<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Windows Server HQ by Train Signal.com &#187; Server 2008</title>
	<atom:link href="http://windowsserver.trainsignal.com/tag/server-2008/feed" rel="self" type="application/rss+xml" />
	<link>http://windowsserver.trainsignal.com</link>
	<description>We are here to help you learn Windows Server!</description>
	<lastBuildDate>Fri, 20 Aug 2010 16:23:22 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Using File Classification Infrastructure to Improve Security, Save Money, and Manage Data</title>
		<link>http://windowsserver.trainsignal.com/using-fci-file-classification-infrastructure</link>
		<comments>http://windowsserver.trainsignal.com/using-fci-file-classification-infrastructure#comments</comments>
		<pubDate>Wed, 14 Jul 2010 14:00:27 +0000</pubDate>
		<dc:creator>Brian Nelson</dc:creator>
				<category><![CDATA[Server 2008 R2]]></category>
		<category><![CDATA[FCI]]></category>
		<category><![CDATA[File Classification Infrastructure]]></category>
		<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[Windows Server]]></category>

		<guid isPermaLink="false">http://windowsserver.trainsignal.com/?p=7506</guid>
		<description><![CDATA[File Classification Infrastructure, or FCI, is a new tool included with Windows Server 2008 R2 to help better manage all of the data stored on file servers throughout the enterprise. Using a system that tags files, keeps those tags attached to files as they are used, and then uses those tags to manage the files, [...]

]]></description>
			<content:encoded><![CDATA[<p>File Classification Infrastructure, or FCI, is a new tool included with Windows Server 2008 R2 to help better manage all of the data stored on file servers throughout the enterprise. Using a system that tags files, keeps those tags attached to files as they are used, and then uses those tags to manage the files, FCI creates a powerful infrastructure for fine-grained file management and security. Best of all, it comes free with all editions of Windows Server 2008 R2.</p>
<h2>Installing FCI on Server 2008</h2>
<p>Although FCI comes with all versions of Server 2008 R2, it is not installed by default, in line with Microsoft&#8217;s strategy of installing only the necessary services and roles on each server based upon its functionality within the network. FCI is installed as a component of the File Services role, and implemented via the File Server Resource Manager console. Once installed, FCI is deceptively easy to use and, at the same time, infinitely complex in its possibilities.</p>
<p><span id="more-7506"></span></p>
<p>The first step in using File Classification Infrastructure is to define what the tags are. There are no default tags or tagging systems, because FCI is designed to be custom tailored to a particular business environment. One need only think about the difference between what confidential or secret mean to a chain of dry cleaners, versus what they mean to a defense contractor to see why defaults would not be particularly useful in this case.</p>
<p>Tagging files is done by &#8220;classifying&#8221; them. FCI classification is a two-step process. The first step is to define the classifications. The second step is to apply the classifications to files.</p>
<p>Defining classifications is done within FSRM under Classification Management. Under Classification Management is Classification Properties, where one creates the classification structure. Here the rules are defined that determine whether or not a file is classified as a particular kind of data. For example, a file might be classified as &#8220;confidential&#8221; if it is stored in the &#8220;Confidential&#8221; directory of the Legal Department&#8217;s file server area. Obviously, more complex criteria are possible. A file might be classified as internal financial data if it is created by a member of the Accounting group, during the first week of the month, and the file name contains the words &#8220;monthly report.&#8221;</p>
<p>FCI supports classifications based upon date and time, numbers, multiple choice lists, ordered lists, strings, multiple strings, or Boolean criteria. There is no need to stick with generalized classifications like Confidential, Secret, or Internal Use Only, although these can be set as high-level classifications. The real power of FCI comes from more granular classifications, such as classifying all Excel spreadsheets, stored in the project folder &#8220;New Products&#8221;, created between January and March of 2009, that contain the words &#8220;projected internal costs&#8221;, as Internal Prototyping Projections.</p>
<h2>Using FCI To Improve Security and Better Manage Data</h2>
<p>Defining the classifications doesn&#8217;t actually do anything. No files are tagged just by defining the components of a classification. In order to do anything with these classifications, the real files must be tagged. Doing so requires creating Classification Rules.</p>
<p>To create a classification rule, one first defines a name and a scope for the rule in the Rule Settings tab. The name is what the tag attached to the file will be called. The scope defines which files to evaluate to determine if they are assigned that classification. The actual rules for classifying files are set in the Classification tab. Classifying can be done by simply evaluating whether or not a file is within a certain folder (remember, the tag follows the file as it is moved and copied). It can also be done by checking for certain words or phrases within the documents themselves. Powerful classification can be done using the PowerShell classifier. With it, your ability to evaluate files is limited only by your ability to write a PowerShell script to do what you want.</p>
<p>An analogy can help make the process a little clearer.</p>
<p>Classification Properties are the things that matter for determining speed limits. For example, how close is the road to a school, is the road an Interstate, is the road two-lanes, three-lanes, four-lanes, etc. Notice that these are just the properties that CAN be evaluated; there is no structure here for how a road is assigned a particular speed limit, only what properties will need to be examined in order to assign a speed.</p>
<p>Classification Rules are like the actual criteria that determine which speed limit a road gets. For example, roads within 100 feet of a school should be classified as 20 MPH roads. At this point, all you have is rules in the city planner&#8217;s office. In order to actually implement the speed limits, the possible criteria need to be evaluated against the rules.</p>
<p>At this point, you can actually apply the rules to the roads. Doing so requires choosing which roads to evaluate against which criteria (scope). Based on that evaluation, you can actually &#8220;tag&#8221; the roads by putting up speed limit signs that say 20 MPH (name).</p>
<p>Finally, the files are classified. However, nothing has actually been done based on those classifications.</p>
<p>To actually DO SOMETHING with all these tagged files, the administrator has several choices. First, both file management and reporting based on the classification tabs are available in FSRM. These tools can be used to move, copy, rename, or delete files, as well as setting more traditional file properties. Just as important, reports can be generated to alert administrators or managers that files tagged as Sensitive or Confidential are residing in insecure locations. Using just these two tools can resolve a lot of headaches, as well as create better processes. No doubt the first time that guy in accounting gets asked why he is saving proprietary budget documents to a public share, he won&#8217;t even know he was doing that. (&#8220;We&#8217;ve always saved them to the G Drive.&#8221;)</p>
<p>However, even more powerful management can be achieved using PowerShell. Once classified, the FCI system can be used inside PowerShell scripts in order to perform complex tasks or create additional reporting or alert levels.</p>
<p>Creating an entire file classification system from scratch is a daunting prospect. However, building some basic rules to generate reports is a good starting place. From there, needs and concerns will arise that can be easily solved by using the FCI system. Eventually, a file classification as robust and as well-defined as your Active Directory structure will emerge. After all, you didn&#8217;t start out the first day of the Active Directory implementation by creating all the objects you have today.</p>


]]></content:encoded>
			<wfw:commentRss>http://windowsserver.trainsignal.com/using-fci-file-classification-infrastructure/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>File Classification Infrastructure in Server 2008 R2 SP2</title>
		<link>http://windowsserver.trainsignal.com/server-2008-r2-sp2-fci</link>
		<comments>http://windowsserver.trainsignal.com/server-2008-r2-sp2-fci#comments</comments>
		<pubDate>Wed, 07 Jul 2010 09:40:08 +0000</pubDate>
		<dc:creator>Brian Nelson</dc:creator>
				<category><![CDATA[Server 2008 R2]]></category>
		<category><![CDATA[FCI]]></category>
		<category><![CDATA[File Classification Infrastructure]]></category>
		<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[Windows Server]]></category>

		<guid isPermaLink="false">http://windowsserver.trainsignal.com/?p=7503</guid>
		<description><![CDATA[Windows Administrators have been responsible for keeping data safe and accessible on File Servers for years. Recently, however, that role has been expanded. Legislation requiring companies to inform customers whenever their personal data has been potentially compromised led to a flood of embarrassing situations for business.
Ironically, these data breaches were seldom the fault of corporate [...]

