Windows Server 2012 Virtual Labs

When it releases later this year, Windows Server 2012 will bring a stack of exciting new features and enhancements, like the fantastic multi-server management features of the new Server Manager, and of course PowerShell v3.0!

If you want to get ahead of the curve on Server 2012, there’s no better way than digging in and getting your hands dirty. Not everyone has a load of spare hardware to set up a test lab, though, and even if you do, it’s sometimes difficult to know where to start, especially since pre-release software tends to lack the documentation you would want to explore a feature in depth.

To that end, Microsoft have produced a load of Windows Server “8” Beta Virtual Labs (put together before the Windows Server 2012 name was announced). These are self-contained modules focusing on the following:

  • Active Directory Deployment and Management Enhancements
  • Configuring a Highly Available iSCSI Target
  • Configuring Hyper-V over Highly Available SMB Storage
  • Implementing Storage Pools and Storage Spaces
  • Introduction to Windows PowerShell Fundamentals
  • What’s New in Windows PowerShell 3.0
  • Managing Branch Offices
  • Managing Network Infrastructure
  • Managing Your Network Infrastructure with IP Address Management
  • Managing Windows Server “8” with Server Manager and Windows PowerShell 3.0
  • Online Backup Service
  • Using Dynamic Access Control to Automatically and Centrally Secure Data

In addition, you might want to check out some of the Resources for IT Professionals that Microsoft have published in relation to the TechEd conference that will start in a month in Orlando.

(Thanks to my friend @Alexandair for both of those links)

The dangers of using the bin to store things you want to keep

When you build IT systems and you put limitations on how they are intended to be used, it goes without saying that people will try to find ways of getting round those limitations. We’ve always been fairly liberal about what users can do with our systems, but there are some times that we have to put limits in place. For example, we don’t have an unlimited amount of disk space, so we have to put quotas on storage capacity for each user’s email and files.

It turns out that some people try to work around these quotas by deleting email messages or files that they want to keep and then taking advantage of Exchange’s Recover Deleted Items feature and the shadow copies of home folders on the file servers (seen as Previous Versions in Windows Explorer). Some people may get away with working like that for some time, simply recovering the content during the retention period and then deleting it again so that it doesn’t count against their quota.

As a way of working, that’s about as safe as storing your important paperwork in the bin and hoping that you’re always there to take it out before the cleaner comes along to empty it. From time to time, routine maintenance on the file servers will result in shadow copies being lost – it’s not that we’re being careless with them; that’s just the way it works. If your mailbox has to be moved from one Exchange mailbox store to another, you’ll lose the ability to recover your deleted items. We try to keep these instances to a minimum because those features are useful for quickly recovering when accidents do happen, but sometimes they are necessary in the course of keeping the systems running as reliably as possible.

Throwing things away and then hoping that the bin doesn’t get emptied is not a solution. If there are legitimate reasons why your quota isn’t big enough, then there are better ways to work. We have a system for requesting increases to home folder quotas and a Home Archive Service for infrequently accessed data (and other solutions for even bigger data requirements, such as large sets of research data), and we have an Exchange Archiving System to store larger amounts of old mail. If none of those meet the specific need, then we’re happy to help to find a solution that works.

Re-assigning Administrator permissions on filestores

You may be aware that if you remove the Administrator permissions from your home folder (or any other shared folder) this will cause all sorts of problems as well as prevent backups being taken. Therefore it is strongly advised not to do this.
Who has access to my filestore?

To re-assign administrator permissions, start by opening COMPUTER (or MY COMPUTER if using Windows XP) and type the path of the share you want to fix. If you are unsure what the path is, use cmdinfo to find out.

My home folder is on tower 1 and home 01, therefore I shall type \\tower1\home01, and I should only be able to see folders I have permission on.

Right click on your folder and select properties. Then select the security tab.

You may notice that tower1\administrators is not there as it should be, so click the Add button.

Type towerX\administrators

Tick the full control box to allow full control to towerX\administrators then click apply

Click OK. All child folders and files should now have the administrator permission.

Scheduling a Backup in Windows Server 2008 using WBADMIN

The Windows Server Backup feature provides a basic backup and recovery solution for computers running the Windows Server 2008 operating system and offers significant improvements over its predecessor. Windows Server Backup introduces new backup and recovery technology and replaces the previous Windows Backup (Ntbackup.exe) feature that was available with earlier versions of the Windows operating system.

One or two people have asked recently how to schedule a backup using the Windows Server Backup feature in Windows Server 2008. This is certainly a legitimate question, as the GUI tool provides little or no flexibility in choosing which volumes to back up and where to back them up to. As such we need to look to the command line tool, WBADMIN.

In order to schedule the task you will need either a dedicated hard disk and its drive letter, or a UNC path to a share.

The following command will back up drives H, I and Z to a share called weeklybackup on server1.

wbadmin start backup -backupTarget:\\server1\weeklybackup -include:H:,I:,Z: -quiet

The command can be broken down into four parts:

wbadmin start backup

Runs a one-time backup. If used with no parameters, it uses the settings from the daily backup schedule.

-backupTarget

Specifies the destination to which the backups will be stored.

-include

This switch allows you to specify which volumes you would like to back up.

-quiet

Suppresses any prompts to the user, allowing you to run the command unattended as a scheduled task.

Important:

If you save a backup to a remote shared folder, that backup will be overwritten if you use the same folder to back up the same computer again. In addition, if the backup operation fails, you may end up with no backup because the older backup will be overwritten, but the newer backup will not be usable. You can avoid this by creating subfolders in the remote shared folder to organize your backups. If you do this, the subfolders will need twice the space as the parent folder.
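As an added example (not from the original post), here is a batch file that runs the same wbadmin backup of H:, I: and Z: to \\server1\weeklybackup, but into a per-machine, per-date subfolder so that a failed run cannot overwrite the last good backup, as the note above warns. The share path, script location and the DOMAIN\backupsvc account are assumptions.

```batch
@echo off
rem Added example, not the post's own script: weekly wbadmin backup into a
rem dated subfolder (\\server1\weeklybackup\<computer>\<YYYY-MM-DD>) so that an
rem earlier backup survives if this run fails. Share and volumes are assumed.
setlocal

set "TARGET=\\server1\weeklybackup"
set "VOLUMES=H:,I:,Z:"
set "LOG=%TARGET%\backup.log"

rem Build a YYYY-MM-DD stamp from WMIC so it does not depend on the regional
rem date format. The stray CR that WMIC appends is dropped by the substring.
for /f "tokens=2 delims==" %%a in ('wmic os get localdatetime /value') do set "DT=%%a"
set "STAMP=%DT:~0,4%-%DT:~4,2%-%DT:~6,2%"
set "DEST=%TARGET%\%COMPUTERNAME%\%STAMP%"

if not exist "%DEST%" mkdir "%DEST%"
if not exist "%DEST%" (
    echo %date% %time% cannot create %DEST% >> "%LOG%"
    exit /b 1
)

rem -quiet suppresses the prompts so the task can run unattended
wbadmin start backup -backupTarget:%DEST% -include:%VOLUMES% -quiet
if errorlevel 1 (
    echo %date% %time% backup FAILED, wbadmin exit code %errorlevel% >> "%LOG%"
    exit /b 1
)
echo %date% %time% backup OK in %DEST% >> "%LOG%"

rem To schedule this script, run once from an elevated prompt, for example
rem every Sunday at 02:00. The account must be a local Administrator or
rem Backup Operator and have write access to the share (/rp * prompts for it):
rem   schtasks /create /tn "Weekly Backup" /tr "C:\Scripts\weeklybackup.cmd" /sc weekly /d SUN /st 02:00 /ru DOMAIN\backupsvc /rp *
endlocal
```

Because each run lands in its own subfolder, remember the doubled space requirement the note describes and prune old subfolders once you have verified the newer backup with wbadmin get versions.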

Configure Bitlocker on a TPM Enabled Machine

Introduction:

This guide is based on a detailed article from the Vista TechCenter tested and modified for use on CAMPUS.

BitLocker Drive Encryption is an integral new security feature in the Windows Vista operating system that provides considerable protection for the operating system on your computer and data stored on the operating system volume. BitLocker ensures that data stored on a computer running Windows Vista remains encrypted even if the computer is tampered with when the operating system is not running. This helps protect against “offline attacks,” attacks made by disabling or circumventing the installed operating system, or made by physically removing the hard drive to attack the data separately.

This guide demonstrates how to configure a basic installation of Bitlocker with a TPM Enabled machine and assumes you are performing a clean build on a new machine using a network based WDS build.

Important things to remember before you begin

  • BitLocker is particularly recommended to users of laptops within the University.
  • Backups are more important than ever on encrypted disks, as recovery will be all but impossible if the disk’s hardware fails.
  • Changing a system’s hardware will cause the TPM to react and lock the system down. This can easily be fixed by using the BitLocker recovery key, but only if you still have it!

Prerequisites

  • A machine with a TPM chip
  • Windows Vista DVD
  • Windows Vista Business, Enterprise or Ultimate Editions
  • A USB key, preferably one you can dedicate to use with BitLocker.
  • Access to a printer

1. Copy the contents of \\campus\software\ucs\SystemSW\Bitlocker to your USB Key.

2. Boot the new machine from the Windows Vista DVD. It is necessary to do this as the WDS build on the Campus Network will not allow access to the command prompt.

3. Select the locale, accept the license and call up a command prompt by pressing SHIFT + F10.

4. At this point you can either manually run the DISKPART tool or use the script you copied on to the USB Key in Step 1.

For BitLocker to work, you must have at least two partitions on your hard disk. The first partition is the system volume and labeled S in this document. This volume contains the boot information in an unencrypted space. The second partition is the operating system volume and labelled C in this document. This volume is encrypted and contains the operating system and user data.

The script you copied to your USB key will automatically:

  • Select the first disk in the system (Disk 0).
  • Clean the partition table.
  • Create a 1.5GB system partition, set it as active and assign it the letter S.
  • Partition the rest of the disk and assign it the letter C.
  • Quick format both volumes with the NTFS file system.

IMPORTANT: Running this script will destroy all data on the system.

To run the script, change drive to your USB Key and run bitprep.bat
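The campus bitprep.bat itself is not reproduced here; as an added example, the batch file below drives DISKPART to produce the same layout described above (a 1.5GB active system partition S: and the rest of the disk as C:, both quick-formatted NTFS) from the SHIFT + F10 command prompt, and asks for explicit confirmation because it wipes Disk 0. The script file name and the volume labels are my own choices.

```batch
@echo off
rem Added example, not the campus bitprep.bat: builds the two-partition layout
rem BitLocker needs (S: unencrypted system volume, C: OS volume to encrypt).
rem IT DESTROYS ALL DATA ON DISK 0, so it asks for confirmation first.
setlocal
set "SCRIPT=%TEMP%\bitprep.txt"

set /p "CONFIRM=Type WIPE to erase disk 0 and create the BitLocker layout: "
if /i not "%CONFIRM%"=="WIPE" (
    echo Aborted, disk untouched.
    exit /b 1
)

rem Write the DISKPART commands to a file and run them non-interactively
> "%SCRIPT%" (
    echo select disk 0
    echo clean
    echo create partition primary size=1536
    echo active
    echo format fs=ntfs label="System" quick
    echo assign letter=S
    echo create partition primary
    echo format fs=ntfs label="Windows" quick
    echo assign letter=C
    echo exit
)

diskpart /s "%SCRIPT%"
if errorlevel 1 (
    echo DISKPART failed with exit code %errorlevel%
    exit /b 1
)
echo Done: S: holds the unencrypted boot files, C: is the volume BitLocker will encrypt.
endlocal
```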

5. When the script has completed, restart your machine and build it using WDS as normal, installing Windows on drive C.

6. Now would be a good time to enable your TPM in the BIOS if it is not already. There does not seem to be any convention on how the TPM is referred to, but on HP machines it is referred to as the ‘Embedded Security Device’.

7. When your machine has finished building, installing software and is fully patched you can start to configure Bitlocker. Click Start > Control Panel > Security > BitLocker Drive Encryption.

8. On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume. If your TPM is not initialised, you will see the Initialize TPM Security Hardware wizard. Follow the directions to initialize the TPM and restart your computer.

9. On the Set BitLocker start-up preferences page, select the start-up option you want. You can choose only one of these options:

  • No additional security.
  • Require PIN at every start-up. You will see the Set the startup PIN page. Enter your PIN, confirm it, and then click Set PIN.
  • Require Startup USB key at every start-up. You will see the Save your start-up Key page. Insert your USB flash drive, choose the drive location, and then click Save.

In this scenario Bitlocker supports the following security permutations.

  • TPM only
  • TPM + PIN
  • TPM + PIN + USB Key
  • TPM + USB Key


10. On the Save the recovery password page, you will see the following options:

  • Save the password on a USB drive. Saves the password to a USB flash drive.
  • Save the password in a folder. Saves the password to a network drive or other location.
  • Print the password. Prints the password.

The recovery password will be required in the event that the encrypted drive must be moved to another computer, or changes are made to the system startup information. This password is so important that it is recommended you make additional copies of it, stored in safe places, to ensure you keep access to your data. You will need your recovery password to unlock the encrypted data on the volume if BitLocker enters a locked state. This recovery password is unique to this particular BitLocker encryption; you cannot use it to recover encrypted data from any other BitLocker encryption session. You should store recovery passwords apart from the computer for maximum security.

11. When you have finished backing up your recovery passwords you are ready to Encrypt the volume. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check check box is selected, and then click Continue.
Confirm that you want to restart the computer by clicking Restart Now. The computer restarts and BitLocker verifies if the computer is BitLocker-compatible and ready for encryption.

12. If the system passed the checks you will see an ‘Encryption in Progress’ notifier in the system tray.

13. You now have an encrypted disk!

14. If you would like to add more volumes and encrypt them then create the volumes as normal and then turn on Bitlocker for that drive.
