I was very excited when I started to play around with the first beta versions of Windows Server 2008 and experiment with the latest security improvements. At first, I wanted to start with one of the most basic and important things on this new server: Active Directory. Several security improvements were made related to Active Directory: Read-Only DCs, more group policies, auditing enhancements, etc. After setting up a small lab to check all these features, I finally arrived at another important Active Directory matter: backing up and restoring data from a Domain Controller. I was pretty disappointed at first when I realized that there was no easy way to back up the system state of a Domain Controller, and even more disappointed when I couldn't find a way to schedule a system state backup! Well, in this post I want to review the way to simply schedule a system state backup on a Domain Controller and maintain those backups by removing the old ones from the backup catalog.

Requirements

a. A secondary hard drive on the domain controller. It cannot be a network drive. The only possible storage target for backing up your server is a secondary hard drive that is attached locally.

b. Having the Windows Server Backup feature installed.

The first thing that you must know to start backing up data from Windows Server 2008 is that the backup tool is […]
OK then, after completing the first configurations made in Part I of this guide, we can perform a clean but attended network installation of Windows Vista. There are two main steps to complete a full image and unattended deployment:

1. Creating the base image to deploy (OS, programs and other special configurations) and uploading it to the WDS server.
2. Making an unattended file to be used with that image.

Creating the Base Image

Note: In this series of posts we are only considering deploying Windows Vista or Windows Server 2008 images. The files used as unattended files in WDS Native mode are only valid for those operating systems; if you want to make unattended deployments with Windows XP or 2003, you will need to use RIS or WDS Legacy Mode.

The first step is pretty simple: it consists of installing the operating system with all the features, programs and configurations that you want. But there are some considerations first. After you complete the image, there's a process where you release all the data specific to the computer where it's installed, like the Security Identifier (SID), computer name, etc. Here are some of the things that the image won't keep after the release process:

· Computer name
· Owner and Company name
· SID
· Domain or workgroup membership
· TCP/IP Settings
· Regional and keyboard settings
· Specific hardware drivers. This refers to specific computer hardware, like video or audio […]
I've prepared a complete guide to configuring a WDS server on Windows Server 2008 or Windows Server 2003 to deploy complete operating system images; this is the first part. In this post I'll be covering the WDS requirements, installation, first configurations and the images needed.

Introduction

Deploying operating systems is always a hard thing to do. Annoying, uncomfortable, but necessary for every environment. Why? Because every desktop computer in every organization has its own life cycle (even servers have one; a longer one, but a cycle nonetheless). Even if your organization doesn't have many desktops, and even if those desktops don't seem to need an image refresh for several months, the dynamics of today's technology make your base operating systems change: available updates, service packs, a new version of your organization's software, newer operating systems, etc. And don't forget the consequences of any user's intervention: overloading the hard drive, personal software installation, etc., which always turns into a need for a fresh new installation. No need to keep enumerating things that normally happen; you probably know all of them.

Common Base Image Life Cycle

The bottom line is that a good and automated system to deploy your full operating system images will significantly (and I do mean significantly) improve your daily tasks: turning the awkward job of following the installation steps for maybe 2 or 3 hours into 30 minutes of complete unattended provisioning. Here's where Windows Deployment Services comes […]
Did you get the feeling that your WSUS was not downloading all the drivers that your clients needed? Well, let me tell you: if you have that feeling, you are probably right. WSUS does not automatically recognize or download all the drivers needed for all devices. Why is this happening? Because by default WSUS only receives and distributes drivers that are digitally signed by Microsoft (meaning that the driver was fully and properly tested by Microsoft). I've recently had several problems with machines that are part of my domain, like the newer IBM ThinkPad T60 and T61 models with Vista installations. Some of their drivers were missing and I had to use IBM's official site to download them, because WSUS did not recognize any updates for those machines. But you actually don't have to worry: within a few steps you can configure your WSUS to import all the drivers that your clients require. The only thing that must be clear to you first is the model of each device whose driver you need to update (you can easily find out all the details by accessing the manufacturer's official site, like the IBM Lenovo downloads and support site). Here are the steps:

1 – Open your WSUS console, access "Action" and select "Import Updates". The Microsoft Update Catalog site will appear.
2 – Insert the model of the device whose driver you need to update. For example: […]
Now that we have seen the first steps of the deployment in the previous WSUS posts (Part I and Part II), we are going to take a quick look at handling the tool itself. Once you get to know the WSUS interface, you'll see that everything is pretty much intuitive. You have to know that when tools like WSUS are involved, the patching process that you defined (testing the updates, defining how and when you'll apply those updates, the period of time involved, etc.) is the crucial matter in getting WSUS to work as you planned. In this case, the process is even more important than the technology. Let's take a final look at the group policies. We already said that it's a common best practice to implement different layers of GPOs, but which are the ones that you actually have to enable for each OU? This is an example of a GPO applied to an OU containing all the testing computers. We decide that on those testing computers the updates will download and install automatically at a certain hour of the day. But what happens if a computer is not available at that time? Then you must use the option "Reschedule Automatic Updates scheduled installations"; when you enable it, you can set the updates to install on those computers at the moment they become available again (you actually have to set only the minutes that […]
Recently I found out that there was no way to implement different password policies on domains running on Windows Server 2003. It didn't sound right to me: why can't I keep different password complexity, for example, in different OUs for different users? You can actually link policies with different values for the password options to separate OUs, but they'll be ignored because of the Default Domain Policy. It seems that there's a way to accomplish this (not an easy way, but anyhow) running domains with Windows Server 2008, and of course at the highest domain functional level. The tools involved: GPMC (included with Windows Server 2008) and ADSI Edit. Here's the solution:

http://www.windowsecurity.com/articles/Configuring-Granular-Password-Settings-Windows-Server-2008-Part-1.html
http://www.windowsecurity.com/articles/Configuring-Granular-Password-Settings-Windows-Server-2008-Part2.html

Cheers!
To pull off some of the best practices that we talked about in the first part of the WSUS 3.0 posts, we'll take a look at some technical configurations. At this point you must already have set up different OUs for the types of computers you have in your environment. This OU separation will help you improve your patching process.

· Group Policies Configuration

If you are using Windows Server 2003, first of all let me say that you must install the Group Policy Management Console to apply and access all of the policies in your domain; this tool gives you a nice interface to interact with those objects. But if you are using Windows Server 2008, this console comes integrated with the operating system, so there's no need to install it. As you remember, in the first part we talked about applying different policies for different computers and also different levels of GPOs: a "common" GPO for the entire domain, and over the OUs (and sub-OUs, if that is the case) another GPO applying more restrictive options. Let's start then by opening the GPMC and, over our domain, clicking on "Create and Link a GPO Here". After we insert the proper name for our WSUS GPO, we right-click on the GPO and select "Edit". The "Group Policy Object Editor" opens. The most important group policies that we need to configure are located in "Computer Configuration" -> […]