Slideshow transcript
Slide 1: Module 1 Server Management in Windows Server 2008
Slide 2: Server Management Overview
Slide 3: Primary Management Tools • Initial Configuration Tasks: guides you through the process of configuring a new server • Server Manager Console: new MMC snap-in provides a consolidated view of the server, including server configuration, status of installed roles, and links for adding/removing roles and features • Benefits: easy, systematic, single interface for all management; more secure and reliable; ensures service prerequisites are met
Slide 4: Alternative Management Tools • ServerManagerCmd.exe • Windows PowerShell • Remote Management: Windows Remote Management (WS-Management), Windows Remote Shell (WinRS) • Event Subscriptions • Task Scheduling based on Events • Microsoft System Center
Slide 5: Technical Background • Initial Configuration Tasks • Server Manager • Server Manager Wizards • Server Roles • Features
Slide 6: Server Manager
Server Roles: AD Certificate Services • AD Domain Services • AD Federation Services • AD Lightweight Directory Services • AD Rights Management Services • Application Server • DHCP/DNS Server • Fax Server/File Service • Network Policy and Access Service • Print Service • Terminal Services • UDDI Services • Web Service (IIS) • Windows Deployment Services • Windows SharePoint Services
Features: .NET Framework 3.0 • BitLocker Drive Encryption • BITS Server Extension • Connection Manager Admin Kit • Desktop Experience • Failover Clustering • Group Policy Management • Internet Printing Client • Internet Storage Name Server • LPR Port Monitor/Message Queuing • Multipath I/O, Network Load Balancing • Peer Name Resolution Protocol • Quality Windows Audio Video Experience • Remote Assistance • Remote Differential Compression • Removable Storage Manager • RPC over HTTP Proxy • Simple TCP/IP Services • SMTP Server/SNMP Services • Storage Manager for SANs • Subsystem for UNIX-based Applications • Telnet Client/Server/TFTP Client • Windows Internal Database • Windows PowerShell • Windows Process Activation Service • Windows Recovery Disc • Windows Server Backup Features • Windows System Resource Manager • WINS Server • Wireless LAN Service
Callouts on the slide (Server Role, Feature, Role Service): primary server services • provides access to network resources • contains databases or records • enhances server functionality • not tied to a specific role • features enabled automatically
Slide 7: Demonstration: Server Manager Overview • Server Manager Overview • Performing Key Tasks • Using ServerManagerCmd.exe
Slide 8: Implementation/Usage Scenarios • Improved New Server Deployment and Configuration • Improved Security • Improved Server Administration
Slide 9: Recommendations • For single server administration, use Server Manager • To manage roles from a command prompt, use ServerManagerCmd.exe • For multiple server administration, use Windows PowerShell • For Remote Management, use Windows Remote Management (based on WS-Management Standard) • Use Event Subscriptions to collect Event Viewer logs from multiple servers • Use System Center for enterprise-wide management
Slide 10: Server Core
Slide 11: Overview • Server Core Installation • Server Core: Active Directory, AD Lightweight Directory Services, DHCP Server, DNS Server, File Services, Print Services, Windows Media Services, Windows Virtualization Services • Benefits of Server Core: Reduced maintenance; Reduced attack surface; Reduced management; Less disk space required
Slide 12: Technical Background • Prerequisites • Deployment • Server Roles • Optional Features • Managing a Server Core Installation
Slide 13: Demonstration: Managing a Server Core • Locally and remotely via the Command Prompt • Remotely via MMC Server Core
Slide 14: 1
Time zone / time, locale / keyboard settings:
    Control TimeDate.cpl
    Control Intl.cpl
Administrator password:
    Net User Administrator *
Computer name / restart:
    Hostname
    Netdom RenameComputer <current-hostname> /NewName:<new-hostname> /Force /Reboot:10
Static IP address:
    Netsh Interface IPV4 Show Interfaces
    Netsh Interface IPV4 Set Address Name=<interface-id> Source=Static Address=<IP-address> Mask=<subnet-mask> Gateway=<gateway-address>
    Netsh Interface IPV4 Add DnsServer Name=<interface-id> Address=<DNS-server-IP> Index=1
Join the domain / add a specified domain user to the local Administrators group / restart:
    Netdom Join <hostname> /Domain:<domain-name> /UD:<privileged-account-name> /PD:*
    Net LocalGroup Administrators /Add <domain-name>\<domain-account-name>
    Shutdown /r /f /t 10
Slide 15: 2
Activation:
    SLMGR.vbs -xpr
    SLMGR.vbs -ato
Enable the firewall:
    Netsh Firewall Set OpMode Enable
    Netsh Firewall Set ICMPSetting 8 Enable
Enable Remote Desktop:
    Cscript %windir%\System32\SCRegEdit.wsf /ar 0
Enable automatic updates:
    Cscript %windir%\System32\SCRegEdit.wsf /au 4
Add server roles:
    Start /w OcSetup DHCPServerCore
    Start /w OcSetup DNS-Server-Core-Role
    Start /w OcSetup Printing-ServerCore-Role
    Dcpromo /Unattend:<unattend-file-name>
Slide 16: Implementation/Usage Scenarios • Reduced maintenance • Reduced attack surface • Reduced management • Less disk space required
Slide 17: Recommendations • Implement Server Core whenever possible • Publish cmd.exe using Terminal Services RemoteApp to allow you to run cmd.exe in a window on your local machine rather than in a full terminal services client • Minimize administrative access to the system • Ensure physical security of the server • Implement BitLocker Drive Encryption
Slide 18: Windows PowerShell
Slide 19: Overview • What is PowerShell? • What are cmdlets? • Benefits • What can I do with PowerShell? • Prerequisites
Slide 20: Technical Background Native Support Aliasing Cmdlets | New Scripting Language Navigation Important Concepts Administration PowerShell Pipeline Security
Slide 21: Demonstration: Using Windows PowerShell • Getting Help • Navigating Windows PowerShell • Adding a User to Active Directory
Slide 22: Implementation/Usage Scenarios Command-Line Services, Processes, Registry, and WMI Data Management Server/Role Management Terminal Server IIS 7.0 AD Exchange 2007 MOM 2007
Slide 23: Recommendations • Start using Windows PowerShell immediately! • Don’t throw away any existing scripts or batch files – they can still be used! • Don’t forget the power of the wildcard, such as “get-services*” • Don’t deploy Windows PowerShell on any machine where it is not actually needed • Centrally control Windows PowerShell security settings through GPOs – do it now!
Slide 24: Module 2 Centralized Application Access with Windows Server 2008
Slide 25: Terminal Services Core Functionality
Slide 26: Overview • Benefits & Uses of Terminal Services • Who will be interested in the new capabilities of Terminal Services? • What is Centralized Application Access? • Terminal Services Installation, Configuration & Management • New Features: Experience; Security; Manageability & Scalability; Client Connectivity • [Diagram labels: Central Location, Branch Office, Home Office, Mobile Worker In Airport]
Slide 27: Support for 64-bit Architecture and Hardware • Provides a significantly larger virtual address space for kernel data structures • Accommodates more TS user sessions • Runs 32-bit software without recompiling • Runs 64-bit drivers/software specifically compiled for 64-bit environment • Runs 32-bit applications at high performance • 4 GB user VA for large memory-aware processes • Runs 64-bit applications • 8 TB virtual address space • Reduces mapping and soft page faults • Eases migration to 64-bit infrastructure
Slide 28: Installation and Configuration Terminal Services roles that can be installed: • Terminal Server • TS Licensing • TS Session Broker • TS Gateway • TS Web Access Configuring Terminal Services • Install programs on server • Configure remote connection settings • Configure clients to use Terminal Services
Slide 29: Authentication • Network Level Authentication – finishes user authentication before you establish a full remote connection and the desktop appears • Server Authentication – verifies that you are connecting to the correct remote computer • Single Sign-On – allows a user with a domain account to log on once, using a password or smart card, and then gain access to remote servers without being asked for their credentials again
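Slide 30: Terminal Services SSO Configuration • Client must be Vista or Windows Server 2008 • Enable "Allow default credentials to be used for logging on to the specified terminal services": Computer Configuration, Administrative Templates, System, Credentials Delegation, enable "Allow Delegating Default Credentials"; "Show", Add, "TermSrv/<terminal-server-name>" (FQDN, NetBIOS Name) • Server must be Windows Server 2008 • Terminal Services Configuration, RDP-TCP, General, Security Layer set to "Negotiate" or "SSL (TLS 1.0)" • The domain account must be usable on both the client and the server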
Slide 31: Device Redirection • Plug and Play Device Redirection • Windows Portable Devices: media players, based on Media Transfer Protocol (MTP); digital cameras, based on Picture Transfer Protocol (PTP) • Windows Point of Service (POS) Device Redirection: Implement POS for .NET 1.1 (downloadable); Configure .rdp file; Connect device
Slide 32: Remote Experience Improvements • Custom Display Resolutions • Monitor Spanning • Desktop Experience • 32-Bit Color • Font Smoothing • Display Data Prioritization • TS Easy Print
Slide 33: Demonstration: User Experience Enhancements • Plug & Play Redirection configuration • Remote Desktop Connection Display configuration
Slide 34: Implementation/Usage Scenarios • Centralized Application Access • Security Enhancement • Centralized Application Management • User Productivity Enhancement • Complexity Reduction • Branch Office Environments
Slide 35: Recommendations • Upgrade existing Terminal Servers to Windows Server 2008 • Configure client systems to use RDC 6.0 • Implement new features to enhance user experience • Use Single Sign-On • Implement TS Gateway, TS RemoteApp and TS Web capabilities • Use x64 hardware and WSRM
Slide 36: Terminal Services Gateway
Slide 37: Overview • Benefits of a TS Gateway • TS Gateway Prerequisites • TS Gateway Management • [Diagram labels: Home, Hotel, Business Partner/Client Site; HTTPS / 443; Terminal Services Gateway; Strips off RPC/HTTPS; Passes RDP/SSL traffic to TS; TS; Other RDP Hosts; NPS Server; DC]
Slide 38: Benefits of TS Gateway • Allows you to control access to specific resources • Reduces management costs • Facilitates consolidation of existing Terminal Servers • Can be integrated with Network Policy Server, enabling centralized policy deployment and lower TCO • Allows monitoring on remote connections • Enables connections across firewalls and NATs • Eliminates the need to configure VPN connections
Slide 39: TS Gateway Management • TS Gateway Management Snap-In: Provides a single, one-stop tool to configure policies to define conditions that must be met before users can connect. Provides a tool to monitor TS Gateway events. Allows you to review details about connections. • No remote computers are directly exposed to the internet; all data remains within the corporate network.
Slide 40: Prerequisites for a TS Gateway • A server with Windows Server 2008 installed • Administrator must be a member of the Administrators group on this machine • A Network Policy Server (NPS) to centralize the storage, management and validation of TS Gateway policies • A certificate for the TS Gateway server that meets these requirements: Computer certificate; Intended purpose – server authentication; Has a corresponding private key
Slide 41: Technical Background • Configuring a TS Gateway Server • Connection Authorization Policies • Resource Groups • Resource Authorization Policies • Client Configuration
Slide 42: TS Gateway Configuration • Configuring the TS Gateway Server: Install the TS Gateway role services; Configure IIS settings; Obtain/Configure a server certificate; Create a CAP for the TS Gateway Server; Create resource groups; Create a RAP for the TS Gateway Server • Configure the TS Gateway Client: RDC 6.0 Settings
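Slide 43: Remote access to internal application resources • [Diagram labels: Internet, DMZ, internal network; external firewall, internal firewall; working from home, traveling, business partner / client site, wireless users; Internet HTTPS / 443; RDP over HTTPS tunnel; Terminal Services Gateway server strips off RDP/HTTPS and passes RDP/SSL traffic to TS; terminal server; AD domain controller; Network Policy Server]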
Slide 44: Demonstration: Implementing a TS Gateway • Importing and mapping a certificate • Creating a CAP • Creating a Resource Group • Creating a RAP • Monitoring connections
Slide 45: Implementation/Usage Scenarios • Centralized Application Access • Security Enhancement • Server Consolidation | Cost Reduction • [Diagram labels: Home, Hotel, Business Partner/Client Site, Terminal Services Gateway Server]
Slide 46: Recommendations • Use a TS Gateway instead of a VPN • Configure Connection Access Policies, Resource Groups and Resource Access Policies • Use TS Gateway management to monitor the status, health, and events on remote connections • Do not use a self-signed SSL certificate in production • Use in conjunction with an application layer firewall • Don’t depend on device blocking for security
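Added example (not part of the original slides): a PowerShell audit of the local computer certificate store against the certificate prerequisites on Slide 40 and the "no self-signed certificate in production" recommendation on Slide 46. The function name Test-TsGatewayCertificate is hypothetical, and the self-signed test is a subject-equals-issuer heuristic.

```powershell
# Added example: audit candidate TS Gateway certificates in the computer store.
# Test-TsGatewayCertificate is a hypothetical helper name, not a built-in cmdlet.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Test-TsGatewayCertificate {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # Locate the Enhanced Key Usage extension, if the certificate has one.
        $eku = $Certificate.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        # Strict reading of the slide: the Server Authentication OID must be listed.
        $serverAuth = $false
        if ($eku) {
            $hits = @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
            $serverAuth = $hits.Count -gt 0
        }
        $now = Get-Date
        New-Object PSObject -Property @{
            Subject       = $Certificate.Subject
            Thumbprint    = $Certificate.Thumbprint
            HasPrivateKey = $Certificate.HasPrivateKey
            ServerAuth    = $serverAuth
            # Heuristic: a self-signed certificate names itself as issuer.
            SelfSigned    = ($Certificate.Subject -eq $Certificate.Issuer)
            InValidity    = ($now -ge $Certificate.NotBefore -and $now -le $Certificate.NotAfter)
        }
    }
}

# "Computer certificate" on the slide maps to the LocalMachine\My store.
Get-ChildItem Cert:\LocalMachine\My | Test-TsGatewayCertificate |
    Select-Object Subject, Thumbprint, HasPrivateKey, ServerAuth, SelfSigned, InValidity |
    Format-Table -AutoSize
```

A certificate suitable for production shows HasPrivateKey and ServerAuth as True, SelfSigned as False, and InValidity as True.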
Slide 47: Terminal Services RemoteApp
Slide 48: Overview TS RemoteApp • What is TS RemoteApp? • What are the benefits of using TS RemoteApp? • Does any code require modification? • [Diagram labels: Branch Office, Home Office, Mobile Worker In Airport]
Slide 49: Technical Background • What works differently? • Configuring a TS RemoteApp Server • How can users access RemoteApp programs?
Slide 50: Demonstration: Implementing TS RemoteApp • Managing the Allow List • Distributing an MSI package to users • Connecting to a remote program from a client
Slide 51: Implementation/Usage Scenarios • Roaming Users • Line of Business Applications Deployment • Branch Offices
Slide 52: Recommendations • Put common applications, such as MS Office, on the same TS RemoteApp Server • Consider putting individual applications on separate servers when: the application has compatibility issues; a single application and associated users may fill server capacity • Create a load-balanced farm for single applications that exceed the capacity of one server • Consider placing the TS RemoteApp server behind an ISA Server • Use a trusted root-signed SSL certificate
Slide 53: Terminal Services Web Access
Slide 54: Overview TS Web Access • What is Terminal Services Web Access? • What are the benefits of TS Web Access? • TS Web Access Server Requirements • TS Web Access Client Requirements • [Diagram labels: Branch Office, Home Office, Mobile Worker In Airport]
Slide 55: Technical Background • Populating the TS RemoteApp Web Part • Using Active Directory as the Data Source • Using a Single Terminal Server as the Data Source
Slide 56: Demonstration: Configuring TS Web Access • Configuring a TS data source • Configuring the TS Web Access Server • Launching Applications
Slide 57: Implementation/Usage Scenarios • Centralized Application Access • New Version Deployment
Slide 58: Recommendations • Use TS Web Access defaults for single server deployments • Use Active Directory mode for multi-server deployments when customers are used to Active Directory MSI deployment • When customer has no Active Directory MSI experience, use custom ASP scripting solutions or third-party solutions


