Windows Server 2008 Loadfest

Olav Tvedt - olav@tvedt.info

Oppgave sett til Loadfest Januar og februar. Basert på diverse Microsoft dokumenter og egent matriale

Objectives

After completing this lab, you will be better able to: ? Identify the tasks necessary to complete the installation of Windows Server 2008  using the Initial Configuration Tasks console. ? Summarize the steps necessary to install and configure Windows Server 2008  server roles and features using Server Manager. ? Determine Windows Server 2008  server status using Server Manager as well as evaluate the other integrated Microsoft Management Console (MMC) snap-ins available in Server Manager.

Scenario

You are responsible in your organization for the installation and configuration of Windows Server 2008 . You are required to install and configure each 2008 server to provide a variety of roles (such as Print and DHCP) and features (such as Windows Server Backup) without the creation of special tools or scripts. You need to have the ability to quickly inspect the configuration of your servers, and when troubleshooting a service failure, take appropriate corrective actions without the creation of special tools or scripts.

Prerequisites

Before working on this lab, you must have: • Server Manager is installed by default as part of the Windows Server 2008  setup process. To use Server Manager, you must be logged on to the computer as an administrator. • If you log on to the computer by using an account other than the built-in Administrator account, you may see the following dialog box requesting your permission to run Server Manager. In this case, click Allow to start Server Manager.

Estimated Time to Complete This Lab

90 Minutes

Computer used in this Lab

NYC-DC-1 NYC-SRV -1

Tasks

Detailed Steps

Complete the following 4 tasks on: NYC-DC-1

1. Exploring Initial Configuration Tasks

a)       On the Master Status pane click and select NYC-DC-1 Note: You can also start Initial Configuration Tasks by typing oobe.exe from the Run or Search.

b)       On the Initial Configuration Tasks console, click set the Administrator password. This is where you can initially rename the Administrator account as well as assign a new password.

Note: For the purposes of this lab, we have already set the Administrator Account password and will keep the default name.

c)       On the Administrator Account dialog box, click Cancel.

d)       On the Initial Configuration Tasks console, click Configure networking.

e)       Right-click the connected network interface card Local Area Connection and click Properties.

Note: This is where you can initially set networking properties, such as assigning a static IP address. Windows Server 2008  will also support the new Internet Protocol Version 6 (IPv6).

Note: For the purposes of this lab, we have already assigned a static IPv4 address and IPv6 has been disabled.

f)        On the Local Area Connection dialog box, click Cancel.

g)       Close the Network Connections window.

h)       h. On the Initial Configuration Tasks console, click Provide computer name and domain

Tasks

Detailed Steps

Note: This is where you can initially set the computer name and domain settings. For the purposes of this lab, we have already assigned a computer name and domain

i)        On the System Properties dialog box, click Cancel.

j)        On the Initial Configuration Tasks console, click Enable Automatic Updating and feedback.

k)       In the Windows area, turn on Enable Automatic Updating and feedback.

l)        On the Initial Configuration Tasks console, click Download and install updates.

m)     Click Change settings, on the upper left Windows Update window.

n)       On the Change settings window, select the radio button Install updates automatically.

o)       Check, Included recommended updates when downloading, installing, or notifying me about updates.

p)       Click OK. Note: For the purposes of this lab, we will not be checking for any updates.

q)       Close the Windows Update window.

2. Adding Server Roles

a)       On the Initial Configuration Tasks console click Add roles. The Add Roles Wizard will appear.

b)       On the Select Server Roles page check the checkbox for Windows SharePoint Services. The Add role services required for Windows SharePoint Services dialog box will appear.

Note: Unlike previous versions of Windows where you could only install one role at a time, in Windows Server 2008  you are now able to install multiple roles at the same time. Also, when more complex roles are installed, such as Windows SharePoint Services, any associated required role services will be automatically installed for you.

c)       Click Cancel Note: Step c is intended to familiarize you with the concept of dependencies in Server Manager and how these dependencies are handled at installation time through the use of this standard popup. You are encouraged to complete step c by clicking on Add Required Roles Services in your spare time.

d)       Check the checkbox for Print Server. Click Next.

e)       Note the “Introduction to Print Services” page and the explanatory text and guidance on it. Click Next

f)        f. On the Select Role Services page, note that the Print Service role service is selected by default. Click Select Server Roles in the navigation pane on the left. Note: You can navigate to any of the active links in this pane. This can be useful if you want to make a change or skip ahead to a section in the wizard.

Tasks

Detailed Steps

g)       Check the checkbox for DHCP Server. Click Next.

Note the “Introduction to DHCP” page and the explanatory text and guidance on it.

h)       Keep clicking Next till you get to the Confirm Installation Selections page.

i)        On the Confirm Installation Selections page review all of the settings you have chosen.

j)        Note the “Print, e-mail, or save this information” link at the bottom. Click Cancel. Note: For the purpose of time, you won’t be installing the above services.

k)       In the Add Roles Wizard, click Yes.

