Chapter 1. Windows Server 2012 R2 administration

Windows Server 2012 R2 is a powerful, versatile, full-featured server operating system that builds on the enhancements that Microsoft provided in Windows Server 2012. Windows Server 2012 R2 and Windows 8.1 share a number of common features because they were part of a single development project. These features share a common code base and extend across many areas of the operating systems, including management, security, networking, and storage. Because of this, you can apply much of what you know about Windows 8.1 to Windows Server 2012 R2.

This chapter covers getting started with Windows Server 2012 R2 and explores the extent to which the architectural changes affect how you work with and manage Windows Server 2012 R2. Throughout this chapter and the other chapters of this book, you’ll also find discussions of the many security features and enhancements. These discussions explore all aspects of computer security, including physical security, information security, and network security. Although this book focuses on Windows Server 2012 R2 administration, the tips and techniques it presents can help anyone who supports, develops for, or works with the Windows Server 2012 R2 operating system.

Windows Server 2012 R2 and Windows 8.1

Before you deploy Windows Server 2012 R2, you should carefully plan the server architecture. As part of your implementation planning, you need to look closely at the software configuration that will be used and modify the hardware configuration on a per-server basis to meet related requirements. For additional flexibility in server deployments, you can deploy servers by using one of three installation types:

  • Server With A GUI installation. An installation option that provides full functionality—also referred to as a full-server installation. You can configure a server to have any allowed combination of roles, role services, and features, and a full user interface is provided for managing the server. This installation option provides the most dynamic solution and is recommended for deployments of Windows Server 2012 R2 in which the server role might change over time.

  • Server Core installation. A minimal installation option that provides a fixed subset of roles but does not include the Server Graphical Shell, Microsoft Management Console, or Desktop Experience. You can configure a Server Core installation with a limited set of roles. A limited user interface is provided for managing the server, and most management is done locally at a command prompt or remotely by using management tools. This installation option is ideally suited to situations in which you want to dedicate servers to a specific server role or combination of roles. Because additional functionality is not installed, the overhead caused by other services is reduced, providing more resources for the dedicated role or roles. Generally, the limited interface also is inherently more secure than other installation types.

  • Server With Minimal Interface installation. An intermediate installation option where you perform a full-server installation and then remove the Server Graphical Shell. This leaves a minimal user interface, Microsoft Management Console, Server Manager, and a subset of Control Panel for local management. This installation option is ideally suited to situations in which you want to carefully control the tasks that can be performed on a server and the roles and features installed, but you still want the convenience of the graphical interface.

You choose the installation type during installation of the operating system. In a significant change from earlier releases of Windows Server, you can change the installation type after you’ve installed a server. A key difference between the installation types relates to the presence of the graphical management tools and the graphical shell. A Server Core installation has neither, a full-server installation has both, and a minimal-interface installation has only the graphical management tools.

More Info

Several server features and roles require the graphical shell. They include Fax Server, Remote Desktop Session Host, Windows Deployment Services, and the Internet Printing user interface. Additionally, in Event Viewer, the Details view requires the graphical shell, as does the graphical interface for Windows Firewall.

Like Windows 8.1, Windows Server 2012 R2 has the following features:

  • Modularization for language independence and disk imaging for hardware independence. Each component of the operating system is designed as an independent module you can easily add or remove. This functionality provides the basis for the configuration architecture in Windows Server 2012 R2. Microsoft distributes Windows Server 2012 R2 on media with Windows Imaging (WIM) format disk images that use compression and single-instance storage to dramatically reduce the size of image files.

  • Preinstallation and preboot environments. The Windows Preinstallation Environment (Windows PE) replaces MS-DOS as the preinstallation environment and provides a bootable startup environment for installation, deployment, recovery, and troubleshooting. The Windows Preboot Environment provides a startup environment with a boot manager that lets you choose which boot application to run to load the operating system. On systems with multiple operating systems, you access pre–Windows 7 operating systems in the boot environment by using the legacy operating system entry.

  • User account controls and elevation of privileges. User Account Control (UAC) enhances computer security by ensuring true separation of standard user and administrator user accounts. Through UAC, all applications are run by using either standard user or administrator user privileges, and a security prompt is displayed by default whenever you run an application that requires administrator privileges. The way the security prompt works depends on Group Policy settings. Additionally, if you log on by using the built-in Administrator account, typically elevation prompts are not provided.

In Windows 8.1 and Windows Server 2012 R2, features with common code bases have identical management interfaces. In fact, just about every Control Panel utility that is available in Windows Server 2012 R2 is identical to or nearly identical to its Windows 8.1 counterpart. Of course, exceptions exist in some cases for standard default settings. Because Windows Server 2012 R2 does not use performance ratings, Windows servers do not have Windows Experience Index scores. Because Windows Server 2012 R2 does not use Sleep or related states, Windows servers do not have sleep, hibernate, or resume functionality. Because you typically do not want to use extended power management options on Windows servers, Windows Server 2012 R2 has a limited set of power options.

Windows Server 2012 R2 does not include the Windows Aero enhancements, Windows Sidebar, or other user-interface enhancements, because Windows Server 2012 R2 is designed to provide optimal performance for server-related tasks and is not designed for extensive personalization of the desktop appearance. That said, when you are working with a full-server installation, you can add the Desktop Experience feature and then enable some Windows 8.1 features on your server.

The Desktop Experience provides Windows desktop functionality on the server. Windows features added include Windows Media Player, desktop themes, Video for Windows (AVI support), Windows Defender, Disk Cleanup, Sync Center, Sound Recorder, Character Map, and Snipping Tool. Although these features allow a server to be used like a desktop computer, they can reduce the server’s overall performance.

Note

Windows Defender for Windows Server 2012 R2 has been upgraded to a more fully featured program. Windows Defender now protects against viruses, spyware, rootkits, and other types of malware. Rootkit detection helps to safeguard computers from malware that inserts itself into non-Microsoft drivers. If Windows Defender detects that a non-Microsoft driver has been infected, it prevents the driver from starting. Microsoft drivers are protected at startup as part of other security features. Note also that Windows Defender is available on Server Core installations, though without the user interface. If you add Windows Defender as an option on a Server Core installation, the program is enabled by default.

Because the common features of Windows 8.1 and Windows Server 2012 R2 have so many similarities, I will not cover changes in the interface from previous operating system releases, discuss how UAC works, and so on. You can find extensive coverage of these features in Windows 8.1 Pocket Consultant: Essentials & Configuration (Microsoft Press, 2013), which I encourage you to use in conjunction with this book. In addition to its coverage of broad administration tasks, Windows 8.1 Pocket Consultant: Essentials & Configuration examines how to customize the operating system and Windows environment, configure hardware devices, manage user access and global settings, troubleshoot system problems, and much more. This book, alternatively, focuses on directory services administration, user administration, and server management.

Getting to know Windows Server 2012 R2

The Windows Server 2012 R2 operating system includes several different editions. All Windows Server 2012 R2 editions support multiple processor cores. It is important to point out that although an edition might support only one discrete-socketed processor (also referred to as a physical processor), that one processor could have eight processor cores (also referred to as logical processors).

Introducing Windows Server 2012 R2

Windows Server 2012 R2 is a 64-bit–only operating system. In this book, I refer to 64-bit systems designed for the x64 architecture as 64-bit systems. Because the various server editions support the same core features and administration tools, you can use the techniques discussed in this book regardless of which Windows Server 2012 R2 edition you’re using.

When you install a Windows Server 2012 R2 system, you configure the system according to its role on the network, as the following guidelines describe:

  • Servers are generally assigned to be part of a workgroup or a domain.

  • Workgroups are loose associations of computers in which each individual computer is managed separately.

