
Mastering Windows Server 2012 R2

Ebook, 3,418 pages (30 hours)


About this ebook

Check out the new Hyper-V, find new and easier ways to remotely connect back into the office, or learn all about Storage Spaces—these are just a few of the features in Windows Server 2012 R2 that are explained in this updated edition from Windows authority Mark Minasi and a team of Windows Server experts led by Kevin Greene. This book gets you up to speed on all of the new features and functions of Windows Server, and includes real-world scenarios to put them in perspective. If you're a system administrator upgrading to, migrating to, or managing Windows Server 2012 R2, find what you need to do the job in this complete resource.

Learn all about:

  • Installing or upgrading to and managing Windows Server 2012 R2
  • Understanding Microsoft NIC teams 2012 and PowerShell
  • Setting up via GUI or updated Server Core 2012
  • Migrating, merging, and modifying your Active Directory
  • Managing address spaces with IPAM
  • Understanding new shared storage, storage spaces, and better tools
  • Controlling access to file shares—a new and improved approach
  • Using and administering Remote Desktop, Virtual Desktop, and Hyper-V®
Language: English
Publisher: Wiley
Release date: Dec 3, 2013
ISBN: 9781118331729

    Book preview

    Mastering Windows Server 2012 R2 - Mark Minasi

    Chapter 1

    What’s New in Windows Server 2012 R2

    Windows Server 2012 R2 has over 300 new features, and it’s the first Microsoft Server OS that has connectivity with the cloud. Explaining all of those features would take much more than a chapter (which is, of course, why we wrote a book!), but let’s use these first few pages to give you the lay of the land. Now, we realize that some reading this book are just getting started with Windows Server, and so for them, everything is new, but many others of you reading this already know tons about Windows networking and would just like a summary of what’s new in Server—this chapter summarizes that and where to find it in the book.

    By now, we’ve sat through about a zillion Microsoft presentations on Windows Server, and they all start the same way, so apparently we’re required by law (or at least by custom) to present the following as the first heading when doing an overview.

    In this chapter, you’ll learn about:

    The dramatic changes to the user interface

    New Active Directory features enhancing deployment and manageability

    Improvements to PowerShell

    New technology added to Hyper-V

    Enhancements to Windows networking, making it faster and more secure

    The new management tools

    The important features of IIS 8.0

    Windows Server 2012 R2 Introduction

    Well, with a slogan like "Built from the cloud up," it doesn’t take a mental heavyweight to figure out what was intended with Windows Server 2012 R2. So what is cloud technology? In a nutshell, it’s the practice of using a network of remote servers to store, manage, and process data, rather than a local server. Windows Server 2012 R2 extends these technologies to corporations to be used in the same way for their employees. All corporate data, whether from virtual machines or individual workstations, can be backed up directly to the cloud, either on or off site. Cloud technologies are the driving force for the way the world conducts business today and in the near future.

    From small business to some of the largest datacenters in the world, Windows Server 2012 R2 is one hot ticket. With virtually hundreds of new features from virtualization, networking, storage, usability, and much more, Windows Server 2012 R2 will not disappoint. The more we use it, the more we like it, and we think you will too!

    The following sections offer a brief overview of what’s new in this book and where to read more about those features.

    Because this is an introductory chapter, all of the topics covered here will be talked about in depth elsewhere in the book.

    Windows Server Editions

    When Windows Server 2012 was released, you had the choice between Standard and Datacenter editions in both the Server Core and GUI versions. With the release of Windows Server 2012 R2, you have two more editions to choose from: Foundation and Essentials. Not only does each version have different features, but the price for each license reflects each version’s features. Let’s discuss the differences among all the editions.

    Standard Edition

    This is the enterprise-class cloud server and is the flagship OS. This chapter will cover in detail the changes affecting the Standard edition, because this is the most popular choice. This server is feature rich and will handle just about all your general networking needs. This server can be used for multipurpose or individual roles. It can be stripped down to its core for an even more secure and better-performing workhorse.

    Datacenter Edition

    This is Microsoft’s heavy-duty virtualization server version. This is best used in highly virtualized environments because it sports unlimited virtual instance rights. That’s right, I said unlimited! This is really the only difference between Datacenter and Standard, and of course this is reflected in the price; Datacenter costs about four times as much as Standard edition.

    Foundation Edition

    Foundation contains most core features found in the other editions, but there are some important limitations you should understand before you deploy it. Active Directory certificate service roles are limited to only certificate authorities. Here are some other limitations:

    The maximum number of users is 15.

    The maximum number of Server Message Block (SMB) connections is 30.

    The maximum number of Routing and Remote Access (RRAS) connections is 50.

    The maximum number of Internet Authentication Service (IAS) connections is 10.

    The maximum number of Remote Desktop Services (RDS) Gateway connections is 50.

    Only one CPU socket is allowed.

    It cannot host virtual machines or be used as a guest virtual machine.

    Essentials Edition

    This server is intended for very small companies with fewer than 25 users and 50 devices. This is a very cost-effective way to provide small business networking. Here are some but not all new features of Windows Server 2012 R2 Essentials:

    Improved client deployment

    Can be installed as virtual machine or on a server

    User group management

    Improved file history

    Includes BranchCache

    Uses the dashboard to manage mobile devices

    Includes System Restore

    Desktop Changes

    In Windows Server 2012, Microsoft removed the Start button from the lower left. In R2 the Start button has been put back so you can access your application menu. You can still hit the Windows key to access your menu if you’ve already gotten used to using it. If you’re not familiar with where the Windows key is, it’s to the left of the left Alt key on a standard keyboard. There is also a hotspot in the lower-right corner, which brings up a vertical menu bar. This dynamic menu contains these buttons: the Start menu, the Desktop settings, and Explorer search.

    The new look and feel will take a bit of getting used to, but we think you will like the new UI changes. Server Manager has had a major overhaul also and grabs your attention with its colorful display warnings on the dashboard when a problem exists.

    One user-requested feature that Server lacked was the ability to switch from the GUI version to Server Core. Oftentimes requirements change in ways that require you to move to Server Core. Previously you would have had to do a complete reinstall of Server Core. An administrator now has the ability to convert from the GUI version to Server Core and vice versa.

    You can read more about this throughout the book starting in Chapter 2, Installing and Upgrading to Windows Server 2012 R2.

    Active Directory Changes

    As you may know, Active Directory (AD) is in many ways the keystone piece of Windows networking; in other words, it is the central database of user and machine authentication data. Active Directory in Server 2012 R2 includes several useful new capabilities for Active Directory Certificate Services, Active Directory Rights Management Services, and Active Directory Domain Services. Collectively, the new features focus on deployment and manageability. The plan is to make it fast and easy to deploy Active Directory services and to have more flexibility accessing files while having better file security. Administration has also improved to make graphical and scripted management more consistent and user friendly.

    You can read more about this in Chapter 7, Active Directory in Windows Server 2012 R2.

    Active Directory Domain Services Changes

    Microsoft is always striving to make Active Directory Domain Services (AD DS) a more robust directory structure service. In the following sections we will explain what has been improved pertaining to Active Directory Domain Services.

    Cloning Domain Controllers

    Windows Server 2012 R2 gives you the ability to clone an existing domain controller to speed up deployment. Using the domain controller interface in Server Manager, you can promote a single virtual domain controller. You may then, within the same domain, deploy additional virtual domain controllers.

    Cloning will reduce the number of repetitive steps in the deployment process. It will also let you deploy additional domain controllers configured and authorized by Active Directory. This is achieved by creating a copy of a virtual domain controller and then authorizing the source controller and running the appropriate Windows PowerShell cmdlets. Windows PowerShell will create a configuration file with promotion instructions. This file will contain Domain Name Server (DNS) information, name, IP address, and other pertinent information.
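    The authorization-and-configuration-file steps described above, as an added example that is not code from the book. It assumes a source virtual DC named DC1, a clone named DC2, the default site name, and constructed 10.0.0.0/24 addresses.

```powershell
# Added example (not from the book): prepare a source virtual domain controller
# for cloning. DC names, site name and IP addresses are assumed values.
Import-Module ActiveDirectory
$sourceDc = 'DC1'   # assumed: the virtual DC whose copy will become DC2

# 1. Authorize the source DC. Membership in this group is what permits a copy of
#    the VM to promote itself; the PDC emulator must run Windows Server 2012 or later.
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' `
    -Members (Get-ADComputer -Identity $sourceDc)

# 2. Run on the source DC: any installed program or service not on the clone-safe
#    list must be removed or explicitly allow-listed before the clone is made.
$excluded = Get-ADDCCloningExcludedApplicationList
if ($excluded) {
    $excluded | Format-Table Name, Type -AutoSize
    throw 'Resolve the excluded applications (or generate CustomDCCloneAllowList.xml) before cloning.'
}

# 3. Write DCCloneConfig.xml on the source DC with the clone's name, site and
#    static addressing; the copied VM reads it at first boot and promotes itself.
New-ADDCCloneConfigFile -CloneComputerName 'DC2' -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '10.0.0.12' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver '10.0.0.11'
```

The source VM is then shut down, its virtual disks are copied into a new VM, and the new VM is started; a clone started without the configuration file, or from a DC that is not in the group, boots into Directory Services Restore Mode instead of promoting.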

    You can read more about this in Chapter 7.

    Fine-Grained Password Policy Improvements

    Active Directory does a lot of things besides just keeping a list of user account names and passwords, but if we had to choose the most important of its tasks, we think it’d be reasonable to say that protecting and maintaining passwords would be that task.

    Prior to Windows Server 2008, the issue that we all faced was that everyone in the domain had to follow the same password rules. So, for example, the admin staff had to follow the same password rules as the sales team. Administrators should know how to protect their passwords better than salespeople. If not, you better find new administrators!

    In Windows Server 2008, Microsoft introduced fine-grained password policies. This allows you to put separate password policies on separate groups. So now, the administrators can have their own policies and the salespeople can have their own.

    In Windows Server 2012 R2, fine-grained password policies have been improved so that you now have the option to create and administer your password-settings objects (PSO) using the Active Directory Administrative Center. This new feature helps simplify your PSO management. Prior to Server 2012 R2, all PSOs had to be created using the Active Directory Schema Interface (ADSI Edit) tool.
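    The separate admin and sales policies discussed above, as an added example that is not code from the book. It assumes a global security group named Sales and a user named jdoe.

```powershell
# Added example (not from the book): create a stricter password-settings object
# (PSO) for privileged accounts and a baseline one for sales, attach each to a
# group, and check which policy a user actually gets.
# The "Sales" group and the user "jdoe" are assumed values.
Import-Module ActiveDirectory

# Lower Precedence wins when a user is covered by more than one PSO, so the
# privileged-account policy gets the smaller number.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Admins' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

New-ADFineGrainedPasswordPolicy -Name 'PSO-Sales' -Precedence 50 `
    -MinPasswordLength 10 -PasswordHistoryCount 12 `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# PSOs apply to users and global security groups, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Admins' -Subjects 'Domain Admins'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Sales'  -Subjects 'Sales'

# Resultant policy for one user: a Domain Admin who is also in Sales resolves to
# PSO-Admins. No output means the domain's default password policy applies.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
```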

    You can read more about this in Chapter 7 also.

    Active Directory Recycle Bin

    We think the best way to explain the Active Directory Recycle Bin is to give you a real-world example and how this technology can save the day.

    John is a junior administrator for Wiley Books. It took him hours to add 20 new authors to Active Directory. Later, when John was finished, he accidentally deleted one of the company’s Organizational Units (OU).

    Wiley backs up all of their data on a nightly basis using Microsoft Windows Backup. Because of this, when restoring Active Directory, it is an all-or-nothing restore. Microsoft Windows Backup does not give you the ability to restore just the OU. So now that we have to restore Active Directory, John would lose those hours of work because Active Directory’s version would be from the previous night’s tape backup. This is where the Active Directory Recycle Bin can help.

    With Active Directory Recycle Bin, John can simply restore the OU without reverting to another location in time using backups.

    Through the use of its new graphical user interface, administrators can now easily un-delete Active Directory objects without going through the tedious process that Windows Server 2008 offered. You can see it in action in Figure 1.1.

    Figure 1.1 Sample Recycle Bin GUI
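    The scenario above scripted end to end, as an added example that is not code from the book: enable the Recycle Bin, then bring back the deleted OU and the accounts it contained. The OU name Authors is assumed.

```powershell
# Added example (not from the book): enable the AD Recycle Bin once per forest,
# then recover an accidentally deleted OU and every object that was inside it.
# The OU name "Authors" is assumed. The forest must be at the Windows Server
# 2008 R2 functional level or higher, and enabling the feature is irreversible.
Import-Module ActiveDirectory

# 1. Enable the feature if it is not already on.
$rb = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $rb -Scope ForestOrConfigurationSet `
        -Target (Get-ADForest).Name -Confirm:$false
}

# 2. Locate the deleted OU. Deleted objects keep their last known parent and
#    RDN, and stay recoverable for the deleted-object lifetime (180 days by default).
$ou = Get-ADObject -IncludeDeletedObjects `
    -Filter { isDeleted -eq $true -and ObjectClass -eq 'organizationalUnit' -and Name -like 'Authors*' } `
    -Properties LastKnownParent, 'msDS-LastKnownRDN'

# The DN the OU had before deletion; its children recorded it as their parent.
$originalDn = "OU=$($ou.'msDS-LastKnownRDN'),$($ou.LastKnownParent)"

# 3. Restore the container first: a child cannot be restored into a parent
#    that is itself still deleted.
Restore-ADObject -Identity $ou.ObjectGUID

# 4. Restore everything whose last known parent was that OU.
Get-ADObject -IncludeDeletedObjects `
    -Filter { isDeleted -eq $true -and LastKnownParent -eq $originalDn } |
    Restore-ADObject

# 5. Check: the restored OU should again contain the author accounts.
(Get-ADUser -SearchBase $originalDn -Filter *).Count
```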

    You can read more about Active Directory Recycle Bin in Chapter 7 as well.

    PowerShell and AD Administrative Center

    Ever since the advent of Windows, Microsoft has shipped operating systems whose administrative tools have, in the main, been graphically based tools; in fact, many Windows administrators can go weeks at a time without having to open a command line. That’s good in that it means learning Windows administration is easier for new administrators than it would be for novices trying to learn Unix/Linux administration, because that latter group of operating systems is more heavily dependent on command-line administrative tools than GUI-based administrative tools.

    What being command-line-centric does for the Unix/Linux world, however, is to make automating administrative tasks easier in Unix/Linux than it would be to automate many Windows administrative tasks. (You can put a command-line instruction into a batch file, which can then automate whatever task you’re trying to accomplish. You can’t put mouse clicks in a batch file.) So, Microsoft is trying to give Windows the automation ability that it lacks and that Unix and Linux have with a command shell called PowerShell. It’s designed to let you take boring, repetitive tasks and automate them easily. Until now the learning curve to use PowerShell was quite steep.

    Windows Server 2012 R2 introduces the PowerShell History Viewer, which allows administrators using Active Directory Administrative Center to view the Windows PowerShell commands that are executed. The PowerShell 3.0 improvements are as follows:

    Windows PowerShell workflow

    Windows PowerShell web access

    New Windows PowerShell ISE features

    Support for Microsoft .NET Framework 4.0

    Support for Windows’ preinstallation environment

    Disconnected sessions

    Robust session connectivity

    Updatable help system

    Enhanced online help

    CIM integration

    Session configuration files

    Scheduled jobs and Task Scheduler integration

    Windows PowerShell language enhancements

    New core cmdlets

    Improvements to existing core cmdlets and providers

    Remote module import and discovery

    Enhanced tab completion

    Module autoloading

    Module experience improvements

    Simplified command discovery

    Improved logging, diagnostics, and Group Policy support

    Formatting and output improvements

    Enhanced console host experience

    New cmdlet and hosting APIs

    Performance improvements

    RunAs and shared host support

    Special character-handling improvements

    As you can see by the long list of improvements, Microsoft intends to make PowerShell (see Figure 1.2) as important an administrative platform as the host of GUI tools that exist today.

    Figure 1.2 Using PowerShell to install a server role

    You will read more about PowerShell throughout the entire book starting in Chapter 2, where you will use it to add roles and features.

    Active Directory Rights Management Services

    Passing secure documents and files within your company is vital to the company’s information integrity. Your company’s CFO, for example, may have a report listing the salaries of all the employees in the company. The CFO wants only other executives in the company to have access to the file. This is where Active Directory Rights Management Services (AD RMS) will be called on to secure the file. With AD RMS the CFO can encrypt or apply authentication to the file.

    Prior to Windows Server 2012 R2, AD RMS setup required that only a user with local administrator privileges be allowed to install on the computer that hosted the SQL Server database. This was because AD RMS needed to read the SQL Server settings from the registry during installation. Microsoft implemented the following changes to deal with the AD RMS and how SQL Server is accessed:

    AD RMS now requires that the installer have sysadmin permissions in the SQL Server installation.

    The browser service for SQL Server must be running in order to locate any available SQL Server instances.

    Any ports used by AD RMS setup on the SQL Server computer should have firewall exceptions enabled. You will need to open the TCP port (default 1433) for the SQL instance and the UDP port (default 1434) for the SQL Server Browser Service.
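    The three SQL Server prerequisites listed above, as an added example run on the SQL Server host (not code from the book). The AD RMS server address 10.0.0.25 and the instance name SQLHOST\RMSINST are assumed values.

```powershell
# Added example (not from the book): satisfy the SQL Server prerequisites for
# AD RMS setup on the SQL Server host, opening the two ports only to the AD RMS
# server instead of to any address. Address and instance name are assumed.
$rmsServer = '10.0.0.25'           # assumed: the computer running AD RMS setup
$instance  = 'SQLHOST\RMSINST'     # assumed: the instance AD RMS will use

# The SQL Server Browser service must be running so setup can enumerate instances.
Set-Service -Name SQLBrowser -StartupType Automatic
Start-Service -Name SQLBrowser

# TCP 1433 for the instance and UDP 1434 for the Browser, domain profile only,
# scoped to the AD RMS server's address.
New-NetFirewallRule -DisplayName 'AD RMS to SQL Server (TCP 1433)' `
    -Direction Inbound -Protocol TCP -LocalPort 1433 `
    -RemoteAddress $rmsServer -Profile Domain -Action Allow

New-NetFirewallRule -DisplayName 'AD RMS to SQL Browser (UDP 1434)' `
    -Direction Inbound -Protocol UDP -LocalPort 1434 `
    -RemoteAddress $rmsServer -Profile Domain -Action Allow

# Review what was created before running setup.
Get-NetFirewallRule -DisplayName 'AD RMS to SQL*' |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort

# The account that will run AD RMS setup must be a SQL sysadmin; run this as
# that account (SqlServer/SQLPS module). 1 means the login holds the role.
Invoke-Sqlcmd -ServerInstance $instance `
    -Query "SELECT IS_SRVROLEMEMBER('sysadmin') AS IsSysadmin"
```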

    Another piece of AD RMS setup was upgraded. In previous server versions you would have to deploy from the computer where AD RMS was installed. In Windows Server 2012 R2 you are allowed to remotely deploy at targeted server computers.

    You can read more about AD RMS starting in Chapter 7.

    Active Directory Certificate Services

    You can bind the identity of services, devices, and people to a private key using Active Directory Certificate Services (AD CS). This enhanced security feature allows access only to participating applications that support AD CS.

    Listed here are some of the changes affecting Windows Server 2012 R2:

    Server Manager integration.

    Deployment and management using Windows PowerShell.

    AD CS role services can be run on Server Core on any version of Windows Server 2012 R2.

    Automatic certificate renewal is now supported for computers that are not joined to a domain.

    Certificate renewal with same key is enforced.

    International domain name support.

    CA role service has increased security enabled by default.

    You can read more about AD CS starting in Chapter 7.

    Virtualization

    Virtualization allows you to put multiple computer operating systems on one physical machine. In the past, you would have used four servers for your domain controller, Exchange Server, DNS server, and DHCP server. Now you can have one physical box and four virtual servers. This saves money (on hardware) and also saves space (four servers before/one server now). Virtualization in Windows Server 2012 R2 is continuing to improve.

    Hyper-V

    Server virtualization—breaking one physical server up into a bunch of virtual machines—is one of the most significant changes in server management in the past 10 years. We wrote server management in lowercase because it’s used not just in Windows Server but in various flavors of Linux, Unix, Sun Solaris, and so on. Being able to buy one big, powerful, reliable piece of hardware and fool it into believing that it’s actually 10 or 20 smaller separate pieces of computer hardware and then installing separate server OSes on those bits of virtual server hardware has greatly simplified server management for operations big and small. Furthermore, it has solved a server management problem that has bedeviled server room planners for years: underutilized hardware. The tool that fools the computer into thinking that it is actually many separate computers is generically called a virtual machine manager (VMM).

    You see, ever since the start of server computing, most organizations have preferred to put each server function—email, AD domain controller, file server, web server, database server—on its own separate physical server. Thus, if you needed a domain controller, a web server, and an email server for your domain, you would commonly buy three separate server computers, put a copy of Windows Server on each one, and make one a DC, one a web server (by enabling Internet Information Services, R2’s built-in web server software, on the server), and one an Exchange Server. The downside of this was that each of those servers would probably run at fairly low load levels: it wouldn’t be surprising to learn that the DC ran about 5 percent of the CPU’s maximum capacity, the web server a bit more, and the email server a bit more than that. Running a bunch of pieces of physical server hardware below their capacity meant wasting electricity, and that’s just not green thinking, y’know? In contrast, buying one big physical server and using a VMM to chop it up into (for example) three virtual servers would probably lead to a physical server that’s working near capacity, saving electricity and cooling needs.

    First, let’s cover the new technology added in this version. Since there are so many improvements to Hyper-V, we’re just going to briefly touch on each one:

    Client Hyper-V gives desktop Windows Hyper-V technology without the need for installing a server OS.

    A Hyper-V module for Windows PowerShell provides more than 160 cmdlets to manage Hyper-V.

    Hyper-V Replica allows you to replicate virtual machines between storage systems, clusters, and datacenters in two sites. This helps provide business continuity and disaster recovery.

    Resource metering helps track and collect data about network usage and resources on specific virtual machines.

    Simplified authentication groups administrators as a local security group. By doing so, fewer users need to be created to access Hyper-V.

    Single-root I/O virtualization (SR-IOV) is a new feature that allows you to assign a network adapter directly to a virtual machine.

    Storage migration allows you to move the virtual hard disks to a different physical storage while a virtual machine is running.

    SMB 3.0 file share is a new feature that provides virtual machines with shared storage, without the use of a storage area network (SAN).

    The virtual Fibre Channel allows you to virtualize workloads and applications that require direct access to Fibre Channel-based storage. It also makes it possible to configure clustering directly within the guest operating system (sometimes referred to as guest clustering).

    Virtual Non-Uniform Memory Architecture (NUMA) allows certain high-performance applications running in the virtual machine to use NUMA topology to help optimize performance.

    Now let’s briefly talk about some of the enhancements made to existing Hyper-V technology that many administrators will find useful.

    Dynamic memory allows you to configure Smart Paging so your virtual machines can more efficiently restart. If a virtual machine has less startup memory, dynamic memory can be configured to support it.

    Importing virtual machines has received a tune-up to better handle configuration problems that would normally prevent an import. Until now the process included copying a virtual machine but never checked for configuration issues.

    Live migrations make it possible to complete a live migration in a nonclustered environment. This improvement will make moving a live virtual machine easier.

    Larger storage resources, increased scale, and better hardware error-handling are offered in this version. The intention is to help you configure large, high-performance virtual machines with the ability to scale.

    Virtual Hard Disk Format (VHDX) increases the maximum storage size of each virtual hard disk. The new format supports up to 64 terabytes of storage. It also comes with built-in hardware protection against power failures. This format will also prevent performance falloff on large-sector physical disks.

    You no longer need to shut down the live virtual machine to recover deleted storage space. Virtual machine snapshots will now free up the space the snapshot consumed once it is deleted.

    You can read more about this in Chapter 27, Virtualization with Hyper-V.

    Removed or Deprecated Items in Windows Server 2012 R2

    VM Chimney, also referred to as TCP offload, has been removed and will no longer be available to guest operating systems. The WMI root\virtualization namespace is changed to just root\virtualization\v2 and will eventually be taken out completely in future Server versions. Authorization Manager (AzMan) has also been deprecated in this version and will be phased out in future releases. The new management tools for virtual machines will be the new standard.

    Virtual Desktop Infrastructure

    In Windows Server 2012 R2, Microsoft has made vast improvements to the virtual desktop infrastructure (VDI), with simpler administration, increased value, and better overall user experience.

    Supporting mobile devices is a must in today’s market. Virtual desktop infrastructure helps bridge the compatibility gap between devices by virtualizing resources. VDI provides stronger security and higher efficiency that improves productivity with a UI that the user is familiar with. Windows Server 2012 R2 and VDI make it a snap to deploy virtual resources across devices.

    Windows Server 2012 R2 VDI, if running in a datacenter, will allow access for mobile devices using Hyper-V and Remote Desktop Services. Microsoft offers three different deployment types in a single solution: pooled desktops, personal desktops, and remote desktop sessions.

    You can read more about VDI in Chapter 27.

    Networking Changes

    Servers are no good without the ability to talk to one another, but—of course—the downside of being able to communicate with other systems means that infected systems can try to spread their malware joy. (Want to secure your server? Easy . . . disconnect the Ethernet cable!) Server 2012 R2 offers some networking changes to make Windows networking a bit faster and a bit more secure.

    EAP-TTLS

    Windows Server 2012 R2 introduces a new Extensible Authentication Protocol (EAP) type called Tunneled Transport Layer Security (TTLS). This protocol is used with 802.1X Authenticated Wired and Wireless access. This new standards-based protocol provides a secure tunnel for client authentication. 802.1X provides a security shield that prevents unauthorized access to your intranet.

    DNS

    Although DNS has been around forever, the process by which it translates names seems to get better with each version. Changes in Windows Server 2012 R2 affect both DNS Server and Client. Let’s take a look at the changes for Windows Server 2012 R2.

    In PowerShell, DNS management has received some improvements. The DNS Server role, for example, has had some improvements to installation and removal using PowerShell. Additional developments in PowerShell include user interface, client query, and server configuration on older operating systems. The LLMNR query time-out was 300 msec, which was not enough time for computers in power-save mode. With the new improvements to DNS Client, this time-out has been increased to 820 msec.

    IP Address Management

    The IP Address Management (IPAM) framework is a new set of technologies for managing, monitoring, and auditing IP address space. By monitoring DHCP and DNS, IPAM can locate IP address servers within your network and allows you to manage them from a single central UI.

    NIC Teaming

    NIC Teaming technology in Windows Server 2012 R2 can take multiple network interface cards and team them together to interface as one. Doing so helps with failover should one device become inoperative. Load balancing is also improved when NICs are teamed because the bandwidth is combined into a single larger bandwidth.

    You can read more about these topics and new features in Chapter 4, Windows Server 2012 R2 Networking Enhancements, and Chapter 5, IP Address Management and DHCP Failover.

    Management Tools

    Any good networking operating system should offer ways to simplify the job of keeping one server or one thousand servers up and running. The server should also stay up and running with the smallest amount of effort possible on the part of the humans doing the server administration. No one operating system has the answer for server administration, but Windows Server has gotten a bit better in 2012 R2 with some useful new tools.

    Server Manager

    Prior to Windows Server 2008, when an administrator had to configure and maintain a server, the administrator would have to use many different tools. Windows Server 2008 changed all that by introducing Server Manager, a one-stop shop for all of your configuration and management tools.

    In Windows Server 2012 R2 (Figure 1.3), Microsoft has expanded this functionality even further. Server Manager now lets administrators manage multiple servers (virtual or physical, local or remote) as long as they are no older than Windows Server 2003.

    Figure 1.3 Server Manager

    Adding roles and features in Server Manager has gotten even smarter. As you make your selections, the Add Roles and Features Wizard dynamically changes. The wizard assists you in deciding which subset of tools and features are needed for the requested role.

    Server Manager has a new dashboard that can show you if problems exist using color-coded boxes. If, for example, an error occurred from within the DNS event log, the DNS box on the dashboard would turn red. This is an excellent tool for troubleshooting your server, and since the dashboard is the first thing you see when you log in, you can’t miss it.

    Speaking of troubleshooting your server, Server Manager has a host of new troubleshooting tools that we will show you more about in Chapter 2. These tools are all inside the role, inside Server Manager, so you do not have to open multiple applications like Event Viewer or Performance Analyzer to see the results—they’re all in one spot!

    You can read more about Server Manager in Chapter 2.

    The Remote Tools: WinRM and WinRS

    It’s the case all too often that new operating systems include some really important and useful features that go largely unnoticed. Windows Server 2012 R2 contains one of those neat but largely unknown features in a new network protocol called Windows Remote Management (WinRM). To understand why WinRM is a great feature, let’s consider what WinRM is intended to replace: a protocol known as the Remote Procedure Call (RPC).

    Even if you’ve never heard of RPC, chances are that you’ve been using it for years. RPC’s job is to allow one program to talk to another program, even if those programs are running on different computers. For example, if you’ve ever started up Outlook to read your email on an Exchange Server instance, then you’ve used RPC: it’s how Outlook can tap Exchange on the shoulder and say, Can I have my email, please? Or if you’ve ever used an MMC snap-in like DNS, DHCP, or Computer Management to remotely control those functions on a remote computer from your desktop, you’ve used RPC.

    RPC is a protocol that has provided much service over the years, but it has one big problem: it’s hard to secure. Microsoft invented RPC back in the days when there was no Internet, and the vast majority of LANs extended no farther than the distance from the first floor to the top floor in an office building, so security wasn’t all that big a concern. Years later, when security became a big concern, Microsoft tried to retrofit security onto RPC with some optional changes wrought first by XP SP2, but by that point the horse was out of the barn, and requiring RPC security would just end up breaking hundreds or perhaps thousands of RPC-dependent applications.

    Clearly, the time had come for a change in how Windows programs talk to each other, so Microsoft decided to adopt a protocol that did the same sort of thing that RPC did, with a few changes:

    It’s not proprietary but is standards-based and platform-independent—there are similar implementations popping up on Linux and Mac OS.

    It’s a modified form of HTTPS.

    Its communications are encrypted.

    It requires authentication to use.

    Components of Windows 2012 R2 that use WinRM include event log collection; the ability to use the new Server Manager snap-in on remote servers; and my personal favorite, a secure remote command shell called Windows Remote Shell, or winrs. If you need a secure, low-bandwidth remote-control tool, look to winrs. Read more about WinRM in Chapter 17, Remote Server Administration.
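The following is an added example, not code from the book, showing the two halves of what this section describes: checking the WinRM service settings on a server so that it accepts only encrypted, authenticated (Kerberos) traffic, and then using winrs and PowerShell remoting from an administrator’s workstation. The server name is a placeholder.

```powershell
# Added example (not from the book). Server name is a placeholder.
$Server = 'SRV01.corp.example'

# --- On the server: turn on the WinRM listener and tighten what the service accepts ---
# Enable-PSRemoting creates the HTTP listener (port 5985) and the matching firewall rule.
Enable-PSRemoting -Force

# Refuse unencrypted message bodies and Basic authentication; keep Kerberos,
# which is the default inside a domain and gives mutual authentication.
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item -Path WSMan:\localhost\Service\Auth\Basic       -Value $false
Set-Item -Path WSMan:\localhost\Service\Auth\Kerberos    -Value $true

# Review the result: which listeners exist and which auth methods remain enabled.
Get-ChildItem -Path WSMan:\localhost\Listener
Get-ChildItem -Path WSMan:\localhost\Service\Auth

# --- From the workstation: confirm the endpoint answers, then run something remotely ---
# Test-WSMan fails if the listener is down, the firewall blocks it, or Kerberos can't be used.
Test-WSMan -ComputerName $Server -Authentication Kerberos

# winrs: a single command whose output comes back over the WinRM channel.
winrs -r:$Server ipconfig /all

# The PowerShell equivalent; add -UseSSL once the server has an HTTPS listener with a certificate.
Invoke-Command -ComputerName $Server -ScriptBlock { Get-Service -Name WinRM | Select-Object Name, Status }
```

Because WinRM rides on HTTP(S), the only inbound port a domain member needs for remote administration is 5985 (or 5986 for HTTPS), which is far easier to filter at a firewall than the dynamic port range RPC uses.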

    Remote Desktop Services

    In Windows Server 2012 R2 Microsoft has made large strides in improving the user and management experience. Microsoft intended to improve the user experience regardless of the kind of device being used to connect. They wanted to make sure connecting through a WAN or LAN (to virtual desktops, RemoteApp programs, or session-based desktops) provides a rich experience to the user. Microsoft also wanted to make the remote desktop management experience better. We agree that they did make it better by adding a centralized console so administrators can manage Remote Desktop Services from a single location.

    You can read more about Remote Desktop Services in Chapter 17.

    Group Policy Object Improvements

    What got better? Plenty. Managing Group Policy objects (GPOs) got easier with the built-in Group Policy Management Console. In previous Windows versions, one problem that administrators had was manually forcing a GPO to update. Even though GPOs automatically update every 90 minutes, there are times when you need a GPO to take effect immediately. Administrators had to remote in to the specific computer and run gpupdate.exe from the command line to manually update a GPO.

    Now if an administrator wants to manually force a GPO update, the administrator can use the context menu for an OU in the Group Policy Management Console and schedule gpupdate.exe to run on multiple computers at the same time. Administrators can also achieve this by using the PowerShell utility and the new Invoke-GPUpdate cmdlet.
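As an added example that is not from the book, here is the scripted form of what the context menu does: enumerate the computers in an OU with the Active Directory module and schedule a forced refresh on each with Invoke-GPUpdate. The OU distinguished name is a placeholder.

```powershell
# Added example (not from the book). The OU path is a placeholder.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$OU = 'OU=FileServers,DC=corp,DC=example'

# Enabled computer accounts in the OU and any child OUs.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $OU -SearchScope Subtree

foreach ($c in $computers) {
    # -Force reapplies every setting, not only those that changed since the last refresh.
    # -RandomDelayInMinutes 0 runs now instead of spreading the refresh across the default
    # 10-minute window (keep the delay for large OUs so the domain controllers are not hit at once).
    # Invoke-GPUpdate creates a scheduled task on the target, so the target must allow the
    # Remote Scheduled Tasks Management and WMI firewall rules, just as the GPMC menu requires.
    try {
        Invoke-GPUpdate -Computer $c.DNSHostName -Target Computer -Force -RandomDelayInMinutes 0 -ErrorAction Stop
        '{0}: refresh scheduled' -f $c.DNSHostName
    }
    catch {
        '{0}: failed - {1}' -f $c.DNSHostName, $_.Exception.Message
    }
}
```

The try/catch matters in practice: a host that is off, blocked by its firewall, or missing the scheduled-task rules raises an error for that one computer, and the loop carries on with the rest rather than stopping at the first failure.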

    Here are some additional changes to Group Policy in Windows Server 2012 R2:

    When dealing with monitoring replication issues at the domain level, you no longer need to download and run separate tools.

    For devices running Windows RT, you can now configure local Group Policy. By default it is disabled, and the service must be started and set to automatic.

    Group Policy has been upgraded to support Internet Explorer 10.

    You can read more about Group Policy in Chapter 9, Group Policy: AD’s Gauntlet and Active Directory Delegation.

    File and Print Sharing

    Back before we ran web or email services on our Windows servers, we only used Server to share two things: big hard drives and expensive printers. File and print are the oldest services offered by Microsoft networks, but apparently they’re not too old to learn a few new tricks.

    BranchCache

BranchCache is a technology that optimizes WAN bandwidth by copying content from either your main location or cloud server to your branch office. Once content is copied to the branch, users can access it locally rather than over the WAN. Having the ability to cache files will conserve bandwidth and improve security. BranchCache supports offices of any size and does not limit the number of clients it can serve. BranchCache can be deployed with just a single Group Policy object (GPO). This technology uses the Windows file server to divide files into small encrypted pieces. The cool thing about dividing the files into smaller pieces is that client computers can download only the pieces that changed. BranchCache will also check for duplicate content and download only one instance of the content, saving disk space.

    In Windows Server 2012 R2, BranchCache improvements include automatic client computer configuration and big performance and scalability increases. Client computers can be configured through the use of a Group Policy object. If a GPO has not been configured for BranchCache, then BranchCache will check the hosted cache server and use those settings by default.

    One of the new advantages of BranchCache is the ability to preload specific content, like media and DVDs, on a hosted cached server and then have that content sent to the client cache.

    Another very nice advantage is the improvements that have been made to allow for better database performance. BranchCache has done this by using the Extensible Storage Engine (ESE). This is the same database technology used by Microsoft Exchange Server. It allows scaling of a single hosted cache server to handle the increased demands of more people without having to increase hardware.

Hosted cache servers no longer need a server certificate issued by a certificate authority (CA). This greatly reduces the cost of deploying certificates from one or more CAs to your hosted cache servers.
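The BranchCache paragraphs above describe three things: a hosted cache server that no longer needs a CA-issued certificate, clients that find the server on their own, and preloading content on the hosted cache. The following is an added example (not from the book) that walks through all three with the BranchCache PowerShell module. The server name, folder paths, and the package file name are assumptions.

```powershell
# Added example (not from the book). Server name and paths are placeholders.
Import-Module BranchCache

# --- Branch office: the hosted cache server ---
Install-WindowsFeature -Name BranchCache
# -RegisterSCP publishes a service connection point in AD so domain clients can
# discover this server without a GPO naming it (new in 2012 R2, no certificate needed).
Enable-BCHostedServer -RegisterSCP

# --- Branch office clients (if you do not rely on SCP discovery or a GPO) ---
Enable-BCHostedClient -ServerNames 'BRANCH-HC01.corp.example'
# With no hosted cache server at all, peers cache for each other instead:
# Enable-BCDistributed

# Confirm what the client ended up with (mode, cache size, service state).
Get-BCStatus | Select-Object -ExpandProperty ClientConfiguration

# --- Preloading content, as described above ---
# On the content (file) server: hash the files and stage them into a package.
Publish-BCFileContent -Path 'D:\Media' -Recurse -StageData -StagingPath 'D:\BCStaging'
Export-BCCachePackage -Destination 'D:\BCPackage' -StagingPath 'D:\BCStaging'

# On the hosted cache server, after copying the package over by any means
# (file name assumed to be what Export-BCCachePackage writes):
Import-BCCachePackage -Path 'D:\BCPackage\PeerDistPackage.zip'
Get-BCStatus | Select-Object -ExpandProperty HostedCacheServerConfiguration
```

The package carries only encrypted content blocks; clients still obtain the content information (the hashes and keys) from the original server after an access check, so preloading does not bypass the file server’s permissions.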

    SMB 3.0

    Windows’ file server service bears the official name of SMB, which stands unhelpfully for Server Message Block. (Blame IBM, not Microsoft, because an IBM guy first designed it.) SMB has changed little over its roughly 25 years of life, with its biggest changes being support of somewhat bigger block sizes so as to be able to make use of networks faster than 100 Mbps (appeared in 2000), the ability to handle multiple paths, and the addition of digital signatures so as to foil man-in-the-middle attacks (appeared in 2001).

    Windows Server 2012 R2 sports a somewhat reworked version of SMB that handles slow networks better, handles encryption more intelligently, cranks up throughput on file transfers, and supports PowerShell.
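As an added example that is not from the book, the script below shows the “handles encryption more intelligently” part in practice: encryption is a per-share (or server-wide) switch in SMB 3.0, and you can see on a connected client which dialect and protection a session actually negotiated. The share name, path, and group names are placeholders.

```powershell
# Added example (not from the book). Share name, path, and groups are placeholders.
$ShareName = 'Finance'
$SharePath = 'D:\Shares\Finance'

# --- On the file server ---
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath `
        -FullAccess 'CORP\Finance-Admins' -ChangeAccess 'CORP\Finance-Users' `
        -EncryptData $true
}
else {
    # Turn encryption on for an existing share without touching its permissions.
    Set-SmbShare -Name $ShareName -EncryptData $true -Force
}

# Clients that cannot speak SMB 3.0 (XP, Vista, Windows 7, Server 2008 R2) are refused
# for encrypted shares by default; state it explicitly so nobody relaxes it by accident.
Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force

# The 2001-era defence is still there and separate: require signing for all SMB traffic.
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# Encrypt every share on this server instead of picking shares:
# Set-SmbServerConfiguration -EncryptData $true -Force

# Sessions currently open against this server and the dialect each negotiated.
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect

# --- On a connected client (Windows 8 / 2012 or later) ---
# Dialect 3.00 or 3.02 together with Encrypted = True is what you want to see.
Get-SmbConnection | Select-Object ServerName, ShareName, Dialect, Encrypted, Signed
```

Note the trade-off the text hints at with “more intelligently”: encryption is negotiated per share, so a server can keep plain SMB for a public software share while forcing encryption on the one holding payroll, without the client needing any configuration.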

    File Server Resource Manager

    You can manage data stored on a file server using the tools in File Server Resource Manager. Some of the tools included help you to automate classification and reporting and manage files and quotas.

With Dynamic Access Control’s File Classification Infrastructure you can control and audit access to files on the file server. You now have more control over how your files are classified on your file servers. With the enhanced features, classifying files can be done manually or automatically.

    You can read more about this topic starting in Chapter 13, Files, Folders, and Basic Shares.

    Web-based Services

    Finally, there’s the subset of the Internet that’s become more important than all the rest of the Net put together: the Web and related services. They’re important to Windows, and they saw some big changes in 2012 R2.

    Web Server IIS

    Windows’ file services may not have changed much over the years, but that’s not the case for Windows’ web server. One key to hardening any server product is to keep the amount of code exposed to the Internet to a bare minimum; if a web server can support, for example, something called FastCGI but your website doesn’t need FastCGI, then why run FastCGI on an Internet-facing server and risk the possibility that someone discovers a way to use IIS’s FastCGI to hack the server? Clearly you wouldn’t, so it’d be nice to just strip your web server software of the things that you aren’t going to need. (Security folks call this minimizing the attack surface. Sometimes we think they play too much Halo.)

The perfect web server, then, would be composed of dozens of small modules, each of which could be removed or added as needed to allow the web administrator to build a web server that did exactly what she needed it to do . . . but no more. That was the guiding light for Windows Server 2008’s IIS 7.0, a complete overhaul of IIS that brought in some of the latest security technologies, among them WinRM. (When you’re doing remote administration of an IIS 7 box, you’re using that protocol rather than RPC.)

    Hacking IIS 7.0

    No one has hacked IIS 7 yet to my knowledge, nor have they taken down IIS 7.5, which is the update shipped with Windows Server 2008 R2. Web admins also liked the cleaner, task-oriented interface of 7.x’s IIS administration tools.

    Knowing how companies live and breathe on the Internet in today’s market, we would expect no less from Microsoft than for it to wave its technology wand across the web server. With the release of Windows Server 2012 R2 comes the newest version of the web server, IIS 8.0 (Figure 1.4). IIS 8.0 has also received a wealth of new rich features to administer and secure your website. Here are a few important changes made in IIS 8.0:

    Figure 1.4 IIS’s new management tool

    Application initialization

    Dynamic IP address restrictions

    Centralized SSL Certificate Support

    CPU throttling

    FTP logon attempt restrictions

    Server Name Indication (SNI) support

    Improved SSL and configuration scalability

    Support for multicore scaling on NUMA hardware

    Even if you’re not a webslinger by trade, it’s never a bad idea to understand the current Windows web server—so don’t skip Chapter 19, Web Server Management with IIS.

    Microsoft Management Console Gets the Ax!

In Windows Server 2012 R2 the Internet Information Services (IIS) 6.0 Manager Microsoft Management Console (MMC) snap-in is deprecated. In future releases of Windows Server, it will be removed.

    FTP Server

Microsoft gets some things right and some things wrong. In a few cases, the company gets things terribly wrong, as was the case with the built-in File Transfer Protocol (FTP) server software that shipped with Windows for the past 15 years or so. It was so clunky, so difficult to configure, and so minimal in its logging, and it made things that should have been childishly easy to configure (such as user home directories) so hard, that just about everyone who needed a Windows FTP server ended up shelling out a few bucks for a third-party FTP server. Starting with Windows Server 2008 and R2, however, things changed considerably. As far as we can see, Microsoft tossed out all the FTP server code and rebuilt it from scratch. In Windows Server 2012 R2, they also added the ability to restrict the number of failed logon attempts that can be made to an FTP account in a certain period. So if you need a Windows-based FTP server, flip over to the IIS chapter (Chapter 19) to learn about the new changes to the FTP server.
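Two of the IIS 8.0 items in the list above, dynamic IP address restrictions and FTP logon attempt restrictions (the feature this FTP section ends on), are plain configuration sections that you can set with the WebAdministration module. The following is an added example, not the book’s code; the site name and the thresholds are assumed starting points rather than Microsoft recommendations.

```powershell
# Added example (not from the book). Site name and thresholds are assumptions.
Import-Module WebAdministration

# Dynamic IP restrictions ship with the IP and Domain Restrictions role service.
Install-WindowsFeature -Name Web-IP-Security

$site = 'IIS:\Sites\Default Web Site'
$dyn  = '/system.webServer/security/dynamicIpSecurity'

# Deny a client that holds too many concurrent requests open ...
Set-WebConfigurationProperty -PSPath $site -Filter "$dyn/denyByConcurrentRequests" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter "$dyn/denyByConcurrentRequests" -Name maxConcurrentRequests -Value 20
# ... or that sends more than 50 requests in any one-second interval.
Set-WebConfigurationProperty -PSPath $site -Filter "$dyn/denyByRequestRate" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter "$dyn/denyByRequestRate" -Name maxRequests -Value 50
Set-WebConfigurationProperty -PSPath $site -Filter "$dyn/denyByRequestRate" -Name requestIntervalInMilliseconds -Value 1000

# Start in logging-only mode: the would-be blocks show up in the IIS log so you can
# size the thresholds against real traffic before switching this to $false.
Set-WebConfigurationProperty -PSPath $site -Filter $dyn -Name enableLoggingOnlyMode -Value $true
# Behind a load balancer or reverse proxy, evaluate X-Forwarded-For rather than the
# proxy's own address, otherwise one busy proxy IP trips the limit for everyone:
# Set-WebConfigurationProperty -PSPath $site -Filter $dyn -Name enableProxyMode -Value $true

# FTP logon attempt restrictions are server-wide (applicationHost.config): after four
# failed logons from one address within 30 seconds, that address is denied for the period.
$ftp = '/system.ftpServer/security/authentication/denyByFailure'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $ftp -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $ftp -Name maxFailure -Value 4
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $ftp -Name entryExpiration -Value '00:00:30'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $ftp -Name loggingOnlyMode -Value $false

# Read both sections back to confirm what is now in effect.
Get-WebConfiguration -PSPath $site -Filter $dyn | Format-List
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $ftp | Format-List
```

Both features are rate limits on a source address, which is why the logging-only step matters: a NAT gateway in front of a large office looks like one very busy client, and the thresholds have to be chosen with that in mind.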

    You can read more about web server management in Chapter 19.

    Chapter 2

    Installing and Upgrading to Windows Server 2012 R2

    Experienced Windows Server administrators and consultants might feel the urge to skip this chapter. You might be thinking that you don’t need to go through this material again. We urge you to think twice about that. We will be covering the fundamentals, but we will also be going through some details that you will probably not already know and that you will find useful.

    Your first experience of Windows Server is probably going to be a manual installation of the operating system on a lab or virtual machine. Depending on the complexity of your environment and your upgrade/migration plans, you may decide to continue with manual installations or even consider automated installations. No matter what you choose, you’ll probably want to read this chapter to understand what the typical installation steps are.

    In this chapter, we’ll cover a clean manual installation and a manual upgrade of Windows Server. From there we’ll delve into installation and upgrade strategies for Active Directory. If you are performing many installations of Windows Server, then you will like this next piece. We will discuss how you can save some time and keyboard wear and tear by automating your installations of Windows Server 2012 R2 using an unattended installation answer file that you will create using Windows System Image Manager.

    In this chapter, you’ll learn to:

    Upgrade your old servers

    Configure your server

    Build a small server farm

    What Has Changed?

    We think you’ll find installing Windows Server 2012 R2 much simpler than installing any previous version of Windows Server. If you have installed Windows 8 or Windows Server 2008, then you have a good idea of what to expect from Windows Server 2012 R2 installations. The installation routine really has been trimmed down to ask for just the basics to give you a secure installation that you can then customize.

    Let’s look at that last sentence. It’s something we’ve heard before, but you might not have noticed much of a difference. You’ll see it straightaway with Windows Server 2012 R2. What does that mean? There is much less functionality installed. Microsoft has not made any assumptions about what you will need this server to do. A clean, default installation of Windows Server 2012 R2 can’t really do very much. It has no functionality installed. It’s actually up to you to decide what this server will do on your network and what functionality should be installed. The result of this is that the server has a much smaller attack surface. What does that mean? The more functionality you install on a computer, the more targets you present to attackers. The goal should be to install only the functionality you require, in other words, to reduce the number of targets or minimize your attack surface. Furthermore, on the security side, the operating system is locked down by default. The first thing it does when it initially boots up is request a new administrator password. You’ll also find that the Windows Firewall is on by default. This operating system pretty much isolates itself from the network until you configure it. Microsoft puts you in total control of how this new server interacts with your network and/or the Internet.

    Does this sound like it is going to be a lot of work to get a server up and running? Maybe, but actually Microsoft has made it pretty easy. If you are doing a few manual installations or upgrades, then you can quickly configure your servers using Group Policy and Server Manager. We’ll talk about Server Manager later. If you’re deploying many servers, then you’ll want to look at automated solutions such as Windows Deployment Services or your favorite third-party solution. Again, you can use Group Policy to deploy policies and use the command-line version of Server Manager, called PowerShell, in a scripted manner to customize the roles and features of the server.
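As an added example that is not from the book, here is the scripted version of the “install only what you need” approach described above: see what a fresh installation actually has installed, confirm the firewall state, add one role, and then review what that role dragged in. The role names are the real Server Manager feature names.

```powershell
# Added example (not from the book).
Import-Module ServerManager

# What a clean install has installed: on a default server this is a short list.
Get-WindowsFeature | Where-Object { $_.Installed } | Select-Object Name, DisplayName

# The firewall is on for every profile after setup; check it before opening anything.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# Add exactly one role plus its management tools, and nothing else.
Install-WindowsFeature -Name Web-Server -IncludeManagementTools

# Review what the role brought with it; remove sub-features you will not use
# (each one is code listening to the network that an attacker could target).
Get-WindowsFeature -Name Web-* | Where-Object { $_.Installed } | Select-Object Name, DisplayName
# Example: a server that serves only application content has no need for directory listings.
# Uninstall-WindowsFeature -Name Web-Dir-Browsing
```

Run against a remote server with -ComputerName on Get-WindowsFeature and Install-WindowsFeature, this is the same loop you would put into a deployment script for many servers.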

    How about Server Core?

    You can learn a bit more about the Server Core installation of Windows Server in Chapter 3, Managing a Server without a Desktop: Server Core. The Server Core installation uses some different tools for configuring the functionality installed on a server.

    How are you going to deploy Windows Server 2012 R2? There are some complications here. Windows Server 2012 R2 is available with only 64-bit architectures. Microsoft is shifting all of its server products to be 64-bit only. This means you cannot upgrade from 32-bit installations of Windows Server 2008. You’ll have to do a clean install on new hardware and move any services or data. If you have 64-bit server deployments, then you can do an in-place upgrade. This can be a time-saver, but it’s not usually recommended. Microsoft pretty much urges you to do a clean install every time. However, if your server is running just Microsoft features, roles, and applications (all being 64-bit), then an in-place upgrade is possible. We’ve done this and had reliable servers afterward.

    Installation Requirements

    In previous versions of Windows Server, there would be different requirements for each edition of Server you wanted to install, that is, Enterprise versus Standard edition. In Windows Server 2012 R2, Enterprise edition is no longer available and the requirements have been scaled down to just one set for all editions.

    As usual, you are given a set of minimum and recommended requirements with the operating system. Be aware that minimum means exactly that; the operating system will run, but it will not necessarily run very well. You should also take account of the applications that will be installed and the load that will be placed on your server.

    This can vary wildly depending on applications and organizations, so there are no hard-and-fast rules on what your server specifications should be. The best thing to do to get accurate specifications is to develop a pilot environment and generate loads on your proof-of-concept servers while monitoring the performance and responsiveness of the servers and applications. However, if your server is going to have moderate loads in a small environment, then you’re probably going to be OK with the recommended specifications.

    Table 2.1 describes the requirements from Microsoft for Windows Server 2012 R2.

    Table 2.1: Windows Server 2012 R2 Requirements

    Auditing Your Current Infrastructure

    It is critical that you accurately audit your existing infrastructure if planning a major change such as a server operating system deployment. Microsoft has provided a free suite of tools in the Microsoft Assessment and Planning Toolkit for Windows Server 2012 R2 (http://tinyurl.com/ycpuk3l). This easy-to-use toolkit can audit your servers as well as check hardware and driver compatibility. From this you can create reports to plan any changes.

    64-Bit Support

    Windows Server 2012 R2 is available only as a 64-bit product. We’ll reinforce that: there are no x86 or 32-bit versions of Windows Server 2012 R2.

    Here are some notes on deploying x64 servers:

    Your hardware support for x64 is probably not a huge issue: The major vendors have been selling x64 processors for years for their mainstream products. You can do a quick audit of your server hardware and check for 64-bit support.

    A lot of 32-bit applications should be able to run on the x64-only Windows Server 2012 R2: This is thanks to 32-bit emulation provided by the Windows-on-Windows (WOW32) subsystem. Don’t count just on this; please check with application vendors, and test in a lab before making firm plans to upgrade servers from Windows Server 2008 to Windows Server 2012 R2.

    You cannot do an upgrade from x86 to x64: This precludes upgrading from an x86 installation of Windows Server 2003 or Windows Server 2008 to Windows Server 2012 R2. Getting your servers from x86 to x64 will require a migration plan from one physical server to another.

    64-bit builds of Windows require digitally signed kernel mode drivers: Sure, the operating system will allow you to install those drivers with a warning, but they will never actually load. Make sure your hardware vendor provides suitably signed x64 drivers for Windows Server 2012 R2. Very often we see people complaining about Microsoft for driver issues, but this is really something that your hardware vendor is responsible for. Printer drivers do appear to be something in particular to watch out for!

    As with any project, preparation is the key to success. Review the hardware requirements, and check out application and service compatibility before moving forward with any deployment of Windows Server 2012 R2.

    So, What Are You Going to Deploy?

Many who deployed Windows Server 2008 knew that x86 support from Microsoft in the datacenter was ending. They deployed x64 builds wherever possible. They did the same for their customers. Key products like SQL Server 2008 have native x64 editions. When deploying Windows Server 2008, they were already doing an operating system deployment project, so they decided this was the best time to make that 64-bit jump. Sure, there have been times when they have been forced to go with x86 builds because of third-party application vendor support statements. That’ll mean there will be a migration at some later point.

    Check the hardware, drivers, application vendor support, and printers. Test everything in a lab. If all is well, then deploy that server as Windows Server 2012 R2 depending on your licensing and your project aims.

    For a lab, you might want to look at Microsoft’s virtualization solution, Hyper-V. Hyper-V is included as part of Windows Server 2012 R2; you run virtual machines with x64 or x86 operating systems, even Xen-enabled Linux. Hyper-V also requires CPU-assisted virtualization and Data Execution Prevention (DEP) to be turned on in the BIOS. We recommend taking advantage of this technology (or even one of the competitors if you prefer them). You can learn more about Hyper-V later in this book.
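The checks called for in the 64-bit notes above (x64 processor and operating system, signed kernel drivers) and the Hyper-V prerequisites just mentioned (CPU-assisted virtualization and DEP) can be gathered from WMI in one pass. The function below is an added example, not part of the book; the computer names are placeholders, and the virtualization and DEP properties are only reported by the newer WMI on Windows 8 / Server 2012 and later, so they come back empty on older hosts.

```powershell
# Added example (not from the book). Requires PowerShell 3.0 on the machine running it;
# the target servers only need WMI reachable. Computer names are placeholders.
function Get-UpgradeReadiness {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    foreach ($cn in $ComputerName) {
        $cpu = Get-WmiObject -Class Win32_Processor -ComputerName $cn | Select-Object -First 1
        $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $cn

        # Win32_PnPSignedDriver lists every PnP driver with its signing state; entries with
        # no provider are software/virtual devices and are skipped.
        $unsigned = Get-WmiObject -Class Win32_PnPSignedDriver -ComputerName $cn |
            Where-Object { $_.DriverProviderName -and -not $_.IsSigned } |
            Select-Object -ExpandProperty DeviceName

        [pscustomobject]@{
            Computer        = $cn
            CurrentOS       = $os.Caption
            CpuIs64Bit      = ($cpu.AddressWidth -eq 64)
            # x86 OS on x64 hardware means migrate, not in-place upgrade.
            OsIs64Bit       = ($os.OSArchitecture -like '64*')
            # $null here means "older WMI, check the BIOS by hand".
            VirtFirmwareOn  = $cpu.VirtualizationFirmwareEnabled
            DepAvailable    = $os.DataExecutionPrevention_Available
            UnsignedDrivers = ($unsigned -join '; ')
        }
    }
}

# Usage: audit several servers at once, then keep the table for the project file.
Get-UpgradeReadiness -ComputerName 'SRV01', 'SRV02' | Format-Table -AutoSize
```

Any name in the UnsignedDrivers column is a driver that will install with a warning on Windows Server 2012 R2 but never load, exactly the case the printer-driver note above warns about, so that column is the one to send to the hardware vendor before the project starts.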

    Installing the Operating System

    Your first installations of Windows Server 2012 R2 in your live or laboratory environment will probably be either a clean installation or an upgrade installation. There are some other, more advanced ways to install Windows:

    An unattended installation: We’ll talk about that a little later in this chapter.

    A cloned installation using ImageX from the Windows Automated Installation Kit.

    One of Microsoft’s deployment solutions such as Windows Deployment Services (WDS): This is an advanced installation performed over the network using functionality that is included in Windows Server 2012 R2.

    Third-party solutions: Ghost is the classic example of a third-party cloning solution that works in conjunction with Microsoft’s sysprep tool.

    We’re going to look at the clean installation and the upgrade installation processes now. We’ve already mentioned that the installation process is pretty simple.

    The clean installation process is very simple in Windows Server 2012 R2. You’re pretty much only being asked to do the following:

    1. Select a language, time and currency format, and keyboard method.

    2. Choose an edition and build of Windows Server.

    3. Agree to the license agreement.

    4. Choose between a manual and upgrade installation.

    5. Configure the disk.

    6. Set the default administrator password.

    7. Log in.

    There are some options during this flow:

    Install a driver if needed.

    Repair an existing installation of the operating system on the computer.

    In the next section, we’ll cover completing this flow for a clean installation and an upgrade installation. Then we’ll cover some of the options that are presented during the installation and follow that up with showing how to customize the installation of the operating system.

    Performing a Clean Installation

    A clean installation refers to installing the operating system onto a computer that does not have an installation present or one that you want to keep. In our example, we are dealing with a computer that has no previous installation. We are assuming that you have not done any of this before, so we are going to get back to basics. More advanced readers might be tempted to skip ahead to another section, but we recommend that you at least skim this section to see what has changed.

    Windows Server 2012 R2 comes on a DVD. It’s a pretty large installation. Ensure your server has a DVD-ROM drive, and then insert the DVD media. Alternatively, if you are using a virtual machine, you can redirect the virtual CD/DVD to the Windows Server DVD ISO image that you have downloaded from Microsoft or created from your original media.

    What, No DVD Drive?

    You may have a server that doesn’t have a DVD drive. If so, you could look at one of the advanced network installation methods mentioned earlier. But you can also install Windows Server 2012 R2 from a USB thumb drive. You can find a set of instructions on this blog post by a Microsoft employee: http://tinyurl.com/ktz5fq.

    Once the media is loaded, you should power up your server and ensure that your server boots from the DVD drive. Normally, a computer with a blank hard disk will boot from the DVD drive by default. If the computer fails to boot from the DVD, then there may be one of a few things going on. There may be a valid operating system on the hard disk that is booting up by default. You might have a boot menu available in your computer that is briefly made available during or after the Power-On Self Test (POST). Alternatively, your server might not get the option to boot from DVD because of a boot configuration. You can alter this by entering the BIOS and making a change there. These two options will vary depending on your hardware, so you should consult your hardware vendor’s documentation or contact their support desk. In most cases it will show something like Boot Order. We have also seen situations where we have burned the DVD from an ISO file but we used a write-speed that was too fast to ensure a good burn.

    In the following examples, we’ll cover how to install Windows Server 2012 R2.

    Figure 2.1 is the first screen you’ll see. It allows you to customize the installation language, time and currency format, and the keyboard settings of the server. You’ll need to change some settings here if the defaults do not match your language, region, and keyboard. For example, if you are in Ireland using an Irish-based keyboard, then these defaults won’t suit you at all! The time zone won’t work correctly, currency symbols will be wrong, and the keyboard layout will be totally wrong. For example, you will struggle to find the backslash (\), which is kind of important in the Windows world.

    Figure 2.1 Setup environment to install Windows

    The Language to install option will vary depending on the languages supported by your DVD. Most people reading this book will probably deal with English-based media, even those in non–English speaking nations. But you may be choosing Spanish, French, German, Chinese, and so on, depending on where you are and what your company standards are.

    The Time and currency format setting affects how Windows presents and formats those regional-specific settings. You’ll probably always want to ensure that this matches the location where your server is located.

    The Keyboard or input method setting should match the keyboard that is physically attached to the computer. Keyboards can often vary from country to country, so make sure that this is correct. Don’t worry; it won’t affect your ability to manage a server using Remote Desktop. An RDP session will use the keyboard settings of the client computer that connects to the server.

    The screen shown in Figure 2.2 allows you to do a couple different things:

    Figure 2.2 Install Windows now.

    You can kick off an installation.

    You can troubleshoot and repair an existing installation of Windows Server 2012 R2.

    In this example, you’ll install Windows Server 2012 R2, so click the Install Now button.

    GUI Installation or Server Core

You’ll also see that you have a choice of installation types. This was introduced with Windows Server 2008. The GUI installation has lots of windows and graphical user interfaces. The Server Core installation strips that GUI away and assumes you’re comfortable with command-line and remote administration techniques.

    You’ll learn a lot more about the Server Core installation in Chapter 3.

    In this example, we’ll show how to set up a lab, so we want most of the functionality available in Windows Server 2012 R2. Select the Windows Server 2012 R2 Standard Evaluation (Server with a GUI) option (see Figure 2.3).

    Figure 2.3 Choosing an edition and installation type

    You now get the opportunity to read the legendary Microsoft end user license agreement (EULA), as shown in Figure 2.4. Most techies are going to just click I accept the license terms and click Next without ever reading it.

    Figure 2.4 Agreeing to the EULA

The screen in Figure 2.5 allows you to choose between a new or custom installation of Windows Server 2012 R2 and an in-place upgrade. You can choose to do an upgrade only when you have a previous version of Windows Server 2008 R2 to upgrade. Remember that you cannot upgrade from x86 to x64. You also cannot upgrade from a Server Core installation to a full installation, or vice versa. For this example, you’re doing a clean or new installation, so click Custom to continue.

    Figure 2.5 Upgrade or clean installation?

    A few different things are going on in Figure 2.6. You’ll probably click Next if you’re dealing with a simple server where you want all the space in your first disk to be in your C drive. Clicking Next will cause Windows to create a volume called C that will consume the entire first disk in the server.

    Figure 2.6 Setting up the drive to install Windows

    However, what will you do if you want to partition that disk into different volumes? For example, you might want to create a volume to separate web content from the operating system for security reasons. To do this, you would click Drive Options. The screen shown in Figure 2.7 opens.

    Figure 2.7 Drive options

    On this screen, you can delete, create, and format volumes as you need them. You’ll find yourself coming in here when you don’t want to accept the default of using the entirety of your first disk (Disk 0) for the C drive. If you choose to add a new partition, simply click New and then select the size of the partition you need and select Apply.

    But what if your installer fails to find any disks at all? You’ve double-checked your hardware and found nothing wrong. The cables are fine, and your BIOS can see all of your disks. Well, odds are the installer doesn’t have the required driver to access your storage controller. As time goes by, this will become more and more common as newer storage controllers are released into the market. You can add a driver by clicking Load Driver. The dialog box shown in Figure 2.8 opens.

    Figure 2.8 Adding a mass storage controller driver

It used to be that the storage controller driver had to be supplied on a floppy disk. That would be a problem considering that servers usually don’t come with a floppy drive anymore and Microsoft really wants to kill off the need to use disks. This dialog box allows you to navigate to a floppy disk, CD, DVD, or even a USB flash drive to access the required storage driver. Make sure your driver media is inserted, wait a few moments, and then navigate to find it.

    Return to the Where do you want to install Windows? screen, and then configure your disk before continuing.

    You’re getting close to the end now. The dialog box in Figure 2.9 is where the installer actually installs Windows Server 2012 R2 for you. It takes a little while, depending on your install media and destination drive. You can probably get a coffee or answer some of those emails that never seem to stop arriving in your inbox.

    Figure 2.9 Windows installation progress

    Figure 2.10 shows the first screen you’ll see when you come back from your break. Before you can log in, Windows Server 2012 R2 wants you to set the password of the local administrator account. A complex
