Donald Hester October 7, 2010 For audio call Toll Free 1-888-886-3951 and use PIN/code 386162 IT series – What’s New in Windows Server 2008 R2
Dec 14, 2015
Donald HesterOctober 7, 2010
For audio call Toll Free 1-888-886-3951and use PIN/code 386162
IT series – What’s New in Windows Server 2008 R2IT series – What’s New in Windows Server 2008 R2
• Maximize your CCC Confer window.• Phone audio will be in presenter-only mode.• Ask questions and make comments using the chat window.
Housekeeping
Adjusting Audio
1) If you’re listening on your computer, adjust your volume using the speaker slider.
2) If you’re listening over the phone, click on phone headset.
Do not listen on both computer and phone.
Saving Files & Open/close Captions
1. Save chat window with floppy disc icon
2. Open/close captioning window with CC icon
Emoticons and Polling
1) Raise hand and Emoticons
2) Polling options
Donald Hester
IT series – What’s New in Windows Server 2008 R2
Donald E. HesterCISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+
Director, Maze & Associates
University of San Francisco / San Diego City College / Los Positas College
www.LearnSecurity.org
http://www.linkedin.com/in/donaldehester
http://www.facebook.com/group.php?gid=245570977486
Email:
History What’s new in Hyper-V What’s new in NTFS What’s new with Service Accounts What’s new in User Account Control What’s Direct Access What’s new with BitLocker What’s AppLocker What’s new in Biometric support What’s new in SmartCard support What’s new in Backup What’s BranchCache What’s new in DNS What's New in Failover Clusters What's New in Microsoft iSCSI Initiator What's New in Remote Desktop Services What’s new in performance and reliability monitoring What’s new in Event Auditing What’s new in Server Core What’s New in Active Directory
Windows HistoryWindows History
Server OS Corresponding Client OS Kernel Version Build
Server 2008 R2 Windows 7 NT 6.1 7600
Server 2008 Windows Vista NT 6.0 6000
Server 2003 R2 NT 5.2 3790
Server 2003 Windows XP Pro (x64) NT 5.2 3790
Windows XP Pro (x86) NT 5.1 2600
Server 2000 Windows 2000 Pro NT 5.0 2195
Windows NT 4 Server Windows NT 4 Workstation NT 4.0 1381
Windows NT 3.51 Windows NT 3.51 NT 3.51 1057
Windows NT 3.1 Windows NT 3.1 NT 3.1 528
9
Note the following versions of Windows were DOS based:Windows 3.11, Windows 95, Windows 98, Windows Me
What’s new in Hyper-V?What’s new in Hyper-V?
The following changes to existing features:• Dynamic virtual machine
storage
• Enhanced processor support
• Enhanced networking support
New• Live Migration
10
Quick Migration vs. Live MigrationQuick Migration vs. Live Migration
Quick Migration(Windows Server 2008 Hyper-V)
• Save state• Create VM on the target• Write VM memory to shared
storage• Move virtual machine
• Move storage connectivity from source host to target host via Ethernet
• Restore state & Run• Take VM memory from shared
storage and restore on Target• Run
Live Migration(Windows Server 2008 R2 Hyper-V)
• VM State/Memory Transfer• Create VM on the target• Move memory pages from the
source to the target via Ethernet
• Final state transfer and virtual machine restore
• Pause virtual machine• Move storage connectivity
from source host to target host via Ethernet
• Un-pause & Run
Host 2Host 1 Host 1 Host 2
What’s new in NTFS?What’s new in NTFS?
• VHD Boot in Windows• Native VHD support• Chkdsk performance
improvements• Robocopy performance
enhancement• Local file copy
improvements• Improvements in
Volume Shrink• Improved performance
for solid state disks (SSD)
• Defrag for metadata
What’s new with Service Accounts?What’s new with Service Accounts?
