Windows Server 2008

Released in February 2008, Windows Server 2008 is a Microsoft operating system that shares the same code as Windows Vista. Ask questions about its features and system requirements here.


What section of Group Policy allows you to configure the maximum allowable clock skew between a client and a domain controller?

Kerberos Policy. This is found under:

+Computer Configuration

+Windows Settings

+Security Settings

+Account Policies

+Kerberos Policies

Free licence key for Windows Server 2008?

Download the Windows Evaluation copy - you get up to 180 days of usage.

What is used to enable Windows Server 2008 to support UNIX and Linux clients?

The Subsystem for UNIX-based Applications (SUA)

For a UNIX or Linux client, SUA creates a multiuser environment complete with commands, case-sensitive abilities, programming tools, shells (runtime environments), and scripts. With SUA installed, even UNIX/Linux programs can be ported over to Windows Server 2008.

Why is 64-bit architecture an advantage in Windows Server 2008?

· Physical memory

A 32-bit system architecture can directly address only a 4-GB address space. A 64-bit system architecture that is running a 64-bit edition of Windows Server can support up to 1,024 GB of both physical and addressable memory.

· Virtual memory

The 64-bit editions of Windows Server can address 16 terabytes of virtual memory by using a flat addressing model. Virtual memory is divided equally between virtual address space for applications and the operating system. Even 32-bit applications can benefit from increased virtual memory address space when they are running in a 64-bit environment. For example, although a 32-bit application is still restricted to 4 GB of virtual memory, it no longer has to share that memory space with the operating system. As a result, it receives an effective increase in available virtual memory.

· Continuous memory

Poor performance in 32-bit systems is often not the result of a lack of available memory, but the unavailability of large enough blocks of continuous memory. In a typical Windows SharePoint Services 3.0 deployment, Windows, Internet Information Services (IIS), common language runtime (CLR), ASP.NET, SharePoint Products and Technologies, SSPs, and MDACs can all claim a portion of a server's available virtual memory and can leave a 32-bit address space quite fragmented. When the CLR or SharePoint services request new memory blocks, it can be difficult to find a 64-MB segment in the crowded 32-bit address space. A 64-bit system offers practically unlimited address space for user mode processes.

· Better parallel processing

A server that is using 32-bit architecture is limited to 32 CPUs. Improvements in parallel processing and bus architectures enable 64-bit environments to support as many as 64 processors and provide almost linear scalability with each additional processor.

· Faster bus architecture

A 64-bit architecture provides more and wider general-purpose registers, which contribute to greater overall application speed. When there are more registers, there is less need to write persistent data to memory and then have to read it back just a few instructions later. Function calls are also faster in a 64-bit environment because as many as four arguments at a time can be passed in registers to a function.

· More secure

The 64-bit editions of Windows Server offer the following enhanced security features:

· Buffer overflow protection

A buffer overflow occurs when a data buffer is congested with more data than it is designed to handle. In 64-bit editions of Windows Server, the first parameters of a procedure call are passed in registers. As a result, it is less likely that the buffer will overflow, because the correct values have to be set up in registers and the variables and addresses have to be aligned on the stack.

· Data execution protection

The 64-bit processors made by AMD and Intel include hardware support for data execution prevention (DEP). Windows Server uses DEP to prevent malicious code from being able to execute, even when a buffer overrun occurs. Even without a processor that supports DEP, Windows Server can detect code that is running in memory locations where it should not be.

· Patch Guard

Microsoft Patch Guard technology prevents non-Microsoft programs from patching the Windows kernel. This technology prevents kernel mode drivers from extending or replacing kernel services, including system service dispatch tables, the interrupt descriptor table (IDT), and the global descriptor table (GDT). Third-party software is also prevented from allocating kernel stacks or patching any part of the kernel.

· Better scalability

In a 64-bit environment, not only can database servers gain nearly unlimited virtual memory address space, but they also gain support for more physical memory. It is possible for a 64-bit server that is running 64-bit editions of Windows Server and SQL Server to get very large working data sets entirely into RAM, thereby improving performance and scalability. In addition, the number of application servers that are required to support a given user base can be substantially reduced because a 64-bit environment does not require worker processes to cycle as often. This reduced cycling results in fewer lost connections, improved I/O handling, and a better user experience.

· Lower total cost of ownership

All the benefits of 64-bit operation that are listed in the previous sections enable you to do more with less. A 64-bit environment allows you to manage more data, serve more users, and run more applications while using less hardware. By reducing hardware, you are also able to reduce license, operations, and infrastructure costs. It takes up less floor space in your data center and costs less to maintain. Finally, because a Windows SharePoint Services 3.0 farm that uses 64-bit hardware and software provides more room for growth, you can spend less over time on equipment because the life cycle of your equipment is likely to be longer.

What is a bridgehead server in Active Directory?

The bridgehead server is a domain controller that has been either administratively assigned or automatically chosen to replicate changes collected from other domain controllers in the site to bridgehead servers in other sites.

What are reasonable requirements that a superpeer should meet?

1. Normal nodes should have low latency access to super peers.

2. Superpeers should be evenly distributed across the overlay network.

3. There should be a predefined portion of superpeers relative to the total number of nodes in the overlay network.

4. Each super peer should not need to serve more than a fixed number of normal nodes.

What naming context is replicated across the domain?

The schema naming context and the configuration naming context are replicated across the domains in the forest.

What is white space in Active Directory?

During ordinary operation, the white space in the Active Directory database file becomes fragmented. Each time garbage collection runs (every 12 hours, by default), white space is automatically defragmented online to optimize its use within the database file. The unused disk space is thereby maintained for the database; it is not returned to the file system.

What are the modifications to DNS for accommodating RODC?

AD DS: Read-Only Domain Controllers

A read-only domain controller (RODC) is a new type of domain controller in the Windows Server® 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory® Domain Services (AD DS) database.

Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a wide area network (WAN), there was no real alternative. In many cases, this was not an efficient solution. Branch offices often cannot provide the adequate physical security that is required for a writable domain controller. Furthermore, branch offices often have poor network bandwidth when they are connected to a hub site. This can increase the amount of time that is required to log on. It can also hamper access to network resources.

Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. As a result, users in this situation can receive the following benefits:

* Improved security

* Faster logon times

* More efficient access to resources on the network

What does an RODC do?

Inadequate physical security is the most common reason to consider deploying an RODC. An RODC provides a way to deploy a domain controller more securely in locations that require fast and reliable authentication services but cannot ensure physical security for a writable domain controller.

However, your organization may also choose to deploy an RODC for special administrative requirements. For example, a line-of-business (LOB) application may run successfully only if it is installed on a domain controller. Or, the domain controller might be the only server in the branch office, and it may have to host server applications.

In such cases, the LOB application owner must often log on to the domain controller interactively or use Terminal Services to configure and manage the application. This situation creates a security risk that may be unacceptable on a writable domain controller.

An RODC provides a more secure mechanism for deploying a domain controller in this scenario. You can grant a nonadministrative domain user the right to log on to an RODC while minimizing the security risk to the Active Directory forest.

You might also deploy an RODC in other scenarios where local storage of all domain user passwords is a primary threat, for example, in an extranet or application-facing role.

Who will be interested in this feature?

RODC is designed primarily to be deployed in remote or branch office environments. Branch offices typically have the following characteristics:

* Relatively few users

* Poor physical security

* Relatively poor network bandwidth to a hub site

* Little knowledge of information technology (IT)

You should review this section, and the additional supporting documentation about RODC, if you are in any of the following groups:

* IT planners and analysts who are technically evaluating the product

* Enterprise IT planners and designers for organizations

* Those responsible for IT security

* AD DS administrators who deal with small branch offices

Are there any special considerations?

To deploy an RODC, at least one writable domain controller in the domain must be running Windows Server 2008. In addition, the functional level for the domain and forest must be Windows Server 2003 or higher.

For more information about prerequisites for deploying an RODC,

What new functionality does this feature provide?

RODC addresses some of the problems that are commonly found in branch offices. These locations might not have a domain controller. Or, they might have a writable domain controller but not the physical security, network bandwidth, or local expertise to support it. The following RODC functionality mitigates these problems:

* Read-only AD DS database

* Unidirectional replication

* Credential caching

* Administrator role separation

* Read-only Domain Name System (DNS)

Read-only AD DS database

Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the RODC. Changes must be made on a writable domain controller and then replicated back to the RODC.

Local applications that request Read access to the directory can obtain access. Lightweight Directory Application Protocol (LDAP) applications that request Write access receive an LDAP referral response. This response directs them to a writable domain controller, normally in a hub site.

RODC filtered attribute set

Some applications that use AD DS as a data store might have credential-like data (such as passwords, credentials, or encryption keys) that you do not want to be stored on an RODC in case the RODC is compromised.

For these types of applications, you can dynamically configure a set of attributes in the schema for domain objects that will not replicate to an RODC. This set of attributes is called the RODC filtered attribute set. Attributes that are defined in the RODC filtered attribute set are not allowed to replicate to any RODCs in the forest.

A malicious user who compromises an RODC can attempt to configure it in such a way that it tries to replicate attributes that are defined in the RODC filtered attribute set. If the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2008, the replication request is denied. However, if the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2003, the replication request can succeed.

Therefore, as a security precaution, ensure that forest functional level is Windows Server 2008 if you plan to configure the RODC filtered attribute set. When the forest functional level is Windows Server 2008, an RODC that is compromised cannot be exploited in this manner because domain controllers that are running Windows Server 2003 are not allowed in the forest.

You cannot add system-critical attributes to the RODC filtered attribute set. An attribute is system-critical if it is required for AD DS; Local Security Authority (LSA); Security Accounts Manager (SAM); and Microsoft-specific Security Service Provider Interfaces (SSPIs), such as Kerberos; to function properly. A system-critical attribute has a schemaFlagsEx attribute value equal to 1 (schemaFlagsEx attribute value & 0x1 = TRUE).

The RODC filtered attribute set is configured on the server that holds the schema operations master role. If you try to add a system-critical attribute to the RODC filtered set while the schema master is running Windows Server 2008, the server returns an "unwillingToPerform" LDAP error. If you try to add a system-critical attribute to the RODC filtered attribute set on a Windows Server 2003 schema master, the operation appears to succeed but the attribute is not actually added. Therefore, it is recommended that the schema master be a Windows Server 2008 domain controller when you add attributes to RODC filtered attribute set. This ensures that system-critical attributes are not included in the RODC filtered attribute set.

Unidirectional replication

Because no changes are written directly to the RODC, no changes originate at the RODC. Accordingly, writable domain controllers that are replication partners do not have to pull changes from the RODC. This means that any changes or corruption that a malicious user might make at branch locations cannot replicate from the RODC to the rest of the forest. This also reduces the workload of bridgehead servers in the hub and the effort required to monitor replication.

RODC unidirectional replication applies to both AD DS and Distributed File System (DFS) Replication of SYSVOL. The RODC performs normal inbound replication for AD DS and SYSVOL changes.

Note

Any other shares on an RODC that you configure to replicate using DFS Replication would be bidirectional.

RODCs also perform automatic load balancing of inbound replication connection objects across a set of bridgehead servers in a hub site.

Credential caching

Credential caching is the storage of user or computer credentials. Credentials consist of a small set of approximately 10 passwords that are associated with security principals. By default, an RODC does not store user or computer credentials. The exceptions are the computer account of the RODC and a special krbtgt account that each RODC has. You must explicitly allow any other credential caching on an RODC.

The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different krbtgt account and password than the KDC on a writable domain controller uses when it signs or encrypts ticket-granting ticket (TGT) requests.

After an account is successfully authenticated, the RODC attempts to contact a writable domain controller at the hub site and requests a copy of the appropriate credentials. The writable domain controller recognizes that the request is coming from an RODC and consults the Password Replication Policy in effect for that RODC.

The Password Replication Policy determines if a user's credentials or a computer's credentials can be replicated from the writable domain controller to the RODC. If the Password Replication Policy allows it, the writable domain controller replicates the credentials to the RODC, and the RODC caches them.

After the credentials are cached on the RODC, the RODC can directly service that user's logon requests until the credentials change. (When a TGT is signed with the krbtgt account of the RODC, the RODC recognizes that it has a cached copy of the credentials. If another domain controller signs the TGT, the RODC forwards requests to a writable domain controller.)

By limiting credential caching only to users who have authenticated to the RODC, the potential exposure of credentials by a compromise of the RODC is also limited. Typically, only a small subset of domain users has credentials cached on any given RODC. Therefore, in the event that the RODC is stolen, only those credentials that are cached can potentially be cracked.

Leaving credential caching disabled might further limit exposure, but it results in all authentication requests being forwarded to a writable domain controller. An administrator can modify the default Password Replication Policy to allow users' credentials to be cached at the RODC.

Administrator role separation

You can delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain or other domain controllers. This permits a local branch user to log on to an RODC and perform maintenance work on the server, such as upgrading a driver. However, the branch user cannot log on to any other domain controller or perform any other administrative task in the domain. In this way, the branch user can be delegated the ability to effectively manage the RODC in the branch office without compromising the security of the rest of the domain.

Read-only DNS

You can install the DNS Server service on an RODC. An RODC is able to replicate all application directory partitions that DNS uses, including ForestDNSZones and DomainDNSZones. If the DNS server is installed on an RODC, clients can query it for name resolution as they query any other DNS server.

However, the DNS server on an RODC is read-only and therefore does not support client updates directly. For more information about how DNS client updates are processed by a DNS server on an RODC,

What settings have been added or changed?

To support the RODC Password Replication Policy, Windows Server 2008 AD DS includes new attributes. The Password Replication Policy is the mechanism for determining whether a user's credentials or a computer's credentials are allowed to replicate from a writable domain controller to an RODC. The Password Replication Policy is always set on a writable domain controller running Windows Server 2008.

AD DS attributes that are added in the Windows Server 2008 Active Directory schema to support RODCs include the following:

* msDS-Reveal-OnDemandGroup

* msDS-NeverRevealGroup

* msDS-RevealedList

* msDS-AuthenticatedToAccountList

For more information about these attributes, see the RODC Planning and Deployment Guide

How should I prepare to deploy this feature?

The prerequisites for deploying an RODC are as follows:

* The RODC must forward authentication requests to a writable domain controller running Windows Server 2008. The Password Replication Policy is set on this domain controller to determine if credentials are replicated to the branch location for a forwarded request from the RODC.

* The domain functional level must be Windows Server 2003 or higher so that Kerberos constrained delegation is available. Constrained delegation is used for security calls that must be impersonated under the context of the caller.

* The forest functional level must be Windows Server 2003 or higher so that linked-value replication is available. This provides a higher level of replication consistency.

* You must run adprep /rodcprep once in the forest to update the permissions on all the DNS application directory partitions in the forest. This way, all RODCs that are also DNS servers can replicate the permissions successfully.

http://technet.microsoft.com/en-us/library/cc732801%28WS.10%29.aspx
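
The Password Replication Policy decision described in the answer above, as an added example that is not part of the original answer or of Microsoft's code. It models the four RODC attributes as plain sets of account names (a simplification), assumes that the deny list wins over the allow list and that an account on neither list is not cached, and uses constructed group and account names throughout.

```python
# Constructed directory data: group -> direct members (accounts or nested groups).
GROUPS = {
    "Branch01-Users": {"alice", "bob", "Branch01-Kiosks"},
    "Branch01-Kiosks": {"kiosk1$"},
    "Domain Admins": {"carol"},
    "Denied RODC Password Replication Group": {"Domain Admins", "svc-backup"},
}

# The four attributes named on the page, with constructed values for one RODC.
RODC = {
    "msDS-Reveal-OnDemandGroup": {"Branch01-Users", "carol"},               # allow list
    "msDS-NeverRevealGroup": {"Denied RODC Password Replication Group"},    # deny list
    "msDS-RevealedList": {"alice", "bob", "svc-backup"},                    # cached here
    "msDS-AuthenticatedToAccountList": {"alice", "bob", "carol", "kiosk1$"},
}


def expand(principals, groups=GROUPS):
    """Resolve users and groups to the accounts they cover, following nesting."""
    accounts, todo, seen = set(), list(principals), set()
    while todo:
        name = todo.pop()
        if name in seen:          # guards against circular group nesting
            continue
        seen.add(name)
        if name in groups:
            todo.extend(groups[name])
        else:
            accounts.add(name)
    return accounts


def may_cache(account, rodc=RODC):
    """Would the writable DC replicate this account's credentials to the RODC?"""
    if account in expand(rodc["msDS-NeverRevealGroup"]):
        return False              # explicit deny beats any allow entry
    return account in expand(rodc["msDS-Reveal-OnDemandGroup"])


def audit(rodc=RODC):
    """Summarise credential exposure for one RODC."""
    revealed = rodc["msDS-RevealedList"]
    authenticated = rodc["msDS-AuthenticatedToAccountList"]
    return {
        # Passwords to reset if the RODC is stolen or compromised.
        "reset_if_stolen": sorted(revealed),
        # Cached earlier, but the current policy would refuse them: investigate.
        "cached_against_policy": sorted(a for a in revealed if not may_cache(a)),
        # Log on at the branch but are always forwarded to the hub.
        "always_forwarded": sorted(a for a in authenticated if not may_cache(a)),
    }


if __name__ == "__main__":
    for key, accounts in audit().items():
        print(f"{key}: {', '.join(accounts) or '-'}")
```

Here `carol` is listed directly on the allow list but is still refused, because her membership in a group on the deny list takes precedence.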
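
A review of the RODC filtered attribute set rules from the same answer, as an added example that is not part of the original answer. The attribute names and flag values in `SCHEMA` are constructed; the `searchFlags` bits 0x80 (confidential) and 0x200 (RODC filtered) are not stated on the page and are used here as the standard schema bit values, and the model assumes a non-critical attribute can be added on either schema master version.

```python
SYSTEM_CRITICAL = 0x001  # schemaFlagsEx bit, as stated on the page
CONFIDENTIAL = 0x080     # searchFlags bit: confidential attribute
RODC_FILTERED = 0x200    # searchFlags bit: member of the RODC filtered attribute set

# Constructed schema excerpt; every attribute name is hypothetical.
SCHEMA = {
    "exampleCoreAttr":  {"searchFlags": 0x000, "schemaFlagsEx": 0x1},
    "exampleVaultKey":  {"searchFlags": 0x080, "schemaFlagsEx": 0x0},
    "exampleAppSecret": {"searchFlags": 0x280, "schemaFlagsEx": 0x0},
    "exampleBadgePin":  {"searchFlags": 0x200, "schemaFlagsEx": 0x0},
    "exampleNickname":  {"searchFlags": 0x000, "schemaFlagsEx": 0x0},
}


def is_system_critical(attr):
    return bool(attr["schemaFlagsEx"] & SYSTEM_CRITICAL)


def add_to_filtered_set(attr, schema_master):
    """Model the page's description; returns (ldap_result, resulting searchFlags)."""
    if is_system_critical(attr):
        if schema_master == "2008":
            return "unwillingToPerform", attr["searchFlags"]
        # Windows Server 2003 schema master: reports success, changes nothing.
        return "success", attr["searchFlags"]
    return "success", attr["searchFlags"] | RODC_FILTERED


def add_verified(attr, schema_master):
    """Trust the flag read back after the write, not the LDAP result code."""
    result, flags = add_to_filtered_set(attr, schema_master)
    return result == "success" and bool(flags & RODC_FILTERED)


def review(schema):
    """Find attributes whose flags leave credential-like data exposed on an RODC."""
    report = {"replicates_to_rodc": [], "filtered_not_confidential": []}
    for name, attr in sorted(schema.items()):
        if is_system_critical(attr):
            continue  # can never be part of the filtered attribute set
        flags = attr["searchFlags"]
        if flags & CONFIDENTIAL and not flags & RODC_FILTERED:
            # Treated as sensitive, yet still replicated to every RODC.
            report["replicates_to_rodc"].append(name)
        elif flags & RODC_FILTERED and not flags & CONFIDENTIAL:
            # Microsoft's RODC guidance recommends marking filtered attributes
            # confidential as well.
            report["filtered_not_confidential"].append(name)
    return report


if __name__ == "__main__":
    print(review(SCHEMA))
    print(add_to_filtered_set(SCHEMA["exampleCoreAttr"], "2003"))
```

The read-back in `add_verified` is what catches the Windows Server 2003 case, where the operation appears to succeed but the attribute is not added.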

Why can't you save files as 3ds in 3D Studio Max nine?

Try export not save as.

You should see other options such as obj which is considered better.

Daniel

The Server Core version of Windows Server 2008 Enterprise Edition can be upgraded to the full installation without a complete reinstallation of the OS?

False. You cannot upgrade from Server Core to Full version unless you perform a complete operating system re-installation.

What are some reliable Windows server backup solutions?

Acronis Backup and Restore is a reliable Windows server backup solution, though it is costly. Other solutions include programs such as Symantec Backup Exec, Carbonite, and Windows NT Backup.
