Windows Technologies « Govardhan Gunnala

Assign software – A program can be assigned per-user or per-machine. If its assigned per-user, it will be installed when the user logs on. However, if its assigned per-machine then the program will be installed for all users when the machine starts.
Publish software – A program can be published for one or more users. This program will be added to the Add or Remove Programs list and the user will be able to install it from there.

2. Create a distribution point

The first step in deploying a MSI through GPO is to create a distribution point on the publishing server. This can be done by following these steps:

log on to the server as an Administrator user
create a shared network folder (this folder will contain the MSI package)
set permissions on this folder in order to allow access to the distribution package
copy the MSI in the shared folder

In the shared folder you can also perform an administrative install for a MSI package contained by an EXE bootstrapper.

3. Create a Group Policy Object

A MSI package is deployed (distributed) through GPO as a Group Policy Object. In order to create an object for your package, you can follow these steps:

click on the Start button, go to Programs, select Administrative Tools and then select Active Directory Users and Computers
right-click your domain name in the console tree and select the Properties context menu
select the Group Policy tab and click New
set the name of the policy (for example MyApplication)
click Properties and select the Security tab
check the Apply Group Policy checkbox only for the groups to which the policy will be applied
click on the OK button

4. Assign a MSI package

A package can be assigned per-user or per-machine. Also, if the package is assigned, it will automatically be installed silently. In order to assign a package you can follow these steps:

click on the Start button, go to Programs, select Administrative Tools and then select Active Directory Users and Computers
right-click your domain name in the console tree and select the Properties context menu
go to the Group Policy tab, select the object you want and click Edit
expand Software Settings under Computer Configuration
right-click Software Installation, select the New context menu and then click on Package
in the Open dialog type the full UNC path of the shared package you want to assign
click on the Open button
click on Assigned and then click OK (the package will be added to the right pane of the "Group Policy" window)
close the Group Policy snap-in, click OK and exit the Active Directory Users and Computers snap-in
when the client computers start, the assigned package will be installed automatically

Do not use the Browse button in the Open dialog to access the UNC location. Make sure that you use the UNC path to the shared package.

5. Publish a MSI package

When using Group Policy, you can publish a package in order to allow the target user to install it by using Add or Remove programs. The steps for publishing a package are:

click on the Start button, go to Programs, select Administrative Tools and then select Active Directory Users and Computers
right-click your domain name in the console tree and select the Properties context menu
go to the Group Policy tab, select the object you want and click Edit
expand Software Settings under User Configuration
right-click Software Installation, select the New context menu and then click on Package
in the Open dialog type the full UNC path of the shared package you want to publish
click on the Open button
click on Publish and then click OK (the package will be added to the right pane of the "Group Policy" window)
close the Group Policy snap-in, click OK and exit the Active Directory Users and Computers snap-in
test the package:
- log on to the target computer
- click on the Start button and go to Control Panel
- double-click the Add or Remove programs applet and select Add New Programs
- in the Add programs from your network list select the program you published
- use the Add button to install the package
- click OK and then Close

Do not use the Browse button in the Open dialog to access the UNC location. Make sure that you use the UNC path to the shared package.

6. Redeploy a MSI package

Sometimes you may need to redeploy a package (for example when doing an upgrade). For redeploying a package you can follow these steps:

click on the Start button, go to Programs, select Administrative Tools and then select Active Directory Users and Computers
right-click your domain name in the console tree and select the Properties context menu
go to the Group Policy tab, select the object you used to deploy the package and click Edit
expand the Software Settings element (per-user or per-machine) which contains the deployed package
expand the Software Installation element which contains the deployed package
right-click the package in the right pane of the Group Policy window
select the All Tasks menu and click Redeploy application
click the Yes button for reinstalling the application wherever it is installed
close the Group Policy snap-in, click OK and exit the Active Directory Users and Computers snap-in

7. Remove a MSI package

Group Policy also allows you to remove packages which have been deployed in the past. Here are the steps for removing a package:

click on the Start button, go to Programs, select Administrative Tools and then select Active Directory Users and Computers
right-click your domain name in the console tree and select the Properties context menu
go to the Group Policy tab, select the object you used to deploy the package and click Edit
expand the Software Settings element (per-user or per-machine) which contains the deployed package
expand the Software Installation element which contains the deployed package
right-click the package in the right pane of the Group Policy window
select the All Tasks menu and click Remove
select from the following options:
- Immediately uninstall the software from users and computers
- Allow users to continue to use the software but prevent new installations
click the OK button to continue
close the Group Policy snap-in, click OK and exit the Active Directory Users and Computers snap-in

8. Troubleshooting Active Directory/GPO deployments

Here is an article that shows how to troubleshoot an Active Directory/GPO installation: How do I create an installation log?

The End

This concludes our tutorial.

Source: Deploying a MSI through GPO

Categories: Group Policy, Repackaging

Managed Service Accounts Frequently Asked Questions (FAQ)

May 13, 2012 gunnalag Leave a comment

The following questions and answers provide important information about using managed service accounts (MSA) with Microsoft server applications.

Two new types of service accounts are available in Windows Server® 2008 R2 and Windows® 7—the managed service account and the virtual account. The managed service account is designed to provide crucial applications such as IIS with the isolation of their own domain accounts, while eliminating the need for an administrator to manually administer the service principal name (SPN) and credentials for these accounts. It is a managed domain accounts that provides automatic password management and simplified SPN management. Virtual accounts are "managed local accounts" that can use a computer’s credentials to access network resources.

