0505 Windows Server 2008 One-Day Highlights Camp, Part I

1. Module 1: Server Management in Windows Server 2008
2. Server Management Overview
3. Primary Management Tools
  • Server Manager Console
    • New MMC snap-in that provides a consolidated view of the server, including server configuration, the status of installed roles, and links for adding/removing roles and features
  • Initial Configuration Tasks
    • Guides you through the process of configuring a new server
  • Benefits
    • Easy, systematic, single interface for all management
    • More secure and reliable
    • Ensures service prerequisites are met
4. Alternative Management Tools
  • Windows PowerShell
  • ServerManagerCmd.exe
  • Remote Management
    • Windows Remote Management (WS-Management)
    • Windows Remote Shell (WinRS)
  • Event Subscriptions
  • Task Scheduling based on events
  • Microsoft System Center
5. Technical Background
  • Server Manager
  • Server Manager Wizards
  • Server Roles
  • Initial Configuration Tasks
  • Features
6. Server Manager: Server Roles, Role Services and Features
  • Server Role: the server's primary service; provides access to network resources; includes a database or records; enables the features it needs automatically
    • AD Certificate Services, AD Domain Services, AD Federation Services, AD Lightweight Directory Services, AD Rights Management Services, Application Server, DHCP Server, DNS Server, Fax Server, File Services, Network Policy and Access Services, Print Services, Terminal Services, UDDI Services, Web Server (IIS), Windows Deployment Services, Windows SharePoint Services
  • Role Service
  • Feature: enhances the server's functionality; not tied to a specific role
    • .NET Framework 3.0, BitLocker Drive Encryption, BITS Server Extensions, Connection Manager Administration Kit, Desktop Experience, Failover Clustering, Group Policy Management, Internet Printing Client, Internet Storage Name Server, LPR Port Monitor, Message Queuing, Multipath I/O, Network Load Balancing, Peer Name Resolution Protocol, Quality Windows Audio Video Experience, Remote Assistance, Remote Differential Compression, Removable Storage Manager, RPC over HTTP Proxy, Simple TCP/IP Services, SMTP Server, SNMP Services, Storage Manager for SANs, Subsystem for UNIX-based Applications, Telnet Client, Telnet Server, TFTP Client, Windows Internal Database, Windows PowerShell, Windows Process Activation Service, Windows Recovery Disc, Windows Server Backup Features, Windows System Resource Manager, WINS Server, Wireless LAN Service
7. Demonstration: Server Manager Overview
  • Server Manager overview
  • Performing key tasks
  • Using ServerManagerCmd.exe
8. Implementation/Usage Scenarios
  • Improved security
  • Improved server administration
  • Improved new server deployment and configuration
9. Recommendations
  • To manage roles from a command prompt, use ServerManagerCmd.exe
  • For multiple-server administration, use Windows PowerShell
  • For single-server administration, use Server Manager
  • For remote management, use Windows Remote Management (based on the WS-Management standard)
  • Use Event Subscriptions to collect Event Viewer logs from multiple servers
  • Use System Center for enterprise-wide management
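The command-line path these recommendations describe, written out as an added example in a cmd batch script (it is not from the deck). ServerManagerCmd's -query and -whatIf options and the winrm/wecutil quick-config commands are real tools; the role ID and the choice of this server as the event collector are constructed for the example.

```batch
@echo off
rem Added example, not from the deck: the command-line management path recommended above.
rem Dry-run a role installation with ServerManagerCmd, then prepare this server as an
rem event collector so Event Subscriptions can pull logs from other servers.
rem ROLEID and the collector role of this box are constructed for the example.
setlocal
set ROLEID=DNS

rem 1. What is already installed? ServerManagerCmd -query marks installed items with [X].
servermanagercmd.exe -query | findstr /l /c:"[X]"

rem 2. Preview the change first; -whatIf reports what would happen and installs nothing.
servermanagercmd.exe -install %ROLEID% -whatIf
if errorlevel 1 (
  echo ServerManagerCmd reported a problem with %ROLEID%; not installing.
  exit /b 1
)
rem The real install is the same command without -whatIf:
rem   servermanagercmd.exe -install %ROLEID%

rem 3. Collector prerequisites: a WinRM listener plus the Windows Event Collector service.
winrm quickconfig -q
wecutil qc /q:true

rem 4. Subscriptions already defined on this collector (empty on a fresh box).
wecutil es
endlocal
```

Run it once on the server that will collect logs; the source servers only need WinRM enabled and the collector's computer account in their Event Log Readers group, which the subscription wizard in Event Viewer then uses.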
10. Server Core
11. Overview
  • Server Core installation
    • Active Directory, AD Lightweight Directory Services, DHCP Server, DNS Server, File Services, Print Services, Windows Media Services, Windows Virtualization Services
  • Benefits of Server Core
    • Reduced maintenance
    • Reduced attack surface
    • Reduced management
    • Less disk space required
12. Technical Background
  • Deployment
  • Server Roles
  • Prerequisites
  • Optional Features
  • Managing a Server Core installation
13. Demonstration: Managing a Server Core
  • Locally and remotely via the Command Prompt
  • Remotely via MMC
14. Server Core configuration commands (1)
  • Time zone/time and locale/keyboard settings
    • Control TimeDate.cpl, Control Intl.cpl
  • Administrator password
    • Net User Administrator *
  • Computer name / restart
    • Hostname
    • Netdom RenameComputer <OldName> /NewName:<NewName> /Force /Reboot:10
  • Static IP address
    • Netsh Interface IPV4 Show Interfaces
    • Netsh Interface IPV4 Set Address Name=<InterfaceIndex> Source=Static Address=<IPAddress> Mask=<SubnetMask> Gateway=<GatewayAddress>
    • Netsh Interface IPV4 Add DnsServer Name=<InterfaceIndex> Address=<DNSServerIP> Index=1
  • Join the domain / add a domain account to the local Administrators group / restart
    • Netdom Join <ComputerName> /Domain:<DomainName> /UD:<AccountWithJoinRights> /PD:*
    • Net LocalGroup Administrators /Add <DomainName>\<DomainAccount>
    • Shutdown /r /f /t 10
15. Server Core configuration commands (2)
  • Activation
    • SLMGR.vbs -xpr
    • SLMGR.vbs -ato
  • Enable the firewall
    • Netsh Firewall Set OpMode Enable
    • Netsh Firewall Set ICMPSetting 8 Enable
  • Enable Remote Desktop
    • Cscript %windir%\System32\ScRegEdit.wsf /ar 0
  • Enable automatic updates
    • Cscript %windir%\System32\ScRegEdit.wsf /au 4
  • Add server roles
    • Start /w OcSetup DHCPServerCore
    • Start /w OcSetup DNS-Server-Core-Role
    • Start /w OcSetup Printing-ServerCore-Role
    • Dcpromo /Unattend:<UnattendFileName>
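The two slides above list the commands as separate fragments with placeholders. As an added example (not from the deck), here they are assembled into one cmd batch script in the order a new Server Core box is actually built. The host name, addresses, domain, join account and admin group are all constructed values, and the script is split into phases because the rename and the domain join each reboot the machine.

```batch
@echo off
rem core-setup.cmd: the Server Core commands from slides 14 and 15 as one script.
rem Added example, not from the deck. Split into phases because the rename and the
rem domain join each reboot the box; run as the local Administrator:
rem   core-setup.cmd 1   password, time/locale, static IP, rename  (reboots)
rem   core-setup.cmd 2   domain join, local Administrators, restart (reboots)
rem   core-setup.cmd 3   activation, firewall, Remote Desktop, updates, roles
rem Every value below is constructed for this example; replace it with your own.
setlocal
set NEWNAME=CORE01
set NIC=Local Area Connection
set IPADDR=192.168.10.20
set MASK=255.255.255.0
set GATEWAY=192.168.10.1
set DNS1=192.168.10.10
set DOMAIN=corp.example.com
set JOINACCT=corp\svc-join
set ADMINGROUP=corp\ServerAdmins

if "%~1"=="1" goto phase1
if "%~1"=="2" goto phase2
if "%~1"=="3" goto phase3
echo Usage: %~nx0 1 ^| 2 ^| 3
exit /b 1

:phase1
rem Prompt for the new Administrator password; * keeps it off the command line.
net user Administrator *
rem Time zone and locale are interactive dialogs even on Server Core.
control timedate.cpl
control intl.cpl
rem Static addressing before the rename, so the box comes back on a known address.
netsh interface ipv4 show interfaces
netsh interface ipv4 set address name="%NIC%" source=static address=%IPADDR% mask=%MASK% gateway=%GATEWAY%
netsh interface ipv4 add dnsserver name="%NIC%" address=%DNS1% index=1
rem Rename and reboot in 10 seconds.
netdom renamecomputer %COMPUTERNAME% /NewName:%NEWNAME% /Force /Reboot:10
goto :eof

:phase2
rem /PD:* prompts for the join account's password instead of embedding it here.
netdom join %COMPUTERNAME% /Domain:%DOMAIN% /UD:%JOINACCT% /PD:*
if errorlevel 1 (
  echo Domain join failed; not changing local Administrators.
  exit /b 2
)
rem Grant a domain group, not individual users, local administrative rights.
net localgroup Administrators /add %ADMINGROUP%
shutdown /r /f /t 10
goto :eof

:phase3
rem Activate, then show the licence status to confirm it worked.
cscript //nologo %windir%\system32\slmgr.vbs -ato
cscript //nologo %windir%\system32\slmgr.vbs -xpr
rem Firewall on; ICMP type 8 (echo request) allowed so monitoring can ping the host.
netsh firewall set opmode enable
netsh firewall set icmpsetting 8 enable
rem Remote Desktop on (/ar 0 = allow) and automatic updates set to auto-install (/au 4).
cscript //nologo %windir%\system32\scregedit.wsf /ar 0
cscript //nologo %windir%\system32\scregedit.wsf /au 4
rem Only the role this box is for; start /w waits for OcSetup to finish.
start /w ocsetup DNS-Server-Core-Role
rem oclist shows every package with an Installed / Not Installed prefix.
oclist
goto :eof
```

Phase 3 installs a single role on purpose: the attack-surface benefit on slide 11 only holds if roles are added one at a time as they are needed, and oclist at the end gives the reviewer a record of what the box now runs.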
16. Implementation/Usage Scenarios
  • Reduced attack surface
  • Reduced management
  • Reduced maintenance
  • Less disk space required
17. Recommendations
  • Publish cmd.exe using Terminal Services RemoteApp so you can run cmd.exe in a window on your local machine rather than in a full Terminal Services client
  • Implement Server Core whenever possible
  • Minimize administrative access to the system
  • Ensure physical security of the server
  • Implement BitLocker Drive Encryption
18. Windows PowerShell
19. Overview
  • What are cmdlets?
  • What is PowerShell?
  • Benefits
  • What can I do with PowerShell?
  • Prerequisites
20. Technical Background
  • Cmdlets | new scripting language
  • Native support
  • Important concepts
  • Administration
  • PowerShell pipeline
  • Security
  • Aliasing
  • Navigation
21. Demonstration: Using Windows PowerShell
  • Getting help
  • Navigating Windows PowerShell
  • Adding a user to Active Directory
22. Implementation/Usage Scenarios
  • Server/role management
  • Command-line management of services, processes, the registry and WMI data
  • (products shown: Terminal Server, IIS 7.0, AD, Exchange 2007, MOM 2007)
23. Recommendations
  • Don't throw away any existing scripts or batch files; they can still be used!
  • Start using Windows PowerShell immediately!
  • Don't forget the power of the wildcard, such as "get-services*"
  • Don't deploy Windows PowerShell on any machine where it is not actually needed
  • Centrally control Windows PowerShell security settings through GPOs; do it now!
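The last two recommendations are checkable. As an added example (not from the deck), the cmd batch script below audits a full installation for both: whether the PowerShell feature is present at all, and whether its execution policy comes from Group Policy or is merely the local setting. It assumes that ServerManagerCmd -query marks installed features with [X] and that the "Turn on Script Execution" policy writes its ExecutionPolicy value under the registry key named in the script.

```batch
@echo off
rem ps-policy-audit.cmd: added example, not from the deck. Checks two of the
rem recommendations above on a full installation: is Windows PowerShell installed
rem here at all, and if so is its execution policy enforced by Group Policy rather
rem than left to the local setting? Assumptions: ServerManagerCmd -query marks
rem installed features with [X], and the "Turn on Script Execution" GPO writes its
rem ExecutionPolicy value under the registry key below.
setlocal enabledelayedexpansion
set POLKEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell

servermanagercmd.exe -query | findstr /l /i /c:"[X] Windows PowerShell" >nul
if errorlevel 1 (
  echo PowerShell feature: not installed; nothing to audit on this server.
  exit /b 0
)
echo PowerShell feature: installed

reg query "%POLKEY%" /v ExecutionPolicy >nul 2>&1
if errorlevel 1 (
  echo Execution policy: NOT set by Group Policy; the local setting below governs.
  powershell.exe -noprofile -command "Get-ExecutionPolicy"
  exit /b 2
)
rem reg query prints "ExecutionPolicy  REG_SZ  <value>"; the value is the third token.
for /f "tokens=3" %%V in ('reg query "%POLKEY%" /v ExecutionPolicy ^| findstr /i "ExecutionPolicy"') do set GPOPOL=%%V
echo Execution policy from GPO: !GPOPOL!
if /i "!GPOPOL!"=="Unrestricted" (
  echo WARNING: policy allows unsigned scripts from any source.
  exit /b 3
)
echo Execution policy is centrally enforced.
endlocal
exit /b 0
```

Exit code 0 means the machine either has no PowerShell or has a centrally enforced, non-Unrestricted policy; 2 and 3 are the two findings worth a ticket. Because it is a plain batch file it can be pushed through the same GPO startup-script mechanism, which is useful precisely on the servers where PowerShell was never meant to be installed.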
24. Module 2: Centralized Application Access with Windows Server 2008
25. Terminal Services Core Functionality
26. Overview
  • Who will be interested in the new capabilities of Terminal Services?
  • What is Centralized Application Access?
  • Benefits and uses of Terminal Services
  • Terminal Services installation, configuration and management
  • New features:
    • Experience
    • Security
    • Manageability and scalability
  • Client connectivity
  • (diagram: Mobile Worker in Airport, Branch Office and Home Office connecting to a Central Location)
27. Support for 64-bit Architecture and Hardware
  • Provides a significantly larger virtual address space for kernel data structures
  • Accommodates more TS user sessions
  • Runs 32-bit software without recompiling
  • Runs 64-bit drivers/software specifically compiled for a 64-bit environment
  • Runs 32-bit applications at high performance
    • 4 GB user VA for large-memory-aware processes
  • Runs 64-bit applications
    • 8 TB virtual address space
    • Reduces mapping and soft page faults
  • Eases migration to a 64-bit infrastructure
28. Installation and Configuration
  • Terminal Services roles that can be installed:
    • Terminal Server
    • TS Licensing
    • TS Session Broker
    • TS Gateway
    • TS Web Access
  • Configuring Terminal Services
    • Install programs on the server
    • Configure remote connection settings
    • Configure clients to use Terminal Services
29. Authentication
  • Network Level Authentication: finishes user authentication before a full remote connection is established and the desktop appears
  • Server Authentication: verifies that you are connecting to the correct remote computer
  • Single Sign-On: allows a user with a domain account to log on once, using a password or smart card, and then gain access to remote servers without being asked for their credentials again
30. Terminal Services SSO configuration
  • The client must be Vista or Windows Server 2008
    • Enable "Allow default credentials to be used to log on to the specified terminal servers"
    • Computer Configuration, Administrative Templates, System, Credentials Delegation: enable "Allow Delegating Default Credentials"
    • "Show", Add, "TERMSRV/<terminal server name>" (FQDN or NetBIOS name)
  • The server must be Windows Server 2008
    • Terminal Services Configuration, RDP-Tcp, General: set the security layer to "Negotiate" or "SSL (TLS 1.0)"
  • The domain account must be usable on both the client and the server
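Once the GPO and TS Configuration changes above are made, the question is whether they actually reached each side. The cmd batch script below is an added example (not from the deck) that verifies both sides read-only: on the client, that the Credentials Delegation policy is enabled and lists the terminal server; on the server, that RDP-Tcp is on Negotiate or SSL. It assumes the policy lands under the registry key named in the script, with one "TERMSRV/<host>" string value per entry in its AllowDefaultCredentials subkey, and that the security layer is readable from the WMI class Win32_TSGeneralSetting; the host name is constructed.

```batch
@echo off
rem tssso-check.cmd: added example, not from the deck. Read-only verification of the
rem SSO prerequisites listed above, after the GPO and TS Configuration changes are made.
rem   tssso-check.cmd client ts01.corp.example.com   did the policy reach this client?
rem   tssso-check.cmd server                          is RDP-Tcp on Negotiate or SSL?
rem Assumptions: the Credentials Delegation policy lands under the registry key below,
rem with one "TERMSRV/<host>" string value per entry in its AllowDefaultCredentials
rem subkey, and TS Configuration's security layer is readable from the WMI class
rem Win32_TSGeneralSetting. The host name is constructed.
setlocal
set DELEGKEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation
if /i "%~1"=="client" goto client
if /i "%~1"=="server" goto server
echo Usage: %~nx0 client ^<terminal-server-name^> ^| server
exit /b 1

:client
if "%~2"=="" (
  echo Terminal server name required.
  exit /b 1
)
reg query "%DELEGKEY%" /v AllowDefaultCredentials 2>nul | findstr /l /c:"0x1" >nul
if errorlevel 1 (
  echo "Allow Delegating Default Credentials" is not enabled by policy on this client.
  exit /b 2
)
rem The SPN list lives in a subkey; every value there is one "TERMSRV/host" entry.
reg query "%DELEGKEY%\AllowDefaultCredentials" 2>nul | findstr /l /i /c:"TERMSRV/%~2" >nul
if errorlevel 1 (
  echo Policy is enabled but TERMSRV/%~2 is not in the delegation list.
  exit /b 3
)
echo Client OK: default credentials may be delegated to TERMSRV/%~2
exit /b 0

:server
rem SecurityLayer: 0 = RDP (no SSO), 1 = Negotiate, 2 = SSL (TLS 1.0).
rem The inner FOR strips the trailing carriage return that wmic leaves on each line.
for /f "usebackq skip=1 tokens=1" %%L in (`wmic /namespace:\\root\cimv2\TerminalServices path Win32_TSGeneralSetting where "TerminalName='RDP-Tcp'" get SecurityLayer`) do (
  for /f "tokens=1" %%S in ("%%L") do (
    if "%%S"=="0" (
      echo Server: RDP-Tcp security layer is RDP; set it to Negotiate or SSL.
      exit /b 4
    )
    if "%%S"=="1" echo Server OK: security layer is Negotiate.
    if "%%S"=="2" echo Server OK: security layer is SSL ^(TLS 1.0^).
  )
)
exit /b 0
```

The client half deliberately checks for the exact TERMSRV/ entry rather than just the enabled flag: a policy that delegates default credentials to a wildcard such as TERMSRV/* hands the user's password to any host that answers on 3389, which is why the slide says to add the specific server name.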
31. Device Redirection
  • Plug and Play device redirection
    • Windows Portable Devices
      • Media players, based on Media Transfer Protocol (MTP)
      • Digital cameras, based on Picture Transfer Protocol (PTP)
  • Windows Point of Service (POS) device redirection
    • Implement POS for .NET 1.1 (downloadable)
    • Configure the .rdp file
    • Connect the device
32. Remote Experience Improvements
  • Monitor spanning
  • Desktop Experience
  • Font smoothing
  • Custom display resolutions
  • Display data prioritization
  • 32-bit color
  • TS Easy Print
33. Demonstration: User Experience Enhancements
  • Plug and Play redirection configuration
  • Remote Desktop Connection display configuration
34. Implementation/Usage Scenarios
  • Security enhancement
  • Centralized application management
  • User productivity enhancement
  • Complexity reduction
  • Centralized application access
  • Branch office environments
35. Recommendations
  • Configure client systems to use RDC 6.0
  • Implement the new features to enhance the user experience
  • Use Single Sign-On
  • Implement TS Gateway, TS RemoteApp and TS Web Access capabilities
  • Upgrade existing Terminal Servers to Windows Server 2008
  • Use x64 hardware and WSRM
36. Terminal Services Gateway
37. Overview
  • Benefits of a TS Gateway
  • TS Gateway management
  • TS Gateway prerequisites
  • (diagram: Hotel, Home and Business Partner/Client Site clients connect over HTTPS/443 to the Terminal Services Gateway Server, which works with NPS and the DC, strips off RPC/HTTPS and passes RDP/SSL traffic to the TS and other RDP hosts)
38. Benefits of TS Gateway
  • Allows you to control access to specific resources
  • Reduces management costs
  • Facilitates consolidation of existing Terminal Servers
  • Can be integrated with Network Policy Server, enabling centralized policy deployment and lower TCO
  • Eliminates the need to configure VPN connections
  • Allows monitoring of remote connections
  • Enables connections across firewalls and NATs
39. TS Gateway Management
  • TS Gateway Management snap-in:
    • Provides a single, one-stop tool to configure policies that define the conditions users must meet before they can connect
    • Provides a tool to monitor TS Gateway events
    • Allows you to review details about connections
  • No remote computers are directly exposed to the Internet; all data remains within the corporate network
40. Prerequisites for a TS Gateway
  • A Network Policy Server (NPS) to centralize the storage, management and validation of TS Gateway policies
  • A certificate for the TS Gateway server that meets these requirements:
    • Computer certificate
    • Intended purpose: server authentication
    • Has a corresponding private key
  • A server with Windows Server 2008 installed
    • The administrator must be a member of the Administrators group on this machine
41. Technical Background
  • Configuring a TS Gateway server
    • Connection Authorization Policies
    • Resource Groups
    • Resource Authorization Policies
  • Client configuration
42. TS Gateway Configuration
  • Configuring the TS Gateway server:
    • Install the TS Gateway role services
    • Configure IIS settings
    • Obtain/configure a server certificate
    • Create a CAP for the TS Gateway server
    • Create resource groups
    • Create a RAP for the TS Gateway server
  • Configure the TS Gateway client:
    • RDC 6.0 settings
43. Remote access to internal application resources (diagram): clients travelling, working from home, at a business partner/client site or on wireless connect from the Internet over an RDP-over-HTTPS tunnel (HTTPS/443) through the external firewall to the Terminal Services Gateway server in the DMZ; the gateway strips RDP/HTTPS and passes RDP/SSL traffic through the internal firewall to the terminal servers on the internal network, alongside the Network Policy Server and the AD domain controller
44. Demonstration: Implementing a TS Gateway
  • Importing and mapping a certificate
  • Creating a CAP
  • Creating a Resource Group
  • Creating a RAP
  • Monitoring connections
45. Implementation/Usage Scenarios
  • Server consolidation | cost reduction
  • Centralized application access
  • Security enhancement
  • (diagram: Hotel, Home and Business Partner/Client Site clients connecting to the Terminal Services Gateway Server)
46. Recommendations
  • Configure Connection Authorization Policies (CAPs), Resource Groups and Resource Authorization Policies (RAPs)
  • Use TS Gateway management to monitor the status, health and events of remote connections
  • Use a TS Gateway instead of a VPN
  • Do not use a self-signed SSL certificate in production
  • Use in conjunction with an application-layer firewall
  • Don't depend on device blocking for security
47. Terminal Services RemoteApp
48. Overview
  • What are the benefits of using TS RemoteApp?
  • What is TS RemoteApp?
  • Does any code require modification?
  • (diagram: Mobile Worker in Airport, Branch Office and Home Office using TS RemoteApp)
49. Technical Background
  • Configuring a TS RemoteApp server
  • What works differently?
  • How can users access RemoteApp programs?
50. Demonstration: Implementing TS RemoteApp
  • Managing the Allow List
  • Distributing an MSI package to users
  • Connecting to a remote program from a client
51. Implementation/Usage Scenarios
  • Branch offices
  • Roaming users
  • Line-of-business application deployment
52. Recommendations
  • Consider putting individual applications on separate servers when:
    • The application has compatibility issues
    • A single application and its associated users may fill server capacity
  • Create a load-balanced farm for single applications that exceed the capacity of one server
  • Put common applications, such as MS Office, on the same TS RemoteApp server
  • Consider placing the TS RemoteApp server behind an ISA Server
  • Use an SSL certificate signed by a trusted root
53. Terminal Services Web Access
54. Overview
  • What are the benefits of TS Web Access?
  • What is Terminal Services Web Access?
  • TS Web Access server requirements
  • TS Web Access client requirements
  • (diagram: Mobile Worker in Airport, Branch Office and Home Office using TS Web Access)
55. Technical Background
  • Using Active Directory as the data source
  • Populating the TS RemoteApp Web Part
  • Using a single Terminal Server as the data source
56. Demonstration: Configuring TS Web Access
  • Configuring a TS data source
  • Configuring the TS Web Access server
  • Launching applications
57. Implementation/Usage Scenarios
  • New version deployment
  • Centralized application access
58. Recommendations
  • Use Active Directory mode for multi-server deployments when customers are used to Active Directory MSI deployment
  • When the customer has no Active Directory MSI experience, use custom ASP scripting solutions or third-party solutions
  • Use the TS Web Access defaults for single-server deployments