Le novità di Windows Server 2008 per la gestione degli uffici remoti Fabrizio Grossi v-fabrig@microsoft.com

Agenda Read-Only Domain Controller RODC Active Directory Protezione Dati Novità nel networking Server Core

Read-only Domain Controller (RODC) Riduce la superficie d’attacco dei DC situati in una locazione fisica non sicura (Branch Office) Minore impatto su AD in caso di furto di un DC Per defult in RODC non vengono salvati username/pswrd Viene ridotta la superficie di attacco di AD per un DC compromesso Read-only state Replica unidirezionale per AD e FRS/DFSR Ogni RODC ha il suo account KrbTGT Permission per scrivere in AD molto limitate RODC sono account workstation Facilita la gestione configurazione dei DC nei Branch Office

Password Replication Policy No Account Cached (Default) Pro: Massima sicurezza, comunque fornisce Autenticazione veloce e processa le policy Contro: Nessun accesso Offline. Richiede connettività WAN per il logon Most Account Cached Pro: Facilità la gestione delle Password (diminuisce la sicurezza) Contro: Più Password esposte al RODC Few accounts (branch-specific accounts) cached Pro: Permette l’accesso offline per gli utenti che ne hanno bisogno, e massimizza la sicurezza per gli altri Contro: maggiore amministrazione

Active Directory Role Separation Troppi Domain Administrators La maggior parte sono dei server administrators Role Separation Fornisce un nuovo livello di accesso ai RODC: “local administrator” Include i gruppi Built-in (Backup Operators, ecc.) Impedisce la modifica accidentale dell’AD dagli amministratori del server NON previene un “local administrator” dal modificare il DB locale

Active Directory Re-start Stop/Start dei Directory Services (DS) senza Reboot Riduce il DS downtime per operazioni offline Mantiene gli altri servizi running mentre i DS sono Offline Mentre i DS sono stoppati Funziona come un member server nel dominio Può contattare un altro DC per il domain logon Se non c’è un altro DC attivo, si può fare logon con la password di restore mode (invariato) Si possono fare logon con: Cached credential, Smart Card, biometric

Data Protection: Server Backup Server Backup è un’applicazione per il backup/recovery integrata in Windows Server 2008 che permette di proteggere in modo semplice i server Windows Server 2008 e i dati Protegge file, cartelle, volumi, dati applicativi e componenti del SO Supporta una granularità di recovery che va da tutto il sistema a singoli file o cartelle Richiede una configurazione minima e supporta Wizard che semplificano backup/recovery Utilizza una tecnologia VSS a livello di blocchi e basata su immagini Ottimizzato per i dischi (locali, SAN, iSCSI), ma supporta anche media ottici (DVD) e file server Non supporta tape ...

Data Protection: Server Backup Prima fa un backup completo In seguito esegue automaticamente dei backup incrementali, salvando solo i dati che sono cambiati dall’ultimo backup. Non è necessario, come nelle versioni precedenti, preoccuparsi di impostare manualmente i backup full o incrementali.

Data Protection: Server Restore Restore semplificato: Prima - Per un backup incrementale dovevo fare Restore manualmente da backup multipli Adesso - E’ sufficiente scegliere l’oggetto di cui si vuole fare un Restore e la data. Il Backup lavora con i nuovi tool di Windows Recovery Recovery del SO semplificato. Recovery del Server Disaster Recovery: Recovery su un nuovo hardware.

Data Protection: Server Backup vs. NT Backup Miglioramenti introdotti da Server Backup Grande facilità d’uso (Wizard) Gestione efficiente del Backup (mmc) Remote Administration (supporta script) Aumenta la disponibilità (VSS, nessun Downtime) Aumenta l’affidabilità Protegge i dati delle applicazioni (VSS, provider) Aumenta la granularità (dall’intero server al file) Supporta i dischi (interni, DAS, FC, iSCSI) Supporta media ottici (DVD) Supporta i File Server (target) Semplifica il recovery dei dati (Browse) Total System Recovery (One Reboot)

