
OFFICIAL MICROSOFT LEARNING PRODUCT

6419A
Configuring, Managing and Maintaining Windows Server 2008 Servers

Volume 1

Be sure to access the extended learning content on your Course Companion CD enclosed on the back cover of the book.


ii

Configuring, Managing and Maintaining Windows Server 2008 Servers

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Microsoft Press, Active Directory, ActiveX, BitLocker, Excel, Hyper-V, Internet Explorer, MS, MSDN, PowerPoint, SharePoint, SQL Server, Visual Basic, Visual Studio, Win32, Windows, Windows Media, Windows NT, Windows PowerShell, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

Product Number: 6419A Part Number: X15-19813 Released: 02/2009


MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER EDITION
Pre-Release and Final Release Versions

These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft updates, supplements, Internet-based services, and support services for this Licensed Content, unless other terms accompany those items. If so, those terms apply. By using the Licensed Content, you accept these terms. If you do not accept them, do not use the Licensed Content. If you comply with these license terms, you have the rights below.

1. DEFINITIONS.

a. Academic Materials means the printed or electronic documentation such as manuals, workbooks, white papers, press releases, datasheets, and FAQs which may be included in the Licensed Content.

b. Authorized Learning Center(s) means a Microsoft Certified Partner for Learning Solutions location, an IT Academy location, or such other entity as Microsoft may designate from time to time.

c. Authorized Training Session(s) means those training sessions authorized by Microsoft and conducted at or through Authorized Learning Centers by a Trainer providing training to Students solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or MOC) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions Courseware). Each Authorized Training Session will provide training on the subject matter of one (1) Course.

d. Course means one of the courses using Licensed Content offered by an Authorized Learning Center during an Authorized Training Session, each of which provides training on a particular Microsoft technology subject matter.

e. Device(s) means a single computer, device, workstation, terminal, or other digital electronic or analog device.

f. Licensed Content means the materials accompanying these license terms. The Licensed Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student Content, (iii) classroom setup guide, and (iv) Software. There are different and separate components of the Licensed Content for each Course.

g. Software means the Virtual Machines and Virtual Hard Disks, or other software applications that may be included with the Licensed Content.

h. Student(s) means a student duly enrolled for an Authorized Training Session at your location.


i. Student Content means the learning materials accompanying these license terms that are for use by Students and Trainers during an Authorized Training Session. Student Content may include labs, simulations, and courseware files for a Course.

j. Trainer(s) means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer and b) such other individual as authorized in writing by Microsoft and has been engaged by an Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its behalf.

k. Trainer Content means the materials accompanying these license terms that are for use by Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and demonstration guides and script files for a Course.

l. Virtual Hard Disks means Microsoft Software that is comprised of virtualized hard disks (such as a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single computer or other device in order to allow end-users to run multiple operating systems concurrently. For the purposes of these license terms, Virtual Hard Disks will be considered Trainer Content.

m. Virtual Machine means a virtualized computing experience, created and accessed using Microsoft Virtual PC or Microsoft Virtual Server software that consists of a virtualized hardware environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard Disks will be considered Trainer Content.

n. "you" means the Authorized Learning Center or Trainer, as applicable, that has agreed to these license terms.

2. OVERVIEW.

a. Licensed Content. The Licensed Content includes Software, Academic Materials (online and electronic), Trainer Content, Student Content, classroom setup guide, and associated media.

b. License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center location or per Trainer basis.

3. INSTALLATION AND USE RIGHTS.

a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you may:

i. either install individual copies of the relevant Licensed Content on classroom Devices only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of copies in use does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session, OR

ii. install one copy of the relevant Licensed Content on a network server only for access by classroom Devices and only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of Devices accessing the Licensed Content on such server does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session.

iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to use the Licensed Content that you install in accordance with (i) or (ii) above during such Authorized Training Session in accordance with these license terms.

i. Separation of Components. The components of the Licensed Content are licensed as a single unit. You may not separate the components and install them on different Devices.

ii. Third Party Programs. The Licensed Content may contain third party programs. These license terms will apply to the use of those third party programs, unless other terms accompany those programs.

b. Trainers:

i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized Learning Center on a classroom Device to deliver an Authorized Training Session.

ii. Trainers may also Use a copy of the Licensed Content as follows:

A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content. You may install and Use one copy of the Licensed Content on the licensed Device solely for your own personal training Use and for preparation of an Authorized Training Session.

B. Portable Device. You may install another copy on a portable device solely for your own personal training Use and for preparation of an Authorized Training Session.

