6419A
Configuring, Managing and Maintaining Windows Server® 2008 Servers
Volume 1
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted
in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, Microsoft Press, Active Directory, ActiveX, BitLocker, Excel, Hyper-V, Internet Explorer, MS,
MSDN, PowerPoint, SharePoint, SQL Server, Visual Basic, Visual Studio, Win32, Windows, Windows
Media, Windows NT, Windows PowerShell, Windows Server, and Windows Vista are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Released: 02/2009
MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER
EDITION – Pre-Release and Final Release Versions
These license terms are an agreement between Microsoft Corporation and you. Please read them. They
apply to the Licensed Content named above, which includes the media on which you received it, if any. The
terms also apply to any Microsoft
• updates,
• supplements,
• Internet-based services, and
• support services
for this Licensed Content, unless other terms accompany those items. If so, those terms apply.
By using the Licensed Content, you accept these terms. If you do not accept them, do not use
the Licensed Content.
If you comply with these license terms, you have the rights below.
1. DEFINITIONS.
a. “Academic Materials” means the printed or electronic documentation such as manuals,
workbooks, white papers, press releases, datasheets, and FAQs which may be included in the
Licensed Content.
b. “Authorized Learning Center(s)” means a Microsoft Certified Partner for Learning Solutions
location, an IT Academy location, or such other entity as Microsoft may designate from time to time.
c. “Authorized Training Session(s)” means those training sessions authorized by Microsoft and
conducted at or through Authorized Learning Centers by a Trainer providing training to Students
solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or
“MOC”) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions
Courseware). Each Authorized Training Session will provide training on the subject matter of one
(1) Course.
d. “Course” means one of the courses using Licensed Content offered by an Authorized Learning
Center during an Authorized Training Session, each of which provides training on a particular
Microsoft technology subject matter.
e. “Device(s)” means a single computer, device, workstation, terminal, or other digital electronic or
analog device.
f. “Licensed Content” means the materials accompanying these license terms. The Licensed
Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student
Content, (iii) classroom setup guide, and (iv) Software. There are different and separate
components of the Licensed Content for each Course.
g. “Software” means the Virtual Machines and Virtual Hard Disks, or other software applications that
may be included with the Licensed Content.
h. “Student(s)” means a student duly enrolled for an Authorized Training Session at your location.
i. “Student Content” means the learning materials accompanying these license terms that are for
use by Students and Trainers during an Authorized Training Session. Student Content may include
labs, simulations, and courseware files for a Course.
j. “Trainer(s)” means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer
and b) such other individual as authorized in writing by Microsoft and has been engaged by an
Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its
behalf.
k. “Trainer Content” means the materials accompanying these license terms that are for use by
Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content
may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and
demonstration guides and script files for a Course.
l. “Virtual Hard Disks” means Microsoft Software that is comprised of virtualized hard disks (such as
a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single
computer or other device in order to allow end-users to run multiple operating systems concurrently.
For the purposes of these license terms, Virtual Hard Disks will be considered “Trainer Content”.
m. “Virtual Machine” means a virtualized computing experience, created and accessed using
Microsoft® Virtual PC or Microsoft® Virtual Server software that consists of a virtualized hardware
environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the
virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard
Disks will be considered “Trainer Content”.
n. “you” means the Authorized Learning Center or Trainer, as applicable, that has agreed to these
license terms.
2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and
electronic), Trainer Content, Student Content, classroom setup guide, and associated media.
License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center
location or per Trainer basis.
3. INSTALLATION AND USE RIGHTS.
a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you
may:
i. either install individual copies of the relevant Licensed Content on classroom Devices only for
use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided
that the number of copies in use does not exceed the number of Students enrolled in and the
Trainer delivering the Authorized Training Session, OR
ii. install one copy of the relevant Licensed Content on a network server only for access by
classroom Devices and only for use by Students enrolled in and the Trainer delivering the
Authorized Training Session, provided that the number of Devices accessing the Licensed
Content on such server does not exceed the number of Students enrolled in and the Trainer
delivering the Authorized Training Session.
iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to
use the Licensed Content that you install in accordance with (i) or (ii) above during such
Authorized Training Session in accordance with these license terms.
i. Separation of Components. The components of the Licensed Content are licensed as a single
unit. You may not separate the components and install them on different Devices.
ii. Third Party Programs. The Licensed Content may contain third party programs. These license
terms will apply to the use of those third party programs, unless other terms accompany those
programs.
b. Trainers:
i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized
Learning Center on a classroom Device to deliver an Authorized Training Session.
ii. Trainers may also Use a copy of the Licensed Content as follows:
A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content.
You may install and Use one copy of the Licensed Content on the licensed Device solely for
your own personal training Use and for preparation of an Authorized Training Session.
B. Portable Device. You may install another copy on a portable device solely for your own
personal training Use and for preparation of an Authorized Training Session.
4. PRE-RELEASE VERSIONS. If this is a pre-release (“beta”) version, in addition to the other provisions
in this agreement, these terms also apply:
a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not
contain the same information and/or work the way a final version of the Licensed Content will. We
may change it for the final, commercial version. We also may not release a commercial version.
You will clearly and conspicuously inform any Students who participate in each Authorized Training
Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with
any further content, including but not limited to the final released version of the Licensed Content
for the Course.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to
Microsoft, without charge, the right to use, share and commercialize your feedback in any way and
for any purpose. You also give to third parties, without charge, any patent rights needed for their
products, technologies and services to use or interface with any specific parts of a Microsoft
software, Licensed Content, or service that includes the feedback. You will not give feedback that is
subject to a license that requires Microsoft to license its software or documentation to third parties
because we include your feedback in them. These rights survive this agreement.
c. Confidential Information. The Licensed Content, including any viewer, user interface, features
and documentation that may be included with the Licensed Content, is confidential and proprietary
to Microsoft and its suppliers.
i. Use. For five years after installation of the Licensed Content or its commercial release,
whichever is first, you may not disclose confidential information to third parties. You may
disclose confidential information only to your employees and consultants who need to know
the information. You must have written agreements with them that protect the confidential
information at least as much as this agreement.
ii. Survival. Your duty to protect confidential information survives this agreement.
iii. Exclusions. You may disclose confidential information in response to a judicial or
governmental order. You must first give written notice to Microsoft to allow it to seek a
protective order or otherwise protect the information. Confidential information does not
include information that
• becomes publicly known through no wrongful act;
• you received from a third party who did not breach confidentiality obligations to
Microsoft or its suppliers; or
• you developed independently.
d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs
you is the end date for using the beta version, or (ii) the commercial release of the final release
version of the Licensed Content, whichever is first (“beta term”).
e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta
term, and will destroy all copies of same in the possession or under your control and/or in the
possession or under the control of any Trainers who have received copies of the pre-released
version.
f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta
version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If
Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you
for such copies and distribution.
5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.
a. Authorized Learning Centers and Trainers:
i. Software.
ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft
Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced
Server and/or other Microsoft products which are provided in Virtual Hard Disks.
A. If the Virtual Hard Disks and the labs are launched through the Microsoft
Learning Lab Launcher, then these terms apply:
Time-Sensitive Software. If the Software is not reset, it will stop running based upon the
time indicated on the install of the Virtual Machines (between 30 and 500 days after you
install it). You will not receive notice before it stops running. You may not be able to
access data used or information saved with the Virtual Machines when it stops running and
may be forced to reset these Virtual Machines to their original state. You must remove the
Software from the Devices at the end of each Authorized Training Session and reinstall and
launch it prior to the beginning of the next Authorized Training Session.
B. If the Virtual Hard Disks require a product key to launch, then these terms
apply:
Microsoft will deactivate the operating system associated with each Virtual Hard Disk.
Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized
Training Session, you will obtain from Microsoft a product key for the operating system
software for the Virtual Hard Disks and will activate such Software with Microsoft using such
product key.
C. These terms apply to all Virtual Machines and Virtual Hard Disks:
You may only use the Virtual Machines and Virtual Hard Disks if you comply with
the terms and conditions of this agreement and the following security
requirements:
o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or
Devices that are accessible to other networks.
o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at
the end of each Authorized Training Session, except those held at Microsoft Certified
Partners for Learning Solutions locations.
o You must remove the differencing drive portions of the Virtual Hard Disks from all
classroom Devices at the end of each Authorized Training Session at Microsoft Certified
Partners for Learning Solutions locations.
o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or
downloaded from Devices on which you installed them.
o You will strictly comply with all Microsoft instructions relating to installation, use,
activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
o You may not modify the Virtual Machines and Virtual Hard Disks or any contents
thereof.
o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.
ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an
Authorized Training Session will be done in accordance with the classroom set-up guide for the
Course.
iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip
art, animations, sounds, music, shapes, video clips and templates provided with the Licensed
Content solely in an Authorized Training Session. If Trainers have their own copy of the
Licensed Content, they may use Media Elements for their personal training use.
iv. Evaluation Software. Any Software that is included in the Student Content designated as
“Evaluation Software” may be used by Students solely for their personal training outside of the
Authorized Training Session.
b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft
PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for
providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree
or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of
obscene or scandalous works, as defined by federal law at the time the work is created; and
(b) to comply with all other terms and conditions of this agreement.
ii. Use of Instructional Components in Trainer Content. For each Authorized Training
Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those
portions of the Licensed Content that are logically associated with instruction of the Authorized
Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer
agrees: (a) that any of these customizations or reproductions will only be used for providing an
Authorized Training Session and (b) to comply with all other terms and conditions of this
agreement.
iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and
use the Academic Materials. You may not make any modifications to the Academic Materials
and you may not print any book (either electronic or print version) in its entirety. If you
reproduce any Academic Materials, you agree that:
• The use of the Academic Materials will be only for your personal reference or training use
• You will not republish or post the Academic Materials on any network computer or
broadcast in any media;
• You will include the Academic Material’s original copyright notice, or a copyright notice to
Microsoft’s benefit in the format provided below:
Form of Notice:
© 2009 Reprinted for personal reference use only with permission by Microsoft
Corporation. All rights reserved.
Microsoft, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the US and/or other countries. Other
product and company names mentioned herein may be the trademarks of their
respective owners.
6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed
Content. It may change or cancel them at any time. You may not use these services in any way that
could harm them or impair anyone else’s use of them. You may not use the services to try to gain
unauthorized access to any service, data, account or network by any means.
7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you
more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that
only allow you to use it in certain ways. You may not
• install more copies of the Licensed Content on classroom Devices than the number of Students and
the Trainer in the Authorized Training Session;
• allow more classroom Devices to access the server than the number of Students enrolled in and the
Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network
server;
• copy or reproduce the Licensed Content to any server or location for further reproduction or
distribution;
• disclose the results of any benchmark tests of the Licensed Content to any third party without
Microsoft’s prior written approval;
• work around any technical limitations in the Licensed Content;
• reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent
that applicable law expressly permits, despite this limitation;
• make more copies of the Licensed Content than specified in this agreement or allowed by applicable
law, despite this limitation;
• publish the Licensed Content for others to copy;
• transfer the Licensed Content, in whole or in part, to a third party;
• access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not
been authorized by Microsoft to access and use;
• rent, lease or lend the Licensed Content; or
• use the Licensed Content for commercial hosting services or general business purposes.
• Rights to access the server software that may be included with the Licensed Content, including the
Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft
intellectual property in software or devices that may access the server.
8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and
regulations. You must comply with all domestic and international export laws and regulations that apply
to the Licensed Content. These laws include restrictions on destinations, end users and end use. For
additional information, see www.microsoft.com/exporting.
9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed
Content marked as “NFR” or “Not for Resale.”
10. ACADEMIC EDITION. You must be a “Qualified Educational User” to use Licensed Content marked as
“Academic Edition” or “AE.” If you do not know whether you are a Qualified Educational User, visit
www.microsoft.com/education or contact the Microsoft affiliate serving your country.
11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you
fail to comply with the terms and conditions of these license terms. In the event your status as an
Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is
terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this
agreement, you must destroy all copies of the Licensed Content and all of its component parts.
12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-
based services and support services that you use, are the entire agreement for the Licensed
Content and support services.
13. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws
of that country apply.
14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
Licensed Content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as-is.” You bear the risk of
using it. Microsoft gives no express warranties, guarantees or conditions. You may have
additional consumer rights under your local laws which this agreement cannot change. To
the extent permitted under your local laws, Microsoft excludes the implied warranties of
merchantability, fitness for a particular purpose and non-infringement.
16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT
RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL,
INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to
• anything related to the Licensed Content, software, services, content (including code) on third party
Internet sites, or third party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in
this agreement are provided in French in the original; they are given here in English translation.
DISCLAIMER OF WARRANTY. The Licensed Content is licensed “as is.” You use this Licensed Content at
your sole risk. Microsoft gives no other express warranties. You may have additional rights under local
consumer protection law, which this agreement cannot change. Where permitted by local law, the implied
warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.
LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. You can recover from Microsoft and its
suppliers only direct damages up to U.S. $5.00. You cannot recover any other damages, including special,
indirect or incidental damages and lost profits.
This limitation applies to:
• anything related to the Licensed Content, to services or to content (including code) on third party
Internet sites or in third party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other tort to the extent
permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such damage. If your
country does not allow the exclusion or limitation of indirect, incidental or other damages, the above
limitation or exclusion may not apply to you.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. This agreement does not change your rights under the laws of your country if the laws of
your country do not permit it to do so.
Configuring, Managing and Maintaining Windows Server® 2008 Servers xi
Acknowledgement
Microsoft Learning would like to acknowledge and thank the following for their
contribution towards developing this title. Their effort at various stages in the
development has ensured that you have a good classroom experience.
Contents
Module 1: Introduction to Managing Microsoft Windows Server 2008
Environment
Lesson 1: Server Roles 1-3
Lesson 2: Overview of Active Directory 1-15
Lesson 3: Using Windows Server 2008 Administrative Tools 1-28
Lesson 4: Using Remote Desktop for Administration 1-36
Lab: Administering Windows Server 2008 1-44
Course Description
This five-day instructor-led course provides students with the knowledge and skills
to configure and manage Microsoft® Windows Server® 2008 servers. The course
focuses heavily on Active Directory® Domain Services object creation and Group
Policy management. The course also focuses on configuring security, storage,
Network Access Protection, troubleshooting, and server data protection.
Audience
The primary audience for this course is IT Professionals who want to increase their
hands-on deployment and day-to-day management skills for Windows Server 2008
servers in an enterprise organization. The primary audience for this course will be
responsible for day-to-day management of the server OS, file, and directory
services; software distribution, patches, and updates; profiling and monitoring; and
Tier 2 troubleshooting for a subset of the organization's servers.
The secondary audiences for this course are individuals who are network
infrastructure technology specialists.
Student Prerequisites
This course requires that you meet the following prerequisites:
• At least one year experience operating Windows Servers daily in the area of
account management, server maintenance, server monitoring, or server
security
• A+, Server+, hardware portion of Net+, and familiarity with Microsoft
Windows® (client side)
• Working knowledge of networking technologies
• Intermediate understanding of network operating systems
• Working experience with Windows Server 2003 and Windows Server 2008
• Basic knowledge of Active Directory
About This Course xx
Course Objectives
After completing this course, students will be able to:
• Describe the different administrative tools and tasks in Windows Server 2008
• Configure AD DS user and computer accounts
• Create Groups and Organizational Units
• Manage access to shared resources in an AD DS environment
• Configure Active Directory Objects and Trusts
• Create and configure Group Policy Objects
• Configure user and computer environments by using Group Policy
• Implement security by using Group Policy
• Configure and analyze server security and security update compliance
• Configure and manage storage technologies included with
Windows Server 2008
• Configure and manage Distributed File System
• Configure Network Access Protection
• Configure availability of network resources
• Plan and Maintain Windows Server 2008 monitoring
• Manage a Windows Server 2008 Backup and Restore
Note: To access the full course content, insert the Course Companion CD into the
CD-ROM drive, and then in the root directory of the CD, double-click StartCD.exe.
• Course evaluation. At the end of the course, you will have the opportunity to
complete an online evaluation to provide feedback on the course, training
facility, and instructor.
Important: At the end of each lab, you must close the virtual machine and must not
save any changes. To close a virtual machine without saving the changes, perform
the following steps:
1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do?
list, click Turn off and delete changes, and then click OK.
The following table shows the role of each virtual machine used in this course:
Course Files
There are files associated with the labs in this course. The lab files are located in
the folder E:\ModXX\Labfiles within the virtual machines.
Classroom Setup
Each classroom computer will have the same virtual machine configured in the
same way.
Windows Server 2008 is configured by adding and removing server roles and
features. This is a new method of organizing the addition and removal of services.
Understanding server roles and features allows you to install and support only the
Windows Server 2008 components you need in your environment, which also keeps each
server's attack surface and patch load to a minimum.
Key Points
Windows Server 2008 is available in several editions to meet the needs of various
organizations. The editions are available for x86, x64, and Itanium processors.
Windows HPC Server 2008 is designed for clustering hundreds of computers
together to work on a single processing task. Hyper-V™ is a role that is provided
for 64-bit installations of Windows Server 2008. You can order Standard,
Enterprise, and Datacenter editions that do not have Hyper-V included.
Question: Describe the criteria you will use when deciding what edition of
Windows Server to deploy.
Introduction to Managing Microsoft Windows Server 2008 Environment 1-5
Key Points
Server roles are a way to configure a computer running Windows Server 2008 to
perform a specific function. In a large enterprise, computers can be configured to
perform a single role to ensure greater scalability. In a small organization, many
roles can be combined on a single computer.
When deploying multiple server roles on a single computer, consider the
following:
• The capacity of the computer should be sufficient for all the installed roles.
• Ensure that security requirements for the roles you plan to install can co-exist
on a single computer.
Key Points
Windows infrastructure services roles are used to form the underlying framework
of software and services that are used by other applications within the
organization.
The table below describes Microsoft Windows® infrastructure services roles:
Role: Active Directory Certificate Services
Description: Creates and manages certification authorities. Certification authorities are used to create digital certificates for identification and encryption.
Role: Active Directory Rights Management Services
Description: Helps protect information from unauthorized use and generates licenses that specify what actions can be taken with protected content and by whom.
Role: Network Policy and Access Services
Description: Provides support for LAN or WAN routing, network access policy enforcement, VPN connections, and dial-up connections.
Question: List the Windows infrastructure services roles used in your work
environment.
Key Points
Windows application platform services roles are used as a platform for the
development of applications.
The table below describes Windows application platform services roles:
Role Description
Key Points
The Active Directory roles allow you to implement and control Active Directory for
your organization.
Question: Briefly describe one or two scenarios where you would implement each
server role.
Key Points
Many of the other Windows Server 2008 server roles integrate with AD DS. Server
roles, such as the following, rely on AD DS:
• Active Directory Federation Services (AD FS)
• Active Directory Rights Management Services (AD RMS)
• Active Directory Certificate Services (AD CS)
Question: Describe any other applications you are aware of that can leverage AD DS.
Key Points
Server features support server roles or enhance the functionality of a server.
Key Points
Server Core is a new installation option for Windows Server 2008. It provides a
minimal environment for running specific server roles. A graphical interface is not
included as part of the Server Core installation.
Key Points
Active Directory is a central repository of network information that is used for
logon security and application configuration. The information stored in Active
Directory includes:
• User accounts
• Computer accounts
• Application configuration information
• Subnet addresses
• Group accounts
• Printer objects
• Published folder objects
Key Points
Active Directory provides a single repository of information that is used for
network management. A workgroup is a peer-to-peer network without a centralized
security database. When Windows computers are not joined to a domain, they are
considered members of a workgroup. Each workgroup member has its own
security database and group policy store.
Key Points
A domain is a logical grouping of objects such as:
• User accounts. These are required for users to log on and access network
resources. Information such as e-mail addresses and mailing addresses can be
stored as part of a user account.
• Computer accounts. These are required for a computer to participate in the
domain and become part of the security infrastructure. To log on with a
domain user account, you must use a computer that has a computer account
in the domain.
• Groups. These are used to organize users and computers into sets for
assigning permissions to resources. Using groups makes it easier to manage
access to resources such as files.
Key Points
An organizational unit (OU) is a grouping of objects within a domain. OUs can
contain:
• Users
• Groups
• Computers
• Other OUs
Question: Describe one scenario when you would use a domain to organize a
network. Describe one scenario when you would use an OU to organize a network.
Key Points
A forest is a collection of domains that:
• Share a common schema
• Share a common Global Catalog
• Are connected by two-way transitive trusts
When domains have a trust relationship, accounts in the trusted domain can be
granted access to resources in the trusting domain.
Domain trees in a forest are not required to have the same naming structures.
Key Points
The following are characteristics of a domain controller:
• A domain controller is a computer that holds a copy of Active Directory
information.
• Domain controllers update this copy of Active Directory information through
multi-master replication with other domain controllers in the domain and
forest.
• At minimum, a domain controller holds a copy of the local domain partition,
the configuration partition, and the schema partition.
Note: A global catalog server is a domain controller that holds a subset of the domain
information for all domains in the entire forest.
Key Points
An RODC is a new type of domain controller that Windows Server 2008 supports.
An RODC hosts read-only partitions of the AD DS database. This means that no
changes can ever be made to the database copy stored by the RODC, and all AD DS
replication uses a one-way connection from a domain controller that has a
writeable database copy to the RODC.
Key Points
RODCs provide several features designed to work together to increase security.
These features minimize the risks of deploying a domain controller in a location
with low physical security or high exposure to attack.
Question: If you plan to use one or more RODCs in your work environment,
which RODC features do you plan to use?
Key Points
• Join NYC-CL1 to the WoodgroveBank.com domain.
• View the results of joining the domain.
Each administrative tool included with Windows Server 2008 is used to manage
different system components. Administrative tools include:
• Microsoft Management Console
• Problem Reports and Solutions
• Server Manager
• Computer Management
• Device Manager
Key Points
• A snap-in is a program that allows you to perform specific administrative tasks.
• New snap-ins are added when you install additional software components. For
example, the snap-ins for managing Microsoft Exchange Server 2007 are
added when you install Exchange Server 2007.
• You can remotely administer a server by re-focusing the MMC snap-in to the
remote server.
• Custom consoles allow you to create a console with only the capabilities that
you require as part of your job role.
Question: Will you create customized consoles for most of your management
tasks?
Key Points
Combining frequently used snap-ins into a single console simplifies administration
of your server.
Key Points
Computer Management is an administrative tool that was also included with the
Microsoft Windows 2000 Server and Windows Server 2003 operating systems. Many
of the snap-ins found in Server Manager are also found in Computer Management.
Question: Will you use Computer Management or Server Manager to manage your
servers?
Key Points
• One of the most common uses for Device Manager is updating device drivers.
Device drivers are used by the operating system to communicate with devices
such as network adapters or video adapters. When an incorrect driver is used,
the device will typically have limited functionality or no functionality at all.
• Device Manager visually indicates if a device is disabled or is not functioning
properly. This makes it easy to identify malfunctioning components.
Question: Why would you update a device driver if a device appears to be working
properly?
Key Points
Problem Reports and Solutions is a utility for monitoring and resolving system
problems. Problem Reports and Solutions records the details of a system problem,
and then contacts Microsoft for a resolution of the problem.
Question: How do Problem Reports and Solutions improve upon the Dr. Watson
utility found in previous versions of Microsoft Windows operating system?
Key Points
• Use Problem Reports and Solutions.
• Use Server Manager.
• Use Computer Management.
• Use Device Manager.
Question: Which of the administrative tools demonstrated will you use most
often?
Key Points
Administrative tools can be grouped by the task in which each tool will commonly
be used. Sometimes multiple tools may be used to carry out a single task.
Question: Describe one or more common administrative tasks you carry out in
your work environment and a tool that would be used to carry out this task.
Key Points
Remote Desktop for Administration is a service that allows administrators to access
the desktop of a computer running Windows Server 2008 remotely. This service
can be used to access a server from a corporate desktop or a remote location.
Note the following primary differences between Remote Desktop for
Administration and the Windows Server 2008 Terminal Services role:
• Remote Desktop for Administration is limited to two concurrent remote
connections.
• Remote Desktop for Administration requires no extra licensing.
• Remote Desktop for Administration is installed by default but is not enabled
by default.
Question: What concerns are there about allowing a server administrator to use
Remote Desktop for Administration from home?
Key Points
Remote Desktop for Administration is a useful tool with several benefits.
Note: Even though Server Core does not include a graphical desktop, you can enable
Remote Desktop for Administration. Once connected, you are presented with a
command prompt rather than a Windows desktop.
Question: Can Remote Desktop for Administration result in cost savings for an
organization?
Key Points
• View the Remote Desktop options on NYC-CL1.
• Describe the options on the following tabs:
• General tab
• Display tab
• Local Resources tab
• Programs tab
• Experience tab
• Advanced tab
Question: Why would you disable client features such as local drives and printers?
Key Points
• The first level of securing Remote Desktop for Administration is controlling
who can use it.
• Remote Desktop for Administration is disabled by default. You can leave it
disabled for high security installations.
• When enabled, access can be controlled by making users members of the
Remote Desktop Users group. Members of the Local Administrators group are
allowed to connect by default.
• The Security layer determines the type of encryption that is performed
between the client and server.
Question: Why should you not use the low encryption level?
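The settings listed in the key points above can be verified on a running server. The following script is an added example, not part of the course materials: it reads the Remote Desktop for Administration settings from the RDP-Tcp listener key in the registry, reports who is in the local Remote Desktop Users group, and flags the weak choices the lesson warns about (the low encryption level, the legacy RDP security layer, and no Network Level Authentication). It assumes it runs elevated on the server being checked; the value names and their meanings are the documented listener settings, and the finding texts are my own wording.

```powershell
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# Meaning of the numeric values stored under the RDP-Tcp listener key
$encryptionLevels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$securityLayers   = @{ 0 = 'RDP Security Layer'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

function Get-RemoteDesktopUsers {
    # Members of the local Remote Desktop Users group, read through the WinNT ADSI provider
    $group = [ADSI]'WinNT://./Remote Desktop Users,group'
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Get-RemoteDesktopAudit {
    $ts  = Get-ItemProperty -Path $tsKey
    $rdp = Get-ItemProperty -Path $rdpKey

    $enabled  = ([int]$ts.fDenyTSConnections -eq 0)   # 1 = Remote Desktop disabled
    $encLevel = [int]$rdp.MinEncryptionLevel
    $secLayer = [int]$rdp.SecurityLayer
    $nla      = ([int]$rdp.UserAuthentication -eq 1)  # 1 = Network Level Authentication required
    $findings = @()

    if ($enabled) {
        # Low and Client Compatible let an old client negotiate weaker encryption
        if ($encLevel -lt 3) {
            $findings += "Minimum encryption level is '$($encryptionLevels[$encLevel])'; use High or FIPS Compliant."
        }
        # With the RDP security layer the client has no way to verify the server's identity
        if ($secLayer -eq 0) {
            $findings += 'Security layer is RDP Security Layer; use Negotiate or SSL.'
        }
        # NLA authenticates the user before a full session is created on the server
        if (-not $nla) {
            $findings += 'Network Level Authentication is not required.'
        }
    }

    New-Object PSObject -Property @{
        RemoteDesktopEnabled = $enabled
        MinEncryptionLevel   = $encryptionLevels[$encLevel]
        SecurityLayer        = $securityLayers[$secLayer]
        NlaRequired          = $nla
        RemoteDesktopUsers   = @(Get-RemoteDesktopUsers)
        Findings             = $findings
    }
}

Get-RemoteDesktopAudit | Format-List
```

Run it before and after changing the settings in the Remote tab of System Properties to confirm that each change landed; the Findings list should be empty on a server hardened as the lesson recommends.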
Key Points
• On NYC-DC1, enable Remote Desktop for Administration.
• Configure security settings on NYC-DC1.
• Connect to the console with the /console switch.
Question: When is connecting to the server console, rather than a remote session,
useful?
Results: After this exercise, you should have successfully installed the DNS Server role
and successfully verified domain membership.
Results: After this exercise, you should have successfully used Axel Delgado's account
to remotely access NYC-SVR1 and run Reliability and Performance Monitor.
Lab Shutdown
After you complete the lab, you must shut down the 6419A-NYC-DC1, 6419A-NYC-CL1, and 6419A-NYC-SVR1 virtual machines and discard any changes.
Review Questions
1. Which server role must be installed to configure Windows Server 2008 as a
domain controller?
2. What is the relationship between Active Directory domains and Active
Directory forests?
3. Which administrative tool tracks system crashes and attempts to resolve them?
4. When monitoring performance, which tools can you use to track CPU
utilization over time?
Active Directory Domains and Trusts: View and manage trusts (located in Administrative Tools)
Active Directory Sites and Services: View and manage Active Directory sites (located in Administrative Tools)
In AD DS for Windows Server 2008, all users that require access to network
resources must be configured with a user account. With this user account, users
can be authenticated to the AD DS domain and granted access to network
resources. As the AD DS administrator, you will need to know how to create and
configure user accounts.
Key Points
A user account is an object that contains all of the information that defines a user
in Windows Server 2008. The account can be either a local or a domain account. A
user account includes the user name and password as well as group memberships.
A user account also contains many other settings that can be configured based
upon your organizational requirements.
Creating Active Directory Domain Services User and Computer Objects 2-5
Question: List at least one advantage of creating local accounts. List at least one
advantage of creating domain accounts.
Key Points
When creating a user account, an administrator provides a user logon name. User
logon names must be unique in the domain/forest in which the user account is
created.
Question: Provide at least one example of a good, scalable, unique domain user
name.
Key Points
As a systems administrator, you can manage user account password options. These
options can be set when the user account is created or in the Properties dialog box
of a user account.
Systems administrators can also change the default domain password complexity
settings by accessing the Group Policy Management Editor. Administrators can
configure these settings by navigating to: Computer Configuration\Policies
\Windows Settings\Security Settings\Account Policies\Password Policy.
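The values set under Password Policy and Account Lockout Policy are stored as attributes of the domain object, so they can be read back to confirm what is actually in effect. The following script is an added example, not part of the course materials: it reads those attributes through the ADSI provider (so it needs no Active Directory PowerShell module, which Windows Server 2008 does not ship) and flags the settings that weaken password security. It assumes the account running it can read the domain object; the minimum-length threshold of 8 in the findings is a constructed value, not a course recommendation.

```powershell
function ConvertFrom-LargeInteger {
    # Active Directory returns interval attributes as IADsLargeInteger COM objects;
    # combine the two 32-bit halves into one signed 64-bit value.
    param($largeInteger)
    $type = $largeInteger.GetType()
    $hi = [int64]$type.InvokeMember('HighPart', 'GetProperty', $null, $largeInteger, $null)
    $lo = [int64]$type.InvokeMember('LowPart',  'GetProperty', $null, $largeInteger, $null)
    if ($lo -lt 0) { $lo += 4294967296 }   # LowPart is unsigned but comes back as Int32
    return ($hi * 4294967296) + $lo
}

function ConvertTo-Duration {
    # Intervals are stored as negative counts of 100-nanosecond ticks;
    # Int64.MinValue means "never" (for example, passwords never expire).
    param([int64]$ticks, [int64]$ticksPerUnit)
    if ($ticks -eq [int64]::MinValue) { return 'Never' }
    return [math]::Round([math]::Abs($ticks) / $ticksPerUnit, 2)
}

$ticksPerDay    = 864000000000
$ticksPerMinute = 600000000

function Get-DomainPasswordPolicy {
    $dn     = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $domain = [ADSI]"LDAP://$dn"
    $p      = $domain.psbase.Properties

    $pwdProperties = [int]$p['pwdProperties'].Value
    $complexity    = (($pwdProperties -band 1)  -ne 0)   # DOMAIN_PASSWORD_COMPLEX
    $reversible    = (($pwdProperties -band 16) -ne 0)   # DOMAIN_PASSWORD_STORE_CLEARTEXT

    $minLength        = [int]$p['minPwdLength'].Value
    $historyLength    = [int]$p['pwdHistoryLength'].Value
    $lockoutThreshold = [int]$p['lockoutThreshold'].Value
    $maxAgeDays       = ConvertTo-Duration (ConvertFrom-LargeInteger $p['maxPwdAge'].Value) $ticksPerDay
    $minAgeDays       = ConvertTo-Duration (ConvertFrom-LargeInteger $p['minPwdAge'].Value) $ticksPerDay
    $lockoutMinutes   = ConvertTo-Duration (ConvertFrom-LargeInteger $p['lockoutDuration'].Value) $ticksPerMinute

    $findings = @()
    if (-not $complexity)        { $findings += 'Password complexity is not enforced.' }
    if ($reversible)             { $findings += 'Passwords are stored with reversible encryption.' }
    if ($minLength -lt 8)        { $findings += "Minimum password length is $minLength (constructed threshold: 8)." }
    if ('Never' -eq $maxAgeDays) { $findings += 'Passwords never expire.' }
    if ($lockoutThreshold -eq 0) { $findings += 'Lockout threshold is 0: unlimited failed logon attempts are allowed.' }

    New-Object PSObject -Property @{
        Domain                 = [string]$dn
        MinPasswordLength      = $minLength
        PasswordHistoryLength  = $historyLength
        ComplexityEnabled      = $complexity
        MaxPasswordAgeDays     = $maxAgeDays
        MinPasswordAgeDays     = $minAgeDays
        LockoutThreshold       = $lockoutThreshold
        LockoutDurationMinutes = $lockoutMinutes
        Findings               = $findings
    }
}

Get-DomainPasswordPolicy | Format-List
```

The lockoutThreshold attribute is the value behind the lockout question at the end of this topic: a threshold of 0 means accounts are never locked out, whatever the other settings say.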
Key Points
Some common standard user tasks are resetting passwords, configuring group
management, assigning user profiles, creating home directories and setting user
expiration.
• The Resetting Password function is accessed through the Active Directory
Users and Computers management console. Administrators can easily access
any user record and reset their password through a context menu.
• The Group Management functionality is also accessed through the Active
Directory Users and Computers management console. Administrators can
create groups and then assign users to these groups by selecting the user and
adding them to a group.
• Administrators can set an expiration date for users in the Active Directory
Users and Computers management console when new users are created.
• In the Active Directory Users and Computers management console,
administrators can set logon hours, which provide specific times when a user
can access a computer.
Question: How many times can users attempt to log on before they are locked out
(by default)?
Key Points
Csvde
The Csvde command-line tool uses a comma-delimited text file, also known as the
comma-separated value (CSV) format, as input to create multiple accounts
in AD DS.
Windows PowerShell
Use Windows PowerShell™ when you want to change the attribute values for
multiple Active Directory objects or when the selection criteria for these objects are
complex.
Question: List at least two criteria required when selecting from the available
methods for automating user creation.
Key Points
• Add a user in Active Directory Users and Computers.
• Add a user with dsadd.
• Review user account properties.
• Rename an account in Active Directory Users and Computers.
• Rename an account with dsmod.
• Review password complexity settings.
Question: Under what circumstances would you disable a user account rather
than delete it?
Question: Why are you prompted to change the additional names when you
change the user name?
Question: Why would you rename a user name in AD DS when a user changes
their name rather than deleting the account and creating a new account with the
new name?
Key Points
A user account template is an account that has commonly used settings and
properties already configured. You can use user account templates to simplify the
process of creating domain user accounts.
• To perform this procedure, you must be a member of the Account Operators
group, Domain Admins group, or the Enterprise Admins group in Active
Directory, or you must have been delegated the appropriate authority.
• To open Active Directory Users and Computers, click Start, click Control
Panel, double-click Administrative Tools, and then double-click Active
Directory Users and Computers.
• To prevent a particular user from logging on for security reasons, you can
disable user accounts rather than deleting user accounts.
• By creating disabled user accounts with common group memberships, you can
use disabled user accounts as account templates to simplify user account
creation.
Question: List at least one example of how your company uses account templates.
Key Points
• Use Active Directory Users and Computers to add a new user to the Users
container.
• Copy the template account, and rename its identity attributes.
Question: What are some fields not populated when you create a new user from a
template?
Question: How could you make a template account easy to find in AD DS?
In AD DS, computers are security principals, just like users. This means that
computers must have accounts and passwords. To be fully authenticated by
AD DS, a user must have a valid user account, and the user must also log on to the
domain from a computer that has a valid computer account. All computers
running Microsoft Windows NT® or later operating systems must have computer
accounts in AD DS.
Key Points
Computers access network resources to perform key tasks such as authenticating
user log on, obtaining an IP address, and receiving security policies. To have full
access to these network resources, computers must have valid accounts in AD DS.
The two main functions of a computer account are performing security and
management activities.
Question: List at least one way your company manages their computer accounts.
Key Points
You can create computer accounts in AD DS by joining the computer to the
domain, or by pre-staging computer accounts before joining the computer to the
domain. Both administrators and users can join computers to the domain.
Pre-staging the account is simply creating the computer account in AD before
joining the computer to the domain. If you need to secure the pre-staged account,
then you can provide a staging GUID that will then be used only by the computer
that matches the GUID.
Key Points
The most commonly used properties for computer accounts in AD DS are the
Location and Managed by properties. To maintain computers, you must find the
physical location of the computers.
• The Location property can be used to document the computer’s physical
location in your network.
• The Managed By property lists the individual responsible for the computer.
This information can be useful when you have a data center with servers for
different departments and you need to perform maintenance on the server.
You can call or send e-mail to the person who is responsible for the server
before you perform maintenance on the server.
Question: How can the Location and Managed by properties be used to automate
computer account management?
Key Points
• Create a normal user account in Active Directory Users and Computers.
• Configure the Computer Account Settings.
• Disable and Reset an Account.
Question: You are pre-staging 100 computer accounts for workstations that will
be added to the domain over the next few weeks. You want to ensure that only
members of the desktop support team can add the computers to the domain. What
should you do?
Key Points
Windows Server 2008 provides a number of tools that you can use to create or
modify multiple user accounts automatically in AD DS. Some of these tools require
that you use a text file containing information about the user accounts that you
want to create. You also can create Windows PowerShell scripts to add objects or
make changes to Active Directory objects.
Administrators can still use Microsoft Visual Basic Scripting Edition (VBScript) to
manage Active Directory objects. If you already have VBScript scripts, you should
be able to reuse them with very little modification.
Question: List at least one way your organization has employed these tools to
automate AD DS Objects.
Key Points
Use these command-line tools to configure AD DS objects.
Examples:
• Dsadd - dsadd user "cn=Keith Harris,cn=users,dc=contoso,dc=com" -samid Keith -fn Keith -ln Harris -display "Keith Harris" -pwd Pa$$w0rd
• Dsmod - dsmod computer "cn=sales2,ou=sales,dc=contoso,dc=com" -loc Downtown -desc Workstation
• Dsrm - dsrm -subtree -c "cn=sales2,ou=sales,dc=contoso,dc=com"
• Dsget - dsget user "cn=Keith Harris,cn=users,dc=contoso,dc=com" -memberof
• net user - net user "Gregory Weber" Pa$$w0rd /add
Question: List at least one example of why an administrator would want to use
command line tools.
Key Points
You can use the Ldifde command-line tool to create and make changes to multiple
accounts. When you use the Ldifde tool, you will use a line-separated text file to
provide the command’s input information.
Question: List at least one way that LDIFDE makes user management more
scalable and reliable.
Key Points
You can use the Csvde command-line tool to create multiple accounts in AD DS;
however, you only can use the Csvde tool to create accounts, not to change them.
Question: List at least one advantage of using CSVDE over LDIFDE when
managing user objects.
Key Points
Windows PowerShell is an extensible scripting and command-line technology
that developers and administrators can use to automate tasks in a Windows
environment. Windows PowerShell uses a set of small cmdlets, each of which
performs a specific task; cmdlets can be combined to perform complex
administrative tasks.
Windows PowerShell is directly accessible through the new command shell, called
PowerShell.exe. When you run Windows PowerShell from this command shell,
you can perform many of the tasks you could perform using the traditional
command shell (cmd.exe), plus many more.
Question: What is the difference between the command prompt and Windows
PowerShell?
Key Points
Windows PowerShell is easy to learn because of its use of cmdlets. Pipelining is
consistent across all cmdlets.
Key Points
• Examine built-in cmdlets.
• Build complex commands using pipelines and auto-complete.
• Examine and run a pre-existing script.
Key Points
There are several options available in the Windows Server 2008 administration
tools that can increase the efficiency of looking for user accounts in domains with
many users.
To sort the order of objects in Active Directory Users and Computers:
1. View the user accounts in their container in Active Directory Users and
Computers.
2. Click any of the column headings to sort the order of the objects (either
ascending or descending).
You can also add more columns to the display and then sort the display based on
the additional column.
Key Points
• Create a Saved Query.
• Export a query to an .xml file.
Question: You need to update the phone number for a user. You have only been
given the user’s first name and last name and you do not know which OU contains
the object. What is the quickest way to locate the user account?
Question: You need to create a new user account and want to check if a user name
is already in use in the domain. How could you do this?
Key Points
The Active Directory Users and Computers management tool has a Saved Queries
folder in which you can create, edit, save, and organize saved queries. Saved
queries use predefined LDAP strings to search only the specified domain partition
allowing you to focus searches to a single container object. You can also create a
customized saved query that contains an LDAP search filter.
Queries are specific to the domain controller on which they were created. After you
successfully create your customized set of queries, you can copy the .msc file to
other Windows Server 2008 domain controllers that are in the same domain, and
reuse the same set of saved queries. Queries can also be shared throughout the
domain by exporting them to XML files and then importing those files to other
domain controllers.
Question: List at least one way that saved queries help with the long term
maintainability of your organization.
Key Points
• Create a Saved Query.
• Export a query to an .xml file.
Question: You need to find all user accounts in your AD DS domain that are no
longer active. How would you do this?
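A saved query is an LDAP search filter run against one container, and the same filter can be run from a script. The following is an added example, not part of the course materials, that answers the question above and illustrates the saved-query mechanism described in the key points: it searches for user accounts that are disabled, that have not logged on within a cutoff, or that have never logged on, using System.DirectoryServices so it works on Windows Server 2008 without extra modules. It assumes the domain from RootDSE; the 90-day cutoff is a constructed default.

```powershell
function Find-InactiveUsers {
    param(
        [int]$InactiveDays = 90,
        [string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    )
    # lastLogonTimestamp is replicated between domain controllers (lastLogon is not),
    # but it is only refreshed when more than about 14 days old, so allow for that slack.
    $cutoff = (Get-Date).AddDays(-$InactiveDays).ToFileTimeUtc()

    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; bit 2 of
    # userAccountControl is ACCOUNTDISABLE.
    $filter = '(&(objectCategory=person)(objectClass=user)(|' +
              '(userAccountControl:1.2.840.113556.1.4.803:=2)' +
              "(lastLogonTimestamp<=$cutoff)" +
              '(!(lastLogonTimestamp=*))))'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter     = $filter
    $searcher.PageSize   = 1000   # paged results, so domains with more than 1000 users are fully enumerated
    [void]$searcher.PropertiesToLoad.AddRange(
        @('sAMAccountName', 'distinguishedName', 'userAccountControl', 'lastLogonTimestamp', 'whenCreated'))

    foreach ($result in $searcher.FindAll()) {
        $p   = $result.Properties
        $uac = [int]$p['useraccountcontrol'][0]

        # $null marks an account that has never logged on; whenCreated shows whether it is simply new
        $lastLogon = $null
        if ($p['lastlogontimestamp'].Count -gt 0) {
            $lastLogon = [DateTime]::FromFileTimeUtc([int64]$p['lastlogontimestamp'][0])
        }

        New-Object PSObject -Property @{
            SamAccountName    = [string]$p['samaccountname'][0]
            DistinguishedName = [string]$p['distinguishedname'][0]
            Disabled          = (($uac -band 2) -ne 0)
            LastLogon         = $lastLogon
            Created           = $p['whencreated'][0]
        }
    }
}

Find-InactiveUsers -InactiveDays 90 | Sort-Object LastLogon | Format-Table -AutoSize
```

Passing an OU distinguished name as -SearchBase limits the search to one container, which is what the saved-query behaviour described above does; the filter string itself can be pasted into the Custom Search dialog of a saved query.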
Scenario
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank has deployed AD DS for Windows
Server 2008. As one of the network administrators, one of your primary tasks will
be to create and manage user and computer accounts.
Property: First name, Value: CustomerService
Property: Password, Value: Pa$$w0rd
Property: Member Of, Value: NYC_CustomerServiceGG
Task 7: Modify the user account properties for all Branch Managers
1. In Active Directory Users and Computers, search the WoodgroveBank.com
domain.
2. Use an advanced search and search for all user accounts that have a job title of
Branch Manager.
3. Select all of the user accounts located by the search, and add them to the
BranchManagersGG group.
Result: At the end of this exercise, you will have created and configured user accounts.
You will have created a template and a user account based on the template. And you
will have created a saved query and verified its ability to return expected search results.
Result: At the end of this exercise, you will have created and configured computer
accounts, deleted a computer account and joined a computer to an AD DS domain.
Task 4: Modify and run the CreateUser.ps1 script to add a new user to AD DS
1. On NYC-DC1, in E:\Mod02\LabFiles, open CreateUser.ps1.
2. Under #Assign the location where the user account will be created,
note the entry $objADSI =
[ADSI]"LDAP://ou=ITAdmins,DC=WoodgroveBank,DC=com".
3. Enable execution in PowerShell by typing the following at a command prompt:
Set-ExecutionPolicy AllSigned, and then press ENTER.
4. Run the script: E:\Mod02\Labfiles\CreateUser.ps1
Result: At the end of this exercise, you will have examined several options for
automating the management of user objects.
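The lab script binds to an OU with [ADSI] and creates the user there. The following is an added example, not the lab's CreateUser.ps1 and not part of the course materials, that uses the same ADSI approach with two checks a production script needs: it refuses to create a duplicate sAMAccountName (the way a script can answer the earlier question about checking whether a user name is already in use), and it escapes the supplied name before putting it in an LDAP filter so a crafted value cannot change the filter's meaning. The OU path, the sample user, and the initial password are constructed values.

```powershell
function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside filter values (\ * ( ) and NUL),
    # so caller-supplied text cannot turn into filter syntax.
    param([string]$value)
    $escaped = $value.Replace('\', '\5c').Replace('*', '\2a')
    $escaped = $escaped.Replace('(', '\28').Replace(')', '\29')
    return $escaped.Replace([string][char]0, '\00')
}

function Test-SamAccountNameInUse {
    param([string]$SamAccountName)
    $root     = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]"LDAP://$($root.defaultNamingContext)")
    $searcher.Filter = "(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName))"
    return ($searcher.FindOne() -ne $null)
}

function New-DomainUser {
    param(
        [string]$OuDistinguishedName,   # e.g. OU=ITAdmins,DC=WoodgroveBank,DC=com
        [string]$FirstName,
        [string]$LastName,
        [string]$SamAccountName,
        [string]$InitialPassword
    )
    if (Test-SamAccountNameInUse $SamAccountName) {
        throw "sAMAccountName '$SamAccountName' is already in use in the domain."
    }
    $root      = [ADSI]'LDAP://RootDSE'
    # DC=WoodgroveBank,DC=com -> WoodgroveBank.com for the UPN suffix
    $dnsDomain = ([string]$root.defaultNamingContext -replace '^DC=', '') -replace ',DC=', '.'

    $ou   = [ADSI]"LDAP://$OuDistinguishedName"
    $user = $ou.Create('user', "CN=$FirstName $LastName")
    $user.Put('sAMAccountName', $SamAccountName)
    $user.Put('userPrincipalName', "$SamAccountName@$dnsDomain")
    $user.Put('givenName', $FirstName)
    $user.Put('sn', $LastName)
    $user.Put('displayName', "$FirstName $LastName")
    $user.SetInfo()                       # the object is created disabled and without a password

    $user.SetPassword($InitialPassword)   # must satisfy the domain password policy or this fails
    $user.Put('pwdLastSet', 0)            # require a new password at first logon
    $user.Put('userAccountControl', 512)  # NORMAL_ACCOUNT with ACCOUNTDISABLE cleared: enable it
    $user.SetInfo()
    return $user.psbase.Path
}

# Constructed sample call; in practice read the password with Read-Host -AsSecureString
# or generate it, rather than embedding it in a script.
New-DomainUser -OuDistinguishedName 'OU=ITAdmins,DC=WoodgroveBank,DC=com' `
    -FirstName 'Axel' -LastName 'Delgado' -SamAccountName 'Axel' -InitialPassword 'Pa$$w0rd'
```

The order of the calls matters: the first SetInfo creates the object, the password is set on the existing object, and only then is the account enabled, because enabling an account with no password is rejected when the policy requires one.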
Review Questions
1. You are responsible for managing accounts and access to resources for
members of your group. A user in your group leaves the company, and you
expect a replacement for that employee in a few days. What should you do
with the previous user’s account?
2. A user in your group must create a test lab with 24 computers that will be
joined to the domain but the account must be created in a separate OU. What
is the best way to do this?
3. You are responsible for maintaining the servers in your organization. You want
to enable other administrators in the organization to determine the physical
location of each server without adding any additional administrative tasks or
creating any additional documents. How can you do this?
Key Points
Groups are a logical collection of AD DS objects, such as users, computers, or
other groups. Groups can be organized by department, location, or resource.
Groups are an important administrative tool for simplifying administration, and
they enable you to assign permissions for resources to multiple users or computers
at once instead of individually.
Note: Groups can be converted from distribution to security (or vice versa) if the domain
functional level is Microsoft® Windows® 2000 native or later versions.
Question: Describe a situation where you would use a distribution group instead
of a security group.
Key Points
Functional levels determine the available AD DS domain or forest capabilities. They
also determine which Windows Server operating systems that you can run on
domain controllers in the domain or forest. However, functional levels do not
affect which operating systems you can run on workstations and member servers
that are joined to the domain or forest.
When you deploy AD DS, set the domain and forest functional levels to the highest
value that your environment can support. This way, you can use as many AD DS
features as possible. For example, if you are sure that you will never add domain
controllers that run Microsoft Windows Server® 2003 to the domain or forest,
select the Microsoft Windows Server 2008 functional level during the deployment
process. However, if you might retain or add domain controllers that run
Windows Server 2003, select the Windows Server 2003 functional level.
Creating Groups and Organizational Units 3-7
Key Points
A global group is a security or distribution group that can contain users, groups,
and computers that are from the same domain as the global group. You can use
global security groups to assign user rights, delegate authority to AD DS objects, or
assign permissions to resources in any domain in the forest or any other trusting
domain in another forest.
Use groups with global scope to manage directory objects that require daily
maintenance, such as user and computer accounts. Because groups with global
scope are not replicated outside their own domain, you can change accounts in a
group having global scope frequently without generating replication traffic to the
global catalog.
The domain functional level must be Microsoft Windows 2000 native, Windows
Server 2003 or Windows Server 2008 to create global groups.
Question: In what ways could you use global groups in your organization?
Key Points
A universal group is a security or distribution group that can contain users, groups,
and computers from any domain in its forest. You can use universal security
groups to assign user rights and permissions to resources in any domain in the
forest.
Changes to the universal groups are registered in the Global Catalog. Therefore,
you shouldn't change the membership of a group with universal scope frequently.
Any changes to the membership of this type of group cause the entire membership
of the group to be replicated to every global catalog in the forest.
When the domain functional level is set to Windows 2000 mixed, security groups
with universal scope cannot be created, although distribution groups with
universal scope are still permitted. At the Windows 2000 native domain functional
level and higher, universal groups are available for both distribution and security
groups.
Question: In what ways could you use universal groups in your organization?
Key Points
A domain local group is a security or distribution group that can contain user
accounts from the local domain, any domain in the forest, or any trusted domain.
Domain local groups also can contain universal or global groups from any domain
in the forest or any trusted domain, and domain local groups from the local
domain.
• The domain functional level must be Windows 2000 native or higher to create
domain local groups.
• Use a domain local group to assign permissions to resources that are located
in the same domain as the domain local group. You can put all global groups
that have to share the same resources into the appropriate domain local group.
Question: How could you provide members of a Sales department that travel
frequently between domains in a multi-city company with access to printers on
various domains that are managed by using domain local groups?
Key Points
A local group is a collection of user accounts or domain groups that is created
on a member server of an AD DS domain, on a stand-alone server, or on a
workstation. You can create local groups to grant permissions for resources
residing on the local computer. Local groups can contain local or domain user
accounts, computers, global groups, and universal groups.
You cannot create local groups on AD DS domain controllers. Domain controllers
do not have local users and groups, as the only security database located on a
domain controller is the AD DS database.
Question: Describe a situation where you would use a local group instead of one
of the domain groups.
Key Points
Discuss these scenarios with the classroom, led by your instructor.
Key Points
When you use nesting, you add a group as a member of another group. Nesting lets
you consolidate group management: a single action affects more member accounts,
and replication traffic caused by changes in group membership is reduced.
Group nesting is available when the domain functional level is Windows 2000
native, Windows Server 2003 or Windows Server 2008.
Note: You should avoid nesting multiple levels of groups. Tracking permissions is more
complex with multiple levels.
Question: Describe a scenario where you could use nesting in your organization to
simplify management.
Key Points
Discuss these scenarios with the classroom, led by your instructor.
Key Points
A large organization might have many security and distribution groups. A
standardized naming convention can help you locate and identify groups more
easily. Keeping names concise and using departmental, geographic, or project
names are all helpful ways to identify groups.
Question: You want to create a security group for the finance department at
Contoso Corporation. Contoso has worldwide locations; however, the finance
department is only located in the New York office. Within the finance department,
there are separate departments for accounts receivable and accounts payable. How
many security groups would you create? What would be the name(s) for the
security group(s) you would create?
Key Points
• Create a security group.
• Create a distribution group.
Question: Your organization requires a group that can be used to send e-mail to
users in multiple domains. The group will not be used to assign permissions. What
type of group should you create?
Key Points
Use Active Directory Users and Computers to determine the membership status of
both users and groups. All user accounts have a Member Of attribute that lists all
the groups of which the user is a member. All groups have a Members attribute
and a Member Of attribute. The Members attribute lists all user accounts or other
groups that are members of the group, while the Member Of attribute lists the
groups into which the group has been added or nested.
The Managed By tab on the properties of a group lists the users or groups that
manage the group. You can easily delegate administration of the group on this tab.
Question: In what ways can the Members tab and the Member Of tab simplify
management of groups?
Key Points
• In Active Directory Users and Computers, open a group and change its group
type.
• Return the Group Type to its original setting.
• Change the Group scope to a different scope.
Question: Describe a situation where you would want to change a group type.
Question: List some problems that may arise from changing a group type from
security to distribution.
Another option for collecting several user and computer accounts for
administrative purposes is to create organizational units (OUs). In this lesson, you
will learn to create OUs. You also will learn about the available options for creating
OU hierarchies, and how to move objects between OUs.
Key Points
An OU is an AD DS object that is contained in a domain. You can use OUs to
organize hundreds of thousands of directory objects into manageable units. OUs
are useful in grouping and organizing objects for administrative purposes, such as
delegating administrative rights and assigning policies to a collection of objects as a
single unit.
Question: Describe an example of how you can create an OU to isolate file and
print server accounts, and allow only a particular administrator to access these
accounts.
Key Points
AD DS OUs are used to create a hierarchical structure within a domain. By creating
an OU structure, you are grouping objects that you can administer as a unit.
An organizational hierarchy should logically represent an organizational structure.
That organization could be based on geographic, functional, resource-based, or
user classifications. Whatever the order, the hierarchy should make it possible to
administer AD DS resources as flexibly and effectively as possible. For example, if
all the computers that are used by IT administrators must be configured in a
certain way, you can group all the computers in an OU, and assign a policy to
manage the computers in the OU.
Key Points
Organizations may deploy OU hierarchies by using several different models.
Geographic OUs
If the organization has multiple locations and network management is distributed
geographically, you should use a location-based hierarchy. For example, you might
decide to create OUs for New York, Toronto, and Miami in a single domain.
Departmental OUs
A Departmental OU is based only on the organization's business functions,
without regard to geographical location or divisional barriers. This approach works
well for small organizations with a single location.
Management-based OUs
Management-based OUs reflect the various administrative divisions within the
organization by mirroring its structure in the OU structure. Responsibilities to
manage users and groups, when they are placed into nested departmental OUs,
can be delegated to managers of those departments.
The eventual OU design should represent how the business will be administered.
Delegation of authority, separation of administrative duties, central versus
distributed administration, and design flexibility are important factors you must
consider when you design Group Policy and select the scenarios to use for your
organization.
Question: How would you structure the OU hierarchy in your organization? If you
already have an OU structure in your organization, would you make any changes
based on this information?
Key Points
• Create a new OU named Vancouver.
• Create subOUs within the newly created OU.
• Place two user accounts in Marketing: Claus Hansen and Arno Harteveld.
• Create several other objects within OUs.
Question: When you move a user, what can happen to a user in regards to Group
Policy and delegated authority?
Question: Why would you locate user accounts and computer accounts in
separate OUs?
Key Points
The main difference between OUs and groups is that security groups can be used
as security principals, whereas OUs cannot be assigned permissions.
If your organization typically creates many user groups or OUs at the same time,
explore using LDIFDE, CSVDE, or Windows PowerShell™ scripts to automate
creating the accounts. These tools can save you significant time when you are
adding or modifying multiple AD DS objects.
Question: You have a collection of users that you want to give permissions to
access certain file servers. Would you create an OU or a group for these users?
Describe the reason for your choice.
Scenario
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank is opening a new subsidiary in Vancouver,
and they need an OU design for the subsidiary. Woodgrove Bank has deployed
AD DS on servers running Windows Server 2008, and one of your primary tasks
will be to create a new OU design and move users from current positions to the
new subsidiary.
2. Press ENTER.
3. Use the Find command to locate the new group in the WoodgroveBank.com
OU.
Result: At the end of this exercise, you will have created three new groups by using
Active Directory Users and Computers, and one new group by using Dsadd. You also
will have added users to the groups and inspected the results.
Scenario
A new subsidiary of Woodgrove Bank is located in Vancouver, Canada. It will have
the following departments:
• Management
• Customer Service
• Marketing
• Investments
Discussion Questions
1. Which approach to extending the organizational hierarchy of
WoodgroveBank.com is the most likely to be applied in creating the new
subsidiary’s resources: Geographic, Organizational, or Functional? Why?
2. What would be the most logical way to additionally subdivide the subsidiary’s
organizational unit (Geographic, Organizational, or Functional)?
3. What does the pattern of naming second level OUs in other centers suggest for
the new Vancouver OU?
4. What would be a simple but effective way of delegating administrative tasks
(such as adding users and computers to the domain, and changing user
properties such as password resets, and employee contact details) to certain
users within a department?
Result: At the end of this exercise, you will have discussed and determined how to
plan an OU hierarchy.
3. Press ENTER.
4. In Active Directory Users and Computers, refresh the WoodgroveBank.com
domain object, and note the presence of the new OU.
Note: There is a potential risk associated with the movement of security groups from one
OU into another. Group Policies that are in effect in one OU may no longer be applied in
the new location. By default, AD DS notifies administrators of that risk whenever a group
is moved between OUs.
Note: There are several ways to move objects between OUs in Active Directory Users and
Computers. You can use the Move command, drag the object into a new OU, or use the
Cut and Paste commands.
4. When prompted, restart the computer and log on as Yvonne. Start Server
Manager as an Administrator, and let the installation complete.
5. Start Active Directory Users and Computers.
6. Reset the password of Monika Buschmann using the password Pa$$w0rd
again. You should see the following message:
“Password for Monika Buschmann has been changed.”
7. Try to move a user from the Miami BranchManagers OU into the Vancouver
BranchManagers OU. You should see the following message: “Windows
cannot move object [user name] because: Access denied.”
Result: At the end of this exercise, you will have created OUs by using Active Directory
Users and Computers and Dsadd. You also will have delegated administrative
permissions and tested them.
Review Questions
1. You are responsible for managing accounts and access to resources for
members of your group. A user in your group transfers into another
department within the company. What should you do with the user’s account?
2. A project manager in your department is starting a group project that will
continue for the next year. Several users from your department and other
departments will be dedicated to the project during this time. The project team
must have access to the same shared resources. The project manager must be
able to manage the user accounts and group accounts in AD DS. However, you
do not want to give her permission to manage anything else in AD DS. What is
the best way to do this?
3. You are responsible for maintaining access to local resources, such as printers,
in your organization. You want to establish an efficient way to maintain
printing permissions to members in each work group, even while those
members may change frequently. You also want to simplify the replacement of
printers when one has to be taken offline for repairs, or replaced with a new
one. How can you do this with the least disruption and effort on your part?
One of the primary reasons to deploy Active Directory® Domain Services (AD DS)
is to enable users to access shared resources on the network. The previous
modules introduced users and groups as the primary way to enable access to those
resources. This module describes how to configure shared folders to enable those
users and groups to gain access to the resources.
Specifically, this module helps you learn the skills and knowledge necessary to:
• Understand how permissions enable resource access.
• Manage access to files and folders by using shared folder permissions, NTFS
file system permissions, or special permissions.
• Manage permissions inheritance.
Managing Access to Resources in Active Directory Domain Services 4-3
Key Points
A security principal is an AD DS entity that can be authenticated by a Windows
operating system. Security principals include the following:
• User and computer accounts
• A thread or process that runs in the security context of a user or computer
account
• Groups of the previous accounts
Question: When a user is deleted and then recreated, they will be issued a new
SID. What are the ramifications of this?
Key Points
An access token is a protected object that contains information about the identity
and rights associated with a user account.
Key Points
Permissions define the type of access that is granted to a security principal for an
object.
When you assign permissions, you can:
• Explicitly apply permissions. When you apply permissions explicitly, you
access the shared resource object directly and configure permissions on that
object. You can apply permissions explicitly on folders or files.
• Configure permission inheritance. When you configure permissions on a
folder, the permissions are inherited by default on all subfolders or files in that
folder. You can accept the default permission inheritance or modify the default
behavior by blocking permission inheritance or by assigning explicit
permissions to lower level folders or files.
Question: List at least one way that administrators can easily maintain permissions
on an object.
Key Points
Access control is the process that governs how security principals gain access to
AD DS resources; it is based on verifying the identity of those security principals.
All objects in AD DS, and all securable objects on a local computer or on the
network, have security descriptors assigned to them to help control access to the
objects. Security descriptors include information about who owns an object, who
can access it and in what way, and what types of access are audited.
Question: Which access control resource, DACL or SACL, plays a more critical role
in security?
Key Points
NTFS permissions specify which users, groups, and computers can access files and
folders. NTFS permissions also dictate what users, groups, and computers can do
with the contents of the file or folder.
NTFS file permissions include:
• Read. Read the file, attributes, and permissions, and view owner.
• Write. Write to the file, change attributes, and view permissions and owner.
• Read & Execute. Execute applications plus all Read permissions.
• Modify. All the previous permissions, plus the ability to delete files.
• Full Control. All the previous permissions, plus the ability to change
permissions and take ownership of the file.
Key Points
NTFS permissions fall into two categories: standard and special. Standard
permissions are the most frequently assigned permissions. The permissions
described in the previous topic are standard permissions.
Special permissions give you a finer degree of control for assigning access to
objects.
Key Points
By default, the permissions that you grant to a parent folder are inherited by its
subfolders and files.
A security principal that is inheriting permissions can have additional NTFS
permissions assigned, but the inherited permissions cannot be removed until
inheritance is blocked.
Question: List one or two ways permission inheritance can reduce administration
time.
Key Points
• Browse a directory, view the standard permissions.
• View the advanced NTFS permissions.
• View permission inheritance.
Question: If you deny NTFS permission to a group for a particular resource while
allowing the same permission to another group for that resource, what will happen
to the permissions of an individual who is a member of both groups?
Key Points
When you copy or move a file or folder, the permissions might change, depending
on where you move the file or folder. You should understand the changes that the
permissions undergo when they are copied or moved.
Copying a file
When you copy a file or folder from one folder to another folder, or from one
partition to another partition, permissions for the files or folders might change.
When you copy a file or folder:
• Within a single NTFS partition, the copy of the folder or file inherits the
permissions of the destination folder.
• To a different NTFS partition, the copy of the folder or file inherits the
permissions of the destination folder.
Moving a file
When you move a file or folder, permissions might change, depending on the
permissions of the destination folder. When you move a file or folder:
• In the same NTFS partition, the folder or file keeps its original permissions. If
the permissions of the new parent folder are changed later, the file or folder
will inherit the new permissions. Permissions explicitly applied to the folder
will be retained. Permissions previously inherited will be lost.
• To a different NTFS partition, the folder or file inherits the permissions of the
destination folder. When you move a folder or file between partitions,
Windows Server 2008 copies the folder or file to the new location and then
deletes it from the old location.
• To a non-NTFS partition, the folder or file loses its NTFS permissions, because
non-NTFS partitions do not support NTFS permissions.
Question: Provide one or two examples where moving files and folders within the
same partition reduces administration time.
Shared folders give users access to files and folders over a network. Users can
connect to the shared folder over the network to access its folders and files. Shared
folders can contain applications, public data, or a user’s personal data. Using
shared data folders provides a central location for users to access common files
and makes it easier to back up data that is contained in those files.
Key Points
When you share a folder, it is made available to multiple users simultaneously over
the network. As soon as they are granted permission, users can access all the files
and subfolders in the shared folder.
Most organizations deploy dedicated file servers to host shared folders. You can
store files in shared folders according to categories or functions. For example, you
can put shared files for the Sales department in one shared folder and shared files
for executives in another.
When you create a shared folder by using the Provision a Shared Folder Wizard in
the Share and Storage Management console, or by using the File Sharing Wizard,
you can configure the permissions assigned to each share as you create it.
Key Points
Windows Server 2008 automatically creates shared folders on computers running
Windows that enable you to perform administrative tasks. These default
administrative shares have a dollar sign ($) at the end of the share name.
Appending the dollar sign at the end of the folder name hides the shared folder
from users who browse the network. Administrators can quickly administer files
and folders on remote servers by using these hidden shared folders.
Question: List at least one benefit of having and creating your own hidden shares.
Key Points
Shared folder permissions apply only to users who connect to the folder over the
network. They do not restrict access to users who access the folder at the computer
where the folder is stored. You can grant shared folder permissions to user
accounts, groups, and computer accounts.
By default, users will have the same level of access to subfolders under a shared
folder as they have on the parent folder.
Question: List at least one example of when an administrator might give Full
Control to a folder.
Key Points
• Create two test directories, populate each with a text file and some data.
• Use Windows Explorer to create a share.
• Use the Share and Storage Management Microsoft Management Console
(MMC) snap-in to create a hidden share.
• Use the Share and Storage Management snap-in to modify the share permissions.
• Test share access.
In Windows Server 2008, the only groups that can create shared folders are the
Administrators, Server Operators, and Power Users groups. These are built-in
groups that are located in the Groups folder in Computer Management or in the
Builtin container in Active Directory Users and Computers.
Question: How would you begin to create a shared folder by using the Share and
Storage Management MMC snap-in?
Key Points
After you create a shared folder, users can access the folder over the network by
using multiple methods. Users can access a shared folder on another computer by
using:
• The Network window (in Microsoft Windows Server® 2008 or Microsoft
Windows Vista®)
• My Network Places (in Microsoft Windows Server 2003 or Microsoft Windows
XP)
• The Map Network Drive feature
• Searching AD DS
• The Run command on the Start menu
Note: The Computer Browser service is disabled by default in Windows Server 2008.
Question: List at least one benefit of accessing resources through mapped drives.
Key Points
• Create two test directories.
• Use Windows Explorer to create a share.
• Using the Share and Storage Management Microsoft Management Console
(MMC) snap-in, create a hidden share.
• Modify the share permissions.
Question: What would happen if the user was editing the file but had not saved
the changes, and then an administrator used the Close File feature?
Key Points
When you are managing access to shared folders, consider the following best
practices when granting permissions:
• Use the most restrictive permissions possible. Do not grant more
permissions for a shared folder than the users legitimately require. For
example, if a user only has to read the files in a folder, grant Read permission
for the folder to the user or group to which the user belongs.
• Avoid assigning permissions to individual users. Use groups whenever
possible. Because it is inefficient to maintain user accounts directly, avoid
granting permissions to individual users.
Question: List one or two reasons why administrators should not leave the
Everyone group in a share’s permissions.
Key Points
Offline files are available in Windows XP, Windows Vista, Windows Server 2003, and
Windows Server 2008:
• Select a folder on a network share, synchronize it, and then disconnect the
computer. Users can set up a folder to be taken offline by selecting it and
synchronizing it with the network files.
• Make edits to documents on a disconnected computer. After the folder is
taken offline, the user can make edits to any of the documents in the folder.
The changes are made locally and can only be seen by the person making the
changes until the files are synchronized again.
Question: List at least one example of how offline files are useful.
You can assign user access to a shared folder by using shared folder permissions or
NTFS permissions. You also can assign permissions to individual user accounts or
group accounts. To determine what level of access the user actually has on the
network, you must understand how effective permissions are determined and how
you can view effective permissions.
Key Points
Windows Server 2008 provides a tool (Effective Permissions tool) that shows
effective permissions, which are cumulative permissions based on group
membership.
The following principles determine effective permissions:
• Cumulative permissions are the combination of the highest NTFS
permissions granted to the user and all the groups of which the user is a
member. For example, if a user is a member of a group that has Read
permission and a member of a group that has Modify permission, the user has
Modify permission.
• Explicit Deny permissions override equivalent Allow permissions.
However, an explicit Allow permission can override an inherited deny
permission. For example, if a user is denied write access to a folder explicitly
but explicitly allowed write access to a subfolder or a particular file, the explicit
Allow would override the inherited Deny.
In this discussion, you are presented with a scenario in which you are asked to
apply NTFS permissions. You and your classmates will discuss possible solutions
to the scenario.
Scenario
User1 is a member of the Users group and the Sales group. The graphic on the
slide shows folders and files on the NTFS partition.
Question: The Users group has Write permission, and the Sales group has Read
permission for Folder1. What permissions does User1 have for Folder1?
Question: The Users group has Modify permission for Folder1. File2 should be
accessible only to the Sales group, and they should only be able to read File2.
What do you do to ensure that the Sales group has only Read permission for File2?
Key Points
• Open a directory, and assign permissions to a user.
• Use the effective permissions tool.
• Deny user permission.
Question: Can the Effective Permissions tool return the actual permissions of a
user?
Key Points
When enabling access to network resources on an NTFS volume, it is
recommended that you use the most restrictive NTFS permissions to control
access to folders and files, combined with the most restrictive shared folder
permissions that control network access.
In this discussion, you will determine effective NTFS and shared folder
permissions.
Scenario
The figure shows two shared folders that contain folders or files that have NTFS
permissions. Look at each example, and determine a user’s effective permissions.
In the first example, the Users folder has been shared, and the Users group has the
shared folder permission Full Control. User1, User2, and User3 have been granted
the NTFS permission Full Control to only their folder. These users are all members
of the Users group.
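The two principles listed earlier (Allow rights from the user and all of its groups accumulate; an explicit Allow beats an inherited Deny) and the share-plus-NTFS rule stated above can be checked against a small model of the way Windows walks a DACL. This is an added example and not code from the course: the principal names and ACEs are constructed, the mapping of share permissions onto NTFS rights is an approximation chosen for the illustration, and the model ignores owner rights and generic access bits.

```powershell
# Added example (not part of the course). NTFS ACEs are evaluated in canonical
# order: explicit Deny, explicit Allow, inherited Deny, inherited Allow. A right
# that has already been granted is not removed by a Deny that comes later in that
# order, which is why an explicit Allow on a file beats a Deny inherited from the
# parent folder. Over a share, the result is then intersected with the share
# permission, so the more restrictive of the two wins.

function Get-EffectiveNtfsRights {
    param(
        # ACEs as objects with Identity, Type ('Allow'/'Deny'), Rights, IsInherited
        [Parameter(Mandatory)] [object[]] $Ace,
        # the user plus every group the user is a member of (names, not SIDs, for this model)
        [Parameter(Mandatory)] [string[]] $Principals
    )
    $slots = @(
        @{ Inherited = $false; Type = 'Deny'  },
        @{ Inherited = $false; Type = 'Allow' },
        @{ Inherited = $true;  Type = 'Deny'  },
        @{ Inherited = $true;  Type = 'Allow' }
    )
    [int]$granted = 0
    [int]$denied  = 0
    foreach ($slot in $slots) {
        foreach ($a in $Ace) {
            if ([bool]$a.IsInherited -ne $slot.Inherited) { continue }
            if ($a.Type -ne $slot.Type)                   { continue }
            if ($Principals -notcontains $a.Identity)     { continue }
            [int]$mask = [System.Security.AccessControl.FileSystemRights]$a.Rights
            if ($slot.Type -eq 'Deny') {
                $denied  = $denied  -bor ($mask -band (-bnot $granted))   # deny only what is not yet granted
            } else {
                $granted = $granted -bor ($mask -band (-bnot $denied))    # grant only what is not yet denied
            }
        }
    }
    return [System.Security.AccessControl.FileSystemRights]$granted
}

function Get-EffectiveShareAccess {
    param(
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights] $NtfsRights,
        [Parameter(Mandatory)] [ValidateSet('Read', 'Change', 'FullControl')] [string] $SharePermission
    )
    # Assumed mapping of the three share permissions onto NTFS rights
    $shareMask = @{
        Read        = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute
        Change      = [int][System.Security.AccessControl.FileSystemRights]::Modify
        FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    }
    return [System.Security.AccessControl.FileSystemRights]([int]$NtfsRights -band $shareMask[$SharePermission])
}

# Converts the rules Get-Acl returns into the shape the model expects
function ConvertFrom-FileSystemAccessRule {
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Security.AccessControl.FileSystemAccessRule] $Rule)
    process {
        [pscustomobject]@{
            Identity    = $Rule.IdentityReference.Value
            Type        = $Rule.AccessControlType.ToString()
            Rights      = $Rule.FileSystemRights
            IsInherited = $Rule.IsInherited
        }
    }
}

# Constructed DACL for a file: the parent folder denies User1 Write (inherited),
# the file itself explicitly allows it, and User1's groups add Read and Write.
$fileAcl = @(
    [pscustomobject]@{ Identity = 'Users'; Type = 'Allow'; Rights = 'Write'; IsInherited = $true  },
    [pscustomobject]@{ Identity = 'Sales'; Type = 'Allow'; Rights = 'Read';  IsInherited = $true  },
    [pscustomobject]@{ Identity = 'User1'; Type = 'Deny';  Rights = 'Write'; IsInherited = $true  },
    [pscustomobject]@{ Identity = 'User1'; Type = 'Allow'; Rights = 'Write'; IsInherited = $false }
)
$ntfs = Get-EffectiveNtfsRights -Ace $fileAcl -Principals 'User1', 'Users', 'Sales'
"NTFS effective rights for User1 : $ntfs"
"Over a Read share               : $(Get-EffectiveShareAccess -NtfsRights $ntfs -SharePermission Read)"
"Over a Full Control share       : $(Get-EffectiveShareAccess -NtfsRights $ntfs -SharePermission FullControl)"

# Against a live folder (path assumed):
# $live = (Get-Acl 'D:\Data\Sales').Access | ConvertFrom-FileSystemAccessRule
# Get-EffectiveNtfsRights -Ace $live -Principals 'WOODGROVEBANK\User1', 'BUILTIN\Users', 'WOODGROVEBANK\Sales'
```

With the constructed ACL, User1 ends up with Read and Write on the file because the explicit Allow is processed before the inherited Deny; over a share that grants only Read, the same user drops to Read. When you feed real rules in, the identities are in `DOMAIN\name` form, so the principal list must use the same form.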
Question: You have shared the Data folder to the Sales Group. Within the Data
directory, you have given the Sales Group Full Control over the Sales folder. When
users in the Sales Group try to save a file in the \Data\Sales directory, they get an
access denied error. Why? What permission needs to be changed, and why?
Key Points
Here are several considerations to make administering permissions more
manageable:
1. Grant permissions to groups instead of users. Groups can always have
individuals added or deleted, while permissions on a case-by-case basis are
difficult to track.
2. Use Deny permissions only when necessary. Because deny permissions are
inherited exactly like allow permissions, assigning deny permissions to a
folder can result in users not being able to access files lower in the folder
structure. Deny permissions should be assigned in the following situations:
• To exclude a subset of a group that has Allow permissions.
• To exclude one permission when you have granted Full Control
permissions already to a user or group.
Question: List one or two examples of best practices that you have implemented
when assigning Shared Folder or NTFS permission in your organization.
Scenario
Woodgrove Bank is an enterprise that has offices located in several cities
throughout the world. Woodgrove Bank has deployed AD DS in Windows Server
2008. They have recently opened a new subsidiary in Toronto, Canada. As a
network administrator assigned to the new subsidiary, one of your primary tasks
will be to create and manage access to resources, including the shared folder
implementation. For example, groups that mirror the departmental organization of
the bank need shared file storage areas. You must also have shared folders to
enable files to be shared during special projects between departments.
Discussion Questions:
1. The Woodgrove Bank Toronto subsidiary has an organizational hierarchy, as
outlined by its organizational units (OUs) that supports the activities of its
four departments: Marketing, Investments, Management, and Customer
Service. Each department has groups populated with the employees in that
department. How could you give each department separate file-sharing spaces?
2. All members of the Toronto subsidiary must be able to read documents posted
by management about topics such as staffing, targets and projections, and
company news. To create a series of folders that will enable this information to
be available to all employees in the subsidiary, and managers from other parts
of the Woodgrove Bank, what sorts of groups would be needed? What sorts of
permissions would each require? What sorts of folder structures might be
needed?
3. A task force on reducing the subsidiary’s carbon footprint (that is, its negative
impact on the natural environment) is collecting data from various
departments. They plan to keep the information private until they can publish
a report. How can individuals from various departments have contributing
status while restricting access to those outside their project?
Result: At the end of this exercise, you will have discussed and determined solutions
for a shared folder implementation.
Result: At the end of this exercise, you will have created a shared folder
implementation.
Result: At the end of this exercise, you will have verified that the shared folder
implementation meets security requirements.
Review Questions
1. What is the role of ACLs in granting access to resources on an AD DS
network?
2. How do DACLs differ from SACLs?
3. What happens to the shared folder configuration when you copy or move a
shared folder from one hard disk to another on the same server? What
happens to the shared folder configuration when you copy or move the shared
folder to another server?
4. You have to assign permissions to a shared folder so that all users in your
organization can read the contents of the folder. Which of these approaches
would be the best way to do this: accept the default permissions, assign read
permissions to the folder for the Domain Users group, or add groups
representing whole departments? How would this configuration change if your
organization had multiple domains?
After the initial deployment of Active Directory® Domain Services (AD DS), the
most common tasks for an AD DS administrator are configuring and managing AD
DS objects. In most organizations, each employee is issued a user account, which is
added to one or more groups in AD DS. The user and group accounts enable
access to Windows Server-based network resources such as Web sites, mailboxes,
and shared folders.
This module describes how to perform many of these administrative tasks, and
options available for delegating or automating these tasks. This module also
describes how to configure and manage Active Directory trusts.
Configuring Active Directory Objects and Trusts 5-3
Key Points
Active Directory object permissions secure resources by enabling you to control
which administrators or users can access individual objects or object attributes,
and to control the type of access they have. You use permissions to assign
privileges for administrators to manage an organizational unit or a hierarchy of
organizational units, and the Active Directory objects contained within those
organizational units.
• Denied permissions take precedence over any permission that you otherwise
allow to user accounts and groups.
• You should use Deny permissions explicitly only when it is necessary to
remove a permission that a user is granted by being a particular group’s
member.
• When permission to perform an operation is not allowed, it is implicitly
denied.
Question: What are the risks with using special permissions to assign AD DS
permissions?
Question: What permissions would a user have on an object if you granted them
full control permission, and denied the user write access?
Key Points
• Enable the Advanced view in Active Directory Users and Computers.
• Disable permission inheritance by child items.
• View the Effective Permissions for the object.
Question: What would happen to an object’s permissions if you moved the object
from one OU to another if the OUs had different permissions applied?
Question: What would happen if you removed all permissions from an OU when
you blocked inheritance and did not assign any new permissions?
Key Points
Accessible from an object's advanced properties settings, the Effective Permissions
tool helps you to determine the permissions for an Active Directory object. This
tool calculates the permissions that are granted to the specified user or group, and
takes into account the permissions that are in effect from group memberships and
any permission inherited from parent objects.
Key Points
Delegation of control is the ability to assign management responsibility of Active
Directory objects to another user or group.
Delegated administration helps to ease the administrative burden of managing
your network by distributing routine administrative tasks to multiple users. With
delegated administration, you can assign basic administrative tasks to regular users
or groups. For example, you could give OU administrators the right to add or
remove user or computer objects, or an administrative assistant the right to reset
passwords.
By delegating administration, you give groups in your organization more control of
their local network resources. You also help secure your network from accidental
or malicious damage by limiting the membership of administrator groups.
You can define the delegation of administrative control in the following four ways:
• Grant permissions to create or modify all objects in a specific organizational
unit or in the domain.
• Grant permissions to create or modify some types of objects in a specific
organizational unit or at the domain level.
• Grant permissions to create or modify a specific object in a specific
organizational unit or at the domain level.
• Grant permissions to modify specific attributes of an object, (such as granting
the permission to reset passwords on a user account) in a specific
organizational unit or at the domain level.
Discussion Questions
• What are the benefits of delegating administrative permissions?
• How would you use delegation of control in your organization?
Key Points
• Use the Delegation of Control Wizard to delegate permissions to manage user
and computer accounts.
• Use the Delegation of Control Wizard to delegate the administration of
individual attributes.
• Use a Microsoft Windows® PowerShell™ script to delegate the Password Reset
task.
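The four delegation patterns listed above all come down to adding access rules to the OU's security descriptor, which is what the Delegation of Control Wizard does behind the scenes. The script below is an added example, not the course's own script: it delegates the Reset Password task (the same rights the wizard grants: the Reset Password control access right plus read and write of pwdLastSet, scoped to user objects below the OU) using the ADSI interfaces available on Windows Server 2008, without the Active Directory module. The OU distinguished name and the group name are assumptions, and the GUIDs are looked up in the schema and configuration partitions rather than hard-coded.

```powershell
# Added example (not part of the course): delegate "Reset Password" on an OU
# to a group by editing the OU's DACL directly, then read the result back.
Add-Type -AssemblyName System.DirectoryServices

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.Properties['configurationNamingContext'].Value
$schemaNc = $rootDse.Properties['schemaNamingContext'].Value

# rightsGuid of a control access right, e.g. 'Reset Password'
function Get-ExtendedRightGuid([string]$DisplayName) {
    $container = [ADSI]"LDAP://CN=Extended-Rights,$configNc"
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher(
        $container, "(&(objectClass=controlAccessRight)(displayName=$DisplayName))")
    [guid]$searcher.FindOne().Properties['rightsguid'][0]
}

# schemaIDGUID of a class or attribute, e.g. 'user' or 'pwdLastSet'
function Get-SchemaGuid([string]$LdapDisplayName) {
    $container = [ADSI]"LDAP://$schemaNc"
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher(
        $container, "(lDAPDisplayName=$LdapDisplayName)")
    $bytes = [byte[]]$searcher.FindOne().Properties['schemaidguid'][0]
    New-Object System.Guid -ArgumentList (,$bytes)
}

function Grant-ResetPasswordDelegation {
    param(
        [Parameter(Mandatory)] [string] $OuDn,       # assumed, e.g. 'OU=Toronto,DC=WoodgroveBank,DC=com'
        [Parameter(Mandatory)] [string] $GroupName   # assumed, e.g. 'WOODGROVEBANK\Toronto-Helpdesk'
    )
    $sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $userClass     = Get-SchemaGuid 'user'
    $resetPassword = Get-ExtendedRightGuid 'Reset Password'
    $pwdLastSet    = Get-SchemaGuid 'pwdLastSet'

    $ou = [ADSI]"LDAP://$OuDn"
    # 1. The Reset Password control access right, on user objects below the OU only
    $ou.ObjectSecurity.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow, $resetPassword,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userClass)))
    # 2. Read/write pwdLastSet, so the delegate can force "change password at next logon"
    $ou.ObjectSecurity.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
        [System.Security.AccessControl.AccessControlType]::Allow, $pwdLastSet,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userClass)))
    $ou.CommitChanges()
}

# Verification: list what the group now holds on the OU
function Get-OuDelegation([string]$OuDn, [string]$GroupName) {
    $ou = [ADSI]"LDAP://$OuDn"
    $ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.IdentityReference.Value -eq $GroupName } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType
}

Grant-ResetPasswordDelegation -OuDn 'OU=Toronto,DC=WoodgroveBank,DC=com' -GroupName 'WOODGROVEBANK\Toronto-Helpdesk'
Get-OuDelegation -OuDn 'OU=Toronto,DC=WoodgroveBank,DC=com' -GroupName 'WOODGROVEBANK\Toronto-Helpdesk'
```

Scoping the rules to descendant user objects is what keeps the delegation narrow: the helpdesk group gets no rights on the OU itself, on computer objects, or on any other attribute. The verification function is also the check to run periodically, because rights added this way persist until someone removes them.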
Scenario
To optimize the use of AD DS administrator time, Woodgrove Bank would like to
delegate some administrative tasks to interns and junior administrators. These
administrators will be granted access to manage user and group accounts in
different OUs. User accounts must also be configured with a standard
configuration. The organization also requires AD DS groups that will be used, to
assign permissions to a variety of network resources. The organization would like
to automate the user and group management tasks, and delegate some
administrative tasks to junior administrators.
Result: At the end of this exercise, you will have delegated the administrative tasks for
the Toronto office.
Many organizations that deploy AD DS will deploy only one domain. However,
larger organizations, or organizations that need to enable access to resources in
other organizations or business units, may deploy several domains in the same
Active Directory forest or a separate forest. For users to access resources between
the forests, you must configure the forests with trusts. This lesson describes how to
configure and manage trusts in an Active Directory environment.
Key Points
Trusts allow security principals to present their credentials from one domain to
another, and are necessary to allow resource access between domains. When you
configure a trust between domains, a user can be authenticated in their own domain,
and their security credentials can then be used to access resources in a different
domain.
• Trusts can be defined as transitive or non-transitive.
• The user accounts are located in the trusted domain, while the resources are
located in the trusting domain.
• The two protocol options for configuring trusts are the Kerberos protocol
version 5, and Microsoft Windows NT® Local Area Network (LAN) Manager
(NTLM).
Key Points
All trusts in Microsoft Windows 2000 Server, Microsoft Windows Server 2003, and
Microsoft Windows Server 2008 forests are transitive, two-way trusts. Therefore,
both domains in a trust relationship are trusted; however, one-way trusts can also be
configured.
This diagram illustrates a two-way trust between Forests 1 and 2, and a one-way
trust between domains E and A and domains B and Q.
Question: If you were going to configure a trust between a Windows Server 2008
domain and a Windows NT 4.0 domain, what type of trust would you need to
configure?
Question: If you need to share resources between domains, but do not want to
configure a trust, how could you provide access to the shared resources?
Key Points
When you set up trusts between domains either within the same forest, across
forests, or with an external realm, information about these trusts is stored in AD
DS so you can retrieve it when necessary. A trusted domain object (TDO) stores
this information.
The TDO stores information about the trust such as the trust transitivity and type.
Whenever you create a trust, a new TDO is created and stored in the System
container in the trust’s domain.
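Because every trust is recorded as a TDO in the System container, the trusts actually in place can be read back and compared with the trust design. The script below is an added example, not from the course: it searches the current domain's System container for trustedDomain objects and decodes their trustDirection, trustType and trustAttributes values (the bit meanings used here are the documented TDO attribute values; the sample call at the end uses constructed values for a two-way forest trust with selective authentication).

```powershell
# Added example (not part of the course): enumerate and decode trusted domain
# objects so that transitivity, direction, SID filtering and selective
# authentication can be audited from a script instead of the MMC.
function ConvertFrom-TrustAttributes {
    param([int]$TrustDirection, [int]$TrustType, [int]$TrustAttributes)
    $direction = @{ 1 = 'Inbound (this domain is trusted)'; 2 = 'Outbound (this domain trusts)'; 3 = 'Two-way' }
    $type      = @{ 1 = 'Downlevel (Windows NT, NTLM)'; 2 = 'Uplevel (AD DS, Kerberos V5)'; 3 = 'MIT Kerberos realm' }
    $flags = @(
        @{ Bit = 0x01; Name = 'NonTransitive' },
        @{ Bit = 0x02; Name = 'UplevelOnly' },
        @{ Bit = 0x04; Name = 'QuarantinedDomain (SID filtering)' },
        @{ Bit = 0x08; Name = 'ForestTransitive' },
        @{ Bit = 0x10; Name = 'CrossOrganization (selective authentication)' },
        @{ Bit = 0x20; Name = 'WithinForest' },
        @{ Bit = 0x40; Name = 'TreatAsExternal' }
    )
    [pscustomobject]@{
        Direction  = $direction[$TrustDirection]
        Type       = $type[$TrustType]
        Transitive = -not ($TrustAttributes -band 0x01)
        Attributes = @($flags | Where-Object { $TrustAttributes -band $_.Bit } | ForEach-Object { $_.Name }) -join ', '
    }
}

function Get-DomainTrust {
    # TDOs live in CN=System of the domain naming context
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNc = $rootDse.Properties['defaultNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://CN=System,$domainNc", '(objectClass=trustedDomain)')
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        $decoded = ConvertFrom-TrustAttributes -TrustDirection $p['trustdirection'][0] `
                                               -TrustType      $p['trusttype'][0] `
                                               -TrustAttributes $p['trustattributes'][0]
        [pscustomobject]@{
            Partner    = $p['trustpartner'][0]
            FlatName   = $p['flatname'][0]
            Direction  = $decoded.Direction
            Type       = $decoded.Type
            Transitive = $decoded.Transitive
            Attributes = $decoded.Attributes
        }
    }
}

# Constructed values: a two-way, uplevel forest trust with selective authentication
ConvertFrom-TrustAttributes -TrustDirection 3 -TrustType 2 -TrustAttributes 0x18

# On a domain controller or domain-joined computer:
# Get-DomainTrust | Format-Table -AutoSize
```

Two of the flags are the ones worth watching from a security standpoint: QuarantinedDomain shows whether SID filtering is on for an external trust, and CrossOrganization shows whether selective authentication (described later in this module) restricts which servers the partner forest's users can reach.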
Question: In this slide, what type of trust do Domain B and Domain C have in this
forest? What are the limitations?
Key Points
Windows Server 2008 supports cross-forest trusts, which allow users in one forest
to access resources in another forest. When a user attempts to access a resource in
a trusted forest, AD DS must first locate the resource. After the resource is located,
the user can be authenticated and allowed to access the resource.
Question: Why would clients not be able to access resources in a domain outside the
forest?
Key Points
• Review the Active Directory Domains and Trusts MMC.
Question: When you set up a forest trust, what information will need to be
available in DNS in order for the forest trust to work?
Key Points
A user principal name (UPN) is a logon name that is used only to log on to a
Windows Server 2008 network. There are two parts to a UPN, which are separated
by the @ sign, for example, suzan@WoodgroveBank.com.
• The user principal name prefix, which in this example is suzan.
• The user principal name suffix, which in this example is WoodgroveBank.com.
By default, the suffix is the domain name in which the user account was created.
You can use the other domains in the network, or additional suffixes that you
created, to configure other suffixes for users. For example, you may want to
configure a suffix to create user logon names that match users’ e-mail addresses.
Key Points
Another option for restricting authentication across trusts in a Windows
Server 2008 forest is selective authentication. With selective authentication, you
can restrict which computers in your forest can be accessed by another forest’s
users.
Scenario
Woodgrove Bank also has established a partner relationship with another
organization. Some users in each organization must be able to access resources in
the other organization. However, the access between organizations must be limited
to as few users and as few servers as possible.
Task 2: Configure the Network and DNS Settings to enable the forest trust
1. On VAN-DC1, modify the Local Area Network properties to change the IP
address to 10.10.0.110, the Default gateway to 10.10.0.1, and the Preferred
DNS server to 10.10.0.110, and then click OK.
2. Synchronize the time on VAN-DC1 with NYC-DC1.
Result: At the end of this exercise, you will have configured trusts based on a trust
configuration design.
Review Questions
1. If there is a trust within a forest, and the resource is not in the user’s domain,
how does the domain controller use the trust relationship to access the
resource?
2. The BranchOffice_Admins group has been granted full control of all user
accounts in the BranchOffice_OU. What permissions would the
BranchOffice_Admins have to a user account that was moved from the
BranchOffice_OU to the HeadOffice_OU?
3. Your organization has a Windows Server 2008 forest environment, but it has
just acquired another organization with a Windows 2000 forest environment
that contains a single domain. Users in both organizations must be able to
access resources in each other’s forest. What type of trust do you create
between the forest root domain of each forest?
Question: How could you remove Write share permissions from a single file that is
located inside a folder that is inheriting Write permissions from the shared folder in
which it is located?
This lesson introduces you to how to use Group Policy to simplify managing
computers and users in an Active Directory environment. You will learn how
Group Policy Objects (GPOs) are structured and applied, and about some of the
exceptions of how GPOs are applied.
This lesson also discusses Group Policy features that are included with Windows
Server 2008, which also will help simplify computer and user management.
Key Points
Group Policy is a Microsoft technology that supports one-to-many management of
computers and users in an Active Directory environment. By editing Group Policy
settings and targeting a Group Policy Object (GPO) at the intended users or
computers, you can centrally manage specific configuration parameters. In this
way, you can manage potentially thousands of computers or users by changing a
single GPO.
A Group Policy object is the collection of settings that are applied to selected users
and computers.
Group Policy can control many aspects of a target object’s environment, including
the registry, NTFS file system security, audit and security policy, software
installation and restriction, desktop environment, logon/logoff scripts, and so on.
Creating and Configuring Group Policy 6-5
Key Points
Group Policy has thousands of configurable settings (approximately 2,400). These
settings can affect nearly every area of the computing environment. You cannot
apply all of the settings to all versions of Microsoft Windows operating systems.
For example, many of the new settings that came with the Microsoft Windows XP
Professional operating system, Service Pack (SP) 2, such as software restriction
policies, only applied to that operating system. Equally, many of the hundreds of
new settings only apply to the Microsoft Windows Vista® operating system and
Windows Server 2008. If a computer has a setting applied that it cannot process, it
simply ignores it.
Feature | Function
User Account Control | Controls the behavior of the User Account Control
feature.
Note: A number of settings appear in both the user and the computer configuration, for
example, Offline file or Windows Messenger settings. With few exceptions, in case of a
conflict between the user and computer setting, the user settings will be ignored, and the
computer setting will be applied.
Question: Which of the new features will you find the most useful in your
environment?
Key Points
Clients initiate Group Policy application by requesting GPOs from AD DS. When
Group Policy is applied to a user or computer, the client component interprets the
policy, and then makes the appropriate environment changes. These components
are known as Group Policy client-side extensions. As GPOs are processed, the
gpsvc service passes the list of GPOs that must be processed to each Group Policy
client-side extension. The extension then uses the list to process the appropriate
policy, when applicable.
Key Points
Different factors can change the normal Group Policy processing behavior, such as
logging on using a slow connection. Also, different types of connections or
operating systems handle Group Policy processing differently.
Key Points
You can use Group Policy templates to create and configure Group Policy settings,
which are stored by the GPOs. The GPOs in turn are stored in the System Volume
(SYSVOL) container in AD DS. The SYSVOL container acts as a central repository
for the GPOs. In this way, one policy may be associated with multiple Active
Directory containers through linking. Conversely, multiple policies may link to one
container.
Group Policy has three major components:
• Group Policy templates
• Group Policy container
• Group Policy objects
Question: Think of at least one example of how your organization can benefit by
using the Group Policy components.
Key Points
ADM Files
Traditionally, ADM files have been used to define the settings the administrator
can configure through Group Policy. Each successive Windows operating system
and service pack has included a newer version of these files. ADM files use their
own markup language. Because of this, it is difficult to customize ADM files. The
ADM templates are located in the %SystemRoot%\Inf folder.
ADMX Files
Windows Vista and Windows Server 2008 introduce a new format for displaying
registry-based policy settings. Registry-based policy settings are defined using a
standards-based XML file format known as ADMX files. These new files replace
ADM files. Group Policy tools on Windows Vista and Server 2008 will continue to
recognize custom ADM files you have in your existing environment, but will ignore
any ADM file that ADMX files have superseded.
Question: List one benefit of the ADMX format with Group Policy Objects.
Key Points
For domain-based enterprises, administrators can create a central store location of
ADMX files that is accessible by anyone with permission to create or edit GPOs.
The GPO Editor on Microsoft Windows Vista and Windows Server 2008
automatically reads and displays Administrative Template policy settings from
ADMX files that the central store caches, and ignores the ones stored locally. If the
domain controller is not available, then the local store is used.
You must create the central store, and then update it manually on a domain
controller. The use of ADMX files is dependent on the operating system of the
computer where you are creating or editing the GPO, not on the domain controller.
Therefore, the domain controller can be a server with Microsoft Windows 2000,
Microsoft Windows Server 2003, or Windows Server 2008. The File Replication
Service (FRS) will replicate the central store from that domain controller to the
domain’s other domain controllers.
For example, to create a Central Store for the Test.Microsoft.com domain, create a
PolicyDefinitions folder in the following location:
\\Test.Microsoft.Com\SYSVOL\Test.Microsoft.Com\Policies
Copy all files from the PolicyDefinitions folder on a Windows Vista-based client
computer to the PolicyDefinitions folder on the domain controller. The
PolicyDefinitions folder on a Windows Vista-based computer resides in the same
folder as Windows Vista. The PolicyDefinitions folder on the Windows Vista-based
computer stores all .admx files and .adml files for all languages that are enabled on
the client computer.
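The procedure just described (create PolicyDefinitions under the domain's Policies folder in SYSVOL, then copy the .admx files and the per-language .adml files from a Windows Vista or Windows Server 2008 computer) can be scripted so that it is repeatable when new templates arrive. The script below is an added example and not part of the course; it uses the Test.Microsoft.Com domain name from the text, assumes the local %SystemRoot%\PolicyDefinitions folder as the source, and finishes with a consistency check that every .admx file has a matching .adml for the editing language, because a missing .adml makes the GPO Editor report an error for that template.

```powershell
# Added example (not part of the course): build and verify the ADMX central store.
function New-GpoCentralStore {
    param(
        [Parameter(Mandatory)] [string] $DomainDnsName,                       # e.g. Test.Microsoft.Com
        [string] $SourceFolder = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
        [string] $Language     = 'en-US'
    )
    # Central store path: \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions
    $store = "\\$DomainDnsName\SYSVOL\$DomainDnsName\Policies\PolicyDefinitions"
    if (-not (Test-Path -Path $store)) {
        New-Item -Path $store -ItemType Directory | Out-Null
    }
    # Copy the .admx files and each language subfolder with its .adml files
    Copy-Item -Path (Join-Path $SourceFolder '*.admx') -Destination $store -Force
    Get-ChildItem -Path $SourceFolder | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $dest = Join-Path $store $_.Name
        if (-not (Test-Path -Path $dest)) { New-Item -Path $dest -ItemType Directory | Out-Null }
        Copy-Item -Path (Join-Path $_.FullName '*.adml') -Destination $dest -Force
    }
    Test-GpoCentralStore -Store $store -Language $Language
}

function Test-GpoCentralStore {
    param(
        [Parameter(Mandatory)] [string] $Store,
        [string] $Language = 'en-US'
    )
    $admx       = @(Get-ChildItem -Path $Store -Filter '*.admx')
    $admlFolder = Join-Path $Store $Language
    # Every template needs its language resource file, otherwise the editor cannot load it
    $missing = @($admx | Where-Object {
        -not (Test-Path -Path (Join-Path $admlFolder ($_.BaseName + '.adml')))
    } | ForEach-Object { $_.Name })
    [pscustomobject]@{
        Store       = $Store
        AdmxCount   = $admx.Count
        Language    = $Language
        MissingAdml = $missing
    }
}

New-GpoCentralStore -DomainDnsName 'Test.Microsoft.Com'
```

Run it from the Windows Vista or Windows Server 2008 computer whose templates you want to publish, as an account that can write to SYSVOL. Re-running it after a service pack overwrites the store with the newer template set, and the returned MissingAdml list tells you whether the copy left any template without a resource file.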
Question: What would be the advantage of creating the central store in your
environment?
Key Points
• Open the Group Policy Management Console (GPMC).
• Create a new Group Policy named Desktop in the Group Policy container.
• In the computer configuration, prevent the last logon name from displaying,
and prevent Windows Installer from running.
• In the user configuration, remove the Search menu from the Start menu, and
hide the Screen Saver tab.
Question: When you open the GPMC on your Windows XP computer, you do not
see the new Windows Vista settings in the Group Policy Object Editor. Why not?
Key Points
The GPOs that apply to a user or computer do not all have the same precedence.
GPOs are applied in a particular order. This order means that settings that are
processed first may be overwritten by settings that are processed later. For
example, a policy that restricts access to Control Panel applied at the domain level
could be reversed by a policy applied at the OU level for that particular OU.
If you link several GPOs to an organizational unit, their processing occurs in the
order that the administrator specifies on the Linked Group Policy Objects tab for
the organizational unit in the Group Policy Management Console (GPMC).
Question: Your organization has multiple domains spread over multiple sites. You
want to apply a Group Policy to all users in two different domains. What is the best
way to accomplish this?
Key Points
In Microsoft operating systems prior to Windows Vista, there was only one user
configuration available in the local Group Policy. That configuration was applied to
all users logged on from the local computer. This is still true, but Windows Vista
and Windows Server 2008 have an added feature. In Windows Vista and Windows
Server 2008, it now is possible to have different user settings for different local
users, although there remains only one computer configuration available that
affects all users.
Domain administrators can disable Local Group Policy objects processing on
clients running Windows Vista or Windows Server 2008 by enabling the “Turn off
Local Group Policy objects processing” policy setting in a domain GPO.
Question: When would multiple local Group Policy objects be useful in a domain
environment?
Key Points
There may be occasions when the normal behavior of Group Policy is not
desirable. For example, certain users or groups may need to be exempt from
restrictive Group Policy settings, or a GPO should be applied only to computers
with certain hardware or software characteristics. By default, all Group Policy
settings apply to the Authenticated Users group in a given container. However, you
can modify that behavior through various methods.
• Using block inheritance prevents the child level from automatically inheriting
GPOs linked to higher sites, domains, or organizational units.
• GPO links that are enforced at a parent container cannot be blocked by a child container.
• By denying or granting the Apply Group Policy permission, you can control
which users, groups, or computers actually receive the GPO settings. Security
group filtering will override enforcement.
Question: You have created a restrictive desktop policy and linked it to the
Finance OU. The Finance OU has several child OUs that have separate GPOs that
reverse some of your desktop restrictions. How would you ensure that all users in
the Finance department receive your desktop policy?
Key Points
• Link the policy you created in the previous demo to the Toronto OU.
• Log on as one of the Toronto users to test the results.
• Disable the computer or user side of the policy. Doing this gives some
performance advantage by not processing parts of the policy that are known to
be empty.
• Disable the entire policy. Occasionally you may need to do this for
troubleshooting policies.
Key Points
• Create a new OU and a new user in the OU.
• In the Default Domain policy, enable the setting to remove the Help menu
from the Start menu. Test the settings.
• Block inheritance for the new OU. Test the settings.
• Enforce the Default Domain policy. Test the settings.
• Turn off enforcement and inheritance blocking.
Question: Your domain has two domain-level policies, GPO1 and GPO2. You need
to ensure that all OUs receive GPO1, but GPO2 should not affect two of the OUs.
How could you accomplish this?
Key Points
• Create a new user in the OU that you created for the last demo.
• Create a link between the OU and the GPO that removes the Search link from
the Start menu.
• Use security filtering to exempt the new user from the GPO setting.
• Log on as the first user and test that there is no Help menu link.
• Log on as the new user and test that the Help menu link appears because security
filtering is in place.
Question: You want to ensure that a specific policy linked to an OU will only affect
the members of the Managers global group. How would you accomplish this?
Key Points
• Use the GPMC to create a new WMI filter that targets only XP Professional
clients:
Root\CimV2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"
• Use the GPMC to create a new GPO named software.
• Assign the WMI filter to the software GPO.
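A WMI filter is simply a WQL query that must return at least one row on the client for the GPO to apply, so it can be tried on a candidate computer before it is linked. The function below is an added example, not from the course: it takes filters written in the "namespace; query" form shown above, runs each query locally and reports whether this computer would pass the filter. The multiple-query behaviour (all queries must match) is how GPMC evaluates a filter with several queries.

```powershell
# Added example (not part of the course): evaluate a GPMC-style WMI filter
# on the local computer.
function Test-GpoWmiFilter {
    param([Parameter(Mandatory)] [string[]] $Query)   # each entry as 'Root\CimV2; Select ...'
    foreach ($q in $Query) {
        $namespace, $wql = $q -split ';', 2            # split only on the first semicolon
        $namespace = $namespace.Trim()
        $wql       = $wql.Trim()
        try {
            $rows = @(Get-WmiObject -Namespace $namespace -Query $wql -ErrorAction Stop)
        } catch {
            # A query that cannot run (bad namespace, bad class) fails the filter
            Write-Warning "WMI query failed in $namespace : $($_.Exception.Message)"
            return $false
        }
        if ($rows.Count -eq 0) { return $false }      # no rows means the filter evaluates to false
    }
    return $true
}

# The filter from the demo above: true only on Windows XP Professional
Test-GpoWmiFilter 'Root\CimV2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"'
```

Because the filter is evaluated on every policy refresh, a slow query in a filter shows up as slow logons on every computer in the GPO's scope; testing the query time here is a cheap way to catch that before deployment.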
Key Points
User policy settings are normally derived entirely from the GPOs associated with
the user account, based on its AD DS location. However, Loopback processing
directs the system to apply an alternate set of user settings for the computer to any
user who logs on to a computer affected by this policy. Loopback processing is
intended for special-use computers where you must modify the user policy based
on the computer being used, such as the computers in public areas or classrooms.
When you apply loopback, it will affect all users except local ones.
Both the user object and the computer object can potentially have different
Group Policy settings applied (depending upon where each object resides in AD DS).
Loopback processing ensures that the computer object’s policy takes precedence
over the user object’s Group Policy settings.
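The rules spread across the last several topics (site, domain and OU processing with later GPOs overwriting earlier ones; link order within a container; Block Inheritance; Enforced links; security filtering; and loopback processing) fit in one small resolution engine, which makes the interaction between them easier to reason about than the prose alone. The block below is an added example and is not part of the course or of Windows: the GPO names, settings, containers and groups are constructed to mirror the demos above, and the model simplifies loopback by filtering the computer's GPOs with the same group list as the user's.

```powershell
# Added example (not part of the course): a model of Group Policy precedence.

function Get-GpoApplyOrder {
    # $Scope: containers from outermost to innermost (site, domain, OU, child OU ...).
    # Each container: @{ Name; BlockInheritance; Links = @(@{ Gpo; Enforced; Enabled }) }
    # with Links in GPMC link order (link 1 first).
    param([Parameter(Mandatory)] [object[]] $Scope)
    $normal   = New-Object System.Collections.ArrayList
    $enforced = @()                                        # innermost container's enforced links first
    foreach ($container in $Scope) {
        # Block Inheritance drops every non-enforced link inherited from above
        if ($container.BlockInheritance) { $normal.Clear() }
        $ownEnforced = @()
        # Walk links in reverse link order: link 1 is applied last and therefore wins
        for ($i = $container.Links.Count - 1; $i -ge 0; $i--) {
            $link = $container.Links[$i]
            if ($link.Enabled -eq $false) { continue }
            if ($link.Enforced) { $ownEnforced += $link.Gpo } else { [void]$normal.Add($link.Gpo) }
        }
        # Enforced links are applied after all normal ones, and a parent's enforced
        # links after a child's, so an enforced domain GPO cannot be blocked or reversed
        $enforced = @($ownEnforced) + $enforced
    }
    return $normal.ToArray() + $enforced
}

function Resolve-GpoSettings {
    param(
        [Parameter(Mandatory)] [object[]] $Scope,          # scope of the principal being resolved
        [Parameter(Mandatory)] [string[]] $Groups,         # groups the principal belongs to
        [object[]] $ComputerScope,                         # scope of the computer, loopback only
        [ValidateSet('None', 'Merge', 'Replace')] [string] $Loopback = 'None'
    )
    $order = @(Get-GpoApplyOrder -Scope $Scope)
    if ($Loopback -eq 'Replace') { $order  = @(Get-GpoApplyOrder -Scope $ComputerScope) }
    if ($Loopback -eq 'Merge')   { $order += @(Get-GpoApplyOrder -Scope $ComputerScope) }
    $effective = @{}
    foreach ($gpo in $order) {
        # Security filtering: the GPO applies only if one of the groups holds Apply Group Policy
        if (@($gpo.ApplyTo | Where-Object { $Groups -contains $_ }).Count -eq 0) { continue }
        foreach ($k in $gpo.Settings.Keys) { $effective[$k] = @{ Value = $gpo.Settings[$k]; From = $gpo.Name } }
    }
    return $effective
}

function Show-Result([string]$Label, [hashtable]$Result) {
    $parts = foreach ($k in ($Result.Keys | Sort-Object)) { "$k=$($Result[$k].Value) [$($Result[$k].From)]" }
    '{0,-42} {1}' -f $Label, ($parts -join '; ')
}

# Constructed GPOs, modelled on the demos in the text
$domainPolicy  = [pscustomobject]@{ Name = 'Default Domain Policy'; ApplyTo = @('Authenticated Users')
    Settings = @{ RemoveHelpMenu = 'Enabled'; NoLastLogonName = 'Enabled' } }
$torontoPolicy = [pscustomobject]@{ Name = 'Toronto Desktop'; ApplyTo = @('Toronto Users')
    Settings = @{ RemoveHelpMenu = 'Disabled'; HideScreenSaverTab = 'Enabled' } }
$kioskPolicy   = [pscustomobject]@{ Name = 'Kiosk Lockdown'; ApplyTo = @('Authenticated Users')
    Settings = @{ RemoveHelpMenu = 'Enabled'; RemoveSearch = 'Enabled' } }

function New-UserScope([bool]$Block, [bool]$Enforce) {
    @{ Name = 'woodgrovebank.com'; BlockInheritance = $false; Links = @(@{ Gpo = $domainPolicy;  Enforced = $Enforce; Enabled = $true }) }
    @{ Name = 'OU=Toronto';        BlockInheritance = $Block;  Links = @(@{ Gpo = $torontoPolicy; Enforced = $false;   Enabled = $true }) }
}
$kioskScope  = @(@{ Name = 'OU=Kiosks'; BlockInheritance = $false; Links = @(@{ Gpo = $kioskPolicy; Enforced = $false }) })
$torontoUser = 'Authenticated Users', 'Toronto Users'

Show-Result 'Normal inheritance (OU link wins)'      (Resolve-GpoSettings -Scope (New-UserScope $false $false) -Groups $torontoUser)
Show-Result 'Block Inheritance on the OU'             (Resolve-GpoSettings -Scope (New-UserScope $true  $false) -Groups $torontoUser)
Show-Result 'Blocked, but domain link enforced'       (Resolve-GpoSettings -Scope (New-UserScope $true  $true)  -Groups $torontoUser)
Show-Result 'Security filtering (not in Toronto Users)' (Resolve-GpoSettings -Scope (New-UserScope $false $false) -Groups 'Authenticated Users')
Show-Result 'Loopback Replace on a kiosk computer'    (Resolve-GpoSettings -Scope (New-UserScope $false $false) -Groups $torontoUser -ComputerScope $kioskScope -Loopback Replace)
```

Reading the five result lines side by side shows each rule in isolation: the OU policy reverses the domain's Help-menu setting; blocking inheritance also removes the domain-only NoLastLogonName setting; enforcing the domain link brings both back and makes the domain value win; a user outside Toronto Users never receives the OU policy at all; and with loopback in Replace mode the user's own GPOs are ignored in favour of the kiosk's.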
Scenario
Use the following scenario information for your discussion.
Physical structure
Woodgrove Bank has a single domain that spans two sites, Head Office and
Toronto. The Toronto site is connected to the Head Office site across a high-speed
link. Within the Head Office site, there is a branch office in Winnipeg. This office is
connected to Head Office across a slow link. There are five users in the Winnipeg
office. There is no domain controller in the Winnipeg office, but there is a SQL
server.
This organization has deployed both Windows XP Professional and Windows
Vista computers.
Question: How would you construct a Group Policy scheme to satisfy the
requirements?
System administrators need to know how Group Policy settings affect computers
and users in a managed environment. This information is essential when planning
Group Policy for a network, and when debugging existing GPOs. Obtaining the
information can be a complex task when you consider the many combinations of
sites, domains, and organizational units that are possible, and the many types of
Group Policy settings that can exist. Further complicating the task are security-
group filtering, and GPO inheritance, blocking, and enforcement. The Group
Policy Results (GPResult.exe) command-line tool and the GPMC provide reporting
features to simplify these tasks.
Key Points
Group Policy Reporting is a feature of Group Policy that makes implementation
and troubleshooting easier. Two main reporting tools are the GPResult.exe
command-line tool, and the Group Policy Results Wizard in the GPMC. The Group
Policy Results feature allows administrators to determine the resultant policy set
that was applied to a given computer and/or user that logged on to that computer.
Although these tools are similar, each provides different information.
When the Results Wizard or GPResult is run against a remote computer, it queries
that computer over RPC and WMI, so the built-in Windows Firewall on the target
must allow the inbound Remote Administration exception. Because Group Policy is
pulled by the client rather than pushed by the server, that exception can itself be
delivered through a GPO: a computer whose firewall blocks remote administration
still receives policy, it simply cannot be queried remotely until the exception applies.
Question: You want to know which domain controller delivered Group Policy to a
client. Which utility would you use to find that out?
Key Points
Another method for testing Group Policy is to use the Group Policy Modeling
Wizard in the GPMC to model environment changes before you actually make
them. The Group Policy Modeling Wizard calculates the simulated net effect of
GPOs. Group Policy Modeling also simulates such things as security group
membership, WMI filter evaluation, and the effects of moving user or computer
objects to a different OU or site. You also can specify slow-link detection, loopback
processing, or both when using the Group Policy Modeling Wizard.
The Group Policy Modeling process actually runs on a domain controller in your
Active Directory domain. Because the wizard never queries the client computer, it
cannot take local policies into account.
a. Loopback processing
b. Moving a user to a different domain in the same forest
c. Security group filtering
d. Slow link detection
e. WMI filtering
f. All of the above
Key Points
• Log on using the WOODGROVEBANK\Administrator account.
• Run GPResult.
• Use the GPMC to run the Group Policy Reporting Wizard for a User. Examine
the output, and save the report as an HTML file.
• Use the GPMC to run the Group Policy Modeling Wizard to simulate what
would happen if the User moved to a different OU, and then compare the
differences.
Question: A user reports that they are unable to access Control Panel. Other users
in the department can access Control Panel. What tools might you use to
troubleshoot the problem?
GPMC provides mechanisms for backing up, restoring, migrating, and copying
existing GPOs. This is very important for maintaining your Group Policy
deployments in the event of error or disaster. It helps you avoid manually
recreating lost or damaged GPOs, and having to again go through the planning,
testing, and deployment phases. Part of your ongoing Group Policy operations
plan should include regular backups of all GPOs.
GPMC also provides for copying and importing GPOs, both from the same domain
and across domains.
Key Points
Like other critical data and Active Directory resources, GPOs must be backed up to
protect the integrity of AD DS and of the GPOs themselves. The GPMC provides the
basic backup and restore options, and also additional control over GPOs for
administrative purposes.
• You can back up GPOs individually or as a whole with the GPMC.
• The restore interface provides the ability for you to view the settings stored in
the backed-up version before restoring it.
• Importing a GPO allows you to transfer settings from a backed-up GPO to an
existing GPO. It does not modify the existing security or links on the
destination GPO.
• You can copy GPOs using the GPMC, both in the same domain and across
domains.
Note: It is not possible to copy settings from multiple GPOs into a single GPO.
Key Points
Starter GPOs store a collection of Administrative Template policy settings in a
single object. Starter GPOs only contain Administrative Templates. You can import
and export Starter GPOs to distribute them to other areas of your enterprise.
When you create a new GPO from a Starter GPO, the new GPO has all the
Administrative Template settings that the Starter GPO defined. In this way, Starter
GPOs act as templates for creating GPOs, which helps provide consistency in
distributed environments.
Individual Starter GPOs can be exported into .Cab files for easy distribution. You
then can import these cab files back into the GPMC. The GPMC stores Starter
GPOs in a folder named StarterGPOs, which is located in SYSVOL.
Key Points
• Open the Group Policy Management console.
• In the GPMC console tree, click Starter GPOs.
• In the results pane, click the Contents tab, and then click Load Cabinet.
• In the Load Starter GPO dialog box, click Browse for CAB.
• Click the name of the Starter GPO cabinet file that you want to install, and
then click Open.
• In the Load Starter GPO dialog box, confirm that the correct Starter GPO
cabinet file is specified, and then click OK.
• On the Contents tab, confirm that the name of the Starter GPO that you
installed appears in the list of Starter GPOs. The Starter GPO is created in
the shared SYSVOL folder on domain controllers, in all 24 languages in
which Windows Vista and Windows XP SP2 are available.
Key Points
• Use the GPMC to copy the Desktop policy that you created in the previous
demonstration.
• Rename the resulting GPO with the name of your choice.
Key Points
• Create a folder named GPO_Back to hold the backed up GPOs.
• Back up an individual GPO.
• Back up all GPOs.
• Delete one of the GPOs from the Group Policy folder.
• Restore the GPO from the backup version.
Key Points
• Create a new GPO named Redirect.
• Configure the Redirect policy to redirect the My Documents folder to a UNC
path of \\server\share.
• Backup the Redirect policy.
• Create a new GPO named Imported.
• Import the policy settings from the Redirect policy to the Imported policy.
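The same backup, restore and import steps, scripted with the GroupPolicy PowerShell module. This is an added example and not part of the course; it assumes the module (shipped with Windows Server 2008 R2 and later RSAT) and uses the lab's folder and GPO names.

```powershell
# Added example: scripted backup, restore and import of GPOs.
# Assumes the GroupPolicy module (Windows Server 2008 R2 / RSAT or later) and
# the lab's GPO names ('Desktop', 'Redirect', 'Imported').
Import-Module GroupPolicy

$backupRoot = 'C:\GPO_Back'
New-Item -ItemType Directory -Path $backupRoot -Force | Out-Null

# A GPO backup contains every setting and the GPO's DACL, so lock the folder
# down to administrators before writing anything into it.
icacls $backupRoot /inheritance:r /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' | Out-Null

# Back up one GPO, then all of them. Each call returns a backup object whose
# Id (the backup GUID) is what Restore-GPO and Import-GPO use to pick a version.
$single = Backup-GPO -Name 'Redirect' -Path $backupRoot -Comment 'Before import test'
$all    = Backup-GPO -All -Path $backupRoot -Comment 'Scheduled full backup'
"Backed up {0} GPOs; Redirect backup id {1}" -f $all.Count, $single.Id

# Restore the most recent backup of a GPO that was deleted or damaged. The
# restore brings back settings, security filtering and the WMI filter link,
# but not the links from sites, domains or OUs: those live in the containers.
Restore-GPO -Name 'Desktop' -Path $backupRoot | Out-Null

# Import copies settings from a backup into an existing GPO and replaces all of
# the target's settings; the target's own links and security filtering are kept.
Import-GPO -BackupGpoName 'Redirect' -TargetName 'Imported' -Path $backupRoot -CreateIfNeeded | Out-Null

# The UNC path in the Redirect policy (\\server\share) is imported verbatim, so
# review the report before the Imported GPO is linked anywhere.
Get-GPOReport -Name 'Imported' -ReportType Html -Path (Join-Path $backupRoot 'Imported.html')
```

When importing across domains, pass a migration table (Import-GPO -MigrationTable) so that UNC paths and security principals are rewritten for the destination domain instead of being copied as-is.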
Key Points
The ADMX Migrator allows you to convert custom ADM templates into ADMX
templates. The associated ADML file is also created. Converted files are saved into
the user’s documents folder by default. Once you create the new files, copy the
ADMX file into the PolicyDefinitions folder, or the central store, and copy the
ADML file into the appropriate subfolder. The new Administrative Templates then
become available in the GPMC.
Question: List at least one benefit of using the ADMX Migrator utility.
Key Points
Delegation allows the administrative workload to be distributed across the
enterprise. One group could be tasked with creating and editing GPOs, while
another group performs reporting and analysis duties. A separate group might be
in charge of WMI filters.
The following Group Policy tasks can be independently delegated:
• Creating GPOs
• Editing GPOs
• Managing Group Policy links for a site, domain, or OU
• Performing Group Policy Modeling analyses on a given domain or OU
• Reading Group Policy Results data for objects in a given domain or OU
• Creating WMI filters in a domain
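Delegating one of these tasks and then auditing who holds it, as an added example that is not part of the course. It assumes the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 / RSAT or later); GPO-Desktop-Editors is a hypothetical group name.

```powershell
# Added example: delegate editing of one GPO and audit who can edit any GPO.
# Assumes the GroupPolicy and ActiveDirectory modules; 'GPO-Desktop-Editors'
# is a hypothetical group.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Creating GPOs is delegated by group membership, not by a GPO ACL.
Get-ADGroupMember -Identity 'Group Policy Creator Owners' -Recursive |
    Select-Object SamAccountName, objectClass

# Editing is a per-GPO permission. Levels: GpoRead, GpoApply, GpoEdit,
# GpoEditDeleteModifySecurity, None.
Set-GPPermission -Name 'Desktop' -TargetName 'GPO-Desktop-Editors' -TargetType Group -PermissionLevel GpoEdit | Out-Null

function Get-GpoEditor {
    # Lists every trustee other than the built-in administrators that can edit
    # a GPO. Edit rights on a GPO linked to domain controllers or servers are
    # equivalent to running code as SYSTEM on those computers, so this list
    # should be short and reviewed regularly.
    $editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'
    $builtIn    = 'Domain Admins', 'Enterprise Admins', 'SYSTEM'
    foreach ($gpo in Get-GPO -All) {
        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
            if (($editLevels -contains $perm.Permission) -and ($builtIn -notcontains $perm.Trustee.Name)) {
                New-Object PSObject -Property @{
                    Gpo       = $gpo.DisplayName
                    Trustee   = $perm.Trustee.Name
                    Level     = $perm.Permission
                    Inherited = $perm.Inherited
                }
            }
        }
    }
}

Get-GpoEditor | Sort-Object Gpo | Format-Table Gpo, Trustee, Level, Inherited -AutoSize
```

Link delegation (the "Manage Group Policy links" task) is an ACL on the site, domain or OU rather than on the GPO, which is why the lab uses the Delegation of Control Wizard for it; the GPMC Delegation tab on the container shows the same thing.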
Question: List one of the benefits of the administrator delegating rights to create
new Group Policies.
Key Points
• Use the Delegation of Control Wizard to delegate to a user the right to link an
existing GPO, and to use the Group Policy reporting tools.
• Use the GPMC to delegate a different user the right to create Group Policy.
• Use the GPMC to delegate the user the right to edit the desktop policy.
Scenario
The Woodgrove Bank has decided to implement Group Policy to manage user
desktops and to configure computer security. The organization already
implemented an OU configuration that includes top-level OUs by location, with
additional OUs within each location OU for different departments. User accounts
are in the same container as their workstation computer accounts. Server computer
accounts are spread throughout various OUs.
Note: Some of the tasks in this lab are designed to illustrate GPO management
techniques and settings and may not always follow best practices.
Result: At the end of this exercise, you will have created and configured GPOs.
f Task 4: Create and apply a WMI filter for the Vista and XP Security
GPO
1. Write a WMI query that matches computers running Windows XP or
Windows Vista. WMI filters are evaluated by the Group Policy client against the
computer's own WMI repository (for example, Win32_OperatingSystem), so they
select computers, not users.
2. Open GPMC and create a new WMI filter.
3. Enter the query in the WMI Query box, and then link the filter to the Vista
and XP Security GPO.
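A query for this task and a way to test it before the filter is attached to the GPO, as an added example that is not part of the course. The computer names are the lab's; the query and the test function are assumptions of this example.

```powershell
# Added example: test the WMI filter query on a client before attaching it to
# the "Vista and XP Security" GPO. The Group Policy client evaluates WMI filters
# against the computer's own WMI repository, so the query targets
# Win32_OperatingSystem rather than user objects.
#
# Version strings: Windows XP is 5.1, Windows Vista is 6.0. Windows Server 2008
# is also 6.0, so ProductType = 1 (workstation) keeps servers out of the GPO.
$wql = 'SELECT * FROM Win32_OperatingSystem ' +
       'WHERE (Version LIKE "5.1%" OR Version LIKE "6.0%") AND ProductType = 1'

function Test-GpoWmiFilter {
    param(
        [string]$Query,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # root\CIMv2 is the namespace the Group Policy client uses for WMI filters.
    # Get-WmiObject is the 2008-era cmdlet; on PowerShell 7 use Get-CimInstance.
    $hits = @(Get-WmiObject -Namespace 'root\CIMv2' -Query $Query -ComputerName $ComputerName -ErrorAction Stop)
    # A filter "matches" when the query returns at least one instance.
    New-Object PSObject -Property @{
        Computer = $ComputerName
        Matches  = ($hits.Count -gt 0)
        Version  = ($hits | Select-Object -First 1).Version
    }
}

# Constructed list of lab computers: the client should match, the DC should not.
'NYC-CL1', 'NYC-DC1' | ForEach-Object { Test-GpoWmiFilter -Query $wql -ComputerName $_ }
```

Querying a remote computer this way needs the same Remote Administration firewall exception that the Group Policy Results Wizard needs; when in doubt, run the function locally on the client first.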
Result: At the end of this exercise, you will have configured the scope of GPO settings.
Scenario
The enterprise administrator has created a GPO deployment plan. You have been
asked to create GPOs so that certain policies can be applied to all domain objects.
Some policies are considered mandatory. You also want to create policy settings
that will apply only to subsets of the domain’s objects, and you want to have
separate policies for computer settings and user settings. You must delegate GPO
administration to administrators within each company location.
Note: Some of the tasks in this lab are designed to illustrate GPO management
techniques and settings and may not always follow best practices.
f Task 2: Verify that a Miami branch user is receiving the correct policy
1. Ensure that there is no link to the Run menu in the Accessories folder on the
Start menu.
2. Ensure that there is no link to Control Panel on the Start menu.
3. Log off.
Hint: When you attempt to access display settings you will receive a message
informing you that this has been disabled.
5. Log off.
f Task 6: Verify that the last logged on username does not appear
• Verify that the last logged on username does not appear.
Result: At the end of this exercise, you will have tested and verified a GPO application.
Result: At the end of this exercise, you will have backed up, restored, and imported
GPOs.
Note: This step is included in the lab to enable you to test the delegated permissions. As
a best practice, you should install the administration tools on a Windows workstation
rather than enable Domain Users to log on to domain controllers. Remove Domain Users
from the Allow log on locally right in the Default Domain Controllers Policy when the lab
is complete: any member of Domain Users who can log on locally to a domain controller
has a foothold on the most sensitive computers in the domain.
1. On NYC-DC1, start Group Policy Management, and then edit the Default
Domain Controllers Policy.
2. In the Group Policy Management Editor window, access the User Rights
Assignment folder.
3. Double-click Allow log on locally. In the Allow log on locally Properties
dialog box, click Add User or Group.
4. Grant the Domain Users group the log on locally right.
5. Open a command prompt, type GPUpdate /force, and then press ENTER.
Result: At the end of this exercise, you will have backed up, restored, and imported
GPOs.
Considerations
Keep the following considerations in mind when creating and configuring Group
Policy:
• Create multiple local Group Policy objects when necessary
• Upgrade and replace ADM files or use ADMX and ADML files for better
extensibility
• Use the available methods to control how Group Policy applies: inheritance,
filtering, and enforcement
• Use the correct Group Policy tools and reporting to enhance Group Policy
Maintenance
This module introduces the job function of configuring the user environment
using Group Policy. Specifically, this module provides the skills and knowledge
that you need to use Group Policy to configure Folder Redirection, as well as how
to use scripts. You also will learn how Administrative Templates affect Microsoft®
Windows Vista® and Windows Server® 2008, and how to deploy software using
Group Policy.
This module also describes troubleshooting procedures for Group Policy
processing clients and computers. These troubleshooting procedures may include
incorrect or incomplete policy settings, or lack of policy application to the
computer or user. You will learn the knowledge and skills necessary for
troubleshooting these issues.
Configure User and Computer Environments By Using Group Policy 7-3
Group Policy can deliver many different types of settings. Some settings are simply a
matter of turning them on, while others are more complex to configure. In
addition, Group Policy can deploy software to some or all users in an
organization, which reduces the effort required to keep computers up to date
with required software. This lesson describes how to configure the various
Group Policy settings.
Key Points
For a Group Policy setting to have an effect, you must configure it. Most Group
Policy settings have three states. They are:
• Enabled: For example, to prevent access to Control Panel, you would enable
the policy setting Prohibit access to the Control Panel.
• Disabled: For example, if you disable the Prohibit access to the Control Panel
at the child container level, you specifically are allowing access to Control
Panel.
• Not Configured: A Group Policy setting that is set to Not Configured means
that the normal default behavior will be enforced, and that particular Group
Policy will have no effect on that setting.
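What the three states mean in the registry, using the Control Panel setting from the Key Points and a hypothetical GPO named Demo. This is an added example, not part of the course; it assumes the GroupPolicy module (Windows Server 2008 R2 / RSAT or later).

```powershell
# Added example: Enabled, Disabled and Not Configured as seen in the GPO's
# registry data, for "Prohibit access to the Control Panel". Assumes the
# GroupPolicy module and a GPO named 'Demo'.
Import-Module GroupPolicy

$gpoName = 'Demo'
$key     = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$value   = 'NoControlPanel'

function Get-ControlPanelPolicyState {
    # Reads the GPO itself (not a client) and reports the setting's state.
    param([string]$Name)
    try {
        $v = Get-GPRegistryValue -Name $Name -Key $key -ValueName $value -ErrorAction Stop
        if ($v.Value -eq 1) { 'Enabled' } else { 'Disabled' }
    } catch {
        # Value absent from the GPO: the GPO says nothing about Control Panel.
        'Not Configured'
    }
}

# Enabled: the ADMX enabledValue for this setting is DWORD 1.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $value -Type DWord -Value 1 | Out-Null
Get-ControlPanelPolicyState -Name $gpoName

# Disabled: the GPO still writes a value (the ADMX disabledValue, 0). That is
# why Disabled on a child OU overrides Enabled from the domain without any
# need to block inheritance.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName $value -Type DWord -Value 0 | Out-Null
Get-ControlPanelPolicyState -Name $gpoName

# Not Configured: the value is removed from the GPO, so whatever a higher-level
# GPO says (or the default, if none does) is what takes effect.
Remove-GPRegistryValue -Name $gpoName -Key $key -ValueName $value | Out-Null
Get-ControlPanelPolicyState -Name $gpoName

# On a client, after gpupdate, the effective value lives under the Policies key;
# no value there means no GPO reached this user with this setting.
Get-ItemProperty -Path "HKCU:\$($key -replace '^HKCU\\')" -Name $value -ErrorAction SilentlyContinue
```

Set-GPRegistryValue writes the raw registry value, so the script models Disabled by writing the value the ADMX template defines for that state; the Group Policy Management Editor does the same thing when you click Disabled.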
Question: A domain level policy restricts access to the Control Panel. You want the
users in the Admin organizational unit (OU) to have access to the Control Panel,
but you do not want to block inheritance. How could you accomplish this?
Key Points
• Create and link a GPO to configure Windows Update settings.
• Log on to client computer and test results.
Question: How could you prevent a lower-level policy from reversing the setting of
a higher-level policy?
Windows Server 2008 enables you to use Group Policy to deploy scripts to users
and computers. You can also redirect folders that the user’s profile includes, from
the user’s local hard disks to a central server.
Key Points
You can use Group Policy scripts to perform any number of tasks. There may be
actions that you need performed every time a computer starts or shuts down, or
when users log off or on. For example, you can use scripts to:
• Clean up desktops when users log off and shut down computers.
• Delete the contents of temporary directories.
• Map drives or printers.
• Set environment variables.
For many of these settings, using Group Policy Preferences is a better alternative to
configuring them in Microsoft Windows® images or using logon scripts. Group
Policy Preferences is covered in more detail later in this module.
Question: You keep logon scripts in a shared folder on the network. How could
you ensure that the scripts will always be available to users from all locations?
Key Points
• Create a logon script that uses the command net use t: \\nyc-dc1\data.
• Create and link a GPO to configure a logon script using the script you just
created.
• Log on to client computer and test results.
Question: What other method could you use to assign logon scripts to users?
Key Points
Folder Redirection makes it easier for you to manage and back up data. By
redirecting folders, you can ensure user access to data regardless of the computers
to which they log on.
• When you redirect folders, you change the folder’s storage location from the
user’s computer local hard disk to a shared folder on a network file server.
• After you redirect a folder to a file server, it still appears to the user as if it is
stored on the local hard disk.
Key Points
There are three available settings for Folder Redirection: none, basic, and
advanced.
• Basic folder redirection is for users who must redirect their folders to a
common area or users who need their data to be private.
• Advanced redirection allows you to specify different network locations for
different Active Directory security groups.
Question: Users in the same department often log on to different computers. They
need access to their My Documents folder. They also need the data to be private.
What folder redirection setting would you choose?
Key Points
While you must manually create a shared network folder in which to store the
redirected folders, Folder Redirection can create the user’s redirected folders for
you.
• When you use this option, the correct permissions are set automatically.
• If you manually create folders, you must know the correct permissions.
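The "correct permissions" for the shared root, scripted, as an added example that is not part of the course. It assumes a local path of D:\Redirect on the file server and a share named Redirect (neither is in the course), and is run on the file server as an administrator.

```powershell
# Added example: create the redirection root share with the permissions Folder
# Redirection expects when it creates each user's folder. Assumes D:\Redirect
# shared as 'Redirect'; run on the file server as an administrator.
$root  = 'D:\Redirect'
$share = 'Redirect'
New-Item -ItemType Directory -Path $root -Force | Out-Null

function New-Ace {
    param([string]$Identity, [string]$Rights, [string]$Inherit, [string]$Propagate)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

$acl = New-Object System.Security.AccessControl.DirectorySecurity
# Break inheritance so parent ACEs (often "Users: Read") cannot leak into user folders.
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'     'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit, ObjectInherit' 'None'))
# Each user owns the folder they create and everything below it ("subfolders and files only").
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' 'ContainerInherit, ObjectInherit' 'InheritOnly'))
# Authenticated Users may only list the root and create their own top-level folder,
# on "this folder only", so they cannot browse into other users' folders.
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\Authenticated Users' 'ListDirectory, CreateDirectories, ReadAttributes, Traverse' 'None' 'None'))
Set-Acl -Path $root -AclObject $acl

# Share permissions: let NTFS do the work; Authenticated Users get Full at the share.
net share "$share=$root" "/grant:Authenticated Users,FULL" /cache:manual | Out-Null

function Get-RedirectRootAcl {
    # Verification: the root should carry exactly the four explicit ACEs above.
    param([string]$Path = $root)
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

Get-RedirectRootAcl | Format-Table -AutoSize
```

With "Grant the user exclusive rights" left at its default in the Folder Redirection policy, the user's own folder is created with only the user and SYSTEM on its ACL; administrators who need to read it later must take ownership first, which is why the Administrators ACE above applies only from the root down to folders that Folder Redirection has not yet created.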
Question: What steps could you take to protect the data while it is in transit
between the client and the server?
Result: At the end of this exercise, you will have configured logon scripts and folders
redirection.
Key Points
Administrative Templates allow you to control the environment of the operating
system and user experience. There are two sets of Administrative Templates: one
for users, and one for computers.
• Administrative Templates are the primary means of configuring the client
computer’s registry settings through Group Policy.
• Administrative Templates are a repository of registry-based changes.
• By using the administrative template sections of the GPO, you can deploy
hundreds of modifications to the computer (the HKEY_LOCAL_MACHINE
hive in the registry,) and user (the HKEY_CURRENT_USER hive in the
registry) portions of the Registry.
Question: What sections of the Administrative Templates will you find most useful
in your environment?
Key Points
• On NYC-DC1, edit the Demo GPO.
• Under Computer Configuration, under Internet Explorer, disable the ability to
delete browsing history.
• Under User Configuration, hide the Screen Saver tab.
• On NYC-CL1, log on as WOODGROVEBANK\Administrator and then review
the settings.
Question: You need to ensure that Windows Messenger is never allowed to run on
a particular computer. How could you use Administrative Templates to implement
this?
Key Points
Because ADMX files are XML based, you can use any text editor to edit or create
new ADMX files.
• There are programs that are XML-aware, (such as Microsoft Visual Studio,)
that administrators or developers can use to create or modify ADMX files.
• Once you have a valid ADMX file, you need only place it in the local
PolicyDefinitions folder, or in the Central Store, if one exists.
Tip: Leave the default ADMX files untouched, and create your own customized versions
for custom settings.
Key Points
• Add a custom ADM file.
• Copy sample ADMX files to the central store.
• Review custom ADMX files.
Question: Can you still use custom ADM files to deliver Group Policy settings in
Windows Server 2008?
Question: What are two differences between ADM and ADMX files?
Key Points
You should consider creating a policy setting for the following purposes:
• To help administrators manage and increase security of their desktop
computers.
• To hide or disable a user interface that can lead users into a situation in which
they must call the helpdesk for support.
• To hide or disable new behavior that might confuse users. A policy setting
created for this purpose allows administrators to manage the introduction of
new features until after user training has taken place.
• To hide settings and options that might take up too much of users' time.
Result: At the end of this task, you will have enabled remote administration through
the firewall. This allows the Group Policy Results Wizard to query target computers.
f Task 3: Create and assign a GPO to encrypt offline files for executive
computers
1. In the Group Policy Management window, create a new GPO named Encrypt
Offline Files, linked to the Executives OU.
2. Configure the Encrypt Offline Files GPO with the following settings:
• Under Computer Configuration, Policies, Administrative Templates,
Network, Offline Files, enable Encrypt the Offline Files cache.
f Task 5: Create and assign a policy to limit profile size and turn off
Windows Sidebar for branch users
1. In the Group Policy Management window, create a new GPO named Branch
Users Policy, linked to the Miami, NYC, and Toronto OUs.
2. Configure the Branch Users Policy GPO with the following settings:
• Under User Configuration, Policies, Administrative Templates, System,
User Profiles, enable Limit profile size and assign a Max Profile size of
1000000 KB.
• Under Windows Components, Windows Sidebar, enable Turn off
Windows Sidebar.
f Task 1: Verify that the settings for Executives have been applied
1. On NYC-CL1, log on as WOODGROVEBANK\Tony.
Note: Some user settings are applied only during logon (foreground processing) and are
skipped at background refresh. These include the roaming user profile path, the Folder
Redirection path, and Software Installation settings. If the user is already logged on when
such a setting is detected, it is not applied until the next time the user logs on.
f Task 3: Use the Group Policy Results Wizard to review Group Policy
application for a target user and computer
1. On NYC-DC1, in the Group Policy Management window, run the Group Policy
Results Wizard against NYC-CL1 for the user Tony.
2. Review the list of applied computer and user GPOs.
Result: At the end of this exercise, you will have configured several Administrative
Templates policy settings for various OUs in the organization and then verified
successful GPO application.
Key Points
The software life cycle consists of four phases: preparation, deployment,
maintenance, and removal.
• You can apply Group Policy settings to users or computers in a site, domain,
or an organizational unit to automatically install, upgrade, or remove software.
• By applying Group Policy settings to software, you can manage the various
phases of software deployment without deploying software on each computer
individually.
Question: What types of applications would you deploy via Group Policy in your
environment?
Key Points
To enable Group Policy to deploy and manage software, Windows Server 2008
uses the Windows Installer service. This component automates the installation and
removal of applications by applying a set of centrally defined setup rules during
the installation process.
Key Points
There are two deployment types for delivering software to clients. Administrators
can assign software, which installs it for users or computers in advance, or
publish it, which gives users the option to install it when they require it.
Published software is available only to users, not to computers.
• Users do not share deployed applications: an application you install for
one user through Group Policy is not available to that computer's other
users.
• All users need their own instance of the application.
• When you assign software to a user, the user's Start menu advertises the
software when the user logs on. Installation does not begin until the user
double-clicks the application's icon or a file that is associated with the
application.
• When you assign an application to a computer, the application is installed the
next time the computer starts. The application is then available to all users of
the computer.
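Before a package is assigned, the distribution point it is installed from deserves the same attention as the package itself. The following is an added example, not part of the course: it assumes a folder D:\Software shared as Software and a hypothetical package Contoso\App.msi, and is run on the server that hosts the share.

```powershell
# Added example: prepare and verify the distribution point for Group Policy
# Software Installation. Assumes D:\Software shared as 'Software' and a
# hypothetical package Contoso\App.msi.
$dp  = 'D:\Software'
$msi = Join-Path $dp 'Contoso\App.msi'

# Assigned packages are installed by the Windows Installer service as SYSTEM on
# every targeted computer, so anyone who can overwrite the .msi gets SYSTEM on
# all of them. Make the share and the NTFS ACL read-only for everyone except
# administrators. Authenticated Users includes computer accounts, which is the
# identity an assigned computer package authenticates with.
net share "Software=$dp" "/grant:Authenticated Users,READ" "/grant:Administrators,FULL" | Out-Null
icacls $dp /inheritance:r /grant:r 'Authenticated Users:(OI)(CI)RX' 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' | Out-Null

function Test-DeployablePackage {
    # Checks the Authenticode signature and records a SHA-256 hash, so the
    # package that was reviewed is demonstrably the package that gets deployed.
    param([string]$Path)
    $sig   = Get-AuthenticodeSignature -FilePath $Path
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $sha   = [BitConverter]::ToString([System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)) -replace '-'
    New-Object PSObject -Property @{
        Package = $Path
        Status  = $sig.Status
        Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        SHA256  = $sha
    }
}

$check = Test-DeployablePackage -Path $msi
$check | Format-List Package, Status, Signer, SHA256
if ($check.Status -ne 'Valid') {
    Write-Warning "Do not deploy $msi until its signature is verified: status is $($check.Status)"
}
```

In the Software Installation node the package must be referenced by its UNC path (here \\<server>\Software\Contoso\App.msi), never by the local path, because clients resolve the path themselves; keep the recorded hash with the change record so a later re-deployment of a modified package can be detected.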
Key Points
Software Installation in Group Policy includes options for configuring deployed
software.
• You use software categories to organize published software into logical groups
so that users can locate applications easily in the Programs and Features applet
in Control Panel.
• There are no predefined software categories. You can create software
categories to arrange different applications under specific headings.
• To determine which software users install when they double-click a file, you
can choose a file name extension and configure a priority for installing
applications that are associated with it.
• You can use software modifications, or .MST files (also called transform files),
to deploy several configurations of one application.
Key Points
Occasionally a software package will need to be upgraded to a newer version. The
Upgrades tab allows you to upgrade a package using the GPO.
• You may redeploy a package if the original Windows Installer file has been
modified.
• You can remove software packages if they were delivered originally using
Group Policy. Removal can be mandatory or optional.
Result: At the end of this exercise, you will have successfully deployed an assigned
software package using Group Policy.
Many common settings that affect the user and computer environment could not
be delivered through Group Policy, for example, mapped drives. These settings
were usually delivered through logon scripts or imaging solutions. Windows
Server 2008 includes the new Group Policy preferences built-in to the Group
Policy Management Console (GPMC). Additionally, administrators can configure
preferences by installing the Remote Server Administration Tools (RSAT) on a
computer running Windows Vista Service Pack 1 (SP1). This allows many
common settings to be delivered through Group Policy.
Key Points
Group Policy preference extensions are more than twenty Group Policy extensions
that expand the range of configurable settings within a GPO.
• The main difference between policy settings and preference settings is that
preference settings are not enforced.
• The end user can change any preference setting that is applied through Group
Policy, but policy settings prevent users from changing them.
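One caveat a practitioner will want here: several preference extensions (Local Users and Groups, Services, Scheduled Tasks, Data Sources, Drives) could originally store a password, and it was written to SYSVOL in a cpassword attribute that every domain member can read; Microsoft removed the ability to set such passwords in MS14-025 (KB2962486), but existing items remain in SYSVOL until they are deleted. The following scan is an added example, not part of the course; it assumes the default SYSVOL layout.

```powershell
# Added example: find credentials stored in Group Policy Preferences XML in SYSVOL.
# Assumes the default SYSVOL layout; any domain member can read these files.
$policies = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"

function Find-GppPassword {
    param([string]$PoliciesPath = $policies)
    Get-ChildItem -Path $PoliciesPath -Recurse -Include *.xml -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -match '\\Preferences\\' } |
        ForEach-Object {
            $file = $_
            try { [xml]$doc = Get-Content -Path $file.FullName -ErrorAction Stop } catch { return }
            # Every affected item type keeps the password in a 'cpassword'
            # attribute on its Properties element.
            foreach ($node in $doc.SelectNodes('//Properties[@cpassword]')) {
                $gpoId = if ($file.FullName -match '\\Policies\\(\{[0-9A-Fa-f-]+\})\\') { $Matches[1] } else { '?' }
                # The account name attribute differs per item type.
                $acct = ''
                foreach ($a in 'userName', 'username', 'accountName', 'runAs') {
                    if ($node.HasAttribute($a)) { $acct = $node.GetAttribute($a); break }
                }
                New-Object PSObject -Property @{
                    GpoId       = $gpoId
                    File        = $file.FullName
                    Account     = $acct
                    HasPassword = ($node.GetAttribute('cpassword') -ne '')
                }
            }
        }
}

Find-GppPassword | Format-Table GpoId, Account, HasPassword, File -AutoSize
```

For every hit, delete or recreate the preference item without a password and change the password of the account it names; the stored value is recoverable by anyone who can read SYSVOL, so treat it as already disclosed.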
Key Points
The key difference between preferences and Group Policy settings is enforcement.
• In some cases, the same setting can be configured through a policy setting as
well as a preference item.
• If both settings are configured and applied to the same object, the value of the
policy setting always applies.
• Policy settings have a higher priority than preference settings.
Key Points
Most Group Policy preference extensions support the following actions for each
preference item:
• Create: Create a new item on the targeted computer.
• Delete: Remove an existing item from the targeted computer.
• Replace: Delete and recreate an item on the targeted computer. The result is
that Group Policy preferences replace all existing settings and files associated
with the preference item.
• Update: Modify an existing item on the targeted computer.
Key Points
Group Policy preferences do not require you to install any services on servers.
• Windows Server 2008 includes Group Policy preferences by default as part of
the Group Policy Management Console (GPMC).
• Administrators can configure and deploy Group Policy preferences in a
Windows Server 2003 environment by installing the RSAT on a computer
running Windows Vista with SP1.
• On Windows XP and Windows Vista client computers, Group Policy Client
Side Extensions must be downloaded and installed.
• Client Side Extensions are available through Windows Update.
Note: You aren’t actually deleting the GPO, just the link to it in the domain.
Note: To apply Group Policy preferences to Windows Vista computers, you must
download and install Group Policy Preference Client Side Extensions for Windows Vista
(KB943729).
Result: At the end of this exercise, you will have configured and tested Group Policy
Preferences and verified their application.
Group Policy can be complex to deploy and manage, and sometimes a setting can
cause unintended consequences for users or computers. This lesson provides
details about Group Policy processing and common problem areas, and describes
some of the troubleshooting tools available.
Key Points
Group Policy processing has two distinct phases:
• Core Group Policy processing. When a client begins to process Group Policy,
it must determine whether it can reach a domain controller, whether any
Group Policy objects (GPOs) have changed, and what policy settings (based
on client-side extension,) must be processed. The core Group Policy engine
performs the processing of this in the initial phase.
• Client side extension (CSE) processing. Policy settings are grouped into
different categories, such as Administrative Templates, Security Settings,
Folder Redirection, Disk Quota, and Software Installation. The settings in each
category require a specific CSE to process them, and each CSE has its own
rules for processing settings. The core Group Policy engine calls the CSEs that
are required to process the settings that apply to the client.
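The CSEs the core engine calls are registered in the registry, and because they are loaded by the Group Policy service as SYSTEM they are worth inventorying. The following inventory is an added example, not part of the course; the registry location is where Windows registers CSEs, and the checks are this example's own.

```powershell
# Added example: list the client-side extensions registered on this computer
# and check where each DLL lives and whether it is signed. An entry that points
# outside System32, to a missing file, or to an unsigned DLL deserves a look:
# whatever it names runs as SYSTEM at every policy refresh.
function Get-GpClientSideExtension {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
    foreach ($sub in Get-ChildItem -Path $base) {
        $p   = Get-ItemProperty -Path $sub.PSPath
        $dll = [Environment]::ExpandEnvironmentVariables([string]$p.DllName)
        # A bare file name is resolved by the loader from System32.
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot "System32\$dll"
        }
        $status = if ($dll -and (Test-Path -Path $dll)) {
            (Get-AuthenticodeSignature -FilePath $dll).Status
        } else { 'MissingFile' }
        New-Object PSObject -Property @{
            Guid       = $sub.PSChildName
            Name       = $p.'(default)'
            Dll        = $dll
            InSystem32 = ($dll -like (Join-Path $env:SystemRoot 'System32\*'))
            Signature  = $status
            # NoMachinePolicy / NoUserPolicy = 1 tell the engine to skip this CSE for that scope.
            NoMachine  = $p.NoMachinePolicy
            NoUser     = $p.NoUserPolicy
        }
    }
}

Get-GpClientSideExtension |
    Sort-Object InSystem32, Signature |
    Format-Table Guid, Name, Dll, InSystem32, Signature -AutoSize
```

In-box CSE DLLs are catalog-signed rather than carrying an embedded signature, and older versions of Get-AuthenticodeSignature (Windows Server 2008, PowerShell 2.0) do not check catalogs, so in-box DLLs can report NotSigned there; on those systems confirm with sfc /verifyfile=<path> before treating the result as a finding.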
Key Points
Group Policy issues may be a symptom of unrelated problems, such as network
connectivity, authentication failures, domain controller availability, or Domain
Name System (DNS) configuration errors.
You should begin the troubleshooting process by determining the scope of the
issue. For example, is the issue widespread, or affecting a single client only? If the
issue affects a single client, you should check for physical issues, like incorrect
configurations, or hardware or operating system failures. These issues are usually
easy to diagnose.
Question: What diagnostic tool could you use to determine lease expiration of a
Dynamic Host Configuration Protocol (DHCP) address issued to a client
computer?
Key Points
There are a number of diagnostic tools and logs that you can use to verify whether
you can trace a problem to core Group Policy:
• Group Policy reporting (RSoP): used to see how multiple Group Policy
objects affect various combinations of users and computers, or to predict the
effect of Group Policy settings on the network before you deploy them.
• GPResult: used to display Resultant Set of Policy (RSoP) information for a
user and computer, either locally or on a remote computer (gpresult /s).
• Gpotool: used to traverse all of your domain controllers and check for
consistency between the Group Policy container (that is, information
contained in the directory service) and the Group Policy template (that is,
information contained in the SYSVOL share on the domain controller).
• Gpupdate: used to refresh local and Active Directory-based Group Policy
settings, including security settings. Gpupdate /force reapplies all settings,
not only those from GPOs whose version number changed.
Question: What diagnostic tool will quickly display the current Group Policy slow
link threshold?
Key Points
• Run GPResult in regular and verbose mode.
• Review the GPOTool included with the Windows Server 2008 Resource Kit.
• Run GPUpdate and review the command line parameters.
• Review the GPLogView tool available as a free download from Microsoft.
• Run GPLogView in monitor mode.
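The following script is an added example for the GPResult and GPLogView bullets above; it is not part of the 6419A courseware. It reads the Group Policy operational log (the log GPLogView also reads) and summarizes the most recent processing pass for the computer, or for one user, by correlating events on their ActivityId. Assumptions: Windows Vista or Windows Server 2008 or later with PowerShell 2.0 (Get-WinEvent), an elevated session, English event text, and the event ID meanings noted in the comments (4000-4007 start events, 5312 applied-GPO list, 5313 not-applied-GPO list). The account name is a placeholder.

```powershell
# Added example, not from the 6419A courseware. Summarizes the latest Group
# Policy processing pass from the operational log.
# Assumes PowerShell 2.0 on Windows Vista / Windows Server 2008 or later,
# an elevated session, and English event messages.
# Event IDs relied on (Group Policy operational log):
#   4000-4007  "Starting ... policy processing for <principal>" (start of a pass)
#   5312       list of applicable GPOs
#   5313       list of GPOs that were not applied (filtered, disabled, inaccessible)
#   Level 2/3  error / warning raised by the engine or a CSE
function Get-GPProcessingSummary {
    param(
        # Account the pass was run for, e.g. 'WOODGROVEBANK\Roya'. Omit to
        # look at the most recent computer pass instead.
        [string]$Account,
        [int]$MaxEvents = 3000
    )

    $logName = 'Microsoft-Windows-GroupPolicy/Operational'
    $events  = @(Get-WinEvent -LogName $logName -MaxEvents $MaxEvents -ErrorAction Stop)

    # Pick the start event of the pass we care about. Every event of one pass
    # shares the ActivityId of its start event, which is how GPLogView and the
    # Event Viewer "filter by ActivityID" technique correlate them.
    $starts = @($events | Where-Object { $_.Id -ge 4000 -and $_.Id -le 4007 })
    if ($Account) {
        $starts = @($starts | Where-Object { $_.Message -like "*$Account*" })
    } else {
        $starts = @($starts | Where-Object { $_.Message -like '*computer*' })
    }
    if ($starts.Count -eq 0) { throw "No matching processing pass found in $logName" }
    $start = $starts | Sort-Object TimeCreated -Descending | Select-Object -First 1

    $pass = @($events | Where-Object { $_.ActivityId -eq $start.ActivityId } |
              Sort-Object TimeCreated)
    $last = $pass[$pass.Count - 1]

    New-Object PSObject -Property @{
        ActivityId  = $start.ActivityId
        Principal   = $start.Message
        Start       = $start.TimeCreated
        End         = $last.TimeCreated
        DurationSec = [math]::Round(($last.TimeCreated - $start.TimeCreated).TotalSeconds, 1)
        Applied     = @($pass | Where-Object { $_.Id -eq 5312 } | ForEach-Object { $_.Message })
        NotApplied  = @($pass | Where-Object { $_.Id -eq 5313 } | ForEach-Object { $_.Message })
        # Level 2 = Error, 3 = Warning. A CSE that reports success even though
        # its payload failed (the Scripts CSE, for example) will not appear here.
        Problems    = @($pass | Where-Object { $_.Level -eq 2 -or $_.Level -eq 3 } |
                        Select-Object Id, Level, TimeCreated, Message)
    }
}

# Usage: most recent computer pass, then (commented) one user's logon pass.
$computerPass = Get-GPProcessingSummary
$computerPass | Format-List Principal, Start, DurationSec, Applied, NotApplied
$computerPass.Problems | Format-Table Id, Level, Message -AutoSize -Wrap

# Get-GPProcessingSummary -Account 'WOODGROVEBANK\Roya' | Format-List *
```

The NotApplied list is the quickest way to see whether a GPO was filtered out by security or WMI filtering rather than never linked; an empty Problems list only tells you the engine and the CSEs reported success, which, as the Scripts CSE discussion later in this module shows, does not guarantee the setting took effect.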
Question: What steps must you take prior to running Group Policy reporting
RSoP on a remote computer?
When troubleshooting Group Policy issues, you need a firm understanding of the
interactions between Group Policy and its supporting technologies, and the ways
in which you manage, deploy, and apply Group Policy objects.
Key Points
CSEs are dynamic-link libraries (DLLs) that perform the actual processing of
Group Policy settings.
• Policy settings are grouped into different categories, such as Administrative
Templates, Security Settings, Folder Redirection, Disk Quota, and Software
Installation.
• Each category’s settings require a specific CSE to process them, and each CSE
has its own rules for processing settings.
• The core Group Policy process calls the appropriate CSEs to process those
settings.
• Some CSEs behave differently under different circumstances. For example, a
number of CSEs do not process if a slow link is detected.
Question: Users in a branch office log on across a slow modem connection. You
want folder redirection to be applied to them even across the slow link. How
would you accomplish this?
Key Points
The following four mechanisms alter the default inheritance and processing of
GPOs:
• Block policy inheritance
• GPO enforcement (an Enforced link overrides blocked inheritance)
• Security filtering on the GPO's access control list (ACL)
• Windows Management Instrumentation (WMI) filters
Question: Are there scenarios in your organization that would benefit from
blocking inheritance?
Key Points
Group Policy filtering determines which users and computers receive the
GPO's settings. Group Policy object (GPO) filtering is based on two factors:
• The security filtering on the GPO. A user or computer receives the GPO only
if it holds both the Read and the Apply Group Policy permissions, either
directly or through group membership.
• Any Windows Management Instrumentation (WMI) filters on the GPO.
• Group Policy filtering may look like inconsistent application of policies
within an OU. If some users, groups, or computers have filtering applied,
they will not receive policies that other users in the same OU receive.
• To check filtering on a GPO, in GPMC, open the Group Policy Objects node, select
the GPO you are troubleshooting, and then in the right pane select the Scope
tab. The Security Filtering and WMI Filtering panels show the current filtering
configuration.
• To see the exact set of permissions for users, groups, and computers, select the
Delegation tab and then click Advanced. Select the security group, user, or
computer you want to review.
Question: You have applied security filtering to limit the GPO to apply only to the
Managers group. You did this by setting the following GPO permissions:
None of the managers are receiving the GPO settings. What is the problem?
Key Points
In a domain that contains more than one domain controller, Group Policy
information takes time to propagate, or replicate, from one domain controller to
another.
• Replication issues are most noticeable in remote sites with slow connections
where there is long replication latency.
• The GPOTool can check for consistency of policies across all domain
controllers. Another tool is Repadmin, which can provide information about
Group Policy synchronization status, and general replication information.
• Once you determine that replication is the issue, then you must determine if
the problem is with SYSVOL replication (FRS, or DFS Replication if SYSVOL
has been migrated to it) or with AD DS replication, because the Group Policy
template and the Group Policy container replicate separately.
• A simple test for SYSVOL replication is to put a small test file into the SYSVOL
directory, and see if it replicates to other domain controllers.
Question: What tool can be used to force replication across all domain controllers
in the domain?
Key Points
Group Policy refresh refers to a client’s periodic retrieval of GPOs.
• During Group Policy refresh, the client contacts an available domain
controller. If any GPOs changed, the domain controller provides a list of all the
appropriate GPOs.
• By default, GPOs are processed at the computer only if the version number of
at least one GPO has changed on the domain controller that the computer is
accessing.
• Group Policy reporting provides information about when the last Group Policy
refresh occurred, on the summary page. The report also tells you if the
loopback setting is enabled.
Question: One user is getting settings applied that no one else is receiving. What
might be the issue and how would you start troubleshooting?
Group Policy settings issues are usually due to slow-link detection or incorrect
configuration. Understanding how client-side extensions (CSEs) process settings
and how slow links are detected helps in troubleshooting these issues.
Key Points
Administrative Templates may not be applied because the operating system is not
capable of interpreting the policy setting. Many of the newer policy settings apply
only to particular operating systems.
Administrative Template settings are either true policies or preferences. True
policies are written under the Policies registry keys and are removed when the
GPO that delivers them is unlinked or no longer applies. Preferences write to
ordinary registry locations and persist (they "tattoo" the registry) after the GPO is
removed, so the administrator must undo a preference explicitly by specifying a
new value in a GPO.
Key Points
The Scripts CSE updates the registry with the location of script files so that the
UserInit process can find those values during its normal processing.
• When the CSE reports success, it might mean only that the script's location was
placed in the registry.
• Even though the setting is in the registry, there could be problems preventing
the script from running or completing on the client. For example, if a script
specified in a Script setting has an error that prevents it from completing, or
the user lacks read access to the share the script lives on, the CSE does not
detect an error.
Question: A logon script is assigned to an OU. The script executes properly for all
users, but some users report that they get an access-denied message when they try
to access the mapped drive. What is the problem?
Note: If time permits, you can view the Group Policy operational log as Administrator on
NYC-CL1. If you filter the view to show events that Roya generates, you would see that
the log does not detect any errors or warnings for this user. This is because the GPO only
sets a registry value that defines the location of the scripts folder. Group Policy is
unaware if the user has access to the location. The write to the registry was successful.
Therefore, the Group Policy log does not see any errors. You would have to audit Object
Access for the scripts folder to determine access issues.
Note: Another way to resolve the issue would be to move the script to the Netlogon
share, or to eliminate the need for such a logon script altogether, you could configure a
mapped drive in Group Policy Preferences.
Result: At the end of this exercise, you will have resolved a Group Policy scripts issue.
This ticket has been escalated to the server team for resolution.
The main tasks in this exercise are:
1. Restore the Lab7B GPO.
2. Link the Lab7B GPO to the Miami OU.
3. Test the GPO.
4. Troubleshoot the GPO.
5. Resolve the issue and test the resolution.
Result: At the end of this exercise, you will have resolved a Group Policy objects issue.
Note: Group Policy applies to the user or computer in a manner that depends on where
both the user and the computer objects are located in Active Directory. However, in
some cases, users may need policy applied to them based on the location of the
computer object alone. You can use the Group Policy loopback feature to apply GPOs
that depend only on which computer the user logs on to.
Note: Another alternative would be to disable loopback processing in the GPO itself,
especially if there were other settings in the GPO that you did wish to have applied.
2. Restart NYC-CL1.
3. When the computer restarts, log on as WOODGROVEBANK\Roya.
4. Click Start and notice that the Run command is no longer present.
5. Notice that the Control Panel is again absent from the desktop and Start
menu.
6. Open Internet Explorer and notice that Internet Explorer again opens
properly.
Result: At the end of this exercise, you will have resolved a Group Policy objects issue.
Review Questions
1. You have assigned a logon script to an OU via Group Policy. The script is
located in a shared network folder named Scripts. Some users in the OU
receive the script, while others do not. What might be some causes?
2. What log will give folder redirection details?
3. What visual indicator in the GPMC designates that inheritance has been
blocked?
4. What GPO settings are applied across slow links by default?
5. Given a choice between a small number of GPOs with many settings or a large
number of GPOs with fewer settings, which is preferable?
6. Can you deliver Windows security updates through Group Policy?
Tool: Ping
Use: Testing network connectivity.
Tool: Group Policy reporting (RSoP)
Use: Reporting information about the current policies being delivered to clients.
Failure to have adequate security policies exposes an organization to many risks. A
well-designed security policy helps to protect an organization's investment in
business information and internal resources, like hardware and software. Having a
security policy in itself is not enough, however; you must implement the policy for
it to be effective. You can use Group Policy to apply standardized security settings
consistently across the environment.
Implementing Security Using Group Policy 8-3
Group Policy provides settings you can use to implement and manage security in
your organization. For example, you can use Group Policy settings to secure
passwords, startup, and permissions for system services.
In this lesson, you will learn the knowledge and skills necessary to configure
security policies.
Key Points
Security policies are rules that protect resources on computers and networks.
Group Policy allows you to configure many of these rules as Group Policy settings.
For example, you can configure password policies as part of Group Policy.
Group Policy has a large security section to configure security for both users and
computers. This way, you can apply security consistently across organizational
units (OUs) in Active Directory® Domain Services (AD DS) by defining security
settings in a Group Policy object that is associated with a site, domain, or OU.
Key Points
Account policies protect your organization's accounts and data by mitigating the
threat of brute-force guessing of account passwords. In Microsoft® Windows®
operating systems, and many other operating systems, the most common method
for authenticating a user's identity is a secret password. Securing your
network environment requires that all users use strong passwords. Password
policy settings control the complexity and lifetime of passwords; account lockout
policy settings limit how many failed guesses an attacker can make. You can
configure both through Group Policy.
The policy settings under Account Policies should always be configured at the
domain level, because domain controllers read the password and lockout policy
for domain accounts only from GPOs linked to the domain. Configuring these
policy settings at any other Active Directory level affects only the local accounts on
the member computers at those levels.
Question: You must ensure that all users change their password exactly every 30
days. How would you configure account policies to accomplish this?
Key Points
Every Windows 2000 or later computer has a Local Group Policy Object (LGPO),
in which Group Policy settings are stored on the individual computer, regardless
of whether it is part of an Active Directory environment. Windows Vista and
Windows Server 2008 add multiple local GPOs: in addition to the computer-wide
LGPO, you can configure user-settings-only LGPOs for Administrators, for
Non-Administrators, and for individual local users. Local GPOs are processed
first, so any conflicting domain GPO setting overrides them.
The LGPO is stored in a hidden folder named %windir%\System32\GroupPolicy.
This folder does not exist until you configure an LGPO.
Question: You have a Microsoft Windows Vista® client that is not joined to the
domain. You want to force the Administrators to change their passwords every
seven days, while standard users change their passwords every 21 days. How
would you configure the local policy to achieve this?
Key Points
Automating client computer configuration settings is an essential step to reduce
the cost of deploying networking security, and minimize support issues that result
from incorrectly configured settings.
Starting with Windows Server 2003, you were able to automate client wireless
configuration using the Wireless Networking Policies settings in Group Policy.
Microsoft Windows Server® 2008 and Windows Vista include new features for
network policies, and Group Policy support for 802.1X authentication settings for
wired and wireless connections.
Question: How does your organization implement group policy to restrict access
to wireless networks?
Key Points
Windows Vista and Windows Server 2008 include a new and enhanced version of
Windows Firewall. The new Windows Firewall is a stateful host-based firewall that
allows or blocks network traffic according to its configuration. By default it blocks
unsolicited inbound traffic and allows outbound traffic; explicit block rules take
precedence over allow rules, and rules are evaluated per network location profile
(domain, private, public).
Windows Firewall with Advanced Security allows you to create the following rules:
• Program rule: This type of rule allows or blocks traffic for a particular program.
You identify the program by its path and executable name.
• Port rule: This type of rule allows or blocks traffic on a particular TCP or User
Datagram Protocol (UDP) port number or range of port numbers.
• Predefined rule: Windows includes a number of Windows functions that you
can enable, such as File and Printer Sharing, Remote Assistance, and Windows
Collaboration. Creating a predefined rule actually creates a group of rules that
allows the specified Windows functionality to access the network.
• Custom rule: A custom rule lets you combine criteria (program, service,
protocol, ports, local and remote addresses, profiles) that the other rule types
cannot express on their own.
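An added example for the four rule types, not part of the 6419A courseware and not Microsoft's own script: it writes one rule of each kind as a netsh advfirewall script and runs it with netsh -f, so that a "set store" line at the top can redirect the whole script into a GPO instead of the local policy store (each separate netsh invocation would start a new session and forget the store). Assumptions: an elevated session on Windows Vista or Windows Server 2008 or later; the rule names, the program path, the remote subnet and the GPO name are placeholders.

```powershell
# Added example, not from the 6419A courseware. Generates one rule of each
# kind the lesson lists as a netsh advfirewall script and runs it with
# "netsh -f". Assumptions: elevated session on Windows Vista / Windows
# Server 2008 or later; names, paths, subnet and GPO name are placeholders.
function New-WfasRuleScript {
    param(
        # e.g. 'woodgrovebank.com\Server Firewall' to write the rules into
        # that GPO instead of the local policy store.
        [string]$GpoStore
    )
    $cmd = @()
    if ($GpoStore) { $cmd += "advfirewall set store gpo=$GpoStore" }

    # Program rule: the executable path identifies the traffic.
    $cmd += 'advfirewall firewall add rule name="LOB service (program)" dir=in ' +
            'action=allow program="C:\Program Files\LOB\lobsvc.exe" enable=yes profile=domain'

    # Port rule: protocol plus a port or port range identifies the traffic.
    $cmd += 'advfirewall firewall add rule name="LOB web (ports)" dir=in ' +
            'action=allow protocol=TCP localport=8080-8090 enable=yes profile=domain'

    # Predefined rule: switching on a built-in group enables every rule in it.
    $cmd += 'advfirewall firewall set rule group="File and Printer Sharing" new enable=yes'

    # Custom rule: criteria the other kinds cannot combine (port plus remote
    # address, outbound). Outbound traffic is allowed by default, so a block
    # rule is how a protocol is stopped; block rules beat allow rules.
    $cmd += 'advfirewall firewall add rule name="Block Telnet to legacy net (custom)" dir=out ' +
            'action=block protocol=TCP remoteport=23 remoteip=10.10.0.0/16 enable=yes'

    # Verification step a practitioner runs afterwards.
    $cmd += 'advfirewall firewall show rule name="Block Telnet to legacy net (custom)" verbose'
    return $cmd
}

function Invoke-NetshScript([string[]]$Commands) {
    $file = Join-Path $env:TEMP 'wfas-rules.txt'
    Set-Content -Path $file -Value $Commands -Encoding ASCII
    & netsh -f $file
}

# Usage: apply to the local store; pass -GpoStore to target a GPO instead.
Invoke-NetshScript (New-WfasRuleScript)
# Invoke-NetshScript (New-WfasRuleScript -GpoStore 'woodgrovebank.com\Server Firewall')
```

When the rules are written into a GPO, they appear under Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security and reach the clients at the next refresh; the local "show rule" at the end only confirms what is in the store the script targeted, so on a client you would verify with gpresult and the firewall console after the refresh.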
Question: You want to ensure that users are not allowed to use the Telnet service
to connect to any other computers. How would you accomplish this?
Key Points
• Create a wired network policy and see the available options.
• Create a Windows Vista wireless network policy, and see the options available.
• Demonstrate how you can control services.
• Demonstrate how you can control registry and file-system permissions.
• Demonstrate the Windows Firewall with advanced security options. Create
some different types of rules as examples. Explore some of the predefined
rules.
Question: You need to ensure that a particular service is not allowed to run on any
of your network servers. How would you accomplish this?
Key Points
Default Domain Controllers Policy is linked to the Domain Controllers OU. This
policy generally affects only domain controllers, because by default, computer
accounts for domain controllers are kept in the Domain Controllers OU.
Question: Provide at least one example of a default controller policy that your
organization has customized?
Question: You need to grant an ordinary user the right to log on locally to domain
controllers. In which of the default policies should you configure this setting?
Key Points
The Default Domain Policy is linked to the domain, and therefore affects all objects
in the domain unless a GPO that you applied at a lower level blocks or overrides
these settings. This policy has very few settings configured by default.
Note: Although you typically configure the Default Domain Policy to deliver
Account Policies, any domain-level policy is capable of delivering Account Policies
to the domain. If you configure multiple domain-level policies to provide Account
Policies, the link with the highest precedence (link order 1 in GPMC) wins.
Question: If multiple policies are configured at the domain level, what determines
the processing priority?
Key Points
• Open the default domain controller policy.
• Explore the default audit policy.
• Explore the user rights configuration.
• Explore the security options.
• Discuss the differences from the default domain policy.
Question: What is the default Group Policy refresh interval for domain
controllers?
Key Points
Security policies protect the integrity of the computing environment by controlling
many aspects of it, such as password policies, security options, restricted groups,
network policies, services, public key policies, and so on.
Question: You have configured a password policy in a GPO and linked that policy
to the Research OU. The policy is not affecting domain users in the OU. What is
the problem?
In Windows Server 2008, using fine-grained password policies, you can allow
different password requirements and account lockout policies for different Active
Directory users or groups.
In this lesson, you will learn the knowledge and skills to implement fine-grained
password policies.
Key Points
In previous versions of AD DS, you could apply only one password and account
lockout policy to all users in the domain. Fine-grained password policies allow you
to have different password requirements and account lockout policies for different
Active Directory users or global security groups. This is desirable when you want
different sets of users to have different password requirements, but do not want
separate domains. For example, the Domain Admins group may need strict
password requirements to which you do not want to subject ordinary users.
Fine-grained password policies require the Windows Server 2008 domain
functional level, and they apply only to user objects and global security groups,
not to OUs. If you do not implement fine-grained password policies, the default
domain account policies apply to all users.
Key Points
To store fine-grained password policies, Windows Server 2008 includes two new
object classes in the Active Directory schema. They are:
• Password Settings Container (PSC)
• Password Settings Object (PSO)
One PSC, named Password Settings Container, is created by default under the
System container in the domain, and it stores that domain's PSOs. You cannot
rename, move, or delete this container.
Question: How could you view the Password Settings Container in Active
Directory Users and Computers?
Key Points
There are three major steps involved in implementing fine-grained password
policies:
• Create the necessary global security groups, and add the appropriate users.
• Create a PSO for each defined password policy.
• Apply the PSOs to the appropriate users or global security groups.
If more than one PSO applies to a user, a PSO linked directly to the user wins over
one linked through a group; otherwise the PSO with the lowest
msDS-PasswordSettingsPrecedence value wins. The winning PSO is shown in the
user's msDS-ResultantPSO attribute.
Key Points
• Follow the steps in the step-by-step guide to create a PSO named 7Days that
forces the administrator to change passwords every seven days.
• Use the values given in the step-by-step guide to fill in the ADSI edit wizard.
Question: What utilities can be used to manage PSOs? Choose all that apply.
a. ADSI edit
b. GPMC
c. CSVDE
d. LDIFDE
e. NTDSUtil
f. Active Directory Users and Computers
Scenario
Woodgrove Bank has decided to implement Group Policy to configure security for
users and computers in the organization. The company recently upgraded all of
the workstations to Windows Vista, and all of the servers to Windows Server 2008.
The organization wants to utilize Group Policy to implement security settings for
the workstations, servers, and users.
Note: Some of the tasks in this lab are designed to illustrate GPO management
techniques and settings, and may not always follow best practices.
You also will configure a local policy on the Windows Vista client that enables the
local Administrator account, and prohibits access to the Run menu for Non-
Administrators.
Then you will create a wireless network policy for Windows Vista that creates a
profile for the Corp wireless network. This profile will define 802.1X as the
authentication method. This policy also will deny access to a wireless network
named Research.
Finally, you will configure a policy to prevent the Windows Installer service from
running on any domain controller.
The main tasks in this exercise are:
1. Start the virtual machine, and log on as Administrator.
2. Create an account policy for the domain.
3. Configure local policy settings for a Windows Vista client.
4. Create a wireless network GPO for Windows Vista clients.
5. Configure a GPO that prohibits a service on all domain controllers.
Result: At the end of this exercise, you will have configured account and security
policy settings.
You will create a fine-grained password policy to enforce these policies for the IT
Admins global group.
The main tasks are as follows:
1. Create a PSO using ADSI Edit.
2. Assign the ITAdmin PSO to the IT Admins global group.
Note: PSO time values (maximum and minimum password age, lockout duration, and
lockout observation window) are Integer8 values: 64-bit numbers that express the
duration in 100-nanosecond intervals, entered as negative numbers. For example,
seven days is -6048000000000. ADSI Edit on Windows Server 2008 also accepts the
d:hh:mm:ss form (7:00:00:00) and converts it for you.
Result: At the end of this exercise, you will have implemented fine-grained password
policies.
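An added example for the PSO lesson and for this exercise, not part of the 6419A courseware: instead of typing the attributes into ADSI Edit, it builds the PSO as an LDIF file (the format ldifde imports, one of the tools the lesson lists) and shows the Integer8 conversion that the Note describes, with the constraints the directory enforces checked before the import. Assumptions: Windows Server 2008 domain functional level, a Domain Admins session on a domain controller, and that the target group already exists; the domain DN, PSO name, group DN and user DN are placeholders.

```powershell
# Added example, not from the 6419A courseware. Builds the LDIF for a PSO and
# imports it with ldifde. Assumptions: Windows Server 2008 domain functional
# level, a Domain Admins session on a DC, the target group exists; domain,
# PSO, group and user names are placeholders.

# PSO duration attributes are Integer8 (64-bit) values in 100-nanosecond units,
# stored as negative numbers. A .NET TimeSpan tick is also 100 ns, so the
# conversion is a sign flip: 7 days -> -6048000000000.
function ConvertTo-PsoInterval([TimeSpan]$Span) { return -1 * $Span.Ticks }
function ConvertFrom-PsoInterval([long]$Value) { return [TimeSpan]::FromTicks(-1 * $Value) }

function New-PsoLdif {
    param(
        [string]$Name,
        [string]$DomainDn,                    # e.g. 'DC=woodgrovebank,DC=com'
        [string[]]$AppliesToDn,               # DNs of users or global security groups
        [int]$Precedence,                     # lowest value wins between PSOs
        [TimeSpan]$MaxPasswordAge,
        [TimeSpan]$MinPasswordAge,
        [int]$MinLength,
        [int]$HistoryLength,
        [bool]$Complexity = $true,
        [int]$LockoutThreshold,               # 0 disables lockout
        [TimeSpan]$LockoutDuration,
        [TimeSpan]$LockoutObservationWindow
    )
    # Constraints the directory enforces; violating them makes the import fail.
    if ($Precedence -lt 1) { throw 'msDS-PasswordSettingsPrecedence must be 1 or greater' }
    if ($MinPasswordAge -gt $MaxPasswordAge) { throw 'minimum password age must not exceed maximum' }
    if ($LockoutObservationWindow -gt $LockoutDuration) {
        throw 'lockout observation window must not exceed lockout duration'
    }
    $complexityText = if ($Complexity) { 'TRUE' } else { 'FALSE' }
    $lines = @(
        "dn: CN=$Name,CN=Password Settings Container,CN=System,$DomainDn",
        'changetype: add',
        'objectClass: msDS-PasswordSettings',
        "msDS-PasswordSettingsPrecedence: $Precedence",
        "msDS-MaximumPasswordAge: $(ConvertTo-PsoInterval $MaxPasswordAge)",
        "msDS-MinimumPasswordAge: $(ConvertTo-PsoInterval $MinPasswordAge)",
        "msDS-MinimumPasswordLength: $MinLength",
        "msDS-PasswordHistoryLength: $HistoryLength",
        "msDS-PasswordComplexityEnabled: $complexityText",
        'msDS-PasswordReversibleEncryptionEnabled: FALSE',
        "msDS-LockoutThreshold: $LockoutThreshold",
        "msDS-LockoutDuration: $(ConvertTo-PsoInterval $LockoutDuration)",
        "msDS-LockoutObservationWindow: $(ConvertTo-PsoInterval $LockoutObservationWindow)"
    )
    foreach ($dn in $AppliesToDn) { $lines += "msDS-PSOAppliesTo: $dn" }
    return $lines
}

# Usage: a 7-day policy for the IT Admins group, as in the lab.
$ldif = New-PsoLdif -Name 'ITAdmin' -DomainDn 'DC=woodgrovebank,DC=com' `
    -AppliesToDn 'CN=IT Admins,OU=ITAdmins,DC=woodgrovebank,DC=com' -Precedence 10 `
    -MaxPasswordAge ([TimeSpan]::FromDays(7)) -MinPasswordAge ([TimeSpan]::FromDays(1)) `
    -MinLength 14 -HistoryLength 24 -LockoutThreshold 5 `
    -LockoutDuration ([TimeSpan]::FromMinutes(30)) `
    -LockoutObservationWindow ([TimeSpan]::FromMinutes(30))
$ldifPath = Join-Path $env:TEMP 'ITAdmin-pso.ldf'
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII
$ldif   # review before importing

# Import, then confirm which PSO wins for one member of the group:
# ldifde -i -f $ldifPath
# dsget user "CN=Alice,OU=ITAdmins,DC=woodgrovebank,DC=com" -effectivepso
```

The sign flip is the part people get wrong by hand: a positive value or a value in seconds is rejected or silently means something else, and ConvertFrom-PsoInterval lets you read back an existing PSO's attributes as TimeSpans when auditing what is actually applied.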
Key Points
In some cases, you may want to control the membership of certain groups in a
domain to prevent addition of other user accounts to those groups, such as the
local Administrators group.
You can use the Restricted Groups policy to control group membership. A restricted
group has two lists:
• Members: the authoritative membership of the group. When Group Policy
refreshes, any current member that is not on this list is removed, and listed
members that are missing are added. Removed members can include default
members, such as Domain Admins, if you forget to list them.
• Member Of: groups that the restricted group is added to. This list only adds;
it never removes other members of the target group.
Although you can control domain groups by assigning Restricted Groups
policies to domain controllers, you should use this setting primarily to configure
membership of critical groups like Enterprise Admins and Schema Admins. You
also can use this setting to control the membership of built-in local groups on
workstations and member servers. For example, you can place the Helpdesk group
into the local Administrators group on all workstations (restrict Helpdesk and use
its Member Of list, so the existing administrators are kept).
Question: Your company has five Web servers physically located across North
America. The Web servers' computer accounts are all located in a single OU. You
want to grant all the users in the global group named Web_Backup the right to
backup and restore the web servers. How could you use Group Policy to
accomplish this?
Key Points
• Create and link a new Group Policy to the ITAdmins OU.
• Add the administrators group to the GPO restricted groups list.
• Configure the Administrators group membership to include Domain Admins
and the ITAdmins_WoodgroveGG global group.
• Move the Windows Vista client into an ITAdmins OU, and then force the
update of Group Policy on the client.
Question: You created a Group Policy that adds the Helpdesk group to the local
Administrators group and you linked the policy to an OU. Now the Domain
Administrators no longer have any administrative authority on the computers in
that OU. What is the most likely problem and how would you solve it?
Key Points
You may want to restrict access to software to prevent users from running
particular applications or types of applications, like VBScript files. Software
restriction policy provides administrators with a policy-driven mechanism for
identifying software and controlling its ability to run on a client computer.
Key Points
Software restriction policies use rules to determine whether an application is
allowed to run. When you create a rule, you first identify the application (by hash,
by signing certificate, by path, or by network zone). Next you identify it as an
exception to the default security level of Unrestricted or Disallowed. The
enforcement engine queries the rules in the software restriction policy before
allowing a program to run; when several rules match the same program, the more
specific rule type wins (hash, then certificate, then path, then zone).
The Unrestricted security level allows all software to run according to the user's
normal permissions, except for software that a rule identifies specifically as an
exception.
The Basic User security level allows programs to execute without administrator
privileges, with only the access rights of a standard user, so they can still access
resources that normal users can access.
Note: You should apply Disallowed security level only in very high-security or locked-
down environments. It can be difficult to manage because each allowed application must
be identified individually, and because you might need to update the policy each time a
service pack is applied to a software package.
Question: You need to restrict access to a certain application no matter into what
directory location the application is installed. What type of rule should you use?
Key Points
• Create a hash rule to disallow Microsoft Internet Explorer®.
• Log off and log on to test the rule.
Note: Network zone rules apply only to Windows Installer packages (.msi files);
they identify a package by the Internet Explorer zone it is downloaded from.
Question: You want to ensure that only digitally signed Visual Basic scripts are
allowed to run. What type of rule should you use?
Key Points
A security template is a collection of configured security settings. You can use
predefined security templates as a base to create security policies that you
customize to meet your needs, or you can create new templates. You use the
Security Templates snap-in to create or customize templates. After you create a new
template or customize a predefined security template, you can use it to configure
security on an individual computer or thousands of computers. Security templates
contain security settings for all security areas. You apply security templates by
using the Security Configuration and Analysis snap-in, the secedit command-line
tool, or by importing the template into Local Security Policy.
Question: Provide an example of how Security Templates can help organize your
existing security attributes.
Key Points
• Create a new OU named Servers.
• Create a new GPO named Security Baseline, and then assign it to the
servers OU.
• Create an MMC with the Security templates snap-in.
• Create a new security template named Server Baseline.
• Configure some security settings. For example, rename the administrator
account, configure a restricted group, and so on.
• Import the server baseline template into the security baseline GPO.
Question: You have multiple database servers that are located in different OUs.
What is the easiest way to apply consistent security settings to all of the database
servers?
Key Points
The Security Configuration Wizard (SCW) is an attack-surface reduction tool that
was introduced with Windows Server 2003 with Service Pack 1 (SP1). SCW assists
administrators in creating security policies, and determines the minimum
functionality that is required for a server’s role or roles, and then disables
functionality that is not required.
SCW guides you through the process of creating, editing, applying, or rolling back
a security policy based on the server’s selected roles. The security policies that you
create with SCW are XML files that, when applied, configure services, network
security, specific registry values, audit policy, and if applicable, Internet
Information Services (IIS).
Key Points
• Open the Security Configuration Wizard, and then create a new policy.
• Explore the security configuration database.
• Step through the wizard and notice the various options.
• Save the policy file as C:\baseline.xml.
• Complete the wizard, but choose to apply the policy later.
Key Points
Security policies that you create with the SCW can also include custom security
templates. Some of the settings that you can configure using the SCW partially
overlap with the settings that you can configure using security templates alone.
Neither set of configuration changes is completely inclusive of the other. For
example, the SCW includes IIS settings that are not included in any security
template. Conversely, security templates can include such items as Software
Restriction policies, which you cannot configure through SCW.
SCW saves its security policies as XML files. The scwcmd.exe command-line utility
converts such a policy into a GPO with the scwcmd transform command. The
resulting GPO is created but not linked, so you still link it to the intended OU in
GPMC. The SCW itself cannot write its settings into a GPO.
Key Points
• Launch the command prompt.
• Use scwcmd.exe to transform the Baseline.XML policy file that you created in
the last demo, into a GPO named ServerBaseline:
Scwcmd transform /p:C:\Baseline.xml /g:Serverbaseline
• Open the GPMC and see that the GPO named Serverbaseline exists.
Question: You need to open a port on your Windows Vista client computers for a
custom application. Should you use the SCW or create a security template and use
a GPO?
Key Points
You can use the Security Configuration and Analysis tool to analyze and configure
local system security.
Regular analysis enables you to track and ensure an adequate level of security on
each computer as part of an enterprise risk management program. You can tune
the security levels and, most importantly, detect any security flaws that may occur
in the system over time.
You also can use Security Configuration and Analysis to configure local system
security.
Key Points
• Create a custom security template.
• Import the custom template into the Security Configuration and Analysis Tool.
• Run an analysis to compare the current settings to the custom security
template.
Question: Provide at least one example of how your organization can benefit from
using the Security Configuration and Analysis Tool.
Scenario
The enterprise administrator created a design that includes modifications to the
default domain security policy, and additional GPOs for configuring security. The
company wants to have the flexibility to assign different password policies for
specific users. The company also wants to automate the configuration of security
settings as much as possible.
Result: At the end of this exercise, you will have configured restricted groups and
software restriction policies.
Task 1: Create a security template for the file and print servers
1. On NYC-DC1, create a new MMC, and then add the snap-in for Security
Templates.
2. Expand Security Templates, right-click C:\Users\Administrators
\Documents\Security\Templates, and then click New Template.
3. Name the template FPSecurity.
4. Navigate to Local Policies, and then Security Options. Define the Accounts:
Rename administrator account with the value FPAdmin.
5. Set the Interactive Logon: Do not display last user name to be Enabled.
6. In the folder pane, right-click FPSecurity, and then click Save.
7. Close the MMC without saving the changes.
Result: At the end of this exercise, you will have configured security templates.
Task 4: Use Group Policy modeling to test the settings on the file and
print server
1. Open the GPMC, and then launch the Group Policy Modeling Wizard.
2. Accept all the defaults except on the User and Computer Selection window.
3. Click Computer, and then type Woodgrovebank\NYC-SVR1.
4. After completing the wizard, observe the policy settings.
Result: At the end of this exercise, you will have verified the security configuration.
Review Questions
1. You want to place a software restriction policy on a new type of executable file.
What must you do before you can create a rule for this executable code?
2. What setting must you configure to ensure that users are only allowed 3
invalid logon attempts?
3. You want to provide consistent security settings for all client computers in the
organization. The computer accounts are scattered across multiple OUs. What
is the best way to provide this?
4. An administrator in your organization has accidentally modified the Default
Domain Controller Policy. You need to restore the policy to its original default
settings. How would you accomplish this?
Configuring Server Security Compliance 9-1
This module explains how to secure servers, secure data on servers, and maintain
update compliance. It also details how to configure an audit policy and manage
updates using Windows Server Update Services (WSUS). Because keeping servers
and workstations updated with the most recent software updates helps increase
security, it is important to automate software updates. WSUS helps administrators
use automation to deploy software updates with less effort and more control.
This lesson explains how to secure a server role within a Microsoft® Windows®
infrastructure. As organizations expand the availability of network data,
applications, and systems, it becomes more challenging to ensure network
infrastructure security. Security technologies in the Microsoft Windows Server®
2008 operating system enable organizations to provide better protection for their
network resources and organizational assets in increasingly complex environments
and business scenarios.
Key Points
Discuss the challenges of securing a Windows infrastructure.
Key Points
The layers of defense provide a view of your environment, area by area, that you
should consider when designing your network’s security defenses. You can modify
the detailed definitions of each layer based on your organization’s security
priorities and requirements. The following list gives an example of what you could
address at each level of defense:
• Data. An organization’s primary concerns at this layer are business and legal
issues that may arise from data loss or theft and operational issues that
vulnerabilities may expose at the host or application layers.
• Application. An organization’s primary concerns at this layer are access to the
binary files that comprise applications, access to the host through
vulnerabilities in the application’s listening services, or inappropriate gathering
of specific system data to pass to someone who can use it for their own
purposes.
Question: What is the most important part of the defense-in-depth security model?
Key Points
Without physical security, you have no security. Core server-security practices are
relatively easy to adopt, and you should integrate them into the standard security
configuration of all servers. Some of your core server-security practices should
include:
• Apply the latest service packs, and all available security and critical updates.
• Use the Security Configuration Wizard to scan and implement server security
based on server roles.
• Use Group Policy and security templates to harden servers and lessen the
attack footprint.
• Restrict the scope of access for service accounts, which lessens the damage should
the account be compromised.
Question: Does your company have a detailed "build sheet" for all new
installations that occur on new hardware? What can you do to lessen the attack
footprint on your infrastructure?
Data encryption on the filesystem is an important part of securing server data. The
Encrypting File System (EFS) integrates with NTFS to provide data encryption for
files. Encrypting a file with EFS is straightforward: users can select a checkbox and
the file will be encrypted. BitLocker Drive Encryption can be used to protect
operating system files on a server that has been physically compromised.
Key Points
Encrypting File System (EFS) is a system for encrypting data files that is
included as part of Microsoft Windows 2000, Windows XP, Windows Server 2003,
Windows Vista®, and Windows Server 2008. EFS generates a unique symmetric
encryption key to encrypt each file. The symmetric key is stored in the file
header.
Encrypting or decrypting a file or folder occurs when a user opens advanced
properties and checks or clears the Encrypt contents to secure data checkbox.
Question: Why would EFS be used to encrypt data in addition to using NTFS
permissions?
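The key handling described above, modelled with the .NET cryptography classes so that the design is visible: a fresh symmetric file encryption key (FEK) per file, stored in the file header only after being encrypted with the user's public key (EFS calls this the Data Decryption Field) and, in a second copy, with a recovery agent's public key (the Data Recovery Field). This is an added example, not EFS code or code from the course; it is a model, not a way to read real EFS files, and the keys and sample text are generated in the script. It assumes PowerShell 2.0 or later.

```powershell
# Added example (not from the course): a model of the hybrid encryption EFS uses.
# Assumes PowerShell 2.0+; RSA keys, AES keys and sample data are generated here.
function New-KeyPair {
    # Stands in for a user's EFS certificate and private key (2048-bit RSA).
    New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
}

function Protect-Data {
    param([byte[]]$Plain,
          [System.Security.Cryptography.RSACryptoServiceProvider]$UserKey,
          [System.Security.Cryptography.RSACryptoServiceProvider]$RecoveryKey)
    $aes = New-Object System.Security.Cryptography.RijndaelManaged   # AES, 256-bit key
    $aes.GenerateKey(); $aes.GenerateIV()                             # fresh FEK for this file
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    # The "header": the FEK wrapped once per principal allowed to open the file.
    # The plaintext FEK is never written; each field is an RSA-OAEP ciphertext of it.
    return @{
        IV            = $aes.IV
        Cipher        = $cipher
        UserField     = $UserKey.Encrypt($aes.Key, $true)      # DDF entry
        RecoveryField = $RecoveryKey.Encrypt($aes.Key, $true)  # DRF entry
    }
}

function Unprotect-Data {
    param($Envelope,
          [System.Security.Cryptography.RSACryptoServiceProvider]$PrivateKey,
          [string]$Field)
    # Only the holder of the matching private key can unwrap the FEK from its field.
    $fek = $PrivateKey.Decrypt($Envelope[$Field], $true)
    $aes = New-Object System.Security.Cryptography.RijndaelManaged
    $aes.Key = $fek; $aes.IV = $Envelope.IV
    return $aes.CreateDecryptor().TransformFinalBlock($Envelope.Cipher, 0, $Envelope.Cipher.Length)
}

$owner     = New-KeyPair
$agent     = New-KeyPair      # designated recovery agent
$otherUser = New-KeyPair      # an unrelated user with NTFS read access to the file
$plain = [Text.Encoding]::UTF8.GetBytes('constructed sample file contents')
$file  = Protect-Data -Plain $plain -UserKey $owner -RecoveryKey $agent

[Text.Encoding]::UTF8.GetString((Unprotect-Data $file $owner 'UserField'))      # owner opens it
[Text.Encoding]::UTF8.GetString((Unprotect-Data $file $agent 'RecoveryField'))  # agent opens it
try   { Unprotect-Data $file $otherUser 'UserField' | Out-Null }
catch { 'a different private key cannot unwrap the FEK, so NTFS read access alone reveals nothing' }
```

Two consequences follow from the model and hold for EFS itself: a file is only as safe as the private key that can unwrap its FEK, so losing that key (a re-imaged profile, a deleted certificate) loses the data unless a recovery agent's copy exists; and anyone who obtains the raw bytes, by bypassing NTFS permissions with an offline copy of the disk, still holds only ciphertext, which is the answer to the question above.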
Key Points
BitLocker Drive Encryption is a system that encrypts the entire operating system
volume. Encryption of additional data volumes is also an option. Encryption keys
are handled automatically in the background with little overhead.
Key Points
When you encounter issues with EFS, first determine the circumstances under
which the error occurs:
• Does the error affect multiple users or one user?
• Is the error with a local or remote file?
• Does the error occur during encryption or decryption?
Based on the information you gather about the issue, you can focus on the
probable causes.
Question: Have you faced any EFS troubleshooting scenarios in your work
environment? If so, how did you approach them?
You can configure an audit policy that records user or system activity in specified
event categories. Additionally, you can monitor security-related activity, such as
who accesses an object, if a user logs on or off a computer, or if changes occur to
an auditing policy setting.
As a best practice, you should create an audit plan before implementing audit
policy.
Key Points
Auditing is the process that tracks user activity by recording selected events in a
server or workstation security log.
The most common types of events to audit are:
• Access to objects, such as files and folders.
• Management of user and group accounts.
• Users logging on and off the system.
Question: List three reasons that you may want to audit certain areas of a system
or a particular shared resource.
Key Points
An audit policy determines the security events that are reported to the network
administrator. When you implement an audit policy:
• Specify the categories of events that you want to audit.
• Set the size and behavior of the security log.
• Audit directory service access or object access by determining for which
objects you are monitoring access and what type of access you want to
monitor. For example, if you want to audit any attempts by users to open a
particular file, you can configure auditing policy settings in the object access
event category so that both successful and failed attempts to read a file are
recorded.
Question: Provide an example of why you would want to log successful events and
failure events, as opposed to only failure events.
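The three steps above carried out from the command line on a Windows Server 2008 member server, as an added example that is not code from the course: choose categories with auditpol, size the Security log with wevtutil, and add a system access control list (SACL) entry to one folder so that both successful and failed reads of it are recorded. It assumes an elevated PowerShell 2.0 session, and the folder path is constructed.

```powershell
# Added example (not from the course): implement an audit policy on one server.
# Assumptions: elevated PowerShell 2.0+ session; D:\Shares\Finance is a constructed path.

# 1. Categories. Success and failure together give the full picture: 4624/4625 for logons,
#    4663 for object access. Failure-only shows attempts but never what actually succeeded.
auditpol /set /category:"Logon/Logoff"       /success:enable /failure:enable
auditpol /set /category:"Object Access"      /success:enable /failure:enable
auditpol /set /category:"Account Management" /success:enable /failure:enable

# 2. Log size and behaviour: 256 MB, archive the log when it fills instead of overwriting,
#    so that a burst of events cannot push earlier evidence out of the log.
wevtutil sl Security /ms:268435456 /rt:true /ab:true

# 3. Object access for one folder. The category above only enables the mechanism; nothing
#    is logged for a file until its SACL says which accesses to record.
$path    = 'D:\Shares\Finance'
$acl     = Get-Acl -Path $path -Audit
$rights  = [System.Security.AccessControl.FileSystemRights]::ReadData
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verify: effective settings (what Group Policy may have overridden) and recent 4663 events.
auditpol /get /category:"Object Access"
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4663]]" -MaxEvents 5
```

The auditpol /get line is the check to run when a setting you configured seems to have no effect: it reports the policy actually in force on the computer, whatever GPO it came from.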
Key Points
Before you implement an auditing policy, you must decide which event categories
to audit. The auditing settings that you choose for the event categories define your
auditing policy. Auditing settings for the event categories are undefined by default
on member servers and workstations that are joined to a domain. Domain
controllers turn on auditing by default.
You can create an auditing policy that suits your organization’s security needs by
defining auditing settings for specific event categories.
Question: What categories of events does your company presently audit? If your
company is not auditing, what event categories would you like to see audited in
your organization?
Key Points
After you configure auditing, it may not take effect as expected. This behavior can occur
for any of the following reasons:
• A site, a domain, or an organizational unit policy setting overrides the
audit policy that you configured. To troubleshoot this issue, open the Audit
Policy, and view the Security Setting of the policy. If the security setting of the
policy is No auditing, a higher-level GPO may be overriding the audit policy
setting that you configured. To confirm this behavior, view the higher-level
GPO items that are linked to either the organizational unit or to the domain
for possible conflicts.
• A GPO that overrides the audit policy setting has a higher priority. To
troubleshoot this issue, in Active Directory Users and Computers, view the
properties of your domain. Then view the Group Policy Object Links list on
the Group Policy tab. Items that are higher in the list override other lower-level
items.
Question: How often do you think you should check the security log to ensure
auditing is happening correctly?
Key Points
• Open Group Policy Management. Edit the Default Domain Controllers Policy
located under WoodgroveBank.com\Group Policy Objects\Default Domain
Controllers Policy.
• In the Group Policy Management Editor console tree, expand Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies
\Audit Policy.
• Enable one or more auditing policies.
• Click the Explain tab of an auditing policy.
• Enable auditing on object access.
Question: What is the default auditing policy setting for domain controllers? What
is the benefit of having this setting as the default setting for domain controllers?
This lesson introduces Windows Server Update Services (WSUS), which is a tool
for managing and distributing software updates that resolve security vulnerabilities
and other stability issues.
WSUS enables you to deploy the latest Microsoft product updates to computers
running the Windows operating system.
Key Points
WSUS enables you to deploy the latest Microsoft product updates to computers
running Windows Server 2003, Windows Server 2008, Windows Vista, Microsoft
Windows XP with Service Pack 2, and Windows 2000 with Service Pack 4
operating systems. Using WSUS enables you to manage the distribution of updates
to your network’s computers that Microsoft Update releases.
WSUS 3.0 provides improvements in the following areas:
• Ease of use
• Improved deployment options
• Better support for complex server hierarchies
Question: Do you currently use WSUS services in your organization? If so, how
would the improvements to WSUS 3.0 affect how you use WSUS? If not, how
would implementing WSUS benefit your organization?
Key Points
At least one WSUS server in your organization must synchronize updates with the
Windows Update servers on the Internet. Additional WSUS servers can
synchronize updates with a parent WSUS server.
You can use WSUS on an isolated network by copying update files from a WSUS
server that is connected to the Internet.
Key Points
It is recommended to implement an ongoing four-phase approach to the update
management process: assess, identify, evaluate and plan, and deploy. It is essential
to repeat the update management process on an ongoing basis, as new updates
become available that can enhance and protect the production environment.
Each phase has different goals and methods for using WSUS features to ensure
success during the update management process. It is important to note that you
can employ many of the features in more than one phase.
Key Points
Deployment considerations include the following:
Internet connectivity is required for at least one of your WSUS servers, although it
is possible to support isolated network segments that have no connection to the
Internet.
You should determine the number of WSUS servers that you require by examining
the number of client computers that you must support, the number of locations
that you have, and the type of WSUS deployment that you choose.
A simple WSUS deployment consists of a single WSUS server or farm, which
synchronizes updates from Windows Update and distributes them to computers
on the network.
A WSUS server hierarchy consists of a parent WSUS server, which synchronizes
with Windows Update, and downstream WSUS servers that synchronize with the
parent WSUS server.
Question: In your organization, would you use more than one WSUS server? If so,
would you link your WSUS servers together using autonomous mode or replica
mode?
Key Points
The number of client computers that your organization is updating is what
drives hardware and database software requirements. A WSUS server using the
recommended hardware can support a maximum of 20,000 clients. You must
format both the system partition and the partition on which you install WSUS with
the NTFS file system.
Question: Does your organization meet the software requirements for WSUS?
Key Points
Considerations for installing the WSUS server include:
• You can store updates locally or you can have client computers connect to
Microsoft Update to get approved updates.
• By default, WSUS offers to install Windows Internal Database, or you can
choose to use an existing database instance.
• You can use the default IIS Web site on port 80, or if you already have a Web
site on port 80, you can create an alternate site on port 8530 by selecting the
second option.
Once you install the WSUS server, you can install the WSUS administration
console to manage the WSUS server.
Question: Would you install the WSUS administration console on the same server
as the WSUS server in your organization?
Key Points
When you configure the Group Policy settings for WSUS, use a GPO linked to an
Active Directory container appropriate for your environment. Microsoft does not
recommend editing the Default Domain or Default Domain Controller GPOs to
add WSUS settings.
• In a simple environment, link the GPO with the WSUS settings to the domain.
• In a more complex environment, you might have multiple GPOs linked to
several organizational units (OUs), which enables you to have different WSUS
policy settings applied to different types of computers.
• To help protect computers against immediate security threats, set up a more
frequent schedule for computers to contact the WSUS server, download,
and install updates.
Question: What is the risk in allowing users of desktop computers to delay restarts
that updates require?
Key Points
You can use Group Policy or the registry to configure Automatic Updates.
Configuring Automatic Updates involves pointing the client computers to the
WSUS server, ensuring that the Automatic Updates software you are using is
current, and configuring any additional environment settings.
The best way to configure Automatic Updates and WSUS environment options
depends on your network environment. In an Active Directory environment, you
use Group Policy. In a non-Active Directory environment, you might use the Local
Group Policy object (GPO) or edit the registry directly.
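The registry route for a computer that is not in an Active Directory domain, as an added example that is not code from the course. It writes the same policy values that the Windows Update administrative template writes under Computer Configuration, so the settings can be compared one to one with the Group Policy demo that follows. It assumes an elevated PowerShell 2.0 session and uses the lab's WSUS server URL; if WSUS was installed on the alternate port 8530 Web site, the URL needs that port.

```powershell
# Added example (not from the course): configure the Automatic Updates client through the
# registry on a non-domain computer. Assumes an elevated PowerShell 2.0+ session.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'
New-Item -Path $au -Force | Out-Null       # creates WindowsUpdate and AU keys if missing

# Intranet server for detection, and the statistics (reporting) server; both may be the same.
Set-ItemProperty -Path $wu -Name WUServer       -Value 'http://NYC-SVR1'
Set-ItemProperty -Path $wu -Name WUStatusServer -Value 'http://NYC-SVR1'

# Use the intranet server rather than Microsoft Update, and install on a schedule.
# AUOptions: 2 = notify before download, 3 = download then notify,
#            4 = download and install on schedule, 5 = local administrator chooses.
Set-ItemProperty -Path $au -Name UseWUServer          -Value 1 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions            -Value 4 -Type DWord
Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Value 0 -Type DWord   # 0 = every day
Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value 3 -Type DWord   # 03:00

# Shorter detection cycle (hours, 1 to 22) so newly approved updates reach the client sooner.
Set-ItemProperty -Path $au -Name DetectionFrequencyEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $au -Name DetectionFrequency        -Value 4 -Type DWord

# 0 = restart even if a user is logged on (after notification); 1 = let the logged-on user
# delay it, which leaves the computer running unpatched code until the user agrees.
Set-ItemProperty -Path $au -Name NoAutoRebootWithLoggedOnUsers -Value 0 -Type DWord

wuauclt /detectnow                        # ask the client to contact the WSUS server now
Get-ItemProperty -Path $wu, $au           # show the effective values
```

On a domain-joined computer these values are rewritten from Group Policy at each refresh, which is why the course uses a GPO there: a manual registry edit would be overwritten, and a GPO gives one place to change the schedule for every computer it applies to.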
Key Points
• Configure Automatic Update client settings using Group Policy.
• Open Group Policy Management.
• Create a new GPO in the WoodgroveBank.com domain.
• Edit the GPO.
• In the Group Policy Management Editor window, under Computer
Configuration, expand Policies, expand Administrative Templates, expand
Windows Components, and then click Windows Update.
• Enable Configure Automatic Updates.
Question: Would you enable the Delay Restart for scheduled installations policy
in your organization? Why or why not?
This lesson explains how you can manage WSUS by performing administrative
tasks using the WSUS 3.0 administration console, managing computer groups to
target updates to specific computers, and approving the installation of updates for
all the computers in your WSUS network or for different computer groups.
Key Points
The WSUS 3.0 administration console has changed from a Web-based console to a
plug-in for MMC version 3.0.
The WSUS 3.0 administration console also enables you to:
• Manage WSUS remotely.
• Configure post-setup tasks using a wizard.
• Generate multiple reports with improved precision.
• Maintain server health more easily.
Question: Explain why having an MMC console for WSUS makes administration
easier.
Key Points
Computer groups are an important part of WSUS deployments, even a basic one.
Computer groups enable you to target updates to specific computers. There are
two default computer groups: All Computers and Unassigned Computers. By
default, when each client computer initially contacts the WSUS server, the server
adds that client computer to each of these groups.
You can create custom computer groups. One benefit of creating computer groups
is that they enable you to test updates before deploying updates widely. If testing
goes well, you can roll out the updates to the All Computers group. There is no
limit to the number of custom groups you can create.
Key Points
After updates have synchronized to your WSUS server, they are scanned
automatically for relevance to the server’s client computers. However, you must
approve the updates manually before they are deployed to your network’s
computers.
• When you approve an update, you are specifying what WSUS does with it (the
options are Install or Decline for a new update). You can approve updates for
the All Computers group or for subgroups.
• If you do not approve an update, its approval status remains Not approved,
and your WSUS server allows clients to evaluate whether they need the
update.
Note: If your WSUS server is running in replica mode, you will not be able to approve
updates on your WSUS server.
Key Points
• Add a computer to the WSUS console.
• Approve an update to be applied to the computer.
Key Points
Windows Server 2008 Server Core requires fewer updates than a full server
installation of Windows Server 2008. However, you typically use the command
line to locally administer a Server Core installation.
Windows Update uses applicability rules so that only computers that have
Internet Explorer® 7 install Internet Explorer 7 updates; these applicability settings
also apply to Server Core installations.
Question: Do any other management tasks for Server Core differ from the
standard full server implementation?
Task 2: Use the Group Policy Management Console to create and link
a GPO to the domain to configure client updates
1. On NYC-DC1, open Group Policy Management.
2. Create a new GPO in the WoodGroveBank.com domain named WSUS.
3. Open the Group Policy Management Editor to edit the WSUS GPO.
4. In the Group Policy Management Editor window, under Computer
Configuration, expand Policies, expand Administrative Templates, expand
Windows Components, and then click Windows Update.
5. Enable Configure Automatic Updates.
6. Enable Specify intranet Microsoft update service location.
• Set the intranet update service for detecting updates and the intranet
statistics server to http://NYC-SVR1.
7. Enable Automatic Updates detection frequency.
Task 4: Create a computer group, and add NYC-CL2 to the new group
1. In the list pane, expand Computers, and then select All Computers.
2. In the Actions pane, click Add Computer Group, and name the group
HO Computers.
3. Change membership of the NYC-CL2.woodgrovebank.com computer object
so that it is a part of the HO Computers group.
Note: Entering yesterday's date will cause the update to be installed as soon as the client
computers contact the server. Note that because these VMs use the Microsoft Lab
Launcher environment, their date will not correspond with the actual date. This is by
design. Take note of the VM's configured date and enter a date one day before the VM's
configured date.
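The computer group, membership and approval steps from the lesson on computer groups and approvals, and from lab Task 4 and the deadline note above, done through the WSUS 3.0 administration API instead of the console. This is an added example, not code from the course; it assumes it is run on the WSUS server (NYC-SVR1) by a member of the WSUS Administrators group with PowerShell 2.0, that NYC-CL2 has already reported to the server, and the update title filter is a constructed placeholder.

```powershell
# Added example (not from the course): group, membership and approval via the WSUS API.
# Assumes: run on the WSUS server as a WSUS administrator; PowerShell 2.0+.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Replica servers inherit approvals from upstream and cannot approve locally (see the note
# in the approvals lesson), so check before trying.
if ($wsus.GetConfiguration().IsReplicaServer) {
    throw 'This server runs in replica mode; approve the update on the upstream server.'
}

# 1. Computer group: group names are unique, so reuse an existing one rather than fail.
$groupName = 'HO Computers'
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName }
if (-not $group) { $group = $wsus.CreateComputerTargetGroup($groupName) }

# 2. Membership. The client must already have contacted the server (otherwise the lookup
#    throws). It joins the custom group and stays a member of All Computers.
$client = $wsus.GetComputerTargetByName('nyc-cl2.woodgrovebank.com')
$group.AddComputerTarget($client)

# 3. Approval with a deadline one day in the past, by the server's own clock (in the lab the
#    VM clock, as the note explains), so the update installs at the client's next check-in.
$update = $wsus.GetUpdates() |
    Where-Object { $_.Title -like '*<update title placeholder>*' -and -not $_.IsDeclined } |
    Select-Object -First 1
if (-not $update) { throw 'No matching update has been synchronized to this server.' }

$deadline = (Get-Date).AddDays(-1)
$approval = $update.Approve(
    [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $group, $deadline)
'{0} approved for {1}; deadline {2}' -f $update.Title, $group.Name, $approval.Deadline
```

Approving for a small test group first, and only later for All Computers, is the pattern the computer groups lesson recommends; the same Approve call with the All Computers group is the roll-out step once the test group has installed the update cleanly.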
Result: At the end of this exercise, you will have configured AD DS Auditing.
Review Questions
1. What kind of security challenges might a small to medium-sized business
experience, that may not be as big an issue for a large enterprise?
2. If you decide to put an audit policy in place, how should you configure the
security log properties in Event Viewer?
3. What must an administrator do before any update is sent to clients and servers
via WSUS?
4. What is the reason for setting a deadline for automatic installation to a past
date?
Windows Server 2008 operating system storage management and File Server
Resource Manager are storage technologies that you can configure and manage to
address common capacity and storage management challenges in the enterprise
environment.
This lesson will describe common capacity and storage management challenges
and will describe how you can use File Server Resource Manager and the
Windows Server 2008 operating system storage management to address these
challenges.
Key Points
Capacity management is the process of planning, analyzing, sizing, and optimizing
methods to satisfy an organization’s increase in data storage demands. As the
data that you need to store and access increases, so does your need for capacity
management. Keeping track of how much storage capacity is available, how
much storage space you need for future expansion, and how you are using the
environment’s storage enables you to meet the storage capacity requirements of
your organization.
Capacity management is also an attempt to control corporate storage misuse. Many
users tend to use server storage space to store large personal multimedia files, such as
MP3s or digital photos, as well as other types of data, such as screensavers and
games.
Key Points
After capacity management, the next challenge is managing the file types that are
stored on servers. Many organizations store 60 to 100 percent of their work data on
servers, including e-mail messages, office documents, and line-of-business application
databases. Some information is critical to the functioning of the business, while
other information is less critical. Critical information often must be maintained in
a state that allows it to always be available. Some data also may have specific
retention requirements due to industry or regulatory standards.
Unapproved files and programs also create storage management issues. Many
users tend to store non-work-related files and programs that can consume storage.
Storage management attempts to control this misuse of corporate space.
Key Points
• Knowing how the company is currently using storage makes planning for
future storage requirements much more predictable.
• Without policies and controls in place, users may often use storage for
noncompliant uses.
• Having resource management policies in place allows for more predictability
when planning for future capacity.
• Resource management policies may vary within a company. For example,
some departments may require more storage than others, and some
departments may want to store files in specific ways.
Configuring and Managing Storage Technologies 10-7
Question: In your work environment, what tools and strategies are currently used
to address capacity and storage management challenges?
Key Points
Windows Server 2008 provides a number of tools and technologies to assist in
capacity management tasks. With the addition of other applications such as
Microsoft System Center Operations Manager (SCOM) and the File Server
Migration Toolkit (FSMT), a full range of storage management solutions can be
realized.
The FSMT helps you copy files and folders from servers running Microsoft
Windows 2003 Server, Microsoft Windows® 2000 Server or Windows NT® Server
4.0 operating systems to a server running Windows Server 2003, Windows Storage
Server 2003, Windows Server 2008 or Microsoft Windows Storage Server 2008.
The primary benefits of FSMT include:
• Transparent migration experience for end users.
• Maintains security settings for migrated files.
• Consolidates shared folders with the same names from different servers.
Key Points
Windows Server 2008 also provides a number of tools to assist in storage
management tasks. These tools include:
• Fibre Channel Information Tool helps to gather configuration information
on a Fibre Channel SAN for management of Fibre Channel Host Bus Adapters
and discovery of SAN resources.
• Virtual Disk Service provides a unified view of all disks and volumes,
regardless of whether they are connected by SCSI, Fibre Channel, iSCSI or PCI
RAID.
• Storage Manager for SANs helps you create and manage logical unit numbers
(LUNs) on Fibre Channel and Internet SCSI (iSCSI) disk drive subsystems
that support Virtual Disk Service (VDS) in your storage area network (SAN).
Key Points
File Server Resource Manager (FSRM) is a complete set of tools that allows
administrators to address the following key file-server management challenges:
• Capacity management. Monitors usage patterns and utilization levels.
• Policy management. Restricts which files are stored on the server.
• Quota management. Limits how much data can be stored on the server.
• Reports. Provides storage capacity usage reports to meet regulatory
requirements that allow the administrators, security groups and management
personnel the ability to perform oversight and auditing functions.
You use FSRM to configure quota management, implement file screening, and
generate storage reports. This lesson provides information about how to manage
storage using FSRM.
Key Points
File Server Resource Manager provides several features to carry out storage
management tasks. The following list describes each FSRM function and what it does:
Create quotas to limit the space allowed for a volume or folder: Allows you to set the
maximum amount of space allotted to a user. It also allows the administrator to be
notified if the quota is exceeded.
Create file screens: Enables file filtering based on file extensions. Common file
categories can be grouped together to create file groups.
Define quota and file screening templates: Allows you to customize and implement a
detailed company storage policy.
Generate scheduled or on-demand storage reports: Allows you to create reports on a
regular basis for review, or create reports on demand, which allows you to quickly
generate a report for immediate consumption.
Question: Describe two scenarios where one or more FSRM features could be used
in your work environment.
Key Points
• Start the NYC-SVR1 virtual machine.
• Use Server Manager to add the FSRM role service.
• Configure the volume during installation.
• Open the FSRM management console.
Question: Will you install the FSRM role service on all servers in your
organization?
Question: How would you access the FSRM console from a workstation?
Key Points
The FSRM console enables you to view all of a server's local storage resources from a
single console, and create and apply policies that control these resources. The
three tools included in the FSRM console are:
• Quota Management node
• File Screening Management node
• Storage Reports Management node
Question: Describe a scenario in which you would use each FSRM console
component.
Key Points
When you create quotas and file screens, you have the option of sending e-mail
notifications to users when their quota limit is approaching or after they have
attempted to save files that have been blocked.
The default parameters for storage reports are used for the incident reports that are
generated when a quota or file screening event occurs.
By using File Server Resource Manager, you can record file screening activity in an
auditing database.
Question: In your work environment, are there currently server storage policies in
place? If so, how will you use the FSRM configuration options to enforce these
policies?
Key Points
• Start the NYC-SVR1 virtual machine.
• Configure email notifications in FSRM.
• Configure storage report parameters and default report repository locations.
Scenario
As the Windows Infrastructure Services (WIS) Technology Specialist, you have
been tasked with configuring storage on a server to comply with corporate
standards. You must create the storage with minimal long-term management by
utilizing file screening and quota management.
Results: After this exercise, you should have successfully installed the FSRM role
service on NYC-SVR1.
You use Quota management to create quotas that limit the space allowed for a
volume or folder, and to generate notifications when quota limits are approached
or exceeded. FSRM provides quota templates that you can apply easily to new
volumes or folders and that you can use across an organization. You also can auto-
apply quota templates to all existing folders in a volume or folder, as well as to any
new subfolders created in the future.
Key Points
• A hard quota prevents users from saving files after the space limit is reached,
and it generates notifications when the data volume reaches the configured
threshold.
• A soft quota does not enforce the quota limit, but it generates configured
notifications.
• The quota limit applies to the entire folder subtree.
Key Points
The Microsoft Windows® 2000 Server operating system, Windows Server 2003
operating system, and Windows Server 2008 operating systems support NTFS disk
quotas, which you can use to track and control disk usage on a per-user/per-
volume basis.
The above table outlines the advantages of using the FSRM quota management
tools compared to NTFS disk quotas.
Question: Are there any instances when you would use NTFS disk quotas instead
of FSRM quotas?
Key Points
Quota templates simplify the tasks associated with quota management. If you
base your quotas on a quota template and you later decide to change the quota
configuration, you can simply update the quota template and then choose to
update all quotas that are based on this template. For example, you might choose
to allow each user additional space on the storage server. By updating the quota
template, all quotas based on this template are updated for you automatically.
Key Points
You can use the FSRM Quota Management node to create and modify quotas. By
creating a quota for a volume or folder, you limit the disk space that is allocated for
that volume or folder. The FSRM Quota Management node includes all the
necessary options to work with quotas.
Question: In what scenario would you use the command line Dirquota tool?
Key Points
After configuring and applying quotas to your file shares or volumes, you should
understand how to monitor disk usage to meet your organization’s ongoing
storage requirements effectively.
Note: Quotas reduce the input/output (I/O) per-second performance of the storage
subsystem by a small amount (10 percent or less). Servers that apply quotas to more than
10,000 folders might experience a larger performance overhead.
Question: In your work environment, which quota usage monitoring method will
be most helpful?
Key Points
• Start the NYC-SVR1 virtual machine.
• Create a quota template to restrict large files on E:.
• Use the quota template to create a new quota.
• Configure the quota to log an event when it is exceeded.
Task 3: Test that the quota is working by generating several large files
1. Open a command prompt and run the command fsutil file createnew file1.txt 89400000 to create a file in the E:\Mod10\Labfiles\Users\User1 folder.
2. Check the Event Viewer for an event with Event ID 12325.
3. Test that the quota works by attempting to create a file that is 16,400,000 bytes, and then press ENTER.
4. Enable NTFS folder compression for the E:\Mod10\Labfiles\Users folder. Check to see what effect this has in the Quota console. Try again to create a file that is 16,400,000 bytes.
Results: After this exercise, you should have seen the effect of a quota template that
imposes a 100MB limit on user storage on the E:\Mod10\Labfiles\Users folder.
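The lab above can also be driven from the command line with Dirquota.exe (listed in this module's tool table) and fsutil. The following PowerShell script is an added example and is not part of the course lab. It assumes FSRM is installed on the local server, that PowerShell 2.0 is available for Get-EventLog, that FSRM writes its quota events to the Application log under the source name SRMSVC, that the built-in "100 MB Limit" template is a hard quota with an event-log notification at 100 percent, and that fsutil returns a non-zero exit code when the write is refused. The Dirquota flags used (/Path, /SourceTemplate) are from the tool's documented syntax; the folder path and Event ID 12325 are the lab's.

```powershell
# Added example (not from the course): apply a quota template to the lab
# folder, generate files with fsutil to push usage past the limit, and confirm
# that FSRM refused the write and logged an event, as in Task 3.

$template = "100 MB Limit"                    # built-in FSRM template (assumed: hard, 100 MB, logs at 100%)
$path     = "E:\Mod10\Labfiles\Users\User1"   # lab path

# Apply the template as a quota on the folder. Dirquota.exe is the FSRM quota
# CLI on Windows Server 2008; use /Type:Soft instead of a hard template if you
# only want notifications without enforcement.
& dirquota.exe quota add /Path:$path /SourceTemplate:"$template"
if ($LASTEXITCODE -ne 0) { throw "dirquota quota add failed with exit code $LASTEXITCODE" }

# Show the resulting quota so the limit and type can be verified.
& dirquota.exe quota list /Path:$path

function New-TestFile {
    # Creates a file of the given size with fsutil and returns $true if the
    # write succeeded, $false if FSRM (or NTFS) refused it (assumes fsutil
    # sets a non-zero exit code on failure).
    param([string]$File, [long]$Bytes)
    & fsutil.exe file createnew $File $Bytes | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# 89,400,000 bytes is under the 100 MB limit; the second file pushes the
# folder subtree past it, so a hard quota should refuse it.
$first  = New-TestFile -File (Join-Path $path "file1.txt") -Bytes 89400000
$second = New-TestFile -File (Join-Path $path "file2.txt") -Bytes 16400000

"file1.txt created: $first"
"file2.txt created: $second  (expected False under a hard quota)"

# Look for the quota-threshold event the lab tells you to check (ID 12325).
$since = (Get-Date).AddMinutes(-10)
Get-EventLog -LogName Application -Source SRMSVC -After $since |
    Where-Object { $_.EventID -eq 12325 } |
    Select-Object TimeGenerated, EventID, Message |
    Format-List
```

Because FSRM quotas are measured against the folder subtree, the second fsutil call is what triggers the limit even though each file on its own is below 100 MB; compare the Quota console reading before and after enabling NTFS compression in step 4 of the lab.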
Your security policy might prohibit specific file types from being placed on
company servers, and you might want to be notified if a specific file type is saved
on a file server. This lesson explains the concepts related to file screening that you
can use to manage the types of files that users can save on corporate file servers.
Key Points
Many organizations face issues with network users storing unauthorized or
personal data on corporate file servers. Not only does this misuse valuable storage
space, but it also increases the backup process duration, and might violate privacy
or security policies within the company.
You also can implement a screening process to notify you by e-mail when an
unauthorized file type has been stored on a shared folder. The e-mail message can
include information such as the name of the user who stored the file and its exact
location so that you can take appropriate precautionary steps.
Question: In your work environment, are there any server usage policies that file
screening could be used to enforce?
Key Points
Before you begin working with file screens, you must understand the role file
groups play in the file screening process. A file group is used to define a namespace
for a file screen, file screen exception, or storage report.
A file group consists of a set of file name patterns divided into two lists,
Files to include and Files to exclude:
• Files to include. These are files that should be included in the group.
• Files to exclude. These are files that should not be included in the group.
Question: In your work environment, list two or three file groups you plan to
create.
Key Points
Occasionally, you will need to allow exceptions to file screening. For example,
you might want to block video files from a file server, but you need to allow your
training group to save the video files for their computer-based training. To allow
files that other file screens are blocking, create a file screen exception.
A file screen exception is a configuration that overrides any file screening that
would otherwise apply to a folder and all its subfolders, in a designated exception
path. In other words, the file screen exception creates an exception to any rules
derived from a parent folder.
Question: Describe two ways you plan to use file screen exceptions in your work
environment.
Key Points
To simplify file screen management, base your file screens on file screen templates.
A file screen template defines the following:
• File groups to block.
• Screening types to perform.
• Notifications to be generated.
You can configure two screening types in a file screen template: Active screening
does not allow users to save any files related to the selected file groups configured
with the template. Passive screening still allows users to save files but provides
notifications for monitoring.
Question: What file types do you plan to create file screen templates for in your
work environment?
Key Points
• Start the NYC-SVR1 virtual machine.
• Create a new file screen in the E:\ drive based upon the Block Audio and
Video Files default template.
• Create a new custom file group and create a file screen exception to allow
Microsoft Windows Media® Player audio (WMA) files.
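The file group, file screen and file screen exception concepts from the preceding topics, and the lab steps above, can be carried out with Filescrn.exe, FSRM's file screening CLI on Windows Server 2008. The following PowerShell script is an added example, not the course's own lab code. It assumes FSRM is installed locally, that the built-in "Block Audio and Video Files" template and "Executable Files" file group exist with their default names, and that the Filescrn subcommands and flags shown (screen add, filegroup add, exception add, /Path, /SourceTemplate, /Type, /Members, /Add-Filegroup) match the tool's documented syntax. The training folder path is hypothetical.

```powershell
# Added example (not from the course): block audio and video files on E:\
# with the default template, allow *.wma in one training folder through a
# file screen exception, and add a passive screen that only logs executables.

$volume   = "E:\"
$training = "E:\Mod10\Labfiles\Training"     # hypothetical exception path
$users    = "E:\Mod10\Labfiles\Users"        # lab folder

function Invoke-Filescrn {
    # Runs filescrn.exe with the given arguments and stops on a non-zero exit code.
    param([string[]]$Arguments)
    & filescrn.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "filescrn $($Arguments[0]) $($Arguments[1]) failed ($LASTEXITCODE)" }
}

# 1. Active screen on the whole volume, based on the default template. Active
#    screening refuses the save; the screen applies to the entire subtree.
Invoke-Filescrn @("screen", "add", "/Path:$volume", "/SourceTemplate:Block Audio and Video Files")

# 2. Custom file group whose Files-to-include list is just *.wma. Several
#    patterns would be separated with '|' in /Members.
Invoke-Filescrn @("filegroup", "add", "/Filegroup:WMA Files", "/Members:*.wma")

# 3. Exception path: files matching the group are allowed here even though the
#    volume-level screen above would otherwise block them.
Invoke-Filescrn @("exception", "add", "/Path:$training", "/Add-Filegroup:WMA Files")

# 4. Passive screen on the Users folder: saves of executables still succeed,
#    but each one generates the configured notification (the lab's second exercise).
Invoke-Filescrn @("screen", "add", "/Path:$users", "/Type:Passive", "/Add-Filegroup:Executable Files")

# 5. Verify what now applies to each path.
Invoke-Filescrn @("screen", "list", "/Path:$volume")
Invoke-Filescrn @("exception", "list", "/Path:$training")
```

Passing the arguments as an array (splatting with @Arguments) keeps values that contain spaces, such as the template and file group names, as single arguments without extra quoting.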
Question: How do you plan to implement file screens in your work environment?
Question: How do you plan to implement file screen exceptions in your work
environment?
Results: After this exercise, you should have successfully implemented a file screen
that logs attempts to save executable files in E:\Mod10\Labfiles\Users.
To better carry out capacity planning, you must be able to configure and generate
extensive reports based on current storage utilization. This lesson will describe
how to configure, schedule, and generate storage reports using FSRM.
Key Points
Storage reports provide information about file usage on a file server. The FSRM
Storage Reports Management feature allows you to generate storage reports on
demand and schedule periodic storage reports that help identify trends in disk
usage. You also can create reports to monitor attempts to save unauthorized files
by all users or a selected group of users.
The following table describes the storage report types in FSRM:
Report: Large Files
Description: Lists files that are larger than a specified size. Use this report to identify files that are consuming excessive server disk space.

Report: Files by Owner
Description: Lists files that are grouped by owner. Use this report to analyze server usage patterns and to identify users who use large amounts of disk space.

Report: Files by File Group
Description: Lists files that belong to specified file groups. Use this report to identify file-group usage patterns and to identify file groups that occupy large amounts of disk space. This can help you determine which file screens to configure on the server.

Report: Duplicate Files
Description: Lists duplicate files (files with the same name, size, and last-modified date). Use this report to identify and reclaim disk space that is lost due to duplicate files.

Report: Least Recently Used Files
Description: Lists files that have not been accessed for a specified number of days. This report can help you identify seldom-used data that could be archived and removed from the server.

Report: Most Recently Used Files
Description: Lists files that have been accessed within a specified number of days. Use this report to identify frequently used data that should be highly available.

Report: Quota Usage
Description: Lists quotas for which the quota usage is higher than a specified percentage. Use this report to identify quotas with high usage levels so that appropriate action can be taken. This report includes only quotas that were created for volumes and folders in FSRM. It does not include quotas applied to volumes in the NTFS file system.

Report: File Screening Audit
Description: Lists file screening violations that have occurred on the server for a specified number of days. Use this report to identify individuals or applications that violate the file screening policy.
Key Points
The Scheduled Report Tasks node results pane includes the report task. Tasks are
identified by the reports to be generated, the namespace on which the report will
be created, and the report schedule. You also can view the current report status
(whether the report is running), the last run time and the result of that run, and
the next scheduled run time.
Question: In your work environment, how frequently will you schedule reports
using report tasks?
Key Points
During daily operations, you may want to generate reports on demand to analyze
aspects of current server disk usage. Use the Generate reports now action to
generate one or more reports. Current data is gathered before the reports are
generated.
Results: After this exercise, you should have successfully generated an on-demand
storage report.
With the rapid growth of the Internet and increased reliance on e-commerce, the
adoption of SANs has become more common due to the proliferation of data. This
lesson provides an overview of the concepts and terminology related to storage
area networks.
Key Points
Question: In what way or ways do you currently use SAN storage in your work
environment?
Key Points
Both Direct-Attached Storage and SANs use the SCSI protocol to move data in
blocks rather than files. From the vantage point of most operating systems, DAS
and SAN storage are indistinguishable, despite the differences in their network
topologies.
Note: NAS devices differ from SANs by serving files via network shares rather than
simulating local disks attached to servers.
Key Points
Fibre Channel (FC) is based on serial SCSI technologies and overcomes the
parallel SCSI limitations to enable essentially unlimited device connectivity over
long distances.
• FC interconnects deliver high-performance block I/O to storage devices within
a SAN.
• Unlike parallel SCSI devices, which must arbitrate (or contend) for the bus, FC
devices, using switch technology, can transmit information between
multiple servers and multiple storage devices at the same time.
Key Points
In a Fibre Channel SAN, each server contains an HBA that connects by means of
a Fibre Channel switch to a disk controller on the storage array. HBAs, although
they reside on the server, are also part of the storage network. They serve first to
provide the interface between the server and the attached Fibre Channel network
and second to provide I/O processing, offloading most of the server processing
required for transferring data. The resulting performance is very high and very
scalable.
Key Points
Your organization has implemented a basic SAN scenario; however, you are
concerned about availability of the SAN components. Based on the diagram
presented, describe what is required to ensure availability and redundancy of the
SAN environment.
Question: How would you configure the connections between an HBA and a FC
switch to ensure availability?
Question: How would you ensure that the path between the switch and the disk
array is highly available?
Key Points
Consider all points of failure when designing redundancy in the SAN.
• Redundant HBAs, FC switches, and disk array controllers will increase the
level of redundancy in the SAN.
Key Points
Internet SCSI (iSCSI) is an industry standard that enables transmission of SCSI
block commands over an existing IP network by using the TCP/IP protocol. iSCSI
is a technological breakthrough that offers organizations the possibility of
delivering both messaging traffic and block-based storage over existing IP
networks, without installing a separate Fibre Channel network.
Question: In your work environment, is iSCSI implemented? If so, how has it been
implemented?
Key Points
The Microsoft iSCSI Software Initiator service is installed on a host server and
enables the server to connect to iSCSI target volumes on a storage array. The
Software Initiator service enables streamlined storage management for all aspects
of the iSCSI service.
Question: Describe at least one scenario where you would implement the
Microsoft iSCSI software initiator.
Key Points
An iSCSI-based SAN solution consists of two components:
• iSCSI Software Initiator
• iSCSI target
Question: In the scenario depicted above, can either of the client
computers access the iSCSI storage?
Key Points
Storage Manager for SANs is a server feature that is provided in Windows
Server 2008. Storage Manager for SANs can be used to assist in storage resource
provisioning and disk configuration tasks with the implementation of a SAN
solution. SAN provisioning has traditionally been viewed as the most complex of
storage tasks and typically includes proprietary tools and commands. Storage
Manager for SANs helps to simplify provisioning tasks and is designed to look and
behave like standard Windows-based applications that administrators are already
familiar with.
Storage Manager for SANs provides the following benefits and functionality:
• Leverages the Virtual Disk Service to manage storage, with the addition of
vendor-provided VDS hardware providers.
• Discovers storage arrays on a Fibre Channel or an Internet Small Computer
System Interface (iSCSI) SAN, including storage array properties such as
firmware information.
Question: What approach does your organization currently use to manage SAN
storage that is connected to Windows Servers?
Key Points
When you encounter issues with SAN storage, begin troubleshooting by gathering
information about the nature of the issue, hardware involved, and software
configuration.
After you have gathered enough information, you can analyze the information,
recommend changes, implement one or more changes, monitor the result, and
document the process for future reference.
Question: Have you faced any SAN troubleshooting scenarios in your work
environment? If so, how did you approach them?
Review Questions
1. What is the difference between a hard and soft quota?
2. When a common set of file types needs to be blocked, what should you create
to block them in the most efficient manner?
3. If you want to apply a quota to all subfolders in a folder, including folders that
will be created in the future, what option must you configure in the quota
policy?
Tool: Dirquota.exe
Description: Use to create and manage quotas and quota templates.

Tool: Fsutil
Description: Use to configure NTFS quotas and to create files to test quota behavior.
MCT USE ONLY. STUDENT USE PROHIBITED
Configuring and Managing Distributed File System 11-1
Key Points
DFS Namespaces allows administrators to group shared folders located on
different servers into one or more logically structured namespaces.
DFS Replication (DFS-R) is a multi-master replication engine used to synchronize
files between servers for both local and WAN network connections.
Remote Differential Compression (RDC) identifies and synchronizes the data
changes on a remote source, and uses compression techniques to minimize the
data that is sent across the network.
Question: Do you have experience working with DFS or the DFS predecessor, File
Replication service (FRS)?
Key Points
Even though DFS Namespaces and DFS Replication are separate technologies, they
can be used together to provide high availability and data redundancy.
The following process describes how DFS Namespaces and DFS Replication work
together:
1. User accesses folder in the configured namespace.
2. Client computer accesses the first server in the referral. This referral typically is
a server in the client's own site, unless there is no server located within the
client's site. In this case, the administrator can configure the target priority.
Key Points
Large organizations that have many branch offices often have to share files or
collaborate between these locations. DFS-R can help replicate files between branch
offices or from a branch office to a hub site.
• DFS technologies can collect files from a remote office and replicate them to a
hub site, thus allowing the files to be used for a number of specific purposes.
• You can use DFS Namespaces and DFS-R to publish and replicate documents,
software, and other line-of-business data throughout your organization.
Question: In what ways can you use DFS technologies within your organization?
Key Points
You can create either a domain-based or stand-alone namespace. Each type has
different characteristics.
A domain-based namespace can be used when:
• Namespace high availability is required.
• You need to hide the name of the namespace servers from users.
Key Points
You create one or more folders within a DFS namespace. These folders contain one
or more folder targets. If one of the folder targets is not available, the client will
attempt to access the next folder target in the referral. This increases the data
availability in the folder.
Question: Describe a scenario of how you would use folder targets in your
organization.
Key Points
A namespace server is a domain controller or member server that hosts a DFS
Namespace. The operating system running on the server determines the number of
namespaces that a server can host.
The following table lists the guidelines you should use for namespace server
requirements:
Key Points
• Install the DFS role services on both NYC-DC1 and NYC-DC2.
• Add File Services role in the Server Manager.
• Add Distributed File System Role Service.
Question: You need to deploy DFS technology within your environment. Is DFS
considered a role service or a feature?
Key Points
Most DFS implementations primarily consist of content published within the DFS
namespace.
• Use the New Namespace Wizard to create the namespace from within the DFS
Management console.
• After the namespace is created, you then can add a folder in the namespace.
• You can add multiple folder targets to increase the folder's availability in the
namespace.
• A referral is an ordered list of targets that a client computer receives from the
namespace server when a user accesses a namespace root or folder.
Question: Describe a scenario when having a client continue to access the failover
server would present problems.
Key Points
To perform namespace management tasks, a user either has to be a member of an
administrative group or has to be delegated specific permission to perform the
task. You can right-click the namespace and then click Delegate Management
Permissions to delegate the required permissions.
Note: You also must add the user to the Local Administrators group on the namespace
server.
Key Points
• Create a domain-based namespace.
• Create the ProjectDocs namespace.
• Create the AccountingSpreadsheets folder target.
Key Points
For clients to connect to a DFS namespace, they must be able to connect to a
namespace server. This means that it is important to ensure the namespace servers
are always available. The process for increasing namespace availability varies for
domain-based and stand-alone namespaces. Domain-based namespaces can be
hosted on multiple servers. Stand-alone namespaces are limited to a single server.
• Domain-based namespaces. You can increase the availability of a domain-based
namespace by specifying additional namespace servers to host it.
• Stand-alone namespaces. You can increase the availability of a stand-alone
namespace by creating it as a shared resource in a server cluster.
Question: Describe how you could use these methods to increase availability in
your organization.
Key Points
Renaming a folder allows you to reorganize the hierarchy of folders to best suit
your organization's users.
By disabling a folder target's referral, you prevent client computers from accessing
that folder target in the namespace. This is useful when you are moving data
between servers.
Clients do not contact a namespace server for a referral each time they access a
folder in a namespace. By default, namespace root referrals are cached for 300
seconds (five minutes), and folder referrals are cached for 1,800 seconds (30
minutes).
Question: Describe a scenario when you would want to disable a folder target’s
referral.
Key Points
• Configure a second folder target.
• Examine namespace optimization settings.
Question: Which types of paths can you use when creating a new folder target?
Objectives
• Install the Distributed File System Role Service.
• Create a DFS Namespace.
Logon Information
• Virtual Machines: 6419A-NYC-DC1 and 6419A-NYC-SVR1
• User Name: WoodgroveBank\Administrator
• Password: Pa$$w0rd
Note: Verify from the Details pane that the CorpDocs namespace is now hosted on
both NYC-DC1 and NYC-SVR1.
Key Points
• DFS-R uses a new compression algorithm known as remote differential
compression (RDC).
• DFS-R detects changes on the volume by monitoring the update sequence
number (USN) journal, and replicates changes only after the file is closed.
• When a file is changed, only the changed blocks are replicated, not the entire
file.
Question: List one advantage and one disadvantage to having deleted files stored
in the Conflict and Deleted folders.
Key Points
A replication group consists of a set of member servers that participate in replicating
one or more replicated folders. There are two main types of replication groups:
• Multipurpose replication group.
• Replication group for data collection.
Key Points
If you plan to use DFS Replication, the Active Directory schema must be updated
to at least the version equal to Windows Server 2003 R2, so that it includes the
Active Directory classes and attributes that DFS Replication uses.
You cannot enable replication across servers in different forests.
Key Points
Use the above scalability considerations when deploying DFS-R. Remember that these
are guidelines, and that you may be able to deploy configurations successfully that
exceed them. However, it is important to test and verify that there is
adequate space in the staging folders, and that latency is acceptable.
Question: DFS-R doesn’t have restrictions on the size of files replicated; however,
there is a consideration to ensure the files get replicated. What is this
consideration?
Key Points
A multi-purpose replication group is used to replicate data between two or more
servers for general content sharing or for data publishing.
You can choose one of the following three topology types for the
connections between the replication group members:
• Hub and spoke: Requires three or more members. In this topology, spoke
members are connected to one or more hub members. Data then is replicated
from the hub member to the spoke members.
• Full mesh: In this topology, each member replicates with all other members of
the replication group. This works well with 10 or fewer members.
• No topology: You can use this option if you want to create a custom topology
after you finish the wizard.
When you first configure replication, you must choose a primary member that has
the most up-to-date files to be replicated. This server is considered authoritative for
any conflict resolution that occurs when the receiving members have files that are
older or newer when compared to the same files on the primary member.
The following concepts will help you to better understand the initial replication
process:
• Initial replication does not begin immediately.
• Initial replication always occurs between the primary member and its receiving
replication partners.
• When receiving files from the primary member during initial replication, the
receiving members that contain files that are not present on the primary
member move those files to their respective DfsrPrivate\PreExisting folder.
Key Points
To help maintain and troubleshoot DFS-R, you can generate diagnostic reports and
perform propagation tests.
You can use the Diagnostic Report Wizard to perform the following:
• Create a health report.
• Start a propagation test.
• Create a propagation report.
Question: How often would you run the diagnostic report wizard to create a health
report in your organization?
Key Points
• Create and configure the AccountingDataRepl replication group.
• Create a diagnostic report.
Question: Where are you able to modify the path for the staging folder?
Question: Which tab shows the sending and receiving members of the replication
group?
Key Points
Common causes of “Waiting for the DFS Replication service to retrieve replication
settings from Active Directory” error:
Issue: Active Directory replication latency
Solutions:
• Wait.
• Force replication using repadmin (with /replicate /force) or replmon (with
synchronize directory partition).
• Change your replication schedule and topology.
Question: List three places you can look for DFS-R troubleshooting information.
Key Points
Several other issues and solutions include:
• DFS-R is slow:
  • Make sure operating system updates and DFS-R hotfixes are installed.
  • If the event that indicates the staging quota is over its configured size (event ID 4208 in the DFS-R event log) is logged multiple times in an hour, increase the staging quota by 20 percent.
  • If you see a considerable amount of DFS-R event log entries for 4302 and 4304, you may want to start examining how files are being used for sharing violations.
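The two event-based checks above can be scripted so that a member server is reviewed on a schedule rather than by hand. The following PowerShell script is an added example, not the course's own material. It assumes PowerShell 2.0 (for Get-EventLog), that the DFS-R log is registered under the name "DFS Replication", that the member's current staging quota is the 4096 MB the New Replication Group wizard proposes by default, and that the dfsradmin membership set /StagingSize flag named in the comment matches that tool's documented syntax; the script itself only reports and computes, it does not change the staging quota.

```powershell
# Added example (not from the course): count the DFS-R events this module
# cites (4208 staging quota exceeded; 4302/4304 sharing violations) over the
# last hour, and compute the 20 percent staging increase it recommends.

function Get-DfsrEventSummary {
    # Returns a hashtable of event ID -> count for the IDs of interest,
    # read from the classic "DFS Replication" event log.
    param([int]$Hours = 1)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-EventLog -LogName "DFS Replication" -After $since -ErrorAction SilentlyContinue
    $counts = @{ 4208 = 0; 4302 = 0; 4304 = 0 }
    foreach ($e in $events) {
        if ($counts.ContainsKey($e.EventID)) { $counts[$e.EventID]++ }
    }
    return $counts
}

function Get-RecommendedStagingMB {
    # 20 percent above the current staging quota, rounded up to a whole MB.
    param([int]$CurrentMB)
    return [int][math]::Ceiling($CurrentMB * 1.2)
}

$counts = Get-DfsrEventSummary -Hours 1
"Events in the last hour: 4208=$($counts[4208])  4302=$($counts[4302])  4304=$($counts[4304])"

# Current staging quota of the member (assumed wizard default; read yours from
# the Memberships tab or from dfsradmin membership list).
$currentStagingMB = 4096

if ($counts[4208] -gt 1) {
    $newStagingMB = Get-RecommendedStagingMB -CurrentMB $currentStagingMB
    "Staging quota exceeded $($counts[4208]) times in the last hour; raise staging from $currentStagingMB MB to $newStagingMB MB."
    # On Windows Server 2008 the change is made with dfsradmin (flags assumed from its help):
    #   dfsradmin membership set /RgName:<group> /RfName:<folder> /MemName:<server> /StagingSize:$newStagingMB
}

if (($counts[4302] + $counts[4304]) -gt 0) {
    "Sharing-violation events logged ($($counts[4302] + $counts[4304])); examine how files in the replicated folder are being opened."
}
```

Run it on the member that reports the slowness; the counts are per server because the DFS Replication log is local to each member.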
Question: In your organization, would you include .bak files in your DFS
replication?
Task 5: Create additional folder targets for the PolicyFiles folder, and
then configure folder replication
1. On NYC-DC1, in the DFS Management console, add a folder target with the
following options:
• Path to folder target: \\NYC-DC1\PolicyFiles
• Create share: Yes
• Local Path of shared folder: C:\PolicyFiles
• Shared folder permissions: Administrators have full access; other users
have read-only permissions
• Replication group: Yes
• Replication Group name: woodgrovebank.com\corpdocs\policyfiles
• Replicated folder name: PolicyFiles
• Primary member: NYC-SVR1
• Topology: Full mesh
• Replication schedule: default
2. In the console tree, expand the Replication node, and then click
woodgrovebank.com\corpdocs\PolicyFiles.
3. In the details pane, on the Memberships tab, verify that both NYC-DC1 and
NYC-SVR1 are listed and enabled.
Review Questions
1. How can you use DFS in your File Services deployment?
2. What kind of compression technology is used by Windows Server 2008 DFS?
3. What are three main scenarios used for DFS?
4. What is the difference between a domain-based DFS namespace and a stand-
alone DFS namespace?
5. What is the default ordering method for client referral to folder targets?
6. What does the Primary Member configuration do when setting up replication?
7. Which folder is used to cache files and folders where conflicting changes are
made on two or more members?
Service: NetBIOS Datagram Service
Used by: Domain controllers; root servers that are not domain controllers; servers acting as folder targets; client computers acting as folder targets
Port: UDP 138

Service: NetBIOS Session Service
Used by: Domain controllers; root servers that are not domain controllers; servers acting as folder targets; client computers acting as folder targets
Port: TCP 139

Service: Server Message Block (SMB)
Used by: Domain controllers; root servers that are not domain controllers; servers acting as folder targets; client computers acting as folder targets
Port: UDP 445 and TCP 445
DFS Management
  Use: Performing tasks related to DFS namespaces and replication.
  How to open: Click Start, point to Administrative Tools, and then click DFS
  Management.
Configuring Network Access Protection 12-1
Network Access Protection (NAP) ensures compliance with specific health policies
for systems accessing the network. NAP assists administrators in achieving and
maintaining a specific health policy. This module provides information about how
NAP works, and how to configure, monitor, and troubleshoot NAP.
NAP for Windows Server 2008, Windows Vista, and Windows XP Service Pack 3
provides components and an application programming interface (API) that help
administrators enforce compliance with health-requirement policies for network
access or communication. NAP enables developers and administrators to create
solutions for validating computers that connect to their networks, as well as
provide needed updates or access to needed health update resources and limit the
access or communication of non-compliant computers.
NAP has three important and distinct aspects:
• Health state validation
• Health policy compliance
• Limited access
Question: Have you ever had an issue with unsecure, unmanaged laptops causing
harm to your network? Do you think NAP would have addressed this issue?
Question: Which of the NAP enforcement types would best suit your company?
Can you see your organization using multiple NAP enforcement types? If so, which
ones?
Question: How would your organization deal with enabling the appropriate EC on
non-domain computers that are outside of the management scope?
Key Points
• Open the NAP Client Configuration tool.
• Explore the options available.
Question: List at least one example of how the NAP client could benefit your
organization.
Question: List at least one example of how the NAP health policy server can
monitor your networks.
The NAP Agent component can communicate with the NAP Administration Server
component through the following process:
1. The NAP Agent passes the system SSoH to the NAP EC.
2. The NAP EC passes the SSoH to the NAP ES.
3. The NAP ES passes the SSoH to the NPS service.
4. The NPS service passes the SSoH to the NAP Administration Server.
The NAP Administration Server can communicate with the NAP Agent through the
following process:
1. The NAP Administration Server passes the SSoHR to the NPS service.
2. The NPS service passes the SSoHR to the NAP ES.
3. The NAP ES passes the SSoHR to the NAP EC.
4. The NAP EC passes the SSoHR to the NAP Agent.
A SHA can communicate with its corresponding SHV through the following
process:
1. The SHA passes its SoH to the NAP Agent.
2. The NAP Agent passes the SoH, contained within the SSoH, to the NAP EC.
3. The NAP EC passes the SoH to the NAP ES.
4. The NAP ES passes the SoH to the NAP Administration Server.
5. The NAP Administration Server passes the SoH to the SHV.
Question: List an example of how your organization can use NAP Platform
Components to facilitate communication.
With Network Access Protection, you can create customized health policies to
validate computer health before allowing access or communication, to update
compliant computers automatically to ensure ongoing compliance, and, optionally,
to confine non-compliant computers to a restricted network until they become
compliant.
Question: List at least one example of why you would customize a health policy.
Question: For which computers in the secure network would you allow unsecure
communication from computers in the restricted network to succeed?
Question: What must the network devices support to implement 802.1x NAP?
Question: How does the VPN NAP enforcement method respond to
non-compliant computers that make connection attempts?
DHCP address configuration limits network access for the DHCP client through
its IPv4 routing table. DHCP enforcement sets the DHCP Router option value
to 0.0.0.0, so the non-compliant computer does not have a configured default
gateway. DHCP enforcement also sets the subnet mask for the allocated IPv4
address to 255.255.255.255, so that there is no route to the attached subnet.
To allow the non-compliant computer to access the restricted network’s
remediation servers, the DHCP server assigns the Classless Static Routes DHCP
option. This option contains host routes to the restricted network’s computers,
such as the DNS and remediation servers. The end result of DHCP limited network
access is a configuration and routing table that allows connectivity only to specific
destination addresses corresponding to the restricted network. Therefore, when an
application attempts to send to a unicast IPv4 address other than those supplied
via the Classless Static Routes option, the TCP/IP protocol returns a routing error.
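The following added example (not Microsoft's code or the course's) models the DHCP enforcement configuration just described: it builds the Router, subnet mask and Classless Static Routes values for a non-compliant client, encodes option 121 as RFC 3442 lays it out, and shows which destinations the resulting routing table can reach. The addresses (a 10.10.0.0/24 lab subnet, DNS and remediation servers at .10 and .20, next hop .1) are constructed.

```python
"""Model of DHCP NAP limited network access (added example; not Microsoft code).

Builds the option values described above for a non-compliant client (Router
0.0.0.0, subnet mask 255.255.255.255, Classless Static Routes with host routes
into the restricted network), encodes option 121 as RFC 3442 lays it out, and
simulates the client's route lookup. All addresses are constructed lab values.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

RESTRICTED_HOSTS = ["10.10.0.10", "10.10.0.20"]  # constructed DNS and remediation servers
RESTRICTED_GATEWAY = "10.10.0.1"                  # constructed next hop for the host routes

NON_COMPLIANT_LEASE = {"address": "10.10.0.50",
                       "subnet_mask": "255.255.255.255",  # no route to the attached subnet
                       "router": "0.0.0.0"}               # no default gateway
COMPLIANT_LEASE = {"address": "10.10.0.50", "subnet_mask": "255.255.255.0",
                   "router": "10.10.0.1"}

Route = Tuple[str, str]  # (destination/prefix, router)


def encode_classless_static_routes(routes: List[Route]) -> bytes:
    """DHCP option 121: per route, a prefix length byte, only the significant
    destination octets (ceil(prefix/8) of them), then the 4-byte router."""
    payload = b""
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=False)
        significant = (net.prefixlen + 7) // 8
        payload += (bytes([net.prefixlen])
                    + net.network_address.packed[:significant]
                    + ipaddress.IPv4Address(router).packed)
    return bytes([121, len(payload)]) + payload


def decode_classless_static_routes(option: bytes) -> List[Route]:
    """Inverse of the encoder, padding short destinations back to 4 octets."""
    if len(option) < 2 or option[0] != 121:
        raise ValueError("not a Classless Static Routes option")
    data, routes, i = option[2:2 + option[1]], [], 0
    while i < len(data):
        prefixlen = data[i]
        significant = (prefixlen + 7) // 8
        dest = data[i + 1:i + 1 + significant].ljust(4, b"\x00")
        router = data[i + 1 + significant:i + 5 + significant]
        if len(router) != 4:
            raise ValueError("truncated route entry")
        routes.append((f"{ipaddress.IPv4Address(dest)}/{prefixlen}",
                       str(ipaddress.IPv4Address(router))))
        i += 5 + significant
    return routes


def restricted_routes_option() -> bytes:
    """What the DHCP server hands a non-compliant client: one host route per
    restricted-network computer."""
    return encode_classless_static_routes(
        [(f"{host}/32", RESTRICTED_GATEWAY) for host in RESTRICTED_HOSTS])


def build_routing_table(lease: Dict[str, str], option121: Optional[bytes]):
    """Routes the client derives from its lease: the on-link route for its own
    address and mask, a default route only when Router is not 0.0.0.0, and
    every Classless Static Route."""
    local = ipaddress.IPv4Network(
        f"{lease['address']}/{lease['subnet_mask']}", strict=False)
    table = [(local, "on-link")]
    if lease["router"] != "0.0.0.0":
        table.append((ipaddress.IPv4Network("0.0.0.0/0"), lease["router"]))
    for dest, router in decode_classless_static_routes(option121) if option121 else []:
        table.append((ipaddress.IPv4Network(dest), router))
    return table


def route_lookup(table, destination: str) -> Optional[str]:
    """Longest-prefix match. None models the routing error TCP/IP returns when
    no route covers the destination."""
    dst = ipaddress.IPv4Address(destination)
    best = None
    for net, next_hop in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def reachable(lease: Dict[str, str], option121: Optional[bytes], destination: str) -> bool:
    """Can an application on this client send to the destination at all?"""
    return route_lookup(build_routing_table(lease, option121), destination) is not None
```

With the non-compliant lease, only the client's own address and the two host routes resolve; every other unicast destination, including the rest of the attached subnet, gets no route.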
Question: Does the DHCP NAP enforcement type work on IPv6 networks?
This lesson provides information about configuring the client to interoperate with
the server-side infrastructure of a NAP-enforced environment.
A NAP-capable client is a computer that has the NAP components installed and can
verify its health state by sending a SoH to NPS.
SHAs and SHVs, which are NAP infrastructure components, provide health-state
tracking and validation. Windows Vista and Windows XP Service Pack 3 include
a Windows Security Health Validator SHA that monitors the Windows Security
Center settings. Windows Server 2008 includes a corresponding Windows
Security Health Validator SHV. NAP is designed to be flexible and extensible, and
interoperates with any vendor’s software that provides SHAs and SHVs that use the
NAP API.
An SHV receives a SoH from the NAP Administration Server and compares the
system health status information in the SoH with the required system health state.
For example, if the SoH is from an antivirus SHA and contains the last
virus-signature file version number, the corresponding antivirus SHV can check with the
antivirus health requirement server for the latest version number to validate the
NAP client’s SoH.
Question: Does NAP work only with Microsoft-supplied System Health Validators?
If the client configuration state does not match the requirements that the health
policy defines, NPS takes one of the following actions, depending on the NAP
configuration:
• It rejects the connection request.
• It places the NAP client on a restricted network where it can receive updates
from remediation servers that bring the client into compliance with health
policy. After the NAP client achieves compliancy, NPS enables it to connect.
• It allows the NAP client to connect to the network despite its non-compliance
with the health policy.
A remediation server hosts the updates that NAP agent can use to bring
non-compliant client computers into compliance with health policy, as NPS defines.
For example, a remediation server can host antivirus signatures. If health policy
requires that client computers have the latest antivirus definitions, then the
following work together to update non-compliant computers: an antivirus SHA,
an antivirus SHV, an antivirus policy server, and the remediation server.
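The following added example (not Microsoft's code or the course's) models the antivirus SHA/SHV exchange and the three NPS actions described above, including the restrict-remediate-retry cycle. The SoH field names, the signature versions and the policy choice are constructed; how NPS treats an SoH with no registered SHV is an assumption of the model.

```python
"""Model of NAP health validation and remediation (added example; not Microsoft code).

An antivirus SHA reports its last signature-file version in a SoH, the matching
SHV validates it against the version the health requirement server reports, and
NPS maps the outcome to one of the three actions listed above. SoH fields,
versions and policy values are constructed; component names follow the text.
"""
from typing import Callable, Dict, List, Tuple

LATEST_SIGNATURE_VERSION = "1.305"  # constructed value from the requirement server

SoH = Dict[str, str]
Verdict = Tuple[bool, str]


def version_key(version: str) -> Tuple[int, ...]:
    """Compare dotted versions numerically, so that 1.305 is newer than 1.41."""
    return tuple(int(part) for part in version.split("."))


def antivirus_shv(soh: SoH, latest: str) -> Verdict:
    """SHV for the antivirus SHA: compliant only if the reported signature
    version is at least the version the requirement server knows about."""
    reported = soh.get("signature_version")
    if reported is None:
        return False, "SoH carries no signature version"
    if version_key(reported) < version_key(latest):
        return False, f"signature version {reported} is older than {latest}"
    return True, "antivirus signatures are current"


# SHVs keyed by the SHA whose SoH they validate.
SHVS: Dict[str, Callable[[SoH, str], Verdict]] = {"antivirus": antivirus_shv}


def nps_evaluate(ssoh: List[SoH], non_compliant_action: str, latest: str) -> Dict:
    """NPS hands each SoH in the SSoH to its SHV and builds the SSoHR.

    non_compliant_action is the NAP configuration choice for failing clients:
    'reject', 'restrict' or 'allow', the three actions listed above.
    """
    verdicts = {}
    for soh in ssoh:
        shv = SHVS.get(soh["sha"])
        # Model assumption: an SoH with no matching SHV fails validation.
        verdicts[soh["sha"]] = shv(soh, latest) if shv else (False, "no SHV for this SHA")
    compliant = all(ok for ok, _ in verdicts.values())
    if compliant:
        access = "full"
    else:
        access = {"reject": "denied", "restrict": "restricted", "allow": "full"}[non_compliant_action]
    return {"compliant": compliant, "access": access,
            "reasons": {sha: reason for sha, (_, reason) in verdicts.items()}}


def remediate(ssoh: List[SoH], latest: str) -> List[SoH]:
    """Model of the remediation server: the restricted client fetches the
    current signatures and its antivirus SHA produces a fresh SoH."""
    return [dict(soh, signature_version=latest) if soh["sha"] == "antivirus" else soh
            for soh in ssoh]


def connect(ssoh: List[SoH], non_compliant_action: str = "restrict",
            latest: str = LATEST_SIGNATURE_VERSION) -> List[Dict]:
    """One connection attempt: evaluate; if restricted, remediate and retry.
    Returns every SSoHR issued, in order."""
    responses = [nps_evaluate(ssoh, non_compliant_action, latest)]
    if responses[0]["access"] == "restricted":
        responses.append(nps_evaluate(remediate(ssoh, latest), non_compliant_action, latest))
    return responses
```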
You should remember these basic guidelines when you configure NAP clients.
Some NAP deployments that use Windows Security Health Validator (WSHV) require
that you enable Security Center on the NAP-capable clients; you can install Group
Policy Management and enable Security Center through Group Policy:
• Enable the Turn on Security Center (Domain PCs only) setting in Group
Policy under Computer Configuration, Administrative Templates, Windows
Components, and Security Center.
You also must configure the NAP enforcement clients on the NAP-capable
computers. Use the following procedure to enable an enforcement client (EC)
with the NAP Client Configuration snap-in:
• Create a custom Microsoft Management Console (MMC) console with the
NAP Client Configuration snap-in.
• Expand NAP Client Configuration, and select Enforcement Clients from the
console tree.
• In the details pane, double-click the EC that you want to enable, and select
Enable This Enforcement Client from the Properties sheet.
You also can use the Netsh command to enable or disable ECs. Use the following
command to enable the DHCP EC on the client, where 79617 is the ID of the DHCP
Quarantine Enforcement Client:
• netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"
Question: What Windows groups have the rights to enable Security Center in
Group Policy, enable NAP service on clients, and enable/disable NAP enforcement
clients?
Key Points
• Open the Network Policy Server tool to configure NAP.
• Create a policy for DHCP.
You can use the NAP Client Configuration snap-in to configure NAP tracing.
Tracing records NAP events in a log file, and is useful for troubleshooting and
maintenance. You also can use tracing logs to evaluate your network’s health and
security. You can configure three levels of tracing: Basic, Advanced, and Debug.
You should enable NAP tracing when:
• You are troubleshooting NAP problems.
• You want to evaluate the overall health and security of your organization’s
computers.
Question: List at least one example of how NAP tracing can be used to determine
an issue with client communication.
There are two tools that are available for configuring NAP tracing. The NAP Client
Configuration console is part of the Windows user interface, and netsh is a
command-line tool.
To view the log files, navigate to the %systemroot%\tracing\nap directory, and
open the particular trace log that you want to view.
Question: What is the netsh command for enabling NAP debug logging levels?
Key Points
• Configure tracing from the graphical user interface.
• Configure tracing from the command line.
Objectives
• Configure NAP for DHCP clients
• Configure NAP for VPN clients
Scenario
As the Woodgrove Bank technology specialist, you need to establish a way to bring
client computers automatically into compliance. You will do this by using Network
Policy Server, creating client compliance policies, and configuring a NAP server to
check the current health of computers.
Note: Since NAP is a new and complex technology in Windows Server 2008, detailed
steps have been provided here for each of the tasks in this lab. For this reason, there will
be no separate lab answer key for this module.
Task 2: Install the Network Policy Server (NPS) and Dynamic Host
Configuration Protocol (DHCP) server roles
1. On NYC-SVR1, click Start, and then click Server Manager.
2. In the Server Manager console pane, right-click Roles, and then click Add
Roles.
3. On the Before You Begin page, click Next.
Note: A setting of Access granted does not mean that non-compliant clients are
granted full network access. It specifies that clients matching these conditions will be
granted an access level that the policy determines.
Note: Although this remediation server does not exist due to the limitations of the
lab environment, it is important to understand how to configure the settings.
Note: In this lab, the DNS server address is the same for both the restricted and
non-restricted networks. In a real environment, you would specify a DNS server that
exists on the restricted network here.
21. Under Available Options, select the 015 DNS Domain Name check box.
22. In the String value field, type restricted.woodgrovebank.com, and then click
OK.
Note: This reduces the lab’s complexity, particularly for those who are not familiar with
IPv6.
Note: Notice that it tells you the computer is not compliant with the requirements of
the network. This may take a few minutes to appear.
6. Click Close.
Note: This ensures that traffic from non-compliant clients can reach only NYC-DC1.
Note: This ensures that only traffic from NYC-DC1 can be sent to non-compliant clients.
Note: This ensures that NYC-SVR1 will be able to ping NYC-DC1 when attached to the
Internet subnet without requiring that you configure additional packet filters for Internet
Control Message Protocol (ICMP) traffic.
Note: The client now meets the requirement for VPN full connectivity.
Note: This dialog box indicates the computer does not meet health requirements. This
message is displayed because antivirus software has not been installed.
Review Questions
1. What are the three main client configurations that you need to configure for
most NAP deployments?
2. You want to evaluate the overall health and security of the NAP enforced
network. What do you need to do to start recording NAP events?
Netsh nap
  Use: Using netsh, you can create scripts to configure automatically a set of
  Windows Firewall with Advanced Security settings, create rules, monitor
  connections, and display the configuration and status of Windows Firewall
  with Advanced Security.
  How to use: Open a command window with administrative rights and type
  netsh nap. You can type help to get a full list of available commands.
Group Policy
  Use: Some NAP deployments that use Windows Security Health Validator
  require that Security Center is enabled. Group Policy can also be used to
  enable and manage the NAP client.
  How to use: Enable the Turn on Security Center (Domain PCs only) setting in
  the Computer Configuration, Administrative Templates, Windows Components,
  and Security Center sections of Group Policy.
Configure NAP with a wizard
  Use: Create the health policies, connection request policies, and Network
  Access Protection (NAP) policies with Network Policy Server.
  How to use: Open the NPS (Local) console. In Getting Started and Standard
  Configuration, select Network Access Protection (NAP) policy server. The
  text and links below the text change to reflect your selection. Click
  Configure NAP with a wizard.
Configuring Availability of Network Content and Resources 13-1
This module explains how to configure network resources and content availability
and how to enable a shadow copy volume, which provides access to previous file
and folder versions on a network. Finally, this module explains how you can use
failover clustering and Network Load Balancing (NLB) to facilitate greater data
availability and workload scalability.
Key Points
The Previous Versions feature in Windows Server 2008 enables your users to
access previous versions of files and folders on your network. This is useful
because users can:
• Recover files that were deleted accidentally.
• Recover from accidentally overwriting a file.
• Compare versions of a file while working.
Question: If you were to deploy shadow copies of shared folders in your network
environment, would you notice a decrease in calls from users needing restoration
from backups?
Key Points
Before deploying shadow copies, gather the following information to assist with
planning:
• How frequently will users modify the content of shadow copy-protected
folders?
• How many previous versions of files do you want to maintain?
• How much space is available for storing shadow copies?
Key Points
If you use the default values to enable shadow copies of shared folders on a
volume, tasks will be scheduled to create shadow copies at 7:00 A.M. and noon.
The default storage area will be on the same volume, and its size will be limited
to 10 percent of the available space.
If you decide that you want shadow copies to be made more often, verify that you
have allotted enough storage space and that you do not make copies so often that
it degrades server performance.
Question: How might you consider modifying the default schedule for your
environment? Do you have data in shares that might require a more aggressive
schedule?
Key Points
• Open Computer Management.
• Enable Shadow Copies on a single server volume.
Question: What are the possible drawbacks or costs of enabling Shadow Copies?
Question: Will you enable Shadow Copies on all volumes on your servers?
Key Points
For previous versions of the Windows operating system, the Previous Versions
client software must be installed for the user to make use of shadow copies. The
Microsoft Windows Vista® operating system has the Previous Versions client built
into the operating system, so client configuration is not necessary.
Question: What might be the problem if a user calls the Help Desk and complains
that the Previous Versions tab is missing from the shared folder/file properties?
Key Points
After you enable shadow copies of shared folders and start creating shadow copies,
you can use the Previous Versions feature to recover previous versions of files and
folders, or recover files and folders that have been renamed or were deleted.
Question: If a user calls you and says that the “Previous Versions” tab is not
visible, what would you ask to determine the problem?
Key Points
• Use the Previous Versions tab to restore an older version of a file.
Question: How would you train users to perform shadow copy restorations on
their own?
Results: After this exercise, you should have established shadow copies on a share,
changed a file, and then restored the original version.
Key Points
When you install NLB as a network driver on each of the cluster’s member servers
or hosts, the cluster presents a virtual IP address to client requests. The client
requests go to all the hosts in the cluster, but only the host to which a given client
request is mapped accepts and handles the request. All the other hosts drop the
request. Depending on the configuration of each host in the cluster, the statistical
mapping algorithm, which is present on all the cluster hosts, maps the client
requests to particular hosts for processing.
Using NLB with compatible services offers the benefits of increased availability,
scalability, and load-balancing performance, as well as the ability to distribute a
large number of clients over a group of servers.
Question: Do you have any servers hosting stateless information that would
benefit from Network Load Balancing in your environment?
Key Points
• Install the Network Load Balancing feature.
Key Points
To configure the Network Load Balancing cluster, you must configure three types
of parameters:
• Host parameters, which are specific to each host in an NLB cluster. Host
  parameters include:
    • Priority, which specifies a unique ID for each host. The host with the
      lowest numerical priority among the current members of the cluster
      handles all of the cluster's network traffic that is not covered by a
      port rule.
• Cluster parameters, which apply to an NLB cluster as a whole. Cluster
  parameters include:
    • The IP Address and Subnet Mask for the NLB cluster.
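The following added example (not Microsoft's code or the course's) models the mapping described in the NLB key points above together with the host priority parameter just listed: every host runs the same deterministic mapping on each packet sent to the virtual IP, so exactly one host accepts it and the host with the lowest priority takes traffic no port rule covers. The hash and bucket scheme is a simplification of NLB's statistical mapping, and the cluster, priorities, load weights and port rules are constructed.

```python
"""Model of NLB request mapping (added example; not Microsoft code).

Every host evaluates the same deterministic mapping over each packet, so each
one decides locally whether to accept or drop, and exactly one host accepts.
Traffic not covered by a port rule goes to the host with the lowest priority.
The hash and bucket scheme is a simplification of NLB's statistical mapping;
hosts, priorities, load weights and port rules are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

BUCKETS = 60  # constructed bucket count; identical on every host

Packet = Tuple[str, int, int]  # (client_ip, client_port, destination_port)


@dataclass(frozen=True)
class PortRule:
    start: int
    end: int
    affinity: str  # "single": hash client IP only; "none": hash IP and port


@dataclass(frozen=True)
class Host:
    name: str
    priority: int           # unique per host; lowest value is the default host
    load_weight: int = 100  # share of buckets under multiple-host port rules


def bucket_for(client_ip: str, client_port: int, affinity: str) -> int:
    """Hash the client identity to a bucket; 'single' keeps a client on one host."""
    key = client_ip if affinity == "single" else f"{client_ip}:{client_port}"
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % BUCKETS


def bucket_owner(hosts: List[Host], bucket: int) -> Host:
    """Split the bucket range across hosts in proportion to load weight. The
    split depends only on cluster membership, so every host computes the same one."""
    ordered = sorted(hosts, key=lambda h: h.priority)
    total = sum(h.load_weight for h in ordered)
    cumulative = 0
    for host in ordered:
        cumulative += host.load_weight
        if bucket < round(cumulative * BUCKETS / total):
            return host
    return ordered[-1]


def matching_rule(rules: List[PortRule], dest_port: int) -> Optional[PortRule]:
    return next((r for r in rules if r.start <= dest_port <= r.end), None)


def mapped_host(hosts: List[Host], rules: List[PortRule], packet: Packet) -> Host:
    """The host the statistical mapping assigns to this packet."""
    client_ip, client_port, dest_port = packet
    rule = matching_rule(rules, dest_port)
    if rule is None:
        return min(hosts, key=lambda h: h.priority)  # default host
    return bucket_owner(hosts, bucket_for(client_ip, client_port, rule.affinity))


def host_accepts(host: Host, hosts: List[Host], rules: List[PortRule], packet: Packet) -> bool:
    """The local decision each host makes on a packet it sees for the virtual IP."""
    return mapped_host(hosts, rules, packet) == host


def accepting_hosts(hosts: List[Host], rules: List[PortRule], packet: Packet) -> List[str]:
    """Names of the hosts that accept; all others drop the packet."""
    return [h.name for h in hosts if host_accepts(h, hosts, rules, packet)]


# Constructed three-node cluster: web traffic is balanced with client-IP
# affinity, NLB-C carries half the weight, everything else goes to NLB-A.
CLUSTER = [Host("NLB-A", 1), Host("NLB-B", 2), Host("NLB-C", 3, load_weight=50)]
RULES = [PortRule(80, 80, "single"), PortRule(443, 443, "single")]
```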
Key Points
• Create a new NLB cluster.
• Configure settings for the new NLB cluster.
Key Points
There are several important terms that are used when discussing clustering.
Key Points
A failover cluster is a group of independent computers that work together to
increase the availability of applications and services. Physical cables and software
connect the clustered servers, known as nodes. If one of the cluster nodes fails,
another node begins to provide service (a process known as failover). Therefore,
users experience a minimum of service disruptions.
Note: The failover cluster feature is not available in the Windows® Web Server 2008 or
Windows Server 2008 Standard editions.
Key Points
Carefully review the hardware on which you plan to deploy a failover cluster to
ensure that it is compatible with Windows Server 2008. This is especially necessary
if you are currently using that hardware for a server cluster running Windows
Server 2003. Hardware that supports a server cluster running Windows Server
2003 will not necessarily support a failover cluster running Windows Server 2008.
Note: You cannot perform a rolling upgrade from a server cluster running Windows
Server 2003 to a failover cluster running Windows Server 2008. However, after you create
a failover cluster running Windows Server 2008, you can use a wizard to migrate certain
resource settings to it from a server cluster running Windows Server 2003.
Question: If you presently have a server cluster in a previous server version, can
you do a rolling upgrade to Windows Server 2008 Failover Clustering?
Key Points
Failover clustering can be useful in a number of different scenarios:
• File shares can be made highly available.
• Applications like Microsoft Exchange can be made highly available.
• Databases on Microsoft SQL Server® can be made highly available.
• Virtual Machines running on Hyper-V™ hosts can be made highly available.
Question: Describe one scenario in your work environment where you currently
use or plan to implement failover clustering.
Results: Even though an NLB cluster member is unavailable, the web site is still
available.
Review Questions
1. What is the danger of choosing to restore a folder in Shadow Copies?
2. How are failover clusters different from Network Load Balancing?
Best Practices
Consider the following best practices for NLB and Failover Clustering:
• Properly secure the NLB hosts and the load-balanced applications:
    • Network Load Balancing does not provide additional security for the
      load-balanced hosts and cannot be used as a firewall. It is important to
      properly secure the load-balanced applications and hosts. Security
      procedures can typically be found in the documentation for each
      particular application. For example, if you are using NLB to load
      balance a cluster of IIS servers, you should follow the procedures and
      guidelines for securing IIS.
Most businesses require cost-effective solutions that provide value for money. You
should monitor servers to ensure that they run efficiently and use available server
capacity.
Many administrators require performance-monitoring tools to identify components
that require additional tuning and troubleshooting. By identifying components that
require additional tuning, you can improve the efficiency of your servers.
Monitoring and Maintaining Windows Server 2008 Servers 14-3
The Microsoft® Windows Server® 2008 operating system can use many monitoring
tools.
This lesson discusses the range of monitoring features that are available for
Windows Server 2008 and how you can plan to measure the efficiency of the
operating system and hardware components through monitoring.
Key Points
You should monitor servers in your organization so that you can troubleshoot
unexpected performance problems from your hardware and software quickly and
easily.
By using performance-monitoring tools, you can determine when a server is really
slower at responding to user requests rather than relying on user perception of
"slow" and "fast" response times.
Interactive monitoring of systems is useful when you want to determine the effect
of performing a specific action or troubleshoot specific events. This type of
monitoring can also help you to ensure that you are meeting SLAs.
Question: List four troubleshooting procedures that would benefit from server
monitoring.
Key Points
You should select the most appropriate tool to suit the type of monitoring that is
required.
Question: Which tools do you currently plan to use to monitor Windows Server
2008? Consider long-term planning goals and specific troubleshooting instances.
Key Points
There are several considerations when planning for event monitoring. Consider the
following:
• You should ensure that your systems are cost-effective for your organization.
• Your business may reduce the effort that staff spend on event monitoring by
implementing efficient event monitoring.
• You can prevent service and system outages by ensuring that resources retain
enough capacity to meet service-level agreements (SLAs).
Question: What is the cost of system outage that is caused by not monitoring
systems?
This lesson discusses some of the key server components to measure. You will
learn how to use analysis and planning techniques from collected performance
metrics to improve your server infrastructure.
Key Points
The four main hardware components to monitor are processor, disk, memory and
network.
• You should measure all of the key components in your system.
• You should consider the server role and workload to determine which
hardware components are likely to restrict performance.
• You can increase server performance by adding hardware capacity or by
reducing the number of users who are accessing a server.
Question: Which hardware components are most likely to restrict performance for
a file server?
Key Points
You should familiarize yourself with basic performance measurement objects and
counters to monitor the main hardware components.
Key Points
It is important to align planning across your organization. By analyzing
performance trends, you can make decisions for the future.
• You should give careful consideration to the value of performance data to
ensure that it reflects the real server environment.
• You should consider performance analysis alongside business plans.
• It may be possible to reduce the number of servers in operation after you have
measured performance.
Question: What additional server support will your current business plans
require?
Key Points
You want to ensure that you are able to support future growth in your
organization. Planning for future capacity will allow your organization to grow
without compromising productivity.
Capacity planning focuses on:
• The server workload.
• The number of users that a server can support.
• How to scale the systems to support additional workload and users in the
future.
Question: How can you scale up your existing server workload to support more
users?
Key Points
Windows Server 2008 uses server roles to improve server efficiency and security.
• By identifying the role that a server performs, you can ensure that you measure
the necessary counters to monitor performance.
• By using server roles, you ensure that you install and activate only the required
components on your servers.
• Only the performance objects and counters that are relevant to the installed
server role are available to monitor.
Question: Which server roles will you use in your organization? Which objects
and counters will be available for you to monitor?
Key Points
There are many counters that you should research and consider monitoring to
meet your specific requirements.
Windows Server 2008 enables monitoring of operating system performance
through performance objects and counters in the object. Windows Server 2008
collects data from counters in various ways, including:
• Real-time snapshot value
• Total since last server restart
• Average over specific time interval
• Average of last x values
Question: Why are average counters more useful than counters that show the
current value?
Key Points
CPU counters are a feature of the computer's CPU that store the count of
hardware-related events.
• Processor\% Processor Time: Shows the percentage of elapsed time that this
thread used the processor to execute instructions. An instruction is the basic
unit of execution in a processor, and a thread is the object that executes
instructions. Code executed to handle some hardware interrupts and trap
conditions is included in this count.
• Processor\Interrupts/sec: Shows the rate, in incidents per second, at which the
processor received and serviced hardware interrupts.
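The following added example (not Microsoft's code or the course's) shows how the two processor counters above are derived from raw samples and then applies the four collection methods listed earlier (snapshot, total since restart, average over an interval, average of the last x values). It assumes Performance Monitor's usual derivation: % Processor Time from a 100-ns idle-time counter and Interrupts/sec from a cumulative count; the raw samples are constructed.

```python
"""Worked derivation of the counter values discussed above (added example;
not Microsoft code).

Performance Monitor keeps raw samples and derives displayed values from pairs
of consecutive samples: Processor\\% Processor Time from a 100-ns idle-time
counter (an inverted timer) and Processor\\Interrupts/sec from a cumulative
event count. The four presentation methods listed above are then applied to
the derived series. The raw samples are constructed.
"""
from typing import List, Tuple

HUNDRED_NS_PER_SECOND = 10_000_000

# Constructed raw samples taken one second apart:
# (timestamp in 100-ns units, idle time in 100-ns units, interrupt count)
RAW_SAMPLES: List[Tuple[int, int, int]] = [
    (0,          0,          0),
    (10_000_000, 8_000_000,  1_200),  # 0.8 s idle in 1 s -> 20 % busy
    (20_000_000, 9_000_000,  2_200),  # 0.1 s idle        -> 90 % busy
    (30_000_000, 14_000_000, 3_000),  # 0.5 s idle        -> 50 % busy
    (40_000_000, 14_500_000, 5_000),  # 0.05 s idle       -> 95 % busy
]


def percent_processor_time(prev, cur) -> float:
    """100 * (1 - idle_delta / elapsed): the busy share of the interval."""
    (t0, idle0, _), (t1, idle1, _) = prev, cur
    return 100.0 * (1.0 - (idle1 - idle0) / (t1 - t0))


def interrupts_per_sec(prev, cur) -> float:
    """count_delta / elapsed_seconds: a rate derived from a cumulative count."""
    (t0, _, c0), (t1, _, c1) = prev, cur
    return (c1 - c0) / ((t1 - t0) / HUNDRED_NS_PER_SECOND)


def derive(samples) -> List[Tuple[float, float]]:
    """Per-interval (busy %, interrupts/sec); one fewer than the raw samples."""
    return [(percent_processor_time(p, c), interrupts_per_sec(p, c))
            for p, c in zip(samples, samples[1:])]


def processor_time_series(samples=RAW_SAMPLES) -> List[float]:
    return [pct for pct, _ in derive(samples)]


def interrupt_rate_series(samples=RAW_SAMPLES) -> List[float]:
    return [rate for _, rate in derive(samples)]


# The four ways the text says counter data is collected.
def snapshot(values: List[float]) -> float:
    """Real-time value: just the most recent interval."""
    return values[-1]


def total_since_restart(samples) -> int:
    """A cumulative count is reset only when the server restarts."""
    return samples[-1][2]


def average_over_interval(values: List[float]) -> float:
    return sum(values) / len(values)


def average_of_last_x(values: List[float], x: int) -> float:
    window = values[-x:]
    return sum(window) / len(window)
```

On these samples the last snapshot reads 95 % busy while the average over the whole interval is 63.75 %, which is the difference the review question about average counters is driving at.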
Question: If the % Processor time is 80%, should any corrective action be taken?
Key Points
The Memory performance object consists of counters that describe the behavior of
physical and virtual memory on the computer. Physical memory is the amount of
RAM on the computer. Virtual memory consists of space in physical memory and
on disk. Many of the memory counters monitor paging, which is the movement of
pages of code and data between disk and physical memory.
Question: If the Pool Nonpaged Bytes counter shows a slow rise, what might be happening?
Key Points
The LogicalDisk performance object consists of counters that monitor logical
partitions of hard or fixed disk drives. System Monitor identifies logical disks by
their drive letter, such as "C."
The PhysicalDisk performance object consists of counters that monitor hard or
fixed disk drives. Disks are used to store file, program, and paging data. They are
read to retrieve these items, and are written to record changes to them. The values
of physical disk counters are sums of the values of the logical disks (or partitions)
into which they are divided.
Key Points
Most workloads require access to production networks to ensure communication
with other applications and services and to communicate with users. Network
requirements include elements such as throughput—that is, the total amount of
traffic that passes a given point on a network connection per unit of time.
Other network requirements include the presence of multiple network
connections. Workloads might require access to several different networks that
must remain secure. Examples include connections for:
• Public network access.
• Networks for performing backups and other maintenance tasks.
• Dedicated remote-management connections.
• Network adapter teaming for performance and failover.
• Connections to the physical host server.
• Connections to network-based storage arrays.
Question: If the output queue length is 5, what problems might you have in your
network?
Results: After this exercise, you should have identified performance issues with servers
and suggested steps to resolve the problems.
Results: After this exercise, you should have identified steps to create a data collector
set for measuring file server performance.
Windows Server 2008 provides a range of tools to monitor the operating system
and applications that you can use to tune your system for efficiency. You should
use these tools and complement them where necessary with your own tools.
Key Points
Windows Server 2008 has a range of built-in tools to assist you in monitoring your
systems.
Windows Server 2008 Event Viewer collects information that relates to server
operations.
Task Manager enables you to view processes in real time to determine their exact
resource usage at a point in time.
All performance counters are available programmatically through Microsoft
Windows® Management Instrumentation (WMI). By making performance counters
available through WMI, you can monitor servers by using scripts.
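The following script is an added example and is not part of the course. It reads the Processor, Memory and Network Interface counters discussed in this module through WMI (the Win32_PerfFormattedData classes), averages several readings instead of acting on one, and warns when the averaged values cross the thresholds the module's questions raise. It assumes PowerShell 2.0 or later, an administrator account with WMI access to the servers, the lab computer names NYC-DC1 and NYC-SVR1, and illustrative thresholds (80 percent CPU, Output Queue Length above 2) rather than figures from the course.

```powershell
# Added example (not from the course). Sample counters through WMI, average them over
# several readings, and flag values that merit a closer look.
# Assumptions: PowerShell 2.0+, administrator with WMI access to the listed servers;
# the computer names are the lab's, the thresholds are illustrative.
$computers = "NYC-DC1", "NYC-SVR1"
$samples   = 5      # readings per counter
$interval  = 2      # seconds between readings

function Get-AverageCounters {
    param([string]$Computer)
    $cpu = @(); $irq = @(); $pool = @(); $queue = @()
    for ($i = 0; $i -lt $samples; $i++) {
        # Processor object, _Total instance: % Processor Time and Interrupts/sec
        $p = Get-WmiObject -ComputerName $Computer -Class Win32_PerfFormattedData_PerfOS_Processor -Filter "Name='_Total'"
        $cpu += [int]$p.PercentProcessorTime
        $irq += [int]$p.InterruptsPersec
        # Memory object: Pool Nonpaged Bytes; a steady rise over hours points at a kernel-mode leak
        $m = Get-WmiObject -ComputerName $Computer -Class Win32_PerfFormattedData_PerfOS_Memory
        $pool += [long]$m.PoolNonpagedBytes
        # Network Interface object: worst Output Queue Length across all adapters
        $n = Get-WmiObject -ComputerName $Computer -Class Win32_PerfFormattedData_Tcpip_NetworkInterface
        $queue += [int](($n | Measure-Object -Property OutputQueueLength -Maximum).Maximum)
        Start-Sleep -Seconds $interval
    }
    New-Object PSObject -Property @{
        Computer            = $Computer
        AvgCpuPercent       = [math]::Round(($cpu | Measure-Object -Average).Average, 1)
        AvgInterruptsPerSec = [math]::Round(($irq | Measure-Object -Average).Average, 0)
        PoolNonpagedMB      = [math]::Round($pool[-1] / 1MB, 1)
        PoolNonpagedDeltaKB = [math]::Round(($pool[-1] - $pool[0]) / 1KB, 0)
        MaxOutputQueue      = ($queue | Measure-Object -Maximum).Maximum
    }
}

foreach ($c in $computers) {
    $r = Get-AverageCounters -Computer $c
    $r | Format-List Computer, AvgCpuPercent, AvgInterruptsPerSec, PoolNonpagedMB, PoolNonpagedDeltaKB, MaxOutputQueue
    # The average, not a single reading, decides whether to act: one 100% sample is
    # normal, 80% sustained over the whole window is not.
    if ($r.AvgCpuPercent -gt 80) {
        Write-Warning "$c: CPU averaged $($r.AvgCpuPercent)% over $($samples * $interval) s; check Processor Queue Length and the top processes"
    }
    if ($r.MaxOutputQueue -gt 2) {
        Write-Warning "$c: Output Queue Length reached $($r.MaxOutputQueue); the adapter is saturated or its driver is stalling"
    }
}
```

A ten-second window is long enough to show why averages beat instantaneous values, but a pool leak only shows as a trend over hours, so PoolNonpagedDeltaKB is reported rather than alerted on; a data collector set with a long sample interval is the right tool for that trend.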
Question: Which tools do you currently use to monitor servers? How can you
make use of improved monitoring tools in Windows Server 2008?
Key Points
Performance Monitor provides a visual display of Windows performance objects
and counters, either in real time or as a review of historical data. Performance
Monitor features multiple graph views that you can use to review performance log
data. You can create custom views in Performance Monitor that you can export as
data collector sets for use with performance and logging features.
Key Points
Reliability Monitor provides a system stability overview and trend analysis with
detailed information about individual events that may affect the overall stability of
the system.
Question: How can you use the Reliability Monitor in your organization?
Key Points
• Reliability and Performance Monitor resources view.
• Performance Monitor overview.
• Reliability Monitor overview.
• Reports overview.
Question: Where can you find real-time information about network activity?
Question: Which Reliability Monitor reports will you implement in your work
environment?
Key Points
Third-party tools can help you monitor your server environment.
Hardware vendor tools are useful in detecting performance issues that occur
because of faulty hardware.
Many third-party tools integrate with System Center Operations Manager
(Operations Manager) 2007 to provide a centralized monitoring console for your
organization.
Question: Which third-party monitoring tools do you currently use, if any? How
can these help you monitor server performance in the future?
Key Points
Event Viewer enables you to view events on a single remote computer. However,
troubleshooting an issue might require you to examine a set of events stored
in multiple logs on multiple computers. Event Viewer provides the ability to
collect copies of events from multiple remote computers, and store them locally.
To specify which events to collect, you create an event subscription. After a
subscription is active and events are being collected, you can view and manipulate
these forwarded events as you would any other locally stored events.
Your business will require you to react to various events to ensure that you
maintain SLAs. To meet SLAs, you must notify staff by using a range of methods to
take appropriate action to resolve problems. It may be necessary for staff to request
additional support to assist in troubleshooting some events.
Key Points
Performance tuning is an ongoing exercise where you never achieve perfection.
You should ensure that your server operations run effectively and meet all of your
business SLAs.
You should always attempt to find the most cost-effective solution to a
performance bottleneck.
Question: What are your business's required response times, and how does your
business make staff available to provide support?
Key Points
You should react in a measured and appropriate manner to an event.
• Some events will require staff to react immediately to ensure that they
maintain system availability.
• Other events may require staff to perform investigative work in the form of
additional system checks to determine the cause of a problem and then to
provide a solution to improve system performance. These system checks
usually do not require an immediate e-mail response.
• Notifications to server events should take into account the severity of the
problem.
Key Points
To meet SLAs, you should ensure that you have a clear audit trail to follow when
you escalate performance issues.
• Your SLAs should state the amount of time problems remain at various stages
during resolution. This helps you to provide an acceptable and mutually
agreed level of service to your organization.
• Where it is not possible to resolve an issue in-house, you should notify the
relevant people because further delays are likely.
Question: What improvements can you make to the escalation paths for issues
within your business?
Key Points
Performing regular maintenance tasks will help facilitate optimal server availability.
• Regular maintenance tasks involve ensuring that your computer is up-to-date with
the latest operating system updates, including security updates. You will also
want to ensure that the latest security updates are installed for all
applications.
• Monitoring performance, health and diagnostics on a regular basis will ensure
possible issues are caught early.
• Troubleshooting tools, such as Event Viewer, are included with Windows
Server 2008. In addition, administrators can search the Microsoft TechNet
Web site, the Microsoft Web site, search engines, newsgroups, and blogs.
Question: List the monitoring tasks you perform at work most often.
Key Points
Different server roles will necessitate different tasks. However, you will want to
perform some tasks for all types of servers, including reviewing system and
application event logs.
Question: Which event logs do you regularly review on your servers at work?
Key Points
To make the best use of administrator time while still monitoring servers
adequately, you should follow guidelines for the frequency of management tasks.
There are many advantages to automating aspects of your Windows Server 2008
management strategy.
Automating management tasks often saves time and can have a significant impact
on costs. However, there are many considerations to take into account that relate
to the methods, skills, software, and planning that you must perform before you
can deploy automation options.
Key Points
When you examine automation solutions for managing your server infrastructure,
you must consider several aspects that can provide benefits but may have hidden
restrictions or costs.
Key Points
Microsoft provides many tools that can simplify complex or repetitive tasks in
Windows Server 2008. Although some of these tools may require additional skills,
several of them are straightforward to implement and offer immediate benefits.
In addition, you may use various third-party tools that can perform monitoring and
alerting, deploy configuration changes, or perform audits to more easily manage
computers on your network.
Question: In what ways can using automation tools benefit your organization?
Key Points
When you choose tools to help you manage your infrastructure, you must consider
several factors to ensure that you make the right choice. You may need to select
several tools to ensure comprehensive coverage of all of your management
requirements.
Question: If you currently use some of these tools, why was the tool(s) chosen?
Results: After this exercise, you should have configured a performance alert.
Results: After this exercise, you should have identified performance counters that you
will need to collect from a server in your own organization.
<QueryList>
  <Query Id="0" Path="Directory Service">
    <Select Path="Directory Service">*[System[(Level=2 or Level=3) and (EventID=1308 or EventID=1864)]]</Select>
  </Query>
</QueryList>
$aryComputers = "NYC-DC1","NYC-SVR1"
Set-Variable -name intDriveType -value 3 -option constant
# Completion added here (the lab's own script body is not reproduced): DriveType 3 is a local fixed disk
foreach ($strComputer in $aryComputers) { Get-WmiObject -Class Win32_LogicalDisk -ComputerName $strComputer -Filter "DriveType=$intDriveType" | Select-Object SystemName, DeviceID, @{n="FreeGB"; e={[math]::Round($_.FreeSpace / 1GB, 2)}} }
• Save as C:\Users\Administrator.Woodgrovebank\Documents\DriveReport.ps1.
• Start Windows PowerShell.
• Turn on Windows PowerShell script execution by typing the following:
set-executionpolicy unrestricted. For a script you created locally,
Set-ExecutionPolicy RemoteSigned is sufficient and is the safer choice, because
Unrestricted also runs unsigned scripts that were downloaded from the Internet.
Restore the previous policy when the lab is complete.
• Run the DriveReport.ps1 script that you created and review the results.
Results: After this exercise, you should have configured Event Log forwarding for
Active Directory directory service replication errors and run a script to review disk
space.
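The lab configures the event subscription in the Event Viewer user interface. The following is an added example, not the course's lab script, showing the same collector-initiated subscription created from the command line with wecutil so that it can be repeated on every collector. It uses the lab's Directory Service query and computer names; the collector NYC-SVR1, the source NYC-DC1, the DNS name NYC-DC1.woodgrovebank.com and the file path are assumptions. It also assumes that the collector's computer account has been added to the Event Log Readers group on the source, which is what lets the collector read the Directory Service log with the default credentials.

```powershell
# Added example (not the course's lab script): create the Directory Service replication
# error subscription with wecutil instead of the Event Viewer wizard.
# Assumptions: NYC-SVR1 is the collector, NYC-DC1 the source (lab names); the collector's
# computer account is in Event Log Readers on NYC-DC1; the FQDN and file path are illustrative.

# 1. On the source NYC-DC1 (run once, elevated): enable WinRM so the collector can connect.
#    winrm quickconfig -q

# 2. On the collector: enable and start the Windows Event Collector service.
wecutil qc /q

# 3. Write the subscription. The XPath is the lab's query, embedded in a CDATA section.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>AD-Replication-Errors</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Directory Service warnings and errors 1308 and 1864 from domain controllers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0" Path="Directory Service">
    <Select Path="Directory Service">*[System[(Level=2 or Level=3) and (EventID=1308 or EventID=1864)]]</Select>
  </Query>
</QueryList>
  ]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>NYC-DC1.woodgrovebank.com</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@
$file = "$env:TEMP\ad-repl.xml"
Set-Content -Path $file -Value $subscription -Encoding ASCII

# 4. Create the subscription and check that the source was reached: the per-source
#    runtime status should read Active, not Trying or Disabled.
wecutil cs $file
wecutil gr AD-Replication-Errors

# 5. Confirm events actually arrive in ForwardedEvents before building alerts on them.
wevtutil qe ForwardedEvents /q:"*[System[(EventID=1308 or EventID=1864)]]" /c:10 /f:text
```

ReadExistingEvents is set to true so that replication errors logged before the subscription existed are collected on the first connection; set it to false on a collector that should only see new events. The runtime status check in step 4 is the part most often skipped: a subscription that never reaches its source is silently empty.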
Review Questions
1. What are the benefits of monitoring server performance?
2. What are some of the tasks that you should undertake when you create a
performance baseline for a server?
3. What are the advantages of using a range of monitoring tools?
4. What are the advantages of measuring specific performance counters?
5. What are the advantages of using alerts to identify performance issues?
This lesson examines the planning elements that are required to create a
successful, unobtrusive, and secure backup process. You can apply these
considerations when you are planning backup for various types of data on your
network. Typically, you will distribute backup tasks among various servers and
personnel in your environment.
Key Points
When you plan your backup strategy, you must choose which backup software to
use and who should perform some of the required backup tasks.
You need to use backup software to back up the data and servers on your network.
You can choose the backup feature in the Windows Server 2008 operating system
or you can choose third-party backup software. Your choice depends on your
backup medium, how you intend to manage your backups across several servers,
and licensing costs, among other factors. For example, the Windows Server 2008
Backup feature has no additional licensing costs, but it does not support tape
backups.
The Windows Server 2008 Backup feature also supports command-line use
through the Wbadmin.exe command. This is useful for scripting or performing
specific backups such as system state data. Note that system state backup is only
available for the command line and is not available in the Windows Server Backup
snap-in user interface. In addition, you cannot configure a scheduled backup to
create system state backups. However, you can script the Wbadmin start
systemstatebackup command to run backups on a schedule.
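The following is an added example, not part of the course, of the scheduled system state backup that the text describes: because the snap-in cannot schedule one, the Wbadmin command is wrapped in a scheduled task. It assumes the Windows Server Backup feature is installed, that E: is a locally attached disk dedicated to backups (not one of the server's critical volumes), and that the task name and time are illustrative.

```powershell
# Added example (not from the course): schedule a nightly system state backup with wbadmin,
# which the Windows Server Backup snap-in in Windows Server 2008 cannot do.
# Assumptions: Windows Server Backup feature installed; E: is a dedicated backup disk
# that is not a critical volume; task name and time are illustrative.
$target = "E:"
$task   = "SystemStateBackup"

# The command the task runs. -quiet suppresses the interactive confirmation prompt.
$command = "wbadmin start systemstatebackup -backupTarget:$target -quiet"

# Run as LocalSystem every day at 23:00. SYSTEM already holds the backup privilege,
# so no stored administrator password is needed.
schtasks /create /tn $task /tr $command /sc daily /st 23:00 /ru SYSTEM /rl HIGHEST /f

# Run the task once now and confirm a version was written rather than waiting for tonight.
schtasks /run /tn $task
Start-Sleep -Seconds 120
wbadmin get versions "-backupTarget:$target"
```

Keep several versions on the target: wbadmin get versions is also the quickest way to confirm, after each run, that the schedule is producing what the restore procedure will later depend on.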
Managing Windows Server 2008 Backup and Restore 15-5
Key Points
When you plan your backup strategy, you must plan the elements that are listed in
the following table.
List the data to back up: You must identify all data that requires backup so that you
can restore your data and systems in the event of a disaster.
Create a backup schedule: You must plan how frequently and at what times servers
perform automated backup tasks.
Choose a backup type: Based on the frequency and the time that is taken to perform a
backup and a restore operation, you may also need to select a backup type.
Your backup software (for example, SQL Server 2008 backup) may enable you to
choose from the following backup types:
• Full or Normal
• Incremental
• Differential
The Windows Server 2008 Backup feature performs one scheduled full backup
followed by scheduled incremental backups by using the Volume Shadow Copy
Service (VSS).
Choose the backup medium: Based on your backup software, the size of backups, and
the time to restore data, you should choose an appropriate backup medium.
Backup media include:
• Tape (not available with Windows Server 2008 Backup)
• Removable hard disk
• DVD
• Shared folder
Tape is available in various formats, supporting various data rates and storage
capacities. If you back up to tape, you should ensure that the tape format that you
use is appropriate to the quantity of data that you are backing up.
The Windows Server 2008 Backup feature does not support backing up to tape.
Scheduled backups require a dedicated local or removable disk; one-time backups
can also target DVD media or a shared folder.
Consider the length of time that you require to retain backups to restore data.
Should you be able to restore data from one month ago, six months ago, 12 months
ago, or longer?
You must also consider the storage location of your backup media. Tapes are
susceptible to magnetic fields and heat, so they should be stored away from these
environmental factors.
Key Points
When you create a backup schedule, you should consider the following factors:
How often does the data change? You may want to back up data that changes more
frequently more often so that you can restore as much information as possible. You
should also consider backing up data that changes less often less frequently to
reduce storage requirements and administrative overhead.
What is the cost to re-create the data? This cost should have an impact on how
frequently you back up data and the storage medium that you use to perform
backups. The storage medium has a large effect on the time that a backup takes.
Key Points
How long must you keep data? Must you keep data for legal compliance, such as
Sarbanes-Oxley, or for business requirements such as the ability to audit all
projects during the previous five years?
Where should you archive data? Do users require access to archived data regularly,
which may require keeping the data on a server, or can the data be archived to a
static medium such as optical or tape storage? For static media archival, you must
consider that media such as DVD or tape has a finite lifetime for storing data.
What is the cost of data storage? Different storage mechanisms and media have
different costs associated with them. If you keep your data archive on your
corporate storage area network (SAN), this has a relatively high cost per megabyte
(MB). If you keep archived data on a server hard disk, it has a lower cost per MB,
and data that is stored on tape has a very low cost per MB. Contrary to this is the
ease of access, so you must balance the cost against the ease of access for the data.
Typically, you move older data to cheaper storage media.
Key Points
Planning backups for encrypted files must include consideration for correctly
backing up and recovering the files and for backing up and recovering the
encryption keys.
Encrypting File System (EFS) is a powerful tool for encrypting files and folders on
client computers and remote file servers. It enables users to protect their data from
unauthorized access by other users or external attackers.
Backing up Hyper-V
Although not technically a backup, a VM snapshot provides a point in time to
which you can revert; it is implemented as differencing disks plus a copy of the
VM configuration file. A snapshot is stored alongside the VM on the same host, so
it does not protect against loss of the host or its storage; the virtual hard disks
and configuration must still be backed up separately.
Key Points
Factor: Details
Service-level agreements: If your information technology (IT) department has agreed
on SLAs or intends to create SLAs for data or server availability, you must include
consideration of backup and restore processes in your SLA. An SLA should specify
the data or servers to which it refers, and it should identify acceptable periods of
unavailability. The time that is taken to perform a restore operation must not
exceed the SLA; if it does, the SLA cannot be met.
Cost: When you plan your backup policy, you must consider the cost of your backup
solution. Costs for your backup solutions can include hardware, software, and
media. You should carefully consider cost with respect to backup and restore times,
and the required storage quantities. Larger storage capacities or faster storage
media are more expensive, but you may require these for specific data types in your
organization, such as database backups.
When you plan for increases in data storage, you should include any necessary
increase in backup costs that are required to maintain your backup schedule.
Personnel: You should also consider who can perform backup tasks. This includes
physical tasks such as loading or changing tape libraries, and system tasks such as
performing backups or changing backup schedules.
Question: Does your information technology (IT) department fulfill any service-
level agreements (SLAs)?
Key Points
Security considerations for your data backups are an important part of your overall
security strategy. Physical security is particularly important with backup storage
media, at both on-site and off-site locations.
Key Points
When you plan who should perform key backup and restore tasks in your
organization, consider whether the backup and restore roles should be separated
for security purposes.
Training is also important for individuals to understand the effect of backup and
restore on data and related systems.
This lesson will discuss the requirements for a restore policy on Windows Server
2008. Your restore policy should not be a static document that you write once and
archive. You should regularly update your server restore policy by reviewing the
results of trial and real restore operations.
Key Points
Total server failure may require data recovery from an off-site location.
You should determine whether a single file or application data requires restoring.
You should consider the potential impact that a failed restore could have on your
organization.
Question: Who determines the restore procedures during data and server loss
incidents within your organization?
Question: What process do you follow to ensure that you only restore valid data
and that no data is lost during the restore process?
Key Points
Perform a brief business impact analysis before you restore data to determine the
possible number of users who are impacted by the restore of data.
Consider the effect on service-level agreements (SLAs) that the restore of data will
have.
Question: How can you improve the change management process for restoring
data in your organization?
Key Points
You should continually strive to improve your backup plan after you have
identified areas for improvement from unsuccessful restores.
You should regularly review your backup policy by performing a trial restore of
data.
Question: What improvements can you make to your disaster recovery plans?
Key Points
Data restore may require emergency changes to meet SLAs.
You can empower users to recover their own data by using earlier versions.
The Volume Shadow Copy Service (VSS) captures and copies stable images for
backup on running systems, particularly servers, without unduly degrading the
performance and stability of the services they provide.
Question: How do you ensure that restored data does not overwrite newer data in
your organization?
Key Points
You should review backup log files after each backup. Some backups will fail; you
should ensure that the backups are complete and useable for restore.
After you have restored data, you should verify that the restoration of all files has
been successful by reviewing the associated log files.
Question: How frequently are the backup logs reviewed and trial restores
performed to ensure that the backups have worked as expected in your
organization?
Key Points
You should verify that access to restored data is only available to authorized users.
You should consider whether to restore data to an alternate location or to
overwrite existing files.
Question: What is the process in your organization for checking access to restored
data?
Key Points
You should use the built-in group Backup Operators to enable users to back up
and restore files and folders.
If users only require the right to back up files, you should not place them in the
Backup Operators group, because this would grant users additional rights to
restore files.
Key Points
You should review, improve, and update all of your policies and working practices
to ensure that you continue to meet the requirements of your business.
By increasing the frequency of backups, you can provide access to recent changes
in documents for users.
Windows Server 2008 simplifies scheduling backup tasks by using VSS. This
improved backup enables users to restore files without resorting to assistance from
the IT team.
Question: How often do you update the backup and restore policy in your
organization? Can you identify areas of your current policies that require updating?
By encrypting data, you secure it so that only the data owner (and any designated
recovery agent) can access the files. This can complicate restores, because the keys
that decrypt the files are stored separately from the files, in the user's certificate
store.
If the private key that belongs to a user's EFS certificate is lost or corrupted and
no recovery agent key is available, there is no way to recover the data. It is
therefore critical that you back up the certificates and private keys used for
encryption and store the backups in a secure location. You can also specify a
recovery agent, which can decrypt the data with its own key. The recovery agent's
certificate serves a different purpose from the user's certificate.
This lesson will discuss the requirements for restoring encrypted data by using the
Encrypting File System (EFS) on Windows Server 2008. It is beyond the scope of
this course to detail the recovery of file encryption keys.
Key Points
You should ensure that you can recover encryption keys and data as part of your
recovery strategy.
When you restore data, you should ensure that you match the file that is restored
with the same key that you used to encrypt the file.
You should have a documented and tested procedure to restore user encryption
keys.
Question: What steps must you take to ensure that you can recover EFS keys and
data?
Key Points
There are many configurations and recovery options for EFS.
You can recover keys from Active Directory, backups, or recover the data by using
data recovery agents. You should also consider that if an organization does not
centralize key storage in AD, there is the possibility of recovery keys being stored
on multiple servers and workstations throughout the organization.
By using a recovery agent, you can ensure that data is recoverable in the event of
loss of the original user encryption keys.
In a secure environment where only the user who encrypts a file may decrypt it,
your options for file and encryption key recovery may be limited to only the user
owning the file if the data recovery agent (DRA) keys are intentionally deleted. This
makes the file more secure by limiting access to only the user who encrypts the
file; however, the tradeoff is that you can only ever recover the file by using the
original encryption key. Note also that a file keeps the recovery field written when
it was encrypted until EFS updates it; the cipher /u command updates every
encrypted file on the local drives to the current user and recovery keys, so run it
after any change to the recovery policy.
Key Points
After you complete these steps, your Windows Server 2008 enterprise CA will be
configured to issue digital certificates.
Key Points
• To designate a user as an additional recovery agent using the Add Recovery
Agent Wizard, click Add Data Recovery Agent.
• To allow EFS to work without recovery agents, point to All Tasks and then
click Do Not Require Data Recovery Agents.
• To delete this EFS policy and every recovery agent, point to All Tasks and then
click Delete Policy. If you select this option, users can still encrypt files on this
computer. Note that this option will not appear unless there is an EFS policy
on the computer.
Important: Before changing the recovery policy in any way, you should first back up
the recovery agent's certificate and private key to removable media, such as a
floppy disk or USB drive, and store it securely.
Note: We recommend that you back up the file to a disk or to a removable media
device, and then store the backup in a location where you can confirm the physical
security of the backup.
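The following is an added example, not part of the course, that carries out the key-management steps this lesson describes with cipher.exe: creating a recovery agent certificate, backing up a user's own EFS keys, checking which certificates can actually open a given file, and refreshing existing files after the recovery policy changes. The file and folder paths are illustrative. Adding the generated DRA certificate to the EFS policy is still done with Add Data Recovery Agent in Group Policy or the local security policy, as described above.

```powershell
# Added example (not from the course): the cipher.exe steps behind EFS key recovery.
# Assumptions: run as the user whose keys are being handled; all paths are illustrative;
# the .cer produced in step 1 is added to the recovery policy separately (Add Data Recovery Agent).

# 1. Generate a self-signed data recovery agent certificate and key (prompts for a password).
#    DRA.cer goes into the recovery policy; DRA.pfx IS the recovery key: move it to removable
#    media and a safe, and never leave it on the file server.
cipher /r:C:\Temp\DRA

# 2. Back up the current user's own EFS certificate and private key to a password-protected
#    PFX (prompts for the password). Without this backup and without a DRA, a lost profile
#    means lost data.
cipher /x "C:\Temp\EFS-Backup-$env:USERNAME"

# 3. Before trusting a recovery policy change, check which certificates can open a file:
#    /c lists the user certificates and the recovery agent certificates stored in the file.
cipher /c D:\Data\Reports\budget.xlsx

# 4. After a DRA is added or replaced, existing files still carry the old recovery field.
#    /u rewrites the user and recovery keys in every encrypted file on the local drives.
cipher /u

# 5. /u with /n changes nothing and simply lists every encrypted file on the local drives,
#    which tells the backup plan which restores will need a key.
cipher /u /n
```

Step 3 is the check to run in a disaster recovery rehearsal: if the recovery agent you expect is not listed for the file, no amount of DRA key backup will help with that file.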
Question: List at least one example of how your organization can use the Recovery
Agent to access EFS files during a disaster recovery scenario.
Key Points
Data Recovery—Best Practices
In general, the best practice for organizations to follow regarding data recovery is
to deploy a public key infrastructure (PKI) to issue certificates to users and data
recovery agents that are issued from a certification authority (CA). The Microsoft
Enterprise Certification Authority makes it easy for users to automatically get
certificates for use by EFS.
Question: Who in your organization has the proper DRA privileges to open EFS
encrypted files?
Key Points
Sometimes a problem can arise that will prevent Windows from starting properly.
This lesson will discuss the common causes of startup problems, review startup
process that may be affected, and explore different troubleshooting techniques that
you can use depending on when the failure occurs.
Key Points
Diagnosing and correcting hardware and software problems that affect the startup
process requires different tools and techniques than troubleshooting problems that
occur after the system has started, because the person troubleshooting the startup
problem does not have access to the full suite of Microsoft Windows Server 2008
troubleshooting tools. Resolving startup issues requires a clear understanding of
the startup process and core operating system components, as well as the tools
used to isolate and resolve problems.
Startup failure can result from a variety of problems, such as user error, driver
problems, application faults, hardware failures, disk or file corruption, system
misconfiguration, or virus activity. If the condition is serious enough, you might
need to reinstall Windows.
Question: Can you think of situations where you had to troubleshoot a Windows
startup problem and if so how did you resolve it?
Key Points
The above startup sequence applies to systems started or restarted after a normal
shutdown.
The detect and configure hardware phase detects and configures only hardware
necessary to start the kernel loading phase, including system buses, hard disks,
input devices, and parallel ports. Remaining hardware devices are configured
during the kernel loading phase.
Key Points
Being prepared for a server failure means being able to recover the server quickly
in the event of a disaster. On a computer running Windows Server 2008, you can
use the following to perform recovery tasks:
Recovery Wizard. This wizard helps you recover files and folders, applications,
and volumes.
Catalog Recovery Wizard. This wizard helps you recover the backup catalog. This
wizard is only available if your backup catalog has become corrupted.
A Windows Setup disc and a backup created with Windows Server Backup.
This method helps you recover your operating system or full server.
You can also perform recoveries using the Wbadmin start recovery, Wbadmin
start systemstaterecovery, and Wbadmin restore catalog commands.
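As an added example, not part of the course, the following shows the Wbadmin recovery path for the most common case, restoring a folder from a backup version to an alternate location, together with the two checks the earlier lessons ask for: that the restore does not overwrite newer data, and that access to the restored data is limited to authorized users. It assumes the backup is on E:, that D:\Data\Reports and D:\Restore are illustrative paths, and that the version identifier shown is a placeholder to be taken from the wbadmin get versions listing.

```powershell
# Added example (not from the course): recover a folder to an alternate location with
# wbadmin and verify its permissions before users are pointed at it.
# Assumptions: backup on E:; paths are illustrative; the version identifier is a placeholder.
$backupTarget = "E:"
$restoreTo    = "D:\Restore"

# 1. List the available versions. Identifiers have the form MM/DD/YYYY-HH:MM.
wbadmin get versions "-backupTarget:$backupTarget"

# 2. Restore the folder tree. -recoveryTarget keeps the live data untouched, and
#    -overwrite:CreateCopy keeps any newer copy that already exists at the target
#    instead of replacing it.
$version = "01/31/2009-23:00"    # placeholder; take it from the listing above
wbadmin start recovery "-version:$version" -itemType:File "-items:D:\Data\Reports" `
    "-recoveryTarget:$restoreTo" -recursive -overwrite:CreateCopy -quiet

# 3. File ACLs are restored with the data unless -notRestoreAcl is passed. Confirm that
#    nothing in the restored tree is readable by broad groups before handing it over.
icacls $restoreTo /t | Select-String -Pattern "Everyone|Authenticated Users|BUILTIN\\Users"

# A full system state restore uses the companion command and must be followed by a restart:
#   wbadmin start systemstaterecovery "-version:$version" -quiet
```

Restoring to an alternate location and then copying the files that are actually needed is slower than restoring in place, but it is the only form of restore that cannot destroy work done since the backup was taken.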
Key Points
Use this flow chart to see how to troubleshoot startup problems that occur before
the Windows Server 2008 logo appears.
In earlier versions of Windows, a file called boot.ini contained information about
the Windows operating systems installed on the computer. This information was
displayed during the startup process when you turned on your computer. It was
most useful in multiboot configurations, or for advanced users or administrators
who needed to customize how Windows started.
In Windows Server 2008, the boot.ini file has been replaced with the Boot
Configuration Data (BCD) store. The store is more versatile than boot.ini, and it can
apply to computer platforms that use firmware other than the basic input/output
system (BIOS), such as Extensible Firmware Interface (EFI), to start the computer.
Question: Based on this flowchart, what would you say are the most common
causes of Windows failing to start before the Windows logo appears?
Key Points
If your computer displays the graphical Windows Server 2008 logo before
failing, use the process illustrated here to identify and disable the failing software
component to allow Windows to start successfully. Once Windows starts, you can
perform further troubleshooting to resolve the problem with the component if
necessary.
If the startup problem occurs immediately after updating or installing a startup
application, try troubleshooting the startup application.
When you are troubleshooting, the method for determining which services and
processes to temporarily disable varies from one computer to the next. The most
reliable way to determine what you can disable is to gather more information about
the services and processes enabled on your computer.
Managing Windows Server 2008 Backup and Restore 15-47
Question: Based on this flowchart, what would you say are the most common
causes of Windows failing to start after the Windows logo appears?
Key Points
If your computer fails immediately after a user logs on, use the process shown here
to identify and disable the failing startup application to enable successful log on. If
the problem occurs immediately after updating or installing an application, try
uninstalling the application.
If a problem occurs after installing new software, you can temporarily disable or
uninstall the application to verify that the application is the source of the problem.
Problems with applications that run at startup can cause logon delays or even
prevent you from completing Windows startup in Normal mode. The following
sections provide techniques for temporarily disabling startup applications.
Question: Based on this flowchart, what would you say are the most common
causes of Windows failing to start after logon?
Key Points
Although most hardware-related problems do not stop Windows Server 2008 from
starting successfully, they can appear before the logo would normally appear in
the startup process, and the symptoms include warning messages, startup
failures, and Stop messages.
The causes are typically improper device configuration, incorrect driver settings, or
hardware malfunction and failure. You can also use the suggestions provided in
the companion CD for troubleshooting hardware issues not directly related to
startup.
Question: If you suspected a hardware-related problem, what would be the first
things you would check?
In addition to the file servers, you are responsible for ensuring that four intranet
Web servers and two domain controllers can have the data or server restored in the
event of a disaster. Web pages on the intranet Web sites do not change frequently.
Currently, there is a scheduled weekly backup of the volumes that contain the
shares on the file servers and the volumes that contain the Web page content on
the Web servers.
In this exercise, you must review the existing backup plan against the requirements
that the management team at Woodgrove Bank has specified.
The main tasks for this exercise are as follows:
1. Review the existing backup plan.
2. Propose changes to the backup plan.
Backup Frequency
Sales
Finance
Human Resources
Technical Library
Projects
2. How would you address the requirement to restore the servers and how
frequently would you back up the servers?
Results: After this exercise, you should have reviewed the existing backup plan and
proposed changes to the backup plan.
Results: After this exercise, you should have created a backup strategy to comply with
the SLA and legal storage requirements.
Results: After these tasks, you should have initialized a new disk and created the new
backup schedule by using Windows Server Backup.
Results: After this exercise, you should have analyzed the backup data against the
restore requirements.
Requirements
2. What additional consideration must you make for performing a trial restore of
the HR data on NYC-FS1?
3. With what types of backup data should you perform a trial restore?
Results: After this exercise, you should have planned for trial restore operations.
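As an added example (not part of the course or the lab), this PowerShell script ties together the Wbadmin recovery commands introduced earlier and the trial-restore planning in this exercise: it recovers a folder from the newest backup version to an alternate location, so the live share is never overwritten, and then hashes every restored file against the live copy to verify the backup actually contains what you expect. The backup share, the folder to restore and the alternate location are assumed values; the hashing is done with .NET because Get-FileHash does not exist on Windows Server 2008.

```powershell
# Added example, not from the course: trial restore with Wbadmin plus verification.
param(
    [string]$BackupTarget  = '\\NYC-DC1\Backups',  # assumed: share that holds the backups
    [string]$SourceFolder  = 'E:\Shares\HR',        # assumed: folder to trial-restore
    [string]$RestoreTarget = 'E:\TrialRestore'      # assumed: alternate location, not the live share
)

function Get-LatestBackupVersion {
    # "wbadmin get versions" prints one "Version identifier: MM/DD/YYYY-HH:MM" line per backup,
    # oldest first, so the last identifier is the newest backup
    $out = & wbadmin get versions "-backupTarget:$BackupTarget" 2>&1
    $ids = $out | ForEach-Object { if ("$_" -match 'Version identifier:\s*(\S+)') { $Matches[1] } }
    if (-not $ids) { throw "No backup versions found on $BackupTarget" }
    return @($ids)[-1]
}

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

$version = Get-LatestBackupVersion
Write-Host "Trial-restoring $SourceFolder from version $version to $RestoreTarget"

# -recoveryTarget redirects the files; -overwrite:CreateCopy also preserves anything
# already sitting in the alternate location from an earlier trial
& wbadmin start recovery "-version:$version" -itemType:File "-items:$SourceFolder" `
    "-recoveryTarget:$RestoreTarget" -recursive -overwrite:CreateCopy -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin start recovery failed with exit code $LASTEXITCODE" }

# Assumed: Wbadmin recreates the folder under the target (E:\TrialRestore\HR);
# fall back to the target itself if it did not
$restoredRoot = Join-Path $RestoreTarget (Split-Path $SourceFolder -Leaf)
if (-not (Test-Path $restoredRoot)) { $restoredRoot = $RestoreTarget }

# Compare every restored file with the live copy; a mismatch or a file missing from
# the backup is exactly what a trial restore is meant to surface before a real disaster
$mismatch = 0
Get-ChildItem $restoredRoot -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
    $rel  = $_.FullName.Substring($restoredRoot.Length).TrimStart('\')
    $orig = Join-Path $SourceFolder $rel
    if (-not (Test-Path -LiteralPath $orig)) { Write-Warning "Only in backup: $rel"; return }
    if ((Get-Sha256Hex $_.FullName) -ne (Get-Sha256Hex $orig)) {
        $mismatch++; Write-Warning "Differs from live copy: $rel"
    }
}
Write-Host "Verification complete: $mismatch file(s) differ from the live data."
```

Files that differ are expected when the share changed after the backup ran; files that differ although nothing changed point at a problem with the backup itself.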
Results: After this exercise, you should have investigated a failed restore and changed
the backup policy.
Results: After this exercise, you should have seen how to back up and recover files
from the command line and from the Windows Server Backup utility.
Review Questions
1. What should you consider for your server restore policy?
2. What considerations should you take into account for the recovery of
encrypted data?
3. What steps should you take to verify restored data?
4. How do you know whether your backups are successful?
5. What provisions should you make for backup storage?
Tools
Your evaluation of this course will help Microsoft understand the quality of your
learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will
use your responses to improve your future learning experience. Your open and
honest feedback is valuable and appreciated.