Data Protection: BitLocker Drive Encryption E’ sempre più spesso necessario proteggere certe tipologie di informazioni Problemi derivanti dalla perdita di computer contententi informazioni sensibili BitLocker è una soluzione di Volume Encryption integrata in Windows Server 2008 Protegge dalla perdita di un computer o di un disco contentente dati sensibili Combinato con il TPM (o con Flash Drive USB se il BIOS lo supporta), offre un adeguato livello di sicurezza fisica Aiuta a ridurre la superficie di attacco Funziona per tutti i volumi

Agenda Read-Only Domain Controller RODC Active Directory Protezione Dati Novità nel networking Server Core

Agenda NetIO – Stack di Rete di Windows Vista e Windows Longhorn Server Miglioramenti nelle performance di Rete Policy Based Quality of Service CPU Scalability Miglioramenti di Connettività

Windows Filtering Platform Architettura dello Stack di Rete Winsock User Mode Kernel Mode WSK Clients AFD TDI Clients TDI WSK TDX Next-Generation TCP/IP Stack (tcpip.sys) TCP UDP RAW Windows Filtering Platform IPv4 IPv6 802.3 WLAN 1394 Loop-back IPv4 Tunnel IPv6 Tunnel NDIS

Limiti della Finestra di ricezione in Windows XP e Windows Server 2003 3/27/2017 2:28 AM Continental US Intercontinental Fiber Satellite Default in Win XP/Win 2003 MICROSOFT CONFIDENTIAL © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Autotuning Receive Window Scenario: Performance di Rete limitate in scenari WAN o FTTH La TCP receive window di default limita il throughput a 5Mbps su una connessione con latenza di 100ms (coast to coast) Il throughput è anche minore su connessioni intercontinentali o satellitari con latenza più alta Soluzione: Windows Vista/Window Longhorn Server modificano continuamente la TCP Receive Window per ogni connessione Si verificano banda e latenza e si modifica la TCP receive windows di conseguenza Impatto: Applicazioni vedono upload/download più veloci Copia di file SMB tra Redmond e Australia aumenta di 10x Backup tra la bay area e il Data Center a Tukwila aumenta di 40x I benefici variano a seconda del networking (Schede di rete – Congestione dei Router)

Performance delle applicazioni con Windows Vista/Windows Longhorn Server tra Redmond e Sydney Throughput (Mbps) Per lo scenario di sharepoint tra Win 2003 Server e Vista client, bisogna modificare una chiave di registry sul server Win 2003 modificare "MaxBytesPerSend" HKLM\System\CurrentControlSet\Services\HTTP\Parameters to value 0xFFFFF

Miglioramenti dei Protocolli: SMB 2.0, Transactional File I/O SMB 2.0 aumenta le costanti per il file sharing (utenti, file aperti, numero di share, ecc.) Supporta l’invio di comandi multipli nello stesso pacchetto SMB Supporta buffer più grandi Supporta handle durevoli, link e semplifica gli algoritmi di firma Transactional File I/O (TxF) Il transaction framework del kernel, in Windows Server 2008, è stato esteso nel SO (DB, registry, file system, ecc.) per garantire che le operazioni di I/O abbiano successo o falliscono nella loro interezza. Il transaction framework del kernel è stato migliorato per garantire i requisiti di performance di operazioni più grandi o più complesse Benefici Miglioramento del protocollo fornisce nuove funzionalità di storage

