ECX3.0+FileShare+sd+win2008

合集下载

ECX3.0+SQL2008+sd+win2008

ExpressCluster X3.0+SQLServer2008 在Windows平台上的共享型集群配置手册NEC中国有限公司销售部2011.1.10目录1.安装准备 (3)1.1系统环境 (3)1.2网络配置 (3)1.3硬盘配置 (6)2.ExpressClusterX3.0安装和基础配置 (7)2.1ExpressClusterX3.0安装 (7)2.2ExpressClusterX3.0的基础配置 (13)2.3添加监视资源 (26)2.4应用配置文件和重启集群 (29)3.SQLServer导入 (33)3.1 SQLServer数据库实例创建 (33)3.2 SQLServer实例资源添加 (36)3.3 SQLServer选件监视资源添加 (39)4.基础测试 (41)4.1 ExpressCluster正常运行确认 (41)4.2手动失效切换 (42)4.3日志收集 (43)1.安装准备1.1系统环境1.2网络配置1．主机ec01网络配置设置公网IP。

图 1设置公网设置私网IP。

图 2设置私网ec01网络配置完成。

2．ec02网络配置。

ec02网络配置和ec01一样，如下图：图 3设置公网图 4设置私网ec02网络配置完成。

1.3硬盘配置在共享磁盘上构建数据分区，在构建cluster和数据分区前，请事先备份重要数据分区如下：F盘为数据分区.磁盘大小为4.39G。

E盘大小200M。

（cluster分区一般20M以上即可，且不需要格式化）。

图 5设置共享分区由于ec01和ec02使用的是共享磁盘，所以ec01上磁盘划分好之后，就不用在ec02上划分磁盘了，在ec02机器上，点击左上角的刷新按钮，就可以看到磁盘分区了，如下图：图 6设置共享分区这样两台主机安装Cluster前的准备工作已全部完成,可以开始安装cluster。

2.ExpressClusterX3.0安装和基础配置2.1ExpressClusterX3.0安装图 7安装向导图 8选择目的文件夹图 9安装程序端口默认。

windows_server_2008_句柄数__解释说明

windows server 2008 句柄数解释说明1. 引言1.1 概述Windows Server 2008是微软公司发布的一款服务器操作系统，具有稳定性和安全性高的特点。

句柄数作为Windows Server 2008中一个重要的概念，对于服务器性能和应用程序运行起着至关重要的作用。

本文将深入探讨Windows Server 2008中的句柄数及其对系统的影响，以及如何优化和管理句柄数以提升性能。

1.2 文章结构本文共分为五个部分进行阐述。

首先，在引言部分，我们将对文章进行简单介绍，并概述文章其他各节的主要内容。

其次，在第二部分，我们将详细解释什么是句柄以及在Windows Server 2008中句柄的作用。

然后，在第三部分，我们将针对句柄数增加对系统性能的影响进行讨论，并提供一些优化和管理句柄数的建议。

紧接着，在第四部分，我们将分享一些实际案例，并介绍相应的解决方案。

最后，在结论部分，我们将总结文章中的主要观点，并提出进一步研究的建议。

1.3 目的本文旨在帮助读者更好地理解Windows Server 2008中句柄数的概念和作用，以及句柄数对服务器性能的影响。

通过本文的阅读，读者将能够学习到如何优化和管理句柄数，从而提升服务器的性能和稳定性。

此外，本文还将通过实际案例的分享，为读者提供解决方案和经验，以应对可能出现的问题和挑战。

最终，本文希望能够为进一步研究句柄数和服务器性能优化提供参考和启示。

2. Windows Server 2008 句柄数2.1 什么是句柄在Windows操作系统中，句柄是一种用于标识和访问资源的数据结构。

它可以看作是对资源的引用或代表，例如打开的文件、应用程序窗口、网络连接等。

每个句柄都有一个唯一的标识符，操作系统利用这些标识符来追踪和管理各种资源。

2.2 句柄在Windows Server 2008中的作用Windows Server 2008是一款基于Windows NT框架的服务器操作系统，它广泛应用于企业级环境中。

Windows server 2003到Windows server 2008 R2的迁移(一)：共存

Windows server 2003到Windows server 2008 R2的迁移:共存2010-04-12 17:21:19标签：Windows迁移休闲职场server 2008 R2 2003原创作品，允许转载，转载时请务必以超链接形式标明文章原始出处、作者信息和本声明。

否则将追究法律责任。

/333093/294230自Windows Server 2008 正式发布以来，已受到广泛的好评，它是对已使用5年之久的Windows操作系统的重大改进，将会在未来几年内极大的增强IT界支持业务和组织创新的能力。

随着Windows Server 2008 R2的发布，它又提供了像Direct Access、Branch Cache、Powershell 2.0、Hyper-v 2.0等全新的功能特性，并且在AD服务中又添加了诸多令人兴奋的功能，像AD回收站、离线加入域。

这些优秀技术的加入，使得IT技术人员可以更加灵活方便的进行管理，提高工作效率的同时让工作充满了乐趣。

Contoso公司目前就面临了这样一个问题：使用Windows Server 2003作为基础架构平台，但随着公司业务的发展，公司规模的不断扩展，需要在外地建立分支机构，并且拥有一支人数不少的业务团队，并且团队需要与总部保持通讯，由于业务需要，工作人员需要使用笔记本在公网接入公司内网，查询信息。

这样就对目前基础架构发起了挑战，IT部门经过讨论决定，将基础架构升级至Windows Server 2008 R2，并使用其新的功能特性来满足公司需求。

Contoso公司目前服务器情况如下：一台配置主流的服务器A运行Windows Server 2003 R2 64位操作系统作为域控制器，DNS和DHCP服务器。

一台配置已经过时的服务器B运行Windows Server 2003 R2 32位操作系统作为辅助域控制器，DNS。

一台配置刚好的服务器C运行Windows Server 2003 R2 64位操作系统作为Exchange 2007 邮件服务器。

Windows+Server+2008配置指南

禁用 UAC
开始菜单右上角的图标打开或关闭“用户账户控制”取消选择那个复选框，点击确定，重新启动。
3
Wi ndows Server 2008 配置指南 Nocturne Studio Copyri ght Reserved zqus tc@
2007
迁移个人文件夹
参见《Vista 配置指南》
在安装的时候，请拔掉网线，并且事先将确保无毒的驱动程序以及杀毒软件刻成光盘（或复制到可以设为只读的 U 盘上）。整个安装最好是在一块新的硬盘上进行，否则请确信备份了所有重要资料，并且所有分区确认无毒。
建立用户
第一次启动，会让你设置 Administrator 的密码。当完成之后，请立刻新建自己的用户帐户并为其设置密码。一般要求新建的用户应该是一个普通帐户，但为了方便起见，我们还是建立管理员帐户。建立完毕之后，Logout，以新用户身份登陆 Windows。
2007
Nocturne Studio 雨夜工作室 URL: E-Mail: zqustc@ MSN: zqustc@ 瀚海星云 BBS ID: orochi
操作没有版权，但是文章却有版权。本文和任何一篇讲述操作系统配置、优化的文章一样，文中提到的操作、优化系统的方法，都是对操作系统的“发现” 。任何人都没有权利说自己发现的某种操作（无论这种操作是不是他“原创”发现的）具有版权，而不许别人在自己的操作系统上实施这种操作；但是他若写文章描述这种操作，那么这篇文章的文字，作者当然享有其不被随意转载、抄袭的权利。本文中所提及的各项操作，有的是作者自己摸索出来的，有的是查阅微软的官方帮助文档获得的，也有的是从网上各路高人的帖子、文章中学习来的。正如我前面所说，我在我的机器上实施这种操作，又或者是告诉别人怎样运用这些操作，不牵涉到任何所谓“版权“问题。任何人都没有理由说： ”这种操作明明是我提出来的，你凭什么写在你自己的文章里，却不提及是我教你的？“ 当然，如果有人发现我的文章中有从某处抄袭来的地方，本人愿意承担一切责任。上面说的既适用于作者本人，也适用于每一个阅读这篇文章的读者。谢谢大家！

