Microsoft IT Professional Blog

February 28, 2008

10 reasons to upgrade to Windows Server 2008

Filed under: Windows Server 2008 — Antonio @ 4:36 pm

Windows Networking has an article worth reading on the top 10 reasons (according to the author) to upgrade to Windows Server 2008. The article highlights the following 10 features:

  • Server Manager and the Advanced Event Viewer
  • Server Core
  • Terminal Services Gateway
  • Terminal Services RemoteApps
  • Native IPv6 support
  • Read Only Domain Controllers
  • Hyper-V
  • Network Access Protection (NAP)
  • Secure Sockets Tunneling Protocol (SSTP)
  • The Windows Advanced Firewall and Policy-based QoS

This new version of the Windows Server product provides a lot of the needed functionality and flexibility being asked for by large corporations since Windows Server 2008. If you would like more information on each of these features, please feel free to go to the Windows Server 2008 Technical Library.

February 27, 2008

Windows Server 2008 World Wide Launch

Filed under: Windows Server 2008 — Antonio @ 5:45 am

 Heroes Happen Here - Panama

Today Microsoft is holding the worldwide launch of Windows Server 2008 and other new and exciting products such as SQL Server 2008 and the new Visual Studio 2008 development suite. For this they’ve put together the Heroes Happen Here (HHH) campaign; please go and check the site for events Microsoft will be hosting worldwide related to the launch of these products. The site is also chock-full of useful information to get you started with these technologies.

So you might be wondering, what is a hero? A hero is each of us IT professionals who mans the IT help desk and uses remote monitoring and management abilities to solve end users’ problems before they even notice. A hero is someone who has implemented high availability technologies to keep the business online without leaving his family’s side when it counts the most (yes, we’ve all been there: missed birthdays or big family events). All of this is made possible through some of the technologies available in Windows Server 2008. (Yes, Microsoft marketing, you can steal my definition.)

What’s your definition of a hero? The Canadian IT Professionals blog also has a definition of what a hero is.

February 26, 2008

Terminal Services in Windows Server 2008

Filed under: Terminal Services — Antonio @ 4:09 pm

As you all know, the Terminal Services role lets your users remotely access Windows applications installed on a terminal server, without having to install them on their own systems, or access a complete Windows desktop hosted on the server. This is excellent for letting remote users log in from thin client computers that have no data stored on them, avoiding the risk of those computers being stolen and information being compromised.

With Windows Server 2008, Microsoft introduced 2 new Terminal Server role services that provide even further flexibility to the Terminal Services role. These are:

  • TS RemoteApp - Allows programs installed in Terminal Services to be accessed remotely and appear as if they were running on the local computer. The user can just open the Start menu and launch the remote application on his desktop, very similar to how Citrix solutions allow access to published applications. The feature of RemoteApp that most impacted me is that I can associate file type entries in my local registry, let’s say .doc, to open a RemoteApp just by double-clicking a .doc file.
  • TS Gateway - This role service uses RDP over HTTPS to establish a secure, encrypted connection between remote users on the Internet and the internal network resources.

Some of the features that have received an overhaul in Windows Server 2008 that are worth mentioning are:

  • TS Web Access - Building on TS RemoteApp, TS Web Access allows you to access applications on a terminal server over the web without having to install an ActiveX control as in past versions of TS Web Access, since this control is already part of the RDC bundled with Vista and Windows Server 2008.
  • TS Session Broker - This is mostly a new feature in Server 2008, however you could manually do some work on 2003 to get a session broker to work and load balance sessions between multiple terminal servers in an active directory environment based on Server 200.
  • TS Printing - The printing section of terminal servers has had a major overhaul by the addition of the Terminal Services Easy Print printer driver and a Group Policy setting that enables you to redirect only the default client printer.

I could probably go on writing more about each of the previously mentioned features; however, I think there is already a good set of documentation available in the links provided in this article and in the articles the Microsoft Performance Team was publishing prior to the launch of Windows Server 2008.

February 25, 2008

The Performance Team Countdown

Filed under: Printing, Terminal Services, Windows Server 2008 — Antonio @ 9:05 pm

Hi all! Sorry I’ve been away and haven’t had the opportunity to share with you some more exciting information about the new features in Windows Server 2008, but my attention has been focused on other items. To remediate this I have some homework for you all, or shall we say some assigned reading material, that will help you prep on your road to success with Windows Server 2008.

The Windows Performance team has been posting the following articles daily on their blog over at TechNet since the beginning of February, covering some of the real back-end work that goes on in Windows Server 2008 in areas such as printing, terminal services and other important topics. I would like all of you to review them at your own pace, and I especially recommend the ones highlighted in bold below, as I think they are quite valuable and worthwhile.

This article series by the performance team will last a couple more days till the official release of Windows Server 2008, so I will add to the list the pending articles they will publish in the upcoming days for your personal reference.

WS2008: Upgrade Paths, Resource Limits & Registry Values
WS2008: Startup Processes and Delayed Automatic Start
WS2008: Windows Service Hardening
WS2008: Service Shutdown and Crash Handling
WS2008: Windows Error Reporting
WS2008: Dynamic Link Library Loader and Address Space Load Randomization
WS2008: Memory Management, Dynamic Kernel Addressing, Memory Priorities and I/O Handling
WS2008: The Print Services Role
WS2008: Understanding XML Paper Specification (XPS)
WS2008: Client-side Rendering
WS2008: The WSD Port Monitor
WS2008: Printer-Driver Packages
WS2008: Print Management Enhancements
WS2008: Terminal Services Architecture
WS2008: Terminal Server Management and Administration
WS2008: Network Level Authentication and Encryption
WS2008: Terminal Services Printing
WS2008: Overview of the Remote Desktop Connection (RDC) Client
WS2008: Remote Desktop Connection Architecture
WS2008: RDC Enhancements and Administrative Sessions
WS2008: Frontside Authentication and SSO
WS2008: Terminal Services RemoteApps
WS2008: Terminal Server Web Access Architecture
WS2008: Terminal Server Session Broker Overview
WS2008: Session Broker Load Balancing

WS2008: Terminal Services Gateway Overview

I will come back to you all tomorrow with a post on Terminal Services in 2008, a good point to start before continuing on to read some of the articles mentioned in this extensive list.

TIP: I normally bookmark these articles using a social bookmark aggregator such as del.icio.us or ma.gnolia.com, websites that allow you to store your bookmarks online and access them regardless of your location or the system you are using to browse the web. Be sure to check out services like these to save your personal bookmarks and save some valuable study time.

February 20, 2008

The ServerManagerCmd.exe CLI tool in Windows Server 2008

Filed under: Windows Server 2008 — Antonio @ 10:04 pm

In past posts I’ve talked a bit about the Server Manager tool that is bundled with Windows Server 2008, which allows you to set up, configure and monitor different roles in your server installation. Microsoft has also bundled with this new version of Windows a command line version of this tool (only available in full installs of 2008 and not in Core) that allows you to:

  • Install new roles/features
  • List currently installed roles
  • Remove server roles
  • View the possible outcome of installing a new role before doing so

This tool also allows you to automate some role installations via answer files, pretty similar (but with XML, yey!) to what we used to do in Windows Server 2003 with unattended installations. This will come in handy to set up IIS quickly on a couple of boxes after a fresh install of Windows Server 2008, in case you don’t already have an imaging solution in place that is more practical for these scenarios.

Let’s go quickly over some of the available switches for this command line tool and what they do.

ServerManagerCmd.exe -query
Will list all of the currently installed roles (IIS, Active Directory, Terminal Services, etc.) and features (Remote Server Administration tools, telnet client, etc.)

ServerManagerCmd.exe -install <role-or-feature-name>
Does pretty much what the command says: it installs a new role such as IIS or Terminal Services. However, I would like to add a word of caution when using this tool. Some roles require you to reboot your server, and you will be prompted for this after you issue the command. You can avoid being prompted and have the server restart automatically by adding the -restart switch; the complete syntax would be ServerManagerCmd.exe -install <role-or-feature-name> -restart

I would also like to mention that the role names are “case sensitive” and sometimes the name of the role is not spelled out clearly. For more information on the usage of this command, please review the TechNet document titled Server Manager Technical Overview Appendix.

ServerManagerCmd.exe -remove <role-or-feature-name>
Pretty self-explanatory: it has the opposite effect of -install and removes roles. Be very careful with this command, as the impact on your infrastructure could be severe if it is not used carefully, and always remember to run a backup before modifying anything of this importance. “If it ain’t broken, don’t fix it” is my motto!

ServerManagerCmd.exe -install <role-or-feature-name> -whatif
Provides information on exactly what would be installed or modified when adding a role. This is pretty useful when a role has sub-dependencies and you would like to know what else would be added to your box.

I also mentioned earlier in this post that you can create answer files for the installation of roles. This is done via XML, and the documentation for it is available in the TechNet document I linked above; for a practical example of a real-world scenario I found this article titled Installing IIS 7.0 using ServerManagerCmd.exe. Additionally, for all of the previously explained commands you can dump the results to an XML formatted file for your viewing pleasure in your favorite XML editor; for some info on this please refer to the MSDN blog article titled using ServerManagerCmd.

Windows Networking had a feature on ServerManagerCmd that might be interesting to take a look at as a complement to this post.

February 19, 2008

Server Manager in Windows Server 2008

Filed under: Windows Server 2008 — Antonio @ 7:11 pm

Many of us have grown really fond of the Computer Management MMC available in Windows Server since the days of Windows Server 2000, and some got used to the Manage Your Server screen in 2003 (I for one did not use it, but some IT administrators I know used it quite a bit). In Windows Server 2008 Microsoft introduced a new tool, called Server Manager, that you could consider the illegitimate child, pumped up on steroids, of both Computer Management and Manage Your Server. This new tool even allows you to install additional features and roles on your server, which some of us used to do in the Add/Remove Components wizard located in Control Panel.

Server Manager

Basically, Server Manager will be your one-stop tool to set up server roles and provide ongoing management after the initial configuration of the server. Microsoft has a good write-up on Server Manager that’s not too technical, so everybody can understand it and quickly start using Server Manager right from the get-go.

Before moving on, I might add that Server Manager will open each and every time you log on to your server and doesn’t offer a quick and easy way to disable this behavior like the Manage Your Server tool did in 2003. To get rid of this behavior, simply modify the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Server Manager with a value of 1 to disable it and 0 to re-enable it.

Server Manager is based on MMC 3.0, which gives you a 3-pane window that is basically divided into a console tree, the actual content of each branch in the tree, and the actions pane related to the currently selected item. This makes administration of components really fast, except that you now have a lot of information on your screen and it can get a bit overwhelming sometimes. There is a way of removing or resizing some of the on-screen information, and this is done with my 2 new favorite buttons in Server Manager, which allow you to hide either the console pane or the action pane.

Server Manager Resize Panes Buttons

In my opinion the thing that really just works out fine and perfectly within server manager is the role management area, since it allows you to add/remove roles, view information about roles such as current services status, manage the roles and even stop them all from one little tool.

Server Manager File Server Role

In the screen shot above you can see all of the different options I mentioned above for the file server role, this would be pretty much the same for other roles such as IIS and Terminal Services.

My recommendation would be use it, play around with it and it will start to grow on you quickly and you will start thinking how you lived without it in the past (for real). If you would like to do some additional reading on the Server manager please refer to the following articles:

In my next post I will talk a bit about the console version of Server Manager and how you could use it to automate part of the setup and configuration of your desired server roles.

February 18, 2008

Remote Desktop for Administration in Windows Server 2008 Core

Filed under: Windows Server 2008 — Antonio @ 7:52 pm

In yesterday’s article I wanted to write about how to enable remote desktop for administration in Windows Server 2008 Core, but I thought it would be best to treat this as a separate article since the target audience for it might be different. The process to enable RDP is pretty straightforward, and I will outline it in the following steps.

Ensure your Windows Server 2008 Core install has a valid IP address; if you are unsure, issue the ipconfig command to review your settings. If you are receiving an APIPA (Automatic Private IP Addressing) address, typically 169.x.x.x, you will need to configure a valid IP address on your box that is reachable in your network.

To do this, run netsh interface ipv4 show interface at the command prompt. This command lists the available network interfaces on your system and gives you the Idx value of the network card you wish to configure.

server-core-inteface-list

In the above screenshot you see the results of this command and you only need to remember the Idx number or the complete name of the network interface you want to configure.

Now you can set the IP address of the network card with the following command

netsh interface ipv4 set address name="<ID>" source=static address=<StaticIP> mask=<SubnetMask> gateway=<DefaultGateway>

Finally, if appropriate, add the DNS server you wish to associate with this interface with the command

netsh interface ipv4 add dnsserver name="<ID>" address=<DNSIP> index=1

If you need to add an additional DNS server, issue the same command but change the index to 2, 3 and so on, depending on the number of DNS servers you want your interface to query.

Once this is complete you need to review the current settings for remote desktop. This is done by running the following command

C:\Windows\System32>cscript SCregEdit.wsf /AR /v

If you see "1" in the script output, that means that remote desktop connections will be denied. To change that you need to run the following command

C:\Windows\System32>cscript SCregEdit.wsf /AR 0

Now we need to review the status of the inbound firewall rule that manages connections via RDP port 3389. To do this we run the command

netsh advfirewall firewall show rule name=all

This command shows the status of all current rules; in the list, find the one called Remote Desktop (TCP-In). It might be useful to pipe this command to more to get a paged display of the output:

netsh advfirewall firewall show rule name=all | more

You advance through the output by pressing the spacebar, and you can stop it using the Control + C key sequence.

To set the rule to allow this type of traffic we issue the command

netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=yes

and that is it! We are done configuring remote desktop for administration on our Core install of Windows Server 2008.

February 17, 2008

Enabling Remote Desktop for Administration in Windows Server 2008

Filed under: Windows Server 2008 — Antonio @ 7:18 pm

Most IT administrators want to get busy configuring their servers once they have finished the initial deployment of the operating system onto the bare metal box. To do this from their cubes or offices, instead of standing for hours at a time in front of a server rack in the cold data center, they enable remote desktop for administration. Enabling remote desktop for administration in Windows Server 2008 is quite straightforward, but to some it could be a tad complicated due to unfamiliarity with the new Server Manager administration console.

To do this you need to click the Enable remote desktop link that appears in the ICT screen. If you’ve closed this screen, remember you can bring it up using the oobe command from the Run box in the Start menu. However, this task can also be done more conveniently from Server Manager, which opens every time you log into your box and also provides access to the firewall controls you might need to review to ensure you can establish a successful RDP connection to your fresh install of Windows Server 2008.

remote-desktop-administration-config

To enable remote desktop for administration, simply hit the Configure Remote Desktop link in the root of the Server Manager interface and, in the System Properties window that appears, select either “Allow connections from computers running any version remote desktop (less secure)” or “Allow connections only from computers running remote desktop with Network Level Authentication (more secure)”.

Now what do these 2 options really mean? With Windows Server 2008 and Windows Vista a new version of the remote desktop protocol was developed, RDP 6.0, which brings some interesting features to the table such as:

  • Maximum screen resolution of 4096×2048
  • Maximum color depth increase to 32-bit color
  • Support for ClearType fonts
  • Support for connected USB and other peripheral devices
  • Support for spanning multiple horizontally-connected monitors using the “/span” switch
  • Ability to use client-side themes in remote sessions

The first option, “Allow connections from computers running any version remote desktop (less secure)”, allows computers with previous versions of the RDP client to connect to the server for administration. However, this is less secure, since the client can’t verify that it is connecting to the correct server, and DNS name or IP spoofing could have occurred in your network. The other option, “Allow connections only from computers running remote desktop with Network Level Authentication (more secure)”, allows newer RDP clients, such as the one bundled with Windows Vista or Server 2008, to authenticate the identity of the server they are connecting to, which avoids any type of spoofing and having someone capture your credentials.

For more information on Network Level Authentication please refer to the post titled WS2008: Network Level Authentication and Encryption on the blog for the Enterprise Platforms Windows Server Performance Team.

If you have a system that has a legacy version of the RDP software such as the one that is bundled by default with Windows XP you can update your software to the latest version of the RDP client that benefits from Network Level Authentication by downloading it directly from Microsoft.

Once we’ve enabled remote desktop with the desired settings, we can select the Windows Firewall with Advanced Security node under the Configuration branch of Server Manager and choose Properties from the Actions pane to review the state of the firewall and ensure we can connect via RDP to our server.

server-manager-firewall

 

The default state for the firewall in the Windows Server 2008 family of products is On, and for good reason, since statistically speaking the majority of attacks on server operating systems occur out of the box, exploiting unpatched vulnerabilities or improperly configured services. Once we’ve reviewed the state of our firewall, we open the branch titled Windows Firewall with Advanced Security and select the Inbound Rules node. Under this node we look for the Remote Desktop (TCP-In) rule and ensure that the action chosen in this rule reads “Allow the connection”. This might also be a good moment to remind you that the port on which RDP works is still 3389, in case you have other network considerations, such as ACLs in your switching and routing infrastructure, that you might need to take a look at.

server-manager-firewall-rdp

After this is done you can remote into your fresh install of Windows Server 2008 to do further configuration tasks.

For further information on how to configure the Windows Server 2008 firewall with the new MMC tool in server manager please refer to the article titled How to configure the new Windows Server 2008 advanced firewall MMC snap-in from one of my favorite sites Windows Networking or review the TechNet article titled Getting Started with Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008.
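A read-only check of the settings covered in this post and in the Server Core post above (Remote Desktop enabled, Network Level Authentication, the inbound firewall rule and port 3389), as an added example that is not the author's script. It assumes an English-language install, the built-in rule name Remote Desktop (TCP-In) and the standard Terminal Server registry values; it runs from cmd.exe, so it works on a Core install as well.

```batch
@echo off
rem Added example, not from the original posts: read-only audit of RDP settings.
rem Assumes English netsh output and the built-in firewall rule name below.
rem Group Policy can override these values under
rem HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services.
setlocal EnableExtensions

set "TS=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
set "LISTENER=%TS%\WinStations\RDP-Tcp"
set "RULE=Remote Desktop (TCP-In)"
set /a FINDINGS=0

rem fDenyTSConnections: 1 = connections denied (what SCregEdit.wsf /AR /v reports)
call :ReadDword "%TS%" fDenyTSConnections DENY
rem UserAuthentication: 1 = Network Level Authentication required
call :ReadDword "%LISTENER%" UserAuthentication NLA
rem PortNumber: listener port, 3389 unless it was changed
call :ReadDword "%LISTENER%" PortNumber PORT

rem Firewall rule state and scope, parsed from the netsh text output
set "FW_ENABLED=unknown"
set "FW_REMOTEIP=unknown"
for /f "tokens=1,2" %%A in ('netsh advfirewall firewall show rule name^="%RULE%"') do (
    if /i "%%A"=="Enabled:" set "FW_ENABLED=%%B"
    if /i "%%A"=="RemoteIP:" set "FW_REMOTEIP=%%B"
)

echo RDP denied flag       : %DENY%
echo NLA required flag     : %NLA%
echo Listener port         : %PORT%
echo Firewall rule enabled : %FW_ENABLED%
echo Firewall rule scope   : %FW_REMOTEIP%

if "%DENY%"=="1" echo [info] Remote Desktop is disabled.
if "%DENY%"=="0" if not "%NLA%"=="1" call :Finding "NLA is not required, so legacy clients can connect."
if "%DENY%"=="0" if /i "%FW_ENABLED%"=="Yes" if /i "%FW_REMOTEIP%"=="Any" call :Finding "Firewall rule accepts any remote address. Restrict it to admin subnets."
if "%DENY%"=="0" if /i not "%FW_ENABLED%"=="Yes" echo [info] RDP is enabled but the firewall rule is not, so connections are blocked.
if not "%PORT%"=="3389" echo [info] Listener is not on the default port 3389.

echo Findings: %FINDINGS%
exit /b %FINDINGS%

:Finding
rem %1 = text of the finding
echo [finding] %~1
set /a FINDINGS+=1
exit /b 0

:ReadDword
rem %1 = registry key, %2 = value name, %3 = variable receiving the decimal value
set "%~3="
for /f "tokens=3" %%A in ('reg query "%~1" /v %~2 2^>nul ^| findstr /i /c:"%~2"') do set /a "%~3=%%A"
exit /b 0
```

The exit code equals the number of findings, so the script can be run from a post-install checklist and fail it when NLA is off or the rule is unscoped.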

February 16, 2008

ICT in Windows Server 2008

Filed under: Windows Server 2008 — Antonio @ 5:57 pm

Probably one of the first features you will run into when working with Windows Server 2008 is the Initial Configuration Task list, ICT for short. This tool answers a question some server administrators had over the past couple of years with Windows Server 2003: what must I do to configure my Windows Server 2003 install on this server? To answer this, Microsoft had a set of tools available for us in 2003, but since they were all over the place this task was somewhat difficult. In Windows Server 2008 Microsoft provided us with the Initial Configuration Wizard (ICT), a tool that allows us to:

  • Set the timezone (previously done in the setup portion of Windows Server 2003)
  • Configure networking (also done in the setup portion of 2003)
  • Provide computer name and domain (commonly done post setup right-clicking the my computer icon)
  • Enable automatic updates and feedback (done in the Post-setup security updates wizard)
  • Download and install updates
  • Add roles (previously done through Manage Your Server or Add/Remove Windows Components)
  • Add features (done in Add/Remove Windows Components)
  • Enable remote desktop (done by right-clicking My Computer)
  • Configure Windows Firewall (done in the Security Configuration Wizard or by messing with the properties of each network adapter card)

ICT

This screen takes a page from the To-do list some of you might have seen in Windows Server 2003 Small Business Server installs, which helped the SBS server user to configure some very complex tasks in a simple manner.

2003-sbs-todo-list

This screen will appear every single time you turn on your Windows Server 2008 install, but it can be disabled by checking the “Do not show this window at logon” box. If you would like to go back to it, simply run the command oobe in the Run box.

At this point I would like to stop and make note of the default behavior of these options after setup in Windows Server 2008, please pay special attention to the firewall section.

Setting | Default value
--- | ---
Time zone | Pacific Time (GMT-8)
Computer name | The computer name is randomly assigned during installation.
Domain membership | The computer is not joined to a domain by default; it is joined to a workgroup named WORKGROUP.
Windows Update | Windows Update is turned off by default.
Network connections | All network connections are set to obtain IP addresses automatically by using DHCP, for both IPv4 and IPv6.
Windows Firewall | Windows Firewall is turned on by default.
Roles/Features installed | No role or features are installed by default.

Yes, the firewall is now enabled out of the box, so when you enable remote desktop make sure you review the firewall settings in Server Manager to ensure you are allowed to remotely manage your server. You might also notice that no role or feature is installed by default. This minimizes the effective attack surface of your Windows Server 2008 box, as it does not have any service running by default, as previous versions of Windows did, that could lead to an attack due to an unpatched security vulnerability or an improperly configured service.

Before closing this post I would just like to remind everyone that this screen is not available in the Windows Server 2008 core install.

In my next post tomorrow I will talk a bit about server manager and how to make sure your remote desktop connection is allowed thru with the firewall enabled out of the box, see you then!

February 15, 2008

Starting out with Windows Server 2008

Filed under: Books, E-Learning, Test Drive, Virtual Labs, Webcasts, Windows Server 2008 — Antonio @ 9:29 am

As some of you might know, Windows Server 2008 RTM’d on February 4th. Those of you that have an MSDN or TechNet Plus subscription might want to go ahead and check it out, if you have not done so already in one of its previous release candidate or beta forms.

So now that the product is out and the official worldwide release date is February 27th, it might be a good moment to start playing around with it and learning how it might fit in your enterprise or IT shop environment. A good place to start out and get a good feel for it might be the TechNet Virtual Labs; some of the featured labs include:

Or maybe you would first like to watch some demos of the features in Windows Server 2008 and then try them out; for this Microsoft made available the Windows Server 2008 Test Drives.

Personally I enjoy watching the Microsoft On-Demand webcasts, as I get to hear the experiences of the different individuals that made this excellent product happen. Some of the webcasts I recommend for starting out with Windows Server 2008 are:

Another item I like to use to learn about new products and technologies is online courses and Microsoft has made available some very insightful e-learning style clinics that focus on Windows Server 2008 for free, the series is titled Collection 5934: Introducing Microsoft Windows Server Code Name “Longhorn” (Beta 3), and includes the following topics:

  • Introducing Server Virtualization in Windows Server 2008
  • Introducing Security and Policy Management in Windows Server 2008
  • Introducing Branch Office Management in Windows Server 2008
  • Introducing Centralized Application Access in Windows Server 2008
  • Introducing Server Management in Windows Server 2008

And for those of you that like the traditional way of learning, I might suggest Mitch Tulloch’s Microsoft Press book Introducing Windows Server 2008. This book is based on Beta 3, but all of the information is still pretty relevant and valid. What I probably liked most about this book compared to other MS Press books is the interaction the author had with the different development teams within Microsoft that worked on the product, whom he allowed to write part of the book in what he calls “From the experts” sidebars.

Whichever is the way you prefer to get ready and start out with Windows Server 2008 please leave a comment in this post with your experiences on the product and your tips and favorite resources for information regarding it.