4. PRE-RELEASE VERSIONS. If this is a pre-release ("beta") version, in addition to the other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final, commercial version. We also may not release a commercial version. You will clearly and conspicuously inform any Students who participate in each Authorized Training Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with any further content, including but not limited to the final released version of the Licensed Content for the Course.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to Microsoft, without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Licensed Content, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback in them. These rights survive this agreement.

c. Confidential Information. The Licensed Content, including any viewer, user interface, features and documentation that may be included with the Licensed Content, is confidential and proprietary to Microsoft and its suppliers.

i. Use. For five years after installation of the Licensed Content or its commercial release, whichever is first, you may not disclose confidential information to third parties. You may disclose confidential information only to your employees and consultants who need to know the information. You must have written agreements with them that protect the confidential information at least as much as this agreement.

ii. Survival. Your duty to protect confidential information survives this agreement.

iii. Exclusions. You may disclose confidential information in response to a judicial or governmental order. You must first give written notice to Microsoft to allow it to seek a protective order or otherwise protect the information. Confidential information does not include information that becomes publicly known through no wrongful act; you received from a third party who did not breach confidentiality obligations to Microsoft or its suppliers; or you developed independently.

d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) the commercial release of the final release version of the Licensed Content, whichever is first ("beta term").

e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta term, and will destroy all copies of same in the possession or under your control and/or in the possession or under the control of any Trainers who have received copies of the pre-released version.

f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you for such copies and distribution.

5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.

a. Authorized Learning Centers and Trainers:

i. Software.

Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced Server and/or other Microsoft products which are provided in Virtual Hard Disks.

A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning Lab Launcher, then these terms apply: Time-Sensitive Software. If the Software is not reset, it will stop running based upon the time indicated on the install of the Virtual Machines (between 30 and 500 days after you install it). You will not receive notice before it stops running. You may not be able to access data used or information saved with the Virtual Machines when it stops running and may be forced to reset these Virtual Machines to their original state. You must remove the Software from the Devices at the end of each Authorized Training Session and reinstall and launch it prior to the beginning of the next Authorized Training Session.

B. If the Virtual Hard Disks require a product key to launch, then these terms apply: Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized Training Session, you will obtain from Microsoft a product key for the operating system software for the Virtual Hard Disks and will activate such Software with Microsoft using such product key.

C. These terms apply to all Virtual Machines and Virtual Hard Disks: You may only use the Virtual Machines and Virtual Hard Disks if you comply with the terms and conditions of this agreement and the following security requirements:

o You may not install Virtual Machines and Virtual Hard Disks on portable Devices or Devices that are accessible to other networks.
o You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session, except those held at Microsoft Certified Partners for Learning Solutions locations.
o You must remove the differencing drive portions of the Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session at Microsoft Certified Partners for Learning Solutions locations.
o You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or downloaded from Devices on which you installed them.
o You will strictly comply with all Microsoft instructions relating to installation, use, activation and deactivation, and security of Virtual Machines and Virtual Hard Disks.
o You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof.
o You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.

ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an Authorized Training Session will be done in accordance with the classroom set-up guide for the Course.

iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip art, animations, sounds, music, shapes, video clips and templates provided with the Licensed Content solely in an Authorized Training Session. If Trainers have their own copy of the Licensed Content, they may use Media Elements for their personal training use.

iv. Evaluation Software. Any Software that is included in the Student Content designated as "Evaluation Software" may be used by Students solely for their personal training outside of the Authorized Training Session.

b. Trainers Only:

i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of obscene or scandalous works, as defined by federal law at the time the work is created; and (b) to comply with all other terms and conditions of this agreement.

ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those portions of the Licensed Content that are logically associated with instruction of the Authorized Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer agrees: (a) that any of these customizations or reproductions will only be used for providing an Authorized Training Session and (b) to comply with all other terms and conditions of this agreement.

iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and use the Academic Materials. You may not make any modifications to the Academic Materials and you may not print any book (either electronic or print version) in its entirety. If you reproduce any Academic Materials, you agree that:

o The use of the Academic Materials will be only for your personal reference or training use;
o You will not republish or post the Academic Materials on any network computer or broadcast in any media;
o You will include the Academic Materials' original copyright notice, or a copyright notice to Microsoft's benefit in the format provided below:

Form of Notice:
© 2009 Reprinted for personal reference use only with permission by Microsoft Corporation. All rights reserved. Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the US and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content. It may change or cancel them at any time. You may not use these services in any way that could harm them or impair anyone else's use of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any means.

7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways. You may not:

o install more copies of the Licensed Content on classroom Devices than the number of Students and the Trainer in the Authorized Training Session;
o allow more classroom Devices to access the server than the number of Students enrolled in and the Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network server;
o copy or reproduce the Licensed Content to any server or location for further reproduction or distribution;
o disclose the results of any benchmark tests of the Licensed Content to any third party without Microsoft's prior written approval;
o work around any technical limitations in the Licensed Content;
o reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that applicable law expressly permits, despite this limitation;
o make more copies of the Licensed Content than specified in this agreement or allowed by applicable law, despite this limitation;
o publish the Licensed Content for others to copy;
o transfer the Licensed Content, in whole or in part, to a third party;
o access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not been authorized by Microsoft to access and use;
o rent, lease or lend the Licensed Content; or
o use the Licensed Content for commercial hosting services or general business purposes.

Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks, does not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or devices that may access the server.

8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.

9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed Content marked as "NFR" or "Not for Resale."

10. ACADEMIC EDITION. You must be a "Qualified Educational User" to use Licensed Content marked as "Academic Edition" or "AE." If you do not know whether you are a Qualified Educational User, visit www.microsoft.com/education or contact the Microsoft affiliate serving your country.

11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of these license terms. In the event your status as an Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this agreement, you must destroy all copies of the Licensed Content and all of its component parts.

12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the Licensed Content and support services.

13. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws
of that country apply.

14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed as-is. You bear the risk of
using it. Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and non-infringement.


16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES. This limitation applies to anything related to the Licensed Content, software, services, content (including code) on third party Internet sites, or third party programs; and claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French; they are given here in English translation.

DISCLAIMER OF WARRANTY. The Licensed Content is provided "as is". You use this Licensed Content at your own risk. Microsoft gives no other express warranty. You may have additional rights under local consumer protection law, which this agreement cannot change. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION ON AND EXCLUSION OF LIABILITY FOR DAMAGES. You can recover from Microsoft and its suppliers compensation for direct damages only, up to US $5.00. You cannot claim any compensation for other damages, including special, indirect or incidental damages and lost profits. This limitation applies to: anything related to the Licensed Content, services or content (including code) on third-party Internet sites or in third-party programs; and claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known of the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or other damages, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change the rights given to you by the laws of your country if those laws do not permit it.


Acknowledgement
Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.

Aaron Clutter - Lead Developer


Aaron Clutter has been developing and leading the development of content for Aeshen since 2002. He has a background as a Windows administrator and network engineer.

Michael Cassens - Content Developer


Michael Cassens is a Senior Content Developer at Aeshen and joined in 2006. He earned his MCSD and MCP+Site Building certifications in 2000 and a Master's in Computer Science in 2003. He has also worked as an independent software consultant and an Adjunct Professor at the University of Montana since 1998.

Sean Masters - Content Developer


Sean Masters joined Aeshen in 2007. He has worked in SMB technical operations for nearly 10 years including 4 years as manager of information technology at a property management firm and 4 years as a private consultant to various legal and financial firms in the New England area.

Valerie Lee - Content Developer


Valerie Lee joined Aeshen in 2006, and has gained extensive knowledge of Microsoft technologies by working on Microsoft TechNet Content, Webcasts, White Papers, and Microsoft Learning Courses. Prior to joining Aeshen, she worked as a consultant in positions providing desktop and network troubleshooting and training support.

Joel Barker - Content Developer


Joel Barker has been developing content for Microsoft server products for five years; prior to that he held a variety of positions in the IT industry.


Philip Morgan - Subject Matter Expert


Philip Morgan is a Senior Product Analyst at Aeshen and joined the company in 2007. He has been an MCT since 1996 and has worked as a trainer, consultant, and network administrator helping people learn, implement, and use Microsoft products.

Conan Kezema - Technical Reviewer


Conan Kezema, MCSE, MCT is an educator, consultant, network systems architect, and author who specializes in Microsoft technologies.


Contents
Module 1: Introduction to Managing Microsoft Windows Server 2008 Environment
Lesson 1: Server Roles 1-3
Lesson 2: Overview of Active Directory 1-15
Lesson 3: Using Windows Server 2008 Administrative Tools 1-28
Lesson 4: Using Remote Desktop for Administration 1-36
Lab: Administering Windows Server 2008 1-44

Module 2: Creating Active Directory Domain Services User and Computer Objects
Lesson 1: Managing User Accounts 2-3
Lesson 2: Creating Computer Accounts 2-17
Lesson 3: Automating AD DS Object Management 2-24
Lesson 4: Using Queries to Locate Objects in AD DS 2-33
Lab: Creating AD DS User and Computer Accounts 2-39

Module 3: Creating Groups and Organizational Units


Lesson 1: Introduction to AD DS Groups 3-3
Lesson 2: Managing Groups 3-17
Lesson 3: Creating Organizational Units 3-22
Lab: Creating an OU Infrastructure 3-29

Module 4: Managing Access to Resources in Active Directory Domain Services


Lesson 1: Managing Access Overview 4-3
Lesson 2: Managing NTFS File and Folder Permissions 4-11
Lesson 3: Assigning Permissions to Shared Resources 4-20
Lesson 4: Determining Effective Permission 4-33
Lab: Managing Access to Resources 4-44