windos server 2008集成usb3.0

Windows 2008 server r2 集成usb3.0驱动在生产工作中发现，现在大部分新生产的机器主板都将usb的接口更换成usb3.0，而作为前
置机的设备安装的windows 2008 server r2系统本身并没有usb3.0驱动，导致安装启动U盘不
能正常安装操作系统，现将Windows 2008 server r2 集成usb3.0的方法分享给大家。

一·工具/镜像
1.Windows server 2008 X64 With SP2 简体中文版安装镜像
2.UltraISO软碟通软件（注册码）用于制作镜像
3.Windows usb installation tool软件
二．步骤
1.将windows 2008 server r2系统镜像用UltraISO软碟通软件制作成系统启动盘
a.打开UltraISO软碟通软件找在系统中找到对一个的windows 2008 server r2系统镜像
b.依次单击启动---写入硬盘映像---便捷启动---写入USB-HDD+---写入等待写入完成
2.将usb
3.0驱动写入到镜像中
a.用管理员身份运行Windows usb installation tool
右击选择以管理员身份运行
b.添加usb3.0驱动按如图勾选，点击start，等待即可
按照上述过程即可完成Windows 2008 server r2 集成usb3.0的驱动。

Bcdedi用法实例--打造XP_2003_VISTA_WIN2008多盘多系统引导菜单

##添加windows内存诊侧到主菜单工具列表的最后一项(addfirst是显示在顶部)
bcdedit /store c:\boot\bcd /set {memdiag} locale "zh-CN"
##设置windows内存诊侧的语言为中文
###第7步#################################################################################################################
bcdedit /export c:\456
##备份原有的系统引导记录到 c:\456
bcdedit /import c:\boot\bcd
##记录文件信息导入到系统引导记录
bcdedit /enum all
##察看系统引导记录中的所有信息
###OK完成了!!##############################################################################################################
bcdedit /store c:\boot\bcd /default {数字Id}
##设置Vista操作系统为默认启动的系统, {legacy}是旧版本的Windows
###第5步################################################################################################################
multi(0)disk(0)rdisk(这括号里填硬盘号)partition(这括号里填分区号)\WINDOWS="windows xp或windows 2003&相同)

Windows+2008中文版安装实录

Windows 2008中文版安装实录Windows server 2008作为windows 2003的下一代服务器版操作系统，在安全性和应用等多个方面都有着不俗的表现。

相信不少网络管理员也对windows server 2008寄予希望，然而网上太多的都是英文版windows server 2008的安装操作过程，还有部分文章是讲解如何在英文版windows 2008上进行汉化操作的。

实际上这些都不太适合中小企业的网管，今天笔者就为各位讲解如何拒绝英文用windows 2008中文版安装系统。

笔者拿到的是微软发布的中文版Windows server2008——zh-Hans_windows_server_2008_datacenter_enterprise_standard_x86_dvd_x14-26742.i so，在安装时我们要确认的是你的计算机属于X86类型的设备。

第一步：将zh-Hans_windows_server_2008_datacenter_enterprise_standard_x86_dvd_x14-26742.iso文件刻录成光盘，整个文件大小是2G，所以我们需要通过DVD盘来刻录。

第二步：选择光盘启动这时系统提示在加载光盘启动文件——windows is loading files。

（如图1）第三步：等待光盘启动后我们就能够看到windows server 2008的安装界面，由于我们使用的光盘是windows 2008中文版，所以在安装的语言处能够看到“简体中文”的字样，其他两项“时间和货币格式”以及“键盘和输入方法”也都选择中文即可，点“下一步”按钮继续。

（如图2）第四步：接下来我们点“现在安装”按钮进入正式的windows server 2008安装阶段。

（如图3）第五步：首先选择要安装的windows server 2008版本，众所周知windows server 2008和windows 2003一样有多个版本，每个版本内置的组件都不相同，我们一定要事先确定安装版本。

高手分享修复Win7与win2008双系统错误的秘笈

高手分享修复Win7与win2008双系统错误的秘笈导读:电脑预装win7 系统，平时工作娱乐使用挺好的，但有时开发程序需要使用服务器功能的系统,为此又安装了Server2008,安装的部分运行正常;在安装完Office 2007和Live Services之后，只剩下少量程序没有安装以及少量设备没有配置，此时笔者开始导入旧数据。

笔者之所以没能立刻意识到问题的存在是因为笔者首先就启动了重新加载备份数据。

当笔者安装DVD时，系统弹出“找不到启动设备”的错误信息。

这时候就懵了,脑袋第一反应如何解决呢?首先，笔者以前在CD指令消失后等待启动未果的情况下，会尝试使用F8键。

然后会选择“修复我的系统”以及“启动修复”，Windows便会找到症结所在。

这一次，虽然换成了安装DVD，但是笔者还是选择了与上面相同的步骤且得到相同的结果。

它只是需要一些命令提示符，并给出一些能看到哪些部分被用作启动的启动配置数据编辑器(BCDEDIT)。

要查看这些细节，命令提示符必须和Run作为Admimistrator一起给出。

BootMgr从选项出调用的设备是D：驱动——也就是笔者的外部eSATA驱动。

为了对其值进行编辑，笔者输入：bcdedit/set{bootmgr} device “partition=C:” 。

笔者很肯定C：驱动包含了D：驱动曾使用过的bootmgr。

不过这对解决问题没有多大帮助。

下一步，笔者通过输入:bcdedit/export c: \filename来提取bootmgr的备份。

然后，从DVD装置中重启电脑，并选择“修复系统”。

然后选择转到命令提示符，并将电脑内部驱动和外部eSATA驱动中的bootmgr.efi文件都删除。

最后，关闭系统，并切断外部eSATA驱动的连接。

然后接通电源，从DVD 装置中启动。

笔者选择了“修复系统”，而当自动化进程为Windows安装进行扫描时，它会立刻发现启动的问题所在，并建议对其进行修复。

U盘安装win2003、win2008,集成PE

Win03_x86+08R2+SGUIDE 9.40+SGUIDE9.61+CFT- V1.3启动U盘制作教程制作：PHJ一、准备工作：1. WIN2003_SP2全驱动版32X.iso （或者win2003原版+nLite）2. cn_windows_server_2008_r2_with_sp1_x64_dvd.iso3. ibm_utl_sguide_9.40_anyos_i386.iso (不需要的可以不用或者其他版本)4. ibm_utl_sguide_9.61_anyos_i386.iso (不需要的可以不用或者其他版本)5.CFT-v1.3.iso (不需要的可以不用或者其他版本)6. WinSetupFromUSB （核心软件）7.8GB优盘一个，如果做过其他启动盘，要用分区软件清除分区，重建MBR引导，清除引导扇区，最好删除分区，再在“我的电脑”-磁盘管理里面新建主分区，否则可能导致win2003安装程序无法引导。

二、制作win2003 安装U盘1.用nlite给win2003集成驱动。

可参考下面的教程/link?url=VxDAR1Sh_DSTPm-aKtuERVsq6o1CAUvI-u7YkRlgxThzjQtm nIRI0YvTTy2djSRM-oHAlnofM7g1x2IJRgMnaAIvXcUJ76wW202uF4GzHL7或者直接提取“WIN2003_SP2全驱动版32X.iso”里面的system/ENTX 目录（32位企业版）2.打开WinSetupFromUSB_1-3_x64.exe（我是64位系统），如下图，选择你准备好的win2003安装文件夹选好路径后点点开始安装，接着就是等待了，会自动完成的。

三、复制文件1.不需要sguide_9.40的可以略过提取ibm_utl_sguide_9.40_anyos_i386.iso 里面的所有文件到你刚刚做好的U盘（我是加载的虚拟光驱），重命名SOURCES目录里面的boot.wim为boot2.wim（切记）2.不需要sguide_9.61的可以略过提取ibm_utl_sguide_9.61_anyos_i386.iso 里面的所有文件到你刚刚做好的U盘，提示相同文件名时，全部选择合并和替换。

securing-windows-server-2008-and-active-directory

Corelan Team:: Knowledge is not an object, it's a flow ::Securing Windows Server 2008 and Active DirectoryCorelan Team (corelanc0d3r) · Friday, April 18th, 2008According to Microsoft, Windows Server 2008 is the most secure Windows server version ever.Windows 2008 does include many features that will help increase overall security of the OS, or assist you with securing AD, the network, etc. Most of the features/roles available in Windows 2008 are not being installed in a default installation of Windows 2008, leaving the OS in a more or less ‘secure’state right after installation. The attack surface of a default Windows 2008 server may be smaller than it was under NT4, 2000 and 2003, but concluding that Windows Server 2008 is secure, may be one bridge too far.Microsoft has published a paper on the differences between 2003 and 2008, which includes some security related information. The document can be downloaded from “Changes in Functionality from Windows Server 2003 with SP1 to Windows Server 2008“I’ll use this post to explain some of the recommended hardening techniques, and list some additional tweaks/settings that can (and imho should) be applied to a Windows 2008 server in an attempt to further harden the OS.This document consists of the following partsFor Windows 2008/AD servers :- Using GPOAccelerator to create GPO’s that can be applied to AD and to regular servers- Provide some recommended settings that should be configured to a Domain GPO, including Domain Password Policies and Fine Grained Password Policies- Provide some recommended settings that should be configured to the Domain Controller’s GPO,- Provide some recommended settings that should be configured to regular server GPO’s- Using GPOAccelerator SCE Extensions to further secure AD and servers using GPO’s- Create your own extensions and create custom Security Templates- Use the custom Templates to actually set out the various GPO’s (based on the recommendations that are given in this document). You don’t want to go in and change all the GPO’s manually. It is better to create your own templates and then apply these templates to the corresponding GPO’s.- Using Security Configuration Wizard to secure servers that have a specific roleFor standalone/”high security” servers :- Using GPOAccelerator and Security Templates to secure “standalone” serversFor all servers- Additional (Custom) settings that should be applied to any server, and general security recommendations to secure ADDownload section : I have made my customized Security Templates for AD Domains, for AD DC’s, for member servers and for high security hosts available for download. You can find the link at the bottom of this post.Note : this document is not the ultimate complete security guide for 2008. It just provides some tips & tricks to increase the overall security level.GeneralBefore going into the various procedures of securing AD and servers, I’ll briefly discuss some of Microsoft’srecommendations on tackling the attack surface that is still present in Windows 2008. The Windows Server 2008 Security Guide document (content also available on Technet at /en-us/library/cc264463.aspx) makes a clear distinction between (EC) Enterprise Security (I’ll interpret this as being servers that need to be part of the Enterprise, the Domain, or have roles/features that require integration and/or interaction with AD DS and/or other services within the Enterprise… for whatever reason) and servers that requires specialized security (SSLF). I’ll interpret the latter as servers that don’t need to be part of the domain, or that can have an elevated security level applied. Some of the settings in this blog post will apply to both environments, others will only apply to the servers with a higher security level requirement. If a setting only needs to be applied to these servers, I’ll mention this (so you don’t break stuff. After all, the SSLF model focusses primarily on security, and this will result in limited functionality)In both scenario’s, a Tool / Windows Shell script called GPOAccelerator can be used to set up a security baseline, either using EC Settings, or SSLF Settings (SSLF is not a supplement on top of EC, it’s just a different set of rules). GPOAccelerator can be downloaded from /downloads/info.aspx?na=47&p=2&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=12ac9780-17b5-480c-aef7-5c0bde90 60b0&u=details.aspx%3ffamilyid%3dA46F1DBE-760C-4807-A82F-4F02AE3C97B0%26displaylang%3denFirst things firstRight after installing the Windows 2008 OS, you should consider running the following steps :- Secure the filesystems. Change the NTFS Security on all non-System partitions to :(Basically, remove “Everyone” and “SERVER\Users”)- Change NTFS Security on the following executables, and change the ACL to BUILTIN\Administrators and System (Full Control) only :arp.exeat.execacls.execmd.exedebug.exeedlin.exefinger.exeftp.exetracert.exeipconfig.exenbtstat.exenet.exenetsh.execscript.exewscript.exenslookup.exenetstat.exeregedit.exeregedt32.exeroute.exersh.exerunonce.exesyskey.exetelnet.exercp.exexcopy.exeNote : some of these files may be missing on a Windows 2008 machine, other Windows 2008 files may be missing from this list, but I’m still reviewing the list of files… In the meantime, you can use the same list for hardening a Windows 2000/2003 server as well.- Do NOT run services as NetworkService or LocalService, but use regular accounts instead. On IIS7 servers, do not run in Full trust or don’t run websites with NetworkService or LocalService accountsThis setting will prevent Token Kidnapping (/research/TokenKidnapping.pdf)For Active Directory, take the following steps as well (in fact, you need to think about these things when you design your AD)- Keep your DC’s dedicated to the DC role.- Delegate access, don’t use the admin accounts. Create the toplevel OU structure, create admin user accounts and a Admin Group. Change the security on this group so only a limited set of admins can change membership of this admin group. Delegate Full Control to the toplevel OU structure, but NOT to the domain. This will help you ensuring the integrity, availability and security of your AD.Don’t forget to set strong passwords to your admin accounts.- DON’T use the Domain Admins group. Don’t make anyone member of this group, and keep the password secret. There’s nothing really that cannot be delegated. For more information about delegating access to your custom admin groups in order to be able to perform certain admin tasks, see near the bottom of this post.- Rename the administrator account, create a fake “administrator”. Don’t forget to copy the contents of the personal/account information fields, so the fake administrator really looks like the administrator :) Of course, keep this fake administrator disabled.GPOAccelerator – Creating a baselineGPOAccelerator will allow you to create, test and deploy security settings. The tool creates OU’s / GPO’s, so you can link them in your production AD environment, or you can use the .inf files that come with GPOAccelerator to apply settings to standalone servers. It is advised to test GPOAccelerator before using it in production AD.When you unzip GPOAccelerator, you will find these files :Start by installing GPOAccelerator.msiRoughly, this is what gets installed :C:\Program Files\GPOAccelerator>dirVolume in drive C has no label.Volume Serial Number is ACFE-FB99Directory of C:\Program Files\GPOAccelerator17/04/2008 23:52 <DIR> .17/04/2008 23:52 <DIR> ..15/11/2007 21:10 617 Accelerator.xml17/12/2007 03:10 237 command-line here.cmd17/04/2008 23:52 <DIR> GPMCFiles20/02/2008 20:09 389.120 GPOAccelerator.exe18/02/2008 00:31 44.570 GPOAccelerator.wsf18/02/2008 23:47 141.648 License Terms.rtf14/02/2008 02:49 5.424 Localization.ini17/12/2007 03:10 3.189 Path.xml17/04/2008 23:52 <DIR> SCE Update17/04/2008 23:52 <DIR> Security Templates7 File(s) 584.805 bytes5 Dir(s) 10.402.938.880 bytes freeC:\Program Files\GPOAccelerator>dir GPMCFilesVolume in drive C has no label.Volume Serial Number is ACFE-FB99Directory of C:\Program Files\GPOAccelerator\GPMCFiles17/04/2008 23:52 <DIR> .17/04/2008 23:52 <DIR> ..17/12/2007 03:10 39.886 CreateEnvironmentFromXML.wsf17/04/2008 23:52 <DIR> OSG17/04/2008 23:52 <DIR> VSG17/04/2008 23:52 <DIR> WSSG17/04/2008 23:52 <DIR> XPG1 File(s) 39.886 bytes6 Dir(s) 10.402.938.880 bytes freeC:\Program Files\GPOAccelerator>dir “SCE Update”Volume in drive C has no label.Volume Serial Number is ACFE-FB99Directory of C:\Program Files\GPOAccelerator\SCE Update17/04/2008 23:52 <DIR> .17/04/2008 23:52 <DIR> ..17/12/2007 03:10 21.160 Restore_SCE_to_Default.vbs17/12/2007 03:10 48.214 sce.reg17/12/2007 03:10 14.961 sceregvl_Vista.inf.txt17/12/2007 03:10 19.391 sceregvl_W2K3_SP1.inf.txt17/12/2007 03:10 14.961 sceregvl_W2K8_SP1.inf.txt17/12/2007 03:10 17.278 sceregvl_XPSP2.inf.txt17/12/2007 03:10 4.188 Strings-sceregvl.txt17/12/2007 03:10 16.775 Update_SCE_with_MSS_Regkeys.vbs05/02/2008 00:49 2.905 Values-sceregvl.txt9 File(s) 159.833 bytes2 Dir(s) 10.402.938.880 bytes freeC:\Program Files\GPOAccelerator>dir “Security Templates”Volume in drive C has no label.Volume Serial Number is ACFE-FB99Directory of C:\Program Files\GPOAccelerator\Security Templates17/04/2008 23:52 <DIR> .17/04/2008 23:52 <DIR> ..17/04/2008 23:52 <DIR> VSG17/04/2008 23:52 <DIR> WSSG17/04/2008 23:52 <DIR> XPG0 File(s) 0 bytes5 Dir(s) 10.402.938.880 bytes freeC:\Program Files\GPOAccelerator>As you can see, a Windows Shell Script file (Command Line, gpoaccelerator.wsf) and an executable (GUI, gpoaccelerator.exe) were placed in the installation folder, along with some other files and folders.For example, the folder “GPMC files” contains 4 folders.OSG = Office Security GuideVSG = Vista Security GuideWSSG = Windows Server Security GuideXPG = XP Security GuideThe WSSG folder contains the following files and folders :Directory of C:\Program Files\GPOAccelerator\GPMCFiles\WSSG17/04/2008 23:52 <DIR> .17/04/2008 23:52 <DIR> ..21/02/2008 22:54 31.186 EC-WSSG-GPOs-LAB.xml21/02/2008 22:51 12.646 EC-WSSG-GPOs.xml24/02/2008 21:21 3.727 EC-WSSGApplyAuditPolicy-DC.CMD24/02/2008 21:21 3.727 EC-WSSGApplyAuditPolicy-MS.CMD24/02/2008 21:21 3.845 EC-WSSGAuditPolicy-DC.CMD21/02/2008 11:38 4.729 EC-WSSGAuditPolicy-DC.txt24/02/2008 21:22 3.845 EC-WSSGAuditPolicy-MS.CMD27/12/2007 04:20 4.737 EC-WSSGAuditPolicy-MS.txt21/02/2008 23:03 14.011 manifest.xml21/02/2008 22:59 31.266 SSLF-WSSG-GPOs-LAB.xml21/02/2008 22:59 12.688 SSLF-WSSG-GPOs.xml24/02/2008 21:22 3.728 SSLF-WSSGApplyAuditPolicy-DC.CMD24/02/2008 21:22 3.728 SSLF-WSSGApplyAuditPolicy-MS.CMD24/02/2008 21:22 3.852 SSLF-WSSGAuditPolicy-DC.CMD21/02/2008 11:40 4.825 SSLF-WSSGAuditPolicy-DC.txt24/02/2008 21:22 3.852 SSLF-WSSGAuditPolicy-MS.CMD27/12/2007 04:37 4.809 SSLF-WSSGAuditPolicy-MS.txt17/04/2008 23:52 <DIR> {05BBE0FC-5EB9-42FB-B446-90BE4BD2399A}17/04/2008 23:52 <DIR> {086C17BC-F733-4DC2-A47B-78A31F14E4EA}17/04/2008 23:52 <DIR> {0A78C5FB-E931-4D5A-83E2-78293109928F}17/04/2008 23:52 <DIR> {1F620490-1BFE-4C30-AF06-299584460C80}17/04/2008 23:52 <DIR> {2F1705AF-65DD-4A94-8EE6-ADDB849EBD6A}17/04/2008 23:52 <DIR> {31714DC9-8666-4BAA-8E54-CC4947882E9F}17/04/2008 23:52 <DIR> {3F4C29A4-0D71-405B-874F-14B0C08C99FD}17/04/2008 23:52 <DIR> {4F86A66E-A827-422C-B42C-03FCA32B77CE}17/04/2008 23:52 <DIR> {5A57478B-56B7-4AE6-A3B6-950B228BE45A}17/04/2008 23:52 <DIR> {69D76DED-9157-458D-AACC-50BEB12428B2}17/04/2008 23:52 <DIR> {6D3D68A1-6ED4-4E0D-A7BF-4D7603AB0BF9}17/04/2008 23:52 <DIR> {72D0C62E-6645-43AF-B374-D4A2192533D3}17/04/2008 23:52 <DIR> {98550823-6F63-447B-AF25-5E6FE5697DF3}17/04/2008 23:52 <DIR> {B5E5C2BD-6A23-4284-9306-AD41068D34DB}17/04/2008 23:52 <DIR> {BBC153BA-8DDD-4829-A7C6-185148F7F7E5}17/04/2008 23:52 <DIR> {BD1CAB21-1AE0-4786-ACC2-0D93DFF66EE6}17/04/2008 23:52 <DIR> {BD61819B-3414-4C25-B6D0-11275D44A235}17/04/2008 23:52 <DIR> {C23B1C0B-0C81-46B9-B2EE-83386BB5391A}17/04/2008 23:52 <DIR> {D09EE5EA-1565-455C-BF62-1BAACB445AAC}17/04/2008 23:52 <DIR> {E4977B95-BD5E-40C9-8EF7-D016832235F7}17/04/2008 23:52 <DIR> {F3C3960B-93C2-4C02-BD4A-A1F26A21B182}17/04/2008 23:52 <DIR> {F3DE561D-93FE-4FD9-99B2-2F85E2792956}17 File(s) 151.201 bytes24 Dir(s) 10.403.004.416 bytes freeThese files will be used by the GPOAccelerator tool to create GPO objects, in this case for Windows Servers.If you are only interested in creating the GPO’s with the EC settings, run GPOAccelerator.wsf /WSSG /EnterpriseIf you want to create special OU’s, then use the /LAB option (so GPO’s are linked to these OU’s, and not to OU’s in your production environment) (Review the “How To Use the GPOAccelerator.doc” document for more command-line options.)We’ll come back to the command line features, let’s have a look at the GUI component first, which is in fact nothing more than a wizard that will create the exact syntax/parameters to run the Script.Log on as Domain Admin and launch the GUI by running GPOAccelerator.exeYou can either create GPO objects in the domain, or create a Security Policy that can be applied to standalone systems. Finally, the GUI allows you to update the SCE to display MSS security settings. You’ll need this last option (so you need to run this at least once) in order to be able to display/edit the settings that were written by the “Microsoft Solutions for Security” group. Don’t run this yet, I’ll show you how this works later on.Click “Domain” and select the desired Security Baseline from the dropdown list. In our example, this is Windows Server 2008Select either the Enterprise Client (EC) or SSLF environment.We’ll start with the EC firstThe next page will ask you whether you want to implement the baseline in lab or production environment. Normally, if you have a clean LAB environment, you could choose LAB, but since I don’t want the tool to start messing up my own OU structure, I just want the GPOs to be created, and I’ll link them to whatever OU I want later on. So I’ll choose Production for nowThe last page shows the command that will be run as a result of our selections. As stated before, this tool is nothing more than a GUI wizard on top of the script.So basically, if you would run “GPOAccelerator.wsf /WSSG /Enterprise” from command line, then you would get the same results.Just keep in mind, if you want to use the command line in production environment :- Log on with Domain Admin rights- Launch “Command-line here.cmd” with administrator privileges (Run as administrator)- type cscript GPOAccelerator.wsf /WSSG /EnterpriseAnyways, we’ll let the GUI run the scripts for now – the result should be exactly the same.If you press “Continue”, you’ll get the following warningClick “YES” to continue (at your own risk, of course :-) )Click OK when askedWait until the process has completedand accept the fact that you will have to link the GPOs to the appropriate OUs yourself.Open Group Policy Management console and verify that the objects have been createdYou can use these GPOs in conjunction with the corresponding roles and features to secure these installed roles/features.Let’s have a look at some common GPO’s and what we can do to further secure these GPO’s before you apply themModifying the WSSG EC Domain PolicyWhile this GPO does not really apply directly to one particular server, it is still good practise to set/review these settings as your overall security plan for your servers.Default Domain Password PolicyThe Domain (Password) Policy that is created by GPOAccelerator statesPassword history : 24 passwordsMax password age : 90 daysMin password age : 1 daysMin password length : 8 charactersPassword complexity : enabledStore passwords using reversible encryption : disabledAccount lockout : 15 minutesAccount lockout threshold : 50 invalid attemptsReset lockout counter after : 15 minutesI would strongly recommend- change the Account lockout during to forever (until admin unlocks) : change value to 0- change the lockout threshold to 3 or 5 attempts- change the lockout counter to 30 minutes or moreAdditionally, I would recommend configuring the following settings for the Domain Policy :Computer Configuration – Policies – Windows Settings – Security Settings – Account Policies – Kerberos PolicyEnforce user logon restrictions : EnabledMax lifetime for service ticket : 600 minutesMax lifetime for user ticket : 10 hoursMax lifetime for user ticket renewal : 7 daysMax tolerance for computer clock synchronization : 5 minutesNote : Depending on how you want to keep the client’s clock up to date, you may have to allow your users to change the system time (For example : if you are running some command to sync the clock from a loginscript, then the user account needs to have permissions to change the system time). You can define this setting under “Local Policies – User Rights Assignments”. If you are using NTP, then this setting is irrelevant and can be limited to your IT Admin groupFine Grained Password PoliciesWindows 2008 introduces the concept of Fine Grained Password Policies. This feature allows you to specify multiple password policies in a domain, by basically linking a password policy to a set of users (inetOrg Person objects, or Global Groups). Unfortunately you cannot assign a Fine Grained Password Policy to members of a OU.In order to be able to define a Policy, the domain needs to be in 2008 functional mode. By default, only Domain Admins can set Fine Grained Password Policies, but you can delegate these rights.One of the possible implementations of multiple password policies is setting a different password policy to administrative accounts (IT Staff who is managing AD, or have other elevated permissions, including the Domain administrator account (SID 500), with more restrictive policy settings, and setting another password policy for system accounts (used for example to run services)This is how it works: /windowsserver2008/en/library/056a73ef-5c9e-44d7-acc1-4f0bade6cd751033.mspx?mfr=true Configuring a PSO is easy : Open the Fine Grained Password Policy MMC GUI…. just kidding :-) Microsoft has not built a nice wizard or GUI around this,so you’ll have to do this the hard way. Luckily, Microsoft has done an excellent job in documenting most of the Windows configuration steps over the l a s t c o u p l e o f y e a r s,s o T e c h n e t c o n t a i n s d e t a i l e d i n f o r m a t i o n o n h o w t o s e t t h i s u p.Y o u c a n v i s i t /windowsserver2008/en/library/1e1c9618-cda9-489b-a1cb-bbc182216aee1033.mspx?mfr=true or /blogs/jorge/archive/2007/08/09/windows-server-2008-fine-grained-password-policies.aspx for more information on how to set up the PSO. Furthermore, some clever individuals decided to wrap a GUI around the process. One of the really excellent (and free) tools that can be u s e d t o m a n a g e t h e P S O s(u s i n g P o w e r s h e l l c o m p o n e n t s)c a n b e f o u n d a t h t t p://d m i t r y s o t n i k o v.w o r d p r e s s.c o m/2007/06/19/f r e e-u i-c o n s o l e-f o r-f i n e-g r a i n e d-p a s s w o r d-p o l i c i e s/Password policy settings :For administrators, a min. password length of 12 characters should not be a big problem, or if you want to keep the passwords shorter, then at least consider setting the password expiry to 2 weeks.For service accounts it may be hard to change passwords all the time, so setting no password expiration may be acceptable in certain scenario’s, but the password length should be something like 30 or 40 charactersModifying the WSSG EC Domain Controller Baseline PolicyThe second GPOAccelerator-created GPO I am going to review is the one that can be applied to Domain Controllers. This GPO is quite detailed and configures a lot of settings compared to the Default DC policy in Windows.However, the following settings should be changed (these could be settings that are already configured to something else, or could be settings that have not been configured yet, and should be set in addition to the already existing settings) :Policies – Windows Settings – Security Settings – Local PoliciesAudit PolicyThe WSSG EC Policy will only log the success events. In certain cases, logging the failure events as well can help you troubleshooting as well as tracing back attempts to access data/objects by unauthorized users.I would at least consider auditing success AND failure events forAudit account logon eventsAudit account managementAudit directory service accessAudit logon eventsAudit object accessThese settings can be found under “Computer Configuration – Policies – Windows Settings – Security Settings – Local Policies – Audit Policy”User Rights AssignmentsAccess this computer from the networkThe WSSG EC Policy changes the default settings (which are indeed way to broad) to BUILTIN\Administrators, NT AUTHORITY\Authenticated Users, NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERSTHis is a lot better already, however I don’t like “Authenticated Users” It would be better to create a Group in AD, add all of your known users into