Archive for August, 2011

Keys serve as containers in the registry. Keys can contain other keys (subkeys). Keys can also contain value entries, or simply, values. These are the “substance” of the registry. Values comprise three parts: name, data type, and value. The name identifies the setting. The data type describes the item’s data format. The value is the actual data. The following list summarizes the data types currently defined and used by the system:


  • Binary Value: This data type stores the data in raw binary format, one value per entry. The Registry Editor displays this data type using hexadecimal format.
  • DWORD value: This data type stores data as a four-byte number (32-bit), one value per entry. The Registry Editor can display this data type in binary, hexadecimal, or decimal formats.
  • QWORD value: This data type stores data as a 64-bit number, one value per entry. The Registry Editor can display this data type in binary, hexadecimal, or decimal formats.
  • Expandable string value: This is a variable-length string that includes variables that are expanded when the data is read by a program, service, and so on. The variables are represented by % signs; an example is the use of the %systemroot% variable to identify the root location of the Windows Server 2008 folder, such as a path entry to a file stored in systemroot\System32. One value is allowed per entry.
  • Multi-String value: This data type stores multiple string values in a single entry. String values within an item are separated by spaces, commas, or other such delimiters.
  • String value: This data type stores a single, fixed-length string, and is the most common data type used in the registry.
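
To see these data types the way PowerShell reads them back, here is an added example that is not part of the original post: it lists the values under a key with their kind, the data exactly as stored, and for expandable strings the form they resolve to in the current session. It assumes PowerShell 2.0 or later on Windows; the Session Manager environment key is used only because it holds REG_EXPAND_SZ values such as TEMP.

```powershell
# Added example, not part of the original post: report each value under a
# registry key with its data type, the data as stored, and for REG_EXPAND_SZ
# the form it expands to right now. Nothing is modified.
function Get-RegistryValueReport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$KeyPath    # provider path, e.g. HKLM:\SYSTEM\...
    )
    # Get-Item on a registry path returns a Microsoft.Win32.RegistryKey
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction Stop
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name).ToString()
        # Read the data as stored: an expandable string is returned with its
        # %variables% intact, which is what a baseline or audit should record,
        # since the expanded form depends on the environment at read time.
        $raw = $key.GetValue($name, $null, $noExpand)

        switch ($kind) {
            'Binary' {
                # REG_BINARY comes back as byte[]; show it as hex, like the Registry Editor
                $data = ($raw | ForEach-Object { $_.ToString('X2') }) -join ' '
            }
            'MultiString' {
                # REG_MULTI_SZ comes back as string[]; join with a visible separator
                $data = $raw -join ' | '
            }
            'ExpandString' {
                # REG_EXPAND_SZ: stored form, then what it resolves to in this session
                $data = '{0} -> {1}' -f $raw, [Environment]::ExpandEnvironmentVariables($raw)
            }
            default { $data = [string]$raw }   # String, DWord, QWord
        }

        $label = $name
        if ($label -eq '') { $label = '(Default)' }
        New-Object PSObject -Property @{ Name = $label; Kind = $kind; Data = $data }
    }
}

# This key holds REG_EXPAND_SZ values (for example TEMP = %SystemRoot%\TEMP),
# so it demonstrates the expansion behaviour without changing anything.
Get-RegistryValueReport 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' |
    Format-Table Name, Kind, Data -AutoSize
```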

A backup is an exact copy of a file (including documentation) that is kept on a storage medium (usually in a compressed state) in a safe place (usually at a remote location) for use in the event that the working copy is destroyed. Notice that we placed emphasis on “including documentation”, because every media holding backups must include a history or documentation of the files on the media. This is usually in the form of labels and identification data on the media itself, on the outside casing, and in spreadsheets, hard catalogs, or data ledgers in some form or another. Without history data, restore media cannot locate your files, and the backup is useless. This is why you can prepare a tape for overwriting by merely formatting the label so that the magnetic head thinks the media is blank.


Various types of backups are possible, depending on what you back up and how often you back it up, as the following list describes:

  • Archived backup: A backup that documents (in header files, labels, and backup records) the state of the archive bit at the time of copy. The state (on-off) of the bit indicates to the backup software that the file has been changed since the last backup. When Windows Server 2008 Backup does an archived backup, it sets the archive bit accordingly.


  • Copy backup: An ad hoc “raw” copy that ignores the archive bit state. It does not set the archive bit after the copy. A copy backup is useful for quick copies between DR processes and rotations or to pull an “annual” during the monthly rotation.


  • Daily backup: This does not form part of any rotation scheme. It is just a backup of files that have been changed on the day of the backup. We question the usefulness of the daily backup in Backup, because mission-critical DR practice dictates the deployment of a manual or automated rotation scheme. In addition, Backup does not offer a summary or history of the files that have changed during the day.


  • Normal backup: A complete backup of all files (that can be backed up), period. The term normal is more a Windows Server 2008 term, because this backup is more commonly called a full backup in DR circles. The full backup copies all files and then sets the archive bit to indicate (to Backup) that the files have been backed up. You would do a full backup at the start of any backup scheme. You would also need to do a full backup after making changes to any scheme. A full backup, and documentation or history drawn from it, is the only means of performing later incremental backups. Otherwise, the system would not know what has or has not changed since the last backup.


  • Incremental backup: A backup of all files that have changed since the last full or incremental backup. The backup software sets the archive bit, which thereby denotes that the files have been backed up. Under a rotation scheme, a full restore would require you to have all the incremental media used in the media pool, all the way back to the first media, which contains the full backup. You would then have the media containing all the files that have changed (and versions thereof) at the time of the last backup.


  • Differential backup: This works exactly like the incremental, except that it does not do anything to the archive bit. In other words, it does not mark the files as having been backed up. When the system comes around to do a differential backup, it compares the files to be backed up with the original catalog. Differential backups are best done on a weekly basis, along with a full, or normal, backup, to keep differentials comparing against recently backed up files.
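
The archive-bit behaviour that separates these types can be exercised directly. The script below is an added example, not part of the original post and not Windows Server Backup code: it simulates the four types against constructed files in a temporary folder, selecting by the archive bit and clearing it only after normal and incremental runs. It assumes PowerShell 2.0 or later on an NTFS volume; nothing is actually copied.

```powershell
# Added example, not part of the original post: a simulation of the backup
# types driven by the archive bit. Windows sets the bit whenever a file is
# created or written; of the types described, only a normal (full) or an
# incremental backup clears it afterwards.
$ArchiveBit = [int][System.IO.FileAttributes]::Archive

function Get-FilesForBackup {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)]
        [ValidateSet('Normal', 'Copy', 'Incremental', 'Differential')]
        [string]$Type
    )
    $files = @(Get-ChildItem -LiteralPath $Path -Recurse | Where-Object { -not $_.PSIsContainer })
    if ('Normal', 'Copy' -contains $Type) {
        return $files                       # everything, regardless of the bit
    }
    # Incremental and differential: only files changed since the bit was last cleared
    return @($files | Where-Object { ([int]$_.Attributes -band $ArchiveBit) -ne 0 })
}

function Invoke-SimulatedBackup {
    # Reports what a backup of the given type would select and whether it
    # marked those files as backed up.
    param([string]$Path, [string]$Type)
    $selected = Get-FilesForBackup -Path $Path -Type $Type
    $marks = ('Normal', 'Incremental' -contains $Type)
    if ($marks) {
        foreach ($f in $selected) {
            # Clear the archive bit, as Backup does after a normal or incremental run
            $f.Attributes = [System.IO.FileAttributes]([int]$f.Attributes -band (-bnot $ArchiveBit))
        }
    }
    New-Object PSObject -Property @{
        Type             = $Type
        Selected         = ($selected | ForEach-Object { $_.Name }) -join ', '
        ClearsArchiveBit = $marks
    }
}

# Constructed sample data in a temporary folder
$work = Join-Path $env:TEMP ('backupdemo-' + [Guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $work | Out-Null
Set-Content -Path (Join-Path $work 'ledger.txt') -Value 'q1 figures'
Set-Content -Path (Join-Path $work 'notes.txt')  -Value 'first draft'

$log = @()
$log += Invoke-SimulatedBackup $work 'Normal'        # both files, bits cleared
$log += Invoke-SimulatedBackup $work 'Differential'  # nothing has changed yet
Add-Content -Path (Join-Path $work 'notes.txt') -Value 'second draft'   # write sets the bit again
$log += Invoke-SimulatedBackup $work 'Differential'  # notes.txt, bit left set
$log += Invoke-SimulatedBackup $work 'Differential'  # notes.txt again: differentials keep growing
$log += Invoke-SimulatedBackup $work 'Incremental'   # notes.txt, bit cleared
$log += Invoke-SimulatedBackup $work 'Incremental'   # nothing: already marked as backed up
$log | Format-Table Type, Selected, ClearsArchiveBit -AutoSize

Remove-Item -LiteralPath $work -Recurse -Force
```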

.NET Framework 3.0


Provides .NET Framework 3.0 APIs for application development. Additional sub features include .NET Framework 3.0 Features, XPS Viewer, and Windows Communication Foundation (WCF) Activation Components.


BitLocker Drive Encryption


Provides hardware-based security to protect data through full-volume encryption that prevents disk tampering while the operating system is offline. Computers that have Trusted Platform Module (TPM) can use BitLocker Drive Encryption in Startup Key or TPM-only mode. Both modes provide early integrity validation.


Background Intelligent Transfer Service (BITS) Server Extensions


Provides intelligent background transfers. When this feature is installed, the server can act as a BITS server that can receive file uploads by clients. This feature isn’t necessary for downloads to clients using BITS.


Connection Manager Administration Kit (CMAK)


Provides functionality for generating Connection Manager Profiles.


Desktop Experience


Provides additional Windows Vista desktop functionality on the server. Windows Vista features added include Windows Media Player, desktop themes, and Windows Photo Gallery. Although these features allow a server to be used like a desktop computer, they can reduce the server’s overall performance.


Failover Clustering


Provides clustering functionality that allows multiple servers to work together to provide high availability for services and applications. Many types of services can be clustered, including file and print services. Messaging and database servers are ideal candidates for clustering.


Group Policy Management


Installs the Group Policy Management Console (GPMC), which provides centralized administration of Group Policy.


Internet Printing Client


Provides functionality that allows clients to use HTTP to connect to printers on Web print servers.


Internet Storage Name Server (iSNS)


Provides management and server functions for Internet SCSI (iSCSI) devices, allowing the server to process registration requests, de-registration requests, and queries from iSCSI devices.


Line Printer Remote (LPR) Port Monitor


Installs the LPR Port Monitor, which allows printing to devices attached to UNIX-based computers.


Message Queuing


Provides management and server functions for distributed message queuing. A group of related sub features is available as well.


Multipath I/O (MPIO)


Provides functionality necessary for using multiple data paths to a storage device.


Network Load Balancing (NLB)


NLB provides failover support and load balancing for IP-based applications and services by distributing incoming application requests among a group of participating servers. Web servers are ideal candidates for load balancing.


Peer Name Resolution Protocol (PNRP)


Provides Link-Local Multicast Name Resolution (LLMNR) functionality that allows peer-to-peer name-resolution services. When you install this feature, applications running on the server can register and resolve names using LLMNR.


Remote Assistance


Allows a remote user to connect to the server to provide or receive Remote Assistance.


Remote Server Administration Tools (RSAT)


Installs role- and feature-management tools that can be used for remote administration of other Windows Server 2008 systems. Options for individual tools are provided or you can install tools by top-level category or subcategory.


Removable Storage Manager (RSM)


Installs the Removable Storage Manager tool, which you can use to manage removable media and removable media devices.


Remote Procedure Call (RPC) over HTTP Proxy


Installs a proxy for relaying RPC messages from client applications over HTTP to the server. RPC over HTTP is an alternative to having clients access the server over a VPN connection.


Simple TCP/IP Services


Installs additional TCP/IP services, including Character Generator, Daytime, Discard, Echo, and Quote of the Day.


Simple Mail Transfer Protocol (SMTP) Server


SMTP is a network protocol for controlling the transfer and routing of e-mail messages. When this feature is installed, the server can act as a basic SMTP server. For a full-featured solution, you’ll need to install a messaging server such as Microsoft Exchange Server 2007.


Simple Network Management Protocol (SNMP) Services


SNMP is a protocol used to simplify management of TCP/IP networks. You can use SNMP for centralized network management if your network has SNMP-compliant devices. You can also use SNMP for network monitoring via network management software.


Storage Manager For SANs


Installs the Storage Manager for SANs console. This console provides a central management interface for storage area network (SAN) devices. You can view storage subsystems, create and manage logical unit numbers (LUNs), and manage iSCSI target devices. The SAN device must support Virtual Disk Service (VDS).


Subsystem for UNIX-based Applications (SUA)


Provides functionality for running UNIX-based programs. You can download additional management utilities from the Microsoft Web site.


Windows Internal Database


Installs SQL Server 2005 Embedded Edition. This allows the server to use relational databases with Windows roles and features that require an internal database, such as AD RMS, UDDI Services, Windows Server Update Services (WSUS), Windows SharePoint Services, and Windows System Resource Manager.


Windows PowerShell


Installs Windows PowerShell, which provides an enhanced command-line environment for managing Windows systems.


Windows Process Activation Service


Provides support for distributed Web-based applications that use HTTP and non-HTTP protocols.


Windows Recovery Environment


You can use the recovery environment to restore a server using recovery options if you cannot access recovery options provided by the server manufacturer.


Windows Server Backup


Allows you to back up and restore the operating system, system state, and any data stored on a server.


Windows System Resource Manager (WSRM)


Allows you to manage resource usage on a per-processor basis.


WINS Server


WINS is a name-resolution service that resolves computer names to IP addresses. Installing this feature allows the computer to act as a WINS server.


Wireless Networking


Allows the server to use wireless networking connections and profiles.

Active Directory Certificate Services (AD CS)


AD CS provides functions necessary for issuing and revoking digital certificates for users, client computers, and servers. Includes these role services: Certification Authority, Certification Authority Web Enrollment, Online Certificate Status Protocol, and Microsoft Simple Certificate Enrollment Protocol (MSCEP).


Active Directory Domain Services (AD DS)


AD DS provides functions necessary for storing information about users, groups, computers, and other objects on the network and makes this information available to users and computers. Domain controllers give network users and computers access to permitted resources on the network.


Active Directory Federation Services (AD FS)


AD FS complements the authentication and access management features of AD DS by extending them to the World Wide Web. Includes these role services and subservices: Federation Service, Federation Service Proxy, AD FS Web Agents, Claims-Aware Agent, and Windows Token-Based Agent.


Active Directory Lightweight Directory Services (AD LDS)


AD LDS provides a data store for directory-enabled applications that do not require AD DS and do not need to be deployed on domain controllers. Does not include additional role services.


Active Directory Rights Management Services (AD RMS)


AD RMS provides controlled access to protected e-mail messages, documents, intranet Web pages, and other types of files. Includes these role services: Active Directory Rights Management Server and Identity Federation Support.


Application Server


Application Server allows a server to host distributed applications built using ASP.NET, Enterprise Services, and .NET Framework 3.0. Includes more than a dozen role services.


DHCP Server


DHCP provides centralized control over Internet Protocol (IP) addressing. DHCP servers can assign dynamic IP addresses and essential TCP/IP settings to other computers on a network. Does not include additional role services.


DNS Server


DNS is a name resolution system that resolves computer names to IP addresses. DNS servers are essential for name resolution in Active Directory domains. Does not include additional role services.


Fax Server


Fax Server provides centralized control over sending and receiving faxes in the enterprise. A fax server can act as a gateway for faxing and allows you to manage fax resources, such as jobs and reports, and fax devices on the server or on the network. Does not include additional role services.


File Services


File Services provide essential services for managing files and the way they are made available and replicated on the network. A number of server roles require some type of file service. Includes these role services and subservices: File Server, Distributed File System, DFS Namespace, DFS Replication, File Server Resource Manager, Services for Network File System (NFS), Windows Search Service, Windows Server 2003 File Services, File Replication Service (FRS), and Indexing Service.


Network Policy And Access Services (NPAS)


NPAS provides essential services for managing routing and remote access to networks. Includes these role services: Network Policy Server (NPS), Routing And Remote Access Services (RRAS), Remote Access Service, Routing, Health Registration Authority, and Host Credential Authorization Protocol (HCAP).


Print Services


Print Services provide essential services for managing network printers and print drivers. Includes these role services: Print Server, LPD Service, and Internet Printing.


Terminal Services


Terminal Services provide services that allow users to run Windows-based applications that are installed on a remote server. When users run an application on a terminal server, the execution and processing occur on the server, and only the data from the application is transmitted over the network. Includes these role services: Terminal Server, TS Licensing, TS Session Broker, TS Gateway, and TS Web Access.


Universal Description Discovery Integration (UDDI) Services


UDDI provides capabilities for sharing information about Web services both within an organization and between organizations. Includes these role services


Web Server (IIS)


Web Server (IIS) is used to host Web sites and Web-based applications. Web sites hosted on a Web server can have both static content and dynamic content. You can build Web applications hosted on a Web server using ASP.NET and .NET Framework 3.0. When you deploy a Web server, you can manage the server configuration using IIS 7.0 modules and administration tools.


Windows Deployment Services (WDS)


WDS provides services for deploying Windows computers in the enterprise. Includes these role services: Deployment Server and Transport Server.


Windows SharePoint Services


Windows SharePoint Services enable team collaboration by connecting people and information. A SharePoint server is essentially a Web server running a full installation of IIS and using managed applications that provide the necessary collaboration functionality.


Windows Server Update Services


Microsoft Windows Server Update Services (WSUS) allows you to distribute updates that are released through Microsoft Update to computers in your organization using centralized servers rather than individual updates.



The /32 and /64 parameters for the mmc command are meaningful only on 64-bit Windows versions. The 64-bit versions of the Windows operating system can run both 32-bit and 64-bit versions of the MMC. For 32-bit versions of the MMC, you use 32-bit snap-ins. For 64-bit versions of the MMC, you use 64-bit snap-ins. You can’t mix and match MMC and snap-in versions, though. The 32-bit version of the MMC can be used only to work with 32-bit snap-ins. Similarly, the 64-bit version of the MMC can be used only to work with 64-bit snap-ins. In most cases, if you aren’t sure which version to use, don’t use the /32 or /64 parameter. This lets the Windows operating system decide which version to use based on the snap-ins contained in the .msc file you are opening.


When a console contains both 32-bit and 64-bit snap-ins and you don’t specify the /32 or /64 parameter, Windows will open a subset of the configured snap-ins. If the console contains more 32-bit snap-ins, Windows will open the 32-bit snap-ins. If the console contains more 64-bit snap-ins, Windows will open the 64-bit snap-ins. If you explicitly use /32 or /64 with a console that contains both 32-bit and 64-bit snap-ins, Windows will open only the snap-ins for that bitness. On 64-bit systems, 32-bit versions of snap-ins are stored in the %SystemRoot%\SysWOW64 folder and 64-bit versions of snap-ins are stored in the %SystemRoot%\System32 folder. By examining the contents of these folders, you can determine whether 32-bit and 64-bit versions of a snap-in are available.

Windows Server 2008 provides several tools that can be used when troubleshooting Kerberos authentication:


Klist.exe: Kerberos List: This tool is installed on Windows Server 2008 domain controllers and is available for download as part of the Windows Server 2003 Resource Kit tools.


Kerberos List is a command-line tool that is used to view and delete Kerberos tickets granted to the current logon session. To use Kerberos List to view tickets, you must run the tool on a computer that is a member of a Kerberos realm.


Kerbtray.exe: Kerberos Tray: Kerberos Tray is available for download as part of the Windows Server 2003 Resource Kit tools.


Kerberos Tray is a graphical user interface tool that displays ticket information for a computer running Microsoft’s implementation of the Kerberos version 5 authentication protocols. You can view and purge the ticket cache by using the Kerberos Tray tool icon located in the notification area of the desktop. By positioning the cursor over the icon, you can view the time left until the initial TGT expires. The icon also changes in the hour before the Local Security Authority (LSA) renews the ticket.


Tokensz.exe: Kerberos Token Size: Kerberos Token Size is available for download from the Microsoft download center.


You can use Kerberos Token Size to verify if the source of the Kerberos errors stems from a maximum token size issue. The tool will simulate an authentication request and report the size of the resulting Kerberos token. The tool will also report the maximum supported size for the token.


Setspn.exe: The Setspn utility is installed on Windows Server 2008 domain controllers and is included in the Windows Server 2003 Support Tools.


The Setspn utility allows you to read, modify, and delete the Service Principal Names (SPN) directory property for an Active Directory service account. Because SPNs are security-sensitive, you can only set SPNs for service accounts if you have domain administrator privileges.


Ksetup.exe: The Ksetup utility is installed on Windows Server 2008 domain controllers and is included in the Windows Server 2003 Support Tools.


The Ksetup utility configures a client connected to a server running Windows Server 2008 to use a server running Kerberos V5. The client then uses a Kerberos V5 realm instead of a Windows Server 2008 domain.


Ktpass.exe: The Ktpass utility is installed on Windows Server 2008 domain controllers and is included in the Windows Server 2003 Support Tools.


The Ktpass utility is used to configure a non–Windows Server Kerberos service as a security principal in the Windows Server 2008 AD DS.


W32tm.exe: Windows Time: This tool is included in Microsoft Windows server and client operating systems.


W32tm.exe is used to configure Windows Time service settings. It can also be used to diagnose problems with the time service.
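
One check worth running with W32tm before the other tools: Kerberos rejects tickets when the client and KDC clocks differ by more than the allowed skew (5 minutes under the default domain policy), and that shows up as ordinary authentication failures. The function below is an added example, not part of the original post; it wraps w32tm /stripchart, treats the "time, offset" line format of /dataonly output as an assumption, and uses dc01.example.com as a placeholder domain controller name.

```powershell
# Added example, not part of the original post: measure the clock offset
# between this computer and a domain controller and compare it with the
# Kerberos maximum tolerance. Requires w32tm.exe (present on Windows Server
# 2008 and later clients) and PowerShell 2.0 or later.
function Test-KerberosClockSkew {
    param(
        [Parameter(Mandatory = $true)][string]$DomainController,
        [int]$MaxSkewSeconds = 300,     # default "Maximum tolerance for computer clock synchronization"
        [int]$Samples = 3
    )
    # /dataonly prints one line per sample, assumed to look like
    # "10:15:01, +00.0421337s" (offset of the target relative to this host)
    $lines = & w32tm /stripchart /computer:$DomainController /samples:$Samples /dataonly 2>&1

    $offsets = @()
    foreach ($line in $lines) {
        if ("$line" -match '([+-]\d+\.\d+)s\s*$') {
            $offsets += [double]$matches[1]
        }
    }
    if ($offsets.Count -eq 0) {
        # Name resolution, firewall (UDP 123) or an unreachable DC all end up here
        throw "No time samples from $DomainController. w32tm output: $($lines -join ' ; ')"
    }

    $worst = ($offsets | ForEach-Object { [Math]::Abs($_) } | Measure-Object -Maximum).Maximum
    New-Object PSObject -Property @{
        DomainController = $DomainController
        SampleCount      = $offsets.Count
        MaxOffsetSeconds = $worst
        WithinKerberosSkew = ($worst -le $MaxSkewSeconds)
    }
}

# Placeholder DC name; substitute one of your own domain controllers.
Test-KerberosClockSkew -DomainController 'dc01.example.com' |
    Format-List DomainController, SampleCount, MaxOffsetSeconds, WithinKerberosSkew
```

A result with WithinKerberosSkew false points at the time service rather than at SPNs or token size, so fixing it (w32tm /resync, or correcting the time source) comes before the other tools listed above.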

The description of how AD DS replication works applies to both intrasite and intersite replication. In both cases, the domain controllers use the same processes to optimize the replication process. However, one of the main reasons to create additional sites in AD DS is to manage replication traffic. Because all of the domain controllers within a site are assumed to be connected with fast network connections, replication between these domain controllers is optimized for maximum speed and reduced latency. However, if the replication traffic has to cross a slow network link, conserving network bandwidth is a much more significant issue. Creating multiple sites allows for this conservation of network bandwidth by enabling features such as data compression and scheduled AD DS replication.


Intrasite Replication


The primary goal for replication within a site is to reduce replication latency, that is, to make sure that all domain controllers in a site are updated as quickly as possible. To accomplish this goal, intrasite replication traffic has the following characteristics:


  • The replication process is initiated by a notification from the sending domain controller. When a change is made to the database, the sending computer notifies a destination domain controller that changes are available. The changes are then pulled from the sending domain controller by the destination domain controller using a remote procedure call (RPC) connection. After this replication is complete, the domain controller notifies another destination domain controller, which then pulls the changes. This process continues until all the replication partners have been updated.
  • Replication occurs almost immediately after a change has been made to the AD DS information. By default, a domain controller will wait for 15 seconds after a change has been made and then begin replicating the changes to other domain controllers in the same site. The domain controller will complete replication with one partner, wait 3 seconds, and then initiate replication with another partner. The reason the domain controller waits 15 seconds after a change is to increase the efficiency of the replication in case additional changes are made to the partition information.
  • The replication traffic is not compressed. Because all the computers within a site are connected with fast network connections, the data is sent without compression. Compressing the replication data adds an additional load on the domain controller server. Uncompressed replication traffic preserves server performance at the expense of network utilization.
  • Replication traffic is sent to multiple replication partners during each replication cycle. Whenever a change is made to the directory, the domain controller will replicate the information to all direct replication partners, which might be all or some of the other domain controllers in the site.


Intersite Replication


The primary goal of replication between sites is to reduce the amount of bandwidth used for replication traffic. This means that intersite replication traffic has the following characteristics:


  • Replication is initiated according to a schedule rather than when changes are made. To manage replication between sites, you must configure a site link connecting the two sites. One of the configuration options on the site link is a schedule for when replication will occur. Another is the replication interval setting for how often replication will occur during the scheduled time. If the bandwidth between company locations is limited, the replication can be scheduled to happen during nonworking hours.
  • Replication traffic is compressed down to about 40 percent of the noncompressed size when replication traffic is more than 32 KB in size. To save bandwidth on the network connection, the bridgehead servers in each site compress the traffic at the expense of additional CPU usage.
  • Notifications are not used to alert a domain controller in another site that changes to the directory are available. Instead, the schedule determines when to replicate. Note: You can disable compression for intersite replication and enable notifications.
  • Intersite replication connections can use either an Internet Protocol (IP) or a Simple Mail Transfer Protocol (SMTP) transport. SMTP can be used as a transport protocol only for the configuration, schema, and application directory partitions, not for the domain partition. The connection protocol you use is determined by the available bandwidth and the reliability of the network that connects company locations.
  • Replication traffic is sent through bridgehead servers rather than to multiple replication partners. When changes are made to the directory in one site, the changes are replicated to a single bridgehead server (per directory partition) in that site, and the changes are then replicated to a bridgehead server in the other site. The changes are replicated from the bridgehead server in the second site to all the domain controllers in that site.
  • You can easily modify the flow of replication between sites. Almost every component of intersite replication can be changed.
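
The site link settings described above (interval, cost, the optional schedule, and the switches for notification and compression) live on siteLink objects in the configuration partition and can be read without any change. The function below is an added example, not part of the original post; it assumes a domain-joined computer with PowerShell 2.0 or later and read access to the configuration partition, and it decodes the siteLink options bit field, where bit 1 enables change notification and bit 4 disables compression.

```powershell
# Added example, not part of the original post: list every IP site link with
# the replication settings that govern intersite traffic. Read-only.
function Get-SiteLinkReplicationSettings {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = [string]$rootDse.configurationNamingContext
    # Site links for the IP transport; SMTP links live under CN=SMTP instead
    $ipTransport = [ADSI]"LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

    foreach ($link in $ipTransport.Children) {
        if ($link.SchemaClassName -ne 'siteLink') { continue }

        # 'options' is a bit field that is simply absent when no option is set
        $options = 0
        if ($link.Properties['options'].Count -gt 0) {
            $options = [int]$link.Properties['options'][0]
        }
        # No 'schedule' attribute means the link is available for replication at all times
        $hasSchedule = ($link.Properties['schedule'].Count -gt 0)

        # siteList holds the DNs of the sites joined by this link; keep only the site names
        $sites = ($link.Properties['siteList'] |
            ForEach-Object { (("$_" -split ',')[0]) -replace '^CN=', '' }) -join ', '

        New-Object PSObject -Property @{
            SiteLink            = [string]$link.Properties['name'][0]
            Sites               = $sites
            IntervalMinutes     = [int]$link.Properties['replInterval'][0]
            Cost                = [int]$link.Properties['cost'][0]
            HasCustomSchedule   = $hasSchedule
            NotificationEnabled = (($options -band 1) -ne 0)   # USE_NOTIFY
            CompressionDisabled = (($options -band 4) -ne 0)   # DISABLE_COMPRESSION
        }
    }
}

Get-SiteLinkReplicationSettings |
    Format-Table SiteLink, Sites, IntervalMinutes, Cost, HasCustomSchedule, NotificationEnabled, CompressionDisabled -AutoSize
```

A link showing NotificationEnabled or CompressionDisabled set to True is one where someone has traded bandwidth for latency or CPU, which is worth knowing when the reason for creating the site was to conserve the WAN link.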

The Encrypting File System (EFS) is one feature made possible by reparse points in Windows Server 2008 that enhances security for local files on NTFS volumes. EFS is useful for securing files on any system, but it is most useful on systems that can easily be stolen or physically compromised, such as notebook and tablet PCs. EFS is integrated within NTFS and therefore is applicable only to files on NTFS volumes. FAT16 and FAT32 volumes do not support EFS. Only files can be encrypted; folders cannot, even on NTFS volumes. However, folders are marked to indicate that they contain encrypted data. EFS is designed to protect files locally, and therefore does not support sharing of encrypted files. You can store your own encrypted files on a remote server and access those files yourself. The data is not encrypted during transmission across the network, however, unless you use Internet Protocol Security (IPsec) to encrypt IP traffic (assuming you are using TCP/IP as the network protocol for transferring the file).
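
To verify the preconditions listed above on a given path, here is an added example that is not part of the original post: it reports the volume format (EFS needs NTFS) and the Encrypted attribute of each file, then encrypts a constructed temporary file through the .NET File.Encrypt API to show the attribute change. It assumes PowerShell 2.0 or later, a local (non-UNC) path, and an account that is permitted to use EFS.

```powershell
# Added example, not part of the original post: report whether files under a
# local path are EFS-encrypted and whether the volume can hold them at all.
function Get-EfsStatus {
    param([Parameter(Mandatory = $true)][string]$Path)
    $encryptedBit = [int][System.IO.FileAttributes]::Encrypted

    # DriveInfo needs a local drive root such as C:\, so resolve the path first
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $root     = [System.IO.Path]::GetPathRoot($fullPath)
    $format   = (New-Object System.IO.DriveInfo($root)).DriveFormat   # "NTFS", "FAT32", ...

    Get-ChildItem -LiteralPath $fullPath -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                File         = $_.FullName
                VolumeFormat = $format
                EfsPossible  = ($format -eq 'NTFS')    # FAT16/FAT32 cannot hold encrypted files
                Encrypted    = (([int]$_.Attributes -band $encryptedBit) -ne 0)
            }
        }
}

# Constructed sample: one file in a fresh temporary folder
$demoDir  = Join-Path $env:TEMP ('efsdemo-' + [Guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demoDir | Out-Null
$demoFile = Join-Path $demoDir 'note.txt'
Set-Content -Path $demoFile -Value 'locally protected note'

Get-EfsStatus -Path $demoDir | Format-Table File, VolumeFormat, EfsPossible, Encrypted -AutoSize

try {
    # Encrypts in place for the current user; throws on non-NTFS volumes or
    # where EFS is disabled by policy, which is exactly the condition to surface
    [System.IO.File]::Encrypt($demoFile)
} catch {
    Write-Warning "Encrypt failed: $($_.Exception.Message)"
}

Get-EfsStatus -Path $demoDir | Format-Table File, VolumeFormat, EfsPossible, Encrypted -AutoSize
Remove-Item -LiteralPath $demoDir -Recurse -Force
```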