something other than the system it represents. Documentation is
meant to help with troubleshooting, but saving notes on the system's local hard drive won't do much good if that
system fails or becomes inaccessible.
Consolidating documents in a single location is also common. If you choose this route, set aside a shelf for manuals,
configuration files and other details in the data center. Avoid redundant copies of documentation -- changes to one
copy often don't get migrated to subsequent copies, resulting in errors and confusion.
Generally, the vendor documentation that accompanies a new server has limited value once the system is actually
configured and deployed, but it is good practice to retain vendor documentation with new documentation you develop.
Vendor documentation bulk and clutter is becoming less of an issue as more vendors shift to Web-based
documentation and guides. For example, vendors can update their online documentation alongside an evolving
knowledge base to help deal with errors, oversights, troubleshooting and workarounds.
Still, the original documentation and current configuration details add value when an aging system is repurposed (sold
to another user or reassigned to another business unit).
Documentation must be clear and precise -- down to the specific keystrokes or mouse clicks of a complex setup and
configuration procedure. It is possible to document detailed activities manually, but the potential to skip over certain
steps is high.
Tools record processes and give documentation users a step-by-step insight into key procedures.
One tool is Microsoft's Problem Steps Recorder (PSR.exe), originally introduced with Windows 7 and Windows Server
2008 R2 to help support staff see what's happening on remote users' desktops. IT administrators recognized that the
ability to record and comment on each mouse click and then save that activity into a zipped MHTML report could be
used for more than remote user activities.
The tool, continued in Windows Server 2012, can record and document important activities for client- and server-side
systems. It creates a library of recordings that staff can refer to when they tackle important setup and configuration
activities. To launch PSR.exe, click Start, type psr into the search line, then click on the PSR applet that appears in
the search results list.
There are no established standards for documenting any part of a data center, so documentation quantity and quality
vary from one organization to another. Peer review improves documentation, allowing other IT staff to read material
and provide feedback on its clarity and completeness. And data center managers should make time for periodic
training, allowing IT staff to familiarize themselves with the available documentation before they need it.