This topic contains the following information:

Installation and location

Can a managed service account be installed on more than one computer?

No. A managed service account can only be installed on a single computer.

Do managed service accounts work across domain boundaries?

Yes. Although managed service accounts can only be installed on a single computer, they otherwise function just like normal accounts and can access resources across domains if the appropriate Active Directory trusts exist.

Can a managed service account be placed in a security group?

Yes. A managed service account can be placed in a security group just like any other user or computer account.

Where in the directory can I create a managed service account?

The Managed Service Account container in in the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in is the default container for managed service account objects. However, they can be stored anywhere in the directory.

How are passwords managed using a managed service account?

Passwords are automatically created for the MSA when the account is created, and refreshed every 30 days. You can change a password manually.

Can the password be updated automatically?

Yes. The default behavior is that the password for the managed service account is automatically updated. However, this can cause a failed authentication attempt because the NTLM and Kerberos security support providers will not recognize the new password. To rectify this problem permanently, install the hot fix as described in the knowledge base article “Managed service account authentication fails after its password is changed in Windows 7 or in Windows Server 2008 R2 (KB 2494158).”

Does a service need to be stopped when a managed service account password is being updated?

No. Managed service accounts were designed to simplify the management of critical applications. A service does not need to be stopped when a managed service account is updated.

Can a managed service account password be reset manually if needed?

Yes. You can use the Reset-ADServiceAccount Windows PowerShell cmdlet to manually reset a managed service account password. You can also reset a managed service account password by using the Nltest.exe command-line tool. For more information about resetting managed service account passwords, see the Service Accounts Step-by-Step Guide.

Supported technologies

Technology	Can use MSA	Notes
Microsoft Exchange	Yes	Exchange Server does not allow you to send e-mails from a managed service account on behalf of a service or application. To overcome this limitation, use the managed service account to run the service, but create a separate conventional user account for the service and configure the service to send e-mails using this account.
Microsoft IIS	Yes	You can configure IIS application pools to run managed service accounts.
Microsoft SQL Server	No
Task Scheduler	No
Active Directory Lightweight Directory Services (AD LDS)	Yes	Specific procedures are required to enable AD LDS support.

Using managed service accounts with Active Directory Lightweight Directory Services?

To enable Active Directory Lightweight Directory Services (AD LDS) to run under a managed service account, you need to install and configure the managed service account on the computer that will host AD LDS. For basic procedures for installing a managed service account, see the Service Accounts Step-by-Step Guide. After you have installed the managed service account on the computer hosting AD LS, you must complete the following procedure.

To configure a managed service account for AD LDS

Open the PowerShell module for Active Directory Domain Services (AD DS), and run the following cmdlet: Install-ADServiceAccount <ManagedServiceAccountName>.

Note

For information about installing and using the PowerShell module for AD DS, see the Service Accounts Step-by-Step Guide.

Stop the AD LDS service, either by using the Services snap-in console or by running the following cmdlet: Stop-Service ADAM_<InstanceName>.
Grant the managed service account Read and Write permissions to the AD LDS data and log folders and to the directory information tree (DIT) file.

Tip

If this is a typical installation, you will apply these permissions to the folder %ProgramFiles%\Microsoft AD LDS\<InstanceName>\data and all files within this folder.

Grant the managed service account Allow permissions to the registry key \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADAM_<InstanceName> and to these subkeys:
- Query Value
- Enumerate Subkeys
- Notify
- Read Control
Grant the managed service account Full Control permissions to the registry key \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADAM_<InstanceName>\Parameters.
Grant Backup permissions for the managed service account to the Volume Shadow Copy (VSS) service. To do this, go to \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VSS\VssAccessControl, and create a registry entry with $ appended to the account name.

Tip

For example, if the managed service account in domain MyDomain is MyMSA, the registry entry name should be MyDomain\MyMSA$.

Set the value of this registry entry to 1.

Note

For VSS security considerations see Security Considerations for Writers.

Add security audit permissions to the managed service account by following the steps in Event ID 2521 — Auditing.
Select the computer object in AD LDS, and assign Create child and Delete child rights to the managed service account. This allows AD LDS to create service connection point objects.

Note

For more information about service connection point objects and AD LDS, see Administering AD LDS Service Publication.

Open the Services snap-in console, right-click the service to be used with the managed service account, and click Properties.
Click the Log On tab, click This account, and type the name of the managed service account in the format domainname\accountname or click Browse to search for the account. Confirm that the password field is blank, and then click OK.
Start the <InstanceName> service by running Start-Service ADAM_<InstanceName> or by starting the service in the Services snap-in console.

For more information about creating and using managed service accounts, see the Service Accounts Step-by-Step Guide.

Where can I find additional information about managed service accounts?

For more information, see:

What’s New in Service Accounts
Introducing Managed Service Accounts
Active Directory Administration with Windows PowerShell
KB 2494158: Managed service account authentication fails after its password is changed in Windows 7 or in Windows Server 2008 R2.

Source: Managed Service Accounts Frequently Asked Questions (FAQ)

Categories: Server 2008 R2

Windows Administration Delegation: Implement Role-Based Administration

May 13, 2012 gunnalag Leave a comment

You can use role-based administration to organize certification authority (CA) administrators into separate, predefined CA roles, each with its own set of tasks. Roles are assigned by using each user’s security settings. You assign a role to a user by assigning that user the specific security settings that are associated with the role. A user that has one type of permission, such as Manage CA permission, can perform specific CA tasks that a user with another type of permission, such as Issue and Manage Certificates permission, cannot perform.