]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-7504" title="File Classification Infrastructure in Windows Server 2008 R2 SP2" src="http://windowsserver.trainsignal.com/wp-content/uploads/2010/04/file-classification-infrastructure.jpg" alt="File Classification Infrastructure in Windows Server 2008 R2 SP2" align="left" width="250" height="73" />Windows Administrators have been responsible for keeping data safe and accessible on File Servers for years. Recently, however, that role has been expanded. Legislation requiring companies to inform customers whenever their personal data has been potentially compromised led to a flood of embarrassing situations for business.</p>
<p>Ironically, these data breaches were seldom the fault of corporate IT professionals who were properly performing their duties of keeping the company file servers up and running, and secure behind firewalls and security protocols. However, when a problem with computers or data arises, everyone turns to IT for answers. Fortunately, Microsoft Windows Server 2008 R2 comes with a free data management tool that can help IT be more proactive in managing data.</p>
<h2>File Classification Infrastructure (FCI) in Server 2008 R2</h2>
<p>File Classification Infrastructure, or FCI, was released with Server 2008 R2. Although FCI comes bundled for free with all editions of Server 2008 R2, it is not enabled by default. FCI is primarily a function of file servers. </p>
<p>To install FCI, the administrator must first install the File Server Resource Manager (FSRM) role service to the File Services role. All FCI functions, reporting, and configuration are handled from inside of the FSRM console.</p>
<h2>Understanding FCI</h2>
<p>Understanding the potential power of FCI is done best through example. Consider the following scenario.</p>
<p><span id="more-7503"></span><br />
Our intrepid hero this episode is a Microsoft Certified Systems Engineer (MCSE) named Clyde. Clyde works for a company that processes third-party transactions of all types (including financial transactions for some clients) for both businesses and customers. </p>
<p>As is the case at most well run corporate IT departments, the server and network infrastructure is housed in secure data centers behind an assortment of firewalls, security protocols, and monitoring systems. Getting at the company&#8217;s data by coming in the front door (or the backdoor, sidedoor, or windows) is difficult at best, and impossible for all but the most skilled intruders.</p>
<p>However, the company continues to have embarrassing incidents where confidential, proprietary, or personal information has been unintentionally disclosed in a variety of ways. None of these breaches has been the result of a hacker penetrating the company&#8217;s security, but rather mishaps ranging from sensitive data being left on a public share, to files with confidential information being passed on to clients, customers, or in one very embarrassing incident, directly to the media. In each case, internal investigations revealed that all IT systems functioned correctly.</p>
<p>How did sensitive information end up being exposed to the public?</p>
<p>The answer lies at the heart of what FCI can do for making data management easier, less expensive, and more secure.</p>
<h2>What is the Point of FCI?</h2>
<p>From our example above, we know that Clyde is a competent systems administrator. Like most admins, he has several responsibilities. He manages all of these different functions by utilizing power tools and utilities that allow him to automate as much as possible, and to monitor everything else. </p>
<p>Unfortunately, one critical tool is missing from his arsenal. While Clyde knows that financial reports are confidential, he has no way of knowing which files ARE financial reports, or which ones contain financial data.</p>
<p>Clyde has done what most IT administrators have done. He created specific places for the Accounting Department to store financial reports and other sensitive financial information. Access is locked down and restricted to certain members of the accounting team via several mechanisms including setting carefully configured permissions on servers, desktops, and laptops. Procedures are in place to require notification of any member of the accounting team leaving the company, and access is frequently audited. Security is monitored by both the security team and the administrators both manually and via detection systems. Accessing the financial data stored in these locations is virtually impossible for all but the most capable hackers.</p>
<p>Unfortunately for Clyde, the Executive Vice President of Operations, who is preparing for a very important presentation to the Board of Directors on Friday, requested a few years&#8217; worth of financial data. For a presentation like this one, the high-level numbers presented to the public, and even to most people within the company, are not sufficient. This presentation requires details like exactly how much revenue comes from each client, and how much profit that generates, and so on.</p>
<p>The accounting team provided the VP with the data he needed. The executive is no dummy; he knows that this information is very sensitive and that its disclosure could hurt the company&#8217;s relationships with very important clients. Therefore, he keeps the data safe by storing it in secure locations he has access to on the network and on the encrypted hard drive of his laptop. Every system has worked perfectly and only authorized personnel have accessed the data.</p>
<p>Four months later, with the Board of Directors presentation long since left in the rear view mirror, a new crisis has erupted. The VP is travelling abroad and an issue is blowing up back at home. If the right people don&#8217;t get what they need fast, heads are going to roll. A fully authorized user, acting in a proper manner, accesses the backups of the server location where the necessary information is properly stored. He quickly copies all the files from April, encrypts them, and sends them on to the right people. Since almost all of the information required is confidential or sensitive in some manner, even if the file was in a directory called Confidential, there is no reason to single out a particular file.</p>
<p>The day is saved, but the right people to be getting all of the other April files are the wrong people to be looking at one particular spreadsheet from April: the spreadsheet used for the Board presentation, which the VP kept just in case a board member came back later with questions about the data. The VP didn&#8217;t forget about it; he kept it a few weeks just in case someone came back with questions about the data, and then deleted the file.</p>
<h2>How FCI Helps Manage Data Better, Reduces Costs, and Improves Security</h2>
<p>The problem in this scenario would eventually be called &#8220;employee error&#8221; if investigated fully. However, that is a disingenuous conclusion since no one actually acted improperly.</p>
<p>The VP stored a confidential file in a secure manner. The employee retrieving the data was authorized to do so and can&#8217;t realistically be expected to examine every file to see what is in it. In fact, that could be a bigger security risk.</p>
<p>The real issue is that there is no practical way for data to be marked as sensitive (or important, or from a certain project, or &#8230;) in such a way that the tag follows the data through its lifespan. Even if the original file had been tagged somehow, the new one created by the VP would not have the same tag.</p>
<p>This is where the new File Classification Infrastructure comes in.</p>
<p>With FCI, data can be tagged in exactly this manner. The original spreadsheet from accounting could have been tagged not just as confidential, but as internal financial data, as well, based on where the file was stored originally. Even the new file created by the VP would be tagged in this manner, not because of where the VP saves the file, but rather based upon being part of a particular project. The off-site backup of the project data would retain the file&#8217;s tags because tags are retained within the NTFS properties of the file no matter where it is moved in the enterprise. Finally, even if the data were to somehow lose its tagged status, it could be re-tagged properly based upon its content.</p>
<p>These tags can be used by Clyde to monitor for sensitive files in the wrong places, if the file were copied to the web server, for example. The tags can also be used to manipulate how the file is treated. Files tagged like this one might never be backed up as part of the regular backups. The tags could even be used to prevent the file from being displayed or included in the subsequent copy, because data tagged like this file is considered expired after a certain amount of time.</p>
<p>For the first time, the right tool is available to Clyde without implementing yet another big infrastructure project, without buying even more tools and utilities, and best of all, without implementing another round of company-wide security procedures. All he has to do is set it up.</p>


]]></content:encoded>
			<wfw:commentRss>http://windowsserver.trainsignal.com/server-2008-r2-sp2-fci/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Best of TechEd 2010 &#8212; Chicago Windows User Group Presentation</title>
		<link>http://windowsserver.trainsignal.com/best-of-teched-2010</link>
		<comments>http://windowsserver.trainsignal.com/best-of-teched-2010#comments</comments>
		<pubDate>Thu, 17 Jun 2010 20:22:05 +0000</pubDate>
		<dc:creator>Ed Liberman</dc:creator>
				<category><![CDATA[Windows Server]]></category>
		<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[Server 2008 R2]]></category>
		<category><![CDATA[TechEd]]></category>
		<category><![CDATA[Windows 7]]></category>

		<guid isPermaLink="false">http://windowsserver.trainsignal.com/?p=7538</guid>
		<description><![CDATA[I just finished giving my presentation on my three favorite TechEd 2010 presentations at our local Chicago Windows User Group meeting. Below are the slides from the presentation which include most of what I talked about including the links to TechEd resources that I thought would be valuable.
What I focused on was my three favorite [...]

]]></description>
			<content:encoded><![CDATA[<p>I just finished giving my presentation on my three favorite TechEd 2010 presentations at our local <a href="http://cwug.groups.live.com/" target="_blank">Chicago Windows User Group</a> meeting. Below are the slides from the presentation which include most of what I talked about including the links to TechEd resources that I thought would be valuable.</p>
<p>What I focused on was my three favorite sessions from TechEd:</p>
<ul>
<li>Server 2008 R2 SP1 and Windows 7 SP1</li>
<li>Turbo Charging Active Directory</li>
<li>Windows 7 at Mach 5</li>
</ul>
<p>If you missed TechEd then check out the quick slides and make sure to visit <a href="http://www.msteched.com/" target="_blank">msteched.com</a> for videos of the TechEd presentations that were recorded.</p>
<div style="width:425px" id="__ss_4529582"><strong style="display:block;margin:12px 0 4px"><a href="http://www.slideshare.net/trainsignal/chicago-windows-user-group-meeting-june-17-2010" title="Chicago Windows User Group Meeting (June 17, 2010)">Chicago Windows User Group Meeting (June 17, 2010)</a></strong></div>


]]></content:encoded>
			<wfw:commentRss>http://windowsserver.trainsignal.com/best-of-teched-2010/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>PowerShell 2.0: Server 2008 R2 Top New Management Feature</title>
		<link>http://windowsserver.trainsignal.com/powershell-2-0-server-2008-r2</link>
		<comments>http://windowsserver.trainsignal.com/powershell-2-0-server-2008-r2#comments</comments>
		<pubDate>Wed, 12 May 2010 14:00:10 +0000</pubDate>
		<dc:creator>Brian Nelson</dc:creator>
				<category><![CDATA[Server 2008 R2]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[PowerShell]]></category>
		<category><![CDATA[PowerShell 2.0]]></category>
		<category><![CDATA[PowerShell Scripting]]></category>
		<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[Windows 7]]></category>

		<guid isPermaLink="false">http://windowsserver.trainsignal.com/?p=7496</guid>
		<description><![CDATA[PowerShell Scripting on Windows Server 2008 R2
 PowerShell 1.0 gave systems administrators around the world a new administration tool when it was introduced with Windows Server 2003. 
For years, Microsoft has worked to develop a graphical user interface, or GUI, that would make system administration and user administration easier and more user friendly. 
In many [...]