  • Domains are collections of computers you can manage collectively by means of domain controllers, which are Windows Server 2012 R2 systems that manage access to the network, to the directory database, and to shared resources.

Note

In this book, Windows Server 2012 R2 and Windows Server 2012 R2 family refer to all editions of Windows Server 2012 R2. The various server editions support the same core features and administration tools.

Windows 8.1 and Windows Server 2012 R2 also support a workplace configuration. A workplace is a loose association of computers that grants access to certain internal network resources and business apps. Workplaces have specific benefits:

  • If users have Windows 8.1 devices from which they want to access corporate resources, those devices can use a workplace configuration to remotely connect to a computer at work. Users can then change their network passwords and connect to internal websites. Users also can use workplaces as an alternative way to access Outlook Web Access (OWA). Here, users connect to the workplace and then access OWA by using the internal URL (rather than an external URL).

  • If administrators have Windows 8.1 devices from which they want to access corporate resources, those devices can use a workplace configuration to remotely connect to servers and perform assigned tasks by using administration links.

You implement workplaces by installing the Windows Server Essentials Experience role on servers running Windows Server 2012 R2. Because the Windows Server Essentials Experience role is designed to be used in single-domain deployments of Active Directory Domain Services (AD DS), you should not deploy this role in AD DS implementations with multiple domains.

Windows 8.1 and Windows Server 2012 R2 also support Work Folders, a similar but distinctly different feature. Work Folders allow users to synchronize their corporate data to their devices and vice versa. Those devices can be joined to the corporate domain or a workplace. To deploy Work Folders, the administrator adds the File And Storage ServicesFile and iSCSI ServicesWork Folders role service to a server and then configures Work Folders by using Server Manager. Unlike workplaces, Work Folders can be used in multidomain environments.

Working with Windows Server 2012 R2

Windows Server 2012 R2 uses a Start screen. Start is a window, not a menu. Programs can have Tiles on the Start screen. Tapping or clicking a Tile runs the program. When you press and hold or right-click on a program, an options panel usually is displayed. The charms bar is an options panel for Start, Desktop, and PC Settings. With a touch UI, you can display the charms by sliding in from the right side of the screen. With a mouse and keyboard, you can display the charms by pointing to the hidden button in the upper-right or lower-right corner of the Start, Desktop, or PC Settings screen; or by pressing Windows key+C.

Tap or click the Search charm to display the Search panel. Any text entered while on the Start screen is entered into the Search box in the Search panel. The search box can be focused on Everywhere, Settings, or Files. When focused on Everywhere, you can use Search to quickly find installed programs, settings, and files. When focused on Settings, you can use Search to quickly find settings and options in Control Panel. When focused on Files, you can use Search to quickly find files.

One way to quickly open a program is by typing the file name of the program, and then pressing Enter. This shortcut works as long as the Everywhere search box is in focus (which it typically is by default). In an Everywhere search, any matches for programs are listed first, followed by any matches for settings and finally, any matches for files.

Pressing the Windows key toggles between the Start screen and the desktop (or, if you are working with PC Settings, between Start and PC Settings). On Start, there’s a Desktop Tile that you can tap or click to display the desktop. You also can display the desktop by pressing Windows key+D or, to peek at the desktop, press and hold Windows key+Comma. From Start, you access Control Panel by tapping or clicking the Control Panel Tile. From either Start or the desktop, you can display Control Panel by pressing Windows key+I and then clicking the Control Panel option. Additionally, because File Explorer is pinned to the desktop taskbar by default, you typically can access Control Panel on the desktop by following these steps:

  1. Open File Explorer by tapping or clicking the taskbar icon.

  2. Tap or click the leftmost arrow button in the address list.

  3. Tap or click Control Panel.

Start and Desktop have a convenient menu that you can display by right-clicking the lower-left corner of the Start screen or the desktop. Alternatively, you can press Windows key+X. Options on the menu include Computer Management, Device Manager, Event Viewer, System, Task Manager, Windows Command Prompt, and Command Prompt (Admin). On the Start screen, the button in the lower-left corner shows a Windows icon, and tapping or clicking the thumbnail opens the desktop. On the desktop, tapping or clicking this button opens Start. Right-clicking the button is what displays the shortcut menu.

Real World

By default with Windows Server 2012 R2, the command prompt and the administrator command prompt are options on the shortcut menu that is displayed when you right-click in the lower-left corner or press Windows key+X. The alternative is for the Windows PowerShell command prompt and the administrator Windows PowerShell command prompt to be displayed on this menu. To configure which options are available, on the desktop, press and hold or right-click the taskbar, and then click Properties. In the Taskbar And Navigation Properties dialog box, on the Navigation tab, select or clear the Replace Command Prompt With Windows PowerShell… check box as appropriate.

Shut Down and Restart are options of Power settings now. This means to shut down or restart a server, you follow these steps:

  1. Display Start options by sliding in from the right side of the screen or moving the mouse pointer to the lower-right or upper-right corner of the screen.

  2. Tap or click Settings, and then tap or click Power.

  3. Tap or click Shut Down or Restart as appropriate.

Alternatively, if configured as a power option, you can press the server’s physical power button to initiate an orderly shutdown by logging off and then shutting down. If you are using a desktop-class system and the computer has a sleep button, the sleep button is disabled by default, as are closing the lid options for portable computers. Additionally, servers are configured to turn off the display after 10 minutes of inactivity.

Windows 8.1 and Windows Server 2012 R2 support the Advanced Configuration and Power Interface (ACPI) 5.0 specification. Windows uses ACPI to control system and device power state transitions, putting devices in and out of full-power (working), low-power, and off states to reduce power consumption.

The power settings for a computer come from the active power plan. You can access power plans in Control Panel by tapping or clicking System And Security and then tapping or clicking Power Options. Windows Server 2012 R2 includes the Power Configuration (Powercfg.exe) utility for managing power options from the command prompt. At a command prompt, you can view the configured power plans by entering powercfg /l. The active power plan is marked with an asterisk.

The default, active power plan in Windows Server 2012 R2 is called Balanced. The Balanced plan is configured to do the following:

  • Never turn off hard disks (as opposed to turning off hard disks after a specified amount of idle time).

  • Disable timed events to wake the computer (as opposed to enabling wake on timed events).

  • Enable USB selective suspend (as opposed to disabling selective suspend).

  • Use moderate power savings for idle PCI Express links (as opposed to maximum power savings being on or off).

  • Use active system cooling by increasing the fan speed before slowing processors (as opposed to using passive system cooling to slow the processors before increasing fan speed).

  • Use minimum processor and maximum processor states if supported (as opposed to using a fixed state).

Note

Power consumption is an important issue, especially as organizations try to become more earth friendly. Saving power also can save your organization money and, in some cases, allow you to install more servers in your data centers. If you install Windows Server 2012 R2 on a laptop—for testing or for your personal computer, for example—your power settings will be slightly different, and you’ll also have settings for when the laptop is running on battery.

Power management options

When working with power management, important characteristics to focus on include the following:

  • Cooling modes

  • Device states

  • Processor states

ACPI defines active and passive cooling modes. These cooling modes are inversely related to each other:

  • Passive cooling reduces system performance but is quieter because there’s less fan noise. With passive cooling, Windows lessens power consumption to reduce the operating temperature of the computer but at the cost of system performance. Here, Windows reduces the processor speed in an attempt to cool the computer before increasing fan speed, which would increase power consumption.

  • Active cooling allows maximum system performance. With active cooling, Windows increases power consumption to reduce the temperature of the machine. Here, Windows increases fan speed to cool the computer before attempting to reduce processor speed.