The following table describes the roles, users, and groups that can be used to implement role-based administration. To assign a role to a user or group, you must assign the role’s corresponding security permissions, group memberships, or user rights to the user or group. These security permissions, group memberships, and user rights are used to distinguish which users have which roles.

Roles and groups	Security permission	Description
CA administrator	Manage CA	Configure and maintain the CA. This is a CA role and includes the ability to assign all other CA roles and renew the CA certificate. These permissions are assigned by using the Certification Authority snap-in.
Certificate manager	Issue and Manage Certificates	Approve certificate enrollment and revocation requests. This is a CA role. This role is sometimes referred to as CA officer. These permissions are assigned by using the Certification Authority snap-in.
Backup operator	Back up file and directories Restore file and directories	Perform system backup and recovery. Backup is an operating system feature.
Auditor	Manage auditing and security log	Configure, view, and maintain audit logs. Auditing is an operating system feature. Auditor is an operating system role.
Enrollees	Read Enroll	Enrollees are clients who are authorized to request certificates from a CA. This is not a CA role.

All CA roles are assigned and modified by members of local Administrators, Enterprise Admins, or Domain Admins. On enterprise CAs, local administrators, enterprise administrators, and domain administrators are CA administrators by default. Only local administrators are CA administrators by default on a stand-alone CA. If a stand-alone CA is installed on a server that is joined to an Active Directory domain, domain administrators are also CA administrators.

The CA administrator and certificate manager roles can be assigned to Active Directory users or local users in the Security Accounts Manager (SAM) of the local computer, which is the local security account database. As a best practice, you should assign roles to group accounts instead of individual user accounts.

Only CA administrator, certificate manager, auditor, and backup operator are CA roles. The other users described in the table are relevant to role-based administration and should be understood before assigning CA roles.

Only CA administrators and certificate managers are assigned by using the Certification Authority snap-in. To change the permissions of a user or group, you must change the user’s security permissions, group membership, or user rights.

To set CA administrator and certificate manager security permissions for a CA

Open the Certification Authority snap-in.
In the console tree, click the name of the CA.
On the Action menu, click Properties.
Click the Security tab, and specify the security permissions.

Roles and activities

Each CA role has a specific list of CA administration tasks associated with it. The following table lists all the CA administration tasks along with the roles in which they are performed.

Activity	CA administrator	Certificate manager	Auditor	Backup operator	Local administrator	Notes
Install CAs					X
Configure policy and exit modules	X
Stop and start the Active Directory Certificate Services (AD CS) service	X
Configure extensions	X
Configure roles	X
Renew CA keys					X
Define key recovery agents	X
Configure certificate manager restrictions	X
Delete a single row in the CA database	X
Delete multiple rows in the CA database (bulk deletion)	X	X				The user must be both a CA administrator and a certificate manager. This activity cannot be performed when role separation is enforced.
Enable role separation					X
Issue and approve certificates		X
Deny certificates		X
Revoke certificates		X
Reactivate certificates that are placed on hold		X
Renew certificates		X
Enable, publish, or configure certificate revocation list (CRL) schedules	X
Recover archived keys		X				Only a certificate manager can retrieve the encrypted key data structure from the CA database. The private key of a valid key recovery agent is required to decrypt the key data structure and generate a PKCS #12 file.
Configure audit parameters			X			By default, the local administrator holds the system audit user right.
Audit logs			X			By default, the local administrator holds the system audit user right.
Back up the system				X		By default, the local administrator holds the system backup user right.
Restore the system				X		By default, the local administrator holds the system backup user right.
Read the CA database	X	X	X	X		By default, the local administrator holds the system audit and system backup user rights.
Read CA configuration information	X	X	X	X		By default, the local administrator holds the system audit and system backup user rights.

Additional considerations

Enrollees are allowed to read CA properties and CRLs, and they can request certificates. On an enterprise CA, a user must have Read and Enroll permissions on the certificate template to request a certificate. CA administrators, certificate managers, auditors, and backup operators have implicit Read permissions.
An auditor holds the system audit user right.
A backup operator holds the system backup user right. In addition, the backup operator has the ability to start and stop the Active Directory Certificate Services (AD CS) service.

Assigning roles

The CA administrator for a CA assigns users to the separate roles of role-based administration by applying the security settings required by a role to the user’s account. The CA administrator can assign a user to more than one role, but the CA is more secure when each user is assigned to only one role. When this delegation strategy is used, fewer CA tasks can be compromised if a user’s account becomes compromised.

Administrator concerns

The default installation setting for a stand-alone CA is to have members of the local Administrators group as CA administrators. The default installation setting for an enterprise CA is to have members of the local Administrators, Enterprise Admins, and Domain Admins groups as CA administrators. To limit the power of any of these accounts, they should be removed from the CA administrator and certificate manager roles when all CA roles are assigned.

As a best practice, group accounts that have been assigned CA administrator or certificate manager roles should not be members of the local Administrators group. Also, CA roles should only be assigned to group accounts and not individual user accounts.

Note

Membership in the local Administrators group on the CA is required to renew a CA certificate. Members of this group can assume administrative authority over all other CA roles.

Source: Implement Role-Based Administration

Categories: Server 2008 R2

Windows Server 2008 R2: Storage Manager for SANs

May 13, 2012 gunnalag Leave a comment

Applies To: Windows Server 2003 R2

Storage Manager for SANs helps you create and manage logical unit numbers (LUNs) on Fibre Channel and iSCSI disk drive subsystems that support Virtual Disk Service (VDS) in your storage area network (SAN).

