This article provides a comprehensive guide to deploying Active Directory and DNS Services on Windows Server 2022, encompassing the Essential, Standard, and Datacenter editions. Our guide also includes step-by-step instructions for promoting the Windows server to a Domain Controller (DC). To enhance user experience, we've included plenty of helpful screenshots, ensuring a smooth and uncomplicated installation process.

Key Topics

• Installation of Active Directory and DNS Services
• Promoting the Windows server to a Domain Controller
• Summary

Explore our dedicated section on Windows Servers for a rich collection of articles providing in-depth coverage and insights into various aspects of Windows Server functionality.

Installation of Active Directory and DNS Services

To begin, in Server Manager, select Dashboard from the left pane, then Add roles and features from the right pane:

Recommended Article: How to install and configure a Windows CA Server

Enabling the Web Server certificate template is a simple and non-disruptive process. From the Administrative Tools, open the Certification Authority tool. Next, right-click on the Certificate Templates folder and select Manage:

This will open the Certificate Templates Console as shown below.  Double-click on the Web Server template:

The Web Server Properties window will now appear. Click on the Security tab and select the Authenticated Users from the Group or user names section.  In the Permissions for Authenticated Users section tick the Allow action for the Enroll permission. When ready, click on OK:

Congratulations - you’ve now successfully enabled the Web Server certificate template option. Your Windows CA server should now present the previously mission option as shown below:

Summary

This article explained how to enable the Web Server certificate template option on your Windows Certification Authority (Windows CA) Server. We included step-by-step screenshots to ensure its a detailed and yet simple process to follow.

In our example we will enable the SNMP agent and configure a SNMP community string to allow our Network Monitoring System (NMS) monitor our server resources.

Execution Time: 10 minutes

Step 1 – Install SNMP on Windows Server 2016

Open the Control Panel on your Windows Server and Double-click on the Program and Features icon:

This will open the Add Roles and Features Wizard. Keep clicking on the Next button until you reach the Features section. From there, select the SNMP Service option:

When prompted, click on the Add Features button to include the installation of the Administration SNMP Tools:

Optionally you can include the SNMP WMI Provider option located under the SNMP Service. When ready click on the Next button.

This is the final screen – simply click on the Install button. Ensure the “Restart the destination server automatically if required” option is not selected:

The SNMP Service will now be installed on your Windows 2016 Server. This process will require around 3 minutes to complete. When done, click on the Close button to exit the installation wizard:

Step 2 – Configure SNMP Service & Read-Only or Read-Write Community String

Configuring the Windows 2016 Server SNMP Service is a simple task. As an administrator, run services.msc or open the Services console from the Administrative Tools. Double-click the SNMP Service and go to the Security tab:

To add a Read-Only community string, click on the Add button under the Accepted community names. Enter the desirable Community Name and set the Community rights to READ ONLY. When done, click on the Add button:

Next, in the lower section of the window, click on the Add button and insert the IP address which will be allowed to poll this server via SNMP. This would be the IP address of your Network Monitoring Service. In our environment our NMS is 192.168.5.25. When done, click on Apply then the OK button:

To confirm SNMP is working correctly, we configured our NMS to query and retrieve information from our server every 5 minutes. After a while we were able to see useful information populating our NMS:

Depending on your Network Monitoring System you'll be able to obtain detailed information on your server's status and state of its resources:

Summary

This article briefly explained the purpose of SNMP and how it can be used to monitor network devices and collect useful information such as CPU, RAM and Disk usage, processes running, host uptime and much more. We also showed how to install and configure the SNMP Service for Windows Server 2016. For more technical Windows articles, please visit our Windows Server section.

This guide will show you how to quickly install and setup a Certification Authority server on Windows 2016 server. The guide includes the installation of the Certification Authority Web Enrollment service to allow your organization to request, renew and download certificates via a simple web interface.

Execution Time: 10 - 15 minutes

Step 1 – Installation of Windows Active Directory Certificate Services

Launch Server Manager and go to Manage > Add Roles and Features:

 At the next screen select simply click on the Next button:

 Ensure Role-based or feature-based installation is selected and click on Next:

 At the next screen select the destination server from the available Server Pool and click on the Next button:

Next, tick the Active Directory Certificate Services from the available roles:

The Add Roles and Features Wizard will immediately pop up a new window requiring you to confirm the installation of additional tools needed to manage the CA feature. To confirm, click on the Add Features button:

You will now return to the previous window. Simply click on the Next button to continue.

At the Select Features window just click on the Next button:

The next section is around the Certificate Services we want to install. The initial window warns that once the computer/server name cannot be changed after a certification authority (CA) has been installed. Take a moment to read through the information and click on Next when ready:

The next window allows you to select the desired Certification Authority services to be installed. The first one, Certification Authority is selected by default however it is advisable to also select the Certification Authority Web Enrollment feature as it will provide a simple web interface from where you can submit certificate signing requests, download certificates and more.

As soon as the Certification Authority Web Enrollment feature is selected a pop up window will appear requesting confirmation to install additional features needed. Click on Add Features:

You’ll now be returned back to the previous window, click on Next to continue.

The next screen is required for the installation of IIS Web Services. If you already have IIS installed, you won’t need to run through these steps. Click on Next to continue:

At the next screen, IIS Web Server options, we can easily accept the default selected services. Feel free to scroll down and check the available options otherwise simply click on Next to continue:

The final window is a simple confirmation of all selected services and features. Note the automatic restart option at the top – it’s advisable not to use it as the Window Server might restart once installation is complete.

When ready, click on the Install button to begin the installation:

Installation can take from 5 to 10 minutes depending on how busy the server is. Once complete it is necessary to configure Active Directory Certificate Services on the destination server by clicking on the link provided at the end of the installation wizard:

Step 2 - Configuring Active Directory Certificate Services (AD CS)

Configuring Active Directory Certificate Services is a simple and quick process. You can initiate this process from the previous step or from the Server Manager Dashboard by clicking on the exclamation mark and selecting Configure Active Directory Certificate Services on the destination server:

Once the configuration process is initiated, the system will require credential confirmation to install the necessary role services. Enter a username that belongs to the Local and Enterprise Admin group. By default the Administrator username will appear. When ready click on Next:

Next, select the Role Services to be configured. The two services available for us are Certification Authority and Certification Authority Web Enrollment. Select them both and click on Next:

At the next screen select Enterprise CA (default) as CA setup type and click on Next:

Next, assuming this is the first and possibly only CA in your organisation, select Root CA (default) as the type of CA and click on Next:

Next, we will create a new private key (default option) and click on Next to configure its options:

On the next screen we can leave all options to their default settings and continue. Alternatively a different hash algorithm can be selected e.g SHA384 or SHA512 with a larger Key Length. When ready, click on Next:

Here we can change or leave the suggested Common Name (CN) for our Certification Authority (CA). When ready, click on Next:

The Validity Period determines how long the certificate generated for our CA will be valid. By default this is 5 years however it can be adjusted either way. Enter the desirable amount of years and click on Next:

Last option is the configuration of the database locations. Accept the default locations and click on Next:

Finally, we are presented with a confirmation window with all settings. This is the last chance to change any settings or values. When ready, click on Configure:

After a few seconds the Results window will appear confirming all roles, services and features have been successfully configured.  Click on Close to exit the configuration wizard:

We’ll now find the Certificate Authority MMC available in the Administrative Tools:

We can also visit the CA Server’s web site to request and download signed certificates by visiting the URL:  http://<server IP>/certsrv e.g http://192.168.1.10/certsrv:

Summary

This article explained the role and importance of a Windows Certificate Authority Server provided a step-by-step guide how to install and configure a Windows 2016 Certification Authority Server including the Certification Authority Web Enrollment component.

Altaro has launched a great contest in celebration of SysAdmin Day on 27^th July!

They will be giving away Amazon eGift Cards to the first 100 eligible entries and 1 Grand Prize to 1 lucky winner.

The Grand Prize winner will be able to choose any prize from the following: a PlayStation 4 Pro, Xbox One X, a 3-year membership of Amazon Prime, an Unlimited Plus Edition of Altaro VM Backup, and more!

All contest participants will even get FOREVER FREE backup for 2 VMs when they download Altaro VM Backup!

Want to WIN?

Here’s what you need to do to:

1. Download Altaro VM Backup from https://goo.gl/Zvedfs using a valid work email address
2. Set up a virtual machine on Altaro VM Backup and take a screenshot. Only screenshots that show at least 1 VM added for backing up will be considered as eligible.
3. Upload the screenshot and the Grand Prize choice at the link you will receive via email once you download Altaro VM Backup from the contest landing page.

Good luck!

Aimed toward Hyper-V and VMware admins this webinar will cover critical topics such as:

• vSphere basics and a crash course in HA, DRS, and vMotion
• Management differences between vSphere and Hyper-V
• How to migrate VMs from Hyper-V to VMware using the VMware vSphere Converter

The entire session will be geared towards Hyper-V admins who are looking to broaden their horizons by adding VMware know-how to their toolbox.

Webinar Date: Tuesday, June 27th 2017 - Click here to join.

Time: Time for US attendees: (10am PDT / 1pm EDT), Time for EU attendees: (2pm CEST)

While the event date has passed, it has been recorded and is available for viewing. All material are available as direct downloads. Click here to access the event.

There’s a lot of new exciting features we are covering so without any further delay, let’s take a look at what we have in hand for you:

• Hyper-V Hypervisor Technology Overview
• Hyper-V in Windows Server 2016
• Hyper-V Containers
• Hyper-V Security Features
• Generation2 VMs Performance and Features
  • Hyper-V Backups & Checkpoints
  • Hyper-V Rolling Cluster Upgrades
  • Hyper-V Networking
  • Hyper-V Storage
  • Miscellaneous Hyper-V Improvements
• Hyper-V Requirements on Windows Server 2016
• Hyper-V Shielded Virtual Machines
• Discrete Device Management
• Hyper-V Supported Windows Guest O/S
• Linux Support
• Hyper-V Scalability

Users new to Hyper-V can also read our Introduction to Hyper-V Concepts article

Hyper-V Hypervisor Technology Overview

Hyper-V was first released in 2008 as a re-brand of Microsoft’s Virtual PC. It lets users create a virtual machine (VM), a complete, software version of a computer. Users don’t have to install an OS through the normal route, and instead run a program on top of their current one.

This is made possible by a hypervisor – a layer between the physical and virtual environments that can manage the system’s hardware between VMs. It isolates the host machine from its underlying hardware.

This opens some natural benefits. Firstly, a virtual machine is in a separate environment to the host computer. As a result, any problems that occur do not affect the regular operating system. This makes virtual machines ideal testing environments.

This is furthered by the ability to run multiple operating systems at once. Most modern computers have more hardware than needed for day to day tasks, and users can run, for example, a Windows, Windows Server, and Linux operating system simultaneously. Instead of requiring three different servers, only one is required. This cuts down on hardware, power, maintenance, and cooling costs.

It also allows for more flexible deployment. At a hefty fee, admins can purchase a Windows Datacenter license and create infinite virtual machines without having to pay any extra. In testing or production environments, this cuts out vital slowdown while employees check licenses. With virtualization, new servers can be deployed in minutes.

Another flexibility is hardware resources. Users can configure Hyper-V to utilize different amounts of resources, including the processor, storage, and memory. This is particularly useful if an organization uses a Virtual Desktop Infrastructure (VDI). A Windows operating system is hosted on a central server, and users are given virtual desktops over the network. Not only does this save on licensing costs, it means admins can scale the amount of resources users have depending on various factors.

Hyper-V also lets admins make easy backups. It’s simple to copy a VM and restore it later if anything goes wrong. With Hyper-V, there are two options – saved states, and Volume Shadow Copy Service (VSS). VSS lets admins make backups even when files are in use, meaning the process can be completed on demand.

This ease of movement can be useful in other scenarios. Built-in features like live and storage migration make virtual machines much more portable. Users can access the exact same environment on a different machine, without the need for complex procedures. That combines with security features like Secure Boot to protect the host OS from viruses, malware, and attacks.

Hyper-V in Windows Server 2016

One of the most popular hosts for a virtual machine is Microsoft’s Windows Server OS. For the past few years, admins have been running Windows Server 2012 R2, a Windows 8.1-based platform. However, the release of Windows 10 has prompted a Windows Server 2016 variant, and it comes with plenty of new functionality.

A big example is the introduction of Microsoft’s Nano Server. A purpose-built OS, Nano Server is a lightweight version of Windows Server Core that’s designed to run born-in-the-cloud applications and containers. It’s complementary to Windows Server 2016, has no GUI, and is optimized for Hyper-V. The service provides an environment with a low overhead and fewer avenues of attack.

Windows Server 2016 also introduces nested virtualization. Essentially, this lets you run a VM inside another VM. Though it’s a strange concept, the usage scenarios are more common than you may think. Many companies now use the virtual infrastructure we mentioned earlier, and this means those systems can still use Hyper-V. It also makes for a good test environment, letting trainees try out different Oss and situations without the need for separate hardware.

Other big improvements come to the Hyper-V manager. An updated WS-MAN management protocol lets admins do a live migration without having to enable extra settings in Azure Active Directory. This also enables CredSSP, Kerbos or NTLM authentication, and makes it easy to enable a host for remote management.

This is furthered by support for alternate credentials when connecting to another Windows 10 or 2016 remote host. This includes a save functionality so that you don’t have to type it every time. Though earlier versions don’t support this functionality, you can still use the Hyper-V manager in Windows Server 2016 to control earlier versions. The new manager supports Windows Server 2012, 2012 R2, Windows 8, and 8.1.

The next major change is PowerShell Direct. The process runs between the host and virtual machine, meaning there’s less need to configure firewalls and networks. It lets users remotely run cmdlets in multiple VMs without complex setup. PowerShell functionality extends to NanoServers, where it can run directly.

Hyper-V Containers

It’s no secret that containers are on the rise, and are becoming increasingly common in production scenarios. With Windows Server 2016, Microsoft has introduced Windows and Hyper-V Containers for the first time.

For those unfamiliar, containers let users create an isolated environment in which to run an application. The environment lets an app run without affecting the rest of the system, and vice versa. In comparison to a VM, they’re more lightweight and don’t emulate hardware in the same way.

Traditionally, containers were limited to Linux Oss. Through a collaboration with Docker, Windows Server 2016 now offers two type of containers.

• A Windows Server Container uses namespace and isolation technology, but shares a kernel with the container host and all other running containers.
• A Hyper-V container instead runs each container in an optimized VM. In this case, the kernel isn’t shared with the host, or other containers.

Windows Containers have several important features, including HTTPS support, data management through container shared folders, and the ability to restrict container resources.

Hyper-V Security Features

Hyper-V on Windows Server 2016 also comes with new security features. The first is the ability to use Secure Boot with Linux VMs. This feature was previously restricted to Windows 8 and Server 2012, and checks the signature of boot software on launch to prevent malware and unauthorized OSs launching during start up.

Host resource protection also has some security and stability improvements. It stops VMs from hogging system resources by monitoring activity and downgrading VMs with excessive usage. It can be enabled through PowerShell and prevents performance degradation with the host or other machines.

Shielded virtual machines provide further protection. In essence, they provide a stronger barrier against spying by administrators and malware. Encryption is applied to the state and data, meaning admins can’t see the activities or intercept information. This combines with further encryption options for operating system disks on generation 1 virtual machines. Users can utilize BitLocker to do this, creating a small drive that contains the encryption key. To start the machine, hosts need either access to the private key or to be part of an authorized guarded fabric.

Generation 2 Virtual Machines, Performance and Features

Generation 2 VMs have some new features, too. Namely, they can use a lot more memory and virtual processors. Gen 2 supports up to 12 TB of virtual memory versus the previous 1 TB, and up to 24 TB per physical host server. It also supports 240 Virtual Processors instead of 64, and 512 logical processors rather than 320.

The result is a huge increase in performance, suitable for large-scale online transaction processing and data warehousing. Microsoft benchmarks reveal up to 343,000 transactions per second with a 4 TB in-memory database and 128 virtual processors. That’s 95% of a physical server’s performance.

Figure 2. Physical server vs. Hyper-V performance

Generation 2 VMs also offer new, virtualization-based security. Microsoft’s Device Guard and Credential Guard offers protection against malware and operating systems in guest VMs that are version 8 or higher.

Further functionality comes with the ability to hot add and remove network adapters and memory. In simple terms, this lets users add or remove network adapters while a machine is still running. While that feature is exclusive to Gen 2, both generations can now adjust the amount of memory utilised on-the-fly, even with the “dynamic memory” option disabled.

Backups and Checkpoints

Though Hyper-V offers significantly easier backups, the VSS system can be a little unreliable. In 2016, Microsoft has built change tracking into Hyper-V, which makes it easier for third-party software vendors to create backup solutions.

However, a backup system isn’t much use if you have faulty checkpoints and snapshots. In Windows Server 2012, snapshots could cause serious problems in a production environment. Restoring a VM from a snapshot could put the database server out of sync, creating problems down the line.

Thankfully, this is remedied in Windows Server 2016. It introduces “production checkpoints”, which complies with support policies. The new checkpoints use VSS rather than saved states, greatly reducing the risks. The feature is enabled by default in Hyper-V.

Rolling Cluster Upgrades

An efficient, reliable upgrade system is equally important. Microsoft has made upgrading from 2012 R2 to 2016 far easier than previous versions. Rather than requiring a separate cluster to start the migration process, 2016 introduces rolling cluster upgrades.

This lets admins upgrade a cluster without any downtime. Clusters run at the feature level of 2012 R2 until all the nodes are upgraded, at which point the user can either reverse it or enable the 2016 features with a PowerShell cmdlet.

Networking

Further functionality is introduced to Hyper-V networking. Microsoft has enabled Remote direct memory access for switch embedded teaming (SET). This lets admins group up to eight network adapters into a single virtual one, whilst still able to use RMDA. For those unfamiliar, RDMA allows you to read and write memory without the use of a remote CPU, leading to less CPU utilization and latency.

Another new feature is Virtual machine multi queues, or VMMQ. This builds on the previous VMQ by allowing multiple hardware queues for each VM. Thus, default queues are actually a set, with traffic spread between them.

Storage

Windows Server 2016 also makes changes to storage options for a more manageable experience. Shared virtual hard disks can now be resized while the machine is still online. New functionality also extends to guest clusters, which can protect virtual hard disks with Hyper-V replica.

Microsoft has updated its storage Quality of Service policies. QoS lets admins manage and monitor storage performance using scale-out file server roles. Windows Server 2016 makes several tweaks to that system.

Storage QoS now makes sure a VM can’t take all the storage resources, cutting out other machines’ options. This combines with the ability to define performance minimum’s and maximums for individual VMs, providing a more reliable experience.

Finally, the storage of virtual machines can be monitored as soon as they start. These details are all viewable from a new, single location.

There are other options available for those struggling with storage space. Data Deduplication searches for redundant data by looking for duplicate files. The data is then sorted and compressed, optimizing the drive without compromising data integrity. Further improvements come in the form of a new VM configuration format. Vmcx files make data reading and writing more efficient, and lessen the chance of corruptions.

Miscellaneous Hyper-V Improvements

Though Windows Server 2016 introduces some major improvements, there are also smaller ones that are very interesting. One is the ability to connect PCIe hardware directly to a VM. Microsoft calls it Discrete Device Assignment and currently supports NVMe storage, allowing for fast SSD speeds.

However, more exciting is the future of PCIe in Windows Server. Microsoft is working with GPU vendors to add support for specific GPUs, which could be useful for graphic intensive programs like rendering software and Photoshop.

There’s also a minor but important feature for Always On computers. A Connected Standby power state is now available, even with the Hyper-V role installed. Connected Standby is available with select CPUs, and lets the PC listen for notifications in a similar way to phones. If a message appears, the screen will light up, notifying the user.

Hyper-V System Requirements on Windows Server 2016

Naturally, some of these new features come with hardware requirements. Though those prerequisites haven’t changed dramatically since 2012 R2, Hyper-V still won’t work with every system. This is especially true if you want to utilize new features such as shielded VM and discrete device assignment.

General Requirements

First off, the general Hyper-V requirements. You’ll need the following specifications as a base, regardless of any extra features you want:

• A processor that’s 64-bit and supports Second-Level Address Translation (SLAT). This is required for virtualization, but not for Hyper-V management tools.
• At least 4 GB of RAM, preferably more, and higher amounts for multiple VMs.
• VM Monitor Mode extensions
• Virtualization turned on in BIOS of UEFI, including hardware-assisted virtualization and hardware-enforced Data Execution prevention (DEP).

There are several ways to tell if you meet these requirements, but the easiest is through command prompt or PowerShell. You can follow these steps:

1. Press Windows + R
2. Type cmd.exe (powershell.exe alternatively)
3. In the command line, enter Systeminfo.exe and press Enter
4. View your report under Hyper-V Requirements

Hyper-V Shielded Virtual Machines

As mentioned earlier, Shielded Virtual Machines have further requirements. The host needs the following:

• UEFI 2.3.1c for secure and measured booting
• TMP v2.0 if you want platform security asset protection
• IOMMU (Intel VT – D) for direct memory access protection

In addition, VMs need to be Generation 2, and the guest operating system must be Windows Server 2016, 2012 R2, or 2012.

Discrete Device Management

The feature with the most requirements is Discrete Device Management. Hosts need supported processors, chipsets and firmware table, as follows:

• Processor: Support for Intel Extended Page Table (EPT) or AMD Nested Page Table (NPT)
• Chipset: Interrupt Remapping support, either Intel VT-d2, or AMD I/O memory management. It must also support DMA remapping and Access control services for PCI-e root ports.
• Firmware tables: I/O MMU exposure to the Windows hypervisor is a must, and needs to be enabled in UEFI or BIOS.

Hyper-V Supported Guest Operating Systems

The availability of guest operating systems also varies slightly with Windows Server 2016. While Windows Server has the best virtual processor support, other systems still provide great functionality. Here’s the full list of Windows guest operating systems and their differences:

• Windows Server 2016: 240 virtual processors (gen 2), 64 (gen 1)
• Windows Server 2012 R2: 64 virtual processors
• Windows Server 2012: 64 virtual processors
• Windows Server 2008 R2 with SP 1: 64 virtual processors
• Windows Server 2008 with SP 2: 4 virtual processors
• Windows Small Business Server 2011: 4 virtual processors (standard edition) 2 (essentials edition)
• Windows 10: 32 virtual processors
• Windows 8.1: 32 virtual processors
• Windows 7 with SP 1: 4 virtual processors (must be Professional, Enterprise, or Ultimate)
• Windows Vista with Service Pack 2 (SP2): 2 virtual processors (must be Business, Enterprise, or Ultimate)

Guest OSs also vary in the support for Integration Services. In general, Windows 8.1 (Windows Server 2012) or higher has Integration Services built-in. Other versions usually require an upgrade or install after the guest operating system is set up.

Hyper-V Linux Support

Hyper-V support for Linux is a little more complex. Microsoft provides both emulated and Hyper-V specific devices, but the performance and features of emulated devices is limited. As a result, the software giant recommends using Hyper-V specific devices for Linux, alongside its Linux Integration Services (LIS) drivers.

LIS is integrated into the Linux kernel and is regularly updated, but this may not extend to users on older distributions. Thus, some users must download LIS manually.

That said, support for Linux in Windows Server 2016 is good, and builds on previous versions. Microsoft has LIS support for the following distributions:

CentOS

• RHEL/CentOS 7.x, 64-bit
• RHEL/CentOS 6.x, 64-bit (No built-in LIS for 6.0-6.3)
• RHEL/CentOS 5.x, 32-bit (No built-in LIS before 5.9

It’s worth noting that CentOS has some feature limitations, though these can vary depending on version. There are issues with StaticIP injection across the board when Network Manager is configured for a synthetic network adapter. In addition, VLAN trunking only works in 7.x, PCI pass through and SR-IOV only work on 7.3 and higher. Live virtual machine backups aren’t possible in 5.2, 5.3, or 5.4.

Debian

• Jessie [8.0-8.5]
• Wheezy [7.0-7.11]

Debian also has some restrictions. The main one is the inability to create file systems on VHD’s larger than 2TB. There are live virtual machine backup problems here too, not working with ext2 filesystems.

Oracle

• Red Hat (No built-in LIS for 6.0-6.3)
  • 6.x - 32-bit, 32-bit PAE, 64-bit
  • 7.x - 64-bit
• Unbreakable Enterprise Kernel

With RedHat, VLAN trunking only works on versions 7.0-7.2. It also has issues with virtual fibre channels, where the machine may not be able to mount correctly if LUN 0 has not been populated. Both RedHat and UEK may have to undergo a filesystem check if there are open file handles during backup and may fail silently if there is an iSCSI or pass-through disk attached.

SUSE

• SLES SP2
• SLES SP1 – 64-bit only
• SLES 12 – 64-bit only
• SLES 11 SP4
• SLES 11 SP3
• SLES 11 SP2
• Open SUSE 12.3

SUSE has the same Static IP injection limitations as CentOS, so Network Manager must be turned off or configured correctly. Similarly, live backup issues mirror that of Oracle VMs. Finally, Windows Server 2016 users must type memory parameters in multiples of 128 MB or there will be Hot-Add failures and lack of a memory increase.

Ubuntu

• 16.10
• 16.04
• 14.04
• 12.04

Ubuntu suffers from some of the limitations mentioned earlier. Specifically, there are static IP injection problems with Network Manager, virtual fibre channel issues if LUN 0 isn’t populated (except for 12.04), and similar problems with live backups in 14.04+.

It’s worth noting that most of these problems can be solved by proper configuration. It’s worth checking the TechNet documentation for a full list of issues and solutions for each version. Microsoft also has some best practices for running Linux on Hyper-V.

Hyper-V Scalability

Other than OS and feature support, Hyper-V varies in its scalability. While we have mentioned some of the virtual hardware increases in Gen 2 VMs, there are other factors to consider too. Here are the maximum numbers for each virtual machine component:

• Checkpoints: 50
• Memory: 12 TB for Gen 2, 1 TB for Gen 1
• Serial ports: 2
• Virtual Fibre Channel adapters: 4
• Virtual Floppy devices: 1
• Virtual hard disk capacity: 64 TB VHDX, 2040 GB VHD
• Virtual IDE disks: 4
• Virtual processors: 240 for Gen 2, 64 for Gen 1, 320 for host OS
• Virtual SCSI controllers: 4
• Virtual SCSI disks: 256
• Virtual network adapters: 12 (8 Hyper-V specific, 4 legacy)

There are also some limitations for each Hyper-V host, though many components are uncapped:

• Logical processors: 512 (320 for host OS partition)
• Memory: 24 TB
• Virtual machines per server: 1024
• Virtual processors per server: 2048

Finally, Hyper-V has some Failover Clustering maximums. There’s a maximum of 64 nodes per cluster, so admins need to be aware of that when planning. There’s also an 8,000 per cluster limit for running virtual machines. However, this can vary significantly depending on the use of physical memory by each VM, number of disk spindles, and networking and storage bandwidth.

Summary

Windows Server 2016 takes many of the traditional advantages of virtualization and extends them. With its latest release, Microsoft has managed to provide major increases in performance, security, and management without complex system requirements or lack of OS support.

The Redmond giant’s latest server OS brings huge improvements in the form of Nano Servers, Containers, Shielded VMs, and hardware virtualization. The result is an undeniably better operating system for hosting Hyper-V machines.

However, there are still some possible issues admins should be aware of. Windows Server 2016 collects telemetry data by default, and there’s no option to turn it off entirely. It consists of security information, basic device information, how apps are used, and more. Naturally, all this data is anonymised and is used to create significant improvements. Still, some users may not be happy with this change from 2012 R2.

Microsoft is moving to a different update model with 2016, which can be positive in some cases but negative in others. The company rolls out two updates per month, one with security fixes and another with quality fixes. Each falls on a different day of the month.

On the plus side, this removes the issue of security updates being unnecessary once the quality update rolls out. The annoyance comes from the automatic updates and restarts that are enabled by default. Naturally, admins don’t want their server restarting without their express permission, and it’s not uncommon for updates to cause an issue with certain applications. Though this can be configured in 2016, it’s not as simple as previous versions.

Despite this, Windows Server 2016 remains a huge step forward for Hyper-V virtualization. It introduces some great new virtualization features, and its fleshed out free version makes it a natural choice for small businesses.