3. Adding Server

a)       On the Initial Configuration Tasks console, click Add features.

Features

b)       On the Select Features page, check the check boxes next to Windows Server Backup. Click Next.

c)       On the Confirm Installation Selections page, click Install. Note: This may take a few minutes to complete.

d)       On the Installation Results page, click Close.

4. More Initial Configuration Tasks

a)       On the Initial Configuration Tasks console, click Enable Remote Desktop.

b)       On the System Properties dialog box, click on the Remote Tab and in the Remote Desktop area, select the radio button Allow connections only from computers running Remote Desktop with Network Level Authentication.

c)       Click OK once on the popup and again on the dialog box to get back to the Initial Configuration Tasks console.

d)       On the Initial Configuration Tasks console, near the bottom left, click Print, e-mail, or save this information. Internet Explorer will open showing detailed computer information.

e)       In the Internet Explorer window, near the top right, click Page, and then click Save As.

f)        On the Save Webpage dialog box, leave the defaults and click Save.

g)       g. Close Internet Explorer.

h)       On the Initial Configuration Tasks console, click Close.

Tasks

Detailed Steps

Complete the following 3 tasks on: NYC-DC-1 1. Removing Server Roles

a)       On the Master Status pane click and select NYC-DC-1 and log on to machine as administrator.

b)       On the Start menu, click Server Manager. The Server Manager console will appear. The Server Manager ‘home page’ gives you an overview of the server, allows you to change system properties, and installs or removes server roles and features. This is the IT Administrator’s “one-stop-shop” for the server.

c)       On the Server Manager console, under Server Summary, in the Computer Information area, note that a lot of information from the Initial Configuration Tasks console is available here Note: This is because Initial Configuration Tasks is used for initial configuration while Server Manager is used to perform the same steps as well as others as part of day-to-day management. This is the reason for making the same tasks available in Server Manager as well

d)       On the Server Manager console, under Server Summary, in the Roles Summary area, note the roles that have been installed for you (TS, IIS). Click Remove roles. The Remove Roles Wizard will appear.

e)       On the Remove Server Roles page, uncheck the check box Terminal Services.

f)        On the Remove Server Roles page, click Next.

g)       On the Confirm Removal Options page, note that the role service Terminal Server is set to be removed. Note: For the purposes of this lab and in order to save time, we will not actually be removing these roles, role services, and features.

h)       On the Confirm Removal Options page, click Cancel.

i)        i. On the Are you sure you want to cancel this wizard dialog box, click Yes.

2. Removing Server

a)       a. On the Server Manager console, under Server Summary, in the Features

Features

b)       Summary area, note the feature that has been installed for you (WAS). Click Remove features. The Remove Features Wizard will appear.

c)       b. On the Select Features page, uncheck Windows Server Backup checkbox.

Tasks

Detailed Steps

a)       c. On the Select Features page, click Next.

b)       d. On the Confirm Removal Selections page, note that Windows Server Backup is set to be removed. Note: Server Manager preserves the dependency information and prompts the user when removing a role, role service or feature will have an impact on others which depend on it. The purpose of this task is to familiarize you with the standard dependency popup shown in such a scenario.

c)       e. On the Confirm Removal Selections page, click Cancel.

d)       f. On the Are you sure you want to cancel this wizard dialog box, click Yes.

3. Managing Server Roles

a)       On the Server Manager console, in the top left area, expand the node Roles. Select the node Roles. On the Manage Roles ‘home page’ you can view the health of the roles that are currently installed on your server and add or remove role and features.

b)       On the Roles ‘home page’, under Roles Summary notice the roles currently installed out of the number of available roles.

c)       On the Roles ‘home page’, notice the Role Status and Role Services under each of the installed roles, Web Server (IIS) and Terminal Services.

d)       On the Server Manager console, in the top left area, select the node Terminal Services.

e)       On the Terminal Services ‘home page’, under Summary in the System Services area, under the Display Name column, select the Terminal Services service. To the right, click Stop Terminal Services. Note: You have been asked to manually stop the service so that you can emulate service failure in the real world and see how Server manager identifies and helps you solve errors which result from service failure.

f)        On the Server Manager console, in the top left area, select the node Roles. g. On the Roles ‘home page’, under Roles Summary, notice the new red X’s next to Terminal Services in both the Roles Summary as well as Terminal Services tiles. If a problem with services like this were to happen in your environment, you could easily see all of the affected roles in one spot on the Roles ‘home page’.

g)       On the Manage Roles ‘home page’, under Roles Summary, click the hyperlink Terminal Services. This will take you right to the problem.

h)       On the Terminal Services ‘home page’, under Summary in the System Services area, under the Display Name column, select Terminal Services. To the right, click Start Terminal Services. All of the services that explicitly depend on the Terminal Server service will also be started automatically.