A LUN is a logical reference to a portion of a storage subsystem. A LUN can comprise a disk, a section of a disk, a whole disk array, or a section of a disk array in the subsystem. Using LUNs simplifies the management of storage resources in your SAN because they serve as logical identifiers through which you can assign access and control privileges.

To install and start working with Storage Manager for SANs, see Deploying Storage Manager for SANs.
For an overview of managing LUNs with Storage Manager for SANs, see Overview of Storage Manager for SANs.
For a list of steps about how to create a LUN using Storage Manager for SANs, see Checklist: Prepare and Create a LUN.
For information about the connections between the servers in your SAN and the LUNs that you create using Storage Manager for SANs, see Manage Server Connections.
To create and manage LUNs, see Manage LUNs.
To create and manage targets on iSCSI subsystems, see Manage iSCSI Targets.
For information about Fibre Channel and iSCSI subsystems, see Manage Subsystems.
For information about disk drives in the Fibre Channel and iSCSI subsystems, see Manage Drives.
For information about DiskRAID, see DiskRAID.

Source: Storage Manager for SANs

Categories: Server 2008 R2

Introducing Enhanced Storage Access

May 13, 2012 gunnalag Leave a comment

Introducing Enhanced Storage Access

Applies To: Windows 7, Windows Server 2008 R2

This product evaluation topic for the IT professional describes the Enhanced Storage Access settings that are new in Windows 7 and Windows Server 2008 R2.

Enhanced Storage Access settings

Enhanced Storage devices are devices that support the IEEE 1667 protocol to provide functions such as authentication at the hardware level of the storage device. These devices can be very small, such as USB flash drives, to provide a convenient way to store and carry data. At the same time, the small size makes it very easy for the device to be lost, stolen, or misplaced.

The Enhanced Storage Access settings in Windows 7 and Windows Server 2008 R2 enable you to use Group Policy to administer policies for Enhanced Storage devices that support certificate and password authentication silos in your organization.

For definitions of various storage devices, see Definitions for Storage Silo Drivers in the MSDN Library.

These Group Policy settings are located in Computer Configuration\Administrative Templates\System\Enhanced Storage Access.

Policy setting descriptions

The following Group Policy settings control the behavior of Enhanced Storage devices.

Policy setting

Description

If not configured…

Allow Enhanced Storage certificate provisioning

Allows users to provision certificates on devices that support the Certificate Authentication Silo.

Note

This setting is applicable only to Enhanced Storage devices that support the Certificate Authentication Silo.

Users cannot provision certificates on devices that support the Certificate Authentication Silo.

Allow only USB root hub connected Enhanced Storage devices

Allows only Enhanced Storage devices that are connected to USB root hubs.

Enhanced Storage devices connected to both USB root hubs and non-root hubs are allowed.

Configure list of approved Enhanced Storage devices

Allows you to configure a list of devices by manufacturer and product ID that are allowed on the computer.

Note

Manufacturer ID is a 6-character value. Product ID is up to 40 characters in length. To specify that all devices by a manufacturer are allowed, type the manufacturer ID of the manufacturer. To specify that only specific devices by a manufacturer are allowed, type the manufacturer ID, a hyphen, and the product ID or IDs of the allowed devices; for example: <Manufacturer ID>-<Product ID>. The manufacturer ID and product ID values are case-sensitive. Contact the device manufacturer to get the manufacturer and product ID values.

All devices are allowed.

Configure list of approved IEEE 1667 silos

Allows you to create a list of approved silos that can be used on the computer.

The Certificate Authentication Silo is always on the approved list.

All silos are allowed.

Do not allow password authentication of Enhanced Storage devices

Blocks the use of a password to unlock an Enhanced Storage device.

Permits the use of a password to unlock Enhanced Storage devices.

Do not allow non-Enhanced Storage removable devices

Limits the use of removable devices to Enhanced Storage devices.

Blocks the use of other storage devices on the computer.

Non-Enhanced Storage removable devices are allowed.

Lock Enhanced Storage when the machine is locked

Locks the device when the computer is locked.

The security state of the device remains unlocked even if the computer is locked with CTRL+ALT+DELETE.

Policy setting implementation

Enhanced Storage Access settings are administered in the same manner as any other Group Policy setting on the domain controller. When policy settings are enabled, the following actions are taken:

The policy settings are periodically sent to the client computers that are members of the domain.
The Group Policy service on the client computer creates registry keys corresponding to the policy settings.
The Enhanced Storage components read the registry keys to determine which policy settings are enabled and then take actions to comply with the policy settings.

Source: Introducing Enhanced Storage Access

Categories: Server 2008 R2

Windows Clustering: Network Load Balancing (NLB); Clustering Services

May 12, 2012 gunnalag Leave a comment

Windows Clustering

15 out of 18 rated this helpful – Rate this topic

Updated: January 21, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Windows Clustering

Windows Clustering provides three different, but complementary, clustering technologies. The clustering technologies, which ship in a number of different products, can be used separately or combined to provide scalable and highly-available services.