Altaro’s unique Augmented Inline Deduplication delivers faster backups and restores on local and offsite locations by making sure that only new data is transferred to the backup or offsite location. This augmented inline deduplication technology solves a common problem found in conventional backup solutions which deduplicates data after the transfer process. With Altaro VM Backup, that process happens before the data is transferred. This process not only provides quicker backups, but it also reduces the amount of storage needed to store said backups significantly more than any other solution on the market today.

"VM Backup is an important milestone at Altaro” said David Vella, CEO of Altaro. "Not only does it fully support all Windows Servers, our new and unique Augmented Inline Deduplication technology offers our customers the best storage savings in the industry"

Boot from Backup is another innovation in Altaro VM Backup that enables users to instantly boot any VM version from the backup location without affecting integrity of the backup. If disaster strikes, the VM can be booted up instantly from the backup drive with minimal downtime, while the VM is restored back to the Hypervisor in the background. A simple VM reboot completes the recovery process and preserves any changes done while the VM was booted.

For more information about Altaro VM Backup, visit altaro.com/vm-backup

Taking into consideration that the Intel Xeon E7-8890v4 contains a total of 24 cores capable of supporting up to 48 threads, one can quickly understand the software giant’s intention and why it is no longer continuing the per CPU Pair model for its Standard and Datacenter server editions.

Windows Server 2016 License Models

The Windows Server 2016 licensing model consists of per-core/processor + Client Access Licenses (CALs). Each user or device accessing a Windows Server Standard, Datacenter or Multipoint edition requires a Windows CAL or a Windows Server and a Remote Desktop Services (RDS) CAL.

In addition to these changes many would be surprised to know that there is now a minimum number of Per-Core licenses required per physical CPU and Server:

• A minimum of 8 core licenses is required for each physical CPU.
• A minimum of 16 core licenses is required for each server.
• A 2-core license pack is the minimum amount of core licenses you can purchase. E.g you’ll need four 2-core license packs (4x2) to fully license an 8-core CPU.
• The 2-core license is priced at 1/8 (one eighth) the price of a 2-CPU license for corresponding Windows 2012 R2 editions in order to keep the pricing similar. This means the pricing of a 16-core Windows 2016 Datacenter server is equal to a 2-CPU Windows 2012 R2 Datacenter server.

How Licensing Changes Affect Small Windows Server Deployments

Thankfully not much. Microsoft has adjusted its per-Core license pricing in such a way so that a small deployment of up to 16-cores per physical server will be the same pricing as a Windows server 2012 2-CPU License.

Running Windows or Linux Server under ESX or Hyper-V? Get an award-winning backup solution for Free! Download Now!

The price difference becomes apparent for larger customers with a server deployed that exceeds 8-cores per CPU and 16-cores per server. These customers will end up paying additional money for their licenses. For example a server with 2 x Intel Xeon E7-8890v4 CPUs means a total of 48 cores. Installing a Windows server 2012 Standard server means that the initial license will cover up to 16 out of the 48 cores and the customer will need to purchase additional licenses to cover the 32 extra cores! It’s now clear why big customers are going to be paying the big bucks!

The following table explains where additional licenses are required depending on the number of CPUs (processors) and cores per CPU. Remember - Minimum 8 cores/processor; 16 cores/server:

Figure 1. Windows Server 2016 Licensing: Calculating Licensing needs per CPU & Core

Windows Server 2016 Editions Overview, Licensing Models & CAL Requirements

Microsoft offers its Windows Server 2016 in 6 different editions. Let’s take a look at them and explain their primary role and usage:

Windows Server 2016 Datacenter: This edition targets highly virtualized datacenter and cloud environments. Main characteristics include its support for unlimited Hyper-V containers or Operating System Environments (OSEs or virtual machines). It also supports an unlimited number of Windows Server containers and boasts features such Host Guardian Service, Storage Spaces Direct and Storage Replica, Shielded Virtual Machines (VMs), Networking stack and more.

Windows Server 2016 Standard: Used for physical servers or environments with minimal virtualized requirements. This edition supports two Hyper-V containers or Operating System Environments (OSEs or virtual machines) alongside the Host Guardian Service.

The Host Guardian Service is a server role introduced in Windows Server 2016 and found on Windows Datacenter and Standard edition. It serves as a critical security component in protecting the transport key, and works in conjunction with other Windows Server 2016 components to ensure high security levels for Shielded VMs.

Figure 2. Host Guardian Service helps ensure high security levels for Shielded VMs

Windows Server 2016 Essentials: Ideal for small businesses with no more than 25-30 users and 50 devices. This edition is also a great replacement for businesses running Windows Server 2012 Foundation as the same edition is not available for Windows Server 2016.

Windows Server 2016 MultiPoint Premium Server: Allows multiple users to share a single computer while having their own applications and Windows experience and is suitable for academic environments.

Windows Storage Server 2016: Suitable for dedicated storage solutions. It’s available in Standard and Workgroup editions and mainly used by OEM manufactureres.

Microsoft Hyper-V Server 2016: The well-known Free Hypervisor which you can download. This is a stand-alone product that runs directly on the bare-metal server and is built using the same technology as the Hyper-V role on a Windows Server 2016.

Readers can also download here the Free Microsoft Windows Server 2012/2016 Licensing Datasheet that provides additional useful information.

The table below shows the licensing model adopted by each Windows Server 2016 edition:

 Table 1. Windows Server 2016 Editions and Licensing Models

Summary

With Windows Server 2016 out it’s only a matter of time before organizations begin to upgrade their servers and use it for new rollouts. Understanding the Windows Server 2016 Licensing model and server editions is critical to ensuring the right choices are made based on the organization’s requirements and server hardware availability. The new Windows Server core-based licensing can be slightly tricky so make sure you know your hardware and license theory well!

Check out our "Windows Server 2016 Licensing Made Easy – Understand Your Licensing Requirements & Different Server Editions" article

Altaro software, a reputable software vendor offering robust Virtualization Backup for Hyper-V & VMware,is hosting a free Webinar on Tuesday the 29^th of November 2016 that will cover the following important topics:

• Licensing a Windows 2016 Server environment
• Nested Hypervisors and containers in Windows 2016 Server
• Understanding Licensing complexity

While this event has passed, it is still available as a recorded session alongside with all material available as a free download. There is also a bonus Windows 2016 Server Licensing eBook available for free! Click here to access all resources!

Learn all about the new hot virtualization features offered by Windows Server 2016 by attending the free webinar hosted by Altaro and presented by two Microsoft Cloud and Datacenter Managerment MVP’s Andy Syrewicze and Aidan Finn.

To learn more about the free webinar and register click here.

Note: While this webinar's date has passed, a complete recording is available, at the above url, alongside with all free downloadable material presented.

Running Windows or Linux Server under ESX or Hyper-V? Get an award-winning backup solution for Free! Download Now!

Windows Hyper-V is also capable of taking advantage of NIC Teaming, which further increases the reliability of our virtualization infrastructure and the bandwidth available to our VMs.

Figure 1. Windows 2012 Server – Hyper-V NIC Teaming with Cisco Catalyst Switch

There are two basic NIC Teaming configurations: switch-independent teaming & switch-dependent teaming. Let’s take a look at each configuration and its advantages.

Switch-Independent Teaming

Switch-independent teaming offers the advantage of not requiring the switch to participate in the NIC Teaming process. Network cards from the server can connect to different switches within our network.

Switch-independent teaming is preferred when bandwidth isn’t an issue and we are mostly interested in creating a fault tolerant connection by placing a team member into standby mode so that when one network adapter or link fails, the standby network adapter automatically takes over. When a failed network adapter returns to its normal operating mode, the standby member will return to its standby status.

Switch-dependent teaming requires the switch to participate in the teaming process, during which Windows Server 2012 negotiates with the switch creating one virtual link that aggregates all physical network adapters’ bandwidth. For example, a server with four 1Gbps network cards can be configured to create a single 4Gbps connection to the network.

Switch-dependent teaming supports two different modes: Generic or Static Teaming (IEEE 802.3ad) and Link Aggregation Control Protocol Teaming (IEEE 802.1ax, LACP). LACP is the default mode in which Windows NIC Teaming always operates.

Load Balancing Mode - Load Distribution Algorithms

Load distribution algorithms are used to distribute outbound traffic amongst all available physical links, avoiding bottlenecks while at the same time utilizing all links. When configuring NIC Teaming in Windows Server 2012, we are required to select the required Load Balancing Mode that makes use of one of the following load distribution algorithms:

Hyper-V Switch Port: Used primarily when configuring NIC Teaming within a Hyper-V virtualized environment. When Virtual Machine Queues (VMQs) are used a queue can be placed on the specific network adapter where the traffic is expected to arrive thus providing greater flexibility in virtual environments.

Address Hashing: This algorithm creates a hash based on one of the characteristics listed below and then assigns it to available network adapters to efficiently load balance traffic:

• Source and Destination TCP ports plus Source and Destination IP addresses
• Source and Destination IP addresses only
• Source and Destination MAC addresses only
  • Distributes outgoing traffic based on a hash of the TCP Ports and IP addresses with real-time rebalancing allowing flows to move backward and forward between networks adapters that are part of the same group.
  • Inbound traffic is distributed similar to the Hyper-V port algorithm

Dynamic: The Dynamic algorithm combines the best aspects of the two previous algorithms to create an effective load balancing mechanism. Here’s what it does:

The Dynamic algorithm is the preferred Load Balancing Mode for Windows 2012 and the one we are covering in this article.

Click here for more teachnical articles covering Windows Server

Configuring NIC Teaming in Windows Server 2012

In this example, we’ll be teaming two 100Mbps network adapters on our server. Both network adapters are connected to the same switch and configured with an IP address within the same subnet 192.168.10.0/24.

To begin, open Server Manager and locate the NIC Teaming section under Local Server:

Figure 2. Locating NIC Teaming section in Server Manager Windows 2012 Server

The lower right section of the NIC Teaming window displays the available network adapters that can be assigned to a new team. In our case these are two 100Mbps Ethernet adapters.

From the TEAM area, select Tasks and then New Team from the dropdown menu to create a new NIC Team:

Figure 3. Creating a new NIC Team in Windows Server 2012

At the NIC Teaming window select the adapters to be part of the new NIC Team. Ensure Teaming mode is set to the desired mode (LACP in our case) and Load balancing mode is set to Dynamic. The Standby Adapter option will be available when more than two network adapters are available for teaming. Optionally we can give the new NIC Team a unique name or leave it as is.

Finally, we can select the default VLAN under the Primary Team Interface option (not shown below). When ready, click on OK to save the configuration and create the NIC Team:

Figure 4. Configuring Teaming Mode, Load Balancing Mode and NIC Team members

Notice how the State of each network adapter is reported as Active – this indicates the adapter is correctly functioning as a member of the NIC Team.

When the new NIC Team window disappears we are brought back to the NIC Teaming window where Windows Server 2012 reports the NIC Teams currently configured, speed, status, Teaming Mode and Load Balancing mode:

Figure 5. Viewing NIC Teams, their status, speed, Teaming mode, Load balancing mode and more

As mentioned earlier, NIC Teaming creates a virtual adapter that combines the speed of all network adapters that are part of the NIC Team. As we can see below, Windows Server has created a 200Mbps network adapter named Team-1:

Figure 6. The newly created NIC Team Adapter in Windows 2012 Server

We should note that the MAC address used by the virtual adapter will usually be the MAC address from either physical network adapters.

Free Virtualization Backup with Award Winning Altaro Backup - Free Download Now!

Cisco Catalyst Switch Configuration

Depending on the type of NIC Teaming selected, the switch attached to the server might need to be configured. Cisco Catalyst switches fully support NIC Teaming and other types of link aggregation technologies through the use of EtherChannel. Cisco Catalyst provides support of the Link Aggregation Control Protocol (LACP) which also happens to be the default aggregation protocol when configuring EtherChannel.

More Information on Cisco Switches and configuration articles can be found in our dedicated Cisco Switches section

Create the Etherchannel interface by dedicating an equal number of switch ports to that of the physical network adapters participating in the NIC Teaming. In our example, we’ve got two network adapters so we’ll be using two switch ports.

Configure both switch ports to be part of Channel-Group 1 and set it to active mode. The Port-Channel interface will be configured in Trunk mode for our example:

Note: First create the Port-Channel interface and assign the physical interfaces to it using the channel-group 1 mode active command. After that, any commands entered under the Port-Channel interface will automatically be replicated to all port members (FastEthernet 1/0/1 & 1/0/2 in our example).

In case VLAN Trunking support is required, do not forget to use the switchport mode trunk command to enable trunking and then switchport trunk native vlan X to configure the native VLAN for the EtherChannel, replacing X with the necessary vlan number.

Additional Information: Configure VLANs and InterVLAN Routing on Cisco Catalyst switches

At this point, we are able to connect our server to the network. The show interface port-channel 1 command will provide a plethora of information about our Port-Channel, including bandwidth, interface members and other useful information:

The show Etherchannel 1 summary command provides additional information, including the aggregation protocol used, port members, their status and more:

This article covered Windows Server NIC Teaming and explained the different type of NIC Teaming, protocols involved, load & balancing distribution algorithms, configuration of Windows 2012 Server plus configuration of Cisco Catalyst switch configuration. To read more on Cisco switches, make sure you visit our Cisco Technical Knowledgebase which contains technical articles on Cisco switches, routers, firewalls and IP Telephony.

Broadly, this encompasses four rules which we've briefly outlined below:

• Backups must be performed automatically
• Backups must have redundancy
• A copy of the backup must be available offsite
• Backups must be regularly tested
• Usage of high-quality backup applications for Virtualized environments e.g VM Backup

Running Windows or Linux Server under ESX or Hyper-V? Get an award-winning backup solution for Free! Download Now!

Most often, people will not remember to take backups on time. They may keep deferring the task because of laziness, oversight or work pressure. Whatever the cause, it defeats the very purpose of backing up. Therefore, a backup solution that automates the task is essential. Simply configure it once and let it take backups at regular intervals.

Although backing up is essential and one backup is better than not backing up at all, there remains the risk of that single backup failing at the time of need. Therefore, your strategy must include having two different types of backup. Another advantage of this is you have greater flexibility when restoring data.

Unexpected events can lead to data loss at any time. Fire, floods, theft, power surge, lightning strikes and so many other things can play havoc with the best laid plans. If your systems and backups are at the same location, you are most likely to lose both. As a contingency measure, you must keep a copy of the backup at a site physically and geographically separated from your primary workplace. Accomplishing offsite backups is simple with automatic cloud backup services that also allow automated updating.

Your backups are stored on physical devices that can also fail. Testing them regularly is one way to avoid unpleasant surprises when you need them most. Have a backup verification day, at least once every few months, to test and verify the integrity of the drive. Essentially, you need to ensure it is possible to restore files and, in case of clone backups, boot from the drive.

Full Backup

A full backup creates an image file containing all disk sectors with data from within the operating system. Although the simplest form of backup, it is the least flexible, most time consuming and a hugely space-intensive method. Full backups are usually done about once a week as part of an overall backup plan, such as after a major operating system upgrade or software install.

Differential Backup

Typically, only a very small percentage of the information in a partition or disk changes daily or weekly, therefore it is enough to back up only the data that has changed. You are doing a differential backup if you are backing up only the files that have changed since the last full backup. Differential backups are faster and more flexible than full backups because of the lower amount of data involved. However, the amount of data being backed up grows with each differential backup. That makes it unwieldy to create more than one differential backup a day.

Incremental Backup

You are doing an incremental backup if you are backing up only the data that changed since the last backup – whether full or incremental. Therefore, the shorter the time interval between incremental backups, the lower the amount of data to be backed up – you may backup hourly or even more frequently, depending on the importance of your work. Although incremental backups are the most flexible and granular of the three methods, restoring from incremental backups takes longer.

Backing up Virtual Machines

While most companies have moved to a virtualized environments, the above backup methods are quickly being replaced by smarter and more efficient backup strategies. For example, VM backup software, free for two VMs, supports both Hyper-V and VMware and offers complete backup and restore functionality with the click of only a few buttons. It’s advanced backup algorithms and smart design makes backing up and restoring virtual machines or individual files/folders a very simple process.

Don't miss out on this exclusive Hyper-V webinar and make sure you grab your free copy of Altaro's Hyper-V & VMware backup software!

Note: While this event's date has passed, you can access the recorded version while also download all material provided. Simply follow the above link to access it.

The screenshot below shows our Windows 2012 R2 server configured with two network cards. We’ve renamed the network cards to easily identify them, as such Ethernet0 was renamed to “Ethernet0 – WAN Adapter”, while Ethernet1 was renamed to “Ethernet1 – LAN Adapter”.

Backup any Virtual Environment (Hyper-V or VMware) with Altaro, quickly and Free for a Limited Time – Download Now!

The Windows Network Location Awareness (NLA) has incorrectly identified Ethernet0 to be connected to a Private network, while Ethernet1 is also incorrectly identified to be connected to a Public network, as shown below:

Figure 1. Windows Network Location Awareness (NLA) incorrectly identifies the Private & Public networks on our network interface cards

We should note that incorrect network profiles (Private or Public) also means that the Windows Firewall is applying the incorrect rules to the network cards. For example, a Public network could have very strict rules configured, while the Private network might have less restrictive rules applied. As one can understand, this also creates a serious security hole and therefore the correct network profiles (Private or Public) must be applied to each network interface card (network adapter).

Quickly Change Network Profiles (Public or Private) via PowerShell

To begin, launch the Windows PowerShell console by click on the PowerShell icon located on the taskbar:

Figure 2. Launching the Windows PowerShell console

Next, at the prompt enter the command Get-NetconnectionProfile to obtain a list of all network interfaces on the Windows Server, along with their identified network category (Private / Public):

Figure 3. Executing Get-NetconnectionProfile PowerShell cmd to obtain network profile & ID info

Notice that the command output is identical to what we saw in the Network and Sharing Center screenshot at the beginning of the article.

Looking closely to the ouput, we’ll notice that each network card has an InterfaceAlias and InterfaceIndex value. The InterfaceAlias is the name of the network card, in our case Ethernet0 – WAN Adapter and Ethernet1 – LAN Adapter respectively, while the InterfaceIndex represents the index number of the physical interface - that is 12 for Ethernet0 and 24 for Ethernet1.

The final step is using the Set-NetConnectionProfile command used to configure each adapter to a network profile. First we set the LAN Network card (Ethernet 1) to the Private network profile and then the WAN Network card (Ethernet 0) to the Public network profile as shown below:

Figure 4. Changing network profile for both network cards using the Set-NetConnectionProfile command

Users can use either the –InterfaceAlias or -InterfaceIndex parameter to select the network interface to be changed. Here are the full commands for each parameter:

Don’t miss out on your Free Altaro Virtualization backup solution for Hyper-V & VMware. Limited Time Download!

Moving back to the Network and Sharing Center, we can see that both network interfaces are now bound to the correct network profile:

Figure 5. Network interfaces are now bound to the correct network profile

This article explained how to change the network profiles configured on a Windows Server 2012 network interface cards. We talked about the importance of having the correct network profiles configured to each network interface card and how this affect the Windows Firewall rules. We also showed two different PowerShell commands (Set-NetConnectionProfile -InterfaceIndex & Set-NetConnectionProfile –InterfaceAlias) that can be used to make the network profile changes.

Click and Download Your Free Hyper-V or VMware backup solution Now!

Are you looking to get grips with automation and scripting?

Join Thomas Maurer, Microsoft Datacenter and Cloud Management MVP, who will use this webinar to show you how to achieve automation in your Hyper-V environments, even if you don’t have SCVMM.

Remember, any task you have to do more than once, should be automated. Bring some sanity to your virtual environment by adding some scripting and automation know-how to your toolbox.

Note: While the Webinar date has passed, you can still access the presentation and download all resources for free. Click below to access it:

Register for the webinar here:

About the presenter:

Thomas Maurer

Thomas Maurer works as a Cloud Architect at itnetx gmbh, a consulting and engineering company located in Bern/Switzerland, which has been awarded by Microsoft as “Microsoft Datacenter Partner of the Year for the past three years (2011,2012,2013). Thomas is focused on Microsoft Technologies, especially Microsoft Cloud Solutions based Microsoft System Center, Microsoft Virtualization and Microsoft Azure. This includes Microsoft Hyper-V, Windows Server, Storage, Networking and Azure Pack as well as Service Management Automation.

About the host:

Andrew Syrewicze

Andy is a Technical Evangelist for Altaro Software, providing technical marketing and pre-sales expertise. Prior to that Andy spent the last 12+ years providing technology solutions across several industry verticals including, education, fortune 500 manufacturing, healthcare and professional services working for MSPs and Internal IT Departments. During that time he became an expert in VMware, Linux, and Network Security, but his main focus over the last 7 years has been in Virtualization, Cloud Services and the Microsoft Server Stack, with an emphasis on Hyper-V.

Figure 1. Personalize Menu is not available by default on Windows 2012 Server

To bring back the Desktop icons, administrators must first install the Desktop Experience feature on Windows 2012 Server.

Running Windows 2012 Server in a virtual environment? Get an award-winning backup solution for Free!! Download Now!

Note: Once the Desktop Experience Feature is installed, the server will require a restart.

To do so, click on the Server Manager icon on the taskbar:

Figure 2. Server Manager icon on Windows 2012 Server taskbar

 Now select Add Roles and Features:

Figure 3. Selecting Add roles and features in Windows 2012 Server

Now, click Next on the Before you Begin page and at the Installation Type page select Role-based or feature-based installation. Next, select your server from the server pool and click Next:

Figure 4. Selecting our destination server

At the next window, click on Features located at the left side, do not select anything from the Server Roles which is displayed by default. Under Features, scroll down to User Interfaces and Infrastructure and click to expand it. Now tick Desktop Experience:

Figure 5. Selecting Desktop Experience under User Interfaces and Infrastructure

When Desktop Experience is selected, a pop up window will ask us to confirm the installation of a few additional services or features required. At this point, simply click on Add Features. Now click on Next and then the Install button.

This will install all necessary server components and add-ons:

Figure 6. Installation of server components and add-ons - Windows 2012 Server

Once complete, the server will require a restart. After the server restart, we can right-click in an empty area on our desktop and we’ll see the Personalize menu. Select it and then click on Change desktop icons from the next window:

Figure 7. Selecting Change desktop icons - Windows 2012 Server

Now simply select the desktop icons required to be displayed and click on OK:

Figure 8. Select Desktop icons to be displayed on Windows 2012 Server Desktop

Free Award-Winning Backup solution for VMware and Hyper-V virtualization environments. Click here!

This article showed how to enable Desktop Icons (Computer, User files, Network , Control Panel) on Windows 2012 Server. We explained this process using a step-by-step process and included all necessary screenshots to ensure a quick and trouble-less installation. For more Windows 2012 Server tutorials, visit our Windows Server Section.

History has shown that backup procedures were always a major pitfall for most IT departments and companies. With virtualization environments, the need of a backup solution is more important than ever, especially when we consider that physical servers now host multiple virtual servers.

While creating a backup plan and verifying backups can become an extremely complicated and time-consuming process, Altaro has managed to deliver a backup solution that guarantees the backup process of the virtualized environment and ensures the data integrity of servers. Furthermore, Altaro’s backup solution is complimented with a simple recovery procedure, guaranteeing quick and easy recovery from the failure of any virtual machine and hypervisor host. 

What’s even better is that Altaro’s Hyper-V & VMware backup solution is completely free for a limited number of virtual servers!

Download your Free Hyper-V & VMware Altaro Backup Solution Now - Limited Offer!

Altaro Hyper-V & VMware backup is a feature-rich application that allows users to backup and restore VMs literally with just a few clicks. The user interface of Altaro VM backup is easy-to-use with all the necessary features to make the Hyper-V or VMware backup & restore process, an easy and simple task.

Main Features Of Altaro VM Backup

• User-friendly easy to use admin console.
• Supports Microsoft Windows Server 2012 R2, 2012, 2008 R2, Hyper-V & ESX/ESXi server core.
• Backup virtual machines per schedule.
• Restore single or multiple virtual machines to different Hyper-V/VMware host or same host.
• Rename virtual machines while restoring the virtual machine to same host or different host.
• Backup Linux VMs without shutting down the machine.
• Secured backups with AES encryption.
• Reduced backup file size with powerful compression.
• Central Altaro Hyper-V backup management for multiple Hyper-V host.
• File level restore allows you to mount backup up VHDs and restore individual files without actually restoring the whole virtual machine.
• Business continuity with offsite backup with WAN acceleration.
• Backup Exchange Server VM (Supports Exchange 2007, 2010, 2013) and can restore Exchange item level restore options.
• Support backup for Hyper-V cluster shared volumes for larger deployments.
• Support for Microsoft SQL Database VM backup.
• Free for up to two Virtual Machines.
• Extremely low pricing per host (not per socket) provides unbeatable value.

It is evident that Altaro Hyper-V backup provides a plethora of features that makes it a viable solution for companies of any size.

Altaro Hyper-V  Backup Installation Requirements

Installing the Altaro Hyper-V backup application is no different than installing any other windows application, it is very easy.
It is important to note that Altaro Hyper-V backup must be installed in Hyper-V host machine, and not a guest machine. Altaro Hyper-V supports the following host server editions:

• Windows 2008 R2 (all editions)
• Windows Hyper-V Server 2008 R2 (core installation)
• Windows Server 2012 (all editions)
• Windows Hyper-V Server 2012 (core installation)
• Windows Server 2012 R2 (all editions)
• Windows Hyper-V Server 2012 R2 (core installation)

Minimum system requirements of Altaro Hyper-V Backup are:

• 350 MB Memory
• 1 GB free Hard Disk space for Altaro Hyper-V Backup Program and Settings files
• .NET Framework 3.5 on Windows Server 2008 R2
• .NET Framework 4.0 on Windows Server 2012

Following is a list of supported backup destinations. This is where you would save the backup of your Hyper-V virtual machines:

• USB External Drives
• eSata External Drives
• USB Flash Drives
• Fileserver Network Shares using UNC Paths
• NAS devices (Network Attached Storage) using UNC Paths
• RDX Cartridges
• PC Internal Hard Drives (recommended only for evaluation purposes)

Grab a Free Copy of VM Altaro Backup Solution Now!

Installing Altaro Hyper-V Backup Software

First step is to grap a fresh copy of Altaro’s Hyper-V backup application by downloading the application from Altaro’s website.
Run the installation file. We will receive the application’s welcome screen. Click Next  to continue through the next windows until the installation is finally complete.

Figure 1. Installation Welcome Screen

After few moments, the installation completes. At this point, check the Launch Management Console and click Finish:
 

Figure 2. Altaro Hyper-V Installation Complete

At this point, Altaro Hyper-V Backup has been successfully installed on our Hyper-V server and is ready to run by ticking the Launch Management Console option and clicking on the Finish button.

Alternatively, Administrators can also install the Altaro Hyper-V Backup application on a workstation or different server, connect remotely to the Hyper-V server and perform all necessary configuration and backup tasks from there.

We found the ‘remote management’ capability extremely handy and proceeded to try it out on our Windows 7 workstation.
It’s worth noting that it makes no difference whether you select to run Altaro’s Hyper-V Backup directly on the Hyper-V host or remotely as we did.

After installing the application on our Windows 7 workstation, we ran it and entered the necessary details to connect with the Hyper-V host:

Figure 3. Connecting to the Hyper-V Agent Remotely

Users running the application directly on the Hyper-V host would select the ‘This Machine’ option from above.

Once connected the Hyper-V agent, the Altaro Hyper-V Backup main screen appears:

Figure 4. Altaro Hyper-V Backup - Main Screen (click to enlarge)

Altaro’s Hyper-V Backup solution offers an extensive number of options. When running the application for the first time, it provides a quick 3-step guide to help quickly setup a few mandatory options and begin performing your first Hyper-V backup in just a couple of minutes!  

In our upcoming articles, we’ll be taking a closer look on how Altaro’s Hyper-V Backup application manages to make life easy for Virtualization administrators, with its easy backup and restore procedures.

Summary

This article introduced Altaro’s Hyper-V Backup application – a complete backup and restore solution that manages to take away the complexity of managing backup and restore procedures for any size Hyper-V virtualization environment. Altaro’s Hyper-V Backup solution is completely FREE for a limited number Virtual Machines!

Microsoft designs and configures Windows systems to capture information about the state of the operating systems if a total system failure occurs, unlike a failure of an individual application. You can see and analyze the captured information in the dump files, the settings of which you can configure using the System Tool in the Control Panel. By default, BSOD provides minimal information about the possible cause of the system crash and this may suffice in most circumstances to help in identifying the cause of the crash.