i)        On the Server Manager console, in the top left area, select the node Roles. Note that the red X that was next to Terminal Services is gone.

j)        On the Server Manager console, in the top left area, expand the node Terminal Services.

k)       Click on the Terminal Services Manager node.

l)        Click OK on the popup n. In the Terminal Services Manager snap-in, make sure that the Users tab is selected. Select the one user entry and right click. Note that you can disconnect users connected to this Terminal Server or send them a message.

m)     o. On the Server Manager console, in the top left area, note that the Remote Programs and Terminal Server Configuration nodes appear just above the Terminal Services Manager node. Server Manager arranges and exposes all the management tools related to an installed role for easy access

Tasks

Detailed Steps

p)       On the Server Manager console, in the top left area, select the node Terminal Services

q)       On the Terminal Services ‘home page’, under Summary in the Events area, notice the summary of events (if any). If an event is present, double-click it. Examine the General tab and the Details tab. Note that an XML View as well as a Friendly View is now available from the Details tab. Once you are done examining the Event Properties dialog box, click Close.

r)       Collapse the node Terminal Services. s. Collapse the node Roles.

Tasks

Detailed Steps

Complete the following task on: NYC-DC-1 1. Troubleshoot Windows Server

a)       On the Master Status pane click and select NYC-DC-1

b)       On the Server Manager console, in the top left area, expand the node Diagnostics.

c)       Select the node Event Viewer.

d)       On the Event Logs Summary page.

e)       Expand the node Event Viewer.

f)        Expand the node Custom Views. Explore the events in the new groups such as Administrative Events

g)       Expand the node Windows Logs. Explore the events in the familiar groups such as Application, Security, Setup, System, and Forwarded Events.

h)       Expand the node Applications and Service Logs. Explore the events in the new groups such as Hardware Events, Internet Explorer and Key Management Service.

i)        Expand the node Microsoft. Expand the node Windows. Explore some of the folders and groups such as OfflineFiles, Group Policy, Winlogon

j)        Collapse the node Event Viewer. k. Expand the node Configuration.

k)       Select the node Task Scheduler. Explore the Task Scheduler interface.

l)        Select the node Windows Firewall with Advanced Security.

m)     On the Windows Firewall with Advanced Security page, in the Overview section, click the hyperlink Windows Firewall Properties.

n)       On the Windows Firewall with Advanced Security dialog box, select the tab Private Profile.

o)       In the State area, click on the dropdown and select On.

p)       On the Windows Firewall with Advanced Security dialog box, click OK. Note the changes made to the Windows Firewall with Advanced Security page. If desired, explore and evaluate more of the settings in the Windows Firewall with Advanced Security node.

q)       r. Collapse the node Configuration.

Tasks

Detailed Steps

s)        Change to NYC-SRV-1 Machine

t)        Logon as Administrator@woodgrovebank.com / Nwy2007.

u)       If Server Manager is not running, click on the Start menu and click Server Manager

v)       On the Server Manager console, in the mid-left area expand the node Storage and Backup and select the node Windows Server Backup.

w)      In the Actions panel, click Backup Schedule. The Backup Schedule wizard will appear.

Note: Windows Server Backup introduces new backup and recovery technology that replaces earlier versions of backup in the Windows operating system. Administrators can use Windows Server Backup in Windows Server 2008  to protect an entire server efficiently and reliably without worrying about the intricacies of backup and recovery technology. New MMC wizards guide administrators through setting up an automatic backup schedule, creating manual backups if necessary, and recovering items or entire volumes x. Note the steps in the wizard, displayed on the navigation pane in the left. Click Cancel..

Note: Windows Server Backup is a set of easy-to-use wizards and tools that simplify the process of creating backups of your important data and recovering your data or restoring your system if the need arises.

Objectives

After completing this lab, you will be better able to: ? Manage event logs, subscriptions, and views ? Configure event subscriptions ? Analyze system performance and reliability using reliability and performance reporting

Scenario

In this lab you will use a Windows 2008 Member Server to manage a Windows 2008 Server Domain Controller using new Windows management technologies. From your Windows 2008 Member Server, you will use event log views and event log subscriptions to identify problems occurring on your server. You will then create custom tasks to alert you when specific problems occur on the server. Finally you will review server performance and reliability data using custom reports.

Note: During the course of this lab you may encounter one or more User Account Control prompts. These prompts will ask you to confirm an action you have just taken. When you encounter a User Account Control prompt, select the option which confirms the action you have taken and you will be able to proceed with the next step in the exercise. A shield icon appears after each instruction which invokes a User Account Control dialog box. Note: The steps in this lab are intended to provide an overview of the technology presented. They are not intended to, and may not follow, Microsoft best practices or guidance on the technology presented. Note: This lab uses pre-release software. While every effort has been taken to ensure the functionality of the steps documented, some steps may still not function as intended at all times.