Clustering Technology	Network Load Balancing (NLB) clusters	Component Load Balancing (CLB) clusters	Server clusters
Available in …	Microsoft® Windows Server™ 2003, Web Edition; Microsoft® Windows Server® 2003, Standard Edition; Microsoft® Windows Server™ 2003, Enterprise Edition; and Microsoft® Windows Server™ 2003, Datacenter Edition	Microsoft Application Center 2000	Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition
Maximum number of nodes	32	12	8
Application	Load balancing Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) traffic	Single point of management and configuration for Web farms	Failover and failback of applications
Specialized hardware required?	No Note If you use teaming network adapters, you must select network adapters listed in the Windows Catalog. For more information, see Network Load Balancing system requirements and the compatibility information in Support resources.	No	Yes To confirm that your server cluster hardware is designed for Windows Server 2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition, see the compatibility information in Support resources.
Typical deployments	Web servers, Microsoft Internet Security and Acceleration (ISA) server, virtual private networks, Windows Media™ servers, Mobile Information servers, Terminal Services	Web farms	MS SQL Server, MS Exchange Server, file and print servers, Message Queuing
Stateful or stateless?	Stateless	Stateless	Stateful

Important

Microsoft will not support the configuration of server clusters and Network Load Balancing clusters on the same server. For more information about how the Windows Clustering technologies can be combined in a multitiered approach to provide highly available services, see "Planning for High Availability" in the Microsoft Windows Server 2003 Deployment Kit at the Microsoft Windows Resource Kits Web site. In addition, see "Server Clusters and Network Load Balancing" in the Microsoft Windows Server 2003 Resource Kit at the Microsoft Windows Resource Kits Web site.

Network Load Balancing clusters. Network Load Balancing clusters provide scalability and high availability for TCP- and UDP-based services and applications by combining up to 32 servers running Windows Server 2003, Web Edition; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition, into a single cluster. By using Network Load Balancing to build a group of cloned, or identical, clustered computers, you can enhance the availability of these servers: Web and File Transfer Protocol (FTP) servers, ISA servers (for proxy servers and firewall services), virtual private network (VPN) servers, Windows Media servers, Terminal Services over your corporate LAN.
You can install Network Load Balancing clusters through Network Connections or by using the Network Load Balancing Manager. For more information about Network Load Balancing clusters, see Network Load Balancing Overview.
Component Load Balancing clusters. Component Load Balancing clusters provide high scalability and availability by enabling COM+ applications (for example, a shopping cart application on an e-commerce Web site) to be distributed across multiple servers. For more information, see the documentation for Microsoft Application Center 2000 in Microsoft TechNet at the Microsoft Web site.
Important
- Component Load Balancing clusters is a feature of Microsoft Application Center 2000. It is not a feature of Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition.
server clusters. server clusters provide high availability for applications through the failover of resources. server clusters focus on preserving client access to applications and system services, such as Microsoft Exchange for messaging, Microsoft SQL Server for database applications, and file and print services.
Server clusters can combine up to eight nodes. In addition, a cluster cannot be made up of nodes running both Windows Server 2003, Enterprise Edition, and Windows Server 2003, Datacenter Edition. In server clusters with more than two nodes, all nodes must run Windows Server 2003, Datacenter Edition, or Windows Server 2003, Enterprise Edition, but not both.
By default, all clustering and administration software files are automatically installed on your computer when you install any operating system in the Windows Server 2003 family. For more information about server clusters, see Understanding Server Clusters.

For more information about Network Load Balancing clusters and server clusters, see the following topics:

For conceptual and procedural information on Network Load Balancing clusters, see Network Load Balancing Clusters.
For conceptual and procedural information on server clusters, see Server Clusters.
For guidelines on securing a Network Load Balancing cluster, see Network Load Balancing Best practices.
For guidelines on securing a server cluster, see Best practices for securing server clusters.

Source: Windows Clustering: Network Load Balancing (NLB); Clustering Services

Categories: Server 2008 R2

Windows Server 2008 Edition Comparison

May 12, 2012 gunnalag Leave a comment

Windows Server 2008 comes in several major editions derived from the same code base. The most important differences among editions are in the number of processors, amount of physical memory, and high-availability features supported.

The edition specifically targeted at servers with Itanium CPUs, Windows Server 2008 for Itanium-Based Systems (IA64), is not listed in the chart, but its features and price are almost identical to the Datacenter Edition listed in the rightmost column.

	Windows Server 2008 Web Edition	Windows Server 2008 Standard Edition	Windows Server 2008 Enterprise Edition	Windows Server 2008 Datacenter Edition
Supersedes	Windows Server 2003 Web Edition	Windows Server 2003 R2 Standard Edition Windows Server 2003 R2 Standard x64 Edition	Windows Server 2003 R2 Enterprise Edition Windows Server 2003 R2 Enterprise x64 Edition	Windows Server 2003 R2 Datacenter Edition Windows Server 2003 R2 Datacenter x64 Edition
Hyper-V virtualization technology	Not included	Included¹	Included¹	Included¹
OS instances permitted per server license	One instance (physical or virtual)	One physical instance plus one virtual instance²	One physical instance and up to 4 virtual instances²	Unlimited number of OS instances
Maximum server RAM supported ³	32-bit: 4GB 64-bit: 32GB	32-bit: 4GB 64-bit: 32GB	32-bit: 64GB 64-bit: 2TB	32-bit: 64GB 64-bit: 2TB
Maximum number of CPUs	4	4	8	64
Hot swap RAM and CPUs	No	No	No⁴	Yes
Cluster Service (failover)	No	No	Yes, up to 16 nodes per cluster	Yes, up to 16 nodes per cluster
Terminal Server	No	Yes⁵	Yes	Yes
Network Access Protection	No	Yes⁶	Yes	Yes
U.S. estimated retail price ⁷	US$470 per server ( available only without Hyper-V)	US$800 per server (US$772 without Hyper-V)	US$3,000 per server (US$2,972 without Hyper-V)	US$3,000 per processor (US$2,972 per processor without Hyper-V)
CALs or External Connector required ⁸	No	Yes	Yes	Yes

¹ Windows Server 2008 Standard, Enterprise, and Datacenter are also offered in "without Hyper-V" editions that do not include the hypervisor technology.