However, some crashes may require a deeper level of information than what the stop screen provides – for example, when your server simply hangs and becomes unresponsive. In that case, you may still be able to see the desktop, but moving the mouse or pressing keys on the keyboard produces no response. To resolve the issue, you need a memory dump. This is basically a binary file that contains a portion of the server's memory just before it crashed. Windows Server 2012 R2 provides five options for configuring memory dumps.

SafeGuard your Hyper-V & VMware servers from unrecoverable crashes with a reliable FREE Backup – Altaro’s VM Backup. Download Now!

Different Types Of Memory Dump Files

1. Automatic Memory Dump

Automatic memory dump is the default memory dump that Windows Server 2012 R2 starts off with. This is really not a new memory dump type, but is a Kernel memory dump that allows the SMSS process to reduce the page file to be smaller than the size of existing RAM. Therefore, this System Managed page file now reduces the size of page file on disk.

2. Complete Memory Dump

A complete memory dump is a record of the complete contents of the physical memory or RAM in the computer at the time of crash. Therefore, this needs a page file that is at least as large as the size of the RAM present plus 1MB. The complete memory dump will usually contain data from the processes that were running when the dump was collected. A subsequent crash will overwrite the previous contents of the dump.

3. Kernel Memory Dump

The kernel memory dump records only the read/write pages associated with the kernel-mode in physical memory at the time of crash. The non-paged memory saved in the kernel memory dump contains a list of running processes, state of the current thread and the list of loaded drivers. The amount of kernel-mode memory allocated by Windows and the drivers present on the system define the size of the kernel memory dump.

4. Small Memory Dump

A small memory dump or a MiniDump is a record of the stop code, parameters, list of loaded device drivers, information about the current process and thread, and includes the kernel stack for the thread that caused the crash.

5. No Memory Dump

Sometimes you may not want a memory dump when the server crashes.

Configuring Dump File Settings

Windows Server 2012 R2 allows you to configure an Automatic memory dump. To start the configuration, you have to log in as a local administrator and click on Control Panel in the Start menu:

Figure 1. Invoking the Windows Server Control Panel

From the Control Panel, click on System and Security icon. Next, click on System:

Figure 2. System and Security

In the System Properties that opens up, click on the Advanced tab as shown below:

Figure 3. System Properties – Advanced Tab

 In the Advanced System Properties, look for and click on Settings under Startup and Recovery section:

Figure 4. Startup and Recover dialog

Figure 5. The five types of debugging information (memory dumps) available

Here, you have the choice to let your server Automatically restart on System failure. Under Write Debugging information, you can select between one of the five types of memory dumps to be saved in the event of a server crash.
 
You can also define the name of the dump file the server should create and specify its location. The default location is in the System Root and the default name of the file is MEMORY.DMP. If you do not want the previous file to be overwritten by the new dump file, remove the tick mark from Overwrite any existing file (visible in figure 4).

When done, you will need to restart the server for the changes to take place.

Manually Generating A Dump File

Although the server will create the dump files when it crashes, you do not have to wait indefinitely for the crash to occur. As described in Microsoft’s support pages Generating a System Dump via Keyboard and Forcing a System Crash via Keyboard, you can induce the server to crash with a select combination of keys. Of the several methods described by Microsoft, we will discuss the method via USB keyboards.

Forcing a System Crash From the Keyboard

Begin with a command prompt with administrative privileges. For this, begin with the Start menu and click on Command Prompt (Admin):

Figure 6. Invoking the Command Prompt with Elevated Privileges

In the command prompt window that opens, type in “regedit” to and hit Enter:

Figure 7. Opening and Editing the Windows Registry

This opens the Registry Editor screen. Now expand all the way to the following section:

HKEY_LOCAL_MACHINE\SYSTEM\CurrrentControlSet\Control\CrashControl

Right-click on CrashControl and create a new DWORD with the name CrashDumpEnabled which will appear in the right hand pane. Next, modify its value by right-clicking on CrashDumpEnabled in the right hand pane and selecting Modify:

Figure 8. Editing the Registry. Modifying the new registry DWORD CrashDumpEnabled

In the Edit DWORD Value dialog that opens enter Value data as 1 and click on OK:

Figure 9. Editing the Value Data of CrashDumpEnabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrrentControlSet\Services\kbdhid\Parameters

Right-click on Parameters and create a new DWORD with the name CrashOnCtrlScroll, which will appear in the right pane:

Figure 10. Editing the Registry. Creating the new Registry DWORD CrashOnCtrlScroll

Now, modify the CrashOnCtrlScroll value by right-clicking on CrashOnCtrlScroll in the right pane and selecting Modify:

Figure 11. Modifying the Registry DWORD entry CrashOnCtrlScroll

 In the Edit DWORD Value dialog that opens, enter Value data as 1 and click on OK:

Figure 12. Editing the Value data of CrashOnCtrlScroll

Restart the server for the new values to take effect.

Next, to crash the server, press the combination of keys:

CTRL + SCROLL LOCK + SCROLL LOCK

Note: Press SCROLL LOCK key twice while holding down the CTRL key.

The server will crash and restart and should have created a new dump file.

Note: However, as described in the Microsoft support pages referred above, this method does not always work and for other methods, you can refer to additional Microsoft support pages here.

This article explained why Windows Server dump files are considered important and how we can configure Windows Server 2012 R2 to save crash dump files. We saw the different memory Dumps (Automatic Memory Dump, Complete Memory Dump, Kernel Memory Dump, Small Memory Dump, No Memory Dump) and how to configure the dump’s settings. More articles on Windows Server 2012 can be found in our Windows Server 2012 Section.

1. Using the Windows PowerShell

2. Using the Active Directory Administrative Center or ADAC

In earlier Windows Server editions, it was possible to configure Fine-Grained Password Policy only through the command line interface (CLI). However with Windows Server 2012 a graphical user interface has been added, allowing the configuration of the Fine-Grained Password Policy via the Active Directory Administrative Center. We will discuss both the methods.

Before you begin to implement the Fine-Grained Password Policy, you must make sure the domain functional level must be Windows Server 2008 or higher. Refer to relevant Windows 2012 articles on our website Firewall.cx.

Backup your Windows Server 2012 R2 host using Altaro’s Free Hyper-V & VMware Backup solution. Download Now!

Configuring Fine-Grained Password Policy From Windows PowerShell

Use your administrative credentials to login to your Windows Server 2012 domain controller. Invoke the PowerShell console by Right clicking on the third icon from the left in the taskbar on the Windows Server desktop and then clicking on Run as Administrator.

Figure 1. Executing Windows PowerShell as Administrator

Clicking on Yes to the UAC confirmation will open up an Administrator: Windows PowerShell console.

Within the PowerShell console, type the following command in order to begin the creation of a new fine grained password policy and press Enter:

C:\Windows\system32> New-ADFineGrainedPasswordPolicy

Figure 2. Creating a new Fine Grained Password Policy via PowerShell

Type a name for the new policy at the Name: prompt and press Enter. In our example, we named our policy FGPP:

Figure 3. Naming our Fine Grained Password Policy

Type a precedence index number at the Precedence: prompt and press Enter. Note that policies that have a lower precedence number have a higher priority over those with higher precedence numbers. We’ve set our new policy with a precedence of 15:

Figure 4. Setting the Precedence index number of our Fine Grained Password Policy

Now the policy is configured, but has all default values. If there is need to add specific parameters to the policy, you can do that by typing the following at the Windows PowerShell command prompt and press Enter:

C:\Windows\system32> New-ADFineGrainedPasswordPolicy -Name FGPP -DisplayName FGPP -Precedence 15 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -PasswordHistoryCount 20 -MinPasswordLength 10 -MinPasswordAge 3.00:30:00 -MaxPasswordAge 30.00:30:00 -LockoutThreshold 4 -LockoutObservationWindow 0.00:30:00 -LockoutDuration 0.00:45:00

In the above command, replace the name FGPP with the name of your password policy, which in our example is FGPP.

The parameters used in the above are mandatory and pretty much self-explanatory:

Attributes for Password Settings above include:

• Enforce password history
• Maximum password age
• Minimum password age
• Minimum password length
• Passwords must meet complexity requirements
• Store passwords using reversible encryption

Attributes involving account lockout settings include:

• Account lockout duration
• Account lockout threshold
• Reset account lockout after

To apply the policy to a user/group or users/groups, use the following command at the PowerShell command prompt:

For confirming whether the policy has indeed been applied to the groups/users correctly, type the following command at the PowerShell command prompt and press Enter:

Remember, it is necessary to replace FGPP in the above with the name of your password policy. Also replace Chris_Partsenidis with the name of the group or user to whom you want to apply the policy.

The screenshot below shows the execution of the commands and output:

Figure 5. Applying and verifying a Fine Grained Password Policy to a User or Group

Check the AppliesTo section from the output to verify if the policy is applied to the intended user or group.

Configuring Fine-Grained Password Policy Using The Active Directory Administrative Center (ADAC)

Use your administrative credentials to login to your Windows Server 2012 domain controller. Invoke the Server Manager Dashboard by left-clicking on the second icon in the taskbar on the Windows Server desktop:

Figure 6. Opening Server Manager Dashboard

In the Server Manager Dashboard, go to the top right hand corner, click on Tools and then click on Active Directory Administrative Center:

Figure 7. Launching Active Directory Administrative Center

Once the Active Directory Administrative Center screen is open, from the left panel, select the Active Directory (local) to expand.

In our example, the active directory is firewall (local). Locate Systems, expand it and click on Password Settings Container:

Figure 8. Locating the Password Settings Container

On the right panel, under Tasks and Password Settings Container, click on New:

Figure 9. Accessing Password Settings Container

Now click on Settings, which will open up the Create Password Settings screen. Enter a name for the Fine-Grained Password Policy and a number for its precedence.

For our example, we are using the name FGPP or Firewall Group Password Policy with a precedence index of 15. Also, configure the remainder of the policy settings as required:

 
Figure 10. Configuring settings for our FGPP Policy

Once satisfied with the settings, click on Add at the bottom right hand corner. This will open up the Select Users or Groups dialog.

Click on Object Types to select either Users or Groups or both. Click on Locations to select the domain, which in our case is firewall.local.

Under the object names to select, type the name of the group or user on whom you want to apply the password policy. In our example, this is Chris_Partsenidis as shown below:

Figure 11. Selecting the Active Directory object to which the Fine Grained Password Policy will be applied to

Click on OK, and you will return to the Create Password Settings screen, which will now have the new name FGPP on top and the name of the user (to whom the policy will apply) at the bottom:

Figure 12. Our Fine Grained Password Policy

Click on OK to complete the process and go back to the Active Directory Administrative Center, which will now show the new Password Settings Container with the name FGPP and the precedence index in the center panel:

Figure 13. Our Fine Grained Password Policy appearing in the Password Settings Container

To modify any parameter, double click on the Password Settings Container in the central panel. Finally, when you are done, close the Active Directory Administrative Center window.

This article covered the installation and configuration of Fine-Grained Password Policies for Windows Server 2012. We explained how Fine-Grained Password Policies can be installed via PowerShell and the Active Directory Administrative Center. Our step-by-step guide shows all the necessary details to ensure a successful installation and configuration. More high-quality articles can be found in visit our Windows 2012 Section.

Microsoft operating systems since Windows NT have included the Telnet client as a feature. However, later Operating Systems beginning with the Windows Server 2008 and Windows Vista prefer not to enable it by default. Although you can always use a third-party tool for assisting you in remote connections and for troubleshooting connectivity, you can enable the Telnet client on your Windows Server 2012 any time needed.

Backup your Windows Server 2012 R2 host using Altaro’s Free Hyper-V & VMware Backup solution. Download Now!

Primarily, there are three ways you can install or enable the Telnet client for Windows Server 2012. You can install the Telnet client from the Graphical User Interface, Windows command prompt or from PowerShell. We will discuss all the methods in this article.

Installing Telnet Client From The GUI

Invoke the Server Manager by clicking on the second icon on the bottom taskbar on the desktop of the Windows Server 2012 R2:

Figure 1. Launching Windows Server Dashboard

On the Dashboard, click on Add Roles and Features, which opens the Add roles and features wizard:

 
Figure 2. Selecting Add roles and features on Windows Server 2012

Click on Installation Type and select Role Based or Feature Based Installation. Click on Next to proceed:

Figure 3. Selecting Installation Type – Role-based or feature-based installation

On the next screen, you can Select a server from the server pool. We select the server FW-DC1.firewall.local:

 
Figure 4. Selecting our server, DC1.firewall.local

Clicking on Next brings you to the Server Roles screen. As there is nothing to be done here, click on Next to continue to the Features screen. Now Scroll down under the Features until you arrive at the Telnet Client. Click within the box in front of the entry Telnet Client to select it, then click on Next to continue:

Figure 5. Selecting the Telnet client for installation

The following screen asks you to Confirm Installation Selections. Click the Restart the destination server automatically if required tick box and click on Yes to confirm the automatic restart without notifications. Finally, click on Install to start the installation of the Telnet Client:

Figure 6. Final confirmation and initiation of the Windows Telnet Client installation

Once completed, the Results screen will inform the success or failure of the process:

Figure 7. Successful installation of Windows Server Telnet Client

Click on Close to end the installation and return to the Server Manager screen.

Running a Windows Hyper-V or VMware server? Hyper-V & VMware backup made easy with Altaro’s Free VM Backup solution. Download Now!

Installing Telnet Client From The Command Prompt

You need to invoke the Command Prompt window as an Administrator. For this, right click on the Windows Start icon located on the lower left corner on the desktop taskbar, then Click on Command Prompt (Admin) and click on Yes to the User Account Control query that opens up.

Figure 8. Launching a Command Prompt with Administrator privileges

 Once the Administrator: Command Prompt window opens, type the following command and press Enter:

Figure 9. Installing Telnet Client via Elevated Command Prompt

The command prompt will provide a real-time update within the command prompt window and inform you once the Telnet Client has been successfully installed.

To exit the command prompt window, simply click on the X button (top right corner) or type Exit and press Enter.

Note: It is possible to also install Windows Telnet Client on Windows 8 & Windows 8.1 using the same commands at the Command Line Prompt or PowerShell interface.

Installing Telnet Client From PowerShell

You need to invoke the PowerShell with elevated permissions, i.e., run as Administrator. For this, right click on the third icon from the left on the bottom taskbar on the desktop of the Windows Server 2012 R2:

Figure 10. Running PowerShell with Administrator privileges

Click on Run as Administrator and click on Yes to the User Account Control query that opens up.

Within the PowerShell window, type the following two commands, pressing Enter after each one:

Figure 11. Installing Telnet Client via PowerShell On Windows 2012 R2 Server

Windows PowerShell will commence installing Telnet Client and will inform you if the Telnet Client has been successfully installed and whether the server needs a restart.

Type Exit and press Enter to close the Windows PowerShell window.

This article showed how to install the Telnet Client on Windows Server 2012 R2 using the Windows GUI Interface, Elevated Command prompt and Windows PowerShell. For more exciting articles on Windows 2012 R2 server, visit our Windows 2012 Section.

The shadow copy feature for backups is a much faster solution compared to the traditional backup solution. We should keep in mind that shadow copy is not meant as a replacement for the traditional backup process. The shadow copy process never copies all the files and folders, but only keeps track of the changes made to them. This is the reason shadow copy cannot replace the traditional backup process. Typically, shadow copies are useful in scenarios where one needs to restore an earlier version of files or folders.

To configure shadow copy of a shared folder in Windows Server 2012, at first, you have to enable the shadow copy feature on the disk volume containing the shared folder. The shadow copy process works only at volume level and not on individual files or directories. Additionally, it works only on NTFS volumes and not on FAT volumes. After generating a snapshot of the data, the server keeps track of changes occurring to the data.

Typically, the server stores the changes on the same volume as the original, but you can change the destination. Additionally, you can define the disk space allocated to shadow copies. As the allocated disk space fills up, the server deletes the oldest shadow copy snapshot, thereby making room for newer shadow copies. Once the server has deleted a shadow copy snapshot, you cannot retrieve it. Windows Server 2012 R2 can keep a maximum of 64 shadow copies per volume.

Running a Windows Hyper-V or VMware Server?  Hyper-V & VMware Backup made easy with Altaro’s Free VM Backup Solution.  Download Now!

Install File & Storage Services

The shadow copy feature requires prior installation of all the File and Storage Services. For installing or verifying the installation of all the File and Storage Services, logon to the server as a local administrator, go to the Server Manager Dashboard and click on Add Roles and Features.

Figure 1. Server Manager Dashboard

This opens the Add Roles and Features Wizard, wherein go to Server Selection to select the server on which you want to install the File and Storage Services:

Figure 2. Selecting our Windows 2012 R2 Server from the server pool

Click on Next and select Server Roles. Expand the File and Storage Services and the File and iSCSI Services. Check that tick marks are visible against all the services. Click on those missing the tick marks:

Figure 3. Selecting File & Storage Services, plus iSCSI Services for installation

Click Next four times until you arrive at Confirmation:

Figure 4. Add roles and Features – Final confirmation Window

Click on Install to enable all the File and Storage Services. Once the server has completed the installation, click on Close.

Enabling The Shadow Copy Feature

After having confirmed that the server has enabled all File and Storage Services, go to the server desktop and open the File Explorer. You can do this by pressing the WINDOWS+E keys together on your keyboard or by clicking on the fourth icon from left on the bottom toolbar on the Windows Server 2012 R2 desktop:

Figure 5. Opening Windows File Explorer

We will enable shadow copy for the volume C:\. Within this volume, we have our folder C:\Users\Chris_Partsenidis_Share for which we would like to ensure shadow copy is enabled:

Figure 6. Location of the folder we will be using as a Shadow-Copy example

Right-click on the Local Disk or volume C:\ (Or any other volume depending on your requirements) and select Configure shadow copies from the drop-down menu:

Figure 7. How to enable Shadow Copy for a Windows Volume

When the UAC confirmation dialog box opens, confirm with Yes. This opens the screen for Shadow Copies. Under Select a volume, click to select the volume C:\ from the list or any other volume for which you want to turn on shadow copies. Now, click on Enable.

A confirmation dialog will appear to Enable Shadow Copies along with a warning about file servers with high I/O loads:

Figure 8. Enable Shadow Copy confirmation window

Click on Yes to complete the process. You will be returned to the Shadow Copies screen and under Shadow copies of the selected volume, you can see the newly created Shadow Copy for volume C:\:

Figure 9. Viewing the status of Shadow Copy for our Volume

Click on Settings to open the Settings dialog. In the Settings dialog, under Maximum size, you can select either No limit for the space reserved or set a limit for it by selecting Use limit. Note that as stated in the dialog box, a minimum limit of 300MB is necessary for the space reserved for shadow copies:

Figure 10. Setting the maximum size to be used by Shadow Copy for our volume

Next, you can either go with the default schedule of two snapshots of shadow copies every day, or define your own by clicking on Schedule to open the Schedule dialog:

Figure 11. Configuring the Shadow Copy Schedule

In the Schedule dialog, tweak the settings to fit your environment in the best possible way and click on Ok to return to the Shadow Copies dialog.

To create a current snapshot, click on Create Now and under Shadow Copies of Selected Volume, a date and time entry will appear, signifying that the server has created a shadow copy snapshot. Click on Ok to close the dialog.

Accessing Shadow Copies

Users can access the shared volume/folders from either their local server or from a client PC over the network. They can see the previous versions (shadow copies) of their folders and files from the Properties of the shared folder or file.

Go to File explorer and click on a shared volume - volume C:\ in our case. Select the shared folder within the shared volume – which, in our example, is C:\Users\Chris_Partsenidis. Right-click on the shared folder and go to Restore previous versions:

Figure 12. Viewing the Shadow Copy status of our shared folder

This opens the Properties dialog for the share folder - C:\Users\Chris_Partsenidis. The list under Folder versions has all the shadow copies created for the share folder – C:\Users\Chris_Partsenidis. From this list, you can select a specific previous version (shadow copy) and choose to Open, Copy or Restore it.

Figure 13. Accessing previous versions of our shared folder

After you have completed your work, click on Ok or Cancel to exit the dialog box.

This article explained the purpose Windows Shadow Copy services, how to enable and configure Shadow Copy for a Windows Volume. We also saw how administrators and users can access previous versions of folders/files that are located in a shadow-copy enabled volume.

Before you can begin blocking file extensions, you may need to install and configure FSRM on your Windows Server 2012 R2. Installation of FSRM can be achieved through the Server Manager GUI or by using the PowerShell console.

This article will examine the installation of FSRM using both methods, Server Manager GUI and Windows Server PowerShell console, while providing all necessary information to ensure a successful deployment and configuration of FSRM services.

FREE Hyper-V & VMware Backup: Easy to use - Powerful features - Just works, no hassle: It's FREE for Firewall.cx readers! Download Now!

Installing FSRM On Server 2012 Using The Server Manager GUI

Assuming you are logged in as the administrator, start with the Server Manager – click on the second icon from left on the bottom toolbar on the desktop as shown below:

Figure 1. Launching the Server Manager Dashboard

This brings up the Server Manager Dashboard. Proceed to the top right hand corner and click on Manage, then click on Add Roles and Features.

This opens the Add Roles and Features Wizard, where you need to click on Server Selection. Depending on how many servers you are currently managing, the right hand side will show one or multiple servers in the pool. Select the file server on which you want to install FSRM, and click on Next to proceed.

Figure 3. Selecting a Server to add the FSRM role

The next screen shows the server roles that you can install on the selected server. On the right hand side, locate File and Storage Services and expand it. Locate the File and iSCSI services and expand it. Now, locate the File Server Resource Manager entry.

 
Figure 4. Selecting the File Server Resource Manager role for installation

Click on the check box in front of the entry File Server Resource Manager. This will open up the confirmation dialog box for the additional features that you must first install before installing FSRM.

 
Figure 5. Confirming the installation of additional role services required for FSRM

Click on Add Features and you are all set to install FSRM, as the check box for File Server Resource Manager now has a tick mark (shown below).

Figure 6. Back to the Server Role installation – Confirming FSRM Role Selection

Clicking on Next allows you to Select one or more features to install on the selected server. We don’t need to add anything here at this stage, so click Next to go to the next step.

This brings up a screen asking you to Confirm installation selections. This is the stage where you have the last chance to go back and make any changes, before the actual installation starts.

 
Figure 7. Confirm installation selections

Click on Install to allow the installation to commence and show the progress on the progress bar on the Results screen. Once completed, you can see the Installation successful on … under the progress bar.

 
Figure 8. Completion of FSRM role installation

Click on Close to exit the process.

To check if the FSRM has actually started running, go to the Server Manager Dashboard and click on File and Storage Services on the left hand side of the screen.

 
Figure 9. Server Manager Dashboard

The Dashboard now shows all the servers running under the File and Storage Services. Go down to Services and you will see FSRM running with an automatic start up.

Figure 10. File and Storage Services – Confirming FSRM Service

Installing FSRM On Server 2012 Using The PowerShell Console

This is a comparatively easier and faster process compared to the GUI method.

To invoke the PowerShell, click the third icon from left on the bottom toolbar on the desktop.

 
Figure 11. Launching Windows PowerShell

 This will open up a console with an administrative level command prompt. At the command prompt, type:

Figure 12.  Executing PowerShell command to install FSRM

A successful installation will be indicated as True , under the Success column as shown above.

FREE Hyper-V & VMware Backup:  Easy to use - Powerful features - Just works, no hassle: It's FREE for Firewall.cx readers! Download Now!

Configuring File Screening

Invoke FSRM from the Tools menu on the top right hand corner of the Server Manager Dashboard.

Figure 13. Running the File Server Resource Manager component

The File Server Resource Manager screen opens up. On the left panel, expand the File Screening Management and go to File Groups. The central panel shows the File Groups, the Include Files and the Exclude Files in three columns.

Under the column File Groups, you will find file types conveniently grouped together. The column Include Files lists all file extensions that are included in the specific file group. For a new server, the column Exclude Files is typically empty.

Figure 14 – File Groups, Include File and Exclude Files

On the left panel, go to File Screen Templates and click on it. The central panel shows predefined rules that apply to folders or volumes.

Figure 15. File Server Resource Manager - File Screen Templates

For instance, double-click on Block Image Files in the central panel. This opens up the File Screen Template Properties for Block Image Files. Here you can define all the actions that the server will take when it encounters a situation where a user is trying to save a file belonging to the excluded group.

Figure 16. FSRM - File Screen Template Properties for Block Image Files

You can choose to screen the specified file type either actively or passively. Active screening disallows users from saving the specified file group. With passive screening, users are not prevented from saving the files while the administrator can monitor their actions.

The server can send from one to four basic alerts when it encounters an attempt to save a forbidden file. The server can send an Email message to the administrator, create an entry in the Event Log, run a specified Command or Script and or generate a Report. You can set up the details for each action on individual tabs. When completed, exit by clicking on OK or Cancel.

To edit the existing template or to create a new one based on the chosen template, go to the File Screen Templates and in the central panel, right-click on the predefined template you would like to edit. From the Actions menu on the right panel, you can either Create File Screen Template or Edit Template Properties.

 
Figure 17. FSRM – Creating or editing a File Screen Template

Clicking on Create File Screen Template opens up a dialog where you can click on Browse to select a folder or volume on which the new rule would be applied. Under How do you want to configure file screen properties? You can either Derive or Create the file screen properties. Click on Create to allow the new file screen rule to appear in the central panel.

Figure 18. FSRM - Creating a File Screen

Creating Exceptions

Exceptions are useful when you want to allow a blocked file type to be saved in a specific location. Go to the left panel of the FSRM screen and right-click on File Screens.

Figure 19. FSRM – Creating a File Screen Exception

From the menu on the right panel, click on Create File Screen Exception. On the menu that opens up, click on Browse to select a folder or volume on which the new rule would be applied and select the group you would like to exclude under the File groups. Click OK and complete the process.

Figure 20. FSRM – File Screen Exception settings and options

Summary

This article showed how to we can use Windows Server File Server Resources Manager (FSRM) to block file types and extensions from being uploaded or saved to a directory or volume on a  Windows 2012 R2 server.  We explained how to perform installation of FSRM via GUI interface and Powershell, and covered the creation or editing of File Screen Templates used to block or permit access for specific files.

Don't lose this opportunity to stay ahead of the rest, learn about the new Hyper-V vNext features and have your questions answered by Microsoft Hyper-V experts!

Click here to view this Free Webinar.

Their Hyper-V experts will also be available to answer all questions presented during the free webinar.  Registration and participation for this webinar is complete free.

Webinar Details: This webinar has passed however a recorded version is available at the below url along with all necessary resources.

As a bonus, a free eBook written by Hyper-V expert Eric Siron, covering Licensing Microsoft Server in a Virtual Environment, is now available as a free download.

The Altaro PowerShell Hyper-V Cookbook has been written by Jeffery Hicks - a well known PowerShell MVP, covers a number of very important topics that are guaranteed to help you discover more about your Hyper-V server(s) and help you make the most out of what they can offer.

Topics covered include:

• Hyper-V Cmdlets - Understand what they are, how to use them and create a Hyper-V virtual machine
• Discover and display information about your VMs and Hyper-V host
• Easily Identify VHD/VHDX files
• Mount ISO files
• Delete obsolete snapshots and query Hyper-V event logs
• and much more!

 Don't miss this opportunity and grab your free copy for a limited time!

 BONUS: All PowerShell scripts are included FREE in a separate ZIP file!

The DNS Server can be installed during the deployment of Active Directory Services or as a stand-alone service on any Windows server. We'll be covering both options in this article.

FREE Hyper-V & VMware Virtualization Backup:  FREE for Firewall.cx readers for a Limited Time!  Download Now!

DNS Server Installation via Active Directory Services Deployment

Administrators who are in the process deploying Active Directory Services will be prompted to install the DNS server role during the AD installation process, as shown in the figure 1 below:

Figure 1. DNS Installation via Active Directory Services Deployment

Alternatively Administrators can select to install DNS server role later on or even on a different server, as shown next. We decided to install the DNS Server role on the Active Directory Domain Controller Server.

