
Course and Lab Environment Introduction

Module 1
COMP-10041 Microsoft Server Admin 1

Activity: Prepare the Environment


Boot the computer at your seat; this is your local host.
Log in as CSAIT (no password).
The following procedures will register the Virtual Machines.
1. From a command prompt, change to the Sun VirtualBox installation directory.
cd c:\program files\sun\VirtualBox
2. The following command will run the vboxmanage command line interface to register the Windows 2008 R2 Server virtual machine in the Sun VirtualBox inventory.
vboxmanage registervm d:\courses\comp-10051\Server2008R2.xml
3. The following command will run the vboxmanage command line interface to register the Windows 7 Professional virtual machine in the Sun VirtualBox inventory.
vboxmanage registervm d:\courses\comp-10051\Windows7Pro.xml
Start the VirtualBox and the two virtual machines should already be listed.

Registering Hard Drive files in the Virtual Media Manager


2. The following command will run the vboxmanage command line interface to register the Windows 2008 R2 Server virtual machine's hard disk file in the Sun VirtualBox Virtual Media Manager.
vboxmanage openmedium disk d:\courses\comp-10051\Server2008R2.vdi (--type immutable)

3. The following command will run the vboxmanage command line interface to register the Windows 7 Professional virtual machine's hard disk file in the Sun VirtualBox Virtual Media Manager.
vboxmanage openmedium disk d:\courses\comp-10051\Windows7Pro.vdi (--type immutable)

The parameters in brackets are optional and will register the hard disk file as immutable.
All changes to an immutable disk will be lost when the virtual machine is shut down.
Start the VirtualBox and the two virtual machines should already be listed.

Activity: Prepare the Environment


Select the Server2008R2 virtual machine from the inventory and click on the Storage link.
Click on the hard disk icon next to the IDE Controller.
Click on the hard disk file then the Hard Disk folder to select the Server2008R2.vdi file and click Select.
Click OK to close the media manager.
Repeat these steps for the Windows7Pro virtual machine.

Activity: Prepare the Environment


First start the Server2008R2 virtual machine then the Windows7Pro virtual machine.
Once the virtual machines have booted, you can log on with the administrator account.
Username: Administrator
Password: Adminp&ss

Delivery
COMP-10041 will consist of two 2-hour classes per week, both held in a lab room
Typically, each class will include:
Review of concepts taught in the previous class
Brief overview of new content to be covered in this class
Professor-led class with a mix of lecture material and hands-on activities

Evaluations and Weighting


Hands-on Midterm Exam 25%
Written Midterm Exam 25%
Hands-on Final Exam 25%
Written Final Exam 25%
There are no assignments for this course

Course Text Book and Class Notes


Course text:
Microsoft Windows Server 2008 Administrator's Pocket Consultant by William R. Stanek
ISBN-13: 978-0-7356-2437-5

This book must be brought to every class


Lists detailed steps for performing hands-on tasks (slides don't always provide full details)

Bring the relevant Supplemental Content document to every class


Contains lab configuration information, reading assignments, hands-on tasks students must know, theory questions students must know

Microsoft Developer Network Academic Alliance


Full versions of Windows Server 2008 R2 and Windows 7 Professional are available free of charge to students taking this course
Made possible through the MSDNAA agreement that Mohawk College has with Microsoft

Go to the following link for the details on how to obtain this software:
http://www.mohawkcollege.ca/Schools/fet/ECET/Current_CSAIT_Students/MSDNAA.html

Activity: COMP-10041 Home Page


Your professor will bring up the COMP-10041 home page on eLearn and discuss key content
There are two important documents:
Module 1 Supplemental Content
It is not necessary to print this document for this lab
You are responsible for printing the remaining Supplemental Content modules and bringing them to the appropriate classes

Workstation and Server Configuration Information


You are responsible for having this document available to you for every class

What To Bring To EVERY Class


Course Text
Hard Copy of the current module's Supplemental Content
Alternatively, you can bring this in on a USB drive if you find that this works better for you

E109 / E129 / i228 Lab Environment


All virtual servers have the same IP address
Each virtual workstation will be unaware of the other virtual workstations in the room
Each seat runs its own virtual network
Accomplished using Host Only Network option

Internet access will be available from the local host machine only
The servers will not provide DHCP information

Windows Server 2008 R2 Platforms

Windows 2008 R2 Server Platforms


The Windows 2008 R2 Server family consists of 7 versions, all of which are only available in 64-bit versions:
1. Windows Server 2008 R2, Standard Edition
2. Windows Server 2008 R2, Enterprise Edition
This is what we use in this course
3. Windows Server 2008 R2, Datacenter Edition
4. Windows Server 2008 R2, Web Edition
5. Windows Server 2008 R2 for Itanium-Based Edition
6. Windows Server 2008 R2 Foundation Edition
7. Windows Server 2008 R2 HPC Edition

Standard Edition Features


Direct replacement of Windows 2003 Server designed to provide services and resources to other systems on a network
Supports up to 32 GB of RAM
Supports up to 4 CPUs
Supports Hyper-V and Hyper-V-based virtualization

Source: http://www.microsoft.com/windowsserver2008/en/us/r2-editions-overview.aspx

Enterprise Edition Features


Extends Standard Edition by supplying support for:
Supports up to 2 TB of RAM
Supports up to 8 CPUs
Server Clustering
Active Directory Federated Services
Hot swappable RAM

Source: http://www.microsoft.com/windowsserver2008/en/us/r2-editions-overview.aspx

Data Center Features


This is the most robust edition
Adds enhanced clustering features and supports:
Supports up to 2 TB of RAM
Requires a Minimum of 8 CPUs
Supports up to 64 CPUs

Source: http://www.microsoft.com/windowsserver2008/en/us/r2-editions-overview.aspx

Web Edition Features


Designed to provide Web Services for Web-based applications and provides a limited set of the Server 2008 R2 features
Supports up to 32 GB of RAM
Supports up to 4 CPUs
Microsoft .NET Framework
Microsoft Internet Services (IIS)
ASP.NET
Network Load Balancing
Does not include Active Directory

Source: http://www.microsoft.com/windowsserver2008/en/us/r2-editions-overview.aspx

Itanium-Based Edition Features


Offers a foundation optimized for the most compute-intensive and critical business analytics and enterprise applications
Supports up to 2 TB of RAM
Supports up to 64 CPUs (IA-64 Itanium Sockets)
Hot swappable RAM

Source: http://www.microsoft.com/windowsserver2008/en/us/r2-editions-overview.aspx

Foundation Edition Features


A cost-effective, entry-level technology foundation targeted at small business owners and IT generalists supporting small businesses
Supports up to 8 GB of RAM
Designed for one CPU servers
Licensed for only 15 users
Only able to join to root domains (can't create child domains)

Source: http://www.microsoft.com/windowsserver2008/en/us/r2-editions-overview.aspx

High Performance Computing Edition Features


The next generation of high-performance computing (HPC) provides enterprise-class tools for a highly productive HPC environment
Supports up to 128 GB of RAM
Supports up to 4 CPUs (Intel Xeon)

Source: http://www.microsoft.com/windowsserver2008/en/us/r2-editions-overview.aspx

Common Features
All of the Server 2008 R2 editions support the same core features and administration tools
Important Exception:
Active Directory cannot be installed on a system running the Web Edition, making it impossible for it to act as a domain controller
Web Edition servers can participate as member servers in an Active Directory domain

The Evolution of Windows Clients and Servers


Family | Workstation | Server
Windows NT 3.1 | Windows NT (Used Windows 3.1 U.I.) | Windows NT Advanced Server
Windows NT 3.5 | Windows NT 3.5 Workstation | Windows NT 3.5 Server
Windows NT 3.51 | Windows NT 3.51 Workstation | Windows NT 3.51 Server
Windows NT 4.0 | Windows NT 4.0 Workstation (Used the Win95 U.I.) | Windows NT 4.0 Server

The Evolution of Windows Clients and Servers


Family | Workstation | Server
Windows 2000 | Windows 2000 Professional | Windows 2000 Server
Windows 2003 | Windows XP Professional | Windows .NET Server / Windows Server 2003 Standard
Windows 2008 | Windows Vista (Used the Vista U.I.) | Windows Server 2008
Windows 2008 R2 | Windows 7 | Windows Server 2008 R2

Windows 7 Versions and Windows Server 2008 R2


Only workstations running the Professional, Enterprise or Ultimate versions of Windows 7 clients can join a Windows domain
Windows 7 Starter, Home Basic and Home Professional clients cannot join a Windows Server 2008 R2 domain
These three editions can only participate in a workgroup, not a domain

Major Windows Domain Concepts

Active Directory
Active Directory is a directory (database) service that uses a naming convention based on the Domain Name System (DNS)
Active Directory plays a very large part in Windows Server administration
A solid understanding of Active Directory structures and procedures is essential to your success as a Windows Server 2008 R2 system administrator

Workgroups versus Domains


Servers are generally assigned to be part of a workgroup or a domain

Workgroups are groups of computers that share resources where each individual computer is managed separately
Domains are collections of computers that you can manage collectively as a single unit through domain controllers
Domain controllers are Windows Server systems that manage access to:
The network
The directory database (i.e. Active Directory)
Shared network resources

Domain Controllers and Member Servers


In a domain environment, when a Windows Server is installed, it can be configured to be a member server or a domain controller
Member servers are a part of a domain but don't store Active Directory information
Member servers maintain a Security Accounts Manager (SAM) database for local accounts (users and groups)

Domain Controllers
Domain controllers store Active Directory information and provide authentication and directory services for the domain
Windows 2000, 2003, 2008 and 2008 R2 domains use a multi-master domain replication model
Any domain controller can process directory changes and then replicate those changes to other domain controllers automatically

The Active Directory database is also referred to as the Data Store

Data Store
The data store contains information about domain objects such as:
Account information for:
Users
Groups
Computers

Shared resources information for objects such as:
Servers
Folders and files
Printers

Active Directory Changes


With Server 2008, Active Directory has had its functionality realigned into a family of related services:
Active Directory Certificate Services (AD CS)
Active Directory Domain Services (AD DS)
Active Directory Federation Services (AD FS)
Active Directory Lightweight Directory Services (AD LDS)
Active Directory Rights Management Services (AD RMS)

Active Directory Certificate Services


AD CS provides customizable services for creating and managing public key certificates used in software security systems employing public key technologies
Organizations can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding private key
AD CS also includes features that allow the management of certificate enrollment and revocation in a variety of environments

Active Directory Domain Services


AD DS is the foundation for distributed networks built on Windows Server 2008 R2 operating systems that use domain controllers
AD DS provides secure, structured, hierarchical data storage for objects in a network such as users, computers, printers, and services
AD DS provides support for locating and working with these objects

Active Directory Federation Services


AD FS helps administrators enable organizations to share a user's identity information securely by addressing some of the commonly faced challenges
Federated systems operate across organizational boundaries and connect processes that are using different technologies, identity storage, security approaches, and programming models
Within a federated system, an organization needs a standardized and secure way of expressing not only the services it makes available to trusted partners and customers, but also the policies by which it runs its business, such as which other organizations and users it trusts, what types of credentials and requests it accepts, and its privacy policies

Active Directory Lightweight Directory Services


AD LDS is an independent mode of Active Directory that provides dedicated directory services for applications

Although AD LDS independently provides directory storage and access for applications, it uses the same standard application programming interfaces (APIs) as Active Directory to manage and access the application data
This makes AD LDS ideal for applications that require directory services, but do not require the complete infrastructure features of Active Directory

Active Directory Rights Management Services


AD RMS protects information via the use of encryption and a form of selective functionality denial for limiting access to documents such as e-mail, documents, and web pages
Protected documents can be encrypted so that the content cannot be decrypted except by specified people or groups, in certain environments, under certain conditions, and for certain periods of time
Specific operations like printing, copying, editing, forwarding, and deleting can be allowed or disallowed for individual pieces of content

Domain Objects
[Figure: Windows Server 2008 R2 Domain. Labels: Domain Controller (Active Directory Database), Member Server (SAM Database), Windows 7 Client, Network Printer]

Logging on to any Domain Controller potentially gives the user access to any resources in the domain

Stand-Alone Servers
In a workgroup environment a Windows Server 2008 R2 must be configured as a Stand-alone server
Stand-alone servers are NOT a part of a domain and have their own user database
Stand-alone servers authenticate logon requests using their local SAM database for access to local resources

Workgroup Objects
[Figure: Windows Workgroup. Labels: Stand-alone Server (SAM Database), Windows 7 Client (SAM Database)]

Each computer keeps its own list of users that it allows to access its resources in a separate SAM database

Local and Domain Logon Procedures

TCP/IP Configuration Information


This information is also located on the Workstation and Server Configuration Information document

Windows 2008 R2 Server:


Local Area Connection: Intel(R) PRO/1000 MT Desktop Adapter
IP Address: 192.168.100.10
Subnet Mask: 255.255.255.0

Windows 7 Client:
Local Area Connection: Intel(R) PRO/1000 MT Desktop Adapter
IP Address: 192.168.100.1
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.100.10
Preferred DNS Server: 192.168.100.10

These machines are already configured

Domain Configuration Information


This information is also located on the Workstation and Server Configuration Information document

Domain Configuration
Domain Name: acme.com
Domain Controller Name: acmeserver.acme.com
DNS Server: acmeserver.acme.com
Domain Administrator Account: Administrator
Domain Administrator Password: Adminp&ss

Hands-On Procedure Note


Since students are not likely to have the course text in the first class, the detailed hands-on procedures will be included in this module
Be advised that some in-class hands-on procedures are not described in detail in future modules, therefore it is necessary for you to purchase the text and bring it to every class after today

This text will be an excellent long-term reference for field work and future Windows courses, so you should find this text useful even after completing this course

Activity: Configuring TCP/IP on the Workstation


Although the workstation has already been configured, these are the steps to follow should you need to make a change

1. Click the Network icon from the System Tray and choose Open Network and Sharing Center

2. Click Change adapter settings and Local Area Connection and select Properties

3. Select Internet Protocol Version 4 (TCP/IPv4) and select Properties

4. Configure the settings to match those in the Workstation and Server Configuration Information document

5. If you wanted to save the new settings, you would click OK

Current Domain Configuration


Your workstation virtual machine is currently configured to belong to the acme.com domain
Your workstation has a domain account

Your server virtual machine is configured as the domain controller for the acme.com domain

Domain Computer Accounts


Like users, computers have domain accounts
A computer account gives the workstation the right to be used by a user to log onto the domain
The procedures on the next slide show one way that a computer domain account can be created
In our lab environment, server and workstation images are reset to their defaults when the host computer reboots, so any changes will be lost between classes

Activity: Remove your Workstation from the Domain


1. From the Start menu, right click Computer and select Properties
2. In the Computer name, domain, and workgroup settings section, select Change settings tab
3. Click the Change button
The Computer name field displays the computer's NetBIOS name
The Full computer name includes the FQDN (fully qualified domain name)
No two computers in the domain are allowed to have the same name

4. Select the Workgroup radio button and enter workgroup as the workgroup name then click OK
5. If requested, enter the User name: Administrator with the password Adminp&ss
Passwords are case-sensitive (i.e. use uppercase A when entering Adminp&ss)

Activity: Remove your Workstation from the Domain


6. Close all open windows
7. Reboot when prompted

When the workstation finishes booting, you will be prompted to log in.
You will no longer be able to log on with the domain administrator's credentials.
Log in as the local administrator; the password is P&ssw0rd

Activity: Joining your Workstation to the Domain


Now we will walk through the procedures to join the workstation to the domain

1. From the Start menu, right click Computer and select Properties
2. In the Computer name, domain, and workgroup settings section, select Change settings tab
3. Click the Change button
The Computer name field displays the computer's NetBIOS name
The Full computer name includes the FQDN (fully qualified domain name)
No two computers in the domain are allowed to have the same name

4. Select the Domain radio button and enter acme.com as the domain name then click OK

Activity: Joining your Workstation to the Domain


5. When requested, enter the User name: Administrator with the password Adminp&ss
Passwords are case-sensitive (i.e. use uppercase A when entering Adminp&ss)

6. When the "Welcome to the acme.com domain." message appears, click OK

7. Close all open windows

8. Reboot when prompted

When a computer joins a domain, a computer account is created in the domain's Active Directory
To prevent just anyone from doing this, a domain username and password must be given when performing this procedure

Domain Accounts
You will work with several user accounts in this course:
Administrator
Full control over all domain resources with the password Adminp&ss

tony.green
Tony is the I.T. Manager for the Acme Corporation
Tony has some administrative authority in the domain but he is not a full administrator
His password is Adminp&ss

Other Users (as needed)
The rest of the employees for the Acme Corporation are capable of logging on but they are just regular users with no special abilities
These accounts all have the password P&ssw0rd which must be changed the first time they log on (0 is zero, not capital O)

Activity: Logging on Locally with a non-Administrator account


1. Because the default user is currently the local Administrator, click the Switch User button and choose Other User
2. For the User name enter Windows7-PC\acmeclient and enter P&ssw0rd for the password and then click the arrow button
acmeclient is a user account stored locally in your computer's SAM (Security Accounts Manager) database
You are now logged on locally, which means you are only logged onto your workstation and not to the domain
You can only access resources on your workstation

Note: Do not confuse logging on locally with logging on to your local host
Your local host is the physical machine you're sitting at
Logging on locally means using the local account on the virtual workstation

Activity: Listing Local User Accounts


1. Select Start / Administrative Tools
2. Select Computer Management
3. Expand Local Users and Groups
4. Select the Users folder
acmeclient will be listed because it is a local user account
Password is P&ssw0rd

Administrator is also listed
Each computer will have its own Local Administrator account
This is NOT the Domain Administrator account
This account has administrative authority over the local computer only
Password is P&ssw0rd

Activity: Listing Local Group Members


1. While in Computer Management, select the Groups folder
2. Right click the Administrators group and select Properties
Note that the ACME\Domain Admins group is a member
When a computer joins the domain, all members of ACME's Domain Admins group are automatically given full administrative authority to this local computer

Other domain users and groups are also automatically given access to this local computer when it joined the domain
Note that ACME\Administrator (domain administrator) is also a member

Other local users and groups may be given access to this local computer as well
Note that Administrator (local administrator) is also a member

Activity: Listing Local User Accounts


3. Click OK and if necessary, select the Groups folder

4. Right click the Users group entry and select Properties


Note ACME\Domain Users is a member

Domain Users is a domain group account that includes all user accounts in the domain

Any domain user can log onto this workstation because it belongs to the domain and these accounts can potentially be given all of the same access to this local workstation that the Administrator user has

Activity: Logging onto the Domain as the acme.com Domain Administrator


Here our goal is to log onto the domain with a domain user account using a computer with an existing domain account (i.e. computer has already joined the domain)

1. Close all open windows and log off

2. Switch users and as the other user log on using the domain administrator account (acme\administrator, Adminp&ss)
By specifying a logon to the ACME domain, the administrator account will be authenticated by the domain's Active Directory rather than by the local computer's SAM
This gives the logged on administrator account access to domain resources, not just to the local computer resources

Primary Domain User Accounts


The Administrator account will be used throughout this course to perform domain-level administrative tasks
At times there will be tasks that need to be done as a regular domain user
The acmeclient user account can't be used since it is strictly a local user account and can't access domain resources (not stored in Active Directory)

Two account types will be used throughout this course to perform domain-level regular user type tasks:
tony.green and any of the other Acme employees
Circumstances will dictate when each is used

Tony Green's Account


tony.green is, for the most part, a regular user account that has already been created in the acme.com Active Directory

As an attempt to model a real-world company, Tony has been given some moderate domain administrative authority but he has nowhere near the power of Administrator
Tony has been given two added capabilities:
Delegated Control over the Acme Organizational Units
Can create and manage objects in these OUs

Member of Server Operators group
A local group that allows a user to perform general server level administrator tasks such as sharing server resources, performing file backup and recovery, logging on to a server locally and shutting it down

Activity: Logging on to a Domain with Tony's User Account


1. Close all open windows and log off

2. Log on using the tony.green account with Adminp&ss (make sure that you are logging onto the acme domain)

Now you should be logged into the domain using a regular domain user account

Password Complexity Rules


The default password policy for Windows Server 2008 R2 user accounts specifies that passwords meet the following minimum specifications:
At least 7 keystrokes long
NOT contain your username or parts of your full name
Different from past 24 passwords used
NOT been changed within the last day
Contains at least three of the following four restrictions:
English uppercase letters A-Z
English lowercase letters a-z
Westernized Arabic numerals 0-9
Non-alphanumeric punctuation marks and other symbols
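
The rules listed above, written as a checker that reports which rule a candidate password breaks. This is an added example, not part of the course material. The way the full name is split into parts, the three-character minimum for a name part and the plaintext history list are assumptions made for illustration; the sample accounts are the lab accounts named in this module.

```python
import re
import string
from datetime import datetime, timedelta

MIN_LENGTH = 7                    # "at least 7 keystrokes long"
HISTORY_DEPTH = 24                # "different from past 24 passwords used"
MIN_AGE = timedelta(days=1)       # "not been changed within the last day"
NAME_DELIMITERS = r"[,.\-_\s#]+"  # assumption: how a full name is split into parts
MIN_TOKEN = 3                     # assumption: shorter name parts are ignored

# The four character categories listed in the policy.
CATEGORIES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def character_categories(password):
    """Return the names of the listed categories that the password uses."""
    return {name for name, chars in CATEGORIES.items()
            if any(c in chars for c in password)}


def name_parts(username, full_name):
    """The whole username plus each delimiter-separated part of the full name."""
    parts = [username] + re.split(NAME_DELIMITERS, full_name)
    return {p.lower() for p in parts if len(p) >= MIN_TOKEN}


def policy_violations(password, username, full_name,
                      previous_passwords=(), last_changed=None, now=None):
    """Return the rules the candidate password breaks (empty list = accepted)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too short")
    lowered = password.lower()
    hits = sorted(p for p in name_parts(username, full_name) if p in lowered)
    if hits:
        violations.append("contains name part: " + ", ".join(hits))
    # Only the most recent 24 entries count. A plaintext list is used here
    # for illustration; a real system compares stored hashes instead.
    if password in list(previous_passwords)[-HISTORY_DEPTH:]:
        violations.append("reused from history")
    if last_changed is not None:
        now = now or datetime.now()
        if now - last_changed < MIN_AGE:
            violations.append("changed less than one day ago")
    if len(character_categories(password)) < 3:
        violations.append("fewer than three character categories")
    return violations


if __name__ == "__main__":
    # Constructed sample input: (password, username, full name).
    samples = [
        ("Adminp&ss", "Administrator", "Administrator"),
        ("P&ssw0rd", "acmeclient", "Acme Client"),
        ("Green2011", "tony.green", "Tony Green"),
        ("abc12", "tony.green", "Tony Green"),
    ]
    for password, username, full_name in samples:
        result = policy_violations(password, username, full_name)
        print(username, repr(password), "->", result or "accepted")
```
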

Administrative Tools

RSAT Remote Server Admin Tools


The Windows 7 Remote Server Administration Tools Pack has already been installed on your virtual workstation's Windows 7 Professional client
The amd64fre_GRMRSATX_MSU.msu installation file is located in the C:\Downloads directory

Made up of utility programs we will use throughout this course to administer the Windows Server 2008 R2 domain
A Windows 7 installation would NOT include these Administrative Tools
The RSAT Pack is available for free download from Microsoft:
http://www.microsoft.com/downloads/details.aspx?FamilyID=7D2F6AD7-656B-4313-A005-4E344E43997D

Administrative Tools Compatibility Issues


RSAT for Windows 7 can be installed ONLY on computers that are running the Enterprise, Professional, or Ultimate editions of Windows 7
Windows 2000 Server Administration Tools are NOT compatible with Windows 7, XP, 2003, 2008, or 2008 R2

RSAT for Windows 7 IS backward compatible with Windows 2000 and 2003 Server and is obviously compatible with Windows Server 2008 R2
RSAT for Windows 7 enables IT administrators to manage roles and features that are installed on remote computers that are running Windows Server 2008 R2 (and, for some roles and features, Windows Server 2008 or Windows Server 2003) from a remote computer that is running Windows 7

Activity: Using the Administrative Tools


1. Log off then back on as the domain administrator (acme\administrator, Adminp&ss)

2. Select Start / Administrative Tools
Your professor will briefly discuss a few of the main administrative tools

Computer Management Console


The Computer Management console tools can be used to:
Manage user sessions and connections to servers
Manage file, directory and share usage
Set administrative alerts
Manage applications and network services
Configure hardware devices
View and configure disk drives and removable storage devices

Activity: Accessing Different Domain Computers Using Computer Management


1. Select Start / Administrative Tools / Computer Management
2. Right click the Computer Management (Local) entry
(Local) indicates that Computer Management is currently working with the computer you are sitting at

3. Select Connect to another computer
This is how you switch to another computer in the domain

4. Choose Another computer: and enter acmeserver, which is the NetBIOS name of the domain controller, and click OK
Computer Management (Local) should now be replaced by Computer Management (acmeserver), indicating you are now working with the computer called ACMESERVER

Alternative Ways to Select a Computer with Computer Management


Instead of entering the NetBIOS name (i.e. acmeserver), you can also specify the computer to work with by one of the following methods:
a) Enter the computer's IP address (i.e. 192.168.100.10)

b) Enter the computer's fully qualified domain name (i.e. acmeserver.acme.com)

c) Select Browse / Advanced / Find Now to list all computers in the domain and select the one you want

Computer Management console functions will be covered in future labs

End
Remember to bring the Supplemental Content documents for this module and the next module to the next class