40X Window Auto-Tuning Replica di data tra Redmond e la Bay Area 3/27/2017 2:28 AM Window Auto-Tuning Replica di data tra Redmond e la Bay Area Link dedicato con banda di 1Gbps Configurazioni di Default Su Windows Server 2003 SP1: 100Mbps NICs, 10Mbps throughput Su Windows Longhorn Server: 100Mbps NICs, 80Mbps throughput 1000Mbps NICs, 400Mbps throughput (Copia memory to memory) File copy disk to disk è limitato a 250Mbps perchè il disco diventa il collo di bottiglia 40X MICROSOFT CONFIDENTIAL © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Limiti del protocollo: gestione della banda molto ampia Scenario: Replica tra data center geograficamente distribuiti connessi da link gigabit Il protocollo TCP (controllo della congestione) taglia drasticamente il sending rate in caso di perdita di pacchetti e aumenta il sending rate lentamente < 1 in 83000 packet loss rate per occupare completamente una banda di 1Gbps/100ms link Soluzione: Compound TCP utilizza informazioni sulla latenza per diminuire il sending rate senza causare perdita di pacchetti Evitare traumi: impatto sulle connessioni esistenti è <10% Può essere abilitato per default su Windows Longhorn server (è necessario solo il supporto lato send) Impatto: replica tra i data center più veloce Tempo di replica di ridotto della metà

Esempio: CompoundTCP Performance 3/27/2017 2:28 AM TCP data transfer using Compound-TCP (blue) and vanilla TCP (red) between Bay Area, CA and Tukwila, WA data centers MICROSOFT CONFIDENTIAL © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Limiti del protocollo: Gestione dei Random Losses Scenario: Reti Wireless come GPRS, UMTS, WLAN Perdita di pacchetti è interpretata da TCP come indice di congestione Link layer recovery peggiora i problemi poichè il TCP effettua il recovery al proprio livello (spurious retransmissions) Grossi cambiamenti in Round Trip Times (RTT) causano (packet retransmission e) perdita di connettività TCP Soluzione: Detection delle spurious retransmissions usando i meccanismi di Forward Retransmission Timeout Recovery (FRTO) e Delayed Selective Acknowledgement (DSACK) (IETF based) Evitano le ritrasmissioni non necessarie e evitano anche la riduzione del sending rate Meccanismo elastico di gestione del RTT Impatto: migliorate le performance wireless Miglioramento del 10-30% del throughput scenari in GPRS

Detection dei limiti delle performance del TCP: TCP Analyzer 3/27/2017 2:28 AM Scenario: difficile diagnosticare problemi di performance di Rete Può essere nella rete nell’invio o nella ricezione Statistiche per connessione non sono facilmente disponibili Soluzioni: Supporto per statistiche TCP estese Statistiche TCP estese per connessione in tempo reale Disabilitate per default, abilitate per-connessione TCP Analyzer Tool grafico che mostra le statistiche selezionate Mostra automaticamente I colli di bottiglia per le performance MICROSOFT CONFIDENTIAL © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Policy-based QoS Policy Name: DSCP value: Throttle rate: Desktop Finance -Bulk-traffic Finance users (Windows Vista) -Server-Finance Bulk-traffic Bulk-traffic Policy Other Desktops (Windows Vista) Servers hosting ERP application (Windows Server “Longhorn”) Policy Name: DSCP value: Throttle rate: Deployed to PCs (Organization Units): Description: (None) None Best-effort treatment Bulk-traffic 1 Domain-wide Applies a low-priority DSCP value Desktop Finance Mission Critical 12 Finance Users (user OU) Applies high-priority DSCP for Finance client traffic Server Finance Mission Critical 20 Servers (machine OU) Applies high-priority DSCP for Finance server traffic 24 © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Quality of Service Impact: 3/27/2017 2:28 AM Quality of Service Scenario: Shared constrained resource like shared WAN Line of business apps Customer facing services Solution: Policy-based quality of service IT admin specified prioritization of applications and users Priority marking on end hosts based on specified policy using standard DSCP marking in IP headers Prioritization at routers to provide differential treatment Impact: By just enabling priority queues at WAN routers (bottleneck), end to end quality of service possible Microsoft IT deployed QoS policies across Microsoft network MICROSOFT CONFIDENTIAL © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Benefici per le aziende 3/27/2017 2:28 AM Benefici per le aziende Aumenta la user satisfaction nei branch office File download (da Windows Longhorn Server), web download, ecc dai server remoti sono più veloci Utilizzo efficiente della banda WAN Server consolidation Riduce i costi di supporto associati ottimizzando le performance di rete Permette di utilizzare applicazioni nei branch office che prima non si potevano utilizzare per le scarse performance di rete MICROSOFT CONFIDENTIAL © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

