Thursday, July 30, 2009

Performance Monitoring

Performance Monitoring on Windows 2003 Server
Introduction
Server performance is an important issue in a mission-critical business environment. Poor performance can have a huge negative impact on the ability of workers to do their jobs, and thus on productivity and the company’s bottom line. Monitoring and optimizing performance of network servers is one of the administrator’s most important tasks, and it is important to continually collect and analyze performance data to ensure that any problems can be taken care of before they impact end users. Security events are another important area that the administrator must stay on top of, to protect the integrity of the organization’s network and data.
Windows Server 2003 provides administrators with built-in tools for monitoring performance issues and detecting security breaches (or attempted breaches). These range from simple monitoring tools such as Task Manager, through the more powerful System Monitor, to a set of useful command line utilities. For auditing security events, the Security log in Event Viewer records successful and failed audited actions (logons, object access, privilege use) and is the primary source for tracking attempted and successful breaches.
Using the Performance Utility to Monitor Performance

Let’s look at the utilities that monitor performance. The main ones are the System Monitor and Performance Logs and Alerts, both of which provide a graphical interface for collecting and analyzing performance data. We will also look at the command line tools available in Windows Server 2003. Let’s start with the System Monitor.
Using the System Monitor
The System Monitor is the primary tool for monitoring system performance. In Windows NT it was called the Performance Monitor; in Windows 2000, Microsoft renamed it System Monitor and placed it inside the Performance MMC.
In keeping with its old name, the System Monitor can be started by clicking Start, Run and typing perfmon, or by clicking Start, Administrative Tools, Performance and selecting System Monitor. The System Monitor runs as an ActiveX control inside the Performance console, which means it can also be embedded in a web page or a web form application. You can monitor a remote computer from your local System Monitor console as well; this requires the right to read performance data on the remote machine, which by default only members of the Administrators and Performance Monitor Users groups have. A screen shot of the System Monitor is displayed in Figure 1.
Figure 1 System Monitor.

The System Monitor can be displayed in three formats. Figure 1 shows it as a line graph; it can also be shown as a histogram or as a text report. Switch views with the three buttons in the button bar directly above the graph (the first of them is the fifth button from the left, next to the database icon). If you hover the cursor over these buttons you will see that they are labeled View Graph, View Histogram and View Report.
Three performance counters are added and monitored by default. They are visible in Figure 1 and are:
· Memory object: Pages/sec counter
· Physical disk object: Average disk queue length counter
· Processor object: % processor time counter
You can right-click in the lower (counter) pane and select Save As to save the current view, including the counter list and values, as an HTML file (.htm) or a tab-delimited file (.tsv).
Adding Performance Counters
You can add performance counters by doing one of the following:
· Right-click the counter pane and select Add Counters.
· Select the Data tab of the System Monitor Properties dialog box, shown in Figure 2. To open the Properties dialog box, right-click within the graph area or on an item in the counter pane and click Properties, or press Ctrl+Q.
· Click the Add button on the button bar, which appears as a plus sign (+).
· Press Ctrl+I.
Figure 2 Properties for System Monitor

The existing counters are listed in the Counters box. When you click the Add button or press Ctrl+I, the Add Counters dialog box appears, as shown in Figure 3.
Figure 3 Add Counter screen
In the Add Counters dialog box, first select the machine you wish to monitor. Select Use local computer counters for the local machine, or Select counters from computer: and type the remote computer’s name in UNC form (\\servername), or pick it from the drop-down list if you have monitored it from this console before.
Next, select the performance object. A performance object groups the counters for a particular application, service or hardware component (SQL Server, for example, installs its own performance objects so that System Monitor can track its activity). There are a large number of objects to choose from. Some of the most commonly monitored include:

· Processor
· Memory
· Logical Disk
· Physical Disk
· DNS
· DHCP Server
· Network interface
· Web service
Note
Some applications and services add performance objects and counters to the System Monitor when you install them. Thus, you might not see all of the listed objects/counters if you don’t have the related applications or services installed on the computer you’re monitoring. For example, if you don’t have SQL Server installed, you will not see the SQLServer:Databases object.
Then select the counters you are interested in for that object, or select All counters to track every counter it exposes. (Counters differ from one performance object to another, and some objects have a large number of them.)
Finally, select the instance the counters apply to, if the object has more than one instance on the machine. For example, a machine with two processors shows two instances of the Processor object (plus _Total, which aggregates them). Two logical disks (C: and D:) appear as separate instances and can be monitored individually, or you can select All instances to monitor them all.
Tip
You can select a counter and click Explain to get help on it; a window pops up beneath the Add Counters dialog box with the explanation. To remove a counter from the view, select it in the counter pane and click Remove.
It is important to be familiar with the major performance counters and their thresholds. The counters discussed in this chapter relate to memory, disk, network and processor. Table 1 (referred to throughout this chapter) lists these counters with recommended threshold values that should trigger action on your part. A threshold can be crossed for many reasons; it is an indication that the system is not responding as it should, so you need to know when it happens (or is about to happen) and act on it. System administrators should investigate the cause whenever a threshold is reached. The Alerts node of Performance Logs and Alerts can notify you automatically when a counter crosses a value you set.
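The choices made in the Add Counters dialog (computer, object, counter, instance) correspond one-to-one to a counter path of the form \\Computer\Object(Instance)\Counter. The following is an added example, not code from the original article, that works through the same selections from PowerShell: it lists the available objects, shows one object's counters and instances, samples the three default counters and summarizes them the way the Report view does. It assumes PowerShell 2.0 or later (a separate download on Windows Server 2003) and that the account running it is a member of Performance Monitor Users or Administrators on each server in $servers, a placeholder list you replace with your own names.

```powershell
# Added example (not from the original article): the Add Counters dialog expressed
# as counter paths (\\Computer\Object(Instance)\Counter) and sampled with Get-Counter.
# Assumes PowerShell 2.0+ and the Performance Monitor Users right on each server.

# Assumption: replace with your own server names. The local machine is used here.
$servers = @($env:COMPUTERNAME)

# 1. The "Performance object" list: every counter set the machine exposes.
$objects = Get-Counter -ListSet * | Sort-Object CounterSetName |
    Select-Object -ExpandProperty CounterSetName
"{0} performance objects available" -f $objects.Count

# 2. One object's counters and instances (the counter and instance panes).
$processorSet = Get-Counter -ListSet Processor
$processorSet.Paths                                        # e.g. \Processor(*)\% Processor Time
$processorSet.PathsWithInstances | Select-Object -First 4  # one per CPU, plus _Total

# 3. The three counters System Monitor shows by default, with an explicit instance
#    where the object has several (_Total aggregates all instances).
$defaultPaths = @(
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time'
)

# 4. Sample once a second for ten seconds from every server in $servers.
$sets = Get-Counter -ComputerName $servers -Counter $defaultPaths -SampleInterval 1 -MaxSamples 10

# 5. Summarize per counter path, as the Report view's Minimum/Average/Maximum does.
$sets | Select-Object -ExpandProperty CounterSamples |
    Group-Object Path |
    ForEach-Object {
        $stats = $_.Group | Measure-Object CookedValue -Minimum -Average -Maximum
        New-Object PSObject -Property @{
            Path    = $_.Name
            Minimum = [math]::Round($stats.Minimum, 2)
            Average = [math]::Round($stats.Average, 2)
            Maximum = [math]::Round($stats.Maximum, 2)
        }
    } |
    Format-Table Path, Minimum, Average, Maximum -AutoSize
```

The returned paths carry the \\Computer prefix, so the grouping above keeps each server's figures separate when $servers names more than one machine. Remote sampling goes over RPC to the target's registry-based performance provider, which is why the caller needs the Performance Monitor Users right rather than full administrative access.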

We have looked at the Data tab of the System Monitor properties. Let’s look at the other tabs now.

General tab of the System Monitor

The General tab lets you configure the System Monitor view; Figure 4 shows it. The View group box selects Graph, Histogram or Report. The Display elements group box chooses which elements (legend, value bar, toolbar) are shown. The Report and histogram data group box chooses which value those two views present for each counter: the default (current value), current, average, minimum or maximum over the displayed samples. Appearance selects a 3D or Flat display, and Border adds a border around the graph. Sample automatically every X seconds sets the refresh interval; clear it to freeze the display. Allow duplicate counter instances lets the same counter instance be added to the view more than once.
Figure 4 : General tab of System Monitor

Source tab of the System Monitor

The Source tab selects the data source for the System Monitor. There are three choices. The first is the current activity of the system, selected with the Current activity option. The second is one or more log files, selected with the Log files option; add the files with the Add button and remove unwanted ones with Remove. The third is a database: enter the Data Source Name (DSN) and select the log set to read. For log file and database sources, the Time Range control restricts the view to part of the logged period. Please refer to Figure 5 for details.
Figure 5 : Source tab of System Monitor
Graph tab of the Systems Monitor

The Graph tab configures the format of the graph. You can give the graph a title and a vertical axis label, show vertical and horizontal grid lines, and set the minimum and maximum of the vertical scale. Figure 6 shows the Graph tab of the System Monitor.
Figure 6 : Graph tab of System Monitor
Appearance tab of the System Monitor

The final tab is the Appearance tab, which controls the look of the System Monitor graph: background and foreground colors and fonts. The Appearance tab is shown in Figure 7.
Figure 7 : Appearance tab of System Monitor

Using Performance Logs and Alerts
This section of the Performance console is used to configure logging of performance data and to have the system alert you when thresholds are reached. Let’s look closely at the Performance Logs and Alerts section.
In the left pane of the Performance MMC, expand the Performance Logs and Alerts node, and you will see that this section has three child nodes. These are:
· Counter Logs
· Trace Logs
· Alerts
All these logs and alerts can be configured, started or stopped using the Performance utility. Let’s investigate the Counter logs first.
Counter Logs
Counter logs store performance counter values at a fixed interval so that the data can be analyzed later (or replayed in System Monitor through the Source tab). Let’s learn how to create a counter log.

1. Click Start, Run and type perfmon.
2. Expand Performance Logs and Alerts in the left pane of the Performance console.
3. Right-click Counter Logs and select New Log Settings.
4. Enter a name for the counter log; we will use Test_Memory_Log for demonstration purposes. You are then presented with the Properties dialog box for the new log, similar to Figure 8.
Figure 8 : General tab of Counter Log
The log file name is assigned automatically from the log name. The Counters section selects what is logged: Add Objects adds every counter of an object, and Add Counters lets you pick individual counters (for this demonstration we add the Memory counters). The Interval and Units boxes set how often a sample is written. The Log Files and Schedule tabs hold further settings; the Log Files tab is shown in Figure 9.
Figure 9 : Log Files tab of Counter Logs
The Log file type box selects the format: binary (.blg), binary circular, comma-delimited text (.csv), tab-delimited text (.tsv) or SQL database. The Configure button sets the location, file name and maximum size for the chosen type. End file names with appends a date or sequence number to each file; Figure 9 uses the month-day-year format. The Comment field stores a description of the log, and the Overwrite existing log file check box replaces a previous file of the same name. Let’s investigate the Schedule tab now (please refer to Figure 10).
Figure 10 : Schedule tab for Counter Logs
This tab sets when the log starts and stops. The Start log group box starts the log manually or at a given date and time. The Stop log group box stops it manually, after a given number of seconds, minutes, hours or days, or at a given date and time. The When a log file closes options then either start a new log file or run a command (for example, one that copies the finished file to the machine where it will be analyzed).
5. Click OK or Apply to save the settings.
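The same counter log can be created without the wizard. The block below is an added example, not part of the original article, that builds the Test_Memory_Log described in the steps above with logman.exe, which ships with Windows Server 2003, and then uses relog.exe to thin the result for charting. It is written for a PowerShell prompt but every command is a plain executable call, so it works from cmd.exe too. Assumptions: the commands run elevated, C:\PerfLogs is the log directory, and the begin/end dates are placeholders you replace with your own. Note that logman's -v switch offers only a sequence number (nnnnnn) or a month-day-hour-minute stamp (mmddhhmm), not the month-day-year suffix the wizard shows.

```powershell
# Added example (not from the original article): Test_Memory_Log via logman.exe.
# Assumes an elevated prompt and C:\PerfLogs as the log directory (assumption).
New-Item -ItemType Directory -Path 'C:\PerfLogs' -Force | Out-Null

# Create the log: the Memory counters from the Note on leaks, a 15-second interval,
# CSV output, a start-time stamp on the file name, and a daily collection window
# between the begin (-b) and end (-e) times (placeholder dates; -r repeats daily).
logman create counter Test_Memory_Log `
    -c '\Memory\Available MBytes' '\Memory\Pages/sec' '\Memory\Committed Bytes' '\Memory\Pool Nonpaged Bytes' `
    -si 00:00:15 `
    -f csv `
    -o 'C:\PerfLogs\Test_Memory_Log' `
    -v mmddhhmm `
    -b 07/31/2009 08:00:00 -e 07/31/2009 18:00:00 -r

# Start immediately instead of waiting for the schedule, check its state, stop it.
logman start Test_Memory_Log
logman query Test_Memory_Log
logman stop  Test_Memory_Log

# Logs are written on the monitored server; keep them on a disk other than the
# one being measured (see the Note under Monitoring disk objects below).
# relog.exe filters or resamples a finished log. With a 15-second interval, keeping
# every 4th record (-t 4) gives one-minute resolution for a single counter.
# The input name below assumes the log was started on 07/31 at 08:00.
relog 'C:\PerfLogs\Test_Memory_Log_07310800.csv' -f csv -c '\Memory\Pages/sec' -t 4 -o 'C:\PerfLogs\pages_per_sec.csv'

# Remove the collector when it is no longer needed.
logman delete Test_Memory_Log
```

logman query with no name lists every collector on the machine, which is also a quick way to spot a log somebody else left running against a production disk. Binary (.blg) output is smaller than CSV and can be opened directly from the System Monitor Source tab; use -f bin for long-running collections and convert with relog -f csv only when you need a spreadsheet.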

Optimizing Servers for Application Performance
In a production environment, you need to optimize your servers to get the maximum throughput for your mission critical applications. In the following sections, we will address the specifics of monitoring and optimizing memory objects, network objects, process objects and disk objects to provide the best performance for your servers. The source data for the optimization is obtained by analyzing the performance counters related to each object. You can use the System Monitor, discussed earlier in the chapter, to monitor these counters. In each of the following sections, we will discuss which counters should be monitored and the actions you can take to address the problems you detect. Please refer to table 1 to learn about the thresholds for each counter.
Common optimization tips
A lack of memory is the most common performance problem on client workstations, so investigate memory first when a workstation is slow. Servers, on the other hand, are more prone to disk and network bottlenecks. Here are some guidelines for optimization work:
· Make one change at a time. Make the change and then test the system to observe the effect; if you make several changes simultaneously you cannot tell which one made the difference.
· Watch the Event Log closely while you make modifications; unstable applications log errors there.
· Try running the application locally (as opposed to from a network server). If it is fast locally and slow over the network, the network is the suspect.
Monitoring memory objects
Memory issues often contribute to performance problems. You can use the System Monitor to monitor various counters related to the memory object. The most important performance counters that can be monitored to detect memory problems include the following:
· Memory:Available Bytes
· Memory:Pages/sec

Memory:Available Bytes is the amount of physical memory immediately available to processes. The traditional recommendation is to keep at least 4 MB available and to take immediate action if the figure drops below that. That floor dates from much smaller machines; on a server with gigabytes of RAM, a sustained drop of available memory toward a few percent of the total deserves the same attention.
Memory:Pages/sec is the rate at which pages are read from or written to disk to resolve hard page faults. The recommended threshold is 20; if the counter stays above 20, take action. (Alerts under the Performance Logs and Alerts node can notify the system administrator when this happens.) The most common memory problem is a memory leak caused by faulty application code. Following are some recommendations for remedying memory issues:
· Find the minimum memory each application needs. Task Manager makes this easy: compare the available memory before and after the application loads. Make sure available memory exceeds this value, and add physical RAM if it does not.
· Create paging files on several physical disks. Paging I/O is then spread across spindles instead of contending on one disk.
· Re-evaluate the paging file size. The usual recommendation is 1.5 times the installed physical RAM. If committed virtual memory regularly approaches the limit, add physical memory rather than simply enlarging the file.
· Run your most memory-intensive applications on your best-equipped computers, or reschedule them to run when the system load is light.
Note
The first step in detecting a memory leak is to watch Memory:Available Bytes and Memory:Committed Bytes over time. Suspect a leak when available memory declines steadily (by more than 4 MB in this chapter’s guidance) while committed bytes rise, without a matching rise in workload. Isolate the candidate applications and run them one at a time against these counters to find the one responsible; Process:Private Bytes, Process:Working Set and Process:Handle Count for the suspect process confirm it (a leaking process shows private bytes, and often handles, growing without bound). A kernel-mode component can leak too; in that case watch Memory:Pool Nonpaged Bytes, Memory:Pool Nonpaged Allocs and Process(process name):Pool Nonpaged Bytes. Kernel-mode code allocates from the nonpaged pool, which is never paged out, so those are the counters that reveal it.
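The Note describes a trend, not a snapshot: what matters is whether these counters keep moving in one direction over a run. The following is an added example (not from the original article) that samples the counters the Note names over a fixed window, fits a least-squares slope to each series and applies the Note's reasoning: a process whose Private Bytes and Handle Count climb while Available Bytes falls is a user-mode suspect, and a climbing Pool Nonpaged Bytes points at a kernel-mode driver. It assumes PowerShell 2.0; 'svchost' is only a placeholder process name (where several processes share a name, the un-numbered instance is the first one), and nothing here is a claim about any particular leak.

```powershell
# Added example (not from the original article): a memory-leak trend check built on
# the counters the Note lists. Assumes PowerShell 2.0; process name is a placeholder.

function Get-Slope {
    # Least-squares slope of a series, in units per sample; positive means growing.
    param([double[]] $Values)
    $n = $Values.Count
    if ($n -lt 2) { return 0.0 }
    $xMean = ($n - 1) / 2.0
    $yMean = ($Values | Measure-Object -Average).Average
    $num = 0.0; $den = 0.0
    for ($i = 0; $i -lt $n; $i++) {
        $num += ($i - $xMean) * ($Values[$i] - $yMean)
        $den += ($i - $xMean) * ($i - $xMean)
    }
    return $num / $den
}

function Test-MemoryLeak {
    param(
        [string] $ProcessName = 'svchost',   # assumption: placeholder process to watch
        [int] $Samples = 30,                 # 30 samples x 10 s = a five-minute window
        [int] $IntervalSeconds = 10
    )
    $paths = @(
        '\Memory\Available Bytes',
        '\Memory\Committed Bytes',
        '\Memory\Pool Nonpaged Bytes',
        "\Process($ProcessName)\Private Bytes",
        "\Process($ProcessName)\Working Set",
        "\Process($ProcessName)\Handle Count",
        "\Process($ProcessName)\Pool Nonpaged Bytes"
    )
    $sets = Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $Samples -ErrorAction SilentlyContinue

    # Collect one series per counter. Returned paths carry a \\machine prefix; strip it
    # so the keys match the paths requested (hashtable lookups are case-insensitive).
    $series = @{}
    foreach ($set in $sets) {
        foreach ($s in $set.CounterSamples) {
            $key = $s.Path -replace '^\\\\[^\\]+', ''
            if (-not $series.ContainsKey($key)) { $series[$key] = @() }
            $series[$key] += [double] $s.CookedValue
        }
    }

    # Slope per counter, converted from per-sample to per-minute.
    $slopes = @{}
    foreach ($key in $series.Keys) {
        $slopes[$key] = (Get-Slope $series[$key]) * (60.0 / $IntervalSeconds)
    }
    $slopes.GetEnumerator() | Sort-Object Name | ForEach-Object {
        '{0,-45} {1,15:N0} per minute' -f $_.Name, $_.Value
    }

    # The Note's interpretation rules.
    $avail   = $slopes['\Memory\Available Bytes']
    $priv    = $slopes["\Process($ProcessName)\Private Bytes"]
    $handles = $slopes["\Process($ProcessName)\Handle Count"]
    $npool   = $slopes['\Memory\Pool Nonpaged Bytes']
    if ($priv -ne $null -and $avail -lt 0 -and $priv -gt 0 -and $handles -gt 0) {
        "SUSPECT user-mode leak: $ProcessName private bytes and handles grow while available memory falls."
    }
    if ($npool -ne $null -and $npool -gt 0) {
        "SUSPECT kernel-mode leak: nonpaged pool grows; identify the driver by pool tag (poolmon)."
    }
}

Test-MemoryLeak -ProcessName 'svchost' -Samples 30 -IntervalSeconds 10
```

Five minutes is enough to see a fast leak; a slow one needs a counter log running for hours or days and the same slope computation over the exported CSV. Treat a positive slope as a reason to isolate the process, as the Note says, not as proof: caches and garbage-collected runtimes grow legitimately until they reach a plateau, so re-run with a longer window before acting.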
Monitoring network objects
Monitoring network objects means tracking overall network traffic, together with the server’s processor and memory data, because a problem in the network stack can show up as a memory problem on the server.

Monitor the network counters alongside Processor:% Processor Time, PhysicalDisk:% Disk Time and Memory:Pages/sec. Most network components (adapter drivers and protocol stacks) use nonpaged memory. If the computer is paging heavily, networking may be consuming the memory and applications are being paged out to disk; the symptom is Memory:Pages/sec rising while Server:Bytes Total/sec falls. Check the System log in Event Viewer to confirm: the Server service (source Srv) logs event 2019 when it runs out of nonpaged pool and event 2020 when it runs out of paged pool.
Note
The paging file should be approximately 1.5 times the installed RAM; the operating system sets this initial size automatically. If committed memory regularly approaches the paging file limit the system becomes unstable (a common cause is a network problem that causes excessive paging of applications).
There are specialized performance counters that can be used to optimize network usability. The following are important network related performance counters:
· Network Interface: Bytes Total/sec, Bytes Sent/sec and Bytes Received/sec. These counters show the throughput of each network adapter. Investigate sustained sent or received values that depart from your baseline. The right threshold depends on the adapter and the network topology; dividing Bytes Total/sec by the adapter’s Current Bandwidth counter (bits per second, so multiply bytes by 8) expresses it as utilization.
· Protocol-layer objects (TCPv4, TCPv6, IPv4, IPv6 and the other installed protocols): Segments Received/sec, Segments Sent/sec, Datagrams/sec, Frames Sent/sec and Frames Received/sec. Each object covers a single protocol and shows how that protocol is performing. (A segment is a unit of TCP data, a datagram a unit of IP data and a frame a unit of link-layer data.) Investigate when the figures depart from the baseline you have established for the organization.
· Server: Bytes Total/sec, Bytes Received/sec and Bytes Sent/sec. These show how much data the Server service (file and print sharing) moves over the network. They are closely coupled to the protocol-layer and Network Interface counters: when they are high, protocol and adapter activity should be high too. Investigate when the layers disagree (for example, a hardware fault that consumes server resources shows as high server utilization with low network and protocol activity).
Monitor network traffic continuously and make sure it does not exceed the capacity of your Local Area Network (LAN). Use the Network Monitor tool to capture and examine traffic in detail (it is not installed by default on Windows Server 2003; add it through Add/Remove Programs, Windows Components, Management and Monitoring Tools). Here are some recommendations to optimize your network performance:

· Unbind protocols from, or remove, network adapters that are unused or rarely used; the system still has to service them.
· Keep users and the domain controllers that serve them on the same subnet or Active Directory site, so that authentication and replication traffic does not cross slow links.
· If several network/transport protocols are bound to an adapter, the binding order matters. For example, with both TCP/IP and IPX/SPX bound to a NIC, put the most used protocol at the top of the list. Some protocols are optimized for specific network topologies, so identify the protocols you actually need, remove the rest (each unneeded protocol is also listening attack surface) and tune the ones you keep for maximum throughput.
Monitoring process objects
Monitoring processor and system counters shows how the processors in a Windows Server 2003 server are being used. The most important counters to monitor are:
· Processor:% Processor Time and Process(process):% Processor Time. These show how busy the processors are; the Process(process) counter gives the figure for a single process. A high percentage means the server is handling a lot of requests; a low one means it is mostly idle. Common practice is to add processors when the counter stays above 80% (the right threshold depends on what the server is dedicated to).
· System:Processor Queue Length. The number of threads waiting for a processor. This chapter’s conservative threshold is 1; a sustained value above 2 per processor is the commonly cited sign of a bottleneck. If it is exceeded often, add processors or upgrade to faster ones.
· Processor:Interrupts/sec. The rate of hardware interrupts from devices (disks, network adapters and so on). If it is high, update the device drivers or distribute the devices across processors. The threshold varies from processor to processor; a common benchmark is 1000 interrupts per second per processor, so investigate above that.
· Server Work Queues:Queue Length. The number of requests waiting in a Server service work queue. The recommended threshold is 4; more than 4 items in the queue for a sustained period indicates processor congestion. Add processing power, or redirect clients to another server.
Watching these counters tells you whether the processor(s) are the bottleneck that needs to be addressed. After memory, the processor is the most common system bottleneck.
Monitoring disk objects
Another component to monitor when optimizing a server is disk activity. In today’s fast-processor, memory-packed computers the hard disk is often the bottleneck. One way to increase disk performance is to spread the workload over multiple disks. Disk activity can be monitored with the following performance counters.
· PhysicalDisk:% Disk Time and % Idle Time. The percentage of elapsed time the disk was busy, and the percentage it was idle. If disk time is high, consider moving some applications to other servers or disks. The threshold is 90% busy (equivalently, under 10% idle); investigate above it.
· PhysicalDisk:Disk Reads/sec and Disk Writes/sec. The number of read and write operations completed per second. Long delays indicate a disk hardware problem or a long queue of requests. The limits depend on the manufacturer and the drive (an Ultra Wide SCSI drive, for example, handles roughly 50 to 70 I/O operations per second). If the drive’s limit is being reached, upgrade it or reduce the load on it.
· PhysicalDisk:Avg. Disk Queue Length. The average number of read and write requests queued for the disk, including the one in service, over the sample interval. The threshold is the number of spindles plus two. Above that, requests wait and disk transactions slow down; add spindles (more disks in the array) or spread the load across more disks.
· LogicalDisk:% Free Space. Free space on the volume as a percentage of its capacity. Paging problems occur when there is little space for the system to swap data to, and operating system errors occur if the partition holding the OS fills up.
Note
Log performance data to a different drive than the one you are measuring; otherwise the logging writes skew the statistics.
· LogicalDisk:Avg. Disk sec/Transfer. The average time a disk transfer takes. The longer it takes, the slower the disk subsystem (controller, bus or drive). This chapter recommends keeping it below 0.3 seconds for most controllers; that is a lenient limit, and healthy hardware completes most transfers in well under 25 milliseconds.
· PhysicalDisk:Disk Bytes/sec. The throughput of the disk.

Note
The following are recommendations for optimizing disk activity on the server:
· When you upgrade a disk, upgrade the disk controller and bus with it. A fast disk does no good if the controller and bus cannot support its speed.
· Distribute applications across multiple disks: place different applications on different disks, but keep each application’s own files together on one disk so that it does not seek across several.
· Run Disk Defragmenter regularly (especially after deleting large amounts of data) so that the data belonging to a file is contiguous on the partition; this minimizes seek time.
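The thresholds scattered through the memory, processor and disk sections above are what this chapter keeps calling Table 1. The following is an added example, not code from the original article, that gathers them into one PowerShell check: each rule names a counter path, a comparison and the chapter's limit, the counters are sampled for a few seconds, the worst instance is compared against the limit, and only breaches are reported, so the script can be scheduled or its rules copied into the Alerts node. Assumptions: PowerShell 2.0; $Spindles is the number of physical disks behind PhysicalDisk(_Total) and must be set by you; per-processor limits are scaled by the processor count because the _Total instances sum across processors; network counters are left out because, as the text says, their thresholds depend on the adapter.

```powershell
# Added example (not from the original article): the chapter's counter thresholds
# as a scheduled check. Assumes PowerShell 2.0; $Spindles is an assumption to set.

function Test-PerformanceThresholds {
    param(
        [int] $Spindles = 1,      # assumption: physical disks behind PhysicalDisk(_Total)
        [int] $SampleCount = 5    # samples per counter, one second apart
    )
    $cpuCount = [Environment]::ProcessorCount

    # Each rule: counter path, comparison (gt/lt), limit, and the chapter's remedy.
    $rules = @(
        @{ Path = '\Memory\Available Bytes';                     Op = 'lt'; Limit = 4MB;              Remedy = 'add RAM or find the process consuming it' },
        @{ Path = '\Memory\Pages/sec';                           Op = 'gt'; Limit = 20;               Remedy = 'add RAM; spread paging files across disks' },
        @{ Path = '\Processor(_Total)\% Processor Time';         Op = 'gt'; Limit = 80;               Remedy = 'add or upgrade processors, or move load' },
        @{ Path = '\System\Processor Queue Length';              Op = 'gt'; Limit = 2 * $cpuCount;    Remedy = 'add or upgrade processors (chapter uses 1)' },
        @{ Path = '\Processor(_Total)\Interrupts/sec';           Op = 'gt'; Limit = 1000 * $cpuCount; Remedy = 'update device drivers; rebalance devices across CPUs' },
        @{ Path = '\Server Work Queues(*)\Queue Length';         Op = 'gt'; Limit = 4;                Remedy = 'add processing power or redirect clients' },
        @{ Path = '\PhysicalDisk(_Total)\% Disk Time';           Op = 'gt'; Limit = 90;               Remedy = 'move applications or data to other disks/servers' },
        @{ Path = '\PhysicalDisk(_Total)\Avg. Disk Queue Length'; Op = 'gt'; Limit = $Spindles + 2;  Remedy = 'add spindles or spread I/O across disks' },
        @{ Path = '\LogicalDisk(_Total)\Avg. Disk sec/Transfer'; Op = 'gt'; Limit = 0.3;             Remedy = 'check the disk subsystem and controller' }
    )

    foreach ($rule in $rules) {
        $samples = Get-Counter -Counter $rule.Path -SampleInterval 1 -MaxSamples $SampleCount -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty CounterSamples
        if (-not $samples) { continue }   # counter not present on this machine

        # Average each instance over the window (the chapter wants sustained values),
        # then judge the worst instance: highest for 'gt' rules, lowest for 'lt'.
        $perInstance = $samples | Group-Object Path | ForEach-Object {
            ($_.Group | Measure-Object CookedValue -Average).Average
        }
        if ($rule.Op -eq 'gt') {
            $observed = ($perInstance | Measure-Object -Maximum).Maximum
            $breached = $observed -gt $rule.Limit
        } else {
            $observed = ($perInstance | Measure-Object -Minimum).Minimum
            $breached = $observed -lt $rule.Limit
        }
        New-Object PSObject -Property @{
            Path     = $rule.Path
            Observed = [math]::Round($observed, 2)
            Limit    = $rule.Limit
            Breached = $breached
            Remedy   = $rule.Remedy
        }
    }
}

# Show only what needs attention. Run from Task Scheduler, or copy the same
# path/limit pairs into the Alerts node for unattended notification.
Test-PerformanceThresholds -Spindles 1 |
    Where-Object { $_.Breached } |
    Format-Table Path, Observed, Limit, Remedy -AutoSize
```

Five one-second samples catch a bottleneck that is present right now; to honour the chapter's "sustained" wording, run it from a scheduled task every few minutes and act on repeated breaches, or raise $SampleCount. Dropping the Where-Object filter prints the whole table, which is a handy baseline to file alongside the server's build documentation.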

Thursday, April 2, 2009

Install Windows Server 2008 Server Roles

Install Windows Server 2008 Server Roles with Server Manager

Server roles in Windows Server 2008
The following server roles are available in Windows Server 2008.

Active Directory Certificate Services. Active Directory® Certificate Services (AD CS) provides customizable services for creating and managing public key certificates used in software security systems employing public key technologies.

File Services. File Services provides technologies for storage management, file replication, distributed namespace management, fast file searching, and streamlined client access to files.

Active Directory Domain Services. Active Directory Domain Services (AD DS) stores information about users, computers, and other devices on the network. AD DS helps administrators securely manage this information and facilitates resource sharing and collaboration between users.

Hyper-V. Hyper-V provides the services that you can use to create and manage virtual machines and their resources. Each virtual machine is a virtualized computer system that operates in an isolated execution environment. This allows you to run multiple operating systems simultaneously.

Active Directory Federation Services. Active Directory Federation Services (AD FS) provides Web single-sign-on (SSO) technologies to authenticate a user to multiple Web applications by using a single user account. AD FS accomplishes this by securely federating, or sharing, user identities and access rights, in the form of digital claims, between partner organizations.

Network Policy and Access Services. Network Policy and Access Services delivers a variety of methods to provide users with local and remote network connectivity, to connect network segments, and to allow network administrators to centrally manage network access and client health policies.

Active Directory Lightweight Directory Services. Organizations that have applications that require a directory for storing application data can use Active Directory Lightweight Directory Services (AD LDS) as the data store.

Print Services. Print Services enables the management of print servers and printers. A print server reduces administrative and management workload by centralizing printer management tasks.

Active Directory Rights Management Services. Active Directory Rights Management Services (AD RMS) is information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use.

Terminal Services. Terminal Services provides technologies that enable users to access Windows-based programs that are installed on a terminal server, or to access the Windows desktop itself from almost any computing device. Users can connect to a terminal server to run programs and to use network resources on that server.

Application Server. Application Server provides a complete solution for hosting and managing high-performance distributed business applications. Integrated services, such as the .NET Framework, Web Server Support, Message Queuing, COM+, Windows Communication Foundation, and failover clusters boost productivity throughout the application life cycle.

Universal Description, Discovery, and Integration Services. Universal Description, Discovery, and Integration (UDDI) Services provides UDDI capabilities for sharing information about Web services within an organization's intranet, between business partners on an extranet, or on the Internet. UDDI Services can help improve the productivity of developers and IT professionals with more reliable and manageable applications.

DHCP Server. Dynamic Host Configuration Protocol (DHCP) allows servers to assign, or lease, IP addresses to computers and other devices that are enabled as DHCP clients. Deploying DHCP servers on the network automatically provides computers and other TCP/IP-based network devices with valid IP addresses and the additional configuration parameters these devices need.

Web Server. Web Server, or Internet Information Services (IIS), enables sharing of information on the Internet, an intranet, or an extranet. It is a unified Web platform that integrates IIS 7.0, ASP.NET, and Windows Communication Foundation. IIS 7.0 also features enhanced security, simplified diagnostics, and delegated administration.

DNS Server. Domain Name System (DNS) provides a standard method for associating names with numeric Internet addresses. This makes it possible for users to refer to network computers by using easy-to-remember names instead of a long series of numbers.

Windows Deployment Services. You can use Windows Deployment Services to install and configure Windows operating systems remotely on computers by using Pre-Boot Execution Environment (PXE) boot ROMs. Administration overhead is decreased through the implementation of the WdsMgmt Microsoft Management Console (MMC) snap-in, which manages all aspects of Windows Deployment Services.

Fax Server. Fax Server sends and receives faxes, and allows you to manage fax resources such as jobs, settings, reports, and fax devices on this computer or on the network.
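Server Manager is the graphical way to add the roles listed above; the same operations are available from the command line through ServerManagerCmd.exe on Windows Server 2008 (it is deprecated in Windows Server 2008 R2 in favour of the ServerManager PowerShell module). The block below is an added example, not part of the original post. It assumes an elevated prompt; Web-Server and DNS are the role identifiers ServerManagerCmd -query prints for the Web Server and DNS Server roles, and Fax is assumed to be the identifier for the Fax Server role, so confirm all of them against your own -query output before running anything.

```powershell
# Added example (not from the original post): role management with ServerManagerCmd.exe
# on Windows Server 2008. Run elevated; confirm role identifiers with -query first.

# List every role and feature with its identifier and installed state.
ServerManagerCmd.exe -query

# Preview what installing the Web Server (IIS) role would add, including the
# role services and dependencies it pulls in, without changing the server.
ServerManagerCmd.exe -install Web-Server -whatIf

# Install the DNS Server role and keep the result as XML for the change record.
ServerManagerCmd.exe -install DNS -resultPath C:\Temp\dns-install.xml

# Every role adds services and listening ports. Remove roles the server no longer
# needs so their attack surface goes with them ('Fax' is an assumed identifier).
ServerManagerCmd.exe -remove Fax -whatIf
```

Treat the -query output as part of the server's security baseline: a diff between yesterday's and today's listing shows any role that was added outside the change process, which is the sort of drift an attacker or a well-meaning administrator introduces when enabling IIS or Terminal Services "just for a moment".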
By ajay Singh

Tuesday, February 24, 2009

Overview of Editions of Server 2008

Windows Server 2008 is available in multiple editions to support the varying server and workload needs of organizations. The edition summaries below outline the key differences by server role and features:


Windows Server 2008 Datacenter delivers an enterprise-class platform for deploying business-critical applications and large-scale virtualization on small and large servers. Improve availability with clustering and dynamic hardware partitioning capabilities. Reduce infrastructure costs by consolidating applications with unlimited virtualization licensing rights. Scale from 2 to 64 processors. Windows Server 2008 Datacenter provides a foundation on which to build enterprise-class virtualization and scale-up solutions.

Windows Server 2008 Enterprise delivers an enterprise-class platform for deploying business-critical applications. Help improve availability with clustering and hot-add processor capabilities. Help improve security with consolidated identity management features. Reduce infrastructure costs by consolidating applications with virtualization licensing rights. Windows Server 2008 Enterprise provides the foundation for a highly dynamic, scalable IT infrastructure.

Windows Server 2008 Standard is the most robust Windows Server operating system to date. With built-in, enhanced Web and virtualization capabilities, it is designed to increase the reliability and flexibility of your server infrastructure while helping save time and reduce costs. Powerful tools give you greater control over your servers, and streamline configuration and management tasks. Plus, enhanced security features work to harden the operating system to help protect your data and network and provide a solid, highly dependable foundation for your business.

Windows Web Server 2008 is designed to be used specifically as a single-purpose Web server, and delivers on a rock-solid foundation of Web infrastructure capabilities in the next-generation Windows Server 2008. Integrated with the newly re-architected IIS 7.0, ASP.NET, and the Microsoft .NET Framework, Windows Web Server 2008 enables any organization to rapidly deploy Web pages, Web sites, Web applications, and Web services.

Windows HPC Server 2008, the next generation of high-performance computing (HPC), provides enterprise-class tools for a highly productive HPC environment. Windows HPC Server 2008 can efficiently scale to thousands of processing cores and includes management consoles that help you to proactively monitor and maintain system health and stability. Job scheduling interoperability and flexibility enables integration between Windows and Linux based HPC platforms, and supports batch and service oriented application (SOA) workloads.

Windows Server 2008 for Itanium-Based Systems is optimized for large databases, line of business, and custom applications providing high availability and scalability for up to 64 processors to meet the needs of demanding and mission-critical solutions.
The Datacenter, Enterprise and Standard editions are also sold in variants that omit the Hyper-V role:
Windows Server 2008 Datacenter without Hyper-V.
Windows Server 2008 Enterprise without Hyper-V.
Windows Server 2008 Standard without Hyper-V.

Creating and Deploying Active Directory

Creating and Deploying Active Directory Rights Management Services Templates Step-by-Step Guide

This step-by-step guide provides instructions for setting up a test environment for creating and deploying Active Directory Rights Management Services (AD RMS) rights policy templates on the Windows Server® 2008 operating system.
This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release, and is the confidential and proprietary information of Microsoft Corporation. It is disclosed pursuant to a non-disclosure agreement between the recipient and Microsoft. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.


Active Directory, Microsoft, MS-DOS, Vista, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Contents
Creating and Deploying Active Directory Rights Management Services Rights Policy Templates Step-by-Step Guide
About this Guide
What This Guide Does Not Provide
Deploying AD RMS in a Test Environment
Step 1: Creating a Shared Folder on the AD RMS Cluster
Step 2: Creating an AD RMS Rights Policy Template
Step 3: Configuring the AD RMS client
Step 4: Verifying AD RMS Functionality using ADRMS-CLNT
Creating and Deploying Active Directory Rights Management Services Rights Policy Templates Step-by-Step Guide
About this Guide
This step-by-step guide walks you through the process of creating and deploying Active Directory Rights Management Services (AD RMS) policy templates in a test environment. During this process you create a rights policy template, deploy this template to a client computer running Windows Vista® and Microsoft® Office Word 2007, and verify that the client computer can rights-protect a document by using the newly-created rights policy template.
Once complete, you can use the test lab environment to assess how AD RMS rights policy templates can be created with Windows Server® 2008 and deployed within your organization.
As you complete the steps in this guide, you will:
• Create an AD RMS rights policy template.
• Deploy the rights policy template.
• Verify AD RMS functionality after you complete the configuration.
The goal of an AD RMS deployment is to be able to protect information, no matter where it is moved. Once AD RMS protection is added to a digital file, the protection stays with the file. By default, only the content owner is able to remove the protection from the file. The owner can grant rights to other users to perform actions on the content, such as the ability to view, copy, or print the file.
What This Guide Does Not Provide
This guide does not provide the following:
• Guidance for setting up and configuring AD RMS in either a production or test environment. This guide assumes that AD RMS is already configured for a test environment. For more information about configuring AD RMS, see the Windows Server Active Directory Rights Management Services Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=72134).
• A complete technical reference for AD RMS or for deploying AD RMS templates within your organization. In a large organization, Systems Management Server (SMS) or Group Policy can provide a way to deploy AD RMS rights policy templates to several workstations at a time.
Deploying AD RMS in a Test Environment
We recommend that you first use the steps provided in this guide in a test lab environment. Step-by-step guides are not necessarily meant to be used to deploy Microsoft products without accompanying documentation and should be used with discretion as a stand-alone document. Before you start the steps in this guide, you will need to use the steps provided in the Windows Server Active Directory Rights Management Services Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=72134), also in a lab environment. That guide prepares the basic infrastructure for an AD RMS deployment, with an AD RMS cluster, AD RMS Logging database, and domain controller. This step-by-step guide builds on the previous guide, so it is important to complete it before starting this one. On completion of this step-by-step guide, you will have a working AD RMS rights policy template. You can then test and verify AD RMS rights policy template functionality through the simple task of restricting permissions on a Microsoft Office Word 2007 document with the rights policy template created in this guide.
The test environment described in this guide includes four computers connected to a private network and using the following operating systems, applications, and services:

Computer name   Operating system                      Applications and services
ADRMS-SRV       Windows Server 2008                   AD RMS, Internet Information Services (IIS) 7.0, World Wide Web Publishing Service, Message Queuing (also known as MSMQ), and Windows Internal Database
CPANDL-DC       Windows Server 2003 with Service Pack 1 (SP1)   Active Directory®, Domain Name System (DNS)
ADRMS-DB        Windows Server 2003 with SP1          Microsoft SQL Server™ 2005 Standard Edition
ADRMS-CLNT      Windows Vista                         Microsoft Office Word 2007 Enterprise Edition
The computers form a private intranet and are connected through a common hub or Layer 2 switch. This configuration can be emulated in a virtual server environment if desired. This step-by-step exercise uses private addresses throughout the test lab configuration. The private network ID 10.0.0.0/24 is used for the intranet. The domain controller is named CPANDL-DC for the domain named cpandl.com.

The following figure shows the configuration of the test environment:
Step 1: Creating a Shared Folder on the AD RMS Cluster
To ease administration of the rights policy templates, you can store AD RMS rights policy templates in a central location so that they can be copied to the AD RMS clients. Some distribution methods include using Systems Management Server, Group Policy, or manually copying the templates to the AD RMS client. In this guide, the rights policy templates are copied manually.
Note
The AD RMS service account must have Write access to the rights policy template shared folder in order for the rights policy template export function to work correctly.
To create a shared folder for the AD RMS rights policy templates and set appropriate permissions for the AD RMS service account, do the following:
To create an AD RMS rights policy templates shared folder
1. Log on to ADRMS-SRV as CPANDL\Administrator.
2. Click Start, click Computer, and then double-click Local Disk (C:).
3. Create a new folder named ADRMSTemplates. Click Organize, click New Folder, type the name ADRMSTemplates, and then press ENTER.
4. Right-click the ADRMSTemplates folder, and then click Properties.
5. Click the Sharing tab, and then click Advanced Sharing.
6. Select the Share this Folder check box, and then click Permissions.
7. Click Add, in the Enter the object names to select box type CPANDL\ADRMSSRVC, and then click OK.
8. In the Group or user names box, click ADRMSSRVC (ADRMSSRVC@cpandl.com), and then, in the Permissions for ADRMSSRVC box, select the Change check box in the Allow column.
9. Click OK twice.
10. Click the Security tab, and then click Edit.
11. Click Add, in the Enter the object names to select box type CPANDL\ADRMSSRVC, and then click OK.
12. Click ADRMSSRVC (ADRMSSRVC@cpandl.com), and then, in the Permissions for ADRMSSRVC box, select the Modify check box in the Allow column, and then click OK.
13. Click Close.
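The same folder, share and permissions can be created from an elevated PowerShell prompt on ADRMS-SRV. This is an added example, not part of the Microsoft guide; it drives the net share and icacls tools that ship with Windows Server 2008 and uses the folder, share and service-account names from the steps above. Two things in it are assumptions rather than taken from the guide: the Employees group is written as CPANDL\Employees, and it is granted Read access here (the guide grants it in prose under Step 2, because clients need to read the templates). The script finishes by printing both permission lists so you can confirm that only the service account can write: a template share writable by ordinary users would let anyone publish a "Company Confidential" template that grants themselves Full Control.

```powershell
# Added example (not from the guide): create the ADRMSTemplates folder and
# share on ADRMS-SRV with the permissions used in Step 1, then print them.
# Run from an elevated PowerShell prompt on the AD RMS server.

$folder         = 'C:\ADRMSTemplates'
$shareName      = 'ADRMSTemplates'
$serviceAccount = 'CPANDL\ADRMSSRVC'   # AD RMS service account, from the guide
$readers        = 'CPANDL\Employees'   # ASSUMED group name for employees@cpandl.com

# 1. Folder. -Force keeps this idempotent if the folder already exists.
New-Item -Path $folder -ItemType Directory -Force | Out-Null

# 2. NTFS permissions. Modify (M) for the service account so the export can
#    create and overwrite template files; Read and execute (RX) for readers.
#    (OI)(CI) makes the entry inherit to files and subfolders.
icacls $folder /grant "$($serviceAccount):(OI)(CI)M" | Out-Null
icacls $folder /grant "$($readers):(OI)(CI)RX"       | Out-Null

# 3. Share permissions. Change for the service account (matches the GUI step),
#    Read for the employees group. Nobody else is granted anything.
net share "$shareName=$folder" "/GRANT:$serviceAccount,CHANGE" "/GRANT:$readers,READ" | Out-Null

# 4. Show the result. Both lists should contain only the two principals above;
#    an Everyone or Users entry with Change/Modify here is a misconfiguration.
Write-Host "--- NTFS ACL on $folder ---"
icacls $folder
Write-Host "--- Share permissions on $shareName ---"
net share $shareName
```

The split between the two permission sets matters: share permissions and NTFS permissions are both evaluated, and the effective right is the more restrictive of the two, so Read on the share is enough to stop a client from altering templates even if the NTFS ACL is later loosened by accident.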
Step 2: Creating an AD RMS Rights Policy Template
As mentioned earlier in this guide, AD RMS rights policy templates are created on the AD RMS cluster and then exported to a shared folder. If your users will be using the AD RMS-enabled application only when connected to the internal network, the templates can be accessed from the shared folder by the clients as needed. In this case, all AD RMS users should have Read access to this shared folder in order for them to use the rights policy template.
Alternatively, the templates can be copied from the shared folder to the client computers. This enables the templates to be used when users are not connected to the network, such as when traveling with a laptop or from another mobile device. Because the most common deployment is to copy the templates to the client computers, this is the approach explained in this guide.
To create a new AD RMS rights policy template
1. Open the Active Directory Rights Management Services Administration console. Click Start, point to Administrative Tools, and then click Active Directory Rights Management Services.
2. In the Active Directory Rights Management Services Administration console, click LocalHost.
3. In the Tasks box in the Results pane, click Manage rights policy templates.
4. To enable exporting of the AD RMS rights policy templates, click Properties in the Actions pane.
5. Select the Enable export check box, type \\adrms-srv\ADRMSTemplates in the Specify templates file location (UNC) box, and then click OK.
6. In the Actions pane, click Create Distributed Rights Policy Template to start Create Distributed Rights Policy template wizard.
7. Click Add.
8. In the Language list, choose the appropriate language for the rights policy template.
9. Type CPANDL.COM CC in the Name box.
10. Type CPANDL.COM Company Confidential in the Description box, and then click Add.
11. Click Next.
12. Click Add, type employees@cpandl.com in The e-mail address of a user or group box, and then click OK.
13. Select the View check box to grant the EMPLOYEES@CPANDL.COM group Read access to any document created by using this AD RMS rights policy template.
14. Click Finish.
Step 3: Configuring the AD RMS client
The AD RMS client is included in the default installation of Windows Vista. Previous versions of the client are available for download for other Windows operating systems.
This guide assumes that an AD RMS cluster is already configured in a test environment. Extra configuration is still required on the AD RMS client workstation so that the rights policy templates are accessible: you must copy the AD RMS rights policy templates to the client computer and create a registry entry that points to their location. Complete the following steps before rights-protecting a document:
To make AD RMS templates available to users on ADRMS-CLNT
1. Log on to ADRMS-CLNT as Nicole Holliday (nhollida@cpandl.com).
2. Click Start, type regedit.exe in the Start Search box, and then click the regedit.exe icon under Programs.
3. Expand the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Common\DRM
Note
If the DRM subkey does not exist yet, create it manually.
4. Select DRM, click Edit, point to New, click Expandable String Value, and then type AdminTemplatePath.
5. Double-click the AdminTemplatePath registry value and type %UserProfile%\AppData\Microsoft\DRM\Templates in the Value data box, and then click OK. Because the value is an expandable string, %UserProfile% is expanded when Word reads it; for Nicole Holliday it resolves to C:\Users\nhollida.
6. Close Registry Editor.
7. Verify that the path C:\Users\nhollida\AppData\Microsoft\DRM\Templates\ is valid. If it is not, create the appropriate folders.
8. Click Start, type \\ADRMS-SRV\ADRMSTemplates in the Start Search box, and then press ENTER.
9. Copy the exported AD RMS rights policy templates from \\ADRMS-SRV\ADRMSTemplates to C:\Users\nhollida\AppData\Microsoft\DRM\Templates.
Note
Copying the AD RMS rights policy templates to the client computer is not required if the rights policy templates do not have to be available offline.
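Steps 2 through 9 of this procedure, as a PowerShell script run on ADRMS-CLNT in the session of the user who will protect documents. This is an added example, not part of the Microsoft guide. It assumes the share name from Step 1 and that the exported templates are .xml files, which is the format AD RMS writes to the export location. The registry path is the one from the procedure and is specific to Office 2007 (version 12.0).

```powershell
# Added example (not from the guide): point Word 2007 at a local template
# folder and copy the exported AD RMS templates into it. Run as the end user,
# because the value lives under HKEY_CURRENT_USER.

$shareUnc  = '\\ADRMS-SRV\ADRMSTemplates'                          # share from Step 1
$keyPath   = 'HKCU:\Software\Microsoft\Office\12.0\Common\DRM'      # Office 2007 = 12.0
$valueName = 'AdminTemplatePath'
$rawValue  = '%UserProfile%\AppData\Microsoft\DRM\Templates'         # stored unexpanded
$localPath = [Environment]::ExpandEnvironmentVariables($rawValue)    # what Word will use

# Step 3: the DRM key may not exist until Word has run once; create it.
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Steps 4-5: REG_EXPAND_SZ (ExpandString), so %UserProfile% is expanded at
# read time and the same value is valid for any user on this machine.
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType ExpandString `
                 -Value $rawValue -Force | Out-Null

# Step 7: make sure the local template folder exists.
if (-not (Test-Path $localPath)) {
    New-Item -Path $localPath -ItemType Directory -Force | Out-Null
}

# Steps 8-9: copy the exported templates (assumed to be *.xml) from the share.
Copy-Item -Path (Join-Path $shareUnc '*.xml') -Destination $localPath -Force

# Verify. The registry provider returns the expanded value, so $stored should
# equal $localPath, and the folder should now contain at least one template.
$stored = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
$files  = @(Get-ChildItem -Path $localPath -Filter *.xml)
Write-Host "AdminTemplatePath = $stored"
Write-Host ("{0} template file(s) in {1}" -f $files.Count, $localPath)
if ($files.Count -eq 0) {
    Write-Warning 'No templates were copied; check the share and the Enable export setting from Step 2.'
}
```

Because the value is per-user, every user who protects content needs it set in their own profile. In a domain this is normally done with Group Policy or a logon script rather than by hand, which is the deployment method the guide's "What This Guide Does Not Provide" section refers to.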
Step 4: Verifying AD RMS Functionality using ADRMS-CLNT
To verify the functionality of the AD RMS deployment, you log on as Nicole Holliday and then restrict permissions on a Microsoft Word 2007 document by using the AD RMS rights policy template created earlier in this guide. This policy gives CP&L employees the ability to read the document but not to change, print, or copy. All other people have no access at all to the document. You then log on as Stuart Railson and verify that Stuart Railson, a member of the Employees group at CP&L, cannot print the document.
To restrict permissions on a Microsoft Word 2007 document
1. Log on to ADRMS-CLNT as Nicole Holliday (nhollida@cpandl.com).
2. Click Start, click All Programs, click Microsoft Office, and then click Microsoft Office Word 2007.
3. Type CP&L Employees cannot print this document on the blank document page, click the Microsoft Office button, point to Finish, point to Restrict Permission, click Restrict Permission as, select nhollida@cpandl.com in the Select User dialog box, and then click OK.
4. In the Permission dialog box, select the Restrict permission to this document check box, click Read, type employees@cpandl.com as the user or group that is allowed only to read the document, and then click OK twice.
5. Click the Microsoft Office button, click Save As, and then save the file as \\ADRMS-DB\public\ADRMS-TST.docx.
6. Log off as Nicole Holliday.
Next, log on as Stuart Railson and open the document, ADRMS-TST.docx.
To view a protected document
1. Log on as Stuart Railson (srailson@cpandl.com).
2. Click Start, point to All Programs, point to Microsoft Office, and then click Microsoft Office Word 2007.
3. Click the Microsoft Office button, click Open, navigate to \\ADRMS-DB\public, and then double-click ADRMS-TST.docx.
The following message appears: "Permission to this document is currently restricted. Microsoft Office must connect to https://adrms-srv.cpandl.com/_wmcs/licensing to verify your credentials and download your permission."
4. Click OK.
The following message appears: "Verifying your credentials for opening content with restricted permissions…"
5. When the document opens, click the Microsoft Office button. Notice that the Print option is not available.
6. Click View Permission in the message bar. You should see that AD RMS rights policy template has been applied to this document.
7. Click OK to close the My Permissions dialog box, and then close Microsoft Word.
You have successfully deployed and demonstrated the rights policy template feature of AD RMS, using the simple scenario of applying a rights policy template to a Microsoft Word 2007 document. You can also use this deployment to explore some of the additional capabilities of AD RMS through additional configuration and testing.


By Ajay Singh Chauhan