Power policy includes an upper and lower limit for the processor state, referred to as the maximum processor state and the minimum processor state, respectively. These states are implemented by making use of a feature of Advanced Configuration and Power Interface (ACPI) 3.0 and later versions called processor throttling, and they determine the range of currently available processor performance states that Windows can use. By setting the maximum and minimum values, you define the bounds for the allowed performance states, or you can use the same value for each to force the system to remain in a specific performance state. Windows reduces power consumption by throttling the processor speed. For example, if the upper bound is 100 percent and the lower bound is 5 percent, Windows can throttle the processor within this range as workloads permit to reduce power consumption. In a computer with a 3-gigahertz (GHz) processor, Windows would adjust the operating frequency of the processor between .15 GHz and 3.0 GHz.

Processor throttling and related performance states were introduced with Windows XP and are not new, but these early implementations were designed for computers with discrete-socketed processors and not for computers with processor cores. As a result, they are not effective in reducing the power consumption of computers with logical processors. Windows 7 and later releases of Windows reduce power consumption in computers with multicore processors by taking advantage of a feature of ACPI 4.0 called logical processor idling and by updating processor throttling features to work with processor cores.

Logical processor idling is designed to ensure that Windows uses the fewest number of processor cores for a given workload. Windows accomplishes this by consolidating workloads onto the fewest cores possible and suspending inactive processor cores. As additional processing power is required, Windows activates inactive processor cores. This idling functionality works in conjunction with management of process performance states at the core level.

ACPI defines processor performance states, referred to as p-states, and processor idle sleep states, referred to as c-states. Processor performance states include P0 (the processor/core uses its maximum performance capability and can consume maximum power), P1 (the processor/core is limited below its maximum and consumes less than maximum power), and Pn (where state n is a maximum number that is processor-dependent, and the processor/core is at its minimal level and consumes minimal power while remaining in an active state).

Processor idle sleep states include C0 (the processor/core can execute instructions), C1 (the processor/core has the lowest latency and is in a nonexecuting power state), C2 (the processor/core has longer latency to improve power savings over the C1 state), and C3 (the processor/core has the longest latency to improve power savings over the C1 and C2 states).

More Info

ACPI 4.0 was finalized in June 2009, and ACPI 5.0 was finalized in December 2011. Computers manufactured prior to this time will likely not have firmware that is fully compliant, and you will probably need to update the firmware when a compatible revision becomes available. In some cases, and especially with older hardware, you might not be able to update a computer’s firmware to make it fully compliant with ACPI 4.0 or ACPI 5.0. For example, if you are configuring the power options and you don’t have minimum and maximum processor state options, the computer’s firmware isn’t fully compatible with ACPI 3.0 and likely will not fully support ACPI 4.0 or ACPI 5.0 either. Still, you should check the hardware manufacturer’s website for firmware updates.

Windows switches processors/cores between any p-state and from the C1 state to the C0 state nearly instantaneously (fractions of milliseconds) and tends not to use the deep sleep states, so you don’t need to worry about performance impact to throttle or wake up processors/cores. The processors/cores are available when they are needed. That said, the easiest way to limit processor power management is to modify the active power plan and set the minimum and maximum processor states to 100 percent.

Logical processor idling is used to reduce power consumption by removing a logical processor from the operating system’s list of nonprocessor-affinitized work. However, because processor-affinitized work reduces the effectiveness of this feature, you’ll want to plan carefully prior to configuring processing affinity settings for applications. Windows System Resource Manager allows you to manage processor resources through percent processor usage targets and processor affinity rules. Both techniques reduce the effectiveness of logical processor idling.

Windows saves power by putting processor cores in and out of appropriate p-states and c-states. On a computer with four logical processors, Windows might use p-states 0 through 5, where P0 allows 100 percent usage, P1 allows 90 percent usage, P2 allows 80 percent usage, P3 allows 70 percent usage, P4 allows 60 percent usage, and P5 allows 50 percent usage. When the computer is active, logical processor 0 would likely be active with a p-state of 0 through 5, and the other processors would likely be at an appropriate p-state or in a sleep state. Figure 1-1 shows an example. Here, logical processor 1 is running at 90 percent, logical processor 2 is running at 80 percent, logical processor 3 is running at 50 percent, and logical processor 4 is in the sleep state.

Diagram of processor cores working at different p-states, showing the total utilization of the logical processor.
Figure 1-1. Processor cores working at different p-states have different usage patterns.

Real World

ACPI 4.0 and ACPI 5.0 define four global power states. In G0, the working state in which software runs, power consumption is at its highest and latency is at its lowest. In G1, the sleeping state, in which software doesn’t run, latency varies with sleep state and power consumption is less than the G0 state. In G2 (also referred to as S5 sleep state), the soft off state where the operating system doesn’t run, latency is long and power consumption is very near zero. In G3, the mechanical off state, where the operating system doesn’t run, latency is long, and power consumption is zero. There’s also a special global state, known as S4 nonvolatile sleep, in which the operating system writes all system context to a file on nonvolatile storage media, allowing system context to be saved and restored.

Within the global sleeping state, G1, are sleep-state variations. S1 is a sleeping state where all system context is maintained. S2 is a sleeping state similar to S1 except that the CPU and system-cache contexts are lost and control starts from a reset. S3 is a sleeping state where all CPU, cache, and chip-set context are lost and hardware maintains memory context and restores some CPU and L2 cache configuration context. S4 is a sleeping state in which it is assumed that the hardware has powered off all devices to reduce power usage to a minimum and only the platform context is maintained. S5 is a sleeping state in which it is assumed that the hardware is in a soft off state, where no context is maintained and a complete boot is required when the system wakes.

Devices also have power states. D0, the fully on state, consumes the highest level of power. D1 and D2 are intermediate states that many devices do not use. D3hot is a power-saving state, where the device is software enumerable and can optionally preserve device context. D3 is the off state, where the device context is lost and the operating system must reinitialize the device to turn it back on.

Networking tools and protocols

Windows Server 2012 R2 has a suite of networking tools that includes Network Explorer, Network And Sharing Center, and Network Diagnostics. Figure 1-2 shows Network And Sharing Center.

Screen shot of the Network And Sharing Center, showing access to configuring sharing, discovery, and networking options.
Figure 1-2. Network And Sharing Center provides quick access to sharing, discovery, and networking options.

Understanding networking options

The sharing and discovery configuration in Network And Sharing Center controls basic network settings. When network discovery settings are turned on and a server is connected to a network, the server can see other network computers and devices and is visible on the network. When sharing settings are turned on or off, the various sharing options are allowed or restricted.

In Windows 8.1 and Windows Server 2012 R2, networks are identified as one of the following network types:

  • Domain. A network in which computers are connected to the corporate domain to which they are joined

  • Work. A private network in which computers are configured as members of a workgroup and are not connected directly to the public Internet

  • Workplace. A private network in which computers are configured as members of a workplace to which devices can connect over the public Internet (Windows 8.1 only)

  • Home. A private network in which computers are configured as members of a homegroup and are not connected directly to the public Internet

  • Public. A public network in which computers are connected to a network in a public place, such as a coffee shop or an airport, rather than an internal network

These network types are organized into three categories: private, domain, and public. Each network category has an associated network profile. Because a computer saves sharing and firewall settings separately for each network category, you can use different block and allow settings for each network category. When you connect to a network, a dialog box is displayed in which you can specify the network category. If you select Private, and the computer determines that it is connected to the corporate domain to which it is joined, the network category is set as Domain Network.

Based on the network category, Windows Server configures settings that turn discovery on or off. The On (enabled) state means that the computer can discover other computers and devices on the network and that other computers on the network can discover the computer. The Off (disabled) state means that the computer cannot discover other computers and devices on the network and that other computers on the network cannot discover the computer.

