Install WSUS server on Hyper-V virtual machine

As organizations continue to move away from the use of physical servers, a frequent question arises:   Is it a good idea to virtualize WSUS servers?  Short answer: yes. Read on to find out how to run WSUS in a Hyper-V machine.

Will WSUS run in a virtual machine?

In a word, yes. If you plan on hosting a WSUS virtual machine on Hyper-V, it is generally recommended that you run WSUS on top of the Windows Server 2008 R2 operating system. In order to do that, you will have to deploy WSUS 3 SP2. Until SP2, WSUS did not work properly with Windows Server 2008 R2, and it did not support the management of Windows 7 clients.

What is the easiest way to virtualize a WSUS server?

If you are currently running WSUS 3 on a physical server then I would recommend doing a migration upgrade. To do so, set up a virtualized WSUS server and then configure it to be a replica of your physical WSUS server and then perform synchronization. Once the sync process completes reconfigure the virtual WSUS server to be autonomous. Then, you can decommission your physical WSUS server.

This technique offers two main advantages. First, it makes it easy to upgrade the WSUS server’s operating system if necessary. The other advantage is that this method offers far less down time than a standard P2V conversion because your physical WSUS server continues to service users while your virtual WSUS server is being put into place.

What kind of capacity can I get from a virtualized WSUS server?

A single WSUS server should be able to handle up to 25,000 clients. However, this assumes that sufficient resources have been provisioned and that SQL Server is running on a separate server (physical or virtual). Some organizations have been able to achieve higher capacities by using multiple front-end servers.

What are the options for making WSUS fault-tolerant?

In a physical server environment, WSUS is made fault-tolerant by eliminating any single points of failure. Normally you would create a Network Load Balancing (NLB) cluster to provide high availability for your WSUS servers. Of course WSUS is dependent on SQL Server and the preferred method for making SQL Server fault-tolerant is to build a failover SQL Server cluster.

While it is possible to recreate this high-availability architecture in a Hyper-V infrastructure, it is usually considered to be a better practice to build a Hyper-V cluster instead.  If your host servers are clustered then clustering your WSUS servers and your SQL servers becomes unnecessary (at least from a fault tolerance standpoint).

If Hyper-V hosts are not clustered (and building a Hyper-V cluster is not an option for whatever reason) then I would recommend going ahead and creating a clustered architecture for the virtualized WSUS and SQL servers. However, you should make sure not to place multiple WSUS or SQL servers onto a common Hyper-V server because doing so will undermine the benefits of clustering WSUS and SQL Server.

What do I need in terms of network bandwidth?

There are no predetermined rules for providing network bandwidth to a virtualized WSUS server. Keep in mind, however, that there are a number of different issues that can occur as a result of insufficient bandwidth. If at all possible, I would recommend dedicating a physical network adapter to your virtual WSUS server. If you are forced to share a network adapter across multiple virtual servers then use network monitoring tools to verify that the physical network connection isn’t saturated.

If saturation becomes an issue, remember that WSUS can be throttled either at the server itself or at the client level through the use of group policy settings. You can find client throttling policies in the Group Policy Object Editor at Computer Configuration> Administrative Templates > Network > Background Intelligent Transfer Service.

Are there any special considerations for the SQL database?

It is generally recommended to run SQL Server on a separate machine (physical or virtual) so that you can allocate resources directly to the database server. I also recommend running the Cleanup Wizard and defragmenting the database every couple of months. Doing so will help the database to run optimally, which is important in a virtualized environment.

Another thing to keep in mind is that SQL Servers tend to be I/O intensive. Therefore, if you are planning to virtualize your SQL server then you might consider using dedicated physical storage so that the I/O load generated by SQL does not impact other virtual machines.

Script to list all global and local groups on a given server

Used to list all global and local groups on a given server.

Usage: $script /[s]erver /[g]lobal /[l]ocal /[v]erbose

/server Name of server for which to list all groups.
Server can be a domain controller. If no server
is specified, this defaults to localhost.
/global List only global groups.
/local List only local groups.
/verbose Show group comments.
/help Displays this help message.
use Getopt::Long;
use diagnostics;
use strict;
use Win32::Console;
use Win32::Lanman;

##################
# main procedure #
##################
my (%config);

p_parsecmdline(%config, @ARGV);
p_checkargs();

# set console codepage
Win32::Console::OutputCP(1252);

if ($config{global}) {
p_listglobalgroups($config{server});
} elsif ($config{local}) {
p_listlocalgroups($config{server});
} else {
p_listglobalgroups($config{server});
p_listlocalgroups($config{server});
}

exit 0;

##################
# sub-procedures #
##################

# procedure p_help
# displays a help message
sub p_help {
my ($script)=($0=~/([^\/]*?)$/);
my ($header)=$script." v1.1 - Author: alin@keptprivate.com";
my ($line)="-" x length($header);
print < <EOT;

$header
$line
Used to list all global and local groups on a given server.