DNS Server Installation on Domain Controller or Stand Alone Server

To begin the installation, open Server Manger and click Add Roles and Features. Click Next on Before you begin page. Now choose Role-based or feature-based installation and click Next:

Figure 2. Selecting Role-based or feature-based installation

In the next screen, choose the Select a server from this server pool option and select the server for which the DNS server role is intended. Once selected, click the Next button as shown in figure 3:

Figure 3. Selecting the Server that will host the DNS server role

 The next screen allows us to choose the role(s) that will be installed. Select the DNS server role from the list and click Next to continue:

Figure 4. Selecting the DNS Server Role for installation

The next screen is the Features page, where you can safely click Next without selecting any feature from the list.

The next screen provides information on the DNS Server role that's about to be installed. Read the DNS Server information and click Next:

Figure 5. DNS Information

The final screen is a confirmation of roles and services to be installed. When ready, click on the Install button to for the installation to begin:

Figure 6. Confirm Installation Selections

The Wizard will provide an update on the installation progress as shown below. Once the installation has completed, click the Close button:

Figure 7. Installation Progress

FREE Hyper-V & VMware Virtualization Backup:  FREE for Firewall.cx readers for a Limited Time!  Download Now!

Configuring Properties of DNS Server

Upon the successful installation of the DNS server role, you can open the DNS Manager to configure the DNS Server. Once DNS Manager is open, expand the server, in our example the server is FW-DC1. Right below the server we can see the Forward Lookup Zones and Reverse Lookup Zones listed. Because this is an Active Directory Integrated DNS server there is a firewall.local and _msdcs.firewall.local zone installed by default, as shown in figure 8:

Figure 8. DNS Manager & DNS Zones

To configure the DNS server properties, right-click the DNS server and click properties. Next, select the Forwarders tab. Click Edit and add the IP address of DNS server that this server will query if it is unable to resolve the IP address of the listed domains. This is usually the ISP's DNS server or any public DNS server such as Google (e.g 8.8.8.8, 4.2.2.2). There is another feature called root hints which also does similar job (queries the Root DNS servers of the Internet) but we prefer using forwarders alongside with public DNS servers:

Figure 9. DNS Forwarders – Add your ISP or Public DNS Servers here

Next, click on the Advanced tab. Here you can configure advanced features such as round robin (in case of multiple DNS servers), scavenging period and so on. Scavenging is a feature often used as it deletes the stale or inactive DNS records after the configured period, set to 7 days in our example:

Figure 10. Advanced Options - Scavenging

Next up is the Root Hints tab. Here, you will see list of 13 Root Servers. These servers are used when our DNS server is unable to resolve DNS requests for its clients. The Root Servers are used when no DNS Forwarding is configured. As we can see, DNS forwarding is pretty much an optional but recommended configuration. It is highly unlikely administrators will ever need to change the Root Hints servers:

Figure 11. Root Hints

Our next tab, Monitoring is also worth exploring. Here you can perform the DNS lookup test that will run queries against your newly installed DNS server. You can also configure automated test that will run at a configured time interval to ensure the DNS server is operating correctly:

Figure 12. Monitoring Tab – Configuring Automated DNS Test Queries

Next, click on the Event Logging tab. Here you can configure options to log DNS events. By default, all events are logged. So you can configure to log only errors, warnings, combination of errors & warnings, or turn off logging (No events option):

Figure 13. Event Logging

When Event Logging is enabled, you can view any type of logged events in the Event Viewer (Administrative Tools) console.

The Debug Logging tab is next up. Debug Logging allows us to capture to a log file any packets sent and received by the DNS server. Think of it as Wireshark for your DNS server. You can log DNS packets and filter them by direction, protocols, IP addresses, and other parameters as shown below. You can setup the log file location and set the maximum file size in bytes:

Figure 14. Debug Logging – Capturing DNS Packets & Configuring DNS Debugging

Zone – Domain Properties

Each Zone or Domain has a specific set of properties which can be configured as shown in figure 15 below. In our example, firewall.local is an Active Directory-integrated zone as indicated by the Type field. Furthermore the zone's status is shown at the top area of the window – our zone is currently in the running state and can be paused by simply clicking on the pause button on the right:

Figure 15. Zone Properties

Right below, you can change the zone type to primary, secondary or stub. You can also setup dynamic updates to be secure or not. Similarly, you can setup aging or scavenging properties to automate the cleanup of stale records.

The Start of Authority (SOA) tab provides access to a number of important settings for our DNS server. Here, you can configure the serial number increments automatically every time there is a change in the DNS zone. The serial number is used by other DNS servers to identify if any changes have been made since the last time they replicated the zone. The Primary server field indicates which server is primary server where the zone or domain is hosted. In case there are multiple DNS servers in the network, we can easily select a different server from here:

Figure 16. Start Of Authority Settings

In addition, you can also configure the TTL (Time to Live) value, refresh, retry intervals and expiry time of the record.

Next is the Name Servers tab. In this tab, you can add list of name servers where this zone can be hosted:

Figure 17. DNS Name Servers

Finally, the Zone Transfers tab. In this tab, you can add DNS servers which can copy zone information (zone transfer) from this DNS server:

Figure 18. Zone Transfers

Once all configuration changes have been completed, click Apply and your zone is good to go.

FREE Hyper-V & VMware Virtualization Backup:  FREE for Firewall.cx readers for a Limited Time!  Download Now!

This article showed how to install and configure Windows 2012 DNS Server Role and explained all DNS Server options available for configuration.

In-Depth information and analysis of the DNS protocol structure can be found at our DNS Protocol Analysis article.

FREE Hyper-V & VMware Backup: Easy to use - Powerful features - Just works, no hassle: It's FREE for Firewall.cx readers! Download Now!

How DNS Resolution Works

When installed on a Windows Server, DNS uses a database stored in Active Directory or in a file and contains lists of domain names and corresponding IP addresses. When a client requests a website by typing a domain (URL) inside the web browser, the very first thing the browser does is to resolve the domain to an IP address.

To resolve the IP address the browser checks into various places. At first, it checks the local cache of the computer, if there is no entry for the domain in question, it then checks the local hosts file (C:\windows\system32\drivers\etc\hosts), and if no record is found their either, it finally queries the DNS server.

The DNS server returns the IP address to the client and the browser forms the http request which is sent to the destination web server.

The above series of events describes a typical http request to a site on the Internet. The same series of events are usually followed when requesting access to resources within the local network and Active Directory, with the only difference that the local DNS server is aware of all internal hosts and domains.

A DNS Server can be configured in any server running Windows Server 2012 operating system. The DNS server can be Active Directory integrated or not. A few important tasks a DNS server in Windows Server 2012 is used for are:

• Resolve host names to their corresponding IP address (DNS)
• Resolve IP address to their corresponding host name (Reverse DNS)
• Locate Global Catalog Servers and Domain Controllers
• Locate Mail Servers

DNS Zones & Records

A DNS Server contains Forward Lookup Zone and Reverse Lookup Zone. Each zone contains different types of resource records. A Forward Lookup Zone maps host name to an IP address while Reverse Lookup Zone maps the IP address of the host name. The DNS Zone is stored in a file or in the Active Directory database. Only one copy of zone is writable and others are read-only if the zone is stored in Active Directory database. Resource records specify the type of resource.

Resource records in Forward Lookup Zone include:

Table 1. Resource Record Types

Similarly, resource records in Reverse Lookup Zone include:

Table 2. Reverse Lookup Zone Resource Record Types

FREE Hyper-V & VMware Backup: Easy to use - Powerful features - Just works, no hassle: It's FREE for Firewall.cx readers! Download Now!

Types Of DNS Zone

There are four DNS zone types:

Primary Zones: This is a Master DNS Server for a zone and stores the master copy of zone data in AD DS or in a local file. This zone is the primary source for information about this zone.

Secondary Zones: This is a Secondary DNS Server for a zone and stores read-only copy of zone data in a local file. Secondary Zones cannot be stored in AD DS. The server that hosts Secondary Zones, retrieves DNS information from another DNS server where the original zone is hosted and must have network access to the remote DNS server.

Stub Zones: A Stub Zone contains only those resource records that are required to identify the authoritative DNS servers of that zone. A Stub Zone contains only SOA, NS and A type resource records which are required to identify the authoritative name server.

Active Directory-Integrated Zones: An Active Directory-Integrated Zone stores zone data in Active Directory. The DNS server can use Active Directory replication model to replicate DNS changes between Domain Controllers. This allows for multiple writable Domain Controllers in the network. Similarly, secure dynamic updates are also supported, which means that computers that have joined to the domain can have their own DNS records in the DNS server.

This article provided information about DNS services and a brief description of the DNS resolution process. We also explained the importance of DNS Services in Active Directory and saw which are the four different type of DNS Zones. Next article will show how to install the DNS Server role in Windows Server 2012.

Group Policy Enforcement, Inheritance and Block Inheritance provide administrators with the necessary flexibility allowing the successful Group Policy deployment within Active Directory, especially in large organizations where multiple GPOs are applied at different levels within the Active Directory, causing some GPOs to accidently override others.

Thankfully Active Directory provides a simple way for granular control of GPOs:

FREE Hyper-V & VMware Backup: Easy to use - Powerful features - Just works, no hassle: It's FREE for Firewall.cx readers! Download Now!

Group Policy Object Inheritance

GPOs can be linked at Site, Domain, OUs and child OUs. By default, group policy settings that are linked to parent objects are inherited to the child objects in the active directory hierarchy. By default, Default Domain Policy is linked to the domain and is inherited to all the child objects of the domain hierarchy.

GPO inheritance let’s administrators to set common set of policies to the domain level or site level and configure more specific polices at the OU level. GPOs inherited from parent objects are processed before GPOs linked to the object itself.

As shown in the figure below, the Default Doman Policy GPO with precedence 2 will be processed first, because the Default Domain Policy is applied at the domain level (firewall.local) where as the WallPaper GPO is applied at the organization unit level:

Figure 1. Group Policy Inheritance

Block Inheritance

As GPOs can be inherited by default, they can also be blocked, if required using the Block Inheritance. If the Block Inheritance setting is enabled, the inheritance of group policy setting is blocked. This setting is mostly used when the OU contains users or computers that require different settings than what is applied to the domain level.

FREE Hyper-V & VMware Backup: Easy to use - Powerful features - Just works, no hassle: It's FREE for Firewall.cx readers! Download Now!

As shown in the figure below, to configure blocking of GPO inheritance, right-click the OU container and select the Block Inheritance option from the list:

         Figure 2. GPO Block Inheritance

Enforced (No Override)

This option prevents a GPO from being overridden by other GPO. For example, if you apply a GPO to domain and check the Enforced option, then this policy will be enforced to all the child objects in active directory and takes precedence of child GPO objects even if you have configured another similar GPO child object with a different value. In previous Windows Server versions, the GPO enforced option used to be called No Override.

To enable the GPO Enforced option, right-click on a particular GPO and click on the Enforced option:

Figure 3. Enforcing a GPO

This article explained the importance of GPO inheritance and how it can be enforced or blocked via Group Policy Enforcement, Inheritance and Block Inheritance throughout the Active Directory. For more information on Group Policies and how they are created or applied, refer to our article Configuring Windows 2012 Active Directory Group Policies or visit our Windows 2012 Server Section.

FREE Hyper-V & VMware Backup: Easy to use - Powerful features - Just works, no hassle: It's FREE for Firewall.cx readers! Download Now!

Before we dive into Group Policy configuration, let's explain what exactly Group Policies are and how they can help an administrator control its users and computers.

A Group Policy is a computer or user setting that can be configured by administrators to apply various computer specific or user specific registry settings to computers that have joined the domain (active directory). A simple example of a group policy is the user password expiration policy which forces users to change their password on a regular basis. Another example of a group policy would be the enforcement of a specific desktop background picture on every workstation or restricting users from accessing their Local Network Connection properties so they cannot change their IP address.

A Group Policy Object (GPO) contains one or more group policy settings that can be applied to domain computers, users, or both. GPO objects are stored in active directory. You can open and configure GPO objects by using the GPMC (Group Policy Management Console) in Windows Server 2012:

Figure 1. GPO Objects

Group Policy Settings are the actual configuration settings that can be applied to a domain computer or user. Most of the settings have three states, Enabled, Disabled and Not Configured. Group Policy Management Editor provides access to hundreds of computer and user settings that can be applied to make many system changes to the desktop and server environment.

Group Policy Settings

Group Policy Settings are divided into Computer Settings and User Settings. Computer Settings are applied to computer when the system starts and this modifies the HKEY Local Machine hive of registry. User Settings are applied when the users log in to the computer and this modifies the HKEY Local Machine hive.

Figure 2. Group Policy Settings

Computer Settings and User Settings both have policies and preferences.

These policies are:

Software Settings: Software can be deployed to users or computer by the administrator. The software deployed to users will be available only to those specific users whereas software deployed to a computer will be available to any user that on the specific computer where the GPO is applied.

Windows Settings: Windows settings can be applied to a user or a computer in order to modify the windows environment. Examples are: password policies, firewall policy, account lockout policy, scripts and so on.  

Administrative Templates: Contains a number of user and computer settings that can be applied to control the windows environment of users or computers. For example, specifying the desktop wallpaper, disabling access to non-essential areas of the computers (e.g Network desktop icon, control panel etc), folder redirection and many more.

Preferences are a group policy extension that does the work which would otherwise require scripts. Preferences are used for both users and computers. You can use preferences to map network drives for users, map printers, configure internet options and more.

Next, let’s take a look at how we can create and apply a Group Policy.

FREE Hyper-V & VMware Backup: Easy to use - Powerful features - Just works, no hassle: It's FREE for Firewall.cx readers! Download Now!

Creating & Applying Group Policy Objects

By default, GPOs can be created and applied by Domain Admins, Enterprise Admins and Group Policy Creator Owner user groups. After creating the GPO, you can apply or link the GPOs to sites, domains or Organizational Units (OUs), however you cannot apply GPO to users, groups, or computers. GPOs are processed in following top to bottom order:

1. Local Group Policy: Every windows operating system has local group policy installed by default. So this local group policy of the computer is applied at first.
2. Site GPO: The GPOs linked to the Site is then processed. By default, there is no site level group policy configured.
3. Domain GPO: Next, the GPO configured at domain level is processed. By default, GPO named default domain policy is applied at the domain level. This applies to all the objects of the domain. If there is policy conflict between domain and site level GPOs, then GPO applied to domain level takes the precedence.
4. Organizational Unit GPO: - In the end, GPO configured at OU is applied. If there is any conflict between previously applied GPOs, the GPO applied to OU takes the most precedence over Domain, Site and Local Group Policy.

Let’s now take a look at a scenario to apply a group policy to domain joined computers to change the desktop background. We have a domain controller named FW-DC01 and two clients FW-CL1 and FW-CL2 as shown in the diagram below. The goal here is to set the desktop wallpaper for these two clients from a group policy:

Figure 3. GPO Scenario

In our earlier articles we showed how Windows 8 / Windows 8.1 join an Active Directory domain, FW-CL1 and FW-CL2 are workstations that have previously joined our domain – Active Directory. We have two users MJackson and PWall in the FW Users OU.

Open the Group Policy Management Console (GPMC) by going into Server Manager>Tools and select Group Policy Management as shown below:

Figure 4. Open GPMC

As the GPMC opens up, you will see the tree hierarchy of the domain. Now expand the domain, firewall.local in our case, and you will see the FW Users OU which is where our users reside. From here, right-click this OU and select the first option Create a GPO in this domain and Link it here:

Figure 5. Select FW Users and Create a GPO

Now type the Name for this GPO object and click the OK button. We selected WallPaper GPO:

Figure 6. Creating our Wallpaper Group Policy Object

Next, right-click the GPO object and click edit:

Figure 7. Editing a Group Policy Object

At this point we get to see and configure the policy that deals with the Desktop Wallpaper, however notice the number of different policies that allow us to configure and tweak various aspects of our domain users.

To find the Desktop Wallpaper, go to Expand User Configuration> Policies> Administrative Templates> Desktop> Desktop. At this point we should be able to see the setting in right window. Right-click the Desktop Wallpaper setting and select Edit:

Figure 8. Selecting and editing Desktop Wallpaper policy

The settings of Desktop Wallpaper will now open. First we need to activate the policy by selecting the Enabled option on the left. Next, type the UNC path of shared wallpaper. Remember that we must share the folder that contains the wallpaper \\FW-DC1\WallPaper\ and configure the share permission so that users can access it. Notice that we can even select to center our wallpaper (Wallpaper Style). When ready click Apply and then OK:

Figure 9. Configure Desktop Wallpaper

Now that we’ve configured our GPO, we need to apply it. To do so, we can simply log off and log back in the client computer or type following command in domain controller’s command prompt to apply the settings immediately:

Once our domain user logs in to their computer (FW-CL1), the new wallpaper policy will be applied and loaded on to the computer’s desktop.

Figure 10. User Login

As we can see below, our user's desktop now has the background image configured in the group policy we created:

Figure 11. Computer Desktop Wallpaper Changed

This example shows how one small configuration setting can be applied to all computers inside an organization. The power and flexibility of Group Policy Objects is truly unbelievable and as we’ve shown, it’s even easier to configure and apply them with just a few clicks on the domain controller!

FREE Hyper-V & VMware Backup: Easy to use - Powerful features - Just works, no hassle: It's FREE for Firewall.cx readers! Download Now!

This article explained what Group Policies Objects are and showed how to Configure Windows 2012 Active Directory Group Policies to control our Active Directory users and computers. We also highly recommend our article on Group Policy Enforcement, Inheritance throughout the Active Directory structure. More articles on Windows 2012 & Hyper-V can be found at our Windows 2012 Server section.

Our previous article covered the installation of Windows Server 2012 Active Directory Services role and Domain Controller installation using the Windows Server Manager (GUI) interface.

FREE Hyper-V & VMware Backup:  FREE for Firewall.cx readers for a Limited Time!  Download Now!

What Is Active Directory?

Active Directory is a heart of Windows Server operating systems. Active Directory Domain Services (AD DS) is central repository of active directory objects like user accounts, computer accounts, groups, group policies and so on. Similarly, Active Directory authenticates user accounts and computer accounts when they login into the domain. Computers must be joined to the domain in order to authenticate Active Directory users.

Active Directory is a database that is made up of several components which are important for us to understand before attempting to install and configure Active Directory Services on Windows Server 2012. These components are:

1. Domain Controller (DC): - Domain Controllers are servers where the Active Directory Domain Services role is installed. The DC stores copies of the Active Directory Database (NTDS.DIT) and SYSVOL (System Volume) folder.
2. Data Store: - It is the actual file (NTDS.DIT) that stores the Active Directory information.
3. Domain: - Active Directory Domain is a group of computers and user accounts that share common administration within a central Active Directory database.
4. Forest: - Forest is a collection of Domains that share common Active Directory database. The first Domain in a Forest is called a Forest Root Domain.
5. Tree: - A tree is a collection of domain names that share common root domain.
6. Schema: - Schema defines the list of attributes and object types that all objects in the Active Directory database can have.
7. Organizational Units (OUs): - OUs are simply container or folders in the Active Directory that stores other active directory objects such as user accounts, computer accounts and so on. OUs are also used to delegate control and apply group policies.
8. Sites: - Sites are Active Directory object that represent physical locations. Sites are configured for proper replication of Active Directory database between sites.
9. Partition: - Active Directory database file is made up of multiple partitions which are also called naming contexts. The Active Directory database consists of partitions such as application, schema, configuration, domain and global catalog.

Checking Active Directory Domain Services Role Availability 

Another method of installing an Active Directory Services Role &  Domain Controller is with the use of Windows PowerShell. PowerShell is a powerful scripting tool and an alternative to the Windows GUI wizard we covered in our previous article. Open PowerShell as an Administrator and type the following cmdlet to check for the Active Directory Domain Services Role availability:

The system should return the Install State as Available, indicating the role is available for immediate installation. We can now safely proceed to the next step.

Install Active Directory Services Role & Domain Controller Using Windows PowerShell

To initiate the installation of Active Directory Services Role on Windows Server 2012 R2, issue the following cmdlet:

The system will immediately begin the installation of the Active Directory Domain Services role and provide an update of the installation's progress:

Figure 1. Installing Active Directory Domain Services with PowerShell

Once the installation is complete, the prompt is updated with a success message (Exit Code) as shown below:

Figure 2. Finished Installing ADDS with PowerShell

The following figure shows the command execution and system output:

Figure 3. Prerequisite Installation

Now it's time to promote the server to a domain controller. For this step, we need to save all parameters in a PowerShell script (using notepad), which will then be used during the domain controller installation.

FREE Hyper-V & VMware Backup:  FREE for Firewall.cx readers for a Limited Time!  Download Now!

Below are the options we used - these are identical to what we selected in our GUI Wizard installation covered in our Windows Server 2012 Active Directory Services role and Domain Controller installation using the Windows Server Manager (GUI) article:

Save the script at an easy accessible location e.g Desktop, with the name InstallDC.ps1.

The following figure shows the command execution and system output:

Figure 4. Changing the Execution Policy of PowerShell

Now we can execute our script from within PowerShell by changing the PowerShell directory to the location where the script resides and typing the following cmdlet:

Once executed, the server is promoted to Domain Controller and installation updates are provided at the PowerShell prompt:

Figure 5. Promoting Server to Domain Controller

After the installation is complete, the server will reboot and the server will have Active Directory Domain Services installed with the server being a Domain Controller.

This completes the installation and setup of Windows 2012 Active Directory Services Role & Domain Controller using Windows 2012 PowerShell.

FREE Hyper-V & VMware Backup:  FREE for Firewall.cx readers for a Limited Time!  Download Now!

Readers interested in performing the installation via Windows PowerShell can read this article.

FREE Hyper-V & VMware Backup:  FREE for Firewall.cx readers for a Limited Time!  Download Now!

What is Active Directory?

Active Directory is a heart of Windows Server operating systems. Active Directory Domain Services (AD DS) is a central repository of active directory objects such as user accounts, computer accounts, groups, group policies and so on. Similarly, Active Directory authenticates user accounts and computer accounts when they login into the domain. Computers must be joined to the domain in order to authenticate Active Directory users.

Active Directory is a database that is made up of several components which are important for us to understand before attempting to install and configure Active Directory Services on Windows Server 2012. These components are:

1. Domain Controller (DC): - Domain Controllers are servers where the Active Directory Domain Services role is installed. The DC stores copies of the Active Directory Database (NTDS.DIT) and SYSVOL (System Volume) folder.
2. Data Store: - It is the actual file (NTDS.DIT) that stores the Active Directory information.
3. Domain: - Active Directory Domain is a group of computers and user accounts that share common administration within a central Active Directory database.
4. Forest: - Forest is a collection of Domains that share common Active Directory database. The first Domain in a Forest is called a Forest Root Domain.
5. Tree: - A tree is a collection of domain names that share common root domain.
6. Schema: - Schema defines the list of attributes and object types that all objects in the Active Directory database can have.
7. Organizational Units (OUs): - OUs are simply container or folders in the Active Directory that stores other active directory objects such as user accounts, computer accounts and so on. OUs are also used to delegate control and apply group policies.
8. Sites: - Sites are Active Directory object that represent physical locations. Sites are configured for proper replication of Active Directory database between sites.
9. Partition: - Active Directory database file is made up of multiple partitions which are also called naming contexts. The Active Directory database consists of partitions such as application, schema, configuration, domain and global catalog.

Installing Active Directory Domain Controller In Server 2012

In Windows Server 2012, the Active Directory Domain Controller role can be installed using the Server Manager or alternatively, using Windows PowerShell. The figure below represents our lab setup which includes a Windows Server 2012 (FW-DC01) waiting to have the Active Directory Domain Services server role installed on it:

Notice that there are two Windows 8 clients waiting to join the Active Directory domain once installed.

A checklist before installing a Domain Controller in your network is always recommended. The list should include the following information:

• Server Host Name – A valid Hostname or Computer Name must be assigned to domain controller. We've selected FW-DC01 as a server's host name.
• IP Address – You should configure a static IP address, which will not be changed later on. In our example, we've used 192.168.1.1/24 which is a Class C IP address.
• Domain Name – Perhaps one of the most important items on our checklist. We've used firewall.local for our setup. While many will want to use an existing public domain, e.g their company's domain, it is highly recommended this practice is avoided at all costs as it can create a number of problems with DNS resolution when internal hosts or servers are trying to resolve hosts that exist on both private and public name spaces.

Microsoft doesn't recommend the usage of a public domain name in an internal domain controller, which is why we selected firewall.local instead of firewall.cx.

Installing Active Directory Domain Controller Using Server Manager

Initiating the installation of Active Directory is a simple process; however it does require Administrator privileges. Open Server Manager, go to Manage and select Add Roles and Features:

Figure 2. Add Roles and Features

Click Next on the Before you begin page.

On the next screen, choose Role-based or feature-based Installation and click Next:

 Figure 3. Choose Role Based Installation

Select the destination server by choosing Select a server from the server pool option and select the server and click Next. In cases like our lab where there is only one server available, it must be selected:

 Figure 4. Select Destination Server

In the Select server roles page, select the Active Directory Domain Services role and click Next:

Figure 5. Select AD DS role

The next page is the Features page which we can safely skip by clicking Next

The Active Directory Domain Services page contains limited information on requirements and best practices for Active Directory Domain Services:

Figure 6. AD DS Page

Once you've read the information provided, click Next to proceed to the final confirmation page.

FREE Hyper-V & VMware Backup:  FREE for Firewall.cx readers for a Limited Time!  Download Now!

On the confirmation page, select Restart the destination server automatically if required and click on the Install button. By clicking Install, you confirm you are ready to begin the AD DS role installation:

Figure 7. AD DS Confirmation

Note: You cannot cancel a role installation once it begins

The Add Roles and Feature Wizard will continuously provide updates during the Active Directory Domain Services role installation, as shown below:

Figure 8. Installation Progress

Once the installation has completed successfully, we should expect to see the Installation succeeded message under the installation progress bar:

Figure 9. Successful Installation & Promote Server to DC

Promoting Server To Domain Controller

At this point we can choose to Promote this server to a domain controller by clicking on the appropriate link as highlighted above (Blue arrow).

After selecting the Promote this server to a domain controller option, the Deployment Configuration page will appear. Assuming this is the first domain controller in the network, as is in our case, select the Add a new forest option to setup a new forest, and then type the fully qualified domain name under root domain name section. We've selected to use firewall.local:

Figure 10. Configure Domain Name

Administrators who already have active directory installed would most likely select the Add a domain controller to an existing domain option. Having at least two Domain Controllers is highly advisable for redundancy purposes. When done click the Next button.

Now select Windows Server 2012 R2 for the Forest functional level and Domain functional level. By setting the domain and forest functional levels to the highest value that your environment can support, you'll be able to use as many Active Directory Domain Services as possible. If for example you do not plan to ever add domain controllers running Windows 2003, but might add a Windows 2008 server as a domain controller, you would select Windows Server 2008 for the Domain functional level. Next, click on the Domain Name System (DNS) server option as shown in the below figure:

Figure 11. DC Capabilities

The DNS Server role can be later on installed. If for any reason you need to install the DNS Server role later on, please read our How to Install and Configure Windows 2012 DNS Server Role article.

Since this is the first domain controller in the forest, Global Catalog (GC) will be selected by default. Now set the Directory Services Restore Mode (DSRM) password. DSRM is used to restore active directory in case of failure. Once done, click Next.

The next window is the DNS Options page. Here we might encounter the following error which can be safely ignored simply because of the absence of a DNS server (which we are about to install):

Ignore the error and click Next to continue.

In the next window, Additional Options, leave the default NetBIOS domain name and click Next. The Windows AD DS wizard will automatically remove the .local from the domain name to ensure compatibility with NetBIOS name resolution:

Figure 12. Additional Options

The next step involves the Paths selection which allows the selection of where to install the Database, Log Files and SYSVOL folders. You can either browse to a different location or leave the default settings (as we did). When complete, click Next:

Figure 13. Paths

Note: When the installation is complete, the Database folder will contain a file named NTDS.DIT. This important file is database file of your active directory.

Finally, the next screen allows us to perform a quick review of all selected options before initiating the installation: Once reviewed, click Next.

Figure 14. Review Options

The server will now perform some prerequisites check. If successful, it will show green check mark on the top. Some warnings may appear, however if these are non-critical, we can still proceed with the installation. Click the Install button to promote this server to domain controller:

Figure 15. Prerequisites Check

The installation begins and the server's installation progress is continuously updated:

Figure 16. Installation Begins

When the installation of Active Directory is complete, the server will restart.

Assuming we've restarted, we can now open Active Directory Users and Computers and begin creating user accounts, computer accounts, apply group policies, and so on.