]]></description>
			<content:encoded><![CDATA[<h2>PowerShell Scripting on Windows Server 2008 R2</h2>
<p><img src="http://windowsserver.trainsignal.com/wp-content/uploads/2010/05/powershell1.jpg" alt="" title="PowerShell 2.0" width="200" height="155" class="float" class="alignleft size-full wp-image-7521" /> <a href="http://windowsserver.trainsignal.com/windows-server-2008-powershell">PowerShell 1.0</a> gave systems administrators around the world a new administration tool when it was introduced with Windows Server 2003. </p>
<p>For years, Microsoft has worked to develop a graphical user interface, or GUI, that would make system administration and user administration easier and more user friendly. </p>
<p>In many ways, the company succeeded admirably. </p>
<p>Most admins know at least one or two people who have managed to create a user in a very small Windows Server environment through User Manager and think that they should become a Windows Administrator because they already understand &#8220;how to do it.&#8221;</p>
<p>However, for administrators in environments where users exceed the number of people it takes to field a couple of softball teams, things are more complicated. In fact, one of the difficulties of properly administering a networked operating system and its servers is keeping all the &#8220;little things&#8221; consistent across the enterprise. Forgetting a check-box here, and a radio button there, can add up to a security nightmare waiting to happen, or perhaps, a very angry Vice President unable to remotely connect at a critical time.</p>
<p>The solution to some of these problems has been scripting. By writing scripts, Windows system engineers could ensure that repetitive tasks happened correctly and with far less effort than doing them manually. Everything from creating new user accounts, to installing software and upgrades, to basic login scripts has been coded somewhere along the way by a savvy systems admin looking to avoid headaches and spend a little less time on repetitive tasks.</p>
<p><span id="more-7496"></span><br />
Eventually, new Windows Server features and enhancements began to outstrip the capabilities of the DOS-based scripting that server administrators had been cobbling together. Fortunately, new tools and utilities were also developed that helped reduce some of the reliance on login scripts. For example, User and Group profiles have long since made mapping drive letters via login script obsolete. However, administrators still needed a more powerful scripting environment.</p>
<h2>PowerShell 2.0 Upgrades Features and Capabilities</h2>
<p>PowerShell has been slightly underrated within the administrator community. One reason is that in order for PowerShell to really perform throughout the enterprise, it needs to be usable on the servers and all the desktops. </p>
<p>Fortunately, Windows 7 comes ready to execute PowerShell scripts. Windows 7 SP1 is set to ship in the near future, which sounds the bell for the many long-time IT professionals who live by the rule of always waiting for SP1 before upgrading. Server 2008 R2, meanwhile, comes with PowerShell 2.0 installed by default. As <a href="http://www.trainsignaltraining.com/deploy-windows-7-enterprise/2009-08-19/">Windows 7 is installed in the enterprise</a>, PowerShell 2.0 will grow even more useful.</p>
<p>Another reason PowerShell has not gotten its fair share of affection from systems administrators is that there were a few nagging things about how PowerShell worked conspiring to make it seem less powerful than it actually was. However, Microsoft has addressed many of these issues and thrown in a few new features as well.</p>
<p>Let&#8217;s take a look at some of these new features now.</p>
<h3>Remoting</h3>
<p>Nothing has been a bigger thorn in the side of PowerShell than Remoting. Remoting is the ability to run commands via PowerShell on remote computers. Technically, some remoting was possible in PowerShell 1.0, but it was limited to the Get-WMIObject cmdlet within Windows Management Instrumentation (WMI). Even worse, WMI required RPC connections, which meant having to go to the networking guys to get ports opened and firewall exceptions allowed. Not fun.</p>
<p>PowerShell 2.0 allows administrators to run commands on remote computers using the WS-Man (WS-Management) protocols which establish secure connections to remote computers using ports 80 and 443 by default. In many environments these ports will already be open, and in those that they are not, they’ll be a much easier sell to the networking team.</p>
<p>There is one little catch to remoting in PowerShell 2.0. In order to use remoting, it must be enabled on both machines. However, this only needs to be done once. Once enabled, remoting can be used on multiple machines at the same time allowing the administrator to execute the same commands on several computers at once. The applications for this ability are limited only by the admin’s ability (and the availability of the right cmdlet).</p>
<h3>New cmdlets</h3>
<p>Speaking of cmdlets, PowerShell 2.0 comes with over 100 built-in cmdlets. While this covers a lot of ground, there is no doubt that Microsoft Server administrators will quickly find functions and tasks that require other commands. Fortunately, Microsoft has implemented a way to handle this eventuality as well. </p>
<p>Modules are also new to PowerShell 2.0 and allow script developers to organize code into self-contained reusable units. This functionality has already been used to create a PowerShell 2.0 Active Directory Module which brings more possibilities to managing Active Directory via PowerShell.</p>
<h3>Run Background Jobs in PowerShell</h3>
<p>Another big addition to the PowerShell feature set is the ability to run background jobs. This means that those PowerShell scripts that take a long time to run can continue to perform in the background while the command prompt returns control immediately to the console. </p>
<p>An admin performing numerous tasks late at night can get them all running right away instead of having to wait until 2:00 AM to run that last command. This is particularly useful when remoting to multiple machines, especially when those machines are separated by various network connection speeds.</p>
<p><img src="http://windowsserver.trainsignal.com/wp-content/uploads/2010/05/powershell2.jpg" alt="" title="PowerShell 2.0" width="520" height="478" class="alignleft size-full wp-image-7522" /></p>
<h3>System Events Integration</h3>
<p>PowerShell 2.0 now offers the ability to monitor and act on system events which can allow for more proactive scripting.</p>
<h3>PowerShell ISE GUI</h3>
<p>The most curious addition to PowerShell 2.0 is the PowerShell GUI, which, on the surface, appears to defeat the whole point of PowerShell. However, the GUI is really more of a basic script editor complete with color coded syntax, partial execution, stepping, and graphic debugging. The GUI also includes context sensitive help which can save admins from scanning through the verbose output of some help commands.</p>
<p>With Windows 7 coming to many businesses in the near future and the upcoming release of Windows Server 2008 R2 SP1, PowerShell 2.0 will be already waiting to go for enterprise-wide control and administration. The time is now for Microsoft systems engineers and administrators to learn how to take advantage of PowerShell 2.0.</p>
<p>&nbsp;</p>
<h2>PowerShell 2.0 Demonstration</h2>
<p>Take a look at the video below to see a short demo of PowerShell 2.0.</p>
<p>&nbsp;<br />
<script src="http://technet.microsoft.com/objectforward/default.aspx?type=VideoPlayer&#038;video=http%3A%2F%2Fdownload.microsoft.com%2Fdownload%2FC%2FB%2F7%2FCB7BD324-E9B6-4D3F-854D-8AD4FDBE5CA4%2Fpowershell.wmv&#038;thumb=http%3A%2F%2Fi.technet.microsoft.com%2Fdd320288.WindowsPowerShell2L(en-us%252cMSDN.10).jpg&#038;title=&#038;width=400&#038;height=400" type="text/javascript"></script></p>


]]></content:encoded>
			<wfw:commentRss>http://windowsserver.trainsignal.com/powershell-2-0-server-2008-r2/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Windows Server 2008 R2 SP1 New Features: Dynamic Memory and RemoteFX</title>
		<link>http://windowsserver.trainsignal.com/server-2008-r2-sp1-dynamic-memory-remotefx</link>
		<comments>http://windowsserver.trainsignal.com/server-2008-r2-sp1-dynamic-memory-remotefx#comments</comments>
		<pubDate>Tue, 04 May 2010 14:00:18 +0000</pubDate>
		<dc:creator>Brian Nelson</dc:creator>
				<category><![CDATA[Server 2008 R2]]></category>
		<category><![CDATA[Dynamic Memory]]></category>
		<category><![CDATA[Memory Overcommit]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[RemoteFX]]></category>
		<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[Service Pack]]></category>
		<category><![CDATA[Virtualization]]></category>

		<guid isPermaLink="false">http://windowsserver.trainsignal.com/?p=7500</guid>
		<description><![CDATA[Microsoft has confirmed that the industry required gold standard of Microsoft stability, Service Pack 1, is in the works for Windows 7 and Windows Server 2008 R2. (Both Windows 7 and Server 2008 R2 are built on the same code base which allows for better integration, and also means that large updates like Service Packs [...]