Usage: $script /[s]erver /[g]lobal /[l]ocal /[v]erbose

/server Name of server for which to list all groups.
Server can be a domain controller. If no server
is specified, this defaults to localhost.
/global List only global groups.
/local List only local groups.
/verbose Show group comments.
/help Displays this help message.
EOT

exit 1;
}
# procedure p_parsecmdline
# parses the command line and retrieves arguments values
sub p_parsecmdline {
my ($config) = @_;
Getopt::Long::Configure("prefix_pattern=(-|/)");
GetOptions($config, qw(
server|s=s
global|g
local|l
verbose|v
help|?|h));
}
# procedure p_checkargs
# checks the arguments which have been used are a valid combination
sub p_checkargs {
p_help() if defined($config{help});
if (!$config{server}) {
$config{server} = Win32::NodeName();
}
}
# procedure p_listglobalgroups
# lists all global groups on a given server
sub p_listglobalgroups {
my $server = shift;
$server =~ s/\//g;
my (@groups,$group);
my ($header)="Global groups on '\\$server':";
my ($line)="-" x length($header);

if (!$config{verbose}) {
print "n$headern$linen";
}
if (Win32::Lanman::NetGroupEnum("\\$server",@groups)) {
foreach $group (sort (@groups)) {
next if (${$group}{name} eq "None");
if ($config{verbose}) {
$~ = 'GLOBAL';
write;
} else {
print "${$group}{name}n";
}
}
} else {
print "ERROR: ".Win32::FormatMessage(Win32::Lanman::GetLastError());
}

format GLOBAL_TOP =
Group Name Comment Type
--------------------------------- ---------------------------------- -------
.
format GLOBAL =
@< <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< global
${$group}{name},${$group}{comment}
~~ ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
${$group}{comment}
.

}
# procedure p_listlocalgroups
# lists all local groups on a given server
sub p_listlocalgroups {
my $server = shift;
$server =~ s/\//g;
my (@groups,$group);
my ($header)="Local groups on '\\$server':";
my ($line)="-" x length($header);

if (!$config{verbose}) {
print "n$headern$linen";
}
if (Win32::Lanman::NetLocalGroupEnum("\\$server",@groups)) {
foreach $group (sort (@groups)) {
if ($config{verbose}) {
$~ = 'LOCAL';
write;
} else {
print "${$group}{name}n";
}
}
} else {
print "ERROR: ".Win32::FormatMessage(Win32::Lanman::GetLastError());
}

format LOCAL_TOP =
Group Name Comment Type
--------------------------------- ---------------------------------- -------
.
format LOCAL =
@<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< local
${$group}{name},${$group}{comment}
~~ ^<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
${$group}{comment}
.

}

Script to display local and global groups only in the ACL of a specified share

Used to display local and global groups only in the ACL of a specified share, this script has been  designed to facilitate the UAR process. Only groups are shown so that the admin may get an idea
 of what group a user should belong to in order to have specific rights on a share.

 Usage: $script /[s]hare <UNC path> /[v]erbose /[h]elp

        /share      UNC path to the share (exp: \\server1\share1)
        /verbose    Show all groups in NTFS permissions
        /help       Displays this help message

use Getopt::Long;
#use diagnostics;
#use strict;
use Win32::Console;

use Win32;
use Win32::Lanman;
use Array::Compare;
use Win32::NetAdmin;
use Win32::Perms;

##################
# main procedure #
##################
my (%config);

sub_parseCmdLine(%config, @ARGV);
sub_checkArgs();

# set console codepage
Win32::Console::OutputCP(1252);

########################
### INSERT CODE HERE ###

my @array = split(/\+/,$config{share});
my $server = $array[1];
my $share = $array[2];
my $localhost = Win32::NodeName();

# step 1: retrieve share permissions
my %sharePerm = sub_listACL($config{share});
if ($sharePerm{Everyone} ne “Full Control”) {
print “n”;
print “##############################################################n”;
print “WARNING: Everyone group does not have Full Control permission!n”;
print “##############################################################n”;
}

# step 2: retrieve share full path
my $sharePath = sub_getShareInfo($server,$share);
my $savedSharePath = $sharePath;
$sharePath =~ s/:/$/;
$sharePath = “\\”.$server.”\”.$sharePath;

# step 3: retrieve NTFS permissions
my %ntfsPerm = sub_listACL($sharePath);

# print header
print “n”;
print “Hostname: $servern”;
print “Share Name: $sharen”;
print “Share Path: $savedSharePathn”;

my $account;

# print share permissions
print “n”;
print “Share permissions:n”;
print “——————n”;

foreach $account (sort(keys %sharePerm)) {
$permission = $sharePerm{$account};
$~ = ‘Permissions’;
write;
}

# delete common user groups from NTFS permission list
# if verbose option has not been specified
my $count = 0;
unless ($config{verbose}) {
foreach my $key (keys %ntfsPerm) {
if ($key =~ /administrators|domain admins|creator owner|system|server operators|backup operators|power users/i) {
delete $ntfsPerm{$key};
++$count;
}
}
}

# print NTFS permissions
print “n”;
print “NTFS permissions:n”;
print “—————–n”;

foreach $account (sort(keys %ntfsPerm)) {

# find out who can determine the account type for us
my $authority = “”;
my @array = split(/\/,$account);
if (@array > 1) {
unless ($array[0] =~ /builtin|$server|nt authority/i) {
# determine who is the PDC of the account’s domain
Win32::NetAdmin::GetDomainController(“\\$localhost”,$array[0],$authority);
$authority =~ s/\//g;
} else {
$authority = $server;
}
} else {
$authority = $server;
}

# determine if $account is a user, a local group, or a global group
my $accountType = “”;
my @members;
if (@array < 2) { $array[1] = $array[0]; } if (Win32::NetAdmin::GroupGetMembers($authority,$array[1],@members)) { $accountType = “global group”; } elsif (Win32::NetAdmin::LocalGroupGetMembersWithDomain($authority,$array[1],@members)) { $accountType = “local group”; } else { $accountType = “user”; ++$count; } # display permission for $account $permission = $ntfsPerm{$account}; if (($config{verbose}) or ($accountType ne “user”)) { $~ = ‘Permissions’; write; } # if $account is a local group, then display members if ($accountType eq “local group”) { foreach my $entry (@members) { # determine account type $authority = “”; @array = split(/\/,$entry); if (@array > 1) {
unless ($array[0] =~ /builtin|$server|nt authority/i) {
# determine who is the PDC of the account’s domain
Win32::NetAdmin::GetDomainController(“\\$localhost”,$array[0],$authority);
$authority =~ s/\//g;
} else {
$authority = $server;
}
} else {
$authority = $server;
}
$accountType = “”;
my @phonyMembers;
if (@array < 2) { $array[1] = $array[0]; } if (Win32::NetAdmin::GroupGetMembers($authority,$array[1],@phonyMembers)) { $accountType = “global group”; } else { $accountType = “user”; } # exclude users if (($config{verbose}) or ($accountType ne “user”)) { print “t$entryn”; } } } } # show if any groups have been excluded if (($count > 0) and (!$config{verbose})) {
print “nNumber of entries excluded from NTFS permissions: $countn”;
print “Use /verbose option to view all users and groups.n”;
}

