0505 Windows Server 2008 One-Day Essentials Workshop Part I

Module 1 Server Management in Windows Server 2008

Transcript of 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Page 1: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Module 1

Server Management in Windows Server 2008

Page 2: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Server Management Overview

Page 3: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Primary Management Tools

Server Manager Console: New MMC snap-in provides a consolidated view of the server, including server configuration, status of installed roles, and links for adding/removing roles and features

Initial Configuration Tasks: Guides you through the process of configuring a new server

Benefits

• Easy, systematic, single interface for all management

• More secure and reliable

• Ensures service prerequisites are met

Page 4: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Alternative Management Tools

Windows PowerShell

ServerManagerCmd.exe

Remote Management

• Windows Remote Management (WS-Management)

• Windows Remote Shell (WinRS)

Event Subscriptions

Task Scheduling based on Events

Microsoft System Center

Page 5: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Technical Background

Server Manager

Server Manager Wizards

Server Roles

Initial Configuration Tasks

Features

Page 6: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Server Manager

Server Role: primary server services; provide access to network resources; include databases or records; automatically enable features

• AD Certificate Services

• AD Domain Services

• AD Federation Services

• AD Lightweight Directory Services

• AD Rights Management Services

• Application Server

• DHCP/DNS Server

• Fax Server/File Service

• Network Policy and Access Service

• Print Service

• Terminal Services

• UDDI Services

• Web Service (IIS)

• Windows Deployment Services

• Windows SharePoint Services

Role Service

Feature: enhances the server's functionality; not tied to a specific role

• .NET Framework 3.0

• BitLocker Drive Encryption

• BITS Server Extension

• Connection Manager Admin Kit

• Desktop Experience

• Failover Clustering

• Group Policy Management

• Internet Printing Client

• Internet Storage Name Server

• LPR Port Monitor/Message Queuing

• Multipath I/O, Network Load Balancing

• Peer Name Resolution Protocol

• Quality Windows Audio Video Experience

• Remote Assistance

• Remote Differential Compression

• Removable Storage Manager

• RPC over HTTP Proxy

• Simple TCP/IP Services

• SMTP Server/SNMP Services

• Storage Manager for SANs

• Subsystem for UNIX-based Applications

• Telnet Client/Server/TFTP Client

• Windows Internal Database

• Windows PowerShell

• Windows Process Activation Service

• Windows Recovery Disc

• Windows Server Backup Features

• Windows System Resource Manager

• WINS Server

• Wireless LAN Service

Page 7: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Demonstration: Server Manager Overview

• Server Manager Overview

• Performing Key Tasks

• Using ServerManagerCmd.exe

Page 8: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Implementation/Usage Scenarios

Improved Security

Improved Server Administration

Improved New Server Deployment and Configuration

Page 9: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Recommendations

To manage roles from a command prompt, use ServerManagerCmd.exe

For multiple server administration, use Windows PowerShell

For single server administration, use Server Manager

For Remote Management, use Windows Remote Management (based on WS-Management Standard)

Use Event Subscriptions to collect Event Viewer logs from multiple servers

Use System Center for enterprise-wide management

Page 10: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Server Core

Page 11: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Overview

Server Core Installation

Active Directory, AD Lightweight Directory Services, DHCP Server, DNS Server, File Services, Print Services, Windows Media Services, Windows Virtualization Services

Benefits of Server Core

• Reduced maintenance

• Reduced attack surface

• Reduced management

• Less disk space required

Server Core

Page 12: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Technical Background

Deployment

Server Roles

Prerequisites

Optional Features

Managing a Server Core Installation

Page 13: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Demonstration: Managing a Server Core

• Locally and remotely via the Command Prompt

• Remotely via MMC

Server Core

Page 14: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Time zone / time, locale / keyboard settings

Control TimeDate.cpl

Control Intl.cpl

Administrator password

Net User Administrator *

Computer name / restart

Hostname

Netdom RenameComputer <current hostname> /NewName:<new hostname> /Force /Reboot:10

Static IP address

Netsh Interface IPV4 Show Interfaces

Netsh Interface IPV4 Set Address Name=<interface ID> Source=Static Address=<IP address> Mask=<subnet mask> Gateway=<gateway address>

Netsh Interface IPV4 Add DnsServer Name=<interface ID> Address=<DNS server IP> Index=1

Join a domain / add a specified domain user to the local Administrators group / restart

Netdom Join <hostname> /Domain:<domain name> /UD:<privileged account name> /PD:*

Net LocalGroup Administrators /Add <domain name>\<domain account name>

Shutdown /r /f /t 10

Page 15: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Activation

SLMGR.vbs -xpr

SLMGR.vbs -ato

Enable the firewall

Netsh Firewall Set OpMode Enable

Netsh Firewall Set ICMPSetting 8 Enable

Enable Remote Desktop

Cscript %windir%\System32\ScRegEdit.wsf /ar 0

Enable automatic updates

Cscript %windir%\System32\ScRegEdit.wsf /au 4

Add server roles

Start /w OcSetup DHCPServerCore

Start /w OcSetup DNS-Server-Core-Role

Start /w OcSetup Printing-ServerCore-Role

Dcpromo /Unattend:<unattended installation file name>

Page 16: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Implementation/Usage Scenarios

Reduced attack surface

Reduced management

Reduced maintenance

Less disk space required

Page 17: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Recommendations

Publish cmd.exe using Terminal Services RemoteApp to allow you to run cmd.exe in a window on your local machine rather than in a full terminal services client

Implement Server Core whenever possible

Minimize administrative access to the system

Ensure physical security of the server

Implement BitLocker Drive Encryption

Page 18: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Windows PowerShell

Page 19: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Overview

What are cmdlets?

What is PowerShell?

Benefits

What can I do with PowerShell?

Prerequisites

Page 20: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Technical Background

Cmdlets | New Scripting Language

Native Support

Important Concepts

Administration

PowerShell Pipeline

Security

Aliasing

Navigation

Page 21: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Demonstration: Using Windows PowerShell

• Getting Help

• Navigating Windows PowerShell

• Adding a User to Active Directory

Page 22: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Implementation/Usage Scenarios

Server/Role Management

Command-Line Services, Processes, Registry, and WMI Data Management

Terminal Server

IIS 7.0

AD

Exchange 2007

MOM 2007

Page 23: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Recommendations

Don’t throw away any existing scripts or batch files – they can still be used!

Start using Windows PowerShell immediately!

Don’t forget the power of the wildcard, such as “get-services*”

Don’t deploy Windows PowerShell on any machine where it is not actually needed

Centrally control Windows PowerShell security settings through GPOs – do it now!

Page 24: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Module 2

Centralized Application Access with Windows Server 2008

Page 25: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Terminal Services Core Functionality

Page 26: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Overview

Who will be interested in the new capabilities of Terminal Services?

What is Centralized Application Access?

Benefits & Uses of Terminal Services

Terminal Services Installation, Configuration & Management

New Features:

• Experience

• Security

• Manageability & Scalability

[Diagram labels: Mobile Worker; In Airport; Branch Office; Home Office; Central Location; Client Connectivity]

Page 27: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Support for 64-bit Architecture and Hardware

Provides a significantly larger virtual address space for kernel data structures

Accommodates more TS user sessions

Runs 32-bit software without recompiling

Runs 64-bit drivers/software specifically compiled for 64-bit environment

Runs 32-bit applications at high performance

4 GB user VA for large memory-aware processes

Runs 64-bit applications

8 TB virtual address space

Reduces mapping and soft page faults

Eases migration to 64-bit infrastructure

Page 28: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Installation and Configuration

Terminal Services roles that can be installed:

• Terminal Server

• TS Licensing

• TS Session Broker

• TS Gateway

• TS Web Access

Configuring Terminal Services

• Install programs on server

• Configure remote connection settings

• Configure clients to use Terminal Services

Page 29: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Authentication

Network Level Authentication – finishes user authentication before you establish a full remote connection and the desktop appears

Server Authentication – verifies that you are connecting to the correct remote computer

Single Sign-On – allows a user with a domain account to log on once, using a password or smart card, and then gain access to remote servers without being asked for their credentials again

Page 30: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Terminal Services SSO Configuration

The client must be Vista or Windows Server 2008

• Enable "Allow default credentials to be used for logging on to the specified Terminal Services"

• Computer Configuration, Administrative Templates, System, Credentials Delegation: enable "Allow Delegating Default Credentials", click "Show", Add, "TermSrv/<terminal server name>" (FQDN, NetBIOS name)

The server must be Windows Server 2008

• Terminal Services Configuration, RDP-TCP, General: set the security layer to "Negotiate" or "SSL (TLS 1.0)"

The domain account must be usable on both the client and the server

Page 31: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Device Redirection

Plug and Play Device Redirection

• Windows Portable Devices

• Media players, based on Media Transfer Protocol (MTP)

• Digital cameras, based on Picture Transfer Protocol (PTP)

Windows Point of Service (POS) Device Redirection

• Implement POS for .NET 1.1 (downloadable)

• Configure .rdp file

• Connect device

Page 32: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Remote Experience Improvements

Monitor Spanning

Desktop Experience

Font Smoothing

Custom Display Resolutions

Display Data Prioritization

32-Bit Color

TS Easy Print

Page 33: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Demonstration: User Experience Enhancements

• Plug & Play Redirection configuration

• Remote Desktop Connection Display configuration

Page 34: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Implementation/Usage Scenarios

Security Enhancement

Centralized Application Management

User Productivity Enhancement

Complexity Reduction

Centralized Application Access

Branch Office Environments

Page 35: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Recommendations

Configure client systems to use RDC 6.0

Implement new features to enhance user experience

Use Single Sign-On

Implement TS Gateway, TS RemoteApp and TS Web capabilities

Upgrade existing Terminal Servers to Windows Server 2008

Use x64 hardware and WSRM

Page 36: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Terminal Services Gateway

Page 37: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Overview

Benefits of a TS Gateway

TS Gateway Management

TS Gateway Prerequisites

[Diagram labels: Hotel; Home; Business Partner/Client Site; HTTPS / 443; Terminal Services Gateway Server; NPS; DC; TS; Other RDP Hosts; Strips off RPC/HTTPS; Passes RDP/SSL traffic to TS]

Page 38: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Benefits of TS Gateway

Allows you to control access to specific resources

Reduces management costs

Facilitates consolidation of existing Terminal Servers

Can be integrated with Network Policy Server, enabling centralized policy deployment and lower TCO

Eliminates the need to configure VPN connections

Allows monitoring on remote connections

Enables connections across firewalls and NATs

Page 39: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

TS Gateway Management

TS Gateway Management Snap-In:

• Provides a single, one-stop tool to configure policies that define the conditions that must be met before users can connect.

• Provides a tool to monitor TS Gateway events.

• Allows you to review details about connections.

No remote computers are directly exposed to the internet; all data remains within the corporate network.

Page 40: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Prerequisites for a TS Gateway

A Network Policy Server (NPS) to centralize the storage, management and validation of TS Gateway policies

A certificate for the TS Gateway server that meets these requirements:

• Computer certificate

• Intended purpose – server authentication

• Has a corresponding private key

A server with Windows Server 2008 installed

Administrator must be a member of the Administrators group on this machine
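
The certificate requirements above can be checked on the gateway server before the certificate is mapped. The following is an added example, not part of the original slides; it assumes PowerShell 2.0 or later, the function name Test-GatewayCertificate is hypothetical, and the validity-period and self-signed checks are additions beyond the three listed requirements.

```powershell
# Added example, not from the original slides. Assumes PowerShell 2.0 or later.
# Audits certificates in the local computer's Personal store against the
# TS Gateway certificate requirements listed on this slide.

function Test-GatewayCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # OID of the Server Authentication enhanced key usage.
        [string]$ServerAuthOid = '1.3.6.1.5.5.7.3.1'
    )

    # Requirement: intended purpose is server authentication.
    # Only an explicit Server Authentication EKU counts here; a certificate
    # with no EKU extension is reported separately for manual review.
    $hasEkuExtension = $false
    $serverAuthEku   = $false
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $hasEkuExtension = $true
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $ServerAuthOid) { $serverAuthEku = $true }
            }
        }
    }

    # Extra check (not one of the three listed requirements): validity period.
    $now      = Get-Date
    $inPeriod = ($Certificate.NotBefore -le $now) -and ($Certificate.NotAfter -ge $now)

    # Extra check: subject equal to issuer is the usual sign of a self-signed
    # certificate.
    $selfSigned = ($Certificate.Subject -eq $Certificate.Issuer)

    New-Object PSObject -Property @{
        Subject           = $Certificate.Subject
        Thumbprint        = $Certificate.Thumbprint
        HasEkuExtension   = $hasEkuExtension
        ServerAuthEku     = $serverAuthEku
        # Requirement: has a corresponding private key.
        HasPrivateKey     = $Certificate.HasPrivateKey
        InValidityPeriod  = $inPeriod
        SelfSigned        = $selfSigned
        # True when the listed requirements are met for a certificate
        # found in the computer store.
        MeetsRequirements = ($serverAuthEku -and $Certificate.HasPrivateKey)
    }
}

# Requirement: computer certificate, so enumerate the LocalMachine store
# rather than CurrentUser.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-GatewayCertificate -Certificate $_ } |
    Select-Object Subject, Thumbprint, ServerAuthEku, HasEkuExtension, HasPrivateKey,
                  InValidityPeriod, SelfSigned, MeetsRequirements |
    Format-List
```

A certificate that shows MeetsRequirements as True but SelfSigned as True is suitable for a lab only.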

Page 41: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Technical Background

Configuring a TS Gateway Server

• Connection Authorization Policies

• Resource Groups

• Resource Authorization Policies

Client Configuration

Page 42: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

TS Gateway Configuration

Configuring the TS Gateway Server:

• Install the TS Gateway role services

• Configure IIS settings

• Obtain/Configure a server certificate

• Create a CAP for the TS Gateway Server

• Create resource groups

• Create a RAP for the TS Gateway Server

Configure the TS Gateway Client:

• RDC 6.0 Settings

Page 43: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

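Remote access to internal application resources

[Diagram labels: Internet; DMZ; Internal network; External firewall; Internal firewall; Traveling on business; Working from home; Business partner / client site; Wireless user; HTTPS / 443; RDP over HTTPS tunnel; Terminal Services Gateway server; Network Policy Server; AD domain controller; Terminal Server; Strips off RDP/HTTPS; Passes RDP/SSL traffic to TS]

Page 44: 0505 Windows Server 2008 One-Day Essentials Workshop Part I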

Demonstration: Implementing a TS Gateway

• Importing and mapping a certificate

• Creating a CAP

• Creating a Resource Group

• Creating a RAP

• Monitoring connections

Page 45: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Implementation/Usage Scenarios

Server Consolidation | Cost Reduction

Centralized Application Access

Security Enhancement

[Diagram labels: Hotel; Home; Business Partner/Client Site; Terminal Services Gateway Server]

Page 46: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Recommendations

Configure Connection Access Policies, Resource Groups and Resource Access Policies

Use TS Gateway management to monitor the status, health, and events on remote connections

Use a TS Gateway instead of a VPN

Do not use a self-signed SSL certificate in production

Use in conjunction with an application layer firewall

Don’t depend on device blocking for security

Page 47: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Terminal Services RemoteApp

Page 48: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Overview

What are the benefits of using TS RemoteApp?

What is TS RemoteApp?

Does any code require modification?

[Diagram labels: Mobile Worker; In Airport; Branch Office; Home Office; TS RemoteApp]

Page 49: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Technical Background

Configuring a TS RemoteApp Server

What works differently?

How can users access RemoteApp programs?

Page 50: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Demonstration: Implementing TS RemoteApp

• Managing the Allow List

• Distributing an MSI package to users

• Connecting to a remote program from a client

Page 51: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Implementation/Usage Scenarios

Branch Offices

Roaming Users

Line of Business Applications

Deployment

Page 52: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Recommendations

Consider putting individual applications on separate servers when:

• The application has compatibility issues

• A single application and associated users may fill server capacity

Create a load-balanced farm for single applications that exceed the capacity of one server

Put common applications, such as MS Office, on the same TS RemoteApp Server

Consider placing the TS RemoteApp server behind an ISA Server

Use a trusted root-signed SSL certificate

Page 53: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Terminal Services Web Access

Page 54: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Overview

What are the benefits of TS Web Access?

What is Terminal Services Web Access?

TS Web Access Server Requirements

TS Web Access Client Requirements

[Diagram labels: Mobile Worker; In Airport; Branch Office; Home Office; TS Web Access]

Page 55: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Technical Background

Using Active Directory as the Data Source

Populating the TS RemoteApp Web Part

Using a Single Terminal Server as the Data Source

Page 56: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Demonstration: Configuring TS Web Access

• Configuring a TS data source

• Configuring the TS Web Access Server

• Launching Applications

Page 57: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Implementation/Usage Scenarios

New Version Deployment

Centralized Application Access

Page 58: 0505 Windows Server 2008 One-Day Essentials Workshop Part I

Recommendations

Use Active Directory mode for multi-server deployments when customers are used to Active Directory MSI deployment

When customer has no Active Directory MSI experience, use custom ASP scripting solutions or third-party solutions

Use TS Web Access defaults for single server deployments