Windows Server 2008 R2 Active Directory Administrative Center download free. A Guide to Restore Deleted Objects in Active Directory


When you specify the name of the object you want to use as a template on the New-ADUser command line, using the -Instance parameter, the system copies all of the attribute values from the template to the new object, except for those overridden by other parameters on the command line.

Yet another method, suitable for creating multiple Active Directory objects using a single command, is to create a comma-separated value (CSV) file containing a list of the objects you want to create and their attribute values. The preceding are some extremely basic examples of how, with a little study and a little practice, you can learn to enhance and streamline the processes by which you perform your regular Active Directory management tasks, using the tools provided in Windows Server R2.
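The two techniques just described, as an added example that is not part of the original text: a template account copied with -Instance, then a CSV-driven bulk run. The template name tmpl.sales, the OU path, the user rows and the password alphabet are all hypothetical; the cmdlets and parameters are those of the Windows Server 2008 R2 Active Directory module.

```powershell
Import-Module ActiveDirectory

# Attributes worth copying from the template. Identity-bearing values (SID, GUID,
# sAMAccountName, password) are never copied; -Instance only carries the attributes
# you retrieved, so request just the ones you want propagated.
$copyAttrs = 'Department','Title','Office','Company','StreetAddress','City',
             'State','PostalCode','Country','Description','ScriptPath',
             'HomeDrive','HomeDirectory'

# The template is a disabled account that exists only to be copied.
$template = Get-ADUser -Identity 'tmpl.sales' -Properties $copyAttrs

function New-RandomPassword {
    # Initial password from the CSP random generator. The user must change it at
    # first logon, so the slight modulo bias of this scheme is acceptable here.
    param([int] $Length = 16)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!%&*+-?'
    $bytes = New-Object byte[] $Length
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function New-UserFromTemplate {
    param(
        [Parameter(Mandatory=$true)] [string] $GivenName,
        [Parameter(Mandatory=$true)] [string] $Surname,
        [Parameter(Mandatory=$true)] [string] $SamAccountName,
        [Parameter(Mandatory=$true)] [string] $Path          # target OU distinguished name
    )
    $upnSuffix = (Get-ADDomain).DNSRoot
    $initial   = New-RandomPassword
    # Parameters given explicitly override the values copied from the template.
    New-ADUser -Instance $template `
               -Name "$GivenName $Surname" `
               -GivenName $GivenName -Surname $Surname `
               -DisplayName "$GivenName $Surname" `
               -SamAccountName $SamAccountName `
               -UserPrincipalName "$SamAccountName@$upnSuffix" `
               -Path $Path `
               -AccountPassword (ConvertTo-SecureString $initial -AsPlainText -Force) `
               -ChangePasswordAtLogon $true `
               -Enabled $true
    # memberOf is a back-link attribute and is not copied by -Instance, so the
    # template's group memberships are replicated explicitly (Domain Users is implicit).
    Get-ADPrincipalGroupMembership -Identity $template |
        Where-Object { $_.Name -ne 'Domain Users' } |
        Add-ADGroupMember -Members $SamAccountName
    return $initial
}

# Constructed sample input; a real run would use Import-Csv .\newusers.csv.
$rows = @'
GivenName,Surname,SamAccountName,OU
Alice,Karlsen,akarlsen,"OU=Sales,DC=contoso,DC=com"
Bob,Ng,bng,"OU=Sales,DC=contoso,DC=com"
'@ | ConvertFrom-Csv

foreach ($row in $rows) {
    # AD filters cannot dereference $row.Property, so copy it to a plain variable.
    $sam = $row.SamAccountName
    if (Get-ADUser -Filter { SamAccountName -eq $sam }) {
        Write-Warning "$sam already exists, skipping"
        continue
    }
    $pw = New-UserFromTemplate -GivenName $row.GivenName -Surname $row.Surname `
                               -SamAccountName $sam -Path $row.OU
    Write-Host "created $sam; initial password (hand over out of band): $pw"
}
```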

Active Directory Administrative Center: Better Interactive Administration

Of course, there are some administrators who are simply not comfortable working from the command line. Indeed, there are some who scarcely know it exists. However, the capabilities provided by the Active Directory Module for Windows PowerShell need not be lost on those who prefer a graphical interface.

The console works by taking the selections you make and the information you supply in the ADAC graphical interface and translating them into the proper command-line syntax, using the cmdlets in the Active Directory Module. The program then executes the commands, receives the results, and displays the results in a graphical fashion. The Overview page provides access to the root of your domain, as well as basic functions, such as directory search and password reset.

As with most pages in ADAC, you can customize the appearance of the page, in this case by clicking the Add Content link and specifying which tiles should appear in the details pane. For anything else, you have to create the user first and then open its Properties sheet to configure it, often switching between many different tabbed pages in the process.

With ADAC, the Create User page, shown in Figure , contains a great many more configuration settings—in fact, more than can fit in this figure.

NOTE Not coincidentally, the list of configuration settings on the Create User page closely resembles the list of parameters for the New-ADUser cmdlet discussed earlier in this chapter.

In addition to creating new Active Directory objects, ADAC also enables you to move, disable, rename, and delete objects, and configure their properties.

Customizing the Interface

ADAC includes a Tree View that you can use to browse your domain, in the style of Active Directory Users and Computers, but it also has a List View option, to which you can add your own navigation nodes, as shown in Figure . Navigation nodes are essentially shortcuts that point to specific containers anywhere in your domain or in other domains.

Using the Add Navigation Nodes page, shown in Figure , you can browse your enterprise and select the containers you need to access on a regular basis. For AD DS installations that span multiple domains, or even multiple forests, administrators can manage objects in containers anywhere in the enterprise, as long as there are trusts in place between the domains or forests. You can build complex queries by specifying the exact object criteria you want to search within, limiting the scope of the search to specific navigation nodes, and using the Lightweight Directory Access Protocol (LDAP) query syntax.

Suppose, for example, you are managing a large, multidomain Active Directory installation, and you have to locate the user object of the vice president who just called to complain that he is locked out of his account. You can then save the query for later reuse when the vice president locks himself out again.

Introducing Active Directory Web Services

ADAC might appear to be nothing more than a new management interface for Active Directory, but there is actually quite a bit that is new beneath the surface.

ADWS requires Microsoft. This is true not just in remote management scenarios, but for activities confined to the local system as well. If the ADWS service stops or fails to start, or you disable it, you will not be able to use Windows PowerShell or ADAC to manage the directory service, even when working at the domain controller console.

In a remote management scenario, no matter how you install the Active Directory Module for Windows PowerShell, the system will not be able to import the module successfully unless it has access to Active Directory Web Services on a computer running Windows Server R2.

If the computer is not a member of a domain, or it is a member of a domain without a Windows Server R2 domain controller, you cannot use the Active Directory Module cmdlets to manage Active Directory.

NOTE Although there has been no official announcement as of yet, it is rumored that Microsoft will eventually release a version of Active Directory Web Services for computers running Windows Server and possibly earlier versions as well. Unfortunately, this will be no benefit to administrators running Windows Server Server Core because the pre-R2 version of the operating system lacks the support for.

These Web service protocols use SOAP (the native WCF message representation, which at one time stood for Simple Object Access Protocol but, mysteriously, is no longer an acronym) to generate Extensible Markup Language (XML) code, which the system transmits over the network using an application layer or transport layer protocol. If you prefer, you can also install the features using Windows PowerShell cmdlets or the Servercmd.

Both modules require you to install the. After opening a Windows PowerShell session with elevated privileges (by right-clicking the shortcut and selecting Run As Administrator), use the following command to import the ServerManager module:

Import-Module ServerManager

Once you have done this, you can install individual features by name using the Add-WindowsFeature cmdlet. The cmdlet automatically installs all of the dependent elements the two features require. Here too you must open your command prompt session with elevated privileges, and then execute the following two commands, individually: Servercmd.
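The ADWS dependency described above and the feature installation, as an added example that is not from the original text: the script installs the two RSAT features, then confirms that at least one domain controller answers on the ADWS port (TCP 9389) before importing the Active Directory module. The feature names and the port are real; the domain is whatever the running computer belongs to.

```powershell
Import-Module ServerManager

# Install the PowerShell module and ADAC; Add-WindowsFeature pulls in their dependencies.
$needed  = 'RSAT-AD-PowerShell', 'RSAT-AD-AdminCenter'
$missing = Get-WindowsFeature -Name $needed | Where-Object { -not $_.Installed }
if ($missing) {
    Add-WindowsFeature -Name ($missing | ForEach-Object { $_.Name }) | Out-Null
}

function Test-AdwsEndpoint {
    # Plain TCP connect to the ADWS listener (port 9389) with a timeout.
    param([string] $ComputerName, [int] $TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($ComputerName, 9389, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($handle)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Enumerate the domain controllers without the AD module (that is what we are
# about to verify), using the .NET DirectoryServices classes instead.
$domain    = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$adwsHosts = @($domain.DomainControllers |
               ForEach-Object { $_.Name } |
               Where-Object { Test-AdwsEndpoint -ComputerName $_ })

if ($adwsHosts.Count -eq 0) {
    throw "No domain controller in $($domain.Name) answers on TCP 9389 (ADWS); check the Active Directory Web Services service on a Windows Server 2008 R2 DC."
}

Import-Module ActiveDirectory
# Pin the session to a DC known to run ADWS rather than relying on discovery.
Get-ADDomain -Server $adwsHosts[0] | Select-Object DNSRoot, DomainMode, PDCEmulator
```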

Selecting Functional Levels in Windows Server R2

In Windows Server R2, as in all of the previous Windows Server releases since Windows , functional levels are essentially a version control system for domain controllers. Because all of the domain controllers in a domain (and in some cases a forest) have to communicate with each other, they must all be running the same Active Directory code to implement certain new features. When a Windows Server release adds new functionality to Active Directory, it is often necessary for all participating domain controllers to be running that same release.

Raising a domain or a forest to a specific functional level prevents domain controllers not supporting the same functional level from joining the domain or the forest. This ensures that all of the domain controllers support the same set of features. For example, if you create a new domain and specify that it use the Windows Server domain functional level, then any additional domain controllers you add to the domain must be running Windows Server or a newer version as well.

In the same way, if you set the forest functional level to Windows Server , all of the domains you create in that forest will operate at the Windows Server domain functional level. Administrators can set functional levels while promoting a server to a domain controller using the Active Directory Domain Services Installation Wizard Dcpromo.

Once you have raised a domain functional level or forest functional level, you cannot undo that action, except in certain highly specific circumstances. When you select the Windows Server R2 forest functional level, the following modifications apply:

- All of the new domains you create in the forest will operate at the Windows Server R2 domain functional level by default.
- Active Directory will not permit you to add any domain controller running an operating system prior to Windows Server R2 to any domain in the forest. Note, however, that this restriction affects only domain controllers, not member servers or workstations.

This feature enables administrators to restore deleted Active Directory objects while Active Directory Domain Services is running.

Using the Windows Server R2 Domain Functional Level

If you select the Windows Server R2 forest functional level while creating a new forest, you have no choice regarding the domain functional level because all of the domains in a Windows Server R2 forest must use the Windows Server R2 domain functional level.

This page enables you to select any functional level for the domain equal to or higher than the forest functional level setting. Although it might seem counterintuitive, it is possible to set the domain functional level higher than the forest functional level, and this is the only scenario in which it is possible to lower a functional level after you have raised it.

If your forest is set to the Windows Server forest functional level, you can raise your domain to the Windows Server R2 domain functional level, and then lower it back down to the Windows Server domain functional level, if necessary. You cannot roll back the domain functional level to Windows Server , no matter what the value of the forest functional level. When you elevate the domain functional level to Windows Server R2, the domain controllers for the domain implement all of the features provided by the lower domain functional levels.

The information takes the form of a global group membership. This enables the system to grant users access to certain protected resources only when they meet specific authentication requirements, such as when they use a smart card or when the smart card they use has a certificate with 2,bit encryption.

At one time, when a user deleted an important file, it was necessary for an administrator to restore it from a system backup. Microsoft then introduced the Recycle Bin feature to the Windows operating systems, which enables users to reclaim their deleted files themselves.

For years, administrators have requested a similar feature for Active Directory. In Windows Server and earlier versions, it is possible to restore a deleted Active Directory object from a backup, but the process is daunting. After performing the restoration from the backup medium, you have to mark the object as authoritative, to ensure that it replicates to all of your domain controllers, and you have to do this in Directory Services Restore Mode, which means the domain controller must be offline.

With Windows Server R2, however, we finally have a Recycle Bin for Active Directory that enables administrators to restore deleted objects with all of their attributes and permissions intact.

NOTE Another form of Active Directory object recovery, called tombstone reanimation, has also been available since the Windows Server release, and this recovery process does not require any server downtime. However, objects in their tombstone state lose some of their attribute values, so the recovered objects are lacking some of their properties.

Understanding Windows Server R2 Object Recovery

On an installation using the Windows Server forest functional level or lower, when you delete an Active Directory object, it experiences a change of state, becoming a tombstone object and losing many of its attributes in the process.

With the Windows Server forest functional level and the Active Directory Recycle Bin enabled, deleting an object causes its state to change to logically deleted, with all of its attributes left intact. This is a new state in Windows Server R2, during which it is possible to restore the object without the loss of any properties or permissions. The system moves objects in this state to a Deleted Objects container and mangles their distinguished names so that they are not accessible by the usual means.

This is also a new state in Windows Server R2, and although objects in this state lose most of their attributes like tombstone objects, they are not recoverable at this point, using either the Recycle Bin or the authoritative restore process in Directory Services Restore Mode.

TIP Administrators can change the lifetime values from their defaults by modifying the msDS-deletedObjectLifetime attribute for the deleted object lifetime, and the tombstoneLifetime attribute for the recycled object lifetime.

Once you enable it, you cannot disable it again. You cannot use Recycle Bin to restore objects you deleted before you enabled Recycle Bin. These are already tombstone objects, and most of their attributes are irrevocably lost. After opening a session with elevated privileges, restoring deleted objects requires two cmdlets: Get-ADObject, to locate the desired object in the Deleted Objects folder, and Restore-ADObject, to perform the actual restoration.

When restoring multiple objects, and especially organizational units (OUs) that contain other objects, the order in which you restore the objects can be critical and the filter strings can be more complex. With the Active Directory Recycle Bin, you can only restore objects to a live parent. This means, for example, that if you accidentally delete an OU object, you must restore the OU itself before you can restore any of the objects in that OU.

If you delete an OU that contains other OUs, you must start by restoring the parent OU (that is, the highest deleted OU in the hierarchy) before you can restore the subordinate ones.

TIP When restoring a hierarchy of objects, a series of exploratory Get-ADObject commands might be necessary to ascertain the correct order for the restorations. In these cases, you might want to use commands that include the -Properties lastKnownParent parameter to determine parental relationships between the deleted objects.
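The top-down restoration of a deleted OU hierarchy, as an added example that is not from the original text: it uses the lastKnownParent relationship just mentioned to restore a parent before each of its children, and goes beyond the single-OU case by walking the whole tree. The OU name Sales and the domain DN are hypothetical; it assumes the Recycle Bin is enabled and the objects are still within the deleted object lifetime.

```powershell
Import-Module ActiveDirectory

# All deleted objects, with the attributes that record where each one came from.
# The Deleted Objects container itself also has isDeleted set, so it is excluded.
$deleted = Get-ADObject -Filter { isDeleted -eq $true -and name -ne "Deleted Objects" } `
                        -IncludeDeletedObjects `
                        -Properties lastKnownParent, 'msDS-LastKnownRDN', objectClass, whenChanged

function Restore-Subtree {
    # Restore $Node, then every deleted object whose lastKnownParent is $Node's
    # deleted (mangled) DN, recursively: a parent is always restored before its children.
    param($Node, [int] $Depth = 0, [switch] $DryRun)
    $deletedDN = $Node.DistinguishedName      # capture now; it changes once restored
    $label = ('  ' * $Depth) + $Node.'msDS-LastKnownRDN' + ' (' + $Node.objectClass + ')'
    if ($DryRun) {
        Write-Host "would restore $label"
    } else {
        Restore-ADObject -Identity $Node.ObjectGUID
        Write-Host "restored $label"
    }
    $deleted | Where-Object { $_.lastKnownParent -eq $deletedDN } |
        ForEach-Object { Restore-Subtree -Node $_ -Depth ($Depth + 1) -DryRun:$DryRun }
}

function Restore-DeletedOU {
    # Entry point: the top of the hierarchy is the deleted OU with the original
    # name whose lastKnownParent is a container that still exists (the live parent).
    param([Parameter(Mandatory=$true)] [string] $Name,
          [Parameter(Mandatory=$true)] [string] $LiveParentDN,
          [switch] $DryRun)
    $roots = @($deleted | Where-Object {
        $_.objectClass -eq 'organizationalUnit' -and
        $_.'msDS-LastKnownRDN' -eq $Name -and
        $_.lastKnownParent -eq $LiveParentDN })
    if ($roots.Count -ne 1) {
        # Zero: nothing to restore (or the object has already been recycled).
        # More than one: the name was deleted and reused; choose by whenChanged
        # rather than guessing.
        throw "found $($roots.Count) deleted OUs named '$Name' under $LiveParentDN"
    }
    Restore-Subtree -Node $roots[0] -DryRun:$DryRun
}

# Review the tree first: restoring an object brings back its ACL and its group
# memberships as well, so confirm this is the hierarchy you expect.
Restore-DeletedOU -Name 'Sales' -LiveParentDN 'DC=contoso,DC=com' -DryRun
# Restore-DeletedOU -Name 'Sales' -LiveParentDN 'DC=contoso,DC=com'
```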

Many IT organizations prefer to install and configure their servers and workstations at a central location, and then deploy them to their final destinations. In many cases, this means that the domain the computer will eventually join is not available at the time of the installation. The result is that IT personnel have to wait to join the computer to the domain until the system is on site, which is often an impractical solution.

The offline domain join capability in Windows Server R2 enables administrators to gather the information needed to join a computer running Windows Server R2 or Windows 7 to a domain and save it to the computer without it requiring access to the domain controllers. When the computer starts for the first time in its final location, it automatically joins to the domain using the saved information, with no interaction and no reboot necessary.

Once this is complete, you copy the file to the computer you want to join to the domain and run Djoin. The first computer, called the provisioning computer, must be running Windows Server R2 or Windows 7, and it must have access to a domain controller. By default, the domain controller must be running Windows Server R2. Optional parameters enable you to specify the name of an OU where you want to create the computer object, and the name of a specific domain controller to use.

To deploy the metadata on the target computer, which must also be running Windows Server R2 or Windows 7, you copy the file Djoin. The system does not have to have access to its eventual domain, or even be connected to a network. Once you have provisioned the computer, you can move it to its final location. The next time you restart the system, it will be joined to the domain you specified and ready to use.
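The provisioning side of the offline domain join, as an added example that is not from the original text: a batch of computer accounts is provisioned on the provisioning computer, and the command for the target computer is shown at the end. The domain, OU, domain controller and computer names are hypothetical; the djoin.exe switches are the tool's own.

```powershell
$domain   = 'contoso.com'
$targetOU = 'OU=Staged Workstations,DC=contoso,DC=com'
$dcName   = 'dc01.contoso.com'      # must be a Windows Server 2008 R2 domain controller
$outDir   = 'C:\ODJ'

# Constructed batch; a real run would read the names from a CSV or ticket system.
$machines = 'WS-LON-001', 'WS-LON-002', 'WS-LON-003'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

foreach ($name in $machines) {
    $blob = Join-Path $outDir "$name.txt"
    if (Test-Path $blob) { Write-Warning "$name already provisioned ($blob), skipping"; continue }

    # Creates the computer object in $targetOU on $dcName and writes the metadata blob.
    & djoin.exe /provision /domain $domain /machine $name /machineou $targetOU /dcname $dcName /savefile $blob
    if ($LASTEXITCODE -ne 0) { Write-Warning "djoin failed for $name (exit $LASTEXITCODE)"; continue }

    # The blob carries the machine account password, so treat it as a credential:
    # restrict it to administrators and delete it once the target has consumed it.
    & icacls.exe $blob /inheritance:r /grant:r 'BUILTIN\Administrators:F' | Out-Null
    Write-Host "provisioned $name -> $blob"
}

# On each target computer (also Windows Server 2008 R2 or Windows 7), from an
# elevated prompt and with no domain connectivity required; the join takes
# effect at the next restart:
#   djoin.exe /requestODJ /loadfile C:\ODJ\WS-LON-001.txt /windowspath %SystemRoot% /localos
```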

To do the latter, you insert a reference to the metadata file that Djoin.

Service Accounts

Applications and services require accounts to access network resources, just as users do.

These accounts are simple to manage, but they do have drawbacks. First, they are local accounts, which means administrators cannot manage them at the domain level. Second, these system accounts are typically shared by multiple applications, which can be a security issue. It is possible to configure an application to use a standard domain account.

This enables you to isolate the account security for a particular application, but it also requires you to manage the account passwords manually. If you change the account password on a regular basis, you must reconfigure the application that uses it, so that it supplies the correct password when logging on to the domain.

The managed service account is a new feature in Windows Server R2 that takes the form of a new Active Directory object class. Because managed service accounts are based on computer objects, they are not subject to Group Policy-based password and account policies as are domain users.

Managed service accounts also do not allow interactive logons, so they are an inherently more secure solution for applications and services. Most importantly, managed service accounts eliminate the need for manual credential management.

When you change the password of a managed service account, the system automatically updates all of the applications and services that use it. To use a managed service account for a particular application or service, you must run the Install-ADServiceAccount cmdlet on the computer hosting the application.
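Creating a managed service account, installing it on the host and binding a service to it, as an added example that is not from the original text. The account and service names are hypothetical; the cmdlets are the 2008 R2 Active Directory module's own, and the script is meant to run in an elevated session on the computer that hosts the service.

```powershell
Import-Module ActiveDirectory

$msaName  = 'svc-reporting'      # logs on as DOMAIN\svc-reporting$
$service  = 'ReportingAgent'     # name of the Windows service on this host
$hostName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Create the account in the domain, once. In 2008 R2 a managed service account
#    is installed on exactly one computer, and its password is rotated automatically.
if (-not (Get-ADServiceAccount -Filter { Name -eq $msaName })) {
    New-ADServiceAccount -Name $msaName -Enabled $true `
        -Description "Runs $service on $hostName"
}

# 2. Install it on this host: the account's password is retrieved and stored where
#    the Service Control Manager can use it, so no administrator ever handles it.
Install-ADServiceAccount -Identity $msaName
if (-not (Test-ADServiceAccount -Identity $msaName)) {
    throw "$msaName is not usable from $hostName; verify it was installed on this computer"
}

# 3. Bind the service to the account: logon name DOMAIN\name$ and an empty password.
#    WMI is used rather than sc.exe because PowerShell 2.0 does not pass an empty
#    argument to native commands reliably.
$netbios = (Get-ADDomain).NetBIOSName
$svc = Get-WmiObject Win32_Service -Filter "Name='$service'"
if (-not $svc) { throw "service $service not found on $hostName" }
$rc = $svc.Change($null, $null, $null, $null, $null, $null, "$netbios\$msaName`$", '')
if ($rc.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($rc.ReturnValue)" }

# The Services console grants 'Log on as a service' automatically when you set the
# account there; this path does not, so grant the right in Local Security Policy
# if the service fails to start.
Restart-Service -Name $service
Get-WmiObject Win32_Service -Filter "Name='$service'" | Select-Object Name, StartName, State
```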

The BPA has a collection of predefined rules for each role it supports—rules specifying the recommended architectural and configurational parameters for the role. For example, one AD DS rule recommends that each domain have at least two domain controllers.

When you run a BPA scan, the system compares the recommendations to the actual role configuration and points out any discrepancies. The scan returns a status indicator for each rule that indicates whether the system is compliant or noncompliant. There is also a warning status for rules that are compliant at the time of the scan, but that configuration settings might render noncompliant under other operational conditions. After a delay as the analyzer performs the scan, the results appear, as shown in Figure . The analyzer then compares its preconfigured rules to the information in the XML file and reports the results.

Although storage space is cheaper and more plentiful than ever before, the increased emphasis on audio and video file types, whether business related or not, has led to a storage consumption rate that in many instances more than equals its growth. There is only one new role service in the File Services role, but there are innovative new features introduced into some of the existing role services. In an enterprise with multiple sites, increased storage capacity typically leads to increased consumption of bandwidth between sites, and these new features can help administrators manage this bandwidth consumption and improve file access times in the process.

Using the File Classification Infrastructure

An enterprise network can easily have millions of files stored on its servers, and administrators are responsible for all of them.

However, different types of files have different management requirements. Enterprise networks typically have a variety of storage technologies to accommodate their different needs. For example, drive arrays using Redundant Array of Independent Disks (RAID) for fault tolerance are excellent solutions for business-critical files, but they are also more expensive to purchase, set up, and maintain.

Storing noncritical files on a medium such as this would be a waste. At the other end of the spectrum, an offline or near-line storage medium, such as magnetic tape or optical disks, can provide inexpensive storage for files that are not needed on a regular basis, or that have been archived or retired. The big problem for the administrator with a variety of storage options is determining which files should go on which medium, and then making sure that they get there.

However, determining which files require a certain treatment and seeing that they receive it can be a major administrative problem. Traditional methods for classifying files include storing them in designated folders, applying special file naming conventions, and, in the case of backups, the long-standing use of the archive bit to indicate files that have changed.

None of these methods are particularly efficient for complex scenarios on a large scale, however, because of the manual maintenance they require or their limited flexibility. Who is going to be responsible for making sure that files are named properly, or moved to the appropriate folders? It would not be practical for IT personnel to monitor the file management practices of every user on the network.

Also, if you designate one folder for files containing sensitive data and another for files that are modified often, what do you do with a file that is both sensitive and frequently updated?

Introducing the FCI Components

The File Classification Infrastructure (FCI) introduced in Windows Server R2 is a system that enables administrators to define their own file classifications, independent of directory structures and file names, and configure applications to perform specific actions based on those classifications.

FCI consists of four components, as follows:

- Classification Properties: Attributes created by administrators that identify certain characteristics about files, such as their business value or level of sensitivity
- Classification Rules: Mechanisms that automatically apply classification properties to certain files based on specific criteria such as file contents
- File Management Tasks: Scheduled operations that perform specified actions on files with certain classification properties
- Storage Reports Management: Engine that can generate reports that, among other things, document the distribution of classification properties on file server volumes

For example, an administrator might create a classification property that indicates whether a file contains personal or confidential information.

Also new is the File Management Tools node, which you use to execute specific actions based on the file classifications you have created. The Storage Report Management node now includes the ability to generate reports based on FCI properties, as well as other, traditional criteria. FCI is designed to be more of a toolkit for storage administrators than an end-to-end solution. FCI provides various types of classification properties, but it is up to the individual administrator to apply them to the particular needs of an enterprise.

File Management Tools provides a basic file expiration function and the ability to execute custom commands against particular file classifications. However, FCI is also designed with an extensible infrastructure so that third-party developers can integrate property-based file selection into their existing products.

Creating FCI Classification Properties

The first step in implementing FCI is to create the classification properties that you will apply to files with certain characteristics.

Classification properties are simple attributes, consisting only of a name, a property type, and sometimes a list of values. Property types indicate the nature of the classification you want to apply to your files; they do not have to contain the classification criteria themselves. FCI supports seven classification property types, as listed in Table . Aggregation refers to the behavior of a classification property type when a rule or other process attempts to assign the same property to a file, but with a different value.

An attempt to assign a second property value to an already-classified file results in an error. You can configure a rule to reevaluate files with these properties, but the rule will simply assign a new value that overwrites the old one, without considering the existing value of the property.

When there is a value conflict, such as if one rule assigns a file High Security and another rule assigns it Low Security, the High Security value takes precedence, as shown on the left side of Figure , enabling the property to err on the side of caution and use the greatest possible security measures.

However, if you are seeking to categorize files based on subject, the Multiple Choice List property would probably be preferable, because it enables you to assign multiple properties to a single file, as shown on the right side of the figure.

3. After specifying a name for the property, and optionally a description, you select a Property Type, and the controls change depending on the type you have chosen. The types that do not support a selection of possible values (Date-time, Number, and String) require no additional configuration. The other types enable you to add the possible values that your classification rules can assign to files, based on criteria you select.

Creating FCI Classification Rules

Once you have created your classification properties, you can assign them to your files by creating classification rules. On the Rule Settings tab, shown in Figure , you supply a name for the rule, and optionally a description, and then click Add to define the scope; that is, specify the volumes or folders containing the files to which you want to apply properties.

NOTE These classification mechanisms take the form of plug-in modules, of which Windows Server R2 includes only two relatively rudimentary examples. Microsoft has designed this part of the FCI to be extensible, so that administrators and third-party developers can use the FCI application programming interface (API) to produce their own classification plug-ins, as well as scripts and applications that set properties on files.

In the Property Name and Property Value fields, you specify which of your classification properties you want to assign to the files the rule selects, and what value the rule should insert into the property. Clicking Advanced displays the Additional Rule Parameters dialog box, in which you find the following tabs:

- Evaluation Type: Enables you to specify how the rule should behave when it encounters a file that already has a value defined for the specified property.

You can elect to overwrite the existing property value or aggregate the values for properties that support aggregation. If you encrypt files after they have classification properties assigned, they retain those properties and applications can read them, but you cannot modify the properties or assign new ones while the files are in their encrypted state.

Once you have created your classification rules, you must execute them to apply properties to your files. You can click Run Classification With All Rules Now to execute your rules immediately, or you can click Configure Classification Schedule to run them at a later time or at regular intervals.

TIP Administrators new to FCI have a tendency to create large numbers of properties and rules, simply because they can. Be aware that processing rules, and especially those that search for complex regular expressions, can take a lot of time and consume a significant amount of server memory. Microsoft recommends only applying classifications that your current applications can utilize.

Performing File Management Tasks

Once you have classified your files, you can use File Server Resource Manager to create file management tasks, which can manipulate the files based on their classification properties.

Here again, the capabilities provided with Windows Server R2 are relatively rudimentary, but as with the classification mechanisms, administrators and third-party developers can integrate property-based file processing into their applications. Here, as in the Classification Rule Definitions dialog box, you supply a name, a description, and a scope for the task. On the Action tab, you can select one of the following action types:

- File Expiration: Enables you to move files matching specified property values to another location
- Custom: Enables you to execute a program, command, or script on files matching specified property values, using the interface shown in Figure .

On the Condition tab, you specify the property values that files must possess for the file management task to process them, using the Property Condition dialog box, as shown in Figure . The Schedule tab enables you to configure the task to execute at specified intervals, and the Notification and Report tabs specify the types of information administrators receive about the task processing.

Although the File Expiration action type enables administrators to migrate files based on property values, it is the Custom action that provides true power for the savvy administrator. Using the Executable and Arguments fields, administrators can run a command, program, or script on the files having the specified properties.

Some of the possible scenarios for customized tasks are as follows:

- Modify the permissions for the selected files using Icacls.

Using BranchCache

Branch office technologies were a major priority for the Windows Server R2 and Windows 7 development teams, and BranchCache is one of the results of that concentration. On an enterprise network, a branch office can consist of anything from a handful of workstations with a virtual private network (VPN) connection to a fully equipped network with its own servers and IT staff.

In most cases, however, branch offices nearly always require some network communication with the home office, and possibly with other branches as well.

The wide area network (WAN) connections between remote sites are by nature slower and more expensive than local area network (LAN) connections, and the primary functions of BranchCache are to reduce the amount of WAN bandwidth consumed by branch office file sharing traffic and improve access times for branch office users accessing files on servers at remote locations.

As the name implies, BranchCache is file caching software. Caching is a technique by which a system copies frequently used data to an alternative storage medium, so that it can satisfy future requests for the same data more quickly or less expensively. BranchCache works by caching files from remote servers on the local drive of a branch office computer so that other computers in the branch office can access those same files locally, instead of having to send repeated requests to the remote server.

BranchCache has two operational modes, as follows:

- Distributed Cache Mode: Up to 50 branch office computers cache files requested from remote servers on their local drives, and then make those cached files available to other computers on the local network, on a peer-to-peer basis.

The primary difference between these two modes is that Hosted Cache Mode requires the branch office to have a server running Windows Server R2, whereas Distributed Cache Mode requires only Windows 7 workstations.

The advantage of Hosted Cache Mode is that the server, and therefore the cache, is always available to all of the workstations in the branch office. Workstations in Distributed Cache Mode can only share cached data with computers on the local network, and if a workstation is hibernating or turned off, its cache is obviously unavailable. This is because caching writes is a much more complicated operation than caching reads, due to the possible existence of conflicts between multiple versions of the same file.

The BranchCache communication between the clients and the remote server proceeds as follows:

1. The client sends a request for a file to the remote server. The only difference from a standard request is that the client includes an identifier in the message, indicating that it supports BranchCache.

2. When the BranchCache-enabled remote server receives the request and recognizes that the client also supports BranchCache, it replies, not with the requested file, but with content metadata in the form of a hash describing the requested file. The metadata is substantially smaller than the requested file itself, so the amount of WAN bandwidth utilized so far is relatively small. [Graphic: branch office client and remote server; request, then reply with metadata]

3. On a Distributed Cache Mode installation, the client sends this metadata message as a multicast transmission to the other BranchCache clients on the network, using the BranchCache discovery protocol. On a Hosted Cache Mode installation, the client sends the message to the local server that hosts the cache, using the BranchCache retrieval protocol.

4. In Distributed Cache Mode, the client fails to receive a reply from another client on the network. In Hosted Cache Mode, the client receives a reply from the local server indicating that the requested data is not in the cache. [Graphic: multicast with metadata (Distributed Cache Mode); forwarded metadata and negative reply from the branch office server (Hosted Cache Mode)]

5. The client retransmits its original file request to the remote server. This time, however, the client omits the BranchCache identifier from the request message.

6. The remote server, on receiving a standard non-BranchCache request, replies by transmitting the requested file. [Graphic: branch office client and remote server; request without identifier, then reply with file]

7. The client receives the requested file and, on a Distributed Cache Mode installation, stores the file in its local cache. On a Hosted Cache Mode installation, the client sends a message to its local caching server using the BranchCache hosted cache protocol, advertising the availability of its newly downloaded data. [Graphic: Distributed Cache Mode, client caches file; Hosted Cache Mode, client advertises file and the branch office server retrieves and caches it]

When another client subsequently requests the same data from the remote server, the communication process is exactly the same up until step 4. In this case, the client receives a reply from another computer (either a client or the server, depending on the mode) indicating that the requested data is present in its cache. The client then uses the BranchCache retrieval protocol to download the data from the caching computer. For this and subsequent requests for that particular file, the only WAN traffic required is the exchange of request messages and content metadata, both of which are much smaller than the actual data file.

BranchCache is not installed by default on Windows Server R2; you must install one or both of the BranchCache modules supplied with the operating system, and then create Group Policy settings to configure them. To enable BranchCache for all three protocols, you must install both of the following two modules using Server Manager.

This setting enables the file server to transmit content metadata to qualified BranchCache clients instead of the actual files they request. When you enable Hash Publication for BranchCache, as shown in Figure , you can elect to allow hash publication for all file shares on the computer, or only for the file shares on which you explicitly enable BranchCache support.

Computers running Windows 7 have the BranchCache client installed by default. Enabling this setting without either one of the mode settings configures the client to cache server data on its local drive only, without accessing caches on other computers.

The default setting is 80 ms. When you decrease the value, the client caches more files; increasing the value causes it to cache fewer files. The default value is 5 percent. To facilitate this communication, administrators must configure any firewalls running on the clients to admit incoming traffic on the ports these two protocols use, which are Transmission Control Protocol (TCP) port 80 and User Datagram Protocol (UDP) port , respectively.

You must then provide the server with a certificate issued by a certification authority (CA) that the clients on the branch office network trust. This can be an internal CA running on the network or a commercial CA run by a third party. Note, however, that client configuration values you set using Group Policy take precedence over those you set with Netsh. However, to do so, the namespace must be hosted on a server running Windows Server R2 or Windows Server. If you enable access-based enumeration on a DFS namespace and on the target shares that the namespace links to (using the Share and Storage Management console), the shared folders are completely hidden from unauthorized users.

Prior to the R2 release, you could only do this by manually changing the permissions on the replicated folder. Note, however, that read-only folders impose an additional performance burden on the servers hosting them, because DFS Replication must intercept every Create and Open function call to determine whether the requested destination is in a read-only folder. Since then, as anticipated, the IIS development team has been working on a variety of enhancements and extensions that build on that new architecture.

Although based on the same basic structure as IIS 7. This chapter lists the new features in IIS 7. Installing IIS 7. That dependency is still there, however. The Microsoft Web Platform is an integrated set of servers and tools that enable you to deploy complete Web solutions, including applications and ancillary servers, with a single procedure. The Microsoft Web Platform Installer is a tool that enables you to select, download, install, and configure the features you want to deploy on your Web server.

The Web Platform Installer file you download is a stub, a tiny file that enables you to select the modules you want to install and then download them, using the interface shown in Figure . The installer provides a selection of collaboration, e-commerce, portal, and blog applications, and enforces the dependencies between the various elements.

During the installation process, Web Platform Installer prompts you for information needed by your selected applications, such as what subdirectory to install them into, what passwords to use, and so on. When the process is complete, you have a fully functional Web site, complete with IIS and applications and ready to use.

Selecting a server, site, or application and clicking Export Application launches a wizard in which you can select the elements that you want to export, as shown in Figure . The wizard then creates a package in the form of a Zip file, which contains the original content plus configuration settings in Extensible Markup Language (XML) format.

The tool also includes a Remote Agent Service, which administrators can use to synchronize Web servers in real time over a network connection.

This enables you to replicate sites and servers on a regular basis so that you can create Web farms for load balancing and fault tolerance purposes.

Now we have the new domain controller. In the preceding command, DC22 is the domain controller running Windows Server. Before we upgrade the forest and domain functional levels, we first need to decommission the old DC, which is running Windows Server R2. On the next page, type a new password for the local administrator account. After you demote your last domain controller running Windows Server R2, you can raise the domain and forest functional levels to Windows Server. Windows Server is the same.

To upgrade the domain functional level, we can use the following PowerShell command on the Windows Server domain controller. The following command will show the current domain functional level of the domain after the migration: The following command will show the current forest functional level of the domain after the migration: The following screenshot shows events and in the Directory Service log, which verify the forest and domain functional level updates: We can use the following command to verify the list of domain controllers and make sure that the old domain controller is gone:

Get-EventLog uses a Win32 Application Programming Interface (API), a set of commands, functions, and protocols that programmers can use when building software to interface with another computer system. Microsoft has stated that the direction of Windows Server will be without GUI and local management features.


What is new in Active Directory? Businesses are using more and more Cloud computing, a self-service, pay-as-you-go model of providing computing resources to an organization or to the general public.

You can open the Active Directory Administrative Center in one of two ways: you can either click Start, then select Administrative Tools, then click Active Directory Administrative Center, or you can click Start, then click Run, and then type dsac.

It is not without its downsides, however, in that it cannot be used to generate pretty-printed reports, which might be needed for security audits and compliance reporting; the best one can do is perhaps export to CSV.

Alternatively, you can download it from here. Summary: the Active Directory Administrative Center is the first major revision to the Active Directory data management tools since the initial release of Active Directory way back in . Posted by MarcJ.

Windows Server was released on the 4th of October. Microsoft has also released a new free utility called Windows Admin Center (WAC), which can manage your whole production environment via a web-based console. You can manage clusters of servers, Hyper-V clusters, and hosts that run on-premises or in Azure. This tool is particularly useful for hybrid workloads.

Windows Admin Center integrates with Azure services. The managed environment can be mixed (starting with Windows Server R2, with limited functionality), and the tool can handle all the different versions of the server OS from Microsoft. Then, after the final release, the name was changed to Windows Admin Center. Windows Admin Center uses PowerShell under the hood, and there is a way that you can see those scripts, too, which is pretty cool.

Installation is possible on Windows 10 Fall Anniversary Update or newer, on a Server Core gateway, or on one of the management servers itself (Windows Server or newer). Then, you can manage Windows Server R2 (with limited functionality), , or R2, and, lastly, Windows Server. Note that you can also manage Windows 10 systems.

Installation of Windows Management Framework 5. There are no other dependencies. You can download Windows Admin Center from here. You can use Windows Admin Center free of charge. After downloading, start the installation by clicking the MSI.

Below, you can see the different installation screens. You have the option to add a shortcut to your desktop or change the default port through which this solution will be accessed. It is very convenient. If the system where WAC is installed has an internet connection, and if you set up your router with port forwarding, you can even manage the whole infrastructure while you are on the go.

Windows Admin Center supports several optional features that integrate with Azure services. There are no extensions installed by default. The tool allows you to manage not only server systems, but also Windows 10 client systems. This might give you ideas about using it for your small network of Windows 10 client computers or for lab environments.

As you can see, getting started is really fast, and this tool will be very popular among server administrators and users.

Microsoft has done a great job on this. By integrating Azure directly into the console, Microsoft hopes that even more admins will embrace Azure services and consume them. Filed under: All, by Vladan Seget.

Figure 3: Adding a server connection. Then specify the credentials used for this connection. Figure 5: Different server connections.