Figure 17. Active Directory Users and Computers

As expected, under the Domain Controllers section, we found our single domain controller. If we were to add our new domain controller to an existing active directory, then we would expect to find all domain controllers listed here.

FREE Hyper-V & VMware Backup:  FREE for Firewall.cx readers for a Limited Time!  Download Now!

Hyper-V

Keeping your Hyper-V virtualization infrastructure running as smoothly as possible can be a daunting task, which is why we recommend engineers follow the best Hyper-V practices.

Different organizations have different setups and requirements: some of you might be moving from VMware to Hyper-V virtualization, while others might be upgrading from an older Hyper-V virtualization server to a newer one. Each scenario must follow the baseline or best practices,  to be able to run the virtualization infrastructure successfully – without problems.

Hyper-V Best Practice List

Best practices for Hyper-V vary considerably depending on whether you're using clustered servers. As a general rule-of-thumb the best thing you can do is try to configure your host server and your Virtual Machines in a way that avoids resource contention to the greatest extent possible.

Organizations who are considering migrating their infrastructure to Hyper-V, or are currently running on the Hyper-V virtualization platform, need to take note of the below important points that must not be overlooked:

Processor

Memory

Minimum: 512 MB.  This is the bare minimum; however a logical approach would be at least 4 Gigs of RAM per virtual server.  If one physical server is to host 4 Virtual Machines, then we would recommend at least 16GBs of Physical RAM, if not more.  SQL servers and other RAM intensive services would certainly lift the memory requirements a lot higher. You can never have enough memory.

Network Adapters

At least one network adapter is required, but two or more are always recommended. Hyper-V allows the creation of three different virtual switches: Internal Virtual Switches, Private Virtual Switches and External Virtual Switches.

Internal virtual switches are used to allow the virtual machine to connect with its host machine (the physical machine that run’s Hyper-V). Private virtual switches are used when we only want to connect virtual machines, which run on the same host, between each other.  External virtual switches are used to allow the virtual machine to connect with our LAN network and this is where physical network adapters come in hand.   
Host machines with only one network adapter will be forced to share that network adapter with all its virtual machines. This is why it’s always best practice to have at least two network adapters available. 

Additional Considerations

The settings for hardware-assisted virtualization and hardware-enforced DEP are usually available from within in the system’s BIOS; however, the names of the settings may differ from the names identified previously.
For more information about whether a specific processor model supports Hyper-V (virtualization), it is recommended to check at the manufacturer’s website.

As noted before, it is important to remember after modifying the settings for hardware-assisted virtualization or hardware-enforced DEP, you may need to turn off the power to the server and then turn it back on to ensure the new CPU settings are loaded.

Microsoft Assessment & Planning Toolkit

Microsoft Assessment and Planning Toolkit (MAP) can be used to study existing infrastructure and determine the Hyper-V requirement. For organizations who are interested in server consolidation and virtualization through technologies such as Hyper-V, MAP helps gather performance metrics and generate server consolidation recommendations that identify the candidates for server virtualization and will even suggest how the physical servers might be placed in a virtualized environment.

The diagram below shows the MAP phases involved to successfully create the necessary reports:

Figure 1. MAP Phases

Below is an overview of the Microsoft Assessment and Planning Toolkit application:

Figure 2. MAP Overview

The following points are the best practices which should be considered before deploying your Windows Server 2012 Hyper-V infrastructure:

Hyper-V Hosts (Physical Servers)

• Ensure hosts are up-to-date with recommended Microsoft updates
• Ensure hosts have the latest BIOS version, as well as other hardware devices (such as Synthetic Fiber Channel, NIC’s, Raid bios, etc.)
• Hosts must be part of a domain before you can create a Hyper-V High-Availability Cluster.
• RDP Printer Mapping should be disabled on hosts, to remove any chance of a printer driver causing instability issues on the host machine. To do this, follow the below steps: Computer Configuration –> Policies –> Administrative Templates –> Windows Components –> Remote Desktop Services –> Remote Desktop Session Host –> Printer Redirection –> Do not allow client printer redirection –> Set to "Enabled”
• Do not install any other Roles on a host besides the Hyper-V role and the Remote Desktop Services roles. Optionally, if the host will become part of a cluster, you can install Failover Cluster Manager. In the event the host connects to an iSCSI SAN and/or Fiber Channel, you can also install Multipath I/O.
• Anti-virus software should exclude Hyper-V specific files using the Hyper-V: Antivirus Exclusions for Hyper-V Hosts article available from Microsoft.
• Default path for Virtual Hard Disks (VHD/VHDX) should be set to a non-system drive, due to this can cause disk latency as well as create the potential for the host running out of disk space.
• If you are using iSCSI: In Windows Firewall with Advanced Security, enable iSCSI Service (TCP-In) for Inbound and iSCSI Service (TCP-Out) for outbound in Firewall settings on each host. This will ensure iSCSI traffic is allowed to pass from host to the SAN device and back. Not enabling these rules will prevent iSCSI communication. To set the iSCSI firewall rules via netsh, you can use the following command:

PS C:\Windows\system32> Netsh advfirewall firewall set rule group=”iSCSI Service” new enable=yes

• Periodically run performance counters against the host, to ensure optimal performance. Recommend using the Hyper-V performance counter that can be extracted from the (free) Codeplex PAL application.

Hyper-V Virtual Machines

• Ensure you are running only supported guests in your environment.
• Ensure you are using sophisticated backup software such as Altaro’s Hyper-V Backup which also includes free lifetime backup for a specific amount of VMs
• If you are converting VMware virtual machines to Hyper-V, consider using MVMC (a free, stand-alone tool offered by Microsoft) or VMM.
• Disk2vhd is a Tool which can be used to convert a Physical Machine to a Hyper-V Virtual Machine (P2V). The VHD file created can then be imported in to Hyper-V.

Hyper-V Physical NICs

• Ensure Network Adapters have the latest firmware and drivers, which often address known issues with hardware and performance.
• TCP Chimney Offload is not supported with Server 2012 software-based NIC teaming, because TCP Chimney has the entire networking stack offloaded to the NIC. If however software-based NIC teaming is not used, you can leave TCP Chimney Offload enabled. To disable TCP Chimney Offload, from an elevated command-prompt, type the following command:

PS C:\Windows\system32> netsh int tcp set global chimney=disabled

• Jumbo frames should be turned on and set for 9000 or 9014 (depending on your hardware) for CSV, iSCSI and Live Migration networks. To verify Jumbo frames have been successfully configured, run the following command from all your Hyper-V host(s) to your iSCSI SAN:

PS C:\Windows\system32> ping 10.50.2.35 –f –l 8000

This command will ping the SAN (e.g. 10.50.2.35) with an 8K packet from the host. If replies are received, Jumbo frames are properly configured. Note that in the case a network switch exists between the host and iSCSI SAN, Jumbo frames must be enabled on that as well.

 Figure 3. Jumbo Frame Ping Test

• Management NIC should be at the top (1st) in NIC Binding Order. To set the NIC binding order: Control Panel --> Network and Internet --> Network Connections. Next, select the advanced menu item, and select Advanced Settings. In the Advanced Settings window, select your management network under Connections and use the arrows on the right to move it to the top of the list.
• If using NIC teaming inside a guest VM, follow this order: Open the settings of the Virtual Machine, Under Network Adapter, select Advanced Features, in the right pane, under Network Teaming, tick the “Enable this network adapter to be part of a team in the guest operating system”. Once inside the VM, open Server Manager. In the All Servers view, enable NIC Teaming from Server:

Figure 4. Enable NIC Teaming

Hyper-V Disks

• New disks should use the VHDX format. Disks created in earlier Hyper-V iterations should be converted to VHDX, unless there is a need to move the VHD back to a 2008 Hyper-V host.
• Disk used for CSV must be partitioned with NTFS. You cannot use a disk for a CSV that is formatted with FAT, FAT32, or Resilient File System (ReFS).
• Disks should be fixed in a production environment, to increase disk throughput. Differencing and Dynamic disks are not recommended for production, due to increased disk read/write latency times (differencing/dynamic disks).
• Shared Virtual Hard Disk: Do not use a shared VHDx file for the operating system disk. Servers should have a unique VHDx (for the OS) that only they can access. Shared Virtual Hard Disks are better used as data disks and for the disk witness.
• Use caution when using snapshots. If not properly managed, snapshots can cause disk space issues, as well as additional physical I/O overhead.
• Page file on Hyper-V Host should manage by the OS and not configured manually.
• It is not supported to create a storage pool using Fiber Channel or iSCSI LUNs.

Hyper-V Memory

• Use Dynamic Memory on all VMs (unless not supported).
• Guest OS should be configured with (minimum) recommended memory

Hyper-V Clusters

• Set preferred network for CSV communication, to ensure the correct network is used for this traffic. The lowest metric in the output generated by the PowerShell command below, will be used for CSV traffic. First, open a PowerShell command-prompt (using “Run as administrator”) Secondly, you’ll need to import the “FailoverClusters” module. Type the following at the PowerShell command-prompt:

PS C:\Windows\system32> Import-Module FailoverClusters

Next, we’ll request a listing of networks used by the host, as well as the metric assigned. This can be done by typing the following:

PS C:\Windows\system32> Get-ClusterNetwork | ft Name, Metric, AutoMetric, Role

In order to change which network interface is used for CSV traffic, use the following PowerShell command:

PS C:\Windows\system32> (Get-ClusterNetwork "CSV Network").Metric=900

This will set the network named "CSV Network" to 900

Figure 5. Get Cluster Network

• Set preferred network for Live Migration, to ensure the correct network(s) are used for this traffic following these steps: Open Failover Cluster Manager, Expand the Cluster , Next, right-click on Networks and select Live Migration Settings , Use the Up/Down buttons to list the networks in order from most preferred (at the top) to least preferred (at the bottom) , Uncheck any networks you do not want used for Live Migration traffic , Select Apply and then press OK , Once you have made this change, it will be used for all VMs in the cluster
• The Host Shutdown Time (ShutdownTimeoutInMinutes registry entry) can be increased from the default time. This setting is usually increased when additional time is needed by VMs in order to ensure they have had enough time to shut down before the host reboots.

Registry Key: HKLM\Cluster\ShutdownTimeoutInMinutes 

Enter minutes in Decimal value.

Note: Changing of this registy value requires a server reboot in order to take effect:

Figure 6. Registry Shutdown Option

• Run the Cluster Validation periodically to remediate any issues

Hyper-V Replica

• Run the Hyper-V Replica Capacity Planner. The Capacity Planner for Hyper-V Replica, allows you to plan your Hyper-V Replica deployment based on the workload, storage, network and server characteristics.
• Update inbound traffic on the firewall to allowTCP port 80 and/or port 443 traffic. (In Windows Firewall, enable “Hyper-V Replica HTTP Listener (TCP-In)” rule on each node of the cluster. Shell commands to achieve the above are:

PS C:\Windows\system32> netsh advfirewall firewall set rule group="Hyper-V Replica HTTP" new enable=yes
PS C:\Windows\system32> netsh advfirewall firewall set rule group="Hyper-V Replica HTTPS" new enable=yes

• Virtual hard disks with paging files should be excluded from replication, unless the page file is on the OS disk.
• Test failovers should be performed monthly, at a minimum, to verify that failover will succeed and that virtual machine workloads will operate as expected after failover

Hyper-V Cluster-Aware Updating

• Place all Cluster-Aware Updating (CAU) Run Profiles on a single File Share accessible to all potential CAU Update Coordinators. Run Profiles are configuration settings that can be saved as an XML file called an Updating Run Profile and reused for later Updating Runs.

Hyper-V SMB 3.0 File Shares

• An Active Directory infrastructure is required, so you can grant permissions to the computer account of the Hyper-V hosts.
• Loopback configurations (where the computer that is running Hyper-V is used as the file server for virtual machine storage) are not supported. Similarly, running the file share in VM’s that are hosted on computer nodes that will serve other VM’s is not supported.

Hyper-V Integration Services

• Ensure Integration Services (IS) have been installed on all VMs. IC's significantly improve interaction between the VM and the physical host.

Hyper-V Offloaded Data Transfer (ODX) Usage

• If your SAN supports ODX; you should strongly consider enabling ODX on your Hyper-V hosts, as well as any VMs that connect directly to SAN storage LUNs.

Be sure to run this command on every Hyper-V host that connects to the SAN, as well as any VM that connects directly to the SAN.

This concludes our Windows 2012 Hyper-V Best Practices article. We hope you’ve found the information provided useful and that it helps make your everyday administration a much easier task.

This article is written to let you know as to why it is important to choose a dedicated Hyper-V Backup tool rather than relying on the existing mechanism as explained in bullet points below.

Users interested can also read our articles on Hyper-V Concepts/VDI, how to install Hyper-V Server & creating a Virtual Machine in Hyper-V.

FREE Hyper-V & VMware Backup:  Easy to use - Powerful features - Just works, no hassle:   It's FREE for Firewall.cx readers!  Download Now!

1. Flexibility

Third-party backup products are designed in such a way that the product is easy to use when it comes to backup or restore a virtual machine running on the Hyper-V Server. For example, using third-party backup product, you can select a virtual machine to backup or restore. In case of any disaster with a virtual machine, it becomes easy for an IT administrator to use the flexible backup product’s console to restore a virtual machine from backup copies and restore the business services as quickly as possible.

2. Verification Of Restores

Third-party backup products provide features to verify restores without impacting the production workload. IT administrators can use the verification feature to restore the backup copies to a standalone environment to make sure these backup copies can be restored successfully in the future, if required.

3. Designed For Use With Hyper-V

A third-party backup product is designed to use with a specific technology. For example, SQL Server Backup products are designed to backup/restore SQL Server database. Similarly, third-party Hyper-V Backup Products are designed to use specifically with Hyper-V Servers. Since these dedicated Hyper-V backup products are integrated with Hyper-V closely, they are more trusted by the IT organizations.

4. Full Backup Copy Of Virtual Machine

Although, starting with Windows Server 2012, Hyper-V Server offers replication services, sometimes referred as Hyper-V Replica, which can be used to build a disaster recovery scenario. The replication takes place every 5 minutes and changed data are replicated to the Hyper-V Servers located on the disaster recovery site. At the disaster site, you only have changed copies to restore virtual machine from a failure. What if you need to restore the full virtual machine? In that case, you would require the full backup copy of the virtual machine which is only possible if you are using a dedicated Hyper-V backup product.

5. Maintaining Different Versions Of Backup Copies

There are several reasons to maintain different versions of backup copies. One of the reasons is to revert back configuration to a point-in-time and another reason is to restore the business services as quickly as possible from a backup copy of your choice. A dedicated Hyper-V backup product can maintain several backup copies of a virtual machine.

6. Agentless Backups/Restores

Most of the third-party Hyper-V Backup products ship without an Agent. An agent is a piece of software which is installed on a Hyper-V server with communicates with the Backup software. In case of an agentless backup software, it is easy for administrators to perform backup/restore operations without worrying about the agent’s response.

7. Timely Backing up virtual machines

As part of the standard IT process, many organizations have a strategy in place in which backups for critical IT components including virtual machines are scheduled in a timely manner. These backups ensure that in case of any disaster (including physical), the service can be restored from a backup copy taken from a dedicated backup product rather than relying on native methods. The backup copy not only allows you to restore services but also helps you understand the impact of restoring a backup copy which is older.

8. Centralized Management

Backup software ships with a centralized management tool. The centralized management tool is capable of managing multiple Hyper-V Servers and checking the backup operations on multiple Hyper-V servers from a single console.

9. Avoid Unnecessary Files Backup

Since the backup software is designed to work with a specific technology, it is designed in such a way that it excludes the files which are not necessary to include in the virtual machine backup copies. This helps in reducing the backup copy size.

10. Compression

A dedicated Hyper-V backup product offers compressing backup data before it is written to the backup drive. You can enable/disable compression for all or selected virtual machines using the third-party backup product’s console.

11. Encryption

Security is the major concern for IT organizations nowadays. Third-party Hyper-V Backup products use encryption technology to encrypt backup copies stored on a backup drive. These backup copies can only be read by the same Hyper-V backup product.

12. Backup & Offsite Location

As part of the IT processes, every organization ensures that the backup copies are kept at an off-site location and these backup copies can be retrieved easily when the disaster takes place at the production site. Native tools do not support taking backup to an off-site location. Third-party backup products can provide off-site backup feature in which backup copiescan be saved to an off-site location without requiring much network bandwidth.

13. Incremental Backup Copies

A dedicated Hyper-V backup product ensures that only changed contents are backed up rather than taking a full backup copy every time the backup job runs.

14. More Backup Options

Third-party backup products provide more backup options like taking daily backups or monthly backups which can be scheduled at a pre-defined interval using the centralized management console.

15. Backup To External Sources

Third-party Hyper-V backup products support backing up virtual machines to external sources including USB external devices, eSata External drives, USB flash drives, Fileserver network shares, NAS devices, and RDX cartriges.

16. Backup Retention Policies

Old backup copies can be deleted if they are not required. You can configure the backup retention policy for each virtual machine. A dedicated Hyper-V Backup product can take automatic actions to delete the older backup copies as per the retention policy you configure.

17. Ability To Restore Individual Files Or Folders

Without using a dedicated Hyper-V backup product, it would be difficult for IT administrators to restore individual files/folders from a virtual machine backup copy. Some backup products provide a feature called “Exchange Level Item Restore” which can be used to restore selected emails or mailboxes from a backup copy of a virtual machine.

18. Application Vendor Recommendation For Backup Products

Many of the application vendors require that an enterprise backup system is installed in the production environment to backup data of their applications running in the virtual machines. Since most of the vendors impose this requirement, or recommend to back up application data using a dedicated Hyper-V backup product, native backup tools fail to do so.

19. Error & Reporting

Error and Reporting are the main features a third-party backup product provides. It lets you take necessary actions if a failure takes place with a backup or restore operation. Using reporting feature of a backup product, you can know how many virtual machines have been backed up successfully and how many virtual machines have failed.

20. Support

In case if you’re not able to restore virtual machine from a backup copy or hit with an error during the restore or backup operation, you can always contact product support to get you out from this situation. Many third-party backup products provide 24/7 support for their products.

FREE Hyper-V & VMware Backup:  Easy to use - Powerful features - Just works, no hassle:   It's FREE for Firewall.cx readers!  Download Now!

Altaro Hyper-V Backup

Altaro Hyper-V Backup offers a simple, easy-to-use solution for backing up Hyper-V VMs. It includes features such as offsite backup, remote management, Exchange item-level Restore, Compression, Encryption, and much more at an affordable cost.

This article will show how to install Windows Server 2012 (the same process can be used for almost all other operating systems) from a USB Flash.

The only prerequisite for this process to work is that you have a USB Flash big enough to fit the ISO image and the server (or virtualization platform) supports booting from a USB Flash. If these two requirements are met, then it’s a pretty straight-forward process.

 FREE Hyper-V & VMware Virtualization Backup:  FREE for Firewall.cx readers for a Limited Time!  Download Now!

The Windows 7 USB-DVD Tool

The Windows 7 USB/DVD Tool is a freely distributed application available in our Administrator Utilities download section. The application is required to transfer/copy the ISO Image of the operating system we want to install, to our USB Flash. The application is also able to burn the ISO image directly on a DVD – a very hand feature.

Download a copy, install and run it on the computer where the ISO image is available.

When the tool runs, browse to the path where the ISO image is located. Once selected, click on Next:

At this point, we can choose to copy the image to our USB device (USB Flash) or directly on to a DVD. We select the USB Device option:

In the next screen, we are required to select the correct USB device. If there are more than one USB storage devices connected, extra care must be taken to ensure the correct USB Flash is selected. In case no USB Flash has been connected, insert it now into your USB port and click on the refresh button for it to appear:

After selecting the appropriate USB device, click on Begin Copying to start the transfer of files to the USB Flash:

Once the copy process is complete, we are ready to remove our USB Flash and connect it to our server:

 FREE Hyper-V & VMware Virtualization Backup:  FREE for Firewall.cx readers for a Limited Time!  Download Now!

This completes our article on how to install Windows Server 2012 from USB Flash device. We recommend users visit our Windows 2012 section and browse our growing database of high-quality Windows 2012 and Hyper-V Virtualization articles.

FREE Hyper-V & VMware Backup: Easy to use - Powerful features - Just works, no hassle: It's FREE for Firewall.cx readers! Download Now!

Steps To Create A Virtual Machine In Hyper-V

To begin the creation of our first virtual machine, open the Hyper-V manager in Windows Server 2012. On the Actions pane located on the right side of the window, click New and select Virtual Machine:

Read the Before you begin page which contains imporant information and then click Next:

Type name of the virtual machine and configure the location to store virtual hard disk of this virtual machine. On server systems with shared storage devices, the virtual hard disk is best stored on the shared storage for performance and redundancy reasons, otherwise select a local hard disk drive. For the purpose of this lab, we will be using the server’s local C Drive:

Choose the generation of virtual machine and click Next. Generation 2 is new with Server 2012 R2. If the guest operating system will be running Windows Server 2012 or 64bit Windows 8, 8.1, select Generation 2, otherwise select Generation 1:

Next step involves assigning the amount of necessary memory. Under Assign Memory configure the memory and click Next. For the purpose of this lab, we will give our Windows 8.1 guest operating system 1 GB memory:

Under configure networking tab, leave the default setting and click Next. You can create virtual switches later and re-configure the virtual machine settings as required:

Next, choose to create a virtual hard disk and specify the size. We allocated a 60 GB disk size for our Windows 8.1 installation. When ready, click Next:

One of the great benefits with virtual machines is that we can proceed with the installation of the new operating system using and ISO image, rather than a CD/DVD.

Browse to the selected ISO image and click the Next button. The virtual machine will try to boot from the selected ISO disk when it starts, so it is important to ensure the ISO image is bootable:

The last step allows us to review the virtual machine’s configuration summary. When ready click the Finish button:

Install Windows 8.1 Guest Operating System In Hyper-V Virtual Machine

With the configuration of our virtual machine complete, it’s time to power on our virtual machine and install the operating system. Open Hyper-V Manager, and under the Virtual Machines section double-click the virtual machine created earlier. Click on the start button from the Action Menu to power on the virtual machine:

After the virtual machine completes its startup process, press any key to boot from the Windows 8.1 disk (ISO media) we configured previously. The Windows 8 installation screen will appear in a couple of seconds. Click Next followed by the Install Now button to begin the installation of Windows operating system on the virtual machine:

After accepting the End User License Agreement (EULA) we can continue our post-installation setup by configuring the hard disk. Windows will then begin its installation and update the screen as it progresses. Finally, once the installation is complete, we are presented with the Personalization screen and finally, the Start Screen:

After the operating system installation and configuration is complete, it is important to proceed with the installation of Integration Services.

Integration Services on Hyper-V is what VM Tools is for VMware. Integration Services will help significantly enhance the VM’s guest operating system performance, allow file copy from the host machine to the guest machine easily, time synchronization between host and guest machines, improve management of the VM by replacing the generic operating system drivers for the mouse, keyboard, video card, network and SCSI controller components.

Other services offered by Integration Services are:

• Backup (Volume Snapshot)
• Virtual Machine Connection Enhancements
• Hyper-V Shutdown Service
• Data Exchange

 To proceed with the installation of Integration Services, Go to the Virtual Machine’s console, selection Action, and click Insert Integration Services Setup Disk as shown below:

In the Upgrade Hyper-V Integration Services dialog box, click OK and when prompted, click Yes to restart the virtual machine.  Using the Hyper-V Manager console, administrators can keep track of all VM's installed along side with their CPU Usage, Assigned memory and uptime:

FREE Hyper-V & VMware Backup: Easy to use - Powerful features - Just works, no hassle: It's FREE for Firewall.cx readers! Download Now!

This completes our article covering the installation of a Virtual Machine within Hyper-V and setup of Integration Services. Additional Windows 2012 Server and Hyper-V technical articles can be found in our Windows 2012 Server section.

FREE Hyper-V & VMware Backup: Easy to use - Powerful features - Just works, no hassle: It's FREE for Firewall.cx readers! Download Now!

Hyper-V is a server role used to create virtualized environment by deploying different types of virtualization technologies such as server virtualization, network virtualization and desktop virtualization. The Hyper-V Server role can be installed in Server 2012 R2 Standard, Datacenter or Essentials edition. Hyper-V version 3.0 is the latest version of Hyper V server available in Windows Server 2012 R2 versions. Additional Windows 2012 Server and Hyper-V technical articles can be found in our Windows 2012 Server section.

To learn more about the licensing restrictions on each Windows Server 2012 edition, read our article Windows 2012 Server Foundation, Essential, Standard & Datacenter Edition Differences, Licensing & Supported Features. 

Hyper-V Hardware Requirements

The Hyper-V server role requires specific system-hardware requirements to be met. The minimum hardware requirements are listed in the table below:

Keep in mind that the above table specifies the minimum requirements. If you wanted to install Hyper-V in a production environment along with a number of virtual machines, you will definitely need more than 512MB memory and 32GB disk space.

Click here for Windows Server 2016 Hyper-V Requirements

Installing The Hyper-V Server Role In Server 2012 Using Server Manager

In Windows Server 2012, you can install Hyper-V server role by using the Server Manager (GUI) or windows PowerShell. In both cases, the installation requires the user to be an Administrator or member of Administrators or Hyper-V administrators group.

At first, open Server Manager. Click Manage and select the Add Roles and Features option:

Add Role and Features

FREE Hyper-V & VMware Backup: Easy to use - Powerful features - Just works, no hassle: It's FREE for Firewall.cx readers! Download Now!

Click Next on the Before you begin page.

Choose Role-based or feature-based Installation option and click Next button:

In the next window, click on Select a server from the server pool option and select the server where you would like to install the Hyper-V server role. Click on Next after selecting the server:

The next screen lists the available roles for installation, check Hyper-V and click Next:

Read the Hyper-V role information and click the Next button:

The next step involves the creation of Virtual Switches. Choose your server’s physical network adapters that will take part in the virtualization:

The selected physical network adapters (in case you have more than one available) will be used and shared by virtual machines to communicate with the physical network. After selecting the appropriate network adaptors, click Next to proceed to the Migration screen.

Under Migration, leave the default settings as is and click Next:

These settings can also be modified later on. Live Migration is similar to VMware’s vMotion, allowing the real-time migration of virtual machines to another physical host (server).

Under Default Stores, you can configure the location of hard disk files and configuration files of all virtual machines. This is a location where all the virtual machine data will reside. You can also configure a SMB shared folder (Windows network folder), local drive or even a shared storage device.

We will leave the settings to their default location and click the Next button.

The final screen allows us to review our configuration and proceed with the installation by clicking on the Install button:

 Windows will now immediately begin the installation of the Hyper-V role and continuously update the installation window as shown below.

Once the installation of Hyper-V is complete, the Windows server will restart.

Installing Hyper-V Role Using Windows PowerShell

The second way to install the Hyper-V role is via Windows PowerShell. Surprisingly enough, the installation is initiated with a single command.

Type the following cmdlet in PowerShell to install the Hyper-V server role your Windows Server 2012:

C:\Users\Administrator> Install-WindowsFeature  –Name Hyper-V  –IncludeManagementTools  –Restart

 

To install Hyper-V server role on remote computer, include the -ComputerName switch.  In our example, the remote computer was named Voyager:

C:\Users\Administrator> Install-WindowsFeature –Name Hyper-V –ComputerName Voyager –IncludeManagementTools –Restart

Once the installation is complete, the server will restart. Once the server has booted, you can open Hyper-V Server Manager and begin creating the virtual machines:

Monitoring Of Hyper-V Virtual Machines

When working in a virtualization environment, it is extremely important to keep an eye on virtualization service and ensure everything is running smoothly.

Thankfully, Microsoft provides an easy way to monitor Hyper-V elements and take action before things get to a critical stage.

The Hyper-V Manager console allows you to monitor processor, memory, networking, storage and overall health of the Hyper-V server and its virtual machines, while other Hyper-V monitoring metrics are accessible through Task Manager, Resource Monitor, Performance Monitor and Event Viewer to monitor different parameters of Hyper-V server.

