Windows Server 2008 Foundation edition: In addition to the usual Standard, Enterprise, and Datacenter editions, Microsoft introduced Windows Server 2008 R2 Foundation edition. This is designed to be pre-installed on original equipment manufacturer (OEM) servers and used in businesses with 15 or fewer users. Windows Server 2008 R2 Foundation does not require client access licenses and cannot operate in multi-domain forests. For more on Windows Server 2008 R2 Foundation, see www.microsoft.com/windowsserver2008/en/us/foundation.aspx.
64-bit only: With Windows Server 2008 R2, Microsoft has made the plunge into an exclusively 64-bit OS. All editions of Windows Server 2008 R2 are 64-bit OSs and can only be run on a 64-bit CPU. If you are running older 32-bit hardware, you cannot upgrade to Windows Server 2008 R2 on that hardware. In most cases, this limitation will not be a problem because all modern CPUs since about 2005, particularly those designed for servers, are 64-bit CPUs. However, this 64-bit-only limitation does not apply to the Windows client line of OSs as of this writing.
256 CPU cores supported: Up from 64 CPU cores supported in the original Windows Server 2008, Windows Server 2008 R2 supports 256 CPU cores.
Server Manager enhancements: Server Manager has undergone some changes, most notably the ability to use it to remotely manage a Windows Server 2008 R2 server. This allows you to connect Server Manager to a remote server running Windows Server 2008 R2. You can create a custom MMC and add multiple instances of the Server Manager snap-in, with each instance connected to a different server. Figure 1 shows a custom MMC with three instances of Server Manager, each connected to a different server.
Other Server Manager enhancements include the Best Practices Analyzer, additional Windows
PowerShell cmdlets, and additional roles and features that can be installed from Server Manager. The
Best Practices Analyzer (BPA), available for selected roles, provides administrators with a report that
lists violations to best practices for the installation and configuration for the selected role. Figure 2
shows an example of a report produced by the BPA for the Active Directory Domain Services role.
Windows PowerShell 2.0, now installed by default on Windows Server 2008 R2, contains new
cmdlets for managing Windows Server 2008 R2, including the ability to install, uninstall, and view
information about roles and features. These cmdlets are: Add-WindowsFeature, Get-WindowsFeature,
and Remove-WindowsFeature.
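The following script is an added example, not code from the original document, showing the three cmdlets named above used together to bring a server to a declared set of roles and features. The feature list is a constructed choice for a DNS and AD management host; the feature names themselves are the real Server Manager identifiers.

```powershell
# Added example (not from the original document): make a declared set of
# roles/features present with the Server Manager cmdlets, then list what is
# installed so unneeded roles (extra attack surface) can be reviewed.
Import-Module ServerManager

# Constructed list for this example; the names are real feature identifiers.
$required = @('DNS', 'RSAT-AD-PowerShell', 'RSAT-ADDS-Tools', 'GPMC')

function Install-MissingWindowsFeature {
    param([string[]]$Names)
    $results = @()
    foreach ($name in $Names) {
        $feature = Get-WindowsFeature -Name $name -ErrorAction SilentlyContinue
        if ($feature -eq $null) {
            Write-Warning "Unknown feature name: $name"
            continue
        }
        if ($feature.Installed) {
            $results += New-Object PSObject -Property @{
                Name = $name; Action = 'AlreadyPresent'; Success = $true; RestartNeeded = 'No'
            }
        } else {
            # Add-WindowsFeature returns a result object whose RestartNeeded
            # property tells you whether the change is pending a reboot.
            $r = Add-WindowsFeature -Name $name
            $results += New-Object PSObject -Property @{
                Name = $name; Action = 'Installed'; Success = $r.Success; RestartNeeded = $r.RestartNeeded
            }
        }
    }
    $results
}

Install-MissingWindowsFeature -Names $required |
    Format-Table Name, Action, Success, RestartNeeded -AutoSize

# Everything currently installed; compare against what the server's role
# actually requires and use Remove-WindowsFeature for anything surplus.
Get-WindowsFeature | Where-Object { $_.Installed } | Select-Object Name, DisplayName
```

Run it from an elevated PowerShell session on the server being configured; Add-WindowsFeature is idempotent, so the script can be re-run safely after a reboot.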
Changes to the available roles and features in Server Manager include the renaming of Terminal Services to Remote Desktop Services, which now supports the Aero Glass UI, multiple monitors, and DirectX versions 9-11, and the renaming of Print Services to Print and Document Services. Windows Software Update Services (WSUS) can now be installed using Server Manager instead of requiring a separate download. Several new features are available in Windows Server 2008 R2 and can be installed using Server Manager. They are discussed in the appropriate sections of this document.
Server Core supports the .NET framework: The Server Core installation option of Windows Server 2008 R2 now supports a subset of the .NET framework, which, among other things, allows Server Core to run PowerShell 2.0 and ASP.NET applications.
User Account Control (UAC) changes: UAC was introduced in Windows Vista and Windows Server 2008 and is designed to reduce the likelihood that malicious software will be inadvertently installed. However, some users and administrators felt that the number of prompts they had to answer to perform common tasks was excessive. UAC in Windows Server 2008 R2 is improved by increasing the number of tasks that can be performed without administrator approval. The new and improved UAC also allows administrators to configure UAC in Control Panel (see Figure 3) to choose aspects of its behavior, such as when and if the desktop should be dimmed and whether UAC should prompt when making changes to Windows settings.
Core parking: Most systems today run one or more CPUs with multiple cores. Core parking enables the OS to suspend cores that are not in use, thereby reducing power consumption. When CPU requirements increase, suspended cores can be reactivated immediately to meet the increase in performance requirements.
depend on this service, so it is installed and enabled by default when Active Directory or ADLDS instances
are installed. ADWS requires TCP port 9389 to be open, and a Windows firewall exception is
automatically created. However, if Group Policy is used to configure the server firewall, the relevant GPO
must be edited to allow this exception. ADWS (referred to as Active Directory Management Gateway
Service) can be installed as an update for Windows Server 2008 and Windows Server 2003 servers.
Active Directory PowerShell 2.0 New Cmdlets
The Active Directory module for Windows PowerShell provides over 75 new cmdlets for managing Active
Directory and Active Directory objects. These new cmdlets allow administrators to perform a host of
configuration, administration, and diagnostic tasks in the Active Directory (and ADLDS) environment.
Although the cmdlets are too numerous to list here, the following list describes a few of the tasks that can
be performed using PowerShell:
Unlock-ADAccount: Unlock an account
Set-ADAccountPassword: Change an account password
New-ADComputer: Create a new computer account
Set-ADDefaultDomainPasswordPolicy: Change the default password policy
Set-ADDomainMode: Set the domain functional level
Set-ADFineGrainedPasswordPolicy: Modify a fine-grained password policy
New-ADGroup: Create a new group account
New-ADUser: Create a new user account
For a complete list of cmdlets available with PowerShell 2.0 and the Active Directory module, see
http://technet.microsoft.com/en-us/library/ee617195.aspx.
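The script below is an added example, not part of the original document, that ties the two preceding passages together: the Active Directory module depends on ADWS (TCP 9389), so it first confirms that endpoint answers, then uses several of the cmdlets listed above for routine account work. The domain controller name, account names, group name and policy values are constructed for the example; the domain is the one the document uses elsewhere.

```powershell
# Added example (not from the original document). Assumes a Windows Server
# 2008 R2 DC named DC01 in allaboutcomputernetworks.com (constructed).
$dc = 'DC01.allaboutcomputernetworks.com'

# ADWS listens on TCP 9389; if a GPO-managed firewall lacks the exception,
# every AD cmdlet will fail, so check the port before doing anything else.
function Test-AdwsEndpoint {
    param([string]$Server, [int]$Port = 9389, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

if (-not (Test-AdwsEndpoint -Server $dc)) {
    throw "ADWS on $dc (TCP 9389) is not reachable; check the ADWS service and the firewall/GPO exception."
}

Import-Module ActiveDirectory

# 1. Report locked-out accounts before unlocking anything: a burst of
#    lockouts across many users is a password-guessing indicator.
Search-ADAccount -LockedOut -Server $dc |
    Select-Object SamAccountName, LastLogonDate, LockedOut | Format-Table -AutoSize

# 2. Unlock one account once the cause is understood (constructed name).
Unlock-ADAccount -Identity 'jsmith' -Server $dc

# 3. Reset its password and force a change at next logon.
$newPassword = Read-Host -AsSecureString 'New temporary password'
Set-ADAccountPassword -Identity 'jsmith' -NewPassword $newPassword -Reset -Server $dc
Set-ADUser -Identity 'jsmith' -ChangePasswordAtLogon $true -Server $dc

# 4. Tighten the default domain password policy (values are illustrative).
Set-ADDefaultDomainPasswordPolicy -Identity 'allaboutcomputernetworks.com' -Server $dc `
    -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
    -MinPasswordLength 12 -ComplexityEnabled $true

# 5. Create a security group and a user, then add the user to the group.
New-ADGroup -Name 'Helpdesk Operators' -GroupScope Global -GroupCategory Security -Server $dc
New-ADUser -Name 'Ann Lee' -SamAccountName 'alee' -AccountPassword $newPassword `
    -Enabled $true -ChangePasswordAtLogon $true -Server $dc
Add-ADGroupMember -Identity 'Helpdesk Operators' -Members 'alee' -Server $dc
```

The -Server parameter pins every call to one DC so that the lockout report and the subsequent unlock are read from and written to the same replica.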
preparing for the 70-640 exam, you should study the DNS changes outlined in that section. The DNS topics
discussed in that section are:
DNS Security Extensions
DNS Cache Locking
DNS Socket Pool
DNS Devolution
2008, but only if the Active Directory Recycle Bin feature has not been enabled. Once it has been
enabled, the forest functional level cannot be changed to Windows Server 2008.
R2 introduces several changes in Active Directory object maintenance and group policy. Some changes
have already been discussed, such as the plethora of PowerShell cmdlets available for managing Active
Directory objects. The following sections discuss other changes as they pertain to this objective.
Automate Creation of Active Directory Accounts
A new process for joining Windows 7 or Windows Server 2008 R2 computers to a domain, called offline
domain join, has been introduced to allow administrators to join computers without network connectivity
to a domain. Computers can be joined to the domain the first time they start up after a new OS installation,
and they do not require a restart. The command-line program djoin.exe is used to preprovision the accounts
in Active Directory. The steps for performing an offline domain join can be found at
http://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step(WS.10).aspx, or you can
go to the Microsoft Technet site and search for "offline domain join."
Maintain Active Directory Accounts
Most services installed on a server require access to system and/or network resources. To gain access to a
resource, a running service, just like a user, must log on to the system and have the appropriate rights and
permissions granted. Windows Server 2008 has two built-in accounts that have sufficed for this purpose:
the Local System Account and the Network Service Account. However, using these two accounts for each
and every running service poses some security problems. Running services are likely to have more
privileges than they actually need, and system auditing becomes more difficult when a single account is
involved in many different types of actions.
Although you can often create a domain account for some services to use and then assign only the
necessary privileges to that account, there are problems with that solution. The biggest problem is that of
the account password. The built-in accounts automatically change their password periodically, but a
managed domain account must either have its password changed manually when the password expires or
have its password set to never expire. Both scenarios can be problematic. If an administrator must manually
change the password for an account used by a service and yet fails to do so, the service will fail to run if the
password expires. If the administrator sets the account password to never expire, the system will likely fail
a security audit. To resolve these dilemmas, Microsoft introduced managed service accounts (MSAs) in
Windows Server 2008 R2.
MSAs are accounts you can create using the New-ADServiceAccount PowerShell cmdlet. You cannot
use the GUI to create MSAs. MSAs solve the password problem by using automated password
regeneration provided by the netlogon service. MSA passwords are changed every 30 days and are 240
random characters in length. You can only use MSAs on a server running Windows Server 2008 R2 or a
computer running Windows 7; however, neither the domain nor the forest functional level need be R2. To
use MSAs, you must first run adprep /forestprep at the forest level and adprep /domainprep in each domain
where you will use MSAs. New MSAs are located in a new Active Directory folder named Managed
Service Accounts located at the root of the domain in Active Directory Users and Computers or ADAC.
You can create an MSA for as many services as you wish and assign individual permissions and rights to
each account according to the needs of the particular service. For more information on MSAs, see
http://technet.microsoft.com/en-us/library/dd548356(WS.10).aspx.
Similar to a managed service account, a virtual account is designed primarily to be used in place of
the Network Service Account. Virtual accounts use the computer account's credentials to access the
network in a domain environment. You don't create virtual accounts like you do MSAs, however. Virtual
accounts are created automatically when you configure a service by specifying "NT Service\ServiceName"
on the Log On tab of a service's properties and restarting the service. The service name can be found on the
General tab of the service's properties page. Both password fields must remain blank as the password is
automatically generated (see Figure 5). As with MSAs, virtual accounts can only be used on Windows
Server 2008 R2 or Windows 7 systems, but no change to the Active Directory schema is necessary. For more information on virtual accounts, see http://technet.microsoft.com/en-us/library/dd548356(WS.10).aspx.
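As an added example (not code from the original document) covering both the MSA and the virtual-account passages above, the script below moves a service off a never-expiring domain account onto a managed service account, and then shows the equivalent virtual-account configuration. The host, service and account names are constructed; the forest and domain are assumed to have already been prepared with adprep as described above.

```powershell
# Added example (not from the original document). Names are constructed.
Import-Module ActiveDirectory

$msaName     = 'svcReporting'   # MSA to create
$hostName    = 'APP01'          # member server (Windows Server 2008 R2) that will run the service
$serviceName = 'ReportingSvc'   # service name as shown on the General tab of its properties

# --- Run where the AD module is available (e.g. a 2008 R2 DC) ---
# The object is created under CN=Managed Service Accounts at the domain root.
# netlogon rotates its 240-character password every 30 days; no person ever
# knows it, which removes the "never expires" audit finding.
New-ADServiceAccount -Name $msaName -Enabled $true

# Bind the MSA to the single computer allowed to retrieve its password.
Add-ADComputerServiceAccount -Identity $hostName -ServiceAccount $msaName

# --- Run on the member server APP01 ---
# Pulls the MSA password into the local LSA so services can use it.
Install-ADServiceAccount -Identity $msaName
Test-ADServiceAccount -Identity $msaName    # True when the host can use the MSA

# Configure the service to run as DOMAIN\svcReporting$ (note the trailing $)
# with an empty password. sc.exe needs the space after 'obj=' and 'password='.
$domain = (Get-ADDomain).NetBIOSName
sc.exe config $serviceName obj= "$domain\$msaName`$" password= ""
Restart-Service -Name $serviceName

# --- Virtual account alternative (no AD object, no schema change) ---
# Created automatically when the service starts under this principal; on the
# network it appears as the computer account, just like Network Service.
sc.exe config $serviceName obj= "NT Service\$serviceName" password= ""
Restart-Service -Name $serviceName

# Verify the identity the service now runs under.
Get-WmiObject -Class Win32_Service -Filter "Name='$serviceName'" |
    Select-Object Name, StartName, State
```

Grant the MSA (or the virtual account, as NT Service\ReportingSvc) only the file, registry and logon rights the service actually needs; that per-service scoping is the point of moving away from Local System and Network Service.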
Starter GPOs: A number of new Starter GPOs are available in Windows Server 2008 R2 that contain recommended Group Policy settings for the Windows Vista Enterprise Client, Windows XP SP2 Enterprise Client, and several others. These Starter GPOs can be downloaded in Windows Server 2008 but are included in R2.
Administrative Templates: The primary change in Administrative Templates is an improved user interface in which the tabbed interface (consisting of Setting, Explain, and Comment) is replaced by a single box showing the content of all three tabs, as shown in Figure 6. Over 300 policy settings have been added for Windows Server 2008 R2 and Windows 7.
Group Policy PowerShell cmdlets: Over 25 new cmdlets are available in PowerShell to automate Group Policy tasks, including GPO creation and deletion, GPO linking, and creating and editing Starter GPOs.
users or security groups, and exceptions can be created for specific .exe files. An audit-only mode allows
you to see what files would be affected by the policy without actually enabling it live in the domain.
Configure Audit Policy by Using Group Policy Objects
Security auditing has been improved in Windows Server 2008 R2 by giving administrators an increased
level of detail in the information contained in auditing logs and by simplifying the deployment of auditing
policies. The new features in security auditing policy are:
Advanced audit policy settings: There are 53 audit policy settings in 10 categories available under the Advanced Audit Policy Configuration node of a GPO (see Figure 7). The original nine audit policy settings found under Local Policies/Audit Policy should not be used if these settings are configured. Details on all the settings under each category can be found at http://technet.microsoft.com/en-us/library/dd772712(WS.10).aspx.
Global Object Access Auditing: One of the 10 categories of advanced audit policies, Global Object Access Auditing allows the creation of System Access Control Lists (SACLs) on files or registry keys for an entire computer (or all computers in the scope of the GPO) rather than the administrator having to set audit policies on individual files. Keep in mind that auditing of the file system or registry must also be enabled for auditing events to be created. You do this by enabling the Object Access\Audit File System or Object Access\Audit Registry policies. Figure 8 shows the relevant dialogs involved in enabling Global Object Access Auditing.
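The commands below are an added example, not from the original document, showing the same advanced audit settings applied on a single machine with auditpol.exe (useful for testing before pushing them through a GPO): the Audit File System and Audit Registry subcategories are enabled, a global SACL is defined, and the result is verified. The principal and access mask used for the global SACL are constructed choices.

```powershell
# Added example (not from the original document). Run from an elevated prompt
# on a Windows Server 2008 R2 or Windows 7 machine.

# 1. Show the current effective policy for every category/subcategory.
auditpol /get /category:*

# 2. Enable the Object Access subcategories that Global Object Access
#    Auditing depends on (the "Audit File System"/"Audit Registry" policies
#    referred to above). Without these, the global SACL generates nothing.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Registry"    /success:enable /failure:enable

# 3. Global SACL for the file system: audit failed write attempts by any
#    principal on every file, without editing individual file SACLs.
#    /user and /access are constructed choices; FW = write-data access.
auditpol /resourceSACL /set /type:File /user:Everyone /failure /access:FW

# 4. View the global SACL now in force.
auditpol /resourceSACL /type:File /view

# 5. Object access audits are written as event ID 4663 in the Security log;
#    this pulls the most recent ones for a quick check that auditing works.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message | Format-List
```

When advanced audit policy is deployed, also enable the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings", otherwise the nine legacy settings the text says should not be used can still win on some clients.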
manually change the schema, but if the forest was upgraded from earlier versions, you must run adprep
/forestprep on the schema operations master. Next, prepare the domain by running adprep /domainprep
/gpprep on the infrastructure operations master in each domain. On RODCs, you must also run adprep
/rodcprep. Additionally, the forest functional level must be set to Windows Server 2008 R2. To enable the
Active Directory Recycle Bin once the forest and domain have been prepared at the R2 functional level,
you start the Active Directory Module for Windows PowerShell and enter the following command:
Service,CN=Windows
DC=top-level-domain
Scope
In this command, the italicized arguments are replaced by the appropriate domain components. For
example, if your domain name is allaboutcomputernetworks.com, you will replace domain with
allaboutcomputernetworks and top-level-domain with com. The argument fullyqualifieddomainname is
replaced by allaboutcomputernetworks.com.
Note: You start the Active Directory Module for Windows PowerShell on a
Windows Server 2008 R2 domain controller by going to Start/Administrative
Tools, right-clicking Active Directory Module for Windows PowerShell, and
clicking Run as administrator. Also note that you must run all the commands
discussed in this section as a member of Enterprise Admins.
For more information on how the Active Directory Recycle Bin works and how to use it, see
http://technet.microsoft.com/en-us/library/dd392261(WS.10).aspx.
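The script below is an added example (not the document's own command, which did not survive extraction above) that enables the Active Directory Recycle Bin for the forest used as the example in the text and then restores a deleted user. It uses the real Enable-ADOptionalFeature cmdlet and the feature's fixed distinguished name under the Configuration partition; the deleted account name is constructed. Run it as a member of Enterprise Admins from the Active Directory Module for Windows PowerShell, after the adprep steps described above.

```powershell
# Added example (not from the original document). Forest from the text's
# example; the user name at the end is constructed.
Import-Module ActiveDirectory

$forestFqdn = 'allaboutcomputernetworks.com'

# Enabling the Recycle Bin is irreversible and requires the R2 forest mode,
# so refuse to continue unless the forest really is at that level.
$forest = Get-ADForest -Identity $forestFqdn
if ($forest.ForestMode -ne 'Windows2008R2Forest') {
    throw "Forest mode is $($forest.ForestMode); raise it to Windows2008R2Forest first."
}

# Build DC=allaboutcomputernetworks,DC=com from the FQDN, then the feature DN.
$domainDn  = (($forestFqdn -split '\.') | ForEach-Object { "DC=$_" }) -join ','
$featureDn = "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service," +
             "CN=Windows NT,CN=Services,CN=Configuration,$domainDn"

# Only enable it once; EnabledScopes is empty while the feature is off.
if (-not (Get-ADOptionalFeature -Identity $featureDn).EnabledScopes) {
    Enable-ADOptionalFeature -Identity $featureDn -Scope ForestOrConfigurationSet `
        -Target $forestFqdn -Confirm:$false
}

# List deleted user objects. With the Recycle Bin on, they keep all their
# attributes (including group membership) until the deleted-object lifetime
# expires, so a restore is a full recovery rather than a tombstone reanimation.
Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq 'user' } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Select-Object Name, lastKnownParent, whenChanged | Format-Table -AutoSize

function Restore-DeletedAdUser {
    param([string]$SamAccountName)
    $obj = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $SamAccountName } `
        -IncludeDeletedObjects
    if ($obj -eq $null) { throw "No deleted object with sAMAccountName $SamAccountName" }
    Restore-ADObject -Identity $obj.ObjectGUID
}

Restore-DeletedAdUser -SamAccountName 'jsmith'   # constructed example
```

Restore-ADObject puts the object back under its lastKnownParent; if that OU was itself deleted, restore the OU first, or the restore fails.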
Monitor Active Directory
The major change in an administrator's ability to monitor Active Directory comes with the new Active
Directory Best Practices Analyzer (BPA), discussed earlier, and the new cmdlets for the Active Directory
Module for Windows PowerShell. The BPA is available for Active Directory Domain Services (ADDS),
DNS Server, Remote Desktop Services, and Active Directory Certificate Services (ADCS). The BPA can
be run using Server Manager or PowerShell cmdlets.
The BPA works by comparing actual configuration information of installed services to a set of rules
that defines a best-practices configuration. A report is generated showing discrepancies between the actual
configuration and the best-practices configuration. The configuration settings verified include:
DNS configuration: Verifies that all required host (A or AAAA), global service (SRV), and alias (CNAME) records exist and that the DNS server can be reached by the domain controller.
FSMOs: Verifies all operations masters are present and reachable.
Two DCs are present: Verifies that two domain controllers for the domain are present and reachable.
Required services: Verifies that all required services are present and running, including ADDS, ADWS, and the Active Directory Module for PowerShell.
Backup: Verifies that critical partitions have been backed up and that OUs are protected from deletion.
For more information on the Best Practices Analyzer, see http://technet.microsoft.com/en-us/library/dd759260.aspx.
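Running the BPA from PowerShell rather than Server Manager makes it easy to scan several roles on a schedule and keep only the findings that need action. The script below is an added example, not from the original document; the ADDS and DNS model identifiers are the real Windows Server 2008 R2 ones, the model ID is passed positionally so the same line works with either name of that parameter, and the report path is constructed.

```powershell
# Added example (not from the original document). Run elevated on the DC.
Import-Module BestPractices

# Real 2008 R2 model IDs for the ADDS and DNS Server roles.
$models = @('Microsoft/Windows/DirectoryServices', 'Microsoft/Windows/DNSServer')

function Get-BpaFindings {
    param([string[]]$ModelIds)
    foreach ($id in $ModelIds) {
        # Invoke-BpaModel performs the scan and stores the results;
        # Get-BpaResult reads them back. Model ID is passed positionally.
        Invoke-BpaModel $id | Out-Null
        Get-BpaResult $id |
            Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded } |
            Select-Object @{ n = 'Model'; e = { $id } }, Severity, Category, Title, Problem, Resolution
    }
}

$findings = Get-BpaFindings -ModelIds $models

# Console summary: one line per rule violation, most severe first.
$findings | Sort-Object Severity | Format-Table Model, Severity, Title -AutoSize -Wrap

# Keep a dated copy so drift between scans is visible (path is constructed).
$reportDir = 'C:\Reports'
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
$findings | Export-Csv -Path (Join-Path $reportDir ("bpa-" + (Get-Date -Format 'yyyyMMdd') + ".csv")) -NoTypeInformation
```

Findings you have consciously accepted can be suppressed with Set-BpaResult so they stop appearing in the Excluded-filtered output; do not suppress Error-severity items about missing SRV records or unreachable operations masters, since those directly affect authentication.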
In addition, organizations that use NAP with IPSec, which generally results in high-volume CAs with
large databases, can choose to bypass some of the standard CA database operations. The result is smaller
database sizes and higher performance certificate operations.
Authentication mechanism assurance is designed for domains that utilize federation services
(ADFS) or certificate-based authentication methods, such as smart card or token-based authentication. This
mechanism adds information to the user's Kerberos token about the type of authentication used. This allows
administrators to modify permissions based on how the user authenticates. For example, users can have
access to different resources if they log in with certificates versus when they log in with just their
usernames and passwords.
When authentication mechanism assurance is enabled and a user authenticates using a certificate, a universal group membership is added to the user's Kerberos access token. This universal group can be used to assign permissions and rights to users based on the fact that they authenticated via a certificate; they wouldn't have it if they authenticated using some other method. To learn more about this feature, see http://technet.microsoft.com/en-us/library/dd391847(WS.10).aspx.
so that important Web traffic is routed first and less-important or non-work-related Web traffic can be
assigned a lower priority.
Multiple active firewall profiles: In Windows Server 2008 and Windows Vista, only a single firewall profile can be active at a time. A system with multiple network adapters connected to two different networks (e.g., one domain and one public) can only have one firewall profile active: the most restrictive, which in this example would be the public profile. With this new feature in Windows Server 2008 R2 (and Windows 7), traffic coming into the domain network is protected by the domain profile and traffic coming into the public network is protected by the public profile.
TCP chimney offload: This performance enhancement for Windows Server 2008 R2 and Windows 7 allows an administrator to configure some of the TCP processing to occur on a compliant network interface rather than on the computer's CPU. The feature is enabled by default on 10 GB Ethernet adapters. To enable it on capable 1 GB Ethernet adapters, the administrator must enter the following command at an administrator command prompt: netsh int tcp set global chimney=enabled.
lookup. Cache locking can be configured as a percentage of the TTL. By default, the value is set to
100, which means cached entries cannot be overwritten for the entire TTL duration. A value of 50
would cause the cache to be locked until half the TTL time elapsed. Configuration is done by changing
the value stored by the CacheLockingPercent registry key.
DNS Socket Pool: DNS socket pools cause the DNS server to choose a random source port from a pool rather than use a predictable source port. A predictable source port makes the server susceptible to DNS cache-poisoning attacks by allowing an attacker to send a spoofed response to a DNS server. This feature is enabled by default on servers with security update MS08-037 installed. The dnscmd.exe command-line program can be used to configure the size of the socket pool and excluded port ranges.
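The commands below are an added example, not from the original document, that read and set the cache-locking and socket-pool values described in the two passages above with dnscmd.exe on a Windows Server 2008 R2 DNS server and then confirm them in the registry key the text mentions. The excluded port range is a constructed value.

```powershell
# Added example (not from the original document). Run elevated on the DNS server.

# Current values; dnscmd /Info prints each as "Dword: <value>".
dnscmd /Info /CacheLockingPercent
dnscmd /Info /SocketPoolSize

# Cache locking: 100 keeps every cached record for its full TTL, so a spoofed
# answer arriving early cannot overwrite a still-valid entry. The text's
# example value of 50 would protect entries for only half their TTL.
dnscmd /Config /CacheLockingPercent 100

# Socket pool: source ports for outbound queries are drawn at random from a
# pool of this many ports (2500 is the default); a larger pool makes the port
# harder to predict. Exclude a range another service on this host needs.
dnscmd /Config /SocketPoolSize 2500
dnscmd /Config /SocketPoolExcludedPortRanges 49152-49200   # constructed range

# Both settings are read at service start.
Restart-Service -Name DNS

# Confirm via the registry (CacheLockingPercent is the key the text refers to;
# a value that is absent means the default of 100 is in effect).
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' |
    Select-Object CacheLockingPercent, SocketPoolSize, SocketPoolExcludedPortRanges
```

A lower CacheLockingPercent lets the cache pick up legitimate record changes sooner at the price of a wider window for poisoning; on a resolver that also forwards for clients, keeping it at 100 is the safer default.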
to. For details on deploying DNSSEC, see http://technet.microsoft.com/en-us/library/ee649268(WS.10).aspx.
Configure Name Resolution for Client Computers
DNS devolution is a new feature on Windows Server 2008 R2 and Windows 7 DNS resolvers that allows
administrators to configure how the DNS resolver devolves DNS queries. DNS devolution is the process of
a DNS resolver climbing up the DNS namespace until a match is found or the maximum number of
devolutions is reached. For example, suppose a host named ServerA is a resource in the
SUVS.NA.Honda.com namespace. My computer is a member of the CRV.SUVS.NA.Honda.com domain.
My domain suffix is set to CRV.SUVS.NA.Honda.com, so when my computer generates a DNS query for
ServerA, by default the query generated will be ServerA.CRV.SUVS.NA.Honda.com. When that query
produces a negative result, the resolver devolves the query by using the next part of the DNS namespace,
namely, SUVS.NA.Honda.com. The number of domain components (not including the host name) present
in the query is called the devolution level. So a query of ServerA.NA.Honda.com represents a devolution
level of 3, and a query of ServerA.Honda.com is devolution level 2. What's new is that administrators can
set the devolution level on DNS clients using Group Policy, thereby controlling to which level the DNS
resolver will attempt a query before giving up.
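To make the devolution rule concrete, the function below is an added example, not from the original document, that reproduces the sequence of names a resolver tries for a given primary DNS suffix and devolution level, using the ServerA and CRV.SUVS.NA.Honda.com example from the text. It is useful for checking what a proposed Group Policy devolution level would allow before deploying it, because every extra level is one more parent zone in which an unqualified name could be answered by a host you did not intend.

```powershell
# Added example (not from the original document). Pure name arithmetic; it
# does not send any DNS queries.
function Get-DevolvedQueryNames {
    param(
        [string]$HostName,
        [string]$PrimarySuffix,
        [int]$DevolutionLevel = 2
    )
    $labels = $PrimarySuffix -split '\.'
    $names  = @()
    # Start with the full suffix and drop the leftmost label each round, as
    # long as at least $DevolutionLevel domain components remain.
    for ($i = 0; ($labels.Count - $i) -ge $DevolutionLevel; $i++) {
        $suffix = ($labels[$i..($labels.Count - 1)]) -join '.'
        $names += "$HostName.$suffix"
    }
    return $names
}

# The text's example: a CRV.SUVS.NA.Honda.com member looking up ServerA.
Get-DevolvedQueryNames -HostName 'ServerA' -PrimarySuffix 'CRV.SUVS.NA.Honda.com' -DevolutionLevel 2

# Raising the level to 3 stops the climb one step earlier.
Get-DevolvedQueryNames -HostName 'ServerA' -PrimarySuffix 'CRV.SUVS.NA.Honda.com' -DevolutionLevel 3
```

With a devolution level of 2 the function returns the four names from ServerA.CRV.SUVS.NA.Honda.com down to ServerA.Honda.com, matching the levels the text assigns; with a level of 3 the last of those, ServerA.Honda.com, is never tried.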
Note: You can also connect to DirectAccess from Windows Server 2008 R2.
DirectAccess-enabled Internet-connected client computers are constantly connected to the private network;
there is no need for manual connections. In addition, administrators can manage the remote computers as
long as they are connected to the Internet; there is no need for clients to have an active VPN connection as
is the case with traditional VPN remote access. This allows mobile computers to stay updated with current
policies and software updates transparently; users do not even have to be logged on for the computer to be
managed.
DirectAccess is built upon existing technologies, primarily IPSec and IPv6. IPSec is used to
authenticate the computer and the user so the computer is available to be managed before the user even logs
on. IPv6 is used for communication between the client computer and DirectAccess server through an IPSec
tunnel. Unlike with traditional VPNs, this process works even when the client computer is behind a
firewall. There are a number of configuration details involved in setting up a DirectAccess infrastructure
that are beyond the scope of this document. For a technical description of DirectAccess and setup details,
see http://technet.microsoft.com/en-us/library/dd637827(WS.10).aspx.
Configure Network Policy Server
Network Policy Server (NPS) improvements in Windows Server 2008 R2 are fairly minor, but heavy users
of NPS for centralizing the management of network access will benefit from these changes. NPS templates
can be used to configure elements of NPS, such as RADIUS. The templates can be used on NPS servers
and exported for use on other NPS servers, thus providing a more manageable and consistent NPS
environment. Improvements in RADIUS accounting allow easy configuration of either text file or
Microsoft SQL Server logging.
Server 2008 R2 servers. BranchCache uses the Background Intelligent Transfer Service (BITS) in a
domain-based environment. BranchCache allows clients located in branch offices to access copies of
shared files located in the cache of a local server rather than having to access remote servers across a
WAN. The first time a client accesses a file, the file is retrieved from the remote server hosting the file.
From that point on, subsequent requests for the file are served from the local BranchCache server until the
file changes. BranchCache works with both the HTTP and SMB protocols, so files from both Web and file
servers can be cached.
BranchCache has two operational modes:
Host cache mode: Cached files are stored on a local Windows Server 2008 R2 server and clients access the files using a typical client/server model.
Distributed cache mode: Each Windows 7 client computer hosts its own cache, and the Windows 7 clients operate in a peer-to-peer network model. When a Windows 7 client computer accesses a file for the first time, the file is retrieved from the remote server and cached locally. The Windows 7 client computer then makes the file available to other Windows 7 computers that request it.
Another file server enhancement will be useful for administrators using a combination of Windows,
Linux, Unix, and/or Mac OS in their networks, namely Services for NFS, which adds several features to
enhance manageability and security. A feature called Netgroup allows administrators of the Service for
NFS on Windows Server 2008 R2 servers to create named groups of hosts that will simplify NFS login and
NFS access control lists. A remote procedure call (RPC) security feature called RPCSEC_GSS enables the
Service for NFS feature to use Kerberos authentication, thereby simplifying and improving security.
Administrators who like to take advantage of the scripting capabilities of Windows Management
Instrumentation (WMI) will be happy to know that Service for NFS can be managed using Web-Based
Enterprise Management (WBEM) through WMI.
Configure Distributed File System
A number of changes to Distributed File System (DFS) have found their way into Windows Server 2008
R2. Most of them focus on performance management and improved replication features. Here are short
descriptions of them:
Support for access-based enumeration: Access-based enumeration (ABE) is not new, but it is for DFS. With ABE enabled on a DFS namespace, users can only see the folders in the namespace for which they have at least Read permission. In the past, if a user had access to the namespace root, they could see all the folders underneath the root whether they had permission or not.
Large namespace performance gains: Networks with more than 5000 domain-based DFS folders will see an improvement in the time it takes for the DFS Namespace service to start. Overall domain-based DFS performance is improved when the number of DFS folders exceeds 50,000.
DFS replication on failover clusters: Failover clusters can be added as members of a DFS replication group, allowing DFS replication to fail over to another server when the primary server fails.
Read-only replicated folders: The ability to use DFS Management to mark a folder read-only, thereby disallowing user changes to the files in that folder, has been added to DFS. Marking a replicated folder as read-only can also be done using the command-line program Dfsradmin.
New performance counters: You can monitor DFS performance more closely using three new DFS Namespace counters in Performance Monitor: DFS Namespace Service API Queue, DFS Namespace Service API Requests, and DFS Namespace Service Referrals. For explanations about these counters, open Performance Monitor, select the counter, and click Show description.
Selected folders and files: Individual files and folders can be backed up rather than requiring full-volume backups, and files or folders can be excluded from a backup.
System state backups: System state backups can be included with data backups and can be scheduled from the Windows Server Backup program rather than requiring the command-line wbadmin program.
Netsh Trace: The familiar Netsh command includes a trace context that integrates with NDF and network tracing and allows network packet capture and filtering. Using Netsh trace, particular network components can be selected, such as TCP/IP or Wireless LAN Services, to troubleshoot specific issues related to those components.
Deploying Servers
The deployment of servers is a topic that covers quite a bit of ground. The most relevant changes made in
Windows Server 2008 R2 pertain to Windows Deployment Services, Hyper-V, high availability
configuration, and storage configuration, as detailed in the following sections.
Deploying Images by Using Windows Deployment Services
The process of deploying Windows Server 2008 R2 and Windows 7 images has been improved by several
new tools, including the following:
Windows Automated Installation Kit (WAIK): The WAIK has been improved with tools such as the Deployment Image Servicing and Management command-line program that is used to add and remove device drivers, enable/disable Windows features, configure updates, and add or remove language packs. The User State Migration Tool (USMT) has been upgraded to version 4.0 and is now part of the WAIK. USMT 4.0 makes migration of user accounts and their profiles to new Windows systems more streamlined, and hard-link migration, a new feature in USMT, allows in-place migrations where the old OS is removed and the new one installed on the same system. Finally, virtual hard disks (VHDs) can be used to boot a system, obviating the need to image physical disks. Since a VHD is nothing more than a large file, it can be deployed to compatible systems by simple file copies rather than the more complex disk imaging process.
Microsoft Deployment Toolkit: This collection of tools automates Windows installations using Zero Touch Installation (ZTI), requiring no user interaction, or Lite Touch Installation (LTI), using minimal user interaction. ZTI requires the Microsoft System Center Configuration Manager 2007.
Windows Deployment Services: Windows Deployment Services (WDS) is a familiar server role available in Windows Server 2008. However, the new version in Windows Server 2008 R2 includes enhanced multicast support and driver provisioning. Multicast allows you to deploy images to multiple systems by sending the image only once across the network. Driver provisioning allows you to deploy boot images along with driver packages specific to the system hardware. Another improvement to WDS includes support for VHDs in unattended installations.
downtime as the memory exchange does not occur in real time. However, as part of a planned Hyper-V
host migration, quick migration can be used to migrate several VMs to a new host at the same time.
Dynamic VM storage: Hyper-V 2.0 supports hot-add/hot-remove storage. Both virtual and physical disks can be added to or removed from a running VM as long as Hyper-V integration services is installed on the VM.
Improved scalability: Hyper-V 2.0 supports up to 8 (or 64 in the Datacenter edition) physical processors, up to 64 CPU cores, and up to a terabyte of RAM. As many as 384 guests can be running at a time on a Hyper-V server, and 16 nodes per cluster are supported. Network enhancements include VM chimney, which provides the aforementioned TCP offload feature by mapping virtual networks to specific virtual network interfaces on the host machine. Jumbo frames (frames from 1518 bytes to over 900 bytes) are also supported.
Configure High Availability
Changes to the configuration of Windows Server 2008 R2 high availability technologies primarily involve
failover clusters. Failover cluster management has been improved with a Windows PowerShell interface
and new PowerShell cmdlets. The new cmdlets allow common management and configuration tasks to be
scripted. Enhancements in cluster shared volumes make clustered VM configuration easier and make the
use of shared volumes more flexible; for example, VHDs no longer must be stored on a separate physical
disk and can instead be shared by other VHDs using the same LUN.
The Cluster Validation Wizard has been improved with additional validation tests that allow
administrators to fine-tune their cluster configuration before deploying it. DFS and Remote Desktop
Connection Broker can now be configured as clustered services, bringing additional aspects of your
applications infrastructure into the high availability realm. In addition, the Migration Wizard allows cluster
settings for additional services to be migrated from clusters running on Windows Server 2003, Windows
Server 2008, and Windows Server 2008 R2 servers. For more information on specific migration paths, see
http://technet.microsoft.com/en-us/library/ee791924(WS.10).aspx.
Configure Storage
Storage configuration has been enhanced in Windows Server 2008 R2 in the following areas:
iSCSI initiator: The UI has been redesigned and can now be run on Server Core installations. A new
feature called Quick Connect, shown in Figure 9, allows fast, single-click connections to storage
devices. In addition, servers booting from external iSCSI devices have the option of up to 32 boot
paths.
MPIO improvements: Because MPIO presents one device over several paths, it was sometimes difficult for
administrators to diagnose the health of an individual path. New health and configuration reporting
improves MPIO device management and troubleshooting. In addition, load balancing policies can be
displayed and configured using the new MPClaim command-line utility.
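As an added example (not part of the original document), the commands below walk through the storage tasks just described from a PowerShell prompt, which also works on a Server Core installation: installing MPIO, starting the iSCSI initiator, discovering and logging in to a target, letting MPIO claim the iSCSI disks, and then reporting path health and setting a load-balancing policy with mpclaim. The portal address and target IQN are assumptions; iscsicli.exe and mpclaim.exe are the built-in tools.

```powershell
# Added example; not from the original document. The portal address and target
# IQN are assumptions. iscsicli.exe and mpclaim.exe ship with the OS.
Import-Module ServerManager
Add-WindowsFeature Multipath-IO             # a reboot is required the first time

# Make the Microsoft iSCSI Initiator service start automatically and start it now.
Set-Service  -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI

# Discover the targets behind a portal and log in to one of them.
iscsicli QAddTargetPortal 10.0.1.10
iscsicli ListTargets
iscsicli QLoginTarget iqn.2010-01.example.storage:lun1

# Let MPIO claim iSCSI-attached disks. The quoted string is Microsoft's fixed
# device identifier for the iSCSI bus; -r reboots so the claim takes effect.
mpclaim -r -i -d "MSFT2005iSCSIBusType_0x9"

# After the reboot: list MPIO disks, then the paths (and their state) behind disk 0.
mpclaim -s -d
mpclaim -s -d 0

# Set the load-balancing policy for disk 0. Policy numbers:
# 1 Fail Over Only, 2 Round Robin, 3 Round Robin with Subset,
# 4 Least Queue Depth, 5 Weighted Paths, 6 Least Blocks.
mpclaim -l -d 0 4
```

The QLoginTarget session is not persistent; add the target as a favorite (Quick Connect does this for you) or use the initiator's persistent login options so the disk returns after a reboot, and check the policy you set against what the storage vendor recommends for the array.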
Perhaps the most obvious change to this objective is the name, which was formerly Configure Terminal
Services. All the Terminal Services-related role services now use the term Remote Desktop instead of
Terminal Services (see Figure 10). In most cases, "Terminal Services" is simply replaced by "Remote
Desktop"; for example, the role service Terminal Services Gateway is now Remote Desktop Gateway.
However, a few role service and management tool names changed more than that, as shown in Table 1.
Table 1. Role service and management tool name changes from Terminal Services to Remote Desktop Services
Old name                    New name
Terminal Server             Remote Desktop Session Host
TS Session Broker           Remote Desktop Connection Broker
TS RemoteApp Manager        RemoteApp Manager
VMs running on a Hyper-V host and are available through RemoteApp and Desktop Connection or the
Remote Desktop Web Access interface. Virtual desktops give users a personal desktop hosted on a Hyper-V
server, making backup and maintenance more manageable than with physical desktop computers. Virtual
desktop pools allow users to check out a desktop, perhaps with a specific application or OS installed, and
return the desktop to the pool when they are finished. Desktop pools are useful for training and
testing, or for running enterprise applications without having to maintain the applications on individual
users' desktops.
Configure Remote Desktop Gateway
Remote Desktop Gateway brings with it a number of enhancements for Windows Server 2008 R2,
primarily related to session control and authentication. Administrators can configure idle timeouts,
disconnecting users who are not actively using the session and freeing up gateway server resources;
when such users become active again, their former session state is reestablished. Session timeouts (a
maximum session length) allow administrators to enforce new policies on currently active sessions, so
that changes in accounts or security policies take effect almost immediately without administrators having
to wait for a user to end an active session.
Another improvement in Remote Desktop Gateway is integration with Network Access Protection
(NAP), which lets Remote Desktop Gateway servers check connecting client computers against health
policies before granting access. Furthermore, system and logon messages can be displayed on remote
desktops, just as they are on local desktops, giving administrators a way to inform users of system events
such as downtime and system updates, as well as logon messages shown before users access remote resources.
Configure Remote Desktop Connection Broker
Remote Desktop Connection Broker can be configured for session load-balancing in a remote desktop
server farm as well as automatic session reconnection. The new session reconnection feature will reconnect
disconnected remote desktop sessions with the same server in a load-balanced server farm. In previous
versions, a disconnected session would, upon reconnection, be connected to the first available server in the
farm, causing the user's previous state to be lost.
Configure Remote Desktop Licensing
A few minor changes have occurred in the Remote Desktop Licensing role service. In earlier versions of
Terminal Services Licensing, discovery scopes were configured, which allowed terminal servers to
automatically discover license servers. In Windows Server 2008 R2, the name of the license server must be
specified to the Remote Desktop Session Host. Client Access License (CAL) management is improved with
a new Remote Desktop Licensing Manager wizard that allows migration of Remote Desktop CALs and
easier rebuilds of the licensing database. To migrate licenses from one License Server to another, both
servers must be running Windows Server 2008 R2.
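Because discovery scopes are gone, the license server has to be named explicitly on each Remote Desktop Session Host. This added example (not from the original document) does that with the Win32_TerminalServiceSetting WMI class rather than the Remote Desktop Session Host Configuration tool, which is useful when the host is a Server Core installation or when many hosts must be configured consistently. The license server name is an assumption.

```powershell
# Added example; not from the original document. The license server name is an assumption.
# The TerminalServices WMI namespace requires packet-privacy authentication when
# accessed remotely; the flag is harmless locally.
$rds = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                     -Class Win32_TerminalServiceSetting `
                     -Authentication PacketPrivacy

# Name the license server(s) this RD Session Host will use (comma-separate several).
$rds.SetSpecifiedLicenseServerList('RDLIC01.corp.example')

# Set the licensing mode: 2 = Per Device, 4 = Per User.
$rds.ChangeMode(4)

# Read both settings back to confirm.
$rds.GetSpecifiedLicenseServerList().SpecifiedLSList
(Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
               -Class Win32_TerminalServiceSetting).LicensingType
```

The same two settings can be pushed by Group Policy (Computer Configuration, Remote Desktop Services, Remote Desktop Session Host, Licensing), which is the better choice for a farm; the WMI route is handy for a one-off host or for auditing what a host is actually configured with.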
Configure Remote Desktop Session Host
The most important change to configuring Remote Desktop Session Host involves IP address virtualization
for remote desktop connections. This feature resolves issues in which each instance of an application
running on a Remote Desktop Session Host server requires a unique IP address. In earlier versions, all
sessions shared the IP address assigned to the server. With IP virtualization, an administrator assigns a
network ID, and IP addresses are assigned for each session or application as necessary.
that once used standard service accounts can now use managed service accounts to further increase
security.
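As an added example that is not part of the original document, the following PowerShell shows the end-to-end workflow for moving a service onto a managed service account: create the MSA in the domain, bind it to the computer allowed to use it, install it on that computer, and reconfigure the service to log on with it. The account, host, domain, and service names are assumptions; the cmdlets are from the Active Directory module in Windows Server 2008 R2.

```powershell
# Added example; not from the original document. Account, host, domain and service
# names are assumptions. The forest schema must be at the Windows Server 2008 R2 level.
Import-Module ActiveDirectory

# 1. On a domain controller or admin workstation: create the MSA and bind it to the
#    host that may use it. In Windows Server 2008 R2 an MSA can be installed on one
#    computer only; its 240-character password is rotated automatically every 30 days.
New-ADServiceAccount -Name 'svc-app' -Enabled $true
Add-ADComputerServiceAccount -Identity 'APP01' -ServiceAccount 'svc-app'

# 2. On APP01 itself: install the account locally and confirm the host can use it.
Install-ADServiceAccount -Identity 'svc-app'
Test-ADServiceAccount -Identity 'svc-app'

# 3. Reconfigure the service to log on as the MSA. The account name ends in '$' and
#    the password is left empty because Windows manages it.
sc.exe config 'AppService' obj= 'CORP\svc-app$' password= ''
Restart-Service -Name 'AppService'
```

The MSA still needs the "Log on as a service" user right on APP01 (grant it through local security policy or a GPO), and any ACLs the service relied on under its old account must be re-granted to CORP\svc-app$. The security win is that no administrator ever knows the password, so it cannot be reused, shared, or left unchanged for years.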
Server Core gets .NET: The Server Core installation option in Windows Server 2008 did not include
the .NET Framework, which limited the types of applications the IIS server role could run on Server
Core and kept Windows PowerShell off Server Core entirely. With Windows Server 2008 R2, .NET
Framework versions 2.0, 3.0, 3.5.1, and 4.0 are supported on Server Core, so ASP.NET applications and
PowerShell cmdlets can now run there.
Document Summary
General changes from Windows Server 2008 to Windows Server 2008 R2 include a new Windows Server 2008 R2
Foundation edition as well as the move to 64-bit-only versions of the server OS and support for up to 256 CPU
cores, up from 64. Server Manager can now be used to manage remote servers and create custom MMCs to manage
multiple servers with one console.
The new Best Practices Analyzer provides best practice reports for a number of installed server roles, and
PowerShell 2.0 provides dozens of new cmdlets for managing server roles and features. User Account Control
changes make performing common tasks simpler while maintaining security.
General changes in Windows Server 2008 R2 that relate to the 70-640 exam objectives include Active Directory
Administrative Center, Active Directory Web Service, and many new PowerShell 2.0 cmdlets for managing all
aspects of Active Directory environments.
Other 70-640-related changes include a new domain and forest functional level, a new feature called offline domain
join, and managed service accounts and virtual accounts for increasing security on services that require system or
network logon. Group Policy changes include new Group Policy Preferences, new Starter GPO templates, and an
improved user interface for working with Administrative Templates. Rounding out the major changes in Active
Directory configuration are the new AppLocker feature for managing user application access and the Active
Directory Recycle Bin. Active Directory Certificate Service changes include the Certificate Enrollment Web Service
and authentication mechanism assurance.
General changes in Windows Server 2008 R2 that relate to the 70-642 exam objectives include URL-based QoS,
multiple active firewall profiles, and TCP chimney offload.
Name resolution is made more secure by DNS cache locking, DNS socket pool, and DNSSEC. DNS devolution
changes enhance DNS resolver management. VPN Reconnect and DirectAccess are two new features that make
remote access to the corporate network more secure and convenient for user and administrator. BranchCache is the
most significant change in configuring a file server; and for Unix/Linux users, Netgroup makes using NFS in a
Windows environment simpler and more secure.
DFS improvements include support for ABE and better performance. Windows Server Backup has been revamped
to be faster and more flexible, while print services has added location-aware printing and printer driver isolation.
Network monitoring is enhanced with Network Diagnostic Framework, Network Tracing, and the Netsh Trace
command.
Changes in Windows Server 2008 R2 that relate to the 70-643 exam objectives include improvements to Windows
Automated Installation Kit, User State Migration Tool 4.0, and Zero Touch Installation and Lite Touch Installation,
which are new features in the Microsoft Deployment Toolkit. WDS adds better multicast support and driver
provisioning.
Hyper-V has seen several improvements, including live migration, dynamic VM storage, and scalability
enhancements, with support for up to 64 CPU cores and a terabyte of RAM. High availability upgrades include the
Cluster Validation Wizard and the addition of several services that can be clustered, including DFS and Remote
Desktop Connection Broker. In addition, improvements were made to the iSCSI initiator and MPIO to enhance
storage configuration options.
The Terminal Services role and related role services have been renamed Remote Desktop Services. RemoteApp and
Remote Desktop Web Access have seen enhancements for client connections to remote desktop hosted applications,
including public and private modes, per-user application filtering, and single sign-on. Remote Desktop
Virtualization Host is a new role service that allows provisioning of personal virtual desktops or a desktop from a
virtualization pool.
Web Services Infrastructure configuration is impacted by the upgrade to IIS 7.5, which includes the Best Practices
Analyzer, request filtering, WebDAV and FTP upgrades, and .NET Framework availability on Server Core. Network
Application Services configuration is primarily impacted by the change from Windows SharePoint Services to
Microsoft SharePoint Foundation 2010.
Key Terms
Active Directory Recycle Bin Allows administrators to recover deleted Active Directory and AD LDS
objects, with their attributes and group memberships intact, without having to perform a DS restore
operation or a tombstone reanimation procedure.
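The following added example (not from the original document) shows the Recycle Bin workflow with the Active Directory module cmdlets: enabling the feature, setting the deleted object lifetime, listing logically deleted objects, and restoring a deleted user to its last known parent. The forest name, configuration partition DN, and user name are assumptions.

```powershell
# Added example; not from the original document. Forest name, partition DN and the
# user's account name are assumptions. Enabling the Recycle Bin requires the
# Windows Server 2008 R2 forest functional level and cannot be undone.
Import-Module ActiveDirectory

Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
    -Scope ForestOrConfigurationSet -Target 'corp.example'

# Deleted object lifetime: how many days a logically deleted object stays
# restorable before it becomes a recycled object (default 180).
Set-ADObject -Identity 'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=corp,DC=example' `
    -Partition 'CN=Configuration,DC=corp,DC=example' `
    -Replace @{ 'msDS-DeletedObjectLifetime' = 180 }

# List logically deleted objects (skipping the Deleted Objects container itself),
# with where they came from and when they were deleted.
Get-ADObject -Filter { isDeleted -eq $true -and name -ne 'Deleted Objects' } `
    -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Select-Object Name, ObjectClass, lastKnownParent, whenChanged

# Restore one deleted user. Restore-ADObject puts it back under lastKnownParent
# with its group memberships, so no tombstone reanimation or DS restore is needed.
Get-ADObject -Filter { sAMAccountName -eq 'jdoe' -and isDeleted -eq $true } `
    -IncludeDeletedObjects | Restore-ADObject
```

If the object's original parent OU was deleted as well, restore the OU first (or use -TargetPath on Restore-ADObject); a restore into a parent that no longer exists fails. Recycled objects, the state after the lifetime expires, cannot be restored this way.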
AppLocker A new section of a GPO that succeeds Software Restriction Policies and reduces overhead for
administrators by allowing them to define application rules based on the publisher information in an
application's digital signature (publisher, product name, file name, and version), on its path, or on its file hash.
authentication mechanism assurance Adds information to the user's Kerberos token (as a group membership)
about the type of authentication used, which allows administrators to grant or restrict access based on how the
user authenticated, such as by certificate or smart card.
automated password regeneration Passwords used by MSAs that are changed every 30 days and are 240
random characters in length. See managed service accounts (MSAs).
Best Practices Analyzer (BPA) This new Server Manager enhancement shows administrators a report that
lists violations to best practices for the installation and configuration for the selected role.
BranchCache Allows clients located in branch offices to access copies of shared files located in the cache
of a local server rather than having to access remote servers across a WAN.
Certificate Enrollment Web Service Part of Certificate Services, this new role service enables certificate
enrollment over HTTP.
deleted object lifetime A value that defines the period of time that a deleted object can be restored using
the Recycle Bin.
DirectAccess Allows seamless, secure, and flexible client connections from a Windows 7 Enterprise or
Ultimate client to a Windows Server 2008 R2 DirectAccess server. DirectAccess-enabled, Internet-connected
client computers are constantly connected to the private network; there is no need for manual connections.
DNS cache locking A new DNS security feature that prevents a cached record from being overwritten by new
data until a configurable percentage of its TTL (100 percent by default) has elapsed, which blunts cache
poisoning attempts that try to replace a valid record before it expires.
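As an added example that is not part of the original document, these commands set and verify the two cache-hardening settings on a Windows Server 2008 R2 DNS server: cache locking and the socket pool, both of which the document lists among the name resolution security changes. The values chosen are illustrative.

```powershell
# Added example; not from the original document. Run on a Windows Server 2008 R2
# DNS server; the values are illustrative.

# Cache locking: refuse to overwrite a cached record until this percentage of its
# TTL has elapsed. 100 (the R2 default) locks it for the full TTL; 0 disables locking.
dnscmd /Config /CacheLockingPercent 100

# Socket pool: number of randomized UDP source ports the server draws from for
# outbound queries (default 2500). A larger pool makes a spoofed answer less likely
# to match the port the query went out on.
dnscmd /Config /SocketPoolSize 5000

# Both settings live under the DNS service parameters and take effect after a restart.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' |
    Select-Object CacheLockingPercent, SocketPoolSize
Restart-Service -Name DNS
```

If the server sits behind a firewall that restricts outbound UDP source ports, exclude those ports with dnscmd /Config /SocketPoolExcludedPortRanges before enlarging the pool, or queries from the excluded range will silently fail.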
DNS devolution A new feature on Windows Server 2008 R2 and Windows 7 DNS resolvers that allows
administrators to configure how the DNS resolver devolves DNS queries.
DNSSEC An Internet standard set of DNS security extensions defined by RFCs 4033 through 4035 that uses
public key cryptography and digital signatures so that a resolver can verify that DNS response data is
authentic and unmodified (origin authentication and data integrity). It does not encrypt DNS traffic.
Global Object Access Auditing Allows the creation of System Access Control Lists (SACLs) on files or
registry keys for an entire computer (or all computers in the scope of the GPO) rather than the administrator
having to set audit policies on individual files.
Lite Touch Installation (LTI) Part of the Microsoft Deployment Toolkit, LTI automates Windows
installations requiring minimal user interaction.
live migration Allows a running virtual machine to be moved between Hyper-V servers without
disconnecting client computers that are using it.
location-aware printing A new Print Services feature that allows mobile users to set different default
printers for the different networks they connect to.
logically deleted A deleted object state in which the deleted object is stored in the Deleted Objects
container and all attributes and linked values (such as group memberships) are preserved.
managed service accounts (MSAs) Domain accounts, created with the New-ADServiceAccount
PowerShell cmdlet, whose passwords are generated and rotated automatically; they enhance security by
replacing the use of the Local System account, the Network Service account, or a shared domain user account
for services that need a domain identity.
multi-configuration System Health Validator (SHV) A new feature for Network Access Protection
(NAP) in which administrators can specify multiple SHV configurations that can be selected when a health
policy is configured.
Netgroup Allows administrators of the Service for NFS on Windows Server 2008 R2 servers to create
named groups of hosts, which will simplify NFS login and NFS access control lists.
NPS templates Used to configure elements of NPS, such as RADIUS. The templates can be used on NPS
servers and exported for use on other NPS servers, thus providing a more manageable and consistent NPS
environment.
offline domain join A new feature that allows administrators to join computers without network
connectivity to a domain. Computers can be joined to the domain the first time they start up after a new OS
installation and do not require a restart.
printer driver isolation Allows printer drivers to run in a process isolated from the print spooler. The
isolation prevents misbehaving print drivers from bringing down the entire print spooler process.
quick migration A method of migrating VMs in which a copy of the VM memory is made to disk storage
and when the new server takes over the VM, the memory is read from disk storage. Requires some
downtime of the VM.
recycled object A deleted object state in which most of the linked values and attributes of the object are
deleted and the object will soon be removed from the Active Directory database.
Remote Desktop Virtualization Host A new role service in Windows Server 2008 R2. Using Remote
Desktop Virtualization Host along with RemoteApp and Desktop Connection, administrators can create
virtual desktops for use as personal desktops or for use in desktop pools.
virtual account Similar to a managed service account, a virtual account is designed primarily to be used in
place of the Network Service Account. Virtual accounts use the computer account's credentials to access
the network in a domain environment. See managed service accounts.
VPN Reconnect After an Internet connection disruption, VPN Reconnect automatically reestablishes a
VPN connection without requiring the user to reenter credentials.
Zero Touch Installation (ZTI) Part of the Microsoft Deployment Toolkit, ZTI automates Windows
installations requiring no user interaction.