3/27/2017 2:28 AM CPU Scalability MICROSOFT CONFIDENTIAL © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

TCP Offload: Chimney and NetDMA 3/27/2017 2:28 AM TCP Offload: Chimney and NetDMA Scenario: Server’s performance often limited by CPU for network intensive application OS is involved in mundane tasks involving every packet like segmentation & reassembly, processing TCP ACKs,transmit & receive buffer processing Solution: Offload TCP processing (not just task offload like LSO, checksum) to the NIC TCP Chimney Stateful offload where NIC does all TCP processing once the connection is offloaded NetDMA Data directly DMA’ed to app buffer without CPU involvement Compressed TCP stack: fast path highly optimized Impact: TCP Offload NICs reduce CPU load by over 75% under heavy network workloads Most servers nowadays ship with TCP Offload Enabled NICs MICROSOFT CONFIDENTIAL © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Chimney Architecture Application Logical Switch Top Protocol State 3/27/2017 2:28 AM Chimney Architecture Chimney: Data only enters/exists from the top and bottom of the chimney Application: Existing binaries run over either software stack or hardware Logical Switch: Controls whether data transfer is through the host stack or the offload target stack Top Protocol: The top layer of the protocol stack which is offloaded Intermediate Protocol: One or more protocols under the Top Protocol; Chimneys are “stackable” Stateful, cross-request offload Application Logical Switch Top Protocol Intermediate Protocol(s) NDIS Miniport NDIS NIC hardware State Updates Data Transfer MICROSOFT CONFIDENTIAL © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Receive-Side Scaling (RSS) 3/27/2017 2:28 AM Receive-Side Scaling (RSS) Scenario: multi-proc servers (web, file, etc) CPU starvation in handling inbound traffic Only single CPU used in processing network traffic even on a multi-proc system Solution: “Receive-Side Scaling” Intelligently distributes incoming traffic across multiple CPUs Impact: CPU scalability MICROSOFT CONFIDENTIAL © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

RSS Improves SMP Scalability Demo: Web Bench 5.0 With RSS web traffic is more evenly distributed on multiple CPUs Web Bench delivers up to 50% more requests/sec

Connectivity Improvements 3/27/2017 2:28 AM Connectivity Improvements MICROSOFT CONFIDENTIAL © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Challenge End to end connectivity broken today 3/27/2017 2:28 AM Challenge End to end connectivity broken today NATs used to share single IPv4 address across multiple hosts/devices Breaks (or requires point solutions for) several scenarios requiring client to client communication Increased cost associated with relaying all traffic through servers Hides home network from ISP and hence, blocks ISP from providing services like remote assistance, remote monitoring Global IP address is becoming more and more premium IPv6 enables end hosts to have global address and hence restore end to end connectivity MICROSOFT CONFIDENTIAL © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