# FORMATS
format Permissions =
^<<<<<<<<<<<<<<<<<<<<<<<<< @<<<<<<<<<<<<<<<
$account,$permission
~~ ^<<<<<<<<<<<<<<<<<<<<<<<<<
$account
.

### CODE ENDS HERE ###
########################

exit 0;

##################
# sub-procedures #
##################

# procedure sub_help
# displays a help message
sub sub_help {
my ($script)=($0=~/([^\/]*?)$/);
my ($header)=$script.” v1.1.2 – Author: alin.dumenica@siemens.com – October 2007″;
my ($line)=”-” x length($header);
print <

$header
$line
Used to display local and global groups only in the ACL of a specified share, this script has been
designed to facilitate the UAR process. Only groups are shown so that the admin may get an idea
of what group a user should belong to in order to have specific rights on a share.

Usage: $script /[s]hare/[v]erbose /[h]elp

/share UNC path to the share (exp: \\server1\share1)
/verbose Show all groups in NTFS permissions
/help Displays this help message
EOT

exit 1;
}
# procedure sub_parseCmdLine
# parses the command line and retrieves arguments values
sub sub_parseCmdLine {
my ($config) = @_;
Getopt::Long::Configure(“prefix_pattern=(-|/)”);
GetOptions($config, qw(
share|s=s
verbose|v
help|?|h));
}
# procedure sub_checkArgs
# checks the arguments which have been used are a valid combination
sub sub_checkArgs {
sub_help() if defined($config{help});
sub_help() if !defined($config{share});
unless ($config{share} =~ /z\/) {
$config{share} .= “\”;
}
}
# procedure sub_listACL
# lists an ACL
sub sub_listACL {
no strict ‘refs’;

my $targetobject = shift;
my $targetSD;
unless ($targetSD = new Win32::Perms($targetobject)) {
print “ERROR: $^En”;
exit 2;
}
my (@perms,@ACL,%ACLhash);
my $comp = Array::Compare->new;

# define reference arrays for friendly NTFS permissions
my @read = qw(
READ_CONTROL
SYNCHRONIZE
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES);
my @readNT4 = qw(
GENERIC_EXECUTE
GENERIC_READ);
my @change = qw (
DELETE
READ_CONTROL
SYNCHRONIZE
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES);
my @changeNT4 = qw (
DELETE
GENERIC_EXECUTE
GENERIC_WRITE
GENERIC_READ);
my @full = qw (
STANDARD_RIGHTS_ALL
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_DELETE_CHILD
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES);
my @fullNT4 = qw (
GENERIC_ALL);
my @write = qw (
READ_CONTROL
SYNCHRONIZE
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES);

# define reference arrays for user friendly share permissions
my @shareRead = qw (
FILE_SHARE_READ
READ_CONTROL
SYNCHRONIZE
FILE_READ_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES);
my @shareChange = qw (
FILE_SHARE_READ
FILE_SHARE_WRITE
FILE_SHARE_DELETE
DELETE
READ_CONTROL
SYNCHRONIZE
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES);
my @shareFullControl = qw (
FILE_SHARE_READ
FILE_SHARE_WRITE
FILE_SHARE_DELETE
STANDARD_RIGHTS_ALL
FILE_READ_EA
FILE_WRITE_EA
FILE_EXECUTE
FILE_DELETE_CHILD
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES);

# retrieve all ACLs (DACL and SACL) for target object
unless ($targetSD->Get(@ACL)) {
print “ERROR: Could not retrieve ACL on $targetobject: $^En”;
exit 2;
}
# process each entry in all ACLs of target object
foreach my $ACE (@ACL) {
# ignore entry if it is not a DACL
next unless (“DACL” eq $ACE->{Entry});
my $account=””;
# format user name in ACE with domain name or if it can’t be resolved, show SID
if (“” eq $ACE->{Account}) {
my $machine;
my $domain;
my @targetobject;
my $SID;
my $binSID;
my $sidtype;
if ($targetobject =~ /\\/) {
#extract machine name
@targetobject = split (/\/,$targetobject);
$machine = $targetobject[2];
} else {
$machine = “”;
}
$SID = $ACE->{SID};
$binSID = Win32::Lanman::StringToSid($SID) or die “ERROR: $^En”;
unless (Win32::LookupAccountSID($machine,$binSID,$account,$domain,$sidtype)) {
$account = $SID;
} else {
my $useraccount = (“” ne $domain)? “$domain\”:””;
$account = $useraccount.$account;
}
} else {
my $useraccount = (“” ne $ACE->{Domain})? “$ACE->{Domain}\”:””;
$account .= $useraccount.$ACE->{Account};
}
Win32::Perms::DecodeMask($ACE,@perms);

