Windows Server 2008 R2 is chock full of hidden capabilities, utilities and tools that could make any IT Pro’s life a little easier. IT Pros supporting Windows Server 2008R2 will find these utilities a must have, while planning for the transition to Windows Server 2012, or even use those new-found tips and tricks to breathe some additional life into a Server destined for replacement.
While Microsoft may be touting the enhancements and advantages offered by Windows Server 2012, there is still a significant number of IT Pros that still have to support Windows Server 2008 environments. The reasons are many, ranging from limited budgets to Windows Server 2008 meeting current needs. Simply put, a majority of IT Pros are in no rush to move over to Windows Server 2012.
Further delaying that move is the fact that Windows Server 2008 R2 is loaded with little known features and capabilities that are sure to extend the life of Microsoft’s last generation server operating system. Unearthing those tips and tricks takes a little bit of detective work and research to expose the value of those "un-documented" capabilities -- truth be told, most are documented, just impossible to find. Nevertheless, here is a list of important capabilities that every IT Pro should be aware of when working with Windows Server 2008 R2.
Although most every IT Pro knows about Windows PowerShell, many do not know or fully appreciate how much power it actually brings to the management of a Windows Server 2008 system. PowerShell features a vast array of commands and syntax that can make everyday chores a lot easier. What’s more, PowerShell proves to be an excellent aid for solving technical problems, quickly and easily. With that in mind, it becomes obvious why an IT Pro would want to master PowerShell, especially the commands that can help to solve problems quickly.
Here are a few examples of commands that can be executed via PowerShell:
- Determine the make and model of a computer: Get-WmiObject -Class Win32_ComputerSystem
- Discover information about the BIOS: Get-WmiObject -Class Win32_BIOS –ComputerName
- Determine the username of who is logged on: Get-WmiObject -Class Win32_ComputerSystem -Property UserName –ComputerName
- Get IP addresses assigned to the current computer: Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName . | Format-Table -Property IPAddress
- Install an MSI package on a remote computer: (Get-WMIObject -ComputerName TARGETMACHINE -List | Where-Object -FilterScript {$_.Name -eq "Win32_Product"}).Install(\MACHINEWHEREMSIRESIDESpathpackage.msi)
- Remove an MSI package from the current computer: (Get-WmiObject -Class Win32_Product -Filter "Name='product_to_remove'" -ComputerName . ).Uninstall()
- Remotely shut down another machine after one minute: Start-Sleep 60; Restart-Computer –Force –ComputerName TARGETMACHINE
- Enter into a remote PowerShell session (you must have remote management enabled): enter-pssession TARGETMACHINE
- Upgrade an installed application with an MSI-based application upgrade package: (Get-WmiObject -Class Win32_Product -ComputerName . –Filter "Name='name_of_app_to_be_upgraded'").Upgrade(\MACHINEWHEREMSIRESIDESpathupgrade_package.msi)
- Get a more detailed IP configuration report for the current machine: Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName . | Select-Object -Property [a-z]* -ExcludeProperty IPX*,WINS*
Of course, the above is only a sampling of what can be done with PowerShell. However, it is those commands that illustrate how powerful PowerShell can be for managing both Local and Remote servers. What’s more, many of the commands can be run on remote client PCs as well, further easing administration and troubleshooting.
There are plenty of resources available out there to help you learn PowerShell for free, one of which is powershellmagazine.com.
Secure and reliable remote access has become a must have for most organizations. Normally an IT Pro has had to implement a third party product to make that a reality, adding complexity and cost to what should be a simple accomplishment. With Windows Server 2008 R2, secure remote access, which is also reliable, is now integrated directly into the operating system, making a once tedious chore relatively simple.
DirectAccess allows remote client computers running Windows 7 to connect directly to intranet-based resources without the complexity of VPN client software. What’s more, DirectAccess enables mobile users to experience the same type of connectivity both in and outside of the office, which is unlike a typical VPN connection.
DirectAccess connections can be established even before the user logs on (although mobile users must be logged on to access intranet resources). IT Pros can also manage remote computersthat are connected through DirectAccess regardless of whether the user is logged on.
Agile VPN solves one of the most common problems with traditional VPNs, which are not resilient against connection failures or device outages. Normally, when outages occur, the VPN tunnel terminates and the connection must be reestablished -- resulting in lost connectivity that can range from a few minutes to hours or more.
Agile VPN solves those problems by providing multiple network paths between VPN tunnel connection points. In the event of a connection failure or device outage, Agile VPN is designed to automatically use another network path to maintain the existing VPN tunnel.
Windows Server 2008 R2 BranchCache feature can speed up perceived access to files for users at branch offices while allowing you to save on data line and bandwidth costs. Implementing BranchCache can make an IT Pro look like a performance Wizard. Simply put, as the name implies, BranchCache caches frequently accessed data for remote locations (or branches), which effectively speeds up access to data.
BranchCache can be used to mitigate performance problems for remote sites and can delay the need to purchase more bandwidth, saving money, while increasing productivity. BranchCachereduces wide area network (WAN) traffic and boosts network application responsiveness. It works by caching frequently used content on the network in remote or branch office locations to enhance productivity -- allowing remote users to work with files in an environment that is designed to be identical to the experience of their peers in the central office.