3/27/2017 2:28 AM IPv6 Ready, Real and Leveraged with Windows Vista and Windows Longhorn Server Ready: Enabled by default on Windows Vista and Windows Longhorn Server Pervasive IPv6 support in OS components: All components validated functionality in IPv6 only configuration IPv6 connectivity preferred over IPv4 Real: Usable on existing IPv4 networks Transition technologies (ISATAP, teredo, 6to4) enable low cost, automatic IPv6 deployment Leveraged: IPv6 only scenarios and applications Windows Meeting Space enables shared views, text messaging, presentations, file sharing Remote assistance possible through NATs by using IPv6 ©2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Enabling IPv6 in Enterprises: ISATAP 3/27/2017 2:28 AM Enabling IPv6 in Enterprises: ISATAP ISATAP provides IPv6 connectivity throughout enterprise by deploying few ISATAP servers No infrastructure upgrade needed Works by tunneling IPv6 packets over IPv4 ISATAP addresses contain embedded IPv4 addresses [64-bit prefix]:0:5EFE:w.x.y.z: w.x.y.z is a public or private IPv4 address. Example: FE80::5EFE:157.59.137.133 Clients communicate directly without going through ISATAP server Entire IPv4 intranet appears as a single IPv6 subnet MICROSOFT CONFIDENTIAL © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Enabling IPv6 over Internet: 6to4 3/27/2017 2:28 AM Enabling IPv6 over Internet: 6to4 Provides IPv6 connectivity over IPv4 internet Windows Vista clients with global IPv4 addresses derive 6to4 address automatically 6to4 router provides IPv6 addresses to Windows Vista clients without global IPv4 addresses 6to4 addresses begin with 2002: and include embedded IPv4 address 6to4 hosts communicate directly with each other or through a 6to4 router Single 6to4 router can provide IPv6 connectivity to an entire location MICROSOFT CONFIDENTIAL © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Enabling IPv6 for consumers: Teredo 3/27/2017 2:28 AM Enabling IPv6 for consumers: Teredo Teredo provides IPv6 connectivity behind an IPv4 NAT Teredo tunnels IPv6 over UDP/IPv4 Enables NAT traversal Teredo uses servers in the IPv4 internet that facilitate the creation of global IPv6 addresses for Teredo clients Automatically determines the type of the local NAT and adjusts behavior accordingly Communication with the server is used to establish port mappings in the NAT which clients use to communicate directly thereafter Host firewall runs on the Teredo interface, so Teredo does not leave your machine open to attacks Teredo is dormant by default on Windows Vista but any application can trigger it to become active MICROSOFT CONFIDENTIAL © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Managing IPv6 on Windows Vista and Windows Longhorn Server 3/27/2017 2:28 AM Managing IPv6 on Windows Vista and Windows Longhorn Server Each IPv6 technology can be independently controlled UI options in TCP/IP properties to enable/disable IPv6 (and IPv4) Disabling IPv6 in UI does not disable transition technologies Netsh command line options Registry key options HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisabledComponents Set to 0xFFFFFFFF to disable IPv6 completely Use default configuration as it will enable IPv6 to be used automatically as your network/infrastructure in IPv6 enabled MICROSOFT CONFIDENTIAL © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Benefits for Enterprises 3/27/2017 2:28 AM Benefits for Enterprises Build new experiences leveraging IPv6 Client to client communication can be used to enable new scenarios without much cost Windows Meeting Space Reduce support costs by using remote assistance over IPv6 Reduce management costs for your networks MICROSOFT CONFIDENTIAL © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Getting Ready for NetIO 3/27/2017 2:28 AM Getting Ready for NetIO MICROSOFT CONFIDENTIAL © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Preparing Network/Infrastructure for NetIO 3/27/2017 2:28 AM Preparing Network/Infrastructure for NetIO Network Change in traffic patterns on your network Shorter higher spikes Need for QoS to protect real time traffic Better management of router buffers to control network latency for latency sensitive traffic Possible higher utilization of networks Customers may do more with Windows Vista and Windows Longhorn Server networking since they can do more Infrastructure Interoperability issues with proxies/WAN accelerator devices eg old NetApp proxies do not support Window Scaling Develop procurement/deployment guidelines around IPv6 MICROSOFT CONFIDENTIAL © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Related Content Websites Forums and Blogs Cable Guy and other articles 3/27/2017 2:28 AM Related Content Websites http://technet.microsoft.com/en-us/windowsvista/aa905087.aspx www.microsoft.com/ipv6 Forums and Blogs http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=716&SiteID=17 http://blogs.msdn.com/wndp/default.aspx Cable Guy and other articles http://www.microsoft.com/technet/technetmag/issues/2006/11/VistaNetworking/default.aspx http://www.microsoft.com/technet/community/columns/cableguy/cg0905.mspx http://www.microsoft.com/technet/community/columns/cableguy/cg1005.mspx http://www.microsoft.com/technet/community/columns/cableguy/cg1105.mspx © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. 42