Using Advanced Sharing Settings in Network And Sharing Center, you can enable discovery and file sharing. However, discovery and file sharing are blocked by default on a public network, which enhances security by preventing computers on the public network from discovering other computers and devices on that network. When discovery and file sharing are disabled, files and printers you have shared from a computer cannot be accessed from the network. Additionally, some programs might not be able to access the network.

Working with networking protocols

To allow a server to access a network, you must install TCP/IP networking and a network adapter. Windows Server uses TCP/IP as the default wide area network (WAN) protocol. Normally, networking is installed during installation of the operating system. You can also install TCP/IP networking through local area connection properties.

The TCP and IP protocols make it possible for computers to communicate across various networks and the Internet by using network adapters. Windows 7 and later releases of Windows have a dual IP-layer architecture in which both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) are implemented and share common transport and network layers. IPv4 has 32-bit addresses and is the primary version of IP used on most networks, including the Internet. IPv6, alternatively, has 128-bit addresses and is the next-generation version of IP.

Note

DirectAccess clients send only IPv6 traffic across the DirectAccess connection to the DirectAccess server. Thanks to the NAT64/DNS64 support, DirectAccess clients can initiate communications with IPv4-only hosts on the corporate intranet. NAT64/DNS64 work together to translate incoming connection traffic from an IPv6 node to IPv4 traffic. The NAT64 translates the incoming IPv6 traffic to IPv4 traffic and performs the reverse translation for response traffic. The DNS64 resolves the name of an IPv4-only host to a translated IPv6 address.

Real World

The TCP Chimney Offload enables the networking subsystem to offload the processing of a TCP/IP connection from the computer’s processors to its network adapter as long as the network adapter supports TCP/IP offload processing. Both TCP/IPv4 connections and TCP/IPv6 connections can be offloaded. For Windows 7 and later releases of Windows, TCP connections are offloaded by default on 10 gigabits per second (Gbps) network adapters, but they are not offloaded by default on 1-Gbps network adapters. To offload TCP connections on a 1-Gbps or 10-Gbps network adapter, you must enable TCP offloading by entering the following command at an elevated, administrator command prompt: netsh int tcp set global chimney=enabled. You can check the status of TCP offloading by entering netsh int tcp show global. Although TCP offloading works with Windows Firewall, TCP offloading won’t be used with IPsec, Windows virtualization (Hyper-V), network load balancing, or the Network Address Translation (NAT) service. To determine whether TCP offloading is working, enter netstat-t and check the offload state. The offload state is listed as offloaded or inhost.

Windows also uses receive-side scaling and network direct memory access (NetDMA). You can enable or disable receive-side scaling by entering netsh int tcp set global rss=enabled or netsh int tcp set global rss=disabled, respectively. To check the status of receive-side scaling, enter netsh int tcp show global. You can enable or disable NetDMA by setting a DWord value under the EnableTCPA registry entry to 1 or 0, respectively. This registry entry is found under HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters.

IPv4’s 32-bit addresses are commonly expressed as four separate decimal values, such as 127.0.0.1 or 192.168.10.52. The four decimal values are referred to as octets because each represents 8 bits of the 32-bit number. With standard unicast IPv4 addresses, a variable part of the IP address represents the network ID, and a variable part of the IP address represents the host ID. A host’s IPv4 address and its media access control (MAC) address used by the host’s network adapter have no correlation.

IPv6’s 128-bit addresses are divided into eight 16-bit blocks delimited by colons. Each 16-bit block is expressed in hexadecimal form, such as FEC0:0:0:02BC:FF:BECB:FE4F:961D. With standard unicast IPv6 addresses, the first 64 bits represent the network ID, and the last 64 bits represent the network interface. Because many IPv6 address blocks are set to 0, a contiguous set of 0 blocks can be expressed as “::”, a notation referred to as double-colon notation. Using double-colon notation, the two 0 blocks in the previous address can be compressed as FEC0::02BC:FF:BECB:FE4F:961D. Three or more 0 blocks would be compressed in the same way. For example, FFE8:0:0:0:0:0:0:1 becomes FFE8::1.

When networking hardware is detected during installation of the operating system, both IPv4 and IPv6 are enabled by default; you don’t need to install a separate component to enable support for IPv6. The modified IP architecture in Windows 7 and later releases of Windows is referred to as the Next Generation TCP/IP stack, and it includes many enhancements that improve the way IPv4 and IPv6 are used.

For Windows 8.1 and Windows Server 2012 R2, Group Policy Preferences have been updated to support IPv6 addresses for TCP/I Printers and VPN connections. Item-level Targeting options also allow you to configure IPv6 address ranges.

For traffic routing between virtual and physical networks, Windows Server 2012 R2 includes Windows Server Gateway, which is integrated with Hyper-V Network Virtualization. You can use Windows Server Gateway to route network traffic regardless of where resources are located, allowing you to support integration of public and private cloud services with your internal networks in addition to multitenant implementations with Network Address Translation (NAT) and virtual private network (VPN) connections.

Domain controllers, member servers, and domain services

When you install Windows Server 2012 R2 on a new system, you can configure the server to be a member server, a domain controller, or a stand-alone server. The differences between these types of servers are extremely important. Member servers are part of a domain but don’t store directory information. Domain controllers are distinguished from member servers because they store directory information and provide authentication and directory services for the domain. Stand-alone servers aren’t part of a domain. Because stand-alone servers have their own user databases, they authenticate logon requests independently.

Working with Active Directory

Windows Server 2012 R2 supports a multimaster replication model. In this model, any domain controller can process directory changes and then replicate those changes to other domain controllers automatically. Windows Server distributes an entire directory of information, called a data store. Inside the data store are sets of objects representing user, group, and computer accounts in addition to shared resources such as servers, files, and printers.

Domains that use Active Directory are referred to as Active Directory domains. Although Active Directory domains can function with only one domain controller, you can and should configure multiple domain controllers in the domain. This way, if one domain controller fails, you can rely on the other domain controllers to handle authentication and other critical tasks.

Microsoft changed Active Directory in several fundamental ways for the original release of Windows Server 2008. As a result, Microsoft realigned the directory functionality and created a family of related services, including the following:

  • Active Directory Certificate Services (AD CS). AD CS provides functions necessary for issuing and revoking digital certificates for users, client computers, and servers. AD CS uses certificate authorities (CAs), which are responsible for confirming the identity of users and computers and then issuing certificates to confirm these identities. Domains have enterprise root CAs, which are the certificate servers at the root of certificate hierarchies for domains and the most trusted certificate servers in the enterprise, and subordinate CAs, which are members of a particular enterprise certificate hierarchy. Workgroups have stand-alone root CAs, which are the certificate servers at the root of nonenterprise certificate hierarchies, and stand-alone subordinate CAs, which are members of a particular nonenterprise certificate hierarchy.

  • Active Directory Domain Services (AD DS)AD DS provides the essential directory services necessary for establishing a domain, including the data store that stores information about objects on the network and makes that information available to users. AD DS uses domain controllers to manage access to network resources. After users authenticate themselves by logging on to a domain, their stored credentials can be used to access resources on the network. Because AD DS is the heart of Active Directory and is required for directory-enabled applications and technologies, I typically refer to it simply as Active Directory rather than Active Directory Domain Services or AD DS.

  • Active Directory Federation Services (AD FS). AD FS complements the authentication and access-management features of AD DS by extending them to the World Wide Web. AD FS uses web agents to provide users with access to internally hosted web applications and proxies to manage client access. After AD FS is configured, users can use their digital identities to authenticate themselves over the web and access internally hosted web applications with a web browser such as Internet Explorer.