Prerequisites

Before working on this lab, you must have: • An understanding of performance monitoring • An understanding of event logs • An understanding of scheduled tasks • An understanding of WMI

Estimated Time to Complete This Lab

60 Minutes

Computer used in this Lab

NYC-DC-1 NYC-SRV-1 The password for the Woodgrovebank \Administrator account on this computer is: Nwy2007.

Tasks

Detailed Steps

Complete the following 2 tasks on: NYC-DC-1

1. Create a Custom Event View

Note: In this task you will create a custom event view which will filter the events to only events that are relevant to you. Event views are a powerful way to parse multiple types of events in multiple event logs. By focusing the event view on only important or actionable events, you increase your chance of identifying a performance or reliability problem before it causes system downtime. Event views are also useful in branch office environments, allowing you to create a view of all critical events that span all servers.

Note: Perform this procedure on the NYC-DC-1 computer as Woodgrovebank\Administrator

a. On the Start menu, in Start Search, type compmgmt.msc and then press ENTER. b. Under Computer Management (Local), expand Event Viewer and then click on    

   Custom Views.

c. On the Action menu, click Create Custom View.

d. In the Create Custom View dialog box, create a new view with the following settings and then click OK.

Setting      Value

Logged:      Last 24 hours

Event level:  Error

Event log:    Windows Logs/System

e. In the Save Filter to Custom View dialog box, in Name type Error Events

  (24 hours) and then click OK

f. Review the contents of the Error Events (24 hours) view.

2. Add a Custom Event to the System Log and View it in the Event View

Note: In this task you will use the EventQuery command to record a custom event in the Event log. This event will meet the criteria of the event view you created in the previous task. You will use your event view to review the custom event in the event log. When performing configuration tasks via script, such as those used to configure Windows 2008 Server Core, you can use this command to record success or failure of script actions.

Note: Perform this task on the NYC-DC-1 computer as Woodgrovebank\Administrator

a.       On the Start menu, right-click Command Prompt and then click Run as administrator.

b.       In the command prompt, type the following command and then press ENTER.

Eventcreate /T ERROR /ID 100 /L SYSTEM /D “Application Error #1” /SO MyApp

c.        In Computer Management, click Error Events (24 Hours) and then in the Actions pane, click Refresh.

d.       d. Review the new entry on the top of the list of events. Complete the

Complete the following 2 tasks on: NYC-SRV-1

3. Create an Event

Subscription on a

Windows 2008

Member Server

Note: In this task you will create an event subscription on a Windows 2008 Member

Server computer which reports events that occur on a Windows 2008 Server Domain Controller. Event subscriptions are a new way to monitor multiple computer event logs from a single machine. An event subscription uses Windows Remote Management to query the event logs WMI provider on the remote computer using

HTTP or HTTPS. The use of HTTP and HTTPS allows you to perform management

tasks in environments that do not allow protocols such as RPC. This is useful if you

want to remotely manage branch office servers without the need for RPC or VPN

connections. The proven security of SSL and the integrated authentication in WinRM ensures this is done without introducing additional risk. The event subscription creates a copy of the remote event and stores it in a log of your choosing. The default location is a log called Forwarded Events. This log can contain all events from all remote computers to which you have event subscriptions. Each event subscription can be configured to use custom credentials, and can be configured to subscribe to only the events of your choosing.

Note: Perform this task on the NYC-SRV-1 computer as Woodgrovebank\Administrator.

a.       On the Start menu, in Start Search, type compmgmt.msc and then press ENTER.

b.       Under Computer Management (Local), expand Event Viewer and then click on Subscriptions.

c.        In the Event Viewer dialog box, click Yes.

d.       On the Action menu, click Create Subscription.

e.        In the Subscription Properties dialog box, in Subscription Name type MyApp Errors on NYC-DC-1

f.        In Source Computers, click Add.

g.       In the Select Computer dialog box, type NYC-DC-1.woodgrovebank.com and then click OK.

h.       In Subscription Properties, select NYC-DC-1.woodgrovebank.com and then click Test.

i.         In the Event Viewer dialog box, click OK.

Note: The subscription fails because WimRM is not yet configured on NYC-DC-1. This will be completed in a future task.

j.         In the Subscription Properties dialog box, click Select Events.

k.       In the Query Filter dialog box, configure the filter with the following settings and then click OK.

Setting                 |                    Value

Tasks

Detailed Steps

g. In the contents pane, verify that an Error entry exists for MyApp.

6. Create an Alert Task Based On a Forwarded Event

Note: In this task you will create a task based on an event. The new Task Scheduler in Windows 2008 Server has been extended to include the ability to launch tasks when system events occur. This is a very effective way to automatically respond to system events. Three types of actions are supported for events which allow you to run an application or script, display an alert, or sent an email message. This task will create an alert to notify the currently logged on user that an error has occurred. Note: Perform this task on the NYC-SRV-1 computer as Woodgrovebank\Administrator.

a.       In Computer Management, navigate to System Tools/Event Viewer/Windows Logs and then click Forwarded Events.

b.       In the Contents pane, click MyApp Error, and then in the Actions pane click Attach Task To This Event.

c.        Complete the Create Basic Task Wizard using the following information.

