Microsoft TechNet Seminar: Technical Deep Dive into Windows Server 2008. Howard Chow, Microsoft MVP

Technical Deep Dive into Windows Server 2008download.microsoft.com/download/9/a/1/9a1bd19d-f612-4444-8c25-0fa... · Technical Deep Dive into Windows Server 2008 ... Network Policy


Page 1

Microsoft TechNet Seminar

Technical Deep Dive into Windows Server 2008

Howard Chow, Microsoft MVP

Page 2

Prerequisites

• Windows Server 2000 or 2003
• Networking
• Active Directory and Network Infrastructure
• Security
• Microsoft Windows 2000, Windows XP Professional, or Microsoft Vista

Page 3

Windows Server 2008 Pillars: Solid Foundation for Your Business Workloads

Web
• Internet Information Services 7.0: efficient management and deployment tools; enhanced reliability, security and failure recovery; customizable platform with .NET extensibility
• Windows SharePoint Services
• Windows Media Services: advanced streaming experience with caching and proxy plug-ins

Virtualization
• Windows Server Virtualization: hypervisor-based platform for increased reliability; high availability through Failover Clustering; resource optimization with server consolidation
• Terminal Services RemoteApp™: access and run remote applications locally with presentation virtualization
• Terminal Services Gateway

Security
• Network Access Protection: health validation and compliance checking for client devices
• Read-Only Domain Controller: increased security and delegated management for branch offices
• Federated Rights Management

Management
• Server Manager: role-based configuration, management and reporting
• Windows PowerShell™: command shell and scripting language for task automation
• Windows Deployment Services

Reliability
• Server Core: minimal installation option for better security and reliability
• Next Generation Networking: new TCP/IP stack for improved scalability and performance
• High Availability Clustering

Page 4

Seminar Outline

• Installing and Configuring Windows Server 2008
• Windows Server 2008 Server Core (DEMOS!!)
• Windows Server Backup
• Windows Server 2008 Active Directory Domain Services
• Network Policies and Access Protection
• Hyper-V

Page 5

Configuring Windows Server 2008

Page 6

Improvements in Setup from Windows 2003 to Windows Server 2008

Server roles streamline management.

Windows Server 2003: Windows Server 2003 Setup, Security Updates, Manage Your Server, Configure Your Server Wizard, Windows Components, Computer Management, Security Configuration Wizard

Windows Server 2008: Operating System Setup, Initial Configuration Tasks, Server Manager

Page 7

Initial Configuration Tasks Overview

• Administrator Password
• Network IP Address
• Domain Membership
• Computer Name
• Windows Updates
• Windows Firewall

What Works Differently

Page 8

Overview of Server Manager

Roles shown: Active Directory, Print Server, File Server

Page 9

Demonstration: Using Server Manager

• Using Server Manager to add a role
• Using Server Manager to monitor server roles
• Using Server Manager to add a feature

Page 10

Overview of Role Functions

Web Server: IIS Management Tools, Server Side Includes, FTP Server, ASP, CGI

Roles are Secured by Default

Page 11

Roles Available in Windows Server 2008

• DHCP Server
• DNS Server
• Fax Server
• File Server
• Print Server
• Terminal Services
• Windows Deployment Services
• Network Access Services

Page 12

Windows Server 2008 Features

• Failover Cluster
• Backup
• Remote Assistance

Page 13

New Features Available in Windows Server 2008

• Background Intelligent Transfer Service (BITS) Server Extensions
• Windows BitLocker™ Drive Encryption
• Multipath I/O
• Storage Manager for Storage Area Networks (SANs)
• Windows Activation Service (WAS)
• Wireless Networking

Page 14

Windows PowerShell

New Command-line Shell and Scripting Language
• Improves productivity and control
• Accelerates automation of system admin
• Easy-to-use
• Works with existing scripts

Page 15

PowerShell Object Pipelines

Use the output from one cmdlet as the input to another.
Example: Get-Process | Sort-Object -Property Handles

Output objects must be compatible with input parameters.
Example: Get-Process | Stop-Service will not work.
Example: Get-Process | Stop-Process will work.
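The binding rule behind those two examples can be made visible from PowerShell itself. The script below is an added illustration, not part of the seminar deck: it lists which parameters of a cmdlet accept pipeline input and whether an object from another cmdlet would bind to them, either by value (the parameter's type accepts the object) or by property name (the object carries a property with the parameter's name). The function names Get-PipelineParameter and Test-PipelineBinding are this example's own. Nothing is changed on the system: Get-Process only reads, and Stop-Process and Stop-Service are inspected, never run.

```powershell
# Added example (not from the seminar deck): why Get-Process | Stop-Process
# binds and Get-Process | Stop-Service does not.

function Get-PipelineParameter {
    # Lists the parameters of a command that accept pipeline input, with the
    # element type each one expects (array parameters unwrapped to the element).
    param([Parameter(Mandatory=$true)][string]$CommandName)

    $cmd = Get-Command -Name $CommandName -ErrorAction Stop
    foreach ($p in $cmd.Parameters.Values) {
        $attrs   = @($p.Attributes | Where-Object { $_ -is [System.Management.Automation.ParameterAttribute] })
        $byValue = [bool]@($attrs | Where-Object { $_.ValueFromPipeline })
        $byName  = [bool]@($attrs | Where-Object { $_.ValueFromPipelineByPropertyName })
        if (-not ($byValue -or $byName)) { continue }   # common parameters etc.

        $type = $p.ParameterType
        if ($type.IsArray) { $type = $type.GetElementType() }
        [pscustomobject]@{
            Parameter      = $p.Name
            Type           = $type
            ByValue        = $byValue
            ByPropertyName = $byName
        }
    }
}

function Test-PipelineBinding {
    # Takes one real object from the producer and reports, for every
    # pipeline-aware parameter of the consumer, whether it would bind.
    param(
        [Parameter(Mandatory=$true)][string]$Producer,
        [Parameter(Mandatory=$true)][string]$Consumer
    )
    $sample = & $Producer | Select-Object -First 1
    if ($null -eq $sample) { throw "$Producer emitted no objects to test with" }

    foreach ($param in Get-PipelineParameter -CommandName $Consumer) {
        # By value: the parameter's element type accepts the object as-is.
        $bindsByValue = $param.ByValue -and ($sample -is $param.Type)
        # By property name: the object (including PowerShell's extended
        # properties such as Process.Name) has a property of that name.
        $bindsByName  = $param.ByPropertyName -and ($null -ne $sample.PSObject.Properties[$param.Parameter])
        [pscustomobject]@{
            Pipeline       = "$Producer | $Consumer"
            Parameter      = $param.Parameter
            Expects        = $param.Type.Name
            ByValue        = [bool]$bindsByValue
            ByPropertyName = [bool]$bindsByName
        }
    }
}

# A Process object binds by value to Stop-Process -InputObject (and by name to -Id / -Name).
Test-PipelineBinding -Producer Get-Process -Consumer Stop-Process | Format-Table -AutoSize

# No parameter of Stop-Service accepts a Process by value; the only hit is a
# by-name bind of the process name to -Name, which names no service.
Test-PipelineBinding -Producer Get-Process -Consumer Stop-Service | Format-Table -AutoSize
```

The check deliberately ignores PowerShell's type coercion, which is attempted as a last resort during binding; to see the engine's actual decision for a given pipeline, wrap it in Trace-Command -Name ParameterBinding -PSHost -Expression { ... }.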

Page 16

Windows Server 2008 Server Core

Page 17

Windows Server Core Overview

• Minimal Server Installation
• Easier to Secure, Manage, and Maintain
• Supports Unattended Installation
• Supports Key Infrastructure Roles

Page 18

Server Core Architecture

Standard and Enterprise Server: server roles DNS, DHCP, File, AD, TS, IAS, Web Server, SharePoint, etc., with WinFX, Shell, Tools, etc.

Server Core: server roles DNS, DHCP, File, AD, on top of Security, TCP/IP, File Systems, RPC, plus other core server sub-systems. Not present: GUI, CLR, Shell, IE, Media, OE, etc.

Page 19

Benefits of Server Core

• Reduced software maintenance
• Reduced attack surface
• Reduced management
• Less disk space required

Page 20

Unattended Install

• Same as Vista and Windows Server 2008
• Configure attributes not available on the command line, without editing the registry

Page 21

Configuring Server Core

• Set admin password
• Set static IP address
• Join existing domain
• Activate the Server
• Configure the firewall

Page 22

Demonstration: Configuring Server Core

• Using ocsetup to add the DNS Server role
• Using dnscmd to configure the DNS Server

Page 23

Adding Server Roles

> start /w ocsetup RolePackage

> Dcpromo /unattend:Unattendfile

> start /w ocsetup featurename

Page 24

Domain Controller Role on Server Core

> Dcpromo /unattend:Unattendfile

Page 25

Dynamic Host Configuration Protocol (DHCP) Server

> start /w ocsetup DHCPServerCore

> Netsh dhcp add server dhcpsrv1.example.microsoft.com 10.2.2.2

Page 26

Domain Name System (DNS) Server

> start /w ocsetup DNS-Server-Core-Role

> Dnscmd /zoneadd test.reskit.com /dsprimary

> Dnscmd reskit.com /zoneadd secondtest.restkit.com /secondary 10.0.0.2
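Pages 21 to 26 describe one procedure: password, static IP, domain join, activation, firewall, then the DNS Server role and a zone. The script below is an added example, not from the seminar deck, that drives that sequence from PowerShell with the exit code of every native tool checked, so a half-configured server does not pass silently. All values are placeholder assumptions: NIC "Local Area Connection", host 10.2.2.10/24 with gateway 10.2.2.1, DNS server 10.2.2.2, domain example.com, zone test.reskit.com; the function name Invoke-NativeStep is this example's own. A Windows Server 2008 Server Core box has no PowerShell of its own, so on that release the same command lines are typed at cmd.exe; the wrapper runs as written on Server Core 2008 R2 and later.

```powershell
# Added example (not from the seminar deck): Server Core post-install steps
# with every native tool's exit code checked. All names/addresses are
# placeholders for the example.

$Nic     = 'Local Area Connection'
$Address = '10.2.2.10'
$Mask    = '255.255.255.0'
$Gateway = '10.2.2.1'
$DnsSrv  = '10.2.2.2'
$Domain  = 'example.com'
$Zone    = 'test.reskit.com'

function Invoke-NativeStep {
    # Runs one native tool with a verbatim argument string and stops the
    # script on an unexpected exit code.
    param(
        [Parameter(Mandatory=$true)][string]$Description,
        [Parameter(Mandatory=$true)][string]$FilePath,
        [Parameter(Mandatory=$true)][string]$Arguments,
        [int[]]$SuccessCodes = @(0)
    )
    Write-Host "==> $Description"
    $proc = Start-Process -FilePath $FilePath -ArgumentList $Arguments -Wait -NoNewWindow -PassThru
    if ($SuccessCodes -notcontains $proc.ExitCode) {
        throw ("{0} failed: {1} {2} exited with code {3}" -f $Description, $FilePath, $Arguments, $proc.ExitCode)
    }
}

# 1. Administrator password. "*" makes net.exe prompt, so the secret is
#    neither in the script nor in the command history.
Invoke-NativeStep 'Set Administrator password' 'net.exe' 'user Administrator *'

# 2. Static IPv4 address and DNS server (netsh interface ipv4 context).
Invoke-NativeStep 'Set static IP address' 'netsh.exe' `
    ('interface ipv4 set address name="{0}" source=static address={1} mask={2} gateway={3}' -f $Nic, $Address, $Mask, $Gateway)
Invoke-NativeStep 'Set DNS server' 'netsh.exe' `
    ('interface ipv4 add dnsserver name="{0}" address={1} index=1' -f $Nic, $DnsSrv)

# 3. Join the existing domain; /passwordd:* prompts for the join account's password.
Invoke-NativeStep 'Join domain' 'netdom.exe' `
    ('join {0} /domain:{1} /userd:{1}\Administrator /passwordd:*' -f $env:COMPUTERNAME, $Domain)

# 4. Activate the server. slmgr is a script, so it runs under cscript.
Invoke-NativeStep 'Activate Windows' 'cscript.exe' "//nologo $env:SystemRoot\System32\slmgr.vbs -ato"

# 5. Firewall: keep it on for every profile and open only the remote administration rule group.
Invoke-NativeStep 'Enable firewall on all profiles' 'netsh.exe' 'advfirewall set allprofiles state on'
Invoke-NativeStep 'Allow remote administration' 'netsh.exe' 'advfirewall firewall set rule group="Remote Administration" new enable=yes'

# 6. DNS Server role, the deck's "start /w ocsetup DNS-Server-Core-Role".
#    Package names are case-sensitive; exit code 3010 means installed, reboot required.
Invoke-NativeStep 'Install DNS Server role' 'ocsetup.exe' 'DNS-Server-Core-Role' -SuccessCodes 0, 3010

# 7. AD-integrated primary zone, the deck's "dnscmd /zoneadd ... /dsprimary".
Invoke-NativeStep 'Create AD-integrated zone' 'dnscmd.exe' ('/zoneadd {0} /dsprimary' -f $Zone)

# 8. Verify rather than assume: the role is reported installed and the zone is enumerated.
$roleOk = [bool](& oclist.exe | Select-String -Pattern '(?<!Not\s)Installed:\s*DNS-Server-Core-Role')
$zoneOk = [bool](& dnscmd.exe /enumzones | Select-String -SimpleMatch $Zone)
"DNS role installed: $roleOk; zone $Zone present: $zoneOk"
```

Start-Process is used instead of the call operator because it hands the argument string to the tool verbatim, which keeps the quoted NIC name and the rule group name intact; with the call operator PowerShell re-quotes arguments that contain spaces.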

Page 27

Windows Backup

Page 28

What's New in Windows Server 2008 Backup

• New, faster backup technology
• Simplified Restoration
• Simplified recovery of operating system
• Improved scheduling
• Support for DVD media

Page 29

New Backup Infrastructure

• Requestor
• Writers: SQL, Exchange, other app/store
• Volume Shadow Copy Service
• Providers: Windows copy-on-write, EMC/Clariion hardware, HP
• Disk 1, Disk 2, Disk 3, Disk 4, Disk 5

Page 30

Shadow Copies

Shadow copy creation, restore from shadow copy, shadow copy storage

Page 31

Demonstration: Introduce Backup Features

• Explore Backup Console

Page 32

Windows Recovery Environment

1. Computer crashes; reboot.
2. Startup: the boot manager detects the failure and fails over into Windows RE (auto-launch).
3. Windows RE diagnoses and repairs the computer, then reboots.
4. Successful boot? Yes: OS starts.
5. No: more than 5 attempts? No: repeat from step 2. Yes: cannot auto-repair (try manual).

Page 33

Next Generation Networking

Page 34

Review of Windows Server Network Architecture

Applications and User Mode Services: Windows Sockets Application, NetBIOS Application, RPC Application, Win32 Wnet/Wininet Application, Named Pipes

User-mode Application Interfaces: Windows Sockets, RPC, WNet, Wininet, NetBIOS Support

Kernel: AFD, NetBT, Redirector/Server, TCP, IP (ICMP, IP Forwarder, IP Filtering, IGMP, ARP), Traffic Control (Packet Classifier, Packet Scheduler, Packet Queues)

Driver Interfaces: NDIS Wrapper

Page 35

New Networking Features

• Next Generation TCP/IP Stack
• IPv6 Enhancements
• Policy-Based Quality of Service

Page 36

The New TCP/IP Architecture

User Mode: Winsock, WSK Clients, TDI Clients
Kernel Mode: AFD, WSK, TDX, TDI
Next Generation TCP/IP stack (tcpip.sys): TCP, UDP, RAW; IPv4 and IPv6; Windows Filtering Platform API; 802.3, WLAN, Loop-back, IPv4 Tunnel, IPv6 Tunnel
NDIS

• Dual-IP layer architecture for native IPv4 and IPv6 support
• Better security through expanded IPsec integration
• Improved performance via hardware acceleration
• Network auto-tuning and optimization algorithms
• Greater extensibility and reliability through rich APIs

Page 37

Security Features

Reduce the risk of network security threats
• An additional layer of defense-in-depth
• Reduced attack surface area to known computers
• Increased manageability and more healthy clients

Safeguard sensitive data and intellectual property
• Authenticated, end-to-end network communications
• Scalable, tiered access to trusted networked resources
• Protect the confidentiality and integrity of data

Full featured, enterprise functionality
• Support for computer and user authentication with IPsec
• Network Access Protection over VPNs and IPsec
• Secure routing compartments extend isolation to VPN

Page 38

Windows Firewall with Advanced Security

Page 39

Performance

Optimized performance without loss
• Intelligent, automated tuning of TCP receive window size
• Better packet loss resiliency
• Advanced congestion control for better throughput

Automatically adjusts for maximum efficiency
• Faster network transfers, especially across WAN links
• Optimized use of available network bandwidth
• Reduced packet loss, resulting in fewer retransmits

Page 40

Receive Window Auto Tuning

Replicating data between Tukwila and the Bay Area, default configurations:
• On Windows Server 2003 SP1: 100Mbps NICs, 10Mbps throughput
• On Windows Server 2008: 100Mbps NICs, 80Mbps throughput; 1000Mbps NICs, 400Mbps throughput

Page 41

Policy-Based Quality of Service

• Source IPv4/IPv6 addresses
• Destination IPv4/IPv6 addresses
• Protocol
• Source or destination ports

Page 42

Scalability

Cost-effectively scale networking up and out
• Specialized hardware frees CPU(s) for applications
• Ease consolidation with support for multiple Gbps
• More efficient use of large server resources

Adopt hardware acceleration and offloading
• Receive-side scaling optimizes multi-processor systems
• Architected to support latest TCP offload hardware
• Offload hardware less expensive than new high-end PCs

Page 43

Server and Domain Isolation

Corporate Network: Active Directory Domain Controller, Trusted Resource Server, HR Workstation, Managed Computers
• Server Isolation: Servers with Sensitive Data
• Domain Isolation: Managed Computers
• Blocked (X): Unmanaged Computer, Untrusted Computer

Page 44

New DNS Features in Windows Server 2008

• Background Zone Loading
• Support for IPv6 Addresses
• RODC Support
• GlobalNames Zone

Page 45

DNS Client Changes

• LLMNR (Link-Local Multicast Name Resolution)
• Changes to the way DNS clients locate DCs

Page 46

Network Policies and Access Protection

Page 47

Why Use Network Access Protection?

Private Network: healthy computer vs. unhealthy computer

Page 48

Network Protection Services Overview

Network Policy Server (NPS)
• Network Access Protection (NAP) Policy Server
• IEEE 802.11 Wireless
• IEEE 802.3 Wired
• RADIUS Server
• RADIUS Proxy

Routing and Remote Access
• Remote Access Service
• Routing

Health Registration Authority (HRA)

Page 49

Network Access Protection Solution

Policy Validation, Network Restriction, Remediation, Ongoing Compliance

Defense-in-depth layers: Data, Application, Host, Internal Network, Perimeter, Policies, Procedures & Awareness

Page 50

NAP Architecture Overview

• Client: System Health Agent (SHA; MS and 3rd parties), Quarantine Agent (QA), Enforcement Client (EC: DHCP, IPsec, 802.1X, VPN)
• Network Access Devices and Servers: Quarantine Server (QS)
• MS Network Policy Server: System Health Validator, health policy
• System Health Servers; Remediation Servers (updates)

Flows: health statements, access requests, health certificate

Page 51

Network Layer Protection with NAP

Participants: Client, 802.1x Switch, MS NPS, Remediation Servers and System Health Servers (restricted network). The System Health Servers send ongoing policy updates to the Network Policy Server.

1. Client to Switch: "May I have access? Here's my current health status."
2. Switch to NPS: "Should this client be restricted based on its health?"
3. NPS: "According to policy, the client is not up to date. Quarantine client, request it to update."
4. Switch to Client: "You are given restricted access until fix-up."
5. Client to Remediation Servers: "Can I have updates?" Remediation Servers: "Here you go."
6. Client to Switch: "Requesting access. Here's my new health status."
7. NPS: "According to policy, the client is up to date. Grant access."
8. Switch: "Client is granted access to full intranet."

Page 52

Host Layer Protection with NAP

Network segments: No Policy; Authentication Optional; Authentication Required. Participants: Client, HRA, NPS, Remediation Server.

1. Client to HRA: "May I have a health certificate? Here's my SoH."
2. HRA to NPS: "Client ok?"
3. NPS: "No. Needs fix-up." HRA to Client: "You don't get a health certificate. Go fix up."
4. Client to Remediation Server: "I need updates." Remediation Server: "Here you go."
5. Client to HRA again with the new SoH. NPS: "Yes. Issue health certificate." HRA: "Here's your health certificate."
6. Client accessing the network.

Page 53

NAP with DHCP

Participants: Client, DHCP Server, NPS Server, Remediation Servers (also shown: IEEE 802.1X Devices, VPN Server).

1. Client to DHCP Server: "Requesting access. I need to lease an IP address."
2. NPS Server: "You are not within the Health Policy requirements."
3. The client requests and receives updates from the Remediation Servers.
4. Client: "Here's my new health status."
5. "Access Granted. Here is your new IP Address."
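Pages 51 to 53 show the same decision three times with different enforcement points: the client presents a Statement of Health, NPS compares it with the health policy, and the answer is either full access or restricted access plus a remediation list, after which the client re-submits. The script below is an added illustration of that logic, not part of the seminar deck and not NAP product code: a small model whose policy values, client name and SoH fields are constructed for the example, and whose function names Test-StatementOfHealth and Invoke-Remediation are this example's own.

```powershell
# Added example (not from the seminar deck, not NAP product code): a model of
# the NPS health evaluation shown on the slides. All values are constructed.

# Health policy: what a "healthy" client must show.
$HealthPolicy = @{
    FirewallRequired              = $true
    AntivirusSignatureMaxAgeDays  = 7
    MissingCriticalUpdatesAllowed = 0
}

function Test-StatementOfHealth {
    # NPS side: evaluate one SoH against the policy and return the access
    # decision together with what the client must fix.
    param(
        [Parameter(Mandatory=$true)][hashtable]$SoH,
        [Parameter(Mandatory=$true)][hashtable]$Policy,
        [datetime]$Now = (Get-Date)
    )
    $todo = @()
    if ($Policy.FirewallRequired -and -not $SoH.FirewallEnabled) {
        $todo += 'Enable the host firewall'
    }
    $sigAgeDays = ($Now - $SoH.AntivirusSignatureDate).TotalDays
    if ($sigAgeDays -gt $Policy.AntivirusSignatureMaxAgeDays) {
        $todo += ('Update antivirus signatures (currently {0} days old)' -f [int]$sigAgeDays)
    }
    if ($SoH.MissingCriticalUpdates -gt $Policy.MissingCriticalUpdatesAllowed) {
        $todo += ('Install {0} missing critical update(s)' -f $SoH.MissingCriticalUpdates)
    }
    $access = 'Full'
    if ($todo.Count -gt 0) { $access = 'Restricted' }   # quarantine until fix-up
    [pscustomobject]@{
        Client      = $SoH.ClientName
        Compliant   = ($todo.Count -eq 0)
        Access      = $access
        Remediation = $todo
    }
}

function Invoke-Remediation {
    # Remediation-server side of the model: returns the SoH the client would
    # present after fix-up. A real client fetches updates and re-runs its SHA.
    param([Parameter(Mandatory=$true)][hashtable]$SoH, [datetime]$Now = (Get-Date))
    $fixed = $SoH.Clone()
    $fixed.FirewallEnabled        = $true
    $fixed.AntivirusSignatureDate = $Now
    $fixed.MissingCriticalUpdates = 0
    return $fixed
}

# Constructed SoH for a laptop that has been off the network for a month.
$now = Get-Date
$soh = @{
    ClientName             = 'LAPTOP01'
    FirewallEnabled        = $false
    AntivirusSignatureDate = $now.AddDays(-30)
    MissingCriticalUpdates = 3
}

# Round 1: "May I have access? Here's my current health status."
$decision = Test-StatementOfHealth -SoH $soh -Policy $HealthPolicy -Now $now
'{0}: {1} access' -f $decision.Client, $decision.Access
$decision.Remediation | ForEach-Object { "  remediation: $_" }

# Round 2: after fix-up, "Requesting access. Here's my new health status."
if (-not $decision.Compliant) {
    $soh2      = Invoke-Remediation -SoH $soh -Now $now
    $decision2 = Test-StatementOfHealth -SoH $soh2 -Policy $HealthPolicy -Now $now
    '{0}: {1} access after remediation' -f $decision2.Client, $decision2.Access
}
```

Whether "Restricted" means a quarantine VLAN from the switch, a short DHCP lease with restricted routes, or no health certificate for IPsec is the enforcement client's concern; the evaluation itself is the same in all three slides, which is why the model keeps it in one function.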

Page 54

IPsec-based Communication

• Secure network: IPsec authenticated
• Boundary network
• Restricted network: unauthenticated

Page 55

Scenario 1: Roaming Laptops (NAP)

Page 56

Scenario 2: Health of Desktop Computers (Network Policy Server)

Page 57

Scenario 3: Health of Visiting Laptops (Network Policy Server)

Page 58

Scenario 4: Unmanaged Home Computers

Page 59

Hyper-V

Page 60

Hyper-V Overview

• 64-bit Hypervisor
• Up to 4 Logical Processors per Guest
• VMBus for Hardware Sharing
• High Availability Features

Page 61

Configuring Virtual Machines

• Virtual Machines Based on VHD Files
• Virtual Machine Off for Most Setting Changes
• Ensure Adequate Disk Space for VM
• Ensure Adequate Processor Capacity

Page 62

Configuring Virtual Machine Files

• VHD Files are Virtual Hard Drives
• Multiple VHD Files per VM Supported
• Snapshots Used to Preserve VM State

Page 63

Session: Configuring Hyper-V

• List the functions of Integration Components
• Implement configuration best practices for optimized performance

Page 64

Hyper-V Integration Components

• Increase Usability of Guest OSes
• Provide VSCs to some Guest OSes
• Provide Snapshot Capability to Guest OSes

Page 65

Optimizing Performance

• Virtual Hardware Challenges Assumptions
• Ensure Adequate CPU & RAM for Workloads
• Multiple HD Spindles Ideal for VHDs
• Multiple NICs Ideal

Page 66

Active Directory Domain Services

Page 67

Active Directory Service Server Roles

• Active Directory Certificate Services (AD CS)
• Active Directory Domain Services (AD DS)
• Active Directory Federation Services (AD FS)
• Active Directory Lightweight Directory Services (AD LDS)

Page 68

New Active Directory Features

• DNS: IPv6 Support, Background Zone Loading
• DNS: GlobalNames zone, RODC Support
• AD: Certificate Services, Federation Services
• AD: Lightweight Directory Services, Auditing

Page 69

AD DS Installation Wizard

• Advanced Option from the Welcome page
• Access Wizard Easily
• Related Functionality Grouped Together
• Reduced Chance of Error

Page 70

Active Directory Sites and Services

Page 71

Common Criteria

• Level of Quality Assurance
• Higher Security in Implementation and Deployment

Page 72

DFSR for SYSVOL

SYSVOL to SYSVOL replication using Distributed File System Replication

Page 73

DNS Improvements

• Support for AD DS
• Auto-Configuration Installation
• Improved DC Location Support for Clients
• Read-Only Integrated Zone for RODC

Page 74

Restartable AD DS

1. Server Off. Start as DC? Yes: Directory Services start. Success? Yes: Active Directory Started. No: Restart.
2. Start as DC? No: Directory Services Restore Mode. Success? Yes: Directory Services Restore Mode. No: Restart.
3. From Active Directory Started: Stop Active Directory leads to Active Directory Stopped.
4. From Active Directory Stopped: Start command. Start command successful? Yes: Active Directory Started. No: Active Directory Stopped.

Page 75

Read-Only Domain Controller

Branch Office Guide Recommendations

Page 76

RODC Deployment Prerequisites

1. Works in existing environments
2. Windows Server® 2003 Forest Functional Mode
   • One Windows Server® 2008 DC
3. No patching to down-level DCs or clients is needed
4. Multiple Windows Server 2008 DCs per Domain
   • One RODC per Domain per Site

Page 77

Read-Only Active Directory Database

(diagram: Directory Service "Cloud" in the Data Center or Trusted Network; read-only database at edge sites or the edge/boundary of the network)

Page 78

Read-Only Domain Controller Replication

Replication is Unidirectional

Cannot Perform Outbound Replication

Domain Partition replication must be sourced from Windows Server 2008

Requires writeable 2008 domain controller in nearest site in the topology

Page 79

Credential Caching

Credential Caching is storing user passwords on RODC

Must be explicitly allowed

Configured via Password Replication Policy on RODC's writeable replication partner
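As an added example that is not part of the deck, the Password Replication Policy of one RODC reviewed and tightened from its writeable partner with the ActiveDirectory PowerShell module (which shipped with Windows Server 2008 R2 / RSAT, not the RTM 2008 tooling); the names RODC01 and Branch-Users-Site1 are assumptions.

```powershell
# Added example (not from the deck): inspect and tighten an RODC's Password Replication
# Policy (PRP). Requires the ActiveDirectory module (2008 R2 / RSAT) and is run against
# the RODC's writeable replication partner. Names below are placeholders.
Import-Module ActiveDirectory

$Rodc        = 'RODC01'              # hypothetical RODC
$BranchGroup = 'Branch-Users-Site1'  # hypothetical group of users served by that branch

# 1. What does the policy allow and deny today? By default only the built-in
#    Allowed/Denied RODC Password Replication Groups appear here.
Write-Host 'Allowed list:'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
    Select-Object -ExpandProperty Name
Write-Host 'Denied list:'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
    Select-Object -ExpandProperty Name

# 2. Caching is off unless explicitly allowed: allow only the branch's own users.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchGroup

# 3. Privileged accounts must never be cached on a branch box. Domain Admins is already
#    covered by the default denied group; listing it explicitly makes the intent visible.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList 'Domain Admins'

# 4. Policy versus reality: which secrets are actually stored on the RODC right now,
#    and which accounts have authenticated through it (candidates for the allowed list)?
$Revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
$Authd    = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts)

# 5. Check: a privileged account whose secret is on the RODC is a finding to investigate.
$Privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty DistinguishedName
$Revealed | Where-Object { $Privileged -contains $_.DistinguishedName } |
    ForEach-Object { Write-Warning "Privileged account cached on ${Rodc}: $($_.SamAccountName)" }

'{0} accounts cached on {1}; {2} accounts authenticated through it' -f $Revealed.Count, $Rodc, $Authd.Count
```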

Page 80

Administrator Role Separation

Problem: Too many domain administrators

Solution: Provides a new "local administrator" level of access per RODC

Prevents accidental Active Directory modifications by computer administrators

Does not prevent "local administrator" from maliciously modifying the local database

This is a true security feature for Read-Only Domain Controller

Page 81

Read-Only Domain Name System

Does not support client updates directly

Refers clients to a writeable authoritative DNS

Replicates updated records from writeable DNS

Page 82

Recovering from RODC Compromise

Delete the RODC from the domain

Change passwords of accounts that are cached on compromised RODC

Manually remove the server object for the deleted RODC
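The password-reset and server-object cleanup steps above, as an added example that is not from the deck: it uses the ActiveDirectory PowerShell module (2008 R2 / RSAT), assumes the RODC's own object is still readable when the cached-account list is captured, and treats removing the RODC from the domain itself as done separately with the administrator's normal tooling; RODC01 is a placeholder name.

```powershell
# Added example (not from the deck): handle a compromised RODC's cached secrets and
# its leftover server object. Requires the ActiveDirectory module (2008 R2 / RSAT).
Import-Module ActiveDirectory

$Rodc = 'RODC01'   # hypothetical name of the compromised RODC

# Capture the list of accounts whose secrets were cached on the box FIRST: it is read
# from the RODC's own object, so it must be taken before that object is deleted.
$Cached = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)

function New-RandomPassword {
    # 24 bytes from the system CSPRNG, base64 encoded; the user replaces it at next logon.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# Every cached secret is treated as exposed: reset user and computer accounts alike.
foreach ($acct in $Cached) {
    Set-ADAccountPassword -Identity $acct.DistinguishedName -Reset -NewPassword (New-RandomPassword)
    if ($acct.ObjectClass -eq 'user') {
        # Force a user-chosen password at next logon; computer accounts rotate on their own.
        Set-ADUser -Identity $acct.DistinguishedName -ChangePasswordAtLogon $true
    }
    Write-Host "Reset: $($acct.SamAccountName)"
}

# Once the RODC has been removed from the domain, its server object (with the NTDS
# Settings child) may remain under CN=Sites in the configuration partition: remove it.
$SitesDn = 'CN=Sites,' + (Get-ADRootDSE).configurationNamingContext
$Server  = Get-ADObject -SearchBase $SitesDn -LDAPFilter "(&(objectClass=server)(cn=$Rodc))"
if ($Server) {
    Remove-ADObject -Identity $Server -Recursive -Confirm:$false
    Write-Host "Removed server object $($Server.DistinguishedName)"
}
```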

Page 83

Session Summary

Windows Server 2008 Innovations

Positioning and Messaging

Focus on Management Key Features

Integrated and robust AD DS for complex environment

Don't forget these great TechNet resources:

• WS08 – www.microsoft.com/windowsserver2008

• IPsec – http://www.microsoft.com/ipsec

• Scalable Networking – http://www.microsoft.com/snp

• QoS – http://www.microsoft.com/technet/network/qos/default.mspx

• IPv6 – http://www.microsoft.com/ipv6
