server 2008 tool

Upload: joe1602

Post on 05-Apr-2018


  • 7/31/2019 Server 2008 Tool

    Windows Server 2008 Quick Reference Guide

    www.learnsmartsystems.com | 1-800-418-6789

    Windows Server 2008 Quick Reference Guide

    Windows Server 2008 is the latest and greatest Windows Server platform available from Microsoft. With its enhancements in Active Directory, DNS Management, and infrastructure coordination, Server 2008 has set the bar to the highest level that Microsoft has ever attempted. Accordingly, with the new features of Windows Server 2008, new challenges have arisen in how these technologies should be administered. Therefore, LearnSmart has released this quick reference guide for you, free to download, as a useful tool in your process of administering your network.

    The Quick Reference Guide helps experienced and new Windows Server Administrators navigate Server 2008's new features more quickly and effectively. For those of you who've worked with previous versions of Windows Server, the Windows Server 2008 Quick Reference Guide helps you pinpoint and master the new and expanded capabilities of the 2008 edition. Use this Quick Reference Guide to bring your fresh, new Server 2008 expertise to the table and get ahead of the curve at your company. For those of you just getting started, the Windows Server 2008 Quick Reference Guide will help you become more competitive with the other members in your field. For more information and training for Server 2008, or any other IT skills and certifications, you can always contact LearnSmart at 1-800-418-6789. Enjoy your Windows Server 2008 Quick Reference Guide.

    Windows Server 2008 Improvements

    Active Directory Lightweight Directory Services

    A replacement for Active Directory Application Mode, Active Directory Lightweight Directory Services (AD LDS) is a system used in Windows Server 2008 to provide directory services for applications requiring access to specific directories. It is domain and forest independent, and provides an extra level of security so applications do not have direct access to the system files. The figure on the next page outlines the features of AD LDS.


    Active Directory Lightweight Directory Services (figure)

    AD LDS Usage Scenarios
    - Application-specific directory services scenarios
    - Application development scenarios
    - Extranet access management
    - X.500/LDAP directory migration scenarios
    - Deployment in datacenters and perimeter networks (branch offices, DMZs)

    AD LDS Users and Groups
    - AD LDS authenticates the identity of users who are represented by AD LDS user objects
    - AD LDS allows the use of Windows security principals from the local machine and AD for access control
    - The authentication process for these user principals is redirected to the local machine and AD respectively
    - Four default groups: Administrators, Instances, Readers, and Users

    AD LDS Tools
    - AD Schema Analyzer: helps migrate the AD schema to AD LDS, from one AD LDS instance to another, or from any LDAP-compliant directory to an AD LDS instance
    - Active Directory to AD LDS Synchronizer: command-line tool that synchronizes data from an AD forest to a configuration set of an AD LDS database
    - Snapshot Browser: uses an LDAP client to bind to a VSS snapshot (taken by NTDSUTIL) and view a read-only instance of the AD LDS database
    - Active Directory Sites and Services: assists in administering the AD LDS replication topology
    - Install from Media (IFM): IFM can also be used to install an AD LDS instance

    AD LDS Platform Support
    - AD LDS is a Windows Server 2008 role

    AD LDS Access Control
    - Uses ACLs on directory objects to determine which objects a user can access

    AD LDS Replication Overview
    - AD LDS instances replicate data based on participation in a configuration set
    - The AD LDS instances in a configuration set can host all or a subset of the application partitions in the configuration set
    - AD LDS replication and schedule is independent from Active Directory

    [Figure: four AD LDS instances spread over three computers (AD LDS Computer 1, 2 and 3) in two configuration sets. Configuration Set 1 shares Configuration Partition 1 and Schema 1; one of its instances hosts App Partition 1 and App Partition 2, the other hosts App Partition 1 only (App Partition 2 NOT hosted). Configuration Set 2 shares Configuration Partition 2 and Schema 2; one instance hosts App Partition 3 and App Partition 4, the other hosts App Partition 4 only (App Partition 3 NOT hosted). Replication runs between the instances of the same configuration set. Directory clients using directory-enabled App 3 and directory-enabled App 4 connect to the instances that host their partitions.]


    Active Directory Rights Management Services

    1. Author uses AD RMS for the first time and receives a Rights Account Certificate (RAC) and a Client Licensor Certificate (CLC). This happens once and enables the user to publish online or offline and consume rights-protected content.

    2. Using an AD RMS-enabled application, the author creates a file and specifies user rights. A policy license containing the user policies is generated.

    3. The application generates a content key and encrypts the content with it. Online publish: encrypts the content key with the AD RMS server public key and sends it to the AD RMS server; the server creates and signs the publishing license (PL). Offline publish: encrypts the content key with the CLC public key, encrypts a copy of the key with the AD RMS server public key, creates the PL and signs it with the CLC private key. The PL is appended to the encrypted content.

    4. The AD RMS-protected content file is sent to the Information Recipient. AD RMS-protected content may also be represented by e-mail.

    5. The recipient receives the file and opens it using an AD RMS-enabled application or browser. If there is no account certificate on the current computer, the AD RMS server will issue one (the AD RMS document notifies the application of the AD RMS server URL).

    6. The application sends a request for a use license to the AD RMS server that issued the publishing license (if the file was published offline, it sends to the server that issued the CLC). The request includes the RAC and the PL for the file.

    7. The AD RMS server confirms the recipient is authorized, checks for a named user, and creates a use license for the user. The server decrypts the content key using the private key of the server and re-encrypts the content key with the public key of the recipient, then adds the encrypted session key to the use license. This means only the intended recipient can access the file.

    8. The AD RMS server sends the use license to the information recipient's computer.

    9. The application examines both the license and the recipient's account certificate to determine whether any certificate in either chain of trust requires a revocation list. The user is granted access as specified by the information author.

    [Figure: AD RMS components, with the numbered flow above (steps 1-9) drawn between the Information Author and the Information Recipient exchanging RMS-protected content. AD RMS Server: Root Certification Server; provides certificates to AD RMS-enabled clients; licenses AD RMS-protected content; enrolls servers and users; administers AD RMS functions. SQL Server (a separate SQL server or, for small configurations, SQL on the AD RMS server): the Configuration Database stores the primary key pairs for secure rights management and the data needed to manage account certification, licensing and publishing. AD DC: authenticates users of AD RMS; stores the AD RMS Service Discovery Location; performs group expansion for AD RMS. Clients: AD RMS-enabled client installed, with AD RMS-enabled applications, for example IE, Office 2003/2007, Office SharePoint Server 2007.]


    Active Directory Read-Only Domain Controller

    - Read-only replica of the AD database
    - Unidirectional replication
    - Credential caching
    - Read-only AD-integrated DNS zone

    [Figure: branch offices, each with an RODC holding a user credentials cache and a computer credentials cache, connected to the writable DCs at the hub site. The RODC performs normal inbound replication for AD DS and DFS changes, and provides RODC GC support for Outlook clients. Changes made on a writable DC are replicated back to the RODC, but not vice versa.]

    Credential caching (numbered 1-4 in the figure):
    1. Requests from the branch office reach the RODC
    2. RODC contacts a writable DC at the hub site and requests a copy of the credentials
    3. Writable DC verifies that the request is coming from an RODC and consults the Password Replication Policy for the RODC
    4. Authenticates the user and queues a request to replicate the credentials to the RODC if allowed

    Password Replication Policy: selectively enable password caching. Only passwords for accounts that are in the Allow group are replicated to the RODC.

    Delegated Administration for RODC

    RODC administrators can be different users from domain administrator users. Benefits include:
    - Prevents accidental modifications of directory data existing outside the RODC
    - Delegated installation and recovery of the RODC

    Delegated Installation and Administration Process for RODC

    (Note: Steps 1 and 2 are not necessarily performed from the same computer)

    1. Pre-Create and Delegate: the Domain Administrator uses the AD Users and Computers MMC snap-in to pre-create the RODC, specifying the RODC's FQDN and the Delegated Administration group.

    2. Promote RODC: the Delegated Administrator (non-DA) uses the DCPROMO Wizard from the server to configure it as an RODC. It replicates over the network, with support for secure IFM, and reboots as an RODC.
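The Password Replication Policy above decides which secrets end up on a branch-office box that is, by design, less protected than the hub. The script below is an added example and not part of the LearnSmart guide: it uses repadmin /prp (shipped with Windows Server 2008) to allow caching for one branch group, shows the Allow and Deny lists the writable DC evaluates, and then lists the accounts whose secrets have actually been revealed to the RODC, flagging any that belong to a privileged group. The RODC name RODC01, the group CONTOSO\Branch1-Users, the privileged-group list and the assumption that `repadmin /prp view <rodc> reveal` prints one distinguished name per line are constructed for this example.

```powershell
# Added example, not from the LearnSmart guide. Constructed assumptions:
# RODC name RODC01, branch group CONTOSO\Branch1-Users, and that
# "repadmin /prp view <rodc> reveal" prints one distinguished name per line.

$Rodc       = "RODC01"
$AllowGroup = "CONTOSO\Branch1-Users"

# Allow the branch group's passwords to be cached on this RODC. The writable
# DC consults the Allow list (and the Deny list, which wins) on each request.
repadmin /prp add $Rodc allow $AllowGroup

# Show both lists as the hub-site writable DC will evaluate them.
repadmin /prp view $Rodc allow
repadmin /prp view $Rodc deny

function Get-RodcRevealedPrivilegedAccounts {
    param(
        [string]$Rodc,
        [string[]]$PrivilegedGroups = @("Domain Admins", "Enterprise Admins",
                                        "Schema Admins", "Administrators")
    )
    # "reveal" lists the accounts whose secrets have already replicated to the
    # RODC; if the branch server is lost, these are the credentials at risk.
    $revealed = repadmin /prp view $Rodc reveal |
        Where-Object { $_ -match '^\s*CN=' } |
        ForEach-Object { $_.Trim() }

    foreach ($dn in $revealed) {
        $account = [ADSI]"LDAP://$dn"
        # memberOf shows direct membership only; nested groups and the primary
        # group are not expanded, so a clean result is necessary, not sufficient.
        $groups = @($account.memberOf) | ForEach-Object {
            (($_ -split ',')[0]) -replace '^CN=', ''
        }
        $hits = @($groups | Where-Object { $PrivilegedGroups -contains $_ })
        if ($hits.Count -gt 0) {
            New-Object PSObject -Property @{
                Account         = $dn
                PrivilegedGroup = ($hits -join "; ")
            }
        }
    }
}

# Any row returned here means a privileged secret is sitting on a branch RODC:
# add the account to the Deny list (repadmin /prp add $Rodc deny ...) and reset
# its password, because the cached secret stays valid until it changes.
Get-RodcRevealedPrivilegedAccounts -Rodc $Rodc | Format-Table -AutoSize
```

New-Object PSObject is used instead of [PSCustomObject] so the script runs on the PowerShell version that ships with Windows Server 2008.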


    New Group Policy Features

    Group Policy Delivery and Enforcement

    Workstation / Member Server Delivery
    - At workstation / member server startup
    - Processed every 90-120 minutes (random)
    - Refreshes on NLA notifications (Windows Vista and Windows Server 2008)

    User Delivery
    - At user logon
    - Processed approximately every 90-120 minutes (random)

    Domain Controller Delivery
    - At domain controller startup
    - Processed approximately every 5 minutes

    Network Location Awareness

    Using Network Location Awareness, Group Policy has access to resource detection and event notification capabilities in the operating system. This allows Group Policy to refresh after detecting the following events:
    - Recovery from hibernation or standby
    - Establishment of VPN sessions
    - Moving in or out of a wireless network

    Network Location Awareness also:
    - Removes the reliance on the ICMP protocol (PING) for assisting policy application across slow link connections
    - Is used for bandwidth determination (applying GP over slow links)

    Group Policy Central Store

    Central storage for Administrative Templates:
    1) Create the Central Store on the PDC Emulator
    2) A Central Store is created for each domain
    3) If a Central Store is available when administering domain-based GPOs, the central store is used by default

    Advantages of the Central Store include reduced SYSVOL size and reduced traffic between DCs.

    FRS / DFS-R: use File Replication Service (FRS) on Windows 2000 and Windows Server 2003; use Distributed File System Replication (DFS-R) in a Windows Server 2008 forest functional environment.

    [Figure: SYSVOL layout. Policies\[GUID]\ADM; PolicyDefinitions (stores all .admx files); en-US (all .adml files are stored in language-specific folders, for example en-US for US English).]

    Central Store Benefits
    - Single point of storage
    - Multilingual support
    - Central Store hosted on Windows Server 2000, Windows Server 2003, & Windows Server 2008
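The three-step central store procedure above, as an added example that is not part of the LearnSmart guide: the function copies the local ADMX files and every language folder of ADML files from a Windows Vista / Windows Server 2008 machine into the PolicyDefinitions folder under SYSVOL on the PDC emulator, and reports what it placed. The domain name contoso.com and the PDC emulator name dc01.contoso.com are constructed; the source path %windir%\PolicyDefinitions is where Vista and Server 2008 keep their local templates.

```powershell
# Added example, not from the LearnSmart guide. Constructed assumptions:
# domain contoso.com and PDC emulator dc01.contoso.com.

function New-GpoCentralStore {
    param(
        [string]$Domain = "contoso.com",
        [string]$PdcEmulator = "dc01.contoso.com",
        [string]$LocalDefinitions = (Join-Path $env:windir "PolicyDefinitions")
    )
    # Step 1 of the guide: the store lives on the PDC emulator, under
    # SYSVOL\<domain>\Policies\PolicyDefinitions, and FRS/DFS-R replicates it
    # to the other DCs of the domain (step 2).
    $store = "\\$PdcEmulator\SYSVOL\$Domain\Policies\PolicyDefinitions"

    if (-not (Test-Path $LocalDefinitions)) {
        throw "No local ADMX folder at $LocalDefinitions (run this on Vista/2008 or later)"
    }
    if (-not (Test-Path $store)) {
        New-Item -Path $store -ItemType Directory | Out-Null
    }

    # All .admx files go to the root of the store; each language folder
    # (e.g. en-US) carries the matching .adml files, which is what gives the
    # store its multilingual support.
    Copy-Item -Path (Join-Path $LocalDefinitions "*.admx") -Destination $store -Force
    Get-ChildItem -Path $LocalDefinitions | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $dest = Join-Path $store $_.Name
        if (-not (Test-Path $dest)) { New-Item -Path $dest -ItemType Directory | Out-Null }
        Copy-Item -Path (Join-Path $_.FullName "*.adml") -Destination $dest -Force
    }

    # Step 3: once the store exists, Vista/2008 Group Policy tools use it by
    # default, so a stray or stale .admx here silently changes the settings
    # every administrator of the domain sees. Report what was placed.
    $admx = @(Get-ChildItem -Path $store -Filter *.admx).Count
    $adml = @(Get-ChildItem -Path $store -Recurse -Filter *.adml).Count
    return "Central store $store now holds $admx .admx and $adml .adml files"
}

New-GpoCentralStore
```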

    Multiple Local Group Policy Objects

    GPO Processing Order: MLGPO, then Site, then Domain, then OUs

    Local Computer Policy (processed in this order):
    1. LGPO Computer Configuration and LGPO User Configuration
    2. Admin or Non-Admin Group Policy
    3. Local User Account Policy

    Group Policy Tools

    Windows Vista, Windows Server 2008:
    - Manage new Windows Vista/Windows Server 2008 policy settings
    - Manage Windows 2000, Windows Server 2003, and Windows XP machine policy settings

    Windows 2000, Windows Server 2003, Windows XP:
    - Cannot manage new Windows Vista/Windows Server 2008 policy settings
    - Manage Windows 2000, Windows Server 2003 and Windows XP machine policy settings


    Active Directory Federation Services

    Federation Scenarios

    Federated Web SSO with Forest Trust: forests are located in the DMZ and the internal network. A federation trust is established so accounts in the internal forest can access Web-based applications in the perimeter network (including intranet or Internet access).

    Web SSO: users must authenticate only once to access multiple Web-based applications. All users are external, and no federation trust exists.

    Federated Web SSO: a federation trust relationship is established between two businesses. FS routes authentication requests from user accounts in adatum to Web-based applications that are located in the treyresearch network.

    AD FS Authentication Flow

    1. Client tries to access a Web application in treyresearch.net. The Web server requests a token for access.

    2. Client is redirected to the Federation Server in treyresearch.net. The federation server has a list of partners that have access to the Web application and refers the client to its adatum.com Federation Server.

    3. Instructs the client to get a token from the adatum.com Federation Server.

    4. Client is a member of its domain and presents user authentication data to the adatum.com Federation Server.

    5. Based on the authentication data, a SAML token is generated for the client.

    6. User obtains the SAML token from the adatum.com Federation Server for the treyresearch.net Federation Server.

    7. Redirects the client to the treyresearch.net Federation Server for claims management.

    8. Based on policies for the claims presented by the adatum.com token, a treyresearch.net token for the Web application is generated for the client.

    9. The treyresearch.net token is delivered to the client.

    10. Client can now present the treyresearch.net token to the Web server to gain access to the application.

    [Figure: adatum.com (Account Forest) and treyresearch.net (Resource Forest), linked by a Federation Trust that extends AD to access resources offered by partners across the Internet. Account forest: Active Directory Forest with AD DS / AD LDS (authenticate users; map attributes) and a Federation Server (issue tokens; map attributes to claims; manage trust policy; generate token-based authentication data; requires IIS 6.0 or greater). Resource forest: Federation Server (generate token-based authentication data; requires IIS 6.0 or greater) and Web Server (enforce user authentication; create application authorization context from claims). User tokens flow between the client and the two federation servers; the numbered arrows 1-10 correspond to the authentication flow steps above.]


    Active Directory Management

    Fine-Grained Password Policies

    Fine-grained password policy removes the restriction of a single password policy per domain.

    Set attributes on the Password Settings Object:
    - Precedence
    - Password settings
    - Account lockout settings
    - Distinguished name of the users and/or groups the settings apply to

    Password Settings Objects are stored in the Password Settings Container: cn=Password Settings Container, cn=System, dc=northwind, dc=com

    Requires Windows Server 2008 domain mode.

    msDS-PasswordSettings object(s) are applied to users and/or groups. At user logon and password change, check if a Password Settings Object has been assigned to this user.
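The attributes listed above map one-to-one onto an msDS-PasswordSettings object, which on Windows Server 2008 is most easily created with ldifde. The script below is an added example, not part of the LearnSmart guide: it builds the LDIF for a PSO, imports it into the Password Settings Container of the guide's dc=northwind,dc=com domain, and then reads the constructed attribute msDS-ResultantPSO of one user to confirm which policy the DC actually resolves. The PSO name, the group CN=Service Accounts,CN=Users, the user CN=svc-backup and all policy values are constructed; the function name ConvertTo-AdInterval is the example's own.

```powershell
# Added example, not from the LearnSmart guide. Constructed assumptions: domain
# northwind.com (the DN used in the guide), a group "Service Accounts" under
# CN=Users, a user "svc-backup", and the policy values below. Needs the
# Windows Server 2008 domain functional level and Domain Admins membership.

# AD stores ages and windows as negative 100-nanosecond intervals. A .NET
# TimeSpan counts its ticks in exactly those units, so no manual arithmetic.
function ConvertTo-AdInterval {
    param([TimeSpan]$Span)
    return [int64](-1 * $Span.Ticks)
}

function New-PsoLdif {
    param(
        [string]$Name, [int]$Precedence, [string]$AppliesToDn,
        [int]$MinLength, [int]$HistoryLength,
        [TimeSpan]$MinAge, [TimeSpan]$MaxAge,
        [int]$LockoutThreshold, [TimeSpan]$LockoutWindow,
        [string]$DomainDn = "DC=northwind,DC=com"
    )
    # Every attribute below except msDS-PSOAppliesTo is mandatory on the
    # msDS-PasswordSettings class; ldifde rejects the add if one is missing.
    # When several PSOs apply to one user, the lowest precedence value wins.
@"
dn: CN=$Name,CN=Password Settings Container,CN=System,$DomainDn
changetype: add
objectClass: msDS-PasswordSettings
msDS-PasswordSettingsPrecedence: $Precedence
msDS-PasswordReversibleEncryptionEnabled: FALSE
msDS-PasswordHistoryLength: $HistoryLength
msDS-PasswordComplexityEnabled: TRUE
msDS-MinimumPasswordLength: $MinLength
msDS-MinimumPasswordAge: $(ConvertTo-AdInterval $MinAge)
msDS-MaximumPasswordAge: $(ConvertTo-AdInterval $MaxAge)
msDS-LockoutThreshold: $LockoutThreshold
msDS-LockoutObservationWindow: $(ConvertTo-AdInterval $LockoutWindow)
msDS-LockoutDuration: $(ConvertTo-AdInterval $LockoutWindow)
msDS-PSOAppliesTo: $AppliesToDn
"@
}

function Get-ResultantPso {
    param([string]$UserDn)
    $user = [ADSI]"LDAP://$UserDn"
    # msDS-ResultantPSO is computed by the DC on request, so ask for it explicitly.
    $user.psbase.RefreshCache([string[]]@("msDS-ResultantPSO"))
    $pso = [string]$user.psbase.Properties["msDS-ResultantPSO"].Value
    if ($pso) { return $pso }
    return "(none: the Default Domain Policy applies)"
}

# Stricter settings for service accounts: long passwords, short lockout window.
$ldif = New-PsoLdif -Name "PSO-ServiceAccounts" -Precedence 10 `
    -AppliesToDn "CN=Service Accounts,CN=Users,DC=northwind,DC=com" `
    -MinLength 20 -HistoryLength 24 `
    -MinAge ([TimeSpan]::FromDays(1)) -MaxAge ([TimeSpan]::FromDays(90)) `
    -LockoutThreshold 5 -LockoutWindow ([TimeSpan]::FromMinutes(30))

$file = Join-Path $env:TEMP "pso-serviceaccounts.ldf"
Set-Content -Path $file -Value $ldif -Encoding ASCII
ldifde -i -f $file -k     # -i import, -f file, -k keep going on "already exists"

# Confirm which PSO the DC resolves for one member of the group.
Get-ResultantPso -UserDn "CN=svc-backup,CN=Users,DC=northwind,DC=com"
```

Checking msDS-ResultantPSO after the import is the step that catches precedence mistakes: if two PSOs cover the same user, only the one with the lower precedence value is enforced, and the user object itself is the only place that shows which one that is.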

    GlobalNames Zone

    Resolution of single-label, static, global names for servers using DNS.
    - All authoritative DNS servers for a domain must be running Windows Server 2008 to provide GlobalNames support for clients
    - Implemented as a regular forward lookup zone, which must be named GlobalNames
    - The GlobalNames zone should be Active Directory integrated and replicated forest-wide
    - The GlobalNames zone is manually configured with CNAME records to redirect from a server's host name to its Fully Qualified Domain Name

    Restartable Active Directory Service

    Active Directory Domain Services (AD DS) in Windows Server 2008 has the capability to start and stop the Active Directory service via the MMC or the command line.
    - Restarting AD requires membership of the built-in Administrators group on the DC
    - Stop/Start DS without reboot
    - If the DC is contacted while the DC service is stopped, the server acts as a member server
    - Another DC is used for logon, and normal Group Policy is applied
    - If another DC cannot be contacted, the administrator can log on either by using cached credentials or by using the DSRM credentials

    Directory Service States (Restartable DS: Start / Stop)
    - AD DS Started
    - AD DS Stopped (Ntds.dit offline)
    - AD Directory Restore Mode

    [Figure: GlobalNames resolution between an East and a West site. The client types "intranet" into the browser; the DNS client appends domain name suffixes to this single-label name. Labelled elements: (1) query for Intranet.west.contoso.com to the DNS server authoritative for west.contoso.com; (2) query for server.east.contoso.com and query for Intranet.east.contoso.com to the DNS server authoritative for east.contoso.com; (3) Domain Controller; the answer 172.20.1.1.]


    DNS Information

    The following types of zones are now available in Windows Server 2008 and can be used in accordance with your DNS design. Additionally, Microsoft frequently likes to test on the difference between these different types of zones on MCTS and MCITP level exams. Table 1 should answer these questions effectively.

    Table 1: Zone types

    Primary: A primary zone is the primary source for information about this zone, and it stores the master copy of zone data in a local file or in AD DS. When the zone is stored in a file, by default, the primary zone file is named zone_name.dns and is located in the %windir%\System32\Dns folder on the server.

    Secondary: A secondary zone is the secondary source for information about this zone. The zone at this server must be obtained from another remote DNS server computer that also hosts the zone. This DNS server must have network access to the remote DNS server that supplies it with updated information about the zone. Because a secondary zone is merely a copy of a primary zone that is hosted on another server, it cannot be stored in AD DS.

    Stub: A stub zone is a copy of a zone that contains only the resource records that are necessary to identify the authoritative DNS servers for that zone. A stub zone keeps a DNS server hosting a parent zone aware of the authoritative DNS servers for its child zone. This helps maintain DNS name-resolution efficiency.

    GlobalNames: The GlobalNames zone was added in Windows Server 2008 to hold single-label names and provide support for organizations still utilizing WINS. Unlike WINS, the GlobalNames zone is intended to provide single-label name resolution for a limited set of host names, typically corporate servers and Web sites that are centrally (IT) managed. The GlobalNames zone is not intended to be used for peer-to-peer name resolution, such as name resolution for workstations, and dynamic updates in the GlobalNames zone are not supported. Instead, the GlobalNames zone is most commonly used to hold CNAME resource records to map a single-label name to a fully qualified domain name (FQDN).

    Forward lookup: Forward lookup zones support the primary function of the Domain Name System (DNS), that is, the resolution of host names to IP addresses. Forward lookup zones provide name-to-address resolution.

    Reverse lookup: A reverse lookup zone contains pointer (PTR) resource records that map IP addresses to the host name. Some applications, such as secure Web applications, rely on reverse lookups.
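Each zone type in Table 1, together with the GlobalNames zone requirements from the preceding section (forward lookup zone named exactly GlobalNames, AD-integrated, forest-wide, support enabled on every authoritative server, CNAME records only, no dynamic updates), created with dnscmd as an added example that is not part of the LearnSmart guide. The DNS server name dns1.contoso.com, the zone names, the master addresses 172.20.2.1 and 172.20.3.1 and the host web1.west.contoso.com are all constructed.

```powershell
# Added example, not from the LearnSmart guide. Constructed assumptions: DNS
# server dns1.contoso.com, zones and addresses named below. dnscmd ships with
# the DNS Server role on Windows Server 2008.

$Dns = "dns1.contoso.com"

# Primary, AD-integrated zone (/dsprimary) stored in the forest-wide
# application partition (/dp /forest) so every DNS server in the forest gets it.
dnscmd $Dns /zoneadd west.contoso.com /dsprimary /dp /forest

# Secondary zone: a file-backed copy transferred from the master at 172.20.2.1.
# It cannot be AD-integrated, as Table 1 notes.
dnscmd $Dns /zoneadd partner.example /secondary 172.20.2.1

# Stub zone for a child domain hosted elsewhere: only the records needed to
# find east.contoso.com's authoritative servers are kept, refreshed from 172.20.3.1.
dnscmd $Dns /zoneadd east.contoso.com /dsstub 172.20.3.1 /dp /forest

# Reverse lookup zone for 172.20.1.0/24, holding the PTR records.
dnscmd $Dns /zoneadd 1.20.172.in-addr.arpa /dsprimary /dp /forest

# GlobalNames: enable support on this server (repeat on every authoritative
# Windows Server 2008 DNS server), create the zone with that exact name,
# forest-wide, and add a CNAME for the single-label name "intranet".
dnscmd $Dns /config /enableglobalnamessupport 1
dnscmd $Dns /zoneadd GlobalNames /dsprimary /dp /forest
dnscmd $Dns /recordadd GlobalNames intranet CNAME web1.west.contoso.com

# Dynamic updates are not supported in GlobalNames; turning them off means a
# client cannot register a record that would shadow a managed server name.
dnscmd $Dns /config GlobalNames /allowupdate 0

# Checks: the zone list, and the single-label name resolving via GlobalNames.
dnscmd $Dns /enumzones
nslookup intranet $Dns
```

The /allowupdate 0 line is the defensive detail worth keeping: a GlobalNames zone left open to dynamic updates would let any domain member register a single-label name that every client in the forest resolves.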


    Windows Server 2008 Available Domain and Forest Functional Levels

    Windows Server 2008 has changed the functional level at which Windows Server can function. Now, the minimum level is Windows Server 2000 and the maximum is Windows Server 2008. Mixed mode is no longer available. Table 2 outlines these changes:

    Table 2: Domain functional levels

    Domain functional level: Windows 2000 Native
    Available features: all of the default AD DS features and the following directory features are available:
    - Universal groups for distribution and security.
    - Group nesting.
    - Group conversion between security and distribution groups.
    - Security identifier (SID) history.
    Supported domain controller operating systems: Windows 2000, Windows Server 2003, Windows Server 2008

    Domain functional level: Windows Server 2003
    Available features: all the default AD DS features, all the features that are available at the Windows 2000 native domain functional level, and the following features are available:
    - Netdom.exe
    - Logon time-stamp updates.
    - Able to set the userPassword attribute as the effective password on inetOrgPerson and user objects.
    - Able to redirect Users and Computers containers.
    - Authorization Manager is able to store its authorization policies in AD DS.
    - Constrained delegation.
    - Selective authentication.
    Supported domain controller operating systems: Windows Server 2003, Windows Server 2008

    Domain functional level: Windows Server 2008
    Available features: all of the default AD DS features, all of the features from the Windows Server 2003 domain functional level, and the following features are available:
    - Distributed File System (DFS) replication support for the Windows Server 2003 System Volume (SYSVOL).
    - Advanced Encryption Standard (AES 128 and AES 256) support for Kerberos.
    - Last Interactive Logon Information.
    - Fine-grained password policies.
    Supported domain controller operating systems: Windows Server 2008
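Before relying on any feature in the Windows Server 2008 row of Table 2, the level actually in force should be checked rather than assumed. The script below is an added example, not part of the LearnSmart guide: it reads the domainFunctionality, forestFunctionality and domainControllerFunctionality values that every domain controller publishes on rootDSE, maps them to the level names used in Table 2, and answers whether a Windows Server 2008 domain-level feature such as fine-grained password policies can be used. It assumes nothing but a domain-joined machine; the function names are the example's own.

```powershell
# Added example, not from the LearnSmart guide. Runs as-is on any
# domain-joined machine; rootDSE needs no credentials beyond the logon.

function Get-AdFunctionalLevel {
    $root = [ADSI]"LDAP://RootDSE"
    # rootDSE values: 0 = Windows 2000, 1 = Windows Server 2003 interim,
    # 2 = Windows Server 2003, 3 = Windows Server 2008 (Table 2 levels).
    $names = @{ 0 = "Windows 2000"; 1 = "Windows Server 2003 interim";
                2 = "Windows Server 2003"; 3 = "Windows Server 2008" }
    $domain = [int][string]$root.psbase.Properties["domainFunctionality"].Value
    $forest = [int][string]$root.psbase.Properties["forestFunctionality"].Value
    $dc     = [int][string]$root.psbase.Properties["domainControllerFunctionality"].Value

    # Levels newer than this guide report a higher number; label them honestly.
    function Name-Of([int]$v) {
        if ($names.ContainsKey($v)) { return $names[$v] }
        return "level $v (newer than Windows Server 2008)"
    }
    New-Object PSObject -Property @{
        DomainLevel      = (Name-Of $domain)
        ForestLevel      = (Name-Of $forest)
        DcLevel          = (Name-Of $dc)
        DomainLevelValue = $domain
        ForestLevelValue = $forest
    }
}

function Test-Server2008DomainFeature {
    # Fine-grained password policies, AES for Kerberos, DFS-R SYSVOL and last
    # interactive logon information (Table 2) all need value 3 on the domain.
    $level = Get-AdFunctionalLevel
    return ($level.DomainLevelValue -ge 3)
}

Get-AdFunctionalLevel | Format-List
if (Test-Server2008DomainFeature) {
    "Windows Server 2008 domain-level features are available"
} else {
    "Raise the domain functional level before relying on Windows Server 2008 features"
}
```

The domain value is the one that gates the Table 2 features; the forest value matters for forest-wide changes, and the DC value only tells you what the server you happened to bind to could support.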


    Network Design

    Part of the process of designing a functioning Windows Server 2008 network is to pick an appropriate design for your network. With Windows Server 2008 we are really limited to two appropriate logical topologies in order to maximize network bandwidth. These two topologies are the Star and Mesh topology.

    Star Topology: The Star topology is focused around a central network device, such as a switch or a router, and then extends out to external computers. With Windows Server 2008, this can even be a server running Windows Server 2008.

    Mesh Topology: A Mesh topology is a completely linked logical topology that is designed to provide redundancy in the case of the failure of one or two links connecting different computers. This is the preferred method for Windows Server 2008.

    Forest Trusts

    With Windows Server 2008 there are several different types of Domain and Forest trusts that we can choose from. In short, the following 5 diagrams here will summarize the different types available, as well as their advantages and disadvantages.

    One-Way Trust

    [Figure: Preplogic.com (with child domains Sales.Preplogic.com and Adv.Preplogic.com) and Cramsession.com (with child domains Sales.Cramsession.com and Adv.Cramsession.com), connected by a one-way trust pointing toward Cramsession.com.]

    A one-way trust exists between either two forests or two domains and signifies a ONE-WAY trust between those forests or domains. In other words, the forest trust exists in a single direction. In the above example, LearnSmart.com would trust Cramsession.com because the forest trust points toward Cramsession. It's basically saying "I trust this!"


    Two-Way Trust

    [Figure: Preplogic.com (Sales.Preplogic.com, Adv.Preplogic.com) and Cramsession.com (Sales.Cramsession.com, Adv.Cramsession.com) connected by a two-way trust.]

    In a TWO-WAY trust, the trusts that exist between two forests or two domains exist in both directions. Technically, a two-way trust is effectively two one-way trusts. One forest says "I trust this" and the other forest says "I trust this."

    Transitive Trust and Non-Transitive Trust

    [Figure: two diagrams of Preplogic.com (Sales.Preplogic.com, Adv.Preplogic.com) and Cramsession.com (Sales.Cramsession.com, Adv.Cramsession.com), one labelled Transitive Trust and one labelled Non-Transitive Trust.]

    Trusts in Windows Server 2008 farms (or earlier versions of Windows Server supporting Windows Active Directory) can exist in two forms: Transitive and Non-Transitive. With a non-transitive trust, the trust exists solely between two domains and doesn't necessarily extend to other domains. In the case above, PrepLogic.com trusts Cramsession.com, but the subdomains Sales.Preplogic.com and Adv.Preplogic.com do not trust Cramsession.com.

    Using a Transitive Trust, Windows Server 2008 replicates this trust to all subdomains so that they trust each other as well as their parents. This method is used so domains do not have to be given explicit permission, but rather inherit it automatically.


    Additional Trust Types

    Windows Server 2008 supports various trust types that can be used with infrastructures that do not support Active Directory. Namely, Windows Server 2008 supports External and Realm trusts. These two different types of trusts are used to support the UNIX and Windows NT4 (pre-Active-Directory) infrastructure. This allows an administrator to conveniently add in detail that isn't normally associated with Windows Active Directory with very little administrative effort.

    [Figure: Realm Trust between Windows Server 2008 and UNIX; External Trust between Windows Server 2008 and Windows NT4.]

    Windows Server 2008 Terminal Services

    Arguably Windows Server 2008's most powerful feature is its robust set of Terminal Services and Application Virtualization utilities, such as Remote Desktop, Application Virtualization, and Easy Print.

    Remote Desktop

    [Figure: applications sent from a Windows Server 2008 Terminal Server to clients.]

    The simplest form of Terminal Services is Remote Desktop, which is an easy way of accessing a standard user's desktop over the TCP/IP protocol in a secure manner.

    NOTE: Remote Desktop uses TCP/IP Port 3389.


    Application Virtualization

    [Figure: a calculator application running on a Windows Server 2008 server, displayed on a Windows Vista client through Terminal Services.]

    Application Virtualization is the concept of fooling a user into believing that an application is actually being run on their own local machine, when it is actually being run on a remote server. In the above diagram, a calculator application is being run on our Windows Server 2008 server and then being accessed via Terminal Services by the client using Windows Vista.

    The Windows Server 2008 Hypervisor

    Using Windows Server 2008 Hyper-V, Windows Server 2008 can virtually emulate various operating systems produced both by Microsoft and other vendors at the hardware level through the use of virtualization technology that divides processors into logical units, as shown in the diagram below.

    [Figure: one physical CPU divided into VCPU1 and VCPU2, each serving a virtual machine: one running Server 2008 and one running SUSE Linux.]

    Using Hyper-V, Windows Server 2008 can divide a single CPU, or even multiple CPUs, into dedicated logical units. These virtual processors are divided between each other, running separate threads that stay completely apart. This way, multiple processors can have complete access to hardware components without interfering with the overall architecture of the platform.


    Easy Print

    One of the new features of Windows Server 2008 is Easy Print. Before Easy Print, if a user was connected to an application through Terminal Services and pressed the print button, they may have accidentally caused the terminal server's printer to print, instead of their local printer. Now, instead of this occurring, Easy Print ensures that only the locally attached user printer will print.

    In the diagram below, the user requests the server to print and the server tells the computer on the local user's network to print. To the user, it's as easy as simply pressing the Print button.

    [Figure: the user's "Print!" request travels over the Internet to the server, and the print job comes back over the Internet to the printer on the user's local network.]


    Preparing a Forest for Windows Server 2008

    When you decide to use Windows Server 2008 in a currently running environment, you're required to prepare the rest of your Windows Servers for the reception of a new Windows Server. The way this is achieved is by using a standard command, provided by Microsoft with official documentation. This command is adprep.

    ADprep parameters

    /forestprep: This switch, combined with the Adprep command, prepares a forest for the introduction of a domain controller that runs Windows Server 2008. You run this command only once in the forest. You must run this command on the domain controller that holds the schema operations master role (also known as flexible single master operations or FSMO) for the forest. You must be a member of all the following groups to run this command:
    - The Enterprise Admins group
    - The Schema Admins group
    - The Domain Admins group of the domain that hosts the schema master

    /domainprep: Prepares a domain for the introduction of a domain controller that runs Windows Server 2008. You run this command after the forestprep command finishes and after the changes replicate to all the domain controllers in the forest. Run this command in each domain where you plan to add a domain controller that runs Windows Server 2008. You must run this command on the domain controller that holds the infrastructure operations master role for the domain. You must be a member of the Domain Admins group to run this command.

    /domainprep /gpprep: Performs similar updates as domainprep. However, this command also provides updates that are necessary to enable Resultant Set of Policy (RSOP) Planning Mode functionality.

    /rodcprep: Updates permissions on application directory partitions to enable replication of the partitions to read-only domain controllers (RODCs). This operation runs remotely; it contacts the infrastructure master in each domain to update the permissions. You need to run this command only once in the forest. However, you can rerun this command any time if it fails to complete successfully because an infrastructure master is not available. You can run this command on any computer in the forest. You must be a member of the Enterprise Admins group to run this command.

    /wssg: Returns an expanded set of exit codes, instead of just 0 (Success) and 1 (Failure).

    /silent: Specifies that no standard output is returned from an operation. This parameter can be used only if /wssg is also used.

    quit: Returns to the prior menu.

    Help: Displays Help for this command.

    ?: Displays Help for this command.
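The /forestprep row above carries two preconditions that are easy to get wrong on a busy night: the command must run on the schema master, and the token running it must carry Enterprise Admins, Schema Admins and the Domain Admins group of the schema master's domain. The script below is an added example, not part of the LearnSmart guide: it locates the schema master from the fSMORoleOwner attribute of the schema naming context, refuses to continue on any other host or with missing group memberships, and then runs adprep /forestprep with /wssg so that the exit code is more informative than 0 or 1. The media path D:\sources\adprep\adprep.exe is an assumption (adprep ships under \sources\adprep on the Windows Server 2008 media); the function names are the example's own.

```powershell
# Added example, not from the LearnSmart guide. Constructed assumption: the
# Windows Server 2008 media is mounted as D:.

function Get-SchemaMaster {
    $root   = [ADSI]"LDAP://RootDSE"
    $schema = [ADSI]"LDAP://$($root.psbase.Properties['schemaNamingContext'].Value)"
    # fSMORoleOwner on the schema naming context is the DN of the role holder's
    # NTDS Settings object; its parent is the server object, whose dNSHostName
    # is the DC's FQDN.
    $ntds   = [ADSI]"LDAP://$($schema.psbase.Properties['fSMORoleOwner'].Value)"
    $server = $ntds.psbase.Parent
    return [string]$server.psbase.Properties["dNSHostName"].Value
}

function Get-MissingAdprepGroups {
    # whoami /groups lists the groups in the current token. The Domain Admins
    # check is approximate: it cannot tell which domain's group is present.
    $token = whoami /groups
    $required = @("Enterprise Admins", "Schema Admins", "Domain Admins")
    return @($required | Where-Object { -not ($token | Select-String -SimpleMatch $_) })
}

function Invoke-ForestPrep {
    param([string]$AdprepPath = "D:\sources\adprep\adprep.exe")

    $holder = Get-SchemaMaster
    $me = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    if ($holder -ne $me) {
        throw "forestprep must run on the schema master ($holder); this host is $me"
    }
    $missing = Get-MissingAdprepGroups
    if ($missing.Count -gt 0) {
        throw "The current token lacks: $($missing -join ', ')"
    }

    # /wssg replaces the bare 0/1 result with an expanded set of exit codes,
    # so a partially applied schema update is distinguishable from a clean run.
    & $AdprepPath /forestprep /wssg
    $code = $LASTEXITCODE
    if ($code -ne 0) {
        Write-Warning "adprep /forestprep exited with $code; read the log under $env:windir\debug\adprep\logs before running /domainprep"
    }
    return $code
}

Invoke-ForestPrep
```

Only exit code 0 means the forest is prepared; anything else should stop the rollout until the adprep log has been read, because /domainprep must not run until the forestprep changes have replicated to every DC.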


Configuring Active Directory Certificate Services

Obviously, one of the most important parts of Windows architecture is the Public Key Infrastructure. Using Windows Server 2008, we can use the Active Directory Certificate Services to set up our server as a certificate authority that can issue certificates to users, as well as several other important key functions. The manner in which this is done has changed in Windows Server 2008, but we've outlined it here in this section of the reference guide.

Install Active Directory Certificate Services

Follow the steps below to install an enterprise root CA:

1. Click Start; point to Administrative Tools, and click Server Manager.

2. In the Roles Summary section, click Add roles.

3. On the Select Server Roles page, select the Active Directory Certificate Services check box. Click Next two times.

4. On the Select Role Services page, select the Certification Authority check box, and click Next.

5. On the Specify Setup Type page, click Enterprise, and then click Next.

6. On the Specify CA Type page, click Root CA, and then click Next.

7. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional settings, including cryptographic service providers. Click Next.

8. In the Common name for this CA box, type the common name of the CA, and click Next.

9. On the Set the Certificate Validity Period page, accept the default validity duration for the root CA or specify a different duration, and click Next.

10. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and click Next.

11. After verifying the information on the Confirm Installation Options page, click Install.

Follow the steps below to install a stand-alone root CA:

1. Click Start; point to Administrative Tools, and click Server Manager.

2. In the Roles Summary section, click Add roles.

3. On the Select Role Services page, select the Certification Authority check box, and click Next.

4. On the Specify Setup Type page, click Standalone, and then click Next.

5. On the Specify CA Type page, click Root CA, and then click Next.

6. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional settings, including cryptographic service providers. Click Next.

7. In the Common name for this CA box, type the common name of the CA, and click Next.

8. On the Set the Certificate Validity Period page, accept the default validity duration for the root CA, and click Next.

9. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and click Next.

10. After verifying the information on the Confirm Installation Options page, click Install.

Follow the steps below to set up a subordinate issuing CA:

1. Click Start; point to Administrative Tools, and click Server Manager.

2. In the Roles Summary section, click Add roles.

3. On the Select Role Services page, select the Certification Authority check box, and click Next.

4. On the Specify Setup Type page, click Standalone or Enterprise, and then click Next.

5. On the Specify CA Type page, click Subordinate CA, and then click Next.

6. On the Set Up Private Key and Configure Cryptography for CA pages, you can configure optional settings, including cryptographic service providers. Click Next.

7. On the Request Certificate page, browse to locate the root CA, or if the root CA is not connected to the network, save the certificate request to a file so that it can be processed later. Click Next.


The subordinate CA setup will not be usable until it has been issued a root CA certificate and this certificate has been used to complete the installation of the subordinate CA.

8. In the Common name for this CA box, type the common name of the CA.

9. On the Set the Certificate Validity Period page, accept the default validity duration for the CA, and click Next.

10. On the Configure Certificate Database page, accept the default values or specify other storage locations for the certificate database and the certificate database log, and click Next.

11. After verifying the information on the Confirm Installation Options page, click Install.

Configure CA server settings

The basic steps for configuring a CA for key archival are:

1. Create a key recovery agent account or designate an existing user to serve as the key recovery agent.

2. Configure the key recovery agent certificate template and enroll the key recovery agent for a key recovery agent certificate.

3. Register the new key recovery agent with the CA.

4. Configure a certificate template, such as Basic EFS, for key archival, and enroll users for the new certificate. If users already have EFS certificates, ensure that the new certificate will supersede the certificate that does not include key archival.

5. Enroll users for encryption certificates based on the new certificate template.

Users are not protected by key archival until they have enrolled for a certificate that has key recovery enabled. If they have certificates that were issued before key recovery was enabled, data encrypted with these certificates will not be covered by key archival.

Follow the steps below to back up a CA by using the Certification Authority snap-in:

1. Open the Certification Authority snap-in.

2. In the console tree, click the name of the CA.

3. On the Action menu, point to All Tasks, and click Back Up CA.

4. Follow the instructions in the CA Backup Wizard.

Follow the steps below to back up a CA by using the Certutil command-line tool:

1. Open a command prompt.

2. Type certutil -backup BackupDirectory, where BackupDirectory is the path used to store the backup data.

3. Press Enter.

Follow the steps below to restore a CA from a backup copy by using the Certification Authority snap-in:

1. Open the Certification Authority snap-in.

2. In the console tree, click the name of the CA.

3. On the Action menu, point to All Tasks, and click Restore CA.

4. Follow the instructions in the Certification Authority Restore Wizard.

Follow the steps below to restore a CA by using the Certutil command-line tool:

1. Open a command prompt.

2. Type certutil -restore BackupDirectory, where BackupDirectory specifies the path where the backup data is located.

3. Press Enter.
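The certutil backup step above is the one worth scripting, because a CA backup contains the CA's private key. The PowerShell below is an added example (not from the LearnSmart guide) that wraps certutil -backup in a timestamped, password-protected run and checks that the key file and database actually landed; the backup root is a placeholder and it assumes it runs on the CA with backup rights.

```powershell
# Added example: scripted CA backup with certutil -backup. The -p option protects
# the exported CA certificate/private key (.p12) with a password; the database
# and its logs land in the DataBase subfolder of the backup directory.
$backupRoot = 'D:\CABackup'                                   # placeholder root
$keyPassword = Read-Host 'Password to protect the exported CA key'

function Backup-CA {
    param([string]$Root, [string]$KeyPassword)
    # certutil expects a new or empty directory, so create a fresh one per run.
    $dir = Join-Path $Root (Get-Date -Format 'yyyyMMdd-HHmm')
    New-Item -ItemType Directory -Path $dir | Out-Null
    & certutil -p $KeyPassword -backup $dir | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -backup failed with exit code $LASTEXITCODE"
    }
    return $dir
}

function Test-CABackup {
    # A complete backup has the .p12 (CA cert + key) and the .edb database file;
    # a restore without either one fails, so catch that now, not during recovery.
    param([string]$Dir)
    $p12 = Get-ChildItem -Path $Dir -Filter '*.p12' -ErrorAction SilentlyContinue
    $edb = Get-ChildItem -Path (Join-Path $Dir 'DataBase') -Filter '*.edb' -ErrorAction SilentlyContinue
    return (($p12 -ne $null) -and ($edb -ne $null))
}

$dir = Backup-CA -Root $backupRoot -KeyPassword $keyPassword
if (-not (Test-CABackup $dir)) { throw "Backup in $dir is incomplete" }
"CA backup written to $dir; store it where only CA administrators can read it."

# The restore on the replacement server (same CA name) is the mirror image and
# needs the service stopped:   net stop certsvc
#                              certutil -p <password> -restore <BackupDirectory>
#                              net start certsvc
```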


Manage certificate templates

The following table lists and defines the different certificate templates available in Windows Server 2008. Each entry gives the template name, its description, its key usage, and the applications used for extended key usage (EKU):

Administrator: Allows trust list signing and user authentication. Key usage: Signature and encryption. EKU: Microsoft Trust List Signing, EFS, Secure Email, Client Authentication.

Authenticated Session: Allows subject to authenticate to a Web server. Key usage: Signature. EKU: Client Authentication.

Basic EFS: Used by Encrypting File System (EFS) to encrypt data. Key usage: Encryption. EKU: EFS.

CA Exchange: Used to protect private keys as they are sent to the CA for private key archival. Key usage: Encryption. EKU: Private Key Archival.

CEP Encryption: Allows the holder to act as a registration authority (RA) for simple certificate enrollment protocol (SCEP) requests. (The Windows Server 2008 NDES uses this template, by default, for its key exchange certificate to keep communications with devices secret.) Key usage: Encryption. EKU: Certificate Request Agent.

Code Signing: Used to digitally sign software. Key usage: Signature. EKU: Code Signing.

Computer: Allows a computer to authenticate itself on the network. Key usage: Signature and encryption. EKU: Client Authentication, Server Authentication.

Cross-Certification Authority: Used for cross-certification and qualified subordination. Key usage: Signature. EKU: Certificate signing, CRL signing.

Directory E-mail Replication: Used to replicate e-mail within Active Directory. Key usage: Signature and encryption. EKU: Directory Service E-mail Replication.

Domain Controller: All-purpose certificates used by domain controllers (superseded by two separate templates: Domain Controller Authentication and Directory E-mail Replication). Key usage: Signature and encryption. EKU: Client Authentication, Server Authentication.

Domain Controller Authentication: Used to authenticate Active Directory computers and users. Key usage: Signature and encryption. EKU: Client Authentication, Server Authentication, Smart Card Logon.

EFS Recovery Agent: Allows the subject to decrypt files previously encrypted with EFS. Key usage: Encryption. EKU: File Recovery.

Enrollment Agent: Used to request certificates on behalf of another subject. Key usage: Signature. EKU: Certificate Request Agent.

Enrollment Agent (Computer): Used to request certificates on behalf of another computer subject. Key usage: Signature. EKU: Certificate Request Agent.


Exchange Enrollment Agent (Offline request): Used to request certificates on behalf of another subject and supply the subject name in the request. (The Windows Server 2008 NDES uses this template for its enrollment agent certificate, by default.) Key usage: Signature. EKU: Certificate Request Agent.

Exchange Signature Only: Used by Microsoft Exchange Key Management Service to issue certificates to Exchange users for digitally signing e-mail. Key usage: Signature. EKU: Secure E-mail.

Exchange User: Used by Exchange Key Management Service to issue certificates to Exchange users for encrypting e-mail. Key usage: Encryption. EKU: Secure E-mail.

IPSec: Used by IPSec to digitally sign, encrypt, and decrypt network communication. Key usage: Signature and encryption. EKU: IPSec Internet Key Exchange (IKE) intermediate.

IPSec (Offline request): Used by IPSec to digitally sign, encrypt, and decrypt network communication when the subject name is supplied in the request. (The Windows Server 2008 SCEP service uses this template, by default, for device certificates.) Key usage: Signature and encryption. EKU: IPSec IKE intermediate.

Kerberos Authentication: New in Windows Server 2008, this template is similar to the Domain Controller Authentication template and offers enhanced security capabilities for Windows Server 2008 domain controllers authenticating Active Directory users and computers. Key usage: Signature and encryption. EKU: Client Authentication, Server Authentication, Smart Card Logon, KDC Authentication.

Key Recovery Agent (KRA): Recovers private keys that are archived on the CA. Key usage: Encryption. EKU: Key Recovery Agent.

OCSP Response Signing: New in Windows Server 2008, this template issues certificates used by the OCSP Service Provider to sign OCSP responses. (By default, these certificates contain a special OCSP No Revocation Checking extension and no AIA or CDP extensions.) Key usage: Signature. EKU: OCSP Signing.

Remote Access Service (RAS) and Internet Authentication Service (IAS) Server: Enables RAS and IAS servers to authenticate their identity to other computers. Key usage: Signature and encryption. EKU: Client Authentication, Server Authentication.

Root CA: Used to prove the identity of the root CA. Key usage: Signature. EKU: Certificate signing, CRL signing.

Router (Offline request): Used by a router when requested through SCEP from a CA that holds a CEP Encryption certificate. Key usage: Signature and encryption. EKU: Client Authentication.


Smart Card Logon: Allows the holder to authenticate using a smart card. Key usage: Signature and encryption. EKU: Client Authentication, Smart Card Logon.

Smart Card User: Allows the holder to authenticate and protect e-mail using a smart card. Key usage: Signature and encryption. EKU: Secure E-mail, Client Authentication, Smart Card Logon.

Subordinate CA: Used to prove the identity of the subordinate CA. It is issued by the parent or root CA. Key usage: Signature. EKU: Certificate signing, CRL signing.

Trust List Signing: Allows the holder to digitally sign a trust list. Key usage: Signature. EKU: Microsoft Trust List Signing.

User: Used by users for e-mail, EFS, and client authentication. Key usage: Signature and encryption. EKU: EFS, Secure E-mail, Key Usage.

User Signature Only: Allows users to digitally sign data. Key usage: Signature. EKU: Secure E-mail, Client Authentication.

Web Server: Proves the identity of a Web server. Key usage: Signature and encryption. EKU: Server Authentication.

Workstation Authentication: Enables client computers to authenticate their identity to servers. Key usage: Signature and encryption. EKU: Client Authentication.

Follow the steps below to add a certificate template to a CA:

1. Open the Certification Authority snap-in, and double-click the name of the CA.

2. Right-click the Certificate Templates container; click New, and then click Certificate Template to Issue.

3. Select the certificate template, and click OK.

Follow the steps below to set CA administrator and certificate manager security permissions for a CA:

1. Open the Certification Authority snap-in.

2. In the console tree, click the name of the CA.

3. On the Action menu, click Properties.

4. Click the Security tab, and specify the security permissions.

Follow the steps below to define permissions to allow a specific security principal to enroll for certificates based on a certificate template:

1. Log on as a member of the Enterprise Admins or the forest root domain's Domain Admins group, or as a user who has been granted permission to perform this task.

2. Open the Certificate Templates MMC (Certtmpl.msc).

3. In the details pane, right-click the certificate template you want to change, and then click Properties.

4. On the Security tab, ensure that Authenticated users is assigned Read permissions.

This ensures that all authenticated users on the network can see the certificate templates.

5. On the Security tab, click Add. Add a global group or universal group that contains all security principals requiring Enroll permissions for the certificate template, and click OK.

6. On the Security tab, select the newly added security group, and then assign Allow permissions for the Read and Enroll permissions.

7. Click OK.


Follow the steps below to configure a key recovery agent:

1. Log on as Administrator of the server or CA Administrator, if role separation is enabled.

2. On the Administrative Tools menu, open Certification Authority.

3. In the console tree, select the CA.

4. Right-click the CA name, and then click Properties.

5. Click the Recovery Agents tab.

6. To enable key archival, click Archive the key.

7. By default, the CA will only use one KRA. However, a KRA certificate must first be selected for the CA to begin archival. To select a KRA certificate, click Add.

The system will find valid KRA certificates and display the available KRA certificates. KRA certificates are normally published to Active Directory by an Enterprise CA when enrollment occurs. KRA certificates are stored under the KRA container in the Public Key Services branch of the configuration partition in Active Directory. Since a CA may issue multiple KRA certificates, each KRA certificate will be added to the multi-valued userAttribute attribute of the CA object.

8. Select one certificate and click OK. You may view the highlighted certificate to ensure that you have selected the intended certificate.

9. After one or more KRA certificates have been added, click OK to enable key archival on the CA. However, Certificate Services must be stopped and started to enable the use of the selected KRAs. KRA certificates are only processed at service start.

Manage enrollments

Follow the steps below to configure the default action for certificate requests:

1. Open the Certification Authority snap-in.

2. In the console tree, click the name of the CA.

3. On the Action menu, click Properties.

4. On the Policy Module tab, click Properties.

5. Click the option you want:

a. To have the CA administrator review every certificate request before issuing a certificate, click Set the certificate request status to pending.

b. To have the CA issue certificates based on the configuration of the certificate template, click Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.

6. Stop and restart the CA.

Follow the steps below to set up and configure the Network Device Enrollment Service (NDES):

1. Click Start; point to Administrative Tools, and click Server Manager.

2. In the Roles Summary section, click Add roles.

3. On the Select Role Services page, clear the Certification Authority check box, and select Network Device Enrollment Service.

Unless already installed on the selected server, you are prompted to install IIS and Windows Activation Service.

4. Click Add Required Role Services, and then click Next three times.

5. On the Confirm Installation Options page, click Install.

6. When the installation is complete, review the status page to verify that the installation was successful.

7. If this is a new installation with no pending SCEP certificate requests, click Replace existing Registration Authority (RA) certificates, and then click Next.

NOTE: When the Network Device Enrollment Service is installed on a computer where a registration authority already exists, the existing registration authority, and any pending certificate requests, are deleted.


8. On the Specify User Account page, click Select User, and type the user name and password for this account, which the Network Device Enrollment Service will use to authorize certificate requests. Click OK, and then click Next.

9. On the Specify CA page, select either the CA name or Computer name check box; click Browse to locate the CA that will issue the Network Device Enrollment Service certificates, and then click Next.

10. On the Specify Registry Authority Information page, type the computer name in the RA name box. Under Country/region, select the check box for the country/region you are in, and click Next.

11. On the Configure Cryptography page, accept the default values for the signature and encryption keys, and click Next.

12. Review the summary of configuration options, and click Install.

Follow the steps below to configure the autoenrollment options in Group Policy:

1. On a domain controller running Windows Server 2008, click Start; point to Administrative Tools, and click Group Policy Management.

2. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.

3. Right-click the Default Domain Policy GPO, and then click Edit.

4. In the Group Policy Management Console (GPMC), go to User Configuration, Windows Settings, Security Settings, and click Public Key Policies.

5. Double-click Certificate Services Client - Auto-Enrollment.

6. Select the Enroll certificates automatically check box to enable autoenrollment. If you want to block autoenrollment from occurring, select the Do not enroll certificates automatically check box.

7. If you are enabling certificate autoenrollment, you can select the following check boxes:

a. Renew expired certificates, update pending certificates, and remove revoked certificates

b. Update certificates that use certificate templates

8. Click OK to accept your changes.

Follow the steps below to install Web enrollment support:

1. Click Start; point to Administrative Tools, and click Server Manager.

2. Click Manage Roles. Under Active Directory Certificate Services, click Add role services. If a different AD CS role service has already been installed on this computer, select the Active Directory Certificate Services check box in the Role Summary pane, and click Add role services.

3. On the Select Role Services page, select the Certification Authority Web Enrollment Support check box.

4. Click Add required role services, and then click Next.

5. On the Specify CA page, if a CA is not installed on this computer, click Browse to select the CA that you want to associate with Web enrollment; click OK, and then Next.

6. Click Next; review the information listed, and click Next again.

7. On the Confirm Installation Options page, click Install.

8. When the installation is complete, review the status page to verify that the installation was successful.

Follow the steps below to configure an Enterprise CA to issue a KRA certificate for use with smart card enrollment:

1. On the Administrative Tools menu, open the Certification Authority snap-in.

2. In the console tree, expand Certification Authority, and click Certificate Templates.

3. Right-click the Certificate Templates node; click New, and then click Certificate Template to Issue.

4. In the Select Certificate Template dialog box, click Key Recovery Agent, and then click OK.

5. Close the Certification Authority MMC snap-in.


Manage certificate revocations

Follow the steps below to install the Online Responder:

1. Ensure that IIS has already been installed on the Windows Server 2008 computer.

2. Click Start; point to Administrative Tools, and click Server Manager.

3. Click Manage Roles. In the Active Directory Certificate Services section, click Add role services.

4. On the Select Role Services page, select the Online Responder check box.

5. You are prompted to install IIS and Windows Activation Service.

6. Click Add Required Role Services, and then click Next three times.

7. On the Confirm Installation Options page, click Install.

Follow the steps below to configure the CA for OCSP Response Signing certificates:

1. Log on to the server as a CA administrator.

2. Open the Certificate Templates snap-in.

3. Right-click the OCSP Response Signing template, and then click Duplicate Template.

4. Type a new name for the duplicated template.

5. Right-click the new certificate template, and then click Properties.

6. Click the Security tab. Under Group or user name, click Add, and type the name or browse to select the computer that will be hosting the Online Responder service.

7. Click the computer name, and in the Permissions dialog box, select the Read and Autoenroll check boxes.

8. While you have the Certificate Templates snap-in open, you can configure certificate templates for users and computers by substituting the desired templates in step 3, and repeating steps 4 through 7 to configure additional permissions for the server and your user accounts.

Follow the steps below to configure a CA to support the Online Responder service:

1. Open the Certification Authority snap-in.

2. In the console tree, click the name of the CA.

3. On the Action menu, click Properties.

4. Click the Extensions tab. In the Select extension list, click Authority Information Access (AIA).

5. Select the Include in the AIA extension of issued certificates and Include in the online certificate status protocol (OCSP) extension check boxes.

6. Specify the locations from which users can obtain certificate revocation data.

7. In the console tree of the Certification Authority snap-in, right-click Certificate Templates; click New, and then click Certificate Template to Issue.


8. In Enable Certificate Templates, select the OCSP Response Signing template and any other certificate templates that you configured previously, and click OK.

9. Open Certificate Templates, and verify that the modified certificate templates appear in the list.

Follow the steps below to create a revocation configuration:

1. Open the Online Responder snap-in.

2. In the Actions pane, click Add Revocation Configuration to start the Add Revocation Configuration wizard, and then click Next.

3. On the Name the Revocation Configuration page, type a name for the revocation configuration, and click Next.

4. On the Select CA Certificate Location page, click Select a certificate from an existing enterprise CA, and then click Next.

5. On the following page, the name of the CA should appear in the Browse CA certificates published in Active Directory box.

a. If it appears, click the name of the CA that you want to associate with your revocation configuration, and then click Next.

b. If it does not appear, click Browse for a CA by Computer name and type the name of the computer, or click Browse to locate this computer. When you have located the computer, click Next.

c. You might also be able to link to the CA certificate from the local certificate store or by importing it from removable media in step 4.

6. View the certificate and copy the CRL distribution point for the parent root CA. To do this:

1. Open the Certificate Services snap-in. Select an issued certificate.

2. Double-click the certificate, and then click the Details tab.

3. Scroll down and select the CRL Distribution Points field.

4. Select and copy the URL for the CRL distribution point that you want to use.

5. Click OK.

7. On the Select Signing Certificate page, accept the default option, Automatically select signing certificate, and click Next.

8. On the Revocation Provider page, click Provider.

9. On the Revocation Provider Properties page, click Add; enter the URL of the CRL distribution point, and click OK.

10. Click Finish.

11. Using the Online Responder snap-in, select the revocation configuration, and then examine the status information to verify that it is functioning properly. You should also be able to examine the properties of the signing certificate to verify that the Online Responder is configured properly.

Follow the steps below to revoke a certificate:

1. Open the Certification Authority snap-in.

2. In the console tree, click Issued Certificates.

3. In the details pane, click the certificate you want to revoke.

4. On the Action menu, point to All Tasks, and click Revoke Certificate.

5. Select the reason for revoking the certificate; adjust the time of the revocation, if necessary, and then click Yes. Available reason codes are:

a. Unspecified

b. Key Compromise

c. CA Compromise

d. Change of Affiliation

e. Superseded

f. Cease of Operation

g. Certificate Hold. This is the only reason code that can be used when you might want to unrevoke the certificate in the future.
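The same revocation can be driven from the command line with certutil, which takes the reason codes listed above as numbers. The PowerShell below is an added example (not from the LearnSmart guide) that maps those reasons, revokes by serial number, publishes a new CRL so relying parties and the Online Responder see the change, and shows the one reversible case (Certificate Hold); it assumes it runs on the issuing CA as a certificate manager, and the serial number is a constructed placeholder.

```powershell
# Added example: revoke with certutil using the snap-in's reason codes.
# certutil -revoke takes the numeric code; only CertificateHold (6) can be
# reversed later, which certutil exposes as the special reason "Unrevoke".
$reasonCodes = @{
    'Unspecified'          = 0
    'KeyCompromise'        = 1
    'CACompromise'         = 2
    'AffiliationChanged'   = 3
    'Superseded'           = 4
    'CessationOfOperation' = 5
    'CertificateHold'      = 6
}

function Publish-CRL {
    # A revocation is invisible to clients until a CRL is published (the Online
    # Responder also serves from the CRL it fetches), so publish immediately.
    & certutil -crl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -crl failed ($LASTEXITCODE)" }
}

function Revoke-IssuedCertificate {
    param([string]$SerialNumber, [string]$Reason)
    if (-not $reasonCodes.ContainsKey($Reason)) {
        throw "Unknown reason '$Reason'; use one of: $($reasonCodes.Keys -join ', ')"
    }
    & certutil -revoke $SerialNumber $reasonCodes[$Reason] | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -revoke failed ($LASTEXITCODE)" }
    Publish-CRL
}

function Restore-HeldCertificate {
    # Undo a CertificateHold. certutil rejects this for any other reason code,
    # which is exactly the "only reversible reason" rule stated above.
    param([string]$SerialNumber)
    & certutil -revoke $SerialNumber Unrevoke | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Unrevoke failed ($LASTEXITCODE); only certificates on hold can be unrevoked"
    }
    Publish-CRL
}

function Get-RevokedCertificates {
    # Disposition 21 marks revoked rows in the CA database (20 = issued).
    & certutil -view -restrict 'Disposition=21' -out 'RequestID,SerialNumber,NotAfter'
}

# Constructed placeholder serial; take a real one from Issued Certificates.
Revoke-IssuedCertificate -SerialNumber '1a2b3c4d000000000005' -Reason 'KeyCompromise'
Get-RevokedCertificates
```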


Follow the steps below to configure the Authority Information Access (AIA) extension:

1. Open the Certification Authority snap-in; right-click the name of the issuing CA, and then click Properties.

2. Click the Extensions tab.

3. In the Select extension list, click Authority Information Access (AIA), and then click Add.

4. In the Add Location dialog box, type the full URL of the Online Responder, which should be in the following form: http:///

NOTE: When installing the Online Responder, the default virtual directory used in IIS is OCSP.

5. Click OK.

6. Select the location from the Location list.

7. Select the Include in the online certificate status protocol (OCSP) extension check box, and click OK.

RepAdmin

Parameter Description

Repadmin /kcc Forces the Knowledge Consistency Checker (KCC) on targeted domain controllers to immediately recalculate the inbound replication topology.

Repadmin /prp Specifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs).

Repadmin /queue Displays inbound replication requests that the domain controller must issue to become consistent with its source replication partners.

Repadmin /replicate Triggers the immediate replication of the specified directory partition to a destination domain controller from a source domain controller.

Repadmin /replsingleobj Replicates a single object between any two domain controllers that have common directory partitions.

Repadmin /replsummary Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes the results in a report.

Repadmin /rodcpwdrepl Triggers replication of passwords for the specified users from the source domain controller to one or more read-only domain controllers. (The source domain controller is typically a hub site domain controller.)

Repadmin /showattr Displays the attributes of an object.

Repadmin /showobjmeta Displays the replication metadata for a specified object that is stored in AD DS, such as attribute ID, version number, originating and local update sequence numbers (USNs), globally unique identifier (GUID) of the originating server, and date and time stamp.

Repadmin /showrepl Displays the replication status when the specified domain controller last attempted to perform inbound replication on Active Directory partitions.

Repadmin /showutdvec Displays the highest committed USN that AD DS, on the targeted domain controller, shows as committed for itself and its transitive partners.

Repadmin /syncall Synchronizes a specified domain controller with all replication partners.
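Of the switches above, /showrepl is the one to automate: with /csv it emits one row per inbound replication link, which makes failed partners easy to filter. The PowerShell below is an added example (not from the LearnSmart guide) that does that filtering, the check to run before adprep's forestprep-then-domainprep sequence and whenever a DC or RODC stops receiving changes; it assumes repadmin.exe is on the path and the caller may query every DC.

```powershell
# Added example: parse "repadmin /showrepl <target> /csv" and report links with
# failures. The CSV columns used below are the ones repadmin /csv emits.
function Get-ReplicationFailures {
    param([string]$Target = '*')   # '*' queries every DC in the forest
    $rows = repadmin /showrepl $Target /csv | ConvertFrom-Csv
    $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time',
                      'Last Failure Status', 'Last Success Time'
}

function Test-ReplicationHealthy {
    # $true when no inbound link on any queried DC reports a failure.
    param([string]$Target = '*')
    $failures = @(Get-ReplicationFailures -Target $Target)
    return ($failures.Count -eq 0)
}

$failures = @(Get-ReplicationFailures)
if ($failures.Count -gt 0) {
    # "Last Failure Status" is the Win32 error code for the last attempt, e.g.
    # 8453 (replication access was denied) or 1722 (RPC server is unavailable);
    # "Last Success Time" shows how long the partner has been stale.
    $failures | Format-Table -AutoSize
} else {
    'All inbound replication links succeeded.'
}
```

Pair it with repadmin /replsummary for the forest-wide percentage view of the same data.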


    MountVol

    Parameter Description

    [<drive>:]<path> Specifies the existing NTFS directory where the mount point will reside.

    <volumename> Specifies the volume name that is the target of the mount point. The volume name uses the following syntax, where GUID is a globally unique identifier: \\?\Volume{GUID}\ The brackets { } are required.

    /d Removes the volume mount point from the specified folder.

    /l Lists the mounted volume name for the specified folder.

    /p Removes the volume mount point from the specified directory, dismounts the basic volume, and takes the basic volume offline, making it unmountable. If other processes are using the volume, mountvol closes any open handles before dismounting the volume.

    /r Removes volume mount point directories and registry settings for volumes that are no longer in the system, preventing them from being automatically mounted and given their former volume mount point(s) when added back to the system.

    /n Disables automatic mounting of new basic volumes. New volumes are not mounted automatically when added to the system.

    /e Re-enables automatic mounting of new basic volumes.

    /s Mounts the EFI system partition on the specified drive. Available on Itanium-based computers only.

    /? Displays help at the command prompt.

    Mount

    Term Definition

    -o rsize= Sets the size in kilobytes of the read buffer. Acceptable values are 1, 2, 4, 8, 16, and 32; the default is 32 KB.

    -o wsize= Sets the size in kilobytes of the write buffer. Acceptable values are 1, 2, 4, 8, 16, and 32; the default is 32 KB.

    -o timeout= Sets the time-out value in seconds for a remote procedure call (RPC). Acceptable values are 0.8, 0.9, and any integer in the range 1-60; the default is 0.8.

    -o retry= Sets the number of retries for a soft mount. Acceptable values are integers in the range 1-10; the default is 1.

    -o mtype={soft | hard} Sets the mount type (default is soft). Regardless of the mount type, mount will return if it cannot immediately mount the share. Once the share has been successfully mounted, however, if the mount type is hard, Client for NFS will continue to try to access the share until it is successful. As a result, if the NFS server is unavailable, any Windows program trying to access the share will appear to stop responding, or hang, if the mount type is hard.

    -o anon Mounts as an anonymous user.


    -o nolock Disables locking (default is enabled).

    -o casesensitive Forces file lookups on the server to be case sensitive.

    -o fileaccess=<mode> Specifies the default permission mode of new files created on the NFS share. Specify mode as a three-digit number in the form ogw, where o, g, and w are each a digit representing the access granted the file's owner, group, and the world, respectively. The digits must be in the range 0-7 with the following meaning:

    0: No access

    1: x (execute access)

    2: w (write access)

    3: wx

    4: r (read access)

    5: rx

    6: rw

    7: rwx

    -o lang={euc-jp|euc-tw|euc-kr|shift-jis|big5|ksc5601|gb2312-80|ansi} Specifies the default encoding used for file and directory names and, if used, must be set to one of the following:

    ansi

    big5 (Chinese)

    euc-jp (Japanese)

    euc-kr (Korean)

    euc-tw (Chinese)

    gb2312-80 (Simplified Chinese)

    ksc5601 (Korean)

    shift-jis (Japanese)

    If this option is set to ansi on systems configured for non-English locales, the encoding scheme is set to the default encoding scheme for the locale. The following are the default encoding schemes for the indicated locales:

    Japanese: SHIFT-JIS

    Korean: KS_C_5601-1987

    Simplified Chinese: GB2312-80

    Traditional Chinese: BIG5

    -u:<username> Specifies the user name to use for mounting the share. If username is not preceded by a backslash (\), it is treated as a UNIX user name.

    -p:<password> The password to use for mounting the share. If you use an asterisk (*), you will be prompted for the password.


    DSmod

    Command Description

    Dsmod computer Modifies attributes of one or more existing computers in the directory.

    Dsmod contact Modifies attributes of one or more existing contacts in the directory.

    Dsmod group Modifies attributes of one or more existing groups in the directory.

    Dsmod ou Modifies attributes of one or more existing organizational units (OUs) in the directory.

    Dsmod server Modifies properties of a domain controller.

    Dsmod user Modifies attributes of one or more existing users in the directory.

    Dsmod quota Modifies attributes of one or more existing quota specifications in the directory.

    Dsmod partition Modifies attributes of one or more existing partitions in the directory.

    DCPromo

    Parameter Description

    /answer[:<filename>] Specifies an answer file that contains installation parameters and values.

    /unattend[:<filename>] Specifies an answer file that contains installation parameters and values. This command provides the same function as /answer[:<filename>].

    /unattend Specifies an unattended installation in which you provide installation parameters and values at the command line.

    /adv Performs an install from media (IFM) operation.

    /UninstallBinaries Uninstalls AD DS binaries.

    /CreateDCAccount Creates a read-only domain controller (RODC) account. Only a member of the Domain Admins group or the Enterprise Admins group can run this command.

    /UseExistingAccount:Attach Attaches a server to an existing RODC account. A member of the Domain Admins group or a delegated user can run this command.

    /? Displays Help for Dcpromo parameters.

    /?[:{Promotion | CreateDCAccount | UseExistingAccount | Demotion}] Displays parameters that apply to the dcpromo operation. For example, dcpromo /?:Promotion displays all of the parameters that you can use for a promotion operation.

    More Training for Windows Server 2008

    We hope you've enjoyed your Windows Server 2008 Quick Reference Guide. But the Quick Reference Guide is only the beginning of your Server 2008 training. Microsoft has launched a full complement of certifications for Windows Server 2008. To find out how you can add these certifications to your transcript, contact the Microsoft Career Counselors at LearnSmart. They can help you navigate through the required exams and get the training you need to earn your Windows Server 2008 certifications. To learn more about training for Windows Server 2008, call LearnSmart at 1-800-418-6789.