  • Active Directory Lightweight Directory Services (AD LDS). AD LDS provides a data store for directory-enabled applications that do not require AD DS and do not need to be deployed on domain controllers. AD LDS does not run as an operating system service and can be used in both domain and workgroup environments. Each application that runs on a server can have its own data store implemented through AD LDS.

  • Active Directory Rights Management Services (AD RMS). AD RMS provides a layer of protection for an organization’s information that can extend beyond the enterprise, allowing email messages, documents, intranet webpages, and more to be protected from unauthorized access. AD RMS uses a certificate service to issue rights account certificates that identify trusted users, groups, and services; a licensing service that provides author-ized users, groups, and services with access to protected information; and a logging service to monitor and maintain the rights management service. After trust is established, users with a rights account certificate can assign rights to information. These rights control which users can access the information and what they can do with it. Users with rights account certificates can also access protected content to which they’ve been granted access. Encryption ensures that access to protected information is controlled both inside and outside the enterprise.

Microsoft introduced additional changes in Windows Server 2012 R2. These changes include a new domain functional level, called Windows Server 2012 R2 domain functional level, and a new forest functional level, called Windows Server 2012 R2 forest functional level. The many other changes are discussed in Chapter 7

Using read-only domain controllers

Windows Server 2008 and later releases support read-only domain controllers (RODCs) and restartable AD DS. An RODC is an additional domain controller that hosts a read-only replica of a domain’s Active Directory data store. RODCs are ideally suited to the needs of branch offices, where a domain controller’s physical security cannot be guaranteed. Except for passwords, RODCs store the same objects and attributes as writable domain controllers. These objects and attributes are replicated to RODCs through unidirectional replication from a writable domain controller that acts as a replication partner.

Because RODCs by default do not store passwords or credentials other than for their own computer account and the Kerberos Target (Krbtgt) account, RODCs pull user and computer credentials from a writable domain controller that is running Windows Server 2008 or later. If allowed by a password replication policy that is enforced on the writable domain controller, an RODC retrieves and then caches credentials as necessary until the credentials change. Because only a subset of credentials is stored on an RODC, this limits the number of credentials that can possibly be compromised.

Important

Any domain user can be delegated as a local administrator of an RODC without granting any other rights in the domain. An RODC can act in the role of a global catalog but cannot act in the role of an operations master. Although RODCs can pull information from domain controllers running Windows Server 2003, RODCs can pull updates of the domain partition only from a writable domain controller running Windows Server 2008 or later in the same domain.

Using restartable Active Directory Domain Services

Restartable AD DS is a feature that allows an administrator to start and stop AD DS. In the Services console, the Active Directory Domain Services service is available on domain controllers, allowing you to easily stop and restart AD DS in the same way as for any other service that is running locally on the server. While AD DS is stopped, you can perform maintenance tasks that would otherwise require restarting the server, such as performing offline defragmentation of the Active Directory database, applying updates to the operating system, or initiating an authoritative restore. While AD DS is stopped on a server, other domain controllers can handle authentication and logon tasks. Cached credentials, smart cards, and biometric logon methods continue to be supported. If no other domain controller is available and none of these logon methods applies, you can still log on to the server by using the Directory Services Restore Mode account and password.

All domain controllers running Windows Server 2008 or later support restartable AD DS—even RODCs. As an administrator, you can start or stop AD DS by using the Domain Controller entry in the Services utility. Because of restartable AD DS, domain controllers running Windows Server 2008 or later have three possible states:

  • Active Directory Started. Active Directory is started, and the domain controller has the same running state as a domain controller running Windows 2000 Server or Windows Server 2003. This allows the domain controller to provide authentication and logon services for a domain.

  • Active Directory Stopped. Active Directory is stopped, and the domain controller can no longer provide authentication and logon services for a domain. This mode shares some characteristics of both a member server and a domain controller in Directory Services Restore Mode. As with a member server, the server is joined to the domain. Users can log on interactively by using cached credentials, smart cards, and biometric logon methods. Users can also log on over the network by using another domain controller for domain logon. As with Directory Services Restore Mode, the Active Directory database (Ntds.dit) on the local domain controller is offline. This means you can perform offline AD DS operations, such as defragmentation of the database and application of security updates, without having to restart the domain controller.

  • Directory Services Restore Mode. Active Directory is in restore mode. The domain controller has the same restore state as a domain controller running Windows Server 2003. This mode allows you to perform an authoritative or nonauthoritative restore of the Active Directory database.

When working with AD DS in the Stopped state, you should keep in mind that dependent services are also stopped when you stop AD DS. This means that File Replication Service (FRS), Kerberos Key Distribution Center (KDC), and Intersite Messaging are stopped before Active Directory is stopped, and that even if they are running, these dependent services are restarted when Active Directory restarts. Further, you can restart a domain controller in Directory Services Restore Mode, but you cannot start a domain controller in the Active Directory Stopped state. To get to the Stopped state, you must first start the domain controller in the customary way and then stop AD DS.

Name-resolution services

Windows operating systems use name resolution to make it easier to communicate with other computers on a network. Name resolution associates computer names with the numerical IP addresses that are used for network communications. Thus, rather than using long strings of digits, users can access a computer on the network by using a friendly name.

Current Windows operating systems natively support three name-resolution systems:

  • Domain Name System (DNS)

  • Windows Internet Name Service (WINS)

  • Link-Local Multicast Name Resolution (LLMNR)

The sections that follow examine these services.

Using Domain Name System

DNS is a name-resolution service that resolves computer names to IP addresses. Using DNS, the fully qualified host name computer84.cpandl.com, for example, can be resolved to an IP address, which allows it and other computers to find one another. DNS operates over the TCP/IP protocol stack and can be integrated with WINS, Dynamic Host Configuration Protocol (DHCP), and Active Directory Domain Services.

DNS organizes groups of computers into domains. These domains are organized into a hierarchical structure, which can be defined on an Internet-wide basis for public networks or on an enterprise-wide basis for private networks (also known as intranets and extranets). The various levels within the hierarchy identify individual computers, organizational domains, and top-level domains. For the fully qualified host name computer84.cpandl.com, computer84 represents the host name for an individual computer, cpandl is the organizational domain, and com is the top-level domain.

Top-level domains are at the root of the DNS hierarchy; they are also called root domains. These domains are organized geographically, by organization type, and by function. Normal domains, such as cpandl.com, are also referred to as parent domains. They’re called parent domains because they’re the parents of an organizational structure. Parent domains can be divided into subdomains that can be used for groups or departments within an organization.

Subdomains are often referred to as child domains. For example, the fully qualified domain name (FQDN) for a computer within a human resources group could be jacob.hr.cpandl.com. Here, jacob is the host name, hr is the child domain, and cpandl.com is the parent domain.

Active Directory domains use DNS to implement their naming structure and hierarchy. Active Directory and DNS are tightly integrated, so much so that you should install DNS on the network before you install domain controllers that use Active Directory. During installation of the first domain controller on an Active Directory network, you’re given the opportunity to install DNS automatically if a DNS server can’t be found on the network. You are also able to specify whether DNS and Active Directory should be fully integrated. In most cases, you should respond affirmatively to both requests. With full integration, DNS information is stored directly in Active Directory. This allows you to take advantage of Active Directory’s capabilities.

The difference between partial integration and full integration is very important:

  • Partial integration. With partial integration, the domain uses standard file storage. DNS information is stored in text-based files that end with the .dns extension, and the default location of these files is %SystemRoot%System32Dns. Updates to DNS are handled through a single authoritative DNS server. This server is designated as the primary DNS server for the particular domain or an area within a domain called a zone. Clients that use dynamic DNS updates through DHCP must be configured to use the primary DNS server in the zone. If they aren’t, their DNS information won’t be updated. Likewise, dynamic updates through DHCP can’t be made if the primary DNS server is offline.

