As with anything you should be backing up your Hyper-V machines.  I think that just goes without saying.  Backing up Hyper-V has gotten easier with the addition of VSS and Windows Server Backup (WSB).  WSB is a new feature in Windows Server 2008 that replaces the old NTBackup from days gone by.  It is not installed by default but can be easily added with the Add Features wizard in Server Manager.  Once installed there is one last setting you must configure before backing up the Hyper-V virtual machines.

While Hyper-V does support VSS backups, it is not enabled by default.  I am not sure why but you need to set a few registry settings to get WSB to recognize the Hyper-V VSS writer.  You can enable this with the following two registry settings.

Under HKLM\Software\Microsoft\Windows NT\CurrentVersion\WindowsServerBackup\ApplicationSupport add the following key {66841CD4-6DED-4F4B-8F17-FD23F8DDC3DE

Then under that newly created key add a new REG SZ string called Application Identifier with the value Hyper-V.  Once that is done you are ready to go!  To make it a bit easier you can copy and paste the following to a command line (with administrative privileges) and it will get it all set up for you.  You will need to

Here at the LazyAdmin we have talked quite a bit about using BitLocker with Windows Vista. With the introduction of Server 2008 you can now also leverage Bitlocker with your 2008 servers. This is particularly attractive when deploying Read Only Domain Controllers (RODC) to remote locations where physical security is questionable.

One BitLocker features is the ability to backup your Bitlocker encryption key to the Active Directory. In previous articles we have talked about enabling GPOs that can automatically backup BitLocker to AD. However how do you see the BitLocker keys in the event that you need to access them?

The answer is the BitLocker Recovery Password Viewer:

http://www.microsoft.com/downloads/details.aspx?familyid=2786FDE9-5986-4ED6-8FE4-F88E2492A5BD&displaylang=en

The Password Viewer will work on any computer that is runs the Active Directory users and Computers console (ADUC). In fact the viewer integrates into the ADUC console. In order to integrate the add on the you must register the viewer component. In order to properly register the component you must run the installation as an Enterprise Administrator. After the component has been registered a standard domain account will suffice to view BitLocker keys.

After downloading the MSU package and running it, open a command prompt and change

We have talked about enabling BitLocker Active Directory integration in a previous post now we will take a look at prepping your domain to implement this integration.  To take advantage of the several of the more compelling feature such as RODCs and Windows 2008 domain controllers we first need to extend the AD schema in our current environment. These additions also allow you to add take advantage of feature in Windows Vista such as group policy client side extensions, and storing BitLocker keys in Active Directory.

WARNING: Extending the Active Directory Schema makes permanent irreversible changes to Active Directory. Make sure that you have made proper backups, and tested the update steps in a test environment before proceeding to apply these changes in a live environment.

The schema updates are located on the Windows Vista and Windows Server 2008 DVDs. They are located in the:

[DVD-DRIVE]\sources\adprep folder.

The first schema updates need to be applied to the Active Directory Forest. In order to apply them you need to run the adprep application from the domain controller that holds the schema role master. To run the forest schema updates use the following command:

adprep /forestprep

You will

One of the nice things with RODCs is the ability to control cached credentials.  You can also pre-populate passwords for specific users, like a branch office user, in case the branch office connection goes down but this can be a security concern if that server gets stolen.  Server 2008 has a nice way of handling this so you can sleep easier.  This last video will cover what to do when the RODC is stolen.

Note: Double-click on the video to go full screen.

If you want to give these demos a try yourself be sure to grab the lab build guide and demo scripts here!

The next video in our Server Core series is going to cover making our demo server into a RODC or Read-Only Domain Controller.  One pre-requisite for a RODC is an existing Windows 2008 based DC in the domain.  You also need to run adprep /rodcprep before you can add the RODC.  Other than that it is pretty straight-forward but without the DCPromo wizard can cause a challenge.  Let's see how it is done!

Note: Double-click on the video to go full screen.

If you want to give these demos a try yourself be sure to grab the lab build guide and demo scripts here!

In the next video in the Server Core series we look at the remote management options.  There are a number of options, RDP (still just a CLI), remote MMC consoles, PowerShell, WinRM/RS  Because Server 2008 follows the secure by default standards these are all turned off and need to be enabled, again from the command line.  Have no fear this video will ease the configuration :)

Note: Double-click on the video to go full screen.

If you want to give these demos a try yourself be sure to grab the lab build guide and demo scripts here!