]]></description>
			<content:encoded><![CDATA[<p><img src="http://windowsserver.trainsignal.com/wp-content/uploads/2009/11/4.jpg" alt="Windows 2008 Server R2 Update Review" title="Server 2008 R2" class="float" height="120" width="320">Microsoft has confirmed that the industry required gold standard of Microsoft stability, Service Pack 1, is in the works for Windows 7 and Windows Server 2008 R2. (Both Windows 7 and Server 2008 R2 are built on the same code base which allows for better integration, and also means that large updates like Service Packs are typically released together.) </p>
<p>As always, Windows Server 2008 R2 SP1 will include a rollup of patches and fixes developed since the original release shipped. Microsoft has also started banging the drum about two new features that are slated to be a part of the first Service Pack for Server 2008 and Windows 7.</p>
<h2>New Features in Server 2008 R2 SP1 Update</h2>
<p>The two new features mentioned in various statements and internal Microsoft blogs, such as <a href="http://blogs.technet.com/WindowsServer/" target="_blank">Windows Server Division WebLog</a> (no word on the appropriateness of the capitalized &#8220;L&#8221; in weblog) are <strong>Dynamic Memory</strong> and <strong>RemoteFX</strong>, both of which are functions for Microsoft virtualization.</p>
<p><span id="more-7500"></span></p>
<h2>Dynamic Memory in Server 2008 R2 SP1</h2>
<p>Dynamic Memory is a new feature to Hyper-V which allows administrators to allocate all the memory available on a physical host and then have it dynamically distributed among the virtual machines that run on that host. They say that the best laid plans of mice and men often go awry. Plans for projecting how much memory a given VM needs may not have been the inspiration for that saying, but they certainly fit. Dynamic Memory is a way to try and nudge the plans of Windows Server systems engineers back on track.</p>
<p>Dynamic Memory is similar to the Memory Overcommit feature in VMware that allows for greater VM density on a given set of hardware, but with a different twist. Memory Overcommit works by essentially over-promising how much RAM each VM can have. The theory is that most machines do not use their full allotment of RAM all of the time. Thus, when one virtual machine goes over its &#8220;real&#8221; memory limit, the virtual manager lets it use some of the memory that a different VM is not currently utilizing. As long as all VMs aren’t trying to use all of their allocation at the same time, there is no problem.</p>
<p>Microsoft has long claimed that Memory Overcommit is a dangerous solution and advocated against using it. While Dynamic Memory is very similar, the twist is that instead of fooling a VM into thinking it has more RAM than it really does, the Hyper-V manager monitors the percentage of memory being used on all the VMs and then changes the maximum amount of RAM the OS has to work with based on those percentages. The net effect is the same; more VMs can be installed on the same hardware.</p>
<p>The whole point of virtualization is to be able to create numerous virtual servers on a single set of hardware, or host, without having to have big reserves of hardware resources, &#8220;just in case.&#8221; By virtually allocating all hardware resources to virtual machines, IT professionals are able to maximize how efficiently costly hardware is used. </p>
<p>But, what happens when a formerly sleepy virtual machine suddenly becomes mission critical?</p>
<p>For example, consider a hypothetical cable TV channel that is typically lost somewhere &#8220;in the middle&#8221; of the channel numbers. Let’s assume that like many of its competitors this particular channel has some reality TV show starring a not-so-famous famous person when news breaks that the channel’s reality TV star backed over the Pope with his car. </p>
<p>The virtual machine that houses the application used to route incoming phone calls, that annoying, &#8220;Press 1 for this. Press 2 for that,&#8221; system doesn’t usually require much in the way of resources. On this day, however, it’s running full-speed when some &#8220;helpful&#8221; person reconfigures the phone lines to allow a lot more incoming call lines. </p>
<p>Now the VM is swamped and bogging down. If it were a submarine, the captain would be ordering Engineering to go to 105% on the reactor, but since it’s a virtual machine, it is paging everyone in IT with monitoring errors.</p>
<p>For even the most foolhardy server administrators, manually reallocating memory among virtual machines isn’t the kind of thing you want to do during business hours while systems are live and users are counting on those critical business systems. Without Dynamic Memory, our heroes are in a jam, having to rush through an emergency change control ticket and notifying users that some of their server-based software is about to reboot. </p>
<p>However, with Dynamic Memory, memory is reallocated on the fly without any service interruptions, leaving our poor sys admin to deal with the sudden flood of incoming email and website traffic, instead.</p>
<h2>RemoteFX for Windows Server 2008 R2 SP1</h2>
<p>The other major update coming in Service Pack 1 is called RemoteFX. RemoteFX is an improvement that should help iron out some of the unpleasantness of using Microsoft Remote Desktop Services on thin clients. Essentially what RemoteFX does is handle all the heavy lifting for graphics. Rendering is done server-side and then displayed on clients without using their resources. This means that intensive effects like Microsoft Aero should start being a lot more usable on thin clients configured without a lot of hardware power.</p>
<p>This technology comes from Calista Technologies which Microsoft bought two years ago. Microsoft has integrated it into the session virtualization environment (Terminal Services to those of you who don&#8217;t update your lingo with every press release). Using a standard RDP connection, resource hogging multimedia presentations, full-motion video, and Silverlight animations can all be viewed seamlessly even on clients that don&#8217;t have powerful enough hardware to handle them on their own.</p>
<p>RemoteFX has also been licensed out to Citrix for its XenDesktop VDI, so those enterprises running these systems will be able to take advantage of this new capability as well. Citrix has been promoting HDX as a similar feature, but both companies have said that the technologies are complementary and not competitive. Time will tell how (or if) the two will integrate.</p>
<p>While Microsoft hasn&#8217;t provided any details yet, they have also said that Windows 7 will get an updated RDP client as part of the Windows 7 SP1, which would allow those systems to use the feature as well. While traditional workstations wouldn&#8217;t require the feature for standard use, something like high-resolution 3-D rendering could potentially benefit from RemoteFX.</p>
<p>These new features show Microsoft&#8217;s willingness to roll out new technologies without a full product release or add-on pack like in the past. However, neither technology is a game changer, and just as important to those enterprises with tight change control and testing procedures, neither function makes core changes to the OS and can be disabled at install. </p>
<p>In the end, SP1 is what it should be, a boring accumulation of patches and a handful of improvements without any major surprises.</p>


]]></content:encoded>
			<wfw:commentRss>http://windowsserver.trainsignal.com/server-2008-r2-sp1-dynamic-memory-remotefx/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Direct Access: How It Works And How To Configure It</title>
		<link>http://windowsserver.trainsignal.com/direct-access-how-it-works-and-how-to-configure-it</link>
		<comments>http://windowsserver.trainsignal.com/direct-access-how-it-works-and-how-to-configure-it#comments</comments>
		<pubDate>Thu, 04 Mar 2010 19:14:11 +0000</pubDate>
		<dc:creator>Emma Nelson</dc:creator>
				<category><![CDATA[Server 2008 R2]]></category>
		<category><![CDATA[Direct Access]]></category>
		<category><![CDATA[IPsec]]></category>
		<category><![CDATA[IPv6]]></category>
		<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[VPN]]></category>

		<guid isPermaLink="false">http://windowsserver.trainsignal.com/?p=7368</guid>
		<description><![CDATA[What&#8217;s your main goal this year?
Let me guess&#8230; is it increasing productivity, while at the same time saving your company some time and money?  
Well, you&#8217;re not alone. These days, the main goal for many businesses is increasing productivity and having a mobile workforce that can access information instantly, saving valuable resources. Internal employees and [...]