Setting                       Value

Name                         - MyApp Error 100 Interactive Notification

Action                        - Display a message

Display a MessageTitle:       - MyApp Error

Display a Message: Message   - Error 100 occurred in MyApp on NYC-DC-1

d.       In the Event Viewer dialog box, click OK.

e.        On the Start menu, navigate to All Programs/Accessories, right-click Command prompt and then click Run as administrator.

f.        In the command prompt window, type the following command and then press ENTER.

EVENTCREATE /S NYC­DC­1.woodgrovebank.com /L System /T Error /ID 100 /SO MyApp /D “MyApp Encountered an error”E

Note: It may take up to 20 seconds for the error message dialog box to be displayed. g. In the MyApp Error dialog box, click OK.

Tasks

Detailed Steps

Complete the following 3 tasks on: NYC-SRV-1

1. Create a task to run at a fixed time.

Note: We will create a defrag.exe task which will defragment our hard disk weekly. The defragmentation will run each Friday night at 11:30 PM. Note: Complete this task on the NYC-SRV-1 computer as Woodgrovebank\Administrator.

a.       Click Start, Run and type MMC.

b.       From the MMC click File > Add/Remove Snap-in…

c.        Select Computer Management and Click Add.

d.       Select Local Computer, Click Finish and then OK.

e.        In Computer Management console, navigate to Task Scheduler\Task Scheduler Library.

f.        On the Action menu, click New Folder.

g.       Create a new folder named Custom Tasks.

h.       Click the Custom Tasks folder.

i.         In the Actions pane, click Create Basic Task.

j.         Complete the Create Basic Task Wizard wizard using the following information.

Setting: Value

Name:           - Weekly Defrag

Trigger:         - Weekly

Recurrence:     - 11:30PM on Friday

Action:          -Start a program

Program/Script  - C:\windows\system32\defrag.exe

Note: Notice the new task listed in the Upper-Middle pane. In the Lower-Middle pane you can see the details of the task.

k.       Click the Triggers and Actions tabs to see the details.

l.         In the Actions pane, click Properties.

m.     Under Security Options select Run whether user is logged on or not.

n.       Check Do not store password.

o.       Check Run with highest privileges and then click OK.

p.       In the Actions pane click Run. This will immediately run the task without waiting for the scheduled time. Note: You will not see the defrag application running.

q.       q. In the Lower-Middle pane, click History. This will show you the events related to

Tasks

Detailed Steps

this task, and let you know whether or not it ran, or if there were any errors with running the task.

Note: You may have to refresh Task Scheduler Library to notice that the task has run.

2. Create a Task to Respond to a System Event

Note: The Woodgrovebank administrator monitors several secure servers which get powered on, but not logged on. The administrator wants to be alerted if anyone does successfully log onto these Servers. In this exercise you will create a task to display a message whenever the secure workstation gets logged on to.

Note: Complete this task from the NYC-SRV-1 computer as Woodgrovebank\Administrator.

a.       Click the Custom Tasks folder.

b.       In the Actions pane, click Create Task.

c.        In the Create Task dialog box, in Name type Log on to Secure Workstation.

d.       On the Triggers tab, click New.

e.        In the Begin the Task list, select At log on and then click OK.

f.        On the Actions tab, click New.

g.       In the New Action dialog box, in Action, select Display message, in Title, type Log on Warning, and then in Message, type You have just logged on to a secure workstation, ensure you log off when you are finished.

h.       Click OK to close the New Action dialog box.

i.         Click OK to close the Create Task dialog box.

j.         Close all programs and log off

k.       Log on to NYC-SRV-1 as WOODGROVEBANK\Administrator

l.         l. Once your desktop appears, in the Log on Warning dialog box click OK.

3. Configure the AT Service Account

Note: The AT Service account is used by Windows 2008 Server when you schedule a task by using the command line, instead of the Task Scheduler user interface. In this task we will create an account to be used, instead of the default localsystem account.

Note: Complete this task from the NYC-SRV-1 computer as Woodgrovebank\Administrator.

a.       On the Start menu, in Start Search, type compmgmt.msc and then press ENTER.

b.       In Computer Management, click Task Scheduler.

c.        In the Actions pane, click AT Service Account Configuration.

d.       In the AT Service Account Configuration dialog box, click Another User account, then click “Change user”. At the sign in box type WOODGROVEBANK\Administrator. Enter Nwy2007 as the password and click OK. Then click OK again.

e.        On the Start menu, navigate to All Programs/Accessories, right-click Command Prompt and then click Run as administrator.

f.        f. In the command prompt, type the following command where hh:mm is three minutes after your current 2008 time using the 24 hr clock and then press ENTER.