# create user name reference if it does not exist yet
if (!defined $ACLhash{$account}) {
# creating unique array based on user name
# this is because @perms will be overwritten next time we go into the loop
@$account = @perms;
$ACLhash{$account} = @$account;
}
# compare current ACE list to reference friendly permissions ACLs
if (($comp->compare(@perms,@read)) or ($comp->compare(@perms,@readNT4)) or ($comp->compare(@perms,@shareRead))) {
$ACLhash{$account} = “Read”;
} elsif (($comp->compare(@perms,@change)) or ($comp->compare(@perms,@changeNT4)) or ($comp->compare(@perms,@shareChange))) {
$ACLhash{$account} = “Change”;
} elsif (($comp->compare(@perms,@full)) or ($comp->compare(@perms,@fullNT4)) or ($comp->compare(@perms,@shareFullControl))) {
$ACLhash{$account} = “Full Control”;
} elsif ($comp->compare(@perms,@write)) {
$ACLhash{$account} = “Write”;
} else {
$ACLhash{$account} = “Special”;
}
}
return %ACLhash;
}
# procedure sub_getShareInfo
# retrieves full path information for a given share
sub sub_getShareInfo {
my ($server,$share) = @_;
my %shareInfo;

unless (Win32::Lanman::NetShareGetInfo(“\\$server”,$share,%shareInfo)) {
my $error = Win32::FormatMessage(Win32::Lanman::GetLastError());
print “ERROR:NetShareGetInfo:$errorn”;
}
return $shareInfo{‘path’};
}

How to Implement Microsoft Forefront Server for SharePoint

Introduction

Microsoft Forefront Server Security for SharePoint Services is a tool that will help network administrators prevent vulnerabilities that can occur within SharePoint workspaces. SharePoint workspaces are areas on the network where users can create, edit, and save fi les and folders. If these storage locations on the network are used in a malicious manner, an enterprise can be vulnerable.

SharePoint Services, replacing the less robust and discontinued SharePoint Team Services, is a relatively recent addition to Microsoft’s line of products. SharePoint Services has become increasingly popular among companies where employees need to collaborate on documents and spreadsheets. The explosion in popularity of Share Point Services means that additional security mechanisms need to be in place in order to prevent the network from becoming vulnerable.

The Microsoft Forefront Server Security allows network administrators to centrally manage the security of the SharePoint servers. Administrators using Forefront Server Security can conduct filtering, scanning, and job scheduling of SharePoint repositories from a central management console. Reports can give the network engineer using Forefront Server Security Administrator an indication of how end users are utilizing the SharePoint workspaces. If end users are improperly utilizing SharePoint Services, additional filters can be added. Using Forefront Server Security can help network administrators deal with vulnerabilities related to SharePoint Services.

Implementing Microsoft Forefront Server for SharePoint

Microsoft’s SharePoint server provides a collaboration environment that allows people to share documents and contacts, and it provides a single place for project management. While antivirus software on the server can scan fi les for viruses, Forefront Security for SharePoint allows for a higher level of integration, including real-time scanning and the ability to use up to five scanning engines at once for maximum protection. Implementation of Forefront Security for SharePoint can be broken into two components: installation and configuration. The installation of Forefront must be planned ahead of time to ensure all of the requirements are met. If they are not, both hardware and software upgrades may be required. A thorough implementation plan will allow you to determine if upgrades are needed. Once installed, you must configure Forefront properly in order to provide the security and protection planned for during the design phase. The ability to customize Forefront to fit different corporate models is a key strength that allows every installation to be optimized to fi t goals decided during the design phase.

 

Install and Configure Forefront Security for SharePoint

Microsoft has made the installation of Forefront Security for SharePoint quick and straightforward, allowing you to begin configuration as quickly as possible. Once you have the installation media, it is only a matter of minutes to install Forefront. While the installation itself is straight forward, don’t be fooled into thinking you don’t need to plan. The decision to do a local installation or remote installation will require the installer to have account information readily available with the proper access to the target server.

ForeFront Security for SharePoint Requirements

Before we start the installation, let’s take a look at the minimum server requirements to install Forefront Security for SharePoint. It is also important to make sure that the software requirements for Forefront security have been met. If they have not, you will be notified upon installation with a dialog box and the installation will stop.

■ Processor: Dual-processor computer rated at 2.5 GHz or higher

■ Operating System: Microsoft Windows Server (Standard, Enterprise, Datacenter, or Web Edition) with Service Pack 1

■ Hard Disk: 550MB of available disk space

■ SharePoint Requirement: Microsoft Office SharePoint Server 2007 or Microsoft Windows SharePoint Services, version 3

■ Microsoft Windows Workflow Foundation Runtime Components

■ Microsoft .NET Framework

■ Internet Information Services 6 in worker process isolation mode

■ NTFS fi le system

■ MAPI client such as Microsoft Outlook

Installation

Forefront Security for SharePoint has the option to install on the local server or on a remote server. To initiate either installation, you will need to log on to the server with an account that has administrative rights. For an installation on a remote server, the local account you use to log in needs to have administrative rights on the remote server. This is usually accomplished by using a domain account that is the administrators group of both computers. Because the installation registers services on the target server, it requires administrative access.

A great new feature of Forefront for SharePoint is the ability to use Hot Upgrade technology. This allows installations of Windows SharePoint Services without interrupting existing SharePoint service because a restart of the Windows SharePoint Services is not needed.

Forefront installs two main components that service the requests from the Forefront administrator and control all of the back-end functionality. The FSCController is installed as a service and coordinates all scanning activities within Forefront Security for SharePoint Server. The FSSPController is also an installed service, which communicates between Forefront and the SharePoint SQL server database.

1. To begin installation, insert the Forefront Security for SharePoint CD

or download the installation fi le from the Microsoft Download Center.