]]></description>
			<content:encoded><![CDATA[<p>What&#8217;s your main goal this year?</p>
<p>Let me guess&#8230; is it increasing productivity, while at the same time saving your company some time and money?  </p>
<p>Well, you&#8217;re not alone. These days, the main goal for many businesses is increasing productivity and having a mobile workforce that can access information instantly, saving valuable resources. Internal employees and external clients need accurate up-to-date information, even when they are on the go. </p>
<p>If your network is running Windows Server 2008 R2 and your clients are using Windows 7 you can take advantage of Direct Access to connect your mobile workforce.</p>
<h2>Why Use Direct Access?</h2>
<p>Direct Access has many advantages over Virtual Private Networks (VPNs) and is meant to be a VPN replacement. With Direct Access the connection between the client computer and the company Intranet is as seamless as using the Internet, while at the same time being more secure than a VPN.</p>
<p>Plus your clients won&#8217;t have to worry about authentication and the several steps involved with establishing a VPN connection or dealing with the hassles of re-establishing a connection if the VPN is lost. Going through a VPN can also slow down Internet connections, so that is another advantage of using Direct Access instead of a VPN.</p>
<p>In spite of Direct Access creating a seamless connection on the client side, you as the administrator will have some work to do, to get Direct Access installed and configured correctly. But it is well worth the effort because not only is client productivity increased, network security is increased as well. </p>
<p>Direct Access creates a bi-directional connection which allows you to update client computers behind the scenes, whenever they are connected to the Internet. This means that you can install software updates and other security patches without the client actually being connected to the company Intranet.</p>
<p><a href="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/DirectAccessConnection1.jpg" rel="lightbox[7368]"><img class="alignnone size-full wp-image-7370" title="Direct Access Connection" src="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/DirectAccessConnection1.jpg" alt="Direct Access Connection" /></a></p>
<p>If you truly want to understand how Direct Access works, Microsoft suggests you familiarize yourself with:</p>
<ul>
<li><a href="http://www.trainsignaltraining.com/free-video-training/free-tcpip-networking-fundamentals-training-videos/">TCP/IP architecture</a>,</li>
<li><a href="http://www.trainsignaltraining.com/ipv6-addressing/2010-02-23/">IPv6 addressing</a>,</li>
<li><a href="http://www.trainsignaltraining.com/ip-addressing-and-routing-part-1-invasion-of-ip-addresses/2007-11-05/">IPv6 forwarding and routing</a>,</li>
<li>IPv6 transition technologies,</li>
<li>how Internet Protocol security (IPsec) protocols work to protect network traffic,</li>
<li>and how to create a public key infrastructure (PKI) with Active Directory Certificate Services (AD CS).</li>
</ul>
<p>In this article I will touch on all these subjects but I won&#8217;t go in depth; consider this your introduction to Direct Access.</p>
<p><span id="more-7368"></span></p>
<h2>Network Requirements For Using Direct Access</h2>
<p>If you would like to use Direct Access on your network you will need a minimum of a direct access server running Windows Server 2008 R2 with two network adapters, one for the Internet and one for the Intranet. This server needs to be a member of an Active Directory Domain Services domain. </p>
<p>The Direct Access server also needs at least two IPv4 addresses assigned to the network adapter. Client computers need to be running Windows 7 Enterprise or Ultimate and be members of the AD DS domain. There needs to be at least one domain controller and one DNS server. You will also need a public key infrastructure (PKI) to issue certificates. </p>
<p>According to Microsoft the steps below can be used to create a Direct Access compatible network.</p>
<h2>Steps For Setting Up A Direct Access Network</h2>
<ol>
<li>Windows Server 2008 R2 needs to be installed on a server with two network adapters.</li>
<li>Join the server to the AD DS server.</li>
<li>Install a computer certificate for IPsec authentication.</li>
<li>Configure the direct access server so one adapter is connected to the Internet and one adapter is connected to the Intranet. If your network does not have IPv6 connectivity enable both adapters and make sure their IPv4 Addresses are configured. This is necessary so that the Direct Access server can use automatic configuration.</li>
<li>Verify open ports and protocols in firewall exceptions.</li>
<li>The Direct Access server will need at least two consecutive, public static IPv4 addresses that are externally resolvable through DNS.</li>
<li>Enable IPv6.</li>
<li>Create a group security policy in Active Directory and add the client computer accounts.</li>
<li>If the Direct Access server is also the network location server, install the IIS server role on the Direct Access server.</li>
<li>Designate one of the server network adapters as the Internet-facing interface. That interface will require two consecutive, public IPv4 addresses. Both IPv4 addresses must be assigned to the same interface.</li>
<li>On the Direct Access server, ensure the Internet-facing interface is configured to be either a &#8220;Public&#8221; or a &#8220;Private&#8221; interface (depending on your network design) and the intranet interfaces are configured to be “Domain” interfaces.</li>
</ol>
<h2>Installing the Direct Access Management Console</h2>
<p>Once you have your network setup, you will need to install the <strong>Direct Access Management Console Feature</strong>.  </p>
<p>In order to install the Direct Access Management Console use the <strong>Add Feature Wizard</strong> in <strong>Server Manager</strong>. Once the snap-in is installed you can run it by going to <strong>Administrative Tools</strong> and clicking on <strong>Direct Access Management</strong>. </p>
<p>The management console simplifies configuration of Direct Access with a four step wizard. In order to configure Direct Access click on setup and run the wizard. When you are finished going through the wizard you can save the settings as a script file or apply it to the Direct Access Server.</p>
<p><a href="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/Graphic3.jpg" rel="lightbox[7368]"><img class="alignnone size-full wp-image-7392" title="Direct Access Wizard" src="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/Graphic3.jpg" alt="Direct Access Wizard" /></a></p>
<p>The Wizard will guide you through each step in configuring Direct Access. You will not be able to move on to another step until the previous step is configured. In the first step you will identify the client computers by selecting their security groups, which you should already have created.</p>
<p><a href="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/graphic4.jpg" rel="lightbox[7368]"><img class="alignnone size-full wp-image-7394" title="Direct Access Client Setup" src="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/graphic4.jpg" alt="" width="627" height="398" /></a></p>
<p>During the next step you enter information about which server connects to the Internet and which one connects to the Intranet. There is also information about whether you are using native IPv6 or tunneling with IPv4. You also have the option of using smart cards for added remote client security.</p>
<p><a href="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/graphic5.jpg" rel="lightbox[7368]"><img class="alignnone size-full wp-image-7396" title="Direct Access Server Setup" src="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/graphic5.jpg" alt="Direct Access Server Setup"  /></a></p>
<p>The second part of Step 2 is selecting which certificates you will be using. Direct Access requires PKI, so you will need to set up a root certificate, which will be used by clients during IPsec authentication, and a certificate for HTTPS connectivity.</p>
<p><a href="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/graphic6.jpg" rel="lightbox[7368]"><img class="alignnone size-full wp-image-7398" title="Direct Access Server Setup Certificates" src="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/graphic6.jpg" alt="Direct Access Server Setup Certificates"  /></a></p>
<p>Step 3 is configuring the infrastructure servers. A network location needs to be configured so the clients will know if they are inside or outside the Intranet. A certificate also has to be associated with that server.</p>
<p><a href="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/graphic7.jpg" rel="lightbox[7368]"><img class="alignnone size-full wp-image-7399" title="Infrastructure Server Setup Network Location" src="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/graphic7.jpg" alt="Infrastructure Server Setup Network Location" /></a></p>
<p>Another part of step 3 is configuring name resolution policy tables. These are used to tell the client how to access certain infrastructure servers of the network according to the DNS of the servers.</p>
<p><a href="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/graphic8.jpg" rel="lightbox[7368]"><img class="alignnone size-full wp-image-7401" title="DNS Suffixes And IP Addresses" src="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/graphic8.jpg" alt="DNS Suffixes And IP Addresses" /></a></p>
<p>An optional setting in step 3 is setting up remote client management but you will probably want to set it up because managing remote clients is one of the advantages of Direct Access.</p>
<p><a href="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/graphic9.jpg" rel="lightbox[7368]"><img class="alignnone size-full wp-image-7403" title="Remote Client Management" src="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/graphic9.jpg" alt="Remote Client Management" /></a></p>
<p>Step 4 can add or limit connectivity to certain machines using authentication with IPsec.</p>
<p><a href="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/graphic10.jpg" rel="lightbox[7368]"><img class="alignnone size-full wp-image-7404" title="Direct Access Application Server Setup" src="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/graphic10.jpg" alt="Direct Access Application Server Setup" /></a></p>
<p>Once you are done with your configuration you can save it and work on it later or save the settings in a script file. You will also get a report of your configuration settings that you can double check before you apply them. Once you hit <strong>Apply</strong> the wizard configures Direct Access and builds group policy objects.</p>
<h2>Advantages of Using Direct Access</h2>
<p>The advantages of using Direct Access are many, from improved management of remote users to IT simplification and cost reduction. This flexibility in remote user management enables you to keep security and health policies up to date. </p>
<p>Using IPv6 and IPsec makes authentication and encryption easier and faster. Access Control is also simplified because you can configure which Intranet resources users have access to. You can also control whether Internet traffic goes through the Intranet or not; keeping the two separate can save on resources and increase speed. </p>
<p>If your network has the capability to run Direct Access, the effort of setting it up will save you valuable time in the long run.</p>


]]></content:encoded>
			<wfw:commentRss>http://windowsserver.trainsignal.com/direct-access-how-it-works-and-how-to-configure-it/feed</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>7 Server Management Improvements in Server 2008 R2</title>
		<link>http://windowsserver.trainsignal.com/server-2008-r2-server-management-improvements</link>
		<comments>http://windowsserver.trainsignal.com/server-2008-r2-server-management-improvements#comments</comments>
		<pubDate>Wed, 17 Feb 2010 14:00:11 +0000</pubDate>
		<dc:creator>Emma Nelson</dc:creator>
				<category><![CDATA[Server 2008 R2]]></category>
		<category><![CDATA[Data Center Power Consumption Management]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[PowerShell]]></category>
		<category><![CDATA[Reliability and Performance Monitor]]></category>
		<category><![CDATA[Remote Administration]]></category>
		<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[Server Manager]]></category>
		<category><![CDATA[WDS]]></category>
		<category><![CDATA[Windows Deployment Services]]></category>

		<guid isPermaLink="false">http://windowsserver.trainsignal.com/?p=7352</guid>
		<description><![CDATA[Server 2008 R2 is the latest and greatest server operating system from Microsoft. It is chock-full of new enhancements to make creating and managing your network easier. 
Server 2008 is easier to deploy and has added reliability. Security has increased, enabling you to create a policy-driven network that will keep your servers, data, [...]

