Windows Technical skill
Monday, 21 July 2014
Sunday, 20 July 2014
How to Perform Offline Domain Joins
Q: Is it possible to join a Windows client computer to an Active Directory (AD) domain when the client computer is located in a branch office that has only read-only domain controllers (DCs) or when no network connection is available to the central site holding read-write DCs?
A: Yes, both are possible starting with Windows 7 and Windows Server 2008 R2, thanks to the djoin.exe command-line utility. Administrators can use djoin.exe to provision a computer account in AD and export the account's AD security information to a text file. This text file can then be moved and imported to the client computer, where an administrator then has to run djoin.exe from an elevated command prompt to effectively join the domain. The content of the text file can also be added to an unattended setup answer file to join a computer to the domain as part of the OS installation.
For example, suppose you want to join a Windows client computer named mywindowsclient to the AD domain mydomain.com. First, you need to create the AD computer account for mywindowsclient in mydomain.com and save the domain join data to a text file named offlinejoin.txt. This can be accomplished by running the following Djoin command from an elevated command prompt on a Windows 7 (or later) or Server 2008 R2 (or later) machine that can communicate with a read-write DC:
Djoin /provision /domain mydomain.com
/machine mywindowsclient /savefile c:\offlinejoin.txt
(Although this command wraps here, you'd put it on all one line in the command shell window.) Next, you need to join mywindowsclient to the mydomain.com domain by running the following Djoin command from an elevated command prompt on the mywindowsclient machine:
Djoin /requestODJ /loadfile c:\offlinejoin.txt
/windowspath %systemroot% /localos
(Although this command wraps here, you'd put it on all one line in the command shell window.) You must then reboot mywindowsclient. When it comes back up, it'll be joined to the domain.
Note that you can also provision a computer's AD account against DCs running Windows Server 2008 or earlier by using the /downlevel switch in the first Djoin command. For more information about offline domain joins, see TechNet's "Offline Domain Join (Djoin.exe) Step-by-Step Guide."
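The two Djoin steps above, wrapped in PowerShell so that several branch-office accounts can be provisioned in one go and the exported file is handled with some care. This is an added example, not code from the original post; the output folder, the optional OU parameter value and the computer names are assumptions. The provisioning function runs on a machine that can reach a writable DC, the completion function runs on the client itself, both from an elevated prompt.

```powershell
# Added example (not from the original post): wrap the two djoin.exe steps in
# functions. Folder, OU and computer names below are assumptions.

# Runs where a read-write DC is reachable. Creates one blob file per computer.
function New-OfflineJoinBlob {
    param(
        [Parameter(Mandatory)][string]$Domain,            # e.g. mydomain.com
        [Parameter(Mandatory)][string[]]$ComputerName,    # accounts to provision
        [string]$MachineOU,                               # optional target OU (DN)
        [string]$OutputDir = "$env:SystemDrive\odj"       # assumed output folder
    )
    if (-not (Test-Path $OutputDir)) {
        New-Item -ItemType Directory -Path $OutputDir | Out-Null
    }

    foreach ($name in $ComputerName) {
        $blob = Join-Path $OutputDir "$name.txt"
        $djoinArgs = @('/provision', '/domain', $Domain, '/machine', $name, '/savefile', $blob)
        if ($MachineOU) { $djoinArgs += @('/machineou', $MachineOU) }

        $output = & djoin.exe @djoinArgs 2>&1
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "djoin failed for $name (exit $LASTEXITCODE): $output"
            continue
        }

        # The blob carries the new machine account's password, so restrict it to
        # SYSTEM and local Administrators while it waits to be moved to the client.
        $acl = Get-Acl -Path $blob
        $acl.SetAccessRuleProtection($true, $false)      # drop inherited ACEs
        foreach ($principal in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($principal, 'FullControl', 'Allow')
            $acl.AddAccessRule($rule)
        }
        Set-Acl -Path $blob -AclObject $acl

        [pscustomobject]@{ ComputerName = $name; BlobPath = $blob }
    }
}

# Runs on the client (elevated) after the blob has been copied over.
function Complete-OfflineJoin {
    param([Parameter(Mandatory)][string]$BlobPath)

    & djoin.exe /requestODJ /loadfile $BlobPath /windowspath $env:SystemRoot /localos
    if ($LASTEXITCODE -ne 0) {
        throw "djoin /requestODJ failed with exit code $LASTEXITCODE"
    }

    Remove-Item -Path $BlobPath -Force    # the client no longer needs the blob
    Write-Host 'Offline join staged. Reboot, then verify with Test-ComputerSecureChannel.'
}

# Usage (assumed names):
# New-OfflineJoinBlob -Domain mydomain.com -ComputerName mywindowsclient, branchpc02
# Complete-OfflineJoin -BlobPath C:\odj\mywindowsclient.txt
```

After the reboot, Test-ComputerSecureChannel on the client returns True once the secure channel to the domain is up, which is the quickest confirmation that the join worked.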
Easy Way to Protect Active Directory Objects from Being Accidentally Deleted
Q: I want to better protect our Active Directory (AD) user and computer objects against an accidental bulk deletion by an administrator. How can I easily set the Protect object from accidental deletion property for all AD user and computer objects?
A: When the Protect object from accidental deletion property is enabled for an AD object, the object's permissions are automatically set to deny the deletion of the object by the built-in Everyone group. Microsoft introduced this property in Windows Server 2008, and by default, it's enabled only in AD organizational units (OUs). When the property is set, it doesn't propagate down to child objects in the OU; it applies to the OU object only.
You can manually enable the Protect object from accidental deletion property on an AD user or computer object from the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in or the Active Directory Administrative Center GUI. Another way you can enable the property is by running a Windows PowerShell command. With PowerShell, you can even simultaneously enable the property for multiple AD objects. For example, the following command enables it for all AD user and computer objects:
Get-ADObject -filter {(ObjectClass -eq "user")} |
Set-ADObject -ProtectedFromAccidentalDeletion:$true
As you can see, this command uses the Get-ADObject cmdlet to get any object with the value "user" in the ObjectClass attribute, which includes all AD user and computer objects. The command then uses the Set-ADObject cmdlet to enable the Protect object from accidental deletion property in those objects. Get-ADObject and Set-ADObject are part of the Active Directory Module for Windows PowerShell, which is installed by default on domain controllers (DCs) running Windows Server 2012 or Windows Server 2008 R2. You can also install the module on servers that aren't DCs running Server 2012 or Server 2008 R2, as well as on computers running Windows 8 or Windows 7.
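A slightly more controlled version of the one-liner above, as an added example that is not part of the original post: it lists the user and computer objects under an OU that are still unprotected, enables the property only on those (with -WhatIf support so the change can be previewed), and then reads the Deny ACE for Everyone back from the object's ACL to show what the property actually did. The OU and object distinguished names are assumptions.

```powershell
# Added example (not from the original post): audit, set and verify the
# "Protect object from accidental deletion" property with the AD module.
# The distinguished names in the usage lines are assumptions.
Import-Module ActiveDirectory

# User and computer objects under a search base that are still unprotected.
# ObjectClass -eq "user" matches computers too, because computer derives from user.
function Get-UnprotectedADObject {
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADObject -Filter 'ObjectClass -eq "user"' -SearchBase $SearchBase `
        -Properties ProtectedFromAccidentalDeletion |
        Where-Object { -not $_.ProtectedFromAccidentalDeletion }
}

# Enable the property only where it is missing; run with -WhatIf first.
function Protect-ADObjectFromDeletion {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-UnprotectedADObject -SearchBase $SearchBase | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.DistinguishedName, 'Set ProtectedFromAccidentalDeletion')) {
            Set-ADObject -Identity $_ -ProtectedFromAccidentalDeletion $true
        }
    }
}

# Show the ACE the property creates: Everyone is denied Delete and DeleteTree.
# Uses the AD: drive that the ActiveDirectory module provides.
function Get-AccidentalDeletionAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.IdentityReference -eq 'Everyone' -and
            $_.AccessControlType -eq 'Deny' -and
            $_.ActiveDirectoryRights -match 'Delete'
        } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights
}

# Usage (assumed OU and object):
# Protect-ADObjectFromDeletion -SearchBase 'OU=Workstations,DC=mydomain,DC=com' -WhatIf
# Protect-ADObjectFromDeletion -SearchBase 'OU=Workstations,DC=mydomain,DC=com'
# Get-AccidentalDeletionAce -DistinguishedName 'CN=mywindowsclient,OU=Workstations,DC=mydomain,DC=com'
```

Scoping the change to a SearchBase rather than the whole directory keeps the run reviewable, and checking the ACE afterwards makes it easy to spot objects where someone has since edited the permissions by hand and removed the Deny entry.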
Windows BranchCache Management Pack Joins the R2 Support
Microsoft has updated the Management Pack for Operations Manager 2012 to support the R2 wave of releases.
BranchCache is a Microsoft technology that caches content to help reduce branch office WAN saturation. Available in Windows 7 and Windows 2008 R2, the technology gives local clients the intelligence to access locally stored copies of data, even when the source resides at a remote location. In essence, the data that you specify will be stored in both places and updated between the source and the cached copy so that the mirrored copy is always up-to-date, while maintaining a secure source.
The Management Pack for BranchCache monitors and reports on potential issues, allowing admins to be proactive to ensure remote clients have accessible data. It also provides a full diagram of the BranchCache deployment, among other things.
Configuration of FTP over SSL in Microsoft IIS
Q: Does the FTP server that's included with Microsoft IIS support FTP over SSL? If it does, how can I configure it? Can I configure it to secure only the exchange of the FTP user credentials?
A: The IIS FTP server supports FTP over SSL, starting with the IIS 7.0 web server that's bundled with Windows Server 2008. To enable FTP over SSL, you should first make sure that you have a valid SSL certificate configured for your web server. You can create a self-signed certificate or obtain a certificate from your enterprise Certification Authority (CA) or from a commercial CA. You can configure an SSL certificate using the Server Certificates option that shows up in the center pane of IIS Manager when you select your web server object.
You must also allow the use of SSL when you enable the FTP protocol for your website. To enable FTP from IIS Manager, select the website and click Add FTP Publishing in the Actions pane. Next, in the Bindings and SSL Settings section, make sure that you select Allow SSL in the SSL section. Finally, in the Authentication and Authorization Information dialog box, you typically select Basic in the Authentication section, select the Specified Users option in the Allow access to drop-down list, and enter the FTP user logon account in the accompanying text box in the Authorization section.
You can then further configure FTP over SSL using IIS Manager's FTP SSL Settings feature, which you can find in the center pane, both on the web-server level and website level. This is the feature you'd use to configure IIS to secure only the FTP credential exchanges using SSL. It's important that you configure the same settings on both the web-server level and website level. If you don't do so, you'll get "conflicting TLS setting" error messages when you try to connect to your FTP site.
To change the FTP SSL Settings for your website, navigate to your website from IIS Manager and double-click FTP SSL Settings in the center pane to open the FTP SSL Settings dialog box. From the SSL Certificate list, select the certificate that you want to use for securing your FTP connections. Under SSL Policy, you can select one of the following options.
Allow SSL connections. Choose this option if you want your FTP server to support both non-SSL and SSL connections.
Require SSL connections. Select this option if you want to enforce the use of SSL encryption for all FTP communications.
Custom. Choose this option if you want to configure a different SSL policy for the FTP control and data channels. After you select it, click the Advanced button. In the Advanced SSL Policy dialog box, you can select the SSL policies. For the FTP control channel, your options are:
- Allow. Allows SSL for the control channel, meaning that SSL isn't required.
- Require. Enforces the use of SSL for the control channel.
- Require only for credentials. Requires that only the FTP user credentials have to be sent using SSL.
For the FTP data channel, your options are:
- Allow. Allows SSL for the data channel, meaning that SSL isn't required.
- Require. Enforces the use of SSL for the data channel.
- Deny. Denies the use of SSL for the data channel.
In your case, you'd select the Custom option. Then, in the Advanced SSL Policy dialog box, you'd choose Require only for credentials for the FTP control channel and Allow for the FTP data channel. Remember that after you've configured these settings for your website, you must also configure the same settings for your web server.
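The same "credentials only" policy applied with the WebAdministration module instead of the IIS Manager dialogs, as an added example that is not part of the original post. It writes identical settings to the server level (siteDefaults) and to the site, since the text notes that a mismatch produces the "conflicting TLS setting" error, and then reads both levels back to confirm they agree. The FTP site name and the certificate subject are assumptions; the configuration paths are the standard ftpServer/security/ssl sections of applicationHost.config.

```powershell
# Added example (not from the original post): set the FTP SSL policy from the
# text at server and site level, then check the two levels match.
# Site name and certificate subject are assumptions.
Import-Module WebAdministration

$SiteName    = 'MyFtpSite'              # assumed FTP site
$CertSubject = 'CN=ftp.mydomain.com'    # assumed certificate subject
$AppHost     = 'MACHINE/WEBROOT/APPHOST'

# Pick the newest matching server certificate from the local machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CertSubject } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject $CertSubject in LocalMachine\My" }

# "Require only for credentials" on the control channel, "Allow" on the data channel.
$Settings = @{
    controlChannelPolicy = 'SslRequireCredentialsOnly'
    dataChannelPolicy    = 'SslAllow'
    serverCertHash       = $cert.Thumbprint
    serverCertStoreName  = 'MY'
}

# Both levels get the same values so the settings never conflict.
$Levels = @{
    Server = "/system.applicationHost/sites/siteDefaults/ftpServer/security/ssl"
    Site   = "/system.applicationHost/sites/site[@name='$SiteName']/ftpServer/security/ssl"
}

function Set-FtpSslPolicy {
    foreach ($level in $Levels.Keys) {
        foreach ($name in $Settings.Keys) {
            Set-WebConfigurationProperty -PSPath $AppHost -Filter $Levels[$level] `
                -Name $name -Value $Settings[$name]
        }
    }
}

# Get-WebConfigurationProperty may hand back a ConfigurationAttribute; unwrap it.
function Get-FtpSslValue {
    param([string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath $AppHost -Filter $Filter -Name $Name
    if ($v -and $v.PSObject.Properties['Value']) { $v = $v.Value }
    "$v"
}

# Returns $true when server-level and site-level policies agree.
function Test-FtpSslPolicyConsistent {
    $mismatch = foreach ($name in 'controlChannelPolicy', 'dataChannelPolicy') {
        $server = Get-FtpSslValue -Filter $Levels.Server -Name $name
        $site   = Get-FtpSslValue -Filter $Levels.Site   -Name $name
        if ($server -ne $site) { "$name differs: server=$server site=$site" }
    }
    if ($mismatch) { Write-Warning ($mismatch -join '; ') }
    return (-not $mismatch)
}

Set-FtpSslPolicy
Test-FtpSslPolicyConsistent
```

With this policy only the logon is protected; file contents still cross the wire in clear text on the data channel unless the client opts into SSL, which is exactly the trade-off the question asks for and worth stating in the change record.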
System State Backup from the Command Line
Q: We want to include a server configuration backup of our Windows servers in our change management procedures. How can I start a Windows system state backup from the command line?
A: In Windows Server 2008 and later, you can use the Wbadmin.exe command-line utility to perform a system state backup. Wbadmin.exe is available only if you installed the Windows Server Backup feature on your Windows Server OS.
To perform a system state backup, you must use the following Wbadmin command syntax:
wbadmin start systemstatebackup
-backuptarget:<targetDrive> -quiet
In this command, you need to replace <targetDrive> with either the local volume identifier or the drive letter of the physical disk drive that will store the system state backup. The -quiet parameter is optional. If you don't want to be prompted to press the letter Y when the backup starts, include this parameter.
For example, to create a system state backup with no prompts and save it to volume D, you must run:
wbadmin start systemstatebackup -backupTarget:D: -quiet
If you want to specify a local volume identifier rather than a drive letter in the above Wbadmin command, you can use the following command to get a list of your local volume identifiers:
wbadmin get disks
To view the complete syntax of the Wbadmin command, run:
wbadmin start systemstatebackup /?
To perform a system state backup with Wbadmin.exe, you must be a member of the Backup Operators group or the Administrators group. Wbadmin.exe must also be run from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt (which you can find in the Accessories folder), then click Run as administrator.
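Since the question is about fitting the backup into a change-management procedure, here is the Wbadmin command from above wrapped so that the preconditions the text lists (feature installed, elevated prompt, reachable target) are checked first and the outcome is returned as a record you can append to a change log. This is an added example, not code from the original post; the change ticket ID, the target drive and the log path are assumptions.

```powershell
# Added example (not from the original post): run the wbadmin system state
# backup with its preconditions checked and return a change-log record.
# Ticket ID, target drive and log path are assumptions.

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Start-SystemStateBackup {
    param(
        # Drive letter (D:) or volume path (\\?\Volume{...}\) from "wbadmin get disks".
        [Parameter(Mandatory)][string]$BackupTarget,
        [string]$ChangeTicket = 'CHG-00000'    # assumed change record ID
    )

    if (-not (Test-IsElevated)) {
        throw 'Run from an elevated prompt as an Administrator or Backup Operator.'
    }
    if (-not (Get-Command wbadmin.exe -ErrorAction SilentlyContinue)) {
        throw 'wbadmin.exe not found: install the Windows Server Backup feature first.'
    }
    if ($BackupTarget -match '^[A-Za-z]:$' -and -not (Test-Path "$BackupTarget\")) {
        throw "Backup target $BackupTarget is not an accessible volume."
    }

    $started = Get-Date
    # -quiet suppresses the Y/N prompt so the job can run unattended.
    $output = & wbadmin.exe start systemstatebackup "-backupTarget:$BackupTarget" -quiet 2>&1
    $exit = $LASTEXITCODE

    [pscustomobject]@{
        ChangeTicket = $ChangeTicket
        Computer     = $env:COMPUTERNAME
        Target       = $BackupTarget
        Started      = $started
        Finished     = Get-Date
        Succeeded    = ($exit -eq 0)
        ExitCode     = $exit
        LastLines    = (($output | Select-Object -Last 5) -join "`n")
    }
}

# Usage (assumed values); the record goes straight into the change log:
# Start-SystemStateBackup -BackupTarget 'D:' -ChangeTicket 'CHG-12345' |
#     Export-Csv -Path C:\ChangeLog\systemstate.csv -Append -NoTypeInformation
```

Keeping the exit code and the last lines of Wbadmin's output in the record means a failed backup is visible in the change log rather than only in the console, and "wbadmin get versions" can be used afterwards to confirm the backup set is actually present on the target.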