Service accounts have always had issues• Security hole
• Password never changes
• Nobody knows the passwords
• Not sure what services where are using the service accounts
13
Virtual AccountsVirtual Accounts
Want better isolation than existing service accounts• Don’t want to manage passwords
Virtual accounts are like service accounts:• Process runs with virtual SID as principal
Can ACL objects to that SID
• System-managed password
• Show up as computer account when accessing network
Services can specify a virtual account• Account name must be “NT SERVICE\<service>”
Service control manager verifies that service name matches account name
• Service control manager creates a user profile for the account
Also used by IIS app pool and SQL Server
Managed Service AccountsManaged Service Accounts
Services sometimes require network identity e.g. SQL, IIS
Before, domain account was only option• Required administrator to manage password and Service
Principal Names (SPN)
• Management could cause outage while clients updated to use new password
Windows Server 2008 R2 Active Directory introduces Managed Service Accounts (MSA)• New AD class
• Password and SPN automatically managed by AD like computer accounts
• Configured via PowerShell scripts
• Limitation: can be assigned to one system only
What’s New with User Account Control?What’s New with User Account Control?
29% fewer user account control (UAC) prompts than Windows Vista has, and
fewer prompts in general "We've put users in control and allowed
them the ability to tune the level of prompting" using a slider bar• Paul Cooke, director of Windows Client
Enterprise Security
UAC Slide BarUAC Slide Bar
UAC in GPOUAC in GPO
What’s DirectAccess?What’s DirectAccess?
DirectAccess offers remote workers the same level of seamless and secure connectivity as they have in the office.
The system automatically creates a secure tunnel to the corporate network and workers don't have to manually connect
DirectAccess also allows IT administrators to patch systems whenever a remote worker is on the network
DirectAccessDirectAccess
DirectAccess also uses IPsec to authenticate the computer and user, encrypt the data crossing over the Internet
Can even be used to require employees to authenticate with a smart card
DirectAccess RequirementsDirectAccess Requirements
Active Directory PKI Certificates IPv6 Server 2008 R2 Windows 7
Or you can useForeFront USG
What’s new with BitLocker?What’s new with BitLocker?
Windows Vista users have to repartition their hard drive to create the required hidden boot partition • Windows 7 & Server 2008 R2 creates that
partition automatically when BitLocker is enabled
Windows 7 & Server 2008 R2 extends the Data Recovery Agent (DRA) to include all encrypted volumes • As a result, only one encryption key is needed
on any BitLocker-encrypted Windows machine
What replaces software restriction polices?What replaces software restriction polices?
AppLocker technology that allows administrators to control the software that runs on Windows 7 & Server 2008 R2 machines
This ensures that only authorized scripts, installers, and dynamic load libraries are accessed
It can also be used to keep unlicensed software off machines
What’s new in Biometrics?What’s new in Biometrics?
A Biometric Devices Control Panel Device Manager support for managing drivers for biometric
devices Credential provider support (UAC elevation) Group Policy settings to enable, disable, or limit the use of
biometric data for a local computer or domain Biometric device driver software available from Windows Update
What’s new in Smart Card support?What’s new in Smart Card support?
Windows 7 & Server 2008 R2 extends the smart card support offered in Windows Vista by automatically installing the drivers required to support smart cards and smart card readers, without administrative permission
Smart Card device driver software available from Windows Update
What's new in Backup?What's new in Backup?
Ability to back up/exclude individual files and to include/exclude file types and paths from a volume
Improved performance and use of incremental backups
Expanded options for backup storage Improved options and performance for system
state backups and recoveries Expanded command-line support Expanded Windows PowerShell support
28
What’s BranchCache?What’s BranchCache?
Microsoft recommends that users run Windows 7 clients in conjunction with Windows 2008 R2 servers in order to get the benefit of BranchCache, a caching application that makes networked applications faster and more responsive
What’s BranchCache?What’s BranchCache?
32
What's New in Failover Clusters?What's New in Failover Clusters?
Improvements to the validation process for a new or existing cluster
Improvements in functionality for clustered virtual machines (which run with the Hyper-V feature)
The addition of a Windows PowerShell interface
Additional options for migrating settings from one cluster to another (Live Migration & Quick Migration)
33
What's New in Microsoft iSCSI Initiator?What's New in Microsoft iSCSI Initiator?