  • Full integration. With full integration, the domain uses directory-integrated storage. DNS information is stored directly in Active Directory and is available through the container for the dnsZone object. Because the information is part of Active Directory, any domain controller can access the data, and a multimaster approach can be used for dynamic updates through DHCP. This allows any domain controller running the DNS Server service to handle dynamic updates. Furthermore, clients that use dynamic DNS updates through DHCP can use any DNS server within the zone. An added benefit of directory integration is the ability to use directory security to control access to DNS information.

Real World

Windows Server 2012 R2 allows DNS clients to register both address (A) and pointer (PTR) records or only A records. A records are used for name-to-IP address lookups, also known as forward lookups; PTR records are used for IP address-to-name lookups, also known as reverse lookups. Being able to register only A records is useful when reverse lookups haven’t been configured and you don’t want DNS clients to repeatedly try to register PTR records.

If you look at the way DNS information is replicated throughout the network, you can see more advantages to full integration with Active Directory. With partial integration, DNS information is stored and replicated separately from Active Directory. Having two separate structures reduces the effectiveness of both DNS and Active Directory and makes administration more complex. Because DNS is less efficient than Active Directory at replicating changes, you might also increase network traffic and the amount of time it takes to replicate DNS changes throughout the network.

To enable DNS on the network, you need to configure DNS clients and servers. When you configure DNS clients, you tell the clients the IP addresses of DNS servers on the network. Using these addresses, clients can communicate with DNS servers anywhere on the network, even if the servers are on different subnets.

When the network uses DHCP, you should configure DHCP to work with DNS. To do this, you need to set the DHCP scope options 006 DNS Servers and 015 DNS Domain Name. Additionally, if computers on the network need to be accessible from other Active Directory domains, you need to create records for them in DNS. DNS records are organized into zones; as mentioned earlier in this chapter, a zone is simply an area within a domain.

When you install the DNS Server service on an RODC, the RODC is able to pull a read-only replica of all application directory partitions that are used by DNS, including ForestDNSZones and DomainDNSZones. Clients can then query the RODC for name resolution as they would query any other DNS server. However, as with directory updates, the DNS server on an RODC does not support direct updates. This means that the RODC does not register name server (NS) resource records for any Active Directory–integrated zone that it hosts. When a client attempts to update its DNS records against an RODC, the server returns a referral to a DNS server that the client can use for the update. The DNS server on the RODC should receive the updated record from the DNS server that receives details about the update by using a special replicate-single-object request that runs as a background process.

Windows 7 and later releases add support for DNS Security Extensions (DNSSEC). The DNS client running on these operating systems can send queries that indicate support for DNSSEC, process related records, and determine whether a DNS server has validated records on its behalf. On Windows servers, this allows your DNS servers to securely sign zones and to host DNSSEC-signed zones. It also allows DNS servers to process related records and perform both validation and authentication.

Using Windows Internet Name Service

WINS is a service that resolves computer names to IP addresses. Using WINS, the computer name COMPUTER84, for example, can be resolved to an IP address that enables computers on a Microsoft network to find one another and transfer information. WINS is needed to support pre–Windows 2000 systems and earlier applications that use NetBIOS over TCP/IP, such as the .NET command-line utilities. If you don’t have pre–Windows 2000 systems or applications on the network, you don’t need to use WINS.

WINS works best in client/server environments in which WINS clients send single-label (host) name queries to WINS servers for name resolution and WINS servers resolve the query and respond. When all your DNS servers are running Windows Server 2008 or later, deploying a Global Names zone creates static, global records with single-label names that do not rely on WINS. This allows users to access hosts by using single-label names rather than FQDNs and removes the dependency on WINS. To transmit WINS queries and other information, computers use NetBIOS. NetBIOS provides an application programming interface (API) that allows computers on a network to communicate. NetBIOS applications rely on WINS or the local LMHOSTS file to resolve computer names to IP addresses. On pre–Windows 2000 networks, WINS is the primary name resolution service available. On Windows 2000 and later networks, DNS is the primary name resolution service and WINS has a different function. This function is to allow pre–Windows 2000 systems to browse lists of resources on the network and to allow Windows 2000 and later systems to locate NetBIOS resources.

To enable WINS name resolution on a network, you need to configure WINS clients and servers. When you configure WINS clients, you tell the clients the IP addresses for WINS servers on the network. Using the IP addresses, clients can communicate with WINS servers anywhere on the network, even if the servers are on different subnets. WINS clients can also communicate by using a broadcast method through which clients broadcast messages to other computers on the local network segment that are requesting their IP addresses. Because messages are broadcast, the WINS server isn’t used. Any non-WINS clients that support this type of message broadcasting can also use this method to resolve computer names to IP addresses.

When clients communicate with WINS servers, they establish sessions that have the following three key parts:

  • Name registration. During name registration, the client gives the server its computer name and its IP address and asks to be added to the WINS database. If the specified computer name and IP address aren’t already in use on the network, the WINS server accepts the request and registers the client in the WINS database.

  • Name renewal. Name registration isn’t permanent. Instead, the client can use the name for a specified period known as a lease. The client is also given a time period within which the lease must be renewed, which is known as the renewal interval. The client must reregister with the WINS server during the renewal interval.

  • Name release. If the client can’t renew the lease, the name registration is released, allowing another system on the network to use the computer name, IP address, or both. The names are also released when you shut down a WINS client.

After a client establishes a session with a WINS server, the client can request name-resolution services. The method used to resolve computer names to IP addresses depends on how the network is configured. The following four name-resolution methods are available:

  • B-node (broadcast). Uses broadcast messages to resolve computer names to IP addresses. Computers that need to resolve a name broadcast a message to every host on the local network, requesting the IP address for a computer name. On a large network with hundreds or thousands of computers, these broadcast messages can use up valuable network bandwidth.

  • P-node (peer-to-peer). Uses WINS servers to resolve computer names to IP addresses. As explained earlier, client sessions have three parts: name registration, name renewal, and name release. In this mode, when a client needs to resolve a computer name to an IP address, the client sends a query message to the server and the server responds with an answer.

  • M-node (mixed)Combines b-node and p-node. With m-node, a WINS client first tries to use b-node for name resolution. If the attempt fails, the client then tries to use p-node. Because b-node is used first, this method has the same problems with network bandwidth usage as b-node.

  • H-node (hybrid). Also combines b-node and p-node. With h-node, a WINS client first tries to use p-node for peer-to-peer name resolution. If the attempt fails, the client then tries to use broadcast messages with b-node. Because peer-to-peer is the primary method, h-node offers the best performance on most networks. H-node is also the default method for WINS name resolution.

If WINS servers are available on the network, Windows clients use the p-node method for name resolution. If no WINS servers are available on the network, Windows clients use the b-node method for name resolution. Windows computers can also use DNS and the local files LMHOSTS and HOSTS to resolve network names.

When you use DHCP to assign IP addresses dynamically, you should set the name resolution method for DHCP clients. To do this, you need to set DHCP scope options for the 046 WINS/NBT Node Type. The best method to use is h-node. You’ll get the best performance and reduce traffic on the network.

LLMNR fills a need for peer-to-peer name-resolution services for devices with an IPv4 address, an IPv6 address, or both, allowing IPv4 and IPv6 devices on a single subnet without a WINS or DNS server to resolve each other’s names—a service that neither WINS nor DNS can fully provide. Although WINS can provide both client/server and peer-to-peer name-resolution services for IPv4, it does not support IPv6 addresses. DNS, alternatively, supports IPv4 and IPv6 addresses, but it depends on designated servers to provide name-resolution services.

