0505 Windows Server 2008 One-Day Essentials Camp, Part I
Uploaded by timothy-chen
Transcript of 0505 Windows Server 2008 One-Day Essentials Camp, Part I
Module 1
Server Management in Windows Server 2008
Server Management Overview
Primary Management Tools
Server Manager Console: new MMC snap-in that provides a consolidated view of the server, including server configuration, status of installed roles, and links for adding/removing roles and features
Initial Configuration Tasks: guides you through the process of configuring a new server
Benefits:
Easy, systematic, single interface for all management
More secure and reliable
Ensures service prerequisites are met
Alternative Management Tools
Windows PowerShell
ServerManagerCmd.exe
Remote Management
Windows Remote Management (WS-Management)
Windows Remote Shell (WinRS)
Event Subscriptions
Task Scheduling based on Events
Microsoft System Center
Technical Background
Server Manager
Server Manager Wizards
Server Roles
Initial Configuration Tasks
Features
Server Role
The main service a server provides; gives network access to resources; includes a database or records; enables features automatically
Server roles: AD Certificate Services, AD Domain Services, AD Federation Services, AD Lightweight Directory Services, AD Rights Management Services, Application Server, DHCP/DNS Server, Fax Server/File Service, Network Policy and Access Service, Print Service, Terminal Services, UDDI Services, Web Service (IIS), Windows Deployment Services, Windows SharePoint Services
Server Manager
Feature
Enhances the server's functionality; not tied to a specific role
Features: .NET Framework 3.0, BitLocker Drive Encryption, BITS Server Extension, Connection Manager Admin Kit, Desktop Experience, Failover Clustering, Group Policy Management, Internet Printing Client, Internet Storage Name Server, LPR Port Monitor/Message Queuing, Multipath I/O, Network Load Balancing, Peer Name Resolution Protocol, Quality Windows Audio Video Experience, Remote Assistance, Remote Differential Compression, Removable Storage Manager, RPC over HTTP Proxy, Simple TCP/IP Services, SMTP Server/SNMP Services, Storage Manager for SANs, Subsystem for UNIX-based Applications, Telnet Client/Server/TFTP Client, Windows Internal Database, Windows PowerShell, Windows Process Activation Service, Windows Recovery Disc, Windows Server Backup Features, Windows System Resource Manager, WINS Server, Wireless LAN Service
Role Service
Demonstration: Server Manager Overview
• Server Manager Overview
• Performing Key Tasks
• Using ServerManagerCmd.exe
Implementation/Usage Scenarios
Improved Security
Improved Server Administration
Improved New Server Deployment and Configuration
Recommendations
To manage roles from a command prompt, use ServerManagerCmd.exe
For multiple server administration, use Windows PowerShell
For single server administration, use Server Manager
For Remote Management, use Windows Remote Management (based on the WS-Management standard)
Use Event Subscriptions to collect Event Viewer logs from multiple servers
Use System Center for enterprise-wide management
Server Core
Overview
Server Core Installation
Active Directory, AD Lightweight Directory Services, DHCP Server, DNS Server, File Services, Print Services, Windows Media Services, Windows Virtualization Services
Benefits of Server Core
Reduced maintenance
Reduced attack surface
Reduced management
Less disk space required
Server Core
Technical Background
Deployment
Server Roles
Prerequisites
Optional Features
Managing a Server Core Installation
Demonstration: Managing a Server Core
• Locally and remotely via the Command Prompt
• Remotely via MMC
Server Core
Time zone / time and locale / keyboard settings: Control TimeDate.cpl, Control Intl.cpl
Administrator password: Net User Administrator *
Computer name / restart: Hostname
Netdom RenameComputer <old hostname> /NewName:<new hostname> /Force /Reboot:10
Static IP address: Netsh Interface IPV4 Show Interfaces
Netsh Interface IPV4 Set Address Name=<interface index> Source=Static Address=<IP address> Mask=<subnet mask> Gateway=<gateway address>
Netsh Interface IPV4 Add DnsServer Name=<interface index> Address=<DNS server IP> Index=1
Join the domain / add the specified domain user to the local Administrators group / restart: Netdom Join <hostname> /Domain:<domain name> /UD:<privileged account> /PD:*
Net LocalGroup Administrators /Add <domain name>\<domain account>
Shutdown /r /f /t 10
Activation: SLMGR.vbs -xpr
SLMGR.vbs -ato
Enable the firewall: Netsh Firewall Set OpMode Enable
Netsh Firewall Set ICMPSetting 8 Enable
Enable Remote Desktop: Cscript %windir%\System32\ScRegEdit.wsf /ar 0
Enable automatic updates: Cscript %windir%\System32\ScRegEdit.wsf /au 4
Add server roles: Start /w OcSetup DHCPServerCore
Start /w OcSetup DNS-Server-Core-Role
Start /w OcSetup Printing-ServerCore-Role
Dcpromo /Unattend:<unattend file name>
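The Server Core steps above, consolidated into one post-install batch script that a practitioner would run twice (once before and once after the rename reboot). This is an added example, not material from the slides; the host name, interface name, addresses, domain and account names are constructed placeholders.

```batch
@echo off
setlocal EnableExtensions
REM Added example (not from the original slides): runs the Server Core
REM post-install commands shown above in order, with basic error checks.
REM Every value below is a constructed placeholder; replace it for your site.
set "NEW_NAME=CORE01"
set "IF_NAME=Local Area Connection"
set "IP_ADDR=10.0.0.20"
set "IP_MASK=255.255.255.0"
set "IP_GW=10.0.0.1"
set "DNS_IP=10.0.0.10"
set "DOMAIN=corp.example"
set "JOIN_USER=corp\joinacct"
set "LOCAL_ADMIN=corp\svradmin"

REM Phase 1: the rename needs a reboot before the domain join, so rename,
REM reboot, and run this script again; it then continues at :configure.
if /i "%COMPUTERNAME%"=="%NEW_NAME%" goto :configure
echo Renaming %COMPUTERNAME% to %NEW_NAME% and rebooting in 10 seconds...
netdom renamecomputer %COMPUTERNAME% /newname:%NEW_NAME% /force /reboot:10
exit /b

:configure
REM Phase 2: static addressing; the DNS server must be able to resolve the domain.
netsh interface ipv4 set address name="%IF_NAME%" source=static address=%IP_ADDR% mask=%IP_MASK% gateway=%IP_GW%
if errorlevel 1 goto :fail
netsh interface ipv4 add dnsserver name="%IF_NAME%" address=%DNS_IP% index=1
if errorlevel 1 goto :fail

REM Host firewall on before any management service is reachable; only ICMP
REM echo request (type 8) is opened, for monitoring.
netsh firewall set opmode enable
netsh firewall set icmpsetting 8 enable

REM Remote Desktop (/ar 0 = allow) and automatic updates (/au 4 = enable).
cscript //nologo %windir%\System32\scregedit.wsf /ar 0
cscript //nologo %windir%\System32\scregedit.wsf /au 4

REM Domain join; /pd:* prompts for the join account's password so no
REM password is stored in this file. Then grant one domain account local admin.
netdom join %COMPUTERNAME% /domain:%DOMAIN% /ud:%JOIN_USER% /pd:*
if errorlevel 1 goto :fail
net localgroup Administrators /add %LOCAL_ADMIN%
if errorlevel 1 goto :fail

REM Show the resulting configuration, then reboot to complete the join.
netsh interface ipv4 show config name="%IF_NAME%"
cscript //nologo %windir%\System32\scregedit.wsf /ar /v
shutdown /r /f /t 10
exit /b 0

:fail
echo A step failed (errorlevel %errorlevel%); fix it and re-run the script. 1>&2
exit /b 1
```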
Implementation/Usage Scenarios
Reduced attack surface
Reduced management
Reduced maintenance
Less disk space required
Recommendations
Publish cmd.exe using Terminal Services RemoteApp to allow you to run cmd.exe in a window on your local machine rather than in a full terminal services client
Implement Server Core whenever possible
Minimize administrative access to the system
Ensure physical security of the server
Implement BitLocker Drive Encryption
Windows PowerShell
Overview
What are cmdlets?
What is PowerShell?
Benefits
What can I do with PowerShell?
Prerequisites
Technical Background
Cmdlets | New Scripting Language
Native Support
Important Concepts
Administration
PowerShell Pipeline
Security
Aliasing
Navigation
Demonstration: Using Windows PowerShell
• Getting Help
• Navigating Windows PowerShell
• Adding a User to Active Directory
Implementation/Usage Scenarios
Server/Role Management
Command-Line Services, Processes, Registry, and WMI Data Management
Terminal Server
IIS 7.0
AD
Exchange 2007
MOM 2007
Recommendations
Don’t throw away any existing scripts or batch files – they can still be used!
Start using Windows PowerShell immediately!
Don’t forget the power of the wildcard, such as “get-services*”
Don’t deploy Windows PowerShell on any machine where it is not actually needed
Centrally control Windows PowerShell security settings through GPOs – do it now!
Module 2
Centralized Application Access with Windows Server 2008
Terminal Services Core Functionality
Overview
Who will be interested in the new capabilities of Terminal Services?
What is Centralized Application Access?
Benefits & Uses of Terminal Services
Terminal Services Installation, Configuration & Management
New Features:
Experience
Security
Manageability & Scalability
Diagram (client connectivity): mobile worker, in airport, branch office and home office users connecting to the central location
Support for 64-bit Architecture and Hardware
Provides a significantly larger virtual address space for kernel data structures
Accommodates more TS user sessions
Runs 32-bit software without recompiling
Runs 64-bit drivers/software specifically compiled for the 64-bit environment
Runs 32-bit applications at high performance
4 GB user VA for large memory-aware processes
Runs 64-bit applications
8 TB virtual address space
Reduces mapping and soft page faults
Eases migration to 64-bit infrastructure
Installation and Configuration
Terminal Services roles that can be installed:
• Terminal Server
• TS Licensing
• TS Session Broker
• TS Gateway
• TS Web Access
Configuring Terminal Services:
• Install programs on server
• Configure remote connection settings
• Configure clients to use Terminal Services
Authentication
Network Level Authentication – finishes user authentication before you establish a full remote connection and the desktop appears
Server Authentication – verifies that you are connecting to the correct remote computer
Single Sign-On – allows a user with a domain account to log on once, using a password or smart card, and then gain access to remote servers without being asked for their credentials again
Terminal Services SSO configuration
Client must be Vista or Windows Server 2008; enable "Allow default credentials to be used for logging on to the specified terminal servers": Computer Configuration, Administrative Templates, System, Credentials Delegation, enable "Allow Delegating Default Credentials", Show, Add, "TermSrv/<terminal server name>" (FQDN or NetBIOS name)
Server must be Windows Server 2008: Terminal Services Configuration, RDP-Tcp, General, set the security layer to "Negotiate" or "SSL (TLS 1.0)"
The domain account must be usable on both the client and the server
Device Redirection
Plug and Play Device Redirection
Windows Portable Devices
Media players, based on Media Transfer Protocol (MTP)
Digital cameras, based on Picture Transfer Protocol (PTP)
Windows Point of Service (POS) Device Redirection
Implement POS for .NET 1.1 (downloadable)
Configure .rdp file
Connect device
Remote Experience Improvements
Monitor Spanning
Desktop Experience
Font Smoothing
Custom Display Resolutions
Display Data Prioritization
32-Bit Color
TS Easy Print
Demonstration: User Experience Enhancements
• Plug & Play Redirection configuration
• Remote Desktop Connection Display configuration
Implementation/Usage Scenarios
Security Enhancement
Centralized Application Management
User Productivity Enhancement
Complexity Reduction
Centralized Application Access
Branch Office Environments
Recommendations
Configure client systems to use RDC 6.0
Implement new features to enhance user experience
Use Single Sign-On
Implement TS Gateway, TS RemoteApp and TS Web capabilities
Upgrade existing Terminal Servers to Windows Server 2008
Use x64 hardware and WSRM
Terminal Services Gateway
Overview
Benefits of a TS Gateway
TS Gateway Management
TS Gateway Prerequisites
Diagram: clients at a hotel, at home, or at a business partner/client site connect over HTTPS/443 to the Terminal Services Gateway server (with NPS and a DC behind it); the gateway strips off RPC/HTTPS and passes the RDP/SSL traffic to the terminal servers and other RDP hosts
Benefits of TS Gateway
Allows you to control access to specific resources
Reduces management costs
Facilitates consolidation of existing Terminal Servers
Can be integrated with Network Policy Server, enabling centralized policy deployment and lower TCO
Eliminates the need to configure VPN connections
Allows monitoring of remote connections
Enables connections across firewalls and NATs
TS Gateway Management
TS Gateway Management Snap-In:
Provides a single, one-stop tool to configure policies that define the conditions users must meet before they can connect.
Provides a tool to monitor TS Gateway events.
Allows you to review details about connections.
No remote computers are directly exposed to the internet; all data remains within the corporate network.
Prerequisites for a TS Gateway
A Network Policy Server (NPS) to centralize the storage, management and validation of TS Gateway policies
A certificate for the TS Gateway server that meets these requirements:
Computer certificate
Intended purpose – server authentication
Has a corresponding private key
A server with Windows Server 2008 installed
Administrator must be a member of the Administrators group on this machine
Technical Background
Configuring a TS Gateway Server
Connection Authorization Policies
Resource Groups
Resource Authorization Policies
Client Configuration
TS Gateway Configuration
Configuring the TS Gateway Server:
Install the TS Gateway role services
Configure IIS settings
Obtain/Configure a server certificate
Create a CAP for the TS Gateway Server
Create resource groups
Create a RAP for the TS Gateway Server
Configure the TS Gateway Client:
RDC 6.0 Settings
Diagram (remote access to internal application resources): users travelling, working from home, at a business partner/client site, or on wireless connect from the Internet over an RDP over HTTPS tunnel (HTTPS/443) through the external firewall to the Terminal Services Gateway server in the DMZ; the gateway unwraps RDP/HTTPS and forwards the RDP/SSL traffic through the internal firewall to the terminal servers on the internal network, where the Network Policy Server and the AD domain controller also reside
Demonstration: Implementing a TS Gateway
• Importing and mapping a certificate
• Creating a CAP
• Creating a Resource Group
• Creating a RAP
• Monitoring connections
Implementation/Usage Scenarios
Server Consolidation | Cost Reduction
Centralized Application Access
Diagram: users at a hotel, at home, or at a business partner/client site connecting through the Terminal Services Gateway Server
Security Enhancement
Recommendations
Configure Connection Access Policies, Resource Groups and Resource Access Policies
Use TS Gateway management to monitor the status, health, and events on remote connections
Use a TS Gateway instead of a VPN
Do not use a self-signed SSL certificate in production
Use in conjunction with an application layer firewall
Don’t depend on device blocking for security
Terminal Services RemoteApp
Overview
What are the benefits of using TS RemoteApp?
What is TS RemoteApp?
Does any code require modification?
Diagram: mobile worker, in airport, branch office, home office
TS RemoteApp
Technical Background
Configuring a TS RemoteApp Server
What works differently?
How can users access RemoteApp programs?
Demonstration: Implementing TS RemoteApp
• Managing the Allow List
• Distributing an MSI package to users
• Connecting to a remote program from a client
Implementation/Usage Scenarios
Branch Offices
Roaming Users
Line of Business Applications
Deployment
Recommendations
Consider putting individual applications on separate servers when:
The application has compatibility issues
A single application and associated users may fill server capacity
Create a load-balanced farm for single applications that exceed the capacity of one server
Put common applications, such as MS Office, on the same TS RemoteApp Server
Consider placing the TS RemoteApp server behind an ISA Server
Use a trusted root-signed SSL certificate
Terminal Services Web Access
Overview
What are the benefits of TS Web Access?
What is Terminal Services Web Access?
TS Web Access Server Requirements
TS Web Access Client Requirements
Diagram: mobile worker, in airport, branch office, home office
TS Web Access
Technical Background
Using Active Directory as the Data Source
Populating the TS RemoteApp Web Part
Using a Single Terminal Server as the Data Source
Demonstration: Configuring TS Web Access
• Configuring a TS data source
• Configuring the TS Web Access Server
• Launching Applications
Implementation/Usage Scenarios
New Version Deployment
Centralized Application Access
Recommendations
Use Active Directory mode for multi-server deployments when customers are used to Active Directory MSI deployment
When the customer has no Active Directory MSI experience, use custom ASP scripting solutions or third-party solutions
Use TS Web Access defaults for single server deployments