When remote clients attempt to retrieve data from servers located in the central data center, a copy of the retrieved content is stored on the local network at the remote location. Subsequent requests for the same content can be served from replicas help protect digital assets by providing branch offices and remote locations with read-only access to information replicated to those locations. Because the information is read-only, it prevents remote users from modifying or accidentally deleting information.
IT Pros are finding that they need to support remote workers that are using their own hardware. In other words, those remote users are accessing company resources with machines that IT Pros have no control over. Nevertheless, providing secure remote access to intranet-based resources from public computers or Internet kiosks can boost productivity considerably.
IT Pros can use a combination of the Remote Workspace, Presentation Virtualization, andRemote Desktop Gateway features in Windows Server 2008 R2, to allow remote clientcomputers to access internal resources without the installation of additional software.
That allows mobile users to remotely access their desktop images. When paired with Windows 7, the remote user is provided with an experience that is identical to the experience they would have when using their desktop computers at the central office location -- including the same desktop icons, Start menu items, and installed applications. When the user closes the session, the remote Windows 7 client desktop environment reverts to the previous configuration.
NAP:-
Network Access Protection with DHCP Step-By-Step Guide Network Access Protection or NAP is a service which validates the health status of different type of clients which intend to use some specific services on the network. Once the client is trying to use the service, its health status is checked by using the health validation agent of NAP service installed on NAP server and if approved, the client is allowed to use that service. One of the services that can be well-integrated with NAP is DHCP. If the client trying to receive an IP address does not pass the health validation check, it is not allowed to receive an IP address and therefore is not able to connect to the network. Of course one of the disadvantages of using DHCP integrated with NAP is that it could be easily bypassed if the client avoided using a dynamic IP address configuration and the user set its IP address manually and joined the network. This actually would all go back to how much privilege is given to the user to be able to change its IP address manually. For this part, we would not talk about in this post as we would try to solely focus on the DHCP and NAP configuration both on the DHCP and NAP Servers and also on the client. First of all we need to install Network Policy Server Role. Open up Server Manager and click on Add Roles and then from the roles check Network Policy and Access Services and click Next. Then from the available Role Services, check Network Policy Server, click Next and then Install: Then from the Administrative Tools, click on Network Policy Server and then in the new windows click on Configure NAP: From the Network Connection Methods, choose Dynamic Host Configuration Protocol (DHCP) and then choose a name for the Policy: Since we do not have a Radius Server in our scenario, click Next again and in the next step click on Add and then give a name to the specified DHCP Scope: Click Next again so that this policy will be applied to all the users. Click Next again and in the new window you should specify a remediation server by clicking on the New Group. In the new Window, give it a name like Rem-Server. Click on Add and then give the IP address of the Remediation Server. Here I entered 10.10.0.10 Notes: A remediation server is the server that gives non-compliant computers (Unhealthy computers) the needed patches and updates to change their status to compliant and healthy. After you added the New Group, then do not enter any URL as the Troubleshooting URL since in this scenario we do not need one and then click Next and then click Next again and then click Finish. Then on the Network Policy Server console and under Network Access Protection click on System Health Validators and then on the right hand side right click on Windows System Health Validator and click Properties: in the new Windows click on Configure: and then in the following Windows you can specify what tests you need to be run on different types of clients (Windows Vista and Windows XP): I let them all on and then click OK twice and finish it all. And then on the server click on Run and type mmc and then from the File menu, choose Add/Remove Snap-in and then choose NAP Client Configuration and click Add and then choose the local computer and click on OK twice to open the following console. On the left pane, click on NAP Client Configuration and then Enforcement Clients and then on the right right click on DHCP Quarantine Enforcement Client and click Enable. Now you are done with the NAP Configuration on the server and you have to move to your Domain Controller and if you want this policy to be applied to all the computers, make some modification on the default domain policy using Group Policies. So on the domain controller open up Group Policy Management Console from the administrative Tools and then right click on the Default Domain Policy and click Edit: Go to Computer Configuration->Windows Settings->Security Settings->Network Access Protection->NAP Client Configuration->Enforcement Clients and then from the right hand side right click on DHCP Quarantine Enforcement Client and click Enable. Then Go to Computer Configuration->Windows Settings->Security Settings-> System Services and then on the right hand side double click on Network Access Protection Agent and from this Window apply the following configuration: Then go to your DHCP Server and open up DHCP from the administrative Tools, and we assume that you already have one scope: Right click on the scope name and then click Properties and then go to the Network Access Protection tab and click on Enable for this scope and then click OK. and then go to the scope Options and right click on it and then choose Configure Options and go to the Advanced Tab and from the User Class choose Default Network Access Protection Class and then in the options check DNS Server and add a DNS Server IP Address and then click OK. Now you are done and everything works fine. All you need to do is to go to your client and disable the firewall or disable your antivirus program or do something which makes your client NOT HEALTHY and then you will see that you will get an IP Address from the DHCP Server but this time with a DNS address of 100.100.100.100 You want to learn more about Network Access Protection and see more scenarios such as integration with VPN? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book.