]]></description>
			<content:encoded><![CDATA[<p><img src="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/7-Server-Management-Improvements-In-Server-2008Image1.jpg" alt="" title="7 Server Management Improvements In Server 2008 R2" width="226" height="214" class="float" class="alignleft size-full wp-image-7353" />Server 2008 R2 is the latest and greatest server operating system from Microsoft. It is chock-full of new enhancements to make creating and managing your network easier. </p>
<p>Server 2008 is easier to deploy and has added reliability. Security has increased, enabling you to create a policy-driven network that will keep your servers, data, and business safe. </p>
<p>Improvements in virtualization help to consolidate servers and make more efficient use of hardware. </p>
<p>There are also many enhancements to terminal services. Web administration is much easier from diagnostics and development to applications. Plus there are enhancements with the latest version of Internet Information Services.</p>
<p>Those who are creating a new Server 2008 R2 network from the ground up can take advantage of all of these enhancements and more. </p>
<p>&nbsp;</p>
<h2>7 Server Management Improvements in Server 2008 R2</h2>
<p>Today we&#8217;ll focus on seven improvements in managing your network, which is one of the most time-consuming tasks for any network admin. Fortunately, Server 2008 R2 has several improvements in server management that will make your job much easier. </p>
<p>Here are the 7 server management improvements we&#8217;ll cover today:</p>
<ol>
<li><strong>Server Manager</strong> &#8212; the first one is the improved server manager itself, which makes administration of a single server a snap using the integrated Microsoft Management Console (MMC). </li>
<p></p>
<li><a href="http://windowsserver.trainsignal.com/tag/powershell"><strong>Windows PowerShell</strong></a> &#8212; management of multiple servers can be automated using the Windows PowerShell command-line scripting language.</li>
<p></p>
<li><a href="http://windowsserver.trainsignal.com/tag/wds"><strong>Windows Deployment Services</strong></a> &#8212; an updated version of Remote Installation Services, used to set up new workstations and servers.</li>
<p></p>
<li><a href="http://windowsserver.trainsignal.com/tag/reliability-and-performance-monitor"><strong>Windows Reliability and Performance Monitor</strong></a> &#8212; makes it easy to monitor system performance. </li>
<p></p>
<li><strong>Data Center Power Consumption Management</strong> &#8212; improvements in the methods of reducing power consumption.</li>
<p></p>
<li><a href="http://windowsserver.trainsignal.com/tag/remote-administration"><strong>Remote Administration</strong></a> &#8212; enhancements for remote management through graphical management consoles that integrate with Server Manager.</li>
<p></p>
<li><strong>Identity Management</strong> &#8212; helps keep your network as secure as possible.</li>
</ol>
<p><span id="more-7352"></span></p>
<h2>1. Server Manager</h2>
<p>Server Manager is installed by default as part of Server 2008 and it is available to you as long as you are logged on to the computer as a member of the Administrators group. Using the new Server Manager streamlines the process of installing and configuring servers in an enterprise environment. When you first begin server installation, the Initial Configuration Tasks (ICT) will guide you through the initial process of setup. </p>
<p>In the past, when installing and configuring a new server, you would have to use different components such as <strong>Configure Your Server</strong>, <strong>Manage Your Server</strong>, or <strong>Add or Remove Windows Components</strong> to add or remove server roles or other software. Configuring new servers also took a lot longer because dependency components needed to be installed manually and server roles could only be installed one at a time. Also, each installation had to be completed before the next one could start. </p>
<p>Using the Server Manager console in Server 2008, you can view all of the information about your servers, server configurations, and installed roles and features. You can also install new servers, add roles, and change configuration settings in one place at one time. Not only that, but the <strong>Add Roles Wizard</strong> will automatically check for dependencies and install required services. </p>
<p>If the installed server role requires additional configuration then the Add Roles Wizard will provide configuration pages that allow you to correctly configure the role as part of the installation process. This is especially useful when installing Terminal Services or Active Directory Certificate Services. </p>
<p>Recommended security settings are also configured by default, allowing you to have your server completely ready for deployment in one session. These improvements in Server 2008 make server installation and configuration easier and faster. </p>
<p><a href="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/7-Server-Management-Improvements-In-Server-2008image2.jpg" rel="lightbox[7352]"><img src="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/7-Server-Management-Improvements-In-Server-2008image2.jpg" alt="" title="7 Server Management Improvements In Server 2008" class="aligncenter size-full wp-image-7356" /></a></p>
<p>&nbsp;</p>
<h2>2. Windows PowerShell</h2>
<p>Windows PowerShell is a scripting environment that uses Cmdlets. Having the power to run scripts can increase automation and make large scale configuration fast and easy. </p>
<p>Because PowerShell has standard Cmdlets that can be combined to create powerful functions, you can run scripts without having to know how to program. To find out more about Windows PowerShell you can always visit the <a href="http://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx" target="_blank">Windows PowerShell Script Center</a> where you will be able to find Cmdlets for common administration tasks as well as information on how to create your own Cmdlets. </p>
<p>To use PowerShell, you need to install it and then run PowerShell.exe. You will get a command screen that looks a lot like a DOS window, and all you&#8217;ll have to do is type in the Cmdlets you want to run. If you would like a list of all of the Cmdlets, you can always type in Get-Command. </p>
<p>PowerShell is especially useful for remote desktop management and configuring Internet Information Services 7.5. </p>
<p>&nbsp;</p>
<h2>3. Windows Deployment Services</h2>
<p>Windows Deployment Services, the updated and redesigned version of Remote Installation Services (RIS), is a suite of components that work together on Server 2008 R2 to enable the deployment of Windows operating systems. </p>
<p>WDS can be used to set up new computers using a network-based installation, which means that you don&#8217;t have to be physically present at each new computer and you don&#8217;t need to use a CD or DVD. The new service also has imaging capabilities which means you don&#8217;t have to use a third party software such as Symantec Ghost to copy your configured OS onto each new machine. </p>
<p>&nbsp;</p>
<h2>4. Windows Reliability and Performance Monitor</h2>
<p>In order to maintain a network you need to know how well it is functioning; this is where the new Windows Reliability and Performance Monitor really shines. Instead of having to scour several different tools such as System Monitor, Performance Logs and Alerts, and Server Performance Advisor, you can now collect all of your data from one single tool using a graphical interface. </p>
<p>Other enhancements include Data Collector Sets, which are reusable and make scheduling and collecting data fast and easy. There are also easy-to-use wizards and templates for creating logs, a resource view, and a reliability monitor with user-friendly diagnostic reports.</p>
<p>&nbsp;</p>
<h2>5. Improved Data Center Power Consumption Management</h2>
<p>Power consumption in data centers is increasingly becoming an issue, not only because of cost considerations, but because there is only a limited amount of power for all of the computers in the larger data centers. </p>
<p>Windows Server 2008 R2 has three main methods of reducing power consumption. The first method is Core Parking, which tries to reduce the number of processing cores used with multicore processors. Power consumption is also reduced by adjusting processor speed while still maintaining maximum effectiveness. The final method used to reduce power usage is centralizing storage through the use of a Storage Area Network (SAN).</p>
<p>&nbsp;</p>
<h2>6. Improved Remote Administration</h2>
<p>Server computers are rarely administered locally; that is why improvements in remote administration are so important. Server 2008 offers several enhancements for remote management through graphical management consoles that integrate with Server Manager. </p>
<p>And the improvements in PowerShell make remote administration using scripts much more efficient and easy to implement. </p>
<p>&nbsp;</p>
<h2>7. Improved Identity Management</h2>
<p>Identity management is always a huge security concern. Server 2008 R2 includes identity management improvements in the Active Directory Domain Services and Active Directory Federation Services roles. The purpose of these enhancements is to keep the network secure on-premises and off-premises, keeping all access points secure from all users and extending security across the entire network, while at the same time simplifying user account management.</p>
<p>Managing a network is still a lot of work and a big responsibility, but with the new improvements in Server 2008 R2 that responsibility is beginning to get a little easier. Having a single console for server administration, along with an easier-to-use scripting tool and easier remote deployment, will make the daily admin tasks easier. </p>
<p>Combine that with improved performance monitoring, power management, and increased security and remote administration, and the upgrade to Server 2008 R2 will begin to make sense. </p>


]]></content:encoded>
			<wfw:commentRss>http://windowsserver.trainsignal.com/server-2008-r2-server-management-improvements/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>NAP Time With Windows Server 2008</title>
		<link>http://windowsserver.trainsignal.com/nap-netowrk-access-control-server-2008</link>
		<comments>http://windowsserver.trainsignal.com/nap-netowrk-access-control-server-2008#comments</comments>
		<pubDate>Wed, 03 Feb 2010 14:00:35 +0000</pubDate>
		<dc:creator>Emma Nelson</dc:creator>
				<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[NAP]]></category>
		<category><![CDATA[Network Access Control]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://windowsserver.trainsignal.com/?p=7331</guid>
		<description><![CDATA[Using network access protection (aka NAP) is critical for keeping networks secure &#8212; not only do users need to be authenticated properly, but client machines need to have the latest security updates and policies in place. 
Threats from malware and viruses are not only increasing, they are also becoming more sophisticated. 
Enterprise networks also have [...]

]]></description>
			<content:encoded><![CDATA[<p><img src="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/NAP-Time-With-Windows-Server-2008-Graphic-1.jpg" alt="" title="NAP Time With Windows Server 2008" width="217" height="211" class="float" class="alignleft size-full wp-image-7332" />Using network access protection (aka NAP) is critical for keeping networks secure &#8212; not only do users need to be authenticated properly, but client machines need to have the latest security updates and policies in place. </p>
<p>Threats from malware and viruses are not only increasing, they are also becoming more sophisticated. </p>
<p>Enterprise networks also have a larger mix of global users accessing the companies&#8217; intranet, Internet and databases; these global users include customers, contractors, consultants, suppliers, partners, and internal employees. </p>
<p>More users are also connecting using Wireless LAN, Wi-Fi, and 3G which creates the need for ever increasing enforcement of security policies. </p>
<p>Windows Server 2008 has a built-in core security feature called Network Access Protection. NAP requires a client computer to be compliant with system health policies before it can connect to other computers within the network. </p>
<p>Once NAP is set up properly the system administrator should be able to rest easier. </p>
<p>In this article I&#8217;ll give you an overview of how NAP can protect your network from malware and other threats and talk about the required services and configurations you’ll need to set up and run NAP.</p>
<p><span id="more-7331"></span></p>
<h2>Monitoring Client Computers</h2>
<p>When a client computer attempts to connect with a computer within the network, NAP monitors and assesses the health of the client computer. If a client computer meets all of the required software and configuration settings, it is considered to be healthy and the client is granted access to the network.</p>
<p>If client computers are non-compliant with NAP policies they can be automatically updated to meet current security policies. They may need the latest operating system updates or an anti-virus signature. Clients that don’t meet certain health policy standards may be granted restricted access or connected to various remediation resources, where health status can be updated. </p>
<p><a href="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/NAP-Time-With-Windows-Server-2008-Graphic-2.jpg" rel="lightbox[7331]"><img src="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/NAP-Time-With-Windows-Server-2008-Graphic-2.jpg" alt="" title="NAP Time With Windows Server 2008" class="aligncenter size-full wp-image-7333" /></a></p>
<p>&nbsp;</p>
<h2>Required NAP Components</h2>
<p>NAP is a core Windows component with Windows Server 2008 and can run with clients using Windows XP with Service Pack 3, Windows Vista, and Windows 7. The server components include a Network Policy Server (NPS), which provides centralized health policy configuration. NPS is a replacement for Internet Authentication Service (IAS) in Server 2003.</p>
<p>A System Health Validator (SHV) must be configured to define computer requirements for connecting to the network. It is possible to have a multi-configuration SHV and some or all of the following may be required on a client computer:</p>
<ul>
<li>Firewall Configuration</li>
<li>Virus Protection</li>
<li>Spyware Protection</li>
<li>Security Update Protection</li>
</ul>
<p>A Health Registration Authority (HRA) is used to validate client credentials by checking with NPS to make sure that the credentials are compliant with the network’s health requirements. A Remediation Server is used to provide updates when the client does not pass the health requirements to access the network. </p>
<p>In order for NAP to work on the client computer the NAP Agent and System Health Agent (SHA) must be installed.</p>
<p><a href="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/NAP-Time-With-Windows-Server-2008-Graphic-3.jpg" rel="lightbox[7331]"><img src="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/NAP-Time-With-Windows-Server-2008-Graphic-3.jpg" alt="" title="NAP Time With Windows Server 2008"  class="aligncenter size-full wp-image-7334" /></a></p>
<p>&nbsp;</p>
<h2>NAP Enforcement</h2>
<p>Once the client and server requirements for NAP are met the mode of enforcement must be configured. There are four different enforcement configurations for NAP:</p>
<ul>
<li>IPSec</li>
<li>802.1X</li>
<li>VPN</li>
<li>DHCP</li>
</ul>
<p>These can be configured alone or combined for even more protection. Let’s go into a little detail about each one.</p>
<p>Dynamic Host Configuration Protocol (DHCP) is one of the easiest NAP enforcements to deploy because all DHCP client computers must lease an IP address. Therefore, if the client computer does not meet the health policy requirements, the DHCP server will either assign an invalid IP address, such as 0.0.0.0, to the client or route the client to the remediation server for updates. This way the client can only access the IP address of the network if all health requirements are met.</p>
<p>IPSec enforcement is a stronger, more robust system that works at the Internet layer of the TCP/IP protocol. With IPSec policy settings the administrator can limit access on a per-server and per-application basis. IPSec works by dividing the network into three logical networks consisting of a secure network, a boundary network, and a restricted network. </p>
<p><a href="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/NAP-Time-With-Windows-Server-2008-Graphic-4.jpg" rel="lightbox[7331]"><img src="http://windowsserver.trainsignal.com/wp-content/uploads/2010/02/NAP-Time-With-Windows-Server-2008-Graphic-4.jpg" alt="" title="NAP Time With Windows Server 2008 " class="aligncenter size-full wp-image-7335" /></a></p>
<p>802.1X enforcement is port-based enforcement that requires 802.1X-compliant switches and wireless access points. This enforcement provides more security than DHCP enforcement because connections are only allowed after the client health is validated and the identity is authenticated. </p>
<p>VPN enforcement is used by creating a VPN server at the perimeter of the network. There are many different configurations that can be used in this setup, but the basic process is that a NAP client computer will request network access through a VPN connection. If the client is compliant, it will be granted access; otherwise access will be denied or the client will be routed to a remediation server.</p>
<h2>Windows 7 and Server 2008 R2</h2>
<p>Implementing NAP security in a network takes careful planning and usually should be rolled out in stages, ensuring that clients that need access to the network will continue to have access until all health policy updates have been applied. Once the policies have been implemented, securing and managing the network should be easier. </p>
<p>With the advent of Windows 7 and Server 2008 R2 more improvements have been made to NAP including NPS templates and template management, RADIUS account improvements, support for non-English character sets, multi-configuration SHV, and multiple NAP client user interface improvements. </p>
<p>With continued efforts to streamline the network security process with NAP and other Server 2008 enhancements the days of network vulnerabilities could be coming to an end. Network administrators won’t have to worry about internal employees showing up after a long weekend and infecting the entire network by plugging in their laptop. </p>