AT \\Localhost hh:mm /every:m,t,w,th,f calc.exe

g.       Read the message, and then minimize the command prompt.

h.       In the Computer Management console, expand Task Scheduler, click Task Scheduler Library and then in the Actions pane, click Refresh.

i.         The task AT1 will be listed as Ready. Wait for it to show as Running and then

Tasks

Detailed Steps

open your Task Manager by right-clicking the task bar and clicking Task Manager

Note: You may have to refresh this screen again at the appropriate time.

j.         Click the Processes tab and ensure Show Processes from all users is selected. Notice calc.exe is running in the background. It is running as the Administrator account, which is what you previously configured as the AT Service Account.

k.       Close the Task Manager and click the At1 scheduled task. In the Lower-Middle pane, select the History tab. Double click the top event listed and notice which user account is being used to run the task. Close the dialog box.

l.         Click and then right-click Task Scheduler in the Explorer pane, and then click AT Service Account Configuration. Change this back to System Account and click OK. m. In Computer Management, in the contents page, click AT1 and then on the Actions menu, click End.

m.     In the Task Scheduler dialog box, click Yes.

n.       o. Close Computer Management. Close the Command Prompt window.

Tasks

Detailed Steps

Complete the following task on: NYC-SRV-1 1. Configure the WinRM service

Note: WinRM is initially not configured to listen for remote management commands on any network interface. To configure WinRM to listen to remote management commands, you must configure a listener on at least one interface. In this task you will use the WinRM command line tool to create a default HTTP listener, which listens on all interfaces. This listener can be further secured by enabling HTTPS and limiting authentication methods to only the most secure methods. HTTPS is configured using the WinRM command, assuming a suitable computer authentication certificate is present on the server computer. Limiting authentication methods is done using Group Policy or the WinRM command.

Note: Perform this task on the NYC-SRV-1 computer as Woodgrovebank\Administrator.

a.       On the Start menu, navigate to All Programs/Accessories, right-click Command Prompt and then click Run as administrator.

b.       b. In the command prompt, type the following command and then press ENTER.

WINRM QuickConfig

c.        c. WinRM could already be configured on this server if so just go on to next step otherwise: In the command prompt, type Y and then press ENTER.

Complete the following 5 tasks on: NYC-DC-1 2. Perform a GET Operation

Note: The WS-Management GET operation returns the value of a specific WMI object. In the following example, WS-Management retrieves the properties of the WinRM service running on NYC-SRV-1.

Note: Perform this task on NYC-DC-1 as Woodgrovebank\Administrator.

a.       In the command prompt, type the following command and then press ENTER.

winrm get wmicimv2/win32_service?name=WinRM –remote:NYC-SRV-1

b.       In the command prompt, type the following command and then press ENTER.

winrm get wmicimv2/win32_service?name=WinRM –remote:NYC-SRV-1 –format:pretty

3. To Perform an

Note: The WS-Management Enumerate operation returns a collection of objects. The

Enumerate Operation

resulting output will be similar to that of a GET operation, but instead of listing the information of a single object, it will list all of the objects.

Note: Perform this task on NYC-DC-1 as Woodgrovebank\Administrator.

Tasks

Detailed Steps

a.       In the command prompt, type the following command and then press ENTER.

winrm enumerate wmicimv2/win32_logicaldisk –remote:NYC-SRV-1

4. To Perform an Invoke Operation

Note: The WS-Management Invoke operation executes methods on the target object. In the following example, we will stop and start the Windows Time service on NYC­SRV-1.

Note: Perform this task on NYC-DC-1 as Woodgrovebank\Administrator.

a.       In the command prompt, type the following command and then press ENTER.

winrm invoke StopService wmicimv2/win32_service?name=W32Time –remote:NYC-SRV-1

b. The output should show StopService_OUTPUT ReturnValue=0

c. In the command prompt, type the following command and then press ENTER.

winrm invoke StartService wmicimv2/win32_service?name=W32Time –remote:NYC-SRV-1

d. The Output should now show StartService_OUTPUT ReturnValue=0.

e. Again to verify this service has started, redo the GET operation above.

5. To Perform a PUT operation

Note: The WS-Management PUT operation allows a value of keys to be set. In the following example the value of the MaxEnvelopeSizekb key will be re-configured.

Note: Perform this task on NYC-DC-1 as Woodgrovebank\Administrator.

a.       In the command prompt, type the following command and then press ENTER.

winrm get winrm/config –remote:NYC-SRV-1

b. Notice in the resulting XML data, the MaxEnvelopeSizekb value of 150. We will now change this to be 100.

c. In the command prompt, type the following command and then press ENTER.

winrm put winrm/config @{MaxEnvelopeSizekb=”100”} – remote:NYC-SRV-1

d. Notice the resulting XML, and the new MaxEnvelopeSizekb value.

