643
TS: Windows Server 2008 Applications Infrastructure, Configuring
Contents
Skills Being Measured
Deploying Servers
Windows Deployment Services
Important Features of Windows Server 2008 Deployment
How Does Windows Deployment Services Work?
Multicast Support in Windows Deployment Services
Managing Images by Using ImageX
Process for Installing Windows Deployment Services
TechNet Virtual Lab: Deployment Services (WDS) in Windows Server 2008 Beta 3
KMS Activation
Prerequisites for KMS Activation
Known Issues for KMS Activation
Steps for Installing, Configuring, and Deploying KMS Activation
KMS Hosts
KMS Publishing to DNS
Steps for Configuring KMS Publishing to DNS
KMS Clients
Configure Windows Server Hyper-V and virtual machines
Virtualization Scenarios in Windows Server 2008
What Is Virtualization?
TechNet Webcast: Virtualization and Windows Server 2008 (Level 300)
Overview of the Production Server Consolidation Scenario
Overview of the Business Continuity Management Scenario
Overview of the Dynamic Datacenter Scenario
Overview of the Test and Development Scenario
Virtualization Features in Windows Server 2008
Features of System Center Virtual Machine Manager
Configure high availability
TechNet Webcast: Achieving High Availability with Windows Server 2008 Clustering (Level 200)
What Is Failover Clustering?
Process for Validating the Server Environment for Clustering
Requirements for Installing Failover Clustering
How to Install Failover Clustering
Implementing Network Load Balancing in Windows Server 2008
Implementing High Availability and Virtualization in Windows Server 2008
TechNet Virtual Lab: Windows Server 2008 Enterprise Failover Clustering Lab
Windows Server 2008 Availability and Scalability Article
Configuring Terminal Services
Core Functionality of Terminal Services
Overview of Functionalities of Terminal Services
What Is Terminal Services Licensing?
Considerations for Implementing Terminal Services Licensing
Implementing Terminal Services Remote Programs
What Are Terminal Services Remote Programs?
How to Manage Remote Programs
Implementing Terminal Services Web Access
How to Implement Terminal Services Web Access
Implementing Terminal Services Gateway
What Is Terminal Services Gateway?
Considerations for Planning the Terminal Services Gateway Installation
Installing the Terminal Services Gateway Role
Managing Terminal Services by Using Windows System Resource Manager
What Is Windows System Resource Manager?
Summary
Core Functionality of Terminal Services
Implementing Terminal Services Remote Programs
TechNet Virtual Lab: Centralized Application Access with Windows Server 2008 Beta 3
Implementing Terminal Services Web Access
Implementing Terminal Services Gateway
Managing Terminal Services by Using Windows System Resource Manager
TechNet Virtual Lab: Managing Terminal Services Gateway and RemoteApps in Windows Server 2008
Configuring a Web Services Infrastructure
Manage Internet Information Services (IIS)
TechNet Webcast: End-to-End Overview of Internet Information Services 7.0 (Level 200)
Benefits of the IIS 7.0 Server Role
Features of the Administrative Tools in IIS 7.0
Configuration Files in IIS 7.0
Options for Replicating Settings between Servers
Options for Managing Security in IIS 7.0
Options for Troubleshooting IIS 7.0
TechNet Virtual Lab: Using APPCMD Command Line or UI with IIS 7 in Windows Server 2008
Configuring Network Application Services
Configure Windows Media server
Configuring Advanced Streaming Solutions in Windows Media Server
Options for Configuring Security in Windows Media Server
Active Directory Rights Management Service
Features
Requirements
capture Windows Deployment Services images; deploy Windows Deployment Services images; server core
Configure storage.
May include but is not limited to: RAID types; Virtual Disk Specification (VDS) API; Network Attached Storage; iSCSI and fibre channel Storage Area Networks; mount points
The installation process of Windows Server 2008 is simplified with the new image-
based installation technology. Many organizations use traditional sector-based
images that are difficult to update. To deal with this problem, a new imaging process
has been introduced in Windows Server 2008. Some of the components involved in
the new imaging process are:
The Windows Imaging (WIM) format is a file-based disk image format. The following are the benefits of
using a file-based image format over the typical sector-based image format:
Windows Server 2008 is modularized: the setup files are composed of multiple
components rather than a single monolithic file. The following are the benefits of
modularizing Windows Server 2008:
• You can add device drivers, service packs, and updates to the image
files offline without installing the image on a computer.
• You can customize certain Windows components, based on your
requirements.
• You can update a component without re-creating the image when an
update is introduced.
• You can deploy multiple language versions of the operating system in a
single image file because the core Windows components are not
language-specific.
Windows PE 2.0
By using Windows System Image Manager (SIM), you can create and manage
unattended Windows Setup answer files in a GUI. You can use answer files,
which are XML-based files, to configure and customize the default Windows
installation.
Script-based installations
WDS includes extensive support for using the command line and scripting to
enable remote, automated, and repeatable deployment scenarios. For
example, ImageX, Migration, and SIM are completely scriptable.
WDS is the updated version of Remote Installation Services (RIS). WDS allows rapid
adoption and deployment of Windows operating systems. By using WDS, you can
deploy new computers through network-based installation. You can install Windows
Server 2008 or Windows Vista by using WDS.
WDS Components
1. Create an answer file by using SIM. The steps to create an answer file
are:
o Build a catalog and then create a new blank answer file.
o Add components and configure Windows settings.
o Validate the answer file and then save it to removable media.
2. Build a master installation by using the product DVD and your answer
file. A master installation is a customized installation of Windows,
which you can duplicate onto one or more destination computers.
3. Create an image of the master installation by using Windows PE and
ImageX technologies. The steps to create an image of the master
installation are:
o Create a CD that you can use to start Windows PE.
o Start the master installation by using Windows PE media.
o Capture the installation image by using ImageX.
o Store the image on a network share.
4. Deploy the image from a network share onto a destination computer
by using Windows PE and ImageX technologies. The steps to deploy
the image from a network share are:
o Start the computer by using Windows PE media.
o Format the hard drive.
o Connect to your network share and copy the custom image
down to the destination computer's local hard drive.
o Apply the image by using ImageX.
Multicast Support in Windows Deployment Services
The main benefit of multicast is optimized network performance. If you want to send
the same data to multiple TCP/IP clients, it is more efficient to send that data to all
clients at once, rather than sending multiple separate transmissions.
WDS supports a new multicast protocol that has congestion control and flow control.
With this protocol, clients can request an image at any time and either trigger a new
multicast deployment or join an existing deployment mid-transmission and still receive
all the data. Windows Server 2008 can perform ImageX multicast deployments
without requiring a full WDS installation or Active Directory: it includes a
command-line multicast client that can run within Windows Server 2008, Windows PE,
Windows Vista, Windows XP SP2, and Windows Server 2003 SP2.
ImageX is a command-line tool that you can use to create and manage WIM image
files (the file-based image format used for Windows Vista and Windows Server 2008
installation). By using ImageX, you can store multiple images in a single image file
and mount WIM image files as folders. You can also edit images offline by using ImageX.
Features of ImageX
ImageX enables you to manage file-based disk images. ImageX works with
WIM files to build and deploy disk images. By using ImageX you can:
Using ImageX
ImageX includes a number of command-line options that you can use to view
and manage a WIM file. The following are some of the common commands
and their functions:
• Info. This command is used to return information about the WIM file.
• Capture. This command is used to capture a volume image from a
drive to a new WIM file.
• Apply. This command is used to apply a volume image to a specified
drive.
• Append. This command is used to add a volume image to an existing
WIM file and create a single instance of the file.
• Delete. This command is used to remove the specified volume image
from a WIM file.
• Mountrw. This command mounts a WIM file with read/write permission, so that
the contents of the image can be modified.
• Unmount. This command is used to unmount an image from a specified
directory.
You can install the WDS server role on Windows Server 2008 and configure it to
deploy images to clients as long as the underlying infrastructure (AD DS, DHCP, and
DNS) is in place. After installing the role, you configure WDS by using the Windows
Deployment Services MMC snap-in or the WDSUTIL command-line utility.
The WDS service is installed as a server role. Once the WDS server role is
installed, launch the WDS MMC snap-in, add the server to it, and authorize the
server in AD DS.
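The capture-and-deploy procedure above (build the master, capture it with ImageX, store it on a share, apply it) and the WDS server set-up, worked through as an added example that is not from the original guide. Step 1 is typed at the Windows PE command prompt on the sysprepped master computer; step 2 at an elevated prompt on the WDS server. The share \\deploy01\images, the drive letters, image names, image group, and the prestaged device name and GUID are placeholders, and the example assumes imagex.exe from the Windows AIK and wdsutil.exe from the installed WDS role.

```powershell
# Added example, not from the original guide. Placeholders: \\deploy01\images,
# drive letters, image names, image group, device name and GUID.

# ---- Step 1: inside Windows PE on the sysprepped master computer ----
# C: holds the master installation; Z: is mapped to the image share.
net use Z: \\deploy01\images /user:CONTOSO\deploy *

# Capture the volume into a new WIM. /check adds integrity data, /verify
# re-reads the data as it is written, /compress maximum keeps the file small.
imagex.exe /capture C: Z:\master-ws08.wim "WS2008 Master" "Sysprepped Windows Server 2008 master" /check /verify /compress maximum

# Confirm the image index and size before leaving the master machine.
imagex.exe /info Z:\master-ws08.wim

# Manual deployment without WDS: boot the target into Windows PE, partition
# and format its disk with diskpart, then apply image index 1 to C:.
#   imagex.exe /apply Z:\master-ws08.wim 1 C:

# ---- Step 2: on the WDS server, elevated ----
# Initialize the server with its RemoteInstall folder on an NTFS volume.
wdsutil.exe /Initialize-Server /RemInst:"D:\RemoteInstall"

# Answer only prestaged (known) clients, so an arbitrary machine that
# PXE-boots on the subnet is not offered an installation.
wdsutil.exe /Set-Server /AnswerClients:Known

# Add the boot image from the product DVD (E:) and the captured install image.
wdsutil.exe /Verbose /Add-Image /ImageFile:"E:\sources\boot.wim" /ImageType:Boot
wdsutil.exe /Add-ImageGroup /ImageGroup:"WS2008"
wdsutil.exe /Verbose /Add-Image /ImageFile:"\\deploy01\images\master-ws08.wim" /ImageType:Install /ImageGroup:"WS2008"

# Prestage the computer account for a known client by its BIOS GUID
# (32 hex digits; the value here is a placeholder).
wdsutil.exe /Add-Device /Device:SRV-APP01 /ID:00000000000000000000000000000000

# Review the resulting server configuration (answer policy, images, paths).
wdsutil.exe /Get-Server /Show:Config
```

The /AnswerClients:Known setting is the one to check before the server goes on a production subnet: with /AnswerClients:All, any machine that PXE-boots is offered the image list.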
KMS Activation
• Changing the Renewal Interval will not take effect on a KMS client until after the
change is received by the client and the software licensing service (slsvc) is
restarted or the client computer restarted.
• Beta versions of KMS (including Windows Server 2008 beta hosts) cannot support
activation of released Windows Vista clients.
To manually create a KMS SRV record in DNS, see the following sections:
• Manually Create KMS SRV Records in DNS
• Guidance for creating KMS SRV Records on Non-Microsoft DNS hosts
To install, configure, deploy, and activate KMS clients, perform the steps in the
following sections:
Notes:
1. You should always use the KMS key from the highest product group your
organization has licensed. This way, you are assured that all licensed KMS clients in
your organization can be activated. You do not need multiple KMS hosts to support
multiple product groups on your network.
2. If you install KMS on a virtual machine that is later moved to a different
physical host, the operating system will detect that the underlying hardware has
changed and the KMS host will require reactivation with Microsoft.
3. If you want to use a Windows Server 2003 computer (with Service Pack 1 [SP1] or
later) as the KMS host computer, download KMS from the Microsoft Download Center
at http://go.microsoft.com/fwlink/?LinkID=82964 for x86 systems or
http://go.microsoft.com/fwlink/?LinkId=83041 for x64 systems.
4. You can verify the KMS host is set up correctly by observing the KMS count and by
reviewing the KMS event log entries. Run slmgr.vbs /dli on the KMS host to obtain
the current KMS count. The KMS Event Log 12290 entries will show the name of the
computer and the time-stamp for each activation request.
If you have an existing volume license and then purchase a new volume license for
a Windows edition in a higher product group, you should upgrade your existing KMS
hosts.
For a KMS host with Internet access, run the following from an elevated Command
Prompt – waiting for each step to complete before moving on to the next.
Slmgr.vbs /ato
For a KMS host which does not have Internet access, you will have to phone activate
the KMS. Run the following from an elevated command prompt and follow the on-
screen prompts to phone activate:
Slui 4
NOTE Installing a new KMS key will erase the KMS cache. The KMS n-count will need
to be rebuilt. This should happen automatically as clients regularly reconnect to
renew their activations.
It is a good idea to stop and restart the licensing service after applying a new key.
For Windows Vista and Windows Server 2008 KMS hosts, the licensing service is
named slsvc.exe. On KMS for Windows Server 2003, the licensing service is named
sppsvc.exe.
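The host-side steps above (install the new key, activate, restart the licensing service, then verify with the KMS count and event 12290), collected as an added example that is not from the original guide. It assumes a Windows Server 2008 KMS host with Internet access, an elevated PowerShell prompt, and a placeholder product key.

```powershell
# Added example, not from the original guide. The product key is a
# placeholder; run from an elevated PowerShell prompt on the KMS host.
$Slmgr  = "$env:SystemRoot\System32\slmgr.vbs"
$KmsKey = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"   # replace with your KMS host key

# Drive slmgr.vbs with cscript so its messages print to the console instead
# of appearing in dialog boxes.
cscript //nologo $Slmgr /ipk $KmsKey

# Activate the host online. On a host without Internet access run
# "slui 4" here instead and follow the phone activation prompts.
cscript //nologo $Slmgr /ato

# A new key clears the KMS activation cache; restart the Software Licensing
# service so the key (and any renewal-interval change) takes effect.
Restart-Service -Name slsvc

# Licence status and the current KMS count. The count must reach 5 before
# Windows Server 2008 clients activate and 25 for Windows Vista clients.
cscript //nologo $Slmgr /dli

# Recent activation requests: event 12290 in the "Key Management Service"
# log records the client name and time stamp of each request.
wevtutil qe "Key Management Service" /q:"*[System[(EventID=12290)]]" /c:10 /rd:true /f:text
```

On a host that was just rekeyed, expect the count reported by /dli to start again from zero and climb as clients renew.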
KMS publishes its host name and the configured TCP port in the SRV record. One record
exists per KMS host in the domain.
Clients query DNS and retrieve a list of KMS SRV records. They select a KMS host
randomly from this list and then attempt to use this information to connect to the
KMS. If the connection is successful, the KMS location is cached for subsequent
connections. Otherwise, the process repeats until the client is able to connect to a
KMS or until the list is exhausted.
Advantages of using SRV records include:
• Clients that will need access to KMS hosts across another domain or forest are able to do
so.
Notes:
• The following procedures assume the use of Active Directory and Microsoft DNS.
Configuring non-Microsoft DNS services like BIND is outside the scope of this guide.
However, a section has been included to detail the required content of a KMS SRV
record. See Guidance for creating KMS SRV Records on Non-Microsoft DNS hosts for
more information.
• If you are using Active Directory and Microsoft's DNS server, you must be a member of
the Domain Administrators group, have delegated privileges, or have arranged for the
procedures to be carried out by the authority responsible for DNS in your organization.
Equivalent requirements apply for non-Microsoft DNS services.
* Port 1688 is the default. If the KMS host is configured to use a custom port, input that
port number instead.
** The Host Name field requires the FQDN of the KMS host. For example:
KMS01.contoso.com
If a custom port for the KMS is used and the SRV records are manually maintained,
be certain to change the port data in the SRV record to match the custom port
configured on the KMS. Otherwise, the KMS clients will not be able to communicate
with the KMS host.
NOTE If DDNS is to be used, DNSSEC, ACLs, and any other security mechanisms must be
configured to allow the KMS host to write its SRV and A resource records to the
necessary DNS zones. Grant that write permission to the KMS host computer accounts
only, not to every client. Alternatively, a static SRV RR can be created in any zone
where it is needed.
If DDNS is not supported, an administrator can manually create the necessary SRV
record for a KMS host. It should contain the following information:
Name = _vlmcs._TCP
Type = SRV
Priority = 0
Weight = 0
Port = 1688 (or the custom port configured on the KMS host)
Host = the FQDN of the KMS host, for example KMS01.contoso.com
In a sample BIND 9.x zone file, a proper KMS SRV RR looks like this:
Notes:
• Priority and Weight are not used by the KMS service and are ignored by the KMS
client. However, they do need to be included in the zone file.
• Port 1688 is the default port, but it can be changed on the KMS and KMS client
computers. For more information, see Configure Optional KMS Host Settings.
To configure a BIND 9.x DNS server to support KMS auto-publishing, the BIND server
must be set up to accept resource record updates from the KMS host. The simplest
zone option, added to the zone definition in named.conf (or named.conf.local), is:
allow-update { any; };
This accepts unauthenticated updates from every address, so any host on the network
can rewrite the zone, including the _vlmcs record that clients use to locate the
KMS host. Restrict the allow-update address match list to the KMS host addresses, or
require TSIG-keyed updates, rather than using any.
KMS Clients
This section includes procedures for installing and configuring computers as KMS
clients.
If a client computer mostly connects through virtual private network (VPN), and is past
the activation or renewal period, it will attempt to connect to a KMS host five minutes
after establishing a VPN connection. You can force the computer to refresh its activation
by adjusting the Renewal Interval at the KMS; the change will be propagated to all KMS
clients the next time the client renews its activation.
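The manual SRV record from the DNS publishing section and the client-side commands from this section, as one added example that is not from the original guide. It creates the record on a Microsoft DNS server with dnscmd, shows the BIND 9.x equivalent and a restricted allow-update list, then pins a client to the host, activates it, and returns it to DNS discovery. The zone contoso.com, host kms01.contoso.com, DNS server dns01, address 10.0.0.5 and port 1688 are placeholders.

```powershell
# Added example, not from the original guide. Placeholders: zone contoso.com,
# KMS host kms01.contoso.com, DNS server dns01, port 1688, address 10.0.0.5.

$Zone      = "contoso.com"
$KmsHost   = "kms01.contoso.com"
$Port      = 1688            # match the custom port if the KMS host uses one
$DnsServer = "dns01"
$Slmgr     = "$env:SystemRoot\System32\slmgr.vbs"

# --- On (or remotely against) a Microsoft DNS server, with DNS admin rights ---
# dnscmd <server> /RecordAdd <zone> <name> SRV <priority> <weight> <port> <target>
# Priority and weight are ignored by KMS clients, but the fields are required.
dnscmd $DnsServer /RecordAdd $Zone _vlmcs._tcp SRV 0 0 $Port "$KmsHost."

# Query the record the way a KMS client does and check the host and port.
nslookup -type=SRV "_vlmcs._tcp.$Zone" $DnsServer

# BIND 9.x equivalent, one line in the contoso.com zone file:
#   _vlmcs._tcp   IN SRV 0 0 1688 kms01.contoso.com.
# If the KMS host is to register the record itself, limit dynamic updates to
# its address instead of "allow-update { any; };":
#   zone "contoso.com" { type master; file "contoso.com.zone";
#                        allow-update { 10.0.0.5; }; };

# --- On a KMS client that cannot rely on the SRV record (another forest,
#     no DNS publishing, or a client that connects mostly over VPN) ---
# Pin the client to a host; this bypasses the _vlmcs lookup entirely.
cscript //nologo $Slmgr /skms "$($KmsHost):$Port"

# Request activation now rather than at the next scheduled attempt, then
# show the detailed state: the KMS host used and the next renewal time.
cscript //nologo $Slmgr /ato
cscript //nologo $Slmgr /dlv

# Remove the pin so the client returns to DNS auto-discovery.
cscript //nologo $Slmgr /ckms
```

If the nslookup output shows a port other than the one the KMS host listens on, clients will discover the host but fail to connect; fix the SRV record rather than the client.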
What Is Virtualization?
In earlier versions of Windows Server, Virtual Server and Virtual PC were used for
virtualization. In a computer running Windows Server 2008, virtualization requires
64-bit hardware and the 64-bit version of the operating system. The 64-bit
environment provides additional processing power and a large addressable memory
space. Windows Server 2008 provides a powerful platform to run multiple
virtualized operating systems that use up to eight processors.
One of the important scenarios for virtualization in Windows Server 2008 is server
consolidation. In the server consolidation scenario, organizations can use
virtualization to reduce the number of physical servers that they need to deploy,
while maintaining service levels or supporting legacy operating systems and
applications.
When you reduce the number of servers in the datacenter, you can significantly
decrease the cost of running the servers. For example, you can reduce electrical
costs for cooling and costs for server power consumption and may be able to reduce
the overall datacenter physical footprint. By moving the servers on a standardized
platform rather than having a variety of systems to support them, you can reduce
operational costs. Server management becomes easier because you need to
manage fewer servers.
Windows Server 2008 provides additional features to enhance the management of
multiple servers running virtualization. For example, you can use group policies to
apply consistent policies to all servers hosting virtualization in the domain. Windows
Server 2008 provides health-monitoring tools that can be used to monitor the health
and performance of the Windows Virtualization servers.
Virtualization also provides virtual machine migration, which means that you can
move virtual machines from one Windows virtualization server to another. If one
host computer needs to be taken offline for maintenance, you can move the
virtualized operating system to another host without disrupting service availability.
You can also enable automatic failover of datacenter operations to a recovery site.
This gives you the ability to replicate, automatically fail over, and resume
operations in a recovery site with minimal disruption to network services.
If you deploy Windows Server 2008 servers without virtualization, it can be very
difficult to manage changes in the IT environment. If the demand for a network
service increases and the resources of the server providing it are over-utilized,
it is difficult to add server resources to meet the increased demand. If demand
decreases and the server hosting the service is under-utilized, the investment in
that server's resources is wasted. The goal of the dynamic datacenter is to easily
and rapidly reallocate server resources among the servers on the network to ensure
the optimal use of server hardware, while providing highly available network services.
Virtualization can help you to meet the goals of the dynamic datacenter by ensuring
that all server resources are appropriately sized and used. If the demand for a
network service increases, you can dedicate more hardware resources from the host
computer to the virtual machine. In this manner, you can maximize hardware
utilization.
Virtualization can also reduce IT complexity and management effort in the dynamic
datacenter. Virtualization decouples the workload from the server hardware and makes
it easy to provision workloads rapidly. Because the virtual machine is not dependent
on a particular host or host configuration, you can easily move the virtual machine to
another host, or modify the hardware dedicated to the virtual machine on the
current host, depending on your organizational requirements.
One of the most often used scenarios for virtualization is the test and development
scenario. Many organizations have implemented virtualization technologies in their
test environment to reduce the hardware requirements for the test lab.
Virtualization can also streamline test and development efforts. For example,
virtualization can significantly reduce the time required to provision test and
development environments. By using virtualization, you can rapidly duplicate a
production environment to ensure the validity of any tests that you perform.
Virtualization also makes it easy to run multiple test scenarios. Because you can
save changes to the virtual machine at any point during the testing process, you
can easily duplicate test scenarios for multiple passes. You can also run through
different test scenarios on the same virtual machine without rebuilding the test lab
environment.
Hardware Support for Virtualization
In Windows Server 2008, hardware support, such as 32-bit (x86) and 64-bit (x64)
child partitions, symmetric multiprocessing (SMP) (2/4/8) core virtual machines
(VM), and large memory support (>32GB) within VMs, is available for virtualization.
To install virtualization, the host server must meet the following requirements:
• 64-bit hardware. You can install virtualization only on servers running 64-bit
hardware. Virtualization supports both Intel and AMD processors.
• Hardware assisted virtualization. You must enable hardware assisted
virtualization on the host computer. To enable this feature, you must
configure Intel Virtualization Technology or AMD Pacifica.
• Hardware enabled Data Execution Prevention (DEP). You must configure DEP
on the host computer. To configure this, use the AMD no-execute (NX) bit or
the Intel execute disable (XD) features.
• Windows Server 2008 (Longhorn Server) x64 Enterprise or Datacenter edition. You
must install a 64-bit version of Windows Server 2008 on the server. Windows
Server 2008 installs in the parent partition. You can install the full installation
of Windows Server 2008, or you can install Server Core.
Note
You must install the 64-bit version of Windows Server 2008 on the host computer,
but you can run both 64-bit and 32-bit versions of Windows Server 2008 as virtual
operating systems.
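A pre-flight check of a prospective host against the requirements listed above, as an added example that is not from the original guide. It reads the OS architecture, processor address width and hardware DEP state from WMI; for the VT-x/AMD-V check it assumes Sysinternals coreinfo.exe is on the PATH, because Windows Server 2008 does not expose that processor capability through WMI. PowerShell 2.0 is assumed.

```powershell
# Added example, not from the original guide. Assumes PowerShell 2.0 and, for
# the VT-x/AMD-V check, Sysinternals coreinfo.exe on the PATH.
function Test-HyperVHostPrereqs {
    $os  = Get-WmiObject Win32_OperatingSystem
    $cpu = Get-WmiObject Win32_Processor | Select-Object -First 1

    $checks = @{}
    # A 64-bit parent partition on a 64-bit processor.
    $checks["64-bit operating system"] = ($os.OSArchitecture -eq "64-bit")
    $checks["64-bit processor"]        = ($cpu.AddressWidth -eq 64)
    # Hardware DEP (AMD NX / Intel XD) must be present and enabled in firmware.
    $checks["Hardware DEP available"]  = [bool]$os.DataExecutionPrevention_Available

    # Intel VT / AMD-V: "coreinfo -v" prints VMX (Intel) or SVM (AMD) followed
    # by '*' when the feature is present. $null means the check was not possible.
    $checks["Hardware-assisted virtualization"] = $null
    if (Get-Command coreinfo.exe -ErrorAction SilentlyContinue) {
        $text = (& coreinfo.exe -accepteula -v 2>$null) -join "`n"
        $checks["Hardware-assisted virtualization"] = [bool]($text -match '(?m)^(VMX|SVM)\s+\*')
    }

    $checks.GetEnumerator() | Sort-Object Name |
        ForEach-Object { "{0,-36} {1}" -f $_.Name, $_.Value }
}

Test-HyperVHostPrereqs
```

A False for hardware DEP or virtualization usually means the feature is present but disabled in the BIOS; both must be switched on and the machine power-cycled before the Hyper-V role will start.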
• Windows Server 2008 Server Core as the parent operating system. Server
Core is a version of Windows Server 2008 that does not provide a graphical
user interface (GUI) to manage the server. If you use Server Core as the
parent operating system, you reduce the attack surface on the host computer
and the resources required to run the host computer.
• Group policy integration. You can use group policies to publish configuration
changes to Windows Virtualization servers on a domain. The group policy
settings can be applied to the parent operating system or the virtual
operating system.
• Non-Microsoft guest operating system support. You can run earlier versions of
Windows and non-Microsoft operating systems as virtual operating systems.
• Dynamic and secure networking. You can dynamically add or remove virtual
network interface cards and take advantage of underlying virtual local area
network (VLAN) security when configuring the network connections for virtual
machines. You can also configure features, such as Network Address
Translation (NAT), firewall, or quarantine settings, for virtual machines.
• Virtual machine snapshots. You can dynamically create multiple checkpoints
of the current state for any virtual machine, and revert to any previous
checkpoint. This can be useful during testing.
• Scripting interface. Virtualization supports Windows PowerShell, a rich
scripting interface that can be used to monitor and control the virtual
machine environment.
• Live virtual machine migration. You can move virtual machines, which are
running, from one Windows Virtualization server to another without disrupting
the operating system availability.
• Manages server consolidation. When you deploy a virtual machine, the Virtual
Machine Manager analyzes performance data and resource requirements for
both the workload and the host. This console allows you to fine-tune
placement algorithms to get the best-matched deployment
recommendations. You can use the historical performance data to understand
the actual resource requirements of the workload. Then, check the minimum
CPU, disk, RAM, and network capacity requirements in the virtual machine
configuration. After determining the virtual machine requirements, you have
to gather the performance data for candidate virtual machine hosts. Finally,
you have to factor in the pre-selected business rules to optimize placement
recommendations, either for resource maximization or for load balancing, and
to weigh the importance of different resource types for the workload.
• Manages Physical-to-Virtual (P2V) conversions. Virtual Machine Manager
improves the Physical-to-Virtual user experience by integrating the
conversion process and by using the Volume Shadow Copy Service (VSS) of
Windows Server 2003. VSS lets you create the virtual machine faster and
without interrupting the physical source server.
• Provisions new machines. Virtual Machine Manager enables quick
provisioning of new virtual machines. Using the wizard-based user interface,
you can rapidly deploy virtual machines from approved templates. Virtual
Machine Manager also allows you to manage and reallocate existing virtual
machines between virtual machine hosts, giving you an integrated and
holistic view of your virtual and physical infrastructure.
• Offers Library for managing virtual machines. The library organizes not only
stored virtual machines but also the various virtual machine building blocks
such as virtual hard disks, CD and DVD media, ISO images, post deployment
customization scripts, hardware configurations and templates.
• Offers a familiar administration interface. The Virtual Machine Manager
Administrator console is built on the System Center Operations Manager 2007
user interface, so administrators who know Operations Manager can quickly
become proficient in managing virtual machines. You can do comprehensive
health monitoring of hosts, virtual machines, and library servers by using the
Virtual Machine Manager components, which are provided through the
Virtualization Management Pack in Operations Manager 2007.
You can use the Validate a Configuration Wizard to verify that the computers,
storage, and network configuration meet the requirements for setting up a cluster.
You can use the Validate a Configuration Wizard to run tests to confirm that the
hardware and the hardware settings are compatible with failover clustering. You can
run a complete set of configuration tests, or you can select only the tests that you
want to run.
You can run the tests on a set of servers and storage devices before or after you
have configured them as a failover cluster. However, the failover cluster feature
must be installed on all servers that are included in the tests. You can use the
Validate a Configuration Wizard to run the System Configuration test, Inventory
Tasks test, Network tests, and Storage test.
System Configuration
This test validates that the system software and configuration settings are
compatible across the servers.
Inventory
These tests collect the hardware, software, and configuration details of each
server so that the other tests can compare them across the cluster nodes.
Network
This test validates that the network is set up correctly for clustering. It
includes verifying that there are at least two network adapters for each
server and that each network adapter has a different IP address.
The test also validates that the computers can communicate on all network
connections.
Storage
This test validates that the storage configured for the failover cluster
supports the functions the cluster requires, including that all the
computers can access the shared storage needed for the quorum disk.
Before installing a two-node failover cluster in Windows Server 2008, you need to
ensure that the servers, network, storage, and infrastructure fulfill certain
requirements.
Server
You require two identical failover cluster computers that are compatible with
Windows Server 2008. The servers should have identical components,
including identical processors of the same brand, model, and version.
The servers must run Windows Server 2008 Enterprise edition and have the
same hardware version, such as 32-bit, x64, or Itanium. The servers should
also have the same software updates and service packs.
Network
Storage
If you are using Serial Attached SCSI (SAS) or Fibre Channel, you need to use
identical mass-storage device controllers that are dedicated to the cluster
storage. The controllers must also run identical firmware versions.
You should have either a network adapter or a host bus adapter that is
dedicated to the cluster storage. This is required if you are using iSCSI. If you
are using a network adapter, it must be dedicated to iSCSI.
The storage should contain at least two separate logical unit numbers (LUNs)
that are configured at the hardware level. One volume functions as the
quorum disk, and the other contains the files that are shared to users.
Infrastructure
The servers in the cluster must use Domain Name System (DNS) for name
resolution. You can also use the DNS dynamic update protocol.
All servers in the cluster must be in the same Active Directory domain. As a
best practice, all clustered servers should have the same domain role either
as member server or domain controller. However, it is recommended that you
configure the member server role for the clustered servers.
You need to perform various steps to install failover clustering in Windows Server
2008. First, you configure the networks on each cluster node and connect the
servers to the cluster storage. You then install the Failover Clustering feature on
all servers in the cluster. Finally, you run the Cluster Validation Wizard and the
Create Cluster Wizard to analyze the nodes and create the cluster.
To ensure a successful installation, you must configure the following services on the
clustered server:
Configure the networks on each node in the cluster. To implement a failover cluster,
you must create at least two separate networks for network communication. You
should install two network interface cards in each node and then configure separate
IP addresses on separate networks for each network card.
Connect the servers to the cluster storage. Because failover clustering requires a
shared storage disk, you must configure the servers to enable access to the shared
storage. You must have at least two LUNs available, one for the quorum disk and the
other for storing data.
Install the failover cluster feature on all servers. All servers participating in the
cluster must be running Windows Server 2008 Enterprise edition.
Run the Cluster Validation Wizard. The wizard analyzes all the nodes that will
participate in the cluster. After running the wizard, review the report and
resolve any issues it identifies.
Run the Create Cluster Wizard. When you run the wizard, you must identify the
servers that need to be included in the cluster, the name of the cluster, and any IP
address information that is not automatically supplied by Dynamic Host
Configuration Protocol (DHCP).
Configure servers in a cluster. Before the cluster provides any service, you must
install and configure the services on the clustered servers. For example, if you are
creating a file server cluster, you should use the Manage Failover Cluster option in
the Failover Cluster console to add file server roles. You can also use the Manage
Failover Cluster option to configure options such as the name of the clustered file
server and the storage locations used by the file server.
When you configure NLB between servers, the network load is shared between the
servers. In earlier versions of Windows Server, you could perform NLB by using
Internet Protocol version 4 (IPv4) only. With Windows Server 2008, you can also
configure NLB by using Internet Protocol version 6 (IPv6). You can implement NLB
between two Internet Information Services (IIS) servers. After configuring NLB, you
can integrate it with Terminal Services to reconnect users to their existing sessions.
NLB enables you to balance loads between IIS servers, over IPv6 as well as IPv4. By
using the Terminal Services session directory service, you can integrate NLB with
Terminal Services to maintain a database of terminal server sessions in load-
balanced farms. Windows Server 2008 supports the following NLB features:
• Support for IPv6. NLB extends full support to IPv6 for all communication.
• Support for NDIS 6.0. The NLB driver has been completely redeveloped to use
the new NDIS 6.0 lightweight filter model. NDIS 6.0 retains backward
compatibility with earlier versions of NDIS. NDIS 6.0 is a simplified driver
model and includes design enhancements such as better driver performance
and scalability.
• Support for IPv6 and dedicated IP address through WMI Enhancements. The
WMI enhancements to the MicrosoftNLB namespace provide support for
IPv6. The classes in the MicrosoftNLB namespace support IPv6 addresses, in
addition to IPv4 addresses.
• Enhanced functionality with ISA Server. By using ISA Server, you can
configure multiple dedicated IP addresses for each NLB node for scenarios
in which there are both IPv4 and IPv6 clients, so that traffic from both kinds
of client can be directed to a particular ISA Server. ISA Server can also
send NLB notifications of SYN attacks and timer starvation. These conditions
usually occur when a computer is overloaded or infected by a virus.
• Support for multiple dedicated IP addresses per node. NLB extends full
support for defining more than one dedicated IP address for each node. In
previous versions of Windows Server, only one dedicated IP address per node
was supported.
RDC 6.0
Remote Programs
By using the Remote Programs feature in Windows Server 2008, you can
publish individual programs or applications instead of the complete desktop
environment. Remote applications run seamlessly on a client computer
through a Remote Desktop Connection (RDC), so users experience little
difference between a remote program and a local application. You must
configure file type associations on the clients so that the clients can
automatically launch a terminal server application for certain file types.
You can distribute these remote programs as an MSI package, which is created
in the Terminal Services Console, or through TS Web Access.
By using RDP, you can make Plug and Play devices available to applications
that are running in remote sessions on a Terminal Server in Windows Server
2008. To be eligible for redirection, the device and its driver must meet the
Windows Logo Program requirements.
The following are the features and benefits of Terminal Services Licensing:
To use Terminal Services Licensing, there must be at least one terminal server
with the following primary components:
By using the Terminal Server License Server Activation Wizard, you can
activate a license server to certify the server, and to enable the server to
issue client-access license tokens. A licensing server that has not been
activated can only issue temporary licenses. You must activate the server
within 120 days.
You can activate a license server by using one of the following connection
methods:
• Web. You can use the Web method to activate a license server when
the device running the Terminal Services Licensing management tool
does not have Internet connectivity, but you have connectivity through
a Web browser from another computer.
• Telephone. You can use the telephone method to talk to a Microsoft
customer service representative to complete the activation or license
installation transactions.
• Internet. You can use the Internet method when you have Internet
connectivity from the device running the Terminal Services Licensing
management tool.
1. The terminal server first checks the local registry for information about
the license server.
2. Next, the terminal server tries discovery through Active Directory by
using the Lightweight Directory Access Protocol (LDAP) instead of RPC.
3. For domain discovery, the terminal server first tries the local or on-site
domain controllers. If the terminal server fails to locate the on-site
domain controllers, it tries contacting off-site domain controllers.
4. The terminal server stops the discovery process as soon as the first
license server is found.
User-based License Tracking
Server
Before you can post Terminal Services Remote Programs, you must apply the
Terminal Server role to the server that will be hosting the remote programs.
However, the sub-components of terminal services are not required to host
remote programs.
To configure a terminal server for remote programs, you must install the
application for Terminal Services and designate the program to run remotely.
Use the Remote Programs Wizard to designate each application that should
be available for remote execution. You can configure the following properties
for remote applications:
Client
To run remote programs, the client computer must be running any one of the
following operating systems:
• Double-clicking an RDP (.rdp) file or program icon that has been created
and distributed by the administrator.
• Double-clicking a file whose extension is associated with a Remote
Program that can be configured by the administrator with an .msi file.
• Accessing a link to the program on a Web site by using Terminal
Services Web Access.
Permissions
A user can access a Remote Program only when the Remote Program exists in
the Allow List of the Terminal Server. The user should also be a member of the
Remote Desktop Users local group and Remote Desktop connections must be
allowed. When the administrator adds the Terminal Services role to a server,
Windows Server “Longhorn” automatically enables the remote desktop
feature.
Remote Programs are accessed remotely through Terminal Services and behave as if
they were running on the user's local computer. The following steps will tell you how
to manage Remote Programs:
After installing Terminal Services Web Access, you can specify the data source that
must be used to populate the list of Remote Programs that appears in the Web Part.
The Web server need not be a terminal server because it can populate the list of
Remote Programs from an external data source.
You can enable users to access the Web page from the Internet by using TS
Gateway to help secure remote connections.
Terminal Services Web Access can populate the list of Remote Programs,
which appears in the Web Part, from Active Directory or from a single terminal
server.
You can configure the data source by using the browser to connect to
http://server_name/ts and by editing the properties of the Web Part.
TS Gateway allows the users to connect remotely over the Internet to computers
that are hosted behind firewalls in private networks and across network address
translators (NATs).
TS Gateway also eliminates the need to deploy VPN servers for users to connect
remotely to the corporate network from the Internet. It also provides a security
configuration model for network administrators to control access to specific
resources on the network. You can configure TS Gateway servers and Terminal
Services clients to use NAP to further enhance security.
By using the TS Gateway Management snap-in console, you can configure policies
to define conditions that users must meet to connect to resources on the network.
For example, you can specify the local user groups or Active Directory user groups
that are allowed to connect to resources on the corporate network. You can also
specify whether the client computers must be members of Active Directory domains
and whether the clients need to use smart card authentication or password
authentication.
If NPS is deployed in your organization, you can configure TS Gateway policies, and
then use NPS to store, manage, and validate those policies. NPS is the Microsoft
implementation of a RADIUS server.
By using the TS Gateway role, you can enable authorized users to remotely connect
to terminal servers and remote desktops on a corporate network. To install TS
Gateway, you need to consider various requirements: client name specification,
connection authorization policies (CAPs), resource authorization policies (RAPs),
firewall configuration, and network location.
Client Name Specification
To avoid name resolution failures, and to support clients that specify a
computer by either its NetBIOS name or its FQDN, include every name by which a
computer might be requested in the resource group that you create.
CAPs
By using CAPs, you can specify which user groups on the local TS Gateway
server or in AD DS can connect through the TS Gateway server, and the
conditions they must meet to do so. For example, you can specify that all
users who connect to a specific terminal server through a TS Gateway server
must be members of a particular user group. You can also require that a
client computer be a member of an Active Directory domain in the corporate
network before it can connect to the TS Gateway server.
RAPs
You can use RAPs to specify the computers that users can access on the
network from the Internet by using the TS Gateway server. Before creating
RAPs, you need to create resource groups by adding a list of computers or a
group of computers. To access remote computers on the corporate network,
TS Gateway users need to meet the conditions in one CAP and one RAP.
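The rule just stated, that a user must satisfy one CAP and one RAP, and the earlier point about listing each computer under every name a client might use, can be modelled as a small authorization check. The following is an added illustration, not Microsoft's TS Gateway code; the policy names, groups and computer names are constructed, and a CAP is treated as satisfied only when all of its stated conditions hold.

```python
"""Model of the TS Gateway authorization decision described above.

Added illustration, not Microsoft code: a connection is allowed only when
the user satisfies at least one connection authorization policy (CAP) and
the requested computer is covered by at least one resource authorization
policy (RAP). All policy names, groups and computer names are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Cap:
    name: str
    user_groups: set                      # user must belong to at least one
    require_domain_member: bool = False   # client computer must be domain-joined
    auth_methods: set = field(default_factory=lambda: {"password", "smartcard"})


@dataclass
class Rap:
    name: str
    user_groups: set
    resource_group: set                   # computer names, NetBIOS and/or FQDN


@dataclass
class ConnectionRequest:
    user: str
    groups: set
    client_is_domain_member: bool
    auth_method: str
    target: str                           # name the client typed, e.g. "TS01" or "ts01.corp.example"


def cap_matches(cap, req):
    """A CAP is satisfied only when every condition it states holds."""
    if not (cap.user_groups & req.groups):
        return False
    if cap.require_domain_member and not req.client_is_domain_member:
        return False
    return req.auth_method in cap.auth_methods


def rap_matches(rap, req):
    """A RAP is satisfied when the user is in one of its groups and the target
    name, compared case-insensitively, is listed in its resource group."""
    if not (rap.user_groups & req.groups):
        return False
    return req.target.lower() in {n.lower() for n in rap.resource_group}


def authorize(caps, raps, req):
    """Return (allowed, matched CAP name or None, matched RAP name or None)."""
    cap = next((c for c in caps if cap_matches(c, req)), None)
    rap = next((r for r in raps if rap_matches(r, req)), None)
    return (cap is not None and rap is not None,
            cap.name if cap else None,
            rap.name if rap else None)


# Constructed sample policies.
CAPS = [
    Cap("RemoteWorkers-CAP", user_groups={"CORP\\Remote Workers"},
        require_domain_member=True, auth_methods={"smartcard"}),
    Cap("Contractors-CAP", user_groups={"CORP\\Contractors"}),
]
RAPS = [
    # Both name forms are listed, so the RAP matches however the client names the server.
    Rap("TermServers-RAP", user_groups={"CORP\\Remote Workers", "CORP\\Contractors"},
        resource_group={"TS01", "ts01.corp.example", "TS02", "ts02.corp.example"}),
    # NetBIOS name only: a client that connects by FQDN is refused even though
    # it satisfies a CAP.
    Rap("Kiosks-RAP", user_groups={"CORP\\Contractors"}, resource_group={"KIOSK01"}),
]


def demo():
    """Three constructed requests showing an allow, a RAP miss and a CAP miss."""
    alice = ConnectionRequest("alice", {"CORP\\Remote Workers"}, True, "smartcard", "ts01.corp.example")
    bob = ConnectionRequest("bob", {"CORP\\Contractors"}, False, "password", "kiosk01.corp.example")
    carol = ConnectionRequest("carol", {"CORP\\Remote Workers"}, True, "password", "TS02")
    return {
        "alice": authorize(CAPS, RAPS, alice),  # allowed: a CAP and a RAP both match
        "bob": authorize(CAPS, RAPS, bob),      # denied: CAP matches, no RAP lists the FQDN
        "carol": authorize(CAPS, RAPS, carol),  # denied: CAP requires smartcard, RAP matches
    }


if __name__ == "__main__":
    for user, result in demo().items():
        print(user, result)
```

The returned triple separates the two halves of the decision, which is how you would want a gateway log to read when a user reports being refused: bob's case shows a resource group that lists only the NetBIOS name, carol's shows an authentication method the CAP does not accept.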
Firewall Configuration
You can use ISA Server and TS Gateway server to enhance security for
remote connections to internal corporate network resources in the following
three scenarios:
Network Location
The TS Gateway server can be hosted in the perimeter network. RDP traffic is
tunneled using SSL. The external firewall needs to have port 443 open to
allow the SSL traffic. The TS Gateway server strips off the SSL and passes the
RDP traffic through the internal firewall to the internal Terminal Servers. The
internal firewall needs to have port 3389 open to support the RDP protocol.
Note: When you use the Server Manager to install the TS Gateway role
service, these additional role services and features are automatically
installed.
When you install TS Gateway on your server, you must obtain an SSL
certificate. By default, the RPC/HTTP Load Balancing service and Internet
Information Services use Transport Layer Security (TLS) 1.0 to encrypt
communication between the TS Gateway servers and clients over the
Internet. For TLS to function, you must install an SSL certificate on the
TS Gateway server.
You can use the WSRM tool to allocate CPU and memory resources to applications,
services, and processes. By using WSRM, you can reduce the chances of one
application, service, or process degrading the performance of the whole system,
and create a consistent, predictable experience for users of applications and
services. You can use WSRM to manage applications on a single computer or to
manage users on a computer with Terminal Services.
Process-Matching
A running process is matched when the WSRM service discovers it, or when
changes are made to the active resource-allocation policy. If changes are
made to the policy, WSRM examines the processes again. WSRM checks the
system-defined exclusion list and the user-defined exclusion list and places
all matching processes in the excluded processes group. After a process is
placed in a group, WSRM enforces the associated resource allocation for the
process by setting resource limits or by modifying the priority of the process.
The processes in the system-defined exclusion list or the user-defined
exclusion list are never modified.
Resource-Allocation Policy
WSRM groups the new process with other processes if the new process has
properties that meet the process-matching criterion. The resource allocations
specified in the resource-allocation policy are then applied to the new
process. If a new process does not match the process-matching criteria, the
process is added to the default group.
Default Group
The default group includes all running processes that have not been matched
to any process-matching criteria in the managing resource-allocation policy.
The processes in the default group are given CPU bandwidth that has not
been allocated to other processes. The default group has unlimited memory
for its processes.
Exclusion Lists
By using WSRM, you can manage most of the applications. However, you
should not use WSRM to manage the Windows processes that are listed in the
system-defined exclusion list. In addition, the user exclusion list contains the
other services or processes that might not perform properly under
management. A process that is included in either of these lists is known as an
unmanaged process.
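The four WSRM concepts above (process matching, the resource-allocation policy, the default group and the exclusion lists) fit together as one matching pass, shown below as an added example. It is a model, not Microsoft's implementation: the exclusion lists, criteria, process names and percentages are constructed, and the assumption that criteria are evaluated in policy order with the first match winning is the author's.

```python
"""Model of WSRM process matching as described above.

Added illustration, not Microsoft's implementation: a process on either
exclusion list is never managed; otherwise the first matching criterion in
the active resource-allocation policy decides its group, and anything
unmatched lands in the default group. Names and percentages are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Process:
    pid: int
    image: str      # executable name, e.g. "sqlservr.exe"
    user: str       # account the process runs as


@dataclass
class MatchingCriterion:
    name: str
    images: frozenset = frozenset()   # match on image name ...
    users: frozenset = frozenset()    # ... or on user account; either is enough

    def matches(self, p: Process) -> bool:
        return (p.image.lower() in {i.lower() for i in self.images}
                or p.user.lower() in {u.lower() for u in self.users})


@dataclass
class Allocation:
    criterion: MatchingCriterion
    cpu_percent: int                  # CPU bandwidth target for the group
    memory_mb: Optional[int] = None   # None means no working-set limit


# Illustrative exclusion lists (constructed, not the real system-defined list).
SYSTEM_EXCLUSIONS = frozenset({"system", "smss.exe", "csrss.exe", "wininit.exe",
                               "services.exe", "lsass.exe", "winlogon.exe"})
USER_EXCLUSIONS = frozenset({"backupagent.exe"})


def classify(processes: List[Process], policy: List[Allocation],
             user_exclusions=USER_EXCLUSIONS) -> Dict[str, List[int]]:
    """One matching pass, as WSRM performs when it discovers a process or
    when the active policy changes. Returns {group name: [pids]}."""
    groups: Dict[str, List[int]] = {"excluded": [], "default": []}
    for a in policy:
        groups[a.criterion.name] = []
    for p in processes:
        image = p.image.lower()
        if image in SYSTEM_EXCLUSIONS or image in user_exclusions:
            groups["excluded"].append(p.pid)     # unmanaged: limits never applied
            continue
        for a in policy:
            if a.criterion.matches(p):
                groups[a.criterion.name].append(p.pid)
                break
        else:
            groups["default"].append(p.pid)      # no criterion matched
    return groups


def default_cpu_share(policy: List[Allocation]) -> int:
    """The default group receives whatever CPU bandwidth the policy leaves unallocated."""
    return max(0, 100 - sum(a.cpu_percent for a in policy))


def limits_for(pid: int, processes: List[Process], policy: List[Allocation]) -> Optional[Allocation]:
    """Allocation WSRM would enforce for a pid; None for excluded or default-group processes."""
    groups = classify(processes, policy)
    for a in policy:
        if pid in groups[a.criterion.name]:
            return a
    return None


# Constructed sample policy and process list.
POLICY = [
    Allocation(MatchingCriterion("SQL", images=frozenset({"sqlservr.exe"})), 50, memory_mb=4096),
    Allocation(MatchingCriterion("TSUsers", users=frozenset({"CORP\\alice", "CORP\\bob"})), 30),
]
SAMPLE = [
    Process(4, "System", "NT AUTHORITY\\SYSTEM"),
    Process(620, "lsass.exe", "NT AUTHORITY\\SYSTEM"),
    Process(1204, "sqlservr.exe", "CORP\\svc_sql"),
    Process(2210, "winword.exe", "CORP\\alice"),
    Process(2240, "backupagent.exe", "CORP\\svc_backup"),
    Process(3000, "notepad.exe", "CORP\\dave"),
]


def demo():
    return classify(SAMPLE, POLICY), default_cpu_share(POLICY)


if __name__ == "__main__":
    groups, share = demo()
    print(groups)
    print("default group CPU share:", share)
```

Note that lsass.exe is excluded before any criterion is consulted, which is the point of the system-defined list: a policy that happened to match a core Windows process by user account would still never throttle it.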
Summary
Core Functionality of Terminal Services
• Terminal Services Web Access enables you to allow users to access the
Terminal Services Remote Programs from a Web browser. You can use the
Terminal Services Web client to log on to a Terminal Server from your Web
browser. This provides easy access to Terminal Server sessions.
• Terminal Services Web Access can populate the list of Remote Programs,
which appears in the Web Part, from Active Directory or from a single terminal
server. Before installing the Terminal Services Web Access role service, you
must install the Terminal Server role and IIS 7.0. After installing Terminal
Services Web Access, you can specify the data source that must be used to
populate the list of Remote Programs that appears in the Web Part.
• You can access the Terminal Services Remote Programs from a Web browser.
Accessing the terminal server provides access to all remote applications. You
can populate applications either from Active Directory Domain Services or
from a single Terminal server.
• You can use the WSRM tool to allocate CPU and memory resources to
applications, services, and processes. By using WSRM, you can reduce the
chances of applications, services, or processes affecting the performance of
the system. You can use WSRM to manage applications on a single computer
or to manage users on a computer with Terminal Services.
• The various features of WSRM are process matching, resource allocation
policy, process matching criteria, default group and exclusion lists.
• You can manage Terminal Server Resources by using WSRM. You can create a
new process matching criteria and allocate processor and memory resources
to each process matching criteria. You can also suballocate processor
resources. You can specify the amount of sub-allocation you want to apply to
the original allocation for each process-matching criterion.
Because each module has a specific function, you need to load only the
module that is required to support specific Web applications. By loading only
the required module, you can reduce the attack surface, in-memory footprint,
running module code, and CPU load. You can also reduce patching and
management requirements to the installed modules.
You can replace IIS modules with custom components that are developed by
using the native IIS 7.0 C++ application programming interfaces (APIs) or the
ASP.NET 2.0 APIs. You can add modules that can replace or enhance present
IIS features. For example, you can add an IIS module for authenticating users
to a third-party database. You can enable secure FTP transfers by developing
and adding an enhanced FTP module.
IIS 7.0 in Windows Server 2008 offers a broad set of administration features that
simplify the day-to-day tasks of managing Web sites and applications. These
features include an updated graphical user interface (GUI), an updated command-line
tool, a configuration store, and a Windows Management Instrumentation (WMI) provider.
GUI
IIS Manager, the GUI administrative tool in IIS 7.0, offers a new and more
efficient way to manage the Web server.
Command Line
Appcmd.exe exposes all key server functionality through a set of intuitive
management objects that can be manipulated from the command line or from
scripts. You can use it to install modules, create Web sites, and modify
application pools.
Configuration Store
The XML configuration files are based on the .NET Framework 2.0 configuration
store. The configuration store is made up of the Machine.config,
ApplicationHost.config, and Web.config files. You can modify these files by
using an XML editor.
WMI Provider
You can read or change settings in the configuration store by using the WMI
provider. You can use the WMI provider to automate configuration changes for
deployment of applications across multiple servers.
Managed Interface
ApplicationHost.config file
Web.config file
The %windir%\Microsoft.NET\Framework\v2.0.50727\config\web.config
configuration file contains default settings for individual Web sites, Web
applications, or virtual or physical directories. You can store a web.config
file in the same directory as code or content. In this file, you can override
settings that are inherited from higher levels in the configuration hierarchy,
or lock inherited settings.
The web.config file in the root of each Web site contains the Web site
settings, and the web.config file in an application or virtual directory folder
contains the settings for that application or virtual directory.
In the earlier versions of IIS, the configuration information was stored in the
metabase, which contained data specific to each IIS server computer. IIS 7.0 stores
configuration information in XML-based files. The ApplicationHost.config file
contains information about the web site and the application pool configuration for a
particular IIS server. The Web.config file contains specific information on the
operations of a specific web site, an application, or a virtual directory. You can
configure multiple servers in a network load balanced cluster by using both types of
files. You can replicate the IIS configuration information in both the
ApplicationHost.config file and in the web.config file.
ApplicationHost.config
• You can leverage the built-in “Internet User” account for the
application; you do not need to use machine specific Security
Identifiers (SIDs).
• You can use a simple file copy.
• You do not require command line tools.
• You need to install and enable the same modules on each IIS server.
• Before replication, you need to modify information that varies by
machine such as IP Addresses and drive letters.
• You need to terminate and restart all worker processes within the
affected application pools.
Web.config
The following are the methods for replicating IIS configuration in web.config:
• You use XCOPY to copy the application code and content with this file.
• You can replicate files from a centralized location by using Distributed
File System Replication (DFSR). To implement DFSR to replicate the
Web.config file, you first need to create a DFS namespace for the
content to be replicated. Then, you need to add each IIS server to the
DFSR replication group.
You need to implement security in any IIS deployment. IIS 7.0 provides various
options to implement security.
Depending on where the user information is stored, you can choose the type
of authentication and the level of authentication required. You can configure
two types of authentication:
To reduce the attack surface, configure server and IIS security and load only
the modules that your Web applications require. To block administrators with
lower-level permissions from overriding critical settings, set the AllowOverride
property to False on each critical setting in ApplicationHost.config and
Web.config.
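The two hardening points made above for IIS 7.0, loading only the modules a site needs and preventing lower-privileged administrators from overriding critical settings, come together in the following configuration excerpts. They are added here as an illustration and are not taken from any product documentation; the module selection and site settings are constructed. In the IIS 7.0 schema the locking attribute on a `<location>` element is `overrideMode`, while `allowOverride` is the name of the equivalent attribute in .NET Framework configuration files, so both spellings appear below.

```xml
<!-- File 1: ApplicationHost.config (constructed excerpt).
     Only the native modules the sites actually need are loaded server-wide,
     and the module list and authentication settings are locked with
     overrideMode="Deny", the IIS 7.0 form of "AllowOverride = False", so a
     site-level web.config cannot re-enable a module or turn anonymous
     access back on. -->
<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="WindowsAuthenticationModule" image="%windir%\System32\inetsrv\authsspi.dll" />
      <add name="RequestFilteringModule" image="%windir%\System32\inetsrv\modrqflt.dll" />
    </globalModules>
  </system.webServer>

  <location path="" overrideMode="Deny">
    <system.webServer>
      <modules>
        <add name="StaticFileModule" />
        <add name="DefaultDocumentModule" />
        <add name="WindowsAuthenticationModule" />
        <add name="RequestFilteringModule" />
      </modules>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>

<!-- File 2: web.config at the Web-site root (constructed excerpt).
     The .NET Framework equivalent, allowOverride="false", stops web.config
     files in application folders beneath this one from changing the
     ASP.NET authentication mode or the authorization rules. -->
<configuration>
  <location path="." allowOverride="false">
    <system.web>
      <authentication mode="Windows" />
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

With the first file in place, a web.config that tries to add a module or set `<anonymousAuthentication enabled="true" />` produces a configuration error for that site rather than silently widening access, which is the behaviour you want when site administrators and server administrators are different people.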
The Runtime State and Control API in IIS 7.0 gives you real-time information about
application pools, worker processes, sites, application domains, and running
requests. The information is in an XML-format so you can troubleshoot the problem
without reproducing it. You can also configure the API to create a detailed log of the
events that led up to the error.
The Health and Diagnostics features in IIS Manager are: Failed Request Tracing,
Logging, and Worker Processes.
The server administrator can generate an error log by defining specific error
conditions in the Failed Request Tracing Rules; the rules can be based on IIS
status codes or on the length of time a process takes to run. Once an error
condition is detected, a detailed trace of events is written to an XML-based
log so you can troubleshoot the problem without having to reproduce it.
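A Failed Request Tracing rule of the kind described above consists of the trace areas to capture and a failure definition built from status codes or a time-taken threshold. The following web.config excerpt is an added example, not taken from product documentation; the status codes, threshold and provider selection are choices made for illustration, and tracing must also be switched on for the site in ApplicationHost.config as shown in the trailing comment.

```xml
<!-- web.config for the site (constructed excerpt). Any 401 or 403 response,
     any 5xx response, or any request taking longer than 30 seconds causes a
     detailed XML trace to be written. Capturing Authentication and Security
     areas shows which module rejected a request, which is what you need
     when investigating access failures without reproducing them. -->
<configuration>
  <system.webServer>
    <tracing>
      <traceFailedRequests>
        <add path="*">
          <traceAreas>
            <add provider="WWW Server"
                 areas="Authentication,Security,Filter,StaticFile,RequestNotifications,Module"
                 verbosity="Verbose" />
            <add provider="ASPNET"
                 areas="Infrastructure,Module,Page,AppServices"
                 verbosity="Verbose" />
          </traceAreas>
          <failureDefinitions statusCodes="401,403,500-599" timeTaken="00:00:30" />
        </add>
      </traceFailedRequests>
    </tracing>
  </system.webServer>
</configuration>

<!-- The rule only takes effect once tracing is enabled for the site in
     ApplicationHost.config, inside the matching <site> element
     (constructed excerpt):

     <traceFailedRequestsLogging enabled="true"
         directory="%SystemDrive%\inetpub\logs\FailedReqLogFiles"
         maxLogFiles="50" />
-->
```

The trace files record request headers and the full module pipeline for each failed request, so the log directory should be readable only by administrators, and `maxLogFiles` keeps a burst of failures from filling the disk.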
Logging
Worker Processes
With Windows Media Services, you can customize streaming content to meet
specific business needs. For example, you can edit Synchronized Multimedia
Integration Language (SMIL)–based playlists and add advertisements to publishing
points.
• Using the Playlist Editor. The Playlist Editor provides a simple, graphical
interface for creating playlists and specifying attributes for the items in
the playlist. You can access the Playlist Editor from the Summary tab of
the Publishing Points console tree or by clicking the View Playlist Editor
button on the Source tab of a publishing point.
• Using the Source tab. The Source tab of a publishing point includes an
embedded version of the Playlist Editor. You can use the embedded
version to edit playlists that are currently assigned to publishing
points.
• Using a text or XML editor. You can use a Text or XML editor to create
and edit playlist files. In addition, you can add comments to your file
and modify all XML elements and attributes.
Securing Windows Media Server from unwanted user access is a concern when
designing an enterprise-wide streaming infrastructure. Windows Media Server has
various security configuration options such as IP address restriction, user
authentication, content expiration, and digital rights management.
IP Address Restriction
You can specify ranges of IP addresses on the local network and either allow
or deny access to Windows Media Services, or to a specific publishing point,
based on the client computer's IP address.
User Authentication
You can use Windows NT LAN Manager (NTLM), the Kerberos protocol, or Digest
authentication to restrict client access. These authentication methods are
primarily suited to intranet applications.
You can authorize users and give them specific permissions on the publishing
point or on the streamed content files stored on a New Technology File
System (NTFS) partition.
Content Expiration
Using Windows Media Rights Manager, you can assign usage rules to content and
so secure downloadable media for local users, remote users, vendors, clients,
and partners.
You can use Windows Media Rights Manager to gather information about the
people who request the media or to make content licenses expire after a
specific duration.
You can use Windows Media Rights Manager to assign usage rules to content.
You can stream the content to users and also allow enforcement of license
usage rules provided by Windows Media Rights Manager. You can apply the
following limits to the content:
Requirements
• Internet Information Services 7.0 with ASP.NET and World Wide Web
Publishing Service.
• Microsoft Message Queuing (MSMQ) and Directory Service Integration
must be enabled to activate AD RMS logging.
• Windows Internal Database, Microsoft SQL Server 2005 or other
compatible database servers. If no database is available during the
installation, you can install the Windows Internal Database on the
server.
• Installation of AD RMS in an Active Directory DS domain that includes
domain controllers running Windows 2000 Server with Service Pack 3
(SP3) or later.
The client-side requirements for AD RMS include: