Forefront TMG and BranchCache Hosted Cache deployed on the same host

June 4, 2010

BranchCache™ is a new feature in Windows® 7 and Windows Server® 2008 R2 that can reduce wide area network (WAN) or bandwidth utilization and enhance network application responsiveness when users access content in a central office from branch office locations. When you enable BranchCache, a copy of the content that is retrieved from the Web server or file server is cached within the branch office. If another client in the branch requests the same content, the client can download it directly from the local branch network without needing to retrieve the content by using the Wide Area Network (WAN).

How does BranchCache work? When a Windows 7 client in a branch office requests data such as WSUS content from a head office server, the server checks authentication and authorises the data to pass on to the client. This ordinary exchange happens without BranchCache as well.

With BranchCache, the client uses the hashes in the metadata to search for the file on the Hosted Cache server. Because this is the first time any client has retrieved the file, it is not yet cached on the local network, so the client retrieves the file directly from the content server. The Hosted Cache server then connects to the client and retrieves the set of blocks that it does not have cached.

When a second Windows 7 client from the same branch requests the same WSUS content from the content server (the WSUS server), the content server authorizes the user/client and returns content identifiers. The second client uses these identifiers to request the data from the Hosted Cache server residing in the branch. This time, it does not retrieve the data from the DFS share residing in the head office.

To configure a Web server or an application server that uses the Background Intelligent Transfer Service (BITS) protocol, you must install the BranchCache feature using Server Manager. To configure a file server to use BranchCache, you must install the BranchCache for Network Files feature and configure the server using Group Policy. This article discusses and shows how to configure WSUS to use BranchCache. The following steps are involved in the head office and branch offices.

Head Office:

  1. Install and configure TMG Server (Upstream Proxy)
  2. Add FQDN of branch TMG server in DNS server
  3. Prepare necessary routing for both TMG

Branch Office:

  1. Install and configure TMG server
  2. Create DFS share in Branch Office
  3. Install and configure Branchcache File Server
  4. Configure GPO for Branchcache
  5. Validate hosted cache is working

By default, Forefront TMG blocks most traffic that is destined explicitly for the host or originating from the host. To allow BranchCache to function in Hosted Cache mode, you must define specific Forefront TMG policy rules so that BranchCache clients and the BranchCache Hosted Cache can communicate. To allow this communication you must define two Forefront TMG policy rules:

  1. Allow Hosted Cache Inbound Connections—A rule that allows clients to advertise new content to the Hosted Cache server, and retrieve data from the Hosted Cache server.
  2. Allow Hosted Cache Outbound Connections—A rule that allows the Hosted Cache server to retrieve advertised content from the client.

Step 1: Connect Branch TMG (downstream TMG) with Head office TMG (Upstream TMG), Microsoft Active Directory and DNS.

1. Click Monitoring, click Connectivity Verifiers, click Create New Connectivity Verifier, type the name of the new connectivity verifier, and click Next.

2. Select Web Connectivity from the drop-down list, type the FQDN of the upstream proxy, click Next and then click Finish.

3. Repeat step 1 and step 2 to create connectivity for Active Directory, and DNS.

4. Apply the changes and click OK.

Step 2: Write down which ports clients are actually configured to use

Choose any BranchCache client and check the registry. The registry keys below will contain the actual value if the defaults were modified.

  • The Retrieval port registry key (if not specified, the default is 80):
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\PeerDist\DownloadManager\Peers\Connection

  • The Hosted Cache port registry key (if not specified, the default is 443):
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\Connection

Step 3: Define the Retrieval protocol

  1. Select the Firewall Policy node.
  2. Select the Toolbox tab.
  3. Expand Protocols.
  4. Click New and then select Protocol.
  5. Enter the protocol definition name as “BranchCache -Retrieval” and click Next.
  6. Click New and add the new protocol, as follows:
    1. Protocol Type: TCP
    2. Direction: Outbound
    3. Port Range: From 80 to 80 (replace 80 if a different port was identified in Step 2)
    4. Click OK.

Step 4: Define the Hosted Cache protocol

  1. Select the Firewall Policy node.
  2. Select the Toolbox tab.
  3. Expand Protocols.
  4. Click New and then select Protocol.
  5. Enter the protocol definition name as “BranchCache -Advertise” and click Next.
  6. Click New and add the new protocol, as follows:
    1. Protocol Type: TCP
    2. Direction: Outbound
    3. Port Range: From 443 to 443 (replace 443 if a different port was identified in Step 2)
    4. Click OK.

Step 5: Create a rule to allow Hosted Cache Inbound Connections

  1. Select the Firewall Policy node.
  2. Select the Tasks tab.
  3. Click Create Access Rule.
  4. Define the rule name as “Allow Hosted Cache Inbound Connections” and then click Next.
  5. On the Rule Action page, select Allow and then click Next.
  6. On the This rule applies to page:
    1. Choose Selected Protocols from the list, and then click the Add button.
    2. In the Add Protocols dialog box, expand User-defined protocols.
    3. Select BranchCache -Retrieval protocol and click Add.
    4. Select BranchCache -Advertise protocol, click Add and then click Close.
    5. Click Next.
  7. On the Access Rule Sources page:
    1. Click Add.
    2. In the Add Network Entities dialog box, expand the Networks folder, select Internal Network, click Add, and then click Close.
    3. Click Next.
  8. On the Access Rule Destinations page:
    1. Click Add.
    2. In the Add Network Entities dialog box, expand the Networks folder, select Local Host, click Add, and then click Close.
    3. Click Next.
  9. On the User Sets page, click Next to apply the rule to all users.
  10. On the Completing the New Access Rule Wizard page, click Finish to close the wizard.

Step 6: Create a rule to allow Hosted Cache Outbound Connections

  1. Select the Firewall Policy tab.
  2. Select the Tasks tab.
  3. Click Create Access Rule.
  4. Define the rule name as “Allow Hosted Cache Outbound Connections” and click Next.
  5. On the Rule Action page, select Allow and then click Next.
  6. On the This rule applies to page:
    1. Choose Selected Protocols from the list, and then click the Add button.
    2. In the Add Protocols dialog box, expand User-defined protocols.
    3. Select BranchCache -Retrieval protocol and click Add.
    4. Click Next.
  7. On the Access Rule Sources page:
    1. Click Add.
    2. In the Add Network Entities dialog box, expand the Networks folder, select Local Host, click Add, and then click Close.
    3. Click Next.
  8. On the Access Rule Destinations page:
    1. Click Add.
    2. In the Add Network Entities dialog box, expand the Networks folder, select Internal Network, click Add, and then click Close.
    3. Click Next.
  9. On the User Sets page, click Next to apply the rule to all users.
  10. On the Completing the New Access Rule Wizard page, click Finish to close the wizard.
  11. Click Apply to save the changes and update the configuration.

Step 7: (Optional) Reduce the impact of NIS Inspection on Hosted Cache traffic

NIS is a protocol decode-based traffic inspection feature of Forefront TMG that uses signatures of known vulnerabilities to detect and potentially block attacks on network resources (for more information about NIS,

This topic is not applicable if NIS is not enabled. To check if NIS is enabled:

  1. Select the Intrusion Prevention System node.
  2. On the Tasks pane, click Configure Properties.
  3. On the General tab, verify that the Enable NIS check box is selected.

When enabled, NIS inspects all traffic, including traffic destined explicitly to the host or originating from the host. As a result, users may experience increased latency when retrieving cached objects from the Hosted Cache server.

In the case of a significant impact, it is recommended to choose one of the following options to mitigate the issue:

Option 1: Disable NIS inspection exclusively for traffic destined explicitly to the host or originating from the host.

The risk of disabling NIS for traffic destined explicitly to the host or originating from the host is small, for the following reasons:

  • NIS is applied to all other traffic, continuing to defend all internal un-patched machines. Forefront TMG itself, as an edge-located security device, is expected to be patched at all times, and thus protected from all known threats.
  • By default, NIS does not inspect non HTTP/HTTPS traffic destined explicitly to the host or originating from the host; thus disabling NIS on the local host has no impact on other protocols.
  • Forefront TMG does not initiate outbound web-access. As a result, the vulnerability of the host itself to web-originating threats is very low. As a common security practice, administrators are advised not to browse the Internet from the Forefront TMG host.

To disable NIS for traffic destined explicitly to the host or originating from the host:

1. The following registry value has a default of 1. To disable localhost traffic inspection, use Regedit on the host to set it to 0.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray\Debug\IPS\IPS_LOCALHOST_INSPECTION_MODE

2. Re-apply the Forefront TMG policy:
Open any of the firewall policy rules and add a space anywhere in the rule description. Click Apply.

Option 2: Change the BranchCache protocol default port numbers (80 and 443) to custom port numbers.
Explanation: By default NIS inspects only HTTP and HTTPS in localhost traffic. To retain that inspection without impacting BranchCache performance, the BranchCache default ports must be changed to other available ports, and the protocol definitions from Steps 3 and 4 must be updated to match.
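To check the Step 2 port values and the Step 7 inspection setting together without opening Regedit, here is an added PowerShell example (it is not from the original article). It reads the two BranchCache port keys and the NIS localhost inspection mode and reports whether NIS will inspect the Hosted Cache traffic; it assumes it runs elevated on the TMG host and that each Connection key stores its port in a value named ListenPort, which the article does not name.

```powershell
# Added example, not from the original article.
# Reads the BranchCache ports (Step 2) and the NIS localhost inspection mode
# (Step 7) and reports whether NIS will inspect the Hosted Cache traffic.
# Assumption: the port is stored in a value named ListenPort under each
# Connection key; the article only gives the key paths, not the value name.

$RetrievalKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\DownloadManager\Peers\Connection'
$HostedKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\HostedCache\Connection'
$NisKey       = 'HKLM:\SOFTWARE\Microsoft\RAT\Stingray\Debug\IPS'

function Get-RegistryValueOrDefault {
    param([string]$Path, [string]$Name, $Default)
    # Returns the registry value if the key and value exist, otherwise the
    # documented default (80, 443 and 1 in this article).
    if (Test-Path -Path $Path) {
        $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
        if ($item -ne $null -and $item.PSObject.Properties[$Name] -ne $null) {
            return $item.$Name
        }
    }
    return $Default
}

function Test-BranchCacheNisOverlap {
    $retrievalPort = [int](Get-RegistryValueOrDefault $RetrievalKey 'ListenPort' 80)
    $hostedPort    = [int](Get-RegistryValueOrDefault $HostedKey    'ListenPort' 443)
    $nisLocalhost  = [int](Get-RegistryValueOrDefault $NisKey 'IPS_LOCALHOST_INSPECTION_MODE' 1)

    # NIS only looks at HTTP (80) and HTTPS (443) in localhost traffic, so a
    # BranchCache port is inspected only when it is one of those two AND
    # localhost inspection is still at its default of 1.
    $webPorts = @(80, 443)
    $retrievalInspected = ($nisLocalhost -eq 1) -and ($webPorts -contains $retrievalPort)
    $hostedInspected    = ($nisLocalhost -eq 1) -and ($webPorts -contains $hostedPort)

    $advice = if ($retrievalInspected -or $hostedInspected) {
        'NIS inspects Hosted Cache traffic: either set IPS_LOCALHOST_INSPECTION_MODE to 0 (Step 7, option 1) ' +
        'or move the BranchCache ports off 80/443 (option 2) and update the TMG protocol definitions from Steps 3 and 4 to match.'
    } else {
        "No overlap: NIS adds no latency to Hosted Cache traffic. Make sure the TMG protocol definitions use ports $retrievalPort and $hostedPort."
    }

    New-Object PSObject -Property @{
        RetrievalPort          = $retrievalPort
        HostedCachePort        = $hostedPort
        NisLocalhostInspection = $nisLocalhost
        RetrievalInspected     = $retrievalInspected
        HostedCacheInspected   = $hostedInspected
        Advice                 = $advice
    }
}

Test-BranchCacheNisOverlap | Format-List
```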

Branch Forefront TMG also provides:

  • Secure web-access via anti-malware, URL filtering and HTTPS inspection.
  • Firewall and Network Inspection System (NIS).
  • Reverse proxy (web-publishing) of web-applications at the branch.
  • Site-to-site VPN.
  • Roaming-user VPN.

Step 8: Installing BranchCache File Server on TMG

1. Click Start, point to Administrative Tools, and then click Server Manager.

2. Right-click Roles and then click Add Roles.

3. In the Add Features Wizard, select File Server and BranchCache for network files and then click Next.

4. In the Confirm Installation Selections dialog box, click Install.

5. In the Installation Results dialog box, confirm that BranchCache installed successfully, and then click Close.

Step 10: Use Group Policy to configure BranchCache

1. Open the Group Policy Management Console. Click Start, point to Administrative Tools, and then click Group Policy Management Console.

2. Select the domain in which you will apply the Group Policy object, or select Local Computer Policy.

3. Select New from the Action menu to create a new Group Policy object (GPO).

4. Choose a name for the new GPO and click OK.

5. Right-click the GPO just created and choose Edit.

6. Click Computer Configuration, point to Policies, Administrative Templates, Network, and then click Lanman Server.

7. Double-click Hash Publication for BranchCache.

8. Click Enabled.

9. Under Options, choose one of the following Hash publication actions:

a. Allow hash publication for all file shares.

b. Allow hash publication for file shares tagged with “BranchCache support.”

c. Disallow hash publication on all file shares.

10. Click OK.

Step 9: Use Registry Editor to configure disk use for stored identifiers

1. Open an elevated command prompt (click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator).

2. At the command prompt, type Regedit.exe, and then press Enter.

3. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.

4. Right-click the HashStorageLimitPercent value, and then click Modify.

5. In the Value box, type the percentage of disk space that you would like BranchCache to use. Click OK.

6. Close the Registry Editor.

Step 10: Set up the BranchCache support tag on a file share

1. Click Start, point to Administrative Tools, and then click Share and Storage Management.

2. Right-click a share and then click Properties.

3. Click Advanced.

4. On the Caching tab, select Only the files and programs that users specify are available offline.

5. Select Enable BranchCache, and then click OK.

6. Click OK, and then close the Share and Storage Management Console.

To replicate cryptographic data

1. Open an elevated command prompt (click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator).

2. At the command prompt, type netsh branchcache set key passphrase="MY_PASSPHRASE", and then press Enter. Choose a phrase known only to you. Repeat this process using the same phrase on all computers that are participating in the cluster.

Step 11: Configure client using GPO

1. Click Start, point to Administrative Tools, and click Group Policy Management Console.

2. In the console tree, select the domain in which you will apply the GPO.

3. Create a new GPO by selecting New from the Action menu.

4. Choose a name for the new GPO, and then click OK.

5. Right click the GPO you created and choose Edit.

6. Click Computer Configuration, point to Policies, Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine, Network, and then click BranchCache.

7. Double-click Turn on BranchCache.

8. Click Enabled, and then click OK.

9. To use Distributed Cache mode, double-click Turn on BranchCache – Distributed Caching mode, click Enabled, and then click OK; or, to use Hosted Cache mode, double-click Turn on BranchCache – Hosted cache mode, click Enabled, and then click OK.

10. To enable BranchCache for SMB traffic, double-click BranchCache for network files, click Enabled, select a latency value under Options, and then click OK.

Step 12: Validate the Hosted Cache is working properly

  1. Choose any client on the Branch Office.
  2. Open Performance Monitor, track the BranchCache “Bytes from Cache” counter and take note of the current value.
  3. Open your Internet Browser. Clear the browser cache to make sure it is not utilized in this validation.
  4. Instructions for clearing the cache using Internet Explorer 8:

    1. On the Tools menu, select Internet Options.
    2. On the General tab, in the Browsing History section, click the Delete… button.
    3. In the opened dialog box, select the Temporary Internet Files check box and clear the other check boxes, then click Delete.
    4. Wait for the operation to complete, and then close the dialog boxes.
  5. Using the client, access or download an object with a known size from an HTTP/S application on a Windows 2008 R2 server.
  6. Expected result:
    • If the object was never accessed from the Branch, the counter should increment by the object size on the third attempt to access it (between attempts, make sure you clear the browser cache).
    • If the object was already accessed from the Branch, the counter should increment by the object size on the first or second attempt.
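The same check can be scripted on a branch client; the following is an added PowerShell example, not from the original article. It downloads through BITS because BITS is a BranchCache-aware client (as the article notes for BITS servers), so the browser cache is not involved and need not be cleared; the URL is a placeholder, and the counter name follows the article's wording (run Get-Counter -ListSet BranchCache to see the exact counter names on your client).

```powershell
# Added example, not from the original article: scripts the Step 12 check.
# Assumptions: Windows 7 branch client, PowerShell 2.0 or later, BitsTransfer
# module available; $Url is a placeholder for an object of known size on a
# head office HTTP/S server; the counter name follows the article's wording
# (Get-Counter -ListSet BranchCache shows the exact names on the client).
Import-Module BitsTransfer

$CounterPath = '\BranchCache\Bytes from Cache'

function Get-BytesFromCache {
    # Current value of the counter the article says to watch in Performance Monitor.
    $sample = Get-Counter -Counter $CounterPath -ErrorAction Stop
    return [int64]$sample.CounterSamples[0].CookedValue
}

function Test-HostedCacheRetrieval {
    param(
        [string]$Url = 'http://wsus.headoffice.example/Content/sample.cab',  # placeholder
        [int]$Attempts = 3
    )
    $dest = Join-Path $env:TEMP 'branchcache-probe.bin'
    $results = @()
    for ($i = 1; $i -le $Attempts; $i++) {
        if (Test-Path $dest) { Remove-Item $dest -Force }
        $before = Get-BytesFromCache
        # BITS is a BranchCache-aware client, so the block lookup against the
        # Hosted Cache happens inside this call.
        Start-BitsTransfer -Source $Url -Destination $dest -ErrorAction Stop
        $after = Get-BytesFromCache
        $size  = (Get-Item $dest).Length
        $delta = $after - $before
        $results += New-Object PSObject -Property @{
            Attempt         = $i
            ObjectBytes     = $size
            BytesFromCache  = $delta
            ServedFromCache = ($delta -ge $size)
        }
    }
    Remove-Item $dest -Force -ErrorAction SilentlyContinue
    return $results
}

# Expected per the article: an object never seen in the branch is served from
# the Hosted Cache on the third attempt; one already seen, on the first or second.
$runs = Test-HostedCacheRetrieval
$runs | Format-Table Attempt, ObjectBytes, BytesFromCache, ServedFromCache -AutoSize
if (-not ($runs | Where-Object { $_.ServedFromCache })) {
    Write-Warning 'No attempt was served from the Hosted Cache; check the TMG rules from Steps 5 and 6 and the client GPO.'
}
```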

Relevant Study:

Forefront TMG 2010: How to install and configure Forefront TMG 2010, Step by Step

DFS Step-by-Step Guide for Windows Server 2008

How to configure DFS to use fully qualified domain names in referrals

How to configure Windows Server Update Services (WSUS) to use BranchCache



How to configure Windows Server Update Services (WSUS) to use BranchCache

February 17, 2010

What is BranchCache? BranchCache™ is a new feature in Windows® 7 and Windows Server® 2008 R2 that can reduce wide area network (WAN) or bandwidth utilization and enhance network application responsiveness when users access content in a central office from branch office locations. When you enable BranchCache, a copy of the content that is retrieved from the Web server or file server is cached within the branch office. If another client in the branch requests the same content, the client can download it directly from the local branch network without needing to retrieve the content by using the Wide Area Network (WAN).

How does BranchCache work? When a Windows 7 client in a branch office requests data such as WSUS content from a head office server, the server checks authentication and authorises the data to pass on to the client. This ordinary exchange happens without BranchCache as well.

With BranchCache, the client uses the hashes in the metadata to search for the file on the Hosted Cache server. Because this is the first time any client has retrieved the file, it is not yet cached on the local network, so the client retrieves the file directly from the content server. The Hosted Cache server then connects to the client and retrieves the set of blocks that it does not have cached.

When a second Windows 7 client from the same branch requests the same WSUS content from the content server (the WSUS server), the content server authorizes the user/client and returns content identifiers. The second client uses these identifiers to request the data from the Hosted Cache server residing in the branch. This time, it does not retrieve the data from the DFS share residing in the head office.

To configure a Web server or an application server that uses the Background Intelligent Transfer Service (BITS) protocol, you must install the BranchCache feature using Server Manager. To configure a file server to use BranchCache, you must install the BranchCache for Network Files feature and configure the server using Group Policy. This article discusses and shows how to configure WSUS to use BranchCache. The following steps are involved in the head office and branch offices.

Head Office:

  1. Install and configure back-end SQL Server
  2. Create DFS share
  3. Install and configure front-end WSUS Server
  4. Configure GPO for WSUS client

Branch Office:

  1. Install and configure Branchcache File Server
  2. Configure GPO for Branchcache
  3. Install and configure front-end WSUS server
  4. Configure GPO for WSUS client

Installing BranchCache File Server

1. Click Start, point to Administrative Tools, and then click Server Manager.

2. Right-click Roles and then click Add Roles.

3. In the Add Features Wizard, select File Server and BranchCache for network files and then click Next.

4. In the Confirm Installation Selections dialog box, click Install.

5. In the Installation Results dialog box, confirm that BranchCache installed successfully, and then click Close.

Using Group Policy to configure BranchCache

1. Open the Group Policy Management Console. Click Start, point to Administrative Tools, and then click Group Policy Management Console.

2. Select the domain in which you will apply the Group Policy object, or select Local Computer Policy.

3. Select New from the Action menu to create a new Group Policy object (GPO).

4. Choose a name for the new GPO and click OK.

5. Right-click the GPO just created and choose Edit.

6. Click Computer Configuration, point to Policies, Administrative Templates, Network, and then click Lanman Server.

7. Double-click Hash Publication for BranchCache.

8. Click Enabled.

9. Under Options, choose one of the following Hash publication actions:

a. Allow hash publication for all file shares.

b. Allow hash publication for file shares tagged with “BranchCache support.”

c. Disallow hash publication on all file shares.

10. Click OK.

Using the Registry Editor to configure disk use for stored identifiers

1. Open an elevated command prompt (click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator).

2. At the command prompt, type Regedit.exe, and then press Enter.

3. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.

4. Right-click the HashStorageLimitPercent value, and then click Modify.

5. In the Value box, type the percentage of disk space that you would like BranchCache to use. Click OK.

6. Close the Registry Editor.

Setting the BranchCache support tag on a file share

1. Click Start, point to Administrative Tools, and then click Share and Storage Management.

2. Right-click a share and then click Properties.

3. Click Advanced.

4. On the Caching tab, select Only the files and programs that users specify are available offline.

5. Select Enable BranchCache, and then click OK.

6. Click OK, and then close the Share and Storage Management Console.

To replicate cryptographic data

1. Open an elevated command prompt (click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator).

2. At the command prompt, type netsh branchcache set key passphrase="MY_PASSPHRASE", and then press Enter. Choose a phrase known only to you. Repeat this process using the same phrase on all computers that are participating in the cluster.

Client configuration using Group Policy

1. Click Start, point to Administrative Tools, and click Group Policy Management Console.

2. In the console tree, select the domain in which you will apply the GPO.

3. Create a new GPO by selecting New from the Action menu.

4. Choose a name for the new GPO, and then click OK.

5. Right click the GPO you created and choose Edit.

6. Click Computer Configuration, point to Policies, Administrative Templates: Policy definitions (ADMX files) retrieved from the local machine, Network, and then click BranchCache.

7. Double-click Turn on BranchCache.

8. Click Enabled, and then click OK.

9. To use Distributed Cache mode, double-click Turn on BranchCache – Distributed Caching mode, click Enabled, and then click OK; or, to use Hosted Cache mode, double-click Turn on BranchCache – Hosted cache mode, click Enabled, and then click OK.

10. To enable BranchCache for SMB traffic, double-click BranchCache for network files, click Enabled, select a latency value under Options, and then click OK.

Configuring a Branch WSUS server to use BranchCache

In addition to enabling BranchCache in your environment, the WSUS server must be configured to store update files locally (both the update metadata and the update files are downloaded and stored locally on the WSUS server). This ensures that the clients get the update files from the WSUS server rather than directly from Microsoft Update.

Install SQL Server 2005/2008 with Management Studio Express on the back-end computer

  1. Click Start, point at All Programs, point at SQL Server 2005, point at Configuration Tools, and select SQL Server Surface Area Configuration.

  2. Choose Surface Configuration for Services and Connections.

  3. In the left window, click the Remote Connections node.

  4. Select Local and remote connections and then select Using TCP/IP only.

  5. Click OK to save the settings.

To ensure administrative permissions on SQL Server

  1. Start SQL Server Management Studio (click Start, click Run, and then type sqlwb).

  2. Connect to the SQL Engine on the server where SQL Server 2005 was installed in Step 1.

  3. Select the Security node and then select Logins.

  4. The right pane will show a list of the accounts that have database access. Check that the person who is going to install WSUS 3.0 on the front-end computer has an account in this list.

  5. If the account does not exist, then right-click the Logins node, select New Login, and add the account.

  6. Set up this account for the roles needed to set up the WSUS 3.0 database. The roles are either dbcreator plus diskadmin, or sysadmin. Accounts belonging to the local Administrators group have the sysadmin role by default.

Install Branch WSUS Server

To install WSUS on the front-end computer, open a command prompt, navigate to the folder containing the WSUS Setup program, and type:

WSUSSetup.exe /q FRONTEND_SETUP=1 SQLINSTANCE_NAME=server\instance CREATE_DATABASE=0

Here, server\instance is the name of the remote SQL Server instance that holds the WSUS database. If you do not want a silent installation, omit the /q switch and follow the WSUS installation link.

Important! Microsoft recommends 1 GB of free space for the system partition and 30 GB for WSUS content. But this minimum recommended space will create havoc when the WSUS log, database log and content grow over the years. So I used 50 GB for the system partition and 100 GB for WSUS content in the DFS share.

To configure the proxy server on WSUS front-end servers

  1. In the WSUS administration console, select Options, then Update Source and Proxy Server.

  2. Select the Proxy Server tab, then enter the proxy server name, port, user name, domain, and password, then click OK.

  3. Repeat this procedure on all the front-end WSUS servers.

To specify where updates are stored

  1. In the left pane of the WSUS Administration console, click Options.

  2. In Update Files and Languages, click the Update Files tab.

  3. If you want to store updates in WSUS, select the Store update files locally on this server check box.

To specify whether updates are downloaded during synchronization or when the update is approved

  1. In the left pane of the WSUS Administration console, click Options.

  2. In Update Files and Languages, click the Update Files tab.

  3. If you want to download only metadata about the updates during synchronization, select the Download updates to this server only when updates are approved check box.

To specify language options

  1. In the left pane of the WSUS Administration console, click Options.

  2. In Update Files and Languages, click the Update Languages tab.

  3. In the Advanced Synchronization Options dialog box, under Languages, select one of the following language options, and then click OK.

  4. Select Download updates only in these languages: This means that only updates targeted to the languages you select will be downloaded during synchronization.
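The three console procedures above (proxy server, update file storage and download timing, update languages) have to be repeated on every front-end server, so here is an added PowerShell example, not from the original article, that applies the same settings through the WSUS administration API. It assumes the WSUS console (which installs the API assembly) is present where it runs; the server name, proxy name, credential and language list are placeholders supplied by the caller.

```powershell
# Added example, not from the original article: applies the proxy, update
# file and language settings from the console procedures above through the
# WSUS administration API so they can be repeated on every front-end server.
# Assumptions: the WSUS console/API is installed where this runs; server
# name, proxy and language values are placeholders supplied by the caller.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Set-BranchWsusConfiguration {
    param(
        [string]$ServerName,                 # front-end WSUS server; empty = this machine
        [int]$WsusPort = 8530,               # the port the article's client GPO points at
        [string]$ProxyName,                  # upstream proxy, e.g. the head office TMG
        [int]$ProxyPort = 8080,
        [System.Management.Automation.PSCredential]$ProxyCredential,
        [string[]]$Languages = @('en')
    )
    $server = if ($ServerName) {
        [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($ServerName, $false, $WsusPort)
    } else {
        [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    }
    $config = $server.GetConfiguration()

    # Options > Update Source and Proxy Server > Proxy Server tab
    $config.UseProxy        = $true
    $config.ProxyName       = $ProxyName
    $config.ProxyServerPort = $ProxyPort
    if ($ProxyCredential) {
        $nc = $ProxyCredential.GetNetworkCredential()
        $config.ProxyUserName   = $nc.UserName
        $config.ProxyUserDomain = $nc.Domain
        $config.SetProxyPassword($nc.Password)
    }

    # Options > Update Files and Languages > Update Files tab
    # Store update files locally (BranchCache can only cache files the WSUS
    # server itself serves) and fetch the binaries only once an update is approved.
    $config.HostBinariesOnMicrosoftUpdate  = $false
    $config.DownloadUpdateBinariesAsNeeded = $true

    # Update Languages tab: "Download updates only in these languages"
    $langs = New-Object System.Collections.Specialized.StringCollection
    $langs.AddRange($Languages)
    $config.AllUpdateLanguagesEnabled = $false
    $config.SetEnabledUpdateLanguages($langs)

    $config.Save()
    return $config
}

# Example call with placeholder values; repeat for each front-end server.
$cred = Get-Credential   # proxy account as DOMAIN\user
Set-BranchWsusConfiguration -ServerName 'wsus-branch01' -ProxyName 'tmg-ho.example.local' `
    -ProxyPort 8080 -ProxyCredential $cred -Languages @('en') |
    Select-Object HostBinariesOnMicrosoftUpdate, DownloadUpdateBinariesAsNeeded, UseProxy, ProxyName
```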

How to configure automatic updates by using Group Policy

Log on to a Domain Controller with administrative privileges. Open the Group Policy Management Console > select the organisational unit > right-click > Create and link a new GPO > name it WSUS policy > right-click > Edit. Go to Computer Configuration\Administrative Templates\Windows Components\Windows Update\

Now specify the client target group, the intranet update server location (i.e. http://servername:8530), the update schedule and the installation schedule.

To set up a DFS share

Note: This DFS share will be used by all front-end WSUS servers.

  1. Go to Start, point at All Programs, point at Administrative Tools, and click Distributed File System.

  2. You will see the Distributed File System management console. Right-click the Distributed File System node in the left pane and click New Root in the shortcut menu.

  3. You will see the New Root Wizard. Click Next.

  4. In the Root Type screen, select Stand-alone root as the type of root, and click Next.

  5. In the Host Server screen, type the name of the host server for the DFS root or search for it with Browse, and then click Next.

  6. In the Root Name screen, type the name of the DFS root, and then click Next.

  7. In the Root Share screen, select the folder that will serve as the share, or create a new one. Click Next.

  8. In the last screen of the wizard, review your selections before clicking Finish.

  9. You will see an error message if the Distributed File System service has not yet been started on the server. You can start it at this time.

  10. Make sure that the domain account of each of the front-end WSUS servers has change permissions on the root folder of this share.

Important! If you are using a DFS share, be careful when uninstalling WSUS from one but not all of the front-end servers. If you allow the WSUS content directory to be deleted, this will affect all the WSUS front-end servers.

To configure IIS for remote access on the front-end WSUS servers

  1. On each of the servers, go to Start, point at All Programs, point at Administrative Tools, and click Internet Information Services (IIS) Manager.

  2. You will see the Internet Information Services (IIS) Manager management console.

  3. Click the server node, then the Web Sites node, then the node for the WSUS Web site (either Default Web Site or WSUS Administration).

  4. Right-click the Content node and select Properties.

  5. In the Content Properties dialog box, click the Virtual Directory tab. In the top frame you will see The content for this resource should come from:

  6. Select A share located on another computer and fill in the UNC name of the share.

  7. Click Connect As, and enter the user name and password that can be used to access that share.

  8. Be sure to follow these steps for each of the front-end WSUS servers that are not on the same machine as the DFS share.

To move the content directories on the front-end WSUS servers

  1. Open a command window.

  2. Go to the WSUS tools directory on the WSUS server:

    cd \Program Files\Update Services\Tools

  3. Type the following command:

    wsusutil movecontent DFSsharename logfilename

    where DFSsharename is the name of the DFS share to which the content should be moved, and logfilename is the name of the log file.

To configure Network Load Balancing

1. Enable Network load balancing

  a) Click Start, then Control Panel, Network Connections, Local Area Connection, and click Properties.
  b) Under This connection uses the following items, you may see an entry for Network Load Balancing. If you do not, click Install, then (on the Select Network Component Type screen) select Service, then click Add, then (on the Select Network Service screen) select Network Load Balancing, then OK.
  c) On the Local Area Connection Properties screen, select Network Load Balancing, and then click OK.

2. On the Local Area Connection Properties screen, select Network Load Balancing, and then click Properties.

3. On the Cluster Parameters tab, fill in the relevant information (the virtual IP address to be shared among the front end computers, and the subnet mask). Under Cluster operation mode, select Unicast.

4. On the Host Parameters tab, make sure that the unique host identifier is different for each member of the cluster.

5. On the Port Rules tab, make sure that there is a port rule specifying single affinity (the default). (Affinity is the term used to define how client requests are to be directed. Single affinity means that requests from the same client will always be directed to the same cluster host.)

6. Click OK, and return to the Local Area Connection Properties screen.

7. Select Internet Protocol (TCP/IP) and click Properties, and then click Advanced.

8. On the IP Settings tab, under IP addresses, add the virtual IP of the cluster (so that there will be two IP addresses). This should be done on each cluster member.

9. On the DNS tab, clear the Register this connection’s addresses in DNS checkbox. Make sure that there is no DNS entry for the IP address.


Relevant Article: Install and configure WSUS—Step by Step


Step by Step: Volume Activation for Windows 7 and Windows Server 2008

January 25, 2010

What is Microsoft product activation? Activation is a method of verifying that the Microsoft Windows product you have bought is genuine and complies with copyright law, i.e. it checks that you are not using a counterfeit product. Simply put, Microsoft wants to know that you paid the right amount for the product you are using. Volume Activation is used by enterprise customers who want to deploy Microsoft products such as Windows 7 and Windows Server 2008 at large scale across an organisation or company. There are two types of Volume Activation, Key Management Service (KMS) and Multiple Activation Key (MAK), that allow Volume Licensing customers to activate Volume License editions of Windows 7 and Windows Server 2008 R2. When planning to use Volume Activation, an organisation must choose KMS, MAK, or any combination of the two. The activation methods chosen depend on the needs of the organisation and the network infrastructure. You don’t need to be a local Administrator in Windows 7 or Windows Server 2008 R2 to activate. However, for volume activation you must be a domain admin because you need access to domain groups, computers and GPOs. Windows suppresses the User Account Control (UAC) prompt during activation, enabling any user with a standard user account to activate Windows on that computer. However, this change does not allow standard users to remove Windows from the activated state.

Typical Activation Warning:


Configure the firewall in Windows 7 and Windows Server 2008 so Volume Activation can pass through:

You have to configure the following firewall rules on the Windows 7 and Windows Server 2008 master PC before you deploy at large scale using Windows Deployment Services. By default these rules are blocked, preventing Windows 7 and Windows Server 2008 from communicating with the activation site.

Log on to Windows 7 or Windows Server 2008. Control Panel>Windows Firewall and Advanced Settings>Allow a program or feature through Windows Firewall>select Windows Management Instrumentation (WMI)>check Domain, Public and Private>click OK.


Go back to Windows Firewall and click Advanced Settings>click Filter by Group>click WMI>select WMI Async-In>double-click WMI Async-In>General tab>check Enabled and Allow>Advanced tab>check Public, Private, Domain>select Allow edge traversal>Apply>OK.


Configure Windows Firewall using GPO:

Log on to the domain controller as a domain admin. Open the Group Policy Management console from Administrative Tools. Select the specific Windows 7 and Windows Server 2008 organisational unit where you want to modify Windows Firewall. Right-click that organisational unit>click Edit. Go to Computer Configuration>Administrative Templates>Network>Network Connections>Windows Firewall>Domain Profile & Standard Profile>select and modify Windows Firewall: Allow inbound remote administration exception>select Enabled and type “*” in the box.

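The local firewall changes from the two walkthroughs above, made from the command line on the master image before it is captured. This is an added example, not from the original post; it uses netsh advfirewall, which is present on Windows 7 and Windows Server 2008/2008 R2, and assumes an elevated prompt.

```powershell
# Added example, not from the original post: the Windows Firewall changes
# from the walkthrough above, applied with netsh advfirewall from an
# elevated prompt on the master image before it is captured for WDS.

# "Allow a program or feature" > Windows Management Instrumentation (WMI):
# this enables the predefined WMI rule group (WMI-In, DCOM-In, ASync-In).
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

# The Advanced Settings part of the walkthrough: ASync-In enabled and
# allowed on Domain, Private and Public with edge traversal switched on.
netsh advfirewall firewall set rule name="Windows Management Instrumentation (ASync-In)" new enable=yes action=allow profile=domain,private,public edge=yes

# Read the rule back so the captured image is known to carry the change.
netsh advfirewall firewall show rule name="Windows Management Instrumentation (ASync-In)" verbose
```

The same three lines run unchanged in a cmd prompt. Note the attack surface these rules open: the WMI group exposes DCOM/RPC endpoints inbound, and ticking Public (as the screenshots do) makes that reachable on untrusted networks; if the admin PC running VAMT only ever sits on the corporate LAN, limiting the profile to domain is enough for activation to work.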

Windows7 Volume Activation:

You must have a MAK license to do the following. Install the Windows AIK on the admin PC. Go to All Programs>Microsoft Windows AIK>VAMT 1.2>VAMT.


Provide the MAK product key and click Validate, then click Add to add the MAK.


Select the appropriate columns to view computer information.


Click Action>Add Computer>type the computer group>select the domain>check Gather info>click OK.


Now select all Windows 7 computers>right-click>MAK activate.

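What the "MAK activate" action does under the hood, as an added example that is not part of the original post: VAMT talks to each machine over WMI (which is why the WMI firewall rules were needed), installs the MAK through the SoftwareLicensingService class and activates the Windows product through SoftwareLicensingProduct. The script below does the same for a list of machines; the MAK string is a placeholder, the computer list file is assumed, and it must run as a domain admin from the admin PC.

```powershell
# Added example, not from the original post: MAK-activate a list of Windows 7
# machines over WMI, the same channel VAMT uses. Run as a domain admin.
# The MAK is a placeholder and the computer list is an assumed input file.
$Mak          = 'XXXXX-XXXXX-XXXXX-XXXXX-XXXXX'   # placeholder, not a real key
$Computers    = Get-Content '.\win7-computers.txt' # assumed: one hostname per line
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'  # ApplicationID of Windows itself
$Query        = "ApplicationID='$WindowsAppId' AND PartialProductKey <> null"

function Get-WindowsLicense([string]$Computer) {
    # Returns the licensing object for the installed Windows edition.
    # LicenseStatus: 0 Unlicensed, 1 Licensed, 2 OOB grace, 3 OOT grace,
    # 4 non-genuine grace, 5 Notification, 6 Extended grace.
    Get-WmiObject -Class SoftwareLicensingProduct -ComputerName $Computer -Filter $Query |
        Select-Object -First 1
}

$results = foreach ($c in $Computers) {
    try {
        $prod = Get-WindowsLicense $c
        if ($prod.LicenseStatus -ne 1) {
            # Each successful MAK activation consumes one count from the key,
            # so machines that are already licensed are left alone.
            $svc = Get-WmiObject -Class SoftwareLicensingService -ComputerName $c -ErrorAction Stop
            $svc.InstallProductKey($Mak) | Out-Null    # equivalent of slmgr.vbs /ipk
            $svc.RefreshLicenseStatus() | Out-Null
            $prod = Get-WindowsLicense $c
            $prod.Activate() | Out-Null                # equivalent of slmgr.vbs /ato
            $prod = Get-WindowsLicense $c
        }
        New-Object PSObject -Property @{
            Computer = $c; Edition = $prod.Name; LicenseStatus = $prod.LicenseStatus; Error = ''
        }
    } catch {
        New-Object PSObject -Property @{
            Computer = $c; Edition = ''; LicenseStatus = $null; Error = $_.Exception.Message
        }
    }
}
$results | Format-Table Computer, LicenseStatus, Edition, Error -AutoSize
```

A LicenseStatus of 1 is the result VAMT shows as Licensed; anything else, or a non-empty Error column, usually means the WMI rules above did not reach that machine or the activation server could not be contacted. Keep the MAK itself out of scripts checked into source control; read it from a protected file or prompt for it instead.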

Good luck and happy Australia Day!

Microsoft References:

Licensing Centre

Troubleshooting VA

How to Choose the Right Volume License Key for Windows

Windows Firewall


Enhanced Windows Server 2008 Backup Utility

January 19, 2010

The Windows Server 2008 backup utility is completely different from the backup program included with Windows Server 2003. Unlike previous versions, the new utility is designed primarily to back up entire volumes to an external hard disk drive or to a UNC path. The backup utility also uses a different format for its backup files: the Microsoft Virtual Hard Disk (VHD) format, which makes the files accessible to Hyper-V, Virtual PC, and the Complete PC backup utility. The Windows Server 2008 backup utility allows you to back up an entire drive or selected files or folders. You can perform a complete backup or an incremental backup. In addition to individual file and folder selection, the backup utility also enables you to create exclusions. An exclusion is a filter that prevents a job from backing up specified files or file types in the selected targets. There are three types of backup destination available in the Windows backup utility: a dedicated hard disk drive, a volume, and a UNC path.

System State and Bare Metal Backup

The System State includes the Windows Registry, the Active Directory database if the computer is a domain controller, and a number of files that are locked open by the operating system. The new Windows backup utility enables you to individually select the System State element and a Bare Metal Recovery element. When you select a bare metal backup, it backs up the system partition and the system state as well, in .vhd format.

To recover an entire computer, connect the external hard drive containing the backup to the new computer and boot from the Windows Server 2008 R2 installation disk. Select Repair Your Computer in the Windows Setup Wizard>System Recovery Options>Restore Your Computer Using A System Image that you created earlier. Alternatively, you can import that .vhd file into Hyper-V if you want to decommission the physical machine.

Hyper-v Host Backup

To use Windows Server Backup to protect an entire Hyper-V server and its VMs, you must register the VSS Writer with the backup software by creating the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WindowsServerBackup\Application Support\{66841CD4-6DED-4F4B-8F17-FD23F8DDC3DE}

Right-click>New>String Value, with the following name, type and value:

Name                    Type     Value
Application Identifier  REG_SZ   Hyper-V

With this registry setting, the backup includes everything other than virtual network configuration, physical storage attached to a VM, and iSCSI storage where the initiator runs inside the VM.

How to Screenshots:


To schedule a backup, open Windows Server Backup>click Backup Schedule>follow the screens as shown below.


Here you can specify the destination of the backup. I am showing a UNC path and a disk drive.


Provide domain credentials to protect the backed-up data.


You can set the backup performance options before taking a backup or scheduling a backup task.


To create a one-off backup, click Backup Once and follow the screenshots.


Here you can choose a Full (bare metal, disk drive) or Custom (files or folders) backup. Bare metal will create a .vhd file usable by Hyper-V.

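The Hyper-V writer registration from the registry section above and the "Backup Once" / "Backup Schedule" jobs from the screenshots, done from the command line. This is an added example and not the post's own procedure: it assumes an elevated PowerShell session on a Windows Server 2008 R2 Hyper-V host with the Windows Server Backup command-line tools installed, and the backup disk letter, UNC share and service account are assumed values.

```powershell
# Added example, not from the original post: register the Hyper-V VSS writer
# with Windows Server Backup, then run the bare-metal "Backup Once" job and
# its scheduled equivalent with wbadmin. Assumes Windows Server 2008 R2 and
# an elevated session; disk letter, share and account are assumed values.
$Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\WindowsServerBackup\Application Support\{66841CD4-6DED-4F4B-8F17-FD23F8DDC3DE}'

# Registry key and the "Application Identifier" REG_SZ value from the post.
if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
New-ItemProperty -Path $Key -Name 'Application Identifier' -PropertyType String `
    -Value 'Hyper-V' -Force | Out-Null
Get-ItemProperty -Path $Key | Select-Object 'Application Identifier'

# The writer must exist and be stable, otherwise VM files are copied
# without being quiesced and the .vhd restore may be inconsistent.
vssadmin list writers | Select-String -Context 0,4 'Microsoft Hyper-V VSS Writer'

# "Backup Once", Full (bare metal): all critical volumes plus system state
# to an attached disk. -vssFull updates each file's backup history.
$Disk = 'F:'                                   # assumed dedicated backup disk
wbadmin start backup -backupTarget:$Disk -allCritical -systemState -vssFull -quiet

# Same job to a UNC path, with the domain credential the GUI asks for;
# wbadmin prompts for the password when -password is not supplied.
# A shared folder keeps only the most recent backup, unlike a disk.
# wbadmin start backup -backupTarget:\\fileserver\Backups -allCritical -systemState -user:DOMAIN\backupsvc

# "Backup Schedule": nightly at 21:00 to the same volume
# (-addtarget also accepts a disk identifier from "wbadmin get disks").
wbadmin enable backup -addtarget:$Disk -schedule:21:00 -allCritical -systemState -quiet

# What has been written so far and when
wbadmin get versions -backupTarget:$Disk
```

Check the writer output before trusting the first backup: a state other than Stable, or no Hyper-V writer at all, means the registry value did not take effect (a service restart or reboot is the usual remedy) and the VMs inside the image were not captured consistently.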


Windows Server 2008: Install and configure windows media services 2008—step by step

December 15, 2009

Windows Media Services 2008 is an industry-standard platform for streaming live or on-demand audio/video content to Windows XP and Windows 7 clients over private or public networks. Windows Media Services 2008 manages one or more Windows Media servers running on the Windows Server 2008 operating system. Client machines can play content using Windows Media Player or Silverlight. A Windows Media Services 2008 server is capable of proxying, caching, or redistributing content. Custom media content developed using the Windows Media Software Development Kit (SDK) can also be deployed through Media Services. Windows Media Services 2008 contains a new, built-in cache/proxy plug-in that you can use to configure your Windows Media server either as a cache/proxy server or as a reverse-proxy server.

System requirement:

Windows Server 2008 x86 or x64

IIS for web administration and content distribution

Windows Media Services x86 or x64

The Media Services server must be a member of a domain

Windows 7 or Windows XP client

Windows Media Player or Silverlight

Installation:

Download Windows Media Services. Install the update on the server as follows.


Configuration:


Here I have shown the configuration of the IP address authorization property. You have to configure the rest according to your needs.

Install Web Certificate and Configure SSL:


Publish Content:

Expand Publishing Points>select the content>select the Announce tab in the right-hand pane>click Run Unicast Announcement Wizard


CNAME Record:

Add a CNAME record in the DNS server (example: media.yourdomain.com.au pointing to the Windows Media server).

Test Media Services:

Log on to a client machine

Open IE 6 or later>type https://media.yourdomain.com.au/test or http://media.yourdomain.com.au/test (here, /test is test content uploaded to the Media Services server)

Further Study:

Windows Media Player 12

Windows Media Services


Windows Deployment Services: Create and deploy multicast images

December 7, 2009

I would like to explain a bit about IP Multicast before I start with WDS multicast image distribution, because not all organisations have an existing multicast infrastructure. Still, I reckon it is worth knowing the bits and pieces of a technology while working on it. So what is IP Multicast? Multicast is a technique for one-to-many communication over an IP network. It scales to a large receiver population by not requiring prior knowledge of who or how many the receivers are. Multicast uses the network infrastructure efficiently by requiring the source to send a packet only once, even if it needs to be delivered to a large number of receivers, which saves bandwidth. The nodes in the network take care of replicating the packet to reach multiple receivers only when necessary. The most common transport protocol used with multicast addressing is User Datagram Protocol (UDP). IP addresses from 224.0.0.0 to 239.255.255.255 are designated as multicast addresses; this range was formerly called “Class D”. The sender sends a single datagram to the multicast address and the intermediary routers take care of making copies and sending them to all receivers that have registered their interest in data from that sender. Multicast IP ranges are assigned through a DHCP scope. In any case, the range 224.0.0.0 through 224.0.0.255 is reserved for local purposes (such as administrative and maintenance tasks) and datagrams destined for those addresses are never forwarded by multicast routers. Similarly, the range 239.0.0.0 to 239.255.255.255 has been reserved for administrative scoping.

WDS Multicast Image

Creating multicast images on a WDS server is easy and straightforward if you have a functioning multicast infrastructure. For multicast imaging to work properly, the network devices that connect the WDS multicast clients to the WDS server providing the multicast transmission must support and allow multicast traffic, as mentioned above, and the WDS server must already contain tested boot and install images. One important point to note about multicasting is that only the Windows Server 2008 boot.WIM boot image file contains a WDS multicast client. On the WDS server, you have to add the Windows Server 2008 boot.WIM file as a boot image. Now follow the screenshots below to distribute a multicast image. Delete the multicast image when the distribution is no longer required.

Log on to WDS server using Admin Privilege. Go to Administrative Tools>WDS>Servers>Expand WDS Server>Right click on Multicast Transmission>Click Create Multicast Transmission.


Here you can schedule the transmission if bandwidth and distribution time are criteria.

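The same transmission created, inspected and removed with WDSUTIL instead of the wizard, covering both the Auto-Cast and the scheduled variant mentioned above. This is an added example, not the post's own steps; it assumes an elevated prompt on the WDS server, and the image group, image name, boot.wim path and schedule values are assumptions.

```powershell
# Added example, not from the original post: create, inspect and remove a
# WDS multicast transmission with WDSUTIL on the WDS server (elevated
# prompt). Image group, image name, paths and schedule are assumed values.
$ImageGroup = 'ImageGroup1'
$Image      = 'Windows 7 ENTERPRISE'

# Only the Windows Server 2008 (or newer) boot.wim carries the multicast
# client, so add it as a boot image if it is not there already (path assumed).
wdsutil /Add-Image /ImageFile:"D:\sources\boot.wim" /ImageType:Boot

# Auto-Cast: the transmission starts when the first client asks for the image.
wdsutil /New-MulticastTransmission /FriendlyName:"Win7 AutoCast" `
    /Image:"$Image" /ImageGroup:"$ImageGroup" /ImageType:Install /TransmissionType:AutoCast

# Alternative for an image that should go out after hours (the scheduling
# option in the wizard): start once 20 clients have joined, or at the
# given time regardless. Use this in place of the Auto-Cast line above.
# wdsutil /New-MulticastTransmission /FriendlyName:"Win7 ScheduledCast" `
#     /Image:"$Image" /ImageGroup:"$ImageGroup" /ImageType:Install `
#     /TransmissionType:ScheduledCast /Clients:20 /Time:"2009/12/08:22:00"

# Which transmissions exist and which clients have joined them.
wdsutil /Get-AllMulticastTransmissions /Show:Clients

# Tear down when deployment is finished (the post's last point);
# /Force also disconnects any client still receiving.
wdsutil /Remove-MulticastTransmission /Image:"$Image" /ImageGroup:"$ImageGroup" /ImageType:Install /Force
```

The Get-AllMulticastTransmissions output is the useful check before removal: a transmission that still lists clients is still writing an image to disks, and removing it mid-stream leaves those machines with an incomplete install.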


Windows Deployment Services: How to create deployable bootable ISO using WDS and AIK

December 4, 2009

A bootable ISO created from an existing WDS boot image and capture image, containing Windows PE and the WDS client, can be stored on a DVD or CD, making it easier to deploy images to older systems or on heterogeneous networks that have PXE issues. To carry out the discover image process, you must have a working WDS in the network and the Windows 7 AIK installed on the WDS server. Log on to the WDS server with domain admin credentials and follow the screenshots.


Create a folder such as e:\DiscoverBootImage (or on whatever drive you have) and provide the FQDN of the WDS server.


Now you have e:\DiscoverBootImage\WDSDiscover.WIM. Open the Start menu>Microsoft Windows AIK>Deployment Tools Command Prompt>type CopyPe x86 E:\DiscoverBootImage\Winpe and wait for completion.


In the same command prompt type

copy /y E:\DiscoverBootImage\WDSDiscover.WIM E:\DiscoverBootImage\WinPE\ISO\Sources\Boot.wim

To write WIM file to ISO type following

oscdimg -n -bE:\DiscoverBootImage\Winpe\ISO\Boot\etfsboot.com E:\DiscoverBootImage\Winpe\ISO E:\DiscoverBootImage\boot.ISO

Now you have created a bootable ISO image. Burn this ISO to a CD or DVD, boot the client machine from it, and deploy images.

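The whole discover-ISO build above as one script, with the wizard part replaced by WDSUTIL and a hash recorded for the finished ISO. This is an added example and not the post's own procedure; it assumes the AIK tools (copype, oscdimg) are on the PATH, as they are in the Deployment Tools Command Prompt, and the boot image name and WDS server FQDN are assumptions.

```powershell
# Added example, not from the original post: build the discover ISO end to
# end. Run on the WDS server from a session where the Windows AIK tools
# (copype.cmd, oscdimg.exe) are on the PATH. Image name and FQDN are assumed.
$Work      = 'E:\DiscoverBootImage'
$WdsServer = 'wds01.yourdomain.local'           # assumed FQDN of the WDS server
$BootImage = 'Microsoft Windows Setup (x86)'    # assumed name of an existing boot image

New-Item -ItemType Directory -Path $Work -Force | Out-Null

# The wizard steps via WDSUTIL: create a discover image from the existing
# boot image, pointed at this WDS server.
wdsutil /New-DiscoverImage /Image:"$BootImage" /Architecture:x86 `
    /DestinationImage /FilePath:"$Work\WDSDiscover.WIM" /WDSServer:$WdsServer

# copype builds $Work\Winpe with the ISO skeleton and etfsboot.com
# (the destination folder must not exist yet).
copype.cmd x86 "$Work\Winpe"

# Replace the generic WinPE boot.wim with the discover image.
Copy-Item "$Work\WDSDiscover.WIM" "$Work\Winpe\ISO\sources\boot.wim" -Force

# Build the bootable ISO: -n allows long file names, -b sets the El Torito
# boot sector (no space between -b and the path).
oscdimg -n "-b$Work\Winpe\ISO\boot\etfsboot.com" "$Work\Winpe\ISO" "$Work\boot.iso"

# Record a SHA-256 of the ISO so burned media can be checked against the
# file that was actually built (PowerShell 2.0 compatible, no Get-FileHash).
$sha = [System.Security.Cryptography.SHA256]::Create()
$fs  = [System.IO.File]::OpenRead("$Work\boot.iso")
try   { $hash = [System.BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '') }
finally { $fs.Close() }
"$hash  boot.iso" | Out-File "$Work\boot.iso.sha256" -Encoding ASCII
$hash
```

Keep the .sha256 file with the deployment notes: a discover disc boots a machine and points it at the WDS server named inside the WIM, so being able to confirm that a disc in circulation matches the image you built is worth the one extra line.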