The screenshot below shows the Hyper-V Manager with one virtual machine installed.  At a first glance, we can view the VM’s state, CPU Usage, Assigned Memory and Uptime:

Under Window’s Event Viewer we’ll find a number of advanced logs that provide a deeper view of the various Hyper-V components, as shown below:

Addition information on Hyper-V can be obtained through the usage of Window’s Performance Monitor, which provides a number of Hyper-V useful counters as shown below:

Most experienced virtualization administrators will agree that managing and monitoring a virtualization environment can be a full-time job. It is very important to ensure your virtualization strategy is well planned and VMs are hosted on servers with plenty of resources such as Physical CPUs, RAM and Disk storage space, to ensure they are not starved of these resources during periods of high-utilization.

FREE Hyper-V & VMware Backup: Easy to use - Powerful features - Just works, no hassle: It's FREE for Firewall.cx readers! Download Now!

Keeping an eye on Hyper-V’s Manager, Performance Monitor counters and Event Viewer will help make sure no critical errors or problems go without notice.

Virtualization is an abstraction layer that creates separate distinct virtual environments allowing the operation of different operating systems, desktops and applications under the same or combined pool of resources.   In the past couple of years, virtualization has gained an incredible rate of adoption as companies consolidate their existing server and network infrastructure, in hope to create a more efficient infrastructure that can keep up with their growing needs while at the same time keep the running and administration costs as low as possible.   

Our readers can visit our dedicated Windows Server 2012 Server section to read more on Windows Hyper-V Virtualization and Windows Server 2012 technical articles.

When we hear the word ‘Virtualization’, most think about ‘server virtualization’ – which of course is the most widely applied scenario, however today the term virtualization also applies to a number of concepts including:

• Server virtualization: - Server virtualization allows multiple operating systems to be installed on top of single physical server.
• Desktop virtualization: - Desktop virtualization allows deployment of multiple instances of virtual desktops to users through the LAN network or Internet. Users can access virtual desktops by using thin clients, laptops, or tablets.
• Network virtualization: - Network virtualization also known as Software Defined Networking (SDN) is a software version of network technologies like switches, routers, and firewalls. The SDN makes intelligent decisions while the physical networking device forwards traffic.
• Application virtualization: - Application virtualization allows an application to be streamed to many desktop users. Hosted application virtualization allows the users to access applications from their local computers that are physically running on a server somewhere else on the network.

This article will be focusing on the Server virtualization platform, which is currently the most active segment of the virtualization industry.  As noted previously, with server virtualization a physical machine is divided into many virtual servers – each virtual server having its own operating system.  The core element of server virtualization is the Hypervisor – a thin layer of software that sits between the hardware layer and the multiple operating systems (virtual servers) that run on the physical machine.

The Hypervisor provides the virtual CPUs, memory and other components and intercepts virtual servers requests to the hardware. Currently, there are two types of Hypervisors:

Type 1 Hypervisor – This is the type of hypervisor used for bare-metal servers. These hypervisors run directly on the physical server’s hardware and the operating systems run on top of it. Examples of Type-1 Hypervisors are Microsoft’s Hyper-V, VMware ESX, Citrix XenServer.

Type 2 Hypervisor – This is the type of hypervisor that runs on top of existing operating systems. Examples of Type-2 Hypervisors are VMware Workstation, SWSoft’s Parallels Desktop and others.

Microsoft Server Virtualization – Hyper-V Basics

Microsoft introduced its server virtualization platform Hyper-V with the release of Windows Server 2008. Hyper-V is a server role that can be installed from Server Manager or PowerShell in Windows Server 2012.

With the release of Windows Server 2012 and Windows Server 2012 R2, Microsoft has made lot of improvements in their Hyper-V virtualization platform. Features like live migration, dynamic memory, network virtualization, remoteFX, Hyper-V Replica, etc. have been added to new Hyper-V 3.0 in Server 2012.

Hyper-V is a type 1 hypervisor that operates right above the hardware layer. The Windows Server 2012 operating system remains above the hypervisor layer, despite the fact the Hyper-V role is installed from within the Windows Server operating system. The physical server where Hypervisor or Hyper-V server role is installed is called the host machine or virtualization server. Similarly, the virtual machines installed on Hyper-V are called guest machines.

Understanding Traditional vs Modern Server Deployment Models

Let’s take a look at the traditional way of server configuration. The figure below shows the typical traditional server deployment scenario where one server per application model is applied. In this deployment model, each application has its own dedicated physical server.

Traditional Server Deployment

This traditional model of server deployment has many disadvantages such as increased setup costs, management & backup overhead, increased physical space and power requirements, plus many more. Resource utilization of this type of server consolidation is usually below 10%.  Practically, this means that we have 5 underutilized servers.

Virtualization comes to dramatically change the above scenario.

Using Microsoft’s Windows Server 2012 along with the Hyper-V role installed, our traditional server deployment model is transformed into a single physical server with a generous amount of resources (CPU, Memory, Storage space, etc) ready to undertake the load of all virtual servers.

The figure below shows how the traditional model of server deployment is now virtualized with Microsoft’s Hyper-V server:

Hyper-V Server Consolidation

As shown in the figure above, all the five servers are now virtualized into single physical server. It is important to note that even though these virtual machines run on top of the same hardware platform, each virtual server is completely isolated from other virtual machines.

There are many benefits of this type of virtualized server consolidation. A few important benefits are reduced management overhead, faster server deployment, efficient resource utilization, reduced power consumption and so on.

Network Virtualization With Hyper-V

With the power of network virtualization you can create multi-tenant environment and assign virtual machines or group of virtual machines to different organizations or different departments. In a traditional network, you would simply create different VLANs on physical switches to isolate them from the rest of the network(s). Likewise, in Hyper-V, you can also create VLANs and virtual switches to isolate them from the network in the same way.

Readers can also refer to our VLAN section that analyses the concept of VLANs and their characteristics.

For example, you can configure a group of virtual machines on the 192.168.1.0/24 subnet and other group of virtual machines on 192.168.2.0/24 subnet.

Hyper-V Networking

Each virtual machine can have more than one virtual network adapter assigned to it. Like regular physical network adapters, the virtual network adapters can be configured with IP addresses, MAC addresses, NIC teaming and so on. These virtual network adapters are connected to a virtual switch. A Virtual switch is a software version of physical switch that is capable of forwarding traffic, VLAN traffic, and so on. The virtual switch is created from within the Hyper-V Manager and is then connected to one or more available physical network adapters of the host machine. The physical network adapters on the host machine are then connected to physical switch on the network.

As shown in figure 1.3, three VLANs are created under same virtual switch. The host is then connected to the physical switch by usually combining the multiple physical network cards into one also called LAG (Link Aggregation Group) or EtherChannel (Cisco’s implementation of LAG) interface. LAG or EtherChannel combines the speed of both physical network adapters.  If for example we have two 1Gbps physical network cards, with the use of LAG or EtherChannel, these are combine into a single 2Gbps network card.

 Microsoft’s Hyper-V supports the creation of three different types of virtual switches:

1. Internal: - The internal virtual switch can communicate only between virtual machines.  A common example is a cluster based system where virtual servers connect with each other through a dedicated network connection. Internal virtual switches do not connect to the physical network infrastructure (e.g switches).
2. External: - The external virtual switch can communicate directly with the physical network infrastructure. The virtual switch is used to for the seamless communication between the virtual machines and the physical network.
3. Private: - The private virtual switch can communicate between virtual machines and the physical host only (physical hardware server).

Virtual Deployment Infrastructure (VDI) Deployment With Hyper-V

VDI is a new way of delivering desktops to end users. In VDI, virtual desktops are hosted centrally as virtual machines and are provided or streamed to users via the network or Internet using Remote Desktop Protocol (RDP) service. These virtual desktops can be used or accessed by users with different types of devices like, PCs, laptops, tablets, smart phones, thin clients, and so on. VDI have created a new hype of Bring Your Own Device (BYOD) concept. With BYOD policy implemented in the organization, users can bring their own devices like laptops, tablets, etc. and the company delivers the required virtual desktop via the network infrastructure.

VDI is an upcoming trend that offers many advantages such as:

• Central management and control
• Low cost since there is no need of desktop PCs. Alternate devices such as thin clients usually preferred
• Low power consumption. Tablets, thin clients, laptops require low power compared to traditional desktop or tower PCs
• Faster desktop deployments
• More efficient backup

VDI is fully supported and can be implemented in Windows Server 2012 by installing Remote Desktop Services server role and configuring the virtualization host. You can create virtual machines running Windows XP/7/8 and easily assign the virtual machines to users.

We’ve covered a few of the important virtualization features deployable with Windows Server 2012 and Hyper-V, that allow organizations to consolidate their server, network and desktop infrastructure, into a more efficient model. 

Our readers can visit our dedicated Windows Server 2012 Server section to read more on Windows Hyper-V Virtualization and Windows Server 2012 offerings.

Windows Server 2012 has dozens of new features and services that makes it cloud ready. Windows Server 2012 R2 is the latest version of server operating system from Microsoft and successor of Server 2012. For more technical articles on Windows 2012 Server and Hyper-V Virtualization, visit ourWindows 2012 Server section.

Lets take a look at some of the new features Windows Server 2012 now supports:

FREE Hyper-V & VMware Backup: Easy to use - Powerful features - Just works, no hassle: It's FREE for Firewall.cx readers! Download Now!

Windows Server Manager

Server Manager is one of the major changes of Windows Server 2012. With a new ‘look and feel’ of the Server Manager user interface, administrators now have the option to group multiple servers on their network and manage them centrally – a useful feature that will save valuable time. With this grouping feature, monitoring events, services, installed roles, performance, on multiple servers from a single window is easy, fast and requires very little effort.

Figure 1. Windows Server 2012 - Server Manager Dashboard (click to enlarge)

Similar to the Server Manager of previous version of windows servers, it can be used to install in Windows Server 2012 to install server roles and features.

Windows PowerShell 3.0

PowerShell 3.0 is another important improvement in Windows Server 2012. PowerShell is a command line and scripting tool designed to stretch greater control of window servers. The graphical user interface (GUI) of Windows Server 2012 is built on top of PowerShell 3.0. When you click buttons in GUI interface, PowerShell cmdlets & scripts are actually running in the background ‘translating’ mouse button commands to executable commands and scripts.

PowerShell scripts allow more tasks to be executed faster and within a short period of time, since the absence of the GUI interface means less crashes and problems.

Figure 2. Windows Server 2012 PowerShell

Hundreds of PowerShell cmdlets have been added to Windows Server 2012 and we expect a lot more to be added in the near future, expanding their functionality and providing a new faster and more stable way to administer a Windows Server 2012.

Hyper-V 3.0

Figure 3. Windows Server 2012 - Hyper-V Manager (click to enlarge)

When combined with Microsoft’s System Center, Windows Hyper-V becomes much more powerful and a very competitive solution that can even support private or public clouds.

Hyper-V Replica

Windows Server 2012 Hyper-V roles introduces a new capability – Hyper-V Replica - a feature many administrators will welcome.

This new feature allows the asynchronous replication of selected VMs to a backup replica server.  On the local LAN, it means you get a full backup copy of your VMs to another hardware server, while on a WAN scale this can also be extended to backup VMs to a designated replicate site across a WAN infrastructure. Common examples of WAN backup replication are disaster recovery sites. The replication cycle has a minimum setting of 15 minute gaps between every replication. This means the backup VM will be 15 minutes behind its source - the primary VM. 

When installed, Hyper-V Replica creates a snapshot of whole server, which usually requires a lot of time depending on the amount of data, and from there on, only changes are replicated. 

Server Message Block (SMB) 3.0

SMB is a file sharing protocol used in windows servers. In Windows Server 2012, SMB is now up to version 3.0 with new interesting features such as support for deduplication, hot pluggable interfaces, multichannel, encryption, Volume Shadow Copy Service (VSS) for shared files, and many more.

In addition, Hyper-V’s Virtual Hard Disk (VHD) files and virtual machines can also be hosted on shared folders. This allows the effective usage of shared folders, ensuring you make the most out of all available resources.

Dynamic Access Control (DAC)

DAC is a central management system used to manage security permissions of files and folders.  In a nutshell, DAC is new and flexible way of setting up permission on files and folders. With DAC, an administrator can now classify the data according to user claims, device claims and resource properties. Once data is classified, you can setup the permissions to control user access to the classified data.

Storage Space

Storage Space is also another new feature of Windows Server 2012. This new feature pools different physical disks together and divides them into different spaces. These spaces are then used like regular disks. In the storage pool control panel (shown below), you can add any type or size of physical disks (e.g SSD, SCSI, SATA etc).  You can also configure mirroring, raid redundancy and more.

Likewise, you can add storage at any time and the new space will be automatically available for use in storage space. Provisioning is also supported in Storage Space, allowing you to specify whether the new space be thin provisioned or thick. With thin provisioning, disk space is incremented automatically on a “as needed” basis, eliminating the need of occupying unnecessary disk space. 

Figure 4. Windows Server 2012 - Storage Space

Following are pointers on the main features provided by Storage Space:

• Obtain and easily manage reliable and scalable storage with reduced cost
• Aggregate individual drives into storage pools that are managed as a single entity
• Utilize simple inexpensive storage with or without external storage
• Provision storage as needed from pools of storage you’ve created
• Grow storage pools on demand
• Use PowerShell to manage Storage Spaces for Windows 8 clients or Windows Server 2012
• Delegate administration by specific pool
• Use diverse types of storage in the same pool: SATA, SAS, USB, SCSI
• Use existing tools for backup/restore as well as VSS for snapshots
• Designate specific drives as hot spares
• Automatic repair for pools containing hot spares with sufficient storage capacity to cover what was lost
• Management can be local, remote, through MMC, or PowerShell

DirectAccess

DirectAccess is Microsoft’s answer to VPN connectivity, allowing remote clients to access your network under an encrypted connection.  Thanks to its easy installation and improved friendly interface, administrators are able to quickly setup and manage VPN services on their Windows Server 2012 system. 

DirectAccess supports SSL (WebVPN) and IPSec protocols for VPN connections. A very interesting feature is the ‘Permanent VPN’ which allows mobile users to establish their VPN initially and then place it ‘on hold’ when their internet connectivity is lost.  The VPN session will then automatically resume once the user has Internet access again. 

This time-saving feature ensures VPN users experience a seamlessly VPN connection to the office without the frustration of login in every time Internet connectivity is lost, while also allowing the automation of other tasks in the background (e.g Remote backup of files).

Data Deduplication

Data Deduplication is a specialized data compression technique for eliminating duplicate copies of repeating data.  In the deduplication process, unique chunks of data, or byte patterns, are identified and stored during a process of analysis. As the analysis continues, other chunks are compared to the stored copy and whenever a match occurs, the redundant chunk is replaced with a small reference that points to the stored chunk. 

We should note that Data Deduplication is not only a Windows 2012 Server feature, but a technology supported by many vendors such as EMC, NetApp, Symantec and others.

Window-less Interface: CLI Only-Mode

Microsoft now supports Windows Server 2012 without a graphical user interface (GUI). This means you can install and configure a Windows Server 2012 with GUI and after finishing the setup, remove the GUI completely!  You also have the option to install the Windows Server 2012 with GUI or without GUI.

Running your server without a GUI interface will help save valuable resources and also increase the system’s stability.

IP Address Management (IPAM)

IPAM is a central IP address management tool of your entire network. IPAM can work with DNS and DHCP to better allocate, discover, issue, lease and renew IP addresses. IPAM gives a central view of where IP addresses are being used within your network.

Resilient File System (ReFS)

ReFS is Microsoft’s latest file system capable of replacing the well-known NTFS file system. The main advantage of ReFS is automatic error correction (verify and auto-corect process) regardless of the underlying hardware. ReFS uses checksum to detect and correct errors. The ReFS file system has the ability to support a maximum file size of 16 Exabytes (16.7 Million TBytes!) and a maximum volume size of 1 Yottabyte (1.1 Trilion TBytes)

FREE Hyper-V & VMware Backup: Easy to use - Powerful features - Just works, no hassle: It's FREE for Firewall.cx readers! Download Now!

Summary

Undoubtedly Windows Server 2012 is packed with new features and additions, designed to help organizations take advantages of cost optimizing features like Hyper V, Storage Spaces, PowerShell 3.0, Data Deduplication, SMB 3.0, new Server Manager and others. Microsoft has also simplified the licensing schemes and introduced  four editions of Server 2012. These are Foundation, Essentials, Standard and Datacenter edition. Follow this link to read our article covering Windows 2012 Server editions and licensing requirements.

Windows Server 2012 Editions

On the 1^st of August, 2012 Microsoft released Windows Server 2012– the sixth release of the Windows Server product family. On May 21^st 2013, Windows Server 2012 R2 was introduced and is now the latest version of Windows Server in the market.  Microsoft has released four different editions of Windows Server 2012 varying in cost, licensing and features. These four editions of Windows Server 2012 R2 are: Windows 2012 Foundation edition, Windows 2012 Essentials edition, Windows 2012 Standard edition and Windows 2012 Datacenter edition.

Let’s take a closer look at each Windows Server 2012 edition and what they have to offer.

Users can also download the free Windows Server 2012 R2 Licensing Datasheet in our Windows Server Datasheets & Useful Resources download section, which provides a detailed overview of the Licensing for Windows Server 2012 and contains extremly useful information on the various Windows Server 2012 edition, examples on how to calculate your licensing needs, Virtualization instances supported by every edition,  server roles, common questions & answers, plus much more.

More technical articles covering Windows 2012 Server and Hyper-V Virtualization are available in our Windows 2012 Server section.

Windows Server 2012 Foundation Edition

This edition of Windows Server 2012 is targeted towards small businesses of up to 15 users. The Windows Server 2012 R2 Foundation edition comes pre-installed on hardware server with single physical processor and up to 32GB of DRAM memory. Foundation edition can be implemented in environments where features such as file sharing, printer sharing, security and remote access are required. Advanced server features such as Hyper V, RODC (Read Only Domain Controller), data deduplication, dynamic memory, IPAM (IP Address Management), server core, certificate service role, hot add memory, windows update services and failover clustering are not available in the Foundation edition.

Windows Server 2012 Essentials Edition

The Windows Server 2012 R2 Essentials edition is the next step up, also geared towards small businesses of up to 25 users.  Windows Server 2012 R2 Essentials edition is available in retail stores around the world making it easy for businesses to install the new operating system without necessarily purchasing new hardware. Similar to the Foundation edition, the Essentials edition does not support many advanced server features, however it does provide support of features like Hyper V, dynamic memory and hot add/remove RAM.

Windows Server 2012 R2 Essentials edition can run a single instance of virtual machine on Hyper V, a feature that was not available in Windows Server 2012 Essentials (non-R2) edition. This single virtual machine instance can be Windows Server 2012 R2 Essential edition only, seriously limiting the virtualization options but allowing companies to begin exploring the benefits of the virtualization platform.

Windows Server 2012 Standard Edition

The Windows Server 2012 R2 Standard edition of windows server is used for medium to large businesses that require additional features not present in the Foundation & Essential edition. The Standard edition is able to support an unlimited amount of users, as long as the required user licenses have been purchased.

Advanced features such as certificate services role, Hyper V, RODC (Read Only Domain Controller), IPAM (IP Address Management), Data deduplication, server core, failover clustering and more, are available to Windows Server 2012 Standard edition. We should note that the Standard edition supports up to 2 Virtual Machines.

Windows Server 2012 Datacenter Edition

The Windows Server 2012 R2 Datacenter edition is the flagship product created to meet the needs of medium to large enterprises. The major difference between the Standard and Datacenter edition is that the Datacenter edition allows the creation of unlimited Virtual Machines and is therefore suitable for environments with extensive use of virtualization technology.

Before purchasing the Windows Server 2012 operating system, it is very important to understand the difference between various editions, the table below shows the difference between the four editions of Windows Server 2012:

Windows  Server 2012 Licensing - Understanding Client Access License (CAL) & Device Access License (DAL) Licensing Models

The standard and datacenter editions of Server 2012 support Client Access License (CAL) or Device Access License (DAL) licensing model. A CAL license is assigned to a user whereas a DAL license is assigned to device (computer). For example, a CAL assigned to a user, allows only that user to access the server via any device. Likewise, if a DAL is assigned to particular device, then any authenticated user using that device is allowed to access the server.

We can use a simple example to help highlight the practical differences between CAL and DAL licensing models and understand the most cost-effective approach:

Assume an environment with Windows Server 2012 R2 standard edition and a total of 50 users and 25 devices (workstations). In this case, we can purchase either 50 CAL licenses to cover the 50 users we have or alternatively 25 DAL licenses to cover the total amount of workstations that need to access the server. In this scenario, purchasing DALs is a more cost effective solution.  

If however we had 10 users with a total of 20 devices , e.g 2 devices per user (workstation & laptop), then it more be more cost effective to purchase 10 CAL licenses.

Windows Server 2012 Foundation Edition Licensing Model

Windows Server 2012 Foundation is available to OEMs (Original Equipment Manufacturers) only and therefore can only be purchased at the time of purchasing a n new hardware server. Windows 2012 Foundation edition supports up to 15 users. CALs or DALs are not required for the Foundation edition servers. In addition, Foundation edition owners cannot upgrade to other editions. The maximum number of SMB (Server Message Block or file sharing) connections to the server is 30. Similarly, maximum number of RRAS (Routing and Remote Access Service) and RDS (Remote Desktop Service) connections is 50.

Windows Server 2012 Essentials Edition Licensing Model

The Essential edition of server 2012 is available to OEMs (with the purchase of new hardware) and also at retail stores. The user limit of this server edition is 25 and device limit is 50. This means that a maximum of 25 users amongst 50 computers can access the Windows Server 2012 Essentials edition. For example, you have 20 users rotating randomly amongst 25 computers accessing the Server 2012 Essentials edition, without any problem. CALs or DALs are not required for Windows Server 2012 Essentials edition because no more than 25 users can access the server.

 A common question at this point is what if the organization expands and increases its users and computers?

 In these cases Microsoft provides an upgrade path allowing organizations to upgrade to the Windows Server 2012 Standard or Datacenter edition license and perform an in-place license transition. Once the transition is complete, the user limitation, and other features are unlocked without requiring migration or reinstallation of the server.

Companies upgrading to a higher edition of Windows 2012 Server should keep in mind that it will be necessary to purchase the required amount of CALs or DALs according to their users or devices.

Administrators will be happy to know that it is also possible to downgrade the Standard edition of Server 2012 to the Essentials edition. For example, it is possible to run Essential edition of Server 2012 as virtual machine utilizing one of two available virtual instances in Standard edition as shown in the figure below. This eliminates the needs to purchase Essential edition of Server 2012.

 FREE Hyper-V & VMware Virtualization Backup:  FREE for Firewall.cx readers for a Limited Time!  Download Now!

With the release of Windows Server 2012 Essentials R2, Microsoft has updated its licensing model. Unlike Windows Server 2012 Essentials (non-R2), you can now run a single instance of a virtual machine.

The Hyper-V role and Hyper-V Manager console are now included with Windows Server 2012 R2 Essentials. The server licensing rights have been expanded, allowing you to install an instance of Essentials on your physical server to run the Hyper-V role (with none of the other roles and features of the Essentials Experience installed), and a second instance of Essentials as a virtual machine (VM) on that same server with all the Essentials Experience roles and features.

Windows Server 2012 Standard Edition & Datacenter Edition Licensing Model

The license of Standard and Datacenter edition is based on sockets (CPUs) and CAL or DAL. Definition of a socket is a CPU or physical processor. Logical cores are not counted as sockets. A single license of Standard and Datacenter edition covers up to two physical processors per physical server. CAL or DAL licenses are then required so that clients/devices can access the Windows server. Standard edition allows up to 2 virtual instances while the Datacenter edition allows unlimited number of virtual instances.

For example, a Windows 2012 Server R2 Standard edition installed on a physical server with one socket (CPU) can support up to two instances of virtual machines. These virtual machines can be Server 2012 R2 Standard or Essentials edition. Similarly, if you install a Windows Server 2012 R2 Datacenter edition, then you can install an unlimited number of virtual machines.

Let’s look at some examples on deploying Standard and Datacenter edition servers and calculating the licenses required:

Scenario 1: Install Server 2012 Standard/Datacenter Edition on a server box with four physical processors and 80 users.

In this scenario, we will be required to purchase two Standard/Datacenter Edition licenses because a single license covers up to two physical processors, plus 80 CAL licenses so our users can access the server resources.

Scenario 2: Install Server 2012 Standard Edition on a physical server with 1 physical processor, running 8 instances of virtual machines. A total of 50 users will be accessing the server.

Here, four Server 2012 Standard edition licenses are required and 50 CALs or DALs. Remember that a single Standard edition license covers up to two physical processors and up to two instances of virtual machines. Since the requirement is to run 8 instances of virtual machines, we need four Standard edition licenses.

If we decided to use the Datacenter edition in this scenario, a single license with 50 CAL would be enough to cover our needs, because the Datacenter edition license supports an unlimited number of virtual instances and up to two physical processors.

Summary

Microsoft’s Windows Server 2012 is an attractive server-based product designed to meet the demands of small to large enterprises and has a very flexible licensing model. It is very important to fully understand the licensing options and supported features on each of the 4 available editions, before proceeding with your purchase – a tactic that will help ensure costs are kept well within the allocated budget while the company’s needs are fully met.

A common problem amongst Windows users is that the Show Desktop icon can accidentally be deleted, thus losing the ability to minimize all open programs and reveal your desktop.

This short article will explain how you can recover and create the Show Desktop icon and restore this functionality. The instructions included are valid for Windows 95, 98, 2000, Windows Vista and Windows 7 operating systems.

To recreate the Show Desktop icon, follow these steps:

1) Click on Start, Run, type Notepad and click on OK or Hit Enter. Alternatively, open the Notepad application.

2) Carefully copy and paste the following text into the Notepad window:

In this article, we will install and configure DNS on a standalone Windows Server 2003. We will begin by setting up a cache-only DNS server and progress to creating a primary forward lookup zone, a reverse lookup zone, and finally some resource records. At the end of this article we will have set up a DNS server capable of resolving internal and external host names to IP addresses and the reverse.

Install DNS on Windows Server 2003

Before installing and configuring DNS on our server we have to perform some preliminary tasks. Specifically, we have to configure the server with a static IP address and a DNS suffix. The suffix will be used to fully-qualify the server name. To begin:

1. Go to Start > Control Panel > Network Connections , right-click Local Area Connection and choose Properties .

2. When the Local Area Connection Properties window comes up, select Internet Protocol (TCP/IP) and click Properties . When the Internet Protocol (TCP/IP) window comes up, enter an IP address , subnet mask and default gateway IP addresses that are all compatible with your LAN.

Our LAN is on a 192.168.1.0/24 network, so our settings are as follows:

3. For the Preferred DNS Server , enter the loopback address 127.0.0.1 . This tells the server to use its own DNS server service for name resolution, rather than using a separate server. After filling out those fields , click the Advanced button.

4. When the Advanced TCP/IP Settings window comes up, click the DNS tab, enter firewall.test on the DNS suffix for this connection text field, check Register this connection's address in DNS , check Use this connection's DNS suffix in DNS registration , and click OK , OK , and then Close:

Now that we have configured our server with a static IP address and a DNS suffix, we are ready to install our DNS Server. To do this:

1. Go to Start > Control Panel > Add or Remove Programs .

2. When the Add or Remove Program window launches, click Add/Remove Windows Components on the left pane.

3. When the Windows Components Wizard comes up, scroll down and highlight Networking Services and then click the Details button.

4. When the Networking Services window appears, place a check mark next to Domain Name System (DNS) and click OK and OK again.

Note that, during the install, Windows may generate an error claiming that it could not find a file needed for DNS installation. If this happens, insert your Windows Server 2003 CD into the server's CD-ROM drive and browse to the i386 directory. The wizard should automatically find the file and allow you to select it. After that, the wizard should resume the install.

After this, DNS should be successfully installed. To launch the DNS MMC, go to Start > Administrative Tools > DNS

As our DNS server was just installed it is not populated with anything. On the left pane of the DNS MMC, there is a server node with three nodes below it, titled Forward Lookup Zones, Reverse Lookup Zones and Event Viewer.

The Forward Lookup Zones node stores zones that are used to map host names to IP addresses, whereas the Reverse Lookup Zones node stores zones that are used to map IP addresses to host names.

Setting Up a Cache-Only DNS Server

A cache-only DNS server contains no zones or resource records. Its only function is to cache answers to queries that it processes, that way if the server receives the same query again later, rather than go through the recursion process again to answer the query, the cache-only DNS server would just return the cached response, thereby saving time. With that said, our newly installed DNS server is already a cache-only DNS server!

