Blog: Windows 2008 Server

I had an issue come up with using GUID partition table disks in Windows 2008 VMs. The issue involves doing a file-level restore from image-based backups made using 3rd party VMware backup utilities such as Veeam Backup, Vizioncore vRanger, or esXpress. In Windows 2008, the disk containing the system partition is always MBR, but for disks with non-system partitions I had been using GPT. I found specifically with Veeam, file-level restore functionality does not work because when the vmdk is mounted to the recovery host during the process, the partition table cannot be read. The partitions on the system disk show up fine, but all partitions on GPT disks are not available. A VERY close look at the Veeam documentation shows that GPT disks are not supported, only MBR disks. So, if one of these products will be used for backup, it would be best just to go with the MBR disks.


 

For a little added security you can move your inetpub directory to a separate partition from your operating system files. By default the IIS7 Inetpub directory is created on the same partition as the Windows Server 2008 install. There is no way to specify a different location during the setup process. You can create a new inetpub directory on a different partition, set the correct permissions, and change all the IIS settings to point to the new directory. However, a program manager on the IIS team wrote a great script that will do all that for you. Here are the steps to move inetpub using his batch file:

  • First download the batch file from his blog post.
  • Unzip the batch file
  • Open a command prompt
  • Browse to the directory where you unzipped the batch file
  • Type "moveiis7root.bat" <the drive letter of the partition you would like to move it to> and press enter

Example: "moveiis7root.bat w"

If the batch file runs successfully you'll have a new inetpub directory on the partition you specified with the correct access permissions set and IIS will be configured to use the new folder.  You can then delete the old c:\inetpub directory.


 

With Windows Server 2008, Windows Vista, and Windows 7, Microsoft changed the group policy template files to an XML format (.ADMX file extension). These files are stored in the PolicyDefinitions folder under %systemroot%. If you open the Group Policy Editor from a 2008 or higher system, it will automatically access these files on the local system. However, if you want to automatically have access to the templates across the network, you can create a central store on a domain controller and they will be automatically replicated with other domain controllers in the domain. Using this method I was able to make the newer Windows 7 ADMX files available on our 2008 domain controllers.

http://technet.microsoft.com/en-us/library/cc748955%28WS.10%29.aspx


 

I had a situation come up this week where a user was able to change the security on a file that they had created. This type of action was not desirable and I was having a hard time tracking down how this was happening. It turned out to be the following: the user had Modify permissions for the folder and subfolders, so they were free to create and delete files. However, the CREATOR OWNER permission was also on the folder and was set to FULL CONTROL. Thus, when the user created a new file, they were the owner. As such, they were then given the ability to change the permissions. So, the gotcha is: be careful how the CREATOR OWNER permission is used…and keep a watchful eye on curious users.
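One way to find folders exposed to this gotcha is to audit ACLs for CREATOR OWNER entries that grant the right to change permissions or take ownership. This is an added example, not part of the original post; the root path `D:\Shares` is a placeholder.

```powershell
# Added example: find folders where CREATOR OWNER can rewrite permissions.
# 'D:\Shares' is a placeholder root, not a path from the post.
function Get-CreatorOwnerRisk {
    param([string]$Root = 'D:\Shares')

    # Well-known SID for CREATOR OWNER; matching on the SID avoids
    # depending on the localized account name.
    $creatorOwnerSid = 'S-1-3-0'

    # WRITE_DAC (0x40000) | WRITE_OWNER (0x80000) | GENERIC_ALL (0x10000000).
    # Inherit-only CREATOR OWNER entries are often stored as GENERIC_ALL,
    # which Get-Acl shows as the raw number 268435456 instead of FullControl.
    $riskyMask = 0x40000 -bor 0x80000 -bor 0x10000000

    # The root folder itself plus every subfolder beneath it.
    $folders = @(Get-Item $Root) +
               @(Get-ChildItem $Root -Recurse | Where-Object { $_.PSIsContainer })

    foreach ($folder in $folders) {
        $acl = Get-Acl -Path $folder.FullName
        # Explicit and inherited rules, with identities returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true,
                     [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            if ($rule.IdentityReference.Value -ne $creatorOwnerSid) { continue }
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if (([int]$rule.FileSystemRights -band $riskyMask) -eq 0) { continue }
            New-Object PSObject -Property @{
                Folder    = $folder.FullName
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

Get-CreatorOwnerRisk -Root 'D:\Shares' | Format-Table -AutoSize
```

Rows with `Inherited` set to `False` mark the folders where the entry was actually placed; reducing CREATOR OWNER there to Modify stops new file owners from receiving the permission-change right through that entry.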


 

I was recently configuring an ISA server for a network support customer including automatic configuration using WPAD. The customer had a 2008 SBS server and a 2003 ISA server (running ISA 2006). I added a "wpad" alias (CNAME) to the DNS server on the SBS box to allow clients to automatically detect the new ISA server. However, when I tried to resolve the entry on the SBS server as well as other hosts on the network, it never would resolve. I tried other CNAME entries on the server, and they all worked fine. I tried removing the entry and re-adding it, but got the same behavior. I decided to let it sit overnight to see if it was a timing issue. The next day, I still couldn’t resolve "wpad" or "wpad.bofc.local". I started digging and found that the DNS service on Windows Server 2008 has a built-in "block list" for some potentially dangerous DNS names. The default list includes "wpad" and "isatap". Gotcha! Since I wasn’t concerned with blocking any DNS names, I decided to turn off the "block list". I used the following dnscmd command:

dnscmd /config /enableglobalqueryblocklist 0

Other helpful commands when dealing with this include (from http://technet.microsoft.com/en-us/library/cc995158.aspx):

To check whether the global query block is enabled, type the following:
dnscmd /info /enableglobalqueryblocklist

To display the host names in the current block list, type the following:
dnscmd /info /globalqueryblocklist

To disable the block list and ensure that the DNS Server service does not ignore queries for names in the block list, type the following:
dnscmd /config /enableglobalqueryblocklist 0

To enable the block list and ensure that the DNS Server service ignores queries for names in the block list, type the following:
dnscmd /config /enableglobalqueryblocklist 1

To remove all names from the block list, type the following:
dnscmd /config /globalqueryblocklist

To replace the current block list with a list of the names that you specify, type the following:
dnscmd /config /globalqueryblocklist name [name]…
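Turning the block list off also stops blocking "isatap". The commands above can instead be combined to allow only "wpad" and keep the list enabled, shown here as an added example that is not from the original post or the TechNet page. It assumes the list still holds the default names mentioned in the post, and the function name is hypothetical.

```powershell
# Added example: allow one name (wpad) while leaving the block list enabled.
# Run in an elevated prompt on the DNS server. $Current is an assumption:
# the default list named in the post, not a value read from the server.
function Set-DnsBlockListExcept {
    param(
        [string[]]$Current = @('wpad', 'isatap'),
        [string[]]$Allow   = @('wpad')
    )

    # Names that stay blocked after the change.
    $keep = @($Current | Where-Object { $Allow -notcontains $_ })

    # Replace the list; with no names left, this form clears it.
    & dnscmd /config /globalqueryblocklist $keep
    if ($LASTEXITCODE -ne 0) { throw 'dnscmd failed while setting the block list' }

    # Make sure blocking itself is switched on (1 = enabled).
    & dnscmd /config /enableglobalqueryblocklist 1
    if ($LASTEXITCODE -ne 0) { throw 'dnscmd failed while enabling the block list' }

    # Show the resulting state for confirmation.
    & dnscmd /info /enableglobalqueryblocklist
    & dnscmd /info /globalqueryblocklist
}

Set-DnsBlockListExcept -Allow 'wpad'
```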


 

This seems to be something that my Windows Vista book did not mention about disk management in comparison with the past versions. Windows Vista/7/2008 Server have an improved Disk Management feature in that it allows you to shrink basic partitions. Whereas in the past we have had to use 3rd party utilities (such as GParted or Partition Magic) to resize drives, Windows has the option to shrink the partition size. Simply open up Disk Management, right-click on the partition you wish to shrink, and select “Shrink”.

Windows will calculate exactly how much it can shrink so that you can use the new unallocated space to make additional partitions.  Limitations to this of course depend on where the data is currently stored on the disk.  If it is scattered, you may be able to claim more by defragmenting and moving your data towards the first sectors of the disk.


 

In a News Press Release yesterday, Microsoft Corp. announced the release to manufacturing (RTM) of Windows 7 and Windows Server 2008 R2.  Windows 7 should be generally available to customers around the world in mid to late October, and Windows Server 2008 R2 should be generally available on or before October.  To learn more, visit http://www.microsoft.com/Presspass/press/2009/jul09/07-22Windows7RTMPR.mspx


 

Microsoft has come out with a new way to handle license keys called Key Management Service. Through this new way of volume licensing, Server 2008 and Vista machines will check in with a server to be authenticated instead of having to check in at the Microsoft site.  To do this, you have to set up a KMS server (with software from Microsoft) as well as install a KMS Volume License Key (which is different than a traditional VLK).

From Microsoft.com:

Microsoft Key Management Service (KMS) for Windows Server 2003 SP1 and later is part of Microsoft Windows Volume Activation 2.0. It allows enterprise users to host KMS on Windows Server 2003 to enable activation of Windows Vista and Windows Server 2008 using a KMS key.


Microsoft Volume Activation 2.0 is a set of technical and policy solutions provided by Microsoft’s Software Protection Platform (SPP) that gives Microsoft customers more secure and easier methods to manage their volume license keys.


KMS based activation allows enterprise customers to host a local service within their environment to enable activation of machines running Windows Vista and Windows Server 2008 volume editions within their environment, instead of activation directly with Microsoft. Computers that have been activated using KMS are required to reactivate by connecting to a KMS host at least once every 6 months.


KMS keys are provided through Microsoft’s Volume Licensing System portals (MVLS, eOpen). The KMS host needs to be activated once with Microsoft either online or via telephone.

The drawback to this service is that you have to obtain the key from MS using a volume license agreement. Another issue is that you have to have 5 Server 2008 installations or 25 Vista installs for this to work (and VM machines do not count towards this number).

Download the Microsoft Key Management Service