² When customers exercise the maximum number of OS instances permitted by the server license, the physical OS instance may not be used to run any workload beyond hosting the virtual machines.

³ A single package contains both 32-bit and 64-bit versions. The server license grants the customer the option to use either the 32-bit version or the 64-bit version of the software.

⁴ Supports hot addition of memory, but not hot replacement of memory, nor hot add or replacement of processors.

⁵ Use of Windows Server 2008′s new Terminal Services Gateway capability is limited to 250 connections.

⁶ Includes restrictions limiting scalability.

⁷ Volume licensing customers typically receive additional discounts of 10% to 30%.

⁸ Client Access Licenses (CALs) retail for US$40 apiece but are offered to volume customers for as much as 50% off. External Connectors are available only via volume licensing programs. Pricing for an External Connector starts at approximately US$1,800 in the least-discounted programs.

Source: Windows Server 2008 Edition Comparison

Categories: Server 2008 R2

Memory Limits for Windows Releases

May 12, 2012 gunnalag Leave a comment

Memory Limits for Windows Releases

This topic describes memory limits for supported Windows releases:

· Memory and Address Space Limits

· Physical Memory Limits: Windows 7

· Physical Memory Limits: Windows Server 2008 R2

· Physical Memory Limits: Windows Server 2008

· Physical Memory Limits: Windows Vista

· Physical Memory Limits: Windows Home Server

· Physical Memory Limits: Windows Server 2003 R2

· Physical Memory Limits: Windows Server 2003 with Service Pack 2 (SP2)

· Physical Memory Limits: Windows Server 2003 with Service Pack 1 (SP1)

· Physical Memory Limits: Windows Server 2003

· Physical Memory Limits: Windows XP

· Physical Memory Limits: Windows Embedded

· How graphics cards and other devices affect memory limits

· Related topics

Limits on memory and address space vary by platform, operating system, and by whether the IMAGE_FILE_LARGE_ADDRESS_AWARE value of the LOADED_IMAGE structure and 4-gigabyte tuning (4GT) are in use. IMAGE_FILE_LARGE_ADDRESS_AWARE is set or cleared by using the /LARGEADDRESSAWARE linker option.

4-gigabyte tuning (4GT), also known as application memory tuning, or the /3GB switch, is a technology (only applicable to 32 bit systems) that alters the amount of virtual address space available to user mode applications. Enabling this technology reduces the overall size of the system virtual address space and therefore system resource maximums. For more information, see What is 4GT.

Limits on physical memory for 32-bit platforms also depend on the Physical Address Extension (PAE), which allows 32-bit Windows systems to use more than 4 GB of physical memory.

Memory and Address Space Limits

The following table specifies the limits on memory and address space for supported releases of Windows. Unless otherwise noted, the limits in this table apply to all supported releases.

Memory type	Limit in on X86	Limit in 64-bit Windows
User-mode virtual address space for each 32-bit process	2 GB Up to 3 GB with IMAGE_FILE_LARGE_ADDRESS_AWARE and 4GT	2 GB withIMAGE_FILE_LARGE_ADDRESS_AWAREcleared (default) 4 GB withIMAGE_FILE_LARGE_ADDRESS_AWARE set
User-mode virtual address space for each 64-bit process	Not applicable	With IMAGE_FILE_LARGE_ADDRESS_AWARE set (default): x64: 8 TB Intel Itanium-based systems: 7 TB 2 GB withIMAGE_FILE_LARGE_ADDRESS_AWAREcleared
Kernel-mode virtual address space	2 GB From 1 GB to a maximum of 2 GB with 4GT	8 TB
Paged pool	Limited by available kernel-mode virtual address space or the PagedPoolLimit registry key value. Windows Vista and above: Limited only by kernel mode virtual address space. Starting with Windows Vista with Service Pack 1 (SP1), the paged pool can also be limited by the PagedPoolLimit registry key value. Windows Home Server and Windows Server 2003: 530 MB Windows XP: 490 MB	128 GB Windows Server 2003 and Windows XP: Up to 128 GB depending on configuration and RAM.
Nonpaged pool	Limited by available kernel-mode virtual address space, the NonPagedPoolLimit registry key value, or physical memory. Windows Vista: Limited only by kernel mode virtual address space and physical memory. Starting with Windows Vista with SP1, the nonpaged pool can also be limited by the NonPagedPoolLimit registry key value. Windows Home Server, Windows Server 2003, and Windows XP: 256 MB, or 128 MB with 4GT.	75% of RAM up to a maximum of 128 GB Windows Vista: 40% of RAM up to a maximum of 128 GB. Windows Server 2003 and Windows XP: Up to 128 GB depending on configuration and RAM.
System cache virtual address space (physical size limited only by physical memory)	Limited by available kernel-mode virtual address space or the SystemCacheLimit registry key value. Windows Vista: Limited only by kernel mode virtual address space. Starting with Windows Vista with SP1, system cache virtual address space can also be limited by the SystemCacheLimit registry key value. Windows Home Server, Windows Server 2003, and Windows XP: 860 MB with LargeSystemCache registry key set and without 4GT; up to 448 MB with 4GT.	Always 1 TB regardless of physical RAM Windows Server 2003 and Windows XP: Up to 1 TB depending on configuration and RAM.