that group, and replace Authenticated Users with your own group. That way, you are sure that someone who is able to create a user account (in any way), cannot necessarily access your DC’s from the network.Add workstations to the domainTypically, you’d only want your IT staff to be able to add computers to the domain. In order to really be able to delegate and secure this kind of activity, there are 2 places that need some configuration1. Edit the GPO that is applied to your DC’s – Go to “Computer Configuration – Policies – Windows Settings – Security Settings – User Rights AssignmentsEdit “Add workstations to the domain”, remove “Authenticated Users” (Default Policy) or “BUILTIN\Administrators” (WSSG EC Policy) and add your IT Staff users. If changing this setting breaks your attempt to add a new DC to the Domain, you may have to add your Domain Admins/Enterprise Admins group as well)2. Open Active Directory Users & Computers. Go to View and enable “Advanced Features”. Right-click “Computers” and go the the Security tab. Make sure regular users (Authenticated Users, etc) have read-only rights. You don’t need to add your IT Staff to the ACL. After all, it would be much better to create a separate OU structure, grant access to that OU, and set necessary permissions to the OU to the IT Staff. This way they can pre-create the computer objects before adding a computer to the domain. That is, imho, the best way to manage your computer objects (or at least the addition of computer objects in your environment)Log on locallyChange this setting from “Not defined” to your local admin group, Domain Admins, BUILTIN\Administrators… whatever, as long as you don’t allow regular users to log on locally on a DC. In most cases, BUILTIN\Administrators will do just fine. If you’re not an admin, there’s nothing you should do on a DC.Backup files & directories, Restore files & directoriesBy default, this setting is set to “not defined”. I would suggest changing this to your admin groups, BUILTIN\Administrators and BUILTIN\Backup OperatorsChange the system timeSet this parameter to your admin group, BUILTIN\Administrators and LOCAL SERVICESecurity OptionsDCOM: Machine Launch Restrictions in Security …set to “configured”Add your IT admins group and grant permissions for “Remote Activation”This setting is required to allow IT admins to perform Group Policy Modelling, on Windows 2003 server SP1 or higher ( /?kbid=914047)Interactive LogonDisplay user information when the session is locked : set to Do Not Display User InformationMessage text for users attempting to log on : enable and enter a security banner. Do NOT include wording/verbiage such as “Welcome to the server”, or “Welcome to the domain” or something like that. Be very specific in your statement. Example text could beThis system is restricted to authorized users. Individuals attempting to gain unauthorized access to this system will be prosecuted. If you are unauthorized, terminate access right now. Clicking on OK indicates your acceptance of the information in the message above.Message title for users attempting to log on : enable and enter a Message Title. Example : “it is a criminal offense to continue without proper authorization”Network SecurityForce logoff when logon hours expire : Set to enabledShutdownClear virtual memory pagefile : set to EnabledModifying the WSSG EC Member Server Baseline PolicyYou can use the WSSG EC Member server baseline policy to apply a good security baseline to all of your servers (non DC’s). Some of the settings above will apply to these servers.I would recommend setting a GPO before configuring other roles. You can also apply some of the custom TCP/IP settings that can be found near the bottom of this post to all of your servers, so don’t forget about these. Next, configure roles/features, install applications. and finally, run a SCW before you put the machine in production.Update the SCE database and apply a MSS Security Template to get more options in your GPOEarlier in this post, I talked about a third option in the GUI wizard : “Update SCE”.Before you will be able to see the MSS specific settings in the GPO editor (SCE), you need to extend the SCE database, and then import a Security Template that contains these MSS settings. Running “Update SCE” will not add any settings to your GPOs, it will only make sure that you will be able to see the new settings when you import one of the MSS Security Templates (that are made available as part of GPOAccelerator)Launch the GPOAccelerator GUI again and click the “Update SCE” button this timeChoose to “Display” the SCE Optionsclick continue and accept the warning, and wait until the process finished. You will now be able to edit the Security Templates (.inf files)Note : You can also extend the SCE from Command Line : cscript GPOAccelerator.wsf /ConfigSCE or remove the settings again using cscript GPOAccelerator.wsf /ResetSCEYou are now ready to import the MSS specific settings into your GPO : Open Group Policy Management Console, edit your GPO, Open “Computer Configuration – Policies – Windows Settings – Security Settings”, right click and choose “Import policy”Navigate to C:\Program Files\GPOAccelerator\Security Templates\WSSG and select the Template that applies to this GPO. In my example, I have edited the Domain Policy, so I’ll select the WSSG EC Domain.inf file (You should do the same for your DC and member server GPO’s as well)If you now open for example Security Options under “Computer Configuration – Policies – Windows Settings – Security Settings – Local Policies”, you’ll see the MSS: specific settings.Further hardening regular (EC) servers using MSS extensionsI would recommend using the following MSS specific settings in a GPO that applies to all of your servers (including Domain Controllers): AutoAdminLogon : disabledDisableIPSourceRouting : enabledNoDriveTypeAutoRun : disabledNoNameReleaseOnDemand : enabledFurther hardening some (EC) servers using MSS extensionsThe following settings should be applied to all servers whenever possible (Test these settings because they might impact the operation of your server) :AutoShareWks : disabledHidden : enabledSecurity Configuration Wizard : role based Firewall rulesets, Services modifications, Registry Security and AuditingWindows 2008 is very much role based. The Security Configuration Wizard will attempt to identify the roles that are installed on a server, and change Firewall rules according to the roles that it has found on the system. The built-in roles can be hardened using built-in SCW templates (xml files), but you can add other templates as well (e.g. for MS Exchange 2007 roles : /en-us/library/aa998208(EXCHG.80).aspx and /en-us/library/bb124977(EXCHG.80).aspx)Basically, these templates link the roles & features to network ports, so the firewall ruleset can be adjusted accordingly, based on the roles that are installed on a given 2008 Server.The SCW wizard is pretty much self-explanatory, however the key component is veryfying that the correct roles have been identified. Otherwise, you’ll end up with a broken system.Launch the SCW Wizard from Start – Programs – Administrative Tools。