2. At the initial Welcome screen, select Next.

3. At the License Agreement screen, read the agreement and if you accept the terms, click Yes to continue.

4. At the Customer Information screen, enter the User Name and Company Name for the installation and click Next. Both are needed for the Next button to be active.

5. At the Installation Location screen, you will select the type of installation you wish to perform, Local or Remote, and then click Next.

6. This step is only for Remote Installations. If you are completing a local install, go to step 7. At the Remote Server Information screen, enter the target Server Name that you want to install Forefront Security for SharePoint on and the Share Directory. The default Share Directory is C$.

7. At the Installation Type screen, you can select Client—Admin Console Only or Full Installation. To install the Forefront Security for SharePoint application on the server, you will need to select Full Installation. The Client—Admin Console Only installation type only installs the administrator console to manage the server remotely.

8. At the Engines screen, you will see eight antivirus scan engines that Forefront Security can use to protect the server. Microsoft Antimalware Engine is selected by default and cannot be changed, allowing for you to select between the remaining seven scan engines. A maximum of five engines can be used, so you will be able to select four of the seven available to you. Just remember that each antivirus engine you select will require more memory to be dedicated to Forefront. If you have a server without the minimum amount of memory, you may want to select fewer antivirus engines. The installation automatically selects

four engines randomly which you can keep or change. Once you have determined which antivirus engines you will enable, click Next. You can find out more about the scan engines by going to the following the Web sites:

1. AhnLab Antivirus Scan Engine http://global.ahnlab.com

2. CA Vet http://www.ca.com

3. Authentium Command Antivirus http://www.authentium.com/command

4. Kapersky Antivirus Technology http://www.kaspersky.com

5. Norman Virus Control http://www.norman.com

6. Sophos Virus Detection http://www.sophos.com

7. VirusBuster Antivirus http://www.virusbuster.hu

9. At the Engine Updates Required screen, click Next. Forefront Security for SharePoint Server will automatically search and update the virus definitions hourly starting five minutes after the service is started. This is necessary to ensure the antivirus engines are up to date, protecting the server from the latest threats.

10. At the Choose Destination Location screen, select the destination folder for the installation. The default installation folder is C:Program FilesMicrosoft Forefront SecuritySharePoint, which should be suitable for most installations. If you decide to change the installation folder path, remember that Forefront

Security for SharePoint does not support an install path length over 170 characters. Once you have entered the new location for the installation or accepted the default, click Next.

11. At the Select Program Folder screen, click Next.

12. At the SharePoint Database Account Information screen, you will need to enter the account used for SharePoint database access. This account needs to be a member of the SharePoint server’s local administrators group as well as the database server’s local administrators group if the database was installed on a separate server. The format for entering the username is DomainUserAccount or MachinenameUserAccount.

13. At the Start Copying Files screen, you should review your settings to ensure that everything is correct prior to the installation. If you want to change a setting, use the Back button to go back to that screen and enter the new information. If you are ready to continue with the installation, click Next.

14. Forefront Security for SharePoint is now going to install on your SharePoint server. This process can take a few minutes, during which time you will see a

few command screens pop up as part of the installation.

15. Once installed, you will have the option to view the README fi le and click Finish. The installation is complete and you can now move on to configuring Forefront.

How to manage Hyper-V with powershell

Many admins use PowerShell to automate components like user creation and folder permissions, but virtualization technologies can also be managed from the command line, including Microsoft Hyper-V.

While there are several ways to manage Hyper-V with PowerShell, this article will focus on the free approaches using Windows Management Instrumentation (WMI) scripting and an open source tool from CodePlex.

Before using WMI scripting to manage Hyper-V, it’s important to understand what classes are available. Microsoft’s list includes a significant number of classes and while is fairly complete, they are not necessarily easy to use and are certainly not intuitive. Therefore, using WMI to manage Hyper-V is not for the faint of heart.

One of the more popular methods for managing Hyper-V with PowerShell is with PowerShell Management Library for Hyper-V (PSHyperV) a free, open source CodePlex project written by James O’Neil. This is by far the best free option out there and gives administrators a very thorough collection of cmdlets that do everything from virtual machine inventory to virtual network management. Let’s touch on a few of them:

Get-VM — returns all the virtual machines on a given Hyper-V server

The following code demonstrates the Get-VM command:
Function Get-VM
{# .ExternalHelp MAML-VM.XML
param(
[parameter(ValueFromPipeLine = $true)]
[ValidateNotNullOrEmpty()][Alias("VMName")]
$Name = "%",

[parameter()][ValidateNotNullOrEmpty()]
$Server = ".", #May need to look for VM(s) on Multiple servers
[Switch]$Suspended,
[switch]$Running,
[switch]$Stopped
)
Process {
# In case people are used to the * as a wildcard...
if ($Name.count -gt 1 ) {[Void]$PSBoundParameters.Remove("Name")
; $Name | ForEach-object {Get-VM -Name $_ @PSBoundParameters}}
if ($name -is [String]) {
$Name = $Name.Replace("*","%")
# Note in V1 the test was for caption like "Virtual%" which
did not work in languages other than English.
# Thanks to Ronald Beekelaar - we now test for a processID ,
the host has a null process ID, stopped VMs have an ID of 0.
$WQL = "SELECT * FROM MSVM_ComputerSystem WHERE ElementName
LIKE '$Name' AND ProcessID >= 0"
if ($Running -or $Stopped -or $Suspended) {
$state = ""
if ($Running) {$State += " or enabledState = " +
[int][VMState]::Running }
if ($Stopped) {$State += " or enabledState = " +
[int][VMState]::Stopped }
if ($Suspended) {$State += " or enabledState = " +
[int][VMState]::Suspended }
$state = $state.substring(4)
$WQL += " AND ($state)"
}
Get-WmiObject -computername $Server -NameSpace $HyperVNamespace -Query $WQL | Add-Member -MemberType ALIASPROPERTY -Name "VMElementName" -Value "ElementName" -PassThru
}
elseif ($name.__class) {
Switch ($name.__class) {
"Msvm_ComputerSystem" {$Name}
"Msvm_VirtualSystemSettingData" {get-wmiobject -
computername $Name.__SERVER -namespace $HyperVNamespace -Query
"associators of {$($name.__path)} where
resultclass=Msvm_ComputerSystem"}
Default get-wmiobject -
computername $Name.__SERVER -namespace $HyperVNamespace -Query
"associators of {$($Name.__path)} where
resultclass=Msvm_VirtualSystemSettingData" |
ForEach-Object
{$_.getRelated("Msvm_ComputerSystem")} | Select-object -unique }
}
}
}
}

