OFFICIAL MICROSOFT LEARNING PRODUCT 6419B Configuring, Managing, and Maintaining Windows Server® 2008-based Servers Volume 1 Nova 4, LLC Sep 7 2011 9:58PM Warning: This is Nova 4, LLC's unique copy. It is illegal to reprint, redistribute, or resell this content. The Licensed Content is licensed “as-is.” Microsoft does not support this Licensed Content in any way and Microsoft gives no express warranties, guarantees or conditions. Please report any unauthorized use of this content to [email protected] or by calling +1

6419B ENU StudentHandbook Vol1


8/13/2019 6419B ENU StudentHandbook Vol1

http://slidepdf.com/reader/full/6419b-enu-studenthandbook-vol1 1/750

OFFICIAL MICROSOFT LEARNING PRODUCT

6419B Configuring, Managing, and Maintaining Windows Server® 2008-based Servers

Volume 1


ii Configuring, Managing, and Maintaining Windows Server® 2008-based Servers

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2011 Microsoft Corporation. All rights reserved.

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Product Number: 6419B

Part Number: X17-53274

Released: 04/2011


Acknowledgements

Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.

Andrew J. Warren – Content Developer
Andrew Warren (MCSE, MCITP, and MCT) has more than 22 years of experience in the IT industry, many of which have been spent in writing and teaching. He has been involved as the subject matter expert (SME) for the 6430B course for Windows Server 2008 and the technical lead on a number of other courses. He also has been involved in TechNet sessions on Microsoft® Exchange Server 2007. Based in the United Kingdom, he runs his own IT training and education consultancy.

Conan Kezema – Content Developer
Conan Kezema, B.Ed, MCSE, MCT, is an educator, consultant, network systems architect, and author who specializes in Microsoft technologies. As an associate of S.R. Technical Services, Conan has been a subject matter expert, instructional designer, and author on numerous Microsoft courseware development projects.

Gary Dunlop – Content Developer
Gary Dunlop has been a Microsoft Trainer and consultant in Winnipeg, Canada since 1997. He has authored or co-authored several MOC courses. He specializes in Windows Server and Client systems. He is currently a Senior Systems Engineer for Broadview Networks.

Jason Kellington – Content Developer
Jason Kellington is a trainer, consultant and author who specializes in several Microsoft products. He has a broad range of experience in the IT industry as an administrator, developer, educator and technical writer. Jason is an MCT, MCITP and MCSE and has been involved in a number of Microsoft Learning courseware development projects.

William Stanek – Technical Reviewer
William R. Stanek (http://www.williamstanek.com/) is a leading technology expert, a pretty-darn-good instructional trainer, and the award-winning author of over 100 books. Current or forthcoming books include Active Directory Administrator’s Pocket Consultant, Group Policy Administrator’s Pocket Consultant, SQL Server 2008 Administrator’s Pocket Consultant 2nd Edition, Windows 7: The Definitive Guide, and Windows Server 2008 Inside Out. Follow William on Twitter at http://www.twitter.com/WilliamStanek.


Contents

Module 1: Overview of the Windows Server 2008 Management Environment
Lesson 1: Understanding the Windows Server 2008 Environment 1-3
Lesson 2: Overview of Windows Server 2008 Server Roles and Features 1-11
Lesson 3: Windows Server 2008 Administration Tools 1-20
Lesson 4: Managing Windows Server 2008 Server Core 1-28
Lab: Managing Server Roles in a Windows Server 2008 Environment 1-35

Module 2: Managing Windows Server 2008 Infrastructure Roles
Lesson 1: Understanding IPv6 Addressing 2-3
Lesson 2: Overview of the DNS Server Role 2-18
Lesson 3: Configuring DNS Zones 2-29
Lab A: Installing and Configuring the DNS Server Role 2-41
Lesson 4: Overview of the DHCP Server Role 2-46
Lesson 5: Configuring DHCP Scopes and Options 2-53
Lab B: Installing and Configuring the DHCP Server Role 2-65

Module 3: Configuring Access to File Services
Lesson 1: Overview of Access Control 3-3
Lesson 2: Managing NTFS File and Folder Permissions 3-13
Lesson 3: Managing Permissions for Shared Resources 3-23
Lesson 4: Determining Effective Permissions 3-36
Lab: Managing Access to File Services 3-43

Module 4: Configuring and Managing Distributed File System
Lesson 1: Distributed File System Overview 4-3
Lesson 2: Configuring DFS Namespaces 4-14
Lesson 3: Configuring DFS Replication 4-20
Lab: Installing and Configuring Distributed File System 4-28

Module 5: Managing File Resources Using File Server Resource Manager
Lesson 1: Overview of File Server Resource Manager 5-3
Lesson 2: Configuring Quota Management 5-11
Lab A: Installing FSRM and Implementing Quota Management 5-19
Lesson 3: Implementing File Screening 5-22
Lesson 4: Managing Storage Reports 5-28
Lab B: Configuring File Screening and Storage Reports 5-33


Lesson 5: Implementing Classification Management and File Management Tasks 5-36
Lab C: Configuring Classification and File Management Tasks 5-49

Module 6: Configuring and Securing Remote Access
Lesson 1: Configuring a Virtual Private Network Connection 6-3
Lesson 2: Overview of Network Policies 6-16
Lab A: Implementing a Virtual Private Network 6-26
Lesson 3: Integrating Network Access Protection with VPNs 6-31
Lesson 4: Configuring VPN Enforcement Using NAP 6-39
Lab B: Implementing NAP into a VPN Remote Access Solution 6-48
Lesson 5: Overview of DirectAccess 6-56

Module 7: Managing Active Directory Domain Services
Lesson 1: Overview of the Active Directory Infrastructure 7-4
Lesson 2: Working with Active Directory Administration Tools 7-17
Lesson 3: Managing User Accounts 7-26
Lesson 4: Managing Computer Accounts 7-36
Lab A: Creating and Managing User and Computer Accounts 7-45
Lesson 5: Managing Groups 7-50
Lesson 6: Using Queries to Locate Objects in AD DS 7-63
Lab B: Managing Groups and Locating Objects in AD DS 7-68

Module 8: Configuring Active Directory Object Administration and Domain Trust
Lesson 1: Configuring Active Directory Object Administration 8-3
Lab A: Configuring Active Directory Delegation 8-15
Lesson 2: Configuring Active Directory Trusts 8-20
Lab B: Administering Trust Relationships 8-29

Module 9: Creating and Managing Group Policy Objects
Lesson 1: Overview of Group Policy 9-3
Lesson 2: Configuring the Scope of Group Policy Objects 9-14
Lab A: Creating and Configuring GPOs 9-22
Lesson 3: Managing Group Policy Objects 9-26
Lab B: Creating and Configuring GPOs 9-35
Lesson 4: Evaluating and Troubleshooting Group Policy Processing 9-39
Lab C: Troubleshooting Group Policy 9-53

Module 10: Using Group Policy to Configure User and Computer Settings
Lesson 1: Using Group Policy to Configure Folder Redirection and Scripts 10-3


Lab A: Using Group Policy to Configure Scripts and Folder Redirection 10-14
Lesson 2: Using Administrative Templates to Manage Users and Computers 10-17
Lab B: Configuring Administrative Templates 10-24
Lesson 3: Deploying Software Using Group Policy 10-27
Lab C: Deploying Software Using Group Policy 10-37
Lesson 4: Deploying Group Policy Preferences 10-39
Lab D: Deploying Group Policy Preferences 10-46

Module 11: Implementing Security Settings Using Group Policy
Lesson 1: Overview of Security Settings 11-3
Lesson 2: Implementing Fine-Grained Password Policies 11-14
Lab A: Implementing Security by Using Group Policy 11-21
Lesson 3: Restricting Group Membership and Access to Software 11-26
Lab B: Configuring Restricted Groups and Application Control Policies 11-36

Module 12: Providing Efficient Network Access for Remote Offices
Lesson 1: Overview of Remote Office Requirements 12-3
Lesson 2: Implementing Read-Only Domain Controllers 12-6
Lab A: Deploying a Read-Only Domain Controller 12-16
Lesson 3: Implementing BranchCache 12-21
Lab B: Deploying BranchCache 12-34

Module 13: Monitoring and Maintaining Windows Server 2008
Lesson 1: Planning Monitoring Tasks 13-3
Lesson 2: Calculating a Server Baseline 13-9
Lesson 3: Interpreting Performance Counters 13-18
Lesson 4: Selecting Appropriate Monitoring Tools 13-26
Lab: Creating a Baseline of Performance Metrics 13-33

Module 14: Managing Windows Server 2008 Backup and Recovery
Lesson 1: Planning and Implementing File Backups on Windows Server 2008 14-3
Lesson 2: Planning and Implementing File Recovery 14-14
Lab A: Implementing Windows Server Backup and Recovery 14-19
Lesson 3: Recovering Active Directory 14-23
Lesson 4: Troubleshooting Windows Server Startup 14-29
Lab B: Recovering Active Directory Objects 14-37


Appendix A: Implementing DirectAccess
Exercise 1: Configuring the AD DS domain controller and DNS A-4
Exercise 2: Configuring the PKI environment A-6
Exercise 3: Configuring the DirectAccess clients and test Intranet Access A-9
Exercise 4: Configuring the DirectAccess server A-11
Exercise 5: Verifying DirectAccess functionality A-13


About This Course xiii

About This Course

This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.

Course Description

This course is designed to provide foundation skills in networking and Windows Server® security, network services, and administration.

Audience

Candidates for this course are information technology (IT) professionals who work in medium to large organizations. The primary candidate is a Windows Server administrator who operates Windows Servers on a daily basis and who requires the skills for configuring, managing, and maintaining servers installed with Windows Server 2008, including the Release 2 (R2) edition. Candidates are typically responsible for day-to-day management of the server operating system and various server roles such as Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), file and print services, directory services, and software distribution. This course may also be considered in combination with other exam preparation materials for candidates wishing to prepare for Microsoft Certified Technology Specialist (MCTS) and Microsoft Certified IT Professional (MCITP) certification in Windows Server 2008.

Student Prerequisites

This course requires that you meet the following prerequisites:

• At least one year of experience in operating Windows Servers in the area of account management, server maintenance, server monitoring, or server security

• Certification related to the Microsoft Technology Associate (MTA) Networking Fundamentals, Security Fundamentals, and Windows Server Administration Fundamentals designations, or equivalent knowledge as outlined in course 6419B: Fundamentals of Windows Server 2008

• A+, Server+, hardware portion of Network+, or equivalent knowledge

• Working knowledge of networking technologies

• Intermediate understanding of network operating systems

• Basic knowledge of Active Directory

• An understanding of security concepts and methodologies (for example, corporate policies)

• Basic knowledge of TCP/IP

• Basic knowledge of scripting tools such as PowerShell and WMI

Course Objectives

After completing this course, students will be able to:

• Describe the Windows Server 2008 environment including the roles, features, and tools used to perform effective server management.

• Describe IPv6 addressing and how to install and configure the DNS and DHCP server infrastructure roles.

• Configure secure and efficient access to file services.

• Configure and manage a Distributed File System infrastructure.


• Use File Server Resource Manager to assist in data storage capacity management.

• Secure remote access by using features such as Virtual Private Networks, Network Access Protection (NAP), and DirectAccess.

• Describe Active Directory infrastructure and how to manage AD DS objects.

• Configure and manage AD DS object permissions, and configure trust between AD DS domains.

• Create and manage Group Policy Objects (GPOs).

• Understand the specific settings that can be managed by using Group Policy.

• Secure network clients by using Group Policy.

• Describe solutions that can be implemented to provide efficient remote office network access.

• Plan for and implement performance baselines and perform server monitoring by using monitoring tools.

• Plan for and identify backup and restore strategies and identify steps needed to recover from server startup issues.

Course Outline

This section provides an outline of the course:

Module 1, “Overview of the Windows Server 2008 Management Environment” In this module, you will gain familiarity with the components of the operating system and the concepts and terminology found within the Windows Server 2008 environment.

Module 2, “Managing Windows Server 2008 Infrastructure Roles” In this module, students will learn the benefits and technologies associated with IPv6. You will learn the features and configuration options available to implement the DNS and DHCP server roles.

Module 3, “Configuring Access to File Services” In this module, you will learn the concepts and terminology involved in file services; the module also provides guidance in the practical management of a file services infrastructure within the Windows Server 2008 environment.

Module 4, “Configuring and Managing Distributed File System” In this module, you will learn about the Distributed File System (DFS) solution that you can use to meet challenges by providing fault-tolerant access and WAN-friendly replication of files located throughout an enterprise.

Module 5, “Managing File Resources Using File Server Resource Manager” In this module, you will learn about the various options available for installing Windows Server, and complete an installation. You will also launch a local media setup and then perform the post-installation configuration of a server.

Module 6, “Configuring and Securing Remote Access” In this module, you will understand how to configure and secure your remote access clients by using network policies, and where appropriate, Network Access Protection (NAP).

Module 7, “Managing Active Directory Domain Services” In this module, you will review key concepts and the directory services structure. You will take a high-level look at the major components of AD DS and how they fit together. You will also receive hands-on experience working with these components and their associated tools.

Module 8, “Configuring Active Directory Object Administration and Domain Trust” In this module, you will learn how to configure permissions and delegate administration for Active Directory objects. This module also describes how to configure and manage Active Directory trusts.


Module 9, “Creating and Managing Group Policy Objects” In this module, you will understand how administrators deliver and maintain customized desktop configurations, ensure the security of a geographically and logistically dispersed collection of computers, and provide administration and management for an increasingly complex and growing computing environment.

Module 10, “Using Group Policy to Configure User and Computer Settings” In this module, you will learn the skills and knowledge that you need to use Group Policy to configure Folder Redirection, and how to use scripts.

Module 11, “Implementing Security Settings Using Group Policy” In this module, you will understand security-related components that can assist you in implementing security policies in your environment.

Module 12, “Providing Efficient Network Access for Remote Offices” In this module, you will learn how to provide fast and secure logons at remote offices and place a read-only domain controller (RODC) at the remote office. You will also learn how to use BranchCache to speed up access to data across the WAN and reduce WAN utilization.

Module 13, “Monitoring and Maintaining Windows Server 2008” In this module, you will learn how to identify components that require additional tuning, and improve the efficiency of your servers.

Module 14, “Managing Windows Server 2008 Backup and Recovery” In this module, you will learn the necessary planning for backup and restore procedures, and for startup issues, to ensure that you protect data and servers sufficiently against disasters.


Course Materials

The following materials are included with your kit:

• Course Handbook A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience.

• Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.

• Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.

• Module Reviews and Takeaways: Provide improved on-the-job reference material to boost knowledge and skills retention.

• Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it’s needed.

Course Companion Content on the http://www.microsoft.com/learning/companionmoc/ Site:

Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to supplement the Course Handbook.

• Modules: Include companion content, such as questions and answers, detailed demo steps and additional reading links, for each lesson. Additionally, they include Lab Review questions and answers and Module Reviews and Takeaways sections, which contain the review questions and answers, best practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios with answers.

• Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN®, Microsoft Press®.

Student Course files on the http://www.microsoft.com/learning/companionmoc/ Site: Includes the Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations.

• Course evaluation At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.

• To provide additional comments or feedback on the course, send e-mail to [email protected]. To inquire about the Microsoft Certification Program, send e-mail to [email protected].


Virtual Machine Environment

This section provides the information for setting up the classroom environment to support the business scenario of the course.

Virtual Machine Configuration

In this course, you will use Hyper-V deployed on Windows Server 2008 to perform the labs.

Important: At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine without saving the changes, perform the following steps:

1. On the virtual machine, on the Action menu, click Close.

2. In the Close dialog box, in the What do you want the virtual machine to do? list, click Turn off and delete changes, and then click OK.

The following table shows the role of each virtual machine used in this course:

Virtual machine          Role

6419B-NYC-DC1            Windows Server 2008 R2 domain controller in the Contoso.com domain

6419B-NYC-DC2            Windows Server 2008 R2 domain controller in the Contoso.com domain

6419B-NYC-SVR1           Windows Server 2008 R2 member server in Contoso.com

6419B-NYC-EDGE1          Windows Server 2008 R2 member server in Contoso.com

6419B-INET1              Windows Server 2008 R2 standalone server

6419B-NYC-CL1            A Windows 7 computer in the Contoso.com domain

6419B-NYC-CL2            A Windows 7 computer in the Contoso.com domain

6419B-NYC-SVRCORE        Windows Server 2008 R2 standalone server with core installation

6419B-VAN-DC1            Windows Server 2008 R2 domain controller in the Adatum.com domain

Software Configuration

The following software is installed on each VM:

• Windows Server 2008 R2 Enterprise

• Windows® 7

Classroom Setup

Each classroom computer will have the same virtual machine configured in the same way. All the virtual machines are deployed on each student computer.

Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.


• Intel Virtualization Technology (IntelVT) or AMD Virtualization (AMD-V) processor

• Dual 120 GB hard disks 7200 RPM SATA or better*

• 4 GB RAM

• DVD drive

• Network adapter

• Super VGA (SVGA) 17-inch monitor

• Microsoft Mouse or compatible pointing device

• Sound card with amplified speakers

* Striped


Module 1

Overview of the Windows Server 2008 Management Environment

Contents:

Lesson 1: Understanding the Windows Server 2008 Environment 1-3

Lesson 2: Overview of Windows Server 2008 Server Roles and Features 1-11

Lesson 3: Windows Server 2008 Administration Tools 1-20

Lesson 4: Managing Windows Server 2008 Server Core 1-28

Lab: Managing Server Roles in a Windows Server 2008 Environment 1-35


Module Overview

Familiarity with the operating system of your servers is the first and most important step towards effectively managing a server infrastructure. Knowledge of the operating system structure, key components, common management tools, versions and editions, features, and even its limitations will help you to configure your server infrastructure in a way that best utilizes the capabilities of your servers to serve your business needs.

This module will provide you with an overview of all of the above areas as they pertain to Windows Server® 2008. You will gain familiarity with the components of the operating system and the concepts and terminology found within the Windows Server 2008 environment.

Objectives

After completing this module, you will be able to:

• Describe the considerations for implementing and managing a Windows Server 2008 environment.

• Explain Windows Server 2008 server roles and features.

• Describe Windows Server 2008 administration tools.

• Manage Windows Server 2008 Server Core.


Lesson 1

Understanding the Windows Server 2008 Environment

Windows Server 2008 builds upon the Windows operating system features that most users and administrators already know. The initial release of Windows Server 2008 shares its core build fundamentals and its look and feel with Windows Vista®. Windows Server® 2008 R2 shares the same aspects with Windows 7.

However, unlike the desktop client operating systems, Windows Server 2008 is designed to provide a robust and complete server platform to meet all the server-based needs of most network environments.

Objectives

After completing this lesson, you will be able to:

• Describe the Windows Server 2008 Editions.

• Describe the considerations for implementing Windows Server 2008 R2.

• Describe the factors for choosing between physical vs. virtual implementations.

• Describe the factors to consider for server management.


Overview of Windows Server 2008 Editions

Key Points

Windows Server 2008 is available in different editions to support the various server and workload needs of network environments. Each edition of Windows Server 2008 is packaged with a unique set of features that target that edition to a particular environment or even a specific role. The seven editions of Windows Server 2008 deal with almost every possible type of server implementation you would find or require in a network environment.

Note: This course covers functionality for both releases of Windows Server 2008. The initial release of Windows Server 2008 was made available in early 2008. A second release, Windows Server 2008 R2, became available in the middle of 2009. These two releases are treated as distinct versions of Windows Server. When discussing the Windows Server 2008 operating system, three separate terms will be used to differentiate which release is being referenced.

The term “Windows Server 2008 initial release” will be used to refer to the initial, early 2008 release of the operating system.

The term “Windows Server 2008 R2” will be used to refer to the 2009 second release.

The term “Windows Server 2008” will be used to refer to features or discussion relating to both releases and as a general term for the Windows Server 2008 operating system.

The following table lists the most commonly used Windows Server 2008 R2 editions.

Edition / Description

Windows Server 2008 R2 Foundation operating system
A cost-effective advanced server platform that targets small business owners and information technology (IT) generalists. Windows Server Foundation is designed to provide core server features at a low cost. Windows Server Foundation is capable of supporting only one processor and up to 8 gigabytes (GB) of Random Access Memory (RAM).


Windows Server 2008 R2 Standard operating system
The Windows Server Standard edition offers the most commonly used features in Windows Server 2008 and is designed to meet almost all general server computing requirements. It adds features like Server Core, Hyper-V™, and DirectAccess to the functionality of Windows Server Foundation. Windows Server Standard supports up to 4 processors and up to 32 GB of RAM.

Windows Server 2008 R2 Enterprise operating system
Windows Server Enterprise expands upon Windows Server Standard, adding enterprise-level capabilities such as clustering, extended remote access, and increased virtualization capabilities. In addition, Windows Server Enterprise provides support for up to 8 processors and 2 terabytes of RAM.

Windows Server 2008 R2 Datacenter operating system
Windows Server Datacenter provides the full capabilities of the Windows Server 2008 platform. Designed for business critical applications and large scale virtualization implementations, Windows Server Datacenter provides everything required for complex server solutions. Windows Server Datacenter supports up to 64 processors and 2 terabytes of RAM, and supports hot-swappable processors and memory.

The following specialized editions of Windows Server 2008 are also available.

Edition / Description

Windows® Web Server 2008 R2 operating system
A Web application and services platform, Windows Web Server 2008 includes Internet Information Services (IIS) 7.5 and is designed as an Internet-facing server. Windows Web Server 2008 includes Web server and Domain Name System (DNS) server roles.

Windows Server 2008 R2 HPC Edition
Provides an enterprise-class platform for high-performance computing (HPC). It can scale to thousands of processing cores and includes management consoles that help you to proactively monitor and maintain system health and stability. Job scheduling interoperability and flexibility enables integration between Windows and Linux-based HPC platforms.

Windows Server 2008 for Itanium-based Systems operating system
Built specifically to support the Itanium-based IA64 processor architecture, Windows Server 2008 for Itanium-based Systems provides the same feature set as Windows Server Datacenter, and it is designed for high workload scenarios.

Note: When discussing processor support, it is important to note that the numbers provided here refer to physical processors, not processor cores. A single physical processor may have multiple cores that allow for multiple applications or threads to use the processor at the same time in a co-operative manner.

These charts list the editions available for the most recent version of Windows Server, Windows Server 2008 R2. The Foundation edition is not available in the initial release of Windows Server 2008. Additionally, the initial release of Windows Server 2008 is available with or without Hyper-V, which is the Windows Server 2008 virtualization platform. Windows Server 2008 R2 ships with Hyper-V included by default.

Note: Windows Server 2008 R2 is available only for 64-bit hardware platforms. 32-bit hardware platforms are no longer supported.


Windows Server 2008 R2 Considerations

Key Points

Windows Server 2008 R2, the most recent version of the Windows Server platform, provides a number of improvements and new features not found in the initial release of Windows Server 2008.

While the improvements and features provide a more robust and powerful operating system, implementing Windows Server 2008 R2 in your environment requires special considerations.

64-bit Hardware Architecture

First, and most critical from a deployment and upgrade perspective, is the requirement for a 64-bit hardware platform architecture. When upgrading to Windows Server 2008 R2 on older servers, it is important to examine and catalog hardware architecture to ensure that your existing servers are based on the 64-bit architecture.

Windows Server 2008 R2 operates on two separate 64-bit hardware architectures.

• x64 is the industry standard architecture found in most AMD and Intel-based platforms. The x64 architecture is the most common 64-bit architecture found in 64-bit servers.

• Itanium-based systems are built around Intel 64-bit Itanium (IA64) processors and are most commonly used for mathematically complex or intensive applications such as large databases.

Windows Server 2008 R2 will be the last version of Windows Server to support the Itanium processor architecture.

Because of the 64-bit requirement, servers being upgraded or migrated to Windows Server 2008 R2 will need to be examined to ensure they are based on a 64-bit platform.

There may be instances in your environment where a 32-bit version of Windows Server 2003 or the initial release of Windows Server 2008 is running on a 64-bit hardware platform. These systems are capable of running Windows Server 2008 R2. However, there is no direct upgrade path between 32-bit and 64-bit versions of Windows Server.


Upgrade Paths

When directly upgrading a previous version of Windows Server, only specific upgrade paths are supported between versions. Keep in mind that because of the 64-bit requirement of Windows Server 2008 R2, all previous versions of Windows Server operating systems must be 64-bit operating systems.

The following tables illustrate the most common supported upgrade paths.

Windows Server 2003 (SP2, R2) edition -> Supported Windows Server 2008 R2 editions

Standard -> Standard, Enterprise

Enterprise -> Enterprise, Datacenter

Datacenter -> Datacenter

Windows Server 2008 (RTM, SP1, SP2) edition -> Supported Windows Server 2008 R2 editions

Standard -> Standard, Enterprise

Enterprise -> Enterprise, Datacenter

Datacenter -> Datacenter

Web -> Standard, Web
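The 64-bit checks and the upgrade tables above can be turned into an inventory script. The following is an added example, not courseware code: it reads the processor and OS details through WMI, decides whether the hardware is 64-bit, whether the running OS is 64-bit (no 32-bit to 64-bit in-place upgrade exists), which edition limits from this lesson the box fits, and which Windows Server 2008 R2 editions the tables allow it to upgrade to. It assumes Windows PowerShell 2.0 and WMI access to the target; the caption parsing and the edition-limit table are this example's own construction from the lesson text.

```powershell
# Added example, not part of the courseware. Reports whether a server's hardware
# and operating system are 64-bit and which Windows Server 2008 R2 editions it
# could be upgraded to, using the edition limits and upgrade tables from this
# lesson. Assumes Windows PowerShell 2.0 with WMI access to the target.

# Edition limits (physical processors, RAM in GB) as stated in the editions table.
$EditionLimits = @(
    @{ Edition = 'Foundation'; Processors = 1;  RamGB = 8    },
    @{ Edition = 'Standard';   Processors = 4;  RamGB = 32   },
    @{ Edition = 'Enterprise'; Processors = 8;  RamGB = 2048 },
    @{ Edition = 'Datacenter'; Processors = 64; RamGB = 2048 }
)

# Supported in-place upgrade paths, exactly as listed in the two tables above.
$UpgradePaths = @{
    'Windows Server 2003' = @{ Standard = 'Standard, Enterprise'; Enterprise = 'Enterprise, Datacenter'; Datacenter = 'Datacenter' }
    'Windows Server 2008' = @{ Standard = 'Standard, Enterprise'; Enterprise = 'Enterprise, Datacenter'; Datacenter = 'Datacenter'; Web = 'Standard, Web' }
}

function Get-UpgradePath {
    # Returns the R2 editions a source product/edition may upgrade to, or $null
    # when the combination is not in the supported tables.
    param(
        [Parameter(Mandatory = $true)][string]$SourceProduct,  # 'Windows Server 2003' or 'Windows Server 2008'
        [Parameter(Mandatory = $true)][string]$SourceEdition   # Standard, Enterprise, Datacenter or Web
    )
    if (-not $UpgradePaths.ContainsKey($SourceProduct)) { return $null }
    return $UpgradePaths[$SourceProduct][$SourceEdition]
}

function Get-R2ReadinessReport {
    param([string]$ComputerName = '.')

    $cpu = @(Get-WmiObject -Class Win32_Processor -ComputerName $ComputerName)[0]
    $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $cs  = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName

    # Win32_Processor.DataWidth is the processor's native width (hardware);
    # AddressWidth is the width the running OS uses, so a 32-bit Windows Server
    # 2003 on x64 hardware reports DataWidth 64 and AddressWidth 32.
    # Architecture codes: 0 = x86, 6 = Itanium, 9 = x64.
    $hardware64 = ($cpu.DataWidth -eq 64)
    $os64       = ($cpu.AddressWidth -eq 64)
    $hwName = switch ([int]$cpu.Architecture) {
        0 { 'x86' } 6 { 'Itanium (IA64)' } 9 { 'x64' } default { "code $_" }
    }

    # Pull product and edition out of the OS caption, e.g.
    # "Microsoft(R) Windows(R) Server 2003, Enterprise Edition" or
    # "Microsoft Windows Server 2008 Standard". R2 itself is excluded.
    $product = $null
    if ($os.Caption -match 'Windows.*Server 2003')            { $product = 'Windows Server 2003' }
    elseif ($os.Caption -match 'Windows Server 2008(?! R2)') { $product = 'Windows Server 2008' }
    $edition = $null
    if ($os.Caption -match 'Standard|Enterprise|Datacenter|Web') { $edition = $Matches[0] }

    # No 32-bit to 64-bit in-place upgrade exists; such servers must be migrated.
    $upgrade = 'Not in the supported upgrade tables'
    if (-not $os64) { $upgrade = 'None (32-bit OS): migrate instead of upgrading' }
    elseif ($os.Caption -match 'Server 2008 R2') { $upgrade = 'Already Windows Server 2008 R2' }
    elseif ($product -and $edition) {
        $path = Get-UpgradePath -SourceProduct $product -SourceEdition $edition
        if ($path) { $upgrade = $path }
    }

    # Win32_ComputerSystem.NumberOfProcessors counts physical processors on
    # Windows Server 2008 and later, which is what the edition limits refer to
    # (not cores, as the note on processor support explains).
    $ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $fits  = @($EditionLimits |
               Where-Object { $cs.NumberOfProcessors -le $_.Processors -and $ramGB -le $_.RamGB } |
               ForEach-Object { $_.Edition })

    New-Object PSObject -Property @{
        Computer             = $os.CSName
        OperatingSystem      = $os.Caption
        HardwareArchitecture = $hwName
        Hardware64Bit        = $hardware64   # R2 requires x64 or Itanium hardware
        OS64Bit              = $os64
        PhysicalProcessors   = $cs.NumberOfProcessors
        RamGB                = $ramGB
        InPlaceUpgradePath   = $upgrade
        EditionsWithinLimits = ($fits -join ', ')
    }
}

Get-R2ReadinessReport | Format-List
```

Run it with -ComputerName against each server in the catalog step described under 64-bit Hardware Architecture; a server that reports Hardware64Bit true but OS64Bit false is exactly the "32-bit OS on 64-bit hardware" case that needs a migration rather than an upgrade.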

Operating System Consistency

In some instances, the new features and functionality that Windows Server 2008 R2 provides may not be required on pre-existing servers in your environment. It is important to note, however, that Windows Server 2008 and Windows Server 2008 R2 are different versions of the Windows Server operating system. Enhancements, bug fixes, and service packs are developed and released separately for each operating system. If you operate in an environment where consistency and a unified environment are important, you should consider upgrading all capable (64-bit) servers to Windows Server 2008 R2. It is important to note that if you still have 32-bit hardware in your environment, you will not be able to upgrade all of your servers to Windows Server 2008 R2.

Migration and Server Roles

The functionality contained in Windows Server 2008 R2 has changed since the original version of Windows Server 2008 and even more so since Windows Server 2003. As a result, the functionality provided by previous versions of the operating system needs to be examined and mapped to the features and functionality provided by Windows Server 2008 R2.

Microsoft provides a number of documents covering this migration process, called Role Migration Guides. These guides provide information to assist you in planning a smooth transition between the services provided by your existing server infrastructure and your new Windows Server 2008 R2 infrastructure, and are downloadable from the Microsoft website.


Physical vs. Virtual Server Implementations

Key Points

Server virtualization enables you to configure one or more virtual machines that emulate a physical computer. Multiple virtual machines can run on one physical server, with all the virtual machines sharing the resources available on the physical server.

Windows Server 2008 introduces Hyper-V as the first integrated virtualization platform of Windows Server. Hyper-V provides software infrastructure and basic management tools that you can use to create and manage a virtualized server computing environment.

Server virtualization can overcome the limitations of physical servers and provide a solution for challenges that organizations face with their physical environments. The following list describes common organizational challenges:

• Data Centers Are Reaching Capacity
In many organizations, data centers quickly reach capacity for power and space. These organizations frequently deploy new servers for every new project or requirement. The data centers also require large amounts of power for cooling and running the servers. Virtualization often results in significantly fewer physical servers, which require less space and less power.

• Server Resource Utilization Is Very Low
Many servers run at very low utilization, which is a problem that often aggravates data center capacity. It is common for some servers to run at less than ten percent of processor capacity. Virtualization combines several virtual servers onto a single physical server, thereby making more efficient use of physical resources.

• Managing Servers Requires Significantly More Effort
As organizations deploy more servers running many different roles, the effort required to deploy, support and secure the servers also increases. If several servers can be virtualized and run on a single physical server, there are fewer physical objects in your environment to support and maintain.


• Supporting Legacy Systems Is Difficult
Legacy hardware and systems become increasingly costly to maintain. Many organizations have business applications that were developed many years ago and have not been upgraded to run on new operating systems (OS) or on new hardware. Often, a virtualized environment can overcome physical constraints and allow legacy systems to be integrated into your server environment.

The factors that make a server a good candidate for virtualization vary, but any server facing one of the above challenges should be assessed for potential virtualization.

The Microsoft Assessment and Planning (MAP) Toolkit provides the ability to assess your current IT infrastructure for a variety of Windows Server 2008 migration projects, including virtualization. The MAP Toolkit is a powerful inventory, assessment, and reporting tool that can be used to simplify the migration planning process for a virtualized environment.


Server Management Considerations

Key Points

When configuring a server, many aspects of server management need to be considered to ensure that your server environment is functioning in the most efficient and consistent manner possible.

The following questions should be answered when configuring and managing a Windows Server 2008 server:

• What roles does the server perform within the network infrastructure? The functionality of a server is determined by the operating system software components that are installed and configured.

• Are there specific security needs associated with this server? If a server has specific security needs or is being located in a physical or network environment where the threat of unauthorized malicious use is high, steps need to be taken to ensure that users with malicious intent have the fewest areas of the operating system exposed to them.

• How will the server be managed? As you will learn, Windows Server 2008 has a number of different tools that allow you to manage a Windows Server 2008 server. Different tools allow different management tasks and capabilities, such as scripting, remote access, high level overviews, or multiple administrators.

• Is there a requirement for server availability? Depending on the role of your Windows Server 2008 server, server availability may be a requirement. Your server may be required by policy or business logic to provide its services in a consistently available manner. Larger organizations and public organizations such as emergency services, hospitals, phone and power companies, and many others cannot afford even a few seconds a year of downtime for important services. The servers providing these services need to be configured in some type of redundant or fault-tolerant configuration to ensure consistent availability.

Question: Does your organization manage servers that may have some of the requirements in this topic?


Lesson 2

Overview of Windows Server 2008 Server Roles and Features

The usefulness and functionality of a server are determined by the set of components installed and configured on the server.

In a production environment, determining what components of an operating system need to be installed, activated, and configured to provide a specific piece of functionality can be an imposing task. In previous versions of Windows Server, the responsibility was placed on the administrator to determine this list of components, ensure they were configured correctly, and provide a method of effectively managing these components.

Windows Server 2008 changes all this with server roles and server features.

Objectives

After completing this lesson, you will be able to:

• Describe server roles.

• Describe Infrastructure and Application Services roles.

• Describe Active Directory server roles.

• Describe server features.

• Install server roles and features by using Server Manager.


What Are Server Roles?

Key Points

Windows Server 2008 uses a role-based configuration. Operating system functionality is controlled primarily through server roles.

Server Roles

A server role is a collection of operating system components that work together to provide a specific aspect of server functionality. Rather than having to determine the components required to provide some type of functionality, as in previous versions, a Windows Server 2008 server administrator can simply install the role associated with that functionality. Installing a role prompts Windows Server 2008 to enable the necessary operating system components required to perform the functionality associated with the role. This ensures that all the components required are enabled when a role is installed. Also, those components will be disabled if the role is removed from the server.

Role Services

Server roles comprise one or more role services that represent the individual aspects of functionality that a role provides. Depending on how a role is being implemented, some role services may or may not be installed as part of the overall role functionality. Role services allow administrators to build onto the functionality of a role, depending on the requirements.

For example, Print and Document Services is composed of the following role services:

• Print Server

• LPD Service

• Internet Printing

• Distributed Scan Server


If you are configuring a Windows Server 2008 server to function as a print server, but do not specifically require scan services, you should not select the Distributed Scan Server role service to be installed as part of the Print and Document Services role.

Multiple Roles

While some roles are typically installed as the only role on a server and provide the core of that server's functionality, multiple roles are often installed to work together to provide multiple aspects of functionality; or they can be combined to better utilize server hardware resources.

When deploying multiple server roles on a single computer, consider the following:

• The capacity of the computer should be sufficient for all the installed roles.

• The security requirements for the roles you plan to install must co-exist on a single computer.

• The security settings should be configured appropriately for all installed roles.

• Possible migration paths should be planned in advance, if the computer becomes overloaded.
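The role and role-service model above (installing only the role services a role actually needs, as in the print server without Distributed Scan Server) and the multiple-role considerations just listed can both be handled from the ServerManager module. The following is an added example, not courseware code: one function installs a role with an explicit subset of its role services and rejects anything that is not a role service of that role, and a second audits the roles actually installed against the roles the server is expected to carry. It assumes Windows Server 2008 R2 with the ServerManager module; the feature names used (Print-Services, Print-Server, Print-LPD-Service, File-Services) are the ones Get-WindowsFeature reports on 2008 R2 and should be confirmed on your own server.

```powershell
# Added example, not part of the courseware. Installs a role with only the role
# services it actually needs and then audits the installed roles against an
# expected list. Assumes Windows Server 2008 R2 with the ServerManager module;
# feature names such as Print-Services, Print-Server, Print-LPD-Service and
# File-Services are the ones Get-WindowsFeature reports on 2008 R2 and should be
# confirmed with Get-WindowsFeature on your own server.

Import-Module ServerManager

function Install-RoleWithServices {
    # Installs $Role plus the named subset of its role services and nothing else.
    # With -WhatIf the plan is shown and the server is not changed.
    param(
        [Parameter(Mandatory = $true)][string]$Role,
        [string[]]$RoleServices = @(),
        [switch]$WhatIf
    )
    $roleFeature = Get-WindowsFeature -Name $Role
    if (-not $roleFeature -or $roleFeature.FeatureType -ne 'Role') {
        throw "'$Role' is not a known server role"
    }
    # Refuse anything that is not a role service belonging to this role, so a
    # typo cannot silently pull in an unrelated feature.
    $unknown = @($RoleServices | Where-Object { $roleFeature.SubFeatures -notcontains $_ })
    if ($unknown.Count -gt 0) {
        throw "Not role services of ${Role}: $($unknown -join ', ')"
    }
    # Add-WindowsFeature installs only what is named (no -IncludeAllSubFeature),
    # so role services that are not listed, such as Distributed Scan Server for
    # a plain print server, stay uninstalled.
    $result = Add-WindowsFeature -Name (@($Role) + $RoleServices) -WhatIf:$WhatIf
    if ($result -and $result.RestartNeeded -ne 'No') {
        Write-Warning "A restart is needed to finish installing $Role"
    }
    return $result
}

function Test-InstalledRoles {
    # Lists every installed role with its installed role services, flags roles
    # that are not on the expected list for this server, and reports expected
    # roles that are missing.
    param([Parameter(Mandatory = $true)][string[]]$ExpectedRoles)

    $installedRoles = @(Get-WindowsFeature | Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' })
    foreach ($r in $installedRoles) {
        $services = ''
        if ($r.SubFeatures.Count -gt 0) {
            $services = (Get-WindowsFeature -Name $r.SubFeatures |
                         Where-Object { $_.Installed } | ForEach-Object { $_.Name }) -join ', '
        }
        $status = 'Expected'
        if ($ExpectedRoles -notcontains $r.Name) { $status = 'UNEXPECTED: review and remove' }
        New-Object PSObject -Property @{ Role = $r.Name; Status = $status; RoleServices = $services }
    }
    $installedNames = @($installedRoles | ForEach-Object { $_.Name })
    foreach ($name in $ExpectedRoles) {
        if ($installedNames -notcontains $name) {
            New-Object PSObject -Property @{ Role = $name; Status = 'MISSING'; RoleServices = '' }
        }
    }
}

# A print server that does not need scanning: install the role with the Print
# Server and LPD role services only. Drop -WhatIf to actually install.
Install-RoleWithServices -Role 'Print-Services' -RoleServices 'Print-Server', 'Print-LPD-Service' -WhatIf

# Audit: this server is expected to carry only the print and file roles.
Test-InstalledRoles -ExpectedRoles 'Print-Services', 'File-Services' |
    Format-Table Role, Status, RoleServices -AutoSize
```

Running the audit on each multi-role server gives a quick view of whether the roles actually present still match the security and capacity plan made for that computer.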

Question: How do server roles and role-based configuration make it easier to configure functionality on a Windows Server 2008 server? Are there ways that role-based configuration makes configuration more difficult?


Infrastructure and Application Services Server Roles

Key Points

Windows infrastructure services roles form the underlying framework of software and services that are used by other applications within the organization and provide application-based services to the rest of the network.

The following table describes Windows Server 2008 infrastructure and application services roles:

Role / Description

Application Server: Provides a solution for hosting and managing distributed applications

DHCP Server: Automatically allocates IP addresses and IP configuration information to clients

DNS Server: Provides name resolution for TCP/IP networks

Fax Server: Sends and receives faxes electronically rather than requiring paper-based copies of documents

File Services: Provides technologies for storage management, file replication, and file searching

Hyper-V™: Provides server virtualization functionality

Network Policy and Access Services: Provides support for LAN or WAN routing, network access policy enforcement, VPN connections, and dial-up connections

Print and Document Services: Enables and manages network printing, scanning, and document routing

Remote Desktop Services: Allows users to run programs on a remote server but view the results in a Remote Desktop window


Web Services (IIS): Enables the capability to act as a web server, installing Internet Information Services (IIS) and related components

Windows Deployment Services: Deploys Windows operating systems to computers over the network

Windows Server Update Services (WSUS): Allows network administrators to control Microsoft Update distribution to clients and servers

Windows Server 2008 R2 Considerations

The WSUS server role is new in Windows Server 2008 R2.

Also, the following server roles have been renamed from the initial release of Windows Server 2008 to Windows Server 2008 R2.

Windows Server 2008 Server Role -> Windows Server 2008 R2 Server Role

Print Services -> Print and Document Services

Terminal Services -> Remote Desktop Services

Also, the Universal Description, Discovery, and Integration Services (UDDI) server role has been removed from Windows Server 2008 R2. UDDI provides capabilities for sharing information about Web services between servers, but the server role is unsupported on 64-bit platforms, the only platform on which Windows Server 2008 R2 will run. A new, stand-alone version of UDDI that supports 64-bit platforms is available for download from the Microsoft website.


Active Directory Server Roles

Key Points
Active Directory roles form the core of identity and access management within a Windows Server-based network. The various Active Directory roles allow for full control over the management of, and access to, server-based network resources, including users, computers, files, folders, and printers. Also, the Active Directory server roles allow separate Active Directory infrastructures to integrate seamlessly, allowing for secured, unified administration and information exchange.

The following table lists the Active Directory server roles.

Role: Active Directory® Domain Services (AD DS)
Description: Stores information about users, computers, and other devices on the network. AD DS helps administrators securely manage this information and facilitates resource sharing and collaboration between users and organizations.

Role: Active Directory Certificate Services (AD CS)
Description: Provides customizable services for issuing and managing certificates in software security systems that use public key technologies.

Role: Active Directory Federation Services (AD FS)
Description: Provides Web single sign-on (SSO) technologies to authenticate a user to multiple Web applications by using a single user account.

Role: Active Directory Lightweight Directory Services (AD LDS)
Description: Organizations that have applications which require a directory for storing application data can use AD LDS as the data store. AD LDS runs as a non-operating-system service and does not have to be deployed on a domain controller.

Role: Active Directory Rights Management Services (AD RMS)
Description: Information protection technology that works with AD RMS-enabled applications to help safeguard digital information from unauthorized use.


What Are Server Features?

Key PointsServer features are Windows Server 2008 components that do not specifically fall into the scope of one ofthe server roles. Although they are not directly part of a server role, server features can support or add acomplementary functionality to one or more roles, or improve the functionality of the server, regardless ofwhich roles are installed.

Server features are typically installed individually, independent of other server features and server roles.Similar to server roles, server features are installed, configured, and managed primarily through the ServerManager console in Windows Server 2008 R2.

Windows Server 2008 R2 Considerations
The following features are available in Windows Server 2008 R2, but not in the initial release of Windows Server 2008:

• Windows BranchCache
• DirectAccess Management Console
• Ink and Handwriting Services
• Windows Biometric Framework
• Windows Server Migration Tools
• Windows Remote Management (WinRM) IIS Extension
• XPS Viewer
• Remote Server Administration Tools now includes Active Directory® Administrative Center, Remote Desktop (RD) Connection Broker tools, and BitLocker® Recovery Password Viewer.


Note: Windows 2000 client support has been removed from Message Queuing in Windows Server 2008 R2.

Also, several features are available only in certain editions of Windows Server 2008. Enterprise-level capabilities such as BranchCache Hosted Server and Failover Clustering are not available in the Foundation or Standard editions. Additionally, DirectAccess Management is not available in the Foundation edition.


Demonstration: How to Install Server Roles and Features

Key Points

Server Manager is the primary management tool in Windows Server 2008. This demonstration shows how both server roles and server features are managed within Server Manager.

In this demonstration, you will learn how to:

• Add a server role by using Server Manager.
• Add a server feature by using Server Manager.
• Configure a server role by using Server Manager.


Lesson 3

Windows Server 2008 Administration Tools

Windows Server 2008 is a robust and powerful operating system that contains a large number of components and capabilities.

To harness the power of Windows Server 2008, you need to be familiar with the available management tools, which allow you to effectively manage and administer your Windows Server 2008 servers.

Objectives
After completing this lesson, you will be able to:

• Describe the methods used to manage a server environment.

• Manage Windows Server 2008 by using Server Manager.

• Describe how to use Remote Server Administration Tools (RSAT).

• Describe the use and advantages of Windows PowerShell.


Methods Used to Manage a Windows Server 2008 Environment

Key Points
There are a variety of methods used to manage a Windows Server 2008 environment. The specific tool or tools that you use with Windows Server 2008 may vary according to how you are managing your servers.

The most common management tools are briefly described as follows:

Server Manager
Server Manager is the core tool for managing a Windows Server 2008 server. Built on the Microsoft Management Console (MMC), Server Manager contains snap-ins for all installed server roles and server features, and a unified collection of tools and operating system information useful in managing Windows Server 2008, including the following:

• Event Viewer

• Services console

• Performance monitoring

• Device Manager

• Task Scheduler

• Disk Management

Windows Server 2008 R2 introduces several enhancements to Server Manager that are not available in the initial release of Windows Server 2008:

• Server Manager can now connect to remote servers.

• Server Manager has built-in Best Practices Analyzers (BPAs) from Microsoft to help administrators ensure that their servers are configured in the most secure and optimal manner possible.


• New PowerShell cmdlets have been added that allow you to install, remove, or view information about available roles and features by using Windows PowerShell.

Command-Line Tools
Windows Server 2008 has a large number of command-line tools that administrators can run directly from the command line or include in administrative scripts, batch files, or scripting languages such as VBScript.

RSAT
The RSAT download is available for Windows client operating systems (Windows Vista and Windows 7) and allows for the remote management of Windows servers from desktop computers.

Windows PowerShell
Windows PowerShell is a task-based command-line shell and scripting language designed specifically for system administration. It allows administrators to automate and control the management of Windows computers and the applications that run on Windows.


Demonstration: Overview of Server Manager

Key PointsThis demonstration will show you the Server Manager interface, highlighting the most commonly usedtools and console windows.

In this demonstration, you will learn how to:

• Describe how Server Manager unifies administrative consoles for server roles, server features, andother operating system components.

• Navigate the Server Manager console.

• Find commonly used management tools and console windows within Server Manager.


What Are the Remote Server Administration Tools?

Key Points
RSAT enables administrators to remotely manage server roles, server features, and other operating system functionality on a Windows Server 2008 server.

Essentially, RSAT installs the MMC consoles for server components on the client operating system and uses those consoles to connect remotely to Windows Server 2008 computers to perform management tasks. When you install RSAT on the client operating system, you are given a choice of which consoles to install.

RSAT is typically installed on the Windows client operating system of someone who requires administrative access to a Windows Server 2008 server. Because the consoles run with the credentials of the logged-on administrator, the workstation on which RSAT is installed should be protected as an administrative workstation. RSAT is available for both Windows Vista and Windows 7 and offers varying functionality, depending on both the client operating system on which RSAT is installed and the version of Windows Server 2008 that is being managed.

When running RSAT on a Windows 7 computer and connecting to a Windows Server 2008 R2 server, the following remote management tools are available.

Server Administration Tools:
• Server Manager

Role Administration Tools:
• Active Directory Certificate Services (AD CS) Tools
• Active Directory Domain Services (AD DS) Tools
• Active Directory Lightweight Directory Services (AD LDS) Tools
• DHCP Server Tools
• DNS Server Tools
• File Services Tools


• Hyper-V Tools
• Remote Desktop Services (formerly Terminal Services) Tools

Feature Administration Tools:
• BitLocker Recovery Password Viewer
• Failover Clustering Tools
• Group Policy Management Tools
• Network Load Balancing Tools
• SMTP Server Tools
• Storage Explorer Tools
• Storage Manager for SANs Tools
• Windows System Resource Manager Tools


What Is Windows PowerShell?

Key Points

Windows PowerShell is a task-based command-line shell and scripting language designed specifically for system administration. Built on the .NET Framework, PowerShell allows administrators to automate and control the management of Windows computers and the applications that run on Windows. PowerShell 1.0 shipped as an optional feature of the initial release of Windows Server 2008 and as a separate download for Windows Vista. PowerShell comprises a large number of single-purpose commands, called cmdlets.

Cmdlets are the core building block of PowerShell. They are typically very narrow in scope, performing only a single task. This results in a large number of cmdlets with relatively simple syntax and options, rather than a smaller list with more complex syntax and methods.

Cmdlets
Cmdlets in PowerShell are named by using a verb-noun syntax, which makes it relatively easy to determine the intended purpose of a cmdlet simply from its name. The following list provides some examples of PowerShell cmdlets:

• Get-Date
• Start-Service
• Restart-Computer
• Set-ItemProperty
• Get-Help
• Clear-EventLog

PowerShell cmdlets allow the management of almost any aspect of the Windows operating system, andany installed applications that support PowerShell.


PowerShell 2.0
PowerShell 2.0, introduced with Windows Server 2008 R2 and Windows 7, adds a number of important new features and improvements in functionality over the original version of PowerShell that shipped with the initial release of Windows Server 2008 and Windows Vista®. The following is a list of the new features available with PowerShell 2.0:

• Integrated Scripting Environment (ISE)
The new Integrated Scripting Environment (ISE) is a multi-tabbed graphical PowerShell development environment that features color-coded syntax, debugging capabilities, and script-output management.

• Remoting
Remoting is one of the most important changes in PowerShell 2.0; it provides support for running commands and scripts on remote systems. PowerShell remoting lets you run scripts on remote networked systems in a one-to-one or one-to-many configuration. Remoting requires that PowerShell 2.0 be installed on both the local and the remote system.

Note: PowerShell remoting relies on Windows Remote Management (WinRM). For remoting to work, WinRM must be enabled on the remote computer. To enable WinRM with its default configuration, run the following command from an elevated command prompt on the remote computer (winrm qc is an accepted abbreviation).

winrm quickconfig

This starts the WinRM service, creates an HTTP listener on TCP port 5985 on all network interfaces, and adds a Windows Firewall exception for it, so review the result on servers that have interfaces on untrusted networks. Within a domain, WinRM authenticates with Kerberos, which verifies the server as well as the client; outside a domain it falls back to NTLM and requires the client's TrustedHosts list to be populated, which weakens server authentication. From PowerShell, Enable-PSRemoting performs the same steps and also registers the session configurations that remoting uses.

• EventingPowerShell Eventing lets you respond to the notifications that many PowerShell objects support.

• Added cmdlets, functions, and modulesPowerShell 2.0 adds a host of new cmdlets and other features that make server management by usingPowerShell far more powerful. The following areas have been given new or improved functionality inPowerShell 2.0.

• Active Directory

• AppLocker™

• Best Practices Analyzer

• Background Intelligent Transfer Service (BITS)

• Failover Cluster

• Group Policy

• Server Manager

• Windows Server Backup

• Windows Server Migration Tools

Note: The additional modules mentioned are installed with their corresponding server role or server feature. They are not part of the default installation of Windows PowerShell 2.0. For example, the Active Directory module and its cmdlets are installed with the Active Directory Domain Services server role (and, on other computers, with the AD DS tools in RSAT).
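The following script is an added example and is not part of the course or of Microsoft's own tooling. It ties together three points from this lesson: the cmdlet naming above, the Server Manager cmdlets for viewing and installing roles and features, and PowerShell 2.0 remoting with its WinRM dependency. It enables remoting on each managed server, verifies the WinRM listener from the management computer, and then uses one-to-many Invoke-Command to collect the installed roles and features from several servers with Get-WindowsFeature and compare them against an allow-list. The server names (NYC-SVR1, NYC-SVR2) and the allow-list are assumptions; the targets are assumed to run Windows Server 2008 R2 with PowerShell 2.0, and the script is assumed to run on a domain-joined Windows 7 or Windows Server 2008 R2 management computer as a user who is an administrator on the targets.

```powershell
# Added example, not from the course. Uses PowerShell 2.0 remoting to audit
# the roles and features installed on several Windows Server 2008 R2 computers
# against an allow-list. Server names and the allow-list are assumptions.

# --- Step 1, once on each managed server, from an elevated PowerShell prompt.
# Enable-PSRemoting does what "winrm quickconfig" does (starts WinRM, creates
# the HTTP listener on TCP 5985, adds the firewall exception) and also registers
# the session configuration that Invoke-Command and Enter-PSSession use.
#   Enable-PSRemoting -Force

# --- Step 2, from the management computer.
$servers = 'NYC-SVR1', 'NYC-SVR2'    # assumed names

# Feature names exactly as shown in the Name column of Get-WindowsFeature.
# This allow-list is an assumed build standard for a DHCP/DNS server.
$allowed = 'DHCP', 'DNS', 'RSAT-DHCP', 'RSAT-DNS-Server', 'PowerShell-ISE'

# Only contact servers whose WinRM listener answers. Test-WSMan fails fast
# otherwise; inside a domain it authenticates with Kerberos, so the server
# is verified as well as the client.
$reachable = @()
foreach ($s in $servers) {
    try {
        Test-WSMan -ComputerName $s -ErrorAction Stop | Out-Null
        $reachable += $s
    } catch {
        Write-Warning ('{0}: WinRM not reachable ({1})' -f $s, $_.Exception.Message)
    }
}
if ($reachable.Count -eq 0) { throw 'No servers reachable over WinRM' }

# One-to-many: the script block runs on every reachable server at the same
# time; results come back as deserialized objects tagged with PSComputerName.
$installed = Invoke-Command -ComputerName $reachable -ScriptBlock {
    Import-Module ServerManager
    Get-WindowsFeature | Where-Object { $_.Installed } | Select-Object Name, DisplayName
}

# Anything installed that is not on the allow-list is extra attack surface
# (more services, listeners and code to patch) and needs a justification.
$unexpected = $installed | Where-Object { $allowed -notcontains $_.Name }
if ($unexpected) {
    Write-Warning 'Installed components that are not on the allow-list:'
    $unexpected | Sort-Object PSComputerName, Name |
        Format-Table PSComputerName, Name, DisplayName -AutoSize
} else {
    Write-Host 'All reachable servers match the allow-list.'
}

# Closing a gap uses the same cmdlet family; -WhatIf shows the plan without changing anything:
# Invoke-Command -ComputerName NYC-SVR1 -ScriptBlock { Import-Module ServerManager; Add-WindowsFeature DHCP -WhatIf }
```

Get-WindowsFeature reports role services as well as roles and features, so the allow-list must name each role service that the build standard permits, not just the parent role. If the management computer or a target is not a domain member, Invoke-Command will fail until the target is added to the client's TrustedHosts list; prefer fixing the domain membership over widening TrustedHosts, because the TrustedHosts path does not authenticate the server.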


Lesson 4

Managing Windows Server 2008 Server Core

The Server Core installation option was first introduced in the initial release of Windows Server 2008. It is a stripped-down, streamlined installation of Windows Server 2008.

This lesson will look at Server Core, its features, capabilities, and limitations, and the tools used to managea Server Core installation of Windows Server 2008.

ObjectivesAfter completing this lesson, you will be able to:

• Describe the benefits of a Server Core installation.

• Describe server roles that are supported by Server Core.

• Describe features that are supported by Server Core.

• Manage Windows Server 2008 Server Core.


Benefits of a Server Core Installation

Key Points
The Server Core installation option installs Windows Server 2008 with a minimal feature set.

Server Core offers a smaller subset of server roles and features than the full installation of Windows Server 2008. Additionally, Server Core does not include the Windows Explorer graphical shell. All local interaction with a Server Core installation is done by using command-line tools.

The Server Core minimal feature set provides the following benefits:

• The attack surface is minimized because of the limited set of roles and features: fewer services run, fewer ports listen, and less code is present to be exploited.

• Malicious users must be familiar with the command line to make changes to the operating system when accessing a Server Core installation locally. Treat this as a minor obstacle rather than a security control: anyone with local logon rights has the same command-line tools available, so it is access control, not the absence of a graphical shell, that limits what they can do.

• Hardware requirements are lower for a Server Core installation because of the stripped-down nature of the operating system.

• A Server Core installation requires less maintenance than a full installation. The reduced number of services and applications requires fewer updates than a full-featured operating system. Fewer updates mean fewer restarts of the operating system, which in turn increases the availability of the server.


Roles Supported by the Server Core Installation Option

Key Points
Server Core supports a subset of the standard Windows Server 2008 roles, primarily roles that provide core network infrastructure.

Server Core supports the following server roles in Windows Server 2008:

• Active Directory Domain Services
• Active Directory Lightweight Directory Services
• DHCP Server
• DNS Server
• File Services
• Print Services
• Streaming Media Services
• Web Server (IIS), without ASP.NET
• Hyper-V

Windows Server 2008 R2 adds the following role changes:

• Active Directory Certificate Services is supported.
• The File Server Resource Manager component of the File Services role is supported.
• A subset of ASP.NET is supported in the Web Server (IIS) role.
• Streaming Media Services has been removed.


Features Supported by the Server Core Installation Option

Key Points
Similar to server roles, Server Core supports a subset of the standard Windows Server 2008 features.

Server Core supports the following server features in Windows Server 2008:

• Windows Server Backup
• BitLocker Drive Encryption
• Failover Clustering
• Multipath I/O
• Network Load Balancing
• Removable Storage Management
• Subsystem for UNIX-based Applications
• Telnet Client
• WINS Server

Windows Server 2008 R2 adds the following feature changes:

• .NET Framework (a subset)
• Windows PowerShell
• Windows-on-Windows 64-bit (WoW64)
• Removable Storage Management feature removed
• Ability to be remotely configured by using Server Manager


Methods Used to Manage the Server Core Installation Option

Key Points
Managing Server Core is a slightly more complicated task than managing a full installation of Windows Server 2008.

For the initial release of Windows Server 2008, entering commands at the command line (interactively or in scripts) is the only local method available to configure a Server Core installation. Although the lack of a graphical shell is a minor deterrent to users with malicious intent who gain access to the server, it is not a security boundary, and it does mean a more complicated and tedious workload for those who manage the servers.

Adding and Removing Server Roles and Server Features
Managing the roles and features installed on a Server Core computer requires you to work from the command line. The following tools allow you to manage installed server roles and server features in Windows Server 2008.

• Ocsetup.exe and Oclist.exe
Ocsetup is the default tool used to add and remove server roles and server features in Windows Server 2008. The ocsetup.exe command is issued from the command line, followed by arguments that determine which role or feature is being added or removed. Use start /w so that the command prompt waits for ocsetup to finish before returning. For example, the following command installs the DHCP Server role on a Server Core installation.

start /w ocsetup DHCPServerCore

To uninstall the role, execute the following command.

start /w ocsetup DHCPServerCore /uninstall

Oclist.exe can be executed to show a list of the roles and features available on the current server, along with the current installation status of each.


• Dism.exe
Dism.exe, the Deployment Image Servicing and Management (DISM) tool, is included with Windows Server 2008 R2. It has a wide range of applications in Windows image and configuration management.

One of those applications is the installation and removal of server roles and server features on Server Core. Issuing the following command installs the DHCP Server role on a Server Core installation.

Dism /online /enable-feature /featurename:DHCPServerCore

In the command above, the switches perform the following actions.

• The /online switch directs Dism.exe to operate on the currently running installation of Windows. Dism.exe can also service offline Windows images.

• The /enable-feature switch installs or enables the specified component. Note that the word "feature" in this switch does not refer only to server features: /enable-feature is used to install both server roles and server features. The /disable-feature switch removes an installed role or feature.

• The /featurename switch specifies the server role or server feature to be installed or removed. In this example, the operation targets the DHCP Server role.

To determine the current status of server roles and features, execute the following command.

Dism /online /get-features

Note: The role and feature names used for ocsetup and dism are the same; DHCPServerCore refers to the DHCP Server role in both tools. These names are also case-sensitive. For example, using dhcpservercore as the feature name results in an error with either tool. Adding /format:table to the /get-features command lists the names and their states compactly; copy the name exactly as shown.
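The following script is an added example, not part of the course. It wraps the dism.exe commands above in PowerShell so that the case-sensitivity trap described in the note is handled rather than hit: it parses the output of dism /online /get-features /format:table, resolves a role or feature name to its exact spelling, enables it only if it is not already enabled, and distinguishes DISM's "restart required" exit code from a failure. It assumes that PowerShell has already been enabled on the Server Core R2 installation (the NetFx2-ServerCore and MicrosoftWindowsPowerShell components) and that it runs from an elevated prompt; the function names are the example's own.

```powershell
# Added example, not from the course. Wraps dism.exe so a role or feature name
# is resolved to its exact (case-sensitive) spelling before it is enabled.
# Requires an elevated PowerShell prompt on Windows Server 2008 R2 Server Core.

function Get-CoreFeatureState {
    # Parse "dism /online /get-features /format:table" into objects. Data lines look like:
    #   DHCPServerCore                                | Disabled
    # Header and separator lines do not match the pattern and are skipped.
    $lines = & dism.exe /online /get-features /format:table
    if ($LASTEXITCODE -ne 0) { throw "dism /get-features failed with exit code $LASTEXITCODE" }
    foreach ($line in $lines) {
        if ($line -match '^\s*(\S+)\s*\|\s*(Enabled|Disabled|Enable Pending|Disable Pending)\s*$') {
            New-Object PSObject -Property @{ Name = $matches[1]; State = $matches[2] }
        }
    }
}

function Enable-CoreFeature {
    param([Parameter(Mandatory = $true)][string]$Name)

    # Case-insensitive lookup, so 'dhcpservercore' resolves to 'DHCPServerCore'
    # instead of producing a DISM error; the exact name is what gets passed on.
    $feature = Get-CoreFeatureState | Where-Object { $_.Name -ieq $Name }
    if (-not $feature) { throw "No role or feature named '$Name' in this installation" }
    if ($feature.State -eq 'Enabled') {
        Write-Host ('{0} is already enabled' -f $feature.Name)
        return $feature
    }

    & dism.exe /online /enable-feature "/featurename:$($feature.Name)" /norestart
    # 0 = done, 3010 = done but a restart is required; anything else is a failure.
    if ($LASTEXITCODE -eq 3010) {
        Write-Warning ('{0} enabled; a restart is required to complete it' -f $feature.Name)
    } elseif ($LASTEXITCODE -ne 0) {
        throw "dism /enable-feature failed with exit code $LASTEXITCODE"
    }
    Get-CoreFeatureState | Where-Object { $_.Name -eq $feature.Name }
}

# Usage: install the DHCP Server role (note the wrong case is tolerated), then
# list everything that is enabled or pending so the result can be checked
# against the build standard for this server.
Enable-CoreFeature -Name 'dhcpservercore'
Get-CoreFeatureState | Where-Object { $_.State -ne 'Disabled' } |
    Sort-Object Name | Format-Table Name, State -AutoSize
```

The same Get-CoreFeatureState output is a convenient baseline: save the list of enabled components when the server is built and compare against it later, since anything that has appeared in the "Enabled" state without a change record is either drift or an intrusion.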

Other Improvements in Windows Server 2008 R2
In Windows Server 2008 R2, two very important changes have been made to the Server Core installation option that greatly decrease the administrative workload for Server Core computers.

• Sconfig.exe
Sconfig is a command-line executable that starts a text-based menu for administering a Server Core installation. Common administration tasks are presented in a numbered list. When an administrator chooses a number from the list, sconfig carries out the configuration by calling the underlying command-line programs, without the administrator having to enter the commands manually.

Sconfig supports the following configuration areas on a Server Core installation of Windows Server 2008 R2.

• Computer name and domain/workgroup membership
• Add local administrative users
• Configure Remote Management
• Windows Update settings
• Configure Remote Desktop
• Network settings


• Date and time settings
• Shut down/restart server

• Server Manager and RSAT
In Windows Server 2008 R2, Server Manager on Windows Server 2008 R2 computers, and RSAT on Windows Vista or Windows 7 computers, can connect remotely to a Server Core installation and manage the server by using familiar graphical tools. Remote management must first be enabled on the Server Core computer, for example with the Configure Remote Management option in sconfig. This is a great improvement over previous management methods, because it allows a Server Core installation to be managed remotely alongside full installations of Windows Server 2008 R2, for a more unified management environment.


Lab: Managing Server Roles in a Windows Server 2008 Environment


Exercise 1: Determine Server Roles and Installation Types

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V™ Manager.

2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

5. Repeat steps 2 through 4 for 6419B-NYC-SVR1.

6. Repeat steps 2 and 3 for 6419B-NYC-SVRCORE. Do not log on until directed to do so.

Lab Scenario

You have been asked to complete the final configuration for a server being deployed to the Contoso, Ltd.’s New York City location. Your supervisor, Ed Meadows, has sent you an email detailing the requirements for the final configuration steps that need to be taken on the server.

The main tasks for this exercise are as follows:

1. Review the supporting documentation.

2. Determine the server roles, server features, and installation types, and record them in the answers to the questions in the deployment plan document.

Task 1: Review the supporting documentation.

1. Review the following email message received from Ed Meadows.

To: You
From: Ed Meadows [[email protected]]
Sent: Apr 20 2010 14:20
To: [email protected]
Subject: NYC-SVR1 deployment

Hi,

We’ve arranged to have the new server for the New York City location physically deployed while you are onsite there.

The server name is NYC-SVR1 and it’s to be configured as a print server for the New York office. They’ve just deployed Windows 7 to all desktops in that location and they’re switching away from users having printers connected directly to their machines and setting up network printers in various locations in the office, instead.

After you’ve completed the initial configuration, the server administration team in New York will take over the management of the server. They’re located on the fifth floor and this server will be on the eighth floor, so they’d like to have some type of remote access to the server to perform their management tasks. I believe there are four of them who will be working together to manage the server; I’ll leave the solution for this up to you.


One more thing, the New York admins would also like to be able to back up the server on a regular basis, so I’d like you to configure the server to give them the ability to do local backups.

That’s it for now, let me know if you need anything, and enjoy New York.

Regards,

Ed

Task 2: Determine the server roles, server features, and installation types.

1. Complete the requirements document by answering the following questions:

New York Location New Server Final Configuration Plan

Document Reference Number: CW010210/1

Document Author: You

Date: Apr 24, 2011

Requirements Overview

To determine the server roles and features to be installed on the newly deployed NYC-SVR1.

Additional Information

The server must be able to provide network printing capabilities for the New York City office. Administrators in New York will manage the server from their desktop computers and will also be responsible for ensuring the new server is backed up.

Questions

1. What server role(s) should be installed on NYC-SVR1? How should the server role(s) be configured?

2. What additional server features will be needed to fulfill the requirements specified by Ed?

3. Are there any additional management considerations that need to be considered for the ongoing management of NYC-SVR1?

Results: After completing this exercise, you should have determined the server roles, server features, and installation types to install on NYC-SVR1, according to the requirements document.


Exercise 2: Install Windows Server 2008 Server Roles and Features

Lab Scenario

You have read the requirements document and determined what server roles and features need to be installed on NYC-SVR1. Using your implementation proposal, you have been asked to implement the recommended server roles and server features on NYC-SVR1 and report to Ed regarding which management tools need to be installed on the desktop computers of the Server Admins group.

The main tasks for this exercise are as follows:

1. Use Server Manager to install the Print and Document Services Server Role.

2. Use Server Manager to install the Windows Server Backup Features.

Task 1: Use Server Manager to install the Print and Document Services Server Role.

1. Connect to the 6419B-NYC-SVR1 virtual machine and log on with the user name Administrator and the password Pa$$w0rd.

2. Open Server Manager from the Start Menu.

3. Open the Roles node in Server Manager and add the Print and Document Services server role.

Task 2: Use Server Manager to install the Windows Server Backup Features.

1. Within Server Manager, select the Features node.

2. Add the Windows Server Backup feature.

3. Close Server Manager.

Result: After completing this exercise, you will have used Server Manager to install server roles and server features.


Exercise 3: Manage Windows Server 2008 Server Core

Lab Scenario

You have been asked to complete the configuration for another server in the New York location.

A new server running the Windows Server 2008 R2 Server Core installation has been installed in the New York location. You have been asked to finalize the network configuration on the server and configure the newly named NYC-SVRCORE to enable Server Manager access for remote management.

The network information is as follows.

NYC-SVRCORE Configuration Spec Sheet

IP State: STATIC
IP Address: 10.10.0.20
Subnet Mask: 255.255.0.0
Default Gateway: 10.10.0.1
Primary DNS: 10.10.0.10
Secondary DNS: None
Domain membership: Contoso.com
Computer name: NYC-SVRCORE

• Please install the Windows Server Backup feature on this server so the New York IT staff can perform backup and recovery operations.

• Please enable remote administration to allow the New York IT staff to manage this server remotely by using Server Manager.

The main tasks for this exercise are as follows:

1. Use Sconfig to configure Server Core installation options.

2. Use Dism to enable the Windows Server Backup feature.

3. Configure Server Core to enable Server Manager remote administration.

4. Use Server Manager to connect to Server Core.

Task 1: Use Sconfig to configure Server Core installation options.

1. Connect to the 6419B-NYC-SVRCORE virtual machine and log on with the user name Administrator and the password Pa$$w0rd.

2. Start Sconfig and use the menu options to configure the IP address settings according to the information supplied.

3. Join the computer to the Contoso.com domain and rename it to NYC-SVRCORE.

Task 2: Use Dism to install the Windows Server Backup feature

1. Connect to the 6419B-NYC-SVRCORE virtual machine and log on with the user name Administrator and the password Pa$$w0rd.

2. Run the Dism command using the /online and /get-features switches to confirm that the WindowsServerBackup feature is not installed.

3. Run the Dism command using the /online, /enable-feature and /featurename: switches to install the WindowsServerBackup feature.


4. Run the Dism command using the /online and /get-features switches to verify the Windows Server Backup feature has been installed.
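The Task 2 Dism steps as a PowerShell script, an added example that is not part of the course lab: it reads the /get-features output, enables the feature with the same switches the task names, and then re-reads the state instead of assuming the install worked. It assumes an elevated prompt on the Server Core machine, the real /NoRestart switch (not mentioned in the task), and Dism's exit code 3010 for "restart required".

```powershell
# Added example, not part of the course lab. Run from an elevated prompt on the
# Server Core machine (NYC-SVRCORE in this exercise). Feature names are exact.

function Get-DismFeatureState {
    param([Parameter(Mandatory=$true)][string]$FeatureName)
    # "dism /online /get-features" lists each feature as a
    # "Feature Name : <name>" line followed by a "State : <state>" line.
    $lines = @(& dism.exe /online /get-features)
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match ('^Feature Name\s*:\s*' + [regex]::Escape($FeatureName) + '\s*$')) {
            for ($j = $i + 1; $j -lt $lines.Count; $j++) {
                if ($lines[$j] -match '^State\s*:\s*(.+?)\s*$') { return $Matches[1] }
            }
        }
    }
    return $null   # the image does not know this feature name
}

function Enable-DismFeature {
    param([Parameter(Mandatory=$true)][string]$FeatureName)
    $state = Get-DismFeatureState -FeatureName $FeatureName
    if ($state -eq $null) { throw "Feature '$FeatureName' does not exist in this image" }
    if ($state -eq 'Enabled') {
        Write-Output "$FeatureName is already enabled; nothing to do."
        return
    }
    # Step 3 of the task. /NoRestart keeps the reboot decision with the operator
    # rather than letting the servicing stack restart a server unannounced.
    & dism.exe /online /enable-feature "/featurename:$FeatureName" /NoRestart
    # Dism returns 0 on success and 3010 when a restart is needed to finish.
    if ($LASTEXITCODE -ne 0 -and $LASTEXITCODE -ne 3010) {
        throw "Dism failed with exit code $LASTEXITCODE"
    }
    if ($LASTEXITCODE -eq 3010) { Write-Warning "Restart required to complete $FeatureName" }
    # Step 4 of the task: confirm the state rather than trusting the install line.
    $after = Get-DismFeatureState -FeatureName $FeatureName
    if (@('Enabled', 'Enable Pending') -notcontains $after) {
        throw "$FeatureName still reports state '$after'"
    }
    Write-Output "$FeatureName now reports state '$after'."
}

# Only the feature the requirements call for; leaving everything else disabled
# keeps the Server Core attack surface as small as it was shipped.
Enable-DismFeature -FeatureName 'WindowsServerBackup'
```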

Task 3: Use Sconfig to configure Server Core remote management

1. Start Sconfig and navigate to the Configure Remote Management screen.

2. Enable both Windows PowerShell and Server Manager remote administration options. Restart when prompted and log back on as Administrator with the password of Pa$$w0rd.

Task 4: Use Server Manager to connect to Server Core

1. Connect to the 6419B-NYC-DC1 virtual machine and log on with the user name Administrator and the password Pa$$w0rd.

2. Open Server Manager from the Administrative Tools section on the Start Menu .

3. In Server Manager , connect to NYC-SVRCORE.

4. View the Server Manager nodes available.

Result: After completing this exercise, you should have performed management tasks on a Server Core installation of Windows Server 2008.

To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6419B-NYC-SVR1 and 6419B-NYC-SVRCORE.


Module Review and Takeaways

Review Questions

1. Why would an organization want to limit the server roles installed on a server?

2. What management tool would you recommend for a new junior administrator who has been asked to manage a Server Core installation of Windows Server 2008 R2?

Common Issues Related to Using Server Manager Remotely

Issue: Cannot connect to remote servers by using Server Manager
Troubleshooting Tip:

Tools

Tool: Windows Server 2008 R2 Server Role Migration Guides
Use for: Determining how to migrate server roles from previous versions of the Windows Server operating system
Where to find it:

Tool: Microsoft Assessment and Planning (MAP) Toolkit
Use for: Simplifying and streamlining the IT infrastructure planning by assessing existing environments
Where to find it:

Tool: Server Manager
Use for: Managing a Windows Server 2008 server
Where to find it: Start Menu

Tool: Remote Server Administration Tools (RSAT) for Windows 7
Use for: Managing Windows Server 2008 R2 servers remotely
Where to find it:

Tool: Ocsetup.exe
Use for: Adding and removing Server Core roles and features
Where to find it: Command-line

Tool: Dism.exe
Use for: Adding and removing Server Core roles and features in Windows Server 2008 R2
Where to find it: Command-line

Tool: Sconfig.exe
Use for: Managing a Server Core installation of Windows Server 2008 (R2 only)
Where to find it: Type Sconfig.exe at the command line

New Features and Changes

Feature / Version / Module Reference

Foundation Edition licensing option

64-bit hardware support only

New Server Roles available

New Features Available

Server Manager remote management

New RSAT

New Server Core Roles available

New Server Core Features available

Administer Server Core remotely by using Server Manager

Deployment Image Servicing and Management Tool (Dism.exe)

Sconfig configuration tool for Server Core


Module 2

Managing Windows Server 2008 Infrastructure Roles

Contents:

Lesson 1: Understanding IPv6 Addressing 2-3

Lesson 2: Overview of the DNS Server Role 2-18

Lesson 3: Configuring DNS Zones 2-29

Lab A: Installing and Configuring the DNS Server Role 2-41

Lesson 4: Overview of the DHCP Server Role 2-46

Lesson 5: Configuring DHCP Scopes and Options 2-53

Lab B: Installing and Configuring the DHCP Server Role 2-65


Lesson 1

Understanding IPv6 Addressing

Internet Protocol (IP) version 4 is the most commonly used communication protocol for both the Internet and internal network environments. Although IPv4 is robust and scalable, new technologies and higher demand have paved the way for the eventual adoption of IPv6.

To use the various Windows Server 2008 features, such as Network Discovery and DirectAccess (Windows Server 2008 R2), you need a better understanding of the IPv6 address space and its integration with the existing IPv4 networks through transition and tunneling technologies.

Objectives

After completing this lesson, you will be able to:

• Describe the differences between IPv4 and IPv6.

• Describe the benefits of using IPv6.

• Describe the IPv6 address space.

• Describe the types of IPv6 addresses.

• Describe the IPv6 address autoconfiguration process.

• Describe IPv6 over IPv4 tunneling.

• Describe IPv6 tunneling technologies.


Differences Between IPv4 and IPv6

Key Points

Traditionally, IPv4, due to its simplicity and interoperability, has been used to meet the growing demands of both internal networks and the Internet. However, it is quickly becoming outdated in both public address space availability and supported functionality.

The various challenges faced by IPv4 include:

• Unavailability of the IPv4 address space. With IPv4 public address spaces becoming scarce, many organizations have started implementing the network address translator (NAT) technology to map multiple private IP addresses to a single public IP address. NAT decreases the number of public IP addresses required for internal networks, but it does not support standards-based network layer security or map all high layer protocols. This can cause connectivity issues between organizations that use private IP addressing schemes. In addition, the rise of IP-based devices, such as mobile assistants and household appliances, has increased the need for an efficient method for IP streaming, security, and address allocation.

• Need for simpler configuration. IPv4 relies on manual configuration or automatic configuration through DHCP. The auto-address configuration of DHCP and IPv4 supports only a local subnet. With the need to manage and communicate with Internet-based devices, automatic configuration of addresses and settings that do not rely on a DHCP infrastructure has become important.

• Need for more efficient real-time data delivery. The increased use of multimedia streaming over the Internet has paved the way for quality of service (QoS) requirements that are only efficiently addressed when integrated within the IP protocol itself.

• Security requirements at the IP level. Security over a public network, such as the Internet, requires encryption services that protect data from being viewed or modified during transit. IPv4 supports the Internet Protocol Security (IPsec) standard. However, implementation of IPsec in IPv4 is optional and is typically implemented by using a variety of solutions.


Note: To address many of these concerns, the Internet Engineering Task Force (IETF) has developed IPv6 as described in Request for Comments (RFC) 4291.

IPv4 and IPv6 Comparison

The following table lists the differences between IPv4 and IPv6:

IPv4: Source and destination addresses are 32 bits (4 bytes) in length
IPv6: Source and destination addresses are 128 bits (16 bytes) in length

IPv4: IPsec support is optional
IPv6: IPsec support is required

IPv4: The IPv4 header does not include any packet flow identification for QoS
IPv6: Packet-flow identification for QoS handling by routers is included in the IPv6 header that uses the Flow Label field

IPv4: Fragmentation is done by routers and the sending host
IPv6: Fragmentation is only by the sending host

IPv4: Header includes a checksum
IPv6: Header does not include a checksum

IPv4: Header includes options
IPv6: All optional data is moved to IPv6 extension headers

IPv4: Address Resolution Protocol (ARP) uses broadcast ARP Request frames to resolve an IPv4 address to a link-layer address
IPv6: ARP Request frames are replaced with multicast Neighbor Solicitation messages

IPv4: Internet Group Management Protocol (IGMP) is used to manage local subnet group membership
IPv6: IGMP is replaced with Multicast Listener Discovery (MLD) messages

IPv4: Internet Control Message Protocol (ICMP) Router Discovery, which is optional, is used to determine the IPv4 address of the best default gateway
IPv6: ICMP Router Discovery, which is required, is replaced with ICMPv6 router solicitation and router advertisement messages

IPv4: Broadcast addresses are used to send traffic to all nodes on a subnet
IPv6: There are no broadcast addresses in IPv6, their function being superseded by multicast addresses. Link-Local Unicast addresses are designed to be used for addressing on a single link for purposes such as automatic address configuration, neighbor discovery, or when no routers are present. Link-Local multicast scope spans the same topological region as the corresponding unicast scope.

IPv4: Must be configured either manually or through DHCP
IPv6: Does not require manual configuration or DHCP

IPv4: Uses host address (A) resource records in the DNS to map host names to IPv4 addresses
IPv6: Uses host address (AAAA) resource records in DNS to map host names to IPv6 addresses

IPv4: Uses pointer (PTR) resource records in the IN-ADDR.ARPA DNS domain to map IPv4 addresses to host names
IPv6: Uses PTR resource records in the IP6.ARPA DNS domain to map IPv6 addresses to host names

IPv4: Must support a 576-byte packet size (possibly fragmented)
IPv6: Must support a 1280-byte packet size (without fragmentation)


Benefits of Using IPv6

Key Points

The IPv6 standard introduces several benefits to the networking infrastructure such as the following:

• Large address space. IPv6 uses a 128-bit address space, which allows for 3.4 × 10^38 or 340,282,366,920,938,463,463,374,607,431,768,211,456 possible addresses.

• Hierarchical addressing and routing infrastructure. The IPv6 address space is designed to be more efficient for routers, which means that even though there are many more addresses, routers can process data much more efficiently because of address optimization.

• Stateless and Stateful address configuration. Stateless address configuration refers to host IP configuration without a DHCP server. Stateful address configuration refers to host IP configuration that uses a DHCP server. IPv6 supports both stateless and stateful address configuration. With stateless address configuration, hosts automatically configure themselves with IPv6 link-local addresses along with additional addresses advertised by local routers.

• Built-in security. IPv6 has built-in IP security, which facilitates configuration of secure network connections.

• Prioritized delivery. IPv6 contains a field in the packet that allows network devices to determine the specified rate at which the packet should be processed. This allows traffic prioritization or QoS. For example, when streaming video traffic, it is critical that the packets arrive in a timely manner. You can set this field to ensure that network devices determine that the packet delivery is time-sensitive.

• Neighbor detection. IPv6 uses the Neighbor Discovery protocol to manage the interaction between nodes within the same network link. Neighbor Discovery replaces the broadcast-based Address Resolution Protocol (ARP) with more efficient multicast and unicast communication within the same network segment.

• Extensibility . IPv6 has been designed so that it can be extended with fewer constraints than IPv4.


IPv6 Address Space

Key Points

A traditional IPv4-based IP address is expressed in four groups of decimal numbers, such as 192.168.1.1.

Each set of numbers represents a binary octet. In the binary system, the preceding number is:

11000000.10101000.00000001.00000001

(4 octets = 32 Bits)

The size of an IPv6 address is 128 bits, which is four times larger than an IPv4 address. IPv6 addresses are expressed as hexadecimal addresses. For example, an IPv6 address may look like:

2001:DB8:0:2F3B:2AA:FF:FE28:9C5A

This may seem counterintuitive for end users. However, the average user relies on DNS name resolution and seldom types IPv6 addresses manually.

Hexadecimal Numbering System (Base 16)

The hexadecimal system (Hex) uses a base 16 represented by sixteen distinct symbols. These symbols include:

• 0-9: represent values 0 to 9

• A-F: represent values 10 to 15

For example, if you convert the decimal number 9 to Hex, the result will be Hex 9. However, if you continue and convert the decimal number 10 to Hex, the result will be Hex A. Similarly, the decimal number 11 will result in Hex B.


Using Letters to Represent Numbers

Letters represent numbers, because in the Hex system (base 16), there must be 16 unique symbols for each position. Because 10 symbols (0 through 9) already exist, the six new symbols for the Hex system are A through F.

To convert an IPv6 binary address, which is 128 bits in length, to hexadecimal, perform the following steps on this example address:

00100000000000010000110110111000000000000000000000101111001110110000001010101010000000001111111111111110001010001001110001011010

1. Organize the 128-bit address into eight groups of 16 bits.

0010000000000001 0000110110111000 0000000000000000 0010111100111011 0000001010101010 0000000011111111 1111111000101000 1001110001011010

2. Break down each set of 16 bits into sets of four bits and assign a value of 1, 2, 4, or 8 to each of the four binary numbers, starting from the right and moving left.

If the first bit, starting on the right, has a value of 1, assign a value of 1. If the second bit has a value of 1, assign a value of 2. If the third bit has a value of 1, assign a value of 4. If the fourth (and leftmost) bit has a value of 1, assign a value of 8.

To derive the hexadecimal value for this section of four bits, add up the values assigned to each bit where the bits are set to 1. For the first group [0010], the only bit that is set to 1 is the bit assigned the 2 value. The rest are set to zero. Thus, the hex value of this set of four bits is 2.

The first 16 bits in the example are equal to Hex 2001.

Student Exercise

In the following table, calculate the Hex values for the remaining 16-bit groups of the 128-bit address. The first one is done for you.

Binary Hexadecimal

0010 0000 0000 0001 2001

0000 1101 1011 1000

0000 0000 0000 0000

0010 1111 0011 1011

0000 0010 1010 1010

0000 0000 1111 1111

1111 1110 0010 1000

1001 1100 0101 1010

Each 16-bit block, expressed as four Hex characters, is delimited by using colons. The result is as follows:

2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A


3. You can simplify IPv6 representation by removing the leading zeros within each 16-bit block. However, each block must have at least a single digit. After you remove the leading zeros, the result is as follows:

2001:DB8:0:2F3B:2AA:FF:FE28:9C5A

4. To further simplify IPv6 notation, a contiguous sequence of 16-bit blocks that are set to 0 can be compressed by using the double colon (::). The computer recognizes “::” and substitutes the colon sequence with the number of zeros necessary to make the appropriate IPv6 address.

In the following example, the address is expressed by using zero compression:

2001:DB8::2F3B:2AA:FF:FE28:9C5A

To determine how many 16-bit blocks are represented by the (::), count the number of blocks in the compressed address and subtract this number from eight. Using the above example, there are seven blocks. Subtract seven from eight and the result is one. Thus, there is one block of zeros in the address where the double colon is located.

In a given address, you can use zero compression only once. Otherwise, you cannot determine thenumber of 0 bits represented by each instance of a double colon (::).
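The four conversion steps above as PowerShell functions, an added example rather than part of the lesson: binary to 16-bit hex blocks, leading-zero removal, zero compression, and the reverse expansion using the eight-minus-blocks rule. The input is the lesson's own 128-bit address; the normalization matters to a defender because one IPv6 address can be spelled several ways in logs and access lists, and only the expanded forms compare equal.

```powershell
# Added example, not from the course text. Whitespace in the binary input is ignored.

function ConvertTo-IPv6Hex {
    param([Parameter(Mandatory=$true)][string]$Binary)
    $bits = $Binary -replace '\s', ''
    if ($bits.Length -ne 128 -or $bits -notmatch '^[01]+$') {
        throw "Expected 128 binary digits"
    }
    $blocks = @()
    # Step 1: eight groups of 16 bits.
    for ($i = 0; $i -lt 128; $i += 16) {
        $block = $bits.Substring($i, 16)
        $hex = ''
        # Step 2: each set of four bits carries the weights 8, 4, 2, 1 (left to
        # right); the sum of the weights of the bits set to 1 is one hex digit.
        for ($n = 0; $n -lt 16; $n += 4) {
            $nibble = $block.Substring($n, 4)
            $weights = 8, 4, 2, 1
            $value = 0
            for ($b = 0; $b -lt 4; $b++) {
                if ($nibble[$b] -eq '1') { $value += $weights[$b] }
            }
            $hex += '0123456789ABCDEF'[$value]
        }
        $blocks += $hex
    }
    return ($blocks -join ':')
}

function Compress-IPv6 {
    param([Parameter(Mandatory=$true)][string]$Address)
    # Step 3: drop leading zeros but keep at least one digit per block.
    $blocks = @($Address.Split(':') | ForEach-Object {
        $t = $_.TrimStart('0'); if ($t -eq '') { '0' } else { $t }
    })
    # Step 4: replace the longest run of zero blocks (first run wins a tie) with "::".
    $bestStart = -1; $bestLen = 0; $i = 0
    while ($i -lt $blocks.Count) {
        if ($blocks[$i] -ne '0') { $i++; continue }
        $j = $i
        while ($j -lt $blocks.Count -and $blocks[$j] -eq '0') { $j++ }
        if (($j - $i) -gt $bestLen) { $bestStart = $i; $bestLen = $j - $i }
        $i = $j
    }
    if ($bestLen -eq 0) { return ($blocks -join ':') }
    $left = ''; $right = ''
    if ($bestStart -gt 0) { $left = $blocks[0..($bestStart - 1)] -join ':' }
    $after = $bestStart + $bestLen
    if ($after -lt $blocks.Count) { $right = $blocks[$after..($blocks.Count - 1)] -join ':' }
    return "${left}::${right}"
}

function Expand-IPv6 {
    param([Parameter(Mandatory=$true)][string]$Address)
    $halves = $Address -split '::'
    if ($halves.Count -gt 2) { throw "'::' may appear only once in $Address" }
    if ($halves.Count -eq 2) {
        $left  = @($halves[0] -split ':' | Where-Object { $_ -ne '' })
        $right = @($halves[1] -split ':' | Where-Object { $_ -ne '' })
        # The lesson's rule: eight minus the blocks written out is the number
        # of zero blocks hidden behind "::".
        $missing = 8 - ($left.Count + $right.Count)
        if ($missing -lt 1) { throw "'::' must stand for at least one block" }
        $blocks = $left + (@('0') * $missing) + $right
    } else {
        $blocks = @($Address -split ':')
    }
    if ($blocks.Count -ne 8) { throw "Expected 8 blocks in $Address" }
    return ($blocks | ForEach-Object { $_.PadLeft(4, '0').ToUpper() }) -join ':'
}

# The lesson's 128-bit address, grouped for readability.
$lessonBits = '0010000000000001 0000110110111000 0000000000000000 0010111100111011 ' +
              '0000001010101010 0000000011111111 1111111000101000 1001110001011010'
$full  = ConvertTo-IPv6Hex -Binary $lessonBits
$short = Compress-IPv6 -Address $full
$back  = Expand-IPv6 -Address $short
if ($short -ne '2001:DB8::2F3B:2AA:FF:FE28:9C5A' -or $back -ne $full) { throw 'Round trip failed' }
Write-Output $full $short $back
# Two spellings of one address only compare equal after expansion, which is why
# log searches and ACL comparisons should normalize first.
Write-Output ((Expand-IPv6 '2001:db8:0:0:0:0:0:1') -eq (Expand-IPv6 '2001:DB8::1'))
```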


Types of IPv6 Addresses

Key Points

There are three main types of IPv6 addresses:

• Unicast. Identifies a single interface within the address scope. Packets that are addressed to this address are delivered to a single interface.

• Multicast. Identifies multiple interfaces and delivers packets to all interfaces that are identified by the address. It is used for one-to-many communication over a network infrastructure.

• Anycast. Identifies multiple interfaces, but delivers packets to the nearest interface. It is used for one-to-many communication, with delivery to a single interface.

Types of Unicast IPv6 Addresses

Unicast addresses can consist of the following scopes:

• Global. Global unicast addresses can be compared with public IPv4 addresses. This type of address is globally routable throughout the IPv6 portion of the Internet. The global address starts with 2000: and is typically written as 2000::/3. The first three bits are always set to 001 to identify and distinguish this type of address from other IPv6 addresses.

• Link-Local. Link-local addresses can be compared with IPv4 Automatic Private IP Addressing (APIPA), which uses 169.254.0.0/16. IPv6 link-local addresses can communicate with hosts on the same link, and are not routable. Link-local addresses are automatically assigned and always begin with FE80, written as FE80::/64.

• Unique-Local. Unique-local addresses represent an entire organizational site or a portion of the site. This type of IPv6 address can be compared with the IPv4 private address spaces 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Unique-local addresses are routable throughout an organization, but are not configured to be routed outside of the organization's network. These addresses are not automatically generated, and must be assigned by using the auto-assignment methods that IPv6 supports. Unique-local addresses are always expressed as FC00::/7 or FD00::/8.


Note: Unique-local addresses replace a previous IPv6 type called site-local addresses, which were defined for the block FEC0::/10. For more information on the deprecation of site-local addresses, read RFC 3879 at http://tools.ietf.org/html/rfc3879.

• Loopback Address. A loopback address is used to identify a loopback interface, which allows a node to send packets to itself. The IPv6 loopback address is expressed as 0:0:0:0:0:0:0:1 or ::1. This can be compared with the IPv4 loopback address of 127.0.0.1.
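The zero-compression rules from the previous topic and the address ranges listed above, written as checkable code. This is an added example, not from the handbook: the function names are this example's, the sample addresses are the handbook's own plus constructed ones, and the scope checks use the standard prefix lengths (FE80::/10 for link-local, FC00::/7 for unique-local).

```python
# Added example, not from the handbook: expanding and compressing IPv6 text
# addresses by the rules above, then classifying an address by its leading bits.
HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(text):
    """Return the eight 16-bit blocks of an address, each padded to four hex digits."""
    if text.count("::") > 1:
        # Zero compression may be used only once; otherwise the number of
        # blocks each '::' stands for cannot be determined.
        raise ValueError("'::' may appear only once")
    if "::" in text:
        head, tail = text.split("::")
        head_blocks = head.split(":") if head else []
        tail_blocks = tail.split(":") if tail else []
        # Count the explicit blocks and subtract from eight: that is how many
        # zero blocks the '::' replaces.
        missing = 8 - (len(head_blocks) + len(tail_blocks))
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero block")
        blocks = head_blocks + ["0"] * missing + tail_blocks
    else:
        blocks = text.split(":")
    if len(blocks) != 8:
        raise ValueError("expected eight 16-bit blocks, got %d" % len(blocks))
    for block in blocks:
        # Leading zeros may be dropped, but every block keeps at least one digit.
        if not 1 <= len(block) <= 4 or not set(block) <= HEX_DIGITS:
            raise ValueError("invalid 16-bit block %r" % block)
    return [block.upper().zfill(4) for block in blocks]


def compress_ipv6(text):
    """Drop leading zeros, then replace the longest run of zero blocks with '::' once."""
    blocks = [block.lstrip("0") or "0" for block in expand_ipv6(text)]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if blocks[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and blocks[j] == "0":
            j += 1
        if j - i > best_len:              # the first run wins a tie
            best_start, best_len = i, j - i
        i = j
    if best_len == 0:
        return ":".join(blocks)
    head = ":".join(blocks[:best_start])
    tail = ":".join(blocks[best_start + best_len:])
    return head + "::" + tail


def classify_ipv6(text):
    """Name the address type from its leading bits."""
    blocks = expand_ipv6(text)
    first = int(blocks[0], 16)
    if blocks == ["0000"] * 7 + ["0001"]:
        return "loopback"                 # ::1, the counterpart of 127.0.0.1
    if first >> 13 == 0b001:
        return "global unicast"           # 2000::/3, first three bits 001
    if first >> 6 == 0xFE80 >> 6:
        return "link-local"               # FE80::/10, never routed off the link
    if first >> 9 == 0xFC00 >> 9:
        return "unique-local"             # FC00::/7, which contains FD00::/8
    return "other"


def rejects(text):
    """True when `text` is not a valid IPv6 address under the rules above."""
    try:
        expand_ipv6(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for sample in ["2001:DB8::2F3B:2AA:FF:FE28:9C5A", "FE80::1", "FD00::1", "::1"]:
        print(sample, ":".join(expand_ipv6(sample)), classify_ipv6(sample))
```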


Address Autoconfiguration for IPv6

Key Points

A network client proceeds through several states as it goes through the autoconfiguration process, and there are several ways to assign an IP address and additional options. Based on how the router is set up, a client may use stateless configuration (no DHCP service) or stateful configuration with the DHCP server involved. Stateful configuration can be used to assign an IP address and additional network settings, or only to assign options such as DNS server references and router IP addresses.

During autoconfiguration, the client computer proceeds through the following high-level process:

1. The IPv6 client autoconfigures a link-local address for each interface used to communicate with other hosts on the same link.

2. IPv6 Neighbor Discovery performs neighbor solicitation to ensure that there are no address conflicts.

3. Router discovery takes place to determine the local routers on an attached link.

4. It is determined whether the node should use a stateful address protocol, such as DHCPv6, for addresses and other configuration parameters. A host uses stateful address configuration when a router advertisement is received with either the Managed Address Configuration flag or the Other Stateful Configuration flag set to 1. Stateful address configuration is also performed if there are no routers on the local link.

5. All network prefixes defined for the link are obtained from the router. Prefixes include the range of addresses for nodes on the local link and the valid and preferred lifetimes. If the appropriate stateful flags are set, information may be obtained from DHCP.

Communication with DHCP

When an IPv6-based host attempts to communicate with a DHCP server, it uses its link-local, self-assigned IP address. This is different from IPv4, which uses ARP broadcasts.


Using stateful configuration allows organizations to control how IP addresses are assigned by using DHCPv6. By default, an IPv6 host uses stateless autoconfiguration, but will use stateful address autoconfiguration if the following flags are configured in the Router Advertisement message that a neighboring router sends:

• Managed Address Configuration flag. This flag is also known as the M flag. If this flag is configured, it instructs the IPv6 host to use DHCPv6 to obtain an IP address.

• Other Stateful Configuration flag. This flag is also known as the O flag. If this flag is configured, it instructs the IPv6 host to use DHCPv6 to obtain other configuration settings such as DNS server IP addresses. If your organization wants to leverage technologies such as Network Access Protection (NAP), you must configure clients with additional options that integrate into DHCP. If there are any specific scope options that you need to configure, you need a DHCP server.

It is possible to use a combination of both stateless and stateful configuration. In such a case, you can use the router to assign IP address ranges and then use DHCPv6 to assign other configuration settings.

Note: On Windows Server 2008-based routers, you can use the following command to configure the M and O flags:

netsh interface ipv6 set interface "Local Area Connection" managedaddress=enabled otherstateful=enabled

Autoconfigured Address States

Autoconfigured addresses are in one or more of the following states:

• Tentative. Verification occurs to determine whether the address is unique. This verification is called duplicate address detection. A node cannot receive unicast traffic to a tentative address. It can, however, receive and process multicast Neighbor Advertisement messages sent in response to the Neighbor Solicitation message that is sent during duplicate address detection. This ensures that the interface can validate that its address is unique.

• Valid. The address has been verified as unique, and can send and receive unicast traffic. The valid state covers the preferred and deprecated states. The Valid Lifetime field in the Prefix Information option of a Router Advertisement message determines the time that an address remains in the tentative and valid states. The valid lifetime must be greater than or equal to the preferred lifetime. A valid address is either preferred or deprecated.

• Preferred. The address enables a node to send and receive unicast traffic. The Preferred Lifetime field in the Prefix Information option of a Router Advertisement message determines the time that an address can remain in the tentative and preferred states.

• Deprecated. The address is valid, but its use is discouraged for new communication. Existing communication sessions can continue to use a deprecated address. A node can send and receive unicast traffic to and from a deprecated address.

• Invalid. The address no longer allows a node to send or receive unicast traffic. An address enters the invalid state after the valid lifetime expires.
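A small model of the two decisions described above: how the M and O flags (or the absence of a router) select stateless or DHCPv6 configuration, and how the preferred and valid lifetimes move an address through the tentative, preferred, deprecated and invalid states. This is an added example, not from the handbook; the RouterAdvertisement class and the function names are this example's, and the lifetimes are constructed.

```python
# Added example, not from the handbook: the autoconfiguration decision and the
# address-state timeline, as a model. Field names and sample lifetimes are
# this example's assumptions; the M and O flags are the handbook's.
from dataclasses import dataclass


@dataclass
class RouterAdvertisement:
    managed: bool            # M flag: obtain the address from DHCPv6
    other_stateful: bool     # O flag: obtain other settings (DNS servers, ...) from DHCPv6
    preferred_lifetime: int  # seconds, from the Prefix Information option
    valid_lifetime: int      # seconds, must be >= preferred_lifetime


def configuration_plan(ra):
    """Say where the host gets its address and its other settings.

    `ra` is the Router Advertisement received on the link, or None when
    router discovery found no router at all.
    """
    if ra is None:
        # No routers on the local link: stateful (DHCPv6) configuration is used.
        return {"address": "DHCPv6", "options": "DHCPv6"}
    return {
        # M flag set: address from DHCPv6; otherwise stateless, from the advertised prefix.
        "address": "DHCPv6" if ra.managed else "stateless",
        # O flag set: DNS servers and other options from DHCPv6; otherwise from the RA.
        "options": "DHCPv6" if ra.other_stateful else "router advertisement",
    }


def address_state(ra, elapsed, dad_complete):
    """State of an autoconfigured address `elapsed` seconds after it was formed.

    `dad_complete` is whether duplicate address detection has confirmed that the
    address is unique; until then it stays tentative and cannot receive unicast.
    """
    if ra.valid_lifetime < ra.preferred_lifetime:
        raise ValueError("valid lifetime must be >= preferred lifetime")
    if not dad_complete:
        return "tentative"
    if elapsed < ra.preferred_lifetime:
        return "preferred"      # valid: usable for new and existing sessions
    if elapsed < ra.valid_lifetime:
        return "deprecated"     # still valid, but not for new sessions
    return "invalid"            # valid lifetime over: no unicast at all


if __name__ == "__main__":
    # Constructed RA: stateless address, options from DHCPv6 (the mixed mode).
    ra = RouterAdvertisement(managed=False, other_stateful=True,
                             preferred_lifetime=600, valid_lifetime=3600)
    print(configuration_plan(ra))
    for t in (0, 599, 600, 3600):
        print(t, address_state(ra, t, dad_complete=True))
```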


IPv6 over IPv4 Tunneling

Key Points

As organizations transition from an IPv4-only network to IPv6, hosts must be able to communicate by using both IP standards. Windows Vista, Windows 7, and Windows Server 2008 support a dual layer IP architecture that contains both IPv4 and IPv6 Internet layers with a single implementation of the protocol stack. This dual layer architecture allows for IPv4 packets, IPv6 packets, and IPv6 over IPv4 packets.

Windows Server 2003 and Windows XP use a dual stack architecture that contains a separate implementation of TCP and UDP for both IPv4 and IPv6. The dual stack architecture provides the same functionality as the dual layer IP architecture, and so provides support for legacy operating systems.

To communicate over an IPv4 infrastructure, IPv6 over IPv4 tunneling can be used. IPv6 over IPv4 tunneling encapsulates IPv6 packets within an IPv4 header so that IPv6 packets can be sent over an IPv4 infrastructure.

Within the IPv4 header:

• The IPv4 Protocol field is set to 41 to indicate an encapsulated IPv6 packet.

• The Source and Destination fields are set to the IPv4 addresses of the tunnel endpoints. You can configure tunnel endpoints manually as part of the tunnel interface. Otherwise, they are derived automatically from the next-hop address of the matching route for the destination and the tunneling interface.
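The two header rules above in working form: building the outer IPv4 header that carries a tunnelled IPv6 packet (Protocol 41, Source and Destination set to the tunnel endpoints) and checking one on receipt. This is an added example, not from the handbook or the Windows stack; the IPv6 payload and the endpoint 131.107.0.5 are constructed, 157.60.0.1 is the address the handbook uses in its 6to4 example.

```python
# Added example, not from the handbook: encapsulating an IPv6 packet in an IPv4
# header with Protocol = 41, and decapsulating it again after verifying the
# header. Sample payload and endpoints are constructed.
import struct

IPPROTO_IPV6 = 41  # IPv4 Protocol field value for an encapsulated IPv6 packet


def ipv4_checksum(header):
    """Standard one's-complement checksum over an IPv4 header (0 if it verifies)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_bytes(dotted):
    return bytes(int(x) for x in dotted.split("."))


def encapsulate(ipv6_packet, src_endpoint, dst_endpoint, ttl=64):
    """Prepend a 20-byte IPv4 header (no options) whose endpoints are the tunnel ends."""
    if len(ipv6_packet) < 40 or ipv6_packet[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 packet")
    total_length = 20 + len(ipv6_packet)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_length, 0, 0, ttl, IPPROTO_IPV6, 0,
                         ipv4_bytes(src_endpoint), ipv4_bytes(dst_endpoint))
    checksum = ipv4_checksum(header)           # computed with the field zeroed
    header = header[:10] + struct.pack("!H", checksum) + header[12:]
    return header + ipv6_packet


def decapsulate(ipv4_packet):
    """Return (src, dst, ipv6_packet) for an intact Protocol-41 packet, else None."""
    if len(ipv4_packet) < 20 or ipv4_packet[0] >> 4 != 4:
        return None
    ihl = (ipv4_packet[0] & 0x0F) * 4
    header = ipv4_packet[:ihl]
    if ipv4_checksum(header) != 0:
        return None                            # damaged or altered header
    total_length = struct.unpack("!H", header[2:4])[0]
    if header[9] != IPPROTO_IPV6:
        return None                            # not IPv6 over IPv4
    src = ".".join(str(b) for b in header[12:16])
    dst = ".".join(str(b) for b in header[16:20])
    return src, dst, ipv4_packet[ihl:total_length]


# Constructed minimal IPv6 packet: version 6, payload length 0, next header 59
# (No Next Header), hop limit 64, documentation-range source and destination.
SAMPLE_IPV6 = struct.pack("!IHBB16s16s",
                          0x60000000, 0, 59, 64,
                          bytes.fromhex("20010db8000000000000000000000001"),
                          bytes.fromhex("20010db8000000000000000000000002"))


if __name__ == "__main__":
    packet = encapsulate(SAMPLE_IPV6, "131.107.0.5", "157.60.0.1")
    print(len(packet), "bytes, protocol", packet[9])
    print(decapsulate(packet)[:2])
```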


Overview of IPv6 Tunneling Technologies

Key Points

The tunneling technologies used for IPv6 over IPv4 tunneling include:

• ISATAP. Local intranets can use Intra-site Automatic Tunnel Addressing Protocol (ISATAP), which takes advantage of neighbor discovery and autoconfiguration; it is the primary way in which internal IPv6 nodes communicate over IPv4. ISATAP uses the interface identifier ::0:5EFE:w.x.y.z, where w.x.y.z is the private IPv4 address. For public IPv4 addresses, the identifier is written as ::200:5EFE:w.x.y.z.

To allow ISATAP hosts to communicate between subnets, an ISATAP router can be deployed. An ISATAP router is an IPv6-based router, which can be used to advertise address prefixes, forward packets between subnets, and act as a default router for ISATAP hosts.

Note: Windows Server 2008, Windows Vista Service Pack 1, and later do not automatically configure link-local ISATAP addresses, unless the name ISATAP can be resolved to an ISATAP-based router.

• 6to4. 6to4 tunneling allows IPv6 routers to communicate over the IPv4 Internet. 6to4 is also autoconfigured on the host and may require the manual configuration of a 6to4 router. 6to4 addressing converts a standard IPv4 address to an equivalent 6to4 address. For example, the IPv4 address 157.60.0.1 would be converted to 2002:9D3C:1::/48. A 6to4 address always starts with 2002.

• Teredo. Teredo is a tunneling technology that traverses IPv4 NATs to allow IPv6 networks to communicate.
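The 6to4 and ISATAP address derivations described above, carried out on any IPv4 address rather than only the handbook's 157.60.0.1. This is an added example, not from the handbook; the function names are this example's, and the private/public decision uses the three RFC 1918 ranges the previous topic lists.

```python
# Added example, not from the handbook: deriving the 6to4 prefix and the ISATAP
# interface identifier from an IPv4 address. Sample addresses other than
# 157.60.0.1 (the handbook's 6to4 example) are constructed.


def _octets(dotted):
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError("not a dotted-quad IPv4 address: %r" % dotted)
    return [int(p) for p in parts]


def is_private_ipv4(dotted):
    """True for 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16."""
    a, b, _, _ = _octets(dotted)
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def sixto4_prefix(dotted):
    """2002:WWXX:YYZZ::/48: the IPv4 address in hex, two octets per block, after 2002."""
    a, b, c, d = _octets(dotted)
    # %X drops leading zeros, as the handbook's example does (0.1 -> 1).
    return "2002:%X:%X::/48" % ((a << 8) | b, (c << 8) | d)


def isatap_identifier(dotted):
    """::0:5EFE:w.x.y.z for a private IPv4 address, ::200:5EFE:w.x.y.z for a public one."""
    flag = "0" if is_private_ipv4(dotted) else "200"
    return "::%s:5EFE:%s" % (flag, dotted)


def isatap_address(prefix, dotted):
    """Combine a 64-bit prefix written with a trailing '::' (for example FE80::)
    with the ISATAP identifier; the embedded IPv4 address is kept in dotted form."""
    prefix_blocks = prefix.rstrip(":").split(":")
    if not 1 <= len(prefix_blocks) <= 4 or not all(prefix_blocks):
        raise ValueError("prefix must have one to four 16-bit blocks")
    prefix_blocks += ["0"] * (4 - len(prefix_blocks))
    flag = "0" if is_private_ipv4(dotted) else "200"
    return ":".join(prefix_blocks + [flag, "5EFE"]) + ":" + dotted


if __name__ == "__main__":
    print(sixto4_prefix("157.60.0.1"))             # 2002:9D3C:1::/48
    print(isatap_identifier("10.0.0.1"))           # ::0:5EFE:10.0.0.1
    print(isatap_identifier("157.60.0.1"))         # ::200:5EFE:157.60.0.1
    print(isatap_address("FE80::", "10.0.0.1"))    # link-local ISATAP address
```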

IPv6 changes in Windows Server 2008 R2 and Windows 7

Note: The content in this section only applies to Windows Server 2008 R2 and Windows 7.


Windows Server 2008 R2 and Windows 7 introduce additional support for IPv6. New features include:

• IP-HTTPS. As discussed earlier, 6to4 and Teredo are used to tunnel IPv6 traffic across the IPv4 Internet. However, there may be situations where firewalls or web proxy servers are configured to block this type of traffic. Windows 7 and Windows Server 2008 R2 can use IP-HTTPS to establish connectivity through firewalls or web proxy servers. IP-HTTPS tunnels IPv6 packets inside an IPv4-based secure HTTPS session. You can configure IP-HTTPS by using Netsh.exe or Group Policy settings.

• Teredo Server and Relay. Windows Server 2008 R2 includes support for configuring Teredo server and relay functionality. When implemented, a client communicates with a Teredo server to configure a Teredo-based IPv6 address and initiate communication with other Teredo clients on the Internet. Windows Server 2008 R2 DirectAccess uses the Teredo server functionality to facilitate DirectAccess with Internet-based clients.

• Group Policy Settings for Transition Technologies. Windows Server 2008 R2 and Windows 7 provide Group Policy settings related to IP-HTTPS, Teredo, 6to4, and ISATAP. You can find these settings in the Group Policy Management Editor at: Computer Configuration\Policies\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies


Lesson 2

Overview of the DNS Server Role

The DNS server role is a critical component of a Windows Server 2008 domain infrastructure. DNS provides name resolution and service location to clients on the network. This lesson provides general information about the DNS server role and how the DNS name space works. This lesson also provides details about what has changed for the DNS server role in Windows Server 2008 and Windows Server 2008 R2.

Objectives

After completing this lesson, you will be able to:

• Describe DNS enhancements for Windows Server 2008.

• Describe the types of DNS Resource Records that are available.

• Describe how name resolution works in DNS.

• Describe how DNS Forwarding works.

• Describe how Conditional Forwarding works.

• Configure DNS Forwarding.


DNS Enhancements in Windows Server 2008

Key Points

Windows Server 2008 and Windows Server 2008 R2 both provide enhancements to DNS that improve the performance of DNS.

DNS Improvements in Windows Server 2008

Windows Server 2008 includes several enhanced features that improve the DNS server role. These features include:

• Background zone loading. DNS servers that host large DNS zones stored in AD DS are able to respond to client queries more quickly during restarts, because zone data is now loaded in the background during the startup process.

• IP version 6 support. The DNS server role fully supports IPv6, which includes IPv6 host records (AAAA records) and IPv6 reverse lookup zones.

• Support for read-only domain controllers. The DNS Server role in Windows Server 2008 provides support for primary read-only zones on read-only domain controllers (RODCs). The RODC is a new type of domain controller that is typically deployed to remote sites that lack physical security. An RODC is not allowed to write information back to the full Active Directory servers and DNS servers. When you install the DNS Server service on an RODC, a read-only copy of the Domain DNS zone (DomainDNSZones) and the Enterprise DNS zone (ForestDNSZones) is replicated to the RODC. Clients can query DNS on an RODC but cannot update information directly.

• Global single names. The DNS Server service in Windows Server 2008 provides a new zone type called the GlobalNames zone (GNZ), which you can use to hold unique, single-label names across an entire forest. This eliminates the need to use the NetBIOS-based Windows Internet Name Service (WINS) to provide support for single-label names. The GNZ provides single-label name resolution for large enterprise networks that do not deploy WINS. Some networks may require the ability to resolve static, global records with single-label names that WINS currently provides. These single-label names refer to well-known and widely used servers with statically assigned IP addresses. A GNZ is manually created and does not support dynamic registration of records. The GNZ is intended to help organizations migrate from WINS to DNS for all name resolution requirements. To create a GNZ, simply create an AD DS-integrated forward lookup zone called GlobalNames. After the zone is created, it can be enabled by using the following command on every authoritative DNS server in the forest:

Dnscmd <ServerName> /config /enableglobalnamesupport 1

• Global query block list. By default, well-known host names for services such as Web Proxy Auto-Discovery Protocol (WPAD) and the Intra-site Automatic Tunnel Addressing Protocol (ISATAP) are listed in a global query block list. This helps reduce the chance of malicious users dynamically registering host computers that pose as legitimate servers for these services. If you need to use these services, you have to specifically remove the WPAD or ISATAP name from the global query block list. To modify the block list, you can use the dnscmd command-line tool.

Note: For more information about the DNS server global query block list, read "DNS server global query block list".

DNS Improvements in Windows Server 2008 R2

Note: The content in this section applies only to Windows Server 2008 R2 and Windows 7.

In addition to the enhancements listed above, Windows Server 2008 R2 and the Windows 7 client support several additional features. These features include:

• DNS Security Extensions (DNSSEC). DNSSEC provides the ability for a DNS zone and all records in the zone to be cryptographically signed. DNS is often subject to various attacks, such as man-in-the-middle, spoofing, and cache-poisoning. DNSSEC helps protect against these threats and provides a more secure DNS infrastructure. When a DNS server hosting a signed zone receives a query, it returns the digital signatures in addition to the records queried for. A resolver or another server can obtain the public key of the public/private key pair and validate that the responses are authentic and have not been tampered with. To do so, the resolver or server must be configured with a trust anchor for the signed zone, or for a parent of the signed zone. The DNSSEC implementation in the Windows Server 2008 R2 DNS server provides the ability to sign both file-backed and Active Directory-integrated zones through an offline zone signing tool. The signed zone will then replicate or zone transfer to other authoritative DNS servers. When configured with a trust anchor, a DNS server is capable of performing DNSSEC validation on responses received on behalf of the client.

• DNS Devolution. Devolution is a feature of the DNS client that allows network hosts to resolve server names by appending portions of the primary DNS domain suffix. For example, when a client that is a member of corp.contoso.com attempts to resolve the name fileserver, the client will attempt to resolve fileserver.corp.contoso.com and fileserver.contoso.com. In previous versions of Windows, the DNS devolution level is always set to 2. This can cause problems for organizations that use more than two labels for their root domain. Windows Server 2008 and Windows 7 change this default configuration so that the devolution level is automatically set to the number of labels in the forest root domain. For example, if the forest root domain is corp.contoso.com, the devolution level is set to 3. When a client attempts to resolve the name fileserver, it will only attempt fileserver.corp.contoso.com and will not attempt to resolve the second-level domain name contoso.com.

• DNS Cache Locking. When a recursive DNS server responds to a query, it will cache the results obtained so that it can respond quickly if it receives another query requesting the same information. The period of time the DNS server will keep information in its cache is determined by the Time to Live (TTL) value for a resource record. Until the TTL period expires, information in the cache might be overwritten if updated information about that resource record is received. When you enable cache locking, the DNS server will not allow cached records to be overwritten for the duration of the TTL value. Cache locking provides enhanced security against cache-poisoning attacks.
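The devolution rule above, worked through for the legacy fixed level of 2 and for the label-count default, including a client whose primary suffix is a child domain of the forest root, which is where the two behaviours differ. This is an added example, not from the handbook or the Windows DNS client; the function names are this example's, corp.contoso.com and fileserver are the handbook's example names, and sales.corp.contoso.com is constructed.

```python
# Added example, not from the handbook: the candidate names a DNS client tries
# for a single-label name under devolution. Domain names other than the
# handbook's corp.contoso.com / fileserver are constructed.


def devolution_level(forest_root_domain):
    """Default devolution level: the number of labels in the forest root domain."""
    return len(forest_root_domain.strip(".").split("."))


def devolved_candidates(name, primary_suffix, level):
    """Names tried for `name`: the full primary DNS suffix first, then the suffix
    with its leftmost label removed, repeated while the suffix still has at
    least `level` labels."""
    if level < 1:
        raise ValueError("devolution level must be at least 1")
    if "." in name:
        return [name]          # only single-label names are devolved
    labels = primary_suffix.strip(".").split(".")
    candidates = []
    while len(labels) >= level:
        candidates.append(name + "." + ".".join(labels))
        labels = labels[1:]
    return candidates


def names_outside_forest(name, primary_suffix, forest_root_domain):
    """Candidates that the legacy level 2 tries but the label-count default does
    not: names above the forest root, which is the problem the new default avoids."""
    inside = set(devolved_candidates(name, primary_suffix,
                                     devolution_level(forest_root_domain)))
    return [c for c in devolved_candidates(name, primary_suffix, 2) if c not in inside]


if __name__ == "__main__":
    print(devolved_candidates("fileserver", "corp.contoso.com", 2))
    print(devolved_candidates("fileserver", "corp.contoso.com",
                              devolution_level("corp.contoso.com")))
    print(names_outside_forest("fileserver", "sales.corp.contoso.com", "corp.contoso.com"))
```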


DNS Resource Records

Key Points

Many organizations implement DNS to support both an internal Active Directory scope and an external Internet presence. With both types of implementations, resource records are used to provide the name and service resolution requirements for your network.

Resource records contain information about the resources that are managed within a specific DNS zone. They include information such as the owner of the record, the resource record type, how long the resource record can remain in the cache, and data specific to the resource record, such as a host IP address.

Resource records can be added manually, or they can be added automatically by using a process calleddynamic update.

The following table describes the most common types of resource records:

DNS Resource Record   Description

SOA                   Start of authority resource record. Identifies the primary name server for a DNS zone.

NS                    Name Server resource record. Identifies all the name servers in a domain.

A                     Host (A) resource record. The main record that maps a host name to an IP address.

AAAA                  IPv6 Host resource record. Used to map host names to IPv6 IP addresses.

CNAME                 Alias (CNAME) resource record. An alias record type used to point more than one name to a single host. For example, www can be used to point to a DNS host name called Server1.

MX                    Mail exchanger resource record. Used to specify an email server for a particular domain.

SRV                   Service location resource record. Identifies a service that is available in the domain, such as a domain controller or global catalog server. Active Directory uses these records extensively.

PTR                   Pointer resource record. Used to look up and map an IP address to a domain name. The reverse lookup zone stores the addresses.


How DNS Name Resolution Works

Key Points

DNS name resolution begins with a query from a client to a DNS server. A DNS query can be of two types: recursive and iterative.

• Recursive. By default, when a DNS server receives a query request from a client, the query is recursive. Recursion is where the DNS server either answers the query or continues to query other DNS servers on behalf of the requesting client. The recursive query has one of two possible outcomes: the IP address of the host is returned to the requesting client, or an error message stating that the server cannot resolve the IP address is sent to the requesting client.

Note: If a DNS server is not intended to receive recursive queries, recursion should be disabled on that server by using the DNS Manager or the dnscmd command-line utility. If you disable recursion on a DNS server, root hints will not be queried, and you will not be able to use forwarders to other DNS servers for name resolution.

• Iterative. When a DNS server receives a request from a client that it cannot answer by using its local or cached information, it forwards the request to another DNS server by using an iterative query. When a DNS server receives an iterative query, it may answer with either the IP address for the requested host name (if known) or by referring the request to the DNS servers that are responsible for the domain being queried.

A DNS server can be either authoritative or nonauthoritative for the query’s namespace.

• Authoritative. A DNS server is authoritative when it hosts a primary or secondary copy of a DNS zone. If the DNS server is authoritative for the query's namespace, the DNS server will check the zone and either return the requested address or return an authoritative denial of the request because the name does not exist in the zone.


• Nonauthoritative. If the local DNS server is nonauthoritative for the query's namespace, the DNS server will do one of the following:

• Check its cache and return a cached response.

• Forward the unresolvable query to a specific server called a forwarder.

• Use root hints, the well-known addresses of multiple root servers, to find an authoritative DNS server to resolve the query.


DNS Forwarding

Key Points

DNS Forwarding can be used to manage name resolution for names outside your network. Using a forwarder, you can minimize the work and traffic that results from your DNS server performing its own iterative queries.

When you designate a server as a forwarder, that server is responsible for all external queries. Many organizations designate an external DNS forwarder located at an ISP, which contains a large cache of external DNS information due to the extensive amount of DNS queries that are resolved through it.

When a DNS server sends a request to a forwarder, the request is a recursive query. This is different from the standard name resolution, which uses iterative queries to other DNS servers.

Note: By default, root hints will be used if no forwarders are available. You can use DNS Manager to modify this default setting on the properties of the DNS server.


What Is Conditional Forwarding?

Key Points

You can use a conditional forwarder to provide more efficient name resolution between specific DNS namespaces.

For example, you can configure a DNS server to forward all queries that it receives for names ending with adatum.com to the IP address of a specific DNS server, or to the IP addresses of multiple DNS servers. Any query that is specific to the adatum.com domain will be forwarded directly to the appropriate DNS server instead of going through the standard iterative query process.

Windows Server 2008 also provides the ability to store conditional forwarders in Active Directory. If you configure a conditional forwarder to be stored in Active Directory, you can choose to replicate it to all DNS servers in the forest, all DNS servers in the domain, or all domain controllers in the domain.

Note: If you have conditional forwarders defined for a specific domain, the conditional forwarders will be used instead of server-based forwarders.


Demonstration: How to Configure DNS Forwarding

Key Points

In this demonstration, you will see how to:

• Configure a DNS Forwarder.

• Configure a Conditional Forwarder.

Demonstration Steps:

1. Open the DNS Manager.

2. Right-click the server name, and then click Properties.

3. In the server properties dialog box, click the Forwarders tab, and then configure a forwarder. Click OK to close the properties dialog box.

4. To configure a conditional forwarder, click the Conditional Forwarders node.

5. Right-click the Conditional Forwarders node and click New Conditional Forwarder. Configure the conditional forwarder by providing the DNS domain and IP address of the authoritative server.

6. Configure the conditional forwarder to be stored in Active Directory and configure replication requirements.
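The same forwarder and conditional-forwarder setup, scripted with dnscmd.exe instead of the DNS Manager dialogs. This is an added example, not part of the handbook or its labs; the server name, the forwarder addresses and the adatum.com name servers are constructed placeholders, and the script assumes it runs with DNS administrator rights on a Windows Server 2008 DNS server that is also a domain controller (required for the Active Directory-stored conditional forwarder).

```powershell
# Added example (not from the 6419B handbook): scripting the forwarder
# configuration from the demonstration with dnscmd.exe, which ships with the
# Windows Server 2008 DNS Server role. All addresses below are placeholders.
$DnsServer   = '.'                                 # '.' = the local DNS server
$Forwarders  = @('10.10.0.100', '10.10.0.101')     # constructed: upstream/ISP resolvers
$CondDomain  = 'adatum.com'
$CondServers = @('10.20.0.10')                     # constructed: authoritative for adatum.com

function Invoke-Dnscmd {
    # Runs dnscmd against $DnsServer and turns a non-zero exit code into a
    # terminating error, so one failed step does not leave the server
    # half-configured without anyone noticing.
    param([string[]]$Arguments)
    $output = & dnscmd.exe $DnsServer $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed with code $LASTEXITCODE: $output"
    }
    $output
}

# 1. Server-level forwarders. /timeout = seconds to wait for one forwarder before
#    trying the next. /noslave keeps the default the handbook describes: fall back
#    to root hints when no forwarder answers. Use /slave instead on an internal
#    server that must never resolve via the Internet root servers itself.
$args1 = @('/ResetForwarders') + $Forwarders + @('/timeout', '3', '/noslave')
Invoke-Dnscmd $args1 | Out-Null

# 2. Conditional forwarder for adatum.com, stored in Active Directory and
#    replicated to all DNS servers in the domain (/DP /domain; /DP /forest gives
#    forest-wide replication, omitting /DP keeps it on this server only).
#    For names under adatum.com this entry wins over the server-level forwarders.
$args2 = @('/ZoneAdd', $CondDomain, '/Forwarder') + $CondServers + @('/DP', '/domain')
Invoke-Dnscmd $args2 | Out-Null

# 3. Read the configuration back: /Info prints the server settings (forwarder
#    list, timeout, slave flag); /ZoneInfo shows the conditional forwarder as a
#    zone of type Forwarder together with its master server list.
Invoke-Dnscmd @('/Info')                 | Select-String -Pattern 'Forward', 'Slave', 'Addr'
Invoke-Dnscmd @('/ZoneInfo', $CondDomain) | Select-String -Pattern 'type', 'Forward', 'Addr', 'DP'

# 4. End-to-end check from the server itself: a name under adatum.com should now
#    be answered through 10.20.0.10 (a non-authoritative answer is expected).
nslookup "www.$CondDomain" 127.0.0.1
```

Keeping /noslave matches the note above (root hints as fallback); switching to /slave is the setting to choose when a firewall policy forbids the DNS server from reaching the Internet directly, because otherwise every forwarder outage silently turns into root-hint queries that will fail or be blocked.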


Lesson 3

Configuring DNS Zones

A DNS zone hosts all or a portion of a DNS domain. A zone is typically configured to be a forward or a reverse lookup zone and can be replicated to additional DNS servers for redundancy. Zone data can be stored in a local file that contains the mapping information, or a zone can be integrated into Active Directory to provide enhanced security and availability. This lesson provides information on the types of DNS zones and how zones can be replicated between DNS servers.

Objectives

After completing this lesson, you will be able to:

• Describe forward and reverse lookup zones.

• Describe DNS zone types.

• Describe the use and requirements for Active Directory integrated zones.

• Create forward and reverse lookup zones.

• Describe DNS zone transfer.

• Manage DNS zone settings.

• Identify tools used to troubleshoot DNS.


What Are Forward and Reverse Lookup Zones?

Key Points

You can configure a DNS server to host both forward lookup zones and reverse lookup zones. Each of these zone types provides name resolution capabilities as described below.

Forward Lookup Zone

DNS clients use a forward lookup zone to resolve an IP address to a DNS domain name or a network service. This zone hosts the common DNS records such as the Start of Authority (SOA), Name Server (NS), Host (A) records, and Active Directory-based SRV records.

Reverse Lookup Zone

DNS can also be configured to support a reverse lookup process by using a reverse lookup zone. When configured, a DNS client can use a known IP address and look up a computer name based on its address.

To support reverse lookup queries, two special domains have been standardized for DNS:

• in-addr.arpa. The in-addr.arpa domain is reserved in the DNS namespace to provide a way to perform reverse queries for IPv4 addresses. The reverse namespace consists of subdomains within the in-addr.arpa domain, named by the octets of the IP address in reverse order.

• ip6.arpa. The ip6.arpa domain provides reverse lookup for IPv6 addresses.

A reverse lookup zone is optional. However, you may need to configure a reverse lookup zone if you have applications that rely on looking up hosts by their IP addresses. Many applications will log this information in security or event logs. If you see suspicious activity from a particular IP address, you can resolve the host by using the reverse zone information. In addition, many email security gateways use reverse lookups to validate that the IP address sending messages is associated with an authorized and approved domain.

To support reverse lookup functionality, perform the following tasks:

1. Create a reverse lookup zone that corresponds to the subnet network address.


2. In the reverse lookup zone, add a pointer record that maps the IP address to the host name.
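The two tasks above, carried out with dnscmd.exe rather than the New Zone Wizard, as an added example that is not part of the handbook. It derives the in-addr.arpa zone name from the network address (the part the wizard does for you), creates the zone, restricts it to secure dynamic updates and adds the pointer record. The network (10.10.0.0/24), the host (10.10.0.11, nyc-svr1.contoso.com) and the use of a domain controller as the DNS server are constructed assumptions; the function names are this example's own.

```powershell
# Added example (not from the 6419B handbook): reverse lookup zone setup with
# dnscmd.exe. Network, host and server details below are constructed placeholders.

function Get-ReverseZoneName {
    # Returns the in-addr.arpa zone covering an IPv4 network:
    # 10.10.0.0/24 -> 0.10.10.in-addr.arpa, 10.0.0.0/8 -> 10.in-addr.arpa.
    # Classic reverse zones sit on octet boundaries, so only /8, /16 and /24
    # are accepted; anything else needs RFC 2317 classless delegation and is
    # rejected rather than silently mis-named.
    param([string]$Network, [int]$PrefixLength)
    if (@(8, 16, 24) -notcontains $PrefixLength) {
        throw "Prefix /$PrefixLength is not on an octet boundary"
    }
    $keep = [int]($PrefixLength / 8)
    $zoneOctets = @($Network.Split('.')[0..($keep - 1)])
    [array]::Reverse($zoneOctets)
    ($zoneOctets -join '.') + '.in-addr.arpa'
}

function Get-PtrNodeName {
    # The PTR record's owner name inside the zone is the remaining octets of the
    # host address, reversed: 10.10.0.11 in 0.10.10.in-addr.arpa -> "11",
    # in 10.in-addr.arpa -> "11.0.10".
    param([string]$IPAddress, [int]$PrefixLength)
    $rest = @($IPAddress.Split('.')[([int]($PrefixLength / 8))..3])
    [array]::Reverse($rest)
    $rest -join '.'
}

$Network  = '10.10.0.0'               # constructed lab subnet
$Prefix   = 24
$HostIP   = '10.10.0.11'              # constructed: NYC-SVR1
$HostFqdn = 'nyc-svr1.contoso.com.'   # trailing dot = fully qualified
$Zone     = Get-ReverseZoneName $Network $Prefix

# Task 1: create the zone. /DsPrimary stores it in AD DS (this must run on a
# domain controller); /DP /domain replicates it to all DNS servers in the
# domain. /AllowUpdate 2 = secure dynamic updates only (0 = none,
# 1 = nonsecure and secure), so only authenticated computers can register or
# overwrite pointer records.
dnscmd . /ZoneAdd $Zone /DsPrimary /DP /domain
dnscmd . /Config  $Zone /AllowUpdate 2

# Task 2: add the pointer record. A manually added record carries a time stamp
# of 0 and is never scavenged; a Windows client that performs dynamic update
# (or the DHCP server on its behalf) registers its own PTR once the zone exists.
dnscmd . /RecordAdd $Zone (Get-PtrNodeName $HostIP $Prefix) PTR $HostFqdn

# Verify with a reverse query against this server.
nslookup $HostIP 127.0.0.1
```

Restricting the reverse zone to secure dynamic updates matters for the log-correlation use the text mentions: if anyone on the network can rewrite pointer records, an IP address in a security log can be made to resolve to whatever name the writer chooses.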

DNS Dynamic Update

Forward and reverse lookup zones both support the ability to perform dynamic updates. These updates enable DNS clients to automatically register and update their resource records whenever changes occur.

Dynamic updates take place in the following instances:

• At startup time when the computer is turned on.

• When the ipconfig /registerdns command is used to manually force a refresh of the client name registration.

• When an IP address lease changes or is renewed.

• When an IP address is added, removed, or modified in the TCP/IP properties of the client.


What Are DNS Zone Types?

Key Points

A forward or reverse lookup zone can be configured to support one of three main types of zones:

• Primary zone

• Secondary zone

• Stub zone

Primary Zone

With a standard primary zone, all DNS records are stored in a zone data file located on the DNS server called zone_name.dns (where zone_name is the name of the zone), which is stored in the %windir%\System32\Dns folder. When a zone file is used, the server hosting the primary zone is the only server that has a writable copy of the DNS database. If the DNS server is a writable domain controller, you can also choose to store the zone data in Active Directory Domain Services to provide efficient replication and increased security of the DNS infrastructure. With Active Directory-integrated primary zones, all data for a zone resides in the directory.

Secondary Zone

A secondary zone is a copy of a primary zone that is hosted on another DNS server. A secondary zone must be obtained from another DNS server, and is used to provide load balancing and redundancy for name resolution.

Secondary zones cannot be stored in AD DS.

Stub Zone

A stub zone is a specific type of zone that only provides information about the authoritative name servers for the zone. When you create a stub zone, you specify one or more authoritative DNS servers that host the zone. The stub zone replicates data from the authoritative server such as the SOA resource record, NS resource records, and glue records (the host (A) records) that are used to locate the name servers.


Stub zones are quite useful when an organization contains a large AD DS forest structure consisting of several parent and child domains. Stub zones are used in this scenario to:

• Improve name resolution. When a DNS client queries the DNS server hosting a stub zone, the DNS server performs recursion by using the stub zone’s list of name servers. This minimizes the need to query the Internet or root hints to perform name resolution.

• Maintain delegated zone information. The stub zone is updated regularly to ensure that the current list of authoritative name servers is provided in the stub zone.

• Minimize zone transfer traffic. You can use stub zones to distribute a list of authoritative DNS servers for a zone without using secondary zones. This can minimize zone transfer traffic and improve name resolution efficiency. However, stub zones do not enhance redundancy or provide load sharing capabilities like secondary zones.

Note: A stub zone can be configured to store its zone data in Active Directory.


What Is an Active Directory–Integrated Zone?

Key Points

Primary and stub zones can be stored in the AD DS database when the DNS server is an AD DS domain controller. This creates an Active Directory–integrated zone. The benefits of Active Directory–integrated zones are significant:

• Multimaster updates. Unlike standard primary zones, which can be modified only by a single primary server, Active Directory–integrated zones can be written to by any DC to which the zone is replicated. This removes a single point of failure in the DNS infrastructure. It is particularly important in geographically distributed environments that use dynamic update zones, because they allow clients to update their DNS records without having to connect to a potentially distant primary server.

• Replication of DNS zone data by using AD DS replication. One of the characteristics of Active Directory replication is attribute-level replication, in which only changed attributes are replicated. An Active Directory–integrated zone can leverage these benefits of Active Directory replication, rather than replicating the entire zone file as in traditional DNS zone transfer models.

• Secure dynamic updates. An Active Directory–integrated zone can enforce secure dynamic updates. When you configure an Active Directory-integrated zone to support secure dynamic updates, you can then use the access control list (ACL) to specify which users or groups have the ability to modify the zone and the records in the zone. When you create a new Active Directory-integrated zone, it is configured to use secure dynamic updates by default. Members of the Authenticated Users group are able to create a new object in the zone. Also, by default, when an authenticated user or computer creates an object in the zone, it is considered the owner of the object and has full control to modify or remove the DNS registration as needed.

• Granular security. As with other Active Directory objects, an Active Directory–integrated zone allows you to delegate administration of zones, domains, and resource records by modifying the access control list (ACL) on the object.


Demonstration: How to Create Forward and Reverse Lookup Zones

Key Points

In this demonstration, you will see how to:

• Create a forward lookup zone.

• Create a reverse lookup zone.

Demonstration Steps:

1. Open the DNS Manager.

2. Right-click the Forward Lookup Zones node and then click New Zone.

3. Use the New Zone Wizard to create the new forward lookup zone.

4. Right-click the Reverse Lookup Zones node and then click New Zone.

5. Use the New Zone Wizard to create the new reverse lookup zone.


Overview of DNS Zone Transfer

Key Points

A zone transfer occurs when a zone is transferred from one DNS server to another DNS server. Zone transfers synchronize primary and secondary DNS server zones.

A full zone transfer occurs when the entire zone is copied from one DNS server to another. A full zone transfer is known as an All Zone Transfer (AXFR).

An incremental zone transfer occurs when there is an update to the DNS server, and only the resource records that were changed are replicated to the other server. This is an Incremental Zone Transfer (IXFR).

Windows DNS servers also perform fast transfers, a type of zone transfer that uses compression and sends multiple resource records in each transmission.

Not all DNS server implementations support incremental and fast zone transfers. When integrating a Windows Server 2008 DNS server with a Berkeley Internet Name Domain (BIND) DNS server, you must ensure that the features you need are supported by the BIND version that is installed.

You can configure zone transfers from the Zone Transfers tab of the zone properties dialog box.

DNS Notify

By default, secondary servers query for updated information every 15 minutes. To ensure that secondary servers receive zone changes as quickly as possible, you can configure the source server to notify specified secondary servers when a zone is updated.
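The zone types from the previous topic and the transfer and notify settings from this one, driven from dnscmd.exe on both servers. This is an added example, not handbook or lab code; it reuses the lab's addresses (10.10.0.10 for NYC-DC1, 10.10.0.11 for NYC-SVR1) and contoso.com as constructed assumptions, adds a placeholder 10.20.0.10 for a stub zone master, and assumes the account running it administers both DNS servers and that 10.10.0.10 is a domain controller.

```powershell
# Added example (not from the 6419B handbook): zone types, transfer restriction
# and DNS Notify with dnscmd.exe. Addresses are the lab's own or placeholders.
$Master    = '10.10.0.10'   # NYC-DC1, hosts the primary zone
$Secondary = '10.10.0.11'   # NYC-SVR1, will hold the secondary copy
$Zone      = 'contoso.com'

# --- On the primary (NYC-DC1) ------------------------------------------------
# A file-backed standard primary keeps its records in %windir%\System32\Dns\<zone>.dns
# and is writable on this one server only:
#     dnscmd $Master /ZoneAdd $Zone /Primary /file "$Zone.dns"
# On a domain controller store it in AD DS instead (multimaster, attribute-level
# replication, secure dynamic update available):
dnscmd $Master /ZoneAdd $Zone /DsPrimary /DP /domain

# An unrestricted zone transfer hands a complete list of hosts to any client that
# asks for one. Allow AXFR/IXFR only to the listed secondary (/SecureList) and
# send DNS Notify to the same server (/NotifyList) so it does not have to wait
# for its 15-minute refresh poll to pick up a change.
dnscmd $Master /ZoneResetSecondaries $Zone /SecureList $Secondary /NotifyList $Secondary

# --- On the secondary (NYC-SVR1) ---------------------------------------------
# A secondary zone is a read-only copy pulled from its master server(s); it
# cannot be stored in AD DS. Between Windows servers the copy uses IXFR and
# fast (compressed, multi-record) transfers.
dnscmd $Secondary /ZoneAdd $Zone /Secondary $Master
# Pull the zone now rather than waiting for NOTIFY or the SOA refresh timer.
dnscmd $Secondary /ZoneRefresh $Zone

# A stub zone holds only the SOA, NS and glue A records of another zone, enough
# to find that zone's authoritative servers without carrying a full copy.
dnscmd $Secondary /ZoneAdd adatum.com /Stub 10.20.0.10    # 10.20.0.10 is a placeholder

# --- Verify -------------------------------------------------------------------
# /ZoneInfo reports the zone type plus the secure-secondaries and notify settings;
# /EnumRecords on the secondary shows that the transfer actually delivered records.
dnscmd $Master    /ZoneInfo $Zone | Select-String -Pattern 'type', 'secure', 'notify', 'Addr'
dnscmd $Secondary /EnumRecords $Zone '@'
```

The /SecureList setting is the scripted form of the "Only to the following servers" option in the Zone Transfers tab; check it after any zone is created, because a zone created through the wizard inherits whatever transfer policy the wizard's defaults apply, not necessarily the restricted one.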


What Is Time Stamping, Aging, and Scavenging?

Key Points

DNS dynamic update provides many advantages for automatically adding records to the DNS database. However, there may be times when the records are not automatically removed when devices leave the network. For example, if a device registers its own host (A) record and then is improperly disconnected from the network, a stale resource record may remain in the DNS database.

Having a large number of stale resource records can lead to many problems, such as out-of-date resource records that cause clients to experience name resolution issues and unnecessarily long zone transfers.

The DNS Server service addresses this problem by using the following features:

• Time Stamping. Any resource record that is dynamically added to a primary zone contains a time stamp that is based upon the current date and time of the DNS server. This time stamp is used to assist in the aging and scavenging process.

Note: If you manually add a resource record, a time stamp of 0 is used. This indicates that the record is not affected by the aging or the scavenging process.

• Aging. You can configure a specified refresh time period for the entire DNS server or for specific zones stored on the server. This refresh period is used to determine when scavenging can take place.

• Scavenging. Any records that are beyond the specified refresh period can be automatically removed by the scavenging process. You can configure scavenging to take place automatically, or you can manually initiate scavenging.

Configuring Aging and Scavenging

By default, aging and scavenging are disabled. You can enable scavenging of stale resource records at the server level or the zone level by using the following process:

1. In the DNS Manager console, open the DNS server properties dialog box.


2. On the Advanced tab, select the Enable automatic scavenging of stale records check box and configure an appropriate scavenging period. The default is 7 days.

3. If you want to configure aging settings for all zones on the server, right-click the DNS server and click Set Aging/Scavenging for All Zones. You can configure server-based settings in the Server Aging/Scavenging Properties dialog box.

4. If you want to configure aging settings for a specific zone, right-click the zone and click Properties. On the General tab, click the Aging button. You can configure zone-based settings in the Zone Aging/Scavenging Properties dialog box.
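What the three intervals in those dialogs add up to is easy to get wrong, so here is the arithmetic in code together with the dnscmd.exe equivalents of steps 2 to 4. This is an added example, not from the handbook; the function names, the sample registration date and the zone name contoso.com are constructed, the intervals are the 7-day defaults from the text, and the `[Aging:n]` decoding assumes the time stamp format dnscmd prints for aging records (hours since 1 January 1601, UTC).

```powershell
# Added example (not from the 6419B handbook): when does a stale record actually
# go away, and how to enable aging/scavenging with dnscmd.exe. Sample dates and
# the zone name are constructed.

function Get-ScavengingTimeline {
    # $TimeStamp      : when the record was last written or refreshed
    # $NoRefreshDays  : window in which refresh attempts are ignored (no write)
    # $RefreshDays    : window in which a refresh is accepted; if none arrives
    #                   the record is eligible for scavenging when it ends
    # $ScavengingDays : server-level period between automatic scavenging runs
    param(
        [datetime]$TimeStamp,
        [int]$NoRefreshDays  = 7,
        [int]$RefreshDays    = 7,
        [int]$ScavengingDays = 7
    )
    $refreshOpens = $TimeStamp.AddDays($NoRefreshDays)
    $eligible     = $refreshOpens.AddDays($RefreshDays)
    New-Object PSObject -Property @{
        TimeStamp       = $TimeStamp
        RefreshAccepted = $refreshOpens                       # writes allowed again
        EligibleAt      = $eligible                           # stale from here on
        LatestRemoval   = $eligible.AddDays($ScavengingDays)  # worst case: just missed a run
    }
}

function ConvertFrom-DnsAgingHours {
    # dnscmd /EnumRecords prints aging records with "[Aging:<n>]", <n> being the
    # hours since 1 January 1601 UTC. 0 means "never scavenge", which is what
    # manually created records get.
    param([int64]$Hours)
    if ($Hours -eq 0) { return $null }
    $epoch = New-Object DateTime 1601, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    $epoch.AddHours($Hours)
}

# A host that registered on 1 March 2011 and then left the network for good:
# eligible after no-refresh + refresh, removed at the next scavenging run after that.
$t = Get-ScavengingTimeline -TimeStamp (Get-Date '2011-03-01 09:00')
$t | Format-List TimeStamp, RefreshAccepted, EligibleAt, LatestRemoval

# Steps 2-4 in dnscmd form (all values are hours; 168 h = 7 days):
dnscmd . /Config /ScavengingInterval 168             # server: automatic scavenging period
dnscmd . /Config contoso.com /Aging 1                # zone: turn aging on
dnscmd . /Config contoso.com /NoRefreshInterval 168
dnscmd . /Config contoso.com /RefreshInterval 168
# Caveat: a zone will not be scavenged until one refresh interval has passed since
# aging was enabled on it, so enabling aging today removes nothing tomorrow.

# Before trusting a scavenging run, look at the stamps it will act on.
dnscmd . /EnumRecords contoso.com '@' | ForEach-Object {
    if ($_ -match '\[Aging:(\d+)\]') {
        $stamp = ConvertFrom-DnsAgingHours ([int64]$matches[1])
        '{0}    stamped {1:u}' -f $_.Trim(), $stamp
    }
}
```

The LatestRemoval value is the figure to quote when someone asks why a decommissioned host is "still in DNS": with the defaults a record can legitimately linger for three weeks after its last refresh, and shortening the scavenging period only trims the last of the three windows.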


Tools Used to Troubleshoot DNS

Key Points

DNS functionality may be affected by the following issues:

• Network connectivity with other DNS servers. If your DNS server is configured to forward requests to another DNS server, network connectivity must be maintained to the other DNS server. DNS root hint queries also require appropriate network connectivity.

• Missing records. If a record for a specific host is not registered in the DNS server, name resolution will fail. This can be caused by incorrectly configured clients, or the records may have been scavenged prematurely.

• Incomplete records. A record must contain all the information needed to locate the resource it represents; if some of that information is missing, clients requesting the resource receive invalid information. A service record that does not contain a port number is an example of an incomplete record.

• Incorrectly configured records. Records that point to an invalid IP address or have invalid information in their configuration also cause problems when DNS clients try to locate resources.

Tools used to troubleshoot these and other configuration issues include:

• IPconfig. Use this command to view and modify IP configuration details that the computer uses. This utility includes additional command-line options that you can use to troubleshoot and support DNS clients. You can view the client’s local DNS cache by using the ipconfig /displaydns command, and you can clear the local cache by using ipconfig /flushdns.

• Monitoring. The Monitoring tab on the Server Properties dialog box can be used to verify the server configuration by performing a simple query against the DNS server or a recursive query to other DNS servers.

• Global Logs. The Global Logs node in the DNS Manager provides a list of DNS events that have taken place on the server. This can be useful to determine scavenging or zone transfer details.

• Nslookup. Use this to query DNS information. The tool is very flexible and can provide a lot of valuable information about DNS server status. You also can use it to look up resource records and validate their configuration. You also can test zone transfers, security options, and MX record resolution.

• Dnscmd. Use this command-line tool to manage the DNS server. This tool is useful in scripting batch files to help automate routine DNS management tasks or to perform simple unattended setup and configuration of new DNS servers on your network.

• Dnslint. Use this tool to diagnose common DNS issues. This command-line utility diagnoses configuration issues in DNS quickly and can generate a report in HTML format regarding the domain status you are testing.
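A small check script that walks through the four failure causes listed above with tools that exist on a Windows Server 2008 machine (the .NET resolver, nslookup, ipconfig, and the lab's own DNSLint command). This is an added example, not from the handbook; the function names are this example's own, the server 10.10.0.10, the host www.contoso.com at 10.10.0.11 and the SRV name _ldap._tcp.contoso.com come from the lab, and the forwarder address 10.10.0.100 is a placeholder. It assumes it runs on a domain member whose configured DNS server is the one under test.

```powershell
# Added example (not from the 6419B handbook): checking connectivity, missing,
# incomplete and wrong records from a client. Addresses are lab values or placeholders.

function Test-DnsPort {
    # Connectivity to another DNS server: TCP connect to port 53 with a timeout.
    # (UDP 53 cannot be probed without a real query; TCP 53 must be reachable
    # anyway for zone transfers and for answers too large for UDP.)
    param([string]$Server, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, 53, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-HostRecord {
    # Missing or incorrectly configured A record: resolve through the client's
    # configured DNS server and compare with the address we expect.
    param([string]$Name, [string]$ExpectedIP)
    try {
        $addrs = @([System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString })
    } catch { return "MISSING    $Name (no A record)" }
    if ($addrs -contains $ExpectedIP) { "OK         $Name -> $ExpectedIP" }
    else { "WRONG      $Name -> $($addrs -join ', ') (expected $ExpectedIP)" }
}

function Test-SrvRecord {
    # Incomplete SRV record: nslookup prints one "port = N" line per target,
    # and a target with no usable port cannot be reached by clients.
    param([string]$Name, [string]$Server)
    $out   = nslookup -type=SRV $Name $Server 2>&1 | Out-String
    $ports = @([regex]::Matches($out, 'port\s*=\s*(\d+)') | ForEach-Object { [int]$_.Groups[1].Value })
    if ($ports.Count -eq 0)     { "MISSING    $Name (no SRV answer from $Server)" }
    elseif ($ports -contains 0) { "INCOMPLETE $Name (a target advertises port 0)" }
    else                        { "OK         $Name ports $($ports -join ', ')" }
}

$DnsServer = '10.10.0.10'                       # lab: NYC-DC1
foreach ($s in @($DnsServer, '10.10.0.100')) {  # 10.10.0.100 = placeholder forwarder
    $state = if (Test-DnsPort $s) { 'OK' } else { 'DOWN' }
    '{0,-10} TCP/53 to {1}' -f $state, $s
}
Test-HostRecord 'www.contoso.com' '10.10.0.11'
Test-SrvRecord  '_ldap._tcp.contoso.com' $DnsServer

# If the client still sees stale data, clear and re-register before blaming the
# server, then read the server's side (Global Logs in DNS Manager, or the DNSLint
# HTML report used in the lab):
#     ipconfig /flushdns ; ipconfig /registerdns
#     dnslint /s 10.10.0.10 /d contoso.com
```

Test-HostRecord deliberately uses the client's own resolver rather than a named server: the question a help-desk ticket asks is what this client gets, cache included, which is why the flush step follows it rather than precedes it.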


Exercise 1: Installing and Configuring DNS Server Role and Zones

Scenario

To support the latest DNS requirements, you need to install and configure the DNS server role on NYC-SVR1. After you have installed the DNS server role, you will create a secondary zone and a reverse lookup zone for Contoso.com.

The main tasks for this exercise are as follows:

1. Install the DNS Server role on NYC-SVR1.

2. Allow zone transfers for Contoso.com.

3. Configure a secondary zone for Contoso.com.

4. Configure a reverse lookup zone.

Task 1: Install the DNS Server role on NYC-SVR1.

1. On NYC-SVR1, open Server Manager and install the DNS Server role.

Task 2: Allow Zone Transfers for Contoso.com.

1. On NYC-DC1, open the DNS Manager.

2. For the Contoso.com zone, configure the following:

• Allow zone transfers: enabled

• Only to the following servers: 10.10.0.11

• Automatically notify: 10.10.0.11

Task 3: Configure a Secondary Zone for Contoso.com.

1. On NYC-SVR1, open DNS Manager.

2. Configure a new Forward Lookup zone with the following parameters:

• Zone Type: Secondary zone

• Zone Name: Contoso.com

• Master DNS Servers: 10.10.0.10

3. Verify that all of the resource records are available in the secondary zone.

Task 4: Configure a Reverse Lookup Zone.

1. On NYC-DC1, configure a new Reverse Lookup zone with the following parameters:

• Zone Type: Primary zone (store the zone in Active Directory)

• Active Directory Zone Replication Scope: All DNS servers running on domain controllers in the Contoso.com domain

• Reverse Lookup zone name: IPv4

• Network ID: 10.10.0

• Dynamic Update: Allow only secure dynamic updates

2. Update the associated pointer record for NYC-SVR1.


Results: At the end of this exercise, you will have installed the DNS Server role and configured secondary and reverse lookup zones.


Exercise 2: Configuring Resource Records, Aging, and Scavenging

Scenario

You have been provided additional requirements for the Contoso.com DNS zone. You need to create an alias for NYC-SVR1 called www. You also need to enable aging and scavenging.

The main tasks for this exercise are as follows:

1. Add resource records for Contoso.com.

2. Configure aging and scavenging for Contoso.com.

Task 1: Add resource records for Contoso.com.

1. On NYC-DC1, use DNS Manager to add an alias for NYC-SVR1.Contoso.com called www.

Task 2: Configure aging and scavenging for Contoso.com.

1. On NYC-DC1, enable automatic scavenging of stale records to take place every 10 days.

2. Enable zone aging and scavenging for Contoso.com by using the default 7-day no-refresh and refresh intervals.

Results: At the end of this exercise, you will have configured a resource record for Contoso.com and enabled aging and scavenging.


Exercise 3: Verifying DNS Settings

Scenario

You need to verify that the DNS settings work as expected. You also need to produce a report on the DNS settings to verify that DNS is configured correctly.

The main tasks for this exercise are as follows:

1. Verify that the secondary zone is functional.

2. Verify records by using Nslookup and DNSlint.

Task 1: Verify that the secondary zone is functional.

1. Switch to the NYC-SVR1 virtual machine.

2. In DNS Manager, refresh the Contoso.com zone and verify that www has been transferred successfully from the authoritative server.

3. Open the Local Area Network Properties and modify the TCP/IPv4 settings to use 10.10.0.11 as the preferred DNS Server.

4. Ping www.contoso.com and verify that the name is resolved.

5. Close all open windows.

Task 2: Verify records by using Nslookup and DNSlint.

1. Switch to the NYC-DC1 virtual machine.

2. Use NSlookup to verify the SOA information.

3. Run DNSLint from C:\Tools\Dnslint and create a zone report. Hint: use the following command.

Dnslint /s 10.10.0.10 /d contoso.com

4. Read through the report results and then close all open windows.

Results: At the end of this exercise, you will have verified settings by using NSlookup and DNSLint.

Note: Do not shut down the virtual machines; you will need them for the next lab.
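The following script is an added example, not part of the handbook, that performs the DNS tasks of Exercises 2 and 3 from the command line with dnscmd.exe and nslookup.exe, both of which ship with the DNS Server role on Windows Server 2008. The server names, the zone and the DNSLint path come from the lab; the assumption that 10.10.0.11 is NYC-SVR1 is taken from step 3 of Task 1 above, and the regular expression used to read the SOA serial out of nslookup's output is an assumption about that tool's text format.

```powershell
# Added example (not from the handbook): Exercises 2 and 3 scripted with
# dnscmd.exe and nslookup.exe. Names and addresses are the lab's; the
# mapping 10.10.0.11 -> NYC-SVR1 and the nslookup output format are assumptions.
$Primary     = 'NYC-DC1'
$PrimaryIP   = '10.10.0.10'
$Secondary   = 'NYC-SVR1'
$SecondaryIP = '10.10.0.11'
$Zone        = 'contoso.com'

# Exercise 2, task 1: alias www -> nyc-svr1.contoso.com. A record created this way
# is static (timestamp 0), so scavenging never removes it; add /Aging to make it age.
dnscmd $Primary /RecordAdd $Zone www CNAME nyc-svr1.contoso.com.

# Exercise 2, task 2: server-wide scavenging every 10 days (the value is in hours),
# then aging on the zone with the default 7-day (168 h) no-refresh and refresh intervals.
dnscmd $Primary /Config /ScavengingInterval 240
dnscmd $Primary /Config $Zone /Aging 1
dnscmd $Primary /Config $Zone /NoRefreshInterval 168
dnscmd $Primary /Config $Zone /RefreshInterval 168

# Exercise 3, task 1: the secondary is current when its SOA serial equals the primary's.
function Get-SoaSerial([string]$Server, [string]$ZoneName) {
    $hit = nslookup -type=SOA $ZoneName $Server 2>$null |
        Select-String 'serial\s*=\s*(\d+)' | Select-Object -First 1
    if ($hit) { [int64]$hit.Matches[0].Groups[1].Value } else { $null }
}
$primarySerial   = Get-SoaSerial $PrimaryIP $Zone
$secondarySerial = Get-SoaSerial $SecondaryIP $Zone
"Primary serial: $primarySerial  Secondary serial: $secondarySerial"
if ($primarySerial -ne $secondarySerial) {
    "Secondary is out of date; forcing it to poll the master"
    dnscmd $Secondary /ZoneRefresh $Zone
}

# Ask the secondary directly for the alias, instead of changing the adapter's DNS setting.
nslookup "www.$Zone" $SecondaryIP

# Exercise 3, task 2: DNSLint zone report (the command from the exercise; it writes dnslint.htm).
Set-Location C:\Tools\Dnslint
.\dnslint.exe /s $PrimaryIP /d $Zone
```

Comparing SOA serials is the quickest check that a secondary really received the transfer: a zone that shows the www record but an older serial is stale and will lose the record on its next refresh.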


Lesson 4

Overview of DHCP Server Role

DHCP assigns (leases) IPv4 or IPv6 addresses and other network settings to computers and devices that are configured as DHCP clients. This lesson provides information on using DHCP and on how DHCP is installed and configured to support IP address allocation to network clients.

Objectives
After completing this lesson, you will be able to:

• Describe new DHCP features for Windows Server 2008.

• Describe DHCP Server Authorization.

• Describe how DHCP lease generation works.

• Describe how DHCP lease renewal works.

• Add and authorize the DHCP Server role.


New DHCP Features in Windows Server 2008

Key Points
DHCP simplifies the configuration of IP clients in a network environment. Before DHCP was widely used, each time you added a client to a network you had to configure it manually with information about that network, including its IP address, the subnet mask, and the default gateway used to reach other networks.

With the DHCP Server role, you can ensure that all clients receive consistent configuration information, which reduces the human error that manual configuration introduces. When key configuration information changes in the network, you update it once on the DHCP server rather than on each computer.

The DHCP role on Microsoft Windows Server 2008 supports several new features:

• Support for DHCPv6. Stateful and stateless configuration are supported for clients in an IPv6 environment. In stateful configuration, the DHCPv6 server assigns the IPv6 address to the client along with additional DHCP data. In stateless configuration, the client obtains its address from router advertisements (stateless address autoconfiguration) and uses the DHCPv6 server only for other settings, such as DNS server addresses.

• Support for Network Access Protection (NAP). DHCP can be configured to integrate with NAP to isolate noncompliant computers from the corporate network. NAP is part of a Windows Server 2008-based toolset that controls access to network resources to ensure that a client is compliant with internal security policies. For example, a configured policy may require all network clients to have Windows Firewall enabled and a valid, up-to-date antivirus program installed. DHCP enforcement depends on the client accepting the restricted configuration it is given; a computer with a statically configured address is not affected by it.

• Support for Windows Server 2008 Server Core. You can install DHCP as a role on a Windows Server 2008 Server Core installation.

DHCP Improvements in Windows Server 2008 R2

Note: The content in this section applies only to Windows Server 2008 R2.


In addition to these enhancements, Windows Server 2008 R2 supports the following additional features:

• Link-Layer Filtering. Link-layer filtering lets you allow or deny DHCP leases based on the media access control (MAC) address presented by the client. You can specify either a full MAC address or a MAC address pattern that uses * as a wildcard. This feature is currently available only for IPv4 networks. Because the client chooses the MAC address it presents, treat link-layer filtering as an administrative control, not as a security boundary.

• DHCP Split-Scope Configuration Wizard. A DHCP split-scope configuration provides increased fault tolerance and redundancy by using two DHCP servers. The Split-Scope Wizard provides an automated method for configuring the scope properties and minimizes errors that are common during manual configuration. The split-scope configuration places part of the DHCP scope on a secondary server with a time delay, which is configured in the scope properties. The time delay on the secondary server ensures that it responds to DHCP clients only if the primary DHCP server becomes unavailable. The secondary DHCP server distributes IP addresses until the primary server is available again to service clients. This feature is used only for IPv4-based scopes.

• DHCP Name Protection. Name protection prevents a computer from registering a DNS name that another DHCP client already owns, a problem most often caused by non-Windows clients that register their own names directly. When you enable name protection, the DHCP server registers the A and PTR records in DNS on behalf of the client, together with a DHCID record that identifies the client that owns the name. If a record with the same name already exists and belongs to a different client, the update fails. Name protection can be configured for both IPv4 and IPv6 at the server or scope level, and it works only for DNS zones that are configured to support secure dynamic updates.


DHCP Server Authorization

Key Points
The DHCP Server role in Windows Server 2008 must be authorized in Active Directory before it begins leasing IP addresses. Because a single DHCP server can serve subnets that contain multiple Active Directory domains, the authorization list is stored in the forest-wide configuration partition, and an Enterprise Admins account is required to authorize the server.

A DHCP server that is a member of an Active Directory domain queries Active Directory for the list of authorized DHCP servers. If its own IP address is on the list, the DHCP service starts and the server begins to service DHCP requests. If its IP address is not on the list, the DHCP service does not start and does not service DHCP requests until the server has been authorized.

Stand-Alone DHCP Server Considerations
A stand-alone DHCP server is a computer running Windows Server 2008 that is not a member of an Active Directory domain and that has the DHCP Server role installed and configured. If the stand-alone DHCP server detects an authorized DHCP server in the domain, it stops leasing IP addresses and its DHCP service shuts down automatically.

Rogue DHCP Servers
Many network devices and network operating systems include DHCP server services that might be enabled unintentionally. These services do not check for authorization in Active Directory, so they answer client requests regardless, and clients may obtain incorrect configuration data such as a wrong default gateway or DNS server. Authorization only restrains Windows DHCP servers; it does nothing to stop a non-Windows or deliberately malicious server.

To eliminate an unauthorized DHCP server, you must locate it and stop it from communicating on the network, either physically or by disabling the DHCP service on the device on which it is running. On managed switches, DHCP snooping can block DHCP server replies on ports where no authorized server is connected.


How DHCP Lease Generation Works

Key Points
The DHCP lease-generation process consists of four steps that enable a client to obtain an IP address:

1. The DHCP client broadcasts a DHCPDISCOVER packet to its subnet. Only DHCP servers, or a DHCP relay agent on that subnet, act on it. In the latter case, the relay agent forwards the message to the DHCP server with which it is configured.

2. Every DHCP server that receives the DHCPDISCOVER responds with a DHCPOFFER packet, which proposes an address and lease to the client.

3. The client receives the DHCPOFFER packet. It may receive offers from multiple servers; if so, it usually accepts the first offer to arrive, which is typically from the DHCP server closest to the client. The client then broadcasts a DHCPREQUEST that contains a server identifier, which tells every DHCP server which offer the client has chosen to accept.

4. DHCP servers receive the DHCPREQUEST. Servers whose offers were not selected treat the message as notification that the client has declined their offer. The chosen server stores the client's lease in the DHCP database and responds with a DHCPACK message. If for some reason the DHCP server can no longer provide the address it offered, it sends a DHCPNAK message instead, and the client starts over with a new DHCPDISCOVER.


How DHCP Lease Renewal Works

Key Points
When the DHCP lease has reached 50 percent of its lease time, the client attempts to renew the lease. This is an automatic process that occurs in the background. Computers may keep the same IP address for a long period of time if they operate continuously on a network without being shut down.

To renew the IP address lease, the client sends a unicast DHCPREQUEST message to the original DHCP server that provided the lease. That server sends a DHCPACK message back to the client that contains any parameters that have changed since the original lease was created.

If the client cannot renew the lease, it continues to use its existing address until 87.5 percent of the lease duration has elapsed. At that point the client enters the rebinding state and broadcasts DHCPREQUEST messages so that any available DHCP server can extend the lease. If the lease expires without a response, the client stops using the address and starts the lease-generation process again with a DHCPDISCOVER.
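The following script is an added example, not part of the handbook, that builds the four lease-generation messages and decodes them as raw DHCPv4 packets in memory, so the fields the two topics above describe (the broadcast flag, the transaction ID shared by one exchange, the offered address, the message type, the server identifier carried in the DHCPREQUEST, and the lease time from which the 50 percent and 87.5 percent renewal timers are derived) are visible in the bytes. Nothing is sent on the network. The client MAC address and transaction ID are constructed sample values; the server, client and router addresses and the 5-day lease are taken from Lab B.

```powershell
# Added example (not from the handbook): build and decode DORA messages offline.
# MAC, transaction ID and option values are constructed sample data.

function New-DhcpMessage {
    param(
        [byte]$Op,                    # 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server)
        [uint32]$Xid,                 # transaction ID, echoed by every message of one exchange
        [bool]$Broadcast,             # flags bit asking the server to broadcast its reply
        [byte[]]$ClientMac,
        [string]$Yiaddr = '0.0.0.0',  # "your" address: the one the server is offering
        [string]$Siaddr = '0.0.0.0',
        [hashtable]$Options           # option code -> byte[]
    )
    $b = New-Object byte[] 240
    $b[0] = $Op; $b[1] = 1; $b[2] = 6                          # op, htype Ethernet, hlen 6
    [Array]::Copy([BitConverter]::GetBytes($Xid), 0, $b, 4, 4)
    if ($Broadcast) { $b[10] = 0x80 }
    [Array]::Copy([System.Net.IPAddress]::Parse($Yiaddr).GetAddressBytes(), 0, $b, 16, 4)
    [Array]::Copy([System.Net.IPAddress]::Parse($Siaddr).GetAddressBytes(), 0, $b, 20, 4)
    [Array]::Copy($ClientMac, 0, $b, 28, 6)
    [Array]::Copy([byte[]](0x63, 0x82, 0x53, 0x63), 0, $b, 236, 4)   # DHCP magic cookie
    $opts = New-Object System.Collections.Generic.List[byte]
    foreach ($code in $Options.Keys) {
        $val = [byte[]]$Options[$code]
        $opts.Add([byte]$code); $opts.Add([byte]$val.Length); $opts.AddRange($val)
    }
    $opts.Add([byte]255)                                         # end of options
    return [byte[]]($b + $opts.ToArray())
}

function ConvertTo-Dotted([byte[]]$Bytes) { ($Bytes | ForEach-Object { [string]$_ }) -join '.' }

function Read-DhcpMessage([byte[]]$Packet) {
    $opts = @{}; $i = 240
    while ($i -lt $Packet.Length -and $Packet[$i] -ne 255) {
        if ($Packet[$i] -eq 0) { $i++; continue }                 # pad option
        $code = [int]$Packet[$i]; $len = [int]$Packet[$i + 1]
        if ($len -gt 0) { $opts[$code] = [byte[]]$Packet[($i + 2)..($i + 1 + $len)] }
        $i += 2 + $len
    }
    $names = @{ 1 = 'DHCPDISCOVER'; 2 = 'DHCPOFFER'; 3 = 'DHCPREQUEST'; 5 = 'DHCPACK'; 6 = 'DHCPNAK' }
    $lease = $null; $t1 = $null; $t2 = $null
    if ($opts.ContainsKey(51)) {                                  # option 51: lease time, big-endian seconds
        $v = $opts[51]
        $lease = [int64]$v[0] * 16777216 + [int64]$v[1] * 65536 + [int64]$v[2] * 256 + [int64]$v[3]
        $t1 = [math]::Floor($lease * 0.5)                         # renew: unicast to the leasing server
        $t2 = [math]::Floor($lease * 0.875)                       # rebind: broadcast to any server
    }
    $serverId = ''
    if ($opts.ContainsKey(54)) { $serverId = ConvertTo-Dotted $opts[54] }
    New-Object PSObject -Property @{
        Type      = $names[[int]$opts[53][0]]
        Xid       = '0x{0:X8}' -f [BitConverter]::ToUInt32($Packet, 4)
        Broadcast = (($Packet[10] -band 0x80) -ne 0)
        Yiaddr    = ConvertTo-Dotted $Packet[16..19]
        ServerId  = $serverId
        LeaseSec  = $lease; T1Sec = $t1; T2Sec = $t2
    }
}

$mac      = [byte[]](0x00, 0x15, 0x5D, 0x00, 0x00, 0x55)   # constructed client MAC
$xid      = [uint32]0x3903F326                             # constructed transaction ID
$server   = [byte[]](10, 10, 0, 10)                        # NYC-DC1 as server identifier (option 54)
$fiveDays = [byte[]](0x00, 0x06, 0x97, 0x80)               # 432000 seconds, option 51

$discover = New-DhcpMessage -Op 1 -Xid $xid -Broadcast $true -ClientMac $mac `
    -Options @{ 53 = [byte[]]1 }
$offer    = New-DhcpMessage -Op 2 -Xid $xid -Broadcast $true -ClientMac $mac `
    -Yiaddr '10.10.0.55' -Siaddr '10.10.0.10' `
    -Options @{ 53 = [byte[]]2; 54 = $server; 51 = $fiveDays; 1 = [byte[]](255, 255, 0, 0); 3 = [byte[]](10, 10, 0, 1) }
$request  = New-DhcpMessage -Op 1 -Xid $xid -Broadcast $true -ClientMac $mac `
    -Options @{ 53 = [byte[]]3; 54 = $server; 50 = [byte[]](10, 10, 0, 55) }   # 54 names the chosen server
$ack      = New-DhcpMessage -Op 2 -Xid $xid -Broadcast $true -ClientMac $mac `
    -Yiaddr '10.10.0.55' -Siaddr '10.10.0.10' `
    -Options @{ 53 = [byte[]]5; 54 = $server; 51 = $fiveDays }

@($discover, $offer, $request, $ack) | ForEach-Object { Read-DhcpMessage $_ } |
    Format-Table Type, Xid, Broadcast, Yiaddr, ServerId, LeaseSec, T1Sec, T2Sec -AutoSize
```

Reading the decoded table against the four steps: the DISCOVER and REQUEST carry op 1 and no offered address, the REQUEST is the only client message with a server identifier, and the OFFER and ACK both carry the lease time from which the client computes its renewal (T1, 216000 s) and rebinding (T2, 378000 s) points.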


Demonstration: Adding and Authorizing the DHCP Server Role

Key Points

In this demonstration, you will see how to:

• Install the DHCP server role.

• Verify that the DHCP server is authorized.

Demonstration Steps:
1. Open Server Manager and install the DHCP server role.

2. After the server role is installed, open the DHCP console, right-click DHCP, click Manage authorized servers, and verify that the server is listed as an authorized DHCP server.
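The following script is an added example, not part of the handbook, that performs the same installation and authorization from PowerShell on Windows Server 2008 R2 and then audits, from any domain member, whether the server that actually leased the local address is one of the authorized ones, which is the check that exposes the rogue servers described in the previous topic. The server name and addresses are the lab's; the assumption that netsh prints each authorized server on a line containing "Address" followed by the IP address is an assumption about that tool's output format, and the script must run as an Enterprise Admin for the authorization step.

```powershell
# Added example (not from the handbook): install, authorize and audit the DHCP
# Server role. Names are the lab's; the netsh output format parsed below is assumed.
Import-Module ServerManager
Add-WindowsFeature DHCP                  # on Windows Server 2008 without R2: servermanagercmd -install DHCP
netsh dhcp add securitygroups            # creates the DHCP Administrators / DHCP Users local groups
Restart-Service DHCPServer

# Authorize this server. The entry lands in the forest-wide configuration partition
# (CN=NetServices,CN=Services,CN=Configuration), which is why Enterprise Admins rights are needed.
netsh dhcp add server nyc-dc1.contoso.com 10.10.0.10

# The service starts only once its own address appears in this list
netsh dhcp show server

# Audit from any domain member: compare the server that actually leased this host's
# address with the authorized list. A mismatch means a rogue server or a misdirected relay.
function Test-DhcpServerAuthorized {
    $authorizedIps = netsh dhcp show server |
        ForEach-Object { if ($_ -match 'Address\W+([\d\.]+)') { $Matches[1] } }
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'DHCPEnabled=TRUE AND IPEnabled=TRUE' |
        ForEach-Object {
            New-Object PSObject -Property @{
                Adapter    = $_.Description
                DhcpServer = $_.DHCPServer
                Authorized = ($authorizedIps -contains $_.DHCPServer)
            }
        }
}
Test-DhcpServerAuthorized | Format-Table Adapter, DhcpServer, Authorized -AutoSize
```

Run the audit function on a few clients per subnet when users report wrong gateways or DNS servers: an adapter whose DhcpServer column is not in the authorized list points directly at the device that must be disconnected or have its DHCP service disabled.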


Lesson 5

Configuring DHCP Scopes and Options

To manage the DHCP Server role effectively, you need to understand scopes and options. This lesson provides information on how to configure a scope and on the various types of options that can be configured to support the scope. Finally, the lesson introduces common issues that you may face and how to address them.

Objectives
After completing this lesson, you will be able to:

• Describe DHCP scopes.

• Configure a DHCP scope.

• Describe DHCP options.

• Describe DHCP class-level options.

• Describe DHCP reservations.

• Configure a DHCP option and a reservation.

• Describe how DHCP options are applied.

• Describe common DHCP troubleshooting issues.


What Are DHCP Scopes?

Key Points
A DHCP scope is a group of IP addresses on a subnet that are available for lease to network clients.

Each scope will contain the following:

• A scope name.

• A range of IP addresses to include and exclude.

• For IPv4 scopes: A subnet mask to determine the subnet for addresses.

• For IPv6 scopes: a prefix and a preference value.

• Lease duration values.

• Reservations used to ensure that a DHCP client always is assigned the same IP address.

• DHCP scope options such as the IP address of the DNS server and the IP address of the router.

To create a DHCP scope, you need to be a member of the Administrators group or the DHCP Administrators group on the server.

What Are Superscopes and Multicast Scopes?
A superscope is a collection of scopes that are grouped together into a single administrative unit. This allows clients to receive an IP address from multiple logical subnets, even when they are on the same physical subnet.

A superscope is useful in several situations. For example, if a scope has been depleted of addresses and you cannot add more addresses from the subnet, you can add a new scope to the DHCP server. This scope leases addresses to clients on the same physical network, but the clients are logically on a separate network. This is known as multinetting. You need to configure routers to recognize the new subnet to ensure local communication on the physical network.


A superscope is also useful when there is a need to move clients gradually into a new IP-numbering scheme. By having both numbering schemes coexist for the original lease's duration, you can move clients into the new subnet transparently. When you have renewed all client leases in the new subnet, you can retire the old one.

Multicast Scopes
A multicast scope is a collection of IPv4 multicast addresses from the class D range, 224.0.0.0 through 239.255.255.255. These addresses are used when an application needs to communicate efficiently with many clients simultaneously. A multicast scope is also known as a Multicast Address Dynamic Client Allocation Protocol (MADCAP) scope. Applications that request addresses from these scopes need to support the MADCAP application programming interface (API).


Demonstration: Configuring a DHCPv4 Scope

Key Points
In this demonstration, you will see how to:

• Create and activate a DHCP scope.

Demonstration Steps:
1. Open the DHCP console.

2. Right-click the IPv4 node and use the New Scope Wizard to create a new scope. Provide the Name, IP Address Range, Exclusions, and Options.


What Are DHCP Options?

Key Points
A DHCP server typically provides more than just an IP address to a client. DHCP also provides information about network resources such as the IP addresses of DNS servers and the router. You can apply DHCP options at the following levels:

• Server options. Options configured at the server level apply to all scopes hosted on the server.

• Scope options. Options configured at the scope level apply only to the scope for which they are configured.

An option code identifies each DHCP option; most option codes are defined in IETF RFC documents (the standard IPv4 options are listed in RFC 2132).

The following table provides a list of sample IPv4 option codes:

Option code   Option name
003           Router
006           DNS servers
015           DNS domain name
023           Default IP time-to-live
031           Perform router discovery
033           Static route option
043           Vendor-specific information
044           WINS/NBNS servers


What Are DHCP Class-Level Options?

Key Points
You may have a group of computers or users that requires different configuration options from the rest of the scope. For example, computers that access the network through a VPN may need a different router setting from computers that connect from an internal location.

Option classes provide the ability to receive configuration options based on the following:

• User class. You can specify user-class options when you want to set options for a certain class of users, such as users who connect by using Routing and Remote Access or users who are affected by NAP. You can also define your own user class and assign it on each client computer with the ipconfig /setclassid command; for example, you may want to provide only laptop computers with a specific option setting. Both user and vendor class identifiers are supplied by the client itself, so they steer which configuration a client receives, but they cannot enforce it.

• Vendor class. The DHCP Server role supports the ability to distribute options based on the vendor class. An example of using DHCP with a vendor class is disabling NetBIOS over TCP/IP for clients that report a vendor class matching Windows 2000 or Windows XP. Another example is configuring specific options for a certain computer brand.


What Is a DHCP Reservation?

Key Points
A DHCP reservation sets aside an IPv4 address within a scope for use by one specific DHCP client, identified by its MAC address.

It is often desirable to give servers and printers a reserved IP address. This ensures that the address will not be assigned inadvertently to another device, which would cause an IP address conflict, and that devices with reservations still obtain an address if the scope is otherwise depleted. Configuring a reservation lets you manage these addresses centrally without resorting to a manually configured static IP address on each device. Because the reservation is keyed on a MAC address that the client controls, it does not prove the identity of the device that receives the address.

Configuring a DHCP Reservation
You can configure custom DHCP options for reservations. These settings override all other DHCP options that you configure at higher levels.

To configure an IPv4 DHCP reservation, you must know the device's MAC (physical) address. This address tells the DHCP server which device the reservation belongs to. You can find a network interface's MAC address by using the ipconfig /all command.

MAC addresses for network printers and other network devices are printed on the device itself. Somelaptop computers may also note this information on the lower part of their chassis.


Demonstration: Configuring DHCP Options and Reservations

Key Points
In this demonstration, you will see how to:

• Configure a DHCP scope option.

• Configure a DHCP user class option.

• Enable the user class on the scope and configure the client computer's user class ID.

• Configure a DHCP reservation.

Demonstration Steps:
1. Open the DHCP console.

2. Expand the scope, and then click the Scope Options node.

3. Right-click the Scope Options node and click Configure Options .

4. Configure options as needed.

5. Under the scope, click Reservations .

6. Right-click Reservations , and click New Reservation .

7. Create a new reservation by providing the IP address and MAC address for the client.

8. Configure reservation-specific options for the client.


How DHCP Options Are Applied

Key Points
If you have configured DHCP options at multiple levels (server, scope, class, and reservation), DHCP applies options to client computers in the following order, with each level overriding the previous one:

1. Server level

2. Scope level

3. Class level

4. Reserved-client level

For example, if you configure a router setting at the server level and a different router setting at the class level, the class-level value overrides the server-level value. Options configured for a reserved client always take precedence over every other level.

You need to understand these options when you are troubleshooting DHCP.
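The following function is an added example, not part of the handbook and not a DHCP Server API, that models the precedence described above: each level is a hashtable of option code to value, the levels are applied in server, scope, class, reservation order, and the result records which level supplied each effective value. The sample configuration at the end is constructed data chosen to show every override case, with addresses borrowed from Lab B.

```powershell
# Added example (not from the handbook): a model of DHCP option precedence.
# Later levels overwrite earlier ones; the "From" column records the winning level.
# All option values below are constructed sample data.
function Resolve-DhcpOptions {
    param(
        [hashtable]$Server      = @{},
        [hashtable]$Scope       = @{},
        [hashtable]$Class       = @{},
        [hashtable]$Reservation = @{}
    )
    $effective = @{}
    $source    = @{}
    $levels = @(
        @{ Name = 'Server';      Options = $Server },
        @{ Name = 'Scope';       Options = $Scope },
        @{ Name = 'Class';       Options = $Class },
        @{ Name = 'Reservation'; Options = $Reservation }
    )
    foreach ($level in $levels) {
        foreach ($code in $level.Options.Keys) {
            $effective[$code] = $level.Options[$code]   # overwrite whatever a lower level set
            $source[$code]    = $level.Name
        }
    }
    foreach ($code in ($effective.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Option = ('{0:000}' -f [int]$code)
            Value  = $effective[$code]
            From   = $source[$code]
        }
    }
}

# Sample configuration: server-wide DNS server and domain name, a scope router,
# a VPN user class that swaps the router, and a printer reservation with its own DNS server.
Resolve-DhcpOptions `
    -Server      @{ 6 = '10.10.0.10'; 15 = 'contoso.com' } `
    -Scope       @{ 3 = '10.10.0.1' } `
    -Class       @{ 3 = '10.10.0.254' } `
    -Reservation @{ 6 = '10.10.0.12' } |
    Format-Table Option, Value, From -AutoSize
```

For the sample input the router (003) resolves to the class value 10.10.0.254, the DNS server (006) to the reservation value 10.10.0.12, and the domain name (015) to the server value, which is exactly the troubleshooting question to ask when a client reports an option value nobody remembers setting: which level supplied it.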


Common DHCP Issues

Key Points
The following table describes common DHCP issues and their possible causes:

Issue: DHCP service does not start
Description: You install DHCP and configure a scope, but the service will not start.
Possible cause: The DHCP server is not in the list of authorized DHCP servers.

Issue: Address conflicts
Description: The same IP address is offered to two different clients.
Possible cause: An administrator deletes a lease, but the client that held it still believes the lease is valid. If the DHCP server does not verify that the address is unused before offering it, it may lease the address to another machine, causing a conflict. This can also occur when two DHCP servers have overlapping scopes.

Issue: Failure to obtain a DHCP address
Description: The client does not receive a DHCP address and instead receives an APIPA self-assigned address (169.254.x.x).
Possible cause: The client's network adapter is configured incorrectly, or no DHCP server or relay agent is reachable from the client's subnet.

Issue: Address obtained from incorrect scope
Description: The client obtains an IP address from the wrong scope, causing communication problems.
Possible cause: This often occurs because the client is connected to the wrong network.

Issue: DHCP database suffers data corruption or loss
Description: The DHCP database becomes unreadable or is lost.
Possible cause: A hardware failure can corrupt the database.

Issue: DHCP server exhausts its IP address pool
Description: The DHCP server's IP scopes have been depleted. Any new client requesting an IP address is refused.
Possible cause: All IP addresses assigned to a scope are leased.
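The following script is an added example, not part of the handbook, that runs one check or corrective command for each row of the table above using netsh.exe and WMI on the DHCP server. The scope address is the one from Lab B; the backup path is an assumption, and the APIPA test can be run on any client.

```powershell
# Added example (not from the handbook): checks that map to the table above.
# Runs on the DHCP server (NYC-DC1); the scope is the lab's, the backup path is assumed.
$Scope = '10.10.0.0'

# "DHCP service does not start": is the service running, and is this server authorized?
Get-Service DHCPServer | Select-Object Name, Status
netsh dhcp show server

# "Address conflicts": make the server ping a candidate address before offering it
# (two attempts), and reconcile the scope's lease database against the registry copy.
netsh dhcp server set detectconflictretry 2
netsh dhcp server scope $Scope initiate reconcile

# "Failure to obtain a DHCP address": an APIPA address (169.254.0.0/16) means no lease.
function Test-ApipaAddress {
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        ForEach-Object {
            $apipa = $_.IPAddress | Where-Object { $_ -like '169.254.*' }
            if ($apipa) { "$($_.Description): APIPA address $apipa, no DHCP lease obtained" }
        }
}
Test-ApipaAddress

# "Address obtained from incorrect scope": which scope holds this client's lease?
netsh dhcp server scope $Scope show clients 1

# "DHCP server exhausts its IP address pool": addresses in use and free, per scope.
netsh dhcp server show mibinfo

# "DHCP database suffers data corruption or loss": keep an export that can be re-imported.
# (The live database lives under %SystemRoot%\System32\dhcp.)
New-Item -ItemType Directory -Path C:\Backup -Force | Out-Null
netsh dhcp server export C:\Backup\dhcp.cfg all
```

The conflict-detection setting is the one that matters most operationally: with it left at its default of 0 the server never checks an address before offering it, so a deleted lease or an overlapping scope turns straight into a duplicate address on the wire.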


Lab B: Installing and Configuring DHCP Server Role

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start , point to Administrative Tools , and then click Hyper-V Manager .

2. In Hyper-V Manager , click 6419B-NYC-DC1 , and in the Actions pane, click Start .

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

5. Repeat the steps 2 through 4 for 6419B-NYC-SVR1.

Lab Scenario
You are the network administrator at Contoso, Ltd. You have just deployed a new subnet and have decided to configure the DHCP service to provide IP addresses and configuration options. You need to address the following requirements:

• Install the DHCP server role on NYC-DC1.

• Configure an IPv4-based scope for the IP range 10.10.0.50 to 10.10.0.100 with a 16-bit (255.255.0.0) subnet mask.

• The lease duration for clients needs to be 5 days.

• Scope options need to include:

• DNS Domain Name: Contoso.com


• DNS Servers: 10.10.0.10

• Router: 10.10.0.1

• A reservation needs to be configured for NYC-SVR1 to automatically assign 10.10.0.55 with the default scope options.


Exercise 2: Configuring DHCP Scopes, Options, and Reservations

Scenario

Now that you have installed the DHCP server role, you need to configure a valid DHCP scope. You also need to configure the options as outlined in the requirements list. Finally, you need to configure the reservation setting for NYC-SVR1.

The main tasks for this exercise are as follows:

1. Configure a DHCP scope.

2. Configure scope options.

3. Configure a DHCP reservation.

Task 1: Configure a DHCP Scope

1. On NYC-DC1, in the DHCP console, use the New Scope Wizard to configure a scope with the following settings:

• Scope Name : ContosoScope1

• Start IP Address : 10.10.0.50

• End IP Address : 10.10.0.100

• Length : 16

• Lease Duration : 5 days

• DHCP Options : Domain Name and DNS Servers set at default

• Activate Scope : Yes

Task 2: Configure Scope Options

1. On NYC-DC1, in the DHCP console, under Scope [10.10.0.0] ContosoScope1, click Scope Options.

2. Add a new scope option for 003 Router with an IP address of 10.10.0.1.

Task 3: Configure a DHCP Reservation

1. On NYC-SVR1, open a command prompt and use ipconfig /all to determine the physical MAC address for the server. Write down the MAC address here: ____________________

On NYC-SVR1, open the Local Area Properties dialog box and configure the network adapter to obtain both the IP address and the DNS server address automatically.

2. On NYC-DC1, configure a DHCP reservation with the following settings:

• Reservation name : NYC-SVR1

• IP address : 10.10.0.55

• MAC Address: [Enter the value recorded in step 1. For example: 00-15-5D-01-71-71]

3. Switch back to NYC-SVR1 and use the ipconfig command to release and then renew the IP address configuration.

4. Verify that NYC-SVR1 receives an IP address of 10.10.0.55 with valid scope options.

Results: At the end of this exercise, you will have configured a DHCP scope, scope options, and a DHCPreservation.
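The end state that Task 3 verifies, as an added Python model that is not part of the course lab (the lab itself is done in the DHCP console): a scope with the lab's range, 5-day lease and options 003/006/015, plus a MAC-based reservation. Running it shows that the reserved MAC always receives 10.10.0.55 together with the scope options, and that no other client is ever handed that address. The MAC is the page's example value; the Scope class and the function names are this example's own.

```python
"""Model of the lab's DHCP scope: dynamic pool, options, lease and a MAC reservation."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict

LEASE_SECONDS = 5 * 24 * 60 * 60   # the lab's 5-day lease, as DHCP option 51 carries it


def normalize_mac(mac: str) -> str:
    """Accept 00:15:5d:01:71:71 or 00-15-5D-01-71-71 and return the ipconfig /all form."""
    digits = mac.replace("-", "").replace(":", "").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Scope:
    name: str
    subnet: ipaddress.IPv4Network            # 10.10.0.0/16 in the lab
    start: ipaddress.IPv4Address             # first dynamically assignable address
    end: ipaddress.IPv4Address               # last dynamically assignable address
    lease_seconds: int
    options: Dict[int, str]                  # option code -> value (003 Router, 006 DNS, 015 domain)
    reservations: Dict[str, ipaddress.IPv4Address] = field(default_factory=dict)  # MAC -> IP
    leases: Dict[str, ipaddress.IPv4Address] = field(default_factory=dict)        # MAC -> IP

    def __post_init__(self):
        if self.start not in self.subnet or self.end not in self.subnet or self.start > self.end:
            raise ValueError("scope range must lie inside the scope's subnet")

    def add_reservation(self, mac: str, ip: str) -> None:
        address = ipaddress.IPv4Address(ip)
        if address not in self.subnet:
            raise ValueError(f"{ip} is outside {self.subnet}")
        if address in self.reservations.values():
            raise ValueError(f"{ip} is already reserved")
        self.reservations[normalize_mac(mac)] = address

    def offer(self, mac: str) -> Dict[str, object]:
        """What a DHCPOFFER for this client carries: address, lease time and scope options."""
        key = normalize_mac(mac)
        if key in self.reservations:
            address = self.reservations[key]       # reservation wins over the pool
        elif key in self.leases:
            address = self.leases[key]             # renewal keeps the current address
        else:
            address = self._next_free()
        self.leases[key] = address
        offer = {"ip": str(address), "lease_seconds": self.lease_seconds}
        offer.update({f"option_{code:03d}": value for code, value in self.options.items()})
        return offer

    def _next_free(self) -> ipaddress.IPv4Address:
        # Reserved addresses are never handed out dynamically, even inside the range.
        taken = set(self.reservations.values()) | set(self.leases.values())
        candidate = self.start
        while candidate <= self.end:
            if candidate not in taken:
                return candidate
            candidate += 1
        raise RuntimeError("scope exhausted")


def build_lab_scope() -> Scope:
    """ContosoScope1 as the exercise specifies it (constructed from the lab's values)."""
    scope = Scope(
        name="ContosoScope1",
        subnet=ipaddress.IPv4Network("10.10.0.0/16"),
        start=ipaddress.IPv4Address("10.10.0.50"),
        end=ipaddress.IPv4Address("10.10.0.100"),
        lease_seconds=LEASE_SECONDS,
        options={15: "Contoso.com", 6: "10.10.0.10", 3: "10.10.0.1"},
    )
    scope.add_reservation("00-15-5D-01-71-71", "10.10.0.55")   # NYC-SVR1, the page's example MAC
    return scope


if __name__ == "__main__":
    lab = build_lab_scope()
    print("NYC-SVR1:", lab.offer("00:15:5d:01:71:71"))
    print("other client:", lab.offer("00-15-5D-AA-BB-01"))
```

The model mirrors the order in which the lab's pieces interact: the reservation is matched first on the client's MAC, renewals keep their address, and only then is the dynamic pool consulted, with reserved addresses skipped.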


To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6419B-NYC-SVR1.


Windows Server 2008 R2 feature: Description

to be cryptographically signed.

DNS Devolution: Automatically set to the number of labels in the forest root domain.

DNS Cache Locking: When enabled, the DNS server will not allow cached records to be overwritten for the duration of the TTL value.

DNS Socket Pool: Uses a random port number for issuing queries.

Link-Layer Filtering: Allows you to specifically allow or deny DHCP leases based on the MAC address presented by the client.

DHCP Split-Scope Configuration Wizard: The Split-Scope Wizard provides an automated method for configuring a split-scope configuration.

DHCP Name Protection: Prevents non-Windows-based computers from directly registering a name and an IP address in DNS.

Tools

Tool: Use for; Where to find it

Server Manager: Managing a Windows Server 2008 server; Start Menu

DHCP console: Managing DHCP; Administrative Tools

DNS Manager: Managing a DNS server; Administrative Tools

DNSLint: Generating DNS configuration reports; http://download.microsoft.com/download/2/7/2/27252452-e530-4455-846a-dd68fc020e16/dnslint.v204.exe


Module 3
Configuring Access to File Services

Contents:

Lesson 1: Overview of Access Control 3-3

Lesson 2: Managing NTFS File and Folder Permissions 3-13

Lesson 3: Managing Permissions for Shared Resources 3-23

Lesson 4: Determining Effective Permissions 3-36

Lab: Managing Access to File Services 3-43


Lesson 1

Overview of Access Control

To manage access to resources, you must understand how the Windows Server 2008 operating systemuses a number of different objects and methods to control access to resources. You need to evaluatecertain aspects of the operating system environment to ensure that the level of access for any givenscenario is clearly defined.

This lesson helps you understand what these objects, methods, and operating system variables are and how they work together to provide a secure and reliable access control mechanism for the Windows Server environment.

Objectives

After completing this lesson, you will be able to:

• Describe the concept of security principals and security identifiers.

• Describe access tokens.

• Describe how permissions control access to resources.

• Describe how access control works.

• Describe access-based enumeration.


What Are Security Principals?

Key Points

In basic terms, a security principal defines who you are within the Windows Server environment. Specifically, a security principal is represented by a user, group, or computer object that you can use for authentication and for assigning access to resources, such as files or folders on an NTFS volume or objects within an Active Directory domain.

In Windows Server 2008, a security principal is stored and managed in one of the following two locations:

• Local Security Accounts Manager database

Each Windows Server 2008 computer maintains its own local security database, called the Security Accounts Manager (SAM). You can use the security principals located in a computer’s local SAM to manage access to resources on that specific computer.

• Active Directory Domain Services database

When a Windows Server 2008 computer is joined to an Active Directory domain, security principals for users and groups using that computer are commonly stored in the Active Directory Domain Services (AD DS) database, which functions as the primary container for storing objects within the domain, such as security principals. The AD DS database is typically replicated between multiple servers in the domain, and is queried whenever information regarding a domain security principal or resource is needed.

A security principal created and stored in Active Directory can be used to manage access to resources on any computer that belongs to the domain.

Note: The AD DS database is used for much more than storing security principal and resourceinformation. You will learn more about Active Directory and its various components later in thiscourse.


Security Identifier

Each security principal created, whether stored in the local SAM or in Active Directory, is issued a security identifier (SID).

A security principal’s SID is issued when the security principal is created. A SID is represented by an alphanumeric value that uniquely identifies the security principal within the Windows environment, whether in a local SAM database or within Active Directory.

When displayed in text, each SID begins with the letter S followed by its various numeric components, separated by hyphens.

S-1-5-21-1673587447-2629168963-360789496-1000

The SID above references a user account in a Windows Server 2008 domain. Like all SIDs, it starts with the letter S. The number that follows, 1, is the SID’s revision number. The next number, 5, is the identifier authority value; in this case, the Windows NT security authority. The next four numbered groupings are the sub-authority values, which are what make this particular SID unique. For a computer not joined to a domain, they identify the computer itself as a security principal. In a domain environment, they identify both the domain itself and the first computer that was declared as a domain controller for the domain. The last value, in this case 1000, is referred to as the relative identifier, or RID.

Relative Identifier

The relative identifier (RID) is used to uniquely identify user accounts or groups within an individualcomputer or domain. Each user-created account and group is represented by a system-generated RID,beginning with 1000. System-generated accounts and groups, such as the Administrator and Guestaccounts or the BUILTIN\Administrators group, are represented by constant value RIDs that remain thesame across any installation of Windows. For example, a RID of 500 will always be used to identify theSystem Administrator account in any computer or domain. As such, the SID for the Administrator accountin the domain that the given SID belongs to appears as follows:

S-1-5-21-1673587447-2629168963-360789496-500

The following table illustrates the RID value for some other common Windows accounts and groups:

Relative Identifier (RID) Value    Windows Account or Group Object

500 Administrator account

501 Guest account

512 Domain Admins group

544 BUILTIN\Administrators group

545 BUILTIN\Users group
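The SID structure just described, as an added worked example that is not part of the course handbook: a small Python parser that splits a SID into its revision, identifier authority and sub-authorities, recovers the domain (or machine) portion, derives the SID of another account in the same domain such as the Administrator (RID 500), and classifies the RID using the table above. The Sid class and the function names are this example's own; the well-known RID lookup is copied from the table, and the SIDs it runs on are the ones printed on this page.

```python
"""Parse a textual Windows SID into its parts and classify its RID."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Well-known RIDs, copied from the table above (lookup constructed for this example).
WELL_KNOWN_RIDS = {
    500: "Administrator account",
    501: "Guest account",
    512: "Domain Admins group",
    544: "BUILTIN\\Administrators group",
    545: "BUILTIN\\Users group",
}
NT_AUTHORITY = 5          # identifier authority value of Windows security principals
DOMAIN_SUBAUTHORITY = 21  # first sub-authority of every machine or domain account SID


def format_sid(revision: int, authority: int, subs: Sequence[int]) -> str:
    """Render the components back into the S-R-A-S1-S2-... text form."""
    return "-".join(["S", str(revision), str(authority), *(str(s) for s in subs)])


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]   # includes the trailing RID

    @property
    def rid(self) -> Optional[int]:
        """The relative identifier is always the last sub-authority."""
        return self.sub_authorities[-1] if self.sub_authorities else None

    @property
    def is_domain_or_machine_account(self) -> bool:
        return self.authority == NT_AUTHORITY and self.sub_authorities[:1] == (DOMAIN_SUBAUTHORITY,)

    @property
    def domain_sid(self) -> Optional[str]:
        """Everything but the RID: identifies the computer or domain that issued the SID."""
        if not self.is_domain_or_machine_account or len(self.sub_authorities) < 2:
            return None
        return format_sid(self.revision, self.authority, self.sub_authorities[:-1])

    def sibling(self, rid: int) -> str:
        """SID of another account in the same domain, for example the Administrator (RID 500)."""
        if self.domain_sid is None:
            raise ValueError("not a domain or machine account SID")
        return f"{self.domain_sid}-{rid}"

    def __str__(self) -> str:
        return format_sid(self.revision, self.authority, self.sub_authorities)


def parse_sid(text: str) -> Sid:
    """Split 'S-1-5-21-...' into its numeric components, rejecting malformed input."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {text!r}")
    try:
        numbers = [int(p) for p in parts[1:]]
    except ValueError:
        raise ValueError(f"non-numeric component in SID: {text!r}") from None
    revision, authority, *subs = numbers
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    return Sid(revision, authority, tuple(subs))


def describe_rid(sid: Sid) -> str:
    """Well-known RIDs are constant; user-created accounts and groups start at 1000."""
    rid = sid.rid
    if rid is None:
        return "no RID"
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= 1000:
        return "user-created account or group"
    return "other system-defined account or group"


if __name__ == "__main__":
    user = parse_sid("S-1-5-21-1673587447-2629168963-360789496-1000")
    print(user, "->", describe_rid(user), "in domain", user.domain_sid)
    print("Administrator of that domain:", user.sibling(500))
```

Because the well-known RIDs are constant, the same lookup works for a local SAM SID and a domain SID: only the sub-authority part in front of the RID differs.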


What Are Permissions?

Key Points

Permissions are the rules used to determine what operations can be performed on a specific object, such as a file or a folder, by a specific user. Permissions can be granted or denied by the owner of an object and by anyone with rights to modify permissions for that object. Typically, this includes administrators on the system and on the domain. If you own an object, you can grant any user or security group any permission on that object, including the permission to take ownership.

Permissions are assigned in the Windows environment by either granting or denying a specific level ofaccess to a security principal; most often a user or a group. Local principals are used to assign permissionsfor local resources, and domain-based principals are used to assign permissions for resources in an ActiveDirectory domain.

Permissions can be assigned to an object in one of two ways.

Explicit Permissions

When permissions are set directly on an object within the Windows environment, such as a file or folder, the permissions are explicitly applied. The permissions have been assigned to the object directly by modifying the security settings in the object’s Properties dialog box.

Inherited Permissions

Resources in a Windows environment, such as files and folders, are typically arranged in a nested or tree structure. Typically, a folder contains other folders or files, and those folders may contain further files or folders.

Permission inheritance allows for child objects to inherit the permissions settings of their parent object.This behavior allows explicit permissions to be assigned to a small number of objects and have inheritancepass those permissions settings down to child objects within the object structure.


Inheritance behavior can be controlled for each object, either choosing to inherit its parent’s permissionsettings or to have its own explicitly defined set of permissions.


How Access Control Works

Key Points

The main idea behind access control is that principals, such as users, groups, or computers, request access to resources, such as files, folders, and printers.

Access Control Essentials

The details of access control are complex. For example, consider a user named Adam Carter who attempts to open a document, Report.doc, in Microsoft Word. In this case, it’s not Adam’s account that requests access to Report.doc. Rather, the Microsoft Word application process uses an internal object referred to as a thread, which requests access by using Adam’s access token. Provided that Adam is granted the appropriate permissions, the document opens in Word and Adam is able to view and possibly edit the contents, depending on the level of permission granted to his user and group accounts.

Access Control Components

Discretionary Access Control List

The Discretionary Access Control List (DACL) is the key component in managing access control to Windows-based resources. For each resource, a DACL determines which principals have access to that resource and exactly what level of access they have. Each DACL consists of zero or more Access Control Entries.

Access Control Entry

Each Access Control Entry (ACE) that exists within the DACL defines a specific rule containing the following three key elements:

• Access type. This can either be allow or deny.

• A SID for the principal to which the rule is applied. This is typically the SID of a user or group.

• A list of the types of access controlled by the ACE. This list contains specific capabilities (read, write,modify, and full control) that the SID is either allowed or denied.


Note: If a DACL contains no ACEs, access is denied to the object for everyone.

How Windows Uses DACLs and ACEs to Control Access

The following table represents a DACL for an object in Windows and two threads, running under the context of different users, attempting to access the object.

Processing ACEs in a DACL

The ACEs within each DACL are processed in the following order:

1. All explicit ACEs are placed in a group before any inherited ACEs. This means that explicitly definedpermissions always override those inherited from a parent.

2. Within the group of explicit ACEs, access-denied ACEs are placed before access-allowed ACEs.

3. Inherited ACEs are placed in the order in which they are inherited. ACEs inherited from the childobject's parent come first, followed by ACEs inherited from the grandparent, and so on.

4. For each level of inherited ACEs, access-denied ACEs are placed before access-allowed ACEs.

In general, according to these rules, explicitly defined permissions take priority over inherited permissionsand within those two groups, denied permissions take precedence over allowed permissions.

The results for the example below are as follows:

• Thread 1 that uses Adam Carter’s access token is denied access to the object.

• Thread 2 that uses Bobby Moore’s access token is permitted to Read, Write, and Execute the object inquestion.

DACL

ACE1: Deny Access; Adam Carter (SID); Read, Write, Execute

ACE2: Allow Access; Production Group (SID); Write

ACE3: Allow Access; Everyone Group (SID); Read, Execute

Thread 1 Access Token: Adam Carter, Marketing Group, Production Group, Research Group

Thread 2 Access Token: Bobby Moore, Production Group

Although the example in the table does not specifically denote whether the permissions are explicitlydefined or inherited, you can see that the Deny Access for Read, Write, and Execute permissions takesprecedence over any of the Allow Access permissions, thereby denying Adam’s thread the access to thisobject.


Note: Objects also have System Access Control Lists (SACLs) that can contain ACEs just like a DACL. However, the ACEs in a SACL are used to record access to an object for auditing purposes rather than to control access for security purposes, as the DACL does.


Lesson 2

Managing NTFS File and Folder Permissions

NTFS has been the primary file system of the Windows Server operating system for more than 15 years.One of the keys to its longevity is the logical and efficient way that NTFS manages file properties likepermissions and the way that NTFS has evolved and enhanced its interaction with Windows operatingsystems.

To manage and use a Windows Server environment effectively, you need to know the methods that NTFS uses to assign and propagate properties to files and folders.

Objectives

After completing this lesson, you will be able to:

• Describe NTFS permissions.

• Describe standard and advanced permissions.

• Discuss NTFS permission inheritance.

• Determine the effect of copying or moving files and folders.


What Are NTFS Permissions?

Key Points

NTFS permissions are assigned to files or folders on a storage volume formatted with NTFS. The permissions assigned to NTFS files and folders govern user access to these files and folders.

The following points describe the key aspects of NTFS permissions:

• NTFS permissions can be assigned to an individual file or folder, or sets of files or folders.

• NTFS permissions can be assigned individually to security principals, which include users, groups, and computers.

• NTFS permissions are controlled by denying or allowing specific types of NTFS file and folder access,such as read or write.

• NTFS permissions can be inherited from parent folders. By default, the NTFS permissions assigned to afolder will be also assigned to newly created folders or files within that parent folder.

NTFS Permissions Examples

The following describes a basic example of assigning NTFS permissions.

For the Marketing Pictures folder, an administrator has chosen to assign Allow permissions to AdamCarter for the Read permission type. Under default NTFS permissions behavior, Adam Carter will haveRead access to the files and folders contained in the Marketing Pictures folder.

When applying NTFS permissions, the results are cumulative. For example, let’s carry on with the givenexample and say that Adam Carter is also a part of the Marketing group. The Marketing group has beengiven Write permissions on the Marketing Pictures folder. When we combine the permissions assigned toAdam Carter’s user account with the permissions assigned to the Marketing group, Adam would haveboth Read and Write permissions for the Marketing Pictures folder.

NTFS Permissions: Important Rules

There are a few key rules to examine when working with NTFS permissions.


There are two groupings of NTFS permissions.

• Explicit vs. Inherited. When you apply NTFS permissions, permissions that are explicitly applied to a file or a folder take precedence over those that are inherited from a parent folder.

• Deny vs. Allow. After NTFS permissions have been divided into explicit and inherited permissions, any Deny permissions that exist override conflicting Allow permissions within the group.

Therefore, taking these rules into account, NTFS permissions apply in the following order:

1. Explicit Deny

2. Explicit Allow

3. Inherited Deny

4. Inherited Allow

It is important to remember that NTFS permissions are cumulative, and these rules are applied only whentwo NTFS permission settings conflict with each other.
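The rules above, the cumulative Marketing Pictures example earlier in this lesson, and the DACL walk from Lesson 1 (the Adam Carter and Bobby Moore threads) are all one algorithm: sort the ACEs into canonical order (explicit before inherited, Deny before Allow at each level), then walk them for a request, stopping at the first Deny that covers an unresolved right and accumulating Allows until every requested right is granted. The following added Python model (not code from the course) implements that walk and reproduces both examples, plus the conflict case of an inherited Deny against an explicit Allow. Principal names stand in for SIDs, the Ace class and function names are this example's own, and treating Everyone as a member of every token is a modelling assumption that matches how Windows builds access tokens.

```python
"""Canonical ACE ordering and the access check that the DACL rules above describe."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set, Tuple

# Principal names stand in for SIDs in this model (constructed sample data).
EVERYONE = "Everyone Group"
RIGHTS = ("Read", "Write", "Execute")


@dataclass(frozen=True)
class Ace:
    allow: bool                 # True = Allow Access, False = Deny Access
    principal: str              # SID of the user or group the rule applies to
    rights: FrozenSet[str]      # access types controlled by this ACE
    inherited_from: int = 0     # 0 = explicit, 1 = from parent, 2 = from grandparent, ...


def canonical_order(dacl: Iterable[Ace]) -> List[Ace]:
    """Rules 1-4: explicit ACEs first, then inherited by distance; Deny before Allow at each level."""
    return sorted(dacl, key=lambda ace: (ace.inherited_from, ace.allow))


def access_check(dacl, token, requested) -> Tuple[bool, str]:
    """Decide one access request the way the ACE walk does.

    token: SIDs carried in the thread's access token. Windows places Everyone in every
    token, so that membership is assumed here too (modelling assumption).
    """
    remaining: Set[str] = set(requested)
    if not remaining:
        raise ValueError("no access type requested")
    if not dacl:
        return False, "empty DACL: access denied to everyone"
    members = set(token) | {EVERYONE}
    for ace in canonical_order(dacl):
        if ace.principal not in members:
            continue                       # rule does not apply to this token
        hit = ace.rights & remaining
        if not hit:
            continue                       # ACE says nothing about what is still unresolved
        if not ace.allow:
            return False, f"Deny ACE for {ace.principal} covers {sorted(hit)}"
        remaining -= hit                   # allowed rights accumulate
        if not remaining:
            return True, "every requested access type was allowed"
    return False, f"no ACE allows {sorted(remaining)}"


def effective_rights(dacl, token, all_rights=RIGHTS) -> FrozenSet[str]:
    """Cumulative result: each right the token can obtain on its own."""
    return frozenset(r for r in all_rights if access_check(dacl, token, {r})[0])


# The DACL from the "How Windows Uses DACLs and ACEs" table (all ACEs explicit).
TABLE_DACL = [
    Ace(False, "Adam Carter", frozenset(RIGHTS)),
    Ace(True, "Production Group", frozenset({"Write"})),
    Ace(True, EVERYONE, frozenset({"Read", "Execute"})),
]
THREAD1_TOKEN = {"Adam Carter", "Marketing Group", "Production Group", "Research Group"}
THREAD2_TOKEN = {"Bobby Moore", "Production Group"}

# The Marketing Pictures folder: Adam gets Read, the Marketing group gets Write.
MARKETING_PICTURES_DACL = [
    Ace(True, "Adam Carter", frozenset({"Read"})),
    Ace(True, "Marketing Group", frozenset({"Write"})),
]
ADAM_TOKEN = {"Adam Carter", "Marketing Group"}

# Conflict: a Deny inherited from the parent folder versus an explicit Allow on the object.
INHERITED_DENY_VS_EXPLICIT_ALLOW = [
    Ace(False, "Marketing Group", frozenset({"Read"}), inherited_from=1),
    Ace(True, "Adam Carter", frozenset({"Read"})),
]

if __name__ == "__main__":
    print("Thread 1:", sorted(effective_rights(TABLE_DACL, THREAD1_TOKEN)))
    print("Thread 2:", sorted(effective_rights(TABLE_DACL, THREAD2_TOKEN)))
    print("Marketing Pictures:", sorted(effective_rights(MARKETING_PICTURES_DACL, ADAM_TOKEN)))
    print("Explicit Allow vs inherited Deny:",
          access_check(INHERITED_DENY_VS_EXPLICIT_ALLOW, ADAM_TOKEN, {"Read"}))
```

In the conflict case the explicit Allow wins only because explicit ACEs are walked before inherited ones: the Read request is fully satisfied before the inherited Deny is ever reached. Swap the two ACEs' explicit/inherited roles and the same request is denied, which is the order 1 to 4 listed above. The model leaves out ownership, SACLs and the generic right mappings; it covers only the DACL walk.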

Note: Further detail regarding conflicting and inherited permissions will be covered later in this lesson.

How to Configure NTFS Permissions

You can view and configure NTFS permissions by following these steps:

1. Right-click the file or folder you want to assign permissions for and click Properties .

2. In the Properties window, click the Security tab.

In this tab, you can select the current users or groups that have been assigned permissions to view thespecific permissions assigned to each principal.

3. To open an editable permissions dialog box so you can modify existing permissions or add new usersor groups, click the Edit button.

Note: More complex permissions settings will be discussed later in this lesson.


What Are Standard and Advanced Permissions?

Key Points

Assignable NTFS permissions fall into two categories, Standard and Advanced.

Standard Permissions

Standard permissions provide the most commonly used permission settings for files and folders, and are presented for assignment in the main NTFS permissions assignment window.

Standard permissions for NTFS files and folders consist of the following:

File permissions: Description

Full Control: Allows the user complete control of the file or folder, including control of permissions.

Modify: Allows the user to read and write the file or folder.

Read and Execute: For a file, allows the user to read the file and start programs. For a folder, allows the user to see the folder content and start programs.

Read: Allows the user read-only access.

Write: For a file, allows the user to change file contents and delete files. For a folder, allows the user to change folder content and delete files.

List folder contents (folders only): Allows the user to view the contents of the folder only; no access is given to the actual folder contents.

Note: Giving users Full Control permissions on a file or a folder not only gives them the ability toperform any file system operation on the object, but also the ability to change permissions on theobject. They can also remove permissions on the resource for any or all users, including you.


Advanced Permissions

Advanced permissions allow for a much finer level of control over NTFS files and folders. Advanced permissions are accessible from the Security tab of a file or folder’s Properties sheet by clicking the Advanced button.

Advanced permissions for NTFS files and folders consist of the following:

File Permission    Description

Traverse Folder/Execute File
    The Traverse Folder permission applies only to folders. This permission allows or denies the user moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders. The Traverse Folder permission takes effect only when the group or user is not granted the Bypass Traverse Checking user right, which is configured in the Group Policy snap-in. By default, the Everyone group is given the Bypass Traverse Checking user right.
    The Execute File permission allows or denies running program files.
    If you set the Traverse Folder permission on a folder, the Execute File permission is not automatically set on all files in that folder.

List Folder/Read Data
    The List Folder permission allows the user to view file names and subfolder names. The List Folder permission applies only to folders and affects only the contents of that folder. This permission does not affect whether the folder you are setting the permission on is itself listed. Also, this setting has no effect on viewing the file structure from the command-line interface.
    The Read Data permission applies only to files and allows or denies the user viewing data in files.

Read Attributes
    The Read Attributes permission allows the user to view the basic attributes of a file or a folder, such as the read-only and hidden attributes. Attributes are defined by NTFS.

Read Extended Attributes
    The Read Extended Attributes permission allows the user to view the extended attributes of a file or folder. Extended attributes are defined by programs and can vary by program.

Create Files/Write Data
    The Create Files permission applies only to folders and allows the user to create files in the folder.
    The Write Data permission applies only to files and allows the user to make changes to the file and overwrite existing content.

Create Folders/Append Data
    The Create Folders permission applies only to folders and allows the user to create folders in the folder.
    The Append Data permission applies only to files and allows the user to make changes to the end of the file, but not to delete or overwrite existing data.

Write Attributes
    The Write Attributes permission allows the user to change the basic attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS. The Write Attributes permission does not imply that you can create or delete files or folders; it includes only the permission to make changes to the attributes of a file or folder. To allow Create or Delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete.

Write Extended Attributes
    The Write Extended Attributes permission allows the user to change the extended attributes of a file or folder. Extended attributes are defined by programs and can vary by program. The Write Extended Attributes permission does not imply that the user can create or delete files or folders; it includes only the permission to make changes to the attributes of a file or folder. To allow Create or Delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete.

Delete Subfolders and Files
    The Delete Subfolders and Files permission applies only to folders and allows the user to delete subfolders and files, even if the Delete permission is not granted on the subfolder or file.

Delete
    The Delete permission allows the user to delete the file or folder. If you have not been assigned the Delete permission on a file or folder, you can still delete the file or folder if you are granted the Delete Subfolders and Files permission on the parent folder.

Read Permissions
    The Read Permissions permission allows the user to read the permissions assigned to the file or folder, such as Full Control, Read, and Write.

Change Permissions
    The Change Permissions permission allows the user to change the permissions on the file or folder, such as Full Control, Read, and Write.

Take Ownership
    The Take Ownership permission allows the user to take ownership of the file or folder. The owner of a file or folder can change permissions on it, regardless of any existing permissions that protect the file or folder.

Synchronize
    The Synchronize permission allows different threads to wait on the handle for the file or folder and synchronize with another thread that may signal it. This permission applies only to multithreaded, multiprocess programs.

Note: Standard permissions are actually combinations of several individual advanced permissions, grouped to match common file and folder usage scenarios.

What Is NTFS Permissions Inheritance?

Key Points

By default, NTFS uses inheritance to propagate permissions throughout an NTFS folder structure. When a file or a folder is created, it is automatically assigned the permissions set on any folders that exist above it in the hierarchy of the folder structure.

How Inheritance Is Applied

Consider the following example folder structure and how it applies to Adam Carter and the groups he is a member of:

Adam Carter is a member of:

• Marketing Group

• New York Editors

Folder or File                     NTFS Permission              Adam’s Permissions

Marketing (folder)                 Read: Marketing Group        Read
  • Marketing Pictures (folder)    None explicitly set          Read (inherited)
    • New York (folder)            Write: New York Editors      Read (i) + Write
      • Fall_Composite.jpg (file)  None explicitly set          Read (i) + Write (i)

In this example, Adam is a member of two groups that are assigned permissions for files or folders within the folder structure.

• The top-level folder, Marketing, has an entry for the Marketing Group giving them read access.

• In the next level, the Marketing Pictures folder has no explicit permissions set, but because of permissions inheritance, Adam also has Read access to this folder and its contents from the permissions set on the Marketing folder.

• In the third level, the New York folder has Write permissions assigned to one of Adam’s groups, New York Editors. In addition to this explicitly assigned Write permission, the New York folder also inherits the Read permission from the Marketing folder. These permissions continue to pass down to file and folder objects, accumulating with any explicit permissions set on those files.

• The fourth and last level is the Fall_Composite.jpg file. Even though no explicit permissions have been set for this file, Adam has both Read and Write access to the file, due to the permissions inherited from both the Marketing folder and the New York folder.

Permission Conflicts

It is possible that explicitly set permissions on a file or folder will conflict with permissions inherited from a parent folder. In these cases, the explicitly assigned permissions always override the inherited permissions.

In the given example, if Adam Carter were denied Read access to the Marketing folder, but then explicitly allowed Read access to the New York folder, the explicit Allow would take precedence over the inherited Deny Read permission.

Blocking Inheritance

It is also possible to disable the inheritance behavior for a file or a folder (and its contents) on an NTFS volume. This can be done to explicitly define permissions for a set of objects without including any of the inherited permissions from any parent folders.

Windows provides an option for blocking inheritance on a file or a folder within the Advanced section of the Security tab. To block inheritance on a file or folder, complete the following steps:

1. Right-click the file or folder where you want to block inheritance and click Properties.

2. In the Properties window, click the Security tab and then click the Advanced button.

3. In the Advanced Security Settings window, click the Change Permissions button.

4. In the next window, clear the Include inheritable permissions from this object’s parent check box.

Note: At this point, you are prompted to either add the existing permissions as a starting point for your explicitly assigned permissions or remove the existing permissions on the object to start with a blank permissions slate.

Resetting Default Inheritance Behavior

After inheritance is blocked, changes made to permissions on the parent folder structure no longer have an effect on the permissions for the object (and its contents) that has blocked inheritance, unless that behavior is reset from one of the parent folders by selecting the Replace all child objects with inheritable permissions from this object check box. When this box is selected, the existing set of permissions on the current folder is propagated down to all child objects down the tree structure, overriding all explicitly assigned permissions for those files and folders. This check box is found directly under the Include inheritable permissions from this object’s parent check box.
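
The inheritance example, the Permission Conflicts case, blocking inheritance and the Replace all child objects reset, modeled in Python as an added example (not code from the handbook or from Windows). Node, Ace, block_inheritance and replace_child_permissions are invented names; the folder tree, the group names and Adam Carter’s memberships are the page’s. The evaluation order used (explicit Deny, explicit Allow, then entries inherited from the nearest folder first) is the canonical NTFS ordering, and it is what makes an explicit entry override an inherited one.

```python
"""Model of NTFS inheritance: explicit vs inherited entries, the
explicit-over-inherited rule, blocking inheritance, and the reset check box.
Added example; not Windows code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Ace:
    principal: str            # user or group the entry applies to
    right: str                # "Read", "Write", ...
    allow: bool = True        # False models a Deny entry
    inherited: bool = False   # True when propagated from a parent folder


@dataclass
class Node:
    """A file or folder; 'explicit' holds the entries set on the object itself."""
    name: str
    explicit: List[Ace] = field(default_factory=list)
    protected: bool = False   # True once "Include inheritable permissions" is cleared
    parent: Optional["Node"] = None
    children: List["Node"] = field(default_factory=list)

    def add_child(self, child: "Node") -> "Node":
        child.parent = self
        self.children.append(child)
        return child

    def dacl(self) -> List[Ace]:
        """Entries in evaluation order: explicit Deny, explicit Allow, then the
        parent's entries marked inherited (nearest folder first). Nothing is
        inherited once the object blocks inheritance."""
        acl = sorted(self.explicit, key=lambda a: a.allow)   # Deny (False) first
        if not self.protected and self.parent is not None:
            acl += [Ace(a.principal, a.right, a.allow, inherited=True)
                    for a in self.parent.dacl()]
        return acl


def permissions_for(node: Node, token: Set[str]) -> Dict[str, str]:
    """Verdict per right for a user plus the groups in the user's token. The
    first matching entry in dacl() order decides, so an explicit entry always
    overrides an inherited one, as the Permission Conflicts passage states."""
    result: Dict[str, str] = {}
    for ace in node.dacl():
        if ace.principal in token and ace.right not in result:
            verdict = "Allow" if ace.allow else "Deny"
            result[ace.right] = verdict + (" (inherited)" if ace.inherited else "")
    return result


def block_inheritance(node: Node, keep_existing: bool) -> None:
    """Clear 'Include inheritable permissions from this object's parent'.
    keep_existing=True answers the prompt with 'add' (inherited entries become
    explicit copies); False answers 'remove' and starts with a blank slate."""
    if keep_existing:
        node.explicit += [Ace(a.principal, a.right, a.allow)
                          for a in node.dacl() if a.inherited]
    node.protected = True


def replace_child_permissions(node: Node) -> None:
    """'Replace all child objects with inheritable permissions from this object':
    every descendant loses its explicit entries and its block, so this folder's
    entries propagate down the whole tree again."""
    for child in node.children:
        child.explicit = []
        child.protected = False
        replace_child_permissions(child)


ADAM = {"Adam Carter", "Marketing Group", "New York Editors"}   # the page's memberships


def build_example() -> Dict[str, Node]:
    """The page's tree: Marketing > Marketing Pictures > New York > Fall_Composite.jpg."""
    marketing = Node("Marketing", [Ace("Marketing Group", "Read")])
    pictures = marketing.add_child(Node("Marketing Pictures"))
    new_york = pictures.add_child(Node("New York", [Ace("New York Editors", "Write")]))
    photo = new_york.add_child(Node("Fall_Composite.jpg"))
    return {n.name: n for n in (marketing, pictures, new_york, photo)}


def adams_permissions() -> Dict[str, Dict[str, str]]:
    """Reproduces the table: Read, Read (i), Read (i) + Write, Read (i) + Write (i)."""
    return {name: permissions_for(node, ADAM) for name, node in build_example().items()}


def conflict_example() -> Dict[str, Optional[str]]:
    """Deny Read for Adam on Marketing, explicit Allow Read on New York."""
    tree = build_example()
    tree["Marketing"].explicit.append(Ace("Adam Carter", "Read", allow=False))
    tree["New York"].explicit.append(Ace("Adam Carter", "Read", allow=True))
    return {name: permissions_for(node, ADAM).get("Read") for name, node in tree.items()}


def blocking_example() -> Dict[str, Dict[str, str]]:
    tree = build_example()
    new_york = tree["New York"]
    block_inheritance(new_york, keep_existing=False)       # blank slate: only Write stays
    after_block = permissions_for(tree["Fall_Composite.jpg"], ADAM)
    tree["Marketing"].explicit.append(Ace("Marketing Group", "Write"))  # ignored below the block
    while_blocked = permissions_for(new_york, ADAM)
    replace_child_permissions(tree["Marketing"])           # reset from the top folder
    after_reset = permissions_for(tree["Fall_Composite.jpg"], ADAM)
    return {"after_block": after_block, "while_blocked": while_blocked,
            "after_reset": after_reset}
```

Running adams_permissions() gives the four rows of the table; conflict_example() shows the explicit Allow on New York winning over the Deny inherited from Marketing, and also reaching Fall_Composite.jpg because the entry inherited from the nearer folder is evaluated first. In blocking_example(), the Write entry added to Marketing while New York is blocked never reaches New York, and the reset wipes New York’s own Write entry exactly as the passage warns.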

Effects on NTFS Permissions When Copying or Moving Files and Folders

Key Points

NTFS permissions depend on the NTFS structure to maintain their integrity. When you move or copy files or folders from their original location, NTFS permissions can be affected, depending on the nature of the move or copy operation.

Note: It is important to define the move and copy process prior to defining the rules that apply to moving and copying files.

Moving a file or folder causes the object to be relocated to the new destination. After a move operation is complete, the file or folder no longer exists in the old location.

Copying a file or folder simply makes a copy of the object and places it in the new destination. The original copy of the file remains in the same state in the original location.

The following rules apply when moving or copying files or folders to another location:

1. When moving or copying files or folders to another volume, all NTFS permissions are lost. If the destination volume is NTFS, your files or folders inherit the NTFS permissions of the parent folder on the destination volume.

Note: When files are sent to another volume, it is always a copy operation. If you select move from the Windows Explorer interface, the actual file operation copies the file to the destination and then deletes the file from the original location.

2. When copying files or folders to another location on the same NTFS volume, the original NTFS permissions assigned to the original objects are lost. The objects inherit NTFS permission settings from the destination parent folder.

Lesson 3

Managing Permissions for Shared Resources

Configuring and maintaining NTFS permissions for your file and folder structure is an important part of administering a file server. However, if your file server must provide those files and folders to your users on the network, the resources must be set up as shared folders in Windows Server 2008.

Shared folders provide the basis for providing network access to file resources, and their configuration and deployment should be planned and managed effectively. This lesson will introduce you to the File Services role in Windows Server 2008 and provide details on sharing and protecting your file structure.

Objectives

After completing this lesson, you will be able to:

• Describe the File Services role.

• Describe the use of shared folders.

• Describe shared folder permissions.

• Create shared folders by using Windows Explorer and Share and Storage Management.

• Describe offline files.

• Describe the file enhancements in Windows Server 2008 R2.

• Configure offline file availability and access.

Overview of the File Services Role in Windows Server 2008

Key Points

The File Services role provides not only the ability to share your files and folders, but also helps manage storage, enable file replication, provide network resources to non-Windows clients, and manage access to and use of your shared folder structure proactively.

The File Services role consists of the following role services that work together to provide a full-featured file management solution:

• File Server is the core of the File Services role. It manages shared folders and enables users to access files on the server from the network.

• Distributed File System (DFS) allows administrators to configure a distributed system for shared folders. This distribution allows the same set of shared folders to be hosted on different servers. DFS Replication allows you to replicate shared folders between servers, and DFS Namespace makes it possible to use a single network share address to allow access to multiple physical DFS locations.

• File Server Resource Manager (FSRM) enables the management of file usage through quotas, file screening policies, and storage reports.

• Services for Network File System allow you to configure NFS to allow access to your shared folders from UNIX client computers.

• Windows Search Service permits indexing of files and folders on your file server. This allows for more efficient searches from clients that are compatible with Windows Search Service.

• Windows Server 2003 File Services provides file services for Windows Server 2003 computers.

• BranchCache for Network Files enables computers in branch offices to cache commonly downloaded files from shared folders and then provide those files to other computers in the branch office. This reduces network bandwidth usage and provides faster access to the files. This role service is available only in Windows Server 2008 R2.

Note: The commonly used File Services components (DFS, FSRM, and BranchCache) will be covered in more detail later in this course.

What Are Shared Folders?

Key Points

Shared folders are the key component of accessing files on your server from the network.

When you share a folder, the folder and all its contents are made available to multiple users simultaneously over the network. Shared folders maintain a separate set of permissions from the NTFS permissions on the folder’s contents. These permissions are used to provide an extra level of security for files and folders made available on the network.

Most organizations deploy dedicated file servers to host shared folders. You can store files in shared folders according to categories or functions. For example, you can put shared files for the Sales department in one shared folder and shared files for the Marketing department in another.

Note: The sharing process happens strictly at the folder level. It is not possible to share only an individual file or a group of files.

Accessing a Shared Folder

A shared folder is accessed most commonly over the network by using its Universal Naming Convention (UNC) address, which contains the name of the server the folder is hosted on and the actual shared folder name, separated by a backward slash (\) and preceded by two backward slashes (\\). For example, the UNC name for the Sales shared folder on the NYC-SVR1 server would be:

\\NYC-SVR1\Sales
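
The UNC form just described, handled in code as an added example that is not part of the handbook: a small parser and builder for \\server\share[\path] names. parse_unc, unc_for and is_unc are invented names; the sample names are the page’s NYC-SVR1 server and Sales share.

```python
r"""Parse and build UNC names of the form \\server\share[\path].
Added example; parse_unc, unc_for and is_unc are invented names."""
import re
from typing import NamedTuple


class UncPath(NamedTuple):
    server: str
    share: str
    relative: str     # path below the share; "" for the share root


# Exactly two leading backslashes, then a server name and a share name that
# contain no path separators, then an optional path below the share.
_UNC_RE = re.compile(r"^\\\\([^\\/]+)\\([^\\/]+)(?:\\(.*))?$")


def is_unc(text: str) -> bool:
    """True when the text is a well-formed UNC name (rejects e.g. \\\server\share)."""
    return _UNC_RE.match(text) is not None


def parse_unc(text: str) -> UncPath:
    match = _UNC_RE.match(text)
    if match is None:
        raise ValueError(f"not a UNC name: {text!r}")
    server, share, rest = match.groups()
    return UncPath(server, share, rest or "")


def unc_for(server: str, share: str) -> str:
    r"""Build \\server\share, refusing components that would change its structure."""
    for part in (server, share):
        if not part or "\\" in part or "/" in part:
            raise ValueError(f"invalid UNC component: {part!r}")
    return f"\\\\{server}\\{share}"
```

parse_unc(r"\\NYC-SVR1\Sales\Q3\report.xlsx") yields the server, the share, and the path below the share as separate fields, which is the split a file server administrator needs when checking which share a path falls under.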

Sharing a Folder on the Network

Windows Server 2008 provides a number of ways to share a folder.

• Using the Provision a Shared Folder Wizard from the Share and Storage Management console.

Shared Folder Permissions

Key Points

Shared folder permissions apply only to users who access the folder over the network. They do not affect users who access the folder locally on the computer where the folder is stored.

Just like NTFS permissions, you can assign shared folder permissions to user, group, or computer objects. However, unlike NTFS permissions, shared folder permissions are not configurable for individual files or folders within the shared folder. Shared folder permissions are set once for the shared folder itself and apply universally to the entire contents of the shared folder for users who access the folder over the network.

The following permissions can be applied to a shared folder:

Shared Folder Permission    Description

Read
    Users can display folder and file names, display file data and attributes, run program files and scripts, and navigate the folder structure within the shared folder.

Change
    Users can create folders, add files to folders, change data in files, append data to files, change file attributes, delete folders and files, and perform all tasks permitted by the Read permission.

Full Control
    Users can change file permissions, take ownership of files, and perform all tasks permitted by the Change permission.

Note: When you assign Full Control permissions on a shared folder to a user, that user can modify permissions on the shared folder, which includes removing all users, including you, from the shared folder’s permissions list. In most cases, Change permission should be assigned instead of Full Control.

When a shared folder is created, the default assigned shared permission is Read for the Everyone group.

By default, Windows Server 2008 allows the following groups to create shared folders: Administrators and Server Operators.

Question: Can you list at least one example of when an administrator might give Full Control permissions to a user for a shared folder?

Demonstration: Creating Shared Folders

Key Points

In this demonstration, you will see how to:

• Create a shared folder and assign permissions by using Windows Explorer.

• Create a shared folder and assign permissions by using the Share and Storage Management console.

Demonstration Steps:

1. Open Windows Explorer.

2. Create a new folder named C:\Research.

3. Share the folder by using the Advanced Sharing button on the Sharing tab of the properties window.

4. Assign Change permission to the Contoso\Research group.

5. Open the Share and Storage Management console.

6. Use the Provision a Shared Folder Wizard to create and share the C:\Marketing folder, giving Change permissions to the Contoso\Marketing group.

Offline File Configuration

Key Points

Windows Server 2008 provides the ability to cache network files for offline use. Files can be made available for clients to cache locally, so the files are available for use when the client computer is disconnected from the network.

Optionally, offline files and folders can be edited or modified by the client, and the changes are synchronized with the network copy of the files the next time the client reconnects to the network. The synchronization schedule and behavior of offline files is controlled by the client operating system.

Offline files are available to Windows XP, Windows Vista®, Windows 7, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2 clients.

On a Windows Server 2008 computer, the Caching button in the Advanced Sharing window brings up the Offline Settings window for a shared folder. The following options are available within the Offline Settings window:

• Only the files and programs that users specify are available offline. This is the default option when you set up a shared folder. When you use this option, no files or programs are available offline by default, and users control which files and programs they want to access when they are not connected to the network.

Note: There is an Enable BranchCache option that enables BranchCache for the shared folder. BranchCache will be discussed in more detail later in this course.

• No files or programs from the shared folder are available offline. This option blocks Offline Files on the client computers from making copies of the files and programs on the shared folder.

• All files and programs that users open from the shared folder are automatically available offline. Whenever a user accesses the shared folder or volume and opens a file or program in it, that file or program is automatically made available offline to that user. Files and programs that are automatically made available offline remain in the Offline Files cache and synchronize with the version on the server until the cache is full or the user deletes the files. Files and programs that are not opened are not available offline.

If you select the Optimized for performance check box, executable files (EXE, DLL) that are run from the shared folder by a client computer are automatically cached on that client computer. The next time the client computer runs the executable files, it accesses its local cache instead of the shared folder on the server.

Note: The Offline Files feature must be enabled on the client computer for files and programs to be automatically cached. In addition, the Optimized for performance option does not have any effect on client computers that use Windows Vista or later, as these operating systems automatically perform the program-level caching specified by this option.

Question: Which client computer type would make the best use of offline files?

Exclusion List

The Exclusion List feature allows for the exclusion of certain file types (large audio or video files) from the Offline Files synchronization process on Windows 7 clients. This reduces synchronization overhead and disk space usage on the server and speeds up backup and restore operations. The list of file types is configured by using Group Policy.

Transparent Caching

With transparent caching, the first time a user opens a file in a shared folder, Windows 7 reads the file from the server and then stores it in the Offline Files cache on the local hard disk drive. The subsequent times that a user opens the same file, Windows 7 retrieves the cached file from the hard disk drive instead of reading it from the server. To provide data integrity, Windows 7 always contacts the server to ensure that the cached copy is up to date. The cache is never accessed if the server is unavailable, and updates to the file are always written directly to the server.

Transparent caching is not enabled by default. IT administrators can use a Group Policy setting to enable transparent caching, improve the efficiency of the cache, and configure the amount of hard disk drive space that the cache uses.
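
The transparent caching rules above, as an added example that models the described behaviour and is not the Offline Files implementation: a read is served from the local cache only after the server confirms the cached copy is current, the cache is never used when the server is unreachable, and writes go straight to the server. FileServer, TransparentCache and ServerUnavailable are invented names; the file path and contents are constructed sample data.

```python
"""Model of transparent caching as described on the page.  Added example;
FileServer, TransparentCache and ServerUnavailable are invented names."""
from dataclasses import dataclass, field
from typing import Dict, Tuple


class ServerUnavailable(Exception):
    """Raised when the client cannot reach the file server."""


@dataclass
class FileServer:
    files: Dict[str, Tuple[int, bytes]]   # path -> (version, content)
    online: bool = True

    def _check(self) -> None:
        if not self.online:
            raise ServerUnavailable("file server unreachable")

    def version_of(self, path: str) -> int:
        self._check()
        return self.files[path][0]

    def read(self, path: str) -> Tuple[int, bytes]:
        self._check()
        return self.files[path]

    def write(self, path: str, data: bytes) -> None:
        self._check()
        version = self.files[path][0] + 1 if path in self.files else 1
        self.files[path] = (version, data)


@dataclass
class TransparentCache:
    """Client-side read cache that follows the page's three rules."""
    server: FileServer
    enabled: bool = False                 # off unless Group Policy turns it on
    cache: Dict[str, Tuple[int, bytes]] = field(default_factory=dict)
    server_reads: int = 0                 # full reads that went to the server

    def open(self, path: str) -> bytes:
        if not self.enabled:
            return self._read_from_server(path)
        # Always contact the server first: if it is unreachable this raises,
        # and the cached copy is never served in its place.
        current = self.server.version_of(path)
        cached = self.cache.get(path)
        if cached is not None and cached[0] == current:
            return cached[1]               # up to date: served from local disk
        return self._read_from_server(path)

    def _read_from_server(self, path: str) -> bytes:
        version, data = self.server.read(path)
        self.server_reads += 1
        if self.enabled:
            self.cache[path] = (version, data)
        return data

    def save(self, path: str, data: bytes) -> None:
        # Updates go straight to the server; the cached copy is left behind and
        # is replaced on the next open, when the version check fails.
        self.server.write(path, data)


def demo() -> dict:
    server = FileServer({"Sales/plan.docx": (1, b"draft 1")})   # constructed sample
    client = TransparentCache(server, enabled=True)
    client.open("Sales/plan.docx")              # first open: read from the server, cached
    client.open("Sales/plan.docx")              # second open: version matches, cache hit
    reads_after_two_opens = client.server_reads
    client.save("Sales/plan.docx", b"draft 2")  # written directly to the server
    content = client.open("Sales/plan.docx")    # cache stale, so read from the server again
    reads_after_edit = client.server_reads
    server.online = False
    try:
        client.open("Sales/plan.docx")
        offline_raised = False
    except ServerUnavailable:
        offline_raised = True                   # cache is never used while offline
    return {"reads_after_two_opens": reads_after_two_opens,
            "reads_after_edit": reads_after_edit,
            "final_content": content,
            "offline_raised": offline_raised}
```

demo() shows the difference from Offline Files proper: two opens cost one server read, an edit goes to the server and forces a fresh read, and once the server is unreachable the open fails instead of falling back to the cached copy.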

Note: All the features mentioned in this topic require the client computer to be running Windows 7 Professional, Enterprise, or Ultimate edition. The features also apply to Windows Server 2008 R2 computers acting as offline files clients.

Lesson 4

Determining Effective Permissions

Assigning permissions for a single user or a group on a single resource is a straightforward task, and it is not difficult to determine the results. However, in a typical enterprise environment, permission assignments are not often simple. Multiple group memberships, blocked inheritance, and combined NTFS and shared folder permissions can make determining the actual permissions a user is assigned a complex task.

Objectives

After completing this lesson, you will be able to:

• Describe factors that influence effective NTFS permissions.

• Determine effective NTFS permissions.

• Describe the effects of combining NTFS and Shared Folder permissions.

• Determine the effect of combining Shared Folder and NTFS permissions.

• Describe best practices for implementing NTFS and Shared folder permissions.

Effective Permissions Tool

Windows Server 2008 provides a tool (Effective Permissions) that shows effective permissions, which are cumulative permissions based on group membership. You can access this tool by using the following steps:

1. Right-click the file or folder that you want to analyze permissions for and then click Properties.

2. In the Properties window, click the Advanced button.

3. In the Advanced Security Settings window, click the Effective Permissions tab.

4. Choose a user or group to evaluate by using the Select button.


Discussion: Determining Effective NTFS Permissions

Key Points

In this discussion, you are presented with a scenario in which you are asked to apply NTFS permissions. You need to discuss in class the possible solutions to the scenario.

Scenario

Adam is a member of the Marketing group and the Sales group. The graphic on the slide shows folders and files on the NTFS partition.

Question: The Marketing group has Write permission, and the Sales group has Read permission for the Reports folder. Which permissions does Adam have for the Reports folder?

Question: The Marketing group has Read permission for the Reports folder. The Sales group has Write permission for the New York folder. Which permissions does Adam have for the Region file?

Question: The Marketing group has Modify permission for the Reports folder. The Region file should be available only to the Sales group, and the Sales group should only be able to read the Region file. What do you do to ensure that the Sales group has only Read permission for the Region file?
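The Effective Permissions tab described above and the Adam scenario in this discussion both rest on the same rule: a user's effective NTFS permissions are the Allow entries for the user and for every group the user belongs to, combined, with any Deny entry for those principals subtracted. The PowerShell below is an added example, not part of the 6419B handbook and not the Windows Effective Permissions tool itself, that evaluates that rule over a list of ACEs. The principals (CONTOSO\Adam, CONTOSO\Marketing, CONTOSO\Sales) come from the scenario; the ACEs are constructed here, and the Get-CurrentPrincipalNames helper, which reads the calling account's own token so the function can be run against a real folder, is an assumption of this example.

```powershell
# Added example (not from the 6419B handbook): evaluate effective NTFS rights by the
# rule the lesson states. Allow ACEs for the user and every group in $Principals are
# combined; Deny ACEs for those principals are then subtracted (Deny wins over Allow).
function Get-EffectiveNtfsRights {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.AccessControl.FileSystemAccessRule[]] $Rules,   # ACEs of one object
        [Parameter(Mandatory = $true)]
        [string[]] $Principals                                           # user plus its groups
    )
    [int] $allowed = 0
    [int] $denied  = 0
    foreach ($rule in $Rules) {
        $name = $rule.IdentityReference.Value
        if ($Principals -notcontains $name) { continue }   # ACE applies to someone else
        if ($rule.AccessControlType -eq 'Allow') {
            $allowed = $allowed -bor [int] $rule.FileSystemRights
        } else {
            $denied = $denied -bor [int] $rule.FileSystemRights
        }
    }
    return [System.Security.AccessControl.FileSystemRights] ($allowed -band (-bnot $denied))
}

# Assumed helper: DOMAIN\name of the calling account and of every group in its token, in
# the same form Get-Acl reports IdentityReference, so they match ACEs directly.
function Get-CurrentPrincipalNames {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $names = @($id.Name)
    foreach ($sid in $id.Groups) {
        try   { $names += $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { }   # unresolvable SID (for example a deleted group): skip it
    }
    return $names
}

# Constructed ACEs for the Reports folder of the discussion: Marketing has Write, Sales has Read.
$reportsAces = @(
    (New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'CONTOSO\Marketing', 'Write', 'Allow'),
    (New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'CONTOSO\Sales', 'Read', 'Allow')
)
$adam = 'CONTOSO\Adam', 'CONTOSO\Marketing', 'CONTOSO\Sales'
Get-EffectiveNtfsRights -Rules $reportsAces -Principals $adam     # rights accumulate across both groups

# Constructed variation: a Deny on one of Adam's groups removes that right even though the
# other group allows it, which is why the lesson warns to use Deny sparingly.
$withDeny = $reportsAces + (New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'CONTOSO\Sales', 'Write', 'Deny')
Get-EffectiveNtfsRights -Rules $withDeny -Principals $adam

# Against a real folder, for the account running the script (path from the lab):
# Get-EffectiveNtfsRights -Rules (Get-Acl -Path 'E:\Labfiles\Mod03\Production').Access -Principals (Get-CurrentPrincipalNames)
```

The function only models the DACL rules the lesson covers (group accumulation and Deny precedence); it does not account for ownership, privileges such as Backup Operators, or share permissions, which the next topic adds.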


Effects of Combining Shared Folder and NTFS Permissions

Key Points

When enabling access to network resources on an NTFS volume, use the most restrictive NTFS permissions to control access to folders and files, combined with the most restrictive shared folder permissions that control network access.

NTFS and shared folder permissions work together to control access to file and folder resources accessed from the network.

How Combining NTFS and Shared Folder Permissions Works

The key rule to remember while applying NTFS and shared folder permissions is that the most restrictive of the two permission sets dictates the access a user will have to a file or folder where both shared folder permissions and NTFS permissions are applied.

If a user has Full Control permissions on an NTFS folder but the shared folder permissions are set to Read, that user will be able to obtain only Read permissions to the file when accessing the folder over the network. Access is restricted at the shared folder level, and any greater access at the NTFS permissions level does not apply. Likewise, if the shared folder is set to Full Control, and the NTFS permissions are set to Write, the user runs into no restrictions at the shared folder level, but the NTFS permissions on the folder will allow only Write permissions for that folder.

The user must have appropriate permissions on both the NTFS resource and the shared folder. If no permissions exist for the user on either resource, access is denied.


Discussion: Determining Effective NTFS and Shared Folder Permissions

Key Points

In this discussion, you will determine effective NTFS and shared folder permissions.

Scenario

The figure shows two shared folders that contain folders or files that have NTFS permissions. Look at each example and determine a user’s effective permissions.

In the first example, the Users folder has been shared, and the Users group has the shared folder permission Full Control. User1, User2, and User3 have been granted the NTFS permission Full Control only to their own folder. These users are all members of the Users group.

Question: In diagram 1, discuss what the effective permissions are for User1, User2, and User3. Can User1 take full control of User2’s directory? Give reasons. How does using the share permission instead of the NTFS permission prevent users from accessing other users’ directories?

Question: In diagram 2, you have shared the Data folder to the Sales group, granting Full Control permissions. Within the Data directory, you have given the Sales group Read permissions on the NTFS Sales folder. When users in the Sales group try to save a file in the \Data\Sales directory, they get an access-denied error. Give reasons. Which permission must be changed and why?
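The "most restrictive of the two" rule from the previous topic and the two diagrams in this discussion can be worked through in code. The PowerShell below is an added example, not from the 6419B handbook, that maps a share permission level to the NTFS rights it corresponds to and intersects it with the user's effective NTFS rights; the mapping of Read, Change and Full Control onto ReadAndExecute, Modify and FullControl is an approximation chosen for this example, and the inputs are the constructed cases from the lesson text and diagram 2.

```powershell
# Added example (not from the 6419B handbook): apply the "most restrictive wins" rule for
# access over the network. The share permission is mapped to the NTFS rights it roughly
# corresponds to (assumption), then intersected with the user's effective NTFS rights.
function Get-EffectiveNetworkRights {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('None', 'Read', 'Change', 'FullControl')]
        [string] $ShareAccess,                                         # effective share permission
        [Parameter(Mandatory = $true)]
        [System.Security.AccessControl.FileSystemRights] $NtfsRights   # effective NTFS rights
    )
    $shareRights = switch ($ShareAccess) {
        'None'        { 0 }
        'Read'        { [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute }
        'Change'      { [int][System.Security.AccessControl.FileSystemRights]::Modify }
        'FullControl' { [int][System.Security.AccessControl.FileSystemRights]::FullControl }
    }
    return [System.Security.AccessControl.FileSystemRights] ($shareRights -band ([int] $NtfsRights))
}

# True when the rights allow creating or changing file content (the "save a file" test).
function Test-CanWrite {
    param([System.Security.AccessControl.FileSystemRights] $Rights)
    $write = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    return ((([int] $Rights) -band $write) -eq $write)
}

# The two cases from the lesson text: the share caps NTFS Full Control at Read, and NTFS Write
# caps a Full Control share at Write.
Get-EffectiveNetworkRights -ShareAccess 'Read' -NtfsRights 'FullControl'
Get-EffectiveNetworkRights -ShareAccess 'FullControl' -NtfsRights 'Write'

# Diagram 2: Full Control on the share, Read on the NTFS Sales folder; saving a file is refused.
$salesOverNetwork = Get-EffectiveNetworkRights -ShareAccess 'FullControl' -NtfsRights 'Read'
Test-CanWrite -Rights $salesOverNetwork

# Raising the NTFS rights to Modify, with the share left as it is, is what makes the write possible.
Test-CanWrite -Rights (Get-EffectiveNetworkRights -ShareAccess 'FullControl' -NtfsRights 'Modify')

# Diagram 1: the Users share grants Full Control, but User1's NTFS rights on User2's folder are
# none, so the intersection is empty and the share permission alone grants nothing.
Get-EffectiveNetworkRights -ShareAccess 'FullControl' -NtfsRights 0
```

Because the share level only ever narrows what NTFS already grants, the pattern the lesson recommends follows directly: keep the share permission broad enough for the whole group and put the per-folder differences in NTFS.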


Considerations for Implementing NTFS and Shared Folder Permissions

Key Points

Here are several considerations to make administering permissions more manageable:

• Grant permissions to groups instead of users. Groups can always have individuals added or deleted, while permissions assigned on a case-by-case basis are difficult to track.

• Use Deny permissions only when necessary. Because deny permissions are inherited exactly like allow permissions, assigning deny permissions to a folder can result in users not being able to access files lower in the folder structure. Deny permissions should be assigned in the following situations:

  • To exclude a subset of a group that has Allow permissions.

  • To exclude one specific permission when you have granted Full Control permissions already to a user or a group.

• Never deny the Everyone group access to an object. If you deny everyone access to an object, you deny administrators’ access. Instead, remove the Everyone group, as long as you grant permissions for the object to other users, groups, or computers.

• Grant permissions to an object that is as high in the folder structure as possible so that the security settings are propagated throughout the tree. For example, instead of bringing groups representing all departments of the company together into a Read folder, assign Domain Users (which is a default group for all user accounts on the domain) to the share. In this manner, you eliminate the need to update department groups before new users receive the shared folder.

• Use NTFS permissions instead of shared permissions for fine-grained access. Configuring both NTFS and shared folder permissions can be difficult. Consider assigning the most restrictive permissions for a group that contains many users at the shared folder level and then using NTFS permissions to assign more specific permissions.


Lab: Managing Access to File Services

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V® Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

  • User name: Administrator

  • Password: Pa$$w0rd

  • Domain: Contoso

5. Repeat steps 2 through 4 for 6419B-NYC-SVR1.

6. Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on until directed to do so.

Lab Scenario

Contoso, Ltd has recently deployed a new file server, NYC-SVR1, to its New York location. The New York office has staff from both the Production and Research departments. Both departments require the ability to save their documents to the new file server. Their files will be created in the E:\Labfiles\Mod03 folder.

The Production department works together on tasks and projects, and all members need the ability to save files to the folder from their desktop. Any member of the Production team should be able to modify the folders saved by anyone in the Production department. The Production department manager, Susanna Stubberod, needs a folder for her monthly reports configured, so her staff can view the reports, but only she should be able to make changes to files in the folder.

The Research department needs a folder to store the project results. All project results will be saved directly to the server locally from an application installed on NYC-SVR1. All members of the Research department should be able to make modifications to the files if they are logged on to NYC-SVR1. The Research department needs to access their files from the network, but no changes should be allowed to be made to the files, because that will interfere with the application. Max Stevens of the Research department also uses a laptop, NYC-CL1, which he frequently takes offsite. He needs access to the Research department files when he is not connected to the network.

The main tasks for this exercise are as follows:

1. Planning the shared folder implementation.

2. Implementing the shared folder structure.

3. Evaluating the shared folder structure.


Exercise 2: Implementing a Shared Folder Implementation

In this exercise, you will create the shared folder implementation based on the discussions in the previous exercise.

The main tasks are as follows:

1. Verify the File Services Role on NYC-SVR1.

2. Create a shared folder structure by using Windows Explorer.

3. Create a shared folder structure by using the Share and Storage Management console.

4. Configure offline files.

Task 1: Verify the File Services Role on NYC-SVR1

1. On NYC-SVR1, open Server Manager.

2. Verify that the File Services role has been installed with the File Server role service.

3. Close Server Manager.

Task 2: Create a shared folder structure by using Windows Explorer

1. On NYC-SVR1, open Windows Explorer.

2. Create the E:\Labfiles\Mod03\Production folder and assign the Production group Full Control permissions.

3. Share the Production folder, assign the Contoso\Production group Change permissions on the shared folder, and remove the Everyone group.

4. Create a new text document in E:\Labfiles\Mod03\Production.

5. Create the E:\Labfiles\Mod03\Production\Reports folder and create a new text document in E:\Labfiles\Mod03\Production\Reports named Report1.txt.

6. Assign Susanna Stubberod Full Control permissions on the E:\Labfiles\Mod03\Production\Reports folder. Block permissions inheritance to ensure that no other users have permissions on this folder.

Task 3: Create shared folders by using the Share and Storage Management Console

1. On NYC-SVR1, open the Share and Storage Management console.

2. Run the Provision a Shared Folder Wizard to provision a share named Research located at E:\Labfiles\Mod03\Research.

3. Assign the following NTFS permissions to the E:\Labfiles\Mod03\Research folder: Full Control for the Research group.

4. Assign the following shared folder permissions to the Research shared folder: Read for the Research group.

Task 4: Configure Offline Files

1. Log on to NYC-CL1 as Contoso\Max, with password Pa$$w0rd.

2. Map the \\NYC-SVR1\Research network location to the R: drive.

3. Configure Drive R to be always available offline.

Results: In this exercise, you implemented a shared folder structure.
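Tasks 2 and 3 of this exercise, done in the GUI above, can also be scripted, and doing so shows the considerations from the previous topic in practice: rights go to groups, the Everyone group is removed from the share rather than denied, the share permission stays at one broad level and the NTFS permissions carry the fine-grained rules. The PowerShell below is an added example and is not part of the 6419B lab; it is meant to be run in an elevated PowerShell session on NYC-SVR1. Paths, share names and group names are the lab's own; the file name Notes.txt for the unnamed text document in step 4 is constructed, and the behaviour of net share /GRANT with respect to the default Everyone entry is an assumption that the verification at the end lets you confirm. Task 4 (Offline Files on NYC-CL1) is a client-side setting and is not covered.

```powershell
# Added example (not part of the 6419B lab): build the Exercise 2 structure on NYC-SVR1
# following the lesson's guidance. Run elevated on NYC-SVR1. Notes.txt is a constructed name.
$base = 'E:\Labfiles\Mod03'

# Add an inheritable Allow ACE for $Identity to the folder at $Path.
function Add-NtfsAllow {
    param([string] $Path, [string] $Identity, [string] $Rights)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Task 2: Production folder, NTFS Full Control for the Production group (a group, not users).
$production = Join-Path $base 'Production'
New-Item -Path $production -ItemType Directory -Force | Out-Null
Add-NtfsAllow -Path $production -Identity 'CONTOSO\Production' -Rights 'FullControl'
# Share it with Change for the group only. Assumption: with /GRANT present, net share does
# not add its default "Everyone: Read" entry; the "net share Production" call below confirms it.
net share "Production=$production" "/GRANT:CONTOSO\Production,CHANGE" | Out-Null

New-Item -Path (Join-Path $production 'Notes.txt') -ItemType File -Force | Out-Null
$reports = Join-Path $production 'Reports'
New-Item -Path $reports -ItemType Directory -Force | Out-Null
New-Item -Path (Join-Path $reports 'Report1.txt') -ItemType File -Force | Out-Null

# Reports: stop inheriting, discard the inherited ACEs, and grant only Susanna Full Control,
# all in one Set-Acl so the folder is never written without an explicit entry. Administrators
# keep the ability to take ownership, but hold no permissions on the folder afterwards.
$acl = Get-Acl -Path $reports
$acl.SetAccessRuleProtection($true, $false)   # $true = protect, $false = do not keep inherited ACEs
$acl.AddAccessRule((New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'CONTOSO\Susanna', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'))
Set-Acl -Path $reports -AclObject $acl

# Task 3: Research folder, NTFS Full Control for the group but Read on the share, so members
# logged on to NYC-SVR1 can change files while network access stays read-only.
$research = Join-Path $base 'Research'
New-Item -Path $research -ItemType Directory -Force | Out-Null
Add-NtfsAllow -Path $research -Identity 'CONTOSO\Research' -Rights 'FullControl'
net share "Research=$research" "/GRANT:CONTOSO\Research,READ" | Out-Null

# Verify: explicit NTFS entries on Reports (none should be inherited) and the share permissions.
(Get-Acl -Path $reports).Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
net share Production
net share Research
```

The verification output is what Exercise 3 then tests interactively: Scott (Production) should reach \\NYC-SVR1\Production but not Reports, Susanna should reach both, and Max should be unable to create files on the Research share.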


Exercise 3: Evaluating the Shared Folder Implementation

In this exercise, you will evaluate the shared folder implementation you created in the previous exercise.

Task 1: Test Research Folder Permissions

1. If necessary, log on to NYC-CL1 as Contoso\Max with password Pa$$w0rd.

2. Test to ensure that Max cannot create any new documents in the Research folder (Drive R).

3. Log off of NYC-CL1.

Task 2: Test Production Shared Folder Permissions

1. Log on to NYC-CL1 as Contoso\Scott with password Pa$$w0rd.

2. Test to ensure that Scott has Full Control to \\NYC-SVR1\Production and no access to \\NYC-SVR1\Production\Reports.

3. Log off NYC-CL1.

4. Log on to NYC-CL1 as Contoso\Susanna with password Pa$$w0rd.

5. Test to ensure that Susanna has Full Control to \\NYC-SVR1\Production and \\NYC-SVR1\Production\Reports.

6. Log off NYC-CL1.

Results: In this exercise, you evaluated a shared folder implementation.

To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6419B-NYC-SVR1 and 6419B-NYC-CL1.


Module Review and Takeaways

Review Questions

1. What is a common reason to use advanced NTFS permissions rather than the standard set of NTFS permissions?

2. What advantages does creating a shared folder by using the Share and Storage Management tools have over using Windows Explorer?

Windows Server 2008 R2 Features Introduced in this Module

Windows Server 2008 R2 feature: Offline Files enhancements
Description: New features that enhance the Offline Files experience for Windows Server 2008 R2 and Windows 7 computers.

Tools

Tool: Share and Storage Management Console
Use for: Provisioning shared folders and storage objects
Where to find it: Installed with the File Services role and found on the Administrative Tools menu.


Module 4

Configuring and Managing Distributed File System

Contents:

Lesson 1: Distributed File System Overview 4-3

Lesson 2: Configuring DFS Namespaces 4-14

Lesson 3: Configuring DFS Replication 4-20

Lab: Installing and Configuring Distributed File System 4-28


Module Overview

Many organizations maintain a large number of file servers containing vast amounts of data needed by users. With so many file resources on the network, it is often a challenge for users to locate files quickly and efficiently.

Larger enterprise organizations may manage multiple data sites, which often introduces additional challenges, such as increased network traffic over wide area network (WAN) connections, and ensuring the availability of files during WAN or server failures.

This module introduces the Distributed File System (DFS) solution that you can use to meet these challenges by providing fault-tolerant access and WAN-friendly replication of files located throughout an enterprise.

Objectives

After completing this module, you will be able to:

• Describe the Distributed File System.

• Configure DFS Namespaces.

• Configure DFS Replication.


Lesson 1

Distributed File System Overview

DFS in Microsoft® Windows Server® 2008 incorporates technology to provide efficient access and high availability to file resources.

This lesson introduces DFS Namespaces and DFS Replication, and discusses scenarios and requirements for deploying a DFS solution within your network environment.

Objectives

After completing this lesson, you will be able to:

• Define DFS.

• Describe how DFS namespaces and DFS replication function.

• Describe common DFS Scenarios.

• Describe the types of DFS Namespaces.

• Describe folders and folder targets.

• Install the DFS role service.

• Describe new DFS features for Windows Server 2008 R2.


What Is the Distributed File System?

Key Points

To access a typical file share, most users need to know which file server the share is located on, and the name of the share to access. Many large organizations may have hundreds of file servers, dispersed geographically. This introduces a number of challenges for users to find and access files efficiently.

Distributed File System is a Windows Server 2008 role service that is included with the File Server role. The DFS role service can be used to logically combine shared folders located on different servers into a virtual “namespace.” Users only need to know the name of the virtual namespace to access the shared folder structure.

Another benefit of DFS is the ability to replicate both the virtual namespace and the shared folders to multiple servers within the organization. This can ensure that the shares are fault tolerant and the shared folders are located as close as possible to users, thereby providing efficient access to the data.

DFS includes two technologies that are implemented as role services. These technologies are:

• DFS Namespaces. DFS Namespaces (DFS-N) allows administrators to group shared folders located on different servers into one or more logically structured namespaces. Each namespace appears to users as a single shared folder with a series of subfolders. The subfolders typically point to shared folders that are located on various servers in multiple geographical sites throughout the organization.

• DFS Replication. DFS Replication (DFS-R) is a multi-master replication engine used to synchronize files between servers for both local and WAN network connections. DFS-R supports replication scheduling, bandwidth throttling, and Remote Differential Compression (RDC). When enabled and applied, RDC updates only the portions of files that have changed since the last replication. DFS-R can be used in conjunction with DFS Namespaces or can be used as a stand-alone file replication mechanism.


branch office file shares fault tolerant. If the branch office server fails, clients in the branch office can access the replicated data at the hub site.

Data Distribution

You can use DFS-N and DFS-R to publish and replicate documents, software, and other line-of-business data throughout your organization. DFS-N and folder targets can increase data availability and distribute client load across various file servers.

Note: Do not use DFS Replication in an environment where multiple users update or modify the same files simultaneously on different servers. Doing so can cause DFS Replication to move conflicting copies of the files to the hidden DfsrPrivate\ConflictandDeleted folder. When multiple users need to modify the same files at the same time on different servers, use the file check-out feature of a product such as Windows SharePoint Services to ensure that only one user is working on a file.


Types of DFS Namespaces

Key Points

You can create either a domain-based or stand-alone namespace. Each type has different characteristics.

Domain-Based Namespace

A domain-based namespace can be used when:

• Namespace high availability is required, which is accomplished by replicating the namespace to multiple namespace servers.

• You need to hide the name of the namespace servers from users. This also makes it easier to replace a namespace server or migrate the namespace to a different server. Users will then use the \\domainname\namespace format as opposed to the \\servername\namespace format.

If you choose to deploy a domain-based namespace, you will also need to choose whether to use the Windows 2000 Server mode or the Windows Server 2008 mode. Windows Server 2008 mode provides additional benefits such as support for access-based enumeration, increased replication performance, and an increase in the number of folder targets from 5,000 to 50,000. Access-based Enumeration enables you to hide folders that users do not have permission to view.

To use Windows Server 2008 mode, the following requirements must be met:

• The Active Directory forest must be at the Microsoft Windows Server® 2003 or higher forest functional level.

• The Active Directory domain must be at the Microsoft Windows Server® 2008 domain functional level.

• All namespace servers must be Windows Server 2008.


Note: You can migrate a domain-based namespace from Windows 2000 Server mode to Windows Server 2008 mode by using the DFSutil command-line tool. You can also enable or disable Access-based Enumeration by using the Share and Storage Management MMC.

Stand-Alone Namespace

A stand-alone namespace must be used when:

• Your organization has not implemented AD DS.

• Your organization does not meet the requirements for a Windows Server 2008 mode, domain-based namespace, and you have requirements for more than 5,000 DFS folders. Stand-alone DFS namespaces support up to 50,000 folders with targets.


What Are Folders and Folder Targets?

Key Points

A DFS namespace is a virtual view of shared folders in an organization. As the administrator, you select which shared folders to present in the namespace, design the hierarchy in which those folders appear, and determine the names that the shared folders show in the namespace. When a user views the namespace, the folder structure appears to reside on a single disk.

Folders

Folders are the primary namespace elements. They appear under the namespace root (\\server\rootname or \\domain\rootname) and help build the namespace hierarchy. As with standard disk structures, folders are organized into tree structures similar to the way you use folders on a hard disk to organize files. When you create a folder by using the DFS Management console, you type a name for the folder and specify whether to add any folder targets.

Folder Targets

A folder target is based upon a Universal Naming Convention (UNC) path to one of the following locations:

• A shared folder, for example, \\server\share

• A folder within a shared folder, for example, \\server\share\folder

• A path to another namespace, for example, \\domainname\rootname

To increase the folder’s redundancy, you can specify multiple folder targets. If one of the folder targets is not available, the client will attempt to access the next folder target in the referral. This increases the data availability in the folder.


Demonstration: Installing the Distributed File System Role Service

Key Points

In this demonstration, you will see how to:

• Install the DFS Role Service.

Demonstration Steps:

1. Open Server Manager.

2. If necessary, use the Add Roles Wizard to install the File Services server role. If the role is already installed, use the Add Role Services Wizard to install the required role services.

3. Select the Distributed File System role services. Note that you can select the DFS Namespaces and DFS Replication role services individually, if required.


DFS Enhancements in Windows Server 2008 R2

Key Points

Microsoft Windows Server® 2008 R2 provides a number of enhancements and new features to both DFS-N and DFS-R. The following sections discuss these new capabilities.

Note: The content in this section only applies to Windows Server 2008 R2.

Updates to DFS Namespaces

• Performance improvements. The DFS Namespaces service takes less time to start, which increases performance, especially with large domain-based namespaces with 5,000 or more folder targets. Windows Server 2008 R2 also includes three new performance counters that can be used to monitor DFS Namespaces:

• DFS Namespace Service API Queue. Displays the number of requests in the queue waiting to be processed by the DFS Namespace service.

• DFS Namespace Service API Requests. Provides a number of objects showing information about DFS requests, such as average response time, requests processed, requests failed, and requests processed per second.

• DFS Namespace Service Referrals. Provides a number of objects showing information about referral requests processed by the DFS Namespace service. Information includes average response time, requests processed, requests failed, and requests processed per second.

• New DFS Management tool support. A number of enhancements to the DFS Management tool include the following:

• Access-based enumeration management improvements. When access-based enumeration is enabled on a shared folder or DFS folder, users will only see folders and files for which they have Read (or equivalent) permissions. Previously, access-based enumeration could only be enabled on a shared folder by using Share and Storage Management, or by using the Dfsutil command for DFS folders. Windows Server 2008 R2 provides an additional enhancement by allowing you to enable and configure access-based enumeration for a namespace by using the DFS Management tool.

• Support for selectively enabling or disabling namespace root referrals. The DFS Management tool provides the ability to enable or disable namespace servers. This allows you to control whether a server is available for referrals.

• Improvements to the Dfsdiag.exe command-line tool. Windows Server 2008 R2 includes changes to the Dfsdiag.exe command-line tool’s help text. When you type Dfsdiag /?, the help and error message text has been rewritten to provide clearer and more descriptive information.

Updates to DFS Replication

• Failover cluster support. The DFS Replication service in Windows Server 2008 R2 is now designed to coordinate with a Windows Server 2008 R2-based failover cluster. You can add a failover cluster as a member of a replication group.

• Read-only replicated folders. Prior to Windows Server 2008 R2, the only way to configure a read-only replicated folder was to manually set share permissions and access control lists on the folders, which required additional administrative effort. Windows Server 2008 R2 provides the ability to configure a replicated folder as a read-only or a read-write member. You can use either the DFS Management tool or the Dfsradmin command-line tool to configure read-only replicated folders.

Note: Read-only domain controllers based upon Windows Server 2008 R2 use read-only replicated folders to secure the SYSVOL folder.

• Improvements to the Dfsrdiag.exe command-line tool. Windows Server 2008 R2 includes changes to the Dfsrdiag.exe command-line tool. The following switches provide enhanced diagnostic capabilities:

• Replstate. Displays a summary of the replication status across all connections on the specified replication group member.

• IdRecord. Displays the DFS Replication ID record and version of a specified file or folder. You can use this information to determine if a file has replicated properly to another member.

• FileHash. Computes and displays a hash value for a particular file. This can be used to compare two files to ensure that they are identical.
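The following PowerShell script is an added example and is not part of the course text or of the Microsoft tools it names. It samples the three DFS Namespace performance-counter sets that Windows Server 2008 R2 introduces, reads a replication summary with the Dfsrdiag Replstate switch, and uses the FileHash switch to confirm that one replicated file is identical on two DFS-R members. It assumes a Windows Server 2008 R2 server that hosts both the DFS Namespaces and DFS Replication role services; the member name and file path are placeholders, the alert threshold is a constructed value, and the partner's copy of the file is read over its administrative share.

```powershell
# Added example (not from the course text): Windows Server 2008 R2 DFS-N counters
# plus the Dfsrdiag Replstate and FileHash switches.
# Assumptions: run on a 2008 R2 server with DFS-N and DFS-R installed;
# $peerMember and $sampleFile are placeholders; the peer's file is reachable
# through its administrative share (C$, D$, ...).

$queueThreshold = 100                                   # constructed alert threshold
$peerMember     = 'NYC-DC1'                             # placeholder replication partner
$sampleFile     = 'D:\PolicyFiles\AcceptableUse.docx'   # placeholder replicated file

function Get-DfsnCounterSnapshot {
    # Reads every counter in the three counter sets the text names. The counter
    # paths inside each set come from Get-Counter -ListSet, so only the set names
    # are hard-coded.
    $setNames = 'DFS Namespace Service API Queue',
                'DFS Namespace Service API Requests',
                'DFS Namespace Service Referrals'
    foreach ($name in $setNames) {
        $set = Get-Counter -ListSet $name -ErrorAction SilentlyContinue
        if (-not $set) {
            Write-Warning "Counter set '$name' not found: is this Windows Server 2008 R2 with DFS Namespaces installed?"
            continue
        }
        $sample = Get-Counter -Counter $set.Paths -ErrorAction SilentlyContinue
        foreach ($cs in $sample.CounterSamples) {
            New-Object PSObject -Property @{
                CounterSet = $set.CounterSetName
                Path       = $cs.Path
                Value      = $cs.CookedValue
            }
        }
    }
}

function Get-DfsrFileHash {
    # Wraps "dfsrdiag filehash /path:<file>" and returns only the hash text.
    param([string]$Path)
    $line = dfsrdiag filehash "/path:$Path" | Select-String 'Hash' | Select-Object -First 1
    if ($line) { ($line.Line -split ':', 2)[1].Trim() } else { $null }
}

# 1. Counter snapshot. A deep API queue is the symptom the text associates with
#    large domain-based namespaces (5,000 or more folder targets).
$snapshot = Get-DfsnCounterSnapshot
$snapshot | Sort-Object CounterSet, Path | Format-Table CounterSet, Path, Value -AutoSize
$snapshot | Where-Object { $_.CounterSet -like '*API Queue' -and $_.Value -gt $queueThreshold } |
    ForEach-Object { Write-Warning ('Queued DFS-N requests: {0} on {1}' -f $_.Value, $_.Path) }

# 2. Replication status across all connections of this member (Replstate switch).
dfsrdiag replstate "/member:$env:COMPUTERNAME"

# 3. Compare the DFS-R hash of one file on this member and on the partner
#    (FileHash switch). Drive letter D: becomes the administrative share D$.
$remotePath = '\\{0}\{1}' -f $peerMember, ($sampleFile -replace '^([A-Za-z]):', '$1$$')
$localHash  = Get-DfsrFileHash -Path $sampleFile
$remoteHash = Get-DfsrFileHash -Path $remotePath
if ($localHash -and $remoteHash) {
    if ($localHash -eq $remoteHash) {
        "OK: $sampleFile is identical on $env:COMPUTERNAME and $peerMember ($localHash)"
    } else {
        Write-Warning "MISMATCH: $sampleFile differs between $env:COMPUTERNAME ($localHash) and $peerMember ($remoteHash)"
    }
} else {
    Write-Warning 'Could not compute one of the hashes; check the paths and that Dfsrdiag.exe is installed.'
}
```

The hash that Dfsrdiag computes is the one DFS Replication itself uses, so a mismatch means the two members really hold different versions (or different ACLs or alternate data streams), which is a stronger check than comparing file sizes or timestamps.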


Lesson 2

Configuring DFS Namespaces

Configuring a DFS namespace consists of several tasks, including creating the namespace structure, creating folders within the namespace, and adding folder targets. You may also choose to perform additional management tasks, such as configuring the referral order, enabling client fail back, and implementing DFS replication. This lesson provides information on how to complete these configuration and management tasks to deploy an effective DFS solution.

Objectives

After completing this lesson, you will be able to:

• Describe the process for deploying namespaces to publish content.

• Describe the permissions required to create and manage a namespace.

• Create and configure DFS namespaces and folder targets.


Deploying Namespaces for Publishing Content

Key Points

You use DFS namespaces to publish content for users. To configure a namespace for publishing content to users, perform the following procedures:

1. Create a namespace. Use the New Namespace Wizard to create the namespace from within the DFS Management console. To create a namespace, you must specify a namespace server, a namespace name and a namespace type (either domain-based or stand-alone). You can also specify whether the namespace is enabled for Windows Server 2008 mode.

2. Create a folder in the namespace. After the namespace is created, add a folder in the namespace that will be used to contain the content that you want to publish. During the folder creation, you have the option to add folder targets, or you can perform a separate task to add, edit, or remove folder targets later.

3. Add folder targets. After a folder is created within the namespace, the next task is to create folder targets. The folder target is a shared folder’s UNC path on a specific server. You can browse for shared folders on remote servers and create shared folders as needed. You can also add multiple folder targets to increase the folder’s availability in the namespace. If you add multiple folder targets, consider using DFS-R to ensure that the content is the same between the targets.

4. Set the ordering method for targets in referrals. A referral is an ordered list of targets that a client computer receives from the namespace server when a user accesses a namespace root or folder. When a client receives the referral, the client attempts to access the first target in the list. If the target is not available, the next target is attempted. By default, targets in the client’s site are always listed first in the referral. You can configure the method for ordering targets outside the client’s site on the Referrals tab of the Namespace Properties dialog box. You have the choice of configuring the lowest cost, random order, or configuring the ordering method to exclude targets outside the client’s site.


Permissions Required to Create and Manage a Namespace

Key Points

To perform DFS namespace management tasks, a user either has to be a member of an administrative group or has to be delegated specific permission to perform the task. You can right-click the namespace and then click Delegate Management Permissions to delegate the required permissions.

The following table describes the groups that can perform DFS administration by default, and the method for delegating the ability to perform DFS management tasks:

Task                                                       | Groups that can perform the task by default    | Delegation method
-----------------------------------------------------------|------------------------------------------------|--------------------------------------------------------------------------------------------------------
Create a domain-based namespace.                           | Domain admins                                  | Delegate Management Permissions; or add the user to the local administrators group on the namespace server.
Add a namespace server to a domain-based namespace.        | Domain admins                                  | Delegate Management Permissions; or add the user to the local administrators group on the namespace server.
Manage a domain-based namespace.                           | Local administrators on each namespace server  | Delegate Management Permissions.
Create a stand-alone namespace.                            | Local administrators on each namespace server  | Add the user to the local administrators group on the namespace server.
Manage a stand-alone namespace.                            | Local administrators on each namespace server  | Delegate Management Permissions.
Create a replication group or enable DFS replication on a folder. | Domain admins                           | Delegate Management Permissions.


Demonstration: How to Create Namespaces

Key Points

In this demonstration, you will see how to:

• Create a new namespace.

• Create a new folder and folder target.

Demonstration Steps:

1. Open DFS Management.

2. Use the New Namespace Wizard to create a new namespace. Configure options such as the namespace type and Windows Server 2008 mode.

3. Use the New Folder dialog box to create a main folder, and then add Folder Targets as required.


Lesson 3

Configuring DFS Replication

To configure DFS-R effectively, it is important to understand the terminology and requirements associated with the feature. This lesson provides information on the specific elements, requirements, and scalability considerations as they relate to DFS-R, and provides a process for configuring an effective replication topology.

Objectives

After completing this lesson, you will be able to:

• Describe DFS replication.

• Describe replication groups and replicated folders.

• Describe DFS-R requirements.

• Deploy a replication group.

• Discuss tools used to troubleshoot DFS-R.

• Generate diagnostic reports and perform propagation tests.


• DFS-R uses a version vector exchange protocol to determine which files need to be synchronized. The protocol sends less than 1 KB per file across the network to synchronize the metadata associated with changed files on the sending and receiving members.

• DFS-R uses a conflict resolution heuristic of “last writer wins” for files that are in conflict (that is, a file that is updated at multiple servers simultaneously) and “earliest creator wins” for name conflicts. Files and folders that lose the conflict resolution are moved to a folder known as the Conflict and Deleted folder. You can also configure the service to move deleted files to the Conflict and Deleted folder for retrieval, should the file or folder be deleted. Each replicated folder has its own hidden Conflict and Deleted folder, which is located under the local path of the replicated folder in the DfsrPrivate\ConflictandDeleted folder.

• DFS-R is self-healing and can automatically recover from USN journal wraps, USN journal loss, or DFS Replication database loss.

• DFS-R uses a Windows Management Instrumentation (WMI) provider that provides interfaces to obtain configuration and monitoring information from the DFS Replication service.


What Are Replication Groups and Replicated Folders?

Key Points

A replication group consists of a set of member servers that participate in replicating one or more replicated folders. There are two main types of replication groups:

• Multipurpose replication group. Use to configure replication between two or more servers for publication, content sharing, or other scenarios.

• Replication group for data collection. Configures a two-way replication between two servers, such as a branch office server and a hub server. This group type is used to collect data from the branch office server to the hub server. You can then use standard backup software to back up the hub server data.

A replicated folder is a folder that is synchronized between each member server.

Creating multiple replicated folders within a single replication group helps to simplify the following for the entire group:

• Replication Group type

• Topology

• Hub and spoke configuration

• Replication schedule

• Bandwidth throttling

The replicated folders stored on each member can be located on different volumes in the member. Replicated folders do not need to be shared folders or part of a namespace, though the DFS Management snap-in makes it easy to share replicated folders, and optionally, publish them in an existing namespace.


DFS-R Requirements

Key Points

To use DFS-R, you must be aware of specific replication requirements. These requirements include:

• Ensure that the Active Directory schema has been updated to include the new DFS replication objects. If you plan to use DFS Replication, the Active Directory schema must be updated to at least the version equal to Microsoft Windows Server® 2003 R2, so that it includes the Active Directory classes and attributes that DFS Replication uses. To use read-only replicated folders, the schema must include the Windows Server 2008 or newer schema additions. To upgrade the schema, on the schema operations master, run adprep.exe /forestprep. This tool is available in the Windows\sources\adprep folder of the Windows Server 2008 installation media.

• All servers in a replication group must be in the same forest. You cannot enable replication across servers in different forests.

• The servers that will participate in DFS Replication must run a Windows Server 2003 R2, Windows Server 2008, or Windows Server 2008 R2 operating system. You must install the DFS Replication service role on each server that will take part in replication, and you must install the DFS Management snap-in on one server to manage replication. DFS replication is supported on all x64 editions of Windows Server 2008 R2 and on all x86 and x64 editions of Windows Server 2008. DFS is not supported on Itanium-based computers.

• To support failover clustering, the failover cluster server must be running Windows Server 2008 R2.

• Antivirus software must be compatible with DFS Replication, because antivirus software can cause excessive replication if its scanning activities alter the timestamp on files in a replicated folder. Contact your antivirus software vendor to check for compatibility.
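The following PowerShell script is an added example, not part of the course text, that checks the requirements listed above before a replication group is created: the schema version, membership of one forest, a supported operating system, no Itanium hardware, and the presence of the DFS Replication service. It assumes PowerShell 2.0 on a domain-joined Windows Server 2008 or 2008 R2 computer with WMI access to the prospective members; the member list is constructed. The antivirus compatibility requirement cannot be tested this way and still has to be confirmed with the vendor.

```powershell
# Added example (not from the course text): pre-flight checks for the DFS-R
# requirements listed in this topic. Assumptions: PowerShell 2.0, domain-joined
# host, WMI reachable on each member; $members is a constructed list.

$members = 'NYC-SVR1', 'NYC-DC1'   # constructed list of intended members

function Test-DfsrPrerequisites {
    param([string[]]$Member)
    $findings = @()

    # 1. Schema version. Well-known objectVersion values: 30 = Windows Server 2003,
    #    31 = 2003 R2, 44 = 2008, 47 = 2008 R2. DFS-R needs 31 or later; read-only
    #    replicated folders need the 2008 schema (44) or later.
    $rootDse = [ADSI]'LDAP://RootDSE'
    $schema  = [ADSI]('LDAP://' + $rootDse.Get('schemaNamingContext'))
    $version = [int]$schema.Get('objectVersion')
    if ($version -lt 31) {
        $findings += "FAIL: schema objectVersion $version is below 31; run adprep.exe /forestprep on the schema master"
    } elseif ($version -lt 44) {
        $findings += "WARN: schema objectVersion $version supports DFS-R but not read-only replicated folders (needs 44 or later)"
    } else {
        $findings += "OK: schema objectVersion $version"
    }

    # 2. Every member must belong to a domain of this forest.
    $forest        = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $forestDomains = @($forest.Domains | ForEach-Object { $_.Name.ToLower() })

    foreach ($m in $Member) {
        try {
            $cs  = Get-WmiObject -Class Win32_ComputerSystem   -ComputerName $m -ErrorAction Stop
            $os  = Get-WmiObject -Class Win32_OperatingSystem  -ComputerName $m -ErrorAction Stop
            $cpu = Get-WmiObject -Class Win32_Processor        -ComputerName $m -ErrorAction Stop | Select-Object -First 1
            $svc = Get-WmiObject -Class Win32_Service -Filter "Name='DFSR'" -ComputerName $m -ErrorAction Stop
        } catch {
            $findings += "FAIL: ${m}: WMI query failed ($($_.Exception.Message))"
            continue
        }

        if ($forestDomains -notcontains $cs.Domain.ToLower()) {
            $findings += "FAIL: ${m}: domain $($cs.Domain) is not part of forest $($forest.Name)"
        }

        # 3. Operating system: 5.2 marked "R2" = 2003 R2; 6.0 = 2008; 6.1 = 2008 R2.
        $ver      = [version]$os.Version
        $is2003R2 = ($ver.Major -eq 5 -and $ver.Minor -eq 2 -and $os.OtherTypeDescription -like '*R2*')
        if (-not ($is2003R2 -or $ver -ge [version]'6.0')) {
            $findings += "FAIL: ${m}: $($os.Caption) ($($os.Version)) is not Windows Server 2003 R2, 2008 or 2008 R2"
        }

        # 4. Itanium (Win32_Processor.Architecture = 6) is not supported by DFS-R.
        if ($cpu.Architecture -eq 6) { $findings += "FAIL: ${m}: Itanium-based computer" }

        # 5. The DFS Replication role service installs the 'DFSR' service.
        if (-not $svc) {
            $findings += "FAIL: ${m}: DFS Replication service (DFSR) is not installed"
        } elseif ($svc.State -ne 'Running') {
            $findings += "WARN: ${m}: DFSR service state is $($svc.State)"
        } else {
            $findings += "OK: ${m}: DFSR service running on $($os.Caption)"
        }
    }
    $findings
}

Test-DfsrPrerequisites -Member $members
```

Run it from the server on which you will manage the replication group; any FAIL line corresponds to one of the requirements above and should be resolved before the New Replication Group Wizard is started, because the wizard only reports some of these conditions after the fact.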


Demonstration: How to Deploy a Replication Group

Key Points

In this demonstration, you will see how to:

• Create a new folder target for replication.

• Create a new replication group.

Demonstration Steps:

1. Open DFS Management.

2. Use the New Folder Target dialog box to create an additional folder target to be used for replication.

3. Use the New Replication Group Wizard to configure options such as the Replication Group Type, Replication Group name, Replication group members, and Topology selection.
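The following PowerShell script is an added example and not part of the course text. It builds the replication group from this demonstration with Dfsradmin.exe instead of the wizard, and makes the branch member a read-only replicated folder as described under "Read-only replicated folders" and "What Are Replication Groups and Replicated Folders?" earlier in this module. It assumes a domain administrator (or a user delegated DFS-R management permissions) running it on a Windows Server 2008 R2 member; the group, folder, member names and local paths are placeholders, and the dfsradmin switch names are quoted from memory of the 2008 R2 tool, so confirm each with "dfsradmin <command> <subcommand> /?" before relying on them.

```powershell
# Added example (not from the course text): hub-and-spoke replication group with a
# read-only spoke, built with dfsradmin.exe. Assumptions: Windows Server 2008 R2,
# sufficient permissions, placeholder names; switch names per the 2008 R2 tool.

$rg        = 'CorpDocs-PolicyFiles'   # placeholder replication group name
$rf        = 'PolicyFiles'            # placeholder replicated folder name
$hub       = 'NYC-SVR1'               # authoritative (primary) member
$spoke     = 'NYC-DC1'                # branch member; will be read-only
$localPath = 'D:\PolicyFiles'         # placeholder local path, same on both members

function Invoke-DfsrAdmin {
    # Runs dfsradmin with the given arguments and stops on failure, so a
    # half-configured replication group is never left behind silently.
    param([string[]]$ArgumentList)
    & dfsradmin.exe @ArgumentList
    if ($LASTEXITCODE -ne 0) {
        throw "dfsradmin $($ArgumentList -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Replication group and its two members (a multipurpose group).
Invoke-DfsrAdmin @('rg', 'new', "/rgname:$rg", '/rgdesc:PolicyFiles hub-and-spoke')
Invoke-DfsrAdmin @('mem', 'new', "/rgname:$rg", "/memname:$hub")
Invoke-DfsrAdmin @('mem', 'new', "/rgname:$rg", "/memname:$spoke")

# 2. Replicated folder and the two connections (sending and receiving) that make
#    up a hub-and-spoke topology between the members.
Invoke-DfsrAdmin @('rf', 'new', "/rgname:$rg", "/rfname:$rf")
Invoke-DfsrAdmin @('conn', 'new', "/rgname:$rg", "/sendmem:$hub",   "/recvmem:$spoke")
Invoke-DfsrAdmin @('conn', 'new', "/rgname:$rg", "/sendmem:$spoke", "/recvmem:$hub")

# 3. Memberships. The hub is primary (authoritative for initial replication); the
#    spoke is read-only, so its copy only ever changes through replication and a
#    compromised or careless branch account cannot push edits back to the hub.
Invoke-DfsrAdmin @('membership', 'set', "/rgname:$rg", "/rfname:$rf", "/memname:$hub",
                   "/localpath:$localPath", '/membershipenabled:true', '/isprimary:true')
Invoke-DfsrAdmin @('membership', 'set', "/rgname:$rg", "/rfname:$rf", "/memname:$spoke",
                   "/localpath:$localPath", '/membershipenabled:true', '/readonly:true')

# 4. Show the resulting configuration.
Invoke-DfsrAdmin @('membership', 'list', "/rgname:$rg", "/rfname:$rf",
                   '/attr:memname,localpath,isprimary,readonly')
```

The read-only setting is the same mechanism that Windows Server 2008 R2 read-only domain controllers use for SYSVOL: it is enforced by the DFS Replication service on the member rather than by share or NTFS permissions, so it still holds when a local administrator changes the ACLs on the folder.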


Tools Used to Troubleshoot DFS-R

Key Points

Windows Server 2008 provides a number of tools that can be used to monitor and troubleshoot DFS-R. The tools include:

• Diagnostic Reports. You can run a diagnostic report for the following:

• Health Report. Shows extensive replication statistics and reports on replication health and efficiency.

• Propagation Test. Generates a test file in a replicated folder to be used to verify replication and provide statistics for the propagation report.

• Propagation Report. Provides information about the progress for a test file that is generated during a propagation test. This report will ensure that replication is functional.

• Verify Topology. Used to verify and report on the status of the replication group topology. This will report any members that are disconnected.

• Dfsrdiag.exe. This command-line utility can be used to monitor the replication state of the DFS Replication service.


Demonstration: How to Generate Diagnostic Reports and Propagation Tests

Key Points

In this demonstration, you will see how to:

• Generate a Health Report.

• Generate a Propagation Test and Report.

Demonstration Steps:

1. Open DFS Management.

2. Under the Replication node, right-click the replication group, and then click Create Diagnostic Report.

3. Select either Health Report, Propagation test, or Propagation report.

4. Complete the Diagnostic Report Wizard.
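The following PowerShell script is an added example and not part of the course text. It performs the propagation test and propagation report from this demonstration with Dfsrdiag.exe, adds the backlog check, and first reads the state of every replicated folder through the DFS Replication WMI provider (root\MicrosoftDfs) mentioned in the DFS-R overview, so that a failed propagation can be told apart from a folder that is still initializing. It assumes PowerShell 2.0 on a DFS-R member with WMI access to both members; the group, folder and member names are placeholders and the wait time is a constructed value.

```powershell
# Added example (not from the course text): replicated-folder state via WMI, then a
# Dfsrdiag propagation test, propagation report and backlog check.
# Assumptions: PowerShell 2.0 on a DFS-R member; placeholder names; the
# DfsrReplicatedFolderInfo.State values are the documented 0-5 set.

$rg          = 'CorpDocs-PolicyFiles'   # placeholder replication group
$rf          = 'PolicyFiles'            # placeholder replicated folder
$hub         = 'NYC-SVR1'
$spoke       = 'NYC-DC1'
$testFile    = 'propagation-' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.txt'
$report      = Join-Path $env:TEMP ("dfsr-propagation-$rg.xml")
$waitSeconds = 120   # constructed; size it to the replication schedule and WAN latency

function Get-DfsrFolderState {
    param([string]$Computer = $env:COMPUTERNAME)
    # Documented State values of the DfsrReplicatedFolderInfo WMI class.
    $states = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync';
                 3 = 'Auto Recovery'; 4 = 'Normal';      5 = 'In Error' }
    Get-WmiObject -Namespace 'root\MicrosoftDfs' -Class DfsrReplicatedFolderInfo -ComputerName $Computer |
        ForEach-Object {
            New-Object PSObject -Property @{
                Member = $Computer
                Group  = $_.ReplicationGroupName
                Folder = $_.ReplicatedFolderName
                State  = $states[[int]$_.State]
            }
        }
}

# 1. State of every replicated folder on both members. Anything other than
#    'Normal' (for example 'Initial Sync' or 'In Error') means a propagation
#    test is not meaningful yet and the health report should be read first.
$hub, $spoke | ForEach-Object { Get-DfsrFolderState -Computer $_ } |
    Format-Table Member, Group, Folder, State -AutoSize

# 2. Create the test file in the replicated folder on the hub.
dfsrdiag propagationtest "/rgname:$rg" "/rfname:$rf" "/testfile:$testFile" "/member:$hub"

# 3. Allow time to replicate, then ask each member when the file arrived.
Start-Sleep -Seconds $waitSeconds
dfsrdiag propagationreport "/rgname:$rg" "/rfname:$rf" "/testfile:$testFile" "/reportfile:$report"

# 4. Backlog in each direction: a backlog that never drains explains a slow or
#    missing propagation better than the report alone.
dfsrdiag backlog "/rgname:$rg" "/rfname:$rf" "/sendingmember:$hub"   "/receivingmember:$spoke"
dfsrdiag backlog "/rgname:$rg" "/rfname:$rf" "/sendingmember:$spoke" "/receivingmember:$hub"

"Propagation report written to $report"
```

The report file is XML, so it can be archived with each run; comparing successive reports for the same replicated folder is a simple way to spot replication latency creeping up before users report stale PolicyFiles content.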


Lab: Installing and Configuring the Distributed File System Role Service

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V™ Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

5. Repeat steps from 2 through 4 for 6419B-NYC-SVR1.

Lab Scenario

You are a network administrator for Contoso, Ltd. Your organization currently stores files on a number of servers located throughout the infrastructure. To simplify file access for users and provide high availability and redundancy of the file services, you decide to implement a DFS solution. For this project, you must complete the following tasks:

• Install the DFS role service to include DFS namespaces and DFS replication.

• Create a domain-based DFS namespace called CorpDocs, with NYC-SVR1 as the namespace server.

• Enable Access-Based Enumeration for the CorpDocs namespace.


• Add the following folders to the CorpDocs namespace:

• MarketingTemplates folder target located on NYC-DC1

• PolicyFiles folder target located on NYC-SVR1

• Configure availability and redundancy by adding additional folder targets and replicating the folder targets for the PolicyFiles folder.

• Configure the replicated folder target for PolicyFiles to be read-only.

• Provide reports on the health of the CorpDocs folder replication.


Exercise 1: Installing the Distributed File System Role Service

Scenario

In this exercise, you will install the DFS role service on NYC-DC1 and NYC-SVR1.

The main tasks for this exercise are as follows:

1. Install the DFS role service on NYC-SVR1.

2. Install the DFS role service on NYC-DC1.

Task 1: Install the Distributed File System Role Service on NYC-SVR1.

1. On NYC-SVR1, open Server Manager.

2. Use the Add Role Services wizard to install the Distributed File System role services and configure the following:

• Select Role Services: File Server, Distributed File System, DFS Namespaces, DFS Replication .

• Create a DFS Namespace: Create a namespace later.

Task 2: Install the Distributed File System Role Service on NYC-DC1.

1. On NYC-DC1, open Server Manager.

2. In the details pane, under the File Services section, use the Add Role Services wizard to install the Distributed File System role services and configure the following:

• Select Role Services: File Server, Distributed File System, DFS Namespaces, DFS Replication .

• Create a DFS Namespace: Create a namespace later.

Results: After completing this exercise, you have installed the DFS role service on NYC-SVR1 and NYC-DC1.


Exercise 2: Creating a DFS Namespace

Scenario

You decide to create the CorpDocs namespace on NYC-SVR1. As per the requirements, the namespace will be domain-based and will have access-based enumeration enabled.

The main tasks for this exercise are as follows:

1. Use the New Namespace Wizard to create the CorpDocs namespace.

2. Enable access-based enumeration for the CorpDocs namespace.

Task 1: Use the New Namespace Wizard to create the CorpDocs namespace.

1. On NYC-SVR1, open the DFS Management console.

2. Start the New Namespace Wizard and configure the following:

• Namespace Server: NYC-SVR1

• Namespace Name and Settings: CorpDocs

• Namespace Type: Domain-based namespace

• Enable Windows Server 2008 mode: Enabled

3. Use the DFS Management console to verify that the \\NYC-SVR1\CorpDocs namespace is enabled.

Task 2: Enable access-based enumeration for the CorpDocs namespace.

1. From the \\Contoso.com\CorpDocs Properties dialog box, enable access-based enumeration.

Results: After completing this exercise, you have created the CorpDocs namespace and configured it to use access-based enumeration.


Exercise 3: Configuring Folder Targets

Scenario

Two folders need to be added to the CorpDocs namespace. One folder is located on NYC-DC1 and is called MarketingTemplates. The other folder is located on NYC-SVR1 and is called PolicyFiles.

The main tasks for this exercise are as follows:

1. Add the MarketingTemplates folder to the CorpDocs Namespace.

2. Add the PolicyFiles folder to the CorpDocs Namespace.

3. Verify the CorpDocs Namespace.

Task 1: Add the MarketingTemplates folder to the CorpDocs namespace.

1. Switch to the NYC-SVR1 virtual machine.

2. In DFS Management, under \\Contoso.com\CorpDocs, create a new folder with the following configuration:

• Name: MarketingTemplates

• Folder Target: \\NYC-DC1\MarketingTemplates

Task 2: Add the PolicyFiles folder to the CorpDocs namespace.

1. In DFS Management, under \\Contoso.com\CorpDocs, create a new folder with the following configuration:

• Name: PolicyFiles

• Folder Target: \\NYC-SVR1\PolicyFiles

Task 3: Verify the CorpDocs namespace.

1. On NYC-SVR1, browse to the \\Contoso.com\CorpDocs namespace and verify that both MarketingTemplates and PolicyFiles are visible.

Results: After completing this exercise, you have configured Folder Targets for the CorpDocs namespace.
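Exercises 2 and 3 done from an elevated PowerShell 2.0 prompt on NYC-SVR1 with dfsutil.exe, the tool this module lists for advanced namespace work. This is an added example and not part of the lab text. Windows Server 2008 R2 has no DFS Namespaces cmdlets (those shipped with Windows Server 2012), so dfsutil is wrapped and its exit code checked. The root share path C:\DFSRoots\CorpDocs and the group CONTOSO\PolicyReaders used for the explicit-view ACL are assumptions, not from the text; everything else is taken from the scenario.

```powershell
# Added example (not from the 6419B lab): build the CorpDocs namespace with dfsutil.exe.
# Assumed names: C:\DFSRoots\CorpDocs (root share path), CONTOSO\PolicyReaders (view group).
$ErrorActionPreference = 'Stop'
$domain   = 'contoso.com'
$nsServer = 'NYC-SVR1'
$nsName   = 'CorpDocs'
$rootPath = "C:\DFSRoots\$nsName"
$nsPath   = "\\$domain\$nsName"

function Invoke-Dfsutil {
    # dfsutil prints its errors on stdout and returns non-zero; fail the script on either.
    param([string[]]$Arguments)
    $out = & dfsutil.exe $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dfsutil $($Arguments -join ' ') failed:`n$($out -join "`n")" }
    $out
}

# 1. The namespace root share must exist before the root can be added. The root only
#    ever holds folder reparse points, so Everyone needs no more than READ on it; the
#    share and NTFS ACLs on the folder targets (NYC-DC1, NYC-SVR1) guard the real data.
if (-not (Test-Path $rootPath)) { New-Item -ItemType Directory -Path $rootPath | Out-Null }
& net.exe share "$nsName=$rootPath" /GRANT:Everyone,READ | Out-Null
if ($LASTEXITCODE -ne 0) { throw "could not share $rootPath as $nsName" }

# 2. Domain-based namespace in Windows Server 2008 mode (V2). 2008 mode requires the
#    Windows Server 2008 domain functional level and is what makes ABE available.
Invoke-Dfsutil 'root', 'adddom', "\\$nsServer\$nsName", 'V2'

# 3. Access-based enumeration: a user sees only the folders the namespace ACL lets
#    them read. ABE hides, it does not protect: a user who already knows the path can
#    still open the target unless its own share and NTFS permissions deny them.
Invoke-Dfsutil 'property', 'abe', 'enable', $nsPath

# 4. The two folders and their targets from Exercise 3.
Invoke-Dfsutil 'link', 'add', "$nsPath\MarketingTemplates", '\\NYC-DC1\MarketingTemplates'
Invoke-Dfsutil 'link', 'add', "$nsPath\PolicyFiles",        '\\NYC-SVR1\PolicyFiles'

# 5. Explicit view permission so ABE shows PolicyFiles only to the assumed group.
#    'protect' stops inherited entries from widening the view again.
Invoke-Dfsutil 'property', 'sd', 'grant', "$nsPath\PolicyFiles", 'CONTOSO\PolicyReaders:R', 'protect'

# 6. Verify from the namespace itself rather than the wizard's success page: dump the
#    root and the ABE state. Both calls throw if the namespace is not there.
Invoke-Dfsutil 'root', $nsPath
Invoke-Dfsutil 'property', 'abe', $nsPath
```

Run it once per namespace; dfsutil refuses to add a root or link that already exists, and the wrapper turns that into a terminating error so a partially built namespace is noticed rather than silently skipped.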


Exercise 4: Configuring DFS Folder Replication

Scenario

Your requirements state that the PolicyFiles folder must be highly available and redundant. You decide to add a second folder target for the PolicyFiles folder on NYC-DC1 and configure replication to keep the two folders synchronized.

The main tasks for this exercise are as follows:

1. Create another Folder Target for PolicyFiles.

2. Configure DFS Replication.

3. View Diagnostic Reports.

Task 1: Create another Folder Target for PolicyFiles.

1. Switch to the NYC-SVR1 virtual machine.

2. In DFS Management, under \\Contoso.com\CorpDocs\PolicyFiles, create a new folder target with the following configuration:

• Folder Target: \\NYC-DC1\PolicyFiles

• Local path of shared folder: C:\PolicyFiles

• Shared folder permissions: Administrators have full access; other users have read and write permissions

• Click Yes to start the Replicate Folder Wizard.

Task 2: Configure DFS Replication.

1. In DFS Management, complete the Replicate Folder Wizard with the following configuration:

• Replication Group and Replicated Folder Name: Default settings

• Replication Eligibility: Verify that both servers are eligible

• Primary Member: NYC-SVR1

• Topology Selection: Full mesh

• Replication Group Schedule and Bandwidth: Replicate continuously using the specified bandwidth

2. Verify that the replicated folder is shown on both NYC-DC1 and NYC-SVR1.

3. From the DFS Management console, configure the NYC-DC1 member to be read-only.

Task 3: View Diagnostic Reports.

1. On NYC-SVR1, in the DFS Management console, under Replication, use the Diagnostic Report Wizard to create a Health report. Use NYC-SVR1 as the reference member.

2. Review the DFS Replication Health Report for errors.

Results: After completing this exercise, you will have configured DFS Folder Replication and produced a diagnostic report.
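A scripted version of the Task 3 check, run from NYC-SVR1 after the wizard finishes. This is an added example and not part of the lab text. It reads the DFS Replication WMI provider (root\MicrosoftDFS) on both members and calls dfsrdiag.exe for the backlog in each direction, which is the same data the health report summarises. It also confirms the read-only setting from Task 2 step 3 actually took effect: a read-only member rejects local writes, so it can never originate a change that replicates back over the primary member's copy. The replication group name (contoso.com\corpdocs\policyfiles) and replicated folder name (PolicyFiles) are assumed to be the wizard's defaults; check them in DFS Management if your wizard run named them differently. Remote WMI to NYC-DC1 needs the Windows Management Instrumentation firewall exception and local administrator rights there.

```powershell
# Added example (not from the 6419B lab): verify PolicyFiles replication from NYC-SVR1.
# Assumed: RG name 'contoso.com\corpdocs\policyfiles', RF name 'PolicyFiles' (wizard defaults).
$ErrorActionPreference = 'Stop'
$rg      = 'contoso.com\corpdocs\policyfiles'
$rf      = 'PolicyFiles'
$members = 'NYC-SVR1', 'NYC-DC1'

# DfsrReplicatedFolderInfo.State codes as documented for the DFSR WMI provider.
$stateNames = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync';
                 3 = 'Auto Recovery'; 4 = 'Normal';      5 = 'In Error' }

function Get-ReplicatedFolderHealth {
    param([string]$Computer, [string]$GroupName, [string]$FolderName)
    # WQL needs backslashes doubled inside string literals.
    $filter = "ReplicationGroupName='$($GroupName.Replace('\', '\\'))' AND ReplicatedFolderName='$FolderName'"
    $info = Get-WmiObject -ComputerName $Computer -Namespace 'root\MicrosoftDFS' -Class DfsrReplicatedFolderInfo   -Filter $filter
    $cfg  = Get-WmiObject -ComputerName $Computer -Namespace 'root\MicrosoftDFS' -Class DfsrReplicatedFolderConfig -Filter $filter
    if (-not $info -or -not $cfg) { throw "${Computer}: replicated folder '$FolderName' in group '$GroupName' not found" }
    New-Object PSObject -Property @{
        Member   = $Computer
        State    = $stateNames[[int]$info.State]
        ReadOnly = [bool]$cfg.ReadOnly      # exposed by the 2008 R2 provider
        Path     = $cfg.RootPath
    }
}

function Get-Backlog {
    # dfsrdiag backlog counts files the sending member still owes the receiving member.
    param([string]$From, [string]$To, [string]$GroupName, [string]$FolderName)
    $out = & dfsrdiag.exe backlog "/rgname:$GroupName" "/rfname:$FolderName" "/smem:$From" "/rmem:$To" 2>&1 | Out-String
    if ($out -match 'No Backlog')                          { return 0 }
    if ($out -match 'Backlog File Count:\s*(\d+)')         { return [int]$matches[1] }
    throw "dfsrdiag backlog $From -> ${To}: unexpected output`n$out"
}

$health = $members | ForEach-Object { Get-ReplicatedFolderHealth -Computer $_ -GroupName $rg -FolderName $rf }
$health | Format-Table Member, State, ReadOnly, Path -AutoSize

$problems = @()
foreach ($h in $health) {
    if ($h.State -ne 'Normal') { $problems += "$($h.Member): state is $($h.State)" }
}
# Exercise 4 makes NYC-DC1 read-only. If that flag is missing, users can write to the
# DC copy and those writes will replicate back onto NYC-SVR1.
if (-not ($health | Where-Object { $_.Member -eq 'NYC-DC1' }).ReadOnly) { $problems += 'NYC-DC1 is not read-only' }

$toDc   = Get-Backlog -From 'NYC-SVR1' -To 'NYC-DC1'  -GroupName $rg -FolderName $rf
$fromDc = Get-Backlog -From 'NYC-DC1'  -To 'NYC-SVR1' -GroupName $rg -FolderName $rf
if ($toDc   -gt 0) { $problems += "$toDc file(s) queued NYC-SVR1 -> NYC-DC1" }
if ($fromDc -gt 0) { $problems += "$fromDc file(s) queued NYC-DC1 -> NYC-SVR1 (unexpected from a read-only member)" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "PolicyFiles replication healthy on $($members -join ', ')"
```

The Primary Member choice in Task 2 only matters for the initial sync: NYC-SVR1's content is authoritative then, and files already on NYC-DC1 that do not match are moved aside into the PreExisting folder rather than merged. After initial replication finishes the primary flag is cleared and the backlog check above, not the primary setting, is what tells you the two copies agree.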


Module Review and Takeaways

Review Questions

1. How can you use DFS in your File Services deployment?

2. What kind of compression technology is used by Windows Server 2008 DFS?

3. What is the difference between a domain-based DFS namespace and a stand-alone DFS namespace?

4. What is the default ordering method for client referral to folder targets?

5. What does the Primary Member configuration do when setting up replication?

6. Which folder is used to cache files and folders where conflicting changes are made on two or more members?

Windows Server 2008 R2 Features Introduced in this Module

Windows Server 2008 R2 Feature | Description
Read-only replicated folders | Ability to configure read-only replicated folders from the DFS Management console
Failover cluster support | Failover cluster support for DFS

Tools

Tool | Used for | Where to Find It
Dfsutil | Performing advanced operations on DFS namespaces | On a namespace server, type Dfsutil at the command prompt.
Dfsdiag | Diagnosing DFS namespace configuration (domain controller, site, configuration, integrity and referral tests) | On a namespace server, type Dfsdiag at the command prompt.
Dfsrdiag | Monitoring replication | On a server with the DFS Replication role service, type Dfsrdiag at the command prompt.
Dfscmd.exe | Scripting basic DFS tasks such as configuring DFS roots and targets | On a namespace server, type Dfscmd at the command prompt.
DFS Management | Performing tasks related to DFS namespaces and replication | Click Start, point to Administrative Tools, and then click DFS Management.


Module 5

Managing File Resources Using File Server Resource Manager

Contents:

Lesson 1: Overview of File Server Resource Manager 5-3

Lesson 2: Configuring Quota Management 5-11

Lab A: Installing FSRM and Implementing Quota Management 5-19

Lesson 3: Implementing File Screening 5-22

Lesson 4: Managing Storage Reports 5-28

Lab B: Configuring File Screening and Storage Reports 5-33

Lesson 5: Implementing Classification Management and File Management Tasks 5-36

Lab C: Configuring Classification and File Management Tasks 5-49


Module Overview

The files on your servers are constantly changing as content is added, removed, and modified. The Microsoft Windows Server® 2008 File Services role is designed to help administrators in an enterprise environment manage the continually growing amount of data. File storage requirements and demands within an enterprise change constantly as new requirements or policies arrive.

When storage requirements change and the data being stored changes as well, you need to manage an increasingly large and complex storage infrastructure. Therefore, to meet the needs of your organization, you need to understand and control how the existing storage is used.

This module introduces you to File Server Resource Manager (FSRM), a built-in component of Windows Server 2008 that helps you address and manage these issues.

Objectives

After completing this module, you will be able to:

• Describe FSRM.

• Configure Quota Management.

• Implement File Screening.

• Manage storage reports.

• Implement Classification Management and file management tasks.


Lesson 1

Overview of File Server Resource Manager

FSRM is a set of tools that allow you to understand, control, and manage the quantity and type of data stored on your servers. Using FSRM, you can place quotas on storage volumes, screen files and folders, generate comprehensive storage reports, control the file classification infrastructure, and use file management tasks to perform scheduled actions on sets of files. These tools not only help you monitor existing storage resources, but also aid in planning and implementing future policy changes.

Objectives

After completing this lesson, you will be able to:

• Describe common capacity management challenges.

• Describe the features available within FSRM.

• Describe FSRM configuration options.

• Install and configure the FSRM role service.


Capacity Management Challenges

Key Points

Capacity management is a proactive process of determining the current and future capacity needs for your enterprise's storage environment. As the size and complexity of the data increase, the need for capacity management also increases. To effectively meet the storage needs of your organization, you need to track how much storage capacity is available, how much storage space you need for future expansion, and how you are using the environment's storage.

Key Capacity Management Challenges

Capacity management brings with it the following key challenges:

• Determining existing storage use. To manage your storage environment and ensure that you can perform the simplest capacity management task, you need to understand your environment's current storage requirements. Knowing how much data is being stored on your servers, what types of data are being stored, and how that data is currently being used is the benchmark for measuring the various aspects of capacity management in your environment.

• Establishing and enforcing storage use policies. Capacity management includes ensuring that your storage environment is being used to its full potential. Managing growth is important to ensure that your storage environment is not overwhelmed by unplanned or unauthorized data storage on your servers. Modern media data such as audio, video, and graphic files consume a large amount of storage space and, if left unchecked, the unauthorized storage of these types of files can consume the storage space required for legitimate business use.

• Anticipating future requirements. Storage requirements are constantly changing. New projects and new organizational initiatives require increased storage. New applications and imported data require additional storage. If you are not able to anticipate or prepare for events like these, your storage environment may not be able to meet the storage requirements.


Addressing Capacity Management Challenges

To address these key challenges, you need to implement basic capacity management measures to proactively manage the storage environment and prevent challenges from becoming problems.

• Analyze how storage is being used. The first step in capacity management is analyzing the current storage environment. Accurate analysis begins with proper tools that provide usable and organized information regarding the current state of your storage environment.

• Define storage resource management policies. A robust set of policies is necessary to maintain the current storage environment and ensure that storage growth happens in a manageable and predictable way. Preventing unauthorized files from being saved to your servers, ensuring that data is stored in the right location, and ensuring that users have the required storage are a few of the key areas your capacity management policies may address.

• Implement policies to manage storage growth. After implementing capacity management policies, you need to have an effective tool to ensure that the policies established are technically enforced. Quotas placed on a user's data storage must be maintained, restricted files must be prevented from being saved, and business files must be stored in the proper locations.

• Implement a system for reporting and monitoring. A reporting and notification system must also be established to tell you how policies are being enforced, as well as the general state of your capacity management system and data storage.


What Is File Server Resource Manager?

Key Points

FSRM is a role service of the File Services role in Windows Server 2008. You can install it as part of the File Services role by using Server Manager. Then, you can use the FSRM console to manage FSRM on your server.

FSRM is intended to act as a capacity management solution for your Windows Server 2008 server. It provides a robust set of tools and capabilities that allow you to effectively manage and monitor your server's storage capacity.

FSRM contains five components that work together to provide a capacity management solution.

Quota Management

Quota management allows you to create, manage, and obtain information about quotas that are used to set a storage limit on a volume or folder (and its contents). By defining notification thresholds, you can send email notifications, log an event, run a command or script, or generate reports when users approach or exceed a quota.

Quota management also allows you to create and manage quota templates to simplify the quotamanagement process.

File Screening Management

File screening management allows you to create, manage, and obtain information about file screens. File screens can be used to prevent specific file types from being stored on a volume or folder, or to notify you when those files are stored. When users attempt to save unauthorized files, file screening can block the operation and notify the administrators, allowing for proactive management. File screens match on file name patterns (typically the extension), not on file content, so a renamed file passes the screen; treat them as a policy aid rather than a security boundary.

Like quota management, file screening management allows you to create and manage file screentemplates to simplify file screening management. You can also create file groups that allow you tomanage which file types may be blocked or allowed.


Storage Reports Management

Storage reports management allows you to schedule and configure storage reports. These reports provide information regarding the components and aspects of FSRM, including:

• Quota usage

• File screening activity

• Files that may negatively affect capacity management, such as large files, duplicate files, or unused files

• Files listed and filtered by owner, file group, or a specific file property

Note: Storage reports can be run based on a schedule or generated on demand.

Classification Management (Windows Server 2008 R2 Only)

Classification management allows you to create and manage classification properties that you can assign to files. You can assign property values to files by using classification rules, which can be applied on demand or based on a schedule. Classification allows you to categorize and manage files by using a wide array of properties to identify and group your files.

File Management Tasks (Windows Server 2008 R2 Only)

With file management tasks, you can schedule and configure specific tasks that automate file expiration or the running of custom commands, allowing for automated file management procedures.

File management tasks leverage the capabilities of classification management to allow you to delete old files or move files to a specific location based on a file property (such as file name or file type).

Note: Volumes that FSRM manages must be formatted by using the New Technology File System (NTFS). FSRM was introduced with Windows Server 2003 R2 and is included with later versions.

Question: Do you currently implement any capacity management functionality in your serverenvironment? If so, which of the FSRM features does it provide?


FSRM Configuration Options

Key Points

FSRM has several configuration options that apply globally to all FSRM components.

You can access these options by using the following steps:

1. Open the File Server Resource Manager console.

2. Right-click the root File Server Resource Manager node in the left pane, and then click Configure Options.

FSRM Options

In the File Server Resource Manager Options properties sheet, several tabs allow you to configure various aspects of FSRM.

Email Notifications

This tab allows you to provide the name or address of an SMTP server, along with the default sender address and default administrator recipients that FSRM will use to send email notifications. A Send Test E-mail button confirms that the relay accepts mail from the server.

Notification Limits

Notification limits allow you to specify a time period that FSRM will wait between sending notifications, to avoid excessive notifications from a repeatedly exceeded quota or repeated unauthorized file detection. You can set separate values for email notifications, entries recorded to the event log, commands being run, and reports being generated. The default value for each is 60 minutes.

Storage Reports

The Storage Reports tab allows you to configure and view the default parameters for each type of storage report.


Report Locations

This tab allows you to view and modify the locations in which the three types of storage reports are stored: incident reports, scheduled reports, and on-demand reports. By default, each category is stored in its own subfolder under %systemdrive%\StorageReports.

Note: If FSRM generates a large number of storage reports, you may want to relocate the storage report folders to another physical volume to decrease disk I/O load on your system volume. You may also want to change the location if the size of your storage reports causes a capacity issue on your system volume.

File Screen Audit

On the File Screen Audit tab, a single check box allows you to enable or disable the recording of file screening activity to the auditing database. You can view the resulting file screening activity when you run the File Screening Audit report from Storage Reports Management.

Automatic Classification

This tab allows you to provide a schedule that governs the automatic classification of files. Within the tab, you can specify which logs to generate and whether, and in which formats, to generate a report of the classification process.

Managing FSRM Remotely

You can connect remotely to another server running FSRM by using the FSRM console. From there, you manage FSRM in the same way that you manage resources on your local computer.

To remotely manage FSRM:

• Both servers must be running Windows Server 2008 R2 with FSRM installed.

• The Remote File Server Resource Manager Management exception must be enabled in Windows Firewall, either manually through the Windows Firewall Control Panel applet or by using Group Policy.

• You must be logged on to the local computer with an account that is a member of the localAdministrators group on the remote computer.

FSRM Command-Line Tools

If you prefer to work from the command line, you can use the following tools:

• Dirquota.exe : Create and manage quotas, auto-apply quotas, and quota templates.

• Filescrn.exe: Create and manage file screens, file screen exceptions, file screen templates, and file groups.

• Storrept.exe : Configure report parameters and generate storage reports on demand. You can alsocreate report tasks and then use Schtasks.exe to schedule the tasks.

Note: The command-line tools are added to the system path when you install File Server Resource Manager, and they must be run from an Administrator Command Prompt window.


Demonstration: Installing and Configuring FSRM

Key Points

In this demonstration, you will see how to:

• Use Server Manager to install the FSRM role service.

• View FSRM configuration options.

Demonstration Steps:

1. Open Server Manager.

2. Add the File Server Resource Manager role service.

3. Open File Server Resource Manager.

4. View the FSRM configuration options.

5. View the FSRM Quota Management, File Screening Management, Storage Report Management,Classification Management, and File Management Tasks components.
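The demonstration's install step and the global options from the FSRM Configuration Options topic, done from an elevated PowerShell 2.0 prompt on the file server instead of the console. This is an added example and not part of the handbook. It uses the ServerManager module that ships with Windows Server 2008 R2 and the FSRM COM interface (the Fsrm.FsrmSetting object, which backs the Configure Options dialog). The SMTP relay smtp.contoso.com, sender fsrm@contoso.com and recipient storage-admins@contoso.com are assumptions. One setting the dialog does not draw attention to is worth the extra line: a "run command" notification action executes as Local Service, Network Service or Local System, so anyone permitted to edit a quota or file screen can run code as SYSTEM on the server.

```powershell
# Added example (not from the handbook): install FSRM and set its global options.
# Assumed values: smtp.contoso.com, fsrm@contoso.com, storage-admins@contoso.com.
$ErrorActionPreference = 'Stop'

# 1. Install the role service (Server Manager's "Add Role Services" without the wizard).
Import-Module ServerManager
if (-not (Get-WindowsFeature FS-Resource-Manager).Installed) {
    $result = Add-WindowsFeature FS-Resource-Manager
    if (-not $result.Success) { throw 'Installing FS-Resource-Manager failed' }
}

# 2. Global options. Property writes on FsrmSetting take effect immediately.
$fsrm = New-Object -ComObject Fsrm.FsrmSetting

# Email Notifications tab
$fsrm.SmtpServer = 'smtp.contoso.com'
$fsrm.MailFrom   = 'fsrm@contoso.com'
$fsrm.AdminEmail = 'storage-admins@contoso.com'

# Notification Limits tab. FsrmActionType: 1 = event log, 2 = e-mail, 3 = command, 4 = report.
# 60 minutes is the default for each. Event log entries are cheap and already feed the
# SIEM, so they get a shorter interval than mail.
$fsrm.SetActionRunLimitInterval(1, 15)
$fsrm.SetActionRunLimitInterval(2, 60)
$fsrm.SetActionRunLimitInterval(3, 60)
$fsrm.SetActionRunLimitInterval(4, 60)

# File Screen Audit tab: record screening hits so the File Screening Audit report has data.
$fsrm.EnableScreeningAudit = $true

# Command actions run as Local Service, Network Service or Local System (chosen per
# threshold). Whoever can edit a quota or screen can therefore run code as SYSTEM here.
# Disable command actions globally unless a reviewed process needs them.
$fsrm.DisableCommandLine = $true

# 3. Remote-management prerequisite from the text: the firewall rule group.
#    cmd.exe is used so the quoted group name reaches netsh unchanged under PowerShell 2.0.
& cmd.exe /c 'netsh advfirewall firewall set rule group="Remote File Server Resource Manager Management" new enable=yes' | Out-Null

# 4. Check: read the intervals back and send the test mail the Email tab offers.
1..4 | ForEach-Object { 'action type {0}: {1} min' -f $_, $fsrm.GetActionRunLimitInterval($_) }
try   { $fsrm.EmailTest($fsrm.AdminEmail); 'test mail sent' }
catch { Write-Warning "SMTP test failed: $($_.Exception.Message)" }
```

If the test mail fails, quota and file screen thresholds still fire but their e-mail actions are dropped silently, so fix the relay before relying on mail notifications; the event log action has no such dependency, which is one reason to configure it on every threshold.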


Lesson 2

Configuring Quota Management

Data is the core component of your server infrastructure. Under most circumstances, the server infrastructure delivers the data contained in the files on the server to your users or applications.

The requirement for data storage continues to grow. Whether files are added to your servers by users or by applications, quota management can help you ensure that users and applications use only the amount of space allotted to them.

Objectives

After completing this lesson, you will be able to:

• Describe quota management by using FSRM.

• Compare FSRM quotas with NTFS Disk quotas.

• Define quota templates.

• Create and configure a quota.

• Describe methods used to monitor quota usage.


What Is Quota Management?

Key Points

In FSRM, quota management allows you to limit the disk space that is allocated to a volume or folder. The quota limit applies to the entire folder subtree.

Using quotas, you can manage capacity restrictions in a variety of ways. For example, you can use a quotato ensure that individual users do not consume excessive amounts of storage with their home drives, orlimit the amount of space consumed by multimedia files in a particular folder.

Quota Types

Two different types of quotas can be created within quota management.

• A hard quota prevents users from saving files after the space limit is reached, and it generatesnotifications when the volume of data reaches each configured threshold.

• A soft quota does not enforce the quota limit, but it generates all the configured notifications.

Quota Notifications

To determine what happens as the quota limit approaches, you can configure notification thresholds. For each threshold you define, you can send email notifications, log an event, run a command or script, or generate storage reports. For example, you might want to notify the administrator and the user who saved the file when a folder reaches 85 percent of its quota limit, and then send another notification when the quota limit is reached. In some cases, you might want to run a script that raises the quota limit automatically when a threshold is reached.

Creating Quotas

When you create a quota on a volume or a folder, you can base the quota on a quota template or use custom properties. Whenever possible, base a quota on a quota template. You can reuse a quota template to create additional quotas, and it simplifies ongoing quota maintenance.


FSRM can also generate quotas automatically. When you configure an auto-apply quota, you apply a quota template to a parent volume or folder. Then, a quota based on the template is created for each of the existing subfolders, and a quota is automatically generated for each new subfolder that is created.
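The quota model of this lesson (hard and soft quotas, a threshold with a notification action, a template and an auto-apply quota) expressed with dirquota.exe, the command-line tool this module lists, from an elevated prompt. This is an added example and not part of the handbook. The paths D:\Shares\Users and D:\Shares\Marketing\Media, the template name "Home 2 GB" and the notification file C:\FSRM\85-event.txt are assumptions. The [Params] keys in that file follow the dirquota notification-file format as I recall it; confirm them with dirquota template add /? on your build before relying on the threshold action.

```powershell
# Added example (not from the handbook): quotas, a template and an auto-apply quota
# with dirquota.exe. Assumed paths/names: D:\Shares\Users, D:\Shares\Marketing\Media,
# template "Home 2 GB", notification file C:\FSRM\85-event.txt.
$ErrorActionPreference = 'Stop'

function Invoke-Dirquota {
    # dirquota returns non-zero on failure; stop the script rather than continue half-configured.
    param([string[]]$Arguments)
    $out = & dirquota.exe $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dirquota $($Arguments -join ' ') failed:`n$($out -join "`n")" }
    $out
}

# 1. Threshold action definition: an Application-log warning at 85%. A SIEM that already
#    collects Windows event logs picks this up with no SMTP dependency.
#    Keys as recalled from the dirquota notification-file format (assumption; see lead-in).
#    The bracketed names are FSRM's insertion variables.
New-Item -ItemType Directory -Path C:\FSRM -Force | Out-Null
@'
[Params]
EventType=Warning
Message=User [Source Io Owner] is at [Quota Threshold]% of the [Quota Limit MB] MB quota on [Quota Path] ([Quota Used MB] MB used).
'@ | Set-Content -Path C:\FSRM\85-event.txt -Encoding ASCII

# 2. Hard template: writes are refused once 2 GB is reached; the 85% event is the warning.
Invoke-Dirquota 'template', 'add', '/Template:Home 2 GB', '/Limit:2GB', '/Type:Hard',
                '/Add-Threshold:85', '/Add-Notification:85,e,C:\FSRM\85-event.txt'

# 3. Auto-apply quota: every existing subfolder of D:\Shares\Users gets a 2 GB quota
#    derived from the template now, and each future home folder gets one on creation,
#    so a new user is never unlimited by accident.
Invoke-Dirquota 'autoquota', 'add', '/Path:D:\Shares\Users', '/SourceTemplate:Home 2 GB'

# 4. Soft quota on the media folder: nothing is blocked, but the same 85% event fires.
#    Use this during a baseline period, then change the type to Hard once the limit is
#    known to fit legitimate use.
Invoke-Dirquota 'quota', 'add', '/Path:D:\Shares\Marketing\Media', '/Limit:20GB', '/Type:Soft',
                '/Add-Threshold:85', '/Add-Notification:85,e,C:\FSRM\85-event.txt'

# 5. Monitor: "dirquota quota list" prints one block per quota containing a
#    "Quota Path:" line and a "Used: <size> (<percent>%)" line. Flag anything already
#    past the threshold, which is what the event log would show over time.
$listing = Invoke-Dirquota 'quota', 'list'
$path = $null
foreach ($line in $listing) {
    if ($line -match '^\s*Quota Path:\s*(.+)$') { $path = $matches[1].Trim() }
    elseif ($line -match '^\s*Used:.*\((\d+)%\)') {
        $pct = [int]$matches[1]
        if ($pct -ge 85) { Write-Warning ('{0} is at {1}% of its quota' -f $path, $pct) }
    }
}
```

Because step 3 is an auto-apply quota, the per-folder quotas it creates stay linked to the template: raising the template limit later updates every derived quota at once, whereas the soft quota in step 4 was created with custom properties and must be edited on its own.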

Question: In which scenario would you want to use a soft quota?


FSRM Quotas vs. NTFS Disk Quotas

Key Points

In earlier versions of Windows, the only option for managing storage was the native NTFS quota system.

NTFS quotas allow an administrator to declare a general storage limit on a per-user basis for an NTFS-formatted volume. This method governs a user's storage consumption across the volume, regardless of which folder the data is in. NTFS quotas do not account for NTFS compression, which means that even though a compressed file may take up less physical room than if it were uncompressed, the quota will be applied based on the file's uncompressed size.

NTFS disk quotas are based on file ownership, so operating system accounts are not immune to diskquotas. System accounts such as the local system are also susceptible to running out of disk space due todisk quotas having been set.

FSRM quota management introduces some key advantages over NTFS quotas. The following tableoutlines the key difference between FSRM-based quota management and using NTFS disk quotas.

Quota Feature             NTFS Quotas                          FSRM Quotas
Quota tracking            Per user on a volume                 By folder or by volume
Disk usage calculation    Logical file size reported by NTFS   Actual physical disk space
Notification mechanisms   Event logs only                      Email, custom reports, running commands or scripts, event logs


What Are Quota Templates?

Key Points

FSRM gives you the flexibility to create, use, and manage templates for quotas.

A quota template defines a space limit, the quota type (hard or soft), and a set of notifications to be generated when the quota limit is approached or exceeded.

Quota templates simplify the creation and maintenance of quotas. Using a quota template, you can apply a standard storage limit and a standard set of notification thresholds to many volumes and folders on servers throughout your organization.

Template-Based Quota Updating

If you base your quotas on a template, you can update all quotas that are based on the template by editing that template. This feature simplifies updating the properties of quotas by providing a central point where IT administrators can make all changes.

For example, you can create a User Quota template that you use to place a 200 MB limit on the personal folder of each user. For each user, you would then create a quota based on the User Quota template and assign it to the user's folder. If you later decide to allow each user additional space on the server, you only change the space limit in the User Quota template and choose to update each quota that is based on that quota template.

Quota Template Examples

File Server Resource Manager provides several quota templates. For example:

• You can use the 200 MB Limit Reports to User template to place a hard 200 MB limit on the personal folder of each user and send storage reports to users who exceed the quota.

• For some folders, you might want to use the 200 MB Limit with 50 MB Extension template to grant a one-time 50 MB quota extension to users who exceed the 200 MB quota limit.


• Other default templates are designed for monitoring disk usage through soft quotas, such as the Monitor 200 GB Volume Usage template and the Monitor 500 MB Share template. When you use these templates, users can exceed the quota limit, but email and event log notifications are generated when they do so.

Question: What advantage does creating 50 quotas from a template have over creating each quota individually?


Demonstration: Creating and Configuring a Quota

Key Points

In this demonstration, you will see how to:

• Create a new quota template.

• Create a new quota based on a quota template.

• Generate a quota notification.


Monitoring Quota Usage

Key Points

In addition to the information in the notifications sent by quotas, you can find out about quota usage by viewing the quotas under Quota Management in the FSRM console, by generating a Quota Usage report, or by creating soft quotas that monitor overall disk usage.

Quota Usage Report

Use the Quota Usage report to identify quotas that may soon be exceeded so that you can take the appropriate action. Generating a Quota Usage report is covered in greater detail in the Managing Storage Reports lesson.

Templates for Monitoring Disk Usage

To monitor overall disk usage, you can create soft quotas for volumes or shares. FSRM provides the following default templates that you can use (or adapt) for this purpose.

• Monitor 200 GB Volume Usage

• Monitor 500 MB Share


Lab A: Installing FSRM and Implementing Quota Management

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V™ Manager.

2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

5. Repeat steps 2 through 4 for 6419B-NYC-SVR1.

Lab Scenario

You need to begin the implementation and configuration of FSRM for NYC-SVR1. The first step in this process is installing the FSRM role service.

You have also been asked to establish an initial quota governing user data directories. You must configure a quota template that allows users a maximum of 100 MB of data in their user folders. When users exceed 85 percent of the quota, or when they attempt to add files larger than 100 MB, an event should be logged to the Event Viewer on the server.


Exercise 1: Installing the FSRM Role Service

You need to install the FSRM role service on NYC-SVR1.

The main task is as follows:

1. Install the FSRM Role Service.

Task 1: Install the FSRM role service.

1. On NYC-SVR1, open Server Manager.

2. Add the File Server Resource Manager role service.

3. On the Configure Storage Usage Monitoring page, select Allfiles (E:).

4. After the installation is complete, close the Add Role Services Wizard.

5. Close Server Manager.


Exercise 2: Configuring Storage Quotas

You must configure a quota template that allows users a maximum of 100 MB of data in their user folders. When users exceed 85 percent of the quota, or when they attempt to add files larger than 100 MB, an event should be logged to the Event Viewer on the server.

The main tasks are as follows:

1. Create a quota template.

2. Configure a quota based on the quota template.

3. Test that the quota is functional.

Task 1: Create a quota template.

1. In the File Server Resource Manager console, use the Quota Templates node to configure a template that sets a hard limit of 100 MB on the maximum folder size. Make sure this template also notifies the Event Viewer when the folder reaches 85 percent and 100 percent capacity.

Task 2: Configure a quota based on the quota template.

1. Use the File Server Resource Manager console and the Quotas node to create a quota on the E:\Labfiles\Mod05\Users folder by using the quota template that you created in Task 1. Configure the quota to auto-apply to existing and new subfolders.

2. Create an additional folder named Max in the E:\Labfiles\Mod05\Users folder, and ensure that the new folder is listed in the quotas list in FSRM.

Task 3: Test that the quota is functional.

1. Open a command prompt and use the fsutil file createnew file1.txt 89400000 command to create a file in the E:\Labfiles\Mod05\Users\Max folder.

2. Check the Event Viewer for an Event ID of 12325.

3. Test that the quota works by attempting to create a file that is 16,400,000 bytes, and then press Enter. Hint: fsutil file createnew file2.txt 16400000

4. Close the command prompt.

5. Close all open windows on NYC-SVR1.

Results: In this exercise, you configured a storage quota.
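The following added example (not code from the handbook or from FSRM itself) models the quota behaviour described in this lesson and in Exercise 2: a template with hard or soft limits and notification thresholds, auto-apply quotas on subfolders, template-based updating of derived quotas, and the two fsutil writes from Task 3. It assumes the Windows convention of 1 MB = 1024 * 1024 bytes, that a threshold fires once when usage reaches its percentage, and that a write denied by a hard limit still fires the 100 percent threshold; all names and paths beyond those in the lab are illustrative.

```python
"""Model of FSRM quota behaviour: templates, template-based updating,
auto-apply quotas, hard vs. soft limits and notification thresholds.

Added example, not FSRM's own code. Assumptions: 1 MB = 1024 * 1024 bytes
(the Windows convention), a threshold fires once when usage reaches its
percentage, and a write denied by a hard limit still fires the 100 % threshold.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

MB = 1024 * 1024


@dataclass
class Threshold:
    percent: int               # usage percentage at which the notification fires
    actions: Tuple[str, ...]   # notification types: "event", "email", "command", "report"


@dataclass
class QuotaTemplate:
    name: str
    limit_mb: int
    hard: bool                 # hard: writes past the limit are denied; soft: monitor only
    thresholds: List[Threshold]


@dataclass
class Quota:
    path: str
    template_name: str         # link back to the template it was derived from
    limit_mb: int
    hard: bool
    thresholds: List[Threshold]
    used: int = 0
    fired: Set[int] = field(default_factory=set)   # threshold percentages already notified

    @property
    def limit_bytes(self) -> int:
        return self.limit_mb * MB


def quota_from_template(path: str, tmpl: QuotaTemplate) -> Quota:
    """Copy the template's settings into a new quota on the given folder."""
    return Quota(path, tmpl.name, tmpl.limit_mb, tmpl.hard, list(tmpl.thresholds))


def auto_apply(parent: str, subfolders: List[str], tmpl: QuotaTemplate) -> Dict[str, Quota]:
    """Auto-apply quota: one template-based quota per subfolder of the parent.
    Call it again with a new subfolder name to model a folder created later."""
    return {sub: quota_from_template(parent + "\\" + sub, tmpl) for sub in subfolders}


def write(q: Quota, nbytes: int) -> Tuple[bool, List[Tuple[int, str]]]:
    """Simulate saving nbytes under the quota path.
    Returns (accepted, notifications) with notifications as (percent, action) pairs."""
    attempted = q.used + nbytes
    accepted = not (q.hard and attempted > q.limit_bytes)
    notifications: List[Tuple[int, str]] = []
    for th in sorted(q.thresholds, key=lambda t: t.percent):
        reached = attempted * 100 >= th.percent * q.limit_bytes
        if reached and th.percent not in q.fired:
            q.fired.add(th.percent)
            notifications.extend((th.percent, a) for a in th.actions)
    if accepted:
        q.used = attempted     # a denied write leaves usage unchanged
    return accepted, notifications


def update_template(tmpl: QuotaTemplate, quotas: List[Quota]) -> List[str]:
    """Push edited template settings to every quota derived from it
    (the 'apply changes to derived quotas' choice in the FSRM console)."""
    updated = []
    for q in quotas:
        if q.template_name == tmpl.name:
            q.limit_mb, q.hard, q.thresholds = tmpl.limit_mb, tmpl.hard, list(tmpl.thresholds)
            updated.append(q.path)
    return updated


def lab_walkthrough():
    """Lab A, Exercise 2: 100 MB hard template, events at 85 % and 100 %,
    auto-applied to E:\\Labfiles\\Mod05\\Users, then the two fsutil writes."""
    tmpl = QuotaTemplate("100 MB User Folder", 100, True,
                         [Threshold(85, ("event",)), Threshold(100, ("event",))])
    quotas = auto_apply(r"E:\Labfiles\Mod05\Users", ["Max"], tmpl)
    q = quotas["Max"]
    ok1, n1 = write(q, 89_400_000)   # file1.txt: 85.25 % of 104,857,600 bytes -> 85 % event
    ok2, n2 = write(q, 16_400_000)   # file2.txt would reach 105,800,000 bytes -> denied
    return ok1, n1, ok2, n2, q.used


if __name__ == "__main__":
    print(lab_walkthrough())
```

Running lab_walkthrough shows why file1.txt triggers the 85 percent event while file2.txt is refused: 89,400,000 bytes is just above 85 percent of 104,857,600 bytes, and the second file would push the folder past the hard limit.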


Lesson 3

Implementing File Screening

Both the integrity of the data stored on your servers and the availability of free storage space for creating new data are extremely important in your storage environment. If non-business files are allowed to be stored on servers, both integrity and availability can be compromised.

File screening by using FSRM allows you to prevent unauthorized files from being stored on your servers.

Objectives

After completing this lesson, you will be able to:

• Describe File Screening Management.

• Describe File Groups.

• Configure File Screen Templates.

• Implement File Screening.

• Describe File Screen Exceptions.


What Is File Screening Management?

Key Points

File Screening Management allows you to create file screens to block files from being saved on a volume or in a folder tree. A file screen affects all folders in the designated path. You use file groups to control the types of files that file screens manage. For example, you might create a file screen to prevent users from storing audio and video files in their personal folders on the server.

Like all components of FSRM, you can choose to generate email or other notifications when a file screening event occurs.

File Screen Types

A file screen can be active or passive:

• Active screening prevents users from saving unauthorized file types on the server and generates configured notifications when they attempt to do so.

• Passive screening sends configured notifications to users who are saving specific file types, but it does not prevent users from saving those files.

File Screening Management Considerations

To simplify managing file screens, base your file screens on file screen templates, which are covered later in this lesson.

For additional flexibility, you can configure a file screen exception in a subfolder of a path where you have created a file screen. When you place a file screen exception on a subfolder, you allow users to save file types there that would otherwise be blocked by the file screen applied to the parent folder.

Note: A file screen does not prevent users and applications from accessing files that were saved to the path before the file screen was created, regardless of whether the files are members of blocked file groups.


What Are File Groups?

Key Points

Before you begin working with file screens, you must understand the role of file groups in determining which files are screened. A file group is used to define a namespace for a file screen or a file screen exception, or to generate a Files by File Group storage report.

File Group Characteristics

A file group consists of a set of file name patterns, which are grouped as files to include and files to exclude:

• Files to include: Files to which the file group applies.

• Files to exclude: Files to which the file group does not apply.

For example, an Audio Files file group might include the following file name patterns:

• Files to include: *.mp*. Includes all audio files created in the current and future MPEG formats (MP2, MP3, and so forth).

• Files to exclude: *.mpp. Excludes files created in Project® (.mpp files), which would otherwise be included by the *.mp* inclusion rule.

FSRM provides several default file groups, which you can view in File Screening Management by clicking the File Groups node. You can define additional file groups or change the files to include and exclude. Any change that you make to a file group affects all existing file screens, templates, and reports to which the file group has been added.

Note: For convenience, you can modify file groups when you edit the properties of a file screen, file screen exception, file screen template, or the Files by File Group report. Any changes that you make to a file group from these property sheets affect all items that use that file group.


What Is a File Screen Template?

Key Points

To simplify file screen management, you can create your file screens based on file screen templates. A file screen template defines the following:

• File groups to block.

• Screening type to perform.

• Notifications to be generated.

You can configure two screening types in a file screen template. Active screening does not allow users to save any files that belong to the file groups selected in the template. Passive screening allows users to save the files, but provides notifications for monitoring.

FSRM provides several default file screen templates, which you can use to block audio and video files, executable files, image files, and email files, to meet common administrative needs. To view the default templates, select the File Screen Templates node in the File Server Resource Manager console tree.

By creating file screens exclusively from templates, you can manage your file screens centrally by updating the templates instead of individual file screens.

Note: File Screens are created from File Screen Templates just as Quotas are created from Quota Templates, as discussed in Lesson 2.


Demonstration: How to Implement File Screening

Key Points

In this demonstration, you will see how to:

• Create a File Group.

• Create a File Screen Template.

• Create a File Screen by using a File Screen Template.

Demonstration Steps:

1. Open the File Server Resource Manager console.

2. Expand the File Screening Management node.

3. Create a new File Group called MPx Media Files that includes all files with a file extension beginning with .mp. Exclude .mpp files from this File Group.

4. Create a new File Screen Template called Block MPx Media Files by using the MPx Media Files File Group, and configure it to send a warning to the event log.

5. Create a new File Screen for E:\Labfiles\Mod05 by using the Block MPx Media Files File Screen Template.


What Is a File Screen Exception?

Key Points

Occasionally, you need to allow exceptions to file screening. For example, you might want to block video files from a file server, but you need to allow your training group to save video files for their computer-based training. To allow files that other file screens are blocking, create a file screen exception.

A file screen exception is a special type of file screen that overrides any file screening that would otherwise apply to a folder and all its subfolders in a designated exception path. That is, it creates an exception to any rules derived from a parent folder. The file groups assigned to the exception determine which file types it allows.

File Screen Exceptions are created by choosing Create File Screen Exception from the File Screens node under File Screening Management in FSRM.

Note: File Screen Exceptions always override File Screens with conflicting settings. Therefore, you must plan and implement File Screen Exceptions carefully.


Lesson 4

Managing Storage Reports

Knowing and using the tools to enforce capacity management measures is only part of a capacity management solution. To effectively manage your storage environment, you need to stay informed regarding the status of your servers and how your enforcement policies are working.

This lesson introduces storage reports in FSRM. Storage reports allow you to view information about how FSRM components are operating on your server.

Objectives

After completing this lesson, you will be able to:

• Describe the storage reports feature of FSRM.

• Configure and schedule a Report Task.

• Generate On-Demand Reports.


What Are Storage Reports?

Key Points

FSRM can generate reports that help you understand file usage on the storage server. You can use the storage reports to monitor disk usage patterns (by file type or user), identify duplicate files and dormant files, track quota usage, and audit file screening.

From the Storage Reports Management node, you can create report tasks, which are used to schedule one or more periodic reports, or you can generate reports on demand. For on-demand and scheduled reports, current data is gathered before the report is generated. Reports can also be generated automatically to notify you when a user exceeds a quota threshold or saves an unauthorized file.

Storage Report Types

The following table describes each storage report that is available.

Report: Duplicate Files
Description: Lists files that appear to be duplicates (files with the same size and last-modified time). Use this report to identify and reclaim disk space that is wasted due to duplicate files.

Report: File Screening Audit
Description: Lists file screening events that have occurred on the server for a specific number of days. Use this report to identify users or applications that violate screening policies.

Report: Files by File Group
Description: Lists files that belong to specific file groups. Use this report to identify file group usage patterns and file groups that occupy large amounts of disk space. This can help you determine which file screens to configure on the server.

Report: Files by Owner
Description: Lists files, grouped by file owner. Use this report to analyze usage patterns on the server and identify users who use large amounts of disk space.


Report: Files by Property
Description: Lists files by the values of a particular classification property. Use this report to observe file classification usage patterns.

Report: Large Files
Description: Lists files that are of a specific size or larger. Use this report to identify files that are consuming the most disk space on the server. This can help you quickly reclaim large quantities of disk space.

Report: Least Recently Accessed Files
Description: Lists files that have not been accessed for a specific number of days. This can help you identify seldom-used data that might be archived and removed from the server.

Report: Most Recently Accessed Files
Description: Lists files that have been accessed within a specified number of days. Use this report to identify frequently used data that must be highly available.

Report: Quota Usage
Description: Lists quotas for which the quota usage is higher than a specified percentage. Use this report to identify quotas with high usage levels so that you can take appropriate action.

Configuring Report Parameters

Except for the Duplicate Files report, all reports have configurable report parameters that determine the content of the report. The parameters vary with the type of report. For some reports, report parameters can be used to select the volumes and folders on which to report, set a minimum file size to include, or restrict a report to files owned by specific users.

Saving Reports

Regardless of how you generate a report, or whether you choose to view the report immediately, the report is saved on disk. Incident reports are saved in the Dynamic HTML (DHTML) format. You can save scheduled and on-demand reports in DHTML, HTML, XML, CSV, and text formats.

Scheduled reports, on-demand reports, and incident reports are saved in separate folders within a designated report repository. By default, the reports are stored in subdirectories of the %Systemdrive%\StorageReports\ folder. To change the default report locations, in the File Server Resource Manager Options dialog box, on the Report Locations tab, specify where to save each type of storage report.


What Is a Report Task?

Key Points

A report task is a set of storage management reports that run based on a schedule.

The report task specifies which reports to generate and what parameters to use, which volumes and folders to report on, how often to generate the reports, and which file formats to save them in.

When you schedule a set of reports, the reports are saved in the report repository. You also have the option of sending the reports to a group of administrators by email.

Report tasks can be scheduled by using the following steps from within FSRM.

1. Click the Storage Reports Management node.

2. Right-click Storage Reports Management and click Schedule a New Report Task (or click Schedule a New Report Task in the Actions pane). The Storage Reports Task Properties dialog box appears.

Note: To minimize the impact of report processing on server performance, generate multiple reports on the same schedule so that the data is only gathered once.


Generating On-Demand Reports

Key Points

During daily operations, you may want to generate reports on demand to analyze different aspects of the current disk usage on the server. Before the reports are generated, current data is gathered.

When you generate reports on demand, the reports are saved in the report repository, but no report task is created for later use. You can optionally view the reports immediately after they are generated or send the reports to a group of administrators by email.

To generate reports on demand from within FSRM:

1. Click the Storage Reports Management node.

2. Right-click Storage Reports Management, and then click Generate Reports Now (or click Generate Reports Now in the Actions pane). The Storage Reports Task Properties dialog box appears.

Note: When generating an on-demand report, you can wait for the reports to be generated and then immediately display them. If you choose to open the reports immediately, you must wait while the reports are generated. Processing time varies, depending on the types of reports and the data scope.


Exercise 1: Configuring File Screening

You need to ensure that unauthorized files are not being saved in user directories on NYC-SVR1. You need to enable file screening on NYC-SVR1 so that no media files with the extension .mp* can be saved on the server. Your manager has asked you to ensure that the saving of Project files (.mpp) is not affected by your file screening setup.

Task 1: Create a file group.

1. Open the File Server Resource Manager console.

2. Open the File Server Resource Manager Configuration Options dialog box and enable the Record file screening activity in auditing database option on the File Screen Audit tab.

Note: This step allows recording of the File Screen events that supply data for the File Screen Audit report to be run in Exercise 2.

3. Create a new File Group with the following properties.

• File group name: MPx Media Files

• Files to include: *.mp*

• Files to exclude: *.mpp

Task 2: Create a file screen template.

1. Create a File Screen Template with the following properties.

• Template name: Block MPx Media Files

• Screening type: Active

• File groups: MPx Media Files

• Event Log: Send a warning to the event log

Task 3: Create a file screen.

1. Create a File Screen based on the Block MPx Media Files File Screen Template for the E:\Labfiles\Mod05\Users directory.

2. Close the File Server Resources Manager.

Task 4: Test the file screen.

1. Click Start, and then click Computer.

2. Create a new text document in E:\Labfiles\Mod05 and rename it as musicfile.mp3.

3. Copy musicfile.mp3 into E:\Labfiles\Mod05\Users. You will be notified that the system was unable to copy the file to E:\Labfiles\Mod05\Users.

Results: After this exercise, you should have configured file screening by creating a file group, a file screen template, and a file screen.


Exercise 2: Generating Storage Reports

You need to provide a report that documents attempts to save these media files on NYC-SVR1.

Task 1: Generate an On-Demand Storage Report.

1. Open the File Server Resource Manager console.

2. Right-click Storage Reports Management, select Generate Reports Now, and then provide the following parameters:

• Report on E:\Labfiles\Mod05\Users.

• Generate only the File Screening Audit report.

3. Close all open windows on NYC-SVR1.

Results: In this exercise, you generated a storage report.
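The same two exercises done from an elevated PowerShell prompt on the file server, as an added example that is not part of the course: it uses the filescrn.exe and storrept.exe tools that install with the FSRM role service, then repeats the Task 4 copy test and shows the Application-log warning a blocked save leaves behind. The switch names, the FileScreenAudit report type and the SRMSVC event source are assumptions recalled from those tools' own help, so confirm them with the /? switches on your build before relying on the script.

```powershell
# Added example (not from the course): Lab B Exercises 1 and 2 with the FSRM
# command-line tools instead of the console. Run elevated on NYC-SVR1.
# Switch names follow the tools' own help; check "filescrn filegroup add /?",
# "filescrn template add /?", "filescrn screen add /?" and
# "storrept reports generate /?" on your build (assumed here).

$scope    = 'E:\Labfiles\Mod05\Users'
$testFile = 'E:\Labfiles\Mod05\musicfile.mp3'

# Exercise 1, Task 1: the file group (*.mp* minus Project files *.mpp).
# The "Record file screening activity in auditing database" option from
# step 2 is still set in the console's Configuration Options dialog box.
filescrn filegroup add "/filegroup:MPx Media Files" "/members:*.mp*" "/nonmembers:*.mpp"

# Task 2: an Active template blocks the save; Passive would only log it.
# The "send a warning to the event log" notification is added in the console;
# /add-notification expects a notification definition file not shown here.
filescrn template add "/template:Block MPx Media Files" /type:active "/add-filegroup:MPx Media Files"

# Task 3: the file screen on the Users directory, derived from the template
filescrn screen add "/path:$scope" "/sourcetemplate:Block MPx Media Files"
filescrn screen list "/path:$scope"

# Task 4: a screened save fails, which surfaces here as a terminating error
Set-Content -Path $testFile -Value 'constructed stand-in for an audio file'
try {
    Copy-Item -Path $testFile -Destination $scope -ErrorAction Stop
    Write-Warning "Copy succeeded; the file screen on $scope is not blocking"
} catch {
    Write-Host "Blocked as expected: $($_.Exception.Message)"
}

# Defender's view: the FSRM service writes a warning to the Application log
# for each blocked save (event source name SRMSVC is an assumption).
Get-EventLog -LogName Application -Source SRMSVC -EntryType Warning -Newest 10 |
    Where-Object { $_.Message -like '*musicfile.mp3*' } |
    Format-List TimeGenerated, EventID, Message

# Exercise 2: on-demand File Screen Audit report for the same scope, built
# from the auditing database enabled in Exercise 1 (report type name assumed)
storrept reports generate "/scope:$scope" /report:FileScreenAudit
```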


Lesson 5

Implementing Classification Management and File Management Tasks

Most applications manage files based on the directory they are contained in. This leads to complicated file layouts that require a lot of attention from administrators. Such a layout can also lead to frustration among the users.

In Windows Server 2008 R2, Classification Management and File Management tasks enable administrators to manage groups of files based on various file and folder attributes. With Classification Management and File Management tasks, you can automate file and folder maintenance tasks such as cleaning up stale data or protecting sensitive information.

In this lesson, you will learn how Classification Management and File Management tasks work together to make it easier for you to manage and organize the files and folders on your servers.

Note: The capabilities and components described in this lesson are available only in Windows Server 2008 R2.

Objectives

After completing this lesson, you will be able to:

• Describe the Classification Management feature of FSRM.

• Describe how to create Classification Properties.

• Describe how Classification Rules are used to automatically assign Classification Properties.

• Configure Classification Management.

• Describe considerations for using Classification Management.


• Describe File Management Tasks.

• Configure File Management Tasks.


What Is Classification Management?

Key Points

Most applications manage files based on their location or the folder they are contained in. This leads to a complicated folder structure that often negatively affects the usability of the files and folders and increases administrative requirements.

To reduce the cost and risk associated with this type of data management, the File Classification infrastructure uses a platform that allows administrators to classify files and apply policies based on that classification. The storage layout is unaffected by data management requirements, and the organization can adapt more easily to a changing business and regulatory environment.

Classification Management is designed to ease the burden and management of data that is spread out in your organization. Files can be classified in a variety of ways. In most scenarios, classification is performed manually. The File Classification infrastructure in Windows Server 2008 R2 allows organizations to convert these manual processes into automated policies. Administrators can specify file management policies based on a file’s classification and apply corporate requirements for managing data based on business value. They can easily modify the policies and use tools that support classification to manage their files.

You can use file classification to perform the following actions:

1. Define classification properties and values, which can be assigned to files by running classification rules.

2. Create, update, and run classification rules. Each rule assigns a single predefined property and value to files within a specified directory based on installed classification plug-ins.

3. When running a classification rule, reevaluate files that are already classified. You can choose to overwrite existing classification values or add the value to properties that support multiple values.


What Are Classification Properties?

Key Points

Classification properties are used to assign values to files. There are many property types that you can choose from, as listed in the table below. You can define these properties based on the needs of your organization. Classification properties are assigned to files by using classification rules, which will be discussed in the next topic.

The following table defines the available property types and the policy that is applied when a file isreclassified:

Yes/No: A Boolean property that can be Yes or No. When multiple values are combined, a No value overwrites a Yes value.

Date-Time: A simple date and time property. When multiple values are combined, conflicting values prevent reclassification.

Number: A simple number property. When multiple values are combined, conflicting values prevent reclassification.

Multiple Choice List: A list of values that can be assigned to a property. More than one value can be assigned to a property at a time. When multiple values are combined, each value in the list is used.

Ordered List: A list of fixed values. Only one value can be assigned to a property at a time. When multiple values are combined, the value highest in the list is used.

String: A simple string property. When multiple values are combined, conflicting values prevent reclassification.

Multi-string: A list of strings that can be assigned to a property. More than one value can be assigned to a property at a time. When multiple values are combined, each value in the list is used.


What Is a Classification Rule?

Key Points

A classification rule assigns a Classification Property to a file system object. A classification rule includes information detailing when to assign a classification property to a file.

Key Classification Rule Properties

To define the behavior of a classification rule, ask yourself the following questions:

• Is the rule enabled? On the Rule Settings tab, the Enabled check box allows you to specifically disable or enable the classification rule.

• What is the scope of the rule? On the Rule Settings tab, the scope parameter allows you to select a folder or folders that the classification rule will apply to. When the rule is run, it processes and attempts to classify all file system objects within this location.

• What classification mechanism will the rule use? On the rule’s Classification tab, you must choose a classification method that the rule will use to assign the classification property. By default, there are two methods that you can choose from:

• Folder Classifier: The folder classifier mechanism assigns properties to a file based on the file’s folder path.

• Content Classifier: The content classifier searches for strings or regular expressions in files. This means that the content classifier classifies a file based on the textual contents of the file, such as whether it contains a specific word, phrase, or numeric value or type.

• What property will the rule assign? The main function of the classification rule is to assign a property to a file object based on how the rule applies to that file object. You must specify a property and the specific value of that property to be assigned by the rule on the Classification tab.

• What additional classification parameters will be used? The core of the rule’s logic lies in the additional classification parameters. Clicking the Advanced button on the Classification tab takes you to the Additional Classification Parameters window. Here, you can specify additional parameters like strings or regular expressions that, if found in the file system object, will cause the rule to apply itself.


This could be something like looking for the phrase “Social Security Number” or any number with the format 000-000-000 to apply a “Yes” value for a “Confidential” classification property to the file. This classification could then be leveraged to perform some tasks on the file system object like moving it to a secure location.

A classification parameter can be one of the following three types:

• RegularExpression: Match a regular expression by using the .NET syntax. For example, “\d\d\d” will match any three-digit number.

• StringCaseSensitive: Match a case-sensitive string. For example, Confidential will only match Confidential and not confidential or CONFIDENTIAL.

• String: Match a string, regardless of case. Confidential will match both Confidential and CONFIDENTIAL.

Classification Scheduling

You can run classification rules in two ways, on demand or based on a schedule. Either way you choose, each time you run classification, it uses all rules that you have left in the Enabled state.

Configuring a schedule for classification allows you to specify a regular interval at which file classification rules will run, ensuring that your server’s files are regularly classified and up to date with the latest classification properties.


Demonstration: How to Configure Classification Management

Key Points

In this demonstration, you will see how to:

• Create a Classification Property.

• Create a Classification Rule.

• Modify the Classification Schedule.

Demonstration Steps:

1. Open File Server Resource Manager and expand the Classification Management node.

2. Using the Classification Properties node, create a new Classification Property named Confidential with the Yes/No property type.

3. Using the Classification Rules node, create a new Classification Rule named Confidential Documents.

4. Configure the rule to classify documents with a value of Yes for the Confidential classification property if the file contains the string value payroll.

5. Create a classification schedule that runs daily at 8:30 A.M.

6. Using the Classification Rules node, manually run Classification With All Rules Now and view the report.


Considerations for Using File Classification

Key Points

Although Classification Management provides a powerful mechanism to catalog, categorize, and classify your file system objects, you should consider certain factors when dealing with Classification Management.

How Classification Properties Are Stored

The properties are stored in an alternate data stream, which is a feature of NTFS. Alternate data streams move with a file if the file moves within NTFS file systems, but they do not appear in the file’s contents. The properties are also stored within file formats in Office products as custom document properties or server document properties.

Movement Can Affect a File’s Classification Properties

A file retains its classification properties if the file is moved to another NTFS file system by using a standard mechanism such as Copy or Move. If a file is moved to a non-NTFS volume, file classification properties are not retained. However, the classification properties for files in Microsoft Office products remain attached, regardless of how the file is moved.

The Classification Management Process Exists Only in Windows Server 2008 R2

Classification properties are available only to servers running Windows Server 2008 R2. However, Microsoft Office documents will retain classification property information in Document Properties, which is viewable regardless of the operating system being used.

Classification Rules Can Conflict

The File Classification infrastructure attempts to combine properties where a potential conflict exists. The following behaviors will occur with their corresponding property types.

• For Yes or No properties, a Yes value takes priority over a No value.

• For ordered list properties, the highest property value takes priority.


• For multiple choice properties, the property sets are combined into one set.

• For multiple string properties, a multistring value is set that contains all the unique strings of the individual property values.

• For other property types, an error occurs.
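A worked model of the three classification parameter types from the previous topic and of the combination rules just listed, added here as an example that is neither course material nor FSRM code: constructed rules are evaluated against constructed file contents with the same .NET regular-expression, case-sensitive and case-insensitive matching the Content Classifier uses, and the values that several rules assign to one property are then merged per property type. The property names, rules and sample texts are assumptions made for the illustration; the Yes/No merge follows the rule stated in this topic (Yes takes priority).

```powershell
# Added example (neither course material nor FSRM code): a model of how
# content-classifier parameters match file text and how values assigned by
# several rules to one property are combined. The property definitions,
# rules and sample contents are constructed for the illustration.

# Property definitions; Type decides how conflicting values are combined.
# For the ordered list, Values runs from highest to lowest.
$properties = @{
    'Confidential' = @{ Type = 'YesNo' }
    'Sensitivity'  = @{ Type = 'OrderedList'; Values = @('Restricted', 'Internal', 'Public') }
    'Department'   = @{ Type = 'MultiChoice' }
    'Owner'        = @{ Type = 'String' }
}

# Each rule carries one classification parameter and assigns one value.
$rules = @(
    @{ Name = 'Payroll word';  ParamType = 'String';              Param = 'payroll';              Property = 'Confidential'; Value = 'Yes' },
    @{ Name = 'Public marker'; ParamType = 'String';              Param = 'public release';       Property = 'Confidential'; Value = 'No' },
    @{ Name = 'ID pattern';    ParamType = 'RegularExpression';   Param = '\d\d\d-\d\d\d-\d\d\d'; Property = 'Confidential'; Value = 'Yes' },
    @{ Name = 'Marked header'; ParamType = 'StringCaseSensitive'; Param = 'Confidential';         Property = 'Sensitivity';  Value = 'Restricted' },
    @{ Name = 'Memo';          ParamType = 'String';              Param = 'memo';                 Property = 'Sensitivity';  Value = 'Internal' },
    @{ Name = 'HR data';       ParamType = 'String';              Param = 'payroll';              Property = 'Department';   Value = 'HR' },
    @{ Name = 'Finance data';  ParamType = 'String';              Param = 'ledger';               Property = 'Department';   Value = 'Finance' },
    @{ Name = 'Owner alice';   ParamType = 'String';              Param = 'alice';                Property = 'Owner';        Value = 'alice' },
    @{ Name = 'Owner bob';     ParamType = 'String';              Param = 'bob';                  Property = 'Owner';        Value = 'bob' }
)

# Evaluates one additional classification parameter against file text.
function Test-ClassificationParameter {
    param([string]$Content, [string]$ParamType, [string]$Param)
    switch ($ParamType) {
        # .NET regular expression, the syntax the RegularExpression type uses
        'RegularExpression'   { return [regex]::IsMatch($Content, $Param) }
        # ordinal comparison: 'Confidential' does not match 'CONFIDENTIAL'
        'StringCaseSensitive' { return $Content.IndexOf($Param, [StringComparison]::Ordinal) -ge 0 }
        # case-insensitive: 'payroll' also matches 'Payroll' and 'PAYROLL'
        'String'              { return $Content.IndexOf($Param, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
        default               { throw "Unknown parameter type: $ParamType" }
    }
}

# Combines the values that several rules assigned to the same property,
# following the per-type behaviors listed under "Classification Rules Can Conflict".
function Merge-PropertyValues {
    param([hashtable]$Definition, [string[]]$Values)
    $unique = @($Values | Sort-Object -Unique)
    switch ($Definition.Type) {
        'YesNo'       { if ($unique -contains 'Yes') { return 'Yes' } else { return 'No' } }
        'OrderedList' {
            # the value highest in the defined list wins
            $ranked = @($Definition.Values | Where-Object { $unique -contains $_ })
            return $ranked[0]
        }
        'MultiChoice' { return ($unique -join ';') }   # union of the sets
        'MultiString' { return ($unique -join ';') }   # all unique strings
        default       {
            # Date-Time, Number and String: conflicting values are an error
            if ($unique.Count -gt 1) { throw "conflicting values: $($unique -join ', ')" }
            return $unique[0]
        }
    }
}

# Runs every rule over one file's text and merges the assigned values.
function Get-FileClassification {
    param([string]$Content)
    $assigned = @{}
    foreach ($rule in $rules) {
        if (Test-ClassificationParameter -Content $Content -ParamType $rule.ParamType -Param $rule.Param) {
            if (-not $assigned.ContainsKey($rule.Property)) { $assigned[$rule.Property] = @() }
            $assigned[$rule.Property] += $rule.Value
        }
    }
    $result = @{}
    foreach ($name in $assigned.Keys) {
        try   { $result[$name] = Merge-PropertyValues -Definition $properties[$name] -Values $assigned[$name] }
        catch { $result[$name] = "ERROR ($($_.Exception.Message)), property not set on this file" }
    }
    return $result
}

# Constructed file contents standing in for files inside the rule scope:
# January.txt matches only the payroll rules; memo.txt carries CONFIDENTIAL
# in capitals, which the case-sensitive rule ignores; ids.txt triggers Yes and
# No rules (Yes wins), two ordered-list values, two departments and two owners.
$samples = @{
    'January.txt' = 'Payroll run for January, prepared by alice.'
    'memo.txt'    = 'Internal memo: CONFIDENTIAL ledger review with bob, cleared for public release.'
    'ids.txt'     = 'Confidential memo: employee 123-456-789, payroll and ledger data from alice and bob; public release pending.'
}
foreach ($file in ($samples.Keys | Sort-Object)) {
    Write-Host "== $file"
    $classification = Get-FileClassification -Content $samples[$file]
    foreach ($name in ($classification.Keys | Sort-Object)) {
        Write-Host ('  {0,-12} {1}' -f $name, $classification[$name])
    }
}
```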

Classification Management Cannot Classify Certain Files

The File Classification Infrastructure will not identify individual files within a container file such as a .zip or .vhd file. Also, FCI will not allow content classification for the contents of encrypted files.


What Are File Management Tasks?

Key Points

File management tasks automate the process of finding subsets of files on a server and applying simple commands to them on a scheduled basis. Files are identified by classification properties that have been assigned to the file by a classification rule.

File management tasks include a file expiration command, and you can also create custom tasks. You can define files that will be processed by a file management task through the following properties:

• Location

• Classification properties

• Creation time

• Modification time

• Last accessed time

• File name

You can also configure file management tasks to notify file owners of any impending policy that will be applied to their files.

File Expiration Tasks

File expiration tasks are used to automatically move all files that match certain criteria to a specified expiration directory, where an administrator can back up those files and delete them.

When a file expiration task is run, a new directory is created within the expiration directory. The new directory is grouped by the server name on which the task was run, and it is named according to the name of the file management task and the time it was run. When an expired file is found, it is moved into the new directory, while preserving its original directory structure.


Custom File Management Tasks

Expiration is not always the desired action to be performed on files. File management tasks allow you to run custom commands. Using the custom commands dialog box, you can run an executable file, script, or other custom commands to perform an operation on the files within the scope of the file management task.

Note: Custom tasks are configured by selecting the Custom type on the Action tab of the Create File Management Task window.


Demonstration: How to Configure File Management Tasks

Key Points

In this demonstration, you will see how to:

• Create a File Management Task.

• Configure a File Management Task to Expire Documents.

Demonstration Steps:

1. Open FSRM and expand the File Management Tasks node.

2. Create a file management task named Expire Confidential Documents with a scope of E:\Labfiles\Mod05\Data.

3. On the Action tab, configure the task for file expiration to E:\Labfiles\Mod05\Expired.

4. Add a condition that Confidential equals Yes.

5. Run the File Management Task and view the report.


Lab C: Configuring Classification and File Management Tasks

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

5. Repeat steps 2 through 4 for 6419B-NYC-SVR1.

Lab Scenario

The Finance department of Contoso, Ltd has discovered that several payroll documents are being stored in locations that are not secure.

You have been asked to use the Classification Management and File Management Tasks components of FSRM to ensure that all payroll-related files are located in a secure location.


Exercise 1: Configuring Classification Management

The Finance department wants all documents related to the company payroll to be classified as confidential. You must create a Classification Property and a Classification Rule that classifies any files containing the word “payroll” as confidential.

Task 1: Create a classification property.

1. Create a Classification Property with the following attributes.

• Property name: Confidential

• Description: Assigns a confidentiality value of Yes or No

• Property Type: Yes/No

Task 2: Apply classification properties by using classification rules.

1. Create a new Classification Rule.

2. Configure the Rule Settings tab with the following attributes.

• Rule name: Confidential Payroll Documents

• Description: Classify documents containing the word “payroll” as confidential

• Scope: E:\Labfiles\Mod05\Data

3. Configure the Classification tab with the following attributes.

• Classification Mechanism: Content Classifier

• Property name: Confidential

• Property value: Yes

4. On the Classification tab, click Advanced.

5. Click the Additional Classification Parameters tab and add the following parameters.

• Name: String

• Value: payroll

6. Right-click the Classification Rules node, click Run Classification With All Rules Now, and select the Wait for classification to complete execution option.

7. View the generated report and ensure that January.txt is displayed in the report.

8. View the contents of E:\Labfiles\Mod05\Data\January.txt.

9. Close all open windows on NYC-SVR1.

Results: In this exercise, you configured Classification Management.


Exercise 2: Implementing File Management Tasks

You have been notified that the Finance department wants all payroll-related documents that you have classified to be relocated to a more secure location. Your task is to create a File Management task that will move any documents classified as confidential to the E:\Labfiles\Mod05\Confidential folder.

Task 1: Configure file management tasks based on classification properties.

1. Open the File Server Resource Manager, create a File Management task, and configure the properties according to the following steps.

2. On the General tab, configure the following attributes:

• Task name: Move Confidential Files

• Description: Move confidential documents to another folder

• Scope: E:\Labfiles\Mod05\Data.

3. On the Action tab, configure the following attributes.

• Type: File expiration

• Expiration directory: E:\Labfiles\Mod05\Confidential

4. On the Condition tab, configure the following attributes.

• Property conditions:

• Property: Confidential

• Operator: Equals

• Value: Yes

5. On the Schedule tab, create a schedule to run at 9:00 A.M. every day, starting today.

6. Right-click the newly created task, and then click Run File Management Task Now. Select the option to wait for the task to complete execution and then review the report. Ensure that January.txt is listed in the report.

7. In Windows Explorer, browse to the E:\Labfiles\Mod05\Confidential folder. January.txt should be located in this folder and no longer in E:\Labfiles\Mod05\Data.

Results: In this exercise, you implemented File Management Tasks.

To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6419B-NYC-SVR1.


Module 6
Configuring and Securing Remote Access

Contents:

Lesson 1: Configuring a Virtual Private Network Connection 6-3

Lesson 2: Overview of Network Policies 6-16

Lab A: Implementing a Virtual Private Network 6-26

Lesson 3: Integrating Network Access Protection with VPNs 6-31

Lesson 4: Configuring VPN Enforcement Using NAP 6-39

Lab B: Implementing NAP into a VPN Remote Access Solution 6-48

Lesson 5: Overview of DirectAccess 6-56


Module Overview

For an organization to support its distributed workforce, it must implement technologies that enable remote users to connect to the organization’s network infrastructure. These technologies include virtual private networks (VPNs) and DirectAccess. You need to understand how to configure and secure your remote access clients by using network policies and, where appropriate, Network Access Protection (NAP). This module explores these remote access technologies.

Objectives

After completing this module, you will be able to:

• Configure a VPN Connection.

• Explain network policies.

• Describe VPN enforcement with NAP.

• Configure NAP.

• Describe and deploy DirectAccess.


Lesson 1

Configuring a Virtual Private Network Connection

A VPN provides a point-to-point connection between the components of a private network through a public network, such as the Internet. Tunneling protocols enable a VPN client to establish and maintain a connection to a VPN server’s listening virtual port.

To properly implement and support a VPN environment within your organization, you must understand how to select a suitable tunneling protocol, configure VPN authentication, and configure the Network Policy and Access Services server role to support your chosen configuration.

Objectives

After completing this lesson, you will be able to:

• Describe virtual private networking.

• Describe methods used to authenticate remote systems.

• Identify the tunneling protocols used for a VPN Connection.

• Describe considerations for installing a VPN server.

• Configure a VPN server.

• Describe additional tasks related to managing and configuring a VPN server.

• Describe VPN Reconnect.


What Is Virtual Private Networking?

Key Points

To emulate a point-to-point link, the data is encapsulated, or wrapped, and prefixed with a header. This header provides routing information that enables the data to traverse the shared or public network to reach its endpoint.

To emulate a private link, the data is encrypted to ensure confidentiality. Packets that are intercepted on the shared or public network are indecipherable without the encryption keys. The link in which the private data is encapsulated and encrypted is known as a VPN connection.

There are two types of VPN connections:

• Remote access

• Site-to-site

Remote access VPN connections enable your users working at home, at a customer site, or through a public wireless access point to access resources on your organization’s private network by using the infrastructure that a public network provides, such as the Internet.

From the user’s perspective, the VPN is a point-to-point connection between their computer, the VPN client, and your organization’s resources. The exact infrastructure between the client and the resource is irrelevant because it appears logically as if the data is sent over a dedicated private link.

Site-to-Site VPN

Site-to-site VPN connections, which are also known as router-to-router VPN connections, enable your organization to have routed connections between separate offices or with other organizations over a public network while helping to maintain secure communications.

A VPN connection routed across the Internet logically operates as a dedicated wide area network (WAN) link. When networks connect over the Internet, a router forwards packets to another router across a VPN connection.


A site-to-site VPN connection connects two portions of a private network. For example, a branch office router, acting as a VPN server, can create a VPN connection between itself and a corporate hub router across the Internet. As the calling router, the branch office router authenticates itself to the answering router on the corporate hub, and, for mutual authentication, the answering router authenticates itself to the calling router. In a site-to-site VPN connection, the packets sent from either router across the VPN connection typically do not originate at the routers.

Properties of VPN Connections

VPN connections that use the Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol with Internet Protocol Security (L2TP/IPsec), and Secure Socket Tunneling Protocol (SSTP) have the following properties:

Note: These tunneling protocols are discussed in the next few topics.

• Encapsulation. With VPN technology, private data is encapsulated with a header that contains routing information that allows the data to traverse the transit network.

• Authentication. Authentication for VPN connections takes the following three different forms:

• User-level authentication by using PPP authentication.

To establish the VPN connection, the VPN server authenticates the VPN client that is attempting the connection by using a PPP user-level authentication method and verifies that the VPN client has the appropriate authorization. If you use mutual authentication, the VPN client also authenticates the VPN server, which provides protection against computers that are masquerading as VPN servers.

• Computer-level authentication by using Internet Key Exchange (IKE).

To establish an IPsec security association, the VPN client and the VPN server use the IKE protocol to exchange either computer certificates or a preshared key. In either case, the VPN client and server authenticate each other at the computer level. It is recommended that you use computer-certificate authentication because it is a much stronger authentication method. Computer-level authentication is only performed for L2TP/IPsec connections.

• Data origin authentication and data integrity.

To verify that the data sent on the VPN connection originated at the connection’s other end and was not modified in transit, the data contains a cryptographic checksum based on an encryption key known only to the sender and the receiver. Data origin authentication and data integrity are only available for L2TP/IPsec connections.

• Data encryption. To ensure the confidentiality of data as it traverses the shared or public transit network, the sender encrypts the data and the receiver decrypts it. The encryption and decryption processes depend on both the sender and the receiver using a common encryption key.

Intercepted packets sent along the VPN connection in the transit network are unintelligible to anyone who does not have the common encryption key. The encryption key’s length is an important security parameter. You can use computational techniques to determine the encryption key. However, such techniques require more computing power and computational time as the encryption keys get larger. Therefore, it is important to use the largest possible key size to ensure data confidentiality.


Types of VPN Authentication Methods

Key Points

Authentication of access clients is an important security concern. Authentication methods typically use an authentication protocol that is negotiated during the connection establishment process.

PAP

Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure authentication protocol. It is negotiated if the remote access client and remote access server cannot negotiate a more secure form of validation.

CHAP

The Challenge Handshake Authentication Protocol (CHAP) is a challenge-response authentication protocol that uses the Message Digest 5 (MD5) one-way hash to compute the response to a challenge issued by the remote access server. CHAP is an improvement over PAP because the password is never sent over the link. Instead, the password is used to create a one-way hash from a challenge string. The server, knowing the client’s password, can duplicate the operation and compare the result with that sent in the client’s response.

A server running Routing and Remote Access supports CHAP so that remote access clients that require CHAP are authenticated. Because CHAP requires the server to store the password in reversibly encrypted form, you should consider using another authentication protocol, such as MS-CHAP version 2.

MS-CHAP v2

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is an encrypted-password, mutual-authentication process that works as follows:

1. The authenticator (the remote access server or the computer running Network Policy Server) sends a challenge to the remote access client that consists of a session identifier and an arbitrary challenge string.


2. The remote access client sends a response that contains a one-way encryption of the received challenge string, the peer challenge string, the session identifier, and the user password.

3. The authenticator checks the response from the client and sends back a response containing an indication of the success or failure of the connection attempt and an authenticated response based on the sent challenge string, the peer challenge string, the client’s encrypted response, and the user password.

4. The remote access client verifies the authentication response and, if correct, uses the connection. If the authentication response is not correct, the remote access client terminates the connection.
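The CHAP challenge-response exchange described under CHAP above, as an added example that is not code from this handbook or from Routing and Remote Access: a small Python model of RFC 1994 CHAP (Response = MD5(Identifier || secret || Challenge)) showing the server's challenge, the client's response, the server recomputing the hash from its stored copy of the password, and why a response captured from one session is useless against the next challenge. The account store, the `ChapServer` class and the sample password are constructed for this example; it models plain CHAP, not the mutual-authentication derivation of MS-CHAP v2.

```python
"""Added example: a minimal CHAP (RFC 1994) exchange between a remote access
client and the server that authenticates it. Everything here is a constructed
teaching model; it is not Routing and Remote Access code."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed account store. CHAP obliges the server to hold the secret in a
# form it can feed into the hash, which is the "reversibly encrypted password"
# requirement the handbook warns about.
ACCOUNTS: Dict[str, bytes] = {"adam": b"P@ssw0rd-constructed"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


@dataclass
class ChapServer:
    """The authenticator: issues challenges and verifies responses."""
    accounts: Dict[str, bytes]
    outstanding: Dict[int, bytes] = field(default_factory=dict)  # id -> challenge

    def issue_challenge(self, identifier: int) -> bytes:
        # A fresh random challenge per attempt is what makes a captured
        # response worthless later.
        challenge = os.urandom(16)
        self.outstanding[identifier] = challenge
        return challenge

    def verify(self, identifier: int, username: str, response: bytes) -> bool:
        challenge = self.outstanding.pop(identifier, None)  # single use
        secret = self.accounts.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def run_exchange(server: ChapServer, username: str, secret: bytes,
                 identifier: int = 1) -> Tuple[bool, bytes]:
    """One round: server challenge -> client response -> server verdict.
    Returns (authenticated, the 16-byte response the client put on the link)."""
    challenge = server.issue_challenge(identifier)
    response = chap_response(identifier, secret, challenge)
    return server.verify(identifier, username, response), response


def replay_is_rejected(server: ChapServer, username: str, secret: bytes) -> bool:
    """A response captured in one session fails against the next challenge."""
    ok, captured = run_exchange(server, username, secret, identifier=7)
    server.issue_challenge(7)                      # next session, new challenge
    return ok and not server.verify(7, username, captured)


if __name__ == "__main__":
    srv = ChapServer(ACCOUNTS)
    print("correct password:", run_exchange(srv, "adam", ACCOUNTS["adam"])[0])
    print("wrong password:  ", run_exchange(srv, "adam", b"guess")[0])
    print("replay rejected: ", replay_is_rejected(srv, "adam", ACCOUNTS["adam"]))
```

Only the identifier, the random challenge and the 16-byte digest cross the link, which is the improvement over PAP; the cost is that the server must keep a copy of the secret it can hash, which is why the handbook points you toward MS-CHAP v2 or EAP-TLS where clients support them.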

EAP

With the Extensible Authentication Protocol (EAP), an arbitrary authentication mechanism authenticates a remote access connection. The remote access client and the authenticator (either the remote access server or the Remote Authentication Dial-In User Service (RADIUS) server) negotiate the exact authentication scheme to be used. Routing and Remote Access includes support for EAP-Transport Level Security (EAP-TLS) by default. You can plug in other EAP modules to the server running Routing and Remote Access to provide other EAP methods.

Using Smart Cards for Remote Access

Using smart cards for user authentication is the strongest form of authentication in the Windows Server 2008 family. For remote access connections, you must use EAP with the Smart card or other certificate (TLS) EAP type, also known as EAP-TLS.

To use smart cards for remote access authentication, you must:

• Configure remote access on the remote access server.

• Install a computer certificate on the remote access server computer.

• Configure the smart card or other certificate (TLS) EAP type in network policies.

• Enable smart card authentication on the dial-up or VPN connection on the remote access client.


Tunneling Protocols for a VPN Connection

Key Points

PPTP, L2TP, and SSTP depend heavily on the features originally specified for PPP. PPP was designed to send data across dial-up or dedicated point-to-point connections. For IP, PPP encapsulates IP packets within PPP frames and then transmits the encapsulated PPP packets across a point-to-point link. PPP was defined originally as the protocol to use between a dial-up client and a network access server.

PPTP

PPTP enables you to encrypt multi-protocol traffic and encapsulate it in an IP header, which is then sent across an IP network or a public IP network, such as the Internet. You can use PPTP for remote access and site-to-site VPN connections. When using the Internet as the VPN public network, the PPTP server is a PPTP-enabled VPN server with one interface on the Internet and a second interface on the intranet.

• Encapsulation: PPTP encapsulates PPP frames in IP datagrams for network transmission. PPTP uses a Transmission Control Protocol (TCP) connection for tunnel management and a modified version of Generic Routing Encapsulation (GRE) to encapsulate PPP frames for tunneled data. Payloads of the encapsulated PPP frames can be encrypted, compressed, or both.

• Encryption: The PPP frame is encrypted with Microsoft Point-to-Point Encryption (MPPE) by using encryption keys generated from the MS-CHAPv2 or EAP-TLS authentication process. VPN clients must use the MS-CHAPv2 or EAP-TLS authentication protocol so that the payloads of PPP frames can be encrypted. PPTP takes advantage of the underlying PPP encryption by encapsulating a previously encrypted PPP frame.

L2TP

L2TP enables you to encrypt multi-protocol traffic to send over any medium that supports point-to-point datagram delivery, such as IP or asynchronous transfer mode (ATM). L2TP is a combination of PPTP and Layer 2 Forwarding (L2F). L2TP represents the best features of PPTP and L2F.


• Encryption: The message is encrypted with one of the following algorithms by using encryption keys generated from the IKEv2 negotiation process: Advanced Encryption Standard (AES) 256, AES 192, AES 128, or 3DES.

IKEv2 is supported only on computers running Windows 7 and Windows Server 2008 R2.

Note: IKEv2 is the default VPN tunneling protocol in Windows 7.


Considerations for Installing a VPN Server

Key Points

Before you deploy your organization’s VPN solution, consider the following factors:

• To accept incoming connections, your VPN server requires two network interfaces: determine which network interface connects to the Internet and which network interface connects to your private network. During configuration, you must choose which network interface connects to the Internet. If you specify the incorrect interface, your remote access VPN server will not operate correctly.

• Determine whether remote clients receive IPv4 addresses from a Dynamic Host Configuration Protocol (DHCP) server on your private network or from the remote access VPN server that you are configuring. If you have a DHCP server on your private network, the remote access VPN server can lease ten addresses at a time from the DHCP server and assign those addresses to remote clients. If you do not have a DHCP server on your private network, the remote access VPN server can generate and assign IP addresses automatically to remote clients. If you want the remote access VPN server to assign IP addresses from a range that you specify, you must determine what that range should be.

• Determine whether you want connection requests from VPN clients to be authenticated by a RADIUS server or by the remote access VPN server that you are configuring. Adding a RADIUS server is useful if you plan to install multiple remote access VPN servers, wireless access points, or other RADIUS clients to your private network.

• Determine whether IPv4 VPN clients can send DHCP messages to the DHCP server on your private network. If a DHCP server is on the same subnet as your remote access VPN server, DHCP messages from VPN clients will be able to reach the DHCP server after the VPN connection is established. If a DHCP server is on a different subnet from your remote access VPN server, ensure that the router between subnets can relay DHCP messages between the clients and the server. If your router is running Windows Server 2008 or Windows Server 2008 R2, you can configure the DHCP Relay Agent service on the router to forward DHCP messages between subnets.

• Ensure that the individual responsible for the deployment of your VPN solution has the necessary administrative group memberships to install the server roles and configure the necessary services; membership of the local Administrators group is required to perform these tasks.


Demonstration: Configuring a VPN Server

Key Points

In this demonstration, you will see how to:

• Configure user dial-in settings.

• Configure Routing and Remote Access as a VPN server.

• Configure a VPN client.

Demonstration Steps:

1. Verify the dial-in permission of Adam Carter.

2. Determine group memberships of Adam Carter.

3. Add the Network Policy Server role to NYC-EDGE1.

4. Configure and enable a VPN server on NYC-EDGE1.

5. Disable existing NPS policies on NYC-EDGE1.

6. Create a VPN connection on NYC-CL1.

7. Attempt to connect to NYC-EDGE1 by using the VPN.


Additional Configuration Tasks for VPN Servers

Key Points

After you complete the steps in the Add Roles Wizard and complete the configuration in Routing and Remote Access, your server is ready for use as a remote access VPN server.

The following are the additional tasks that you can perform on your remote access/VPN server:

• Configure static packet filters. Add static packet filters to better protect your network.

• Configure services and ports. Choose which services on the private network you want to make available for remote access users.

• Adjust logging levels for routing protocols. Configure the level of event details that you want to log. You can decide which information you want to track in log files.

• Configure the number of VPN ports. Add or remove VPN ports.

• Create a Connection Manager profile for users. Manage the client connection experience for users and simplify troubleshooting of client connections.

• Add Active Directory Certificate Services (AD CS). Configure and manage a certification authority (CA) on a server for use in a PKI.

• Increase remote access security. Protect remote users and the private network by enforcing use of secure authentication methods, requiring higher levels of data encryption, and more.

• Increase VPN security. Protect remote users and the private network by requiring use of secure routing and tunneling protocols, configuring account lockout, and more.

• Consider implementing VPN Reconnect. VPN Reconnect uses IKEv2 technology to provide a seamless and consistent VPN connection, automatically re-establishing a VPN when users temporarily lose their Internet connections.


What Is VPN Reconnect?

Key Points

In dynamic business scenarios, users must be able to securely access data anytime, from anywhere, and access it continuously, without interruption. For example, users might want to securely access data on the company’s server in the head office, from a branch office, or while on the road.

To meet this requirement, you can configure the VPN Reconnect feature that is available in Windows Server 2008 R2 and Windows 7. This enables users to securely access the company’s data by using a VPN connection, which will automatically reconnect if connectivity is interrupted. It also enables roaming between different networks.

VPN Reconnect uses the Internet Key Exchange version 2 (IKEv2) technology to provide seamless and consistent VPN connectivity. VPN Reconnect automatically re-establishes a VPN connection when Internet connectivity is available again. Users who connect by using wireless mobile broadband benefit most from this capability.

Consider a user with a laptop running Windows 7. When the user travels to work on a train, the user connects to the Internet by using a wireless mobile broadband card and then establishes a VPN connection to the company’s network. When the train passes through a tunnel, the Internet connection is lost. After the train comes out of the tunnel, the wireless mobile broadband card automatically reconnects to the Internet. With earlier versions of Windows client and server operating systems, the VPN did not reconnect automatically. Therefore, the user needed to manually repeat the multistep process of connecting to the VPN. This was time-consuming for mobile users with intermittent connectivity.

With VPN Reconnect, Windows Server 2008 R2 and Windows 7 automatically re-establish active VPN connections when Internet connectivity is re-established. Even though the reconnection might take several seconds, users stay connected and have uninterrupted access to internal network resources.

The system requirements for using the VPN Reconnect feature are as follows:

• Windows Server 2008 R2 as a VPN server


• Windows 7 or Windows Server 2008 R2 client

• A PKI, because a computer certificate is required for a remote connection with VPN Reconnect. Certificates issued by either an internal or a public CA can be used.


Lesson 2

Overview of Network Policies

Network policies determine whether a connection attempt is successful, and if such an attempt is successful, the network policy defines connection characteristics, such as day and time restrictions, session idle-disconnect times, and other settings.

Understanding how to configure network policies is essential if you are to successfully implement VPNs based on the Network Policy and Access Services server role within your organization.

Objectives

After completing this lesson, you will be able to:

• Describe the Network Policy and Access Services role.

• Describe how network policies are used to control and secure a VPN connection.

• Describe the process for creating and configuring a Network Policy.

• Create a Network Policy to be used for VPN connections.

• Describe how network policies are processed.


What Is the Network Policy and Access Services Role?

Key Points

The Network Policy and Access Services role in Windows Server 2008 R2 provides the following network connectivity solutions:

• NAP. NAP is a client health policy creation, enforcement, and remediation technology that is included in the Windows XP with SP3, Windows Vista, and Windows 7 client operating systems and in the Windows Server 2008 and Windows Server 2008 R2 operating systems. With NAP, you can establish and automatically enforce health policies, which can include software requirements, security update requirements, required computer configurations, and other settings. If client computers do not comply with a health policy, you can restrict their network access until their configuration is updated and brought into compliance. Depending on how you choose to deploy NAP, noncompliant clients can be updated automatically so that users can regain full network access quickly without manually updating or reconfiguring their computers.

• Secure wireless and wired access. When you deploy 802.1X wireless access points, it provides wireless users with a secure password-based authentication method, which is easy to deploy. When you deploy 802.1X authenticating switches, wired access allows you to secure your network by ensuring that intranet users are authenticated before they can connect to the network or obtain an IP address by using DHCP.

• Remote access solutions. With remote access solutions, you can provide users with VPN and traditional dial-up access to your organization’s network. You also can connect branch offices to your network with VPN solutions, deploy full-featured software routers on your network, and share Internet connections across the intranet.

• Central network policy management with RADIUS server and proxy. Rather than configuring network access policy at each network access server, such as wireless access points, 802.1X authenticating switches, VPN servers, and dial-up servers, you can create policies in a single location that specify all aspects of network connection requests, including who is allowed to connect, when they can connect, and the level of security they must use to connect to your network.


What Is a Network Policy?

Key Points

Network policies are sets of conditions, constraints, and settings that enable you to designate who is authorized to connect to the network and the circumstances under which they can, or cannot, connect. Additionally, when you deploy NAP, health policy is added to the network policy configuration so that NPS performs client health checks during the authorization process.

You can view network policies as rules; each rule has a set of conditions and settings. NPS compares the rule’s conditions with the properties of connection requests. If a match occurs between the rule and the connection request, the settings that you define in the rule are applied to the connection.

When you configure multiple network policies in NPS, they are an ordered set of rules. NPS checks each connection request against the list’s first rule, then the second, and so on, until a match is found.

Note: After a matching rule is determined, further rules are disregarded. It is important to order your network policies appropriately.

Each network policy has a Policy State setting that allows you to enable or disable the policy. When you disable a network policy, NPS does not evaluate the policy when authorizing connection requests.

Network Policy Properties

Each network policy has four categories of properties:

• Overview. These properties allow you to specify whether the policy is enabled; whether the policy grants or denies access; and whether a specific network connection method, or type of network access server, is required for connection requests. Overview properties also enable you to specify whether to ignore the dial-in properties of user accounts in AD DS. If you select this option, NPS uses only the network policy’s settings to determine whether to authorize the connection.


• Conditions. These properties allow you to specify the conditions that the connection request must have to match the network policy. If the conditions configured in the policy match the connection request, NPS applies the network-policy settings to the connection. For example, if you specify the network access server IPv4 address (NAS IPv4 Address) as a condition of the network policy and NPS receives a connection request from a NAS that has the specified IP address, the condition in the policy matches the connection request.

• Constraints. Constraints are additional parameters of the network policy that are required to match the connection request. If the connection request does not match a constraint, NPS automatically rejects the request. Unlike the NPS response to unmatched conditions in the network policy, if a constraint is not matched, NPS does not evaluate additional network policies. The connection request is denied.

• Settings. These properties allow you to specify the settings that NPS applies to the connection request if all of the policy’s network policy conditions are matched.

When you add a new network policy by using the NPS MMC snap-in, you must use the New Network Policy Wizard. After you have created a network policy by using the wizard, you can customize the policy by double-clicking it in NPS to obtain the policy properties.


Process for Creating and Configuring a Network Policy

Key Points

NPS uses network policies and the dial-in properties of user accounts to determine whether to authorize a connection request to your network. You can configure a new network policy in either the NPS MMC snap-in or the Routing and Remote Access Service MMC snap-in.

Creating Your Policy

When you use the New Network Policy Wizard to create a network policy:

• The value that you specify as the network connection method is used to configure the Policy Type condition automatically. If you keep the default value, NPS evaluates the network policy that you create for all network connection types through any type of network access server. If you specify a network connection method, NPS evaluates the network policy only if the connection request originates from the type of network access server that you specify. For example, if you specify Remote Desktop Gateway, NPS evaluates the network policy only for connection requests that originate from Remote Desktop Gateway servers.

• On the Specify Access Permission page, you must select Access granted if you want the policy to allow users to connect to your network. If you want the policy to prevent users from connecting to your network, select Access denied. If you want user account dial-in properties in AD DS to determine access permission, you can select the Access is determined by User Dial-in properties (which override NPS policy) check box.

Note: To complete this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group.

Adding a Network Policy by Using the Windows Interface

To add a network policy by using the Windows interface:

1. Open the NPS console, and expand Policies.


2. In the console tree, right-click Network Policies, and then click New. The New Network Policy Wizard opens.

3. Use the New Network Policy Wizard to create a policy.

4. Configure the Network Policy properties (described in the remainder of this topic).

Configuring Your Policy

After you have created your policy, you can use the properties dialog box for the policy to view or reconfigure its settings.

Network Policy Properties–Overview Tab

From the Overview tab of the Properties sheet for a network policy, or while running the New Network Policy Wizard, you can configure the following:

• Policy Name. Type a friendly and meaningful name for the network policy.

• Policy State. Designate whether to enable the policy.

• Access Permission. Designate whether the policy grants or denies access. Also, specify whether NPS should ignore the dial-in properties of user accounts in AD DS when using the policy to perform the connection attempt’s authorization.

• The network connection method to use for the connection request:

• Unspecified. If you select Unspecified, NPS evaluates the network policy for all connection requests that originate from any type of network access server and for any connection method.

• Remote Desktop Gateway. If you specify Remote Desktop Gateway, NPS evaluates the network policy for connection requests that originate from servers that are running Remote Desktop Gateway.

• Remote Access Server (VPN-Dial-up). If you specify Remote Access Server (VPN-Dial-up), NPS evaluates the network policy for connection requests that originate from a computer running Routing and Remote Access service configured as a dial-up or VPN server. If another dial-up or VPN server is used, the server must support the RADIUS protocol and the authentication protocols that NPS provides for dial-up and VPN connections.

• DHCP Server. If you specify DHCP Server, NPS evaluates the network policy for connection requests that originate from servers that are running DHCP.

• Health Registration Authority. If you specify Health Registration Authority, NPS evaluates the network policy for connection requests that originate from servers that are running Health Registration Authority.

• HCAP Server. If you specify HCAP Server, NPS evaluates the network policy for connection requests that originate from servers that are running HCAP.

Network Policy Properties–Conditions Tab

You must configure at least one condition for every network policy. NPS provides many condition groups that allow you to define clearly the properties that a connection request received by NPS must have to match the policy.

The available condition groups are:

• Groups. These specify user or computer groups that you configure in AD DS and to which you want the other rules of the network policy to apply when group members attempt to connect to the network.

• HCAP. These conditions are used only when you want to integrate your NPS NAP solution with Cisco Network Admission Control. To use these conditions, you must deploy Cisco Network Admission Control and NAP. You also must deploy an HCAP server running both Internet Information Services (IIS) and NPS.

• Day and Time Restrictions. The Day and Time Restrictions condition allows you to specify, at a weekly interval, whether to allow connections on a specific set of days and times.

For example, you can configure this condition to allow access to your network only between the hours of 8 A.M. and 5 P.M., Monday through Thursday. With this condition value, users whose connection requests match all conditions of the network policy cannot connect to the network on Fridays, Saturdays, Sundays, and during other weekdays between the hours of 5 P.M. and 8 A.M., but they can connect between Monday and Thursday between 8 A.M. and 5 P.M.

Conversely, you can specify the days and times during which you want to deny network connections. If you specify days and times during which to deny connections, users can access your network on the unspecified days and times. For example, if you configure this condition to deny connections all day on Sunday, users cannot connect at any time on Sundays, but they can connect Monday through Saturday at any time.

• NAP. Settings include Identity Type, MS-Service Class, NAP-Capable Computers, Operating System, and Policy Expiration.

Note: The Identity Type condition is for NAP DHCP and IPsec deployments to allow client health checks when NPS does not receive an Access-Request message that contains a value for the User-Name attribute. In these circumstances, client health checks are performed, but authentication and authorization are not.

• Connection Properties. Settings include Access Client IPv4 Address, Access Client IPv6 Address, Authentication Type, Allowed EAP Types, Framed Protocol, Service Type, and Tunnel Type.

• RADIUS Client Properties. Settings include Calling Station ID, Client Friendly Name, Client IPv4 Address, Client IPv6 Address, Client Vendor, and MS RAS Vendor.

Important: Client computers, such as wireless laptop computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X authenticating switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as NPS servers.

• Gateway. Settings include Called Station ID, NAS Identifier, NAS IPv4 Address, NAS IPv6 Address, and NAS Port Type.

Network Policy Properties–Constraints Tab

Constraints are optional additional network policy parameters that differ from network policy conditions in one substantial way; that is, when a condition does not match a connection request, NPS continues to evaluate other configured network policies to find a match for the connection request. When a constraint does not match a connection request, NPS does not evaluate additional network policies, but rejects the connection request, and the user or computer is denied network access.

The following list describes the constraints that you can configure in network policy:

• Authentication Methods. Allows you to specify the authentication methods that are required for the connection request to match the network policy.


• Idle Timeout. Allows you to specify the maximum time, in minutes, that the network access server can remain idle before the connection disconnects.

• Session Timeout. Allows you to specify the maximum amount of time, in minutes, that a user can be connected to the network.

• Called Station ID. Allows you to specify the telephone number of the dial-up server that clients use to access the network.

• Day and time restrictions. Allows you to specify when users can connect to the network.

• NAS Port Type. Allows you to specify the access media types that are allowed for users to connect to the network.

Network Policy Properties–Settings Tab

NPS applies the settings, which you configure in the network policy, to the connection, if all of the conditions and constraints that you configure in the policy match the connection request’s properties.

The available groups of settings that you can configure are:

• RADIUS Attributes

Important: If you plan to return to RADIUS clients any additional RADIUS attributes or vendor-specific attributes (VSAs) with the responses to RADIUS requests, you must add the RADIUS attributes or VSAs to the appropriate network policy.

RADIUS attributes are described in Request for Comments (RFC) 2865, RFC 2866, RFC 2867, RFC 2868, RFC 2869, and RFC 3162. RFCs and Internet drafts for VSAs define additional RADIUS attributes.

• NAP. With NAP Enforcement, you can specify how you want to enforce NAP, remediation servergroups, troubleshooting URL, and auto-remediation.

• Routing and Remote Access. Includes Multilink and Bandwidth Allocation Protocol (BAP), IP filters, encryption, and IP settings.


Demonstration: How to Create a Network Policy

Key Points

In this demonstration, you will see how to create a VPN policy and test it.

Demonstration Steps:

1. Create a VPN policy based on the Windows Groups condition.

2. Test the VPN you previously created.


How Network Policies Are Processed

Key Points

When NPS performs authorization of a connection request, it compares the request with each network policy in the ordered list of policies, starting with the policy with the highest processing order and moving down the list.

If NPS finds a network policy in which the conditions match the connection request, NPS uses the matching network policy and the dial-in properties of the user account to perform the authorization.

If you configure the dial-in properties of the user account to grant or control access through network policy, and the connection request is authorized, NPS applies the settings that you configure in the network policy to the connection.

• If NPS does not find a network policy that matches the connection request, NPS rejects the connection unless the dial-in properties on the user account are set to grant access.

• If the dial-in properties of the user account are set to deny access, NPS rejects the connection request.
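To make the processing order described here, and the condition-versus-constraint distinction from the Constraints tab section above, concrete, the following PowerShell is an added example that models that logic; it is not courseware code, and NPS exposes no such cmdlet. The hashtable layout, the request fields, the second catch-all policy and the sample dates are all constructed assumptions; the Secure VPN policy mirrors Lab A, Exercise 2.

```powershell
# Added example, not part of the 6419B courseware and not an NPS API: a model of
# how NPS walks its ordered network policy list. The hashtable layout, the
# sample policies and the sample requests are constructed for illustration.

function Test-DayTimeDenied {
    param([datetime]$When, [hashtable]$Grid)
    # $Grid mirrors the day-by-hour grid of the Day and time restrictions
    # constraint: day name -> hours (0-23) during which connections are denied.
    $hours = $Grid[$When.DayOfWeek.ToString()]
    return (($null -ne $hours) -and ($hours -contains $When.Hour))
}

function Invoke-NpsAuthorization {
    param([hashtable[]]$Policies, [hashtable]$Request, [string]$UserDialIn)
    # $UserDialIn models the account's dial-in property in AD DS:
    # 'Allow', 'Deny', or 'Control' (control access through NPS network policy).
    foreach ($p in $Policies) {
        if (-not $p.Enabled) { continue }   # Policy State disabled: never evaluated

        # Conditions: all must match; on a mismatch NPS moves on to the next policy.
        $match = $true
        foreach ($c in $p.Conditions.GetEnumerator()) {
            if ($c.Value -notcontains $Request[$c.Key]) { $match = $false; break }
        }
        if (-not $match) { continue }

        # First match wins; policies further down the list are never evaluated.
        # The dial-in property overrides the policy's access permission unless
        # the policy is set to ignore dial-in properties.
        $granted = ($p.Access -eq 'Granted')
        if ((-not $p.IgnoreDialIn) -and ($UserDialIn -ne 'Control')) {
            $granted = ($UserDialIn -eq 'Allow')
        }
        if (-not $granted) {
            return @{ Result = 'Reject'; Policy = $p.Name; Reason = 'access denied' }
        }

        # Constraints: a mismatch rejects the request outright; NPS does not
        # fall through to later policies.
        $auth = $p.Constraints.AuthMethods
        if (($null -ne $auth) -and ($auth -notcontains $Request.AuthMethod)) {
            return @{ Result = 'Reject'; Policy = $p.Name; Reason = "auth method $($Request.AuthMethod) not allowed" }
        }
        $grid = $p.Constraints.DeniedTimes
        if (($null -ne $grid) -and (Test-DayTimeDenied -When $Request.Time -Grid $grid)) {
            return @{ Result = 'Reject'; Policy = $p.Name; Reason = 'day and time restriction' }
        }

        # Conditions and constraints matched: the policy's settings are applied.
        return @{ Result = 'Accept'; Policy = $p.Name; Reason = 'matched'; Settings = $p.Settings }
    }

    # No policy matched: reject unless the account's dial-in property grants access.
    if ($UserDialIn -eq 'Allow') {
        return @{ Result = 'Accept'; Policy = ''; Reason = 'no policy matched; dial-in is Allow'; Settings = @{} }
    }
    return @{ Result = 'Reject'; Policy = ''; Reason = 'no matching network policy' }
}

# Denied grid for the lab's "11PM to 6AM Monday thru Friday" constraint.
$denied = @{}
foreach ($day in 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday') {
    $denied[$day] = @(23) + (0..5)
}

# Constructed policies in processing order: the lab's Secure VPN policy first,
# then a catch-all that denies any other VPN request.
$policies = @(
    @{ Name = 'Secure VPN'; Enabled = $true; Access = 'Granted'; IgnoreDialIn = $false
       Conditions  = @{ TunnelType = @('L2TP', 'PPTP', 'SSTP') }
       Constraints = @{ AuthMethods = @('MS-CHAP-v2'); DeniedTimes = $denied }
       Settings    = @{ Encryption = 'Strongest encryption (MPPE 128-bit)' } },
    @{ Name = 'Other VPN connections (deny)'; Enabled = $true; Access = 'Denied'; IgnoreDialIn = $false
       Conditions  = @{ NasPortType = @('Virtual (VPN)') }
       Constraints = @{}; Settings = @{} }
)

# Constructed connection requests (6 Sep 2011 is a Tuesday, 10 Sep a Saturday).
$base = @{ TunnelType = 'PPTP'; NasPortType = 'Virtual (VPN)'; AuthMethod = 'MS-CHAP-v2'
           Time = [datetime]'2011-09-06 14:00' }
$night = $base.Clone();   $night.Time = [datetime]'2011-09-07 02:00'    # Wed 02:00: in the denied grid
$weekend = $base.Clone(); $weekend.Time = [datetime]'2011-09-10 02:00'  # Sat 02:00: not in the grid
$pap = $base.Clone();     $pap.AuthMethod = 'PAP'                       # constraint mismatch
$gre = $base.Clone();     $gre.TunnelType = 'GRE'                       # condition mismatch
$lan = $base.Clone();     $lan.TunnelType = ''; $lan.NasPortType = 'Ethernet'   # matches no policy

$cases = @(
    @{ Label = 'weekday afternoon, dial-in Control';  Request = $base;    DialIn = 'Control' },
    @{ Label = 'Wednesday 02:00';                     Request = $night;   DialIn = 'Control' },
    @{ Label = 'Saturday 02:00';                      Request = $weekend; DialIn = 'Control' },
    @{ Label = 'PAP authentication';                  Request = $pap;     DialIn = 'Control' },
    @{ Label = 'GRE tunnel (falls to second policy)'; Request = $gre;     DialIn = 'Control' },
    @{ Label = 'Ethernet, no policy matches';         Request = $lan;     DialIn = 'Control' },
    @{ Label = 'Ethernet, dial-in Allow';             Request = $lan;     DialIn = 'Allow' },
    @{ Label = 'weekday afternoon, dial-in Deny';     Request = $base;    DialIn = 'Deny' }
)
foreach ($case in $cases) {
    $r = Invoke-NpsAuthorization -Policies $policies -Request $case.Request -UserDialIn $case.DialIn
    '{0,-40} -> {1,-6} {2,-30} {3}' -f $case.Label, $r.Result, $r.Policy, $r.Reason
}
```

The PAP and Wednesday cases show why constraints matter for policy ordering: the Secure VPN policy matches and rejects them itself, so the second policy is never consulted.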


Lab A: Implementing a Virtual Private Network

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V™ Manager.

2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

5. Repeat steps 2 to 4 for 6419B-NYC-EDGE1 and 6419B-NYC-CL1.

Lab Scenario

Contoso, Ltd. would like to implement a remote access solution for its employees, so they can connect to the corporate network while away from the office. Contoso, Ltd. requires a network policy that mandates that VPN connections are encrypted for security reasons. You are required to enable and configure the necessary server services to facilitate this remote access.

For this project, you must complete the following tasks:

• Configure Routing and Remote Access as a VPN remote access solution.

• Configure a custom Network Policy.


Exercise 1: Configuring Routing and Remote Access as a VPN Remote Access Solution

Scenario

In this exercise, you will install and configure the Network Policy and Access Services role to support the requirements of the Contoso, Ltd. workforce.

The main tasks for this exercise are as follows:

1. Install the Network Policy and Access Services role on 6419B-NYC-EDGE1.

2. Configure 6419B-NYC-EDGE1 as a VPN server with a static address pool for Remote Access clients.

3. Configure available VPN ports on the (RRAS) server to allow 25 PPTP, 25 L2TP, and 25 SSTP connections.

Task 1: Install the Network Policy and Access Services role on 6419B-NYC-EDGE1.

1. Switch to the NYC-EDGE1 virtual server.

2. Open Server Manager.

3. Add the Network Policy and Access Services role with the following role services:

a. Network Policy Server

b. Routing and Remote Access Services

Task 2: Configure 6419B-NYC-EDGE1 as a VPN server with a static address pool for Remote Access clients.

1. On NYC-EDGE1, open Routing and Remote Access.

2. In the list pane, select and right-click NYC-EDGE1 (Local), and then click Configure and Enable Routing and Remote Access.

3. Use the following settings to configure the service:

a. On the Configuration page, accept the defaults.

b. On the Remote Access page, select the VPN check box.

c. On the VPN Connection page, select the Public interface.

d. On the IP Address Assignment page, select the From a specified range of addresses option.

e. On the Address Range Assignment page, create an address pool with 75 entries with a start address of 10.10.0.60.

f. On the Managing Multiple Remote Access Servers page, accept the defaults.

g. Accept any messages by clicking OK.

Task 3: Configure available VPN ports on the (RRAS) server to allow 25 PPTP and 25 L2TP connections.

1. In the Routing and Remote Access management tool interface, expand NYC-EDGE1, select and then right-click Ports, and then click Properties.

2. Use the following information to complete the configuration process:

a. Number of WAN Miniport (SSTP) ports: 25

b. Number of WAN Miniport (PPTP) ports: 25


c. Number of WAN Miniport (L2TP) ports: 25

3. Click OK to confirm any prompts.

4. Close the Routing and Remote Access tool.

Results: At the end of this exercise, you enabled routing and remote access on the NYC-EDGE1 server.


Exercise 2: Configuring a Custom Network Policy

Scenario

In this exercise, you will create and verify a custom network policy in accordance with the requirements of Contoso, Ltd. The requirements for this policy are:

• Supported tunnel types: L2TP, PPTP

• Supported authentication methods: MS-CHAP-v2 with strongest authentication

• Constraints: Connections disallowed between 11 P.M. and 6 A.M. Monday through Friday

The main tasks for this exercise are as follows:

1. Open the Network Policy Server management tool on 6419B-NYC-EDGE1.

2. Create a new network policy for RRAS clients.

3. Create and test a VPN Connection.

Task 1: Open the Network Policy Server management tool on 6419B-NYC-EDGE1.

1. Switch to the NYC-EDGE1 virtual computer.

2. Open the Network Policy Server tool.

Task 2: Create a new network policy for RRAS clients.

1. In the Network Policy Server console, create a new policy with the following settings:

a. Name: Secure VPN.

b. Type of network access server: Remote Access Server (VPN-Dial up).

c. Conditions: Tunnel Type = L2TP, PPTP, SSTP.

d. Access permission: Access granted.

e. Authentication methods: Microsoft Encrypted Authentication version 2 (MS-CHAP-v2).

f. Constraints: Day and time restrictions = 11PM to 6AM Monday thru Friday Denied.

g. Settings: Encryption = Strongest encryption (MPPE 128-bit).

2. Ensure that the Secure VPN policy is the first in the list of any policies.

3. Close the Network Policy Server tool.

Task 3: Create and Test a VPN Connection.

1. Switch to the NYC-CL1 computer.

2. Open Network and Sharing Center.

3. Change the network adapter settings as follows:

a. IP Address: 131.107.0.20

b. Subnet mask: 255.255.255.0

c. Default gateway: 131.107.0.1

4. Create a VPN with the following settings:

a. Internet address to connect to: 131.107.0.2.

b. Name: Contoso VPN.

5. Connect with the new VPN properties as follows:


a. User name: Administrator

b. Password: Pa$$w0rd

c. Domain: Contoso

Note: The VPN connects successfully.

6. Disconnect the VPN and close all open windows.

Results: In this exercise, you created and tested a VPN connection.

To prepare for the next lab

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6419B-NYC-EDGE1 and 6419B-NYC-CL1.


Lesson 3

Integrating Network Access Protection with VPNs

NAP enables you to create customized health-requirement policies to validate computer health before allowing access or communication, as well as automatically update compliant computers to ensure ongoing compliance and limit the access of noncompliant computers to a restricted network until they become compliant.

NAP with VPN protection enables you to control access to your organization’s private network based on the health status of the VPN client. It is important that you configure NAP appropriately if you wish to implement this protection.

Objectives

After completing this lesson, you will be able to:

• Describe NAP.

• Describe the advantages of using Network Access Protection with a VPN solution.

• Describe the NAP client and server components.

• Describe how NAP enforcement works for VPN connections.


What Is Network Access Protection?

Key Points

NAP for Windows Server 2008, Windows Server 2008 R2, Windows 7, and Windows Vista provides components and an application programming interface (API) that help you enforce compliance with your organization’s health-requirement policies for network access or communication.

NAP enables you to create solutions for validating computers that connect to your networks, as well as provide needed updates or access to needed health update resources and limit the access or communication of noncompliant computers.

You can integrate NAP’s enforcement features with software from other vendors or with custom programs. You can customize the health-maintenance solution that developers within your organization may develop and deploy, whether for monitoring the computers accessing the network for health policy compliance, automatically updating computers with software updates to meet health policy requirements, or limiting the access of computers that do not meet health policy requirements to a restricted network.

Remember that NAP does not protect a network from malicious users. Rather, it helps you maintain the health of your organization’s networked computers automatically, which in turn helps maintain your network’s overall integrity. For example, if a computer has all the software and configuration settings that the health policy requires, the computer is compliant and will have unlimited network access; however, NAP does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or engaging in other inappropriate behavior.

Aspects of NAP

NAP has three important and distinct aspects:

• Health state validation. When a computer attempts to connect to the network, the computer’s health state is validated against the health-requirement policies that the administrator defines. You also can define what to do if a computer is not compliant. In a monitoring-only environment, all computers have their health state evaluated and the compliance state of each computer is logged for analysis. In a limited access environment, computers that comply with the health-requirement policies have unlimited network access. Computers that do not comply with health-requirement policies may find their access limited to a restricted network.

• Health policy compliance. You can help ensure compliance with health-requirement policies by choosing to update noncompliant computers automatically with missing software updates or configuration changes through management software, such as Microsoft System Center Configuration Manager. In a monitoring-only environment, computers will have network access before they are updated with required updates or configuration changes. In a limited access environment, noncompliant computers have limited access until the updates and configuration changes are complete. In both environments, computers that are compatible with NAP can become compliant automatically and you can define exceptions for computers that are not NAP compatible.

• Limited access. You can protect your networks by limiting the access of noncompliant computers. You can base limited network access on a specific amount of time or on what the noncompliant computer can access. In the latter case, you define a restricted network containing health update resources, and the limited access will last until the noncompliant computer comes into compliance. You also can configure exceptions so that computers that are not compatible with NAP do not have their network access limited.


Advantages of Implementing VPN Enforcement

Key Points
With NAP with VPN enforcement, a computer must be compliant to obtain unlimited network access through a remote access VPN connection. For noncompliant computers, network access is limited through a set of IP packet filters that the VPN server applies to the VPN connection.

VPN enforcement enforces health policy requirements every time a computer attempts to obtain a remote access VPN connection to the network. VPN enforcement also actively monitors the health status of the NAP client and applies the restricted network’s IP packet filters to the VPN connection if the client becomes noncompliant.

The components of VPN enforcement consist of NPS in Windows Server 2008 R2 and a VPN EC that is part of the remote access client in Windows 7, Windows Vista, Windows XP Service Pack 3, and Windows Server 2008 R2. VPN enforcement provides strong limited network access for all computers accessing the network through a remote access VPN connection.


Configuring and Securing Remote Access 6-35

Components of a VPN Enforcement Solution

Key Points
The components of a VPN enforcement solution consist of the following:

• NAP clients. Computers that support the NAP platform for system health-validated network access or communication.

• NAP enforcement points. Computers or network-access devices that use NAP or that you can use with NAP to require evaluation of a NAP client’s health state and provide restricted network access or communication. NAP enforcement points use an NPS that is acting as a NAP health policy server to evaluate the health state of NAP clients, whether network access or communication is allowed, and the set of remediation actions that a noncompliant NAP client must perform. NAP enforcement points include the following:

• VPN server. This is a computer that runs Windows Server 2008 R2 and Routing and Remote Access, and that enables VPN intranet connections via remote access.

• DHCP server. This is a computer that runs Windows Server 2008 R2 and the DHCP Server service, and that provides automatic IPv4 address configuration to intranet DHCP clients.

• NAP health policy servers. These are computers that run Windows Server 2008 R2 and the NPS service, and that store health-requirement policies and provide health-state validation for NAP. NPS is the replacement for the Internet Authentication Service (IAS) and the RADIUS server and proxy that Windows Server 2003 provides. NPS also acts as an authentication, authorization, and accounting (AAA) server for network access. When acting as an AAA server or NAP health policy server, NPS typically runs on a separate server for centralized configuration of network access and health-requirement policies. The NPS service also runs on Windows Server 2008 R2-based NAP enforcement points that do not have a built-in RADIUS client, such as an HRA or DHCP server. However, in these configurations, the NPS service is acting as a RADIUS proxy to exchange RADIUS messages with a NAP health policy server.

• Health requirement servers. These are computers providing the current system health state for NAP health policy servers. An example of these would be a health-requirement server for an antivirus program that tracks the latest version of the antivirus signature file.


• AD DS. This Windows directory service stores account credentials and properties and Group Policy settings. Although not required for health-state validation, Active Directory is required for IPsec-protected communications, 802.1X-authenticated connections, and remote access VPN connections.

• Restricted network. This is a separate logical or physical network that contains:

• Remediation servers. These are computers that contain health update resources that NAP clients can access to remediate their noncompliant state. Examples include antivirus signature distribution servers and software update servers.

• NAP clients with limited access. These are computers placed on the restricted network when they do not comply with health-requirement policies.


How VPN Enforcement Determines Remote Access

Key Points
VPN enforcement uses a set of remote-access IP packet filters to limit VPN client traffic so that it can reach only the resources on the restricted network. The VPN server applies the IP packet filters to the IP traffic that it receives from the VPN client, and silently discards all packets that do not correspond to a configured packet filter.

VPN Enforcement Process

The following process occurs when a NAP-capable VPN client connects to a NAP-capable VPN server:

1. VPN Initiation. The VPN client initiates a connection to the VPN server. The VPN server requests that the VPN client identify itself. The NAP enforcement client (EC) on the VPN client responds, providing the VPN client’s user name.

2. Request SSoH. The VPN server sends this response to the NAP health policy server. The NAP health policy server contacts the VPN client, and the two exchange a series of messages to negotiate a secure session. Then the NAP health policy server sends a System Statement of Health (SSoH) request to the VPN client.

3. Generate SSoH. The VPN NAP EC, on the client, queries the local NAP Agent for the SSoH and passes it to the NAP health policy server.

4. Authentication. The NAP health policy server requests that the VPN client authenticate itself, and the VPN client authenticates itself to the NAP health policy server.

5. Generate SoHR. The NPS service on the NAP health policy server passes the SSoH to the NAP Administration Server component, which in turn passes it to the appropriate System Health Validators (SHVs). The SHVs analyze their SoH contents and return Statement of Health Responses (SoHRs) to the NAP Administration Server, which in turn passes them to the NPS.

6. Compare SoHR with health policies. The NPS service compares the SoHRs with the configured health policies and creates the SSoHR, and then sends the SSoHR to the VPN client.

7. Determine access. The NPS service sends a RADIUS Access-Accept message to the VPN server:


• If the VPN connection is limited, the RADIUS Access-Accept message also contains a set of IP packet filters that limit the VPN client to the restricted network.

• If the VPN connection is unlimited, the RADIUS Access-Accept message does not contain IP packet filters to limit network access. After the VPN connection completes, the NAP client will have unlimited network access.

8. Complete connection. The VPN client and VPN server complete the VPN connection.

If the VPN client is noncompliant, the VPN connection has the packet filters applied, and the VPN client only can reach the resources on the restricted network.


Lesson 4

Configuring VPN Enforcement Using NAP

To ensure the correct configuration of VPN enforcement with NAP, you must understand which components you must deploy and how to configure the required settings.

Objectives
After completing this lesson, you will be able to:

• Configure a VPN server to support NAP.

• Describe how System Health Validators are used to define requirements.

• Describe how Health Policies are used to designate configuration requirements.

• Describe the concept of Remediation servers.

• Describe general configuration settings for the NAP components.

• Configure NAP policies for VPN enforcement.

• Configure client settings to support NAP for VPN access.


What Is a System Health Validator?

Key Points
SHAs and SHVs, which are NAP infrastructure components, provide health-state tracking and validation. Windows 7 includes a Windows Security Health Validator SHA that monitors the Windows Security Center settings. Windows Server 2008 R2 includes a corresponding Windows Security Health Validator SHV. NAP is designed to be flexible and extensible, and interoperates with any vendor’s software that provides SHAs and SHVs that use the NAP API.

An SHV receives a SoH from the NAP Administration Server and compares the system health status information in the SoH with the required system health state. For example, if the SoH is from an antivirus SHA and contains the last virus-signature file version number, the corresponding antivirus SHV can check with the antivirus health requirement server for the latest version number to validate the NAP client’s SoH.

The SHV returns a SoHR to the NAP Administration Server. The SoHR can contain information about how the corresponding SHA on the NAP client can meet current system-health requirements. For example, the SoHR that the antivirus SHV sends could instruct the NAP client’s antivirus SHA to request the latest version of the antivirus signature file from a specific antivirus signature server, identified by name or IP address.


What Is a Health Policy?

Key Points
Health policies consist of one or more SHVs and other settings that allow you to define client-computer configuration requirements for the NAP-capable computers that attempt to connect to your network.

When NAP-capable clients attempt to connect to the network, the client computer sends a SoH to the NPS. The SoH is a report of the client configuration state, and NPS compares the SoH with the requirements that the health policy defines. If the client configuration state does not match the requirements that the health policy defines, NPS takes one of the following actions, depending on the NAP configuration:

• It rejects the connection request.

• It places the NAP client on a restricted network where it can receive updates from remediation servers that bring the client into compliance with health policy. After the NAP client achieves compliance, NPS enables it to connect.

• It allows the NAP client to connect to the network despite its noncompliance with health policy.

You can define NPS client-health policies by adding one or more SHVs to the health policy.

After you configure a health policy with one or more SHVs, you can add it to the Health Policies condition of a network policy that you want to use to enforce NAP when client computers attempt connection to your network.


Overview of VPN NAP Enforcement Configuration

Key Points
To correctly establish VPN NAP enforcement, you must complete the following high-level configuration tasks.

NAP Health Policy Server
You must define the following on the NAP health policy server:

• RADIUS clients. If you deployed Routing and Remote Access on a separate server computer, you must configure the NAP VPN server as a RADIUS client in NPS.

• Connection request policy. Configure the following settings:

• Source is set to remote access server.

• Policy is configured to authenticate requests on this server.

• Override network policy authentication settings is selected.

• Protected Extensible Authentication Protocol (PEAP) is configured to enable health checks and allow secure password or certificate-based authentication.

• Network policies. Configure the following settings:

• Source is set to remote access server.

• Compliant, noncompliant, and non-NAP-capable policies are set to grant access.

• Compliant network policy conditions are set to require the client to match compliant health policy.

• Noncompliant network policy conditions are set to require the client to match noncompliant health policy.

• Non-NAP-capable network policy conditions are set to require that the client is not NAP-capable.


• Access settings: Full access is granted for compliant computers. In full enforcement mode, limited access is granted for noncompliant computers. Either full or limited access is granted for non-NAP-capable computers. If remediation server groups are not used, IP filters are configured in noncompliant policy settings and, optionally, in non-NAP-capable policy settings to provide restricted access.

• Health policies. Configure the following settings:

• Compliant health policy is set to pass selected SHVs.

• Noncompliant policy is set to fail selected SHVs.

• System health validators. Error codes are configured, and depending on the SHV, health checks are configured on the NAP health policy server or the health requirement server.

• Remediation server groups. Remediation server groups are required if IP filters are not used to configure restricted access settings.
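As an added illustration (not part of this handbook and not Microsoft’s NPS code), the following PowerShell models how the health policy server combines the settings above with steps 5 to 7 of the VPN enforcement process: SHV results are matched against the Compliant and Noncompliant health policies, the first network policy whose conditions match is chosen, and the Access-Accept carries the restricted-network IP filters only for limited access. Policy names and the 10.10.0.10 remediation host follow this module’s lab; the hashtable layout and function names are constructed for the example.

```powershell
# Added illustration, not Microsoft's NPS engine: a constructed model of how NPS
# evaluates a NAP VPN client. Policy names and the 10.10.0.10 remediation host
# follow this module's lab; the hashtable layout is an assumption for the example.

# Health policies: which SHVs they contain and how the SHV results must come out,
# matching the two options in the NPS console ("passes all" / "fails one or more").
$HealthPolicies = @(
    @{ Name = 'Compliant';    Shvs = @('Windows Security Health Validator'); Check = 'PassAll' }
    @{ Name = 'Noncompliant'; Shvs = @('Windows Security Health Validator'); Check = 'FailOneOrMore' }
)

# Restricted-network filters: only the remediation server is reachable (lab step 15.d.ii).
$RestrictedFilters = @(
    'IPv4 input  filter: destination 10.10.0.10/255.255.255.255',
    'IPv4 output filter: source      10.10.0.10/255.255.255.255'
)

# Network policies in processing order; the first policy whose conditions match wins.
# All three use "Access granted": that alone never decides full versus limited access.
$NetworkPolicies = @(
    @{ Name = 'Compliant-Full-Access';   NapCapable = $true;  HealthPolicy = 'Compliant';    Enforcement = 'Full';    Filters = @() }
    @{ Name = 'Noncompliant-Restricted'; NapCapable = $true;  HealthPolicy = 'Noncompliant'; Enforcement = 'Limited'; Filters = $RestrictedFilters }
    @{ Name = 'Non-NAP-Capable';         NapCapable = $false; HealthPolicy = $null;          Enforcement = 'Limited'; Filters = $RestrictedFilters }
)

function Test-HealthPolicy {
    # $SoHResults maps SHV name -> $true (SoHR: compliant) / $false (SoHR: noncompliant).
    param([hashtable]$Policy, [hashtable]$SoHResults)
    $results = foreach ($shv in $Policy.Shvs) { [bool]$SoHResults[$shv] }
    switch ($Policy.Check) {
        'PassAll'       { return -not ($results -contains $false) }
        'FailOneOrMore' { return ($results -contains $false) }
    }
    return $false
}

function Get-NapAccessDecision {
    param([bool]$NapCapable, [hashtable]$SoHResults)
    foreach ($np in $NetworkPolicies) {
        if ($np.NapCapable -ne $NapCapable) { continue }
        if ($np.HealthPolicy) {
            $hp = $HealthPolicies | Where-Object { $_.Name -eq $np.HealthPolicy }
            if (-not (Test-HealthPolicy -Policy $hp -SoHResults $SoHResults)) { continue }
        }
        # Step 7 of the enforcement process: Access-Accept, with IP filters only for limited access.
        # New-Object is used instead of [pscustomobject] so this also runs on Windows PowerShell 2.0.
        return New-Object PSObject -Property @{
            Policy  = $np.Name
            Radius  = 'Access-Accept'
            Access  = $np.Enforcement
            Filters = $np.Filters
        }
    }
    # No network policy matched (a configuration gap): NPS rejects the request.
    return New-Object PSObject -Property @{ Policy = $null; Radius = 'Access-Reject'; Access = 'None'; Filters = @() }
}

# Constructed sample clients: firewall check passed, firewall check failed, and a non-NAP client.
$wshv = 'Windows Security Health Validator'
Get-NapAccessDecision -NapCapable $true  -SoHResults @{ $wshv = $true }    # Compliant-Full-Access, no filters
Get-NapAccessDecision -NapCapable $true  -SoHResults @{ $wshv = $false }   # Noncompliant-Restricted, filters to 10.10.0.10
Get-NapAccessDecision -NapCapable $false -SoHResults @{}                   # Non-NAP-Capable policy
```

Reordering the network policies, or giving the noncompliant policy no filters, shows why "Access granted" on every policy is harmless only while the enforcement setting and IP filters are correct.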

NAP VPN Server
You must define the following on the NAP VPN server:

• Authentication provider. If the NAP VPN server and the NAP health policy server are on different computers, you must configure the NAP VPN server for RADIUS authentication by using the NAP health policy server.

• Authentication methods. Configure the NAP VPN server to allow the PEAP authentication method.

• Client address assignment. Choose whether to assign VPN clients an IPv4 address by using DHCP or a static address pool.

VPN NAP-Enabled Client Computer
You must define the following settings on a VPN NAP-enabled client computer:

• NAP Agent service. You can start the NAP Agent service by using either Group Policy or local policy settings.

• VPN connection. You must configure a VPN connection on each client computer. You must configure logon security settings to use Protected Extensible Authentication Protocol (PEAP) with either MSCHAP v2 or certificate-based authentication.

• Quarantine checks. When configuring client PEAP properties in the advanced security settings of the VPN connection, you must select the Enable Quarantine checks check box.

• Remote access enforcement client. You can enable the remote access enforcement client with either Group Policy or local policy settings.


Demonstration: How to Configure NAP for VPN Enforcement

Key Points
In this demonstration, you will see how to:

• Configure the NPS role for NAP.

• Create VPN NAP policies.

• Configure VPN enforcement on the NPS server.

Demonstration Steps:

1. Install the required certificate on the VPN server.

2. Configure the NPS server as a health policy server.

3. Configure System Health Validators.

4. Configure Health Policies.

5. Configure Network Policies.


Client Settings to Support NAP

Key Points
You should remember these basic guidelines when you configure NAP clients:

• Some NAP deployments that use Windows Security Health Validator require that you enable Security Center. For example, both Windows Vista and Windows XP with SP3 require Security Center to be enabled.

• The Network Access Protection service is required when you deploy NAP to NAP-capable client computers. By default, this service is not started.

• You also must configure the NAP enforcement clients on the NAP-capable computers.

Enable Security Center in Group Policy
You can use this procedure to enable Security Center on NAP-capable clients by using Group Policy. Some NAP deployments that use Windows Security Health Validator require Security Center.

Note: To complete this procedure, you must be a member of the Domain Admins group, the Enterprise Admins group, or the Administrators group on the local computer.

To enable Security Center in Group Policy:

1. Open the Group Policy Management console, and then click Add.

2. In the Select Group Policy Object dialog box, click Finish, and then click OK.

3. In the console tree, double-click Local Computer Policy, double-click Computer Configuration, double-click Administrative Templates, double-click Windows Components, and then double-click Security Center.

4. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
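The following PowerShell is an added example (not from this handbook) that applies the three client-side settings covered in this topic and in the VPN NAP-enabled client computer overview from an elevated prompt rather than the console: the Security Center policy value, the NAP Agent service, and the remote access enforcement client. It assumes that the enforcement client ID for the Remote Access Quarantine Enforcement Client is 79618, as listed by netsh nap client show config, and that SecurityCenterInDomain is the registry value behind the Group Policy setting in step 4; confirm both on your own systems before relying on them.

```powershell
# Added example, not Microsoft's code: command-line equivalents of the client settings
# this topic describes. Run in an elevated Windows PowerShell on the VPN client.
# A domain Group Policy that configures NAP client settings overrides the local
# settings made here, so check gpresult if the final state does not match.

# Assumption: ID of the "Remote Access Quarantine Enforcement Client" as shown by
# 'netsh nap client show config'; replace if your client lists a different value.
$RemoteAccessEcId = 79618

# 1. Security Center. Assumption: this is the value written by the policy
#    "Turn on Security Center (Domain PCs only)" (step 4 above).
$scKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SecurityCenter'
if (-not (Test-Path $scKey)) { New-Item -Path $scKey -Force | Out-Null }
Set-ItemProperty -Path $scKey -Name 'SecurityCenterInDomain' -Value 1 -Type DWord

# 2. NAP Agent service (service name napagent): not started by default, but every
#    enforcement client depends on it, so make it automatic and start it now.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent

# 3. Enforcement client: enable only the one this deployment uses (VPN / remote access).
#    Leaving the others disabled keeps the client from being quarantined by
#    enforcement methods the organization has not deployed.
netsh nap client set enforcement ID = $RemoteAccessEcId ADMIN = "ENABLE"

# Verification. Win32_Service is used rather than Get-Service so that the startup
# mode is visible on Windows PowerShell 2.0 as well.
Get-WmiObject -Class Win32_Service -Filter "Name='napagent'" |
    Select-Object Name, State, StartMode
netsh nap client show config    # enforcement clients and which are enabled
netsh nap client show state     # agent state, SHAs and enforcement clients as the agent sees them
```

The Enable Quarantine checks setting in the PEAP properties of the VPN connection itself is still configured in the connection properties as described earlier in this lesson.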


Lab B: Implementing NAP into a VPN Remote Access Solution

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

5. Repeat steps 2 to 4 for 6419B-NYC-EDGE1 and 6419B-NYC-CL1.

Lab Scenario

Contoso, Ltd. is required to extend its virtual private network solution to include Network Access Protection.

There have been a number of problems with users connecting to the Contoso network with a VPN from their unmanaged home computers. It is important to ensure that these computers are in compliance with Contoso health policies.

As a Contoso, Ltd. technology specialist, you need to establish a way to bring client computers automatically into compliance. You will do this by using Network Policy Server, creating client compliance policies, and configuring a NAP server to check the current health of computers.


For this project, you must complete the following tasks:

• Configure NAP Server Components

• Configure NAP for VPN clients


Exercise 1: Configuring NAP Components

Scenario
In this exercise, you will configure the required server-side components to support the Contoso, Ltd. requirement.

The main tasks for this exercise are as follows:

1. Configure a computer certificate.

2. Configure NYC-EDGE1 with NPS functioning as a health policy server.

3. Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) configured as a VPN server.

4. Allow ping on NYC-EDGE1.

Task 1: Configure a computer certificate

1. Switch to the NYC-DC1 virtual server.

2. Open the Certification Authority tool.

3. From the Certificate Templates console, open the properties of the Computer certificate template.

4. On the Security tab, grant the Authenticated Users group the Allow Enroll permission.

5. Close the Certification Authority tool.

Task 2: Configure NYC-EDGE1 with NPS functioning as a health policy server

1. Switch to the NYC-EDGE1 computer. Create a management console by running mmc.exe.

2. Add the Certificates snap-in with the focus on the local computer account.

3. Navigate to the Personal certificate store and click Request New Certificate.

4. On the Select Certificate Enrollment Policy page, click Active Directory Enrollment Policy and then click Next.

5. Enroll the Computer certificate listed.

6. Close the console and do not save the console settings.

7. Using Server Manager, install the NPS Server with the following role services: Network Policy Server and Remote Access Service.

8. Open the Network Policy Server tool.

9. Under Network Access Protection, open Default Configuration for the Windows Security Health Validator.

10. On the Windows 7/Windows Vista tab, clear all check boxes except A firewall is enabled for all network connections.

11. Create a health policy with the following settings:

a. Name: Compliant

b. Client SHV checks: Client passes all SHV checks

c. SHVs used in this health policy: Windows Security Health Validator

12. Create a health policy with the following settings:

a. Name: Noncompliant


b. Client SHV checks: Client fails one or more SHV checks

c. SHVs used in this health policy: Windows Security Health Validator

13. Disable all existing network policies.

14. Configure a new network policy with the following settings:

a. Name: Compliant-Full-Access

b. Conditions: Health Policies = Compliant

c. Access permissions: Access granted

d. Settings: NAP Enforcement = Allow full network access

15. Configure a new network policy with the following settings:

a. Name: Noncompliant-Restricted

b. Conditions: Health Policies = Noncompliant

c. Access permissions: Access granted

Note: A setting of Access granted does not mean that noncompliant clients are granted full network access. It specifies that the policy should continue to evaluate the clients matching these conditions.

d. Settings:

i. NAP Enforcement = Allow limited access is selected and Enable auto-remediation of client computers is not selected.

ii. IP Filters = IPv4 input filter, Destination network = 10.10.0.10/255.255.255.255 and IPv4 output filter, Source network = 10.10.0.10/255.255.255.255.

16. Disable existing connection request policies.

17. Create a new Connection Request Policy with the following settings:

a. Policy name: VPN connections

b. Type of network access server: Remote Access Server (VPN-Dial up)

c. Conditions: Tunnel type = L2TP, SSTP, and PPTP

d. Authenticate requests on this server = True

e. Authentication methods:

i. Select Override network policy authentication settings

ii. Add Microsoft: Protected EAP (PEAP).

iii. Add Microsoft: Secured password (EAP-MSCHAP v2)

f. Edit Microsoft: Protected EAP (PEAP) to ensure that Enforce Network Access Protection is enabled.

18. Close the Network Policy Server console.

Task 3: Configure NYC-EDGE1 with the Routing and Remote Access Service (RRAS) configured as a VPN server

1. On NYC-EDGE1, open Routing and Remote Access.

2. Select Configure and Enable Routing and Remote Access.

3. Use the following settings to complete configuration:

a. Select Remote access (dial-up or VPN).

b. Select the VPN check box.

c. Choose the interface called Public and clear the Enable security on the selected interface by setting up static packet filters check box.

d. IP Address Assignment: From a specified range of addresses:

i. 10.10.0.100 > 10.10.0.110

e. Complete the process by accepting defaults when prompted and confirming any messages by clicking OK.

4. In the Network Policy Server console, click the Connection Request Policies node and disable Microsoft Routing and Remote Access Service Policy. This policy was created automatically when Routing and Remote Access was enabled.

5. Close the Network Policy Server management console and the Routing and Remote Access console.

Task 4: Allow ping on NYC-EDGE1

1. Open Windows Firewall with Advanced Security.

2. Create an Inbound Rule with the following properties:

a. Type: Custom

b. All programs

c. Protocol type: Select ICMPv4 and then click Customize

i. Specific ICMP types: Echo Request

d. Default scope

e. Action: Allow the connection

f. Default profile

g. Name: ICMPv4 echo request

3. Close the Windows Firewall with Advanced Security console.

Results: In this exercise, you configured and enabled a VPN-enforced NAP scheme.

Exercise 2: Configuring Client Settings to support NAP

Scenario

In this exercise, you will implement a VPN on NYC-CL1 and test the computer’s health against the NAP configuration you previously created.

The main tasks for this exercise are as follows:

1. Configure Security Center

2. Enable client NAP enforcement

3. Move the client to the Internet

4. Create a VPN on NYC-CL1

Task 1: Configure Security Center

1. Switch to the NYC-CL1 computer.

2. Open the Local Group Policy Editor (gpedit.msc) and enable the Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Security Center/Turn on Security Center (Domain PCs only) setting.

3. Close the Local Group Policy Editor.

Task 2: Enable client NAP enforcement

1. Run the NAP Client Configuration tool (napclcfg.msc).

2. Under Enforcement Clients, enable EAP Quarantine Enforcement Client.

3. Close the NAP Client Configuration tool.

4. Run services.msc and configure the Network Access Protection Agent service for automatic startup.

5. Start the service.

6. Close the services console.

Task 3: Move the client to the Internet

1. Reconfigure the network settings of NYC-CL1 by changing the following Local Area Connection Internet Protocol Version 4 (TCP/IPv4) settings:

a. IP address: 131.107.0.20

b. Subnet mask: 255.255.255.0

c. Default gateway: blank

d. Preferred DNS server: blank

2. Verify that you can successfully ping 131.107.0.2.

Task 4: Create a VPN on NYC-CL1

1. Create a new VPN connection with the following properties:

a. Internet address to connect to: 131.107.0.2

b. Destination name: Contoso VPN

c. Allow other people to use this connection: True

d. User name: Administrator

e. Password: Pa$$word

f. Domain: CONTOSO

2. After you have created the VPN, modify its settings by viewing the properties of the connection and then selecting the Security tab. Use the following settings to reconfigure the VPN:

a. Authentication type: Microsoft: Protected EAP (PEAP) (encryption enabled).

b. Properties of this authentication type:

i. Validate server certificate: true

ii. Connect to these servers: false

iii. Authentication method: Secured password (EAP-MSCHAP v2)

iv. Enable Fast Reconnect: false

v. Enforce Network Access Protection: true

3. Test the VPN connection:

a. In the Network Connections window, right-click the Contoso VPN connection, and then click Connect.

b. In the Connect Contoso VPN window, click Connect.

c. View the details of the Windows Security Alert. Ensure that the correct certificate information is displayed and then click Connect.

4. Verify that your computer meets the health requirements of the NAP policy:

a. Use IPCONFIG /all to verify that the System Quarantine State is Not Restricted.

b. Ping 10.10.0.10.

5. Disconnect the Contoso VPN.

6. Configure Windows Security Health Validator to require an antivirus application:

a. Switch to NYC-EDGE1 and open Network Policy Server.

b. Modify the Default Configuration of the Windows Security Health Validator so that the An antivirus application is on check box is enabled for the Windows 7/Windows Vista selection.

7. Switch back to NYC-CL1 and reconnect the VPN.

8. Verify your computer does not meet the health requirements of the NAP policy:

a. Verify that a message is displayed in the Action Center that states that the computer doesn’t meet security standards.

b. Use IPCONFIG /all to verify that the System Quarantine State is Restricted.

9. Disconnect the VPN.

Results: At the end of this exercise, you will have enabled and configured a VPN NAP enforcement policy for Contoso.
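The client-side steps of Exercise 2 (Tasks 1 to 3) as commands, plus a check for the System Quarantine State that steps 4 and 8 of Task 4 read from IPCONFIG /all. This is an added example, not part of the 6419B lab text; it assumes the registry value shown is the one written by the Turn on Security Center (Domain PCs only) policy and that 79623 is the ID netsh uses for the EAP Quarantine Enforcement Client.

```powershell
# Added example, not part of the 6419B lab text: Exercise 2, Tasks 1-3 on NYC-CL1 as
# commands run from an elevated PowerShell prompt, plus a function that reads the
# System Quarantine State the lab checks with IPCONFIG /all.
# Assumptions: the registry value below is the one set by the "Turn on Security Center
# (Domain PCs only)" policy, and 79623 is the ID netsh uses for the EAP Quarantine
# Enforcement Client. Confirm both against gpedit.msc and napclcfg.msc on your build.

# Task 1: turn on Security Center for a domain-joined PC (local policy equivalent).
$scKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SecurityCenter'
if (-not (Test-Path $scKey)) { New-Item -Path $scKey -Force | Out-Null }
Set-ItemProperty -Path $scKey -Name 'SecurityCenterInDomain' -Value 1 -Type DWord

# Task 2: enable the EAP enforcement client, then make the NAP agent start automatically.
netsh nap client set enforcement ID = 79623 ADMIN = "ENABLE"
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent
netsh nap client show state        # lists enforcement clients and the agent's restricted state

# Task 3: move NYC-CL1 to the "Internet" subnet: static address, no gateway, no DNS server.
$nic = 'Local Area Connection'
netsh interface ipv4 set address name="$nic" source=static address=131.107.0.20 mask=255.255.255.0 gateway=none
netsh interface ipv4 set dnsservers name="$nic" source=static address=none
Test-Connection -ComputerName 131.107.0.2 -Count 2 -Quiet    # the ping check in Task 3, step 2

# Task 4, steps 4b and 8b: read the quarantine state the same way the lab does.
function Get-NapQuarantineState {
    param([string[]]$IpconfigOutput = (ipconfig /all))
    # ipconfig prints "System Quarantine State . . . : Restricted" (or "Not Restricted")
    # only while a NAP-enforced connection such as the Contoso VPN is up.
    $line = $IpconfigOutput | Where-Object { $_ -match 'System Quarantine State' } |
        Select-Object -First 1
    if (-not $line) { return 'Unknown (no NAP-enforced connection active)' }
    return ($line -split ':\s*', 2)[1].Trim()
}

# Run once with the compliant client (step 4) and again after the antivirus check is
# added on NYC-EDGE1 (step 8) to see the state change.
Get-NapQuarantineState
```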

To prepare for the next lab

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert .

4. Repeat these steps for 6419B-NYC-EDGE1 and 6419B-NYC-CL1.

Lesson 5

Overview of DirectAccess

Organizations often rely on VPN connections to provide remote users with secure access to data and resources on the corporate network. VPN connections are easy to configure and are supported by a variety of clients. However, a VPN connection must first be established by the user, and it may require additional configuration on the corporate firewall. Also, VPN connections usually enable remote access to the entire corporate network. Moreover, organizations cannot effectively manage remote computers. To overcome such limitations of VPN connections, organizations can implement DirectAccess, available in Windows Server 2008 R2 and Windows 7, to provide a seamless connection between the internal network and the remote computer whenever there is Internet connectivity. Using DirectAccess, organizations can easily manage remote computers.

Objectives

After completing this lesson, you will be able to:

• Discuss challenges of typical VPN connections.

• Describe the features and benefits of DirectAccess.

• Describe the components required to implement DirectAccess.

• Describe the use of the Name Resolution Policy table.

• Describe how DirectAccess works for internally connected clients.

• Describe how DirectAccess works for externally connected clients.

• Describe how a DirectAccess client determines its location.

• Describe how to configure DirectAccess.

Discussion: Challenges of VPN Connections

Key Points

What are some of the challenges you face when implementing VPNs?

What Is DirectAccess?

Key Points

Windows Server 2008 R2 and Windows 7 include a feature called DirectAccess that enables seamless remote access to intranet resources without first establishing a VPN connection. The DirectAccess feature also ensures seamless connectivity to the application infrastructure for internal users and remote users.

Unlike VPNs, which require user intervention to initiate a connection to an intranet, DirectAccess enables any application on the client computer to have complete access to intranet resources. DirectAccess also enables you to specify resources and client-side applications that are restricted for remote access.

Organizations benefit from DirectAccess because remote computers can be managed as if they are local computers, using the same management and update servers, to ensure they are always up to date and in compliance with security and system health policies. You can also define more detailed access control policies for remote access than you can in VPN solutions.

DirectAccess is designed with the following benefits:

• Always-on connectivity. Whenever the user connects the client computer to the Internet, the client computer is also connected to the intranet. This connectivity enables remote client computers to access and update applications easily. It also makes intranet resources always available and enables users to connect to the corporate intranet from anywhere at any time, thereby improving their productivity and performance.

• Seamless connectivity. DirectAccess provides a consistent connectivity experience regardless of whether the client computer is local or remote. This allows users to focus more on productivity and less on connectivity options and procedures. This consistency can reduce training costs for users and result in fewer support incidents.

• Bidirectional access. DirectAccess can be configured so that DirectAccess clients not only have access to intranet resources, but the intranet also has access to those DirectAccess clients. Therefore, DirectAccess can be bidirectional so that DirectAccess users have access to intranet resources, and you can have access to DirectAccess clients when they are connecting over a public network. This ensures that the client computers are always updated with recent security patches, the domain Group Policy is enforced, and there is no difference whether users are on the corporate intranet or on the public network.

This bidirectional access also results in:

• Decreased update time.

• Increased security.

• Decreased update miss rate.

• Improved compliance monitoring.

• Improved security. Unlike traditional VPNs, DirectAccess offers many levels of access control to network resources. This tighter degree of control allows security architects to precisely control which remote users can access specified resources. IPsec encryption is used to protect DirectAccess traffic so that users can be sure that their communication is safe. You can use a granular policy to define who can use DirectAccess and from where.

• Integrated solution. DirectAccess fully integrates with Server and Domain Isolation and NAP solutions, resulting in the seamless integration of security, access, and health requirement policies between the intranet and remote computers.

DirectAccess Infrastructure Components

Key Points

To deploy and configure DirectAccess, your organization must support the following infrastructure components.

DirectAccess Server

• The server must be joined to an Active Directory domain.

• The server must be running Windows Server 2008 R2.

• The server must have at least two physical network adapters installed, one connected to the Internet and the other to the intranet.

• The server must have at least two consecutive static, public IPv4 addresses assigned to the network adapter that is connected to the Internet.

• The server should not be placed behind a NAT.

On the DirectAccess server, you can install the DirectAccess Management Console feature by using Server Manager. You can use the DirectAccess Management Console to configure DirectAccess settings for the DirectAccess server and clients and to monitor the status of the DirectAccess server. You may need more than one DirectAccess server, depending on the deployment and scalability requirements.

DirectAccess Clients

To deploy DirectAccess, you also need to ensure that the client meets certain requirements:

• The client should be joined to an Active Directory domain.

• The client should be running Windows 7 Ultimate Edition, Windows 7 Enterprise Edition, or Windows Server 2008 R2.

• The client must have a relevant computer certificate with which to identify itself.

Note: You cannot deploy DirectAccess on clients running Windows Vista, Windows Server 2008, or other earlier versions of Windows operating systems.

DirectAccess Servers

Generally installed in the perimeter network, these servers provide intranet connectivity for DirectAccess clients on the Internet.

Network Location Server

DirectAccess clients use the network location server (NLS) to determine their location. If the client can connect to the NLS with HTTPS, then the client assumes it is on the intranet and disables DirectAccess components. If the NLS is not contactable, the client assumes it is on the Internet. The NLS is installed with the Web Server role.

Active Directory Domain

You must deploy at least one Active Directory domain with at least one Windows Server 2008 R2 or Windows Server 2008–based domain controller, though it is not necessary to raise the domain or forest functional levels to Windows Server 2008 R2.

PKI

You must implement a PKI to issue computer certificates for authentication and, where desirable, health certificates when using NAP. You need not implement public certificates.

Group Policy

Although not required, it is easier to use Group Policy to provide centralized administration and deployment of DirectAccess settings instead of relying on the Netsh command-line tool. The DirectAccess Setup Wizard creates a set of Group Policy objects and settings for DirectAccess clients, the DirectAccess server, and selected servers.

DNS Server

At least one DNS server running Windows Server 2008 R2, Windows Server 2008 with the Q958194 hotfix (http://go.microsoft.com/fwlink/?LinkID=159951), Windows Server 2008 SP2 or later, or a third-party DNS server that supports DNS message exchanges over the Intra-Site Automatic Tunnel Addressing Protocol (ISATAP).

What Is the Name Resolution Policy Table?

Key Points

To separate Internet traffic from intranet traffic for DirectAccess, Windows Server 2008 R2 and Windows 7 include the Name Resolution Policy Table (NRPT), a feature that allows DNS servers to be defined per DNS namespace rather than per interface. The NRPT stores a list of rules. Each rule defines a DNS namespace and configuration settings that describe the DNS client’s behavior for that namespace. When a DirectAccess client is on the Internet, each name query request is compared with the namespace rules stored in the NRPT. If a match is found, the request is processed according to the settings in the NRPT rule.

If a name query request does not match a namespace listed in the NRPT, the request is sent to the DNS servers configured in the TCP/IP settings for the specified network interface. For a remote client, the DNS servers will typically be the Internet DNS servers configured through the Internet service provider (ISP). For a DirectAccess client on the intranet, the DNS servers will typically be the intranet DNS servers configured through Dynamic Host Configuration Protocol (DHCP).

Single-label names, such as http://internal, will typically have the configured DNS search suffixes appended to the name before they are checked against the NRPT.

If no DNS search suffixes are configured and the single-label name does not match any other single-label name entry in the NRPT, the request will be sent to the DNS servers specified in the client’s TCP/IP settings.

Namespaces, for example, internal.contoso.com, are entered into the NRPT, followed by the DNS servers to which requests matching that namespace should be directed. If an IP address is entered for the DNS server, all DNS requests will be sent directly to the DNS server over the DirectAccess connection. You need not specify any additional security for such configurations. However, if a name is specified for the DNS server, such as dns.contoso.com in the NRPT, the name must be publicly resolvable when the client queries the DNS servers specified in its TCP/IP settings.

The NRPT allows DirectAccess clients to use intranet DNS servers for name resolution of internal resources and Internet DNS servers for name resolution of other resources. Dedicated DNS servers are not required for name resolution. DirectAccess is designed to prevent the exposure of your intranet namespace to the Internet.

Some names need to be treated differently with regard to name resolution; these names should not be resolved by using intranet DNS servers. To ensure that these names are resolved with the DNS servers specified in the client’s TCP/IP settings, you must add them as NRPT exemptions.

The NRPT is controlled through Group Policy. When the computer is configured to use the NRPT, the name resolution mechanism first tries the local name cache, second the hosts file, then the NRPT, and finally sends the query to the DNS servers specified in the TCP/IP settings.
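A small model of the NRPT decision described in this topic (suffix rules, single-label names with search suffixes, exemptions, and fallback to the interface DNS servers), run against a constructed rule table. This is an added example, not part of the course text; the namespaces, the intranet DNS address 2001:db8::53 and the NLS name are made up, and the function does not read the client's real NRPT.

```powershell
# Added example, not part of the course text: a model of the NRPT lookup described
# above. The rule table, the intranet DNS address (2001:db8::53) and the NLS name are
# constructed for illustration; the real table is shown by
# "netsh namespace show effectivepolicy". Note that the NRPT is consulted only after
# the local name cache and the hosts file have been checked.

# Constructed NRPT. A leading dot means "names ending in this suffix". An exemption
# rule sends the name to the interface DNS servers instead of the intranet DNS
# server, which is what the network location server name needs.
$Nrpt = @(
    @{ Namespace = '.internal.contoso.com';    DnsServer = '2001:db8::53'; Exempt = $false },
    @{ Namespace = 'nls.internal.contoso.com'; DnsServer = $null;          Exempt = $true  },
    @{ Namespace = 'intranet';                 DnsServer = '2001:db8::53'; Exempt = $false }
)

function Resolve-NrptServer {
    param(
        [string]$Name,
        [string[]]$SearchSuffixes = @(),
        [switch]$NlsReachable,            # client reached the NLS over HTTPS: it is on the intranet
        [array]$Rules = $Nrpt,
        [string]$InterfaceDns = 'interface DNS (TCP/IP settings)'
    )
    $Name = $Name.TrimEnd('.').ToLower()
    # On the intranet the DirectAccess rules are removed from the NRPT, so nothing matches.
    if ($NlsReachable) { return "$Name -> $InterfaceDns (DirectAccess NRPT rules removed)" }

    # Single-label names get each configured search suffix appended before the check.
    $candidates = @($Name)
    if (($Name -notlike '*.*') -and ($SearchSuffixes.Count -gt 0)) {
        $candidates = @($SearchSuffixes | ForEach-Object { "$Name.$($_.TrimStart('.').ToLower())" })
    }
    foreach ($candidate in $candidates) {
        # The longest matching namespace wins, so the NLS exemption beats its parent suffix rule.
        $match = $Rules | Where-Object {
            $ns = $_.Namespace.ToLower()
            if ($ns.StartsWith('.')) { $candidate.EndsWith($ns) } else { $candidate -eq $ns }
        } | Sort-Object { $_.Namespace.Length } -Descending | Select-Object -First 1
        if ($match) {
            if ($match.Exempt) { return "$candidate -> $InterfaceDns (NRPT exemption)" }
            return "$candidate -> $($match.DnsServer) over DirectAccess (rule $($match.Namespace))"
        }
    }
    # No rule matched: the query goes to the interface-configured DNS servers (the ISP's, on the Internet).
    return "$Name -> $InterfaceDns (no NRPT match)"
}

# An internal host, the NLS name, a single-label name with a search suffix, an Internet
# name, and the same internal host once the client has found the NLS.
Resolve-NrptServer -Name 'mail.internal.contoso.com'
Resolve-NrptServer -Name 'nls.internal.contoso.com'
Resolve-NrptServer -Name 'fileserver' -SearchSuffixes 'internal.contoso.com'
Resolve-NrptServer -Name 'www.microsoft.com'
Resolve-NrptServer -Name 'mail.internal.contoso.com' -NlsReachable
```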

How DirectAccess Works for Internal Clients

Key Points

The DirectAccess connection process happens automatically, without requiring user intervention. DirectAccess clients use the following process to connect to intranet resources:

1. The DirectAccess client tries to resolve the fully qualified domain name (FQDN) of the network location server URL.

Because the FQDN of the network location server URL corresponds to an exemption rule in the NRPT, the DirectAccess client sends the DNS query to a locally configured DNS server (an intranet-based DNS server). The intranet DNS server resolves the name.

2. The DirectAccess client accesses the HTTPS-based URL of the network location server, during which process it obtains the certificate of the network location server.

3. Based on the Certificate Revocation List (CRL) Distribution Points field of the network location server’s certificate, the DirectAccess client checks the CRL files at the CRL distribution point to determine whether the network location server’s certificate has been revoked.

4. Based on an HTTP 200 Success response from the network location server URL (successful access, certificate authentication, and revocation check), the DirectAccess client removes the DirectAccess rules from the NRPT.

5. The DirectAccess client computer attempts to locate and log on to the AD DS domain using its computer account.

Because there are no longer any DirectAccess rules in the NRPT, all DNS queries are sent via the interface-configured DNS servers (intranet DNS servers).

6. Based on the successful computer logon to the domain, the DirectAccess client assigns the Domain profile to the attached network.

Because the DirectAccess connection security tunnel rules are scoped to the Public and Private profiles, they are removed from the list of active Connection Security rules.

The DirectAccess client has successfully determined that it is connected to its intranet and does not use DirectAccess settings (NRPT rules or Connection Security tunnel rules). It can access intranet resources normally. It can also access Internet resources through normal means, such as a proxy server (not shown).

How DirectAccess Works for External Clients

Key Points

When a DirectAccess client starts, it assumes that it is not connected to the intranet. The NRPT has DirectAccess-based rules, and Connection Security rules for DirectAccess tunnels are active. Internet-connected DirectAccess clients use the following process to connect to intranet resources:

DirectAccess Client Attempts to Access the Network Location Server

1. The client tries to resolve the FQDN of the network location server URL. Because the FQDN of the network location server URL corresponds to an exemption rule in the NRPT, the DirectAccess client sends the DNS query to a locally configured DNS server (an Internet-based DNS server). The Internet DNS server cannot resolve the name.

2. The DirectAccess client keeps the DirectAccess rules in the NRPT.

3. Because the network location server was not found, the DirectAccess client applies the Public or Private profile to the attached network.

4. The Connection Security tunnel rules for DirectAccess, scoped to the Public and Private profiles, remain.

The DirectAccess client has the NRPT rules and Connection Security rules to access intranet resources across the Internet through the DirectAccess server.

DirectAccess Client Attempts to Locate a Domain Controller

After starting up and determining its network location, the DirectAccess client attempts to locate and log on to a domain controller. This process creates the infrastructure tunnel to the DirectAccess server.

1. The DNS name for the domain controller matches the intranet namespace rule in the NRPT, which specifies the IPv6 address of the intranet DNS server. The DNS Client service constructs the DNS name query addressed to the IPv6 address of the intranet DNS server and hands it off to the TCP/IP stack for sending.

2. Before sending the packet, the TCP/IP stack checks to see whether there are Windows Firewall outgoing rules or Connection Security rules for the packet.

3. Because the destination IPv6 address in the DNS name query matches a Connection Security rule corresponding to the infrastructure tunnel, the DirectAccess client uses AuthIP and IPsec to negotiate and authenticate an encrypted IPsec tunnel to the DirectAccess server. The DirectAccess client authenticates itself with its installed computer certificate and its NTLM credentials.

4. The DirectAccess client sends the DNS name query through the infrastructure tunnel to the DirectAccess server.

5. The DirectAccess server forwards the DNS name query to the intranet DNS server, which responds. The DNS name query response is sent back to the DirectAccess server and back through the infrastructure tunnel to the DirectAccess client.

Subsequent domain logon traffic goes through the infrastructure tunnel. When the user on the DirectAccess client logs on, the domain logon traffic goes through the infrastructure tunnel.

DirectAccess Client Attempts to Access Intranet Resources

The first time that the DirectAccess client sends traffic to an intranet location that is not on the list of destinations for the infrastructure tunnel (such as an email server), the following occurs:

1. The application or process attempting to communicate constructs a message or payload and hands it off to the TCP/IP stack for sending.

2. Before sending the packet, the TCP/IP stack checks to see whether there are Windows Firewall outgoing rules or Connection Security rules for the packet.

3. Because the destination IPv6 address matches the Connection Security rule corresponding to the intranet tunnel (which specifies the IPv6 address space of the entire intranet), the DirectAccess client uses AuthIP and IPsec to negotiate and authenticate an additional IPsec tunnel to the DirectAccess server. The DirectAccess client authenticates itself with its installed computer certificate and the user account's Kerberos credentials.

4. The DirectAccess client sends the packet through the intranet tunnel to the DirectAccess server.

5. The DirectAccess server forwards the packet to the intranet resource, which responds. The response is sent back to the DirectAccess server and back through the intranet tunnel to the DirectAccess client.

Subsequent intranet access traffic, which does not match an intranet destination in the infrastructure tunnel Connection Security rule, goes through the intranet tunnel.

DirectAccess Client Attempts to Access Internet Resources

When the user or a process on the DirectAccess client attempts to access an Internet resource (such as an Internet Web server), the following occurs:

1. The DNS Client service passes the DNS name for the Internet resource through the NRPT. There are no matches. The DNS Client service constructs the DNS name query addressed to the IP address of an interface-configured Internet DNS server and hands it off to the TCP/IP stack for sending.

2. Before sending the packet, the TCP/IP stack checks to see whether there are Windows Firewall outgoing rules or Connection Security rules for the packet.

3. Because the destination IP address in the DNS name query does not match the Connection Security rules for the tunnels to the DirectAccess server, the DirectAccess client sends the DNS name query normally.

4. The Internet DNS server responds with the IP address of the Internet resource.


5. The user application or process constructs the first packet to send to the Internet resource. Before sending the packet, the TCP/IP stack checks to see whether there are Windows Firewall outgoing rules or Connection Security rules for the packet.

6. Because the destination IP address does not match the Connection Security rules for the tunnels to the DirectAccess server, the DirectAccess client sends the packet normally.

Subsequent Internet resource traffic, which does not match a destination in either the infrastructure tunnel or the intranet tunnel Connection Security rules, is sent and received normally.
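The decision chain in the three procedures above (NRPT lookup, Connection Security rule match, AuthIP/IPsec tunnel) leaves visible state on the client, which is where a troubleshooter starts when intranet names resolve but traffic never arrives. The following PowerShell function is an added example, not part of the course text: it wraps the netsh contexts that ship with Windows 7 and Windows Server 2008 R2 to collect that state in one object. The text labels it counts ("Settings for", "Rule Name", "Remote IP Address") are assumptions about the field names netsh prints for each NRPT entry, connection security rule and security association; the commands themselves are standard. Run it in an elevated prompt on a DirectAccess client.

```powershell
# Added example (not from the course): gather the client-side state behind the
# NRPT -> Connection Security rule -> IPsec tunnel decision described above.
function Get-DirectAccessClientState {
    # Location the DNS Client service has decided on (inside/outside corporate network)
    $state = netsh dnsclient show state

    # NRPT rules currently in effect: intranet namespaces steered to the DirectAccess
    # DNS server, plus exemptions such as the network location server name
    $nrpt = netsh namespace show effectivepolicy

    # Connection Security rules that outgoing packets are checked against
    $rules = netsh advfirewall monitor show consec

    # Main-mode (AuthIP) SAs: one per authenticated tunnel (infrastructure, intranet).
    # Quick-mode (IPsec) SAs carry the actual traffic inside those tunnels.
    $mmsa = netsh advfirewall monitor show mmsa
    $qmsa = netsh advfirewall monitor show qmsa

    # Assumption: netsh prints one "Remote IP Address" field per SA entry and one
    # "Settings for" / "Rule Name" line per NRPT entry / connection security rule.
    New-Object PSObject -Property @{
        LocationLines   = @($state | Select-String -Pattern 'Location|Direct')
        NrptRuleCount   = @($nrpt  | Select-String -Pattern 'Settings for').Count
        NrptPolicy      = $nrpt
        ConSecRuleCount = @($rules | Select-String -Pattern 'Rule Name').Count
        MainModeSAs     = @($mmsa  | Select-String -Pattern 'Remote IP Address').Count
        QuickModeSAs    = @($qmsa  | Select-String -Pattern 'Remote IP Address').Count
    }
}

# Reading the result: NRPT rules present but zero main-mode SAs after an intranet
# access attempt means the Connection Security rules are not being matched, which
# usually points at the computer certificate, the client's IPv6 prefix, or the
# client not being in the DirectAccess client security group.
Get-DirectAccessClientState | Format-List LocationLines, NrptRuleCount, ConSecRuleCount, MainModeSAs, QuickModeSAs
```

Capturing this object before and after a user logon also makes the two-tunnel model tangible: the infrastructure tunnel (computer certificate plus NTLM) exists before logon, and the second main-mode SA for the intranet tunnel (computer certificate plus user Kerberos) appears only after a user has logged on and touched an intranet resource.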


How a DirectAccess Client Determines Its Location

Key Points

The following information describes how a DirectAccess client determines its network location.

Network Location Server

A network location server is an internal network server that hosts an HTTPS-based URL. DirectAccess clients try to access a network location server URL to determine whether they are located on the intranet or on the public network. The DirectAccess server can also be the network location server. The network location server should be highly available, and the Web server on the network location server does not have to be dedicated just to supporting DirectAccess clients.

It is critical that the network location server is available from each company location, because the behavior of the DirectAccess client depends on the response from the network location server. Branch locations may need a separate network location server at each branch location to ensure that the network location server remains accessible even when there is a link failure between branches.

Intranet Detection

When a DirectAccess client experiences a significant network change event, such as a change in link status or a new IP address, the DirectAccess client assumes that it is not on the intranet and uses DirectAccess rules in the NRPT to determine the location to send DNS name queries. Then, the DirectAccess client attempts to resolve the fully qualified domain name (FQDN) in the URL for the network location server. Because the NRPT has active rules for DirectAccess, the FQDN should either match an exemption rule or no rule in the NRPT so that the DirectAccess client uses interface-configured DNS servers. If a DirectAccess client is not on the intranet, it will not be able to successfully resolve the FQDN of the network location server, and the name resolution will fail.

If the FQDN resolution is successful, the DirectAccess client attempts to connect to the network location server. When the DirectAccess client successfully accesses the HTTPS-based URL of the network location server, it determines that it is on the intranet. The DirectAccess client then removes the DirectAccess NRPT rules from the active table and uses interface-configured DNS servers to resolve all names. If the DirectAccess client cannot access the network location server or its FQDN resolution is not successful, the DirectAccess client assumes that it is on the Internet and establishes a DirectAccess connection.
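The two-step test above (resolve the network location server FQDN, then fetch its HTTPS URL) is simple enough to reproduce, which is useful for the availability requirement stated earlier: if the network location server fails inside a branch, every client there concludes it is on the Internet and tries to establish DirectAccess tunnels to the DirectAccess server. The following PowerShell function is an added example, not code from the course; it performs the same two steps a client performs and is meant to run from a monitoring host in each company location. The URL https://nls.corp.contoso.com/ is a placeholder. It uses only .NET classes available to PowerShell 2.0 on Windows 7 and Windows Server 2008 R2.

```powershell
# Added example (not from the course): reproduce the client's intranet detection
# against the network location server (NLS) so it can be monitored per location.
function Test-NetworkLocation {
    param(
        [Parameter(Mandatory = $true)][string]$NlsUrl,   # placeholder: https://nls.corp.contoso.com/
        [int]$TimeoutMs = 5000
    )
    $uri = [System.Uri]$NlsUrl
    if ($uri.Scheme -ne 'https') { throw 'The network location server URL must be HTTPS.' }

    $result = New-Object PSObject -Property @{
        Fqdn = $uri.Host; Resolved = $false; Reachable = $false; Location = 'Internet'; Detail = ''
    }

    # Step 1: name resolution. The NLS name is exempted from the NRPT, so it is
    # resolved by the interface-configured DNS servers. On the Internet this is
    # expected to fail, because the name exists only in intranet DNS.
    try {
        $addresses = [System.Net.Dns]::GetHostAddresses($uri.Host)
        $result.Resolved = ($addresses.Count -gt 0)
    } catch {
        $result.Detail = "DNS: $($_.Exception.Message)"
        return $result
    }

    # Step 2: HTTPS GET. HttpWebRequest validates the server certificate, so an
    # untrusted NLS certificate or an unreachable CRL fails here exactly as it
    # does for a client, and the client would then behave as if it were on the Internet.
    try {
        $request = [System.Net.HttpWebRequest]::Create($uri)
        $request.Method  = 'GET'
        $request.Timeout = $TimeoutMs
        $response = $request.GetResponse()
        $result.Reachable = ($response.StatusCode -eq [System.Net.HttpStatusCode]::OK)
        $response.Close()
    } catch {
        $result.Detail = "HTTPS: $($_.Exception.Message)"
        return $result
    }

    if ($result.Reachable) { $result.Location = 'Intranet' }
    return $result
}

# Typical use from a branch: alert when a host that is known to be on the intranet
# gets 'Internet', because clients in that branch will then try DirectAccess.
Test-NetworkLocation -NlsUrl 'https://nls.corp.contoso.com/' | Format-List Fqdn, Resolved, Reachable, Location, Detail
```

The Detail field distinguishes the two failure modes the text describes: a DNS error means the exemption rule or the intranet DNS record is the problem, while an HTTPS error with a resolved name points at the web server, its certificate, or CRL reachability.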

To reduce the traffic on the corporate network, DirectAccess separates intranet traffic from Internet traffic. Most VPNs send all traffic, including traffic that is destined for the Internet, through the VPN, which reduces both intranet and Internet access speed. DirectAccess does not reduce the Internet access speed, because communications to the Internet do not have to travel to the corporate network and back to the Internet.


Configuring DirectAccess

Key Points

To configure DirectAccess, you need to complete the following tasks.

Configure the AD DS domain controller and DNS

To prepare the AD DS and DNS environment, complete the following tasks:

1. Create a security group to hold computers that will be DirectAccess clients.

2. Create a DNS host record for the Network Location Server for intranet DirectAccess clients.

3. Create a DNS host record for the server that hosts the certificate revocation list in the intranet.

4. On your public DNS server, create a DNS host record for the host that will provide access to the certificate revocation list for Internet-based DirectAccess clients.

Configure the PKI environment

To prepare the PKI environment, complete the following tasks:

1. Add and configure the Certificate Authority server role.

2. Configure the certificate revocation list distribution settings.

3. Publish the CRL to the designated intranet location.

4. Create the certificate template and configure security settings on the template so that Authenticated Users can enroll for the certificate.

5. Distribute the computer certificates. You can use Group Policy to do this by enabling auto-enrollment.

Configure the DirectAccess clients and test intranet access

To prepare the DirectAccess clients and test the DirectAccess environment, complete the following tasks:


1. Verify that DirectAccess clients have the computer certificate required for DirectAccess authentication; this should have been distributed with Group Policy.

2. Verify that the client can connect to intranet resources.

Configure the DirectAccess server

To configure the DirectAccess server, complete the following tasks:

1. Install two network interface cards in the DirectAccess server.

2. Install the Web server role on the DirectAccess server.

3. Create a virtual directory to host the CRL.

4. Publish the CRL to the virtual directory.

5. Install the DirectAccess Management Console feature.

6. Run the DirectAccess Management wizard to configure DirectAccess.

Verify DirectAccess functionality

To verify the DirectAccess functionality, move DirectAccess clients to the Internet and verify connectivity to intranet resources.
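The AD DS, DNS and PKI preparation tasks above can be scripted for Windows Server 2008 R2 with the ActiveDirectory module, dnscmd and certutil. The script below is an added example, not part of the course material; it runs the steps that have a command-line form, in the order the tasks list them, and marks the steps that are done elsewhere (the public DNS record, the Certificate Authority role and template, and the DirectAccess Management wizard). The domain contoso.com, the DC NYC-DC1, the server NYC-SVR1, the OU path, the host names nls and crl, the share crldist$, the IP addresses and the client name NYC-CL1 are all placeholders. The sections are labelled with the computer they run on.

```powershell
# Added example (not from the course): the scriptable parts of the DirectAccess
# preparation tasks. All names, paths and addresses are placeholders.
Import-Module ActiveDirectory

$domain  = 'contoso.com'
$dnsHost = 'NYC-DC1'                       # DNS server that hosts the contoso.com zone
$ouPath  = 'OU=Groups,DC=contoso,DC=com'

# --- On a domain controller or a host with RSAT ---
# AD DS/DNS task 1: the security group that holds the DirectAccess client computers.
# Keeping this group tight is the access control for who gets the client settings.
New-ADGroup -Name 'DirectAccessClients' -SamAccountName 'DirectAccessClients' `
    -GroupCategory Security -GroupScope Global -Path $ouPath `
    -Description 'Computers that receive DirectAccess client Group Policy'
# Computer accounts are addressed by their sAMAccountName, which ends in $
Add-ADGroupMember -Identity 'DirectAccessClients' -Members 'NYC-CL1$'

# AD DS/DNS tasks 2 and 3: intranet host records for the network location server
# and the intranet CRL distribution point. The NLS name must resolve only inside
# the intranet, otherwise Internet clients would conclude they are on the intranet.
dnscmd $dnsHost /RecordAdd $domain nls A 10.10.0.20
dnscmd $dnsHost /RecordAdd $domain crl A 10.10.0.30
# AD DS/DNS task 4 (public CRL host record) is created in the public DNS zone,
# outside this script.

# --- On the Certificate Authority (after the CA role and CDP settings are in place) ---
# PKI task 3: publish a fresh CRL and copy it to the virtual directory that the
# DirectAccess server publishes (the CertEnroll folder is the CA's default output).
certutil -crl
Copy-Item 'C:\Windows\System32\CertSrv\CertEnroll\*.crl' '\\NYC-SVR1\crldist$\' -Force

# --- On a DirectAccess client ---
# PKI task 5 / client task 1: trigger autoenrollment now rather than waiting for the
# next Group Policy refresh, then confirm a computer certificate with the Client
# Authentication EKU exists and that its CRL can actually be fetched.
certutil -pulse
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No computer certificate with the Client Authentication EKU was enrolled.' }

# -urlfetch follows the CDP URLs in the certificate, so a failure here means the
# intranet (or, from the Internet, the public) CRL location is not reachable.
$cerPath = Join-Path $env:TEMP 'da-client.cer'
[System.IO.File]::WriteAllBytes($cerPath, $cert.Export('Cert'))
certutil -verify -urlfetch $cerPath
```

The last check is the one worth keeping: DirectAccess authentication fails silently when the CRL cannot be retrieved, and running the same verification from a client moved to the Internet exercises the public CRL record from task 4.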


Module Review and Takeaways

Review Questions

1. Your organization wishes to implement a cost-effective solution that interconnects two branch offices with your head office. How can you use VPNs in this scenario?

2. The IT manager in your organization is concerned about opening too many firewall ports to facilitate remote access from users working from home via a VPN. How could you meet the expectations of your remote users while allaying your manager's concerns?

3. You have a VPN server with two configured network policies. The first has a condition that grants access to members of the Contoso group, to which everyone in your organization belongs, but has a constraint of day and time restrictions for office hours only. The second policy has a condition of membership of the Domain Admins group and no constraints. Why are administrators being refused connections out of office hours, and what can you do about it?

4. On a client computer, what steps must you perform to ensure that it can be assessed for health?

Windows Server 2008 R2 Features Introduced in this Module

DirectAccess
DirectAccess is a feature in the Windows 7 and Windows Server 2008 R2 operating systems that provides users with a seamless connection to their organization's private network from a computer with an Internet connection.

VPN Reconnect
Although DirectAccess can replace VPN connections as a preferred remote access solution for many organizations, smaller organizations may not meet the infrastructure requirements for DirectAccess. Consequently, Microsoft is improving VPN usability in Windows 7 with VPN Reconnect. VPN Reconnect uses IKEv2 technology to provide seamless and consistent VPN connectivity, automatically re-establishing a VPN when users temporarily lose their Internet connections. This is particularly useful for users who implement wireless broadband solutions.

Tools

Tool           Use for                                            Where to find it
Services.msc   Managing Windows services                          Administrative Tools; otherwise, launch from Run.
Gpedit.msc     Editing the Local Group Policy                     Launch from Run.
Mmc.exe        Management Console creation and management         Launch from Run.
Gpupdate.exe   Managing Group Policy application                  Run from the command line.
Napclcfg.msc   Managing client computer NAP enforcement settings  Launch from Run.


Module 7

Managing Active Directory Domain Services

Contents:

Lesson 1: Overview of the Active Directory Infrastructure 7-3

Lesson 2: Working with Active Directory Administration Tools 7-17

Lesson 3: Managing User Accounts 7-26

Lesson 4: Managing Computer Accounts 7-36

Lab A: Creating and Managing User and Computer Accounts 7-45

Lesson 5: Managing Groups 7-50

Lesson 6: Using Queries to Locate Objects in AD DS 7-63

Lab B: Managing Groups and Locating Objects in AD DS 7-68


Module Overview

Active Directory® Domain Services (AD DS) and its related services form the foundation for enterprise networks running Windows because they store information about the identities of users, computers, and services; authenticate a user or computer; and provide a mechanism to access resources.

This module presents an overview of AD DS. You will review key concepts and directory services structure. You will take a high-level look at the major components of AD DS and how they fit together. You will also receive hands-on experience working with these components and their associated tools.

Objectives

After completing this module, you will be able to:

• Understand the Active Directory infrastructure.

• Work with Active Directory administration tools.

• Manage user accounts.

• Manage computer accounts.

• Manage groups.

• Use queries to locate objects in AD DS.


Lesson 1

Overview of the Active Directory Infrastructure

Your Active Directory infrastructure is what ties your entire Windows computing environment together. At the core of this infrastructure is AD DS. It manages communication and authentication between users and computers, stores information about who can access information stored on servers, and manages information about network resources and application-specific data from directory-enabled applications.

Objectives

After completing this lesson, you will be able to:

• Describe the components of AD DS.

• Describe Active Directory partitions.

• Describe Active Directory replication.

• Describe Active Directory sites.

• Describe domain and forest functional levels.

• Describe operations master roles.

• Manage operations master roles.


Components of Active Directory Domain Services

Key Points

Administrators can use AD DS to organize elements of a network, such as users, computers, and other devices, into a hierarchical containment structure.

AD DS is not a physical entity in itself. It consists of several key components that work together to provide Active Directory functionality to a Windows environment. The hierarchical containment structure includes the Active Directory forest, domains in the forest, and organizational units (OUs) in each domain. All this information is stored in the Active Directory database. A server that maintains a copy of this database for the domain is called a domain controller.

Domain

Domains are the key building blocks of AD DS. They define boundaries within the Active Directory infrastructure. A domain is a logical grouping of objects that share a common directory database and domain namespace. This database contains information about users, groups, and computers that are part of the domain, and information about shared resources such as printers and shared folders.

A domain namespace is typically defined by a domain name, such as Contoso.com. Any domain objects such as users, groups, or computers created within the Contoso domain reside in the Contoso.com namespace. For example, the Fully Qualified Domain Name (FQDN) for a server named NYC-SVR1 in the Contoso domain would be NYC-SVR1.Contoso.com.

Domain Controller

A domain controller is a designated server that holds a copy of the Active Directory database. A computer running the Windows Server® 2008 operating system can be made a domain controller by executing dcpromo.exe. Dcpromo.exe begins the AD DS Installation Wizard and collects the information necessary to promote the Windows Server 2008 server to a domain controller. After a computer is configured as a domain controller, it maintains a copy of the Active Directory database and replicates the information in the database back and forth to the other domain controllers in the domain.


Note: A domain should have at least two domain controllers. When a domain has at least two domain controllers, redundant copies of AD DS are available in case one of the domain controllers becomes unavailable.

Organizational Unit

OUs are used within AD DS to organize collections of Active Directory objects such as users, groups, computers, and even other OUs. OUs act like containers within AD DS, allowing you to organize your Active Directory objects in a logical way that makes it easier to administer and manage those objects.

For example, you may choose to create an OU for each department of your organization and place the computers, users, groups, and printers belonging to those departments into their respective OUs.

Tree

Although domains are important building blocks for implementing Active Directory structures, only domain trees bind those blocks together. Domain trees are logical groupings of domains.

Within the directory, the tree structure represents a hierarchy of domain objects, showing parent-child relationships between the objects. The first domain created in the tree structure, or the root domain, resides at the top of a logical domain tree diagram, and it is the parent of all other domains for that particular domain tree. Other domains that you create in the domain tree are child domains.

Domain trees are typically created to reflect your organization's structure. Domains in a tree share a contiguous namespace. The domain name of a child domain is related to the name of the parent domain. For example, the Marketing.Contoso.com domain is a child of the Contoso.com domain. They share the common domain namespace of Contoso.com.

Forest

Domain forests are logical groups of one or more domains or domain trees that are separate and independent. Forests are used to create boundaries in and between organizations to control security, replication, and configuration of the Active Directory environment. As such, domain trees that are members of a forest do not share a contiguous namespace. For example, the domain tree with a parent domain of Contoso.com can be joined in a domain forest with another domain or domain tree, Adatum.com. In this forest, both domains retain their preexisting domain namespace.

Global Catalog

Information regarding an Active Directory forest is stored in a distributed data repository called the global catalog. The global catalog is stored on designated domain controllers in the forest and contains a searchable partial representation of every object in the forest. The global catalog servers distribute the global catalog data by using multi-master replication, where all global catalog servers are equal partners in the replication process.


What Are Active Directory Partitions?

Key Points

AD DS information is stored within the directory database. This database is divided into a number of directory partitions that contain AD DS information. Each directory partition, also called a naming context, contains objects of a particular scope and purpose. There are four AD DS partitions, as follows:

• Domain. The Domain partition contains all the objects stored in a domain, including users, groups, computers, and Group Policy containers (GPCs).

• Configuration. The Configuration partition contains objects that represent the logical structure of the forest, including domains, as well as the physical topology, including sites, subnets, and services.

• Schema. The Schema partition defines the object classes and their attributes for the entire directory.

• Application. The Application partition is an optional partition that stores information about applications in Active Directory.

Each domain controller maintains a copy, or replica, of several partitions. The Configuration partition is replicated to every domain controller in the forest, as is the Schema partition. The Domain partition for a domain is replicated to all domain controllers within a domain but not to domain controllers in other domains, so each domain controller has at least three replicas: the Domain partition for its domain, Configuration, and Schema.
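The partition-to-replica mapping described above is recorded in the directory itself: every naming context has a crossRef object under CN=Partitions in the Configuration partition, and the crossRef's systemFlags attribute says which kind of partition it is. The following PowerShell function is an added example, not from the course; it uses the ActiveDirectory module on Windows Server 2008 R2 to list each partition of the forest with its type and the domain controllers that hold a replica, so the "at least three replicas per DC" rule can be checked against a real forest. The bit values it tests (1 for an AD DS-hosted naming context, 2 for a domain partition, 4 for an application partition not replicated to the global catalog) are the documented FLAG_CR_NTDS_* values of systemFlags; the matching-rule OID 1.2.840.113556.1.4.803 is LDAP's bitwise AND.

```powershell
# Added example (not from the course): enumerate directory partitions and the
# domain controllers that hold a replica of each.
Import-Module ActiveDirectory

function Get-AdPartitionReplicas {
    $rootDse = Get-ADRootDSE

    # Every DC of every domain in the forest; -Filter * alone is scoped to one domain
    $allDcs = foreach ($d in (Get-ADForest).Domains) { Get-ADDomainController -Filter * -Server $d }
    $allDcNames = @($allDcs | ForEach-Object { $_.HostName })

    # crossRef objects with systemFlags bit 1 set are naming contexts hosted by AD DS
    $partitionsDn = "CN=Partitions,$($rootDse.configurationNamingContext)"
    $crossRefs = Get-ADObject -SearchBase $partitionsDn -SearchScope OneLevel `
        -LDAPFilter '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=1))' `
        -Properties nCName, systemFlags, dnsRoot, 'msDS-NC-Replica-Locations'

    foreach ($cr in $crossRefs) {
        $flags = [int]$cr.systemFlags
        if ($cr.nCName -eq $rootDse.schemaNamingContext) {
            $type = 'Schema';        $replicas = $allDcNames          # every DC in the forest
        } elseif ($cr.nCName -eq $rootDse.configurationNamingContext) {
            $type = 'Configuration'; $replicas = $allDcNames          # every DC in the forest
        } elseif ($flags -band 2) {
            $type = 'Domain'
            # Full replicas live only on that domain's DCs; global catalogs elsewhere
            # hold just the partial attribute set, which is not a replica of the NC.
            $replicas = @($allDcs | Where-Object { $_.Domain -eq $cr.dnsRoot } | ForEach-Object { $_.HostName })
        } elseif ($flags -band 4) {
            $type = 'Application'
            # Application partitions carry their replica set explicitly as a list of
            # NTDS Settings DNs: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
            $replicas = @($cr.'msDS-NC-Replica-Locations' | ForEach-Object { (($_ -split ',')[1]) -replace '^CN=', '' })
        } else {
            $type = 'Other'; $replicas = @()
        }
        New-Object PSObject -Property @{ Type = $type; Partition = $cr.nCName; Replicas = $replicas }
    }
}

Get-AdPartitionReplicas | Sort-Object Type, Partition | Format-Table Type, Partition, Replicas -AutoSize
```

In a typical forest the Application rows are the DNS partitions (DomainDnsZones and ForestDnsZones), which is the concrete instance of the "optional partition" the list above mentions, and a domain controller that is missing from a partition's replica list while it should hold one is the first thing to look at when directory data differs between DCs.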


What Is Active Directory Replication?

Key Points

Replication is the transfer of changes between domain controllers. When you add a user or change a user's password, for example, the change you make is committed to the directory by one domain controller. That change must be communicated to all other domain controllers in the domain.

Replication is designed so that, in the end, each replica of a partition on a domain controller is consistent with the replicas of that partition hosted on other domain controllers. Not all domain controllers will have exactly the same information in their replicas at any one moment in time because changes are constantly being made to the directory. However, Active Directory replication ensures that all changes to a partition are transferred to all replicas of the partition. Active Directory replication balances accuracy (or integrity) and consistency (called convergence) with performance (keeping replication traffic to a reasonable level). This balancing act is described as loose coupling.

The following are the key characteristics of Active Directory replication:

• Multimaster replication. Any domain controller can initiate and commit a change to Active Directory.

• Pull replication. A domain controller requests, or "pulls," changes from other domain controllers. As you learn more about replication, it may become easy to forget this, because a DC notifies its replication partners that it has changes to the directory, or a DC can poll its partners to see if they have changes to the directory. But the changes themselves are, in the end, requested or "pulled" by the target DC.

• Store-and-forward replication. A domain controller can pull changes from one partner, and then make those changes available to another partner. For example, domain controller B can pull changes initiated by domain controller A. Then, domain controller C can pull the changes from domain controller B.

• Partitioning of the data store. Domain controllers in a domain host only the domain naming context for their domain, which helps keep replication to a minimum, particularly in multidomain forests. Other data, including application directory partitions and the partial attribute set (global catalog), are not replicated to every domain controller in the forest, by default.

• Automatic generation of an efficient and robust replication topology. By default, Active Directory will configure an effective, two-way replication topology so that the loss of any one domain controller does not impede replication. This topology is automatically updated as domain controllers are added, removed, or moved between sites.

• Attribute-level replication. When an attribute of an object is modified, only that attribute, and minimal metadata that describes that attribute, is replicated. The entire object is not replicated, except when the object is created.

• Distinct control of intrasite replication (within a single site) and intersite replication (between sites). Replication can be distinctly controlled in both these situations.

• Collision detection and management. It is possible, although rare, that an attribute will have been modified on two different domain controllers during a single replication window. In such an event, the two changes will have to be reconciled. Active Directory has resolution algorithms that satisfy almost every such situation.
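Two of the characteristics listed above can be observed directly with repadmin, which ships with AD DS on Windows Server 2008 R2. The first function below summarizes inbound replication links that are failing; the second shows the per-attribute metadata (version, originating DSA, timestamp) that attribute-level replication carries and that collision resolution compares. Both are an added example, not from the course. The CSV column names come from the output of repadmin /showrepl with the /csv switch; the server NYC-DC1 and the user DN are placeholders.

```powershell
# Added example (not from the course): replication health and per-attribute
# replication metadata via repadmin.
function Get-ReplicationFailures {
    # repadmin /showrepl * /csv emits one row per (destination DC, source DC, partition)
    # with a header row, so the text converts straight into objects.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA Site', 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status', 'Last Success Time'
}

function Show-ObjectReplicationMetadata {
    param(
        [Parameter(Mandatory = $true)][string]$Server,              # DC to read metadata from
        [Parameter(Mandatory = $true)][string]$DistinguishedName    # object to inspect
    )
    # One line per attribute: local USN, originating DSA, originating USN, version,
    # and the time of the originating write. When the same attribute was changed on
    # two DCs in one replication window, the higher version wins, then the later
    # timestamp, then the originating DSA GUID; this output shows which write won.
    repadmin /showobjmeta $Server $DistinguishedName
}

# A link that has failed for longer than the tombstone lifetime cannot be recovered
# by normal replication, so 'Last Success Time' is the column to watch.
Get-ReplicationFailures | Format-Table -AutoSize

# Placeholders: adjust the DC name and the DN to an object in your domain
Show-ObjectReplicationMetadata -Server 'NYC-DC1' -DistinguishedName 'CN=Alice,OU=Users,DC=contoso,DC=com'
```

For a one-screen overview, repadmin /replsummary gives the same failure counts per source and destination DC without the per-partition detail.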


What Are Active Directory Sites?

Key Points

Active Directory sites are used to represent the physical structure of your network. AD DS uses information about your network's physical structure, or topology, when performing certain processes.

When administrators describe their network infrastructure, they often mention how many sites comprise their enterprise. To most administrators, a site is a physical location, such as an office or a city. Sites are connected by links, or network links, that might be as basic as dial-up connections or as sophisticated as fiber links. Together, the physical locations and links make up the network infrastructure.

AD DS represents the network infrastructure with objects called sites and site links, and although the words are similar, these objects are not identical to the sites and links described by administrators.

You need to understand the properties and roles of sites in Active Directory to understand the subtle distinction between Active Directory sites and network sites. Active Directory sites are objects stored in the directory created by an administrator. An Active Directory site consists of one or more network subnets. These sites are used to achieve two service management tasks:

• Manage replication traffic

• Facilitate service localization

Replication Traffic

AD DS assumes there are two types of networks within your enterprise, highly connected and less highly connected. Conceptually, a change made to AD DS should replicate immediately to other domain controllers within the highly connected network in which the change was made. However, you might not want the change to replicate immediately over a slower, more expensive, or less reliable link to another site. Instead, you might want to manage replication over less highly connected segments of your enterprise to optimize performance, reduce costs, or manage bandwidth.


An Active Directory site represents a highly connected portion of your enterprise. When you define a site, Active Directory replication within the site happens almost instantly. Replication between sites can be scheduled and managed.

Service Localization

In a typical Active Directory environment, you have at least two domain controllers. In this configuration, there are multiple domain controllers providing the same services of authentication and directory access. If you have more than one network site, and if you place a domain controller in each, you want to encourage clients to authenticate against the domain controller in their site. This is an example of service localization.

Active Directory sites help localize services, including those provided by domain controllers. During logon, Windows clients are automatically directed to a domain controller in their site. If a domain controller is not available in their site, they are directed to a domain controller in another site, which will be able to authenticate the client efficiently.
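The site, subnet and domain controller objects described above can be inspected directly, which is the quickest way to confirm that service localization is actually working for a given client. The script below is an added example and is not part of the course material; it assumes a domain-joined Windows Server 2008 R2 host with the Active Directory module and the nltest tool available, and reads the site topology from the configuration partition rather than through a site-specific cmdlet.

```powershell
# Added example, not part of the 6419B course material. Assumes a domain-joined
# Windows Server 2008 R2 host with the Active Directory module and nltest available.
Import-Module ActiveDirectory

$rootDse   = Get-ADRootDSE
$sitesBase = "CN=Sites," + $rootDse.configurationNamingContext

# Site objects live directly under CN=Sites in the configuration partition.
$sites = Get-ADObject -SearchBase $sitesBase -SearchScope OneLevel `
    -Filter { objectClass -eq "site" }

# Each subnet object carries a siteObject attribute: the DN of the site it maps to.
$subnets = Get-ADObject -SearchBase "CN=Subnets,$sitesBase" -SearchScope OneLevel `
    -Filter { objectClass -eq "subnet" } -Properties siteObject

# Domain controllers report the site they serve.
$dcs = Get-ADDomainController -Filter *

# One row per site: which subnets map to it and which DCs sit in it. A site with
# subnets but no DC, or a DC in a site with no subnets, is a localization problem.
foreach ($site in $sites) {
    $siteSubnets = @($subnets | Where-Object { $_.siteObject -eq $site.DistinguishedName } |
        ForEach-Object { $_.Name })
    $siteDcs = @($dcs | Where-Object { $_.Site -eq $site.Name } | ForEach-Object { $_.HostName })
    New-Object PSObject -Property @{
        Site    = $site.Name
        Subnets = ($siteSubnets -join ", ")
        DCs     = ($siteDcs -join ", ")
    }
}

# A subnet that maps to no site will never localize its clients to a nearby DC.
$subnets | Where-Object { -not $_.siteObject } | ForEach-Object {
    Write-Warning "Subnet $($_.Name) is not assigned to any site"
}

# Service localization as seen from this client: the site the DC locator placed it in,
# and the DC it selected (compare "DC Site Name" with "Our Site Name" in the output).
nltest /dsgetsite
$domainName = (Get-ADDomain).DNSRoot
nltest "/dsgetdc:$domainName"
```

If a client in a branch office authenticates against a head-office DC, the usual cause is that the branch subnet is missing from the table above or is mapped to the wrong site.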


Domain and Forest Functional Levels

Key Points

Within an Active Directory infrastructure, it is possible to have different versions of the Windows Server operating system acting as domain controllers. Previous versions of Windows Server do not support some of the new Active Directory components or data storage methods available in Windows Server 2008 and Windows Server 2008 R2.

A domain functional level and forest functional level are two separate settings that determine the specific functional aspects of AD DS that are enabled on domain controllers within the domain or forest.

For example, Windows Server 2008 R2 provides a new feature, the Active Directory Recycle Bin, which allows for nondestructive deletions of Active Directory objects. However, if any of the domain controllers in your forest are not running Windows Server 2008 R2, the Active Directory Recycle Bin functionality is not recognized by any domain controller running a previous version of Windows Server. In this case, the domain functional level is set to a level compatible with your existing domain controllers, and the Active Directory Recycle Bin functionality is not available anywhere in the domain.

Domain Functional Levels

There are four domain functional levels available in Windows Server 2008 R2. The following levels govern the functionality set on all domain controllers in the domain:

• Windows 2000 native

• Windows Server 2003

• Windows Server 2008

• Windows Server 2008 R2

Forest Functional Levels

The following are the four forest functional levels that define the functionality set for all domain controllers and global catalog servers in the forest:


• Windows 2000 native

• Windows Server 2003

• Windows Server 2008

• Windows Server 2008 R2

Note: Domain and forest functional levels are only available on Windows Server versions that are at least as recent as the functional level. For example, the Windows Server 2008 R2 domain functional level is not available to a domain containing only Windows Server 2008 domain controllers.
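Before raising either level, check the operating system of every domain controller, since the note above is exactly the condition that makes a raise fail. The following script is an added example and not course material; it assumes the Active Directory module on a Windows Server 2008 R2 host, and the domain name contoso.com is a placeholder. The Set-ADDomainMode and Set-ADForestMode calls are run with -WhatIf so that nothing changes until you remove that switch.

```powershell
# Added example, not part of the 6419B course material. Assumes the Active Directory
# module on a Windows Server 2008 R2 host; the domain name is a placeholder.
Import-Module ActiveDirectory
$domainName = "contoso.com"   # placeholder: replace with your domain

$domain = Get-ADDomain -Identity $domainName
$forest = Get-ADForest -Identity $domain.Forest

"Current domain functional level: $($domain.DomainMode)"
"Current forest functional level: $($forest.ForestMode)"

# Every DC must run an OS at least as recent as the target level (see the note above).
$dcs = Get-ADDomainController -Filter * -Server $domainName |
    Select-Object HostName, Site, OperatingSystem, IsGlobalCatalog
$dcs | Format-Table -AutoSize

$older = @($dcs | Where-Object { $_.OperatingSystem -notmatch "2008 R2" })
if ($older.Count -gt 0) {
    "Cannot raise to Windows Server 2008 R2; these DCs run an older OS:"
    $older | ForEach-Object { "  $($_.HostName): $($_.OperatingSystem)" }
} else {
    # Dry run first; remove -WhatIf to perform the change. Raising a functional level
    # is not reversible in general, so treat it as a one-way change.
    Set-ADDomainMode -Identity $domainName -DomainMode Windows2008R2Domain -WhatIf

    # The forest level can only be raised once every domain in the forest is at that level.
    Set-ADForestMode -Identity $domain.Forest -ForestMode Windows2008R2Forest -WhatIf
}
```

The same check is worth repeating just before promoting a new domain controller on an older operating system, because a DC that cannot support the current level cannot join the domain.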


Operations Master Roles

Key Points

In an Active Directory domain, all domain controllers are equivalent. They are all capable of writing to the Active Directory database and replicating changes to other domain controllers. However, in AD DS’s multimaster replication topology, certain operations must be performed by only one system. In an Active Directory domain, operation masters are domain controllers that perform a specific function within the domain.

Forest-Wide Operations Master Roles

The schema master and the domain-naming master must be unique in the forest. Each role is performed by only one domain controller in the entire forest.

Domain Naming Master Role

The domain-naming role is used when adding or removing domains in the forest. When you add or remove a domain, the domain naming master must be accessible, or the operation will fail.

Schema Master Role

The domain controller holding the schema master role is responsible for making any changes to the forest’s schema. All other domain controllers hold read-only replicas of the schema. You should modify the schema, or install applications that modify the schema, on the domain controller holding the schema master role. Otherwise, the changes you request must be sent to the schema master to be written into the schema.

Domain-Wide Operations Master Roles

Each domain maintains three single master operations: relative identifier (RID), infrastructure, and primary domain controller (PDC) Emulator. Each role is performed by only one domain controller in the domain.


RID Master Role

The RID master plays an integral part in the generation of security identifiers (SIDs) for security principals such as users, groups, and computers. The SID of a security principal must be unique. Because any domain controller can create accounts, and therefore SIDs, a mechanism is necessary to ensure that the SIDs generated by a DC are unique. Active Directory domain controllers generate SIDs by appending a unique RID to the domain SID. The RID master for the domain allocates pools of unique RIDs to each domain controller in the domain. Therefore, each domain controller can be confident that the SIDs it generates are unique.

Infrastructure Master Role

In a multi-domain environment, it is common for an object to reference objects in other domains. For example, a group can include members from another domain. Its multivalued member attribute contains the distinguished names of each member. If the member in the other domain is moved or renamed, the infrastructure master of the group’s domain updates the group’s member attribute accordingly.

PDC Emulator Role

The PDC Emulator role performs multiple, crucial functions for a domain:

• Participates in special password update handling for the domain

When a user's password is reset or changed, the domain controller that makes the change replicates the change immediately to the PDC emulator. This special replication ensures that the domain controllers know about the new password as quickly as possible.

• Manages Group Policy updates within a domain

If a group policy object (GPO) is modified on two domain controllers at approximately the same time, there could be conflicts between the two versions that could not be reconciled as the GPO replicates. To avoid this situation, the PDC emulator acts as the focal point for all Group Policy changes.

• Provides a master time source for the domain

Many Windows components and technologies rely on time stamps, so synchronizing time across all systems in a domain is crucial. The PDC emulator in the forest root domain is the time master for the entire forest, by default. The PDC emulator in each domain synchronizes its time with the forest root PDC emulator. Other domain controllers in the domain synchronize their clocks against that domain’s PDC emulator. All other domain members synchronize their time with their preferred domain controller.

• Acts as the domain master browser

When you open Network in Windows, you see a list of workgroups and domains, and when you open a workgroup or domain, you see a list of computers. These two lists, called browse lists, are created by the Browser service. In each network segment, a master browser creates the browse list: the lists of workgroups, domains, and servers in that segment. The domain master browser serves to merge the lists of each master browser so that browse clients can retrieve a comprehensive browse list.


Guidelines for Placing Operations Master Roles

• Place the domain-level roles on a high-performance domain controller.

• Do not place the Infrastructure Master domain-level role on a global catalog server.

• Leave the two forest-level roles on a domain controller in the forest root domain.

• In the forest root domain, transfer the three domain-level roles from the first domain controller that you installed in the forest root domain to an additional domain controller that has a high-performance level.

• Adjust the workload of the PDC emulator, if necessary, by offloading non-AD DS roles to other servers.


Demonstration: How to Manage Operations Master Roles

Key Points

In this demonstration, you will see how to:

• Transfer an operations master role to a different domain controller.

• Seize an operations master role.

Demonstration Steps

1. Open Active Directory Users and Computers.

2. Transfer the PDC Emulator role to NYC-DC2.

3. Seize the PDC Emulator role from NYC-DC2.

4. Close Active Directory Users and Computers.
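The demonstration steps above, together with the placement guidelines on the previous page, carried out with the Active Directory module instead of the Active Directory Users and Computers snap-in. This is an added example, not the course's own material. NYC-DC2 is the domain controller named in the demonstration; the domain name contoso.com and the surviving domain controller NYC-DC1 used for the seize are placeholders, and the helper function Get-OperationsMasterRoles is defined here rather than being a cmdlet of the module.

```powershell
# Added example, not part of the 6419B course material. NYC-DC2 is the DC named in the
# demonstration; the domain name and the surviving DC used for the seize are placeholders.
Import-Module ActiveDirectory
$domainName  = "contoso.com"   # placeholder
$newHolder   = "NYC-DC2"       # target of the transfer (step 2 of the demonstration)
$survivingDc = "NYC-DC1"       # placeholder: DC that takes the role once NYC-DC2 is gone (step 3)

function Get-OperationsMasterRoles {
    # Hypothetical helper: the two forest-wide roles come from the forest object,
    # the three domain-wide roles from the domain object.
    $d = Get-ADDomain -Identity $domainName
    $f = Get-ADForest -Identity $d.Forest
    New-Object PSObject -Property @{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

"Role holders before the change:"
$roles = Get-OperationsMasterRoles
$roles | Format-List

# Placement guideline: the Infrastructure Master should not be a global catalog server,
# unless every DC in the domain is a GC, in which case the placement makes no difference.
$infraDc = Get-ADDomainController -Identity $roles.InfrastructureMaster
$nonGc   = @(Get-ADDomainController -Filter * -Server $domainName |
    Where-Object { -not $_.IsGlobalCatalog })
if ($infraDc.IsGlobalCatalog -and $nonGc.Count -gt 0) {
    Write-Warning "Infrastructure Master $($infraDc.HostName) is a GC; consider $($nonGc[0].HostName)"
}

# Transfer: the current holder and the new holder must both be online. The role moves
# cleanly and the old holder knows it no longer owns it.
Move-ADDirectoryServerOperationMasterRole -Identity $newHolder `
    -OperationMasterRole PDCEmulator -Confirm:$false

# Seize: -Force takes the role without the old holder's cooperation. Use it only when the
# old holder is permanently unavailable. The PDC Emulator and Infrastructure Master can be
# seized even if the old holder later returns; the Schema, Domain Naming and RID masters
# must not be seized unless the old holder is never brought back online.
Move-ADDirectoryServerOperationMasterRole -Identity $survivingDc `
    -OperationMasterRole PDCEmulator -Force -Confirm:$false

"Role holders after the change:"
Get-OperationsMasterRoles | Format-List
```

Run the role inventory on its own periodically: an unexpected change of role holder is worth investigating, because moving the Schema or Domain Naming master requires membership of highly privileged groups.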


Lesson 2

Working with Active Directory Administration Tools

Most administrators first experience AD DS by opening Active Directory Users and Computers and creating user, computer, or group objects within the OUs of a domain. While Active Directory Users and Computers is a comprehensive tool, Windows Server 2008 contains several new tools that can make administering a Windows Server a simpler and more efficient task. This lesson will introduce you to the tools available to administer AD DS.

Objectives

After completing this lesson, you will be able to:

• Describe Active Directory Administration snap-ins.

• Describe the Active Directory Administrative Center.

• Manage Active Directory using management tools.

• Describe the Active Directory module for Windows PowerShell.


Overview of Active Directory Administration Snap-ins

Key Points

Most Active Directory administration is performed by using the following snap-ins and consoles:

• Active Directory Users and Computers. This snap-in manages most common day-to-day resources, including users, groups, computers, printers, and shared folders. This is likely to be the most heavily used snap-in for an Active Directory administrator.

• Active Directory Sites and Services. This manages replication, network topology, and related services.

• Active Directory Domains and Trusts. This configures and maintains trust relationships and the domain and forest functional level.

• Active Directory Schema. This snap-in examines and modifies the definition of Active Directory attributes and object classes. The schema is the "blueprint" for Active Directory. It is rarely viewed and even more rarely changed. Therefore, the Active Directory Schema snap-in is not installed by default.


Active Directory Administrative Center

Key Points

Note: The content in this topic applies only to Windows Server 2008 R2.

Windows Server 2008 R2 provides another option for managing AD DS objects. The Active Directory Administrative Center provides a graphical user interface (GUI) built on Windows PowerShell. This enhanced interface allows you to perform Active Directory object management by using task-oriented navigation. Tasks that can be performed by using the Active Directory Administrative Center include:

• Creating and managing user, computer, and group accounts.

• Creating and managing organizational units.

• Connecting to and managing multiple domains within a single instance of the Active Directory Administrative Center.

• Searching and filtering Active Directory data by building queries.

Installation Requirements

The Active Directory Administrative Center can only be installed on computers running Windows Server 2008 R2 or Windows 7. You can install the Active Directory Administrative Center by any one of the following methods:

• Install the AD DS server role through Server Manager.

• Promote a server to a domain controller by using Dcpromo.exe.

• Install the Remote Server Administration Tools (RSAT) on a Windows Server 2008 R2 server or Windows 7.


Note: The Active Directory Administrative Center relies on the Active Directory Web Services (ADWS) service, which must be installed on at least one domain controller in the domain. The service also requires port 9389 to be open on the domain controller where ADWS is running.
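When the Administrative Center or the Active Directory module cannot connect, the two conditions in the note above are the first things to verify. The script below is an added example, not course material; it assumes you run it from the management host, that the domain controller name dc01.contoso.com is a placeholder for one of yours, and that you have permission to query services remotely. Test-TcpPort is a helper defined here because Windows Server 2008 R2 ships no built-in port-test cmdlet.

```powershell
# Added example, not part of the 6419B course material. The DC name is a placeholder;
# Test-TcpPort is a helper defined here, not a built-in cmdlet.
$dc   = "dc01.contoso.com"   # placeholder: a domain controller expected to run ADWS
$port = 9389                 # the ADWS port named in the note above

# 1. Is the ADWS service present and running on the DC?
$svc = Get-Service -Name ADWS -ComputerName $dc -ErrorAction SilentlyContinue
if ($svc -eq $null) {
    Write-Warning "ADWS service not found on $dc (ADWS is not installed there)"
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "ADWS is installed but its state is $($svc.Status) on $dc"
} else {
    "ADWS is running on $dc"
}

# 2. Is TCP 9389 reachable from here? A bounded connect attempt so a silently
#    dropped packet (firewall) fails in a few seconds instead of hanging.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

if (Test-TcpPort -ComputerName $dc -Port $port) {
    "TCP $port on $dc is reachable"
} else {
    Write-Warning "TCP $port on $dc is not reachable: check the firewall rule on the DC"
}

# 3. End to end: the Active Directory module itself talks to ADWS, so a successful
#    query against that DC proves the whole path.
Import-Module ActiveDirectory
Get-ADDomain -Server $dc | Select-Object DNSRoot, DomainMode, PDCEmulator
```

A service that is running while the port test fails points at host or network filtering; a port that answers while step 3 fails usually means the account lacks rights, not that ADWS is broken.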


Demonstration: How to Manage Active Directory Using Management Tools

Key Points

Active Directory Users and Computers and the Active Directory Administrative Center can both be used to perform administrative tasks.

In this demonstration, you will see how to:

• Manage Active Directory by using standard administration snap-ins.

• Manage Active Directory by using the Active Directory Administrative Center.

Demonstration Steps:

Active Directory Users and Computers

Viewing Objects

The Active Directory Users and Computers snap-in displays the objects in the container (domain, organizational unit, or container) selected in the console tree.

Refreshing the View

The view is not refreshed automatically. If you want to see the latest changes to the view of objects, select the container in the console tree, and then click the Refresh button on the snap-in toolbar or press F5.

You must select the container in the console tree before clicking Refresh (or pressing F5); clicking in an empty area of the details pane is not sufficient. This is a quirk of the Active Directory Users and Computers snap-in.


Creating Objects

To create an object in Active Directory Users and Computers, right-click a domain, or a container (such as Users or Computers), or an organizational unit, point to New, and then click the type of object you want to create.

When you create an object, you are prompted to configure a few of the most basic properties of the object, including the properties that are required for that type of object.

Configuring Object Attributes

After an object has been created, you can access its properties by right-clicking the object and then clicking Properties.

The Properties dialog box that appears displays many of the most common properties of the object. Properties are grouped on tabs to make it easier to locate a specific property.

You can configure as many properties as you want on as many tabs as you want, and then click Apply or OK once to save all changes. The difference between Apply and OK is that the OK button saves the changes and closes the Properties dialog box, whereas Apply saves the changes and keeps the dialog box open so that you can make additional changes.

Viewing All Object Attributes

A user object has even more properties than are visible in its Properties dialog box. Some of the so-called hidden properties can be quite useful to your enterprise. To view these hidden user attributes, you must turn on the Attribute Editor, which is a new feature in Windows Server 2008.

To turn on the Attribute Editor in the Active Directory Users and Computers snap-in, click the View menu, and then click the Advanced Features option.

To open the Attribute Editor for a specific Active Directory object, you need to perform the following steps:

1. Right-click the object and then click Properties.

2. Click the Attribute Editor tab.

To change the value of an attribute, double-click the value.

The attributes can also be accessed programmatically with Windows PowerShell™, Windows Visual Basic® Scripting Edition, or the Microsoft .NET Framework.

Note: Modifying hidden attributes can have adverse effects on your AD DS environment. Do so with caution and only where specifically required.
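Reading and changing the same hidden attributes from Windows PowerShell, as the paragraph above says is possible. This is an added example and not course material; it assumes the Active Directory module is available, and the user name jsmith and the employeeID value written are placeholders. The dry run with -WhatIf before the real write follows the caution in the note above.

```powershell
# Added example, not part of the 6419B course material. Assumes the Active Directory
# module; the user name and the employeeID value are placeholders.
Import-Module ActiveDirectory
$user = "jsmith"   # placeholder sAMAccountName

# Get-ADUser returns a small default property set; -Properties * returns every populated
# attribute, which is the same set the Attribute Editor tab displays.
$u = Get-ADUser -Identity $user -Properties *
$u | Select-Object DistinguishedName, whenCreated, whenChanged, pwdLastSet,
    lastLogonTimestamp, userAccountControl, employeeID | Format-List

# Several "hidden" values are raw integers that the editor shows undecoded.
"Password last set: " + [DateTime]::FromFileTime($u.pwdLastSet)
if ($u.lastLogonTimestamp) {
    # Replicated value; it can lag the real last logon by up to 14 days.
    "Last logon (approximate): " + [DateTime]::FromFileTime($u.lastLogonTimestamp)
}
$uac = [int]$u.userAccountControl
"Account disabled:       " + [bool]($uac -band 0x0002)    # ACCOUNTDISABLE
"Password not required:  " + [bool]($uac -band 0x0020)    # PASSWD_NOTREQD
"Password never expires: " + [bool]($uac -band 0x10000)   # DONT_EXPIRE_PASSWORD

# Writing an attribute: -Replace overwrites, -Add appends to a multivalued attribute,
# -Clear removes it. Dry run first, then the real write, then read the value back.
Set-ADUser -Identity $user -Replace @{ employeeID = "E-12345" } -WhatIf
Set-ADUser -Identity $user -Replace @{ employeeID = "E-12345" }
(Get-ADUser -Identity $user -Properties employeeID).employeeID
```

The userAccountControl flags are the ones most worth reviewing from a security standpoint: an account with "password not required" or "password never expires" set is invisible in the standard Properties tabs but obvious here.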

Active Directory Administrative Center

Navigation

The Active Directory Administrative Center provides a navigation pane that can be set as a List View and a Tree View. The List View displays three main nodes: an Overview node, a domain node, and a Global Search node. The Tree View changes the domain node to provide a view of the entire domain structure.

Performing Administrative Tasks

When the Overview node is selected, you can perform specific tasks such as Reset Password and Global Search. Reset Password provides the ability to enter a known user name and reset the password, unlock the account, and configure the user to change the password at the next logon. Global Search provides the ability to search for objects based upon a domain scope or a Global Catalog scope.

Depending on the object selected, you can perform many related tasks. For example, if a user object is selected, you can perform tasks such as Reset the password, Add to a group, Disable the account, Move the account, Delete the account, Locate the account, or open the Properties of the account.


Active Directory Module for Windows PowerShell

Key Points

In the previous versions of Windows Server, administrators used a variety of command-line tools and Microsoft Management Console (MMC) snap-ins to connect to their Active Directory domains to monitor and manage their domains. The Active Directory module in Windows Server 2008 R2 now provides a centralized experience for administering your directory service.

The Active Directory module for Windows PowerShell in Windows Server 2008 R2 is a Windows PowerShell module (named Active Directory) that consolidates a group of cmdlets used to manage your Active Directory domains in a self-contained package.

The following table lists the various tasks that can be performed by using the Active Directory module for Windows PowerShell:

Management Category: Task

User Management
• Creating a user
• Modifying an attribute for multiple users
• Setting profile attributes
• Renaming a user
• Finding and unlocking user accounts
• Enabling or disabling user accounts

Computer Management
• Joining a computer to a domain
• Adding or removing a computer account
• Resetting a computer account
• Modifying attributes of computer accounts

Group Management
• Creating a group
• Adding and removing members of a group
• Viewing the members of a group
• Changing the group scope or type

Organizational Unit Management
• Creating or deleting an OU
• Listing objects in an OU
• Assigning or removing a manager of an OU
• Moving the objects in an OU

Password Policy Management
• Creating and managing Fine-Grained Password policies
• Modifying the default domain password policy
• Getting the resultant password policy for a user

Searching and Modifying Objects
• Searching the Global Catalog
• Importing objects by using a CSV file
• Exporting objects to a CSV file
• Searching for and restoring deleted objects

Forest and Domain Management
• Finding the domains in a forest
• Raising the functional level of the domain or forest
• Viewing the trusts for a domain

Domain Controller and Operations Master Management
• Finding the domain controllers for a domain
• Moving the domain controller to a different site
• Enabling and disabling the Global Catalog
• Managing operations master roles

Managed Service Account Management
• Creating or removing a managed service account
• Associating a managed service account with a computer
• Resetting the password of a managed service account

Cmdlet Examples

• New-ADComputer creates a new computer object in AD DS.

• Remove-ADGroup removes an Active Directory group.

• Set-ADDomainMode sets the domain functional level for an Active Directory domain.

Installation

You can install the Active Directory module by using any of the following methods:

• By default, on a Windows Server 2008 R2 server, when you install the AD DS or Active Directory Lightweight Directory Services (AD LDS) server roles

• By default, when you make a Windows Server 2008 R2 server a domain controller by running Dcpromo.exe

• As part of the Remote Server Administration Tools (RSAT) feature on a Windows Server 2008 R2 server

• As part of the RSAT feature on a Windows 7 computer
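A session that installs the module through the RSAT feature (the third method above) and then works through several rows of the task table: user, group, attribute, lockout, password policy, computer and domain controller management. This is an added example and not course material; it assumes a Windows Server 2008 R2 host with the ServerManager module, and the OU, group, user and domain names are placeholders.

```powershell
# Added example, not part of the 6419B course material. Assumes a Windows Server 2008 R2
# host; the OU, group, user and domain names are placeholders.
Import-Module ServerManager
if (-not (Get-WindowsFeature -Name RSAT-AD-PowerShell).Installed) {
    Add-WindowsFeature -Name RSAT-AD-PowerShell   # the RSAT feature that carries the module
}
Import-Module ActiveDirectory

$ou    = "OU=Sales,DC=contoso,DC=com"   # placeholder
$group = "Sales Users"                  # placeholder
$sam   = "jsmith"                       # placeholder

# User management: create an enabled user with a one-time password that must be changed.
$initialPwd = Read-Host -AsSecureString "Initial password for $sam"
New-ADUser -Name "Jane Smith" -SamAccountName $sam -UserPrincipalName "$sam@contoso.com" `
    -Path $ou -AccountPassword $initialPwd -ChangePasswordAtLogon $true -Enabled $true

# Group management: add the new user, then list the resulting membership.
Add-ADGroupMember -Identity $group -Members $sam
Get-ADGroupMember -Identity $group | Select-Object Name, SamAccountName, objectClass

# Modifying an attribute for multiple users: every user in the OU gets the same department.
Get-ADUser -Filter * -SearchBase $ou | Set-ADUser -Department "Sales"

# Finding locked-out accounts. Report first: many accounts locking out in a short window
# is a password-guessing indicator to investigate before anything is unlocked.
Search-ADAccount -LockedOut | Select-Object Name, SamAccountName, LastLogonDate
Unlock-ADAccount -Identity $sam   # unlock one specific, verified account only

# Password policy: the domain default, and the resultant policy for one user
# (empty when no fine-grained policy applies, meaning the default is in effect).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold, MaxPasswordAge
Get-ADUserResultantPasswordPolicy -Identity $sam

# Computer management: computer accounts that have not logged on for 90 days.
Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan "90.00:00:00" |
    Select-Object Name, LastLogonDate

# Domain controller management: the DCs for the domain and whether each is a global catalog.
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog
```

Every cmdlet here accepts -WhatIf where it changes something, so a first pass with that switch on the New-ADUser, Set-ADUser and Add-ADGroupMember lines shows the full effect on a production OU before anything is written.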


Note: While the Active Directory module for Windows PowerShell must run from a Windows Server 2008 R2 or Windows 7 computer, the actual PowerShell cmdlets can be run against servers that run Windows Server 2003 or Windows Server 2008, provided you have installed the Active Directory Gateway Service on those servers. Active Directory Gateway Service can be downloaded from the following web page:


Lesson 3

Managing User Accounts

In AD DS for Windows Server 2008 and Windows Server 2008 R2, all users who require access to network resources must be configured with a user account. With this user account, users can be authenticated to the AD DS domain and granted access to network resources. As the AD DS administrator, you will need to know how to create and configure user accounts.

Objectives

After completing this lesson, you will be able to:

• Describe a user account object.

• Describe user account password options.

• Describe user account attributes.

• Create and configure user accounts.

• Describe a user account template.


What Is a User Account?

Key Points

A user account is an object that contains all of the information that defines a user on a local Windows Server 2008 machine or in an Active Directory domain. A user account includes the user name and password as well as group memberships. A user account also contains many other settings, which can be configured based on your organizational requirements.

Usage

With a user account, you can perform the following tasks:

• Allow or deny users to log on to a computer based on user account identity.

• Grant users access to processes and services for a specific security context.

• Manage users' access to resources such as AD DS objects and their properties, shared folders, files, directories, and printer queues.

User Accounts and SIDs

From the information provided at the time a security principal (such as a user account) is created, Windows Server 2008 generates an SID and a globally unique identifier (GUID) for the security principal. The internal processes in Windows Server 2008 refer to the SID when a user tries to authenticate in AD DS and when the user tries to access network resources.

Local and Domain User Accounts

As a systems administrator, you must create user accounts to manage your network environment. Domain user accounts enable users to log on to a domain and access resources anywhere on the network. Local user accounts enable users to log on and access resources only on the computer on which you create the local user account.

The following table describes some differences between a local account and an AD DS account:


Local User Accounts

• Can be used to log on only to the computer where the account is created

• Provide access to files only on the local computer

• Stored locally in the local computer's SAM database

AD DS User Accounts

• Can be used to log on to AD DS from any client computer in the forest

• Provide access to shared network resources

• Stored on domain controllers in the AD DS database

Question: List at least one advantage of creating local accounts. List at least one advantage of creating domain accounts.


User Account Password Options

Key Points

User accounts are typically protected and authorized by a password. User accounts have options that dictate how passwords are managed. You can help protect your server environment by customizing password policy settings, including requiring users to change their password regularly, specifying a minimum length for passwords, and requiring passwords to meet certain complexity requirements.

The following table describes the domain's password policy settings, which are controlled by a number of GPO settings related to accounts and passwords. Each entry gives the policy, what it does, and the best practice.

Password must meet complexity requirements
  What it does: Requires passwords to contain a combination of at least three of the following character types: uppercase letters, lowercase letters, numbers, and symbols (punctuation marks); and to not contain the user's user name or screen name.
  Best practice: Enable this setting. These complexity requirements can help ensure a strong password. Strong passwords are more difficult to crack than those containing simple letters or numbers.

Enforce password history
  What it does: Prevents users from creating a new password that is the same as their current password or a recently used password. To specify how many passwords are remembered, provide a value. For example, a value of 1 means that only the last password will be remembered, and a value of 5 means that the previous five passwords will be remembered.
  Best practice: Use a number that is greater than 1. Enforcing password history ensures that passwords that have been compromised are not used repeatedly.


Maximum password age
  What it does: Sets the maximum number of days that a password is valid. After this number of days, the user will have to change the password.
  Best practice: Set a maximum password age of 30–70 days. Setting the number of days too high provides hackers with an extended window of opportunity to crack the password. Setting the number of days too low might be frustrating for users who have to change their passwords too frequently.

Minimum password age
  What it does: Sets the minimum number of days that must pass before a password can be changed.
  Best practice: Set the minimum password age to at least 1 day. By doing so, you require that the user can only change their password once a day. This will help enforce other settings. For example, if the past five passwords are remembered, this will ensure that at least five days must pass before the user can reuse the original password. If the minimum password age is set to 0, the user can change their password six times on the same day and begin reusing the original password on the same day.

Minimum password length
  What it does: Specifies the fewest number of characters a password can have.
  Best practice: Set the length between 8 and 12 characters (provided that they also meet complexity requirements). A longer password is more difficult to crack than a shorter password, assuming the password is not a word or a common phrase.

Store passwords by using reversible encryption
  What it does: Stores the password by using encryption that can be reversed in order for certain applications to verify the password.
  Best practice: Do not use this setting unless you use a program that requires it; enabling this setting decreases the security of stored passwords.

In addition, another group of GPO settings governing account lockout policies is available to control what actions are taken by the operating system if a user repeatedly fails to enter a valid password when logging on to the system. These are known as Account Lockout Policy settings. The following table describes the various Account Lockout policies, again giving the policy, what it does, and the best practice:

Account lockout threshold
  What it does: Specifies the number of failed login attempts allowed before the account is locked out. For example, if the threshold is set to 3, the account will be locked out after a user enters incorrect login information three times.
  Best practice: A setting between 3 and 5 allows for reasonable user error while limiting repeated login attempts for malicious purposes.

Account lockout duration
  What it does: Allows you to specify a time frame, in minutes, after which the account will automatically unlock and resume normal operation. If you specify 0, the account will be locked out indefinitely until an administrator manually unlocks it.
  Best practice: After the threshold has been reached and the account is locked out, the account should remain locked long enough to block or deter any potential attacks, but short enough not to interfere with the productivity of legitimate users. A duration of 30 to 90 minutes should work well in most situations.

Reset account lockout counter after
  What it does: Determines the number of minutes that must elapse after a failed logon attempt before the bad logon attempt counter is reset to 0 bad logons. This policy only has an effect when the Account lockout threshold setting is defined.
  Best practice: Using a time frame between 30 and 60 minutes is sufficient to deter automated attacks as well as manual attempts by an attacker to guess a password.

Note: To access Account Policy settings, click Start, click Run, and type secpol.msc in the Open dialog box. This must be performed on a domain controller to access domain Account Policy settings. Following these steps on a computer that is not configured as a domain controller will open the local security policy for that computer.
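The following script is an added example, not part of the course handbook: it reads the domain's effective default password and lockout policy with the Active Directory module and reports each setting against the best-practice ranges given in the two tables above. It assumes the Active Directory module for Windows PowerShell is installed and that the session has read access to the domain.

```powershell
# Added example (not from the course handbook): audit the default domain
# password and account lockout policy against the handbook's recommended ranges.
# Assumes the Active Directory module is available (Windows Server 2008 R2 / Windows 7).
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param(
        # The object returned by Get-ADDefaultDomainPasswordPolicy. Taking it as a
        # parameter lets the same checks run against a policy captured earlier.
        [Parameter(Mandatory = $true)] $Policy
    )

    # One rule per table row: the setting, the observed value, and a check that
    # returns $true when the value lies inside the handbook's recommended range.
    $rules = @(
        @{ Setting  = 'Password must meet complexity requirements'
           Observed = $Policy.ComplexityEnabled
           Check    = { param($v) $v -eq $true } }
        @{ Setting  = 'Enforce password history (passwords remembered)'
           Observed = $Policy.PasswordHistoryCount
           Check    = { param($v) $v -gt 1 } }
        @{ Setting  = 'Maximum password age (days)'
           Observed = [int]$Policy.MaxPasswordAge.TotalDays
           Check    = { param($v) $v -ge 30 -and $v -le 70 } }
        @{ Setting  = 'Minimum password age (days)'
           Observed = [int]$Policy.MinPasswordAge.TotalDays
           Check    = { param($v) $v -ge 1 } }
        @{ Setting  = 'Minimum password length (characters)'
           Observed = $Policy.MinPasswordLength
           Check    = { param($v) $v -ge 8 -and $v -le 12 } }
        @{ Setting  = 'Store passwords using reversible encryption'
           Observed = $Policy.ReversibleEncryptionEnabled
           Check    = { param($v) $v -eq $false } }
        @{ Setting  = 'Account lockout threshold (attempts; 0 = never lock out)'
           Observed = $Policy.LockoutThreshold
           Check    = { param($v) $v -ge 3 -and $v -le 5 } }
        @{ Setting  = 'Account lockout duration (minutes; 0 = until an admin unlocks)'
           Observed = [int]$Policy.LockoutDuration.TotalMinutes
           Check    = { param($v) $v -ge 30 -and $v -le 90 } }
        @{ Setting  = 'Reset account lockout counter after (minutes)'
           Observed = [int]$Policy.LockoutObservationWindow.TotalMinutes
           Check    = { param($v) $v -ge 30 -and $v -le 60 } }
    )

    foreach ($rule in $rules) {
        if (& $rule.Check $rule.Observed) { $status = 'OK' } else { $status = 'REVIEW' }
        New-Object PSObject -Property @{
            Setting  = $rule.Setting
            Observed = $rule.Observed
            Status   = $status
        }
    }
}

# Run against the domain of the computer executing the script. A REVIEW line
# means the value is outside the range the handbook recommends, which is a
# prompt to look at it, not proof that it is wrong for your organization.
Test-DomainPasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) |
    Format-Table Setting, Observed, Status -AutoSize
```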

Question: What would be the effect on a user's account if the user enters the password incorrectly five times between 10:00 A.M. and 10:25 A.M. with the following settings applied to the account?

• Account lockout threshold: 4

• Account lockout duration: 60 minutes

• Reset account lockout after: 30 minutes


User Account Attributes

Key Points

User account attributes contain the functional details of a user account, and they control how the user interacts with the environment. User account attributes include organizational information about the user such as job title, department, or company; environment-related information like account profile and logon script location; and access and privilege-related information like group membership, remote control and dial-in access information. User account attributes can be accessed within Active Directory Users and Computers by double-clicking a user account object or right-clicking the object and clicking Properties.

The following lists the most commonly used user account sections:

• General. The General tab contains personal information about the user, such as the name, description, office location, and other contact information.

• Account. The Account tab contains the user account information such as logon name, logon hours, password, and account expiration information.

• Profile. The Profile tab contains information regarding the user account's profile location, logon script, and home folder.

• Organization. The Organization tab contains information regarding a user's organizational information like job title, department, and company. You can also set the user's manager by linking to the manager's user account. This page also contains a list of other user accounts that have selected the current user account as their manager.

• Member Of. The Member Of tab contains a list of the groups to which the user account belongs.

• Dial-in. The Dial-in tab allows you to set information related to dial-in network access.


Demonstration: Configuring User Accounts

Key Points

In this demonstration, you will see how to:

• Create and configure an AD DS user account by using Active Directory Users and Computers.

• Configure an AD DS user account by using Active Directory Administrative Center.

• Create and configure an AD DS user account by using Windows PowerShell.

Demonstration Steps:

Create and configure an AD DS user account by using Active Directory Users and Computers

1. Open Active Directory Users and Computers.

2. Create a new user account for David Jones and move the account to the Marketing OU.

3. Make David Jones a member of the Contoso\Marketing group.

Configure an AD DS user account by using Active Directory Administrative Center

1. Open Active Directory Administrative Center.

2. Navigate to the Marketing OU.

3. Make David Jones a member of the Contoso\Research group.

Create and configure an AD DS user account by using Windows PowerShell

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Active Directory Module for Windows PowerShell.

2. To create a new user, type the following (Note: By default, the user will be created in the Users container, if no other option is specified):

New-ADUser -name TestUser1 -department IT -city "New York" -organization "Contoso"


3. To move the user to another organizational unit, type the following:

get-aduser -filter 'Name -eq "TestUser1"' | move-adobject -targetpath "ou=IT,dc=contoso,dc=com"

4. To set the password and enable TestUser1, type the following:

# Single quotes keep the literal $$ in the password; inside double quotes PowerShell would expand it.
Set-ADAccountPassword testuser1 -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force)

get-aduser -filter 'Name -eq "TestUser1"' | enable-adaccount


What Is User Account Template?

Key Points

A user account template is a user account that has commonly used settings and properties already configured. You can use user account templates to simplify the process of creating domain user accounts. Consider the following points:

• To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority.

• To prevent a particular user from logging on for security reasons, you can disable user accounts rather than deleting user accounts.

• By creating disabled user accounts with common group memberships, you can use disabled user accounts as account templates to simplify and secure user account creation.

• Information such as logon hours and groups is retained when a new user is created from a template, but the Description and Office attributes are not replicated.

• Additional attributes can be viewed and modified in the Active Directory Schema MMC snap-in.
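The following script is an added example, not part of the course handbook: it carries out the PowerShell demonstration above as one function, creating a new user from a disabled template account so that logon hours and group memberships are carried over while Description and Office are not. It assumes the Active Directory module is loaded and that you hold the rights listed above; the template, user and OU names are constructed.

```powershell
# Added example (not from the course handbook): create a domain user from a
# disabled template account. Assumes the Active Directory module is loaded;
# every account and OU name used below is constructed.
Import-Module ActiveDirectory

function New-ADUserFromTemplate {
    param(
        [Parameter(Mandatory = $true)] [string] $TemplateSamAccountName,
        [Parameter(Mandatory = $true)] [string] $SamAccountName,
        [Parameter(Mandatory = $true)] [string] $GivenName,
        [Parameter(Mandatory = $true)] [string] $Surname,
        [Parameter(Mandatory = $true)] [string] $Path,   # target OU distinguished name
        [Parameter(Mandatory = $true)] [System.Security.SecureString] $AccountPassword
    )

    # Read the attributes a copy is meant to keep (logon hours, group memberships)
    # plus the organization and profile fields. Description and Office are
    # deliberately not read, matching the note that they are not replicated.
    $template = Get-ADUser -Identity $TemplateSamAccountName `
        -Properties Department, Company, Title, ScriptPath, HomeDrive, logonHours, MemberOf

    # A template should be a disabled account; refuse to copy from a live user.
    if ($template.Enabled) {
        throw "'$TemplateSamAccountName' is enabled and therefore not a template account."
    }

    $domain = Get-ADDomain
    $params = @{
        Name                  = "$GivenName $Surname"
        SamAccountName        = $SamAccountName
        UserPrincipalName     = "$SamAccountName@$($domain.DNSRoot)"
        GivenName             = $GivenName
        Surname               = $Surname
        Path                  = $Path
        AccountPassword       = $AccountPassword
        ChangePasswordAtLogon = $true   # the user replaces the initial password at first logon
        Enabled               = $true
    }
    # Copy only the organization/profile attributes the template actually has set.
    foreach ($attr in 'Department', 'Company', 'Title', 'ScriptPath', 'HomeDrive') {
        if ($template.$attr) { $params[$attr] = $template.$attr }
    }

    $user = New-ADUser @params -PassThru

    # logonHours is a binary attribute, so it is copied with -Replace after creation.
    if ($template.logonHours) {
        Set-ADUser -Identity $user -Replace @{ logonHours = $template.logonHours }
    }

    # Group membership is a back-link, not an attribute you can set on the user:
    # add the new account to each group the template belongs to.
    foreach ($groupDn in $template.MemberOf) {
        Add-ADGroupMember -Identity $groupDn -Members $user
    }
    return $user
}

# Usage with constructed names: copy the disabled _MarketingTemplate account into
# an enabled account for David Jones in the Marketing OU.
New-ADUserFromTemplate -TemplateSamAccountName '_MarketingTemplate' `
    -SamAccountName 'djones' -GivenName 'David' -Surname 'Jones' `
    -Path 'OU=Marketing,DC=contoso,DC=com' `
    -AccountPassword (Read-Host -Prompt 'Initial password' -AsSecureString)
```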


Lesson 4

Managing Computer Accounts

In AD DS, computers are security principals just like users and groups. This means that computers must have accounts and passwords. To be fully authenticated by AD DS, a user must have a valid user account, and the user must also log on to the domain from a computer that has a valid computer account. All computers must have computer accounts created in AD DS to be an active, fully functional member of the domain.

Objectives

After completing this lesson, you will be able to:

• Describe requirements for joining a computer to the domain.

• Perform an offline domain join.

• Describe the tools used to automate computer account creation.

• Perform computer account management tasks.


Considerations for Joining a Computer to a Domain

Key Points

There are three key points to consider when joining a computer to an Active Directory domain:

• A computer object is created in AD DS. This object can be created ahead of time, or if no matching account has been created in AD DS, the account will be created automatically by the domain join process.

• You must have appropriate permissions in the domain to create computer objects in AD DS.

• Only members of the local Administrators group can change a computer's domain or workgroup membership.

A Computer Object Must Be Created in the Directory Service

When a computer is joined to the domain, a computer object is created in the Active Directory database and assigned a unique SID. It is extremely important to consider where you will store this computer within your domain, including the following locations:

• The Default Computers Container

When you create a domain, the Computers container is created by default (CN=Computers). This container is not an OU; it is an object belonging to the container class. There are subtle but important differences between a container and an OU: you cannot create an OU within a container, so you cannot subdivide the Computers container. Moreover, you cannot link a Group Policy object to a container. Therefore, it is best practice to create custom OUs to host computer objects instead of using the Computers container.

• OUs for Computers

Most organizations create at least two OUs for computer objects: one to host computer accounts for client computers—desktops, laptops, and other user systems—and another for servers. These two OUs are in addition to the Domain Controllers OU created by default during the installation of Active Directory. In each of these OUs, computer objects would be created prior to a computer joining the domain. When the computer joins the domain, the computer is associated with the pre-created account. There is no technical difference between a computer object in a client's OU and a computer object in a server's or domain controller's OU. But, separate OUs are typically created to provide unique scopes of management so that you can delegate management of client objects to one team and management of server objects to another.

You Must Have Appropriate Permissions in the Domain to Create Computer Objects in AD DS

By default, the Enterprise Admins, Domain Admins, Administrators, and Account Operators groups have permission to create computer objects in any new OU. However, tightly restrict membership in the first three groups.

You should delegate the permission to create computer objects to appropriate administrators or support personnel. The permission required to create a computer object is Create Computer Objects. This permission, assigned to a group for an OU, allows members of the group to create computer objects in that OU. For example, you might allow your desktop support team to create computer objects in the clients OU and allow your file server administrators to create computer objects in the file servers OU.

Only Members of the Local Administrators Group Can Change a Computer's Domain or Workgroup Membership

When the domain join process is initiated, the user initiating the join must be a member of the Administrators group on the computer that is being joined to the domain to modify the computer's domain or workgroup membership.


What Is Offline Domain Join?

Key Points

Offline domain join is a new process that can be used by computers running Windows 7 or Windows Server 2008 R2 to join a domain without contacting a domain controller. This makes it possible to join computers to a domain in locations where there is no connectivity to a domain controller.

A domain join establishes a trust relationship between a Windows computer and an Active Directory domain. This operation requires state changes to both AD DS and the computer that is joining the domain. In the past, a computer had to be able to establish network connectivity with a domain controller for the domain before initiating the join process. Offline domain join provides the following advantages over the previous requirements:

• The Active Directory state changes are completed without any network traffic to the computer or domain controller.

• Each set of changes (computer and domain controller) can be completed at a different time.

Requirements for Offline Domain Join

You perform an offline domain join by using a new tool named Djoin.exe. You use Djoin.exe to provision computer account data into AD DS. You also use it to insert the computer account data into the Windows directory of the destination computer, which is the computer that you want to join to the domain. The following sections explain operating system requirements and credential requirements for performing an offline domain join.

The offline domain join does not have to be completed within a specific time period. The computer account that is provisioned remains in AD DS unless an administrator intervenes. However, many organizations run scripts every 30 to 60 days to clean up stale or unused computer accounts.

Operating System Requirements

You can run Djoin.exe only on computers that run Windows 7 or Windows Server 2008 R2. The computer on which you run Djoin.exe to provision computer account data into AD DS must be running Windows 7 or Windows Server 2008 R2. The computer that you want to join to the domain must also be running Windows 7 or Windows Server 2008 R2.

Note: It is important to note that the computer being provisioned and the computer from where Djoin.exe is being executed do not have to be the same computer. In most cases, offline domain join is done from a server or an administrative workstation prior to computers being ready to join the domain.

By default, the Djoin.exe commands target a domain controller that runs Windows Server 2008 R2. However, you can specify an optional /downlevel parameter if you want to target a domain controller that is running a version of Windows Server that is earlier than Windows Server 2008 R2.

To perform an offline domain join, you must have the rights that are necessary to join workstations to the domain. Members of the Domain Admins group have these rights by default. If you are not a member of the Domain Admins group, a member of the Domain Admins group must complete one of the following actions to enable you to join workstations to the domain.

Using Djoin.exe to Perform an Offline Domain Join

To perform an offline domain join for a computer named NYC-CL1 to the Contoso domain, perform the following steps:

1. On a Windows Server 2008 R2 or Windows 7 machine that is connected to the Contoso domain, execute the following command from an administrative command prompt:

Djoin /provision /domain "Contoso" /machine "NYC-CL1" /savefile blob.txt

2. Copy the blob.txt file to the NYC-CL1 client computer.

3. On the NYC-CL1 client computer, execute the following command from an administrative command prompt in the same folder where blob.txt is stored:

Djoin /requestODJ /loadfile blob.txt /windowspath %systemroot% /localos

After this command, the offline domain join process is complete. The computer name configuration for NYC-CL1 will show that it is a member of the Contoso domain. The next time NYC-CL1 contacts a domain controller from the Contoso domain, the domain join process will be completed, and NYC-CL1 will become a fully functioning member of the domain.


Tools Used to Automate Computer Account Creation

Key Points

While the Active Directory Administrative snap-ins and the Active Directory Administrative Center provide convenient, easy-to-use tools for managing Active Directory infrastructure, there are certain tasks for which a point-and-click GUI is too cumbersome or tedious.

Windows Server 2008 provides a number of tools that you can use to create or modify multiple computer accounts automatically in AD DS. Some of these tools require that you use a text file containing information about the computer accounts that you want to create. You also can create Windows PowerShell scripts to add objects or make changes to Active Directory objects.

DSAdd.exe

The DSAdd command is used to create objects in AD DS. To create computer objects, simply type:

dsadd computer ComputerDN

where ComputerDN is the distinguished name (DN) of the computer, such as CN=NYC-CL2,OU=NYC,OU=Client Computers,DC=contoso,DC=com.

The DSAdd Computer command can take the following optional parameters after the DN:

• -samid ComputerName

• -desc Description

• -loc Location

NetDom.exe

The NetDom command can also perform a variety of domain account and security tasks from the command prompt, including creating a computer account by typing the following command:


netdom add ComputerName /domain:DomainName [/ou:"OUDN"] [/UserD:DomainUsername /PasswordD:DomainPassword]

This command creates the computer account for ComputerName in the domain indicated by the /domain option by using the credentials specified by /UserD and /PasswordD. The /ou option causes the object to be created in the OU specified by the organizational unit distinguished name (OUDN) following the option. If no OUDN is supplied, the computer account is created in the default Computers container.

CSVDE and LDIFDE

Both CSVDE and LDIFDE allow you to import data from flat files into your Active Directory domain. CSVDE imports data contained in Comma Separated Value format, and LDIFDE uses the Lightweight Directory Access Protocol Data Interchange Format.

The basic syntax of the CSVDE command is:

csvde [-i] [-f " Filename "] [-k]

The basic syntax of the LDIFDE command is similar to that of the CSVDE command:

ldifde [-i] [-f " Filename "] [-k]

Windows PowerShell
As previously discussed in this lesson, the Active Directory module for Windows PowerShell provides a large number of cmdlets for administering Active Directory.

The Add-Computer and New-ADComputer cmdlets are the two most commonly used cmdlets for adding new computers to the domain.

Add-Computer
The Add-Computer cmdlet is used to join a computer to a domain. The following command joins the local computer to the Contoso.com domain and places the computer in the Production OU.

Add-Computer -DomainName Contoso -OUPath 'OU=Production,DC=Contoso,DC=COM'

New-ADComputer
The New-ADComputer cmdlet simply creates a computer account in the domain, just as you would when prestaging computer accounts. The following command adds the computer account named NYC-CL1 to the Marketing OU in the Contoso.com domain.

New-ADComputer -Name NYC-CL1 -SamAccountName NYC-CL1 -Path 'OU=Marketing,DC=Contoso,DC=COM'

Note: Remember, the Active Directory module for Windows PowerShell is available on Windows Server 2008 R2 and Windows 7 computers.

Windows System Image Manager (SIM)
Windows SIM helps you automate the process of deploying computers into your domain. One of the functions of Windows SIM is to generate unattend.xml automated installation files, which can include the information needed for the domain join, thereby including the domain-join process in your automated deployment.
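The tools above are most useful when many accounts must be prestaged at once. The following script is an added example, not part of the course text, that reads a constructed CSV of computers and creates each account in its target OU with New-ADComputer, skipping names that already exist or exceed the NetBIOS limit. It assumes the Active Directory module is installed and that the OUs named in the CSV exist.

```powershell
# Added example: prestage computer accounts in bulk from CSV input.
# Assumed: Active Directory module available (Windows Server 2008 R2 / RSAT),
# the OU paths in the CSV exist, and the caller may create computer objects.
Import-Module ActiveDirectory

# Constructed sample input; in practice this would come from Import-Csv.
$csvText = @'
Name,OUPath,Description,Location
NYC-CL5,"OU=Finance,DC=contoso,DC=com",Finance desktop,New York - Floor 12
NYC-CL6,"OU=Finance,DC=contoso,DC=com",Finance desktop,New York - Floor 12
NYC-CL2,"OU=NYC,OU=Client Computers,DC=contoso,DC=com",Marketing laptop,New York - Floor 3
'@
$computers = $csvText | ConvertFrom-Csv

function Add-PrestagedComputer {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [PSObject] $Row
    )
    process {
        $name = $Row.Name.Trim().ToUpper()
        $ou   = $Row.OUPath

        # NetBIOS computer names are limited to 15 characters.
        if ($name.Length -gt 15) {
            Write-Warning "Skipping '$name': name exceeds 15 characters."
            return
        }

        # Skip names that already exist anywhere in the domain, so re-running the
        # same file neither fails halfway nor creates duplicate objects.
        $existing = Get-ADComputer -Filter "Name -eq '$name'"
        if ($existing) {
            Write-Warning "Skipping '$name': already exists at $($existing.DistinguishedName)."
            return
        }

        # Confirm the target OU exists before creating the object in it.
        try {
            Get-ADOrganizationalUnit -Identity $ou -ErrorAction Stop | Out-Null
        } catch {
            Write-Warning "Skipping '$name': OU '$ou' not found."
            return
        }

        if ($PSCmdlet.ShouldProcess($name, "Create computer account in $ou")) {
            # The account is created enabled so the desktop support team can join
            # the physical machine to it later. New-ADComputer appends the trailing
            # '$' to the SamAccountName itself.
            New-ADComputer -Name $name `
                           -SamAccountName $name `
                           -Path $ou `
                           -Description $Row.Description `
                           -Location $Row.Location `
                           -Enabled $true
            Write-Verbose "Created $name in $ou"
        }
    }
}

# Dry run first (-WhatIf shows what would be created), then the real run.
$computers | Add-PrestagedComputer -WhatIf
$computers | Add-PrestagedComputer -Verbose
```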


Managing Computer Accounts

Key Points
After a computer account is created in AD DS, there are several management tasks that may need to be performed on the computer account during its membership in the domain.

Adding Computer Accounts
You have already learned about several ways to add or create computer accounts within a domain. Creating a computer account object in a domain allows you to administer the computer attached to that account within AD DS. Tasks such as assigning domain-based Group Policy settings, controlling access to computers, and delegating other administrative tasks require the computer to have an account registered in the domain.

Modifying Computer Account Attributes
The most commonly used properties for computer accounts in AD DS are the Location and Managed By properties. To maintain computers, you must be able to find their physical location. The following is a description of the Location and Managed By properties:

• The Location property can be used to document the computer's physical location in your network.

• The Managed By property lists the individual responsible for the computer. This information can be useful when you have a data center with servers for different departments and you need to perform maintenance on a server. You can call or send an email message to the person who is responsible for the server before you perform maintenance on it.

Deleting Computer Accounts
As your computing environment changes, old computers are replaced by new computers and are no longer used in the domain. Even though these computers may be decommissioned and disconnected from the network, their computer accounts remain in the Active Directory database until they are deleted. Although deleting a computer account as soon as the decommissioned computer is disconnected from AD DS is a best practice, it is sometimes forgotten or not done properly.


As a result, deletion of computer accounts is typically a regular or scheduled maintenance task performedwithin a domain.

Disabling Computer Accounts
After an account has been created for a computer, and that computer has joined the domain and registered with AD DS, the physical computer and the account are connected. The computer account will be assigned permissions and privileges and placed in an appropriate OU.

Disabling a computer account prevents that computer from authenticating to the domain. If you have computers in your environment that are disconnected from the network for an extended period of time, disabling their computer accounts prevents the accounts from being misused for unauthorized access, and it preserves any modifications to the computer account within AD DS, such as permissions, location, and other properties. When the computer is reconnected to the network, the account can be enabled, and the computer will operate exactly as it did before it was disconnected from the domain.

Resetting Computer Accounts
When a computer is joined to a domain, the computer and the domain establish a shared secret password that is used to authenticate the computer to the domain. This password is stored by both the computer and the domain controllers for the domain. Each time the computer attempts to connect to the domain, the password is exchanged between the computer and the domain. Under certain circumstances, the passwords stored in the two locations may conflict, resulting in the computer being unable to authenticate to the domain.

Resetting a computer account resets this password and forces the computer to rejoin the domain, resynchronizing the password between the computer and the domain in the process.
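The deleting, disabling, and resetting tasks above are routine maintenance, and the usual approach is to disable stale accounts first and delete them only after a review. The following script is an added example, not part of the course text: it finds computer accounts that have not logged on for a chosen number of days, disables them (keeping their OU and attributes for a later re-enable), stamps the reason in the Description attribute, and emits a report. The 90-day window, OU path and report file name are assumptions.

```powershell
# Added example: a stale computer account sweep that disables rather than deletes.
# Assumed: Active Directory module available; the caller may modify computer objects.
Import-Module ActiveDirectory

function Disable-StaleComputerAccount {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Inactivity window after which an account is considered stale (constructed default).
        [int] $InactiveDays = 90,
        # Limit the sweep to one OU; omit to search the whole domain.
        [string] $SearchBase,
        # Account names the sweep must never touch (constructed list).
        [string[]] $Exclude = @()
    )

    $params = @{ AccountInactive = $true; ComputersOnly = $true
                 TimeSpan = (New-TimeSpan -Days $InactiveDays) }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    # Search-ADAccount uses lastLogonTimestamp, which replicates with a lag (14 days
    # by default), so treat it as an approximate inactivity signal, not an exact one.
    $stale = Search-ADAccount @params |
             Where-Object { $_.Enabled -and ($Exclude -notcontains $_.Name) }

    foreach ($acct in $stale) {
        $computer = Get-ADComputer -Identity $acct.DistinguishedName `
                                   -Properties Description, LastLogonDate, OperatingSystem

        # Domain controller accounts are never part of this sweep.
        if ($computer.DistinguishedName -like '*OU=Domain Controllers,*') { continue }

        $note = "Disabled $(Get-Date -Format 'yyyy-MM-dd') by stale-account sweep; " +
                "last logon $($computer.LastLogonDate)"

        if ($PSCmdlet.ShouldProcess($computer.Name, 'Disable stale computer account')) {
            Disable-ADAccount -Identity $computer
            # Append to, rather than replace, any existing description so nothing is lost
            # when the account is re-enabled.
            $newDesc = if ($computer.Description) { "$($computer.Description) | $note" } else { $note }
            Set-ADComputer -Identity $computer -Description $newDesc
        }

        # One record per account for the change log (New-Object keeps this PS 2.0 compatible).
        New-Object PSObject -Property @{
            Name          = $computer.Name
            OU            = ($computer.DistinguishedName -split ',', 2)[1]
            LastLogonDate = $computer.LastLogonDate
            OS            = $computer.OperatingSystem
            Action        = 'Disabled'
        }
    }
}

# Review first with -WhatIf, then apply and keep the report.
$base = 'OU=Client Computers,DC=contoso,DC=com'   # assumed OU
Disable-StaleComputerAccount -InactiveDays 90 -SearchBase $base -WhatIf
Disable-StaleComputerAccount -InactiveDays 90 -SearchBase $base |
    Export-Csv -Path .\stale-computers.csv -NoTypeInformation

# A returning computer is restored exactly as it was by re-enabling the account:
# Enable-ADAccount -Identity 'CN=NYC-CL5,OU=Finance,DC=contoso,DC=com'

# On the client, the password conflict described above shows up as a broken secure
# channel; -Repair resets the machine password and resynchronizes it with the domain.
# Test-ComputerSecureChannel -Verbose
# Test-ComputerSecureChannel -Repair -Credential (Get-Credential CONTOSO\Administrator)
```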


Lab A: Creating and Managing User and Computer Accounts

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V™ Manager.

2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

5. Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on until directed to do so.

Lab Scenario
Contoso, Ltd. is expanding its operations and creating a new Finance department. You have been asked to create the appropriate objects in AD DS so that the Finance department can begin operation as scheduled next month.


Exercise 1: Creating and Configuring User Accounts
The Finance department has two new users, Eva Corets and Mark Steele. You have been asked to create an OU for the Finance department in the root of the Contoso.com domain, where the user accounts will be stored, and to create user account objects for Eva and Mark configured as follows:

• User account name: User's first name

• Password: Pa$$w0rd

• Do not prompt for password change at next logon

• Department: Finance

After the accounts are properly set up, you have been asked to test them to ensure that the users can logon and then disable the accounts until Eva and Mark begin their jobs next month.

The main tasks are as follows:

1. Create the Finance OU.

2. Create a user account template for the Finance users.

3. Create new accounts for Eva and Mark.

4. Confirm the functionality of user accounts.

5. Disable the new user accounts.

Task 1: Create the Finance OU
1. On NYC-DC1, from Administrative Tools, open Active Directory Module for Windows PowerShell.

2. Create a new Finance OU in the root of the Contoso domain by using the New-ADOrganizationalUnit cmdlet.

New-ADOrganizationalUnit -Name Finance -Path "DC=CONTOSO,DC=COM"

3. Close the command prompt.

Task 2: Create a user template account for the Finance users
1. On NYC-DC1, open Active Directory Users and Computers.

2. Create a user account in the Finance OU with the following properties:

Property Value

First name Finance

Last name Template

Full name Finance Template

User logon name Finance Template

Password Pa$$w0rd

User must change password at next logon Not Selected


Account is disabled Selected

Department Finance

Task 3: Create new accounts for Eva and Mark
1. Create an account for Eva Corets by copying the Finance template and using the following account properties.

Property Value

First name Eva

Last name Corets

Full name Eva Corets

User logon name Eva

Password Pa$$w0rd

Account is disabled Not Selected

2. Create an account for Mark Steele by copying the Finance template and using the following accountproperties.

Property Value

First name Mark

Last name Steele

Full name Mark Steele

User logon name Mark

Password Pa$$w0rd

Account is disabled Not Selected

3. Close the Active Directory Users and Computers window.

Task 4: Confirm the functionality of user accounts

1. Switch to the 6419B-NYC-CL1 virtual machine.

2. On NYC-CL1, log on as Contoso\Eva with a password of Pa$$w0rd.

3. Log off of NYC-CL1.

4. On NYC-CL1, log on as Contoso\Mark with a password of Pa$$w0rd .

5. Log off of NYC-CL1.


Task 5: Disable the new user accounts
1. Switch to the 6419B-NYC-DC1 virtual machine.

2. On NYC-DC1, open Active Directory Administrative Center .

3. In the Active Directory Administrative Center window, click Contoso (Local) in the left pane, andthen double-click Finance OU in the middle pane.

4. Disable the accounts for Eva Corets and Mark Steele.

Results: At the end of the exercise, you created and configured user accounts.
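The same exercise can be carried out entirely from the Active Directory module on NYC-DC1. The script below is an added example, not part of the lab text: it creates the Finance OU, a disabled template user, copies the template for Eva and Mark with New-ADUser -Instance, checks the result from the DC side, and finally disables both accounts. The template's logon name (FinanceTemplate, without the space) and the UPN suffix contoso.com are assumptions.

```powershell
# Added example: Lab A, Exercise 1 performed with the Active Directory module.
# Assumed: the Finance OU does not exist yet and the caller can create objects
# in the domain root.
Import-Module ActiveDirectory

$domainDN  = 'DC=CONTOSO,DC=COM'
$financeOU = "OU=Finance,$domainDN"
# Lab password; single quotes keep PowerShell from expanding "$$w0rd".
$password  = ConvertTo-SecureString 'Pa$$w0rd' -AsPlainText -Force

# Task 1: the Finance OU in the domain root.
New-ADOrganizationalUnit -Name Finance -Path $domainDN

# Task 2: a disabled template user carrying the attributes every Finance user shares.
New-ADUser -Name 'Finance Template' -GivenName Finance -Surname Template `
           -SamAccountName 'FinanceTemplate' -UserPrincipalName 'FinanceTemplate@contoso.com' `
           -Path $financeOU -Department Finance `
           -AccountPassword $password -ChangePasswordAtLogon $false -Enabled $false

# Task 3: copy the template for each new user. -Instance copies the template's
# attributes (here Department); name, logon name, password and enabled state are
# given per user and override whatever the template holds.
function New-FinanceUserFromTemplate {
    param(
        [Parameter(Mandatory = $true)] [string] $GivenName,
        [Parameter(Mandatory = $true)] [string] $Surname
    )
    # Department must be requested explicitly or it is not part of the instance.
    $template = Get-ADUser -Identity FinanceTemplate -Properties Department
    New-ADUser -Instance $template `
               -Name "$GivenName $Surname" -GivenName $GivenName -Surname $Surname `
               -SamAccountName $GivenName -UserPrincipalName "$GivenName@contoso.com" `
               -Path $financeOU -AccountPassword $password `
               -ChangePasswordAtLogon $false -Enabled $true
}
New-FinanceUserFromTemplate -GivenName Eva  -Surname Corets
New-FinanceUserFromTemplate -GivenName Mark -Surname Steele

# Task 4 (DC-side check): both accounts exist, are enabled, and inherited Department.
Get-ADUser -Filter "Department -eq 'Finance'" -SearchBase $financeOU -Properties Department |
    Select-Object Name, SamAccountName, Enabled, Department

# Task 5: park the accounts until the users start next month.
Disable-ADAccount -Identity Eva
Disable-ADAccount -Identity Mark
```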


Exercise 2: Creating and Configuring Computer Accounts
The Finance department will also be using two computers, NYC-CL5 and NYC-CL6. Both computers will be arriving with Eva and Mark in New York when they begin their jobs. You need to prestage the computer accounts in the Finance OU so that the desktop support team can join the computers to the domain after they are configured.

The main tasks are as follows:

1. Create computer accounts by using Active Directory management tools.

2. Configure computer account attributes.

Task 1: Create computer accounts by using Active Directory management tools
1. On NYC-DC1, open Active Directory Users and Computers.

2. In the Computers container, create a new computer object named NYC-CL5.

3. Close the Active Directory Users and Computers window.

4. On NYC-DC1, open Active Directory Module for Windows PowerShell .

5. At the command prompt, type the following command:

New-ADComputer -Name NYC-CL6 -SamAccountName NYC-CL6 -Path 'CN=Computers,DC=CONTOSO,DC=COM'

6. Close the command prompt window.

Task 2: Configure computer account attributes
1. Open Active Directory Administrative Center.

2. In the Active Directory Administrative Center window, click Contoso (Local) in the left pane, andthen double-click the Computers container in the middle pane.

3. Move NYC-CL5 and NYC-CL6 to the Finance OU.

4. Close the Active Directory Administrative Center window.

Results: In this exercise, you configured computer account attributes.


Lesson 5

Managing Groups

Groups allow you to collect items and manage them as a single entity. The implementation of group management in Active Directory is designed to support large, distributed environments, so it includes different types of groups for grouping Active Directory objects. In this lesson, you will learn the purpose of each of these group types, and you will learn to leverage their capabilities in structuring your Active Directory objects.

Objectives
After completing this lesson, you will be able to:

• Describe the importance of using groups for managing object access.

• Describe how role groups and rule groups can solve manageability and scalability issues.

• Describe Active Directory group types and scope.

• Describe Global Groups.

• Describe Universal Groups.

• Describe Domain Local Groups.

• Identify appropriate group usage.

• Describe group nesting.


Importance of Groups

Key Points
Groups play an important role in the organization of objects within your Active Directory environment and in the assignment of permissions and privileges to those objects.

Access Management without Groups
To better understand groups, their purpose, and their benefits, let us first look at an example of access management without using groups. Imagine that all of the 100 users in the Production department require Read-level access to a shared folder called Production on a file server. It is very time-consuming to assign permissions to each user individually. When new Production people are hired, you must add the new accounts to the access control list (ACL) of the folder. When the accounts are deleted, you must remove the permissions from the ACL to avoid leaving orphaned SIDs in the ACL.

Note: An orphaned SID occurs when an account is deleted but references to the account still exist within the Active Directory database, as when an account's SID is listed on an ACL and the account is deleted. The SID listed in the ACL remains there but no longer points to a valid Active Directory object.

Imagine now that all of the 100 users in the Production department require Read access to three shared folders, each on a different server. This can cause significant management issues: you would need to apply permissions 300 times to grant appropriate access to the shared folders.

Benefits of Using Groups
The example of the Production department may seem extreme, because you have no doubt learned that although assigning permissions to a resource for an individual identity—user or computer—is possible, the best practice is to assign a single permission to a group and manage access to the resource by changing the membership of the group.


In our example, a group named ProductionDept could be created and assigned Allow Read permission onthe Production folder. All of the users from the Production department are placed in this group. Then, youwill have a single point of management for the users. You can add new users to the group, and they willgain access to the shared folder. When you delete an account, it is automatically deleted from the group.This method also avoids orphaned SIDs on the folder’s ACL, because deleted users are automaticallyremoved from groups.

Groups Add Scalability
If the Production department users require Read access to three folders on three separate servers, you could assign the ProductionDept group Allow Read permission on each of the three folders. After you assign the three permissions, the ProductionDept group still provides a single point of management for access to all three shared folders. You can add new Production users to the group, and they will gain access to the three shared folders on the three servers. As previously mentioned, when you delete an account, it is automatically removed from the group, so you will not have orphaned SIDs on your ACLs.


Understanding Role-Based Management Using Groups

Key Points
Role-based management is an important concept to understand if you want to manage your groups effectively and efficiently.

One Type of Group Is Not Enough
Continuing our example, imagine next that it is not only the Production department that requires Read access to the folders. The Executive and Marketing department employees and the production consultant hired by your organization also require Read permission on the same folders.

You could add those groups to the ACL of the folders, granting each of them Allow Read permission. But you will soon end up with an ACL with multiple permissions, this time assigning the Allow Read permission to multiple groups instead of multiple users. To give the three groups and one user permission to the three folders on the three servers, you will have to add twelve permissions. The next group that requires access will require three more changes to grant permissions on the ACLs of the three shared folders.

What if eight users who are not production employees, marketing employees, or executives have abusiness need for Read access to the three folders? Do you add their individual user accounts to the ACLs?If so, that is 24 more permissions to add and manage.

You can see that using only one type of group—a group that defines the business roles of users—quicklybecomes an ineffective way of enabling management of access to the three folders. If the managementrule suggests that three roles and nine additional users require access to the resource, you are assigning atotal of 36 permissions on ACLs. It becomes very difficult to maintain compliance and audit. Even simplequestions such as, "Can you list the users who can read the Production folders?" become difficult toanswer.


Role-Based Management: Role Groups and Rule Groups
The solution is to recognize that there are two types of management that must take place to manage this scenario effectively. You must manage the users as collections based on their business roles. And, separately, you must manage access to the three folders.

The three folders are also a collection of items; they are a single resource—a collection of Production folders—that just happens to be distributed across three folders on three servers. And you are trying to manage Read access to that resource. You need a single point of management with which to manage access to the resource.

This requires another group—a group that represents Read access to the three folders on the threeservers. Imagine that you create a group called ACL_ProductionFolders_Read. This group will be assignedthe Allow Read permission on the three folders. The Production, Marketing, and Executives groups, alongwith individual users, will all be members of the ACL_ProductionFolders_Read group. You assign onlythree permissions—one on each folder, granting Read access to the ACL_ProductionFolders_Read group.

The ACL_ProductionFolders_Read group becomes the focus of access management. As additional groupsor users require access to the folders, they will be added to that group. It also becomes much easier toreport who has access to the folders. Instead of having to examine the ACLs on each of the ten folders,you simply examine the membership of the ACL_ProductionFolders_Read group.

To effectively manage even a slightly complex enterprise, you need two "types" of groups that performtwo distinct purposes:

• Groups that define roles. These groups, referred to as role groups , contain users, computers, and otherrole groups based on common business characteristics, such as location, job type, etc.

• Groups that define management rules. These groups, referred to as rule groups , define how anenterprise resource is being managed.

This approach to managing the enterprise with groups is called role-based management. You define roles of users based on business characteristics (for example, department or division affiliation such as Production, Marketing, and Executives), and you define management rules (for example, the rule that determines which roles and individuals can access the three folders).

You can achieve both management tasks by using groups in a directory. Roles are represented by groups that contain users, computers, and other roles. Roles can include other roles; for example, a Managers role might include the Production Managers, Finance Managers, and Research Managers roles. Management rules, such as the rule that defines and manages Read access to the three folders, are represented by groups as well. Rule groups contain roles and, occasionally, individual users or computers, such as the Production consultant and the eight other users in the example.

The key takeaway is that there are two types of groups: one that defines the role and the other thatdefines how a resource is managed.


Group Type and Scope

Key Points
Groups in Windows Server 2008 have two distinct properties. Group type defines what a group can be used for, and group scope defines how the group interacts with other objects in the domain.

Group Type
A Windows Server 2008 group's type setting defines what the group can be used for within the domain.

• Security groups are used to assign permissions on resources within the domain. Security groups can be attached to the DACL of an object in the domain, such as a shared folder, and given specific access permissions for the resource.

• Distribution groups are used exclusively with email applications such as Microsoft Exchange to send email messages to collections of users. Distribution groups cannot be attached to a DACL. Therefore, they cannot be used to control access to resources.

Note: Security groups can also be used with email applications to group users in the same way that distribution groups can.

Group Scope
Group scope affects each of these characteristics of a group: what it can contain, what it can belong to, and where it can be used.

There are three group scopes available:

• Domain Local

• Global

• Universal

The characteristics that define each scope fall into these categories:


• Replication . Where is the group defined and to what systems is the group replicated?

• Membership . What types of security principals can the group contain as members? Can the groupinclude security principals from trusted domains?

• Availability . Where can the group be used? Is the group available to add to another group? Is thegroup available to add to an ACL?


What Are Global Groups?

Key Points
A global group is a security or distribution group that can contain users, groups, and computers from the same domain as the global group. You can use global security groups to assign user rights, delegate authority to AD DS objects, or assign permissions to resources in any domain in the forest or in any other trusting domain in another forest.

Use groups with global scope to manage directory objects that require daily maintenance, such as userand computer accounts. Because groups with global scope are not replicated outside their own domain,you can change accounts in a group having global scope frequently without generating replication trafficto the global catalog.

The domain functional level must be Windows 2000 native, Windows Server 2003, or Windows Server2008 to create global groups.


What Are Universal Groups?

Key Points
A universal group is a security or distribution group that can contain users, groups, and computers from any domain in its forest. You can use universal security groups to assign user rights and permissions to resources in any domain in the forest.

Changes to the universal groups are registered in the Global Catalog. Therefore, you should not changethe membership of a group with universal scope frequently. Any changes to the membership of this typeof group are replicated to every global catalog server in the forest.

At the Windows 2000 native domain functional level and later, universal groups are available for both distribution and security groups.


What Are Domain Local Groups?

Key Points

A domain local group is a security or distribution group that can contain user accounts from the local domain, any domain in the forest, or any trusted domain. Domain local groups also can contain universal or global groups from any domain in the forest or any trusted domain, and domain local groups from the local domain.

• The domain functional level must be Windows 2000 native or later to create domain local groups.

• Use a domain local group to assign permissions to resources that are located in the same domain as the domain local group. You can put all global groups that have to share the same resources into the appropriate domain local group.

Note: Domain local groups are unrelated to local groups on Windows computers. Local groups are created on the local computer, are stored in the local SAM database, and have no direct connection to AD DS.

Question: How could you provide members of a Sales department who travel frequently between domains in a multi-city company with access to printers on various domains that are managed by domain local groups?
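The membership rules from the three group-scope topics above, written as a checker that a planned nesting can be run against before it is attempted. This is an added example, not course material; the forest and trust layout it assumes (contoso.com, eu.contoso.com, a trusted fabrikam.com) is constructed sample data, and it narrows "groups from the same domain" in the global-group rule to global groups, which is the AD DS rule.

```powershell
# Added example (not from the course). Encodes which objects each AD DS group
# scope may contain, per the global / universal / domain local topics, and runs
# a set of constructed scenarios through the rules.

$ForestDomains   = @('contoso.com', 'eu.contoso.com')   # domains in our forest (constructed)
$TrustedExternal = @('fabrikam.com')                    # trusted domain in another forest (constructed)

function Test-GroupMember {
    # Returns $true when an object of $MemberType from $MemberDomain may be a
    # member of a group of $GroupScope that lives in $GroupDomain.
    param(
        [Parameter(Mandatory=$true)][ValidateSet('Global', 'Universal', 'DomainLocal')]
        [string]$GroupScope,
        [Parameter(Mandatory=$true)][string]$GroupDomain,
        [Parameter(Mandatory=$true)][ValidateSet('User', 'Computer', 'Global', 'Universal', 'DomainLocal')]
        [string]$MemberType,
        [Parameter(Mandatory=$true)][string]$MemberDomain
    )
    $sameDomain = $GroupDomain -eq $MemberDomain
    $inForest   = $ForestDomains -contains $MemberDomain
    $trusted    = $inForest -or ($TrustedExternal -contains $MemberDomain)

    switch ($GroupScope) {
        'Global' {
            # Accounts and other global groups from the group's own domain only;
            # membership is not replicated to the global catalog.
            return $sameDomain -and (@('User', 'Computer', 'Global') -contains $MemberType)
        }
        'Universal' {
            # Accounts, global and universal groups from any domain in the forest;
            # every change is replicated to every global catalog server.
            return $inForest -and (@('User', 'Computer', 'Global', 'Universal') -contains $MemberType)
        }
        'DomainLocal' {
            # Accounts, global and universal groups from the forest or a trusted
            # domain; other domain local groups only from the local domain.
            if ($MemberType -eq 'DomainLocal') { return $sameDomain }
            return $trusted
        }
    }
}

# Constructed scenarios with the answer the rules above should give.
$cases = @(
    @{ Scope='Global';      GroupDomain='contoso.com'; Type='User';        MemberDomain='eu.contoso.com'; Expect=$false }  # cross-domain user in a global group
    @{ Scope='Universal';   GroupDomain='contoso.com'; Type='Global';      MemberDomain='eu.contoso.com'; Expect=$true  }  # AGUDLP: global nested in universal
    @{ Scope='DomainLocal'; GroupDomain='contoso.com'; Type='Global';      MemberDomain='fabrikam.com';   Expect=$true  }  # global group from a trusted forest
    @{ Scope='DomainLocal'; GroupDomain='contoso.com'; Type='DomainLocal'; MemberDomain='eu.contoso.com'; Expect=$false }  # domain local only from the local domain
    @{ Scope='Universal';   GroupDomain='contoso.com'; Type='User';        MemberDomain='fabrikam.com';   Expect=$false }  # account from outside the forest
)
foreach ($c in $cases) {
    $allowed = Test-GroupMember -GroupScope $c.Scope -GroupDomain $c.GroupDomain `
                                -MemberType $c.Type -MemberDomain $c.MemberDomain
    $verdict = if ($allowed -eq $c.Expect) { 'PASS' } else { 'FAIL' }
    '{0} {1,-11} group in {2} <- {3,-11} from {4}: allowed={5}' -f `
        $verdict, $c.Scope, $c.GroupDomain, $c.Type, $c.MemberDomain, $allowed
}
```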


Discussion: Identifying Group Usage

Key Points

Discuss these scenarios with the classroom, led by your instructor.

Scenario 1: A. Datum Corporation has human resources users spread throughout the domain in several different geographic locations, but they require access to the same resources.

Scenario 2: Tailspin Toys has two domains, one for the United States and one for Europe. You want to create a group that enables the centralized help desk to manage resources in both domains.

Scenario 3: A. Datum has users in Sales that are geographically dispersed. They have requested a single unified group that will allow all Sales users to access resources. Membership of the Sales group frequently changes.

Scenario 4: Trey Research has a single domain. They want to create groups for the users in the Sales, IT, and Research departments, so they can easily send email messages to these groups instead of individual users.


What Is Group Nesting?

Key Points

When you use nesting, you add a group as a member of another group. You can use nesting to combine group management. Nesting increases the member accounts that are affected by a single action and reduces replication traffic caused by the replication of changes in group membership.

AGDLP and AGUDLP Best Practices

Best practices for group nesting can be defined by using the AGDLP acronym:

• Accounts

• Global

• Domain Local

• Permissions

In this method, accounts are placed inside of global groups for grouping based on organization roles, such as job function, department, or location (role groups).

These global groups are then placed inside of domain local groups, defined by the type of access being given and the object that permission is being configured for (rule groups). These domain local groups are then assigned the appropriate permissions on the appropriate resources.

The AGUDLP method follows the same guidelines, but is used when universal groups are used to contain AD DS objects from multiple domains or assign permissions to objects across multiple domains. When using AGUDLP, global groups are nested within universal groups to provide for cross-domain usage.

Domain Functional Levels

Group nesting is available when the domain functional level is Windows 2000 native, Windows Server 2003, or Windows Server 2008.


Question: A. Datum has HR users spread throughout the domain in several different geographic locations, but they require access to the same resources. How can nested groups be used to simplify management?

Question: Tailspin Toys has two domains, the United States and Europe. You want to create a group for the centralized Help Desk to manage resources in both domains and reduce the replication traffic between the domains.

Question: At A. Datum, you have to assign permissions to a folder on a member server for a project between Sales, Marketing, and Finance. All users are geographically dispersed. How would you use nesting groups in this scenario?

Question: Trey Research wants to give the HR department permissions to a file share. The user GSmith needs to be added to the HR group. How would you use AGDLP in this scenario?


Lesson 6

Using Queries to Locate Objects in AD DS

Some large organizations have thousands of user accounts in an AD DS domain. Even if these accounts are grouped into different OUs, it can still take some time to find a specific user in the domain. Windows Server 2008 provides several features that allow you to quickly and effectively locate domain objects.

Objectives

After completing this lesson, you will be able to:

• Describe options for locating objects in AD DS.

• Describe how to run and save a query.

• Describe how to use DSQuery and PowerShell to find objects in Active Directory.


locate AD DS objects. For example, dsquery user would be entered to look for a user, whereas dsquery computer, dsquery group, and dsquery ou would query for their respective object types.

The following command searches for users whose names begin with Dan, but only in the Marketing OU:

dsquery user "ou=Marketing,dc=Contoso,dc=com" -name "Dan*"

Locating Objects in Windows Server 2008 R2

Windows Server 2008 R2 provides two more tools that can be used to locate AD DS objects.

Active Directory Administrative Center

The Active Directory Administrative Center provides a user-friendly and powerful search interface called Global Search. You can choose the search term, the scope of the search, and add common criteria from a drop-down list of common search scenarios and commonly searched fields.

Windows PowerShell

The Active Directory module for Windows PowerShell includes options for locating AD DS objects.

The Get-ADObject cmdlet is the most commonly used cmdlet for locating AD DS resources. It allows for robust and powerful searching throughout the Active Directory environment.

The following example demonstrates how to search for all the computer objects in the Contoso.com domain:

Get-ADObject -Filter 'ObjectClass -eq "computer"' -SearchBase 'DC=Contoso,DC=com' -Properties Name,sAMAccountName | FT Name,sAMAccountName

The Get-ADDomainController cmdlet can also be used to locate AD DS objects; it searches for domain controllers based on the criteria provided.


Demonstration: Searching AD DS Using GUI-Based Tools

Key Points

In this demonstration, you will see how to:

• Use sorting in Active Directory Users and Computers to locate AD DS objects.

• Use saved queries in Active Directory Users and Computers to locate AD DS objects.

Demonstration Steps:

Use sorting in Active Directory Users and Computers to locate AD DS objects

1. Open Active Directory Users and Computers.

2. View the contents of the IT OU.

3. Add the First Name column to the view and place it second on the list.

4. Sort the IT OU contents by First Name, both ascending and descending.

Use saved queries in Active Directory Users and Computers to locate AD DS objects

1. Create a new saved query named Starts with C.

2. Define the query to include users whose Name field starts with the letter c.

3. View the results of the query.


Demonstration: Searching AD DS Using Command-Line Tools

Key Points

In this demonstration, you will see how to:

• Use dsquery to locate AD DS objects.

• Use Windows PowerShell to locate AD DS objects.

Demonstration Steps:

1. Open a command prompt.

2. Run the following command:

dsquery user "ou=Marketing,dc=Contoso,dc=com" -name "M*"

3. Open Active Directory Module for Windows PowerShell.

4. Run the following command:

Get-ADObject -Filter 'ObjectClass -eq "computer"' -SearchBase 'DC=Contoso,DC=com' -Properties Name,sAMAccountName | FT Name,sAMAccountName


Lab B: Managing Groups and Locating Objects in AD DS

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V™ Manager.

2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

5. Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on until directed to do so.

Lab Scenario

The Finance department requires access to several folders containing financial documents on several different servers within the Contoso.com domain. You have been asked to create a group structure that will do the following:

1. Group the Finance department users together in one AD DS group.

2. Allow the Finance group to obtain Change access to several folders on company servers. You should be able to easily add other users or groups from the organization to this group. You do not have to configure the actual access; just create the group that will be assigned access.


Also, you have been asked to confirm the following properties of the new AD DS objects created for the Finance department:

1. The Finance OU should contain:

• Eva Corets (user)

• Mark Steele (user)

• Finance Template (user)

• NYC-CL5 (computer)

• NYC-CL6 (computer)

• Finance (group)

2. Eva Corets and Mark Steele’s user accounts should be disabled.

3. Eva Corets and Mark Steele should be members of the Finance Group.


Exercise 1: Implement Role-Based Management Using Groups

You must create a group structure that groups the Finance department users together and allows them to be assigned Change permissions on a number of shared folders located on different servers in the domain. Other users and groups should also be able to be assigned Change permissions on the folders.

The main tasks are as follows:

1. Determine group requirements

2. Use management tools to create AD DS groups

3. Modify group attributes

Task 1: Determine group requirements

1. Answer the questions below to determine how the group structure should be created.

Question: What type of group would you create to group the Finance users together?

Question: How can you create a group structure that gives the Finance department members Change permissions and also allows other users and groups from the organization to easily be assigned these permissions as well?

Task 2: Use management tools to create AD DS groups

1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell.

2. At the command prompt, type the following and press ENTER.

New-ADGroup -Name "Finance" -SAMAccountName Finance -GroupCategory Security -GroupScope Global -DisplayName "Finance Department" -Path "OU=Finance,DC=CONTOSO,DC=COM"

3. At the command prompt, type the following and press ENTER.

New-ADGroup -Name "Finance_Folders_Change" -SAMAccountName FinanceFoldersChange -GroupCategory Security -GroupScope DomainLocal -DisplayName "Change Access to Finance Folders" -Path "OU=Finance,DC=CONTOSO,DC=COM"

4. Close the Active Directory Module for Windows PowerShell window.

Task 3: Modify group attributes

1. Click Start, click Administrative Tools, and then click Active Directory Administrative Center.

2. In the Active Directory Administrative Center window, click Contoso (Local) in the left pane, and then double-click the Finance OU in the middle pane.

3. Click Eva Corets, press and hold the Ctrl key, and then click Mark Steele. Release the Ctrl key, right-click Mark Steele, and then click Add to group.

4. In the Enter the object name to select field, type Finance , and then click Check Names.

5. In the Multiple Names Found window, click Finance, and then click OK.

6. In the Select Groups window, click OK.

7. Close the Active Directory Administrative Center window.

8. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

9. In the Active Directory Users and Computers window, click the Finance OU in the left pane, right-click the Finance_Folders_Change group in the right pane, and then click Properties.


10. In the Finance_Folders_Change Properties window, click the Members tab, and then click the Add button.

11. In the Enter the object name to select field, type Finance, and then click Check Names.

12. In the Multiple Names Found window, click Finance, and then click OK.

13. In the Select Users, Contacts, Computers, Service Accounts or Groups window, click OK.

14. In the Finance_Folders_Change Properties window, click OK.

15. Close the Active Directory Users and Computers window.

Results: In this exercise, you implemented role-based management using groups.
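The AGDLP chain from the "What Is Group Nesting?" topic, applied to the groups this exercise creates, and a check that the chain is intact. This is an added example, not course code: it assumes the Active Directory module on a Windows Server 2008 R2 domain controller and the lab's Finance OU, users and group names; the folder path is a placeholder, not a lab resource, and is only touched if it exists.

```powershell
# Added example (not from the course): A -> G -> DL -> P for the Finance
# department, then a verification of the nesting.
Import-Module ActiveDirectory

function New-AgdlpFinanceStructure {
    param(
        [string]$OuPath     = 'OU=Finance,DC=CONTOSO,DC=COM',
        [string]$RoleGroup  = 'Finance',                 # G: global group of Finance users (role group)
        [string]$RuleGroup  = 'Finance_Folders_Change',  # DL: one access rule on Finance folders (rule group)
        [string]$RuleSam    = 'FinanceFoldersChange',    # sAMAccountName used by the lab for the rule group
        [string]$FolderPath = 'D:\FinanceDocs'           # PLACEHOLDER: a folder on a Contoso file server
    )
    # A -> G: accounts are grouped by role in a global security group.
    $role = Get-ADGroup -Filter "Name -eq '$RoleGroup'" -SearchBase $OuPath
    if (-not $role) {
        $role = New-ADGroup -Name $RoleGroup -SamAccountName $RoleGroup -GroupCategory Security `
            -GroupScope Global -DisplayName 'Finance Department' -Path $OuPath -PassThru
    }
    # G -> DL: the rule group is domain local, so other global groups (including
    # groups from trusted domains) can be added to it later without touching the ACL.
    $rule = Get-ADGroup -Filter "Name -eq '$RuleGroup'" -SearchBase $OuPath
    if (-not $rule) {
        $rule = New-ADGroup -Name $RuleGroup -SamAccountName $RuleSam -GroupCategory Security `
            -GroupScope DomainLocal -DisplayName 'Change Access to Finance Folders' -Path $OuPath -PassThru
    }
    $users = Get-ADUser -Filter "Name -eq 'Eva Corets' -or Name -eq 'Mark Steele'" -SearchBase $OuPath
    Add-ADGroupMember -Identity $role -Members $users
    Add-ADGroupMember -Identity $rule -Members $role

    # DL -> P: Change (Modify) is granted once, to the rule group only; no user
    # or role group ever appears on the folder's ACL directly.
    if (Test-Path $FolderPath) {
        $acl = Get-Acl -Path $FolderPath
        $ace = New-Object System.Security.AccessControl.FileSystemAccessRule `
            ("CONTOSO\$($rule.SamAccountName)", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($ace)
        Set-Acl -Path $FolderPath -AclObject $acl
    }
}

function Test-AgdlpChain {
    # Reports whether the rule group nests the role group, how many users sit on
    # the rule group directly (should be 0 under AGDLP), and which expected users
    # the rule group does not reach through nesting.
    param(
        [string]$RoleGroup = 'Finance',
        [string]$RuleSam   = 'FinanceFoldersChange',
        [string[]]$ExpectedUsers = @('Eva Corets', 'Mark Steele')
    )
    $direct    = @(Get-ADGroupMember -Identity $RuleSam)
    $effective = @(Get-ADGroupMember -Identity $RuleSam -Recursive | ForEach-Object { $_.Name })
    New-Object PSObject -Property @{
        RuleNestsRole     = [bool]($direct | Where-Object { $_.objectClass -eq 'group' -and $_.Name -eq $RoleGroup })
        DirectUsersOnRule = @($direct | Where-Object { $_.objectClass -eq 'user' }).Count
        UnreachedUsers    = @($ExpectedUsers | Where-Object { $effective -notcontains $_ })
    }
}

New-AgdlpFinanceStructure
Test-AgdlpChain | Format-List
```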


Exercise 2: Finding Objects in Active Directory

You must confirm the following by examining the Contoso.com AD DS domain.

• The only Finance-related groups are:

• Finance

• Finance_Folders_Change

• Eva Corets and Mark Steele’s user accounts should be disabled.

• Eva Corets and Mark Steele should be members of the Finance group.

The main tasks are as follows:

1. Create and save an AD DS query

2. Use dsquery to locate AD DS objects.

3. Use Windows PowerShell to locate AD DS objects.

Task 1: Create and save an AD DS query

1. On NYC-DC1, open Active Directory Users and Computers.

2. Right-click Saved Queries and create a new query.

3. Configure the query to find all groups starting with Finance.

4. Expand Saved Queries, and then click the Finance Groups query to confirm the result.

Task 2: Use dsquery to locate AD DS objects

1. Open a command prompt.

2. At the command prompt, type the following command, and then press ENTER.

dsquery user "ou=Finance,dc=Contoso,dc=com" -disabled

3. View the results and confirm that Eva Corets and Mark Steele are listed.

Task 3: Use Windows PowerShell to locate AD DS objects

1. On NYC-DC1, click Start, click Administrative Tools, and then click Active Directory Module for Windows PowerShell.

2. At the command prompt, type the following command and then press ENTER.

Get-ADGroupMember Finance

3. View the results and confirm that Eva Corets and Mark Steele are listed.

Results: In this exercise, you located objects in Active Directory.
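The Lesson 6 search tools (Get-ADObject filters, dsquery, Get-ADGroupMember) applied to the three checks this exercise asks for, as one verification function. This is an added example, not course code; it assumes the Active Directory module, the Contoso.com lab domain and the lab's Finance OU, groups and users.

```powershell
# Added example (not from the course): verifies the Exercise 2 expectations
# from PowerShell and reports anything that does not match.
Import-Module ActiveDirectory

function Test-FinanceObjects {
    param(
        [string]$OuPath           = 'OU=Finance,DC=Contoso,DC=com',
        [string]$GroupPrefix      = 'Finance',
        [string[]]$ExpectedGroups = @('Finance', 'Finance_Folders_Change'),
        [string[]]$ExpectedUsers  = @('Eva Corets', 'Mark Steele')
    )
    # 1. Saved-query equivalent: every group in the domain whose name starts
    #    with the prefix. An LDAP filter with a trailing wildcard does what the
    #    "Starts with" saved query does in Active Directory Users and Computers.
    $domainDN = (Get-ADDomain).DistinguishedName
    $groups = @(Get-ADObject -LDAPFilter "(&(objectClass=group)(name=$GroupPrefix*))" `
                             -SearchBase $domainDN -SearchScope Subtree |
                ForEach-Object { $_.Name })
    $unexpectedGroups = @($groups | Where-Object { $ExpectedGroups -notcontains $_ })

    # 2. "dsquery user ... -disabled" equivalent: disabled user accounts in the OU.
    $disabled = @(Search-ADAccount -AccountDisabled -UsersOnly -SearchBase $OuPath |
                  ForEach-Object { $_.Name })
    $notDisabled = @($ExpectedUsers | Where-Object { $disabled -notcontains $_ })

    # Cross-check with the course's dsquery command; it prints quoted DNs.
    $dsqueryDisabledDNs = @(& dsquery user $OuPath -disabled | ForEach-Object { $_.Trim('"') })

    # 3. Get-ADGroupMember equivalent: both users must be direct members of Finance.
    $members = @(Get-ADGroupMember -Identity $GroupPrefix | ForEach-Object { $_.Name })
    $notMembers = @($ExpectedUsers | Where-Object { $members -notcontains $_ })

    New-Object PSObject -Property @{
        FinanceGroupsFound = $groups
        UnexpectedGroups   = $unexpectedGroups
        NotDisabled        = $notDisabled
        DsqueryDisabledDNs = $dsqueryDisabledDNs
        NotMembers         = $notMembers
        Pass               = ($unexpectedGroups.Count + $notDisabled.Count + $notMembers.Count) -eq 0
    }
}

Test-FinanceObjects | Format-List
```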


To prepare for the next module

When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6419B-NYC-CL1.


Module Review and Takeaways

Review Questions

1. You have two locations connected to each other by a very limited bandwidth network connection. You have domain controllers in both locations and you’re finding that traffic generated between the two domain controllers is causing performance issues on your network connection. What AD DS component that we discussed in this module could be used to alleviate the problem?

2. What tool does Active Directory Administrative Center use in the background to carry out its commands?

3. What are the advantages of using role-based groups and rule-based groups in the same domain environment?

Windows Server 2008 R2 Features Introduced in this Module

Windows Server 2008 R2 feature | Description

New domain and forest functional levels | There are new domain and forest functional levels for Windows Server 2008 R2 that introduce new features to the AD DS infrastructure.

Active Directory Administrative Center | A web-based administrative GUI console that uses Windows PowerShell.

Active Directory Module for Windows PowerShell | A new set of Active Directory-related cmdlets that allow robust interaction with AD DS.

Offline domain join (Djoin.exe) | Allows a Windows 7 or Windows Server 2008 R2 computer to join a domain without contacting a domain controller.


Tools

Tool | Use for | Where to find it

Active Directory Users and Computers | Managing AD DS objects | On the Start button under Administrative Tools

Active Directory Administrative Center | Managing AD DS objects | On the Start button under Administrative Tools

Active Directory Module for Windows PowerShell | Managing AD DS objects using Windows PowerShell cmdlets | On the Start button under Administrative Tools

Djoin.exe | Performing an offline domain join for Windows 7 or Windows Server 2008 R2 computers | Run from the command prompt

DSAdd.exe | Adding AD DS objects | Run from the command prompt

DSQuery.exe | Locating AD DS objects | Run from the command prompt

Netdom.exe | Performing a variety of tasks on AD DS objects | Run from the command prompt

CSVDE and LDIFDE | Performing bulk imports and exports of AD DS data using flat files | Run from the command prompt


Module 8
Configuring Active Directory Object Administration and Domain Trust

Contents:

Lesson 1: Configuring Active Directory Object Administration 8-3

Lab A: Configuring Active Directory Delegation 8-15

Lesson 2: Configuring Active Directory Trusts 8-20

Lab B: Administering Trust Relationships 8-29


Module Overview

Many organizations have a number of administrators that manage various levels of the Active Directory® Domain Services (AD DS) infrastructure. For example, in addition to typical Enterprise and Domain administrators, your organization may have organizational unit (OU) administrators, security group administrators, or users that have rights to perform specific tasks, such as resetting passwords. To ensure a secure and efficient administrative model, it is important to understand how to effectively delegate permissions and rights within the AD DS structure.

A single Active Directory domain may be adequate for many organizations. However, larger organizations typically incorporate multiple domains, or collaborate between multiple Active Directory forests.

This module describes how to configure permissions and delegate administration for Active Directory objects. This module also describes how to configure and manage Active Directory trusts.

Objectives

After completing this module, you will be able to:

• Configure Active Directory object administration.

• Configure Active Directory trusts.


Lesson 1

Configuring Active Directory Object Administration

To effectively manage AD DS, you may need to delegate administrative tasks to specific individuals. By delegating control, you enable these users to perform specific Active Directory management tasks, without granting them more permissions than they need.

This lesson describes how permissions are applied to AD DS objects. This lesson also describes how to delegate permissions to users responsible for managing specific objects within the AD DS structure.

Objectives

After completing this lesson, you will be able to:

• Describe Active Directory object permissions.

• Describe how to determine effective permissions.

• Modify permissions inheritance.

• Delegate AD DS permissions.

• Describe managed service accounts.

• Configure managed service accounts.


Active Directory Object Permissions

Key Points

In Module 3: Configuring Access to File Services, you were introduced to how NTFS file system and shared folder permissions provide access control to secure network resources.

Every container and object within AD DS also has a set of access control information used to control which administrators or users can manage the object. For example, you use permissions to assign privileges for managing an organizational unit or a hierarchy of organizational units, and the objects contained within those organizational units.

To modify permissions for AD DS objects, you use either the Active Directory Users and Computers console or ADSI Edit. To use the Active Directory Users and Computers console, ensure that you have enabled the Advanced Features option found on the View menu.

Note: ADSI Edit should only be used for specific and unique permission modification requirements. Most permission settings should be performed by using Active Directory Users and Computers.

Standard and Advanced Permissions

You can use standard permissions to configure most Active Directory object permissions tasks. Standard permissions are the most commonly used and include permissions such as:

• Full control.

• Read.

• Write.

• Create all child objects.

• Delete all child objects.

• Generate resultant set of policy (logging).


• Generate resultant set of policy (planning).

However, if you need to grant a finer level of permissions, use advanced permissions or special permissions. Use special permissions to set permissions on a particular class of object or individual attributes of an object class. For example, you could grant a user Full Control over the group object class in a container, just grant the user the ability to modify group memberships in a container, or just grant the user the permissions needed to change a single attribute, such as the phone number, on all user accounts.

When you configure permissions on an AD DS object, consider the following.

Action: Configure Allow or Deny permissions.

• Selecting the Allow permission enables the security principal to perform the specific action.

• Selecting the Deny permission prohibits the security principal from performing a specific action.

• Denied permissions take precedence over any permission that you otherwise allow to user accounts and groups. You should use Deny permissions only when it is necessary to remove a permission that a user is granted by being a particular group's member. For example, it might be necessary to prevent a user named Don from viewing the properties of a user object. However, Don is a member of the Marketing group, which has permissions to view the properties of the user object. You can prevent Don from viewing the properties of the user object by explicitly denying Read permission to him.

Action: When permission to perform an operation is not allowed, it is implicitly denied.

• For example, if the Marketing group is granted Read permission for an OU, and no other security principal is listed in the discretionary access control list (DACL) for that object, users who are not members of the Marketing group are implicitly denied access. The operating system does not allow users who are not members of the Marketing group to read the properties of the OU object.

Action: By default, permission inheritance is enabled for AD DS objects.

• Inherited permissions are those that are propagated to an object from a parent object. Inherited permissions ease the task of managing permissions and ensure consistency of permissions among all objects within a given container. For example, if you assign permissions at an OU level, by default, all of those permissions are inherited by objects inside the OU.

• You can modify or remove inherited permissions for a specific object from the Advanced Security Settings dialog box. When you explicitly assign permissions to a child object, you must first break the permission inheritance, and then assign the required permissions. The child objects automatically inherit those changes.

• If the Allow and Deny permission check boxes in the various parts of the access control user interface are shaded when you view the permissions of an object, the object has inherited permissions from a parent object. The only exception to this is the Special permissions entry. If this entry is shaded and checked, this means that a special permission has been configured.

Action: Moving an AD DS object may change permissions.

• An object inherits permissions from the organizational unit to which it is moved. An object no longer inherits permissions from the organizational unit from which it was moved.

• When you move an object between organizational units, permissions that are set explicitly on the object remain the same.


Note: Inherited Deny permissions do not prevent access to an object if the object has an explicit Allow permission entry. Explicit permissions take precedence over inherited permissions, even inherited Deny permissions.
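The precedence rules in the table and the note above can be checked directly on a live object. The following script is an added example, not part of the course or of any Microsoft tool: it reads the DACL of an AD DS object through the AD: drive that the Active Directory module provides and lists the entries in the order in which they are evaluated (explicit Deny, explicit Allow, inherited Deny, inherited Allow), which is why an explicit Allow on an object wins over a Deny inherited from its OU. The OU distinguished name and the group name are assumptions taken from the lab scenario.

```powershell
# Added example (not from the course): list the ACEs on an AD DS object in evaluation order.
# Assumes the Active Directory module (AD: drive) and the OU "OU=Marketing,DC=contoso,DC=com".
Import-Module ActiveDirectory

function Get-OrderedAdAce {
    param(
        [Parameter(Mandatory = $true)][string]$DistinguishedName,
        [string]$IdentityFilter = '*'            # e.g. 'CONTOSO\Marketing_Managers' to see one principal only
    )

    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)

    # Canonical DACL order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    # The first matching entry decides, so a lower number here means "more decisive".
    $rank = @{ 'Explicit Deny' = 0; 'Explicit Allow' = 1; 'Inherited Deny' = 2; 'Inherited Allow' = 3 }

    $acl.Access |
        Where-Object { $_.IdentityReference.Value -like $IdentityFilter } |
        ForEach-Object {
            $source = if ($_.IsInherited) { 'Inherited' } else { 'Explicit' }
            $kind   = '{0} {1}' -f $source, $_.AccessControlType
            [pscustomobject]@{
                Order               = $rank[$kind]
                Kind                = $kind
                Identity            = $_.IdentityReference.Value
                Rights              = $_.ActiveDirectoryRights
                ObjectType          = $_.ObjectType          # attribute/class/extended-right GUID; all zeros = whole object
                InheritedObjectType = $_.InheritedObjectType # class of descendant the entry applies to; all zeros = any
                AppliesTo           = $_.InheritanceType
            }
        } |
        Sort-Object Order, Identity
}

# Usage: show who can do what on the Marketing OU, most decisive entries first.
Get-OrderedAdAce -DistinguishedName 'OU=Marketing,DC=contoso,DC=com' |
    Format-Table Kind, Identity, Rights, AppliesTo -AutoSize

# $true here means "Include inheritable permissions from this object's parent" has been cleared,
# so no inherited entries (and therefore no inherited Deny) reach this object.
(Get-Acl -Path 'AD:\OU=Marketing,DC=contoso,DC=com').AreAccessRulesProtected
```

When reviewing the output, an explicit Deny with a non-empty ObjectType only blocks that one attribute or extended right; a Deny whose ObjectType is all zeros blocks the listed rights on the whole object. Read-only cmdlets are used throughout, so the script is safe to run against production objects when auditing delegation.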

Question: What are the risks with using special permissions to assign AD DS permissions?

Question: What permissions would a user have on an object if you granted them Full Control permission, and denied the user Write access?


Determining Effective Permissions

Key Points

Accessible from an object's advanced properties settings, the Effective Permissions tool helps you to determine the permissions applied to an Active Directory object. This tool calculates the permissions that are applied to the specified user or group, and takes into account the permissions that are in effect from group memberships and any permission inherited from parent objects.

Effective permissions for Active Directory objects have the following characteristics:

• Cumulative permissions are the combination of Active Directory permissions that are applied to both the user and group accounts.

• Deny permissions override the same level of inherited permissions. Explicitly assigned permissions take priority.

• An explicit Allow permission set on an object class or attribute will override an inherited Deny permission.

• Object owners can always change permissions. The owner controls how permissions are set on the object, and to whom permissions are granted. The person who creates an Active Directory object is its owner. The Administrators group owns objects that are created during Active Directory installation or by any member of the built-in Administrators group. The owner can always change permissions for an object, even when the owner is denied all access to the object.

Note: The current owner can grant Take Ownership permission to another user, which enables that user to take ownership of that object at any time. The user must actually take ownership to complete the ownership transfer.

To retrieve information about effective permissions in AD DS, use the Effective Permissions tool. If the specified user or group is a domain object, you must have permission to read the object's membership information on the domain.


Special identities are not used when calculating the effective permissions. This means that if you assign permissions to any special identities, they will not be included in the effective permissions list.

More Information: Special identities are used to assign permissions for specific situations for both Active Directory permissions and for network resources. For example, the Everyone identity includes all authenticated, dial-up, network, and interactive users and is used to provide permissions to resources. Other common special identities include Authenticated Users, Interactive, and the Creator Owner identity. For more information on special identities, refer to http://technet.microsoft.com/en-us/magazine/dd637754.aspx.

Question: When retrieving effective permissions, accurate retrieval of information requires permission to read the membership information. If the specified user or group is a domain object, what type of permissions does a Domain Administrator need to have to read the object's group information on the domain? What about a Local administrator?


Demonstration: AD DS Object Permission Inheritance

Key Points

In this demonstration, you will see how to:

• Verify permission inheritance for AD DS objects.

• Modify permission inheritance.

• View effective permissions on an AD DS object.

Demonstration Steps:

1. Open Active Directory Users and Computers.

2. Enable the Advanced Features option from the View menu.

3. Open the Properties dialog box for an AD DS object and then click the Security tab.

4. To modify standard permissions, click Add or Remove.

5. To modify advanced permissions, click the Advanced button.

6. To modify permission inheritance, modify the check box next to Include inheritable permissions from this object's parent.

7. To determine effective permissions for a user or group, click the Effective Permissions tab and then select the user or group name.
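Step 6 of the demonstration (clearing the inheritance check box and choosing to copy or remove the inherited entries) has a scripted equivalent. The following block is an added example, not course material: it blocks inheritance on an OU while keeping copies of the inherited entries, then adds one explicit entry, so that afterwards every entry on the object is explicit and a Deny set higher in the tree no longer reaches it. The OU distinguished name and the group CONTOSO\Marketing_Managers are assumptions taken from the lab scenario; Set-Acl writes to the directory, so try it on a test OU first.

```powershell
# Added example (not from the course): block permission inheritance on an OU and add an explicit entry.
# Assumes the AD module, the OU DN below and the group CONTOSO\Marketing_Managers.
Import-Module ActiveDirectory

function Set-AdInheritanceBlocked {
    param(
        [Parameter(Mandatory = $true)][string]$DistinguishedName,
        [switch]$KeepInheritedAsExplicit   # like the "Copy" choice in the UI; otherwise inherited entries are dropped
    )
    $path = "AD:\" + $DistinguishedName
    $acl  = Get-Acl -Path $path
    # First argument: protect the DACL (block inheritance). Second: keep inherited entries as explicit copies.
    $acl.SetAccessRuleProtection($true, [bool]$KeepInheritedAsExplicit)
    Set-Acl -Path $path -AclObject $acl
    # Returns $true once the object no longer accepts inheritable entries from its parent.
    (Get-Acl -Path $path).AreAccessRulesProtected
}

function Add-AdExplicitReadAce {
    param(
        [Parameter(Mandatory = $true)][string]$DistinguishedName,
        [Parameter(Mandatory = $true)][string]$Account   # DOMAIN\group or DOMAIN\user
    )
    $path = "AD:\" + $DistinguishedName
    $acl  = Get-Acl -Path $path
    $sid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
    $rights      = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $type        = [System.Security.AccessControl.AccessControlType]::Allow
    $inheritance = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All   # this object and all descendants
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $sid, $rights, $type, $inheritance
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

$ou = 'OU=Marketing,DC=contoso,DC=com'
Set-AdInheritanceBlocked -DistinguishedName $ou -KeepInheritedAsExplicit
Add-AdExplicitReadAce   -DistinguishedName $ou -Account 'CONTOSO\Marketing_Managers'

# After blocking, no entry on the OU is inherited any more; child objects keep inheriting from the OU itself.
(Get-Acl -Path "AD:\$ou").Access | Where-Object { $_.IsInherited } | Measure-Object | Select-Object -ExpandProperty Count
```

Blocking inheritance is the technique the table above describes for giving a child object different permissions from its parent; the trade-off is that later changes on the parent OU no longer flow down to this object, which is exactly the kind of drift the effective permissions check in step 7 is meant to catch.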


What Is Delegation of Control?

Key Points

Delegation of control is the ability to assign the management responsibility of Active Directory objects to another user or group without the need to add the user or group to the Domain Admins group.

Delegated administration helps to ease the administrative burden of managing your network by distributing routine administrative tasks. With delegated administration, you can assign basic administrative tasks to regular users or groups. For example, you could give OU administrators the right to add or remove user or computer objects, or an administrative assistant the right to reset passwords.

By delegating administration, you give groups in your organization more control of their local network resources. You also help secure your network from accidental or malicious damage by limiting the membership of the standard administrator groups.

Options for Delegating Control

You can define the delegation of administrative control in the following four ways:

• Grant permissions to create or modify all objects in a specific organizational unit or in the domain.

• Grant permissions to create or modify some types of objects in a specific organizational unit or at the domain level.

• Grant permissions to create or modify a specific object in a specific organizational unit or at the domain level.

• Grant permissions to modify specific attributes of an object (such as granting the permission to reset passwords on a user account) in a specific organizational unit or at the domain level.

The Delegation of Control Wizard allows you to delegate administrative tasks to users or groups within a specific administrative scope. This tool is driven by a customizable text file and ships with a base set of common administrative tasks. You can modify the tasks available for delegation by editing Delegwiz.inf, a file stored in the C:\Windows\System32 folder on the domain controller. The Delegation of Control Wizard also allows you to delegate a custom task.


Demonstration: Configuring Delegation of Control

Key Points

In this demonstration, you will see how to:

• Delegate administration to manage user accounts.

• Review custom delegation permissions.

• Review permissions on a child OU.

Demonstration Steps:

1. Open Active Directory Users and Computers.

2. Right-click the domain or an organizational unit, and then click Delegate Control.

3. Complete the Delegation of Control Wizard steps.
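The wizard run in this demonstration, and the "Create, delete, and manage user accounts" task that the lab later delegates, come down to two access control entries on the OU. The following script is an added example, not course material and not the wizard's own code: it writes a scripted approximation of that task for one group on one OU, reads the object-class GUID from the schema instead of hard-coding it, and reads the result back. The OU distinguished name and the group CONTOSO\Marketing_Managers are assumptions from the lab; the script modifies the directory, so use a test OU first.

```powershell
# Added example (not from the course): scripted approximation of the Delegation of Control Wizard task
# "Create, delete, and manage user accounts" for one group on one OU.
# Assumes the AD module, OU=Marketing,DC=contoso,DC=com and the group CONTOSO\Marketing_Managers.
Import-Module ActiveDirectory

function Get-SchemaClassGuid {
    # Resolve a schema class's schemaIDGUID at run time (the value AD DS uses in object-specific ACEs).
    param([Parameter(Mandatory = $true)][string]$LdapDisplayName)
    $schema = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schema -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema class '$LdapDisplayName' not found." }
    New-Object -TypeName System.Guid -ArgumentList (, [byte[]]$obj.schemaIDGUID)
}

function Grant-UserAccountManagement {
    param(
        [Parameter(Mandatory = $true)][string]$OrganizationalUnitDN,
        [Parameter(Mandatory = $true)][string]$Group     # DOMAIN\group
    )
    $path = "AD:\" + $OrganizationalUnitDN
    $acl  = Get-Acl -Path $path
    $sid  = (New-Object System.Security.Principal.NTAccount($Group)).Translate([System.Security.Principal.SecurityIdentifier])
    $userClass = Get-SchemaClassGuid -LdapDisplayName 'user'
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    $all   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

    # 1. On the OU and every sub-OU: create and delete child objects, restricted to the "user" class
    #    (ObjectType = class GUID). Scoping to one class is what keeps the delegation least-privilege.
    $createDelete = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
    $acl.AddAccessRule((New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $sid, $createDelete, $allow, $userClass, $all))

    # 2. Full control over descendant objects of class "user" only (InheritedObjectType = class GUID):
    #    the OU itself, groups and computers inside it are not covered.
    $acl.AddAccessRule((New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $allow, $desc, $userClass))

    Set-Acl -Path $path -AclObject $acl
}

$ou = 'OU=Marketing,DC=contoso,DC=com'
Grant-UserAccountManagement -OrganizationalUnitDN $ou -Group 'CONTOSO\Marketing_Managers'

# Read back what the group was granted; compare with the wizard's result on the Security tab.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -like '*Marketing_Managers' } |
    Format-Table ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

The read-back at the end is the part worth keeping in an operations script: delegations granted through the wizard are easy to forget, and listing the object-specific entries per group is how you confirm that a delegate holds rights on user objects only and not, for example, on the OU or on group memberships.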


What Are Managed Service Accounts?

Key Points

Microsoft Windows Server® 2008 R2 introduces a new type of account called the managed service account. The following section describes this new type of account.

Note: The content in this section only applies to Windows Server 2008 R2.

Managed Service Accounts

Many network-based applications use an account to run services or provide authentication. For example, an application on a local computer might use the Local Service, Network Service, or Local System accounts. These service accounts may work fine; however, they are typically shared among multiple applications and services, making them difficult to manage for a specific application. These local service accounts also cannot be managed at the domain level.

Alternatively, an application might use a standard domain account that is configured specifically for the application. This is quite common; however, the main drawback is that you need to manually manage passwords, which increases administration effort.

A managed service account can provide an application with its own unique account, while eliminating the need for an administrator to manually administer the credentials for this account.

Managed service accounts provide the following benefits to simplify administration:

• Automatic password management. A managed service account automatically maintains its own password, including password changes.

• Simplified Service Principal Name (SPN) management. SPNs can be managed automatically if your domain is configured at the Windows Server 2008 R2 domain functional level.


Requirements for Using Managed Service Accounts

To use a managed service account, the server that runs the service or application must be running Windows Server 2008 R2. You also must ensure that .NET Framework 3.5.x and the Active Directory module for Windows PowerShell are both installed on the server.

Note: A managed service account cannot be shared between multiple computers or be used in server clusters where the service is replicated between nodes.

To simplify and provide full automatic password and SPN management, we strongly recommend that the AD DS domain be at the Windows Server 2008 R2 functional level. However, if you have a domain controller running Windows Server 2008 or Windows Server 2003, you can update the Active Directory schema to Windows Server 2008 R2 to support this feature. The only disadvantage is that the domain administrator must still configure SPN data for the managed service accounts manually.

To update the schema in Windows Server 2008, Windows Server 2003, or native-mode environments, you must perform the following tasks:

1. Run adprep /forestprep at the forest level and run adprep /domainprep at the domain level.

2. Deploy a domain controller running Windows Server 2008 R2, Windows Server 2008 with the Active Directory Management Gateway Service, or Windows Server 2003 with the Active Directory Management Gateway Service.

Note: The Active Directory Management Gateway Service allows administrators with domain controllers running Windows Server 2003 or Windows Server 2008 to use Windows PowerShell cmdlets to manage managed service accounts.

After the domain and server prerequisites have been addressed, you can use the following process to create a managed service account:

1. On the domain controller, use the Active Directory module for Windows PowerShell to create a new managed service account in Active Directory. The following command can be used as an example of the base command.

New-ADServiceAccount [-SAMAccountName <String>] [-Path <String>]

2. Install the managed service account on the server that contains the service or application. The following command is run on the local server.

Install-ADServiceAccount -Identity <ADServiceAccount>

3. Configure the service or application to use the managed service account.

Windows PowerShell provides a number of cmdlets that can be used to administer managed service accounts. Management tasks include:

• Finding managed service accounts.

• Associating or removing managed service accounts on a computer.

• Installing a managed service account on a computer.

• Deleting a managed service account.

• Resetting the password of a managed service account.
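The three-step process above, with the checks a practitioner would add between the steps, as an added example that is not part of the course: steps 1 and 2 run on the domain controller and verify the link from both the account's and the computer's side; step 3 is shown as the commands to run on the server itself. The account name App1_SVR1 and the server NYC-SVR1 are assumptions taken from the lab. No password appears anywhere, because AD DS generates and rotates the MSA password.

```powershell
# Added example (not from the course): create a managed service account, link it to one computer,
# and verify the link. Assumes the AD module and the lab names App1_SVR1 / NYC-SVR1.
Import-Module ActiveDirectory

function New-LinkedServiceAccount {
    param(
        [Parameter(Mandatory = $true)][string]$Name,       # account name without the trailing $
        [Parameter(Mandatory = $true)][string]$Computer    # the single host that will run the service
    )
    # Step 1: create the MSA (object class msDS-ManagedServiceAccount). Idempotent: skip if it exists.
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$Name'")) {
        New-ADServiceAccount -Name $Name -Enabled $true
    }

    # Step 2: link the MSA to exactly one computer. An MSA cannot be shared between hosts,
    # so this is the only computer that will be able to retrieve the password.
    Add-ADComputerServiceAccount -Identity $Computer -ServiceAccount $Name

    # Read the link back from both sides before touching the server.
    $msa         = Get-ADServiceAccount -Identity $Name -Properties HostComputers
    $computerObj = Get-ADComputer -Identity $Computer
    [pscustomobject]@{
        ServiceAccount = $msa.SamAccountName    # "App1_SVR1$": the trailing $ is what the service's Log On tab expects
        Enabled        = $msa.Enabled
        LinkedTo       = $msa.HostComputers     # distinguished name(s) of the linked computer
        LinkOk         = ($msa.HostComputers -contains $computerObj.DistinguishedName)
    }
}

# Run on NYC-DC1:
New-LinkedServiceAccount -Name 'App1_SVR1' -Computer 'NYC-SVR1'

# Step 3, run on NYC-SVR1 itself (requires .NET Framework 3.5 and the AD module on that server).
# Install-ADServiceAccount stores the account locally so the host can fetch the password from AD DS;
# Test-ADServiceAccount returns $true when the account is installed and usable on this host.
#   Install-ADServiceAccount -Identity 'App1_SVR1'
#   Test-ADServiceAccount    -Identity 'App1_SVR1'
```

If LinkOk is false, Install-ADServiceAccount on the server will fail, which is the most common mistake in this procedure: the link is a property of the account (msDS-HostServiceAccount on the computer, shown here as HostComputers on the account), not something the server can establish on its own.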


Demonstration: Configuring a Managed Service Account

Key Points

In this demonstration, you will see how to:

• Create and associate a managed service account.

• Install a managed service account.

Demonstration Steps:

1. Open Active Directory Module for Windows PowerShell.

2. Use Windows PowerShell to create the managed service account.

3. Use Windows PowerShell to associate the managed service account to a specific server.

4. Use Windows PowerShell to install the managed service account on a specific server.


Lab A: Configuring Active Directory Delegation

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V™ Manager.

2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

5. Repeat steps 2 and 3 for 6419B-NYC-SVR1. Do not log on to this virtual machine until instructed to do so.


Lab Scenario

You are a network administrator for Contoso, Ltd. Each department in Contoso, Ltd. has its own Organizational Unit in the AD DS infrastructure. You need to delegate Organizational Unit administrative tasks to the managers of each department.

You have also been asked to implement a managed service account for an application that will be installed on NYC-SVR1. For this project, you must complete the following tasks:

• Delegate the Marketing Managers security group the right to manage user accounts in the Marketing Organizational Unit.

• Create a managed service account called App1_SVR1, and assign it to NYC-SVR1.

• Install the App1_SVR1 service account on NYC-SVR1.


Exercise 1: Delegating Control of AD DS Objects

Scenario

In this exercise, you will delegate control of the Marketing Organizational Unit to the Marketing Managers security group. All Marketing Managers should be able to fully manage user accounts in the OU.

The main tasks for this exercise are as follows:

1. Delegate management tasks for the Marketing OU.

2. Verify effective permissions assigned for the Marketing OU.

3. Test delegated permissions.

Task 1: Delegate management tasks for the Marketing OU.

1. On NYC-DC1, open Active Directory Users and Computers.

2. Use the Delegation of Control Wizard to configure the following:

• Organizational Unit: Marketing

• Users or Groups: Marketing_Managers

• Tasks to Delegate: Create, delete, and manage user accounts

Task 2: Verify effective permissions assigned for the Marketing OU.

1. On NYC-DC1, open the properties of the Marketing Organizational Unit.

2. Verify the effective permissions for Don Roessler on the Marketing OU.

Task 3: Test delegated permissions.

1. Log on to NYC-SVR1 as Contoso\Don, with the password Pa$$w0rd.

2. Open Active Directory Users and Computers and verify that Don can create new user accounts.

3. Log off from NYC-SVR1.

Results: After completing this exercise, you will have delegated the right to manage user accounts to the Marketing Managers.


Exercise 2: Creating Managed Service Accounts in AD DS

Scenario

You have been asked to create a managed service account called App1_SVR1, to be used by an application located on NYC-SVR1.

The main tasks for this exercise are as follows:

1. Use Windows PowerShell to create and associate a managed service account.

2. Install a managed service account on a server.

Note: Because of the complexity of the PowerShell commands, these steps are the same as the Lab Answer key.

Task 1: Use Windows PowerShell to create and associate a managed service account.

1. On NYC-DC1, open the Active Directory Module for Windows PowerShell console.

2. At the prompt, type the following command, and then press ENTER.

New-ADServiceAccount -Name App1_SVR1

3. At the prompt type the following command and then press ENTER:

Add-ADComputerServiceAccount -Identity NYC-SVR1 -ServiceAccount App1_SVR1

4. At the prompt type the following command and then press ENTER:

Get-ADServiceAccount -Filter 'Name -like "*"' | FT Name,HostComputers -A

5. Verify that the App1_SVR1 service account is associated with NYC-SVR1.

6. Close all open windows on NYC-DC1.

Task 2: Install a managed service account on a server.

1. Switch to the NYC-SVR1 virtual machine.

2. Log on to NYC-SVR1 as Contoso\Administrator, with the password Pa$$w0rd.

3. Click Start, point to Administrative Tools, and then click Active Directory Module for Windows PowerShell. The Administrator: Active Directory Module for Windows PowerShell console opens.

4. At the prompt type the following command and then press ENTER:

Install-ADServiceAccount -Identity App1_SVR1

5. Click Start, point to Administrative Tools, and then click Services.

6. In the Services console, right-click Disk Defragmenter, and then click Properties.

Note: The Disk Defragmenter service is just used as an example for this lab. In a production environment, you would use the actual service that should be assigned the managed service account.

7. In the Disk Defragmenter Properties dialog box, click the Log On tab.

8. On the Log On tab, click This account, and then type Contoso\App1_SVR1$.


9. Clear the password for both the Password and Confirm password boxes. Click OK.

10. Click OK at all prompts.

11. Close the Services console.

12. Close all open windows on NYC-SVR1.

Results: After completing this exercise, you will have created and installed a managed service account.
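Steps 5 to 10 of Task 2 (pointing a service at the managed service account with no password) can be done without the Services console, and the same host can then be audited for every service that runs under an MSA. The following script is an added example, not part of the lab or of the answer key: it uses the Win32_Service Change method to set the logon account and passes an empty password, which is the scripted counterpart of clearing the two password boxes in step 9. The service name defragsvc (Disk Defragmenter) and the account CONTOSO\App1_SVR1$ are assumptions from the lab; run it on NYC-SVR1 after Install-ADServiceAccount has succeeded.

```powershell
# Added example (not from the course): set a service's logon account to an installed MSA and
# list the services on this host that run under an MSA. Assumes defragsvc and CONTOSO\App1_SVR1$.

function Set-ServiceLogonToMsa {
    param(
        [Parameter(Mandatory = $true)][string]$ServiceName,
        [Parameter(Mandatory = $true)][string]$Account   # DOMAIN\name$ of an MSA installed on this host
    )
    # The trailing $ is mandatory: without it the name refers to an ordinary user account.
    if (-not $Account.EndsWith('$')) {
        throw ('An MSA logon name must end with a dollar sign (got {0}).' -f $Account)
    }

    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw ('Service {0} not found.' -f $ServiceName) }

    # Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl, StartMode, DesktopInteract,
    #                      StartName, StartPassword, ...). $null leaves a setting unchanged. The password is
    #                      empty because the host obtains the MSA password from AD DS, never from the admin.
    $result = $svc.Change($null, $null, $null, $null, $null, $null, $Account, '')
    if ($result.ReturnValue -ne 0) {
        throw ('Change failed with Win32_Service return code {0}.' -f $result.ReturnValue)
    }

    # Return the logon name now recorded for the service; a restart is needed before it takes effect.
    (Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'").StartName
}

function Get-MsaServices {
    # Services whose logon account is DOMAIN\name$ - the shape of an MSA. LocalSystem, NT AUTHORITY\...
    # and ordinary domain users do not match, so this lists exactly the services worth checking with
    # Test-ADServiceAccount after a domain or host change.
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartName -match '^[^\\]+\\[^\\]+\$$' } |
        Select-Object Name, DisplayName, StartName, State, StartMode
}

# Usage on NYC-SVR1:
Set-ServiceLogonToMsa -ServiceName 'defragsvc' -Account 'CONTOSO\App1_SVR1$'
Get-MsaServices | Format-Table -AutoSize
```

Get-MsaServices is the defender's half of the procedure: because an MSA is bound to one host, a service on another machine that claims to run as App1_SVR1$ is a misconfiguration rather than a working setup, and a periodic listing of MSA-backed services per host is the simplest way to notice that.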

To prepare for the next lab

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6419B-NYC-SVR1.


Lesson 2

Configuring Active Directory Trusts

Many organizations might only deploy a single AD DS domain. However, larger organizations, or organizations that need to enable access to resources in other organizations or business units, may deploy several domains in the same Active Directory forest or a separate forest. For users to access resources between the domains in the same forest, two-way transitive trusts are automatically established. To access resources in a different forest, you need to configure explicit trusts between the forests. This lesson describes how to configure and manage trusts in an Active Directory environment.

Objectives

After completing this lesson, you will be able to:

• Describe trust options.

• Describe how trusts work within a forest.

• Describe how trusts work between forests.

• Configure a forest trust.

• Configure resource access for users from a trusted domain.


Overview of AD DS Trust Options

Key Points

A trust is a relationship between two domains or forests in which one side accepts the authentication performed by the other. Trusts are necessary for resource access between domains. Within a forest, two-way transitive trusts are created automatically between domains. Between forests, you have to create an explicit trust relationship to share resources. With a trust in place, a user is authenticated by a domain controller in the user's own domain, and that authentication is then accepted when the user requests access to resources in the other domain. The trust itself grants no permissions; it only makes the user's identity usable in the other domain.

All trusts have the following characteristics:

• Trusts can be defined as transitive or non-transitive. A transitive trust is one in which the trust relationship extended to one domain is automatically extended to all domains in the domain tree that the domain trusts. For example, as illustrated above, if the forest root domain and Domain A trust each other transitively, as do the forest root domain and Domain B, then Domain A and Domain B also trust each other. If the trusts are non-transitive, the trust exists only between the two domains that define it.

• The trust direction defines where the user accounts and the resources are located. User accounts are located in the trusted domain; resources are located in the trusting domain. The trusting domain accepts authentication performed by the trusted domain, so access flows from the trusted domain to the trusting domain and not the other way, unless the trust is two-way. In Windows Server 2008, the New Trust Wizard expresses the direction relative to the domain you are administering: one-way incoming (users in your domain can be authenticated in the other domain), one-way outgoing (users in the other domain can be authenticated in your domain), or two-way.

• Trusts can also use different authentication protocols. The two protocols available to trusts are Kerberos version 5 and Microsoft Windows NT LAN Manager (NTLM). In most cases, Windows Server 2008 uses Kerberos to authenticate across a trust, falling back to NTLM only for clients or trust types that cannot use Kerberos.

All trusts that are created automatically within a Windows 2000 Server, Windows Server 2003, or Windows Server 2008 forest are transitive, two-way trusts, so both domains in such a relationship trust each other. Trusts that you create manually can be one-way. The diagram above illustrates a two-way trust between Forests 1 and 2, a one-way trust between domains E and A in the same forest (called a shortcut trust), and a one-way trust between domains B and Q in different forests (called an external trust).

The following table outlines the types of trusts that can exist in an AD DS environment.

Trust type: Description

Parent-child: Exists between a parent domain and each child domain in the same domain tree. This two-way transitive trust allows security principals to be authenticated in any domain in the forest. Parent-child trusts are created automatically when a child domain is added and cannot be removed. They use Kerberos V5, with NTLM for clients that cannot use Kerberos.

Tree-root: Exists between the forest root domain and the root domain of each additional domain tree in the forest. This two-way transitive trust allows security principals to be authenticated in any domain in the forest. Tree-root trusts are created automatically when a new tree is added and cannot be removed. They use Kerberos V5, with NTLM for clients that cannot use Kerberos.

Shortcut: Created manually between two domains in the same forest to shorten the trust path that authentication would otherwise follow through the forest root. Shortcut trusts can be one-way or two-way, and are transitive.

External: Can be created between a domain and a domain in another forest, or a Windows NT 4.0 domain. External trusts can be one-way or two-way, and are non-transitive. External trusts use the NTLM protocol.

Realm: Can be created between a non-Windows Kerberos realm and a Windows Server 2008 domain. Realm trusts can be one-way or two-way, and can be transitive or non-transitive. Realm trusts always use the Kerberos protocol.

Forest: Can be created between the forest root domains of two forests that are both at the Windows Server 2003 forest functional level or higher. Forest trusts can be one-way or two-way. They are transitive between the two forests, so every domain in one forest trusts every domain in the other, but they do not extend to a third forest. Forest trusts use Kerberos V5, with NTLM for clients that cannot use Kerberos.

Question: If you need to share resources between domains, but do not want to configure a trust, how will you provide access to the shared resources?

How Trusts Work Within a Forest

Key Points

When you set up a trust between domains, whether within the same forest, across forests, or with an external Kerberos realm, information about the trust is stored in a trusted domain object (TDO) in the System container of the domain. Each domain that takes part in a trust holds a TDO that describes the other side. The TDO stores the name of the trust partner, the direction of the trust, its transitivity, and the type of trust.
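The following Windows PowerShell script is added here as an example; it is not part of the course or its lab files. It reads the TDOs from the System container of the current domain and decodes the attributes that record what the Key Points above describe (partner, direction, type, transitivity) and what the previous topic called trust characteristics. It uses only the ADSI and System.DirectoryServices classes present on any domain-joined Windows Server 2008 host (no ActiveDirectory module is needed); the numeric values in the lookup tables are the trustDirection, trustType and trustAttributes definitions from the MS-ADTS specification.

```powershell
# Added example, not course material: list the trusted domain objects (TDOs) of the
# current domain and decode their direction, type and transitivity attributes.

function ConvertFrom-TrustAttributes {
    param([Parameter(Mandatory = $true)][int]$Value)
    # Only the commonly met trustAttributes bits are named; any others are reported in hex.
    $flags = @{
        0x01 = 'NON_TRANSITIVE'
        0x02 = 'UPLEVEL_ONLY'
        0x04 = 'QUARANTINED_DOMAIN'    # SID filtering enforced on this trust
        0x08 = 'FOREST_TRANSITIVE'     # forest trust
        0x10 = 'CROSS_ORGANIZATION'    # selective authentication enabled
        0x20 = 'WITHIN_FOREST'         # parent-child, tree-root or shortcut trust
        0x40 = 'TREAT_AS_EXTERNAL'
        0x80 = 'USES_RC4_ENCRYPTION'   # cross-realm Kerberos tickets use RC4
    }
    $names = @()
    foreach ($bit in ($flags.Keys | Sort-Object)) {
        if ($Value -band $bit) { $names += $flags[$bit] }
    }
    $unknown = $Value -band -bnot 0xFF
    if ($unknown -ne 0) { $names += ('0x{0:X}' -f $unknown) }
    if ($names.Count -gt 0) { $names -join ',' } else { 'NONE' }
}

function Get-TrustedDomainObject {
    # Defaults to the domain this computer is joined to (RootDSE defaultNamingContext).
    param([string]$DomainDN = ([ADSI]'LDAP://RootDSE').defaultNamingContext.Value)

    # Direction is recorded from the point of view of the domain that owns the TDO.
    $direction = @{ 0 = 'Disabled'; 1 = 'Inbound (partner trusts this domain)'
                    2 = 'Outbound (this domain trusts partner)'; 3 = 'Bidirectional' }
    $type = @{ 1 = 'Downlevel (NT 4.0)'; 2 = 'Uplevel (AD DS)'; 3 = 'MIT Kerberos realm'; 4 = 'DCE' }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=System,$DomainDN"
    $searcher.Filter = '(objectClass=trustedDomain)'
    foreach ($p in 'trustPartner', 'flatName', 'trustDirection', 'trustType', 'trustAttributes', 'whenChanged') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    foreach ($r in $searcher.FindAll()) {
        $attr = [int]$r.Properties['trustattributes'][0]
        New-Object PSObject -Property @{
            Partner    = [string]$r.Properties['trustpartner'][0]
            NetBIOS    = [string]$r.Properties['flatname'][0]
            Direction  = $direction[[int]$r.Properties['trustdirection'][0]]
            Type       = $type[[int]$r.Properties['trusttype'][0]]
            Transitive = (($attr -band 0x01) -eq 0)
            Attributes = ConvertFrom-TrustAttributes -Value $attr
            Changed    = $r.Properties['whenchanged'][0]
        }
    }
}

Get-TrustedDomainObject | Format-Table Partner, Direction, Type, Transitive, Attributes -AutoSize
```

Run it on a domain controller or any domain member as a domain user; reading TDOs requires no special rights. A forest trust shows FOREST_TRANSITIVE, a parent-child or shortcut trust shows WITHIN_FOREST, and an external trust shows NON_TRANSITIVE. QUARANTINED_DOMAIN and CROSS_ORGANIZATION reveal whether SID filtering and selective authentication are in force, which is a quicker audit of the trusts you inherit than clicking through each trust's properties.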

How Trusts Enable Users to Access Resources in a Forest

When a user attempts to access a resource in another domain, the Kerberos Key Distribution Center (KDC) in the user's domain must determine whether a trust path exists between the user's domain and the domain that holds the resource.

To determine this, the authentication process travels the trust path, using the TDOs to obtain a referral to a domain controller in the target domain. The target domain controller issues the service ticket for the requested service. The trust path is the shortest path through the trust hierarchy that connects the two domains.

When a user in the trusted domain attempts to access a resource in another domain, the user's computer first contacts a domain controller in its own domain to request a service ticket for the resource. If the resource is not in the user's domain, the domain controller uses the trust relationship with its parent and refers the user's computer to a domain controller in the parent domain.

This process continues up the trust hierarchy, possibly as far as the forest root domain, and then down the trust hierarchy, until the user's computer contacts a domain controller in the domain where the resource is located.

Question: In this slide, what type of trust do Domain B and Domain C have in this forest? What are its limitations?

How Trusts Work Between Forests

Key Points

Windows Server 2008 supports cross-forest trusts, which allow users in one forest to access resources in another forest. When a user attempts to access a resource in a trusted forest, AD DS must first locate the resource. After the resource is located, the user can be authenticated and allowed to access the resource.

How a Resource Is Accessed

The following describes how a client computer locates and accesses a resource in another forest that has Windows Server 2008 servers:

1. A user who is logged on to the EMEA.WoodgroveBank.com domain attempts to access a shared folder in the Contoso.com forest. The user's computer contacts a domain controller in EMEA.WoodgroveBank.com and requests a service ticket by using the service principal name (SPN) of the computer on which the resource resides. An SPN can be the Domain Name System (DNS) name of a host or domain, or it can be the distinguished name of a service connection point object.

2. The resource is not located in EMEA.WoodgroveBank.com, so the domain controller for EMEA.WoodgroveBank.com queries the global catalog to see whether the resource is located in another domain in the forest. Because a global catalog contains information only about its own forest, it does not find the SPN. The global catalog then checks its database for information about any forest trusts that are established with its forest. If it finds one, it compares the name suffixes listed in the forest trust TDO to the suffix of the target SPN. After it finds a match, the global catalog provides routing information about how to locate the resource to the domain controller in EMEA.WoodgroveBank.com.

3. The domain controller in EMEA.WoodgroveBank.com sends the user's computer a referral to its parent domain, WoodgroveBank.com.

4. The user's computer contacts a domain controller in WoodgroveBank.com for a referral to a domain controller in the forest root domain of the Contoso.com forest.

5. Using the referral returned by the domain controller in WoodgroveBank.com, the user's computer contacts a domain controller in the Contoso.com forest root domain for a service ticket to the requested service.

6. The resource is not located in the forest root domain of the Contoso.com forest, so the domain controller contacts its global catalog to find the SPN. The global catalog finds a match for the SPN and returns it to the domain controller.

7. The domain controller sends the user’s computer a referral to NA.contoso.com.

8. The user's computer contacts the Key Distribution Center (KDC) on a domain controller in NA.contoso.com and obtains a service ticket for the resource in the NA.contoso.com domain.

9. The user's computer presents the service ticket to the server on which the shared resource is located. The server reads the user's security credentials from the ticket and constructs an access token, which is then evaluated against the resource's permissions to grant or deny access.

Question: Why would clients not be able to access resources in a domain outside the forest?

Demonstration: Configuring a Forest Trust

Key Points

In this demonstration, you will see how to configure a forest trust.

Demonstration Steps:

1. Open Active Directory Domains and Trusts.

2. From the Properties dialog box of the domain, click the Trusts tab.

3. Click New Trust to start the New Trust Wizard. Complete the required steps.

4. Use the New Trust Wizard or Windows PowerShell to verify the trust relationship.

Resource Access for Users from Trusted Domains

Key Points

When you configure a trust relationship that enables your domain to trust another domain, you open up the possibility for users in the trusted domain to gain access to resources in your domain. The following sections examine components related to the security of a trusting domain's resources.

Authenticated Users

A trust relationship by itself does not grant access to any resource. However, it is likely that by creating a trust relationship, users in the trusted domain will have immediate access to a number of your domain's resources, because many resources are secured with access control lists (ACLs) that grant permissions to the Authenticated Users group, and users who authenticate across the trust become members of that group in your domain.

Membership in Domain Local Groups

The best practice for managing access to a resource is to assign permissions to a domain local group. You can then nest users and groups from your domain into the domain local group and thereby grant them access to the resource. Domain local security groups can also include users and global groups from trusted domains as members. Therefore, the most manageable way to assign permissions to users in a trusted domain is to make them, or their global groups, members of a domain local group in your domain.

Add Trusted Identities to ACLs

You can also add users and global groups from a trusted domain directly to the ACLs of resources in the trusting domain. This approach is not as manageable as using a domain local group, but it is possible.

Selective Authentication

When you create an external trust or a forest trust, you can control the scope of authentication of trusted security principals. There are two modes of authentication for an external or forest trust:

• Selective authentication

• Domain-wide authentication (for an external trust) or forest-wide authentication (for a forest trust)

If you choose domain-wide or forest-wide authentication, all trusted users can be authenticated for access to services on all computers in the trusting domain. Trusted users can, therefore, be given permission to access resources anywhere in the trusting domain. With this authentication mode, you must have confidence in the security procedures of your enterprise and in the administrators who implement those procedures, so that inappropriate access is not assigned to trusted users. Remember, for example, that users from a trusted domain or forest are considered Authenticated Users in the trusting domain, so any resource with permissions granted to Authenticated Users is immediately accessible to trusted domain users if you choose domain-wide or forest-wide authentication.

If, however, you choose selective authentication, all users in the trusted domain are still trusted identities, but they are allowed to authenticate only to the computers that you specify. For example, imagine that you have an external trust with a partner organization's domain. You want to ensure that only users from the marketing group in the partner organization can access shared folders on one of your many file servers. You can configure selective authentication for the trust relationship, and then give the trusted users the right to authenticate only to that one file server.

To configure the authentication mode for a new outgoing trust, use the Outgoing Trust Authentication Level page of the New Trust Wizard. To configure the authentication level for an existing trust, open the properties of the trusting domain in Active Directory Domains and Trusts, select the trust relationship, click Properties, and then click the Authentication tab.

After you select Selective Authentication for the trust, by default no trusted users can access resources in the trusting domain, even if those users have been given permissions on the resources.

To gain access, the users must also be granted the Allowed to authenticate permission on the computer object, in the trusting domain, of the computer that hosts the resource.

To assign this permission:

1. Open the Active Directory Users and Computers snap-in and make sure that Advanced Features is selected in the View menu.

2. Open the properties of the computer to which trusted users should be allowed to authenticate, that is, the computer that trusted users will log on to or that contains resources to which trusted users have been given permissions.

3. On the Security tab, add the trusted users or a group that contains them, and select the Allow checkbox for the Allowed to authenticate permission.

Lab B: Administer Trust Relationships

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V™ Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

5. Repeat steps 2 and 3 for 6419B-VAN-DC1. Log on to VAN-DC1 as Adatum\Administrator with the password Pa$$w0rd.

Lab Scenario

Contoso, Ltd. has initiated a strategic partnership with A. Datum Corporation. Users from the Contoso.com domain will need to have access to file shares located at Adatum.com. You need to perform the following tasks:

• Configure name resolution between the two forests.

• Configure a forest trust relationship between Contoso.com and Adatum.com.

• Configure Selective Authentication so that Adatum.com domain users can access only NYC-SVR1.

Exercise 1: Configuring Name Resolution between Contoso.com and Adatum.com

Scenario

In this exercise, you will configure conditional forwarding to provide name resolution between the Contoso.com domain and the Adatum.com domain.

The main tasks for this exercise are as follows:

1. Configure DNS conditional forwarding on NYC-DC1.

2. Configure DNS conditional forwarding on VAN-DC1.

Note: Conditional Forwarding is covered in detail in Module 2: Managing Windows Server 2008 Infrastructure Roles.

Task 1: Configure DNS conditional forwarding on NYC-DC1.

1. On NYC-DC1, open DNS Manager.

2. Configure a Conditional Forwarder with the following settings:

• DNS Domain: Adatum.com

• IP address of master servers: 10.10.0.100

Task 2: Configure DNS conditional forwarding on VAN-DC1.

1. On VAN-DC1, open DNS Manager.

2. Configure a Conditional Forwarder with the following settings:

• DNS Domain: Contoso.com

• IP address of master servers: 10.10.0.10

Results: After completing this exercise, you will have configured name resolution between the Contoso.com domain and the Adatum.com domain.
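The same exercise done from the command line, added here as an example and not part of the course lab files. It uses dnscmd, which is installed with the DNS Server role on Windows Server 2008, to create the two conditional forwarders, and then checks the one record the forest trust actually depends on: the _ldap._tcp.dc._msdcs SRV record that the New Trust Wizard uses to find the partner's domain controllers. The zone names and addresses are the lab's (Adatum.com at 10.10.0.100, Contoso.com at 10.10.0.10).

```powershell
# Added example, not course material: Lab B, Exercise 1 with dnscmd plus a resolution check.

function Add-ConditionalForwarder {
    param(
        [Parameter(Mandatory = $true)][string]$Zone,             # partner forest's DNS name
        [Parameter(Mandatory = $true)][string[]]$MasterServers,  # partner DCs that answer for it
        [string]$DnsServer = '.'                                 # '.' = the local DNS server
    )
    # /ZoneAdd with /Forwarder creates a conditional forwarder for exactly this zone; every
    # other name keeps using the server's normal resolution path. Use /DsForwarder instead
    # to store the forwarder in AD DS so all DNS servers in the domain pick it up.
    & dnscmd $DnsServer /ZoneAdd $Zone /Forwarder @MasterServers | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dnscmd /ZoneAdd $Zone failed (exit code $LASTEXITCODE)" }
    & dnscmd $DnsServer /ZoneInfo $Zone
}

function Test-PartnerForestResolution {
    param([Parameter(Mandatory = $true)][string]$ForestName)
    # The New Trust Wizard locates the partner's domain controllers through this SRV record;
    # if it does not resolve from this DC, the forest trust cannot be created.
    $srv = "_ldap._tcp.dc._msdcs.$ForestName"
    $answer = (& nslookup -type=SRV $srv 2>&1) | Out-String
    $resolved = [bool]($answer -match 'svr hostname')
    $addresses = @()
    if ($resolved) {
        $addresses = [System.Net.Dns]::GetHostAddresses($ForestName) | ForEach-Object { $_.IPAddressToString }
    }
    New-Object PSObject -Property @{
        Forest      = $ForestName
        DcSrvRecord = $srv
        Resolved    = $resolved
        Addresses   = $addresses
    }
}

# On NYC-DC1 (Contoso.com), Task 1:
Add-ConditionalForwarder -Zone 'Adatum.com' -MasterServers '10.10.0.100'
Test-PartnerForestResolution -ForestName 'Adatum.com'

# On VAN-DC1 (Adatum.com), Task 2:
# Add-ConditionalForwarder -Zone 'Contoso.com' -MasterServers '10.10.0.10'
# Test-PartnerForestResolution -ForestName 'Contoso.com'
```

Whoever answers at the master server addresses controls every answer for the partner's zone, including the SRV records that the trust and all later Kerberos referrals rely on, so point a conditional forwarder only at the partner's own domain controllers, over a network path you trust, and never at a general-purpose resolver.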

Exercise 2: Configuring a Forest Trust

Scenario

You need to configure a forest trust between Contoso.com and Adatum.com.

The main tasks for this exercise are as follows:

1. Use the New Trust Wizard to create a Forest Trust.

2. Configure Selective Authentication.

Task 1: Use the New Trust Wizard to create a Forest Trust.

1. On NYC-DC1, open the Active Directory Domains and Trusts console.

2. Start the New Trust Wizard and configure the following:

• Trust Name: Adatum.com

• Trust Type: Forest Trust

• Direction of Trust: Two-way

• Sides of Trust: Both this domain and the specified domain

• User Name: Administrator

• Password: Pa$$w0rd

• Outgoing Trust Authentication Level – Local Forest : Forest-wide authentication

• Outgoing Trust Authentication Level – Specified Forest : Forest-wide authentication

• Confirm both the outgoing and incoming trust

3. On NYC-DC1, configure Selective Authentication so that Adatum.com domain users can authenticate only to NYC-SVR1 (Task 2).

Task 2: Configure Selective Authentication

1. On NYC-DC1, open the Active Directory Domains and Trusts console.

2. Open the Properties of the Contoso.com domain, select the Adatum.com trust on the Trusts tab, click Properties, and on the Authentication tab select Selective authentication.

3. Close Active Directory Domains and Trusts.

4. Open the Active Directory Users and Computers console.

5. With Advanced Features enabled, open the properties of the NYC-SVR1 computer object and, on the Security tab, grant the ADATUM\Domain Users group the Allowed to authenticate permission.

6. Close Active Directory Users and Computers .

Results: After completing this exercise, you will have created a Forest Trust and configured Selective Authentication.
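The following script is added here as an example; it is not part of the course, the lab files, or Microsoft's documentation. It performs this exercise from NYC-DC1 with the System.DirectoryServices.ActiveDirectory classes in .NET 3.5 (present on Windows Server 2008 R2 with Windows PowerShell 2.0) instead of the wizard: it creates both sides of the two-way forest trust, verifies it (step 4 of the demonstration earlier in this lesson), switches the outgoing side to selective authentication as described under Resource Access for Users from Trusted Domains, and grants the Allowed to authenticate extended right on the NYC-SVR1 computer object. The forest names, the computer name and the ADATUM\Domain Users group are the lab's; the Allowed-To-Authenticate right GUID is the fixed schema value.

```powershell
# Added example, not course material: Lab B, Exercise 2 with System.DirectoryServices.
# Run on NYC-DC1 as CONTOSO\Administrator (Enterprise Admins of the local forest).
Add-Type -AssemblyName System.DirectoryServices

function Get-RemoteForest {
    param(
        [Parameter(Mandatory = $true)][string]$ForestName,
        [Parameter(Mandatory = $true)][System.Management.Automation.PSCredential]$Credential
    )
    # Bind to the partner forest with its Enterprise Admin credentials; the remote side of
    # the trust is created under this identity (the wizard's "Both this domain and the
    # specified domain" option).
    $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
        [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
        $ForestName, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
}

function New-ForestTrust {
    param([Parameter(Mandatory = $true)][System.DirectoryServices.ActiveDirectory.Forest]$PartnerForest)
    $local = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $both  = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional
    # Creates both sides of a two-way forest trust with forest-wide authentication (Task 1).
    $local.CreateTrustRelationship($PartnerForest, $both)
    # Demonstration step 4: verify both directions. Throws if either side is broken.
    $local.VerifyTrustRelationship($PartnerForest, $both)
    # The forest trust TDO also records the partner's routed name suffixes.
    $local.GetTrustRelationship($PartnerForest.Name).TopLevelNames
}

function Set-SelectiveAuthentication {
    param([Parameter(Mandatory = $true)][string]$PartnerForestName, [bool]$Enabled = $true)
    $local = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    # Acts on the local (outgoing) side of the trust: the same setting as the Authentication
    # tab of the Adatum.com trust in Active Directory Domains and Trusts on NYC-DC1 (Task 2).
    $local.SetSelectiveAuthenticationStatus($PartnerForestName, $Enabled)
    New-Object PSObject -Property @{
        Partner                 = $PartnerForestName
        SelectiveAuthentication = $local.GetSelectiveAuthenticationStatus($PartnerForestName)
        # SID filtering is enabled by default on a new forest trust; leave it on.
        SidFiltering            = $local.GetSidFilteringStatus($PartnerForestName)
    }
}

function Grant-AllowedToAuthenticate {
    param([Parameter(Mandatory = $true)][string]$ComputerName,
          [Parameter(Mandatory = $true)][string]$Account)   # e.g. 'ADATUM\Domain Users'
    # "Allowed to authenticate" on the Security tab is the Allowed-To-Authenticate extended
    # right; its GUID is fixed in the AD schema.
    $allowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))")
    $computer = $searcher.FindOne().GetDirectoryEntry()
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        (New-Object System.Security.Principal.NTAccount($Account)),
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $allowedToAuthenticate)
    $computer.ObjectSecurity.AddAccessRule($rule)
    $computer.CommitChanges()
    # Return the ACEs for this right so the change can be reviewed.
    $computer.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.ObjectType -eq $allowedToAuthenticate }
}

# Prompt for the partner's Enterprise Admin rather than hard-coding the lab password.
$adatum = Get-RemoteForest -ForestName 'Adatum.com' -Credential (Get-Credential 'ADATUM\Administrator')
New-ForestTrust -PartnerForest $adatum
Set-SelectiveAuthentication -PartnerForestName 'Adatum.com' -Enabled $true
Grant-AllowedToAuthenticate -ComputerName 'NYC-SVR1' -Account 'ADATUM\Domain Users'
```

Two points a practitioner should notice. First, between New-ForestTrust and Set-SelectiveAuthentication the trust runs with forest-wide authentication, so every Adatum.com user is an Authenticated User on every Contoso.com computer for that interval; the wizard in Task 1 has the same gap, which is why the Outgoing Trust Authentication Level page lets you choose selective authentication up front. Second, selective authentication is a property of the outgoing side only: enabling it on NYC-DC1 restricts Adatum.com users in Contoso.com, and says nothing about what Contoso.com users may do in Adatum.com.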

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6419B-VAN-DC1.

Module Review and Takeaways

Review Questions

1. If there is a trust within a forest, and the resource is not in the user's domain, how will the domain controller use the trust relationship to give the user access to the resource?

2. The BranchOffice_Admins group has been granted full control of all user accounts in the BranchOffice_OU. What permissions would the BranchOffice_Admins have to a user account that was moved from the BranchOffice_OU to the HeadOffice_OU?

3. Your organization has a Windows Server 2008 forest environment, but it has just acquired another organization with a Windows 2000 forest environment that contains a single domain. Users in both organizations must be able to access resources in each other's forest. What type of trust will you create between the forest root domains of each forest?

Windows Server 2008 R2 Features Introduced in this Module

Windows Server 2008 R2 feature: Description

Managed service accounts: Used to automate password and SPN management for service accounts used by applications and services.

Module 9
Creating and Managing Group Policy Objects

Contents:

Lesson 1: Overview of Group Policy 9-3

Lesson 2: Configuring the Scope of Group Policy Objects 9-14

Lab A: Creating and Configuring GPOs 9-22

Lesson 3: Managing Group Policy Objects 9-26

Lab B: Creating and Configuring GPOs 9-35

Lesson 4: Evaluating and Troubleshooting Group Policy Processing 9-39

Lab C: Troubleshooting Group Policy 9-53

Module Overview

Administrators face increasingly complex challenges in managing the information technology (IT) infrastructure of their organizations. They must deliver and maintain customized desktop configurations, ensure the security of a geographically and logistically dispersed collection of computers, and provide administration and management for an increasingly complex and growing computing environment.

Group Policy and the Active Directory® Domain Services (AD DS) infrastructure in Microsoft® Windows Server® 2008 enable IT administrators to automate user and computer management in many areas, simplifying administrative tasks and reducing IT costs. With Group Policy and AD DS, administrators can efficiently distribute software, implement security settings, and enforce IT policies consistently across a given site, domain, or range of organizational units (OUs).

Objectives

After completing this module, you will be able to:

• Explain Group Policy.

• Configure the scope of Group Policy objects (GPOs).

• Manage GPOs.

• Evaluate and troubleshoot Group Policy processing.

Lesson 1

Overview of Group Policy

This lesson shows you how to use Group Policy to simplify managing your Active Directory environment. You will learn how GPOs are structured and applied, and how to control the scope and application of GPOs. In addition, you will gain experience with tools that aid in implementing Group Policy in your environment.

This lesson also discusses Group Policy features that are included with Windows Server 2008 and Windows Server 2008 R2, and which help simplify computer and user management.

Objectives

After completing this lesson, you will be able to:

• Describe configuration management and how Group Policy helps to automate the management of users and computers.

• Describe the concept of GPOs and Group Policy settings.

• Describe how Group Policy is applied to computers and users.

• Describe exceptions to Group Policy processing.

• Describe the Group Policy components.

• Create a GPO.

What Is Configuration Management?

Key Points

If you have only one computer in your environment (at home, for example) and you need to make a change, such as modifying the desktop background, there are several ways to do that. Most people would probably open Personalization in Control Panel and make the change by using the Windows interface. That works well for one user, but becomes tedious if you want to make the change for multiple users, for example, if you want the same background for yourself and your family. You have to make the change multiple times, and then, if you ever change your mind and want to change the background yet again, you have to return to each user's profile and make the change. Implementing the change and maintaining a consistent environment becomes even more difficult across multiple computers.

In the end, configuration management is a centralized approach to applying one or more changes to one or more users, computers, or both. The key elements of configuration management are:

• A centralized definition of a change, which we will also call a setting. The setting brings a user or a computer to a desired state of configuration.

• A definition of the user(s) or computer(s) to whom the change applies, which we will call the scope of the change.

• A mechanism that ensures that the setting is applied to users and computers within the scope. We will call this process the application.

Group Policy is a framework within Windows, with components that reside in Active Directory, on domain controllers, and on each Windows server and client, that enables you to manage configuration in an AD DS domain.


Creating and Managing Group Policy Objects 9-5

What Are Group Policy Objects and Settings?

Key Points
Group Policy management in an AD DS domain is implemented on the server side by two primary components, Group Policy settings and GPOs.

Group Policy Settings
A Group Policy setting is the most granular component of Group Policy. It defines a specific configuration change to apply to an object within AD DS, either a computer, a user, or both. Group Policy has thousands of configurable settings, which can affect nearly every area of the computing environment. Not every setting applies to every version of Windows. For example, software restriction policies, which were introduced with Windows XP and Windows Server 2003, are ignored by Windows 2000 clients, and many of the hundreds of settings added with Windows 7 and Windows Server 2008 R2 apply only to those operating systems and later. If a computer receives a setting that it cannot process, it simply ignores it.

Most policy settings can have three states:

• Not Configured

• Enabled

• Disabled

By default, every policy setting in a GPO is Not Configured, which means the GPO says nothing about that setting and leaves the existing configuration of the user or computer untouched. Enabled writes the setting's configured value to the client. Disabled is not the same as Not Configured: it also writes a value, one that turns the behavior off, so it overrides an Enabled from a GPO that was processed earlier.

Note: Multi-valued Group Policy settings contain more configuration options than the typical Not Configured, Enabled, and Disabled options. They are typically used to provide specific configuration details to applications or operating system components.


The effect of the change depends on the policy setting. For example, if you enable the Prevent Access to Registry Editing Tools policy setting, users will be unable to start the Regedit.exe Registry Editor. If you disable the policy setting, you ensure that users can start the Registry Editor. Notice the double negative in this policy setting: you disable a policy that prevents an action, so you allow the action.

Note: Many policy settings are complex, and the effect of enabling or disabling them might not be immediately clear. Always test the effects of a policy setting and its interactions with other policy settings before deploying a change in the production environment.

Group Policy Settings Structure
The structure of Group Policy settings is split into two distinct areas.

Group Policy Area: What It Does
Computer configuration: Settings that apply to the computer regardless of who logs on. Registry-based settings in this area are written to the HKEY_LOCAL_MACHINE hive.
User configuration: Settings that apply to the user regardless of which computer the user logs on to. Registry-based settings in this area are written to the HKEY_CURRENT_USER hive.

Configuring Group Policy Settings
Each area has three sections.

Section: Description
Software settings: Software can be deployed to either the user or the computer. Software deployed to a user is specific to that user. Software deployed to the computer is available to all users of that computer.
Windows settings: Contain script settings and security settings for both user and computer, and Internet Explorer® maintenance for the user configuration.
Administrative templates: Contain hundreds of settings that modify the registry to control various aspects of the user and computer environment.

Group Policy Preferences
In addition to the Group Policy structure above, Group Policy Preferences were added to the Group Policy structure with Windows Server 2008 and are available in Windows Server 2008 R2 and Windows 7. A Preferences node is present under the Computer Configuration and User Configuration nodes in the Group Policy Editor for these operating systems. Group Policy Preferences and their impact on your organization will be discussed in further detail later in this course.

Group Policy Objects
Group Policy settings are defined and exist within a GPO. A GPO is an object that contains one or more policy settings and thereby applies one or more configuration settings for a user, computer, or both. GPOs are managed in Active Directory by using the Group Policy Management Console (GPMC). Within the GPMC, a GPO is opened and edited by using the Group Policy Object Editor (GPO Editor), which Windows Server 2008 and later name the Group Policy Management Editor.


The GPO Editor displays the individual Group Policy settings available in a GPO in an organized hierarchy that begins with the division between computer settings and user settings, the Computer Configuration node and the User Configuration node. Computer Configuration settings are applied to computer objects in AD DS and User Configuration settings are applied to user objects within AD DS.

The GPO must be linked to a domain, site, or OU in the AD DS hierarchy for the settings within the object to take effect.


How Group Policy Is Applied

Key Points
In the previous topic, we established that a Group Policy setting cannot be applied to a user or computer unless it is contained in a GPO. In the same manner, a GPO (and the Group Policy settings within it) has no effect on user and computer objects until it is linked to a domain, site, or OU within AD DS.

Group Policy Application Scope

The first step of Group Policy application is attaching, or linking, a GPO to an AD DS domain, site, or OU. After a GPO is linked, the domain, site, or OU that it is linked to defines the GPO scope. The scope of a GPO is the collection of users and computers that will apply the Group Policy settings contained in the GPO. Where a GPO is linked determines its top-level scope. For example, the settings in a GPO linked at the domain level of the Contoso domain will affect all users and computers within the domain. However, if that same GPO is linked to the Research OU, the settings in that GPO will affect only the users and computers contained in the Research OU.

Group Policy Application Processing
Clients initiate Group Policy application by requesting GPOs from AD DS. When Group Policy is applied to a user, computer, or both, client components interpret the policy and make the appropriate environment changes. These components are known as Group Policy client-side extensions. As GPOs are processed, the Group Policy Client service passes the list of GPOs that must be processed to each client-side extension, which then processes the settings it is responsible for. The Group Policy Client service exists only on Windows Vista and later; earlier versions process Group Policy from within the Winlogon process.

Computer Configuration and User Configuration settings are processed and applied separately by the client-side extensions.

Applying Computer Configuration
The Group Policy settings in the Computer Configuration portion of a GPO are applied when the computer starts, and are then refreshed in the background at a regular interval (by default every 90 minutes with a random offset of up to 30 minutes on workstations and member servers, and every 5 minutes on domain controllers).


Applying User Configuration
The Group Policy settings in the User Configuration portion of a GPO are applied when the user logs on to Windows, and are refreshed in the background on the same schedule as computer settings.

Note: Many Group Policy settings can be applied without restarting the computer or logging off by running gpupdate /force from a command prompt, which reapplies all settings rather than only the ones that changed. Settings that are processed only at startup or logon, such as software installation and folder redirection, are still deferred; gpupdate offers to log off or restart when it encounters such settings.


Exceptions to Group Policy Processing

Key Points
Several factors change the normal Group Policy processing behavior: the way that client computers handle domain authentication, logging on over a slow connection, accessing a domain environment remotely, and the movement of user and computer objects within the AD DS structure. Different operating system versions also handle Group Policy processing differently.

Cached Credentials

By default, Windows client operating systems cache the credentials of the last ten domain accounts that logged on to the system. Windows XP and later client versions also use fast logon optimization: the user is logged on, with cached credentials when they are available, while Group Policy is still being processed in the background. As a result, some changes made to Group Policy settings, notably software installation and folder redirection, can take two logons to be applied. The Always wait for the network at computer startup and logon policy setting turns fast logon optimization off and forces synchronous processing.

Slow Link Detection
When a Windows computer connects to the network, part of the connection process is measuring the speed of the link from the client to the domain controller it uses. By default, if the measured bandwidth is less than 500 Kbps, Windows flags the link as slow. This threshold is configurable through Group Policy (Configure Group Policy slow link detection, under Computer Configuration, Administrative Templates, System, Group Policy) to suit your organization's network environment.

When a slow link is detected, Group Policy processing operates differently. Certain client-side extensions (the components responsible for enacting Group Policy changes on client computers) are not processed over a slow link by default. This results in a different set of policy settings being applied to clients that connect over a slow link.

The following table lists the Group Policy client-side extensions that are turned off by default when a slow link is detected.

Client-Side Extension: Default Slow Link Behavior
Software Installation: OFF
Scripts: OFF
Folder Redirection: OFF
Deployed Printer Connections: OFF
Disk Quota: OFF

Registry policy (Administrative Templates) and Security Settings are always processed, even over a slow link. Each of the extensions in the table has its own policy processing setting under Computer Configuration, Administrative Templates, System, Group Policy, with an Allow processing across a slow network connection option that changes the default.

Certain remote access connections made over dial-up or ISDN links are also detected as slow connections, and Group Policy settings are applied accordingly.

Moving Objects in AD DS
When a user or computer object is moved to a new location within the AD DS structure, such as a different OU, the client computer does not become aware of the change until the next policy processing cycle after the move has replicated. In practice, the Group Policy settings linked to the new OU are reliably applied only after the computer has restarted (for computer objects) or the user has logged off and on again (for user objects).


Group Policy Components

Key Points
A GPO is stored in two places, and both halves replicate to every domain controller in the domain: the Group Policy container, an object in AD DS, and the Group Policy template, a folder in the System Volume (SYSVOL) share. Clients read both when they process policy. Because a GPO is an independent object, one GPO may be linked to multiple Active Directory containers, and, conversely, multiple GPOs may be linked to one container.

Along with the GPO, Group Policy has two more major components:

• Group Policy templates

• Group Policy container

Group Policy Templates
A Group Policy template (GPT) is the collection of settings contained within a GPO, stored as a folder under \\<domain>\SYSVOL\<domain>\Policies\{GUID of the GPO} on the domain controllers. The GPT holds most of the configurable policy settings of the GPO: the registry.pol files for Administrative Templates settings, security templates, scripts, and the GPT.ini file that records the template's version number.

Group Policy Container
The Group Policy container (GPC) is the logical representation of the GPO in AD DS, an object under CN=Policies,CN=System in the domain partition, which resides on each of the domain's controllers. The GPC keeps references to the client-side extensions that have settings in the GPO, version information, the path to the Group Policy template, paths to software installation packages, and GPO properties. The version numbers in the GPC and in GPT.ini should match; when they differ, AD DS replication and SYSVOL replication are out of step and clients may process stale settings.
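As an added example (not from the handbook), the function below locates both halves of a GPO and checks that they agree. It assumes the ActiveDirectory and GroupPolicy modules are available (both ship with Windows Server 2008 R2) and that the domain's SYSVOL share is reachable from where you run it.

```powershell
# Added example: show where a GPO lives (GPC in AD DS, GPT in SYSVOL) and check that
# the two copies carry the same version number. Not part of the 6419B handbook.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoStorageInfo {
    param([Parameter(Mandatory = $true)] [string] $Name)

    $gpo  = Get-GPO -Name $Name
    $guid = '{' + $gpo.Id.ToString().ToUpper() + '}'

    # Group Policy container: one groupPolicyContainer object per GPO under CN=Policies,CN=System.
    $domainDn = (Get-ADDomain).DistinguishedName
    $gpc = Get-ADObject -Identity "CN=$guid,CN=Policies,CN=System,$domainDn" `
        -Properties displayName, gPCFileSysPath, versionNumber, gPCMachineExtensionNames, gPCUserExtensionNames

    # Group Policy template: the SYSVOL folder that gPCFileSysPath points to. GPT.ini holds the
    # template's own copy of the version number.
    $gptVersion = 0
    foreach ($line in (Get-Content -Path (Join-Path $gpc.gPCFileSysPath 'GPT.ini'))) {
        if ($line -match '^Version=(-?\d+)\s*$') { $gptVersion = [int64]$Matches[1] }
    }
    if ($gptVersion -lt 0) { $gptVersion += 4294967296 }   # stored as a signed 32-bit number

    # versionNumber packs two 16-bit counters: low word = Computer settings, high word = User settings.
    $gpcVersion = [int64]$gpc.versionNumber
    if ($gpcVersion -lt 0) { $gpcVersion += 4294967296 }
    $computerVersion = $gpcVersion % 65536
    $userVersion     = [math]::Floor($gpcVersion / 65536)

    New-Object PSObject -Property @{
        DisplayName     = $gpo.DisplayName
        Guid            = $guid
        GpcDN           = $gpc.DistinguishedName
        GptPath         = $gpc.gPCFileSysPath
        GpcVersion      = $gpcVersion
        GptVersion      = $gptVersion
        ComputerVersion = $computerVersion
        UserVersion     = $userVersion
        ComputerCSEs    = $gpc.gPCMachineExtensionNames   # CSE GUID pairs the client will invoke
        UserCSEs        = $gpc.gPCUserExtensionNames
        VersionsInSync  = ($gpcVersion -eq $gptVersion)
    }
}

# Compare the two copies for every GPO in the domain. A mismatch that persists after
# replication has settled means the AD DS and SYSVOL halves are out of step.
Get-GPO -All | ForEach-Object { Get-GpoStorageInfo -Name $_.DisplayName } |
    Format-Table DisplayName, ComputerVersion, UserVersion, GpcVersion, GptVersion, VersionsInSync -AutoSize
```

The same AD and SYSVOL version pairs appear on a GPO's Details tab in the GPMC; the script is useful when you want to check every GPO at once, for example after a SYSVOL replication problem.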


Demonstration: Configuring Group Policy Objects

Key Points
In this demonstration, you will see how to:

• Use the GPMC to create a new GPO.

• Configure Group Policy settings.

Demonstration Steps:
1. Open the Group Policy Management console.

2. Create a new Group Policy Object named Desktop in the Group Policy Objects container.

3. In the computer configuration, prevent the last logon name from displaying, and prevent Windows Installer from running.

4. In the user configuration, remove the Search link from the Start menu, and hide the display settings tab.
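The following PowerShell script is an added example, not part of the 6419B handbook. It builds the Desktop GPO from this demonstration with the GroupPolicy module that ships with the Windows Server 2008 R2 GPMC, and shows what the three setting states described earlier in this lesson actually write into a GPO. The registry keys and value names are those behind the corresponding Administrative Templates settings. Assumptions: the module is loaded on a domain controller or management station, a GPO named Desktop does not already exist, and the Disabled state writes 0 for these four classic settings (confirm with Get-GPRegistryValue after setting Disabled in the editor if in doubt). The "Do not display last user name" item from step 3 is a Security Settings policy, which the module cannot write, so it remains a GPO Editor task.

```powershell
# Added example: build the "Desktop" demonstration GPO and inspect setting states.
# Not part of the 6419B handbook. Requires the GroupPolicy module (GPMC feature).
Import-Module GroupPolicy

$gpoName = 'Desktop'

# Registry locations that the Administrative Templates settings used in the demo write to.
$hkcuExplorer  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$hkcuSystem    = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$hklmInstaller = 'HKLM\Software\Policies\Microsoft\Windows\Installer'

# One hashtable per setting: display name, key, value name and the value "Enabled" writes.
# DisableMSI is an enumeration: 2 means "Always" (Windows Installer never runs).
$demoSettings = @(
    @{ Name = 'Remove Search link from Start Menu';       Key = $hkcuExplorer;  ValueName = 'NoFind';               EnabledValue = 1 },
    @{ Name = 'Hide Settings tab (Display)';              Key = $hkcuSystem;    ValueName = 'NoDispSettingsPage';   EnabledValue = 1 },
    @{ Name = 'Prevent access to registry editing tools'; Key = $hkcuSystem;    ValueName = 'DisableRegistryTools'; EnabledValue = 1 },
    @{ Name = 'Disable Windows Installer (Always)';       Key = $hklmInstaller; ValueName = 'DisableMSI';           EnabledValue = 2 }
)

function Set-DemoPolicyState {
    # Writes what the GPO Editor writes to registry.pol for the chosen state.
    param(
        [Parameter(Mandatory = $true)] [string]    $GpoName,
        [Parameter(Mandatory = $true)] [hashtable] $Setting,
        [Parameter(Mandatory = $true)] [ValidateSet('Enabled', 'Disabled', 'NotConfigured')] [string] $State
    )
    switch ($State) {
        'Enabled' {
            Set-GPRegistryValue -Name $GpoName -Key $Setting.Key -ValueName $Setting.ValueName `
                -Type DWord -Value $Setting.EnabledValue | Out-Null
        }
        'Disabled' {
            # Disabled is not "no opinion": for these classic settings it writes 0 (assumption noted
            # in the lead-in), which actively re-allows the behaviour and overrides an Enabled from a
            # GPO that was processed earlier.
            Set-GPRegistryValue -Name $GpoName -Key $Setting.Key -ValueName $Setting.ValueName `
                -Type DWord -Value 0 | Out-Null
        }
        'NotConfigured' {
            # Not Configured removes the entry, so whatever the client already has stays as it is.
            Remove-GPRegistryValue -Name $GpoName -Key $Setting.Key -ValueName $Setting.ValueName | Out-Null
        }
    }
}

function Get-DemoPolicyState {
    # Reads the entry back from the GPO and maps it to the state shown in the editor.
    param([string] $GpoName, [hashtable] $Setting)
    $entry = $null
    try {
        $entry = Get-GPRegistryValue -Name $GpoName -Key $Setting.Key -ValueName $Setting.ValueName -ErrorAction Stop
    } catch { $entry = $null }
    if ($entry -eq $null)   { return 'NotConfigured' }
    if ($entry.Value -eq 0) { return 'Disabled' }
    return 'Enabled'
}

# 1. Create the GPO. It is not linked yet, so nothing is applied anywhere.
if ((Get-GPO -Name $gpoName -ErrorAction SilentlyContinue) -eq $null) {
    New-GPO -Name $gpoName -Comment 'Lesson 1 demonstration GPO' | Out-Null
}

# 2. Enable every demo setting ...
foreach ($s in $demoSettings) { Set-DemoPolicyState -GpoName $gpoName -Setting $s -State 'Enabled' }

# 3. ... then flip the registry-tools setting to Disabled to see the double negative: the GPO
#    now explicitly allows Regedit.exe rather than saying nothing about it.
Set-DemoPolicyState -GpoName $gpoName -Setting $demoSettings[2] -State 'Disabled'

# 4. Report what the GPO contains.
foreach ($s in $demoSettings) {
    '{0,-45} {1}' -f $s.Name, (Get-DemoPolicyState -GpoName $gpoName -Setting $s)
}

# An HTML report shows the same settings the way the GPMC Settings tab does.
Get-GPOReport -Name $gpoName -ReportType Html -Path (Join-Path $env:TEMP 'Desktop-GPO.html')
```

Nothing in the script links the GPO, so after it runs the settings exist but apply nowhere; linking is covered in the next topic.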


Lesson 2

Configuring the Scope of Group Policy Objects

There are several techniques in Group Policy that allow administrators to manipulate how Group Policy is applied. You can control the default processing order of policy through enforcement, blocking inheritance, security filtering, Windows Management Instrumentation (WMI) filters, or by using the loopback processing feature. In this lesson, you will learn about these techniques.

Objectives
After completing this lesson, you will be able to:

• Describe the Group Policy processing order (Local, Site, Domain, and OU).

• Create and manage processing order by using GPO links.

• Describe the options for modifying Group Policy processing.

• Describe how to modify the scope of Group Policy by using Security and WMI filtering.

• Describe Loopback processing.


Group Policy Processing Order

Key Points
The GPOs that apply to a user, computer, or both do not all apply at once. GPOs are applied in a particular order, which means that settings processed first may be overwritten by conflicting settings processed later.

Group Policy follows this hierarchical processing order:

1. Local Group Policy. Each computer running Windows 2000 or later has at least one local Group Policy object (Windows Vista and later have several). Local policy is applied first.

2. Site Group Policy. Policies linked to sites are processed second. If there are multiple site policies, they are processed in the link order the administrator has set.

3. Domain Group Policy. Policies linked to the domain are processed third. If there are multiple domain policies, they are processed in their link order.

4. OU Group Policy. Policies linked to top-level OUs are processed fourth. If there are multiple top-level OU policies, they are processed in their link order.

5. Child OU Group Policy. Policies linked to child OUs are processed fifth. If there are multiple child OU policies, they are processed in their link order. When there are multiple levels of child OUs, policies for higher-level OUs are applied first and policies for the lower-level OUs are applied next.

In Group Policy application, the general rule is that the last policy applied wins. For example, a policy that restricts access to Control Panel applied at the domain level could be reversed by a policy applied at the OU level for the objects contained in that particular OU.

If you link several GPOs to a container, their processing occurs in the order the administrator specifies on the Linked Group Policy Objects tab for that container in the Group Policy Management Console (GPMC). The GPO with link order 1 is processed last and therefore has the highest precedence among the GPOs linked to that container.


Disabling GPOs
By default, processing is enabled for all GPO links. You can completely block the application of a GPO for a given site, domain, or organizational unit by disabling that container's link to the GPO. If the GPO is linked to other containers, they will continue to process the GPO as long as their links are enabled.

You can also disable the Computer Configuration or the User Configuration half of a particular GPO independently of the other (on the GPO's Details tab, under GPO Status). If one half of a GPO is known to be empty, disabling it speeds up policy processing. For example, if you have a GPO that only delivers user desktop configuration, you could disable the computer side of the GPO.

Question: Your organization has multiple domains spread over multiple sites. You want to apply a Group Policy to all users in two different domains. What is the best way to accomplish this?


Demonstration: How to Manage Processing Order by Using GPO Links

Key Points
In this demonstration, you will see how to:

• Create and link GPOs to different locations.

• Disable a GPO link.

• Delete a GPO link.

Demonstration Steps
1. Open the Group Policy Management console.

2. Create two new GPOs.

3. Link the first GPO to the domain.

4. Link the second GPO to the IT OU.

5. Disable the first GPO’s link.

6. Delete the second GPO.

7. Re-enable the first GPO’s link.
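The demonstration's sequence as an added PowerShell example (not from the handbook), with a helper that prints the order in which a computer or user in a container will apply its GPOs. Assumptions: the GroupPolicy module is loaded, an OU named IT exists directly under the domain, and the GPO names Demo-DomainWide and Demo-IT are free.

```powershell
# Added example: create two GPOs, link them at different levels, show the resulting
# processing order, then disable, delete and re-enable links. Not from the 6419B handbook.
Import-Module GroupPolicy

$domainName = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
$domainDn   = 'DC=' + ($domainName -replace '\.', ',DC=')
$itOu       = "OU=IT,$domainDn"          # assumption: the IT OU used by the demonstration exists

function Get-GpoApplyOrder {
    # Lists the GPOs a container inherits in the order the client applies them. Get-GPInheritance
    # returns InheritedGpoLinks in precedence order (precedence 1 first, as on the GPMC
    # Group Policy Inheritance tab); reversing it gives apply order, so the last row wins a conflict.
    param([Parameter(Mandatory = $true)] [string] $Target)
    $links = @((Get-GPInheritance -Target $Target).InheritedGpoLinks)
    [array]::Reverse($links)
    $n = 0
    foreach ($link in $links) {
        $n++
        New-Object PSObject -Property @{
            ApplyOrder = $n
            Gpo        = $link.DisplayName
            LinkedAt   = $link.Target
            Enabled    = $link.Enabled
            Enforced   = $link.Enforced
        }
    }
}

# Steps 2 to 4: create the GPOs and link one to the domain, the other to the IT OU.
$domainGpo = New-GPO -Name 'Demo-DomainWide'
$itGpo     = New-GPO -Name 'Demo-IT'
New-GPLink -Name $domainGpo.DisplayName -Target $domainDn -LinkEnabled Yes | Out-Null
New-GPLink -Name $itGpo.DisplayName     -Target $itOu     -LinkEnabled Yes | Out-Null

'--- Apply order for IT after linking (domain GPO first, OU GPO last, so the OU GPO wins):'
Get-GpoApplyOrder -Target $itOu | Format-Table ApplyOrder, Gpo, LinkedAt, Enabled, Enforced -AutoSize

# Step 5: disable the domain link. The GPO still exists, and other links to it keep working.
Set-GPLink -Name $domainGpo.DisplayName -Target $domainDn -LinkEnabled No | Out-Null

# Step 6: delete the second GPO. Remove-GPO also removes its links; use Remove-GPLink
# instead when you want to drop a single link and keep the GPO.
Remove-GPO -Name $itGpo.DisplayName

# Step 7: re-enable the domain link.
Set-GPLink -Name $domainGpo.DisplayName -Target $domainDn -LinkEnabled Yes | Out-Null

'--- Apply order for IT at the end:'
Get-GpoApplyOrder -Target $itOu | Format-Table ApplyOrder, Gpo, LinkedAt, Enabled, Enforced -AutoSize
```

Run it from an elevated PowerShell session on a Windows Server 2008 R2 domain controller, or on a Windows 7 station with RSAT; the second table should list only the domain-linked GPO (plus whatever was already linked in your lab, such as the Default Domain Policy).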


Options for Modifying Group Policy Processing

Key Points
There may be occasions when the normal behavior of Group Policy is not desirable. For example, certain users or groups may need to be exempt from restrictive Group Policy settings, or a GPO should be applied only to computers with certain hardware or software characteristics. By default, a GPO applies to the Authenticated Users group (all users and computers) in the containers it is linked to. However, you can modify that behavior through the following methods.

Block Inheritance
You can block policy inheritance for a domain or organizational unit. Blocking inheritance prevents the child container from automatically inheriting GPOs linked to higher sites, domains, or organizational units. By default, child containers inherit all GPOs from the parent. You cannot block individual higher-level policies: you block inheritance of all higher-level policies or none of them.

Enforcement of GPO Links
You can specify that the settings in a GPO should take precedence over the settings of GPOs linked to any child container by setting the GPO link to Enforced. Enforced links cannot be blocked by Block Inheritance on a child container. Without enforcement, if GPOs contain conflicting settings, the settings of GPOs linked at the higher level (parent) are overwritten by settings in GPOs linked to child organizational units. Enforcement therefore prevents OU administrators from blocking or overriding higher-level policies. Security group filtering still applies to an enforced GPO: a principal that is denied the Apply Group Policy permission does not receive it.

Filtering Using Security Groups
Security filtering is based on the fact that GPOs have access control lists (ACLs) associated with them. These ACLs contain access entries for different security principals. For a GPO to be applied to a security principal in an OU, the security principal requires, at a minimum, the following permissions set to Allow:

• Read

• Apply Group Policy


By default, the Authenticated Users group has these permissions. By granting or denying the Apply Group Policy permission, you can control which users, groups, or computers actually receive the GPO settings. A Deny entry takes precedence over any Allow the principal receives through its group memberships. The Scope tab of a GPO in the GPMC lists the principals that have Apply Group Policy; Deny entries are visible only under Delegation, Advanced.

Filtering by Using WMI Filters
WMI is a set of technologies for managing Windows-based environments. WMI provides access to properties of almost every hardware and software object in the computing environment. A WMI filter consists of one or more WMI Query Language (WQL) queries; the client evaluates them when it processes policy, and applies the GPO only if every query returns at least one object. For example, a WMI query could check for a minimum amount of random access memory (RAM), or a specific service pack, to determine whether a GPO should be applied. Windows 2000 clients ignore WMI filters and apply the GPO regardless. You must be a member of the Domain Admins, Enterprise Admins, or Group Policy Creator Owners group to create WMI filters in the domain.

Loopback Processing
In some cases, users may need policies applied to them based on the computer's location in AD DS, not the user's identity. You can use the Group Policy loopback feature in any situation where you want to apply user settings based solely on the computer object in AD DS. Loopback is discussed in more detail later in this lesson.

Question: You have created a restrictive desktop policy and linked it to the Finance OU. The Finance OU has several child OUs that have separate GPOs that reverse some of your desktop restrictions. How would you ensure that all users in the Finance department receive your desktop policy?


Demonstration: Filtering Group Policy Processing

Key Points
In this demonstration, you will see how to:

• Filter Group Policy application by using security group filtering.

• Filter Group Policy application by using WMI filtering.

Demonstration Steps
Use Security Group Filtering

1. Create a GPO that removes the Help menu link from the Start menu and link it to the IT OU.

2. Use security filtering to exempt a user from the GPO.

3. Test Group Policy application.

Use WMI Filtering

1. Use the GPMC to create a new WMI filter that targets only Windows XP Professional clients, using the following namespace and query:

   Root\CimV2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"

2. Use the GPMC to create a new GPO named Software.

3. Assign the WMI filter to the Software GPO.
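An added PowerShell example (not from the handbook) that carries out the scope changes from this lesson with the GroupPolicy module: enforcing the Finance desktop GPO so that a child OU cannot block it, filtering the IT "No Help Menu" GPO to a group so that a user can be exempted by leaving him out of the group, and testing the WQL query from the demonstration on a client before it is attached as a WMI filter. Assumptions: OUs named Finance (with a child OU Payroll) and IT exist under the domain, a GPO named Finance Desktop is linked to the Finance OU, a GPO named No Help Menu exists, and the group IT-NoHelp is created here. The Windows Server 2008 R2 GroupPolicy module has no cmdlet that creates a WMI filter, so the filter itself is created and attached in the GPMC as the demonstration shows.

```powershell
# Added example: enforcement vs. Block Inheritance, security filtering, and a WMI filter
# dry run. Not part of the 6419B handbook.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainName = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
$domainDn   = 'DC=' + ($domainName -replace '\.', ',DC=')
$financeOu  = "OU=Finance,$domainDn"          # assumptions: these OUs and GPOs exist
$payrollOu  = "OU=Payroll,$financeOu"
$itOu       = "OU=IT,$domainDn"

# --- 1. An enforced link beats Block Inheritance (the lesson question about Finance) ---
Set-GPInheritance -Target $payrollOu -IsBlocked Yes | Out-Null            # child OU blocks inheritance
Set-GPLink -Name 'Finance Desktop' -Target $financeOu -Enforced Yes | Out-Null
$payroll = Get-GPInheritance -Target $payrollOu
"Payroll blocks inheritance: $($payroll.GpoInheritanceBlocked)"
'GPOs Payroll still inherits (only enforced ones get through): ' +
    (($payroll.InheritedGpoLinks | ForEach-Object { $_.DisplayName }) -join ', ')

# --- 2. Security filtering: scope 'No Help Menu' to a group instead of Authenticated Users ---
# The module cannot write a Deny ACE, so the clean way to exempt a user is to scope the GPO
# to a group and leave that user out of it. Authenticated Users keeps Read (not Apply) so
# that every client can still read the GPO while it processes policy.
$groupName = 'IT-NoHelp'
if ((Get-ADGroup -Filter "Name -eq '$groupName'") -eq $null) {
    New-ADGroup -Name $groupName -GroupScope Global -Path $itOu | Out-Null
}
Set-GPPermission -Name 'No Help Menu' -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name 'No Help Menu' -TargetName $groupName -TargetType Group -PermissionLevel GpoApply | Out-Null
Get-GPPermission -Name 'No Help Menu' -All |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission -AutoSize

# --- 3. WMI filter dry run: a filter passes on a client exactly when its query returns at least one object ---
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory = $true)] [string] $Query,
        [string] $Namespace    = 'root\CimV2',
        [string] $ComputerName = '.'
    )
    try {
        $hits = @(Get-WmiObject -Namespace $Namespace -Query $Query -ComputerName $ComputerName -ErrorAction Stop)
        return ($hits.Count -gt 0)
    } catch {
        Write-Warning "WMI query failed on $ComputerName : $_"
        return $false
    }
}

# The demonstration's query, with WQL single quotes so that it fits inside a PowerShell string.
$xpQuery = "Select * from Win32_OperatingSystem where Caption = 'Microsoft Windows XP Professional'"
'This computer matches the XP Professional filter: ' + (Test-WmiFilterQuery -Query $xpQuery)

# A version test is less brittle than a caption match (Windows XP reports version 5.1.x);
# pass -ComputerName to evaluate it on the client that will receive the GPO.
'Version-based check: ' + (Test-WmiFilterQuery -Query "Select * from Win32_OperatingSystem where Version like '5.1%'")
```

Run the dry run on a representative client of each Windows version in scope: a filter that never matches silently leaves the GPO unapplied everywhere, and the only symptom is a GPO listed under Filtered out in gpresult output.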


How Does Loopback Processing Work?

Key PointsUser policy settings are normally derived entirely from the GPOs associated with the user account, basedon its AD DS location. However, loopback processing directs the system to apply an alternate set of usersettings for the computer to any user who logs on to a computer affected by this policy. Loopbackprocessing is intended for special-use computers where you must modify the user policy based on thecomputer being used, such as the computers in public areas or classrooms. When you apply loopback, itwill affect all users, except local ones.

Both the user objects and the computer objects can potentially have different group policy settingsapplied (depending upon where each object resides in AD). Loopback processing ensures that thecomputer objects policy takes precedence over the user objects group policy settings.

Loopback processing operates by using the following two modes:

• Merge mode applies the user’s normal Group Policy settings and then applies the settings based onthe computer’s location in AD DS. This results in both sets of policy settings being processed, but anyconflicting settings are determined by the list of GPOs for the computer, which was applied last.

• Replace mode ignores the user’s normal Group Policy settings, and instead applies the user settingsassociated with the policy that delivered the loopback settings.

For example, a public access computer in the lobby may have a user policy that locks down the desktop completely, and allows access only to certain software. Loopback processing in replace mode would ensure that whoever logged on to the computer would be subject to those restrictions.

Note: You can find the loopback setting by pointing to Computer Configuration, pointing to Administrative Templates, pointing to System, and then pointing to Group Policy.
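The loopback setting described above can also be set and verified with the Windows Server 2008 R2 Group Policy cmdlets. The following script is an added example, not code from the handbook; it assumes a GPO named Kiosk Lockdown already exists in the current domain and that the session runs on a domain controller or on a computer with GPMC installed. The registry key and value it writes are the ones behind the "User Group Policy loopback processing mode" Administrative Template.

```powershell
# Added example (not from the 6419B handbook): configure loopback processing
# on an existing GPO and read the setting back.
# Assumption: a GPO named "Kiosk Lockdown" exists in the current domain.
Import-Module GroupPolicy

$gpoName = 'Kiosk Lockdown'   # assumed GPO name

# "User Group Policy loopback processing mode"
# (Computer Configuration\Administrative Templates\System\Group Policy)
# is stored as the UserPolicyMode DWORD under this key: 1 = Merge, 2 = Replace.
$key = 'HKLM\Software\Policies\Microsoft\Windows\System'

# Replace mode: ignore the user's own GPOs and apply only the user settings
# delivered by the GPOs in scope of the computer (the lobby-computer case).
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'UserPolicyMode' `
    -Type DWord -Value 2 | Out-Null

# Read the value back so the change is confirmed without opening the editor.
$setting = Get-GPRegistryValue -Name $gpoName -Key $key -ValueName 'UserPolicyMode'
$mode = switch ($setting.Value) { 1 { 'Merge' } 2 { 'Replace' } default { 'Unknown' } }
"{0}: loopback mode = {1}" -f $gpoName, $mode

# Loopback is a computer-side setting: the GPO must be linked where the
# kiosk computer accounts live, not where the user accounts live.
Get-GPO -Name $gpoName | Select-Object DisplayName, GpoStatus, ModificationTime
```

Because the value sits under Computer Configuration, a GPO that carries it only takes effect on computers in the scope of its link; linking it to an OU that holds only user accounts changes nothing, which is the most common reason a loopback configuration appears not to work.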


Lab A: Creating and Configuring GPOs

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V™ Manager.

2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

5. Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on to NYC-CL1 until directed to do so.

Scenario

Contoso, Ltd. has decided to implement Group Policy to manage user desktops and to configure computer security. The organization has already implemented an OU configuration that includes top-level OUs by different departments. User accounts are in the same container as their workstation computer accounts. Server computer accounts are spread throughout various OUs.

Note: Some of the tasks in this lab are designed to illustrate GPO management techniques and settings and may not always follow best practices.


Group Policy Requirements

• Domain users will not have access to the Run menu. The policy will apply to all users, except users in the IT OU.

• All domain computers will have a mandatory baseline security policy applied that does not display the name of the last logged on user.

• Computers running Windows 7 or Windows Vista will have additional settings applied to wait for the network at startup.

• Users in the IT OU will have the URL for Microsoft support added to their Favorites.


Exercise 1: Creating and Configuring Group Policy Objects

You will create and link the GPOs that the enterprise administrator’s design specifies. Tasks include modifying the default domain policy and creating policy settings linked to specific OUs and sites.

The main tasks are as follows:

1. Create the GPOs.

2. Configure the GPO settings.

3. Link the GPOs to the appropriate containers.

Task 1: Create the GPOs.

• On NYC-DC1, open the Group Policy Management console, browse to the Group Policy Objects container, and then perform the following:

• Create a GPO named Restrict Run Command.

• Create a GPO named Baseline Security.

• Create a GPO named Windows 7 and Windows Vista Security.

• Create a GPO named IT Favorites.

Task 2: Configure the GPO settings.

1. Edit the Restrict Run Command GPO (User Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Remove Run Menu from the Start Menu) to prevent access to the Run menu.

2. Edit the Baseline Security GPO (Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name) so that the name of the last logged on user is not displayed.

3. Edit the Windows 7 and Windows Vista Security GPO (Computer Configuration\Policies\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon) to ensure that computers wait for the network at startup.

4. Edit the IT Favorites GPO (User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\URLs\Favorites and Links) to include the URL for Microsoft tech support (http://support.microsoft.com) in the Internet Favorites.

Task 3: Link the GPOs to the appropriate containers.

• Use the GPMC to perform the following:

• Link the Restrict Run Command GPO to the domain container.

• Link the Baseline Security GPO to the domain container.

• Link the Windows 7 and Windows Vista Security GPO to the domain container.

• Link the IT Favorites GPO to the IT OU.
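The same exercise can be scripted with the Group Policy module, which is useful when the design has to be reproduced in a test domain. The script below is an added example, not part of the lab text. It assumes the domain contoso.com and an OU named IT directly under the domain (OU=IT,DC=contoso,DC=com). The two Administrative Template settings are written with Set-GPRegistryValue to the policy registry keys behind those templates; the security option in step 2 and the Internet Explorer Maintenance favorites in step 4 are not registry-based Administrative Template policies, so those two steps stay in the GPMC editor.

```powershell
# Added example (not part of the 6419B lab): Exercise 1 tasks 1-3 with the
# Group Policy cmdlets. Assumed: domain contoso.com, OU=IT,DC=contoso,DC=com.
Import-Module GroupPolicy

$domainDn = 'DC=contoso,DC=com'      # assumed domain
$itOuDn   = "OU=IT,$domainDn"         # assumed IT OU

# Task 1: create the four GPOs (skip ones that exist so the script can be rerun).
$names = 'Restrict Run Command', 'Baseline Security',
         'Windows 7 and Windows Vista Security', 'IT Favorites'
foreach ($n in $names) {
    if (-not (Get-GPO -Name $n -ErrorAction SilentlyContinue)) {
        New-GPO -Name $n -Comment 'Created by Lab A script' | Out-Null
    }
}

# Task 2, step 1: "Remove Run menu from Start Menu" (User Configuration)
# is the NoRun DWORD under the Explorer policies key.
Set-GPRegistryValue -Name 'Restrict Run Command' `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null

# Task 2, step 3: "Always wait for the network at computer startup and logon"
# (Computer Configuration) is the SyncForegroundPolicy DWORD under Winlogon.
Set-GPRegistryValue -Name 'Windows 7 and Windows Vista Security' `
    -Key 'HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -ValueName 'SyncForegroundPolicy' -Type DWord -Value 1 | Out-Null

# Task 3: link the GPOs. New-GPLink errors if the link already exists, so check first.
function Add-GPLinkIfMissing([string]$GpoName, [string]$TargetDn) {
    $linked = (Get-GPInheritance -Target $TargetDn).GpoLinks |
              Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetDn | Out-Null }
}
'Restrict Run Command', 'Baseline Security', 'Windows 7 and Windows Vista Security' |
    ForEach-Object { Add-GPLinkIfMissing $_ $domainDn }
Add-GPLinkIfMissing 'IT Favorites' $itOuDn

# Verify: every link on the domain and on the IT OU with its state.
foreach ($t in $domainDn, $itOuDn) {
    (Get-GPInheritance -Target $t).GpoLinks |
        Select-Object @{n='Target';e={$t}}, DisplayName, Enabled, Enforced, Order
}
```

Get-GPInheritance is the quickest way to confirm the result of Task 3, because it shows the links exactly as the client will evaluate them, including link order and whether each link is enabled or enforced.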


Exercise 2: Managing the Scope of GPO Application

In this exercise, you will configure the scope of GPO settings based on the enterprise administrator’s design. Tasks include blocking and enforcing inheritance, and applying filtering based on security groups and WMI filters.

The main tasks are as follows:

1. Configure Group Policy management for the domain container.

2. Configure Group Policy management for the IT Admin OU.

3. Create and apply a WMI filter for the Windows 7 and Windows Vista Security GPO.

Task 1: Configure Group Policy management for the domain container.

1. Configure the Baseline Security link to be Enforced.

2. Configure the Windows 7 and Windows Vista Security link to be Enforced.

Task 2: Configure Group Policy management for the IT OU.

• Block inheritance at the IT OU, to exempt the IT OU users from the Restrict Run Command GPO.

Task 3: Create and apply a WMI filter for the Windows Vista and Windows 7 Security GPO.

1. Create a new WMI filter called Windows 7 or Windows Vista Operating Systems configured to find only Windows 7 and Windows Vista operating systems.

Hint: Select * from Win32_OperatingSystem where Caption = "Microsoft Windows 7 Enterprise" OR Caption = "Microsoft Windows Vista Enterprise"

2. Assign the WMI filter to the Windows 7 and Windows Vista Security GPO.

Result: At the end of this exercise, you will have configured the scope of GPO settings.
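The enforce and block-inheritance steps of this exercise map directly onto Set-GPLink and Set-GPInheritance, and the WMI query from the hint can be tested on a computer before the filter is created. The script below is an added example, not part of the lab; it assumes the domain contoso.com and the OU OU=IT,DC=contoso,DC=com. The Windows Server 2008 R2 Group Policy module has no cmdlet that creates a WMI filter, so step 1 of Task 3 is still done in GPMC; the script validates the query and then checks that the filter has been assigned.

```powershell
# Added example (not from the handbook): Exercise 2 scope changes with the
# Group Policy cmdlets, plus a local test of the WMI filter query.
# Assumed: domain contoso.com, OU=IT,DC=contoso,DC=com.
Import-Module GroupPolicy

$domainDn = 'DC=contoso,DC=com'    # assumed
$itOuDn   = "OU=IT,$domainDn"      # assumed

# Task 1: mark the two mandatory domain links Enforced. An enforced link
# still applies below an OU that blocks inheritance.
foreach ($n in 'Baseline Security', 'Windows 7 and Windows Vista Security') {
    Set-GPLink -Name $n -Target $domainDn -Enforced Yes | Out-Null
}

# Task 2: block inheritance at the IT OU. Only the non-enforced domain links
# (here Restrict Run Command) stop applying to the IT OU.
Set-GPInheritance -Target $itOuDn -IsBlocked Yes | Out-Null

# Task 3, step 1: run the hint's WQL query locally before creating the filter.
# A query that errors or matches nothing both keep the GPO from applying, and
# gpresult only reports the GPO as filtered out, so test the text first.
$query = 'SELECT * FROM Win32_OperatingSystem WHERE ' +
         'Caption = "Microsoft Windows 7 Enterprise" OR ' +
         'Caption = "Microsoft Windows Vista Enterprise"'
$match  = Get-WmiObject -Query $query -ErrorAction Stop
$actual = (Get-WmiObject Win32_OperatingSystem).Caption
if ($match) { "Filter matches this computer ('$actual')" }
else        { "Filter does NOT match this computer (caption is '$actual')" }

# Task 3, step 2 check: is the filter attached to the GPO yet?
$gpo = Get-GPO -Name 'Windows 7 and Windows Vista Security'
if ($gpo.WmiFilter) { "WMI filter assigned: $($gpo.WmiFilter.Name)" }
else                { 'No WMI filter assigned yet; assign it in GPMC (Task 3, step 2).' }

# Resulting scope: blocked state and link flags per container.
foreach ($t in $domainDn, $itOuDn) {
    $som = Get-GPInheritance -Target $t
    "{0}: inheritance blocked = {1}" -f $t, $som.GpoInheritanceBlocked
    $som.GpoLinks | Select-Object DisplayName, Enforced, Enabled
}
```

The caption is printed inside quotes so that any leading or trailing whitespace is visible; the equality comparison in the query does not tolerate it, and a mismatch of that kind is invisible in GPMC.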


Lesson 3:

Managing Group Policy Objects

GPMC provides mechanisms for backing up, restoring, migrating, and copying existing GPOs. This is very important for maintaining your Group Policy deployments in the event of error or disaster. It helps avoid manually re-creating lost or damaged GPOs, and having to again go through the planning, testing, and deployment phases. Part of your ongoing Group Policy operations plan should include regular backups of all GPOs.

GPMC also provides for copying and importing GPOs, both from the same domain and across domains.

Objectives

After completing this lesson, you will be able to:

• Describe various GPO management tasks.

• Describe the use of Starter GPOs.

• Use Windows PowerShell to manage GPOs.

• Describe how to delegate GPO administration.


GPO Management Tasks

Key Points

Like critical data and Active Directory-related resources, you must back up GPOs to protect the integrity of AD DS and GPOs. GPMC not only provides the basic backup and restore options, but also provides additional control over GPOs for administrative purposes. Options for managing GPOs include the following:

Backing Up GPOs

You can back up GPOs individually or as a whole with GPMC. You must provide only a backup location, which can be any valid local or shared folder. You must have Read permission on the GPO to back it up. Every time you perform a backup, a new backup version of the GPO is created, which provides a historical record.

Scripting Backups

GPMC includes a number of built-in scripts to assist in automating many routine administration tasks. You can find them in the Program Files\GPMC\Scripts folder, and can use the BackupAllGPOs.wsf script to automate GPO backups.

Restoring Backed Up GPOs

You can restore any version of a GPO. If one has become corrupt or deleted, you can restore any of the historical versions of that GPO. The restore interface provides the ability for you to view the settings stored in the backed-up version before restoring it.

Importing GPO Settings from a Backed Up GPO

You can import policy settings from one GPO into another. Importing a GPO allows you to transfer settings from a backed up GPO to an existing GPO. Importing a GPO transfers only the GPO settings. The import process does not import GPO links. Security principals defined in the source may need to be migrated to the target.


Note: It is not possible to merge imported settings with the current target GPO settings; the imported settings will overwrite all existing settings.

Copying GPOs

You can copy GPOs by using GPMC, both in the same domain and across domains. A copy operation copies an existing, live GPO to the desired destination domain. A new GPO always gets created during this process. The new GPO is named “Copy of OldGPOName”. For example, if you copied a GPO named “Desktop”, the new version would be named “Copy of Desktop”. After the file is copied and pasted into the Group Policy Objects container, you can rename the policy. The destination domain can be any trusted domain in which you have the rights to create new GPOs. When copying between domains, security principals defined in the source may need to be migrated to the target.

Note: It is not possible to copy settings from multiple GPOs into a single GPO.

Migration Tables

When importing GPOs or copying them between domains, you can use migration tables to modify references in the GPO that need to be adjusted for the new location. For example, you may need to replace the UNC path for folder redirection with a UNC path that is appropriate for the new user group to which the GPO will be applied. You can create migration tables ahead of time, or during the import or cross-domain copy operation.


What Is a Starter GPO?

Key Points

A Starter GPO is used as a template from which to create other GPOs within GPMC. Starter GPOs only contain Administrative Template settings. You may use a Starter GPO to provide a starting point for new GPOs created in your domain. The Starter GPO may already contain specific settings that are recommended best practices for your environment. Starter GPOs can be exported to and imported from cabinet (.cab) files to make distribution to other environments simple and efficient.

GPMC stores Starter GPOs in a folder named StarterGPOs, which is located in SYSVOL.

Preconfigured Starter GPOs from Microsoft are available for Windows client operating systems. These Starter GPOs contain Administrative Template settings that reflect Microsoft recommended best practices for the configuration of the client environment.

Note: Windows Server 2008 R2 comes pre-loaded with client operating system GPOs for Windows XP and Windows Vista. If you are using the initial release of Windows Server 2008, you will have to download the Starter GPOs from the Microsoft website.


Using Windows PowerShell to Manage GPOs

Key Points

Group Policy in Windows Server 2008 R2 provides support for Windows PowerShell. You can use the Windows PowerShell Group Policy cmdlets to automate many of the same tasks for domain-based GPOs that you perform in the user interface by using GPMC.

To help you complete these tasks, 25 Group Policy cmdlets are provided in Windows Server 2008 R2. Each cmdlet is a simple, single-function command-line tool. By using combinations of cmdlets, you can automate more complex tasks. You can also combine actions with scheduled tasks to ensure that specific Group Policy management tasks occur when you want them to. For example, you can back up a GPO, output the result to a file, and then append the file every time you perform a backup. This creates a report for every scheduled backup.

Note: To use the Windows PowerShell Group Policy cmdlets, you must be running Windows Server 2008 R2 either on a domain controller or on a member server that has the GPMC installed, or Windows 7 with Remote Server Administration Tools (RSAT) installed. RSAT includes GPMC. You must also import the Group Policy module before you use the cmdlets, at the beginning of every script that uses them, and at the beginning of every Windows PowerShell session.

To import the Group Policy Module for Windows PowerShell, run the following cmdlet from the Windows PowerShell prompt.

Import-Module GroupPolicy -Verbose

The Group Policy Module for Windows PowerShell includes the following cmdlets.

Cmdlet Name                  Description
Backup-GPO                   Backs up one GPO or all the GPOs in a domain
Copy-GPO                     Copies a GPO
Get-GPInheritance            Retrieves Group Policy inheritance information for a specified domain or OU
Get-GPO                      Gets one GPO or all the GPOs in a domain
Get-GPOReport                Generates a report in either XML or HTML format for a specified GPO or for all GPOs in a domain
Get-GPPermissions            Gets the permission level for one or more security principals on a specified GPO
Get-GPPrefRegistryValue      Retrieves one or more registry preference items under either Computer Configuration or User Configuration in a GPO
Get-GPRegistryValue          Retrieves one or more registry-based policy settings under either Computer Configuration or User Configuration in a GPO
Get-GPResultantSetOfPolicy   Outputs the Resultant Set of Policy (RSoP) information to a file, for a user, a computer, or both
Get-GPStarterGPO             Gets one Starter GPO or all Starter GPOs in a domain
Import-GPO                   Imports the Group Policy settings from a backed up GPO into a specified GPO
New-GPLink                   Links a GPO to a site, domain, or OU
New-GPO                      Creates a new GPO
New-GPStarterGPO             Creates a new Starter GPO
Remove-GPLink                Removes a GPO link from a site, domain, or OU
Remove-GPO                   Deletes a GPO
Remove-GPPrefRegistryValue   Removes one or more registry preference items from either Computer Configuration or User Configuration in a GPO
Remove-GPRegistryValue       Removes one or more registry-based policy settings from either Computer Configuration or User Configuration in a GPO
Rename-GPO                   Assigns a new display name to a GPO
Restore-GPO                  Restores one GPO or all GPOs in a domain from one or more GPO backup files
Set-GPInheritance            Blocks or unblocks inheritance for a specified domain or OU
Set-GPLink                   Sets the properties of the specified GPO link
Set-GPPermissions            Grants a level of permissions to a security principal for one GPO or for all the GPOs in a domain
Set-GPPrefRegistryValue      Configures a registry preference item under either Computer Configuration or User Configuration in a GPO
Set-GPRegistryValue          Configures one or more registry-based policy settings under either Computer Configuration or User Configuration in a GPO
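The scheduled backup with an appended report that the Key Points describe can be built from Backup-GPO and Out-File. The script below is an added example, not code from the handbook or from the GPMC script library. It assumes a backup root of D:\GPOBackups, a report file D:\GPOBackups\backup-log.txt, and that the script is saved as D:\GPOBackups\Backup-AllGPOs.ps1 when registered as a task.

```powershell
# Added example (not from the handbook): back up every GPO in the domain to a
# dated folder and append a per-GPO summary to a running report file.
# Assumed paths: D:\GPOBackups and D:\GPOBackups\backup-log.txt.
Import-Module GroupPolicy

$root    = 'D:\GPOBackups'                      # assumed backup root
$logFile = Join-Path $root 'backup-log.txt'     # assumed report file
$stamp   = Get-Date -Format 'yyyy-MM-dd_HHmm'
$target  = Join-Path $root $stamp               # one folder per run keeps history

New-Item -ItemType Directory -Path $target -Force | Out-Null

# Backup-GPO -All returns one GpoBackup object per GPO: DisplayName, GpoId
# (the GPO's GUID) and Id (this backup's GUID). Failures are collected in
# $errs so one bad GPO does not abort the whole run.
$errs    = @()
$backups = @(Backup-GPO -All -Path $target -Comment "Scheduled backup $stamp" `
                -ErrorAction SilentlyContinue -ErrorVariable errs)

# Append this run's results to the report; the file grows into a backup history.
"==== $stamp : $($backups.Count) GPO(s) backed up to $target ====" |
    Out-File -FilePath $logFile -Append -Encoding UTF8
$backups |
    ForEach-Object { "{0}`t{1}`t{2}" -f $_.DisplayName, $_.GpoId, $_.Id } |
    Out-File -FilePath $logFile -Append -Encoding UTF8
foreach ($e in $errs) {
    "ERROR`t$($e.Exception.Message)" | Out-File -FilePath $logFile -Append -Encoding UTF8
}
if ($errs.Count -gt 0) { exit 1 }   # non-zero exit so the scheduled task shows the failure

# To run this nightly, register it once with schtasks.exe under an account that
# has Read permission on every GPO (assumed account CONTOSO\svc-gpobackup):
#   schtasks /Create /TN "GPO Backup" /SC DAILY /ST 02:00 /RU CONTOSO\svc-gpobackup /RP * ^
#     /TR "powershell.exe -NoProfile -File D:\GPOBackups\Backup-AllGPOs.ps1"
```

Writing each run into its own dated folder rather than a single path keeps the GPMC "Manage Backups" history intact, and the non-zero exit code lets the Task Scheduler history show a failed backup instead of a silently incomplete one.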


Options for Delegating Control of GPOs

Key Points

Delegation of GPO-related tasks allows the administrative workload to be distributed across the enterprise. One group can be tasked with creating and editing GPOs, while another group performs reporting and analysis duties. A third group might be in charge of creating WMI filters.

The following Group Policy tasks can be independently delegated:

• Creating GPOs

• Editing GPOs

• Managing Group Policy links for a site, domain, or OU

• Performing Group Policy Modeling analyses on a given domain or OU

• Reading Group Policy Results data for objects in a given domain or OU

• Creating WMI filters in a domain

The Group Policy Creator Owners group lets its members create new GPOs, and edit or delete GPOs that they have created.

Group Policy default permissions

By default, the following users and groups have Full Control over GPO management:

• Domain Admins

• Enterprise Admins

• Creator Owner

• Local System

The Authenticated User group has Read and Apply Group Policy permissions.


Creating GPOs

By default, only Domain Admins, Enterprise Admins, and Group Policy Creator Owners can create new GPOs. You can use two methods to grant a group or user this right:

• Add the user or group to the Group Policy Creator Owners group.

• Explicitly grant the group or user permission to create GPOs by using GPMC.

Editing GPOs

To edit a GPO, the user must have both Read and Write access to the GPO. You can grant this permission by using the GPMC.

Managing GPO Links

The ability to link GPOs to a container is a permission that is specific to that container. In GPMC, you can manage this permission by using the Delegation tab on the container. You can also delegate it through the Delegation of Control Wizard in Active Directory Users and Computers.

Group Policy Modeling and Group Policy Results

You can delegate the ability to use the reporting tools in the same fashion, through GPMC or the Delegation of Control Wizard in Active Directory Users and Computers.

Create WMI Filters

You can delegate the ability to create and manage WMI filters in the same fashion, through GPMC or the Delegation of Control Wizard in Active Directory Users and Computers.
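Delegating edit rights on a GPO, and auditing who already holds them, is the part of this delegation model that the Group Policy cmdlets cover. The script below is an added example, not from the handbook; it assumes a domain group named GPO-Editors and the IT Favorites GPO from the labs. The container-level delegations (link management, Modeling and Results, WMI filter creation) are not covered by the cmdlets in the Lesson 3 table and remain GPMC or Delegation of Control Wizard tasks.

```powershell
# Added example (not from the handbook): grant a group edit rights on one GPO,
# then list every trustee that can edit or fully control any GPO in the domain.
# Assumed: domain group GPO-Editors; GPO IT Favorites.
Import-Module GroupPolicy

$gpoName = 'IT Favorites'
$editors = 'GPO-Editors'      # assumed domain group

# GpoEdit = Read + Write on the GPO, without delete or ACL changes
# (GpoEditDeleteModifySecurity is the Full Control equivalent).
Set-GPPermissions -Name $gpoName -TargetName $editors -TargetType Group `
    -PermissionLevel GpoEdit | Out-Null

# Read the GPO's ACL back.
Get-GPPermissions -Name $gpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, TrusteeType, Permission

# Audit: which trustees can modify any GPO in the domain? Anything outside
# Domain Admins, Enterprise Admins, SYSTEM and the intended delegates is worth a look.
$editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity'
Get-GPO -All | ForEach-Object {
    $g = $_
    Get-GPPermissions -Guid $g.Id -All |
        Where-Object { $editLevels -contains $_.Permission.ToString() } |
        ForEach-Object {
            New-Object PSObject -Property @{
                GPO        = $g.DisplayName
                Trustee    = $_.Trustee.Name
                Permission = $_.Permission
            }
        }
} | Sort-Object GPO, Trustee | Format-Table GPO, Trustee, Permission -AutoSize
```

The audit loop is the check to run after any delegation change: a principal with GpoEdit on a GPO linked at the domain level effectively controls every computer and user in that scope, so edit rights deserve the same review as membership in Domain Admins.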


Lab B: Managing Group Policy Objects

Lab Scenario

The enterprise administrator has created a GPO deployment plan. You have been asked to create GPOs so that certain policies can be applied to all domain objects. Some policies are considered mandatory.

Note: Some of the tasks in this lab are designed to illustrate GPO management techniques and settings and may not always follow best practices.

Group Policy Requirements

• Domain users will not have access to the Run menu. The policy will apply to all users, except users in the IT OU.

• All domain computers will have a mandatory baseline security policy applied that does not display the name of the last logged on user.

• Computers running Windows 7 or Windows Vista will have additional settings applied to wait for the network at startup.

• Users in the IT OU will have the URL for Microsoft support added to their Favorites.


Exercise 1: Verifying GPO Application

In this exercise, you will test the application of GPOs to ensure that the GPOs are being applied as the design specifies. Students will log on as specific users, to verify that GPOs are being applied correctly.

The main tasks are as follows:

1. Verify that a user in the domain has the Run command removed from the Start menu.

2. Verify that a user in the IT Admin OU is receiving the correct policy.

3. Verify that the user name does not appear.

Task 1: Verify that a user in the domain has the Run command removed from the Start menu.

1. Log on to NYC-CL1 as CONTOSO\Max, with the password, Pa$$w0rd.

2. Ensure that a link to the Run menu does not appear in the Accessories folder on the Start menu.

3. Log off of NYC-CL1.

Task 2: Verify that a user in the IT OU is receiving the correct policy.

1. Log on to NYC-CL1 as CONTOSO\Ed, with the password, Pa$$w0rd.

2. Ensure that a link to the Run menu appears in the Accessories folder on the Start menu.

3. Start Internet Explorer, open the Favorites pane, and then ensure that the link to Tech Support appears. If the Set Up Windows Internet Explorer 8 dialog box opens, click Ask me later.

4. Restart NYC-CL1.

Task 3: Verify that the last logged on user name does not appear.

• After NYC-CL1 is restarted, verify that the last logged on user name does not appear.

Note: To see this information, press CTRL-ALT-DEL to see the logon screen.

Result: After completing this exercise, you will have tested and verified a GPO application.


Exercise 2: Managing GPOs

In this exercise, you will use GPMC to back up, restore, and import GPOs.

The main tasks are as follows:

1. Back up an individual policy.

2. Back up all GPOs.

3. Delete and restore an individual GPO.

4. Import a GPO.

Task 1: Back up an individual policy.

1. On NYC-DC1, open Windows Explorer and create a folder named C:\GPO Backup.

2. In GPMC, browse to the Group Policy Objects folder.

3. Right-click the Restrict Run Command policy, and then click Backup.

4. Browse to C:\GPO Backup.

5. Click Backup, and then click OK after the backup succeeds.

Task 2: Back up all GPOs.

1. Right-click the Group Policy Objects folder, and then click Back Up All.

2. Ensure that C:\GPOBackup is the backup location. Click OK.

3. Click OK after the backup succeeds.

Task 3: Delete and restore an individual GPO.

1. Right-click the IT Favorites policy, and then click Delete. Click Yes, and then click OK when the deletion succeeds.

2. Right-click the Group Policy Objects folder, and then click Manage Backups.

3. Restore the IT Favorites GPO.

4. Confirm that the IT Favorites policy appears in the Group Policy Objects folder.

Task 4: Import a GPO.

1. Create a new GPO named Import in the Group Policy Objects folder.

2. Right-click the Import GPO, and then click Import Settings.

3. In the Import Settings Wizard, click Next.

4. On the Backup GPO window, click Next.

5. Ensure the Backup folder location is C:\GPOBackup.

6. On the Source GPO screen, click Restrict Run Command, and then click Next.

Note: If more than one copy of the Restrict Run Command GPO appears, choose the newer one.


7. Finish the Import Settings wizard.

8. Click Import GPO, click the Settings tab, and then ensure that the Remove Run menu from Start Menu setting is Enabled.

Result: After completing this exercise, you will have backed up, restored, and imported GPOs.
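Tasks 3 and 4 of this exercise, and the restore and import operations described in Lesson 3, can be performed with Restore-GPO and Import-GPO. The script below is an added example, not part of the lab text. It assumes that Tasks 1 and 2 have already produced backups in C:\GPOBackup, that the domain is contoso.com, and that IT Favorites is linked to OU=IT,DC=contoso,DC=com as in Lab A.

```powershell
# Added example (not part of the 6419B lab): Exercise 2 tasks 3 and 4 with the
# Group Policy cmdlets. Assumed: backups in C:\GPOBackup, domain contoso.com,
# IT Favorites linked to OU=IT,DC=contoso,DC=com.
Import-Module GroupPolicy

$backupDir = 'C:\GPOBackup'
$itOuDn    = 'OU=IT,DC=contoso,DC=com'     # assumed

function Test-GPLinked([string]$GpoName, [string]$TargetDn) {
    [bool]((Get-GPInheritance -Target $TargetDn).GpoLinks |
           Where-Object { $_.DisplayName -eq $GpoName })
}

# Task 3: delete and restore IT Favorites. Deleting a GPO also removes its links
# (Remove-GPO -KeepLinks would leave them), and a backup holds the GPO's settings
# and security rather than the containers' links, so record the link first.
$hadLink = Test-GPLinked 'IT Favorites' $itOuDn
Remove-GPO -Name 'IT Favorites'
Restore-GPO -Name 'IT Favorites' -Path $backupDir | Out-Null   # newest backup of that name
if ($hadLink -and -not (Test-GPLinked 'IT Favorites' $itOuDn)) {
    New-GPLink -Name 'IT Favorites' -Target $itOuDn | Out-Null
}
Get-GPO -Name 'IT Favorites' | Select-Object DisplayName, Id, CreationTime, ModificationTime

# Task 4: import the Restrict Run Command backup into a GPO named Import.
# Import-GPO copies settings only (no links) and replaces what the target held;
# with -BackupGpoName the newest backup of that name is used, which matches the
# lab's "choose the newer one" note. -CreateIfNeeded creates Import if absent.
Import-GPO -BackupGpoName 'Restrict Run Command' -Path $backupDir `
    -TargetName 'Import' -CreateIfNeeded | Out-Null

# Step 8 check: "Remove Run menu from Start Menu" is the NoRun value under the
# Explorer policies key in User Configuration.
$noRun = Get-GPRegistryValue -Name 'Import' `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -ErrorAction SilentlyContinue
if ($noRun -and $noRun.Value -eq 1) { 'Import GPO: Remove Run menu from Start Menu is Enabled' }
else { 'Import GPO: NoRun not found; check which backup was imported' }
```

The link check around Restore-GPO is the practical difference between the GPMC dialog and a script: GPMC shows the restored GPO in the Group Policy Objects folder, but neither path re-creates links, and a restored GPO that is not linked anywhere applies to nothing.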


Lesson 4

Evaluating and Troubleshooting Group PolicyProcessing

System administrators need to know how Group Policy settings affect computers and users in a managedenvironment. This information is essential when planning Group Policy for a domain, and whendebugging existing GPOs. Obtaining the information can be a complex task when you consider the manycombinations of sites, domains, and organizational units that are possible, and the many types of Group

Policy settings that can exist. Further complicating the task are security-group filtering, and GPOinheritance, blocking, and enforcement. The Group Policy Results (GPResult.exe) command-line tool andGPMC provide reporting features to simplify these tasks.

Troubleshooting the unexpected or undesired application of GPOs can be an equally difficult task. Windows Server 2008 provides several tools to assist in the troubleshooting of GPO application.

Objectives

After completing this lesson, you will be able to:

• Describe Group Policy reporting.

• Determine GPO processing by using Group Policy modeling.

• Evaluate Group Policy processing.

• Describe common scenarios for troubleshooting Group Policy processing.

• Describe a general process for troubleshooting Group Policy.

• List the tools used for troubleshooting Group Policy.

• Troubleshoot Group Policy by using diagnostic tools.


What Is Group Policy Reporting?

Key Points

Group Policy Reporting is a feature of Group Policy that makes implementation and troubleshooting easier. Two main reporting tools are the GPResult.exe command-line tool, and the Group Policy Results Wizard in GPMC. The Group Policy Results feature allows administrators to determine the resultant policy set that was applied to a given computer or user, or to the computer and user who logged on to that computer. Although these tools are similar, each provides different information.

GPResult.exe

Intended for administrators, the GPResult.exe command-line tool verifies all policy settings in effect for a specific user, computer, or user and computer combination. Administrators can run GPResult on any remote computer within their management scope.

Syntax

gpresult [/s Computer [/u Domain\User /p Password]] [/user TargetUserName] [/scope {user|computer}] [/v] [/z]

Parameters

/s Computer: Specifies the name or IP address of a remote computer. (Do not use backslashes.) The default is the local computer.

/u Domain\User: Runs the command with the account permissions of the user that is specified by User or Domain\User. The default is the permissions of the current logged-on user on the computer that issues the command.

/p Password: Specifies the password of the user account that is specified in the /u parameter.

/user TargetUserName: Specifies the user name of the user whose Resultant Set of Policy (RSoP) data is to be displayed.


/scope {user|computer}: Displays either user or computer results. Valid values for the /scope parameter are user or computer. If you omit the /scope parameter, gpresult displays both user and computer settings.

/v: Specifies that the output display verbose policy information.

/z: Specifies that the output displays all available information about Group Policy. Because this parameter produces more information than the /v parameter, you should redirect the output to a text file when you use this parameter (for example, gpresult /z >policy.txt).

/? : Displays help at the command prompt.

GPResult Output

When you run the GPResult /r command from the command prompt, Windows displays three different categories of information: operating system information, computer settings, and user settings.

By default, GPResult returns settings in effect on the computer on which GPResult is run. In the operating system section, GPResult provides:

• Version information.

• Domain and site information.

• User profile information.

• Slow link status.

In the computer and user sections, GPResult provides:

• Information about the last time policies were applied.

• Group Policy source.

• Slow link thresholds.

• GPOs that are applied, and their application order.

• GPOs that were not applied.

• Security group membership of users and computers.

GPResult has various switches available to refine the command for specific information. For example, it can be run for a specific user, computer, or both. It can also be run in verbose mode to provide more information.

Group Policy Results

The Group Policy Results tool is useful for troubleshooting Group Policy or verifying that all of the expected settings were applied. You can use the Group Policy Results Wizard in GPMC to get detailed reports of which policies are applied to users and computers, and you can then print these reports or save them as HTML files to provide documentation. The results are gathered by querying the WMI-instrumented Group Policy logging facility on a computer that processed Group Policy. The wizard returns the settings that were actually applied, including local Group Policy settings.

Requirements for Group Policy Results

You must meet the following requirements to use the Group Policy Results Wizard:

If testing a particular user's settings on a particular computer, that user must have logged on to that computer at least once. If the user has not logged on to the computer since Group Policy settings have changed, you will see only the settings that were in effect the last time the user logged on.


If connecting to a remote computer, the remote procedure call (RPC) port (135) must be open on the remote computer. You can accomplish this with a Group Policy setting that allows remote administration.
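The following PowerShell script is an added example, not code from the course, covering the GPResult output and the RPC requirement described above. Test-RpcEndpoint checks that TCP 135 on a remote computer answers before a remote query is attempted, Invoke-GpResult wraps gpresult.exe with the /s, /user and /scope switches, and ConvertFrom-GpResultText turns the "gpresult /r" text into objects listing the applied and filtered-out GPOs per scope. It assumes the Windows Vista / Windows Server 2008 text layout shown in the constructed sample at the end of the block (the section titles are matched literally); the GPO names TestC and the sample content are invented for the offline run.

```powershell
# Added example, not course code: helpers for the GPResult material above.
# Test-RpcEndpoint checks TCP 135 (the RPC requirement for remote queries),
# Invoke-GpResult wraps gpresult.exe, and ConvertFrom-GpResultText turns the
# "gpresult /r" text into objects. Assumption: the Windows Vista / Server 2008
# output layout shown in the constructed sample at the end (section titles are
# matched literally, so adjust them if your build prints them differently).

function Test-RpcEndpoint {
    param([string]$Computer, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Computer, 135, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)        # throws if the port refused the connection
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Invoke-GpResult {
    param([string]$Computer = $env:COMPUTERNAME, [string]$TargetUser, [string]$Scope)
    if ($Computer -ne $env:COMPUTERNAME -and -not (Test-RpcEndpoint $Computer)) {
        throw "TCP 135 on $Computer is not reachable; allow remote administration first."
    }
    $gpArgs = @('/r', '/s', $Computer)
    if ($TargetUser) { $gpArgs += @('/user', $TargetUser) }
    if ($Scope)      { $gpArgs += @('/scope', $Scope) }   # 'user' or 'computer'
    (& gpresult.exe @gpArgs 2>&1) -join "`n"
}

function ConvertFrom-GpResultText {
    param([string]$Text)
    $scope = ''; $section = ''; $last = $null; $entries = @()
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line -match '^-+$') { continue }
        if     ($line -eq 'COMPUTER SETTINGS') { $scope = 'Computer'; $section = ''; continue }
        elseif ($line -eq 'USER SETTINGS')     { $scope = 'User';     $section = ''; continue }
        elseif ($line -eq 'Applied Group Policy Objects')          { $section = 'Applied';    continue }
        elseif ($line -like 'The following GPOs were not applied*') { $section = 'NotApplied'; continue }
        elseif ($line -like 'The * is a part of the following*')    { $section = '';           continue }
        elseif ($line -match '^Filtering:\s*(.+)$') {
            if ($last) { $last.Reason = $matches[1] }   # reason for the GPO named just above
            continue
        }
        if ($section -eq '') { continue }               # OS and timing lines, not GPO names
        $last = New-Object PSObject -Property @{ Scope = $scope; Gpo = $line; Status = $section; Reason = '' }
        $entries += $last
    }
    $entries
}

# Constructed sample of "gpresult /r" output for an offline run (invented
# content in the shape of the lab machines above; not real output).
$SampleGpResult = @'
RSOP data for CONTOSO\Ed on NYC-CL1 : Logging Mode
---------------------------------------------------
OS Configuration:            Member Workstation
Site Name:                   Default-First-Site-Name
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
    Last time Group Policy was applied: 9/7/2011 at 9:58:00 PM
    Group Policy was applied from:      NYC-DC1.contoso.com

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        TestB

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        TestA

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        TestC
            Filtering:  Denied (Security)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
'@

ConvertFrom-GpResultText $SampleGpResult | Format-Table Scope, Status, Gpo, Reason -AutoSize
# Live use, same shape: ConvertFrom-GpResultText (Invoke-GpResult -Computer NYC-CL1 -Scope user)
```

On the sample, the parser reports TestB and the Default Domain Policy as applied in the computer scope, TestA in the user scope, and TestC as not applied with the reason Denied (Security), which is the same information the Group Policy Results Wizard shows in its summary. The "Filtering:" reasons are the quickest way to tell a security-filtering or WMI-filtering problem from a link or inheritance problem.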


What Is Group Policy Modeling?

Key Points

Another method for testing Group Policy is to use the Group Policy Modeling Wizard in GPMC to model environment changes before you actually make them. The Group Policy Modeling Wizard calculates the simulated net effect of GPOs. Group Policy Modeling also simulates such things as security group membership, WMI filter evaluation, and the effects of moving user or computer objects to a different OU or site. You can also specify slow-link detection, loopback processing, or both when using the Group Policy Modeling Wizard.

The Group Policy Modeling process actually runs on a domain controller in your Active Directory domain. Because the wizard never queries the client computer, it cannot take local policies into account.


Demonstration: How to Evaluate Group Policy Processing

Key Points

In this demonstration, you will see how to:

• Use GPResult.exe and the Group Policy Reporting Wizard.

• Use the Group Policy Modeling Wizard.

Demonstration Steps:

1. Run GPResult.exe from the command prompt.

2. Run GPResult.exe from the command prompt and output the results to an HTML file.

3. Open GPMC.

4. Run the Group Policy Reporting Wizard and view the results.

5. Run the Group Policy Modeling Wizard and view the results.


Scenarios for Group Policy Troubleshooting

Key Points

The two main issues with Group Policy processing are:

• Policies are not applied to the client.

• Policies are applied, but the results are inconsistent or incorrect.

There may be many reasons why policies are not applied or are applied incorrectly, including the following:

• AD DS replication issues may be preventing all domain controllers from receiving policies or policy updates.

• GPOs may be linked incorrectly to containers.

• Slow network conditions may exist.

• Policy filtering may be set.

• Inheritance or enforcement settings may be applied.

• The loopback setting may be turned on.

• Local computer policies may be affecting the results.

Group Policy Phases

Group Policy has two distinct phases:

Core Group Policy Processing

When a client begins to process Group Policy, it must determine whether it can reach a domain controller, whether any GPOs changed, and what policy settings (based on client side extension) to process. The core Group Policy engine performs this processing during the initial phase.


Client Side Extension (CSE) Processing

The core Group Policy engine calls the required CSEs to process the settings that apply to the client. A CSE normally processes its settings only when a GPO has changed since the last refresh. The exception is security policies, which are refreshed every 16 hours, regardless of whether they have changed.

Note: It is important to understand that Group Policy is normally a client-side event. The client pulls policies; the server does not push them. However, there are methods by which you can force the client to pull the policies.


Troubleshooting Group Policy

Key Points

Group Policy issues may be symptoms of unrelated issues, such as network connectivity, authentication problems, domain controller availability, or Domain Name Service (DNS) configuration errors.

Preparing for Troubleshooting

You should begin the troubleshooting process by determining the scope of the issue. For example, is the issue widespread, or affecting a single client only? If the issue affects a single client, you should check for physical issues, such as incorrect configurations, or hardware or operating system failures. These issues are usually easy to diagnose.

After you eliminate these causes, your first real troubleshooting step is to check Event Viewer entries, Windows logs, and application and service logs, which can provide valuable information about the root cause of issues. Log entries often direct you to the area in which to begin your investigation. After you narrow down your problem area, you can use other diagnostic tools to pursue the issue.

Troubleshooting Inheritance

The following four settings can be used to alter the default inheritance of GPO processing:

• Block policy inheritance

• GPO enforcement

• GPO filtering of the ACL

• Windows WMI filters

If none of the users or computers in an OU or entire subtree of OUs are receiving policies that were linked to higher levels, it may be because of inheritance blocking.

The GPMC interface provides a visual indicator, a blue exclamation mark, when inheritance is blocked.


Group Policy results reporting (RSoP) lists the GPOs that are being applied, and the GPOs that are being blocked.

You can run the Gpresult command from the target computer to assess whether any of these settings are prohibiting the policies from applying.

If inheritance is blocked incorrectly, removing the setting returns Group Policy processing to normal.

Troubleshooting Filtering

Group Policy filtering determines which users and computers will receive the GPO settings. Group Policy object (GPO) filtering is based on two factors:

• Security filtering on the GPO

• WMI filters on the GPO

Group Policy filtering may appear as inconsistent application of policies in an OU. If some users, groups, or computers have filtering applied, they will not receive policies that other users in the same OU receive.

The following steps can be taken to troubleshoot potential filtering-related issues:

• To check filtering on a GPO, in GPMC, open the Group Policy Objects node, select the GPO you are troubleshooting, and then, in the right pane, select the Scope tab. The Security Filtering and WMI Filtering panels show the current filtering configuration.

• To see the exact set of permissions for users, groups, and computers, select the Delegation tab, and then click Advanced. Select the security group, user, or computer you want to review.

If the policy object should be applied to the security group, user, or computer, the minimum permissions should be set to allow Read and Apply Group Policy.

Note: If a WMI filter is deleted, the links to the WMI filter are not automatically deleted. If there is a link to a non-existent WMI filter, the GPO with that link will not be processed until the link is removed or the filter is restored.
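The script below is an added example, not course code, and automates the two filtering checks just described: which trustees hold both Read and Apply Group Policy on a GPO, and which GPOs link to a WMI filter that no longer exists (the situation in the note above). It reads Active Directory directly over ADSI so it runs on Windows Server 2008 without the GroupPolicy PowerShell module. The object locations and attribute formats are assumptions taken from the AD schema rather than from the course text: GPO containers under CN=Policies,CN=System,<domain DN>, the gPCWQLFilter attribute in the form "[<dns domain>;{GUID};0]", WMI filters stored as msWMI-Som objects under CN=SOM,CN=WMIPolicy,CN=System,<domain DN> with the same {GUID} as their CN, and the Apply Group Policy extended right GUID edacfd8f-ffb3-11d1-b41d-00a0c968f939. The helper names (Get-GpoSecurityFiltering, Get-DanglingWmiFilterLinks) are mine.

```powershell
# Added example, not course code, for the inheritance and filtering checks
# above (and the WMI filter note). Reads security filtering and WMI links from
# AD over ADSI, so it needs no GroupPolicy PowerShell module. Assumptions from
# the AD schema, not from the text: GPO containers sit under
# CN=Policies,CN=System,<domain DN>; gPCWQLFilter holds "[<dns domain>;{GUID};0]";
# WMI filters are msWMI-Som objects under CN=SOM,CN=WMIPolicy,CN=System,<domain DN>
# with CN = {GUID}; "Apply Group Policy" is the extended right
# edacfd8f-ffb3-11d1-b41d-00a0c968f939.

$ApplyGroupPolicyRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

function Get-DomainDn { ([ADSI]'LDAP://RootDSE').defaultNamingContext }

function New-GpoSearcher {
    param([string]$Filter, [string]$DomainDn)
    $s = New-Object DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://CN=Policies,CN=System,$DomainDn"
    $s.Filter = $Filter
    $s.PageSize = 500           # paged results, in case the domain has many GPOs
    $s
}

function Get-GpoSecurityFiltering {
    # Who passes security filtering on one GPO: needs Allow Read AND Apply Group Policy.
    param([string]$DisplayName, [string]$DomainDn = (Get-DomainDn))
    $hit = (New-GpoSearcher "(&(objectClass=groupPolicyContainer)(displayName=$DisplayName))" $DomainDn).FindOne()
    if (-not $hit) { throw "GPO '$DisplayName' not found in $DomainDn" }
    $rules = $hit.GetDirectoryEntry().ObjectSecurity.GetAccessRules($true, $true, [Security.Principal.NTAccount])
    $byTrustee = @{}
    $genericRead = [int][DirectoryServices.ActiveDirectoryRights]::GenericRead
    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        $who = $r.IdentityReference.Value
        if (-not $byTrustee.ContainsKey($who)) { $byTrustee[$who] = @{ Read = $false; Apply = $false } }
        # GPMC's "Read" is GenericRead; any of its component rights counts here.
        if (([int]$r.ActiveDirectoryRights -band $genericRead) -ne 0) { $byTrustee[$who].Read = $true }
        if ($r.ObjectType -eq $ApplyGroupPolicyRight) { $byTrustee[$who].Apply = $true }
    }
    foreach ($who in $byTrustee.Keys) {
        $p = $byTrustee[$who]
        New-Object PSObject -Property @{ Gpo = $DisplayName; Trustee = $who; Read = $p.Read
                                         Apply = $p.Apply; PassesFilter = ($p.Read -and $p.Apply) }
    }
}

function Get-DanglingWmiFilterLinks {
    # GPOs whose WMI filter link points at a filter that no longer exists.
    param([string]$DomainDn = (Get-DomainDn))
    $som = New-Object DirectoryServices.DirectorySearcher
    $som.SearchRoot = [ADSI]"LDAP://CN=SOM,CN=WMIPolicy,CN=System,$DomainDn"
    $som.Filter = '(objectClass=msWMI-Som)'
    $existing = @{}                                   # PowerShell hashtables are case-insensitive
    foreach ($f in $som.FindAll()) { $existing[[string]$f.Properties['cn'][0]] = $true }

    $gpos = New-GpoSearcher '(&(objectClass=groupPolicyContainer)(gPCWQLFilter=*))' $DomainDn
    foreach ($g in $gpos.FindAll()) {
        $link = [string]$g.Properties['gpcwqlfilter'][0]   # "[contoso.com;{GUID};0]"
        if ($link -notmatch '\{[0-9A-Fa-f-]+\}') { continue }
        $filterId = $matches[0]
        if (-not $existing.ContainsKey($filterId)) {
            New-Object PSObject -Property @{
                Gpo       = [string]$g.Properties['displayname'][0]
                WmiFilter = $filterId
                Effect    = 'filter missing: GPO is not processed until the link is removed'
            }
        }
    }
}

# Usage:
# Get-GpoSecurityFiltering -DisplayName 'TestA' | Format-Table Trustee, Read, Apply, PassesFilter -AutoSize
# Get-DanglingWmiFilterLinks | Format-Table Gpo, WmiFilter, Effect -AutoSize
```

A trustee that shows Apply but not Read (or the reverse) is the usual cause of a GPO that appears in the Scope tab yet never applies; the Delegation tab's Advanced view shows the same ACL the script reads. The GPO display name is inserted into an LDAP filter as-is, so names containing parentheses or backslashes would need escaping.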

Troubleshooting Replication

In a domain that contains more than one domain controller, Group Policy information takes time to propagate or replicate from one domain controller to another.

• Replication issues are most noticeable in remote sites with slow connections where there is long replication latency.

• The GPOTool can check for consistency of policies across all domain controllers. Another tool is Repadmin, which can provide information about Group Policy synchronization status and general replication.

• After you determine that replication is the issue, you must determine if the problem is with the FRS or AD DS replication.

• A simple test for SYSVOL replication is to put a small test file into the SYSVOL directory, and see if it replicates to other domain controllers.

• Similarly, a simple way to test AD DS replication is to create a test object, such as an OU, and see if it replicates to other domain controllers.

• In many cases, just waiting for normal replication cycles to complete resolves the problem.
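As an added example (not course code) of the replication checks listed above, the script below does two things. Get-GpoVersionPerDc performs a GPOTool-style consistency check for one GPO: on every domain controller it reads the AD side of the GPO (the versionNumber attribute of the groupPolicyContainer) and the SYSVOL side (the Version= line in gpt.ini) and reports which DCs lag, which separates an AD DS replication problem from an FRS one. Test-SysvolReplication is the "small test file" check: it writes a canary file to SYSVOL on one DC and polls the others until it appears or a timeout expires. The paths and attribute names are assumptions from how Group Policy is stored, not statements from the course; the domain controller names come from the .NET ActiveDirectory API and must be passed as fully qualified names.

```powershell
# Added example, not course code: GPOTool-style version check plus the SYSVOL
# canary-file test described above. Assumptions: GPO objects sit under
# CN=Policies,CN=System,<domain DN> and carry versionNumber; each DC exposes
# \\<dc>\SYSVOL\<dns domain>\Policies\{<GPO GUID>}\gpt.ini with a "Version=" line;
# DC names are the FQDNs that the .NET Domain.DomainControllers collection returns.

function Get-GpoVersionPerDc {
    param([string]$DisplayName)
    $domain   = [DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $dcs      = $domain.DomainControllers | ForEach-Object { $_.Name }

    # Resolve the GPO's GUID once; each DC's copy is read separately below.
    $searcher = New-Object DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Policies,CN=System,$domainDn"
    $searcher.Filter = "(&(objectClass=groupPolicyContainer)(displayName=$DisplayName))"
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "GPO '$DisplayName' not found" }
    $guid = [string]$hit.Properties['cn'][0]             # "{...}"

    foreach ($dc in $dcs) {
        $adVersion = $null; $sysvolVersion = $null; $note = ''
        try {
            # Bind to this DC explicitly so we read its replica, not whichever DC answers.
            $obj = [ADSI]"LDAP://$dc/CN=$guid,CN=Policies,CN=System,$domainDn"
            $adVersion = [int]$obj.versionNumber.Value
        } catch { $note = "AD read failed: $($_.Exception.Message)" }

        $ini = "\\$dc\SYSVOL\$($domain.Name)\Policies\$guid\gpt.ini"
        if (Test-Path $ini) {
            $line = Get-Content $ini | Where-Object { $_ -like 'Version=*' } | Select-Object -First 1
            if ($line) { $sysvolVersion = [int]($line -replace '^Version=', '') }
        } else { $note = ($note + " gpt.ini missing on $dc").Trim() }

        New-Object PSObject -Property @{
            Gpo = $DisplayName; DC = $dc; AdVersion = $adVersion; SysvolVersion = $sysvolVersion
            InSync = ($adVersion -ne $null -and $adVersion -eq $sysvolVersion); Note = $note
        }
    }
}

function Test-SysvolReplication {
    # Write a canary into SYSVOL on $SourceDc and wait for it on the other DCs.
    param([string]$SourceDc, [int]$TimeoutSec = 300)
    $domain = [DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $name   = "repltest-$([Guid]::NewGuid().ToString('N')).txt"
    $rel    = "SYSVOL\$($domain.Name)\scripts\$name"
    Set-Content -Path "\\$SourceDc\$rel" -Value (Get-Date -Format o)
    $others   = $domain.DomainControllers | ForEach-Object { $_.Name } | Where-Object { $_ -ne $SourceDc }
    $pending  = @($others)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline) {
        $pending = @($pending | Where-Object { -not (Test-Path "\\$_\$rel") })
        if ($pending.Count -gt 0) { Start-Sleep -Seconds 10 }
    }
    Remove-Item "\\$SourceDc\$rel" -ErrorAction SilentlyContinue   # clean up the canary
    New-Object PSObject -Property @{ Canary = $name; NotReplicatedTo = $pending }
}

# Usage:
# Get-GpoVersionPerDc -DisplayName 'TestA' | Format-Table DC, AdVersion, SysvolVersion, InSync, Note -AutoSize
# Test-SysvolReplication -SourceDc 'NYC-DC1.contoso.com' -TimeoutSec 600
```

Reading the output: if AdVersion differs between DCs, AD DS replication is behind; if AdVersion is the same everywhere but SysvolVersion differs, FRS (or DFS-R) is behind; if both agree on every DC and the client still does not apply the GPO, replication is not the cause and the filtering and inheritance checks earlier in this lesson are the next step. Clients compare the two version numbers themselves, so a mismatch on the DC a client happens to use is enough to make that client skip the GPO.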


Troubleshooting Policy Refresh

Group Policy refresh refers to a client's periodic retrieval of GPOs.

• During Group Policy refresh, the client contacts an available domain controller. If any GPOs changed, the domain controller provides a list of all the appropriate GPOs.

• By default, GPOs are processed at the computer only if the version number of at least one GPO has changed on the domain controller that the computer is accessing.

• Group Policy reporting provides information about when the last Group Policy refresh occurred, on the summary page. The report also tells you if the loopback setting is enabled.


Tools Used for Troubleshooting Group Policy

Key Points

There are a number of diagnostic tools and logs that you can use to verify whether you can trace a problem to core Group Policy.

Group Policy Troubleshooting Tools

RSoP

RSoP is a query engine that polls existing policies and then reports the query's results. RSoP polls existing policies based on site, domain, domain controller, and OU. This is one of the main troubleshooting tools, and you can use it to reveal common problems without having to resort to any other tool.

GPResult

Similar to Group Policy reporting, the GPResult tool is a command-line utility that displays slightly different RSoP information about the user, computer, and Group Policy affecting them. GPResult lists information that GPMC does not provide, including the domain controller that supplied the Group Policy and the slow-link threshold.

Gpupdate

This tool refreshes local and AD DS-based Group Policy settings, including security settings. You can also use it to force the client to pull policy settings from the domain controller.

Dcgpofix

This tool restores the default Group Policy objects to their original state after initial installation. You can restore the Default Domain Policy, the Default Domain Controllers Policy, or both.

GPLogView

This utility is for use with Windows Vista® and later versions, and is primarily used to export Group Policy-related events from the system and operational logs into text, HTML, or XML files. You can also run the tool with the -m switch, and monitor real-time activities. You can download this utility from the Microsoft download site.

Group Policy Management Scripts

GPMC sample scripts perform a number of different troubleshooting tasks, such as providing a list of all disabled or unlinked GPOs. If you can't find a sample script that fits your needs, you can easily modify a sample script, or create your own script. When you install GPMC, the sample scripts are automatically added.

Group Policy Logging

If other tools do not provide the information you need to identify the problems affecting Group Policy application, you can enable verbose logging, and then examine the resulting log files. Log files can be generated on both the client and the server to provide detailed information.

Prior to Windows Vista, the Userenv log file performed debug logging of the user profile and the system policy processes. Userenv logging contains information about the following:

• Group Policy settings that are not processed or not applied as expected

• Folder redirection that does not occur

• Logon scripts or scripts not applied as expected

• Default behavior occurring because a slow link was detected

• Slow logon issues

• Whether a given GPO is accessible, and if not, why access was denied

• The name of the domain controller that is accessing Sysvol

• Roaming profile issues

In addition to Userenv.log, the following CSEs provide their own verbose logs that you can enable by modifying the registry:

• Security CSE provides WinLogon.log.

• Folder Redirection CSE provides FDeploy.log.

• Software Installation CSE provides AppMgmt.log.

Windows Vista introduces a change to the way that the Group Policy engine provides information. Group Policy logging information is no longer kept in the Userenv.log file. Detailed logging now is kept in the System event log, and the Group Policy operational log. The System event log can be accessed through Event Viewer's Applications and Services Logs section. You can use GPLogView to aggregate events from the Group Policy operational logs into a single-view file that you can review later, or you can enable it to run in monitor mode to see real-time event processing.
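The following script is an added example, not course code, and reads the Group Policy operational log with Get-WinEvent to cover the same ground as GPLogView's export mode: it returns every event of the most recent policy refresh as one group, lists only the errors and warnings, and exports the log to HTML, XML or text. It assumes Windows Vista / Windows Server 2008 or later with PowerShell 2.0, the log name Microsoft-Windows-GroupPolicy/Operational, that the events of one refresh cycle share an ActivityId (the value GPLogView groups on), and that event levels 1 to 3 mean critical, error and warning; the function names are mine. Get-WinEvent has no live-monitoring mode, so the -m switch of GPLogView described above has no equivalent here.

```powershell
# Added example, not course code: Get-WinEvent over the Group Policy
# operational log as an alternative to GPLogView's export mode.
# Assumptions: Vista / Server 2008 or later with PowerShell 2.0; log name
# 'Microsoft-Windows-GroupPolicy/Operational'; one refresh cycle's events share
# an ActivityId; levels 1..3 are critical, error and warning.

$GpLog = 'Microsoft-Windows-GroupPolicy/Operational'

function Get-GpOperationalEvents {
    param([int]$Hours = 24, [string]$Computer = $env:COMPUTERNAME)
    Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = $GpLog; StartTime = (Get-Date).AddHours(-$Hours)
    } | Sort-Object TimeCreated
}

function Get-LastGpRefresh {
    # Every event of the most recent refresh cycle, in order, like one GPLogView activity.
    param([string]$Computer = $env:COMPUTERNAME, [int]$Hours = 24)
    $events = @(Get-GpOperationalEvents -Hours $Hours -Computer $Computer)
    if ($events.Count -eq 0) { return }
    $latestActivity = $events[-1].ActivityId
    $events | Where-Object { $_.ActivityId -eq $latestActivity } |
        Select-Object TimeCreated, Id, LevelDisplayName,
                      @{ n = 'Text'; e = { ($_.Message -split "`n")[0] } }   # first line only
}

function Get-GpProblems {
    # Errors and warnings only: the entries the text says to look at first.
    param([string]$Computer = $env:COMPUTERNAME, [int]$Hours = 24)
    Get-GpOperationalEvents -Hours $Hours -Computer $Computer |
        Where-Object { $_.Level -ge 1 -and $_.Level -le 3 } |
        Select-Object TimeCreated, Id, LevelDisplayName, ActivityId, Message
}

function Export-GpEvents {
    # GPLogView-style export of the last $Hours of events to html, xml or txt.
    param([string]$Path, [ValidateSet('html', 'xml', 'txt')][string]$Format = 'html', [int]$Hours = 24)
    $events = Get-GpOperationalEvents -Hours $Hours |
        Select-Object TimeCreated, Id, LevelDisplayName, ActivityId, Message
    switch ($Format) {
        'html' { $events | ConvertTo-Html -Title 'Group Policy operational log' | Out-File $Path }
        'xml'  { $events | Export-Clixml -Path $Path }
        'txt'  { $events | Format-List | Out-String -Width 200 | Out-File $Path }
    }
}

# Usage:
# Get-LastGpRefresh | Format-Table -AutoSize
# Get-GpProblems -Hours 72 | Format-List
# Export-GpEvents -Path C:\Temp\gp-events.html -Format html
```

Grouping by ActivityId matters because a busy client logs several refresh cycles per day (computer and user, periodic and triggered); reading one cycle from its start event to its end event shows which stage failed, which is what the text recommends doing before reaching for the verbose CSE logs.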


Demonstration: Using Group Policy Diagnostic Tools

Key Points

In this demonstration, you will see how to:

• Use various Group Policy Diagnostic Tools.


Lab C: Troubleshooting Group Policy


Exercise 1: Troubleshooting Incorrect Policy Settings: Scenario 1

Scenario

Users in the IT OU should not have access to the Run command on the Start menu. You will restore and link the TestA GPO to apply this setting.

The local desktop technician has escalated the following issue to the server team:

• Description of problem: No users should be able to access the Run command on the Start menu, but all users in the IT OU currently have access to the Run command.

The main tasks in this exercise are:

1. Restore the TestA GPO.

2. Link the TestA GPO to the IT OU.

3. Test the GPO.

4. Troubleshoot the GPO.

5. Resolve the issue and test the resolution.

Task 1: Restore the TestA GPO.

• On NYC-DC1, in the Group Policy Management window, restore the TestA GPO from backup. The TestA GPO is located at C:\Tools\GPOBackup.

Task 2: Link the TestA GPO to the IT OU.

• In the Group Policy Management window, link the TestA GPO to the IT OU.

Task 3: Test the GPO.

1. On NYC-CL1, log on as CONTOSO\Ed with the password Pa$$w0rd.

2. Click Start, and then notice the presence of the Run command. It should not be present.

3. Log off from NYC-CL1.

Task 4: Troubleshoot the GPO.

1. On NYC-DC1, in the Group Policy Management window, rerun the query for Ed on NYC-CL1.

2. In the report summary, under User Configuration Summary, notice that the TestA GPO is being applied.

3. On the Settings tab, under User Configuration, notice that the Add the Run command to the Start Menu setting is enabled.

Task 5: Resolve the issue and test the resolution.

1. Edit the TestA GPO.

2. In the Group Policy Management Editor window, under User Configuration, Policies, Administrative Templates, Start Menu and Taskbar, change Add the Run command to the Start Menu to Disabled, and then click OK.

3. On NYC-CL1, log on as CONTOSO\Ed, with the password Pa$$w0rd.


4. Click Start, and notice that the Run command is no longer present.

5. Do not log off from NYC-CL1.

Result: After completing this exercise, you will have resolved a Group Policy object issue.


Exercise 2: Troubleshooting Incorrect Policy Settings: Scenario 2

Scenario

You have been asked to restore the TestB GPO and link it to the Loopback OU. This GPO is designed to enhance security.

The local desktop technician has escalated the following issue to the server team:

• Description of problem: Since the application of the GPO, Ed has access to the Run command on his Start menu.

The main tasks in this exercise are:

1. Create a new OU named Loopback.

2. Restore the TestB GPO.

3. Link the TestB GPO to the Loopback OU.

4. Move NYC-CL1 to the Loopback OU.

5. Test the GPO.

6. Troubleshoot the GPO.

7. Resolve the issue and test the resolution.

Task 1: Create a new OU named Loopback.

1. On NYC-DC1, open Active Directory Users and Computers.

2. Create a new Organizational Unit under Contoso.com named Loopback.

Task 2: Restore the TestB GPO.

• On NYC-DC1, in the Group Policy Management window, restore the TestB GPO from backup. The TestB GPO is located at C:\Tools\GPOBackup.

Task 3: Link the TestB GPO to the Loopback OU.

• In the Group Policy Management window, link the TestB GPO to the Loopback OU. You may need to refresh the Group Policy Management console to view the new OU.

Task 4: Move NYC-CL1 to the Loopback OU.

• In Active Directory Users and Computers, move the NYC-CL1 computer from the Computers container to the Loopback OU.

Task 5: Test the GPO.

1. Restart NYC-CL1.

2. When the computer restarts, log on as Contoso\Ed, with the password Pa$$w0rd.

3. Click Start and notice that the Run command is present once again.

Task 6: Troubleshoot the GPO.

1. On NYC-DC1, in the Group Policy Management window, rerun the query for Ed on NYC-CL1.

2. In the summary report, under Computer Configuration, review the applied GPOs and notice that the TestB GPO has been applied.


3. On the Settings tab, under Computer Configuration , notice that loopback processing mode isenabled.

Note : Group Policy applies to the user, computer, or both in a manner that depends on where both theuser and the computer objects are located in Active Directory. However, in some cases, users may needpolicy applied to them based on the location of the computer object alone. You can use the GroupPolicy loopback feature to apply GPOs that depend only on which computer the user logs on to.

Task 7: Resolve the issue and test the resolution.1. In the Group Policy Management window, disable the link for the TestB GPO.

Note : Another alternative would be to disable loopback processing in the GPO itself, especially if therewere other settings in the GPO that you did wish to have applied.

2. Restart NYC-CL1.

3. When the computer restarts, log on as CONTOSO\Ed with the password Pa$$w0rd.

4. Click Start and notice that the Run command is no longer present.
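The same diagnosis and fix can be scripted with the Group Policy module for Windows PowerShell. The following is an added example and is not part of the 6419B lab. It assumes it runs on NYC-DC1 with GPMC installed, that the GPO is named TestB as in the lab, and that TestB is linked to an OU whose distinguished name is OU=Loopback,DC=contoso,DC=com (confirm with the LinksTo output before using the remediation lines).

```powershell
# Added example; not part of the 6419B lab. Diagnoses the loopback problem from
# Tasks 6 and 7 with the Group Policy module instead of the GPMC user interface.
# Assumptions: run on NYC-DC1 (Windows Server 2008 R2 with GPMC), the GPO is
# named TestB, and it is linked at OU=Loopback,DC=contoso,DC=com.
Import-Module GroupPolicy

$GpoName  = 'TestB'
$Computer = 'NYC-CL1'
$User     = 'CONTOSO\Ed'
$LinkDN   = 'OU=Loopback,DC=contoso,DC=com'   # assumed; check the LinksTo output below

# 1. Does the GPO configure loopback? "Configure user Group Policy loopback
#    processing mode" is stored as HKLM\Software\Policies\Microsoft\Windows\
#    System\UserPolicyMode (1 = Merge, 2 = Replace). Get-GPRegistryValue raises
#    an error when the value is not present in the GPO, which is the
#    "Not configured" case.
$key = 'HKLM\Software\Policies\Microsoft\Windows\System'
try {
    $v = Get-GPRegistryValue -Name $GpoName -Key $key -ValueName 'UserPolicyMode' -ErrorAction Stop
    $mode = switch ([int]$v.Value) { 1 { 'Merge' } 2 { 'Replace' } default { "unknown ($($v.Value))" } }
    Write-Host "Loopback in ${GpoName}: $mode"
} catch {
    Write-Host "Loopback in ${GpoName}: not configured"
}

# 2. Where is the GPO linked, and is each link enabled? Clients ignore a
#    disabled link, so this is the first thing to check after a fix.
[xml]$gpoReport = Get-GPOReport -Name $GpoName -ReportType Xml
$gpoReport.GPO.LinksTo | Select-Object SOMPath, Enabled, NoOverride | Format-Table -AutoSize

# 3. Build the same RSoP report the lab reads in GPMC. The XML form lists the
#    GPOs applied on the computer side, which is where a loopback GPO shows up.
$xmlPath  = Join-Path $env:TEMP "rsop-$Computer.xml"
$htmlPath = Join-Path $env:TEMP "rsop-$Computer.html"
Get-GPResultantSetOfPolicy -Computer $Computer -User $User -ReportType Xml  -Path $xmlPath  | Out-Null
Get-GPResultantSetOfPolicy -Computer $Computer -User $User -ReportType Html -Path $htmlPath | Out-Null
[xml]$rsop = Get-Content -Path $xmlPath
Write-Host "Computer-side GPOs applied to ${Computer}:"
$rsop.Rsop.ComputerResults.GPO |
    Select-Object Name, @{ n = 'LinkedTo'; e = { $_.Link.SOMPath } } |
    Format-Table -AutoSize

# 4. Remediation: uncomment one of the two lines.
#    a) Task 7's fix: disable the link, so nothing in TestB applies any more.
# Set-GPLink -Name $GpoName -Target $LinkDN -LinkEnabled No
#    b) The note's alternative: put loopback back to "Not configured" and keep
#       every other setting in TestB.
# Remove-GPRegistryValue -Name $GpoName -Key $key -ValueName 'UserPolicyMode'
# Then restart NYC-CL1 (or run "gpupdate /force" there) and rerun step 3.
```

Get-GPResultantSetOfPolicy queries NYC-CL1 over WMI, so the client's firewall must allow the Windows Management Instrumentation (WMI) rule group and Ed must have logged on to NYC-CL1 at least once; if either is missing, steps 1 and 2 still work because they read only the GPO.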

Result: After completing this exercise, you will have resolved a Group Policy object issue.

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager .

2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert .

3. In the Revert Virtual Machine dialog box, click Revert .

4. Repeat these steps for 6419B-NYC-CL1.


Module Review and Takeaways

Review Questions

1. What methods exist that allow you to modify the application of Group Policy settings within AD DS?

Answer: You control policy processing through link order and precedence, blocking inheritance on a container, enforcing a link so that it cannot be blocked or overridden, security filtering and WMI filtering, disabling the user or computer configuration section of a GPO, and loopback processing.

2. A user in one of your organization’s branch locations is not receiving a software deployment package that has been assigned to his computer in a GPO. Upon consulting GPMC, you discover that the GPO is linked to the proper OU containing the user’s computer and that no filtering or inheritance settings are affecting the GPO. What could be the problem?

Answer: Since the user is connecting from a branch location, the bandwidth between the user’s computer and the nearest domain controller may have been detected as a slow link (by default, anything the client measures at less than 500 kbps), and Software Installation is one of the client-side extensions that does not process over a slow link by default. Also confirm that the computer has restarted since the GPO was linked: Software Installation applies only during foreground (startup) processing, never during a background refresh, so gpupdate alone will not deliver the package.

Windows Server 2008 R2 Features Introduced in this Module

Windows Server 2008 R2 feature | Description
Group Policy module for Windows PowerShell | Automate many of the same tasks for domain-based GPOs that you perform in the user interface by using GPMC.

Tools

Tool | Use for | Where to find it
Group Policy Management Console | Managing Group Policy application in an AD DS domain. | On the Administrative Tools menu.
Group Policy module for Windows PowerShell | Automating many of the same tasks for domain-based GPOs that you perform in the user interface by using GPMC. | On the Administrative Tools menu (Windows PowerShell Modules), or Import-Module GroupPolicy in any Windows PowerShell session.
GPResult.exe | Displaying RSoP information about the user, the computer, and the Group Policy affecting them. | Run from the command line.
Gpupdate.exe | Refreshing local and AD DS-based Group Policy settings. | Run from the command line.
Dcgpofix.exe | Restoring the default Group Policy objects (Default Domain Policy and Default Domain Controllers Policy) to their original state after initial installation. | Run from the command line on a domain controller.
GPLogView | Monitoring and exporting Group Policy-related events from the System log and the Group Policy operational log. | Separate download from Microsoft; not included in Windows.


Module 10
Using Group Policy to Configure User and Computer Settings

Contents:

Lesson 1: Using Group Policy to Configure Folder Redirection and Scripts 10-3

Lab A: Using Group Policy to Configure Scripts and Folder Redirection 10-14

Lesson 2: Using Administrative Templates to Manage Users and Computers 10-17

Lab B: Configuring Administrative Templates 10-24

Lesson 3: Deploying Software Using Group Policy 10-27

Lab C: Deploying Software Using Group Policy 10-37

Lesson 4: Deploying Group Policy Preferences 10-39

Lab D: Deploying Group Policy Preferences 10-46


Module Overview

In this module, you will learn how to configure a user environment by using Group Policy. Specifically, this module provides the skills and knowledge that you need to use Group Policy to configure Folder Redirection and to use scripts. You also will learn how Administrative Templates affect Windows 7 and Windows Server® 2008, and how to deploy software by using Group Policy. This module will also describe how to use Group Policy preferences to enhance Group Policy settings.

After completing this module, you will be able to:

• Use Group Policy to configure folder redirection and scripts.

• Use Administrative Templates to manage users and computers.

• Deploy software by using Group Policy.

• Deploy Group Policy Preferences.


Lesson 1

Using Group Policy to Configure Folder Redirection and Scripts

Windows Server 2008 enables you to use Group Policy to deploy scripts to users and computers. You can also redirect folders that the user’s profile includes from the user’s local hard disk to a central server.

After completing this lesson, you will be able to:

• Describe folder redirection.

• Select the appropriate folder redirection configuration options.

• Describe security settings for redirected folders.

• Configure folder redirection.

• Describe Group Policy scripts.

• Configure scripts by using Group Policy.


What Is Folder Redirection?

Key Points

With Folder Redirection, you can easily manage and back up data. By redirecting folders, you can ensure user access to data regardless of the computers to which the users log on. Folder redirection has the following characteristics:

• When you redirect folders, you change the folder’s storage location from the local hard disk of the user’s computer to a shared folder on a network file server.

• After you redirect a folder to a file server, it still appears to the user as if it is stored on the local hard disk.

• Offline Files technology can be used in conjunction with redirection to synchronize the data in the redirected folder to the user’s local hard drive. This ensures that users have access to their data if a network outage occurs or if the user is working offline.

Advantages of Folder Redirection

There are many advantages of folder redirection, such as the following:

• Users who log on to multiple computers can access their data as long as they can access the network share.

• Offline Files allows users to access their data even if they are disconnected from the local area network (LAN).

• Data that is stored in network shares on servers is included in the server backup, which data on a local hard disk usually is not.

• Roaming profile size can be greatly reduced by redirecting data from the profile.

Question: Can you list some disadvantages of folder redirection?


Folder Redirection Configuration Options

Key Points

In a Group Policy object (GPO), the following settings are available for folder redirection: None, Basic, Advanced, and Follow the Documents folder:

• None. None is the default setting. Folder redirection is not enabled.

• Basic. Basic folder redirection is for users who must redirect their folders to a common area or users who need their data to be private.

• Advanced. Advanced redirection allows you to specify different network locations for different Active Directory security groups.

• Follow the Documents. Follow the Documents folder redirection is available only for the Pictures, Music, and Videos folders. It makes the affected folder a subfolder of the Documents folder.

If you choose Basic or Advanced, you can choose from the following target folder locations:

• Create a folder for each user under the root path. This option creates a folder in the form \\server\share\User Account Name\Folder Name. Each user has a unique path for the redirected folder to keep data private. By default, that user is granted exclusive rights to the folder, and in the case of the Documents folder, the current contents of the folder are moved to the new location.

• Redirect to the following location. This option uses an explicit path for the redirection location, so multiple users share the same path for the redirected folder. Choose this only when the folder is meant to be shared; the "grant exclusive rights" and "move contents" behavior described above still apply, and the first user to be redirected takes ownership of the common folder.

• Redirect to the local user profile location. This option moves the location of the folder to the local user profile under the Users folder.

• Redirect to the user’s home directory. This option is available only for the Documents folder.


Note: After a GPO that delivers folder redirection settings is first created and applied, users typically need two logons before redirection takes effect. Windows client operating systems since Windows XP log on with Fast Logon Optimization, which processes Group Policy asynchronously, and Folder Redirection is applied only during synchronous (foreground) processing. The first logon detects the new setting and flags the next logon to be processed synchronously, so the redirection happens at the second logon.

Question: Users in the same department often log on to different computers. They need access to their Documents folder. They also need the data to be private. Which folder redirection setting should you choose?


Security Settings for Redirected Folders

Key Points

You must manually create, share, and set permissions on the network folder that stores the redirected folders. Folder Redirection can then create each user’s redirected subfolder itself. Folder permissions are handled as follows:

• When you let Folder Redirection create the subfolders, the correct subfolder permissions are set automatically. With the default Grant the user exclusive rights setting, only the user and SYSTEM receive access to that subfolder; administrators have no access unless they take ownership, so clear this setting before the subfolders are created if administrators need access to the data.

• If you create the subfolders manually, you must set the correct permissions yourself. These permissions are illustrated on the slide.
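The root folder and share can be created with the permissions Microsoft documents for Folder Redirection roots rather than the Everyone/Full Control share used in the demonstration that follows. The following is an added example, not from the handbook; it assumes it runs elevated on the file server (NYC-DC1 in the lab), that the root is C:\Redirect shared as Redirect, and that the redirected users are members of the CONTOSO\Research group.

```powershell
# Added example; not from the 6419B handbook. Creates the redirected-folder root
# with the NTFS permissions Microsoft documents for Folder Redirection roots:
# users can only create their own subfolder, CREATOR OWNER gets the subfolder,
# administrators get the root only. Assumptions: elevated PowerShell on the
# file server, root C:\Redirect, share name Redirect, group CONTOSO\Research.
$Root      = 'C:\Redirect'
$ShareName = 'Redirect'
$UserGroup = 'CONTOSO\Research'

New-Item -Path $Root -ItemType Directory -Force | Out-Null

$FullControl    = [System.Security.AccessControl.FileSystemRights]::FullControl
$SubtreeInherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoInherit      = [System.Security.AccessControl.InheritanceFlags]::None
$InheritOnly    = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$NoPropagate    = [System.Security.AccessControl.PropagationFlags]::None
$Allow          = [System.Security.AccessControl.AccessControlType]::Allow

function New-Ace($Identity, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, $Allow)
}

$acl = Get-Acl -Path $Root
# Cut inheritance from C:\ and discard the inherited entries (for example
# BUILTIN\Users with Read on the whole tree) so the root has exactly the
# entries added below.
$acl.SetAccessRuleProtection($true, $false)

# SYSTEM: Full Control on this folder, subfolders and files.
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' $FullControl $SubtreeInherit $NoPropagate))
# Administrators: Full Control on this folder only, not on the users' subfolders.
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' $FullControl $NoInherit $NoPropagate))
# CREATOR OWNER: Full Control on subfolders and files only, so each user owns
# the subfolder that Folder Redirection creates for them.
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' $FullControl $SubtreeInherit $InheritOnly))
# The users' group: just enough on the root to create their own subfolder
# (List folder/read data + Create folders/append data, this folder only).
$UserRights = [System.Security.AccessControl.FileSystemRights]::ListDirectory -bor
              [System.Security.AccessControl.FileSystemRights]::CreateDirectories
$acl.AddAccessRule((New-Ace $UserGroup $UserRights $NoInherit $NoPropagate))
Set-Acl -Path $Root -AclObject $acl

# Share permissions: Full Control for the group; NTFS does the real gating.
# net share is used because New-SmbShare does not exist on Windows Server 2008 R2.
# /CACHE:Documents lets clients keep the redirected folders available offline.
& net share "$ShareName=$Root" "/GRANT:$UserGroup,FULL" /CACHE:Documents

# Verify: only the four explicit entries above should remain on the root.
(Get-Acl -Path $Root).Access |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags |
    Format-Table -AutoSize
```

With these permissions a user in the group can create \\NYC-DC1\Redirect\<user> but cannot list or open another user’s subfolder, and a compromised user account cannot read the whole share the way it could with an Everyone/Full Control share plus default NTFS inheritance.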

Question: What steps should you take to protect the data while it is in transit between the client and theserver?


Demonstration: Configuring Folder Redirection

Key Points

In this demonstration, you will see how to:

• Create a shared folder.

• Create a GPO to redirect the Documents folder.

• Test folder redirection.

Demonstration Steps:

Create a shared folder

1. On NYC-DC1, click Start, click Computer, double-click the C: drive, and then create a folder named C:\Redirect.

2. Share the folder with Everyone with Full Control permission. (This is acceptable for the demonstration only; a production share uses the permissions described in the previous topic.)

Create a GPO to redirect the Documents folder

1. Open the Group Policy Management console and create and link a GPO named Folder Redirection to the Contoso domain.

2. Edit the Folder Redirection GPO.

3. Configure the Documents folder properties to use the Basic - Redirect everyone’s folder to the same location setting.

4. Ensure that the Target folder location is set to Create a folder for each user under the root path.

5. Make the Root Path \\NYC-DC1\Redirect.

6. Close all open windows on NYC-DC1.

Test the Folder Redirection

1. Log on to NYC-CL1 as Contoso\Administrator.


2. Check the properties of the Documents folder. The Location tab will show a path under \\NYC-DC1\Redirect, in a subfolder named for the user (\\NYC-DC1\Redirect\Administrator\Documents).

3. Log off of NYC-CL1.

Note: Because of Fast Logon Optimization, you may need two logons before you see the redirection; Folder Redirection is applied only during a synchronous logon.


What Are Group Policy Scripts?

Key Points

You can use Group Policy scripts to perform any number of tasks. There may be actions that you need to perform every time a computer starts or shuts down, or when users log on or off. For example, you can use scripts to:

• Clean up desktops when users log off and shut down computers.

• Delete the contents of temporary directories.

• Map drives or printers.

• Set environment variables.

Scripts that are assigned to the computer run in the security context of the Local System account. Scriptsthat are assigned to the user logging on run in the security context of that user.

Aspects of how scripts run are controlled by other Group Policy settings. For example, if multiple scripts are assigned, you can control whether they run synchronously or asynchronously, whether they are visible to the user, and how long Windows waits for them before timing out (the Maximum wait time for Group Policy scripts setting, 600 seconds by default).

Scripts can be written in any scripting language that the Windows client can interpret, such as VBScript, JScript, or simple command or batch files.

Note: In Windows Server 2008 R2, the user interface (UI) in the Group Policy Management Editor for Logon, Logoff, Startup, and Shutdown scripts has an extra tab for PowerShell scripts. You can simply add your PowerShell script on this tab to deploy it. Only Windows Server 2008 R2 and Windows 7 clients can run PowerShell scripts assigned through Group Policy; earlier clients ignore that tab.

Scripts are stored in shared folders on the network. You must ensure that the client has access to that network location, or the scripts fail to run. Although scripts can be stored in any network location, as a best practice, use the Netlogon share: all users and computers that are authenticated to Active Directory® Domain Services (AD DS) have read access to it, it is replicated to every domain controller, and only administrators can write to it. That last point matters for security. Startup and shutdown scripts run as Local System, so a script stored in a location that ordinary users can modify lets any user run code as SYSTEM on every computer the GPO applies to.


For many of these settings, using Group Policy preferences is a better alternative to configuring them in Windows images or using logon scripts. Group Policy preferences are covered in more detail later in this module.

Question: Which permissions are required on network shares so that clients can connect and run a script?


Demonstration: Configuring Scripts Using Group Policy

Key Points

In this demonstration, you will see how to:

• Create a logon script to map a network drive.

• Create and link a GPO that uses the script, and store the script in the Netlogon share.

• Log on to the client computer and test the results.

Demonstration Steps:

Create a logon script to map a network drive.

1. On NYC-DC1, launch Notepad and enter the following command:

   net use t: \\nyc-dc1\marketingtemplates

2. Save the file as Map.bat. In the Save As dialog box, click the Save as type: drop-down arrow and select All Files (*.*) as the type. Save the file to the default location, Documents.

3. Copy the file to the clipboard.

Create and link a GPO that uses the script, and store the script in the Netlogon share.

1. Use the Group Policy Management console to create and link a new GPO named Drivemap to the Contoso domain.

2. Edit the GPO to configure a user logon script.

3. Paste the Map.bat script into the Netlogon share.

4. Add the Map.bat script to the logon scripts.

Log on to the client to test the results.

1. On NYC-CL1, log on as Contoso\Administrator.

2. Click Start, click Computer, and then verify that drive T is mapped.


3. Log off of NYC-CL1.
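The one-line Map.bat used in this demonstration and in Lab A does its job, but it gives no indication of why a mapping failed and will fail silently when the user already has a stale T: mapping. The following is an added example, not the handbook’s script: a PowerShell logon script that maps the same drive (to \\nyc-dc1\data, the share Lab A uses) with those checks added. It assumes Windows 7 or Windows Server 2008 R2 clients (needed for the PowerShell Scripts tab), that it is saved as Map.ps1 in the NETLOGON share, and that it is assigned as a user logon script; the log file name is an assumption.

```powershell
# Added example; not the handbook's Map.bat. User logon script that maps T: to
# \\nyc-dc1\data, replaces a stale mapping, and records what happened in a
# per-user log file (assumed name: %TEMP%\logon-map.log). Because logon
# scripts run as the logging-on user, a failure here also means the user's
# own account cannot reach the share, which is usually a permissions problem.
param(
    [string]$Drive = 'T',
    [string]$Share = '\\nyc-dc1\data'
)

function Write-Log([string]$Message) {
    $line = '{0:s} {1}\{2} {3}' -f (Get-Date), $env:USERDOMAIN, $env:USERNAME, $Message
    Add-Content -Path (Join-Path $env:TEMP 'logon-map.log') -Value $line
}

# 1. Can this user reach the share at all? Test-Path uses the user's own token,
#    so it exercises the share and NTFS permissions that matter at logon time.
if (-not (Test-Path -LiteralPath $Share)) {
    Write-Log "cannot reach $Share; drive ${Drive}: not mapped"
    exit 1
}

# 2. Remove a stale mapping of the same letter that points somewhere else.
$existing = Get-WmiObject -Class Win32_NetworkConnection -Filter "LocalName = '${Drive}:'"
if ($existing -and $existing.RemoteName -ne $Share) {
    Write-Log "removing stale mapping ${Drive}: -> $($existing.RemoteName)"
    net use "${Drive}:" /delete /y | Out-Null
}

# 3. Map the drive. net use is used instead of New-PSDrive because the -Persist
#    switch does not exist in PowerShell 2.0 on Windows 7. /persistent:no keeps
#    the mapping out of the profile, so the script is the single source of truth.
if (-not (Get-WmiObject -Class Win32_NetworkConnection -Filter "LocalName = '${Drive}:'")) {
    net use "${Drive}:" $Share /persistent:no | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Log "net use failed with exit code $LASTEXITCODE"
        exit $LASTEXITCODE
    }
}
Write-Log "${Drive}: -> $Share"
```

To deploy it the way the demonstration deploys Map.bat, copy Map.ps1 to \\contoso.com\NETLOGON (on NYC-DC1 that is C:\Windows\SYSVOL\sysvol\contoso.com\scripts), then in the GPO open User Configuration, Policies, Windows Settings, Scripts (Logon/Logoff), Logon, and add the script on the PowerShell Scripts tab. Store the script only in NETLOGON or another share that users can read but not modify.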

Question: What other method could you use to assign logon scripts to users?


Lab A: Using Group Policy to Configure Scripts and Folder Redirection

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V™ Manager.

2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

5. Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on to NYC-CL1 until directed to do so.

Lab Scenario

Contoso, Ltd. has decided to implement Group Policy to manage user desktops. The organization has already implemented an organizational unit (OU) configuration that includes top-level OUs for the different departments. Contoso, Ltd. wants to use Group Policy to map network locations for users and to redirect the documents of specific users to ensure that their data is secured and backed up.


Exercise 1: Using a Group Policy Logon Script to Map a Network Drive

Scenario

You need to create a logon script that maps a network drive to the shared folder named Data on NYC-DC1. Then, you need to use Group Policy to assign the script to all users in the Contoso domain. The script needs to be stored in a highly available location.

The main tasks for this exercise are as follows:

1. Create a script to map a drive.

2. Create and link a GPO.

3. Edit the GPO and store the script in Sysvol.

4. Test the script.

Task 1: Create a script to map a drive to the data share

1. On NYC-DC1, use Notepad to create a batch file named Map.bat that maps drive T to the \\nyc-dc1\data share.

2. Save the file to the default location. In the Save As dialog box, click the Save as type: drop-down arrow and select All Files (*.*) as the type. Save the file to the default location, Documents.

3. Browse to the saved location and copy the file to the clipboard.

Task 2: Create and link a GPO

• Create a GPO named Drivemap and link it to the Contoso.com domain.

Task 3: Edit the GPO and store the script in Sysvol

1. Edit the Drivemap GPO to assign the Map.bat logon script to users.

2. Copy the Map.bat script to the Netlogon share.

Task 4: Test the results

1. On NYC-CL1, log on as Contoso\Administrator with the password Pa$$w0rd.

2. Verify that drive T has been mapped.

3. Log off NYC-CL1.

Results: In this exercise, you created a script and a GPO to assign the script, and you stored the script in a highly available location.


Exercise 2: Using Group Policy to Redirect Folders

Scenario

You need to create a network folder on NYC-DC1 and set permissions to share and secure the folder. You will create and test a GPO to redirect the Documents folder for all members of the Research OU.

The main tasks for this exercise are as follows:

1. Create a shared folder.

2. Create a GPO to redirect the Documents folder.

3. Test folder redirection.

Task 1: Create a shared folder

1. On NYC-DC1, create a new folder, C:\Redirect.

2. Share the Redirect folder to the Research group and grant them Read/Write permission.

Task 2: Create a GPO to redirect the Documents folder

1. Create and link a new GPO named Redirect to the Research OU.

2. Edit the Redirect GPO to redirect the Documents folder with the following settings:

• Setting: Basic – Redirect everyone’s folder to the same location.

• Target folder location: Create a folder for each user under the root path.

• Root Path: \\NYC-DC1\Redirect.

Task 3: Test folder redirection

1. Log on to NYC-CL1 as Dylan with the password Pa$$w0rd.

2. Examine the properties of the Documents folder. Note that the location of the folder is now the Redirect network share, in a subfolder named for the user.

3. Close all open Windows and log off.

Note: Because of Fast Logon Optimization, it may take two logons to see the redirection, unless the user has never logged on to this computer before; a user’s first logon on a computer is always processed synchronously, so the redirection is applied immediately.

Results: In this exercise, you created and set permissions on a shared folder. You created and linked a GPO to redirect the documents of the Research OU users to the shared folder.

To prepare for the next lab

When you finish the lab, leave the virtual machines running.


Lesson 2

Using Administrative Templates to Manage Users and Computers

The Administrative Template files provide the majority of the available policy settings, which are designed to modify specific registry keys. This is known as registry-based policy. For many applications, the registry-based policy that the Administrative Template files deliver is the simplest and best way to support centralized management of policy settings. In this lesson, you will learn how to configure Administrative Templates.

After completing this lesson, you will be able to:

• Describe Group Policy administrative templates.

• Describe ADM and ADMX files.

• Describe the Central Store.

• Describe example scenarios for using administrative templates.


Overview of Group Policy Administrative Template Settings

Key Points

Administrative Templates allow you to control the environment of the operating system and the user experience. There are two sets of Administrative Templates: one for users and one for computers. Using the Administrative Templates sections of the GPO, you can deploy hundreds of modifications to the registry. Administrative Templates have the following characteristics:

• They are organized into subfolders that deal with specific areas of the environment, such as Network, System, and Windows Components.

• The settings in the computer section edit the HKEY_LOCAL_MACHINE hive in the registry, and the settings in the user section edit the HKEY_CURRENT_USER hive. Policy values are written under the Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies keys, which are protected from ordinary users, and they are removed again when the setting returns to Not Configured.

• Some settings exist for both user and computer. For example, there is a setting to prevent Windows Messenger from running in both the user and the computer templates. In the case of conflicting settings, the computer setting prevails.

• Some settings are available only to certain versions of Windows operating systems; for example, a number of new settings can be applied only to the Windows 7 family of operating systems. Double-clicking a setting displays the supported versions for that setting.

Question: Which settings are you currently configuring manually or through scripts that you could configure by using Group Policy?


What Are ADM and ADMX Files?

Key Points

ADM Files

Traditionally, ADM files have been used to define the settings that the administrator can configure through Group Policy. Each successive Windows operating system and service pack has included a newer version of these files. ADM files use their own markup language. Therefore, it is difficult to customize ADM files. The ADM templates are located in the %SystemRoot%\Inf folder.

A major drawback of ADM files is that they are copied into every GPO that is created, and consume about 3 megabytes (MB) of space per GPO. This can cause the Sysvol folder to become very large and increase replication traffic.

ADMX Files

Windows Vista® and Windows Server 2008 introduced a new format for displaying registry-based policy settings. These settings are defined by using a standards-based XML file format known as ADMX files. These new files replace ADM files. Group Policy tools on Windows Vista and later and on Windows Server 2008 will continue to recognize the custom ADM files that you have in your existing environment, but will ignore any ADM file that ADMX files have superseded. Unlike ADM files, ADMX files are not stored in individual GPOs. The Group Policy Object Editor will automatically read and display settings from the local ADMX file store. By default, ADMX files are stored in the Windows\PolicyDefinitions folder, but they can be stored in a central location.

ADMX files are language neutral. The plain-language descriptions of the settings are not part of the ADMX files; they are stored in language-specific ADML files. This means that administrators who speak different languages, such as English and Spanish, can look at the same GPO and see the policy descriptions in their own language, because each of them uses their own language-specific ADML files. ADML files are stored in a language subfolder of the PolicyDefinitions folder. By default, only the ADML language files for the language of the installed operating system are added.
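To make the ADMX/ADML split concrete, here is an added example (not course material) that parses a constructed ADMX file and its matching ADML file and joins each policy definition to its display string. The two XML documents are constructed samples that follow the real ADMX/ADML layout; the policy names, registry keys and strings in them are illustrative, and the `Get-AdmxPolicySummary` function is this example's own. To run it against real files, load the XML from `%SystemRoot%\PolicyDefinitions` instead of the here-strings.

```powershell
# Added example, not part of the course: join ADMX policy definitions to ADML strings.
# Constructed ADMX sample: language-neutral, refers to strings as $(string.<id>)
$admxText = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="sample" namespace="Contoso.Policies.Sample" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="SampleCat" displayName="$(string.SampleCat)" />
  </categories>
  <policies>
    <policy name="DisableRegistryTools" class="User"
            displayName="$(string.DisableRegistryTools)" explainText="$(string.DisableRegistryTools_Help)"
            key="Software\Microsoft\Windows\CurrentVersion\Policies\System" valueName="DisableRegistryTools">
      <parentCategory ref="SampleCat" />
      <supportedOn ref="windows:SUPPORTED_Win2k" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
    <policy name="NoRun" class="User"
            displayName="$(string.NoRun)" explainText="$(string.NoRun_Help)"
            key="Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" valueName="NoRun">
      <parentCategory ref="SampleCat" />
      <supportedOn ref="windows:SUPPORTED_Win2k" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@

# Constructed ADML sample (en-US): only the display text, keyed by string id
$admlText = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitionResources">
  <displayName>Sample policies</displayName>
  <description>Constructed sample for the ADMX/ADML example</description>
  <resources>
    <stringTable>
      <string id="SampleCat">Sample category</string>
      <string id="DisableRegistryTools">Prevent access to registry editing tools</string>
      <string id="DisableRegistryTools_Help">Disables Regedit.exe for the user.</string>
      <string id="NoRun">Remove Run menu from Start Menu</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
'@

# Resolve a "$(string.<id>)" reference against the ADML string table.
# A missing id is reported instead of thrown: that is what you see when the
# ADML is older than the ADMX or the language folder is absent.
function Resolve-AdmlString {
    param([string]$Reference, [hashtable]$Table)
    if ($Reference -match '^\$\(string\.(\w+)\)$') {
        if ($Table.ContainsKey($Matches[1])) { return $Table[$Matches[1]] }
        return "<missing string: $($Matches[1])>"
    }
    return $Reference
}

# One object per policy: the registry location it writes and the text GPMC shows
function Get-AdmxPolicySummary {
    param([xml]$Admx, [xml]$Adml)
    $strings = @{}
    foreach ($s in $Adml.policyDefinitionResources.resources.stringTable.string) {
        $strings[$s.id] = $s.InnerText
    }
    $Admx.policyDefinitions.policies.policy | ForEach-Object {
        # class decides the hive: User settings go to HKCU, Machine settings to HKLM
        $hive = switch ($_.class) { 'User' { 'HKCU' } 'Machine' { 'HKLM' } 'Both' { 'HKLM+HKCU' } }
        New-Object PSObject -Property @{
            Policy       = $_.name
            Class        = $_.class
            DisplayName  = Resolve-AdmlString -Reference $_.displayName -Table $strings
            RegistryPath = "$hive\$($_.key)"
            ValueName    = $_.valueName
            EnabledValue = $_.enabledValue.decimal.value
            Help         = Resolve-AdmlString -Reference $_.explainText -Table $strings
        }
    }
}

Get-AdmxPolicySummary -Admx ([xml]$admxText) -Adml ([xml]$admlText) |
    Format-Table Policy, Class, DisplayName, RegistryPath, ValueName, EnabledValue, Help -AutoSize
```

The second policy deliberately has no `NoRun_Help` string in the ADML, so its `Help` column shows a missing-string marker; that is the same symptom GPMC reports when an ADML file lags behind its ADMX, which is why the ADML subfolders must be copied together with the ADMX files.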


Question: How could you tell if a GPO was created or edited by using ADM or ADMX files?

Question: Can you list one benefit of the ADMX format for Group Policy Objects?


What Is the Central Store?

Key Points

For domain-based enterprises, administrators can create a central store location of ADMX files that is accessible by anyone with permission to create or edit GPOs. The GPO Editor on Microsoft Windows 7 and Windows Server 2008 automatically reads and displays Administrative Template policy settings from ADMX files that the central store caches and ignores the ones stored locally. If the domain controller is not available, the local store is used.

You must create the central store and then update it manually on a domain controller. The use of ADMX files depends on the operating system of the computer where you are creating or editing the GPO, not on the domain controller. Therefore, the domain controller can be a server running Microsoft Windows 2000 or later. SYSVOL, including the central store, is replicated to the domain's other domain controllers; either FRS or DFS-R is used to replicate the data, depending on the server operating system and configuration.

To create a Central Store for .admx and .adml files, create a folder that is named PolicyDefinitions in the following location:

• \\FQDN\SYSVOL\FQDN\policies

For example, to create a central store for the Test.Microsoft.com domain, create a PolicyDefinitions folder in the following location:

• \\Test.Microsoft.Com\SYSVOL\Test.Microsoft.Com\Policies

A user must copy all files and subfolders of the PolicyDefinitions folder. The PolicyDefinitions folder on a Windows 7-based computer resides in the Windows folder. The PolicyDefinitions folder stores all .admx files and .adml files for all languages that are enabled on the client computer.


Note: A user must log on to the DC with an account that is a member of the Domain Admins group. To ensure that the appropriate languages are available, the Windows 7 desktop used as the source must have the appropriate language packs installed.
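The procedure above, carried out as a script, is shown here as an added example (not course material): it creates the PolicyDefinitions folder under SYSVOL, copies the local store including every ADML language subfolder into it, and reports what the central store now holds. It assumes it runs on a domain controller under a Domain Admins account and reads the domain FQDN from the session environment; the source folder defaults to the local PolicyDefinitions store of the machine it runs on.

```powershell
# Added example, not part of the course: create or refresh the ADMX central store.
param(
    # FQDN of the domain, e.g. Test.Microsoft.Com in the text; defaults to the session's DNS domain
    [string]$Domain = $env:USERDNSDOMAIN,
    # Local store to copy from (run this on the Windows 7 / 2008 machine that has the language packs)
    [string]$Source = (Join-Path $env:SystemRoot 'PolicyDefinitions')
)

# \\FQDN\SYSVOL\FQDN\Policies\PolicyDefinitions, exactly as the text describes it
$Central = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

if (-not (Test-Path -LiteralPath $Source)) {
    throw "Local PolicyDefinitions store not found: $Source"
}

# Create the folder only on first use; an existing central store is refreshed in place
if (-not (Test-Path -LiteralPath $Central)) {
    New-Item -Path $Central -ItemType Directory | Out-Null
    Write-Host "Created central store at $Central"
}

# Copy the .admx files and every language subfolder (en-US, es-ES, ...).
# -Force overwrites older copies, so rerunning after a service pack or RSAT
# update replaces the superseded definitions rather than leaving a mix.
Copy-Item -Path (Join-Path $Source '*') -Destination $Central -Recurse -Force

# Summarise what GPMC will now load from the central store (SYSVOL replication
# carries it to the other domain controllers)
function Get-CentralStoreSummary {
    param([string]$Path)
    $admx  = @(Get-ChildItem -Path $Path -Filter *.admx)
    $adml  = @(Get-ChildItem -Path $Path -Recurse -Filter *.adml)
    $langs = @(Get-ChildItem -Path $Path | Where-Object { $_.PSIsContainer } | ForEach-Object { $_.Name })
    New-Object PSObject -Property @{
        CentralStore = $Path
        AdmxFiles    = $admx.Count
        AdmlFiles    = $adml.Count
        Languages    = ($langs -join ', ')
    }
}

Get-CentralStoreSummary -Path $Central | Format-List
```

One caveat worth checking after the copy: the Group Policy editor on Windows Vista, Windows 7 and Windows Server 2008 switches to the central store automatically once the folder exists, so any ADMX file that is newer on an administrator's local machine than in SYSVOL will not be seen until it is copied into the store with the same script.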

Question: Can the central store exist on a Windows 2003 domain controller?


Discussion: Practical Uses of Administrative Templates

Key Points

Spend a few minutes examining the administrative templates and consider how some of them could be employed in your organization.

Be prepared to share information about your organization's current use of GPOs and logon scripts, such as:

• How do you currently provide desktop security?

• How much administrative access do users have to their systems?

• Which Group Policy settings will you find useful in your organization?


Lab B: Configuring Administrative Templates

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. Log on to 6419B-NYC-DC1 by using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

2. Do not log on to NYC-CL1 until directed to do so.

Lab Scenario

The organization has already implemented an OU configuration that includes top-level OUs for different departments. User accounts are in the same container as their workstation computer accounts. All users are running the Windows 7 operating system. You need to configure several Group Policy settings to control the user environment and make the desktop more secure.


Exercise 1: Configuring Administrative Templates

Scenario

You need to control the following areas of desktop systems in the Research OU.

• Users should not have access to registry editing tools.

• Users should not have access to the Run menu.

• Users should be denied write access to removable storage.

• Users should not be able to change their desktop background images.

You will also modify the Default Domain Policy to allow remote administration through the firewall, allowing you to run Group Policy Results queries against target computers in the domain.

The main tasks for this exercise are as follows:

1. Create and link a GPO to the Research OU.

2. Deny access to the registry editing tools.

3. Deny access to the Run menu.

4. Deny write access to removable storage.

5. Deny access to the desktop display settings.

6. Allow remote administration through the firewall.

Task 1: Create and link a GPO to the Research OU

• On NYC-DC1, open Group Policy Management and create and link a new GPO named ResearchDesktop to the Research OU.

Task 2: Deny access to the registry editing tools

• Edit the ResearchDesktop GPO to enable the Prevent access to registry editing tools setting.

Task 3: Deny access to the Run menu

• Edit the ResearchDesktop GPO to enable the Remove Run menu from Start Menu setting.

Task 4: Deny write access to removable storage

• Edit the ResearchDesktop GPO to enable the Removable disks: Deny write access setting.

Task 5: Deny access to the desktop background settings

• Edit the ResearchDesktop GPO to enable the Prevent changing desktop background setting.

Task 6: Allow remote administration through the Windows Firewall

• Edit the Default Domain Policy to enable the Windows Firewall: Allow inbound remote administration exception setting for the LocalSubnet.

Task 7: Test the settings

1. Log on to NYC-CL1 as Dylan with a password of Pa$$w0rd.

2. Ensure that the Run menu does not appear on the Accessories menu.

3. Ensure that the Change desktop background feature is disabled.

4. Ensure that Regedit.exe does not launch.

5. Close all open windows and log off.
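Tasks 1 to 5 and the Task 7 check, as an added example in PowerShell rather than the GPMC clicks (this is not course material and not a script the lab provides). It uses the GroupPolicy module that ships with Windows Server 2008 R2 and RSAT, and assumes the Contoso domain with an OU named Research directly under the domain root (`$OuDn` is an assumed distinguished name). Because every Administrative Template setting is a registry value, one table drives both the GPO configuration on NYC-DC1 and the verification run on NYC-CL1 after `gpupdate`; the registry key and value names are the ones the in-box ADMX files define for these four policies, and the removable-disk class GUID is the one RemovableStorage.admx uses for "Removable Disks" (check it against your own ADMX before relying on it).

```powershell
# Added example, not part of the course: Lab B via the GroupPolicy module.
Import-Module GroupPolicy

$GpoName = 'ResearchDesktop'
$OuDn    = 'OU=Research,DC=contoso,DC=com'   # assumed DN of the Research OU

# The four user-side policies from the exercise and the registry values they write.
$Settings = @(
    @{ Policy = 'Prevent access to registry editing tools'
       Key    = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name   = 'DisableRegistryTools'; Value = 1 },
    @{ Policy = 'Remove Run menu from Start Menu'
       Key    = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name   = 'NoRun'; Value = 1 },
    @{ Policy = 'Removable Disks: Deny write access'   # class GUID: verify against RemovableStorage.admx
       Key    = 'HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
       Name   = 'Deny_Write'; Value = 1 },
    @{ Policy = 'Prevent changing desktop background'
       Key    = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
       Name   = 'NoChangingWallPaper'; Value = 1 }
)

# Tasks 1-5 (run on NYC-DC1): create and link the GPO, then write each policy value.
# HKCU keys land in the User Configuration half of the GPO, matching the lab's intent.
function New-ResearchDesktopGpo {
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName -Comment 'Lab B: Research desktop restrictions' | Out-Null
    }
    New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    foreach ($s in $Settings) {
        Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.Name -Type DWord -Value $s.Value | Out-Null
    }
    Get-GPO -Name $GpoName | Select-Object DisplayName, Id, GpoStatus
}

# Task 7 as a check (run on NYC-CL1 as Dylan after "gpupdate /target:user /force"):
# compare the value in the user's registry with what the GPO should have delivered.
function Test-ResearchDesktopPolicy {
    foreach ($s in $Settings) {
        $path   = $s.Key -replace '^HKCU\\', 'HKCU:\'
        $actual = $null
        if (Test-Path -LiteralPath $path) {
            $actual = (Get-ItemProperty -LiteralPath $path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        }
        New-Object PSObject -Property @{
            Policy   = $s.Policy
            Expected = $s.Value
            Actual   = $actual
            Applied  = ($actual -eq $s.Value)
        }
    }
}

# Usage: on the DC, New-ResearchDesktopGpo; on the client, Test-ResearchDesktopPolicy | Format-Table -AutoSize
```

A row with `Applied = False` after `gpupdate` usually means the user is not under the Research OU or the link is disabled, which is also what a Group Policy Results query (Task 6 opens the firewall for it) would show.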


Results: In this exercise, you created and linked a GPO to control the desktop environment.

To prepare for the next lab

When you finish the lab, leave the virtual machines running.


Lesson 3

Deploying Software Using Group Policy

Windows Server 2008 includes a feature called Software Installation and Maintenance that AD DS, Group Policy, and the Windows Installer service use to install, maintain, and remove software from your organization's computers.

After completing this lesson, you will be able to:

• Describe how Group Policy Software Distribution addresses the Software Life Cycle.

• Describe how Windows Installer enhances software distribution.

• Describe the characteristics of assigned and published software.

• Assign and publish software applications.

• Manage software upgrades by using Group Policy.

• Compare Group Policy software distribution with System Center Configuration Manager 2007 R2.


How Group Policy Software Distribution Addresses the Software Life Cycle

Key Points

The software life cycle consists of four phases: preparation, deployment, maintenance, and removal. Group Policy can be used to manage all phases except the preparation. You can apply Group Policy settings to users or computers in a site, domain, or organizational unit to automatically install, upgrade, or remove software.

By applying Group Policy settings to software, you can manage the phases of software deployment without deploying software on each computer individually.

Question: How do you currently deploy software in your organization?


How Windows Installer Enhances Software Distribution

Key Points

To enable Group Policy to deploy and manage software, Windows Server 2008 uses the Windows Installer service. This component automates the installation and removal of applications by applying a set of centrally defined setup rules during the installation process. The Windows Installer service installs the Microsoft Installer (.MSI) package files. MSI files contain a database that stores all the instructions required to install the application. Small applications may be contained entirely in the MSI file, whereas other, larger applications will have many associated source files that are referenced by the MSI. Many ISVs will provide MSI files for their applications.

The Windows Installer service has the following characteristics:

• This service runs with elevated privileges so that software can be installed by the Windows Installer service no matter which user is logged on to the system. Users only require read access to the software distribution point.

• Applications are resilient. If an application becomes corrupted, the installer will detect this and reinstall or repair the application.

• Windows Installer cannot install .EXE files. To distribute a software package that installs with an .EXE file, the .EXE file must be converted to an .MSI file by using a third-party utility.

Question: Do users need administrative rights to manually install applications that have MSI files?

Question: What are some disadvantages of deploying software through Group Policy?


Assigning and Publishing Software Applications

Key Points

There are two deployment types available for delivering software to clients. Administrators can either install software for users or computers in advance by assigning the software, or give users the option to install the software when they require it by publishing the software in Active Directory Domain Services. Both the user and the computer configuration sections of a GPO have a Software Settings section. Software is added to a GPO by adding a new package to the Software Installation node and specifying whether to assign or publish it.

You can also choose advanced deployment of a package. This option is used to apply a customization file to a package for custom deployment; for example, you would use it if you had used the Office Customization Tool to create a setup customization file to deploy Microsoft Office 2010.

Assigning Software

Assigned software has the following characteristics:

• When you assign software to a user, the user's Start menu advertises the software when the user logs on. Installation does not begin until the user double-clicks the application's icon or a file that is associated with the application.

• Users do not share deployed applications; an application you install for one user through Group Policy will not be available to other users.

• When you assign an application to a computer, the application is installed the next time the computer starts. The application will be available to all users of the computer.

Publishing Software

Published software has the following characteristics:

• The Control Panel's Programs applet advertises a published program to the user. Users can install the application by using the Programs applet, or you can set it up so that the application is installed by document activation.


• Applications that users do not have permission to install are not advertised to them.

• Applications cannot be published to computers.

Note: When configuring Group Policy to deploy applications, the packages must be referenced by UNC paths. If you use local paths, the deployment will fail.

Question: What is the advantage of publishing an application over assigning it?


Demonstration: Assigning and Publishing Software Using Group Policy

Key Points

In this demonstration, the instructor will show how to:

• Create and populate an application distribution point.

• Assign an application using Group Policy.

• Publish an application via Group Policy.

• Test the deployment.

Demonstration Steps:

Create and populate an application distribution folder.

1. On NYC-DC1, click Start, click Computer, and then create a folder named C:\AppDeploy.

2. Share the folder to Everyone with Read permission.

3. Copy XMLNotepad.msi from \\NYC-SVR1\E$\labfiles\Mod10 to the AppDeploy folder.

Assign an application to a computer via Group Policy.

• Use the GPMC and expand the Contoso.com node

• Edit the Default Domain Policy to assign \\NYC-DC1\AppDeploy\XMLNotepad.msi to the computer configuration.

Publish an application via Group Policy

• Use the GPMC and expand the Contoso.com node

• Edit the Default Domain Policy to publish \\NYC-DC1\AppDeploy\XMLNotepad.msi to the user configuration.


Test the deployment.

1. Start 6419B-NYC-CL1.

2. Log on to NYC-CL1 as Contoso\Administrator with a password of Pa$$w0rd.

3. Restart NYC-CL1 and log on as the administrator. A restart is required to install the assigned application.

4. Ensure that the XML Notepad 2007 application is installed.

5. Open Control Panel. From the Programs and Features page, ensure that the XML Notepad 2007 application is being advertised on the network.

Note: You require the 6419B-NYC-DC1 and 6419B-NYC-SVR1 virtual machines to complete this demonstration. Log on to NYC-DC1 as Contoso\Administrator, with the password Pa$$w0rd. Do not log on to NYC-SVR1.


Managing Software Upgrades Using Group Policy

Key Points

Software vendors occasionally release software patches. These usually address minor issues, such as a bug fix or feature enhancements that do not warrant a complete reinstallation of the application. Microsoft releases software patches via .MSP files.

Major upgrades that provide new functionality require upgrading a software package to a newer version. The Upgrades tab allows you to upgrade a package by using the GPO. Upgrades using Group Policy have the following characteristics:

• You may redeploy a package if the original Windows Installer file has been modified.

• Upgrades will often remove the old version of an application and install a newer version, usually maintaining application settings.

• You can remove software packages if they were delivered originally by using Group Policy. This is useful if an LOB application is being replaced with a different application. Removal can be mandatory or optional.

Question: Your organization is upgrading to a newer version of a software package. Some users in the organization require the old version. How would you deploy the upgrade?


Comparing Group Policy Software Distribution with System Center Configuration Manager 2007 R3

Key Points

One of the most time-consuming tasks in an information technology (IT) environment is software deployment and maintenance. Automating software deployment is an important step towards lowering the costs and making your IT department more efficient.

Group Policy is not the only way that software can be deployed. The following table compares Group Policy software deployment with System Center Configuration Manager 2007 R3 software deployment features.

Group Policy Software Deployment                              | System Center Configuration Manager 2007 R3 Software Deployment
--------------------------------------------------------------|----------------------------------------------------------------------------------------------------------
Is available at no extra cost as part of the operating system | Must be purchased and licensed
Is a user-driven event that cannot be scheduled               | Can be scheduled to occur at a convenient time
Has no reporting ability                                      | Provides several reports regarding package status or software usage and license requirements
Is designed to use .MSI files                                 | Can create and distribute packages that can run any executable
Is relatively simple to implement                             | Requires more administrative effort and a working knowledge of System Center Configuration Manager 2007 R3
Does not scale well to distribute large applications          | Can be used to distribute any applications

Question: Are students using SCCM or any other third-party software distribution application?


Lab C: Deploying Software Using Group Policy

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6419B-NYC-SVR1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on to 6419B-NYC-DC1 by using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

5. Do not log on to NYC-CL1 or NYC-SVR1 until directed to do so.

Lab Scenario

Users in the IT department need to have the XML Notepad 2007 application available on the network in case they need to install it on their computers. It has been decided to use Group Policy Software Installation to publish the application so that it is available to install on any computer that an IT user logs on to. You will create and populate a software distribution share. Then, you will create and configure a GPO to publish the software.


Exercise 1: Deploying a Software Package Using Group Policy

Scenario

Users in the IT department need to have the XML Notepad 2007 application available on the network in case they need to install it on their computers. It has been decided to use Group Policy Software Installation to publish the application so that it is available to install on any computer that an IT user logs on to. You will create and populate a software distribution share. Then, you will create and configure a GPO to publish the software.

The main tasks for this exercise are as follows:

1. Create and populate a shared folder to act as a software distribution point.

2. Create and link a GPO to deploy the software to the IT OU.

3. Configure the GPO to publish the XML Notepad 2007 application.

4. Test the deployment.

Task 1: Create and populate a shared folder to act as a software distribution point

1. On NYC-DC1, create a folder named C:\AppDeploy.

2. Share the folder to Everyone with Read permission.

3. Copy XMLNotepad.msi from \\NYC-SVR1\E$\labfiles\Mod10 to the AppDeploy folder.

Task 2: Create and link a GPO to deploy the software to the IT OU

• Create and link a GPO named Software Deploy to the IT OU.

Task 3: Configure the GPO to publish the XML Notepad 2007 application

• Edit the Software Deploy GPO to publish a new package located at \\NYC-DC1\AppDeploy\XMLNotepad.msi.

Task 4: Test the deployment

1. Log on to NYC-CL1 as Ed with a password of Pa$$w0rd.

2. Access the Programs applet in Control Panel and install XML Notepad 2007 from the network.

3. Close all open windows and log off.

Results: In this exercise, you created and populated a software distribution share and created and configured a GPO to publish an application.
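As an added example, not part of the 6419B lab text, the following PowerShell script performs Tasks 1 and 2 from NYC-DC1 with tighter permissions than the lab's Everyone/Read share, refuses to place an unverified package on the distribution point, and, once the package has been added in the Group Policy Management Editor (Task 3), checks that the GPO references it by UNC path. It assumes Windows Server 2008 R2 with the GroupPolicy module (installed with the GPMC feature), a domain administrator session, the distinguished name OU=IT,DC=Contoso,DC=com for the IT OU, and a hypothetical $expectedSha256 variable for a known-good hash; icacls.exe and net.exe are the built-in tools, and Test-GpoPackagePaths is a helper written for this example.

```powershell
# Added example, not from the courseware: build the Lab C distribution point with least privilege,
# verify the package, create and link the GPO, then check the finished GPO for a UNC package path.
# Assumes Windows Server 2008 R2, the GroupPolicy module, and a domain administrator session.
Import-Module GroupPolicy

$folder         = 'C:\AppDeploy'
$shareName      = 'AppDeploy'
$sourceMsi      = '\\NYC-SVR1\E$\labfiles\Mod10\XMLNotepad.msi'
$gpoName        = 'Software Deploy'
$ouDn           = 'OU=IT,DC=Contoso,DC=com'   # assumption: adjust to the lab forest's actual DN
$expectedSha256 = $null                        # assumption: set to a known-good hash if the MSI is unsigned

# --- Task 1: distribution point ---------------------------------------------------------------
# Clients only read the package (users for published software, computer accounts for assigned
# software; both are Authenticated Users). Whoever can write here controls code that will run on
# every targeted client, so write access stays with Administrators and SYSTEM.
New-Item -Path $folder -ItemType Directory -Force | Out-Null
& icacls.exe $folder /inheritance:r `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    /grant 'NT AUTHORITY\Authenticated Users:(OI)(CI)RX' | Out-Null
# Share permission stays at the lab's Everyone/Read; the NTFS ACL above is what actually limits access.
if (-not (Get-WmiObject -Class Win32_Share -Filter "Name='$shareName'")) {
    & net.exe share "$shareName=$folder" '/GRANT:Everyone,READ' | Out-Null
}

# --- Verify the package before it becomes a trusted install source -----------------------------
Copy-Item -Path $sourceMsi -Destination $folder
$localMsi = Join-Path $folder (Split-Path $sourceMsi -Leaf)
$sig      = Get-AuthenticodeSignature -FilePath $localMsi
$sha256   = [BitConverter]::ToString(
    [Security.Cryptography.SHA256]::Create().ComputeHash([IO.File]::ReadAllBytes($localMsi))) -replace '-', ''
if ($sig.Status -ne 'Valid' -and $sha256 -ne $expectedSha256) {
    throw "Refusing to publish $localMsi : signature status '$($sig.Status)', SHA-256 $sha256 is not on the allow list."
}

# --- Task 2: GPO, linked to the IT OU ---------------------------------------------------------
# There is no cmdlet for the Software Installation node on 2008 R2, so adding the package (Task 3)
# is still done in the Group Policy Management Editor.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# --- After Task 3: is every package path in the GPO a UNC path? --------------------------------
# A package added by a local path (C:\AppDeploy\...) points clients at their own disk and the
# deployment silently fails; this is one of the module's troubleshooting tips.
function Test-GpoPackagePaths {
    param([Parameter(Mandatory=$true)][string]$Name)
    $reportXml = Get-GPOReport -Name $Name -ReportType Xml
    foreach ($m in [regex]::Matches($reportXml, '(?i)(\\\\|[a-z]:\\)[^<>"]+?\.msi')) {
        New-Object PSObject -Property @{ Package = $m.Value; IsUncPath = $m.Value.StartsWith('\\') }
    }
}
Test-GpoPackagePaths -Name $gpoName | Format-Table Package, IsUncPath -AutoSize
```

Run the script once before Task 3 (it stops at the signature check if the package cannot be verified) and rerun it, or just Test-GpoPackagePaths, after the package has been added; any row with IsUncPath set to False is the deployment that will never install.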

To prepare for the next lab

When you finish the lab, leave the virtual machines running.


Lesson 4

Deploying Group Policy Preferences

Some common settings that affect the user and computer environment, such as mapped drives, could not be delivered through Group Policy. These settings were usually delivered through logon scripts or imaging solutions. Windows Server 2008 includes the new Group Policy preferences, built in to the Group Policy Management Console (GPMC). Administrators can also configure preferences by installing the Remote Server Administration Tools (RSAT) on a computer running Windows 7. This allows many common settings to be delivered through Group Policy.

Note: The Group Policy preferences client-side extensions are available for download and installation on Windows Vista RTM or later, Windows XP with Service Pack 2 or later, and Windows Server 2003 with Service Pack 1 or later.

After completing this lesson, you will be able to:

• Describe Group Policy Preferences.

• Identify the differences between Group Policy settings and preferences.

• Apply Windows settings by using preferences.

• Apply Control Panel settings by using preferences.

• Describe Group Policy preference features.


What Are Group Policy Preferences?

Key Points

Group Policy preference extensions are more than twenty Group Policy extensions that expand the range of configurable settings within a GPO. A number of settings that had to be applied by scripts in the past, such as drive mappings, can now be applied through preferences.

Group Policy preferences are natively supported on Windows Server 2008 and later and on Windows Vista SP2 and later. Group Policy preferences client-side extensions for Windows Server 2003 and for Windows Vista SP1 and earlier can be downloaded and installed to provide support for preferences on those systems.

Configuring Group Policy preferences does not require any special tools or software installation. They are natively part of GPOs in Windows Server 2008 and, by default, are applied in the same manner as Group Policy settings. Preferences have two distinct sections, Windows Settings and Control Panel Settings.

When you configure a new preference item, you select one of the following four actions:

• Create. Create a new preference setting for the user or computer. If the setting already exists, it is left unchanged.

• Delete. Remove an existing preference setting for the user or computer.

• Replace. Delete and re-create a preference setting for the user or computer. The result is that Group Policy preferences replace all existing settings and files associated with the preference item.

• Update. Modify an existing preference setting for the user or computer, creating it if it does not exist.

Question: Your organization currently has a number of Windows 2000 workstations. You wish to use Group Policy preferences to map printers for all users. What steps must you take to support the Windows 2000 clients?


Comparing Group Policy Settings to Preferences

Key Points

Preferences are similar to policies in that they apply configurations to the user or computer, but there are several differences in the way they are configured and applied. The most important difference is that preferences are not enforced, although they can be reapplied automatically at each refresh. The differences between Group Policy settings and preferences are:

• Preference settings are not enforced. The end user can change any setting that is applied through a preference; policy settings prevent users from changing them.

• Group Policy settings disable the user interface for settings managed by the policy; preferences do not.

• Group Policy settings are applied at regular intervals. Preferences may be applied once only or at intervals.

• Like Group Policy settings, preferences can be applied to computers or to users.

• In some cases, the same setting can be configured through a policy setting as well as a preference item. If conflicting preference and Group Policy settings are configured and applied to the same object, the value of the policy setting always applies.

• Group Policy preferences overwrite original settings; Group Policy settings do not. A preference writes directly to the location the application itself reads (for example, a registry value under HKEY_CURRENT_USER\Software), so the user's original value is lost. A policy setting is stored in a separate Policies location and the original value remains, which is why it returns when the policy is removed.


Applying Windows Settings Using Preferences

Key Points

Windows settings allow you to control operating system–based settings. This is a valuable tool for performing common tasks, such as mapping network drives and placing shortcuts on desktops, without having to resort to scripts.

Windows Settings control the following user and computer settings:

• Create, update, replace, and delete environment variables, just as with other preferences.

• Copy, update, replace, or delete files, and set their attributes.

• Create, update, replace, and delete folders.

• Create, update, replace, and delete properties in .ini files.

• Create, update, replace, and delete registry keys and values.

• Create, update, replace, and delete network shares (computer only).

• Create, update, replace, and delete shortcuts to file system objects, such as folders, or to URLs.

• Configure application settings (user only). An application plug-in is required.

• Create, update, replace, and delete mapped network drives (user only).

Question: How can you configure Group Policy preferences from a Windows 7 system?


Applying Control Panel Settings Using Preferences

Key Points

Control Panel settings allow you to configure many of the Control Panel applets without a technician visiting the desktop. This is especially useful for performing tasks that are often difficult for users, such as configuring data source names and creating VPN connections.

Control Panel settings control the following user and computer settings:

• Create, replace, update, or delete Open Database Connectivity (ODBC) data source names.

• Enable or disable hardware devices or classes of devices.

• Create, replace, update, or delete Open With associations for file types.

• Modify user-configurable Internet settings (user only).

• Create, replace, update, or delete local users and groups.

• Create, modify, or delete virtual private network (VPN) or dial-up connections.

• Modify power options and create, replace, update, or delete power schemes.

• Create, replace, update, or delete TCP/IP, shared, or local printer connections.

• Modify regional options (user only).

• Create, replace, update, or delete scheduled tasks.

• Modify services configuration (computer only).

• Modify Start menu options (user only).

Note: Several of these items (Local Users and Groups, Scheduled Tasks, Services, Data Sources, and the Drive Maps item under Windows Settings) can store a password. The preference XML that holds it is written to SYSVOL, which every authenticated user can read, and the value is encrypted with a fixed AES key that Microsoft documents in the MS-GPPREF protocol specification, so anyone in the domain can recover it. Microsoft removed the ability to set passwords in these items in security update MS14-025 (May 2014). Do not use preferences to set or reset account passwords, and treat any password already stored this way as disclosed.

Question: You need to configure a service to start automatically at computer startup. You do not want local users to be able to change this behavior. How should you proceed?


Group Policy Preferences Features

Key Points

After you create a Group Policy preference, you must configure its properties. Different preferences require different input. For example, shortcut preferences require target paths, whereas environment variables require variable types and values. Preferences also provide a number of features in the common properties to assist in deployment.

General Properties Tab

The General Properties tab is where basic information is provided. The first step is to specify the action for the preference: Create, Delete, Replace, or Update. Different settings are available depending on the action selected. For example, when creating a drive mapping, you must provide a Universal Naming Convention (UNC) path and the drive letter to assign.

Common Properties Tab

The common properties are consistent for all preferences. They allow you to control the behavior of the preference as follows:

• Stop processing items in this extension if an error occurs. If an error occurs while processing a preference, no other preferences of the same type in this GPO are processed.

• Run in logged-on user's security context. Preferences can run as the System account or as the logged-on user. This setting forces the logged-on user context, so the item can only do what that user is permitted to do. Leave it cleared only for items that genuinely need System rights, such as writing to the All Users desktop.

• Remove this item when it is no longer applied. Unlike policy settings, preferences are not removed when the GPO that delivered them is removed. This setting changes that behavior.

• Apply once and do not reapply. Normally, preferences are refreshed at the same interval as Group Policy settings. This setting applies the item only once, at the first logon or startup, so that later changes made by the user are kept.

• Item-level targeting. One of the most powerful features of preferences is item-level targeting. It allows you to specify criteria that determine exactly which users or computers receive a preference. Criteria include:

  • Computer name

  • IP address range

  • Operating system

  • Security group

  • User

  • WMI queries and many other criteria

Question: You have mapped a drive by using preferences, but the user reports that although the drive appears, the user cannot access it. What might be the issue?


Lab D: Deploying Group Policy Preferences

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. Log on to 6419B-NYC-DC1 by using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

2. Do not log on to NYC-CL1 until directed to do so.


Exercise 1: Deploying Group Policy Preferences

Scenario

To simplify Group Policy management, including eliminating the need for logon scripts, you need to deploy Group Policy preferences that allow more flexibility for corporate users.

The IT department needs a network location to house their knowledgebase documentation. All members of the IT department need access to that location no matter where they log on. All corporate users need an application shortcut placed on their desktop.

The main tasks for this exercise are as follows:

1. Create a shared folder to contain the IT knowledgebase documents.

2. Use preferences to map a drive for the IT group to the IT documents folder.

3. Use preferences to create a desktop shortcut for all users.

4. Verify the settings.

Task 1: Create and share a folder to contain the IT documents

1. On NYC-DC1, create C:\ITDocs and share the folder to Everyone. (In production, grant the share and NTFS permissions to the Contoso\IT group rather than to Everyone. Item-level targeting only controls who receives the drive mapping, not who can reach the share.)

Task 2: Use preferences to map a drive for the IT group

1. Edit the Default Domain Policy (the lab uses it for brevity; in production, put preferences in a separate GPO and reserve the Default Domain Policy for account policies) to configure the following User preferences:

• Create a new mapped drive to \\NYC-DC1\ITDocs.

• Reconnect at logon.

• Use the drive letter R.

• Run the preference in the logged-on user’s security context.

• Configure item-level targeting for the Contoso\IT security group.

Task 3: Use preferences to create a desktop shortcut to the Notepad application

1. Edit the Default Domain Policy to configure the following User preferences:

• Create a new shortcut item.

• Name the shortcut Notepad.

• Ensure that the target is a File System Object.

• Set the location to All Users Desktop.

• Set the target path to C:\Windows\System32\notepad.exe.

• On the Common tab, clear the Run in logged-on user's security context check box. (Writing to the All Users desktop requires System rights; this is the one item in this lab that should not run as the user.)

Task 4: Test the preference settings

1. Log on to NYC-CL1 as Ryan with a password of Pa$$w0rd. Ensure that the Notepad shortcut appears on the desktop.

2. Ensure that drive R is mapped to the ITDocs shared folder.

3. Log on as Dylan with a password of Pa$$w0rd. Ensure that the Notepad shortcut appears on the desktop.

4. Ensure that there is no drive mapped to the ITDocs shared folder.
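As an added example that is not part of the lab, the PowerShell script below audits the preference items that Tasks 2 and 3 write to SYSVOL and, more generally, any preference XML under a Policies folder. For each item it reports the action, whether it runs in the logged-on user's security context, whether item-level targeting is present (the Common tab features of the previous topic), and whether it carries a stored password (a cpassword attribute), the problem described in the note under Control Panel settings. The Drives.xml, Shortcuts.xml and Groups.xml strings are constructed for this example to mirror the Lab D items plus one Local Users and Groups item; the function name Get-GppItemReport and the -SysvolPath parameter are this example's own. Run it without parameters on any computer with PowerShell 2.0 to see the sample output, or point -SysvolPath at the lab domain's Policies folder (assumed here to be \\contoso.com\SYSVOL\contoso.com\Policies) to audit the real GPOs.

```powershell
# Added example, not courseware: audit Group Policy Preference items as stored in SYSVOL.
# Reports per item: type, action, run-in-user-context flag, item-level targeting, stored password.
# Without -SysvolPath the script runs over the constructed sample XML below.
param(
    [string]$SysvolPath   # assumption: e.g. \\contoso.com\SYSVOL\contoso.com\Policies
)

$actionNames = @{ C = 'Create'; D = 'Delete'; R = 'Replace'; U = 'Update' }

function Get-GppItemReport {
    param(
        [Parameter(Mandatory=$true)][xml]$Xml,
        [string]$Source = '<inline>'
    )
    # The root element names the extension (Drives, Groups, Shortcuts, ...). Each child element is
    # one preference item; its settings live in <Properties>, item-level targeting in <Filters>.
    foreach ($item in $Xml.DocumentElement.ChildNodes) {
        if ($item.NodeType -ne 'Element') { continue }
        $props = $item.SelectSingleNode('Properties')
        if ($props -eq $null) { continue }
        $filters = $item.SelectSingleNode('Filters')
        $code    = $props.GetAttribute('action')
        $action  = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { '(none)' }

        New-Object PSObject -Property @{
            Source       = $Source
            Type         = $item.LocalName
            Name         = $item.GetAttribute('name')
            Action       = $action
            UserContext  = ($item.GetAttribute('userContext') -eq '1')    # Common tab: run as the logged-on user
            Targeted     = ($filters -ne $null -and $filters.HasChildNodes) # Common tab: item-level targeting present
            StoredSecret = ($props.GetAttribute('cpassword') -ne '')       # a password is stored in the GPO
        }
    }
}

# Constructed samples (not copied from a real domain). The first two mirror the Lab D items.
$sampleDrives = @'
<Drives>
  <Drive name="R:" status="R:" image="2" userContext="1" bypassErrors="0">
    <Properties action="C" thisDrive="NOCHANGE" allDrives="NOCHANGE" userName="" path="\\NYC-DC1\ITDocs" label="" persistent="1" useLetter="1" letter="R"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="CONTOSO\IT" sid="S-1-5-21-1-2-3-1104" userContext="1" primaryGroup="0" localGroup="0"/>
    </Filters>
  </Drive>
</Drives>
'@
$sampleShortcuts = @'
<Shortcuts>
  <Shortcut name="Notepad" status="Notepad" image="0" userContext="0" bypassErrors="0">
    <Properties action="C" pidl="" targetType="FILESYSTEM" targetPath="C:\Windows\System32\notepad.exe" shortcutPath="%AllUsersDesktop%\Notepad" iconIndex="0" window="" shortcutKey="0" startIn="" comment="" arguments=""/>
  </Shortcut>
</Shortcuts>
'@
$sampleGroups = @'
<Groups>
  <User name="HelpdeskLocal" status="HelpdeskLocal" image="2" userContext="0" bypassErrors="0">
    <Properties action="U" newName="" fullName="" description="" cpassword="CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-VALUE" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="HelpdeskLocal"/>
  </User>
</Groups>
'@

if ($SysvolPath) {
    # Layout under Policies: {GPO GUID}\{User|Machine}\Preferences\<Extension>\<Extension>.xml
    $report = @(Get-ChildItem -Path $SysvolPath -Recurse -Filter *.xml -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -match '\\Preferences\\' } |
        ForEach-Object { Get-GppItemReport -Xml ([xml](Get-Content -Path $_.FullName)) -Source $_.FullName })
} else {
    $report = @(
        (Get-GppItemReport -Xml ([xml]$sampleDrives)    -Source 'Drives.xml (sample)'),
        (Get-GppItemReport -Xml ([xml]$sampleShortcuts) -Source 'Shortcuts.xml (sample)'),
        (Get-GppItemReport -Xml ([xml]$sampleGroups)    -Source 'Groups.xml (sample)')
    )
}

$report | Format-Table Source, Type, Name, Action, UserContext, Targeted, StoredSecret -AutoSize

# A StoredSecret item is a finding, not a warning: cpassword is AES-encrypted with a static key that
# Microsoft published in the MS-GPPREF specification, and SYSVOL is readable by every authenticated
# user, so treat the password as disclosed, remove the item, and rotate the account.
$secrets = @($report | Where-Object { $_.StoredSecret })
if ($secrets.Count -gt 0) {
    Write-Warning ("{0} preference item(s) store a password in SYSVOL: {1}" -f $secrets.Count, (($secrets | ForEach-Object { $_.Source }) -join '; '))
}
```

On the sample data the drive map shows UserContext and Targeted as True, the shortcut shows both False (it is meant to apply to everyone and needs System rights for the All Users desktop), and the Groups item is flagged as a stored secret. Items that are neither targeted nor restricted to user context deserve a second look, because they run as System on every computer or for every user in the GPO's scope.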


Results: In this exercise, you used Group Policy preferences to map a drive for selected users and to create a desktop shortcut for all users.

To prepare for the next lab

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert .

3. In the Revert Virtual Machine dialog box, click Revert .

4. Repeat these steps for 6419B-NYC-CL1.


Module Review and Takeaways

Review Questions

1. Can PowerShell scripts be used as startup scripts?

2. Why do some Group Policy settings take two logons before going into effect?

3. How can you support Group Policy preferences on Windows XP SP2?

Common Issues Related to Group Policy Settings

Identify the causes of the following common issues related to Group Policy settings and fill out the troubleshooting tips. For answers, refer to the relevant lessons in the module.

Issue: You have configured folder redirection for an OU, but none of the users' folders are being redirected to the network location. When you look in the root folder, you observe that a subdirectory named for each user has been created, but they are empty. What is the problem?

Troubleshooting tip: The problem is most likely permission-related. The users' named subdirectories are being created by Group Policy, but the users do not have enough permission to create their redirected folders inside them.

Issue: You have assigned an application to an OU. After multiple logons, users report that no one has installed the application.

Troubleshooting tip: The problem may be permission-related. Users (and, for software assigned to computers, the computer accounts) need read access to the software distribution share. Another possibility is that the software package was added by using a local path instead of a UNC path.

Issue: You have a mixture of Windows XP and Windows 7. After configuring several settings in the Administrative Templates of a GPO, XP users report that some settings are being applied while others are not.

Troubleshooting tip: Not all new settings apply to legacy systems such as Windows XP. Check the setting's Supported on information to see which operating systems the setting applies to.


Real-World Issues and Scenarios

1. The IT support technicians regularly visit user desktops to troubleshoot issues. They require that their documents and troubleshooting tools always be available to install. Folder redirection can make their documents and troubleshooting installation files available from any location.

2. All users in the organization are having Microsoft Office 2010 installed. There are approximately 1000 users who will receive the application at the same time. What would be the best way to deploy this application? This application should be deployed by using System Center Configuration Manager (SCCM) or a third-party tool. It is too large to deploy by using Group Policy to many users at the same time.

Best Practices Related to Group Policy

Supplement or modify the following best practices for your own work situations:

• Use folder redirection to decrease the size of user profiles and store user data on the network.

• Use folder redirection to ensure that critical data will be backed up.

• Only use Group Policy software installation to deploy small applications.

• Use Group Policy preferences to perform configurations instead of using scripts.


Module 11

Implementing Security Settings Using Group Policy

Contents:

Lesson 1: Overview of Security Settings 11-3

Lesson 2: Implementing Fine-Grained Password Policies 11-14

Lab A: Implementing Security by Using Group Policy 11-21

Lesson 3: Restricting Group Membership and Access to Software 11-26

Lab B: Configuring Restricted Groups and Application Control Policies 11-36


Module Overview

Failure to have adequate security policies can lead to many risks for an organization. A well-designed security policy helps to protect an organization's investment in business information and in internal resources such as hardware and software. Having a security policy in itself is not enough, however. You must implement the policy for it to be effective. Group Policy has a number of security-related components that can assist you in implementing security policies in your environment.

Objectives

After completing this module, you will be able to:

• Understand security settings.

• Implement fine-grained password policies.

• Restrict group membership and access to software.


Lesson 1

Overview of Group Policy Security Settings

Group Policy provides settings you can use to implement and manage security in your organization. Group Policy contains settings to control a large scope of the Windows environment, including security. Aspects such as password and account requirements and auditing behavior are configurable by using Group Policy settings. In addition, several built-in components of Group Policy can help you to establish a consistent and secure environment.

Objectives

After completing this lesson, you will be able to:

• Describe the security settings that can be configured by using Group Policy.

• Describe the account policies that can be configured by using Group Policy.

• Describe local policies.

• Describe Advanced Audit Policy Configuration settings.

• Describe Windows Firewall with Advanced Security.


Overview of Security Settings

Key Points

Security policies are rules that protect resources on computers and networks. Group Policy allows you to configure many of these rules as Group Policy settings. For example, you can configure password policies as part of Group Policy.

Group Policy has a large security section for configuring security for both users and computers. This way, you can apply security consistently across the organization in Active Directory® Domain Services (AD DS) by defining security settings in a Group Policy object that is associated with a site, domain, or OU.

Computer security areas that Windows XP, Windows Vista, Windows 7, Windows Server® 2003 R2, Windows Server 2008, and Windows Server 2008 R2 support are:

Account Policies: Password Policies, Account Lockout Policies, and Kerberos Policies

Local Policies: Audit Policy, User Rights Assignment, Security Options

Event Log: Application, System, and Security event log settings

Restricted Groups: Membership of security groups

System Services: Startup mode and permissions for system services

Registry: Permissions for registry keys

File System: Permissions for folders and files

Wired Network (IEEE 802.3) Policies: IEEE 802.3 policies for wired (Ethernet) network interfaces

Public Key Policies: Management and distribution of public keys

Software Restriction Policies: Control access to software

Internet Protocol security (IPsec) Policies: Assign IPsec policies to computers

New computer security areas that Windows Vista, Windows 7, Windows Server 2008, and Windows Server® 2008 R2 support are:

Windows Firewall with Advanced Security: Configure Windows Firewall settings

Network List Manager Policies: Control client network locations

Wireless Network (IEEE 802.11) Policies: IEEE 802.11 policies for wireless local area network (LAN) interfaces

Network Access Protection: Control Network Access Protection settings for computers

New computer security areas that Windows 7 and Windows Server 2008 R2 support are:

Application Control Policies: Configure application control settings for AppLocker

Default Security Policies

After installing AD DS, there are two default Group Policy objects (GPOs) that provide security settings:

• Default Domain Policy

• Default Domain Controllers Policy


What Are Account Policies?

Key Points

Account policies protect your organization's accounts and data by mitigating the threat of brute-force guessing of account passwords. In Windows operating systems, and in many other operating systems, the most common method for authenticating a user's identity is a secret password. Securing your network environment requires that all users use strong passwords. Password policy settings control the complexity and lifetime of passwords. You can configure password policy settings through Group Policy.

Where Are Account Policies Implemented?

The policy settings under Account Policies are implemented at the domain level. A Windows Server 2008 domain has a single password policy, account lockout policy, and Kerberos version 5 authentication protocol policy, taken from the GPOs linked to the domain (by default, the Default Domain Policy). Configuring these policy settings in a GPO linked at any other Active Directory level (a site or an OU) only affects local accounts on the member computers in that scope; it does not change the policy for domain accounts.

Note: Fine-grained password policies allow different users and groups to have different password policies. Fine-grained policies are discussed later in this module.
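As an added example, not from the courseware, the PowerShell function below reads the password and account lockout policy actually in effect for domain accounts and grades it against the guidance in the password policy table that follows. It goes slightly beyond that table by also checking Store passwords using reversible encryption and the account lockout threshold, which sit in the same Account Policies node. It assumes the ActiveDirectory module on Windows Server 2008 R2 and that no fine-grained password policy (Lesson 2) overrides the defaults for the accounts you care about; Test-DomainPasswordPolicy is a name chosen for this example.

```powershell
# Added example, not courseware: report the domain's effective password and lockout policy
# and compare it with the best-practice values in the module's password policy table.
# Assumes the ActiveDirectory module (Windows Server 2008 R2) and a domain-joined session.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    # This is what domain accounts actually get: the Account Policies of GPOs linked at the
    # domain level. The same settings in a GPO linked to an OU only change local SAM accounts.
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $maxAge = $p.MaxPasswordAge.TotalDays   # 0 (or an enormous value) means passwords never expire
    $checks = @(
        @{ Setting = 'Password must meet complexity requirements';      Value = $p.ComplexityEnabled;           Pass = [bool]$p.ComplexityEnabled },
        @{ Setting = 'Enforce password history (passwords remembered)'; Value = $p.PasswordHistoryCount;        Pass = ($p.PasswordHistoryCount -gt 1) },
        @{ Setting = 'Maximum password age (days)';                     Value = $maxAge;                        Pass = ($maxAge -ge 30 -and $maxAge -le 70) },
        @{ Setting = 'Minimum password age (days)';                     Value = $p.MinPasswordAge.TotalDays;    Pass = ($p.MinPasswordAge.TotalDays -ge 1) },
        @{ Setting = 'Minimum password length';                         Value = $p.MinPasswordLength;           Pass = ($p.MinPasswordLength -ge 8) },
        @{ Setting = 'Store passwords using reversible encryption';     Value = $p.ReversibleEncryptionEnabled; Pass = (-not $p.ReversibleEncryptionEnabled) },
        @{ Setting = 'Account lockout threshold (attempts)';            Value = $p.LockoutThreshold;            Pass = ($p.LockoutThreshold -gt 0) }
    )
    foreach ($c in $checks) { New-Object PSObject -Property $c }
}

Test-DomainPasswordPolicy | Format-Table Setting, Value, Pass -AutoSize

# When fine-grained password policies are in use, check the policy a specific user resolves to:
# Get-ADUserResultantPasswordPolicy -Identity Ed
```

A False in the Pass column against Maximum password age can mean either a value outside the 30 to 70 day guidance or passwords that never expire; both appear the same way to an attacker who has captured a hash. Run the function again after changing the Default Domain Policy and allowing replication to complete.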

Components of Account Policies

Password Policy

The password policies that can be configured are:

Policy: Password must meet complexity requirements
Function: Requires passwords to:
• Be at least six characters long.
• Contain a combination of at least three of the following characters: uppercase letters, lowercase letters, numbers, symbols (punctuation marks).
• Not contain the user's user name or screen name.
Best practice: Enable this setting. These complexity requirements can help ensure a strong password. Strong passwords are more difficult to crack than those containing simple letters or numbers.

Policy: Enforce password history
Function: Prevents users from creating a new password that is the same as their current password or a recently used password. To specify how many passwords are remembered, provide a value. For example, a value of 1 means that only the last password will be remembered, and a value of 5 means that the previous five passwords will be remembered.
Best practice: Use a number that is greater than 1. Enforcing password history ensures that passwords that have been compromised are not used repeatedly.

Policy: Maximum password age
Function: Sets the maximum number of days that a password is valid. After this number of days, the user will have to change the password.
Best practice: Set a maximum password age of 30–70 days. Setting the number of days too high provides hackers with an extended window of opportunity to crack the password. Setting the number of days too low might be frustrating for users who have to change their passwords too frequently.

Policy: Minimum password age
Function: Sets the minimum number of days that must pass before a password can be changed.
Best practice: Set the minimum password age to at least 1 day. By doing so, you require that the user can only change their password once a day. This will help enforce other settings. For example, if the past five passwords are remembered, this will ensure that at least five days must pass before the user can reuse the original password. If the minimum password age is set to 0, the user can change their password six times on the same day and begin reusing the original password on the same day.

Policy: Minimum password length
Function: Specifies the fewest number of characters a password can have.
Best practice: Set the length between 8 and 12 characters (provided that they also meet complexity requirements). A longer password is more difficult to crack than a shorter password, assuming the password is not a word or a common phrase.

Policy: Store passwords by using reversible encryption
Function: Provides support for applications that require knowledge of a user password for authentication purposes.
Best practice: Do not use this setting unless you use a program that requires it; enabling this setting decreases the security of stored passwords.
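The following is an added example, not part of the course material: it evaluates a candidate password against three of the Password Policy settings in the table above (minimum length, complexity, and password history), implementing the complexity rule exactly as the table words it (four character categories, three required, no occurrence of the user name). The PasswordPolicy class, the fingerprint helper, and the sample passwords are constructed for illustration.

```python
"""Evaluate a candidate password against the Password Policy settings
described in the table above (added example, not part of the course).
The complexity rule is implemented as the table words it: at least six
characters, three of the four listed character categories, and no
occurrence of the user name."""
from __future__ import annotations

import hashlib
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Constructed container for three of the policy settings in the table."""
    minimum_length: int = 8            # Minimum password length
    complexity_required: bool = True   # Password must meet complexity requirements
    history_length: int = 5            # Enforce password history (0 = none kept)


def fingerprint(password: str) -> str:
    """Constructed stand-in for a stored password hash so the history check
    never keeps plaintext; this is not AD's on-disk hash format."""
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


def character_categories(password: str) -> int:
    """Count how many of the four categories named in the table are present."""
    present = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(present)


def meets_complexity(password: str, user_name: str) -> bool:
    """The 'Password must meet complexity requirements' rule as stated above."""
    if len(password) < 6:
        return False
    if character_categories(password) < 3:
        return False
    if user_name and user_name.lower() in password.lower():
        return False
    return True


def evaluate_password(password: str, user_name: str, policy: PasswordPolicy,
                      history: list[str]) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.
    `history` holds fingerprints of earlier passwords, oldest first."""
    violations: list[str] = []
    if len(password) < policy.minimum_length:
        violations.append(f"shorter than minimum length {policy.minimum_length}")
    if policy.complexity_required and not meets_complexity(password, user_name):
        violations.append("does not meet complexity requirements")
    # Only the most recent `history_length` passwords are remembered, as the
    # table explains (a value of 1 remembers only the last password).
    remembered = history[-policy.history_length:] if policy.history_length else []
    if fingerprint(password) in remembered:
        violations.append("matches a remembered previous password")
    return violations


if __name__ == "__main__":
    # Constructed sample: candidates checked for the user "alice" against a
    # policy of 8 characters, complexity enforced, 5 passwords remembered.
    policy = PasswordPolicy(minimum_length=8, history_length=5)
    history = [fingerprint("Old1!pass"), fingerprint("Pa$$w0rd")]
    for candidate in ("Pa$$w0rd", "password1", "Alice2024!", "N3w-Secret"):
        print(candidate, evaluate_password(candidate, "alice", policy, history))
```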


Account Lockout Policy

The account lockout policies that can be configured are:

Policy: Account lockout threshold
Function: Specifies the number of failed login attempts allowed before the account is locked out. For example, if the threshold is set to 3, the account will be locked out after a user enters incorrect login information three times.
Best practice: A setting between 3 and 5 allows for reasonable user error as well as limits repeated login attempts for malicious purposes.

Policy: Account lockout duration
Function: Allows you to specify a time frame, in minutes, after which the account will automatically unlock and resume normal operation. If you specify 0, the account will be locked out indefinitely until an administrator manually unlocks it.
Best practice: After the threshold has been reached and the account is locked out, the account should remain locked long enough to block or deter any potential attacks, but short enough not to interfere with the productivity of legitimate users. A duration of 30 to 90 minutes should work well in most situations.

Policy: Reset account lockout counter after
Function: Defines a time frame for counting the incorrect login attempts. If the policy is set for one hour, and the account lockout threshold is set for three attempts, a user can enter the incorrect login information three times within one hour. If they enter incorrect information twice, but get it correct the third time, the counter will reset after one hour has elapsed (from the first incorrect entry) so that future failed attempts will again start counting at one.
Best practice: Using a time frame between 30 and 60 minutes is sufficient to deter automated attacks as well as manual attempts by an attacker to guess a password.

Kerberos Policy

This policy is for domain user accounts, and determines Kerberos-related settings, such as ticket lifetimes and enforcement. Kerberos policies do not exist in Local Computer Policy.

How Clients Receive Account Policies

Although you can configure Account Policies only at the domain level, clients do not receive their Account Policies directly from the domain-level policy. Account Policies are unique in that domain controllers receive Account Policies from the domain-level policy. The domain controller, in turn, passes the domain Account Policy to the client at logon. Therefore, blocking inheritance of domain-level policies will not prevent users from receiving Account Policies. However, blocking inheritance at the Domain Controllers OU would prevent users from receiving any changes to Account Policies, because the domain controllers would not receive the new settings.

Note: Account policies on local computers apply to local users only.


What Are Local Policies?

Key Points

Every Windows 2000 Server or later computer has Local policies. In these objects, Group Policy settings are stored on individual computers, regardless of whether they are part of an Active Directory environment. The Local Group Policy Objects (LGPOs) are stored in a hidden folder named %windir%\system32\Group Policy. This folder does not exist until you configure an LGPO.

Local Group Policy Precedence

In an Active Directory environment, LGPOs have the lowest precedence, and are always processed first if you have them configured.

Local Computer Security Policies

LGPOs contain fewer settings than domain Group Policy objects, particularly under Security Settings.

For example, LGPOs do not support domain-based GPO features like Folder Redirection or Software Installation. The LGPO does support some security policy settings. However, LGPO security policy settings supported by Windows Server 2008 can only contain security settings for the following areas:

• Account Policies

• Local Policies

• Windows Firewall with Advanced Security

• Network List Manager Policies

• Public Key policies

• Software Restriction policies

• Application Control Policies (Windows Server 2008 R2 only)

• IP Security policies

• Advanced Audit Policy Configuration (Windows Server 2008 R2 only)


When there are conflicts, security settings that you define in AD DS always override any that you define on the local computer.

What Are User Rights?

User rights refer to the ability to perform actions on the system. Each computer has its own set of user rights, such as the right to change the system time. Most rights are granted either to the Local System or Administrator. You can configure rights through LGPOs, or through domain policies. The default domain policy has no rights defined by default.


Advanced Audit Policy Configuration

Key Points

The nine basic audit policies under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy allow you to configure security audit policy settings for broad sets of behaviors, some of which generate many more audit events than others. An administrator has to review all events that are generated, whether they are of interest or not.

In Windows Server 2008 R2 and Microsoft Windows 7, administrators can audit more specific aspects of client behavior on the computer or network, thus making it easier to identify the behaviors that are of greatest interest. For example, in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy, there is only one policy setting for logon events, Audit logon events. In Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies, you can instead choose from eight different policy settings in the Logon/Logoff category. This provides you with more detailed control of what aspects of logon and logoff you can track.

These security auditing enhancements can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as:

• A group administrator has modified settings or data on servers that contain finance information.

• An employee within a defined group has accessed an important file.

• The correct system access control list (SACL) is applied to every file and folder or registry key on a computer or file share as a verifiable safeguard against undetected access.


Windows Firewall with Advanced Security

Key Points

Windows Server 2008 includes a new and enhanced version of Windows Firewall. The new Windows Firewall is a stateful host-based firewall that allows or blocks network traffic according to its configuration.

Windows Firewall Enhancements

Windows Firewall with Advanced Security is a new MMC snap-in that allows you to perform advanced configuration of Windows Firewall.

Windows Firewall in Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 has the following enhancements:

• Supports filtering for both incoming and outgoing traffic.

• Provides a new Microsoft Management Console (MMC) snap-in that you can use to configure advanced settings.

• Integrates firewall filtering and Internet Protocol security (IPsec) protection settings.

• Enables you to configure rules to control network traffic.

• Provides network location-aware profiles.

• Enables you to import or export policies.

Firewall Rules

Windows Firewall with Advanced Security allows you to create the following rules.

Rule: Program rule
Description: This type of rule allows traffic for a particular program. You can identify the program by program path and executable name.

Rule: Port rule
Description: This type of rule allows traffic on a particular TCP or User Datagram Protocol (UDP) port number or range of port numbers.

Rule: Predefined rule
Description: Windows includes a number of Windows functions that you can enable, such as File and Printer Sharing, Remote Assistance, and Windows Collaboration. Creating a predefined rule actually creates a group of rules that allows the specified Windows functionality to access the network.

Rule: Custom rule
Description: A custom rule allows you to create a rule that you may not be able to create by using the other types of rules.

Firewall rules can filter connections by user, computer, or groups in AD DS. For rules with these conditions, you must secure the connection with IPsec by using a credential that carries the Active Directory account information, such as Kerberos version 5 (v5).

Many pre-defined rules exist that allow normal network traffic to pass, such as Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS) queries, and authentication requests. You can modify or disable these rules as necessary.

The default behavior of the new Windows Firewall is to:

• Block all incoming traffic unless it is solicited or it matches a configured rule.

• Allow all outgoing traffic unless it matches a configured rule.

Windows Firewall comes preconfigured with a number of rules enabled to allow typical network traffic in and out of a Windows Server computer.

Firewall Profiles

Windows Firewall with Advanced Security is a network-aware application. Network awareness enables applications to sense changes to the network to which the computer is connected. The administrator can create a profile for each network category, with each profile containing different firewall policies.

Windows Firewall supports three profiles by default.

Profile: Public, for when you are connected to an untrusted public network
Description: Other than domain networks, all networks are categorized as public. By default, the Public (most restrictive) profile is used in Windows Vista and Windows 7.

Profile: Private, for when you are connected behind a firewall
Description: A network is categorized only as private if an administrator or an application identifies the network as private. This profile is referred to as the Home profile in Windows Vista and Windows 7.

Profile: Domain, for when your computer is part of a Windows domain
Description: Windows automatically places in this category the networks on which it can authenticate access to a domain controller for the domain to which the computer is joined. No other networks can be placed in this category. This profile is referred to as the Work profile in Windows Vista and Windows 7.

When a user connects to a network that is not part of the domain category, Windows asks the user to identify the network as either Public or Private. The user must be a local administrator of the computer to identify the network as Private. Each profile has its own state, Off or On, its own settings, and its own logging.


Lesson 2

Implementing Fine-Grained Password Policies

Prior to Windows 2008, a single set of account policies, contained in the Default Domain GPO, was used to control password and account settings. In Windows Server 2008, using fine-grained password policies, you can allow different password requirements and account lockout policies for different Active Directory users or groups.

Objectives

After completing this lesson, you will be able to:

• Describe fine-grained password policies.

• Describe how fine-grained password policies are implemented.

• Describe considerations for implementing fine-grained password policies.

• Implement fine-grained password policies.


What Are Fine-Grained Password Policies?

Key Points

In previous versions of AD DS, you could apply only one password and account lockout policy to all users in the domain. Fine-grained password policies allow you to have different password requirements and account lockout policies for different Active Directory users or groups. This is desirable when you want different sets of users to have different password requirements, but do not want separate domains. For example, the Domain Admins group may need strict password requirements to which you do not want to subject ordinary users. If you do not implement fine-grained password policies, then the normal default domain account policies apply to all users.

Fine-grained password policies can be used to enhance the security of your domain environment and typically act to complement the account policies in your Default Domain Policy GPO. Generally, the Default Domain Policy GPO is used to control the majority of your accounts, and then fine-grained password policies are applied to user accounts or groups that require or warrant a different account policy than the rest of the domain.

Fine-grained password policies are not actual Group Policy settings. Rather, a fine-grained password policy is contained in an object in Active Directory called a Password Settings Object (PSO). The PSO contains all of the individual settings used to control AD DS user account behavior. A PSO is then linked to one or more Active Directory users or groups, to whom the settings then apply, overriding the account policy settings in the Default Domain Policy GPO.


Applying or Modifying a PSO

You can use both the ADSI Edit and LDIFDE tools to apply a PSO to a user or group during the PSO creation, or anytime afterwards. You can use both tools to modify existing PSOs.

Active Directory Users and Computers, with Advanced Features turned on, can be used to open the Password Settings Container in the System container, and then apply or modify an existing PSO.

Storing Fine-Grained Password Policies

To store fine-grained password policies, Windows Server 2008 includes two new object classes in the AD DS schema:

• Password Settings container

• Password Settings object

A Password Settings Container (PSC) is created by default under the System container in the domain. You can view it by using the Active Directory Users and Computers snap-in with advanced features enabled. It stores the Password Settings objects (PSOs) for that domain.

A PSO has attributes for all the settings that can be defined in the Default Domain Policy (except Kerberos settings). These settings include attributes for the following password settings:

• Enforce password history

• Maximum password age

• Minimum password age

• Minimum password length

• Passwords must meet complexity requirements

• Store passwords using reversible encryption

These settings also include attributes for the following account lockout settings:

• Account lockout duration

• Account lockout threshold

• Reset account lockout after

In addition, a PSO has the following two new attributes:

• PSO link. This is a multivalued attribute that is linked to users and/or group objects.

• Precedence. This is an integer value that is used to resolve conflicts if multiple PSOs are applied to a user or group object.

These nine attributes are required attributes. This means that you must define a value for each one. Settings from multiple PSOs cannot be merged.

Defining the Scope of Fine-Grained Password Policies

A PSO can be linked to a user (or inetOrgPerson) or group object that is in the same domain as the PSO.

A PSO has an attribute named msDS-PSOAppliesTo that contains a forward link to only user or group objects. The msDS-PSOAppliesTo attribute is multivalued, which means that you can apply a PSO to multiple users or groups. You can create one password policy and apply it to different sets of users or groups.


A new attribute, msDS-PSOApplied, has been added to the user and group objects in Windows Server 2008. The msDS-PSOApplied attribute contains a back-link to the PSO. Because the msDS-PSOApplied attribute has a back-link, a user or group can have multiple PSOs applied to it.

You can link a PSO to other types of groups in addition to global security groups. However, only PSOs that are linked to global security groups or user objects are considered. PSOs that are linked to distribution groups or other types of security groups are ignored.

Integer8

Time-related values in a PSO are stored as an Integer8 data type. An Integer8 value is represented in intervals of -100 nanoseconds.

While time-related values in PSO objects can be entered in a DD:HH:MM:SS format within the PSO creation wizard, understanding the Integer8 format can help you convert Integer8 values you see in PSOs to a more meaningful number.

You can use the following conversion guide table to obtain the corresponding I8 values:

Time unit    Multiplication factor
m minutes    -60*(10^7) = -600000000
h hours      -60*60*(10^7) = -36000000000
d days       -24*60*60*(10^7) = -864000000000

The following are examples of how to obtain appropriate I8 values for the time attributes.

To obtain the msDS-MaximumPasswordAge time attribute I8 value for two days, multiply 2 by -864000000000. For example, use the following equation:

2*(-864000000000) = -1728000000000

To obtain the msDS-MinimumPasswordAge time attribute I8 value for 1 day, multiply 1 by -864000000000. For example, use the following equation:

1*(-864000000000) = -864000000000

To obtain the msDS-LockoutObservationWindow time attribute I8 value for 30 minutes, multiply 30 by -600000000. For example, use the following equation:

30*(-600000000) = -18000000000

To obtain the msDS-LockoutDuration time attribute I8 value for 30 minutes, multiply 30 by -600000000. For example, use the following equation:

30*(-600000000) = -18000000000

Note: Although PSO values are stored in Integer8 format, you can use the easier and more logical DD:HH:MM:SS format for entering time values. For example, 30 minutes would be represented as 00:00:30:00 while 4 days would be represented as 04:00:00:00.
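The following is an added example, not course code: it converts in both directions between the wizard's DD:HH:MM:SS form and the Integer8 values stored in PSO time attributes, using the multiplication factors from the table above, and goes one step beyond the text by handling the documented "never expires" sentinel value of msDS-MaximumPasswordAge. Function names are the author's own choice.

```python
"""Convert between the DD:HH:MM:SS form accepted by the PSO creation wizard
and the Integer8 values stored in PSO time attributes (added example, not
course code; uses the multiplication factors from the table above)."""

TICKS_PER_SECOND = 10 ** 7            # one Integer8 tick is 100 nanoseconds
SECONDS_PER_MINUTE = 60
SECONDS_PER_HOUR = 60 * 60
SECONDS_PER_DAY = 24 * 60 * 60

# Documented sentinel in msDS-MaximumPasswordAge meaning the password never
# expires: the most negative 64-bit integer, which is not a multiple of the
# factors above and therefore needs special handling when converting back.
NEVER_EXPIRES = -(2 ** 63)


def to_integer8(days: int = 0, hours: int = 0, minutes: int = 0,
                seconds: int = 0) -> int:
    """Apply the table's factors: a negative count of 100 ns ticks."""
    total_seconds = (days * SECONDS_PER_DAY + hours * SECONDS_PER_HOUR
                     + minutes * SECONDS_PER_MINUTE + seconds)
    return -total_seconds * TICKS_PER_SECOND


def parse_ddhhmmss(text: str) -> int:
    """Turn a wizard-style DD:HH:MM:SS string into its Integer8 value."""
    parts = text.strip().split(":")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected DD:HH:MM:SS, got {text!r}")
    days, hours, minutes, seconds = (int(p) for p in parts)
    if hours > 23 or minutes > 59 or seconds > 59:
        raise ValueError(f"hours/minutes/seconds out of range in {text!r}")
    return to_integer8(days, hours, minutes, seconds)


def from_integer8(value: int) -> str:
    """Render a stored Integer8 value as DD:HH:MM:SS (or 'never')."""
    if value == NEVER_EXPIRES:
        return "never"
    if value > 0:
        raise ValueError("PSO time attributes are stored as non-positive values")
    total_seconds, remainder = divmod(-value, TICKS_PER_SECOND)
    if remainder:
        raise ValueError("value is not a whole number of seconds")
    days, rest = divmod(total_seconds, SECONDS_PER_DAY)
    hours, rest = divmod(rest, SECONDS_PER_HOUR)
    minutes, seconds = divmod(rest, SECONDS_PER_MINUTE)
    return f"{days:02d}:{hours:02d}:{minutes:02d}:{seconds:02d}"


if __name__ == "__main__":
    # The four worked equations from the text, reproduced by the functions.
    print("msDS-MaximumPasswordAge, 2 days:", to_integer8(days=2))
    print("msDS-MinimumPasswordAge, 1 day:", to_integer8(days=1))
    print("msDS-LockoutObservationWindow, 30 min:", to_integer8(minutes=30))
    print("msDS-LockoutDuration, 30 min:", parse_ddhhmmss("00:00:30:00"))
    print("Stored -3456000000000 is", from_integer8(-3456000000000))
    print("Stored NEVER_EXPIRES is", from_integer8(NEVER_EXPIRES))
```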


Considerations for Implementing Fine-Grained Password Policies

Key Points

Several considerations need to be made when implementing a fine-grained password policy:

• Fine-grained password policies cannot be applied to OUs; they can only be applied to user objects and global security groups.

• Users or groups can have multiple PSOs applied to them. The PSO that determines the user’s account settings is the PSO with the lowest PSO Precedence integer value.

If you apply a Password Settings Object (PSO) directly to the user, it takes precedence over all group assignments.

• If no PSOs are linked to a user account, account policy settings contained in the Default Domain Policy GPO apply.

• By default, only members of the Domain Admins group can create a PSO or apply a PSO to a group or user.

• To implement fine-grained password policies, the domain functional level must be Windows Server 2008 or higher.
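The following is an added example with constructed directory data, not course code: it works out which PSO governs a user by the rules listed in this lesson (only links to user objects and global security groups count, a direct user link beats any group link, and otherwise the lowest precedence value wins, with no PSO meaning the Default Domain Policy applies). The Group, PSO and User classes, the group and user names, and the GUIDs are constructed for illustration; the objectGUID tie-break in the last line is documented behavior that the text above does not cover.

```python
"""Determine the resultant PSO for a user by the rules listed above (added
example with constructed data, not course code)."""
from __future__ import annotations

import uuid
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Group:
    name: str
    scope: str   # "global", "domain local" or "universal"
    kind: str    # "security" or "distribution"


@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int             # msDS-PasswordSettingsPrecedence
    applies_to: frozenset[str]  # msDS-PSOAppliesTo: user and group names
    object_guid: str            # objectGUID, used only to break ties


@dataclass(frozen=True)
class User:
    name: str
    groups: tuple[str, ...]     # names of the groups the user belongs to


def link_kind(pso: PSO, user: User, groups: dict[str, Group]) -> Optional[str]:
    """Return 'user' or 'group' when this PSO applies to the user, else None."""
    if user.name in pso.applies_to:
        return "user"
    for name in user.groups:
        group = groups[name]
        # Links to distribution groups or non-global security groups are ignored.
        if name in pso.applies_to and group.scope == "global" and group.kind == "security":
            return "group"
    return None


def resultant_pso(user: User, psos: list[PSO], groups: dict[str, Group]) -> Optional[PSO]:
    """None means no PSO applies and the Default Domain Policy governs."""
    direct = [p for p in psos if link_kind(p, user, groups) == "user"]
    via_groups = [p for p in psos if link_kind(p, user, groups) == "group"]
    candidates = direct or via_groups   # a direct link wins over all group links
    if not candidates:
        return None
    # Lowest precedence value wins. Equal precedence is resolved by the smaller
    # objectGUID (documented tie-break not covered in the text above; comparing
    # the UUID as an integer is an approximation of AD's ordering).
    return min(candidates, key=lambda p: (p.precedence, uuid.UUID(p.object_guid).int))


# Constructed directory used for the demonstration.
GROUPS = {
    "Domain Admins": Group("Domain Admins", "global", "security"),
    "Helpdesk": Group("Helpdesk", "global", "security"),
    "Finance-DL": Group("Finance-DL", "global", "distribution"),
    "Servers-Local": Group("Servers-Local", "domain local", "security"),
}
PSOS = [
    PSO("PSO-Admins", 10, frozenset({"Domain Admins"}), "00000000-0000-0000-0000-00000000000a"),
    PSO("PSO-Helpdesk", 3, frozenset({"Helpdesk"}), "00000000-0000-0000-0000-00000000000b"),
    PSO("PSO-Finance", 1, frozenset({"Finance-DL"}), "00000000-0000-0000-0000-00000000000c"),
    PSO("PSO-Local", 1, frozenset({"Servers-Local"}), "00000000-0000-0000-0000-00000000000d"),
    PSO("PSO-Alice", 100, frozenset({"alice"}), "00000000-0000-0000-0000-00000000000e"),
]
ALICE = User("alice", ("Domain Admins", "Finance-DL", "Servers-Local"))
BOB = User("bob", ("Domain Admins", "Finance-DL"))
CAROL = User("carol", ("Finance-DL", "Servers-Local"))
DAVE = User("dave", ("Domain Admins", "Helpdesk"))

if __name__ == "__main__":
    for user in (ALICE, BOB, CAROL, DAVE):
        pso = resultant_pso(user, PSOS, GROUPS)
        print(user.name, "->", pso.name if pso else "Default Domain Policy")
```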


Demonstration: Implementing Fine-Grained Password Policies

Key Points

In this demonstration, you will see how to:

• Create and apply PSOs.

Demonstration Steps:

1. Open ADSI Edit.

2. Connect to NYC-DC1.

3. Navigate to the Password Settings Container.

4. Create a new msDS-PasswordSettings object.

5. Configure the policy settings.

6. Apply the PSO to the Domain Admins global group.


Lab A: Implementing Security Using Group Policy

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V™ Manager.

2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

5. Repeat steps 2 and 3 for 6419B-NYC-CL1. Do not log on to NYC-CL1 until directed to do so.

Lab Scenario

Contoso, Ltd. has decided to implement Group Policy to configure security for users and computers in the organization. The company recently upgraded all the workstations to Windows 7, and all the servers to Windows Server 2008. The organization wants to utilize Group Policy to implement security settings for the workstations, servers, and users.


Exercise 1: Configuring Account and Security Policy Settings

You have been tasked to implement a domain account policy with the following criteria:

• Domain passwords will be eight characters.

• Strong passwords will be enforced.

• Passwords will be changed exactly every 20 days.

• Accounts will be locked out for 30 minutes after five invalid logon attempts.

You will also configure a local policy on the Windows 7 client that enables the local Administrator account, and prohibits access to the Run menu for Non-Administrators.

Then, you will create a wireless network policy for Windows 7 that creates a profile for the Corp wireless network. This profile will define 802.1x as the authentication method. This policy will also deny access to a wireless network named Research.

Finally, you will configure a policy to prevent the Windows Installer service from running on any domain controller.

The main tasks in this exercise are:

1. Create an account policy for the domain.

2. Configure local policy settings for a Windows 7 client.

3. Create a wireless network GPO for a Windows 7 client.

4. Configure a GPO that prohibits the Windows Installer service on all domain controllers.

Task 1: Create an account policy for the domain.

1. On NYC-DC1, start the Group Policy Management Console.

2. In the Group Policy Management console pane, expand Forest: Contoso.com, expand Domains, expand Contoso.com, and then click Group Policy Objects.

3. In the details pane, right-click Default Domain Policy, and then click Edit.

4. In the Group Policy Management Editor, under Computer Configuration , expand Policies , expandWindows Settings , expand Security Settings , and then expand Account Policies .

5. Edit the Account Policy in the Default Domain Policy with the following values:

• Password Policy:

• Domain passwords: 8 characters in length

• Strong passwords: enforced

• Minimum password age: 19 days

• Maximum password age: 20 days

Account lockout policy:• Account Lockout Threshold: 5 invalid logon attempts

• Account lockout duration: 30 minutes

• Lockout counter: reset after 30 minutes
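The following script is an added check and is not part of the course lab. After Task 1 is done in the Group Policy Management Editor, it reads the effective domain account policy back with the Active Directory module and compares it with the values the exercise asks for, so a mistyped setting shows up before the lab continues. It assumes the ActiveDirectory module is available on NYC-DC1 (it ships with Windows Server 2008 R2) and that the domain is contoso.com; the function name Test-DomainAccountPolicy is an assumption of this example.

```powershell
# Added verification example (not from the course lab): compare the effective
# domain account policy with the values Exercise 1, Task 1 specifies.
# Assumes the ActiveDirectory module is available on NYC-DC1.
Import-Module ActiveDirectory

# Expected values, taken from the exercise text.
$expected = @{
    MinPasswordLength        = 8
    ComplexityEnabled        = $true
    MinPasswordAge           = New-TimeSpan -Days 19
    MaxPasswordAge           = New-TimeSpan -Days 20
    LockoutThreshold         = 5
    LockoutDuration          = New-TimeSpan -Minutes 30
    LockoutObservationWindow = New-TimeSpan -Minutes 30
}

function Test-DomainAccountPolicy {
    # Hypothetical helper name. Returns the list of mismatches (empty = compliant).
    param([hashtable]$Expected, [string]$Domain = 'contoso.com')

    # The domain object holds the Account Policy that the Default Domain Policy
    # GPO writes through the PDC emulator; this is what users actually get.
    $actual = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $mismatches = @()
    foreach ($name in $Expected.Keys) {
        if ($actual.$name -ne $Expected[$name]) {
            $mismatches += '{0}: expected {1}, found {2}' -f $name, $Expected[$name], $actual.$name
        }
    }
    if ($mismatches.Count -eq 0) {
        Write-Output "Account policy on $Domain matches the exercise requirements."
    } else {
        Write-Warning "Account policy on $Domain differs from the exercise requirements:"
        $mismatches | ForEach-Object { Write-Warning "  $_" }
    }
    return $mismatches
}

Test-DomainAccountPolicy -Expected $expected
```

The GPO values reach the domain object only when Group Policy refreshes on the PDC emulator, so run gpupdate /force on NYC-DC1 before running the check; otherwise it reports the previous settings.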

Task 2: Configure local policy settings for a Windows 7 client.

1. Start NYC-CL1 and log on as Contoso\Administrator, with the password, Pa$$w0rd.


2. Create a new MMC, and then add the snap-in for the Group Policy Object Editor for the Local Computer.

3. Open Computer Configuration’s Windows Settings, open Security Settings, open Local Policies, open Security Options, and then enable the Accounts: Administrator Account Status setting.

4. Add the Group Policy Object Editor snap-in to the MMC again and then click Browse.

5. Click the Users tab, select the Non-Administrators group, click OK, and then click Finish.

6. In the console pane, expand Local Computer\Non-Administrators Policy, expand User Configuration, expand Administrative Templates, click Start Menu and Taskbar, and then enable the Remove Run from Start Menu setting.

7. Close the MMC without saving the changes.

8. Restart NYC-CL1.

Task 3: Create a wireless network GPO for Windows 7 client.

1. On NYC-DC1, in the GPMC, create a new GPO named Windows 7 Wireless.

2. Edit the GPO by right-clicking Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies, and then clicking Create a New Wireless Network Policy for Windows Vista and Later Releases.

3. In the New Wireless Network Policy dialog box, click Add, and then click Infrastructure.

4. Create a new profile named Corporate, and then, in the Network Name (SSID) field, type Corp.

5. Click the Security tab, change the Authentication method to Open with 802.1X, and then click OK.

6. Click the Network Permissions tab, and then click Add.

7. Type Research in the Network Name (SSID): field, set the Permission to Deny, and then click OK twice.

8. Close the Group Policy Management Editor, and then leave the GPMC open.

Task 4: Configure a policy that prohibits a service on all domain controllers.

1. On NYC-DC1, in the GPMC, edit the following to disable the Windows Installer service: Default Domain Controller Policy, Computer Configuration, Policies, Windows Settings, Security Settings, and System Services.

2. Close the Group Policy Management Editor and leave the GPMC open.

Result: After completing this exercise, you will have configured account and security policy settings.


Exercise 2: Implementing Fine-Grained Password Policies

Your corporate security policy dictates that members of the Domain Admins group will have strict password policies. The passwords must meet the following criteria:

• 30 passwords will be remembered in password history.

• Domain passwords will be 10 characters.

• Strong passwords will be enforced.

• Passwords will not be stored with reversible encryption.

• Passwords will be changed every seven days exactly.

• Accounts will be locked out for 30 minutes after three invalid logon attempts.

You will create a fine-grained password policy to enforce these policies for the Domain Admins global group.

The main tasks are as follows:

1. Create a PSO by using ADSI Edit.

2. Assign the PSO to the Domain Admins global group.

Task 1: Create a PSO by using ADSI Edit.

1. On NYC-DC1, in the Run menu, type adsiedit.msc, and then press ENTER.

2. Right-click ADSI Edit, click Connect to, and then click OK to accept the defaults.

3. Navigate to DC=Contoso, DC=com, CN=System, CN=Password Settings Container, right-click CN=Password Settings Container, and then create a new object.

4. In the Create Object dialog box, click msDS-PasswordSettings, and then click Next. Provide the following values:

• In the Value box, type ITAdmin.

• In the msDS-PasswordSettingsPrecedence value, type 10.

• In the msDS-PasswordReversibleEncryptionEnabled value, type FALSE.

• In the msDS-PasswordHistoryLength value, type 30.

• In the msDS-PasswordComplexityEnabled value, type TRUE.

• In the msDS-MinimumPasswordLength value, type 10.

• In the msDS-MinimumPasswordAge value, type 06:00:00:00.

• In the msDS-MaximumPasswordAge value, type 07:00:00:00.

• In the msDS-LockoutThreshold value, type 3.

• In the msDS-LockoutObservationWindow value, type 00:00:30:00.

• In the msDS-LockoutDuration value, type 00:00:30:00.

Task 2: Assign the PSO to the Domain Admins global group.

1. In ADSI Edit, select the CN=Password Settings Container and then, in the details pane, double-click CN=ITAdmin.

2. In the CN=ITAdmin Properties window, scroll down and then double-click msDS-PSOAppliesTo.

3. Link the Domain Admins account to the object.


4. Close the ADSI Edit window.
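As an added example that is not part of the course, the same PSO can be created and linked from Windows PowerShell with the Active Directory module instead of typing the msDS-* attributes into ADSI Edit, and the result can be checked by resolving the resultant policy for a Domain Admins member. It assumes the ActiveDirectory module is available on NYC-DC1 and that no PSO named ITAdmin exists yet; the function name Get-EffectivePsoName is an assumption of this example.

```powershell
# Added example (not from the course lab): create the ITAdmin PSO with the
# ActiveDirectory module and verify which policy a Domain Admins member gets.
Import-Module ActiveDirectory

$psoName = 'ITAdmin'

# Values mirror the msDS-* attributes entered in ADSI Edit above. ADSI Edit
# durations are written dd:hh:mm:ss; the cmdlet takes TimeSpan objects instead.
New-ADFineGrainedPasswordPolicy -Name $psoName `
    -Precedence 10 `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 30 `
    -ComplexityEnabled $true `
    -MinPasswordLength 10 `
    -MinPasswordAge (New-TimeSpan -Days 6) `
    -MaxPasswordAge (New-TimeSpan -Days 7) `
    -LockoutThreshold 3 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# Link the PSO to the Domain Admins global group (this sets msDS-PSOAppliesTo).
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

function Get-EffectivePsoName {
    # Hypothetical helper: name of the PSO that wins for a user, or the domain
    # default when no PSO applies to the user or the groups the user is in.
    param([string]$User)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $User
    if ($pso) { return $pso.Name } else { return '(domain default)' }
}

# Administrator is a member of Domain Admins and should now resolve to ITAdmin.
Get-EffectivePsoName -User 'Administrator'
```

Two points worth checking when the resultant policy is not what you expect: PSOs apply only to users and global security groups, and when several PSOs apply to the same user the one with the lowest msDS-PasswordSettingsPrecedence value wins.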

Results: After completing this exercise, you will have implemented a fine-grained password policy.


Lesson 3

Restricting Group Membership and Access to Software

In a large network environment, one of the challenges of network security is controlling the membership of built-in groups in the directory and on workstations. Another concern is preventing access to unauthorized software on workstations.

Objectives

After completing this lesson, you will be able to:

• Describe the Restricted Groups.

• Configure Restricted Groups.

• Describe Software Restriction Policy.

• Describe AppLocker.

• Describe the difference between AppLocker and SRPs.

• Configure AppLocker.


What Are Restricted Groups?

Key Points

In some cases, you may want to control the membership of certain groups in a domain to prevent addition of other user accounts to those groups, such as the local administrators group.

You can use the Restricted Groups policy to control group membership. Use the policy to specify what members are placed in a group. If you define a Restricted Groups policy and refresh Group Policy, any current member of a group that is not on the Restricted Groups policy members list is removed. This can include default members such as domain administrators.

Although you can control domain groups by assigning Restricted Groups policies to domain controllers, you should use this setting primarily to configure membership of critical groups such as Enterprise Admins and Schema Admins. You can also use this setting to control the membership of built-in local groups on workstations and member servers. For example, you can place the Helpdesk group into the local Administrators group on all workstations.

You cannot specify local users in a domain GPO. Local users who currently are in the local group that the policy controls will be removed. The only exception is that the local Administrators account will always be in the local Administrators group.


Demonstration: Configuring Restricted Groups

Key Points

In this demonstration you will see how to:

• Configure restricted groups for the local administrators group.

Demonstration Steps

1. Open the Group Policy Management console.

2. Navigate to Computer Configuration, click Policies, click Windows Settings, click Security Settings, and then click Restricted Groups.

3. Add the IT and Domain Admins groups to the Administrators group.

4. Close the Group Policy Management console.


What Is a Software Restriction Policy?

Key Points

A primary security concern for client computers is the current applications available on each computer. To do their jobs, users need access to the applications that meet their specific needs. There is the possibility, however, that unneeded or unwanted applications get installed on the client computers, whether unintentionally or for malicious or non-business purposes.

Introduced in the Windows® XP operating system and the Windows Server 2003 operating system, SRPs allow an administrator to identify and specify which applications are permitted to run on client computers. SRP settings are configured and deployed to clients by using Group Policy. An SRP set comprises the following key components.

Rules

Rules govern how SRP responds to an application being run or installed. Rules are the key constructs within an SRP, and a group of rules together determine how an SRP will respond to applications being run. Rules can be based on one of the following criteria that apply to the primary executable file for the application in question.

• Hash. A cryptographic fingerprint of the file.

• Certificate. A software publisher certificate used to digitally sign a file.

• Path. The local or Universal Naming Convention (UNC) path of where the file is stored.

• Zone. The Internet Zone.

Security Levels

Each applied SRP is assigned a security level that governs the way the operating system reacts when the application that is defined in the rule is run. The three available security levels are as follows.

• Disallowed . The software identified in the rule will not run, regardless of the access rights of the user.

• Basic User . Allows the software identified in the rule to run as a standard, non-administrative user.


• Unrestricted . Allows the software identified in the rule to run unrestricted by SRP.

Default Security Level

The way a system behaves in general is determined by the Default Security Level, which governs how the operating system reacts to applications without any SRP rules defined. The following three points outline a system's default behavior, based on the Default Security Level applied in the SRP:

• Disallowed. No applications will be allowed to run unless an SRP rule is created that allows each specific application or set of applications to run.

• Basic User. All applications will run under the context of a basic user, regardless of the permissions of the user who is logged on, unless an SRP rule is created to modify this behavior for a specific application or set of applications.

• Unrestricted. All applications will run as if SRP was not enabled, unless specifically defined by an SRP rule.

Based on these three components, there are two primary ways to use SRPs:

• If an administrator knows all the software that should be allowed to run on clients, the Default Security Level can be set to Disallowed. All applications that should be allowed to run can be identified in SRP rules that would apply either the Basic User or Unrestricted security level to each individual application, depending on the security requirements.

• If an administrator does not have a comprehensive list of the software that should be allowed to run on clients, the Default Security Level can be set to Unrestricted or Basic User, depending on security requirements. Any applications that should not be allowed to run can then be identified by using SRP rules, which would use a security level setting of Disallowed.

Software Restriction Policy settings can be found in Group Policy at the following location: Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies.

Note: Software Restriction Policies are not enabled by default in Windows Server 2008 R2.


Overview of AppLocker

Key Points

Application Control Policies represent the next evolution of control over the operations of applications within your domain environment. Application Control Policies are controlled by AppLocker.

AppLocker (introduced in the Windows 7 operating system and Windows Server 2008 R2) provides a number of enhancements, which improve upon the functionality previously provided by SRP. AppLocker provides administrators with a variety of methods for quickly and concisely determining the identity of applications that they may want to restrict or permit access to.

AppLocker is applied through Group Policy to computer objects within an organizational unit. In addition, individual AppLocker rules can be applied to individual AD DS users or groups.

AppLocker also contains options for monitoring or auditing the application of rules, both as rules are being enforced and in an audit-only scenario.

AppLocker can help organizations prevent unlicensed or malicious software from executing, and can selectively restrict ActiveX® controls from being installed. It can also reduce the total cost of ownership by ensuring that workstations are standardized across their enterprise and that users are running only the software and applications that are approved by the enterprise.

Specifically, the following scenarios provide examples of where AppLocker can be used to provide some level of application management:

• Your organization implements a policy to standardize the applications used within each business group, so you need to determine the expected usage compared to the actual usage.

• The security policy for application usage has changed, and you need to evaluate where and when those deployed applications are being accessed.

• Your organization's security policy dictates the use of only licensed software, so you need to determine which applications are not licensed or prevent unauthorized users from running licensed software.


• An application is no longer supported by your organization, so you need to prevent it from being used by everyone.

• A new application or a new version of an application is deployed, and you need to allow certain groups to use it.

• Specific software tools are not allowed within the organization, or only specific users have access to those tools.

• A single user or small group of users needs to use a specific application that is denied for all others.

• Some computers in your organization are shared by people who have different software usage needs.

AppLocker is available in the following editions of Windows:

• Windows Server 2008 R2 Standard operating system

• Windows Server 2008 R2 Enterprise operating system

• Windows Server 2008 R2 Datacenter operating system

• Windows Server 2008 R2 for Itanium-based Systems operating system

• Windows 7 Ultimate operating system

• Windows 7 Enterprise operating system

Note: AppLocker is not enabled by default in Windows Server 2008 R2.


AppLocker vs. SRPs

Key Points

When implementing SRPs in previous Windows versions, it was particularly difficult to create policies that were secure and remained functional after software updates were applied. This was due to the lack of granularity of certificate rules and the fragility of hash rules that became invalid when an application binary was updated. To resolve this issue, AppLocker enables you to create a rule that combines a certificate and a product name, file name, and file version. This simplifies your ability to specify that anything signed by a particular vendor for a specific product name can run.

Certificate rules in SRP allow you to trust all software signed by a specific publisher; however, AppLocker gives you greater flexibility. When creating publisher rules, you can trust the publisher, and also drill down to the product level, the executable level, and even the version.

For example, with SRP, you can create a rule that effectively reads “Trust all content signed by Microsoft”. With AppLocker, you can further refine the rule to specify: “Trust the Microsoft® Office 2007 Suite if it is signed by Microsoft and the version is greater than 12.0.0.0”.

The AppLocker enhancements over the SRP feature can be summarized as follows:

• The ability to define rules based on attributes derived from a file’s digital signature, including the publisher, product name, file name, and file version. SRP supports certificate rules, but they are less granular and more difficult to define.

• A more intuitive enforcement model; only a file that is specified in an AppLocker rule is allowed to run.

• A new, more accessible user interface that is accessed through a new Microsoft Management Console (MMC) snap-in extension to the Group Policy Management Console snap-in.

• An audit-only enforcement mode that allows administrators to determine which files will be prevented from running if the policy were in effect.

The following table outlines other key differences between AppLocker and SRPs.


Feature                                      SRP                                                          AppLocker

Rule scope                                   Specific user or group (per Group Policy object [GPO])        Specific users or groups (per rule)

Rule conditions provided                     File hash, path, certificate, registry path, Internet zone    File hash, path, publisher

Rule types provided                          Allow and Deny                                                Allow and Deny

Default rule action                          Allow and deny                                                Implicit Deny

Audit only mode                              No                                                            Yes

Wizard to create multiple rules at one time  No                                                            Yes

Policy import or export                      No                                                            Yes

Rule collection                              No                                                            Yes

Windows PowerShell® support                  No                                                            Yes

Custom error messages                        No                                                            Yes

Implementing AppLocker and SRPs

Prior to Windows Server 2008 R2 and Windows 7, Windows operating systems were only able to use SRP rules. In Windows Server 2008 R2 and Windows 7, you can apply SRP or AppLocker rules, but not both. This allows you to upgrade an existing implementation to Windows 7 and still take advantage of the SRP rules defined in group policies.

However, if Windows Server 2008 R2 or Windows 7 have both AppLocker and SRP rules applied in a group policy, then only the AppLocker rules are enforced and the SRP rules are ignored.

When you add a single AppLocker rule in Windows Server 2008 R2 or Windows 7, all processing of SRP rules stops. Therefore, if you are replacing SRP rules with AppLocker rules, you must implement all AppLocker rules that you require at one time. If you implement the AppLocker rules incrementally, you will lose the functionality provided by SRP rules that have not yet been replaced with corresponding AppLocker rules.

Note: SRP is still the standard method to restrict software usage in versions of Windows prior to Windows Server 2008 and Windows 7.

Question: Why must AppLocker rules be defined in a GPO separate from SRP rules?


Demonstration: How to Configure Application Control Policies

Key Points

In this demonstration, you will see how to:

• Create a GPO to enforce the default AppLocker Executable rules.

• Apply the GPO to the domain.

• Test the AppLocker rule.

Demonstration Steps:

1. Open the Group Policy Management Console.

2. Create a new GPO.

3. Configure the AppLocker default rules in the GPO.

4. Link the GPO to the Contoso.com domain.

5. Switch to NYC-CL1.

6. Attempt to open Wordpad.


Lab B: Configuring Restricted Groups and Application Control Policies

Lab Scenario

The enterprise administrator created a design that includes modifications to further security areas. Ensuring that IT staff members have access to the proper administrative rights on client computers is critical and you have been asked to configure the domain environment to allow this.

In addition, you have been asked to ensure that a widely used application in the environment that has been recently replaced by a new software suite is no longer used at Contoso, Ltd.


Exercise 1: Configuring Restricted Groups

You need to ensure that the IT global group is included in the local Administrators group for all of the organization’s computers.

The main tasks for this exercise are as follows:

1. Configure restricted groups for the local Administrators group.

2. Test restricted groups for the local Administrators group.

Task 1: Configure restricted groups for the local administrators group.

1. On NYC-DC1, open the GPMC, browse to the Group Policy Objects folder, and then edit the Default Domain Policy.

2. Navigate to Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, right-click Restricted Groups, and then click Add Group.

3. Add the Administrators group, and then click OK.

4. In the Administrators Properties dialog box, add the following groups:

• Contoso\IT

• Contoso\Domain Admins

5. Close the Group Policy Management Editor.

Task 2: Test restricted groups for the local administrators group.

1. Start the 6419B-NYC-CL1 VM. If the VM is already started, shut down and restart NYC-CL1.

2. Log on to NYC-CL1 as Contoso\Ed with a password of Pa$$w0rd.

3. Open the Edit local users and groups window using the Start Menu Search dialog.

4. Confirm that the Administrators group contains both CONTOSO\Domain Admins and CONTOSO\IT as members.

5. Close the local users and groups window and log off NYC-CL1.
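Step 4 above is done by hand in the Local Users and Groups snap-in. As an added example that is not part of the course, the following script performs the same confirmation from Windows PowerShell on NYC-CL1 and also lists any member that is not in the policy list, which is what a Restricted Groups refresh (as described in Lesson 3) would remove. It uses only the WinNT ADSI provider, so it runs on Windows 7 without extra modules; the function names and the expected member list are assumptions of this example.

```powershell
# Added check (not from the course lab): read the local Administrators group on
# this workstation and compare it with the members the Restricted Groups policy
# should enforce. Uses only the WinNT ADSI provider (Windows PowerShell 2.0).

function Get-LocalGroupMember {
    # Hypothetical helper: returns the members of a local group as DOMAIN\Name strings.
    param([string]$GroupName = 'Administrators')
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # ADsPath is WinNT://DOMAIN/Name for domain principals and
        # WinNT://DOMAIN/COMPUTER/Name for local accounts; keep the last two parts.
        $path  = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $parts = $path.Substring('WinNT://'.Length) -split '/'
        '{0}\{1}' -f $parts[-2], $parts[-1]
    }
}

function Test-RestrictedGroupMembers {
    # Hypothetical helper: reports members missing from, or extra to, the policy list.
    param([string[]]$Expected, [string]$GroupName = 'Administrators')
    $actual  = @(Get-LocalGroupMember -GroupName $GroupName)
    $missing = @($Expected | Where-Object { $actual -notcontains $_ })
    # Extra members are what the next Restricted Groups refresh removes; seeing
    # them means the policy has not applied yet or the group was changed afterwards.
    $extra   = @($actual | Where-Object { $Expected -notcontains $_ })
    New-Object PSObject -Property @{
        Group     = $GroupName
        Members   = $actual
        Missing   = $missing
        Extra     = $extra
        Compliant = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

# Expected members from Lab B, Exercise 1. The local Administrator account is
# never removed by Restricted Groups, so it belongs in the expected list.
$expected = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins', 'CONTOSO\IT')
Test-RestrictedGroupMembers -Expected $expected | Format-List Group, Compliant, Members, Missing, Extra
```

If Compliant is False immediately after the policy was created, restart NYC-CL1 or run gpupdate /force first; Restricted Groups is applied during computer policy processing, not at logon.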

Results: After completing this exercise, you configured and tested restricted groups by using Group Policy.


Exercise 2: Configuring Application Control Policies

Scenario

Microsoft Office 2007 has recently been installed in the Research Department at Contoso, Ltd on all client computers. Previously, WordPad was used for word processing tasks in the Research Department. To encourage users to use the new word processing capabilities of Office Word 2007, you have been asked to restrict users in the Research Department from running WordPad on their computers.

The main tasks for this exercise are as follows:

1. Create a GPO to enforce the default AppLocker® Executable rules.

2. Apply the GPO to the Contoso.com domain.

3. Test the AppLocker rule.

Task 1: Create a GPO to enforce the default AppLocker Executable rules.

1. On NYC-DC1, in the Group Policy Management console, create a new GPO entitled Wordpad Restriction Policy.

2. Edit the new GPO with the following settings:

• Application Control Policy: Under Executable Rules, create a new executable publisher rule for C:\Program Files\Windows NT\Accessories\wordpad.exe that denies Everyone access to run any version of wordpad.exe.

• Configure Executable rules to be enforced.

• Configure the Application Identity service to run and set it to Automatic.

Task 2: Apply the GPO to the Contoso.com domain.

• Apply the WordPad Restriction Policy GPO to the Contoso.com domain container.

Task 3: Test the AppLocker rule.

1. Restart and then log on to NYC-CL1 as Contoso\Alan with the password, Pa$$w0rd.

2. Refresh Group Policy by running gpupdate /force from the command prompt.

3. Try to run Start - All Programs - Accessories - WordPad.

Note: The AppLocker policy should restrict you from running this application. If the application runs, log off from NYC-CL1 and log on again. It may take a few minutes for the policy setting to apply to NYC-CL1. After the policy setting is applied, the application will be restricted.

Results: After completing this exercise, you will have restricted an application by using AppLocker.

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.


3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6419B-NYC-CL1.


Module Review and Takeaways

Review Questions

1. You want to place an application control policy on a new type of executable file. What must you do before you can create a rule for this executable code?

2. What setting must you configure to ensure that users are only allowed 3 invalid logon attempts?

3. You want to provide consistent security settings for all client computers in the organization. The computer accounts are scattered across multiple OUs. What is the best way to provide this?

Windows Server 2008 R2 Features Introduced in this Module

Windows Server 2008 R2 Feature: Description

Advanced Audit Policy Configuration: Expands available audit policy settings from 9 to 53 in Windows Server 2008 R2 and Windows 7

Application Control Policies: Controls applications by using AppLocker

Module 12

Providing Efficient Network Access for Remote Offices

Module Overview

Remote offices have a unique set of challenges for network infrastructure. Many remote offices connect to the head office over wide area network (WAN) links that are slow and subject to high latency. Slow connectivity between the remote office and the enterprise network affects network logons and access to files. To provide fast and secure logons at remote offices, you can place a read-only domain controller (RODC) at the remote office. You can use BranchCache to speed up access to data across the WAN and reduce WAN utilization.

After completing this module, you will be able to:

• Explain remote office requirements.

• Implement read-only domain controllers.

• Implement BranchCache.


Lesson 1

Overview of Remote Office Requirements

Remote offices have unique management challenges. A remote office typically has slow connectivity to the enterprise network and limited infrastructure for securing servers. Therefore, the challenge lies in being able to provide efficient access to network resources for users in remote offices.

After this lesson, you will be able to:

• Discuss the common challenges in providing efficient remote office access to network resources.

• Describe options for providing efficient access to network resources.


Discussion: Challenges to Managing Remote Office Connectivity

Key Points

Usually, a head office is a central communication hub for remote offices. Most remote offices have fewer users than the head office. Each remote office also has slow connectivity to the head office.

For example, a chain of retail stores has a head office with many employees and fast internal network connectivity. The branch offices are remotely located with very few employees in each location and slow connectivity to the data in the head office.

Question: Why are network connections between remote offices and the head office slow and unreliable?

Question: How does slow and unreliable network connectivity affect the users in remote offices?

Question: How does management of computer systems in remote offices compare with the management of computer systems in the head office?

Question: How does system security in remote offices compare with system security in the head office?


Options for Providing Efficient Access to Network Resources

Key Points

You can meet the challenge of slow and less reliable connectivity of the remote offices by using the following two features of Windows Server 2008:

• Read-only domain controllers

• BranchCache

Read-Only Domain Controllers

To increase logon speed and reliability, you can install a domain controller at a remote office. However, a standard domain controller holds a copy of all user accounts and their passwords for the domain. Given sufficient time, anyone who steals a server with a copy of Active Directory can access the passwords.

A read-only domain controller (RODC) in a remote office limits the passwords it can store. This helps you to address some of the security concerns associated with remote offices. Typically, you limit the passwords on the read-only domain controller in the remote office to only users who work in that office.

BranchCache

Accessing the files in the head office can be very slow for users in the remote offices. BranchCache helps speed up access to files by caching them on a local computer or on a server in the remote office. If a file has not been modified in the head office and is accessed from the remote office, the cached copy of the file in the remote office is opened rather than the copy of the file from the head office.

In addition to providing faster file access, BranchCache decreases the overall WAN utilization because only new and modified files are copied over the WAN. This keeps the WAN free for other activities.


Lesson 2

Implementing Read-Only Domain Controllers

An RODC helps meet the security and management challenges of remote offices. Therefore, you need to understand the features of RODCs, how to deploy them, and how to configure them. Configuring an RODC includes configuring password replication policies and performing local administration tasks on the RODC.

After completing this lesson, you will be able to:

• Discuss the features of RODCs.

• Describe how to deploy RODCs.

• Describe a Password Replication Policy.

• Configure a Password Replication Policy.

• Administer RODC credential caching.

• Configure administrator role separation for RODCs.


Read-Only Domain Controller Features

Key Points

An RODC has a read-only copy of an Active Directory domain, which contains all of the objects in the domain, but not all of their attributes. System-critical attributes, such as authentication-related data, are not replicated to an RODC because an RODC is considered not secure. You can prevent additional attributes from being replicated to RODCs by marking the attribute as confidential.

You cannot make changes to the domain database on an RODC because the Active Directory database on the RODC is read-only. All requests for changes are forwarded to a writable domain controller. Because no changes are performed on the RODC, replication of Active Directory changes is one way from writable domain controllers to the RODC.

Credential Caching

User and computer credentials are not replicated to an RODC by default. To use an RODC to enhance user logon, you need to configure a Password Replication Policy (PRP) that defines which user credentials can be cached. Limiting the credentials cached on the RODC reduces the security risks. If the RODC is stolen, only passwords for the cached user and computer accounts need to be reset.

If user and computer credentials are not replicated to an RODC, then a writable domain controller must be contacted during the authentication process. Typically, the credentials for local users and computers are cached on an RODC.

Administrator Role Separation

To manage a writable domain controller, you must be a member of the domain local Administrators group. Any user placed in the domain local Administrators group is given permissions to manage all domain controllers in the domain. This causes problems for administration of remote offices with a writable domain controller because the administrator in a remote office should not be given access to the domain controllers in the rest of the organization.


Permissions to administer an RODC are granted by placing a user account in the local Administrators group on the RODC. This gives the administrator of a remote office permission to manage only that RODC, which may also be configured to provide other services such as file shares and printing.

Read-Only DNS

Domain Name System (DNS) is a critical resource for a Windows network. If an RODC is configured as a DNS server, DNS zones can be replicated through Active Directory Domain Services to the RODC. DNS on the RODC is read-only. DNS update requests are referred to a writable copy of DNS.


How to Deploy an RODC

Key Points

To deploy an RODC, ensure that the following activities are performed:

• Ensure that the forest functional level is Windows Server 2003 or later: all domain controllers must be Windows Server 2003 or later, and each domain in the forest must be at the domain functional level of Windows Server 2003 or later.

• Run ADPrep /RODCPrep. This configures permissions on DNS application directory partitions to allow them to be replicated to RODCs. This is required only if the Active Directory forest has been upgraded.

• Ensure that there is a writable Windows Server 2008 domain controller. An RODC replicates the domain partition only from the Windows Server 2008 domain controllers. Therefore, each domain with RODCs must have at least one Windows Server 2008 domain controller. The Schema and Configuration partitions can be replicated from Windows Server 2003.

• Consider replication patterns. Each remote office with an RODC should have direct connectivity to a site with a Windows Server 2008 domain controller. This minimizes the replication traffic over the WAN.

RODC Installation

Like a writable domain controller, an RODC can be installed by using an attended or an unattended installation. If you perform an attended installation by using the graphical interface, you select the RODC as one of the additional domain controller options.

You can also delegate the RODC installation to the administrator in the remote office by using a staged installation. In a staged installation, you need to perform the following steps:

1. Ensure that the server to be configured as the RODC is not a member of the domain.

2. A domain administrator uses Active Directory Users and Computers to precreate the RODC account in the Domain Controllers organizational unit. The wizard for performing this process prompts for the necessary information, including the users or groups that are allowed to join the RODC to the domain.

3. The administrator in the remote office runs dcpromo /UseExistingAccount:Attach and follows the wizard to join the domain as the precreated RODC account.

Note: You can also perform a staged installation by using dcpromo with command-line options or an unattended installation file.


What Is Password Replication Policy?

Key Points

A Password Replication Policy (PRP) determines which user and computer credentials can be cached on a specific RODC. If the PRP allows an RODC to cache an account's credentials, authentication and service ticket activities of that account can be processed by the RODC. If an account's credentials cannot be cached on the RODC, authentication and service ticket activities are referred by the RODC to a writable domain controller.

The PRP for an RODC contains both an Allowed List and a Denied List. Each list can contain specific accounts or groups. An account must be on the Allowed List for credentials to be cached. If a group is on the Allowed List and a member of that group is on the Denied List, caching is not allowed for that member.

There are two domain local groups that can be used to globally allow or deny caching to all RODCs in a domain:

• Allowed RODC Password Replication Group is added to the Allowed List of all RODCs. This group has no members by default.

• Denied RODC Password Replication Group is added to the Denied List of all RODCs. By default, Domain Admins, Enterprise Admins, and Group Policy Creator Owners are the members of this group.

You can configure the Allowed List and Denied List for each RODC. By default, the Allowed List contains only the Allowed RODC Password Replication Group. The default membership of the Denied List includes Administrators, Server Operators, and Account Operators.

In most cases, you want to add accounts separately to each RODC rather than globally allowing password caching. This allows you to limit the number of credentials cached to only those accounts commonly at that location. Domain administrative accounts should not be cached on RODCs in remote offices. Computer accounts should be cached to speed up authentication of computer accounts during system startup.


Demonstration: How to Configure a Password Replication Policy

Key Points

The PRP for an RODC is configured in the properties of the RODC computer account. In this demonstration, you will see how to configure the PRP for an RODC.

Demonstration Steps

1. Open Active Directory Users and Computers.

2. Precreate an RODC account in the Domain Controllers OU.

3. View the Password Replication Policy tab in the Properties of the RODC computer account.

4. Add Adam Carter and allow credentials to be cached.

5. Close the Properties of the RODC computer account.

6. View the Membership tab of the Allowed RODC Password Replication Group.

7. Close the Properties of the Allowed RODC Password Replication Group.

8. View the Membership tab of the Denied RODC Password Replication Group.

9. Close the Properties of the Denied RODC Password Replication Group.

10. Close Active Directory Users and Computers.


Demonstration: Administering RODC Credentials Caching

Key Points

After a PRP has been configured for an RODC, it is useful to see what activity the RODC has been performing for accounts. You can view a list of accounts with passwords stored on the RODC. If the RODC security is compromised, you can use this list of accounts to determine which passwords should be reset.

You can also display a list of accounts that have been authenticated by using the RODC. This list has accounts that do not have a password stored on the RODC, but authentication was initiated on the RODC. You can use this list to determine which accounts are authenticating locally and identify which accounts should have credentials cached.

Finally, you can prepopulate passwords for accounts in the cached credentials. This ensures that authentication is performed locally the next time the account is used rather than being referred to a writable domain controller and then cached.
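The Allowed List and Denied List resolution described in the previous topic, and the question of which passwords are exposed if an RODC is stolen, as an added Python model (this is example code written for this page, not course or Microsoft code). Group memberships are constructed to mirror the contoso.com lab in Lab A, Exercise 2 (Remote Office Users on the Allowed List of NYC-SVR1, DNSAdmins added to the Denied RODC Password Replication Group); Dylan's membership in DNSAdmins is an assumption added to show that a Denied List match wins over an Allowed List match.

```python
"""Constructed model of RODC Password Replication Policy (PRP) resolution.

Added example, not Microsoft code. It implements the rules the text states:
an account is cached only if it, or a group it belongs to, is on the Allowed
List, and any match on the Denied List wins even when the account reaches the
Allowed List through a group.
"""
from dataclasses import dataclass, field

ALLOW = "Allow"
DENY_EXPLICIT = "Deny (explicit)"   # the account or one of its groups is on the Denied List
DENY_IMPLICIT = "Deny (implicit)"   # on neither list, so nothing is cached

# Domain-wide groups the text names, with their default members.
ALLOWED_RODC_GROUP = "Allowed RODC Password Replication Group"
DENIED_RODC_GROUP = "Denied RODC Password Replication Group"


def lab_memberships():
    """Group -> direct members (users, computer accounts, nested groups).

    Constructed to mirror contoso.com after Lab A, Exercise 2, Tasks 1-2:
    DNSAdmins has been added to the Denied group and Remote Office Users
    exists. Dylan being in DNSAdmins is an assumption for illustration.
    """
    return {
        "Domain Admins": {"Administrator"},
        "Enterprise Admins": {"Administrator"},
        "Group Policy Creator Owners": {"Administrator"},
        "Administrators": {"Domain Admins"},
        "Server Operators": set(),
        "Account Operators": set(),
        "DNSAdmins": {"Dylan"},
        "IT": {"Andrea"},
        "Remote Office Users": {"Alan", "Alexander", "Dylan", "Max", "NYC-CL1$"},
        ALLOWED_RODC_GROUP: set(),
        DENIED_RODC_GROUP: {"Domain Admins", "Enterprise Admins",
                            "Group Policy Creator Owners", "DNSAdmins"},
    }


@dataclass
class PasswordReplicationPolicy:
    """Per-RODC PRP, initialised with the default lists the text describes."""
    allowed: set = field(default_factory=lambda: {ALLOWED_RODC_GROUP})
    denied: set = field(default_factory=lambda: {
        DENIED_RODC_GROUP, "Administrators", "Server Operators", "Account Operators"})


def groups_of(account, memberships):
    """Transitive closure of the groups an account belongs to (nested groups included)."""
    found = set()
    changed = True
    while changed:
        changed = False
        for group, direct in memberships.items():
            if group not in found and (account in direct or direct & found):
                found.add(group)
                changed = True
    return found


def resultant_policy(account, prp, memberships):
    """Resolve one account against a PRP: Denied List first, then Allowed List."""
    principals = {account} | groups_of(account, memberships)
    if principals & prp.denied:
        return DENY_EXPLICIT
    if principals & prp.allowed:
        return ALLOW
    return DENY_IMPLICIT


def all_accounts(memberships):
    """Users and computers: direct members that are not themselves groups."""
    return {m for direct in memberships.values() for m in direct if m not in memberships}


def cacheable_accounts(prp, memberships, accounts):
    """Every account whose password this RODC is permitted to hold.

    If the RODC is stolen, this set bounds the passwords that could need
    resetting; the RODC's own 'passwords stored' list is the exact subset.
    """
    return {a for a in accounts if resultant_policy(a, prp, memberships) == ALLOW}


def lab_policy_for_nyc_svr1():
    """PRP of NYC-SVR1 after Task 3: Remote Office Users added to the Allowed List."""
    prp = PasswordReplicationPolicy()
    prp.allowed.add("Remote Office Users")
    return prp


if __name__ == "__main__":
    members = lab_memberships()
    prp = lab_policy_for_nyc_svr1()
    for who in ["Alexander", "NYC-CL1$", "Dylan", "Administrator", "Andrea"]:
        print(f"{who:14} -> {resultant_policy(who, prp, members)}")
    print("exposed if NYC-SVR1 is stolen:",
          sorted(cacheable_accounts(prp, members, all_accounts(members))))
```

Running it shows Alexander and NYC-CL1$ cacheable, as Task 4 confirms for Alexander, while Dylan is denied despite being a Remote Office User and Andrea is implicitly denied because nothing places her on the Allowed List.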

In this demonstration, you will see how to:

• View passwords stored on an RODC.

• Prepopulate passwords on an RODC.

Demonstration Steps

1. Open Active Directory Users and Computers.

2. View the Password Replication Policy tab in the Properties of the RODC computer account.

3. Click the Advanced button and view the Policy Usage tab.

4. Use the list box to display Accounts whose passwords are stored on this Read-only Domain Controller.

5. Use the list box to display Accounts that have been authenticated to this Read-only Domain Controller.


6. Click Prepopulate Password and add Adam Carter. This will fail because the RODC is not active.

7. Close all open windows.

Note: You require the 6419B-NYC-DC1 virtual machine to complete this demonstration. Log on to the virtual machine as Contoso\Administrator, with the password Pa$$w0rd.


Overview of Administrator Role Separation

Key Points

The management of RODCs is separated from other domain controllers. Therefore, you can delegate administration of RODCs to local administrators in remote offices without giving those administrators access to writable domain controllers.

You can delegate administration of an RODC in the properties of the RODC computer account on the Managed By tab. You should follow this method to delegate the administration of an RODC because it can easily be centrally managed.

Only a single security principal can be specified on the Managed By tab of an RODC computer account. Specify a group so that you can delegate management permissions to multiple users by making them members of the group.

You can also delegate administration of an RODC by using ntdsutil or dsmgmt with the local roles option.

C:\>dsmgmt
Dsmgmt: local roles
local roles: add adam administrators

You should cache the password for delegated administrators to ensure that system maintenance can be performed when a writable domain controller is unavailable.


Lab A: Deploying a Read-Only Domain Controller

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the actions pane, click Start.

3. In the actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

5. Repeat steps 2 through 4 for 6419B-NYC-SVR1 and 6419B-NYC-CL1.


Exercise 1: Installing an RODC

Scenario

You are a server administrator at Contoso, Ltd. Your organization has a head office and many remote offices. The remote offices are small and have low speed connectivity to the head office. You want to speed up authentication at the remote offices containing a file server by configuring the file server as an RODC.

NYC-DC1 is the head office domain controller. NYC-SVR1 is the file server in the remote office being configured as an RODC. NYC-CL1 is a client computer located in the remote office.

The main tasks for this exercise are as follows:

1. Verify the prerequisites for a staged installation of an RODC.

2. Stage a delegated installation of an RODC.

3. Complete a staged installation of an RODC.

Task 1: Verify the prerequisites for a staged installation of an RODC

1. On NYC-DC1, open Active Directory Users and Computers.

2. In the properties of Contoso.com, verify that the forest functional level is at least Windows Server 2003.

3. On NYC-SVR1, open Server Manager and verify whether the computer is a member of a domain.

4. Use the Change System Properties option to place NYC-SVR1 in a workgroup named TEMPORARY.

5. Restart NYC-SVR1.

Task 2: Stage a delegated installation of an RODC

1. On NYC-DC1, open Active Directory Users and Computers.

2. Delete the NYC-SVR1 computer account from the Computers container.

3. At the Domain Controllers OU, precreate a read-only domain controller account by using default settings, except for the following:

• Computer name: NYC-SVR1

• Delegate to: CONTOSO\IT

4. View the DC Type for the NYC-SVR1 computer account in the Domain Controllers OU.

Task 3: Complete a staged installation of an RODC

1. Log on to NYC-SVR1 as Administrator with the password of Pa$$w0rd.

2. On NYC-SVR1, run dcpromo.exe.

3. Complete the Active Directory Domain Services Installation Wizard by using default options except those listed below:

• Create the domain controller in an Existing forest.

• Add the domain controller to an existing domain.

• Network credentials: Andrea (a member of the IT group)

• Password for Andrea: Pa$$w0rd


• Directory Services restore mode password: Pa$$w0rd

4. When installation is complete, reboot NYC-SVR1.

Results: In this exercise, you configured NYC-SVR1 as an RODC in the contoso.com domain.


Exercise 2: Configuring Password Replication Policy and Credential Caching

Scenario

After installing an RODC for a remote office, you need to configure password replication and credential caching for the remote office. A specific group of research users who work in the remote office need to have their passwords cached in this office. You need to verify that password caching is functioning correctly.

The main tasks for this exercise are as follows:

1. Configure domain-wide password replication.

2. Create a group to manage password replication to the remote office RODC.

3. Configure password replication policy for the remote office RODC.

4. Evaluate resultant password replication policy.

5. Monitor credential caching.

6. Prepopulate credential caching.

7. Test cached passwords on NYC-SVR1.

Task 1: Configure domain-wide password replication policy.

1. On NYC-DC1, open Active Directory Users and Computers.

2. In the Users container, view the membership of the Allowed RODC Password Replication Group and verify that there are no current members.

3. Add the DNSAdmins group to the Denied RODC Password Replication Group.

4. In the Domain Controllers OU, open the properties of NYC-SVR1.

5. On the Password Replication Policy tab, verify that the Allowed RODC Password Replication Group and Denied RODC Password Replication Group are listed.

Task 2: Create a group to manage password replication to the remote office RODC.

1. On NYC-DC1, in Active Directory Users and Computers, in the Research OU, create a new group named Remote Office Users.

2. Add Alan, Alexander, Dylan, Max, and NYC-CL1 to the membership of Remote Office Users.

Task 3: Configure password replication policy for the remote office RODC.

1. On NYC-DC1, in Active Directory Users and Computers, click the Domain Controllers OU, and then open the properties of NYC-SVR1.

2. On the Password Replication Policy tab, allow the Remote Office Users group to replicate passwords to NYC-SVR1.

Task 4: Evaluate resultant password replication policy.

1. On NYC-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, open the properties of NYC-SVR1.

2. On the Password Replication Policy tab, open the Advanced configuration.

3. On the Resultant Policy tab, add Alexander and confirm that Alexander’s password can be cached.


Task 5: Monitor credential caching.

1. Attempt to log on to NYC-SVR1 as Alexander. This logon will fail because Alexander does not have permission to log on to the RODC, but authentication is performed.

2. On NYC-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, open the properties of NYC-SVR1.

3. On the Password Replication Policy tab, open the Advanced configuration.

4. On the Policy Usage tab, select the Accounts that have been authenticated to this Read-only Domain Controller option. Notice that Alexander’s password has been cached.

Task 6: Prepopulate credential caching.

1. On NYC-DC1, in Active Directory Users and Computers, in the Domain Controllers OU, right-click NYC-SVR1 and click Properties.

2. On the Password Replication Policy tab, open the Advanced configuration.

3. On the Policy Usage tab, prepopulate the passwords for Alan and NYC-CL1.

4. Read the list of cached passwords and confirm that Alan and NYC-CL1 have been added.

Task 7: Test cached passwords on NYC-SVR1.

1. Shut down NYC-DC1.

2. On NYC-CL1, open Network and Sharing Center.

3. In Network and Sharing Center, open the properties of Local Area Connection 3, and add an Alternate DNS server of 10.10.0.11 in the properties of TCP/IPv4.

4. Log off and log on as Alexander with a password of Pa$$w0rd.

5. Log off and log on as Alan with a password of Pa$$w0rd.

Results: In this exercise, you configured and tested password replication for an RODC.
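The seven tasks above, scripted in PowerShell as an added example (not the handbook's own steps). It assumes the Active Directory module on NYC-DC1, a Research OU with the distinguished name OU=Research,DC=contoso,DC=com, and repadmin.exe on the path; it goes one step beyond the lab by checking the RODC's revealed list for protected (adminCount=1) accounts, which a branch RODC should never hold.

```powershell
# Added example (not from the handbook): scripts the seven tasks of Exercise 2 on NYC-DC1
# and audits which credentials the RODC actually holds.
# Assumptions: the ActiveDirectory module is installed on NYC-DC1, the Research OU has the
# DN below, and repadmin.exe is on the path. Host, user and group names are the lab's.
Import-Module ActiveDirectory

$Rodc       = 'NYC-SVR1'
$HubDc      = 'NYC-DC1'
$ResearchOU = 'OU=Research,DC=contoso,DC=com'   # assumed DN of the lab's Research OU
$GroupName  = 'Remote Office Users'
$Members    = 'Alan', 'Alexander', 'Dylan', 'Max', 'NYC-CL1$'   # computer SAM names end in $

# Task 1: domain-wide policy. DNSAdmins joins the built-in Denied group, which already
# holds the privileged groups that must never be cached on any RODC.
Add-ADGroupMember -Identity 'Denied RODC Password Replication Group' -Members (Get-ADGroup 'DNSAdmins')

# Task 2: the group that scopes which branch accounts may be cached.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -Path $ResearchOU
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# Task 3: allow that group on NYC-SVR1's Password Replication Policy.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList (Get-ADGroup $GroupName)

# Task 4: resultant policy for one principal. The RODC may cache a secret only if the
# principal (or a group it belongs to, nested included) is in the Allowed list and
# neither it nor any of its groups is in the Denied list; Denied always wins.
function Test-RodcCachePermitted {
    param([string]$SamAccountName)
    $principal = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'"
    # LDAP_MATCHING_RULE_IN_CHAIN expands nested group membership in one query.
    $groups  = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($principal.DistinguishedName))"
    $tokens  = @($principal.DistinguishedName) + @($groups | ForEach-Object { $_.DistinguishedName })
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed |
               ForEach-Object { $_.DistinguishedName }
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied |
               ForEach-Object { $_.DistinguishedName }
    if ($tokens | Where-Object { $denied -contains $_ }) { return $false }
    return [bool]($tokens | Where-Object { $allowed -contains $_ })
}
"Alexander cacheable on {0}: {1}" -f $Rodc, (Test-RodcCachePermitted 'Alexander')

# Task 5: who has authenticated through the RODC, and whose secrets it now holds.
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
"Authenticated via {0}: {1}" -f $Rodc, (($authenticated | ForEach-Object { $_.Name }) -join ', ')
"Revealed to {0}: {1}"       -f $Rodc, (($revealed      | ForEach-Object { $_.Name }) -join ', ')

# Task 6: prepopulate Alan and NYC-CL1 so their first branch logon works even if the WAN is down.
$prepopulate = 'Alan', 'NYC-CL1$' | ForEach-Object {
    (Get-ADObject -Filter "sAMAccountName -eq '$_'").DistinguishedName
}
& repadmin.exe /rodcpwdrepl $Rodc $HubDc $prepopulate

# Audit (beyond the lab): a revealed account carrying adminCount=1 is protected by
# AdminSDHolder and should never sit on a branch RODC; treat any hit as a policy error.
$suspect = $revealed | ForEach-Object {
    Get-ADObject -Identity $_.DistinguishedName -Properties adminCount
} | Where-Object { $_.adminCount -eq 1 }
if ($suspect) {
    Write-Warning ("Protected accounts cached on {0}: {1}" -f $Rodc,
        (($suspect | ForEach-Object { $_.Name }) -join ', '))
}
```

Task 7 (the logon test with NYC-DC1 shut down) stays manual: it proves the RODC answers from its own cache, which no query against NYC-DC1 can show.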

To prepare for the next lab

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6419B-NYC-SVR1 and 6419B-NYC-CL1.


Lesson 3

Implementing BranchCache

BranchCache is a new feature in Windows Server 2008 R2 and Windows 7 that reduces WAN link utilization for remote offices. In some cases, it can also improve application performance for remote office users that access data in the head office. Remote office client computers use a data cache in the remote office to reduce traffic over a WAN link. If you configure client computers to use the Distributed Cache mode, the cached content is distributed across client computers. If you configure client computers to use the Hosted Cache mode, the cached content is maintained on a server computer on the remote office network. You can customize BranchCache settings and perform additional configuration tasks after configuring BranchCache. You can also monitor BranchCache events, work, and performance, and query the BranchCache infrastructure to verify the configuration of servers and the usage of the cache.

After completing this lesson, you will be able to:

• Describe BranchCache.

• Compare Hosted Cache mode with Distributed Cache mode.

• Describe BranchCache requirements.

• Describe how to configure servers for BranchCache.

• Describe how to configure clients for BranchCache.

• Configure BranchCache.

• Verify and monitor BranchCache status.


Overview of BranchCache

Key Points

One of the challenges that remote offices face is improving the performance of intranet resources that are accessed from head offices or regional data centers. Typically, branch offices are connected by WANs, which usually have slower data rates than the intranet. Reducing the network utilization on the WAN connection provides more bandwidth for other applications and services.

The BranchCache feature in Windows Server 2008 R2 and Windows 7 reduces the network utilization on WAN connections between branch offices and headquarters by locally caching frequently used files on computers in the branch office. BranchCache improves the performance of applications that use one of the following protocols:

• HTTP or HTTPS. The protocols used by web browsers and other applications.

• SMB, including signed SMB traffic. The protocol used for accessing shared folders.

• BITS. Background Intelligent Transfer Service (BITS) is a Windows component that distributes content from a server to clients by using only idle network bandwidth.

Note: BranchCache can only be utilized for SMB 2.

BranchCache retrieves data from a server when the client requests the data. Because BranchCache is a passive cache, it will not increase the WAN utilization. BranchCache only caches the read requests and will not interfere when a user saves a file.

BranchCache improves the responsiveness of common network applications that access intranet servers across slow WAN links. Because BranchCache does not require any additional infrastructure, you can improve the performance of remote networks by deploying Windows 7 to client computers and Windows Server 2008 R2 to server computers, and by enabling the BranchCache feature.


BranchCache works seamlessly with network security technologies, including Secure Sockets Layer (SSL), SMB Signing, and end-to-end IP Security (IPSec). You can use BranchCache to reduce the network bandwidth utilization and improve application performance even if the content is encrypted.


Compare Hosted Cache Mode with Distributed Cache Mode

Key Points

You can configure BranchCache to use the Hosted Cache mode or the Distributed Cache mode.

• Hosted Cache. The Hosted Cache mode operates by deploying a computer that is running Windows Server 2008 R2 as a host in the branch office. Client computers are configured with the fully qualified domain name (FQDN) of the host computer so that they can retrieve content from the Hosted Cache when available. If the content is not available in the Hosted Cache, the content is retrieved from the content server by using a WAN link and then provided to the Hosted Cache so that subsequent client requests can get it from there.

• Distributed Cache. You can configure BranchCache in the Distributed Cache mode for small remote offices. In this mode, local Windows 7 clients keep a copy of the content and make it available to other authorized clients that request the same data. This eliminates the need to have a server in the branch office. However, unlike the Hosted Cache mode, this configuration works across a single subnet only. In addition, clients that hibernate or disconnect from the network will not be able to provide content to other requesting clients.

When BranchCache is enabled on the client computer and the server computer, the client computer performs the following process to retrieve data by using the HTTP, HTTPS, or SMB protocol:

1. The client computer running Windows 7 connects to a content server computer running Windows Server 2008 R2 in the head office and requests content similar to the way it would retrieve content without using BranchCache.

2. The content server computer in the head office authenticates the user and verifies that the user is authorized to access the data.

3. The content server computer in the head office returns identifiers or hashes of the requested content to the client computer instead of sending the content itself. The content server computer sends that data over the same connection over which the content would normally have been sent.


4. Using retrieved identifiers, the client computer does the following:

• If configured to use Distributed Cache, the client computer multicasts on the local network to find other client computers that have already downloaded the content.

• If configured to use Hosted Cache, the client computer searches for content availability on the Hosted Cache.

5. If the content is available in the remote office, either on one or more clients or on the Hosted Cache, the client computer retrieves the data from within the remote office and ensures that the data is up to date and has not been tampered with or corrupted.

6. If the content is not available in the remote office, the client computer retrieves the content directly from the server computer at the data center. The client computer then either makes it available on the local network to other requesting client computers or sends it to the Hosted Cache, where it is made available to other client computers.

Question: Can you use BranchCache if both servers in the remote office are running Windows Server 2008 when you have deployed Windows 7 to all remote office client computers?


BranchCache Requirements

Key Points

BranchCache optimizes traffic flow between the head office and remote offices, and only Windows Server 2008 R2 servers and Windows 7 clients can benefit from it. Earlier versions of Windows operating systems will not benefit from this feature. You can cache only the content stored on Windows Server 2008 R2 file servers or web servers by using BranchCache.

Requirements for Using BranchCache

To use BranchCache:

• You must install the BranchCache feature or the BranchCache for Network Files role service on the Windows Server 2008 R2 server that is hosting the data.

• You must configure clients either by using Group Policy or the netsh command.

If you want to use BranchCache for caching content from the web server, you must install the BranchCache feature on the web server. Additional configuration is not needed. If you want to use BranchCache to cache content from the file server, you must install the BranchCache for Network Files role service on the file server, configure hash publication for BranchCache, and create BranchCache-enabled file shares.

BranchCache is supported on Full Installation of Windows Server 2008 R2 and on Server Core.

Requirements for Distributed Cache and Hosted Cache Modes

In the Distributed Cache mode, BranchCache works across a single subnet only. If client computers are configured to use the Distributed Cache mode, any client computer can search locally for the computer that has already downloaded and cached the content by using a multicast protocol called WS-Discovery. In the Distributed Cache mode, content servers in the head office must run Windows Server 2008 R2, and the clients in the branch must run Windows 7 or Windows Server 2008 R2. You should configure the client firewall to allow incoming HTTP and WS-Discovery traffic.


In the Hosted Cache mode, the client computers are configured with the FQDN of the host server to retrieve content from the Hosted Cache. Therefore, the BranchCache host server must have a digital certificate, which is used to encrypt communication with client computers. In the Hosted Cache mode, content servers in the head office must run Windows Server 2008 R2. The Hosted Cache in the branch must run Windows Server 2008 R2 and the clients in the branch must run Windows 7. You must configure a firewall to allow incoming HTTP traffic from the Hosted Cache server. In both cache modes, BranchCache uses the HTTP protocol for data transfer between client computers.

Question: You have a mixed computer environment that includes Windows Vista SP2 and Windows 7 client computers and Windows Server 2003 SP2, Windows Server 2008 SP2, and Windows Server 2008 R2 servers. Your computers are also located in multiple sites. Can you use the BranchCache feature in this scenario?


Server Configuration for BranchCache

Key Points

You can use BranchCache to cache web content, which is delivered by HTTP or HTTPS, and to cache shared folder content, which is delivered by the SMB protocol. By default, BranchCache is not installed on Windows Server 2008 R2.

The following list describes the servers that you can configure for BranchCache.

• Web server or BITS server. To configure a Windows Server 2008 R2 web server or an application server that uses the Background Intelligent Transfer Service (BITS) protocol, you install the BranchCache feature. You must ensure that the BranchCache service has started. Then, you need to configure the clients that will use the BranchCache feature; no additional configuration of the web server is needed.

• File server. The BranchCache for Network Files role service of the File Services server role needs to be installed before you can enable BranchCache for any file shares. After you install the BranchCache for Network Files role service, use Group Policy to enable BranchCache on the server. Finally, you need to configure each individual file share to enable BranchCache. You also need to configure the clients that will use the BranchCache feature.

• Hosted Cache server. For the Hosted Cache mode, you must add the BranchCache feature to the Windows Server 2008 R2 server that you are configuring as a Hosted Cache server. To secure communication, client computers use Transport Layer Security (TLS) when communicating with the Hosted Cache server. To support authentication, the Hosted Cache server must be provisioned with a certificate that is trusted by clients and is suitable for server authentication. By default, BranchCache allocates five percent of disk space on the active partition for hosting cache data. However, you can change this value by using Group Policy or the netsh command.

Question: How can you enable BranchCache support on a Windows Server 2008 R2 content server?


Client Configuration for BranchCache

Key Points

You do not need to install the BranchCache feature in Windows 7 because BranchCache is already included in Windows 7. However, BranchCache is disabled by default on client computers. To enable and configure BranchCache, you need to perform the following steps:

1. Enable BranchCache.

2. Enable the Distributed Cache mode or Hosted Cache mode.

3. Configure the client firewall to allow BranchCache protocols.

Enabling BranchCache

If you enable the Distributed Cache or Hosted Cache mode without enabling the overall BranchCache feature, the BranchCache feature will still be disabled on the client computers. However, you can enable the BranchCache feature on a client computer without enabling the Distributed Cache mode or the Hosted Cache mode. In this configuration, the client computer uses only the local cache and does not attempt to download from other BranchCache clients on the same subnet or from a Hosted Cache server. Therefore, multiple users of a single computer can benefit from a shared local cache in this local caching mode.

Enabling the Distributed Cache mode or Hosted Cache mode

You can enable the BranchCache feature on client computers either by using Group Policy or the netsh command.

To configure BranchCache settings by using group policy, perform the following steps:

1. Open the Group Policy Management console.

2. Browse to Computer Configuration / Policies / Administrative Templates / Network, and then click BranchCache.


3. Turn on BranchCache and set either the Distributed Cache or Hosted Cache mode.

To configure BranchCache settings by using the netsh command, perform the following steps:

1. Use the following netsh syntax for the distributed mode.

netsh branchcache set service mode=distributed

2. Use the following netsh syntax for the hosted mode.

netsh branchcache set service mode=hostedclient location=<Hosted Cache server>

Configuring the Client Firewall to Allow BranchCache Protocols

In the Distributed Cache mode, BranchCache clients use the HTTP protocol for data transfer between client computers and the WS-Discovery protocol for cached content discovery. You should configure the client firewall to allow the following incoming rules:

• BranchCache–Content Retrieval (Uses HTTP)

• BranchCache–Peer Discovery (Uses WSD)

In the Hosted Cache mode, BranchCache clients use the HTTP protocol for data transfer between client computers, but they do not use the WS-Discovery protocol. In the Hosted Cache mode, you should configure the client firewall to allow the incoming rule BranchCache–Content Retrieval (Uses HTTP).

Additional configuration tasks for BranchCache

After you configure BranchCache, clients can access the cached data from BranchCache-enabled content servers locally in the branch office instead of across a slow WAN link. You can modify BranchCache settings and perform additional configuration tasks, such as:

• Setting the cache size.

• Setting the location of the Hosted Cache server.

• Clearing the cache.

• Creating and replicating a shared key for use in a server cluster.

Question: How can you configure a Windows 7 client computer to benefit from BranchCache?


Demonstration: Configuring BranchCache

Key Points

In this demonstration, you will see how to:

• Enable BranchCache for a file server

• Configure client settings in a GPO

Demonstration Steps:

To configure a file share for BranchCache:

1. Use Server Manager to install the BranchCache for network files role service.

2. Use the Local Group Policy Editor to browse to Computer Configuration\Administrative Templates\Network\Lanman Server and enable Hash Publication for BranchCache.

3. In the Properties of a file share, in the Offline Settings, select the Enable BranchCache check box.

4. Use the Local Group Policy Editor to browse to Computer Configuration\Administrative Templates\Network\BranchCache and enable the appropriate client settings for your scenario.

Note: If you use Group Policy Management to edit a GPO, the settings for BranchCache will be prefaced with Policies.
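The server-side steps from the table in the previous topic and from this demonstration, scripted as an added example (not from the handbook) for a Windows Server 2008 R2 content server. It assumes an elevated prompt on that server, and that the Hash Publication for BranchCache policy is backed by the registry value HashPublicationForPeerCaching, with 2 meaning "only for shared folders on which BranchCache is enabled".

```powershell
# Added example (not from the handbook): the content-server side of BranchCache on
# Windows Server 2008 R2 for the two server types in the table and the demonstration.
# Assumptions: elevated PowerShell on the content server; the registry value behind the
# "Hash Publication for BranchCache" policy (HashPublicationForPeerCaching, 2 = only for
# shares on which BranchCache is enabled) is assumed from the LanmanServer template.
$Role = 'FileServer'   # or 'WebServer' for an IIS or BITS content server

Import-Module ServerManager
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanServer'

switch ($Role) {
    'WebServer' {
        # Table, first row: the BranchCache feature plus a running BranchCache service;
        # the web server itself needs no further configuration.
        $result = Add-WindowsFeature BranchCache
        if (-not $result.Success) { throw 'Installing the BranchCache feature failed' }
        Set-Service PeerDistSvc -StartupType Automatic   # PeerDistSvc is the BranchCache service
        Start-Service PeerDistSvc
    }
    'FileServer' {
        # Demonstration step 1: the "BranchCache for network files" role service.
        $result = Add-WindowsFeature FS-BranchCache
        if (-not $result.Success) { throw 'Installing FS-BranchCache failed' }

        # Demonstration step 2: local-policy equivalent of Computer Configuration\
        # Administrative Templates\Network\Lanman Server\Hash Publication for BranchCache.
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        Set-ItemProperty -Path $policyKey -Name HashPublicationForPeerCaching -Value 2 -Type DWord

        # Demonstration step 3 (Enable BranchCache in the share's Offline Settings) has no
        # Windows Server 2008 R2 cmdlet; set it in the share's properties as the demo does.
    }
}

function Test-BranchCacheServerReady {
    # Reports what to check before pointing branch clients at this server.
    param([ValidateSet('FileServer', 'WebServer')] [string]$Role)
    $featureName = if ($Role -eq 'FileServer') { 'FS-BranchCache' } else { 'BranchCache' }
    $feature = Get-WindowsFeature $featureName
    $hash    = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).HashPublicationForPeerCaching
    $svc     = Get-Service PeerDistSvc -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Role             = $Role
        FeatureInstalled = [bool]$feature.Installed
        HashPublication  = $hash      # 2 expected on a file server; not used by a web server
        ServiceRunning   = ($svc -ne $null -and $svc.Status -eq 'Running')   # needed for web/BITS only
    }
}
Test-BranchCacheServerReady -Role $Role
```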

Question: Clients in the remote office and file servers in the head office are configured for BranchCache. Will the branch office client benefit from BranchCache when accessing a file in the head office for the first time?


BranchCache Monitoring

Key Points

After the initial configuration, you may want to verify that BranchCache is configured correctly and functioning properly. You can use the netsh branchcache show status all command to display the BranchCache service status. On clients and Hosted Cache servers, additional information is shown, such as the location of the local cache, the size of the local cache, and the status of the firewall rules for the HTTP and WS-Discovery protocols that BranchCache uses.

You can also use the following tools to monitor BranchCache:

• Event Viewer. You can monitor BranchCache events in Event Viewer. BranchCache has two types of event logs, operational and audit. The operational log appears in the Event Viewer at Applications and Services Logs\Microsoft\Windows\PeerDist\Operational, and you can view the audit log events in the Security log.

• Performance counters. You can monitor BranchCache work and performance by using the BranchCache performance monitor counters. BranchCache performance monitor counters are useful debugging tools for monitoring BranchCache effectiveness and health. You can also use the BranchCache performance monitor counters to determine the bandwidth savings in the Distributed Cache mode or in the Hosted Cache mode. If you have System Center Operations Manager 2007 SP2 implemented in the environment, you can use the BranchCache Management Pack for System Center Operations Manager 2007.
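The netsh client configuration from the previous topic and the three verification tools described here, combined in one PowerShell script written as an added example (not from the handbook). It assumes an elevated prompt on a Windows 7 client, and that the firewall rule group names, the Microsoft-Windows-PeerDist/Operational log name and the BranchCache counter set name match the built-in objects the lesson refers to; the Hosted Cache FQDN is a placeholder.

```powershell
# Added example (not from the handbook): configure a Windows 7 client for BranchCache with
# netsh, then verify it the three ways the lesson describes (service status and firewall
# rules, the PeerDist operational log, and the performance counters).
# Assumptions: elevated PowerShell on the client; firewall rule group names, the event log
# name and the 'BranchCache' counter set name are assumed to match the built-in objects the
# lesson names; the Hosted Cache FQDN below is a placeholder.

$Mode        = 'distributed'              # or 'hostedclient'
$HostedCache = 'hostedcache.contoso.com'  # placeholder FQDN, used only in hostedclient mode

# Steps 1 and 2: a single netsh call turns BranchCache on and selects the mode.
if ($Mode -eq 'distributed') {
    netsh branchcache set service mode=distributed
} else {
    netsh branchcache set service mode=hostedclient location=$HostedCache
}

# Step 3: Content Retrieval (HTTP) is needed in both modes; Peer Discovery (WSD) only in
# Distributed Cache mode, so a Hosted Cache client leaves that multicast listener closed.
$ruleGroups = @('BranchCache - Content Retrieval (Uses HTTP)')
if ($Mode -eq 'distributed') { $ruleGroups += 'BranchCache - Peer Discovery (Uses WSD)' }
foreach ($group in $ruleGroups) {
    netsh advfirewall firewall set rule "group=$group" new enable=yes
}

function Get-BranchCacheStatus {
    # Parses the 'Name = Value' lines of 'netsh branchcache show status all' into a hashtable
    # so mode, cache location and firewall rule state can be checked programmatically.
    $status = @{}
    foreach ($line in (netsh branchcache show status all)) {
        if ($line -match '^\s*(.+?)\s*=\s*(.+?)\s*$') { $status[$matches[1]] = $matches[2] }
    }
    return $status
}

function Get-BranchCacheEvents {
    # Most recent operational events; audit events are written to the Security log instead.
    param([int]$Count = 20)
    Get-WinEvent -LogName 'Microsoft-Windows-PeerDist/Operational' -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function Get-BranchCacheSavings {
    # Estimates WAN savings from the retrieval counters: bytes served from the branch
    # (local cache or peers) versus bytes that still had to come from the content server.
    # The counter name patterns are assumptions; list the real names with
    # Get-Counter -ListSet BranchCache and adjust them if they differ.
    $set     = Get-Counter -ListSet 'BranchCache'
    $samples = (Get-Counter -Counter $set.Paths -MaxSamples 1).CounterSamples
    $local   = ($samples | Where-Object { $_.Path -like '*bytes from cache*' } |
                Measure-Object -Property CookedValue -Sum).Sum
    $wan     = ($samples | Where-Object { $_.Path -like '*bytes from server*' } |
                Measure-Object -Property CookedValue -Sum).Sum
    if (-not $local) { $local = 0 }
    if (-not $wan)   { $wan   = 0 }
    $total = $local + $wan
    $pct   = if ($total -gt 0) { [math]::Round(100 * $local / $total, 1) } else { 0 }
    New-Object PSObject -Property @{ FromBranch = $local; FromServer = $wan; SavingsPercent = $pct }
}

# Run the checks.
$status = Get-BranchCacheStatus
$status.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
Get-Service PeerDistSvc | Select-Object Name, Status    # PeerDistSvc is the BranchCache service
Get-BranchCacheEvents -Count 20 | Format-Table -Wrap
Get-BranchCacheSavings
```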

Question: Which tool should you use for monitoring BranchCache performance and bandwidth savings?


Lab B: Deploying BranchCache


Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso


Exercise 1: Configuring BranchCache in Distributed Cache Mode

Scenario

You are a server administrator at Contoso, Ltd. Your organization has a head office and many remote offices. Many of the remote offices are small and have low speed connectivity to the head office. For the smallest offices without a server, you are configuring BranchCache in Distributed Cache mode.

NYC-DC1 is the head office file server. NYC-CL1 and NYC-CL2 are the client computers located in a remote office.

Note: Due to lab constraints, some additional configuration is required to simulate the slow connection between the clients and the head office server.

The main tasks for this exercise are as follows:

1. Configure NYC-DC1 to use BranchCache.

2. Simulate a slow link to the remote office.

3. Enable a file share for BranchCache.

4. Configure client to use BranchCache in distributed mode.

5. Configure client firewall rules for BranchCache.

6. Apply BranchCache settings to the clients.

7. Test BranchCache in Distributed Caching mode.

Task 1: Configure NYC-DC1 to use BranchCache.

1. On NYC-DC1, use Server Manager to add the BranchCache for network files role service.

2. Run gpedit.msc to open the Local Group Policy Editor console.

3. In the Local Group Policy Editor console, in Computer Configuration \ Administrative Templates \ Network \ Lanman Server, enable Hash Publication for BranchCache only for shared folders on which BranchCache is enabled.

4. Leave the Local Group Policy Editor console open for the next task.

Task 2: Simulate a slow link to the remote office.

1. On NYC-DC1, in the Local Group Policy Editor console, in Computer Configuration \ Windows Settings \ Policy-based QoS, create a new policy with the following settings:

• Policy name: Limit to 100 KBps

• Outbound Throttle Rate: 100 KBps

• All other settings as default

Task 3: Enable a file share for BranchCache.

1. On NYC-DC1, use Windows Explorer to browse to C:\.

2. Open the properties of the Share folder.

3. On the Sharing tab, open Advanced Sharing.

4. Click Caching and enable BranchCache.


Task 4: Configure clients to use BranchCache in distributed cache mode.

1. Open the Group Policy Management console in Administrative Tools.

2. In the Group Policy Management console, create a new GPO named BranchCache that is linked to Contoso.com.

3. Edit the BranchCache GPO and browse to Computer Configuration \ Policies \ Administrative Templates \ Network \ BranchCache.

4. To enable BranchCache on all clients, enable the Turn on BranchCache setting.

5. To configure the clients to use BranchCache in distributed mode, enable the Set BranchCache Distributed Cache mode setting.

6. To force the client to use BranchCache for all file transfers, enable the Configure BranchCache for network files setting and set it to 0 milliseconds. This setting is required to simulate access from a remote office and is not typically required.

7. Leave the Group Policy Management Editor open for the next task.

Task 5: Configure client firewall rules for BranchCache.

1. On NYC-DC1, in the Group Policy Management Editor, browse to Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Windows Firewall with Advanced Security \ Windows Firewall with Advanced Security, and then click Inbound Rules.

2. Create a new predefined inbound rule for BranchCache–Content Retrieval (Uses HTTP).

3. Create a new predefined inbound rule for BranchCache–Peer Discovery (Uses WSD).

Task 6: Apply BranchCache settings to the clients.

1. Start 6419B-NYC-CL1. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd.

2. On NYC-CL1, open a command prompt.

3. To force updating of Group Policy objects, type the following code and then press ENTER.

gpupdate /force

4. To verify that BranchCache is enabled and properly configured, type the following code and thenpress ENTER.

netsh branchcache show status all

5. Restart NYC-CL1. After the computer restarts, log on as Contoso\Administrator with the password of Pa$$w0rd.

6. Open the Performance administrative tool and remove all existing counters from Performance Monitor.

7. Add all of the BranchCache counters to Performance Monitor.

8. Change Performance Monitor to Report view.

9. Start 6419B-NYC-CL2. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd.

10. On NYC-CL2, open a command prompt.

11. To force updating of Group Policy objects, type the following code and then press ENTER.


gpupdate /force

12. To verify that BranchCache is enabled and properly configured, type the following code and then press ENTER.

netsh branchcache show status all

13. Restart NYC-CL2. After the computer restarts, log on as Contoso\Administrator with the password of Pa$$w0rd.

14. Open the Performance administrative tool and remove all existing counters from Performance Monitor.

15. Add all of the BranchCache counters to Performance Monitor.

16. Change Performance Monitor to Report view.

Task 7: Test BranchCache in distributed caching mode.

1. On NYC-CL1, browse to \\NYC-DC1.contoso.com\Share.

2. Copy mspaint.exe from the share on NYC-DC1 to the desktop of NYC-CL1.

3. Review the performance statistics in Performance Monitor. Notice that the file is downloaded from the server.

4. To verify that there is now content in the cache, type the following code and press ENTER.

netsh branchcache show status all

5. On NYC-CL2, browse to \\NYC-DC1.contoso.com\Share.

6. Copy mspaint.exe from the share on NYC-DC1 to the desktop of NYC-CL2.

7. Review the performance statistics in Performance Monitor. Notice that the file is downloaded from cache.

8. To view the BranchCache statistics, type the following code and then press ENTER.

netsh branchcache show status all

Results: In this exercise, you configured BranchCache in the Distributed Cache mode and verified that it is functional.
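The lab has you judge Task 7 by reading the counters in Performance Monitor. As an added example that is not part of the 6419B lab, the following PowerShell script, run on NYC-CL1 and then on NYC-CL2 after Task 6, checks the service mode that netsh reports, samples the BranchCache counters before and after copying mspaint.exe from the share, and prints which counter the bytes moved through. It assumes the lab's share, file and counter names, and that the netsh status output contains the words "Distributed Caching" for this mode.

```powershell
# Added example for the 6419B lab, not Microsoft's lab code. Run in an elevated
# PowerShell prompt on NYC-CL1 (expect bytes from the server) and then on
# NYC-CL2 (expect bytes from the peer's cache). Assumes the lab's share, file
# and counter names; the 'Distributed Caching' string in the netsh output is an
# assumption about the tool's wording.

$share = '\\NYC-DC1.contoso.com\Share'
$file  = 'mspaint.exe'
$dest  = Join-Path $env:USERPROFILE 'Desktop'

# The same counters the lab has you add to Performance Monitor in Report view.
$counters = @(
    '\BranchCache\Retrieval: Bytes from Server',
    '\BranchCache\Retrieval: Bytes from Cache',
    '\BranchCache\Retrieval: Bytes Served'
)

function Get-BranchCacheSample {
    # Returns a hashtable of counter path -> current cooked value.
    $sample = @{}
    foreach ($c in $counters) {
        $sample[$c] = (Get-Counter -Counter $c).CounterSamples[0].CookedValue
    }
    return $sample
}

# 1. Confirm the GPO actually landed before measuring anything. The lab checks
#    this by reading 'netsh branchcache show status all'; here the same output
#    is tested for the distributed-cache service mode instead of eyeballed.
$status = netsh branchcache show status all
if (-not ($status -match 'Distributed Caching')) {
    Write-Warning 'BranchCache is not reporting Distributed Caching mode. Re-run gpupdate /force and check the BranchCache GPO link before continuing.'
}

# 2. Baseline, copy the file over SMB, then sample again.
$before = Get-BranchCacheSample
Copy-Item -Path (Join-Path $share $file) -Destination $dest -Force
Start-Sleep -Seconds 2   # give the service a moment to update its counters
$after = Get-BranchCacheSample

# 3. Report the deltas. On the first client only 'Bytes from Server' should
#    grow; on the second client 'Bytes from Cache' should grow instead, and the
#    first client's 'Bytes Served' rises because it supplied the segments.
foreach ($c in $counters) {
    '{0,-45} {1,12:N0} bytes' -f $c, ($after[$c] - $before[$c])
}
```

If the client has already cached the file from an earlier run, clear it with `netsh branchcache flush` first, otherwise the copy is served from the local cache and none of the retrieval counters move.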


Exercise 2: Configuring BranchCache in Hosted Cache Mode (Optional)

Scenario

You are a server administrator at Contoso, Ltd. Your organization has a head office and many remote offices. Many of the remote offices are small and have low speed connectivity to the head office. For the remote offices with a server, you are configuring BranchCache in Hosted Cache mode.

NYC-DC1 is the head office file server. NYC-CL1 and NYC-CL2 are the client computers located in the branch office. NYC-SVR1 is the BranchCache hosted cache server in the remote office.

The main tasks for this exercise are as follows:

1. Configure clients to use BranchCache in hosted cache mode.

2. Install the BranchCache feature on NYC-SVR1.

3. Request a certificate and link it to BranchCache.

4. Start the BranchCache host server.

5. Configure Performance Monitor on NYC-SVR1.

6. Clear BranchCache data and performance statistics on NYC-CL1.

7. Clear BranchCache data and performance statistics on NYC-CL2.

8. Test BranchCache in Hosted Caching mode.

Task 1: Configure clients to use BranchCache in hosted cache mode.

1. On NYC-DC1, open the Group Policy Management administrative tool.

2. Edit the BranchCache GPO that is linked to Contoso.com.

3. Browse to Computer Configuration \ Policies \ Administrative Templates \ Network \ BranchCache.

4. Modify the Set BranchCache Distributed Cache mode setting to Not Configured.

5. Enable the Set BranchCache Hosted Cache mode setting and configure NYC-SVR1.contoso.com as the hosted cache.

6. On NYC-CL1, open a command prompt, type the following code, and then press ENTER.

gpupdate /force

7. To verify the configuration, type the following code, and then press ENTER.

netsh branchcache show status all

8. On NYC-CL2, open a command prompt, type the following code, and then press ENTER.

gpupdate /force

9. To verify the configuration, type the following code, and then press ENTER.

netsh branchcache show status all

Task 2: Install the BranchCache feature on NYC-SVR1.

1. Start 6419B-NYC-SVR1. After the computer starts, log on as Contoso\Administrator with the password of Pa$$w0rd.


2. On NYC-SVR1, use Server Manager to add the BranchCache feature.

Task 3: Request a certificate and link it to BranchCache.

1. On NYC-SVR1, open a blank Microsoft Management Console and add the Certificates snap-in for the Computer Account.

2. At the Personal node in the Certificates snap-in, request a new Computer certificate.

3. In the Personal node of the Certificates snap-in, open the new certificate.

4. On the Details tab, identify the Thumbprint and copy the value to the clipboard.

5. Open a command prompt.

6. Type the following code and then press ENTER. You can paste the certificate hash value from the certificate in place of certificatehashvalue, but you must remove the spaces.

netsh http add sslcert ipport=0.0.0.0:443 certhash=certificatehashvalue appid={d673f5ee-a714-454d-8de2-492e4c1bd8f8}

7. To verify the configuration, type the following code, and then press ENTER.

netsh branchcache show status all

Task 4: Start the BranchCache Host Server.

1. On NYC-DC1, open Active Directory Users and Computers.

2. In Contoso.com, create a new OU named BranchCacheHost.

3. Move the computer account for NYC-SVR1 into the BranchCacheHost OU.

4. Open the Group Policy Management administrative tool.

5. Block inheritance on the BranchCacheHost OU.

6. Restart NYC-SVR1 and log on as Contoso\Administrator with the password of Pa$$w0rd.

7. To enable NYC-SVR1 as a BranchCache Hosted Cache server, open a command prompt, type the following code, and then press ENTER.

netsh branchcache set service hostedserver

Task 5: Configure Performance Monitor on NYC-SVR1.

1. On NYC-SVR1, open the Performance administrative tool and remove all existing counters from Performance Monitor.

2. Add all of the BranchCache counters to Performance Monitor.

3. Change Performance Monitor to Report view.

Task 6: Clear BranchCache data and performance statistics on NYC-CL1.

1. On NYC-CL1, open a command prompt.

2. To clear the BranchCache data, at the command prompt, type the following code, and then press ENTER.

netsh branchcache flush


3. To clear the BranchCache performance statistics, stop and start the BranchCache service.

4. From the Start menu, open Manage offline files.

5. Delete temporary files from the Disk Usage tab.

6. Open the Performance administrative tool and remove all existing counters from Performance Monitor.

7. Add all of the BranchCache counters to Performance Monitor.

8. Change Performance Monitor to Report view.

Task 7: Clear BranchCache data and performance statistics on NYC-CL2.

1. On NYC-CL2, open a command prompt.

2. To clear the BranchCache data, at the command prompt, type the following code, and then press ENTER.

netsh branchcache flush

3. To clear the BranchCache performance statistics, stop and start the BranchCache service.

4. From the Start menu, open Manage offline files.

5. Delete temporary files from the Disk Usage tab.

6. Open the Performance administrative tool and remove all existing counters from Performance Monitor.

7. Add all of the BranchCache counters to Performance Monitor.

8. Change Performance Monitor to Report view.

Task 8: Test BranchCache in hosted caching mode.

1. On NYC-CL1, browse to \\NYC-DC1.contoso.com\Share.

2. Copy MSpaint.exe to the desktop.

3. Read the performance statistics on NYC-CL1. This file was retrieved from NYC-DC1 (Retrieval: Bytes from Server). After the file was cached locally, it was passed up to the hosted cache (Retrieval: Bytes Served).

4. On NYC-CL2, browse to \\NYC-DC1.contoso.com\Share.

5. Copy MSpaint.exe to the desktop.

6. Read the performance statistics on NYC-CL2. This file was obtained from the hosted cache (Retrieval: Bytes from Cache).

7. Read the performance statistics on NYC-SVR1. This server has offered cached data to clients (Hosted Cache: Client file segment offers made).

To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.


3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6419B-NYC-SVR1, 6419B-NYC-CL1, and 6419B-NYC-CL2.


Module Review and Takeaways

Review Questions

1. What is the benefit of implementing an RODC at a branch office?

2. How does BranchCache differ from Distributed File System (DFS)?

3. Why would you want to implement BranchCache in hosted cache mode rather than distributed cache mode?

Real-World Issues and Scenarios

1. Your organization has just created a remote office with four users and no server. Users are complaining that access to files in the head office is very slow. How can you speed up access to files for users in the remote office?

2. Your organization has just created a remote office with 15 users. This office has a local file server. The users are complaining that their logon process is very slow. How can you speed up the authentication process for users in the remote office?

3. Your organization has just created a remote office with 15 users. This office has a local domain controller that does not have a secure storage location. An application run in the remote office modifies Active Directory Domain Services data. How can you ensure that the Active Directory Domain Services data is secure?

Best Practices Related to RODC Password Caching

Supplement or modify the following best practices for your own work situations:

• Do not cache passwords for Domain Admins and other sensitive accounts on an RODC.

• Use the option to display accounts that have been authenticated to an RODC to identify potential accounts that should be cached on the RODC.


• Review the list of accounts whose passwords are stored on an RODC and verify that sensitive accounts are not being cached.

• Remember to cache the passwords of computer accounts in remote offices.

• Use the Resultant Policy tab to verify that the password for a particular user can be cached on an RODC.

Windows Server 2008 R2 Features Introduced in this Module

Windows Server 2008 R2 feature Description

BranchCache A new feature in Windows Server 2008 R2 and Windows 7 that reduces WAN link utilization for remote offices. In some cases, it can also improve application performance for remote office users that access data in the head office. It can be configured in Distributed Cache Mode or Hosted Cache Mode.


Monitoring and Maintaining Windows Server 2008 13-1

Module 13
Monitoring and Maintaining Windows Server 2008

Contents:

Lesson 1: Planning Monitoring Tasks 13-3

Lesson 2: Calculating a Server Baseline 13-9

Lesson 3: Interpreting Performance Counters 13-18

Lesson 4: Selecting Appropriate Monitoring Tools 13-26

Lab: Creating a Baseline of Performance Metrics 13-33


Module Overview

When a system failure or an event that affects system performance occurs, you need to be able to repair the problem or resolve the issue quickly and efficiently. With so many variables and possibilities in the modern network environment, the ability to determine the root cause quickly often depends on having an effective performance monitoring methodology and toolset.

Performance-monitoring tools are used to identify components that require additional tuning and troubleshooting. By identifying components that require additional tuning, you can improve the efficiency of your servers.

Objectives

After completing this module, you will be able to:

• Plan monitoring tasks.

• Calculate server baselines.

• Interpret performance counters.

• Select appropriate monitoring tools.


Lesson 1

Planning Monitoring Tasks

Monitoring your server environment provides many benefits. You will be able to identify potential issues before they escalate and affect the users in your organization. You will be able to provide performance and reliability reports by using historical statistics from your environment when requested. You will also be able to assess the performance status of your environment at any given time, whether or not a specific issue is occurring. These benefits come from a well-planned and tested monitoring environment. If your monitoring environment is not properly planned and tested, the act of monitoring performance itself can cause potential issues in your environment.

This lesson will introduce you to the details involved with planning monitoring tasks and how you can ensure that your monitoring environment is accurate, stable, and effective.

Objectives

After completing this lesson, you will be able to:

• Describe the reasons for monitoring.

• Identify the types of monitoring.

• Describe the considerations for planning for event monitoring.


Reasons for Monitoring Windows Servers

Key Points

Monitoring servers provides a number of benefits, and there are a number of different reasons you might monitor a Windows server.

Information Technology (IT) Infrastructure Health

The effective operation of your server infrastructure is often critical to your organization’s business goals. Properly functioning and configured hardware, and adequate use and assignment of resources play an important part in maintaining the consistency of server operation.

By using performance-monitoring tools, you can record performance statistics that allow you to determine when a server is really slower at responding to user requests, rather than relying on user perception of "slow" and "fast" response times. You can use these statistics to determine which component or components of your server infrastructure may be the source of performance-related issues.

Service Level Agreement Monitoring

Many organizations maintain service level agreements (SLAs) that dictate the required availability for servers and server-hosted applications. These SLAs may contain stipulations regarding server availability (NYC-DC1 must be available 99.995% of business hours) or they may specify performance-related requirements (the average query time for this database server must be less than five seconds for any given day).

In many cases, violation of a service level agreement results in a reduction of payment for services or similar penalties. As a result, you want to ensure that the SLAs imposed upon your environment are met on a continuing basis.

Performance monitoring tools can be used to monitor the specific areas related to your SLAs and help you identify issues that could affect your SLA before they become a problem.


Planning for Future Requirements

The business and technical needs of your organization are subject to change. New initiatives may require new servers to host new applications or increased storage within your environment.

Monitoring these areas over a period of time allows you to effectively assess how your server resources are currently being utilized. Then, you can make an informed decision on how your server environment needs to grow or otherwise change to meet future requirements.

Identifying Issues

Troubleshooting problems that arise in your server environment can be a tedious and potentially frustrating task. Issues that affect your users need to be resolved as quickly as possible and with minimal impact on the business needs of your organization.

Troubleshooting an issue based solely on symptoms provided by users or anecdotal evidence often leads to misdiagnosed causes and wasted time and resources. Monitoring your server environment allows you to take a more informed and proactive approach to troubleshooting. When you have an effective monitoring solution implemented, you can identify issues within your infrastructure before they cause a problem for your end users. You can also have more concrete evidence of reported issues and narrow down the cause of problems, saving you investigative time.

Question: Can you list four troubleshooting procedures that would benefit from server monitoring?


Types of Monitoring

Key Points

You should select the most appropriate tool to suit the type of monitoring that is required.

There are different methods that you can use to collect performance data from servers in your organization. You should use each of these methods to suit your requirements.

Historical Data

Reviewing collected or historical data can be useful for tracking trends over time, determining when to relocate resources, and deciding when to invest in new hardware to meet the changing requirements of your business.

Historical data may be in the form of Windows event logs or performance data collected over a period of time and retained for reference.

You should use historical performance data to assist you when you plan future server requirements. Historical data is also useful for establishing a baseline for your server’s performance, which allows you to make accurate assessments of server performance when performing real-time monitoring.

Real-Time Data

Real-time or interactive monitoring of systems is useful when you want to determine the effect of performing a specific action on a server or if you need to troubleshoot specific events.

Real-time monitoring allows you to assess your infrastructure and gain insight into what is happening on your servers currently. Real-time monitoring can be used to identify an issue with a malfunctioning application or failing hardware component. This type of monitoring can also help you to ensure that you are meeting SLAs at any given point in time.

Several tools are available to assist you in monitoring your server environment, both historical and real time. The following is a list of tools to assist you in monitoring your server environment.


Tool Description

Event Viewer Event Viewer collects information that relates to server operations. This data can help to identify performance issues on a server. You should search for specific events in the event log file to locate and identify problems.

Task Manager Task Manager allows you to monitor the real-time aspects of your server. You can view information related to hardware performance, and the applications and processes that are currently running on your server.

Resource Monitor Resource Monitor allows you to look deeper into the real-time performance of your server. It provides performance information related to the CPU, memory, hard disk, and network components of your server.

Performance Monitor Performance Monitor is the most robust monitoring tool in Windows Server 2008. It allows for both real-time and historical monitoring of your server’s performance and configuration data.

Reliability Monitor Reliability Monitor provides a historical view of your server’s reliability-related information, such as event log errors and warnings.


Planning for Event Monitoring

Key Points

Planning for event monitoring means ensuring that your monitoring activities meet your technical needs and do not interfere with your organization’s business requirements.

You should ensure that your systems are cost-effective for your organization. Your business may achieve staff reductions through improved management that is realized by efficient event monitoring. You can prevent service and system outages by ensuring that resources retain enough capacity to meet SLAs.

You should consider the cost that monitoring events incurs. The cost that is incurred to monitor systems is an investment in ensuring that your systems continue to run effectively and efficiently. You can measure costs by using several metrics, including:

• Time allocated to personnel to perform monitoring tasks.

• Money invested in monitoring systems.

By using automated systems, you can monitor servers proactively and possibly reduce the overall numberof staff required to perform monitoring.

By providing a monitoring environment for your server infrastructure to respond automatically to events,you create an environment that allows you to be flexible and dynamic in your response to issues relatedto your servers. Windows Server 2008 enables dynamic system responses through many of the included

tools to automatically respond to events with actions like sending e-mail messages, recording an event inthe event log, or running a custom command or management task.
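The automated response described above, as an added example that is not from the handbook: a scheduled task triggered by an event, whose action records its own event and sends an e-mail. The event source name, script path, SMTP relay and recipient are placeholders, and the script assumes PowerShell 2.0 or later (Get-WinEvent, Write-EventLog and Send-MailMessage) on top of the schtasks.exe that ships with Windows Server 2008.

```powershell
# Added example, not from the 6419B handbook: an automated response to an event.
# Registers a custom event source, writes a responder script, and attaches it to a
# task that Task Scheduler starts whenever an Error-level event (Level=2) is written
# to the System log. Assumptions: PowerShell 2.0 or later (Get-WinEvent,
# Write-EventLog, Send-MailMessage), schtasks.exe as shipped with Windows Server 2008,
# and placeholder values for the source name, script path, SMTP relay and recipient.
# Run once as a local administrator.

$source     = 'OpsMonitor'                          # assumed custom event source
$scriptPath = 'C:\Scripts\Respond-SystemError.ps1'  # assumed path, no spaces on purpose

# 1. Write-EventLog needs a registered source; register it once.
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

# 2. The responder: read the event that fired, record the action in the Application
#    log, then notify by e-mail. smtp.contoso.com and the recipient are placeholders.
$responder = @'
$last = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2 } -MaxEvents 1
$body = "Automated response on $env:COMPUTERNAME`r`n" +
        "Event $($last.Id) from $($last.ProviderName) at $($last.TimeCreated)`r`n" +
        $last.Message
Write-EventLog -LogName Application -Source 'OpsMonitor' -EventId 1000 `
    -EntryType Information -Message $body
Send-MailMessage -SmtpServer 'smtp.contoso.com' -From "$($env:COMPUTERNAME)@contoso.com" `
    -To '[email protected]' -Subject "System error on $env:COMPUTERNAME" -Body $body
'@
New-Item -ItemType Directory -Path (Split-Path $scriptPath) -Force | Out-Null
Set-Content -Path $scriptPath -Value $responder -Encoding ASCII

# 3. The event trigger. /EC is the channel, /MO an XPath filter over its events.
#    Level=2 matches every Error in the System log; narrow the filter to a provider
#    name and EventID in production, or every error will start the task.
schtasks.exe /Create /F /TN 'Respond to System errors' /SC ONEVENT /EC System `
    /MO '*[System[(Level=2)]]' /RU SYSTEM `
    /TR "powershell.exe -NonInteractive -ExecutionPolicy Bypass -File $scriptPath"
```

The task runs as SYSTEM so that it can write to the event log without a stored password; the responder script itself is therefore a privileged file and its folder should be writable by administrators only.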


Lesson 2

Calculating a Server Baseline

Calculating performance baselines for your server environment allows you to interpret real-time monitoring information more accurately. A baseline for your server's performance tells you what the performance monitoring statistics look like under normal use. A baseline is established by monitoring performance statistics over a period of time. When an issue or symptom occurs in real time, you can compare your real-time statistics to your baseline statistics and identify any anomalies.

This lesson discusses some of the key server components to measure. You will learn how to use analysis and planning techniques on collected performance metrics to improve your server infrastructure.
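The baseline workflow described above, as an added example that is not from the handbook: record counters over a period with a logman data collector, reduce the log to a mean and standard deviation per counter, and flag live values that fall outside that range. The counter list, collector name, output folder and the "3 standard deviations" rule are choices made for this example; Import-Counter and Get-Counter assume PowerShell 2.0 or later.

```powershell
# Added example, not from the 6419B handbook. Part 1 records a baseline with logman
# (built into Windows Server 2008); parts 2 and 3 reduce that log to per-counter
# statistics and compare a live sample against them. Assumptions: PowerShell 2.0
# or later (Import-Counter, Get-Counter); the collector name, output folder and
# the "3 standard deviations" rule are choices made for this example.

$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length',
    '\Memory\Pages/sec',
    '\Memory\Available MBytes',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
)

# --- Part 1: record the baseline (run once, as an administrator) ------------------
# A counter data collector sampling every 15 s into a binary log. Leave it running
# over a representative period (a full business cycle), then: logman stop ServerBaseline
$cfg = 'C:\PerfLogs\baseline-counters.txt'
New-Item -ItemType Directory -Path 'C:\PerfLogs' -Force | Out-Null
Set-Content -Path $cfg -Value $counters -Encoding ASCII
logman.exe create counter ServerBaseline -cf $cfg -si 00:00:15 -f bin -o C:\PerfLogs\ServerBaseline
logman.exe start ServerBaseline

# --- Part 2: per-counter mean and standard deviation from the baseline log ---------
function ConvertTo-CounterKey([string]$Path) {
    # Samples come back as \\SERVER01\Memory\Pages/sec; drop the machine part so
    # baseline and live samples key on the same string.
    return ($Path -replace '^\\\\[^\\]+', '')
}

function Get-BaselineStats([string]$LogPath) {
    $values = @{}
    $samples = Import-Counter -Path $LogPath | ForEach-Object { $_.CounterSamples }
    foreach ($s in $samples) {
        $key = ConvertTo-CounterKey $s.Path
        if (-not $values.ContainsKey($key)) { $values[$key] = @() }
        $values[$key] += [double]$s.CookedValue
    }
    $stats = @{}
    foreach ($key in $values.Keys) {
        $mean = ($values[$key] | Measure-Object -Average).Average
        $sq   = $values[$key] | ForEach-Object { ($_ - $mean) * ($_ - $mean) }
        $stats[$key] = @{ Mean = $mean; StdDev = [math]::Sqrt(($sq | Measure-Object -Average).Average) }
    }
    return $stats
}

# --- Part 3: compare a short live sample with the baseline -------------------------
function Compare-WithBaseline($Stats, [double]$Sigma = 3) {
    Get-Counter -Counter $counters -SampleInterval 5 -MaxSamples 6 |
        ForEach-Object { $_.CounterSamples } |
        Group-Object { ConvertTo-CounterKey $_.Path } |
        ForEach-Object {
            $b = $Stats[$_.Name]
            if ($b -eq $null) { return }          # counter not in the baseline, skip it
            $now   = ($_.Group | Measure-Object -Property CookedValue -Average).Average
            $upper = $b.Mean + $Sigma * $b.StdDev
            $lower = $b.Mean - $Sigma * $b.StdDev  # a drop (Available MBytes) matters too
            New-Object PSObject -Property @{
                Counter  = $_.Name
                Baseline = [math]::Round($b.Mean, 2)
                Live     = [math]::Round($now, 2)
                Anomaly  = ($now -gt $upper) -or ($now -lt $lower)
            }
        }
}

# Usage, after the collector has been stopped (logman numbers the output file):
# $stats = Get-BaselineStats 'C:\PerfLogs\ServerBaseline_000001.blg'
# Compare-WithBaseline $stats | Format-Table Counter, Baseline, Live, Anomaly -AutoSize
```

A counter whose standard deviation in the baseline is zero never moved during the collection period, so any live movement is reported; if that is noise for your workload, extend the baseline until it covers the peaks the text describes (month end, payroll runs) before relying on the comparison.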

Objectives

After completing this lesson, you will be able to:

• Describe strategies for tuning and testing performance.

• Identify performance bottlenecks.

• Describe common performance metrics to monitor.

• Describe the reasons for analyzing performance trends.

• Describe the reasons to plan for future capacity requirements.


Strategies for Tuning and Testing Performance

Key Points

Tuning and testing server performance is critical to the effective operation of your server environment. Done correctly, tuning and testing performance can identify and remove potential hardware-related issues, ensure that your server is using its resources effectively, and provide you with information you can use to prevent performance-related issues from affecting your servers.

Insufficient memory is a common cause of serious performance problems in computer systems. If you suspect other problems, check memory counters first to rule out a memory shortage. Poor response time on a workstation is most likely to result from memory and processor problems; servers are more susceptible to disk and network problems.

Before you start tuning, consider the following recommendations:

• Make one change at a time. In some cases, a problem that appears to relate to a single component might be the result of bottlenecks involving multiple components. For this reason, it is important to resolve problems individually. Making multiple changes simultaneously may make it impossible to assess the impact of each individual change.

• Repeat monitoring after every change. This is important for understanding the effect of the change and for determining whether additional changes are required. Proceed methodically, making one change to the identified resource at a time and then testing the effects of the change on performance. Because tuning changes can affect other resources, it is important to keep records of the changes you make and to review them after each change.

• In addition to monitoring, review event logs, because some performance problems generate output that you can display in Event Viewer.

• To see whether network components are playing a part in performance problems, compare the performance of programs that run over the network with locally run programs.



Identifying Performance Bottlenecks

Key Points

Analysis of your monitoring data can reveal problems such as excessive demand on certain hardware resources, resulting in bottlenecks.

Causes of Bottlenecks

Demand may become extreme enough to cause resource bottlenecks for the following reasons:

• Resources are insufficient, and additional or upgraded components are required.

• Resources are not sharing workloads evenly and need to be balanced.

• A resource is malfunctioning and needs to be replaced.

• A program is monopolizing a particular resource; this might require substituting another program, having a developer rewrite the program, adding or upgrading resources, or running the program during periods of low demand.

• A resource is incorrectly configured and configuration settings need to be changed.

By monitoring the basic hardware components of your servers, you can determine the most likely bottleneck that is affecting the performance of your servers. By adding capacity to components, you can tune servers to overcome initial limitations. The following table lists suggestions for improving performance on various types of hardware.

Hardware: Suggestions

Processors: You may be able to overcome performance bottlenecks that occur with processors by:

  o Adding processors.

  o Increasing the speed of processors.

  o Reducing or controlling processor affinity, that is, the number of processor cores an application uses. Limiting an application to only some of the processor cores frees the remaining cores for other applications to use.

Disks: You may be able to increase disk performance by:

  o Adding faster disks.

  o Performing routine maintenance tasks such as defragmenting.

  o Moving data, applications, and the page file onto separate disks.

Memory: You can relieve memory bottlenecks by adding physical memory. If the amount of memory requested exceeds the physical memory, information is written to virtual memory (the page file on disk), which is slower than physical memory. However, increasing a computer's virtual memory can allow applications that consume a large amount of memory to run on a computer with limited physical memory. Alternatively, you can reduce the load on the server by reducing the number of users on the server or through application tuning.

Networks: You can reduce network bottlenecks by:

  o Upgrading network infrastructure, including network adapters, to support higher network bandwidth (100 Mbps to 1 Gbps, for example).

  o Installing multiple network adapters in a server to distribute network load.

  o Reducing the amount of traffic.

  You should consider the limitations of network bandwidth and segment networks where appropriate. You can increase network throughput by tuning your network adapter and other network devices such as switches, firewalls, and routers.


Common Performance Metrics

Key Points

You should familiarize yourself with the basic performance measurement objects and counters used to monitor the main hardware components.

There are a large number of measurement objects available within Performance Monitor that relate to all aspects of the hardware, operating system, and installed applications on a server.

The following table lists some common performance objects to measure:

Object: Description

Cache: File system cache. The cache is an area of physical memory that is used to store recently used data to permit access to the data without having to read from the disk.

Memory: Physical random access memory (RAM), virtual memory, and disk-related memory counters. Includes paging, which is the movement of pages of code and data between the disk and physical memory.

Objects: Logical objects in the system, including threads and processes.

Paging File: Reserved space on the disk that complements committed physical memory.

Physical Disk: Hard disk or fixed drives as the computer sees them (individual disks behind a hardware RAID controller may not be visible to these counters).

Process: Running applications and system processes. All the threads in a process share the same address space and have access to the same data.

Processor: Aspects of processor activity. Each processor is represented as an instance of the object.

Server: Communication between the local computer and the network, as seen by the Server service.

System: Counters that apply to more than one instance of component processes on the computer.

Thread: Counters that measure aspects of thread behavior. A thread is the basic object that runs instructions on a processor. All running processes have at least one thread.


What Is a Performance Trend?

Key Points

You should give careful consideration to the value of performance data to ensure that it reflects the real server environment.

You should consider performance analysis alongside business or technology growth and upgrade plans. It may be possible to reduce the number of servers in operation after you have measured performance and assessed the required environment.

By analyzing performance trends, you can predict when existing capacity is likely to be exhausted. You should review historical analysis with consideration to your business and use this to determine when additional capacity is required. Some peaks are associated with one-time activities such as very large orders. Other peaks occur on a regular basis, such as a monthly payroll, and these peaks may require increased capacity to meet increasing numbers of employees.
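The trend projection described above, as an added example that is not from the handbook: fit a straight line to a series of periodic measurements of one counter and project when it reaches the limit you have set for it. The weekly values are constructed for illustration; in practice they come from a baseline log (Import-Counter) or a relog export, averaged per period.

```powershell
# Added example, not from the 6419B handbook. Fits a least-squares line to one
# measurement per period (oldest first) and projects how many periods remain
# until the value reaches a limit. The weekly series at the end is constructed.

function Get-CapacityProjection {
    param(
        [double[]]$Values,   # one measurement per period, oldest first
        [double]$Limit       # value at which the resource is considered exhausted
    )
    $n = $Values.Count
    if ($n -lt 2) { throw 'At least two measurements are needed for a trend.' }

    # Least squares: slope = sum((x - xMean)(y - yMean)) / sum((x - xMean)^2)
    $xs    = 0..($n - 1)
    $xMean = ($xs | Measure-Object -Average).Average
    $yMean = ($Values | Measure-Object -Average).Average
    $sxy = 0.0
    $sxx = 0.0
    for ($i = 0; $i -lt $n; $i++) {
        $sxy += ($xs[$i] - $xMean) * ($Values[$i] - $yMean)
        $sxx += ($xs[$i] - $xMean) * ($xs[$i] - $xMean)
    }
    $slope     = $sxy / $sxx
    $intercept = $yMean - $slope * $xMean

    $result = New-Object PSObject -Property @{
        SlopePerPeriod = [math]::Round($slope, 3)
        Current        = $Values[$n - 1]
        Limit          = $Limit
        PeriodsToLimit = $null      # stays null when the trend moves away from the limit
    }
    # Only a trend heading towards the limit gives a finite projection; a rising
    # counter (processor time) and a falling one (free space) are both handled.
    $towards = ($Limit -gt $Values[$n - 1] -and $slope -gt 0) -or
               ($Limit -lt $Values[$n - 1] -and $slope -lt 0)
    if ($towards) {
        $cross = ($Limit - $intercept) / $slope          # period index where the line meets the limit
        $result.PeriodsToLimit = [math]::Round($cross - ($n - 1), 1)
    }
    return $result
}

# Constructed: weekly average "% Processor Time" over eight weeks on a server
# whose planning limit is 80% busy.
$weeklyCpu = 31, 34, 33, 38, 41, 40, 45, 48
Get-CapacityProjection -Values $weeklyCpu -Limit 80

# Constructed: weekly free space (GB) on a data volume, exhausted at 50 GB.
$weeklyFreeGb = 410, 402, 391, 385, 374, 360
Get-CapacityProjection -Values $weeklyFreeGb -Limit 50
```

A linear fit is only as good as the period it covers: run it over the series of period averages, not raw samples, and keep the regular peaks the text mentions (month end, payroll) inside the window so that the slope reflects them.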

Planning for future server capacity is a requirement for all organizations. Business planning often requires additional server capacity to meet targets. By aligning your IT strategy with the strategy of the business, you can support the business objectives.

You should plan server capacity to maximize the use of available space, power, and cooling. In many situations, the applications on a single physical server may not be consuming a significant amount of server resources. The underutilization of these resources means that your server environment is not operating as efficiently as it could. In this case, you should consider virtualizing your environment to reduce the number of physical servers that are required. You can consolidate servers by implementing 64-bit computing and utilizing Hyper-V™ in the Microsoft Windows Server® 2008 environment.


Planning for Future Capacity Requirements

Key Points

Capacity planning focuses on assessing server workload, the number of users that a server can support, and how to scale systems to support additional workload and users in the future.

New server applications and services affect the performance of your IT infrastructure. These services may receive dedicated hardware, although they often use the same local area network (LAN) and wide area network (WAN) infrastructure. Planning for future capacity should include all hardware components and how new servers, services, and applications affect the existing infrastructure. Factors such as power, cooling, and rack space are often overlooked during initial exercises to plan capacity expansion. You should consider how your servers can scale up and out to support an increased workload.

Tasks such as upgrading to Windows Server 2008 and updating operating systems may affect your servers and network. It is not unknown for an update to cause a problem with an application. Careful performance monitoring before and after updates are applied can identify such problems.

An expanding business requires you to provide support for more users. You should consider business requirements when you purchase hardware. This consideration will ensure that you can meet future business requirements by increasing the number of servers or by adding capacity to existing hardware.

Options for meeting capacity requirements include:

• More servers.

• Additional hardware.

• Reducing application loads.

• Reducing users.


Lesson 3

Interpreting Performance Counters

Implementing performance monitoring is the first step to having an accurate assessment of your server environment.

The second step is analyzing and interpreting performance monitoring information to derive useful information that allows you to better manage and maintain the servers you are responsible for.

This lesson takes a closer look at the performance counters used in performance monitoring to give you a better understanding of what they measure and what the statistics related to these counters can tell you about your environment.

Objectives

After completing this lesson, you will be able to:

• Describe object counters related to the central processing unit (CPU).

• Describe object counters related to memory.

• Describe object counters related to disk performance.

• Describe object counters related to network performance.

• Identify performance objects by server role.


Primary CPU Performance Counters

Key Points

CPU counters measure the server's CPU-related performance information and hardware-related events.

CPU Performance Counters

• Processor\% Processor Time. Processor\% Processor Time shows the percentage of elapsed time that the processor spent running non-idle threads. An instruction is the basic unit of execution in a processor, and a thread is the object that runs instructions. Code run to handle some hardware interrupts and trap conditions is included in this count. (The same measure for a single thread is Thread\% Processor Time.)

• Processor\Interrupts/sec. Processor\Interrupts/sec shows the rate, in incidents per second, at which the processor received and serviced hardware interrupts.

• System\Processor Queue Length. The System\Processor Queue Length counter is a rough indicator of the number of threads that are ready to run but are waiting for a processor. The processor queue length, sometimes called processor queue depth, reported by this counter is an instantaneous value that is representative only of a current snapshot of the processor, so it is necessary to observe this counter over a long period of time. Also, the System\Processor Queue Length counter reports the total queue length for all processors, not the length per processor, so divide it by the number of processors before judging it.


Primary Memory Performance Counters

Key Points

The Memory performance object consists of counters that describe the behavior of physical and virtual memory on the computer. Physical memory is the amount of RAM on the computer. Virtual memory consists of space in physical memory and on disk. Many of the memory counters monitor paging, which is the movement of pages of code and data between disk and physical memory. Excessive paging is a symptom of a memory shortage and can cause delays that interfere with all system processes.

Memory Performance Counters

• Pages/sec. Pages/sec shows the rate, in incidents per second, at which pages were read from or written to disk to resolve hard page faults. This counter is a primary indicator of the kinds of faults that cause system-wide delays. It is the sum of Pages Input/sec and Pages Output/sec. It is counted in numbers of pages, so it can be directly compared to other counts of pages, such as Page Faults/sec. It includes pages retrieved to satisfy faults in the file system cache (usually requested by applications) and non-cached mapped memory files.

• Available Bytes. Available Bytes shows the amount of physical memory, in bytes, immediately available for allocation to a process or for system use. It is equal to the sum of memory assigned to the standby (cached), free, and zero page lists.

• Committed Bytes. Committed Bytes shows the amount of committed virtual memory, in bytes. Committed memory is physical memory for which space has been reserved in the paging file in case it needs to be written to disk.

• Pool Nonpaged Bytes. Pool Nonpaged Bytes shows the size, in bytes, of the nonpaged pool, an area of system memory for objects that cannot be written to disk and must remain in physical memory as long as they are allocated. Pool Nonpaged Bytes is calculated differently than Process\Pool Nonpaged Bytes, so it might not equal Process(_Total)\Pool Nonpaged Bytes.


Primary Disk Performance Counters

Key Points

The LogicalDisk performance object consists of counters that monitor logical partitions of hard or fixed disk drives. Performance Monitor identifies logical disks by their drive letter, such as "C:".

The PhysicalDisk performance object consists of counters that monitor hard or fixed disk drives. Disks are used to store file, program, and paging data. They are read to retrieve these items, and are written to record changes to them. The values of physical disk counters are sums of the values of the logical disks (or partitions) into which they are divided.

Disk Performance Counters

• % Disk Read Time, % Disk Time, % Disk Write Time, % Idle Time. These counters are of little value when multiple physical drives are behind a logical disk. Imagine a subsystem of 100 physical drives presented to the operating system as five disks, each backed by a 20-disk RAID 0+1 array. Now imagine that the administrator spans those five disks into one logical disk, volume X. One can assume that any serious system that needs that many physical disks has at least one outstanding request to volume X at any given time. This makes the volume appear to be 100% busy and 0% idle, when in fact the 100-disk array could be up to 99% idle.

• Average Disk Bytes/{Read | Write | Transfer}. These counters collect average, minimum, and maximum request sizes. If possible, individual workloads or sub-workloads should be observed separately. Multimodal distributions cannot be differentiated by using average values if the request types are consistently interspersed.

• Average Disk Queue Length, Average Disk {Read | Write} Queue Length. These counters collect concurrency data, including burstiness and peak loads. Guidelines for queue lengths are given later in this module. These counters represent the number of requests in flight below the driver that takes the statistics. This means that the requests are not necessarily queued, but could actually be in service or completed and on the way back up the path.


Primary Network Performance Counters

Key Points

Most workloads require access to production networks to ensure communication with other applications and services, and to communicate with users. Network requirements include elements such as throughput, that is, the total amount of traffic that passes a given point on a network connection per unit of time.

Other network requirements include the presence of multiple network connections. Workloads might require access to several different networks that must remain secure. Examples include connections for:

• Public network access.

• Networks for performing backups and other maintenance tasks.

• Dedicated remote-management connections.

• Network adapter teaming for performance and failover.

• Connections to the physical host server.

• Connections to network-based storage arrays.

By monitoring the network performance counters, you can evaluate your network performance.

Network Performance Counters

The following are the network performance counters under Network Interface > [adapter name]:

• Bytes Received/sec.

• Bytes Sent/sec.

• Packets Received/sec.

• Packets Sent/sec.

• Output Queue Length. This counter is the length of the output packet queue (in packets). If this is longer than 2, delays occur. You should find the bottleneck and eliminate it if you can. Because NDIS queues the requests, this length should always be 0.

• Packets Received Errors. This counter is the number of incoming packets that contain errors that prevent them from being deliverable to a higher-layer protocol. A zero value does not guarantee that there are no receive errors. The value is polled from the network driver, and it can be inaccurate.
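The reading rules from this lesson's CPU, memory, disk and network counters, applied together in an added example that is not from the handbook. The processor queue is divided by the processor count because the counter is a total; Output Queue Length above 2 is taken from the text; the remaining thresholds (80% busy, 10% of RAM free, 1000 pages/sec, 2 queued disk requests) are rules of thumb chosen here, and the snapshot at the end is constructed. Get-Counter assumes PowerShell 2.0 or later.

```powershell
# Added example, not from the 6419B handbook. Applies the reading rules from this
# lesson to a snapshot of counter values: the processor queue is a total across all
# processors, so it is divided by the processor count; an Output Queue Length above
# 2 means delays; little available memory together with heavy paging points at a
# memory shortage. The thresholds (2 queued threads per processor, 80% busy, 10% of
# RAM free, 1000 pages/sec, 2 queued disk requests) are rules of thumb chosen for
# this example, not figures from the handbook, and the snapshot at the end is
# constructed. Live use assumes PowerShell 2.0 or later.

function Get-CounterSnapshot {
    # Average a few live samples so that one spike does not mislead the rules.
    $paths = '\System\Processor Queue Length',
             '\Processor(_Total)\% Processor Time',
             '\Memory\Pages/sec',
             '\Memory\Available MBytes',
             '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
             '\Network Interface(*)\Output Queue Length'
    $snap = @{}
    Get-Counter -Counter $paths -SampleInterval 2 -MaxSamples 5 |
        ForEach-Object { $_.CounterSamples } |
        Group-Object { $_.Path -replace '^\\\\[^\\]+', '' } |
        ForEach-Object { $snap[$_.Name] = ($_.Group | Measure-Object -Property CookedValue -Average).Average }
    return $snap
}

function Test-Bottleneck {
    param(
        [hashtable]$Snap,
        [int]$Processors  = [int]$env:NUMBER_OF_PROCESSORS,
        [int]$TotalMBytes = [int]((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    )
    $findings = @()

    # CPU: System\Processor Queue Length is not per processor, so normalise it first.
    $queuePerCpu = $Snap['\System\Processor Queue Length'] / $Processors
    $busy        = $Snap['\Processor(_Total)\% Processor Time']
    if ($queuePerCpu -gt 2 -and $busy -gt 80) {
        $findings += "CPU: $($queuePerCpu.ToString('0.00')) threads queued per processor at $busy% busy"
    }

    # Memory: a shortage shows as both low Available MBytes and sustained hard paging;
    # paging on its own can be normal file cache activity.
    $freePct = 100 * $Snap['\Memory\Available MBytes'] / $TotalMBytes
    $pages   = $Snap['\Memory\Pages/sec']
    if ($freePct -lt 10 -and $pages -gt 1000) {
        $findings += "Memory: $($freePct.ToString('0.0'))% of RAM available with $pages pages/sec"
    }

    # Disk: the queue-length guideline is per spindle; a RAID volume with many
    # drives can sustain a longer queue, so treat this as a prompt, not a verdict.
    $dq = $Snap['\PhysicalDisk(_Total)\Avg. Disk Queue Length']
    if ($dq -gt 2) { $findings += "Disk: average queue length $dq" }

    # Network: any adapter with packets waiting in its output queue.
    foreach ($key in $Snap.Keys) {
        if ($key -like '\Network Interface(*)\Output Queue Length' -and $Snap[$key] -gt 2) {
            $findings += "Network: $key = $($Snap[$key]) packets queued"
        }
    }
    return $findings
}

# Constructed snapshot for a 4-processor, 8 GB server: a CPU-bound workload that
# is also saturating one network adapter, while memory and disk are healthy.
$sample = @{
    '\System\Processor Queue Length'                         = 9
    '\Processor(_Total)\% Processor Time'                    = 92
    '\Memory\Pages/sec'                                      = 40
    '\Memory\Available MBytes'                               = 3200
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'           = 0.4
    '\Network Interface(Intel PRO 1000)\Output Queue Length' = 5
}
Test-Bottleneck -Snap $sample -Processors 4 -TotalMBytes 8192

# Live: Test-Bottleneck -Snap (Get-CounterSnapshot)
```

The function reports findings rather than a single verdict because, as the lesson notes, one component's symptom is often caused by another: a saturated adapter can raise processor time through interrupt handling, and the memory rule deliberately requires both low free memory and paging so that file cache activity alone is not called a shortage.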


Identifying Performance Objects by Server Role

Key Points

Specific server roles install a range of performance objects and associated counters.

Windows Server 2008 uses server roles to improve server efficiency and security. By identifying the role that a server performs, you can ensure that you measure the counters necessary to monitor its performance.

By using server roles, you ensure that you install and activate only the required components on your servers. Only the performance objects and counters that are relevant to the installed server roles are available to monitor. You should note that missing performance objects and counters are enabled by installing additional server roles or adding features.

Additional performance objects that are installed with each server role can assist with server monitoring.

The following table identifies common server roles and the performance objects that can be monitored to assess performance.

Server role and performance counters to monitor

Active Directory Domain Services (domain controller)
• If you notice slow write or read operations, check the following disk I/O counters under the PhysicalDisk category to see whether many queued disk operations exist:
  o Avg. Disk Queue Length
  o Avg. Disk Read Queue Length
  o Avg. Disk Write Queue Length
• If lsass.exe (Local Security Authority Subsystem) uses a lot of physical memory, check the following counters under the Database category to see how much memory is used to cache the Active Directory Domain Services database:
  o Database Cache % Hit
  o Database Cache Size (MB)

File Server
• File servers are typically heavily dependent on their physical disk systems for file read and write operations. Measure the following counters to ensure that the PhysicalDisk subsystem is keeping up with server demand:
  o % Disk Time
  o Avg. Disk Queue Length
  o Avg. Disk Bytes/Transfer
• Network performance is also a primary component of file server performance. Monitor these Network Interface counters to ensure that proper network bandwidth is available to the file server:
  o Bytes Received/sec
  o Bytes Sent/sec
  o Output Queue Length

Hyper-V (virtualization)
• Performance troubleshooting and tuning can be difficult on virtualized servers. Virtual hardware provides a less consistent monitoring environment than physical hardware.
• Two layers of performance monitoring are usually recommended in a virtualized scenario: one at the physical (host) server level to monitor key physical hardware components, and one at the virtualized server level to monitor the virtual hardware and its impact on the operating system and applications of the virtual server.

Web Server (IIS)
• Network-related performance counters are an important tool in measuring web server performance.
• Additionally, processor-related counters can be helpful in identifying issues where web server applications are running processor-intensive processes.
• The Web Service performance counters provide valuable information regarding requests to the web server, bandwidth consumed, and web server-specific statistics such as page-not-found errors.
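The following script is an added example and is not part of the handbook. It samples the role-specific counters listed above with Get-Counter (available from PowerShell 2.0 on Windows Server 2008 R2) and flags averages that exceed a threshold. The thresholds, the -Role parameter, the Hyper-V host counters and the "lsass" instance name of the Database counter set are assumptions for illustration; treat the thresholds as a starting point to be replaced by values from your own baseline.

```powershell
# Added example (not from the handbook): sample the role-specific counters from
# the table above with Get-Counter and flag averages that exceed a threshold.
# Thresholds, the -Role parameter and the Hyper-V host counters are assumptions.
param(
    [ValidateSet('ADDS', 'FileServer', 'HyperVHost', 'IIS')]
    [string]$Role = 'FileServer',
    # Remote sampling needs membership in Performance Log Users (or Administrators)
    # on the target and the Remote Registry service running there.
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Samples = 5,
    [int]$IntervalSeconds = 15
)

# Counter sets such as "Database" (instance "lsass" on a DC, assumed here) and
# "Web Service" exist only where the corresponding role is installed.
$roleCounters = @{
    ADDS = @(
        '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
        '\PhysicalDisk(_Total)\Avg. Disk Read Queue Length',
        '\PhysicalDisk(_Total)\Avg. Disk Write Queue Length',
        '\Database(lsass)\Database Cache % Hit',
        '\Database(lsass)\Database Cache Size (MB)'
    )
    FileServer = @(
        '\PhysicalDisk(_Total)\% Disk Time',
        '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
        '\PhysicalDisk(_Total)\Avg. Disk Bytes/Transfer',
        '\Network Interface(*)\Bytes Received/sec',
        '\Network Interface(*)\Bytes Sent/sec',
        '\Network Interface(*)\Output Queue Length'
    )
    HyperVHost = @(   # host-level layer; run the guest's own role set inside the VM
        '\Hyper-V Hypervisor Logical Processor(_Total)\% Total Run Time',
        '\Hyper-V Hypervisor Virtual Processor(*)\% Total Run Time',
        '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
    )
    IIS = @(
        '\Processor(_Total)\% Processor Time',
        '\Network Interface(*)\Bytes Total/sec',
        '\Web Service(_Total)\Current Connections',
        '\Web Service(_Total)\Bytes Total/sec',
        '\Web Service(_Total)\Not Found Errors/sec'
    )
}

# Illustrative warning thresholds (assumed), keyed on the bare counter name.
$thresholds = @{
    'Avg. Disk Queue Length'       = 2
    'Avg. Disk Read Queue Length'  = 2
    'Avg. Disk Write Queue Length' = 2
    '% Disk Time'                  = 80
    'Output Queue Length'          = 2
    '% Processor Time'             = 85
    '% Total Run Time'             = 85
    'Not Found Errors/sec'         = 5
}

$data = Get-Counter -Counter $roleCounters[$Role] -ComputerName $ComputerName `
                    -SampleInterval $IntervalSeconds -MaxSamples $Samples

# Average every counter instance across the samples and list outliers first.
$data |
    ForEach-Object { $_.CounterSamples } |
    Group-Object -Property Path |
    ForEach-Object {
        $avg   = ($_.Group | Measure-Object -Property CookedValue -Average).Average
        $name  = ($_.Name -split '\\')[-1]      # last path element is the counter name
        $limit = $thresholds[$name]             # hashtable keys are case-insensitive
        $status = 'ok'
        if ($limit -ne $null -and $avg -gt $limit) { $status = 'INVESTIGATE' }
        New-Object PSObject -Property @{
            Status  = $status
            Average = [math]::Round($avg, 2)
            Counter = $_.Name
        }
    } |
    Sort-Object Status, Counter |
    Format-Table Status, Average, Counter -AutoSize
```

Run it as `.\Sample-RoleCounters.ps1 -Role ADDS -ComputerName NYC-DC1` (file name assumed). A queue length or processor value above the threshold is a prompt to investigate, not a diagnosis: check the same counter against the baseline captured for that server before concluding that hardware, a workload change or an unexpected process is responsible.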


Lesson 4

Selecting Appropriate Monitoring Tools

Windows Server 2008 provides a range of tools to monitor the operating system and applications. You can use these tools to tune your system for efficiency and troubleshoot problems. You should use these tools and complement them where necessary with your own tools.

Objectives
After completing this lesson, you will be able to:

• Describe Performance Monitor.

• Describe the Reliability Monitor.

• Describe Resource Monitor.

• Describe Event Subscriptions.


Performance Monitor

Key Points
Performance Monitor is a Microsoft Management Console (MMC) snap-in used to obtain system performance information. You can use this tool to analyze the performance effect of applications and services. You can use Performance Monitor for an overview of system performance or to collect detailed information for troubleshooting.

The Performance Monitor includes the following features:

• Monitoring Tools

• Data Collector Sets

• Reports

Monitoring Tools
The Monitoring Tools node contains the Performance Monitor graph view. It provides a visual display of built-in Windows performance counters, either in real time or as a way to review historical data.

The Performance Monitor graph view includes the following features:

• Multiple graph views

• Custom views that you can export as data collector sets

Performance Monitor uses performance counters to measure the system state or activity.

Performance counters can be included in the operating system or can be present as part of installed applications. Performance Monitor requests the current value of performance counters at specified time intervals.

You can add performance counters to the Performance Monitor by dragging and dropping the counters or by creating a custom data collector set.


Performance Monitor features multiple graph views that enable you to visually review performance log data. You can create custom views in Performance Monitor that can be exported as Data Collector Sets for use with performance and logging features.

Data Collector Sets
A data collector set is a custom set of performance counters, event traces, and system configuration data.

After you have created a combination of data collectors that describe useful system information, you can save them as a data collector set, and then run the set and view the results.

A data collector set organizes multiple data-collection points into a single, portable component. You can use a data collector set on its own, group it with other data collector sets and incorporate it into logs, or view it in the Performance Monitor. You can configure a data collector set to generate alerts when it reaches thresholds.

You can also configure a data collector set to run at a scheduled time, for a specific length of time, or until it reaches a predefined size. For example, you can run the data collector set for ten minutes every hour during your working hours to create a performance baseline. You can also set the data collector to restart when set limits are reached, so that a separate file is created for each interval.

The Data Collector Sets and Performance Monitor tools enable you to organize multiple data-collection points into a single component that you can use to review or log performance.

Performance Monitor also includes default Data Collector Set templates to help system administrators collect performance data that is specific to a server role or monitoring scenario.

Reports
Use the Reports node to view and create reports from a set of counters that you create by using Data Collector Sets.


Reliability Monitor

Key Points
The Reliability Monitor reviews the computer's reliability and problem history. The Reliability Monitor can be used to obtain several kinds of reports and charts that can help you identify the source of reliability issues. Access the Reliability Monitor by clicking View System History on the Maintenance tab in the Action Center.

The following topics explain the main features of the Reliability Monitor.

System Stability Chart
The System Stability Chart summarizes system stability for the past year in daily increments. This chart indicates any information, error, or warning messages, and simplifies the task of identifying issues and the date on which they occurred.

Installation and Failure Reports
The System Stability Report also provides information about each event in the chart. These reports include the following events:

• Software Installs

• Software Uninstalls

• Application Failures

• Hardware Failures

• Windows Failures

• Miscellaneous Failures


Records Key Events in a Timeline
The Reliability Monitor tracks key events about the system configuration, such as the installation of new applications, operating-system patches, and drivers. It also tracks the following events to help you identify the reasons for reliability issues.

• Memory problems

• Hard disk problems

• Driver problems

• Application failures

• Operating system failures

The Reliability Monitor is a useful tool that provides a timeline of system changes and reports the system's reliability. You can use this timeline to determine whether a particular system change correlates with the start of system instability.

Problem Reports and Solutions Tool
The Problem Reports and Solutions feature in Reliability Monitor helps users track problem reports and any solution information that they have received.

The Problem Reports and Solutions tool only helps the user to store information. All Internet communication related to problem reports and solutions is handled by Windows Error Reporting.

The Problem Reports and Solutions tool provides a list of the attempts made to diagnose your computers' problems.

If an error occurs while an application is running, Windows Error Reporting prompts the user to select whether to send error information to Microsoft over the Internet. If information is available that can help the user resolve this problem, Windows displays a message to the user with a link to the resolving information.

You can use the Problem Reports and Solutions tool to track resolving information and recheck to find new solutions.

You can start the Problem Reports and Solutions tool from the Reliability Monitor. The following options are available:

• Save reliability history.

• View problems and responses.

• Check for solutions to all problems.

• Clear the solution and problem history.


What Are Event Subscriptions?

Key Points
Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers. Event Viewer provides the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. After a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.

Using the event-collecting feature requires that you configure both the forwarding and the collecting computers. The functionality depends on the Windows Remote Management (WinRM) and the Windows Event Collector (Wecsvc) services. Both of these services must be running on computers participating in the forwarding and collecting process.

Creating a Subscription
Before you can create a subscription to collect events on a computer, you must configure the collecting computer (collector), and each computer from which events will be collected (source).

After you configure the computers, you can create a subscription to specify which events to collect, by selecting the Subscriptions folder, and then clicking the link on the Action menu.
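The following script is an added example and is not part of the handbook. It performs the source and collector configuration described above from the command line and creates a collector-initiated subscription that copies account logon successes and failures (Security events 4624 and 4625) from NYC-DC1 into the ForwardedEvents log on NYC-SVR1. The host names are the lab's; the contoso.com DNS suffix, the subscription name, the event selection and the temporary file path are assumptions for illustration.

```powershell
# Added example (not from the handbook): configure a source and a collector and
# create a collector-initiated subscription with wecutil.exe. The subscription
# name, event IDs and DNS suffix are assumptions. Run elevated on each machine.

# ---- On the SOURCE (NYC-DC1), once ----
#   winrm quickconfig -q
#       starts WinRM, creates the HTTP listener and opens the firewall port.
#   net localgroup "Event Log Readers" "CONTOSO\NYC-SVR1$" /add
#       with CredentialsType=Default the collector reads as its own machine
#       account, which needs Event Log Readers to read the Security log. This
#       avoids storing a user password in the subscription.

# ---- On the COLLECTOR (NYC-SVR1) ----
wecutil qc /q:true                       # start Wecsvc and set it to delayed auto start

$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Contoso-Logon-Events</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Logon success and failure from NYC-DC1</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>NYC-DC1.contoso.com</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@

$xmlPath = Join-Path $env:TEMP 'Contoso-Logon-Events.xml'
$subscriptionXml | Out-File -FilePath $xmlPath -Encoding ASCII

wecutil cs $xmlPath                      # create the subscription from the XML
wecutil gr Contoso-Logon-Events          # runtime status: the source should read "Active"

# Forwarded copies land in the local ForwardedEvents log and are queried like
# any other log; here, failed logons received in the last hour.
Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Id = 4625;
                                 StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Id |
    Format-Table -AutoSize
```

Between domain members the HTTP transport is Kerberos-authenticated and WinRM encrypts the message body, so HTTPS (and a certificate) is only required for sources that are not domain members. If `wecutil gr` shows a source as inactive, the usual causes are the missing Event Log Readers membership on the source or a firewall blocking TCP port 5985 to it.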


Lab: Creating a Baseline of Performance Metrics

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6419B-NYC-DC1, and then, in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:
   • User name: Administrator
   • Password: Pa$$w0rd
   • Domain: Contoso

5. Repeat steps 2-4 for 6419B-NYC-SVR1.

Lab Scenario
NYC-SVR1 has just been deployed at the New York office of Contoso, Ltd. You have been asked to establish a performance baseline for this server for comparison to real-time performance statistics and to ensure that the server is currently operating properly and efficiently.


Exercise 1: Determining Performance Metrics
You have been asked to assess NYC-SVR1 and establish a performance baseline for this server by using Performance Monitor. Before establishing the baseline, you must identify which performance counters you will use to record performance information. Your manager has asked you to ensure that the four primary hardware components of the server are measured.

The main task is as follows:

1. Determine the performance counter objects to use.

Task 1: Determine the performance counter objects to use.

Question: What are the main hardware components that you should be measuring on NYC-SVR1?

Question: Which Performance Monitor objects correspond to these components?

Note: After completing this exercise, you will have determined performance metrics.


Exercise 2: Configuring a Performance Baseline
You have been asked to establish a performance baseline for NYC-SVR1 based on the Processor, Memory, PhysicalDisk, and Network Interface objects within Performance Monitor. The baseline should be as thorough as possible, so you have been asked to include all counters from these objects.

The main tasks are as follows:

1. Create a Data Collector Set to log the counters for the Processor, Memory, PhysicalDisk, and Network Interface objects.

2. Review the Data Collector Set report to ensure that performance data has been captured.

Task 1: Create a Data Collector Set to log the counters for the Processor, Memory, PhysicalDisk, and Network Interface objects.

1. On NYC-SVR1, open Performance Monitor.

2. Expand the Data Collector Sets node and create a new User Defined Data Collector Set named NYC-SVR1 Baseline.

3. Add all counters for the Processor, Memory, PhysicalDisk, and Network Interface objects.

4. Run the Data Collector Set when the wizard is complete.

Note: The Data Collector Set will take a few moments to collect data. Complete Exercise 3 and then come back to finish Task 2 of this exercise.

Task 2: Review the Data Collector Set report to ensure that performance data has been captured.

1. Stop the NYC-SVR1 Baseline data collector set.

2. Expand the Reports node and view the most recent report run for the user-defined NYC-SVR1 Baseline object.

3. Ensure that the report has collected the performance data.

Note: After completing this exercise, you will have configured a performance baseline.
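The following script is an added example and is not part of the handbook. It builds the same NYC-SVR1 Baseline data collector set as this exercise from the command line with logman.exe, applies the schedule described in the Data Collector Sets topic of Lesson 4 (ten minutes every hour during working hours, a separate file per run), and then starts, stops and inspects the set as Tasks 1 and 2 do. The output directory, sample interval, working hours and task name are assumptions for illustration.

```powershell
# Added example (not from the handbook): create the lab's data collector set with
# logman.exe instead of the wizard, schedule it hourly during working hours with
# one log file per run, and inspect a capture. Paths, interval and hours are
# assumptions. Run elevated on NYC-SVR1.
$name   = 'NYC-SVR1 Baseline'
$outDir = 'C:\PerfLogs\Baseline'
$counters = @(            # every counter of the four hardware objects
    '\Processor(*)\*',
    '\Memory\*',
    '\PhysicalDisk(*)\*',
    '\Network Interface(*)\*'
)
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Counter collector: 15-second samples to a binary log, stop after ten minutes
# (-rf), and version each file name with the start time (-v) so runs never
# overwrite each other.
logman create counter $name -c $counters -si 00:00:15 -f bin `
    -o "$outDir\baseline" -v mmddhhmm -rf 00:10:00

# Hourly start during working hours through Task Scheduler; the collector's own
# -rf duration stops it. The \" escapes keep the quoted name intact for schtasks.
schtasks /create /f /ru SYSTEM /sc HOURLY /mo 1 /st 08:00 /et 18:00 `
    /tn 'Baseline NYC-SVR1' /tr "logman start \`"$name\`""

# Ad hoc run, as in Task 1 and Task 2: start, let it sample, stop, check status.
logman start $name
Start-Sleep -Seconds 60
logman stop $name
logman query $name

# Import-Counter reads the .blg; -Summary shows the time span and sample count,
# which is the quick check that data was actually captured.
$latest = Get-ChildItem "$outDir\*.blg" | Sort-Object LastWriteTime | Select-Object -Last 1
Import-Counter -Path $latest.FullName -Summary
```

Keep the baseline logs: a later capture of the same set, imported the same way, is what lets you tell a genuine hardware shortfall from an unexplained new load on a server that otherwise looks healthy. The log directory is readable only by administrators by default; leave it that way, because the captured process and network statistics are useful reconnaissance for anyone who can read them.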


Exercise 3: Viewing Performance Using Monitoring Tools
You have been asked to ensure that there are no significant performance-related issues on NYC-SVR1.

The main tasks are as follows:

1. Use Resource Monitor to view system performance statistics.

2. Use Reliability Monitor to view server reliability history.

Task 1: Use Resource Monitor to view system performance statistics.

1. On NYC-SVR1, open Resource Monitor.

2. View the graphs on the right of the screen to ensure that none of them are near the top of the graph window.

3. Click each tab in the Resource Monitor window to view the real-time performance data for the associated component.

4. Close Resource Monitor.

Task 2: Use Reliability Monitor to view server reliability history.

1. On NYC-SVR1, open Reliability Monitor.

2. Check the Reliability Monitor for any Error events, represented by a red X icon.

3. Close Reliability Monitor.

Note: After completing this exercise, you will have viewed performance by using monitoring tools.

To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6419B-NYC-SVR1.


Module Review and Takeaways

Review Questions
1. Why would establishing baseline performance be important in a larger environment?

2. Where would centralized event collection be valuable in obtaining event information from multiple computers?

Windows Server 2008 R2 Features Introduced in this Module

Resource Monitor: Resource Monitor offers in-depth real-time performance monitoring and a comprehensive view of your server's performance-related configuration.

Tools

Event Viewer
  Use for: Viewing server event logs and collecting event logs from other computers.
  Where to find it: Server Manager console.

Task Manager
  Use for: Viewing simple real-time performance information.
  Where to find it: Press Ctrl+Shift+Esc, or right-click the taskbar and select Task Manager.

Performance Monitor
  Use for: Viewing and collecting performance information for many aspects of your server.
  Where to find it: Start – Administrative Tools, or the Server Manager console.

Reliability Monitor
  Use for: Viewing reliability-related information and events.
  Where to find it: Windows Server 2008 Action Center, or type Reliability in the Start Menu Search field.

Resource Monitor
  Use for: Viewing in-depth real-time performance information for your server.
  Where to find it: Start – Administrative Tools, or the Performance tab in Task Manager.


Module 14
Managing Windows Server 2008 Backup and Recovery

Contents:
Lesson 1: Planning and Implementing File Backups on Windows Server 2008  14-3
Lesson 2: Planning and Implementing File Recovery  14-14
Lab A: Implementing Windows Server Backup and Recovery  14-19
Lesson 3: Recovering Active Directory  14-23
Lesson 4: Troubleshooting Windows Server Startup  14-29
Lab B: Recovering Active Directory Objects  14-37


Module Overview

Disaster recovery planning is a critical part of managing any server infrastructure. This module examines the necessary planning for backup and restore procedures, and startup issues, to ensure that you protect data and servers sufficiently against disasters. This module will also focus on the improvements in the Windows Server Backup application included with the operating system.

Microsoft Windows Server® 2008 R2 also has new options for restoring Active Directory® Domain Services (AD DS), such as the Active Directory Recycle Bin.

The ability to troubleshoot startup issues has been improved for Windows Server 2008. Common startup issues can be automatically detected and repaired to get servers back online in a timely manner.

Restoring data is a riskier operation than backing up data because you can overwrite and lose existing data through careless restore procedures. You should only permit trusted administrators to perform restore operations; it is likely that the restore operators are a subset of the backup operators, but in some organizations the backup and restore teams are separated.

After completing this module, you will be able to:

• Plan and implement file backups on Windows Server 2008.

• Plan and implement file recovery.

• Describe Active Directory recovery methods.

• Troubleshoot Windows Server startup.


Lesson 1

Planning and Implementing File Backups on Windows Server 2008

This lesson examines the planning elements that are required to create a successful, unobtrusive, and secure backup process. You can apply these considerations when you are planning backup for various types of data on your network. Typically, you will distribute backup tasks among various servers and personnel in your environment.

After completing this lesson, you will be able to:

• Describe decision points for selecting backup software and appointing backup operators.

• Describe changes to Windows Backup in Windows Server 2008 R2.

• Describe the planning process for backup.

• Determine a data retention plan.

• Describe the factors that affect backup policy.

• Describe Windows Server Backup features.


Selecting Backup Software

Key Points
You need to use backup software to back up the data and servers on your network. When planning your backup strategy, you must choose which backup software to use. You can choose the backup feature in the Windows Server 2008 operating system or you can choose third-party backup software. Your choice depends on your backup medium, how you intend to manage your backups across several servers, and licensing costs, among other factors. For example, the Windows Server 2008 Backup feature has no additional licensing costs, but it does not support tape backups. This may have a major influence on your decision.

The Windows Server 2008 Backup feature also supports command-line use through the Wbadmin.exe command. This is useful for scripting or performing specific backups such as system state data.

There are many improvements to the Windows Server Backup feature in Windows Server 2008 R2, including more backup options and more control through the Windows Server Backup Microsoft Management Console (MMC) snap-in. These changes are discussed in the next topic.

You may also have special requirements, such as databases, that you must regularly back up. A database backup may require special software or tools to perform the backup.

Question: What backup software or solutions do you currently use?


Changes to Windows Backup in Windows Server 2008 R2

Key Points
The Windows Server Backup feature provides a basic backup and recovery solution for computers running the Windows Server 2008 operating system, but it has very limited options. For example, it can only back up entire volumes. The Windows Server Backup feature of Windows Server® 2008 R2 has many new enhancements, including enhanced wizards, to implement a flexible backup plan. The following table outlines feature availability in the different versions.

Feature                                          Supported in Windows Server 2008   Supported in Windows Server 2008 R2
Volume level backup                              Yes                                Yes
Scheduling backups                               Yes                                Yes
System State backup                              Yes (command-line only)            Yes
Incremental System State backup                  No                                 Yes
Back up specific files and folders               No                                 Yes
Exclude specific files, folders, or file types   No                                 Yes
Back up to volumes or network shares             No (dedicated volumes only)        Yes
PowerShell support (local and remote)            No                                 Yes
Bare Metal Recovery backup option                No                                 Yes

Question: What command-line utility can be used to back up System State in Windows Server 2008?
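The following script is an added example and is not part of the handbook. It shows the two routes the table contrasts for a backup that includes system state: Wbadmin.exe, which is the only way to get a system state backup on Windows Server 2008, and the Windows Server 2008 R2 Windows.ServerBackup snap-in, which adds the scheduled policy, file exclusions, network-share target and bare metal recovery rows of the table. The drive letters, share path, service account name and schedule time are assumptions for illustration.

```powershell
# Added example (not from the handbook): a backup including system state, first
# with Wbadmin.exe as Windows Server 2008 requires, then with the Windows Server
# 2008 R2 cmdlets. Drive letters, share, account and schedule are assumptions.
# Run elevated as a member of Administrators or Backup Operators.

# ---- Windows Server 2008: Wbadmin.exe (system state is command-line only) ----
wbadmin start systemstatebackup -backupTarget:E: -quiet     # one-off, to a dedicated volume
wbadmin start backup -backupTarget:E: -include:C: -quiet    # one-off full backup of volume C:
wbadmin get versions                                        # what can be restored, with version IDs
# Scheduled backups ("wbadmin enable backup") take a disk identifier from
# "wbadmin get disks" as -addtarget and dedicate that whole disk to backups.

# ---- Windows Server 2008 R2: Windows.ServerBackup snap-in ----
Add-PSSnapin Windows.ServerBackup

$policy = New-WBPolicy
Add-WBSystemState -Policy $policy                     # registry, SYSVOL and NTDS on a DC, etc.
Add-WBBareMetalRecovery -Policy $policy               # R2: everything needed for a full-server restore
Add-WBVolume -Policy $policy -Volume (Get-WBVolume -VolumePath 'C:')

# R2 can exclude paths or file types; scratch data is not worth restoring.
Add-WBFileSpec -Policy $policy -FileSpec (New-WBFileSpec -FileSpec 'C:\Temp\*' -Exclude)

# R2 can target a network share. Only the most recent backup is kept there, and
# the image holds the directory database, SAM and registry hives, so restrict the
# share and NTFS ACLs to the backup account and do not inherit the parent ACL.
$cred   = Get-Credential 'CONTOSO\svc-backup'
$target = New-WBBackupTarget -NetworkPath '\\NYC-SVR1\Backups$' -Credential $cred -NonInheritAcl
Add-WBBackupTarget -Policy $policy -Target $target

Set-WBSchedule -Policy $policy -Schedule ([datetime]'21:00')
Set-WBVssBackupOptions -Policy $policy -VssCopyBackup  # leave application log truncation to the app's own backup
Set-WBPolicy -Policy $policy -Force                    # registers the scheduled job (replaces any existing policy)

Get-WBPolicy | Format-List                             # confirm what will run
Get-WBJob -Previous 3                                  # results of the last three jobs
```

Whichever route you use, treat the backup target as sensitive as the server itself: a system state backup of a domain controller contains the NTDS database and therefore every domain password hash, so restrict who can read the target and who holds the Backup Operators right.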


Process for Planning Backup in Windows Server 2008

Key Points
When you plan your backup strategy, you must plan the elements that are listed in the following table.

Plan element: List the data to back up.
You must identify all data that requires backup so that you can restore your data and systems in the event of a disaster. You must identify the quantity of data, which in Windows Server 2008 includes which volumes or files and folders to back up, so that you can choose an appropriate storage medium and identify how long a backup or restore operation requires.

Plan element: Create a backup schedule.
You must plan how frequently and at what times servers perform automated backup tasks. Most organizations perform daily backups at the least.

Plan element: Choose a backup type.
Based on the frequency and the time that is taken to perform a backup and a restore operation, you may also need to select a backup type. Your backup software may enable you to choose from the following backup types:

• Full or Normal
• Incremental
• Differential

Windows Server Backup performs full backups by default. You can enable incremental backups by configuring performance settings in the MMC snap-in. Windows Server Backup does not support differential backups.

Plan element: Choose the backup medium.
Based on your backup software, the size of backups, and the time to restore data, you should choose an appropriate backup medium. Backup media include:

• Tape (not available with Windows Server 2008 Backup)
• Hard disk (fixed or removable)
• DVD
• Shared folder

Tape is available in various formats, supporting various data rates and storage capacities. If you back up to tape, you should ensure that the tape format that you use is appropriate to the quantity of data that you are backing up. The Windows Server 2008 Backup feature does not support backing up to tape; volumes and shared folders are the only supported storage media.

Consider the length of time that you require to retain backups to restore data. Will you be able to restore data from one month ago, six months ago, 12 months ago, or longer?

You must also consider the storage location of your backup media. Tapes are susceptible to magnetic fields and heat, so they should be stored away from these environmental factors. Backup media should be stored offsite in case of disaster such as fire or flood.

Windows Server 2008 Backup Types

The Windows Server Backup feature in Windows Server 2008 consists of an MMC snap-in and command-line tools. You can use wizards to guide you through running backups and recoveries. You can use Windows Server Backup to back up a full server (all volumes), selected volumes, or just the system state.

In case of disasters such as hard disk failures, you can perform system recovery by using a full serverbackup and the Windows Recovery Environment—this will restore your complete system onto the newhard disk.

The ability to take just a system state backup is not exposed in the Windows Server Backup snap-in on Windows Server 2008. If you want to take just a system state backup, you must use the command-line utility wbadmin.exe (wbadmin start systemstatebackup).

Windows Server 2008 R2 Backup Types

Windows Server Backup in Windows Server 2008 R2 provides the same backup types as Windows Server 2008 and adds the following options:

• Select specific items for backup.

• Bare metal recovery. A bare metal recovery backup includes all volumes that are necessary for Windows to run. You can use this backup type in conjunction with the Windows Recovery Environment to recover from a hard disk failure, or if you need to recover the entire computer image to new hardware.

• System State. You can create a system state backup from the snap-in, not only from wbadmin.exe.

• Individual files and folders. You can back up selected files and folders instead of full volumes.

• The ability to exclude selected files or file types. For example, you can exclude .tmp files.

• More storage locations to choose from. You can store scheduled backups on remote shares or on non-dedicated volumes.

Question: You wish to use incremental backups as part of your backup strategy. How will you enable this?
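The scripted form of the backup types described above, as an added example rather than code from the 6419B courseware. It assumes NYC-DC1 is the server being protected, \\NYC-SVR1\Backup is the target share, Contoso\Administrator can write to that share, and E: is a spare local volume on a Windows Server 2008 (not R2) machine; the Windows.ServerBackup snap-in and its cmdlets exist only on Windows Server 2008 R2.

```powershell
# Added example (not from the 6419B courseware). Assumed names: NYC-DC1 is the
# server backed up, \\NYC-SVR1\Backup is the target share, Contoso\Administrator
# can write to it, E: is a spare local volume on a Windows Server 2008 host.

# 1. Install Windows Server Backup with the command-line tools (Windows Server 2008 R2).
#    Backup-Features is the parent feature; -IncludeAllSubFeature adds both the
#    snap-in ("Backup") and the wbadmin/PowerShell tools ("Backup-Tools").
Import-Module ServerManager
Add-WindowsFeature Backup-Features -IncludeAllSubFeature

# 2. Load the backup cmdlets. In 2008 R2 they ship as a snap-in, not a module.
Add-PSSnapin Windows.ServerBackup -ErrorAction Stop

# 3. Build a policy covering the R2 backup types discussed above:
#    bare metal recovery (every volume Windows needs), system state, and drive C:.
$policy = New-WBPolicy
Add-WBBareMetalRecovery -Policy $policy
Add-WBSystemState       -Policy $policy
Add-WBVolume -Policy $policy -Volume (Get-WBVolume -VolumePath 'C:')

# 4. Point it at the remote shared folder. A scheduled backup to a share keeps
#    only the most recent backup, so retention must be handled elsewhere.
$cred   = Get-Credential 'Contoso\Administrator'
$target = New-WBBackupTarget -NetworkPath '\\NYC-SVR1\Backup' -Credential $cred
Add-WBBackupTarget -Policy $policy -Target $target

# 5. Run daily at 01:00, then save it as the scheduled policy (-Force skips the prompt).
Set-WBSchedule -Policy $policy -Schedule 01:00
Set-WBPolicy   -Policy $policy -Force

# 6. Confirm what was saved.
Get-WBPolicy | Format-List Schedule, VolumesToBackup, BMR, SystemState, BackupTargets

# Windows Server 2008 (not R2): the snap-in cannot select system state alone, so the
# command-line tool is the only way. A local, non-critical volume is the safe target there.
# wbadmin start systemstatebackup -backupTarget:E: -quiet

# Either way, list the backups that are available to restore from:
# wbadmin get versions -backupTarget:\\NYC-SVR1\Backup -machine:NYC-DC1
```

Incremental backups are not a property of the policy object; they are enabled through Configure Performance Settings in the snap-in, which applies to every scheduled backup on the server. The credential supplied for the share is stored by the scheduled task, so use a dedicated account with write access to the backup share only rather than the domain administrator shown here.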

Creating the Data Retention Plan

Key Points

How long must you keep data? Must you keep data for legal compliance, such as Sarbanes-Oxley, or for business requirements, such as the ability to audit all projects during the previous five years?

Where should you archive data? Do users require access to archived data regularly, which may requirekeeping the data on a server, or can the data be archived to a static medium such as optical or tapestorage? For static media archival, you must consider that media such as DVD or tape has a finite lifetimefor storing data.

What is the cost of data storage? Different storage mechanisms and media have different costs associated with them. If you keep your data archive on your corporate storage area network (SAN), this has a relatively high cost per gigabyte (GB). If you keep archived data on a server hard disk, it has a lower cost per GB, and data that is stored on tape has a very low cost per GB. The trade-off is ease of access, so you must balance the cost against the ease of access for the data. Typically, you move older data to cheaper storage media.

What software tools can assist data retention? Your backup software or additional tools may have data-retention capabilities, or you could invest in software to assist data retention in your organization.Consider tools such as Microsoft System Center Data Protection Manager, which can offer backupcapabilities and options to archive older data to media such as tape, instead of hard disk.

Question: What is your current data retention plan?

Factors that Affect Backup Policy

Key Points

A number of factors affect the formulation of an organization's backup policy. Most companies cannot endure a major data loss. Some companies are effectively out of business if a critical system is down. The time and cost of data or server replacement will be overriding factors. The following table lists the major decision points to consider when working out a backup strategy.

Factor: Service level agreements (SLAs)

If your information technology (IT) department has agreed on SLAs or intends to create SLAs for data or server availability, you must include backup and restore processes in your SLA. An SLA should specify the data or servers to which it refers, and it should identify acceptable periods of unavailability. It is important that the time that is taken to perform a restore operation does not exceed the SLA; if it does, the SLA cannot be met.

Factor: Cost

When you plan your backup policy, you must consider the cost of your backup solution. Costs for your backup solution can include hardware, software, and media. You should carefully weigh cost against backup and restore times and the required storage quantities. Larger storage capacities or faster storage media are more expensive, but you may require these for specific data types in your organization, such as database backups.

When you plan for increases in data storage, you should include any increase in backup costs that is required to maintain your backup schedule.

Factor: Bandwidth

If you back up to a different physical location, such as a secure offsite storage provider or a dedicated disaster recovery site, you must consider bandwidth requirements. The available bandwidth for these backups directly affects the time that is taken to perform a backup and restore operation, and unless fast links are available, you would typically use these as additional protection in case a physical or environmental disaster occurs at your primary location.

You might also consider using Distributed File System (DFS) Replication to enable backup at another location. If you have branch offices, you can decide to perform all regular file-based backups from your main office by replicating content to the main office and then performing the backup there.

Factor: Personnel

You should also consider who can perform backup tasks. This includes physical tasks such as loading or changing tape libraries, and system tasks such as performing backups or changing backup schedules. Because a backup operator can read every file in a backup and restore over live data, grant this role to named accounts (for example, members of the built-in Backup Operators group) rather than to general administrators, and audit its use.

Question: Does your IT department fulfill any SLAs?

Demonstration: Overview of the Windows Server Backup Features

Key Points

In this demonstration, the instructor will:

• Describe Windows Server Backup features.

Demonstration Steps:

Note: You require the 6419B-NYC-DC1 and 6419B-NYC-SVR1 virtual machines to complete this demonstration. Log on to the virtual machine as Contoso\Administrator, with the password Pa$$w0rd.

Install the Windows Server Backup feature

1. On NYC-DC1, use Server Manager to install the Windows Server Backup feature. Include the command-line tools in the installation.

Use the backup wizard to schedule a backup

1. On NYC-DC1, run Windows Server Backup and schedule a backup of drive C: to the remote backup folder on NYC-SVR1.

Use the backup wizard to back up a folder

1. Run the Backup Once wizard to back up the C:\MarketingTemplates folder to the remote backup folder on NYC-SVR1.

Use the restore wizard to restore the MarketingTemplates folder to the C: drive

1. On NYC-DC1, delete the C:\MarketingTemplates folder.

2. In the Windows Server Backup MMC, run the Recovery Wizard with the following options:

• Getting started: A backup stored on another location
• Location Type: Remote Shared Folder
• Remote Folder: \\NYC-SVR1\Backup
• Backup Date: Today
• Recovery Type: Files and Folders
• Item to Recover: NYC-DC1\Local Disk (C:)\MarketingTemplates
• Recovery destination: Another Location (C:)

3. Navigate to C:\ and ensure that the files have been restored.

Lesson 2

Planning and Implementing File Recovery

A data loss and recovery event may be as small as a single file that affects a single user or as widespreadas a critical server failure that affects the whole organization. In either case, it is important to have a planin place so that IT personnel know how to deal with the event.

After completing this lesson, you will be able to:

• Describe the considerations for data recovery.

• Describe Windows Server Backup Recovery Types.

• Describe Windows Server Recovery Options.

• Determine when to update backup and recovery policies.

Windows Server Backup Recovery Types

Key Points

Windows Server Backup in Windows Server 2008 R2 provides the following recovery types:

• Files and folders. Individual files or folders can be recovered as long as the backup is on an external disk or in a remote shared folder.

• Applications and data. Applications and their data can be recovered if the application has a Volume Shadow Copy Service (VSS) writer and has registered with Windows Server Backup.

• Volumes. Restoring a volume always restores all the contents of the volume. You cannot restore individual files or folders with this recovery type.

• Operating system. The operating system can be recovered through the Windows Recovery Environment (WinRE).

• Full server. The full server can be recovered through WinRE.

• System state. A system state backup is a point-in-time backup of the registry, boot files, the COM+ class registration database and, on domain controllers and certification authorities, the AD DS and Certificate Services databases. It can be used to restore a server to a previous working state.

Question: What type of recovery can you use to repair a corrupted certificate database on the certificateserver?

Windows Server Recovery Options

Key Points

The Windows Server Backup Recovery Wizard provides several options for managing file and folder recovery. It controls the recovery destination, conflict resolution, and security settings. The recovery options are as follows:

Recovery destination

• Original location. Restores the data to the location from which it was backed up.

• Another location. Restores the data to a different location.

Conflict resolution

Restoring data from a backup will often conflict with existing versions of the data. Conflict resolution provides a way to determine how those conflicts will be handled. When these conflicts occur, you have the following options:

• Create copies and have both versions.

• Overwrite existing version with recovered version.

• Do not recover items if they already exist in the recovery location.

Security settings

• Allows you to restore the permissions (the NTFS ACLs) of the data being recovered. If you choose not to restore permissions, the recovered files inherit the ACL of the destination folder, so a confidential folder recovered to another location may become readable to everyone who can read that destination. Check the resulting permissions before you tell users the data is back.

Question: How are copies of recovered files distinguished from the existing version?

Updating Backup and Recovery Policy

Key Points

You should review, improve, and update all of your policies and working practices to ensure that you continue to meet the requirements of your business.

By increasing the frequency of backups, you can provide access to recent changes in documents for users.

Windows Server 2008 uses the Volume Shadow Copy Service (VSS) to take consistent backups of open files without interrupting users, and Shadow Copies of Shared Folders, which is also built on VSS, lets users restore earlier versions of their own files from the Previous Versions tab without assistance from the IT team.

Backup policies should be reviewed:

• After data is restored.

• On a regular basis.

• As technology changes.

• As SLAs change.

• As restore strategies change.

Question: How often do you update the backup and restore policy in your organization?

Lab A: Implementing Windows Server Backup andRecovery

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

5. Repeat steps 2 - 4 for 6419B-NYC-SVR1.

Exercise 1: Evaluating the Existing Backup Plan

Scenario

At Contoso, Ltd., data for several departments is stored across servers on the network. In the New York office, several file servers are part of a domain-based Distributed File System (DFS) namespace and host the following shares:

• Sales. This share holds the shared data for the Sales department. The Sales department updates it regularly with budgets, forecasts, and sales figures.

• Finance. This share holds important data for the Finance department that supplements the Finance application database. The Finance database should not form part of your backup plan.

• Human Resources. This share holds highly confidential data for the Human Resources department. You have encrypted some of this data by using Encrypting File System (EFS).

• Technical Library. This share holds technical information, such as white papers and guidance documents, for the IT department. The IT department updates this information infrequently.

• Projects. This share holds documents that relate to any projects that are running at the New York office, and changes frequently.

In addition to the file servers, you are responsible for ensuring that four intranet Web servers and two domain controllers can have their data, or the server itself, restored in the event of a disaster. Web pages on the intranet Web sites do not change frequently.

Currently, there is a scheduled weekly backup of the volumes that contain the shares on the file serversand the volumes that contain the Web page content on the Web servers.

In this exercise, you must review the existing backup plan against requirements that the managementteam at Contoso, Ltd. have specified.

The main tasks for this exercise are as follows:

1. Review an existing backup plan.
2. Propose changes to the plan based upon scenario requirements.
3. Install the Windows Server Backup feature.
4. Schedule a full server backup.
5. Back up an individual folder.

Task 1: Review an existing backup plan.

Scenario

1. You have agreed that no more than one day's critical data should be lost in the event of a disaster. Critical data includes the Sales, Finance, and Projects data. Does the current backup plan meet this requirement?

2. Currently, you copy the Human Resources confidential data onto a removable hard disk that is attached to a computer in the Human Resources office. This task is performed weekly by using a script to preserve the encryption on the files. What are the consequences of this process and how would you deal with them?

3. You have also agreed that if a server fails, you should be able to restore that server, including all installed roles, features, applications, and security identity, in six hours. Does the current backup plan enable you to restore the servers in this way?

Task 2: Propose changes to the backup plan.

Scenario

1. Propose an appropriate backup frequency for the shares in the following table.

Share | Backup Frequency
Sales |
Finance |
Human Resources |
Technical Library |
Projects |

2. How would you fulfill the requirement to restore the servers and how frequently would you back upthe servers?

Task 3: Install the Windows Server Backup feature.

1. On NYC-DC1, use Server Manager to install the Windows Server Backup feature with the Command-line tools.

Task 4: Use the backup wizard to schedule a backup.

1. Start the Windows Server Backup MMC.

2. Use the Backup Schedule Wizard to create a backup with the following configuration:

• Backup configuration: Full server
• Backup time: Daily at 1:00 A.M.
• Destination type: Back up to a shared network location
• Remote shared folder: \\NYC-SVR1\Backup
• Credentials: Contoso\Administrator, with the password Pa$$w0rd

Task 5: Back up an individual folder.

1. Use the Backup Once wizard to back up with the following configuration:

• Backup Options: Different options
• Backup configuration: Custom
• Items for Backup: C:\MarketingTemplates
• Destination Type: Remote shared folder
• Remote Folder: \\NYC-SVR1\Backup

Results: After completing this exercise, you should have reviewed an existing backup plan andproposed changes to that plan. You will also have configured backups to become familiar with theWindows Server Backup feature.
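The one-time folder backup from Task 5 and the file-and-folder recovery described in the Windows Server Recovery Options topic, driven from PowerShell on Windows Server 2008 R2. This is an added example, not part of the lab; it assumes the lab names NYC-DC1 and \\NYC-SVR1\Backup, that Contoso\Administrator can write to the share, and that C:\MarketingTemplates exists before the backup runs.

```powershell
# Added example (not from the 6419B lab). Assumed names: NYC-DC1 is the server,
# \\NYC-SVR1\Backup is the share, Contoso\Administrator has write access to it.
Add-PSSnapin Windows.ServerBackup -ErrorAction Stop

$share  = '\\NYC-SVR1\Backup'
$cred   = Get-Credential 'Contoso\Administrator'
$target = New-WBBackupTarget -NetworkPath $share -Credential $cred

# "Backup Once" of a single folder: a throw-away policy that is started, not saved.
$once = New-WBPolicy
Add-WBFileSpec     -Policy $once -FileSpec (New-WBFileSpec -FileSpec 'C:\MarketingTemplates')
Add-WBBackupTarget -Policy $once -Target $target
Start-WBBackup -Policy $once            # blocks until the backup completes

# Version identifier of the backup just taken. wbadmin expects MM/DD/YYYY-HH:MM,
# which is the form VersionId already holds.
$latest  = Get-WBBackupSet -BackupTarget $target | Sort-Object BackupTime | Select-Object -Last 1
$version = $latest.VersionId

# Simulate the loss, then recover. The wbadmin switches map onto the wizard pages:
#   -recoveryTarget : recovery destination (omit it to restore to the original location)
#   -overwrite      : conflict resolution, one of Overwrite | CreateCopy | Skip
#   -notRestoreAcl  : security settings; WITHOUT it the backed-up ACLs are restored
Remove-Item 'C:\MarketingTemplates' -Recurse -Force

& wbadmin start recovery `
    "-version:$version" `
    -itemType:File `
    -items:C:\MarketingTemplates `
    -recursive `
    "-backupTarget:$share" `
    -machine:NYC-DC1 `
    -recoveryTarget:C:\ `
    -overwrite:CreateCopy `
    -quiet

# Verify that the data and its permissions came back. Had -notRestoreAcl been used,
# the files would carry whatever the destination folder inherits, which on a
# sensitive share can be far broader than the original ACL.
Get-ChildItem 'C:\MarketingTemplates' -Recurse | Measure-Object | Select-Object Count
(Get-Acl 'C:\MarketingTemplates').Access | Format-Table IdentityReference, FileSystemRights -AutoSize
```

Run it on NYC-DC1 in an elevated PowerShell session. The wizard and wbadmin share the same engine, so the three choices the wizard presents (destination, conflict handling, permissions) are exactly the three switches above; scripting them is what makes a recovery repeatable during an incident rather than a sequence of clicks remembered under pressure.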

Lesson 3

Recovering Active Directory

It is possible for a domain controller to fail, or for Active Directory to be damaged or corrupted,intentionally or accidentally. In such an event, you must be prepared to restore the domain controller, thedirectory, or objects within the directory. In this lesson, you will learn about the various methods and toolsto restore AD DS and domain controllers.

After completing this lesson you will be able to:

• Describe the methods used to recover Active Directory.

• Describe the Active Directory database mounting tool.

• Describe how to recover objects by using the Active Directory Recycle Bin.

Methods Used to Recover Active Directory

Key Points

AD DS is one of the most critical systems in any enterprise. Windows Server 2008 R2 provides new ways to recover Active Directory. Prior to Windows Server 2008 R2, there were only three methods of recovering Active Directory: a non-authoritative restore, an authoritative restore, or tombstone reanimation.

Non-Authoritative RestoreA non-authoritative restore will restore the entire AD DS database from a system state, critical-volume, orfull server backup. A non-authoritative restore returns the domain controller to its state at the time ofbackup. Normal replication will then update AD DS on the restored domain controller with any changesthat occurred since the backup was performed. The most common scenario for a non-authoritativerestore is to recover a domain controller after a full server failure or AD DS database corruption.

Authoritative Restore

If you need to recover specific objects from AD DS because of accidental deletion, you can perform an authoritative restore. As in a non-authoritative restore, AD DS is restored from backup, but the items that need to be recovered are then marked as authoritative. This raises their version numbers so that the tombstoned versions of the items on other domain controllers do not overwrite the restored versions during replication. Authoritative restores have the following characteristics:

• You can restore specific items or collections of items from AD DS, such as a user or an entire organizational unit (OU).

• The Ntdsutil command-line utility is required.

• AD DS must be offline during the recovery: you restart the domain controller in Directory Services Restore Mode (DSRM), restore the system state, and mark the objects authoritative with Ntdsutil before AD DS starts again.

Tombstone Reanimation

You can also recover deleted Active Directory objects through tombstone reanimation. When objects are deleted, they are not physically removed from the AD DS database immediately. They are converted to tombstones, which are retained for the tombstone lifetime (180 days by default in forests created with Windows Server 2003 SP1 or later) and then garbage-collected. Tombstones can be reanimated any time before that period runs out. Reanimation turns a tombstoned object back into a normal object; after reanimation, the object has the same objectGUID and objectSid attributes it originally had, so existing permissions that refer to it apply again. An advantage of tombstone reanimation is that it does not require the domain controller to be taken offline. A disadvantage is that most attributes, including forward-linked and backward-linked attributes such as group membership, are stripped when an object is deleted, and these attributes are not recovered by tombstone reanimation; you must repopulate them from another source.

Active Directory Recycle Bin

Windows Server 2008 R2 introduces a new recovery method for AD DS, the Active Directory Recycle Bin. It allows you to restore deleted Active Directory objects without restoring Active Directory data from backups, restarting AD DS, or rebooting domain controllers.

Question: One of your three domain controllers has experienced a full server failure. What type of restore would be appropriate in this situation?

What Is the Database Mounting Tool?

Key Points

The Active Directory Database Mounting Tool (Dsamain.exe) allows administrators to view the contents of a snapshot of AD DS. A snapshot captures the exact state of the directory service at the time of the snapshot. Unlike a backup, a snapshot cannot be used to restore data.

By taking regular snapshots, you can compare data that was present in AD DS on specific dates anddetermine which backup data needs to be restored. This tool only allows administrators to view data; itcannot be used to restore data. You will need to use other tools to perform the actual restore.

You use the Ntdsutil snapshot operation to take a point-in-time snapshot of AD DS. You can then use Ntdsutil to mount the snapshot to a folder, and the database mounting tool (Dsamain.exe) to expose the mounted snapshot's database as an LDAP server on a port that you choose. Then you can use any existing LDAP tool, such as the built-in Ldp.exe, to view the data.

Note: You are not required to run the ntdsutil snapshot operation to use Dsamain.exe. You can instead use a backup of the AD DS or Active Directory Lightweight Directory Services (AD LDS) database, or another domain controller or AD LDS server. The ntdsutil snapshot operation simply provides a convenient data input for Dsamain.exe.

Question: What permissions are required to take an AD DS snapshot?
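The comparison workflow described above, as an added example that is not part of the course text: the script exposes an already mounted snapshot with Dsamain.exe and diffs its user accounts against the live directory to find what was deleted or changed since the snapshot was taken. It assumes an elevated session on a Windows Server 2008 R2 domain controller; the mount path, the LDAP port 51389 and the domain DN are example values.

```powershell
# Added example, not from the course text. Compares the user accounts in a
# mounted AD DS snapshot (exposed by Dsamain.exe) with the live directory to
# find accounts deleted or changed since the snapshot, which is what tells you
# which backup or recovery method you need. Runs elevated on a Windows Server
# 2008 R2 domain controller after the snapshot was created and mounted with
# ntdsutil, for example:
#   ntdsutil "activate instance ntds" snapshot create quit quit
#   ntdsutil snapshot "list all" "mount 1" quit quit
# The mount path, LDAP port 51389 and the domain DN below are example values.
param(
    [string]$SnapshotDit  = 'C:\$SNAP_201109071200_VOLUMEC$\Windows\NTDS\ntds.dit',
    [int]   $SnapshotPort = 51389,
    [string]$DomainDn     = 'DC=contoso,DC=com'
)

function Get-UserTable {
    # Reads every user object over plain LDAP (System.DirectoryServices), so the
    # same code works against the Dsamain.exe instance and the live DC.
    param([string]$LdapPath)
    $root     = New-Object System.DirectoryServices.DirectoryEntry($LdapPath)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName', 'whenChanged', 'memberOf'))
    $table = @{}
    foreach ($result in $searcher.FindAll()) {
        $name   = [string]$result.Properties['samaccountname'][0]
        $groups = @($result.Properties['memberof'] | ForEach-Object { [string]$_ } | Sort-Object)
        $table[$name] = New-Object PSObject -Property @{
            Dn          = [string]$result.Properties['distinguishedname'][0]
            WhenChanged = [datetime]$result.Properties['whenchanged'][0]
            Groups      = $groups
        }
    }
    return $table
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($ComputerName, $Port); return $true } catch { return $false } finally { $client.Close() }
}

# Expose the snapshot as a read-only LDAP server on a non-standard port
# (389 is taken by the live DC).
$dsamain = Start-Process -FilePath 'dsamain.exe' -PassThru `
    -ArgumentList "/dbpath `"$SnapshotDit`" /ldapport $SnapshotPort"
try {
    # Dsamain.exe opens its LDAP port asynchronously; wait for it (up to 60 s).
    $deadline = (Get-Date).AddSeconds(60)
    while (-not (Test-TcpPort 'localhost' $SnapshotPort)) {
        if ((Get-Date) -gt $deadline) { throw "Dsamain.exe did not open LDAP port $SnapshotPort" }
        Start-Sleep -Seconds 2
    }

    $then = Get-UserTable "LDAP://localhost:$SnapshotPort/$DomainDn"
    $now  = Get-UserTable "LDAP://localhost:389/$DomainDn"

    # Present in the snapshot but gone from the live directory: these are the
    # recovery candidates (Recycle Bin or authoritative restore).
    $deleted = @($then.Keys | Where-Object { -not $now.ContainsKey($_) } | Sort-Object)
    # Still present but with different group membership than in the snapshot.
    $changed = @($then.Keys | Where-Object {
        $now.ContainsKey($_) -and (($then[$_].Groups -join ';') -ne ($now[$_].Groups -join ';'))
    } | Sort-Object)

    foreach ($name in $deleted) { Write-Output "DELETED  $name  (was $($then[$name].Dn))" }
    foreach ($name in $changed) {
        Write-Output "CHANGED  $name  groups before: $($then[$name].Groups -join ', ')"
        Write-Output "                groups now:    $($now[$name].Groups -join ', ')"
    }
    New-Object PSObject -Property @{ Deleted = $deleted; Changed = $changed }
}
finally {
    # The snapshot instance is only needed for the comparison; shut it down.
    Stop-Process -Id $dsamain.Id -Force
}
```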


Recover Objects Using the Active Directory Recycle Bin

Key Points

Windows Server 2008 R2 introduces the Active Directory Recycle Bin. This tool allows you to restore deleted Active Directory objects without restoring Active Directory data from backups, restarting AD DS, or rebooting domain controllers. Objects in the Active Directory Recycle Bin can be restored within the deleted object lifetime (180 days by default) with all link-valued and non-link-valued attributes of the deleted objects preserved. Objects are restored in their entirety to the same state that they were in immediately before deletion. For example, a security group would be restored with its membership list, and its rights and permissions intact.

The Active Directory Recycle Bin has no graphical interface. PowerShell commands are used to manipulate deleted objects.

Requirements for the Active Directory Recycle Bin

To use the Active Directory Recycle Bin, there are certain requirements that must be met.

• The forest functional level must be set to Windows Server 2008 R2. All domain controllers must be running Windows Server 2008 R2. You can use the LDP.exe utility or the Set-ADForestMode PowerShell cmdlet to raise the forest level. This step is irreversible.

Important: If you are performing a clean installation of a Windows Server 2008 R2 Active Directory forest, you do not have to run Adprep; your Active Directory schema will automatically contain all the necessary attributes for Active Directory Recycle Bin to function properly. If, however, you are introducing a Windows Server 2008 R2 domain controller into your existing Windows Server 2003 or Windows Server 2008 forest, and subsequently upgrading the rest of the domain controllers to Windows Server 2008 R2, you must run Adprep. By running Adprep, you update your Active Directory schema with the attributes that are necessary for Active Directory Recycle Bin to function properly.


• The Active Directory Recycle Bin must be specifically enabled. You can use the LDP.exe utility or the Enable-ADOptionalFeature PowerShell cmdlet to enable the Active Directory Recycle Bin. This step is irreversible.

Question: What permissions are required to enable Active Directory Recycle Bin?
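Because both steps in the requirements list are irreversible, a practitioner checks the prerequisites first. The following added example (not from the course text) does that with the Active Directory module on a Windows Server 2008 R2 domain controller; the forest name contoso.com is the course's example forest, and the function names are this example's own.

```powershell
# Added example, not from the course text. Checks both Recycle Bin prerequisites
# (all DCs on Windows Server 2008 R2, schema updated by Adprep or a clean R2
# install) before the two irreversible steps, then raises the forest mode and
# enables the feature only when the checks pass. Assumes the Active Directory
# module on a Windows Server 2008 R2 DC; contoso.com is the course forest.
Import-Module ActiveDirectory

function Test-ADRecycleBinPrerequisites {
    param([string]$ForestName = 'contoso.com')
    $forest   = Get-ADForest -Identity $ForestName
    $problems = @()

    # Every DC in every domain of the forest must run Windows Server 2008 R2,
    # otherwise the forest functional level cannot be raised.
    foreach ($domain in $forest.Domains) {
        foreach ($dc in (Get-ADDomainController -Filter * -Server $domain)) {
            if ($dc.OperatingSystem -notlike '*2008 R2*') {
                $problems += "$($dc.HostName) runs '$($dc.OperatingSystem)'"
            }
        }
    }

    # The schema must carry the Recycle Bin attributes: objectVersion 47 is the
    # Windows Server 2008 R2 schema (a clean R2 forest has it; an upgraded
    # forest gets it from Adprep /forestprep).
    $rootDse       = Get-ADRootDSE -Server $forest.SchemaMaster
    $schemaVersion = (Get-ADObject -Identity $rootDse.schemaNamingContext `
                        -Properties objectVersion -Server $forest.SchemaMaster).objectVersion
    if ($schemaVersion -lt 47) {
        $problems += "Schema objectVersion is $schemaVersion (need 47): run Adprep /forestprep"
    }

    New-Object PSObject -Property @{
        ForestMode    = [string]$forest.ForestMode
        ForestModeOk  = ([string]$forest.ForestMode -eq 'Windows2008R2Forest')
        SchemaVersion = $schemaVersion
        Problems      = $problems
        Ready         = ($problems.Count -eq 0)
    }
}

function Enable-ADRecycleBinChecked {
    param([string]$ForestName = 'contoso.com')
    $check = Test-ADRecycleBinPrerequisites -ForestName $ForestName
    if (-not $check.Ready) {
        throw ("Recycle Bin prerequisites not met:`n" + ($check.Problems -join "`n"))
    }

    if (-not $check.ForestModeOk) {
        # Irreversible: the forest can never be lowered below Windows Server 2008 R2.
        # The cmdlet prompts for confirmation; do not suppress that prompt.
        Set-ADForestMode -Identity $ForestName -ForestMode Windows2008R2Forest
    }

    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $ForestName
    if ($feature.EnabledScopes.Count -gt 0) {
        Write-Output "Recycle Bin is already enabled for: $($feature.EnabledScopes -join ', ')"
        return $feature.EnabledScopes
    }

    # Also irreversible. Identity by feature name is equivalent to the long
    # CN=Recycle Bin Feature,... distinguished name used in Lab B.
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' `
        -Scope ForestOrConfigurationSet -Target $ForestName -Server $ForestName

    # Verify: EnabledScopes now lists the partition and configuration set.
    (Get-ADOptionalFeature -Identity 'Recycle Bin Feature' -Server $ForestName).EnabledScopes
}

Enable-ADRecycleBinChecked -ForestName 'contoso.com'
```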


Lesson 4

Troubleshooting Windows Server Startup

Sometimes a problem can arise that will prevent Windows from starting properly. This lesson discusses the common causes of startup problems, reviews the stages of the startup process that may be affected, and explores different troubleshooting techniques that you can use depending on when the failure occurs.

After completing this lesson, you will be able to:

• Describe common causes of startup issues.

• Describe troubleshooting procedures before the Windows logo appears.

• Describe troubleshooting procedures after the Windows logo appears.

• Describe troubleshooting procedures after logon.


Common Causes of Startup Problems

Key Points

Diagnosing and correcting hardware and software problems that affect the startup process requires different tools and techniques than troubleshooting problems that occur after the system has started, because the person troubleshooting the startup problem does not have access to the full suite of Microsoft Windows Server 2008 troubleshooting tools. Resolving startup issues requires a clear understanding of the startup process, the core operating system components, and the tools used to isolate and resolve problems.

Startup failure can result from a variety of problems, such as user error, driver problems, application faults, hardware failures, disk or file corruption, system misconfiguration, or virus activity. If the condition is serious enough, you might need to reinstall Windows.

Question: Can you think of situations where you had to troubleshoot a Windows startup problem? If so, how did you resolve it?


Troubleshooting Startup Before the Windows Logo Appears

Key Points

In earlier versions of Windows, a file called boot.ini contained information about the Windows operating systems installed on the computer. In Windows Server 2008, the boot.ini file has been replaced with Boot Configuration Data (BCD). The BCD store is more versatile than boot.ini, and it can apply to computer platforms that use means other than the basic input/output system (BIOS) to start the computer. The Windows Boot Manager uses information from the BCD to manage the operating system startup process.

The boot environment is loaded before the operating system, making the boot environment independent of the operating system. A boot loader, in its most basic form, loads the initial files required to start an operating system. In a default installation of Windows Server 2008 R2, there is one boot loader reference stored in Windows Boot Manager called Windows Boot Loader, which launches the Windows Server 2008 R2 operating system. The Windows Boot Loader is stored in \Windows\System32\winload.exe and, when started by Windows Boot Manager, it begins the initial load process of the operating system. Windows Boot Manager controls the boot process using the information in the boot configuration data (BCD) store.

The BCD can be edited with the BCDEdit.exe command-line utility. This utility is found in the Windows\System32 directory. BCDEdit has parameters that allow you to add, modify, delete, export, and import entries in the data store. Running the BCDEdit command without any parameters displays the current Windows Boot Manager information and the current Windows Boot Loader information.

In some cases you may need to repair the boot sector and master boot record (MBR), or replace the startup files entirely. This can be done in the Windows Recovery Environment (WinRE) by booting from the Windows Server 2008 installation disc.

If these measures fail to correct the problem, it may be a hardware issue. For example, check the physical memory by removing the memory modules one at a time to see whether one of them is faulty.

Use this flowchart to see how to troubleshoot startup problems that occur before the Windows Server 2008 logo appears.


Question: Based on this flowchart, what would you say are the most common causes of Windows failing to start before the Windows logo appears?


Question: Based on the flowchart, what would you say are the most common causes of Windows failing to start after the Windows logo appears?


Troubleshooting Startup Problems After Logon

Key Points

If your computer fails immediately after a user logs on, use the process shown below to identify and disable the failing startup application to enable successful logon. If the problem occurs immediately after updating or installing an application, try uninstalling the application.

If a problem occurs after installing new software, you can temporarily disable or uninstall the application to verify that the application is the source of the problem.

Problems with applications that run at startup can cause logon delays or even prevent you from completing Windows startup in Normal mode. The following section provides techniques for temporarily disabling startup applications.

Disabling Startup Applications by Using the SHIFT Key

One way you can simplify your configuration is to disable startup applications. By pressing the SHIFT key during the logon process, you can prevent the operating system from running startup programs or shortcuts.

If startup fails after logon, refer to the following flowchart:


Question: Based on the flowchart, what would you say are the most common causes of Windows failing to start after logon?


Lab B: Recovering Active Directory Objects

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V™ Manager.

2. In Hyper-V Manager, click 6419B-NYC-DC1 and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

5. Repeat steps 2 to 4 for 6419B-NYC-DC2. Be sure to start 6419B-NYC-DC2 after DC1 has fully started.


Exercise 1: Enabling Active Directory Recycle Bin

Scenario

The Contoso, Ltd. domain controller also acts as a file and print server. In the past, the company has occasionally had to restore Active Directory objects that were accidentally deleted. This has caused loss of productivity because of server downtime. Contoso, Ltd. wants the ability to restore Active Directory objects without causing any downtime of the domain controller.

In this exercise, you will:

• Raise the forest functional level.

• Enable the Active Directory Recycle Bin.

Task 1: Raise the forest functional level.

1. On NYC-DC1, start the Active Directory Module for Windows PowerShell.

2. Run the following command.

Set-ADForestMode -Identity contoso.com -ForestMode Windows2008R2Forest

Task 2: Enable the Active Directory Recycle Bin.

• In the Active Directory Module for Windows PowerShell, run the following command.

Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'

Results: After completing this exercise, you should have raised the forest functional level and enabled Active Directory Recycle Bin.


Exercise 2: Restoring a Deleted Active Directory Object

Scenario

You will test the effectiveness of restore methods by restoring Active Directory objects from the Active Directory Recycle Bin by using different methods.

In this exercise, you will:

• Delete an Active Directory object.

• Use LDP.exe to display the deleted objects container.

• Restore a deleted AD object by using LDP.exe.

• Use Windows PowerShell to restore a deleted AD object.

Task 1: Delete Active Directory Objects.

• Use Active Directory Users and Computers to delete the following users:

• Dylan Miller

• Alan Brewer

Task 2: Use LDP.exe to display the deleted objects container.

1. Start an administrative command prompt and then start LDP.exe.

2. Configure LDP.exe to return deleted objects.

3. Connect and bind to the local server.

4. View the Contoso.com tree.

5. Expand the tree to expose the Deleted Objects container.

Task 3: Restore a deleted AD object by using LDP.exe.

1. In the Deleted Objects container, modify Dylan Miller as follows:

• Delete the isDeleted attribute.

• Replace the distinguishedName attribute with CN=Dylan Miller,OU=Research,DC=Contoso,DC=Com

• Select the Extended check box.

2. Ensure that Dylan Miller’s user account has been restored to Active Directory.

Task 4: Use Windows PowerShell to restore a deleted Active Directory object.

1. Start the Active Directory Module for Windows PowerShell as Administrator.

2. Run the following command.

Get-ADObject -Filter {displayName -eq "Alan Brewer"} -IncludeDeletedObjects | Restore-ADObject

3. Ensure that Alan Brewer’s user account has been restored to Active Directory.

Results: After completing this exercise, you should have used LDP.exe to view deleted objects, and restored objects by using both LDP.exe and Windows PowerShell.
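The PowerShell restore in Task 4, carried further as an added example that is not part of the lab text: it selects the deleted users by their original name and parent rather than by displayName, and handles a case the lab leaves out, a parent OU that was deleted together with its users and must be restored first. It assumes the Active Directory module on NYC-DC1 with the Recycle Bin enabled; the OU and user names are the lab's, and the function names are this example's own.

```powershell
# Added example, not from the lab text. Restores the two users deleted in Lab B
# (Dylan Miller and Alan Brewer) through the Recycle Bin, selecting them by their
# original name and parent rather than displayName, and handling the case the
# lab does not cover: the parent OU was deleted as well and must come back first.
# Assumes the Active Directory module on NYC-DC1 with the Recycle Bin enabled;
# the OU and user names are the lab's.
Import-Module ActiveDirectory

function Get-ADRecoverableObject {
    # Deleted-but-recoverable objects with what you need to know before a restore.
    # lastKnownParent points into CN=Deleted Objects when the parent is gone too.
    Get-ADObject -IncludeDeletedObjects -Properties 'lastKnownParent', 'msDS-LastKnownRDN', 'whenChanged' `
        -Filter { isDeleted -eq $true -and Name -ne 'Deleted Objects' } |
    ForEach-Object {
        New-Object PSObject -Property @{
            OriginalName  = $_.'msDS-LastKnownRDN'
            ObjectClass   = $_.ObjectClass
            LastParent    = $_.LastKnownParent
            ParentDeleted = ($_.LastKnownParent -like '*,CN=Deleted Objects,*')
            DeletedAt     = $_.whenChanged
            ObjectGuid    = $_.ObjectGUID
        }
    }
}

function Restore-ADObjectWithParents {
    # Restores the object identified by GUID; if its original parent is also in
    # the Recycle Bin, restores the parent chain first and places the object
    # under the parent's live DN (lastKnownParent still names the deleted DN).
    param([Parameter(Mandatory = $true)][guid]$ObjectGuid)
    $obj = Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects -Properties lastKnownParent
    if (-not $obj.Deleted) { return $obj.DistinguishedName }   # already live, nothing to do
    $targetPath = $obj.LastKnownParent
    if ($targetPath -like '*,CN=Deleted Objects,*') {
        $parent = Get-ADObject -Identity $targetPath -IncludeDeletedObjects
        $targetPath = Restore-ADObjectWithParents -ObjectGuid $parent.ObjectGUID
    }
    Restore-ADObject -Identity $ObjectGuid -TargetPath $targetPath
    # The GUID survives deletion and restore, so it yields the new live DN.
    (Get-ADObject -Identity $ObjectGuid).DistinguishedName
}

# Lab B, Task 4 equivalent for both users, restricted to objects that lived in
# the Research OU so a same-named account elsewhere is never touched.
$wanted = @('Dylan Miller', 'Alan Brewer')
$candidates = @(Get-ADRecoverableObject | Where-Object {
    $_.ObjectClass -eq 'user' -and
    $wanted -contains $_.OriginalName -and
    $_.LastParent -like 'OU=Research*'
})
$candidates | Format-Table OriginalName, ParentDeleted, DeletedAt, LastParent -AutoSize
foreach ($c in $candidates) {
    try {
        $dn = Restore-ADObjectWithParents -ObjectGuid $c.ObjectGuid
        Write-Output "Restored $($c.OriginalName) -> $dn"
    } catch {
        # Typical cause: a live object with the same name already exists at the
        # target; Restore-ADObject -NewName is the way to handle that.
        Write-Warning "Could not restore $($c.OriginalName): $_"
    }
}
```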


To revert the virtual machines

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

Note: Repeat steps 2 - 3 for 6419B-NYC-SVR1 and 6419B-NYC-DC2.


Module Review and Takeaways

Review Questions

1. How do you know whether your backups are successful?

2. What provisions should you make for backup storage?

3. What must the forest functional level be to use the Active Directory Recycle Bin?

Common Issues Related to Backup and Recovery Technologies

Identify the causes for the following common issues related to backup and recovery technologies, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: The system will not start and does not even get to the Power On Self Test (POST) in the startup process. What can be the issue?

Troubleshooting tip: When the system cannot even run the POST, the issue can be corrupt memory.

Issue: The system will not start and displays a message stating that the operating system could not be located. What can be the issue?

Troubleshooting tip: The probable cause is a hardware failure. The disk may be unrecoverable.


Real-World Issues and Scenarios

1. Your company has upgraded all servers to Windows Server 2008 R2 and is now investigating the use of the Windows Server Backup feature. The company already has a large investment in robotic tape libraries and tape media that they wish to use. What should you recommend?

2. The domain controller at a branch office has suffered a hardware failure. What type of restore should be performed?

Best Practices Related to Backup and Recovery Technologies

Supplement or modify the following best practices for your own work situations:

• Verify that access to restored data is only available to authorized users.

• Review backup log files after each backup.

• Verify that the restoration of all files has been successful by reviewing the associated log files.

• Regularly review your backup policy by performing a trial restore of data.

• At a minimum, back up two domain controllers in each domain, one of which should be an operations master role holder.

• Store backup data offsite.

Tools

Tool: Windows Server Backup Console
Use for:
• Scheduling backups of the Windows Server 2008 operating system data
• Performing manual backups of Windows Server 2008 data
Where to find it: On the Administrative Tools menu, after you have installed the Backup feature

Tool: Wbadmin.exe
Use for:
• Scripting Windows Server 2008 backup tasks
Where to find it: At the command prompt, after you have installed the Backup feature

Tool: Database Mounting Tool
Use for:
• Exposing AD DS snapshots as LDAP servers
Where to find it: At the command prompt, Dsamain.exe

Tool: Ntdsutil
Use for:
• Creating snapshots of AD DS
• Many other AD DS management functions
Where to find it: At the command prompt

Tool: Active Directory Recycle Bin
Use for:
• Restoring deleted Active Directory objects
Where to find it: After it is enabled, you can use LDP.exe or PowerShell cmdlets to manage deleted objects


Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your learning experience.

Please work with your training provider to access the course evaluation form.

Microsoft will keep your answers to this survey private and confidential, and will use your responses toimprove your future learning experience. Your open and honest feedback is valuable and appreciated.


Implementing DirectAccess A-1

Appendix A
Implementing DirectAccess

Contents:

Exercise 1: Configuring the AD DS domain controller and DNS A-4

Exercise 2: Configuring the PKI environment A-6

Exercise 3: Configuring the DirectAccess Clients and testing Intranet Access A-9

Exercise 4: Configuring the DirectAccess server A-11

Exercise 5: Verifying DirectAccess functionality A-13


Lab: Implementing DirectAccess

Lab Setup

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 6419B-NYC-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Log on by using the following credentials:

• User name: Administrator

• Password: Pa$$w0rd

• Domain: Contoso

5. Repeat steps 2 to 4 for 6419B-NYC-SVR1, 6419B-NYC-EDGE1, 6419B-INET1, and 6419B-NYC-CL1.

Lab Scenario

You are the server administrator at Contoso, Ltd. Your organization consists of a large mobile workforce that carries laptops to stay connected. Your organization wants to provide a secure solution to protect data transfer. To do this, you will use DirectAccess to enable persistent connectivity, central administration, and management of remote computers.


For this project, you must complete the following tasks:

• Configure AD DS and DNS to support DirectAccess.

• Configure the PKI environment.

• Configure the DirectAccess clients and test intranet and Internet access.

• Configure the DirectAccess server.

• Verify DirectAccess functionality.


Exercise 1: Configuring the AD DS domain controller and DNS

Task 1: Create a security group for DirectAccess computers.

1. Switch to NYC-DC1.

2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

3. In the Active Directory Users and Computers console tree, expand Contoso.com, right-click Users, point to New, and then click Group.

4. In the New Object - Group dialog box, under Group name, type DA_Clients.

5. Under Group scope, select Global, under Group type, choose Security, and then click OK.

6. In the details pane, double-click DA_Clients.

7. In the DA_Clients Properties dialog box, click the Members tab, and then click Add.

8. In the Select Users, Contacts, Computers, or Groups dialog box, click Object Types, click Computers, and then click OK.

9. Under Enter the object names to select (examples), type NYC-CL1, and then click OK.

10. Verify that NYC-CL1 is displayed below Members, and then click OK.

11. Close the Active Directory Users and Computers console.

Task 2: Configure firewall rules for ICMPv6 traffic.

1. Click Start, click Administrative Tools, and then click Group Policy Management.

2. In the console tree, open Forest: Contoso.com\Domains\contoso.com.

3. In the console tree, right-click Default Domain Policy, and then click Edit.

4. In the console tree of the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security.

5. In the console tree, click Inbound Rules, right-click Inbound Rules, and then click New Rule.

6. On the Rule Type page, click Custom, and then click Next.

7. On the Program page, click Next.

8. On the Protocols and Ports page, for Protocol type, click ICMPv6, and then click Customize.

9. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.

10. Click Next.

11. On the Scope page, click Next.

12. On the Action page, click Next.

13. On the Profile page, click Next.

14. On the Name page, for Name, type Inbound ICMPv6 Echo Requests, and then click Finish.

15. In the console tree, click Outbound Rules, right-click Outbound Rules, and then click New Rule.

16. On the Rule Type page, click Custom, and then click Next.

17. On the Program page, click Next.

18. On the Protocols and Ports page, for Protocol type, click ICMPv6, and then click Customize.


19. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.

20. Click Next.

21. On the Scope page, click Next.

22. On the Action page, click Allow the connection, and then click Next.

23. On the Profile page, click Next.

24. On the Name page, for Name, type Outbound ICMPv6 Echo Requests, and then click Finish.

25. Close the Group Policy Management Editor and Group Policy Management consoles.

Task 3: Create required DNS records on NYC-DC1.

1. Click Start, point to Administrative Tools, and then click DNS.

2. In the console tree of DNS Manager, expand NYC-DC1\Forward Lookup Zones\contoso.com.

3. Right-click contoso.com, and then click New Host (A or AAAA).

4. In the Name box, type nls. In the IP address box, type 10.10.0.11. Click Add Host, and then click OK.

5. In the New Host dialog box, type CRL in Name (uses parent domain name if blank). In the IP address box, type 10.10.0.15, and then click Add Host.

6. In the DNS dialog box informing you that the record was created, click OK.

7. Click Done in the New Host dialog box.

8. Close the DNS Manager console.

Task 4: Remove ISATAP from DNS global query block list.

1. Click Start, click All Programs, click Accessories, and then click Command Prompt.

2. In the Command Prompt window, type the following command, and then press Enter. The default block list contains both wpad and isatap; this command replaces it with a list containing only wpad, so that the DNS server will answer queries for the ISATAP host record.

dnscmd /config /globalqueryblocklist wpad

3. Close the Command Prompt window.


Exercise 2: Configuring the PKI environment

Task 1: Configure the CRL distribution settings.

1. On NYC-DC1, click Start, point to Administrative Tools, and then click Certification Authority.

2. In the details pane, right-click ContosoCA, and then click Properties.

3. In the ContosoCA Properties dialog box, click the Extensions tab.

4. On the Extensions tab, click Add. In the Location box, type http://crl.contoso.com/crld/.

5. In Variable, click <CAName>, and then click Insert.

6. In Variable, click <CRLNameSuffix>, and then click Insert.

7. In Variable, click <DeltaCRLAllowed>, and then click Insert.

8. In Location, type .crl at the end of the Location string, and then click OK.

9. Select Include in CRLs. Clients use this to find Delta CRL locations. and Include in the CDP extension of issued certificates, and then click Apply. Click No in the dialog box asking you to restart Active Directory Certificate Services.

10. Click Add.

11. In Location, type \\nyc-Edge1\crldist$\.

12. In Variable, click <CAName>, and then click Insert.

13. In Variable, click <CRLNameSuffix>, and then click Insert.

14. In Variable, click <DeltaCRLAllowed>, and then click Insert.

15. In Location, type .crl at the end of the string, and then click OK.

16. Select Publish CRLs to this location and Publish Delta CRLs to this location, and then click OK.

17. Click Yes to restart Active Directory Certificate Services.

18. Close the Certification Authority console.
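How the two Location templates built in this task expand into actual CRL names, worked through as an added example (Python, not code from the handbook). It produces the ContosoCA and ContosoCA+ files that Task 5 expects in the CRLDist$ share and shows why the "+" in the delta CRL name matters for the IIS request-filtering change in Task 3; the ServerDNSName and ServerShortName values are assumed for the lab and are not used by the lab's templates.

```python
"""Expansion of the AD CS CRL distribution point (CDP) templates built in Task 1.

Added example, not part of the 6419B handbook. Token values are the lab's
(CA name ContosoCA on NYC-DC1); ServerDNSName and ServerShortName are
constructed only to show that other Extensions-tab variables expand the same way.
"""
import re

# Replacement values for variables AD CS offers in the Extensions tab.
# <CRLNameSuffix> and <DeltaCRLAllowed> are computed per CRL, not fixed.
LAB_TOKENS = {
    "CAName": "ContosoCA",
    "ServerDNSName": "NYC-DC1.contoso.com",   # constructed for the lab
    "ServerShortName": "NYC-DC1",             # constructed for the lab
}

# The two locations typed in the Location box in Task 1 (steps 4-8 and 11-15).
HTTP_TEMPLATE = "http://crl.contoso.com/crld/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl"
UNC_TEMPLATE = r"\\nyc-Edge1\crldist$\<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl"

_VAR = re.compile(r"<([A-Za-z]+)>")


def expand_cdp(template: str, *, delta: bool, key_index: int = 0,
               tokens: dict = LAB_TOKENS) -> str:
    """Expand one CDP location for a base (delta=False) or delta (delta=True) CRL.

    <CRLNameSuffix> is empty while the CA uses its original key and becomes
    "(n)" after the n-th key renewal, so old and new CRLs do not collide.
    <DeltaCRLAllowed> becomes "+" in a delta CRL name and nothing in a base
    CRL name; that "+" is the only difference between ContosoCA.crl and
    ContosoCA+.crl, the two files Task 5 expects in the CRLDist$ share.
    """
    values = dict(tokens)
    values["CRLNameSuffix"] = "" if key_index == 0 else f"({key_index})"
    values["DeltaCRLAllowed"] = "+" if delta else ""

    def replace(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"unknown CDP variable <{name}>")
        return values[name]

    # A replacement function keeps the UNC backslashes literal.
    return _VAR.sub(replace, template)


def published_names(template: str, key_index: int = 0) -> dict:
    """Base and delta CRL locations a CA with this template publishes to."""
    return {
        "base": expand_cdp(template, delta=False, key_index=key_index),
        "delta": expand_cdp(template, delta=True, key_index=key_index),
    }


def needs_double_escaping(url: str) -> bool:
    """True when IIS 7 request filtering would reject this URL by default.

    With allowDoubleEscaping set to False, IIS refuses request paths that
    contain '+', which is exactly what a delta CRL name carries. That is why
    Task 3 sets allowDoubleEscaping to True for the CRLD virtual directory.
    """
    path = url.split("://", 1)[-1]   # drop the scheme; host names never contain '+'
    return "+" in path


if __name__ == "__main__":
    for label, template in (("HTTP", HTTP_TEMPLATE), ("UNC", UNC_TEMPLATE)):
        names = published_names(template)
        print(f"{label} base : {names['base']}")
        print(f"{label} delta: {names['delta']}")
    print("after first key renewal:", published_names(HTTP_TEMPLATE, key_index=1)["base"])
    print("delta URL needs allowDoubleEscaping:",
          needs_double_escaping(published_names(HTTP_TEMPLATE)["delta"]))
```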

Task 2: Install the web server role on Edge1.

1. Switch to NYC-Edge1.

2. On the taskbar, click Server Manager.

3. In the console tree of Server Manager, click Roles. In the details pane, click Add Roles, and then click Next.

4. On the Select Server Roles page, click Web Server (IIS), and then click Next three times.

5. Click Install.

6. Verify that all installations were successful, and then click Close.

7. Leave the Server Manager window open.

Task 3: Create CRL distribution point on NYC-EDGE1.

1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. In the console tree, browse to NYC-EDGE1\Sites\Default Web Site, right-click Default Web Site, and then click Add Virtual Directory.

3. In the Add Virtual Directory dialog box, in the Alias box, type CRLD. Next to Physical path, click the ellipsis “…” button.

4. In the Browse for Folder dialog box, click Local Disk (C:), and then click Make New Folder.

5. Type CRLDist, and then press Enter. Click OK in the Browse for Folder dialog box.

6. Click OK in the Add Virtual Directory dialog box.

7. In the middle pane of the console, double-click Directory Browsing, and in the details pane, click Enable.

8. In the console tree, click the CRLD folder.


9. In the middle pane of the console, double-click the Configuration Editor icon.

10. Click the down-arrow for the Section drop-down list, and then browse to system.webServer\security\requestFiltering.

11. In the middle pane of the console, double-click the allowDoubleEscaping entry to change the value from False to True.

12. In the details pane, click Apply.

Task 4: Share and secure the CRL distribution point.

1. Click Start, and then click Computer.

2. Double-click Local Disk (C:).

3. In the details pane of Windows Explorer, right-click the CRLDist folder and click Properties.

4. In the CRLDist Properties dialog box, click the Sharing tab, and then click Advanced Sharing.

5. In the Advanced Sharing dialog box, select Share this folder.

6. In Share name, add a “$” to the end so that the share name is CRLDist$.

7. In the Advanced Sharing dialog box, click Permissions.

8. In the Permissions for CRLDist$ dialog box, click Add.

9. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.

10. In the Object Types dialog box, select Computers, and then click OK.

11. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select box, type NYC-DC1, and then click Check Names. Click OK.

12. In the Permissions for CRLDist$ dialog box, select NYC-DC1 (CONTOSO\NYC-DC1$) from the Group or user names list. In the Permissions for NYC-DC1 section, select Allow for Full control. Click OK.

13. In the Advanced Sharing dialog box, click OK.

14. In the CRLDist Properties dialog box, click the Security tab.

15. On the Security tab, click Edit.

16. In the Permissions for CRLDist dialog box, click Add.

17. In the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types.

18. In the Object Types dialog box, select Computers. Click OK.

19. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select box, type NYC-DC1, click Check Names, and then click OK.

20. In the Permissions for CRLDist dialog box, select NYC-DC1 (CONTOSO\NYC-DC1$) from the Group or user names list. In the Permissions for NYC-DC1 section, select Allow for Full control, and then click OK.

21. In the CRLDist Properties dialog box, click Close.

22. Close the Windows Explorer window.

Task 5: Publish the CRL to NYC-EDGE1.

1. Switch to NYC-DC1.

2. Click Start, point to Administrative Tools, and then click Certification Authority.

3. In the console tree, open ContosoCA, right-click Revoked Certificates, point to All Tasks, and then click Publish.

4. In the Publish CRL dialog box, click New CRL, and then click OK.

5. Click Start, type \\NYC-EDGE1\CRLDist$, and then press ENTER.

6. In the Windows Explorer window, you should see the ContosoCA and ContosoCA+ files.

7. Close the Windows Explorer window.

8. Close the Certification Authority console.


Task 6: Configure permissions on the web server certificate template.

1. Click Start, type certtmpl.msc, and then press ENTER.

2. In the contents pane, right-click the Web Server template, and then click Properties.

3. Click the Security tab, and then click Authenticated Users.

4. In the Permissions for Authenticated Users window, click Enroll under Allow, and then click OK.

5. Close the Certificate Templates console.

Task 7: Configure computer certificate auto-enrollment.

1. Click Start, click Administrative Tools, and then click Group Policy Management.

2. In the console tree, expand Forest: Contoso.com, expand Domains, and then click Contoso.com.

3. In the details pane, right-click Default Domain Policy, and then click Edit.

4. In the console tree of the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies.

5. In the details pane, right-click Automatic Certificate Request Settings, point to New, and then click Automatic Certificate Request.

6. In the Automatic Certificate Request Wizard, click Next.

7. On the Certificate Template page, click Computer, click Next, and then click Finish.

8. Close the Group Policy Management Editor and close the Group Policy Management console.


Exercise 3: Configuring the DirectAccess Clients and testing Intranet Access.

Task 1: Create a shared folder.

1. Switch to NYC-SVR1.

2. Click Start, and then click Computer.

3. Double-click Local Disk (C:).

4. Click New folder, type Files, and then press ENTER. Leave the Local Disk window open.

5. Click Start, click All Programs, click Accessories, right-click Notepad, and then click Run as administrator.

6. In the Untitled – Notepad window, type This is a shared file.

7. Click File, click Save, double-click Computer, double-click Local Disk (C:), and then double-click the Files folder.

8. In File name, type example.txt, and then click Save. Close the Notepad window.

9. In the Local Disk window, right-click the Files folder, point to Share with, and then click Specific people.

10. Click Share, and then click Done.

11. Close the Local Disk window.

Task 2: Request a certificate for NYC-SVR1.

1. On the taskbar, click Server Manager.

2. In the console tree of Server Manager, click Roles. In the details pane, click Add Roles, and then click Next.

3. On the Select Server Roles page, click Web Server (IIS), and then click Next three times.

4. Click Install.

5. Verify that all installations were successful, and then click Close.

6. Click Start, type mmc, and then press ENTER.

7. Click File, and then click Add/Remove Snap-in.

8. Click Certificates, click Add, select Computer account, click Next, select Local computer, click Finish, and then click OK.

9. In the console tree of the Certificates snap-in, open Certificates (Local Computer)\Personal\Certificates.

10. Right-click Certificates, point to All Tasks, and then click Request New Certificate.

11. Click Next twice.

12. On the Request Certificates page, click Web Server, and then click More information is required to enroll for this certificate.

13. On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select Common Name.

14. In Value, type nls.contoso.com, and then click Add.

15. Click OK, click Enroll, and then click Finish.


16. In the details pane of the Certificates snap-in, verify that a new certificate with the name nls.contoso.com was enrolled with Intended Purposes of Server Authentication.

Task 3: Change the HTTPS bindings.

1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

2. In the console tree of Internet Information Services (IIS) Manager, open NYC-SVR1/Sites, and then click Default Web Site.

3. In the Actions pane, click Bindings. Click Add.

4. In the Add Site Bindings dialog box, click https, in SSL Certificate, click the certificate with the name nls.contoso.com, click OK, and then click Close.

5. Close the Internet Information Services (IIS) Manager console.

Task 4: Install a certificate on the client computer.

1. Switch to NYC-CL1.

2. Click Start, type mmc, and then press ENTER.

3. Click File, and then click Add/Remove Snap-in.

4. Click Certificates, click Add, select Computer account, click Next, select Local computer, click Finish, and then click OK.

5. In the console tree, expand Certificates (Local Computer)\Personal\Certificates.

6. In the details pane, verify that a certificate with the name NYC-CL1.contoso.com is present with Intended Purposes of Client Authentication and Server Authentication.

7. Close the console window. When you are prompted to save settings, click No.

Task 5: Test the intranet access.

1. From the taskbar, click the Internet Explorer icon.

2. In the Welcome to Internet Explorer 8 window, click Next. In the Turn on Suggested Sites window, click No, don’t turn on, and then click Next. In the Choose your settings dialog box, click Use express settings, and then click Finish.

3. On the toolbar, click Tools, and then click Internet Options. On Home page, click Use blank, and then click OK.

4. In the Address bar, type http://nyc-svr1.contoso.com/, and then press ENTER. You should see the default IIS 7 web page for NYC-SVR1.

5. In the Address bar, type https://nls.contoso.com/, and then press ENTER. You should see the default IIS 7 web page for NYC-SVR1.

6. Leave the Internet Explorer window open.

7. Click Start, type \\NYC-SVR1\Files, and then press ENTER.

8. You should see a folder window with the contents of the Files shared folder.

9. In the Files shared folder window, double-click the Example.txt file. You should see the contents of the Example.txt file.

10. Close all open windows.


Exercise 4: Configuring the DirectAccess server

Task 1: Obtain required certificates for NYC-EDGE1.

1. Switch to NYC-Edge1.

2. Click Start, type mmc, and then press ENTER.

3. Click File, and then click Add/Remove Snap-in.

4. Click Certificates, click Add, click Computer account, click Next, select Local Computer, click Finish, and then click OK.

5. In the console tree of the Certificates snap-in, open Certificates (Local Computer)\Personal\Certificates.

6. Right-click Certificates, point to All Tasks, and then click Request New Certificate.

7. Click Next twice.

8. On the Request Certificates page, click Web Server, and then click More information is required to enroll for this certificate.

9. On the Subject tab of the Certificate Properties dialog box, in Subject name, for Type, select Common Name.

10. In the Value box, type nyc-edge1.contoso.com, and then click Add.

11. Click OK, click Enroll, and then click Finish.

12. In the details pane of the Certificates snap-in, verify that a new certificate with the name nyc-edge1.contoso.com was enrolled with Intended Purposes of Server Authentication.

13. Right-click the certificate, and then click Properties.

14. In Friendly Name, type IP-HTTPS Certificate, and then click OK.

15. Close the console window. If you are prompted to save settings, click No.

Task 2: Install the DirectAccess feature on NYC-EDGE1.

1. Click Start, point to Administrative Tools, and then click Server Manager.

2. In the main window, under Features Summary, click Add Features.

3. On the Select Features page, select DirectAccess Management Console.

4. In the Add Features Wizard window, click Add Required Features.

5. On the Select Features page, click Next.

6. On the Confirm Installation Selections page, click Install.

7. On the Installation Results page, click Close.

Task 3: Run DirectAccess setup wizard on NYC-EDGE1.

1. Open a command prompt and type GPUpdate /force. Close the command prompt.

2. Click Start, point to Administrative Tools, and then click DirectAccess Management.

3. In the console tree, click Setup. In the details pane, click Configure for step 1.

4. On the DirectAccess Client Setup page, click Add.

5. In the Select Group dialog box, type DA_Clients, click OK, and then click Finish.

6. Click Configure for step 2.


7. On the Connectivity page, for Interface connected to the Internet, select the interface named Public. For Interface connected to the internal network, select Local Area Connection, and then click Next.

Note: If you receive a warning that the local area connection network adapter must be connected to a domain network, close the DirectAccess Management console. Open Server Manager, and click Configure Network Connections. Disable Local Area Connection, and re-enable it. Restart the DirectAccess Management console.

8. On the Certificate Components page, for Select the root certificate to which remote client certificates must chain, click Browse. In the list of certificates, click the ContosoCA root certificate, and then click OK.

9. For Select the certificate that will be used to secure remote client connectivity over HTTPS, click Browse. In the list of certificates, click the certificate named IP-HTTPS Certificate, click OK, and then click Finish.

10. Click Configure for step 3.

11. On the Location page, click Network Location server is run on a highly available server, type https://nls.contoso.com, click Validate, and then click Next.

12. On the DNS and Domain Controller page, note the entry for the name contoso.com with the IPv6 address 2002:836b:2:1:0:5efe:10.10.0.10. This IPv6 address is assigned to NYC-DC1 and is composed of a 6to4 network prefix (2002:836b:2:1::/64) and an ISATAP-based interface identifier (::0:5efe:10.0.0.1). Click Next.

13. On the Management page, click Finish.

14. Click Configure for step 4. On the DirectAccess Application Server Setup page, click Finish.

15. Click Save, and then click Finish.

16. In the DirectAccess Review dialog box, click Apply. In the DirectAccess Policy Configuration message box, click OK.


Exercise 5: Verifying DirectAccess functionality

Task 1: Create DNS records on INET1.

1. Switch to INET1.

2. Click Start, point to Administrative Tools, and then click DNS.

3. In the console tree, right-click contoso.com, and then click New Host (A or AAAA).

4. In the Name box, type crl. In IP address, type 131.107.0.2.

5. Click Add Host, click OK, and then click Done.

6. Close the DNS console.

Task 2: Update IPv6 configuration on NYC-SVR1 and NYC-DC1.

1. Switch to NYC-SVR1.

2. Click Start, click All Programs, click Accessories, and then click Command Prompt.

3. At the command prompt, type the following command, and then press ENTER.

net stop iphlpsvc

4. At the command prompt, type the following command, and then press ENTER.

net start iphlpsvc

5. At the command prompt, type the following command, and then press ENTER. Verify that the server has been issued an ISATAP address that ends with 10.10.0.11.

ipconfig

6. Close the Command Prompt window.

7. Switch to NYC-DC1.

8. Click Start, click All Programs, click Accessories, and then click Command Prompt.

9. At the command prompt, type the following command, and then press ENTER.

net stop iphlpsvc

10. At the command prompt, type the following command, and then press ENTER.

net start iphlpsvc

11. At the command prompt, type the following command, and then press ENTER. Verify that the server has been issued an ISATAP address that ends with 10.10.0.10.

ipconfig

12. Close the Command Prompt window.

Task 3: Update GPO and IPv6 settings on NYC-CL1.

1. Switch to NYC-CL1.

2. Restart NYC-CL1 and then log back on as Contoso\Administrator with the password Pa$$w0rd. This is to ensure that the NYC-CL1 computer connects to the domain as a member of the DA_Clients security group.


3. Click Start, click All Programs, click Accessories, and then click Command Prompt.

4. At the command prompt, type the following command, and then press ENTER.

gpupdate

5. At the command prompt, type the following command, and then press ENTER.

net stop iphlpsvc

6. At the command prompt, type the following command, and then press ENTER.

net start iphlpsvc

7. At the command prompt, type the following command, and then press ENTER. Verify that NYC-CL1 has been issued an ISATAP address that ends with 10.10.0.51.

ipconfig

8. At the command prompt, type the following command, and then press ENTER.

Gpresult -R

9. Verify that one DirectAccess Group Policy object is being applied to the client computer. If the policy is not being applied, run the gpupdate command again. If the policy is still not being applied, restart NYC-CL1. After the computer restarts, log on as Administrator, and run the Gpresult -R command again.

Task 4: Verify ISATAP connectivity.

1. At the command prompt, type the following command, and then press ENTER.

Ipconfig /flushdns

2. At the command prompt, type the following command, and then press ENTER.

ping 2002:836b:2:1::5efe:10.10.0.10

3. At the command prompt, type the following command, and then press ENTER.

ping 2002:836b:2:1::5efe:10.10.0.11

4. At the command prompt, type the following command, and then press ENTER.

ping NYC-DC1.contoso.com

5. At the command prompt, type the following command, and then press ENTER.

ping NYC-SVR1.contoso.com

6. All these commands should result in a successful response.

Task 5: Move NYC-CL1 to the Internet.

1. On NYC-CL1, click Start, click Control Panel, and then click Network and Internet.

2. Click Network and Sharing Center.

3. Click Change Adapter Settings.


4. Right-click Local Area Connection 3, and then click Properties.

5. In the Local Area Connection Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).

6. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address automatically. Click Obtain DNS server address automatically, and then click OK.

7. In the Local Area Connection Properties dialog box, click Close.

8. In the Set Network Location dialog box, click Public network, and then click Close.

9. Switch to the command prompt, type IPCONFIG, and then press ENTER. The IP address should start with 131.107.

Task 6: Verify connectivity to Internet resources.

1. At the command prompt, type the following command, and then press ENTER.

ping inet1.isp.example.com

2. From the taskbar, click the Internet Explorer icon.

3. In the Address bar, type http://inet1.isp.example.com/, and then press ENTER. You should see the default IIS 7 Web page for INET1.

Task 7: Verify access to web-based and shared folder resources.

1. At the command prompt, type the following command, and then press ENTER.

ping NYC-SVR1

2. In Internet Explorer, in the Address bar, type http://NYC-SVR1.contoso.com/, press ENTER, and then press F5. You should see the default IIS 7 Web page for NYC-SVR1.

3. Close Internet Explorer.

4. Click Start, type \\NYC-SVR1\files, and then press ENTER. You should see a folder window with the contents of the Files shared folder.

5. In the Files shared folder window, double-click the Example.txt file.

6. Close the example.txt - Notepad window and the Files shared folder window.

Task 8: Examine NYC-CL1 IPv6 configuration.

1. At the command prompt, type the following command, and then press ENTER.

ipconfig

2. From the display of the Ipconfig.exe tool, notice that an interface named Tunnel adapter 6TO4 Adapter has an IPv6 address that begins with 2002:836b:. This is a 6to4 address based on an IPv4 address that begins with 131.107. Notice that this tunnel interface has a default gateway of 2002:836b:2::836b:2, which corresponds to the 6to4 address of EDGE1 (131.107.0.2 in colon-hexadecimal notation is 836b:2). NYC-CL1 uses 6to4 and this default gateway to tunnel IPv6 traffic to EDGE1.
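The address composition described in step 2 above and in Exercise 4, Task 3, step 12, worked through in code as an added example (Python, not from the handbook): it derives the 6to4 site prefix and EDGE1's 6to4 address from 131.107.0.2, and each lab host's ISATAP address from its IPv4 address, in the notation ipconfig prints. The internal subnet ID of 1 is taken from the prefix 2002:836b:2:1::/64 the lab shows; the rule for the first 16 bits of the ISATAP interface identifier is RFC 5214's.

```python
"""6to4 and ISATAP address derivation for the lab network.

Added example, not from the 6419B handbook. The IPv4 values are the lab's:
EDGE1's public address 131.107.0.2, NYC-DC1 10.10.0.10, NYC-SVR1 10.10.0.11,
NYC-CL1 10.10.0.51; the internal 6to4 subnet is 2002:836b:2:1::/64.
"""
import ipaddress


def ipv4_as_hextets(ipv4: str) -> str:
    """131.107.0.2 -> '836b:2': the IPv4 address written as two 16-bit groups."""
    n = int(ipaddress.IPv4Address(ipv4))
    return f"{n >> 16:x}:{n & 0xFFFF:x}"


def sixto4_prefix(public_ipv4: str) -> ipaddress.IPv6Network:
    """RFC 3056 site prefix 2002:WWXX:YYZZ::/48 derived from the public IPv4 address."""
    return ipaddress.IPv6Network(f"2002:{ipv4_as_hextets(public_ipv4)}::/48")


def sixto4_subnet(public_ipv4: str, subnet_id: int) -> ipaddress.IPv6Network:
    """One /64 inside the site prefix; the lab's internal subnet uses subnet_id 1."""
    base = int(sixto4_prefix(public_ipv4).network_address)
    return ipaddress.IPv6Network((base | (subnet_id << 64), 64))


def sixto4_router_address(public_ipv4: str) -> ipaddress.IPv6Address:
    """The 6to4 router's own address: subnet 0 with the IPv4 address as interface ID.

    For EDGE1 this is 2002:836b:2::836b:2, the default gateway NYC-CL1 shows on
    its 6TO4 Adapter once it is on the Internet.
    """
    base = int(sixto4_prefix(public_ipv4).network_address)
    return ipaddress.IPv6Address(base | int(ipaddress.IPv4Address(public_ipv4)))


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """ISATAP address (RFC 5214): 64-bit prefix + interface ID 0:5efe:w.x.y.z.

    The first 16 bits of the identifier are 0x0200 when the embedded IPv4
    address is globally unique and 0x0000 when it is private; the lab's 10.x
    addresses are private, which is why ipconfig shows 0:5efe:... for them.
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    v4 = ipaddress.IPv4Address(ipv4)
    flag = 0x0000 if v4.is_private else 0x0200
    interface_id = (flag << 48) | (0x5EFE << 32) | int(v4)
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)


def mixed_notation(addr: ipaddress.IPv6Address) -> str:
    """Render as ipconfig and the handbook do: 2002:836b:2:1:0:5efe:10.10.0.10."""
    n = int(addr)
    hextets = [(n >> (16 * (7 - i))) & 0xFFFF for i in range(6)]
    embedded = ipaddress.IPv4Address(n & 0xFFFFFFFF)
    return ":".join(f"{h:x}" for h in hextets) + f":{embedded}"


def same_address(a: str, b: str) -> bool:
    """True when two spellings name one address, e.g. the Task 4 ping target
    2002:836b:2:1::5efe:10.10.0.10 and the DNS entry 2002:836b:2:1:0:5efe:10.10.0.10."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


def lab_addresses(public_ipv4: str = "131.107.0.2", subnet_id: int = 1) -> dict:
    """ISATAP addresses of the lab hosts in the handbook's notation."""
    subnet = str(sixto4_subnet(public_ipv4, subnet_id))
    hosts = {"NYC-DC1": "10.10.0.10", "NYC-SVR1": "10.10.0.11", "NYC-CL1": "10.10.0.51"}
    return {name: mixed_notation(isatap_address(subnet, v4)) for name, v4 in hosts.items()}


if __name__ == "__main__":
    print("6to4 site prefix  :", sixto4_prefix("131.107.0.2"))
    print("internal subnet   :", sixto4_subnet("131.107.0.2", 1))
    print("EDGE1 6to4 address:", sixto4_router_address("131.107.0.2"))
    for host, addr in lab_addresses().items():
        print(f"{host:8} {addr}")
```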

Results: In this exercise, you successfully implemented DirectAccess.


To prepare for the next module

When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. Right-click 6419B-NYC-DC1 in the Virtual Machines list, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat these steps for 6419B-NYC-SVR1, 6419B-NYC-EDGE1, 6419B-NYC-INET1, and 6419B-NYC-CL1.
