2008r1differences r2 Ver 1

Date post: 09-Jan-2016
Upload: joe-huffman
  • Windows Server 2008 R2: Summary of Changes from R1 to R2 1

Windows Server 2008 R2

Summary of Changes from R1 to R2

Windows Server 2008 was Microsoft's most ambitious server operating system update since Windows 2000 Server. Windows Server 2008 R2 improves upon the original release of Windows Server 2008 in many key areas. Some of the changes, which enhance functionality, can be clearly seen in the user interface; others are subtle, behind-the-scenes changes that improve reliability, security, and performance.

This supplementary document is intended to be used with the Microsoft Windows Server 2008 books published by Course Technology that prepare students for the Microsoft MCTS and MCITP certification exams. This document is organized according to the objectives of the 70-640, 70-642, and 70-643 MCTS certification exams. Because the MCITP exams (70-646 and 70-647) focus on planning and implementing the technologies covered in the MCTS exams instead of introducing new technologies, the MCITP exam objectives are not explicitly covered, but they are covered implicitly. Changes that do not fit neatly with a particular exam objective are covered in the section General Changes from Windows Server 2008 to Windows Server 2008 R2.

This document does not attempt to be exhaustive in its coverage of R2 changes; rather, it focuses on changes that most pertain to the certification exams and changes that most affect a reader's ability to work with Windows Server 2008.

General Changes from Windows Server 2008 R1 to Windows Server 2008 R2

Changes between Windows Server 2008 and Windows Server 2008 R2 that are not necessarily related to a particular certification exam objective include:

Windows Server 2008 Foundation edition: In addition to the usual Standard, Enterprise, and Datacenter editions, Microsoft introduced Windows Server 2008 R2 Foundation edition. This is designed to be pre-installed on original equipment manufacturer (OEM) servers and used in businesses with 15 or fewer users. Windows Server 2008 R2 Foundation does not require client access licenses and cannot operate in multi-domain forests. For more on Windows Server 2008 R2 Foundation, see www.microsoft.com/windowsserver2008/en/us/foundation.aspx.

64-bit only: With Windows Server 2008 R2, Microsoft has made the plunge into an exclusively 64-bit OS. All editions of Windows Server 2008 R2 are 64-bit OSs and can only be run on a 64-bit CPU. If you are running older 32-bit hardware, you cannot upgrade to Windows Server 2008 R2 on that hardware. In most cases, this limitation will not be a problem because all modern CPUs since about 2005, particularly those designed for servers, are 64-bit CPUs. However, this 64-bit-only limitation does not apply to the Windows client line of OSs as of this writing.

256 CPU cores supported: Up from 64 CPU cores supported in the original Windows Server 2008, Windows Server 2008 R2 supports 256 CPU cores.

Server Manager enhancements: Server Manager has undergone some changes, most notably the ability to use it to remotely manage a Windows Server 2008 R2 server. This allows you to connect Server Manager to a remote server running Windows Server 2008 R2. You can create a custom MMC and add multiple instances of the Server Manager snap-in, with each instance connected to a different server. Figure 1 shows a custom MMC with three instances of Server Manager, each connected to a different server.

Figure 1. Server Manager remote management with a custom MMC

Other Server Manager enhancements include the Best Practices Analyzer, additional Windows PowerShell cmdlets, and additional roles and features that can be installed from Server Manager. The Best Practices Analyzer (BPA), available for selected roles, provides administrators with a report that lists violations of best practices for the installation and configuration of the selected role. Figure 2 shows an example of a report produced by the BPA for the Active Directory Domain Services role.

Figure 2. Best Practices Analyzer in Server Manager

Windows PowerShell 2.0, now installed by default on Windows Server 2008 R2, contains new cmdlets for managing Windows Server 2008 R2, including the ability to install, uninstall, and view information about roles and features. These cmdlets are Add-WindowsFeature, Get-WindowsFeature, and Remove-WindowsFeature.

Changes to the available roles and features in Server Manager include the renaming of Terminal Services to Remote Desktop Services, which now supports the Aero Glass UI, multiple monitors, and DirectX versions 9-11, and the renaming of Print Services to Print and Document Services. Windows Software Update Services (WSUS) can now be installed using Server Manager instead of requiring a separate download. Several new features are available in Windows Server 2008 R2 and can be installed using Server Manager. They are discussed in the appropriate sections of this document.

Server Core supports the .NET Framework: The Server Core installation option of Windows Server 2008 R2 now supports a subset of the .NET Framework, which, among other things, allows Server Core to run PowerShell 2.0 and ASP.NET applications.

User Account Control (UAC) changes: UAC was introduced in Windows Vista and Windows Server 2008 and is designed to reduce the likelihood that malicious software will be inadvertently installed. However, some users and administrators felt that the number of prompts they had to answer to perform common tasks was excessive. UAC in Windows Server 2008 R2 is improved by increasing the number of tasks that can be performed without administrator approval. The new and improved UAC also allows administrators to configure UAC in Control Panel (see Figure 3) to choose aspects of its behavior, such as when and if the desktop should be dimmed and whether UAC should prompt when making changes to Windows settings.

Figure 3. User Account Control configuration

Core parking: Most systems today run one or more CPUs with multiple cores. Core parking enables the OS to suspend cores that are not in use, thereby reducing power consumption. When CPU requirements increase, suspended cores can be reactivated immediately to meet the increase in performance requirements.

70-640 Exam Objectives R2 Changes

We will now cover the most important changes in Windows Server 2008 R2 as they pertain to the 70-640: Windows Server 2008 Active Directory, Configuring MCTS exam. The first section discusses general changes that apply to Active Directory administration but do not fit directly with an exam objective. The subsequent sections are organized by the individual exam objectives. If no relevant changes apply to an exam objective, the objective is omitted.

General Changes that Pertain to 70-640 Exam Content

The following subsections describe changes in Windows Server 2008 R2 that pertain to the 70-640 exam but do not fit a specific exam objective; instead, they apply to Active Directory configuration in general:

Active Directory Administrative Center (ADAC)
Active Directory Web Service (ADWS)
Active Directory PowerShell 2.0 New Cmdlets

Active Directory Administrative Center (ADAC)

Perhaps the biggest visual change in Active Directory configuration is the new Active Directory Administrative Center. Whereas Active Directory Users and Computers is a more data-oriented tool, ADAC is task-oriented, providing administrators with easy access to commonly performed tasks. The initial screen of ADAC, shown in Figure 4, illustrates the task-oriented nature of this new tool, giving administrators quick access to password changes and Active Directory search. ADAC does not replace Active Directory Users and Computers or the other Active Directory-specific management consoles, but it will eventually include functions for Active Directory Domains and Trusts and Active Directory Sites and Services as well as provide graphical interfaces to functions such as the new Active Directory Recycle Bin and fine-grained password policies. Built on Windows PowerShell, this new tool will give administrators a single interface to manage almost every aspect of their Active Directory infrastructure. For now, administrators can perform most of the functions provided in Active Directory Users and Computers, but with a new task-oriented interface. The tasks that can be performed include:

Connecting to and managing remote domains and domain controllers
Filtering Active Directory data
Creating new and managing existing user, group, and computer accounts
Creating new and managing existing organizational units

In addition to running on Windows Server 2008 R2, ADAC can be installed on Windows 7 as part of the Remote Server Administration Tools (RSAT) available on the Microsoft download site.

Figure 4. Active Directory Administrative Center

Active Directory Web Service (ADWS)

Active Directory Web Service (ADWS) is a new service that provides a Web interface to Active Directory domains, Active Directory Lightweight Directory Services (ADLDS) instances, and Active Directory Database Mounting Tool instances. Both the Active Directory Windows PowerShell module and ADAC depend on this service, so it is installed and enabled by default when Active Directory or ADLDS instances are installed. ADWS requires TCP port 9389 to be open, and a Windows Firewall exception is automatically created. However, if Group Policy is used to configure the server firewall, the relevant GPO must be edited to allow this exception. ADWS (referred to as Active Directory Management Gateway Service) can be installed as an update for Windows Server 2008 and Windows Server 2003 servers.

Active Directory PowerShell 2.0 New Cmdlets

The Active Directory module for Windows PowerShell provides over 75 new cmdlets for managing Active Directory and Active Directory objects. These new cmdlets allow administrators to perform a host of configuration, administration, and diagnostic tasks in the Active Directory (and ADLDS) environment. Although the cmdlets are too numerous to list here, the following list describes a few of the tasks that can be performed using PowerShell:

Unlock-ADAccount: Unlock an account
Set-ADAccountPassword: Change an account password
New-ADComputer: Create a new computer account
Set-ADDefaultDomainPasswordPolicy: Change the default password policy
Set-ADDomainMode: Set the domain functional level
Set-ADFineGrainedPasswordPolicy: Modify a fine-grained password policy
New-ADGroup: Create a new group account
New-ADUser: Create a new user account

For a complete list of cmdlets available with PowerShell 2.0 and the Active Directory module, see http://technet.microsoft.com/en-us/library/ee617195.aspx.
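The following script is an added example, not part of the original document, showing how the Active Directory module cmdlets above combine into routine account-hygiene checks; it assumes the Active Directory Module for Windows PowerShell on an R2 domain controller or RSAT workstation, and the OU path and the account name "jdoe" are placeholders.

```powershell
# Added example, not from the original document: account-hygiene checks with the
# Windows Server 2008 R2 Active Directory module. Assumes the Active Directory
# Module for Windows PowerShell on an R2 DC or an RSAT workstation, run by an
# account allowed to read, unlock and reset the accounts in question.
# $SearchBase and "jdoe" are placeholders for your own OU and user.
Import-Module ActiveDirectory

$SearchBase = "OU=Staff,DC=example,DC=com"   # placeholder OU

# 1. Accounts that are locked out right now (the usual helpdesk and incident question).
Search-ADAccount -LockedOut -UsersOnly -SearchBase $SearchBase |
    Select-Object SamAccountName, LockedOut, LastLogonDate |
    Format-Table -AutoSize

# 2. Accounts whose password never expires. The managed service account discussion
#    later in the document explains why these draw audit findings; list them rather
#    than changing them blindly, since some belong to services that need a different fix.
Search-ADAccount -PasswordNeverExpires -UsersOnly -SearchBase $SearchBase |
    Select-Object SamAccountName, Enabled, PasswordNeverExpires |
    Format-Table -AutoSize

# 3. Enabled accounts with no logon in 90 days: candidates for disabling.
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly -SearchBase $SearchBase |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate |
    Format-Table -AutoSize

# 4. Unlock a single account once the lockout cause is understood. -WhatIf reports
#    the change without making it; drop it to apply.
Unlock-ADAccount -Identity "jdoe" -WhatIf

# 5. Reset a password and require a change at next logon. Read-Host -AsSecureString
#    keeps the temporary password out of the command line and the history file.
$temp = Read-Host -AsSecureString -Prompt "Temporary password for jdoe"
Set-ADAccountPassword -Identity "jdoe" -Reset -NewPassword $temp
Set-ADUser -Identity "jdoe" -ChangePasswordAtLogon $true
```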

Configuring DNS for Active Directory

DNS configuration and management is a topic in the 70-640 and 70-642 exams. Most of the changes in DNS relate to the DNS service in general and are covered under Configuring Names Resolution in the 70-642 section of this document. The DNS topics covered might pertain to both exams, however, so if you are preparing for the 70-640 exam, you should study the DNS changes outlined in that section. The DNS topics discussed in that section are:

DNS Security Extensions
DNS Cache Locking
DNS Socket Pool
DNS Devolution

Configuring the Active Directory Infrastructure

Most of the R2 changes that pertain to the Configuring the Active Directory Infrastructure section of the 70-640 exam objectives are related to the sub-objective Configure a forest or domain, as detailed in the following section.

Configure a Forest or Domain

The R2 changes that affect this objective pertain to these new Windows Server 2008 R2 functional levels:

Windows Server 2008 R2 domain functional level: With Windows Server 2008 R2 comes the Windows Server 2008 R2 domain functional level. By upgrading your domain to the new R2 functional level, your domain controllers can take advantage of the new authentication mechanism assurance feature (discussed under Configuring Active Directory Certificate 2.0 Services) and managed service accounts (discussed under Creating and Maintaining Active Directory Objects). All domain controllers in the domain must be running Windows Server 2008 R2 in order to raise the functional level. In the past, it was impossible to revert to an earlier functional level once it was raised. With Windows Server 2008 R2, there is one exception to this rule: if the forest functional level is lower than Windows Server 2008 R2, you can revert the domain functional level from Windows Server 2008 R2 to Windows Server 2008.

Windows Server 2008 R2 forest functional level: The R2 forest functional level brings with it one new feature: the Active Directory Recycle Bin, discussed under Maintaining the Active Directory Environment. You can raise the forest functional level to Windows Server 2008 R2 if all domain controllers in all domains are running Windows Server 2008 R2. As with the R2 domain functional level, you can roll back the forest functional level from Windows Server 2008 R2 to Windows Server 2008, but only if the Active Directory Recycle Bin feature has not been enabled. Once it has been enabled, the forest functional level cannot be changed to Windows Server 2008.

Configuring Active Directory Roles and Services

This 70-640 objective encompasses Active Directory Lightweight Directory Service (ADLDS), Active Directory Rights Management Services (ADRMS), Read-Only Domain Controllers (RODCs), and Active Directory Federation Services (ADFSv2).

Configure Active Directory Lightweight Directory Service (ADLDS)

ADLDS is affected by the changes in functional level afforded by Windows Server 2008 R2. In particular, by raising the functional level of your ADLDS instance, you can take advantage of the new AD Recycle Bin. ADLDS can also take advantage of the new PowerShell tools made available in PowerShell 2.0 and ADWS, allowing you to manage ADLDS objects using PowerShell cmdlets.

Configure Active Directory Rights Management Service (ADRMS)

No major changes to this Active Directory role have been made aside from the ability of administrators to manage ADRMS from the command line using PowerShell cmdlets. PowerShell cmdlets are available to install and provision the ADRMS role and administer most aspects of the role once installed.

Configure the Read-Only Domain Controller (RODC)

On Windows Server 2008, changes could be made to the SYSVOL folder on a RODC, potentially causing problems until the folder was overwritten by a read-write DC. On Windows Server 2008 R2, the SYSVOL folder is read-only, preventing changes to the folder except by the replication process.

Configure Active Directory Federation Services (ADFSv2)

The ADFS role has not substantially changed, but administrators who deploy ADFS using certificate-based authentication will be interested in the new authentication mechanism assurance feature used to differentiate users who authenticate using certificates versus other methods. Authentication mechanism assurance is discussed in more detail under Configuring Active Directory Certificate 2.0 Services.

Creating and Maintaining Active Directory Objects

R2 introduces several changes in Active Directory object maintenance and group policy. Some changes have already been discussed, such as the plethora of PowerShell cmdlets available for managing Active Directory objects. The following sections discuss other changes as they pertain to this objective.

Automate Creation of Active Directory Accounts

A new process for joining Windows 7 or Windows Server 2008 R2 computers to a domain, called offline domain join, has been introduced to allow administrators to join computers without network connectivity to a domain. Computers can be joined to the domain the first time they start up after a new OS installation, and they do not require a restart. The command-line program djoin.exe is used to preprovision the accounts in Active Directory. The steps for performing an offline domain join can be found at http://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step(WS.10).aspx, or you can go to the Microsoft TechNet site and search for "offline domain join."
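The two djoin.exe steps of the offline domain join described above, as an added example that is not part of the original document; the domain, computer name, OU and blob path are placeholders, and the provisioning blob is treated as a secret because it carries the new machine account's credentials.

```powershell
# Added example, not from the original document: the two djoin.exe steps of an
# offline domain join. Domain, computer name, OU and blob path are placeholders.
# Step 1 runs on a domain-joined Windows 7 / 2008 R2 machine as a user who may
# create computer accounts in the OU; step 2 runs on the new machine as a local
# administrator after the blob has been copied to it.
$Domain   = "example.com"
$Machine  = "WS-0042"
$TargetOU = "OU=Workstations,DC=example,DC=com"
$BlobPath = "C:\odj\WS-0042.txt"

# --- Step 1: pre-provision the computer account and save the provisioning blob. ---
# The blob carries the new machine account's credentials, so keep it in a folder
# that only administrators can read and delete it as soon as it has been used.
$blobDir = Split-Path $BlobPath
New-Item -ItemType Directory -Path $blobDir -Force | Out-Null
$acl = Get-Acl $blobDir
$acl.SetAccessRuleProtection($true, $false)   # drop inherited (often too broad) ACEs
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "BUILTIN\Administrators", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")))
Set-Acl -Path $blobDir -AclObject $acl

djoin.exe /provision /domain $Domain /machine $Machine /machineou $TargetOU /savefile $BlobPath
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed with exit code $LASTEXITCODE" }

# --- Step 2 (on the new machine): apply the blob to the installed OS. ---
djoin.exe /requestodj /loadfile $BlobPath /windowspath $env:SystemRoot /localos
if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed with exit code $LASTEXITCODE" }

Remove-Item -Path $BlobPath -Force   # the blob is sensitive and is no longer needed
```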

Maintain Active Directory Accounts

Most services installed on a server require access to system and/or network resources. To gain access to a resource, a running service, just like a user, must log on to the system and have the appropriate rights and permissions granted. Windows Server 2008 has two built-in accounts that have sufficed for this purpose: the Local System Account and the Network Service Account. However, using these two accounts for each and every running service poses some security problems. Running services are likely to have more privileges than they actually need, and system auditing becomes more difficult when a single account is involved in many different types of actions.

Although you can often create a domain account for some services to use and then assign only the necessary privileges to that account, there are problems with that solution. The biggest problem is that of the account password. The built-in accounts automatically change their password periodically, but a managed domain account must either have its password changed manually when the password expires or have its password set to never expire. Both scenarios can be problematic. If an administrator must manually change the password for an account used by a service and yet fails to do so, the service will fail to run if the password expires. If the administrator sets the account password to never expire, the system will likely fail a security audit. To resolve these dilemmas, Microsoft introduced managed service accounts (MSAs) in Windows Server 2008 R2.

MSAs are accounts you can create using the New-ADServiceAccount PowerShell cmdlet. You cannot use the GUI to create MSAs. MSAs solve the password problem by using automated password regeneration provided by the netlogon service. MSA passwords are changed every 30 days and are 240 random characters in length. You can only use MSAs on a server running Windows Server 2008 R2 or a computer running Windows 7; however, neither the domain nor the forest functional level need be R2. To use MSAs, you must first run adprep /forestprep at the forest level and adprep /domainprep in each domain where you will use MSAs. New MSAs are located in a new Active Directory folder named Managed Service Accounts located at the root of the domain in Active Directory Users and Computers or ADAC. You can create an MSA for as many services as you wish and assign individual permissions and rights to each account according to the needs of the particular service. For more information on MSAs, see http://technet.microsoft.com/en-us/library/dd548356(WS.10).aspx.

Similar to a managed service account, a virtual account is designed primarily to be used in place of the Network Service Account. Virtual accounts use the computer account's credentials to access the network in a domain environment. You don't create virtual accounts like you do MSAs, however. Virtual accounts are created automatically when you configure a service by specifying "NT Service\ServiceName" on the Log On tab of a service's properties and restarting the service. The service name can be found on the General tab of the service's properties page. Both password fields must remain blank as the password is automatically generated (see Figure 5). As with MSAs, virtual accounts can only be used on Windows Server 2008 R2 or Windows 7 systems, but no change to the Active Directory schema is necessary. For more information on virtual accounts, see http://technet.microsoft.com/en-us/library/dd548356(WS.10).aspx.

Figure 5. Creating a virtual account
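The MSA and virtual-account procedures described above, as an added example that is not part of the original document: it assumes Windows Server 2008 R2 with adprep already run and the Active Directory module available, uses the Win32_Service.Change WMI method in place of the services GUI shown in Figure 5 (an assumption of this example, not a method the document describes), and the MSA, host, service and folder names are placeholders.

```powershell
# Added example, not from the original document: creating a managed service
# account and switching a service to it, then the virtual-account variant.
# Assumes Windows Server 2008 R2, adprep /forestprep and /domainprep already run,
# the Active Directory module on the DC side, and local administrator rights on
# the member server. The MSA, host, service and folder names are placeholders.
Import-Module ActiveDirectory

$MsaName     = "svc-reporting"    # placeholder MSA name (15 characters or fewer)
$HostName    = "APP01"            # placeholder member server running 2008 R2 / Windows 7
$ServiceName = "ReportingSvc"     # placeholder service name (General tab of its properties)
$DataDir     = "D:\ReportingData" # placeholder folder the service must read

# Reconfigure a service's logon account through WMI (assumed equivalent to the
# Log On tab). $null keeps the current value of each other Change() argument; the
# password is blank because MSAs and virtual accounts have no administrator-set one.
function Set-ServiceLogon {
    param([string]$Name, [string]$Account)
    $svc = Get-WmiObject Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service $Name not found on this host" }
    $rc = $svc.Change($null, $null, $null, $null, $null, $null, $Account, "")
    if ($rc.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($rc.ReturnValue)" }
}

# --- On a domain controller or RSAT workstation ---
# 1. Create the MSA. Netlogon generates and rotates the 240-character password.
New-ADServiceAccount -Name $MsaName -Enabled $true
# 2. Bind the MSA to the one computer allowed to use it.
Add-ADComputerServiceAccount -Identity $HostName -ServiceAccount $MsaName

# --- On the member server $HostName ---
# 3. Install the MSA locally and confirm this host can retrieve its password.
Install-ADServiceAccount -Identity $MsaName
if (-not (Test-ADServiceAccount -Identity $MsaName)) {
    throw "MSA $MsaName is not usable here; re-check steps 1 and 2 and the adprep state"
}

# 4. Grant the MSA only what the service needs (read access to its data folder)
#    instead of the broad rights that Local System would carry.
$domain  = (Get-ADDomain).NetBIOSName
$account = "$domain\$MsaName$"          # MSAs are referenced with a trailing $
$acl = Get-Acl $DataDir
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $account, "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")))
Set-Acl -Path $DataDir -AclObject $acl

# 5. Switch the service to the MSA and restart it (the service name, not the
#    display name, is what Win32_Service and "NT Service\" expect).
Set-ServiceLogon -Name $ServiceName -Account $account
Restart-Service -Name $ServiceName

# --- Virtual account variant: no AD object is created; the service gets its own
# local identity and presents the computer account on the network. ---
# Set-ServiceLogon -Name $ServiceName -Account "NT Service\$ServiceName"
# Restart-Service -Name $ServiceName

# Show what the service now runs as.
Get-WmiObject Win32_Service -Filter "Name='$ServiceName'" | Select-Object Name, StartName, State
```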

Create and Apply Group Policy Objects

Changes in the creation and application of GPOs can be broken into three categories:

Group Policy Preferences: Windows Server 2008 R2 adds several new Group Policy Preference items. New power plan options improve flexibility in assigning power options to domain computers. A Scheduled Task preference item can be used to create, update, and delete scheduled tasks on domain computers running Windows Vista, Windows 7, and Windows Server 2008. In addition, an Immediate Task preference item has been added to allow administrators to create tasks that are run immediately after the next Group Policy refresh. The task is run once and then removed. Internet Explorer 8 preference items have been added to support IE8.

Starter GPOs: A number of new Starter GPOs are available in Windows Server 2008 R2 that contain recommended Group Policy settings for the Windows Vista Enterprise Client, Windows XP SP2 Enterprise Client, and several others. These Starter GPOs can be downloaded in Windows Server 2008 but are included in R2.

Administrative Templates: The primary change in Administrative Templates is an improved user interface in which the tabbed interface (consisting of Setting, Explain, and Comment) is replaced by a single box showing the content of all three tabs, as shown in Figure 6. Over 300 policy settings have been added for Windows Server 2008 R2 and Windows 7.

Group Policy PowerShell cmdlets: Over 25 new cmdlets are available in PowerShell to automate Group Policy tasks, including GPO creation and deletion, GPO linking, and creating and editing Starter GPOs.

Figure 6. New look for Group Policy Administrative Templates

Deploy and Manage Software by Using Group Policy Objects

The new Application Control Policies (or AppLocker) section of a GPO replaces the Software Restriction Policies. However, Software Restriction Policies are still available for older Windows OSs, because AppLocker is only available for Windows Server 2008 R2 and Windows 7 systems.

AppLocker reduces overhead for administrators who need to restrict which applications can be used by users in their organization. AppLocker allows administrators to define application rules based on the application's digital signature, publisher, name, file name, and version. Rules can be assigned to individual users or security groups, and exceptions can be created for specific .exe files. An audit-only mode allows you to see what files would be affected by the policy without actually enabling it live in the domain.
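The audit-only AppLocker rollout described above, deployed with the Group Policy PowerShell cmdlets from the previous section, as an added example that is not part of the original document; it assumes Windows Server 2008 R2 with the AppLocker, GroupPolicy and ActiveDirectory modules, and the GPO name, OU, file paths and the file under test are placeholders.

```powershell
# Added example, not from the original document: build an AppLocker policy in
# audit-only mode from a reference machine, test it against a file, and deploy it
# through a GPO with the Group Policy cmdlets. Assumes Windows Server 2008 R2 with
# the AppLocker, GroupPolicy and ActiveDirectory modules; the GPO name, OU, paths
# and the file under test are placeholders.
Import-Module AppLocker
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = "AppLocker-Audit"                      # placeholder
$TargetOU  = "OU=Workstations,DC=example,DC=com"    # placeholder
$PolicyXml = "C:\AppLocker\audit-baseline.xml"      # placeholder

# 1. Inventory the executables that should be allowed. Signed files yield publisher
#    rules; unsigned ones fall back to hash rules, so a modified unsigned binary
#    shows up in the audit events instead of silently matching.
$fileInfo = Get-AppLockerFileInformation -Directory "C:\Program Files" -Recurse -FileType Exe

# 2. Generate the rules for Everyone as XML, then mark every rule collection
#    AuditOnly so nothing is blocked yet; clients log what would have been.
$policyText = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
                  -User Everyone -RuleNamePrefix "Audit" -Optimize -IgnoreMissingFileInformation -Xml
$doc = [xml]$policyText
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute("EnforcementMode", "AuditOnly")
}
$doc.Save($PolicyXml)

# 3. Dry-run the policy against a file before deploying: PolicyDecision says whether
#    it would be Allowed or Denied, and MatchingRule says why.
Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path "C:\Users\Public\Downloads\tool.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Create (or reuse) the GPO, link it to the OU, and write the policy into it.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment "AppLocker baseline, audit only" }
New-GPLink -Guid $gpo.Id -Target $TargetOU -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
$dom  = Get-ADDomain
$ldap = "LDAP://$($dom.PDCEmulator)/CN={$($gpo.Id)},CN=Policies,CN=System,$($dom.DistinguishedName)"
Set-AppLockerPolicy -XmlPolicy $PolicyXml -Ldap $ldap
# Clients also need the Application Identity service (AppIDSvc) running, or
# AppLocker neither audits nor enforces.

# 5. Review audit results on a client: event 8003 in the AppLocker EXE and DLL log
#    means "allowed, but would have been blocked if the policy were enforced".
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-AppLocker/EXE and DLL"; Id = 8003 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-Table -Wrap
```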

Configure Audit Policy by Using Group Policy Objects

Security auditing has been improved in Windows Server 2008 R2 by giving administrators an increased level of detail in the information contained in auditing logs and by simplifying the deployment of auditing policies. The new features in security auditing policy are:

Advanced audit policy settings: There are 53 audit policy settings in 10 categories available under the Advanced Audit Policy Configuration node of a GPO (see Figure 7). The original nine audit policy settings found under Local Policies/Audit Policy should not be used if these settings are configured. Details on all the settings under each category can be found at http://technet.microsoft.com/en-us/library/dd772712(WS.10).aspx.

Figure 7. Advanced Audit Policy Configuration node

Global Object Access Auditing: One of the 10 categories of advanced audit policies, Global Object Access Auditing allows the creation of System Access Control Lists (SACLs) on files or registry keys for an entire computer (or all computers in the scope of the GPO) rather than the administrator having to set audit policies on individual files. Keep in mind that auditing of the file system or registry must also be enabled for auditing events to be created. You do this by enabling the Object Access\Audit File System or Object Access\Audit Registry policies. Figure 8 shows the relevant dialogs involved in enabling Global Object Access Auditing.

Figure 8. Global Object Access Auditing

Reason-for-access reporting: When an audited object access is allowed or denied, the event information now includes the relevant permissions that caused the object access audit event.
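The three auditing features above applied on one machine and then read back from the Security log, as an added example that is not part of the original document; it uses auditpol.exe rather than the GPO dialogs in Figures 7 and 8 (it sets the same subcategories and global SACLs), assumes an elevated session on a Windows Server 2008 R2 host, and the AccessReason event-data field it reads is an assumption about the R2 event layout.

```powershell
# Added example, not from the original document: enable the object-access
# subcategories, set a Global Object Access Auditing SACL with auditpol, and turn
# the resulting Security-log events into a table. Run elevated on a Windows Server
# 2008 R2 host. In a domain the same settings live under the GPO's Advanced Audit
# Policy Configuration node; auditpol is used here because it shows the effective
# policy on the machine where the events are generated.

# 1. Subcategories. Without these, a SACL (global or per-object) produces no events.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable

# 2. Global SACLs: every failed write attempt on any file by any user, and all
#    access to any registry key. Access flags follow auditpol's syntax (FW = file
#    write, GA = generic all). These apply machine-wide; no per-object SACL is needed.
auditpol.exe /resourceSACL /set /type:File /user:Everyone /failure /access:FW
auditpol.exe /resourceSACL /set /type:Key /user:Everyone /success /failure /access:GA
auditpol.exe /resourceSACL /view /type:File   # confirm what is in effect

# 3. Parse object-access events. 4663 = an attempt was made to access an object;
#    4656 = a handle to an object was requested. The AccessReason field (assumed
#    name of the reason-for-access data on R2) is read when present.
function ConvertFrom-ObjectAccessEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time    = $Event.TimeCreated
        Id      = $Event.Id
        Outcome = ($Event.KeywordsDisplayNames -join ",")      # Audit Success / Audit Failure
        Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Object  = $d['ObjectName']
        Access  = $d['AccessMask']
        Reason  = $d['AccessReason']
    }
}

$rows = Get-WinEvent -FilterHashtable @{ LogName = "Security"; Id = 4656, 4663 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-ObjectAccessEvent -Event $_ }

# 4. Triage: which principal keeps failing against which object. Repeated failures
#    on one path by one principal are worth a look; a single denied write usually is not.
$rows | Where-Object { $_.Outcome -like "*Failure*" } |
    Group-Object Subject, Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10 |
    Format-Table -AutoSize

# 5. Reason-for-access text for the most recent denials that carry it.
$rows | Where-Object { $_.Outcome -like "*Failure*" -and $_.Reason } |
    Select-Object Time, Subject, Object, Reason -First 5 |
    Format-List
```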

Maintaining the Active Directory Environment

This section details changes in R2 that pertain to the Maintaining the Active Directory Environment exam objective and its sub-objectives.

Configure Backup and Recovery

The addition of the new Active Directory Recycle Bin is perhaps the most heralded of enhancements in Windows Server 2008 R2. The Active Directory Recycle Bin allows administrators to recover deleted Active Directory and ADLDS objects without having to perform a DS restore operation or tombstone reanimation procedure. In addition, no restart of Active Directory or reboot of domain controllers is necessary to restore deleted objects.

When the Active Directory Recycle Bin is enabled, deleted Active Directory objects can be restored in their entirety, including all attributes and linked values. For example, if a user account is restored, the account's group memberships are also restored.

The Active Directory Recycle Bin is disabled by default and can only be enabled if the forest functional level is Windows Server 2008 R2. Once enabled, the Recycle Bin cannot be disabled, and the forest functional level cannot be rolled back. Active Directory objects that are deleted undergo a series of state changes over time. Initially, a deleted object enters the logically deleted state, in which it is stored in the Deleted Objects container and all attributes and linked values (such as group memberships) are preserved. The length of time a logically deleted object remains in the Deleted Objects container is determined by the deleted object lifetime, which is a value stored in the msDS-deletedObjectLifetime attribute. It is only during this period that a deleted object can be restored using the Recycle Bin. The default deleted object lifetime is 180 days. Once the deleted object lifetime expires, the object enters the recycled object state. Most of the attributes and linked values of a recycled object are deleted. When a recycled object's lifetime expires, the garbage collection process will completely remove the object from the Active Directory database.

To enable the Active Directory Recycle Bin, the Active Directory schema must be changed. If the forest was installed using Windows Server 2008 R2 domain controllers from scratch, there is no need to manually change the schema, but if the forest was upgraded from earlier versions, you must run adprep /forestprep on the schema operations master. Next, prepare the domain by running adprep /domainprep /gpprep on the infrastructure operations master in each domain. On RODCs, you must also run adprep /rodcprep. Additionally, the forest functional level must be set to Windows Server 2008 R2. To enable the Active Directory Recycle Bin once the forest and domain have been prepared at the R2 functional level, you start the Active Directory Module for Windows PowerShell and enter the following command:

    Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=top-level-domain" -Scope ForestOrConfigurationSet -Target fullyqualifieddomainname

In this command, the placeholder arguments domain, top-level-domain, and fullyqualifieddomainname are replaced by the appropriate domain components. For example, if your domain name is allaboutcomputernetworks.com, you will replace domain with allaboutcomputernetworks and top-level-domain with com. The argument fullyqualifieddomainname is replaced by allaboutcomputernetworks.com.

Note: You start the Active Directory Module for Windows PowerShell on a Windows Server 2008 R2 domain controller by going to Start/Administrative Tools, right-clicking Active Directory Module for Windows PowerShell, and clicking Run as administrator. Also note that you must run all the commands discussed in this section as a member of Enterprise Admins.

For more information on how the Active Directory Recycle Bin works and how to use it, see http://technet.microsoft.com/en-us/library/dd392261(WS.10).aspx.
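The prerequisite checks from the Configure a Forest or Domain section (functional levels and domain controller versions) together with the Recycle Bin state, the deleted object lifetime and a restore, as an added example that is not part of the original document; it assumes the Active Directory Module for Windows PowerShell run as an Enterprise Admin, and "jdoe" is a placeholder account name.

```powershell
# Added example, not from the original document: check the prerequisites the
# text lists before enabling the Active Directory Recycle Bin (functional levels,
# DC versions, whether the feature is already on), read the deleted object
# lifetime, and restore a deleted user while it is still restorable. Run in the
# Active Directory Module for Windows PowerShell as an Enterprise Admin;
# "jdoe" is a placeholder account name.
Import-Module ActiveDirectory

$forest  = Get-ADForest
$rootDse = Get-ADRootDSE

# 1. Functional levels and DC operating systems. The R2 forest level needs every
#    DC in every domain on Windows Server 2008 R2; anything older is listed here.
"Forest functional level: $($forest.ForestMode)"
foreach ($domainName in $forest.Domains) {
    "Domain $domainName functional level: $((Get-ADDomain -Identity $domainName).DomainMode)"
    Get-ADDomainController -Filter * -Server $domainName |
        Where-Object { $_.OperatingSystem -notlike "*2008 R2*" } |
        ForEach-Object { "  $($_.HostName) runs $($_.OperatingSystem) and blocks raising the level" }
}

# 2. Recycle Bin state. EnabledScopes is empty until the feature is enabled; once
#    it is populated the forest level can no longer be rolled back.
$recycleBin = Get-ADOptionalFeature -Filter { Name -like "Recycle Bin Feature" }
$enabled = ($recycleBin.EnabledScopes | Measure-Object).Count -gt 0
"Recycle Bin enabled: $enabled"

# 3. Deleted object lifetime from msDS-deletedObjectLifetime on the Directory
#    Service object. An unset attribute means the 180-day default applies.
$dsPath   = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$lifetime = (Get-ADObject -Identity $dsPath -Properties msDS-deletedObjectLifetime).'msDS-deletedObjectLifetime'
if (-not $lifetime) { $lifetime = 180 }
"Deleted object lifetime: $lifetime days"

# 4. Restore a deleted user with its attributes and group memberships. Objects
#    older than the lifetime are recycled (attributes stripped) and are skipped.
function Restore-DeletedUser {
    param([string]$SamAccountName, [int]$LifetimeDays)
    $filter  = "isDeleted -eq `$true -and sAMAccountName -eq '$SamAccountName'"
    $deleted = Get-ADObject -Filter $filter -IncludeDeletedObjects -Properties whenChanged, lastKnownParent
    if (-not $deleted) { throw "No deleted object named $SamAccountName in the Deleted Objects container" }
    foreach ($obj in @($deleted)) {
        $age = (Get-Date) - $obj.whenChanged     # whenChanged is updated at deletion time
        if ($age.TotalDays -gt $LifetimeDays) {
            "Skipping $($obj.DistinguishedName): deleted $([int]$age.TotalDays) days ago, already recycled"
            continue
        }
        # Restore-ADObject puts the object back under lastKnownParent; that OU must still exist.
        Restore-ADObject -Identity $obj.ObjectGUID
        Get-ADUser -Identity $SamAccountName -Properties MemberOf |
            Select-Object Name, Enabled, DistinguishedName, MemberOf
    }
}
Restore-DeletedUser -SamAccountName "jdoe" -LifetimeDays $lifetime
```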

    Monitor Active Directory

    The major change in an administrator's ability to monitor Active Directory comes with the new Active

    Directory Best Practices Analyzer (BPA), discussed earlier, and the new cmdlets for the Active Directory

    Module for Windows PowerShell. The BPA is available for Active Directory Domain Services (ADDS),

    DNS Server, Remote Desktop Services, and Active Directory Certificate Services (ADCS). The BPA can

    be run using Server Manager or PowerShell cmdlets.

  • Windows Server 2008 R2: Summary of Changes from R1 to R2 20

    The BPA works by comparing actual configuration information of installed services to a set of rules

    that defines a best-practices configuration. A report is generated showing discrepancies between the actual

    configuration and the best-practices configuration. The configuration settings verified include:

    DNS configuration: Verifies that all required host (A or AAAA), global service (SRV), and alias (CNAME) records exist and that the DNS server can be reached by the domain controller.

    FSMOs: Verifies that all operations masters are present and reachable.

    Two DCs are present: Verifies that two domain controllers for the domain are present and reachable.

    Required services: Verifies that all required services are present and running, including ADDS, ADWS, and the Active Directory Module for PowerShell.

    Backup: Verifies that critical partitions have been backed up and that OUs are protected from deletion.

    For more information on the Best Practices Analyzer, see http://technet.microsoft.com/en-us/library/dd759260.aspx.
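    As an added example (not part of the original document), the following PowerShell runs the BPA scans described above from a script rather than from Server Manager and lists only the rules that are not compliant. It assumes an elevated session on a Windows Server 2008 R2 domain controller with the BestPractices module; the model IDs in the table are assumed and should be confirmed with Get-BpaModel on the target server.

```powershell
# Added example, not from the original document. Runs the Best Practices Analyzer
# for the AD DS, DNS Server and AD CS roles and reports non-compliant rules only.
# Model IDs are assumptions: confirm them with Get-BpaModel on your server.
Import-Module BestPractices

$models = @{
    'AD DS'      = 'Microsoft/Windows/DirectoryServices'
    'DNS Server' = 'Microsoft/Windows/DNSServer'
    'AD CS'      = 'Microsoft/Windows/CertificateServices'
}

function Get-BpaFindings {
    param([string]$ModelId)
    # Invoke-BpaModel compares the live configuration with the model's rule set;
    # Get-BpaResult then returns every rule outcome, compliant or not.
    Invoke-BpaModel -ModelId $ModelId | Out-Null
    Get-BpaResult -ModelId $ModelId |
        Where-Object { $_.Severity -ne 'Information' -and -not $_.Excluded } |
        Select-Object Severity, Category, Title, Problem, Impact, Resolution
}

foreach ($role in $models.Keys) {
    $id = $models[$role]
    # Skip models for roles that are not installed on this server
    if (-not (Get-BpaModel | Where-Object { $_.Id -eq $id })) { continue }
    $findings = @(Get-BpaFindings -ModelId $id)
    Write-Output ("=== {0}: {1} finding(s) ===" -f $role, $findings.Count)
    $findings | Format-List
}
```

    Results with Severity of Warning or Error are the discrepancies the report in Server Manager would show; a rule that was deliberately excluded with Set-BpaResult is skipped so that accepted deviations do not reappear on every scheduled run.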

    Configuring Active Directory Certificate Services

    Most of the changes related to Active Directory Certificate Services (ADCS) are related to enrollment

    management and authentication. In general, ADCS in Windows Server 2008 R2 makes your PKI

    deployment more flexible and provides better Network Access Protection (NAP) support. The following

    section discusses specific changes related to certificate enrollments and related authentication.

    Manage Enrollments

    New role services called Certificate Enrollment Web Service and Certificate Enrollment Policy Web

    Service enable certificate enrollment over HTTP. Certificate enrollment can occur over the Internet and

    across forests that have established a two-way trust because the Web services act as a proxy between the

    certificate authority and the client. This allows administrators to consolidate their PKI infrastructure in a

    multi-forest network.


    In addition, organizations that use NAP with IPSec, which generally results in high-volume CAs with

    large databases, can choose to bypass some of the standard CA database operations. The result is smaller

    database sizes and higher performance certificate operations.

    Authentication mechanism assurance is designed for domains that utilize federation services

    (ADFS) or certificate-based authentication methods, such as smart card or token-based authentication. This

    mechanism adds information to the user's Kerberos token about the type of authentication used. This allows

    administrators to modify permissions based on how the user authenticates. For example, users can have

    access to different resources if they log in with certificates versus when they log in with just their

    usernames and passwords.

    When authentication mechanism assurance is enabled and a user authenticates using a certificate, a universal group membership is added to the user's Kerberos access token. This universal group can be used to assign permissions and rights that users receive only because they authenticated with a certificate, and that they would not have if they had authenticated using some other method. To learn more about this feature, see http://technet.microsoft.com/en-us/library/dd391847(WS.10).aspx.
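    As an added example (not part of the original document), the following PowerShell creates the link between a certificate issuance policy and a universal security group that makes the extra group membership appear in the Kerberos token. It assumes the Active Directory module on a Windows Server 2008 R2 domain controller, a domain functional level of Windows Server 2008 R2, and an existing issuance policy and group; the policy and group names are placeholders, and the link is stored in the msDS-OIDToGroupLink attribute of the policy's OID object.

```powershell
# Added example, not from the original document. Links an issuance policy OID to a
# universal security group via msDS-OIDToGroupLink. Names below are placeholders.
Import-Module ActiveDirectory

$policyDisplayName = 'Smart Card Logon Assurance'   # placeholder issuance policy name
$groupName         = 'Cert-Authenticated-Users'     # placeholder universal security group

# Issuance policies are msPKI-Enterprise-Oid objects under CN=OID in the Configuration partition
$configNC     = (Get-ADRootDSE).configurationNamingContext
$oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$configNC"

$oid = Get-ADObject -SearchBase $oidContainer -Filter { displayName -eq $policyDisplayName } `
                    -Properties 'msDS-OIDToGroupLink' | Select-Object -First 1
if (-not $oid) { throw "Issuance policy '$policyDisplayName' not found under $oidContainer" }

# Only a universal security group can be linked; anything else is rejected up front
$group = Get-ADGroup -Identity $groupName
if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
    throw "Group '$groupName' must be a universal security group"
}

# Create (or replace) the link
Set-ADObject -Identity $oid.DistinguishedName -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

# Show what is now linked
(Get-ADObject -Identity $oid.DistinguishedName -Properties 'msDS-OIDToGroupLink').'msDS-OIDToGroupLink'

# To remove the link again:
# Set-ADObject -Identity $oid.DistinguishedName -Clear 'msDS-OIDToGroupLink'
```

    To confirm the behaviour from the client side, a user who logs on with a certificate issued under that policy can run whoami /groups and will see the linked group in the list; the same user logging on with a password will not, which is the difference that resource ACLs can then key on.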

    70-642 Exam Objectives R2 Changes

    We will now cover the most important changes in Windows Server 2008 R2 that pertain to the 70-642:

    Windows Server 2008 Network Infrastructure, Configuring MCTS exam. The first section discusses general

    changes that apply to configuring the network infrastructure but do not fit directly with an exam objective.

    The subsequent sections are organized by the individual exam objectives. If no relevant changes apply to an

    exam objective, the objective is omitted.

    General Changes that Pertain to 70-642 Exam Content

    The following subsections describe changes in Windows Server 2008 R2 that pertain to the 70-642 exam

    but do not fit a specific exam objective; instead, they apply to network infrastructure configuration in

    general:

    URL-based QoS: QoS has typically been based on IP addresses and port numbers contained in the packet headers. URL-based QoS allows administrators to prioritize packets based on the source URL so that important Web traffic is routed first and less-important or non-work-related Web traffic can be assigned a lower priority.

    Multiple active firewall profiles: In Windows Server 2008 and Windows Vista, only a single firewall profile can be active at a time. A system with multiple network adapters connected to two different networks (e.g., one domain and one public) can only have one firewall profile active, the most restrictive one, which in this example would be the public profile. With this new feature in Windows Server 2008 R2 (and Windows 7), traffic coming into the domain network is protected by the domain profile and traffic coming into the public network is protected by the public profile.

    TCP chimney offload: This performance enhancement for Windows Server 2008 R2 and Windows 7 allows an administrator to configure some of the TCP processing to occur on a compliant network interface rather than on the computer's CPU. The feature is enabled by default on 10 Gb Ethernet adapters. To enable it on capable 1 Gb Ethernet adapters, the administrator must enter the following command at an administrator command prompt: netsh int tcp set global chimney=enabled.

    Configuring Name Resolution

    Changes to name resolution are primarily related to DNS security, although one change is specific to the way the DNS resolver handles DNS queries. These changes are detailed in the following two subsections.

    Configure a Domain Name System (DNS) Server

    At the DNS Server level, there are two security enhancements:

    DNS Cache Locking: A DNS server's cache is used to store recently resolved queries from recursive lookups. The results of the recent queries are stored in cache so that subsequent identical queries can be resolved immediately from the server's cache rather than after a time-consuming recursive lookup. A cached entry remains in cache until the entry's TTL expires. However, a technique called DNS cache poisoning can be employed by an attacker to change the cached information, therefore providing an incorrect response to queries. The incorrect information can redirect network traffic to malicious sites. DNS cache locking prevents the cached record from being overwritten until the TTL expires. Once the TTL expires, the record is deleted and is only added back to the cache as a result of an authoritative lookup. Cache locking can be configured as a percentage of the TTL. By default, the value is set to 100, which means cached entries cannot be overwritten for the entire TTL duration. A value of 50 would cause the cache to be locked until half the TTL time elapsed. Configuration is done by changing the value stored by the CacheLockingPercent registry key.

    DNS Socket Pool: DNS socket pools cause the DNS server to choose a random source port from a pool rather than use a predictable source port. A predictable source port makes the server susceptible to DNS cache-poisoning attacks by allowing an attacker to send a spoofed response to a DNS server. This feature is enabled by default on servers with security update MS08-037 installed. The dnscmd.exe command-line program can be used to configure the size of the socket pool and excluded port ranges.
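    As an added example (not part of the original document), the following PowerShell audits the two settings just described on a Windows Server 2008 R2 DNS server and applies hardened values with dnscmd.exe. It assumes an elevated session on the DNS server; the registry value names and built-in defaults (CacheLockingPercent 100, SocketPoolSize 2500) are stated as assumptions, and the excluded port range is a placeholder.

```powershell
# Added example, not from the original document. Audits and sets DNS cache locking
# and socket pool settings. Registry value names and defaults are assumptions for
# Windows Server 2008 R2; the excluded port range below is a placeholder.
$dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsCacheHardening {
    $p = Get-ItemProperty -Path $dnsParams -ErrorAction Stop
    # A value missing from the registry means the built-in default is in effect
    $lock = if ($p.CacheLockingPercent -ne $null) { [int]$p.CacheLockingPercent } else { 100 }
    $pool = if ($p.SocketPoolSize      -ne $null) { [int]$p.SocketPoolSize }      else { 2500 }
    New-Object PSObject -Property @{
        CacheLockingPercent = $lock
        CacheLockingOk      = ($lock -eq 100)   # below 100, records can be overwritten before the TTL expires
        SocketPoolSize      = $pool
        SocketPoolOk        = ($pool -ge 2500)  # a larger pool makes the source port harder to predict
    }
}

function Set-DnsCacheHardening {
    param([int]$LockingPercent = 100, [int]$PoolSize = 2500, [string]$ExcludedPorts = '')
    # dnscmd writes these values to the registry; the DNS Server service must be
    # restarted before the new cache locking and socket pool settings take effect.
    & dnscmd.exe /Config /CacheLockingPercent $LockingPercent | Out-Null
    & dnscmd.exe /Config /SocketPoolSize $PoolSize | Out-Null
    if ($ExcludedPorts) {
        # e.g. '5000-5100' keeps ports needed by another local service out of the pool
        & dnscmd.exe /Config /SocketPoolExcludedPortRanges $ExcludedPorts | Out-Null
    }
    Restart-Service -Name DNS -Force
}

Get-DnsCacheHardening | Format-List
# Set-DnsCacheHardening -LockingPercent 100 -PoolSize 2500 -ExcludedPorts '5000-5100'
```

    Lowering CacheLockingPercent trades poisoning resistance for the ability to refresh records early, so an audit that flags any value below 100 is the sensible default; excluded port ranges exist only so that the pool does not collide with ports another service on the same host must own.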

    Configure DNS Zones

    DNS zone security is enhanced by the DNS security extensions (DNSSEC). DNSSEC is an Internet standard set of DNS security enhancements defined by RFCs 4033-4035. In a nutshell, DNSSEC uses public key cryptography and digital signatures to validate the identity of a server providing a DNS response. DNSSEC requires four new record types to facilitate public key cryptography. A DNS Public Key (DNSKEY) record holds the zone's public key. The RRSIG record holds the digital signature of the DNS response. Delegation Signer (DS) records are used between parent and child zones that are DNSSEC enabled. And the NSEC, or Next Secure, record allows zones to authenticate denial of existence responses. A denial of existence response is a signed response proving that a queried record does not exist. DNSSEC can be used in both standard and Active Directory-integrated zones and is effective in preventing man-in-the-middle, spoofing, and cache-poisoning attacks that non-DNSSEC-enabled DNS zones are vulnerable to. For details on deploying DNSSEC, see http://technet.microsoft.com/en-us/library/ee649268(WS.10).aspx.

    Configure Name Resolution for Client Computers

    DNS devolution is a new feature on Windows Server 2008 R2 and Windows 7 DNS resolvers that allows administrators to configure how the DNS resolver devolves DNS queries. DNS devolution is the process of a DNS resolver climbing up the DNS namespace until a match is found or the maximum number of devolutions is reached. For example, suppose a host named ServerA is a resource in the SUVS.NA.Honda.com namespace. My computer is a member of the CRV.SUVS.NA.Honda.com domain. My domain suffix is set to CRV.SUVS.NA.Honda.com, so when my computer generates a DNS query for ServerA, by default the query generated will be ServerA.CRV.SUVS.NA.Honda.com. When that query produces a negative result, the resolver devolves the query by using the next part of the DNS namespace, namely SUVS.NA.Honda.com. The number of domain components (not including the host name) present in the query is called the devolution level. So a query of ServerA.NA.Honda.com represents a devolution level of 3, and a query of ServerA.Honda.com is devolution level 2. What's new is that administrators can set the devolution level on DNS clients using Group Policy, thereby controlling to which level the DNS resolver will attempt a query before giving up.
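    As an added example (not part of the original document), the following PowerShell function models the devolution sequence described above: it produces the list of fully qualified names the resolver will try for an unqualified host name, given the primary DNS suffix and a devolution level. It follows the page's description and the rule that Windows never devolves below two labels; it does not read the actual Group Policy setting.

```powershell
# Added example, not from the original document. Computes the FQDNs a Windows 7 /
# Server 2008 R2 resolver tries for an unqualified name under a given suffix and
# devolution level, per the devolution behaviour described in the text.
function Get-DevolutionCandidates {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,       # e.g. ServerA
        [Parameter(Mandatory=$true)][string]$PrimarySuffix,  # e.g. CRV.SUVS.NA.Honda.com
        [int]$DevolutionLevel = 2                            # lowest number of labels still queried
    )
    $labels = $PrimarySuffix.Trim('.').Split('.')
    # Windows never devolves below two labels, so a level of 1 behaves like 2
    $floor = [Math]::Max($DevolutionLevel, 2)
    $candidates = @()
    # Start with the full suffix and drop the leftmost label after each negative answer,
    # stopping once fewer than $floor domain components would remain
    for ($i = 0; ($labels.Count - $i) -ge $floor; $i++) {
        $suffix = [string]::Join('.', $labels[$i..($labels.Count - 1)])
        $candidates += "$HostName.$suffix"
    }
    return $candidates
}

Get-DevolutionCandidates -HostName ServerA -PrimarySuffix CRV.SUVS.NA.Honda.com -DevolutionLevel 2
```

    With the page's example suffix and level 2 the function returns four names, from ServerA.CRV.SUVS.NA.Honda.com down to ServerA.Honda.com; raising the level to 3 stops the list at ServerA.NA.Honda.com. Seeing the list makes the risk of a low level concrete: every extra devolution is a query for a name in a zone that may not be yours, which is why the policy exists.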

    Configuring Network Access

    Changes to remote access configuration involve all the following sub-objectives under this 70-642 objective, including an entirely new objective: Configure DirectAccess.

    Configure Remote Access

    A helpful new feature for road warriors in Routing and Remote Access Services (RRAS) is called VPN

    Reconnect. After an Internet connection disruption, VPN Reconnect automatically reestablishes a VPN

    connection without requiring the user to reenter credentials. The user must be running Windows 7 and must

    be connected to a Windows Server 2008 R2 RRAS VPN server.

    Configure Network Access Protection

    A new feature for Network Access Protection (NAP) in Windows Server 2008 R2 is the Multi-configuration System Health Validator (SHV). Administrators can specify multiple SHV configurations

    that can be selected when a health policy is configured. By allowing multiple SHVs, different types of

    network clients can be assigned different policies. For example, a locally connected client can be subject to

    a different set of policies than a VPN-connected client. For more about configuring SHVs, see

    http://technet.microsoft.com/en-us/library/dd314150(WS.10).aspx.

    Configure DirectAccess

    DirectAccess is a new feature in Windows Server 2008 R2 that allows seamless, secure, and flexible client

    connections from a Windows 7 Enterprise or Ultimate client to a Windows Server 2008 R2 DirectAccess

    server.


    Note: You can also connect to DirectAccess from Windows Server 2008 R2.

    DirectAccess-enabled Internet-connected client computers are constantly connected to the private network;

    there is no need for manual connections. In addition, administrators can manage the remote computers as

    long as they are connected to the Internet; there is no need for clients to have an active VPN connection as

    is the case with traditional VPN remote access. This allows mobile computers to stay updated with current

    policies and software updates transparently; users do not even have to be logged on for the computer to be

    managed.

    DirectAccess is built upon existing technologies, primarily IPSec and IPv6. IPSec is used to

    authenticate the computer and the user so the computer is available to be managed before the user even logs

    on. IPv6 is used for communication between the client computer and DirectAccess server through an IPSec

    tunnel. Unlike with traditional VPNs, this process works even when the client computer is behind a

    firewall. There are a number of configuration details involved in setting up a DirectAccess infrastructure

    that are beyond the scope of this document. For a technical description of DirectAccess and setup details,

    see http://technet.microsoft.com/en-us/library/dd637827(WS.10).aspx.

    Configure Network Policy Server

    Network Policy Server (NPS) improvements in Windows Server 2008 R2 are fairly minor, but heavy users

    of NPS for centralizing the management of network access will benefit from these changes. NPS templates

    can be used to configure elements of NPS, such as RADIUS. The templates can be used on NPS servers

    and exported for use on other NPS servers, thus providing a more manageable and consistent NPS

    environment. Improvements in RADIUS accounting allow easy configuration of either text file or

    Microsoft SQL Server logging.

    Configuring File and Print Services

    A number of changes and enhancements to the file and print services role and related role services make

    managing shared files and folders an easier task in Windows Server 2008 R2. The following subsections

    discuss the major changes under each sub-objective.

    Configure a File Server

    Perhaps the biggest enhancement to the file server function of Windows Server 2008 R2 is the introduction

    of a feature called BranchCache, which is available to Windows 7 client computers accessing Windows


    Server 2008 R2 servers. BranchCache uses the Background Intelligent Transfer Service (BITS) in a

    domain-based environment. BranchCache allows clients located in branch offices to access copies of

    shared files located in the cache of a local server rather than having to access remote servers across a

    WAN. The first time a client accesses a file, the file is retrieved from the remote server hosting the file.

    From that point on, subsequent requests for the file are served from the local BranchCache server until the

    file changes. BranchCache works with both the HTTP and SMB protocols, so files from both Web and file

    servers can be cached.

    BranchCache has two operational modes:

    Host cache mode: Cached files are stored on a local Windows Server 2008 R2 server and clients access the files using a typical client/server model.

    Distributed cache mode: Each Windows 7 client computer hosts its own cache, and the Windows 7 clients operate in a peer-to-peer network model. When a Windows 7 client computer accesses a file for the first time, the file is retrieved from the remote server and cached locally. The Windows 7 client computer then makes the file available to other Windows 7 computers that request it.

    Another file server enhancement will be useful for administrators using a combination of Windows, Linux, Unix, and/or Mac OS in their networks, namely Services for NFS, which adds several features to

    enhance manageability and security. A feature called Netgroup allows administrators of the Service for

    NFS on Windows Server 2008 R2 servers to create named groups of hosts that will simplify NFS login and

    NFS access control lists. A remote procedure call (RPC) security feature called RPCSEC_GSS enables the

    Service for NFS feature to use Kerberos authentication, thereby simplifying and improving security.

    Administrators who like to take advantage of the scripting capabilities of Windows Management

    Instrumentation (WMI) will be happy to know that Service for NFS can be managed using Web-Based

    Enterprise Management (WBEM) through WMI.

    Configure Distributed File System

    A number of changes to Distributed File System (DFS) have found their way into Windows Server 2008

    R2. Most of them focus on performance management and improved replication features. Here are short

    descriptions of them:


    Support for access-based enumeration: Access-based enumeration (ABE) is not new, but it is for DFS. With ABE enabled on a DFS namespace, users can only see the folders in the namespace for which they have at least Read permission. In the past, if a user had access to the namespace root, they could see all the folders underneath the root whether they had permission or not.

    Large namespace performance gains: Networks with more than 5000 domain-based DFS folders will see an improvement in the time it takes for the DFS Namespace service to start. Overall domain-based DFS performance is improved when the number of DFS folders exceeds 50,000.

    DFS replication on failover clusters: Failover clusters can be added as members of a DFS replication group, allowing DFS replication to fail over to another server when the primary server fails.

    Read-only replicated folders: The ability to use DFS Management to mark a folder read-only, thereby disallowing user changes to the files in that folder, has been added to DFS. Marking a replicated folder as read-only can also be done using the command-line program Dfsradmin.

    New performance counters: You can monitor DFS performance more closely using three new DFS Namespace counters in Performance Monitor: DFS Namespace Service API Queue, DFS Namespace Service API Requests, and DFS Namespace Service Referrals. For explanations of these counters, open Performance Monitor, select the counter, and click Show description.

    Configure Backup and Restore

    Windows Server Backup in Windows Server 2008 R2 has some sorely needed enhancements to the backup

    tool provided in Windows Server 2008. The changes make backing up your servers faster and considerably

    more flexible. These changes include:

    Incremental backups: All backups are incremental except the initial backup, but each backup functions like a full backup, allowing you to recover any file from a single backup. Windows Server Backup also automatically manages disk space by deleting older backups as necessary to make room for new backups.

    No need for dedicated disks: Scheduled backups can be stored on a network share or local volume that contains other data, avoiding the need to dedicate an entire disk for backups.

    Selected folders and files: Individual files and folders can be backed up rather than requiring full-volume backups, and files or folders can be excluded from a backup.

    System state backups: System state backups can be included with data backups and can be scheduled from the Windows Server Backup program rather than requiring the command-line wbadmin program.
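    As an added example (not part of the original document), the following PowerShell defines a scheduled backup policy that exercises three of the R2 changes listed above: selected folders with an exclusion, system state in the same job, and a network share as the target. It assumes an elevated session on Windows Server 2008 R2 with the Windows.ServerBackup snap-in; the folder paths, share name and schedule time are placeholders.

```powershell
# Added example, not from the original document. Builds and commits a scheduled
# Windows Server Backup policy; paths, share and time are placeholders.
Add-PSSnapin Windows.ServerBackup -ErrorAction Stop

$policy = New-WBPolicy

# Selected folders rather than whole volumes, with one subfolder excluded
Add-WBFileSpec -Policy $policy -FileSpec (New-WBFileSpec -FileSpec 'D:\Shares')
Add-WBFileSpec -Policy $policy -FileSpec (New-WBFileSpec -FileSpec 'D:\Shares\Scratch' -Exclude)

# System state in the same scheduled job (previously only possible with wbadmin)
Add-WBSystemState -Policy $policy

# A network share as the target, so no dedicated local disk is needed
$cred   = Get-Credential   # account with write access to the share
$target = New-WBBackupTarget -NetworkPath '\\backupsrv\ServerBackups' -Credential $cred
Add-WBBackupTarget -Policy $policy -Target $target

# Daily at 21:00; a VSS copy backup does not reset the archive state that other backup tools rely on
Set-WBSchedule -Policy $policy -Schedule ([datetime]'21:00')
Set-WBVssBackupOptions -Policy $policy -VssCopyBackup

# Commit the schedule; Start-WBBackup -Policy $policy would run it once instead
Set-WBPolicy -Policy $policy

# Show the committed policy
Get-WBPolicy | Format-List
```

    One caveat worth knowing before choosing a share as the target: when Windows Server Backup writes to a remote shared folder, each scheduled backup overwrites the previous one, so the multi-version history that the incremental backups above provide is only kept when the target is a local volume.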

    Configure and Monitor Print Services

    The biggest change here is that the Print Services role in Windows Server 2008 has been changed and

    expanded to the Print and Document Services role in Windows Server 2008 R2. Printer migration is made

    easier and more flexible with the Printer Migration Wizard, which replaces the Printmig utility.

    Printer administration can be delegated so that non-administrators can now be allowed to perform

    specific printer tasks without wider permissions. Another new feature of interest to administrators with a

    mobile workforce is location-aware printing. This feature allows mobile users to set different default

    printers for the different networks they connect to.

    Printer driver isolation allows printer drivers to run in a process isolated from the print spooler. The

    isolation prevents misbehaving print drivers from bringing down the entire print spooler process. Printer

    driver isolation is enabled by default and can be disabled through Group Policy.

    Monitoring and Managing a Network Infrastructure

    Three new network monitoring and diagnostic tools are available to help you troubleshoot and monitor

    your Windows 7 network. Even though these changes are related to Windows 7, it is important for a

    Windows Server 2008 R2 administrator to be able to use them:

    Network Diagnostic Framework (NDF): NDF simplifies network troubleshooting by automating steps in the troubleshooting process. Network events and packets can be logged in a single file, providing a single location to analyze collected data. When a user runs a Windows Network Diagnostics session, results are logged in Action Center/Troubleshooting/View History automatically.

    Network Tracing: Network tracing, along with NDF, provides a more convenient method for grouping network-related events. Grouped events are placed in an Event Trace Log (ETL), which can then be analyzed using Network Monitor or Event Viewer.

    Netsh Trace: The familiar Netsh command includes a trace context that integrates with NDF and network tracing and allows network packet capture and filtering. Using Netsh trace, particular network components, such as TCP/IP or Wireless LAN Services, can be selected to troubleshoot specific issues related to those components.

    70-643 Exam Objectives R2 Changes

    We will now cover the most important changes in Windows Server 2008 R2 that pertain to the 70-643:

    Windows Server 2008 Applications Infrastructure, Configuring MCTS exam. The sections are organized

    by the individual exam objectives. If no relevant changes apply to an exam objective, the objective is

    omitted.

    Deploying Servers

    The deployment of servers is a topic that covers quite a bit of ground. The most relevant changes made in

    Windows Server 2008 R2 pertain to Windows Deployment Services, Hyper-V, high availability

    configuration, and storage configuration, as detailed in the following sections.

    Deploying Images by Using Windows Deployment Services

    The process of deploying Windows Server 2008 R2 and Windows 7 images has been improved by several

    new tools, including the following:

    Windows Automated Installation Kit (WAIK): The WAIK has been improved with tools such as the Deployment Image Servicing and Management command-line program that is used to add and remove device drivers, enable/disable Windows features, configure updates, and add or remove language packs. The User State Migration Tool (USMT) has been upgraded to version 4.0 and is now part of the WAIK. USMT 4.0 makes migration of user accounts and their profiles to new Windows systems more streamlined; and hard-link migration, a new feature in USMT, allows in-place migrations where the old OS is removed and the new one installed on the same system. Finally, virtual hard disks (VHDs) can be used to boot a system, obviating the need to image physical disks. Since a VHD is nothing more than a large file, it can be deployed to compatible systems by simple file copies rather than the more complex disk imaging process.

    Microsoft Deployment Toolkit: This collection of tools automates Windows installations using Zero Touch Installation (ZTI), requiring no user interaction, or Lite Touch Installation (LTI), using minimal user interaction. ZTI requires the Microsoft System Center Configuration Manager 2007.

    Windows Deployment Services: Windows Deployment Services (WDS) is a familiar server role available in Windows Server 2008. However, the new version in Windows Server 2008 R2 includes enhanced multicast support and driver provisioning. Multicast allows you to deploy images to multiple systems by sending the image only once across the network. Driver provisioning allows you to deploy boot images along with driver packages specific to the system hardware. Another improvement to WDS includes support for VHDs in unattended installations.

    Configure Windows Server Hyper-V and Virtual Machines

    Some of the most anticipated changes in Windows Server 2008 R2 are related to the Hyper-V 2.0 server

    role. With virtualization now a standard part of the IT datacenter, improvements to Hyper-V are much

    welcomed by server managers. The highlights of these changes include:

    Live migration: Live migration adds to the already considerable flexibility afforded by virtualization technologies. With live migration, a running virtual machine (VM) can be moved between Hyper-V servers without disconnecting client computers that are using the VM. This feature brings IT managers closer to the goal of zero downtime. All Hyper-V servers involved in live migration must have the Failover Clustering feature installed, and to get the best results from live migration, you should be using Cluster Shared Volumes (CSVs) between the Hyper-V servers. There are some limitations of live migration. It is not triggered automatically by a server failover; it must be initiated manually. Only one live migration at a time can be in progress on a given source or destination server. Live migration requires that the virtual disk be located in shared storage, accessible to both the source and destination Hyper-V host. Live migration copies the memory being used by the VM to the destination Hyper-V host's memory. Once the memory is copied, the VM on the source server is paused and the VM on the destination server is started. This process results in essentially no downtime. Another migration option, quick migration, copies the VM memory to disk storage, and when the new server takes over the VM, the memory is read from disk storage. This scenario involves some VM downtime because the memory exchange does not occur in real time. However, as part of a planned Hyper-V host migration, quick migration can be used to migrate several VMs to a new host at the same time.

    Dynamic VM storage: Hyper-V 2.0 supports hot-add/hot-remove storage. Both virtual and physical disks can be added to or removed from a running VM as long as Hyper-V integration services are installed on the VM.

    Improved scalability: Hyper-V 2.0 supports up to 8 (or 64 in the Datacenter edition) physical processors, up to 64 CPU cores, and up to a terabyte of RAM. As many as 384 guests can be running at a time on a Hyper-V server, and 16 nodes per cluster are supported. Network enhancements include VM chimney, which provides the aforementioned TCP offload feature by mapping virtual networks to specific virtual network interfaces on the host machine. Jumbo frames (frames from 1518 bytes to over 9,000 bytes) are also supported.

    Configure High Availability

    Changes to the configuration of Windows Server 2008 R2 high availability technologies primarily involve

    failover clusters. Failover cluster management has been improved with a Windows PowerShell interface

    and new PowerShell cmdlets. The new cmdlets allow common management and configuration tasks to be

    scripted. Enhancements in cluster shared volumes make clustered VM configuration easier and make the

    use of shared volumes more flexible; for example, VHDs no longer must be stored on a separate physical

    disk and can instead be shared by other VHDs using the same LUN.

    The Cluster Validation Wizard has been improved with additional validation tests that allow

    administrators to fine-tune their cluster configuration before deploying it. DFS and Remote Desktop

    Connection Broker can now be configured as clustered services, bringing additional aspects of your

    applications infrastructure into the high availability realm. In addition, the Migration Wizard allows cluster

    settings for additional services to be migrated from clusters running on Windows Server 2003, Windows

    Server 2008, and Windows Server 2008 R2 servers. For more information on specific migration paths, see

    http://technet.microsoft.com/en-us/library/ee791924(WS.10).aspx.
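    As an added example (not part of the original document), the following PowerShell uses the R2 failover clustering cmdlets mentioned above to take a quick health snapshot of a cluster: node state, groups that are not online, and the state of any Cluster Shared Volumes. It assumes the FailoverClusters module on a Windows Server 2008 R2 cluster node; the node names in the commented Test-Cluster call are placeholders.

```powershell
# Added example, not from the original document. Summarises cluster health with the
# Windows Server 2008 R2 FailoverClusters cmdlets; node names below are placeholders.
Import-Module FailoverClusters

function Get-ClusterHealthSnapshot {
    param([string]$ClusterName = '')   # empty = the cluster this node belongs to
    $cluster = if ($ClusterName) { Get-Cluster -Name $ClusterName } else { Get-Cluster }
    $nodes   = @(Get-ClusterNode -Cluster $cluster.Name)
    $groups  = @(Get-ClusterGroup -Cluster $cluster.Name)
    # CSVs exist only on R2; suppress the error on clusters without any
    $csvs    = @(Get-ClusterSharedVolume -Cluster $cluster.Name -ErrorAction SilentlyContinue)
    New-Object PSObject -Property @{
        Cluster         = $cluster.Name
        NodesUp         = @($nodes | Where-Object { $_.State -eq 'Up' }).Count
        NodesTotal      = $nodes.Count
        GroupsNotOnline = @($groups | Where-Object { $_.State -ne 'Online' } | ForEach-Object { $_.Name })
        CsvTotal        = $csvs.Count
        CsvNotOnline    = @($csvs | Where-Object { $_.State -ne 'Online' } | ForEach-Object { $_.Name })
    }
}

Get-ClusterHealthSnapshot | Format-List

# Before deploying a new configuration, run the validation tests from the command line too:
# Test-Cluster -Node node1, node2
```

    A snapshot like this is what a scheduled task would run and compare against the previous result; a group that has left the Online state or a CSV that is not Online is the condition that should page someone before users notice.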

    Configure Storage

    Storage configuration has been enhanced in Windows Server 2008 R2 in the following areas:

    iSCSI initiator: The UI has been redesigned and can now be run on Server Core installations. A new feature called Quick Connect, shown in Figure 9, allows fast, single-click connections to storage devices. In addition, servers booting from external iSCSI devices have the option of up to 32 boot paths.

    MPIO improvements: Because MPIO supports multiple paths, it was sometimes difficult for administrators to diagnose path health. New health and configuration reporting improves on MPIO device management and troubleshooting. In addition, load balancing policies can be displayed and configured using the new MPClaim command-line utility.

    Figure 9. iSCSI initiator properties with Quick Connect

    Configuring Remote Desktop Services

    Perhaps the most obvious change to this objective is the name, which was formerly Configure Terminal

    Services. All the Terminal Services-related role services now use the term Remote Desktop instead of

    Terminal Services (see Figure 10). In most cases, the term "Terminal Services" is simply replaced by

    "Remote Desktop"; for example, the role service Terminal Services Gateway is now Remote Desktop

    Gateway. However, there are a few changes in role service and management tool names that go beyond

    that, as shown in Table 1.

    Figure 10. Remote Desktop role services

    Table 1. Role service and management tool name changes from Terminal Services to Remote Desktop Services

    Old name                               New name
    Terminal Server                        Remote Desktop Session Host
    Terminal Services Session Broker       Remote Desktop Connection Broker
    Terminal Services Configuration        Remote Desktop Session Host Configuration
    Terminal Services RemoteApp Manager    RemoteApp Manager

    Configure RemoteApp and Remote Desktop Web Access

    The RemoteApp feature available in Windows Server 2008 has been extended in Windows Server 2008

    R2 with a feature called RemoteApp and Desktop Connection. This new feature places shortcuts to

    RemoteApp programs and virtual desktops on the user's Windows 7 Start menu. You configure the client

    side of this feature using a new Control Panel applet named RemoteApp and Desktop Connections.

    RemoteApp and Desktop Connections can also be automatically configured by users with an administrator-

    distributed client configuration file or silently with a logon script.

    Remote Desktop Web Access allows RemoteApp and Desktop Connections to be accessed using a

    Web browser. Enhancements to this role service include:

    Public and private modes: When choosing public mode, your Remote Desktop Web Access user name is not remembered by the Web browser, whereas private mode makes your user name available for four hours.

    Per user application filtering: Administrators can configure Remote Desktop Web Access on a per user basis so that users logging on only see RemoteApp programs intended for them to see.

    Single sign-on: Single sign-on between Remote Desktop Session Host and Remote Desktop Web Access simplifies the logon experience for users who previously had to enter credentials for both the Remote Desktop Web Access server and the Session Host server that hosted the RemoteApp.

Remote Desktop Virtualization Host is a new role service in Windows Server 2008 R2. Using Remote Desktop Virtualization Host along with RemoteApp and Desktop Connection, administrators can create virtual desktops for use as personal desktops or for use in desktop pools. The virtual desktops are VMs running on a Hyper-V host and are available through RemoteApp and Desktop Connection or the Remote Desktop Web Access interface. Personal virtual desktops allow users to access their own desktop hosted on Hyper-V servers, making backup and maintenance more manageable than with physical desktop computers. Virtual desktop pools allow users to check out a desktop, perhaps with a specific application or OS installed, and then return the desktop to the pool when they are finished. Desktop pools are useful for training and testing, or for running enterprise applications without having to maintain the applications on individual users' desktops.

Configure Remote Desktop Gateway

Remote Desktop Gateway brings a number of enhancements in Windows Server 2008 R2, primarily related to session control and authentication. Administrators can configure timeouts for idle sessions, disconnecting users who are not actively using a session and freeing gateway server resources; when users become active again, their former session state is reestablished. Session timeouts also let administrators enforce new policies on currently active sessions, so that changes in accounts or security policies take effect almost immediately without waiting for a user to end an active session.

Another improvement in Remote Desktop Gateway is integration with Network Access Protection (NAP), which allows Remote Desktop Gateway servers to check client computers against health policies and bring them into compliance before they reach internal resources. Furthermore, system and logon messages can be displayed on remote desktops just as they are on local desktops, giving administrators a way to inform users of system events such as downtime and system updates, as well as logon messages that are displayed before users access remote resources.

Configure Remote Desktop Connection Broker

Remote Desktop Connection Broker can be configured for session load balancing in a remote desktop server farm as well as for automatic session reconnection. The session reconnection feature reconnects a disconnected remote desktop session to the same server in a load-balanced farm. In previous versions, a disconnected session would, upon reconnection, be connected to the first available server in the farm, causing the user's previous state to be lost.

Configure Remote Desktop Licensing

A few minor changes have occurred in the Remote Desktop Licensing role service. In earlier versions of Terminal Services Licensing, discovery scopes were configured, which allowed terminal servers to automatically discover license servers. In Windows Server 2008 R2, discovery scopes are no longer used; the name of the license server must be specified on the Remote Desktop Session Host (in RD Session Host Configuration or through Group Policy). Client Access License (CAL) management is improved with a new Remote Desktop Licensing Manager wizard that allows migration of Remote Desktop CALs and easier rebuilds of the licensing database. To migrate licenses from one license server to another, both servers must be running Windows Server 2008 R2.

Configure Remote Desktop Session Host

The most important change to configuring Remote Desktop Session Host involves IP address virtualization for remote desktop connections. This feature resolves issues with applications that require a unique IP address for each instance running on a Remote Desktop Session Host server. In earlier versions, all sessions shared the IP address assigned to the server. With IP virtualization, an administrator selects the network adapter to use and chooses per-session or per-program mode, and each session or application is then assigned its own IP address (obtained from DHCP) as necessary.

Configuring a Web Services Infrastructure

Rather than discuss changes made under each sub-objective, this section covers the most pertinent changes in IIS 7.5, which ships with Windows Server 2008 R2. Covering all the changes between IIS 7 and IIS 7.5 is beyond the scope of this document, but the highlights as they pertain to the 70-643 exam are covered here:

Best Practices Analyzer: The BPA was discussed earlier in this document and is accessed through Server Manager or PowerShell cmdlets. IIS 7.5 best practices can be checked by using BPA to scan an IIS 7.5 Web server and report configuration issues.

Request Filtering: Specific HTTP requests that may be harmful to the Web server (for example, oversized requests, disallowed verbs or file extensions, and URLs containing sequences such as "..") can be rejected before they reach the application. This feature was previously available for IIS 7 only as an extension and is now an integral module in IIS 7.5.

WebDAV and FTP: These two features have been upgraded to be more secure and reliable, allowing Web authors to publish content more confidently than before.

Web application improvements: ASP.NET and PHP applications have improved security and diagnostics. Each application pool's worker processes now run under a unique, low-privilege identity (the pool's own virtual account rather than Network Service), and services that once used standard service accounts can now use managed service accounts to further increase security.

Server Core gets .NET: The Server Core installation option in Windows Server 2008 did not include the .NET Framework, limiting the types of applications you could run under the IIS server role on Server Core. With Windows Server 2008 R2, .NET Framework versions 2.0, 3.0, 3.5.1, and 4.0 are supported, so both ASP.NET applications and PowerShell (which itself depends on .NET) can run on Server Core.
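As an added example (not code from the original document or from Microsoft), the following PowerShell applies the two IIS 7.5 hardening items above, request filtering and least-privilege identities, using the WebAdministration and ActiveDirectory modules that ship with Windows Server 2008 R2. The site name, application pool, host, service and account names are hypothetical; the configuration section names and cmdlet parameters are the real ones.

```powershell
# Added example, not from the original document or from Microsoft.
# Hypothetical names: site 'Default Web Site', pool 'AppPool01', MSA 'svcJobs',
# IIS host 'WEB01', Windows service 'ContosoJobs', domain 'CONTOSO'.
Import-Module WebAdministration
$site = 'IIS:\Sites\Default Web Site'
$rf   = 'system.webServer/security/requestFiltering'

# 1. Request limits: cap body, URL and query-string size so oversized
#    requests are rejected by the kernel-mode/IIS pipeline, not the app.
Set-WebConfigurationProperty -PSPath $site -Filter "$rf/requestLimits" `
    -Name maxAllowedContentLength -Value 10485760          # 10 MB
Set-WebConfigurationProperty -PSPath $site -Filter "$rf/requestLimits" `
    -Name maxUrl -Value 2048
Set-WebConfigurationProperty -PSPath $site -Filter "$rf/requestLimits" `
    -Name maxQueryString -Value 1024

# 2. Allow-list HTTP verbs; anything not listed (TRACE, PUT, DELETE, ...)
#    is refused with a 404.6 before any handler runs.
Set-WebConfigurationProperty -PSPath $site -Filter "$rf/verbs" `
    -Name allowUnlisted -Value $false
foreach ($v in 'GET', 'HEAD', 'POST') {
    Add-WebConfigurationProperty -PSPath $site -Filter "$rf/verbs" `
        -Name '.' -Value @{ verb = $v; allowed = $true }
}

# 3. Deny classic traversal and source-control leakage patterns in the
#    URL, and hide a directory ('backup', hypothetical) that must never be
#    served even if a file in it is requested by exact name.
foreach ($seq in '..', '.svn', '.git') {
    Add-WebConfigurationProperty -PSPath $site -Filter "$rf/denyUrlSequences" `
        -Name '.' -Value @{ sequence = $seq }
}
Add-WebConfigurationProperty -PSPath $site -Filter "$rf/hiddenSegments" `
    -Name '.' -Value @{ segment = 'backup' }

# 4. Reject URLs with non-ASCII bytes or doubly escaped sequences, two
#    common ways of sneaking '..' or '\' past naive filters.
Set-WebConfigurationProperty -PSPath $site -Filter $rf `
    -Name allowHighBitCharacters -Value $false
Set-WebConfigurationProperty -PSPath $site -Filter $rf `
    -Name allowDoubleEscaping -Value $false

# 5. Run the application pool as its own virtual account
#    (IIS AppPool\AppPool01) instead of Network Service.
#    identityType 4 = ApplicationPoolIdentity.
Set-ItemProperty 'IIS:\AppPools\AppPool01' -Name processModel.identityType -Value 4

# 6. A Windows service on the same host gets a managed service account.
#    MSAs cannot be used as IIS application pool identities on 2008 R2,
#    which is why step 5 uses the pool's virtual account instead.
Import-Module ActiveDirectory
New-ADServiceAccount -Name svcJobs -Enabled $true          # on any DC/admin box
Add-ADComputerServiceAccount -Computer WEB01 -ServiceAccount svcJobs
Install-ADServiceAccount -Identity svcJobs                 # run on WEB01 itself
# The password is managed by AD, so none is supplied here.
sc.exe config ContosoJobs obj= 'CONTOSO\svcJobs$' password= ''
```

Verify the result with `Get-WebConfiguration -PSPath $site -Filter $rf` and by sending a request that should fail (for example a TRACE request, or a URL containing `%2e%2e`): IIS returns a 404.x status with the request-filtering subcode rather than passing the request to the application.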

Configuring Network Application Services

The biggest change in Network Application Services is the upgrade to Windows SharePoint Foundation 2010. Windows SharePoint Foundation 2010, formerly Windows SharePoint Services, is supported on 64-bit Windows Server 2008 with at least Service Pack 2 and on Windows Server 2008 R2. Additional requirements include one of the following database servers: 64-bit SQL Server 2005 with SP3, 64-bit SQL Server 2005 Express, 64-bit SQL Server 2008, or 64-bit SQL Server 2008 Express. Microsoft .NET Framework 3.5 SP1 must be installed. SharePoint Foundation 2010 supports only Internet Explorer 7 and later, Firefox 3.x and later, and Safari 3.x and later. Covering all the features in SharePoint Foundation is beyond the scope of this document. For a full discussion of this new product, see http://sharepoint.microsoft.com/en-us/product/Related-Technologies/Pages/SharePoint-Foundation.aspx.

Document Summary

General changes from Windows Server 2008 to Windows Server 2008 R2 include a new Windows Server 2008 R2 Foundation edition as well as the move to 64-bit-only versions of the server OS and support for up to 256 CPU cores, up from 64. Server Manager can now be used to manage remote servers and create custom MMCs to manage multiple servers with one console.

The new Best Practices Analyzer provides best practice reports for a number of installed server roles, and PowerShell 2.0 provides dozens of new cmdlets for managing server roles and features. User Account Control changes make performing common tasks simpler while maintaining security.

General changes in Windows Server 2008 R2 that relate to the 70-640 exam objectives include Active Directory Administrative Center, Active Directory Web Service, and many new PowerShell 2.0 cmdlets for managing all aspects of Active Directory environments.

Other 70-640-related changes include a new domain and forest functional level, a new feature called offline domain join, and managed service accounts and virtual accounts for increasing the security of services that require a system or network logon. Group Policy changes include new Group Policy Preferences, new Starter GPO templates, and an improved user interface for working with Administrative Templates. Rounding out the major changes in Active Directory configuration are the new AppLocker feature for managing user application access and the Active Directory Recycle Bin. Active Directory Certificate Services changes include the Certificate Enrollment Web Service and authentication mechanism assurance.

General changes in Windows Server 2008 R2 that relate to the 70-642 exam objectives include URL-based QoS, multiple active firewall profiles, and TCP chimney offload.

Name resolution is made more secure by DNS cache locking, the DNS socket pool, and DNSSEC. DNS devolution changes enhance DNS resolver management. VPN Reconnect and DirectAccess are two new features that make remote access to the corporate network more secure and convenient for users and administrators. BranchCache is the most significant change in configuring a file server; and for Unix/Linux users, Netgroup makes using NFS in a Windows environment simpler and more secure.

DFS improvements include support for ABE and better performance. Windows Server Backup has been revamped to be faster and more flexible, while Print Services has added location-aware printing and printer driver isolation. Network monitoring is enhanced with the Network Diagnostic Framework, Network Tracing, and the netsh trace command.

Changes in Windows Server 2008 R2 that relate to the 70-643 exam objectives include improvements to the Windows Automated Installation Kit, User State Migration Tool 4.0, and Zero Touch Installation and Lite Touch Installation, which are new features in the Microsoft Deployment Toolkit. WDS adds better multicast support and driver provisioning.

Hyper-V has seen several improvements, including live migration, dynamic VM storage, and scalability enhancements, with support for up to 64 CPU cores and a terabyte of RAM. High availability upgrades include the Cluster Validation Wizard and the addition of several services that can be clustered, including DFS and Remote Desktop Connection Broker. In addition, improvements were made to the iSCSI initiator and MPIO to enhance storage configuration options.

The Terminal Services role and related role services have been renamed Remote Desktop Services. RemoteApp and Remote Desktop Web Access have seen enhancements for client connections to remotely hosted applications, including public and private modes, per-user application filtering, and single sign-on. Remote Desktop Virtualization Host is a new role service that allows provisioning of personal virtual desktops or a desktop from a virtual desktop pool.

Web Services Infrastructure configuration is affected by the upgrade to IIS 7.5, which includes the Best Practices Analyzer, request filtering, WebDAV and FTP upgrades, and .NET Framework availability on Server Core. Network Application Services configuration is primarily affected by the change from Windows SharePoint Services to Windows SharePoint Foundation 2010.

Key Terms

Active Directory Recycle Bin: Allows administrators to recover deleted Active Directory and AD LDS objects without having to perform a DS restore operation or a tombstone reanimation procedure.

AppLocker: A new section of a GPO that succeeds Software Restriction Policies and reduces overhead for administrators by allowing them to define application rules based on an application's digital signature (publisher, product name, file name, and version), its path, or its file hash.

authentication mechanism assurance: Adds information to the user's Kerberos token (in the form of an administrator-designated group membership) about the type of certificate-based authentication used, which allows administrators to grant or restrict access based on how the user authenticated, such as with a smart card.

automated password regeneration: Passwords used by MSAs, which are changed every 30 days and are 240 random characters in length. See managed service accounts (MSAs).

Best Practices Analyzer (BPA): This new Server Manager enhancement shows administrators a report that lists violations of best practices for the installation and configuration of the selected role.

BranchCache: Allows clients located in branch offices to access copies of shared files located in the cache of a local server rather than having to access remote servers across a WAN.

Certificate Enrollment Web Service: Part of Certificate Services, this new role service enables certificate enrollment over HTTPS.

deleted object lifetime: A value that defines the period of time during which a deleted object can be restored using the Recycle Bin.

DirectAccess: Allows seamless, secure, and flexible client connections from a Windows 7 Enterprise or Ultimate client to a Windows Server 2008 R2 DirectAccess server. DirectAccess-enabled client computers are connected to the private network whenever they have Internet connectivity; there is no need for manual connections.

DNS cache locking: A new DNS security feature that prevents a cached record from being overwritten until a configurable percentage of its TTL has elapsed (100 percent by default), which blunts cache-poisoning attempts that rely on replacing a record early.

DNS devolution: A new feature of Windows Server 2008 R2 and Windows 7 DNS resolvers that allows administrators to configure how many labels of the primary DNS suffix the resolver strips when devolving unqualified queries.

DNSSEC: An Internet standard set of DNS security enhancements defined by RFCs 4033 through 4035 that uses public key cryptography and digital signatures so that a resolver can verify that DNS data in a response originated from the authoritative zone and was not modified in transit.

Global Object Access Auditing: Allows the creation of System Access Control Lists (SACLs) on files or registry keys for an entire computer (or all computers in the scope of the GPO) rather than the administrator having to set audit policies on individual files.

Lite Touch Installation (LTI): Part of the Microsoft Deployment Toolkit, LTI automates Windows installations requiring minimal user interaction.

live migration: Allows a running virtual machine to be moved between Hyper-V servers without disconnecting client computers that are using it.

location-aware printing: A new Print Services feature that allows mobile users to set different default printers for the different networks they connect to.

logically deleted: A deleted object state in which the deleted object is stored in the Deleted Objects container and all attributes and linked values (such as group memberships) are preserved.

managed service accounts (MSAs): Domain accounts, created with the New-ADServiceAccount PowerShell cmdlet, whose passwords are managed automatically; running a service under an MSA instead of the Local System or Network Service account gives it its own identity with only the privileges it needs.

multi-configuration System Health Validator (SHV): A new feature of Network Access Protection (NAP) in which administrators can specify multiple SHV configurations that can be selected when a health policy is configured.

Netgroup: Allows administrators of Services for NFS on Windows Server 2008 R2 servers to create named groups of hosts, which simplifies NFS logon and NFS access control lists.

NPS templates: Used to configure elements of NPS, such as RADIUS clients. The templates can be used on NPS servers and exported for use on other NPS servers, providing a more manageable and consistent NPS environment.

offline domain join: A new feature (the djoin.exe tool) that allows administrators to join computers to a domain without the computer having network connectivity to a domain controller. Computers can be joined to the domain the first time they start up after a new OS installation and do not require a restart.

printer driver isolation: Allows printer drivers to run in a process isolated from the print spooler. The isolation prevents misbehaving print drivers from bringing down the entire print spooler process.

quick migration: A method of migrating VMs in which a copy of the VM memory is written to disk storage and, when the new server takes over the VM, the memory is read back from disk storage. Requires some downtime of the VM.

recycled object: A deleted object state in which most of the linked values and attributes of the object are deleted and the object will soon be removed from the Active Directory database.

Remote Desktop Virtualization Host: A new role service in Windows Server 2008 R2. Using Remote Desktop Virtualization Host along with RemoteApp and Desktop Connection, administrators can create virtual desktops for use as personal desktops or for use in desktop pools.

virtual account: Similar to a managed service account, a virtual account is designed primarily to be used in place of the Network Service account. Virtual accounts use the computer account's credentials to access the network in a domain environment. See managed service accounts.

VPN Reconnect: After an Internet connection disruption, VPN Reconnect automatically reestablishes a VPN connection without requiring the user to reenter credentials.

Zero Touch Installation (ZTI): Part of the Microsoft Deployment Toolkit, ZTI automates Windows installations requiring no user interaction.

