If you’re installing an x64 version of WS08, you will run through the same process as for x86 versions, with minor differences. For example, the x64 OS will support a non-destructive upgrade from x86 operating systems—that is, replacing the existing OS and maintaining data on the system—but the end result will retain all data as well as application folders, except that applications will be non-functional and will need to be reinstalled because the installation is not an actual upgrade. The best way to perform this type of installation is to actually move the data off the system if there is data to protect, or at least ensure that data is not on the OS partition, then reformat the OS partition and install a fresh version of the x64 OS.
In addition, x64 versions of WS08 require digitally signed drivers and only digitally signed drivers. If your hardware provider does not offer signed drivers for its systems, then you might have to install an x86 version of WS08 on the system until such drivers are available.
• Installing updates
• Completing installation
There is no time-to-finish information display anymore; instead, it displays the percentage of each step. It takes about 40 minutes for an installation, depending on hardware and the options you select.
When the system reboots, it will request a password change at the first logon. The default password is blank. Change the password to something complex because it is for the default administrative account. The password should include at least eight characters and complex characters, such as numbers, uppercase and lowercase letters, as well as special characters. If you have difficulty remembering passwords, you can replace letters with special characters. For example, replace the “a” with “@”, replace the “e” with “€”, and so on. This makes passwords more difficult to crack. Even so, if a hacker or an attacker has access to the system, they can use password-cracking tools to display the text of the password. If this is an issue, you can use a combination of alt plus a four-number Unicode key code to enter characters into your password (for example, alt 0149). The advantage of this method is that these characters often display as a blank square or rectangle when displayed as text by password-cracking software. If you’re really concerned about password security, then either use more than 14 characters—password-cracking tools stop at 14—or implement a two-factor authentication system for IT administrators.
NOTE
You also have the opportunity to create a password reset disk at this point.

Post-Setup Configuration Tasks for Full Installations
Post-setup configuration tasks are similar for full installations and for Server Core. On full installations, WS08 will reboot the system once the installation is complete and, after generating the initial profile, will display a wizard: the Initial Configuration Tasks (ICT) Wizard (see Figure 4-8). This screen includes three categories of post-installation tasks:
• Provide computer information
• Update this server
• Customize this server
Unlike previous versions of Windows, the WS08 setup reserves all of these configuration steps for the post-installation process.
As you can see, the ICT screen covers the first part of the post-installation tasks listed in the post-installation checklists (refer to Figures 4-3 and 4-4 presented earlier in this chapter). This makes it handy to perform these initial tasks. You’ll also need to use other tools to finalize your discovery of the preparation process. Be sure to document all configuration modifications you retain. This will be important for when you prepare your reference computer for the massive deployment staging process. This documentation also forms the heart of the kernel for each server. This documentation must also be specific; i.e., it must specifically detail the steps you need to perform to complete the core system’s configuration. This process should include all the steps in the appropriate post-installation checklist, but special attention should be paid to the following:
• Set the time zone (if required)
• Configure networking
• Provide the computer name and domain
• Enable updates and feedback
• Download and install updates
• Add core system features
• Enable the Remote Desktop
• Configure the Windows Firewall
• Configure the Event Log
• Configure devices
• Rename the administrator account
• Create a backup administrator account
• Configure paging file and recovery settings
• Install administration, support and resource kit tools
• Install the Windows Recovery Environment
• And, for service offerings running the full installation:
  • Enable the Themes service and configure the Windows Vista interface
  • Update default user settings
On full installations, begin with the tasks in the ICT.
Begin by setting the time zone if required and move on to configure networking. Once the Network Connections screen appears, either right-click a connection to select its properties or select the connection you want to modify and click the breadcrumb commands displayed under the menu bar. To modify the settings, choose the Change Settings of This Connection command. By default, WS08 installs and enables two versions of the TCP/IP protocol: IPv4 and IPv6. IPv4 is set to receive an automatic address from a server running the Dynamic Host Configuration Protocol (DHCP). IPv6 is set to a private local link address by default.
The Network Properties dialog box is the same as in Windows Server 2003, so it should be familiar to most administrators. Use your corporate guidelines to assign settings to both IPv4 and IPv6. One configuration parameter that may be different for the IPv4 configuration is the link to a Windows Internet Naming Service (WINS) server, since the Domain Name System (DNS) running in WS08 now supports a GlobalName feature. More on this topic will be covered during the design of the network infrastructure in Chapter 6, but if you can do it at all, you should get rid of WINS servers as much as possible, since they provide outdated services in today’s networks. Modify the properties of each connection on the server. Close the Network Connections window when done.
NOTE
Reference Computer: The networking properties for the reference computer might best be left at default values, unless you have specific values you can use for default settings. Remember that whatever is configured in the reference computer will be retained in the system image you create from it.

Next, you’ll want to provide a computer name for the system. By default, the installation process generates a random computer name. Once again, this dialog box has not changed from previous versions. Click the Change button to rename the computer and join it to a domain. Use an appropriate naming convention for servers and locations in your network. You can choose to restart later, as you still have several options to modify.
You can also activate the Remote Desktop option here, since it is in the same dialog box. If your organization allows remote connections to servers for administrative purposes, then click the Remote tab and select the appropriate setting. The most secure setting uses network-level authentication, but requires connections from systems running the Remote Desktop Connections 6.0 client update. Make sure this update has been deployed in your network before you deploy either Vista or WS08 systems.
NOTE
Reference Computer: It is a good idea to name the reference computer, but keep it in a workgroup instead of joining it to a domain, since it will be depersonalized to generate a system image. Ideally, you can create a workgroup that uses the down-level or NetBIOS name for your domain so that it appears in the same groupings when viewing available networks. Then, you can join it to the domain during the setup process as you configure the image.

You should also enable updates according to the settings in your organization. Select Manually Configure Settings in the Enable Windows Updates and Feedback dialog box, because choosing the automatic option will install updates automatically as well as send all feedback to Microsoft. Most organizations prefer different settings. In the Manually Configure Settings dialog box, use the Change Settings button to set Windows Updates to your corporate setting. If you do not use a corporate updates management tool, then set updates to be downloaded while letting you choose when to install them. This automatically downloads updates, but lets you choose to apply them during maintenance windows that do not affect any users. In addition, choosing to download them automatically will save time when you apply them, since they will already be available on the server. Finally, select the Include Recommended Updates option so that it will also provide updates for device drivers and other optional software. Close the window when done. The other options in this section include error reporting and customer feedback. Modify these according to your organization’s recommended settings. Error reporting, in particular, can be fed to a central error-reporting server within your network, allowing you to identify issues with your servers as they occur.
Now that updates are configured, you can download and install any available updates. Click the link in the ICT. The Windows Update screen is displayed. Before you check for updates, make sure you click the Get Updates For More Products link. This takes you to the Microsoft Update web site and installs the utility that will allow you to get updates for drivers and other software. Accept the terms of use and click the Install button. This will automatically get the server to check for updates. Install them if they are available. Close the windows and return to the ICT when done. This is a good time to restart the server.
TIP
If for some reason, you lose the ICT window, simply type ‘oobe’ in the Start Search box in the Start menu and press Enter to display it once again.

Once the server is restarted, the next task in the ICT is to add roles. If you are performing a discovery with the intention of creating a reference computer, do not use this setting here. It is also available through Server Manager and should really be used once the baseline server is completely configured. You can, however, use the next option to add features. Here you should add the following to a full installation:
• XPS Viewer under .NET Framework 3.0 to view XML Paper Specification (XPS) documents on any server.
• BitLocker Drive Encryption, but only if this server is destined for a physically unprotected zone, though this feature can be enabled later so long as the system includes at least two NTFS partitions.
• Desktop Experience, since it will be necessary to enable the Windows Vista Theme service later on.
• Simple Network Management Protocol (SNMP) services if your organization enables the Simple Network Management Protocol on servers to monitor their status. Make sure you secure it properly.
• Windows Server Backup to protect both the operating system and data on the server.

All other features should be installed only when the server has been provisioned and needs to be assigned a specific role in the network.
Finally, verify the Windows Firewall settings. In any corporate network, firewall settings will be controlled centrally through Group Policy, so you only need a default level of protection on this server.
Before you close the ICT window, make sure you select the Do Not Show This Window At Logon check box in the lower-left corner, since the configuration options in this window are complete.
Restart the server, since you have several operations pending a restart to complete. Once the server has restarted, log in with the Administrator account. Once the session is open, launch Server Manager. An icon for it is found in the Quick Launch area beside the Start button. You will use it for several discovery steps. When Server Manager opens, you will see several of the options you configured in the ICT screen. First, review the settings for the Event Logs. Expand the Diagnostics section in the left tree pane, then Event Viewer, and then Windows Logs. Logs are used to register information about events on the system. Each log has a given size and is set to a rotation mechanism, usually overwriting older events when the log fills up. Your organization may have a different policy. By default, logs are set to:
• Application: 20 MB with oldest events overwritten
• Security: 20 MB with oldest events overwritten
• Setup: 1 MB with oldest events overwritten
• System: 20 MB with oldest events overwritten
• Forwarded Events: 20 MB with oldest events overwritten
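The log settings listed above can also be checked from an elevated PowerShell prompt, which is useful when you document the reference computer. The following script is an added example, not part of the original text; it reads each log's configuration with the built-in wevtutil utility and compares it with the defaults from the list. The baseline table and the function names Get-LogConfig and Get-RotationMode are assumptions made for this illustration.

```powershell
# Added example (not from the book): audit Windows log size and rotation settings.
# Baseline sizes in MB are the defaults listed in the text; substitute your own policy.
$baseline = @{
    'Application'     = 20
    'Security'        = 20
    'Setup'           = 1
    'System'          = 20
    'ForwardedEvents' = 20
}

function Get-LogConfig([string]$LogName) {
    # "wevtutil gl" prints the channel configuration as "key: value" lines.
    $cfg = @{}
    wevtutil gl $LogName | ForEach-Object {
        if ($_ -match '^\s*(retention|autoBackup|maxSize):\s*(\S+)') {
            $cfg[$matches[1]] = $matches[2]
        }
    }
    $cfg
}

function Get-RotationMode($cfg) {
    # retention=false                  -> oldest events are overwritten as needed
    # retention=true, autoBackup=true  -> the log is archived when full
    # retention=true, autoBackup=false -> events are not overwritten (clear manually)
    if ($cfg['retention'] -eq 'false') { return 'Overwrite oldest' }
    if ($cfg['autoBackup'] -eq 'true') { return 'Archive when full' }
    'Do not overwrite'
}

foreach ($name in $baseline.Keys) {
    $cfg    = Get-LogConfig $name
    # maxSize is reported in bytes; compare in whole megabytes.
    $sizeMB = [math]::Round([double]$cfg['maxSize'] / 1MB)
    $mode   = Get-RotationMode $cfg
    $status = 'REVIEW'
    if (($sizeMB -eq $baseline[$name]) -and ($mode -eq 'Overwrite oldest')) {
        $status = 'OK'
    }
    '{0,-16} {1,4} MB  {2,-18} {3}' -f $name, $sizeMB, $mode, $status
}
```

Any line marked REVIEW differs from the listed defaults, either in size or in rotation mode, and should be reconciled with your organization's logging policy before the image is captured.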
NOTE
You use the oldest events overwritten setting because logs will stop your server when they fill up. Right-click the name of each log, and select Properties to set its file size and determine its looping mechanism. Don’t forget that they are backed up every day—based on your organization’s backup schedule—so you only need the size that will be convenient without having to resort to a backup. Note that you can’t change the Forwarded Events log, since it stores events that are forwarded from other machines and none are available.

Next, move to the Device Manager. You can also find it under Diagnostics. Use it to view any potential hardware problems. Review any item that has either an exclamation mark or a stop sign. You might have to install new drivers or update existing ones. This is where the notes you acquired from your hardware manufacturer’s web site will come in handy. Continue until there are either no conflicts or no critical conflicts left. A system where all the items are closed is what you’re aiming for.
Add the Desktop Experience feature, then once the system has rebooted, move to the services node under Configuration to enable the Themes service. This service is disabled by default because it uses system resources. If you’re up to date and are already using Windows Vista on your desktops, you’ll want this service activated in order to have the same look and feel on servers and workstations. Otherwise, you’ll always be moving from one interface to another. In fact, every server should have this service activated by default.
1. Find the Themes service in the Services list in the middle pane, right-click it, and select Properties. In the drop-down list on the General tab, select Automatic, then click Apply, and click Start. Click OK when done.
2. Next, minimize Server Manager, right-click the desktop, choose Personalize, and then select Theme.
Now that you are using the Vista interface, customize the Quick Launch area. You want to do this to ensure that every administrator in your organization will have the same, or at least a very similar, experience whenever they access a server to perform activities on it. Begin by doubling the size of the taskbar. Do so by moving the mouse pointer to the top of the taskbar beside the Windows Start button until the pointer transforms into an up-down arrow. Drag upwards to expand the taskbar.
The taskbar includes running programs as well as the Quick Launch area. Each area is preceded by a row of four series of dots at the very left of it. Move the pointer on top of this row for the running programs list until it turns into a left-right arrow. Drag the running programs bar to the lower-left of the Start button. Now you should have running programs displayed below the Quick Launch area. Right-click the taskbar and select Lock The Taskbar.
Next, click the Start button, then click All Programs, and run through the default programs as well as the administrative tools to add the ones you will use the most to the Quick Launch area. To add each program shortcut, right-click it and select Add To Quick Launch. For example, you might consider adding the following items:
• Internet Explorer, customized according to your corporate standard
• Under Accessories:
  • Command Prompt
  • Notepad
  • Windows Explorer
• Under Accessories | System Tools:
  • System Information
• Under Administrative Tools:
  • Computer Management
  • Local Security Policy
  • Terminal Services | Remote Desktops
  • System Configuration
The resulting taskbar should include most of the tools anyone will need to use to administer this server or even remote servers. Arrange the tools in the order of most used from left to right (see Figure 4-9). Your interface is set.
Now, rename the administrator account. To do this, return to Server Manager. Expand Server Manager | Configuration | Local Users and Groups and click Users. Right-click Administrator and select Rename. Type in the new name and press Enter. When done, log off and log back on because you need to open a new session with the new account name.
CAUTION
By default, the administrator account is set to have passwords expire based on the account policy of the server. Though it is not good practice, you may want to change this feature. To do so, right-click the account to choose Properties, check Password Never Expires on the General tab, and click OK when done.

FIGURE 4-9 A well-managed server taskbar
Return to Server Manager to create a backup administrator account. This account may or may not be required according to your organization’s security policy, but it is required, at least temporarily, to update the default user profile. Expand Configuration, then Local Users and Groups, then right-click Users and select New User. Name the account BUAdmin—or use your organizational standard—give it a full name of Backup Administrator, add a description, give it a strong password, and assign the Password Never Expires right. Click Create and then click Close. Next, right-click BUAdmin and select Properties. Move to the Member Of tab and select Add. Once the dialog box appears, click Advanced, then Find Now. Double-click Administrators and OK. Click OK to close the dialog box. Your account is ready.
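Once the administrator account has been renamed and the backup account created, the result can be reviewed from PowerShell. The script below is an added example, not part of the original text; it assumes an English-language system where the local group is named Administrators, and it identifies the built-in administrator by its well-known relative identifier (500), which a rename does not change.

```powershell
# Added example (not from the book): review local administrative accounts after
# the rename and backup-account steps described in the text.
$computer = $env:COMPUTERNAME

# All local user accounts, read through WMI.
$local = @(Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True")

# The built-in administrator keeps a SID ending in -500 whatever its name is.
$builtin = $local | Where-Object { $_.SID -like 'S-1-5-21-*-500' }
if ($builtin.Name -eq 'Administrator') {
    'Built-in administrator still has its default name'
} else {
    "Built-in administrator is now named '{0}'" -f $builtin.Name
}

# Enumerate the members of the local Administrators group through ADSI.
$group = [ADSI]"WinNT://$computer/Administrators,group"
$members = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}

# Report the expiry and disabled state of each local member, so accounts set to
# Password Never Expires (such as the backup account) appear in your documentation.
foreach ($m in $members) {
    $acct = $local | Where-Object { $_.Name -eq $m }
    if ($acct) {
        '{0,-20} Disabled={1,-5} PasswordExpires={2}' -f `
            $acct.Name, $acct.Disabled, $acct.PasswordExpires
    } else {
        '{0,-20} (not a local user account)' -f $m
    }
}
```

Because the built-in account remains identifiable by its SID, the rename is best recorded as one item in the server baseline alongside the password and group membership settings this script reports.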
Now, open Control Panel, make sure you are using Control Panel Home view, and click System and Maintenance. Select System, and in the left pane, select Advanced System Settings. Several modifications are required here. Begin by setting Startup and Recovery options. Use the following settings in this dialog box: