Windows Server roles told as one growing restaurant chain. Watch this before we open the kitchen on M11.
HTTP.sys, WAS, W3SVC, w3wp. Four layers, top to bottom.
A request enters at the kernel, escalates through user-mode services, and ends in a worker process.
applicationHost.config, manages worker process lifecycle, fires up an app pool when its first request arrives.The trick that keeps long-lived workers healthy without downtime.
Recycling drains the old worker while a new one starts. Zero-downtime patch for memory leaks.
Pick by client type, network topology, and what you can ask the user to install.
IIS supports five built-in auth modes. Most apps end up with two stacked.
FormsAuthentication.Bind the cert, configure the protocols, force HTTPS.
Three knobs cover 90% of TLS hardening on IIS.
HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL).
Each role services a specific function. Together they cover the full session lifecycle.
Client connects to Gateway, Broker assigns a Host, Host serves the session, Licensing tracks the CAL.
Same RDS plumbing. Two very different deployment models.
Session-Based shares one OS across many users. VDI gives each user their own VM.
RDP over HTTPS. Two policies (CAP, RAP) for who and where.
RD Gateway is the public-facing edge that tunnels RDP through 443 so clients do not need VPN.
gateway.hexworth.com. Gateway terminates TLS, authenticates, tunnels the RDP session to an internal host.Pick by your user-to-device ratio.
CALs are required even though Windows licenses the server. RDS CALs are an additional layer.
A cert is only as trusted as the chain that signed it.
Every X.509 certificate has a chain. The bottom is what you present; the top is what your OS already trusts.
Two CA personalities. AD integration is the deciding factor.
Enterprise CA lives in AD. Standalone CA does not. That single choice cascades into everything.
Templates define what gets issued. GPO triggers automatic issuance.
Template = recipe. Permissions = who can use the recipe. GPO = when to bake automatically.
Computer Config → Public Key Policies → Certificate Services Client - Auto-Enrollment. Enable, set "Renew expired", "Update certificates".certutil -pulse to force enrollment.When autoenrollment is not the answer.
Web enrollment is the user-facing case. CRL + OCSP let you revoke a cert before it expires.
https://ca-server/certsrv. Optional role service. User browses, submits CSR, downloads issued cert. Common for non-domain devices.
Bond multiple physical NICs into one logical interface.
A team is multiple physical NICs presenting as one logical NIC to the OS. Three teaming modes; pick by switch capability.
Same hostname. Two answers. Depending on who asks.
Internal clients get internal IP. External clients get external IP. One hostname, two views.
app.hexworth.com internal = 10.0.0.50. External = 52.84.12.45. You want clients to use the closer one.ipconfig /flushdns. Or TTLs too long; lower for split-brain hosts.Stops DNS cache poisoning. Verifies the answer came from the authoritative source.
DNS itself has no integrity check. DNSSEC adds digital signatures to records so resolvers can verify authenticity.
Resolve-DnsName hexworth.com -DnssecOk. Show the AD flag (authentic data) in the response.Route DNS answers based on client subnet, time of day, query type.
DNS Policies turn one zone into a conditional one. Filter what to return based on who is asking.
Add-DnsServerClientSubnet, Add-DnsServerZoneScope, Add-DnsServerQueryResolutionPolicy.Apps, identity, and networking — the whole week on one page.
Apps + identity at scale. What's coming.