As you can see, the code basically wraps the WMI class with some helper logic and reports the results.

Get-VMSwitch — Returns all the virtual switches on the Hyper-V server

Function Get-VMSwitch
{# .ExternalHelp MAML-VMNetwork.XML
param(
[parameter(ValueFromPipeline = $true)][Alias("Name")]
[String]$VirtualSwitchName="%",

[parameter()][ValidateNotNullOrEmpty()]
$Server = "." #Can query multiple servers for switches
)
process {
$VirtualSwitchName=$VirtualSwitchName.replace("*","%")
Get-WmiObject -computerName $server -NameSpace $HyperVNamespace
-query "Select * From MsVM_VirtualSwitch Where elementname like '$VirtualSwitchname' "
}
}

Get-VMSnapShot — Provides all the snapshots on the Hyper-V server

The following command demonstrates the Get-VMSnapShot command:

Function Get-VMSnapshot
{# .ExternalHelp MAML-VMSnapshot.XML
Param(
[parameter(Position=0 , ValueFromPipeline = $true)]
$VM = "%",

[String]$Name="%",

[parameter()][ValidateNotNullOrEmpty()]
$Server="." ,
[Switch]$Current,
[Switch]$Newest,
[Switch]$Root
)
process{
if ($VM -is [String]) {$VM=(Get-VM -Name $VM -Server $server) }
if ($VM.count -gt 1 ) {[Void]$PSBoundParameters.Remove("VM") ; $VM |
ForEach-object { Get-VMSnapshot -VM $_ @PSBoundParameters}}
if ($vm.__CLASS -eq 'Msvm_ComputerSystem') {
if ($current) {Get-wmiobject -computerNam $vm.__server -
Namespace $HyperVNamespace -q "associators of {$($vm.path)} where assocClass=MSvm_PreviousSettingData"}
else {$Snaps=Get-WmiObject -computerName $vm.__server -NameSpace $HyperVNameSpace -Query "Select * From MsVM_VirtualSystemSettingData Where systemName='$($VM.name)' and
instanceID <> 'Microsoft:$($VM.name)' and elementName like '$name' "
if ($newest) {$Snaps | sort-object -property
creationTime | select-object -last 1 }
elseif ($root) {$snaps | where-object {$_.parent -eq
$null} }
else {$snaps}
}
}
}
}

PSHyperV includes several additional functions to help admins perform related tasks, including finding, manipulating and configuring different components of the hypervisor and can be found on the CodePlex website.

Writing WMI wrappers and using PSHyperV are just a few of the ways admins can manage Hyper-V using PowerShell. Note that the latest release of PSHyperV isn’t a complete version, and thus, isn’t as stable as other options may be.

 

 

view membership of a group – ListGoupMembers.pl

Used to view membership of a group.

Usage: $script /s[server] /g[roup]

/server Remote server name. By default, this is the
localhost.
/group Name of group to view.
use Getopt::Long;
#use diagnostics;
#use strict;
use Win32::Lanman;
use Win32::NetAdmin;
use Win32;
use Win32::AdminMisc;
use Win32::Console;

##################
# main procedure #
##################
my (%config);

p_parsecmdline(%config, @ARGV);
p_checkargs();

# set console codepage
Win32::Console::OutputCP(1252);

p_viewgroup($config{server},$config{group});

##################
# sub-procedures #
##################

# procedure p_help
# displays a help message
sub p_help {
my ($script)=($0=~/([^\/]*?)$/);
my ($header)=$script.” v2.1 – Author: alin.dumenica@siemens.com – June 2007″;
my ($line)=”-” x length($header);
print < <EOT;

$header
$line
Used to view membership of a group.

Usage: $script /s[server] /g[roup]

/server Remote server name. By default, this is the
localhost.
/group Name of group to view.
EOT

exit 1;
}
# procedure p_parsecmdline
# parses the command line and retrieves arguments values
sub p_parsecmdline {
my ($config) = @_;
Getopt::Long::Configure(“prefix_pattern=(-|/)”);
GetOptions($config, qw(
server|s=s
group|g=s
global
help|?|h));
}
# procedure p_checkargs
# checks the arguments which have been used are a valid combination
sub p_checkargs {
if ($config{help}) {
p_help();
}
unless ($config{group}) {
p_help();
}
if (!$config{server}) {
$config{server} = Win32::NodeName();
}
}
# procedure p_viewgroup
# adds a local group on target server
sub p_viewgroup {
my ($server,$group) = @_;
my (@members,$user,%info,%attribs);
my $scope = “unknown”;

if (Win32::NetAdmin::GroupGetMembers($server,$group,@members)) {
Win32::Lanman::NetServerGetInfo(“\\$server”, %info, 1);
print “nGroup membership for global group ‘$info{domain}\$group’:nn”;
$scope = “global”;
} elsif (Win32::NetAdmin::LocalGroupGetMembersWithDomain($server,$group,@members)) {
print “nGroup membership for local group ‘$server\$group’:nn”;
$scope = “local”;
} else {
print “ERROR: “.Win32::FormatMessage(Win32::NetAdmin::GetError());
exit 1;
}