Windows Server 2008 Server Core 3/27/2017 2:28 AM Windows Server 2008 Server Core © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Agenda Le sfide di oggi Overview e benefici di Server Core Architettura di Server Core Installazione e configurazione iniziale di Server Core Aggiunta di ruoli server e funzionalità Amministrazione di Server Core Demo

Windows Server Core

Le sfide di oggi Windows Server è spesso usato per un unico ruolo server o workload Gli amministratori devono installare e amministrare tutti i servizi di Windows Server I servizi non necessari possono dare problemi di manutenzione e di sicurezza Gli amministratori pensano i server in termini di ruoli e servizi forniti

Le sfide di oggi Proposta di valore Installare solo il necessario Server ottimizzati per ruolo sono più semplici da gestire Meno patch Il ciclo di gestione ruota intorno ai ruoli Lo staff IT può specializzarsi per specifici ruoli Aumento della disponibilità e sicurezza Meno cose installate  meno cose in esecuzione

Server Core è Un’opzione di installazione minimale di Windows Server Server 2008 Inclusa nelle versioni Standard, Enterprise e Datacenter Disponibile nelle versioni x86 e x64

Fornisce Include Server Core… Funzionalità minimali Minore numero di servizi per ruoli specifici Include Alcuni ruoli server DHCP, File, AD, AD LDS, Media Services, DNS e Windows Virtualization Services Alcune funzionalità opzionali: WINS, Failover Clustering, Subsystem for UNIX-based applications (SUA), Backup, Multipath IO, Removable Storage Management, Bitlocker Drive Encryption, SNMP, Telnet Client Solo interfaccia Command Line, non c’è GUI

Il desktop di Server Core

Benefici di Server Core Minore necessità di patch Riduzione del numero di patch di ~60% Rimozione dei componenti più frequentemente corretti Maggiore sicurezza e disponibilità con minore necessità di gestione Rimozione dei componenti client, legacy e non utili per i ruoli gestibili dal server

L’architettura di Server Core Ruoli server di Windows Server (solo per esempio) TS IAS Web Server Share Point Ecc… Server Con .NetFx, Shell, Tool, ecc. Ruoli server in Server Core DNS DHCP File AD AD LDS Media Server WVS Server Core Sicurezza, TCP/IP, File Systems, RPC, altri sottosistemi GUI, CLR, Shell, IE, Media, OE, Ecc.

Installazione di Server Core Durante l’installazione è possibile scegliere tra: Server con shell e tutti i ruoli server Server Core con command line e ruoli supportati La configurazione iniziale di Server Core può essere fatta: Manualmente usando i tool da command line Usando un file unattend

Installazione unattended Identiche modalità e opzioni di Windows Vista e Windows Server È possibile impostare opzioni che richiederebbero la modifica del registry Risoluzione e profondità di colore <settings pass="oobeSystem"> <component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86"> <Display> <HorizontalResolution>1024</HorizontalResolution> <VerticalResolution>768</VerticalResolution> <ColorDepth>16</ColorDepth> </Display> </component> </settings>

Installazione unattended Per abilitare l’amministrazione remota via TS Nella sezione <settings pass="specialize"> aggiungere: <component name="Microsoft-Windows-TerminalServices-LocalSessionManager" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86"> <fDenyTSConnections>false</fDenyTSConnections> </component> Per abilitare il supporto ai client TS pre Windows Vista/Longhorn <component name="Microsoft-Windows-TerminalServices-RDP-WinStationExtensions" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86"> <UserAuthentication>0</UserAuthentication>

Selezionare Server Core in installazioni unattend Dopo la sezione </InstallTo>, aggiungere la sezione <InstallFrom> appropriata Server Core: <InstallFrom> <MetaData> <Key>/IMAGE/Name</Key> <Value>Windows Longhorn Server Core</Value> </MetaData> </InstallFrom> Server <Value>Windows Longhorn Server</Value>

Nessun upgrade È supportata solo un’installazione da zero Non è possibile fare upgrade da una precedente versione di Windows Server Non è possibile fare upgrade da Server Core a Windows Server "Longhorn“ Non è possibile fare upgrade da Windows Server "Longhorn" a Server Core