Creating a Primary Forward Lookup Zone

With its limited functionality, a cache-only DNS server is best suited for a small office environment or a small remote branch office. However, in a large enterprise where Active Directory is typically deployed, more features would be needed from a DNS server, such as the ability to store records for computers, servers and Active Directory. The DNS server stores those records in a database, or a zone .

DNS has a few different types of zones, and each has a different function. We will first create a primary forward lookup zone titled firewall.test . We do not want to name it firewall.cx , or any variation that uses a valid top-level domain name, as this would potentially disrupt the clients' abilities to access the real websites for those domains.

1. On the DNS MMC, right-click the Forward Lookup Zones node and choose New Zone .

2. When the New Zone Wizard comes up, click Next .

3. On the Zone Type screen, make sure that Primary zone is selected and click Next .

4. On the Zone Name screen, type firewall.test .

5. On the Zone File screen, click Next .

6. On the Dynamic Update screen, make sure that “ Do not allow dynamic updates ” is selected and click Next .

7. On the next screen, click Finish .

We now have a foundation that we can place resource records in for name resolution by internal clients.

Creating a Primary Reverse Lookup Zone

Contrary to the forward lookup zone, a reverse lookup zone is used by the DNS server to resolve IP addresses to host names. Not as frequently used as forward lookup zones, reverse lookup zones are often used by anti-spam systems in countering spam and by monitoring systems when logging events or issues. To create a reverse lookup zone:

1. On the DNS MMC, right-click the Reverse Lookup Zones node and choose New Zone .

2. When the New Zone Wizard comes up, click Next .

3. On the Zone Type screen, make sure that Primary zone is selected and click Next .

4. On the Reverse Lookup Zone Name screen, enter 192.168.1 and click Next .

5. On the Zone File screen, click Next .

6. On the Dynamic Update screen, make sure that “Do not allow dynamic updates” is selected and click Next .

7. On the next screen, click Finish .

There is now a reverse lookup zone titled 192.168.1.x Subnet on the left pane of the DNS MMC. This will be used to store PTR records for computers and servers in those subnets.

Using the instructions above, go ahead and create two additional reverse lookup zones, one for a 192.168.2.x subnet and for a 192.168.3.x subnet.

Creating Resource Records

DNS uses resource records (RRs) to tie host names to IP addresses and the reverse. There are different types of resource records, and the DNS server will respond with the record that is requested in a query.

The most common resource records are: Host (A); Mail Exchanger (MX); Alias (CNAME); and Service Location (SRV) for Active Directory zones. As such, we will create all but SRV records because Active Directory will create those automatically:

1. On the DNS MMC, expand the Forward Lookup Zones node followed by the firewall.test zone.

2. Right-click firewall.test zone and choose Other New Records .

3. On the Resource Record Type window, select Host (A) and click Create Record

4. On the New Resource Record window, type “ webserver001 ” on the Host text field, type “ 192.168.2.200” in the IP address text field, check the box next to “Create associated pointer (PTR) record” and click OK .

This tells DNS to create a PTR record in the appropriate reverse lookup zone. And, for demonstration purposes, it does not matter whether this server actually exists or not.

5. Back at the Resource Record Type window, select Host (A) again and click Create Record .

6. On the New Resource Record window, type “ mailserver001 ” on the Host text field and type “ 192.168.3.200” in the IP address text field. Make sure that the check box next to “Create associated pointer (PTR) record” is checked and click OK . A corresponding PTR record will be created in the appropriate reverse lookup zone.

7. Back at the Resource Record Type window, select Alias (CNAME) and click Create Record .

8. On the New Resource Record window, type “ www ” on the Alias name text field, then click Browse .

9. On the Browse window, double-click the server name, then double-click Forward Lookup Zones, then double-click firewall.test , and finally double-click webserver001 . This should populate the webserver001's fully qualified domain name in the Fully qualified domain name (FQDN) for target host text field. Click OK afterwards.

10. Back at the Resource Record Type window, select Mail Exchanger (MX) and click Create Record .

11. On the New Resource Record window, click Browse , double-click the server name, then double-click Forward Lookup Zones, then double-click firewall.test, and finally double-click mailserver001 . This should populate the mailserver001's fully qualified domain name in the Fully qualified domain name (FQDN) of mail server text field. Click OK afterwards.

12. Back at the Resource Record Type window, click Done .

Summary

Our standalone Windows Server 2003 DNS server now has a primary forward lookup zone, a primary reverse lookup zone, and multiple resource records. As a standard function, it will also cache the answers to queries that it has already resolved.

Backing up the DHCP database

Our DHCP server is fully functional but it may not always remain that way. We definitely want to back it up so we can quickly restore the functionality in the event of a disaster.

The DHCP scopes, settings and configuration are actually kept in a database file, and the database is automatically backed up every 60 minutes. But to manually back it up:

• On the DHCP MMC, right-click the server node and choose Backup
• When the Browse for Folder window comes up, verify that it points to C :\windows\system32\dhcp\backup and click OK:

Restoring the DHCP Database

Let us imagine that a disaster with the DHCP server did occur and that we now have to restore the DHCP functionality. Restoring the DHCP database is just as simple as backing it up:

1. 1. On the DHCP MMC, right-click the server node and choose Restore
2. 2. When the Browse for Folder window comes up, click OK
3. 3. You will receive a prompt informing you that the DHCP service will need to be stopped and restarted for the restore to take place. Click OK

The DHCP database will then be restored.

Troubleshooting DHCP

Let us imagine that, after restoring the database, the DHCP server developed some issues and started malfunctioning. Luckily, DHCP comes equipped with several tools to help us troubleshoot.

Event Viewer

The Event Viewer displays events that the server has reported and whether those events represent actual issues or normal operation. Most of the issue events related to DHCP will be reported in the System log of the Event Viewer with a Source of DHCPServer.

To view the Event Viewer:

1. Go to Start > Administrative Tools > Event Viewer
2. When the Event Viewer window comes up, click the System log on the left pane and its events will be displayed on the right pane.

Depending on how active the server is, the System log may be cluttered with Information, Warning and Error events that are unrelated to DHCP. To see only DHCP issues, filtering non-important events is necessary. To do this:

1. Go to the View > Filter
2. When the System Properties window comes up, click on the Event Source drop-down menu and select DHCPServer . This tells the log to display only DHCP server events.
3. Next, uncheck the box next to Information . This tells the log to display only events regarding issues.
4. (Optional) On the From and To drop-down menus on the bottom, adjust the time and date frame to when an issue was suspected to have occurred.
5. When finished, click OK

The System log is now displaying only DHCP Warning and Error events. This should cause any DHCP-related issues to stick out:

Every event has an Event ID. In case a particular event's description is too vague to understand, you may have to research the Event ID for further clarification.

DHCP Audit Logs

Another DHCP troubleshooting tool is the DHCP audit logs. These logs display detailed information about what the DHCP server has been doing. If a client leases an IP address, renews its IP address, or releases its IP address, the DHCP server will audit this activity.

More concerning events are also audited: if the DHCP server service stops, encounters a rogue DHCP server in the network, or fails to start, the server will audit this issue as well. These logs provide closer visibility into what the DHCP server is doing.

To access the DHCP audit logs:

1. Go to Start > Run
2. When the Run box comes up, type c:\windows\system32 and click OK
3. When the System32 folder comes up, navigate to and double-click the dhcp folder.

In the dhcp folder, the log files will be titled DhcpSrvLog -%WeekDay%. log, where %WeekDay% is a week day. There should be one for the past six days.

The log may appear overwhelming, but it is very simple to read. Each line contains several pieces of information but the most important is the code at the beginning of the line, since that describes what is being audited. That code is defined on the top portion of the log file. As each line is comma-separated you can actually save the log file in .csv format and open it in Excel for easier and more convenient reading and analysis.

Protocol Analyzer

Although a Network protocol analyzer is not an official DHCP troubleshooting tool, it is nonetheless an excellent tool for troubleshooting issues where the server is not servicing clients. In such situations you would use the protocol analyzer on the server to determine whether DHCP Discover/Request packets from clients are arriving at the server at all or if they are arriving but being ignored by the server.

If you find that the packets are not arriving at the server at all, you would have isolated the problem to most likely being a routing issue or an issue with any relay agents/configured IP helpers in the network.

However, if you find that the packets are arriving but being ignored by the server, then you would have isolated the problem to either residing on the server or the configuration of DHCP.

The screen shot below, of Wireshark, shows that the server received a DHCP Discover packet from a client and properly responded to it.

DHCP Migration

Continuing from our previous storyline, let us pretend that we found the issue that was affecting our DHCP server but to fix it we would have to take the DHCP server offline for a considerable amount of time, so for the time being we will just setup a different server as our DHCP server.

To accomplish this, we will have to transfer the DHCP database to our new server. Migrating the DHCP database is not only done in situations such as this. When a DHCP server is decommissioned, for example, you would need to transfer the DHCP database to the new server.

Although the transfer can technically be done in more than one way, presented below is one method. Regardless of the approach chosen, you should aim to minimize the amount of time that both DHCP servers are simultaneously active and able to service clients as this would increase the chances of one server leasing an IP address that is already in use.

1. On the old server, go to Start > Run , type cmd , and click OK .
2. When the Command Prompt window comes up, type netsh dhcp server export c:\dhcp_backup.txt all and hit Enter. This command exports all the scopes in the DHCP database to a file titled dhcp_backup.txt .
3. Copy the export file ( dhcp_backup.txt ) to the new server.
4. On the new server, install the DHCP server role. Do not authorize the DHCP server yet.
5. On the new server, go to Start > Run , type cmd , and click OK .
6. When the Command Prompt window comes up, type netsh dhcp server import c:\dhcp_backup.txt all and hit Enter. This command imports all the scopes in the DHCP database from the file titled dhcp_backup.txt .
7. On the new server, enable conflict detection so IP addresses that have been leased out by the old server since the start of the migration are not reissued.

a. On the DHCP MMC, right-click the server node and choose Properties

b. When the Properties window comes up, click the Advanced tab.

c. On Conflict Detection Attempts , increase the number to 2 just to be safe. This tells the server to ping an IP address before it assigns it. If there is a response, then the DHCP server will not lease out the IP address since that address would already be assigned.

d. Click OK

8. On the new server, authorize the DHCP server.

9. On the old server, unauthorized the DHCP server.

Although we could perform a migration by simply backing up the DHCP database on the old server using the backup procedure and restoring it on the new server using the restore procedure, this approach also restores the old DHCP server's configuration settings, such as audit settings, conflict detection settings, DDNS settings, etc. It may not always be desirable to transfer those settings in a migration. The procedure described above only transfers the scopes and their settings.

Conclusion

Without careful observation, the full capabilities of DHCP can be overlooked. The protocol, in combination with the DHCP MMC, provides numerous methods to control client configuration settings and server administrative functions.

Ok, using our imagination for this purpose may seem silly but doing so will give us the opportunity to indirectly learn how, why, and where these advanced DHCP features and topics come into play in a real-world network and how other networking technologies are involved in a DHCP implementation.

We will imagine that we are building our DHCP server for a company that has two buildings, Building A and Building B, each with a single floor (for now). Building A is on a 192.168.0.0/24 network and Building B is on a 192.168.1.0/24 network.

Although each building has its own DNS server (192.168.0.252 and 192.168.1.252), WINS server (192.168.0.251 and 192.168.1.251) and Cisco Catalyst 4507R-E switch (192.168.0.254 and 192.168.1.254), only a single DHCP server exists – it is the one that we have been building and it resides in Building A.

The clients and servers in each building connect to their respective Cisco Catalyst switches and the switches are uplinked to a Cisco router for Internet connectivity. The only notable configuration is with the Building B switch: It is configured with the ip helper-address 192.168.0.253 command.

The ip helper-address command tells the switch to forward DHCP requests in the local subnet to the DHCP server, since the clients in Building B cannot initially communicate with the DHCP server directly. We are not concerned with any other configuration or networking technologies for now.

Server Options

The specifications of our imaginary company state that the company has two buildings – Building A and Building B. In our first article, we created a scope called “Building A, Floor 1” so a scope for our first building is already made. In this article, we will create a scope for Building B, Floor 1, using the instructions from our Basic DHCP Configuration article and the following specifications for the scope:

After creating the scope, we want to activate it as well.

Notice that, in creating this scope, we had to input a lot of the same information from our “Building A, Floor 1” scope. In the event that we had several other scopes to create, we would surely not want to be inputting the same information each time for each scope.

That is where server options are useful. Server options allow you to specify options that all the scopes have in common. In creating two scopes, we noticed that our scopes had the following in common:

• DNS servers
• WINS servers
• Domain name

To avoid having to enter this information again, we will create these options as server options. To do this:

1. On the DHCP MMC, right-click Server Options and choose Configure Options

When the Server Options window comes up, take a moment to scroll down through the long list of available options. Not all options are needed or used in every environment. In some cases, however, a needed option is not available. For example, Cisco IP phones require Option 150 but because that option is not available it would have to be defined manually. Other than that, options 006 DNS Servers, 015 DNS Domain, and 003 Router are generally sufficient.

2. Scroll down to option 006 DNS Servers and place a checkmark in its box. This will activate the Data Entry section. In that section, type 192.168.0.252 for the IP Address and click Add. Then enter 192.168.1.252 as another IP Address and click Add again. This will add those two servers as DNS servers.

3. Scroll down to option 015 DNS Domain Name and place a checkmark in its box. This will activate the Data Entry section. In that section, enter firewall.cx in the String Value text field.

4. Scroll down to option 044 WINS/NBNS Servers and place a checkmark in its box. This will activate the Data Entry section. In that section, enter 192.168.0.251 for the IP Address and click Add. Then enter 192.168.1.251 as another IP Address and click Add again. This will add those two servers as WINS servers.

5. Scroll down to option 046 WINS/NBT Node Type and place a checkmark in its box to activate the Data Entry section. In that section, enter “0x8” for the Byte text field and click OK . This will set the workstation node type to 'Hybrid' which is preffered.

Back on the DHCP MMC, if you click on the Server Options node you will see the following:

Subsequent scopes will inherit these options if no scope options are specified. However, if scope options are specified then the scope options would override the server options in assignment.

If we did have Cisco IP phones in our environment we would define Option 150 as follows:

1. Right-click the server node on the DHCP MMC and choose Set Predefined Options

2. When the Predefined Options and Values window comes up, click Add

3. When the Options Type window comes up, type a name for the option such as “TFTP Server for Cisco IP Phones”.

4. On the Data Type drop-down menu, select IP Address.

5. On the Code text field, enter 150.

6. On the Description text field, type a description for the scope, such as “Used by Cisco IP Phones”.

7. Check the box next to Array

8. Click OK twice.

If you go back to the Scope/Server Options window again, you will see Option 150 available.

Dynamic DNS

At this point, our imaginary network can service a significant number of clients, but those clients can only be referenced by IP address. Sometimes it is necessary or helpful to reference clients by their host names rather than IP addresses.

DNS resolves client host names to IP addresses. But for DNS to be able to do that, client host names and IP addresses must already be registered in DNS. Servers are typically registered manually in DNS by the administrator, but workstations are not. So how do client workstations get registered in DNS? The answer is to use dynamic DNS (DDNS), a feature that will allow clients, or the DHCP server itself, to register clients in DNS automatically upon the client's assignment of an IP address. Fortunately, DDNS is setup to automatically work in a domain environment, granted that DNS is also setup correctly in the network.

To view the options available for DDNS:

1. On the DHCP MMC, right-click the server node and choose Properties
2. When the Properties window comes up, click the DNS tab.

If the network has some clients that are not in the domain, have legacy Windows operating systems, or are not capable of registering their host names and IP addresses in DNS, the two options marked below would need to be selected:

But if that were the case, you would also have to specify credentials that the DHCP server would use for DDNS on behalf of the clients. To do this, you would:

1. Click the Advanced tab on the Properties window.

1.Click the Credentials button.

2. When the DNS Dynamic Update Credentials window comes up, enter an administrator username and password and firewall for the domain. In a real-world environment, you would create a separate username and password that would be used solely for DDNS and enter it here instead.

3. Click OK twice to exit the Properties window.

Superscopes

Let us imagine that the number of client workstations in Floor 1 of Building A was expanded beyond the number of available IP addresses that our “Building A, Floor 1” scope could offer. What would we do to provide IP addresses to those additional clients?

The following options may appear to be solutions, but they are not always feasible:

1. Extend the scope to include more IP addresses.
2. Create an additional scope for that network segment.
3. Delete and recreate the scope with a different subnetmask that allows for more hosts.

The problem with the first option is that you may not always be able to extend the scope, depending on the scope's subnetmask and whether consecutive scopes were created based on that subnetting. The problem with the second option is that even if you create an additional scope, the DHCP server would not automatically lease out those IP addresses to clients of that physical network segment. Although the third option could work, this option may not always be optimal depending on how much additional network-based changes would also be needed to reach the solution.

There are a few options to solve this issue:

1. Place the additional clients in a separate VLAN and create a scope for that VLAN that is in a completely different network
2. Create a superscope that includes the exhausted scope and a new scope with available IP addresses

The first option could solve the problem but, since this is a DHCP article, we will address the problem by using DHCP features, so the second option will be our choice!

Superscopes allow you to join scopes from separate networks into one scope. Then, when one of the scopes runs out of IP addresses, the DHCP server would automatically start leasing out IP addresses from the other scopes in that superscope. However, solely creating a superscope is not the complete solution. As some clients in that network segment would have IP addresses from a different network, the segment's router interface would also have to be assigned an additional IP address that is in the same network as the additional scope.

To use this solution, we first have to create the additional scope. Here are the scope specifications:

The scope will inherit the server options for DNS domain name, DNS server and WINS server. Activate the scope when done.

Now we will create a superscope and place the two Building A scopes in it:

1. On the DHCP MMC, right-click the server node and choose New Superscope
2. When the New Superscope Wizard comes up, click Next
3. On the next screen, you are prompted to enter a name for the scope. Enter “All of Building A, Floor 1” and click Next
4. On the next screen, you are asked to select the scopes that will be part of the superscope. Select the scopes shown below and then click Next

5. On the next screen, click Finish to complete the wizard.

Back on the DHCP MCC, you will see that the two scopes selected earlier have been placed under a new scope – “Superscope All of Building A, Floor 1”.

Now when the scope titled “Building A, Floor 1” runs out of IP addresses, the server will start issuing IP addresses in “Building A, Floor 1 – Extended”.

Multicast Scopes

The most common systems and applications that use multicasting have multicast IP addresses statically configured or hard-coded in some way. However, for systems and applications that need multicast IP addresses dynamically assigned, they lease them from a MADCAP (Multicast Address Dynamic Client Allocation Protocol) server, such as Windows Server 2003.

One example of such an application that leased a multicast IP address from a MADCAP server is an old application from Windows 2000 called Phone Dialer. This application allowed the creation of video conferences that people could attend. When creating a conference, the application would lease a multicast IP address from the MADCAP server and stream to that IP address. Clients wishing to join the conference would “join” that established multicast group.

Setting up a multicast scope is similar to setting up a standard scope:

1. On the DHCP MMC, right-click the server node and choose New Multicast Scope
2. When the New Multicast Scope Wizard comes up, click Next
3. On the next screen, specify a Scope Name of “Video Conferencing” and a Scope Description of “Multicast scope for conference presenters.” Afterwards, click Next

4. On the next screen, enter 239.192.1.0 in the Start IP Address field and 239.192.1.255 in the End IP Address field. Since this scope will only service video conferences within the company, we define an IP address range in the multicast organization local scope range. Leave the TTL at 32. Click Next when done.

1. On the next screen, click Next again. No exclusions need to be defined.
2. On the next screen, set the Days to 1 and click Next
3. On the next screen, click Next to activate the scope.
4. On the next screen, click Finish
5. Back on the DHCP MMC, expand the multicast scope that we just created and select Address Pool . Notice that an exclusion range encompassing the entire pool is also created. Select it and delete it.

The DHCP server can now provide multicast IP addresses. For the most part, the multicast scope functions the same as a standard scope. One different feature is that you can set a multicast scope to automatically expire and delete itself at a certain time.

To configure this:

1. Right-click the multicast scope and choose Properties
2. When the Properties window comes up, click the Lifetime tab.
3. On the Lifetime tab, select “Multicast scope expires on” and select when you would like it to expire. When this date and time is reached, the server automatically deletes the scope.
   

Conclusion

The Advanced DHCP configuration article continues with part 2, covering the DHCP database backup and restoration, troubleshooting the DHCP service using audit logs and finally DHCP Migration.

To continue with our article, please click here: Windows 2003 Advanced DHCP Server Configuration - Part 2.

This article will discuss and walk you through the steps of installing and configuring DHCP on a Windows Server 2003 member server, specifically focusing on setting up a scope and its accompanying settings. The same configuration can be applied to a standalone server even though the step-by-step details differ slightly. The upcoming 'Advanced DHCP Server Configuration on Windows 2003' article will discuss other DHCP options and features such as superscopes, multicast scopes, dynamic DNS, DHCP Backup and more.

While our articles make use of specific IP addresses and network settings, you can change these settings as needed to make them compatible with your LAN – This won't require you to make changes to your LAN, but you'll need to have a slightly stronger understanding of DHCP and TCP/IP.

Assigning the Server a Static IP Address

Before we install the DHCP server service on Windows Server 2003, we need to assign the Windows server a static IP address. To do this:

1. Go to Start > Control Panel > Network Connections , right-click Local Area Connection and choose Properties .

2.  When the Local Area Connection Properties window comes up, select Internet Protocol (TCP/IP) and click the Properties button.

3.  When the Internet Protocol (TCP/IP) window comes up, enter an IP address , subnet mask and default gateway IP address that is compatible with your LAN.

We've configured our settings according to our network, as shown below:

4. Enter 192.168.0.252 for the Preferred DNS server and 192.168.1.252 for the Alternate DNS server. The Preferred and Alternate DNS server IP addresses are optional for the functionality of the DHCP server, but we will populate them since you typically would in a real-world network. Usually these fields are populated with the IP addresses of your Active Directory domain controllers.

5. After filling out those fields, click OK and OK to save and close all windows.

Install DHCP Server Service on Windows Server 2003

Our server now has a static IP address and we are now ready to install the DHCP server service. To do this:

1. Go to Start > Control Panel > Add or Remove Programs .

2. When the Add or Remove Programs window launches, click Add/Remove Windows Components in the left pane.

3. When the Windows Components Wizard comes up, scroll down and highlight Networking Services and then click the Details button.

4. When the Networking Services window comes up, place a check mark next to Dynamic Host Configuration Protocol (DHCP) and click OK and OK again.

Note that, during the install, Windows may generate an error claiming that it could not find a file needed for DHCP installation. If this happens, insert your Windows Server 2003 CD into the server's CD-ROM drive and browse to the i386 directory. The wizard should automatically find the file and allow you to select it. After that, the wizard should resume the installation process.

Configure DHCP on Windows Server 2003

DHCP has now been successfully installed and we are ready to configure it. We will create a new scope and configure some of the scope's options. To begin:

1. Launch the DHCP MMC by going to Start > Administrative Tools > DHCP .

Currently, the DHCP MMC looks empty and the server node in the left pane has a red arrow pointing down. Keep that in mind because it will be significant later on.

2. Right-click the server node in the left pane and choose New Scope . This will launch the New Scope Wizard.

3. On the New Scope Wizard, click Next .

4. Specify a scope name and scope description. For the scope Name , enter “ Building A, Floor 1 .” For the scope Description , enter “ This scope is for Floor 1 of Building A .” Afterwards, click Next .

The scope name can be anything, but we certainly want to name it something that describes the scope's purpose. The scope Description is not required. It is there in case we needed to provide a broader description of the scope.

5. Specify an IP address range and subnet mask. For the Start IP address enter 192.168.0.1, for the End IP address enter 192.168.0.254 . Finally, specify a subnet mask of 255.255.255.0 and click Next.

Specifying the IP address range of a scope requires some knowledge of subnetting. Each scope in a DHCP server holds a pool of IP addresses to give out to clients, and the range of IP addresses must be within the allowed range of the subnet (that you specify on the subnet mask field).

For simplicity we entered a classful, class C IP address range from 192.168.0.1 to 192.168.0.254. Notice that the range encompasses the IP address of our server, the DNS servers and the default gateway, meaning that the DHCP server could potentially assign a client an IP address that is already in use! Do not worry -- we will take care of that later.

6. Specify IP addresses to exclude from assignment. For the Start IP address , enter 192.168.0.240 and for the End IP address enter 192.168.0.254 , click Add , and then click Next.

Certain network devices, such as servers, will need statically configured IP addresses. The IP addresses may sometimes be within the range of IP addresses defined for a scope. In those cases, you have to exclude the IP addresses from being assigned out by DHCP.

We have the opportunity here to define those IP addresses that are to be excluded. We specified IP addresses 192.168.0.240 to 192.168.0.254 to ensure we've included our servers plus a few spare IP addresses for future use.

7. Specify the lease duration for the scope. Verify that Days is 8 and click Next.

The lease duration is how long clients should keep their IP addresses before having to renew them.

There are a few considerations at this point. If a short lease duration is configured, clients will be renewing their IP addresses more frequently. The result will be additional network traffic and additional strain on the DHCP server. On the other hand if a long lease duration is configured, IP addresses previously obtained by decommissioned clients would remain leased and unavailable to future clients until the leases either expire or are manually deleted.

Additionally if network changes occur, such as the implementation of a new DNS server, those clients would not receive those updates until their leases expire or the computers are restarted.

As Microsoft states, “lease durations should typically be equal to the average time the computer is connected to the same physical network.” You would typically leave the default lease duration in an environment where computers are rarely moved or replaced, such as a wired network. In an environment where computers are often moved and replaced, such as a wireless network, you would want to specify a short duration since a new wireless client could roam within range at any time.

8. Configure DHCP Options. Make sure “ Yes, I want to configure these settings now ” is selected and click Next to begin configuring DHCP options.

DHCP options are additional settings that the DHCP server can provide to clients when it issues them with IP addresses. These are the other settings that help clients communicate on the network. In the New Scope Wizard we can only configure a few options but from the DHCP MMC we have several more options.

9. Specify the router IP address. Enter 192.168.0.254 as the IP address of the subnet's router, click Add , and then click Next .

The first option we can configure is the IP address for the subnet's router for which this scope is providing IP addresses. Keep in mind that this IP address must be in the same network as the IP addresses in the range that we created earlier.

10. Configure domain name and DNS servers. On the next page, enter “firewall.cx" for the domain name. Then enter 192.168.0.252 for the IP address of a DNS server, click Add , enter 192.168.1.252 as the IP address for another DNS server, and click Add again. When finished, click Next.

If you had a DNS infrastructure in place, you could have simply typed in the fully qualified domain name of the DNS server and clicked Resolve .

The DNS servers will be used by clients primarily for name resolution, but also for other purposes that are beyond the scope of this article. The DNS domain name will be used by clients when registering their hostnames to the DNS zones on the DNS servers (covered in the 'Advanced DHCP Server Configuration on Windows 2003' article).

11. Configure WINS servers. On the next screen, enter 192.168.0.251 as the IP address for the first WINS server, click Add , enter 192.168.1.251 as the IP address for the second WINS server, click Add again, and then click Finish .

12. Finally, the wizard asks whether you want to activate the scope. For now, choose “ No, I will activate this scope later ” and click Next and then Finish to conclude the New Scope Wizard and return to the DHCP MMC.

At this point we almost have a functional DHCP server. Let us go ahead and expand the scope node in the left pane of the DHCP MMC to see the new available nodes:

•  Address Pool – Shows the IP address range the scope offers along with any IP address exclusions.

•  Address Leases – Shows all the leased IP addresses.

•  Reservations – Shows the IP addresses that are reserved. Reservations are made by specifying the MAC address that the server would “listen to” when IP address requests are received by the server. Certain network devices, such as networked printers, are best configured with reserved IP addresses rather than static IP addresses.

•  Scope Options – Shows configured scope options. Some of the visible options now are router, DNS, domain name and WINS options.

•  Server Options – Shows configured server options. This is similar to scope options except that these options are either inherited by all the scopes or overridden by them (covered in 'Advanced DHCP Server Configuration on Windows 2003' article).

Earlier, we only defined exclusions for our servers, router plus a few more spare IP addresses. In case you need to exclude more IP addresses, you can do it at this point by following these instructions:

13. Select and right-click Address Pool and choose New Exclusion Range.

14. When the Add Exclusion window comes up, enter the required range and then click Add. In our example, we've excluded the addition range 192.168.0.230 - 192.168.0.232.