6. To Perform a Remote Shell operation

Note: The WS-Management Remote Shell operation allows certain non-interactive commands to be executed in the CMD shell on the remote machine. This is a very useful for performing remote operations. Note: Perform this task on NYC-DC-1 as Woodgrovebank\Administrator.

a.       In the command prompt, type the following command and then press ENTER.

winrs –remote:NYC-SRV-1 ipconfig /all

Note: Notice in the resulting data looks the same as if this command was executed on the local machine. The Hostname result shows the name of the remote machine.

Objectives

After completing this lab, you will be better able to: ? Understand the difference between Group Policy Password Policies and Granular Password Settings. ? Configure Granular Password Settings for individual users and groups.

Scenario

You are a network administrator and the business has determined that certain high level employees in Research are now required to have a more complex password setting then the current Domain Policy.

Prerequisites

Before working on this lab, you must have: • Active Directory is installed. • Group Policy Management Feature installed.

Estimated Time to Complete This Lab

30 Minutes

Computer used in this Lab

NYC-DC-1

Tasks

Detailed Steps

Complete the following 3 tasks on: NYC-DC-1 1. Configuring Passwrod

Note: Logon to the server using the following credentials: Username: administrator Password: Nwy2007 Domain: Woodgrovebank.com

a.       From the Desktop Open the Lab MMC.

b.       Expand Group Policy Management.

c.        Expand Forest: woodgrovebank.com.

d.       Expand Domains\woodgrovebank.com.

e.        Right Click Default Domain Policy and Click Edit.

f.        Expand Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.

g.       Notice the minimum password length is set to seven.

h.       Close the Group Policy Management Editor and Collapse the Group Policy Management Node.

i.         Expand Active Directory > woodgrovebank.com > Research > Right Click Dbarber and select Reset Password.

j.         In the password dialog box enter the password of 1234 in both sections. Press Ok.

k.       This will fail and you will get a notice saying that the password doesn’t meet the requirements. Click OK.

l.         l. Collapse Active Directory Users and Computers.

2. Creating Custom

a.       Right Click ADSI Edit > Connect to > OK

Password Settings

b.       Expand to Default Naming content\DC=woodgrovebank,DC=com\CN=System\CN=Password Settings Container\

c.        Right-Click Password Settings Container and click New – Object.

d.       Select msDS-PasswordSettings, click next.

e.        Value: MyPasswordSettings12char, click next.

Tasks

Detailed Steps

Complete the following 3 tasks on: NYC-DC-1 1. Configuring Passwrod

Note: Logon to the server using the following credentials: Username: administrator Password: Nwy2007 Domain: Woodgrovebank.com

a.       From the Desktop Open the Lab MMC.

b.       Expand Group Policy Management.

c.        Expand Forest: woodgrovebank.com.

d.       Expand Domains\woodgrovebank.com.

e.        Right Click Default Domain Policy and Click Edit.

f.        Expand Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.

g.       Notice the minimum password length is set to seven.

h.       Close the Group Policy Management Editor and Collapse the Group Policy Management Node.

i.         Expand Active Directory > woodgrovebank.com > Research > Right Click Dbarber and select Reset Password.

j.         In the password dialog box enter the password of 1234 in both sections. Press Ok.

k.       This will fail and you will get a notice saying that the password doesn’t meet the requirements. Click OK.

l.         Collapse Active Directory Users and Computers.

2. Creating Custom

a.       Right Click ADSI Edit > Connect to > OK

Password Settings

b.       Expand to Default Naming content\DC=woodgrovebank,DC=com\CN=System\CN=Password Settings Container\

c.        Right-Click Password Settings Container and click New – Object.

d.       Select msDS-PasswordSettings, click next.

e.        Value: MyPasswordSettings12char, click next.

Tasks

Detailed Steps

f.        Under msDS-PasswordsSettingsPrecedence set the value of 10, click next.

g.       Fill in the following attributes for password settings:

·         msDS-PasswordReversibleEncryptionEnabled

Value = False

·         msDS-PasswordHistoryLength

Value = 15 (domain default: 24)

·         msDS-PasswordComplexityEnabled

Value = True

·         msDS-MinimumPasswordLength

Value = 12 (domain default(chars): 7)

·         msDS-MinimumPasswordAge

Value = -864000000000 (domain default: 1 day = -864000000000)

·         msDS-MaximumPasswordAge

Value = -36288000000000 (domain default: 42 days = -36288000000000)

h.       Fill in the following attributes for account lockout settings:

·         msDS-LockoutThreshold

Value = 0 (domain default: 0 = don‘t lockout accounts after invalid passwords)

·         msDS-LockoutObservationWindow

Value = -18000000000 (domain default: 6 min = -18000000000)

·         msDS-LockoutDuration

Value = -18000000000 (domain default: 6 min = -18000000000)

i.         Click Finished.