Physical Memory Limits: Windows 7

The following table specifies the limits on physical memory for Windows 7.

Version	Limit on X86	Limit on X64
Windows 7 Ultimate	4 GB	192 GB
Windows 7 Enterprise	4 GB	192 GB
Windows 7 Professional	4 GB	192 GB
Windows 7 Home Premium	4 GB	16 GB
Windows 7 Home Basic	4 GB	8 GB
Windows 7 Starter	2 GB	N/A

Physical Memory Limits: Windows Server 2008 R2

The following table specifies the limits on physical memory for Windows Server 2008 R2. Windows Server 2008 R2 is available only in 64-bit editions.

Version	Limit on X64	Limit on IA64
Windows Server 2008 R2 Datacenter	2 TB
Windows Server 2008 R2 Enterprise	2 TB
Windows Server 2008 R2 for Itanium-Based Systems		2 TB
Windows Server 2008 R2 Foundation	8 GB
Windows Server 2008 R2 Standard	32 GB
Windows HPC Server 2008 R2	128 GB
Windows Web Server 2008 R2	32 GB

Physical Memory Limits: Windows Server 2008

The following table specifies the limits on physical memory for Windows Server 2008. Limits greater than 4 GB for 32-bit Windows assume that PAE is enabled.

Version	Limit on X86	Limit on X64	Limit on IA64
Windows Server 2008 Datacenter	64 GB	1 TB
Windows Server 2008 Enterprise	64 GB	1 TB
Windows Server 2008 HPC Edition		128 GB
Windows Server 2008 Standard	4 GB	32 GB
Windows Server 2008 for Itanium-Based Systems			2 TB
Windows Small Business Server 2008	4 GB	32 GB
Windows Web Server 2008	4 GB	32 GB

Physical Memory Limits: Windows Vista

The following table specifies the limits on physical memory for Windows Vista.

Version	Limit on X86	Limit on X64
Windows Vista Ultimate	4 GB	128 GB
Windows Vista Enterprise	4 GB	128 GB
Windows Vista Business	4 GB	128 GB
Windows Vista Home Premium	4 GB	16 GB
Windows Vista Home Basic	4 GB	8 GB
Windows Vista Starter	1 GB

Physical Memory Limits: Windows Home Server

Windows Home Server is available only in a 32-bit edition. The physical memory limit is 4 GB.

Physical Memory Limits: Windows Server 2003 R2

The following table specifies the limits on physical memory for Windows Server 2003 R2. Limits over 4 GB for 32-bit Windows assume that PAE is enabled.

Version	Limit on X86	Limit on X64
Windows Server 2003 R2 Datacenter Edition	64 GB (16 GB with 4GT)	1 TB
Windows Server 2003 R2 Enterprise Edition	64 GB (16 GB with 4GT)	1 TB
Windows Server 2003 R2 Standard Edition	4 GB	32 GB

Physical Memory Limits: Windows Server 2003 with Service Pack 2 (SP2)

The following table specifies the limits on physical memory for Windows Server 2003 with Service Pack 2 (SP2). Limits over 4 GB for 32-bit Windows assume that PAE is enabled.

Version	Limit on X86	Limit on X64	Limit on IA64
Windows Server 2003 with Service Pack 2 (SP2), Datacenter Edition	64 GB (16 GB with 4GT)	1 TB	2 TB
Windows Server 2003 with Service Pack 2 (SP2), Enterprise Edition	64 GB	1 TB	2 TB
Windows Server 2003 with Service Pack 2 (SP2), Standard Edition	4 GB	32 GB

Physical Memory Limits: Windows Server 2003 with Service Pack 1 (SP1)

The following table specifies the limits on physical memory for Windows Server 2003 with Service Pack 1 (SP1). Limits over 4 GB for 32-bit Windows assume that PAE is enabled.

Version	Limit on X86	Limit on X64	Limit on IA64
Windows Server 2003 with Service Pack 1 (SP1), Datacenter Edition	64 GB (16 GB with 4GT)	X64 1 TB	1 TB
Windows Server 2003 with Service Pack 1 (SP1), Enterprise Edition	64 GB (16 GB with 4GT)	X64 1 TB	1 TB
Windows Server 2003 with Service Pack 1 (SP1), Standard Edition	4 GB	32 GB

Physical Memory Limits: Windows Server 2003

The following table specifies the limits on physical memory for Windows Server 2003. Limits over 4 GB for 32-bit Windows assume that PAE is enabled.

Version	Limit on X86	Limit on IA64
Windows Server 2003, Datacenter Edition	64 GB (16 GB with 4GT)	512 GB
Windows Server 2003, Enterprise Edition	64 GB (16 GB with 4GT)	512 GB
Windows Server 2003, Standard Edition	4 GB
Windows Server 2003, Web Edition	2 GB
Windows Small Business Server 2003	4 GB
Windows Compute Cluster Server 2003		32 GB
Windows Storage Server 2003, Enterprise Edition	8 GB
Windows Storage Server 2003	4 GB

Physical Memory Limits: Windows XP

The following table specifies the limits on physical memory for Windows XP.

Version	Limit on X86	Limit on X64	Limit on IA64
Windows XP	4 GB	128 GB	128 GB (not supported)
Windows XP Starter Edition	512 MB	N/A	N/A

Physical Memory Limits: Windows Embedded

The following table specifies the limits on physical memory for Windows Embedded.