Notice that the server node and scope node still has a red arrow pointing down. These red arrows pointing down mean that the server and scope are not “turned on”.

The concept of “turning on” the scope is called “activating” and the concept of “turning on” the server for DHCP service is called “authorizing”. Security has some influence in the concept of authorizing a DHCP server and, to authorize a DHCP server, you must be a member of the Enterprise Admins Active Directory group.

15. Right-click the server (server001.firewall.cx) and choose Authorize , then right-click the scope (Building A, Floor 1) and choose Activate . If the red arrows remain, refresh the MMC by going to Action > Refresh .

Congratulations! At this point, you should have a working DHCP server capable of providing IP addresses!

However, changing a domain name in Windows Server 2000 is not a simple or straightforward process. It is a time consuming and complex procedure, which requires extensive work.

The renaming of a Windows 2000 domain may impact other server applications that are running in the domain, such as Exchange Server and other custom applications that are closely integrated with Active Directory and use hard coded NETBIOS names.

The major task in renaming a domain is to revert the Windows Server 2000 to Windows NT and then upgrade it to Windows Server 2000 with a new DNS (FQDN) name. If there is more than one domain controller in the domain then all the Windows 2000 domain controllers must be demoted to member servers before renaming the desired domain controller.

Requirements

Renaming the Windows 2000 domain is only possible if the default functional level of the domain is set to mixed mode. The Windows 2000 mixed mode function level means that there is at least one NT 4.0 BDC in the domain/Forest. The functional level of the domain must be in mixed mode because you need use NT 4.0 BDC to complete the renaming procedure.

Note: If the default functional level of the domain is set to native mode, you cannot revert to mixed mode and cannot rename the domain.

If you have one or more child domains then you have to downgrade all the child domains to Windows NT before downgrading the parent domain. You need to then upgrade the parent domain with new FQDN and then upgrade the child domain/s.

Steps To Be Taken

To rename a Windows 2000 domain, you need to follow these steps:

1. Verify that at least one Windows NT 4.0 BDC, having Service Pack 6 or 6a installed on it, exists in the domain.

2. Backup all the domain controllers in the domain.

3. If required, install another Windows NT 4.0 BDC in the domain and force replication to ensure that the backup of all the security information, domain user accounts and SAM database exists. You can use net accounts /sync command on the Windows NT 4.0 BDC to force replication.

4. If you have just one domain controller, simply isolate it from the network by removing all the cables.

If you have more than one domain controller, you need to demote all the Windows 2000 domain controllers to member servers, leaving just one Windows 2000 domain controller, by using dcpromo command.

Then isolate the last Windows 2000 domain controller after ensuring that a Windows NT 4.0 BDC is present on the network.

5. Demote the last Windows 2000 domain controller by using dcpromo command ensuring that the last domain controller option is selected as the domain option.

Note: To run dcpromo command on the last Windows 2000 domain controller, connect it to an isolated active hub because dcpromo command requires an active connection.

6. Promote Windows NT BDC to a PDC and then upgrade it to Windows 2000.

7. Provide the desired domain name at the time of Active Directory installation.

8. Promote all the demoted member servers back to Windows 2000 domain controllers by running dcpromo on them.

Article Summary

In this article we have seen the different scenarios and methods of renaming a Windows 2000 domain. We have learnt that renaming a Windows 2000 domain is a fairly complex process. We must keep in mind that changing domain name in Windows 2000 should not be performed unless it is absolutely necessary.

Careful planning while deciding on the FQDN/DNS name of the Windows 2000 domain at the time of installation can avoid the trouble of renaming a Windows 2000 domain.

If you have found the article useful, we would really appreciate you sharing it with others by using the provided services on the top left corner of this article. Sharing our articles takes only a minute of your time and helps Firewall.cx reach more people through such services.

The tombstone lifetime attribute remains same on all the domain controllers and it is deleted from all the servers at the same time. This is because the expiration of a tombstone lifetime is based on the time when an object was deleted logically from the Active Directory, rather than the time when it is received as a tombstone on a server through replication.

Changing Tombstone Lifetime Attribute

The tombstone lifetime attribute can be modified in three ways: Using ADSIEdit tool, using LDIF file, and through VBScript.

Using ADSIEdit Tool

The easiest method to modify tombstone lifetime in Active Directory is by using ADSIEdit. The ADSIEdit tool is not installed automatically when you install Windows Server 2003. You need to install it separately by installing support tools from Windows Server 2003 CD.
If you haven't got your CD's in hand, you can simply download the Windows 2003 SP1 Support Tools from Firewall.cx here.
To install ADSIEdit tool and to modify tombstone lifetime in Active Directory using this tool, you need to:

1. Insert the Windows Server 2003 CD.
2. Browse the CD to locate the Support\Tools directory.
3. Double-click the suptools.msi to proceed with the installation of support tools.
4. Select Run command from the Start menu.
5. Type ADSIEdit.msc to open the ADSI Editor, as shown below:

The ADSI Edit window appears:


6. Expand Configuration node then subsequently expand CN=Configuration, DC Firewall, DC=cx node.
7. Expand CN-Services node.
8. Drill down to CN=Directory Service under CN Windows NT , as shown in the figure below:


9. Right-click CN=Directory Service and select Properties from the menu that appears
The CN=Directory Service Properties window appears, as shown below:
10. Double-click the tombstoneLifetime attribute in the Attributes list.


The Integer Attribute Editor window appears, as shown below:


11. Set the number of days that tombstone objects should remain in Active Directory in the Value field.
12. Click OK .
The Tombstone Lifetime has now been successfully changed.

Other Ways Of Changing The Tombstone Lifetime Attribute

Using an LDIF file

To change the tombstone lifetime attribute using LDIF file, you need to create a LDIF file using notepad and then execute it using LDIFDE tool. To change the tombstone lifetime attribute using LDIF file, you need to:
1. Create a text file using notepad with the following content:

dn: cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, , <ForestRootDN> changetype: modify
replace: tombstoneLifetime
tombstoneLifetime: <NumberOfDays>

2. Provide the appropriate values in the text between <>. For example put the name of your Active Directory Forest Root domain in the <ForestRootDN> and put the number of days you want to set for tombstone lifetime in <NumberOfDays>.

3. Don't forget to put "-" on the last line.

4. Save the file with .ldf extension.

5. Open the Command Prompt and type the following command on the command prompt:
c:\> Ldifde –v –I –f <Path to tombstoneLifetime.ldf> The Tombstone Lifetime is successfully changed.

Using a VBScript

To change tombstone lifetime using VBScript, you need to type the following code with appropriate values and execute the script.

intTombstoneLifetime = <NumberOfDays>  
set objRootDSE = GetObject("LDAP://RootDSE")
set objDSCont = GetObject("LDAP://cn=Directory Service,cn=Windows NT," & _ "cn=Services," & objRootDSE.Get("configurationNamingContext") )
objDSCont.Put "tombstoneLifetime", intTombstoneLifetime
objDSCont.SetInfo
WScript.Echo "The tombstone lifetime is set to " & _ intTombstoneLifetime

Article Summary

This article explained what the Active Directory Tombstone attribute is and how you can change it to control delete operations performed by the Active Directory replication process. We covered three different methods in great detail to give all the necessary information so these actions can be covered by any Windows Administrator.

These settings and configurations are recovered on any network computer as soon as users log in with their credentials.

The roaming user profiles functionality is very useful because it allows mobile users to log on to a variety of computers located at different places and get the same look and feel of their own personalized desktops. However, roaming user profiles in Windows Server 2003 does not allow you to use encrypted files.

A roaming profile is made up of folders that appear under the <username> folder under Documents and Setting, as shown below:

The detailed description of each folder is as follows:

• Desktop: This folder contains all the files, folders, and shortcuts data that is responsible for the appearance of your desktop screen.
• Favorites: This folder contains the shortcuts of the favorite and frequently visited websites of the user.
• Local Settings: This folder contains temporary files, history, and the application data.
• My Documents: This folder contains documents, music, pictures, and other items.
• The Recent: This folder contains the most recently accessed files and folders by the user.
• Start Menu: This folder contains the Start menu items.
• Cookies: This folder contains all cookies stored on the user's computer.
• NetHood: This folder contains shortcuts to sites in My Network Places .
• PrintHood: This folder contains the shortcuts of printers configured for the user's computer.
• Application Data: This folder contains the program-specific and the security settings of the applications that the user has used.
• Templates: This folder contains the templates for applications such as Microsoft Word and Excel.
• SendTo: This folder contains the popular Send To destination on right-clicking a menu.

Creating Roaming User Profiles

You can create roaming user profiles on Windows NT Server 4.0, Windows 2000 Server, or Windows Server 2003 based computers. In addition, you can use Windows NT Workstation 4.0, Windows XP Professional, or Windows 2000 Professional based computer that is running Windows NT Server Administration Tools to create roaming user profiles.

The three major steps involved in creating a roaming user profile include creating a temporary user profile on a local computer, copying that profile to a network server, and then defining the user's profile location through the group policy.

To create a roaming user profile, follow the steps given below:

1. Log on as Administrator, or as a user of local administrator group or Account Operators local group in the domain:

2. Open Administrative Tools in the Control Panel and then click Active Directory Users and Computers, as shown above.

3. Click Users folder under Local Users and Groups node, Right-click Users and then click New User in the menu that appears, as shown below:

Note: If you are using Active Directory then click Users folder under Active Directory Users and Computers node.

The New User dialog box appears as shown below.

4. Provide the User logon name and the Password for the user for whom the roaming profile is being created in their respective fields. Click on Next:

5. Enter the user password and clear the User must change password at next logon option as shown below:

6. Click Create , click Close, and then quit the Computer Management snap-in.

7. Log off the computer and then Log on to your workstation using the user account that you have just created on your server.

8. Verify that a folder with the user name is created under the Documents and Settings folder, as shown below:

9. Configure your desktop by adding shortcuts and modifying its appearance.

8. Configure the Start menu by adding desired options to it.

10. Log off.

Copying The Profile To Your Server

A temporary profile with all the required settings is configured on your local computer. You need to now copy this local profile to a network server which can be accessed centrally by all the computers.

Try not to user a domain controller for this purpose because domain controllers have many other tasks to do, so it is better to keep them away from this task. You can however, choose a member server for this purpose. Make sure that the member server you choose is regularly backed up otherwise you may loose all your roaming profiles.

To copy the profile to a network server, you need to:

1. Log on as Administrator and then create a Profile folder on a network server.

Windows uses Profile folder by default to store roaming user profiles. Although you can give a different name to this folder but this folder is traditionally named as Profile folder.

2. Share the Profile folder and give everyone the full control at share level.

3. Open Control Panel , and then click System icon. The System Properties dialog box appears.

4. Click Advanced tab, and then click Settings under User Profiles section, as shown below:

 The User Profiles dialog box appears.

5. Click the temporary user profile that you had created and then click Copy To, as shown in the Figure below:

Next, The Copy To dialog box appears, a shown below.

6. Type the network path of the Profile folder in the Copy Profile To field.

A folder with the temporary user name will be created automatically under the Profiles folder.

7. Click Change.

8. The Select User or Group dialog box appears.

9. Enter the name of the temporary user that you have created.

10. Click OK four times on all the windows that you have opened recently.

11. Open Administrative Tools in the Control Panel and then click Computer Management, as shown in the second screenshot in this article.

12. Click Users folder under Local Users and Groups node, as shown below:

13. Double-click the temporary user account that you had created.

14. The Properties window for the user account appears as shown in the figure below.

15. Click the Profile tab and then type the path of Profile folder that you had created on a network server in the Profile path field:

16. Click OK and then quit the Computer Management snap-in.

This completes the process of creating a roaming user profile. Now when the user logs into any computer in the domain using his/her credentials, a copy of the user profile stored on the network will be copied to that computer with all the latest changes that the user might have made.

Usually when there are a few roaming profiles enabled in a domain then the login and log off become extremely slow. This happens mostly when roaming users save large files on their computers. Each time a logs off or logs on to a different computer the large files take long time to save on the network and recover from the network.

The solution to this problem is to use Folder Redirection along with roaming user profiles. The Folder redirection feature allows you to redirect folders such as Application Data, Desktop, My Documents, and Start Menu to a different network location. These folders are typically used to save the large files. When Folder Redirection is used then Windows understand that those particular folders need not be touched each time a roaming user logs in/off. These folders will only be touched by Windows when a user actually tries to open a file from them.

Another solution to control the growing size user profiles is to create Mandatory User Profiles for the users. However, you can use such profiles when you want to provide identical desktop configurations to all the roaming users. When mandatory user profiles are configured for the users, the users are not allowed to change their profile settings and thus the profiles size always remain manageable. To make a roaming user profile mandatory, you need to rename the Ntuser.dat file as Ntuser.man in the user's profile folder.

Article Summary

Roaming user profiles are simply collections of settings and configurations that are stored on a network location for each user. Once you perform some fairly simple configurations, every time a user logs on to a machine in your domain with his domain credentials, that user's settings will follow him and automatically be applied to his log-on session for that particular machine.

This article covered the creation of roaming user profiles in a Windows server active directory.

If you have found the article useful, we would really appreciate you sharing it with others by using the provided services on the top left corner of this article. Sharing our articles takes only a minute of your time and helps Firewall.cx reach more people through such services.

They give better productivity to administrators and save their time by allowing them to manage all the users and computers centrally in just one go.

The group policies are of two types, Local Group Policy and Domain-based Group Policy. As the name suggests, the Local Group Policies allow the local administrator to manage all the users of a computer to access the resources and features available on the computer. For example an administrator can remove the use of Run command from the start menu. This will ensure that the users will not find Run command on that computer.

The Domain-based Group Policies on the other hand allow the domain/enterprise administrators to manage all the users and the computers of a domain/ forest centrally. They can define the settings and the allowed actions for users and computers across sites, domains, and OUs through group policies.

There are more than 2000 pre-created group policy settings available in Windows Server 2003. A default group policy already exists. You only need to modify it by setting values of different policy settings according to your specific requirements. You can also create new group policies to meet your specific business requirements. The group policies allow you to implement:

• Registry based settings: Allows you to create a policy to administer operating system components and applications.
• Security settings: Allows you to set security options for users and computers to restrict them to run files based on path, hash, publisher criteria, or URL zone.
• Software restrictions: Allows you to create a policy that would restrict users to run unwanted applications and protect computers against virus and hacking attack.
• Software distribution and installation: Allows you to either assign or publish software application to domain users centrally with the help of a group policy.
• Automation of tasks using computer and User Scripts
• Roaming user profiles: Allow mobile users to see a familiar and consistent desktop environment on all the computers of the domain by storing their profile centrally on a server.
• Internet Explorer maintenance: Allow administrators to manage the IE settings of the user's computers in a domain by setting the security zones, privacy settings, and other parameters centrally with the help of group policy.

Configuring a Domain-Based Group Policy

Just as you used group policy editor to create a local computer policy, to create a domain-based group policy you need to use Active Users and Computers snap-in from where you can open the GPMC.

Follow the steps below to create a domain-based group policy

1. Select Active Directory Users and Computers tool from the Administrative Tools.

2. Expand Active Directory Users and Computers node, as shown below.

3. Right-click the domain name and select Properties from the menu that appears:

The properties window of the domain appears.

4. Click the Group Policy tab.

5. The Group Policy tab appears with a Default Domain Policy already created in it, as shown in here:

You can edit the Default Domain Policy or create a new policy. However, it is not recommended to modify the Default Domain Policy for regular settings.

We will select to create a new policy instead. Click New to create a new group policy or group policy object. A new group policy object appears below the Default Domain Policy in the Group Policy tab, as shown below:

Once you rename this group policy, you can either double-click on it, or select it and click Edit.

You'll next be presented with the Group Policy Object Editor from where you can select the changes you wish to apply to the specific Group Policy:

In this example, we have selected to Remove Run menu from Start Menu as shown above. Double-click on the selected setting and the properties of the settings will appear. Select Enabled to enable this setting. Clicking on Explain will provide plenty of additional information to help you understand the effects of this setting.

When done, click on OK to save the new setting.

Similarly you can set other settings for the policy. After setting all the desired options, close the Group Policy Object editor . You new group policy will take effect.

Article Summary

Domain Group Policies give the administrator great control over its domain users by enhancing security levels and restricting access to specific areas of the operating system. These policies can be applied to every organisation unit, group or user in the active directory or selectively to the areas you need. This article shows you how to create a domain group policy that can then be applied as required.

If you have found the article useful, we would really appreciate you sharing it with others by using the provided services on the top left corner of this article. Sharing our articles takes only a minute of your time and helps Firewall.cx reach more people through such services.

They give better productivity to administrators and save their time by allowing them to manage all the users and computers centrally in just one go.

Group policies are of two types, Local Group Policy and Domain-based Group Policy. As the name suggests, Local Group Policies allow the local administrator to manage all the users of a computer to access the resources and features available on the computer. For example an administrator can remove the use of the Run command from the start menu. This will ensure that the users will not find Run command on that computer.

Domain-based Group Policies allow the domain / enterprise administrators to manage all the users and the computers of a domain / forest centrally. They can define the settings and the allowed actions for users and computers across sites, domains and OUs through group policies.

There are more than 2000 pre-created group policy settings available in Windows Server 2003 / Windows XP. A default group policy already exists. You only need to modify the values of different policy settings according to your specific requirements. You can create new group policies to meet your specific business requirements. Group policies allow you to implement:

Registry based settings: Allows you to create a policy to administer operating system components and applications.

Security settings: Allows you to set security options for users and computers to restrict them to run files based on path, hash, publisher criteria or URL zone.

Software restrictions: Allows you to create a policy that would restrict users running unwanted applications and protect computers against virus and hacking attacks.

Software distribution and installation: Allows you to either assign or publish software application to domain users centrally with the help of a group policy.

Roaming user profiles: Allows mobile users to see a familiar and consistent desktop environment on all the computers of the domain by storing their profile centrally on a server.

Internet Explorer maintenance: Allows administrators to manage the IE settings of the users' computers in a domain by setting the security zones, privacy settings and other parameters centrally with the help of group policy.

Using Local Group Policy

Local Group Policies affect only the users who log in to the local machine but domain-based policies affect all the users of the domain. If you are creating domain-based policies then you can create policy at three levels: sites, domains and OUs. Besides, you have to make sure that each computer must belong to only one domain and only one site.

A Group Policy Object (GPO) is stored on a per domain basis. However, it can be associated with multiple domains, sites and OUs and a single domain, site or OU can have multiple GPOs. Besides this, any domain, site or OU can be associated with any GPO across domains.

When a GPO is defined it is inherited by all the objects under it and is applied in a cumulative fashion successively starting from local computer to site, domain and each nested OU. For example if a GPO is created at domain level then it will affect all the domain members and all the OUs beneath it.

After applying all the policies in hierarchy, the end result of the policy that takes effect on a user or a computer is called the Resultant Set of Policy (RSoP).

To use GPOs with greater precision, you can apply Windows Management Instrumentation (WMI) filters and Discretionary Access Control List (DACL) permissions. The WMI filters allow you to apply GPOs only to specific computers that meet a specific condition. For example, you can apply a GPO to all the computers that have more than 500 MB of free disk space. The DACL permissions allow you to apply GPOs based on the user's membership in security groups.

Windows Server 2003 provides a GPMC (Group Policy Management Console) that allows you to manage group policy implementations centrally. It provides a unified view of local computer, sites, domains and OUs (organizational units). You can have the following tools in a single console:

• Active Directory Users and Computers
• Active Directory Sites and Services
• Resultant Set of Policy MMC snap-in
• ACL Editor
• Delegation Wizard

The screenshot below shows four tools in a single console.

A group policy can be configured for computers or users or both, as shown here:

The Group Policy editor can be run using the gpedit.msc command.

Both the policies are applied at the periodic refresh of Group Policies and can be used to specify the desktop settings, operating system behavior, user logon and logoff scripts, application settings, security settings, assigned and published applications options and folder redirection options.

Computer-related policies are applied when the computer is rebooted and User-related policies are applied when users log on to the computer.

Configuring a Local Group Policy

To configure a local group policy, you need to access the group policy editor. You can use Group Policy Editor by logging in as a local administrator from any member server of a domain or a workgroup server but not from a domain controller.

Sometimes this tool, or other Active directory tools that you need to manage group policy, does not appear in Administrative Tools. In that case you need to follow steps 1-10 given below to add Group Policy Editor tool in the console.

1. Click Start->Run and type mmc. The Console window appears, as shown below:

2. Select Add/remove Snap-in from the File menu. 

The Add/Remove Snap-in window appears, as shown below:

3. Click Add.

4. The Add Standalone Snap-in window appears.

5. Select Group Policy Object Editor snap-in from the list.

6. Click Add and then click OK in Add/remove Snap-in window.

The Select Group Policy Object window appears, as shown below:

7. Keep the default value “Local Computer”

8. Click Finish.

The Local Computer Policy MMC appears, as shown below.

You can now set the Computer Configuration or User Configuration policies as desired. This example takes User Configuration setting.

9. Expand User Configuration node:

10. Expand Administrative Templates and then select the Start Menu and Taskbar node, as shown in Figure 7.

11. Double-click the settings for the policy that you want to modify from the right panel. In this example double-click Remove Run Menu from Start Menu.

The properties window of the setting appears as shown in the below screenshot:

12. Click Enabled to enable this setting.

Once you click on 'OK', the local policy that you have applied will take effect and all the users who would log on to this computer will not be able to see the Run menu item of the Start menu.

This completes our Local Group Policy configuration section. Next section covers Domain Group Policies, that will help you configure and control user access throughout the Active Directory Domain.

Article Summary

Group Policies are an Administrator's best friend. Group Policies can control every aspect of a user's desktop, providing enhanced security measures and restricting access to specified resouces. Group policies can be applied to a local server, as shown on this article, or to a whole domain.

If you have found the article useful, we would really appreciate you sharing it with others by using the provided services on the top left corner of this article. Sharing our articles takes only a minute of your time and helps Firewall.cx reach more people through such services.

User Accounts

In Windows Server 2003 computers there are two types of user accounts. These types are local and domain user accounts. The local user accounts are the single user accounts that are locally created on a Windows Server 2003 computer to allow a user to log on to a local computer. The local user accounts are stored in Security Accounts Manager (SAM) database locally on the hard disk. The local user accounts allow you to access local resources on a computer

On the other hand the domain user accounts are created on domain controllers and are saved in Active Directory. These accounts allow to you access resources anywhere on the network. On a Windows Server 2003 computer, which is a member of a domain, you need a local user account to log in locally on the computer and a domain user account to log in to the domain. Although you can have a same login and password for both the accounts, they are still entirely different account types.

You become a local administrator on your computer automatically because local computer account is created when a server is created. A domain administrator can be local administrator on all the member computers of the domain because by default the domain administrators are added to the local administrators group of the computers that belong to the domain.

This article discusses about creating local as well as domain user accounts, creating groups and then adding members to groups.

Creating a Local User Account

To create a local user account, you need to:

1. Log on as Administrator, or as a user of local administrator group or Account Operators local group in the domain.

2. Open Administrative Tools in the Control Panel and then click Computer Management, as shown in Figure 1.

Figure 1

3. Click Users folder under Local Users and Groups node, as shown in Figure 2.

Figure 2

4. Right-click Users and then click New User in the menu that appears, as shown in Figure 3:

Figure 3

The New User dialog box appears as shown below in Figure 4.

5. Provide the User name and the Password for the user in their respective fields.

6. Select the desired password settings requirement.

Select User must change password at next logon option if you want the user to change the password when the user first logs into computer. Select User cannot change password option if you do not want the user to change the password. Select Password never expires option if you do not want the password to become obsolete after a number of days. Select Account is disabled to disable this user account.

7. Click Create , and then click Close:

 Figure 4

The user account will appear on clicking Users node under Local Users and Groups on the right panel of the window.

You can now associate the user to a group. To associate the user to a group, you need to:

8. Click Users folder under Local Users and Groups node.

9. Right-click the user and then select Properties from the menu that appears, as shown in Figure 5:

 Figure 5

The Properties dialog box of the user account appears, as shown in Figure 6:

10. Click Member of tab.

The group(s) with which the user is currently associated appears.

11. Click Add.

 Figure 6

The Select Groups dialog box appears, as shown in Figure 7.

12. Select the name of the group/object that you want the user to associate with from the Enter the object names to select field.

If the group/object names do not appear, you can click Advanced button to find them. Also if you want to choose different locations from the network or choose check the users available, then click Locations or Check Names buttons.

13. Click OK .

Figure 7

The selected group will be associated with the user and will appear in the Properties window of the user, as shown in Figure 8:

Figure 8

Creating a Domain User Account

The process of creating a domain user account is more or less similar to the process of creating a local user account. The only difference is a few different options in the same type of screens and a few steps more in between.

For example you need Active Directory Users and Computers MMC (Microsoft Management Console) to create domain account users instead of Local Users and Computers MMC. Also when you create a user in domain then a domain is associated with the user by default. However, you can change the domain if you want.

Besides all this, although, a domain user account can be created in the Users container, it is always better to create it in the desired Organization Unit (OU).

To create a domain user account follow the steps given below:

1. Log on as Administrator and open Active Directory Users and Computers MMC from the Administrative Tools in Control Panel, as shown in Figure 9.

2. Expand the OU in which you want to create a user, right-click the OU and select New->User from the menu that appears.

 Figure 9

3. Alternatively, you can click on Action menu and select New->User from the menu that appears.

The New Object –User dialog box appears, as shown in Figure 10.

4. Provide the First name, Last name, and Full name in their respective fields.

5. Provide a unique logon name in User logon name field and then select a domain from the dropdown next to User logon name field if you want to change the domain name.

The domain and the user name that you have provided will appear in the User logon name (pre-Windows 2000) fields to ensure that user is allowed to log on to domain computers that are using earlier versions of Windows such as Windows NT.

Figure 10

6. Click Next.

The second screen of New Object –User dialog box appears similar to Figure 4.

7. Provide the User name and the Password in their respective fields.

8. Select the desired password settings requirement:

Select User must change password at next logon option if you want the user to change the password when the user first logs into computer. Select User cannot change password option if you do not want the user to change the password. Select Password never expires option if you do not want the password to become obsolete after a number of days. Select Account is disabled to disable this user account.

9. Click Next.

10. Verify the user details that you had provided and click Finish on the third screen of New Object –User dialog box.

11. Follow the steps 9-13 mentioned in Creating a Local User Account section to associate a user to a group.

Creating Groups

Just like user accounts, the groups on a Windows Server 2003 are also of two types, the built in local groups and built in domain groups. The example of certain built in domain groups are: Account Operators, Administrators, Backup Operators, Network Configuration Operators, Performance Monitor Users, and Users. Similarly certain built in local groups are: Administrators, Users, Guests, and Backup operators.

The built-in groups are created automatically when the operating system is installed and become a part of a domain. However, sometimes you need to create your own groups to meet your business requirements. The custom groups allow you limit the access of resources on a network to users as per your business requirements. To create custom groups in domain, you need to:

1. Log on as Administrator and open Active Directory Users and Computers MMC from the Administrative Tools in Control Panel, as shown in Figure 9.

2. Right-click the OU and select New->Group from the menu that appears.

The New Object –Group dialog box appears, as shown in Figure 10.

3. Provide the name of the group in the Group name field.

The group name that you have provided will appear in the Group name (pre-Windows 2000) field to ensure that group is functional on domain computers that are using earlier versions of Windows such as Windows NT.

4. Select the desired group scope of the group from the Group scope options.

If the Domain Local Scope is selected the members can come from any domain but the members can access resources only from the local domain.

If Global scope is selected then members can come only from local domain but can access resources in any domain.

If Universal scope is selected then members can come from any domain and members can access resources from any domain.

5. Select the group type from the Group Type options.

The group type can be Security or Distribution . The Security groups are only used to assign and gain permissions to access resources and Distribution groups are used for no-security related tasks such as sending emails to all the group members.

Figure 11

6. Click OK.

You can add members to group just as you add groups to members. Just right-click the group in Active Directory Users and Computers node in the Active Directory Users and Computers snap-in, select Properties, click Members tab from the Properties window of the group and then follow the steps from 11-13 from Creating Local User Accounts section.

Article Summary

Dealing with User & Group accounts in a Windows Server environment is a very important everyday task for any Administrator. This article covered basic administration of user and group accounts at both local and domain environments.