if ($scope eq “global”) {
foreach $user (@members) {
# retrieve user’s full name
Win32::AdminMisc::UserGetMiscAttributes(“\\$server”,$user,%attribs);
$~ = ‘REPORT’;
write;
}
} elsif ($scope eq “local”) {
foreach $user (@members) {
# get the user’s domain
my @user = split(/\/,$user);
# if user is not local to the server, then get the domain’s PDC, then retrieve user’s full name
unless ((lc ($user[0]) eq lc ($server)) or ($user[0] eq “BUILTIN”)) {
my $pdc;
if (Win32::NetAdmin::GetDomainController(“\\$server”,$user[0],$pdc)) {
$pdc =~ s/\//g;
Win32::AdminMisc::UserGetMiscAttributes(“\\$pdc”,$user[1],%attribs);
}
$~ = ‘REPORT’;
write;
} else {
Win32::AdminMisc::UserGetMiscAttributes(“\\$server”,$user[1],%attribs);
$~ = ‘REPORT’;
write;
}
}
}
format REPORT_TOP =
User Name Full Name
——————————— ———————————-
.
format REPORT =
@<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< @<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
$user,$attribs{USER_FULL_NAME}
.

}

How to shrink and extend Server 2008 under Disk Management?

How to shrink and extend Server 2008 under Disk Management?

Shrink and Extend feature of Windows 2008 Server

Comparing to the old Server operating systems, Windows Server 2008 has a new feature – Shrink and Extend partition, with which you can resize partitions without data loss, fast and safely. However, there are huge disadvantages of these features to resize partitions. In this article, I’ll tell you how to shrink and extend Server 2008 partition under Disk Management, the disadvantages of Disk Management and how to resize Server 2008 with Server partition software.

How to shrink Server 2008 partition under Disk Management?

Right click My Computer > Manage > Storage > Disk Management, you will see the main window of Disk Management.
Step1: Right-click the partition you want to shrink and select “Shrink Volume…”

 

Step2: In the pop-up window, enter the amount of space to shrink. The default amount of this box is the maximum amount you can shrink from the partition.

 

Click Shrink, the partition will be shrank automatically without reboot.

 

 

How to extend Server 2008 partition under Disk Management?

Step1: Right-click the partition you want to extend and select “Extend Volume…”

 

Step2: In the pop-up window, enter the amount to extend from the total Unallocated space.

 

After that, the system C drive will be extended.

 

Disadvantages of Disk Management to shrink and extend Server 2008

To solve drive low disk space problem under Server 2008 Disk Management using Shrink and Extend, you’ll find that in some conditions, you cannot extend C drive, as the pictures below:

 

The fact is, to extend a partition, there must be unallocated space behind it. The Shrink feature could shrink partition and get some Unallocated space, but you cannot extend C drive by shrinking Partition D, as the Unallocated space is behind Partition D. So the Shrink and Extend feature is useless to resize partitions, except that it could “move” the partitions.

In fact, there are many disadvantages in Disk Management, comparing to professional partition software, such as Partition Wizard Server, the features below is unavailable,

Extend/Shrink FAT partition
Move partition
Change cluster size without reformatting
Copy disk/partition
Wipe disk/Unallocated space
Recover lost/deleted partition
Convert Partition Primary <=> Logical
Convert dynamic disk to basic without deleting

 

How to Install Active Directory on Windows Server 2003

How to Install Active Directory on Windows Server 2003

System Hardware Requirements

For an x86-based computer:

Recommended minimum speed of 550 megahertz (MHz). The minimum supported speed is 133 MHz. Maximum of eight processors per computer is supported. Processors any one Intel Pentium/Celeron , AMD K6/Athlon/Duron . 256 MB of RAM recommended. And 128 MB is the minimum supported, and 32 gigabytes GB is the maximum supported.

For an Itanium-based computer:

Minimum speed of 733 MHz. and maximum of eight processors per computer is support. 1 GB of RAM minimum, and maximum.1024 GB.

For an x64-based computer:

Minimum speed of 1.4 GHz. and maximum of eight processors per computer is support. 1 GB of RAM minimum, and maximum.1024 GB Installation of Active Directory

Now I am describing how to install and configure Active Directory in a company environment on Windows Server 2003. Note that we will need two networked servers that are running on Windows Server 2003 for this purpose in company environment.

Just after installation Windows Server 2003, run the Active Directory installation command Wizard to create the new Active Directory by following these steps;

Insert the Server 2003 disk in CD-ROM or DVD-ROM drive. Now Click on Start, and then click Run, and then type dcpromo. Click OK to start the Active Directory Installation Wizard, and then click Next. Click Domain controllers for a new domain, and then click Next. Click Domain in a new forest, and then click Next. Specify the full DNS name for the new domain. such as iyogi.local, for this setting. Click Next. Accept the default domain NetBIOS name Click Next. We can Set the database and log file location to the default setting of the c:winntntds folder, and then click Next. Set the Sysvol folder location to the default setting of the c:winntsysvol folder, and then click Next. Click Install and configure DNS server on this computer, and then click Next. Click Permissions compatible only with Windows 2000 or Windows Server 2003 servers or operating systems, and then click Next. Because this is a company environment, leave the password for the Directory Services Restore Mode Administrator blank. Note that in a full production environment, this password is set by using a secure password format. Click Next. Review and confirm the options that we selected, and then click Next. The installation of Active Directory proceeds. May be this process take several minutes. After the computer restarts, confirm that the DNS service location records for the new domain controller have been created.