Windows2008文件权限修改方法

Windows2008文件权限修改方法玩过windows2008的朋友都知道，windows2008系统文件的安全更改和windows2003以及windows2000已经不一样了，原来的系统我们相对一个文件或文件夹进行安全配置，只需要在安全属性里面把需要的添加，不需要的删除，即可完成安全操作。

但是在windows2008下，当你使用这个方法的时候碰到困难了，因为我们没有权限去配置安全，比如我们以sysytem32下的find.exe文件的安全配置作为例子，当我们右键－属性－安全－编辑，发现所有配置都是灰色：在安全里面－高级－编辑，新窗口中发现只有一个查看按钮可以点击，原来传统的编辑按钮不存在了：点击查看按钮，发现里面的所有配置也都是灰色，无法做任何修改。

当我们使用以往的命令行cacls.exe文件来配置其他文件的权限时候，提示“拒绝访问。

”，也就是说，我们以管理员的身份也无法对系统文件的安全进行任何的修改。

经过我反复研究，发现真正造成这个问题的原因是文件的所有者，在windows2008系统中，我们安装完系统以后，系统所有文件和文件夹的所有者默认都是“TrustedInstaller”：我们在计算机管理里面用户管理界面上找不到这个用户，具体这个用户的属性我没有查找官方的相关说明，不知道他对我们的安全具体起到什么作用。

我们只需要将文件的所有者“TrustedInstaller”修改成“administrators”，那么我们对文件权限的操作就会随心所欲，我们在所有者窗口上，选择administrators，点击应用：这样就会修改文件的所有者为“administrators”：现在我们对文件权限可以进行任何预期的编辑了，以前是灰色无法编辑的部分都已经可以进行修改：具体权限的修改方法我这里就不做任何说明，和原来windows2003上是相同的。

下面我们通过命令行实现所有这的修改，这样可以不需要你去点击，我来先介绍一个工具：takeown.exe该工具的使用说明如下：引用内容TAKEOWN [/S system [/U username [/P [password]]]] /F filename [/A] [/R [/D prompt]]描述:该工具以重新分配文件所有权的方式允许管理员重新获取先前被拒绝访问的文件访问权。

Windows_Storage_Server_2008

Windows Storage Server 2008（以下简称WSS2008）是Windows Server 2008系列中的存储服务器版本，是企业级的文件服务器平台，支持多Administrator文件存储相关的优化特性、副本管理，以及iSCSI功能。

简单来说，就是可以在普通的服务器上，安装上WSS2008,可以作为iSCSI存储服务器来说。

而在以前，存储服务器的硬件、软件成本都非常的昂贵，有了WSS2008,构建低成本、易于管理的存储服务器成为可能。

本节将介绍WSS2008做iSCSI 服务器及其在网络中的应用。

小知识： iSCSI（Internet Small Computer System Interface, Internet 小型计算机系统接口）,由IBM公司研究开发，是一个供硬件设备使用的可以在IP协议的上层运行的SCSI 指令集，这种指令集合可以实现在IP网络上运行SCSI协议，用来建立和管理 IP 存储设备、主机和客户机等之间的相互连接，并创建存储区域网络（SAN）。

1 版本选择Windows Storage Server有32位和64位两个版本，其中64位有基本版（basic）、标准版（standard）、企业版(enterprise)和工作组版（workgroup）版，32位只有基本版。

要使用WSS2008做iSCSI服务器，需要安装64位的企业版或工作组版。

WSS2008对服务器的要求也比较简单，只要能安装64位Windows Server 2008的计算机，都可以。

用WSS2008做存储服务器，主要对硬盘的速度、容量，以及对网卡的速度要求比较高。

一般情况下，具有64位的CPU（不需要虚拟化支持）、2GB内存、千兆网卡及千兆网络、40GB硬盘空间，就可以安装并运行WSS2008,但要做存储服务器，还需要更大的硬盘空间，为网络上的其他设备（或计算机）分配，这可以根据企业的需求配置硬盘，也可以在以后随时增加配置。

Windows Server 2008 支持NFS服务器功能

Windows Server 2008支持NFS服务器功能安装过程 (2)安装Windows Server 2008 (2)安装NFS服务器 (4)安装Active Directory域服务 (12)Active Directory 域服务设置 (16)安装角色服务 (25)配置过程 (29)配置用户名映射 (29)配置NFS服务器 (32)设置目录NFS共享 (34)设置目录Windows共享 (37)直接访问共享目录设置 (39)首先在服务器建立一个用户 (40)修改共享目录的权限 (43)在客户端主机建立同样一个用户 (47)测试NFS连接 (52)VORX2009-04-08安装过程安装Windows Server 2008 在安装时，选择企业版的完全安装。

其他选项就按照缺省选项即可。

安装完成后，需要设置密码。

此密码必须包含大写字母、小写字母及数字，推荐使用7位或以上字符个数（此处只要求6位字符长度）。

安装完成。

说明：安装的时候不需要输入序列号，但是30天后需要激活才能继续使用。

安装NFS服务器首先打开“服务器管理器”。

在“管理工具”菜单项中。

在左边的树中选中“功能”项。

右边窗口中会列出“功能”的详细信息。

单击“添加功能”。

会打开“添加功能向导”窗口。

在“远程服务器管理工具”项下，找到“文件服务工具”，找到下面的“网络文件系统服务工具”项目。

在此项前打勾。

下一步。

点击“安装”，进行功能的安装。

安装成功。

下面，添加“文件服务”角色。

在服务器管理器中，选中“角色”，右边会列出角色的详细信息。

点击“添加角色”文字，会运行“添加橘色向导”。

选中“文件服务”项，在该项前面打勾。

下一步。

请确保“文件服务器”和“网络文件系统服务”项前面打勾。

下一步。

好，下面开始安装。

好，安装成功。

安装Active Directory域服务在服务器管理器中进行安装。

在左边的树中选中“角色”项。

右边窗口中会列出“角色”的详细信息。

备份和还原Windows Server 2008只读域控制器

备份和还原Windows Server 2008只读域控制器Windows Server 2008 AD的备份和还原不再和Windows Server 2000或Windows Server 2003一样备份还原System States，而是需要备份CriticalVolumes.其中包含如下文件:The system volume [This is the volume that hosts the boot files， which consists of the Bootmgr file and the Boot Configuration Data (BCD) store. ] The boot volume[This is the volume that hosts the Windows operating system and the Registry. ]The volume that hosts the SYSVOL treeThe volume that hosts the Active Directory database (Ntds.dit)The volume that hosts the Active Directory database log filesWindows Server 2008的备份模式有如下三种：Full server recoverySystem state recoveryFile/Folder recovery可以使用Bcdedit.exe这个工具来切换使用正常模式还是目录服务还原模式来启动备份工具.目录服务还原模式来启动:bcdedit /set safeboot dsrepair正常模式启动:bcdedit /deletevalue safebootWindows Server 2008中，System state data至少包含如下数据(视服务器上角色的多少有多不同)：RegistryCOM+ Class Registration databaseBoot files， as described earlier in this topicActive Directory Certificate Services databaseActive Directory Domain Services databaseSYSVOL directoryCluster service informationMicrosoft Internet Information Services (IIS) metadirectorySystem files that are under Windows Resource Protection下面就和大家交流一下Windows Server 2008中ADDS的备份和还原文章分为以下部分：1.安装Windows Server Backup备份工具2.为域控制器做Critical-Volumes备份3.为域控制器做Full Server备份4.为域控制器备份做计划任务5.为域控制器做非权威还原6.为域控制器做权威还原7.小结◆一、安装Windows Server Backup备份工具在Windows Server 2008中，默认情况下备份工具没有被预安装，需要自行添加。