Version	Limit on X86	Limit on X64
Windows XP Embedded	4 GB
Windows Embedded Standard 2009	4 GB
Windows Embedded Standard 7	4 GB	192 GB

How graphics cards and other devices affect memory limits

Devices have to map their memory below 4 GB for compatibility with non-PAE-aware Windows releases. Therefore, if the system has 4GB of RAM, some of it is either disabled or is remapped above 4GB by the BIOS. If the memory is remapped, X64 Windows can use this memory. X86 client versions of Windows don’t support physical memory above the 4GB mark, so they can’t access these remapped regions. Any X64 Windows or X86 Server release can.

X86 client versions with PAE enabled do have a usable 37-bit (128 GB) physical address space. The limit that these versions impose is the highest permitted physical RAM address, not the size of the IO space. That means PAE-aware drivers can actually use physical space above 4 GB if they want. For example, drivers could map the "lost" memory regions located above 4 GB and expose this memory as a RAM disk.

What Is Microsoft Windows HPC Server?

May 12, 2012 gunnalag Leave a comment

United States Change | All Microsoft Sites

Microsoft Home | Servers and Tools

New to HPC?

get acquainted.

A Competitive Advantage

High Performance Computing gives analysts, engineers and scientists the computation resources they need to make better decisions, fuel product innovation, speed research and development, and accelerate time to market. Some examples of HPC usage include: decoding genomes, animating movies, analyzing financial risks, streamlining crash test simulations, modeling global climate solutions and other highly complex problems.

More Accessible Than Ever

In the past, the most common way to apply multiple compute cycles to a complex problem was to use specialized supercomputing hardware – a solution with a very high cost of entry and technical complexity.

However, recent software and hardware advances have made it possible to leverage existing IT skills and create an HPC environment using off-the-shelf servers and high speed interconnects. These systems can deliver industry-leading computing power with more efficiency and at a significantly lower cost of entry and ownership. This form of HPC is called a commodity HPC cluster.

Basic Architecture of an HPC Cluster

A cluster consists of several servers networked together where each server in the cluster performs one or more specific tasks. Cluster components include Head Nodes, and Compute Nodes, Job Scheduler and Broker Nodes (for SOA enabled clusters.)

Head Node

The single point of management and job scheduling for the cluster. It provides failover and controls and mediates access to the cluster resources.

Compute Node

Carries out the computational tasks assigned to it by the job scheduler.

Job Scheduler

Queues jobs and their associated tasks. It allocates resources to these jobs, initiates the tasks on the compute nodes; and monitors the status of jobs, tasks, and compute nodes.

Broker Node

Act as intermediaries between the application and the services. The broker load-balances the service requests to the services, and finally return results to the application.

Learn more: read Deployment Roadmap for Windows HPC Server 2008 R2 »

Basic cluster: The minimal set of components to run an HPC application on a cluster.
Resilient cluster: Includes redundant Head and Broker nodes so that applications are immune to failures of these critical servers.
Workstation cluster: Includes Windows 7 workstations that can be used as compute nodes to run HPC jobs when they are otherwise idle.
SOA Enabled cluster: Building on the basic cluster, it includes one or more broker nodes required to run SOA-based HPC applications
Azure Cloud cluster: Enables Windows HPC Server jobs to run, partially or completely, in Windows Azure

Azure Cloud cluster: Enables Windows HPC Server jobs to run, partially or completely, in Windows Azure

HPC in Action

See how organizations in various industries are using HPC to gain a competitive advantage or speed research and discovery.

Financial Services: Reduced Modeling Time

Financial Services: Reduced Modeling Time

Western & Southern Financial Group chose an actuarial solution from Milliman that runs on Microsoft® high-performance computing (HPC) technology that made it easy for the company’s IT staff to manage and adjust to meet business needs. The company is using their new solution to reduce modeling time by up to 99 percent and decrease their time-to-market for new products.

Read their story »
Life Sciences: Advancing Cancer Research

Life Sciences: Advancing Cancer Research

The Research Informatics Core at Nationwide Children’s Hospital increased the speed at which it could digitize pathology slides and support researchers through faster data computation.

Read their story »
Digital Content Creation: Faster Image Rendering

Digital Content Creation: Faster Image Rendering

Glukoza Production was able to render animations for their high-definition, full-length film 25 percent faster, making it possible for them to save $200,000 in production costs and release their movie four months earlier.
Government: Driving Productivity

Government: Driving Productivity

The Institute of Geology, China Earthquake Administration (IGCEA) deployed Windows® HPC Server 2008 on a 128-node cluster with a dual boot of the operating systems. As a result, they simplified their HPC cluster management, decreased cluster deployment time by 60 percent, and increased IT productivity by 50 percent.

Read their story »
Manufacturing: Breaking Barriers

Manufacturing: Breaking Barriers

Seer Technology not only tackled a gas chromatography problem that industry experts said was impossible, but they also saved $7 million and cut their time to market by 83 percent with HPC.

Read their story »
Higher Education & Research: Speed Research, Extend Software Resources

Higher Education & Research: Speed Research, Extend Software Resources

Today, researchers at Cornell University and other institutions are more productive, because they can focus on their research rather than on the underlying technology. Using an HPC system has given them access to a broader range of commercial and custom applications.

Read their story »
Stork Thermeq Expands Research Capabilities

Stork Thermeq Expands Research Capabilities

Due to the accelerated performance, Stork Thermeq researchers can run more compute jobs and gain deeper insight for improved products and services.

Watch their story »