Windows 7 and later releases support LLMNR. LLMNR is designed for both IPv4 and IPv6 clients in configurations where other name-resolution systems are not available, such as the following:

  • Home or small office networks

  • Ad hoc networks

  • Corporate networks where DNS services are not available

LLMNR is designed to complement DNS by enabling name resolution in scenarios in which conventional DNS name resolution is not possible. Although LLMNR can replace the need for WINS in cases where NetBIOS is not required, LLMNR is not a substitute for DNS because it operates only on the local subnet. Because LLMNR traffic is prevented from propagating across routers, it cannot accidentally flood the network.

As with WINS, you use LLMNR to resolve a host name, such as COMPUTER84, to an IP address. By default, LLMNR is enabled on all computers running Windows 7 and later releases, and these computers use LLMNR only when all attempts to look up a host name through DNS fail. As a result, name resolution works like the following for Windows 7 and later releases:

  1. A host computer sends a query to its configured primary DNS server. If the host computer does not receive a response or receives an error, it tries each configured alternate DNS server in turn. If the host has no configured DNS servers or fails to connect to a DNS server without errors, name resolution fails over to LLMNR.

  2. The host computer sends a multicast query over User Datagram Protocol (UDP) requesting the IP address for the name being looked up. This query is restricted to the local subnet (also referred to as the local link).

  3. Each computer on the local link that supports LLMNR and is configured to respond to incoming queries receives the query and compares the name to its own host name. If the host name is not a match, the computer discards the query. If the host name is a match, the computer transmits a unicast message containing its IP address to the originating host.

You can also use LLMNR for reverse mapping. With a reverse mapping, a computer sends a unicast query to a specific IP address, requesting the host name of the target computer. An LLMNR-enabled computer that receives the request sends a unicast reply containing its host name to the originating host.

LLMNR-enabled computers are required to ensure that their names are unique on the local subnet. In most cases, a computer checks for uniqueness when it starts, when it resumes from a suspended state, and when you change its network interface settings. If a computer has not yet determined that its name is unique, it must indicate this condition when responding to a name query.

Real World

By default, LLMNR is automatically enabled on computers running Windows 7 and later releases. You can disable LLMNR through registry settings. To disable LLMNR for all network interfaces, create and set the following registry value to 0: HKLM/SYSTEM/CurrentControlSet/Services/Dnscache/Parameters/EnableMulticast.

To disable LLMNR for a specific network interface, create and set the following registry value to 0: HKLM/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters/AdapterGUID/EnableMulticast.

Here, AdapterGUID is the globally unique identifier (GUID) of the network-interface adapter for which you want to disable LLMNR. You can enable LLMNR again at any time by setting these registry values to 1. You also can manage LLMNR through Group Policy.

Frequently used tools

Many utilities are available for administrating Windows Server 2012 R2 systems. The tools you use the most include the following:

  • Control Panel. A collection of tools for managing system configuration. You can organize Control Panel in different ways according to the view you’re using. A view is simply a way of organizing and presenting options. You change the view by using the View By list. Category view is the default view, and it provides access to tools by category, tool, and key tasks. The Large Icons and Small Icons views are alternative views that list each tool separately by name.

  • Graphical administrative tools. The key tools for managing network computers and their resources. You can access these tools by selecting them individually from the Administrative Tools program group.

  • Administrative wizards. Tools designed to automate key administrative tasks. You can access many administrative wizards in Server Manager—the central administration console for Windows Server 2012 R2.

  • Command-line utilities. You can start most administrative utilities from the command prompt. In addition to these utilities, Windows Server 2012 R2 provides others that are useful for working with Windows Server 2012 R2 systems.

To learn how to use any of the .NET command-line tools, type NET HELP at a command prompt followed by the command name, such as NET HELP SHARE. Windows Server 2012 R2 then provides an overview of how the command is used.

Windows PowerShell

For additional flexibility in your command-line scripting, you might want to use Windows PowerShell. Windows PowerShell is a full-featured command shell that can use built-in commands called cmdlets, built-in programming features, and standard command-line utilities. A command console and a graphical environment are available.

Although the Windows PowerShell console and the graphical scripting environment are installed by default, several other Windows PowerShell features are not installed by default. They include the Windows PowerShell 2.0 engine, which is provided for backward compatibility with existing Windows PowerShell host applications, and Windows PowerShell Web Access, which lets a server act as a web gateway for managing the server remotely by using Windows PowerShell and a web client.

Real World

You can install these additional Windows PowerShell features by using the Add Roles And Features Wizard. On the desktop, tap or click the Server Manager button on the taskbar. This option is included by default. In Server Manager, tap or click Manage, and then tap or click Add Roles And Features. This runs the Add Roles And Features Wizard, which you use to add these features. Note, however, that with Windows Server 2012 R2, not only can you disable a role or feature, but you also can remove the binaries needed for that role or feature. Binaries needed to install roles and features are referred to as payloads.

The Windows PowerShell console (Powershell.exe) is a 32-bit or 64-bit environment for working with Windows PowerShell at the command line. On 32-bit versions of Windows, you’ll find the 32-bit executable in the %SystemRoot%System32WindowsPowerShellv1.0 directory. On 64-bit versions of Windows, you’ll find the 32-bit executable in the %SystemRoot%SysWow64WindowsPowerShellv1.0 directory, and the 64-bit executable in the %SystemRoot%System32WindowsPowerShellv1.0 directory.

On the desktop, you can open the Windows PowerShell console by tapping or clicking the Windows PowerShell button on the taskbar. This option is included by default. On 64-bit systems, the 64-bit version of Windows PowerShell is started by default. If you want to use the 32-bit Windows PowerShell console on a 64-bit system, you must select the Windows PowerShell (x86) option.

You can start Windows PowerShell from a Windows command shell (Cmd.exe) by entering the following:

powershell

Note

The directory path for Windows PowerShell should be in your command path by default. This ensures that you can start Windows PowerShell from a command prompt without first having to change to the related directory.

After starting Windows PowerShell, you can enter the name of a cmdlet at the prompt, and the cmdlet will run in much the same way as a command-line command. You can also execute cmdlets in scripts. Cmdlets are named by using verb-noun pairs. The verb tells you what the cmdlet does in general. The noun tells you what specifically the cmdlet works with. For example, the Get-Variable cmdlet gets all Windows PowerShell environment variables and returns their values, or it gets a specifically named environment variable and returns its value. The common verbs associated with cmdlets are as follows:

  • Get-. Queries a specific object or a subset of a type of object, such as a specified performance counter or all performance counters

  • Set-. Modifies specific settings of an object

  • Enable-. Enables an option or a feature

  • Disable-. Disables an option or a feature

  • New-. Creates a new instance of an item, such as a new event or service

  • Remove-. Removes an instance of an item, such as an event or event log

At the Windows PowerShell prompt, you can get a complete list of cmdlets by entering get-help *-*. To get Help documentation on a specific cmdlet, enter get-help followed by the cmdlet name, such as get-help get-variable. Windows PowerShell V3 and later use online and updatable Help files. Because of this, you might see only basic syntax for cmdlets and functions. To get full Help details, you’ll have to either use online Help or download the Help files to your computer. For online Help, add the -online option to your get-help command, as shown here:

get-help get-variable -online

Use the Update-Help cmdlet to download and install the current Help files from the Internet. Without parameters, Update-Help updates the Help files for all modules installed on the computer. However, Update-Help does the following:

  • Downloads files only once a day

  • Installs files only when they are newer than the ones on the computer

  • Limits the total size of uncompressed Help files to 1 GB

You can override these restrictions by using the -Force parameter. You can save Help files to the local computer by using Save-Help.

