Tuesday, April 24, 2012

Quick Check Facts for Windows Server 2008, Active Directory Network Infrastructure


  • IPv6 address space is 128 bits (16 bytes)
    • Large address space. The 128 bits are divided along 16-bit boundaries; each 16-bit block is written as a 4-digit hexadecimal number and the blocks are separated by colons, known as colon-hexadecimal notation.
  • Simpler host configuration. IPv6 supports dynamic client configuration by using DHCPv6 and IPv6 also enables routers to configure hosts dynamically.
  • Improved routing efficiency. Reduces how many routes the Internet must process by supporting hierarchical routing.
  • Built-in security. IPv6 ensures all hosts encrypt data while in transit by including native IPSec support.
  • IPv6 address types
    • Unicast. Packets delivered to a unicast address are delivered to a single interface, one-to-one communication
    • Multicast. Packets are delivered to multiple interfaces, one-to-many. One-to-many communication between computers that are defined as using the same multicast address. Multicast addresses have the first 8 bits set to 1111 1111 or FF
    • Anycast. Identifies multiple interfaces, but delivered to a single interface, the closest one.  Used for locating services or the nearest router.
  • Global Unicast address
    • Equivalent to IPv4 public addresses
    • Identified by the FP (Format Prefix) of 001 (globally routable and reachable on the IPv6 Internet)
    • The scope of a global unicast address is the entire IPv6 Internet
    • The address prefix of a currently assigned global address is 2000::/3
    • The combination of the first 3 high-order fixed bits and the 45-bit Global Routing Prefix is a 48-bit prefix assigned to an individual site
    • The next 16 bits are the Subnet ID 
    • The Interface ID field is the next 64-bits 
  • Link-local Unicast address
    • Used by nodes to communicate on the local network segment and for neighbor discovery processes
    • Identified by the FP of 1111 1110 10
    • Link-local addresses are equivalent to APIPA IPv4 addresses and always automatically configured
    • Link-local addresses always begin with FE80
    • The prefix for link-local addresses is always FE80::/64
    • An IPv6 router never forwards a link-local address beyond the link
  • Site-local Unicast address 
    • Equivalent to the IPv4 private site addressing
    • Identified by the FP of 1111 1110 11
    • The scope of the site-local address is the site/organization
    • The site-local address must be assigned through stateless or stateful address configuration
    • The first 10 bits of a site-local address are always fixed, FEC0::/10
    • The next 54 bits is a subnet identifier (Subnet ID field)
    • After the 54-bit Subnet ID field, is the 64-bit Interface ID field that identifies a specific interface in the subnet
  • Special IPv6 Unicast address
    • Unspecified address 0:0:0:0:0:0:0:0 or :: indicates the absence of an address
    • Loopback address 0:0:0:0:0:0:0:1 or ::1 identifies the loopback interface and enables a node to send packets to itself; equivalent to the IPv4 loopback address 127.0.0.1
  • Compatibility Unicast address
    • To aid in the migration of IPv4 to IPv6 and the coexistence of both types
  • To enable ISATAP (Intra-Site Automatic Tunnel Addressing Protocol)
    • IPv6 transition mechanism to transmit IPv6 packets on top of an IPv4 network
    • Disabled by default in Server 2008
    • netsh interface isatap set state enabled
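
The address types above are distinguished purely by their leading bits (the format prefix). As an added example, not part of the original notes, this Python script classifies an address by those prefixes and splits a global unicast address into the 48-bit site prefix, 16-bit Subnet ID and 64-bit Interface ID fields listed above. It uses only the standard-library ipaddress module; the sample addresses are constructed (2001:db8::/32 is the documentation prefix).

```python
import ipaddress

# Address types from the notes above, keyed by their leading bits (format prefix).
# More specific entries come first so that :: and ::1 are not reported as "other".
IPV6_TYPES = [
    (ipaddress.IPv6Network("::/128"),    "unspecified"),         # ::  (all zeros)
    (ipaddress.IPv6Network("::1/128"),   "loopback"),            # ::1
    (ipaddress.IPv6Network("ff00::/8"),  "multicast"),           # first 8 bits 1111 1111
    (ipaddress.IPv6Network("fe80::/10"), "link-local unicast"),  # FP 1111 1110 10
    (ipaddress.IPv6Network("fec0::/10"), "site-local unicast"),  # FP 1111 1110 11
    (ipaddress.IPv6Network("2000::/3"),  "global unicast"),      # FP 001
]


def classify_ipv6(text):
    """Return the address type for an IPv6 address written in colon-hexadecimal form."""
    addr = ipaddress.IPv6Address(text)
    for net, kind in IPV6_TYPES:
        if addr in net:
            return kind
    return "other"


def split_global_unicast(text):
    """Split a global unicast address into its three fields:
    the 48-bit site prefix (3 fixed bits + 45-bit Global Routing Prefix),
    the 16-bit Subnet ID and the 64-bit Interface ID."""
    if classify_ipv6(text) != "global unicast":
        raise ValueError(f"{text} is not a global unicast address")
    bits = int(ipaddress.IPv6Address(text))
    site_prefix = ipaddress.IPv6Network(((bits >> 80) << 80, 48))  # top 48 bits, as a /48
    subnet_id = (bits >> 64) & 0xFFFF                               # next 16 bits
    interface_id = bits & ((1 << 64) - 1)                           # low 64 bits
    return str(site_prefix), subnet_id, interface_id


if __name__ == "__main__":
    # constructed sample addresses, one per type
    for sample in ("::", "::1", "ff02::1", "fe80::1", "fec0::1", "2001:db8:abcd:1234::1"):
        print(f"{sample:>24}  {classify_ipv6(sample)}")
    print(split_global_unicast("2001:db8:abcd:1234::1"))
```

The check order matters: fe80::/10 and fec0::/10 are both carved out of the wider fe00::/7 range, so a classifier that tested a coarser prefix first would mislabel them.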


IPv4

  • IPv4 address space is 32-bit binary (Base 2)
    • Divided along 8-bit boundaries called octets, each converted to decimal and separated by periods, known as dotted-decimal notation
    • The number of hosts depends on the number of bits in the subnet mask
    • The subnet mask determines which part is the network address and which part is the host address
  • To calculate the number of usable hosts from the host bits in a subnet mask
    • 2^n - 2, where n is the number of host bits (the all-zeros host ID is the network address and the all-ones host ID is the broadcast address, so neither can be assigned to a host)
  • Types of IPv4 addresses
    • Unicast. One-to-one communication, a single network interface assigned to one subnet
    • Multicast. One-to-many communication, assigned to one or more interfaces assigned to multiple subnets
    • Broadcast. One-to-everyone communication, assigned to all network interfaces located on a subnet
  • Network classes
    • Class A. Default subnet mask 255.0.0.0 and have 0-127 as their first octet.
      • 10.0.0.0 - 10.255.255.255 are used for private IP addressing
      • 127.0.0.1 is used for a loopback address
    • Class B. Default subnet mask 255.255.0.0 and have 128-192 as their first octet.
      • 169.254.0.1 - 169.254.255.254 are used for APIPA 
      • 172.16.0.0 - 172.31.255.255 are used for private IP addressing
    • Class C. Default subnet mask 255.255.255.0 and have 192-223 as their first octet.
      • 192.168.0.0 - 192.168.255.255 are used for private IP addressing
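
As an added example (not from the original notes), the following Python script works the subnet arithmetic above: it derives n from a dotted-decimal mask, applies 2^n - 2, splits an address into network, host and broadcast parts, and names the private, APIPA and loopback ranges listed above in their CIDR form (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, 127.0.0.0/8). It uses only the standard-library ipaddress module; the sample addresses are constructed.

```python
import ipaddress


def mask_to_host_bits(mask):
    """Return n, the number of host bits, for a dotted-decimal subnet mask."""
    m = int(ipaddress.IPv4Address(mask))
    prefix = bin(m).count("1")
    # a valid mask is a run of ones followed by a run of zeros
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return 32 - prefix


def usable_hosts(mask):
    """2^n - 2 usable hosts: the all-zeros host ID is the network address and
    the all-ones host ID is the broadcast address, so neither goes to a host."""
    return max(2 ** mask_to_host_bits(mask) - 2, 0)


def split_address(addr, mask):
    """Split an address into (network address, host number, broadcast address):
    mask bits set = network part, mask bits clear = host part."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    mask_to_host_bits(mask)                      # validate the mask first
    host_bits = ~m & 0xFFFFFFFF
    network = a & m
    return (str(ipaddress.IPv4Address(network)),
            a & host_bits,
            str(ipaddress.IPv4Address(network | host_bits)))


# CIDR form of the special ranges listed in the notes above
SPECIAL_RANGES = [
    ("loopback", ipaddress.IPv4Network("127.0.0.0/8")),
    ("private, Class A range", ipaddress.IPv4Network("10.0.0.0/8")),
    ("APIPA", ipaddress.IPv4Network("169.254.0.0/16")),
    ("private, Class B range", ipaddress.IPv4Network("172.16.0.0/12")),
    ("private, Class C range", ipaddress.IPv4Network("192.168.0.0/16")),
]


def address_scope(addr):
    """Name the special range an address falls in, or 'public' if none matches."""
    a = ipaddress.IPv4Address(addr)
    for label, net in SPECIAL_RANGES:
        if a in net:
            return label
    return "public"


if __name__ == "__main__":
    # constructed sample values
    for mask in ("255.0.0.0", "255.255.0.0", "255.255.255.0", "255.255.255.252"):
        print(f"{mask:>15}  host bits {mask_to_host_bits(mask):2}  usable hosts {usable_hosts(mask)}")
    print(split_address("192.168.10.77", "255.255.255.0"), address_scope("192.168.10.77"))
```

A /32 mask (255.255.255.255) gives 2^0 - 2 = -1 by the formula, which the code clamps to zero; a non-contiguous mask such as 255.0.255.0 is rejected rather than silently producing a host count.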
DHCP
  • DHCPv6 can provide stateless configuration settings or stateful address configuration to IPv6 hosts.
    • Stateless autoconfiguration is used for configuration settings from the DHCP server.
    • Stateful address auto configuration is used to configure both IP addresses and other configuration settings from the DHCP server.
  • With IPv6, you don't need DHCP to configure addresses, although your network might still benefit from using a DHCP server.
  • When a DHCP server is configured in a domain, it checks itself against the domain's list of authorized DHCP servers; if its IP address is not on the list, the DHCP Server service shuts itself down.
  • Use netsh to authorize the server in Active Directory and configure DHCP scope information if a server is running Windows Server 2008 Server Core and is part of a domain in Active Directory.
  • Standalone DHCP servers cannot coexist with another authorized DHCP server on the same subnet.
  • Reservations in DHCP
    • Permanent lease assignments used for clients that require a constant IP address.
  • User Classes in DHCP are used to specify a different DHCP configuration from the default DHCP configuration.
    • When a client computer sends a request for an IP address, the DHCP will check to see if there is a user class before assigning an IP address to the client.
    • To identify clients in certain sites and locations. For example, clients using specific printers in a department could be in the same user class.
    • To assign certain options based on the user class. For example, you might want to assign Internet access to only certain user classes.
  • DHCP Options
    • Additional configuration parameters for clients. The most common options for IPv4 are:
      • 003 Router Preferred list of IPv4 router addresses that are on the same subnet as the DHCP clients.
      • 006 DNS Servers IP addresses for DNS name servers.
      • 015 DNS Domain Name The domain name DHCP clients use when resolving unqualified names, and also allows clients to perform dynamic DNS updates.
      • 044 WINS/NBNS Servers Primary and secondary WINS servers IPv4 addresses.
      • 046 WINS/NBT Node Type In order for WINS to function properly, you must set option 046. The preferred NetBIOS name resolution method, such as b-node or h-node.
      • 051 Lease A special lease duration for remote access clients.
  • Dism command in Windows Server 2008 R2 Server Core is used to add the DHCP Server role.
    • Dism /online /enable-feature /featurename:DHCPServerCore
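
The option codes listed above are carried on the wire as one code byte, one length byte and the option data. As an added example (not from the original notes), this Python decoder parses a constructed DHCP options field containing options 003, 006, 015, 044, 046 and 051, decodes each according to its type, and raises on truncated or malformed input instead of guessing. The addresses, domain name and lease value are made up; only the standard library is used.

```python
import struct
from ipaddress import IPv4Address

# Option codes from the notes above. On the wire (RFC 2132) each option is
# one code byte, one length byte and `length` data bytes; 0 is a pad byte
# and 255 terminates the list.
OPTION_NAMES = {
    3: "Router",
    6: "DNS Servers",
    15: "DNS Domain Name",
    44: "WINS/NBNS Servers",
    46: "WINS/NBT Node Type",
    51: "Lease",
}
ADDRESS_LIST_OPTIONS = {3, 6, 44}          # data is one or more 4-byte IPv4 addresses
NODE_TYPES = {1: "b-node", 2: "p-node", 4: "m-node", 8: "h-node"}


def parse_dhcp_options(data):
    """Decode a DHCP options field into {option name: decoded value}.
    Malformed input (missing length byte, data running past the end,
    bad length for the option type) raises ValueError."""
    result = {}
    i = 0
    while i < len(data):
        code = data[i]
        if code == 0:                       # pad byte, has no length field
            i += 1
            continue
        if code == 255:                     # end marker
            break
        if i + 1 >= len(data):
            raise ValueError(f"option {code} has no length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} declares {length} bytes, only {len(value)} present")
        i += 2 + length

        name = OPTION_NAMES.get(code, f"option {code}")
        if code in ADDRESS_LIST_OPTIONS:
            if length == 0 or length % 4:
                raise ValueError(f"option {code} length {length} is not a multiple of 4")
            result[name] = [str(IPv4Address(value[j:j + 4])) for j in range(0, length, 4)]
        elif code == 15:                    # domain name, ASCII, sometimes NUL-padded
            result[name] = value.decode("ascii").rstrip("\x00")
        elif code == 46:                    # single-byte NetBIOS node type
            if length != 1:
                raise ValueError(f"option 46 length {length} is not 1")
            result[name] = NODE_TYPES.get(value[0], f"unknown ({value[0]})")
        elif code == 51:                    # lease time, 32-bit big-endian seconds
            if length != 4:
                raise ValueError(f"option 51 length {length} is not 4")
            result[name] = struct.unpack("!I", value)[0]
        else:
            result[name] = value.hex()      # unknown option: keep the raw bytes
    return result


# Constructed sample options field (not a real capture): router 192.168.10.1,
# DNS servers 192.168.10.5 and 192.168.10.6, domain "corp.example",
# WINS server 192.168.10.7, h-node, 8-day lease (691200 s), end marker.
SAMPLE_OPTIONS = bytes.fromhex(
    "03 04 c0a80a01"                            # 003 Router
    "06 08 c0a80a05 c0a80a06"                   # 006 DNS Servers
    "0f 0c" + "corp.example".encode().hex() +   # 015 DNS Domain Name (12 bytes)
    "2c 04 c0a80a07"                            # 044 WINS/NBNS Servers
    "2e 01 08"                                  # 046 WINS/NBT Node Type: 8 = h-node
    "33 04 000a8c00"                            # 051 Lease: 0x000a8c00 = 691200 s
    "ff"                                        # end of options
)

if __name__ == "__main__":
    for name, value in parse_dhcp_options(SAMPLE_OPTIONS).items():
        print(f"{name:<20} {value}")
```

The length checks are what make the decoder safe to point at untrusted packets: an option whose declared length runs past the end of the buffer is reported as an error rather than read as a short list.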


Routing
  • RIP (Routing Information Protocol)
    • Used to maintain routing information and routing tables in Windows Server 2008 R2.
    • Enables RRAS servers to exchange routing information with other routers.
    • RIP needs to be enabled on a RRAS server.
    • Disadvantage of RIP is its inability to scale to large networks.
      • Maximum hop count used by RIP routers is 15.
  • Administer DHCP remotely
    • Add UDP ports 67 and 2535 and Tcpsvcs.exe to the Windows Firewall exception list. 
  • Netsh add route command
    • Add IPv6 routing information
  • route command is used to view and change entries in the local IP routing table (you can administer routes more quickly using the command line rather than the Routing and Remote Access console).
    • add to add a route
    • change to make changes to an existing route
    • delete to delete a route or several routes
    • print to view routing tables
    • -p to make persistent entries in the routing table by adding a static route directly to the registry
  • route command parameters 
    • route [-f] [-p] [Command [Destination] [mask Netmask] [Gateway] [metric Metric] [if Interface]]
    • Destination is used to configure the network destination for a route
    • mask Netmask is used to configure the subnet mask 
    • Gateway is used to configure the next hop address
    • metric Metric is used to configure an integer cost metric for a route
    • if Interface is used to configure the interface index on the interface for which the destination network can be reached
Windows Firewall with Advanced Security
  • Manage firewall and IPSec configuration settings
    • Netsh advfirewall
    • Windows Firewall with Advanced Security Group Policy settings using GPMC
  • Authenticate IPSec with domain user accounts using Kerberos
    • Windows Vista or later OS 
    • Windows Server 2008 and later servers
  • IPSec can be used for both
    • Authentication and encryption
  • Authentication bypass rule
    • Lets traffic protected by IPSec bypass Windows Firewall regardless of inbound rules.
  • UDP ports 67 and 2535
    • Support remote administration for DHCP servers
    • Should be added to the Windows Firewall exceptions list on the target server
  • Inbound rules
    • Explicitly allow or block traffic directed to the computer from other hosts that match the criteria of the rule.
  • Outbound rules
    • Explicitly allow or block traffic originating from the computer if it matches the criteria of the rule.
  • netsh firewall show state
    • Displays the current firewall configuration
DNS server
  • Recursion
    • By default, a DNS server performs recursion on behalf of its DNS clients and of DNS servers that have forwarded client queries to it: it queries other DNS servers on the requesting client's behalf until the name is fully resolved, then sends the answer back to the client.
    • Attackers can use recursion to deny the DNS Server service. Unless recursion is needed, you should disable it. If you disable recursion, the DNS server will only resolve names for which it is authoritative.
  • Conditional forwarder
    • A DNS server used to forward DNS queries according to the DNS domain name in the query.
  • Root hints
    • Used to provide a list of names and addresses of the DNS servers that are authoritative for the root zone of the DNS namespace. Root hints are used to resolve external names that the server cannot resolve itself, as an alternative to sending the request to a forwarder. Root hints are stored in a file named CACHE.DNS located in the %SystemRoot%\System32\dns folder; it is a text listing of the root DNS servers and their matching IP addresses.
  • Stub zone
    • A copy of a zone that contains only the resource records necessary to identify the authoritative DNS servers for the zone. A stub zone consists of:
      • Start of Authority (SOA) resource record, Name Server (NS) resource records, and glue A resource records for the zone.
      • IP address of one or more master servers that can be used to update the zone.
      • Stub zones help reduce the amount of DNS traffic on your network.
  • dnscmd /clearcache
    • Command to clear the DNS server cache. Name resolution problems can occur when a DNS server has cached a record that has changed. Clearing the cache removes the stale records.
  • dnscmd /resetlistenaddresses
    • Command to set the IP address to service DNS requests. 
    • Example: dnscmd dns1 /resetlistenaddresses 192.168.10.1
  • netsh interface reset
    • Command to reset an interface's configuration.
  • netsh interface delete
    • Command to delete an interface.
  • start /w ocsetup DNS-Server-Core-Role
    • Install the DNS Server Role in Server Core. Using the /w prevents the command prompt from returning until the installation is complete.
  • oclist
    • To discover the available server roles. It also lists the server roles and features currently installed. 
DNS zones
  • GlobalNames zone
    • Provides single-name resolution for networks without a WINS server.
    • GlobalNames zone resolution requires all authoritative DNS servers to run Windows Server 2008 or later.
    • The GlobalNames zone must be integrated with Active Directory for deployment across multiple domains and forests.
  • Active Directory Integrated zones
    • Provide name resolution even when a WAN link between domains is temporarily unavailable, if an authoritative DNS server is installed on a domain controller.
  • Stub zone
    • A copy of a zone that contains only the resource records that are necessary to identify the authoritative DNS servers for the zone. This enables the DNS server hosting the parent zone to be aware of the authoritative servers for the child zones. A stub zone is kind of like a secondary zone because it obtains its resource records from other name servers, and a stub zone is read-only like a secondary zone. However, stub zones contain only three types of resource records: a copy of the SOA record for the zone, copies of NS records for all name servers that are authoritative for the zone, and copies of A records for all the name servers authoritative for the zone.
  • Secondary zone 
    • A read-only copy of a zone that was copied from the master server during zone transfer.
  • Automatic scavenging
    • Removes outdated DNS records that accumulate in a zone over time. Disabled by default; must be enabled per zone. DNS records created manually by an administrator are NEVER scavenged.
  • dnscmd
    • Used to view and change the properties of DNS servers, zones, resource records, and zone types.
    • Three zone types:
      • Primary
      • Secondary
      • Stub
  • Expiry field of the SOA record
    • Determines how long the secondary zone server can continue to serve records without being able to contact the primary zone server for an update.
DNS Records
  • AAAA
    • IPv6 resource record used to resolve FQDN host names to IPv6 addresses.
  • CNAME
    • Sometimes called canonical name, the resource record enables you to register a different FQDN for a computer already registered with a host A record.
  • HINFO (host information) record
    • Contains recorded information about a host's CPU type and operating system.
  • SRV records
    • Used to locate computers running specific services.
  • PTR records
    • Used for reverse lookups.
  • WKS (Well Known Service) record
    • Identifies a server that hosts a well-known service, such as the FTP service.
    • Includes the host, the IP address of the host, whether the protocol is TCP or UDP, and a list of services the host provides.

DNS Replication
  • Background zone loading in Windows Server 2008 R2
    • Allows DNS to respond to queries more quickly because zone data is loaded in the background from AD DS while the DNS server restarts. Enables the server to respond to client requests by requesting data from other available zones.
  • dnscmd ServerName /zoneupdatefromds ZoneName
    • Use to manually update Active Directory Integrated zones.
  • dnscmd /zonerefresh
    • Forces a refresh of the secondary zone from the master zone.
    • For scavenging, the minimum time before a record can be removed is the no-refresh interval plus the refresh interval
  • RODC
    • Read-only copy of a domain controller.
    • The DNS Server Role provides primary read-only zones on RODCs.
    • RODCs are good for branch offices that are not physically secure enough for a domain controller.
Name Resolution for client computers
  • Primary DNS server
    • Should be the physically nearest domain controller for a client.
  • DNS server addresses list box
    • Used to specify the IP address of each DNS server.
    • Priority is determined by the order. If the first DNS server is not able to respond to a name-resolution request, the next one is used.
  • Caching-only DNS servers
    • Also known as forwarding only servers
    • DNS servers that build a local server cache of names learned while querying recursively on behalf of clients. The names are then available when answering subsequent queries.
    • Caching-only DNS servers do not host any zones.
    • Caching-only DNS servers are not authoritative.
    • Good for remote sites with a slow network link where full zone transfers might consume too much bandwidth.
  • Conditional forwarder
    • DNS server configured to forward DNS queries, according to the DNS domain name in the query, to the authoritative DNS server.
    • Helps to keep traffic generated by name requests to a minimum by limiting the number of DNS servers that have to connect to the Internet and other external networks.
  • LLMNR (Link-local multicast name resolution)
    • Provides host name resolution on the local subnet for IPv4 and IPv6 addresses.
  • GNZ (Global Names Zone)
    • Provides single-name resolution throughout the network, across forest boundaries.
    • DNS records in a GNZ must be entered manually.
  • HOST file
    • Stored on a local computer.
    • Contains a list of host names and IP addresses.
    • Used for host-name resolution.
    • The client first checks the local DNS cache (the Hosts file is loaded here), before querying the DNS server.
  • Block name resolution for a computer on DNS
    • Configure a global query block list 
    • All domain controllers must run Windows Server 2008 R2

 
Remote Access
  • Remote Desktop Gateway (RD Gateway)
    • Formerly known as Terminal Services
    • Provides Remote Desktop Services for authorized clients with access to internal resources.
    • RD Gateway uses Transport Layer Security (TLS) to encrypt communications.
    • RD Gateway uses Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection between remote users on the Internet and internal resources. You should get user certificates from the internal certificate authority and every server must be configured for Network Level Authentication to only allow Remote Desktop client computers access.
    • When the Remote Desktop session is active, RD locks the target computer to prevent interactive logons for the session.
    • Use Remote Desktop Services CAP (Connection Authorization Policy) to identify user or computer groups to secure access to the server resources.
    • Define a Remote Desktop Services Resource Authorization Policy (RAP) to identify the resources to which those users have access.
  • Network Policy and Access Services (NPAS) role
    • Network Policy Server (NPS)
      • Replacement for Internet Authentication Service (IAS)
      • Microsoft implementation of the RADIUS server
      • Must have a server certificate.
      • Can use either Protected Extensible Authentication Protocol (PEAP)  or Extensible Authentication Protocol (EAP).
      • NPS performs centralized authentication, authorization, and accounting for network access, including:
        • VPN
        • Wireless. Wireless access points must support 802.1x to be configured as clients to NPS.
          • Configure them as RADIUS clients to pass authentication requests to NPS. 
          • By default, Protected Extensible Authentication Protocol (PEAP) with Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) version 2. PEAP helps to prevent rogue wireless access points on the network. MS-CHAPv2 uses passwords for authentication. 
      • NPS as a RADIUS proxy
        • NPS forwards authentication and accounting messages to other RADIUS servers
      • NPS can be configured as a NAP policy server
        • Acts as a health evaluation server for Network Access Protection (NAP)
      • Configure connection request policies:
        • Use the policies node of the Network Policy Server snap-in or use the netsh command-line utility to create connection request policies
    • Routing and Remote Access Service (RRAS)
      • Allows remote users or site-to-site connectivity to access your private network over:
        • VPN. Routing and Remote Access tunnels data through the Internet and acts as a gateway to the internal network. Data transferred through a VPN is encrypted. RRAS includes support for three standards-based VPN protocols:
          1. A new VPN protocol, Secure Socket Tunneling Protocol (SSTP), allows Point-to-Point Protocol (PPP) packets to be sent over Hypertext Transfer Protocol (HTTP) over SSL (HTTPS) using port 443.
            • SSTP supported by Windows Vista and Windows Server 2008.
          2. L2TP/IPSec allows end-to-end encryption and computer authentication on a VPN. L2TP/IPSec uses PPP for user authentication and IPSec for machine authentication.
            • L2TP traffic is sent over UDP port 1701.
            • L2TP/IPSec authenticates both the user and the computer.
              • User and computer client certificates are required.
          3. PPTP
            • Traffic uses TCP port 1723 to create a connection
            • Uses IP protocol 47 to send data.
            • A PPTP control connection is established from a dynamically-allocated TCP port on the PPTP client to TCP port 1723 on the PPTP server.
            • Uses Point-to-Point Protocol (PPP) for user authentication, and 128-bit Microsoft Point-to-Point Encryption (MPPE) for data encryption.
            • Client computer is not authenticated with PPTP.
        • EAP-TLS supports smart card authentication for VPN clients
        • Dial-up networking
        • Internet Protocol (IP) router for connecting subnets in a private network
        • Network address translator (NAT) for connecting a private network to the Internet
        • Dial-up and VPN site-to-site-demand-dial router
    • Health Registration Authority (HRA)
    • Host Credential Authorization Protocol (HCAP)
Network Access Protection (NAP)
  • NAP controls network access based on a client computer's health compliance requirements. 
  • Health checks make sure
    • Firewall software is enabled.
    • Antivirus is running and signatures are up to date. 
  • NAP Policy Server
    • Evaluates statements of health that are sent by NAP-capable client computers attempting to communicate with the network.
  • Remediation Server
    • Placed on the restricted network and can be accessed by non-compliant clients.
    • Remediation servers are added to the Remediation server groups
        • Remediation server groups can be used with NAP only when you deploy DHCP NAP enforcement or VPN NAP enforcement
    • Remediation server is responsible for
      • Installing necessary patches, configurations, or applications to bring a non-compliant client computer to a healthy state.
Direct Access
  • Allows remote access to intranet resources using bi-directional connectivity
    • Clients are able to access resources anytime they have an Internet connection without having to connect to a VPN.
    • Administrators can restrict who has access and to what resources.
    • Remote users are able to receive updates and be centrally managed as if they are local.
  • Requirements for using DirectAccess
    • One or more DirectAccess servers with Windows Server 2008 R2 with two NICs
      • One for the internal network
      • One for the Internet
        • The NIC connected to the Internet must be assigned two public consecutive IPv4 addresses 
    • DirectAccess servers and clients are required to be domain members
    • Clients require Windows 7 Enterprise or higher
    • DirectAccess uses IPv6 over IPSec, so both client and server required to use IPv6 over IPSec
    • Domain controller and DNS server running Windows Server SP2 or Windows Server 2008 R2
    • Clients are required to use the internal DNS server to locate intranet servers and resolve them using an AAAA resource record
    • PKI required because certificates are used for authentication
  • DirectAccess Setup Wizard used to configure client computers for DirectAccess
    • Add computers to a security group

Configure a File Server
  • File Services Resource Manager (FSRM) MMC has three components for managing storage resources on local or remote servers:
    • Quota Management
      • Can apply quota templates or can apply quotas manually on individual folders
        • If you later change the settings in the template, the new quota will be reflected for all quotas created in the template
      • Configure quotas by volume or folder (Windows Server 2008 R2)
      • Quota Usage report shows quotas that have reached the specified level
    • File-screening management
      • Can apply screening templates to filter certain file types from being saved
      • By volume or directory tree
    • Configure Notification Types for exceeding quota limits or attempting to save an unauthorized file
      • Email
      • Event log
      • Command
      • Report
    • Storage reports management
      • Built-in reports to track quota usage, file screening, and storage management
Distributed File System (DFS)
  • DFS offers WAN-friendly replication and simplified access and high-availability to geographically dispersed files. Two technologies are available in DFS:
    • DFS Namespaces lets you group shared folders located on different servers into one or more namespaces that appear to the user as one folder with a series of sub-folders
      • dfscmd /add
        • Add a shared folder as a target folder to an existing DFS folder
      • Access-based enumeration.
        • Enable so users will only see files and folders they have permission to access. Not enabled by default, though it is enabled by default on newly created shared folders in Windows Server 2008.
        • dfsutil property abde enable \\
      • dfsdiag
        • Used to diagnose and help resolve namespace issues.
      • dfsradmin
        • Command-line utility for configuring and managing DFS Replication.
    • DFS Replication
      • Replaces FRS as the replication engine for DFS.
      • Uses multimaster replication engine to keep folders synchronized across servers for limited-bandwidth network connections.
      • Replicates AD DS SYSVOL for domains using Windows Server 2008.
      • DFS Manager
        • Used to check DFS replication efficiency
Backup and Restore (Windows Server Backup feature)
  • Non-authoritative restore.
    • Default method for restoring Active Directory. 
    • Start the domain controller in DSRM (Directory Services Restore Mode) and restore to a state at the time of the backup and then normal replication overwrites that state with any changes after the backup.
  • Wbadmin in Windows Server 2008 R2 
    • Replaces Ntbackup for backing up from the command line.
  • Windows Server 2008 R2 supports backing up directly to removable media, including DVD.
  • Scheduled backups must go to a second local volume or a shared folder.
  • Windows creates a WindowsImageBackup folder in the root of the backup media. Inside that folder, it creates a folder with the current computer name. The backup is stored in \\WindowsImageBackup\FileServer\
  • Start the Windows Recovery Environment:
    • Boot from the Windows Server 2008 R2 installation CD
      • Choose Repair Computer
        • Once in the Windows Recovery Environment, use the wbadmin command to recover volumes.
          • Use the wbadmin start sysrecovery command to recover volumes
            • Specify -restoreallvolumes to recover all volumes. Otherwise, only the operating system will be restored.
          • The wbadmin start systemstaterecovery command restores only the system state. It does not recover the operating system files or data files.
Manage File Server Resources
  • Shadow copies should be written to a volume on a different hard disk than the shared files.
    • Maintain up to 64 copies of each shared file.
    • Enabled at the volume level (enabled for all shared folders or none of the shared folders).
    • vssadmin create shadow creates a shadow copy
    • vssadmin add shadowstorage adds a volume shadow copy storage association
  • File Service Resource Management (Quotas)
    • Can apply quota templates or can apply quotas manually on individual folders
      • If you later change the settings in the template, the new quota will be reflected for all quotas created in the template
    • Configure quotas by volume or folder (Windows Server 2008 R2)
    • Quota Usage report shows quotas that have reached the specified level
  • NFS Network File System.
    • Services for NFS provides UNIX and Linux clients with access to resources on a file server running Windows Server 2008 R2.
Print Services
  • Printer Management 
    • A single interface administrators can use to administer multiple print servers and printers
    • A GUI utility not supported on Server Core Installs. Located in Administrative Tools.
    • Add a printer in Printer Management lets you search for network printers.
  • Print filter can be used to manage a set of printers
    • Send notification when a print condition occurs.
    • Run a script when a printer condition occurs.
  • Printbrm.exe
    • Command-line utility used to migrate printer settings from one print server to another .
    • Can export printer settings as a backup.
    • Cannot migrate directly from older operating systems to Windows Server 2008 R2.
  • Lpq Line Printer Queue 
    • View print jobs queued through the Line Printer Daemon (LPD). The LPD is a network protocol for submitting print jobs to a remote printer.
  • Publishing printer in Active Directory
    • Controlled by the List in Active Directory check box on the Sharing tab of the Properties sheet for each printer.

 
Windows Server Update Services (WSUS) 
  • WSUSutil.exe
    • Command-line management utility for WSUS.
  • When you create a WSUS Website during WSUS install, the Website is configured to use HTTP port 8530 for unencrypted communication.
    • Open port 8530 to enable communication with the servers.
    • Port 443 is used for secure communication.
  • Upstream server
    • Server on which updates are approved.
  • Downstream server
    • Receives updates from the upstream server.
  • WSUS allows you to approve updates before they are made available to the WSUS clients
    • You can create a group of computers and approve updates only for specific groups (WSUS 3.0)
Performance Monitoring
  • Performance and Reliability Monitor
    • Reliability Monitor (Windows Server 2008 R2)
      • Computer required to have been running for at least 24 hours 
      • RACAgent, Reliability Analysis Component, a hidden scheduled task that must be running on the computer. It is automatically configured during system install. Responsible for gathering the reliability data and displaying in the chart view.
      • System Stability report shows a graph of these events:
        • System clock changes
        • Successful and failed software installs
        • Server failures due to hardware problems
        • Server failures due to operating system problems
        • Application failures
    • Reliability and Performance Monitor Resource View
      • Provides detailed info about system resource use and how the resources are allocated
    • Data collector set
      • Can be created with  the performance counters you want to log
      • Choose the default creation settings to have the data collector set based on the currently selected performance counters.
Event Logs
  • Wevtutil (Windows Event Logs)
    • Command-line utility that lets you view and manage Windows Event Logs
    • wevtutil qe
      • The qe or query-events command is used to retrieve a list of events from a Windows Event Log
    • wevtutil gl
      • The gl or get-log command is used to retrieve info about a log, such as its location
  • Wecutil (Windows Event Collector) 
    • Command-line utility that lets you view and manage info about event subscriptions, such as hardware events forwarded from remote computers that support the WS-Management protocol
    • You can use the wecutil utility to automatically configure a computer to collect events
  • Audit events
    • Written to the Windows Security Event Log
      • Windows Server 2008 R2 Active Directory audit policy (auditpol.exe) supports:
        • Directory Service Access
        • Directory Service Changes
        • Directory Service Replication
        • Detailed Directory Service Replication
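
Audit events land in the Security log and wevtutil qe can pull them out as XML (wevtutil qe Security /q:"XPath" /f:xml /c:N). As an added example, not from the original notes, this Python script parses that XML output and filters Directory Service Changes events (Event ID 5136, a directory object was modified) for changes to the member attribute of sensitive groups, which is the kind of check an administrator would run after enabling the audit subcategories listed above. The sample events below are constructed, not a real log; the live-query helper is only there to show the wevtutil invocation and is not exercised by the sample.

```python
import subprocess
import xml.etree.ElementTree as ET

# Namespace every Windows event element lives in when wevtutil prints /f:xml
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_wevtutil_xml(text):
    """Turn the <Event> elements that 'wevtutil qe ... /f:xml' prints into a list of dicts."""
    # wevtutil prints one <Event> after another with no enclosing root element,
    # so wrap the output before handing it to the XML parser
    root = ET.fromstring("<Events>" + text + "</Events>")
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        record = {
            "EventID": int(system.find("e:EventID", NS).text),
            "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
            "Computer": system.find("e:Computer", NS).text,
        }
        # EventData carries the audit-specific fields as <Data Name="...">value</Data>
        for data in ev.findall("e:EventData/e:Data", NS):
            record[data.get("Name")] = data.text
        events.append(record)
    return events


def privileged_group_changes(events, groups=("Domain Admins", "Enterprise Admins")):
    """Keep 5136 (object modified) events whose 'member' attribute changed on a watched group."""
    hits = []
    for e in events:
        if e["EventID"] != 5136 or e.get("AttributeLDAPDisplayName") != "member":
            continue
        if any(e.get("ObjectDN", "").startswith(f"CN={g},") for g in groups):
            hits.append(e)
    return hits


def query_security_log(max_events=100):
    """Live query on a Windows host (run from an elevated prompt); not used by the sample below."""
    out = subprocess.run(
        ["wevtutil", "qe", "Security", "/q:*[System[(EventID=5136)]]",
         "/f:xml", f"/c:{max_events}"],
        capture_output=True, text=True, check=True)
    return parse_wevtutil_xml(out.stdout)


# Constructed sample output (not a real log): two 5136 events, one adding a
# member to Domain Admins and one changing a user's description attribute.
SAMPLE_XML = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>5136</EventID>'
    '<TimeCreated SystemTime="2012-04-24T10:15:00.000Z"/><Channel>Security</Channel>'
    '<Computer>dc1.corp.example</Computer></System>'
    '<EventData><Data Name="SubjectUserName">jsmith</Data>'
    '<Data Name="ObjectDN">CN=Domain Admins,CN=Users,DC=corp,DC=example</Data>'
    '<Data Name="AttributeLDAPDisplayName">member</Data>'
    '<Data Name="AttributeValue">CN=tempuser,CN=Users,DC=corp,DC=example</Data>'
    '</EventData></Event>\n'
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>5136</EventID>'
    '<TimeCreated SystemTime="2012-04-24T10:16:00.000Z"/><Channel>Security</Channel>'
    '<Computer>dc1.corp.example</Computer></System>'
    '<EventData><Data Name="SubjectUserName">jsmith</Data>'
    '<Data Name="ObjectDN">CN=tempuser,CN=Users,DC=corp,DC=example</Data>'
    '<Data Name="AttributeLDAPDisplayName">description</Data>'
    '<Data Name="AttributeValue">Contractor</Data>'
    '</EventData></Event>\n'
)

if __name__ == "__main__":
    for hit in privileged_group_changes(parse_wevtutil_xml(SAMPLE_XML)):
        print(hit["TimeCreated"], hit["SubjectUserName"], "changed", hit["ObjectDN"],
              "value", hit["AttributeValue"])
```

Directory Service Changes events are only written once that audit subcategory is enabled with auditpol.exe and the object's SACL audits writes, so an empty result from the live query is not proof that nothing changed.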
Gather Network Data
  • Task Manager
    • Gives a quick overview of total network bandwidth usage.
  • Network Monitor
    • Collect and save detailed network usage statistics like individual packets transmitted across the network (note: log file would be huge)
    • Create an address database first to specify address pairs in a capture filter
    • Must be an Administrator or member of the netmon users group
    • Must be downloaded from the Microsoft website (free)
    • nmcap /? command line
    • Carefully choose the location to install Network Monitor
    • To capture all traffic switch on promiscuous mode (p-mode)
    • SNMP (Simple Network Management Protocol) is supported by Windows Server 2008
      • SNMP is an Internet standard protocol for managing devices on an IP network
      • 3rd party software required to analyze SNMP data
  • Netcap
    • Network Monitor Capture command-line utility can capture network traffic using the Network Monitor driver
    • Netcap installs the Network Monitor driver and binds it to all adapters when you first run the Netcap command
    • Monitors traffic on a LAN and write the information to a log file
    • Network Monitor can consume a lot of system resources and is not recommended in a production environment; use the netcap.exe command-line version to monitor production systems.
  • Data Collector Set.
    • You can create a data collector set with the network performance counters you want to monitor, and schedule Windows Reliability and Performance Monitor to start automatically and log counter values at various times during the day.