Note: If you get an error message about improper values chances are you forgot before some of the numbers listed above

j.         Right Click the Object you just created and click Properties.

Note: msDS-PSOAppliesTo (Multivalued) is for the DistinguishedName of the Groups or Users which should apply those Password Settings. This links the password settings to a user or group.

k.       In Attribute Editor scroll down to msDS-PSOAppliesTo, Click Edit.

l.         In the Value to Add Section type: cn=dbarber,ou=Research,dc=woodgrovebank,dc=com

m.     m. Click Add and then click OK twice.

3. Testing the new

a.       Switch back to Active Directory and Expand to Research.

Password Settings

b.       Right click Dbarber and select Reset Password.

c.        From the dialog box enter the password of Nwy2007, confirm it, and press Ok.

d.       Press Ok to the error message telling you the password doesn’t meet password policy requirements.

e.        Right click Dbarber and select Reset Password.

f.        From the dialog box enter the password of Nwy2007Nwy2007, confirm it, and press Ok.

g.       You have successfully reset the password based on the setting object for this user.

•

Setting the administrative password

•

Setting a static IP address

Note:

A DHCP address is provided by default. You should perform this procedure only if you need to set a static IP address.

•

Joining a domain

•

Activating the server

•

Configuring the firewall

To set the administrative password

To set a static IP address

Note:

If you set the static IP address on the wrong network adapter, you can change back to using the DHCP address supplied by using the following command:

netsh interface ipv4 set address name="<ID>" source=dhcp

where ID is the number of the network adapter from Step 2.

To join a domain

To rename the server

To activate the server (Skal ikke gjøre nå!!!!)

Note:

You can also activate by phone, using a KMS server, or remotely by typing the following command at a command prompt of a computer that is running Windows Vista or Windows Server 2008:

cscript windows\system32\slmgr.vbs <ServerName> <UserName> <password>:-ato

To configure the firewall

Note:

You can also use the Windows Firewall snap-in from a computer running Windows Vista or Windows Server 2008 to remotely manage the firewall on a server running a Server Core installation. To do this, you must first enable remote management of the firewall by running the following command on the computer running a Server Core installation:

netsh advfirewall set currentprofile settings remotemanagement enable

•

You cannot use the Active Directory Domain Controller Installation Wizard (Dcpromo.exe) on a server running Server Core installation. You must use an unattend file with Dcpromo.exe to install or remove the domain controller role.

Alternately, you can run Dcpromo.exe on another computer running Windows Server 2008 and use the wizard to save an unattend file that you can then use on the server running Server Core installation.

•

Dcpromo.exe will restart the computer immediately when the installation is complete or when Active Directory is removed unless RebootOnCompletion=No is included in the answer file.

•

The Web Server (IIS) role does not support ASP.NET in Server Core installations. Because there is no support for managed code, the following IIS features are not available in Server Core installations:

Available server roles

To discover the available server roles, open a command prompt and type the following:

oclist

This command lists the server roles and optional features that are available for use with Ocsetup.exe. It also lists the server roles and optional features that are currently installed.

To install File Services role features

Note:

Uninstall any file server role options by using these commands with the /uninstall option.

To install the Active Directory Domain Services role

Note:

Dcpromo.exe can also be used to demote a domain controller to a server.

•

Managing a server running a Server Core installation locally at a command prompt

•

Managing a server running a Server Core installation remotely at a command prompt

•

Managing a server running a Server Core installation by using Windows Remote Shell

•

Managing a server running a Server Core installation by using Microsoft Management Console (MMC)

To manage a server running a Server Core installation locally at a command prompt

Note:

For more information about command-line tools, see "Steps for administering a Server Core installation" later in this document.

To manage a server running a Server Core installation by using a terminal server

Note:

If you are running the Terminal Services client on a previous version of Windows, you must turn off the higher security level that is set by default in Windows Server 2008. To do this, after step 1, type the following command at the command prompt:

cscript C:\Windows\System32\Scregedit.wsf /cs 0

Note:

For more information about command-line tools, see "Steps for administering a Server Core installation" later in this document.

To use TS RemoteApp to publish Cmd.exe to your local computer

To manage a server running a Server Core installation by using the Windows Remote Shell

Note:

The WinRM quickconfig setting enables a server running a Server Core installation to accept Windows Remote Shell connections. This setting can also be set in an unattend file.

Important:

For more information about using different security credentials to run commands, see the command-line help for WinRS.exe by typing winrs -? at a command prompt.

To manage a server running a Server Core installation by using an MMC snap-in

Task

Steps

List event logs.

At a command prompt, type:

wevtutil el

Query events in a specified log.

At a command prompt, type:

wevtutil qe /f:text <log name>

Export an event log.

At a command prompt, type:

wevtutil epl <log name>

Clear an event log.

At a command prompt, type:

wevtutil cl <log name>