All cmdlets also have configurable aliases that act as shortcuts for executing a cmdlet. To list all aliases available, enter get-alias at the Windows PowerShell prompt. You can create an alias that invokes any command by using the following syntax:

new-item –path alias:AliasName –value:FullCommandPath

Here AliasName is the name of the alias to create, and FullCommandPath is the full path to the command to run, such as the following:

new-item –path alias:sm –value:c:windowssystem32compmgmtlauncher.exe

This example creates the alias sm for starting Server Manager. To use this alias, you simply type sm and then press Enter when you are working with Windows PowerShell. It’s important to note that Windows PowerShell 3 and later versions automatically import required modules the first time you use a related command. With Windows PowerShell 2, you needed to explicitly import a module before you could run any of its commands.

Real World

Generally speaking, anything you can enter at a command prompt also can be entered at the Windows PowerShell prompt. This is possible because Windows PowerShell looks for external commands and utilities as part of its usual processing. As long as the external command or utility is found in a directory specified by the PATH environment variable, the command or utility is run as appropriate. However, keep in mind that the Windows PowerShell execution order could affect whether a command runs as expected. For Windows PowerShell, the execution order is 1) alternate built-in or profile-defined aliases, 2) built-i Windows n or profile-defined functions, 3) cmdlets or language keywords, 4) scripts with the .ps1 extension, and 5) external commands, utilities, and files. Thus, if any element in 1 through 4 of the execution order has the same name as a command, that element will run instead of the expected command.

Windows Remote Management

The Windows PowerShell remoting features are supported by the WS-Management protocol and the Windows Remote Management (WinRM) service that implements WS-Management in Windows. Computers running Windows 8 and later, and also Windows Server 2012 or later, include WinRM 3.0 or later. If you want to manage a Windows server from a workstation, you need to be sure that WinRM 3.0 and Windows PowerShell are installed and that the server has a WinRM listener enabled. A Microsoft Internet Information Services (IIS) extension, installable as a Windows feature called WinRM IIS Extension, lets a server act as a web gateway for managing the server remotely by using WinRM and a web client.

Enabling and using WinRM

You can verify the availability of WinRM 3.0 and configure Windows PowerShell for remoting by following these steps:

  1. Tap or click Start, and then point to Windows PowerShell. Start Windows PowerShell as an administrator by pressing and holding or right-clicking the Windows PowerShell shortcut and then selecting Run As Administrator.

  2. The WinRM service is configured for manual start by default. You must change the startup type to Automatic and start the service on each computer you want to work with. At the Windows PowerShell prompt, you can verify that the WinRM service is running by using the following command:

    get-service winrm

    As shown in the following example, the value of the Status property in the output should be Running:

    Status   Name               DisplayName
    ------   ----               -----------
    Running  WinRM              Windows Remote Management

    If the service is stopped, enter the following command to start the service, and then configure it to start automatically in the future:

    set-service –name winrm –startuptype automatic –status running
  3. To configure Windows PowerShell for remoting, enter the following command:

    Enable-PSRemoting –force

    You can enable remoting only when your computer is connected to a domain or a private network. If your computer is connected to a public network, you need to disconnect from the public network and connect to a domain or private network and then repeat this step. If one or more of your computer’s connections has the Public Network connection type but you are actually connected to a domain or private network, you need to change the network connection type in Network And Sharing Center and then repeat this step.

In many cases, you are able to work with remote computers in other domains. However, if the remote computer is not in a trusted domain, the remote computer might not be able to authenticate your credentials. To enable authentication, you need to add the remote computer to the list of trusted hosts for the local computer in WinRM. To do so, enter the following:

winrm set winrm/config/client '@{TrustedHosts="RemoteComputer"}'

Here RemoteComputer is the name of the remote computer, such as the following:

winrm set winrm/config/client '@{TrustedHosts="CorpServer56"}'

When you are working with computers in workgroups or homegroups, you must use HTTPS as the transport or add the remote machine to the TrustedHosts configuration settings. If you cannot connect to a remote host, verify that the service on the remote host is running and is accepting requests by running the following command on the remote host:

winrm quickconfig

This command analyzes and configures the WinRM service. If the WinRM service is set up correctly, you’ll get output similar to the following:

WinRM already is set up to receive requests on this machine.
WinRM already is set up for remote management on this machine.

If the WinRM service is not set up correctly, you receive errors and need to respond affirmatively to several prompts that allow you to automatically configure remote management. When this process is complete, WinRM should be set up correctly.

Whenever you use Windows PowerShell remoting features, you must start Windows PowerShell as an administrator by pressing and holding or right-clicking the Windows PowerShell shortcut and then selecting Run As Administrator. When starting Windows PowerShell from another program, such as the command prompt, you must start that program as an administrator.

Configuring WinRM

When you are working with an elevated, administrator command prompt, you can use the WinRM command-line utility to view and manage the remote management configuration. Enter winrm get winrm/config to display detailed information about the remote management configuration.

If you examine the configuration listing, you’ll notice there is a hierarchy of information. The base of this hierarchy, the Config level, is referenced with the path winrm/config. Then there are sublevels for client, service, and WinRS, referenced as winrm/config/client, winrm/config/service, and winrm/config/winrs, respectively. You can change the value of most configuration parameters by using the following command:

winrm set ConfigPath @{ParameterName="Value"}

Here ConfigPath is the configuration path, ParameterName is the name of the parameter you want to work with, and Value sets the value for the parameter, as shown in the following example:

winrm set winrm/config/winrs @{MaxShellsPerUser="10"}

Here, you set the MaxShellsPerUser parameter under winrm/config/winrs. This parameter controls the maximum number of connections to a remote computer that can be active per user. (By default, each user can have only five active connections.) Keep in mind that some parameters are read-only and cannot be set in this way.

WinRM requires at least one listener to indicate the transports and IP addresses on which management requests can be accepted. The transport must be HTTP, HTTPS, or both. With HTTP, messages can be encrypted by using NTLM or Kerberos encryption. With HTTPS, Secure Sockets Layer (SSL) is used for encryption. You can examine the configured listeners by entering winrm enumerate winrm/config/listener. As Listing 1-1 shows, this command displays the configuration details for configured listeners.

LISTING 1-1 Sample configuration for listeners
Listener
    Address = *
    Transport = HTTP
    Port = 80
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 127.0.0.1, 192.168.1.225

By default, your computer is probably configured to listen on any IP address. If so, no output will be displayed. To limit WinRM to specific IP addresses, the computer’s local loopback address (127.0.0.1) and assigned IPv4 and IPv6 addresses can be explicitly configured for listening. You can configure a computer to listen for requests over HTTP on all configured IP addresses by entering the following:

winrm create winrm/config/listener?Address=*+Transport=HTTP

You can listen for requests over HTTPS on all IP addresses configured on the computer by entering the following:

winrm create winrm/config/listener?Address=*+Transport=HTTPS

Here, the asterisk (*) indicates all configured IP addresses. Note that the CertificateThumbprint property must be empty to share the SSL configuration with another service.

You can enable or disable a listener for a specific IP address by entering the following:

winrm set winrm/config/listener?Address=IP:192.168.1.225+Transport=HTTP @{Enabled="true"}

or

winrm set winrm/config/listener?Address=IP:192.168.1.225+Transport=HTTP @{Enabled="false"}

You can enable or disable basic authentication on the client by entering the following:

winrm set winrm/config/client/auth @{Basic="true"}

or

winrm set winrm/config/client/auth @{Basic="false"}

You can enable or disable Windows authentication using either NTLM or Kerberos (as appropriate) by entering the following:

winrm set winrm/config/client @{TrustedHosts="<local>"}

or

winrm set winrm/config/client @{TrustedHosts=""}

In addition to managing WinRM at the command line, you can manage the service by using Group Policy. As a result, Group Policy settings might override any settings you enter.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.217.208.72