]]></content:encoded>
			<wfw:commentRss>http://windowsserver.trainsignal.com/nap-netowrk-access-control-server-2008/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Server 2008 R2 Update Review</title>
		<link>http://windowsserver.trainsignal.com/windows-2008-server-r2-update-review</link>
		<comments>http://windowsserver.trainsignal.com/windows-2008-server-r2-update-review#comments</comments>
		<pubDate>Wed, 02 Dec 2009 14:09:07 +0000</pubDate>
		<dc:creator>Brian Nelson</dc:creator>
				<category><![CDATA[Server 2008 R2]]></category>
		<category><![CDATA[Hyper-V]]></category>
		<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[Windows 7]]></category>

		<guid isPermaLink="false">http://windowsserver.trainsignal.com/?p=7297</guid>
		<description><![CDATA[The release of Server 2008 R2 was largely overshadowed by the more consumer-friendly release of Microsoft’s next desktop operating system, Windows 7. 
However, Windows Server 2008 R2 provides many new features and upgrades, including several that go hand in hand with new features found in Windows 7. 
That means there are more new reasons [...]

]]></description>
			<content:encoded><![CDATA[<p><a href="http://windowsserver.trainsignal.com/tag/server-2008-r2"><img src="http://windowsserver.trainsignal.com/wp-content/uploads/2009/11/4.jpg" alt="Windows 2008 Server R2 Update Review" title="Server 2008 R2" width="320" height="120" class="float" class="alignleft size-full wp-image-7300" /></a>The release of Server 2008 R2 was largely overshadowed by the more consumer-friendly release of Microsoft’s next desktop operating system, <a href="http://windowsserver.trainsignal.com/tag/windows-7">Windows 7</a>. </p>
<p>However, Windows Server 2008 R2 provides many new features and upgrades, including several that go hand in hand with new features found in Windows 7. </p>
<p>That means there are more new reasons to upgrade both the desktop operating system and the server operating system at many companies. </p>
<p>If that doesn’t sound like a major undertaking, I don’t know what is.</p>
<h2>What is an R2 Release Anyway?</h2>
<p>Many businesses have been plugging along comfortably with older combinations of Windows XP and either Server 2003 or Windows Server 2000, and installing only those service packs and features designed to keep those systems running securely and stably.</p>
<p>Therefore, the question that has to be asked is what is an R2 release and exactly what does the R2 version of Server 2008 have to offer?</p>
<p><span id="more-7297"></span><br />
Over the past several years, Microsoft has received a lot of feedback from users in the business community who wanted a more predictable release cycle for critical business platforms such as Microsoft’s server operating systems. For businesses that had driven the planning uncertainty out of other areas of operations, the seemingly random release schedule of Server upgrades and service pack releases prevented IT from adequately planning everything from hardware acquisition, to lease schedules, to software budgeting. </p>
<p>In addition, companies wanted to keep the critical security and performance updates to the operating systems separate from updates that added new features. Companies where extensive testing and planning make virtually any downtime unacceptable didn’t like that, in order to keep their systems secure and optimized, they had to introduce new, untested features and services into their environment, or deal with kludgey file-deleting, registry-editing hacks to remove those features from otherwise necessary Service Pack updates.</p>
<p>On the other hand, in the technology industry, five years is a lifetime and Microsoft worried that products would quickly become out of date, with its offerings lacking the latest features and innovations if new feature sets were released only twice a decade. If there was one thing Microsoft did not need, it was to bolster the view of the company as a slow moving dinosaur out of touch with the fast moving pace of business.</p>
<p>The compromise the company struck was that it would focus on releasing new versions of core business software products approximately every five years, as with Windows Server 2003 and then Windows Server 2008. Service packs would continue to be released whenever necessary in order to address critical security, stability, and performance issues. </p>
<p>However, Service Packs would not contain new features within them. Instead, Microsoft would update feature sets with an R2 release every 2 to 3 years.</p>
<p>This way, businesses that wanted to keep up to date with the latest security, stability, and performance enhancements, but did not want to introduce new features (and their potential stability and security problems) into the production environment, could install Service Packs. And those companies looking to incorporate the latest technologies and feature set could take advantage of the R2 releases.</p>
<p>Thus, Server 2008 R2 offers much more than just a Service Pack, but not quite as much as a new full-scale release. </p>
<p>So, what exactly is in the latest release of Windows Server 2008 R2?</p>
<h2>Server 2008 R2 Upgrade Costs</h2>
<p>Many of the features and functionalities in Server 2008 were introduced in the original, or &#8220;R1&#8221; release of Server 2008. However, for environments currently running Windows Server 2003, these features should also figure heavily in any decision whether to upgrade to Server 2008 R2 or not. </p>
<p>Obviously, migrating from Server 2003 to Server 2008 R2 is not a free update, unless the company is enrolled in certain licensing subscriptions.</p>
<p>For IT groups already running the original Server 2008 system, the question gets a little murkier. For businesses with Software Assurance, the question is merely one of value versus the time and effort to upgrade the server operating system. </p>
<p>For those without Software Assurance, or other business licensing that includes free upgrades, Windows Server 2008 R2 is <strong>not</strong> a free upgrade. In other words, for those running Server 2008 already, the evaluation involves not only the time and effort, but additional cost as well.</p>
<h2>New Features in Server 2008 R2</h2>
<p>As before, there are several Editions of Windows Server 2008 R2 available depending upon the needs of an organization. Some features are optional on certain editions or only available on specific editions. Thus, a straight list of all new features is a relatively complicated undertaking. </p>
<p>However, there are certain features that are the &#8220;deal-makers&#8221; in Server 2008 R2.</p>
<h3> &nbsp; &bull; &nbsp; Hyper-V and Virtualization</h3>
<p>The centerpiece of Server 2008 was the addition of virtualization as a built-in function of the operating system. As is often the case, the company’s first effort was successful and usable, if not as scalable or feature-filled as competing offerings. However, for companies looking to start down the path toward virtualization or to roll out the new technology on a limited basis, <a href="http://windowsserver.trainsignal.com/tag/hyper-v">Microsoft’s Hyper-V</a> offered a great entry point without any additional cost.</p>
<p>One area that has received substantial attention for the R2 release of Windows Server is virtualization and Hyper-V. </p>
<p>Features like Live Migration, Hot Add/Remove Virtual Machine Storage, integration with desktop virtualization (VDI), and also presentation or application virtualization (formerly provided in some fashion by Terminal Services) have all been added. </p>
<p>In addition, services like clustering and failover have been improved and expanded. Also included is the long-awaited ability to boot from storage networks.</p>
<h3> &nbsp; &bull; &nbsp; 64-bit Architecture and More </h3>
<p>Of course, the R2 release contains upgraded support for more powerful hardware. Server 2008 R2 becomes the first version to be released only in 64-bit architecture, marking the official end of 32-bit computing for Server products. </p>
<p>R2 supports up to 256 logical processor cores and up to 64 logical cores for each host. New power management features allow processor cores to be parked when load is low and then automatically re-enabled when demand increases. In a large data center, the amount of savings just from lowered cooling requirements alone could make an upgrade to R2 worth it.</p>
<p>Other new features receiving a lot of attention are improvements in Remote Administration, as well as secure connections for remote employees without the need for third-party VPN software, updates to Active Directory management, including a <a href="http://windowsserver.trainsignal.com/server-2008-r2-active-directory-recycle-bin">recycle bin for AD objects</a>, streamlined performance, improved storage management, and an update to <a href="http://windowsserver.trainsignal.com/dont-be-afraid-of-windowspowershell">PowerShell</a>.</p>
<p>Add to all of this the fact that many of the high-end <a href="http://windowsserver.trainsignal.com/windows-7-and-server-2008-r2">features of Windows 7 will only work with Server 2008 R2</a>, or will work much better with it, and it starts to add up to a must-upgrade scenario. </p>
<p>The only real question in these trying economic times is when and where the will and funds will meet the need for a much improved server operating system environment.</p>