Configurazione iniziale di Server Core Impostare la password di amministrazione CTRL+ALT+DEL e Change password net user administrator * Attivazione Slmgr.vbs –ato (in c:\Windows\System32) Configurazione di un indirizzo IP statico (se necessario) Netsh interface ipv4 show interfaces set address name="ID" source=static address=StaticIP mask=SubnetMask gateway=DefaultGateway add dnsserver name="ID" address=DNSIP index=1 Join al dominio (se richiesto) Netdom

Aggiunta di ruoli server Solo via command line Start /w Ocsetup <package desiderato> DHCP = DHCPServerCore DNS = DNS-Server-Core-Role File = File-Server-Core-Role File Replication service = FRS-Infrastructure Distributed File System service = DFSN-Server Distributed File System Replication = DFSR-Infrastructure-ServerEdition Network File System = ServerForNFS-Base Media Server = MediaServer Active Directory Dcpromo /unattend:<file unattended> Dcpromo ora installa Active Directory Ocsetup non è supportato per Active Directory

Aggiunta di funzioni opzionali Start /w ocsetup <pacchetto desiderato> Failover Cluster = FailoverCluster-Core Network Load Balancing = NetworkLoadBalancingHeadlessServer Subsystem for UNIX-bases applications = SUA Multipath IO = Microsoft-Windows-MultipathIO Removable Storage Management = Microsoft-Windows-RemovableStorageManagementCore Bitlocker Drive Encryption = BitLocker Backup = WindowsServerBackup Simple Network Management Protocol (SNMP) = SNMP-SC Telnet Client = TelnetClient WINS = WINS-SC

Disinstallazione di ruoli e funzioni Start /w Ocsetup <pacchetto desiderato> /uninstall Ad esclusione di Active Directory Si deve usare DCPromo e fare demote Vengono rimossi anche i binari di Active Directory Nessuna GUI remota per installare o disinstallare ruoli e funzioni

OCList.exe Tool a linea di comando per il solo Server Core Elenca i pacchetti con i ruoli server e le funzioni addizionali usabili con OCSetup Indica se i pacchetti sono o meno installati

Gestire Server Core CMD per l’esecuzione locale di comandi CMD via Terminal Server WS-Management e WinRS per l’esecuzione remota di comandi WMI Task Scheduler per programmare job e task Event Logging e Event Forwarding RPC e DCOM per MMC da remoto SNMP Non c’è codice managed  non c’è PowerShell

Gestione di Server Core con Windows Remote Shell Windows Remote Management (WinRM) WS-Management – protocollo di gestione sicuro e firewall friendly Windows Remote Shell (WinRS) Esegue remotamente tool e script da linea di comando Richiede Windows Vista o Longhorn Server Solo script e tool command line senza UI possono essere eseguiti I prompt possono creare (modalità interattiva non disponibile) “Premere un tasto per proseguire” NO!

Configurazione di WinRM su Server Core WS-Management lato server Configurato Via command line: WinRM quickconfig Con file unattended aggiungere alla sezione <settings pass="specialize"> : <component name="Microsoft-Windows-Web-Services-for-Management-Core" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="x86"> <ConfigureWindowsRemoteManagement>true</ConfigureWindowsRemoteManagement> </component> Via GPO

Uso di WinRS Lato client di WS-Management WinRS –r:<endpoint remoto> commando L’endpoint remoto può essere -r:https://myserver.com -r:myserver -r:http://127.0.0.1 -r:http://169.51.2.101:80 Esempio: Winrs –r:myserver dir c:\windows\system32\*.dll WinRS -? Per l’help

Esempi d’uso di WinRS Abilitazione dell’amministrazione remota via TS winrs -r:myserver cscript \windows\system32\scregedit.wsf /ar 0 Abilitazione dei client TS pre-Vista/Longhorn winrs -r:myserver cscript \windows\system32\scregedit.wsf /cs 0 Join a un dominio winrs -r:myserver netdom add myserver /domain:testdomain /userd:administrator /passwordd:<password> Aggiunta degli amministratori del dominio agli amministratori locali winrs -r:myserver net localgroup administrators testdomain\administrator /add