Now we confirm the DNS service location records have been created, go these steps:

Click Start, point to Administrative Tools, and then click DNS to start the DNS Administrator Console. Expand the server name, expand Forward Lookup Zones, and then expand the domain.

If still you have not able to install Active Directory, then please login here, for further assistance; http://www.iyogibusiness.com/

Andrew Demm is a Small Business Expert. His specialization of field is Active Directory services, windows 2003 server configuration, setup, install and migration. He is providing tech assistance to various company, include iyogibusiness. It provides complete server solution, including server installation, setup,configuration and monitoring.

For more information, please login at www.iyogiBusiness.com

Article from articlesbase.com

How to reset Windows Server 2008 DC password

How to reset Windows Server 2008 DC password

Forgetting or Losing Windows server 2008 DC password is more complicated than local password. There are many ways can help you recover or reset windows local password, but little can help in Windows server 2008 DC password. When you are facing these problems, you will be mad if you deal with it in a wrong way. Then two tips on how to reset Windows Server 2008 DC password may help you a lot.

 

Tip 1: Using Installation CD to reset password

It’s possible to reset your Windows Sever 2008 / R2 Domain Controller administrator password using your installation CD. See below.

 

1. Restart your Windows server 2008 DC with the installation CD

 

 

2. Choose your language and click next

 

 

3. Select your partition and installation version and click Next

 

 

4. Click on Comm and Line Prompt

 

 

5. Change directory to the access the system 32 directory. Then your original C:drive is changed to D: or E: depending on the number of drive and partitions you have on that system.

 

6. Rename the file Utilman.exe to Utilman.exe.bak using the comm and Copy Utilman.exe  Utilman.exe.bak.

 

 

7. Using Command Move Cmd.exe Utilman.exe to move CMD.exe file into Utilman.exe. Press O or Y to accept after that restart your Computer normaly

 

8. At the user logon screen, press a combinaison of Windows KEY+U, then the CMD.exe will appear. Type net user “Username””new password”;

 

Then your system Admin Password is reset. Please don’t forget to rename back Utilman. Exe ->Cmd.exe and Utilman.exe.bak-> Utilman.exe after getting back access.

 

 

Tip 2: Using Windows Password Key Enterprise to reset 2008 password

 

The first method is not easy for you to understand and operation. However, if you don’t have an installation CD, it is better to find a windows password recovery program to solve your lost windows password problem. There is no need to worry about how to use it ,what’s more, it save more time. Only a few minutes can get back into your server again.

 

1. Get a blank CD or USB flash drive

 

2. Log in any available Computer which allow you to download. Find Windows Password Key and download the Enterprise version. The program is aim to reset lost Windows 2008 DC password for home group users and company.

 

3. Install the program and burn the ISO image file to CD or USB Flash Drive.

 

 

4. Insert the newly created CD or USB to your computer. In order to make the computer boot from CD or USB, you need to enter Bios to set up first.

 

 

 

5. Follow the instruction, in a few minutes you will have successfully reset the Windows Server 2008 DC password.

 

Related guidance:

How to use Windows Password Key Enterprise?

Article Source:

http://www.lostwindowspassword.com/reset-windows-server-2008-dc-password.html

Lost or forgot windows password?With no way to get into the system?
Do not be so anxious.This tutorial can help you remove the lost windows password in one second.Supports Windows of all versions, 7, Vista, XP, 2008, 2003, 2000:

Welcome to lost windows password solution blog

Article from articlesbase.com

Creating a dump file, user-level process in Windows Server 2008

Creating a dump file, user-level process in Windows Server 2008

This article describes how to create a dump file (. Dmp file) user-level process in Windows Server 2008. Windows Error Reporting feature in Windows Server 2008 is that it creates a file monitor dump and heap dump file. However, you can not use the Windows Error Reporting for creating a dump file of the process running in user mode.

Creating a dump file, user-level process in Windows Server 2008

To create a dump file of the user level in Windows Server 2008, use one of the following methods.

Method 1: Use Task Manager

If you use Windows Task Manager to create a dump file of the user level, follow these steps:

1. Start Task Manager. To do this, use one of the following methods:
* Right click a blank spot on the taskbar, then select Task Manager.
* Press CTRL + SHIFT + ESC.
2. Choose the tab Processes, right click on the name of the desired process, then select Create Dump File. If you are prompted for an administrator password or confirmation, type the password or click Continue. The dump file will be created in the following process:

Drive: UsersUserNameAppDataLocalTemp

1. When you receive a message that a dump has been successfully created, click OK.

Method 2: Use the utility ADPlus

You can use the utility ADPlus to create a dump file of the user level. Utility ADPlus is part of the Debugging Tools for Windows.

How to estimate the size of the dump file, user-level process that will be created

You can use Performance Monitor to assess the size of the dump file, user-level process that will be created. To do this, follow these steps:

1. Click Start, type perfmon in the line Start Search, then click perfmon.exe in the list of Programs. If you are prompted for an administrator password or confirmation, type the password or click Continue.
2. Expand Monitoring Tools, and then click Performance Monitor.
3. Right-click in free space in the display area and click Add Counters.
4. Among Available counters in the dialog box Add Counters, click the next box below the object characteristics of Process, and then click Counter Virtual Bytes.
5. Among the Instances of selected object, click the process name, click Add, and then click OK.

Value that appears will be the approximate size of the dump file.

Note: Before you create a dump file of the user level, make sure there is enough free space on your hard drive to where the dump file will be saved.

Leif is a webmaster and a writer who writes articles on various topics that include Internet Marketing, SEO, Hosting, Dedicated Server, Cloud Services, Server Colocation and much more.

Article from articlesbase.com