Certification-kb11 070-643 Configuring Windows Server 2008 Applications Infrastructure - Exam Notes
From JBKB
Version: 1.0.0
Difficulty level: n/a
Status: Ready
Introduction
This KB covers some exam notes for 070-643 Configuring Windows Server 2008 Applications Infrastructure. All notes are written by John Bryntze.
Important! This is NOT a braindump or the like.
The 070-643 Exam objectives are the following:
- Deploying Servers
- Configuring Terminal Services
- Configuring a Web Services Infrastructure
- Configuring Network Application Services
Deploying Servers
Deploy images by using Windows Deployment Services
Know that the WIM format is hardware independent, that images can be modified/mounted offline, and that ACLs and settings are defined in XML files.
Install and use WAIK, and look especially at ImageX and Windows SIM.
Capture Windows Deployment Services images/Configure Windows Deployment Services
Windows Deployment Services (from now on WDS in this KB) needs the following to work:
- Active Directory (which of course needs DNS)
- DHCP - with a scope that provides IP addresses to deployment clients and provides the PXE option.
- Clients that are PXE compatible and enabled. (If clients aren't PXE bootable you can create a discover image, put it on a bootable CD/DVD or USB flash disk and run it from there; the discover image contains information such as which WDS server should respond.)

Example of a WDS client (in Virtual PC 2007) PXE booting and waiting for F12 to be pressed to download a boot image
When configuring the WDS server, be sure to understand the 3 PXE Server options:
1. Do not respond to client computer - This is like disabling WDS.
2. Respond only to known computers - Only machines that have already been pre-staged in Active Directory will work.

Machine account created in ADUC, adding MAC address to pre-stage an account for WDS deployment
3. Respond to all (known and unknown) client computers - Will respond to pre-staged and unknown clients.
In WDS, add a boot image, for example boot.wim (WinPE 2.0), to be able to boot the client. Then add an install image, for example install.wim, to do the actual installation of the OS.
To automate further, create answer files in XML format with the help of, for example, Windows SIM.
Remember that if the DHCP service is running on the same server as WDS you need to make WDS listen on port 60 (instead of the default 67).
The command-line utility has the easy name wdsutil and can do most tasks, such as adding a boot image or an install image, setting WDS to use DHCP port 60 instead of 67, choosing how to answer clients, etc.
wdsutil /Set-Server /AnswerClients:All - this command configures the WDS server to respond to all client requests.
wdsutil /Add-Image /ImageFile:D:\source\install.wim /ImageType:install /ImageGroup:JBKBGroup - this command adds an install image to the group JBKBGroup.
Install from Media
If you install from DVD media you can create an Autounattend.xml answer file (with the help of Windows SIM). Windows Setup looks for this file in the root of all removable devices, such as CD/DVD/USB disks, to run an automated installation.
Configuring Microsoft Windows Activation
Know the different activation types:
- MAK (Multiple Activation Key) - Works fine for smaller environments: one activation and the server is activated forever (unless there are bigger changes in hardware, in which case a reactivation might be needed). If you have, for example, laptop machines that will not be connected to your network for 180 days, then MAK is your choice for those clients. You enter the MAK key locally on the server or remotely with the Volume Activation Management Tool (VAMT). To activate Server Core you need to use the slmgr command. If the machines cannot be activated over the Internet because they have no Internet access, MAK Proxy activation can be used with VAMT, which uses the activation requests for other computers in an XML file with Confirmation IDs (CIDs). The Internet-connected VAMT machine sends the XML file for activation and then updates the requesting machines' XML files.
- KMS (Key Management Service) - The KMS host connects to Microsoft once; after that all clients can activate directly against a local KMS host. Each client that has been activated by the local KMS host must renew the activation every 180 days; if not, the client will get reduced functionality. KMS needs a minimum number of physical computers to connect before it works - for Windows Server 2008 at least 5 clients (Windows Server 2008 or Vista) and for Vista at least 25 clients (Windows Server 2008 or Vista).
By default, KMS clients look in DNS for an SRV record (_vlmcs._TCP) that points to the KMS host on port 1688/TCP (if this port is blocked you will have problems); this is called Autodiscovery.
You can activate manually (called Direct connection) with slmgr.vbs (in %systemroot%\system32) and specify a KMS host with the following command:
cscript %systemroot%\system32\slmgr.vbs -skms KMSHost.JBKB.LOCAL - Where KMSHost.JBKB.LOCAL is the DNS name of the KMS host.
Exam Tip: By default, KMS clients contact DNS to find an SRV record that locates the KMS host to activate against. This SRV record is created automatically, but if that fails you will need to create it yourself.
Install a KMS server (KMS Host)
The KMS host/server is already installed and just needs to be activated with the slmgr.vbs command: cscript %systemroot%\system32\slmgr.vbs -ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx and then activated on the Internet with: cscript %systemroot%\system32\slmgr.vbs -ato.
Configure Windows Server Hyper-V and virtual machines
Know the differences and benefits between Virtual PC 2007/Virtual Server 2005 R2 SP1/Hyper-V.
Virtual PC 2007: Supports VHD files; the host OS can be 32 or 64 bit, the guest OS can only be 32-bit; only one single-core CPU per guest.
Virtual Server 2005 R2 SP1: Includes everything in Virtual PC 2007 plus support for some Linux distributions such as Red Hat/SuSE and Sun Solaris as guest OS, cluster and NLB support, multiprocessor support, SCSI support and conversion of a physical machine to virtual (VHD).
Hyper-V: Is the only one of the 3 that supports 64-bit guest OS; can assign 32 GB of RAM per guest; virtual machine snapshots.
Hyper-V
Hyper-V runs on a Windows Server 2008 host OS only and is probably tested more on the exam because of that. Know this (in bold extra important):
- Hyper-V has an extra layer called the Hypervisor, which gives each host and guest OS direct access to the hardware layer (without passing through the host OS, as a guest OS must do on, for example, Virtual PC)
- Hyper-V supports 64-bit guest OS
- Multicore and multiprocessor guest support
- A Hyper-V guest can be assigned up to 32 GB of RAM
- Hyper-V supports virtual machine snapshots of running machines to easily revert back to an earlier state.
- Integration Components (called VM additions in Virtual PC/Server)
- Enhanced NLB support
It is important to know that Hyper-V can run on all 64-bit editions of Windows Server 2008 (even Server Core!) except the Web edition, and that a supported CPU is needed, with Intel VT/XD bit or AMD-V/NX bit (enabled in BIOS).
On Server Core, Hyper-V is installed with this command (case sensitive):
start /w ocsetup Microsoft-Hyper-V
Hyper-V supports 3 different hard disk types (VHD)
- Dynamically expanding - Starts small and grows as needed; doesn't auto shrink when files are deleted.
- Fixed - As the name implies, the size is fixed (like in Virtual PC and Server)
- Differencing - This disk is a child of another disk (preferably a non-differencing one); all changes go to the child disk and are merged on demand into the original disk.
Hyper-V supports 3 different networks
- External - Uses the physical NIC and can act as a DHCP client on a "real" net
- Internal - A protected virtual net where all virtual machines can communicate (but not externally to the Internet)
- Private - Like Internal but can only connect to other guest virtual machines, not to the host machine.
Know that Hyper-V supports logical VLANs, making it possible to have different internal networks by setting different VLAN IDs.
Configure high availability
Round-robin DNS uses multiple A records pointing to different server IP addresses to share the load. If one server goes down, DNS will still direct requests there, so it is not the best solution.
Network Load Balancing is usable for web farms whose servers share the requests. The NLB cluster gets notified when an NLB node is offline and stops directing requests there.
Failover Clustering is the best but most costly solution. The cluster nodes need cluster-certified hardware and all nodes need to have the "same" hardware. If one node goes down, its services can fail over to another node. Know that the Witness disk (previously called Quorum) is a shared volume that contains the cluster configuration.
Configure storage
Network Attached Storage (NAS)
NAS is file based and is slower than DAS, but it is easy to implement and can easily provide disk storage to a lot of different servers over the LAN.
Storage-Area Networks
The exam might ask about two different types, Fibre Channel (FC) and iSCSI. They have the following in common: fast data transfer, the storage can move from server to server, but only one server can access it at a time. A SAN uses block-based data transfer.
Fibre Channel: Normally supports up to 10 km of distance between storage and server. A well-known technology, but expensive. Needs an HBA (Host Bus Adapter) to connect to storage.
iSCSI: Uses TCP/IP and should preferably have a dedicated network just for this, which can make this normally cheap technology more expensive, and the speed is limited to the Ethernet network speed. Supports very long distances (due to TCP/IP) and can be secured by CHAP/IPSec. Uses software agents called iSCSI initiators, and iSNS, which can be thought of as a DNS for iSCSI. iSCSI targets could be switches. The SAN Fabric is everything that is between the clients and the storage.
Know for the exam that VDS (Virtual Disk Service) is an API for vendors to expose SAN hardware to Windows admin tools.
RAID types
Know that Microsoft's software RAID needs dynamic disks and that disks are converted automatically in Windows Server 2008; older Windows OS cannot read dynamic disks.
Spanned volumes give more disk space but no fault tolerance; striped volumes (RAID 0) give very good performance but no fault tolerance; mirrored volumes (RAID 1) give only 50% of the disk for data but give high fault tolerance and good read performance; a RAID 5 volume loses one disk in the set to parity data and gives fairly high fault tolerance and good read performance.
Shrink volume is a new feature in Windows Server 2008: you can decrease the size of a volume that is not using all of its space (it exists in Vista also, and in reality volumes that have system files can be harder to shrink).

Mount Points can be used to mount a volume into an empty folder on an existing disk.
Exam test check
Configuring Terminal Services
Know that to enable Terminal Services on a Windows Server 2008 Server Core installation you need to type in the following command:
cscript scregedit.wsf /AR 0
To allow RDP clients older than 6.0 and operating systems that do not support NLA, use the following command:
cscript scregedit.wsf /CS 0
Configure Windows Server 2008 Terminal Services RemoteApp (TS RemoteApp)
Applications that show up in TS RemoteApp need to be installed in Install Mode in one of 3 different ways:
- Msiexec (an MSI package uses Terminal Installation mode by default)
- CMD: Change User /install or chgusr /install
- Control Panel -> Install application on Terminal Server
Then the application needs to be added to the RemoteApp Program List by the Add RemoteApp Program wizard.

TS RemoteApp is a way to publish only a program (unlike earlier versions of Terminal Services, where you could only publish a full desktop and start a program from there) in one of 2 ways:
- Through the web with TS Web Access (needs IIS) - use Add RemoteApp Programs and the program will by default be visible at the URL http://JBKB-TS01/ts or https://JBKB-TS01/ts
- Through RDP files or MSI files - RDP files just launch the program (if the server name changes, the RDP file needs to be recreated). An MSI file can create shortcuts and associate file extensions with the program.
Exam Tips: If you need shortcuts or file extension association, MSI is your choice; know that for the exam.

TS RemoteApp application Calculator selected and got options to create RDP file or MSI package
Remember for the exam and real life that TS Web Access is needed for displaying remote apps by web browser and that TS Web Access can only display programs from one TS server.
Configure Terminal Services Gateway
Terminal Services Gateway (called TS Gateway in the rest of this KB) is normally used to let external users connect over HTTPS (443/tcp) to a Terminal Services server or farm (this has been possible in Citrix for a long time but is new to Windows Terminal Services in Windows Server 2008). The TS Gateway then continues the communication over normal RDP (3389/tcp) back to the Terminal Services server hosting a desktop or a RemoteApp.
If you have an ISA server, let it redirect traffic to a TS Gateway on the inside. If you have no ISA server, you should put the TS Gateway server in the DMZ and open up TCP/IP ports for RDP and all ports needed for Active Directory Domain Services, which needs to reside in the DMZ or on the TS Gateway (huge security risk). The ISA server needs a certificate installed that remote clients and Terminal Services trust.
TS Gateway is a separate installation and needs Active Directory Domain Services, IIS and NPS (Network Policy Server) to work.

Select to install Terminal Services Gateway

Services that need to be installed for Terminal Services Gateway; those are IIS and NPS.
Terminal Services Connection Authorization Policy (TS CAP)
Terminal Services Connection Authorization Policy (written TS CAP in the rest of this KB) is used between the external client (normally on the Internet) and the TS Gateway and can do the following:
- Decide which groups can connect (default only Administrators)
- Prevent client devices such as local printers and USB drives (this applies only to external clients)
Terminal Services Resource Authorization Policy (TS RAP)
Terminal Services Resource Authorization Policy (written TS RAP in the rest of this KB) is used from the TS Gateway to the inside (resources) to specify which user/computer groups can connect to which Terminal Services server.
In this policy you can also specify which port clients should use (default is 3389/tcp).

TS RAP changing default port from 3389 to 1976 and 10033
Exam Tips: Know about TS CAP and TS RAP. Know that TS CAP comes first and is used when connecting externally to the TS Gateway, and that TS RAP is used from the TS Gateway to resources (Terminal Services servers).
Configure Terminal Services load balancing
TS Session Broker
The server that has TS Session Broker installed needs to be a member of the domain and is used to balance sessions in a Terminal Services farm. To add a Terminal Services server to a farm, the following needs to be done:
- Check Join a farm in TS Session Broker
- Enter the TS Session Broker server and the farm name (example in the image below)
Exam Tips: Know that all TS servers that join the farm must be members of the local security group "Session Directory Computers" on the TS Session Broker server.
Settings through group policies
There are several GPO settings; know these printer-related settings:
- Do Not allow Client Printer Redirection - No print jobs can go to the local client.
- Redirect Only The Default Client Printer - If the client has multiple local printers, only the default printer will be redirected.
- Do Not Set Default Printer To Be Default Printer in A Session - By default the local default printer is also the default printer in a TS session; if this GPO is enabled that will not be the case.
- Specify Terminal Server Fallback Printer Driver Behavior - What to do if the Terminal Server doesn't have a printer driver matching a client's printer: fall back on PCL or PS or both.
- Use Terminal Services Easy Printer Driver First - The Terminal Server will try the Easy Printer Driver first and, if that doesn't work, try the specific printer driver (this setting is ignored if Do Not allow Client Printer Redirection is enabled).
Configure and monitor Terminal Services resources
Windows Server Resource Manager
With WSRM (Server Resource Manager) you can guarantee that no single user/process takes all the CPU/RAM of the Terminal Server, with the help of Resource Allocation Policies. By default there are 4 built-in Resource Allocation Policies in Windows Server 2008, of which 2 are Terminal Server specific:
- Equal_Per_User - shared CPU by all users (5 users = 20% each)
- Equal_Per_Session - shared CPU by sessions/processes.
You can create your own Resource Allocation Policy and allocate CPU/RAM resources.
Configure Terminal Services licensing
Know that you have User or Device licenses. If there are 2 machines used by 10 users, a User CAL is probably preferable, but if there are 20 machines/devices with RDP and only 12 users, a Device CAL is probably preferable. You have the choice of not setting any license mode, but then the Terminal Server will stop working after 120 days.
License Server is a Role Service called TS Licensing.
Configure Terminal Services client connections
Single sign-on
SSO (single sign-on) basically means that the logged-on user's existing credentials are used when connecting with mstsc. This can be enabled by GPO under: Computer Configuration\Policies\Administrative Templates\System\Credentials Delegation

Here you can specify each Terminal Server that accepts existing credentials (Allow Delegating Default Credentials), for example:
TERMSRV/JBKB-TS01
Or for all servers in a domain
TERMSRV/*.JBKB.LOCAL
or for ALL Terminal Servers
TERMSRV/*
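The three entries above differ a lot in how widely the logged-on user's credentials are delegated. The PowerShell below is an added example, not part of the original KB: it classifies each entry by breadth and shows which entries cover a given server. The function names, the servers ts02.jbkb.local and rdp.example.net, and the use of -like as the matching rule are assumptions made for the illustration.

```powershell
# Added example (not from the original KB). Classifies "Allow Delegating Default
# Credentials" entries by breadth and shows which entries cover a given server.
# Assumption: entries match case-insensitively with * as a wildcard (approximated by -like).

function Get-DelegationBreadth {
    param([string]$Entry)
    # Expected form is SERVICE/target, for example TERMSRV/JBKB-TS01
    if ($Entry -match '^(?<svc>[^/]+)/(?<target>.+)$') {
        $target = $Matches['target']
        if ($target -eq '*')          { return 'AnyHost' }          # every server, in any domain
        if ($target.StartsWith('*.')) { return 'DomainWildcard' }   # every server under one DNS suffix
        if ($target.Contains('*'))    { return 'PartialWildcard' }
        return 'SingleHost'
    }
    return 'Malformed'
}

function Get-MatchingEntry {
    param([string[]]$Entries, [string]$Server)
    $spn = "TERMSRV/$Server"
    # @() keeps the result an array even when zero or one entry matches
    @($Entries | Where-Object { $spn -like $_ })
}

function Get-PolicyEntry {
    # Registry location where the Group Policy setting stores its list on a client.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials'
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item $key
    @($item.GetValueNames() | ForEach-Object { $item.GetValue($_) })
}

# Use the live policy if one is applied, otherwise the three entries from the text above.
$entries = @(Get-PolicyEntry)
if ($entries.Count -eq 0) {
    $entries = @('TERMSRV/JBKB-TS01', 'TERMSRV/*.JBKB.LOCAL', 'TERMSRV/*')
}

# JBKB-TS01 is from the text; the other two names are constructed for the example,
# the last one standing for a server outside the JBKB.LOCAL domain.
$servers = @('JBKB-TS01', 'ts02.jbkb.local', 'rdp.example.net')

$entries |
    Select-Object @{n='Entry';   e={ $_ }},
                  @{n='Breadth'; e={ Get-DelegationBreadth $_ }} |
    Format-Table -AutoSize

$servers |
    Select-Object @{n='Server';      e={ $_ }},
                  @{n='DelegatedBy'; e={ (Get-MatchingEntry -Entries $entries -Server $_) -join ', ' }} |
    Format-Table -AutoSize
```

Every server that matches an entry receives the logged-on user's credentials when the user connects to it, so an entry classified as AnyHost is the one to look for when auditing this policy.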
Terminal Services Profiles
Know that by default the user profile is saved locally on the Terminal Server at c:\users\%UserName% unless something else is stated on the user's object in the ADUC Terminal Services Profile tab.
It is not recommended to use normal roaming user profiles; use Terminal Services user profiles instead. These can either be specified per user as in the image above or, preferably, set by GPO: Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Profiles, where you set the path to the profile location in Set Path for TS Roaming User Profile (remember that you don't have to specify %UserName% or the like; the Terminal Server sets this automatically).

It is important to remember that you can restrict/limit profile size with the help of Disk Quotas, which can be useful on Terminal Servers that host profiles and have many users and limited disk size.
Terminal Services home folders
Just like the profile, the home folder is by default located on the Terminal Services server; this can be changed either by specifying another home folder path directly on the user object in ADUC or by GPO: Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Profiles - Set TS User Home Directory

Configure Terminal Services server options
Know that:
- Log Off - Ends a user session; unsaved data is lost. CMD tool is called Logoff.
- Disconnect - Disconnects a user from a session, but the session itself is still active and takes server resources. Permissions needed are either Full Control or Disconnect on RDP-TCP. CMD tool is called Tsdiscon.
- Reset - Deletes a session (without logging off); good to use when a session stops responding (if only a process doesn't respond, use End Process, see below). Permission needed is Full Control on RDP-TCP. CMD tool is called Rwinsta or reset session.
- Remote Control - Can view or control a user session. Permissions needed are either Full Control or Remote Control on RDP-TCP. CMD tool is shadow.

RDP-TCP permission set for JBKBAdmin1 user.
- End Process - Ends a process within a session; for example, if Internet Explorer hangs and takes a lot of resources you can close only the iexplore.exe process to release server resources. CMD tool is tskill.
C:\>logoff /?
Terminates a session.
LOGOFF [sessionname | sessionid] [/SERVER:servername] [/V]
sessionname The name of the session.
sessionid The ID of the session.
/SERVER:servername Specifies the Terminal server containing the user
session to log off (default is current).
/V Displays information about the actions performed.
C:\>Tsdiscon /?
Disconnects a terminal session.
TSDISCON [sessionid | sessionname] [/SERVER:servername] [/V]
sessionid The ID of the session.
sessionname The name of the session.
/SERVER:servername Specifies the Terminal server (default is current).
/V Displays information about the actions performed.
C:\>rwinsta /?
Reset the session subsytem hardware and software to known initial values.
RESET SESSION {sessionname | sessionid} [/SERVER:servername] [/V]
sessionname Identifies the session with name sessionname.
sessionid Identifies the session with ID sessionid.
/SERVER:servername The server containing the session (default is current).
/V Display additional information.
C:\>shadow /?
Monitor another Terminal Services session.
SHADOW {sessionname | sessionid} [/SERVER:servername] [/V]
sessionname Identifies the session with name sessionname.
sessionid Identifies the session with ID sessionid.
/SERVER:servername The server containing the session (default is current).
/V Display information about actions being performed.
C:\>tskill /?
Ends a process.
TSKILL processid | processname [/SERVER:servername] [/ID:sessionid | /A] [/V]
processid Process ID for the process to be terminated.
processname Process name to be terminated.
/SERVER:servername Server containing processID (default is current).
/ID or /A must be specified when using processname
and /SERVER
/ID:sessionid End process running under the specified session.
/A End process running under ALL sessions.
/V Display information about actions being performed.
Exam test check
Configuring a Web Services Infrastructure
Configure Web applications
Know that the ApplicationHost.config file (an XML file) holds system-wide settings and Web.config is per Web application/site; Web.config wins over ApplicationHost.config when they conflict.
Know that in an IIS server farm all the servers can share the same configuration: export the configuration you want from an IIS server (with a password) to a central place and then point all the farm members to that UNC path. This is called Shared Configuration.
Application Pools
For each new web site an application pool is created with the same name, but you don't need to use it for the site; many sites can share one application pool. The downside of sharing an application pool is that if it crashes or has other problems, all sites using that application pool are affected.
By default there are 2 Application Pools: Classic .NET AppPool and DefaultAppPool.

The .NET version can be chosen from the versions installed on the server.
Managed pipeline mode: Integrated (for newer IIS7 applications) and Classic (for older IIS6 applications)
Instead of stopping an Application Pool you can use the Recycle function to fix a memory leak or other problem. Recycle will try to retire the current worker processes and replace them with new ones.
Manage Web sites
Migrate sites and Web applications
To migrate from IIS6 to IIS7, either:
- Do a (risky) in-place upgrade of Windows Server 2003 to Windows Server 2008; it will upgrade and add components/support for existing IIS6 features
- Copy all files from the IIS6 server to the IIS7 server and apply settings.
An IIS6 web application that supports ASP.NET might need the application pool to be set to Classic pipeline mode (not the IIS7 .NET Integrated Mode pipeline).
Configure Virtual Directories
For virtual directories only an alias name, physical path to the folder and authentication method are needed (default set to Pass-through authentication, but can be changed to a user name)
Delegation of administrative rights
To enable Remote Management do the following:
- Add IIS Management Service role
- Check the Enable remote connection check box and specify which users can administer (Windows and/or IIS Manager credentials)
- Make sure port 8172/tcp is allowed (default and needed for remote administration)
- Decide what remote users can administer by selecting in Feature Delegation (permissions such as Read Only, Read/Write, Configuration Read/Write)
Configure a File Transfer Protocol (FTP) Server
By default Windows Server 2008 comes with FTP version 6, which is managed with the IIS 6.0 console. You can download FTP version 7 (well, actually version 7.5 as I'm writing this KB): http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1619 (32 bit).
Know that in order to install FTPv7 you must first uninstall FTPv6. FTPv7 supports SSL-encrypted connections and makes it easier to add FTP bindings to web sites.

Creating an FTP site binding
Configure Simple Mail Transfer Protocol (SMTP)
SMTP Relay
Know that for security (so that spammers cannot send through your SMTP server) you should make sure that the default anonymous access isn't enabled on the external interface facing the Internet. You can also specify that only certain IP addresses can send through the SMTP server.
You can configure the SMTP virtual server to send to a smart host, to masquerade the domain (change the outgoing email domain, for example @jbkb.local to @jbkb.com) or to do a reverse DNS lookup (reduces performance but increases security).
Manage Internet Information Services (IIS)
IIS configuration backup
Saving a copy of the Web.config file (described earlier in this KB) is a good manual backup of the configuration, but even better is using AppCmd.exe.
AppCmd add backup "JBKB Backup"
This backs up the IIS configuration to a text file.
AppCmd restore backup "JBKB Backup"
This restores the backup "JBKB Backup".
Know that IIS configuration settings are automatically stored in c:\Inetpub\history so any backup running on that directory will have a backup of the IIS configuration.
Configure SSL Security
Know that there are 3 different types of certificates in IIS:
- 3rd party certificates (from, for example, VeriSign http://www.verisign.com/ssl/), most expensive but most secure and useful
- Internal CA certificate; nobody external trusts this certificate by default unless they choose to trust the CA root certificate.
- Self signed certificate, easy setup but low security and only really useful for lab and test.
Create a cert request including organization legal name and cryptographic info.
Submit the request to the CA.
Get the certificate and import it into IIS
Check that the site requires SSL (if not, users can still access the site over HTTP on 80/tcp).
Configure Web site authentication and permissions
IIS 7.0 has a standard user account named IUSR and a group named IIS_IUSRS that are used for anonymous access.
Client certificate mappings
There are 3 different client certificate mappings.
- One-to-One mapping - each client has a separate client certificate and the server must have all of them (high security but harder to manage)
- Many-to-One mapping - uses wildcard matching rules that verify whether a client certificate contains specific information, such as issuer or subject. This mapping does not compare the actual client certificate, but rather accepts all of the client certificates that fulfill the specific criteria. If a client gets another certificate containing all of the same user information, the existing mapping will work.
- Active Directory mapping - as the name implies, you use Active Directory Certificate Services; easy to implement, but you need an internal certificate infrastructure and it works best for domain users (not external Internet users)
Configure site permission
You have 2 types of web users: IIS internal users, which can be a good idea if you have external users who don't need Active Directory accounts, and Active Directory users, which can always be used.
Know the different challenge-based authentication methods:
- Basic authentication - less secure, needs SSL or TLS to make it encrypted.
- Digest authentication - more secure since it transfers logon credentials securely. Requires HTTP 1.1 (all newer browsers support this).
- Windows authentication - NTLM/Kerberos authentication, secure but works best for intranets.
Know that you can restrict access to a web site/folder/file with IPv4 Address And Domain Restriction, based on which IP address or subnet the client comes from.
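Two points from the sections above, that a site has to require SSL and that Basic authentication needs SSL or TLS, can be checked together from the IIS configuration. The PowerShell below is an added example, not part of the original KB; it runs against a constructed sample laid out like the location sections of applicationHost.config, and the site names and the function name are made up for the illustration.

```powershell
# Added example (not from the original KB). Flags sites that do not require SSL and
# sites that offer Basic authentication without it.
# Constructed sample in the layout of <location> sections in applicationHost.config.
[xml]$sample = @'
<configuration>
  <location path="JBKB Intranet">
    <system.webServer>
      <security>
        <access sslFlags="Ssl" />
        <authentication>
          <anonymousAuthentication enabled="false" />
          <basicAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
  <location path="JBKB Partners">
    <system.webServer>
      <security>
        <access sslFlags="None" />
        <authentication>
          <anonymousAuthentication enabled="false" />
          <basicAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
  <location path="JBKB Public">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
'@

function Get-SslAuthFinding {
    param([xml]$Config)
    foreach ($loc in $Config.SelectNodes('/configuration/location')) {
        $access = $loc.SelectSingleNode('system.webServer/security/access')
        $basic  = $loc.SelectSingleNode('system.webServer/security/authentication/basicAuthentication')

        # sslFlags is a comma-separated list; the Ssl flag is what makes SSL mandatory.
        # Assumption: a missing <access> element is treated as None here; on a real
        # server the value is then inherited from the parent level.
        $flags = @('None')
        if ($null -ne $access) {
            $flags = @($access.GetAttribute('sslFlags') -split ',' | ForEach-Object { $_.Trim() })
        }
        $requireSsl = $flags -contains 'Ssl'
        $basicOn    = ($null -ne $basic) -and ($basic.GetAttribute('enabled') -eq 'true')

        if ($basicOn -and -not $requireSsl) { $finding = 'Basic authentication offered without required SSL' }
        elseif (-not $requireSsl)           { $finding = 'SSL not required; plain HTTP still accepted' }
        else                                { $finding = 'OK' }

        New-Object PSObject -Property @{
            Path      = $loc.GetAttribute('path')
            SslFlags  = ($flags -join ',')
            BasicAuth = $basicOn
            Finding   = $finding
        } | Select-Object Path, SslFlags, BasicAuth, Finding
    }
}

Get-SslAuthFinding -Config $sample | Format-Table -AutoSize
```

To audit a real server, load %windir%\System32\inetsrv\config\applicationHost.config with Get-Content, cast it to [xml] and pass it in place of the sample.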
Exam test check
Configuring Network Application Services
Configure Windows Media Server
Windows Media Server is an optional role that you need to download (http://www.microsoft.com/downloads/details.aspx?FamilyID=9ccf6312-723b-4577-be58-7caab2e1c5b7&displaylang=en). Like IIS it has a root, but in Windows Media Services it is located at %SystemDrive%\WMpub\WMRoot.
There are basically 2 different modes:
- Live broadcast - the media cannot be stopped or fast forwarded, it is live! It can however be recorded and watched later.
- On-demand - the media can be paused and FF/RW, good for training videos etc.

For On-demand it is preferable to use Unicast. Unicast is announced with an .asx (Announcement File) with a URL, for example mms://jbkb.local/show
Live Broadcast benefits from being sent as Multicast if the hardware supports it. Multicast can use an .nsc (Multicast Information File) together with an .asx (Announcement File) to publish to the end user.
Real-time streaming can use RTSP (Real-Time Streaming Protocol), which uses port 554/UDP, but if RTSP isn't supported (clients need to have Windows Media Player 9 or later) or is blocked, Windows Media Services can stream over HTTP (80/TCP).
Know that, like IIS, WMS uses an anonymous user for NTFS access, and the account is named WMUS_servername.

Caching and proxy
By default this setting is disabled.
A Windows Media Service can act both as a content server and a proxy for another server.
Caching
You can enable caching by checking the Enable caching check box.

Other options are:
- set cache limit (quota)
- Enable Freshness check (check that cached data is still up to date)
- Enable play while archiving
- Caching speed from original content server (Maximum, Content bit rate, set value in Kbps)
Know that there is a Prestuff button that caches content that hasn't even been requested.
Proxy
Proxy is a way for a Windows Media Server to take client requests on behalf of another origin/source server to reduce the load on that server. There are 3 different Proxy options:
- Proxy - default, the server appears to the client as the same as the source server.
- Proxy Redirect - The client gets redirected to another server (Load Balance)
- Reverse Proxy - redirect incoming requests to a specific publishing point.
Configure Digital Rights Management (DRM)
Know that you can protect media with DRM and also decide how the media can be used with DRM, but the application must be DRM aware/compatible. You can install Active Directory Rights Management Services to support this.
Configure Microsoft Windows SharePoint Services server options
Install SharePoint Services 3.0 with SP1 included (SP1 must be included for Windows 2008 or the installation will fail; at the time of writing this KB, SharePoint Services with SP2 included exists: http://www.microsoft.com/downloads/details.aspx?FamilyID=ef93e453-75f1-45df-8c6f-4565e8549c2a&DisplayLang=en )
Either install standalone (single WSS server) or in farm (multiple WSS servers)
- Stand alone: uses a Windows Internal Database for data storage, needs .NET Framework 3.0. Easy to set up but cannot grow.
- Farm: needs several servers, front-end servers and a back-end SQL server, either SQL 2000 or SQL 2005, for data storage. More advanced setup but scalable.
Know that all GUI administration is done with a web browser (SharePoint 3.0 Central Administration) but there is also a command line tool that has the strange name stsadm.exe (the reason for this name is that WSS was initially named SharePoint Team Services (STS).)
Antivirus
By default there is no antivirus installed for WSS, but a 3rd party antivirus product can scan documents that are transferred between WSS and the client.
Backup and restore
Backup is done via Central Administration -> Operations -> Perform a backup
You can select Farm level (even if you installed stand alone), which includes all of WSS, or just part of it such as the search index, a specific site or the configuration. You also have two choices of backup type, incremental or full backup.
To restore, you just point to the folder/backup and then choose what parts to restore and, most importantly, choose whether the restore should use Same Configuration (will write over just the files) or New Configuration (can be used to restore to a new location with new settings to keep the old site and settings).
Quota templates
By default there are no quota templates, but those can easily be created with a limit set in MB and also a warning level in MB with an email to the site administrator.
Configure Windows SharePoint Services e-mail integration
WSS can be configured to use an SMTP server to send and receive emails (if no SMTP server can be used, emails can be dropped to a folder instead). By default, receiving emails from users is disabled. Know that you can configure incoming email attachments to be saved either in the root, in a folder named after the subject of the email, or in a folder named after the sender address.
Exam test check
Links
http://www.microsoft.com/learning/en/us/exams/70-643.mspx
http://www.microsoft.com/downloads/details.aspx?FamilyID=ef93e453-75f1-45df-8c6f-4565e8549c2a&DisplayLang=en - Windows SharePoint Services 3.0 with Service Pack 2 included