WIN2008安装及设置优化图解

WIN2008安装及设置优化图解这是安装时的初始画面三个版本可自行选择，默认第一项即可开始安装，其中重启2次安装完成可以自定义桌面图标取消UAC用户控制取消系统登陆时，要求输入用户名和密码开始→运行→输入“rundll32 netplwiz.dll,UsersRunDll”命令打开帐户窗口在这里重新输入你的新密码登入时，不显示服务管理器取消IE增强的安全配置两项全都点击禁用主题和高级音频设为自动，为漂亮的画面和优美的音质做准备点击运行：gpedit.msc 设为自动，点击启动。

必须点啊，可别忘了！同上点击运行：gpedit.msc登入时，无需按。

点击运行：gpedit.msc设为禁用，要不关机时太麻烦点击运行：gpedit.msc简单密码模式我的电脑右键属性，进入设备管理器，磁盘属性我的电脑右键属性，进入高级选项打开服务管理器，选择功能桌面体验不装，主题无法运行；会提示重新启动！这是驱动优化设置完成打开特效后的的画面这是激活后的画面，下面附破解文件一些常用小工具激活2008激活2008.rar永不需要激活的破解操作文档永不需要激活的破解操作文档.rar2008设置程序2008设置.rarWindows Server 2008 红外线功能补丁Windows Server 2008红外线功能补丁.rarWindows Server 2008 的主题破解(UXTheme.dll)UXTheme_Patch.rar.rar--------------------------------------------------------------------------------------------------一些常用的技巧和问题1.系统默认的资源分配是优先后台服务，我们做个更改，提高前台程序性能，解决的办法是右击电脑属性打开“高级系统设置”窗口，切换到“高级”选项卡，单击“性能”区域下的“设置”按钮，再次切换的“设置”按钮，再次切换到“高级”选项卡，可以看到这里默认选择的是“后台服务”，请更改为“程序”，确认后即可生效。

ECX3.0+SQL2008+md+win2008

ExpressCluster X3.0+ SQLServer2008 在Windows平台上的镜像型集群配置手册2011.6.16 NEC china 销售部ctc组目录1安装准备 (2)系统环境 (2)网络配置 (2)硬盘配置 (7)2ExpressClusterX3.0安装和基础配置 (8)2.0 ExpressClusterX3.0安装 (8)2.2ExpressClusterX3.0的基础配置 (14)2.2.1添加服务器 (14)2.3添加监视资源 (27)2.4应用配置文件和重启集群 (31)3、sqlserver2008安装 (33)3.1为集群配置sqlserver服务 (33)3.2为集群添加监视器 (35)4、Express Cluster和sqlserver2008的联携测试 (37)1安装准备系统环境硬件环境网络配置1．主机ec01网络配置设置公网IP。

图 1设置公网设置私网IP。

图 2设置私网ec01网络配置完成。

2．ec02网络配置。

ec02网络配置和ec01一样，如下图：图 3设置公网图 4设置私网ec02网络配置完成。

硬盘配置1．在镜像磁盘上构建数据分区，在构建cluster和数据分区前，请事先备份重要数据分区如下：F盘为数据分区.磁盘大小为4.39G。

图 5设置镜像分区由于ec01和ec02使用的是镜像磁盘，所以ec01上磁盘划分好之后，在ec02上进行相同配置如下图：图 6设置镜像分区这样两台主机安装Cluster前的准备工作已全部完成,可以开始安装cluster。

2ExpressClusterX3.0安装和基础配置2.0 ExpressClusterX3.0安装图 7安装向导图 8选择目的文件夹图 9安装程序端口默认。

图 10通信端口号设定图 11镜像磁盘过滤设定跳过图 12镜像磁盘过滤设定确认注册LICENSE。

图 13 License管理找到存放LICENSE的目录,选择LICENSE文件注册,此处依次选择3个文件,分别为BASE30 ,DBAG30，REPL30并依次注册。

windowsServer2008环境下winsxs目录清理方法.：NOVOTSKMS

windowsServer2008环境下winsxs目录清理方法.：NOVOTSKMS因为磁盘空间不够了，所以想起来清理一下系统垃圾文件，主要目标就是臭名昭著的winsxs目录。

这个winsxs就是微软为了解决“dll hell”问题，结果是好比在windows系统里安置了一个毫无节制不断增大的“肿瘤”。

听说微软研究院现在在研究这个问题，不过我想我的硬盘空间不够大，等不到这个补丁出来的时候，所以只好自己动手了。

winsxs目录下的文件都是系统要用的各种库文件，system32下存放了这些dll的最新的版本，所有老版本的dll都放在winsxs下。

所以只要你安装程序或者更新补丁，system32下的文件就会被更新，而同时winsxs就会增加一些旧文件，所以我们的C盘空间就在持续不断地减少，直到磁盘容量不够，被迫重装系统为止，如果你足够幸运，可以直接安装最新的SP的话，或许可以为winsxs节约一点微薄的空间。

winsxs目录下的不同版本文件都存放在特定命名规则的目录下，比如C:\Windows\winsxs>dirmsil_microsoft.transactions.bridge.resources*驱动器 C 中的卷是 vista卷的序列号是 989F-EFF3C:\Windows\winsxs 的目录msil_microsoft.transactions.bridge.resources_b03f5f7f11d50a3a_6.0.6000.16386_zh-cn_1cde5a17d78fb5ecmsil_microsoft.transactions.bridge.resources_b03f5f7f11d50a3a_6.0.6000.16716_zh-cn_1cd75781d79605cfmsil_microsoft.transactions.bridge.resources_b03f5f7f11d50a3a_6.0.6000.20876_zh-cn_060fb27df137fddfmsil_microsoft.transactions.bridge.resources_b03f5f7f11d50a3a_6.0.6001.18000_zh-cn_1cb2dbd3d7e75eb8msil_microsoft.transactions.bridge.resources_b03f5f7f11d50a3a_6.0.6001.18106_zh-cn_1cb252ffd7e7f8cfmsil_microsoft.transactions.bridge.resources_b03f5f7f11d50a3a_6.0.6001.22221_zh-cn_05e71ebbf18d0b5emsil_microsoft.transactions.bridge.resources_b03f5f7f11d50a3a_6.0.6002.18005_zh-cn_1c8e610fd838f2cc0 个文件 0 字节7 个目录 5,382,139,904 可用字节这里的各个部分用下划线分割，其中我们关注的是“6.0.6000.16386”部分，它表示旧文件的版本号，之前则是唯一文件标识，之后是语言，最后部分是散列值（防止名字冲突）。