SCRegEdit.wsf Non tutte le operazioni possono essere da command line o da remoto SCRegEdit.wsf è incluso in Server Core per: Abilitare gli automatic updates Abilitare TS in modalità Remote Admin Abilitare la gestione di IPSec Monitor Configurare peso e priorità dei record DNS SRV Nuovo switch /cli elenca i comandi e gli switch disponibili In \Windows\System32

Hardware su Server Core Plug and Play è incluso in Server Core Aggiunta di hardware con un driver incluso in Server Core  PnP installa silenziosamente il driver Driver PnP non incluso, ma disponibile: Copiare i file del driver su Server Core Eseguire: Pnputil –i –a driverinf Per elencare i driver installati sc query type= driver Per rimuovere un driver sc delete <nome-servizio>

Control Panel in Server Core? Funzionalità limitate per scenari specifici Per modifica della Time zone control timedate.cpl Per modifica di tastiera e/o lingua control intl.cpl

Notepad in Server Core Incluso ma con limitazioni Help non funziona Dalla versione IDS-1 sono disponibili: Open, Save e Save As Copy, Paste, Find, Replace

Riavvio della CMD.EXE Localmente: In una sessione Terminal Services: Ctrl-Alt-Del  Start Task Manager  File  Run  inserire cmd.exe Log off e log on In una sessione Terminal Services: Log off e log on da remoto via MMC Usare i tool a linea di comando di TS: query session /server:<nome-server> logoff <id-sessione> /server:<nome-server>

Limitazioni di Server Core Nessun supporto per il Managed Code Non c’è PowerShell in Server Code Non ci sono i balloon di notifica La notifica di scadenza della password adesso è un balloon  non apparirà in Server Core Runonce non è supportato in Server Core

Applicazioni su Server Core Server Core non è una piattaforma applicativa Server Core supporta i tool di gestione, le utilità e gli agent I tool di gestione remota non dovrebbero richiedere modifiche È necessario usare uno dei protocolli supportati da Server Core (es. RPC)

Applicazioni su Server Core Gli agent di gestione potrebbero richiedere modifiche per funzionare su Server Core Non devono avere dipendenze da shell o GUI Non possono usare managed code Provare gli agent su Server Core SDK (in beta) include l’elenco delle API supportate in Server Core

Risorse utili Newsgroup Blog di Server Core http://forums.microsoft.com/TechNet/ShowForum.aspx?ForumID=582&SiteID=17 Blog di Server Core http://blogs.technet.com/server_core/default.aspx La “Command-line reference A-Z” nell’help è molto utile Disponibile online a: http://go.microsoft.com/fwlink/?LinkId=20331

Per approfondire TechNet New Wave Tour Microsoft Security Day Data 17 Maggio 22 Maggio 24 Maggio 29 Maggio 31 Maggio 05 Giugno Città Genova Bologna Padova Catania Cagliari Bari Microsoft Security Day Data 07 giugno 12 giugno Città Milano Roma

Per approfondire TechNet Webcast Titolo Data Ora Livello Speaker Overview su Windows Server "Longhorn" 03/04/2007 10:00 200 Malusardi Le novità delle Group Policy in Windows Server “Longhorn” 10/04/2007 300 Costruire un server minimale per workload specifici con Windows Server “Longhorn” Server Core 02/05/2007 Accesso controllato alla rete con Network Access Protection in Windows Server “Longhorn” 15/05/2007 Installazione da remoto di client e server con Windows Deployment Service in Windows Server “Longhorn” 15/06/2007 Windows Server Virtualization: creare un'azienda dinamica 19/06/2007 IPv6: cos'è e come funziona in Windows Server “Longhorn” 22/06/2007

Per informazioni Windows Server “Longhorn” http://www.live.com

3/27/2017 2:28 AM © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. © 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.