Summary

This document provides information about server 2019 versions, upgrading/downgrading procedures, and various features, such as BitLocker, EFS, BOOT/INSTALL.WIM, DNS, AD CS, SCCM, and FSRM. It also includes descriptions of different server roles and configurations.

Full Transcript


**Server 2019 Versions**

Server 2019 versions; each can be installed without the Desktop Experience:

- Essentials - up to 25 users - lower price
- Standard - 2 Hyper-V VMs
- Datacenter - unlimited VMs - very expensive

**Upgrading / Downgrading**

Upgrade:

1. 2012 R2 & 2016 only to 2019
2. Backup first
3. Mount the installation ISO
4. Run Setup
5. Choose to keep settings

Downgrade:

1. Only to Server 2016
2. Must have downgrade rights from Microsoft
3. Backup first!

**BitLocker / EFS**

- All Server 2019 versions support BitLocker, but you have to enable it in PowerShell or using Server Manager
- A full volume encryption feature included with Microsoft Windows versions starting with Windows Vista
- It is designed to protect data by providing encryption for entire volumes
- When you use BitLocker on a file it becomes a small volume
- BitLocker allows only the authorised user to access the data
- EFS - the Encrypting File System is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption

**BOOT / INSTALL.WIM**

- The default boot and install images are available from the DVD
- The Windows image file boot.wim is used to boot the operating system
- The boot file contains Windows PE
- WDS sends the boot file out to the target computers first
- The Windows machine unpacks and boots into Windows PE using the boot.wim file; then a basic operating system allows the administrator to choose options
- Windows PE then facilitates the installation of an INSTALL.WIM file containing the full operating system, applications and settings
- Obviously the boot.wim file is often much smaller than the install.wim file

**WDS Terminology**

- When you create an image to deploy with WDS this is called a Standard Image
- The image comes from a Reference Computer
- If you do not have PXE-compliant network cards you need to create a Discover Image (rare nowadays)
- Auto-Cast multicasts the image to all machines; this begins after the first client connects when multiple machines are being deployed
- There are two main files in a Windows image:
  - INSTALL.WIM - containing the OS and settings/applications
  - BOOT.WIM - with drivers and Windows PE

**DNS Records**

- The DNS zone used for AD DS is a forward lookup zone
- A forward lookup zone can have multiple record types, but it is most commonly used to convert host names to IP addresses
- If you have an AD DS domain named contoso.com, you need to have a DNS zone named contoso.com to support the domain
- DNS record types include: A - IPv4, AAAA - IPv6, CNAME - alias, MX - mail, NS - name server

**AD CS (Certificate Services)**

- Standalone signs certificates offline (root authority) - this is often kept offline; subordinate certificate servers only trust the root CA
- Enterprise - within a domain (intermediate)
- Subordinate - below a higher authority (issuing server)
- Certificate servers maintain lists of valid and invalid certificates; certificates can be issued or revoked, and revoked certificates go onto a CRL (certificate revocation list)

**SCCM**

- System Center Configuration Manager lets you deploy software based on a schedule
- Administrators can deploy applications and get reports on the success/failure of the deployments
- We must pay for it so we cannot set it up in a lab; SCCM does not come with Windows Server out of the box - it must be downloaded and installed onto the server after a licence is purchased
- SCCM also allows advanced administration tasks such as remote installation, patch management and OS deployment

**FSRM Role**

- A role in Windows Server that enables you to manage and classify data stored on file servers
- Can automatically classify files, perform tasks based on these classifications, set quotas on folders, and create reports monitoring storage usage:
  1) Quota Management - how much storage is allowed per directory
  2) File Screening Management - what kind of data may be stored
  3) Classification Management (criticality)
  4) File Management Tasks (runs based on classification)
  5) Storage Reports Management

FSRM use cases:

- Create a 200 megabyte quota for each user's home directory and notify them when they are using 180 megabytes
- Do not allow any music files to be stored in personal shared folders
- Schedule a report that runs every Sunday night at midnight that generates a list of the most recently accessed files from the previous two days
  - This can help you determine the weekend storage activity and plan your server downtime accordingly

**Role Description**

- Print and Document Services enables you to centralize print server and network printer tasks. With this role, you can also receive scanned documents from network scanners and route the documents to a shared network resource, Windows SharePoint Services site, or email addresses
- Fax Server sends and receives faxes and allows you to manage fax resources such as jobs, settings, reports, and fax devices on your fax server

**Print Spooler**

Hard to set up in a virtual environment!

- The print spooler is a software program that is responsible for managing all print jobs currently being sent to the computer printer or print server
- It is recommended that if you have a lot of printers, or users sending large documents to your printers, you move the print spooler off your C: drive and onto a different hard drive
- The print spooler program allows a user to delete a print job being processed or otherwise manage the print jobs currently waiting to be printed

**RAID - Redundant Array of Inexpensive Disks**

RAID properties can be verified in Disk Management; RAID disks are configured with LUNs (logical unit numbers):

- RAID 0 - striping
- RAID 1 - mirroring
- RAID 5 - parity bit
- RAID 10 = 1+0

**Accessing Resources through RDS**

- If remote access users have to be able to access network-based resources from home but also access their local drives when using their remote access connection, how would we configure this?
- On the Remote Desktop Connection > click Show Options > Local Resources > Local devices and resources > More >
- Check the appropriate Drives check box (or boxes) as required
- As more and more workers work from home, making "cloud" services available through Azure/Office 365 will become more and more important

**Space saving technologies**

- NTFS data compression - a built-in feature of the file system
- Compression tools like WinZip copy files and then compress them into an archive; however, you must remove the compression to work with the files
- Data deduplication - identifies repeated patterns and eliminates duplicate patterns; potentially excellent, depending on the data type (VDI files and software installation files being excellent candidates)

**Automating Tasks**

PowerShell offers ways to automate tasks through:

- Cmdlets - very small classes that appear as system commands
- Scripts - combinations of cmdlets and associated logic
- Executables - standalone tools
- Install-WindowsFeature - replaces an old cmd utility called servermanagercmd.exe for adding roles to the server

**DHCP Process**

- The client sends a DHCPDiscover broadcast packet to which all available DHCP servers can respond
- DHCP servers reply with a DHCPOffer unicast packet containing IP addressing information that can be used by the client
- The client sends a DHCPRequest broadcast indicating it accepts the DHCPOffer; the first DHCPOffer received is the one accepted
- All DHCP servers identify which offer was accepted, so they don't reserve addresses for this client
- The DHCP server responds with a DHCPAck unicast packet; this identifies that the DHCP client knows the offer was accepted and that the client can begin using the IP address

**DHCP Leases**

- The default lease length in Windows Server is eight days; clients will attempt to renew that lease with the original DHCP server at 50% of the lease length (4 days) and, if not successful, again at 87.5% (7 days)
- If the lease cannot be renewed and expires, the client loses its IP address and might obtain a lease from another DHCP server or begin using APIPA
- Eight days ensures clients can use the IP for an extended period; it also makes it difficult to make network changes
- Routers almost always block broadcast packets from passing between networks, so DHCPDiscover packets are not normally able to cross from one network to another through routers
- To allow a single DHCP server to service multiple subnets, you need to implement a DHCP relay

**DHCP Options**

- Reservations - an IP in the scope that is given to a specific DHCP client; the DHCP server identifies the client based on the client's MAC address
- Options within a DHCP packet - many options can be set; some examples include 002 Time Offset, 003 Router, 004 NTP Server, 006 DNS Servers, 015 DNS Domain Name
- Availability - three options for redundancy:
  - Scope splitting (80:20)
  - Hot standby (failover relationship)
  - Load-balanced (the servers have to communicate to prevent duplicate address allocation)

**Delegation of Control Wizard**

- From Active Directory Users and Computers, the Delegation of Control Wizard facilitates delegating control of different portions of Active Directory to other administrators and users
- The wizard simplifies the process by allowing the administrator to assign permissions only at the level of organizational units (OUs)
- Assigning permissions to OUs rather than to particular directory objects ultimately simplifies the Active Directory administrator's work

**Enable the Windows Defender GUI**

- By default, Microsoft Defender Antivirus is installed and functional on Server 2016 and 2019
- The GUI is installed by default on some systems, but is not required because you can use PowerShell or other methods to manage Microsoft Defender Antivirus
- Add the GUI using Add Roles and Features or PowerShell
- Under Windows Defender Features, select 'GUI for Windows Defender'

**Objects**

- Active Directory structures are arrangements of information about objects
- Objects fall into two broad categories: resources (e.g., printers) and security principals (user or computer accounts and groups); each object represents a single entity
- Certain objects can contain other objects - like OUs
- An object is uniquely identified by its name and has a set of attributes (the characteristics and information that the object represents) defined by a schema, which also determines the kinds of objects that can be stored in Active Directory
- If an object is deleted it goes into the Active Directory Recycle Bin for its "tombstone lifetime"

**Delegation**

- From Active Directory Users and Computers, the Delegation of Control Wizard facilitates delegating control of different portions of Active Directory to other administrators and users
- The wizard simplifies the process by allowing the administrator to assign permissions only at the level of organizational units (OUs)
- Assigning permissions to OUs rather than to particular directory objects ultimately simplifies the Active Directory administrator's work

**GPtool**

- GPOTool.exe is the tool for troubleshooting GPOs - any time you wish to troubleshoot GPOs, use this
- gpupdate is the cmd command to use when you want to update Group Policy on a client machine:

```cmd
gpupdate [/target:{computer | user}] [/force] [/wait:<value>] [/logoff] [/boot] [/sync] [/?]
gpupdate /force
gpupdate /sync
gpupdate /wait:<value>
```

- In PowerShell you can run:

```powershell
Get-GPO -All -Domain "ec.com"
```

**WSUS**

WSUS terminology:

- Synchronize - connect the WSUS server to Windows Update (download)
- Approve - approve updates to be deployed into the environment (push out to clients)
- Security Group - any group that a GPO is configured to target WSUS updates to
- Auto-approval rule when an update is in a specific classification
- Auto-approval rule when an update is in a specific product

WSUS reporting:

- Update Status Summary - provides an overview of WSUS operation
- Update Detailed Status report - provides detailed information on what updates have/have not been installed on each machine

WSUS deployment types:

- Simple - the most basic WSUS deployment consists of a server inside the corporate firewall serving client computers on a private intranet; the server connects to Microsoft Update to download updates (synchronization)
- Multiple WSUS servers - administrators can deploy multiple servers running WSUS that synchronize all content within their organization's intranet; you might expose only one server to the Internet, which would be the only server that downloads updates from Microsoft Update
- Disconnected WSUS - administrators can set up an internal server to run WSUS that is connected to the intranet but is isolated from the Internet; after downloading, testing, and approving the updates on this server, an administrator would export the update metadata and content to a DVD. The update metadata and content is then imported from the DVD to servers running WSUS within the intranet

**ADREPLSTATUS**

The Active Directory Replication Status Tool (ADREPLSTATUS) is a small but handy tool Microsoft published for download which can be used to analyze the replication status of an Active Directory environment. This is useful to:

- Expose Active Directory replication errors occurring in a domain or forest
- Prioritize errors that need to be resolved in order to avoid the creation of lingering objects in Active Directory forests
- Help administrators and support professionals resolve replication errors by linking to Active Directory replication troubleshooting content on Microsoft TechNet
- Allow replication data to be exported to source or destination domain administrators or support professionals for offline analysis

**Perfmon**

- Establishes baselines of performance
- Creation of custom collector sets on specified server features
- For example, if you had an issue with slow bandwidth and email users sending mails, you could create a custom data collector set that gathered network data and also email data and use this to troubleshoot the problem
- You may wish to monitor the CPU usage of the print server and also monitor the disk utilisation of the disk on which the print spooler lives
- When you create a Data Collector Set, the data that is collected for performance counters is stored to a log file in the location that was defined when the Data Collector Set was created
- If a server has an issue that you wish to monitor, create a custom data collector set

**NPAS**

- Allows administrators to provide local and remote network access and allows administrators to define and enforce policies for network access authentication, authorization and client health
- NPAS includes Network Policy Server (NPS), Routing and Remote Access Service (RRAS), and Host Credentials Authorization Protocol (HCAP)
- HCAP allows integration of the solution with Cisco Network Access Control Server
- NPS can centrally manage network access through a variety of network access servers, including RADIUS-compliant 802.1X-capable wireless access points, VPN servers, dial-up servers, and 802.1X-capable Ethernet switches.
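The BitLocker / EFS section above says Server 2019 needs BitLocker turned on from PowerShell or Server Manager. The following is an added example, not code from the original notes, of doing that for the system volume with a TPM protector plus a recovery password escrowed to AD DS. The mount point "C:", the presence of a TPM, and the assumption that the "Store BitLocker recovery information in AD DS" policy already applies to the server are mine.

```powershell
# Added example (not from the original notes): enable BitLocker on the OS volume from
# PowerShell. Assumptions: the host has a TPM, "C:" is the OS volume, and the
# "Store BitLocker recovery information in AD DS" policy already applies to this server.

# BitLocker is an optional feature on Windows Server; install it and reboot, then run the
# rest of this script in a fresh session.
Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools

$vol = "C:"

# 1. Encrypt with XTS-AES-256 and bind the volume to the TPM so the server boots unattended.
#    -UsedSpaceOnly keeps a freshly built server's encryption short; -SkipHardwareTest
#    skips the reboot-based TPM test that Enable-BitLocker would otherwise schedule.
Enable-BitLocker -MountPoint $vol -EncryptionMethod XtsAes256 -TpmProtector `
    -UsedSpaceOnly -SkipHardwareTest

# 2. Never leave a volume TPM-only: add a recovery password so the data survives a
#    motherboard swap, firmware update or TPM clear.
Add-BitLockerKeyProtector -MountPoint $vol -RecoveryPasswordProtector | Out-Null

# 3. Escrow that recovery password to the computer object in AD DS, so recovery does not
#    depend on someone having saved the 48-digit password somewhere insecure.
$recovery = (Get-BitLockerVolume -MountPoint $vol).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $vol -KeyProtectorId $recovery.KeyProtectorId

# 4. Check: VolumeStatus should progress to FullyEncrypted and ProtectionStatus to On.
#    Both a Tpm and a RecoveryPassword protector should be listed.
Get-BitLockerVolume -MountPoint $vol |
    Format-List MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, KeyProtector
```

Step 3 fails with an access-denied or policy error if the AD DS backup policy is not in force, which is itself a useful check: a server whose recovery password is not in AD is a server you may not be able to recover.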
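As an added example that is not part of the original notes, the DHCP process, lease and options material above expressed as the server-side configuration in the DhcpServer PowerShell module: an eight-day lease, a MAC-based reservation, options 003/006/015, authorization in AD DS, and the hot-standby and load-balanced failover relationships. Server names, the subnet, addresses, the domain name and the shared-secret placeholder are all constructed.

```powershell
# Added example (not from the original notes): DHCP scope, lease, reservation, options
# and failover with the DhcpServer module. Constructed values: servers dhcp01/dhcp02,
# subnet 10.10.20.0/24, router 10.10.20.1, DNS 10.10.20.10/.11, domain corp.example.

# A domain-joined Windows DHCP server only serves leases once it is authorized in AD DS;
# this is also the control that keeps an unauthorized Windows DHCP server from answering.
Add-DhcpServerInDC -DnsName "dhcp01.corp.example" -IPAddress 10.10.20.10

# Scope with the default eight-day lease made explicit (clients renew at 50% and 87.5%).
Add-DhcpServerv4Scope -Name "Office LAN" -StartRange 10.10.20.50 -EndRange 10.10.20.250 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active

# Reservation: the server matches the client by MAC address (ClientId) and always gives it .60.
Add-DhcpServerv4Reservation -ScopeId 10.10.20.0 -IPAddress 10.10.20.60 `
    -ClientId "00-11-22-33-44-55" -Name "prn-floor1" -Description "Floor 1 printer"

# Scope options. The named parameters correspond to option codes 003 Router,
# 006 DNS Servers and 015 DNS Domain Name.
Set-DhcpServerv4OptionValue -ScopeId 10.10.20.0 -Router 10.10.20.1 `
    -DnsServer 10.10.20.10, 10.10.20.11 -DnsDomain "corp.example"

# Redundancy option 1: hot standby. dhcp02 keeps 10% of the scope in reserve and only
# answers clients while dhcp01 is unreachable.
Add-DhcpServerv4Failover -ComputerName "dhcp01" -Name "dhcp01-dhcp02-standby" `
    -PartnerServer "dhcp02" -ScopeId 10.10.20.0 -ServerRole Active -ReservePercent 10 `
    -SharedSecret "<replace-with-a-long-random-secret>"

# Redundancy option 2 (alternative; a scope can be in only one failover relationship):
# load balancing. The partners exchange lease state so an address is never issued twice.
# Add-DhcpServerv4Failover -ComputerName "dhcp01" -Name "dhcp01-dhcp02-lb" `
#     -PartnerServer "dhcp02" -ScopeId 10.10.20.0 -LoadBalancePercent 50 `
#     -MaxClientLeadTime (New-TimeSpan -Hours 1) -SharedSecret "<replace-with-a-long-random-secret>"

# Verify the scope settings and watch leases as clients complete Discover/Offer/Request/Ack.
Get-DhcpServerv4Scope -ScopeId 10.10.20.0 | Format-List ScopeId, SubnetMask, LeaseDuration, State
Get-DhcpServerv4Lease -ScopeId 10.10.20.0 |
    Format-Table IPAddress, ClientId, HostName, LeaseExpiryTime, AddressState -AutoSize
```

The shared secret authenticates the two failover partners to each other; generate it rather than typing a word, and use the same value on both servers. Scope splitting (80:20) needs no failover cmdlet at all: two independent scopes on two servers covering disjoint parts of the same subnet, with each server's exclusion range covering the other's share.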
- Example: in addition, you can use NPS to deploy secure password authentication with Protected Extensible Authentication Protocol (PEAP)-MS-CHAP v2 for wireless connections - good

**EFS**

EFS - the Encrypting File System is a feature introduced in version 3.0 of NTFS that provides filesystem-level encryption

**AD CS**

- Standalone signs certificates offline (root authority) - this is often kept offline; subordinate certificate servers only trust the root CA
- Enterprise - within a domain (intermediate)
- Subordinate - below a higher authority (issuing server)
- Certificate servers maintain lists of valid and invalid certificates; certificates can be issued or revoked, and revoked certificates go onto a CRL (certificate revocation list)

**VM supported**

- Essentials - up to 25 users - lower price
- Standard - 2 Hyper-V VMs
- Datacenter - unlimited VMs - very expensive

**RDS**

**Cloud Migration**

**VPN/RDS**

**SCCM**

- System Center Configuration Manager lets you deploy software based on a schedule
- Administrators can deploy applications and also get reports on the success/failure of the deployments
- We have to pay for it so we cannot set it up in a lab; SCCM does not come with Windows Server out of the box - it must be downloaded and installed onto the server after a licence is purchased
- SCCM also allows advanced administration tasks such as remote installation, patch management and OS deployment

**FSRM**

- A role in Windows Server that enables you to manage and classify data stored on file servers
- Can automatically classify files, perform tasks based on these classifications, set quotas on folders, and create reports monitoring storage usage:
  1) Quota Management - how much storage is allowed per directory
  2) File Screening Management - what kind of data may be stored
  3) Classification Management (criticality)
  4) File Management Tasks (runs based on classification)
  5) Storage Reports Management
FSRM use cases:

- Create a 200 megabyte quota for each user's home directory and notify them when they are using 180 megabytes
- Do not allow any music files to be stored in personal shared folders
- Schedule a report that runs every Sunday night at midnight that generates a list of the most recently accessed files from the previous two days
  - This can help you determine the weekend storage activity and plan your server downtime accordingly

Reference: docs.microsoft.com/en-us/windows-server/storage/fsrm/fsrm-overview

**Folder redirection**

- Folder redirection allows an administrator to forward a user's home directory to a central location
- This can be done through Group Policy and will mean that if employees hot-desk they will have greatly increased log-on times
- The administrator can specify where to keep a user's files

**Offline Files**

- Offline Files can be enabled on a shared folder so that users can connect and download the files to their local machine; this may be useful for people who only work some days in the office
- The default setting for Offline Files is that only the files specified will be made available offline
- If lots of users arrive at once and try to sync the folder contents, this can consume large amounts of network resources; to fix this, enable the 'Optimise for performance' option
- Optimise for performance will make caching take place in the background
- Caching for Offline Files can be configured on the server with additional options such as optimise for performance
- Only files needed for caching should be enabled for offline caching to client computers
- Sync options on the client computers can enable optimisation on the network and can prevent large groups of users connecting at the same time to sync
- The Always available offline option on the client will allow a network resource to always be cached
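The three FSRM use cases above (the 200 MB home-directory quota with a notification at 180 MB, the music-file screen, and the Sunday report of recently accessed files) as an added example in the FileServerResourceManager PowerShell module. This is not code from the original notes; the home-directory path D:\Home, the template and report names, and the assumption that FSRM's SMTP settings are already configured are mine.

```powershell
# Added example (not from the original notes): the three FSRM use cases in PowerShell.
# Assumptions: FSRM role present, user home directories are subfolders of D:\Home,
# and FSRM's SMTP server/from address are already set so e-mail actions can be sent.

Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

# Use case 1: 200 MB quota per home directory, user notified at 180 MB (90% of the limit).
# [Source Io Owner Email] and [Quota Path] are FSRM notification variables expanded at run time.
$notify = New-FsrmAction -Type Email -MailTo "[Source Io Owner Email]" `
    -Subject "You have used 180 MB of your 200 MB home folder" `
    -Body "Please remove files you no longer need from [Quota Path]."
$threshold = New-FsrmQuotaThreshold -Percentage 90 -Action $notify
New-FsrmQuotaTemplate -Name "Home 200 MB" -Size 200MB -Threshold $threshold

# An auto quota applies the template to every existing and future subfolder of D:\Home,
# so each user's directory gets its own independent 200 MB limit.
New-FsrmAutoQuota -Path "D:\Home" -Template "Home 200 MB"

# Use case 2: block music in personal shares. -Active makes the screen enforce (deny the
# write) rather than only log; "Audio and Video Files" is a built-in FSRM file group.
New-FsrmFileScreen -Path "D:\Home" -IncludeGroup "Audio and Video Files" -Active

# Use case 3: report every Sunday at 00:00 of files accessed within the previous two days.
# Assumption: -MostAccessedMaximum is the "accessed within N days" bound for this report type.
$weekly = New-FsrmScheduledTask -Time "00:00" -Weekly Sunday
New-FsrmStorageReport -Name "Weekend access activity" -Namespace "D:\Home" -Schedule $weekly `
    -ReportType MostRecentlyAccessed -MostAccessedMaximum 2 -ReportFormat Html

# Check what is now in force on the share.
Get-FsrmQuota -Path "D:\Home\*" | Format-Table Path, Size, Usage, SoftLimit -AutoSize
Get-FsrmFileScreen -Path "D:\Home" | Format-List Path, IncludeGroup, Active
Get-FsrmStorageReport -Name "Weekend access activity" | Format-List Name, Namespace, ReportType
```

A file screen is a policy control, not a security boundary: it matches on file name patterns, so renaming a file defeats it. It is still worth pairing with a Command action or event log action so that repeated blocked writes show up in monitoring.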

**DFS**

- DFS is the Distributed File System
- DFS Replication will allow data to be replicated across two disks - it is a server role
- DFS can let files be shared between two Windows servers in different locations

**RAID**

RAID - Redundant Array of Inexpensive Disks. RAID properties can be verified in Disk Management; RAID disks are configured with LUNs (logical unit numbers):

- RAID 0 - striping
- RAID 1 - mirroring
- RAID 5 - parity bit
- RAID 10 = 1+0

**DNS**

DNS records:

- The DNS zone used for AD DS is a forward lookup zone
- A forward lookup zone can have multiple record types, but it is most commonly used to convert host names to IP addresses
- If you have an AD DS domain named contoso.com, you need to have a DNS zone named contoso.com to support the domain
- DNS record types include: A - IPv4, AAAA - IPv6, CNAME - alias, MX - mail, NS - name server

DNS caching & logging:

- To minimize the number of DNS lookups on a network, the results from DNS requests are cached; caching can occur on DNS clients and non-authoritative DNS servers
- To view the DNS client cache on a Windows computer use ipconfig /displaydns or Get-DnsClientCache
- To avoid waiting for cache entries to time out use ipconfig /flushdns or Clear-DnsClientCache
- View DNS logs in the Event Viewer; by default Windows does not log every query that is performed on the server
- To track individual queries against a DNS server for troubleshooting, enable debug logging. WARNING: debug logging generates very large amounts of data

**ISE**

Get-ADUser gets one or more Active Directory users:

```powershell
Get-ADUser -Filter * -SearchBase "OU=Finance,OU=UserAccounts,DC=Example,DC=com"
```

Get a filtered list of users:

```powershell
Get-ADUser -Filter 'Name -like "*SvcAccount"' | Format-Table Name,SamAccountName -A
```

```
Name              SamAccountName
----              --------------
SQL01 SvcAccount  SQL01
SQL02 SvcAccount  SQL02
IIS01 SvcAccount  IIS0
```

PowerShell ISE:

- The Integrated Scripting Environment (ISE) is a graphical user interface that allows you to run commands and create, modify and test scripts without having to type all the commands in the command line
- The tool allows the development of scripts, which are collections of commands where you can add complex logic for their execution
- The ISE tool is designed for the needs of administrators of Windows systems who need to repeatedly run sequences of commands that manipulate the configuration of these systems

**Backups**

- The Windows Server Backup feature is installed via Server Manager or with PowerShell
- Differential backup is faster because there is less administrative overhead

**AD Tombstone**

- Active Directory structures are arrangements of information about objects
- Objects fall into two broad categories: resources (e.g., printers) and security principals (user or computer accounts and groups); each object represents a single entity
- Certain objects can contain other objects - like OUs
- An object is uniquely identified by its name and has a set of attributes (the characteristics and information that the object represents) defined by a schema, which also determines the kinds of objects that can be stored in Active Directory
- If an object is deleted it goes into the Active Directory Recycle Bin for its "tombstone lifetime" - 180 days

**GPO backup**

Backup & recovery:

- GPOs can be backed up from within the GPMC
- Find the GPO in the GPMC, then right-click; in the right-click menu click Back Up
- After selecting this, you will be presented with a dialog box that will ask you where to store the backed-up GPO
- To restore a GPO go to the Group Policy Objects node in GPMC, right-click and select Manage Backups
- This will open up the window; click the GPO to restore and choose ... Restore
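The DNS section above lists the record types an AD DS forward lookup zone carries and the client-cache and debug-logging commands. As an added example, not code from the original notes, here is the same material in the DnsServer and DnsClient PowerShell modules: creating each record type in the contoso.com zone named in the notes, inspecting and flushing the client cache, and switching server-side query logging on and off again. The host names and addresses are constructed (documentation ranges), and the log path is mine.

```powershell
# Added example (not from the original notes): zone records, client cache and debug
# logging for the AD DS forward lookup zone contoso.com. Host names, the 192.0.2.0/24 and
# 2001:db8:: addresses, and D:\DnsLogs are constructed values.

$zone = "contoso.com"

# One record of each type from the notes. NS records for the zone already exist; they were
# created with the zone itself. Name "." for MX means the zone apex (mail for @contoso.com).
Add-DnsServerResourceRecordA     -ZoneName $zone -Name "web01" -IPv4Address 192.0.2.10 -CreatePtr
Add-DnsServerResourceRecordAAAA  -ZoneName $zone -Name "web01" -IPv6Address 2001:db8::10
Add-DnsServerResourceRecordCName -ZoneName $zone -Name "www"   -HostNameAlias "web01.contoso.com"
Add-DnsServerResourceRecordMX    -ZoneName $zone -Name "."     -MailExchange "mail.contoso.com" -Preference 10

# Review the zone. Unexpected A/CNAME/MX changes here are worth alerting on: a modified MX
# or CNAME silently redirects mail or web traffic for the whole domain.
Get-DnsServerResourceRecord -ZoneName $zone |
    Where-Object RecordType -in 'A', 'AAAA', 'CNAME', 'MX', 'NS' |
    Format-Table HostName, RecordType, RecordData -AutoSize

# Client-side cache (the PowerShell equivalents of ipconfig /displaydns and /flushdns).
Get-DnsClientCache | Where-Object Entry -like "*contoso.com" | Format-Table Entry, Data, TimeToLive -AutoSize
Clear-DnsClientCache

# Server-side debug logging of individual queries and answers to a file capped at 500 MB.
# This is the "very large amounts of data" setting from the notes: turn it on for the
# duration of the investigation only.
Set-DnsServerDiagnostics -Queries $true -Answers $true -ReceivePackets $true -SendPackets $true `
    -UdpPackets $true -TcpPackets $true -EnableLoggingToFile $true `
    -LogFilePath "D:\DnsLogs\dns.log" -MaxMBFileSize 500

# ... troubleshoot, then switch every diagnostic option off again.
Set-DnsServerDiagnostics -All $false
Get-DnsServerDiagnostics | Format-List Queries, Answers, EnableLoggingToFile, LogFilePath
```

For continuous monitoring, DNS analytical event logging (Event Viewer, Microsoft-Windows-DNS-Server/Analytical) is the lower-overhead alternative to the file-based debug log used here.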
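The GPO backup section above gives the GPMC right-click procedure. The following is an added example, not from the original notes, of the same backup and restore done with the GroupPolicy module so it can be scheduled and kept alongside an HTML settings report for change review. The domain ec.com comes from the notes; the share path \\fs01\GpoBackups and the GPO name "Workstation Hardening" are constructed.

```powershell
# Added example (not from the original notes): scripted GPO backup and restore.
# Constructed values: backup share \\fs01\GpoBackups, GPO "Workstation Hardening".
# The domain name ec.com is the one used earlier in the notes.

Import-Module GroupPolicy
$domain = "ec.com"
$dest   = "\\fs01\GpoBackups\$(Get-Date -Format 'yyyy-MM-dd')"
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Back up every GPO in the domain into a dated folder. Keep the share writable only by
# the backup account and domain admins: a restored GPO is applied as-is, so the backup
# set is as sensitive as the GPOs themselves.
Backup-GPO -All -Domain $domain -Path $dest -Comment "Scheduled backup $(Get-Date -Format s)"

# A readable settings report next to each backup makes it possible to diff what changed
# between two backup sets without restoring anything.
foreach ($gpo in Get-GPO -All -Domain $domain) {
    $safeName = ($gpo.DisplayName -replace '[\\/:*?"<>|]', '_')
    Get-GPOReport -Guid $gpo.Id -Domain $domain -ReportType Html `
        -Path (Join-Path $dest "$safeName.html")
}

# List what the backup set contains (one subfolder per backed-up GPO).
Get-ChildItem -Path $dest -Directory | Select-Object Name, LastWriteTime

# Restore a single GPO from its most recent backup in this folder; the restored object
# keeps the original GUID, so links from OUs remain valid.
Restore-GPO -Name "Workstation Hardening" -Domain $domain -Path $dest

# Roll back every GPO in the domain to this backup set (e.g. after a bad bulk edit).
# Restore-GPO -All -Domain $domain -Path $dest
```

Restore-GPO replaces the GPO's settings and security filtering but not its links; if a link was removed after the backup, re-create it with New-GPLink.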
