Course Objectives
A new version of Windows Server (2008 R2), delivered a scant year and a half
after the previous one (2008)? Heck, we haven't seen that sort of
rapid-fire rollout of new Server releases since the NT 3.5 days.
Oh, wait, it's just an "R2" -- that explains it; it's probably
just a repackaging of some already-downloadable stuff, right?
Surprisingly, no: R2 is almost as much of a change from 2008 as 2008 was
from 2003, and arguably more so in the area of Active Directory.
While the timing of this completely new Server will be troublesome for
some ("arrgh, we just started
rolling out 2008 and this appears!"), its non-trivial list of changes means that it's time to wade
through a sea of white papers to figure out whether it's worth an
upgrade... or, alternatively, perhaps it's time to spend two days with veteran Windows
Server expert, consultant and best-selling author Mark Minasi. Mark's
insights, experience and unbiased advice have helped millions get
the most out of Windows Server from NT 3.1 onward, and now he's back to
pick apart Windows Server 2008 R2 for you — the good, the bad, and the
incompatible.
To save time and maximize the depth of our coverage, this is a "delta" course that only covers what's new in Windows
Server 2008 R2. That means that you won't have to sit through long
explanations of Windows elements that you've known about since Windows
2000... but for those who've not had time to look at R2's predecessor,
we'll still have enough time to fill in any 2008 tidbits that attendees
haven't yet gotten to. (Of course, if the idea of a delta course
isn't optimal for you or your organization, then please take a look
here for a couple of alternatives.)
Join Mark for a fast-paced, entertaining
look at this "how'd they get that done so quickly?" version of
Server!
Key Seminar Benefits
- Delve into how Server 2008 R2's new VPN replacement, DirectAccess,
works and what you'll need in order to set it up
- Understand how AD's undelete feature (AD recycle bin) works, its
limitations and its operation
- Check out what BranchCache can do to relieve pressure on your WAN
links, and know exactly how to get it up and running
- See the new DHCP add-ons that could be useful for almost any
enterprise
- Know what parts of R2 completely replace tools introduced in Server 2008
- Discover why you now need to know PowerShell to get certain
jobs done and how it can help you in other tasks
- Master Win 7's new virtual storage support, including its native
support for the "virtual hard drive" (VHD) format
and its ability to boot a physical system from a virtual hard
drive (a tool letting you roll out an image by simply XCOPYing it)
- Grasp the changes to server virtualization that improve Hyper-V's
value in R2
- Discover how Server 2008 R2 and Windows 7 let you protect your DNS
infrastructure with DNSSEC
- Meet the array of new server management tools both for "full server"
and Server Core
- See how Managed Service Accounts can remove the headaches associated
with running services and IIS application pools under separate accounts
- Learn how Win 7/R2's new "offline domain join" feature simplifies
joining systems en masse to a domain, and its three different
approaches
- Meet AD's new admin tools: a new GUI and 70+ PowerShell
cmdlets
Course Outline
- Server Overview
Server 2008 R2 comes in several flavors and
requires a few choices, as well as offering a few of what Microsoft likes to
call "better together" features, things in Server 2008 R2 that are
essentially useless without Windows 7 clients, and vice versa. In this section, we briefly outline the
versions of Server and highlight any upgrade considerations.
- Hardware issues: 64 bit is it
- Server versions: can you avoid Enterprise in 2008 R2?
- Upgrade paths
- Virtual licensing considerations
- New Storage: Virtual, Virtual, Virtual...
Windows 7 desktop
and server use your disk in ways we've not seen before, with new
in-the-box support of the VHD (Virtual Hard Disk) format for storing
data and the ability to "boot VHDs natively," a concept that
we'll explain in depth in this section. As you'll see,
Microsoft may have to change the name of VHDs to remove "virtual," as
Win 7/R2 use VHDs in ways that have nothing to do with virtual machines.
- New disk layout: the "unlettered drive"
- BCDEDIT background: remember, boot.ini's gone!
- Implications for new disk layout and Windows 7 and Server 2008 R2
deployment
- Mirror booting supported in Windows 7 client
- Booting from VHD explained and examined
- Native VHD support in detail: creating VHDs, populating them,
attaching/detaching
- Getting images onto VHDs in the first place
- Advanced boot-from-VHD: run Windows from a handful of files,
step by step!
- BCDEDIT revisited: doing the boot surgery for boot-from-VHD
- Can't [locate] the drive? BCDEDIT troubleshooting
- Optical disk support via "isoburn"
- Changes to Windows Backup
- What's new in Hyper-V server in R2 (beyond the simple virtual
storage stuff)
- BranchCache: WAN Caching for SMB and HTTP
Windows 6 (that is, Vista
and Server 2008) saw Microsoft
introduce a number of technologies aimed at making IT run more smoothly in
branch offices. Windows 7 and Server R2 add to those with BranchCache,
a tool that enables Windows 7 Enterprise/Ultimate desktops to cooperatively
cache incoming SMB and HTTP traffic. The basic idea is that if a bunch
of people in your branch office all want to access the same file from the
central office, then only the first two actually need to retrieve (and
cache) the file over the WAN link — the others get it from the local
systems that have already cached the data. Sounds simple, but actually
making it work and controlling it can be a bit tricky, which is why this
section goes into such detail.
- BranchCache overview
- Protocols cached: SMB and HTTP
- Intended to save WAN bandwidth to branch offices
- Driven by latency
- SMB caching differs from HTTP caching
- Caching can happen either on Win 7 desktops or Server 2008 R2
servers
- Setting up a distributed HTTP BranchCache
- Configuring BranchCache systems via command-line
- Configuring BranchCache systems via group policies
- Setting up a hosted HTTP BranchCache
- Configuring clients and the host server
- Setting up SMB caching
- Monitoring BranchCache
- BranchCache tuning parameters
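To make the distributed-versus-hosted distinction in the outline above concrete, here is an added example (not course material) that stands up BranchCache for HTTP content with the tools built into Server 2008 R2 and Windows 7. The server name brcache01.contoso.com, the 5% cache size and the feature names are assumptions for illustration; the netsh and Add-WindowsFeature commands are the standard ones.

```powershell
# Added example (not from the course): BranchCache setup in both client modes.
# brcache01.contoso.com and the 5% cache size are constructed placeholders.

# ===== Content server (Server 2008 R2 in the central office) =====
Import-Module ServerManager
# The BranchCache feature lets IIS serve HTTP content with BranchCache hashes
Add-WindowsFeature BranchCache
# For SMB shares the "BranchCache for network files" role service is needed
# instead; it is then switched on per share (Offline Settings) or by the
# hash-publication group policy
Add-WindowsFeature FS-BranchCache

# ===== Branch-office clients, distributed mode (peer caching, no local server) =====
netsh branchcache set service mode=distributed
# Cap the local cache at 5% of the disk instead of the default
netsh branchcache set cachesize size=5 percent=TRUE

# ===== Branch-office clients, hosted mode (a local 2008 R2 server holds the cache) =====
# On the hosted cache server itself:
#   netsh branchcache set service mode=hostedserver
#   (an SSL certificate bound to TCP 443 is also required on that server)
# On each Windows 7 client, point at that server:
netsh branchcache set service mode=hostedclient location=brcache01.contoso.com

# ===== Monitoring and troubleshooting =====
netsh branchcache show status all    # mode, cache location, firewall rule state
netsh branchcache show localcache    # what is currently cached and how much
netsh branchcache flush              # discard the local cache when testing
# The BranchCache performance counters expose hit/miss data for scripted checks
Get-Counter '\BranchCache\*' -SampleInterval 1 -MaxSamples 1
```

In practice the client-mode setting is pushed by group policy (Computer Configuration, Administrative Templates, Network, BranchCache) rather than typed per machine; the netsh commands are still the quickest way to confirm what a given client actually ended up with.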
- Windows 7 Networking Changes
In addition to the "big"
networking-related things (BranchCache, DirectAccess and the like), Windows
7 includes a number of general networking changes.
- Wireless UI changes
- The "network troubleshooter"
- HomeGroups
- Rearranged Network and Sharing Center
- Solving the "I can't connect to XP" issue
- Changes to Network Access Protection (NAP)
- How often don't you use Kerberos? NTLM blocking
policies
- Auditing Gets a Lot More Specific
The "NT" family of Windows has supported "auditing," a security feature
that lets Windows record security-related activity on a particular computer
in that computer's Security log. Enabling auditing and tracking the
resulting logs, however, is often something we don't do, because it's
somewhat difficult to make useful. Windows 6 simplified things a bit when
it introduced event log centralization and easily-scheduled event log
archiving, and Windows 7 makes things a bit more useful with four changes
to how and what you can audit.
In this section, you'll see how to make use of these new auditing
capabilities.
- Auditable items increase from 9 to 54
- Fine-tune what you audit with auditpol
- Track a person's actions more easily with global SACLs
- "Reason for failure" reports answer the question, "exactly
why couldn't I access that object?"
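The four auditing changes listed above all surface through auditpol.exe and the Security log. The following is an added example (not course material) showing the granular subcategories, a global SACL, and how to pull the resulting events back out with PowerShell 2.0; the account CONTOSO\jsmith and the path C:\audit\policy.csv are constructed placeholders.

```powershell
# Added example (not from the course): Windows 7 / Server 2008 R2 auditing with
# auditpol.exe. CONTOSO\jsmith and C:\audit are constructed placeholders.
# Run from an elevated prompt.

# 1. The old 9 categories are now split into 50-odd subcategories; list them all
#    with their current Success/Failure settings.
auditpol /get /category:*

# 2. Fine-tune: audit file-system access (success and failure) and failed logons,
#    without switching on the whole "Object Access" or "Logon/Logoff" categories.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /failure:enable

# 3. Global object access auditing (a "global SACL"): log every failed file access
#    by one account on this machine, with no per-file SACL edits. Only has an
#    effect while the File System subcategory above is enabled.
auditpol /resourceSACL /set /type:File /user:CONTOSO\jsmith /failure
auditpol /resourceSACL /view /type:File           # confirm it
# auditpol /resourceSACL /remove /type:File /user:CONTOSO\jsmith   # undo later

# 4. Save the whole policy so the same settings can be restored on other servers
auditpol /backup /file:C:\audit\policy.csv
# auditpol /restore /file:C:\audit\policy.csv

# 5. Read the results back. 4656 = handle requested (carries the "reason for
#    access" text on Win7/R2), 4663 = object accessed, 4625 = failed logon.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663, 4625 } -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

The same subcategory settings can be delivered domain-wide through the Advanced Audit Policy Configuration node in group policy; auditpol is the quickest way to see what a given machine actually has in effect, which is often not what the GPO author expected.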
- PowerShell 2.0 for Windows Admins: A Quick Introduction
As you may know,
PowerShell is Microsoft's new command-line shell for controlling and
scripting Windows administrative tools. In this latest Windows,
Microsoft actually mandated PowerShell support throughout the operating
system, which means that it's time to learn at least a bit of PowerShell.
The fact that there are a number of things in Windows 7 and Server 2008 R2
that you simply cannot do any other way than with a PowerShell
command is another good reason to know a bit of PowerShell, and so this
section gets you ready for the "compulsory PowerShell work" with a simple introduction to Windows' new
command line.
- Why PowerShell?
- PowerShell components: cmdlets, scripts, aliases, "the pipeline" and modules
- Enabling PowerShell on Windows 7
- Working with PowerShell
- Using PowerShell cmdlets
- Getting Help
- How PowerShell objects work: properties and methods
- Using the pipeline
- Introduction to PowerShell variables
- Viewing properties and altering properties: file object and AD
user object examples
- PowerShell providers
- A very brief look at PowerShell scripting: modules and signing
policies
- What PowerShell 2.0 brings to administration
- More New Server Management Tools
Windows Server 2008 brought us
three new overall server management tools. The first was called
(not surprisingly) Server Manager; it was joined by a command-line
counterpart named servermanagercmd.exe and a ready-for-Server-Core
version called "ocsetup.exe." Now, if you're not
confused yet, then get
ready for Server 2008 R2, where servermanagercmd.exe and ocsetup.exe are
deprecated and deleted, replaced by two new tools... the
Deployment Image Service Manager (DISM) and a handful of new PowerShell
tools. But that's not all: Server Manager (which is still
around, surprisingly) can now control remote servers, including Server
Core systems.
- Server Manager changes
- New roles and features
- Remote control... but not the way you expect
- Setting up remote Server Manager: Windows Remote Management
setup
- Enabling remote Server Manager
- Servermanagercmd's replacement: DISM
- DISM's role in server management
- DISM online versus offline
- Using DISM on Server Core
- Using DISM on full Server
- Using the new Server Manager cmdlets
- Installing the server management module
- Using the server management cmdlets
- Server 2008 R2 Server Core Configuration and Operation
Server Core was one of Server 2008's innovations, a version of Server
that essentially lacks a GUI (and therefore a Web browser), and so
requires fewer updates, offers fewer places for bugs to crawl in, and
uses fewer megabytes of disk and RAM. As attractive as a GUI-less
place is security-wise, administering it wasn't quite so attractive, as
most admins aren't all that familiar with the command-line tools that
Server Core required to get admin jobs done. R2 changes that
situation in a few ways, as you'll discover in this section.
- Server Core's new "GUI-ish" admin tool
- Ocsetup's out, DISM's in: basic Server Core configuration,
PowerShell Setup
- Connecting Server Manager to Server Core
- PowerShell setup
- Enabling remote control
- What a remote Server Manager can and can't do for Server Core
- Managing Server Core with PowerShell
- Getting PowerShell on Server Core
- Using the server management cmdlets
- Remote PowerShell administration
- DHCP Upgrades
Believe it or not, Server 2008 R2 includes a number of fairly useful changes
to the way that the DHCP server runs. (It's almost like the new DHCP
team actually uses the product... who knew?) This section
outlines what you'll get when you move your DHCP servers to R2.
- Split-scope support and configuration wizard
- MAC address filtering
- DHCP Server Events Tool
- Client-side upgrades: SSID caching
- 21st Century DNS: DNSSEC Comes to Server
Once considered to
be the safe, secure bedrock of the Internet, DNS has come under attack
in recent years, and that's highlighted the need for some way of
verifying that the DNS data you're getting is really the data its
owner published. That way seems to be DNSSEC, a set of
technologies first outlined in RFCs in 2000 but that many folks still
aren't using. That may change, however, as the US government, the
.org and other big top-level domains have already secured their root
domains, and
private roots like .com and .net will soon follow. In order to play
in this secure new world, Microsoft's DNS needs to support DNSSEC, and
2008 R2's DNS server finally does.
- Why DNSSEC?
- DNS insecurity
- Common attack approaches
- Cost of inactivity
- DNSSEC's approach to the problem
- Secured PKI-based transfer
- Four new resource records
- DNSKEY
- RRSIG
- NSEC (and its controversial cousin NSEC3)
- DS
- DNSSEC's "web of trust"
- How you can trust a DNSSEC public key
- The root problem: the root's got a problem (for now)
- Workarounds: trust anchors and the interim Trust Anchor Repository (iTAR)
- Who's signed and who isn't
- Making DNSSEC work with Windows Server 2008 R2: what pieces you'll
need
- Signing your zone with DNSCMD /offlinesign
- Trusting others: managing trust anchors
- Getting trust anchors
- Installing them via CLI and GUI... and why you may not be able to
use all trust anchors
- Letting others trust you
- Client support of DNSSEC: the "name resolution policy table" (NRPT)
- No More VPNs: DirectAccess and R2
In the ranks of "necessary
but irritating evils," VPNs definitely place in the top three.
(Having to change your password every few weeks and needing to reboot
just because Windows Defender has a new pattern file are the other two.)
Over the years, Microsoft has slowly lessened the need for VPNs in the
first place, first in the Outlook/Exchange connection in Server 2003 and
more recently in Remote Desktop Services (the new name for Terminal
Services) in the Terminal Services Gateway. With Server 2008 R2,
you get the option to essentially forgo VPNs altogether, replacing them
with an IPsec-based secure connection to your enterprise servers called
DirectAccess. As you'll see in this section, DirectAccess is a
potentially very neat technology, but you need a panoply of other
technologies in place before you can use it -- don't miss this chance to
get "the short version" of whether DirectAccess is right for you and if
so, what you'll need to get it working!
- Current VPN structure and limitations
- DirectAccess structure and benefits
- The price of DirectAccess: required technologies
- DirectAccess installation outline
- Introducing R2's Active Directory
In the remaining sections of the
class, you'll examine R2's AD changes in great depth. This
section starts us out with a quick look at some overall changes.
- What still isn't fixed in AD in 2008 R2
- New domain/forest
functional level
- Functional levels can be rolled back
- Adding R2 DCs to an existing Active Directory
- Active Directory Gets PowerShell
In R2, Active Directory finally gets PowerShell
support with over 70 new cmdlets. In this section, you'll get an
easy-to-understand look at how to use AD's PowerShell support, and what
goes on under the hood when running that support.
- Installing the AD cmdlets
- AD cmdlet overview
- Remote PowerShell
administration
- AD's new web service
- Does "web service" mean I'm
running IIS on every domain controller? Eeek! (Don't worry, it doesn't
mean that... but there is a new TCP port to know.)
- Examining the
"atomic" cmdlets
- Tying them together: useful pipeline examples
- Finding AD PowerShell scripts
- AD Best Practices Analyzer (BPA)
For years, we've used DCDIAG to get some notion of the health of our
AD. With Server 2008 R2, Microsoft's extended their "health
model," something that they inaugurated with Server 2008, to AD with a
new AD Best Practices Analyzer.
- Where to find the BPA
- BPA strengths and weaknesses
- Running the Analyzer
- Interpreting the results and reconfiguring the BPA
- "Oops" Protection in Active Directory: the AD Recycle Bin
Well, AD's been with us for about ten years now, and if we've learned
nothing else, most of us have painfully discovered that un-deleting
accidentally deleted AD objects is a pain. Server 2008 introduced
a sort of "70 percent solution" to the problem in the form of AD
snapshots, a pretty neat idea that might have made AD undeletes easy...
but that ultimately went nowhere. Instead, Server 2008 R2 took the
undelete bull
by the horns and offers a complete solution in the form of the somewhat
misnamed "AD recycle bin." While it can undelete objects
quite nicely, there are a few catches -- but in this section you'll
learn how to make the AD recycle bin work for you.
- AD recycle bin overview
- What you'll need to make it work
- Undelete syntax and examples
- How long before it starts to smell? A look at how quickly you've got to
perform a desired recycle
- Recycle hitches and solutions
- Active Directory's New GUI: the AD Administrative Center
When AD arrived with Windows 2000, it introduced Active Directory
Users and Computers (ADUC). ADUC's nice, but it's a bit quirky in
some ways, so Server 2008 R2 ships with a brand-new GUI admin tool for
Active Directory, the "AD Administrative Center" (ADAC). This
section shows ADAC's abilities and gives it an under-the-hood look.
- Running ADAC
- ADAC capabilities
- ADAC requirements
- ADAC: PowerShell scripts with a GUI front-end
- Managed Service Accounts
Much of the publicity about R2's AD features
heralds the AD recycle bin as being R2's most attractive new AD-related
feature, but many folks we've spoken to are more excited about a new-to-R2
item called "Managed Service Accounts" or MSAs. If you've ever set up
a service or an IIS application pool to run under an account other than the
local System account, then you might also find MSAs pretty interesting, as
they're a new sort of account designed specifically for use in one of those
service/IIS app pool situations.
- MSA overview
- New type of AD account
- Used to run services on member servers
- Automatic password updates
- MSA requirements
- Creating and using an MSA
- Creating the account
- Preparing the member server
- Attaching the account to the service/pool
- Managing MSAs
- Automatic SPN management
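The create/prepare/attach sequence in the outline above maps onto a handful of AD cmdlets. Here is an added example (not course material) that walks through it end to end; svc_web, WEB01, CONTOSO/contoso.com, MyAppService and ContosoAppPool are constructed placeholder names.

```powershell
# Added example (not from the course): creating and using a Managed Service Account
# with the Server 2008 R2 AD cmdlets. All names below are constructed placeholders.

# ===== Part 1: on a machine with the AD PowerShell module (2008 R2 DC or RSAT) =====
Import-Module ActiveDirectory

# Create the MSA. It is a new object class (msDS-ManagedServiceAccount) whose long,
# random password is generated by AD and rotated automatically, like a computer
# account's password, so nobody ever sees or types it.
New-ADServiceAccount -Name svc_web -Enabled $true

# A 2008 R2 MSA is tied to exactly one member server; authorize WEB01 to use it.
Add-ADComputerServiceAccount -Identity WEB01 -ServiceAccount svc_web

# Register the SPN the service needs for Kerberos on the MSA rather than on the host.
Set-ADServiceAccount -Identity svc_web -ServicePrincipalNames @{ Add = 'HTTP/web.contoso.com' }

# Verify which host may use it and what SPNs it carries
Get-ADServiceAccount -Identity svc_web -Properties HostComputers, ServicePrincipalNames

# ===== Part 2: on the member server WEB01 (Server 2008 R2 with the AD module) =====
Import-Module ActiveDirectory

# Install the MSA locally: this caches the account so the Service Control Manager
# can log it on. Run as a local administrator on WEB01.
Install-ADServiceAccount -Identity svc_web

# Attach it to a Windows service: the logon name is DOMAIN\name$ and the password
# is left blank (the host already holds it).
sc.exe config MyAppService obj= 'CONTOSO\svc_web$' password= ''

# ...or to an IIS 7.5 application pool (identityType 3 = SpecificUser)
Import-Module WebAdministration
Set-ItemProperty 'IIS:\AppPools\ContosoAppPool' -Name processModel `
    -Value @{ userName = 'CONTOSO\svc_web$'; password = ''; identityType = 3 }

# ===== Ongoing management =====
# Force a password change outside the automatic 30-day cycle (run on WEB01)
Reset-ADServiceAccountPassword -Identity svc_web
# Retire it: detach from the host, then delete the object
Uninstall-ADServiceAccount -Identity svc_web
Remove-ADComputerServiceAccount -Identity WEB01 -ServiceAccount svc_web
Remove-ADServiceAccount -Identity svc_web
```

The security payoff is in Part 2: no administrator ever learns the password, so it cannot end up in a ticket, a script or a spreadsheet, and the one-host binding means a copied service configuration does not work anywhere else.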
- Offline Domain Joins
Anyone rolling out dozens of clients from
the same image knows that one of the biggest pains in deploying those
clients comes when it's time to join them to an AD. Server 2008 R2's
Active Directory lets you do this more simply in a two-step operation called
an "offline domain join" (ODJ), as you'll learn in this section.
- How offline domain joins work
- What you can and can't join with an ODJ
- Three options
- Online
- Offline
- XML scripted offline domain joins
- Step-by-step instructions on doing each approach
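As an added example (not course material), here are the two halves of an offline domain join with djoin.exe, plus the XML-scripted variant built from the same provisioning blob. contoso.com, WS01/WS02, the OU and the C:\odj paths are constructed placeholders; the unattend element names are those of the Microsoft-Windows-UnattendedJoin component.

```powershell
# Added example (not from the course): offline domain join (ODJ) with djoin.exe.
# Domain, machine, OU and file names are constructed placeholders.

# ===== Step 1: provisioning, on any domain-joined machine with rights to create
#       computer accounts, reachable to a 2008 R2 DC. Creates the computer object
#       in AD and writes a base64 blob holding the machine secret to a file.
djoin.exe /provision /domain contoso.com /machine WS01 /savefile C:\odj\ws01.txt

# Put the account in a specific OU, reusing an existing account of that name
djoin.exe /provision /domain contoso.com /machine WS02 `
    /machineou "OU=Workstations,DC=contoso,DC=com" /reuse /savefile C:\odj\ws02.txt

# ===== Step 2a: the "offline" option, run on the new Windows 7 / 2008 R2 client
#       with no DC connectivity at all. The blob IS the machine's credential:
#       handle the file like a password and delete it once the join is done.
djoin.exe /requestODJ /loadfile C:\odj\ws01.txt /windowspath $env:SystemRoot /localos
Remove-Item C:\odj\ws01.txt
Restart-Computer

# ===== Step 2b: apply the blob to an offline image instead (a mounted WIM/VHD)
djoin.exe /requestODJ /loadfile C:\odj\ws02.txt /windowspath D:\mount\Windows

# ===== Step 2c: XML-scripted variant, the blob embedded in unattend.xml so that
#       setup performs the join during the specialize pass.
$blob = ((Get-Content C:\odj\ws02.txt) -join '') -replace '\s', ''
$unattendFragment = @"
<component name="Microsoft-Windows-UnattendedJoin" processorArchitecture="amd64"
           publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
  <Identification>
    <Provisioning>
      <AccountData>$blob</AccountData>
    </Provisioning>
  </Identification>
</component>
"@
# Paste $unattendFragment into the <settings pass="specialize"> section of the
# answer file; the answer file now contains a credential and must be protected
# and discarded the same way as the .txt blob.
Set-Content -Path C:\odj\unattend-join-fragment.xml -Value $unattendFragment
```

Whichever variant is used, the provisioning blob is what lets the client prove it is the computer account; it grants nothing beyond that account, but it should be transported and stored with the same care as any other machine credential.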
A Note on This Course and its Companion Windows 7 Desktop Course
Because Microsoft is releasing a new version of both their
desktop operating system and their server OS at the same time,
we offer not only this course but also one focused on the new desktop
OS, the "Windows 7" product released at the same time as Server
2008 R2. Because some of the changes to the
overall operating system affected both the server version of the
OS and the desktop version of the OS, those common changes
appear both in the desktop seminar and the server seminar;
they're Day Two of the desktop seminar and Day One of the server
seminar. Thus, any clients wanting to learn the contents of
both two-day seminars need only attend three, rather than four,
days (at a reduced cost, of course).
Course Materials and Course Format
The class works from PowerPoint presentations. Every attendee
gets a printed copy of the PowerPoints. To make it possible to run
this course in just two days, it runs in a mainly lecture/demo format.
You'll see Server 2008 R2 run through its paces in a series of interesting
and explanatory demonstrations.
Arranging a Course At Your Location
We offer this class as a public seminar occasionally; you can view the current schedule at www.minasi.com/pubsems.htm.
But you needn't wait — Mark can come to your organization to teach it
on-site. On-site classes offer you the flexibility to lengthen or shorten
the class, add hands-on labs, modify the course's focus and zero in on
your group's specific needs. For more info, please contact our
office at (757) 426-1431 between noon and five PM Eastern time or email
assistant@minasi.com to
discuss scheduling and fees.
Need to Arrange a More Comprehensive Course?
As noted in the course objectives, this course assumes a knowledge of
Server 2008 and focuses only on what's new in Server 2008 R2. If,
however, you'd like us to teach a course for your organization but you
need coverage of both Server 2008 and Server 2008 R2, then we can
easily do that, as we've been teaching Server 2008 courses for years.
Just contact us at the above number or email and we can help you choose
which Server 2008 topics you'd like to bring to a class at your
location. (You can find the outline for the Server 2008 class at
http://www.minasi.com/2008class/.)
If, on the other hand you'd like to attend one of our public Server
2008 R2 classes but would first like to develop some background
knowledge of Server 2008, then you may find our 15-CD audio sets of
Server 2008 lectures useful. The set normally sells for $225, but
we're offering it at a discounted price of $150 to anyone signed up for
one of our public Windows Server 2008 R2 classes. You can find
more information about this audio CD lecture set at
http://www.minasi.com/2008class/audio/.