User interface enhancement and redesign
iSCSI digest offload support• better CPU utilization
iSCSI boot support for up to 32 paths at boot time• Redundancy needed to protect against
network component failures or outages
34
What’s New with DNS?What’s New with DNS?
DNS Security Extensions (DNSSEC) DNS Devolution DNS Cache Locking DNS Socket Pool
35
DNSSECDNSSEC
Supports Domain Name System Security Extensions (DNSSEC), newly established protocols that give organizations greater confidence that DNS records are not being spoofed
DNS DevolutionDNS Devolution
Helps clients in child domains resolve host names when they are not sure what domain the host is in
This can be set to specific levels of resolution (Domain Child/Parent Levels)
For example:
37
An application attempting to query the host name emailsrv7 will attempt to resolve emailsrv7.central.contoso.com and emailsrv7.contoso.com
DNS Cache LockingDNS Cache Locking
Cache locking is a new security feature available with Windows Server® 2008 R2 that allows you to control whether or not information in the DNS cache can be overwritten.
38
DNS Socket PoolDNS Socket Pool
The socket pool enables a DNS server to use source port randomization when issuing DNS queries
This provides enhanced security against cache poisoning attacks
39
What's New in Remote Desktop Services?What's New in Remote Desktop Services?
Server 2008 R2 with SP 1 Microsoft RemoteFX has been added to
Remote Desktop Services• 3D adapter
• USB redirection Intelligent capture and compression that
adapts for the best user experience All Remote Desktop Services role
services have been renamed
40
What’s new in performance and reliability monitoring?What’s new in performance and reliability monitoring?
41
What’s new in Event Auditing?What’s new in Event Auditing?
Enhancements to event auditing Regulatory and business requirements
are easier to fulfill through management of audit configurations, monitoring of changes made by specific people or groups, and more-granular reporting.
For example, Windows 7 reports why someone was granted or denied access to specific information.
What’s new in Server Core?What’s new in Server Core?
Additional Server Roles Available• The Active Directory® Certificate Services
(AD CS) role
• The File Server Resource Manager component of the File Services role
• A subset of ASP.NET in the Web Server role
43
What’s new in Server Core?What’s new in Server Core?
Additional Features• Support for .NET framework
• Windows PowerShell
• Windows-on-Windows 64-bit (WoW64) Removed
• The removable storage feature New support
• Remote configuration with Server Manager
44
What’s New in Active Directory?What’s New in Active Directory?
Active Directory Recycle Bin Changes to Group Policies Windows PowerShell cmdlets AD Administrative Center AD Best Practices Analyzer Offline domain join Managed Service Accounts Management Pack
45
What’s new in Group Policies?What’s new in Group Policies?
Extended Windows 7 & Server 2008 R2 polices
Windows PowerShell Cmdlets for Group Policy
Additional Group Policy Preferences Improved Starter Group Policy Objects Improved UI Admin Template
Functionality
46
AD Recycle BinAD Recycle Bin
Information technology (IT) professionals can use Active Directory Recycle Bin to undo an accidental deletion of an Active Directory object.
Accidental object deletion causes business downtime. This is the number one cause of Active Directory
recovery scenarios. Active Directory Recycle Bin works for both AD DS
and Active Directory Lightweight Directory Services (AD LDS) objects.
This feature is enabled in AD DS at the Windows Server 2008 R2 forest functional level.
AD Recycle BinAD Recycle Bin
180 Days 180 Days
Your slides here
http://www.microsoft.com/windowsserver2008/en/us/whats-new.aspx
Donald E. HesterCISSP, CISA, CAP, MCT, MCITP, MCTS, MCSE Security, Security+, CTT+
Director, Maze & Associates
University of San Francisco / San Diego City College / Los Positas College
www.LearnSecurity.org
http://www.linkedin.com/in/donaldehester
http://www.facebook.com/group.php?gid=245570977486
Email:
Evaluation Survey Link
Help us improve our seminars by filing out a short online evaluation survey at:
http://www.surveymonkey.com/s/IT-WindowsServer
Thanks for attendingFor upcoming events and links to recently archived
seminars, check the @ONE Web site at:
http://onefortraining.org/
IT series – What’s New in Windows Server 2008 R2