News aggregator

Updated Resources and Tools for Windows Server 2008 Volume Activation

Windows Server Division WebLog - Mon, 03/10/2008 - 17:02

If you are a Volume Licensing customer, you have probably downloaded Windows Server 2008 already or you will be receiving it soon as part of your monthly DVD shipments.  As you start testing and getting ready for deployment, one thing you’ll need to plan for is Volume Activation.  Since we launched Windows Server 2008 a couple of weeks ago, we have updated a few resources to help you understand activation better and make it easier to use in your existing environment.

Windows Server 2008 uses the same volume activation technology as Windows Vista, so if you are familiar with how it works for Vista, the same principles apply with some minor changes.  For more details, see Volume Activation 2.0 Changes for Windows Server 2008 and Windows Vista SP1. On the other hand, if you are new to volume activation and need to ramp up quickly, there is a new Silverlight overview that goes over the basics and a KMS Setup Demo that you can download.  As well, we have updated most of the documents in the Volume Activation 2.0 Technical Guidance Center.

In addition to the new and updated content, we’ve updated the Key Management Service (KMS) for Windows Server 2003 so that you can run a single KMS host which supports volume license editions of both Windows Vista RTM & SP1 and Windows Server 2008.  The new KMS will also allow you to run it in a Windows Server 2003 virtual machine -- a big change from the original KMS.  If you plan to keep your KMS on WS2003, you’ll need this update right away.

KMS v1.1 for Windows Server 2003 is now available on the Microsoft Download Center at:

X86 (EN-US) -

X64 (EN-US) -

More details about the update are outlined on Michael Greene’s blog and on the download site.

Julius Sinkevicius


Speeding up installation of Exchange Server 2007 SP1 Prerequisites on Windows Server 2008

Microsoft Exchange Team Blog - Mon, 03/10/2008 - 16:09

Before you can install Exchange Server 2007 SP1 on Windows Server 2008, there are varying prerequisites that need to be installed, depending on the Exchange 2007 Server role you plan on installing. Details on how to install those prerequisites manually can be found in the Exchange 2007 SP1 documentation:

How to Install Exchange 2007 SP1 Prerequisites on Windows Server 2008 or Windows Vista

In this blog post, we wanted to share a set of XML files that you can use to simplify the process of installing those prerequisites. Please see the attached ZIP file near the end of this post.

The following XML files are available:

Exchange-Base.xml - this will install the prerequisites that are common for the majority of Exchange server roles. Note: To complete the installation, a reboot will be necessary. The reboot must be done before proceeding with the remaining Operating System prerequisites that are detailed below. If the AD management tools are not installed prior to installation of IIS 7 components, there are potential issues with IIS 7 configuration that can crop up as a result, hence the recommendation for a reboot.

Exchange-MBX.xml - this will install the rest of prerequisites that the Mailbox Server role requires.

Exchange-CAS.xml - this will install the rest of prerequisites that the Client Access Server role requires.

Exchange-Edge.xml - this will install the rest of prerequisites that the Edge role requires.

Exchange-UM.xml - this will install the rest of prerequisites that the Unified Messaging role requires.

Exchange-ClusMBX.xml - this will install the rest of prerequisites that a clustered Mailbox Server role requires. When compared to the previously mentioned Exchange-MBX.XML, this XML file also installs Failover Clustering.

The Hub Transport Server Role requires no further Operating System prerequisites, other than what is already specified in Exchange-Base.xml.

To run those XML files and install the OS prerequisites you need, you should run the following from the CMD line:

ServerManagerCmd -ip <path>\<Exchange-role>.XML

So to put this into real life - if you wanted to install let's say the Mailbox server role, you would first run the Exchange-Base.xml followed by Exchange-MBX.xml.

Using those XML files, you can also test whether the correct Operating System prerequisites have already been installed. For example, let's say I thought I had installed the clustered Mailbox Server prerequisites. I could run the following to verify:

ServerManagerCmd -w -ip <path>\exchange-clusmbx.xml

Note: Running in 'WhatIf' Mode.
Skipping [Web Server (IIS)] Web Server (IIS) because it is already installed on this computer.
Skipping [Web Server (IIS)] Basic Authentication because it is already installed on this computer.
Skipping [Web Server (IIS)] Windows Authentication because it is already installed on this computer.
Skipping [Web Server (IIS)] ISAPI Extensions because it is already installed on this computer.
Skipping [Web Server (IIS)] IIS 6 Metabase Compatibility because it is already installed on this computer.
Skipping [Web Server (IIS)] IIS 6 Management Console because it is already installed on this computer.
Specified for installation: [Failover Clustering]

This server may need to be restarted after the installation completes.

The above tells us that all the Operating System prerequisites have been installed, except for Failover Clustering. The remaining will be skipped, since they were installed sometime in the past. It does no harm to re-run the <Exchange-Role>.xml file if some of the prerequisites have already been installed; they will simply be skipped.

You can also quickly verify the OS components that have been installed by running:

ServerManagerCmd -q

Finally, you can download the XML files from here.

- Matt Richoux, Roman Maddox
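
The WhatIf check described in the post above can be scripted so that a role file is reviewed before it changes the server. The following is an added example, not part of the original post or its attached XML files: it parses the two kinds of output line quoted in the post and reports which components would still be installed. The helper name Get-PrerequisiteStatus is hypothetical, and the "[Role] Component" form of the "Specified for installation" line is an assumption modelled on the "Skipping" lines.

```powershell
# Added example: classify ServerManagerCmd -w (WhatIf) output lines.
# Get-PrerequisiteStatus is a hypothetical helper name.
function Get-PrerequisiteStatus {
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string]$Line
    )
    process {
        $text = "$Line".Trim()
        if ($text -match '^Skipping \[(.+?)\] (.+?) because it is already installed') {
            # "Skipping [Role] Component because it is already installed ..."
            New-Object PSObject -Property @{
                Status = 'Installed'; Role = $Matches[1]; Component = $Matches[2]
            }
        }
        elseif ($text -match '^Specified for installation: \[(.+?)\]\s*(.*)$') {
            # "[Component]" is the form shown in the post; "[Role] Component"
            # is an assumption modelled on the Skipping lines.
            $hasRole = [bool]$Matches[2]
            New-Object PSObject -Property @{
                Status    = 'Pending'
                Role      = $(if ($hasRole) { $Matches[1] } else { $null })
                Component = $(if ($hasRole) { $Matches[2] } else { $Matches[1] })
            }
        }
        # Banner, blank and restart-notice lines carry no component and are dropped.
    }
}

# Sample input: the WhatIf output quoted in the post, embedded so this runs offline.
$sample = @'
Note: Running in 'WhatIf' Mode.
Skipping [Web Server (IIS)] Web Server (IIS) because it is already installed on this computer.
Skipping [Web Server (IIS)] Basic Authentication because it is already installed on this computer.
Skipping [Web Server (IIS)] Windows Authentication because it is already installed on this computer.
Skipping [Web Server (IIS)] ISAPI Extensions because it is already installed on this computer.
Skipping [Web Server (IIS)] IIS 6 Metabase Compatibility because it is already installed on this computer.
Skipping [Web Server (IIS)] IIS 6 Management Console because it is already installed on this computer.
Specified for installation: [Failover Clustering]

This server may need to be restarted after the installation completes.
'@ -split "`r?`n"

$status  = @($sample | Get-PrerequisiteStatus)
$pending = @($status | Where-Object { $_.Status -eq 'Pending' })
$status | Format-Table Status, Role, Component -AutoSize

if ($pending.Count -gt 0) {
    $names = ($pending | ForEach-Object { $_.Component }) -join ', '
    Write-Warning "Not yet installed: $names"
}

# On the server itself, pipe the live output instead of $sample:
#   ServerManagerCmd -w -ip <path>\exchange-clusmbx.xml | Get-PrerequisiteStatus
```

Reviewing the pending list before dropping the -w switch also shows exactly which components a role file would add to the server.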

SBS myths "Tom"

Windows Server Division WebLog - Fri, 03/07/2008 - 22:01

In the course of talking to many Microsoft partners and customers, the Windows Small Business Server team has learned that there are sometimes misperceptions about the product, in many cases based on experiences with the earlier versions of SBS.  In hopes of dispelling some of these "myths," the team has created a video log by an "SBS guru" named Tom.  Take a look at some of the first videos, maybe have a few laughs, and play a game of "punch a wizard."  Look for new posts, too. 


This site discusses some of the SBS myths in a more, shall we say, straightforward way - such as:

I can't add additional servers to a Windows SBS domain

I can't run Terminal Services in the SBS domain.

SBS doesn't scale.

I can't upgrade my current server.

I'm going to outgrow SBS.

The Exchange mail store limit is too small.

SBS has scaled-down versions of the included applications.

I can't use tools from Windows Server in Windows SBS.

SBS isn't secure.






Highway to PowerShell V2 - WOW

Windows Powershell Team Blog - Fri, 03/07/2008 - 18:04

Ragnar Harper is a senior consultant and Advisor at Crayon AS in Norway.  Ragnar is also a big fan of PowerShell.  Recently he won a demo contest putting PowerShell through its paces.  At one point he did an import-csv of a large file and created Active Directory entries.   This took a while so while that was going, he used Guitar Hero and jammed to the following latest and greatest edition of Highway to PowerShell.  This is REALLY good stuff.  Check it out:

10,000 thanks for sharing that Ragnar - you've made my day!

Just wait till you see V2!

Jeffrey Snover [MSFT]
Windows Management Partner Architect
Visit the Windows PowerShell Team blog at:
Visit the Windows PowerShell ScriptCenter at:

Key Principles of Security

Ask the Performance Team - Fri, 03/07/2008 - 12:00

OK, so today's isn't really something "Performance" related, but nevertheless, I think we can all safely agree that this is something that all administrators should be aware of.  During our Windows Vista and Windows Server 2008 posts we've been talking about "reducing the attack surface" and other security enhancements.  So today we're going to go over some security concepts at a very high level.  If you have read through the Windows 2003 Resource Kit or the Windows Security Resource Kit, then this information will be quite familiar to you.

The basic skill in securing your environment is to understand the big picture.  In other words, not only how to secure your computers and networks, but also what your limitations might be.  We've all heard of the principle of least privilege.  If an application or user has privileges beyond what they really require to perform their tasks, then the potential exists for an attacker to take advantage of that fact to compromise your environment.  In the past, many domain administrators only had one account that they used for everything - reading email, administering the domain, writing documentation etc.  So if that administrator's account was somehow used to launch an attack, the attack was carried out with all of the domain administrator's privileges - often to devastating effect.  Many environments now separate the accounts based on the work being done.  For reading email etc., a domain administrator would have a normal user account.  However, they would have a second account that they would use for administrative tasks.  By separating the roles, you reduce the risks of widespread compromise.

Another key phrase that we're used to hearing is "Defense in Depth".  What does this mean?  If you use the analogy of the onion, then each layer that you peel away gets you closer to your critical asset(s).  At each layer you should protect your assets as if that was the outermost layer.  The net result is an aggregated security model.  The most common example of this is when dealing with email - incoming mail is filtered by the server for spam and malware, as well as on the client when email attachments are scanned before they are opened.

We mentioned the "Attack Surface" in the first paragraph.  What exactly does that mean?  If you think about it, an attacker only needs to know about a single vulnerability in your environment.  As the administrator, you have to know about all of your potential weaknesses - your attack surface.  The smaller the attack surface, the fewer potential targets for an attacker to exploit.  Reducing the attack surfaces takes a number of forms, such as limiting access to a machine, not installing unnecessary software, and disabling unneeded services.  One of the offerings in the Windows Server 2008 family, Server Core, dramatically reduces the attack surfaces by providing a minimal environment to run specific server roles.  We discussed this in an earlier post, called "Getting Started with Server Core."

One of the keys to security in an environment is the design.  Security should be an integral component of network and infrastructure design - the old adage, "an ounce of prevention is worth a pound of cure" is perhaps the best way to express this.  Beyond the initial design however, the actual deployment and ongoing maintenance of the environment have a major impact on security.  One example of where you may run into problems is if you attempt to secure a database application after it is implemented.  The very real risk in this scenario is that the application may not work after you secure it - and oftentimes, the pressure to maintain the application availability will trump the need to secure the application - or at least push the task of securing the application lower on the priority list.

So before we wrap up, there are a couple of very good articles to refer you to that discuss some of the principles we've talked about above.  Both of them were written by Scott Culp of the Microsoft Security Response Center.  The first article discusses "The 10 Immutable Laws of Security".  Very briefly, the 10 laws are:

  1. If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
  2. If a bad guy can alter the operating system on your computer, it's not your computer anymore
  3. If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
  4. If you allow a bad guy to upload programs to your website, it's not your website anymore
  5. Weak passwords trump strong security
  6. A computer is only as secure as the administrator is trustworthy
  7. Encrypted data is only as secure as the decryption key
  8. An out of date virus scanner is only marginally better than no virus scanner at all
  9. Absolute anonymity is not practical, in real life or on the web
  10. Technology is not a panacea

Scott's other article is titled "The 10 Immutable Laws of Security Administration" - and is a listing of ten basic laws regarding the nature of security.

Well, that's it for this post.  This was a little departure from what we normally cover, but hopefully you found this information useful!  Until next time ...

- CC Hameed

Microsoft Online Services announced

Microsoft Exchange Team Blog - Thu, 03/06/2008 - 20:45

On March 3 at the SharePoint Conference in Seattle, Bill Gates announced that Microsoft will offer Microsoft Online Services to businesses of all sizes. Microsoft Online Services include Exchange Online, SharePoint Online, Office Live Meeting, and Exchange Hosted Filtering.  These are enterprise-class software delivered as a subscription service, hosted by Microsoft and sold with partners.

For more information about the announcement, click through to the Press Pass article on the Microsoft site:

For more information on Microsoft Online Services, visit: You can also start following the team blog:

- Paul Englis

Apple licenses Exchange ActiveSync for the iPhone

Microsoft Exchange Team Blog - Thu, 03/06/2008 - 17:20

Today, Apple announced they have licensed the Exchange ActiveSync (EAS) protocol and are building support into the iPhone. We are happy to have them join the list of mobile device manufacturers supporting EAS.

Here is the Apple press release. Our official press piece is here.

By the way, our own Terry Myerson was in Cupertino for the announcement this morning. :)


Apple Senior VP of WW Product Marketing Phil Schiller and Exchange Corporate VP Terry Myerson chat at the iPhone press conference.

Obviously, we have been working together for a while on their implementation. What can we say today? They are doing Direct Push and most of the Exchange 2003 SP2 policies (including remote wipe). They are doing email, calendar and contacts sync, and global address lists. While previously you could get your Exchange mail on an iPhone via IMAP, getting contacts and calendar required a tethered sync through iTunes. Doing it wirelessly will be much better (IMHO).

Particularly noteworthy, Apple will implement a couple key Exchange 2007 EAS features.

  1. Autodiscover - This means those of you running Exchange 2007 can now make it super easy for your users to configure their iPhones to sync with Exchange. Here's what you do as an admin. All the iPhone user does is enter his/her email address and password. Pretty cool.
  2. HTML Mail - See your mail in its full HTML glory. Obviously the iPhone shows mail in HTML format today, so it's safe to assume your Exchange mail will retain its HTML formatting on the iPhone as well.

I don't have a lot more to say about the iPhone. Perhaps after I've worked with it a bit I'll share some more thoughts.

While we're here, let's note a couple updates from some other EAS licensees since our last post.

  • Nokia has revved their Mail for Exchange application and now supports it on most of the N and E Series smartphones. (I personally prefer the Nokia E61i as a workday phone, and the Nokia E90 when I travel for business.) Mail for Exchange can be downloaded here.
  • Sony Ericsson is shipping some cool phones with EAS support. Check out the W960i Walkman. And two that often get grabbed out of my hands are the Z750i featuring a "hidden" external display (mine is "Mysterious Purple") and the sleek K630 (mine is in "Chocolate").
  • Palm is shipping the Palm Centro with EAS support.
  • Remoba announced its EAS implementation, RemoSync, and expects to make it available soon.

Here's a list of publicly announced Exchange ActiveSync protocol licensees.

- Ed Hott

March 2008 Advance Notification

Hello, Bill here.

I wanted to let you know that we just posted our Advance Notification for next week’s bulletin release which will occur on Tuesday, March 11, 2008 around 10 a.m. Pacific Standard Time.

It is important to remember that while the information posted below is intended to help with your planning, because it is preliminary information, it is subject to change.

As part of our regularly scheduled bulletin release, we’re currently planning to release:


  • Four Microsoft Security Bulletins rated Critical. These updates may require a restart and will be detectable using the Microsoft Baseline Security Analyzer.


As we do each month, the Microsoft Windows Malicious Software Removal Tool will be updated.


Finally, we are planning to release three high-priority, non-security updates on Windows Update and Windows Server Update Services (WSUS) as well as two high-priority, non-security updates on Microsoft Update and Windows Server Update Services (WSUS).


As always, we’ll be holding the March edition of the monthly security bulletin webcast on Wednesday, March 12, 2008 at 11 a.m., Pacific Standard Time.  We will review this month’s release and take your questions live on-air with answers from our panel of experts. As a friendly reminder, if you can’t make the live webcast, you can listen to it on-demand as well.


You can register for the webcast here:



Bill Sisk

*This posting is provided "AS IS" with no warranties, and confers no rights.*