]]></content:encoded>
			<wfw:commentRss>http://windowsserver.trainsignal.com/windows-2008-server-r2-update-review/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows 7 Features That Require Server 2008 R2</title>
		<link>http://windowsserver.trainsignal.com/windows-7-and-server-2008-r2</link>
		<comments>http://windowsserver.trainsignal.com/windows-7-and-server-2008-r2#comments</comments>
		<pubDate>Thu, 19 Nov 2009 17:54:22 +0000</pubDate>
		<dc:creator>Brian Nelson</dc:creator>
				<category><![CDATA[Server 2008 R2]]></category>
		<category><![CDATA[BitLocker to Go]]></category>
		<category><![CDATA[BranchCache]]></category>
		<category><![CDATA[DirectAccess]]></category>
		<category><![CDATA[RemoteApp]]></category>
		<category><![CDATA[Server 2008]]></category>
		<category><![CDATA[Windows 7]]></category>

		<guid isPermaLink="false">http://windowsserver.trainsignal.com/?p=7282</guid>
		<description><![CDATA[Windows 7 has been released to considerable acclaim. 
Most reviewers claim to see not only improvements in speed and functionality, but better usability as well.
Some reviewers are going so far as to proclaim that Windows 7 is as user friendly as the latest Mac OS Snow Leopard.
Even more important for business users and Information Technology [...]

]]></description>
			<content:encoded><![CDATA[<p><img src="http://windowsserver.trainsignal.com/wp-content/uploads/2009/11/windowsserver2008withwindows7graphic.jpg" alt="Windows 7 &amp; Server 2008 R2" title="Windows 7 &amp; Server 2008 R2" width="300" height="146" class="float" class="alignleft size-full wp-image-7285" />Windows 7 has been released to considerable acclaim. </p>
<p>Most reviewers claim to see not only improvements in speed and functionality, but better usability as well.</p>
<p>Some reviewers are going so far as to proclaim that Windows 7 is as user friendly as the latest Mac OS Snow Leopard.</p>
<p>Even more important for business users and Information Technology Professionals is the list of impressive new features that come with Windows 7. Many of these new Windows 7 technologies allow for IT Departments to better manage, support, and <a href="http://www.trainsignaltraining.com/deploy-windows-7-enterprise/2009-08-19/">configure Windows 7 machines throughout the enterprise</a>. </p>
<p>It is not surprising then that these Windows 7 features are at the top of the list of reasons IT groups are ready to initiate the massive undertaking of upgrading desktop computers throughout the company.</p>
<h2>Server 2008 R2 Required for Windows 7 Functions</h2>
<p>But did you know that some of the best new Windows 7 features only work with Windows Server 2008? In fact, some features actually require the latest Windows Server release, Server 2008 R2. </p>
<p>And, a handful of functions not only require Windows Server 2008 R2, but they require that <em>all domain controllers be Windows Server 2008!</em> </p>
<p>This isn’t a trivial point when evaluating upgrading to Windows 7 in a large environment. Let&#8217;s take a look at some of the features of Windows 7 that require Server 2008 R2.</p>
<p><span id="more-7282"></span></p>
<h3> &nbsp; &bull; &nbsp; DirectAccess</h3>
<p>DirectAccess is one of the much-anticipated features in Windows 7. For the home user, DirectAccess provides little benefit, but in the business environment, it will be invaluable.</p>
<p>Whether they were employees traveling on business trying to connect from hotel rooms or other locations, or whether they were employees working from home, or IT administrators trying to remotely diagnose or fix a systems issue at 3:00 A.M. &#8212; the value of remote connectivity could not be denied. </p>
<p>Unfortunately, until the release of Windows 7, businesses had only a few unappetizing choices for providing remote access to workers.</p>
<p>They could open up a giant security hole by allowing full connectivity over unencrypted connections (like the hotel wireless network) and just hope that no one intercepted sensitive data or, worse, piggybacked on the connection into the servers themselves. Obviously, this option was not popular.</p>
<p>They could create a DMZ area of sorts allowing connectivity only to specific resources that were sealed off from the &#8220;real&#8221; corporate network. However, this inevitably meant that whatever access the employee needed was behind the firewall and not available, and it did nothing to solve the problem of unencrypted data transfers.</p>
<p>Finally, companies could install a Virtual Private Network or VPN which would encrypt communications between the remote user and the company network as well as provide a means to authenticate remote users <em>before</em> they connected to the network. </p>
<p>Unfortunately, this required a whole other layer of client software, server setup, firewall configuration, and cost to make it work. Too often, the overall expense and effort of installation, support, and use of the VPN was such a burden that companies strictly limited who was permitted to use the service. Even for those with VPN installed, it was a clunky solution.</p>
<p>With Windows 7, Microsoft implemented DirectAccess. While DirectAccess offers many of the features found in VPN, it is not the same thing.</p>
<p>DirectAccess offers secure connections, like VPN, using IPSec in order to encrypt data passing between the client and network as it travels through the Internet. However, unlike VPN, DirectAccess provides an extra layer of &#8220;bi-directional&#8221; communications in which the remote computer can be connected and managed, without the user logging in. This is accomplished by authenticating the <em>machine</em> before the user ever attempts to connect.</p>
<p>This provides two huge benefits. First, because the machine must authenticate to the network first, a stolen username and password are worthless without an authorized computer. Thus, not only must a password be compromised, but a machine must be taken as well, which offers a much more obvious flag of a possible security breach. </p>
<p>Secondly, with the machine connected and authenticated over an Internet connection, the system can be remotely administered, including installing patches, running scripts, or setting policies or profiles. With DirectAccess, users no longer have to worry that when they connect in a mad rush to download a critical presentation, their connection will be slowed to a crawl while a login script runs and updates are installed. Instead, these things can happen while the employee is asleep or watching T.V. in their hotel room.</p>
<p>DirectAccess is a native part of Windows 7 and integrates seamlessly with Windows Server 2008 R2, eliminating the need for managing an extra layer of security or tying Active Directory entries to VPN users. </p>
<p>Instead, all of the same profiles, policies, and object security features run with full effect, ensuring that no one gets access to something they aren’t supposed to, while everyone gets access to everything they do need, all without any frantic 6:30 P.M. phone calls on Friday afternoon.</p>
<h3> &nbsp; &bull; &nbsp; BranchCache</h3>
<p>While network connectivity has become widespread and WAN connections have dropped in price and increased in speed in larger cities, there are still tons of places where connectivity is expensive and slow. For companies with nationwide operations there are unpleasant choices to be made. Spend huge amounts of money on faster connections, or force employees in branch offices to suffer through slow authentication and slower data access.</p>
<p>With BranchCache you can have files stored on-site, either on a server (Windows 2008 Server, of course) or, if there is no onsite server, on the hard drives of other workstations. This way, if one person pulls down a file at 8:30 am and another person needs the same file at 9:15 am, the second user doesn’t need to download it across the WAN.</p>
<h3> &nbsp; &bull; &nbsp; BitLocker-to-Go</h3>
<p>Windows 7 extends the drive encryption to USB keys and other removable drives. While BitLocker works without Server 2008, if you want to FORCE it to be used on USB key drives, you’ll need the Group Policy updates in Server 2008 R2. (Technically, you can’t force the drive to be encrypted, but you can disallow access to a non-encrypted drive.) Most importantly, the recovery password can be stored in Active Directory.</p>
<h3> &nbsp; &bull; &nbsp; RemoteApp</h3>
<p>If you want to use Presentation Virtualization (making the application appear as if it were installed locally) you’ll need Server 2008 (R1 or R2) and Windows 7. While you can technically get away with using Vista, advanced visuals like Aero won’t behave and will eliminate that &#8220;local install&#8221; feel.</p>
<h3> &nbsp; &bull; &nbsp; Server 2008 Without Windows 7 and Vice Versa</h3>
<p>In the real world, no upgrade to either the desktop OS or the server OS will happen overnight. The question then becomes whether to upgrade to Windows Server 2008 R2 first, upgrade to Windows 7 first, or go the hybrid route and upgrade some of the server OS while also upgrading some of the desktop OS.</p>
<p>While at first glance this sounds like the less desirable option, the reality is that this paradigm may actually serve many companies very well. The hybrid upgrade approach allows IT to upgrade by site or location, generally starting with the office with the highest concentration of the right IT personnel. By the time the IT guys are all running Windows 7 and at least a handful of the servers in the datacenter are running Windows Server 2008 R2, much of the infrastructure will not only be in place, but will have been tested as IT goes about its daily duties.</p>
<p>Working the bugs from a major upgrade out is a lot easier and less politically volatile when the ones dealing with the issues are both the people most capable of figuring out what the problem is, and the ones least likely to complain about the way things are being handled.</p>
<p>In the end, much of the handwringing going on about whether to put the chicken or the egg first may be moot. The only question is, which is the chicken, Windows Server 2008 or Windows 7?</p>


]]></content:encoded>
			<wfw:commentRss>http://windowsserver.trainsignal.com/windows-7-and-server-2008-r2/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
