Windows Server® 2008 For Dummies®
by Ed Tittel and Justin Korelc
Windows Server® 2008 For Dummies®
Published by Wiley Publishing, Inc., 111 River Street, Hoboken, NJ 07030-5774, www.wiley.com
Copyright © 2008 by Wiley Publishing, Inc., Indianapolis, Indiana
Published by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, or online at http://www.wiley.com/go/permissions.

Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. Microsoft and Windows Server are registered trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

For general information on our other products and services, please contact our Customer Care Department within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002.

For technical support, please visit www.wiley.com/techsupport.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Control Number: 2008922653
ISBN: 978-0-470-18043-3
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
About the Authors

Ed Tittel is an increasingly grizzled, if not wizened, veteran of the publishing game, with over a thousand magazine articles and more than 140 books to his credit. Ed has worked on numerous For Dummies books, including HTML 4 For Dummies, 5th Edition (with Mary Burmeister) and XML For Dummies, 4th Edition (with Lucinda Dykes), as well as books on many other topics. Ed runs a small professional IT practice in Round Rock, TX, that specializes in network-oriented training, writing, and consulting. When Ed’s not busy writing, he likes to spend time with his wife, Dina, and son, Gregory. He also likes to shoot pool, cook, and read sci-fi. You can reach Ed by e-mail at [email protected] yahoo.com or through his Web page at www.edtittel.com.

Justin Korelc has been working with computers and technology for over 15 years. Justin is an independent consultant working as a writer and trainer. His work focuses on security, Windows and Linux operating systems, and PC hardware. Justin has coauthored several books on media PCs, including Build the Ultimate Home Theater PC (an ExtremeTech BuildIt Guide) and Hacking MythTV (an ExtremeTech title). He has developed online training materials on information security, PC tune-ups, file transfer technologies, and more. Justin’s computer knowledge is self-taught and based on nearly 20 years of hands-on experience. He spends his spare time practicing the fine art of bricolage, playing with computers, and improving his culinary skills. You can reach Justin by e-mail at [email protected]
Authors’ Acknowledgments

As always, thanks to my agent, Carole McClendon at Waterside Productions, for hooking me up with For Dummies in the first place. Has it really been 15 years now? On the Wiley side, special thanks to Katie Feltman, Kim Darosett, and Heidi Unger. I’d also like to thank Justin Korelc for rolling up his sleeves and digging into the former Longhorn Server as far back as Beta 1. Personally, I want to thank my Mom and Dad for making my career both possible and attainable. Finally, I want to thank my wife, Dina Kutueva, for coming into my life rather later than sooner, and for giving me our wonderful son, Gregory.
—ET

Thanks to my coauthor, Ed Tittel, for including me in this book.
—JPK
Publisher’s Acknowledgments

We’re proud of this book; please send us your comments through our online registration form located at www.dummies.com/register/.

Some of the people who helped bring this book to market include the following:

Acquisitions and Editorial
Project Editor: Kim Darosett
Senior Acquisitions Editor: Katie Feltman
Copy Editor: Heidi Unger
Technical Editor: Christian Mayoros
Editorial Manager: Leah Cameron
Editorial Assistant: Amanda Foxworth
Sr. Editorial Assistant: Cherie Case
Cartoons: Rich Tennant (www.the5thwave.com)

Composition Services
Project Coordinator: Lynsey Stanford
Layout and Graphics: Stacie Brooks, Reuben W. Davis, Andrea Hornberger, Shane Johnson, Christine Williams
Proofreaders: Laura Albert, Broccoli Information Management
Indexer: Broccoli Information Management

Publishing and Editorial for Technology Dummies
Richard Swadley, Vice President and Executive Group Publisher
Andy Cummings, Vice President and Publisher
Mary Bednarek, Executive Acquisitions Director
Mary C. Corder, Editorial Director

Publishing for Consumer Dummies
Diane Graves Steele, Vice President and Publisher
Joyce Pepple, Acquisitions Director

Composition Services
Gerry Fahey, Vice President of Production Services
Debbie Stailey, Director of Composition Services
Contents at a Glance

Introduction (p. 1)

Part I: Servers at Your Service (p. 7)
  Chapter 1: Making Windows Server 2008 Serve You (p. 9)
  Chapter 2: Server Networking Principles (p. 21)
  Chapter 3: Building Your Network (p. 39)
  Chapter 4: Hooking Up Your Network (p. 57)

Part II: Servers, Start Your Engines (p. 71)
  Chapter 5: Ready, Set, Install! (p. 73)
  Chapter 6: Configuring Connections to the Universe (p. 93)
  Chapter 7: Doing the Directory Thing (p. 115)
  Chapter 8: Working with Active Directory, Domains, and Trusts (p. 137)
  Chapter 9: Printing on the Network (p. 155)
  Chapter 10: IP Addressing: Zero to Insane in Two Seconds Flat (p. 175)

Part III: Running Your Network (p. 199)
  Chapter 11: Managing Users with Active Directory Users and Computers (p. 201)
  Chapter 12: Managing Shares, Permissions, and More (p. 227)
  Chapter 13: Preparing for That Rainy Day (p. 241)
  Chapter 14: Network Security Management (p. 263)

Part IV: Serve It Yourself (p. 281)
  Chapter 15: How to Be a DIY Guru (p. 283)
  Chapter 16: Servers the Intel Way (p. 297)
  Chapter 17: Servers the AMD Way (p. 315)
  Chapter 18: Taking Care of Your Own Issues (p. 331)

Part V: The Part of Tens (p. 351)
  Chapter 19: Ten Tips for Installation and Configuration (p. 353)
  Chapter 20: Ten Steps to Networking Nirvana with Windows Server 2008 (p. 363)

Part VI: Appendixes (p. 371)
  Appendix A: Server Components and Technologies (p. 373)
  Appendix B: Windows Troubleshooting Resources (p. 385)

Index (p. 391)
Table of Contents

Introduction (p. 1)
  About This Book (p. 1)
  How to Use This Book (p. 2)
  Foolish Assumptions (p. 3)
  How This Book Is Organized (p. 3)
    Part I: Servers at Your Service (p. 3)
    Part II: Servers, Start Your Engines (p. 4)
    Part III: Running Your Network (p. 4)
    Part IV: Serve It Yourself (p. 4)
    Part V: The Part of Tens (p. 5)
    Part VI: Appendixes (p. 5)
    Bonus Chapter (p. 5)
  Icons Used in This Book (p. 5)
  Where to Go from Here (p. 6)
Part I: Servers at Your Service (p. 7)

Chapter 1: Making Windows Server 2008 Serve You (p. 9)
  Any Server Must Do This (p. 10)
  Choosing Windows Server 2008 (p. 11)
    Meeting the Windows Server 2008 family (p. 11)
    Why use Windows Server 2008? (p. 12)
  Exploring Windows Server 2008 Networking Features (p. 14)
    Providing services through your server (p. 14)
    Managing the user experience (p. 16)
    Keeping it all safe and secure (p. 16)
  The Very Basics of Windows Server 2008 (p. 18)

Chapter 2: Server Networking Principles (p. 21)
  Understanding the Differences between Server and Client Networking (p. 21)
  More Is Better: Multiple NICs (No Cuts) (p. 23)
  Windows Server 2008 Enhances Networking (p. 24)
    Next Generation TCP/IP stack (p. 24)
    Offloading protocol processing (p. 27)
    TCP Chimney (p. 28)
    Changes to NDIS (p. 28)
  Networking Is About Services, Too (p. 30)
    What clients want (p. 30)
    What enterprises want (p. 35)
Chapter 3: Building Your Network (p. 39)
  Developing a Network Implementation Plan (p. 39)
  Understanding Network Design’s Barest Basics (p. 42)
  Deciding Where Networking Devices Must Go (p. 45)
  Consider Hiring an Expert to Install Cable and Equipment (p. 46)
  Always Check Your Work! (p. 47)
  Evaluating Your Network’s Performance and Usefulness (p. 47)
  Creating a Network Map (p. 48)
    It isn’t a map; it’s the whole enchilada (p. 49)
    Capturing data for your network map (p. 49)
    Taking stock of your network (p. 50)
    When the network changes, so does the map! (p. 52)
  Network Interfaces: Built-ins versus Extender Cards (p. 52)
    Don’t knock your NIC (p. 53)
    Don’t stub your TOE (TCP Offload Engine) (p. 54)
    The ever-popular ping test (p. 55)

Chapter 4: Hooking Up Your Network (p. 57)
  Make a Network Medium Happy! (p. 57)
    Fiber and coax make a seriously twisted pair (p. 60)
    Wireless is media, too! (p. 63)
    A final note about cabling (p. 64)
  Raising the Bandwidth Ceiling (p. 65)
    100 Mbps Ethernet (p. 67)
    Gigabit Ethernet (p. 68)
  The Backbone’s Connected to . . . Everything Else! (p. 69)

Part II: Servers, Start Your Engines (p. 71)

Chapter 5: Ready, Set, Install! (p. 73)
  Planning the Installation: Upgrade or New? (p. 73)
    Handling preinstallation tasks (p. 75)
    Preparing for the battle (p. 77)
  Got Enough Horsepower? (p. 79)
  Step by Step: Installing Windows Server 2008 (p. 82)
    Server: Are you ready? (p. 82)
    Windows Server 2008 Setup: A walk-through (p. 82)
  Installing from an Existing OS (p. 85)
  Installing across a Network (p. 87)
  Installing Remotely (p. 88)
  Working through Post-Installation Stress Disorder (p. 88)
    Understanding Activation (p. 88)
    Dealing with service packs (p. 89)
    Using Automated System Recovery (p. 90)
  Oops, My Installation Didn’t Take (p. 91)
  Exploring Automated Installation (p. 92)
Chapter 6: Configuring Connections to the Universe (p. 93)
  Completing the Initial Configuration Tasks (p. 94)
  Server Manager Configuration (p. 95)
    Getting to know the Server Manager console (p. 96)
    Establishing directory trees and forests (p. 103)
    Getting the word out (p. 108)
    Organizing the neighborhood (p. 109)
  Establishing Remote Connections (p. 111)
    Getting connected (p. 111)
    Other frills (p. 113)

Chapter 7: Doing the Directory Thing (p. 115)
  What Is a Directory Service? (p. 115)
  Meeting Active Directory (p. 116)
    Organizing and storing data (p. 116)
    Managing data (p. 117)
    Locating data and resources (p. 118)
  Of Domains and Controllers (p. 118)
    In the beginning . . . (p. 118)
    Wherefore art thou, BDC/PDC? (p. 120)
  Knowing What Makes Active Directory Tick (p. 121)
    What replication means (p. 122)
    The grand schema of things (p. 124)
    Global catalogs (p. 125)
  Planning for Active Directory (p. 126)
    What’s in a namespace? (p. 127)
    Making sites happen (p. 127)
    Oh, you organizational unit (OU), you (p. 129)
  Installing Active Directory (p. 129)
    Promoting domain controllers (p. 130)
    Active Directory’s database and shared system volume (p. 130)
    Modes of domain operation (p. 131)
  When Domains Multiply (p. 133)
    Trust relationships across domains (p. 133)
    Building trees (p. 134)
    Understanding forests (p. 135)

Chapter 8: Working with Active Directory, Domains, and Trusts (p. 137)
  Master of Your Domain (p. 137)
  Trusts Are Good for NT 4.0 and Active Directory Domains (p. 140)
  How Domain Controllers Work Together (p. 141)
    When replication happens (p. 141)
    Know your database limits (p. 143)
  Administrivia Anyone? (Controlling Domains and Directories) (p. 144)
    Exploring the directory management console (p. 144)
    Creating directory objects (p. 145)
    Finding directory objects (p. 148)
    A word on ADSI (p. 148)
  Permission to Proceed? Handling Directory Permissions (p. 149)
    About Active Directory permissions (p. 149)
    Assigning permissions (p. 149)
    Permissions inheritance (p. 150)
    Delegating administrative control (p. 151)
  Managing Trusts (p. 152)
    Establishing trusts (p. 153)
    If you open the door to trusts, who gets to come through? (p. 154)

Chapter 9: Printing on the Network (p. 155)
  Windows 2008 Has a Print Model (p. 156)
    Physical print devices (p. 158)
    Logical assignments (p. 158)
  Installing on the Server’s Side (p. 160)
    Meet the Printers folder (p. 160)
    Adding a networked print device (p. 161)
  Sharing Printer Access (p. 167)
  Bringing Printers and Clients Together (p. 168)
  Managing Windows 2008–Based Printers (p. 169)
  Preventing Printer Problems (p. 171)
  Faxing the Windows Server 2008 Way (p. 172)
    Enabling faxing (p. 173)
    Sending faxes (p. 173)

Chapter 10: IP Addressing: Zero to Insane in Two Seconds Flat (p. 175)
  Resolving a Name: TCP/IP and NetBIOS (p. 175)
    NetBIOS names (p. 176)
    TCP/IP names and addresses (p. 178)
  Calling Everything a Node (p. 180)
    To network ID or host ID? That is the question (p. 180)
    Subnetting: Quiet time for IP addresses (p. 182)
    Hanging your shingle: Obtaining IP addresses (p. 184)
    Address translation: The new magic (p. 185)
  Forcing IP Down the Throat of Windows Server 2008 (p. 187)
    Basic configuration (p. 187)
    Advanced configuration (p. 189)
  Everyone WINS Sometimes (p. 191)
    A glimpse at WINS (p. 191)
    WINS servers (p. 192)
    WINS clients (p. 192)
  NetBIOS over TCP/IP (p. 193)
  DNS Does the Trick (p. 193)
    Whether to DNS (p. 194)
    The deans of DNS (p. 194)
Table of Contents DHCP: IP Addressing Automation ..............................................................195 What is DHCP? ....................................................................................195 Is DHCP in your future?......................................................................196 Ironing Out Problems ..................................................................................197
Part III: Running Your Network ..................................199 Chapter 11: Managing Users with Active Directory Users and Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .201 User Accounts Have Properties .................................................................201 Administrators rule! ...........................................................................203 Guests can wear out their welcome.................................................203 Creating Active Directory Accounts ..........................................................204 General tab ..........................................................................................208 Address tab .........................................................................................208 Account tab.........................................................................................208 Profile tab ............................................................................................208 Telephones tab ...................................................................................210 Organization tab .................................................................................210 Member Of tab ....................................................................................210 Dial-in tab ............................................................................................211 Getting Pushy with Users............................................................................211 What about Groups? 
....................................................................................212 Understanding group scopes............................................................212 Creating and managing groups .........................................................214 Using built-in groups ..........................................................................215 Giving Your Users Nice Profiles..................................................................217 Where You Find Profiles, Policies Are Never Far Away ...........................219 Administering a group policy ...........................................................219 Understanding how group policies are processed ........................221 Creating a group policy .....................................................................222 Auditing for trouble............................................................................224 When Access Problems Loom . . . ..............................................................225
Chapter 12: Managing Shares, Permissions, and More ... 227
  More about Objects, Rights, and Permissions ... 228
    An object lesson ... 228
    When is a file not an object? ... 229
    Users have rights; objects have permissions ... 229
  Of Windows Server 2008 NTFS and Permissions ... 230
    NTFS permissions ... 232
    Advanced permissions ... 233
  FAT and FAT32 Have No Permissions ... 234
  Share Permissions ... 235
Windows Server 2008 For Dummies
  Calculating Actual Permissions ... 237
    The rules of calculation ... 237
    Figure this! ... 237
    Let the OS do it for you ... 238
  But What about Access Control with Active Directory Objects? ... 239
    Delegation of access control ... 239
    Property-based inheritance ... 239
Chapter 13: Preparing for That Rainy Day ... 241
  Why Bother Backing Up? ... 241
    Considering potential threats ... 242
    How many backup types are there? ... 243
    Network versus local backup ... 245
    Understanding the technology ... 246
  Beep! Beep! Planning Backups ... 249
    Storing backup tapes off-site ... 249
    Documenting your hardware and its settings ... 250
    Practicing disaster recovery for your system ... 250
  The Windows Server 2008 Backup Facility ... 251
    Looking at the big picture ... 252
    Performing command line backups ... 253
    Selecting targets and volumes ... 254
    Specifying backup destination and media settings ... 255
    Scheduling backup jobs ... 256
  Restoring from a Backup ... 256
  Third-Party Backup Options ... 257
    Finding third-party packages ... 258
    Evaluating backup systems ... 258
  The Backup Operator ... 260
Chapter 14: Network Security Management ... 263
  Network Security Basics ... 264
    Getting physical ... 264
    Informing the masses about security policies ... 267
  Windows Server 2008 and Security ... 268
    Usernames are more than just names ... 269
    Passwords and security ... 270
    A few more things about passwords ... 274
  A Look into the Future: Service Packs ... 274
  Copping an Attitude ... 275
    The Everyone group ... 276
    User rights ... 276
  Plugging Common Mouse Holes ... 277
    Unseen administrative shares ... 277
    Decoy accounts ... 278
    Last logged on username ... 278
    When good floppies go bad ... 278
  Security Equals Vigilance ... 279
Table of Contents
Part IV: Serve It Yourself ... 281

Chapter 15: How to Be a DIY Guru ... 283
  Server Requirements Revisited ... 284
    Processors: Cores, counts, and options ... 284
    Memory: You can’t have too much ... 285
    Disk space: Look out, it’s a RAID! ... 286
    Network access: Internal, add-in, and counts ... 287
    Case and power supply ... 289
    What about graphics? ... 291
    Important miscellany (cooler, fans, optical drive, monitor, keyboard, mouse) ... 291
  Building a Better Budget ... 292
  PC Component Shopping Tips ... 293
  Assessing Windows Server 2008 Compatibility ... 294
Chapter 16: Servers the Intel Way ... 297
  Choosing a CPU and Motherboard First ... 298
  Selecting and Sizing Memory ... 299
  Selecting and Sizing Disk Space ... 300
    Accessing current needs and anticipating future growth ... 300
    Planning for RAID ... 301
  Making Network Connections ... 301
  Picking the Right Case and Power Supply ... 302
  Building an Intel-Based Server from A to Z ... 303
    Insert the PSU ... 304
    Seat the CPU and cooler ... 305
    Seat the RAM modules ... 309
    Install the hard disk drives ... 311
    Install the optical disk ... 312
    Set up the hardware ... 313
    Install the OS ... 314
  Ready to Rock-and-Roll? ... 314
Chapter 17: Servers the AMD Way ... 315
  Choosing the CPU and Motherboard First ... 316
    What we chose for our example build ... 316
    Exploring your options ... 316
  Selecting and Sizing Memory ... 317
  Selecting and Sizing Disk Space ... 318
  Making the Network Connections ... 318
  Picking the Right Case and Power Supply ... 318
  Construction from A to Z ... 319
    Insert the PSU ... 319
    Seat the CPU and cooler ... 320
    Seat the RAM modules ... 324
    Installing hard disk drives ... 326
    Installing the optical disk ... 328
    Setting up hardware ... 329
    Installing the OS ... 329
  Ready to Rock-and-Roll? ... 330
Chapter 18: Taking Care of Your Own Issues ... 331
  Troubleshooting Common Windows Server 2008 Problems ... 332
    Setup failures ... 332
    Startup failures ... 333
    Diagnosing startup errors ... 335
    Run-time issues ... 337
    Windows Activation ... 339
    Hardware upgrades and software updates ... 340
  Monitoring Server Operations ... 341
    Event Viewer ... 341
    Reliability and Performance ... 343
    Device Manager ... 346
  Tweaking Windows Server 2008 for Efficiency ... 346
    Managed entities ... 346
    Run-time optimization ... 348
  Making the Most of Your Server ... 349
Part V: The Part of Tens ... 351

Chapter 19: Ten Tips for Installation and Configuration ... 353
  Exceed the Minimum Requirements ... 354
  Use Only Qualified Server Hardware ... 355
  Install from Your Network ... 356
  Let the Software Do the Work: Automating Installation ... 356
  Beat Installation Weirdness: Be Persistent ... 358
  Let Lo-Res Come to Your Rescue! ... 358
  Use “Last Known Good” to Do Good! ... 359
  A Custom Installation Saves Systems! ... 359
  Use the Windows Server 2008 DVD to Boot ... 360
  When in Doubt, Back Up! ... 361
  Prepare for the Real Work! ... 361
Chapter 20: Ten Steps to Networking Nirvana with Windows Server 2008 ... 363
  Never Overlook the Obvious ... 364
  Check Windows Server 2008 Routing ... 364
  Open Your TCP/IP Toolkit ... 365
  Use One or More Fast Server Network Adapters ... 366
  Know When to Divide and When to Conquer ... 367
  When in Doubt, Check Your Services ... 367
  Handle Names and Addresses Efficiently ... 368
  Ask What’s New or Different ... 369
  If You Need Help, Ask ... 369
  Watch Network Trouble Spots ... 370
Part VI: Appendixes ... 371

Appendix A: Server Components and Technologies ... 373
  Server Motherboards ... 374
  Server Processors ... 375
  Server Memory (RAM) ... 376
  Disk Drives, Controllers, and RAID ... 377
    SCSI versus SATA drives ... 378
    SCSI versus SATA controllers ... 379
    Building RAID arrays ... 381
  High-End Network Adapters ... 383
Appendix B: Windows Troubleshooting Resources ... 385
  Marvels from Microsoft ... 385
  Windows Server 2008 Books ... 387
  Server-Friendly Publications ... 388
  Other Third-Party Windows Server 2008 Sources ... 389
Index ... 391
Introduction
Welcome to Windows Server 2008 For Dummies, the book that helps anyone who’s unfamiliar with Windows Server 2008 (or Windows-based networks) find his or her way around a Windows Server 2008–based network. In a wired world, networks provide the links that tie all users together. This book tells you what’s going on, in basic, straightforward terms.

Although a few fortunate individuals may already be acquainted with Windows Server 2008 and the networks it supports, many more people are not only unfamiliar with server-based networking but downright scared of it. To those who may be concerned about facing new and difficult technologies, we say, “Don’t worry. Be happy.” Using a server-based network isn’t beyond anyone’s wits or abilities — it’s mostly a matter of using a language that ordinary people can understand.

Ordinary folks are why this book talks about using Windows Server 2008 and networks in simple — and deliberately irreverent — terms. Nothing is too highfalutin to be mocked, nor too arcane to state in plain English. And when we do have to get technical, we warn you and make sure to define our terms to boot.

This book aims to help you meet your needs. You’ll find everything you need to know about Windows Server 2008 in here, so you’ll be able to find your way around — without having to learn lots of jargon or obtain an advanced degree in computer science along the way. We want you to enjoy yourself. Because server-based networking really is a big deal, it’s important that you be able to get the most out of it. We really want to help!
About This Book

This book is designed so you can pick it up and start reading at any point — like you might read a reference book. In Parts I and II, we cover server basics: concepts and terminology in Part I, and the installation and deployment of Windows Server 2008 in Part II. In Parts III through V, you’ll find tons of information on how to run or build a Windows Server 2008–based network. Part III covers running a Windows Server 2008–based network, whereas Part IV describes how you might design, build, and use a do-it-yourself network server PC. Part V includes tips and tricks to help smooth out installing, configuring, and using Windows Server 2008.
Each chapter is divided into freestanding sections, each one relating to the chapter’s major theme. For example, the chapter on installing Windows Server 2008 contains the following collection of information:

• The differences between an upgrade install and a clean install
• How to make sure your hardware is suitable for use as a server
• A step-by-step walkthrough of the installation process
• What to do when installation completes
• Troubleshooting installation problems
• Automating the Windows Server 2008 installation process

You don’t have to memorize the contents of this book. Each section supplies just the facts you need to make networking with Windows Server 2008 easy to use. On some occasions, however, you may want to work directly from the book to make sure you keep things straight.
How to Use This Book

This book works like a reference, so start with a topic that interests you. You can use the table of contents to identify general areas of interest or broad topics. The index, however, is your best tool for identifying detailed concepts, related topics, or particular Windows Server 2008 capabilities, tools, or controls. After you find what you need, you can close the book and tackle whatever task you’ve set for yourself — without having to grapple with unrelated details.

If you’ve never worked with a Windows Server operating system before, it’s a good idea to read Parts I and II in their entirety. Likewise, if you’re new to administering a Windows Server 2008–based network, you might want to read all of Part III. If the idea of building your own server PC from scratch sounds interesting, you’ll definitely dig Part IV. Otherwise, dig in wherever your fancy moves you!

When you need to type something at the keyboard, you’ll see text that looks like this:

Type this.

You’re expected to enter this text at the keyboard and then press the Enter key. Because typing stuff can sometimes be confusing, we always try to describe what it is you’re typing and why you need to type it.

This book occasionally suggests that you consult the Windows Server 2008 online help, printed manuals, Resource Kit, and even Microsoft’s Web site for additional information. In most cases, though, you find everything you need to know about a particular topic right here — except for some of the bizarre details that abound in Windows Server 2008.
If there’s a topic we don’t cover in this book that you need to know more about, we suggest you look for a book on that subject in the For Dummies series, published by Wiley Publishing. In addition, a whole world of Web information about Windows Server 2008 is available on the Internet, and the Microsoft Web site (at www.microsoft.com/windowsserver2008/default.mspx) isn’t a bad place to start looking for such information.
Foolish Assumptions

We’re going to climb out on a limb and make some potentially foolish assumptions about you, our gentle reader. You have or are thinking about getting a computer, a network, and at least one copy of Windows Server 2008. You know what you want to do with these things. You might even be able to handle all these things yourself, if somebody would only show you how. Our goal with this book is to decrease your need for such a somebody, but we don’t recommend telling him or her that out loud — at least, not until you’ve finished this book!
How This Book Is Organized

The book is divided into five major parts, each of which consists of two to six chapters. Each chapter covers a major topic and is divided into sections, which discuss particular issues or concerns related to that topic. That’s how things in this book are organized, but how you read it is up to you. Choose a topic, a section, a chapter, or a part — whatever strikes your fancy or suits your needs — and start reading.
Part I: Servers at Your Service

Part I provides an introduction to Windows Server 2008. You’ll find a detailed description of Windows Server 2008 in Chapter 1 that includes its important features, functions, capabilities, and requirements. Chapter 2 takes a more general look at server-based networking and explains what makes servers special, hardware-wise; what kinds of things servers do; and what services they provide. Chapters 3 and 4 provide a speedy primer on network design and construction to help you decide where to put the pieces and parts that go into a network, including your server, and what to do with them when they’re all interconnected. If you’re already a seasoned networker or have worked with another Windows Server operating system, you can skip this part if you’d like, although you may still want to check out Chapter 1 to see what’s new and interesting in this latest and presumably greatest of Windows Server operating systems.
Part II: Servers, Start Your Engines

Part II tackles Windows Server 2008 head on, starting with its installation and configuration. It covers the issues involved in installing and configuring network hardware specifically for Windows Server 2008. It also covers how to install and manage print servers and services on a Windows Server 2008–based network, how to handle Transmission Control Protocol/Internet Protocol (TCP/IP) addresses, and how to set up and manage directory services in a Windows Server 2008–based environment. Part II is where you figure out how to put the basic pieces of a network together using Windows Server 2008.
Part III: Running Your Network

Part III picks up where Part II leaves off — that is, it talks about living with and managing a Windows Server 2008–based network after the initial installation and configuration phase is complete. It begins with a discussion of how to manage users and groups on a Windows Server 2008–based network, including details on profiles, policies, and local and global groups. Next, it covers how Windows Server 2008 controls access to NTFS files and directories and how to manage network-accessible file system resources called shares. After a network’s users, groups, and data assets are in place, rebuilding such a setup from scratch can be a real pain. That’s where a backup comes in handy, so Part III covers the ins and outs of backing up and restoring a Windows Server 2008 machine, plus other aspects of fault tolerance. After that, a review of network security principles and practices should help to prepare you to protect your data from accidental loss and from would-be hackers and crackers.
Part IV: Serve It Yourself

Part IV takes a detour away from the software side of servers to dig deeply into the hardware on which such software must run. You’ll find out what kinds of pieces and parts go into a PC and what kinds of selections make the most sense when that PC is going to act as a network server. You’ll also dig into the specifics involved in building a basic Intel-based PC for use with Windows Server 2008, where we guide you through options and selection rationales for choosing specific processors, motherboards, memory, disk drives, and so forth. Then we repeat that process for AMD-based PCs for those who might choose to opt for an Opteron processor instead.
Part V: The Part of Tens

Part V follows the grand tradition of For Dummies books, all of which include “The Part of Tens.” Here, you’ll find lists of information, tips, tricks, and suggestions, all organized into short and convenient chapters. This supplemental information is designed to be both helpful and informative and is supplied at no extra charge.
Part VI: Appendixes

If you’ll recall, we said earlier that this book is divided into five major parts. By definition, that means the appendixes must be a minor part of the book, although there’s nothing minor about the content you’ll find covered here. In fact, we decided to include this material to provide our readers with additional information and resources on server hardware and developing good troubleshooting skills to help provide users with the best networking experiences possible.
Bonus Chapter

You’ll find a bonus chapter titled “What Makes Servers Special” at this book’s companion Web site at www.dummies.com/go/winserver2008. This chapter will quickly get you up to speed on server capabilities.
Icons Used in This Book

The icons used in this book point you to important (and not so important) topics in the text.

This icon lets you know that you’re about to encounter information that’s important to understand if you really want to get what’s going on with Windows Server 2008. It may be painful at times, but you have to slog through it.

Oh gee, we’re getting so old that we can’t recall what this one means. Maybe you should check one out and see whether it’s worth watching for!
This icon lets you know that you’re about to be swamped in technical details. We include this information because we love it, not because we think you have to master it to use Windows Server 2008. If you aspire to nerdhood, you probably want to read it; if you’re already a nerd, you’ll want to write us about stuff we left out or other information we should put in!

This icon signals that helpful advice is at hand. We also use it when we offer insights that we hope make using Windows Server 2008 more interesting or easier. For example, whenever we include a shortcut that improves your productivity, it’s usually marked with the Tip icon.

This icon means what it says — you’d better be careful with the information it conveys. Nine times out of ten, it’s warning you not to do something that can have nasty or painful consequences, as in accidentally wiping out the contents of an entire hard drive. Whoops!
Where to Go from Here

With this book at your side, you should be ready to wrestle with Windows Server 2008 and the networks it connects to. Find a subject, turn to its page, and you’re ready to jam. Feel free to mark up this book, fill in the blanks, dog-ear the pages, and do anything else that might make a librarian queasy. The important things are to make good use of it and enjoy yourself while you’re at it.

Please check out the Web page at www.dummies.com. Be sure to take the opportunity to register your purchase online or send us e-mail with feedback about your reading experience.
Part I
Servers at Your Service
In this part . . .

In this part of the book, you get an introduction to the big star in this production — namely, Windows Server 2008 — as you dig into its features, functions, and requirements. But we also introduce you to the whole server circus as we explain what makes servers so special and why taking care of clients is both a joy and a chore. You even get a chance to meet and make sense of the network pieces and parts necessary to bring clients and servers together to help bring home the bacon.

Each chapter presents its information in small, easy-to-read sections. If information is really technical (mostly worth skipping, unless you’re a glutton for punishment), it’s clearly marked as such. Even so, we hope you find this information useful — and maybe even worth a giggle or two.
Chapter 1
Making Windows Server 2008 Serve You

In This Chapter
• Understanding the client-server network model
• Meeting the Windows Server 2008 product family
• Finding out about added and enhanced security features
Windows Server 2008 is the latest and greatest version of Microsoft’s flagship server platform and the successor to the hugely popular Windows Server 2003. Prior to its debut, Windows Server 2008 was codenamed Longhorn, a platform that shared common client features also found in Windows Vista, much like the relationship between Windows Server 2003 and Windows XP. In fact, Windows Server 2008 even shares a common code base with Windows Vista and therefore carries much of the same architecture and core functionality.

Both Windows Server 2008 and Windows Vista share common technical, security, management, and administrative features; an improved IPv6-capable networking stack; native wireless utilities; and a revamped image-based installation format (among many other exciting new features). However, Windows Server 2008 is a total departure from the desktop/workstation realm and offers enterprise and server-specific features and functionality above and beyond anything Windows Vista offers.

In this chapter, we explore some of these features from a 10,000-foot view and then focus on specific topics in the chapters that follow. Large-scale deployment options, improved self-diagnostic tools, advanced reliability and performance monitoring, and enhanced security features are just some of the benefits that inhere to the new Windows Server 2008 platform. First, we take a look at server hardware and make some important distinctions between workstation and server roles and responsibilities.
Any Server Must Do This

The term server speaks to a broad classification of computers that combine hardware components and software services to handle a variety of tasks maintained through network relationships. A server takes many shapes and sizes, covers a wide range of form-factors, and includes numerous components and services. Embedded server platforms are used in network attached storage (NAS) devices, included in network print servers, and scale all the way up to giant mainframes capable of handling millions of simultaneous transactions and resource-intensive processing.

The term form-factor refers to a specific design, layout, size, and shape of a component or device. A form-factor can refer to several mutually independent devices, from the power supply and its interface types to motherboards and their various dimensions, pinouts, and connection types.

In fact, if you take a good look around your office environment, or just about any other office IT infrastructure, you can probably identify several otherwise-overlooked servers and server applications that you use on a regular basis. Modern technology puts the power of servers and server applications in the hands of mere mortals, and nowhere is this more evident than in the consumer market, where multimedia home theater PCs (HTPCs) are part of daily life for many. But back to the business world. . . .

Essentially, any server must serve a network — either clients or other servers, or some combination of the two. The term server also includes the actual server operating system that makes the computer do its job. Commercial server software products such as Windows Server 2008 are designed to handle a greater frequency and variety of tasks than are typical in either the desktop or workstation realms.
Server platforms are an entirely different breed of PC, as compared to their desktop and workstation brethren, which is why they perch atop the hierarchy and the marketplace when it comes to buying an operating system. Specifically, a server is designed and intended to provide services and run server applications under heavy workloads, left unattended and self-managing most of the time. For the most part, servers are self-contained, self-regulated core network entities in an enterprise or business IT environment. Larger amounts of memory (8GB or more), larger storage capacity (terabytes, petabytes, and beyond), special storage methods (mirroring, striping, and multiple-disk aggregation), redundant power supplies, and server-specific form-factors all typically distinguish specialized server hardware components from other, more ordinary computer components. That said, plenty of servers use desktop and workstation hardware such as optical drives, disk drives, and peripheral or display devices.
Chapter 1: Making Windows Server 2008 Serve You
See Appendix A for more details on server hardware components, and check out the Bonus Chapter at dummies.com/go/winserver2008 for a more in-depth discussion of server technologies.
Choosing Windows Server 2008
The Windows Server 2008 platform is further subdivided into multiple packages designed specifically for particular forms and functions. Understanding the distinctions among these market offerings and then understanding how they do or don’t meet your requirements will help you choose the right offering for your budget and your computing needs. In this section, we give you a look at some of the different offerings available under the Windows Server 2008 umbrella.
Meeting the Windows Server 2008 family
Microsoft follows the usual format for marketing its server family offerings, which include both 32-bit and 64-bit varieties. Some of these editions remain functionally similar to their Windows Server 2003 counterparts. These offerings include the following:
• Windows Server 2008 Web Edition: Designed as a basic Internet Information Services (IIS) server platform to build and host Web applications and pages, including Active Server Pages (ASP), ASP.NET, and other .NET Framework and XML-based services.
• Windows Server 2008 Standard Edition: Designed for small to medium businesses, this version supports file and print sharing, works with up to four processors, and accommodates up to 4GB RAM on 32-bit hardware (32GB on 64-bit hardware).
• Windows Server 2008 Datacenter Edition: Designed for infrastructures that demand the greatest scalability, reliability, and availability, supporting up to 64 processors (32 on 32-bit hardware) and up to 2TB RAM on 64-bit hardware (64GB on 32-bit) for high-availability, high-demand processing applications and processes.
• Windows Server 2008 Enterprise Edition: Designed for medium- to large-size businesses as a fully functional server platform capable of operating eight processors and up to 64GB RAM on 32-bit hardware (2TB on 64-bit), with enterprise-class features including clustering and virtualization.
• Windows Storage Server 2008: Designed as a specialized platform for network attached storage (NAS) implementations and optimized for use with file- and print-sharing services in storage area network (SAN) scenarios.
• Windows Server 2008 for Itanium-Based Systems: 64-bit Intel Itanium-based computers require a special version of Windows Server 2008 entirely its own.
You might be thinking, “Wow, what a diverse group of systems! You can’t possibly get any better than that!” Well, that’s what Microsoft was aiming for: To expand and proliferate its new 2008 platform, Microsoft has reformulated many of its top products to encompass many diverse business computing environments. In the preceding list, the items up to and including Enterprise are listed by increasing cost and capability; we don’t yet have information about the cost for Storage Server and Itanium versions, so we left those for the end of the list.
Why use Windows Server 2008?
There are dozens of compelling reasons to explore Windows Server 2008 as a viable platform for any business. In the list that follows, we give you a look at some highlights and expand on features and functions provided in Microsoft’s latest flagship product:
• More control: Windows Server 2008 empowers IT professionals with greater control and management over servers and network infrastructure with enhanced scripting and task-automation capabilities. Improved self-diagnostics and remote control tools create field-serviceable platforms that also may be supported across the network or via the Internet. These features are described in some detail in the section entitled “Benefits of Windows Server 2008” in the Microsoft Product Overview at www.microsoft.com/windowsserver2008/evaluation/overview.mspx. Role-based, image-driven platform installation streamlines large-scale deployment processes and includes new utilities to facilitate creation of custom installation images and custom recovery images, all under one umbrella. The new Server Manager console delivers a consolidated, centralized control center for managing server configurations and related system information. See Chapter 6 for more information on the all-new Server Manager console.
When we speak of field-serviceable parts, we mean those components and devices that can be operated and fixed onsite, or in the field. Many computer-related issues can be resolved onsite, but there are certain circumstances where a part must be sent to a well-equipped service department or parts distributor.
• Greater flexibility: Windows Server 2008 supports custom modifications to better adapt to ever-changing business needs. Enhanced flexibility for mobile users, integrated virtualization (which means that one server can look and act like a bunch of servers, as far as its users are concerned), centralized application access, and new deployment options create a workable platform to suit a variety of enterprise networking scenarios. You can create a custom installation image, or several, based on a core set of necessary applications and configurations and then roll it out to an entire enterprise in a completely automated, unattended fashion to expedite upgrades and new installations.
• Better tools and utilities: The new Windows PowerShell command-line interpreter and scripting language facilitates more administrative control and productivity, and the new Reliability and Performance Monitor provides better monitoring and analysis of system performance. Plus, you can manage and secure multiple server types using the new Server Manager console, which provides centralized access to common administrative tools. PowerShell functionality is beyond the scope of this book and remains in beta status at the time of this writing, so we don’t include material on this subject. See www.microsoft.com/windowsserver2008/powershell.mspx for more details on PowerShell.
• Increased protection: Windows Server 2008 delivers improved security features that increase platform protection, reduce attack surfaces, and provide a firm foundation on which to construct and operate a business. The very core, or kernel, of the operating system is now better protected against various forms of attack. Windows Service Hardening makes Internet-facing services more resilient to Internet attacks, and a variety of access protections and cryptography services strengthen the Windows system. See Chapter 14 for more information on security topics related to Windows Server 2008.
• New and improved TCP/IP features: Windows Server 2008 includes the Next Generation TCP/IP stack, with many changes and enhancements such as IPv6 improvements and policy-based Quality of Service (QoS) for enterprise networks. The Next Generation TCP/IP stack is a total redesign of traditional network stack functionality for both IPv4 and IPv6 protocol versions. Receive window auto-tuning, neighbor reachability, dead gateway detection, black hole router detection, routing compartments, and explicit congestion notification are just a few of its newly added and updated capabilities. (See Chapter 2 for more on the Next Generation TCP/IP stack.)
• Self-healing NT File System (NTFS): In the past, file system errors often required that a disk volume be taken offline for service, which clearly impacted business flow. A new feature and added benefit of the Windows Server 2008 platform is its inclusion of a real-time recovery or self-healing process for the NTFS storage format. That way, businesses can remain operational even in the face of file-system-related issues.
• Server Message Block version 2 (SMB2): The de facto standard for network file systems in the Windows realm is SMB, now revamped to handle scalable increases in server workloads more expeditiously.
• Windows Server virtualization: Windows Server 2008 provides a built-in virtualization capability to enable multiple separate operating system instances operating at the same time, using the same hardware. Users see multiple servers, each with their own data sets, services, and access controls, but IT departments can manage multiple virtual servers on a single set of server hardware.
• Server Core: A new installation option for Windows Server 2008 includes a stripped-down, graphical interface-free server platform that contains only those components and subsystems necessary for a high-availability server that requires fewer updates and less servicing. Envision a cluster of low-overhead, virtualized, highly optimized server operating systems running stripped-down core roles like DHCP or DNS in protected environments, completely autonomous, managed only by a single terminal, and you’ve got the right idea.
These are just some of the exciting new things going on with Windows Server 2008. You’ll find out about many of these capabilities in more detail in the chapters that follow.
Exploring Windows Server 2008 Networking Features
Generally speaking, from a networking perspective, it’s safe to assume that Windows Server 2008 does everything that previous versions of Windows Server have done — including automatic client addressing (DHCP), directory services (Active Directory), network name resolution (DNS, WINS, and so forth), as well as a whole slew of networked applications such as e-mail, databases, transaction processing, and so forth. In fact, Windows Server 2008 does more for networking than previous versions have done, especially where advanced network performance (auto-tuning and optimization), network security, network-based offload and acceleration technologies, and simplified management and diagnostics are concerned. For the complete Microsoft version of this story, see “Windows Server 2008 Networking Features” at www.microsoft.com/windowsserver2008/platnetworking/default.mspx.
Providing services through your server
The client-server paradigm operates largely on client requests for server services. Such requests require both server and client hardware and compatible software, which are necessary to facilitate network functionality between the two. At the most basic level, a client must have a network connection available to transmit a request for services. Likewise, the client must have the correct software installed to formulate an intelligible request and pass it to the network, where a server can notice and respond to such a request. Servers respond to client requests through a listener process belonging to application services such as File Transfer Protocol (FTP) and Telnet. This process runs continuously, accepting inbound client connections as they arrive and managing connection state through the native TCP/IP stack implementation. (Both FTP and Telnet transmit credentials in cleartext, so they illustrate the listener concept better than they serve as recommendations for a production server.) On the software side, servers require the following elements to make services available across the network:
• Network drivers enable the server to communicate with its network interface. This software lurks in the background and exists only to tie the computer to the network interface.
• Protocol stacks send and receive messages across the network. This software also lurks in the background and provides a common language shared with clients, used to ferry information across the network.
• Service applications respond to requests for service and formulate replies to those requests. This software runs in the foreground and does the useful work. The service application includes the listener process, the temporary execution threads, and some type of configuration or management console so that it can be installed, configured, and altered as necessary.
Most software that resides on a server is network aware because delivery of information via network is a server’s primary function. Some application and protocol services that are performed on behalf of a server computer include Active Directory, SQL Server database engines, Exchange e-mail servers, and Quality of Service networking.
Three notable changes to network services in Windows Server 2008 include:
• Failover clustering: Improvements to failover clusters (previously called server clusters) simplify setup and management, better secure cluster deployment, and enhance operational stability. In addition, both networking and communication to storage devices are improved to increase availability of applications and services.
The concepts and terminologies known as failover and clustering aren’t something you’ll encounter with only casual computing experience, so don’t feel threatened if these are entirely foreign to you. A cluster is a set of servers running one or several applications and services. A failover cluster is one in which several server computers operate cohesively so that in the event that one fails, another takes over processing of applications and data in its place.
• Network load-balancing: Advances include support for IPv6 and Network Driver Interface Specification (NDIS) 6.0, Windows Management Instrumentation (WMI) enhancements, and improved functionality with Internet Security and Acceleration (ISA) Server. Network load-balancing redistributes the load for networked client/server application requests across a set of cluster servers.
• 802.1X authenticated wired and wireless access: Authenticated access for both networking technologies relies on 802.1X-capable Ethernet switches and access points (APs) to provide port-based network access control. Because the switch or AP won’t forward a client’s traffic until the client has authenticated (typically against a RADIUS server), unauthenticated or unauthorized devices can’t even transmit packets toward user and computer resources.
Managing the user experience
Windows Server 2008 provides a single central source for managing server identities, system information, server status, configuration problem identification, and role management through the new Server Manager console. Server Manager is an expanded Microsoft Management Console (MMC) snap-in that enables you to view and manage virtually all information and tools affecting server productivity. Server Manager replaces features included with Windows Server 2003, such as Manage Your Server, Configure Your Server, and Add or Remove Windows Components. It also eliminates the requirement to run the Security Configuration Wizard prior to server deployment, because roles are configured with secure settings by default and are easily deployable once installed and configured. (The Security Configuration Wizard is still available if you want to tighten a role’s defaults further.) See Chapter 6 for more on Server Manager.
Keeping it all safe and secure
Windows Server 2008 includes an impressive array of new security applications and features that further enhance enterprise deployments, particularly within hostile environments or under potentially threatening scenarios. Today’s Internet is a brightly illuminated world that casts shadows, and from those shadows arise criminal aspirations that seek to infiltrate, pilfer, and undermine Internet-accessible businesses. Microsoft has stepped up its Windows Server 2008 defenses to better serve the computing public that can’t always defend against unforeseen, persistent, or stealthy attack. The following paragraphs briefly summarize some of the new and newly enhanced security features of the Windows Server 2008 family:
• BitLocker Drive Encryption is a feature of both Windows Vista and Windows Server 2008 (again sharing a common base) that provides strong cryptographic protection for sensitive data stored on the operating system volume. BitLocker encrypts all data stored in the Windows volume and any additional configured data volumes, which includes hibernation and paging files, applications, and application data. Furthermore, BitLocker works in conjunction with a Trusted Platform Module (TPM) to verify the integrity of the early boot components and to protect volumes from tampering while the operating system isn’t running (such as when the system is turned off). Keep in mind that BitLocker protects data at rest: once the system is running and the volume is unlocked, normal file permissions govern access, and BitLocker offers no protection against malware or an attacker acting as a logged-on user.
• Windows Service Hardening turns Internet-facing servers into bastions more resistant to many forms of network-driven attack. It restricts Windows services from performing abnormal activities in the file system, registry, network, or other resources that could be leveraged to install malware or launch further attacks on other computers. Each service runs with its own service-specific security identifier (SID) and only the privileges it needs, so a compromised service can’t reach resources it was never meant to touch.
• Microsoft Forefront Security Technologies is a comprehensive solution that provides protection for the client operating system, application servers, and the network edge. In the Forefront Client Security role, you may provide unified malware protection for business notebooks, workstations, and server platforms with easier management and control. Server security can fortify Microsoft Exchange messaging environments or protect Office SharePoint Server 2007 services against viruses, worms, and spam.
• Internet Security and Acceleration (ISA) Server provides enterprise-worthy firewall, virtual private network (VPN), and Web caching solutions to protect IT environments against Internet-based threats. Microsoft’s Intelligent Application Gateway is a remote-access intermediary that provides Secure Sockets Layer (SSL) application access and protection with endpoint security management.
• User Account Control (UAC) enables cleaner separation of duties to allow non-administrative user accounts to occasionally perform administrative tasks without having to switch users, log off, or use the Run As command. UAC can also require administrators to specifically approve applications that make system-wide changes before allowing those applications to run. Admin Approval Mode (AAM) is a UAC configuration that creates a split user access token for administrators: an administrator logs on and runs with a filtered, standard-user token, and the full administrative token is used only for tasks the administrator explicitly approves through the elevation prompt.
• Windows Firewall with Advanced Security is an MMC snap-in that handles both firewall and IP Security (IPsec) configuration in Windows Server 2008. This edition is the first server release to have the Windows Firewall enabled by default. It can filter inbound and outbound IPv4 and IPv6 traffic and protect information entering or leaving the computer through IPsec. For most configuration tasks, this snap-in supersedes both the separate Windows Firewall applet and the earlier IPsec policy tools.
• Network Access Protection (NAP) is a policy enforcement platform built into Windows Server 2008 that enforces health requirements on the network by requiring that connecting client computers meet certain criteria, such as having a current, functional firewall enabled and recent operating system updates already in place. NAP lets you define custom health requirements, enforced through policy, that validate a computer’s compliance before it is granted full access to the protected network; a non-compliant computer can be restricted to a remediation network until it is brought into compliance.
Microsoft has also gone to great lengths to improve and expand upon many other security features, management and configuration applets, applications, and tools. We cover network security topics more in-depth in Chapter 14.
The Very Basics of Windows Server 2008
Windows Server 2008 is built with components that draw on the Windows Vista family of features and functionality, with added components and capabilities that extend platform coverage to encompass medium and large business computing needs. From NT’s humble beginnings in the early 1990s to Windows Server 2003, Microsoft’s premier network operating system server product has come a long way. Today, Windows Server 2008 offers a reliable and scalable platform for deploying complex intranet solutions by integrating Internet and local network capabilities. In other words, this product will let you play multiplayer, first-person shooter games with people across the office or spread across the globe. Most of the advantages and benefits you enjoy with Windows Server 2003 are contained in Windows Server 2008, along with some changes, additions, and enhancements to existing features and functionality. Most of these improvements are found under the hood, such as changes to how Active Directory works, an expansion of command line management and scripting tools, improvements to domain management, improved security mechanisms and services, greater accessibility and authentication, and some convenient new prepare and repair options in the way installations are handled.
A can’t-miss interface change is the Windows Server Manager (formerly called Manage Your Server), which appears automatically when you log on. In the Server Manager window, you can manage server roles and features, and access Diagnostics, Configuration, and Storage utility categories and much more. It’s up to you whether you want to use Windows Server Manager or start programs and utilities the old-fashioned way (by choosing Start). We chose to bypass the Windows Server Manager by selecting the Do Not Show Me This Console at Logon check box at the bottom of the Computer Information window pane. The entire 2008 platform does offer some interesting promises that just might be realized. The most important of these is the reduced effort required to develop and deploy complex e-commerce Web sites, stand-alone server core application services, and large-scale simultaneous roll-outs. Windows Server 2008 (as well as the rest of the .NET OS family) is tuned to provide better Internet and network service support to clients. When used with the .NET editions of Microsoft programming languages and networking services, you can create an impressive online presence. In the next chapter, we expand more on networking concepts, covering topics that range from multiple network interfaces to load-balancing and protocol offload processing, application services, client-based management, and wide-scale software deployment.
Chapter 2: Server Networking Principles
In This Chapter
• Understanding the client/server network model
• Discovering new Windows Server 2008 features to core networking components
• Identifying client needs and positioning services
• Exploring protocol offload processing and network features
• Establishing server needs and provisioning services
• Defining network-oriented client/server services
• Examining policy-driven network-based application access
• Differentiating client and server wants or needs
For most applications, using Windows Server 2008 in a networked environment means buying into the client/server model. To help you understand this networking model, which explains why it’s necessary for Windows Server 2008 to exist, we explore the client/server model in detail in this chapter. Along the way, you discover more about the types of capabilities and services that client-server networks provide and the various ways that clients and servers interact on such networks.
Understanding the Differences between Server and Client Networking
The client-server networking paradigm describes the basic nature of operation between two computers that establish a connection and exchange data or share resources. The process typically begins when a client caller makes a request to a server application or service — this typifies a normal client-server transaction.
Now, the server may have something to give to the client, or the client may have something to give to the server, but that aspect doesn’t alter the relationship (although it may superimpose roles, particularly where a server is actually the client to another server). This is the push/pull concept, which describes whether data is pushed or pulled from source to destination. Characteristically, the client follows this process:
1. Initiate a request. The client caller requests access to some resource or information from the remote server.
2. Wait for a reply. A participating server issues a reply, either permitting or forbidding the connection, which may require authentication in some cases.
3. Connect and interact. If access is granted, the client possibly authenticates and then begins interacting in some fashion with the server.
Likewise, the characteristic behavior pattern for a server includes these steps:
1. Listen for a request. Calling clients come and go as they please, requesting to initiate and interact with hosted services.
2. Process the request. Once received, the client request may optionally require authentication.
3. Connect and interact. At this point, both client and server are connected on a common channel and able to share resources or information.
From a security standpoint, the listener is the server’s exposed surface: every request it accepts arrives from an unauthenticated peer until step 2 says otherwise, so the request parser and the authentication check are the first things an attacker will probe.
What isn’t always apparent is that a single client connection may potentially involve several different servers to fulfill a single client request. Simple examples are all around you:
• E-mail clients send and receive messages from e-mail servers.
• Web browser clients broker data connections to FTP and Web servers.
• Even simple numeric dots-and-decimals addresses to human-readable hostname resolutions (and vice versa) require that your computer act as a client to a Domain Name System (DNS) server.
An alternative to the client/server model that you’ll hear from time to time, which we don’t discuss at great length, is the peer-to-peer (P2P) network model. In this model, participants act as both clients and servers, sometimes sharing multiple parts of a single piece of data or establishing an open network of client-server hybrids capable of either sending and receiving data or sharing resources without a formal client/server role.
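The request/reply/interact sequence above, and the continuously running listener process described in Chapter 1 under “Providing services through your server,” reduced to working code. This is an added example written for this edition, not code from the book or from any Windows component: it assumes a made-up line protocol (a first line of AUTH <user> <token>, then text lines until QUIT), a constructed credential store, and runs entirely over the local loopback interface.

```python
"""Client/server exchange: a threaded listener, a request, an authenticated
reply (permit or forbid), and an interaction phase."""
import hmac
import socket
import threading

# Constructed credential store for the example. A real service would consult a
# directory or database, never a dictionary in source code.
VALID_TOKENS = {"alice": "s3cret-token"}


def authenticate(request_line: str) -> bool:
    """Check a request of the form 'AUTH <user> <token>' against VALID_TOKENS."""
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "AUTH":
        return False
    expected = VALID_TOKENS.get(parts[1])
    # Constant-time comparison so reply timing leaks nothing about the token.
    return expected is not None and hmac.compare_digest(expected, parts[2])


def handle_client(conn: socket.socket) -> None:
    """Server side: one temporary thread per accepted connection."""
    with conn, conn.makefile("rwb") as f:
        # Steps 1 and 2: read the request and decide whether to permit it.
        request = f.readline().decode("ascii", "replace").strip()
        if not authenticate(request):
            f.write(b"DENIED\n")
            f.flush()
            return  # closing the socket ends the denied session
        f.write(b"OK\n")
        f.flush()
        # Step 3: interact. This toy service upper-cases each line until QUIT.
        for line in f:
            text = line.decode("ascii", "replace").strip()
            if text == "QUIT":
                break
            f.write((text.upper() + "\n").encode("ascii", "replace"))
            f.flush()


class Listener:
    """The listener process: accept a connection, dispatch it, repeat."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))  # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self) -> None:
        while True:
            try:
                conn, _peer = self.sock.accept()
            except OSError:
                return  # listening socket shut down: stop accepting
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()

    def close(self) -> None:
        try:
            self.sock.shutdown(socket.SHUT_RDWR)  # wakes a blocked accept()
        except OSError:
            pass
        self.sock.close()


def client_session(port: int, user: str, token: str, messages: list) -> tuple:
    """Client side: initiate the request, wait for the reply, then interact."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s, s.makefile("rwb") as f:
        f.write(f"AUTH {user} {token}\n".encode("ascii"))
        f.flush()
        reply = f.readline().decode("ascii").strip()
        if reply != "OK":
            return reply, []  # step 2 forbade the connection
        answers = []
        for msg in messages:
            f.write((msg + "\n").encode("ascii"))
            f.flush()
            answers.append(f.readline().decode("ascii").strip())
        f.write(b"QUIT\n")
        f.flush()
        return reply, answers


if __name__ == "__main__":
    listener = Listener()
    print(client_session(listener.port, "alice", "s3cret-token", ["hello", "world"]))
    print(client_session(listener.port, "mallory", "guess", ["hello"]))
    listener.close()
```

The accept loop never does real work itself; it hands each connection to a short-lived thread, which is the “temporary execution threads” arrangement Chapter 1 describes. Note that the server parses the first line before it has any idea who sent it, which is exactly why that parser is kept deliberately small and strict.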
More Is Better: Multiple NICs (No Cuts)
Redundancy is one way of handling heavy workloads and network traffic for a single server servicing multiple clients. Multiple NICs (network interface cards) or network adapters provide separate network stacks that are better able to process a higher volume of traffic, create joined or separate subnets, or serve as an immediate failover when one interface goes down. You can even bind, load, and prioritize settings for one interface over another. Redundancy also enables future network expansion without the added cost of new servers and lets administrators logically separate networks according to the network interfaces they use. Administrators can establish and maintain server gateways that firewall inbound Internet connections away from internal endpoint computers, interconnect otherwise separate networks and subnets, and perform a variety of other tasks. In fact, if you take stock of the server-worthy hardware currently available on the market, you’re likely to see at least two integrated network adapters on many motherboards. Cheaper manufacturing costs and constant consumer demand put those dual interfaces on board and have thus far kept them there. However, these are limited-capability network interfaces that offer only basic functionality — mostly, they just do networking. Additional features are available from some add-in cards and stand-alone network appliances that can perform other tasks generally not feasible with integrated hardware, as described in the next section of this chapter.
Networking lingo
Network stack: We use the term network stack in this chapter; it is the basis of any operating system’s networking capability. In Chapter 1, we called this the protocol stack, which is the same as network protocol stack (or TCP/IP, mentioned later in this chapter), so the terms are used interchangeably. Hopefully you won’t be confused when encountering these variations in the field.
NIC: A NIC is the hardware component that establishes network capability and connectivity through its software applications and drivers. This is the add-in or integrated interface card where you plug in the network cable from a router, switch, or broadband modem.
Windows Server 2008 Enhances Networking
Several underlying changes to the Windows Server 2008 networking infrastructure can enhance the capability and performance of an existing (or design-phase) network, regardless of whether it’s at home or at work. Many of these substantial changes, including total redesigns and new additions, are enterprise-oriented, where the primary emphasis is on capability, performance, and security features, and where advanced options are in the greatest demand. But that doesn’t mean you can’t take advantage of them, too! In this section, we make a connection to some of these enhancements to explore what you can do with your Windows Server 2008 network environment.
Next Generation TCP/IP stack
Windows Server 2008 includes a new implementation (a complete redesign) of the original TCP/IP protocol stack called the Next Generation TCP/IP stack. This new framework is a total rewrite of TCP/IP functionality for both IPv4 and IPv6. It’s designed to better meet connectivity and performance needs in various networking environments using various networking technologies. For the benefit of those stuck in a cave in Patagonia since the early 1980s, TCP/IP is the de facto standard network protocol stack for most server and workstation computers you’ll encounter, but it’s by no means the only one. It expands to Transmission Control Protocol/Internet Protocol and serves as the foundation for network traffic shuttled across the Internet. It’s become a nearly universal means for networked communications of all kinds. The core network stack framework is improved and enhanced to increase existing functionality, complement it with supplementary performance-enhancing functionality, and further expand that framework through additional features and components. The following section covers much of the material that’s both directly and indirectly related to advances in the Next Generation TCP/IP network protocol stack in Windows Server 2008.
Here’s the deal with IPv6
The new kid on the netblock is IPv6, the designated successor to IPv4 and touted as the next best thing. Primary improvements provided in IPv6 include a much larger (128-bit) address space capable of addressing 2^128 (roughly 3.4 × 10^38) unique hosts, eliminating stopgap measures to deal with IPv4 address space limitations and enhancing security and mobility for networked computers. (IPv6 makes IPsec support a mandatory part of the protocol suite, but it doesn’t encrypt or authenticate your traffic unless you configure it to.) Despite these improvements, at the time of this writing IPv6 has seen little real-world deployment in a general sense, which limits the accessibility and availability of this new protocol framework to reserved, designated working groups in the technical field. Outside the scope of experimental and prototype networks in Europe and branches in high-tech companies, nobody is really using IPv6. Not even Cisco has shifted its internal infrastructure entirely over to IPv6 yet, so it’s no surprise (to us, anyway) that not too many other organizations are charging aggressively into IPv6 deployment, either. That said, we certainly won’t deny you the privilege of exploring this new technology and experiencing the advantages, benefits, and contributions of IPv6 deployment in your personal networking environment. We will, however, encourage you to experiment entirely at your own expense of time and money. (There’s just too much ground for us to reasonably cover.) Here are a few pointers to some online resources where you may begin your journey:
• “Everything You Need to Know about IPv6”: This is an Ars Technica article explaining IPv6 in (almost) plain English, complete with block-assignment diagrams. See http://arstechnica.com/articles/paedia/IPv6.ars for more information.
• IPv6 Running, Understanding IPv6 & Advanced Implementation of Protocol: This daily blog is dedicated to IPv6 topical discussion. Visit http://ipv6-tips.blogspot.com for more information.
• IPv6 to Standard: This Web page, devoted to the IETF IPv6 working group standardization process, lists and identifies vendors whose products are IPv6-enabled. See www.ipv6-to-standard.org for details.
Receive window auto-tuning
In TCP, the receive window size defines the amount of data that a TCP receiver permits a TCP sender to push onto the network before the sender must stop and wait for an acknowledgement. To keep a path busy, the window has to cover the path's bandwidth-delay product (bandwidth multiplied by round-trip time), and the 16-bit window field of the original TCP header caps it at 64 KB unless the window scale option (RFC 1323) is negotiated on the SYN. Windows Server 2003 picked a receive window once, per interface speed, and never adapted it per connection, so a single transfer over a fast, high-latency link could never use the available bandwidth. In Windows Server 2008, the maximum receive window size for a connection is determined automatically by receive window auto-tuning, which continuously re-estimates the optimal window on a per-connection basis from the measured bandwidth-delay product and the rate at which the application actually retrieves data. Correctly sized receive windows increase bandwidth utilization during data transfers. The flip side is that a single well-tuned transfer can now consume a much larger share of a link, which is where Quality of Service (QoS) comes in to keep such transfers from starving other traffic on networks operating at or near capacity.
Part I: Servers at Your Service Quality of Service (abbreviated QoS) refers to the ability to shape and control the characteristics of ongoing network communications services. This idea operates on the notion that transmission and error rates (along with other traffic characteristics) can be measured, improved, and guaranteed — to some extent, anyway.
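The arithmetic behind auto-tuning, as an added example (this is not code from the book or from Windows): how many bytes a path holds, what a fixed 64 KB window caps a single transfer at, and which RFC 1323 window scale shift a receiver has to negotiate on the SYN so that auto-tuning has room to grow into. The 100 Mbit/s, 50 ms path is a constructed input.

```python
"""Receive window sizing: bandwidth-delay product and the RFC 1323 window scale option.

Added example for this section, not code from Windows or from the book. The path
figures in main() are constructed for illustration.
"""

MAX_UNSCALED_WINDOW = 65535   # the 16-bit window field of the TCP header (RFC 793)
MAX_WINDOW_SHIFT = 14         # RFC 1323 caps the window scale shift count at 14


def bandwidth_delay_product(bandwidth_bps: float, rtt_s: float) -> int:
    """Bytes that must be in flight to keep a path of this bandwidth and RTT busy."""
    return int(bandwidth_bps * rtt_s / 8)


def max_throughput_bps(window_bytes: int, rtt_s: float) -> float:
    """Throughput ceiling for a receiver whose window never exceeds window_bytes:
    the sender can push at most one window per round trip."""
    return window_bytes * 8 / rtt_s


def window_scale_shift(window_bytes: int) -> int:
    """Smallest RFC 1323 shift count whose scaled 16-bit window covers window_bytes.
    The shift is fixed on the SYN; auto-tuning can only grow the window within it."""
    for shift in range(MAX_WINDOW_SHIFT + 1):
        if (MAX_UNSCALED_WINDOW << shift) >= window_bytes:
            return shift
    raise ValueError(f"{window_bytes} bytes exceeds the largest scalable window")


def advertised_window(window_bytes: int, shift: int) -> int:
    """The 16-bit value actually sent in the window field for a given shift
    (a window that is not a multiple of 2**shift is rounded down)."""
    return min(window_bytes >> shift, MAX_UNSCALED_WINDOW)


if __name__ == "__main__":
    # Constructed path: 100 Mbit/s between two offices with a 50 ms round trip.
    bandwidth, rtt = 100e6, 0.050
    bdp = bandwidth_delay_product(bandwidth, rtt)
    shift = window_scale_shift(bdp)
    field = advertised_window(bdp, shift)
    print(f"path holds {bdp} bytes; an unscaled 64 KB window caps a single transfer "
          f"at {max_throughput_bps(MAX_UNSCALED_WINDOW, rtt) / 1e6:.1f} Mbit/s")
    print(f"window scale shift {shift}: field value {field} advertises {field << shift} bytes")
```

The point to take away is the order of operations: the scale factor is agreed once, in the SYN and SYN-ACK, and cannot change afterwards, so an auto-tuning receiver has to offer a generous shift up front and then grow the advertised value within it. A middlebox that strips the window scale option from the SYN silently pins the connection back to 64 KB, which is the first thing to check when a Windows Server 2008 transfer to a distant site is inexplicably slow.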
Compound TCP
The Next Generation TCP/IP stack also applies Compound TCP (CTCP) to connections with large receive windows and large bandwidth-delay products. Standard TCP grows its congestion window by only one segment per round trip once it leaves slow start, so it takes a great many round trips to fill a high-bandwidth, high-delay path. CTCP adds a delay-based component to the congestion window that grows quickly while queuing delay stays low and backs off as delay rises, which is how it increases the amount of data in flight aggressively without negatively impacting other existing TCP connections sharing the path. CTCP complements receive window auto-tuning (a large receiver window is useless if the sender never grows into it) to provide substantial performance gains in any high-delay, high-throughput network environment. It's enabled by default on Windows Server 2008 and disabled by default on Windows Vista; netsh interface tcp set global congestionprovider=ctcp turns it on.
Explicit Congestion Notification support
Without ECN, a TCP sender learns about congestion only after a router's queue overflows and segments are dropped, which triggers a congestion control mechanism that dramatically reduces the sender's transmission rate. With Explicit Congestion Notification (ECN; see RFC 3168, which you can find at www.faqs.org/rfcs/rfc3168.html), the two TCP peers negotiate ECN on the SYN/SYN-ACK exchange and then mark their packets as ECN-capable in the two low-order bits of the IP header's TOS/DiffServ byte. A router experiencing congestion sets the Congestion Experienced (CE) codepoint on packets it forwards instead of dropping them; the receiving TCP echoes that back by setting the ECE flag in its acknowledgements, and the sender scales back its transmission rate exactly as it would for a lost segment and confirms with the CWR flag. The result is the same slowdown without the loss and the retransmission. Windows Server 2008 includes core support for this protocol feature, disabled by default; netsh interface tcp set global ecncapability=enabled turns it on. It's off by default partly because some older firewalls and load balancers mishandle or reset connections that try to negotiate ECN, so test against your own edge equipment before enabling it fleet-wide.
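The ECN exchange described above, as an added example that is not part of the book or of Windows: it shows where the ECN bits live in the IP and TCP headers and plays the three-party exchange (sender, congested router, receiver) through a deliberately small model. The headers are built only to show the bit positions; the router, the queue depths and the congestion window sizes are constructed.

```python
"""ECN on the wire (RFC 3168): the codepoint in the IP header, the ECE/CWR flags in the
TCP header, and the sender/router/receiver exchange they drive.

Added example for this section, not Windows code. Headers are built here only to show
where the bits live; the router and endpoints are a deliberately small model.
"""
import struct
from dataclasses import dataclass

NOT_ECT, ECT1, ECT0, CE = 0b00, 0b01, 0b10, 0b11      # low two bits of the IP TOS/DS byte
ECN_NAMES = {NOT_ECT: "Not-ECT", ECT1: "ECT(1)", ECT0: "ECT(0)", CE: "CE"}
TCP_CWR, TCP_ECE, TCP_ACK = 0x80, 0x40, 0x10          # bits of the TCP flags byte


def ipv4_header(src: str, dst: str, ecn: int, total_len: int = 40) -> bytes:
    """Minimal 20-byte IPv4 header (no options, checksum left zero) with the given ECN bits."""
    def pack_addr(a: str) -> bytes:
        return bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, ecn & 0b11, total_len, 0, 0, 64, 6, 0,
                       pack_addr(src), pack_addr(dst))


def tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int, window: int = 65535) -> bytes:
    """Minimal 20-byte TCP header; the flags byte carries CWR, ECE, ACK and friends."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def ip_ecn_codepoint(ip_hdr: bytes) -> str:
    return ECN_NAMES[ip_hdr[1] & 0b11]


def tcp_ecn_flags(tcp_hdr: bytes) -> set:
    flags = tcp_hdr[13]
    return {name for bit, name in ((TCP_CWR, "CWR"), (TCP_ECE, "ECE")) if flags & bit}


def router(ecn: int, queue_depth: int, mark_threshold: int = 8) -> int:
    """An ECN-capable router marks ECT packets CE when its queue is deep, instead of
    dropping them; a Not-ECT packet gets no mark (it would be dropped instead)."""
    return CE if queue_depth > mark_threshold and ecn in (ECT0, ECT1) else ecn


@dataclass
class Sender:
    cwnd: int = 10              # congestion window in segments
    cwr_pending: bool = False   # owe the receiver a CWR after reacting to ECE

    def next_segment_flags(self) -> int:
        flags = TCP_ACK | (TCP_CWR if self.cwr_pending else 0)
        self.cwr_pending = False
        return flags

    def on_ack(self, ack_flags: int) -> None:
        # React to ECE as to a loss (halve cwnd), and not again until the CWR
        # that tells the receiver so has gone out.
        if ack_flags & TCP_ECE and not self.cwr_pending:
            self.cwnd = max(1, self.cwnd // 2)
            self.cwr_pending = True


@dataclass
class Receiver:
    echo_ece: bool = False

    def on_segment(self, ecn: int, seg_flags: int) -> int:
        if seg_flags & TCP_CWR:     # sender has reacted: stop echoing ...
            self.echo_ece = False
        if ecn == CE:               # ... unless this very segment is marked again
            self.echo_ece = True
        return TCP_ACK | (TCP_ECE if self.echo_ece else 0)


def run_exchange(queue_depths):
    """One segment per router queue sample. Returns, per step: codepoint seen by the
    receiver, CWR set on the segment, ECE set on the ACK, sender cwnd after the ACK."""
    sender, receiver, trace = Sender(), Receiver(), []
    for depth in queue_depths:
        seg_flags = sender.next_segment_flags()
        on_wire = router(ECT0, depth)                 # the sender marks its segments ECT(0)
        ack_flags = receiver.on_segment(on_wire, seg_flags)
        sender.on_ack(ack_flags)
        trace.append((ECN_NAMES[on_wire], bool(seg_flags & TCP_CWR),
                      bool(ack_flags & TCP_ECE), sender.cwnd))
    return trace


if __name__ == "__main__":
    for step in run_exchange([2, 12, 2, 2]):      # constructed queue depths; 12 exceeds the threshold
        print(step)
```

Two details the model makes visible: the receiver keeps echoing ECE on every ACK until it sees a CWR, so a lost ACK does not lose the signal, and the sender halves its window once per congestion event rather than once per marked packet. A middlebox that zeroes the TOS byte erases the CE mark and turns the exchange back into plain loss-based congestion control.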
Quality of Service (QoS) support
Windows Server 2003 and Windows XP provide QoS functionality to applications through QoS APIs, which developers use to prioritize time-sensitive network data delivery. Windows Server 2008 and Windows Vista add policy-based QoS, a facility for network traffic management that administrators apply through Group Policy without changing any application, so that high-priority traffic is handled first; this helps with streaming media, voice over IP, video conferencing, and other applications where quick response times are needed. A QoS policy either marks outbound packets with a Differentiated Services Code Point (DSCP) value that switches and routers can act on, or throttles the send rate of the matching connections, and it can be scoped by application executable, source or destination IPv4 or IPv6 address, protocol (TCP or UDP), and source or destination port or port range. Keep in mind that a DSCP mark is only a request: it has an effect only where the network equipment along the path is configured to honor it, and an untrusted host can set any mark it likes, so edge switches are normally configured to re-mark traffic rather than trust what arrives.
Enhancements for high-loss environments
The Next Generation TCP/IP stack also improves behavior in high-loss environments through several optimization features that include:
• (RFC 2582) The NewReno Modification to TCP's Fast Recovery Algorithm: NewReno provides faster throughput by changing how a sender recovers when multiple segments in one window are lost. A partial acknowledgement (one that covers only some of the data outstanding when fast recovery began) tells the sender that the next segment is also missing, so it retransmits that segment immediately instead of waiting for a retransmission timeout.
• (RFC 2883) An Extension to the Selective Acknowledgement (SACK) Option for TCP: With this extension (D-SACK), a receiver reports duplicate segments it has received, which lets the sender determine when it has retransmitted a segment unnecessarily and adjust its behavior on the fly to prevent further needless retransmissions. Fewer retransmissions mean better overall delivery.
• (RFC 3517) A Conservative Selective Acknowledgement (SACK)-based Loss Recovery Algorithm for TCP: Windows Server 2003 and Windows XP use SACK information only to determine which TCP segments have yet to arrive. Windows Server 2008 includes the method defined in RFC 3517 to use SACK information for loss recovery when duplicate acknowledgements are received, which the Next Generation TCP/IP stack maintains on a per-connection basis.
• (RFC 4138) Forward RTO-Recovery (F-RTO): Spurious retransmissions can occur when the round-trip time (RTT) increases suddenly and the retransmission timer fires although nothing was lost. The F-RTO algorithm detects such spurious timeouts, particularly in wireless environments where client adapters roam from access point to access point, and returns quickly to normal send rates instead of falling back to slow start.
These represent only some of the many additions, enhancements, and inclusions to the core network components in Windows Server 2008. For a more complete list, visit the Microsoft TechNet article at www.microsoft.com/technet/network/evaluate/new_network.mspx.
Offloading protocol processing Certain specialized network interfaces and hardware are capable of offloading the often resource-intensive burden of processing TCP/IP network stack information, which requires handling of a multilayered protocol framework to deliver encapsulated data. This frees up local CPU and RAM to process other general-purpose tasks and moves the strain of ongoing network connection processes to specially-designed hardware designated for that purpose.
By encapsulated data, we refer to the way data is packaged as it travels down the TCP/IP network protocol stack. Higher-level protocols are encapsulated within header (and sometimes trailer) information so that lower-level routing and switching devices can process (and in some cases interpret) protocol data. Protocol offload processing is supported through software that is called the TCP Chimney in Windows (discussed next) and hardware that is called the TCP Offload Engine (discussed in Chapter 3).
TCP Chimney The TCP Chimney is a feature introduced first in Windows Vista and second — by extension — in Windows Server 2008. It’s the result of Microsoft’s Scalable Networking initiative, which encompasses a number of changes to the core network infrastructure of every new platform product. The goal is to reduce operational overhead associated with establishing, maintaining, and terminating connection state — the status of a given network connection — and all requisite state information throughout the lifetime of a connection. By removing such overhead from general-purpose resources and delegating the responsibility to special-purpose network interfaces, additional computing resources are freed up, especially on servers. A chimney is a collection of offloaded protocol state objects and any associated semantics that enable the host computer to offload network protocol processing to some other network device, usually the network interface. Since NDIS 6.0, Windows Server has included an architecture that supports full TCP offload, called a chimney offload architecture because it provides a direct connection between applications and an offload-capable network adapter. This enables the network adapter to perform TCP/IP stack processing for offloaded connections, as well as to maintain the protocol state.
Changes to NDIS
Microsoft's Network Driver Interface Specification (NDIS) defines a standard application programming interface (API) between network adapter drivers and the protocol stack. The details of a network adapter's hardware implementation are wrapped by a miniport driver so that all devices for the same media are accessed in a common, predictable way. NDIS provides the library of functionality necessary to drive network interactions for the Windows platform, which both simplifies driver development tasks and hides the ugliness of platform-specific dependencies. Some of the new features provided by NDIS specification version 6.0 are described below.
New offload support
NDIS 6.0 supports offloading network traffic processing to compatible network adapters in several new ways:
• IPv6 traffic offload: NDIS 5.1 (Windows XP, Windows Server 2003) already supports IPv4 protocol offload processing; NDIS 6.0 extends it to IPv6 traffic.
• IPv6 checksum offload: Checksum calculations for IPv6 traffic (the TCP and UDP checksums, since IPv6 itself has no header checksum) can now be offloaded to compliant network adapters.
• Large send offload (version 2): NDIS 5.1 supports large send offload (LSO), in which the stack hands the adapter a TCP buffer of up to 64 KB and the adapter itself segments it into MTU-sized frames. Large send offload version 2 (LSOv2) in NDIS 6.0 removes the 64 KB ceiling and adds IPv6 support.
Support for lightweight filter drivers
NDIS 5.x intermediate filter drivers, which had to be written as a protocol driver paired with a virtual miniport, are replaced by lightweight filter (LWF) drivers: a single filter module that attaches directly to the miniport's data path. LWF improves performance, consolidates filter support, and provides a bypass mode in which a filter registers only for the control and data paths it actually needs to examine. Packet capture and host firewall products are typical LWF consumers, so when you evaluate such a product for Windows Server 2008, check that it ships an NDIS 6.0 filter driver rather than a legacy intermediate driver.
Receive-side scaling
Multiprocessor computers running Windows Server 2003 or Windows XP associate a given network adapter with a single processor. That individual processor must handle all receive processing for that interface, despite the fact that other processors may be available. This limits Web- and file-server performance when client connections reach the serviceable limit of that associated processor. Incoming traffic that can't be handled by either the network interface or the server processor is discarded, which is undesirable in just about every situation: every dropped segment shows up as a gap in the receiver's sequence-number space, and the retransmissions needed to fill the gaps amplify the performance penalty.

Sequence numbers are the protocol stack's bookkeeping for a TCP stream: they identify which portions of data have been assembled and in what order, so that portions arriving out of order are properly reordered and those that never arrive are requested again.
Windows Server 2008 no longer associates a network adapter with a single processor; instead, inbound traffic is distributed among the available processors and processed accordingly. This feature is called receive-side scaling (RSS), and it allows for more inbound traffic on high-volume network interfaces. The adapter hashes each packet's addresses and ports and uses the result to choose a processor, so all packets of one connection land on the same processor and stay in order while different connections spread across the machine. A multiprocessor server computer can scale its ability to handle incoming traffic without additional hardware, so long as compliant network adapters are already in place.
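How an RSS adapter picks the processor, as an added example (not Windows or driver code): Microsoft's RSS specification has the adapter compute a Toeplitz hash over the packet's address and port tuple with a 40-byte key supplied by the driver, and then index an indirection table with the low-order bits of the hash. The key, the four-processor indirection table and the SMB flows below are constructed for the example.

```python
"""Receive-side scaling: how an RSS-capable adapter picks the processor for a packet.

Added example for this section, not Windows or driver code. Microsoft's RSS specification
has the adapter compute a Toeplitz hash over the packet's address/port tuple with a
40-byte key supplied by the driver, then index an indirection table with the low-order
bits of the hash. The key and table below are constructed for the example.
"""
import ipaddress
import struct

RSS_KEY = bytes.fromhex(                      # constructed 40-byte key
    "6d5a56da255b0ec24167253d43a38fb0d0ca2bcbae7b30b477cb2da38030f20c6a42b73bbeac01fa")
INDIRECTION_TABLE = [i % 4 for i in range(128)]   # 128 entries spread over 4 processors


def toeplitz_hash(data: bytes, key: bytes = RSS_KEY) -> int:
    """Toeplitz hash: walk the input bits MSB first; for each set bit at offset i, XOR
    in the 32 key bits that start at offset i. The key must therefore be at least
    31 bits longer than the input."""
    nbits = len(data) * 8
    key_bits = len(key) * 8
    if key_bits < nbits + 31:
        raise ValueError("hash key too short for this input")
    key_int = int.from_bytes(key, "big")
    result = 0
    for i in range(nbits):
        if data[i // 8] & (0x80 >> (i % 8)):
            result ^= (key_int >> (key_bits - 32 - i)) & 0xFFFFFFFF
    return result


def rss_hash_ipv4_tcp(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> int:
    """Hash input for IPv4/TCP in the order the spec uses: source address, destination
    address, source port, destination port, all in network byte order."""
    data = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!HH", src_port, dst_port))
    return toeplitz_hash(data)


def select_cpu(hash_value: int, table=INDIRECTION_TABLE) -> int:
    """The adapter uses the low-order bits of the hash (7 bits for 128 entries) as an
    index into the indirection table, which the driver fills with processor numbers."""
    return table[hash_value & (len(table) - 1)]


if __name__ == "__main__":
    # Every packet of one connection has the same 4-tuple, so it lands on the same CPU
    # and stays in order; another client's connection may land elsewhere.
    for src_ip, sport in (("192.0.2.10", 51000), ("192.0.2.10", 51001), ("192.0.2.77", 51000)):
        h = rss_hash_ipv4_tcp(src_ip, "203.0.113.5", sport, 445)   # constructed SMB flows
        print(f"{src_ip}:{sport} -> hash 0x{h:08x} -> cpu {select_cpu(h)}")
```

The hash is not symmetric: the reply direction of a flow, with source and destination swapped, hashes to a different value. That is irrelevant for a server, which only receives one direction, but it is why packet-inspection boxes that need both directions of a flow on one core either use a symmetric key or hash differently. The key matters for another reason too: the driver programs it, and if it were predictable an outside party could craft connections that all hash to one processor. Treat a vendor driver that uses a fixed, published key as a (minor) denial-of-service weakness.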
Networking Is About Services, Too
In the first part of the chapter, our discussion of Windows Server 2008 principles covers mostly the new features added to core networking components, the NDIS 6.0 API, and protocol offload processing. Networking isn't just about these features; in fact, they represent the unseen or transparent infrastructure upon which all services are built and operate. Networking is much more than the communications protocols, offload engines, and security frameworks that serve as the basis for connectivity. Networking would have no purpose or place without the application services that server computers host for client computers (workstations and servers alike), so that both may interact in some fashion. A network, by and large, is for the people, the very endpoint representatives that create network connections. But it isn't entirely about what the people (or clients) want; much of the way a network infrastructure is designed, constructed, and maintained is dictated by what the business wants and needs. In the following sections, we take a closer look at the very distinctions that differentiate client and server wants and needs in terms of application and background services.
What clients want Client computers and personnel want a lot of things: easy access, worry-free reliability, unfaltering dependability . . . and probably some other things they aren’t quite sure of or don’t know how to articulate in techie terms. Who wants to configure an IP address every time a connection is made to the same, or any, network? What about sharing a common connection among other computers?
Simple naming schemes, remote Web-based application access, and transaction-driven database services are just some of what clients want. Let's delve a little further into these topics for your personal benefit.
DHCP
Dynamic Host Configuration Protocol (DHCP) is a set of rules used by network communications devices to request and obtain an IPv4 or IPv6 address lease assignment from a pool of administrator-specified addresses. DHCP alleviates the need for network administrators to make such assignments by hand, freeing them up to handle other tasks. A DHCP server ensures that each connecting client gets an address nobody else on the subnet is using, along with whatever server-specified settings apply to the client connection. It can also ensure that a specific machine gets the same IP address every single time it connects. DHCP is the successor to the older Bootstrap Protocol (BOOTP), which achieved a very similar goal and whose message format DHCP still shares. DHCP automates not only the assignment of IP addresses but also subnet masks, default gateways, DNS servers, and other lease-related parameters. On boot-up, a connecting client broadcasts a request for an address assignment to any DHCP service on its segment. In turn, the service applies a set of rules that govern the assignment and returns the requested information to the client. RFC 2131 defines three modes for allocating addresses:
• Dynamic: Clients are given an address lease that expires after a specified duration. A client that does not renew in time loses the address, which returns to the pool, and reconnecting clients may or may not receive the same IP address. This is the mode nearly every network uses.
• Automatic: The DHCP server picks an address from the administrator's range and assigns it to the client permanently, in effect a lease with no expiry. Nobody chooses the address; it simply never goes back to the pool.
• Manual: The administrator binds a particular IP address to the client's interface hardware (MAC) address in a table on the server, and DHCP merely conveys that address to the client. In the Windows DHCP server this is a reservation, and the reserved address is excluded from dynamic allocation.
One caveat a practitioner should keep in mind: none of this authenticates anybody. The server trusts whatever hardware address the client puts in its request, so a reservation is a convenience for stable addressing, not an access control, and any machine on the segment can answer DHCP requests with its own gateway and DNS settings. Protect the service at the switch (DHCP snooping, where your switches support it) and by watching for unexpected DHCP servers, not by trusting addresses.
Network administrators not only reduce the amount of repetitive and potentially unnecessary effort associated with manual address assignments, but also eliminate the potential for configuration mistakes when configuring multiple clients.
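The three allocation modes as a working model, added here and not taken from the book or from the Windows DHCP server. The message builder and parser follow the RFC 2131 layout (fixed header, magic cookie, type-length-value options); the allocator treats the administrator's reservation table as manual allocation, a lease with no expiry as automatic allocation, and a timed lease as dynamic allocation. Addresses, MAC addresses and the clock are constructed.

```python
"""The three RFC 2131 allocation modes behind a DHCP server, driven by a DHCPDISCOVER.

Added example for this section, not Windows DHCP server code. The message builder and
parser follow the RFC 2131 layout; the allocator is a small model in which the
administrator's reservation table is manual allocation, a lease with no expiry is
automatic allocation, and a timed lease is dynamic allocation. Addresses are constructed.
"""
import ipaddress
import struct
import time

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPDISCOVER = 1


def build_discover(xid: int, mac: bytes) -> bytes:
    """Constructed DHCPDISCOVER: 236-byte fixed header, cookie, option 53, end option."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, len(mac), 0, xid, 0, 0x8000,   # BOOTREQUEST, Ethernet, broadcast flag
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr sname file
    return fixed + MAGIC_COOKIE + bytes([53, 1, DHCPDISCOVER, 255])


def parse_dhcp(msg: bytes) -> dict:
    """Pull out what a server needs to answer: xid, client hardware address, message type."""
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", msg[:12])
    if msg[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    options, i = {}, 240
    while i < len(msg) and msg[i] != 255:        # 255 = end option
        if msg[i] == 0:                          # 0 = pad
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        options[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "chaddr": msg[28:28 + hlen],
            "msg_type": options[53][0] if 53 in options else None}


class Allocator:
    """mode is 'dynamic' or 'automatic'; reservations (manual allocation) always win."""

    def __init__(self, pool, reservations, mode="dynamic", lease_time=3600, clock=time.time):
        self.pool = [ipaddress.IPv4Address(a) for a in pool]
        self.reservations = {bytes.fromhex(m.replace(":", "")): ipaddress.IPv4Address(ip)
                             for m, ip in reservations.items()}
        self.mode, self.lease_time, self.clock = mode, lease_time, clock
        self.leases = {}            # chaddr -> (address, expiry or None)

    def _drop_expired(self) -> None:
        now = self.clock()
        self.leases = {c: (a, e) for c, (a, e) in self.leases.items() if e is None or e > now}

    def allocate(self, chaddr: bytes):
        """Return (address, expiry) for this hardware address; expiry None means permanent."""
        if chaddr in self.reservations:                      # manual: the admin decided
            return self.reservations[chaddr], None
        self._drop_expired()
        if chaddr in self.leases:                            # renewal keeps the same address
            addr = self.leases[chaddr][0]
        else:
            in_use = {a for a, _ in self.leases.values()} | set(self.reservations.values())
            free = [a for a in self.pool if a not in in_use]
            if not free:
                raise RuntimeError("address pool exhausted")
            addr = free[0]
        expiry = None if self.mode == "automatic" else self.clock() + self.lease_time
        self.leases[chaddr] = (addr, expiry)
        return addr, expiry


def serve(allocator: Allocator, discover: bytes):
    """Handle one DHCPDISCOVER: the address the server would offer, and its expiry."""
    req = parse_dhcp(discover)
    if req["msg_type"] != DHCPDISCOVER:
        raise ValueError("expected DHCPDISCOVER")
    return allocator.allocate(req["chaddr"])
```

Note what the allocator keys on: the client hardware address copied straight out of the request. That is the whole basis for a reservation, which is why the prose above warns against treating one as an access control; anyone who sets their adapter's MAC address to the reserved one is handed the reserved address.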
Windows Server 2008 enhancements to DHCP include IPv6 support (DHCPv6) and Network Access Protection (NAP) enforcement, which requires a connecting DHCP client to prove its system health status before receiving a full address assignment; a non-compliant client gets a restricted configuration whose routes reach only the remediation servers. Microsoft's own documentation describes DHCP as the weakest of the NAP enforcement methods, because a user with local administrator rights can simply configure a static address and bypass it entirely. Where the check has to be hard to evade, use 802.1X or IPsec enforcement instead.
NAT
Network Address Translation (NAT), network masquerading, and IP masquerading are all terms used to describe rewriting packets as they pass through an intermediary networking device so that they appear to originate from that device. There are many NAT arrangements, types, and variations, but all operate along the same lines. NAT confers two profound advant
ages on outbound network traffic:
• It permits internal networks to use private IP addresses as per RFC 1918 (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) and handles incoming and outgoing traffic to make that arrangement work.
• It hides the details of internal network addresses, whether public or private, which explains the masquerading terminology used in the preceding paragraph.
There are several distinct advantages to this kind of arrangement. NAT enables many internal computers to use a single external network connection where only a single IP address is assigned, and because the translator has no mapping for a connection it never saw leave, unsolicited inbound probes from the Internet have nowhere to go. That last property is often sold as a security fence, but treat it as a side effect rather than a control: NAT does nothing about connections that an internal (possibly compromised) host initiates outward, about traffic arriving on a mapping that an application opened with UPnP or that an administrator forwarded statically, or about attacks between internal hosts. Put an explicit firewall policy in front of it. NAT originally began as a response to the IPv4 address space shortage but has proven useful in many other ways.

Sometimes, communications protocols are sensitive to alterations in packet header data. NAT rewrites the addresses (and usually the ports) in a packet, which disrupts security protocols that require a packet to pass from sender to receiver unaltered. This was the case for IPsec when it first arrived on the scene: the Authentication Header (AH) computes its integrity check over the source and destination addresses, so a NAT-rewritten packet fails verification at the far end, and ESP in transport mode hides the TCP and UDP ports that a port-translating NAT needs to see. As a result, connections failed, and trouble followed close behind. Today, such traffic is handled without much difficulty, thanks to IPsec NAT traversal (NAT-T, RFCs 3947 and 3948), which detects the NAT during IKE negotiation and wraps ESP in UDP on port 4500 so that the translator has ports to rewrite; Windows Server 2008 supports it. AH remains fundamentally incompatible with NAT, which is one reason ESP is what you'll actually deploy.

Internet Protocol Security, abbreviated IPsec, is an addition to the TCP/IP framework that provides authentication, integrity, and encryption at the IP layer for an otherwise insecure network environment. Such capability is usually involved with large-scale environments spread across geographically diverse networks, or anywhere sensitive business applications and services are privately shared over the Internet.
NAT can be used for load-balancing through connection redirection, as part of a failover design to establish high availability, as a transparent proxy for content caching and request filtering, or to connect two networks with overlapping addresses.
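The RFC 1918 check, the masquerading table, and the reason AH fails behind NAT, as one added example that is not code from the book, from Windows ICS or from RRAS. The translator is a model of what a port-translating (masquerading) router keeps in memory; the integrity-check function is a toy stand-in for AH's ICV, reduced to the one property that matters here (it covers the addresses). All addresses come from documentation ranges and are constructed.

```python
"""Port-translating NAT as a table of flows, RFC 1918 membership, and why AH breaks.

Added example for this section, not Windows ICS/RRAS code. The translator is a model of
what masquerading routers do; the ICV function is a toy stand-in for IPsec AH's integrity
check, reduced to the one thing that matters here (it covers the addresses). All
addresses are from documentation ranges and constructed for the example.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True only for the three RFC 1918 private blocks (unlike ipaddress' is_private,
    which also flags loopback, link-local, documentation ranges, and more)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class PortNat:
    """Source NAT with port translation: one public address shared by many inside hosts."""

    def __init__(self, public_ip: str, first_port: int = 49152):
        self.public_ip, self.next_port = public_ip, first_port
        self.by_public_port = {}   # (proto, public port) -> (inside ip, inside port, remote ip, remote port)
        self.by_flow = {}          # (proto, inside ip, inside port, remote ip, remote port) -> public port

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside->outside packet, creating a mapping on first sight of the flow."""
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.by_flow.get(flow)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.by_flow[flow] = port
            self.by_public_port[(pkt.proto, port)] = flow[1:]
        return Packet(self.public_ip, port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet):
        """Translate an outside->inside packet back, or return None (dropped) when no
        mapping exists or the sender is not the remote peer the mapping was made for."""
        entry = self.by_public_port.get((pkt.proto, pkt.dport))
        if entry is None or (pkt.src, pkt.sport) != (entry[2], entry[3]):
            return None
        inside_ip, inside_port, _, _ = entry
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port, pkt.proto)


def ah_style_icv(pkt: Packet, key: bytes) -> bytes:
    """Toy model of an AH integrity check value: a MAC over fields AH treats as
    immutable, here just the two addresses. Rewriting either one invalidates it."""
    return hmac.new(key, f"{pkt.src}>{pkt.dst}".encode(), hashlib.sha256).digest()


def ah_verifies_after_nat(nat: PortNat, pkt: Packet, key: bytes) -> bool:
    """Does the receiver's check over the NAT-rewritten packet match the sender's ICV?"""
    icv_at_sender = ah_style_icv(pkt, key)
    icv_at_receiver = ah_style_icv(nat.outbound(pkt), key)
    return hmac.compare_digest(icv_at_sender, icv_at_receiver)
```

The inbound path is the whole "fence": a packet is forwarded only if an inside host already created the mapping, and this model additionally insists that it comes from the same remote peer. Real translators vary on that last point (some accept any source on a mapped port), which is exactly the behavior hole-punching tools rely on; in neither case does the table know or care whether the inside host that opened the mapping was acting on the user's behalf.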
Name services
Windows Internet Naming Service (WINS) is Microsoft's implementation of a NetBIOS Name Server (NBNS) on Windows; its relationship to NetBIOS computer names is very similar to that of DNS to domain names. Clients register their NetBIOS names and IP addresses with the WINS server when they start up (the WINS server's own address is usually handed out by DHCP), and other clients query the server to resolve the names of locally connected Windows computer resources instead of broadcasting for them. A single network may have several WINS servers operating in push/pull replication, perhaps in a decentralized, distributed hub-and-spoke configuration. Each WINS server ends up holding a full copy of every other WINS server's records because there's no hierarchy as with DNS, but the database may still be queried for the address to contact (rather than broadcasting a request for the right one). WINS is only necessary if pre-Windows 2000 clients or servers, or Exchange 2000/2003 servers, are present and resolving NetBIOS names. Realistically, most networking environments are better served by DNS as the preferable alternative to WINS, particularly in Windows Server 2003 or 2008 environments. However, WINS remains an integral function in Windows networks that support older clients using legacy software. Keep in mind that NetBIOS name resolution, and especially the broadcast fallback a client uses when no WINS server answers, accepts the first reply it hears and authenticates nothing, which has made it a long-standing target for name-spoofing on a shared segment. Where no legacy client needs it, disable NetBIOS over TCP/IP on the interface.
Application access
Terminal Services (TS) in Windows Server 2008 implements Microsoft's most powerful centralized application access platform and offers an array of new capabilities that reshape administrator and user experiences alike. TS provides centralized access to individual applications without requiring a full-fledged remote desktop session (although that's still an option). Applications operating remotely are integrated on local user desktops, where they look and feel like local applications. An organization can secure remote access to centralized applications and desktops either by tunneling RDP inside HTTPS through TS Gateway or by running it over a VPN. Using TS in a Windows Server 2008 environment enables you to:
• Deploy applications that integrate with the local user desktop.
• Provide central access to managed Windows desktops.
• Enable remote access for existing WAN applications.
• Secure applications and data within the data center.
Windows Server 2008 TS includes the following features:
• TS RemoteApp: Programs accessed through TS behave as if they run locally on a remote user's computer. Users may run TS RemoteApp programs alongside local applications.
• TS Gateway: Authorized remote users may connect to TS servers and desktops on the intranet from any Internet-accessible device running Remote Desktop Connection (RDC) 6.0. TS Gateway carries the Remote Desktop Protocol (RDP) inside HTTPS to form an encrypted, server-authenticated channel between the remote user and the gateway, so only TCP port 443 on the gateway has to be reachable from the Internet instead of RDP's port 3389 on every server.
• TS Web Access: TS RemoteApp programs are made available to remote end users through TS Web Access, a default Web page that lists and launches RemoteApp programs. Resources are accessible from both intranet and Internet computers.
• TS Session Broker: A simpler alternative to load-balancing TS is provided through TS Session Broker, a new feature that directs new sessions to the least loaded server in a small (two to five) farm and reconnects users to their existing disconnected sessions. IT administrators can map several TS IP addresses to a single human-readable DNS name, so end users needn't be aware of any specific settings to connect and reconnect TS Session Broker sessions.
• TS Easy Print: Another new feature in Windows Server 2008 enables users to reliably print from a TS RemoteApp program or desktop session to either a local or network printer installed on the client computer. Printers work without installing print drivers on the terminal server, which greatly simplifies printer sharing.
In addition, the Application Server role in Windows Server 2008 provides an integrated environment for customizing, deploying, and running server-based business applications. This supports applications that use ASP.NET, COM+, Message Queuing, Microsoft .NET Framework 2.0/3.0, Web Services, and distributed transactions that respond to network-driven requests from other applications and client computers.
The Application Server role is a requirement for Windows Server 2008 environments running applications dependent upon role services or features selected during the installation process. Typically, this role is required when deploying internally-developed business applications, which might be database-stored customer records interfaced through Windows Communication Foundation (WCF) Web Services.
Data-based services
Centralized application and data access helps keep sensitive and/or personally identifying information inside the data center rather than in the remote working environment. Less data leaving the corporate network reduces the risk of accidental or incidental data loss through the interception, theft, or misplacement of company notebooks. Through TS Gateway and TS RemoteApp, participants can be limited to a single application or several resources, without exposing any more information than necessary to do their jobs. For those mobile users out in the field, BitLocker Drive Encryption provides full-volume encryption to store sensitive data at rest safely and securely. Everything on the encrypted volume, up to and including core Windows operating system files, is covered, and on a machine with a Trusted Platform Module (TPM) the boot components are measured as well, so tampering by unauthorized parties is detected even if the hard drive is removed or the notebook is manipulated while powered off. Keep the limits in mind: BitLocker protects a machine that is lost or stolen while powered off or hibernated. Once Windows has unlocked the volume, anyone with access to the running system, locally or over the network, reads the data as usual, and the recovery key (which Windows Server 2008 can escrow in Active Directory) must be protected like the data itself. Windows Server 2008 File Services are technological provisions that facilitate storage management, file replication, folder sharing, fast searching, and accessibility for UNIX client computers. See Microsoft TechNet articles for information on these features.
Web-based services Task-based Web server management is handled in Internet Information Services (IIS) 7.0, a powerful, modular platform for remote applications and services with enhanced security, featuring health monitoring for Web services. IIS 7.0 and .NET Framework 3.0 provide the basis for application and user connectivity, enabling users to distribute and visualize shared information. Windows Server 2008 SharePoint Services is a scalable, manageable platform for the collaboration and development of Web-based business applications. This can be installed as an integrated server role through the new Server Manager console — no more downloading and running Setup. The SharePoint Products and Technologies Configuration Wizard runs you through the installation process for server farm configurations, dramatically easing the deployment options for large-scale enterprise networks. Consult Microsoft TechNet articles for more information on SharePoint Services.
What enterprises want Enterprise wants and needs far exceed anything the desktop or workstation consumer group can possibly offer. Most of those wants and needs center around managing resources or maintaining connections among desktops, workstations, and other server computers.
Active Directory
Active Directory (AD) is Microsoft's directory service for Windows-based networks. Clients and applications talk to it primarily through the Lightweight Directory Access Protocol (LDAP), and it relies on Kerberos for authentication and on DNS to locate domain controllers. AD provides central authentication and authorization services, global policy assignment, widespread software deployment, and large-scale updates for an entire organization. AD Domain Services (AD DS) is used to centrally store and manage information about the network resources spread across a given domain. The framework itself holds a number of levels that include forests, domains, and trees, as described in fuller detail in Chapters 7 and 8.
Access controls
Employees are defined by their roles or capacities within an organization. There are leadership roles, management roles, and general occupational roles to fulfill, each defined by separate duties, privileges, and responsibilities. Among those privileges and responsibilities are varying layers of access to business-related information. For example, a general employee has no real reason to access or modify management-related information, such as work schedules or other employees' contact information. In much the same way, users are defined in a system by their access privileges on that system. Access controls are the restrictions set in place on server computers to prevent accidental, intentional, and unauthorized use of data, files, and settings, particularly those critical to system operation. One feature Windows Server 2008 brings to the table is Network Access Protection (NAP), which enforces health checks on incoming client connections. That is, it inspects the state of the client to make sure it meets requirements for antivirus and antispyware coverage and currency, Windows Update currency, firewall state, and so forth. Be clear about what kind of control that is: the client's own health agent produces the statement of health, so a compromised or deliberately misconfigured client can report whatever it likes. NAP keeps honest but out-of-date machines off the network; it is not designed to keep out an attacker, and Microsoft's documentation says as much.
Policy-based controls Policy-based controls on the Windows Server 2008 platform are evident virtually anywhere a user or process interacts with the system. Active Directory (AD) Domain Services are a global configuration policy-driven framework used to define various Windows network parameters for an entire organization. Policy-based control is also apparent in protective access mechanisms deployed on the network to enforce certain requirements for connecting computers.
Microsoft's Network Policy Server (NPS) is an implementation of Remote Authentication Dial-In User Service (RADIUS), serving as the network-policy checking server and RADIUS proxy for Windows Server 2008. NPS replaces the Internet Authentication Service (IAS) of Windows Server 2003, performs all the same functions for VPN and 802.1X-based wired and wireless links, and additionally performs health evaluations before granting access to NAP clients. Policy-based controls also encompass a variety of other Windows Server 2008 core components and features, such as network protocol-oriented QoS and the system-wide directory services provided through AD.
Client management
In addition to NAP features that ensure an acceptable level of health for Windows Server 2008 networks, a number of other useful client management tools are natively available on the platform. Remote Desktop Connection (RDC) 6.0 adds server authentication: the client verifies the terminal server's identity through its TLS certificate before it sends the user's credentials, which prevents accidental connections to unintended targets and the exposure of sensitive client-side information to an unauthorized server. Leave that check set to warn or refuse rather than "connect anyway"; a client that silently proceeds on a certificate mismatch hands its credentials to whoever answers on the port. TS Gateway also provides end-to-end sessions using the Remote Desktop Protocol (RDP) tunneled inside HTTPS, for an encrypted communications channel between remote clients and the gateway.
Software deployment There’s a lot of redundancy in virtually every modern computing and networking environment. There are multiple workstation computers for multiple employees, possibly built with dual memory banks, dual-core processors, and doubled-up RAID drives and NICs, communicating with load-balanced servers operating in round-robin fashion — just to give a thumbnail perspective of a much bigger portrait. Chances are good that in an environment like this, when you configure, install, or modify something once, you’ll have to repeat that same action elsewhere. Large-scale software deployments are one clear instance of this observation. Generally, you don’t install just one computer but several. It may be a few dozen, or it may be several hundreds or thousands. Either way, do you really want to process each case individually by hand? We didn’t think so, and neither do most administrators, which is why you hear things like “unattended” or “automated” installation.
Windows Server 2008 further enhances the software deployment cycle by realizing a simple principle: build a modular, easily modified, unified image format through which all subsequent installation images are created, each unique only in the features it removes from or adds to the base. The Windows Imaging Format (WIM) is that format: a file-based image that can hold several images sharing common files, so that you can create in-house install images that incorporate whatever applications, configurations, or extensions you deem necessary. Then, you can roll out multiple installs at a time in a completely self-contained, automated fashion that can even include previously backed-up personal user data and settings.
Chapter 3
Building Your Network
In This Chapter
• Designing networks that work
• Understanding the fundamentals of network design
• Situating servers and other network devices
• Double-checking your design work
• Mapping your network

Whether you're constructing a complete network or simply renovating an existing network, the basic approach is the same. You begin by planning what you want to implement, and then you gather the ingredients necessary to realize your plans. Next, you have to execute those plans according to the blueprint that you devised. The execution of any successful network project plan involves bringing all the pieces together, applying solid organizational principles to your network, and documenting what you add (and what's already in place) to your network.
Developing a Network Implementation Plan

Whenever you set forth on a network project, start by analyzing your requirements. If you’re building a network from scratch, this phase can take weeks or even months of effort; if you’re simply extending or repairing an existing network, planning may take a day of your time or less. Whatever your project’s scope, your plan should contain the following:

• A brief statement of your overall objectives, plus a more lengthy statement of requirements that addresses the following:
  • What applications and services users need to access
  • Estimates of user-to-server bandwidth requirements
  • Estimates of server-to-server bandwidth requirements (where applicable)
  For example: The new XYZ Inc. network will provide 60 users with access to Windows Server 2008 file and print services, plus access to a SQL Server sales and inventory database. Each user will require no more than 6 Mbps bandwidth, and there are no server-to-server bandwidth requirements during business hours because all backups are scheduled for after-hours and weekends.
• A complete list of all the elements that you must purchase or otherwise acquire to meet those objectives. For example: At XYZ Inc., three different department servers (Accounting, Manufacturing, and Sales) will act as routers to link two network segments of 10 users each, for a total of six user segments based on 100 Mbps Ethernet. The three servers will be connected with a 1000 Mbps Ethernet backbone using Gigabit Ethernet (GbE). We will purchase six 16-port 10/100 Ethernet hubs (one per user segment, each with two GbE links for the corporate backbone) to leave room for growth, and three dual-core 2.13 GHz Intel Xeon 3050 server machines, each with 8GB RAM and 2TB of disk space, along with a 16-port GbE switch to handle the backbone itself. We will also attach three Buffalo TeraStation Pro II network attached storage (NAS) units so that we can back up all three servers across the backbone.
• A description of the role each element will play on the network, the location of each element on the network, the configuration of each element, and the time during the installation process in which you plan to add each element to the network. You should use a map or a set of plans to help you place cables, computers, and other components, and a timeline to indicate the order in which you have to install everything. For example: The Accounting server will handle users from the Accounting and Purchasing departments; the Manufacturing server will handle users from the Manufacturing and Engineering departments; the Sales server will handle users from Administration as well as from the Sales and Marketing departments. All servers, the backbone, and all hubs will be installed when the company is closed between Christmas and the new year. The network should be operational when normal business operations resume. A map of this network appears in Figure 3-1.
• A test plan that describes how you plan to test individual elements, individual cable segments, and the entire network (including who is responsible for specific tasks) to make sure everything functions properly after you finish the installation. For example: The three servers will be installed first and tested individually the weekend before the Christmas break. On December 23 and 24, the GbE backbone will be installed. On December 28, the backbone will be tested. On December 28 and 29, the hubs will be installed and tested. On December 30, workstations on all existing 10-Mbps cable segments will be connected to the new 10/100 hubs and tested individually. From December 31 to January 2, automated testing software will exercise the entire network. On January 3, a network technician will visit our site with Bob, the site administrator, and any last-minute changes, repairs, and adjustments will be performed. We believe the network will be ready for use on January 4.
[Figure 3-1: A simple map of XYZ Inc.’s network shows all switches, servers, and cable segments laid over a simple floor plan. The drawing places the Accounting, Manufacturing, and Sales servers, Switches #1 to #3, the GbE backbone, the network attached storage (NAS) units, and the department PCs (Accounting, Purchasing, Manufacturing, Engineering, Sales, Marketing, Administration) across three floors of offices.]
This plan helps you to decide where you must place key network elements, such as servers, switches, routers, and other network devices. More importantly, the plan also helps you determine what type of network technology and bandwidth you need to deploy to meet your objectives. Because most businesses work on a budget, building a plan also helps you make sure that you won’t try to spend more than you’re allowed to spend or incorporate more exotic technologies than you can afford. Your network implementation plan should also help you evaluate your current network backbone or plan a new one to be able to carry all the traffic that normally comes together on such critical network segments.
Understanding Network Design’s Barest Basics

The possible implementations from which you can choose when designing a network are innumerable. To help you distinguish between what’s improbable, possible, feasible, and recommended when designing your network, here’s a set of helpful guidelines:

• Select a network technology: When adding to or expanding an existing network, this decision is easy — it simply requires choosing something identical to or compatible with whatever you’re using. For new networks, you need to analyze what kinds of applications and services users require:
  • For ordinary office work (e-mail, word processing, spreadsheets, basic database access, and so on), 10/100 Mbps Ethernet works well.
  • For high-traffic or real-time applications — such as Computer Aided Design (CAD), imaging, video conferencing, and voice over network — either 100 Mbps Ethernet or GbE to the desktop makes sense, depending on end-user bandwidth requirements.
  • For high-availability or mission-critical business applications — such as on-demand services and business-to-business applications — both redundant network configurations and failover clustering (first introduced in Chapter 1) should be part of your initial IT infrastructure design.
  It’s seldom necessary to deploy GbE to all desktops, but some may need it. So plan carefully to provide gigabit connections to those who do need it, and likewise, plan your backbone carefully to make sure it can handle all the aggregated bandwidth needs. (In some rare cases, a 10 GbE backbone might be required, but usually not for most small- to medium-sized operations.)
• Position office equipment close to users: When designing a network, the smartest thing you can do is minimize the distance between users and the resources they use most. This applies to printers (so users enjoy easy access to output), servers (so cable runs needn’t be too long), and other resources (such as fax machines, scanners, and copiers) that users need to access to do their jobs.
• Closely situate mutually-dependent servers: Keep in mind that some servers act as front-end clients to other servers, which stands in contrast to the typical client-server role. Maintain close proximity for these servers to minimize bandwidth utilization to a reasonable level and leave the longer pathways between client and server.
• Build an online work environment: When designing a network, you also have to take into account current working patterns and arrangements in your offices. (For example, if the Accounting and Purchasing departments work together all the time and use the same applications, perhaps they should share a server.) This also applies to the type of network you build. For small companies, centralized control and tight security may hamper your workers; in large companies, centralized control and tight security are the norm. You must serve the communities that currently exist in your organization and use the network to help users communicate and be as productive as possible.
• Arrange servers, hubs, and other key resources: The places where wiring congregates — namely at punchdown blocks, wiring centers, and equipment rooms (or closets) — sometimes dictate where certain equipment must be placed. Be sure to check the distance between those locations and the areas where workers reside. In most cases, offices are designed to support cabling from a centrally located wiring center or equipment room for groups of offices. If that isn’t the case in your workspace, you may have to add new equipment rooms and wiring centers or move workers to bring them closer to existing facilities. Either of these solutions takes time and costs serious money, so be sure to get management involved in deciding which options make the most sense for your organization.
• Build better backbones: Depending on your network technology choice, you’ll probably want to arrange your network to include a special highway for data to travel across when multiple network cables come together. This can happen between servers, as with the XYZ Inc. example in this chapter. Such portions of the network are called backbones. A backbone can be something as simple as a so-called collapsed backbone, in which a high-speed switch links multiple cable segments and provides a single, high-speed connection between all cable segments. A backbone can also be as complex as a staged backbone, in which intermediate segments jump from switched 100 Mbps-Ethernet to switched GbE at the server (as in the XYZ Inc. example in this chapter). More complex backbones might even include a segment of 10 GbE on the innermost segment, where traffic is heaviest.
• Plan for growth: When planning a network, include at least 30 percent spare, unused capacity in your design. This spare capacity should include network ports (unused ports on switches), unused network cables in offices and cableways, and bandwidth on individual network segments and switches. That way, you can grow within your current environment for a while without having to redesign your network on a regular basis. If your annual growth rate exceeds 30 percent, design at least one year’s planned growth into your network — better yet, one year’s planned growth plus 30 percent.
• Work within the system: As you discover when you start deploying a network in any organization, networks have a political as well as a technical side. When you plan a network, you should work within your system in at least two ways:
  1. Make sure that management knows about and approves of what you plan.
  2. Make sure that you handle the work, contracts, purchases, and so on within the rules and regulations of your organization.
  If you neglect either of these guidelines, the only thing you’ll learn how to network is trouble!
• Check your design: After you put a network design down on paper, review that design against what you know about the network technologies it uses. Be especially careful to check maximum cable lengths, maximum number of devices per segment, and maximum number of cable segments and devices between any two ends of the network against the rules that apply to the technologies you plan to use. You don’t want to build a network that tries to break these rules. If you do, your network may not work, or worse, it may work for a while and then quit working when you add users or devices. If you check your work before you build, you won’t try to build something that can’t work or that’s inherently prone to trouble.
• Ask for a sanity check: After you’ve put a network design down on paper and checked your work, you should also solicit input from one or more networking experts. Redesigning a network is always easier while it’s still on paper; you don’t want to fix a flawed design after you’ve built a network. The more qualified advice you get before you start building, the better off you’ll be in the long run. In fact, this advice is worth paying for because it can save you a world of hurt (or your job, for that matter).

Although this list of network design principles isn’t exhaustive, it should lead you toward designing a network that works best for your organization. Because these guidelines consider work patterns, politics, and organizational rules as well as technology, the resulting network should serve your organization well for more than just technical reasons.
Deciding Where Networking Devices Must Go

You must purchase the necessary equipment, cables, connectors, and so on and start deploying the components that make a network work. When you start situating key network equipment — including servers, storage or backup devices, switches, and routers — you need to make some important decisions about how to situate them, particularly as they fit into your existing network plan. For small organizations of 25 people or less, using separate locked facilities to store hubs and servers may not make sense. Small organizations tend to be more informal and are less likely to have the kind of budget that supports a full-time information systems (IS) staff. In these circumstances, you usually want to situate your networking gear along with all your other gear — out in the open with other equipment for easy access to one and all. If you do put the networking gear out in the open, make sure that only users with valid passwords can log on to such equipment. Otherwise, we highly recommend locking it up. Larger organizations tend to be more concerned about security and control, and therefore, they usually situate key networking components in locked equipment rooms and in locked wiring closets or wiring centers at various locations around their offices. Because the equipment has to be close to the wiring, it isn’t uncommon for servers to reside in wiring closets along with punchdown blocks, switches, and other networking equipment. Only authorized personnel should be allowed to access these facilities. Likewise, only authorized personnel should be allowed to add users or equipment to the network, usually within a system of regularly scheduled updates or maintenance. In office buildings, for example, this usually means one or two wiring closets or equipment rooms per floor, where only authorized personnel have keys or access codes to get into these rooms.
Choose an approach to situating your servers that makes sense for your organization, and stick with it. If you’re going to follow rules for placing equipment, share those rules with employees so that they know what’s going on. In fact, formulating a security policy for most networks is a smart move, and you should regularly explain that policy to your employees in detail. (For more information on this subject, see Chapter 14.)
Most small- to medium-sized companies — such as the fictitious XYZ Inc. mentioned in this chapter — put their servers into small, locked rooms at each end of the floors they occupy in an office building. This keeps the distances between users’ desktops and the wiring centers acceptably low and puts their servers alongside the punchdown blocks and switches they use, which helps manage wiring. This approach also provides controlled access to the equipment and software that makes their networks work in a small number of closely managed locations. Finally, it addresses the need for adequate ventilation and power control that hubs and servers require for proper operation, which many wiring closets don’t offer.
Consider Hiring an Expert to Install Cable and Equipment

Normally, you install cable and equipment at the same time you build a network. You may run your own cables for your network and perform all equipment installation and configuration yourself; you may contract both the cable and equipment installation out to third parties, or you may choose some point between these two extremes. Whichever way you go, somewhere along the way you’ll be ready to put the finished pieces of your network together. When it comes to installing cable, we highly recommend that you employ experienced cable installers with good references. The company that owns or operates your office building may even require a licensed cable installer to perform any such work. Here’s why this is a good idea:

• Adherence to building and fire codes is mandatory, but it can also be tricky; working with an experienced professional is a good way to avoid trouble.
• Cable placement and routing are sensitive; trained professionals know how to avoid potential trouble spots and always test their work to make sure that the network will behave properly.
• High-speed networks are much more finicky and prone to installation difficulties than lower-speed networks. The faster you want your network to go, the better off you’ll be if you leave the cabling to an expert.
• Consult with network installers and professionals to acquire an accurate concept as to how to lay your cable. They don’t necessarily have to install your network if you already have capable hands onboard, but in the event you receive outside assistance, make sure they provide you with the cabling plans for your organization.
Always Check Your Work!

If you decide to install cable and/or equipment yourself, we strongly advise that you bring up your network in small, manageable pieces. When installing multiple cable segments, as when linking one wiring closet to another or each wiring closet to the backbone, bring up individual segments one at a time and test them to make sure each one works before connecting all of them. Likewise, if you’re installing a backbone or a server cluster, test individual components separately before trying them out en masse. When you install equipment, apply the same principles. After you install and configure a machine, check it by itself to make sure it works before attaching it to the network. This is as appropriate for switches and routers as it is for server and desktop computers, as well as network attached storage devices. Our suggestions on piecewise checking and gradually increasing the complexity of your network come from experience. We found out the hard way that throwing everything together at once can cause problems that are too hard to troubleshoot because you have to deal with too many unknowns.
Evaluating Your Network’s Performance and Usefulness

After you build a network, you may be tempted to rest for a while to enjoy your success. After all, you’ve earned it, right? Well, although you should certainly pat yourself on the back, you should also realize that the real work begins as soon as users start using the network (or a new portion of an existing one). If you’re responsible for a network, you must not only keep things running for the moment, but also keep them running — and running well — over time. Whereas the network you build or extend may meet your users’ initial needs, any network’s capability to meet users’ continuing needs diminishes over time. Growth, change in technologies, and new applications and services guarantee that nothing stays the same for long in the workplace — this includes your network as well as the systems and services that the network delivers to your users. Therefore, you need to conduct regular reviews of how well your network meets users’ needs. In small or slow-growing organizations, you may have to review the network only once a year. In large or fast-growing organizations, you should review the network on a quarterly basis.
Your network review should include at least these three elements:

• Traffic analysis and usage review: You can conduct this yourself by using the built-in Windows Server 2008 tools and facilities, such as System Monitor, and third-party software tools. The idea is to take a performance and behavior snapshot of your network during ordinary-load, light-load, and peak-load conditions. If any of these loads encroach on the boundaries of what the current design can reasonably support, start planning to extend and expand your network.
• User interviews: You can interview selected users on a one-on-one basis in your organization or hold meetings with individual workgroups and departments. The idea is to give employees a chance to share their observations, gripes, and wishes regarding the network. This can give you a great opportunity to not only gauge user satisfaction and networking knowledge, but also determine whether you should give employees additional training on how to use the network more effectively.
• Management review: You should meet with members of management regularly to find out what they’re planning and what future information-processing needs they’re considering. You can also gauge management’s impressions of and beliefs about the network as you report your findings from the previous two items to them.

If you perform these reviews and keep in touch with upcoming changes and requirements, you can keep your network and your organization better synchronized. Planning for change and growth is essential to modern networks because they’ve become critical business tools that organizations depend on to do their work. If you take an active approach and plan, you can stay ahead of the curve!
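One way to take the traffic snapshot the first review item describes, as an added example rather than code from the book or from Microsoft: it samples the Network Interface performance counters that System Monitor reads, keeps each interface’s peak, and flags any interface whose peak has eaten into the 30 percent spare capacity recommended earlier in this chapter. It assumes Windows PowerShell 3.0 or later; the design limits (100 Mbps by default, matching the XYZ Inc. user segments) are assumptions to replace with your own plan’s figures.

```powershell
# Added example, not from the book: a one-minute throughput snapshot of every
# network interface on this machine, compared against the design limit for its
# segment, so that interfaces eating into the chapter's recommended 30 percent
# spare capacity are flagged. Assumes Windows PowerShell 3.0 or later.
# $DesignMbps entries and the 100 Mbps default are constructed assumptions
# (XYZ Inc.'s user segments run 100 Mbps Ethernet); set them to your own plan.
param(
    [int]$SampleIntervalSeconds = 5,      # seconds between samples
    [int]$SampleCount = 12,               # 12 x 5 s = one-minute snapshot
    [double]$SpareFraction = 0.30,        # spare capacity the design must keep
    [hashtable]$DesignMbps = @{},         # counter instance name -> design Mbps
    [double]$DefaultDesignMbps = 100      # used when an interface is not listed
)

function Get-InterfacePeak {
    param([int]$Interval, [int]$Count)
    # Bytes Total/sec counts both directions. The highest sample per interface
    # is kept because peak load, not the average, is what threatens the design.
    $sets = Get-Counter -Counter '\Network Interface(*)\Bytes Total/sec' `
                        -SampleInterval $Interval -MaxSamples $Count
    $peak = @{}
    foreach ($set in $sets) {
        foreach ($cs in $set.CounterSamples) {
            $mbps = ($cs.CookedValue * 8) / 1e6
            if (-not $peak.ContainsKey($cs.InstanceName) -or $mbps -gt $peak[$cs.InstanceName]) {
                $peak[$cs.InstanceName] = $mbps
            }
        }
    }
    return $peak
}

function Test-DesignHeadroom {
    param([hashtable]$PeakMbps, [hashtable]$Design, [double]$Default, [double]$Spare)
    # With 30 percent spare capacity the usable ceiling is 70 percent utilization.
    $ceiling = (1 - $Spare) * 100
    foreach ($name in $PeakMbps.Keys | Sort-Object) {
        $limit = if ($Design.ContainsKey($name)) { $Design[$name] } else { $Default }
        $util  = [math]::Round(100 * $PeakMbps[$name] / $limit, 1)
        [pscustomobject]@{
            Interface      = $name
            PeakMbps       = [math]::Round($PeakMbps[$name], 2)
            DesignMbps     = $limit
            UtilizationPct = $util
            Status         = if ($util -gt $ceiling) { 'PLAN EXPANSION' } else { 'OK' }
        }
    }
}

$peaks = Get-InterfacePeak -Interval $SampleIntervalSeconds -Count $SampleCount
Test-DesignHeadroom -PeakMbps $peaks -Design $DesignMbps -Default $DefaultDesignMbps -Spare $SpareFraction |
    Format-Table -AutoSize
```

Run it once under light load, once under ordinary load, and once at the busiest time of day so the three snapshots the review calls for can be compared side by side.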
Creating a Network Map

Earlier in this chapter, we introduce you to most of the basic principles involved in designing and building a network. By now, you have a pretty good idea about how networks work. As you spend more time around networks, however, you may realize that what they do isn’t nearly as important as what you know about what they do. Whether you wrestle with networks only occasionally or full-time, you may discover that there’s nothing like a network map to help you find and keep track of routers, switches, and other network appliances on your network.
It isn’t a map; it’s the whole enchilada

Calling the collection of data that describes your network a map doesn’t do this concept justice. A network map is certainly more than a mere drawing that shows where network components live on your network, but creating such a drawing is a great way to start building a network map. If you look at the following list of devices and properties that a network map should contain, you’ll see why such a map is more than a mere depiction:

• A list of all computers on your network, with supporting documentation
• A list of all network equipment — such as servers and switches, plus any routers, firewalls, and so on — with supporting documentation
• A list of all printers and other similar equipment on the network — such as scanners and fax machines — with supporting documentation
• Lines to indicate where cables run and where punchdown blocks, wall plates, and other media-related elements are located
Capturing data for your network map

Because a network map is so important and such a powerful tool, pause right here and start one immediately. Be prepared to spend some time and energy on this project because most of the data that makes up a network map is scattered all over the place. Building a detailed network map is a worthwhile investment. It can pay for itself many times over as you come to depend on it. At worst, you discover more about your network than you ever wanted to know (but not more than you’ll ever need to know). At best, you get to know your network so well that it will seldom throw you a curve ball — and you may even find some things to tweak and tune while building that map.
Starting at the foundation

Obtaining a set of your building’s architectural drawings or engineering plans can help a great deal. If you can find any drawings or plans, take them to an architect’s supply store and make copies that you can mark up and use as a base map. (Most plans are created using an old-fashioned, ammonia-based copying system called blueline. You can copy even large-sized plans for less than $25 per plan.)
If a professional cabling outfit installed your network, you should be able to get a copy of their cabling plans, which work even better than architectural drawings or engineering plans because they probably already show where the cable is laid and how much of it you have. This is another good reason that do-it-yourself may not be the best way to cable your network. If no such plans are available, you can sketch a room-by-room layout on rectangular grid paper (such as an engineering pad) to make it easy to draw to scale. Be sure to mark the location of machines, devices, approximate locations for cable runs, and so on. A network map drawn to scale enables you to visualize the network layout, including any potential problem areas or unforeseen complications in the final design.
Anything on your network should be on the map

Anything that merits attention or costs money is worth recording on your map. You don’t need to go into great detail about each and every connector or note the exact length of every cable. (Approximate lengths within a meter or so are useful, however.) Indicate every major cable run, every computer, and every piece of gear attached to the network.
Taking stock of your network

The information you gather while producing a network map creates a detailed inventory of what’s on your network and where everything’s located. Unfortunately, you quickly find out that this is a lot of information. To make keeping an inventory easy for yourself (and for anyone who follows in your footsteps), build a template or form that you can fill out for each item on the network. This approach forces you to collect consistent information and makes delegating information gathering to others easier. Include all of the following information for each computer on the network:

• The hardware configuration for each machine: Include a list of all interfaces and their settings, information about installed RAM and drives, and the make and model of the keyboard, display, and so on. If you can find out who sold you the equipment, write that down, too. Keeping track of equipment is typically the accounting department’s responsibility. Check with those folks for a copy of your company’s capital assets or a depreciable items inventory (if available). This type of documentation normally includes serial numbers and other identification for hardware on the network. If no one in your company has gathered such information, collect it yourself. It’s valuable.
• The software configuration for each machine: Include lists of configuration files, operating system data (including version number, most recent Service Pack applied, and so on), as well as a list of programs and versions installed on the machine.
• The network configuration for each machine: Include the make and model of each network interface card (NIC), plus a list of driver files with names, version numbers, dates, and sizes. You can capture such data to a file easily on Windows systems by choosing Start➪Programs➪Accessories➪System Tools➪System Information➪Hardware Resources; use this as the basis for this inventory. (On Windows XP, Windows Vista, and Windows Server 2003/2008 systems, the menu selection begins with Start➪All Programs.)

In addition to information on each computer, your inventory should also include the following data:

• A list of other equipment, such as switches, routers, storage devices, and printers: Include the manufacturer, model, make, and serial number for each piece of equipment. If the equipment includes memory modules, disk drives, or plug-in interface cards, get information about them, too. If the equipment uses software or firmware, record the name, version, release date, and any other information you can garner about such items.
• A list of all the cable segments on the network: Give each segment a unique name or number and associate your records with whatever type of identifier you use for those segments. Record the type and make of cable, its length, the locations of its ends, and any significant connections or intermediate locations that you may have to visit in the future.
• A list of all the vendors who’ve worked on your network or its machines: Include names and phone numbers of contacts at each operation. This can be a valuable resource for technical support and troubleshooting.
Over time, add the names and phone numbers of tech support or other individuals at these organizations who prove to be knowledgeable and helpful. Essentially, the information gathered while creating and maintaining a network map forms a database of everything anyone needs to know about your network. To improve access to and usability of this data, consider storing the text for your network map in an honest-to-gosh database engine. If this is too labor-intensive, a file- or paper-based approach works, but it takes more effort to maintain over time. Whichever method of recording data for your map you use, be sure to keep your inventory complete and up-to-date.
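One way to gather the per-machine hardware, software, and network configuration fields listed above into the inventory database, as an added example and not code from the book: it queries the WMI/CIM classes that hold this data and appends one CSV row per machine. It assumes Windows PowerShell 3.0 or later and, for remote machines, PowerShell remoting (WinRM); the computer names, output path, and Site tag are placeholders.

```powershell
# Added example, not from the book: collect the per-machine hardware, software
# and network configuration the chapter's inventory template calls for and
# append one CSV row per machine, ready to load into the network-map database.
# Assumes Windows PowerShell 3.0 or later and, for remote machines, PowerShell
# remoting (WinRM). Computer names, output path and Site tag are constructed
# placeholders; replace them with your own.
param(
    [string[]]$ComputerName = @('localhost'),
    [string]$OutputCsv = 'C:\NetMap\inventory.csv',
    [string]$Site = 'XYZ Inc. HQ'
)

# Installed programs come from the Uninstall registry keys (32- and 64-bit
# views). Win32_Product is deliberately avoided: enumerating it is slow and
# triggers an MSI consistency check on every package it touches.
$programScript = {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object { '{0} {1}' -f $_.DisplayName, $_.DisplayVersion } |
        Sort-Object -Unique
}

function Get-MachineInventory {
    param([string]$Computer)
    $isLocal = $Computer -in 'localhost', '.', $env:COMPUTERNAME
    # Without -ComputerName, CIM queries run locally and need no WinRM listener.
    $cim = @{ ErrorAction = 'Stop' }
    if (-not $isLocal) { $cim.ComputerName = $Computer }

    $os    = Get-CimInstance Win32_OperatingSystem @cim
    $cs    = Get-CimInstance Win32_ComputerSystem @cim
    $bios  = Get-CimInstance Win32_BIOS @cim
    $disks = Get-CimInstance Win32_DiskDrive @cim
    $nics  = Get-CimInstance Win32_NetworkAdapter @cim |
             Where-Object { $_.PhysicalAdapter -and $_.NetEnabled }
    # Driver name, version and date live in the signed-driver class, keyed by
    # the adapter's PnP device instance ID.
    $drivers = Get-CimInstance Win32_PnPSignedDriver @cim |
               Where-Object { $_.DeviceClass -eq 'NET' }
    $ipCfg   = Get-CimInstance Win32_NetworkAdapterConfiguration @cim |
               Where-Object { $_.IPEnabled }

    $nicRecords = foreach ($n in $nics) {
        $d  = $drivers | Where-Object { $_.DeviceID -eq $n.PNPDeviceID } | Select-Object -First 1
        $ip = ($ipCfg | Where-Object { $_.Index -eq $n.DeviceID } |
               ForEach-Object { $_.IPAddress }) -join ' '
        '{0} [{1}] driver {2} {3} ({4}) ip {5}' -f $n.Name, $n.MACAddress,
            $d.DeviceName, $d.DriverVersion, $d.DriverDate, $ip
    }
    $programs = if ($isLocal) { & $programScript } else { Invoke-Command -ComputerName $Computer -ScriptBlock $programScript }

    [pscustomobject]@{
        Site         = $Site
        Computer     = $cs.Name
        Collected    = (Get-Date).ToString('s')
        Manufacturer = $cs.Manufacturer
        Model        = $cs.Model
        SerialNumber = $bios.SerialNumber
        RamGB        = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        Disks        = ($disks | ForEach-Object { '{0} {1} GB' -f $_.Model, [math]::Round($_.Size / 1GB) }) -join '; '
        OS           = $os.Caption
        OSVersion    = $os.Version
        ServicePack  = $os.CSDVersion
        Nics         = $nicRecords -join '; '
        Programs     = $programs -join '; '
    }
}

$rows = foreach ($c in $ComputerName) {
    try   { Get-MachineInventory -Computer $c }
    catch { Write-Warning ('{0}: {1}' -f $c, $_.Exception.Message) }
}
New-Item -ItemType Directory -Path (Split-Path $OutputCsv) -Force | Out-Null
$rows | Export-Csv -Path $OutputCsv -NoTypeInformation -Append
```

Because the script appends rather than overwrites, re-running it after a change leaves the earlier row in place as a dated history of that machine.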
Applications such as Visio (Microsoft Office’s diagram and visualization application that can be found at http://office.microsoft.com/en-us/visio/default.aspx) and Cheops (an active network visualization tool that can be found at http://cheops-ng.sourceforge.net/) can help you create network maps. Search your favorite search engine using the keywords network visualization to find other applications and companies that can help you with this process. If you don’t want to spend money on such a tool, add the words free or open source to the front of the search string.
When the network changes, so does the map!

One thing that you can always be sure of when it comes to networks: They’re always changing. Your map is only as good as the information it contains. And the map remains useful only if that information is an accurate reflection of the real network in your organization. Whenever anything changes on your network, make updating the map and its associated database a priority. Sitting down and checking your map is much less work than walking around and looking at the real objects that the map shows. If the map is current, you can keep on top of things from the comfort of your office. If it’s out of date, you’d better start walking!
Network Interfaces: Built-ins versus Extender Cards

Integrated and add-in components continue to define the basic classifications for most computer hardware. Some consumers, consultants, and computer geeks swear by and base buying decisions purely and solely on this distinction. Why, then, is this distinction so incredibly special? The advantages and disadvantages for built-in versus extender cards used to be much different only a few years ago, when components and technologies just weren’t up to speed with the best-of-breed, high-speed network capabilities. As internal processing power and speed continue to increase, so does networking power — albeit separately and for its own reasons. Point being, these two computing properties are beginning to find that happy medium, which is perhaps best illustrated by the fact that GbE network interfaces are built into most contemporary retail motherboards, and server motherboards usually have two or more built-in GbE interfaces.
One primary difference remains unchanged: serviceability. Clearly an integrated network solution is an island unto itself when damaged, even though it’s physically very much a part of the motherboard. That’s actually the crux of the problem — it can’t (easily, if at all!) be removed, and replacement can be costly, up to whatever the price of the same or similar motherboard replacement costs. Usually it isn’t so bad — a simple GbE replacement NIC costs an average of $50 as we update this chapter, whereas fancy but very fast GbE NICs can cost from $100 to as much as $800. As mentioned earlier, a Network Interface Card (NIC) is the basic physical component that enables you to have network capability on any given computer. This also requires a network stack and driver software and may involve a third-party configuration utility or application.
Part I: Servers at Your Service
Don’t knock your NIC
Don’t underestimate the worth of your NIC, and certainly don’t overestimate the capability of a cheap store-bought generic card. The problem with cheap network cards is the same as anything else: cost-saving, corner-cutting, conservative-thinking manufacturers skimp on form and feature to produce a market-ready, low-budget offering. Sure, these generic cards are okay for mundane machines handling lightweight, mundane chores. But we aren’t even operating on that level — we have Windows Server 2008 to empower and embolden our network, and there’s no sense in cutting cost on the NIC because the difference in price is negligible compared to the savings that can be realized elsewhere. Here are a few points to consider when researching NICs for your network:
• Which computers will connect to the network
• Connection types (wired, wireless) and interfaces (UTP, fiber)
• Network interface properties and services (TOE, Quality of Service, and so on)
• Security principles and procedures (encryption and encapsulation protocols)
• Server- or workstation-specific roles and responsibilities
For the most part, NICs are all the same for workstations, servers, and notebook computers. Their packaging, features, and capabilities are all specific to the particular needs and uses for the computers they go into. The interfaces for Ethernet and GbE are exactly the same; the biggest difference lies mainly in how the medium is used. However, a fiber interface is incompatible with a GbE interface and requires some intervening piece of network hardware to connect the two. While many such technologies can and often do intermix on the same network, there may be performance bottlenecks that occur with each transition between separate interface types and technologies. Such bottlenecks are unavoidable because there will always be some transition between several network technologies and protocols in a large-scale network environment, especially the Internet. Remember that a computer is for computing and a router is for routing. Although a computer can perform the same tasks as a router (and then some), it may be considerably wasteful in some circumstances and just plain overkill in others. When given the option, always buy a router for routing purposes and leave the computing tasks to computers (and vice versa).
Don’t stub your TOE (TCP Offload Engine)
Why make something your responsibility if it doesn’t have to be? After all, offloading responsibility is how a lot of managers — ahem, we mean management applications — operate in the network world. The TCP Offload Engine (TOE) is one such technology built into network interfaces that offloads processing of the entire TCP/IP network stack directly onto a specialized NIC controller. This process no longer has to be the typical burden to your main CPU and RAM! This tactic is employed within high-speed NICs and networks (typically Gigabit Ethernet and 10 Gigabit Ethernet) where handling network stack overhead is most significant. Because TCP is a connection-oriented protocol, this increases the complexity and processing overhead related to the establishment of serially-controlled connections, checksum and sequence number calculations, sliding window recalculations, and eventual connection teardown and termination. In short, there’s a lot of computation and tracking required while TCP is busy at work, and that workload increases with network speed and increased demand. TOE is a response to the increased load and network resource demand imposed by GbE hardware and the invariable increase in resource utilization. When the computer carries this burden, the CPU is interrupted repeatedly from processing normal applications and processes, which slows performance gradually to the point that perceptible signs of performance degradation can appear. As the network expands coverage and aggregates multiple GbE links, even the most powerful servers will eventually suffer performance penalties under intense load. Clustering, virtualization, Internet SCSI (iSCSI), and Remote Direct Memory Access (RDMA) have all contributed to the increasing use of TOE-enabled network interface cards because they leave more server oomph to deliver services and handle requests outside the network communications realm.
The ever-popular ping test
Perhaps nowhere is groping more appreciated than within an unresponsive network environment, where it’s perfectly okay and even warranted to reach out and touch your neighbor — or several of them. Packet Internet Groper (ping) is a basic network diagnostic command that enables you to check link state and troubleshoot connectivity problems by sending stimulus packets to another endpoint or intermediary device on the network, which elicit responses from participating network devices and computers. Ping is an essential first resort when testing network connectivity — it establishes a baseline and jump-off point for further investigation or immediate resolution. You usually precede issuance of the ping command only by an obligatory physical cable connection check to ensure sanity and eliminate any silly probable causes. Ping works by issuing Internet Control Message Protocol (ICMP) echo request packets to a destination and then awaiting echo reply response packets. This is sometimes dubbed ping and pong in honor of tabletop tennis. Ping uses interval timing and response rates, estimates round-trip time, and reports any packet losses that might occur.
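To make the echo request/reply exchange concrete, here is an added example (not from the book) that builds and checks ICMP echo messages the way ping does, then matches a constructed set of replies to their requests to compute round-trip times and packet loss. The identifier, payload and timings are made-up sample values, and nothing is sent on the wire.

```python
import struct
from dataclasses import dataclass

ICMP_ECHO_REQUEST = 8  # type field of an echo request
ICMP_ECHO_REPLY = 0    # type field of an echo reply


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (an odd trailing byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an ICMP echo request (type 8) or echo reply (type 0) with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)   # checksum field zeroed first
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


@dataclass
class EchoMessage:
    icmp_type: int
    ident: int
    seq: int
    payload: bytes


def parse_echo(packet: bytes) -> EchoMessage:
    """Parse an ICMP echo message; raise ValueError if it is truncated, corrupt, or not an echo."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    if icmp_checksum(packet) != 0:          # a valid message sums to all ones, so its complement is 0
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        raise ValueError("not an ICMP echo request or reply")
    return EchoMessage(icmp_type, ident, seq, packet[8:])


def summarize_ping(ident: int, requests: dict, replies: list) -> dict:
    """Match echo replies to the requests of one ping session and report RTTs and loss.

    requests maps sequence number -> send time (seconds); replies is a list of
    (receive time, raw ICMP bytes). Replies that are corrupt, carry another
    identifier, or duplicate an earlier reply are ignored, as ping itself does.
    """
    rtts_ms = {}
    for recv_time, raw in replies:
        try:
            msg = parse_echo(raw)
        except ValueError:
            continue                                    # corrupt packet: no credit for this one
        if msg.icmp_type != ICMP_ECHO_REPLY or msg.ident != ident:
            continue                                    # someone else's ping session
        if msg.seq not in requests or msg.seq in rtts_ms:
            continue                                    # unknown sequence or duplicate reply
        rtts_ms[msg.seq] = (recv_time - requests[msg.seq]) * 1000.0
    sent, received = len(requests), len(rtts_ms)
    stats = {"sent": sent, "received": received,
             "loss_pct": 100.0 * (sent - received) / sent if sent else 0.0}
    if rtts_ms:
        values = list(rtts_ms.values())
        stats.update(rtt_min_ms=min(values), rtt_avg_ms=sum(values) / len(values),
                     rtt_max_ms=max(values))
    return stats


def demo_session() -> dict:
    """Constructed sample exchange (not a live capture): four requests sent one second
    apart, one reply lost, one stray reply from another session, one corrupted reply."""
    ident = 0x1234
    payload = b"WS08 ping"
    requests = {seq: float(seq) for seq in (1, 2, 3, 4)}
    replies = [
        (1.012, build_echo(ICMP_ECHO_REPLY, ident, 1, payload)),
        (2.015, build_echo(ICMP_ECHO_REPLY, ident, 2, payload)),
        (3.020, build_echo(ICMP_ECHO_REPLY, 0x9999, 3, payload)),  # different identifier
        (4.011, build_echo(ICMP_ECHO_REPLY, ident, 4, payload)),
    ]
    corrupted = bytearray(build_echo(ICMP_ECHO_REPLY, ident, 3, payload))
    corrupted[-1] ^= 0xFF                                 # damage the payload; checksum now fails
    replies.append((3.030, bytes(corrupted)))
    return summarize_ping(ident, requests, replies)


if __name__ == "__main__":
    print(demo_session())
```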
Chapter 4
Hooking Up Your Network
In This Chapter
• Selecting the correct network medium
• Choosing an Ethernet technology
• Understanding the role of a network backbone
Buying computers doesn’t make a network! You have to interconnect computers to enable them to communicate. You can set up communications among computers in several ways; the one you choose depends on your budget and bandwidth needs. Okay, most of it depends on your budget! Transmission media is a fancy, generic term for cabling and wireless transmission technologies. The media provide the means by which computers talk to each other across a network. In fact, computers can communicate through the airwaves using broadcast transmissions, through the wiring in a building, or through fiber-optic cabling across a campus. Linking long-distance or Internet connections to local networks means that there’s almost no limit to what your network can access! In this chapter, you also examine different methods to interconnect networks using cables and other media. You find out which media are appropriate for desktop access and which work best for server-to-server activity. You also discover more about network anatomy as we tackle two ticklish subjects — namely, backbones and wide area network (WAN) links.
Make a Network Medium Happy!
A happy network medium has nothing whatsoever to do with a TV psychic. Rather, finding the right network medium means implementing network cabling that won’t cause bottlenecks. Depending on whether you’re building a network from the ground up or starting from scratch, you may need to take a different approach to evaluating cabling options for your network:
• If you step into a job where a local area network (LAN) is already in place, cabling is probably in place, too. Evaluating the type, capabilities, and usability of an inherited network is almost always a good idea. That way, you can decide whether you can live with what you have, or whether some change will do the network good. You may learn, for example, that old cabling causes so many difficulties that you’re better off replacing or upgrading it. (We’ve popped out ceiling tiles and found badly spliced cables hidden from view.)
• If you’re planning a brand-new network, one of your concerns is to determine your cabling needs. Decide which network cabling you’re going to use before ordering equipment for your network because you can often order computers and peripherals with the appropriate network interface cards (NICs) preinstalled and preconfigured. (Of course, NICs are preinstalled and preconfigured on an existing network, which means your choices have already been made for you.) The more work you save yourself, the better!
• If a contractor handles your cabling maintenance, don’t assume that every old cable gets replaced if it isn’t completely up to snuff. A contractor may choose to reuse substandard cables to save on material costs. Without proper wiring, your network may be in constant trouble. (Or it may not work at all.) If you work with a cable contractor, require the contractor to test each network cable and insist that the contractor provide you with those test results. In fact, many companies hire one contractor to install cables and another to test them. By doing so, they ensure that the common tendency to overlook errors or potential sources of problems on a network can be avoided — plus, it never hurts to get a second opinion.
The most common cabling technology for LANs is baseband cable, which is cable set up for baseband transmission. For this reason, we concentrate on baseband cable in this book. Check out the sidebar titled “Use the right pipes in your network’s plumbing” for a description of baseband transmission and how it differs from broadband transmission. If you know what to look for, the name of a particular type of cable can tell you all about its transmission properties. Ethernet cable notation (set down by the Institute of Electrical and Electronics Engineers, or IEEE) breaks down as follows:
• The speed of the Ethernet in Mbps
• The cable’s technology — broadband or baseband
• The cable’s rated distance in hundreds of meters or the type of cable — twisted-pair or fiber-optic cable
Use the right pipes in your network’s plumbing
Wiring in a network is like plumbing in a house. Just as pipes form the pathways through which water flows to and from your plumbing fixtures, a network’s wiring provides the pathways through which computers transmit data using electrical signals. The amount of data that computers can move through a wiring system at any one time depends on the characteristics of the wires, or pipes, installed. The larger the pipes, the more data the computers can send simultaneously. You can think of a network’s bandwidth as the size of a network’s pipes. Bandwidth represents a range of usable frequencies and is measured in hertz (Hz). A higher hertz rating for a network medium means higher available bandwidth. Higher bandwidth translates into bigger pipes to carry data. Just because you have big pipes, however, doesn’t mean you always get to fill them completely. Therefore, it makes sense to try to measure the actual amount of data (called throughput) flowing through the pipes. Different types of cabling are rated for different amounts of data flow at different distances. Remember, however, that even if a pipe is big enough to handle all the water you send through it, that pipe can still get clogged. As a result, although a given amount of data can theoretically flow through a cable, in the real world you may see less data flow than the maximum bandwidth indicates. Plumbers will tell you that mineral deposits and other obstructions can often restrict the water flow in pipes. In keeping with our metaphor, we can say that noise, cross-talk, electromagnetic interference (EMI), and other network maladies can often degrade the actual performance of your cable. Throughput, commonly measured in bits per second (bps), describes the actual amount of data that’s flowing through a cable at any one time. If you take one pipe and divide it into little pipes, you’ve just reinvented the concept of broadband transmission (in which multiple transmissions at different frequencies use the same networking medium simultaneously). If the pipe is kept whole instead of subdivided, you end up with the concept of baseband transmission (in which the entire bandwidth is used to carry only one set of frequencies and one transmission at a time). Whew! Got all that? Maybe it’s time to call Roto-Rooter!
For example, 10Base5 is an Ethernet designation that stands for [10 Mbps] [baseband] [5 x 100 meters = 500 meters]. From the name alone, you can tell that the baseband cable is rated to handle up to 10 Mbps on a segment up to 500 meters (1,640 feet) long. Any time you see a T or an F in such a name, replace that letter with either twisted-pair or fiber-optic, respectively. For example, 10BaseT means that this particular baseband Ethernet cable is rated at up to 10 Mbps using twisted-pair cables. Likewise, 10BaseF means the same thing, except that it uses fiber-optic media instead of twisted-pair.
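As an added illustration (not from the book), here is a small decoder for the Ethernet notation just described. It handles the three names in the text and, applying the same rules, longer letter suffixes such as 100BaseTX and the broadband form 10Broad36; the class and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# IEEE shorthand: <speed in Mbps><Base|Broad><segment length in hundreds of meters, or medium letters>
_DESIGNATION = re.compile(r"^(\d+)(BASE|BROAD)(\d+|[A-Z]+)$", re.IGNORECASE)

# Medium letter codes named in the text; the first letter of a longer suffix (TX, FX) decides.
_MEDIA = {"T": "twisted-pair", "F": "fiber-optic"}


@dataclass
class EthernetDesignation:
    name: str
    speed_mbps: int
    technology: str                    # "baseband" or "broadband"
    segment_meters: Optional[int]      # set when the suffix is numeric
    medium: Optional[str]              # set when the suffix is a letter code

    @property
    def segment_feet(self) -> Optional[int]:
        """Rated segment length in feet (500 m -> 1,640 ft), rounded down as the text does."""
        return None if self.segment_meters is None else int(self.segment_meters * 3.28084)


def parse_designation(name: str) -> EthernetDesignation:
    """Decode a cable designation such as 10Base5, 10BaseT, 10BaseF or 10Broad36."""
    m = _DESIGNATION.match(name.strip())
    if not m:
        raise ValueError(f"not an IEEE Ethernet designation: {name!r}")
    speed, tech, suffix = m.groups()
    technology = "baseband" if tech.lower() == "base" else "broadband"
    if suffix.isdigit():                       # numeric suffix: hundreds of meters per segment
        return EthernetDesignation(name, int(speed), technology, int(suffix) * 100, None)
    medium = _MEDIA.get(suffix[0].upper())     # letter suffix: the medium
    if medium is None:
        raise ValueError(f"unrecognised medium code {suffix!r} in {name!r}")
    return EthernetDesignation(name, int(speed), technology, None, medium)


def describe(name: str) -> str:
    """One-line reading of a designation, in the form the text spells out for 10Base5."""
    d = parse_designation(name)
    if d.segment_meters is not None:
        return (f"{d.name}: {d.speed_mbps} Mbps {d.technology}, "
                f"segments up to {d.segment_meters} meters ({d.segment_feet:,} feet)")
    return f"{d.name}: {d.speed_mbps} Mbps {d.technology} over {d.medium} cable"


if __name__ == "__main__":
    for n in ("10Base5", "10BaseT", "10BaseF", "100BaseTX", "10Broad36"):
        print(describe(n))
```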
Fiber and coax make a seriously twisted pair
Fiber-optic cable is different from twisted-pair and coax cable because it transmits data using light signals instead of electrical impulses. When you look at the layout of the cable, it appears similar to coax but has a glass or plastic fiber as its inner conductor instead of a copper wire. Figure 4-1 shows you what the inside of a fiber-optic cable looks like.
[Figure 4-1: An inside view of fiber-optic cable. Labels: outer jacket, buffer coating, cladding, core.]
Notice that the inner glass core is sometimes called buffer coating, and the entire cable has another strong jacket around it. The outer jacket is designed to be thick enough to protect the inner fiber from being broken when the cable is handled (with care, that is).
Fiber-optic cable
Although it has a higher price tag than electrical cables, fiber-optic cable can also handle greater bandwidth, which means that it can transfer more data over longer distances. Fiber-optic cable is largely immune to electromagnetic interference (EMI) and other sources of noise that affect electrically conductive cables. One factor that adds to the expense of fiber-optic cable is the care required during installation. A knowledgeable technician must carefully polish each glass fiber with specialized tools and then add special connectors to the cable. You often find fiber-optic cable installed between buildings in campus environments or between floors in a building. You rarely see fiber pulled to the desktop because of the expense involved — you must use fiber-optic NICs, and you must attach two cables to each workstation because one cable transmits outbound signals and the other receives inbound signals. Although the appetite for bandwidth is always increasing, don’t expect your desktop to have a high-fiber diet anytime soon! In some locations, such as hospitals, it’s necessary to run fiber-optic cable to some desktops because X-ray and MRI equipment can interfere with electrical cables. Also, the bandwidth requirements for medical imaging equipment can be so extreme that conventional electrical cables can’t handle the traffic involved. For light signals to pass through a fiber-optic cable, you have to attach a transmitter to one end of the cable and a receiver to the other end. This is why you need two cables to permit any one device to send and receive signals. On the transmitting end, an injection laser diode (ILD) or a light-emitting diode (LED) sends light pulses down the cable. These light pulses reflect within the glass core and bounce against the mirror-like cladding through the length of the cable until they reach a photo diode receiver at the cable’s other end. Notice that data flows in only one direction. The receiver converts incoming light pulses into electrical signals and passes the data to the NIC. Because of the way that light pulses travel through fiber-optic cable, splicing two such cables requires great care so that the cable’s signal-carrying capabilities aren’t reduced. Otherwise, a light pulse may arrive at the splice but may not make it through to the other end of the cable. We call this situation a bad splice, but your users will call it much worse names!
Coaxial cable
Coaxial cable, also called coax, was once the most popular transmission medium for networks. However, with the cost of unshielded twisted pair (UTP) dropping significantly in the last few years, it’s hard to justify supporting legacy coax cabling, NICs, and other network connection devices. Older networks used coaxial cable exclusively before UTP arrived in the mid-1980s. Initially, only thick coaxial cable (which we like to call “frozen yellow garden hose”) was available. Thick coax is quite cumbersome to handle and a real pain in the neck to install. Imagine pulling a frozen garden hose through the ceiling and then having to connect transceivers (a portmanteau, or combination, of the two words transmitter and receiver) to that cable! Maybe a frozen garden hose is easier after all. . . . Coaxial cable incorporates two layers of insulation. Beginning in the middle of the cable and spanning outward, the cable has a copper wire surrounded by a foam insulator, which is surrounded by a wire mesh conductor that is then surrounded by an outer jacket insulation. This jacket, in turn, is surrounded by a plastic casing, called cladding. Figure 4-2 shows a cross section of a well-dressed piece of cable.
[Figure 4-2: An inside view of coax cable. Labels: outer casing, wire mesh conductor, inner insulation, copper wire.]
Suffice it to say, coaxial cable types are a dying breed in the local network segment, apart from the hybridized technology described in the next section, but they remain steadfast in their behind-the-scenes placement as a provider of multimedia networking, television, and telephony service. We won’t go into their distinctions and differentiations, but we will leave you with one last remark. If you have a small network and a highly restricted budget, 10BaseT Ethernet is absolutely the way to go. It’s standardized, well-utilized here and abroad, and is plentiful and cheap on the open market. There really is no cost justification for legacy coaxial equipment, only the operational justification to support existing legacy coaxial applications and services within the organization.
Hybrid networking
Hybrid fiber-coaxial (HFC) is the telecom industry term for networks that incorporate both optical fiber and coaxial cable to produce a broadband network medium for handling high load and large subscriber traffic. This seriously twisted pair is capable of carrying and delivering a wealth of features and services that include analog and digital television signals, video-on-demand programming, and switched digital video, telephony, and high-speed data. HFC network coverage extends from the cable operator’s point of presence to a through point at a neighborhood hub site, which terminates at a node that services from 25 to 2,000 homes. This cable operator’s master location also houses telephony equipment for providing telecom services to the community, which is individually delivered via coax. Therefore it’s common to have the same provider supply both phone and Internet services (and possibly public television access, where applicable) to the same location. HFC is the primary technology used to service many modern cable modem communities, so the technology is very widespread and widely utilized. In fact, it’s likely you’re already using the technology at home or work without even knowing it. That’s the beauty behind transparent technologies — they work diligently for us, sight unseen, as long as we continue to rely upon them.
Wireless is media, too!
Speaking of things unseen, a relative newcomer to the high-speed network interface assortment is another IEEE design, the 802.11 wireless (WiFi) family of multiple over-the-air standards and modulation techniques. There are a number of competing technologies and substandards to the 802.11 specification, but they all essentially operate in much the same fashion. Instead of using hard, physical network links to transmit data, WiFi pushes and pulls information through the air using radio frequencies. While this brings a lot of eye-popping reactions to those previously unfamiliar with the technology, it does give those of us with some working knowledge and experience of these devices a moment to reflect and relate the reality of such devices operating in a business network environment. First and foremost is the fact that no physical medium is present. This defies the logic built into most CSMA/CD-type access methods, where you can satisfy line contention by merely listening on the wire for any ongoing communications and waiting some period of time before trying to transmit or retransmit data. (See the “Carrier sensing access methods” sidebar for more on CSMA/CD.) Instead, participant WiFi devices must request to speak before opening the lines for communication, which is a more active role than the more passive eavesdropping approach employed by 802.3 Ethernet. This creates extra overhead that increases with the number of participating devices in the effective vicinity of the radio. This lack of physical medium also opens the network to other, unintended listeners. An eavesdropper can more easily observe, record, and potentially intrude upon wireless network traffic. In fact, the would-be attacker need not be inside the building to observe wireless traffic.
There is also a limited effective range for such equipment, since radio signal has a difficult time permeating dense walls full of thick, absorbent material like metal, wood, and other elements. Shade trees can also deflect radio signals and cause connectivity problems for courtyard or outside network coverage. Additionally, any competing RF devices in the area will cause distortion, noise, and contention, which also reduces the effective reach and range for most WiFi devices. So you have to deliberately and thoughtfully design the WiFi network to fit the environment and its signal- or quality-reducing attributes. Data transfer rates are typically half (or less!) of the manufacturer’s rated speed for any given WiFi device operating under normal conditions:
• Early 802.11b devices operate on the 2.4 GHz frequency (which incidentally coincides with common cordless phones and causes much interference) and tend to realize around 4 Mbps, or much less than their rated 11 Mbps transfer rate.
• 802.11g, the next step up, also operates on 2.4 GHz and realizes around 19 Mbps versus a 45 Mbps maximum throughput rating. Fortunately, each device is backwards compatible in that an 802.11g device can and will work with an 802.11b device, but only at the maximum effective throughput of the slower (802.11b) performer.
• The 802.11n standard, which has remained in draft status for quite some time now, operates on 2.4 or 5 GHz channels at speeds between 74 Mbps and 248 Mbps, which easily eclipses anything previously seen in an airborne

<drive letter>:\i386\winnt
• If you’re using a 32-bit operating system, such as Windows 9x, Windows NT, Windows 2000, or Windows XP, and you don’t have autorun enabled, you need to use this command, replacing drive letter with the letter assigned to your DVD drive:
<drive letter>:\i386\winnt32
If you try to run the wrong setup program, the tool will tell you — just run the other program. If autorun is enabled, you see the Welcome to Windows Setup Wizard screen. Manually launching Setup from DOS, Windows 3.x, or Windows for Workgroups requires you to do the following after the DOS, text-only display appears, asking for confirmation of the location of the distribution files:
1. Make sure that the screen shows the correct path to the i386 directory on the distribution DVD-ROM and then press Enter.
Setup copies files from the DVD to your hard drive.
2. After Setup informs you that all files have been copied, press Enter to reboot and continue.
After the machine reboots, the setup resumes at Step 9 of the “Windows Server 2008 Setup: A walk-through” section earlier in this chapter.
Chapter 5: Ready, Set, Install!
If you insert the Windows Server 2008 DVD into a DVD-ROM drive under an operating system with autorun enabled (for example, Windows NT), the Windows Server 2008 splash screen appears and asks whether you want to upgrade to Windows Server 2008. By clicking Yes, you don’t need to manually locate and execute WINNT or WINNT32. Launching Setup from an eligible Windows platform requires you to follow these steps:
1. On the Install Windows Setup Wizard screen, click Next.
2. Choose whether to get important updates now or later, locate the corresponding option, and then click it. Windows Setup will begin looking for updates if you so choose, which requires an Internet connection.
3. Enter your product key and then click Next. Alternatively, you can choose from a drop-down list of choices and omit the license key altogether at this stage, but they must match up for activation purposes.
4. Accept the license agreement terms and click the Next button.
5. Choose between Upgrade or Custom installation options and click the corresponding text button.
6. To install Windows Server 2008 to a partition other than the one currently hosting an operating system (highly recommended), be sure to choose the appropriate partition from the menu displayed in this dialog box.
7. Click Next to continue.
Setup copies files from the DVD to your hard drive. Setup then offers a 10-second interval during which you can manually restart before automatically rebooting your computer. After the machine reboots, the setup resumes at Step 9 of the “Windows 2003 Setup: A walk-through” section earlier in this chapter.
Installing across a Network
Installing Windows Server 2008 across a network is almost the same as performing the installation from a local DVD-ROM. Both methods require access to the distribution files from the DVD (duh!), and you have to manually launch the Windows setup tools.
Part II: Servers, Start Your Engines
Manually launching setup over a network requires little change to the process described in the preceding section. However, you need to map a local drive letter to the network share. (This mapped letter tells Setup where the distribution files live.) Setup automatically copies all of the data files it needs before rebooting.
Installing Remotely
Microsoft has created an installation process called the Remote Installation Service (RIS). RIS enables network administrators to push a Windows Server 2008 installation out to network systems. Although this process simplifies multiple installations overall, it isn’t a simple activity. It requires the installation and configuration of several key services, namely Domain Name Service (DNS), DHCP, and Active Directory, in addition to RIS. The clients that will have the Windows Server 2008 installation pushed to them must have a Preboot Execution Environment (PXE)–compliant NIC or be booted with a special network client boot disk. If you want to explore the remote OS installation procedure further, we highly recommend that you check out the RIS documentation in the operating system, TechNet, and the Windows Server 2008 Resource Kit.
Working through Post-Installation Stress Disorder
After you finish the basic installation, you’ve simply defined a basic server. You need to dress it up with things such as users, groups, domain controllers, Active Directory, applications, services, and printers, as we describe in Chapters 7 through 14. But, before you get excited and flip to those chapters, we want to mention three more issues: the activation process, service packs, and Automated System Recovery.
Understanding Activation
In an effort to curb pirating of software, Microsoft has implemented an installation control feature (first debuted in Windows XP) called activation. After the initial installation of a product, such as Windows Server 2008, Microsoft grants you a 30-day period within which you must contact Microsoft and activate that product. If you fail to activate the product, on day 31, the product ceases to function. In fact, the only activity you can perform from that point forward is activation. After a product has been activated, it functions normally. The activation process requires your system to generate a 50-digit code. This code is unique to your system and is used to associate your product key with your computer hardware. If any other computer attempts to activate the same product key on a different computer, Microsoft will think you’ve pirated their software or at least attempted to install it on another system without purchasing another package. The gotcha to activation is this computer ID, which is generated by pulling unique IDs from ten different parts of your computer, including your motherboard, CPU, and hard drives. If you change six or more of these parts, the system thinks you’ve changed computers, and your activated status will be terminated. You have to contact Microsoft and explain that you’ve only upgraded your existing system and that you’re not just installing the product onto a completely new second system. Can we say major headaches ahead? Activation can occur over the Internet, in which case it takes only a few seconds. Activation can also occur over a phone line, whereby you must read off the 50-digit computer ID to the auto-attendant or a customer service representative, and then you must enter an equally long confirmation key yourself. To activate your system, you can click the reminder pop-up bubble that appears over your notification area (previously known as the icon tray or system tray), which is right beside the clock. Until you activate, the operating system reminds you every day, or every time you log on, about activating. You can also initiate the activation process by launching the Activation Wizard found in the Start menu. It appears in the top-level menu initially; after you activate, it appears only in the All Programs➪Accessories➪System Tools section.
Dealing with service packs
A service pack is a release of updates and patches for a software product. Microsoft is famous for releasing service packs to repair its software. This indicates to some cynics that Microsoft is concerned enough about its user community to maintain a product, but not concerned enough to get it right the first time. Be that as it may, the first service pack for Windows Server 2008 will probably be released three to nine months after Windows Server 2008 makes its debut in February 2008. Microsoft has integrated two capabilities into Windows Server 2008 to ease the burden of maintaining an up-to-date version:
• You can configure the Windows Update tool to regularly check for new updates and prompt you to download and install them.
• You can slipstream service packs into distribution files so that an initial setup results in automagic application of the service pack. In other words, you can apply service packs to a distribution point so that new systems automatically get installations that include that service pack. After service packs are available for Windows Server 2008, read the accompanying documentation to learn how to slipstream them.
Windows Server 2008 service packs don’t entangle you in the Catch-22 of installing files from the original distribution DVD after a service pack is applied. In other words, adding new services doesn’t require reapplication of service packs, and application of service packs doesn’t require reinstallation of services from the distribution DVD. What a relief! Microsoft advertises releases of its service packs, making it easier for the typical user to locate, download, and apply these jewels. You’ll usually find a link on the product-specific Web page at www.microsoft.com/windowsserver2008/default.mspx.
Using Automated System Recovery

Automated System Recovery (ASR) is partially designed to replace the function of the previous ERD repair process (remember that from Windows NT?). You can use ASR to restore a system to its stored configuration settings in the wake of a complete system failure. The only drawback to ASR is that it restores only files found on the system partition. Therefore, if you have applications or user data files on other partitions, ASR doesn’t offer a safety net for these items.

To use the ASR restore process, you must first create an ASR backup set. You can create an ASR backup set from the Welcome tab of the Backup utility (Start➪All Programs➪Accessories➪System Tools➪Windows Server Backup). The ASR backup set consists of a single floppy and one or more backup tapes (depending on the amount of data stored on your system partition). To restore a failed system, you must boot to the original setup program either from a bootable DVD or the setup boot floppies, and then press F2 when prompted to initiate the ASR repair process. You’ll then be prompted for the floppy and your backup tapes.

If you want to protect all your data, you have two options. You can use the full backup capabilities (which include the System State) of the native Backup utility. Or you can spend the money for a quality third-party backup solution that offers restoration from tape after simply booting from a floppy instead of requiring that the entire operating system be reinstalled before a restoration can be performed.
Oops, My Installation Didn’t Take

In most cases, as long as your hardware is on the HCL, installation will be a breeze. (Well, how about a long, continuous gust?) For those other cases, here are some common problems and solutions:

• DVD-ROM problems: The entire Windows Server 2008 installation ships on a single DVD-ROM (unlike previous market releases that appear on CDs), so if you can’t read the DVD, you can’t install Windows Server 2008 (unless you’re installing over a network, but even then, the distribution files have to come from a DVD at some point). DVD-ROMs are similar to music records or DVDs in that one little scratch or speck of dust on the surface can cause problems. On the other hand, the DVD may be okay, but the drive may not function correctly — or Windows Server 2008 may not recognize the drive. We hope that your drive appears on the HCL. To determine whether the drive or the DVD isn’t functioning, take the DVD to another DVD-ROM drive and see whether you can read it there. After you determine which element is the culprit, you can replace it and retry your installation.

• Hardware problems: If Windows Server 2008 setup doesn’t recognize a server’s hardware, it’s likely to stop. Make sure that the machine’s hardware appears in the HCL and that you configured all devices correctly. If you have more than one SCSI device, for example, make sure that they’re chained (connected) correctly.

• Blue screen of death: Sometimes, Setup simply crashes and gives you a blue screen; other times, it gives you a display of error codes that only a propeller head can understand. By itself, the blue screen simply means that you must reboot. If you get a fancy stop screen, however, you can look at the first few lines to determine the error code and then use it to look up the error message in the error-message manual. A stop typically occurs if a driver problem occurs; if you look beyond the first few lines of the error-message screen, it tells you which drivers were loaded at the time the crash occurred. A good idea is to write the first few lines of the stop screen down before attempting to reboot.

• Connectivity problems: Installing a machine into an existing domain requires that the new system be capable of communicating with a domain controller to create a domain computer account. If communication isn’t possible for any reason (such as a wrong network interface, a wrong driver, a bad or missing cable, a domain controller offline, or too much network traffic), you can’t join the domain. In some cases, you can resolve the problem by quickly replacing a cable or allowing the system to try the connection a second or third time. In other cases, you can delay confronting the problem by joining a workgroup instead. Then you can resolve any problems (such as network interface, driver, and configuration problems) with a functioning system.

• Dependency problems: Some services in Windows Server 2008 depend on other services loading correctly. If service A doesn’t load, service B doesn’t work, and you get error messages if service B is set to automatically start at bootup. For example, if a network interface isn’t installed correctly, all services that use that network interface also fail to start. Your first order of business, therefore, is to get the network interface to function correctly. If you get this far in the installation process, you can view the error logs (Start➪All Programs➪Administrative Tools➪Event Viewer) to see which service didn’t start and then work your way from there.

• Script file errors: The Windows Server 2008 automated installation program (see the next section) isn’t forgiving if you mistype a script. If a script stops midway and the Windows Server 2008 setup program asks you for manual input, you entered something incorrectly. Check the input file to look for transposed letters or anything else that may be out of place. Scripts expect to feed the computer exactly what you put in the script file. If you don’t enter the right information, Setup doesn’t receive the information it expects.
Exploring Automated Installation

An unattended installation feature enables you to install Windows Server 2008 without keyboard interaction. Just start the process and walk away. Unattended installation uses a script file that pipes in information and keyboard strokes from a data file that you compose in advance. If you already know all the answers to the questions that the installation program asks, you can answer these questions and place them in a data file. You can use more than one data file for different types of installations.

Unattended installation is great for organizations that install Windows Server 2008 over and over on machines with the same hardware configurations. Large enterprise networks that include remote offices can also take advantage of unattended installation because home office administrators can customize script files and transmit them to remote offices. The caveat here is that you must test the script files for accuracy thoroughly in the central office; otherwise, the folks in the remote office may soon be screaming for help!

Details on creating automation scripts are included in the Windows Server 2008 Resource Kit. You can also find information on this subject in the Windows Server 2008 Technical Library at technet2.microsoft.com/windowsserver2008/en/library/.
Chapter 6

Configuring Connections to the Universe

In This Chapter

• Introducing the Server Management console
• Configuring your server
• Configuring domain controllers
• Understanding server roles
• Using remote access

Even after you complete the installation of Windows Server 2008, you still face numerous decisions and related activities before you can safely say, “Mission accomplished!” What role does this server play on your network? Does it host multiple network interfaces? Do you need remote access? In this chapter, you seek answers to all these questions and follow the steps to implement them properly.

Before you get too excited, we must warn you that certain topics covered in this chapter are just flat-out complex. We try to give a general overview of each topic, but in some cases, covering all the relevant details goes beyond the scope of this book. When that happens, we refer you to other resources and materials where you can find meaningful, reliable, and more detailed coverage of these topics, to supplement and complete what we provide you with here. In this chapter, you go through the steps necessary to get your Windows Server 2008 installation up and running.
Completing the Initial Configuration Tasks

Starting at square one, the first time you log on to Windows Server 2008 after completing the initial installation, you’re confronted with an Initial Configuration Tasks (ICT) dialog box, shown in Figure 6-1. This wizard appears by default the first time you log in, and every subsequent time, unless you select the Do Not Show this Window at Logon check box. ICT assists administrators with Windows Server 2008 deployments by postponing platform settings previously encountered during the installation process to shorten the installation time. ICT does this by allowing administrators to specify relevant values at the end of the installation process, thereby bypassing lots of dialog boxes and related interruptions along the way.

Windows Server 2008 also brings a concept called componentization to the table, which is defined as breaking a complete system into interchangeable parts to create a standardized approach to assembly, interface, or operation. For Windows Server 2008, this translates into the ability to reuse components outside their usual frameworks. A simple analogy is the relationship between electronic components and electronic devices. A device is made of components, but it can also do things that individual components normally can’t.
Figure 6-1: The Initial Configuration Tasks dialog box.
The Initial Configuration Tasks dialog box allows administrators to configure a server with the following parameters:

• Administrator password: Set the administrator password (left blank by default).

• Computer name: The computer name is randomly generated and assigned during installation, but you get your first chance to change it here.

• Time zone: Configure the local time zone.

• Configure networking: Establish initial network interface settings.

• Domain membership: There is no default domain to join; however, the computer is automatically assigned to a workgroup, appropriately named WORKGROUP.

• Enable Windows Update and feedback: Choose whether to automatically update Windows and issue problem reports or receive feedback.

• Add roles: A server role describes the primary function of a server, which can be one or several roles (each with one or more separate services) on a single computer.

• Add features: A feature provides supportive functionality to servers, which typically means augmenting a configured server role with additional capabilities.

• Enable Remote Desktop: Remote desktop assistance is provided by an underlying Remote Desktop Protocol (RDP), which enables user computers to communicate with Microsoft Terminal Services.

• Configure Windows Firewall: The Windows Firewall is enabled by default, but you might want to spend some time familiarizing yourself with its features and capabilities, or configure it with site-specific settings.

These pre-deployment options are left for the end of installation to improve efficiency. Administrators can set these as soon as the install completes, which shortens time-to-launch for a fresh server installation. When you close the ICT dialog box, another configuration utility pops up: the Windows Server Manager, which we describe next.
Server Manager Configuration

Windows Server 2008 includes an all-new Server Manager application in GUI and command-line form that simultaneously replaces and consolidates the Windows Server 2003 interfaces called Manage Your Server, Configure Your Server, and Add or Remove Windows Components. Server Manager eliminates any need to run the Security Configuration Wizard prior to deployment because server roles come pre-configured with recommended security settings. Each separate application is consolidated into one utility for a better combination of features and functionality in a single centralized applet, which provides a holistic view of server configuration and related server components. This new management platform enables you to install, configure, and manage server roles specific to Windows Server 2008, including some capabilities that even work on Windows Server 2003 machines.
Getting to know the Server Manager console

You can use the expanded Server Manager MMC (Microsoft Management Console) to configure various applications, features, and roles on your Windows Server 2008 PC. A role describes a server’s primary function; administrators may designate or dedicate an entire computer to one or more roles that can include DHCP and DNS services, among many others. A feature describes some supporting function in a server; for example, failover clustering indicates that multiple server computers function as a single logical server, and if one computer fails, another stands ready to take its place automatically.

The Windows Server Manager console provides a consolidated view that includes server information, configured roles, services, and feature status. It puts all the easily accessible management tools together under one interface. Server Manager improves productivity so that you spend less time on deployment, management, and maintenance phases and more time adding and using new features in your network infrastructure. Here are a few key highlights to the new Server Manager platform:

• Server Manager functionality incorporates snap-in extensions from Computer Manager (Reliability and Performance, and Windows Firewall) that are always available regardless of which roles are installed.

• Server Manager displays notifications linked to descriptive help topics atop role management homepages when constraints in the role model are violated. Help topics may include additional content, solutions, or tools to help resolve some particular issue.

• The Server Manager Add Roles Wizard provides configuration pages for many roles, including AD Federation Services (AD-FS), Network Policy and Access Services, Fax Server, AD Rights Management (AD-RM), File Services, and many others, as shown in Figure 6-2. See Table 6-1 for more information on Server Roles.

• The Server Manager Add Features Wizard supports installation of BitLocker Drive Encryption, Group Policy Management, Remote Server Administration Tools, and a variety of supplementary or supportive network and storage features. See Table 6-2 for more details about Server Features.
Figure 6-2: The server roles that can be installed through the Server Manager Wizard.
• Server Manager provides Remote Server Administration Tools (RSAT) that enable remote management for specific roles, role-based services, and features on computers running Windows Server 2008 and Windows Server 2003.

• Server Manager supports automated deployment and scripting options for Windows Server 2008 roles from a command-line tool that can install or remove multiple roles, role services, or server features.
Table 6-1: Windows Server 2008 Server Roles

Active Directory Certificate Services (AD-CS): AD-CS provides customizable services to create and manage public key certificates used in public cryptographic systems. Organizations may enhance their security posture by binding user identities, devices, or services to corresponding private keys. AD-CS also includes features for enrollment and revocation of certificates.

Active Directory Domain Services (AD-DS): AD-DS stores user, computer, and other networked device information to help administrators securely manage and facilitate resource sharing or collaboration between users. AD-DS is also required for directory-enabled services such as Microsoft Exchange Server or Group Policy.

Active Directory Lightweight Services (AD-LDS): AD-LDS is a directory for storing application data that runs as a non-operating system service, which doesn’t require deployment on a DC and permits multiple simultaneous instances to be configured independently to service multiple applications.

Active Directory Rights Management Services (AD-RMS): AD-RMS is information protection technology that works with compatible applications to safeguard against unauthorized use of digital media. Content owners define how such data may be used, and organizations may create custom templates that apply directly to financial reports, product specifications, and other such materials.

Application Server (AS): AS provides a turnkey solution for hosting and managing high-performance distributed business applications with integrated services such as .NET, COM+, and others.

Dynamic Host Configuration Protocol (DHCP): DHCP allows temporary or permanent dynamic (and static) address assignments to computers and other network-addressable devices and gives administrators more flexible control over address assignments, duration, and type.

File Services: File Services provides storage management, file replication, a distributed namespace, and fast file-searching technologies for efficient client access to server resources.

Network Policy and Access Services (NPAS): NPAS delivers an array of options to local and remote users, works across network segments, centralizes management tasks, and enforces network health properties among client callers. NPAS facilitates VPN, dial-up server, router, and 802.11 protected access deployment, and other such capabilities.

Print Services (PS): PS provides printer and print server management, which reduces administrative overhead by centralizing printer management tasks.

Terminal Services (TS): TS enables users to access server-based Windows applications and desktops so that remote users can connect and utilize remote resources.

Universal Description, Discovery, and Integration (UDDI): UDDI services enable information sharing via intranet-based Web services or between business partners that share an extranet or Internet connection. UDDI can help improve developer productivity and promote reuse of existing development work.

Web Server (IIS): IIS 7.0, the Windows Web server, enables information sharing on intranets or over the Internet as a unified Web platform that integrates several key Microsoft components.

Windows Deployment Services (WDS): WDS is used to remotely install and configure Windows installations using the Preboot Execution Environment (PXE).

Windows SharePoint Services (WSP): WSP services allow end-user collaboration through documents, tasks, and events, enabling them to easily share contacts and other necessary information. WSP is designed to support flexible deployment, administration, and custom application development.
You can find more in-depth information about each of the server roles we introduce in Table 6-1 on Microsoft’s Windows Server 2008 TechCenter page located at http://technet.microsoft.com/en-us/windowsserver/2008/default.aspx.
Table 6-2: Windows Server 2008 Server Manager Server Features

.NET Framework 3.0: This latest version combines .NET 2.0 APIs with newer technologies for building user interface applications that help protect customer identities, enable seamless and security-enhanced communication, and model an array of business procedures.

BitLocker Drive Encryption: This new feature protects

For example, 200.200.201.0/24 is network 200.200.201.0 with subnet mask 255.255.255.0.

5. Select the Site with which to associate the subnet (for example, New York).

6. Click OK.

You now have a subnet linked to a site. You can assign multiple subnets to a site if you like. For more information on subnets, see Chapter 10. For even more details, search the Windows Server 2008 Help menu for subnets.
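To see how a client address gets matched to a site subnet, here is an added Python example (it is not code from the book or from Windows Server 2008). It maps an address to a site by longest-prefix match, which is the rule that matters when one site subnet is nested inside another. The 200.200.201.0/24 to New York mapping is the one from the steps above; the Chicago subnets and the function names are assumptions made for the example.

```python
import ipaddress

# Constructed site/subnet table. The New York entry mirrors the example in
# the text (200.200.201.0/24); the Chicago entries are assumptions added so
# that the longest-prefix rule has something to decide.
SITE_SUBNETS = {
    "200.200.201.0/24": "New York",
    "10.1.0.0/16": "Chicago",
    "10.1.5.0/24": "Chicago-Lab",  # nested inside 10.1.0.0/16
}


def subnet_mask(cidr: str) -> str:
    """Dotted-decimal mask for a prefix-notation network, e.g. /24 -> 255.255.255.0."""
    return str(ipaddress.ip_network(cidr, strict=True).netmask)


def validate_subnet(cidr: str) -> bool:
    """A site subnet must be a network address. An entry with host bits set
    (200.200.201.5/24) or a malformed string is rejected; strict=True is
    what makes the ipaddress module refuse host bits."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def site_for_ip(ip: str, table=SITE_SUBNETS):
    """Return the site whose most specific (longest-prefix) subnet contains ip,
    or None when nothing matches, which is how a client on an unlisted
    network ends up with no site affinity at all."""
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for cidr, site in table.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


if __name__ == "__main__":
    print(subnet_mask("200.200.201.0/24"))
    for client in ("200.200.201.77", "10.1.5.9", "10.1.9.9", "192.0.2.1"):
        print(client, "->", site_for_ip(client))
```

Two things the example shows that the steps alone do not: an address inside 10.1.5.0/24 resolves to the lab site even though 10.1.0.0/16 also contains it, and an address that matches no subnet gets no site, which is the case to hunt for when clients authenticate against a domain controller in the wrong city.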
Oh, you organizational unit (OU), you

The organizational unit (OU) is a key component of the X.500 protocol. As the name suggests, organizational units contain objects in a domain that are organized into logical containers, thus allowing finer segregation and control within a domain. Organizational unit containers can contain other organizational units, groups, users, and computers. OUs may be nested to create a hierarchy to match the structure of your business or organization closely.

Using OUs, you can eliminate cumbersome domain models developed for Windows NT Server–based domains (the master domain model, for example, in which several resource domains use accounts from a central user domain). Using Active Directory, you can create one large domain and group resources and users into multiple, distinct OUs.

The biggest advantage of OUs is that they allow you to delegate authority. You can assign certain users or groups administrative control over an OU, which allows them to change passwords and create accounts in that OU but grants no control over the rest of the domain. This capability is a major improvement over Windows NT domain administration, which was an all-or-nothing affair.
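The scoping rule that makes delegation safe (a right granted on an OU applies to that OU and everything nested beneath it, and nowhere else) can be modelled in a few lines. The following is an added Python example, not the book’s code and not Active Directory’s actual ACL machinery; the savilltech.com name comes from this chapter, while the OU names, group names, and the rights vocabulary are assumptions made for the example.

```python
# Constructed example of OU-scoped delegation. The domain name savilltech.com
# comes from the chapter; the OUs, groups and rights below are assumptions
# for illustration, not Active Directory's real permission model.

DELEGATIONS = [
    # (group, container it was delegated control over, rights granted there)
    ("SalesHelpdesk", "OU=Sales,DC=savilltech,DC=com", {"reset_password"}),
    ("SalesAdmins", "OU=Sales,DC=savilltech,DC=com", {"reset_password", "create_user"}),
    ("EngHelpdesk", "OU=Support,OU=Engineering,DC=savilltech,DC=com", {"reset_password"}),
]


def dn_components(dn: str) -> list:
    """Split a distinguished name into its RDNs, most specific first,
    normalising case and whitespace. Escaped commas inside values are
    not handled by this simplified splitter."""
    return [part.strip().lower() for part in dn.split(",")]


def is_within(container_dn: str, object_dn: str) -> bool:
    """True when object_dn is the container itself or lies anywhere beneath it.
    The comparison is done RDN by RDN rather than with a string suffix test,
    so an object in OU=PreSales is correctly NOT treated as lying inside
    OU=Sales even though 'PreSales' ends with 'Sales'."""
    cont = dn_components(container_dn)
    obj = dn_components(object_dn)
    return len(obj) >= len(cont) and obj[-len(cont):] == cont


def authorized(group: str, right: str, object_dn: str, delegations=DELEGATIONS) -> bool:
    """Does `group` hold `right` over the object? Only delegations whose scope
    contains the object count, which is what confines a delegated admin to
    their OU and leaves the rest of the domain untouched."""
    return any(
        g == group and right in rights and is_within(scope, object_dn)
        for g, scope, rights in delegations
    )


def scopes_for(group: str, delegations=DELEGATIONS) -> list:
    """Containers a group holds any delegated right over (an audit helper)."""
    return sorted({scope for g, scope, _ in delegations if g == group})


if __name__ == "__main__":
    sales_user = "CN=jdoe,OU=Accounts,OU=Sales,DC=savilltech,DC=com"
    exec_user = "CN=ceo,OU=Executives,DC=savilltech,DC=com"
    print(authorized("SalesHelpdesk", "reset_password", sales_user))
    print(authorized("SalesHelpdesk", "reset_password", exec_user))
```

The RDN-by-RDN comparison is the part worth copying: a naive check that one DN string ends with another would let a helpdesk group delegated on OU=Sales act on objects in OU=PreSales, which is exactly the kind of over-reach delegation is meant to prevent.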
Installing Active Directory

In Windows NT, you set up each server’s type during installation. The server’s function can fill one of the following roles:

• Stand-alone/member server
• PDC
• BDC

With the exception of PDC/BDC swapping, a server’s role can’t be changed without reinstalling the operating system. For example, you can’t change a member server to a domain controller without reinstalling Windows NT.

Windows Server 2008 has left all that behind by allowing you to install all servers as normal servers. You can use a wizard (covered in the following section) to convert normal servers to domain controllers, or domain controllers to normal servers. This facility also gives you the ability to move domain controllers from one domain to another by demoting a domain controller to a member server and then promoting it to a domain controller in a different domain. In the Windows NT environment, demoting and promoting domain controllers typically requires reinstalling the operating system or jumping through some pretty major hoops.
Promoting domain controllers

Windows Server 2008 allows you to convert servers from normal servers to domain controllers and vice versa. To do this, you use the Active Directory Installation Wizard. You can access this wizard through the Configure Your Server tool (Start➪Server Manager — see Chapter 6) or by executing DCPROMO from the RUN command (or command prompt). You can also use the Active Directory Installation Wizard to remove Active Directory from a domain controller; this returns the system to a member server state. For the step-by-step of installing Active Directory and creating a domain controller, go to Chapter 6.
Active Directory’s database and shared system volume

Although you can think of Active Directory as an information bubble, it’s stored in file form on each domain controller in a file named %systemroot%\NTDS\ntds.dit. This file is always open and can’t be backed up using a simple file copy operation. However, like old methods for backing up SAM in Windows NT 4.0, the new NTBACKUP program included with Windows Server 2008 includes an option to take a snapshot of Active Directory and back up that information. (This option is called System State.) There’s even a special directory restoration mode you must boot into to restore an Active Directory backup! (Chapter 13 covers backups in detail.)

The shared system volume, or SYSVOL, is the replication root for each domain. Its contents are replicated to each domain controller in the domain using the File Replication Service. The SYSVOL must reside on an NTFS 5.0 volume because that’s a File Replication Service requirement.

SYSVOL is also a share that points (by default) to %systemroot%\SYSVOL\sysvol, which contains domain-specific areas, such as logon scripts. For example, the logon share NETLOGON for domain savilltech.com points to %systemroot%\SYSVOL\sysvol\savilltech.com\SCRIPTS. You can simply copy logon and logoff scripts into this directory, and the change is replicated to all other domain controllers in the next replication interval (which by default is set to 15 minutes).
Modes of domain operation

Windows Server 2008 domains operate in four modes: mixed, native, .NET, and .NET interim:

• Mixed mode domains allow Windows NT 4.0 BDCs to participate in a Windows Server 2008 domain.

• In native mode, only Windows Server 2008/2003–based and Windows 2000–based domain controllers can participate in the domain, and Windows NT 4.0–based BDCs can no longer act as domain controllers.

• In .NET mode, only servers running Windows Server 2008 can act as domain controllers.

• The .NET interim mode is used when upgrading a Windows NT 4.0 domain to the first domain in a new Windows 2008 forest.

The switch from mixed to native mode or native mode to .NET mode can’t be reversed, so don’t change mode until all domain controllers are converted to Windows Server 2008, Windows Server 2003, or Windows 2000 for native mode — or just Windows Server 2008 for .NET mode. Also, note that you can’t add more Windows NT 4.0–based BDCs after the domain mode is switched. In addition, a switch to native mode allows the use of universal groups, which, unlike global groups, can be nested inside one another. Older NetBIOS-based clients remain able to log on using the NetBIOS domain name even in native mode. Universal groups are also supported in .NET mode.

Changing a domain’s mode is known as raising a domain’s functionality. You can choose to step up to native mode from mixed mode, step up to .NET mode from native mode, or jump directly to .NET mode from mixed mode. Be careful: This is a one-way switch. After you raise the functionality, you’ll have to reinstall Windows Server to return to a lower functionality.

To raise a domain’s functionality, perform the following steps on a Windows Server 2008 domain controller:

1. Start Active Directory Domains and Trusts. (Choose Start➪Administrative Tools➪Active Directory Domains and Trusts.)

2. In the console tree, select and right-click the domain you want to change.

3. Click Raise Domain Functional Level. The Raise Domain Functional Level dialog box appears, as shown in Figure 7-3.

Figure 7-3: The Raise Domain Functional Level dialog box.

4. Under Select an available domain functional level, do one of the following:

• Raise the domain functional level by selecting Windows Server 2003 and clicking Raise.

• Raise the domain functional level by selecting Windows Server “Longhorn” and clicking Raise.

5. Click OK. A warning is displayed stating that the domain mode change can take up to 15 minutes.

You can also raise the domain functional level by right-clicking a domain in the Active Directory Users and Computers snap-in, and then clicking Raise Domain Functional Level. The current domain functional level is displayed under a like-named entry in the Raise Domain Functional Level dialog box.

You also need to check all other domain controllers in the domain. Make sure each domain controller lists the correct mode on its properties dialog box. (Right-click the domain and select Properties.) If any domain controller isn’t reflecting the change after 15 to 20 minutes, reboot it. This forces a replication. If a domain controller can’t be contacted when you make the change (for example, if it’s located at a remote site and connects to the main site only periodically), the remote domain controller will switch its mode the next time replication occurs.
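Because the switch can’t be reversed, it pays to check the domain controller inventory against the rules above before clicking Raise, and to check afterwards which domain controllers have not yet picked up the change. The following is an added Python example, not something from the book or from Windows Server 2008: it encodes the mode order and the operating systems each mode permits as this section states them, and the domain controller names it uses are made up.

```python
# Constructed example. The mode names and the operating systems each mode
# tolerates are taken from the text; the DC inventories are made up.

MODE_ORDER = ["mixed", "native", ".NET"]  # .NET interim is an upgrade-only state, not a target here

# Operating systems a domain controller may run under each mode.
ALLOWED_DC_OS = {
    "mixed": {"Windows NT 4.0", "Windows 2000", "Windows Server 2003", "Windows Server 2008"},
    "native": {"Windows 2000", "Windows Server 2003", "Windows Server 2008"},
    ".NET": {"Windows Server 2008"},
}


def check_raise(current: str, target: str, dc_inventory: dict):
    """Pre-flight check before raising a domain's functional level.

    dc_inventory maps domain controller name -> operating system.
    Returns (ok, reason). Lowering is refused because the switch is one-way,
    and every DC must already run an OS the target mode accepts, since the
    change cannot be undone once it has replicated."""
    if current not in MODE_ORDER or target not in MODE_ORDER:
        return False, "unknown mode name"
    if MODE_ORDER.index(target) <= MODE_ORDER.index(current):
        return False, "functional level can only be raised, never lowered"
    offenders = sorted(dc for dc, os_name in dc_inventory.items()
                       if os_name not in ALLOWED_DC_OS[target])
    if offenders:
        return False, "upgrade or demote these domain controllers first: " + ", ".join(offenders)
    return True, "all %d domain controllers qualify for %s mode" % (len(dc_inventory), target)


def lagging_after_change(expected: str, reported_modes: dict, minutes_elapsed: int) -> list:
    """Post-change check. reported_modes maps DC name -> mode it currently
    shows. Replication is given the 15 to 20 minutes the text allows; only
    after that window are DCs still showing the old mode reported, and those
    are the ones the text says to reboot to force replication."""
    if minutes_elapsed < 20:
        return []
    return sorted(dc for dc, mode in reported_modes.items() if mode != expected)


if __name__ == "__main__":
    inventory = {"dc1": "Windows Server 2008", "bdc1": "Windows NT 4.0"}
    print(check_raise("mixed", "native", inventory))
    print(check_raise("mixed", ".NET", {"dc1": "Windows Server 2008", "dc2": "Windows Server 2008"}))
    print(lagging_after_change(".NET", {"dc1": ".NET", "dc2": "native"}, 25))
```

The inventory dictionary is the piece to keep accurate: an NT 4.0 BDC that is forgotten in a branch office is exactly the machine that stops being a domain controller the moment the mode is raised.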
When Domains Multiply

In this section, you look at new methods available in Windows Server 2008 to interconnect domains. In Windows NT 4.0 domains, you’re limited to simple unidirectional or bidirectional trust relationships to interconnect two domains explicitly at a time. Windows Server 2008 has many more sophisticated, functional models to create relationships and connections among its domains.
Trust relationships across domains

Windows NT 4.0 trust relationships aren’t transitive. For example, if domain A trusts domain B, and domain C trusts domain B, domain C doesn’t automatically trust domain A. (See Figure 7-4.)
Figure 7-4: An example of a trust relationship in Windows NT 4.0. (Domains A, B, and C; the trust between Domain C and Domain A would not have been implicitly created in a 4.0 domain environment but is possible in 2000 domain forests.)
This lack of transitivity is no longer the case with the trust relationships used to connect members of a tree or forest in Windows Server 2008/2003 or Windows 2000. Trust relationships used in a Windows Server 2008/2003 or 2000 tree are two-way, transitive trusts. This means that any domain in the forest implicitly trusts every other domain in its tree and forest. This removes the need for time-consuming administration of individual trusts between pairs of domains because such trusts are created automatically whenever a new domain joins a tree.

The security of Windows Server 2008 trusts is maintained by Kerberos. Kerberos Version 5.0 is the primary security protocol for Windows Server 2008, but it isn’t a Microsoft protocol. Kerberos is a security system developed at the Massachusetts Institute of Technology (MIT). It verifies both the identity of the user and the integrity of all session data while that user is logged in. Kerberos services are installed on each domain controller, and a Kerberos client is installed on each workstation and server. A user’s initial Kerberos authentication provides that user with a single logon to enterprise resources. For more information about Kerberos, see the Internet Engineering Task Force’s (IETF’s) Requests for Comments (RFCs) 1510 and 1964. These documents are available on the Web at http://rfc-editor.org.
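The difference between the NT 4.0 picture (A trusts B, C trusts B, yet C does not trust A) and two-way transitive tree trusts is easy to model as a directed graph, and doing so makes it obvious that both properties, two-way and transitive, are needed before C ends up trusting A. This is an added Python example, not the book’s code or any Windows tool; the domain letters follow Figure 7-4 and the function names are mine.

```python
from collections import defaultdict, deque

# Constructed trust tables modelled on Figure 7-4: domain A trusts domain B
# and domain C trusts domain B. Each pair is (trusting domain, trusted domain).
# Domain names are placeholders.
NT4_TRUSTS = [("A", "B"), ("C", "B")]      # explicit, one-way, non-transitive
FOREST_TRUSTS = [("A", "B"), ("C", "B")]   # same pairs, created as tree trusts


def trust_graph(edges, two_way: bool):
    """Adjacency map: trusting domain -> set of domains it trusts directly.
    NT 4.0 trusts are one-way unless created in both directions; the tree and
    forest trusts of Windows Server 2008/2003 and Windows 2000 are two-way."""
    adj = defaultdict(set)
    for trusting, trusted in edges:
        adj[trusting].add(trusted)
        if two_way:
            adj[trusted].add(trusting)
    return adj


def trusts(trusting: str, trusted: str, edges, two_way: bool, transitive: bool) -> bool:
    """Does `trusting` accept accounts from `trusted`?

    Non-transitive: only a direct trust counts. Transitive: any chain of
    trusts counts, found with a breadth-first walk over the graph."""
    adj = trust_graph(edges, two_way)
    if not transitive:
        return trusted in adj[trusting]
    seen, queue = {trusting}, deque([trusting])
    while queue:
        domain = queue.popleft()
        for nxt in adj[domain]:
            if nxt == trusted:
                return True
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def all_trusted_by(trusting: str, edges, two_way: bool, transitive: bool) -> list:
    """Every domain whose accounts `trusting` will accept. Useful for seeing
    how far a forest's implicit trust actually reaches from one domain."""
    domains = {d for pair in edges for d in pair}
    return sorted(d for d in domains if d != trusting
                  and trusts(trusting, d, edges, two_way, transitive))


if __name__ == "__main__":
    print("NT 4.0: C trusts A?", trusts("C", "A", NT4_TRUSTS, two_way=False, transitive=False))
    print("Forest: C trusts A?", trusts("C", "A", FOREST_TRUSTS, two_way=True, transitive=True))
    print("Forest reach from C:", all_trusted_by("C", FOREST_TRUSTS, two_way=True, transitive=True))
```

Running the same pairs with `two_way=True` but `transitive=False` still answers False for C trusting A, which is the point of the figure: C reaches A only through B, and that path exists only when trusts are both two-way and transitive. The reach list is the audit view a defender wants, since every domain it names can present accounts to the starting domain.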
Building trees

In Windows Server 2008, one domain may be a child of another domain. For example, www.legal.savilltech.com is a child of savilltech.com (which is the root domain name and therefore the name of the tree). A child domain always contains the complete domain name of the parent. As shown in Figure 7-5, dev.savillCORP.com can’t be a child of savilltech.com because those domain names don’t match. A child domain and its parent share a two-way, transitive trust.

When a domain is the child of another domain, a domain tree is formed. A domain tree must have a contiguous namespace (which means all namespaces share a common root — that is, have the same parent). Domain trees can be created only during the server-to-domain-controller promotion process with DCPROMO.EXE.

Here are some advantages to placing domains in a tree:

• All members of a tree enjoy Kerberos transitive trusts with their parent and all of its children.

• These transitive trusts mean that any user or group in a domain tree can be granted access to any object in the entire tree.

• A single network logon can be used at any workstation in the domain tree.
Figure 7-5: Parent/child relationship example. (savilltech.com, legal.savilltech.com, defense.legal.savilltech.com, and dev.savillCORP.com; child domains MUST contain the parent DNS name.)
Understanding forests

You may have a number of separate domain trees in your organization with which you’d like to share resources. You can share resources between domain trees by joining those trees to form a forest. A forest is a collection of trees that doesn’t explicitly share a single, contiguous namespace. (However, each tree must be contiguous.) Creating a forest may be useful if your company has multiple root DNS addresses. For example, in Figure 7-6, the two root domains are joined via transitive, two-way Kerberos trusts (like the trust created between a child and its parent). Forests always contain the entire domain tree of each domain, and you can’t create a forest that contains only parts of a domain tree.
Part II: Servers, Start Your Engines
Figure 7-6: An example of a forest. (Two trees: savilltech.com, with legal.savilltech.com, dev.savilltech.com, and defense.legal.savilltech.com; and acme.com, with legal.acme.com.)
Forests are created when the first server-to-domain-controller-promotion process using DCPROMO is initialized and can’t currently be created at any other time. You aren’t limited to only two domain trees in a forest. (You can have as few as one because a single domain by itself is technically considered both a tree and a forest.) You can add as many trees as you want, and all domains in the forest will be able to grant access to objects for any user in the forest. Again, this cuts back the need to manage trust relationships manually. The advantages of creating forests are as follows:

• All trees have a common global catalog containing specific information about every object in the forest.
• The trees all contain a common schema. Microsoft has not yet confirmed what will happen if two trees have different schemas before they’re joined. We assume that the changes will be merged.
• Searches in a forest perform deep searches of the entire tree of the domain from which the request is initiated and use the global catalog entries for the rest of the forest.
Chapter 8
Working with Active Directory, Domains, and Trusts

In This Chapter
✓ Understanding domains
✓ Controlling domains and directories
✓ Handling directory permissions
✓ Managing trusts
Access to Active Directory’s sheer power is useless unless you can configure and manage its content. Only then can you get the most out of its powerful (but sometimes cryptic) environment. In this chapter, you take a long hard look at Active Directory. Before you enter into this staring contest with your computer screen, however, we want to show you how manipulating and configuring content is tied to manipulating and configuring domains. That’s right; you get to tackle domains one more time. So once more into the breach, dear friend, so that you too can master your own domain(s). For details on domain controllers and their changing roles in Windows 2008, see Chapter 7. We also suggest you pick up a copy of Active Directory For Dummies (Wiley Publishing).
Master of Your Domain

Domain controller roles aren’t defined during the installation of Windows Server 2008 but rather while running the Active Directory Installation Wizard. (For more information about the Active Directory Installation Wizard, see Chapter 7.) Windows Server 2008 borrows the concept of a primary domain controller (PDC) from Windows NT through the use of the PDC emulator for certain domain functions, though it has jettisoned Windows NT’s concept of a backup domain controller (BDC). In Windows 2008, all domain controllers are equal and share peer-to-peer relationships, rather than acting either as master (PDC) or slave (BDC). To support older Windows NT Server 4.0 and 3.51 BDCs in a mixed mode environment, one of the Windows Server 2008 domain controllers must emulate a Windows NT Server 4.0 PDC. Then it must replicate changes to those old-fashioned BDCs so that they can keep up with changes to Active Directory, such as password modifications.

Keeping lots of peers around can cause problems if you don’t watch out. (Ever hear the expression, “Too many cooks spoil the soup”?) Windows Server 2008 uses five special roles to keep peers in line. One role is specifically designed to support any Windows NT vintage clients and domain controllers. The other four roles work to minimize the risk that multiple domain controllers will make changes to the same object, thereby losing or confusing attribute modifications. These roles are called Flexible Single Master Operation (FSMO) roles, where each of the five roles manages a particular aspect of a domain or forest.

Some of the Flexible Single Master Operation domain controllers, sometimes referred to as operations masters, have a role that is domain wide, so their effect percolates throughout the given domain. When a forest has multiple domains, each domain has a domain-wide FSMO domain controller. Other FSMO domain controllers have a forest-wide role. Each forest-wide FSMO domain controller is the only one of its type in the entire forest, regardless of how many domains reside within that forest. The flexibility of the Flexible Single Master of Operation domain controllers indicates that these roles can move between domain controllers within a domain if the role of the original FSMO DC is domain wide, or between other domain controllers in the forest if the role of the original FSMO DC is forest wide.
However, it does take some effort on your part to move them. You assign FSMO roles using the NTDSUTIL utility. For more information on the NTDSUTIL utility, see the Windows Server 2008 Server Help files or the Resource Kit. The following list gives you an idea how these five roles work with domains in Active Directory:

• Schema master: At the heart of Active Directory, the schema is a blueprint for all objects and containers. Because the schema has to be the same throughout an entire forest, only one domain controller can be used to make modifications to the schema. If the domain controller that holds the role of schema master can’t be reached, no updates to the Active Directory schema may be performed. You must be a member of the schema administrators group to make changes to the schema. (See Chapter 7 for a more detailed definition of the schema.)
• Domain naming master: To add a domain to a forest, its name must be verifiably unique. The domain naming master of the forest oversees the domain name operation and ensures that only verifiably unique names are assigned. It also functions to add and remove any cross-references to domains in external directories, such as external Lightweight Directory Access Protocol (LDAP) directories. Only one domain naming master exists per forest. You must be a member of the enterprise administrators group to make changes to the domain naming master, such as transferring the FSMO role or adding domains to or removing domains from a forest.
• Relative ID (RID) master: Any domain controller can create new objects (such as user, group, and computer accounts). The domain controller contacts the RID master when fewer than 100 RIDs are left. This means that the RID master can be unavailable for short periods of time without causing object-creation problems. This ensures that each object has a unique RID. There can be only one RID master per domain.
• PDC emulator: The PDC emulator domain controller acts as a Windows NT primary domain controller when there is a domain environment that contains both NT4 BDCs and Windows 2000 DCs or Windows 2003/2008 DCs (or all three). It processes all NT4 password changes from clients and replicates domain updates to the down-level BDCs. After upgrades to the domain controllers have been performed and the last of the BDCs are upgraded or removed from the environment, the Windows 2000 domain or Windows Server 2003/2008 domain (or all three) can be switched to native mode. After the domain is in native mode, the PDC emulator still performs certain duties that no other DCs in the domain handle. Each domain in the forest, including child domains, has only one PDC emulator domain controller.
• Infrastructure master: When a user and a group are in different domains, there can be a lag between changes to a user profile (a username, for example) and its display in the group. The infrastructure master of the group’s domain is responsible for fixing the group-to-user reference to reflect the rename. The infrastructure master performs its fix-ups locally and relies on replication to bring all other replicas up to date. (For more information on replication, see the “When replication happens” section, later in this chapter.)
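The list above tells you what stops working when each operations master is unreachable. The following script is an added example, not from the book: it reads the five role holders from the forest and domain objects and pings each one, so you can see at a glance which of the consequences listed above you are currently exposed to. It uses the System.DirectoryServices.ActiveDirectory classes that ship with Windows Server 2008 and must run on a domain-joined machine; the role holders it prints come from your own forest, not from fixed names.

```powershell
# Added example (not from the book): report the five FSMO role holders and
# whether each one answers a ping. Forest-wide roles come from the Forest
# object, domain-wide roles from the Domain object, matching the scopes in
# the text. Assumes a domain-joined host and an account that can read AD.
Add-Type -AssemblyName System.DirectoryServices

function Get-FsmoRoleStatus {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    # "IfDown" is the consequence the chapter gives for each unreachable role.
    $roles = @(
        @{ Role = 'Schema master';         Scope = 'forest'; Holder = $forest.SchemaRoleOwner.Name;
           IfDown = 'no schema updates can be made' },
        @{ Role = 'Domain naming master';  Scope = 'forest'; Holder = $forest.NamingRoleOwner.Name;
           IfDown = 'domains cannot be added to or removed from the forest' },
        @{ Role = 'RID master';            Scope = 'domain'; Holder = $domain.RidRoleOwner.Name;
           IfDown = 'object creation fails once each DC has used its last ~100 RIDs' },
        @{ Role = 'PDC emulator';          Scope = 'domain'; Holder = $domain.PdcRoleOwner.Name;
           IfDown = 'down-level password changes and recent-password-change lookups fail' },
        @{ Role = 'Infrastructure master'; Scope = 'domain'; Holder = $domain.InfrastructureRoleOwner.Name;
           IfDown = 'cross-domain group-to-user references are not fixed up' }
    )

    foreach ($r in $roles) {
        # One ICMP echo; if ping is blocked the holder is reported as unreachable,
        # so treat "False" as "go and check", not as proof the DC is down.
        $up = Test-Connection -ComputerName $r.Holder -Count 1 -Quiet -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Role      = $r.Role
            Scope     = $r.Scope
            Holder    = $r.Holder
            Reachable = [bool]$up
            IfDown    = $r.IfDown
        }
    }
}

Get-FsmoRoleStatus | Format-Table Role, Scope, Holder, Reachable, IfDown -AutoSize
```

Run it before and after transferring a role with NTDSUTIL: the Holder column should change for exactly the role you moved, and nothing else.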
Trusts Are Good for NT 4.0 and Active Directory Domains In the good old days before the need for FSMO roles (that is, during Windows NT’s prime), there was exactly one main domain controller (a primary domain controller, or PDC) that could make changes to the Security Accounts Manager (SAM) database. Those changes were then replicated to other backup domain controllers (BDCs). In this model, the SAM database was simply a file stored on each PDC that contained information about the domain’s security objects, such as users and groups. To support authentication across domains (and thus stymie unauthorized access to the network), you created one-way trust relationships between domains that would allow users and groups from the trusted domain to be assigned access to resources in the trusting domain. The concept of trusting and trusted is confusing, so we’re going to try to shed some light on the subject. Imagine a trust between two domains: A and B. Domain A trusts domain B, so domain B is the trusted domain, and domain A is the trusting domain. Because domain A trusts domain B to correctly authenticate its users, users from domain B can be assigned access to resources in domain A. (You could create a bidirectional trust relationship, where domain A trusts domain B with its resources and domain B trusts domain A with its resources. However, what you really have with a bidirectional trust is two unidirectional trusts that have been joined.) Before you get the idea that we’re all one happy, trusting family, don’t forget that Windows NT 4.0–based trusts aren’t transitive; therefore, if domain C trusts domain B, and domain B trusts domain A, domain C doesn’t implicitly trust domain A. For domain A to trust domain C, you must establish an explicit trust relationship between domain A and domain C. Got all that? Remember it; we’ll come back to it later. Windows Server 2008 makes use of Active Directory to keep domains in line when it comes to trust relationships. 
Windows Server 2008 domain controllers store the directory service information in a file (NTDS.DIT), and trust relationships are still needed to authenticate across multiple domains. Windows Server 2008 automatically creates trust relationships between all domains in a forest just as it did under Windows 2000, but the real change from the older NT4 model to the Active Directory approach lies in how modifications are made and replicated to the domain database and how all automatically created trusts are two way and transitive by default. Now if A trusts B and B trusts C, A trusts C — and the reverse is true as well. Before you get too flabbergasted, don’t forget that Windows 2000 and Windows Server 2003/2008 use trusts in the same way. All operating systems create two-way and transitive trusts.
How Domain Controllers Work Together In the days of Windows NT, domains had it easy. You made changes at only one domain controller, and the changes were copied at regular intervals to any other controllers for the domain. Now, with Windows Server 2008, you can make changes at any domain controller and remain confident that Windows Server 2008’s left hand always knows what its right hand is doing. How does this work, you ask? The answer, dear friend, is multimaster replication. (And you thought we were going to say “blowing in the wind.”) How multimaster replication works is discussed in Chapter 7, but here you look at the concept at a higher level. With multimaster replication, any domain controller can make changes to the Active Directory database. Those changes are then replicated to all other domain controllers in that domain.
When replication happens Replication between domain controllers in a Windows NT 4.0 domain is configured using a couple of Registry settings. That’s it. Fairly useless really. Windows Server 2008 is much cooler! A site is a collection of machines and domain controllers connected by means of a fast network and grouped by IP subnets. What do sites have to do with replication, you ask? Well, everything. They allow us to define different replication schedules depending on the domain controllers’ site membership. There are essentially two types of replication: intrasite replication (between domain controllers in the same site) and intersite replication (between domain controllers in different sites).
Intrasite replication When a change is made to the Active Directory, such as adding or deleting a user or changing an attribute of an object (say, adding properties to a printer), this change must be replicated to other domain controllers in the domain. The change is called an originating update. The domain controller where the originating update was made sends a notification to its replication partners (other domain controllers in the site) that a change is available. After replication occurs, the replication partners will have a copy of the change that was made on the other domain controller. This updating of the Active Directory on the partner domain controller is called a replicated update because it originated elsewhere.
Replication is initiated between domain controllers at a defined regular interval (five minutes, by default), and urgent replication using notification can be initiated for any of the following:

• Replication of a newly locked-out account: Prevents users from moving to another part of a domain to log on with a user account that has been locked out on a domain controller.
• Modification of a trust account: Enables all members of a domain to take advantage of a new trust with another domain.

This replication methodology has some problems. In the good ol’ days (in other words, with Windows NT 4.0), you changed your password at the PDC to avoid the problem of a new setting not being replicated for a long time. With Windows 2008, password changes are initially changed at the PDC FSMO; in the event of password failure, the PDC FSMO is consulted in case the password has been recently changed but hasn’t yet been replicated. If replication partners don’t receive any change notifications in an hour (the default setting), they initiate contact with their replication partners to see whether any updates were made remotely and whether the subsequent change notifications were missed.
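Because a partner that has silently stopped receiving updates also stops receiving lockouts and password changes, it is worth checking for partners that have gone longer than the one-hour window without a successful replication. The following is an added example, not from the book: it parses the CSV output of repadmin.exe (part of the AD DS role on Windows Server 2008) and lists partners with failures or with no success inside the window. The column names are the ones repadmin emits with "/showrepl * /csv"; the 60-minute threshold is the default from the text and can be overridden.

```powershell
# Added example (not from the book): list replication partners whose last
# successful replication is older than the notification window, or that
# report failures. Requires repadmin.exe on the path (AD DS role).
function Get-StaleReplicationPartner {
    param([int]$MaxAgeMinutes = 60)   # default check-in window described in the text

    # "*" asks every DC in the forest; /csv gives one row per partner and naming context.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv

    foreach ($row in $rows) {
        $last = [DateTime]::MinValue
        $parsed = [DateTime]::TryParse($row.'Last Success Time', [ref]$last)
        $ageMin = if ($parsed) { [int]((Get-Date) - $last).TotalMinutes } else { $null }

        $failures = 0
        [void][int]::TryParse($row.'Number of Failures', [ref]$failures)

        # Never succeeded, succeeded too long ago, or has accumulated failures.
        if ((-not $parsed) -or ($ageMin -gt $MaxAgeMinutes) -or ($failures -gt 0)) {
            New-Object PSObject -Property @{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                MinutesSince  = $ageMin
                Failures      = $failures
                LastStatus    = $row.'Last Failure Status'
            }
        }
    }
}

Get-StaleReplicationPartner | Sort-Object MinutesSince -Descending |
    Format-Table Destination, Source, NamingContext, MinutesSince, Failures, LastStatus -AutoSize
```

An empty result is the healthy case. A partner that shows up with a large MinutesSince and zero failures usually means a site link schedule (next section) simply hasn’t opened yet, which is expected; one with failures is not.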
Intersite replication

Intersite replication takes place between particular servers in one site to particular servers in another site. This is where Windows Server 2008 shines. You can configure a timetable of how often to replicate for every hour of every day. All you need to do is follow these steps:

1. Navigate to the Active Directory Sites and Services MMC snap-in. (Choose Start➪Control Panel➪Administrative Tools➪Active Directory Sites and Services.)
2. Go to the Inter-Site Transport branch and select IP.
3. In the right-hand pane, select a site link (for example, a remote domain), right-click, and choose Properties.
4. Make sure that the General tab is selected and then click Change Schedule. The dialog box used to change replication times appears, as shown in Figure 8-1.
5. Change the replication schedule as desired. For example, you can set it to replicate only on Sundays from 6 p.m. to 7 p.m.

You can have different replication schedules for every pair of sites, so depending on the network connectivity and geographical location, different schedules may be appropriate. For example, if a slow WAN link exists between two sites, a replication with less frequent updates may be necessary to prevent bandwidth consumption. One other area of replication crosses domains: global catalog information. The global catalog contains all the information about all the objects in its own domain and a subset of information for every object in the forest. However, Windows Server 2008 performs all the calculations needed to optimize this replication, so mere mortals like us don’t need to worry about it.
Figure 8-1: This is where you change replication times.
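The schedule grid in Figure 8-1 is stored per site link, and a link whose grid has been cleared entirely never replicates. This added example (not from the book) walks every IP site link in the forest and prints its interval and the hours each day in which replication is allowed, so a link set to Sundays 6–7 p.m. shows as "Sunday:18" and a link with no window at all shows as NEVER. It reads the ActiveDirectorySiteLink and ActiveDirectorySchedule classes from System.DirectoryServices.ActiveDirectory (present on Windows Server 2008) and changes nothing; it assumes, as the class documents, that a site link with no schedule object is available at all times.

```powershell
# Added example (not from the book): audit site link replication windows.
# RawSchedule is a bool[7,24,4]: [day (0 = Sunday), hour, 15-minute slot].
Add-Type -AssemblyName System.DirectoryServices

function Get-SiteLinkScheduleReport {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $seen = @{}   # a link is listed under every site it joins; report it once

    foreach ($site in $forest.Sites) {
        foreach ($link in $site.SiteLinks) {
            if ($seen.ContainsKey($link.Name)) { continue }
            $seen[$link.Name] = $true

            $sched = $link.ReplicationSchedule
            if ($null -eq $sched) {
                # Assumption: no schedule object means the link is always open.
                $window = 'always (no schedule set)'; $openHours = 168
            } else {
                $raw = $sched.RawSchedule
                $openHours = 0; $parts = @()
                for ($d = 0; $d -lt 7; $d++) {
                    $hours = @()
                    for ($h = 0; $h -lt 24; $h++) {
                        $open = $false
                        for ($q = 0; $q -lt 4; $q++) { if ($raw[$d, $h, $q]) { $open = $true } }
                        if ($open) { $hours += $h; $openHours++ }
                    }
                    if ($hours.Count -gt 0) {
                        $parts += ('{0}:{1}' -f [DayOfWeek]$d, ($hours -join ','))
                    }
                }
                $window = if ($parts.Count -gt 0) { $parts -join ' ' } else { 'NEVER' }
            }

            New-Object PSObject -Property @{
                Link             = $link.Name
                Sites            = ($link.Sites | ForEach-Object { $_.Name }) -join ' <-> '
                IntervalMinutes  = $link.ReplicationInterval.TotalMinutes
                OpenHoursPerWeek = $openHours
                Window           = $window
            }
        }
    }
}

Get-SiteLinkScheduleReport | Format-Table Link, Sites, IntervalMinutes, OpenHoursPerWeek, Window -AutoSize
```

Combine this with the stale-partner check from the previous section: a partner that is behind by less than the gap between two open windows on its link is behaving as configured.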
Know your database limits

In Windows 2008, there’s really no limit to the number of objects per domain — your organization will never get that big! Windows NT 4.0 domains are limited to around 40,000 objects per domain. This forces some companies to acquire multiple master domains joined by bidirectional trust relationships. Windows 2008, on the other hand, extends this to around 10,000,000 objects per domain. HP has performed tests and created 16,000,000 user objects in a single domain with no significant performance problems. However, it had some very powerful hardware — probably much more powerful than your home PC or even your company’s primary server! These objects have to be replicated at some point. Windows Server 2008 uses property rather than object replication, which means that only the property change is replicated, not the entire object. In other words, if you change just one property of an object (a user’s phone number, for example), only the property change (the new phone number) is replicated. Your database size is governed by your domain controller hardware and the physical network infrastructure. But if you have enough money to invest in the proper hardware, we doubt that you would need more than a single domain (unless your company is really big). There are, however, other reasons for needing multiple domains and forests, such as needing different schemas. (See Chapter 7 for more on schemas.) The backup and restoration needs of your enterprise may govern database size because a huge directory database is no good if it takes days to back it up.
Administrivia Anyone? (Controlling Domains and Directories) If you don’t have sufficient tools available to manipulate and manage Active Directory, its power won’t do you much good. Fortunately, not only does Windows Server 2008 come with a complete set of ready-made tools, but you can also write your own tools and scripts using the Active Directory Scripting Interface (ADSI).
Exploring the directory management console As with everything else in Windows 2008, management of Active Directory is accomplished using a Microsoft Management Console (MMC) snap-in. The snap-in you’ll use most often is the Active Directory Users and Computers snap-in (shown in Figure 8-2), which is what you use to create, manage, and delete everything from users to computers. It includes some of the features of the old User and Server Manager from Windows NT.
Figure 8-2: The Active Directory Users and Computers MMC snap-in.
To access the Active Directory Users and Computers snap-in, choose Start➪Administrative Tools➪Active Directory Users and Computers. When you first start the snap-in, you see your domain name (represented as a DNS domain name) at the top of the directory. You’ll also notice several containers (known more commonly as folders). Some of these containers are built-in organizational units (OUs), which contain objects in a domain that are organized into logical containers, thus allowing finer segregation and control in a domain. Certain container objects appear in all typical Active Directory installations:

• Built-in: By default, the details of the old Windows NT 4.0 groups, such as Administrators and Backup Operators.
• Computers: The computer accounts that were managed using Windows NT’s Server Manager. Computer objects in other organizational units aren’t listed in this container.
• Domain controllers: A built-in organizational unit that contains all domain controllers.
• Users: The default store for all domain users. Again, users in other organizational units aren’t listed.

In a fully functional domain, you’ll find various organizational units, depending on the services you have installed and the organizational units you create. Everything is context driven in Windows Server 2008. This means that if you right-click an object or container, a menu specific to that object or container is displayed. This is much better than hunting through huge standard menus for options relevant to the chosen object.
Creating directory objects Windows Server 2008 has tons of objects, such as computer, user, group, and shared folder objects. In this section, we concentrate on the creation of only the first two (computer and user objects) because the others are fairly intuitive and don’t support many configuration options. In a Windows NT 4.0 domain, it never took too much planning to create new user or computer objects. You just did it. In Windows Server 2008, however, you can’t be quite so spontaneous. You first need to think about where you want to create such an object. Placement is important because, although you can still move objects around, it’s much easier in the long run if you create an object in the correct location from the get-go. However, because you may not always have the time to plan and do it right the first time, you can always move the object later if you have to. (Just don’t say we didn’t warn you.)
Use OUs to help you organize your data into logical containers. First you create an OU for the various departments in your organization (for example, one for accounting, one for engineering, one for personnel, and so on). Then you can put all user and computer objects in a particular department in its OU. In addition, you can lighten your administrative load by assigning a person in each department the rights necessary to manage his or her OU and that OU only. Pretty nifty, huh? You can create a user object in one of two places: in the default User/Computer container or in some organizational unit you or someone else has already created. If you delegate the ability to create objects, you can set it up so that the delegated users can create objects in only one location, or certain selected locations. To create a user object, perform the following steps:

1. Start Active Directory Users and Computers. (Choose Start➪Control Panel➪Administrative Tools➪Active Directory Users and Computers.)
2. In the Active Directory Users and Computers console tree, right-click the container (such as Users) in which you want to create the user object, point to New, and click User. The first page of the User Creation Wizard (the New Object – User dialog box) is displayed, as shown in Figure 8-3. For interoperability with other directory services, you can click InetOrgPerson instead of the user object type, which is nearly identical. You can find information regarding InetOrgPerson in the “Understanding user accounts” article in the Windows Help files.
Figure 8-3: The first page of the User Creation Wizard.
3. Type the user’s first and last name, initials, and a logon name, and then click Next. The next page of the Wizard allows you to set the new password and the following options:
   • User Must Change Password at Next Logon
   • User Cannot Change Password
   • Password Never Expires
   • Account Is Disabled
4. In the Password and Confirm Password text boxes, type the user’s password and select the appropriate password options.
5. Click Finish.

That’s it; you’ve created a new user. You’re probably thinking, “What about all the other user attributes, such as security features?” Well, you no longer define those settings during the creation of the user. After you create the user object, you right-click it and select Properties. The Properties dialog box for the user appears. Each tab pertains to various aspects of the selected user object. These tabs vary depending on the Windows Server 2008 subsystems in use, on other back office applications such as Exchange Server or SQL Server, and even on what third-party software you might have installed. Computer account creation is much simpler and doesn’t bombard you with quite so many tabs. Again, in Active Directory Users and Computers, right-click the container in which you want to create the new computer object (such as Computers), and choose New➪Computer. The New Object – Computer dialog box appears, as shown in Figure 8-4. You only have to type a computer name and select who can add the computer to the domain.
Figure 8-4: We’re creating a new computer object named FriedBanana Sandwich.
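The wizard’s password check boxes are worth understanding as attributes, because that is what a script (or an attacker’s audit of your domain) sees. The following added example, not from the book, creates a user with ADSI from PowerShell and maps three of the four boxes onto the attributes that implement them. The OU path, names and domain are placeholders. One box deliberately is not mapped: "User Cannot Change Password" is not a userAccountControl flag but a Deny entry for the Change Password right in the object’s ACL, so it belongs with the Security tab material later in this chapter.

```powershell
# Added example (not from the book): create a user with ADSI and apply the
# wizard's password options as attributes. All names are placeholders.
function New-AdsiUser {
    param(
        [string]$OuPath    = 'LDAP://OU=Accounting,DC=example,DC=com',   # placeholder OU
        [string]$First     = 'Jane',
        [string]$Last      = 'Doe',
        [string]$Logon     = 'jdoe',
        [string]$UpnSuffix = 'example.com',                               # placeholder domain
        [Security.SecureString]$Password,
        [switch]$MustChangePassword,    # "User Must Change Password at Next Logon"
        [switch]$PasswordNeverExpires,  # "Password Never Expires"
        [switch]$Disabled               # "Account Is Disabled"
    )

    $ou   = [ADSI]$OuPath
    $user = $ou.Create('user', "CN=$First $Last")
    $user.Put('sAMAccountName',    $Logon)
    $user.Put('userPrincipalName', "$Logon@$UpnSuffix")
    $user.Put('givenName',         $First)
    $user.Put('sn',                $Last)
    $user.Put('displayName',       "$First $Last")
    $user.SetInfo()                 # the object must exist before a password can be set

    # SetPassword needs clear text; keep it in memory only for the call itself.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try     { $user.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

    # userAccountControl bits: 0x200 normal account, 0x2 disabled,
    # 0x10000 password never expires.
    $uac = 0x200
    if ($Disabled)             { $uac = $uac -bor 0x2 }
    if ($PasswordNeverExpires) { $uac = $uac -bor 0x10000 }
    $user.Put('userAccountControl', $uac)

    # "Must change at next logon" is really pwdLastSet = 0.
    if ($MustChangePassword)   { $user.Put('pwdLastSet', 0) }
    $user.SetInfo()

    return $user.psbase.Path    # ADsPath of the new object
}

$pw = Read-Host -AsSecureString 'Initial password for the new user'
New-AdsiUser -Password $pw -MustChangePassword
```

Creating users this way also makes the defaults explicit: a user created with none of the switches ends up with userAccountControl 0x200, exactly what the wizard produces when every box is left clear.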
Finding directory objects

Finding objects is one of Active Directory’s greatest pluses. Using the global catalog, you can find an object anywhere in an enterprise forest by querying Active Directory. You can search for anything — a user, a computer, even a printer — and you can search for many attributes. (The attributes presented vary depending on the type of object you’re searching for.) For example, you can ask Active Directory to find the closest color-capable, double-sided printer at your site. You don’t even have to tell Active Directory where you are. It figures that out automatically. On a Windows Server 2008 system, there’s a Search component that you can access from the Start menu. (Choose Start➪Search.) Under this menu, you can use a number of options to search for users, folders, and printers. The available options are as follows:

• For Files or Folders
• On the Internet
• Find Printers
• For People

For example, if you want to search for a color printer, choose Start➪Search➪Find Printers. There are three available tabs: Printers, Features, and Advanced. You want to choose the Advanced tab because it allows you to specify that you’re searching for a color printer. After you enter all your details, click Find Now, and your results appear. In a large enterprise, many listings that meet your requirements may appear, so always try to be as specific and detailed as possible when performing a search.
A word on ADSI Active Directory Scripting Interface (ADSI for short) allows you to manipulate the directory service from a script. You can use Java, Visual Basic, C, or C++ scripts. With ADSI, you can write scripts that automatically create users, including their setup scripts, profiles, and details. If you need to manage a medium or large domain, you should learn ADSI. In the long run, it’ll save you a great deal of time and aggravation. Search the Microsoft Web site at www.microsoft.com/windows for ADSI, and you’ll find loads of great information (more than you’d want!). Also check the Windows Server 2008 Resource Kit for details.
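The Find Printers dialog from "Finding directory objects" is just an LDAP query against the global catalog, and ADSI lets you issue the same query from a script. This added example, not from the book, searches the whole forest for printQueue objects that advertise colour and duplex support, optionally narrowed by location. It uses the standard schema attribute names (printColor, printDuplexSupported, printerName, serverName, location) and assumes, as the Find Printers dialog does, that those attributes are published to the global catalog; the forest root is read from RootDSE rather than hard-coded.

```powershell
# Added example (not from the book): the "Find Printers" search done with ADSI.
Add-Type -AssemblyName System.DirectoryServices

# Single-valued attributes come back as collections; take the first value safely.
function Get-FirstValue($result, $name) {
    $v = $result.Properties[$name]
    if ($v -and $v.Count -gt 0) { [string]$v[0] } else { '' }
}

function Find-Printer {
    param([switch]$Color, [switch]$Duplex, [string]$Location)

    # Forest root DN from RootDSE, then bind to it through the GC provider so the
    # search covers every domain in the forest, as the text describes.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $base    = [ADSI]('GC://' + [string]$rootDse.rootDomainNamingContext)

    $filter = '(&(objectClass=printQueue)'
    if ($Color)    { $filter += '(printColor=TRUE)' }
    if ($Duplex)   { $filter += '(printDuplexSupported=TRUE)' }
    if ($Location) { $filter += "(location=*$Location*)" }
    $filter += ')'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, $filter)
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500     # paged results: large forests would otherwise stop at 1000
    [void]$searcher.PropertiesToLoad.AddRange(@('printerName', 'serverName', 'location'))

    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Printer  = Get-FirstValue $r 'printername'
            Server   = Get-FirstValue $r 'servername'
            Location = Get-FirstValue $r 'location'
        }
    }
}

Find-Printer -Color -Duplex | Format-Table Printer, Server, Location -AutoSize
```

Two points the dialog hides: the PageSize setting is what keeps a big forest from silently truncating the result list, and the filter string is built from fixed literals plus a location wildcard only, so a user-supplied location value cannot change the shape of the query.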
Permission to Proceed? Handling Directory Permissions

An old concept says, “You’re the administrator; administrate no longer.” And it does have some truth to it in Windows Server 2008. Although some tasks still require a full-fledged domain administrator, the common management of a domain may be more easily accomplished when you grant different sets of user permissions to manage different sets of users and user properties. In English, this means you can delegate the responsibility for managing low-level users to slightly higher-level users, and so on, until you, as the administrator, need to get involved only to manage more weighty constructs, such as domain forests and trees or intrasite access.
About Active Directory permissions If you’re familiar with the Windows NT security model, you probably know all about Access Control Lists (ACLs). ACLs allow a set of permissions to be applied to a file, directory, share, or printer (and more), thus controlling which users can access and modify these particular objects. Windows Server 2008 takes this to the next level by assigning an ACL to every single attribute of every single object. This means you can control user access to such a fine degree that you can micromanage your users into the nearest insane asylum. You could insist, for example, that “User group Personnel Admin may change the address, phone number, and e-mail attributes of all users but nothing else.”
Assigning permissions You can assign permissions to Active Directory objects in various ways. Here, we present an extreme case, so everything else looks like a piece of cake! Remember Active Directory Users and Computers? Well, earlier in this chapter, in “Exploring the directory management console,” you saw a nice, basic view of this utility. However, it has other options that are shown only when it’s in Advanced Features mode. To turn on Advanced Features, start Active Directory Users and Computers (choose Start➪Administrative Tools➪ Active Directory Users and Computers) and then choose View➪Advanced Features.
Some new branches are added to the basic domain root: LostAndFound and System. We don’t care about that, though. Instead, we’re interested in the new tab added to the objects — the Security tab. In Active Directory Users and Computers, find a user, any user. Right-click the user and then select Properties. In the user’s Properties dialog box, click the Security tab, and then click the Advanced button. The Permissions tab for the Advanced Security Settings dialog box appears, as shown in Figure 8-5. You see a list of permission entries that includes a type (Allow/Deny), a user or group, and the permission and its scope.
Figure 8-5: The Advanced Security Settings dialog box for an object used to control user access.
Obviously, assigning permissions explicitly to every object takes forever. Thankfully, Active Directory uses an inheritance model so that you need to make changes only at the root; the changes propagate down from there. The following section spells out how this works.
Permissions inheritance There are two types of permissions: explicit and inherited. Explicit permissions are assigned directly to an object, and inherited permissions are propagated to an object from its parent (and so on). By default, any object in a container inherits permissions from its container.
Sometimes, you don’t want permissions to be inherited — for example, you’re working with a directory structure in which different permissions are defined on each contained object, such as with a multiuser File Transfer Protocol (FTP) site or a shared folder that contains user home directories. The default setting in Active Directory specifies that permissions are inherited, but you can change this default behavior. Remember the Advanced Features view for Active Directory Users and Computers? Well, you need it again. When you turn on the Advanced Features from the View menu and check out the advanced security properties of a user (right-click the user, choose Properties, click the Security tab, and then click the Advanced button), notice the Include Inheritable Permissions from This Object’s Parent check box, which is selected by default. If you deselect it, any changes made to the parent container no longer propagate to the objects it contains. You disable inheritance for the object. If you do disable inheritance, you’re given the following options:

• Copy Previously Inherited Permissions to This Object
• Remove Inherited Permissions
• Cancel (Disable) the Inheritance

Of course, you can enable inheritance later if you want. It’s not a one-way operation, so don’t panic!
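The Advanced Security Settings dialog shows explicit and inherited entries mixed together, and the per-attribute ACLs described in "About Active Directory permissions" appear there as entries with an object type. This added example, not from the book, reads the same ACL through DirectoryEntry.ObjectSecurity (available on Windows Server 2008), counts explicit, inherited and attribute-scoped entries, reports whether inheritance is blocked, and expresses the inheritance choices from the list above as the calls that implement them. The distinguished name is a placeholder; only Set-AdObjectInheritance writes anything, and "Cancel" in the dialog corresponds to simply not calling it.

```powershell
# Added example (not from the book): inspect an object's ACL and control
# inheritance with System.DirectoryServices.ActiveDirectorySecurity.
Add-Type -AssemblyName System.DirectoryServices

function Get-AdObjectAcl {
    param([string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $sec   = $entry.psbase.ObjectSecurity        # ActiveDirectorySecurity
    $rules = $sec.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    # Summary first: is inheritance blocked, and how many entries of each kind?
    New-Object PSObject -Property @{
        Object              = $DistinguishedName
        InheritanceBlocked  = $sec.AreAccessRulesProtected
        ExplicitEntries     = @($rules | Where-Object { -not $_.IsInherited }).Count
        InheritedEntries    = @($rules | Where-Object { $_.IsInherited }).Count
        # ObjectType is a non-empty GUID when the entry is scoped to one
        # attribute, property set or extended right instead of the whole object.
        AttributeScopedAces = @($rules | Where-Object { $_.ObjectType -ne [Guid]::Empty }).Count
    }
    # Then the entries themselves, the same columns the dialog shows.
    $rules | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                           ObjectType, InheritanceType, IsInherited
}

function Set-AdObjectInheritance {
    param([string]$DistinguishedName,
          [ValidateSet('Copy', 'Remove', 'Enable')][string]$Mode)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $sec   = $entry.psbase.ObjectSecurity
    switch ($Mode) {
        # "Copy Previously Inherited Permissions to This Object"
        'Copy'   { $sec.SetAccessRuleProtection($true,  $true)  }
        # "Remove Inherited Permissions"
        'Remove' { $sec.SetAccessRuleProtection($true,  $false) }
        # Turn inheritance back on (the "not a one-way operation" case)
        'Enable' { $sec.SetAccessRuleProtection($false, $false) }
    }
    $entry.psbase.CommitChanges()
}

Get-AdObjectAcl -DistinguishedName 'CN=Jane Doe,OU=Accounting,DC=example,DC=com'   # placeholder DN
```

A quick audit is to run Get-AdObjectAcl over every object in an OU and look for InheritanceBlocked set to True: those are the objects that will not pick up any permission change you make at the container, which is exactly the situation the next section on delegation relies on not happening.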
Delegating administrative control

Delegating administration over certain elements of your domain is one of the great things about Active Directory — no more administrator or nonadministrator. Different people or groups can be delegated control over certain aspects of a domain’s organizational unit. The following steps can be employed to delegate administration on objects:

1. Open Active Directory Users and Computers. (Choose Start➪Control Panel➪Administrative Tools➪Active Directory Users and Computers.) Another way of accessing Active Directory Users and Computers is to click Start and type dsa.msc into the Start Search bar.
2. In the console tree, right-click the organizational unit (OU) for which you want to delegate control.
Part II: Servers, Start Your Engines
3. Click Delegate Control to start the Delegation of Control Wizard, and then click the Add button to access the Active Directory search tool and locate users and groups. Make your selections. (Hold down Ctrl to select multiple users at the same time.) The users are now displayed in the selected users area. The people you’ve selected are the ones who can perform the tasks you’re about to choose.
4. Click Next. A list of common tasks is displayed for which you can delegate control (reset passwords and modify group membership, for example).
5. Make your selections and then click Next. If you choose to create a custom task to delegate, follow the steps presented by the wizard. A summary screen is displayed (as shown in Figure 8-6), giving you the option to change your mind.
6. When you’re happy with the changes you’ve made, click Finish. That’s it; a few mouse clicks and you’ve delegated control of a container to a specific person or group of people.
Figure 8-6: The summary screen of the Delegation of Control wizard.
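Blocked inheritance and wizard-written delegations are both easy to lose track of once a domain has a few dozen OUs, so here is an added PowerShell example (not from the book) that audits both: it reports every OU whose inheritance has been blocked (the check box described above cleared) and lists the explicit, non-inherited permission entries on each OU, which is what the Delegation of Control Wizard and manual Security-tab edits leave behind. It assumes the ActiveDirectory PowerShell module (RSAT; it supplies the AD: drive that Get-Acl reads) and PowerShell 3.0 or later; the function and variable names are the example’s own.

```powershell
# Added example (not from the book): report OUs with blocked inheritance and the
# explicit ACEs that delegation leaves behind. Assumes the ActiveDirectory module
# (it provides the AD: drive that Get-Acl reads) and PowerShell 3.0 or later.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs, so common delegations print as the wizard's
# task names instead of raw GUIDs. Only the ones needed for this report are listed.
$ExtendedRights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}

function Get-OuDelegationReport {
    param(
        # Defaults to the whole domain; pass one OU's DN to review a single delegation.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path ('AD:\' + $ou.DistinguishedName)

        # AreAccessRulesProtected is true when "Include Inheritable Permissions From
        # This Object's Parent" has been cleared, i.e. inheritance is blocked here.
        $inheritance = if ($acl.AreAccessRulesProtected) { 'Blocked' } else { 'Enabled' }
        [pscustomobject]@{
            OU       = $ou.DistinguishedName
            Finding  = "Inheritance$inheritance"
            Identity = ''
            Rights   = ''
        }

        # Explicit (non-inherited) ACEs are what the Delegation of Control Wizard
        # and manual Security-tab edits write; list them so each one can be justified.
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }
            $rights = $ace.ActiveDirectoryRights.ToString()
            $isExtended = (($ace.ActiveDirectoryRights -band
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0)
            if ($isExtended) {
                $guid = $ace.ObjectType.ToString()
                if ($ExtendedRights.ContainsKey($guid)) { $rights += " ($($ExtendedRights[$guid]))" }
            }
            [pscustomobject]@{
                OU       = $ou.DistinguishedName
                Finding  = 'Explicit' + $ace.AccessControlType   # ExplicitAllow / ExplicitDeny
                Identity = $ace.IdentityReference.Value
                Rights   = $rights
            }
        }
    }
}

# Usage: run on a domain-joined host as a user allowed to read OU security descriptors.
Get-OuDelegationReport | Format-Table -AutoSize
```

Rows labelled InheritanceBlocked deserve a second look, because permissions granted higher in the tree stop applying there and whatever sits on that OU is the whole story; rows labelled ExplicitAllow are the delegations to reconcile against who is actually supposed to administer that container.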
Managing Trusts

In Windows NT 4.0, trust management was a big problem in a large enterprise. In Windows Server 2008, however, trust management is simple because all trusts are set up by default between all domains in a forest, and these trusts are two-way transitive trust relationships.
Two-way transitive trusts are created automatically between all domains in a forest when you run DCPROMO. You can, however, still create the old-style Windows NT 4 trusts for any domains that aren’t part of the same enterprise forest.
Establishing trusts

You can create old-style trusts by following these steps:
1. Open Active Directory Domains and Trusts by choosing Start➪Control Panel➪Administrative Tools➪Active Directory Domains and Trusts.
2. Right-click the domain of choice in the Active Directory Domains and Trusts interface and then choose Properties.
3. Click the Trusts tab (see Figure 8-7) to create one-way trusts. One-way external trusts aren’t transitive and work the same as the old Windows NT 4.0 trusts. You can delete a trust by selecting the trust and choosing Remove.
Figure 8-7: This is where you create one-way trusts between domains.
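The Trusts tab shows one domain at a time; the added PowerShell example below (not from the book) lists every trust of the current domain and forest in one table and classifies each by type, direction, and transitivity, so the manually created, non-transitive trusts this section describes stand out for review. It uses only the .NET System.DirectoryServices.ActiveDirectory classes, which are present on Windows Server 2008 without any extra module, and assumes PowerShell 3.0 or later on a domain-joined host; the function name and the list of transitive trust types are the example’s own.

```powershell
# Added example (not from the book): enumerate the domain's and forest's trusts and
# classify each by type, direction and transitivity. Assumes PowerShell 3.0+ and a
# domain-joined host; uses only the .NET System.DirectoryServices.ActiveDirectory API.
Add-Type -AssemblyName System.DirectoryServices

# Trust types that Windows makes transitive: the automatic parent/child and tree-root
# trusts DCPROMO creates, shortcut (CrossLink) trusts, and forest trusts.
$TransitiveTypes = @('ParentChild', 'TreeRoot', 'CrossLink', 'Forest')

function Get-TrustReport {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    # Domain-level trusts (including manual external trusts) plus forest-level trusts.
    $trusts = @($domain.GetAllTrustRelationships()) + @($forest.GetAllTrustRelationships())

    foreach ($t in $trusts) {
        $type       = $t.TrustType.ToString()
        $transitive = $TransitiveTypes -contains $type
        # An External trust is the manually created, non-transitive NT 4-style trust
        # described in the text: only the two named domains are in scope, and only in
        # the trust's direction. Kerberos realm trusts are non-transitive as well.
        $note = if ($transitive) { '' } else { 'Manual non-transitive trust: confirm it is still required' }

        [pscustomobject]@{
            Source     = $t.SourceName
            Target     = $t.TargetName
            Type       = $type
            Direction  = $t.TrustDirection.ToString()   # Inbound, Outbound or Bidirectional
            Transitive = $transitive
            Note       = $note
        }
    }
}

# Usage: non-transitive trusts sort first so they get reviewed first.
Get-TrustReport | Sort-Object Transitive, Target | Format-Table -AutoSize
```

A trust that nobody can explain is a standing authentication path into the domain, so a periodic run of this report, compared with the previous one, is a cheap way to catch trusts that outlived the project that created them.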
If you open the door to trusts, who gets to come through? In a forest, when you open the trust door (which happens automatically between all domains in the same forest), anyone gets to come in. All trusts are transitive, so anyone in any domain in the forest can be granted permission to any resource. For old-style trust relationships (which are created manually between domains in different forests or in a Windows NT domain), the trust isn’t transitive. Only users in the two domains for which the trust is defined can be assigned access to resources and only in the direction of the trust. There’s no need to panic, though, because users can’t access resources without permission. Therefore, although they can be given access, they won’t be able to gain access until specifically given permission to do so.
Chapter 9

Printing on the Network

In This Chapter
• Printing the Windows Server 2008 way
• Installing the server side first
• Sharing print device access
• Setting up print devices on the client side
• Managing Windows Server 2008–based print devices
• Preventing print device problems
• Introducing Windows Fax and Scan
Next to not being able to access network resources, nothing freaks out users more than not being able to print their work. We bet you can’t find a network administrator who can say that he or she hasn’t struggled with print devices at one time or another. (If you’ve seen the movie Office Space, you can imagine the kind of frustration we’re talking about.)

Windows Server 2008 includes a new printer architecture that provides a better print-server platform with improved performance and a strong foundation for future application development. It simultaneously maintains compatibility with existing print applications and drivers and enables them to use features found only in the newer XPSDrv printer drivers, which are built upon a modular design that enables more efficient print queue operation.

In addition to TS Easy Print capabilities, Windows Server 2008 integrates the XML Paper Specification (XPS) throughout to provide efficient, compatible, and high-quality document delivery to the entire print subsystem. The XPS document format is based on fixed-layout technology and, along with Open Packaging Conventions (OPC), defines a new format and specification built on industry standards like XML and ZIP.

In this chapter, you discover the specifics for setting up print devices on your network and avoiding common printing problems.
Throughout this chapter, we use the Microsoft terminology print device and printer, which may be confusing in the real world. Microsoft defines a print device as the physical printer, such as an HP LaserJet 2605, and a printer as the software on the server where you configure settings for the physical print device. We use Microsoft’s terms in this chapter to be technically accurate. However, this terminology may be confusing if this is your first time working with Windows Server 2008.
Windows 2008 Has a Print Model

When a user prints, the print data follows a particular path from the user to the print device. One such example is the new XPS print path, which uses the XPS document format throughout the entire print path, from application to printer, and creates the possibility for true WYSIWYG output. In Windows Server 2008, the basic pieces of this print scheme are as follows:
• Print users: Print users are the people who want to send print jobs to a print device on the network, on the Internet, or attached to their PC. To actually print, users must have a print device driver (called a print driver in non-Microsoft-speak) installed on their PC.
• Graphics Device Interface (GDI): The GDI is a software component that finds the appropriate print device driver and works with the driver to render print information into an appropriate printer language. After the information is rendered, the GDI sends it to the client-side spooler. (A Windows client application would call the GDI the print process.)
• Print device driver: This software piece is provided by either the manufacturer (for the latest version) or by Microsoft (not always the latest) and corresponds directly to a particular print device make and model. It’s the interface between the software application and the print device. It’s called a print driver in non-Microsoft-speak; you may also hear it referred to as a printer driver. The print device driver need not be installed on the client. Instead, if the client is a Windows 98, SE, ME, NT, 2000, or XP system, it can download the print device driver from the print server when it wants to print a document. However, this does require that the print server be configured to host print device drivers for these operating systems.
• Printers: This is also called a logical printer, and it isn’t the physical piece of machinery you sometimes want to kick, but rather the bundle of settings you need to make a print device run. It exists as software on the server that you use to configure settings for print job processing and routing for the physical print device.
• Print jobs: Print jobs are files you want to print. Print jobs are formatted at the workstation by the GDI and a print device driver and submitted for output on a local or networked print device. If the print device is local (attached to the PC), the output is printed right there and then. If a network print device and print server are involved, the output is sent (spooled) to a queue on the print server until a print device is available to service the request.
• Print servers: Print servers are computers that manage network print devices attached to them. A print server can be any computer located on a network (or the Internet) that has a print device attached and runs some Microsoft operating system, such as Windows 2000/2003/2008, NT, or 9x. (Even a user workstation can function as a print server — but we don’t like this approach because it typically brings too much traffic to some user’s PC.) When a user submits a print job, the print server stores the job in a queue for the print device and then polls the print device to check for its availability. If the print device is available, the print server pulls the next job out of the queue and sends it to the print device. Any network administrator or user with appropriate access rights can manage print servers from anywhere on the network. By default, in Windows 2008, all members of the Everyone group can print to a device, but only those members specifically given rights can manage the device.
• Print queues: A print queue is a location on the hard disk where spooled files wait in line for their turn to print. Each print device has at least one corresponding print queue (although additional queues are possible). As users submit print jobs, those jobs go into the queue to wait for their turn. You define a queue for a print device when you add a printer to the Printers and Faxes folder and assign it a name. Print jobs enter the queues on a first-come, first-served basis. Only someone with appropriate access rights to manage queues (administrators, print operators, and server operators) can alter print order in a print queue. You can assign users on your network permission to manage print queues for you. Windows 2008 includes a built-in user group called Print Operators, and you can add users to this group to give them the proper access rights for the task by choosing Start➪Administrative Tools➪Active Directory Users and Computers, selecting a domain, and opening the Built-in folder. Giving some users print-queue management rights rather than others may be seen as playing politics if you don’t exercise great caution in making such assignments. Some folks may accuse others of playing favorites when print jobs are rearranged in the queue. We’ve seen this happen a lot. If you choose people who are neutral, your life will be easier!
• Print devices: Print devices are physical devices or physical printers, such as HP laser printers. Print devices can be attached locally to a workstation or server or directly to the network. In the real (non-Microsoft) world, this is what we normal people call a printer!
Physical print devices

We call print devices physical print devices because you can walk up to these devices and touch them. Print devices come in different categories, including laser, plotter, inkjet, and bubble jet. You can attach a physical print device locally to a PC, server, or print server, or directly to the network (as shown in Figure 9-1). A print server is just a network-attached PC that services print jobs — so, technically, we could lump PCs and print servers in the same category. We list them separately in this case because we want to distinguish between a PC where a user does work and a dedicated print server located on the network.
Logical assignments

A logical printer assignment isn’t a print device — it exists intangibly, in the form of a Windows Server 2008 definition. It’s sort of like a name that Windows 2008 uses to identify a physical print device (or a group of physical print devices, as you see later in this section). Each time you define a print device and its properties in Windows 2008, the operating system assigns a logical printer definition to the physical print device so that it knows to which physical print device you want to send your jobs.

When you first install a print device, a one-to-one correlation exists between the physical print device and the logical definition. You can expand the use of logical printer assignments, however, so that one logical printer assignment serves as the definition for several physical print devices. This use is known as print device pooling, and you set it up through print device properties by adding ports to the print device’s definition. You don’t need to be too concerned about defining logical printers unless you intend to pool print devices. Pooling happens whenever you attach a print device to the server (as explained later in the “Attaching print devices to servers” section). Just understand that Windows 2008 correlates a logical printer definition to one or more physical print devices attached to your network.

For example, you’re likely to have several print devices connected to your network, and all or many of them may be the same type, such as HPLJ2605. If you don’t define a logical printer for Windows 2008, how does it know to which HPLJ2605 print device to send your jobs? You could end up running all around the building looking for your expense report! Defining a logical printer definition keeps order in your world. You could name one logical printer 2FLWest and you’d know that your report is sent to the HPLJ2605 on the second floor of the west wing of your building. (The mechanics involved are covered in the next section, “Installing on the Server’s Side.”)

Another bit of magic that logical assignments can help you with is balancing print jobs. Suppose that you have three physical laser print devices (A, B, and C) located on your network in close proximity. If a user chooses to send a print job to print device A, which is printing a large print job, a lot of time and resources are wasted if print devices B and C sit idle at the same time. You can help your users by setting up one logical printer definition and assigning it several different physical print devices to which to print. Therefore, your users print to the logical printer, which then figures out which physical print device is available. This takes decision-making and worrying away from users and transfers it to the operating system. The only caveat here is avoiding too much physical distance between print devices. Try to make sure that all physical print devices in any logical printer definition are in the same general area so users don’t have to run around the building looking for printouts.
Figure 9-1: Different methods to connect print devices on a network. (Diagram: a print user sends jobs to four laser printers. #1 and #2 are attached to a Windows Server 2008 computer, which holds a queue for each; #3 is attached directly to the network, with its queue also held on the 2008 server; #4 is attached to a dedicated print server, which holds the queue for #4. Each queue shows its waiting jobs, Job 1 through Job 3 or Job 4.)
Individual departments are typically arranged so that they share a common print device or print device group. Each group is logically labeled in some site-specific manner (hopefully accompanied by physical identifiers on each print device) that may or may not be descriptive of its assigned area or purpose. Users need to know in advance what prints where whenever multiple devices are available in a pool. When setting up logical assignments to service more than one physical print device, all physical print devices must be identical. The only changes you can make are to properties, such as bin number or paper size for each print device.

Conversely, you can assign several printer assignments to service one physical print device. You want to do this if users print special items, such as envelopes. Define one printer assignment to print to the envelope bin on the physical print device and define another printer assignment to print letter-size paper on the same print device. If you give logical assignments descriptive names, users will know where the print device is and what type of function it performs. For example, using logical names such as 2FLWestEnv and 2FLWest tells users that 2FLWestEnv is on the second floor of the west wing and it prints envelopes, whereas the other is a normal print device on the second floor of the west wing. Both printer assignments service the same physical print device, but they may print to different bins, or one may pause the print device between pages, and so on. Here, you don’t need to do anything other than define separate print devices that all print to the same port.
Installing on the Server’s Side

Before you set up clients to print on your network, first make sure to go to the server and install all the print device definitions, drivers, and hardware, and then go to the client side. Doing so ensures that when you finally get to the user’s workstation, you can submit a test print job right away because all the components are in place. If you start at the user’s side first, you have to return later to check your work.
Meet the Printers folder

You can find nearly everything you want to do with print devices on the server in the Control Panel’s Printers folder, which you can access by choosing Start➪Control Panel➪Printers. Previously, this applet was called Printers and Faxes, but Microsoft has since reassigned faxing and scanning capabilities to a combined applet. We say nearly everything because the print device drivers are stored outside the Printers folder. (Most of the drivers are found on the Windows Server 2008 DVD.) When you first install Windows Server 2008, the Printers folder contains only an Add Printer icon, which is designed to help you install a physical print device (or logical printer definition). Each time you install a new print device by clicking the Add Printer icon (as described later in this chapter), Windows 2008 assigns it a separate icon in the Printers folder, as shown in Figure 9-2.
Figure 9-2: The Printers folder showing an installed print device, a Microsoft XPS Document Writer icon, and the Add Printer icon.
When you click the Add Printer icon, the Add Printer Wizard appears, bringing with it a set of default policies that it uses to guide you through the process of adding each new print device to the Printers folder. After you’ve installed the print devices you want, you can make changes to the print devices’ settings by visiting the Printers folder. Right-click the print device you added and choose Properties from the pull-down list that appears. A window with numerous tabs appears. You make all the changes to the particular print device’s settings in this Properties dialog box, so take some time to familiarize yourself with the available settings.
Adding a networked print device

In an ideal world, your network and users would allow you to set up one type of print device in one manner (such as all laser print devices of the same make and model with network interface cards). In the real world, however, things don’t pan out like that. Therefore, the engineers at Microsoft designed Windows Server 2008 to provide you with four ways to attach print devices to your network:
• Windows Server 2008
• Print server
• Networked (as shown in Figure 9-1)
• PC (a workstation, in Microsoft-speak)
In the following sections, we show you the four approaches to installing print devices on your network. Three of the four installations are similar; they’re just performed on different machines. For example, the steps for installing print devices attached to networks are similar to the steps for installing print devices attached to workstations. Both machines have print devices connected to their local ports, and they both share print devices on the network.
Attaching print devices to servers

You may find a need to attach a print device directly to your server. We don’t recommend that you use this method unless your organization can’t afford to spare a machine for you to use as a dedicated print server. Why? Because any time you attach a device to a file server, you run the risk that it may get hosed and crash the server — and we’ve seen this happen often.

To attach a print device to a Windows Server 2008, you need a print device, a Windows Server 2008 computer, a cable, the Windows Server 2008 installation DVD (if you didn’t copy it to your server’s hard disk), and any print device drivers you want automatically downloaded to the clients. Connect the print device directly to one of the ports on the server (for example, LPT1) and install the print device on this machine in its Printers and Faxes folder by choosing Start➪Control Panel➪Printers. Then follow these steps:
1. Double-click the Add Printer icon, which invokes the Add Printer Setup Wizard, and click Next.
2. Choose Add a Local Printer and then click Next. (USB devices are automatically detected and installed by Windows.) The printer detection window of the wizard appears, searching for and installing attached Plug and Play print devices. If the print device isn’t Plug and Play, you must follow the rest of the steps in this section.
3. From the Use an Existing Port drop-down list, select the port to which you attached this print device (such as LPT1) and click Next. A window appears for choosing the manufacturer and model of the print device.
4. In the Manufacturer area, highlight the print device manufacturer. In the Printers area, highlight the model of the print device and click Next. If you don’t see your print device listed here, it means you have to provide the Add Printer Wizard with the driver. Click the Have Disk button and point the wizard to the location and path where the driver resides.
5. In the Type a Printer Name window of the wizard, Setup suggests a name for this printer. Accept this name by clicking Next or type a new name for this printer in the Printer Name text box.
6. (Optional) Select the Set As the Default Printer check box if you want this to be the default printer for users permitted to access the associated print queue.
7. Click Next to move on to the Printer Sharing window.
8. Indicate whether you’d like to share the printer. By default, Windows furnishes a share name in the Printer Sharing window of the wizard.
   • Share: If you want to share the printer and you don’t want to use the default name, you can type over it to change it. The share name is the name that your users will see when they print to this printer, so make it meaningful. (For example, create a name such as 2ndFLWestEnv to indicate that the printer is on the second floor of the west wing and it prints envelopes.)
   • Do Not Share: If you don’t want to share the printer, choose the Do Not Share This Printer option.
9. Click Next.
10. Choose whether you want to print a test page (always a great idea) by clicking the Print a Test Page option. Next, to install drivers for the other client operating systems that will access the printer, click the Install Drivers button.
11. Click Finish. Setup copies files from the Windows Server 2008 installation DVD to the Windows Server 2008 computer’s hard disk. If you elected to print a test page, it also emerges from your newly defined printer at this point. If you chose to share the printer in Step 8, Windows may ask you to supply any missing operating system print drivers (see Step 10) so that it can automatically download those drivers to its clients. (However, in most cases, Windows Server 2008 won’t have to ask, because it comes equipped with a large library of client print drivers from which it can draw.)
12. If you chose not to print a test page and not to install additional drivers, Setup presents you with a summary page of the choices you elected during the setup process. Click Finish if your choices are correct. Otherwise, use the Back and Next buttons to correct any invalid or incorrect info.

If you’re familiar with setting up printers on previous versions of Windows, you probably whipped through these steps because the print device setups are similar. At this point, you’ve set up the following:
• One basic logical printer assignment that points to one physical print device on Windows Server 2008: We say basic because you haven’t yet customized any options, such as paper bins, dots per inch, and separator pages, for this print device. You probably weren’t aware that as you defined this physical print device, you also assigned it a logical printer assignment. Remember that there’s a one-to-one correlation between the two each time you install a physical device and define it — unless you add more physical devices.
• A print queue for this print device: Windows Server 2008 does this for you when you define the print device. To view the queue, double-click the print device icon. You won’t see anything in the queue just yet.
• Shared access to this print device by everyone on the network: When you define a share name on the network for a print device, Windows Server 2008, by default, assigns the Everyone group access to this print device. You have to change this default policy if you don’t want “everyone” to have access to this print device. If you have Active Directory installed, the print device is published to the Directory.
You can have multiple logical printer assignments pointing to one physical print device. If you want to assign another logical printer assignment that services this physical print device, you repeat the previous steps but assign a new computer and share name. You can assign different properties to this physical print device for each logical printer definition.
Attaching print devices to print servers

In the preceding section, we show you how to hook up a print device to a Windows Server 2008 computer so that your Windows Server 2008 functions as a print server on your network, in addition to its other duties. To help manage the load on the Windows Server 2008, you can offload this printing task to another computer on your network and have it function as your print server. The print server is just another computer on your network, only with an attached print device that you set up to manage print spooling, print queues, and print jobs. We like this method because it frees up the Windows Server 2008 to perform other tasks. When your clients print to the print server, they bypass the Windows Server 2008.
You can install any Microsoft operating system that you like on the computer that will be your print server. We recommend at least Windows 9x, but we prefer a Windows NT, 2000, or XP workstation because you can download the print drivers to the client workstations from the print server automatically with no intervention on your part. This means that you don’t have to install drivers manually on each of the client workstations. After you’ve installed an operating system on your soon-to-be print server, follow Steps 1 through 12 from the “Attaching print devices to servers” section if you’re using a Windows NT, 2000, or XP Workstation as the operating system. If you’re using Windows 9x, repeat the same steps but exclude the downloadable print device drivers from Step 10. Instead, you must go to each client and install the corresponding print device drivers.
Attaching networked print devices to print servers

Some print devices, such as HP laser print devices, are neat because after you plug a network adapter into them, they’re nearly ready to be placed anywhere on your network where there’s an electrical outlet and an available network connection. Nearly, but not quite! You must still make all the physical connections and assign an IP address to the printer. After you do that, perform the following steps to add the networked print device to the print server:
1. Choose Start➪Control Panel➪Printers. The Printers applet window appears.
2. Double-click the Add Printer icon to invoke the Add Printer Wizard and click Next.
3. In the Add Printer window, click Add a Network, Wireless, or Bluetooth Printer and then click Next. Windows begins searching for available network-accessible print devices and displays the Searching for Available Printers window.
4. Select the printer (print device) you want from the list of discovered printers (print devices) that appears and then skip to Step 6. If the desired print device isn’t found, you can find it by following these steps:
   a. Click The Printer I Want Isn’t Listed. The Find a Printer by Name or TCP/IP Address window appears.
   b. Under Find a Printer by Name or TCP/IP Address, choose Browse for a Printer, Select a Shared Printer by Name (followed by the actual name), or Add a Printer Using a TCP/IP Address or Hostname.
   c. Click Next and follow the dialog boxes to find and select the printer.
5. Depending on what option you selected in Step 4, do the following:
   • If you clicked Browse for a Printer, a browse list of all the local servers and workstations appears. Double-click those entries to find attached print devices, after which you can add them. If you supply a valid UNC name for a networked print device (for example, \\library-srvr\HPLaserJ), you can add it by using that name when you click Next.
   • If you clicked Add a Printer Using a TCP/IP Address or Hostname, the Type a Printer Hostname or IP Address window appears. Here you can explicitly identify the device type (TCP/IP Device or Web Services Device) or stick with the default Autodetect option. After that you must supply a valid hostname or IP address and a UDP port number to complete the print device connection.
6. After completing these steps, click Next to see a Connect to Printer window, where you can change the printer name or leave it as is.
7. Finally, you can elect to print a test page (a good way to make sure your printer connection is working), or you can simply click the Finish button. Congrats! You’re done!

When installing a print device on a Windows Server 2008 with Active Directory installed, the Add Printer Wizard shares the print device and publishes it in the Directory — unless you change the policy rules. For more information on Active Directory, please read Chapter 7.
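Here is the networked-print-device procedure above, together with the “two logical printers, one device” arrangement from the “Logical assignments” section, written as an added PowerShell script (not from the book or from Microsoft’s documentation). It uses the PrintManagement module that ships with Windows Server 2012 / Windows 8 and later; Windows Server 2008 does not have that module, so on a 2008 print server the wizard steps above remain the way to do this. The address 192.0.2.10, the driver name, the printer names, and the function names are assumed values chosen for the example.

```powershell
# Added example (not from the book): add a network-attached print device to a print
# server, share it, publish it, and then add a second logical printer for the same device.
# Assumes the PrintManagement module (Windows Server 2012 / Windows 8 and later) and
# PowerShell 3.0+; the device address, driver and printer names below are invented.
Import-Module PrintManagement

function Install-NetworkedPrintDevice {
    param(
        [Parameter(Mandatory)][string]$HostAddress,   # IP address already assigned to the device
        [Parameter(Mandatory)][string]$DriverName,    # driver already staged in the driver store
        [Parameter(Mandatory)][string]$PrinterName,   # logical printer name, e.g. 2FLWest
        [string]$ShareName = $PrinterName,            # what users see when they browse
        [string]$Location  = '',
        [switch]$PublishToAD                          # list it in the Directory as the wizard does
    )

    # Equivalent of "Add a Printer Using a TCP/IP Address or Hostname": a standard
    # TCP/IP port for the device. 9100 is the usual raw printing port; use the
    # device's own port if it differs.
    $portName = "IP_$HostAddress"
    if (-not (Get-PrinterPort -Name $portName -ErrorAction SilentlyContinue)) {
        Add-PrinterPort -Name $portName -PrinterHostAddress $HostAddress -PortNumber 9100
    }

    # The driver must already be in the driver store (pnputil.exe /add-driver stages an
    # INF package); Add-PrinterDriver then registers it with the spooler.
    if (-not (Get-PrinterDriver -Name $DriverName -ErrorAction SilentlyContinue)) {
        Add-PrinterDriver -Name $DriverName
    }

    # The logical printer itself, shared under the chosen name and, optionally,
    # published to Active Directory.
    if (-not (Get-Printer -Name $PrinterName -ErrorAction SilentlyContinue)) {
        Add-Printer -Name $PrinterName -DriverName $DriverName -PortName $portName `
            -Location $Location -Shared -ShareName $ShareName -Published:$PublishToAD
    }
    Get-Printer -Name $PrinterName |
        Select-Object Name, PortName, DriverName, Shared, ShareName, Published, Location
}

function Add-SecondLogicalPrinter {
    # A second logical printer pointing at the same port: same device, separate
    # settings (for example an envelope bin chosen in its printing preferences).
    param(
        [Parameter(Mandatory)][string]$ExistingPrinter,
        [Parameter(Mandatory)][string]$NewName
    )
    $p = Get-Printer -Name $ExistingPrinter
    Add-Printer -Name $NewName -DriverName $p.DriverName -PortName $p.PortName `
        -Location $p.Location -Shared -ShareName $NewName -Published:($p.Published)
    Get-Printer -Name $NewName | Select-Object Name, PortName, ShareName
}

# Usage with invented values: 192.0.2.10 is a documentation address, not a real device,
# and the driver name stands in for whatever driver the device's vendor supplies.
Install-NetworkedPrintDevice -HostAddress '192.0.2.10' -DriverName 'HP Universal Printing PCL 6' `
    -PrinterName '2FLWest' -Location '2nd floor, west wing' -PublishToAD
Add-SecondLogicalPrinter -ExistingPrinter '2FLWest' -NewName '2FLWestEnv'
```

Each step checks for an existing port, driver, or printer before creating one, so the script can be re-run on a print server to bring it to the same state without duplicating objects; the Location value is what lets users find the device, which is the point the naming advice in this chapter keeps coming back to.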
Attaching print devices to a workstation PC

Some users may have print devices on their desks that you may want to make available to other users on the network. Attaching a print device to a PC is the least desirable method because it involves users going to another user’s PC to pick up print jobs. This can cause a disruption in workflow for the user who’s unfortunate enough to have a print device on his or her desk. However, in smaller organizations where budgets are tight, this method is sometimes used.

To set this up, you must go to the user’s desktop and share that print device on the network. If you’d like, you can restrict access to that share so that the entire organization isn’t allowed to print there. Where do you find all this? In the Printers and Faxes folder on the user’s desktop, of course! Right-click the Add Printer icon if no print device is installed, choose the print device to be a local print device connected to a local printer port (such as LPT1 or a USB port), and assign it a name. If a print device is already defined, right-click its icon and select Properties to give this print device a share name. After you share the print device on the network, other users can see it. This method causes the user’s workstation to manage the printing process.

You can define this workstation-attached print device so that Windows 2008 Server will manage the print process instead. Here’s how:
1. Go to the user’s computer desktop and define a share for this print device, but limit access to the username of “JoePrinter.” This is a fabricated username you set up purely to manage this printer. See the following section, “Sharing Printer Access,” to find out how to define a share.
2. Mosey back over to the Windows Server 2008 computer.
3. Add a user named “JoePrinter” in Active Directory Users and Computers. (Choose Start➪Administrative Tools➪Active Directory Users and Computers.)
4. Choose Start➪Control Panel➪Printers to open the Printers applet.
5. Follow the same steps in the “Attaching print devices to servers” section earlier in this chapter, except for the following changes:
   • Click the Add Printer icon and choose the networked print device instead of the locally attached print device.
   • Let Windows search the network or choose The Printer I Want Isn’t Listed to manually specify a share name. Either type the share name or use the Browse option to select and choose the share name you gave the print device on the client’s desktop.
   • Give this print device a new share name that the rest of the users on the network will see.
Again, we don’t recommend that you use this method unless your organization is tight on money. It can cause aggravation for the user who has to share the print device with other people on the network and can disrupt that user’s work environment.
Sharing Printer Access

After you've installed a printer (software and a print device, that is) on your network (as we explain in the previous section), the next step is to create a share for it on the network. (See Chapter 12 for more details on Windows Server 2008 network shares.)
Until you share a print device, your users can't see it on the network. To share a print device, do the following:

1. Open the Printers folder. (Choose Start➪Control Panel➪Printers.)

2. Right-click the print device you want to share and choose the Sharing option.

3. On the Sharing tab, choose the Share This Printer option and type a descriptive share name (for example, 2ndFlWest).

4. Unless you want to process print jobs locally on this computer, leave the Render Print Jobs on Client Computers option selected.

5. Click OK and you're finished!

When you share a print device, it's available to everyone on the network by default: the printer's default permissions give the Everyone group the Print permission. If you want to limit who can print, you must specifically restrict access on the Security tab, for example by removing Everyone and granting Print to a group that holds only the intended users.

If you have MS-DOS-based clients on your network, make sure that your share names for print devices are no more than eight characters long.
Bringing Printers and Clients Together

The final step in setting up networked printing is setting up the print devices on the client side. Fortunately, not much is required. Everything you need is on the Windows Server 2008 print server or in the user's Printers and Faxes folder on his or her desktop, depending on which client operating system is used.

If the client operating system is Windows XP, 2000, or NT, you only need to add the print device in the Printers and Faxes folder (Add Printer) and choose Networked Print Device. The reason is that the print device is attached to another computer somewhere on the network; it isn't local to this workstation. For the port, use the Browse option and find the share name of the print device to which you want to print. That's it!

If your clients run Windows 9x and print to a Windows Server 2008 (and you've installed the various client operating system drivers at the server), you simply add the print device in the Printers and Faxes folder (Add Printer) and select it as a networked print device. When you select the share name of the networked print device as the port, the server automatically downloads the drivers to the client.
Chapter 9: Printing on the Network
Managing Windows Server 2008–Based Printers

You can view and manage your print servers, queues, and print devices (all of which are called printers in Microsoft-speak) from anywhere on the network, including your Windows Server 2008. From one location, you can view what's going on with all the print devices on your network. The only thing you can't do remotely is install hardware on the print device itself, such as memory or cables. But you knew that already!

The Print Management Console (PMC) that first appeared with Windows Server 2003 R2 is enhanced in Windows Server 2008 to meet larger-scale network demands. PMC supports print server migration from Windows 2000 Server and Windows Server 2003 to Windows Server 2008 installations and features an improved Network Printer Installation Wizard. The wizard reduces administrative overhead by automatically locating and, where applicable, deploying a compatible driver for hands-free automated setup.

The following list includes some issues to keep in mind as you manage print devices:

• Make sure you don't run out of disk space on the server. If you set up spooling on your network, you must keep a close eye on the hard disk space that print servers consume. The spooling process sends files from the print user to the print server. Remember that the print server can also be your Windows Server 2008. In either case, if your network handles high-volume print activity, the spooling process can fill a hard disk quickly. After files are spooled to the print server, they remain on the hard disk in the queue until an available print device is ready. If there's a problem with the print device, jobs can back up quickly, and every backed-up queue needs more space. A full system volume stops a lot more than printing, so put the spool folder on a volume of its own (Print Server Properties, Advanced tab, Spool Folder) and watch its free space; that way a runaway or deliberate flood of print jobs fills the spool volume rather than the disk the operating system runs on.

• Make sure your print devices have enough memory. When your users print graphics on the network, memory becomes an issue on the print devices. Large graphics files require more memory to print. You can find out how much memory is in a print device by performing a self test on the print device. Some organizations don't have a large budget for adding extra memory to all networked print devices, so they select one or more in strategic locations and then define logical print device setups just for graphics output.
• Select the appropriate properties for print devices. You can access a print device's Properties dialog box by right-clicking its icon in the Printers folder. (Figure 9-3 shows the various settings you can alter for any print device on your network.) We go through each of the tabs here to help you understand which print device properties you can change:

  • General tab: Here's where you add information about the print device, such as comments, location, and whether to use a banner page. When defining a banner page, we recommend that you add some general comments about the print device and its location. In medium- to large-sized operations, adding a separator page so that print jobs can be told apart more easily is a good idea. The current print driver information is also found here. Change this only if you're going to install a new driver.

  • Sharing tab: If you want users on the network to see this print device, you define the share name on this tab. (Remember to make it meaningful.) You can also tell Windows Server 2008 to list this device in the Directory. This is also where you tell Windows Server 2008 which client operating systems you have on your network and for which of them you want print drivers downloaded automatically.

  • Ports tab: This is where you tell the system which port your print device is attached to. A network-attached print device is defined here by its Media Access Control (MAC) address or, for a Transmission Control Protocol/Internet Protocol (TCP/IP) print device, by its IP address.

  • Advanced tab: On this tab, you can schedule the print device's availability, priority, and spooling options. For example, you may opt to have print jobs for a print device run only at night.

  • Security tab: On the Security tab, you grant or deny the three printer permissions (Print, Manage Printers, and Manage Documents) to users and groups, and you set up auditing of the print device, which gathers the information you'll need if something goes wrong with it. You may want to use the Security tab for charge-back purposes on a departmental basis (where you audit the usage and charge users or departments for that use) or to limit this print device's availability. You can also define who is allowed to manage this print device.

  • Device Settings tab: On this tab, you define specific properties of the print device, such as paper size, dots per inch, and paper bin.

  • Color Management tab: Adjust monitor or print device color-specific settings on this tab.

  • Cartridge Maintenance tab: On this tab, you can view left and right ink cartridge levels and use clickable options to install/change cartridges, clean print nozzles, align cartridges, and order supplies. This last option actually opens the default Web browser and points it to your print device manufacturer's Web site. (This tab may not show up in every Properties window you examine; its presence or absence depends on your print device.)
Figure 9-3: Print device Properties tabs in the Printers folder.
Preventing Printer Problems

Printing problems on a network can wreak havoc. Here are a few pointers to help you head off this type of trouble. If you do experience problems, see Chapter 20 for some troubleshooting help.

• Purchase Windows Server Catalog compatible devices. Purchase only network print devices listed in the Hardware Catalog for Windows Server 2008. Otherwise, you may spend hours trying to get a print device to work on the network, only to find that the device isn't compatible. And always remember to check Microsoft's site for the latest version of the Windows Server Catalog; you can find it at www.windowsservercatalog.com.

• Get the latest print device drivers. Be sure to obtain the latest print device driver associated with each print device on your network. Windows Server 2008 does its best to install print device drivers by itself where applicable; those drivers may come from dated archives, online updates, or install media. Newer drivers often correct bugs found in older drivers. If you use an older driver, you may end up troubleshooting a known bug that has already been corrected in a newer driver. Take drivers only from the manufacturer or from Windows Update: a printer driver is loaded by the print spooler service, which runs with SYSTEM privileges on the server, so a driver from an untrusted download site is as dangerous as any other unknown executable you might install there.
• Purchase a name brand. We hope that your organization can afford to purchase name-brand print devices, such as Hewlett-Packard or Lexmark, for your network. We find that the biggest printing problems on networks stem from cheaper models. Even if you're able to hook these cheaper devices up, it may take so long to get all the pieces working that investing in brand-name print devices would be more cost effective.

• Purchase from one manufacturer. We like to stick with one type (brand name) of print device where possible. Notice we said brand and not model. We realize that some organizations need to print in both black and white and color. If you can purchase all your print devices from one manufacturer (for example, Hewlett-Packard), your life and your users' lives will be easier. If you have all Hewlett-Packard laser print devices on your network, don't buy another manufacturer's laser print device just because it's on sale that day at your local computer superstore. You can save time by working with one vendor and its equipment and drivers instead of having to hunt all over the Internet for various manufacturers' Web sites. Allow your users to become familiar with the one brand, and they won't have to learn how to use new equipment all the time.

• Buy enough memory. The influx of graphics software has upped memory usage in print devices to produce image-laden output. Don't wait until print jobs start fouling up before adding memory. If your budget is too low to do this up front, find a local vendor that stocks memory for your printers and keep its telephone number handy.
Faxing the Windows Server 2008 Way Windows Server 2008, like Windows Server 2003 and Windows XP, includes native fax and scan support. This means you can now send and receive faxes using your computer without third-party software. The combined capabilities of Windows Server 2008 faxing and scanning are now controlled through (you might’ve guessed) the Windows Fax and Scan applet. Windows Fax and Scan enables you to perform and manage all faxing or scanning tasks and documents from a central location. The new Windows Fax and Scan interface (shown in Figure 9-4) closely resembles Microsoft’s Outlook interface — not coincidentally. Historically, Outlook stores calendar entries, contact entries, and e-mail messages; presently, the next-generation Exchange Server and Outlook client software utilize more expansive roles that encompass and accommodate many other types of information.
Figure 9-4: Windows Server 2008 Fax and Scan application.
For example, Unified Messaging in Exchange Server stores mailboxes, public folders, voice messages, and faxed documents in a central repository for clients. Windows Fax and Scan provides a limited scope of capability that interfaces with Exchange Server Unified Messaging.
Enabling faxing

Faxing isn't enabled by default. First, you must have a fax modem already installed and properly configured. (That means the driver is installed and things are working properly.) Next, follow these steps to enable faxing:

1. Open the Windows Fax and Scan applet from the Start menu or Control Panel, and choose File➪New Fax. The Fax Setup Wizard launches.

2. When the wizard asks whether you want to connect to a fax modem or fax server on the network, click OK. The wizard installs the necessary components for faxing. After a few moments, you're returned to the Windows Fax and Scan applet.

3. Follow the setup wizard's instructions to define the fax device name and location and decide how to receive faxes or incoming calls.
Sending faxes

Faxing is like printing, but instead of sending the document's print job to a physical print device where the results are on paper, the print job is digitized and sent over the phone line to a receiving fax device (which can be a traditional fax machine or a fax-enabled computer). Other than needing to provide a phone number and the occasional cover sheet, faxing a document is just like printing a document. To send a fax, just select the New Fax option from the File menu of Windows Fax and Scan, begin formatting or typing your message, and then click Send.

The first time you attempt to send a fax, the Fax Configuration Wizard is launched. This wizard is used to define information about your fax system, such as the phone number, area code, and sender information. Windows Fax and Scan is used to track and manage incoming and outgoing faxes, in much the same way as you might manage e-mail in Outlook. If you want to change your sender information, choose Tools➪Sender Information from the Windows Fax and Scan console.

To receive faxes, you have to enable incoming faxes and set the Answer After Rings control. Keep in mind that you can have only one answering service per modem device. So, if you need a telecommuter to call in to connect to your system, don't set up that modem to wait for faxes. The device that is waiting for incoming faxes can still be used to send faxes or even for normal dial-out connections.

If you find that you need more help with the fax capabilities of Windows Server 2008, check out the help file and the Windows Server 2008 Resource Kit.
Chapter 10
IP Addressing: Zero to Insane in Two Seconds Flat

In This Chapter
• Working with TCP/IP and NetBIOS names
• Understanding IP addressing, nets, and subnets
• Obtaining Internet-ready IP addresses
• Using private IP addresses
• Using proxy servers and address translation
• Working with DHCP
• Dealing with problems
The Transmission Control Protocol/Internet Protocol (TCP/IP) drives the Internet and makes it accessible around the world. However, TCP/IP is a lot more than just a collection of protocols: Many elements in TCP/IP marry protocols to related services to provide complete capabilities. Important examples include dynamic address allocation and management, known as the Dynamic Host Configuration Protocol (DHCP), plus domain name to address resolution services, known as the Domain Name System (DNS). In this chapter, you find out about TCP/IP names, addresses, and related standard services, as well as other related services hosted in Windows Server 2008.
Resolving a Name: TCP/IP and NetBIOS

Whenever you issue a command in Windows Server 2008, you're expected to use the proper syntax. Otherwise, your efforts may not produce the desired results. For example, when you issue a net use command from a command prompt, you must enter the server name and a share name, as well as the drive to which you want to map. Therefore, a simple command such as

net use G: \\ORWELL\APPS

associates the drive letter G with a share named APPS on the ORWELL server. If you use the TCP/IP protocol to convey the data involved, the protocol doesn't know how to interpret the name ORWELL as a server. Instead, it understands Internet Protocol (IP) addresses, such as 172.16.1.7. If you use TCP/IP on your network, you need some way to convert names into IP addresses and vice versa. Just as the United Nations requires translators so that everyone can communicate, so too does Windows Server 2008, which is why understanding naming conventions and name-to-address resolution is such an important part of working with TCP/IP on Windows Server 2008.
NetBIOS names

If you're like most folks, you freeze like a deer in the headlights when you hear the word NetBIOS. Don't worry. Only a small number of people really understand NetBIOS in detail, and figuring out what you need to know is easy.

A NetBIOS name is often called a computer name. When you install Windows Server 2008 on a network, each computer that runs Windows requires a unique computer name. This allows all NetBIOS-based utilities to identify each machine by name. When you enter a command that includes a computer name, Windows Server 2008 knows which computer you're talking about.

If you try to give two devices the same name, you run into trouble, like trying to use the same Social Security number for two people. Each time a computer joins the network, it registers its name (by broadcasting on its subnet, or with a WINS server if one is configured), and the browser service keeps track of the names in use. When a second computer with the same name tries to register, it's rejected because that name is already taken. In fact, that machine will be unable to join the network until its name is changed to something unique.

When creating NetBIOS names, you need to work within some limitations, which are as follows:

• NetBIOS names must be between 1 and 15 characters long.

• NetBIOS names may not contain any of the following characters:

  "  double quotation mark
  /  forward slash
  \  backslash
  [  left square bracket
  ]  right square bracket
  :  colon
  ;  semicolon
  |  vertical bar
  =  equal sign
  +  plus sign
  *  asterisk
  ?  question mark
  <  left angle bracket
  >  right angle bracket

In addition, dollar signs aren't recommended because they have a special meaning. (A NetBIOS name that ends in $ doesn't appear in a browse list.)

• Don't use lengthy names or put spaces in names. Windows Server 2008 doesn't care if you use longer names or include embedded spaces, but other networking clients or systems may not be able to handle them.

• Choose names that make sense to users and are short and to the point. Don't name machines after users or locations, especially if users come and go regularly or if machines move around a lot. When it comes to servers, name them to indicate their organizational role or affiliation (for example, Sales, Accounting, or Engineering).

What's in a NetBIOS name, you ask? A NetBIOS name should provide a short, clear indication of what's being named so users can recognize what they see. At best, this type of naming convention makes sense without further explanation. At the least, you can do what we do and put a sticker with the machine's name on each monitor or computer case for identification.

You can view a list of your network's NetBIOS names by expanding the My Network Places section of Windows Explorer. See Figure 10-1 for a sample list of NetBIOS names taken from our network (such as Hush and Pentium_m).
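The naming limits listed above, encoded as a check you can run before you hand a name to a new machine. This is an added example, not code from the book: it validates the length and reserved-character rules, flags the trailing-dollar-sign and embedded-space cases as warnings, and models name registration with a small in-memory registry that rejects a second computer claiming a name already in use (NetBIOS compares names case-insensitively, so the registry stores them upper-cased). The names and the owner identifiers in the usage lines are constructed sample values.

```python
"""NetBIOS computer-name checks (added example; not from the book)."""
from __future__ import annotations

# Characters a NetBIOS name must not contain, taken from the list above.
FORBIDDEN = set('"/\\[]:;|=+*?<>')
MAX_LEN = 15


def check_netbios_name(name: str) -> tuple[bool, str]:
    """Return (is_valid, message).

    Length and reserved characters make a name invalid. A trailing '$'
    (hidden from browse lists) and embedded spaces (some clients choke on
    them) are legal but reported in the message as warnings.
    """
    if not 1 <= len(name) <= MAX_LEN:
        return False, f"length must be 1-{MAX_LEN} characters, got {len(name)}"
    bad = sorted(c for c in set(name) if c in FORBIDDEN)
    if bad:
        return False, "contains reserved character(s): " + " ".join(bad)
    notes = []
    if name.endswith("$"):
        notes.append("trailing '$': name will not appear in browse lists")
    if " " in name:
        notes.append("embedded space: some clients cannot handle it")
    return True, "; ".join(notes) or "ok"


class NameRegistry:
    """Toy model of NetBIOS name registration: the first computer to
    register a name keeps it, and a different computer asking for the
    same name (in any letter case) is rejected."""

    def __init__(self) -> None:
        self._names: dict[str, str] = {}  # UPPER-CASED NAME -> owner

    def register(self, name: str, owner: str) -> tuple[bool, str]:
        ok, msg = check_netbios_name(name)
        if not ok:
            return False, msg
        key = name.upper()
        holder = self._names.get(key)
        if holder is not None and holder != owner:
            return False, f"name {key} already registered by {holder}"
        self._names[key] = owner  # re-registration by the same owner is fine
        return True, msg

    def lookup(self, name: str) -> str | None:
        return self._names.get(name.upper())


if __name__ == "__main__":
    # Constructed sample: two machines, identified here by made-up MAC addresses.
    registry = NameRegistry()
    print(registry.register("Orwell", "00:11:22:33:44:55"))    # (True, 'ok')
    print(registry.register("orwell", "aa:bb:cc:dd:ee:ff"))    # rejected: duplicate
    print(check_netbios_name("ACCOUNTING-SERVER1"))            # rejected: 18 chars
    print(check_netbios_name("BACKUP$"))                       # valid, hidden from browse lists
```

The registry is a stand-in for what the real network does with broadcast or WINS registration; the point it makes is that uniqueness is enforced at registration time, not at the moment you type the name into the System Properties dialog box.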
Figure 10-1: NetBIOS computer names on our network.
Part II: Servers, Start Your Engines
TCP/IP names and addresses

TCP/IP uses a different naming scheme than NetBIOS does. TCP/IP uses 32-bit numbers to construct IP addresses (for example, 172.16.1.11). Each host or node on a TCP/IP network must have a unique IP address. IP addresses aren't meaningful to most humans and are difficult to remember. Therefore, it's helpful to have some way to convert IP addresses to meaningful names. On a Windows Server 2008 network, you use computer names (also known as NetBIOS names). The Internet community uses a different naming convention called domain names. Translation services, such as Windows Internet Name Service (WINS) and the Domain Name System (DNS), maintain databases that map computer names (WINS) or domain names (DNS) to IP addresses.

If you've ever used a Web browser on the Internet, you know that you can type a Uniform Resource Locator (URL), such as www.wiley.com, or an IP address, such as 208.215.179.146, to obtain access to a Web page. You can do so because the Internet uses DNS to resolve domain names to IP addresses and vice versa. If you type an IP address, the Web browser jumps straight to that address; if you type a domain name, your request goes through a DNS server that resolves the name to an IP address, and then the browser jumps to that address.

In the IP world, the naming scheme you can use is limited if you plan to connect your network directly to the Internet. VeriSign (www.verisign.com) is one of many domain name registrars that approve domain name registrations and maintain the database of registered names. You can request any domain name you want, but if someone else is using it or has a legitimate claim to a trade or brand name, you won't be able to use it. For example, you probably won't be able to use mcdonalds.com or cocacola.com as domain names. In fact, if someone else has already registered xyzcorp.com, you wouldn't be able to use that name, even if your company is named XYZ Corporation.
The format for a typical IP name is host.domainname.suffix. The domain name is something you can't guarantee, but it typically represents your organization. The suffix, called a top-level domain, sometimes identifies the country of origin (for example, .ca is Canada and .de is Germany) or the type of organization (.gov is government, .edu is education, .com is a commercial business, .org is a nonprofit organization, and so forth). Some domain names are more complex; they can take a form such as host.subdomain.domainname.suffix, as in jello.eng.sun.com, where the host name is jello, the subdomain is eng (for engineering), and the domain name is sun (the domain name for Sun Microsystems, Inc.), which is a commercial (.com) entity. The only parts of the name under control of the various Internet domain name registrars (such as VeriSign and other companies and organizations identified at www.norid.no/domenenavnbaser/domreg.en.html) are the domain name and the suffix; every domain name must be unique in its entirety to be properly recognized.

Names that include the host part, the domain name, and the suffix (plus any other subdomain information that may apply) are called Fully Qualified Domain Names (FQDNs). To be valid, any FQDN must have a corresponding entry in some DNS server's database that allows it to be translated into a unique numeric IP address. For example, the Web server for this book's publisher is named www.wiley.com, which resolves into an IP address of 208.215.179.146.

As long as you're completely isolated from the Internet and intend to stay that way, you can assign any names and IP addresses you like on your network. If you ever connect your network to the Internet, however, you'll have to go back and change everything! If your network will be, or simply might ever be, connected to the Internet, you have one of two options for assigning addresses:

• You can obtain and install valid public IP addresses and domain names. Your Internet Service Provider (ISP) can provide these for you. When you obtain a range of IP addresses for your network (remember, each computer needs its own unique address, and some computers or devices need multiple addresses, one for each interface), make sure you get enough to leave some room for growth.

• You can (and should) obtain a valid domain name from VeriSign or another domain name registrar, but you can use any of a range of reserved IP addresses, called private IP addresses, to number your networks. These addresses may not be used directly on the Internet; they've been set aside for private use. When used in concert with a type of software called Network Address Translation (or NAT for short), this approach requires you to obtain only a small number of public IP addresses but still allows Internet access for every computer on your network. This topic is discussed in more detail later in this chapter in the section "Address translation: The new magic."

To find out more about the process of obtaining a domain name, visit VeriSign's Web site at www.verisign.com. The form for researching domain names (determining whether a FQDN is already in use) and registering domain names (applying for a new FQDN) is on the main page. You'll find details on name registration services as well as on directory and database services that support the Internet's distributed collection of DNS servers.
Calling Everything a Node A unique numeric identification tag, called an IP address, is assigned to each interface on a TCP/IP network. Every IP address in a TCP/IP network must be unique. Each device on a TCP/IP network is known as a host. Each host has at least one network interface with an assigned IP address. However, a host can have multiple network interface cards (NICs), and even multiple IP addresses, assigned to each NIC.
To network ID or host ID? That is the question

An IP address consists of two components:

• Network ID: Identifies the network segment to which the host belongs.

• Host ID: Identifies an individual host on some specific network segment.

A host can communicate directly only with other hosts on the same network segment. A network segment is a logical division of a network; each segment is assigned a unique numeric network ID, and such segments are called subnets. A host must use a router to communicate with hosts on other subnets. A router moves packets from one subnet to another: it reads the network ID in a packet's destination address and determines whether that packet should remain on the current subnet or be routed to a different one. When a router delivers a packet to the correct subnet, the host ID portion of the destination address is used to deliver the packet to its final destination.

A typical IP address looks like 207.46.249.222. (This example address matches the domain name www.microsoft.com.) This numeric IP address format is known as dotted-decimal notation. However, computers see IP addresses as binary numbers. This same IP address in binary form is 11001111 00101110 11111001 11011110 and is written in collections of eight bits called octets. Each octet is converted to a decimal number, and the results are separated by periods to form the dotted-decimal notation shown at the beginning of this paragraph.
The dotted-decimal version of IP addresses is more human-friendly than the binary version. As you may already know, domain names and NetBIOS names are even more friendly because they use symbolic names that make sense to humans.

An IP address requires 32 binary digits and defines a 32-bit address space that supports nearly 4.3 billion unique addresses. Although this seems like a lot of addresses, the number of available IP addresses is quickly dwindling. Consequently, several plans exist to expand or change the IP addressing scheme to make many more addresses available; the main one, IPv6, is described in the sidebar "What about IPv6?" later in this chapter.

IP designers carved the entire galaxy of IP addresses into classes to meet different addressing needs. Today, there are five IP address classes labeled by the letters A through E. Classes A, B, and C are assigned to organizations to allow their networks to connect to the Internet, and Classes D and E are reserved for special uses. The first three classes of addresses differ by how their network IDs are defined:

• Class A addresses use the first octet for the network ID.

• Class B addresses use the first two octets.

• Class C addresses use the first three octets.

Class A addresses support a relatively small number of networks, each with a huge number of possible hosts. Class C addresses support a large number of networks, each with a relatively small number of hosts, as shown in Table 10-1. (Class B falls in the middle.) Therefore, branches of the military, government agencies, and large corporations are likely to need Class A addresses; medium-sized organizations and companies need Class B addresses; and small companies and organizations need Class C addresses.
Table 10-1        Address Classes and Corresponding Network and Host IDs

Class      High-Order Bits   First Octet Range   # Networks   # Hosts
Class A    0xxxxxxx          1–126.x.y.z         126          16,777,214
Class B    10xxxxxx          128–191.x.y.z       16,384       65,534
Class C    110xxxxx          192–223.x.y.z       2,097,152    254
When it comes to recognizing address Classes A through C, the network ID for Class A addresses always starts its first octet with a 0. Each Class B network ID always starts with 10, and Class C network IDs always start with 110.
Consequently, you can determine address classes by examining an address, either in binary or decimal form. (See Tables 10-1 and 10-2.)
Table 10-2        Division of IP Address Component Octets According to Class

Class   IP Address     Network ID   Host ID
A       10.1.1.10      10           1.1.10
B       172.16.1.10    172.16       1.10
C       192.168.1.10   192.168.1    10
Network ID 127 is missing from Table 10-1 because that ID is a loopback address. Loopback addresses are used when testing IP transmission — they transmit to themselves.
Subnetting: Quiet time for IP addresses

Subnets represent divisions of a single TCP/IP network address into logical subsets. The motivation for subnetting is twofold:

• It reduces overall traffic on any network segment by collecting systems that communicate often into groups.

• It makes it easier for networks to grow and expand and adds an extra layer of security control, because traffic between subnets has to pass through a router, where it can be filtered.

Subnets work by "stealing" bits from the host part of an IP address and using those bits to divide a single IP network address into two or more subnetworks, usually called subnets; hence, the term in the preceding heading. Network administrators typically use subnet masks to divide IP address blocks into smaller subnetworks. A subnet mask is a special bit pattern that takes over part of the host ID portion of an IP address and permits a larger network to be subdivided into two or more subnetworks, each with its own unique network address. The base subnet masks for Classes A, B, and C networks are 255.0.0.0, 255.255.0.0, and 255.255.255.0, respectively. You can create additional subnet masks by adding extra bits set to 1 in the space occupied by the 0 that appears next to the rightmost 255 in any such number. This transformation is illustrated in Table 10-3, which shows some typical values for usable subnet masks.
Table 10-3        Subnet Masks and Results

Binary Mask          Decimal Equivalent     Number of New Subnets   Number of Hosts
(subnetted octet)
00000000             A: 255.0.0.0           1                       A: 16,777,214
                     B: 255.255.0.0                                 B: 65,534
                     C: 255.255.255.0                               C: 254
10000000             A: 255.128.0.0         Not valid               A: Not valid
                     B: 255.255.128.0                               B: Not valid
                     C: 255.255.255.128                             C: Not valid
11000000             A: 255.192.0.0         2                       A: 4,194,302
                     B: 255.255.192.0                               B: 16,382
                     C: 255.255.255.192                             C: 62
11100000             A: 255.224.0.0         6                       A: 2,097,150
                     B: 255.255.224.0                               B: 8,190
                     C: 255.255.255.224                             C: 30
11110000             A: 255.240.0.0         14                      A: 1,048,574
                     B: 255.255.240.0                               B: 4,094
                     C: 255.255.255.240                             C: 14
11111000             A: 255.248.0.0         30                      A: 524,286
                     B: 255.255.248.0                               B: 2,046
                     C: 255.255.255.248                             C: 6
11111100             A: 255.252.0.0         62                      A: 262,142
                     B: 255.255.252.0                               B: 1,022
                     C: 255.255.255.252                             C: 2
11111110             A: 255.254.0.0         126                     A: 131,070
                     B: 255.255.254.0                               B: 510
                     C: 255.255.255.254                             C: Not valid

The subnet counts and the "Not valid" entries in the third column follow the original subnetting rule (RFC 950), which discards the all-zeros and all-ones subnets and so yields two fewer subnets than the borrowed bits could number. Modern routers and operating systems, Windows Server 2008 included, use classless (CIDR) addressing, in which every subnet is usable: a mask of 255.255.255.128 splits a Class C network into two subnets of 126 hosts each. The host counts in the last column hold under either rule, because the network and broadcast addresses of each subnet are always reserved.
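The bit arithmetic behind Tables 10-1 to 10-3, worked as code. This is an added example, not code from the book: it converts dotted decimal to the 32-bit integer the computer sees, classifies an address by the high-order bits of its first octet, splits network ID from host ID both by class (Table 10-2) and by an arbitrary subnet mask, and counts the subnets and hosts a borrowed-bit mask produces, giving both the legacy RFC 950 count used in Table 10-3 and the CIDR count. The addresses in the usage lines are the ones the chapter uses.

```python
"""IPv4 class and subnet calculator (added example; not from the book)."""
from __future__ import annotations


def to_int(dotted: str) -> int:
    """'207.46.249.222' -> 0xCF2EF9DE, validating four octets in 0..255."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-decimal IPv4 address: {dotted!r}")
    value = 0
    for p in parts:
        value = (value << 8) | int(p)
    return value


def to_dotted(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))


def to_binary(value: int) -> str:
    """Four 8-bit octets, the way the chapter renders an address in binary."""
    return " ".join(format((value >> s) & 0xFF, "08b") for s in (24, 16, 8, 0))


def address_class(address: str) -> str:
    """Class from the high-order bits of the first octet (Table 10-1)."""
    first = to_int(address) >> 24
    if first == 127:
        return "loopback"
    if (first & 0b10000000) == 0:
        return "A"
    if (first & 0b11000000) == 0b10000000:
        return "B"
    if (first & 0b11100000) == 0b11000000:
        return "C"
    if (first & 0b11110000) == 0b11100000:
        return "D"
    return "E"


def classful_split(address: str) -> tuple[str, str]:
    """(network ID, host ID) by class, as laid out in Table 10-2."""
    octets = address.split(".")
    n = {"A": 1, "B": 2, "C": 3}[address_class(address)]  # KeyError for D, E, loopback
    return ".".join(octets[:n]), ".".join(octets[n:])


def prefix_length(mask: str) -> int:
    """Count the 1 bits of a mask, rejecting masks whose 1s are not contiguous."""
    bits = format(to_int(mask), "032b")
    if "01" in bits:  # a 0 followed by a 1 means a gap in the mask
        raise ValueError(f"non-contiguous subnet mask: {mask!r}")
    return bits.count("1")


def subnet_info(address: str, mask: str) -> dict:
    """Apply the mask: network ID, broadcast address and usable host count."""
    a, m = to_int(address), to_int(mask)
    host_bits = 32 - prefix_length(mask)
    network = a & m
    return {
        "class": address_class(address),
        "binary": to_binary(a),
        "network_id": to_dotted(network),
        "broadcast": to_dotted(network | (~m & 0xFFFFFFFF)),
        "usable_hosts": max(2 ** host_bits - 2, 0),  # minus network and broadcast
    }


def subnet_counts(borrowed_bits: int) -> tuple[int, int]:
    """Subnets produced by borrowing N host bits: (legacy count, CIDR count).

    The legacy RFC 950 rule behind Table 10-3 discards the all-zeros and
    all-ones subnets, which is why one borrowed bit reads 'Not valid' there;
    CIDR-capable routers and Windows Server 2008 use every subnet.
    """
    if borrowed_bits < 1:
        raise ValueError("must borrow at least one bit")
    return max(2 ** borrowed_bits - 2, 0), 2 ** borrowed_bits


def split_network(network: str, mask: str, borrowed_bits: int) -> list[str]:
    """Enumerate the subnets (network/prefix) obtained by borrowing host bits."""
    new_prefix = prefix_length(mask) + borrowed_bits
    if new_prefix > 30:
        raise ValueError("fewer than two usable hosts per subnet")
    base = to_int(network) & to_int(mask)
    size = 2 ** (32 - new_prefix)
    return [f"{to_dotted(base + i * size)}/{new_prefix}" for i in range(2 ** borrowed_bits)]


if __name__ == "__main__":
    print(subnet_info("207.46.249.222", "255.255.255.0"))   # Class C, 254 hosts
    print(classful_split("172.16.1.10"))                    # ('172.16', '1.10')
    print(subnet_counts(2))                                 # (2, 4): two bits borrowed
    print(split_network("192.168.1.0", "255.255.255.0", 2))  # four /26 subnets
```

The `prefix_length` check matters in practice: a mask such as 255.0.255.0 is accepted by some configuration dialog boxes but does not describe a single contiguous block, and hosts given such a mask make routing decisions you did not intend.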
What about IPv6?

Those who know a little bit about TCP/IP already are also likely to know it comes in two flavors. The current, predominant flavor (the one we describe at length in this very chapter) is called IPv4. It features 32-bit addresses broken into four 8-bit octets. There's a newer version of IP around, however. It's known as IPv6 and features 128-bit addresses (16 8-bit octets, but seldom represented as such; these numbers are so big that you see them primarily in hexadecimal, or base 16, form). In addition to a much bigger address space, IPv6 features enhanced security, multiple automatic addressing schemes, improved routing, and much more. But it's seldom used on small networks, and despite a U.S. government mandate to switch over to IPv6 addressing in June 2008, that event looks increasingly unlikely as the date looms ever closer. Because it's very rarely used on small networks, we don't cover IPv6 in this book. Those readers who want to learn more, and work with IPv6 on Windows Server, should check out the TechNet IPv6 clearinghouse at technet.microsoft.com/en-us/network/bb530961.aspx.
Because routers are required to communicate across IP subnets, a router’s IP address on each subnet must be known to every client on that subnet. This address is called the default gateway because it’s where all out-of-subnet transmissions are directed by default. (It’s the gateway to the world outside each local subnet.) If no default gateway is defined, clients can’t communicate outside their subnets.
Hanging your shingle: Obtaining IP addresses
Deploying your own network or using a stand-alone system with Network Address Translation (NAT) to connect to the Internet requires that you obtain one or more valid IP addresses. For some uses, you may simply contract with an ISP to use a dial-up connection. Each time you connect, you’re assigned an IP address automatically from a pool of available addresses. After you disconnect from the ISP, that IP address is returned to the pool for reuse. This works equally well for stand-alone machines and for the servers that might dial into an ISP to provide an on-demand connection for users who have private IP addresses but can attach to the Internet using NAT software. One way to attach an entire network to the Internet is to lease a block, or subnet, of IP addresses from an ISP. However, leasing IP addresses can be expensive and can limit your growth. Also, many ISPs can no longer lease large blocks of IP addresses, so you may have to limit Internet access to specific machines or subnets. For more information about taking this approach, you must contact your ISP to find out what it offers by way of available addresses and contiguous subnets. For some uses, public IP addresses are required because security needs dictate a true end-to-end connection between clients and servers across the Internet. In plain English, a true end-to-end connection means that the IP address that a client advertises to the Internet is the same one it uses in reality. In the next section, you discover an alternate approach where an IP address advertised to the Internet is different from the private IP address that a client uses on its home subnet. For some applications, particularly where secure IP-based protocols such as IP Security (IPSec) or particular secure sockets layer (SSL) implementations are involved, network address translation techniques may not work! Make sure you understand your application requirements in detail before you decide whether to lease public IP addresses or use private IP addresses with network address translation.
Address translation: The new magic If you don’t want to pay to lease a range of IP addresses and your application requirements allow you to use private IP addresses, you can employ IP addresses reserved for private use in RFC 1918 on your networks. When used with network address translation software to connect to an ISP, a single public IP address (or one for each Internet connection) is all you need to service an entire network.
Routers move packets among subnets and networks
Only routers can transfer packets from one subnet to another, or from one network ID to another, in the TCP/IP world. Routers are specialized, high-end, high-speed devices from companies such as Cisco Systems or Extreme Networks. However, any computer with two or more NICs installed (where each NIC resides on a different subnet) can act as a router, provided that the computer can forward packets from one NIC to another (and thus, from one subnet to another). Right out of the box, in fact, Windows Server 2008 includes software and built-in capabilities to work as a router. Computer nerds like to call such machines multi-homed computers because the machines are “at home” on two or more subnets.
RFC 1918 (which you can find at www.faqs.org/rfcs/rfc1918.html) defines special IP addresses for use on private intranets. These addresses, which appear in Table 10-4, cannot be routed on the Internet. This approach provides improved security for your network as a fringe benefit because it means that any impostor who wants to break into your network can’t easily masquerade as a local workstation. (Doing so would require routing a private IP address packet across the Internet.) Because all of these addresses are up for grabs, you can use the address class that makes sense for your organization. (And for Class B and Class C addresses, you can use as many as you need within the legal range of such addresses.)
Table 10-4    Private IP Address Ranges from RFC 1918

Class   Address Range                  # Networks
A       10.0.0.0–10.255.255.255        1
B       172.16.0.0–172.31.255.255      16
C       192.168.0.0–192.168.255.255    254
Using address translation software to offer Internet access reduces your costs and allows nearly unlimited growth. If you think private IP addresses combined with NAT software make sense for your situation, consult with your ISP for specific details and recommendations on how to use this technology on your network. You’ve probably seen the terms firewall and proxy thrown about when reading about Internet access. Firewalls and proxy servers are network tools that are little more than special-purpose routers. A firewall may be used to filter traffic — both inbound and outbound. Firewall filters may be based on a source or destination address, on a specific protocol or port address, or even on patterns that appear in the contents of a data packet. A proxy server is an enhanced firewall, and its primary purpose is to manage communications between an in-house network and external networks such as the Internet. Proxies hide the identity of internal clients and can keep local copies of resources that are accessed frequently. (This is called caching, and it improves response time for users.) You can check out several great online resources for firewalls, but online information on proxies is limited to product documentation. In addition to consulting the Windows Server 2008 Resource Kit and TechNet (http://technet.microsoft.com/en-us/default.aspx), here are several online resources you may want to check to discover more about these technologies:
• NIST Guidelines on Firewalls and Firewall Policy: http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf
• Microsoft’s Internet Security and Acceleration Server (ISA) 2006: www.microsoft.com/isaserver
• Zone Labs’ ZoneAlarm: www.zonealarm.com
• Cisco’s Self-Defending Networks: www.cisco.com/en/US/netsol/ns643/networking_solutions_packages_list.html
• WinGate proxy server: www.wingate.com
In addition to these excellent third-party products, Windows Server 2008 offers a built-in native firewall product known as the Windows Firewall (previously called the Internet Connection Firewall, or ICF), which is enabled and configured on the Advanced tab of a connection object. Windows Firewall is a host-based solution that can provide stateful filtering for inbound and outbound traffic with integrated IPSec protection settings, which may or may not offer the versatility and capabilities that your production network requires in a firewall. If you want to find out more about Windows Firewall, check the Help and Support Center and the TechNet article at http://technet.microsoft.com/en-us/network/bb545423.aspx.
Forcing IP Down the Throat of Windows Server 2008
Configuring TCP/IP on Windows Server 2008 can range from simple to complex. We review the simple process and discuss a few advanced items. For complex configurations, consult a reference such as the Windows Server 2008 Resource Kit or TechNet. Three basic items are always required for configuring TCP/IP:
• IP address
• Subnet mask
• Default gateway
With just these three items, you can connect a client or server to a network.
Basic configuration The protocol is configured on the Internet Protocol (TCP/IP) Properties dialog box. To access this dialog box, follow these steps:
1. Choose Start➪Control Panel➪Network and Sharing Center.
2. Under Tasks, click Manage Network Connections. The Network Connections dialog box appears.
3. In the Network Connections dialog box, right-click Local Area Connection and select Properties. The Local Area Connection Properties dialog box appears.
4. In the list of installed components, select Internet Protocol (TCP/IP).
Note: If TCP/IP isn’t already installed, follow these steps to install it:
a. In the Local Area Connection Properties dialog box, click Install. The Select Network Component Type dialog box appears.
b. Select Protocol and then click Add. The Select Network Protocol dialog box appears.
c. Select Internet Protocol Version 4 (TCP/IP) and then click OK.
d. If prompted, provide a path to the distribution CD.
5. Click Properties to open the Internet Protocol Version 4 (TCP/IP) Properties dialog box, shown in Figure 10-2.
The Internet Protocol (TCP/IP) Properties dialog box offers fields to define the three IP configuration basics. Note the selection to obtain an IP address automatically. This setting configures the system to request IP configuration from a Dynamic Host Configuration Protocol (DHCP) server. Because most servers don’t work well using dynamic IP addresses, you may want to define a static IP address for your Windows Server 2008 instead of using DHCP. (Or use DHCP to make a manual or static address allocation.)
Figure 10-2: The Internet Protocol (TCP/IP) Properties dialog box.
6. To enter your IP settings, select the Use the Following Address option in the dialog box and fill in the fields as follows:
• IP Address: Either obtain a public IP address from your ISP or use a private IP address from one of the reserved address ranges defined in RFC 1918.
• Subnet Mask: You must also calculate a subnet mask for your network. (That is, as long as you aren’t using DHCP.) Here again, you may obtain this from your ISP if you’re using public IP addresses, or you may calculate your own if you’re using private IP addresses. In most cases where private IP is used, the default subnet mask for the address class should work without alteration or additional calculations, as described in Table 10-3.
• Default Gateway: Finally, you must also provide a default gateway address for your server (unless you just don’t want this system to communicate with other hosts outside of its subnet). The default gateway should be the address of the router on the local subnet to which the server is attached that can forward outbound traffic to other network segments. On networks using public IP addresses, this is probably a router, firewall, or proxy server that connects the local subnet to other subnets or to the Internet. On networks using private IP addresses, this is usually the machine on which the proxy and NAT software resides, which mediates between the local subnet and an Internet connection.
7. The Internet Protocol (TCP/IP) Properties dialog box also offers fields to configure Domain Name Service (DNS). You can leave these fields blank — at least for now. We talk more about DNS in the “DNS Does the Trick” section later in this chapter.
8. After you define an IP address, a subnet mask, and a default gateway, click OK, and then close all the windows you’ve opened and reboot.
That’s all there is to basic TCP/IP configuration on Windows Server 2008!
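As an added Python example (not from the book), here is a pre-flight check for the three settings entered in step 6: it verifies that the mask is contiguous, that the address and the default gateway are usable host addresses on the same subnet, and whether the address falls in one of the RFC 1918 ranges from Table 10-4 (and therefore needs NAT to reach the Internet). The sample configurations in it are constructed, and the function names are my own.

```python
"""Pre-flight checks for a static IPv4 configuration (added example, not from the book).

Checks the three items the chapter says every TCP/IP host needs (IP address,
subnet mask, default gateway) before you commit them in the Properties dialog:
the mask is contiguous, the address is a usable host address, the gateway is
on the same subnet, and the address is classified against the RFC 1918 ranges
of Table 10-4.  All sample inputs below are constructed for this example.
"""
import ipaddress
from typing import Dict, List, Optional

# RFC 1918 private ranges (Table 10-4) as CIDR blocks, keyed by the table's class letter.
RFC1918_BLOCKS = {
    "A": ipaddress.IPv4Network("10.0.0.0/8"),
    "B": ipaddress.IPv4Network("172.16.0.0/12"),
    "C": ipaddress.IPv4Network("192.168.0.0/16"),
}


def private_class(address: str) -> Optional[str]:
    """Return 'A', 'B' or 'C' if the address is in a Table 10-4 range, else None."""
    addr = ipaddress.IPv4Address(address)
    for net_class, block in RFC1918_BLOCKS.items():
        if addr in block:
            return net_class
    return None


def check_static_config(ip: str, mask: str, gateway: Optional[str]) -> List[str]:
    """Return the problems found; an empty list means the three settings are consistent.

    gateway may be None for a host that never needs to talk outside its subnet.
    """
    problems: List[str] = []
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return [f"invalid IP address: {ip!r}"]
    try:
        # strict=False accepts a host address with the mask; a non-contiguous
        # mask such as 255.255.0.255 makes the ipaddress module raise ValueError.
        network = ipaddress.IPv4Network((ip, mask), strict=False)
    except ValueError:
        return [f"invalid subnet mask: {mask!r}"]

    # Table 10-3 marks 255.255.255.254 as "Not valid": no usable host addresses.
    if network.prefixlen >= 31:
        problems.append(f"mask {mask} leaves no usable host addresses")
    elif addr in (network.network_address, network.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {network}")

    if gateway is not None:
        try:
            gw = ipaddress.IPv4Address(gateway)
        except ValueError:
            return problems + [f"invalid default gateway: {gateway!r}"]
        if gw not in network:
            problems.append(f"default gateway {gateway} is not on subnet {network}")
        elif gw in (network.network_address, network.broadcast_address):
            problems.append(f"default gateway {gateway} is not a host address")
        elif gw == addr:
            problems.append("default gateway must be the router, not this host")

    return problems


def describe(ip: str, mask: str, gateway: Optional[str]) -> Dict[str, object]:
    """Summary an administrator can eyeball before clicking OK."""
    problems = check_static_config(ip, mask, gateway)
    try:
        cls = private_class(ip)
    except ValueError:
        cls = None
    return {
        "ok": not problems,
        "problems": problems,
        "rfc1918_class": cls,          # None means a public (routable) address
        "needs_nat": cls is not None,  # private addresses reach the Internet only via NAT
    }


if __name__ == "__main__":
    # Constructed sample configurations, not taken from any real network.
    for cfg in [("192.168.1.10", "255.255.255.0", "192.168.1.1"),
                ("10.0.0.255", "255.255.255.0", "10.0.0.1"),
                ("172.32.0.7", "255.255.255.0", "172.32.0.1"),
                ("10.0.0.5", "255.255.0.255", "10.0.0.1")]:
        print(cfg, "->", describe(*cfg))
```

Note that 172.32.0.7 is reported as public: the Class B private range stops at 172.31.255.255, a boundary that is easy to get wrong by hand.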
Advanced configuration More complex configurations become necessary when your network is larger and, therefore, more complicated. To deal with such complexity, you have to do some advanced work. Click the Advanced button in the Internet Protocol (TCP/IP) Properties dialog box (we tell you how to open that dialog box in the preceding section) to reveal the Advanced TCP/IP Settings dialog box, complete with its four tabs (see Figure 10-3). The tabs (along with brief descriptions) are as follows:
Figure 10-3: The TCP/IP Settings dialog box.
• IP Settings: This tab allows you to define multiple IP address and subnet mask combinations for a single NIC. You can also define additional default gateways, as well as an interface metric, which is used by routers (or the routing service of Windows Server 2008) to determine which path to send data to — the path with the lowest metric is used first.
• DNS: This tab allows you to define additional DNS servers — the one or two you define on the Internet Protocol (TCP/IP) Properties dialog box appear here as well, so don’t get confused. In addition, you can specify how to search or resolve names based on DNS server, DNS domain, and DNS parent domains. The two check boxes at the bottom of the DNS tab allow you to use dynamic registration to automatically add your server’s IP address and domain name to your local DNS. For more information about DNS, please consult the “DNS Does the Trick” section later in this chapter.
• WINS: This tab is where IP addresses for Windows Internet Name Service (WINS) servers are defined. WINS servers resolve NetBIOS names into IP addresses. WINS is convenient for Windows Server 2008 networks with multiple servers and network segments. This tab also offers you control over how or whether NetBIOS operates over TCP/IP. For more information about WINS, please consult the “Everyone WINS Sometimes” section later in this chapter.
• Options: This tab is where you can define alternate settings associated with TCP/IP. This tab offers access to only TCP/IP filtering by default, but the layout of the interface seems to hint that other optional features or services may be configured here if they’re installed later. TCP/IP filtering allows you to define the TCP, User Datagram Protocol (UDP), and protocol ports that will be allowed to function. In other words, it blocks all traffic except the traffic for the ports that you choose to allow in. This interface is rather limited because it doesn’t tell you which ports you need to allow in. We recommend deploying a proxy or firewall to perform TCP/IP filtering because these devices are more user-friendly and tell you which ports you need.
Everyone WINS Sometimes In a Microsoft Windows network, TCP/IP hosts can be called by NetBIOS names instead of IP addresses or domain names. Because NetBIOS names are more or less unique to Microsoft networks, there’s no current standard for associating NetBIOS names with IP addresses. On a Microsoft network that uses TCP/IP as its only networking protocol, it’s essential to be able to resolve NetBIOS names to IP addresses. This is where Windows Internet Name Service (WINS) comes in.
A glimpse at WINS
Because resolving NetBIOS names to IP addresses is the key to providing access to many of Windows Server 2008’s built-in services and facilities, Microsoft provides two methods to handle this process:
• LMHOSTS: You can use a file named LMHOSTS to create a static table that associates specific NetBIOS names with specific IP addresses. (LM stands for LAN Manager and points to the network operating system that preceded Windows NT in the Microsoft product world.) Such a file must be present on every machine to provide the necessary name-to-address resolution capabilities. For small, simple networks, using LMHOSTS files is an acceptable method. On large, complex networks, the busywork involved in maintaining a large number of such files can quickly get out of hand.
• WINS: Larger, more complex networks are where WINS comes into play. WINS runs on Windows Server 2008 machines as a service that automatically discovers NetBIOS names and manages a dynamic database that associates NetBIOS names with TCP/IP addresses. As networks grow, multiple WINS servers sometimes become necessary to help speed up the time it takes to handle name resolution requests. A single WINS server can handle an entire network. On networks that include multiple sites or thousands of users, however, multiple WINS servers can distribute the load involved in providing name resolution and speed users’ access to NetBIOS-based resources.
WINS has several advantages over LMHOSTS files. For one thing, it’s built on a dynamic database, which means that as networks change and names and addresses come and go, the database changes as the WINS server detects new name and address relationships or finds old names with new addresses. WINS can be especially important on networks where DHCP is used, if clients also share files or printers on their machines. Also, WINS is something like a Spanish-English dictionary that’s constantly updated as new words — or in this case, names — are added.
WINS servers
A WINS server maintains a database that maps computer names to their respective IP addresses and vice versa. Rather than sending broadcasts for address information, which eats excess network bandwidth, a workstation that needs a NetBIOS name resolved makes a request directly to a designated WINS server. (That’s the real purpose of the WINS tab in the Advanced TCP/IP Settings dialog box.) This approach lets workstations take advantage of a well-defined service and obtain address information quickly and efficiently. Also, when workstations with NetBIOS names log on to the network, they provide information about themselves and their resources to the WINS server. Then, any changes automatically appear in the WINS server’s database. Although WINS is much simpler than DNS, it still isn’t an easy process. You need to install WINS as a network service component through the Local Area Connections applet and corresponding network interfaces. We recommend seeking guidance from the Windows Server 2008 Resource Kit or TechNet before starting on that journey.
WINS clients When configuring workstations or servers (at least, those servers that don’t play host to the WINS server software) on your network, you provide an IP address for one or more WINS servers on your network. When those machines boot, they provide the WINS server with their computer names, share names, and IP addresses. The WINS server handles everything else. If a workstation needs an IP address that corresponds to a NetBIOS name, it asks the WINS server to supply that information.
NetBIOS over TCP/IP
The bane of many security consultants, NetBIOS over TCP/IP is a piggyback application programming interface (API) employed by Windows Server 2008 for all of its internal and server-to-server communications. Within a secured environment, such as behind firewalls and proxies, NetBIOS over TCP/IP is beneficial because it supports many of the user-friendly features of Windows Server 2008 networking. But without adequate security, it’s a gaping hole that devious individuals can exploit to overtake your network or stand-alone system. The WINS tab offers you the ability to disable NetBIOS over TCP/IP on the current system (meaning NetBIOS will not be transmitted over network links from this computer) or allow it to mimic its DHCP server. (If the DHCP server disables NetBIOS, this system will as well.) You should consider disabling NetBIOS over TCP/IP only if all systems on the network are Windows 2000, Windows XP, or Windows 2003 and no application or service on the network requires NetBIOS to function. In other words, you’ll need to live with NetBIOS for a bit longer.
DNS Does the Trick
One way to simplify TCP/IP host identification is to use Fully Qualified Domain Names (FQDNs) instead of IP addresses. An FQDN is the type of name used to identify resources on the Internet to make access easier for humans (such as www.microsoft.com). Resolving domain names and FQDNs to IP addresses is a crucial service on TCP/IP networks in general and especially on the Internet, where hundreds of millions of names and addresses can be found. This is where the Domain Name Service — sometimes called the Domain Naming Service or Domain Name System, but always abbreviated as DNS — comes into play. As with NetBIOS names and IP addresses, the association between FQDNs and IP addresses can also be maintained in two ways:
• HOSTS file: You can create a HOSTS file on each system. The HOSTS file maintains a local table that associates specific FQDNs with specific IP addresses. When such associations change, the HOSTS file must be updated manually and copied to all machines on a network. HOSTS files aren’t suited for interaction with large IP-based networks, especially the Internet. This explains why HOSTS files are mostly relics of an earlier, simpler era of IP networking. Except as a fallback in case access to DNS fails, no one uses HOSTS files anymore.
• DNS: Access to a DNS server allows network machines to request name resolution services from that server instead of maintaining name-to-address associations themselves. Although DNS servers must be configured manually, a DNS server can handle the name resolution needs of an entire network with ease. DNS servers can also communicate with one another, so a name resolution request that the local server can’t handle can be passed up the FQDN name hierarchy until it reaches a server that can resolve the name into an address or indicate that the name is invalid.
The Internet includes tens of thousands of DNS servers. ISPs manage many of these DNS servers; others fall under the control of special top-level domain authorities. To stake out an Internet presence, you must obtain a unique FQDN through the InterNIC (or let your ISP do it for you). After you obtain this name, it’s associated with a special root IP address in some DNS server (probably at your ISP, unless you decide to set up a DNS server of your own).
Whether to DNS Unless you manage a large, complex network, chances are better than average that you’ll work with someone else’s DNS server — probably your ISP’s — rather than managing your own. However, if you have a large network with more than 1,000 computers, or if your network spans multiple sites using private wide-area links, a DNS server may be just the thing to help you stake out the right type of Internet presence. One unique feature of Windows Server 2003 is that it automatically installs three services on the first server of a domain: Active Directory, DHCP, and DNS. Although you don’t actually have to employ DHCP and DNS, they’re still installed by default. Installing these services is therefore a breeze. (So much so that the Configure Your Server Wizard does it for you automatically.) The real headaches come when you try to configure DNS (or DHCP, for that matter).
The deans of DNS
If you think you may be interested in setting up a DNS server, you need to consult a technical resource, such as the Windows Server 2008 Resource Kit or TechNet. We also highly recommend DNS on Windows Server 2003, a book by Matt Larson, Cricket Liu, and Robbie Allen (published by O’Reilly & Associates), as the ultimate resource for using Windows 2003 as a DNS server. Even though the title says Windows 2003, this is also a great resource for Windows Server 2008 because DNS is almost exactly the same. Paul Albitz and Cricket Liu also wrote a general DNS book called DNS and BIND, now in its fifth edition (also published by O’Reilly), that is widely regarded as the best general reference on DNS. Both of these books should be updated or revised soon to encompass new material for Windows Server 2008.
DHCP: IP Addressing Automation DHCP, the Dynamic Host Configuration Protocol, is used to dynamically assign IP addresses and other configuration settings to systems as they boot. This allows clients to be configured automatically at startup, thus reducing installation administration. DHCP also allows a large group of clients to share a smaller pool of IP addresses, if only a fraction of those clients needs to be connected to the Internet at any given time.
What is DHCP? DHCP is a service that Windows Server 2008 can deliver. In other words, a Windows Server 2008 can run DHCP server software to manage IP addresses and configuration information for just about any type of TCP/IP client. In fact, it can even perform this role in a completely stripped-down way if Windows Server 2008 is installed as Server Core with additional service roles. DHCP manages IP address distribution using leases. When a new system configured to use DHCP comes online and requests configuration data, an IP address is leased to that system. (Each lease lasts three days by default.) When the duration of the lease is half expired, the client can request a lease renewal for another three days. If that request is denied or goes unanswered, the renewal request is repeated when 87.5 percent and 100 percent of the lease duration has expired. If a lease expires and isn’t renewed, the client can’t access the network until it obtains a new IP address lease. You can initiate manual lease renewals or releases by executing ipconfig /renew or ipconfig /release at the Windows Server 2008 command prompt. You can view the current state of IP configuration using the ipconfig command. Issuing the ipconfig /all|more command at the command prompt displays all of a machine’s IP configuration information, one screen at a time.
Is DHCP in your future?
We can think of two profound reasons why DHCP is a godsend to Windows Server 2008 administrators who need to use it:
• DHCP enables you to manage an entire collection of IP addresses in one place, on a single server, with little effort beyond the initial configuration of the address pool (the range of addresses that DHCP will be called upon to manage). In the old days (before DHCP), managing IP addresses usually required walking from machine to machine on a far too frequent basis.
• DHCP automates delivery of IP addresses and configuration information (including subnet mask and the default gateway addresses) to end-user machines. This makes it astonishingly easy to set up IP clients and to handle configuration changes when they must occur. To configure IP on a new client, all an end user (or you) must do in Windows Server 2008, Windows Server 2003, Windows NT, or Windows 9x is click the single option in the Internet Protocol (TCP/IP) Properties dialog box that reads Obtain an IP Address Automatically. DHCP does the rest! When configuration changes occur, these changes are automatically introduced when IP leases are renewed. You can even cancel all existing leases and force clients to renew their leases whenever major renumbering or configuration changes require immediate updates to their IP configurations.
Enough TCP/IP to choke a hippo
If this chapter whets your appetite for TCP/IP, you can obtain more details and information from the following great resources:
• Windows Server 2008 TCP/IP Protocols and Services, by Joseph Davies (published by Microsoft Press)
• TCP/IP For Dummies, 5th Edition, by Candace Leiden, Marshall Wilensky, and Scott Bradner (published by Wiley Publishing)
• The TCP/IP Guide, by Charles Kozierok (published by No Starch Press; check out the complete online version at www.tcpguide.com)
• Internetworking with TCP/IP, Volumes I, II, and III, by Douglas E. Comer, David L. Stevens, and Michael Evangelista (published by Prentice Hall) in various editions from 2nd through 5th
If that’s still not enough, one of your authors pulled together a more comprehensive TCP/IP bibliography for NetPerformance.com. Check it out at www.netperformance.com/reading_tcpip.aspx.
The ultimate reason for using DHCP is that it makes your job much easier. DHCP is recommended for all networks that use TCP/IP with ten or more clients. The first Windows Server 2008 in a domain has DHCP installed automatically, but you still need to enable and configure it properly before it will do you any good. So, if you think you may be interested in setting up a DHCP server, consult a technical resource, such as the Windows Server 2008 Resource Kit or TechNet, for all the details of installation and configuration.
Ironing Out Problems
Problems that occur on TCP/IP networks are almost always associated with incorrect configurations. The wrong IP address, subnet mask, default gateway, DNS server, WINS server, or DHCP server can bring a system, if not an entire network, to its knees. Therefore, you need to take extra caution to double-check your settings and changes before putting them into effect. If you connect to an ISP, you should contact the ISP’s technical support personnel early to eliminate as much wheel-spinning as possible. You may discover the problem isn’t on your end, but theirs. If so, your only recourse is to wait it out, and then complain. If problems occur too often for your comfort, take your business elsewhere. Windows Server 2008 includes a few TCP/IP tools that you can employ to help track down problems. We already mentioned ipconfig; here are the others:
• ping: This tool tests the communications path between your system and another remote system. If a PING returns, you know the link is traversable and the remote system is online. If the PING times out, either the link is down or the remote system is offline.
• tracert: This tool reveals the hops (systems encountered) between your system and a remote system. The results inform you whether your trace route packets are getting through and at what system a failure is occurring.
• route: This tool is used to view and modify the routing table of a multihomed system.
• netstat: This tool displays information about the status of the current TCP/IP connections.
• nslookup: This tool displays DNS information that helps you manage and troubleshoot your DNS server.
• telnet: This tool is used to establish a text-based terminal emulation with a remote system. Telnet gives you access to a remote system as if you were sitting at its keyboard. Windows Server 2003 doesn’t include an inbound Telnet server.
Complete details on these tools are included in the Windows 2008 help files, the Windows Server 2008 Resource Kit, and TechNet.
Part III
Running Your Network
In this part . . .
After Windows Server 2008 is up and running, the real fun — namely, maintaining the server and network you’ve so laboriously constructed — begins. Or at least, so goes the conventional wisdom. In a very real sense, therefore, Part III begins where Part II leaves off. First, there’s managing the users (and their groups) who will work on your network and use your server. Then, it’s on to how to set up and handle NTFS and share permissions, with a heaping order of file systems and related topics on the side. Once you have data and users to protect, backing up your system is no longer an option — it’s a downright necessity — so it’s the next topic on our systems-management agenda. Part III closes out with an exercise in positive paranoia, where you find out about computer and network security in a discussion that covers the bases from physical security all the way up to how to build a solid password. Thus, Part III covers all the key topics involved in managing a Windows Server 2008–based network to prepare you to live with one of your own (or to work on someone else’s). Use these chapters to establish a systematic routine — not only will your users thank you, but you’ll also save yourself some time and effort! Remember this: Maintenance activities and costs usually represent 90 percent of any computer system’s life cycle. That’s why establishing a solid maintenance routine and sticking to it religiously are the keys to running a successful network. Do yourself a favor and don’t learn this lesson the hard way. . . .
Chapter 11
Managing Users with Active Directory Users and Computers
In This Chapter
• Defining user account properties
• Creating new user accounts and groups
• Managing user accounts
• Understanding groups
• Assigning profiles
• Governing activities with policies
• Solving problems
User accounts are indispensable elements in the Windows Server 2008 environment. They’re central management and control tools for the operating system to authenticate users and manage access to the resources on a local system and in the domain and forest as well. If you don’t have a defined user account on a Windows Server 2008 stand-alone system or a Windows Server 2008 domain, you can’t gain access to that system or to available resources in the forest. This chapter looks at managing domain user accounts and policies through the Active Directory Users and Computers console.
User Accounts Have Properties
Computers are typically used by more than one person. Even systems that workers use exclusively on their desks allow system administrators to log on locally. If these systems have computer accounts in the domain, it’s possible for other users with domain accounts to log on to those systems as well. The computer distinguishes between one person and another by employing a security device called the user account object. Each user on a computer or a network has a unique user account that contains details about the user, such as his or her rights and restrictions to access resources and more.
A Windows Server 2008 domain-based user account contains, is linked to, or is associated with the following items:
• Password security: User accounts are protected by passwords so that only authorized persons can gain access to the systems.
• Permissions: Permissions are the access privileges granted to a user account. These include group memberships and user-specific settings to access resources.
• Identification: A user account identifies a person to the computer system and the network.
• User rights: A user right is a high-level privilege that can be granted to users or groups to define or limit their actions on a computer system.
• Roaming: You can define user accounts so that a user can log on to any system that is a member of a domain by using a domain user account (certain users may be able to log on to local accounts in certain situations), a Remote Access Service (RAS), or a gateway.
• Environment layout: Profiles are user-specific and store information about the layout, desktop, and user environment in general, unless they are specifically restricted through the use of mandatory profiles. You can define profiles so that they follow the user account no matter where the user gains access on the network.
• Auditing: Windows Server 2008 can track access and usage by domain user accounts if that level of auditing has been enabled in the domain.
Access to Windows Server 2008 requires that users successfully authenticate themselves with a domain user account. This means that when a user with the proper permission level (not everyone has permission to log on locally to all systems in a domain) sits down at a Windows Server 2008 system, he or she can log on at the local machine with a local account (called an interactive logon) by pressing Ctrl+Alt+Delete to start the logon process. Then the user must provide a valid username and password. He or she may also log on to a domain user account in the same manner if the server is a member of the domain. After the system verifies this information, the user is granted access. When the user is finished, he or she can log out and leave the system available for the next user to log on.
With Windows Server 2008 installed, three user accounts are automatically created by default on stand-alone (non-domain-member) systems:
• The Administrator account is used to configure the system initially and to create other user accounts.
• The Guest account is a quick method to grant low-level access to any user — but is disabled by default.
• The HelpAssistant, often named Support_
Appendix A: Server Components and Technologies
Table A-4  Typical SCSI and SATA 3.5” Drive Speeds
Type | RPM | Cost/GB (Low–High) | Capacity (Low–High) | Remarks
SATA | 7,200 | $0.20–$0.40 | 40GB–1TB | Larger, more capable drives cost more; sizes range from 80GB to 1TB.
SATA | 10,000 | $1.33–$2.02 | 74–150GB | WD Raptor models, available in only two sizes, are the only 10,000 RPM SATA drives available.
SCSI | 10,000 | $1.48–$2.45 | 146–434GB | Most major drive manufacturers offer such drives but none in sizes larger than 4xxGB.
SCSI | 15,000 | $4.10–$8.97 | 36–46GB | Same as for 10K RPM SCSI drives, except sizes top out at 146GB.
There’s a very interesting moral to be drawn from the foregoing table. Unless your server must absolutely scream with disk speed, the best storage value comes from 7,200 RPM SATA drives. With Seagate now offering perpendicular magnetic recording (PMR) drive technologies that basically stand bit regions sideways on the disk platter and therefore cram data into hitherto unheard-of data densities, you can get very good performance from drives that range from 320 to 750GB in size, at prices from 25 cents to 28 cents per GB. High-performance junkies will often use a WD 10,000 RPM Raptor or a 10,000 or 15,000 RPM SCSI drive for the Windows system drive, but even these folks are increasingly turning to 7,200 RPM SATA drives for data RAID arrays. The whole SCSI versus SATA subject continues to be a raging debate in server hardware circles. Some of the most interesting outlooks on this subject come from well-known system builder Puget Custom Computers. Its “SCSI vs SATA, Which is Faster?” article includes fascinating explanations and test results to back up its contention that SATA is more or less edging SCSI out of the server storage game. Find it online at www.pugetsystems.com/articles.php?id=19.
SCSI versus SATA controllers
The other side of the storage equation is the disk controller. Those who need fast storage usually also opt to purchase add-in disk controller cards, and eschew controllers and RAID circuitry built into most modern server motherboards. Those who can stomach the higher costs of 10,000 or 15,000 RPM SCSI drives should also prepare to swallow additional costs for suitable disk controllers.
Part VI: Appendixes
Even modest SCSI RAID controller cards (like the Adaptec 2246200-R) cost more than $300, and a high-end version (like the Adaptec 2185900) costs more than $700. A minimal RAID array usually requires at least three disk drives, where it isn’t unusual for them to include as many as seven drives. (The max for most SCSI controllers is 15 devices per SCSI channel.) On the SATA side, costs are pretty similar: Low-end RAID controllers start at about $200 (like the Adaptec 2220300-R) and approach $700 at the high end (like the Adaptec 2251600). SATA controllers can typically handle many more devices, however, where high-end controllers top out at 128 devices in total. When choosing a disk controller for your server, two additional selection factors come into play:
• Bus slot: A disk controller is an interface card and, therefore, must plug into an interface slot. Most servers come equipped with one or more of each of the slot types described in Table A-5. Be aware that the faster the bus speed for a given slot, the more a controller card that uses such a slot typically costs.
• Slot contention: When designing a server, multiple interface cards may end up competing for scarce slot space. This makes the number and type of slots available on a motherboard an important consideration for its purchase, and putting some thought into what kinds of cards you want to put in your server is equally important. You may have to balance the need for fast storage — which requires a disk controller card — against the need for fast network access — which may mandate one or two high-speed TCP/IP Offload Engine (TOE) network adapters. This can force some tough choices, and may occasionally appear to argue for the wisdom of Solomon in choosing faster storage versus faster networking.
Table A-5  Server Bus Slot Speeds and Feeds
Name | Bus Speed | Bit Width | Maximum Throughput | Remarks
PCI | 33 MHz | 32 bits | 132 MB/s | Common PC utility bus.
PCI64 | 133 MHz | 64 bits | 1066 MB/s | Occasionally found on server motherboards.
PCI-e x1 | 33 MHz | 1 bit | 250 MB/s | All PCI-e buses are bidirectional. (Throughput shown is one-way only; total possible amount is double.)
PCI-e x4 | 33 MHz | 4 bits | 1.0 GB/s | Used for some disk controllers.
PCI-e x8 | 33 MHz | 8 bits | 2.0 GB/s | Used for many disk controllers and TOE network adapters.
PCI-X | 66–133 MHz | 64 bits | 1.08 GB/s | Popular server bus technology.
Typically, you find between one and three PCI-e x8 slots on a server motherboard, and one or two PCI-X slots as well. If the numbers permit, you can use either one for disk controllers and network adapters. The important thing is to purchase a motherboard that has enough of the right kinds of slots to meet your needs. There’s also a case to be made at the low end of the server spectrum that you should try to use built-in controllers and adapters first and move to more expensive add-in cards only if built-ins don’t cut it. But because this means you still need the right number and kind of bus slots to add any adapters you need, it’s wise to pay attention to bus slots even if you don’t intend to stuff them immediately after the purchase of the motherboard on which they reside.
Building RAID arrays
The full expansion for the RAID acronym holds the meat of its technology story: A redundant array of inexpensive disks uses conventional disk drives in a group and achieves performance, reliability, and availability gains by doing so. Using RAID of any kind requires multiple drives to work — at least two and as many as six (for the various types of RAID we’re about to explain, compare, and contrast in this very section) drives are needed to support different RAID schemes. RAID schemes go by the numbers, starting with 0 through 6, plus 10, 50, and other designations. Here we examine only those types of RAID most often used on Windows servers (but we do provide a couple of pointers at the end of this section to where the curious or the technically motivated can learn about “missing numbers” if they like). For convenience, we list them in numerical order in Table A-6, starting with zero.
Table A-6  RAID Schemes and Characteristics
Name | Minimum Disks | Typical Disks | Drive Failures Tolerated | Remarks
0 | 2 | 3–5 | 0 | Striping across multiple drives; no redundancy or fault tolerance; offers best performance improvement; easy to implement.
1 | 2 | 2 | 1 | Also known as disk mirroring or duplexing, copies everything onto each drive in a pair; easiest recovery from failure; hardware controller recommended.
0+1 | 4 | 4–10 | 1 | Stripes across mirrored pairs; expensive with high overhead but offers very high data transfer performance.
5 | 3 | 5–7 | 1 | Striping with parity, 1/n overhead (n = number of drives); keeps running even if a single drive fails; hardware controller required.
10 | 4 | 6–10 | 1 | Combines striping with mirroring (all drives are in mirrored pairs and all pairs are striped); expensive and high overhead but high reliability and performance.
50 | 6 | 6–10 | 2 | Combines parity and striping across two or more RAID 3 (parity) sets; very expensive but very resilient to drive failure.
In RAID arrays, all disks are usually the same kind, make, and model to permit them to work together most effectively. Another technology, called JBOD (just a bunch of disks), works like RAID 0 to stripe data across any number of disks (2 to 15, practically speaking) where the disks need not be the same. Striping essentially distributes data across all drives in an array so that reads and writes can be broken up and distributed across all of them. This provides a nice boost to overall performance. People usually use RAID 0 or JBOD for a performance boost, but because it confers no added reliability, these technologies aren’t used very often on servers.
Disk mirroring or duplexing requires 100 percent overhead in exchange for increased reliability. Essentially, two drives each contain a copy of the same thing so that if one fails, the other one can keep chugging right along.
• Mirroring generally refers to “two drives, one controller,” so that if the controller fails, the whole array goes down.
• Duplexing refers to “two drives, two controllers,” so that if one drive or controller fails, the working drive and controller keep on truckin’.
When RAID 1 is used on servers, it’s most often used for the Windows system/boot drive, because that allows it to keep working even if one of the drives fails with little or no downtime for repairs and reconstruction. When both drives are working, two reads are possible for the set, which effectively doubles read speed as compared to a single drive. Write speed remains unchanged because data must be written to both drives to keep the mirror synchronized.
Disk striping with parity enables control data about a collection of data blocks to be written to the only drive where none of that data resides. If a single drive fails, this lets any single stripe be reconstructed from the portions on the still-working drives that are intact, plus the parity data on the parity drive for that stripe. The controller mixes things up so that no single drive failure results in the loss of parity data needed to reconstruct missing stripe elements. RAID 5 also offers the highest read data transaction rates and medium write data transaction rates, and it’s widely used on servers that need improved performance and reliability.
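To make the striping-with-parity description and the 1/n overhead figure from Table A-6 concrete, here is a small simulation (added here; it is not code from the book) of a RAID 5 layout with rotating XOR parity: it writes a constructed payload across n drives, drops one drive entirely and rebuilds the data from the survivors. The block size, the rotation rule and the sample payload are constructed values.

```python
"""RAID 5 striping-with-parity simulation (added illustration, not from the book).

Models the scheme the text describes: data is striped across n drives, each
stripe carries one XOR parity block, and the parity block rotates from stripe
to stripe so that no single drive holds all the parity. Losing any one drive
leaves the array reconstructible; the parity costs 1/n of raw capacity.
"""
from typing import List, Optional

BLOCK = 4  # bytes per block; tiny so the layout is easy to inspect (constructed value)


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR any number of equal-length blocks together."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def split_into_blocks(data: bytes, block_size: int = BLOCK) -> List[bytes]:
    """Zero-pad data to a multiple of block_size and cut it into blocks."""
    data += b"\x00" * ((-len(data)) % block_size)
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]


def parity_drive_for_stripe(stripe_index: int, n_drives: int) -> int:
    """Simple rotation: stripe 0 keeps parity on the last drive, stripe 1 on the one before it, ..."""
    return (n_drives - 1 - stripe_index) % n_drives


def write_raid5(data: bytes, n_drives: int, block_size: int = BLOCK) -> List[List[bytes]]:
    """Lay data out so that drives[d][s] is the block held by drive d in stripe s."""
    if n_drives < 3:
        raise ValueError("RAID 5 needs at least three drives (Table A-6)")
    blocks = split_into_blocks(data, block_size)
    data_per_stripe = n_drives - 1
    while len(blocks) % data_per_stripe:       # fill the last stripe
        blocks.append(b"\x00" * block_size)
    drives: List[List[bytes]] = [[] for _ in range(n_drives)]
    for s in range(len(blocks) // data_per_stripe):
        chunk = blocks[s * data_per_stripe:(s + 1) * data_per_stripe]
        parity_drive = parity_drive_for_stripe(s, n_drives)
        parity = xor_blocks(chunk)             # the "control data" for this stripe
        it = iter(chunk)
        for d in range(n_drives):
            drives[d].append(parity if d == parity_drive else next(it))
    return drives


def read_raid5(drives: List[Optional[List[bytes]]], n_drives: int) -> bytes:
    """Read the data back, rebuilding a single missing drive (given as None) from the others."""
    missing = [d for d, drv in enumerate(drives) if drv is None]
    if len(missing) > 1:
        raise RuntimeError("more than one drive lost: RAID 5 cannot recover")
    n_stripes = len(next(drv for drv in drives if drv is not None))
    out = bytearray()
    for s in range(n_stripes):
        parity_drive = parity_drive_for_stripe(s, n_drives)
        stripe = [drives[d][s] if drives[d] is not None else None for d in range(n_drives)]
        if missing:
            # Whatever the lost drive held in this stripe (data or parity) is the
            # XOR of every other block in the stripe.
            lost = missing[0]
            stripe[lost] = xor_blocks([b for d, b in enumerate(stripe) if d != lost])
        for d in range(n_drives):
            if d != parity_drive:
                out += stripe[d]
    return bytes(out)


def usable_capacity(n_drives: int, drive_size: int) -> int:
    """RAID 5 keeps (n-1)/n of raw capacity; the remaining 1/n is the parity overhead."""
    return (n_drives - 1) * drive_size


def demo() -> bytes:
    """Write a constructed payload to four drives, lose drive 1, and recover the payload."""
    sample = b"Windows Server 2008 For Dummies RAID 5 demo"  # constructed sample payload
    n = 4
    drives = write_raid5(sample, n)
    drives[1] = None                           # simulate total loss of drive 1
    return read_raid5(drives, n).rstrip(b"\x00")


if __name__ == "__main__":
    print(demo())
    print("usable GB from 4 x 500 GB:", usable_capacity(4, 500))
```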
RAID 0+1, 10, and 50 are all pretty complex and expensive, and they’re used more often in high-end, high-volume environments than on servers in small businesses or SOHO situations. You’ll see that many of the disk controllers that support RAID offer these options, but they aren’t as applicable for low-end to medium-demand server situations.
High-End Network Adapters
As with disk controllers, network adapters for various server buses are available. You can find versions of such adapters for the PCI, PCI-e x1 and x4, and the PCI-X buses. When shopping for such cards, make sure that Windows Server 2008 drivers are available for them, or you won’t be able to put them to work on your server.
Vendors who offer TCP Offload Engine adapters invariably also require installation of the Windows TCP Chimney Offload on those Windows Server 2008 systems on which they’re to be used. This essentially equips the driver to hand over TCP processing, including IP address information, ports in use, packet sequence numbers, and so forth, without requiring the server CPU(s) to get involved. For any kinds of connections that persist over time and use large packet payloads — such as network storage access, multimedia streaming, and other content-heavy applications — TCP Chimney Offload reduces CPU overhead by delegating network packet processing, including TCP segmentation and reassembly, to the network adapter. In turn, the CPU is freed up to do other things, such as handle additional user sessions or process application or service requests more quickly. Vendors that offer network adapters that work with Windows operating systems are listed in Table A-7, along with price ranges, product descriptions, and URLs.
Table A-7  Windows TOE Network Adapters
Vendor | Product | Prices | Description | URL
Alacritech | SENxxxx | $449–849 | 1–4 ports, fiber & copper, PCI, PCI-X | www.alacritech.com
Chelsio | S30xx | $795–1,495 | 2–4 ports, copper, PCI-e x1, x4, PCI-X | www.chelsio.com
Dell | NetXtreme II | $100 | Model 5708, 1 port, PCI-e x1 | www.dell.com
HP | Bladesystem | $225–400 | 1 or 2 ports, PCI-X, NC370i, NC373m | www.hp.com
For servers that support less than 25 simultaneous users, a network adapter with TOE capability is overkill. If servers support 25–100 users, a network adapter with TOE becomes increasingly helpful, and when handling over 100 users, it helps to keep the server available to handle other tasks as well as managing its network connections.
Appendix B
Windows Troubleshooting Resources
Windows Server 2008 is something of a world unto itself. In fact, it’s a large, complex, and pretty interesting world, as the attached collection of recommended Windows Server 2008 resources in print and online illustrates. In the sections that follow, we look at books and magazines that address Windows 2008 topics, as well as a plethora of Web sites, forums, newsgroups, and more. We start with a series of enthusiastic nods to the source for Windows Server 2008 and a whole raft of additional information and resources — namely, Microsoft itself. After that, we trip over numerous third parties in print and online. Along the way, you should find some fabulous goodies to help you learn more about Windows Server 2008, understand it better, and deal with troubles, trials, and tribulations related to that operating system as and when they should happen to come up.
Marvels from Microsoft
As the company that built the Windows Server 2008 operating system, it’s only natural that Microsoft should also have a lot of information to share about this product. And it doesn’t disappoint in any way, either in terms of volume, coverage, technical depth, and more, more, more than many will ever want to know about Windows Server 2008. We present all of the important online links at the Microsoft sites in Table B-1, each of which includes a name so we can also expand a little on this content in a bulleted list of explanations that follows the table.
Table B-1
Microsoft Windows Server 2008 Resources Online
Name | URL
Blogs | www.microsoft.com/communities/blogs/PortalHome.mspx
Microsoft Press | www.microsoft.com/mspress/hop
TechNet forums: Server 2008 | forums.microsoft.com/TechNet/default.aspx?ForumGroupID161&SiteID=17
TechNet SysInternals Web page | www.microsoft.com/technet/sysinternals/default.aspx
Windows Server 2003 newsgroup | https://www.microsoft.com/technet/prodtechnol/windowsserver2003/newsgroups.mspx
Windows Server 2008 home page | www.microsoft.com/windowsserver2008/default.mspx
Windows Server 2008 Learning Portal | www.microsoft.com/learning/windowsserver2008/default.aspx
Windows Server 2008 TechCenter | http://technet.microsoft.com/en-us/windowsserver/2008/default.aspx
Windows Server 2008 Technical Library | http://technet2.microsoft.com/windowsserver2008/en/library/
• Blogs: Important categories include Windows Server 2008, Windows Longhorn Beta 1, and Windows Longhorn Beta 2. This is where you can find developers, trainers, and key “idea people” from Microsoft explaining what’s up and what’s going on with Windows Server 2008.
• Microsoft Press: This organization publishes lots of materials about the company’s platforms, most notably the Resource Kit titles that act as general technical encyclopedias for the company’s operating systems. This Web page tells you what’s coming down the pike from the press, and while we see numerous interesting Windows Server 2008 resource kit titles on IIS 7.0, Group Policy, Active Directory, productivity solutions, and more as we write this list, we don’t see a single monolithic Windows Server 2008 Resource Kit. (These sometimes take 6–12 months after product release to arrive in print, however.)
• TechNet forums: TechNet is the Microsoft Technical Network, itself a huge compendium of technical information on Microsoft offerings. Among those offerings are online forums, including those for Windows Server 2008 mentioned in the URL (but you can find information about anything and everything Microsoft-related through TechNet).
• TechNet SysInternals Web page: SysInternals is a formerly independent company that’s now part of Microsoft, and its outstanding library of Windows administration tools is still available online. Check out the free tools available at this URL in all of these covered categories: file and disk utilities, security utilities, networking utilities, system information tools, process utilities, and miscellaneous stuff. You’ll find a surprising number of real gems here. (We’re especially fond of TCPView, BgInfo, ProcessMonitor, and the Registry defragmentation tool, PageDefrag.)
• Windows Server 2003 newsgroup: As we write this, no official Windows Server 2008 newsgroups are defined yet, but we expect them to show up in a windowsserver2008 directory like the windowsserver2003/newsgroups entry we include by way of indirect reference here.
• Windows Server 2008 home page: This is the primary jumping-off point in the Microsoft Web pages for all things related to Windows Server 2008. You’ll find pointers to all the other Microsoft resources mentioned here, and more, on this Web page.
• Windows Server 2008 Learning Portal: This is where you can turn for access to official Microsoft Windows Server 2008 training materials and information. At present, Microsoft is offering a free e-book and a free four-part introductory online course on Windows Server 2008 to all comers, but by the time you read this, you’ll probably find different offers and information there instead.
• Windows Server 2008 TechCenter: This is home to the Windows Server 2008 Technical Library, related community resources online, links to popular downloads and recent Knowledge Base articles, and additional resources as well. It’s an outstanding clearinghouse for technical Windows Server 2008 information. Elements of the Technical Library are also available in convenient downloadable form from the Windows Server 2008 Step-by-Step Guides page (www.microsoft.com/downloads/details.aspx?FamilyID=518d870c-fa3e-4f6a-97f5acaf31de6dce&DisplayLang=en). We also provide a direct link to the Windows Server 2008 Technical Library, which is starting to flesh out significantly as this new OS is readied for release.
Windows Server 2008 Books
A quick hop up to your favorite online bookstore will no doubt augment this list immediately, but here are a couple of titles we’ve heard good things about as we’re working on our own book (and as Microsoft continues to ready Windows Server 2008 for its commercial release).
• Administering Windows Server 2008 Server Core, by John Paul Mueller (Wiley Publishing, February 2008) is designed to serve as both a tutorial and a desk reference for administrators. This book includes a discussion of the new interface, describes how to perform all kinds of tasks, and provides a complete reference for relevant Server Core commands. Topics included cover performing essential maintenance, executing registry hacks, automating routine tasks, managing hardware, managing the network, working with TCP/IP, working with applications and data, monitoring system events and performance, managing users, and securing your system. Mueller’s book makes an excellent supplement to this one.
• Windows Server 2008 Implementation and Administration, by Barrie Sosinsky (Wiley Publishing, February 2008). This book provides concise instruction for IT professionals already trained to use earlier versions of Windows Server. It dispenses with common Windows networking technology and concepts that administrators already know, such as DHCP, DNS, and basic Active Directory, to concentrate on the crucial features of the new operating system. This book seeks to bridge the old to the new without making readers relearn familiar material. Thus, this book contains topics that might be found in other Windows Server 2008 books, but it’s organized to enable the reader to use these technologies more quickly. As much as possible, the book presents instructional how-to material with an eye toward teaching administrators to use Windows Server 2008 in new and more productive ways.
Server-Friendly Publications
The entire computer trade press always covers Microsoft, to a greater or lesser extent. Table B-2 points you to publications where you’re most likely to find information relevant to the needs and interests of system or network administrators, and other IT professionals, who are among the people most likely to work with Windows Server 2008 on a day-to-day basis.
Table B-2  Windows Server Publications
Name | URL
Microsoft Certified Professional Magazine Online | www.mcpmag.com
Windows IT Pro Magazine | www.windowsitpro.com
Redmond Magazine | www.redmondmag.com
• MCP Magazine, as this publication is better known, caters to certified Microsoft professionals, most of whom manage Windows systems and servers for a living. This isn’t an exclusively server-focused publication, but it provides lots of useful information about Microsoft operating systems and technologies.
• WindowsITPro Magazine is probably the best and most highly regarded of the specialty publications that focus on Windows-oriented IT professionals. This publication does a great job of covering server hardware, software, and operating systems and should continue to be a great source of information on Windows Server 2008 for interested professionals.
• Redmond Magazine is another publication that caters to the needs of working IT professionals with a Windows focus. This publication also does a good job of covering server hardware, software, and operating systems, and it’s also devoting increasing coverage to Windows Server 2008.
Other Third-Party Windows Server 2008 Sources
To some extent, we appreciate the existence and variety of third parties who also provide information about Windows Server 2008. That’s because Microsoft sources must toe the company line and can’t always be as exact (or as direct) when it comes to identifying trouble spots and how to work around them. Typically, that’s where the third parties really come into their own, and it’s what makes them so worth attending to, as listed in Table B-3.
Table B-3  Other Third-Party Windows Server Resources
Name | URL
Windows Server Troubleshooting | http://teamapproach.ca/trouble
WindowsNetworking.com | www.windowsnetworking.com
ZDNet Troubleshooting Windows Server 2003 | http://downloads.zdnet.com/download.aspx?docid=172733
• Windows Server Troubleshooting: The Canadian Team Approach group has put a stellar server troubleshooting guide together here. Although it doesn’t yet include many Windows Server 2008 specifics, we expect them to remedy this in the near future. It’s one of the best general troubleshooting references we’ve ever seen anywhere.
• WindowsNetworking.com: This is a Web site that caters to professional IT administrators who manage Windows servers, among other elements of the IT infrastructure. Among this site’s many attractions are articles on current and emerging technologies, a large collection of information and tips under an “Admin KnowledgeBase” heading, plus tutorials on all kinds of subjects bound to be of interest to anybody who manages a Windows Server of just about any vintage, including Windows Server 2008. See a collection of Windows Server 2008 articles and tutorials at www.windowsnetworking.com/articles_tutorials/Windows_Server_2008.
• ZDNet Troubleshooting Windows Server 2003: The editors at ZDNet have done a great job of assembling a detailed, thorough Windows Server 2003 troubleshooting guide. While we hope they’ll do likewise for Windows Server 2008 ASAP, there’s a lot in here that remains fresh and relevant, even for those who use Windows Server 2008 instead.
Index • Symbols and Numerics • 100 Mbps Ethernet, 67 100BaseT standard (Fast Ethernet), 67 100BaseVG-AnyLAN standard, 67 802.11 wireless support, 64
•A• AAM (Admin Approval Mode), 17 access to applications, 33–34 authenticated, 16 controlling, 36 printer, 167–168 problems with, 225–226 remote, 109 to trusts, 154 unauthenticated, 16 user, 275–277 Access Control Lists (ACLs), 149, 227–229, 337–338 access methods, 66 access points (APs), 16 access tokens, 230 Account Lockout Policy, 273 Account tab, 208 accounts Account Lockout Policy, 273 Administrator, 202–203 decoy, 278 domain user, 202 dummy, 278 Guest, 202–204 HelpAssistant, 203 SAM (Security Accounts Manager), 118–119, 140 UAC (User Account Control), 17, 337
user managing, 211 properties, 201–204 user account objects, 201 ACLs (Access Control Lists), 149, 227–229, 337–338 ACT (Application Compatibility Toolkit), 75, 294 activation, 88–89 Active Directory (AD). See also Active Directory Users and Computers console directory permissions, 149–152 directory services, 115–116 domain controllers overview, 118–122 roles, 137–139 features global catalogs, 125–126 overview, 121–122 replication, 122–124 schemas, 124–125 installing, 129–132 locating data, 118 management of ADSI, 148 creating directory objects, 145–147 finding directory objects, 148 overview, 144 Users and Computers console, 144–145 managing data, 117–118 multimaster replication, 141–144 multiplying domains, 133–136 organizing data, 116–117 overview, 36, 115, 137 planning for, 126–129 trust relationships, 140, 152–154
392
Windows Server 2008 For Dummies Active Directory Certificate Services (AD-CS), 97 Active Directory Domain Services (AD-DS), 97 Active Directory forests, 122, 125 Active Directory Installation Wizard, 127, 137 Active Directory Lightweight Services (AD-LDS), 98 Active Directory Rights Management Services (AD-RMS), 98 Active Directory Scripting Interface (ADSI), 144, 148 Active Directory Users and Computers console access problems, 225–226 creating accounts Account tab, 208 Address tab, 208 Dial-in tab, 211 General tab, 208 Member Of tab, 210 Organization tab, 210 process of, 204–211 Profile tab, 208–209 Telephones tab, 210 group policies administering, 219–220 auditing, 224 creating, 222–223 overview, 219 processing of, 221–222 groups built-in, 215–217 creating, 214 managing, 215 overview, 212 scopes, 212–214 overview, 144–145, 201 user accounts managing, 211 properties of, 201–204 user profiles, 217–219 Active Server Pages (ASP), 11
AD. See Active Directory; Active Directory Users and Computers console AD Directory Service (DS), 36 AD-CS (Active Directory Certificate Services), 97 Add Printer icon, 160–161 add-in cards, 287–289 address pools, 196 Address tab, 208 addresses, network, 368–369. See also Internet Protocol (IP) addresses AD-DS (Active Directory Domain Services), 97 AD-LDS (Active Directory Lightweight Services), 98 Admin Approval Mode (AAM), 17 administrative control, delegating, 151–152 administrative shares, 277–278 Administrator accounts, 202–203 administrator role, 330 AD-RMS (Active Directory Rights Management Services), 98 ADSI (Active Directory Scripting Interface), 144, 148 advanced permissions, 233 Advanced Security Settings dialog box, 150, 233–234 Advanced tab, 170 Allow or Deny setting, 232 AMD servers administrator role, 330 building inserting PSU, 319–320 installing hard disk drives, 326–327 installing optical disk, 328–329 installing OS, 329–330 overview, 319 seating CPU and cooler, 320–324 seating RAM modules, 324–326 setting up hardware, 329 cases, 318 CPUs, 316–317
Index disk space, 318 memory, 317 motherboards, 316–317 network connections, 318 overview, 315–316 power supplies, 318 answer files, 356 API (application programming interface), 28, 193 application access, 33–34 Application Compatibility Toolkit (ACT), 75, 294 Application logs, 343 application programming interface (API), 28, 193 Application Server (AS), 98 Applications and Services logs, 343 APs (access points), 16 archive bit, 244 AS (Application Server), 98 ASP (Active Server Pages), 11 ASR (Automated System Recovery), 88–90 ATL (Automated Tape Library), 245 atomic operations, 123 attribute-level ACLs, 227–229 attributes, 121, 228–229, 244 auditing, 224 authenticated access, 16 automated installation, 37, 92, 356–357 Automated System Recovery (ASR), 90 Automated Tape Library (ATL), 245 automatic address allocation mode, 31 automatic client addressing, 14
•B• backbones defined, 43 overview, 69–70 testing, 47 Background Intelligent Transfer Service (BITS), 100
backup destinations, 255–256 backup domain controller (BDC), 119–121, 138, 140 Backup facility command line backups, 253–254 destinations, 255–256 media settings, 255–256 overview, 102, 251–253 scheduling jobs, 256 targets, 254–255 volumes, 254–255 backup media, 248 Backup Operators group, 260–261 backup units, 247–248 backups AD, 130 Backup facility command line backups, 253–254 destinations, 255–256 media settings, 255–256 overview, 102, 251–253 scheduling jobs, 256 targets, 254–255 volumes, 254–255 Backup Operators group, 260–261 evaluating tape systems, 258–260 before making changes, 74, 361 network versus local, 245–246 overview, 241–242 planning, 249–251 potential threats, 242–243 restoring from, 256–257 storage options, 246–249 third-party options, 257–260 types of, 243–245 bad splices, 61 bandwidth, 59, 65–68 banner pages, 170 baseband cable, 58–59 BDC (backup domain controller), 119–121, 138, 140 binary buffer comparisons, 124 binary numbers, 180–181 BitLocker Drive Encryption, 17, 35, 99
BITS (Background Intelligent Transfer Service), 100 blueline copying system, 49 books, Windows Server 2008, 387–389 boot drive, 378 boot partition, 378 Boot Protocol (BOOTP), 31 boot volume, 378 BOOTP (Boot Protocol), 31 broadband transmission, 59 brute-force attacks, 269–271 budgeting, 292–293 buffer coating, 60 built-in groups, 215–217 built-in network interfaces, 52–55 bus mastering, 367 bus slots, 380–381
•C• cable contractors, 58, 65 cable installers, 46, 50 cable segments, 69 cables baseband, 58–59 coaxial, 61–62 fiber-optic, 59–61 HFC networks, 62–63 installing, 46, 64–65 overview, 57–59 plenum-rated, 65 twisted-pair, 59 UTP, 61 cabling plans, 49–50 CAD (Computer Aided Design), 42 callback, 211 Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA), 66–67 Carrier Sense Multiple Access/Collision Detection (CSMA/CD), 66–68 Cartridge Maintenance tab, 170 cases, 289–290, 302, 318
catalog compliance, 355 Cheops application, 52 chimney offload architecture, 28 chimneys, 28 chips, 375 cladding, 61 clients automatic addressing, 14 management of, 37 networking, 21–23 preferences of, 30–35 setting up printing for, 168 WINS, 192 clustering, 15–16, 42 CMAK (Connection Manager Administration Kit), 100 coaxial (coax) cable, 61–62 collapsed backbones, 43 collisions, 66–68, 124 Color Management tab, 170 command line backups, 253–254 compatibility checks, 294–295 componentization, 94 components server controllers, 377–381 disk drives, 377–379 motherboards, 374–375 network adapters, 383–384 overview, 373 processors, 375–376 RAID, 377–378, 381–383 RAM, 376–377 shopping for PC, 293–294 Compound TCP (CTCP), 26 Computer Aided Design (CAD), 42 computer names, 176–177, 191–193 computer rooms, protecting, 264–266 configuring ICT dialog box, 94–95 overview, 93 remote connections, 111–114
Server Manager application console, 96–103 DHCP and DNS, 109–111 directory trees and forests, 103–108 IIS and WMS, 108–109 overview, 95–96 Connection Manager Administration Kit (CMAK), 100 connection state, 28 connection-oriented protocols, 54 container objects, 145–146, 232 context driven, 145 contiguous namespaces, 134 contractors, cable, 58, 65 controllers disk, 377–381 domain backup (BDC), 119–121, 138, 140 modes, 131–132 overview, 104, 118 PDC emulator, 139 primary (PDC), 119–121, 137 promoting, 130 read-only (RODC), 103, 269 upgrading, 126 coolers importance of, 291–292 installing, 323–324 seating, 308–309, 320–324 copy backups, 244 cores, 284–285, 375 CPUs (central processing units) choosing, 316–317 installing, 321–322 overview, 375–376 seating, 305–308, 320–324 speed of, 292 Create Custom View dialog box, 342 Create Time Inheritance, 240 CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance), 66–67 CSMA/CD (Carrier Sense Multiple Access/Collision Detection), 66–68
CTCP (Compound TCP), 26 custom installation, 359–360 Custom Views container, 342
•D• daily backups, 244 data collector sets, 345 data losses, 242–243 data transfer rates, 64 database, AD, 130–131 database size, 143–144 data-based services, 35 Datacenter Edition, Windows Server 2008, 11 decoy accounts, 278 deep searches, 125 default gateways, 184 Default-First-Site, 127 Delegate Administration Wizard, 239 delegating access control, 239 administrative control, 151–152 Delegation of Control Wizard, 152 Desktop Experience, 100 Developer Network, Microsoft, 370 Device Manager application, 341, 345 Device Settings tab, 170 DHCP (Dynamic Host Configuration Protocol), 31–32, 98, 109, 195–197 Dial-in tab, 211 dial-up clients/hosts, 111 differential backups, 244 DIMMS (double inline memory modules), 376 DIP (dual in-line package) switches, 82 Direct Memory Access (DMA), 366 directory objects, 145–148 directory permissions, 149–152 directory restoration mode, 130 directory services. See Active Directory directory trees, 103–104 disabling unnecessary services, 348 disaster recovery, 250–251
disk controllers, 377–381 disk defragmentation, 349 disk drives, 377–379 disk duplexing, 383 disk mirroring, 383 disk space, 169, 286–287, 300–301, 318 distribution groups, 212 DMA (Direct Memory Access), 366 DNS (Domain Name Service) Active Directory, 118–119 client networking, 22 IP addresses, 178, 193–195 domain controller roles, 137–139 domain controllers backup (BDC), 119–121, 138, 140 modes, 131–132 overview, 104, 118 PDC emulator, 139 primary (PDC), 119–121, 137 promoting, 130 read-only (RODC), 103, 269 upgrading, 126 domain name registrars, 179 Domain Name Service (DNS) Active Directory, 118–119 client networking, 22 IP addresses, 178, 193–195 domain trees, 122, 134–136 domain user accounts, 202 domains, 103–104, 118–121 dotted-decimal notations, 180–181 double inline memory modules (DIMMS), 376 drive letters, 86 dry-fit approach, 308 DS (AD Directory Service), 36 dual in-line package (DIP) switches, 82 dual network interfaces, 287, 294 Dummies.com Web site, 5–6 dummy accounts, 278 DVD-ROM, 75, 360–361 dynamic address allocation mode, 31 Dynamic Host Configuration Protocol (DHCP), 31–32, 98, 109, 195–197 dynamic inheritance, 239
•E• ECC (Error Correcting Code) memory, 286–287, 376–377 ECN (Explicit Congestion Notification), 26 education, security, 267–268 Effective Permissions tab, 238 electromagnetic interference (EMI), 59–60 Enable low-resolution video option, 359 encapsulated data, 28 end-to-end connection, 185 Enterprise Edition, Windows Server 2008, 11 enterprise forests, 125 enterprises, needs of, 35–38 Error Correcting Code (ECC) memory, 286–287, 376–377 Ethernet cable notation, 58 Event logs, 342–343 Everyone group, 276 Exchange Server, Microsoft, 118 Explicit Congestion Notification (ECN), 26 explicit permissions, 150–151 extender cards, 52–55 extensibility, 121 eXtensible Markup Language (XML) services, 11
•F• “faceless” computers, 76 Failover Clustering (FC) feature, 102 failover clusters, 15–16, 42, 102 fans, 291–292 Fast Ethernet (100BaseT standard), 67 FAT (File Allocation Table) file system, 79, 227–229, 234–235, 250 Fax and Scan applet, 172–174 faxing, 172–174 FC (Failover Clustering) feature, 102 FC-AL (Fibre Channel Arbitrated Loops), 246 Federated Rights Management, 269 fiber-optic cables, 59–61
Fibre Channel Arbitrated Loops (FC-AL), 246 field-serviceable parts, 12 File Allocation Table (FAT) file system, 79, 227–229, 234–235, 250 file permissions, 229 File Services, 98 file shares, 227 File Transfer Protocol (FTP), 15, 151 firewalls, 18, 95, 186–187, 365 Flexible Single Master Operation (FSMO) roles, 120, 138 floppy disks (floppies), 278–279 Forefront Security Technologies, Microsoft, 17 forest root domains, 104 forests, 103–104, 122, 135–136 form-factor, 10 Forward RTO-Recovery (F-RTO), 27 FQDNs (Fully Qualified Domain Names), 106, 179, 193 F-RTO (Forward RTO-Recovery), 27 FSMO (Flexible Single Master Operation) roles, 120, 138 FTP (File Transfer Protocol), 15, 151 Fully Qualified Domain Names (FQDNs), 106, 179, 193
•G• GbE. See Gigabit Ethernet GDI (Graphics Device Interfaces), 156 General tab, 170, 208 Gigabit Ethernet (GbE) motherboards, 52–53, 287 network backups, 246 network implementation plans, 40–42 overview, 68 global catalogs, 122, 125–126, 148 global groups, 213 globally unique identifiers (GUID), 124 GPDBPA (Group Policy Diagnostic Best Practice Analyzer), 338 graphical user interfaces (GUI), 80, 111 graphics cards, 291
Graphics Device Interfaces (GDI), 156 group policies administering, 219–220 auditing, 224 creating, 222–223 overview, 219 processing of, 221–222 Group Policy Diagnostic Best Practice Analyzer (GPDBPA), 338 Group Policy dialog box, 224 Group Policy tab, 220 groups built-in, 215–217 creating, 214 managing, 215 overview, 212 scopes, 212–214 Guest accounts, 202–204 GUI (graphical user interfaces), 80, 111 GUID (globally unique identifiers), 124
•H• hard disk drives, 311–312, 326–327 hardware for backup systems, 247–249 checking, 364 diagnosing startup errors, 335–336 documenting, 250 enhancements, 366–367 requirements, 78–81, 354–355 server, 355 setting up, 313, 329 “headless” computers, 76 health checks, 36 heat buildup, 291 HelpAssistant accounts, 203 hertz (Hz) ratings, 59 HFC (hybrid fiber-coaxial) networks, 62–63 Hierarchical Storage Management (HSM), 259 high watermark vector, 124 high-loss environments, improving, 27
home theater PCs (HTPCs), 10 host IDs, 180–182 hotfixes, 274 hot-swappable drives, 287 HSM (Hierarchical Storage Management), 259 HTPCs (home theater PCs), 10 HTTP (HyperText Transfer Protocol), 122 hybrid fiber-coaxial (HFC) networks, 62–63 HyperText Transfer Protocol (HTTP), 122 Hz (hertz) ratings, 59
•I• ICMP (Internet Control Message Protocol), 55 icon tray, 89 icons used in this book Key Concept, 5 Remember, 5 Technical Stuff, 6 Tip, 6 Warning, 6 ICT (Initial Configuration Tasks) dialog box, 73, 94–95, 104 IDE (Integrated Drive Electronics) interfaces, 246 IEEE (Institute of Electrical and Electronic Engineers), 58 IETF (Internet Engineering Task Force), 134 IIS (Internet Information Services), 11, 35, 79, 99, 108–109 ILDs (injection laser diodes), 61 ImageX tool, 359 implementation plans, network, 39–42 incremental backups, 245 Indexing Service, 348 inherited permissions, 150–151 Initial Configuration Tasks (ICT) dialog box, 73, 94–95, 104 injection laser diodes (ILDs), 61
installation AD, 129–132 cable, 46, 64–65 cooler, 323–324 CPU, 321–322 network printing, 160–161 optical disk, 312–313, 328–329 OS, 314, 329–330 Windows Server 2008 across the network, 75, 87–88, 356 automated, 75, 92, 356–357 custom, 359–360 DVD-ROM, 75, 360–361 from existing OS, 85–87 failures, 358 hardware requirements, 79–81, 354–355 LKGC, 359 low resolution video, 358–359 overview, 73, 353 planning, 73–79 post-installation tasks, 88–90, 361 problems with, 91–92 process, 82–85 professional, 46 pushing, 75 RIS, 88 troubleshooting, 358 Institute of Electrical and Electronic Engineers (IEEE), 58 Integrated Drive Electronics (IDE) interfaces, 246 Integrated Services Digital Network (ISDN), 109, 364 integrated virtualization, 12 Intel servers administrator role, 314 building cooler, 305–309 CPU, 305–309 hard disk drives, 311–312 optical disks, 312–313 OS, 314
overview, 303 PSU, 304–305 RAM modules, 309–311 setting up hardware, 313 cases, 302–303 CPUs, 298–299 disk space, 300–301 memory, 299–300 motherboards, 298–299 network connections, 301–302 overview, 297–298 power supplies, 302–303 interactive logon, 202 Interactive Logon: Do Not Display Last User Name Policy option, 278 interdomain parent-child relationships, 127 internal network access, 287–289 International Organization for Standardization (ISO), 116 Internet Control Message Protocol (ICMP), 55 Internet Engineering Task Force (IETF), 134 Internet Information Services (IIS), 11, 35, 79, 99, 108–109 Internet Printing Client (IPC), 100 Internet Protocol (IP) addresses classes of, 181–182 components of, 180 configuration of advanced, 189–191 basic, 187–189 overview, 187 DHCP, 195–197 DNS, 193–195 leasing, 184–185 names NetBIOS, 176–177 overview, 175–176 TCP/IP, 178–179 NetBIOS over TCP/IP, 193 network IDs versus host IDs, 180–182 obtaining, 184–185
overview, 175 private, 179, 186 problems with, 197 subnetting of, 182–184 translation of, 185–187 WINS, 191–192 Internet Protocol (TCP/IP) Properties dialog box, 187–188 Internet Protocol Security (IPSec), 18, 32, 185 Internet Protocol version 6 (IPv6), 25–26, 29, 184 Internet SCSI (iSCSI), 54 Internet Security and Acceleration (ISA) Server, 16–17 Internet Service Providers (ISPs), 111–113 Internet Storage Name Server (ISNS), 100 intersite replication, 141–143 intrasite replication, 141–142 inventories, network, 50–52 IP (Internet Protocol) addresses classes of, 181–182 components of, 180 configuration of advanced, 189–191 basic, 187–189 overview, 187 DHCP, 195–197 DNS, 193–195 leasing, 184–185 names NetBIOS, 176–177 overview, 175–176 TCP/IP, 178–179 NetBIOS over TCP/IP, 193 network IDs versus host IDs, 180–182 obtaining, 184–185 overview, 175 private, 179, 186 problems with, 197 subnetting of, 182–184 translation of, 185–187 WINS, 191–192
IP masquerading, 32 IPC (Internet Printing Client), 100 IPng Transition, 181 IPSec (Internet Protocol Security), 18, 32, 185 IPv6 (Internet Protocol version 6), 25–26, 29, 184 ISA (Internet Security and Acceleration) Server, 16–17 iSCSI (Internet SCSI), 54 ISDN (Integrated Services Digital Network), 109, 364 ISNS (Internet Storage Name Server), 100 ISO (International Organization for Standardization), 116 ISPs (Internet Service Providers), 111–113 Itanium-Based Systems, Windows Server 2008 for, 11
•J•
jukebox devices, 248
•K•
Kerberos, 134, 273 kernels, 13 Key Concept icons, 5 keyboards, 291–292
•L•
lab certification, 80–81 LANs (local area networks), 58, 109 large send offload (LSO), 29 Last Known Good Configuration (LKGC), 359–360 LDAP (Lightweight Directory Access Protocol), 36, 117–120, 139 LEDs (light-emitting diodes), 61 legacy clients, 119 light-emitting diodes (LEDs), 61 Lightweight Directory Access Protocol (LDAP), 36, 117–120, 139 lightweight filter (LWF) drivers, 29 listener process, 15 LKGC (Last Known Good Configuration), 359–360 load-balancing, network, 16 local area networks (LANs), 58, 109 local backups, 246 local profiles, 218 logical printer assignments, 158–160 logical printers, 156 logon process, 225–226 logs, 342–343 Longhorn, 9, 126 loopback addresses, 182 low resolution video, 358–359 LPR Port Monitor (LPM), 100 LSO (large send offload), 29 LWF (lightweight filter) drivers, 29
•M•
managed entities, 346–347 mandatory profiles, 219 manual address allocation mode, 31 manuals, installation, 77 maps, network capturing data, 49–50 inventories, 50–52 overview, 48–49 updating, 52 masquerading IP, 32 network, 32 Massachusetts Institute of Technology (MIT), 134 master-slave relationships, 119 media backup, 248 network cable installation, 64–65 fiber-optic and coax cables, 60–63 overview, 57–59 wireless, 63–64 media settings, 255–256
Member Of tab, 210 memory main system, 285–287 random access (RAM), 376–377 selecting and sizing AMD servers, 317 Intel servers, 299–300 server versus computer, 10 memory modules, 309–311, 324–326 memory registers, 376 Message Queuing (MQ), 100 methods, 228 mice, 291–292 Microsoft hardware catalog, 81 lab certification, 80–81 troubleshooting resources, 385–387 Web site, 2–3, 80, 148 Microsoft Application Compatibility Toolkit (ACT), 75, 294 Microsoft Developer Network, 370 Microsoft Directory Synchronization Services (MSDSS), 116 Microsoft Exchange Server, 118 Microsoft Forefront Security Technologies, 17 Microsoft Management Consoles (MMCs), 16, 128, 144, 224 Microsoft Small Business Center, 370 MIT (Massachusetts Institute of Technology), 134 mixed mode domains, 131 MMCs (Microsoft Management Consoles), 16, 128, 144, 224 modems, 112 modes AAM (Admin Approval Mode), 17 automatic address allocation, 31 directory restoration, 130 domain operation, 131–132 dynamic address allocation, 31 manual address allocation, 31 native, 131 .NET, 131
monitoring tools, 344 monitors, 78, 291–292 motherboards, 298–299, 316–319, 374–375 MPIO (Multipath I/O), 100 MQ (Message Queuing), 100 MSDSS (Microsoft Directory Synchronization Services), 116 multiboot systems, 74 multi-homed computers, 185 multimaster replication, 120–123, 141–144 Multipath I/O (MPIO), 100 multiple NICs, 23
•N• name services, 33 names. See also Internet Protocol (IP) addresses NetBIOS, 176–177 overview, 175–176 problems with, 368–369 TCP/IP, 178–179 namespaces, 127, 134 naming conventions, 207 NAP (Network Access Protection), 18, 36, 64, 269, 365 NAS (network attached storage) devices, 10–11 NAT (Network Address Translation), 32–33, 179, 184–185 native mode, 131 NDIS (Network Driver Interface Specification), 16, 28–30 NDS (Novell Directory Services), 116–117 nearline backups, 247 .NET Framework 3.0, 99 .NET interim mode, 131 .NET mode, 131 NetBIOS (Network Basic Input-Output System), 118–119, 176–177, 191–193 NetMon (Network Monitor), 367 NetWare, 116
Network Access Protection (NAP), 18, 36, 64, 269, 365 network adapters, 366–367, 383–384 Network Address Translation (NAT), 32–33, 179, 184–185 network addresses, 368–369 network attached storage (NAS) devices, 10–11 network backups, 245–246 Network Basic Input-Output System (NetBIOS), 118–119, 176–177, 191–193 network connections, 318. See also transmission media Network Connections Property page, 113 Network Driver Interface Specification (NDIS), 16, 28–30 Network File System (NFS) Services, 101 network IDs, 180–182 Network Load Balancing (NLB), 16, 102 network maps capturing data, 49–50 inventories, 50–52 overview, 48–49 updating, 52 network masquerading, 32 network media cable installation, 64–65 fiber-optic and coax cables, 60–63 overview, 57–59 wireless, 63–64 Network Monitor (NetMon), 367 Network Monitor Tools check box, 367 network name resolution, 14 Network Operating System (NOS), 116 Network Policy and Access Services (NPAS), 98 Network Policy Server (NPS), 37 Network Printer Installation Wizard, 169 network protocol stacks, 15, 23–24 network segments, 180 network shares, 235–236 network visualization, 52
networks access to, 287–289 backups of, 245–246 design basics, 42–45 cables, 46 checking installations, 47 devices, 45–46 equipment, 46 evaluation, 47–48 guidelines, 42–45 implementation plan, 39–42 interfaces, 52–55 maps, 49–52 overview, 39 devices for, 45–46 drivers, 15 educating users of, 267–268 installing Windows Server across, 75, 87–88, 356 ports, 44 security accounts policies, 223–224 common weaknesses, 277–279 education, 267–268 features, 13, 16–18 maintaining, 279 overview, 263–264 passwords, 270–274 physical access, 264–267 service packs, 274–275 user access, 275–277 usernames, 269–270 NewReno algorithm, 27 Next Generation TCP/IP stack, 24–27 NFS (Network File System) Services, 101 NICs (network interface cards) versus built-ins, 52–54 cabling needs, 58 inventory of, 51 minimum requirements, 354–355 multiple, 23 NLB (Network Load Balancing), 16, 102
noises, hardware, 336 normal backups, 244 NOS (Network Operating System), 116 notebook theft, 266–267 notification area, 89 Novell Directory Services (NDS), 116–117 Novell NetWare, 116 NPAS (Network Policy and Access Services), 98 NPS (Network Policy Server), 37 nslookup tool, 197 NT 4.0, 118–119 ntbackup program, 251–254 NTFS file systems, 230–233, 250
•O• object permissions, 229 object replication, 143 object-oriented, 230–231 objects, 228–230 octets, 180 odors, hardware heating, 336 offline backups, 247 offloading protocol processing, 27–29 online backups, 247 Open Packaging Conventions (OPC), 155 operating environments, protecting, 264–266 operating systems (OS), 85–87, 314, 329–330 operations master roles, 120, 138–139 optical disks, 312–313, 328–329 optical drives, 291–292 optimization, server disabling unnecessary services, 348 disk defragmentation, 349 managed entities, 346–347 overview, 346 turning off Indexing Service, 348 Options button, 220 Organization tab, 210 organizational units (OUs), 126, 129, 145–146, 204, 239
originating updates, 141 OS (operating systems), 85–87, 314, 329–330 OUs (organizational units), 126, 129, 145–146, 204, 239
•P• P2P (peer-to-peer) relationships, 22–23, 120, 138 Packet Internet Groper (ping) command, 55 Password Policy, 271–272 passwords, 223–225, 270–274 patch releases, 274 PDC (primary domain controller), 119–121, 137 PDC emulator, 120, 139 PE (Preinstallation Environment), 360 Peer Name Resolution Protocol (PRNP), 100 peer-to-peer (P2P) relationships, 22–23, 120, 138 performance, evaluating, 47–48 Performance Monitor tool, 344 peripheral input devices, 292 permissions access control, 239–240 AD, 149–150 advanced, 233–234 calculating, 236–238 defined, 202 explicit, 150–151 FAT and FAT32 file systems, 234 inherited, 150–151 NTFS, 232–233 and objects and rights, 228–230 overview, 229–230 printer, 229 share, 235–236 shortcuts, 238 perpendicular magnetic recording (PMR) hard disks, 318 physical print devices, 158
ping (Packet Internet Groper) command, 55 ping tool, 197 plenum-rated cables, 65 plenums, 65 PMC (Print Management Console), 169 PMR (perpendicular magnetic recording) hard disks, 318 PRNP (Peer Name Resolution Protocol), 100 Point-to-Point Protocol (PPP) feature, 113, 272 Point-to-Point Tunneling Protocol (PPTP) feature, 113 policy-based controls, 36–37 pooling, print device, 158–160 Ports tab, 170 POST (Power-On Self-Test), 313, 329 post-installation tasks, 88–90, 361 power supplies, 289–290, 302, 318 power supply units (PSUs), 285, 289–290, 304–305, 318–320 Power-On Self-Test (POST), 313, 329 PowerShell, 13, 102 PPP (Point-to-Point Protocol) feature, 113, 272 PPTP (Point-to-Point Tunneling Protocol) feature, 113 Preboot Extension Environment (PXE), 88 Preinstallation Environment (PE), 360 preinstallation tasks, 75–76 primary domain controller (PDC), 119–121, 137 principle of least privilege, 275 print devices attaching to print servers, 164–166 attaching to servers, 162–164 attaching to workstation PCs, 166–167 drivers, 156 installing, 160 managing, 169 memory, 169 overview, 158, 161–162 pooling, 158–160
Printers folder, 171–172 sharing, 167–168 print jobs, 157 Print Management Console (PMC), 169 print models devices, 158 logical assignments, 158–160 overview, 156–157 print process, 156 print queues, 157 print servers, 157, 164–166 Print Services (PS), 98 print users, 156 printer access, sharing, 167–168 printer permissions, 229 Printer Set Up Wizard, 162–163 printers, 156. See also print devices Printers and Faxes folder, 166–168 Printers folder, 160–161 printing. See also print devices faxing, 172–174 installing on servers, 160–161 overview, 155–156 print model devices, 158 logical assignments, 158–160 overview, 156–157 problems, 171–172 setting up on client side, 168 sharing printer access, 167–168 Windows 2008–based printers, 169–171 private IP addresses, 179 processors, 284–285, 298–299, 375–376 production systems, 250 Profile tab, 208–209 propagation-dampening schemes, 124 property replication, 143 property version numbers (PVNs), 124 property-based inheritance, 239–240 protocol stacks, 15, 23–24 proxy servers, 186–187 PS (Print Services), 98 PSUs (power supply units), 285, 289–290, 304–305, 318–320
publications, Windows Server, 387–389 pushing installations, 75 push/pull concept, 22, 33 PVNs (property version numbers), 124 PXE (Preboot Extension Environment), 88
•Q• Quality of Service (QoS), 13, 25–26 Quality Windows Audio/Video Experience (qWave), 101
•R• RA (Remote Assistance), 101 RADIUS (Remote Authentication Dial-In User Service), 37, 114 RAID (redundant arrays of inexpensive disks) building, 381–383 documenting, 250 overview, 286–288, 377–378 planning for, 301 Raise Domain Functionality dialog box, 131–132 random access memory (RAM) overview, 376–377 seating modules, 309–311, 324–326 RAS (Remote Access Services), 79, 109, 202 RD (Recovery Disc) utility, 101 RDC (Remote Desktop Connection), 34, 37 RDMA (Remote Direct Memory Access), 54 RDP (Remote Desktop Protocol), 34, 37, 95 RE (Recovery Environment), 359–360 read-only domain controller (RODC), 103, 269 receive window auto-tuning, 25–26 receive window size, 25 receive-side scaling, 29–30 Recovery Disc (RD) utility, 101
Recovery Environment (RE), 359–360 redundancy, 23, 37 redundant arrays of inexpensive disks (RAID) building, 381–383 documenting, 250 overview, 286–288, 377–378 planning for, 301 registered ECC, 376 Relative ID (RID) master, 139 Reliability Monitor, 344–345 Remember icons, 5 Remote Access Services (RAS), 79, 109, 202 Remote Assistance (RA), 101 Remote Authentication Dial-In User Service (RADIUS), 37, 114 Remote Desktop Connection (RDC), 34, 37 Remote Desktop Protocol (RDP), 34, 37, 95 Remote Direct Memory Access (RDMA), 54 Remote Installation Service (RIS), 75, 88 Remote Server Administration Tools (RSAT), 97, 101 Removable Storage Manager (RSM), 101, 251 replicated updates, 141 replication, 122–124, 141–144 replication cycles, 123, 139, 141–143 Requests for Comments (RFCs), 134 resources, third-party Windows Server, 389–390 RFCs (Requests for Comments), 134 RID (Relative ID) master, 139 RIS (Remote Installation Service), 75, 88 roaming profiles, 217–219 RODC (read-only domain controller), 103, 269 root domains, 122 round trip time (RTT), 27 route tool, 197 routers, 54, 180, 185
Routing and Remote Access management console, 109–111 routing capability, 109, 364–365 RSAT (Remote Server Administration Tools), 97, 101 RSM (Removable Storage Manager), 101, 251 RTT (round trip time), 27
•S• SACK (Selective Acknowledgement) option, 27 SAM (Security Accounts Manager), 118–119, 140 SAN (storage area networks), 11, 246 SATA (Serial Advanced Technology Attachment) hard drives controllers overview, 377–378 versus SCSI controllers, 379–381 local backup, 246 overview, 377–380 scanning, 172–174 schemas, 124–125, 138–139 SCSI (Small Computer System Interface) hard drives controllers overview, 377–378 versus SATA controllers, 379–381 drivers, 78 local backup, 246 overview, 377–379 Search components, 148 secure sockets layer (SSL), 17, 185 Security Accounts Manager (SAM), 118–119, 140 security groups, 212 Security Log, 224 security, network accounts policies, 223–224 common weaknesses, 277–279 education, 267–268 features, 13, 16–18
maintaining, 279 overview, 263–264 passwords, 270–274 physical access, 264–267 resources, 279 service packs, 274–275 user access, 275–277 usernames, 269–270 security policies, 267–268 Security Reference Monitor (SRM), 230 Security tab, 150, 170 segments cable, 69 network, 180 Selective Acknowledgement (SACK) option, 27 sequence identifiers, 29 Serial Advanced Technology Attachment (SATA) hard drives controllers overview, 377–378 versus SCSI controllers, 379–381 local backup, 246 overview, 377–380 Serial Line Internet Protocol (SLIP) feature, 113 Server 2008 basics of, 18–19 DVD-ROM, 75, 360–361 editions of, 11–12 minimum requirements for, 354 networking features overview, 14 security, 16–18 Server Manager, 16 server services, 14–16 online resources, 386–387 overview, 9–11 problems, 332–337 publications, 387–389 reasons to use, 12–14 security features, 269 third-party resources, 389–390 utilities, 81
server clusters, 15–16 Server Core installation option, 284 Server Manager application directory trees and forests, 103–108 features, 99–102 overview, 12–13, 16, 96–103 server roles, 97–99 WMS, 108–109 server networking versus client networking, 21–23 enhancement of NDIS, 28–30 Next Generation TCP/IP stack, 24–27 offloading protocol processing, 27–28 overview, 24 TCP Chimney, 28 multiple NICs, 23 overview, 21–38 services client preferences, 30–35 enterprise preferences, 35–38 overview, 30 server optimization disabling unnecessary services, 348 disk defragmentation, 349 managed entities, 346–347 overview, 346 turning off Indexing Service, 348 server roles list of, 97–99 overview, 95–96 servers cases, 289–290 components of, 291–292 graphics, 291 hardware, 9–10, 293 memory, 285–286 prices, 377 selecting and sizing, 299–300, 317 server versus computer, 10 motherboards, 374–375 network access, 287–289 overview, 284 power supply, 289–290
preparing for installation, 82 processors, 284–285, 375–376 RAID, 286–287 setting up, 104–108 WINS, 192 service applications, 15 Service Hardening, 17 Service logs, 343 service packs, 89–90, 274–275 services defined, 228 disabling, 348 Services tool, 367–368 session serialization, 29 Setup logs, 342–343 setup process, 78–79, 82–85 share system volume (SYSVOL), 130–131 shared system memory, 366 SharePoint Services, 35 shares administrative, 277–278 file, 227 network, 235–236 sharing printer access, 167–168 Sharing tab, 170 Shiva Password Authentication Protocol (SPAP), 272 shopping, PC component, 293–294 Simple Mail Transfer Protocol (SMTP), 101 sites, 127–129, 141 SLIP (Serial Line Internet Protocol) feature, 113 Small Business Center, Microsoft, 370 Small Computer System Interface (SCSI) hard drives controllers overview, 377–378 versus SATA controllers, 379–381 drivers, 78 local backup, 246 overview, 377–379 smart cards, 114 smells, hardware heating, 336
SMTP (Simple Mail Transfer Protocol), 101 software backup, 248–249 deployment, 37–38 installation, 77–78 SPAP (Shiva Password Authentication Protocol), 272 splicing cables, 61 spooling, print job, 157, 169 SRM (Security Reference Monitor), 230 SSL (secure sockets layer), 17, 185 stacks, network protocol, 15, 23–24 staged backbones, 43 Standard Edition, Windows Server 2008, 11 static discharge, 303 static model, 240 storage area networks (SAN), 11, 246 Storage Server 2008, 11 striping, 382–383 subnet masks, 182–183 subnetting, 182–184 Super Video Graphics Array (SVGA) monitors, 78 support, troubleshooting, 369–370 SVGA (Super Video Graphics Array) monitors, 78 Syspart utility, 357 Sysprep utility, 357 system drives, 378 system partitions, 378 system testing, 47 system tray, 89 system volumes, 378 SYSVOL (share system volume), 130–131
•T• tabs Account, 208 Address, 208 Advanced, 170 Cartridge Maintenance, 170
Color Management, 170 Device Settings, 170 Dial-in, 211 Effective Permissions, 238 General, 170, 208 Group Policy, 220 Member Of, 210 Organization, 210 Ports, 170 Profile, 208–209 Security, 150, 170 Sharing, 170 Telephones, 210 tape backup systems, 249–250, 258–260 targets, 254–255 TCP Chimney feature, 28 TCP/IP (Transmission Control Protocol/Internet Protocol) configuring requirements, 187–191 names, 178–179 NetBIOS, 193 problems, 197 resources, 196 toolkits, 365–366 TCP/IP Offload Engine (TOE) cards, 54, 302, 318, 366, 383–384 TechNet CD, 370 Technical Stuff icons, 6 technology. See components Telephones tab, 210 Telnet application services, 15 Telnet Client, 101 Telnet Server, 101 telnet tool, 197 Terminal Services (TS), 33–35, 98 test plans, 40–42 TFTP (Trivial File Transfer Protocol), 101 thermal paste, 308–309, 323 third-party backup packages, 258 third-party Windows Server resources, 389–390 threats, data, 242–243 throughput, 59 time stamps, 124
Tip icon, 6 TOE (TCP/IP Offload Engine) cards, 54, 302, 318, 366, 383–384 top-level domains, 178 TPM (Trusted Platform Module), 17 tracert tool, 197 transceivers, 61 Transmission Control Protocol/Internet Protocol (TCP/IP) configuring requirements, 187–191 names, 178–179 NetBIOS, 193 problems, 197 resources, 196 toolkits, 365–366 transmission media backbones, 69–70 bandwidths, 65–68 network media cable installation, 64–65 fiber-optic and coax cables, 60–63 overview, 57–59 wireless, 63–64 overview, 57 transparent infrastructure, 30 trees directory, 103–104 domain, 122, 134–135 Trivial File Transfer Protocol (TFTP), 101 troubleshooting hardware and software updates, 340–341 network hardware problems, 364 names and addresses, 368–369 network adapters, 366–367 Network Monitor, 367 overview, 363 preventing problems, 370 recent changes, 369 routing, 364–365 Services tool, 367–368 support for, 369–370 TCP/IP toolkits, 365–366 overview, 331–332
  resources for
    Microsoft, 385–387
    overview, 385
    publications, 387–389
    third-party sources, 389–390
  run-time issues
    Group Policy infrastructure, 338
    overview, 337
    printing infrastructure, 338–339
    User Account Control, 337–338
  Server Manager
    Event Viewer, 341–343
    overview, 341
    Performance Diagnostics, 343–345
    Services, 343
  setup failures
    overview, 332
    restart failure, 333
    unavailable partition, 332–333
  startup errors, 335–336
  startup failures
    corrupt file or volume, 334–335
    driver failure, 334
    hardware failure, 334
    malware or viral infection, 335
    misconfigured settings, 335
  Windows activation, 339–340
trust relationships, 120, 133–134, 140, 152–154
Trusted Platform Module (TPM), 17
TS (Terminal Services), 33–35, 98
twisted-pair cables, 59
two-way transitive trusts, 104
•U•
UAC (User Account Control), 17, 337
UDDI (Universal Description, Discovery, and Integration), 99
unattended installation, 37, 92, 356–357
unauthenticated access, 16
Uniform Resource Locators (URLs), 178
uninterruptible power supply (UPS) devices, 76, 265, 290
units
  backup, 247–248
  organizational (OUs), 126, 129, 145–146, 204, 239
Universal Description, Discovery, and Integration (UDDI), 99
universal groups, 131, 213
unshielded twisted pair (UTP) cables, 61
update sequence numbers (USNs), 123–124
upgrade installation, 73–74
UPS (uninterruptible power supply) devices, 76, 265, 290
up-to-date vectors, 124
URLs (Uniform Resource Locators), 178
user access, 275–277
User Account Control (UAC), 17, 337
user account objects, 201
user accounts
  managing, 211
  properties, 201–204
User Creation Wizard, 146–147
user objects, 146–147
user profiles, 217–219
user rights, 202, 229–230, 276–277
usernames, 269–270, 278
USNs (update sequence numbers), 123–124
UTP (unshielded twisted pair) cables, 61
•V•
VeriSign domain name registrar, 178–179
VGA (Video Graphics Array) monitors, 78
Video Graphics Array (VGA) monitors, 78
video, low resolution, 358–359
virtual private networks (VPNs), 17
virtualization capability, 14, 115, 292–293
viruses, 242–243
Visio application, 52
Vista, 9
Vista Upgrade Advisor, 294
visualization, network, 52
volumes, 254–255
VPNs (virtual private networks), 17
•W•
WANs (wide area networks), 57, 109, 127
Warning icons, 6
WCF (Windows Communication Foundation) Web Services, 34
WDS (Windows Deployment Services), 99
Web Edition, Windows Server 2008, 11
Web Server, 11, 35, 79, 99, 108–109
Web-based services, 35
WER (Windows Error Reporting), 345
WID (Windows Internal Database), 102
wide area networks (WANs), 57, 109, 127
WIF (Windows Imaging Format), 38, 359–361
WiFi (wireless) devices, 63–64
Wi-Fi Protected Access 2 (WPA2), 64
Windows Communication Foundation (WCF) Web Services, 34
Windows Deployment Services (WDS), 99
Windows Fax and Scan applet, 172–174
Windows Firewall, 18, 95, 187, 365
Windows Imaging Format (WIF), 38, 359–361
Windows Indexing Service, 348
Windows Internal Database (WID), 102
Windows Internet Name Service (WINS), 33, 102, 178, 191–193
Windows Management Instrumentation (WMI) enhancements, 16
Windows Media Services (WMS), 108–109
Windows NT 4.0, 118–119
Windows PowerShell, 13, 102
Windows Preinstallation Environment (PE), 360
Windows Process Activation Service (WPAS), 102
Windows Recovery Environment (Windows RE), 359–360
Windows Server 2008. See also Active Directory
  basics of, 18–19
  DVD-ROM, 75, 360–361
  editions of, 11–12
  minimum requirements for, 354
  networking features
    overview, 14
    security, 16–18
    Server Manager, 16
    server services, 14–16
  online resources, 386–387
  overview, 9–11
  problems, 332–337
  publications, 387–389
  reasons to use, 12–14
  security features, 269
  third-party resources, 389–390
  utilities, 81
Windows Server Backup (WSB) facility
  command line backups, 253–254
  destinations, 255–256
  media settings, 255–256
  overview, 102, 251–253
  scheduling jobs, 256
  targets, 254–255
  volumes, 254–255
Windows Server Catalog, 355
Windows Server Virtualization, 14, 115, 292–293
Windows Service Hardening, 17
Windows SharePoint Services (WSP), 99
Windows Storage Server 2008, 11
Windows System Resource Manager (WSRM), 102
Windows Vista features, 9
WINS (Windows Internet Name Service), 33, 102, 178, 191–193
wireless (WiFi) devices, 63–64
Wireless LAN (WLAN) Service, 102
wireless networks, 63–64
wiring systems, 59
WLAN (Wireless LAN) Service, 102
WMI (Windows Management Instrumentation) enhancements, 16
WMS (Windows Media Services), 108–109
WPA2 (Wi-Fi Protected Access 2), 64
WPAS (Windows Process Activation Service), 102
WSB (Windows Server Backup) facility
  command line backups, 253–254
  destinations, 255–256
  media settings, 255–256
  overview, 102, 251–253
  scheduling jobs, 256
  targets, 254–255
  volumes, 254–255
WSB facility. See Windows Server Backup (WSB) facility
WSP (Windows SharePoint Services), 99
WSRM (Windows System Resource Manager), 102
•X•
X.500 directory, 116–118, 121
XML (eXtensible Markup Language) services, 11
XPS (XML Paper Specification), 155
BUSINESS, CAREERS & PERSONAL FINANCE
Also available:
Business Plans Kit For Dummies 0-7645-9794-9
Economics For Dummies 0-7645-5726-2
Grant Writing For Dummies 0-7645-8416-2
Home Buying For Dummies 0-7645-5331-3
Managing For Dummies 0-7645-1771-6
Marketing For Dummies 0-7645-5600-2
Personal Finance For Dummies 0-7645-2590-5*
Resumes For Dummies 0-7645-5471-9
Selling For Dummies 0-7645-5363-1
Six Sigma For Dummies 0-7645-6798-5
Small Business Kit For Dummies 0-7645-5984-2
Starting an eBay Business For Dummies 0-7645-6924-4
Your Dream Career For Dummies 0-7645-9795-7

HOME & BUSINESS COMPUTER BASICS
Also available:
Cleaning Windows Vista For Dummies 0-471-78293-9
Excel 2007 For Dummies 0-470-03737-7
Mac OS X Tiger For Dummies 0-7645-7675-5
MacBook For Dummies 0-470-04859-X
Macs For Dummies 0-470-04849-2
Office 2007 For Dummies 0-470-00923-3
Outlook 2007 For Dummies 0-470-03830-6
PCs For Dummies 0-7645-8958-X
Salesforce.com For Dummies 0-470-04893-X
Upgrading & Fixing Laptops For Dummies 0-7645-8959-8
Word 2007 For Dummies 0-470-03658-3
Quicken 2007 For Dummies 0-470-04600-7
FOOD, HOME, GARDEN, HOBBIES, MUSIC & PETS
Also available:
Candy Making For Dummies 0-7645-9734-5
Card Games For Dummies 0-7645-9910-0
Crocheting For Dummies 0-7645-4151-X
Dog Training For Dummies 0-7645-8418-9
Healthy Carb Cookbook For Dummies 0-7645-8476-6
Home Maintenance For Dummies 0-7645-5215-5
Horses For Dummies 0-7645-9797-3
Jewelry Making & Beading For Dummies 0-7645-2571-9
Orchids For Dummies 0-7645-6759-4
Puppies For Dummies 0-7645-5255-4
Rock Guitar For Dummies 0-7645-5356-9
Sewing For Dummies 0-7645-6847-7
Singing For Dummies 0-7645-2475-5

INTERNET & DIGITAL MEDIA
Also available:
Blogging For Dummies 0-471-77084-1
Digital Photography For Dummies 0-7645-9802-3
Digital Photography All-in-One Desk Reference For Dummies 0-470-03743-1
Digital SLR Cameras and Photography For Dummies 0-7645-9803-1
eBay Business All-in-One Desk Reference For Dummies 0-7645-8438-3
HDTV For Dummies 0-470-09673-X
Home Entertainment PCs For Dummies 0-470-05523-5
MySpace For Dummies 0-470-09529-6
Search Engine Optimization For Dummies 0-471-97998-8
Skype For Dummies 0-470-04891-3
The Internet For Dummies 0-7645-8996-2
Wiring Your Digital Home For Dummies 0-471-91830-X

* Separate Canadian edition also available
† Separate U.K. edition also available
Available wherever books are sold. For more information or to order direct: U.S. customers visit www.dummies.com or call 1-877-762-2974. U.K. customers visit www.wileyeurope.com or call 0800 243407. Canadian customers visit www.wiley.ca or call 1-800-567-4797.
SPORTS, FITNESS, PARENTING, RELIGION & SPIRITUALITY
Also available:
Buddhism For Dummies 0-7645-5359-3
Catholicism For Dummies 0-7645-5391-7
Exercise Balls For Dummies 0-7645-5623-1
Fitness For Dummies 0-7645-7851-0
Football For Dummies 0-7645-3936-1
Judaism For Dummies 0-7645-5299-6
Potty Training For Dummies 0-7645-5417-4
Pregnancy For Dummies 0-7645-4483-7 †
Ten Minute Tone-Ups For Dummies 0-7645-7207-5
NASCAR For Dummies 0-7645-7681-X
Religion For Dummies 0-7645-5264-3
Soccer For Dummies 0-7645-5229-5
Women in the Bible For Dummies 0-7645-8475-8

TRAVEL
Also available:
Alaska For Dummies 0-7645-7746-8
Cruise Vacations For Dummies 0-7645-6941-4
England For Dummies 0-7645-4276-1
Europe For Dummies 0-7645-7529-5
Germany For Dummies 0-7645-7823-5
Hawaii For Dummies 0-7645-7402-7
Italy For Dummies 0-7645-7386-1
Las Vegas For Dummies 0-7645-7382-9
London For Dummies 0-7645-4277-X
Paris For Dummies 0-7645-7630-5
RV Vacations For Dummies 0-7645-4442-X
Walt Disney World & Orlando For Dummies 0-7645-9660-8
GRAPHICS, DESIGN & WEB DEVELOPMENT
Also available:
3D Game Animation For Dummies 0-7645-8789-7
AutoCAD 2006 For Dummies 0-7645-8925-3
Building a Web Site For Dummies 0-7645-7144-3
Creating Web Pages For Dummies 0-470-08030-2
Creating Web Pages All-in-One Desk Reference For Dummies 0-7645-4345-8
Dreamweaver 8 For Dummies 0-7645-9649-7
InDesign CS2 For Dummies 0-7645-9572-5
Macromedia Flash 8 For Dummies 0-7645-9691-8
Photoshop CS2 and Digital Photography For Dummies 0-7645-9580-6
Photoshop Elements 4 For Dummies 0-471-77483-9
Syndicating Web Sites with RSS Feeds For Dummies 0-7645-8848-6
Yahoo! SiteBuilder For Dummies 0-7645-9800-7
NETWORKING, SECURITY, PROGRAMMING & DATABASES
Also available:
Access 2007 For Dummies 0-470-04612-0
ASP.NET 2 For Dummies 0-7645-7907-X
C# 2005 For Dummies 0-7645-9704-3
Hacking For Dummies 0-470-05235-X
Hacking Wireless Networks For Dummies 0-7645-9730-2
Java For Dummies 0-470-08716-1
Microsoft SQL Server 2005 For Dummies 0-7645-7755-7
Networking All-in-One Desk Reference For Dummies 0-7645-9939-9
Preventing Identity Theft For Dummies 0-7645-7336-5
Telecom For Dummies 0-471-77085-X
Visual Studio 2005 All-in-One Desk Reference For Dummies 0-7645-9775-2
XML For Dummies 0-7645-8845-1
About the Authors

Ed Tittel is an increasingly grizzled, if not wizened, veteran of the publishing game, with over a thousand magazine articles and more than 140 books to his credit. Ed has worked on numerous For Dummies books, including HTML 4 For Dummies, 5th Edition (with Mary Burmeister) and XML For Dummies, 4th Edition (with Lucinda Dykes), as well as books on many other topics. Ed runs a small professional IT practice in Round Rock, TX, that specializes in network-oriented training, writing, and consulting. When Ed’s not busy writing, he likes to spend time with his wife, Dina, and son, Gregory. He also likes to shoot pool, cook, and read sci-fi. You can reach Ed by e-mail at [email protected] yahoo.com or through his Web page at www.edtittel.com.

Justin Korelc has been working with computers and technology for over 15 years. Justin is an independent consultant working as a writer and trainer. His work focuses on security, Windows and Linux operating systems, and PC hardware. Justin has coauthored several books on media PCs, including Build the Ultimate Home Theater PC (an ExtremeTech BuildIt Guide) and Hacking MythTV (an ExtremeTech title). He has developed online training materials on information security, PC tune-ups, file transfer technologies, and more. Justin’s computer knowledge is self-taught and based on nearly 20 years of hands-on experience. He spends his spare time practicing the fine art of bricolage, playing with computers, and improving his culinary skills. You can reach Justin by e-mail at [email protected]
Authors’ Acknowledgments

As always, thanks to my agent, Carole McClendon at Waterside Productions, for hooking me up with For Dummies in the first place. Has it really been 15 years now? On the Wiley side, special thanks to Katie Feltman, Kim Darosett, and Heidi Unger. I’d also like to thank Justin Korelc for rolling up his sleeves and digging into the former Longhorn Server as far back as Beta 1. Personally, I want to thank my Mom and Dad for making my career both possible and attainable. Finally, I want to thank my wife, Dina Kutueva, for coming into my life rather later than sooner, and for giving me our wonderful son, Gregory. —ET

Thanks to my coauthor, Ed Tittel, for including me in this book. —JPK
Publisher’s Acknowledgments

We’re proud of this book; please send us your comments through our online registration form located at www.dummies.com/register/. Some of the people who helped bring this book to market include the following:

Acquisitions and Editorial
Project Editor: Kim Darosett
Senior Acquisitions Editor: Katie Feltman
Copy Editor: Heidi Unger
Technical Editor: Christian Mayoros
Editorial Manager: Leah Cameron
Editorial Assistant: Amanda Foxworth
Sr. Editorial Assistant: Cherie Case
Cartoons: Rich Tennant (www.the5thwave.com)

Composition Services
Project Coordinator: Lynsey Stanford
Layout and Graphics: Stacie Brooks, Reuben W. Davis, Andrea Hornberger, Shane Johnson, Christine Williams
Proofreaders: Laura Albert, Broccoli Information Management
Indexer: Broccoli Information Management
Publishing and Editorial for Technology Dummies
Richard Swadley, Vice President and Executive Group Publisher
Andy Cummings, Vice President and Publisher
Mary Bednarek, Executive Acquisitions Director
Mary C. Corder, Editorial Director

Publishing for Consumer Dummies
Diane Graves Steele, Vice President and Publisher
Joyce Pepple, Acquisitions Director

Composition Services
Gerry Fahey, Vice President of Production Services
Debbie Stailey, Director of Composition Services
Contents at a Glance

Introduction ... 1

Part I: Servers at Your Service ... 7
  Chapter 1: Making Windows Server 2008 Serve You ... 9
  Chapter 2: Server Networking Principles ... 21
  Chapter 3: Building Your Network ... 39
  Chapter 4: Hooking Up Your Network ... 57

Part II: Servers, Start Your Engines ... 71
  Chapter 5: Ready, Set, Install! ... 73
  Chapter 6: Configuring Connections to the Universe ... 93
  Chapter 7: Doing the Directory Thing ... 115
  Chapter 8: Working with Active Directory, Domains, and Trusts ... 137
  Chapter 9: Printing on the Network ... 155
  Chapter 10: IP Addressing: Zero to Insane in Two Seconds Flat ... 175

Part III: Running Your Network ... 199
  Chapter 11: Managing Users with Active Directory Users and Computers ... 201
  Chapter 12: Managing Shares, Permissions, and More ... 227
  Chapter 13: Preparing for That Rainy Day ... 241
  Chapter 14: Network Security Management ... 263

Part IV: Serve It Yourself ... 281
  Chapter 15: How to Be a DIY Guru ... 283
  Chapter 16: Servers the Intel Way ... 297
  Chapter 17: Servers the AMD Way ... 315
  Chapter 18: Taking Care of Your Own Issues ... 331

Part V: The Part of Tens ... 351
  Chapter 19: Ten Tips for Installation and Configuration ... 353
  Chapter 20: Ten Steps to Networking Nirvana with Windows Server 2008 ... 363

Part VI: Appendixes ... 371
  Appendix A: Server Components and Technologies ... 373
  Appendix B: Windows Troubleshooting Resources ... 385

Index ... 391
Table of Contents

Introduction ... 1
  About This Book ... 1
  How to Use This Book ... 2
  Foolish Assumptions ... 3
  How This Book Is Organized ... 3
    Part I: Servers at Your Service ... 3
    Part II: Servers, Start Your Engines ... 4
    Part III: Running Your Network ... 4
    Part IV: Serve It Yourself ... 4
    Part V: The Part of Tens ... 5
    Part VI: Appendixes ... 5
    Bonus Chapter ... 5
  Icons Used in This Book ... 5
  Where to Go from Here ... 6

Part I: Servers at Your Service ... 7

Chapter 1: Making Windows Server 2008 Serve You ... 9
  Any Server Must Do This ... 10
  Choosing Windows Server 2008 ... 11
    Meeting the Windows Server 2008 family ... 11
    Why use Windows Server 2008? ... 12
  Exploring Windows Server 2008 Networking Features ... 14
    Providing services through your server ... 14
    Managing the user experience ... 16
    Keeping it all safe and secure ... 16
  The Very Basics of Windows Server 2008 ... 18

Chapter 2: Server Networking Principles ... 21
  Understanding the Differences between Server and Client Networking ... 21
  More Is Better: Multiple NICs (No Cuts) ... 23
  Windows Server 2008 Enhances Networking ... 24
    Next Generation TCP/IP stack ... 24
    Offloading protocol processing ... 27
    TCP Chimney ... 28
    Changes to NDIS ... 28
  Networking Is About Services, Too ... 30
    What clients want ... 30
    What enterprises want ... 35
Chapter 3: Building Your Network ... 39
  Developing a Network Implementation Plan ... 39
  Understanding Network Design’s Barest Basics ... 42
  Deciding Where Networking Devices Must Go ... 45
  Consider Hiring an Expert to Install Cable and Equipment ... 46
  Always Check Your Work! ... 47
  Evaluating Your Network’s Performance and Usefulness ... 47
  Creating a Network Map ... 48
    It isn’t a map; it’s the whole enchilada ... 49
    Capturing data for your network map ... 49
    Taking stock of your network ... 50
    When the network changes, so does the map! ... 52
  Network Interfaces: Built-ins versus Extender Cards ... 52
    Don’t knock your NIC ... 53
    Don’t stub your TOE (TCP Offload Engine) ... 54
    The ever-popular ping test ... 55

Chapter 4: Hooking Up Your Network ... 57
  Make a Network Medium Happy! ... 57
    Fiber and coax make a seriously twisted pair ... 60
    Wireless is media, too! ... 63
    A final note about cabling ... 64
  Raising the Bandwidth Ceiling ... 65
    100 Mbps Ethernet ... 67
    Gigabit Ethernet ... 68
  The Backbone’s Connected to . . . Everything Else! ... 69

Part II: Servers, Start Your Engines ... 71

Chapter 5: Ready, Set, Install! ... 73
  Planning the Installation: Upgrade or New? ... 73
    Handling preinstallation tasks ... 75
    Preparing for the battle ... 77
  Got Enough Horsepower? ... 79
  Step by Step: Installing Windows Server 2008 ... 82
    Server: Are you ready? ... 82
    Windows Server 2008 Setup: A walk-through ... 82
  Installing from an Existing OS ... 85
  Installing across a Network ... 87
  Installing Remotely ... 88
  Working through Post-Installation Stress Disorder ... 88
    Understanding Activation ... 88
    Dealing with service packs ... 89
    Using Automated System Recovery ... 90
  Oops, My Installation Didn’t Take ... 91
  Exploring Automated Installation ... 92
Table of Contents Chapter 6: Configuring Connections to the Universe . . . . . . . . . . . . . .93 Completing the Initial Configuration Tasks ................................................94 Server Manager Configuration .....................................................................95 Getting to know the Server Manager console...................................96 Establishing directory trees and forests .........................................103 Getting the word out ..........................................................................108 Organizing the neighborhood ...........................................................109 Establishing Remote Connections .............................................................111 Getting connected ..............................................................................111 Other frills ...........................................................................................113
Chapter 7: Doing the Directory Thing  115
    What Is a Directory Service?  115
    Meeting Active Directory  116
        Organizing and storing data  116
        Managing data  117
        Locating data and resources  118
    Of Domains and Controllers  118
        In the beginning . . .  118
        Wherefore art thou, BDC/PDC?  120
    Knowing What Makes Active Directory Tick  121
        What replication means  122
        The grand schema of things  124
        Global catalogs  125
    Planning for Active Directory  126
        What’s in a namespace?  127
        Making sites happen  127
        Oh, you organizational unit (OU), you  129
    Installing Active Directory  129
        Promoting domain controllers  130
        Active Directory’s database and shared system volume  130
        Modes of domain operation  131
    When Domains Multiply  133
        Trust relationships across domains  133
        Building trees  134
        Understanding forests  135
Chapter 8: Working with Active Directory, Domains, and Trusts  137
    Master of Your Domain  137
    Trusts Are Good for NT 4.0 and Active Directory Domains  140
    How Domain Controllers Work Together  141
        When replication happens  141
        Know your database limits  143
    Administrivia Anyone? (Controlling Domains and Directories)  144
        Exploring the directory management console  144
        Creating directory objects  145
        Finding directory objects  148
        A word on ADSI  148
    Permission to Proceed? Handling Directory Permissions  149
        About Active Directory permissions  149
        Assigning permissions  149
        Permissions inheritance  150
        Delegating administrative control  151
    Managing Trusts  152
        Establishing trusts  153
        If you open the door to trusts, who gets to come through?  154
Chapter 9: Printing on the Network  155
    Windows 2008 Has a Print Model  156
        Physical print devices  158
        Logical assignments  158
    Installing on the Server’s Side  160
        Meet the Printers folder  160
        Adding a networked print device  161
    Sharing Printer Access  167
    Bringing Printers and Clients Together  168
    Managing Windows 2008–Based Printers  169
    Preventing Printer Problems  171
    Faxing the Windows Server 2008 Way  172
        Enabling faxing  173
        Sending faxes  173
Chapter 10: IP Addressing: Zero to Insane in Two Seconds Flat  175
    Resolving a Name: TCP/IP and NetBIOS  175
        NetBIOS names  176
        TCP/IP names and addresses  178
    Calling Everything a Node  180
        To network ID or host ID? That is the question  180
        Subnetting: Quiet time for IP addresses  182
        Hanging your shingle: Obtaining IP addresses  184
        Address translation: The new magic  185
    Forcing IP Down the Throat of Windows Server 2008  187
        Basic configuration  187
        Advanced configuration  189
    Everyone WINS Sometimes  191
        A glimpse at WINS  191
        WINS servers  192
        WINS clients  192
    NetBIOS over TCP/IP  193
    DNS Does the Trick  193
        Whether to DNS  194
        The deans of DNS  194
    DHCP: IP Addressing Automation  195
        What is DHCP?  195
        Is DHCP in your future?  196
    Ironing Out Problems  197
Part III: Running Your Network  199

Chapter 11: Managing Users with Active Directory Users and Computers  201
    User Accounts Have Properties  201
        Administrators rule!  203
        Guests can wear out their welcome  203
    Creating Active Directory Accounts  204
        General tab  208
        Address tab  208
        Account tab  208
        Profile tab  208
        Telephones tab  210
        Organization tab  210
        Member Of tab  210
        Dial-in tab  211
    Getting Pushy with Users  211
    What about Groups?  212
        Understanding group scopes  212
        Creating and managing groups  214
        Using built-in groups  215
    Giving Your Users Nice Profiles  217
    Where You Find Profiles, Policies Are Never Far Away  219
        Administering a group policy  219
        Understanding how group policies are processed  221
        Creating a group policy  222
        Auditing for trouble  224
    When Access Problems Loom . . .  225
Chapter 12: Managing Shares, Permissions, and More  227
    More about Objects, Rights, and Permissions  228
        An object lesson  228
        When is a file not an object?  229
        Users have rights; objects have permissions  229
    Of Windows Server 2008 NTFS and Permissions  230
        NTFS permissions  232
        Advanced permissions  233
    FAT and FAT32 Have No Permissions  234
    Share Permissions  235
    Calculating Actual Permissions  237
        The rules of calculation  237
        Figure this!  237
        Let the OS do it for you  238
    But What about Access Control with Active Directory Objects?  239
        Delegation of access control  239
        Property-based inheritance  239
Chapter 13: Preparing for That Rainy Day  241
    Why Bother Backing Up?  241
        Considering potential threats  242
        How many backup types are there?  243
        Network versus local backup  245
        Understanding the technology  246
    Beep! Beep! Planning Backups  249
        Storing backup tapes off-site  249
        Documenting your hardware and its settings  250
        Practicing disaster recovery for your system  250
    The Windows Server 2008 Backup Facility  251
        Looking at the big picture  252
        Performing command line backups  253
        Selecting targets and volumes  254
        Specifying backup destination and media settings  255
        Scheduling backup jobs  256
    Restoring from a Backup  256
    Third-Party Backup Options  257
        Finding third-party packages  258
        Evaluating backup systems  258
    The Backup Operator  260
Chapter 14: Network Security Management  263
    Network Security Basics  264
        Getting physical  264
        Informing the masses about security policies  267
    Windows Server 2008 and Security  268
        Usernames are more than just names  269
        Passwords and security  270
        A few more things about passwords  274
    A Look into the Future: Service Packs  274
    Copping an Attitude  275
        The Everyone group  276
        User rights  276
    Plugging Common Mouse Holes  277
        Unseen administrative shares  277
        Decoy accounts  278
        Last logged on username  278
        When good floppies go bad  278
    Security Equals Vigilance  279
Part IV: Serve It Yourself  281

Chapter 15: How to Be a DIY Guru  283
    Server Requirements Revisited  284
        Processors: Cores, counts, and options  284
        Memory: You can’t have too much  285
        Disk space: Look out, it’s a RAID!  286
        Network access: Internal, add-in, and counts  287
        Case and power supply  289
        What about graphics?  291
        Important miscellany (cooler, fans, optical drive, monitor, keyboard, mouse)  291
    Building a Better Budget  292
    PC Component Shopping Tips  293
    Assessing Windows Server 2008 Compatibility  294
Chapter 16: Servers the Intel Way  297
    Choosing a CPU and Motherboard First  298
    Selecting and Sizing Memory  299
    Selecting and Sizing Disk Space  300
        Assessing current needs and anticipating future growth  300
        Planning for RAID  301
    Making Network Connections  301
    Picking the Right Case and Power Supply  302
    Building an Intel-Based Server from A to Z  303
        Insert the PSU  304
        Seat the CPU and cooler  305
        Seat the RAM modules  309
        Install the hard disk drives  311
        Install the optical disk  312
        Set up the hardware  313
        Install the OS  314
    Ready to Rock-and-Roll?  314
Chapter 17: Servers the AMD Way  315
    Choosing the CPU and Motherboard First  316
        What we chose for our example build  316
        Exploring your options  316
    Selecting and Sizing Memory  317
    Selecting and Sizing Disk Space  318
    Making the Network Connections  318
    Picking the Right Case and Power Supply  318
    Construction from A to Z  319
        Insert the PSU  319
        Seat the CPU and cooler  320
        Seat the RAM modules  324
        Installing hard disk drives  326
        Installing the optical disk  328
        Setting up hardware  329
        Installing the OS  329
    Ready to Rock-and-Roll?  330
Chapter 18: Taking Care of Your Own Issues  331
    Troubleshooting Common Windows Server 2008 Problems  332
        Setup failures  332
        Startup failures  333
        Diagnosing startup errors  335
        Run-time issues  337
        Windows Activation  339
        Hardware upgrades and software updates  340
    Monitoring Server Operations  341
        Event Viewer  341
        Reliability and Performance  343
        Device Manager  346
    Tweaking Windows Server 2008 for Efficiency  346
        Managed entities  346
        Run-time optimization  348
    Making the Most of Your Server  349
Part V: The Part of Tens  351

Chapter 19: Ten Tips for Installation and Configuration  353
    Exceed the Minimum Requirements  354
    Use Only Qualified Server Hardware  355
    Install from Your Network  356
    Let the Software Do the Work: Automating Installation  356
    Beat Installation Weirdness: Be Persistent  358
    Let Lo-Res Come to Your Rescue!  358
    Use “Last Known Good” to Do Good!  359
    A Custom Installation Saves Systems!  359
    Use the Windows Server 2008 DVD to Boot  360
    When in Doubt, Back Up!  361
    Prepare for the Real Work!  361
Chapter 20: Ten Steps to Networking Nirvana with Windows Server 2008  363
    Never Overlook the Obvious  364
    Check Windows Server 2008 Routing  364
    Open Your TCP/IP Toolkit  365
    Use One or More Fast Server Network Adapters  366
    Know When to Divide and When to Conquer  367
    When in Doubt, Check Your Services  367
    Handle Names and Addresses Efficiently  368
    Ask What’s New or Different  369
    If You Need Help, Ask  369
    Watch Network Trouble Spots  370
Part VI: Appendixes  371

Appendix A: Server Components and Technologies  373
    Server Motherboards  374
    Server Processors  375
    Server Memory (RAM)  376
    Disk Drives, Controllers, and RAID  377
        SCSI versus SATA drives  378
        SCSI versus SATA controllers  379
        Building RAID arrays  381
    High-End Network Adapters  383
Appendix B: Windows Troubleshooting Resources  385
    Marvels from Microsoft  385
    Windows Server 2008 Books  387
    Server-Friendly Publications  388
    Other Third-Party Windows Server 2008 Sources  389
Index  391
Introduction
Welcome to Windows Server 2008 For Dummies, the book that helps anyone who’s unfamiliar with Windows Server 2008 (or Windows-based networks) find his or her way around a Windows Server 2008–based network. In a wired world, networks provide the links that tie all users together. This book tells you what’s going on, in basic, straightforward terms. Although a few fortunate individuals may already be acquainted with Windows Server 2008 and the networks it supports, many more people are not only unfamiliar with server-based networking but downright scared of it. To those who may be concerned about facing new and difficult technologies, we say, “Don’t worry. Be happy.” Using a server-based network isn’t beyond anyone’s wits or abilities; it’s mostly a matter of using a language that ordinary people can understand. Ordinary folks are why this book talks about using Windows Server 2008 and networks in simple (and deliberately irreverent) terms. Nothing is too highfalutin to be mocked, nor too arcane to state in plain English. And when we do have to get technical, we warn you and make sure to define our terms to boot. This book aims to help you meet your needs. You’ll find everything you need to know about Windows Server 2008 in here, so you’ll be able to find your way around without having to learn lots of jargon or obtain an advanced degree in computer science along the way. We want you to enjoy yourself. Because server-based networking really is a big deal, it’s important that you be able to get the most out of it. We really want to help!
About This Book This book is designed so you can pick it up and start reading at any point — like you might read a reference book. In Parts I and II, we cover server basics: concepts and terminology in Part I, and the installation and deployment of Windows Server 2008 in Part II. In Parts III through V, you’ll find tons of information on how to run or build a Windows Server 2008–based network. Part III covers running a Windows Server 2008–based network, whereas Part IV describes how you might design, build, and use a do-it-yourself network server PC. Part V includes tips and tricks to help smooth out installing, configuring, and using Windows Server 2008.
Each chapter is divided into freestanding sections, each one relating to the chapter’s major theme. For example, the chapter on installing Windows Server 2008 contains the following collection of information:

    * The differences between an upgrade install and a clean install
    * How to make sure your hardware is suitable for use as a server
    * A step-by-step walkthrough of the installation process
    * What to do when installation completes
    * Troubleshooting installation problems
    * Automating the Windows Server 2008 installation process

You don’t have to memorize the contents of this book. Each section supplies just the facts you need to make networking with Windows Server 2008 easy to use. On some occasions, however, you may want to work directly from the book to make sure you keep things straight.
How to Use This Book This book works like a reference, so start with a topic that interests you. You can use the table of contents to identify general areas of interest or broad topics. The index, however, is your best tool for identifying detailed concepts, related topics, or particular Windows Server 2008 capabilities, tools, or controls. After you find what you need, you can close the book and tackle whatever task you’ve set for yourself — without having to grapple with unrelated details. If you’ve never worked with a Windows Server operating system before, it’s a good idea to read Parts I and II in their entirety. Likewise, if you’re new to administering a Windows Server 2008–based network, you might want to read all of Part III. If the idea of building your own server PC from scratch sounds interesting, you’ll definitely dig Part IV. Otherwise, dig in wherever your fancy moves you! When you need to type something at the keyboard, you’ll see text that looks like this: Type this. You’re expected to enter this text at the keyboard and then press the Enter key. Because typing stuff can sometimes be confusing, we always try to describe what it is you’re typing and why you need to type it. This book occasionally suggests that you consult the Windows Server 2008 online help, printed manuals, Resource Kit, and even Microsoft’s Web site for additional information. In most cases, though, you find everything you need to know about a particular topic right here — except for some of the bizarre details that abound in Windows Server 2008.
If there’s a topic we don’t cover in this book that you need to know more about, we suggest you look for a book on that subject in the For Dummies series, published by Wiley Publishing. In addition, a whole world of Web information about Windows Server 2008 is available on the Internet, and the Microsoft Web site (at www.microsoft.com/windowsserver2008/default.mspx) isn’t a bad place to start looking for such information.
Foolish Assumptions We’re going to climb out on a limb and make some potentially foolish assumptions about you, our gentle reader. You have or are thinking about getting a computer, a network, and at least one copy of Windows Server 2008. You know what you want to do with these things. You might even be able to handle all these things yourself, if somebody would only show you how. Our goal with this book is to decrease your need for such a somebody, but we don’t recommend telling him or her that out loud — at least, not until you’ve finished this book!
How This Book Is Organized The book is divided into five major parts, each of which consists of two to six chapters. Each chapter covers a major topic and is divided into sections, which discuss particular issues or concerns related to that topic. That’s how things in this book are organized, but how you read it is up to you. Choose a topic, a section, a chapter, or a part — whatever strikes your fancy or suits your needs — and start reading.
Part I: Servers at Your Service Part I provides an introduction to Windows Server 2008. You’ll find a detailed description of Windows Server 2008 in Chapter 1 that includes its important features, functions, capabilities, and requirements. Chapter 2 takes a more general look at server-based networking and explains what makes servers special, hardware-wise; what kinds of things servers do; and what services they provide. Chapters 3 and 4 provide a speedy primer on network design and construction to help you decide where to put the pieces and parts that go into a network, including your server, and what to do with them when they’re all interconnected. If you’re already a seasoned networker or have worked with another Windows Server operating system, you can skip this part if you’d like, although you may still want to check out Chapter 1 to see what’s new and interesting in this latest and presumably greatest of Windows Server operating systems.
Windows Server 2008 For Dummies
Part II: Servers, Start Your Engines

Part II tackles Windows Server 2008 head on, starting with its installation and configuration. It covers the issues involved in installing and configuring network hardware specifically for Windows Server 2008. It also covers how to install and manage print servers and services on a Windows Server 2008–based network, how to handle Transmission Control Protocol/Internet Protocol (TCP/IP) addresses, and how to set up and manage directory services in a Windows Server 2008–based environment. Part II is where you figure out how to put the basic pieces of a network together using Windows Server 2008.

Part III: Running Your Network

Part III picks up where Part II leaves off — that is, it talks about living with and managing a Windows Server 2008–based network after the initial installation and configuration phase is complete. It begins with a discussion of how to manage users and groups on a Windows Server 2008–based network, including details on profiles, policies, and local and global groups. Next, it covers how Windows Server 2008 controls access to NTFS files and directories and how to manage network-accessible file system resources called shares. After a network’s users, groups, and data assets are in place, rebuilding such a setup from scratch can be a real pain. That’s where a backup comes in handy, so Part III covers the ins and outs of backing up and restoring a Windows Server 2008 machine, plus other aspects of fault tolerance. After that, a review of network security principles and practices should help to prepare you to protect your data from accidental loss and from would-be hackers and crackers.

Part IV: Serve It Yourself

Part IV takes a detour away from the software side of servers to dig deeply into the hardware on which such software must run. You’ll find out what kinds of pieces and parts go into a PC and what kinds of selections make the most sense when that PC is going to act as a network server. You’ll also dig into the specifics involved in building a basic Intel-based PC for use with Windows Server 2008, where we guide you through options and selection rationales for choosing specific processors, motherboards, memory, disk drives, and so forth. Then we repeat that process for AMD-based PCs for those who might choose to opt for an Opteron processor instead.
Part V: The Part of Tens

Part V follows the grand tradition of For Dummies books, all of which include “The Part of Tens.” Here, you’ll find lists of information, tips, tricks, and suggestions, all organized into short and convenient chapters. This supplemental information is designed to be both helpful and informative and is supplied at no extra charge.

Part VI: Appendixes

If you’ll recall, we said earlier that this book is divided into five major parts. By definition, that means the appendixes must be a minor part of the book, although there’s nothing minor about the content you’ll find covered here. In fact, we decided to include this material to provide our readers with additional information and resources on server hardware and developing good troubleshooting skills to help provide users with the best networking experiences possible.

Bonus Chapter

You’ll find a bonus chapter titled “What Makes Servers Special” at this book’s companion Web site at www.dummies.com/go/winserver2008. This chapter will quickly get you up to speed on server capabilities.

Icons Used in This Book

The icons used in this book point you to important (and not so important) topics in the text.

This icon lets you know that you’re about to encounter information that’s important to understand if you really want to get what’s going on with Windows Server 2008. It may be painful at times, but you have to slog through it.

Oh gee, we’re getting so old that we can’t recall what this one means. Maybe you should check one out and see whether it’s worth watching for!
This icon lets you know that you’re about to be swamped in technical details. We include this information because we love it, not because we think you have to master it to use Windows Server 2008. If you aspire to nerdhood, you probably want to read it; if you’re already a nerd, you’ll want to write us about stuff we left out or other information we should put in!

This icon signals that helpful advice is at hand. We also use it when we offer insights that we hope make using Windows Server 2008 more interesting or easier. For example, whenever we include a shortcut that improves your productivity, it’s usually marked with the Tip icon.

This icon means what it says — you’d better be careful with the information it conveys. Nine times out of ten, it’s warning you not to do something that can have nasty or painful consequences, as in accidentally wiping out the contents of an entire hard drive. Whoops!
Where to Go from Here

With this book at your side, you should be ready to wrestle with Windows Server 2008 and the networks it connects to. Find a subject, turn to its page, and you’re ready to jam. Feel free to mark up this book, fill in the blanks, dog-ear the pages, and do anything else that might make a librarian queasy. The important things are to make good use of it and enjoy yourself while you’re at it. Please check out the Web page at www.dummies.com. Be sure to take the opportunity to register your purchase online or send us e-mail with feedback about your reading experience.
Part I: Servers at Your Service

In this part . . .

In this part of the book, you get an introduction to the big star in this production — namely, Windows Server 2008 — as you dig into its features, functions, and requirements. But we also introduce you to the whole server circus as we explain what makes servers so special and why taking care of clients is both a joy and a chore. You even get a chance to meet and make sense of the network pieces and parts necessary to bring clients and servers together to help bring home the bacon. Each chapter presents its information in small, easy-to-read sections. If information is really technical (mostly worth skipping, unless you’re a glutton for punishment), it’s clearly marked as such. Even so, we hope you find this information useful — and maybe even worth a giggle or two.
Chapter 1: Making Windows Server 2008 Serve You

In This Chapter
• Understanding the client-server network model
• Meeting the Windows Server 2008 product family
• Finding out about added and enhanced security features

Windows Server 2008 is the latest and greatest version of Microsoft’s flagship server platform and the successor to the hugely popular Windows Server 2003. Prior to its debut, Windows Server 2008 was codenamed Longhorn, a platform that shared common client features also found in Windows Vista, much like the relationship between Windows Server 2003 and Windows XP. In fact, Windows Server 2008 even shares a common code base with Windows Vista and therefore carries much of the same architecture and core functionality. Both Windows Server 2008 and Windows Vista share common technical, security, management, and administrative features; an improved IPv6-capable networking stack; native wireless utilities; and a revamped image-based installation format (among many other exciting new features). However, Windows Server 2008 is a total departure from the desktop/workstation realm and offers enterprise and server-specific features and functionality above and beyond anything Windows Vista offers.

In this chapter, we explore some of these features from a 10,000-foot view and then focus on specific topics in the chapters that follow. Large-scale deployment options, improved self-diagnostic tools, advanced reliability and performance monitoring, and enhanced security features are just some of the benefits that inhere to the new Windows Server 2008 platform. First, we take a look at server hardware and make some important distinctions between workstation and server roles and responsibilities.
Any Server Must Do This

The term server speaks to a broad classification of computers that combine hardware components and software services to handle a variety of tasks maintained through network relationships. A server takes many shapes and sizes, covers a wide range of form-factors, and includes numerous components and services. Embedded server platforms are used in network attached storage (NAS) devices, included in network print servers, and scale all the way up to giant mainframes capable of handling millions of simultaneous transactions and resource-intensive processing.

The term form-factor refers to a specific design, layout, size, and shape of component or device. A form-factor can refer to several mutually independent devices, from the power supply and its interface types to motherboards and their various dimensions, pinouts, and connection types.

In fact, if you take a good look around your office environment, or just about any other office IT infrastructure, you can probably identify several otherwise-overlooked servers and server applications that you use on a regular basis. Modern technology puts the power of servers and server applications in the hands of mere mortals, and nowhere is this more evident than in the consumer market, where multimedia home theater PCs (HTPCs) are part of daily life for many. But back to the business world. . . .

Essentially, any server must serve a network — either clients or other servers, or some combination of the two. The term server also includes the actual server operating system that makes the computer do its job. Commercial server software products such as Windows Server 2008 are designed to handle a greater frequency and variety of tasks than are typical in either the desktop or workstation realms.

Server platforms are an entirely different breed of PC, as compared to their desktop and workstation brethren, which is why they perch atop the hierarchy and the marketplace when it comes to buying an operating system. Specifically, a server is designed and intended to provide services and run server applications under heavy workloads, left unattended and self-managing most of the time. For the most part, servers are self-contained, self-regulated core network entities in an enterprise or business IT environment. Larger amounts of memory (upwards of 8GB or more), larger storage capacity (terabytes, petabytes, and beyond), special storage methods (mirroring, striping, and multiple disk aggregation), redundant power supplies, and server-specific form-factors all typically distinguish specialized server hardware components from other, more ordinary computer components. That said, plenty of servers use desktop and workstation hardware such as optical drives, disk drives, and peripheral or display devices.

See Appendix A for more details on server hardware components and check out the Bonus Chapter at dummies.com/go/winserver2008 for a more in-depth discussion of server technologies.
Choosing Windows Server 2008

The Windows Server 2008 platform is further subdivided into multiple packages designed specifically for particular forms and functions. Understanding the distinctions among these market offerings and then understanding how they do or don’t meet your requirements will help you choose the right offering for your budget and your computing needs. In this section, we give you a look at some of the different offerings available under the Windows Server 2008 umbrella.

Meeting the Windows Server 2008 family

Microsoft follows the usual format for marketing its server family offerings, which include both 32-bit and 64-bit varieties. Some of these editions remain functionally identical to the Windows Server 2003 family. These offerings include the following:

• Windows Server 2008 Web Edition: Designed as a basic Internet Information Services (IIS) server platform to build and host Web applications and pages and provide eXtensible Markup Language (XML) services including Active Server Pages (ASP) and the .NET framework.
• Windows Server 2008 Standard Edition: Designed for small to medium businesses, this version supports file and print sharing, works with up to four processors, and accommodates up to 4GB RAM.
• Windows Server 2008 Datacenter Edition: Designed for infrastructures that demand greater security and reliability features, supportive of up to 64 processors and 512GB for high-availability, high-demand processing applications and processes.
• Windows Server 2008 Enterprise Edition: Designed for medium- to large-size businesses as a fully-functional server platform capable of operating eight processors and 64GB RAM, with enterprise-class features including clustering and virtualization.
• Windows Storage Server 2008: Designed as a specialized platform for network attached storage (NAS) implementations and optimized for use with file- and print-sharing services in storage area network (SAN) scenarios.
• Windows Server 2008 for Itanium-Based Systems: 64-bit Intel Itanium-based computers require a special version of Windows Server 2008 entirely its own.
You might be thinking, “Wow, what a diverse group of systems! You can’t possibly get any better than that!” Well, that’s what Microsoft was aiming for: To expand and proliferate its new 2008 platform, Microsoft has reformulated many of its top products to encompass many diverse business computing environments. In the preceding list, the items up to and including Enterprise are listed by increasing cost and capability; we don’t yet have information about the cost for Storage Server and Itanium versions, so we left those for the end of the list.
Why use Windows Server 2008?

There are dozens of compelling reasons to explore Windows Server 2008 as a viable platform for any business. In the list that follows, we give you a look at some highlights and expand on features and functions provided in Microsoft’s latest flagship product:

• More control: Windows Server 2008 empowers IT professionals with greater control and management over servers and network infrastructure with enhanced scripting and task-automation capabilities. Improved self-diagnostics and remote control tools create field-serviceable platforms that also may be supported across the network or via the Internet. These features are described in some detail in the section entitled “Benefits of Windows Server 2008” in the Microsoft Product Overview at www.microsoft.com/windowsserver2008/evaluation/overview.mspx. When we speak of field-serviceable parts, we mean those components and devices that can be operated and fixed onsite, or in the field. Many computer-related issues can be resolved onsite, but there are certain circumstances where a part must be sent to a well-equipped service department or parts distributor. Role-based, image-driven platform installation streamlines large-scale deployment processes and includes new utilities to facilitate creation of custom installation images and custom recovery images, all under one umbrella. The new Server Manager console delivers a consolidated, centralized control center for managing server configurations and related system information. See Chapter 6 for more information on the all-new Server Manager console.

• Greater flexibility: Windows Server 2008 supports custom modifications to better adapt to ever-changing business needs. Enhanced flexibility for mobile users, integrated virtualization (which means that one server can look and act like a bunch of servers, as far as its users are concerned), centralized application access, and new deployment options create a workable platform to suit a variety of enterprise networking scenarios. You can create a custom installation image, or several, based on a core set of necessary applications and configurations and then roll it out to an entire enterprise in a completely automated, unattended fashion to expedite upgrades and new installations.

• Better tools and utilities: The new Windows PowerShell command line interpreter and scripting language facilitates more administrative control and productivity and better monitoring and analysis of system performance with its new Reliability and Performance Monitor. Plus, you can manage and secure multiple server types using the new Server Manager console, which provides centralized access to common administrative tools. PowerShell functionality is beyond the scope of this book and remains in beta status at the time of this writing, so we don’t include material on this subject. See www.microsoft.com/windowsserver2008/powershell.mspx for more details on PowerShell.

• Increased protection: Windows Server 2008 delivers improved security features that increase platform protection, reduce attack surfaces, and provide a firm foundation on which to construct and operate a business. The very core, or kernel, of the operating system is now better protected against various forms of attack. Windows Service Hardening makes Internet-facing services more resilient to Internet attacks, and a variety of access protections and cryptography services strengthen the Windows system. See Chapter 14 for more information on security topics related to Windows Server 2008.

• New and improved TCP/IP features: Windows Server 2008 includes many changes and enhancements to the Next Generation TCP/IP stack, such as IPv6 enhancements and policy-based Quality of Service (QoS) for enterprise networks. The Next Generation TCP/IP stack is a total redesign of traditional network stack functionality for both IPv4 and IPv6 protocol versions. Receive window auto-tuning, neighbor reachability, dead gateway detection, black hole router detection, routing compartments, and explicit congestion notification are just a few of its newly added and updated capabilities. (See Chapter 2 for more on the Next Generation TCP/IP stack.)

• Self-healing NT File System (NTFS): In the past, file system errors often required that a disk volume be taken offline for service, which clearly impacted business flow. A new feature and added benefit of the Windows Server 2008 platform is its inclusion of a real-time recovery or self-healing process for the NTFS storage format. That way, businesses can remain operational even in the face of file-system-related issues.

• Server Message Block version 2 (SMB2): The de facto standard for network file systems in the Windows realm is SMB, now revamped to handle scalable increases in server workloads more expeditiously.

• Windows Server virtualization: Windows Server 2008 provides a built-in virtualization capability to enable multiple separate operating system instances operating at the same time, using the same hardware. Users see multiple servers, each with their own data sets, services, and access controls, but IT departments can manage multiple virtual servers on a single set of server hardware.

• Server Core: A new installation option for Windows Server 2008 includes a stripped-down, graphical interface-free server platform that contains only those components and subsystems necessary for a high-availability server that requires fewer updates and less servicing. Envision a cluster of low-overhead, virtualized, highly optimized server operating systems running stripped-down core roles like DHCP or DNS in protected environments, completely autonomous, managed only by a single terminal, and you’ve got the right idea.

These are just some of the exciting new things going on with Windows Server 2008. You’ll find out about many of these capabilities in more detail in the chapters that follow.
Exploring Windows Server 2008 Networking Features

Generally speaking, from a networking perspective, it’s safe to assume that Windows Server 2008 does everything that previous versions of Windows Server have done — including automatic client addressing (DHCP), directory services (Active Directory), network name resolution (DNS, WINS, and so forth), as well as a whole slew of networked applications such as e-mail, databases, transaction processing, and so forth. In fact, Windows Server 2008 does more for networking than previous versions have done, especially where advanced network performance (auto-tuning and optimization), network security, network-based offload and acceleration technologies, and simplified management and diagnostics are concerned. For the complete Microsoft version of this story, see “Windows Server 2008 Networking Features” at www.microsoft.com/windowsserver2008/platnetworking/default.mspx.
Providing services through your server

The client-server paradigm operates largely on client requests for server services. Such requests require both server and client hardware and compatible software, which are necessary to facilitate network functionality between the two. At the most basic level, a client must have a network connection available to transmit a request for services. Likewise, the client must have the correct software installed to formulate an intelligible request and pass it to the network, where a server can notice and respond to such a request. Servers respond to client requests through a listener process represented by application services such as File Transfer Protocol (FTP) and Telnet. This process runs continuously, dispatching inbound client connections as they arrive and managing transitional connection states through the native TCP/IP stack implementation. On the software side, servers require the following elements to make services available across the network:

• Network drivers enable the server to communicate with its network interface. This software lurks in the background and exists only to tie the computer to the network interface.
• Protocol stacks send and receive messages across the network. This software also lurks in the background and provides a common language shared with clients used to ferry information across the network.
• Service applications respond to requests for service and formulate replies to those requests. This software runs in the foreground and does the useful work. The service application includes the listener process, the temporary execution threads, and some type of configuration or management console so that it can be installed, configured, and altered as necessary.

Most software that resides on a server is network aware because delivery of information via network is a server’s primary function. Some application and protocol services that are performed on behalf of a server computer include Active Directory, SQL Server database engines, Exchange e-mail servers, and Quality of Service networking.
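The listener process and its temporary execution threads described above, and the request, reply, and connect-and-interact steps that Chapter 2 lays out for the client and server sides, can be seen end to end in a few dozen lines. The following is an added example written for this page, not code from the book or from Windows Server 2008: a tiny TCP service on the loopback interface whose wire format (“GET <user> <token>”), reply codes and credential table are all constructed for illustration. The server decides whether to permit or forbid each request before it serves anything, which is the “reply, either permitting or forbidding the connection” step seen from the server’s side.

```python
# Added example (not from the book): a minimal listener process and client
# that walk through the request / reply / connect-and-interact exchange.
import socket
import threading

HOST = "127.0.0.1"

# Constructed credential table for this example only; a real service would
# authenticate against a directory such as Active Directory.
VALID_TOKENS = {"alice": "s3cret-token"}


def parse_request(raw):
    """Parse the constructed wire format 'GET <user> <token>'.

    Returns (user, token), or None when the request is malformed."""
    parts = raw.strip().split()
    if len(parts) != 3 or parts[0] != "GET":
        return None
    return parts[1], parts[2]


def decide(raw):
    """Server-side decision: permit or forbid the request before serving it."""
    parsed = parse_request(raw)
    if parsed is None:
        return "400 BAD REQUEST"
    user, token = parsed
    if VALID_TOKENS.get(user) != token:
        return "403 FORBIDDEN"          # unknown user or wrong token
    return f"200 OK hello {user}"


def handle_client(conn):
    """Temporary execution thread: one per accepted connection."""
    with conn:
        raw = conn.recv(1024).decode("utf-8", errors="replace")
        conn.sendall((decide(raw) + "\n").encode("utf-8"))


def start_listener():
    """The listener process: bind, listen, and wait for connections."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((HOST, 0))            # port 0 lets the OS choose a free port
    listener.listen(5)
    return listener


def serve(listener, max_clients):
    """Accept a fixed number of clients, then return (keeps the demo finite)."""
    for _ in range(max_clients):
        conn, _addr = listener.accept()
        threading.Thread(target=handle_client, args=(conn,), daemon=True).start()


def client_exchange(port, payload):
    """Client side: initiate the request, wait for the reply, then interact."""
    with socket.create_connection((HOST, port), timeout=5) as sock:
        sock.sendall(payload.encode("utf-8"))
        return sock.recv(1024).decode("utf-8").strip()


def run_demo():
    """Four exchanges: one permitted, two forbidden, one malformed."""
    listener = start_listener()
    port = listener.getsockname()[1]
    requests = [
        "GET alice s3cret-token\n",     # valid credential -> permitted
        "GET alice wrong-token\n",      # bad token -> forbidden
        "GET mallory anything\n",       # unknown user -> forbidden
        "HELLO\n",                      # not a request the service understands
    ]
    server = threading.Thread(target=serve, args=(listener, len(requests)), daemon=True)
    server.start()
    replies = [client_exchange(port, r) for r in requests]
    server.join(timeout=5)
    listener.close()
    return replies


if __name__ == "__main__":
    for reply in run_demo():
        print(reply)
```

Two details matter more than the size of the program: the client sets a timeout so a server that never replies cannot hang it forever, and the server’s accept loop does nothing but hand connections to short-lived threads, so a slow or misbehaving client occupies one thread rather than the listener itself. The same division of labour, listener plus per-connection workers, is what the book means by “listener process” and “temporary execution threads.”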
Three improvements to existing services and one additional service in Windows Server 2008 include:

• Failover clustering: Improvements to failover clusters (previously called server clusters) simplify setup and management and better secure cluster deployment and enhance operational stability. In addition, both networking and communication to storage devices are improved to increase availability of applications and services. The concepts and terminologies known as failover and clustering aren’t something you’ll encounter with only casual computing experiences, so don’t feel threatened if these are entirely foreign to you. A cluster is a set of servers running one or several applications and services. A failover cluster is one in which several server computers operate cohesively so that in the event that one fails, another takes over processing of applications and data in its place.
• Network load-balancing: Advances include support for IPv6 and Network Driver Interface Specification (NDIS) 6.0, Windows Management Instrumentation (WMI) enhancements, and improved functionality with Internet Security and Acceleration (ISA) Server. Network load-balancing redistributes the load for networked client/server application requests across a set of cluster servers.
• 802.1X authenticated wired and wireless access: Authenticated access for both networking technologies relies on 802.1X-compatible Ethernet switches and access points (APs) to provide port-based network access control. This prevents unauthenticated or unauthorized accesses and packet transmission to user and computer resources.
Managing the user experience

Windows Server 2008 provides a single central source for managing server identities, system information, server status, configuration problem identification, and role management through the new Server Manager console. Server Manager is an expanded Microsoft Management Console (MMC) snap-in that enables you to view and manage virtually all information and tools affecting server productivity. Server Manager replaces features included with Windows Server 2003, such as Manage Your Server, Configure Your Server, and Add or Remove Windows Components. It also eliminates the requirement for the Security Configuration Wizard to run prior to server deployment, because roles are configured with security settings by default and easily deployable once installed and configured. See Chapter 6 for more on Server Manager.
Keeping it all safe and secure

Windows Server 2008 includes an impressive array of new security applications and features that further enhance enterprise deployments, particularly within hostile environments or under potentially threatening scenarios. Today’s Internet is a brightly illuminated world that casts shadows, and from those shadows arise criminal aspirations that seek to infiltrate, pilfer, and undermine Internet-accessible businesses. Microsoft has stepped up its Windows Server 2008 defenses to better serve the computing public that can’t always defend against unforeseen, persistent, or stealthy attack. The following paragraphs briefly summarize some of the new and newly enhanced security features of the Windows Server 2008 family:

• BitLocker Drive Encryption is a security feature of both Windows Vista and Windows Server 2008 (again sharing a common base) to provide strong cryptographic protection over stored sensitive data within the operating system volume. BitLocker encrypts all data stored in the Windows volume and any relevant configured data volumes, which includes hibernation and paging files, applications, and application data. Furthermore, BitLocker works in conjunction with Trusted Platform Module (TPM) frameworks to ensure the integrity of protected volumes from tampering, even — and especially — while the operating system isn’t operational (like when the system is turned off).
• Windows Service Hardening turns Internet-facing servers into bastions resistant to many forms of network-driven attack. This restricts critical Windows services from performing abnormal system activities within the file system, registry, network, or other resources that may be leveraged to install malware or launch further attacks on other computers.
• Microsoft Forefront Security Technologies is a comprehensive solution that provides protection for the client operating system, application servers, and the network edge. In the Forefront Client Security role, you may provide unified malware protection for business notebooks, workstations, and server platforms with easier management and control. Server security can fortify Microsoft Exchange messaging environments or protect Office SharePoint Server 2007 services against viruses, worms, and spam.
• Internet Security and Acceleration (ISA) Server provides enterprise-worthy firewall, virtual private network (VPN), and Web caching solutions to protect IT environments against Internet-based threats. Microsoft’s Intelligent Application Gateway is a remote-access intermediary that provides secure socket layer (SSL) application access and protection with endpoint security management.
• User Account Control (UAC) enables cleaner separation of duties to allow non-administrative user accounts to occasionally perform administrative tasks without having to switch users, log off, or use the Run As command. UAC can also require administrators to specifically approve applications that make system-wide changes before allowing those applications to run. Admin Approval Mode (AAM) is a UAC configuration that creates a split user access token for administrators, to further separate administrative from non-administrative tasks and capabilities.
• Windows Firewall and Advanced Security is an MMC snap-in that handles both firewall and IP Security (IPSec) configurations in Windows Server 2008. This edition is the first to have the Windows Firewall enabled by default. It can create filters for IPv4 and IPv6 inbound or outbound traffic and protect information entering or exiting the computer through IPSec. This component replaces both the firewall applet and the IPSec and IPSec-related tool sets.
• Network Access Protection (NAP) is a policy enforcement platform built into Windows Server 2008 that maintains a social health order for the network environment by specifically requiring that connecting client computers meet certain criteria. Such requirements include having a current, functional firewall enabled with recent operating system updates already in place. NAP helps create custom health code requirements driven through policy enforcement to validate compliant computers before making any connections to the protected network.

Microsoft has also gone to great lengths to improve and expand upon many other security features, management and configuration applets, applications, and tools. We cover network security topics more in-depth in Chapter 14.
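The NAP idea in the last bullet, a connecting client must satisfy a health policy before it is allowed onto the protected network, is easier to reason about with a concrete policy evaluator in front of you. What follows is an added example written for this page; it is not the NAP API and not code from the book. The statement-of-health fields, the policy thresholds, the hostnames and the fixed “today” date are all constructed for the illustration. Clients that fail any check are placed on a remediation network instead of being refused outright, which is the shape of what NAP does with non-compliant machines: give them access only to the servers they need to become compliant.

```python
# Added example (not from the book): a simplified, policy-driven client health
# check in the spirit of Network Access Protection.  Field names, thresholds,
# hostnames and dates are constructed for illustration; this is not the NAP API.
from dataclasses import dataclass, field
from datetime import date


@dataclass
class StatementOfHealth:
    """What a connecting client reports about its own state (constructed)."""
    hostname: str
    firewall_enabled: bool
    last_os_update: date          # date the newest OS update was installed
    av_signature_date: date       # date of the installed antivirus signature set


@dataclass
class HealthPolicy:
    """What the network requires before granting full access."""
    require_firewall: bool = True
    max_update_age_days: int = 30
    max_signature_age_days: int = 7


@dataclass
class AccessDecision:
    hostname: str
    compliant: bool
    network: str                  # "full" or "remediation"
    failures: list = field(default_factory=list)


def evaluate(soh, policy, today):
    """Validate one client against the policy.  Every failed check is recorded
    so the client (or its administrator) can see exactly what to fix."""
    failures = []
    if policy.require_firewall and not soh.firewall_enabled:
        failures.append("firewall disabled")
    if (today - soh.last_os_update).days > policy.max_update_age_days:
        failures.append(f"OS updates older than {policy.max_update_age_days} days")
    if (today - soh.av_signature_date).days > policy.max_signature_age_days:
        failures.append(f"antivirus signatures older than {policy.max_signature_age_days} days")
    compliant = not failures
    # Non-compliant clients are not refused outright: they get a remediation
    # network from which only update and signature servers are reachable.
    network = "full" if compliant else "remediation"
    return AccessDecision(soh.hostname, compliant, network, failures)


# Constructed sample clients and a fixed "today" so the result is repeatable.
TODAY = date(2008, 6, 1)
SAMPLE_CLIENTS = [
    StatementOfHealth("ws-01", True, date(2008, 5, 20), date(2008, 5, 30)),   # healthy
    StatementOfHealth("ws-02", False, date(2008, 3, 1), date(2008, 5, 31)),   # firewall off, stale patches
    StatementOfHealth("ws-03", True, date(2008, 5, 25), date(2008, 5, 1)),    # stale AV signatures
]


def run_checks(clients=SAMPLE_CLIENTS, policy=HealthPolicy(), today=TODAY):
    """Return one decision per hostname, the way an enforcement point needs it."""
    return {c.hostname: evaluate(c, policy, today) for c in clients}


if __name__ == "__main__":
    for decision in run_checks().values():
        print(decision)
```

One caveat a practitioner will notice immediately: the statement of health is self-reported, so the evaluator is only as trustworthy as the agent that produced it. That is why the real platform pairs health statements with validators on the server side and, where it can, with a trusted agent on the client, rather than taking a bare “my firewall is on” at face value. The decision logic itself stays simple, which is what lets you audit the policy.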
The Very Basics of Windows Server 2008

Windows Server 2008 is built with components that draw on the Windows Vista family of features and functionality, with added components and capabilities that extend platform coverage to encompass medium and large business computing needs. From NT’s humble beginnings in the early 1990s to Windows Server 2003, Microsoft’s premier network operating system server product has come a long way. Today, Windows Server 2008 offers a reliable and scalable platform for deploying complex intranet solutions by integrating Internet and local network capabilities. In other words, this product will let you play multiplayer, first-person shooter games with people across the office or spread across the globe. Most of the advantages and benefits you enjoy with Windows Server 2003 are contained in Windows Server 2008, along with some changes, additions, and enhancements to existing features and functionality. Most of these improvements are found under the hood, such as changes to how Active Directory works, an expansion of command line management and scripting tools, improvements to domain management, improved security mechanisms and services, greater accessibility and authentication, and some convenient new prepare and repair options in the way installations are handled.

A can’t-miss interface change is the Windows Server Manager (formerly called Manage Your Server), which appears automatically when you log on. In the Server Manager window, you can manage server roles and features, and access Diagnostics, Configuration, and Storage utility categories and much more. It’s up to you whether you want to use Windows Server Manager or start programs and utilities the old-fashioned way (by choosing Start). We chose to bypass the Windows Server Manager by selecting the Do Not Show Me This Console at Logon check box at the bottom of the Computer Information window pane. The entire 2008 platform does offer some interesting promises that just might be realized. The most important of these is the reduced effort required to develop and deploy complex e-commerce Web sites, stand-alone server core application services, and large-scale simultaneous roll-outs. Windows Server 2008 (as well as the rest of the .NET OS family) is tuned to provide better Internet and network service support to clients. When used with the .NET editions of Microsoft programming languages and networking services, you can create an impressive online presence. In the next chapter, we expand more on networking concepts, covering topics that range from multiple network interfaces to load-balancing and protocol offload processing, application services, client-based management, and wide-scale software deployment.
Part I: Servers at Your Service
Chapter 2
Server Networking Principles
In This Chapter
• Understanding the client/server network model
• Discovering new Windows Server 2008 features in core networking components
• Identifying client needs and positioning services
• Exploring protocol offload processing and network features
• Establishing server needs and provisioning services
• Defining network-oriented client/server services
• Examining policy-driven network-based application access
• Differentiating client and server wants or needs
For most applications, using Windows Server 2008 in a networked environment means buying into the client/server model. To help you understand this networking model, which explains why it’s necessary for Windows Server 2008 to exist, we explore the client/server model in detail in this chapter. Along the way, you discover more about the types of capabilities and services that client-server networks provide and the various ways that clients and servers interact on such networks.
Understanding the Differences between Server and Client Networking
The client-server networking paradigm describes the basic nature of operation between two computers that establish a connection and exchange data or share resources. The process typically begins when a client caller makes a request to a server application or service — this typifies a normal client-server transaction.
Now, the server may have something to give to the client, or the client may have something to give to the server, but that aspect doesn’t alter the relationship (although it may superimpose roles, particularly where a server is actually the client to another server). This is the push/pull concept, which describes the nature of data that is either pushed or pulled from source to destination. Characteristically, the client will follow this process:
1. Initiate a request. The client caller requests access to some resource or information from the remote server.
2. Wait for a reply. A participating server issues a reply, either permitting or forbidding the connection, which may require authentication in some cases.
3. Connect and interact. If access is granted, the client possibly authenticates and then begins interacting in some fashion with the server.
Likewise, the characteristic behavior pattern for a server includes these steps:
1. Listen for a request. Calling clients come and go as they please, requesting to initiate and interact with hosted services.
2. Process the request. Once received, the client request may optionally require authentication.
3. Connect and interact. At this point, both client and server are connected on a common channel and able to share resources or information.
What isn’t always apparent is that a single client connection may potentially involve several different servers to fulfill a single client request. Simple examples are all around you:
• E-mail clients send and receive messages from e-mail servers.
• Web browser clients broker data connections to FTP and Web servers.
• Even simple numeric dots-and-decimals addresses to human-readable hostname resolutions (and vice versa) require that your computer act as a client to a Domain Name Server (DNS).
An alternative to the client/server model that you’ll hear from time to time, which we don’t discuss at great length, is the peer-to-peer (P2P) network model. In this model, participants act as both clients and servers, sometimes sharing multiple parts of a single piece of data or establishing an open network of client-server hybrids capable of either sending and receiving data or sharing resources without a formal client/server role.
More Is Better: Multiple NICs (No Cuts)
Redundancy is one way of handling heavy workloads and network traffic for a single server servicing multiple clients. Multiple NICs (network interface cards) or network adapters provide separate network stacks that are better able to process a higher volume of traffic, create joined or separate subnets, or serve as an immediate fail-over when one interface goes down. You can even bind, load, and prioritize settings for one interface over another. Redundancy also enables future network expansion without the added cost of new servers and lets administrators logically separate networks according to the network interfaces they use. Administrators can establish and maintain server gateways that firewall inbound Internet connections from outbound internal endpoint computers, interconnect otherwise separate networks and subnets, and perform a variety of other tasks. In fact, if you take stock of the server-worthy hardware currently available on the market, you’re likely to see at least two integrated network adapters on many motherboards. Cheaper manufacturing costs and constant consumer demand put those dual interfaces on board and have thus far kept them there. However, these are limited-capability network interfaces that offer only basic functionality — mostly, they just do networking. Additional features are available from some add-in cards and stand-alone network appliances that can perform other tasks generally not feasible with integrated hardware, as described in the next section of this chapter.
Networking lingo
Network stack: We use the term network stack in this chapter, which is the basis of any operating system’s networking capability. In Chapter 1, we called this the protocol stack, which is the same as network protocol stack (or TCP/IP, mentioned later in this chapter), so the two are used interchangeably. Hopefully you won’t be confused when encountering these variations in the field.
NIC: A NIC is the hardware component that establishes network capability and connectivity through its software applications and drivers. This is the add-in or integrated interface card where you plug in the network cable from a router, switch, or broadband modem.
Windows Server 2008 Enhances Networking
Several underlying changes to the Windows Server 2008 networking infrastructure can enhance the capability and performance of an existing (or design-phase) network, regardless of whether it’s at home or at work. Many of these substantial changes, including total redesigns and new additions, are enterprise-oriented, where the primary emphasis is on capability, performance, and security features, and where advanced options are in the greatest demand. But that doesn’t mean you can’t take advantage of them, too! In this section, we make a connection to some of these enhancements to explore what you can do with your Windows Server 2008 network environment.
Next Generation TCP/IP stack
Windows Server 2008 includes a new implementation (a complete redesign) of the original TCP/IP protocol stack called the Next Generation TCP/IP stack. This new framework is a total rewrite of TCP/IP functionality for both IPv4 and IPv6. It’s designed to better meet connectivity and performance needs in various networking environments using various networking technologies. For the benefit of those stuck in a cave in Patagonia since the early 1980s, TCP/IP is the de facto standard network protocol stack for most server and workstation computers you’ll encounter, but it’s by no means the only one. It expands to Transmission Control Protocol/Internet Protocol and serves as the foundation for network traffic shuttled across the Internet. It’s become a nearly universal means for networked communications of all kinds. The core network stack framework is improved and enhanced to increase existing functionality, complement it with supplementary performance-enhancing functionality, and further expand that framework through additional features and components. The following section covers much of the material that’s both directly and indirectly related to advances in the Next Generation TCP/IP network protocol stack in Windows Server 2008.
Here’s the deal with IPv6
The new kid on the netblock is IPv6, the designated successor to IPv4 and touted as the next best thing. Primary improvements provided in IPv6 include a much larger (128-bit) address space capable of addressing 2^128 unique hosts, eliminating stopgap measures to deal with IPv4 address space limitations and enhancing security and mobility for networked computers. Despite these improvements, there has been little real-world deployment of IPv6 in a general sense, which limits the accessibility and availability of this new protocol framework to reserved, designated working groups in the technical field. Outside the scope of experimental and prototype networks in Europe and branches in high-tech companies, nobody is really using IPv6. Not even Cisco has shifted its internal infrastructure entirely over to IPv6 yet, so it’s no surprise (to us, anyway) that not too many other organizations are charging aggressively into IPv6 deployment, either. That said, we certainly won’t deny you the privilege of exploring this new technology and experiencing the advantages, benefits, and contributions of IPv6 deployment in your personal networking environment. We will, however, encourage you to experiment entirely at your own expense of time and money. (There’s just too much ground for us to reasonably cover.) Here are a few pointers to some online resources where you may begin your journey:
• “Everything You Need to Know about IPv6”: This is an Ars Technica article explaining IPv6 in (almost) plain English, complete with block-assignment diagrams. See http://arstechnica.com/articles/paedia/IPv6.ars for more information.
• IPv6 Running, Understanding IPv6 & Advanced Implementation of Protocol: This daily blog is dedicated to IPv6 topical discussion. Visit http://ipv6-tips.blogspot.com for more information.
• IPv6 to Standard: This Web page, devoted to the IETF IPv6 working group standardization process, lists and identifies vendors whose products are IPv6-enabled. See www.ipv6to-standard.org for details.
Receive window auto-tuning
In TCP, a receive window size defines the amount of data that a TCP receiver permits a TCP sender to push onto the network before requiring the sender to wait for acknowledgement of its receipt. Correctly determining the maximum receive window size for a connection is now automatically handled by receive window auto-tuning, which continuously determines the optimal window size on a per-connection basis using real-time bandwidth calculations. Improved receive window throughput increases network bandwidth utilization during data transfers. If all receivers are optimized for TCP data, Quality of Service (QoS) can help reduce congestion for networks operating at or near capacity.
Quality of Service (abbreviated QoS) refers to the ability to shape and control the characteristics of ongoing network communications services. This idea operates on the notion that transmission and error rates (along with other traffic characteristics) can be measured, improved, and guaranteed — to some extent, anyway.
Compound TCP
The Next Generation TCP/IP network stack also subjects connections with large receive window sizes and large bandwidth-delay products to Compound TCP (CTCP), a function that aggressively increases the amount of data sent in real time by monitoring current traffic conditions. CTCP also ensures that it doesn’t negatively impact other existing TCP connections, and it complements receive window auto-tuning support to provide substantial performance gains appreciable in any high-delay, high-throughput network environment.
Explicit Congestion Notification support
Lost TCP segments are assumed to have been dropped by a congested router, which triggers a congestion control mechanism that dramatically reduces a TCP sender’s transmission rate. With Explicit Congestion Notification (ECN; see RFC 3168, which you can find at www.faqs.org/rfcs/rfc3168.html) support, both TCP peers and routers experiencing congestion mark the packets they forward accordingly instead of dropping them. On receipt of such packets, a TCP peer will scale back its transmission rate to ease congestion and reduce segment loss. Windows Server 2008 now includes core support for this protocol feature.
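To make the marking concrete, here is an added example (not from the book) that builds IPv4/TCP headers in memory, shows where the RFC 3168 codepoint and the ECE/CWR flags live, and simulates a congested router marking a segment, the receiver echoing ECE, and the sender halving its window and answering with CWR. Addresses, ports and the congestion pattern are constructed.

```python
"""Added example, not from the book: what the ECN bits of RFC 3168 look like
on the wire and how the two TCP peers react to a router's mark.
The IPv4/TCP headers are constructed in memory; nothing is transmitted."""
import struct

# The low two bits of the IPv4 TOS byte carry the ECN codepoint.
NOT_ECT, ECT1, ECT0, CE = 0b00, 0b01, 0b10, 0b11
ECN_NAMES = {NOT_ECT: "Not-ECT", ECT1: "ECT(1)", ECT0: "ECT(0)", CE: "CE"}

# TCP flag bits; RFC 3168 added CWR and ECE beside URG.
FLAG_ACK, FLAG_ECE, FLAG_CWR = 0x010, 0x040, 0x080


def build_segment(src, dst, sport, dport, ecn, flags, payload=b""):
    """Minimal IPv4 header + TCP header around payload (checksums left zero,
    which is fine for inspection but would be rejected by a real stack)."""
    total_len = 40 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, ecn & 0x03, total_len, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    offset_flags = (5 << 12) | (flags & 0x1FF)       # data offset of 5 words
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_flags, 65535, 0, 0)
    return ip + tcp + payload


def parse_ecn(segment):
    """Return (codepoint name, ECE set?, CWR set?) from a raw IPv4/TCP segment."""
    ihl = (segment[0] & 0x0F) * 4
    flags = struct.unpack("!H", segment[ihl + 12:ihl + 14])[0] & 0x1FF
    return ECN_NAMES[segment[1] & 0x03], bool(flags & FLAG_ECE), bool(flags & FLAG_CWR)


def router_mark(segment, congested):
    """A congested router marks ECT packets CE instead of dropping them.
    Not-ECT packets are left alone here (a real router would drop them)."""
    if not congested or segment[1] & 0x03 == NOT_ECT:
        return segment
    return segment[:1] + bytes([segment[1] | CE]) + segment[2:]


class EcnSender:
    """On an ACK carrying ECE, halve cwnd (once per window) and answer with CWR."""
    def __init__(self, cwnd=10):
        self.cwnd, self.reduced = cwnd, False

    def on_ack(self, ece):
        if not ece:
            self.reduced = False          # ECE gone: a new reduction is allowed later
            return False
        if self.reduced:
            return False                  # already reacted to this congestion event
        self.cwnd, self.reduced = max(1, self.cwnd // 2), True
        return True                       # the next data segment carries CWR


class EcnReceiver:
    """After seeing CE, set ECE on every ACK until the sender's CWR arrives."""
    def __init__(self):
        self.ece = False

    def on_data(self, segment):
        codepoint, _, cwr = parse_ecn(segment)
        if codepoint == "CE":
            self.ece = True
        if cwr:
            self.ece = False
        return self.ece                   # ECE flag for the ACK going back


def simulate(congested_hops):
    """Send one ECT(0) segment per entry; True means the path was congested.
    Returns (final cwnd, ECE flag of each returned ACK)."""
    sender, receiver, cwr, ece_history = EcnSender(), EcnReceiver(), False, []
    for congested in congested_hops:
        data = build_segment("10.0.0.2", "192.0.2.10", 40000, 443,
                             ECT0, FLAG_CWR if cwr else 0)
        ece = receiver.on_data(router_mark(data, congested))
        ece_history.append(ece)
        cwr = sender.on_ack(ece)
    return sender.cwnd, ece_history
```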
Quality of Service (QoS) support
Windows Server 2003 and Windows XP provide QoS functionality to applications through QoS APIs, which are leveraged to prioritize time-sensitive network data delivery functions. Windows Server 2008 and Windows Vista include new facilities for network traffic management on Windows networks so that high-priority traffic is handled first, which helps with streaming media, voice over IP, video conferencing, and other applications where quick response times are needed. Policy-based QoS for enterprise networks allows IT staff to either prioritize or manage the send rate for outbound connections, which can be confined to applications, source/destination IPv4 or IPv6 addresses, and source/destination or a range of ports.
Enhancements for high-loss environments
The Next Generation TCP/IP stack also improves network conditions in high-loss environments through several optimization features that include:
• (RFC 2582) The NewReno Modification to TCP’s Fast Recovery Algorithm: The NewReno algorithm provides faster throughput by changing the way a sender can increase its sending rate when multiple segments in a given window are lost, and the sender receives partial acknowledgement only for segments actually received.
• (RFC 2883) An Extension to Selective Acknowledgement (SACK) Option for TCP: SACK allows a receiver to determine when it has retransmitted a segment unnecessarily and adjust its behavior on-the-fly to prevent further unnecessary retransmissions. Fewer retransmissions result in better overall delivery.
• (RFC 3517) A Conservative Selective Acknowledgement (SACK)-based Loss Recovery Algorithm for TCP: Windows Server 2003 and Windows XP use SACK information only to determine those TCP segments that have yet to arrive. Windows Server 2008 includes a method defined in RFC 3517 to use SACK information for loss recovery in the event duplicate acknowledgements are received, which is maintained on a per-connection basis by the Next Generation TCP/IP stack.
• (RFC 4138) Forward RTO-Recovery (F-RTO): Spurious retransmissions can occur as a result of increases in round trip time (RTT). The F-RTO algorithm prevents unnecessary retransmissions, particularly in wireless environments where client adapters may roam from point to point, to return quickly to normal send rates.
These represent only some of the many additions, enhancements, and inclusions to the core network components in Windows Server 2008. For a more complete list, visit the Microsoft TechNet article at www.microsoft.com/technet/network/evaluate/new_network.mspx.
Offloading protocol processing
Certain specialized network interfaces and hardware are capable of offloading the often resource-intensive burden of processing TCP/IP network stack information, which requires handling of a multilayered protocol framework to deliver encapsulated data. This frees up local CPU and RAM to process other general-purpose tasks and moves the strain of ongoing network connection processes to specially-designed hardware designated for that purpose.
By encapsulated data, we refer to the way data is packaged as it travels down the TCP/IP network protocol stack. Higher-level protocols are encapsulated within header (and sometimes trailer) information so that lower-level routing and switching devices can process (and in some cases interpret) protocol data. Protocol offload processing is supported through software that is called the TCP Chimney in Windows (discussed next) and hardware that is called the TCP Offload Engine (discussed in Chapter 3).
TCP Chimney
The TCP Chimney is a feature introduced first in Windows Vista and second — by extension — in Windows Server 2008. It’s the result of Microsoft’s Scalable Networking initiative, which encompasses a number of changes to the core network infrastructure of every new platform product. The goal is to reduce operational overhead associated with establishing, maintaining, and terminating connection state — the status of a given network connection — and all requisite state information throughout the lifetime of a connection. By removing such overhead from general-purpose resources and delegating the responsibility to special-purpose network interfaces, additional computing resources are freed up, especially on servers. A chimney is a collection of offloaded protocol state objects and any associated semantics that enable the host computer to offload network protocol processing to some other network device, usually the network interface. Since NDIS 6.0, Windows Server has included an architecture that supports full TCP offload, called a chimney offload architecture because it provides a direct connection between applications and an offload-capable network adapter. This enables the network adapter to perform TCP/IP stack processing for offloaded connections, as well as to maintain the protocol state.
Changes to NDIS
Microsoft’s Network Driver Interface Specification (NDIS) defines a standard application programming interface (API) for network adapters. The details of a network adapter’s hardware implementation are wrapped by a MAC device driver so that all devices for the same media are accessed in a common, predictable way. NDIS provides the library of functionality necessary to drive network interactions for the Windows platform that both simplifies driver development tasks and hides the ugliness of platform-specific dependencies. Some of the new features provided by NDIS specification version 6.0 are described below.
New offload support
NDIS 6.0 now supports offloading new kinds of network traffic processing to compatible network adapters, including:
• IPv6 traffic offload: NDIS 5.1 (Windows XP, Windows Server 2003) already supports IPv4 protocol offload processing; NDIS 6.0 also includes IPv6 traffic.
• IPv6 checksum offload: Checksum calculations for IPv6 can now be offloaded to compliant network adapters.
• Large send offload (version 2): NDIS 5.1 supports large send offload (LSO), which offloads the segmentation of TCP protocol data into 64K blocks. Large send offload 2 (LSOv2) in NDIS 6.0 now offloads much larger blocks.
Support for lightweight filter drivers
Intermediate filter drivers are replaced by lightweight filter (LWF) drivers, a combination of an NDIS 6.0 intermediate driver and a miniport driver. LWF improves performance, consolidates protocol driver support, and provides a bypass mode where LWF examines only select control and data paths.
Receive-side scaling
Multiprocessor computers running Windows Server 2003 or Windows XP associate a given network adapter with a single processor. That individual processor must handle all traffic for that interface, despite the fact that other processors may be available. This impacts Web- and file-server performance when client connections reach the serviceable limit of that associated processor. Incoming traffic that can’t be handled by either network interface or server processor will be discarded, which is undesirable in just about every situation. This increases the number of TCP/IP-oriented session serialization and sequence identifiers and amplifies performance penalties as a result of network stack retransmissions. Both session serialization (sessions encoded as a sequence) and sequence identifiers (unique numeric values associated with serialized sessions) are related to the protocol stack. These properties help identify what portions of data are assembled and in what order, such that portions arriving out-of-order are properly reordered and those that never arrive are requested again.
Windows Server 2008 no longer associates a network adapter to a single processor; instead, inbound traffic is distributed among the available processor array and processed accordingly. This feature is called receive-side scaling, which allows for more inbound traffic on high-volume network interfaces. A multiprocessor server computer can scale its ability to handle incoming traffic without additional hardware, so long as compliant network adapters are already in place.
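How the distribution is actually decided, as an added example that is not from the book: NDIS receive-side scaling runs a Toeplitz hash over the packet's address and port tuple and uses the low bits of the result to pick a slot in an indirection table that names a processor, so every segment of one connection lands on the same CPU. The key and the address/port test vector are the ones Microsoft publishes for verifying RSS implementations; the indirection table and the sample flows are constructed.

```python
"""Added example, not from the book: how receive-side scaling picks a processor
for an inbound packet. NDIS RSS hashes the packet's address/port tuple with a
Toeplitz hash and uses the low bits of the hash to index an indirection table
that names a processor. The key and the test vector are the ones Microsoft
publishes for verifying RSS implementations; the table is a constructed example."""
import ipaddress
import struct

# Microsoft's public 40-byte RSS verification key (a production adapter gets
# a key the driver generates).
RSS_KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0d0ca2bcbae7b30b477cb2da38030f20c"
    "6a42b73bbeac01fa")


def toeplitz_hash(data, key=RSS_KEY):
    """For every set bit i of data (MSB first), XOR in the 32-bit window of
    the key that starts at bit position i."""
    key_int = int.from_bytes(key, "big")
    key_bits = len(key) * 8
    result = 0
    for i in range(len(data) * 8):
        if data[i // 8] & (0x80 >> (i % 8)):
            result ^= (key_int >> (key_bits - 32 - i)) & 0xFFFFFFFF
    return result


def tcp_ipv4_input(src_ip, dst_ip, src_port, dst_port):
    """Hash input for TCP over IPv4, in network byte order:
    source address, destination address, source port, destination port."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!HH", src_port, dst_port))


def ipv4_input(src_ip, dst_ip):
    """Hash input for non-TCP IPv4 traffic: the two addresses only."""
    return ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed


def build_indirection_table(cpus, entries=128):
    """Constructed round-robin table: the hash's low 7 bits pick a slot, and
    each slot names the processor whose queue receives the packet."""
    return [cpus[i % len(cpus)] for i in range(entries)]


def select_cpu(hash_input, table):
    """All packets of one flow hash alike, so a flow always lands on one CPU
    and its segments are never reordered across processors."""
    return table[toeplitz_hash(hash_input) & (len(table) - 1)]


def spread(flows, table):
    """Count how many of the given flows land on each processor."""
    counts = {}
    for flow in flows:
        cpu = select_cpu(flow, table)
        counts[cpu] = counts.get(cpu, 0) + 1
    return counts
```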
Networking Is About Services, Too
In the first part of the chapter, our discussion of Windows Server 2008 principles covers mostly the new features added to core networking components, the NDIS 6.0 API, and protocol offload processing. Networking isn’t just about these features — in fact, they represent the unseen or transparent infrastructure upon which all services are built and operate. Networking is much more than the communications protocols, offload engines, and security frameworks that serve as the basis for connectivity. Networking might not have a purpose or place without the necessary application services that server computers host for client computers (comprised of workstations and servers), so that both may interact in some fashion. A network, by and large, is for the people — the very endpoint representatives that create network connections. But it isn’t entirely about what the people — or clients — want; much of the way a network infrastructure is designed, constructed, and maintained is dictated by what the business wants and needs. In the following sections, we take a closer look at the very distinctions that differentiate client and server wants and needs in terms of application and background services.
What clients want
Client computers and personnel want a lot of things: easy access, worry-free reliability, unfaltering dependability . . . and probably some other things they aren’t quite sure of or don’t know how to articulate in techie terms. Who wants to configure an IP address every time a connection is made to the same, or any, network? What about sharing a common connection among other computers?
Simple naming schemes, remote Web-based application access, and transaction-driven database services are just some of what clients want. Let’s delve a little further into these topics for your personal benefit.
DHCP
Dynamic Host Configuration Protocol (DHCP) is a set of rules used by network communications devices to request and obtain an IPv4 or IPv6 address lease assignment from the available pool of administrator-specified addresses. DHCP alleviates the need for network administrators to actually make such assignments by hand, freeing them up to handle other tasks. A DHCP server ensures that uniquely-generated, dynamically allocated IP assignments are made to connecting clients, along with whatever preferential server settings may apply to the client connection. However, it can also ensure that the same IP is given only to a specific machine every single time it connects. DHCP is the successor to an older Boot Protocol (BOOTP), which achieved a very similar goal. DHCP automates not only the assignment of IP addresses but also subnet masks, default gateways, and other lease-related parameters. On boot-up, a connecting client will issue a request to the network for its personal address assignment to the DHCP application service. In turn, the service applies a set of rules that govern the assignment and returns the requested information to the client. DHCP provides three modes for allocating addresses:
• Dynamic: Clients are provided an address assignment lease that expires after some specified duration of time. Reconnecting client computers may or may not receive the same IP address, and no real concern is given to consistency.
• Automatic: Also known as DHCP Reservation, an automatic assignment is one where a given address is permanently assigned to a particular client. The DHCP server selects from a range specified by the administrator.
• Manual: Client-based address selection and DHCP protocol message response inform the server of the new address allocation. The DHCP server performs the allocation based on a table with interface hardware or MAC addresses, where administrators manually specify IP and MAC pairs for connecting clients.
Network administrators not only reduce the amount of repetitive and potentially unnecessary effort associated with manual address assignments, but also eliminate the potential for configuration mistakes when configuring multiple clients.
Windows Server 2008 enhancements to DHCP include IPv6 support (DHCPv6) and Network Access Protection (NAP) enforcement, which requires a connecting DHCP client to prove its system health status before receiving an address assignment.
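The three allocation modes and the NAP gate described above, worked through in an added example that is not from the book: a miniature DHCP scope that hands out expiring dynamic leases, honors reservations and manual IP/MAC pairs, refuses a client that fails its health check, and renews a client that already holds an address. All addresses, MACs, the health verdict and the clock are constructed.

```python
"""Added example, not from the book: a miniature DHCP address allocator that
implements the three allocation modes described above (dynamic leases that
expire, reservations chosen from the administrator's range for a given MAC,
and manually paired IP/MAC entries) plus the NAP-style health gate that
Windows Server 2008 adds. Every address, MAC and the health verdict are
constructed; a simulated clock stands in for real time."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Lease:
    ip: str
    mac: str
    expires_at: int      # simulated clock, in seconds
    mode: str            # "dynamic", "reservation" or "manual"


@dataclass
class DhcpScope:
    pool_start: str
    pool_end: str
    lease_seconds: int = 3600
    reservations: dict = field(default_factory=dict)   # mac -> ip inside the pool
    manual: dict = field(default_factory=dict)         # mac -> ip chosen by the admin
    leases: dict = field(default_factory=dict)         # ip -> Lease
    require_healthy: bool = False                      # NAP enforcement on/off

    def _pool(self):
        start = int(ipaddress.IPv4Address(self.pool_start))
        end = int(ipaddress.IPv4Address(self.pool_end))
        return (str(ipaddress.IPv4Address(n)) for n in range(start, end + 1))

    def _expire(self, now):
        """Leases simply lapse; the address returns to the pool."""
        for ip in [ip for ip, lease in self.leases.items() if lease.expires_at <= now]:
            del self.leases[ip]

    def request(self, mac, now, healthy=True):
        """Answer a client's request: return its Lease, or None if refused."""
        self._expire(now)
        if self.require_healthy and not healthy:
            return None      # NAP: no address until the client proves its health
        for lease in self.leases.values():
            if lease.mac == mac:             # renewal keeps the current address
                lease.expires_at = now + self.lease_seconds
                return lease
        if mac in self.manual:
            ip, mode = self.manual[mac], "manual"
        elif mac in self.reservations:
            ip, mode = self.reservations[mac], "reservation"
        else:
            # Dynamic: first free pool address that is not reserved for someone.
            taken = set(self.leases) | set(self.reservations.values())
            ip = next((c for c in self._pool() if c not in taken), None)
            mode = "dynamic"
            if ip is None:
                return None  # pool exhausted
        if ip in self.leases:
            return None      # fixed address already held by another MAC
        lease = Lease(ip, mac, now + self.lease_seconds, mode)
        self.leases[ip] = lease
        return lease
```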
NAT
Network Address Translation (NAT), network masquerading, and IP masquerading are all terms used to describe rewriting packets as they pass through an intermediary networking device to appear as if they originated from that device. There are many NAT arrangements, types, and variations, but all operate along the same lines. NAT confers two profound advantages on outbound network traffic:
• It permits internal networks to use private IP addresses as per RFC 1918 and handles incoming and outgoing traffic to make that arrangement work.
• It hides the details of internal network addresses, whether public or private — which explains the masquerading terminology used in the preceding paragraph.
There are several distinct advantages to this kind of arrangement. For starters, NAT insulates internal computers from external probes, keeping crime out like a security fence. At the same time, NAT enables many internal computers to utilize a single external network connection where only a single IP address is assigned. NAT originally began as a response to the IPv4 address space shortage but has proven useful in many other ways. Sometimes, communications protocols can be sensitive to alterations in packet header data. NAT mangles the original data contained in a packet, which can disrupt certain types of security protocols that absolutely require a packet to pass from sender to receiver unaltered. This was the case for IPSec when it first arrived on the scene because critical portions of header elements were modified by NAT, upon which IPSec relied. As a result, connections failed, and trouble followed close behind. Today, such traffic is handled without much difficulty, thanks to innovations in how NAT works and how security protocols are used. Internet Protocol Security, abbreviated IPSec, is an addition to the TCP/IP framework that includes more reliable security mechanisms for an otherwise insecure network environment.
Such capability is usually involved with large-scale environments spread across geographically diverse networks, or anywhere sensitive business applications and services are privately shared over the Internet.
NAT can be used for load-balancing for connection redirection, as part of a failover design to establish high-availability, as a transparent proxy for content caching and request filtration, or to connect two networks with overlapping addresses.
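The masquerading, the "security fence" effect and the IPSec breakage described above, as an added example that is not from the book: a port-translating NAT table that lets several RFC 1918 hosts share one public address, returns replies to the right inside host, drops inbound packets that no inside host asked for, and shows why an integrity check computed over the IP header (as IPSec's Authentication Header does) no longer verifies once NAT has rewritten the addresses. All addresses, ports and the key are constructed.

```python
"""Added example, not from the book: a port-translating NAT table that shows
the effects described above: many inside hosts share one public address,
replies to outbound flows are rewritten back to the inside host, and an
inbound packet nobody asked for has no mapping and is dropped. The last
function shows why an integrity check that covers the IP header (as IPsec AH
does) fails once NAT has rewritten it. All addresses are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Network address and port translation behind one public address."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (inside ip, inside port, remote ip, remote port) -> public port
        self.inbound = {}    # (public port, remote ip, remote port) -> (inside ip, inside port)

    def outbound_translate(self, pkt):
        """Rewrite the source of an inside->outside packet to the public address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound.get(key)
        if port is None:                      # first packet of a new flow
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound_translate(self, pkt):
        """Rewrite the destination of an outside->inside packet, or return None
        to drop it when no inside host opened a flow to that sender."""
        target = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])


def integrity_tag(pkt, key=b"constructed-shared-key"):
    """Stand-in for a keyed integrity check over the address fields, the way
    IPsec AH covers the IP header: any rewrite changes the tag."""
    covered = f"{pkt.src_ip}:{pkt.src_port}>{pkt.dst_ip}:{pkt.dst_port}".encode()
    return hashlib.sha256(key + covered).hexdigest()


def verify_after_nat(nat, pkt):
    """The sender tags the original packet; the outside receiver recomputes the
    tag on what NAT delivered. True only if the two match."""
    return integrity_tag(pkt) == integrity_tag(nat.outbound_translate(pkt))
```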
Name services
Windows Internet Naming Service (WINS) is Microsoft’s implementation of NetBIOS Name Server (NBNS) on Windows and is very similar to the relationship between DNS and domain names. This is a basic service for NetBIOS computer names, which are dynamically updated and mapped through DHCP. WINS allows client computers to register and request NetBIOS names and IP addresses in a dynamic, distributed fashion to resolve locally-connected Windows computer resources. A single network may have several WINS servers operating in push/pull replication, perhaps in a decentralized, distributed hub-and-spoke configuration. Each WINS server contains a full copy of every other WINS server’s records because there’s no hierarchy as with DNS — but the database may still be queried for the address to contact (rather than broadcasting a request for the right one). WINS is only necessary if pre-Windows 2000 clients or servers or Exchange 2000/2003 clients are present and resolving NetBIOS names. Realistically, most networking environments are better served by DNS as a preferable alternative to WINS, particularly in Windows Server 2003 or 2008 environments. However, WINS remains an integral function in Windows networks to support older clients using legacy software.
Application access
Terminal Services (TS) in Windows Server 2008 implements Microsoft’s most powerful centralized application access platform and offers an array of new capabilities that reshape administrator and user experiences alike. TS provides centralized access to individual applications without requiring a full-fledged remote desktop session (although that’s still an option). Applications operating remotely are integrated on local user desktops, where they look and feel like local applications. An organization can employ HTTPS over VPN to secure remote access to centralized applications and desktops. Using TS in a Windows Server 2008 environment enables you to:
• Deploy applications that integrate with the local user desktop.
• Provide central access to managed Windows desktops.
• Enable remote access for existing WAN applications.
• Secure applications and data within the data center.
Windows Server 2008 TS includes the following features:
• TS RemoteApp: Programs accessed through TS behave as if they run locally on a remote user’s computer. Users may run TS RemoteApp programs alongside local applications.
• TS Gateway: Authorized remote users may connect to TS servers and desktops on the intranet from any Internet-accessible device running Remote Desktop Connection (RDC) 6.0. TS Gateway uses Remote Desktop Protocol (RDP) via HTTPS to form a secure, encrypted channel between remote users.
• TS Web Access: TS RemoteApp is made available to remote end users through TS Web Access, which can be a simple default Web page used to deploy RemoteApp via the Web. Resources are accessible via both intranet and Internet computers.
• TS Session Broker: A simpler alternative to load-balancing TS is provided through TS Broker, a new feature that distributes session data to the least active server in a small (two to five) farm of servers. IT administrators can even map several TS IP addresses to a single human-addressable DNS name, so end users needn’t be aware of any specific settings to connect and reconnect TS broker sessions.
• TS Easy Print: Another new feature in Windows Server 2008 enables users to reliably print from a TS RemoteApp program or desktop session to either a local or network printer installed on the client computer. Printers are supported without any installation of print drivers on the TS endpoint, which greatly simplifies the network sharing process.
In addition, the Application Server role in Windows Server 2008 provides an integrated environment for customizing, deploying, and running server-based business applications. This supports applications that use ASP.NET, COM+, Message Queuing, Microsoft .NET Framework 2.0/3.0, Web Services, and distributed transactions that respond to network-driven requests from other applications and client computers.
The Application Server role is a requirement for Windows Server 2008 environments running applications dependent upon role services or features selected during the installation process. Typically, this role is required when deploying internally-developed business applications, which might be database-stored customer records interfaced through Windows Communication Foundation (WCF) Web Services.
Data-based services
Centralized application and data access helps keep sensitive and/or personally identifying information out of the remote working environment. Less data leaving the corporate network reduces the risk of accidental or incidental data loss through the interception, theft, or misplacement of company notebooks. Through TS Gateway and TS RemoteApp, participants can be limited to a single application or several resources, without exposing any more information than necessary to do their jobs. For those mobile users out in the field, BitLocker Drive Encryption provides a complete cryptographic solution to safely and securely store sensitive data at rest. Everything up to core Windows operating system data and files gets cryptographic coverage so that tampering by unauthorized parties is thwarted, even if the hard drive is removed and the notebook is manipulated in any way. Windows Server 2008 File Services are technological provisions that facilitate storage management, file replication, folder sharing, fast searching, and accessibility for UNIX client computers. See Microsoft TechNet articles for information on these features.
Web-based services
Task-based Web server management is handled in Internet Information Services (IIS) 7.0, a powerful, modular platform for remote applications and services with enhanced security, featuring health monitoring for Web services. IIS 7.0 and .NET Framework 3.0 provide the basis for application and user connectivity, enabling users to distribute and visualize shared information. Windows Server 2008 SharePoint Services is a scalable, manageable platform for the collaboration and development of Web-based business applications. It can be installed as an integrated server role through the new Server Manager console — no more downloading and running Setup. The SharePoint Products and Technologies Configuration Wizard walks you through the installation process for server farm configurations, dramatically easing deployment for large-scale enterprise networks. Consult Microsoft TechNet articles for more information on SharePoint Services.
What enterprises want
Enterprise wants and needs go far beyond those of the desktop or workstation consumer group. Most of those wants and needs center around managing resources or maintaining connections among desktops, workstations, and other server computers.
Active Directory
Active Directory (AD) is an implementation of the Lightweight Directory Access Protocol (LDAP), a protocol and service framework that delivers directory services to Windows-based networks. AD provides central authentication and authorization services, global policy assignment, widespread software deployment, and large-scale updates for an entire organization. AD Directory Service (DS) is used to centrally store and manage information about the network resources spread across a given domain. The framework itself holds a number of levels that include forests, domains, and trees, as described in fuller detail in Chapters 7 and 8.
Access controls
Employees are defined by their roles or capacities within an organization. There are leadership roles, management roles, and general occupational roles to fulfill, each defined by separate duties, privileges, and responsibilities. Among those privileges and responsibilities are varying layers of access to business-related information. For example, a general employee has no real reason to access or modify management-related information, such as work schedules or other employees’ contact information. In much the same way, users are defined in a system by their access privileges on that system. Access controls are restrictions enforced on server computers to prevent accidental, intentional, and unauthorized use of data, files, and settings, particularly those critical to system operation. One feature Windows Server 2008 brings to the table is Network Access Protection (NAP), which enforces strict health checks on all incoming client connections. That is, it inspects the state of the client to make sure it meets requirements for antivirus and antispyware coverage and currency, Windows Update currency, and so forth.
Policy-based controls
Policy-based controls on the Windows Server 2008 platform are evident virtually anywhere a user or process interacts with the system. Active Directory (AD) Domain Services are a global configuration policy-driven framework used to define various Windows network parameters for an entire organization. Policy-based control is also apparent in protective access mechanisms deployed on the network to enforce certain requirements for connecting computers.
Microsoft’s Network Policy Server (NPS) is an implementation of Remote Authentication Dial-In User Service (RADIUS), a network-policy checking server and proxy for Windows Server 2008. NPS replaces the original Internet Authentication Service (IAS) in Windows Server 2003, performs all the same functions for VPN and 802.1X-based wired and wireless links, and performs health evaluations before granting access to NAP clients. Policy-based controls also encompass a variety of Windows Server 2008 core components and features, such as network protocol-oriented QoS and the system-wide directory services provided through AD.
Client management
In addition to NAP features that ensure an optimal level of health for Windows Server 2008 networks, a number of other useful client management tools are natively available on the platform. TS Remote Desktop Connection (RDC) 6.0 remotely verifies that clients are connecting to the correct computers or servers. This prevents accidental connections to unintended targets and the potential to expose sensitive client-side information to an unauthorized server. TS Gateway also provides for endpoint-to-endpoint sessions using the Remote Desktop Protocol (RDP) over HTTPS for a secure, encrypted communications channel between various clients, including FreeBSD, Linux, Mac OS X, and Solaris.
Software deployment
There’s a lot of redundancy in virtually every modern computing and networking environment. There are multiple workstation computers for multiple employees, possibly built with dual memory banks, dual-core processors, and doubled-up RAID drives and NICs, communicating with load-balanced servers operating in round-robin fashion — just to give a thumbnail perspective of a much bigger portrait. Chances are good that in an environment like this, when you configure, install, or modify something once, you’ll have to repeat that same action elsewhere. Large-scale software deployments are one clear instance of this observation. Generally, you don’t install just one computer but several. It may be a few dozen, or it may be several hundreds or thousands. Either way, do you really want to process each case individually by hand? We didn’t think so, and neither do most administrators, which is why you hear things like “unattended” or “automated” installation.
Windows Server 2008 further enhances the software deployment cycle by realizing a simple principle: Build a modular, easily modified, unified image format through which all subsequent installation images are created, each unique only in the features it removes from or adds to the base. The Windows Imaging Format (WIF) creates an abstract modular building block for operating system deployment so that you can create in-house install images that incorporate whatever applications, configurations, or extensions you deem necessary. Then, you can roll out multiple installs at a time in a completely self-contained, automated fashion that can even include previously backed-up personal user data and settings.
Chapter 3
Building Your Network
In This Chapter
• Designing networks that work
• Understanding the fundamentals of network design
• Situating servers and other network devices
• Double-checking your design work
• Mapping your network
Whether you’re constructing a complete network or simply renovating an existing network, the basic approach is the same. You begin by planning what you want to implement, and then you gather the ingredients necessary to realize your plans. Next, you have to execute those plans according to the blueprint that you devised. The execution of any successful network project plan involves bringing all the pieces together, applying solid organizational principles to your network, and documenting what you add (and what’s already in place) to your network.
Developing a Network Implementation Plan
Whenever you set forth on a network project, start by analyzing your requirements. If you’re building a network from scratch, this phase can take weeks or even months of effort; if you’re simply extending or repairing an existing network, planning may take a day of your time or less. Whatever your project’s scope, your plan should contain the following:
• A brief statement of your overall objectives, plus a more lengthy statement of requirements that addresses the following:
  • What applications and services users need to access
  • Estimates of user-to-server bandwidth requirements
  • Estimates of server-to-server bandwidth requirements (where applicable)
  For example: The new XYZ Inc. network will provide 60 users with access to Windows Server 2008 file and print services, plus access to a SQL Server sales and inventory database. Each user will require no more than 6 Mbps bandwidth, and there are no server-to-server bandwidth requirements during business hours because all backups are scheduled for after-hours and weekends.
• A complete list of all the elements that you must purchase or otherwise acquire to meet those objectives.
  For example: At XYZ Inc., three different department servers (Accounting, Manufacturing, and Sales) will act as routers to link two network segments of 10 users each, for a total of six user segments based on 100 Mbps Ethernet. The three servers will be connected with a 1000 Mbps Ethernet backbone using Gigabit Ethernet (GbE). We will purchase six 16-port 10/100 Ethernet hubs (one per user segment, each with two GbE links for the corporate backbone) to leave room for growth, and three dual-core 2.13 GHz Intel Xeon 3050 server machines, each with 8 GB RAM and 2 TB of disk space, along with a 16-port GbE switch to handle the backbone itself. We will also attach three Buffalo TeraStation Pro II network attached storage (NAS) units so that we can back up all three servers across the backbone.
• A description of the role each element will play on the network, the location of each element on the network, the configuration of each element, and the time during the installation process in which you plan to add each element to the network. You should use a map or a set of plans to help you place cables, computers, and other components, and a timeline to indicate the order in which you have to install everything.
  For example: The Accounting server will handle users from the Accounting and Purchasing departments; the Manufacturing server will handle users from the Manufacturing and Engineering departments; the Sales server will handle users from Administration as well as from the Sales and Marketing departments. All servers, the backbone, and all hubs will be installed when the company is closed between Christmas and the new year. The network should be operational when normal business operations resume. A map of this network appears in Figure 3-1.
• A test plan that describes how you plan to test individual elements, individual cable segments, and the entire network (including who is responsible for specific tasks) to make sure everything functions properly after you finish the installation.
  For example: The three servers will be installed first and tested individually the weekend before the Christmas break. On December 23 and 24, the GbE backbone will be installed. On December 28, the backbone will be tested. On December 28 and 29, the hubs will be installed and tested. On December 30, workstations on all existing 10-Mbps cable segments will be connected to the new 10/100 hubs and tested individually. From December 31 to January 2, automated testing software will exercise the entire network. On January 3, a network technician will visit our site with Bob, the site administrator, and any last-minute changes, repairs, and adjustments will be performed. We believe the network will be ready for use on January 4.
[Figure 3-1, not reproduced: a floor plan of XYZ Inc.’s first, second, and third floors showing Switch #1, Switch #2, and Switch #3 on the GbE backbone, the Accounting, Manufacturing, and Sales servers, the network attached storage (NAS), and the Accounting, Purchasing, Manufacturing, Engineering, Sales, Marketing, and Administration workstation groups.]
Figure 3-1: A simple map of XYZ Inc.’s network shows all switches, servers, and cable segments laid over a simple floor plan.
This plan helps you to decide where you must place key network elements, such as servers, switches, routers, and other network devices. More importantly, the plan also helps you determine what type of network technology and bandwidth you need to deploy to meet your objectives. Because most businesses work on a budget, building a plan also helps you make sure that you won’t try to spend more than you’re allowed to spend or incorporate more exotic technologies than you can afford. Your network implementation plan should also help you evaluate your current network backbone or plan a new one to be able to carry all the traffic that normally comes together on such critical network segments.
Understanding Network Design’s Barest Basics
The possible implementations from which you can choose when designing a network are innumerable. To help you distinguish between what’s improbable, possible, feasible, and recommended when designing your network, here’s a set of helpful guidelines:
• Select a network technology: When adding to or expanding an existing network, this decision is easy — it simply requires choosing something identical to or compatible with whatever you’re using. For new networks, you need to analyze what kinds of applications and services users require:
  • For ordinary office work (e-mail, word processing, spreadsheets, basic database access, and so on), 10/100 Mbps Ethernet works well.
  • For high-traffic or real-time applications — such as Computer Aided Design (CAD), imaging, video conferencing, and voice over network — either 100 Mbps Ethernet or GbE to the desktop makes sense, depending on end-user bandwidth requirements.
  • For high-availability or mission-critical business applications — such as on-demand services and business-to-business applications — both redundant network configurations and failover clustering (first introduced in Chapter 1) should be part of your initial IT infrastructure design.
  It’s seldom necessary to deploy GbE to all desktops, but some may need it. So plan carefully to provide gigabit connections to those who do need it, and likewise, plan your backbone carefully to make sure it can handle all the aggregated bandwidth needs. (In some rare cases, a 10 GbE backbone might be required, but usually not for most small- to medium-sized operations.)
• Position office equipment close to users: When designing a network, the smartest thing you can do is minimize the distance between users and the resources they use most. This applies to printers (so users enjoy easy access to output), servers (so cable runs needn’t be too long), and other resources (such as fax machines, scanners, and copiers) that users need to access to do their jobs.
• Closely situate mutually dependent servers: Keep in mind that some servers act as front-end clients to other servers, in contrast to the typical client-server role. Keep these servers close together to hold bandwidth utilization at a reasonable level, and leave the longer pathways for the traffic between client and server.
• Build an online work environment: When designing a network, you also have to take into account current working patterns and arrangements in your offices. (For example, if the Accounting and Purchasing departments work together all the time and use the same applications, perhaps they should share a server.) This also applies to the type of network you build. For small companies, centralized control and tight security may hamper your workers; in large companies, centralized control and tight security are the norm. You must serve the communities that currently exist in your organization and use the network to help users communicate and be as productive as possible.
• Arrange servers, hubs, and other key resources: The places where wiring congregates — namely at punchdown blocks, wiring centers, and equipment rooms (or closets) — sometimes dictate where certain equipment must be placed. Be sure to check the distance between those locations and the areas where workers reside. In most cases, offices are designed to support cabling from a centrally located wiring center or equipment room for groups of offices. If that isn’t the case in your workspace, you may have to add new equipment rooms and wiring centers or move workers to bring them closer to existing facilities. Either of these solutions takes time and costs serious money, so be sure to get management involved in deciding which options make the most sense for your organization.
• Build better backbones: Depending on your network technology choice, you’ll probably want to arrange your network to include a special highway for data to travel across when multiple network cables come together. This can happen between servers, as with the XYZ Inc. example in this chapter. Such portions of the network are called backbones. A backbone can be something as simple as a so-called collapsed backbone, in which a high-speed switch links multiple cable segments and provides a single, high-speed connection between all cable segments. A backbone can also be as complex as a staged backbone, in which intermediate segments jump from switched 100 Mbps Ethernet to switched GbE at the server (as in the XYZ Inc. example in this chapter). More complex backbones might even include a segment of 10 GbE on the innermost segment, where traffic is heaviest.
• Plan for growth: When planning a network, include at least 30 percent spare, unused capacity in your design. This spare capacity should include network ports (unused ports on switches), unused network cables in offices and cableways, and bandwidth on individual network segments and switches. That way, you can grow within your current environment for a while without having to redesign your network on a regular basis. If your annual growth rate exceeds 30 percent, design at least one year’s planned growth into your network — better yet, one year’s planned growth plus 30 percent.
• Work within the system: As you discover when you start deploying a network in any organization, networks have a political as well as a technical side. When you plan a network, you should work within your system in at least two ways:
  1. Make sure that management knows about and approves of what you plan.
  2. Make sure that you handle the work, contracts, purchases, and so on within the rules and regulations of your organization.
  If you neglect either of these guidelines, the only thing you’ll learn how to network is trouble!
• Check your design: After you put a network design down on paper, review that design against what you know about the network technologies it uses. Be especially careful to check maximum cable lengths, maximum number of devices per segment, and maximum number of cable segments and devices between any two ends of the network against the rules that apply to the technologies you plan to use. You don’t want to build a network that tries to break these rules. If you do, your network may not work, or worse, it may work for a while and then quit working when you add users or devices. If you check your work before you build, you won’t try to build something that can’t work or that’s inherently prone to trouble.
• Ask for a sanity check: After you’ve put a network design down on paper and checked your work, you should also solicit input from one or more networking experts. Redesigning a network is always easier while it’s still on paper; you don’t want to fix a flawed design after you’ve built a network. The more qualified advice you get before you start building, the better off you’ll be in the long run. In fact, this advice is worth paying for because it can save you a world of hurt (or your job, for that matter).
Although this list of network design principles isn’t exhaustive, it should lead you toward designing a network that works best for your organization. Because these guidelines consider work patterns, politics, and organizational rules as well as technology, the resulting network should serve your organization well for more than just technical reasons.
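As an added example (not from the book), the following Python checker applies the implementation-plan figures and the design rules above to the XYZ Inc. numbers: per-user bandwidth against segment speed, worst-case aggregate demand against the GbE backbone, users against usable hub ports, and the 30 percent spare-capacity rule with its growth variant. The 100 m copper cable limit and the cable-run lengths are assumptions (the chapter gives no numbers for either), and with the plan’s own figures a 16-port hub with two uplinks leaves 4 of 14 user ports free, just under the 30 percent rule.

```python
"""Design checker for the XYZ Inc. plan in this chapter (added example,
not from the book).

It holds the plan as data and applies the chapter's own checks: each
user's bandwidth against the segment speed, aggregated demand against the
GbE backbone, users against usable hub ports, the 30 percent spare-capacity
rule (or a year's growth plus 30 percent when growth exceeds 30 percent a
year) and the maximum cable length, which the chapter mentions without a
number; 100 m is the IEEE 802.3 limit for 100BASE-TX and 1000BASE-T copper.
"""
from dataclasses import dataclass
from typing import List

SPARE_CAPACITY = 0.30     # chapter: at least 30 percent unused capacity
MAX_COPPER_RUN_M = 100.0  # IEEE 802.3 twisted-pair link limit (assumption)


@dataclass
class Segment:
    name: str
    users: int
    per_user_mbps: float
    link_mbps: float       # speed of the hub ports users plug into
    hub_ports: int
    uplink_ports: int      # hub ports reserved for GbE backbone links
    longest_run_m: float   # longest desktop-to-hub cable run


@dataclass
class Design:
    segments: List[Segment]
    backbone_mbps: float
    annual_growth: float = 0.0  # fraction per year, e.g. 0.10


def headroom(capacity: float, demand: float) -> float:
    """Fraction of capacity left unused; negative means oversubscribed."""
    return (capacity - demand) / capacity


def required_spare(annual_growth: float) -> float:
    """30 percent spare, or one year's growth plus 30 percent when growth
    itself exceeds 30 percent a year."""
    if annual_growth > SPARE_CAPACITY:
        return annual_growth + SPARE_CAPACITY
    return SPARE_CAPACITY


def aggregate_demand_mbps(design: Design) -> float:
    """Worst case for the backbone: every user's bandwidth crosses it."""
    return sum(s.users * s.per_user_mbps for s in design.segments)


def check_design(design: Design) -> List[str]:
    """One line per rule the design breaks; an empty list means it passes."""
    spare = required_spare(design.annual_growth)
    problems: List[str] = []
    for s in design.segments:
        demand = s.users * s.per_user_mbps
        if headroom(s.link_mbps, demand) < spare:
            problems.append(f"{s.name}: {demand:.0f} of {s.link_mbps:.0f} Mbps "
                            f"used, under {spare:.0%} bandwidth spare")
        usable = s.hub_ports - s.uplink_ports
        if headroom(usable, s.users) < spare:
            problems.append(f"{s.name}: {s.users} users on {usable} usable "
                            f"ports, under {spare:.0%} ports spare")
        if s.longest_run_m > MAX_COPPER_RUN_M:
            problems.append(f"{s.name}: {s.longest_run_m:.0f} m run exceeds "
                            f"the {MAX_COPPER_RUN_M:.0f} m copper limit")
    total = aggregate_demand_mbps(design)
    if headroom(design.backbone_mbps, total) < spare:
        problems.append(f"backbone: {total:.0f} of {design.backbone_mbps:.0f} "
                        f"Mbps used, under {spare:.0%} spare")
    return problems


def xyz_plan(annual_growth: float = 0.0) -> Design:
    """The chapter's plan: three servers each linking two 10-user segments
    of 100 Mbps Ethernet on 16-port hubs with two GbE uplinks, 6 Mbps per
    user, GbE backbone. Cable-run lengths are constructed sample values;
    the plan gives none."""
    runs = iter((40.0, 55.0, 70.0, 85.0, 95.0, 60.0))
    segments = [
        Segment(f"{server} segment {n}", users=10, per_user_mbps=6.0,
                link_mbps=100.0, hub_ports=16, uplink_ports=2,
                longest_run_m=next(runs))
        for server in ("Accounting", "Manufacturing", "Sales")
        for n in (1, 2)
    ]
    return Design(segments, backbone_mbps=1000.0, annual_growth=annual_growth)


if __name__ == "__main__":
    for growth in (0.0, 0.4):
        plan = xyz_plan(growth)
        print(f"growth {growth:.0%}: backbone worst case "
              f"{aggregate_demand_mbps(plan):.0f} Mbps")
        for line in check_design(plan) or ["all checks pass"]:
            print("  ", line)
```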
Deciding Where Networking Devices Must Go
You must purchase the necessary equipment, cables, connectors, and so on and start deploying the components that make a network work. When you start situating key network equipment — including servers, storage or backup devices, switches, and routers — you need to make some important decisions about how to situate them, particularly as they fit into your existing network plan.
For small organizations of 25 people or fewer, using separate locked facilities to store hubs and servers may not make sense. Small organizations tend to be more informal and are less likely to have the kind of budget that supports a full-time information systems (IS) staff. In these circumstances, you usually want to situate your networking gear along with all your other gear — out in the open with other equipment for easy access to one and all. If you do put the networking gear out in the open, make sure that only users with valid passwords can log on to such equipment. Otherwise, we highly recommend locking it up.
Larger organizations tend to be more concerned about security and control, and therefore, they usually situate key networking components in locked equipment rooms and in locked wiring closets or wiring centers at various locations around their offices. Because the equipment has to be close to the wiring, it isn’t uncommon for servers to reside in wiring closets along with punchdown blocks, switches, and other networking equipment. Only authorized personnel should be allowed to access these facilities. Likewise, only authorized personnel should be allowed to add users or equipment to the network, usually within a system of regularly scheduled updates or maintenance. In office buildings, for example, this usually means one or two wiring closets or equipment rooms per floor, where only authorized personnel have keys or access codes to get into these rooms.
Choose an approach to situating your servers that makes sense for your organization, and stick with it. If you’re going to follow rules for placing equipment, share those rules with employees so that they know what’s going on. In fact, formulating a security policy for most networks is a smart move, and you should regularly explain that policy to your employees in detail. (For more information on this subject, see Chapter 14.)
Most small- to medium-sized companies — such as the fictitious XYZ Inc. mentioned in this chapter — put their servers into small, locked rooms at each end of the floors they occupy in an office building. This keeps the distances between users’ desktops and the wiring centers acceptably low and puts their servers alongside the punchdown blocks and switches they use, which helps manage wiring. This approach also provides controlled access to the equipment and software that makes their networks work in a small number of closely managed locations. Finally, it addresses the need for adequate ventilation and power control that hubs and servers require for proper operation, which many wiring closets don’t offer.
Consider Hiring an Expert to Install Cable and Equipment
Normally, you install cable and equipment at the same time you build a network. You may run your own cables for your network and perform all equipment installation and configuration yourself; you may contract both the cable and equipment installation out to third parties, or you may choose some point between these two extremes. Whichever way you go, somewhere along the way you’ll be ready to put the finished pieces of your network together. When it comes to installing cable, we highly recommend that you employ experienced cable installers with good references. The company that owns or operates your office building may even require a licensed cable installer to perform any such work. Here’s why this is a good idea:
• Adherence to building and fire codes is mandatory, but it can also be tricky; working with an experienced professional is a good way to avoid trouble.
• Cable placement and routing are sensitive; trained professionals know how to avoid potential trouble spots and always test their work to make sure that the network will behave properly.
• High-speed networks are much more finicky and prone to installation difficulties than lower-speed networks. The faster you want your network to go, the better off you’ll be if you leave the cabling to an expert.
• Consult with network installers and professionals to get an accurate picture of how to lay your cable. They don’t necessarily have to install your network if you already have capable hands onboard, but if you do receive outside assistance, make sure they provide you with the cabling plans for your organization.
Always Check Your Work!
If you decide to install cable and/or equipment yourself, we strongly advise that you bring up your network in small, manageable pieces. When installing multiple cable segments, as when linking one wiring closet to another or each wiring closet to the backbone, bring up individual segments one at a time and test them to make sure each one works before connecting all of them. Likewise, if you’re installing a backbone or a server cluster, test individual components separately before trying them out en masse. When you install equipment, apply the same principles. After you install and configure a machine, check it by itself to make sure it works before attaching it to the network. This is as appropriate for switches and routers as it is for server and desktop computers, as well as network attached storage devices. Our suggestions on piecewise checking and gradually increasing the complexity of your network come from experience. We found out the hard way that throwing everything together at once can cause problems that are too hard to troubleshoot because you have to deal with too many unknowns.
Evaluating Your Network’s Performance and Usefulness
After you build a network, you may be tempted to rest for a while to enjoy your success. After all, you’ve earned it, right? Well, although you should certainly pat yourself on the back, you should also realize that the real work begins as soon as users start using the network (or a new portion of an existing one). If you’re responsible for a network, you must not only keep things running for the moment, but also keep them running — and running well — over time. Whereas the network you build or extend may meet your users’ initial needs, any network’s capability to meet users’ continuing needs diminishes over time. Growth, change in technologies, and new applications and services guarantee that nothing stays the same for long in the workplace — this includes your network as well as the systems and services that the network delivers to your users. Therefore, you need to conduct regular reviews of how well your network meets users’ needs. In small or slow-growing organizations, you may have to review the network only once a year. In large or fast-growing organizations, you should review the network on a quarterly basis.
Your network review should include at least these three elements:
• Traffic analysis and usage review: You can conduct this yourself by using the built-in Windows Server 2008 tools and facilities, such as System Monitor, and third-party software tools. The idea is to take a performance and behavior snapshot of your network during ordinary-load, light-load, and peak-load conditions. If any of these loads encroach on the boundaries of what the current design can reasonably support, start planning to extend and expand your network.
• User interviews: You can interview selected users on a one-on-one basis in your organization or hold meetings with individual workgroups and departments. The idea is to give employees a chance to share their observations, gripes, and wishes regarding the network. This can give you a great opportunity to not only gauge user satisfaction and networking knowledge, but also determine whether you should give employees additional training on how to use the network more effectively.
• Management review: You should meet with members of management regularly to find out what they’re planning and what future information-processing needs they’re considering. You can also gauge management’s impressions of and beliefs about the network as you report your findings from the previous two items to them.
If you perform these reviews and keep in touch with upcoming changes and requirements, you can keep your network and your organization better synchronized. Planning for change and growth is essential to modern networks because they’ve become critical business tools that organizations depend on to do their work. If you take an active approach and plan, you can stay ahead of the curve!
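As an added example (not from the book), this Python script performs the traffic analysis step over a Performance Monitor counter log exported to CSV: it converts the Network Interface Bytes Total/sec counter to Mbps, picks light, ordinary, and peak load out of the samples, and applies the chapter’s 30 percent spare-capacity rule at peak. The log contents and the ACCT-SRV server name are constructed, and the CSV layout (a timestamp column followed by one column per counter) is an assumption about how Performance Monitor and typeperf write their exports.

```python
"""Load review from a Performance Monitor counter log (added example, not
from the book).

The chapter says to snapshot the network under light, ordinary and peak
load with System Monitor and to start expanding when a load encroaches on
what the design supports. This reads a counter log exported as CSV
(layout assumed to match Performance Monitor / typeperf output: a timestamp
column followed by one column per counter), converts the Network Interface
"Bytes Total/sec" counter to Mbps, picks the three load levels from the
samples and applies the chapter's 30 percent spare-capacity rule.
"""
import csv
import io
import statistics
from typing import Dict, List

SPARE_CAPACITY = 0.30  # chapter: keep at least 30 percent unused

# Constructed sample log for the 100 Mbps user-facing NIC of a server named
# ACCT-SRV (a made-up name); real logs sample every few seconds or minutes.
# The 12:00 row has a blank cell, as Performance Monitor writes for a
# missed sample.
SAMPLE_LOG = r'''"(PDH-CSV 4.0) (Central Standard Time)(360)","\\ACCT-SRV\Network Interface(Intel PRO 1000)\Bytes Total/sec"
"12/03/2008 06:00:00.000","312500"
"12/03/2008 09:00:00.000","4375000"
"12/03/2008 10:00:00.000","6250000"
"12/03/2008 11:00:00.000","9125000"
"12/03/2008 12:00:00.000"," "
"12/03/2008 13:00:00.000","5000000"
"12/03/2008 15:00:00.000","7875000"
"12/03/2008 18:00:00.000","625000"
'''


def read_counter_log(text: str) -> Dict[str, List[float]]:
    """Map each counter path to its numeric samples, skipping blank or
    malformed cells rather than counting them as zero load."""
    rows = list(csv.reader(io.StringIO(text)))
    header, data = rows[0], rows[1:]
    series: Dict[str, List[float]] = {name: [] for name in header[1:]}
    for row in data:
        for name, cell in zip(header[1:], row[1:]):
            try:
                series[name].append(float(cell))
            except ValueError:
                continue  # missing or malformed sample
    return series


def to_mbps(bytes_per_sec: float) -> float:
    """Bytes Total/sec counts both directions; 1 Mbps = 1,000,000 bit/s."""
    return bytes_per_sec * 8 / 1_000_000


def review_link(samples_mbps: List[float], link_mbps: float) -> Dict[str, object]:
    """Characterise light (minimum), ordinary (median) and peak (maximum)
    load and decide whether the link still leaves the required spare
    capacity at peak."""
    light = min(samples_mbps)
    ordinary = statistics.median(samples_mbps)
    peak = max(samples_mbps)
    spare_at_peak = (link_mbps - peak) / link_mbps
    return {
        "light_mbps": light,
        "ordinary_mbps": ordinary,
        "peak_mbps": peak,
        "spare_at_peak": spare_at_peak,
        "expand": spare_at_peak < SPARE_CAPACITY,
    }


def review_log(text: str, link_mbps: float) -> Dict[str, Dict[str, object]]:
    """Run review_link over every Bytes Total/sec counter in a log."""
    return {
        name: review_link([to_mbps(v) for v in values], link_mbps)
        for name, values in read_counter_log(text).items()
        if name.endswith("Bytes Total/sec") and values
    }


if __name__ == "__main__":
    for counter, result in review_log(SAMPLE_LOG, link_mbps=100.0).items():
        print(counter)
        for key, value in result.items():
            print(f"  {key}: {value}")
```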
Creating a Network Map
Earlier in this chapter, we introduce you to most of the basic principles involved in designing and building a network. By now, you have a pretty good idea about how networks work. As you spend more time around networks, however, you may realize that what they do isn’t nearly as important as what you know about what they do. Whether you wrestle with networks only occasionally or full-time, you may discover that there’s nothing like a network map to help you find and keep track of routers, switches, and other network appliances on your network.
It isn’t a map; it’s the whole enchilada
Calling the collection of data that describes your network a map doesn’t do this concept justice. A network map is certainly more than a mere drawing that shows where network components live on your network, but creating such a drawing is a great way to start building a network map. If you look at the following list of devices and properties that a network map should contain, you’ll see why such a map is more than a mere depiction:
• A list of all computers on your network, with supporting documentation
• A list of all network equipment — such as servers and switches, plus any routers, firewalls, and so on — with supporting documentation
• A list of all printers and other similar equipment on the network — such as scanners and fax machines — with supporting documentation
• Lines to indicate where cables run and where punchdown blocks, wall plates, and other media-related elements are located
Capturing data for your network map

Because a network map is so important and such a powerful tool, pause right here and start one immediately. Be prepared to spend some time and energy on this project because most of the data that makes up a network map is scattered all over the place. Building a detailed network map is a worthwhile investment. It can pay for itself many times over as you come to depend on it. At worst, you discover more about your network than you ever wanted to know (but not more than you’ll ever need to know). At best, you get to know your network so well that it will seldom throw you a curve ball — and you may even find some things to tweak and tune while building that map.
Starting at the foundation

Obtaining a set of your building’s architectural drawings or engineering plans can help a great deal. If you can find any drawings or plans, take them to an architect’s supply store and make copies that you can mark up and use as a base map. (Most plans are created using an old-fashioned, ammonia-based copying system called blueline. You can copy even large-sized plans for less than $25 per plan.)
If a professional cabling outfit installed your network, you should be able to get a copy of their cabling plans, which work even better than architectural drawings or engineering plans because they probably already show where the cable is laid and how much of it you have. This is another good reason that do-it-yourself may not be the best way to cable your network.

If no such plans are available, you can sketch a room-by-room layout on rectangular grid paper (such as an engineering pad) to make it easy to draw to scale. Be sure to mark the location of machines, devices, approximate locations for cable runs, and so on. A network map drawn to scale enables you to visualize the network layout, including any potential problem areas or unforeseen complications in the final design.
Anything on your network should be on the map

Anything that merits attention or costs money is worth recording on your map. You don’t need to go into great detail about each and every connector or note the exact length of every cable. (Approximate lengths within a meter or so are useful, however.) Indicate every major cable run, every computer, and every piece of gear attached to the network.
Taking stock of your network

The information you gather while producing a network map creates a detailed inventory of what’s on your network and where everything’s located. Unfortunately, you quickly find out that this is a lot of information. To make keeping an inventory easy for yourself (and for anyone who follows in your footsteps), build a template or form that you can fill out for each item on the network. This approach forces you to collect consistent information and makes delegating information gathering to others easier. Include all of the following information for each computer on the network:

• The hardware configuration for each machine: Include a list of all interfaces and their settings, information about installed RAM and drives, and the make and model of the keyboard, display, and so on. If you can find out who sold you the equipment, write that down, too.

Keeping track of equipment is typically the accounting department’s responsibility. Check with those folks for a copy of your company’s capital assets or a depreciable items inventory (if available). This type of documentation normally includes serial numbers and other identification for hardware on the network. If no one in your company has gathered such information, collect it yourself. It’s valuable.
• The software configuration for each machine: Include lists of configuration files, operating system data (including version number, most recent Service Pack applied, and so on), as well as a list of programs and versions installed on the machine.

• The network configuration for each machine: Include the make and model of each network interface card (NIC), plus a list of driver files with names, version numbers, dates, and sizes. You can capture such data to a file easily on Windows systems by choosing Start➪Programs➪Accessories➪System Tools➪System Information➪Hardware Resources; use this as the basis for this inventory. (On Windows XP, Windows Vista, and Windows Server 2003/2008 systems, the menu selection begins with Start➪All Programs.)

In addition to information on each computer, your inventory should also include the following data:

• A list of other equipment, such as switches, routers, storage devices, and printers: Include the manufacturer, model, make, and serial number for each piece of equipment. If the equipment includes memory modules, disk drives, or plug-in interface cards, get information about them, too. If the equipment uses software or firmware, record the name, version, release date, and any other information you can garner about such items.

• A list of all the cable segments on the network: Give each segment a unique name or number and associate your records with whatever type of identifier you use for those segments. Record the type and make of cable, its length, the locations of its ends, and any significant connections or intermediate locations that you may have to visit in the future.

• A list of all the vendors who’ve worked on your network or its machines: Include names and phone numbers of contacts at each operation. This can be a valuable resource for technical support and troubleshooting.
Over time, add the names and phone numbers of tech support or other individuals at these organizations who prove to be knowledgeable and helpful. Essentially, the information gathered while creating and maintaining a network map forms a database of everything anyone needs to know about your network. To improve access to and usability of this data, consider storing the text for your network map in an honest-to-gosh database engine. If this is too labor-intensive, a file- or paper-based approach works, but it takes more effort to maintain over time. Whichever method of recording data for your map you use, be sure to keep your inventory complete and up-to-date.
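The text above recommends keeping the map’s text in a real database engine and lists the fields worth collecting. The following is an added example (not the book’s own code) that builds such an inventory in SQLite using the field names from the lists above, loads a few constructed sample hosts, NICs and cable segments, and then asks the kinds of questions a map is kept for: which hosts sit below a Service Pack baseline, which NIC drivers predate a cutoff date, and which hosts have no recorded cable segment. All hostnames, vendor names, driver files and dates are made up for illustration.

```python
"""Network-map inventory kept in a database (added example, not from the book).

Tables follow the inventory lists above: per-computer OS version and Service
Pack, per-NIC make/model and driver file/version/date, and uniquely named
cable segments with type, length and end locations.
"""
import sqlite3

SCHEMA = """
CREATE TABLE computer (
    hostname     TEXT PRIMARY KEY,
    os_version   TEXT NOT NULL,
    service_pack INTEGER NOT NULL,
    vendor       TEXT
);
CREATE TABLE cable_segment (
    segment_id TEXT PRIMARY KEY,
    cable_type TEXT NOT NULL,
    length_m   REAL NOT NULL,
    end_a      TEXT NOT NULL,
    end_b      TEXT NOT NULL
);
CREATE TABLE nic (
    hostname       TEXT REFERENCES computer(hostname),
    make_model     TEXT NOT NULL,
    driver_file    TEXT NOT NULL,
    driver_version TEXT NOT NULL,
    driver_date    TEXT NOT NULL,   -- ISO date YYYY-MM-DD so string comparison sorts correctly
    cable_segment  TEXT REFERENCES cable_segment(segment_id)
);
"""

# Constructed sample records; none of these are real hosts, vendors or drivers.
COMPUTERS = [
    ("srv-dc01", "Windows Server 2008", 1, "ExampleVendor Inc."),
    ("srv-file01", "Windows Server 2003", 1, "ExampleVendor Inc."),
    ("ws-acct-07", "Windows XP", 3, None),
]
SEGMENTS = [
    ("SEG-001", "Cat5e UTP", 42.0, "Server room patch panel A3", "Wall plate 2-14"),
    ("SEG-002", "Cat5e UTP", 17.5, "Server room patch panel A4", "Wall plate 2-15"),
]
NICS = [
    ("srv-dc01", "ExampleNIC GbE 1000T", "exnic.sys", "4.2.1", "2007-11-02", "SEG-001"),
    ("srv-file01", "ExampleNIC GbE 1000T", "exnic.sys", "3.9.0", "2005-03-18", "SEG-002"),
    ("ws-acct-07", "Generic 10/100", "gen100.sys", "1.0.0", "2003-07-01", None),
]


def build_inventory(conn=None):
    """Create the schema in an in-memory database and load the sample records."""
    if conn is None:
        conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO computer VALUES (?, ?, ?, ?)", COMPUTERS)
    conn.executemany("INSERT INTO cable_segment VALUES (?, ?, ?, ?, ?)", SEGMENTS)
    conn.executemany("INSERT INTO nic VALUES (?, ?, ?, ?, ?, ?)", NICS)
    conn.commit()
    return conn


def hosts_below_service_pack(conn, baseline):
    """Hostnames whose applied Service Pack is below the per-OS baseline mapping."""
    rows = conn.execute("SELECT hostname, os_version, service_pack FROM computer").fetchall()
    return sorted(host for host, os_name, sp in rows if sp < baseline.get(os_name, 0))


def stale_drivers(conn, cutoff_date):
    """(hostname, driver_file, driver_version) for NIC drivers dated before cutoff_date."""
    return conn.execute(
        "SELECT hostname, driver_file, driver_version FROM nic "
        "WHERE driver_date < ? ORDER BY hostname",
        (cutoff_date,),
    ).fetchall()


def unmapped_hosts(conn):
    """Hosts whose NIC is not tied to a recorded cable segment: a gap in the map."""
    rows = conn.execute("SELECT hostname FROM nic WHERE cable_segment IS NULL").fetchall()
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = build_inventory()
    print("below SP baseline:", hosts_below_service_pack(db, {"Windows Server 2003": 2}))
    print("stale drivers:", stale_drivers(db, "2006-01-01"))
    print("not on the map:", unmapped_hosts(db))
```

The point of the database over a paper form is the last three functions: once every machine, NIC and segment is a row, questions that would otherwise mean walking the building become one query each, and the same queries rerun after every change to the network.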
Applications such as Visio (Microsoft Office’s diagram and visualization application that can be found at http://office.microsoft.com/en-us/visio/default.aspx) and Cheops (an active network visualization tool that can be found at http://cheops-ng.sourceforge.net/) can help you create network maps. Search your favorite search engine using the keywords network visualization to find other applications and companies that can help you with this process. If you don’t want to spend money on such a tool, add the words free or open source to the front of the search string.
When the network changes, so does the map!

One thing that you can always be sure of when it comes to networks: They’re always changing. Your map is only as good as the information it contains. And the map remains useful only if that information is an accurate reflection of the real network in your organization. Whenever anything changes on your network, make updating the map and its associated database a priority. Sitting down and checking your map is much less work than walking around and looking at the real objects that the map shows. If the map is current, you can keep on top of things from the comfort of your office. If it’s out of date, you’d better start walking!
Network Interfaces: Built-ins versus Extender Cards

Integrated and add-in components continue to define the basic classifications for most computer hardware. Some consumers, consultants, and computer geeks swear by and base buying decisions purely and solely on this distinction. Why, then, is this distinction so incredibly special? The advantages and disadvantages for built-in versus extender cards used to be much different only a few years ago, when components and technologies just weren’t up to speed with the best-of-breed, high-speed network capabilities. As internal processing power and speed continue to increase, so does networking power — albeit separately and for its own reasons. Point being, these two computing properties are beginning to find that happy medium, which is perhaps best illustrated by the fact that GbE network interfaces are built into most contemporary retail motherboards, and server motherboards usually have two or more built-in GbE interfaces.
One primary difference remains unchanged: serviceability. Clearly an integrated network solution is an island unto itself when damaged, even though it’s physically very much a part of the motherboard. That’s actually the crux of the problem — it can’t (easily, if at all!) be removed, and replacement can be costly, up to whatever the price of the same or similar motherboard replacement costs. Usually it isn’t so bad — a simple GbE replacement NIC costs an average of $50 as we update this chapter, whereas fancy but very fast GbE NICs can cost from $100 to as much as $800.

As mentioned earlier, a Network Interface Card (NIC) is the basic physical component that enables you to have network capability on any given computer. This also requires a network stack and driver software and may involve a third-party configuration utility or application.
Don’t knock your NIC

Don’t underestimate the worth of your NIC, and certainly don’t overestimate the capability of a cheap store-bought generic card. The problem with cheap network cards is the same as anything else: cost-saving, corner-cutting, conservative-thinking manufacturers skimp on form and feature to produce a market-ready, low-budget offering. Sure, these generic cards are okay for mundane machines handling lightweight, mundane chores. But we aren’t even operating on that level — we have Windows Server 2008 to empower and embolden our network, and there’s no sense in cutting cost on the NIC because the difference in price is negligible to savings that can be realized elsewhere. Here are a few points to consider when researching NICs for your network:

• Which computers will connect to the network

• Connection types (wired, wireless) and interfaces (UTP, fiber)

• Network interface properties and services (TOE, Quality of Service, and so on)

• Security principles and procedures (encryption and encapsulation protocols)

• Server- or workstation-specific roles and responsibilities

For the most part, NICs are all the same for workstations, servers, and notebook computers. Their packaging, features, and capabilities are all specific to the particular needs and uses for the computers they go into. The interfaces for Ethernet and GbE are exactly the same — it’s mainly in the way that the medium is used that makes up the biggest difference. However, a fiber interface is incompatible with a GbE interface and requires some intervening piece of network hardware to connect the two. While many such technologies can and often do intermix on the same network, there may be performance bottlenecks that occur with each transition between separate interface types and technologies. Such bottlenecks are unavoidable because there will always be some transition between several network technologies and protocols in a large-scale network environment, especially the Internet.

Remember that a computer is for computing and a router is for routing. Although a computer can perform the same tasks as a router (and then some), it may be considerably wasteful in some circumstances and just plain overkill in others. When given the option, always buy a router for routing purposes and leave the computing tasks to computers (and vice versa).
Don’t stub your TOE (TCP Offload Engine)

Why make something your responsibility if it doesn’t have to be? After all, offloading responsibility is how a lot of managers — ahem, we mean management applications — operate in the network world. The TCP Offload Engine (TOE) is one such technology built into network interfaces that offloads processing of the entire TCP/IP network stack directly onto a specialized NIC controller. This process no longer has to be the typical burden to your main CPU and RAM!

This tactic is employed within high-speed NICs and networks (typically Gigabit Ethernet and 10 Gigabit Ethernet) where handling network stack overhead is most significant. Because TCP is a connection-oriented protocol, this increases the complexity and processing overhead related to the establishment of serially-controlled connections, checksum and sequence number calculations, sliding window recalculations, and eventual connection teardown and termination. In short, there’s a lot of computation and tracking required while TCP is busy at work, and that workload increases with network speed and increased demand.

TOE is a response to the increased load and network resource demand imposed by GbE hardware and the invariable increase in resource utilization. When the computer carries this burden, the CPU is interrupted repeatedly from processing normal applications and processes, which slows performance gradually to the point that perceptible signs of performance degradation can appear. As the network expands coverage and aggregates multiple GbE links, even the most powerful servers will eventually suffer performance penalties under intense load. Clustering, virtualization, Internet SCSI (iSCSI), and Remote Direct Memory Access (RDMA) have all contributed to the increasing use of TOE-enabled network interface cards because they leave more server oomph to deliver services and handle requests outside the network communications realm.
The ever-popular ping test

Perhaps nowhere is groping more appreciated than within an unresponsive network environment, where it’s perfectly okay and even warranted to reach out and touch your neighbor — or several of them. Packet Internet Groper (ping) is a basic network diagnostic command that enables you to check link state and troubleshoot connectivity problems by sending stimulus packets to another endpoint or intermediary device on the network, which elicit responses from participating network devices and computers. Ping is an essential first resort when testing network connectivity — it establishes a baseline and jump-off point for further investigation or immediate resolution. You usually precede issuance of the ping command only by an obligatory physical cable connection check to ensure sanity and eliminate any silly probable causes.

Ping works by issuing Internet Control Message Protocol (ICMP) echo request packets to a destination and then awaits echo reply response packets. This is sometimes dubbed ping and pong in honor of tabletop tennis. Ping uses interval timing and response rates, estimates round-trip time, and reports any packet losses that might occur.
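The mechanics just described, as an added example that is not the book’s code: building the ICMP echo request that ping sends, verifying the RFC 792 checksum on what comes back, matching a reply to its request by identifier and sequence number, and producing the loss and round-trip summary that ping prints at the end. Everything runs offline on constructed bytes and constructed timings; actually putting ICMP on the wire needs a raw socket and administrative privilege, which this example leaves out. The identifier, sequence numbers, payload and millisecond timings are made up.

```python
"""ICMP echo (ping) packet handling, added example (not from the book).

ICMP header layout (RFC 792): type(1) code(1) checksum(2) identifier(2) sequence(2),
followed by an arbitrary payload that the far end must echo back unchanged.
"""
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
HEADER_FMT = "!BBHHH"   # network byte order: type, code, checksum, identifier, sequence


def icmp_checksum(data):
    """RFC 1071 checksum: ones' complement of the ones' complement sum of 16-bit words.

    Over a packet whose checksum field is already filled in, the result is 0.
    """
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold any carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type, identifier, sequence, payload):
    """Serialise an echo request or reply with a correct checksum."""
    header = struct.pack(HEADER_FMT, msg_type, 0, 0, identifier, sequence)
    checksum = icmp_checksum(header + payload)
    return struct.pack(HEADER_FMT, msg_type, 0, checksum, identifier, sequence) + payload


def parse_echo(packet):
    """Validate length and checksum, then return (type, identifier, sequence, payload)."""
    if len(packet) < struct.calcsize(HEADER_FMT):
        raise ValueError("ICMP packet shorter than the 8-byte header")
    if icmp_checksum(packet) != 0:
        raise ValueError("ICMP checksum mismatch")
    msg_type, _code, _checksum, identifier, sequence = struct.unpack(HEADER_FMT, packet[:8])
    return msg_type, identifier, sequence, packet[8:]


def matches_request(reply, identifier, sequence, payload):
    """A reply counts only if type, identifier, sequence and echoed payload all match the probe."""
    msg_type, rid, rseq, rpayload = parse_echo(reply)
    return (msg_type == ICMP_ECHO_REPLY and rid == identifier
            and rseq == sequence and rpayload == payload)


def summarize(rtts_ms):
    """ping-style statistics; a None entry marks a probe that got no reply before timeout."""
    sent = len(rtts_ms)
    received = [r for r in rtts_ms if r is not None]
    loss_pct = 100.0 * (sent - len(received)) / sent if sent else 0.0
    stats = {"sent": sent, "received": len(received), "loss_pct": loss_pct}
    if received:
        stats.update(min_ms=min(received), avg_ms=sum(received) / len(received), max_ms=max(received))
    return stats


if __name__ == "__main__":
    # Constructed exchange: one request and the reply the far end would send back.
    ident, seq, data = 0x1234, 1, b"abcdefgh"
    request = build_echo(ICMP_ECHO_REQUEST, ident, seq, data)
    reply = build_echo(ICMP_ECHO_REPLY, ident, seq, data)
    print("request:", request.hex())
    print("reply matches:", matches_request(reply, ident, seq, data))
    # Constructed round-trip times for four probes, the second of which timed out.
    print(summarize([12.0, None, 14.0, 10.0]))
```

The identifier-and-sequence match is what lets a host with several pings running tell their replies apart, and the checksum check is why a damaged reply is reported as a loss rather than counted as a success.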
Chapter 4

Hooking Up Your Network

In This Chapter

• Selecting the correct network medium

• Choosing an Ethernet technology

• Understanding the role of a network backbone
Buying computers doesn’t make a network! You have to interconnect computers to enable them to communicate. You can set up communications among computers in several ways; the one you choose depends on your budget and bandwidth needs. Okay, most of it depends on your budget!

Transmission media is a fancy, generic term for cabling and wireless transmission technologies. The media provide the means by which computers talk to each other across a network. In fact, computers can communicate through the airwaves using broadcast transmissions, through the wiring in a building, or through fiber-optic cabling across a campus. Linking long-distance or Internet connections to local networks means that there’s almost no limit to what your network can access!

In this chapter, you also examine different methods to interconnect networks using cables and other media. You find out which media are appropriate for desktop access and which work best for server-to-server activity. You also discover more about network anatomy as we tackle two ticklish subjects — namely, backbones and wide area network (WAN) links.
Make a Network Medium Happy!

A happy network medium has nothing whatsoever to do with a TV psychic. Rather, finding the right network medium means implementing network cabling that won’t cause bottlenecks. Depending on whether you’re inheriting an existing network or starting from scratch, you may need to take a different approach to evaluating cabling options for your network:

• If you step into a job where a local area network (LAN) is already in place, cabling is probably in place, too. Evaluating the type, capabilities, and usability of an inherited network is almost always a good idea. That way, you can decide whether you can live with what you have, or whether some change will do the network good. You may learn, for example, that old cabling causes so many difficulties that you’re better off replacing or upgrading it. (We’ve popped out ceiling tiles and found badly spliced cables hidden from view.)

• If you’re planning a brand-new network, one of your concerns is to determine your cabling needs. Decide which network cabling you’re going to use before ordering equipment for your network because you can often order computers and peripherals with the appropriate network interface cards (NICs) preinstalled and preconfigured. (Of course, NICs are preinstalled and preconfigured on an existing network, which means your choices have already been made for you.) The more work you save yourself, the better!

• If a contractor handles your cabling maintenance, don’t assume that every old cable gets replaced if it isn’t completely up to snuff. A contractor may choose to reuse substandard cables to save on material costs. Without proper wiring, your network may be in constant trouble. (Or it may not work at all.) If you work with a cable contractor, require the contractor to test each network cable and insist that the contractor provide you with those test results. In fact, many companies hire one contractor to install cables and another to test them. By doing so, they ensure that the common tendency to overlook errors or potential sources of problems on a network can be avoided — plus, it never hurts to get a second opinion.
The most common cabling technology for LANs is baseband cable, which is cable set up for baseband transmission. For this reason, we concentrate on baseband cable in this book. Check out the sidebar titled “Use the right pipes in your network’s plumbing” for a description of baseband transmission and how it differs from broadband transmission.

If you know what to look for, the name of a particular type of cable can tell you all about its transmission properties. Ethernet cable notation (set down by the Institute of Electrical and Electronics Engineers, or IEEE) breaks down as follows:

• The speed of the Ethernet in Mbps

• The cable’s technology — broadband or baseband

• The cable’s rated distance in hundreds of meters or the type of cable — twisted-pair or fiber-optic cable
Chapter 4: Hooking Up Your Network
Use the right pipes in your network’s plumbing

Wiring in a network is like plumbing in a house. Just as pipes form the pathways through which water flows to and from your plumbing fixtures, a network’s wiring provides the pathways through which computers transmit data using electrical signals. The amount of data that computers can move through a wiring system at any one time depends on the characteristics of the wires, or pipes, installed. The larger the pipes, the more data the computers can send simultaneously.

You can think of a network’s bandwidth as the size of a network’s pipes. Bandwidth represents a range of usable frequencies and is measured in hertz (Hz). A higher hertz rating for a network medium means higher available bandwidth. Higher bandwidth translates into bigger pipes to carry data. Just because you have big pipes, however, doesn’t mean you always get to fill them completely. Therefore, it makes sense to try to measure the actual amount of data (called throughput) flowing through the pipes. Different types of cabling are rated for different amounts of data flow at different distances.

Remember, however, that even if a pipe is big enough to handle all the water you send through it, that pipe can still get clogged. As a result, although a given amount of data can theoretically flow through a cable, in the real world you may see less data flow than the maximum bandwidth indicates. Plumbers will tell you that mineral deposits and other obstructions can often restrict the water flow in pipes. In keeping with our metaphor, we can say that noise, cross-talk, electromagnetic interference (EMI), and other network maladies can often degrade the actual performance of your cable. Throughput, commonly measured in bits per second (bps), describes the actual amount of data that’s flowing through a cable at any one time.

If you take one pipe and divide it into little pipes, you’ve just reinvented the concept of broadband transmission (in which multiple transmissions at different frequencies use the same networking medium simultaneously). If the pipe is kept whole instead of subdivided, you end up with the concept of baseband transmission (in which the entire bandwidth is used to carry only one set of frequencies and one transmission at a time). Whew! Got all that? Maybe it’s time to call Roto-Rooter!
For example, 10Base5 is an Ethernet designation that stands for [10 Mbps] [baseband] [5 x 100 meters = 500 meters]. From the name alone, you can tell that the baseband cable is rated to handle up to 10 Mbps on a segment up to 500 meters (1,640 feet) long. Any time you see a T or an F in such a name, replace that letter with either twisted-pair or fiber-optic, respectively. For example, 10BaseT means that this particular baseband Ethernet cable is rated at up to 10 Mbps using twisted-pair cables. Likewise, 10BaseF means the same thing, except that it uses fiber-optic media instead of twisted-pair.
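To make the naming rule concrete, here is an added example (not from the book) that parses IEEE designations of this form using the three-part rule given above. It goes slightly beyond the chapter’s cases: a trailing variant letter such as the X in 100BaseTX is carried through unreinterpreted, and a numeric third part is reported as coaxial cable, which is what 10Base5 and 10Base2 are in the standards (that identification comes from the standards themselves, not from the chapter’s rule). The distance the rule yields is the nominal hundreds-of-meters figure; the standards’ actual limits can differ, as noted in the code.

```python
"""Parser for IEEE Ethernet designations such as 10Base5, 10BaseT, 10BaseF (added example)."""
import re

# <speed in Mbps> <Base | Broad> <segment length in hundreds of meters | T | F> <optional variant letters>
_DESIGNATION = re.compile(r"^(\d+)(BASE|BROAD)(\d+|T|F)([A-Z0-9]*)$", re.IGNORECASE)


def parse_ethernet_name(name):
    """Break a designation into speed, signaling technology, medium and nominal segment length.

    Returns a dict with keys speed_mbps, technology, medium, max_segment_m and variant.
    max_segment_m is None for the T and F forms, whose reach is not encoded in the name.
    """
    match = _DESIGNATION.match(name.strip())
    if not match:
        raise ValueError(f"not an IEEE Ethernet designation: {name!r}")
    speed, technology, media, variant = match.groups()

    info = {
        "speed_mbps": int(speed),
        "technology": "baseband" if technology.lower() == "base" else "broadband",
        "medium": None,
        "max_segment_m": None,
        "variant": variant.upper() or None,
    }
    if media.isdigit():
        # Numeric form: the standards using it (10Base5, 10Base2, 10Broad36) are coaxial.
        # The figure is nominal: the rule gives 200 m for 10Base2, whose real limit is 185 m.
        info["medium"] = "coaxial"
        info["max_segment_m"] = int(media) * 100
    elif media.upper() == "T":
        info["medium"] = "twisted-pair"
    else:
        info["medium"] = "fiber-optic"
    return info


def describe(name):
    """One-line reading of a designation, in the style of the worked example in the text."""
    info = parse_ethernet_name(name)
    reach = f" on a segment up to {info['max_segment_m']} meters" if info["max_segment_m"] else ""
    return f"{name}: {info['speed_mbps']} Mbps {info['technology']} over {info['medium']}{reach}"


if __name__ == "__main__":
    for designation in ("10Base5", "10BaseT", "10BaseF", "100BaseTX", "1000BaseT", "10Broad36"):
        print(describe(designation))
```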
Fiber and coax make a seriously twisted pair

Fiber-optic cable is different from twisted-pair and coax cable because it transmits data using light signals instead of electrical impulses. When you look at the layout of the cable, it appears similar to coax but has a glass or plastic fiber as its inner conductor instead of a copper wire. Figure 4-1 shows you what the inside of a fiber-optic cable looks like.
Figure 4-1: An inside view of fiber-optic cable. (Labeled parts: outer jacket, buffer coating, cladding, core.)
Notice that the inner glass core is sometimes called buffer coating, and the entire cable has another strong jacket around it. The outer jacket is designed to be thick enough to protect the inner fiber from being broken when the cable is handled (with care, that is).
Fiber-optic cable

Although it has a higher price tag than electrical cables, fiber-optic cable can also handle greater bandwidth, which means that it can transfer more data over longer distances. Fiber-optic cable is largely immune to electromagnetic interference (EMI) and other sources of noise that affect electrically conductive cables. One factor that adds to the expense of fiber-optic cable is the care required during installation. A knowledgeable technician must carefully polish each glass fiber with specialized tools and then add special connectors to the cable.

You often find fiber-optic cable installed between buildings in campus environments or between floors in a building. You rarely see fiber pulled to the desktop because of the expense involved — you must use fiber-optic NICs, and you must attach two cables to each workstation because one cable transmits outbound signals and the other receives inbound signals. Although the appetite for bandwidth is always increasing, don’t expect your desktop to have a high-fiber diet anytime soon! In some locations, such as hospitals, it’s necessary to run fiber-optic cable to some desktops because X-ray and MRI equipment can interfere with electrical cables. Also, the bandwidth requirements for medical imaging equipment can be so extreme that conventional electrical cables can’t handle the traffic involved.

For light signals to pass through a fiber-optic cable, you have to attach a transmitter to one end of the cable and a receiver to the other end. This is why you need two cables to permit any one device to send and receive signals. On the transmitting end, an injection laser diode (ILD) or a light-emitting diode (LED) sends light pulses down the cable. These light pulses reflect within the glass core and bounce against the mirror-like cladding through the length of the cable until they reach a photo diode receiver at the cable’s other end. Notice that data flows in only one direction. The receiver converts incoming light pulses into electrical signals and passes the data to the NIC.

Because of the way that light pulses travel through fiber-optic cable, splicing two such cables requires great care so that the cable’s signal-carrying capabilities aren’t reduced. Otherwise, a light pulse may arrive at the splice but may not make it through to the other end of the cable. We call this situation a bad splice, but your users will call it much worse names!
Coaxial cable

Coaxial cable, also called coax, was once the most popular transmission medium for networks. However, with the cost of unshielded twisted pair (UTP) dropping significantly in the last few years, it’s hard to justify supporting legacy coax cabling, NICs, and other network connection devices. Older networks used coaxial cable exclusively before UTP arrived in the mid-1980s. Initially, only thick coaxial cable (which we like to call “frozen yellow garden hose”) was available. Thick coax is quite cumbersome to handle and a real pain in the neck to install. Imagine pulling a frozen garden hose through the ceiling and then having to connect transceivers (a portmanteau, or combination, of the two words transmitter and receiver) to that cable! Maybe a frozen garden hose is easier after all. . . .

Coaxial cable incorporates two layers of insulation. Beginning in the middle of the cable and spanning outward, the cable has a copper wire surrounded by a foam insulator, which is surrounded by a wire mesh conductor that is then surrounded by an outer jacket insulation. This jacket, in turn, is surrounded by a plastic casing, called cladding. Figure 4-2 shows a cross section of a well-dressed piece of cable.
Figure 4-2: An inside view of coax cable. (Labeled parts: outer casing, wire mesh conductor, inner insulation, copper wire.)
Suffice to say, coaxial cable types are a dying breed in the local network segment, apart from the hybridized technology described in the next section, but remain steadfast in their behind-the-scenes placement as a provider of multimedia networking, television, and telephony service. We won’t go into their distinctions and differentiations, but we will leave you with one last remark. If you have a small network and a highly restricted budget, 10BaseT Ethernet is absolutely the way to go. It’s standardized, well-utilized here and abroad, and is plentiful and cheap on the open market. There really is no cost justification for legacy coaxial equipment, only the operational justification to support existing legacy coaxial applications and services within the organization.
Hybrid networking

Hybrid fiber-coaxial (HFC) is the telecom industry term for networks that incorporate both optical fiber and coaxial cable to produce a broadband network medium for handling high load and large subscriber traffic. This seriously twisted pair is capable of carrying and delivering a wealth of features and services that include analog and digital television signals, video-on-demand programming, and switched digital video, telephony, and high-speed data.

HFC network coverage extends from the cable operator’s point of presence to a through point at a neighborhood hub site, which terminates at a node that services from 25 to 2,000 homes. This cable operator’s master location also houses telephony equipment for providing telecom services to the community, which is individually delivered via coax. Therefore it’s common to have the same provider supply both phone and Internet services (and possibly public television access, where applicable) to the same location. HFC is the primary technology used to service many modern cable modem communities, so the technology is very widespread and widely utilized. In fact, it’s likely you’re already using the technology at home or work without even knowing it. That’s the beauty behind transparent technologies — they work diligently for us, sight unseen, as long as we continue to rely upon them.
Wireless is media, too!

Speaking of things unseen, a relative newcomer to the high-speed network interface assortment is another IEEE design, the 802.11 wireless (WiFi) family of multiple over-the-air standards and modulation techniques. There are a number of competing technologies and substandards to the 802.11 specification, but they all essentially operate in much the same fashion. Instead of using hard, physical network links to transmit data, WiFi pushes and pulls information through the air using radio frequencies. While this brings a lot of eye-popping reactions to those previously unfamiliar with the technology, it does give those of us with some working knowledge and experience of these devices a moment to reflect and relate the reality of such devices operating in a business network environment.

First and foremost is the fact that no physical medium is present. This defies the logic built into most CSMA/CD-type of access methods, where you can satisfy line contention by merely listening on the wire for any ongoing communications and waiting some period of time before trying to transmit or retransmit data. (See the “Carrier sensing access methods” sidebar for more on CSMA/CD.) Instead, participant WiFi devices must request to speak before opening the lines for communication, which is a more active role than the more passive eavesdropping approach employed by 802.3 Ethernet. This creates extra overhead that increases with the number of participating devices in the effective vicinity of the radio.

This lack of physical medium also opens the network to other, unintended listeners. An eavesdropper can more easily observe, record, and potentially intrude upon wireless network traffic. In fact, the would-be attacker need not be inside the building to observe wireless traffic.
There is also a limited effective range for such equipment, since radio signals have a difficult time permeating dense walls full of thick, absorbent material like metal, wood, and other elements. Shade trees can also deflect radio signals and cause connectivity problems for courtyard or outside network coverage. Additionally, any competing RF devices in the area will cause distortion, noise, and contention, which also reduces the effective reach and range for most WiFi devices. So you have to deliberately and thoughtfully design the WiFi network to fit the environment and its signal- or quality-reducing attributes. Data transfer rates are typically half (or less!) of the manufacturer’s rated speed for any given WiFi device operating under normal conditions:

• Early 802.11b devices operate on the 2.4 GHz frequency (which incidentally coincides with common cordless phones and causes much interference) and tend to realize around 4 Mbps, or much less than their rated 11 Mbps transfer rate.

• 802.11g, the next step up, also operates on 2.4 GHz and realizes around 19 Mbps versus a 45 Mbps maximum throughput rating. Fortunately, each device is backwards compatible in that an 802.11g device can and will work with an 802.11b device, but only at the maximum effective throughput of the slower (802.11b) performer.

• The 802.11n standard, which has remained in draft status for quite some time now, operates on 2.4 or 5 GHz channels at speeds between 74 Mbps and 248 Mbps, which easily eclipses anything previously seen in an airborne

<drive letter>:\i386\winnt

• If you’re using a 32-bit operating system, such as Windows 9x, Windows NT, Windows 2000, or Windows XP, and you don’t have autorun enabled, you need to use this command, replacing drive letter with the letter assigned to your DVD drive:
Chapter 5: Ready, Set, Install!
If you insert the Windows Server 2008 DVD into a DVD-ROM drive under an operating system with autorun enabled (for example, Windows NT), the Windows Server 2008 splash screen appears and asks whether you want to upgrade to Windows Server 2008. By clicking Yes, you don’t need to manually locate and execute WINNT or WINNT32. Launching Setup from an eligible Windows platform requires you to follow these steps:
1. On the Install Windows Setup Wizard screen, click Next.
2. Choose whether to get important updates now or later, locate the corresponding option, and then click it. Windows Setup will begin looking for updates if you so choose, which requires an Internet connection.
3. Enter your product key and then click Next. Alternatively, you can choose from a drop-down list of choices and omit the license key altogether at this stage, but they must match up for activation purposes.
4. Accept the license agreement terms and click the Next button.
5. Choose between the Upgrade and Custom installation options and click the corresponding text button.
6. To install Windows Server 2008 to a partition other than the one currently hosting an operating system (highly recommended), be sure to choose the appropriate partition from the menu displayed in this dialog box.
7. Click Next to continue. Setup copies files from the DVD to your hard drive. Setup then offers a 10-second interval during which you can manually restart before it automatically reboots your computer.
After the machine reboots, Setup resumes at Step 9 of the “Windows 2003 Setup: A walk-through” section earlier in this chapter.
Installing across a Network Installing Windows Server 2008 across a network is almost the same as performing the installation from a local DVD-ROM. Both methods require access to the distribution files from the DVD (duh!), and you have to manually launch the Windows setup tools.
Part II: Servers, Start Your Engines
Manually launching Setup over a network requires little change to the process described in the preceding section. However, you need to map a local drive letter to the network share. (This mapped letter tells Setup where the distribution files live.) Setup automatically copies all of the data files it needs before rebooting.
Installing Remotely Microsoft has created an installation process called the Remote Installation Service (RIS). RIS enables network administrators to push a Windows Server 2008 installation out to network systems. Although this process simplifies multiple installations overall, it isn’t a simple activity. It requires the installation and configuration of several key services, namely Domain Name Service (DNS), DHCP, and Active Directory, in addition to RIS. The clients that will have the Windows Server 2008 installation pushed to them must have a Preboot Execution Environment (PXE)–compliant NIC or be booted with a special network client boot disk. If you want to explore the remote OS installation procedure further, we highly recommend that you check out the RIS documentation in the operating system, TechNet, and the Windows Server 2008 Resource Kit.
Working through Post-Installation Stress Disorder After you finish the basic installation, you’ve simply defined a basic server. You need to dress it up with things such as users, groups, domain controllers, Active Directory, applications, services, and printers, as we describe in Chapters 7 through 14. But, before you get excited and flip to those chapters, we want to mention three more issues: the activation process, service packs, and Automated System Recovery.
Understanding Activation In an effort to curb pirating of software, Microsoft has implemented an installation control feature (first debuted in Windows XP) called activation. After the initial installation of a product, such as Windows Server 2008, Microsoft grants you a 30-day period within which you must contact Microsoft and activate that product. If you fail to activate the product, on day 31, the product ceases to function. In fact, the only activity you can perform from that point forward is activation. After a product has been activated, it functions normally. The activation process requires your system to generate a 50-digit code. This code is unique to your system and is used to associate your product key with your computer hardware. If anyone attempts to activate the same product key on a different computer, Microsoft will think you’ve pirated their software or at least attempted to install it on another system without purchasing another package. The gotcha to activation is this computer ID, which is generated by pulling unique IDs from ten different parts of your computer, including your motherboard, CPU, and hard drives. If you change six or more of these parts, the system thinks you’ve changed computers, and your activated status will be terminated. You have to contact Microsoft and explain that you’ve only upgraded your existing system and that you’re not just installing the product onto a completely new second system. Can we say major headaches ahead? Activation can occur over the Internet, in which case it takes only a few seconds. Activation can also occur over a phone line, whereby you must read off the 50-digit computer ID to the auto-attendant or a customer service representative, and then you must enter an equally long confirmation key yourself. To activate your system, you can click the reminder pop-up bubble that appears over your notification area (previously known as the icon tray or system tray), which is right beside the clock. Until you activate, the operating system reminds you every day, or every time you log on, about activating. You can also initiate the activation process by launching the Activation Wizard found in the Start menu. It appears in the top-level menu initially; after you activate, it appears only in the All Programs➪Accessories➪System Tools section.
Dealing with service packs A service pack is a release of updates and patches for a software product. Microsoft is famous for releasing service packs to repair its software. This indicates to some cynics that Microsoft is concerned enough about its user community to maintain a product, but not concerned enough to get it right the first time. Be that as it may, the first service pack for Windows Server 2008 will probably be released three to nine months after Windows Server 2008 makes its debut in February 2008. Microsoft has integrated two capabilities into Windows Server 2008 to ease the burden of maintaining an up-to-date version:
• You can configure the Windows Update tool to regularly check for new updates and prompt you to download and install them.
• You can slipstream service packs into distribution files so that an initial setup results in automagic application of the service pack. In other words, you can apply service packs to a distribution point so that new systems automatically get installations that include that service pack. After service packs are available for Windows Server 2008, read the accompanying documentation to learn how to slipstream them.
Windows Server 2008 service packs don’t entangle you in the Catch-22 of installing files from the original distribution DVD after a service pack is applied. In other words, adding new services doesn’t require reapplication of service packs, and application of service packs doesn’t require reinstallation of services from the distribution DVD. What a relief! Microsoft advertises releases of its service packs, making it easier for the typical user to locate, download, and apply these jewels. You’ll usually find a link on the product-specific Web page at www.microsoft.com/windowsserver2008/default.mspx.
Using Automated System Recovery Automated System Recovery (ASR) is partially designed to replace the function of the previous ERD repair process (remember that from Windows NT?). You can use ASR to restore a system to its stored configuration settings in the wake of a complete system failure. The only drawback to ASR is that it restores only files found on the system partition. Therefore, if you have applications or user data files on other partitions, ASR doesn’t offer a safety net for these items. To use the ASR restore process, you must first create an ASR backup set. You can create an ASR backup set from the Welcome tab of the Backup utility (Start➪All Programs➪Accessories➪System Tools➪Windows Server Backup). The ASR backup set consists of a single floppy and one or more backup tapes (depending on the amount of data stored on your system partition). To restore a failed system, you must boot to the original setup program either from a bootable DVD or the setup boot floppies, and then press F2 when prompted to initiate the ASR repair process. You’ll then be prompted for the floppy and your backup tapes. If you want to protect all your data, you have two options. You can use the full backup capabilities (which include the System State) of the native Backup utility. Or you can spend the money for a quality third-party backup solution that offers restoration from tape after simply booting from a floppy, instead of requiring that the entire operating system be reinstalled before a restoration can be performed.
Oops, My Installation Didn’t Take In most cases, as long as your hardware is on the HCL, installation will be a breeze. (Well, how about a long, continuous gust?) For those other cases, here are some common problems and solutions:
• DVD-ROM problems: The entire Windows Server 2008 installation ships on a single DVD-ROM (unlike previous market releases that appear on CDs), so if you can’t read the DVD, you can’t install Windows Server 2008 (unless you’re installing over a network, but even then, the distribution files have to come from a DVD at some point). DVD-ROMs are similar to music records or DVDs in that one little scratch or speck of dust on the surface can cause problems. On the other hand, the DVD may be okay, but the drive may not function correctly, or Windows Server 2008 may not recognize the drive. We hope that your drive appears on the HCL. To determine whether the drive or the DVD isn’t functioning, take the DVD to another DVD-ROM drive and see whether you can read it there. After you determine which element is the culprit, you can replace it and retry your installation.
• Hardware problems: If Windows Server 2008 Setup doesn’t recognize a server’s hardware, it’s likely to stop. Make sure that the machine’s hardware appears in the HCL and that you configured all devices correctly. If you have more than one SCSI device, for example, make sure that they’re chained (connected) correctly.
• Blue screen of death: Sometimes, Setup simply crashes and gives you a blue screen; other times, it gives you a display of error codes that only a propeller head can understand. By itself, the blue screen simply means that you must reboot. If you get a fancy stop screen, however, you can look at the first few lines to determine the error code and then use it to look up the error message in the error-message manual. A stop typically occurs when a driver problem occurs; if you look beyond the first few lines of the error-message screen, it tells you which drivers were loaded at the time the crash occurred. A good idea is to write down the first few lines of the stop screen before attempting to reboot.
• Connectivity problems: Installing a machine into an existing domain requires that the new system be capable of communicating with a domain controller to create a domain computer account. If communication isn’t possible for any reason (such as a wrong network interface, a wrong driver, a bad or missing cable, a domain controller offline, or too much network traffic), you can’t join the domain. In some cases, you can resolve the problem by quickly replacing a cable or allowing the system to try the connection a second or third time. In other cases, you can delay confronting the problem by joining a workgroup instead. Then you can resolve any problems (such as network interface, driver, and configuration problems) with a functioning system.
• Dependency problems: Some services in Windows Server 2008 depend on other services loading correctly. If service A doesn’t load, service B doesn’t work, and you get error messages if service B is set to automatically start at bootup. For example, if a network interface isn’t installed correctly, all services that use that network interface also fail to start. Your first order of business, therefore, is to get the network interface to function correctly. If you get this far in the installation process, you can view the error logs (Start➪All Programs➪Administrative Tools➪Event Viewer) to see which service didn’t start and then work your way from there.
• Script file errors: The Windows Server 2008 automated installation program (see the next section) isn’t forgiving if you mistype a script. If a script stops midway and the Windows Server 2008 setup program asks you for manual input, you entered something incorrectly. Check the input file to look for transposed letters or anything else that may be out of place. Scripts expect to feed the computer exactly what you put in the script file. If you don’t enter the right information, Setup doesn’t receive the information it expects.
Exploring Automated Installation An unattended installation feature enables you to install Windows Server 2008 without keyboard interaction. Just start the process and walk away. Unattended installation uses a script file that pipes in information and keyboard strokes from a data file that you compose in advance. If you already know all the answers to the questions that the installation program asks, you can answer these questions and place them in a data file. You can use more than one data file for different types of installations. Unattended installation is great for organizations that install Windows Server 2008 over and over on machines with the same hardware configurations. Large enterprise networks that include remote offices can also take advantage of unattended installation because home office administrators can customize script files and transmit them to remote offices. The caveat here is that you must test the script files for accuracy thoroughly in the central office; otherwise, the folks in the remote office may soon be screaming for help! Details on creating automation scripts are included in the Windows Server 2008 Resource Kit. You can also find information on this subject in the Windows Server 2008 Technical Library at technet2.microsoft.com/windowsserver2008/en/library/.
Chapter 6
Configuring Connections to the Universe
In This Chapter
• Introducing the Server Management console
• Configuring your server
• Configuring domain controllers
• Understanding server roles
• Using remote access
Even after you complete the installation of Windows Server 2008, you still face numerous decisions and related activities before you can safely say, “Mission accomplished!” What role does this server play on your network? Does it host multiple network interfaces? Do you need remote access? In this chapter, you seek answers to all these questions and follow the steps to implement them properly. Before you get too excited, we must warn you that certain topics covered in this chapter are just flat-out complex. We try to give a general overview of each topic, but in some cases, covering all the relevant details goes beyond the scope of this book. When that happens, we refer you to other resources and materials where you can find meaningful, reliable, and more detailed coverage of these topics, to supplement and complete what we provide you with here. In this chapter, you go through the steps necessary to get your Windows Server 2008 installation up and running.
Completing the Initial Configuration Tasks Starting at square one, the first time you log on to Windows Server 2008 after completing the initial installation, you’re confronted with an Initial Configuration Tasks (ICT) dialog box, shown in Figure 6-1. This wizard appears by default the first time you log in, and every subsequent time, unless you select the Do Not Show this Window at Logon check box. ICT assists administrators with Windows Server 2008 deployments by postponing platform settings previously encountered during the installation process to shorten the installation time. ICT does this by allowing administrators to specify relevant values at the end of the installation process, thereby bypassing lots of dialog boxes and related interruptions along the way. Windows Server 2008 also brings a concept called componentization to the table, which is defined as breaking a complete system into interchangeable parts to create a standardized approach to assembly, interface, or operation. For Windows Server 2008, this translates into the ability to reuse components outside their usual frameworks. A simple analogy is the relationship between electronic components and electronic devices. A device is made of components, but it can also do things that individual components normally can’t.
Figure 6-1: The Initial Configuration Tasks dialog box.
Chapter 6: Configuring Connections to the Universe
The Initial Configuration Tasks dialog box allows administrators to configure a server with the following parameters:
• Administrator password: Set the administrator password (left blank by default).
• Computer name: The computer name is randomly generated and assigned during installation, but you get your first chance to change it here.
• Time zone: Configure the local time zone.
• Configure networking: Establish initial network interface settings.
• Domain membership: There is no default domain to join; however, the computer is automatically assigned to a workgroup, appropriately named WORKGROUP.
• Enable Windows Update and feedback: Choose whether to automatically update Windows and issue problem reports or receive feedback.
• Add roles: A server role describes the primary function of a server, which can be one or several roles (each with one or more separate services) on a single computer.
• Add features: A feature provides supportive functionality to servers, which typically means augmenting a configured server role with additional capabilities.
• Enable Remote Desktop: Remote desktop assistance is provided by an underlying Remote Desktop Protocol (RDP), which enables user computers to communicate with Microsoft Terminal Services.
• Configure Windows Firewall: The Windows Firewall is enabled by default, but you might want to spend some time familiarizing yourself with its features and capabilities, or configure it with site-specific settings.
These pre-deployment options are left for the end of installation to improve efficiency. Administrators can set these as soon as the install completes, which shortens time-to-launch for a fresh server installation. When you close the ICT dialog box, another configuration utility pops up: the Windows Server Manager, which we describe next.
Server Manager Configuration Windows Server 2008 includes an all-new Server Manager application in GUI and command-line form that simultaneously replaces and consolidates the Windows Server 2003 interfaces called Manage Your Server, Configure Your Server, and Add or Remove Windows Components. Server Manager eliminates any need to run the Security Configuration Wizard prior to deployment because server roles come pre-configured with recommended security settings. Each separate application is consolidated into one utility for a better combination of features and functionality in a single centralized applet, which provides a holistic view of server configuration and related server components. This new management platform enables you to install, configure, and manage server roles specific to Windows Server 2008, including some capabilities that even work on Windows Server 2003 machines.
Getting to know the Server Manager console You can use the expanded Server Manager MMC (Microsoft Management Console) to configure various applications, features, and roles on your Windows Server 2008 PC. A role describes a server’s primary function; administrators may designate or dedicate an entire computer to one or more roles that can include DHCP and DNS services, among many others. A feature describes some supporting function in a server; for example, failover clustering indicates that multiple server computers function as a single logical server, and if one computer fails, another stands ready to take its place automatically. The Windows Server Manager console provides a consolidated view that includes server information, configured roles, services, and feature status. It puts all the easily accessible management tools together under one interface. Server Manager improves productivity so that you spend less time on deployment, management, and maintenance phases and more time adding and using new features in your network infrastructure. Here are a few key highlights of the new Server Manager platform:
• Server Manager functionality incorporates snap-in extensions from Computer Manager (Reliability and Performance, and Windows Firewall) that are always available regardless of which roles are installed.
• Server Manager displays notifications linked to descriptive help topics atop role management homepages when constraints in the role model are violated. Help topics may include additional content, solutions, or tools to help resolve some particular issue.
• The Server Manager Add Roles Wizard provides configuration pages for many roles, including AD Federation Services (AD-FS), Network Policy and Access Services, Fax Server, AD Rights Management (AD-RM), File Services, and many others, as shown in Figure 6-2. See Table 6-1 for more information on Server Roles.
• The Server Manager Add Features Wizard supports installation of BitLocker Drive Encryption, Group Policy Management, Remote Server Administration Tools, and a variety of supplementary or supportive network and storage features. See Table 6-2 for more details about Server Features.
Figure 6-2: The server roles that can be installed through the Server Manager Wizard.
• Server Manager provides Remote Server Administration Tools (RSAT) that enable remote management for specific roles, role-based services, and features on computers running Windows Server 2008 and Windows Server 2003.
• Server Manager supports automated deployment and scripting options for Windows Server 2008 roles from a command-line tool that can install or remove multiple roles, role services, or server features.
Table 6-1: Windows Server 2008 Server Roles
Role Name / Description
Active Directory Certificate Services (AD-CS)
AD-CS provides customizable services to create and manage public key certificates used in public cryptographic systems. Organizations may enhance their security posture by binding user identities, devices, or services to corresponding private keys. AD-CS also includes features for enrollment and revocation of certificates.
Active Directory Domain Services (AD-DS)
AD-DS stores user, computer, and other networked device information to help administrators securely manage and facilitate resource sharing or collaboration between users. AD-DS is also required for directory-enabled services such as Microsoft Exchange Server or Group Policy.
Active Directory Lightweight Services (AD-LDS)
AD-LDS is a directory for storing application data that runs as a non-operating system service, which doesn’t require deployment on a DC and permits multiple simultaneous instances to be configured independently to service multiple applications.
Active Directory Rights Management Services (AD-RMS)
AD-RMS is information protection technology that works with compatible applications to safeguard against unauthorized use of digital media. Content owners define how such data may be used, and organizations may create custom templates that apply directly to financial reports, product specifications, and other such materials.
Application Server (AS)
AS provides a turnkey solution for hosting and managing high-performance distributed business applications with integrated services such as .NET, COM+, and others.
Dynamic Host Configuration Protocol (DHCP)
DHCP allows temporary or permanent dynamic (and static) address assignments to computers and other network-addressable devices and gives administrators more flexible control over address assignments, duration, and type.
File Services
File Services provides storage management, file replication, a distributed namespace, and fast file-searching technologies for efficient client access to server resources.
Network Policy and Access Services (NPAS)
NPAS delivers an array of options to local and remote users, works across network segments, centralizes management tasks and enforces network health properties among client callers. NPAS facilitates VPN, dial-up server, router, and 802.11 protected access deployment, and other such capabilities.
Print Services (PS)
PS provides printer and print server management, which reduces administrative overhead by centralizing printer management tasks.
Terminal Services (TS)
TS enables users to access server-based Windows applications and desktops so that remote users can connect and utilize remote resources.
Universal Description, Discovery, and Integration (UDDI)
UDDI services enable information sharing via intranet-based Web services or between business partners that share an extranet or Internet connection. UDDI can help improve developer productivity and promote reuse of existing development work.
Web Server (IIS)
IIS 7.0, the Windows Web server, enables information sharing on intranets or over the Internet as a unified Web platform that integrates several key Microsoft components.
Windows Deployment Services (WDS)
WDS is used to remotely install and configure Windows installations using the Preboot Execution Environment (PXE).
Windows SharePoint Services (WSP)
WSP services allow end-user collaboration through documents, tasks, and events, enabling them to easily share contacts and other necessary information. WSP is designed to support flexible deployment, administration, and custom application development.
You can find more in-depth information about each of the server roles we introduce in Table 6-1 on Microsoft’s Windows Server 2008 TechCenter page located at http://technet.microsoft.com/en-us/windowsserver/2008/default.aspx.
Table 6-2: Windows Server 2008 Server Manager Server Features
Feature Name / Description
.NET Framework 3.0
This latest version combines .NET 2.0 APIs with newer technologies for building user interface applications that help protect customer identities, enable seamless and security-enhanced communication, and model an array of business procedures.
BitLocker Drive Encryption
This new feature protects
For example, 200.200.201.0/24 is network 200.200.201.0 with subnet mask 255.255.255.0.
5. Select the Site with which to associate the subnet (for example, New York).
6. Click OK.
You now have a subnet linked to a site. You can assign multiple subnets to a site if you like. For more information on subnets, see Chapter 10. For even more details, search the Windows Server 2008 Help menu for subnets.
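To illustrate the subnet-to-site association described above, here is an added example (not from the book) in Python that derives the mask from a prefix length the way 200.200.201.0/24 becomes 255.255.255.0, rejects a subnet entered with host bits set, and resolves a client address to its site by longest-prefix match when one site owns several subnets. The site table and the addresses looked up are constructed sample data.

```python
"""Map client IP addresses to Active Directory sites by subnet.

Added example, not from the book: the site/subnet table below is constructed
sample data that mirrors the chapter's 200.200.201.0/24 -> New York sample.
"""
from typing import List, Optional, Tuple


def ip_to_int(ip: str) -> int:
    """Convert a dotted quad to a 32-bit integer, rejecting malformed input."""
    parts = ip.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"bad octet in {ip!r}")
        value = (value << 8) | int(part)
    return value


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> str:
    """/24 -> 255.255.255.0: the top `prefix` bits set, the rest clear."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return int_to_ip(mask)


def parse_cidr(cidr: str) -> Tuple[int, int]:
    """Return (network, prefix) for 'a.b.c.d/n'.

    A subnet whose host bits are not all zero (say 200.200.201.5/24) is
    rejected, because it names a host rather than a network.
    """
    addr, _, prefix_text = cidr.partition("/")
    if not prefix_text.isdigit():
        raise ValueError(f"missing or bad prefix length in {cidr!r}")
    prefix = int(prefix_text)
    mask = ip_to_int(prefix_to_mask(prefix))
    network = ip_to_int(addr)
    if network & ~mask & 0xFFFFFFFF:
        raise ValueError(
            f"{cidr} has host bits set; did you mean "
            f"{int_to_ip(network & mask)}/{prefix}?")
    return network, prefix


def is_valid_subnet(cidr: str) -> bool:
    """True when the text is a well-formed network/prefix pair."""
    try:
        parse_cidr(cidr)
        return True
    except ValueError:
        return False


def site_for_address(ip: str,
                     subnet_sites: List[Tuple[str, str]]) -> Optional[str]:
    """Longest-prefix match: the most specific subnet wins when subnets overlap."""
    value = ip_to_int(ip)
    best: Optional[Tuple[int, str]] = None
    for cidr, site in subnet_sites:
        network, prefix = parse_cidr(cidr)
        mask = ip_to_int(prefix_to_mask(prefix))
        if value & mask == network and (best is None or prefix > best[0]):
            best = (prefix, site)
    return best[1] if best else None


# Constructed sample table: one site may own several subnets, as the chapter notes.
SUBNET_SITES = [
    ("200.200.201.0/24", "New York"),
    ("200.200.202.0/24", "New York"),
    ("10.10.0.0/16", "Austin"),
    ("10.10.50.0/24", "Austin-Lab"),   # more specific than 10.10.0.0/16
]

if __name__ == "__main__":
    print(prefix_to_mask(24))                                # 255.255.255.0
    print(site_for_address("200.200.201.77", SUBNET_SITES))  # New York
    print(site_for_address("10.10.50.9", SUBNET_SITES))      # Austin-Lab
    print(site_for_address("192.168.1.1", SUBNET_SITES))     # None
```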
Oh, you organizational unit (OU), you The organizational unit (OU) is a key component of the X.500 protocol. As the name suggests, organizational units contain objects in a domain that are organized into logical containers, thus allowing finer segregation and control within a domain. Organizational unit containers can contain other organizational units, groups, users, and computers. OUs may be nested to create a hierarchy to match the structure of your business or organization closely. Using OUs, you can eliminate cumbersome domain models developed for Windows NT Server–based domains (the master domain model, for example, in which several resource domains use accounts from a central user domain). Using Active Directory, you can create one large domain and group resources and users into multiple, distinct OUs. The biggest advantage of OUs is that they allow you to delegate authority. You can assign certain users or groups administrative control over an OU, which allows them to change passwords and create accounts in that OU but grants no control over the rest of the domain. This capability is a major improvement over Windows NT domain administration, which was an all-or-nothing affair.
Installing Active Directory In Windows NT, you set up each server’s type during installation. The server’s function can fill one of the following roles:
• Stand-alone/member server
• PDC
• BDC
With the exception of PDC/BDC swapping, a server’s role can’t be changed without reinstalling the operating system. For example, you can’t change a member server to a domain controller without reinstalling Windows NT. Windows Server 2008 has left all that behind by allowing you to install all servers as normal servers. You can use a wizard (covered in the following section) to convert normal servers to domain controllers, or domain controllers to normal servers. This facility also gives you the ability to move domain controllers from one domain to another by demoting a domain controller to a member server and then promoting it to a domain controller in a different domain. In the Windows NT environment, demoting and promoting domain controllers typically requires reinstalling the operating system or jumping through some pretty major hoops.
Promoting domain controllers Windows Server 2008 allows you to convert servers from normal servers to domain controllers and vice versa. To do this, you use the Active Directory Installation Wizard. You can access this wizard through the Configure Your Server tool (Start➪Server Manager — see Chapter 6) or by executing DCPROMO from the RUN command (or command prompt). You can use the Active Directory Installation Wizard also to remove Active Directory from a domain controller; this returns the system to a member server state. For the step-by-step of installing Active Directory and creating a domain controller, go to Chapter 6.
Active Directory’s database and shared system volume Although you can think of Active Directory as an information bubble, it’s stored in file form on each domain controller in a file named %systemroot%\NTDS\ntds.dit. This file is always open and can’t be backed up using a simple file copy operation. However, like old methods for backing up the SAM in Windows NT 4.0, the new NTBACKUP program included with Windows Server 2008 includes an option to take a snapshot of Active Directory and back up that information. (This option is called System State.) There’s even a special directory restoration mode you must boot into to restore an Active Directory backup! (Chapter 13 covers backups in detail.) The shared system volume, or SYSVOL, is the replication root for each domain. Its contents are replicated to each domain controller in the domain using the File Replication Service. The SYSVOL must reside on an NTFS 5.0 volume because that’s a File Replication Service requirement.
Chapter 7: Doing the Directory Thing
SYSVOL is also a share that points (by default) to %systemroot%\SYSVOL\sysvol, which contains domain-specific areas, such as logon scripts. For example, the logon share NETLOGON for domain savilltech.com points to %systemroot%\SYSVOL\sysvol\savilltech.com\SCRIPTS. You can simply copy logon or logoff scripts into this directory, and the change is replicated to all other domain controllers in the next replication interval (which by default is set to 15 minutes).
Modes of domain operation Windows Server 2008 domains operate at one of several domain functional levels (this book also calls them modes). Some early Windows Server 2003 documentation called the Windows Server 2003 level ".NET mode," so you may still see that name:
• Windows 2000 mixed mode allows Windows NT 4.0 BDCs to participate in a Windows Server 2008 domain alongside Windows 2000, Windows Server 2003, and Windows Server 2008 domain controllers.
• In Windows 2000 native mode, only Windows Server 2008/2003–based and Windows 2000–based domain controllers can participate in the domain, and Windows NT 4.0–based BDCs can no longer act as domain controllers.
• At the Windows Server 2003 level, only servers running Windows Server 2003 or Windows Server 2008 can act as domain controllers.
• The Windows Server 2003 interim level is used when upgrading a Windows NT 4.0 domain to the first domain in a new forest; it admits only Windows NT 4.0 BDCs and Windows Server 2003 domain controllers.
• At the Windows Server 2008 level, only servers running Windows Server 2008 can act as domain controllers. This is the level that switches on features such as DFS Replication for SYSVOL, AES encryption for Kerberos, and fine-grained password policies.
A switch from one level to a higher one can't be reversed, so don't change the level until all domain controllers run an operating system the target level allows: Windows Server 2008, Windows Server 2003, or Windows 2000 for native mode, Windows Server 2003 or later for the Windows Server 2003 level, and only Windows Server 2008 for the Windows Server 2008 level. Also, note that you can't add more Windows NT 4.0–based BDCs after the domain leaves mixed mode. In addition, a switch to native mode allows the use of universal security groups and lets groups be nested inside one another (global groups in global groups, domain local groups in domain local groups, and universal groups in universal groups), neither of which mixed mode supports. Older NetBIOS-based clients remain able to log on using the NetBIOS domain name even in native mode. Universal groups are also supported at the Windows Server 2003 and Windows Server 2008 levels. Changing a domain's mode is known as raising the domain functional level. You can step up one level at a time or jump directly to the highest level your domain controllers allow. Be careful: This is a one-way switch. After you raise the level, you'll have to rebuild the domain (reinstalling its domain controllers) to return to a lower one. To raise a domain's functional level, perform the following steps on a Windows Server 2008 domain controller:
1. Start Active Directory Domains and Trusts. (Choose Start➪Administrative Tools➪Active Directory Domains and Trusts.)
Part II: Servers, Start Your Engines
2. In the console tree, select and right-click the domain you want to change.
3. Click Raise Domain Functional Level. The Raise Domain Functional Level dialog box appears, as shown in Figure 7-3.
Figure 7-3: The Raise Domain Functional Level dialog box.
4. Under Select an Available Domain Functional Level, do one of the following:
• Raise the domain functional level by selecting Windows Server 2003 and clicking Raise.
• Raise the domain functional level by selecting Windows Server 2008 (pre-release builds listed it under its code name, Windows Server "Longhorn") and clicking Raise.
5. Click OK. A warning is displayed stating that the domain mode change can take up to 15 minutes.
You can also raise the domain functional level by right-clicking a domain in the Active Directory Users and Computers snap-in, and then clicking Raise Domain Functional Level. The current domain functional level is displayed under a like-named entry in the Raise Domain Functional Level dialog box. You also need to check all other domain controllers in the domain. Make sure each domain controller reports the new level (open the Raise Domain Functional Level dialog box while connected to that domain controller, or read the domainFunctionality attribute of its RootDSE with an LDAP tool such as ldp.exe). If any domain controller isn't reflecting the change after 15 to 20 minutes, force replication to it (repadmin /syncall run on that domain controller, or Replicate Now in Active Directory Sites and Services) before resorting to a reboot. If a domain controller can't be contacted when you make the change (for example, if it's located at a remote site and connects to the main site only periodically), the remote domain controller will switch its mode the next time replication occurs.
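As an added example (not code from the book), here's a way to run that check against every domain controller at once instead of opening the dialog box on each. It reads the msDS-Behavior-Version and ntMixedDomain attributes that the dialog box itself reflects, asking each domain controller for its own copy of the domain head so that a lagging replica stands out. It assumes Windows PowerShell 2.0 (available as an update for Windows Server 2008) and an account that can read the domain over LDAP; the level names are the standard ones, the "lowest level seen is lagging" logic is mine.

```powershell
# Added example: confirm that a raised domain functional level has reached every
# domain controller. Each DC is asked for its own replica of the domain head, so
# a DC that hasn't replicated the change yet reports the old value.
# Assumes Windows PowerShell 2.0 and read access to the domain (any domain user).

$levelNames = @{
    0 = 'Windows 2000'               # mixed or native; ntMixedDomain tells which
    1 = 'Windows Server 2003 interim'
    2 = 'Windows Server 2003'
    3 = 'Windows Server 2008'
}

function Get-DcDomainLevel {
    param([string]$DcName, [string]$DomainDn)
    # Bind to the domain naming context on this specific DC (not "any DC").
    $entry    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DcName/$DomainDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
    $searcher.SearchScope = 'Base'
    $searcher.Filter      = '(objectClass=domainDNS)'
    $null = $searcher.PropertiesToLoad.AddRange(@('msds-behavior-version', 'ntmixeddomain'))
    $result = $searcher.FindOne()

    # msDS-Behavior-Version is the functional level (absent on a domain head that
    # has never seen a Windows Server 2003 or later DC, which means level 0).
    # ntMixedDomain = 1 means Windows 2000 mixed, 0 means native or higher.
    $levelValues = $result.Properties['msds-behavior-version']
    $level = if ($levelValues.Count -gt 0) { [int]$levelValues[0] } else { 0 }
    $mixed = [int]$result.Properties['ntmixeddomain'][0]
    $name  = $levelNames[$level]
    if ($level -eq 0) { $name += $(if ($mixed -eq 1) { ' mixed' } else { ' native' }) }

    New-Object PSObject -Property @{
        DomainController = $DcName
        Level            = $level
        LevelName        = $name
    }
}

$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$domainDn = 'DC=' + ($domain.Name -replace '\.', ',DC=')

$results = @()
foreach ($dc in $domain.DomainControllers) {
    try {
        $results += Get-DcDomainLevel -DcName $dc.Name -DomainDn $domainDn
    } catch {
        Write-Warning ("{0}: could not read the domain head ({1})" -f $dc.Name, $_.Exception.Message)
    }
}

$results | Format-Table DomainController, Level, LevelName -AutoSize

# Anything below the highest level seen is a replica the change hasn't reached.
$highest = ($results | Measure-Object -Property Level -Maximum).Maximum
$lagging = $results | Where-Object { $_.Level -lt $highest }
if ($lagging) {
    Write-Warning ('Level change not yet replicated to: ' +
        [string]::Join(', ', @($lagging | ForEach-Object { $_.DomainController })))
} else {
    Write-Host ("All {0} domain controllers report level {1} ({2})." -f
        $results.Count, $highest, $levelNames[$highest])
}
```

Run it from any domain-joined machine; a domain controller that can't be bound at all is reported as a warning rather than silently counted as up to date.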
When Domains Multiply In this section, you look at new methods available in Windows Server 2008 to interconnect domains. In Windows NT 4.0 domains, you’re limited to simple unidirectional or bidirectional trust relationships to interconnect two domains explicitly at a time. Windows Server 2008 has many more sophisticated, functional models to create relationships and connections among its domains.
Trust relationships across domains Windows NT 4.0 trust relationships aren't transitive. For example, if domain A trusts domain B, and domain B trusts domain C, domain A doesn't automatically trust domain C; every pair of domains that needs to share resources must be joined by its own explicit trust. (See Figure 7-4.)
Figure 7-4: An example of a trust relationship in Windows NT 4.0. The figure shows domains A, B, and C; the trust between A and C would not have been created implicitly in an NT 4.0 domain environment but is in Windows 2000 domain forests.
This lack of transitivity is no longer the case with the trust relationships used to connect members of a tree or forest in Windows Server 2008/2003 or Windows 2000. Trust relationships used in a Windows Server 2008/2003 or 2000 tree are two-way, transitive trusts. This means that any domain in the forest implicitly trusts every other domain in its tree and forest. This removes the need for time-consuming administration of individual trusts between pairs of domains because such trusts are created automatically whenever a new domain joins a tree. (Trusts with domains outside the forest are still created explicitly, and they carry their own direction and transitivity settings.) The security of Windows Server 2008 trusts is maintained by Kerberos. Kerberos version 5 is the primary security protocol for Windows Server 2008, but it isn't a Microsoft protocol. Kerberos is a security system developed at the Massachusetts Institute of Technology (MIT). It verifies the identity of the user, and the session key it hands out can protect the integrity (and confidentiality) of traffic while that user is logged in. Kerberos services are installed on each domain controller, and a Kerberos client is installed on each workstation and server. A user's initial Kerberos authentication provides that user with a single logon to enterprise resources. NTLM is still present as a fallback for clients and situations that can't use Kerberos (connecting to a server by IP address rather than by name, for example), so don't assume every cross-domain authentication is a Kerberos one. For more information about Kerberos, see the Internet Engineering Task Force's (IETF's) Requests for Comments (RFCs) 1510 and 1964 (RFC 1510 has since been superseded by RFC 4120). These documents are available on the Web at http://rfc-editor.org.
Building trees In Windows Server 2008, one domain may be a child of another domain. For example, legal.savilltech.com is a child of savilltech.com (which is the root domain name and therefore the name of the tree). A child domain's name always contains the complete domain name of the parent. As shown in Figure 7-5, dev.savillCORP.com can't be a child of savilltech.com because those domain names don't match. A child domain and its parent share a two-way, transitive trust. When a domain is the child of another domain, a domain tree is formed. A domain tree must have a contiguous namespace (which means all namespaces share a common root — that is, have the same parent). Domain trees can be created only during the server-to-domain-controller promotion process with DCPROMO.EXE. Here are some advantages to placing domains in a tree:
• All members of a tree enjoy Kerberos transitive trusts with their parent and all of its children.
• These transitive trusts mean that any user or group in a domain tree can be granted access to any object in the entire tree.
• A single network logon can be used at any workstation in the domain tree.
Figure 7-5: Parent/child relationship example. The figure shows savilltech.com with the children legal.savilltech.com and defense.legal.savilltech.com, and dev.savillCORP.com standing outside the tree; child domains MUST contain the parent DNS name.
Understanding forests You may have a number of separate domain trees in your organization with which you'd like to share resources. You can share resources between domain trees by joining those trees to form a forest. A forest is a collection of trees that doesn't explicitly share a single, contiguous namespace. (However, each tree must be contiguous.) A forest with more than one tree may be useful if your company has multiple root DNS names. For example, in Figure 7-6, the two root domains are joined via transitive, two-way Kerberos trusts (like the trust created between a child and its parent). Forests always contain every domain of each tree, and you can't create a forest that contains only part of a domain tree.
Figure 7-6: An example of a forest. The figure shows two trees: savilltech.com (with legal.savilltech.com, dev.savilltech.com, and defense.legal.savilltech.com) and acme.com (with legal.acme.com).
Forests are created when the first server-to-domain-controller promotion process using DCPROMO is initialized and can't currently be created at any other time. You aren't limited to only two domain trees in a forest. (You can have as few as one because a single domain by itself is technically considered both a tree and a forest.) You can add as many trees as you want, and all domains in the forest will be able to grant access to objects for any user in the forest. Again, this cuts back the need to manage trust relationships manually. The advantages of creating forests are as follows:
• All trees have a common global catalog containing specific information about every object in the forest.
• The trees all contain a common schema. Trees aren't stitched together after the fact: a new tree is started by promoting the first domain controller of a new root domain into the existing forest, so it picks up the forest's schema from day one. Two existing forests with different schemas can't simply be merged; moving objects between them is a migration job.
• Searches in a forest perform deep searches of the entire tree of the domain from which the request is initiated and use the global catal
og entries for the rest of the forest.
One consequence of the shared schema, shared configuration, and automatic trusts is that the forest, not the domain, is the real security boundary in Active Directory: anyone who can administer the schema or a domain controller anywhere in the forest can affect every domain in it. Put organizations that must be isolated from each other in separate forests, not separate domains.
Chapter 8
Working with Active Directory, Domains, and Trusts
In This Chapter
• Understanding domains
• Controlling domains and directories
• Handling directory permissions
• Managing trusts
Access to Active Directory's sheer power is useless unless you can configure and manage its content. Only then can you get the most out of its powerful (but sometimes cryptic) environment. In this chapter, you take a long hard look at Active Directory. Before you enter into this staring contest with your computer screen, however, we want to show you how manipulating and configuring content is tied to manipulating and configuring domains. That's right; you get to tackle domains one more time. So once more into the breach, dear friend, so that you too can master your own domain(s). For details on domain controllers and their changing roles in Windows 2008, see Chapter 7. We also suggest you pick up a copy of Active Directory For Dummies (Wiley Publishing).
Master of Your Domain Domain controller roles aren't defined during the installation of Windows Server 2008 but rather while running the Active Directory Installation Wizard. (For more information about the Active Directory Installation Wizard, see Chapter 7.) Windows Server 2008 borrows the concept of a primary domain controller (PDC) from Windows NT through the use of the PDC emulator for certain domain functions, though it has jettisoned Windows NT's concept of a backup domain controller (BDC). In Windows 2008, all domain controllers are equal and share peer-to-peer relationships, rather than acting either as master (PDC) or slave (BDC). To support older Windows NT Server 4.0 and 3.51 BDCs in a mixed mode environment, one of the Windows Server 2008 domain controllers must emulate a Windows NT Server 4.0 PDC. Then it must replicate changes to those old-fashioned BDCs so that they can keep up with changes to Active Directory, such as password modifications. Keeping lots of peers around can cause problems if you don't watch out. (Ever hear the expression, "Too many cooks spoil the soup"?) Windows Server 2008 uses five special roles to keep peers in line. One role is specifically designed to support any Windows NT vintage clients and domain controllers. The other four roles work to minimize the risk that multiple domain controllers will make changes to the same object, thereby losing or confusing attribute modifications. These roles are called Flexible Single Master Operation (FSMO) roles, where each of the five roles manages a particular aspect of a domain or forest. Some of the Flexible Single Master Operation domain controllers, sometimes referred to as operations masters, have a role that is domain wide, so their effect percolates throughout the given domain. When a forest has multiple domains, each domain has its own holder of each domain-wide role. Other FSMO roles are forest wide. Each forest-wide role has exactly one holder in the entire forest, regardless of how many domains reside within that forest. The flexibility of the Flexible Single Master Operation domain controllers indicates that these roles can move between domain controllers within a domain if the role is domain wide, or between domain controllers anywhere in the forest if the role is forest wide.
However, it does take some effort on your part to move them. You transfer FSMO roles with the NTDSUTIL utility or from the Active Directory Schema, Active Directory Domains and Trusts, and Active Directory Users and Computers snap-ins; NTDSUTIL is also the only way to seize a role from a domain controller that has died (seize only when the old holder is never coming back, because two live holders of one role is exactly the conflict the roles exist to prevent). For more information on the NTDSUTIL utility, see the Windows Server 2008 Server Help files or the Resource Kit. The following list gives you an idea how these five roles work with domains in Active Directory:
• Schema master: At the heart of Active Directory, the schema is a blueprint for all objects and containers. Because the schema has to be the same throughout an entire forest, only one domain controller can be used to make modifications to the schema. If the domain controller that holds the role of schema master can't be reached, no updates to the Active Directory schema may be performed. You must be a member of the Schema Admins group to make changes to the schema, which makes that group one of the most powerful in the forest; keep it empty except while a schema change is actually being made. (See Chapter 7 for a more detailed definition of the schema.)
• Domain naming master: To add a domain to a forest, its name must be verifiably unique. The domain naming master of the forest oversees the domain name operation and ensures that only verifiably unique names are assigned. It also functions to add and remove any cross-references to domains in external directories, such as external Lightweight Directory Access Protocol (LDAP) directories. Only one domain naming master exists per forest. You must be a member of the Enterprise Admins group to make changes to the domain naming master, such as transferring the FSMO role or adding domains to or removing domains from a forest.
• Relative ID (RID) master: Any domain controller can create new objects (such as user, group, and computer accounts). Each one draws on a pool of RIDs handed out by the RID master and asks for a new pool before the current one runs out (this book's rule of thumb: when fewer than 100 RIDs are left). This means that the RID master can be unavailable for short periods of time without causing object-creation problems, and it ensures that each object gets a unique RID and therefore a unique SID. There can be only one RID master per domain.
• PDC emulator: The PDC emulator domain controller acts as a Windows NT primary domain controller when there is a domain environment that contains both NT4 BDCs and Windows 2000 DCs or Windows 2003/2008 DCs (or all three). It processes all NT4 password changes from clients and replicates domain updates to the down-level BDCs. After upgrades to the domain controllers have been performed and the last of the BDCs are upgraded or removed from the environment, the Windows 2000 domain or Windows Server 2003/2008 domain (or all three) can be switched to native mode. After the domain is in native mode, the PDC emulator still performs certain duties that no other DCs in the domain handle: it receives every password change immediately, is consulted when a logon fails elsewhere in case the password was just changed, processes account lockouts, is the domain's authoritative time source, and is the domain controller the Group Policy editor connects to by default. Each domain in the forest, including child domains, has only one PDC emulator domain controller.
• Infrastructure master: When a user and a group are in different domains, there can be a lag between changes to a user profile (a username, for example) and its display in the group. The infrastructure master of the group's domain is responsible for fixing the group-to-user reference to reflect the rename. The infrastructure master performs its fix-ups locally and relies on replication to bring all other replicas up to date. Don't place this role on a global catalog server unless every domain controller in the domain is a global catalog: a global catalog already holds the current reference, so an infrastructure master running on one never notices anything to fix. (For more information on replication, see the "When replication happens" section, later in this chapter.)
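The practical version of "keep an eye on your operations masters" is a script that tells you who holds each role today and whether the holder still answers. Here is one, added as an example rather than anything from the book or the Resource Kit. It uses the .NET System.DirectoryServices.ActiveDirectory classes that Windows Server 2008 ships and assumes Windows PowerShell 2.0 and an account that can read the directory; the LDAP probe is my own addition (netdom query fsmo prints the holders alone from the command line).

```powershell
# Added example: list the five FSMO role holders and check that each one still
# answers LDAP. The forest-wide roles have one holder for the whole forest; the
# domain-wide roles are reported for the domain this script runs in.
# Assumes Windows PowerShell 2.0 and an account allowed to read the directory.

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = $domain.Forest

$roles = @(
    @{ Role = 'Schema master';         Scope = 'forest'; Holder = $forest.SchemaRoleOwner.Name },
    @{ Role = 'Domain naming master';  Scope = 'forest'; Holder = $forest.NamingRoleOwner.Name },
    @{ Role = 'RID master';            Scope = 'domain'; Holder = $domain.RidRoleOwner.Name },
    @{ Role = 'PDC emulator';          Scope = 'domain'; Holder = $domain.PdcRoleOwner.Name },
    @{ Role = 'Infrastructure master'; Scope = 'domain'; Holder = $domain.InfrastructureRoleOwner.Name }
)

function Test-LdapServer {
    param([string]$Server)
    # A base-scope read of RootDSE is the cheapest proof that the DC is serving LDAP;
    # it needs no special rights and fails fast if the box is down or not a DC.
    try {
        $entry    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/RootDSE")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
        $searcher.SearchScope = 'Base'
        $searcher.Filter      = '(objectClass=*)'
        return ($searcher.FindOne() -ne $null)
    } catch {
        return $false
    }
}

$down = @()
foreach ($r in $roles) {
    $ok = Test-LdapServer -Server $r.Holder
    if (-not $ok) { $down += $r.Role }
    "{0,-22} ({1}) {2,-35} {3}" -f $r.Role, $r.Scope, $r.Holder, $(if ($ok) { 'OK' } else { 'UNREACHABLE' })
}

# A role holder that is gone for good must be seized with NTDSUTIL, never transferred;
# seizing one that is merely offline leaves you with two holders once it returns.
if ($down.Count -gt 0) {
    Write-Warning ('Unreachable role holder(s): ' + [string]::Join(', ', $down))
}
```

Run it from a workstation as well as from a domain controller: a holder that answers its neighbours on the server VLAN but not the clients is still a problem for the PDC emulator's password and lockout duties.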
Trusts Are Good for NT 4.0 and Active Directory Domains In the good old days before the need for FSMO roles (that is, during Windows NT's prime), there was exactly one main domain controller (a primary domain controller, or PDC) that could make changes to the Security Accounts Manager (SAM) database. Those changes were then replicated to the backup domain controllers (BDCs). In this model, the SAM database was simply a file stored on the PDC and on each BDC that contained information about the domain's security objects, such as users and groups. To support authentication across domains (and thus stymie unauthorized access to the network), you created one-way trust relationships between domains that would allow users and groups from the trusted domain to be assigned access to resources in the trusting domain. The concept of trusting and trusted is confusing, so we're going to try to shed some light on the subject. Imagine a trust between two domains: A and B. Domain A trusts domain B, so domain B is the trusted domain, and domain A is the trusting domain. Because domain A trusts domain B to correctly authenticate its users, users from domain B can be assigned access to resources in domain A. (You could create a bidirectional trust relationship, where domain A trusts domain B with its resources and domain B trusts domain A with its resources. However, what you really have with a bidirectional trust is two unidirectional trusts that have been joined.) Before you get the idea that we're all one happy, trusting family, don't forget that Windows NT 4.0–based trusts aren't transitive; therefore, if domain C trusts domain B, and domain B trusts domain A, domain C doesn't implicitly trust domain A. For domain C to trust domain A, you must establish an explicit trust relationship between domain C and domain A. Got all that? Remember it; we'll come back to it later. Windows Server 2008 makes use of Active Directory to keep domains in line when it comes to trust relationships.
Windows Server 2008 domain controllers store the directory service information in a file (NTDS.DIT), and trust relationships are still needed to authenticate across multiple domains. Windows Server 2008 automatically creates trust relationships between all domains in a forest just as it did under Windows 2000, but the real change from the older NT4 model to the Active Directory approach lies in how modifications are made and replicated to the domain database and in the fact that all automatically created trusts are two way and transitive. Now if A trusts B and B trusts C, A trusts C — and the reverse is true as well. Before you get too flabbergasted, don't forget that Windows 2000 and Windows Server 2003/2008 use trusts in the same way: all three create two-way, transitive trusts between the domains of a forest. Trusts you create by hand to domains outside the forest don't get that treatment automatically: an external trust is one way and non-transitive unless you choose otherwise, and a forest trust is transitive only between the two forests it joins.
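To see which of your trusts are the automatic intra-forest kind and which were created by hand, read the trustedDomain objects that Active Directory keeps under CN=System. The script below is an added example, not the book's, and decodes direction, transitivity, and the SID-filtering flag from the trustDirection, trustType, and trustAttributes attributes (the bit values are the documented schema ones; which combinations I call worth a second look is my own judgement). It assumes Windows PowerShell 2.0 and an account that can read the domain.

```powershell
# Added example: enumerate this domain's trusts from their trustedDomain objects
# and decode the flags a reviewer cares about. Attribute names and bit values are
# those documented for the Active Directory schema; the classification is mine.
# Assumes Windows PowerShell 2.0 and read access to CN=System in the domain.

# trustAttributes bits
$TRUST_NON_TRANSITIVE    = 0x01
$TRUST_QUARANTINED       = 0x04   # SID filtering ("quarantine") on an external trust
$TRUST_FOREST_TRANSITIVE = 0x08
$TRUST_WITHIN_FOREST     = 0x20

$domain        = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$domainDn      = 'DC=' + ($domain.Name -replace '\.', ',DC=')
# Names of every domain in the forest, so a trust to one of them counts as
# intra-forest even if the object predates the WITHIN_FOREST bit (Windows 2000).
$forestDomains = @($domain.Forest.Domains | ForEach-Object { $_.Name.ToLower() })

function ConvertFrom-TrustedDomain {
    param([string]$Partner, [int]$Direction, [int]$Type, [int]$Attributes)

    # trustDirection: 1 = inbound (they trust us), 2 = outbound (we trust them), 3 = both
    $dir = switch ($Direction) { 1 { 'inbound' } 2 { 'outbound' } 3 { 'two-way' } default { 'disabled' } }

    # trustType: 1 = down-level (NT 4.0), 2 = up-level (Active Directory), 3 = MIT Kerberos realm
    $inForest = (($Attributes -band $TRUST_WITHIN_FOREST) -ne 0) -or ($forestDomains -contains $Partner.ToLower())
    $kind = if ($inForest)                                        { 'intra-forest (automatic)' }
            elseif (($Attributes -band $TRUST_FOREST_TRANSITIVE) -ne 0) { 'forest' }
            elseif ($Type -eq 1)                                  { 'external (NT 4.0)' }
            elseif ($Type -eq 3)                                  { 'realm (MIT Kerberos)' }
            else                                                  { 'external' }

    # Only intra-forest and forest trusts are transitive, and only if not marked otherwise.
    $transitive = ($inForest -or (($Attributes -band $TRUST_FOREST_TRANSITIVE) -ne 0)) -and
                  (($Attributes -band $TRUST_NON_TRANSITIVE) -eq 0)

    # SID filtering stops the trusted side from presenting SIDs (via sIDHistory) that
    # resolve to privileged groups here. The quarantine bit records it for external
    # trusts; forest trusts filter by default without setting this bit.
    $sidFiltered = ($Attributes -band $TRUST_QUARANTINED) -ne 0

    New-Object PSObject -Property @{
        Partner      = $Partner
        Kind         = $kind
        Direction    = $dir
        Transitive   = $transitive
        SidFiltering = $sidFiltered
        Attributes   = ('0x{0:X}' -f $Attributes)
    }
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=System,$domainDn")
$searcher.Filter     = '(objectClass=trustedDomain)'
$null = $searcher.PropertiesToLoad.AddRange(@('trustpartner', 'trustdirection', 'trusttype', 'trustattributes'))

$trusts = @($searcher.FindAll() | ForEach-Object {
    $p = $_.Properties
    ConvertFrom-TrustedDomain -Partner ([string]$p['trustpartner'][0]) `
                              -Direction ([int]$p['trustdirection'][0]) `
                              -Type ([int]$p['trusttype'][0]) `
                              -Attributes ([int]$p['trustattributes'][0])
})

$trusts | Format-Table Partner, Kind, Direction, Transitive, SidFiltering, Attributes -AutoSize

# Worth a second look: hand-made trusts that are two-way, and external trusts
# that are not SID-filtered.
$trusts | Where-Object { $_.Kind -notlike 'intra-forest*' -and
                         ($_.Direction -eq 'two-way' -or ($_.Kind -like 'external*' -and -not $_.SidFiltering)) } |
    ForEach-Object { Write-Warning ("Review trust with {0}: {1}, {2}, SID filtering {3}" -f
                                    $_.Partner, $_.Kind, $_.Direction, $_.SidFiltering) }
```

Each domain holds only its own trustedDomain objects, so run the script in every domain of the forest to get the whole picture.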
How Domain Controllers Work Together In the days of Windows NT, domains had it easy. You made changes at only one domain controller, and the changes were copied at regular intervals to any other controllers for the domain. Now, with Windows Server 2008, you can make changes at any domain controller and remain confident that Windows Server 2008’s left hand always knows what its right hand is doing. How does this work, you ask? The answer, dear friend, is multimaster replication. (And you thought we were going to say “blowing in the wind.”) How multimaster replication works is discussed in Chapter 7, but here you look at the concept at a higher level. With multimaster replication, any domain controller can make changes to the Active Directory database. Those changes are then replicated to all other domain controllers in that domain.
When replication happens Replication between domain controllers in a Windows NT 4.0 domain is configured using a couple of Registry settings. That’s it. Fairly useless really. Windows Server 2008 is much cooler! A site is a collection of machines and domain controllers connected by means of a fast network and grouped by IP subnets. What do sites have to do with replication, you ask? Well, everything. They allow us to define different replication schedules depending on the domain controllers’ site membership. There are essentially two types of replication: intrasite replication (between domain controllers in the same site) and intersite replication (between domain controllers in different sites).
Intrasite replication When a change is made to the Active Directory, such as adding or deleting a user or changing an attribute of an object (say, adding properties to a printer), this change must be replicated to other domain controllers in the domain. The change is called an originating update. The domain controller where the originating update was made sends a notification to its replication partners (other domain controllers in the site) that a change is available. After replication occurs, the replication partners will have a copy of the change that was made on the other domain controller. This updating of the Active Directory on the partner domain controller is called a replicated update because it originated elsewhere.
Replication within a site is driven by change notification: after a change, a domain controller waits a short, configurable delay (five minutes in forests that started life on Windows 2000; 15 seconds in forests created on Windows Server 2003 or later) and then tells its partners to pull. Urgent replication, which skips that delay, can be initiated for any of the following:
• Replication of a newly locked-out account: Prevents users from moving to another part of a domain to log on with a user account that has been locked out on a domain controller.
• Modification of a trust account: Enables all members of a domain to take advantage of a new trust with another domain.
This replication methodology has some problems. In the good ol' days (in other words, with Windows NT 4.0), you changed your password at the PDC to avoid the problem of a new setting not being replicated for a long time. With Windows 2008, a password change made at any domain controller is pushed to the PDC emulator right away; in the event of password failure, the PDC emulator is consulted in case the password has been recently changed but hasn't yet been replicated. If replication partners don't receive any change notifications in an hour (the default setting), they initiate contact with their replication partners to see whether any updates were made remotely and whether the subsequent change notifications were missed.
Intersite replication Intersite replication takes place between particular servers in one site and particular servers in another site. This is where Windows Server 2008 shines. You can configure a timetable of how often to replicate for every hour of every day. All you need to do is follow these steps:
1. Navigate to the Active Directory Sites and Services MMC snap-in. (Choose Start➪Control Panel➪Administrative Tools➪Active Directory Sites and Services.)
2. Go to the Inter-Site Transports branch and select IP.
3. In the right-hand pane, select a site link (for example, the link to a remote site), right-click, and choose Properties.
4. Make sure that the General tab is selected and then click Change Schedule. The dialog box used to change replication times appears, as shown in Figure 8-1.
5. Change the replication schedule as desired. For example, you can set it to replicate only on Sundays from 6 p.m. to 7 p.m.
You can have different replication schedules for every pair of sites, so depending on the network connectivity and geographical location, different schedules may be appropriate. For example, if a slow WAN link exists between two sites, a replication with less frequent updates may be necessary to limit bandwidth consumption. Bear in mind what a sparse schedule costs you: an account lockout set at headquarters doesn't reach the remote site until the next scheduled window, because urgent replication crosses a site link only when change notification has been enabled on that link. Password changes are the exception, since they go straight to the PDC emulator regardless of schedule. One other area of replication crosses domains: global catalog information. The global catalog contains all the information about all the objects in its own domain and a subset of information for every object in the forest. However, Windows Server 2008 performs all the calculations needed to optimize this replication, so mere mortals like us don't need to worry about it.
Figure 8-1: This is where you change replication times.
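Whatever schedule you pick, what matters is whether each domain controller is actually keeping up with its partners. The following script, added here as an example (not from the book), reads the metadata each domain controller keeps about its inbound partners through the .NET DomainController.GetAllReplicationNeighbors() method, the same data repadmin /showrepl prints, and flags partners that have failed or have gone quiet for longer than your site-link schedule explains. It assumes Windows PowerShell 2.0 and an account permitted to read replication status (Domain Admins by default); the three-hour threshold is a placeholder to tune to the longest gap in your schedules.

```powershell
# Added example: replication health per inbound partner for every DC in the domain.
# Assumes Windows PowerShell 2.0 and rights to read replication metadata
# (Domain Admins by default). $staleAfter is an assumption; set it to a little
# more than the longest gap in your site-link schedules.

$staleAfter = New-TimeSpan -Hours 3

function Get-ReplicationHealth {
    param([System.DirectoryServices.ActiveDirectory.DomainController]$Dc)
    # One entry per (partition, source partner) that this DC pulls from.
    foreach ($n in $Dc.GetAllReplicationNeighbors()) {
        $sinceOk = (Get-Date) - $n.LastSuccessfulSync
        New-Object PSObject -Property @{
            Destination = $Dc.Name
            Source      = $n.SourceServer
            Partition   = $n.PartitionName
            LastSuccess = $n.LastSuccessfulSync
            Failures    = $n.ConsecutiveFailureCount
            LastResult  = $n.LastSyncMessage
            Stale       = ($n.ConsecutiveFailureCount -gt 0) -or ($sinceOk -gt $staleAfter)
        }
    }
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$report = @()
foreach ($dc in $domain.DomainControllers) {
    try {
        $report += Get-ReplicationHealth -Dc $dc
    } catch {
        # A DC you can't even query is itself a finding.
        Write-Warning ("{0}: cannot read replication status ({1})" -f $dc.Name, $_.Exception.Message)
    }
}

$report | Sort-Object Destination, Partition, Source |
    Format-Table Destination, Source, Partition, LastSuccess, Failures, Stale -AutoSize

# Stale partners are where a lockout or a group change hasn't arrived yet. A partner
# that stays broken past the tombstone lifetime (60 or 180 days, depending on when
# the forest was created) is refused by its peers when it does come back.
foreach ($bad in ($report | Where-Object { $_.Stale })) {
    Write-Warning ("{0} <- {1} [{2}]: last success {3}, {4} consecutive failure(s): {5}" -f
        $bad.Destination, $bad.Source, $bad.Partition, $bad.LastSuccess, $bad.Failures, $bad.LastResult)
}
```

Schedule it to run from the hub site; an intersite partner whose last success is older than its schedule gap, with no failures recorded, usually means the link's schedule window and the bridgehead's availability never overlap.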
Know your database limits In Windows 2008, there's really no practical limit to the number of objects per domain — your organization will never get that big! Windows NT 4.0 domains are limited to around 40,000 objects per domain. This forces some companies to acquire multiple master domains joined by bidirectional trust relationships. Windows 2008, on the other hand, extends this to around 10,000,000 objects per domain. HP has performed tests and created 16,000,000 user objects in a single domain with no significant performance problems. However, it had some very powerful hardware — probably much more powerful than your home PC or even your company's primary server! These objects have to be replicated at some point. Windows Server 2008 uses property rather than object replication, which means that only the property change is replicated, not the entire object. In other words, if you change just one property of an object (a user's phone number, for example), only the property change (the new phone number) is replicated. Your database size is governed by your domain controller hardware and the physical network infrastructure. But if you have enough money to invest in the proper hardware, we doubt that you would need more than a single domain (unless your company is really big). There are, however, other reasons for needing multiple domains and forests, such as needing different schemas (see Chapter 7 for more on schemas) or needing to keep one set of administrators from being able to affect another; because the forest is the security boundary, that last requirement calls for separate forests rather than separate domains. The backup and restoration needs of your enterprise may govern database size because a huge directory database is no good if it takes days to back it up.
Administrivia Anyone? (Controlling Domains and Directories) If you don't have sufficient tools available to manipulate and manage Active Directory, its power won't do you much good. Fortunately, not only does Windows Server 2008 come with a complete set of ready-made tools, but you can also write your own tools and scripts using the Active Directory Service Interfaces (ADSI).
Exploring the directory management console As with everything else in Windows 2008, management of Active Directory is accomplished using a Microsoft Management Console (MMC) snap-in. The snap-in you’ll use most often is the Active Directory Users and Computers snap-in (shown in Figure 8-2), which is what you use to create, manage, and delete everything from users to computers. It includes some of the features of the old User and Server Manager from Windows NT.
Figure 8-2: The Active Directory Users and Computers MMC snap-in.
To access the Active Directory Users and Computers snap-in, choose Start➪Administrative Tools➪Active Directory Users and Computers. When you first start the snap-in, you see your domain name (represented as a DNS domain name) at the top of the directory. You'll also notice several containers (shown as folders). Most of the default ones are plain containers; Domain Controllers is an organizational unit (OU). OUs are the containers you create yourself to group objects into logical units, which allows finer segregation and control in a domain, and unlike the default containers they can have Group Policy linked to them. Certain container objects appear in all typical Active Directory installations:
• Builtin: The built-in groups that Windows NT 4.0 administrators will recognize, such as Administrators and Backup Operators.
• Computers: The default home for computer accounts, which Windows NT's Server Manager used to manage. Computer objects in other organizational units aren't listed in this container.
• Domain Controllers: A built-in organizational unit that contains all domain controllers.
• Users: The default store for all domain users. Again, users in other organizational units aren't listed.
In a fully functional domain, you'll find various organizational units, depending on the services you have installed and the organizational units you create. Everything is context driven in Windows Server 2008. This means that if you right-click an object or container, a menu specific to that object or container is displayed. This is much better than hunting through huge standard menus for options relevant to the chosen object.
Creating directory objects Windows Server 2008 has tons of objects, such as computer, user, group, and shared folder objects. In this section, we concentrate on the creation of only the first two (computer and user objects) because the others are fairly intuitive and don’t support many configuration options. In a Windows NT 4.0 domain, it never took too much planning to create new user or computer objects. You just did it. In Windows Server 2008, however, you can’t be quite so spontaneous. You first need to think about where you want to create such an object. Placement is important because, although you can still move objects around, it’s much easier in the long run if you create an object in the correct location from the get-go. However, because you may not always have the time to plan and do it right the first time, you can always move the object later if you have to. (Just don’t say we didn’t warn you.)
Use OUs to help you organize your data into logical containers. First you create an OU for the various departments in your organization (for example, one for accounting, one for engineering, one for personnel, and so on). Then you can put all user and computer objects in a particular department in its OU. In addition, you can lighten your administrative load by assigning a person in each department the rights necessary to manage his or her OU and that OU only. Pretty nifty, huh? (Keep the domain controllers and the accounts that administer the domain out of those delegated OUs, though: whoever controls an OU controls everything in it.) You can create a user object in one of two places: in the default Users container (Computers, for computer objects) or in some organizational unit you or someone else has already created. If you delegate the ability to create objects, you can set it up so that the delegated users can create objects in only one location, or certain selected locations. To create a user object, perform the following steps:
1. Start Active Directory Users and Computers. (Choose Start➪Control Panel➪Administrative Tools➪Active Directory Users and Computers.)
2. In the Active Directory Users and Computers console tree, right-click the container (such as Users) in which you want to create the user object, point to New, and click User. The first page of the User Creation Wizard (the New Object – User dialog box) is displayed, as shown in Figure 8-3. For interoperability with other directory services, you can click InetOrgPerson instead of the user object type, which is nearly identical. You can find information regarding InetOrgPerson in the "Understanding user accounts" article in the Windows Help files.
Figure 8-3: The first page of the User Creation Wizard.
3. Type the user's first and last name, initials, and a logon name, and then click Next. The next page of the Wizard allows you to set the new password and the following options:
• User Must Change Password at Next Logon
• User Cannot Change Password
• Password Never Expires
• Account Is Disabled
4. In the Password and Confirm Password text boxes, type the user's password and select the appropriate password options. Leave User Must Change Password at Next Logon selected (the default) for a person's account, and think twice before choosing Password Never Expires: it takes the account out of the domain's password-age policy for good, and such accounts are among the first things an attacker enumerates because nobody ever cleans them up.
5. Click Next to review the summary, and then click Finish.
That's it; you've created a new user. You're probably thinking, "What about all the other user attributes, such as security features?" Well, you no longer define those settings during the creation of the user. After you create the user object, you right-click it and select Properties. The Properties dialog box for the user appears. Each tab pertains to various aspects of the selected user object. These tabs vary depending on the Windows Server 2008 subsystems in use, on other back office applications such as Exchange Server or SQL Server, and even on what third-party software you might have installed. Computer account creation is much simpler and doesn't bombard you with quite so many tabs. Again, in Active Directory Users and Computers, right-click the container in which you want to create the new computer object (such as Computers), and choose New➪Computer. The New Object – Computer dialog box appears, as shown in Figure 8-4. You have only to type a computer name and select which user or group is allowed to join a computer with that name to the domain; leave the default (Domain Admins) unless you're pre-staging the account for a particular person or help-desk group.
Figure 8-4: We’re creating a new computer object named FriedBanana Sandwich.
Finding directory objects

Finding objects is one of Active Directory’s greatest pluses. Using the global catalog, you can find an object anywhere in an enterprise forest by querying Active Directory. You can search for anything — a user, a computer, even a printer — and you can search on many attributes. (The attributes presented vary depending on the type of object you’re searching for.) For example, you can ask Active Directory to find the closest color-capable, double-sided printer at your site. You don’t even have to tell Active Directory where you are. It figures that out automatically.

On a Windows Server 2008 system, there’s a Search component that you can access from the Start menu. (Choose Start➪Search.) Under this menu, you can use a number of options to search for users, folders, and printers. The available options are as follows:

• For Files or Folders
• On the Internet
• Find Printers
• For People

For example, if you want to search for a color printer, choose Start➪Search➪Find Printers. There are three available tabs: Printers, Features, and Advanced. You want to choose the Advanced tab because it allows you to specify that you’re searching for a color printer. After you enter all your details, click Find Now, and your results appear. In a large enterprise, many listings that meet your requirements may appear, so always try to be as specific and detailed as possible when performing a search.
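The same “color, double-sided printer” search done against the directory from a script, as an added example that is not from the book. It assumes a domain-joined machine, and filters on the standard printQueue attributes (printColor, printDuplexSupported, location) that the Add Printer wizard publishes; the location prefix “2FL” is a constructed value.

```powershell
# Added example (not from the book): query Active Directory for published
# printers that support color and double-sided output, the search the
# chapter describes doing through Start -> Search -> Find Printers.
# Assumptions: domain-joined machine, run as an ordinary domain user;
# printQueue attribute names are the standard schema attributes.

function Find-PublishedPrinter {
    param(
        [switch]$Color,
        [switch]$Duplex,
        [string]$Location = ""   # prefix match on the printer's Location field; empty = any
    )

    # RootDSE tells us where this domain's naming context starts, so the
    # script works in any domain without a hard-coded DN.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainDn = [string]$rootDse.defaultNamingContext

    # Build an LDAP filter from the requested features. Booleans are stored
    # as the strings TRUE/FALSE in Active Directory.
    $clauses = @("(objectCategory=printQueue)")
    if ($Color)  { $clauses += "(printColor=TRUE)" }
    if ($Duplex) { $clauses += "(printDuplexSupported=TRUE)" }
    if ($Location -ne "") {
        # Escape characters with special meaning in LDAP filters (RFC 4515)
        # so user-supplied text cannot change the shape of the query.
        $safe = $Location -replace '\\', '\5c' -replace '\*', '\2a' `
                          -replace '\(', '\28' -replace '\)', '\29'
        $clauses += "(location=$safe*)"
    }
    $filter = "(&" + ($clauses -join "") + ")"

    # To search the whole forest instead, bind the SearchRoot to "GC://..."
    # (only attributes in the global catalog's partial attribute set are
    # searchable there).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    $searcher.Filter   = $filter
    $searcher.PageSize = 500      # page results so a large domain does not truncate
    [void]$searcher.PropertiesToLoad.AddRange(
        @("printerName", "serverName", "uNCName", "location", "printColor", "printDuplexSupported"))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties      # keys come back lower-cased
        New-Object PSObject -Property @{
            Printer  = [string]$p["printername"][0]
            Server   = [string]$p["servername"][0]
            UncPath  = [string]$p["uncname"][0]
            Location = [string]$p["location"][0]
            Color    = [string]$p["printcolor"][0]
            Duplex   = [string]$p["printduplexsupported"][0]
        }
    }
}

# Usage: color, double-sided printers on the second floor (constructed location prefix).
Find-PublishedPrinter -Color -Duplex -Location "2FL" |
    Format-Table Printer, Location, UncPath, Color, Duplex -AutoSize
```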
A word on ADSI

Active Directory Scripting Interface (ADSI for short) allows you to manipulate the directory service from a script. You can use Java, Visual Basic, C, or C++ scripts. With ADSI, you can write scripts that automatically create users, including their setup scripts, profiles, and details. If you need to manage a medium or large domain, you should learn ADSI. In the long run, it’ll save you a great deal of time and aggravation. Search the Microsoft Web site at www.microsoft.com/windows for ADSI, and you’ll find loads of great information (more than you’d want!). Also check the Windows Server 2008 Resource Kit for details.
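The user-creation wizard steps from earlier in this chapter, done through ADSI from PowerShell, as an added example that is not from the book. The OU “OU=Accounting,DC=example,DC=com”, the logon name “jdoe”, and the person’s name are constructed; the function name New-AdsiUser is ours.

```powershell
# Added example (not from the book): create a user object with ADSI, the
# scripted counterpart of the New Object - User wizard, and set the same
# account options the wizard's password page offers.
# Assumptions: the OU and names in the usage line are constructed; you run
# this as an account that may create user objects in that OU.

function New-AdsiUser {
    param(
        [Parameter(Mandatory=$true)][string]$OuPath,      # e.g. "OU=Accounting,DC=example,DC=com"
        [Parameter(Mandatory=$true)][string]$LogonName,   # pre-Windows 2000 logon name (sAMAccountName)
        [Parameter(Mandatory=$true)][string]$FirstName,
        [Parameter(Mandatory=$true)][string]$LastName,
        [Parameter(Mandatory=$true)][System.Security.SecureString]$Password,
        [switch]$MustChangePasswordAtNextLogon,
        [switch]$PasswordNeverExpires,
        [switch]$AccountDisabled
    )

    if ($LogonName.Length -gt 20) { throw "Pre-Windows 2000 logon names are limited to 20 characters." }

    $ou = [ADSI]"LDAP://$OuPath"
    # Derive the UPN suffix from the domain DN: DC=example,DC=com -> example.com
    $upnSuffix = ([string]([ADSI]"LDAP://RootDSE").defaultNamingContext) `
                 -replace ',DC=', '.' -replace '^DC=', ''

    # IADsContainer::Create builds the object in memory; nothing is written
    # to the directory until SetInfo() is called.
    $user = $ou.Create("user", "CN=$FirstName $LastName")
    $user.Put("sAMAccountName",    $LogonName)
    $user.Put("userPrincipalName", "$LogonName@$upnSuffix")
    $user.Put("givenName",         $FirstName)
    $user.Put("sn",                $LastName)
    $user.Put("displayName",       "$FirstName $LastName")
    $user.SetInfo()

    # The password can only be set on an object that already exists, so this
    # comes after the first SetInfo(). The clear text lives only long enough
    # to make the call.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try     { $user.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

    # userAccountControl flags (decimal values from the AD schema):
    #   512 = NORMAL_ACCOUNT, 2 = ACCOUNTDISABLE, 65536 = DONT_EXPIRE_PASSWORD
    $uac = 512
    if ($AccountDisabled)      { $uac = $uac -bor 2 }
    if ($PasswordNeverExpires) { $uac = $uac -bor 65536 }
    $user.Put("userAccountControl", $uac)

    # "User Must Change Password at Next Logon" is pwdLastSet = 0.
    if ($MustChangePasswordAtNextLogon) { $user.Put("pwdLastSet", 0) }
    $user.SetInfo()

    return [string]$user.distinguishedName
}

# Usage (constructed values): a new accountant who must pick a password at first logon.
$pw = Read-Host -AsSecureString "Initial password"
New-AdsiUser -OuPath "OU=Accounting,DC=example,DC=com" -LogonName "jdoe" `
             -FirstName "Jane" -LastName "Doe" -Password $pw -MustChangePasswordAtNextLogon
```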
Permission to Proceed? Handling Directory Permissions

An old concept says, “You’re the administrator; administrate no longer.” And it does have some truth to it in Windows Server 2008. Although some tasks still require a full-fledged domain administrator, the common management of a domain may be more easily accomplished when you grant different sets of user permissions to manage different sets of users and user properties. In English, this means you can delegate the responsibility for managing low-level users to slightly higher-level users, and so on, until you, as the administrator, need to get involved only to manage more weighty constructs, such as domain forests and trees or intrasite access.
About Active Directory permissions

If you’re familiar with the Windows NT security model, you probably know all about Access Control Lists (ACLs). ACLs allow a set of permissions to be applied to a file, directory, share, or printer (and more), thus controlling which users can access and modify these particular objects. Windows Server 2008 takes this to the next level by assigning an ACL to every single attribute of every single object. This means you can control user access to such a fine degree that you can micromanage your users into the nearest insane asylum. You could insist, for example, that “User group Personnel Admin may change the address, phone number, and e-mail attributes of all users but nothing else.”
Assigning permissions

You can assign permissions to Active Directory objects in various ways. Here, we present an extreme case, so everything else looks like a piece of cake! Remember Active Directory Users and Computers? Well, earlier in this chapter, in “Exploring the directory management console,” you saw a nice, basic view of this utility. However, it has other options that are shown only when it’s in Advanced Features mode. To turn on Advanced Features, start Active Directory Users and Computers (choose Start➪Administrative Tools➪Active Directory Users and Computers) and then choose View➪Advanced Features.
Some new branches are added to the basic domain root: LostAndFound and System. We don’t care about that, though. Instead, we’re interested in the new tab added to the objects — the Security tab. In Active Directory Users and Computers, find a user, any user. Right-click the user and then select Properties. In the user’s Properties dialog box, click the Security tab, and then click the Advanced button. The Permissions tab of the Advanced Security Settings dialog box appears, as shown in Figure 8-5. You see a list of permission entries that includes a type (Allow/Deny), a user or group, and the permission and its scope.
Figure 8-5: The Advanced Security Settings dialog box for an object used to control user access.
Obviously, assigning permissions explicitly to every object takes forever. Thankfully, Active Directory uses an inheritance model so that you need to make changes only at the root; the changes propagate down from there. The following section spells out how this works.
Permissions inheritance

There are two types of permissions: explicit and inherited. Explicit permissions are assigned directly to an object, and inherited permissions are propagated to an object from its parent (and so on). By default, any object in a container inherits permissions from its container.
Sometimes, you don’t want permissions to be inherited — for example, you’re working with a directory structure in which different permissions are defined on each contained object, such as with a multiuser File Transfer Protocol (FTP) site or a shared folder that contains user home directories. The default setting in Active Directory specifies that permissions are inherited, but you can change this default behavior.

Remember the Advanced Features view for Active Directory Users and Computers? Well, you need it again. When you turn on the Advanced Features from the View menu and check out the advanced security properties of a user (right-click the user, choose Properties, click the Security tab, and then click the Advanced button), notice the Include Inheritable Permissions from This Object’s Parent check box, which is selected by default. If you deselect it, any changes made to the parent container no longer propagate to the objects it contains. You disable inheritance for the object. If you do disable inheritance, you’re given the following options:

• Copy Previously Inherited Permissions to This Object
• Remove Inherited Permissions
• Cancel (Disable) the Inheritance

Of course, you can enable inheritance later if you want. It’s not a one-way operation, so don’t panic!
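The permission entries shown in Figure 8-5 and the inheritance switch described above, read and set from PowerShell with the .NET System.DirectoryServices classes, as an added example that is not from the book. The OU distinguished name is constructed, and the function names are ours.

```powershell
# Added example (not from the book): list the permission entries the
# Advanced Security Settings dialog shows, and turn inheritance off with the
# same "copy" or "remove" choice the dialog offers.
# Assumptions: the DN in the usage lines is constructed; System.DirectoryServices
# is part of the .NET Framework, so no extra module is needed on Windows Server 2008.

function Get-AdObjectAce {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $sd = $entry.psbase.ObjectSecurity
    # GetAccessRules(includeExplicit, includeInherited, identity type for DOMAIN\name output)
    foreach ($ace in $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        New-Object PSObject -Property @{
            Type       = $ace.AccessControlType        # Allow / Deny
            Trustee    = $ace.IdentityReference.Value  # user or group
            Rights     = $ace.ActiveDirectoryRights    # e.g. GenericAll, WriteProperty, ExtendedRight
            Scope      = $ace.InheritanceType          # None, All, Descendents, ...
            Inherited  = $ace.IsInherited              # explicit (False) vs. inherited (True)
            ObjectGuid = $ace.ObjectType               # attribute or extended-right GUID; all zeros = whole object
        }
    }
}

function Disable-AdInheritance {
    param(
        [Parameter(Mandatory=$true)][string]$DistinguishedName,
        # $true  = "Copy Previously Inherited Permissions to This Object"
        # $false = "Remove Inherited Permissions"
        [bool]$CopyInheritedPermissions = $true
    )
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $sd = $entry.psbase.ObjectSecurity
    if ($sd.AreAccessRulesProtected) { Write-Warning "Inheritance is already disabled."; return }

    $sd.SetAccessRuleProtection($true, $CopyInheritedPermissions)
    if (-not $CopyInheritedPermissions) {
        # With "remove", only explicit entries survive. Refuse to commit an
        # object nobody is explicitly allowed to manage.
        $explicit = $sd.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])
        if ($explicit.Count -eq 0) { throw "No explicit permissions would remain; refusing to commit." }
    }
    $entry.psbase.CommitChanges()
}

function Enable-AdInheritance {
    param([Parameter(Mandatory=$true)][string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    # Re-enable inheritance; parent permissions flow down again on commit.
    $entry.psbase.ObjectSecurity.SetAccessRuleProtection($false, $true)
    $entry.psbase.CommitChanges()
}

# Usage (constructed DN): see which entries on a home-directory OU are inherited,
# then cut the OU off from its parent while keeping a copy of those entries.
$ou = "OU=HomeDirs,OU=Personnel,DC=example,DC=com"
Get-AdObjectAce $ou | Where-Object { $_.Inherited } |
    Format-Table Type, Trustee, Rights, Scope -AutoSize
Disable-AdInheritance -DistinguishedName $ou -CopyInheritedPermissions $true
```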
Delegating administrative control

Delegating administration over certain elements of your domain is one of the great things about Active Directory — no more administrator or nonadministrator. Different people or groups can be delegated control over certain aspects of a domain’s organizational unit. The following steps can be employed to delegate administration on objects:

1. Open Active Directory Users and Computers. (Choose Start➪Control Panel➪Administrative Tools➪Active Directory Users and Computers.)

Another way of accessing Active Directory Users and Computers is to click Start and type dsa.msc into the Start Search bar.

2. In the console tree, right-click the organizational unit (OU) for which you want to delegate control.
3. Click Delegate Control to start the Delegation of Control Wizard.

Click the Add button to access the Active Directory search tool to locate users and groups. Make your selections. (Hold down Ctrl to select multiple users at the same time.) The users are now displayed in the selected users area. The people you’ve selected are the ones who can perform the tasks you’re about to choose.

4. Click Next.

A list of common tasks is displayed for which you can delegate control (reset passwords and modify group membership, for example).

5. Make your selections and then click Next.

If you choose to create a custom task to delegate, follow the steps presented by the wizard. A summary screen is displayed (as shown in Figure 8-6), giving you the option to change your mind.

6. When you’re happy with the changes you’ve made, click Finish.

That’s it; a few mouse clicks and you’ve delegated control of a container to a specific person or groups of people.
Figure 8-6: The summary screen of the Delegation of Control wizard.
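The reset-password part of the wizard’s “Reset user passwords” task, granted from PowerShell as an added example that is not from the book. It looks up the GUIDs of the Reset Password extended right and of the user class from the schema at run time instead of hard-coding them; the OU and the group “EXAMPLE\AcctHelpDesk” are constructed, and the function names are ours.

```powershell
# Added example (not from the book): scripted equivalent of delegating the
# "Reset Password" right on an OU to a help-desk group, scoped so it applies
# only to user objects under that OU (the OU itself gets no new rights).
# Assumptions: OU and group names in the usage line are constructed.

function Get-AdRightGuid {
    # Resolve an extended right by display name (e.g. "Reset Password") to its rightsGuid.
    param([Parameter(Mandatory=$true)][string]$DisplayName)
    $cfgDn = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher `
        -ArgumentList ([ADSI]"LDAP://CN=Extended-Rights,$cfgDn")
    $searcher.Filter = "(&(objectClass=controlAccessRight)(displayName=$DisplayName))"
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Extended right '$DisplayName' not found." }
    return [Guid][string]$result.Properties["rightsguid"][0]
}

function Get-AdClassGuid {
    # Resolve a schema class by LDAP display name (e.g. "user") to its schemaIDGUID.
    param([Parameter(Mandatory=$true)][string]$LdapDisplayName)
    $schemaDn = [string]([ADSI]"LDAP://RootDSE").schemaNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher `
        -ArgumentList ([ADSI]"LDAP://$schemaDn")
    $searcher.Filter = "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))"
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Schema class '$LdapDisplayName' not found." }
    # schemaIDGUID is stored as a 16-byte octet string.
    return New-Object Guid -ArgumentList (,[byte[]]$result.Properties["schemaidguid"][0])
}

function Grant-ResetPasswordDelegation {
    param(
        [Parameter(Mandatory=$true)][string]$OuDistinguishedName,
        [Parameter(Mandatory=$true)][string]$GroupAccount    # "DOMAIN\GroupName"
    )
    $ou        = [ADSI]"LDAP://$OuDistinguishedName"
    $identity  = New-Object System.Security.Principal.NTAccount($GroupAccount)
    $resetPwd  = Get-AdRightGuid "Reset Password"
    $userClass = Get-AdClassGuid "user"

    # Allow the single extended right, inherited by descendant user objects
    # only: the narrowest entry that still lets the group reset passwords in
    # this department.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $resetPwd,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass)
    $ou.psbase.ObjectSecurity.AddAccessRule($rule)
    $ou.psbase.CommitChanges()
}

# Usage (constructed names): the accounting help desk may reset passwords only in its own OU.
Grant-ResetPasswordDelegation -OuDistinguishedName "OU=Accounting,DC=example,DC=com" `
                              -GroupAccount "EXAMPLE\AcctHelpDesk"
```

Afterwards the new entry shows up on the OU’s Security tab as an Allow for the group with the Reset Password right, applying to descendant user objects.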
Managing Trusts

In Windows NT 4.0, trust management was a big problem in a large enterprise. In Windows Server 2008, however, trust management is simple because all trusts are set up by default between all domains in a forest, and these trusts are two-way transitive trust relationships.
Two-way transitive trusts are created automatically between all domains in a forest when you run DCPROMO. You can, however, still create the old-style Windows NT 4 trusts for any domains that aren’t part of the same enterprise forest.
Establishing trusts

You can create old-style trusts by following these steps:

1. Open Active Directory Domains and Trusts by choosing Start➪Control Panel➪Administrative Tools➪Active Directory Domains and Trusts.

2. Right-click the domain of choice in the Active Directory Domains and Trusts interface and then choose Properties.

3. Click the Trusts tab (see Figure 8-7) to create one-way trusts.

One-way external trusts aren’t transitive and work the same as the old Windows NT 4.0 trusts. You can delete a trust by selecting the trust and choosing Remove.
Figure 8-7: This is where you create one-way trusts between domains.
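The same one-way external trust created, verified, and listed from the command line with netdom and nltest, as an added example that is not from the book. The domain names are constructed: example.com is the trusting domain (whose resources are shared) and partner.example is the trusted domain (whose users will be granted access).

```powershell
# Added example (not from the book): one-way, non-transitive external trust
# from the command line. netdom and nltest ship with Windows Server 2008.
# Assumptions: constructed domain names; run in an elevated window as a
# Domain Admin of the trusting domain (example.com).

# Create the trust. /add creates it; leaving out /twoway keeps it one-way,
# and an external trust is non-transitive. /passwordd:* prompts for the
# trusted domain's admin password instead of leaving it in command history.
netdom trust example.com /domain:partner.example /add /userd:PARTNER\Administrator /passwordd:*

# Keep SID filtering (quarantine) on. It is the default for external trusts;
# it makes the trusting domain discard any SIDs in a user's token that do not
# belong to the trusted domain.
netdom trust example.com /domain:partner.example /quarantine:yes

# Confirm the trust's secure channel works before telling users about it.
netdom trust example.com /domain:partner.example /verify

# List every trust the local domain knows about, with direction and
# transitivity flags, so you can check there is no unexpected entry.
nltest /domain_trusts /all_trusts
```

Users from partner.example still get nothing until someone grants them permissions on resources in example.com, exactly as the sidebar below explains.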
If you open the door to trusts, who gets to come through?

In a forest, when you open the trust door (which happens automatically between all domains in the same forest), anyone gets to come in. All trusts are transitive, so anyone in any domain in the forest can be granted permission to any resource. For old-style trust relationships (which are created manually between domains in different forests or in a Windows NT domain), the trust isn’t transitive. Only users in the two domains for which the trust is defined can be assigned access to resources, and only in the direction of the trust. There’s no need to panic, though, because users can’t access resources without permission. Therefore, although they can be given access, they won’t be able to gain access until specifically given permission to do so.
Chapter 9
Printing on the Network

In This Chapter

• Printing the Windows Server 2008 way
• Installing the server side first
• Sharing print device access
• Setting up print devices on the client side
• Managing Windows Server 2008–based print devices
• Preventing print device problems
• Introducing Windows Fax and Scan
Next to not being able to access network resources, nothing freaks out users more than not being able to print their work. We bet you can’t find a network administrator who can say that he or she hasn’t struggled with print devices at one time or another. (If you’ve seen the movie Office Space, you can imagine the kind of frustration we’re talking about.)

Windows Server 2008 includes a new printer architecture that provides a better print-server platform with improved performance and a strong foundation for future application development. It simultaneously maintains compatibility with existing print applications and drivers and enables them to use features found only in the newer XPSDrv printer drivers, which are built upon a modular design that enables more efficient print queue operation. In addition to TS Easy Print capabilities, Windows Server 2008 integrates the XML Paper Specification (XPS) throughout to provide efficient, compatible, and high-quality document delivery to the entire print subsystem. The XPS document format is based on fixed-layout technology and, along with Open Packaging Conventions (OPC), defines a new format and specification built on industry standards like XML and ZIP.

In this chapter, you discover the specifics for setting up print devices on your network and avoiding common printing problems.
Throughout this chapter, we use the Microsoft terminology print device and printer, which may be confusing in the real world. Microsoft defines a print device as the physical printer, such as an HP LaserJet 2605, and a printer as the software on the server where you configure settings for the physical print device. We use Microsoft’s terms in this chapter to be technically accurate. However, this terminology may be confusing if this is your first time working with Windows Server 2008.
Windows 2008 Has a Print Model

When a user prints, the print data follows a particular path from the user to the print device. One such example is the new XPS print path, which uses the XPS document format throughout the entire print path, from application to printer, and creates the possibility for true WYSIWYG output. In Windows Server 2008, the basic pieces of this print scheme are as follows:

• Print users: Print users are the people who want to send print jobs to a print device on the network, on the Internet, or attached to their PC. To actually print, users must have a print device driver (called a print driver in non-Microsoft-speak) installed on their PC.

• Graphics Device Interface (GDI): The GDI is a software component that finds the appropriate print device driver and works with the driver to render print information into an appropriate printer language. After the information is rendered, the GDI sends it to the client-side spooler. (A Windows client application would call the GDI the print process.)

• Print device driver: This software piece is provided by either the manufacturer (for the latest version) or by Microsoft (not always the latest) and corresponds directly to a particular print device make and model. It’s the interface between the software application and the print device, and it’s called a print driver in non-Microsoft-speak. You may also hear it referred to as a printer driver. The print device driver need not be installed on the client. Instead, if the client is a Windows 98, SE, ME, NT, 2000, or XP system, it can download the print device driver from the print server when it wants to print a document. However, this does require that the print server be configured to host print device drivers for these operating systems.

• Printers: This is also called a logical printer, and it isn’t the physical piece of machinery you sometimes want to kick, but rather the bundle of settings you need to make a print device run. It exists as software on the server that you use to configure settings for print job processing and routing for the physical print device.
Chapter 9: Printing on the Network

• Print jobs: Print jobs are files you want to print. Print jobs are formatted at the workstation by the GDI and a print device driver and submitted for output on a local or networked print device. If the print device is local (attached to the PC), the output is printed right there and then. If a network print device and print server are involved, the output is sent (spooled) to a queue on the print server until a print device is available to service the request.

• Print servers: Print servers are computers that manage network print devices attached to them. A print server can be any computer located on a network (or the Internet) that has a print device attached and runs some Microsoft operating system, such as Windows 2000/2003/2008, NT, or 9x. (Even a user workstation can function as a print server — but we don’t like this approach because it typically brings too much traffic to some user’s PC.) When a user submits a print job, the print server stores the job in a queue for the print device and then polls the print device to check for its availability. If the print device is available, the print server pulls the next job out of the queue and sends it to the print device. Any network administrator or user with appropriate access rights can manage print servers from anywhere on the network. By default, in Windows 2008, all members of the Everyone group can print to a device, but only those members specifically given rights can manage the device.

• Print queues: A print queue is a location on the hard disk where spooled files wait in line for their turn to print. Each print device has at least one corresponding print queue (although additional queues are possible). As users submit print jobs, those jobs go into the queue to wait for their turn. You define a queue for a print device when you add a printer to the Printers and Faxes folder and assign it a name. Print jobs enter the queues on a first-come, first-served basis. Only someone with appropriate access rights to manage queues (administrators, print operators, and server operators) can alter print order in a print queue. You can assign users on your network permission to manage print queues for you. Windows 2008 includes a built-in user group called Print Operators, and you can add users to this group to give them the proper access rights for the task by choosing Start➪Administrative Tools➪Active Directory Users and Computers, selecting a domain, and opening the Built-in folder. Giving some users print-queue management rights rather than others may be seen as playing politics if you don’t exercise great caution in making such assignments. Some folks may accuse others of playing favorites when print jobs are rearranged in the queue. We’ve seen this happen a lot. If you choose people who are neutral, your life will be easier!

• Print devices: Print devices are physical devices or physical printers, such as HP laser printers. Print devices can be attached locally to a workstation or server or directly to the network. In the real (non-Microsoft) world, this is what we normal people call a printer!
Physical print devices

We call print devices physical print devices because you can walk up to these devices and touch them. Print devices come in different categories, including laser, plotter, inkjet, and bubble jet. You can attach a physical print device locally to a PC, server, or print server, or directly to the network (as shown in Figure 9-1). A print server is just a network-attached PC that services print jobs — so, technically, we could lump PCs and print servers in the same category. We list them separately in this case because we want to distinguish between a PC where a user does work and a dedicated print server located on the network.
Logical assignments

A logical printer assignment isn’t a print device — it exists intangibly, in the form of a Windows Server 2008 definition. It’s sort of like a name that Windows 2008 uses to identify a physical print device (or a group of physical print devices, as you see later in this section). Each time you define a print device and its properties in Windows 2008, the operating system assigns a logical printer definition to the physical print device so that it knows to which physical print device you want to send your jobs.

When you first install a print device, a one-to-one correlation exists between the physical print device and the logical definition. You can expand the use of logical printer assignments, however, so that one logical printer assignment serves as the definition for several physical print devices. This use is known as print device pooling, and you set it up through print device properties by adding ports to the print device’s definition. You don’t need to be too concerned about defining logical printers unless you intend to pool print devices. Pooling happens whenever you attach a print device to the server (as explained later in the “Attaching print devices to servers” section). Just understand that Windows 2008 correlates a logical printer definition to one or more physical print devices attached to your network.

For example, you’re likely to have several print devices connected to your network, and all or many of them may be the same type, such as HPLJ2605. If you don’t define a logical printer for Windows 2008, how does it know to which HPLJ2605 print device to send your jobs? You could end up running all around the building looking for your expense report! Defining a logical printer definition keeps order in your world. You could name one logical printer 2FLWest and you’d know that your report is sent to the HPLJ2605 on the second floor of the west wing of your building. (The mechanics involved are covered in the next section, “Installing on the Server’s Side.”)

Another bit of magic that logical assignments can help you with is balancing print jobs. Suppose that you have three physical laser print devices (A, B, and C) located on your network in close proximity. If a user chooses to send a print job to print device A, which is printing a large print job, a lot of time and resources are wasted if print devices B and C sit idle at the same time. You can help your users by setting up one logical printer definition and assigning it several different physical print devices to which to print. Therefore, your users print to the logical printer, which then figures out which physical print device is available. This takes decision-making and worrying away from users and transfers it to the operating system. The only caveat here is avoiding too much physical distance between print devices. Try to make sure that all physical print devices in any logical printer definition are in the same general area so users don’t have to run around the building looking for printouts.
Figure 9-1: Different methods to connect print devices on a network. (The figure shows a print user submitting jobs that pass through queues on a Windows Server 2008 to laser printers #1 and #2, which are server attached, and to laser printer #3, which is network attached; laser printer #4 is served through a queue on a separate print server.)
Individual departments are typically arranged so that they share a common print device or print device group. Each group is logically labeled in some site-specific manner (hopefully accompanied by physical identifiers on each print device) that may or may not be descriptive of its assigned area or purpose. Whenever multiple devices are available in a pool, you need to know in advance which device prints what.

When setting up logical assignments to service more than one physical print device, all physical print devices must be identical. The only changes you can make are to properties, such as bin number or paper size for each print device. Conversely, you can assign several printer assignments to service one physical print device. You want to do this if users print special items, such as envelopes. Define one printer assignment to print to the envelope bin on the physical print device and define another printer assignment to print letter-size paper on the same print device. If you give logical assignments descriptive names, users will know where the print device is and what type of function it performs. For example, using logical names such as 2FLWestEnv and 2FLWest tells users that 2FLWestEnv is on the second floor of the west wing and it prints envelopes, whereas the other is a normal print device on the second floor of the west wing. Both printer assignments service the same physical print device, but they may print to different bins, or one may pause the print device between pages, and so on. Here, you don’t need to do anything other than define separate print devices that all print to the same port.
Installing on the Server’s Side

Before you set up clients to print on your network, first make sure to go to the server and install all the print device definitions, drivers, and hardware, and then go to the client side. Doing so ensures that when you finally get to the user’s workstation, you can submit a test print job right away because all the components are in place. If you start at the user’s side first, you have to return later to check your work.
Meet the Printers folder

You can find nearly everything you want to do with print devices on the server in the Control Panel’s Printers folder, which you can access by choosing Start➪Control Panel➪Printers. Previously, this applet was called Printers and Faxes, but Microsoft has since reassigned faxing and scanning capabilities to a combined applet. We say nearly everything because the print device drivers are stored outside the Printers folder. (Most of the drivers are found on the Windows Server 2008 DVD.)

When you first install Windows Server 2008, the Printers folder contains only an Add Printer icon, which is designed to help you install a physical print device (or logical printer definition). Each time you install a new print device by clicking the Add Printer icon (as described later in this chapter), Windows 2008 assigns it a separate icon in the Printers folder, as shown in Figure 9-2.
Figure 9-2: The Printers folder showing an installed print device, a Microsoft XPS Document Writer icon, and the Add Printer icon.
When you click the Add Printer icon, the Add Printer Wizard appears, bringing with it a set of default policies that it uses to guide you through the process of adding each new print device to the Printers folder. After you’ve installed the print devices you want, you can make changes to the print devices’ settings by visiting the Printers folder. Right-click the print device you added and choose Properties from the pull-down list that appears. A window with numerous tabs appears. You make all the changes to the particular print device’s settings in this Properties dialog box, so take some time to familiarize yourself with the available settings.
Adding a networked print device

In an ideal world, your network and users would allow you to set up one type of print device in one manner (such as all laser print devices of the same make and model with network interface cards). In the real world, however, things don’t pan out like that. Therefore, the engineers at Microsoft designed Windows Server 2008 to provide you with four ways to attach print devices to your network:

• Windows Server 2008
• Print server
• Networked (as shown in Figure 9-1)
• PC (a workstation, in Microsoft-speak)

In the following sections, we show you the four approaches to installing print devices on your network. Three of the four installations are similar; they’re just performed on different machines. For example, the steps for installing print devices attached to networks are similar to the steps for installing print devices attached to workstations. Both machines have print devices connected to their local ports, and they both share print devices on the network.
Attaching print devices to servers

You may find a need to attach a print device directly to your server. We don’t recommend that you use this method unless your organization can’t afford to spare a machine for you to use as a dedicated print server. Why? Because any time you attach a device to a file server, you run the risk that it may get hosed and crash the server — and we’ve seen this happen often.

To attach a print device to a Windows Server 2008, you need a print device, a Windows Server 2008 computer, a cable, the Windows Server 2008 installation DVD (if you didn’t copy it to your server’s hard disk), and any print device drivers you want automatically downloaded to the clients. Connect the print device directly to one of the ports on the server (for example, LPT1) and install the print device on this machine in its Printers folder by choosing Start➪Control Panel➪Printers. Then follow these steps:

1. Double-click the Add Printer icon, which invokes the Add Printer Setup Wizard, and click Next.

2. Choose Add a Local Printer and then click Next. (USB devices are automatically detected and installed by Windows.)

The printer detection window of the wizard appears, searching for and installing attached Plug and Play print devices. If the print device isn’t Plug and Play, you must follow the rest of the steps in this section.

3. From the Use an Existing Port drop-down list, select the port to which you attached this print device (such as LPT1) and click Next.

A window appears for choosing the manufacturer and model of the print device.
4. In the Manufacturer area, highlight the print device manufacturer. In the Printers area, highlight the model of the print device and click Next.

If you don’t see your print device listed here, it means you have to provide the Add Printer Wizard with the driver. Click the Have Disk button and point the wizard to the location and path where the driver resides.

5. In the Type a Printer Name window of the wizard, Setup suggests a name for this printer. Accept this name by clicking Next or type a new name for this printer in the Printer Name text box.

6. (Optional) Select the Set As the Default Printer check box if you want this to be the default printer for users permitted to access the associated print queue.

7. Click Next to move on to the Printer Sharing window.

8. Indicate whether you’d like to share the printer. By default, Windows furnishes a share name in the Printer Sharing window of the wizard.

• Share: If you want to share the printer and you don’t want to use the default name, you can type over it to change it. The share name is the name that your users will see when they print to this printer, so make it meaningful. (For example, create a name such as 2ndFLWestEnv to indicate that the printer is on the second floor of the west wing and it prints envelopes.)

• Do Not Share: If you don’t want to share the printer, choose the Do Not Share This Printer option.

9. Click Next.

10. Choose whether you want to print a test page (always a great idea) by clicking the Print a Test Page option. Next, to install drivers for the other client operating systems that will access the printer, click the Install Drivers button.

11. Click Finish.

Setup copies files from the Windows Server 2008 installation DVD to the Windows Server 2008 computer’s hard disk. If you elected to print a test page, it also emerges from your newly defined printer at this point. If you chose to share the printer in Step 8, Windows may ask you to supply any missing operating system print drivers (see Step 10) so that it can automatically download those drivers to its clients. (However, in most cases, Windows Server 2008 won’t have to ask, because it comes equipped with a large library of client print drivers from which it can draw.)
12. If you chose not to print a test page and not to install additional drivers, Setup presents you with a summary page of the choices you elected during the setup process. Click Finish if your choices are correct. Otherwise, use the Back and Next buttons to correct any invalid or incorrect info.

If you’re familiar with setting up printers on previous versions of Windows, you probably whipped through these steps because the print device setups are similar. At this point, you’ve set up the following:

• One basic logical printer assignment that points to one physical print device on Windows Server 2008: We say basic because you haven’t yet customized any options, such as paper bins, dots per inch, and separator pages, for this print device. You probably weren’t aware that as you defined this physical print device, you also assigned it a logical printer assignment. Remember that there’s a one-to-one correlation between the two each time you install a physical device and define it — unless you add more physical devices.

• A print queue for this print device: Windows Server 2008 does this for you when you define the print device. To view the queue, double-click the print device icon. You won’t see anything in the queue just yet.

• Shared access to this print device by everyone on the network: When you define a share name on the network for a print device, Windows Server 2008, by default, assigns the Everyone group access to this print device. You have to change this default policy if you don’t want “everyone” to have access to this print device. If you have Active Directory installed, the print device is published to the Directory.

You can have multiple logical printer assignments pointing to one physical print device. If you want to assign another logical printer assignment that services this physical print device, you repeat the previous steps but assign a new printer name and share name. You can assign different properties to this physical print device for each logical printer definition.
Attaching print devices to print servers

In the preceding section, we show you how to hook up a print device to a Windows Server 2008 computer so that your Windows Server 2008 functions as a print server on your network, in addition to its other duties. To help manage the load on the Windows Server 2008, you can offload this printing task to another computer on your network and have it function as your print server. The print server is just another computer on your network, only with an attached print device that you set up to manage print spooling, print queues, and print jobs. We like this method because it frees up the Windows Server 2008 to perform other tasks. When your clients print to the print server, they bypass the Windows Server 2008.
Chapter 9: Printing on the Network

You can install any Microsoft operating system that you like on the computer that will be your print server. We recommend at least Windows 9x, but we prefer a Windows NT, 2000, or XP workstation because you can download the print drivers to the client workstations from the print server automatically with no intervention on your part. This means that you don’t have to install drivers manually on each of the client workstations. After you’ve installed an operating system on your soon-to-be print server, follow Steps 1 through 12 from the “Attaching print devices to servers” section if you’re using a Windows NT, 2000, or XP Workstation as the operating system. If you’re using Windows 9x, repeat the same steps but exclude the downloadable print device drivers from Step 10. Instead, you must go to each client and install the corresponding print device drivers.
Attaching networked print devices to print servers

Some print devices, such as HP laser print devices, are neat because after you plug a network adapter into them, they’re nearly ready to be placed anywhere on your network where there’s an electrical outlet and an available network connection. Nearly, but not quite! You must still make all the physical connections and assign an IP address to the printer. After you do that, perform the following steps to add the networked print device to the print server:

1. Choose Start➪Control Panel➪Printers. The Printers applet window appears.
2. Double-click the Add Printer icon to invoke the Add Printer Wizard and click Next.
3. In the Add Printer window, click Add a Network, Wireless, or Bluetooth Printer and then click Next. Windows begins searching for available network-accessible print devices and displays the Searching for Available Printers window.
4. Select the printer (print device) you want from the list of discovered printers (print devices) that appears and then skip to Step 6. If the desired print device isn’t found, you can find it by following these steps:
    a. Click The Printer I Want Isn’t Listed. The Find a Printer by Name or TCP/IP Address window appears.
    b. Under Find a Printer by Name or TCP/IP Address, choose Browse for a Printer, Select a Shared Printer by Name (followed by the actual name), or Add a Printer Using a TCP/IP Address or Hostname.
    c. Click Next and follow the dialog boxes to find and select the printer.
5. Depending on what option you selected in Step 4, do the following:
    • If you clicked Browse for a Printer, a browse list of all the local servers and workstations appears. Double-click those entries to find attached print devices, after which you can add them. If you supply a valid UNC name for a networked print device (for example, \\library-srvr\HPLaserJ), you can add it by using that name when you click Next.
    • If you clicked Add a Printer Using a TCP/IP Address or Hostname, the Type a Printer Hostname or IP Address window appears. Here you can explicitly identify the device type (TCP/IP Device or Web Services Device) or stick with the default Autodetect option. After that you must supply a valid hostname or IP address and a UDP port number to complete the print device connection.
6. After completing these steps, click Next to see a Connect to Printer window, where you can change the printer name or leave it as is.
7. Finally, you can elect to print a test page (a good way to make sure your printer connection is working), or you can simply click the Finish button. Congrats! You’re done!

When installing a print device on a Windows Server 2008 with Active Directory installed, the Add Printer Wizard shares the print device and publishes it in the Directory — unless you change the policy rules. For more information on Active Directory, please read Chapter 7.
Attaching print devices to a workstation PC

Some users may have print devices on their desks that you may want to make available to other users on the network. Attaching a print device to a PC is the least desirable method because it involves users going to another user’s PC to pick up print jobs. This can cause a disruption in workflow for the user who’s unfortunate enough to have a print device on his or her desk. However, in smaller organizations where budgets are tight, this method is sometimes used. To set this up, you must go to the user’s desktop and share that print device on the network. If you’d like, you can restrict access to that share so that the entire organization isn’t allowed to print there.

Where do you find all this? In the Printers and Faxes folder on the user’s desktop, of course! Right-click the Add Printer icon if no print device is installed, choose the print device to be a local print device connected to a local printer port (such as LPT1 or a USB port), and assign it a name. If a print device is already defined, right-click its icon and select Properties to give this print device a share name. After you share the print device on the network, other users can see it. This method causes the user’s workstation to manage the printing process.

You can define this workstation-attached print device so that Windows 2008 Server will manage the print process instead. Here’s how:

1. Go to the user’s computer desktop and define a share for this print device, but limit access to the username of “JoePrinter.” This is a fabricated username you set up purely to manage this printer. See the following section, “Sharing Printer Access,” to find out how to define a share.
2. Mosey back over to the Windows Server 2008 computer.
3. Add a user named “JoePrinter” in Active Directory Users and Computers. (Choose Start➪Administrative Tools➪Active Directory Users and Computers.)
4. Choose Start➪Control Panel➪Printers to open the Printers applet.
5. Follow the same steps in the “Attaching print devices to servers” section earlier in this chapter, except for the following changes:
    • Click the Add Printer icon and choose the networked print device instead of the locally attached print device.
    • Let Windows search the network or choose The Printer I Want Isn’t Listed to manually specify a share name. Either type the share name or use the Browse option to select and choose the share name you gave the print device on the client’s desktop.
    • Give this print device a new share name that the rest of the users on the network will see.

Again, we don’t recommend that you use this method unless your organization is tight on money. It can cause aggravation for the user who has to share the print device with other people on the network and can disrupt that user’s work environment.
Sharing Printer Access

After you’ve installed a printer (software and a print device, that is) on your network (as we explain in the previous section), the next step is to create a share for it on the network. (See Chapter 12 for more details on Windows 2008 network shares.)
Until you share a print device, your users can’t see it on the network. To share a print device, do the following:

1. Open the Printers folder. (Choose Start➪Printers and Faxes.)
2. Right-click the print device you want to share and choose the Sharing option.
3. On the Sharing tab, choose the Share this Printer option and type a descriptive share name (for example, 2ndFlWest).
4. Unless you want to process print jobs locally on this computer, leave the Render Print Jobs on Client Computers option selected.
5. Click OK and you’re finished!

When you share a print device, it’s available to everyone on the network by default. You must specifically restrict groups or users from accessing the print device if that’s what you want. If you have MS-DOS-based clients on your network, make sure that your share names for print devices are only eight characters long.
Bringing Printers and Clients Together

The final step in setting up networked printing involves setting up the print devices on the client side. Fortunately, not much is required in this process. Everything you need is on the Windows Server 2008, the print server, or in the user’s Printers and Faxes folder on his or her desktop, depending on which client operating system is used.

If the client operating system is Windows XP, 2000, or NT, you need to only add the print device in the Printers and Faxes folder (Add Printer) and choose Networked Print Device. The reason is that the print device is attached to another computer somewhere on the network; it isn’t local to this workstation. For the port, use the Browse option and find the share name of the print device to which you want to print. That’s it!

If your clients have Windows 9x and are printing to a Windows Server 2008 (and you’ve installed the various client operating system drivers at the server), you simply add the print device in the Printers and Faxes folder (Add Printer) and select it as a networked print device. When you select the port as the share name of the networked print device, Windows Server 2008 automatically downloads the drivers.
Managing Windows 2008–Based Printers

You can view and manage your print servers, queues, and print devices (all of which are called printers in Microsoft-speak) from anywhere on the network, including your Windows Server 2008. From one location, you can view what’s going on with all the print devices on your network. The only thing you can’t do remotely is install hardware on the print device itself, such as memory or cables. But you knew that already!

The improved Print Management Console (PMC) that first appeared with Windows Server 2003 R2 is now enhanced to meet larger-scale network demands. PMC supports print server migration from Windows Server 2000/2003 to Windows Server 2008 installations and features an improved Network Printer Installation Wizard. The installation wizard reduces administrative overhead by automatically locating and — where applicable — deploying a compatible driver for hands-free automated setup.

The following list includes some issues to keep in mind as you manage print devices:

• Make sure you don’t run out of disk space on the server. If you set up spooling on your network, you must keep a close eye on the hard disk space that print servers consume. The spooling process involves sending files from the print user to the print server. Remember that the print server can also be your Windows Server 2008. In either case, if your network handles high-volume print activity, it’s possible to fill up a hard disk quickly with the spooling process. After files are spooled to the print server, they remain on the hard disk in the queue until an available print device is ready. If there’s a problem with the print device, jobs can back up quickly. Remember that queues take up space on the hard disk, so if the queues back up, more and more space is needed. Be careful that you don’t run low on disk space!

• Make sure your print devices have enough memory. When your users print graphics on the network, memory becomes an issue on the print devices. Large graphics files require more memory to print. You can find out how much memory is in a print device by performing a self test on the print device. Some organizations don’t have a large budget for adding extra memory to all networked print devices, so they select one or more in strategic locations and then define logical print device setups just for graphics output.
• Select the appropriate properties for print devices. You can access the print device’s Properties menu by right-clicking its icon in the Printers folder. (Figure 9-3 shows the various settings you can alter for any print device on your network.) We go through each of the tabs here to help you understand which print device properties you can change:
    • General tab: Here’s where you add information about the print device, such as comments, location, and whether to use a banner page. When defining a banner page, we recommend that you add some general comments about the print device and its location. In medium- to large-sized operations, adding a separator page so that print jobs may more easily be distinguished from each other is a good idea. The current print driver information is also found here. Change this only if you’re going to install a new driver.
    • Sharing tab: If you want users on the network to see this print device, you define the share name on this tab. (Remember to make it meaningful.) You can also tell Windows Server 2008 to allow this device to show up in the Directory. This is also where you tell Windows Server 2008 which client operating systems you have on your network and to which systems you want print drivers automatically downloaded.
    • Ports tab: This is where you tell the system to which port your print device is attached. If it’s a network-attached print device, you define it here using the Media Access Control (MAC) address; if it’s a Transmission Control Protocol/Internet Protocol (TCP/IP) print device, you define it here using the IP address.
    • Advanced tab: On this tab, you can schedule the print device’s availability, priority, and spooling options. For example, you may opt to have print jobs run at night for a print device.
    • Security tab: On the Security tab, you set up auditing of your print devices, which enables you to gather the information you’ll need if something goes wrong with a device. You may want to use the Security tab for charge-back purposes on a departmental basis (where you audit the usage and charge users or departments for that use) or limit this print device’s availability. You can also define who is allowed to manage this print device.
    • Device Settings tab: On this tab, you define specific properties of the print device, such as paper size, dots per inch, and paper bin.
    • Color Management tab: Adjust monitor or print device color-specific settings on this tab.
    • Cartridge Maintenance tab: On this tab, you can view left and right ink cartridge levels and use clickable options to install/change cartridges, clean print nozzles, align cartridges, and order supplies. This last option actually opens the default Web browser and points it to your print device manufacturer’s Web site. (This tab may not show up in every Properties window you examine; its presence or absence depends on your print device.)
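The disk-space warning in the list above is the one that bites quietly: a stalled print device leaves spool files sitting on the server until the volume fills. The following script is an added example (not code from the book) that sizes a spool directory, finds the oldest waiting job, and checks free space on the spool volume against a floor. The default path C:\Windows\System32\spool\PRINTERS is the usual Windows spool location and is an assumption here; make_sample_spool() builds a constructed demo folder so the check runs anywhere.

```python
"""Print-spool disk-space check (added example; not code from the book).

Sizes the spool directory, finds the oldest waiting job (a backed-up queue
shows up as an old file) and compares free space on the spool volume against
a threshold. The spool path is assumed to be the Windows default,
C:\\Windows\\System32\\spool\\PRINTERS; pass another path if it has been moved.
"""
import os
import shutil
import tempfile
import time

DEFAULT_SPOOL_DIR = r"C:\Windows\System32\spool\PRINTERS"  # assumed default location


def spool_report(spool_dir=DEFAULT_SPOOL_DIR, min_free_fraction=0.10,
                 max_job_age_seconds=3600, now=None):
    """Summarize the spool directory and flag the conditions the chapter warns about.

    Returns a dict: spool_bytes, job_count, oldest_job_age (seconds), free_fraction
    of the volume, and a list of warnings (empty when everything looks healthy).
    """
    now = time.time() if now is None else now
    spool_bytes = 0
    job_count = 0
    oldest_job_age = 0.0
    with os.scandir(spool_dir) as entries:
        for entry in entries:
            if not entry.is_file():
                continue
            info = entry.stat()
            spool_bytes += info.st_size
            job_count += 1
            oldest_job_age = max(oldest_job_age, now - info.st_mtime)

    usage = shutil.disk_usage(spool_dir)
    free_fraction = usage.free / usage.total

    warnings = []
    if free_fraction < min_free_fraction:
        warnings.append("free space on the spool volume is %.1f%%, below the %.0f%% floor"
                        % (free_fraction * 100, min_free_fraction * 100))
    if job_count and oldest_job_age > max_job_age_seconds:
        warnings.append("oldest spooled job has waited %d seconds; the queue may be backed up"
                        % oldest_job_age)
    return {
        "spool_bytes": spool_bytes,
        "job_count": job_count,
        "oldest_job_age": oldest_job_age,
        "free_fraction": free_fraction,
        "warnings": warnings,
    }


def make_sample_spool():
    """Create a constructed sample spool folder (demo data, not real print jobs).

    Two fake .SPL files: a fresh 1,000-byte job and a 2,000-byte job that has sat
    for two hours, which is what a backed-up queue looks like on disk. Returns the
    folder path and the reference time used for the job ages.
    """
    now = time.time()
    path = tempfile.mkdtemp(prefix="spool-demo-")
    fresh = os.path.join(path, "00001.SPL")
    stale = os.path.join(path, "00002.SPL")
    with open(fresh, "wb") as handle:
        handle.write(b"\0" * 1000)
    with open(stale, "wb") as handle:
        handle.write(b"\0" * 2000)
    os.utime(stale, (now - 7200, now - 7200))
    return path, now


if __name__ == "__main__":
    sample_dir, sample_now = make_sample_spool()
    print(spool_report(sample_dir, now=sample_now))
```

Run it from a scheduled task against the real spool folder and alert on a non-empty warnings list; the job-age check catches a stuck device well before the free-space check does.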
Figure 9-3: Print device Properties tabs in the Printers folder.
Preventing Printer Problems

Printing problems on a network can wreak havoc. Here are a few pointers to help you head off this type of trouble. If you do experience problems, see Chapter 20 for some troubleshooting help.

• Purchase Windows Server Catalog compatible devices. Purchase only network print devices listed in the Hardware Catalog for Windows Server 2008. Otherwise, you may spend hours trying to get a print device to work on the network — only to find that the device isn’t compatible. And always remember to check Microsoft’s site for the latest version of the Windows Server Catalog; you can find it at www.windowsservercatalog.com.

• Get the latest print device drivers. Be sure to obtain the latest print device driver associated with each print device on your network. Windows Server 2008 does its best to install print device drivers by itself where applicable, which may come from dated archives, online updates, or install media. Newer drivers often correct bugs found in older drivers. If you use an older driver, you may sometimes end up troubleshooting a known bug that has already been corrected in a newer driver.
• Purchase a name brand. We hope that your organization can afford to purchase name-brand print devices, such as Hewlett-Packard or Lexmark, for your network. We find that the biggest printing problems on networks stem from cheaper models. Even if you’re able to hook these cheaper devices up, it may take so long to get all the pieces working that investing in brand-name print devices would be more cost effective.

• Purchase from one manufacturer. We like to stick with one type (brand name) of print device where possible. Notice we said brand and not model. We realize that some organizations need to print in both black and white and color. If you can purchase all your print devices from one manufacturer (for example, Hewlett-Packard), your life and your users’ lives will be easier. If you have all Hewlett-Packard laser print devices on your network, don’t buy another manufacturer’s laser print device just because it’s on sale that day at your local computer superstore. You can save time by working with one vendor and its equipment and drivers instead of having to hunt all over the Internet for various manufacturers’ Web sites. Allow your users to become familiar with the one brand, and they won’t have to learn how to use new equipment all the time.

• Buy enough memory. The influx of graphics software has upped memory usage in print devices to produce image-laden output. Don’t wait until print jobs start fouling up before adding memory. If your budget is too low to do this up front, find a local vendor that stocks memory for your printers and keep their telephone number handy.
Faxing the Windows Server 2008 Way

Windows Server 2008, like Windows Server 2003 and Windows XP, includes native fax and scan support. This means you can now send and receive faxes using your computer without third-party software. The combined capabilities of Windows Server 2008 faxing and scanning are now controlled through (you might’ve guessed) the Windows Fax and Scan applet. Windows Fax and Scan enables you to perform and manage all faxing or scanning tasks and documents from a central location.

The new Windows Fax and Scan interface (shown in Figure 9-4) closely resembles Microsoft’s Outlook interface — not coincidentally. Historically, Outlook stores calendar entries, contact entries, and e-mail messages; presently, the next-generation Exchange Server and Outlook client software utilize more expansive roles that encompass and accommodate many other types of information.
Figure 9-4: Windows Server 2008 Fax and Scan application.
For example, Unified Messaging in Exchange Server stores mailboxes, public folders, voice messages, and faxed documents in a central repository for clients. Windows Fax and Scan provides a limited scope of capability that interfaces with Exchange Server Unified Messaging.
Enabling faxing

Faxing isn’t enabled by default. First, you must have a fax modem already installed and properly configured. (That means the driver is installed and things are working properly.) Next, follow these steps to enable faxing:

1. Open the Windows Fax and Scan applet from the Start menu or Control Panel, and choose File➪New Fax. The Fax Setup Wizard launches.
2. When the wizard asks whether you want to connect to a fax modem or fax server on the network, click OK. The wizard installs the necessary components for faxing. After a few moments, you’re returned to the Windows Fax and Scan applet.
3. Follow the setup wizard’s instructions to define the fax device name and location and decide how to receive faxes or incoming calls.
Sending faxes

Faxing is like printing, but instead of sending the document’s print job to a physical print device where the results are on paper, the print job is digitized and sent over the phone line to a receiving fax device (which can be a traditional fax machine or a fax-enabled computer). Other than needing to provide a phone number and the occasional cover sheet, faxing a document is just like printing a document. To send a fax, just select the New Fax option from the File menu of Windows Fax and Scan, begin formatting or typing your message, and then click Send.

The first time you attempt to send a fax, the Fax Configuration Wizard is launched. This wizard is used to define information about your fax system, such as the phone number, area code, and sender information. Windows Fax and Scan is used to track and manage incoming and outgoing faxes, in much the same way as you might manage e-mail in Outlook. If you want to change your sender information, choose Tools➪Sender Information from the Windows Fax and Scan console.

To receive faxes, you have to enable incoming faxes and set the Answer After Rings control. Keep in mind that you can have only one answering service per modem device. So, if you need a telecommuter to call in to connect to your system, don’t set up that modem to wait for faxes. The device that is waiting for incoming faxes can still be used to send faxes or even for normal dial-out connections.

If you find that you need more help with the fax capabilities of Windows 2008, check out the help file and the Windows Server 2008 Resource Kit.
Chapter 10

IP Addressing: Zero to Insane in Two Seconds Flat

In This Chapter
• Working with TCP/IP and NetBIOS names
• Understanding IP addressing, nets, and subnets
• Obtaining Internet-ready IP addresses
• Using private IP addresses
• Using proxy servers and address translation
• Working with DHCP
• Dealing with problems
The Transmission Control Protocol/Internet Protocol (TCP/IP) drives the Internet and makes it accessible around the world. However, TCP/IP is a lot more than just a collection of protocols: Many elements in TCP/IP marry protocols to related services to provide complete capabilities. Important examples include dynamic address allocation and management, known as the Dynamic Host Configuration Protocol (DHCP), plus domain name to address resolution services, known as the Domain Name Service (DNS). In this chapter, you find out about TCP/IP names, addresses, and related standard services, as well as other related services hosted in Windows Server 2008.
Resolving a Name: TCP/IP and NetBIOS

Whenever you issue a command in Windows Server 2008, you’re expected to use the proper syntax. Otherwise, your efforts may not produce the desired results. For example, when you issue a net use command from a command prompt, you must enter the server name and a share name, as well as the drive to which you want to map. Therefore, a simple command such as

net use G: \\ORWELL\APPS

associates the drive letter G with a share named APPS on the ORWELL server. If you use the TCP/IP protocol to convey the data involved, the protocol doesn’t know how to interpret the name ORWELL as a server. Instead, it understands Internet Protocol (IP) addresses, such as 172.16.1.7. If you use TCP/IP on your network, you need some way to convert IP addresses into names and vice versa. Just as the United Nations requires translators so that everyone can communicate, so too does Windows Server 2008, which is why understanding naming conventions and name-to-address resolution are such an important part of working with TCP/IP on Windows Server 2008.
NetBIOS names

If you’re like most folks, you freeze like a deer in the headlights when you hear the word NetBIOS. Don’t worry. Only a small number of people really understand NetBIOS in detail, and figuring out what you need to know is easy.

A NetBIOS name is often called a computer name. When you install Windows Server 2008 on a network, each computer that runs Windows requires a unique computer name. This allows all NetBIOS-based utilities to identify each machine by name. When you enter a command that includes a computer name, Windows 2008 knows which computer you’re talking about. If you try to give two devices the same name, you run into trouble — like trying to use the same Social Security number for two people. Each time a computer joins the network, it registers its name with a browser service that keeps track of such things. When the second computer with the same name tries to register, it’s rejected because that name is already taken. In fact, that machine will be unable to join the network until its name is changed to something unique.

When creating NetBIOS names, you need to work within some limitations, which are as follows:

• NetBIOS names must be between 1 and 15 characters long.

• NetBIOS names may not contain any of the characters shown in the following list:

    "    double quotation mark
    /    right slash
    \    left slash
    [    left square bracket
    ]    right square bracket
    :    colon
    ;    semicolon
    |    vertical slash
    =    equal sign
    +    plus sign
    *    asterisk
    ?    question mark
    <    left angle bracket
    >    right angle bracket

  In addition, dollar signs aren’t recommended because they have a special meaning. (A NetBIOS name that ends in $ doesn’t appear in a browse list.)

• Don’t use lengthy names or put spaces in names. Windows Server 2008 doesn’t care if you use longer names or include embedded spaces, but other networking clients or systems may not be able to handle them.

• Choose names that make sense to users and are short and to the point. Don’t name machines after users or locations, especially if users come and go regularly or if machines move around a lot. When it comes to servers, name them to indicate their organizational role or affiliation (for example, Sales, Accounting, or Engineering).

What’s in a NetBIOS name, you ask? A NetBIOS name should provide a short, clear indication of what’s being named so users can recognize what they see. At best, this type of naming convention makes sense without further explanation. At the least, you can do what we do and put a sticker with the machine’s name on each monitor or computer case for identification. You can view a list of your network’s NetBIOS names by expanding the My Network Places section of Windows Explorer. See Figure 10-1 for a sample list of NetBIOS names taken from our network (such as Hush and Pentium_m).
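The rules just listed are easy to check before a machine is built rather than after it fails to join. The script below is an added example, not code from the book: it turns the length limit and the disallowed-character list into a checker, treats spaces and a trailing $ as advice-level warnings (the chapter calls them not recommended rather than forbidden), and mimics the browser service's refusal of a duplicate name with an in-memory set, which is a stand-in assumed here for demonstration. NetBIOS names are case-insensitive, so the registry stores them upper-cased.

```python
"""NetBIOS computer-name checks (added example; not code from the book).

check_netbios_name() applies the chapter's rules: 1 to 15 characters, none of
the listed disallowed characters, and warnings for spaces and a trailing $
(which hides the name from browse lists). register_name() imitates the browser
service described in the chapter: a second machine with an already-registered
name is refused. The registry is just an in-memory set standing in for the
real service.
"""

# The characters the chapter lists as not allowed in a NetBIOS name.
DISALLOWED_CHARS = set('"/\\[]:;|=+*?<>')


def check_netbios_name(name):
    """Return (errors, warnings): errors make the name unusable, warnings are advice."""
    errors = []
    warnings = []
    if not 1 <= len(name) <= 15:
        errors.append("length is %d; must be between 1 and 15 characters" % len(name))
    bad = sorted(c for c in set(name) if c in DISALLOWED_CHARS)
    if bad:
        errors.append("contains disallowed characters: " + " ".join(bad))
    if " " in name:
        warnings.append("contains a space; other clients or systems may not handle it")
    if name.endswith("$"):
        warnings.append("ends with $, so it will not appear in browse lists")
    return errors, warnings


def is_usable_name(name):
    """True when the name breaks none of the hard rules (warnings are allowed)."""
    errors, _ = check_netbios_name(name)
    return not errors


def register_name(registry, name):
    """Register a name with the stand-in browser service, refusing duplicates.

    NetBIOS names are case-insensitive, so the registry keeps them upper-cased.
    Returns (accepted, reason).
    """
    errors, _ = check_netbios_name(name)
    if errors:
        return False, "; ".join(errors)
    key = name.upper()
    if key in registry:
        return False, "name %s is already registered on the network" % name
    registry.add(key)
    return True, "registered"


if __name__ == "__main__":
    network = set()  # constructed stand-in for the browser service's name list
    for candidate in ("Hush", "Pentium_m", "hush", "ENG/1", "PRINT$"):
        print(candidate, register_name(network, candidate), check_netbios_name(candidate))
```

Names from the chapter's own figure (Hush, Pentium_m) register cleanly; re-registering hush in a different case is refused, which is exactly the situation the chapter describes for a second machine with a duplicate name.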
Figure 10-1: NetBIOS computer names on our network.
TCP/IP names and addresses

TCP/IP uses a different naming scheme than NetBIOS does. TCP/IP uses 32-bit numbers to construct IP addresses (for example, 172.16.1.11). Each host or node on a TCP/IP network must have a unique IP address. IP addresses aren’t meaningful to most humans and are difficult to remember. Therefore, it’s helpful to have some way to convert IP addresses to meaningful names. On a Windows Server 2008 network, you use computer names (also known as NetBIOS names). The Internet community uses a different naming convention called domain names. Translation methods, such as Windows Internet Name Service (WINS) and Domain Name Service (DNS), maintain databases to convert IP addresses to computer names (WINS) or domain names (DNS).

If you’ve ever used a Web browser on the Internet, you know that you can type a Uniform Resource Locator (URL), such as www.wiley.com, or an IP address, such as 208.215.179.146, to obtain access to a Web page. You can do so because the Internet uses DNS to resolve IP addresses to domain names and vice versa. If you type an IP address, the Web browser jumps straight to that address; if you type a domain name, your request goes through a DNS server that resolves the name to an IP address, and then the browser jumps to that address.

In the IP world, the naming scheme you can use is limited if you plan to connect your network directly to the Internet. VeriSign (www.verisign.com) is one of many domain name registrars in charge of approving and maintaining a database of legal Internet top-level domain names. You can request any domain name you want, but if someone else is using it or has a legitimate claim to a trade or brand name, you won’t be able to use it. For example, you probably won’t be able to use mcdonalds.com or cocacola.com as domain names. In fact, if someone else has already registered xyzcorp.com, you wouldn’t be able to use that name, even if your company is named XYZ Corporation.
The format for a typical IP name is host.domainname.suffix. The domain name is something you can’t guarantee, but typically represents your organization. The suffix, called a top-level domain, sometimes identifies the country of origin (for example, .ca is Canada and .de is Germany) or the type of organization (.gov is government, .edu is education, .com is a commercial business, .org is a nonprofit organization, and so forth). Some domain names are more complex; they can take a form such as host.subdomain.domainname.suffix, as in jello.eng.sun.com, where the host name is jello, the subdomain is eng (for engineering), and the domain name is sun (the domain name for Sun Microsystems, Inc.), which is a commercial (.com) entity. The only parts of the name under control of the various Internet domain name registrars (such as VeriSign and other companies and organizations identified at www.norid.no/domenenavnbaser/domreg.en.html) are the domain name and the suffix — every domain name must be unique in its entirety to be properly recognized. Names that include the host part, the domain name, and the suffix (plus any other subdomain information that may apply) are called Fully Qualified Domain Names (FQDNs). To be valid, any FQDN must have a corresponding entry in some DNS server’s database that allows it to be translated into a unique numeric IP address. For example, the Web server for this book’s publisher is named www.wiley.com, which resolves into an IP address of 208.215.179.146.

As long as you’re completely isolated from the Internet and intend to stay that way, you can assign any names and IP addresses you like on your network. If you ever connect your network to the Internet, however, you’ll have to go back and change everything! If your network will be — or simply might ever be — connected to the Internet, you have one of two options for assigning addresses:

• You can obtain and install valid public IP addresses and domain names. Your Internet Service Provider (ISP) can provide these for you. When you obtain a range of IP addresses for your network — remember, each computer needs its own unique address, and some computers or devices need multiple addresses (one for each interface) — make sure you get enough to leave some room for growth.

• You can (and should) obtain a valid domain name from VeriSign or another domain name registrar, but you can use any of a range of reserved IP addresses, called private IP addresses, to number your networks. These addresses may not be used directly on the Internet; they’ve been set aside for private use. When used in concert with a type of software called Network Address Translation (or NAT for short), this approach requires you to obtain only a small number of public IP addresses but still allows Internet access for every computer on your network. This topic is discussed in more detail later in this chapter in the section “Address translation: The new magic.”

To find out more about the process of obtaining a domain name, visit VeriSign’s Web site at www.verisign.com. The form for researching domain names (determining whether a FQDN is already in use) and registering domain names (applying for a new FQDN) is on the main page. You’ll find details on name registration services as well as on directory and database services that support the Internet’s distributed collection of DNS servers.
Part II: Servers, Start Your Engines
Calling Everything a Node

A unique numeric identification tag, called an IP address, is assigned to each interface on a TCP/IP network. Every IP address in a TCP/IP network must be unique. Each device on a TCP/IP network is known as a host. Each host has at least one network interface with an assigned IP address. However, a host can have multiple network interface cards (NICs), and even multiple IP addresses assigned to each NIC.
To network ID or host ID? That is the question

An IP address consists of two components:

• Network ID: Identifies the network segment to which the host belongs.

• Host ID: Identifies an individual host on some specific network segment.

A host can communicate directly only with other hosts on the same network segment. A network segment, or subnet, is a logical division of a network that carries its own unique numeric network ID. A host must use a router to communicate with hosts on other subnets. A router moves packets from one subnet to another. In addition, a router reads the network ID for a packet's destination address and determines whether that packet should remain on the current subnet or be routed to a different subnet. When a router delivers a packet to the correct subnet, the router then uses the host ID portion of the destination address to deliver the packet to its final destination.

A typical IP address looks like 207.46.249.222. (This example address matched the domain name www.microsoft.com at the time of writing.) This numeric IP address format is known as dotted-decimal notation. However, computers see IP addresses as binary numbers. This same IP address in binary form is 11001111 00101110 11111001 11011110 and is written in collections of eight bits called octets. Each octet is converted to a decimal number and then separated by periods to form the dotted-decimal notation format shown at the beginning of this paragraph.
The dotted-decimal version of IP addresses is more human-friendly than the binary version. As you may already know, domain names and NetBIOS names are even more friendly because they use symbolic names that make sense to humans.

An IP address requires 32 binary digits and defines a 32-bit address space that supports nearly 4.3 billion unique addresses. Although this seems like a lot of addresses, the number of available IP addresses is quickly dwindling. Consequently, several plans exist to expand or change the IP addressing scheme to make many more addresses available. For more information on such plans, search for IPng Transition in your favorite search engine.

IP designers carved the entire galaxy of IP addresses into classes to meet different addressing needs. Today, there are five IP address classes labeled by the letters A through E. Classes A, B, and C are assigned to organizations to allow their networks to connect to the Internet, and Classes D (multicast) and E (experimental) are reserved for special uses. The first three classes of addresses differ by how their network IDs are defined:

• Class A addresses use the first octet for the network ID.

• Class B addresses use the first two octets.

• Class C addresses use the first three octets.

Class A addresses support a relatively small number of networks, each with a huge number of possible hosts. Class C addresses support a large number of networks, each with a relatively small number of hosts, as shown in Table 10-1. (Class B falls in the middle.) Therefore, branches of the military, government agencies, and large corporations are likely to need Class A addresses; medium-sized organizations and companies need Class B addresses; and small companies and organizations need Class C addresses.
Table 10-1   Address Classes and Corresponding Network and Host IDs

Class     High-Order Bits   First Octet Range   # Networks   # Hosts
Class A   0xxxxxxx          1–126.x.y.z         126          16,777,214
Class B   10xxxxxx          128–191.x.y.z       16,384       65,534
Class C   110xxxxx          192–223.x.y.z       2,097,152    254
When it comes to recognizing address Classes A through C, the network ID for Class A addresses always starts its first octet with a 0. Each Class B network ID always starts with 10, and Class C network IDs always start with 110.
Consequently, you can determine address classes by examining an address, either in binary or decimal form. (See Tables 10-1 and 10-2.)
Table 10-2   Division of IP Address Component Octets According to Class

Class   IP Address     Network ID    Host ID
A       10.1.1.10      10            1.1.10
B       172.16.1.10    172.16        1.10
C       192.168.1.10   192.168.1     10
Network ID 127 is missing from Table 10-1 because the whole 127.0.0.0/8 block is reserved for loopback. Loopback addresses (127.0.0.1 is the one everybody uses) are used when testing IP transmission: packets sent to them never leave the host, so they let you exercise the TCP/IP stack without touching the network. Network ID 0 is reserved as well, which is why the Class A range starts at 1.
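Here is the classification logic of Tables 10-1 and 10-2 written out as PowerShell, as an added example that is not part of the book: it converts an address to the binary form the text describes, reads the class off the high-order bits of the first octet, and splits the address into network ID and host ID. The function names and the sample addresses are our own; nothing here is a Windows built-in.

```powershell
# Added example, not from the book: classify an IPv4 address the way Tables
# 10-1 and 10-2 do. Function names and the sample addresses are our own.

function ConvertTo-BinaryOctets {
    param([string]$Address)
    $octets = $Address.Split('.')
    if ($octets.Count -ne 4) { throw "Not a dotted-decimal IPv4 address: $Address" }
    $bits = @()
    foreach ($o in $octets) {
        $n = [int]$o
        if ($n -lt 0 -or $n -gt 255) { throw "Octet out of range in $Address" }
        $bits += [Convert]::ToString($n, 2).PadLeft(8, '0')   # eight bits per octet
    }
    return ($bits -join ' ')
}

function Get-IPv4ClassInfo {
    param([string]$Address)
    $binary = ConvertTo-BinaryOctets $Address            # also validates the address
    $octets = $Address.Split('.') | ForEach-Object { [int]$_ }
    $first  = $octets[0]
    # The class is fixed by the high-order bits of the first octet (Table 10-1);
    # $netOctets is how many octets make up the network ID (Table 10-2).
    if     ($first -eq 0)   { $class = 'Reserved (0.0.0.0/8)';   $netOctets = 0 }
    elseif ($first -eq 127) { $class = 'Loopback (127.0.0.0/8)'; $netOctets = 1 }
    elseif ($first -lt 128) { $class = 'A'; $netOctets = 1 }   # 0xxxxxxx
    elseif ($first -lt 192) { $class = 'B'; $netOctets = 2 }   # 10xxxxxx
    elseif ($first -lt 224) { $class = 'C'; $netOctets = 3 }   # 110xxxxx
    elseif ($first -lt 240) { $class = 'D (multicast)';    $netOctets = 0 }   # 1110xxxx
    else                    { $class = 'E (experimental)'; $netOctets = 0 }   # 1111xxxx

    if ($netOctets -gt 0) {
        $networkId = $octets[0..($netOctets - 1)] -join '.'
        $hostId    = $octets[$netOctets..3] -join '.'
        $mask      = (@('255') * $netOctets + @('0') * (4 - $netOctets)) -join '.'
        $maxHosts  = [math]::Pow(2, 8 * (4 - $netOctets)) - 2   # minus network and broadcast
    } else {
        $networkId = 'n/a'; $hostId = 'n/a'; $mask = 'n/a'; $maxHosts = 0
    }
    New-Object PSObject -Property @{
        Address   = $Address
        Binary    = $binary
        Class     = $class
        NetworkId = $networkId
        HostId    = $hostId
        Mask      = $mask
        MaxHosts  = $maxHosts
    }
}

# Constructed sample: the three Table 10-2 addresses, the book's Microsoft
# address, a loopback address and a multicast address.
'10.1.1.10', '172.16.1.10', '192.168.1.10', '207.46.249.222', '127.0.0.1', '224.0.0.5' |
    ForEach-Object { Get-IPv4ClassInfo $_ } |
    Format-Table Address, Class, NetworkId, HostId, Mask, MaxHosts, Binary -AutoSize
```

Run it in a PowerShell window; the three Table 10-2 addresses come back with exactly the network/host split the table shows, and 207.46.249.222 shows the binary string quoted in the text.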
Subnetting: Quiet time for IP addresses

Subnets represent divisions of a single TCP/IP network address into logical subsets. The motivation for subnetting is twofold:

• It reduces overall traffic on any network segment by collecting systems that communicate often into groups.

• It makes it easier for networks to grow and expand, and adds an extra layer of security control, because traffic between subnets has to pass through a router where it can be filtered.

Subnets work by "stealing" bits from the host part of an IP address and using those bits to divide a single IP network address into two or more subnetworks, usually called subnets; hence the term in the preceding heading. Network administrators typically use subnet masks to divide IP address blocks into smaller subnetworks. A subnet mask is a special bit pattern that takes over part of the host ID portion of an IP address and permits a larger network to be subdivided into two or more subnetworks, each with its own unique network address. The base subnet masks for Classes A, B, and C networks are 255.0.0.0, 255.255.0.0, and 255.255.255.0, respectively. You can create additional subnet masks by adding extra bits set to 1 in the space occupied by the 0 that appears next to the rightmost 255 in any such number. This transformation is illustrated in Table 10-3, which shows some typical values for usable subnet masks.
Table 10-3   Subnet Masks and Results

Binary Mask   Decimal Equivalent (Class A / B / C)              Number of New Subnets   Number of Hosts (Class A / B / C)
00000000      255.0.0.0 / 255.255.0.0 / 255.255.255.0           1                       16,777,214 / 65,534 / 254
10000000      255.128.0.0 / 255.255.128.0 / 255.255.255.128     Not valid               Not valid
11000000      255.192.0.0 / 255.255.192.0 / 255.255.255.192     2                       4,194,302 / 16,382 / 62
11100000      255.224.0.0 / 255.255.224.0 / 255.255.255.224     6                       2,097,150 / 8,190 / 30
11110000      255.240.0.0 / 255.255.240.0 / 255.255.255.240     14                      1,048,574 / 4,094 / 14
11111000      255.248.0.0 / 255.255.248.0 / 255.255.255.248     30                      524,286 / 2,046 / 6
11111100      255.252.0.0 / 255.255.252.0 / 255.255.255.252     62                      262,142 / 1,022 / 2
11111110      255.254.0.0 / 255.255.254.0 / 255.255.255.254     126                     131,070 / 510 / Not valid

The binary mask column shows the octet in which the borrowed bits live (the first octet after the class's default mask). Table 10-3 follows the original subnetting rules of RFC 950, which treated the all-zeros and all-ones subnets as unusable; that is why a single borrowed bit is shown as "Not valid" and every subnet count is two less than a power of two. Modern routers and Windows follow RFC 1878 and use all of the subnets a mask produces, so 255.255.255.128 on a Class C network really gives you two subnets of 126 hosts each, and RFC 3021 permits 255.255.255.254 on point-to-point links. The host counts, which exclude each subnet's network and broadcast addresses, are the same under either set of rules.
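The following PowerShell is an added worked example, not code from the book: it takes a network, its class mask and a subnet mask, reports how many bits were borrowed, and lists every subnet with its first host, last host and broadcast address, reproducing the Table 10-3 figures. It prints both the classic RFC 950 subnet count that the table uses and the modern RFC 1878 count. Function names are our own, and the sample network 192.168.1.0 is an assumption.

```powershell
# Added example, not from the book: enumerate the subnets a mask carves out of
# a network, reproducing the Table 10-3 figures. Function names are our own.

function ConvertTo-Int64IP {
    param([string]$Dotted)
    $b = $Dotted.Split('.') | ForEach-Object { [int64]$_ }
    return $b[0] * 16777216 + $b[1] * 65536 + $b[2] * 256 + $b[3]
}

function ConvertFrom-Int64IP {
    param([int64]$Value)
    $parts = @()
    foreach ($div in 16777216, 65536, 256, 1) { $parts += [int64][math]::Floor($Value / $div) % 256 }
    return ($parts -join '.')
}

function Get-PrefixLength {
    # Count the leading 1 bits of a mask; reject non-contiguous masks such as 255.0.255.0
    param([string]$Mask)
    $v = ConvertTo-Int64IP $Mask
    $ones = 0
    for ($i = 31; $i -ge 0; $i--) {
        if (([int64][math]::Floor($v / [math]::Pow(2, $i)) % 2) -eq 1) { $ones++ } else { break }
    }
    if ($v -ne (4294967296 - [math]::Pow(2, 32 - $ones))) { throw "$Mask is not a contiguous mask" }
    return $ones
}

function Get-SubnetTable {
    param([string]$Network, [string]$ClassMask, [string]$SubnetMask)
    $base = Get-PrefixLength $ClassMask
    $pfx  = Get-PrefixLength $SubnetMask
    if ($pfx -le $base) { throw 'The subnet mask must borrow at least one host bit' }
    $borrowed = $pfx - $base
    $hostBits = 32 - $pfx
    $count    = [int64][math]::Pow(2, $borrowed)        # subnets, RFC 1878 (modern) count
    $classic  = [math]::Max($count - 2, 0)              # subnets, RFC 950 count used by Table 10-3
    $size     = [int64][math]::Pow(2, $hostBits)        # addresses per subnet
    $hosts    = $size - 2                               # minus network and broadcast
    if ($hostBits -lt 2) { $hosts = 0 }                 # /31 and /32: no classic host range
    $blockSize = [int64][math]::Pow(2, 32 - $base)
    $net = [int64][math]::Floor((ConvertTo-Int64IP $Network) / $blockSize) * $blockSize

    Write-Host ("{0}/{1} with mask {2} (/{3}): {4} bits borrowed, {5} subnets (classic count {6}), {7} hosts each" -f `
        $Network, $base, $SubnetMask, $pfx, $count, $classic, $hosts)
    for ($i = 0; $i -lt $count; $i++) {
        $start = $net + $i * $size
        $first = 'n/a'; $last = 'n/a'
        if ($hosts -gt 0) {
            $first = ConvertFrom-Int64IP ($start + 1)
            $last  = ConvertFrom-Int64IP ($start + $size - 2)
        }
        New-Object PSObject -Property @{
            Subnet    = (ConvertFrom-Int64IP $start) + '/' + $pfx
            FirstHost = $first
            LastHost  = $last
            Broadcast = ConvertFrom-Int64IP ($start + $size - 1)
            ClassicOK = ($i -ne 0 -and $i -ne ($count - 1))   # RFC 950 dropped subnet zero and the all-ones subnet
        }
    }
}

# Table 10-3, Class C row for 255.255.255.192: two bits borrowed, 62 hosts per subnet,
# four subnets in modern terms and two under the classic rules.
Get-SubnetTable -Network 192.168.1.0 -ClassMask 255.255.255.0 -SubnetMask 255.255.255.192 |
    Format-Table Subnet, FirstHost, LastHost, Broadcast, ClassicOK -AutoSize
```

Feed it 255.255.255.128 on the same network and you get the two /25 subnets of 126 hosts that Table 10-3 marks "Not valid"; the ClassicOK column shows why the older rules rejected them.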
What about IPv6?

Those who know a little bit about TCP/IP already are also likely to know it comes in two flavors. The current, predominant flavor (the one we describe at length in this very chapter) is called IPv4. It features 32-bit addresses broken into four 8-bit octets. There's a newer version of IP around, however. It's known as IPv6 and features 128-bit addresses (16 octets, normally written as eight groups of four hexadecimal digits separated by colons rather than in dotted-decimal form). In addition to a much bigger address space, IPv6 features built-in IPsec support, multiple automatic addressing schemes, improved routing, and much more. But it's seldom used on small networks, and despite a U.S. government mandate to switch over to IPv6 addressing in June 2008, that event looks increasingly unlikely as the date looms ever closer. Because it's very rarely used on small networks, we don't cover IPv6 in this book. One thing you should know even so: Windows Server 2008 installs and enables IPv6 on every interface by default, so each server has IPv6 link-local addresses whether or not you ever configure it, and firewall rules and monitoring should take that into account. Those readers who want to learn more, and work with IPv6 on Windows Server, should check out the TechNet IPv6 clearinghouse at technet.microsoft.com/en-us/network/bb530961.aspx.
Because routers are required to communicate across IP subnets, a router’s IP address on each subnet must be known to every client on that subnet. This address is called the default gateway because it’s where all out-of-subnet transmissions are directed by default. (It’s the gateway to the world outside each local subnet.) If no default gateway is defined, clients can’t communicate outside their subnets.
Hanging your shingle: Obtaining IP addresses

Deploying your own network or using a stand-alone system with Network Address Translation (NAT) to connect to the Internet requires that you obtain one or more valid IP addresses. For some uses, you may simply contract with an ISP to use a dial-up connection. Each time you connect, you're assigned an IP address automatically from a pool of available addresses. After you disconnect from the ISP, that IP address is returned to the pool for reuse. This works equally well for stand-alone machines and for the servers that might dial into an ISP to provide an on-demand connection for users who have private IP addresses but can attach to the Internet using NAT software.

One way to attach an entire network to the Internet is to lease a block, or subnet, of IP addresses from an ISP. However, leasing IP addresses can be expensive and can limit your growth. Also, many ISPs can no longer lease large blocks of IP addresses, so you may have to limit Internet access to specific machines or subnets. For more information about taking this approach, you must contact your ISP to find out what it offers by way of available addresses and contiguous subnets.

For some uses, public IP addresses are required because security needs dictate a true end-to-end connection between clients and servers across the Internet. In plain English, true end-to-end connection means that the IP address that a client advertises to the Internet is the same one it uses in reality. In the next section, you discover an alternate approach where an IP address advertised to the Internet is different from the private IP address that a client uses on its home subnet. For some applications, network address translation may not work: IPsec (IP Security) is the classic case, because its Authentication Header covers the IP header that NAT rewrites, and its ESP mode needs NAT traversal (UDP encapsulation, RFC 3948) on both ends. Any application protocol that carries IP addresses inside its payload has the same problem. SSL/TLS, by contrast, passes through NAT without trouble. Make sure you understand your application requirements in detail before you decide whether to lease public IP addresses or use private IP addresses with network address translation.
Address translation: The new magic If you don’t want to pay to lease a range of IP addresses and your application requirements allow you to use private IP addresses, you can employ IP addresses reserved for private use in RFC 1918 on your networks. When used with network address translation software to connect to an ISP, a single public IP address (or one for each Internet connection) is all you need to service an entire network.
Routers move packets among subnets and networks

Only routers can transfer packets from one subnet to another, or from one network ID to another, in the TCP/IP world. Routers are specialized, high-end, high-speed devices from companies such as Cisco Systems or Extreme Networks. However, any computer with two or more NICs installed (where each NIC resides on a different subnet) can act as a router, provided that the computer can forward packets from one NIC to another (and thus, from one subnet to another). Right out of the box, in fact, Windows Server 2008 includes software and built-in capabilities to work as a router: the Routing and Remote Access Services role service. Computer nerds like to call such machines multi-homed computers because the machines are "at home" on two or more subnets. Keep in mind that a multi-homed server that forwards packets is a router in every sense, including the security sense: if it sits between a trusted and an untrusted network, it needs filtering rules just as a dedicated router would.
RFC 1918 (which you can find at www.faqs.org/rfcs/rfc1918.html) defines special IP addresses for use on private intranets. These addresses, which appear in Table 10-4, cannot be routed on the Internet. This provides a fringe benefit: an outsider can't reach one of your private addresses directly, because replies to anything sent from such an address have nowhere to go on the Internet. Don't mistake that for a security control, though. A packet with a forged private source address can still arrive on your Internet-facing interface, so your border router or firewall should drop inbound traffic whose source address falls in any RFC 1918 range (ingress filtering, described in BCP 38 / RFC 2827), and you should never rely on "it's a private address" to decide whether a packet is trustworthy. Because all of these addresses are up for grabs, you can use the address class that makes sense for your organization. (And for Class B and Class C addresses, you can use as many as you need within the legal range of such addresses.)
Table 10-4   Private IP Address Ranges from RFC 1918

Class   Address Range                   # Networks
A       10.0.0.0–10.255.255.255         1
B       172.16.0.0–172.31.255.255       16
C       192.168.0.0–192.168.255.255     256

(RFC 1918 describes the last block as 256 contiguous Class C networks, 192.168.0.0 through 192.168.255.0; all of them are usable.)
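As an added example (not code from the book), the PowerShell below classifies addresses against the Table 10-4 ranges and the other blocks that must never show up as a source address on traffic arriving from the Internet; it is the check a border filter performs. The containment test is an ordinary CIDR match, so it also handles the one range in the table that does not fall on an octet boundary, 172.16.0.0/12. Function names and the sample addresses are our own.

```powershell
# Added example, not from the book: a CIDR containment check used to classify
# addresses against the RFC 1918 ranges of Table 10-4 and the other ranges
# that must never appear as a source on Internet-facing traffic.

function ConvertTo-Int64IP {
    param([string]$Dotted)
    $b = $Dotted.Split('.') | ForEach-Object { [int64]$_ }
    return $b[0] * 16777216 + $b[1] * 65536 + $b[2] * 256 + $b[3]
}

function Test-InCidr {
    # True when $Address lies inside $Cidr (for example 172.16.0.0/12)
    param([string]$Address, [string]$Cidr)
    $prefixAddr, $prefixLen = $Cidr.Split('/')
    $block = [int64][math]::Pow(2, 32 - [int]$prefixLen)     # addresses in the block
    $start = [int64][math]::Floor((ConvertTo-Int64IP $prefixAddr) / $block) * $block
    $a     = ConvertTo-Int64IP $Address
    return ($a -ge $start -and $a -lt ($start + $block))
}

# Ranges that should never appear as a source on the Internet-facing interface
$NeverFromInternet = @(
    @{ Cidr = '10.0.0.0/8';     Why = 'RFC 1918 private (Class A block)' },
    @{ Cidr = '172.16.0.0/12';  Why = 'RFC 1918 private (16 Class B networks)' },
    @{ Cidr = '192.168.0.0/16'; Why = 'RFC 1918 private (256 Class C networks)' },
    @{ Cidr = '127.0.0.0/8';    Why = 'loopback' },
    @{ Cidr = '169.254.0.0/16'; Why = 'link-local (APIPA)' },
    @{ Cidr = '0.0.0.0/8';      Why = 'this network' },
    @{ Cidr = '224.0.0.0/4';    Why = 'multicast (Class D)' },
    @{ Cidr = '240.0.0.0/4';    Why = 'reserved (Class E)' }
)

function Get-AddressScope {
    param([string]$Address)
    foreach ($r in $NeverFromInternet) {
        if (Test-InCidr $Address $r.Cidr) {
            return New-Object PSObject -Property @{ Address = $Address; Public = $false; Range = $r.Cidr; Reason = $r.Why }
        }
    }
    New-Object PSObject -Property @{ Address = $Address; Public = $true; Range = '-'; Reason = 'globally routable' }
}

# Constructed sample: source addresses as they might appear in a border-router
# log. 172.32.0.1 is public (172.16/12 ends at 172.31.255.255). Anything with
# Public=False arriving from outside is spoofed or misrouted and should be dropped.
'10.1.1.10', '172.16.1.10', '172.32.0.1', '192.168.1.10', '169.254.7.7', '208.215.179.146', '224.0.0.5' |
    ForEach-Object { Get-AddressScope $_ } |
    Format-Table Address, Public, Range, Reason -AutoSize
```

The same `Test-InCidr` function is handy on the server itself, for instance to decide whether a remote address in a log is on the LAN before you trust it.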
Using address translation software to offer Internet access reduces your costs and allows nearly unlimited growth. If you think private IP addresses combined with NAT software make sense for your situation, consult with your ISP for specific details and recommendations on how to use this technology on your network.

You've probably seen the terms firewall and proxy thrown about when reading about Internet access. A firewall is, in effect, a special-purpose router that filters the traffic it forwards, both inbound and outbound. Firewall filters may be based on a source or destination address, on a specific protocol or port, or even on patterns that appear in the contents of a data packet. A proxy server works differently: it operates at the application layer, terminating each client's connection and opening its own connection to the external server, so that it mediates all communication between an in-house network and external networks such as the Internet. Because only the proxy's address ever appears on the Internet, proxies hide the identity of internal clients, and they can keep local copies of resources that are accessed frequently. (This is called caching, and it improves response time for users.)

You can check out several great online resources for firewalls, but online information on proxies is limited to product documentation. In addition to consulting the Windows Server 2008 Resource Kit and TechNet (http://technet.microsoft.com/en-us/default.aspx), here are several online resources you may want to check to discover more about these technologies:
• NIST Guidelines on Firewalls and Firewall Policy: http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf

• Microsoft's Internet Security and Acceleration Server (ISA) 2006: www.microsoft.com/isaserver

• Zone Lab's ZoneAlarm: www.zonealarm.com

• Cisco's Self-Defending Networks: www.cisco.com/en/US/netsol/ns643/networking_solutions_packages_list.html

• WinGate proxy server: www.wingate.com

In addition to these third-party products, Windows Server 2008 offers a built-in native firewall known as Windows Firewall (previously called the Internet Connection Firewall, or ICF). The basic on/off and exception settings live in the Windows Firewall applet in Control Panel; the full rule set is managed in the Windows Firewall with Advanced Security console (wf.msc) or from the command line with netsh advfirewall. Windows Firewall is a host-based solution that provides stateful filtering for inbound and outbound traffic with integrated IPsec connection security rules, which may or may not offer the versatility and capabilities that your production network requires in a firewall. Because it's host-based, it protects only the server it runs on; it's a complement to a network firewall, not a replacement for one. If you want to find out more about Windows Firewall, check the Help and Support Center and the TechNet article at http://technet.microsoft.com/en-us/network/bb545423.aspx.
Forcing IP Down the Throat of Windows Server 2008

Configuring TCP/IP on Windows Server 2008 can range from simple to complex. We review the simple process and discuss a few advanced items. For complex configurations, consult a reference such as the Windows Server 2008 Resource Kit or TechNet. Three basic items are always required for configuring TCP/IP:

• IP address

• Subnet mask

• Default gateway

With just these three items, you can connect a client or server to a network.
Basic configuration

The protocol is configured in the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box. To access this dialog box, follow these steps:
1. Choose Start➪Control Panel➪Network and Sharing Center.

2. Under Tasks, click Manage Network Connections. The Network Connections window appears.

3. In the Network Connections window, right-click Local Area Connection and select Properties. The Local Area Connection Properties dialog box appears.

4. In the list of installed components, select Internet Protocol Version 4 (TCP/IPv4).

   Note: If TCP/IPv4 isn't listed, follow these steps to install it:

   a. In the Local Area Connection Properties dialog box, click Install. The Select Network Component Type dialog box appears.

   b. Select Protocol and then click Add. The Select Network Protocol dialog box appears.

   c. Select Internet Protocol Version 4 (TCP/IPv4) and then click OK.

   d. If prompted, provide a path to the distribution media.

5. Click Properties to open the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, shown in Figure 10-2.

The Internet Protocol Version 4 (TCP/IPv4) Properties dialog box offers fields to define the three IP configuration basics. Note the selection to obtain an IP address automatically. This setting configures the system to request IP configuration from a Dynamic Host Configuration Protocol (DHCP) server. Because other machines find a server by its address (and services such as DNS, DHCP and domain controllers must have stable addresses), you'll usually want to define a static IP address for your Windows Server 2008 instead of using DHCP. (Or create a DHCP reservation so that the server always receives the same address.)
Figure 10-2: The Internet Protocol (TCP/IP) Properties dialog box.
6. To enter your IP settings, select the Use the Following IP Address option in the dialog box and fill in the fields as follows:

   • IP Address: Either obtain a public IP address from your ISP or use a private IP address from one of the reserved address ranges defined in RFC 1918.

   • Subnet Mask: You must also calculate a subnet mask for your network. (That is, as long as you aren't using DHCP.) Here again, you may obtain this from your ISP if you're using public IP addresses, or you may calculate your own if you're using private IP addresses. In most cases where private IP is used, the default subnet mask for the address class should work without alteration or additional calculations, as described in Table 10-3.

   • Default Gateway: Finally, you must also provide a default gateway address for your server (unless you just don't want this system to communicate with other hosts outside of its subnet). The default gateway must be an address on the same subnet as the server; it is the router on the local subnet that can forward outbound traffic to other network segments. On networks using public IP addresses, this is probably a router, firewall, or proxy server that connects the local subnet to other subnets or to the Internet. On networks using private IP addresses, this is usually the machine on which the proxy and NAT software resides, which mediates between the local subnet and an Internet connection.

7. The Internet Protocol Version 4 (TCP/IPv4) Properties dialog box also offers fields to configure Domain Name Service (DNS). You can leave these fields blank, at least for now. We talk more about DNS in the "DNS Does the Trick" section later in this chapter.

8. After you define an IP address, a subnet mask, and a default gateway, click OK, and then close all the windows you've opened. The new settings take effect immediately; no reboot is required.

That's all there is to basic TCP/IP configuration on Windows Server 2008!
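The same eight steps can be done from an elevated command prompt with netsh, which is what you'll want when there is no desktop (Server Core) or when you configure many servers. The script below is an added example, not from the book. The interface name, the addresses and the DNS server are assumptions; substitute your own. It also includes the one check the dialog box does not make for you: that the gateway actually lies on the server's own subnet, which is the classic way to lock yourself out of a remote server.

```powershell
# Added example, not from the book: the settings from the dialog box applied
# with netsh from an elevated prompt. Interface name and all addresses are assumed.

$Interface = 'Local Area Connection'
$Address   = '192.168.1.10'     # private address from Table 10-4
$Mask      = '255.255.255.0'    # default Class C mask, as Table 10-3 suggests
$Gateway   = '192.168.1.1'      # router or NAT box on this subnet
$DnsServer = '192.168.1.2'      # assumed internal DNS server

function Test-SameSubnet {
    # Guard against the classic lock-out: a gateway that is not on the server's own subnet
    param([string]$A, [string]$B, [string]$MaskDotted)
    $ab = [System.Net.IPAddress]::Parse($A).GetAddressBytes()
    $bb = [System.Net.IPAddress]::Parse($B).GetAddressBytes()
    $mb = [System.Net.IPAddress]::Parse($MaskDotted).GetAddressBytes()
    for ($i = 0; $i -lt 4; $i++) {
        if (($ab[$i] -band $mb[$i]) -ne ($bb[$i] -band $mb[$i])) { return $false }
    }
    return $true
}

if (-not (Test-SameSubnet $Address $Gateway $Mask)) {
    throw "Gateway $Gateway is not on the $Address/$Mask subnet; refusing to apply"
}

# Step 6 of the dialog box in one command: IP address, subnet mask, default gateway
netsh interface ipv4 set address "name=$Interface" source=static "address=$Address" "mask=$Mask" "gateway=$Gateway"

# Step 7: the DNS server (the book leaves this for later; set it here if you know it)
netsh interface ipv4 set dnsservers "name=$Interface" source=static "address=$DnsServer" register=primary

# Step 8: no reboot needed; verify the result
netsh interface ipv4 show config "name=$Interface"
ipconfig /all
```

If you run this over Remote Desktop, make sure the new address is one you can reach before you press Enter; the change takes effect at once and the old address disappears.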
Advanced configuration

More complex configurations become necessary when your network is larger and, therefore, more complicated. To deal with such complexity, you have to do some advanced work. Click the Advanced button in the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box (we tell you how to open that dialog box in the preceding section) to reveal the Advanced TCP/IP Settings dialog box and its tabs (see Figure 10-3). The tabs (along with brief descriptions) are as follows:
Figure 10-3: The TCP/IP Settings dialog box.
• IP Settings: This tab allows you to define multiple IP address and subnet mask combinations for a single NIC. You can also define additional default gateways, as well as an interface metric, which is used by routers (or the routing service of Windows Server 2008) to determine which path to send data to; the path with the lowest metric is used first.

• DNS: This tab allows you to define additional DNS servers. The one or two you define on the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box appear here as well, so don't get confused. In addition, you can specify how to search or resolve names based on DNS server, DNS domain, and DNS parent domains. The two check boxes at the bottom of the DNS tab allow you to use dynamic registration to automatically add your server's IP address and domain name to your local DNS. For more information about DNS, please consult the "DNS Does the Trick" section later in this chapter.

• WINS: This tab is where IP addresses for Windows Internet Name Service (WINS) servers are defined. WINS servers resolve NetBIOS names into IP addresses. WINS is convenient for Windows Server 2008 networks with multiple servers and network segments. This tab also offers you control over how or whether NetBIOS operates over TCP/IP. For more information about WINS, please consult the "Everyone WINS Sometimes" section later in this chapter.

• Options: This tab is where you can define alternate settings associated with TCP/IP. This tab offers access to only TCP/IP filtering by default, but the layout of the interface seems to hint that other optional features or services may be configured here if they're installed later. TCP/IP filtering allows you to define the TCP ports, User Datagram Protocol (UDP) ports, and IP protocols that will be allowed to function. In other words, it blocks all inbound traffic except the traffic for the ports that you choose to allow in. This interface is rather limited: it isn't stateful, it keeps no log, it can't scope a rule by remote address, and it doesn't tell you which ports you need to allow in. We recommend using Windows Firewall with Advanced Security, or a dedicated firewall or proxy, to perform this kind of filtering instead; those tools log what they drop, so you can find out which ports you need.
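The rule set below does, with Windows Firewall with Advanced Security, what the Options tab's TCP/IP filtering attempts: it drops everything inbound by default and allows only the services this server offers, scoped to the management subnet where that makes sense, and it logs drops so you learn which ports you forgot. It is an added example, not from the book; the management subnet, the port list and the log path are assumptions for this example. Run it from an elevated prompt.

```powershell
# Added example, not from the book: an inbound allow-list on Windows Firewall
# with Advanced Security via netsh advfirewall, in place of TCP/IP filtering.
# The management subnet and the port list are assumptions; adjust for your server.

$MgmtSubnet = '192.168.1.0/24'   # where administrators connect from

# Default posture on every profile: drop unsolicited inbound, allow outbound
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"

# Log drops so the ports you forgot show up in the log instead of in support calls
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"

# Inbound rules for the services this server actually offers, scoped where possible
netsh advfirewall firewall add rule "name=Allow RDP from management subnet" dir=in action=allow protocol=TCP localport=3389 "remoteip=$MgmtSubnet"
netsh advfirewall firewall add rule "name=Allow DNS queries (UDP)" dir=in action=allow protocol=UDP localport=53
netsh advfirewall firewall add rule "name=Allow DNS queries (TCP)" dir=in action=allow protocol=TCP localport=53

# File sharing stays reachable from the local subnet only; with blockinbound as
# the default, anything not matched by an allow rule (including SMB from outside) is dropped
netsh advfirewall firewall add rule "name=Allow SMB from local subnet" dir=in action=allow protocol=TCP localport=445 remoteip=localsubnet
netsh advfirewall firewall add rule "name=Allow NetBIOS from local subnet" dir=in action=allow protocol=UDP "localport=137,138" remoteip=localsubnet

# Review what is now in force
netsh advfirewall firewall show rule name=all dir=in | Select-String 'Rule Name|LocalPort|RemoteIP|Action'
```

Note that the comma-separated values (`blockinbound,allowoutbound`, `137,138`) are quoted; left bare, PowerShell would split them into two arguments before netsh ever saw them.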
Everyone WINS Sometimes

In a Microsoft Windows network, TCP/IP hosts can be called by NetBIOS names instead of IP addresses or domain names. Because NetBIOS names are more or less unique to Microsoft networks, there's no current standard for associating NetBIOS names with IP addresses. On a Microsoft network that uses TCP/IP as its only networking protocol, it's essential to be able to resolve NetBIOS names to IP addresses. This is where Windows Internet Name Service (WINS) comes in.

A glimpse at WINS

Because resolving NetBIOS names to IP addresses is the key to providing access to many of Windows Server 2008's built-in services and facilities, Microsoft provides two methods to handle this process:

• LMHOSTS: You can use a file named LMHOSTS to create a static table that associates specific NetBIOS names with specific IP addresses. (LM stands for LAN Manager and points to the network operating system that preceded Windows NT in the Microsoft product world.) Such a file must be present on every machine to provide the necessary name-to-address resolution capabilities. For small, simple networks, using LMHOSTS files is an acceptable method. On large, complex networks, the busywork involved in maintaining a large number of such files can quickly get out of hand.

• WINS: Larger, more complex networks are where WINS comes into play. WINS runs on Windows Server 2008 machines as a service that automatically discovers NetBIOS names and manages a dynamic database that associates NetBIOS names with TCP/IP addresses. As networks grow, multiple WINS servers sometimes become necessary to help speed up the time it takes to handle name resolution requests. A single WINS server can handle an entire network. On networks that include multiple sites or thousands of users, however, multiple WINS servers can distribute the load involved in providing name resolution, and speed users' access to NetBIOS-based resources.
WINS has several advantages over LMHOSTS files. For one thing, it's built on a dynamic database, which means that as networks change and names and addresses come and go, the database changes as the WINS server detects new name and address relationships or finds old names with new addresses. WINS can be especially important on networks where DHCP is used, if clients also share files or printers on their machines. Also, WINS is something like a Spanish-English dictionary that's constantly updated as new words (or in this case, names) are added.
WINS servers

A WINS server maintains a database that maps computer names to their respective IP addresses and vice versa. Rather than sending broadcasts for address information, which eats excess network bandwidth, a workstation that needs a NetBIOS name resolved makes a request directly to a designated WINS server. (That's the real purpose of the WINS tab in the Advanced TCP/IP Settings dialog box.) This approach lets workstations take advantage of a well-defined service and obtain address information quickly and efficiently. Also, when workstations with NetBIOS names log on to the network, they provide information about themselves and their resources to the WINS server. Then, any changes automatically appear in the WINS server's database. Although WINS is much simpler than DNS, it still isn't an easy process. On Windows Server 2008 you add WINS Server as a feature through Server Manager (Add Features) and then point each network interface at it on the WINS tab. We recommend seeking guidance from the Windows Server 2008 Resource Kit or TechNet before starting on that journey.
WINS clients When configuring workstations or servers (at least, those servers that don’t play host to the WINS server software) on your network, you provide an IP address for one or more WINS servers on your network. When those machines boot, they provide the WINS server with their computer names, share names, and IP addresses. The WINS server handles everything else. If a workstation needs an IP address that corresponds to a NetBIOS name, it asks the WINS server to supply that information.
NetBIOS over TCP/IP

The bane of many security consultants, NetBIOS over TCP/IP is a piggyback application programming interface (API) that Windows uses for legacy name resolution, network browsing, and communication with older clients. (Modern file and printer sharing uses SMB directly over TCP port 445 and doesn't need NetBIOS over TCP/IP, which uses UDP ports 137 and 138 and TCP port 139.) Within a secured environment, such as behind firewalls and proxies, NetBIOS over TCP/IP is beneficial because it supports many of the user-friendly features of Windows Server 2008 networking. But without adequate security, it's a gaping hole that devious individuals can exploit to enumerate and attack your network or stand-alone system, so those four ports should never be reachable from untrusted networks. The WINS tab offers you the ability to disable NetBIOS over TCP/IP on the current system (meaning NetBIOS will not be transmitted over network links from this computer) or to take the setting from the DHCP server. (If the DHCP server hands out an option that disables NetBIOS, this system will disable it as well.) You should consider disabling NetBIOS over TCP/IP only if all systems on the network are Windows 2000 or later and no application or service on the network requires NetBIOS to function; check for older clients, printers and applications that still browse by NetBIOS name before you switch it off. In other words, you'll probably need to live with NetBIOS for a bit longer.
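Here is the WINS-tab setting driven from WMI, as an added example that is not from the book, so that you can audit every adapter on a server (or many servers) and disable NetBIOS over TCP/IP only once you have decided it is safe. The `$Disable` switch and the output layout are our own; the WMI class and method are Microsoft's. Run it from an elevated prompt.

```powershell
# Added example, not from the book: audit NetBIOS over TCP/IP on every
# IP-enabled adapter through WMI, and disable it only when you have decided
# nothing on the network still needs it. Run from an elevated prompt.
# SetTcpipNetbios codes: 0 = take the setting from DHCP, 1 = enable, 2 = disable.

$Disable = $false   # flip to $true only after checking for NetBIOS-dependent applications

$labels   = @{ 0 = 'from DHCP'; 1 = 'enabled'; 2 = 'disabled' }
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $adapters) {
    $current = $labels[[int]$nic.TcpipNetbiosOptions]
    Write-Host ("{0,-45} NetBIOS over TCP/IP: {1}" -f $nic.Description, $current)
    if ($Disable -and [int]$nic.TcpipNetbiosOptions -ne 2) {
        $result = $nic.SetTcpipNetbios(2)
        # ReturnValue 0 = success, 1 = success but a reboot is required
        Write-Host ("    SetTcpipNetbios(2) returned {0}" -f $result.ReturnValue)
    }
}

# Confirm from the wire side: with NetBIOS off, nothing listens on UDP 137/138 or TCP 139.
# SMB itself still listens on TCP 445, so keep that port firewalled from untrusted networks.
netstat -an | Select-String -Pattern ':13[789] '
```

The final `netstat` line is the check that matters: the WMI setting tells you what the adapter is configured to do, the socket list tells you what the server is actually exposing.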
DNS Does the Trick

One way to simplify TCP/IP host identification is to use Fully Qualified Domain Names (FQDNs) instead of IP addresses. An FQDN is the type of name used to identify resources on the Internet to make access easier for humans (such as www.microsoft.com). Resolving domain names and FQDNs to IP addresses is a crucial service on TCP/IP networks in general and especially on the Internet, where hundreds of millions of names and addresses can be found. This is where the Domain Name Service (sometimes called the Domain Naming Service or Domain Name System, but always abbreviated as DNS) comes into play. As with NetBIOS names and IP addresses, the association between FQDNs and IP addresses can be maintained in two ways:

• HOSTS file: You can create a HOSTS file on each system. The HOSTS file maintains a local table that associates specific FQDNs with specific IP addresses. When such associations change, the HOSTS file must be updated manually and copied to all machines on a network. HOSTS files aren't suited for interaction with large IP-based networks, especially the Internet. This explains why HOSTS files are mostly relics of an earlier, simpler era of IP networking. Except as a fallback in case access to DNS fails, no one uses HOSTS files anymore. One caution nonetheless: Windows consults the HOSTS file (%SystemRoot%\System32\drivers\etc\hosts) before it asks DNS, so an entry planted there silently overrides DNS for that name. That makes it a favorite target of malware, and the file deserves a place on your list of things to protect and audit.
• DNS: Access to a DNS server allows network machines to request name resolution services from that server instead of maintaining name-to-address associations themselves. Although DNS servers must be configured manually, a DNS server can handle the name resolution needs of an entire network with ease. DNS servers can also communicate with one another, so a name resolution request that the local server can't handle can be passed up the FQDN name hierarchy until it reaches a server that can resolve the name into an address or indicate that the name doesn't exist.

The Internet includes tens of thousands of DNS servers. ISPs manage many of these DNS servers; others fall under the control of special top-level domain authorities. To stake out an Internet presence, you must obtain a unique FQDN through a domain name registrar (or let your ISP do it for you). After you obtain this name, the registrar records which name servers are authoritative for it, and the name's records live on some DNS server (probably at your ISP, unless you decide to set up a DNS server of your own).
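Because the HOSTS file is consulted before DNS, it is worth auditing. The PowerShell below is an added example, not from the book: a small parser for the HOSTS file format that lists every name-to-address mapping and flags any entry that overrides a public domain you care about. The sample file content is constructed for the example, and the function names and watch list are our own; the commented-out last line shows how to run it against the real file on a server.

```powershell
# Added example, not from the book: parse HOSTS-file content and flag entries
# that override watched public names. Sample content is constructed.

function Get-HostsEntries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -split '#')[0].Trim()          # strip comments and whitespace
        if ($text -eq '') { continue }
        $fields = $text -split '\s+'                   # address, then one or more names
        if ($fields.Count -lt 2) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            New-Object PSObject -Property @{ Name = $name.ToLower(); Address = $fields[0] }
        }
    }
}

function Find-HostsOverrides {
    # Return entries that map a watched public domain, or any name under it, anywhere at all
    param([string[]]$Lines, [string[]]$WatchDomains)
    Get-HostsEntries $Lines | Where-Object {
        $name = $_.Name
        $hit = $false
        foreach ($d in $WatchDomains) {
            if ($name -eq $d -or $name.EndsWith('.' + $d)) { $hit = $true }
        }
        $hit
    }
}

# Constructed sample HOSTS content (the first three lines are what a clean file looks like)
$sample = @'
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.20    filesrv01.corp.example   filesrv01     # legitimate internal shortcut
208.215.179.146 www.wiley.com                          # pins a public site to a fixed address
10.66.0.9       update.microsoft.com                   # classic trick to block patching
'@ -split "`r?`n"

$watch = 'microsoft.com', 'windowsupdate.com', 'wiley.com'
Find-HostsOverrides -Lines $sample -WatchDomains $watch | Format-Table Name, Address -AutoSize

# Against the live file on this server:
# Find-HostsOverrides -Lines (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts") -WatchDomains $watch
```

On the sample content the two flagged entries are www.wiley.com and update.microsoft.com; the internal shortcut for filesrv01 passes because it is not under a watched domain. Extend `$watch` with your own domain and the vendors whose update servers you depend on.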
Whether to DNS

Unless you manage a large, complex network, chances are better than average that you'll work with someone else's DNS server (probably your ISP's) rather than managing your own. However, if you have a large network with more than 1,000 computers, or if your network spans multiple sites using private wide-area links, a DNS server may be just the thing to help you stake out the right type of Internet presence. Keep in mind, too, that Active Directory depends on DNS, so the first domain controller in a domain nearly always brings a DNS server with it: the Active Directory Domain Services Installation Wizard (dcpromo) offers to install and configure the DNS Server role for you, and DHCP is a separate server role you can add through Server Manager. Installing these services is therefore a breeze. The real headaches come when you try to configure DNS (or DHCP, for that matter).
The deans of DNS

If you think you may be interested in setting up a DNS server, you need to consult a technical resource, such as the Windows Server 2008 Resource Kit or TechNet. We also highly recommend DNS on Windows Server 2003, a book by Matt Larson, Cricket Liu, and Robbie Allen (published by O'Reilly & Associates), as the ultimate resource for using Windows 2003 as a DNS server. Even though the title says Windows 2003, this is also a great resource for Windows Server 2008 because DNS is almost exactly the same. Paul Albitz and Cricket Liu also wrote a general DNS book called DNS and BIND, now in its fifth edition (also published by O'Reilly), that is widely regarded as the best general reference on DNS. Both of these books should be updated or revised soon to encompass new material for Windows Server 2008.
DHCP: IP Addressing Automation DHCP, the Dynamic Host Configuration Protocol, is used to dynamically assign IP addresses and other configuration settings to systems as they boot. This allows clients to be configured automatically at startup, thus reducing installation administration. DHCP also allows a large group of clients to share a smaller pool of IP addresses, if only a fraction of those clients needs to be connected to the Internet at any given time.
What is DHCP?

DHCP is a service that Windows Server 2008 can deliver. In other words, a Windows Server 2008 system can run DHCP server software to manage IP addresses and configuration information for just about any type of TCP/IP client. In fact, it can even perform this role in a completely stripped-down way if Windows Server 2008 is installed as Server Core with additional service roles. DHCP manages IP address distribution using leases. When a new system configured to use DHCP comes online and requests configuration data, an IP address is leased to that system. (Each lease lasts three days by default.) When the duration of the lease is half expired, the client can request a lease renewal for another three days. If that request is denied or goes unanswered, the renewal request is repeated when 87.5 percent and 100 percent of the lease duration has expired. If a lease expires and isn’t renewed, the client can’t access the network until it obtains a new IP address lease. You can initiate manual lease renewals or releases by executing ipconfig /renew or ipconfig /release at the Windows Server 2008 command prompt. You can view the current state of IP configuration using the ipconfig command. Issuing the ipconfig /all | more command at the command prompt displays all of a machine’s IP configuration information, one screen at a time.
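As an added example (not from the book), here is a small Python model of the lease timeline just described: a renewal attempt at half the lease, retries at 87.5 and 100 percent, and expiry when no attempt succeeds. The server_answers callback and the 12-day horizon are constructed stand-ins, not anything Windows exposes.

```python
"""Model of the DHCP client lease-renewal timeline described in the text.

A client holding a 3-day lease asks for renewal at 50% of the lease. If
that request is denied or unanswered, it asks again at 87.5% and at 100%.
A granted renewal starts a fresh 3-day lease; if every attempt fails the
lease expires and the client loses its address until it gets a new lease.
"""
from dataclasses import dataclass

LEASE_DAYS = 3.0                     # default lease length stated in the text
RENEWAL_POINTS = (0.5, 0.875, 1.0)   # fractions of the lease at which the client asks


@dataclass
class LeaseEvent:
    day: float         # days since the first lease was granted
    action: str        # "renew-ok", "renew-failed" or "expired"
    lease_end: float   # day on which the lease in force at that moment expires


def simulate_lease(server_answers, lease_days=LEASE_DAYS, max_days=12.0):
    """Walk the renewal timeline and return the list of LeaseEvent records.

    server_answers(day) -> bool is a constructed stand-in for the DHCP
    server: True means the renewal requested on that day is granted.
    The walk stops when the next renewal point lies beyond max_days
    (client still holds a valid lease) or when a lease expires unrenewed.
    """
    events = []
    lease_start = 0.0
    while True:
        lease_end = lease_start + lease_days
        renewed = False
        for fraction in RENEWAL_POINTS:
            day = lease_start + fraction * lease_days
            if day > max_days:
                return events
            if server_answers(day):
                # A granted renewal is a new lease counted from this moment.
                events.append(LeaseEvent(day, "renew-ok", day + lease_days))
                lease_start = day
                renewed = True
                break
            events.append(LeaseEvent(day, "renew-failed", lease_end))
        if not renewed:
            # All three attempts failed: the address is gone at 100%.
            events.append(LeaseEvent(lease_end, "expired", lease_end))
            return events


def address_valid_on(events, day):
    """True if the client still holds an unexpired lease on the given day."""
    for event in events:
        if event.action == "expired" and day >= event.day:
            return False
    return True


if __name__ == "__main__":
    # Constructed scenario: the server is unreachable until day 2.5.
    for event in simulate_lease(lambda day: day >= 2.5):
        print(f"day {event.day:6.3f}: {event.action:13s} lease ends day {event.lease_end}")
```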
Part II: Servers, Start Your Engines
Is DHCP in your future?

We can think of two profound reasons why DHCP is a godsend to Windows Server 2008 administrators who need to use it:

• DHCP enables you to manage an entire collection of IP addresses in one place, on a single server, with little effort beyond the initial configuration of the address pool (the range of addresses that DHCP will be called upon to manage). In the old days (before DHCP), managing IP addresses usually required walking from machine to machine on a far too frequent basis.
• DHCP automates delivery of IP addresses and configuration information (including subnet mask and the default gateway addresses) to end-user machines. This makes it astonishingly easy to set up IP clients and to handle configuration changes when they must occur. To configure IP on a new client, all an end user (or you) must do in Windows Server 2008, Windows Server 2003, Windows NT, or Windows 9x is click the single option in the Internet Protocol (TCP/IP) Properties dialog box that reads, Obtain an IP Address Automatically. DHCP does the rest! When configuration changes occur, these changes are automatically introduced when IP leases are renewed. You can even cancel all existing leases and force clients to renew their leases whenever major renumbering or configuration changes require immediate updates to their IP configurations.
Enough TCP/IP to choke a hippo

If this chapter whets your appetite for TCP/IP, you can obtain more details and information from the following great resources:

• Windows Server 2008 TCP/IP Protocols and Services, by Joseph Davies (published by Microsoft Press)
• TCP/IP For Dummies, 5th Edition, by Candace Leiden, Marshall Wilensky, and Scott Bradner (published by Wiley Publishing)
• The TCP/IP Guide, by Charles Kozierok (published by No Starch Press; check out the complete online version at www.tcpguide.com.)
• Internetworking with TCP/IP, Volumes I, II, and III, by Douglas E. Comer, David L. Stevens, and Michael Evangelista (published by Prentice Hall) in various editions from 2nd through 5th
If that’s still not enough, one of your authors pulled together a more comprehensive TCP/IP bibliography for NetPerformance.com. Check it out at www.netperformance.com/reading_tcpip.aspx.
The ultimate reason for using DHCP is that it makes your job much easier. DHCP is recommended for all networks that use TCP/IP with ten or more clients. The first Windows Server 2008 in a domain has DHCP installed automatically, but you still need to enable and configure it properly before it will do you any good. So, if you think you may be interested in setting up a DHCP server, consult a technical resource, such as the Windows Server 2008 Resource Kit or TechNet, for all the details of installation and configuration.
Ironing Out Problems

Problems that occur on TCP/IP networks are almost always associated with incorrect configurations. The wrong IP address, subnet mask, default gateway, DNS server, WINS server, or DHCP server can bring a system, if not an entire network, to its knees. Therefore, you need to take extra caution to double-check your settings and changes before putting them into effect. If you connect to an ISP, you should contact the ISP’s technical support personnel early to eliminate as much wheel-spinning as possible. You may discover the problem isn’t on your end, but theirs. If so, your only recourse is to wait it out, and then complain. If problems occur too often for your comfort, take your business elsewhere. Windows Server 2008 includes a few TCP/IP tools that you can employ to help track down problems. We already mentioned ipconfig; here are the others:

• ping: This tool tests the communications path between your system and another remote system. If a PING returns, you know the link is traversable and the remote system is online. If the PING times out, either the link is down or the remote system is offline.
• tracert: This tool reveals the hops (systems encountered) between your system and a remote system. The results inform you whether your trace route packets are getting through and at what system a failure is occurring.
• route: This tool is used to view and modify the routing table of a multihomed system.
• netstat: This tool displays information about the status of the current TCP/IP connections.
• nslookup: This tool displays DNS information that helps you manage and troubleshoot your DNS server.
• telnet: This tool is used to establish a text-based terminal emulation with a remote system. Telnet gives you access to a remote system as if you were sitting at its keyboard. Windows Server 2003 doesn’t include an inbound Telnet server.
Complete details on these tools are included in the Windows 2008 help files, the Windows Server 2008 Resource Kit, and TechNet.
Part III
Running Your Network
In this part . . .

After Windows Server 2008 is up and running, the real fun — namely, maintaining the server and network you’ve so laboriously constructed — begins. Or at least, so goes the conventional wisdom. In a very real sense, therefore, Part III begins where Part II leaves off. First, there’s managing the users (and their groups) who will work on your network and use your server. Then, it’s on to how to set up and handle NTFS and share permissions, with a heaping order of file systems and related topics on the side. Once you have data and users to protect, backing up your system is no longer an option — it’s a downright necessity — so it’s the next topic on our systems-management agenda. Part III closes out with an exercise in positive paranoia, where you find out about computer and network security in a discussion that covers the bases from physical security all the way up to how to build a solid password. Thus, Part III covers all the key topics involved in managing a Windows Server 2008–based network to prepare you to live with one of your own (or to work on someone else’s). Use these chapters to establish a systematic routine — not only will your users thank you, but you’ll also save yourself some time and effort! Remember this: Maintenance activities and costs usually represent 90 percent of any computer system’s life cycle. That’s why establishing a solid maintenance routine and sticking to it religiously are the keys to running a successful network. Do yourself a favor and don’t learn this lesson the hard way. . . .
Chapter 11
Managing Users with Active Directory Users and Computers

In This Chapter
• Defining user account properties
• Creating new user accounts and groups
• Managing user accounts
• Understanding groups
• Assigning profiles
• Governing activities with policies
• Solving problems

User accounts are indispensable elements in the Windows Server 2008 environment. They’re central management and control tools for the operating system to authenticate users and manage access to the resources on a local system and in the domain and forest as well. If you don’t have a defined user account on a Windows Server 2008 stand-alone system or a Windows Server 2008 domain, you can’t gain access to that system or to available resources in the forest. This chapter looks at managing domain user accounts and policies through the Active Directory Users and Computers console.
User Accounts Have Properties

Computers are typically used by more than one person. Even systems that workers use exclusively on their desks allow system administrators to log on locally. If these systems have computer accounts in the domain, it’s possible for other users with domain accounts to log on to those systems as well. The computer distinguishes between one person and another by employing a security device called the user account object. Each user on a computer or a network has a unique user account that contains details about the user, such as his or her rights and restrictions to access resources and more.
A Windows Server 2008 domain-based user account contains, is linked to, or is associated with the following items:

• Password security: User accounts are protected by passwords so that only authorized persons can gain access to the systems.
• Permissions: Permissions are the access privileges granted to a user account. These include group memberships and user-specific settings to access resources.
• Identification: A user account identifies a person to the computer system and the network.
• User rights: A user right is a high-level privilege that can be granted to users or groups to define or limit their actions on a computer system.
• Roaming: You can define user accounts so that a user can log on to any system that is a member of a domain by using a domain user account (certain users may be able to log on to local accounts in certain situations), a Remote Access Service (RAS), or a gateway.
• Environment layout: Profiles are user-specific and store information about the layout, desktop, and user environment in general, unless they are specifically restricted through the use of mandatory profiles. You can define profiles so that they follow the user account no matter where the user gains access on the network.
• Auditing: Windows Server 2008 can track access and usage by domain user accounts if that level of auditing has been enabled in the domain.

Access to Windows Server 2008 requires that users successfully authenticate themselves with a domain user account. This means that when a user with the proper permission level (not everyone has permission to log on locally to all systems in a domain) sits down at a Windows Server 2008 system, he or she can log on at the local machine with a local account (called an interactive logon) by pressing Ctrl+Alt+Delete to start the logon process. Then the user must provide a valid username and password. He or she may also log on to a domain user account in the same manner if the server is a member of the domain. After the system verifies this information, the user is granted access. When the user is finished, he or she can log out and leave the system available for the next user to log on. With Windows Server 2008 installed, three user accounts are automatically created by default on stand-alone (non-domain-member) systems:

• The Administrator account is used to configure the system initially and to create other user accounts.
• The Guest account is a quick method to grant low-level access to any user — but is disabled by default.
• The HelpAssistant, often named Support_
Appendix A: Server Components and Technologies

Typical SCSI and SATA 3.5” Drive Speeds

Type | RPM | Cost/GB (Low–High) | Capacity (Low–High) | Remarks
---- | --- | ------------------ | ------------------- | -------
SATA | 7,200 | $0.20–$0.40 | 40GB–1TB | Larger, more capable drives cost more; sizes range from 80GB to 1TB.
SATA | 10,000 | $1.33–$2.02 | 74–150GB | WD Raptor models, available in only two sizes, are the only 10,000 RPM SATA drives available.
SCSI | 10,000 | $1.48–$2.45 | 146–434GB | Most major drive manufacturers offer such drives but none in sizes larger than 4xxGB.
SCSI | 15,000 | $4.10–$8.97 | 36–46GB | Same as for 10K RPM SCSI drives, except sizes top out at 146GB.
There’s a very interesting moral to be drawn from the foregoing table. Unless your server must absolutely scream with disk speed, the best storage value comes from 7,200 RPM SATA drives. With Seagate now offering perpendicular magnetic recording (PMR) drive technologies that basically stand bit regions sideways on the disk platter and therefore cram data into hitherto unheard-of data densities, you can get very good performance from drives that range from 320 to 750GB in size, at prices from 25 cents to 28 cents per GB. High-performance junkies will often use a WD 10,000 RPM Raptor or a 10,000 or 15,000 RPM SCSI drive for the Windows system drive, but even these folks are increasingly turning to 7,200 RPM SATA drives for data RAID arrays. The whole SCSI versus SATA subject continues to be a raging debate in server hardware circles. Some of the most interesting outlooks on this subject come from well-known system builder Puget Custom Computers. Its “SCSI vs SATA, Which is Faster?” article includes fascinating explanations and test results to back up its contention that SATA is more or less edging SCSI out of the server storage game. Find it online at www.pugetsystems.com/articles.php?id=19.
SCSI versus SATA controllers

The other side of the storage equation is the disk controller. Those who need fast storage usually also opt to purchase add-in disk controller cards, and eschew controllers and RAID circuitry built into most modern server motherboards. Those who can stomach the higher costs of 10,000 or 15,000 RPM SCSI drives should also prepare to swallow additional costs for suitable disk controllers.
Part VI: Appendixes

Even modest SCSI RAID controller cards (like the Adaptec 2246200-R) cost more than $300, and a high-end version (like the Adaptec 2185900) costs more than $700. A minimal RAID array usually requires at least three disk drives, and it isn’t unusual for arrays to include as many as seven drives. (The max for most SCSI controllers is 15 devices per SCSI channel.) On the SATA side, costs are pretty similar: Low-end RAID controllers start at about $200 (like the Adaptec 2220300-R) and approach $700 at the high end (like the Adaptec 2251600). SATA controllers can typically handle many more devices, however, where high-end controllers top out at 128 devices in total. When choosing a disk controller for your server, two additional selection factors come into play:

• Bus slot: A disk controller is an interface card and, therefore, must plug into an interface slot. Most servers come equipped with one or more of each of the slot types described in Table A-5. Be aware that the faster the bus speed for a given slot, the more a controller card that uses such a slot typically costs.
• Slot contention: When designing a server, multiple interface cards may end up competing for scarce slot space. This makes the number and type of slots available on a motherboard an important consideration for its purchase, and putting some thought into what kinds of cards you want to put in your server is equally important. You may have to balance the need for fast storage — which requires a disk controller card — against the need for fast network access — which may mandate one or two high-speed TCP/IP Offload Engine (TOE) network adapters. This can force some tough choices, and may occasionally appear to argue for the wisdom of Solomon in choosing faster storage versus faster networking.
Table A-5 Server Bus Slot Speeds and Feeds

Name | Bus Speed | Bit Width | Maximum Throughput | Remarks
---- | --------- | --------- | ------------------ | -------
PCI | 33 MHz | 32 bits | 132 MB/s | Common PC utility bus.
PCI64 | 133 MHz | 64 bits | 1066 MB/s | Occasionally found on server motherboards.
PCI-e x1 | 33 MHz | 1 bit | 250 MB/s | All PCI-e buses are bidirectional. (Throughput shown is one-way only; total possible amount is double.)
PCI-e x4 | 33 MHz | 4 bits | 1.0 GB/s | Used for some disk controllers.
PCI-e x8 | 33 MHz | 8 bits | 2.0 GB/s | Used for many disk controllers and TOE network adapters.
PCI-X | 66–133 MHz | 64 bits | 1.08 GB/s | Popular server bus technology.
Typically, you find between one and three PCI-e x8 slots on a server motherboard, and one or two PCI-X slots as well. If the numbers permit, you can use either one for disk controllers and network adapters. The important thing is to purchase a motherboard that has enough of the right kinds of slots to meet your needs. There’s also a case to be made at the low end of the server spectrum that you should try to use built-in controllers and adapters first and move to more expensive add-in cards only if built-ins don’t cut it. But because this means you still need the right number and kind of bus slots to add any adapters you need, it’s wise to pay attention to bus slots even if you don’t intend to stuff them immediately after the purchase of the motherboard on which they reside.
Building RAID arrays

The full expansion for the RAID acronym holds the meat of its technology story: A redundant array of inexpensive disks uses conventional disk drives in a group and achieves performance, reliability, and availability gains by doing so. Using RAID of any kind requires multiple drives to work — at least two and as many as six (for the various types of RAID we’re about to explain, compare, and contrast in this very section) drives are needed to support different RAID schemes. RAID schemes go by the numbers, starting with 0 through 6, plus 10, 50, and other designations. Here we examine only those types of RAID most often used on Windows servers (but we do provide a couple of pointers at the end of this section to where the curious or the technically motivated can learn about “missing numbers” if they like). For convenience, we list them in numerical order in Table A-6, starting with zero.
Table A-6 RAID Schemes and Characteristics

Name | Minimum Disks | Typical | Failure | Remarks
---- | ------------- | ------- | ------- | -------
0 | 2 | 3–5 | 0 | Striping across multiple drives; no redundancy or fault tolerance; offers best performance improvement; easy to implement.
1 | 2 | 2 | 1 | Also known as disk mirroring or duplexing, copies everything onto each drive in a pair; easiest recovery from failure; hardware controller recommended.
0+1 | 4 | 4–10 | 1 | Stripes across mirrored pairs; expensive with high overhead but offers very high data transfer performance.
5 | 3 | 5–7 | 1 | Striping with parity, 1/n overhead (n = number of drives); keeps running even if a single drive fails; hardware controller required.
10 | 4 | 6–10 | 1 | Combines striping with mirroring (all drives are in mirrored pairs and all pairs are striped); expensive and high overhead but high reliability and performance.
50 | 6 | 6–10 | 2 | Combines parity and striping across two or more RAID 3 (parity) sets; very expensive but very resilient to drive failure.
In RAID arrays, all disks are usually the same kind, make, and model to permit them to work together most effectively. Another technology, called JBOD (just a bunch of disks), works like RAID 0 to stripe data across any number of disks (2 to 15, practically speaking) where the disks need not be the same. Striping essentially distributes data across all drives in an array so that reads and writes can be broken up and distributed across all of them. This provides a nice boost to overall performance. People usually use RAID 0 or JBOD for a performance boost, but because it confers no added reliability, these technologies aren’t used very often on servers.

Disk mirroring or duplexing requires 100 percent overhead in exchange for increased reliability. Essentially, two drives each contain a copy of the same thing so that if one fails, the other one can keep chugging right along.

• Mirroring generally refers to “two drives, one controller,” so that if the controller fails, the whole array goes down.
• Duplexing refers to “two drives, two controllers,” so that if one drive or controller fails, the working drive and controller keep on truckin’.

When RAID 1 is used on servers, it’s most often used for the Windows system/boot drive, because that allows it to keep working even if one of the drives fails with little or no downtime for repairs and reconstruction. When both drives are working, two reads are possible for the set, which effectively doubles read speed as compared to a single drive. Write speed remains unchanged because data must be written to both drives to keep the mirror synchronized.

Disk striping with parity writes the parity (control) data for each stripe of data blocks to a drive that holds none of that stripe’s data. If a single drive fails, any stripe can be reconstructed from the intact portions on the still-working drives plus the parity data for that stripe. The controller rotates the parity location from stripe to stripe so that no single drive failure results in the loss of the parity data needed to reconstruct missing stripe elements. RAID 5 also offers the highest read data transaction rates and medium write data transaction rates, and it’s widely used on servers that need improved performance and reliability.
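An added example, not from the book, of what the RAID 5 description above amounts to in code: data is laid across n drives in stripes, the XOR parity of each stripe lands on a different drive each time, and any one failed drive is rebuilt from the survivors. The drive count, chunk size, and sample data are constructed for the demonstration.

```python
"""RAID 5 striping with rotating parity and single-drive rebuild.

Each stripe holds n-1 data chunks plus one parity chunk (XOR of the data
chunks), so overhead is 1/n.  The parity chunk rotates to a different drive
on every stripe, which is why losing any single drive never loses both a
data chunk and the only parity that could rebuild it.
"""


def xor_bytes(chunks):
    """XOR a list of equal-length byte strings together."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def parity_drive_for(stripe, n_drives):
    """Drive index holding parity for this stripe (rotating layout)."""
    return (n_drives - 1 - stripe) % n_drives


def parity_overhead(n_drives):
    """Fraction of raw capacity spent on parity: 1/n, as the table states."""
    return 1 / n_drives


def raid5_write(data, n_drives, chunk_size):
    """Lay data out across n_drives; returns drives[d] = list of chunks per stripe.

    Data is zero-padded to a whole number of stripes, as a controller would.
    """
    if n_drives < 3:
        raise ValueError("RAID 5 needs at least three drives")
    data_per_stripe = (n_drives - 1) * chunk_size
    padded = data + b"\x00" * ((-len(data)) % data_per_stripe)
    drives = [[] for _ in range(n_drives)]
    for s in range(len(padded) // data_per_stripe):
        stripe = padded[s * data_per_stripe:(s + 1) * data_per_stripe]
        chunks = [stripe[i * chunk_size:(i + 1) * chunk_size]
                  for i in range(n_drives - 1)]
        parity = xor_bytes(chunks)
        p = parity_drive_for(s, n_drives)
        data_iter = iter(chunks)
        for d in range(n_drives):
            drives[d].append(parity if d == p else next(data_iter))
    return drives


def raid5_read(drives, length):
    """Reassemble the original data, skipping each stripe's parity chunk."""
    n_drives = len(drives)
    out = bytearray()
    for s in range(len(drives[0])):
        p = parity_drive_for(s, n_drives)
        for d in range(n_drives):
            if d != p:
                out += drives[d][s]
    return bytes(out[:length])


def raid5_rebuild(drives, failed):
    """Reconstruct every chunk of drive `failed` (which may be None) from the
    survivors: in each stripe the missing chunk, data or parity, is the XOR
    of all the other chunks in that stripe."""
    n_drives = len(drives)
    n_stripes = len(drives[(failed + 1) % n_drives])
    return [xor_bytes([drives[d][s] for d in range(n_drives) if d != failed])
            for s in range(n_stripes)]


if __name__ == "__main__":
    # Constructed sample: 768 bytes across 4 drives with 64-byte chunks.
    sample = bytes(range(256)) * 3
    array = raid5_write(sample, 4, 64)
    broken = list(array)
    broken[1] = None                      # simulate losing drive 1
    broken[1] = raid5_rebuild(broken, 1)  # rebuild it from the other three
    print("rebuilt data intact:", raid5_read(broken, len(sample)) == sample)
    print("parity overhead:", parity_overhead(4))
```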
RAID 0+1, 10, and 50 are all pretty complex and expensive, and they’re used more often in high-end, high-volume environments than on servers in small businesses or SOHO situations. You’ll see that many of the disk controllers that support RAID offer these options, but they aren’t as applicable for low-end to medium-demand server situations.
High-End Network Adapters

As with disk controllers, network adapters for various server buses are available. You can find versions of such adapters for the PCI, PCI-e x1 and x4, and the PCI-X buses. When shopping for such cards, make sure that Windows Server 2008 drivers are available for them, or you won’t be able to put them to work on your server.
Vendors who offer TCP Offload Engine adapters invariably also require installation of the Windows TCP Chimney Offload on those Windows Server 2008 systems on which they’re to be used. This essentially equips the driver to hand over TCP processing, including IP address information, ports in use, packet sequence numbers, and so forth, without requiring the server CPU(s) to get involved. For any kinds of connections that persist over time and use large packet payloads — such as network storage access, multimedia streaming, and other content-heavy applications — TCP Chimney Offload reduces CPU overhead by delegating network packet processing, including TCP segmentation and reassembly, to the network adapter. In turn, the CPU is freed up to do other things, such as handle additional user sessions or process application or service requests more quickly. Vendors that offer network adapters that work with Windows operating systems are listed in Table A-7, along with price ranges, product descriptions, and URLs.
Table A-7 Windows TOE Network Adapters

Vendor | Product | Prices | Description | URL
------ | ------- | ------ | ----------- | ---
Alacritech | SENxxxx | $449–849 | 1–4 ports, fiber & copper, PCI, PCI-X | www.alacritech.com
Chelsio | S30xx | $795–1,495 | 2–4 ports, copper, PCI-e x1, x4, PCI-X | www.chelsio.com
Dell | NetXtreme II | $100 | Model 5708, 1 port, PCI-e x1 | www.dell.com
HP | Bladesystem | $225–400 | 1 or 2 ports, PCI-X, NC370i, NC373m | www.hp.com
For servers that support fewer than 25 simultaneous users, a network adapter with TOE capability is overkill. If servers support 25–100 users, a network adapter with TOE becomes increasingly helpful, and when handling over 100 users, it helps to keep the server available to handle other tasks as well as managing its network connections.
Appendix B
Windows Troubleshooting Resources
Windows Server 2008 is something of a world unto itself. In fact, it’s a large, complex, and pretty interesting world, as the attached collection of recommended Windows Server 2008 resources in print and online illustrates. In the sections that follow, we look at books and magazines that address Windows 2008 topics, as well as a plethora of Web sites, forums, newsgroups, and more. We start with a series of enthusiastic nods to the source for Windows Server 2008 and a whole raft of additional information and resources — namely, Microsoft itself. After that, we trip over numerous third parties in print and online. Along the way, you should find some fabulous goodies to help you learn more about Windows Server 2008, understand it better, and deal with troubles, trials, and tribulations related to that operating system as and when they should happen to come up.
Marvels from Microsoft

As the company that built the Windows Server 2008 operating system, it’s only natural that Microsoft should also have a lot of information to share about this product. And it doesn’t disappoint in any way, either in terms of volume, coverage, technical depth, and more, more, more than many will ever want to know about Windows Server 2008. We present all of the important online links at the Microsoft sites in Table B-1, each of which includes a name so we can also expand a little on this content in a bulleted list of explanations that follows the table.
Table B-1 Microsoft Windows Server 2008 Resources Online

Name | URL
---- | ---
Blogs | www.microsoft.com/communities/blogs/PortalHome.mspx
Microsoft Press | www.microsoft.com/mspress/hop
TechNet forums: Server 2008 | forums.microsoft.com/TechNet/default.aspx?ForumGroupID161&SiteID=17
TechNet SysInternals Web page | www.microsoft.com/technet/sysinternals/default.aspx
Windows Server 2003 newsgroup | https://www.microsoft.com/technet/prodtechnol/windowsserver2003/newsgroups.mspx
Windows Server 2008 home page | www.microsoft.com/windowsserver2008/default.mspx
Windows Server 2008 Learning Portal | www.microsoft.com/learning/windowsserver2008/default.aspx
Windows Server 2008 TechCenter | http://technet.microsoft.com/en-us/windowsserver/2008/default.aspx
Windows Server 2008 Technical Library | http://technet2.microsoft.com/windowsserver2008/en/library/
• Blogs: Important categories include Windows Server 2008, Windows Longhorn Beta 1, and Windows Longhorn Beta 2. This is where you can find developers, trainers, and key “idea people” from Microsoft explaining what’s up and what’s going on with Windows Server 2008.
• Microsoft Press: This organization publishes lots of materials about the company’s platforms, most notably the Resource Kit titles that act as general technical encyclopedias for the company’s operating systems. This Web page tells you what’s coming down the pike from the press, and while we see numerous interesting Windows Server 2008 resource kit titles on IIS 7.0, Group Policy, Active Directory, productivity solutions, and more as we write this list, we don’t see a single monolithic Windows Server 2008 Resource Kit. (These sometimes take 6–12 months after product release to arrive in print, however.)
• TechNet forums: TechNet is the Microsoft Technical Network, itself a huge compendium of technical information on Microsoft offerings. Among those offerings are online forums, including those for Windows Server 2008 mentioned in the URL (but you can find information about anything and everything Microsoft-related through TechNet).
• TechNet SysInternals Web page: SysInternals is a formerly independent company that’s now part of Microsoft, and its outstanding library of Windows administration tools is still available online. Check out the free tools available at this URL in all of these covered categories: file and disk utilities, security utilities, networking utilities, system information tools, process utilities, and miscellaneous stuff. You’ll find a surprising number of real gems here. (We’re especially fond of TCPView, BgInfo, ProcessMonitor, and the Registry defragmentation tool, PageDefrag.)
• Windows Server 2003 newsgroup: As we write this, no official Windows Server 2008 newsgroups are defined yet, but we expect them to show up in a windowsserver2008 directory like the windowsserver2003/newsgroups entry we include by way of indirect reference here.
• Windows Server 2008 home page: This is the primary jumping-off point in the Microsoft Web pages for all things related to Windows Server 2008. You’ll find pointers to all the other Microsoft resources mentioned here, and more, on this Web page.
• Windows Server 2008 Learning Portal: This is where you can turn for access to official Microsoft Windows Server 2008 training materials and information. At present, Microsoft is offering a free e-book and a free four-part introductory online course on Windows Server 2008 to all comers, but by the time you read this, you’ll probably find different offers and information there instead.
• Windows Server 2008 TechCenter: This is home to the Windows Server 2008 Technical Library, related community resources online, links to popular downloads and recent Knowledge Base articles, and additional resources as well. It’s an outstanding clearinghouse for technical Windows Server 2008 information. Elements of the Technical Library are also available in convenient downloadable form from the Windows Server 2008 Step-by-Step Guides page (www.microsoft.com/downloads/details.aspx?FamilyID=518d870c-fa3e-4f6a-97f5acaf31de6dce&DisplayLang=en). We also provide a direct link to the Windows Server 2008 Technical Library, which is starting to flesh out significantly as this new OS is readied for release.
Windows Server 2008 Books

A quick hop up to your favorite online bookstore will no doubt augment this list immediately, but here are a couple of titles we’ve heard good things about as we’re working on our own book (and as Microsoft continues to ready Windows Server 2008 for its commercial release).
• Administering Windows Server 2008 Server Core, by John Paul Mueller (Wiley Publishing, February 2008) is designed to serve as both a tutorial and a desk reference for administrators. This book includes a discussion of the new interface, describes how to perform all kinds of tasks, and provides a complete reference for relevant Server Core commands. Topics included cover performing essential maintenance, executing registry hacks, automating routine tasks, managing hardware, managing the network, working with TCP/IP, working with applications and data, monitoring system events and performance, managing users, and securing your system. Mueller’s book makes an excellent supplement to this one.
• Windows Server 2008 Implementation and Administration, by Barrie Sosinsky (Wiley Publishing, February 2008). This book provides concise instruction for IT professionals already trained to use earlier versions of Windows Server. It dispenses with common Windows networking technology and concepts that administrators already know, such as DHCP, DNS, and basic Active Directory, to concentrate on the crucial features of the new operating system. This book seeks to bridge the old to the new without making readers relearn familiar material. Thus, this book contains topics that might be found in other Windows Server 2008 books, but it’s organized to enable the reader to use these technologies more quickly. As much as possible, the book presents instructional how-to material with an eye toward teaching administrators to use Windows Server 2008 in new and more productive ways.
Server-Friendly Publications
The entire computer trade press always covers Microsoft, to a greater or lesser extent. Table B-2 points you to publications where you’re most likely to find information relevant to the needs and interests of system or network administrators, and other IT professionals, who are among the people most likely to work with Windows Server 2008 on a day-to-day basis.
Table B-2 Windows Server Publications

Name                                              URL
Microsoft Certified Professional Magazine Online  www.mcpmag.com
Windows IT Pro Magazine                           www.windowsitpro.com
Redmond Magazine                                  www.redmondmag.com
Appendix B: Windows Troubleshooting Resources
• MCP Magazine, as this publication is better known, caters to certified Microsoft professionals, most of whom manage Windows systems and servers for a living. This isn’t an exclusively server-focused publication, but it provides lots of useful information about Microsoft operating systems and technologies.
• WindowsITPro Magazine is probably the best and most highly regarded of the specialty publications that focus on Windows-oriented IT professionals. This publication does a great job of covering server hardware, software, and operating systems and should continue to be a great source of information on Windows Server 2008 for interested professionals.
• Redmond Magazine is another publication that caters to the needs of working IT professionals with a Windows focus. This publication also does a good job of covering server hardware, software, and operating systems, and it’s also devoting increasing coverage to Windows Server 2008.
Other Third-Party Windows Server 2008 Sources
To some extent, we appreciate the existence and variety of third parties who also provide information about Windows Server 2008. That’s because Microsoft sources must toe the company line and can’t always be as exact (or as direct) when it comes to identifying trouble spots and how to work around them. Typically, that’s where the third parties really come into their own, and it’s what makes them so worth attending to, as listed in Table B-3.
Table B-3 Other Third-Party Windows Server Resources

Name                                        URL
Windows Server Troubleshooting              http://teamapproach.ca/trouble
WindowsNetworking.com                       www.windowsnetworking.com
ZDNet Troubleshooting Windows Server 2003   http://downloads.zdnet.com/download.aspx?docid=172733
• Windows Server Troubleshooting: The Canadian Team Approach group has put a stellar server troubleshooting guide together here. Although it doesn’t yet include many Windows Server 2008 specifics, we expect them to remedy this in the near future. It’s one of the best general troubleshooting references we’ve ever seen anywhere.
• WindowsNetworking.com: This is a Web site that caters to professional IT administrators who manage Windows servers, among other elements of the IT infrastructure. Among this site’s many attractions are articles on current and emerging technologies, a large collection of information and tips under an “Admin KnowledgeBase” heading, plus tutorials on all kinds of subjects bound to be of interest to anybody who manages a Windows Server of just about any vintage, including Windows Server 2008. See a collection of Windows Server 2008 articles and tutorials at www.windowsnetworking.com/articles_tutorials/Windows_Server_2008.
• ZDNet Troubleshooting Windows Server 2003: The editors at ZDNet have done a great job of assembling a detailed, thorough Windows Server 2003 troubleshooting guide. While we hope they’ll do likewise for Windows Server 2008 ASAP, there’s a lot in here that remains fresh and relevant, even for those who use Windows Server 2008 instead.
Index
• Symbols and Numerics • 100 Mbps Ethernet, 67 100BaseT standard (Fast Ethernet), 67 100BaseVG-AnyLAN standard, 67 802.11 wireless support, 64
•A• AAM (Admin Approval Mode), 17 access to applications, 33–34 authenticated, 16 controlling, 36 printer, 167–168 problems with, 225–226 remote, 109 to trusts, 154 unauthenticated, 16 user, 275–277 Access Control Lists (ACLs), 149, 227–229, 337–338 access methods, 66 access points (APs), 16 access tokens, 230 Account Lockout Policy, 273 Account tab, 208 accounts Account Lockout Policy, 273 Administrator, 202–203 decoy, 278 domain user, 202 dummy, 278 Guest, 202–204 HelpAssistant, 203 SAM (Security Accounts Manager), 118–119, 140 UAC (User Account Control), 17, 337
user managing, 211 properties, 201–204 user account objects, 201 ACLs (Access Control Lists), 149, 227–229, 337–338 ACT (Application Compatibility Toolkit), 75, 294 activation, 88–89 Active Directory (AD). See also Active Directory Users and Computers console directory permissions, 149–152 directory services, 115–116 domain controllers overview, 118–122 roles, 137–139 features global catalogs, 125–126 overview, 121–122 replication, 122–124 schemas, 124–125 installing, 129–132 locating data, 118 management of ADSI, 148 creating directory objects, 145–147 finding directory objects, 148 overview, 144 Users and Computers console, 144–145 managing data, 117–118 multimaster replication, 141–144 multiplying domains, 133–136 organizing data, 116–117 overview, 36, 115, 137 planning for, 126–129 trust relationships, 140, 152–154
Active Directory Certificate Services (AD-CS), 97 Active Directory Domain Services (AD-DS), 97 Active Directory forests, 122, 125 Active Directory Installation Wizard, 127, 137 Active Directory Lightweight Services (AD-LDS), 98 Active Directory Rights Management Services (AD-RMS), 98 Active Directory Scripting Interface (ADSI), 144, 148 Active Directory Users and Computers console access problems, 225–226 creating accounts Account tab, 208 Address tab, 208 Dial-in tab, 211 General tab, 208 Member Of tab, 210 Organization tab, 210 process of, 204–211 Profile tab, 208–209 Telephones tab, 210 group policies administering, 219–220 auditing, 224 creating, 222–223 overview, 219 processing of, 221–222 groups built-in, 215–217 creating, 214 managing, 215 overview, 212 scopes, 212–214 overview, 144–145, 201 user accounts managing, 211 properties of, 201–204 user profiles, 217–219 Active Server Pages (ASP), 11
AD. See Active Directory; Active Directory Users and Computers console AD Directory Service (DS), 36 AD-CS (Active Directory Certificate Services), 97 Add Printer icon, 160–161 add-in cards, 287–289 address pools, 196 Address tab, 208 addresses, network, 368–369. See also Internet Protocol (IP) addresses AD-DS (Active Directory Domain Services), 97 AD-LDS (Active Directory Lightweight Services), 98 Admin Approval Mode (AAM), 17 administrative control, delegating, 151–152 administrative shares, 277–278 Administrator accounts, 202–203 administrator role, 330 AD-RMS (Active Directory Rights Management Services), 98 ADSI (Active Directory Scripting Interface), 144, 148 advanced permissions, 233 Advanced Security Settings dialog box, 150, 233–234 Advanced tab, 170 Allow or Deny setting, 232 AMD servers administrator role, 330 building inserting PSU, 319–320 installing hard disk drives, 326–327 installing optical disk, 328–329 installing OS, 329–330 overview, 319 seating CPU and cooler, 320–324 seating RAM modules, 324–326 setting up hardware, 329 cases, 318 CPUs, 316–317
disk space, 318 memory, 317 motherboards, 316–317 network connections, 318 overview, 315–316 power supplies, 318 answer files, 356 API (application programming interface), 28, 193 application access, 33–34 Application Compatibility Toolkit (ACT), 75, 294 Application logs, 343 application programming interface (API), 28, 193 Application Server (AS), 98 Applications and Services logs, 343 APs (access points), 16 archive bit, 244 AS (Application Server), 98 ASP (Active Server Pages), 11 ASR (Automated System Recovery), 88–90 ATL (Automated Tape Library), 245 atomic operations, 123 attribute-level ACLs, 227–229 attributes, 121, 228–229, 244 auditing, 224 authenticated access, 16 automated installation, 37, 92, 356–357 Automated System Recovery (ASR), 90 Automated Tape Library (ATL), 245 automatic address allocation mode, 31 automatic client addressing, 14
•B• backbones defined, 43 overview, 69–70 testing, 47 Background Intelligent Transfer Service (BITS), 100
backup destinations, 255–256 backup domain controller (BDC), 119–121, 138, 140 Backup facility command line backups, 253–254 destinations, 255–256 media settings, 255–256 overview, 102, 251–253 scheduling jobs, 256 targets, 254–255 volumes, 254–255 backup media, 248 Backup Operators group, 260–261 backup units, 247–248 backups AD, 130 Backup facility command line backups, 253–254 destinations, 255–256 media settings, 255–256 overview, 102, 251–253 scheduling jobs, 256 targets, 254–255 volumes, 254–255 Backup Operators group, 260–261 evaluating tape systems, 258–260 before making changes, 74, 361 network versus local, 245–246 overview, 241–242 planning, 249–251 potential threats, 242–243 restoring from, 256–257 storage options, 246–249 third-party options, 257–260 types of, 243–245 bad splices, 61 bandwidth, 59, 65–68 banner pages, 170 baseband cable, 58–59 BDC (backup domain controller), 119–121, 138, 140 binary buffer comparisons, 124 binary numbers, 180–181 BitLocker Drive Encryption, 17, 35, 99
BITS (Background Intelligent Transfer Service), 100 blueline copying system, 49 books, Windows Server 2008, 387–389 boot drive, 378 boot partition, 378 Boot Protocol (BOOTP), 31 boot volume, 378 BOOTP (Boot Protocol), 31 broadband transmission, 59 brute-force attacks, 269–271 budgeting, 292–293 buffer coating, 60 built-in groups, 215–217 built-in network interfaces, 52–55 bus mastering, 367 bus slots, 380–381
•C• cable contractors, 58, 65 cable installers, 46, 50 cable segments, 69 cables baseband, 58–59 coaxial, 61–62 fiber-optic, 59–61 HFC networks, 62–63 installing, 46, 64–65 overview, 57–59 plenum-rated, 65 twisted-pair, 59 UTP, 61 cabling plans, 49–50 CAD (Computer Aided Design), 42 callback, 211 Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA), 66–67 Carrier Sense Multiple Access/Collision Detection (CSMA/CD), 66–68 Cartridge Maintenance tab, 170 cases, 289–290, 302, 318
catalog compliance, 355 Cheops application, 52 chimney offload architecture, 28 chimneys, 28 chips, 375 cladding, 61 clients automatic addressing, 14 management of, 37 networking, 21–23 preferences of, 30–35 setting up printing for, 168 WINS, 192 clustering, 15–16, 42 CMAK (Connection Manager Administration Kit), 100 coaxial (coax) cable, 61–62 collapsed backbones, 43 collisions, 66–68, 124 Color Management tab, 170 command line backups, 253–254 compatibility checks, 294–295 componentization, 94 components server controllers, 377–381 disk drives, 377–379 motherboards, 374–375 network adapters, 383–384 overview, 373 processors, 375–376 RAID, 377–378, 381–383 RAM, 376–377 shopping for PC, 293–294 Compound TCP (CTCP), 26 Computer Aided Design (CAD), 42 computer names, 176–177, 191–193 computer rooms, protecting, 264–266 configuring ICT dialog box, 94–95 overview, 93 remote connections, 111–114
Server Manager application console, 96–103 DHCP and DNS, 109–111 directory trees and forests, 103–108 IIS and WMS, 108–109 overview, 95–96 Connection Manager Administration Kit (CMAK), 100 connection state, 28 connection-oriented protocols, 54 container objects, 145–146, 232 context driven, 145 contiguous namespaces, 134 contractors, cable, 58, 65 controllers disk, 377–381 domain backup (BDC), 119–121, 138, 140 modes, 131–132 overview, 104, 118 PDC emulator, 139 primary (PDC), 119–121, 137 promoting, 130 read-only (RODC), 103, 269 upgrading, 126 coolers importance of, 291–292 installing, 323–324 seating, 308–309, 320–324 copy backups, 244 cores, 284–285, 375 CPUs (central processing units) choosing, 316–317 installing, 321–322 overview, 375–376 seating, 305–308, 320–324 speed of, 292 Create Custom View dialog box, 342 Create Time Inheritance, 240 CSMA/CA (Carrier Sense Multiple Access/Collision Avoidance), 66–67 CSMA/CD (Carrier Sense Multiple Access/Collision Detection), 66–68
CTCP (Compound TCP), 26 custom installation, 359–360 Custom Views container, 342
•D• daily backups, 244 data collector sets, 345 data losses, 242–243 data transfer rates, 64 database, AD, 130–131 database size, 143–144 data-based services, 35 Datacenter Edition, Windows Server 2008, 11 decoy accounts, 278 deep searches, 125 default gateways, 184 Default-First-Site, 127 Delegate Administration Wizard, 239 delegating access control, 239 administrative control, 151–152 Delegation of Control Wizard, 152 Desktop Experience, 100 Developer Network, Microsoft, 370 Device Manager application, 341, 345 Device Settings tab, 170 DHCP (Dynamic Host Configuration Protocol), 31–32, 98, 109, 195–197 Dial-in tab, 211 dial-up clients/hosts, 111 differential backups, 244 DIMMS (double inline memory modules), 376 DIP (dual in-line package) switches, 82 Direct Memory Access (DMA), 366 directory objects, 145–148 directory permissions, 149–152 directory restoration mode, 130 directory services. See Active Directory directory trees, 103–104 disabling unnecessary services, 348 disaster recovery, 250–251
disk controllers, 377–381 disk defragmentation, 349 disk drives, 377–379 disk duplexing, 383 disk mirroring, 383 disk space, 169, 286–287, 300–301, 318 distribution groups, 212 DMA (Direct Memory Access), 366 DNS (Domain Name Service) Active Directory, 118–119 client networking, 22 IP addresses, 178, 193–195 domain controller roles, 137–139 domain controllers backup (BDC), 119–121, 138, 140 modes, 131–132 overview, 104, 118 PDC emulator, 139 primary (PDC), 119–121, 137 promoting, 130 read-only (RODC), 103, 269 upgrading, 126 domain name registrars, 179 Domain Name Service (DNS) Active Directory, 118–119 client networking, 22 IP addresses, 178, 193–195 domain trees, 122, 134–136 domain user accounts, 202 domains, 103–104, 118–121 dotted-decimal notations, 180–181 double inline memory modules (DIMMS), 376 drive letters, 86 dry-fit approach, 308 DS (AD Directory Service), 36 dual in-line package (DIP) switches, 82 dual network interfaces, 287, 294 Dummies.com Web site, 5–6 dummy accounts, 278 DVD-ROM, 75, 360–361 dynamic address allocation mode, 31 Dynamic Host Configuration Protocol (DHCP), 31–32, 98, 109, 195–197 dynamic inheritance, 239
•E• ECC (Error Correcting Code) memory, 286–287, 376–377 ECN (Explicit Congestion Notification), 26 education, security, 267–268 Effective Permissions tab, 238 electromagnetic interference (EMI), 59–60 Enable low-resolution video option, 359 encapsulated data, 28 end-to-end connection, 185 Enterprise Edition, Windows Server 2008, 11 enterprise forests, 125 enterprises, needs of, 35–38 Error Correcting Code (ECC) memory, 286–287, 376–377 Ethernet cable notation, 58 Event logs, 342–343 Everyone group, 276 Exchange Server, Microsoft, 118 Explicit Congestion Notification (ECN), 26 explicit permissions, 150–151 extender cards, 52–55 extensibility, 121 eXtensible Markup Language (XML) services, 11
•F• “faceless” computers, 76 Failover Clustering (FC) feature, 102 failover clusters, 15–16, 42, 102 fans, 291–292 Fast Ethernet (100BaseT standard), 67 FAT (File Allocation Table) file system, 79, 227–229, 234–235, 250 Fax and Scan applet, 172–174 faxing, 172–174 FC (Failover Clustering) feature, 102 FC-AL (Fibre Channel Arbitrated Loops), 246 Federated Rights Management, 269 fiber-optic cables, 59–61
Fibre Channel Arbitrated Loops (FC-AL), 246 field-serviceable parts, 12 File Allocation Table (FAT) file system, 79, 227–229, 234–235, 250 file permissions, 229 File Services, 98 file shares, 227 File Transfer Protocol (FTP), 15, 151 firewalls, 18, 95, 186–187, 365 Flexible Single Master Operation (FSMO) roles, 120, 138 floppy disks (floppies), 278–279 Forefront Security Technologies, Microsoft, 17 forest root domains, 104 forests, 103–104, 122, 135–136 form-factor, 10 Forward RTO-Recovery (F-RTO), 27 FQDNs (Fully Qualified Domain Names), 106, 179, 193 F-RTO (Forward RTO-Recovery), 27 FSMO (Flexible Single Master Operation) roles, 120, 138 FTP (File Transfer Protocol), 15, 151 Fully Qualified Domain Names (FQDNs), 106, 179, 193
•G• GbE. See Gigabit Ethernet GDI (Graphics Device Interfaces), 156 General tab, 170, 208 Gigabit Ethernet (GbE) motherboards, 52–53, 287 network backups, 246 network implementation plans, 40–42 overview, 68 global catalogs, 122, 125–126, 148 global groups, 213 globally unique identifiers (GUID), 124 GPDBPA (Group Policy Diagnostic Best Practice Analyzer), 338 graphical user interfaces (GUI), 80, 111 graphics cards, 291
Graphics Device Interfaces (GDI), 156 group policies administering, 219–220 auditing, 224 creating, 222–223 overview, 219 processing of, 221–222 Group Policy Diagnostic Best Practice Analyzer (GPDBPA), 338 Group Policy dialog box, 224 Group Policy tab, 220 groups built-in, 215–217 creating, 214 managing, 215 overview, 212 scopes, 212–214 Guest accounts, 202–204 GUI (graphical user interfaces), 80, 111 GUID (globally unique identifiers), 124
•H• hard disk drives, 311–312, 326–327 hardware for backup systems, 247–249 checking, 364 diagnosing startup errors, 335–336 documenting, 250 enhancements, 366–367 requirements, 78–81, 354–355 server, 355 setting up, 313, 329 “headless” computers, 76 health checks, 36 heat buildup, 291 HelpAssistant accounts, 203 hertz (Hz) ratings, 59 HFC (hybrid fiber-coaxial) networks, 62–63 Hierarchical Storage Management (HSM), 259 high watermark vector, 124 high-loss environments, improving, 27
home theater PCs (HTPCs), 10 host IDs, 180–182 hotfixes, 274 hot-swappable drives, 287 HSM (Hierarchical Storage Management), 259 HTPCs (home theater PCs), 10 HTTP (HyperText Transfer Protocol), 122 hybrid fiber-coaxial (HFC) networks, 62–63 HyperText Transfer Protocol (HTTP), 122 Hz (hertz) ratings, 59
•I• ICMP (Internet Control Message Protocol), 55 icon tray, 89 icons used in this book Key Concept, 5 Remember, 5 Technical Stuff, 6 Tip, 6 Warning, 6 ICT (Initial Configuration Tasks) dialog box, 73, 94–95, 104 IDE (Integrated Drive Electronics) interfaces, 246 IEEE (Institute of Electrical and Electronic Engineers), 58 IETF (Internet Engineering Task Force), 134 IIS (Internet Information Services), 11, 35, 79, 99, 108–109 ILDs (injection laser diodes), 61 ImageX tool, 359 implementation plans, network, 39–42 incremental backups, 245 Indexing Service, 348 inherited permissions, 150–151 Initial Configuration Tasks (ICT) dialog box, 73, 94–95, 104 injection laser diodes (ILDs), 61
installation AD, 129–132 cable, 46, 64–65 cooler, 323–324 CPU, 321–322 network printing, 160–161 optical disk, 312–313, 328–329 OS, 314, 329–330 Windows Server 2008 across the network, 75, 87–88, 356 automated, 75, 92, 356–357 custom, 359–360 DVD-ROM, 75, 360–361 from existing OS, 85–87 failures, 358 hardware requirements, 79–81, 354–355 LKGC, 359 low resolution video, 358–359 overview, 73, 353 planning, 73–79 post-installation tasks, 88–90, 361 problems with, 91–92 process, 82–85 professional, 46 pushing, 75 RIS, 88 troubleshooting, 358 Institute of Electrical and Electronic Engineers (IEEE), 58 Integrated Drive Electronics (IDE) interfaces, 246 Integrated Services Digital Network (ISDN), 109, 364 integrated virtualization, 12 Intel servers administrator role, 314 building cooler, 305–309 CPU, 305–309 hard disk drives, 311–312 optical disks, 312–313 OS, 314
overview, 303 PSU, 304–305 RAM modules, 309–311 setting up hardware, 313 cases, 302–303 CPUs, 298–299 disk space, 300–301 memory, 299–300 motherboards, 298–299 network connections, 301–302 overview, 297–298 power supplies, 302–303 interactive logon, 202 Interactive Logon: Do Not Display Last User Name Policy option, 278 interdomain parent-child relationships, 127 internal network access, 287–289 International Organization for Standardization (ISO), 116 Internet Control Message Protocol (ICMP), 55 Internet Engineering Task Force (IETF), 134 Internet Information Services (IIS), 11, 35, 79, 99, 108–109 Internet Printing Client (IPC), 100 Internet Protocol (IP) addresses classes of, 181–182 components of, 180 configuration of advanced, 189–191 basic, 187–189 overview, 187 DHCP, 195–197 DNS, 193–195 leasing, 184–185 names NetBIOS, 176–177 overview, 175–176 TCP/IP, 178–179 NetBIOS over TCP/IP, 193 network IDs versus host IDs, 180–182 obtaining, 184–185
overview, 175 private, 179, 186 problems with, 197 subnetting of, 182–184 translation of, 185–187 WINS, 191–192 Internet Protocol (TCP/IP) Properties dialog box, 187–188 Internet Protocol Security (IPSec), 18, 32, 185 Internet Protocol version 6 (IPv6), 25–26, 29, 184 Internet SCSI (iSCSI), 54 Internet Security and Acceleration (ISA) Server, 16–17 Internet Service Providers (ISPs), 111–113 Internet Storage Name Server (ISNS), 100 intersite replication, 141–143 intrasite replication, 141–142 inventories, network, 50–52 IP (Internet Protocol) addresses classes of, 181–182 components of, 180 configuration of advanced, 189–191 basic, 187–189 overview, 187 DHCP, 195–197 DNS, 193–195 leasing, 184–185 names NetBIOS, 176–177 overview, 175–176 TCP/IP, 178–179 NetBIOS over TCP/IP, 193 network IDs versus host IDs, 180–182 obtaining, 184–185 overview, 175 private, 179, 186 problems with, 197 subnetting of, 182–184 translation of, 185–187 WINS, 191–192
IP masquerading, 32 IPC (Internet Printing Client), 100 IPng Transition, 181 IPSec (Internet Protocol Security), 18, 32, 185 IPv6 (Internet Protocol version 6), 25–26, 29, 184 ISA (Internet Security and Acceleration) Server, 16–17 iSCSI (Internet SCSI), 54 ISDN (Integrated Services Digital Network), 109, 364 ISNS (Internet Storage Name Server), 100 ISO (International Organization for Standardization), 116 ISPs (Internet Service Providers), 111–113 Itanium-Based Systems, Windows Server 2008 for, 11
•J• jukebox devices, 248
•K• Kerberos, 134, 273 kernels, 13 Key Concept icons, 5 keyboards, 291–292
•L• lab certification, 80–81 LANs (local area networks), 58, 109 large send offload (LSO), 29 Last Known Good Configuration (LKGC), 359–360 LDAP (Lightweight Directory Access Protocol), 36, 117–120, 139 LEDs (light-emitting diodes), 61 legacy clients, 119 light-emitting diodes (LEDs), 61 Lightweight Directory Access Protocol (LDAP), 36, 117–120, 139 lightweight filter (LWF) drivers, 29 listener process, 15 LKGC (Last Known Good Configuration), 359–360 load-balancing, network, 16 local area networks (LANs), 58, 109 local backups, 246 local profiles, 218 logical printer assignments, 158–160 logical printers, 156 logon process, 225–226 logs, 342–343 Longhorn, 9, 126 loopback addresses, 182 low resolution video, 358–359 LPR Port Monitor (LPM), 100 LSO (large send offload), 29 LWF (lightweight filter) drivers, 29
•M• managed entities, 346–347 mandatory profiles, 219 manual address allocation mode, 31 manuals, installation, 77 maps, network capturing data, 49–50 inventories, 50–52 overview, 48–49 updating, 52 masquerading IP, 32 network, 32 Massachusetts Institute of Technology (MIT), 134 master-slave relationships, 119 media backup, 248 network cable installation, 64–65 fiber-optic and coax cables, 60–63 overview, 57–59 wireless, 63–64 media settings, 255–256
Member Of tab, 210 memory main system, 285–287 random access (RAM), 376–377 selecting and sizing AMD servers, 317 Intel servers, 299–300 server versus computer, 10 memory modules, 309–311, 324–326 memory registers, 376 Message Queuing (MQ), 100 methods, 228 mice, 291–292 Microsoft hardware catalog, 81 lab certification, 80–81 troubleshooting resources, 385–387 Web site, 2–3, 80, 148 Microsoft Application Compatibility Toolkit (ACT), 75, 294 Microsoft Developer Network, 370 Microsoft Directory Synchronization Services (MSDSS), 116 Microsoft Exchange Server, 118 Microsoft Forefront Security Technologies, 17 Microsoft Management Consoles (MMCs), 16, 128, 144, 224 Microsoft Small Business Center, 370 MIT (Massachusetts Institute of Technology), 134 mixed mode domains, 131 MMCs (Microsoft Management Consoles), 16, 128, 144, 224 modems, 112 modes AAM (Admin Approval Mode), 17 automatic address allocation, 31 directory restoration, 130 domain operation, 131–132 dynamic address allocation, 31 manual address allocation, 31 native, 131 .NET, 131
monitoring tools, 344 monitors, 78, 291–292 motherboards, 298–299, 316–319, 374–375 MPIO (Multipath I/O), 100 MQ (Message Queuing), 100 MSDSS (Microsoft Directory Synchronization Services), 116 multiboot systems, 74 multi-homed computers, 185 multimaster replication, 120–123, 141–144 Multipath I/O (MPIO), 100 multiple NICs, 23
•N• name services, 33 names. See also Internet Protocol (IP) addresses NetBIOS, 176–177 overview, 175–176 problems with, 368–369 TCP/IP, 178–179 namespaces, 127, 134 naming conventions, 207 NAP (Network Access Protection), 18, 36, 64, 269, 365 NAS (network attached storage) devices, 10–11 NAT (Network Address Translation), 32–33, 179, 184–185 native mode, 131 NDIS (Network Driver Interface Specification), 16, 28–30 NDS (Novell Directory Services), 116–117 nearline backups, 247 .NET Framework 3.0, 99 .NET interim mode, 131 .NET mode, 131 NetBIOS (Network Basic Input-Output System), 118–119, 176–177, 191–193 NetMon (Network Monitor), 367 NetWare, 116
Network Access Protection (NAP), 18, 36, 64, 269, 365 network adapters, 366–367, 383–384 Network Address Translation (NAT), 32–33, 179, 184–185 network addresses, 368–369 network attached storage (NAS) devices, 10–11 network backups, 245–246 Network Basic Input-Output System (NetBIOS), 118–119, 176–177, 191–193 network connections, 318. See also transmission media Network Connections Property page, 113 Network Driver Interface Specification (NDIS), 16, 28–30 Network File System (NFS) Services, 101 network IDs, 180–182 Network Load Balancing (NLB), 16, 102 network maps capturing data, 49–50 inventories, 50–52 overview, 48–49 updating, 52 network masquerading, 32 network media cable installation, 64–65 fiber-optic and coax cables, 60–63 overview, 57–59 wireless, 63–64 Network Monitor (NetMon), 367 Network Monitor Tools check box, 367 network name resolution, 14 Network Operating System (NOS), 116 Network Policy and Access Services (NPAS), 98 Network Policy Server (NPS), 37 Network Printer Installation Wizard, 169 network protocol stacks, 15, 23–24 network segments, 180 network shares, 235–236 network visualization, 52
networks access to, 287–289 backups of, 245–246 design basics, 42–45 cables, 46 checking installations, 47 devices, 45–46 equipment, 46 evaluation, 47–48 guidelines, 42–45 implementation plan, 39–42 interfaces, 52–55 maps, 49–52 overview, 39 devices for, 45–46 drivers, 15 educating users of, 267–268 installing Windows Server across, 75, 87–88, 356 ports, 44 security accounts policies, 223–224 common weaknesses, 277–279 education, 267–268 features, 13, 16–18 maintaining, 279 overview, 263–264 passwords, 270–274 physical access, 264–267 service packs, 274–275 user access, 275–277 usernames, 269–270 NewReno algorithm, 27 Next Generation TCP/IP stack, 24–27 NFS (Network File System) Services, 101 NICs (network interface cards) versus built-ins, 52–54 cabling needs, 58 inventory of, 51 minimum requirements, 354–355 multiple, 23 NLB (Network Load Balancing), 16, 102
noises, hardware, 336 normal backups, 244 NOS (Network Operating System), 116 notebook theft, 266–267 notification area, 89 Novell Directory Services (NDS), 116–117 Novell NetWare, 116 NPAS (Network Policy and Access Services), 98 NPS (Network Policy Server), 37 nslookup tool, 197 NT 4.0, 118–119 ntbackup program, 251–254 NTFS file systems, 230–233, 250
•O• object permissions, 229 object replication, 143 object-oriented, 230–231 objects, 228–230 octets, 180 odors, hardware heating, 336 offline backups, 247 offloading protocol processing, 27–29 online backups, 247 Open Packaging Conventions (OPC), 155 operating environments, protecting, 264–266 operating systems (OS), 85–87, 314, 329–330 operations master roles, 120, 138–139 optical disks, 312–313, 328–329 optical drives, 291–292 optimization, server disabling unnecessary services, 348 disk defragmentation, 349 managed entities, 346–347 overview, 346 turning off Indexing Service, 348 Options button, 220 Organization tab, 210 organizational units (OUs), 126, 129, 145–146, 204, 239
originating updates, 141 OS (operating systems), 85–87, 314, 329–330 OUs (organizational units), 126, 129, 145–146, 204, 239
•P• P2P (peer-to-peer) relationships, 22–23, 120, 138 Packet Internet Groper (ping) command, 55 Password Policy, 271–272 passwords, 223–225, 270–274 patch releases, 274 PDC (primary domain controller), 119–121, 137 PDC emulator, 120, 139 PE (Preinstallation Environment), 360 Peer Name Resolution Protocol (PRNP), 100 peer-to-peer (P2P) relationships, 22–23, 120, 138 performance, evaluating, 47–48 Performance Monitor tool, 344 peripheral input devices, 292 permissions access control, 239–240 AD, 149–150 advanced, 233–234 calculating, 236–238 defined, 202 explicit, 150–151 FAT and FAT32 file systems, 234 inherited, 150–151 NTFS, 232–233 and objects and rights, 228–230 overview, 229–230 printer, 229 share, 235–236 shortcuts, 238 perpendicular magnetic recording (PMR) hard disks, 318 physical print devices, 158
ping (Packet Internet Groper) command, 55 ping tool, 197 plenum-rated cables, 65 plenums, 65 PMC (Print Management Console), 169 PMR (perpendicular magnetic recording) hard disks, 318 PRNP (Peer Name Resolution Protocol), 100 Point-to-Point Protocol (PPP) feature, 113, 272 Point-to-Point Tunneling Protocol (PPTP) feature, 113 policy-based controls, 36–37 pooling, print device, 158–160 Ports tab, 170 POST (Power-On Self-Test), 313, 329 post-installation tasks, 88–90, 361 power supplies, 289–290, 302, 318 power supply units (PSUs), 285, 289–290, 304–305, 318–320 Power-On Self-Test (POST), 313, 329 PowerShell, 13, 102 PPP (Point-to-Point Protocol) feature, 113, 272 PPTP (Point-to-Point Tunneling Protocol) feature, 113 Preboot Extension Environment (PXE), 88 Preinstallation Environment (PE), 360 preinstallation tasks, 75–76 primary domain controller (PDC), 119–121, 137 principle of least privilege, 275 print devices attaching to print servers, 164–166 attaching to servers, 162–164 attaching to workstation PCs, 166–167 drivers, 156 installing, 160 managing, 169 memory, 169 overview, 158, 161–162 pooling, 158–160
Printers folder, 171–172 sharing, 167–168 print jobs, 157 Print Management Console (PMC), 169 print models devices, 158 logical assignments, 158–160 overview, 156–157 print process, 156 print queues, 157 print servers, 157, 164–166 Print Services (PS), 98 print users, 156 printer access, sharing, 167–168 printer permissions, 229 Printer Set Up Wizard, 162–163 printers, 156. See also print devices Printers and Faxes folder, 166–168 Printers folder, 160–161 printing. See also print devices faxing, 172–174 installing on servers, 160–161 overview, 155–156 print model devices, 158 logical assignments, 158–160 overview, 156–157 problems, 171–172 setting up on client side, 168 sharing printer access, 167–168 Windows 2008–based printers, 169–171 private IP addresses, 179 processors, 284–285, 298–299, 375–376 production systems, 250 Profile tab, 208–209 propagation-dampening schemes, 124 property replication, 143 property version numbers (PVNs), 124 property-based inheritance, 239–240 protocol stacks, 15, 23–24 proxy servers, 186–187 PS (Print Services), 98 PSUs (power supply units), 285, 289–290, 304–305, 318–320
publications, Windows Server, 387–389 pushing installations, 75 push/pull concept, 22, 33 PVNs (property version numbers), 124 PXE (Preboot Extension Environment), 88
•Q• Quality of Service (QoS), 13, 25–26 Quality Windows Audio/Video Experience (qWave), 101
•R• RA (Remote Assistance), 101 RADIUS (Remote Authentication Dial-In User Service), 37, 114 RAID (redundant arrays of inexpensive disks) building, 381–383 documenting, 250 overview, 286–288, 377–378 planning for, 301 Raise Domain Functionality dialog box, 131–132 random access memory (RAM) overview, 376–377 seating modules, 309–311, 324–326 RAS (Remote Access Services), 79, 109, 202 RD (Recovery Disc) utility, 101 RDC (Remote Desktop Connection), 34, 37 RDMA (Remote Direct Memory Access), 54 RDP (Remote Desktop Protocol), 34, 37, 95 RE (Recovery Environment), 359–360 read-only domain controller (RODC), 103, 269 receive window auto-tuning, 25–26 receive window size, 25 receive-side scaling, 29–30 Recovery Disc (RD) utility, 101
Recovery Environment (RE), 359–360 redundancy, 23, 37 redundant arrays of inexpensive disks (RAID) building, 381–383 documenting, 250 overview, 286–288, 377–378 planning for, 301 registered ECC, 376 Relative ID (RID) master, 139 Reliability Monitor, 344–345 Remember icons, 5 Remote Access Services (RAS), 79, 109, 202 Remote Assistance (RA), 101 Remote Authentication Dial-In User Service (RADIUS), 37, 114 Remote Desktop Connection (RDC), 34, 37 Remote Desktop Protocol (RDP), 34, 37, 95 Remote Direct Memory Access (RDMA), 54 Remote Installation Service (RIS), 75, 88 Remote Server Administration Tools (RSAT), 97, 101 Removable Storage Manager (RSM), 101, 251 replicated updates, 141 replication, 122–124, 141–144 replication cycles, 123, 139, 141–143 Requests for Comments (RFCs), 134 resources, third-party Windows Server, 389–390 RFCs (Requests for Comments), 134 RID (Relative ID) master, 139 RIS (Remote Installation Service), 75, 88 roaming profiles, 217–219 RODC (read-only domain controller), 103, 269 root domains, 122 round trip time (RTT), 27 route tool, 197 routers, 54, 180, 185
405
Windows Server 2008 For Dummies Routing and Remote Access management console, 109–111 routing capability, 109, 364–365 RSAT (Remote Server Administration Tools), 97, 101 RSM (Removable Storage Manager), 101, 251 RTT (round trip time), 27
•S• SACK (Selective Acknowledgement) option, 27 SAM (Security Accounts Manager), 118–119, 140 SAN (storage area networks), 11, 246 SATA (Serial Advanced Technology Attachment) hard drives controllers overview, 377–378 versus SCSI controllers, 379–381 local backup, 246 overview, 377–380 scanning, 172–174 schemas, 124–125, 138–139 SCSI (Small Computer System Interface) hard drives controllers overview, 377–378 versus SATA controllers, 379–381 drivers, 78 local backup, 246 overview, 377–379 Search components, 148 secure sockets layer (SSL), 17, 185 Security Accounts Manager (SAM), 118–119, 140 security groups, 212 Security Log, 224 security, network accounts policies, 223–224 common weaknesses, 277–279 education, 267–268 features, 13, 16–18
maintaining, 279 overview, 263–264 passwords, 270–274 physical access, 264–267 resources, 279 service packs, 274–275 user access, 275–277 usernames, 269–270 security policies, 267–268 Security Reference Monitor (SRM), 230 Security tab, 150, 170 segments cable, 69 network, 180 Selective Acknowledgement (SACK) option, 27 sequence identifiers, 29 Serial Advanced Technology Attachment (SATA) hard drives controllers overview, 377–378 versus SCSI controllers, 379–381 local backup, 246 overview, 377–380 Serial Line Internet Protocol (SLIP) feature, 113 Server 2008 basics of, 18–19 DVD-ROM, 75, 360–361 editions of, 11–12 minimum requirements for, 354 networking features overview, 14 security, 16–18 Server Manager, 16 server services, 14–16 online resources, 386–387 overview, 9–11 problems, 332–337 publications, 387–389 reasons to use, 12–14 security features, 269 third-party resources, 389–390 utilities, 81
server clusters, 15–16 Server Core installation option, 284 Server Manager application directory trees and forests, 103–108 features, 99–102 overview, 12–13, 16, 96–103 server roles, 97–99 WMS, 108–109 server networking versus client networking, 21–23 enhancement of NDIS, 28–30 Next Generation TCP/IP stack, 24–27 offloading protocol processing, 27–28 overview, 24 TCP Chimney, 28 multiple NICs, 23 overview, 21–38 services client preferences, 30–35 enterprise preferences, 35–38 overview, 30 server optimization disabling unnecessary services, 348 disk defragmentation, 349 managed entities, 346–347 overview, 346 turning off Indexing Service, 348 server roles list of, 97–99 overview, 95–96 servers cases, 289–290 components of, 291–292 graphics, 291 hardware, 9–10, 293 memory, 285–286 prices, 377 selecting and sizing, 299–300, 317 server versus computer, 10 motherboards, 374–375 network access, 287–289 overview, 284 power supply, 289–290
preparing for installation, 82 processors, 284–285, 375–376 RAID, 286–287 setting up, 104–108 WINS, 192 service applications, 15 Service Hardening, 17 Service logs, 343 service packs, 89–90, 274–275 services defined, 228 disabling, 348 Services tool, 367–368 session serialization, 29 Setup logs, 342–343 setup process, 78–79, 82–85 share system volume (SYSVOL), 130–131 shared system memory, 366 SharePoint Services, 35 shares administrative, 277–278 file, 227 network, 235–236 sharing printer access, 167–168 Sharing tab, 170 Shiva Password Authentication Protocol (SPAP), 272 shopping, PC component, 293–294 Simple Mail Transfer Protocol (SMTP), 101 sites, 127–129, 141 SLIP (Serial Line Internet Protocol) feature, 113 Small Business Center, Microsoft, 370 Small Computer System Interface (SCSI) hard drives controllers overview, 377–378 versus SATA controllers, 379–381 drivers, 78 local backup, 246 overview, 377–379 smart cards, 114 smells, hardware heating, 336
SMTP (Simple Mail Transfer Protocol), 101 software backup, 248–249 deployment, 37–38 installation, 77–78 SPAP (Shiva Password Authentication Protocol), 272 splicing cables, 61 spooling, print job, 157, 169 SRM (Security Reference Monitor), 230 SSL (secure sockets layer), 17, 185 stacks, network protocol, 15, 23–24 staged backbones, 43 Standard Edition, Windows Server 2008, 11 static discharge, 303 static model, 240 storage area networks (SAN), 11, 246 Storage Server 2008, 11 striping, 382–383 subnet masks, 182–183 subnetting, 182–184 Super Video Graphics Array (SVGA) monitors, 78 support, troubleshooting, 369–370 SVGA (Super Video Graphics Array) monitors, 78 Syspart utility, 357 Sysprep utility, 357 system drives, 378 system partitions, 378 system testing, 47 system tray, 89 system volumes, 378 SYSVOL (share system volume), 130–131
•T• tabs Account, 208 Address, 208 Advanced, 170 Cartridge Maintenance, 170
Color Management, 170 Device Settings, 170 Dial-in, 211 Effective Permissions, 238 General, 170, 208 Group Policy, 220 Member Of, 210 Organization, 210 Ports, 170 Profile, 208–209 Security, 150, 170 Sharing, 170 Telephones, 210 tape backup systems, 249–250, 258–260 targets, 254–255 TCP Chimney feature, 28 TCP/IP (Transmission Control Protocol/Internet Protocol) configuring requirements, 187–191 names, 178–179 NetBIOS, 193 problems, 197 resources, 196 toolkits, 365–366 TCP/IP Offload Engine (TOE) cards, 54, 302, 318, 366, 383–384 TechNet CD, 370 Technical Stuff icons, 6 technology. See components Telephones tab, 210 Telnet application services, 15 Telnet Client, 101 Telnet Server, 101 telnet tool, 197 Terminal Services (TS), 33–35, 98 test plans, 40–42 TFTP (Trivial File Transfer Protocol), 101 thermal paste, 308–309, 323 third-party backup packages, 258 third-party Windows Server resources, 389–390 threats, data, 242–243 throughput, 59 time stamps, 124
Tip icon, 6 TOE (TCP/IP Offload Engine) cards, 54, 302, 318, 366, 383–384 top-level domains, 178 TPM (Trusted Platform Module), 17 tracert tool, 197 transceivers, 61 Transmission Control Protocol/Internet Protocol (TCP/IP) configuring requirements, 187–191 names, 178–179 NetBIOS, 193 problems, 197 resources, 196 toolkits, 365–366 transmission media backbones, 69–70 bandwidths, 65–68 network media cable installation, 64–65 fiber-optic and coax cables, 60–63 overview, 57–59 wireless, 63–64 overview, 57 transparent infrastructure, 30 trees directory, 103–104 domain, 122, 134–135 Trivial File Transfer Protocol (TFTP), 101 troubleshooting hardware and software updates, 340–341 network hardware problems, 364 names and addresses, 368–369 network adapters, 366–367 Network Monitor, 367 overview, 363 preventing problems, 370 recent changes, 369 routing, 364–365 Services tool, 367–368 support for, 369–370 TCP/IP toolkits, 365–366 overview, 331–332
resources for Microsoft, 385–387 overview, 385 publications, 387–389 third-party sources, 389–390 run-time issues Group Policy infrastructure, 338 overview, 337 printing infrastructure, 338–339 User Account Control, 337–338 Server Manager Event Viewer, 341–343 overview, 341 Performance Diagnostics, 343–345 Services, 343 setup failures overview, 332 restart failure, 333 unavailable partition, 332–333 startup errors, 335–336 startup failures corrupt file or volume, 334–335 driver failure, 334 hardware failure, 334 malware or viral infection, 335 misconfigured settings, 335 Windows activation, 339–340 trust relationships, 120, 133–134, 140, 152–154 Trusted Platform Module (TPM), 17 TS (Terminal Services), 33–35, 98 twisted-pair cables, 59 two-way transitive trusts, 104
•U• UAC (User Account Control), 17, 337 UDDI (Universal Description, Discovery, and Integration), 99 unattended installation, 37, 92, 356–357 unauthenticated access, 16 Uniform Resource Locators (URLs), 178 uninterruptible power supply (UPS) devices, 76, 265, 290
units backup, 247–248 organizational (OUs), 126, 129, 145–146, 204, 239 Universal Description, Discovery, and Integration (UDDI), 99 universal groups, 131, 213 unshielded twisted pair (UTP) cables, 61 update sequence numbers (USNs), 123–124 upgrade installation, 73–74 UPS (uninterruptible power supply) devices, 76, 265, 290 up-to-date vectors, 124 URLs (Uniform Resource Locators), 178 user access, 275–277 User Account Control (UAC), 17, 337 user account objects, 201 user accounts managing, 211 properties, 201–204 User Creation Wizard, 146–147 user objects, 146–147 user profiles, 217–219 user rights, 202, 229–230, 276–277 usernames, 269–270, 278 USNs (update sequence numbers), 123–124 UTP (unshielded twisted pair) cables, 61
•V• VeriSign domain name registrar, 178–179 VGA (Video Graphics Array) monitors, 78 Video Graphics Array (VGA) monitors, 78 video, low resolution, 358–359 virtual private networks (VPNs), 17 virtualization capability, 14, 115, 292–293 viruses, 242–243 Visio application, 52 Vista, 9 Vista Upgrade Advisor, 294 visualization, network, 52 volumes, 254–255 VPNs (virtual private networks), 17
•W• WANs (wide area networks), 57, 109, 127 Warning icons, 6 WCF (Windows Communication Foundation) Web Services, 34 WDS (Windows Deployment Services), 99 Web Edition, Windows Server 2008, 11 Web Server, 11, 35, 79, 99, 108–109 Web-based services, 35 WER (Windows Error Reporting), 345 WID (Windows Internal Database), 102 wide area networks (WANs), 57, 109, 127 WIF (Windows Imaging Format), 38, 359–361 WiFi (wireless) devices, 63–64 Wi-Fi Protected Access 2 (WPA2), 64 Windows Communication Foundation (WCF) Web Services, 34 Windows Deployment Services (WDS), 99 Windows Fax and Scan applet, 172–174 Windows Firewall, 18, 95, 187, 365 Windows Imaging Format (WIF), 38, 359–361 Windows Indexing Service, 348 Windows Internal Database (WID), 102 Windows Internet Name Service (WINS), 33, 102, 178, 191–193 Windows Management Instrumentation (WMI) enhancements, 16 Windows Media Services (WMS), 108–109 Windows NT 4.0, 118–119 Windows PowerShell, 13, 102 Windows Preinstallation Environment (PE), 360 Windows Process Activation Service (WPAS), 102 Windows Recovery Environment (Windows RE), 359–360 Windows Server 2008. See also Active Directory basics of, 18–19 DVD-ROM, 75, 360–361 editions of, 11–12
minimum requirements for, 354 networking features overview, 14 security, 16–18 Server Manager, 16 server services, 14–16 online resources, 386–387 overview, 9–11 problems, 332–337 publications, 387–389 reasons to use, 12–14 security features, 269 third-party resources, 389–390 utilities, 81 Windows Server Backup (WSB) facility command line backups, 253–254 destinations, 255–256 media settings, 255–256 overview, 102, 251–253 scheduling jobs, 256 targets, 254–255 volumes, 254–255 Windows Server Catalog, 355 Windows Server Virtualization, 14, 115, 292–293 Windows Service Hardening, 17 Windows SharePoint Services (WSP), 99 Windows Storage Server 2008, 11 Windows System Resource Manager (WSRM), 102 Windows Vista features, 9 WINS (Windows Internet Name Service), 33, 102, 178, 191–193
wireless (WiFi) devices, 63–64 Wireless LAN (WLAN) Service, 102 wireless networks, 63–64 wiring systems, 59 WLAN (Wireless LAN) Service, 102 WMI (Windows Management Instrumentation) enhancements, 16 WMS (Windows Media Services), 108–109 WPA2 (Wi-Fi Protected Access 2), 64 WPAS (Windows Process Activation Service), 102 WSB (Windows Server Backup) facility command line backups, 253–254 destinations, 255–256 media settings, 255–256 overview, 102, 251–253 scheduling jobs, 256 targets, 254–255 volumes, 254–255 WSB facility. See Windows Server Backup (WSB) facility WSP (Windows SharePoint Services), 99 WSRM (Windows System Resource Manager), 102
•X• X.500 directory, 116–118, 121 XML (eXtensible Markup Language) services, 11 XPS (XML Paper Specification), 155
BUSINESS, CAREERS & PERSONAL FINANCE Also available:
Business Plans Kit For Dummies 0-7645-9794-9 Economics For Dummies 0-7645-5726-2 Grant Writing For Dummies 0-7645-8416-2 Home Buying For Dummies 0-7645-5331-3 Managing For Dummies 0-7645-1771-6 Marketing For Dummies 0-7645-5600-2
Personal Finance For Dummies 0-7645-2590-5* Resumes For Dummies 0-7645-5471-9 Selling For Dummies 0-7645-5363-1 Six Sigma For Dummies 0-7645-6798-5 Small Business Kit For Dummies 0-7645-5984-2 Starting an eBay Business For Dummies 0-7645-6924-4 Your Dream Career For Dummies 0-7645-9795-7
HOME & BUSINESS COMPUTER BASICS Also available:
Cleaning Windows Vista For Dummies 0-471-78293-9 Excel 2007 For Dummies 0-470-03737-7 Mac OS X Tiger For Dummies 0-7645-7675-5 MacBook For Dummies 0-470-04859-X Macs For Dummies 0-470-04849-2 Office 2007 For Dummies 0-470-00923-3
Outlook 2007 For Dummies 0-470-03830-6 PCs For Dummies 0-7645-8958-X Salesforce.com For Dummies 0-470-04893-X Upgrading & Fixing Laptops For Dummies 0-7645-8959-8 Word 2007 For Dummies 0-470-03658-3 Quicken 2007 For Dummies 0-470-04600-7
FOOD, HOME, GARDEN, HOBBIES, MUSIC & PETS Also available:
Candy Making For Dummies 0-7645-9734-5 Card Games For Dummies 0-7645-9910-0 Crocheting For Dummies 0-7645-4151-X Dog Training For Dummies 0-7645-8418-9 Healthy Carb Cookbook For Dummies 0-7645-8476-6 Home Maintenance For Dummies 0-7645-5215-5
Horses For Dummies 0-7645-9797-3 Jewelry Making & Beading For Dummies 0-7645-2571-9 Orchids For Dummies 0-7645-6759-4 Puppies For Dummies 0-7645-5255-4 Rock Guitar For Dummies 0-7645-5356-9 Sewing For Dummies 0-7645-6847-7 Singing For Dummies 0-7645-2475-5
INTERNET & DIGITAL MEDIA Also available:
Blogging For Dummies 0-471-77084-1 Digital Photography For Dummies 0-7645-9802-3 Digital Photography All-in-One Desk Reference For Dummies 0-470-03743-1 Digital SLR Cameras and Photography For Dummies 0-7645-9803-1 eBay Business All-in-One Desk Reference For Dummies 0-7645-8438-3 HDTV For Dummies 0-470-09673-X
Home Entertainment PCs For Dummies 0-470-05523-5 MySpace For Dummies 0-470-09529-6 Search Engine Optimization For Dummies 0-471-97998-8 Skype For Dummies 0-470-04891-3 The Internet For Dummies 0-7645-8996-2 Wiring Your Digital Home For Dummies 0-471-91830-X
* Separate Canadian edition also available † Separate U.K. edition also available
Available wherever books are sold. For more information or to order direct: U.S. customers visit www.dummies.com or call 1-877-762-2974. U.K. customers visit www.wileyeurope.com or call 0800 243407. Canadian customers visit www.wiley.ca or call 1-800-567-4797.
SPORTS, FITNESS, PARENTING, RELIGION & SPIRITUALITY Also available:
Catholicism For Dummies 0-7645-5391-7 Exercise Balls For Dummies 0-7645-5623-1 Fitness For Dummies 0-7645-7851-0 Football For Dummies 0-7645-3936-1 Judaism For Dummies 0-7645-5299-6 Potty Training For Dummies 0-7645-5417-4 Buddhism For Dummies 0-7645-5359-3
Pregnancy For Dummies 0-7645-4483-7 † Ten Minute Tone-Ups For Dummies 0-7645-7207-5 NASCAR For Dummies 0-7645-7681-X Religion For Dummies 0-7645-5264-3 Soccer For Dummies 0-7645-5229-5 Women in the Bible For Dummies 0-7645-8475-8
TRAVEL Also available:
Alaska For Dummies 0-7645-7746-8 Cruise Vacations For Dummies 0-7645-6941-4 England For Dummies 0-7645-4276-1 Europe For Dummies 0-7645-7529-5 Germany For Dummies 0-7645-7823-5 Hawaii For Dummies 0-7645-7402-7
Italy For Dummies 0-7645-7386-1 Las Vegas For Dummies 0-7645-7382-9 London For Dummies 0-7645-4277-X Paris For Dummies 0-7645-7630-5 RV Vacations For Dummies 0-7645-4442-X Walt Disney World & Orlando For Dummies 0-7645-9660-8
GRAPHICS, DESIGN & WEB DEVELOPMENT Also available:
3D Game Animation For Dummies 0-7645-8789-7 AutoCAD 2006 For Dummies 0-7645-8925-3 Building a Web Site For Dummies 0-7645-7144-3 Creating Web Pages For Dummies 0-470-08030-2 Creating Web Pages All-in-One Desk Reference For Dummies 0-7645-4345-8 Dreamweaver 8 For Dummies 0-7645-9649-7
InDesign CS2 For Dummies 0-7645-9572-5 Macromedia Flash 8 For Dummies 0-7645-9691-8 Photoshop CS2 and Digital Photography For Dummies 0-7645-9580-6 Photoshop Elements 4 For Dummies 0-471-77483-9 Syndicating Web Sites with RSS Feeds For Dummies 0-7645-8848-6 Yahoo! SiteBuilder For Dummies 0-7645-9800-7
NETWORKING, SECURITY, PROGRAMMING & DATABASES Also available:
Access 2007 For Dummies 0-470-04612-0 ASP.NET 2 For Dummies 0-7645-7907-X C# 2005 For Dummies 0-7645-9704-3 Hacking For Dummies 0-470-05235-X Hacking Wireless Networks For Dummies 0-7645-9730-2 Java For Dummies 0-470-08716-1
Microsoft SQL Server 2005 For Dummies 0-7645-7755-7 Networking All-in-One Desk Reference For Dummies 0-7645-9939-9 Preventing Identity Theft For Dummies 0-7645-7336-5 Telecom For Dummies 0-471-77085-X Visual Studio 2005 All-in-One Desk Reference For Dummies 0-7645-9775-2 XML For Dummies 0-7645-8845-1