Module 5: Configuring Active Directory Objects and Trusts


Lesson 1: Delegate Administrative Access to Active Directory Objects 5-3
Lab A: Configuring Active Directory Delegation 5-12
Lesson 2: Configure Active Directory Trusts 5-16
Lab B: Configuring Active Directory Trusts 5-24

Module 6: Creating and Configuring Group Policy


Lesson 1: Overview of Group Policy 6-3
Lesson 2: Configuring the Scope of Group Policy Objects 6-18
Lesson 3: Evaluating the Application of Group Policy Objects 6-31
Lesson 4: Managing Group Policy Objects 6-37
Lesson 5: Delegating Administrative Control of Group Policy 6-47
Lab A: Creating and Configuring GPOs 6-51
Lab B: Verifying and Managing GPOs 6-57

Module 7: Configure User and Computer Environments By Using Group Policy


Lesson 1: Configuring Group Policy Settings 7-3
Lesson 2: Configuring Scripts and Folder Redirection Using Group Policy 7-7
Lab A: Configuring Logon Scripts and Folder Redirection Using Group Policy 7-13
Lesson 3: Configuring Administrative Templates 7-17
Lab B: Configuring Administrative Templates 7-23
Lesson 4: Deploying Software Using Group Policy 7-28
Lab C: Deploying Software with Group Policy 7-36
Lesson 5: Configuring Group Policy Preferences 7-39
Lab D: Configuring Group Policy Preferences 7-44
Lesson 6: Introduction to Group Policy Troubleshooting 7-48
Lesson 7: Troubleshooting Group Policy Application 7-55
Lesson 8: Troubleshooting Group Policy Settings 7-67
Lab E: Troubleshooting Group Policy Issues 7-71


Module 8: Implementing Security Using Group Policy


Lesson 1: Configuring Security Policies 8-3
Lesson 2: Implementing Fine-Grained Password Policies 8-15
Lab A: Implementing Security Using Group Policy 8-20
Lesson 3: Restricting Group Membership and Access to Software 8-26
Lesson 4: Managing Security Using Security Templates 8-34
Lab B: Configuring and Verifying Security Policies 8-43

Module 9: Configuring Server Security Compliance


Lesson 1: Securing a Windows Infrastructure 9-3
Lesson 2: Overview of EFS 9-9
Lesson 3: Configuring an Audit Policy 9-13
Lesson 4: Overview of Windows Server Update Services (WSUS) 9-20
Lesson 5: Managing WSUS 9-32
Lab: Manage Server Security 9-40

Module 10: Configuring and Managing Storage Technologies


Lesson 1: Windows Server 2008 Storage Management Overview 10-3
Lesson 2: Managing Storage Using File Server Resource Manager 10-13
Lab A: Installing the FSRM Role Service 10-20
Lesson 3: Configuring Quota Management 10-22
Lab B: Configuring Storage Quotas 10-29
Lesson 4: Implementing File Screening 10-31
Lab C: Configuring File Screening 10-38
Lesson 5: Managing Storage Reports 10-40
Lab D: Generating Storage Reports 10-45
Lesson 6: Understanding Storage Area Networks 10-47


Module 11: Configuring and Managing Distributed File System


Lesson 1: Distributed File System (DFS) Overview 11-3
Lesson 2: Configuring DFS Namespaces 11-13
Lab A: Installing the Distributed File System Role Service and Creating a DFS Namespace 11-22
Lesson 3: Configuring DFS Replication 11-26
Lab B: Configuring Folder Targets and Viewing Diagnostic Reports 11-42

Module 12: Configuring Network Access Protection


Lesson 1: Overview of Network Access Protection 12-3
Lesson 2: How NAP Works 12-18
Lesson 3: Configuring NAP 12-25
Lesson 4: Monitoring and Troubleshooting NAP 12-33
Lab: Configuring NAP for DHCP and VPN 12-37

Module 13: Configuring Availability of Network Content and Resources


Lesson 1: Configuring Shadow Copies 13-3
Lab A: Configuring Shadow Copying 13-11
Lesson 2: Providing Server and Service Availability 13-14
Lab B: Configuring Network Load Balancing 13-26

Module 14: Monitoring and Maintaining Windows Server 2008 Servers


Lesson 1: Planning Monitoring Tasks 14-3
Lesson 2: Calculating a Server Baseline 14-9
Lesson 3: Measuring Performance Objects 14-14
Lab A: Identifying Windows Server 2008 Monitoring Requirements 14-24
Lesson 4: Selecting Appropriate Monitoring Tools 14-29
Lesson 5: Planning Notification Methods 14-37
Lesson 6: Overview of Windows Server 2008 Management Tasks 14-41
Lesson 7: Automating Windows Server 2008 Management 14-45
Lab B: Configuring Windows Server 2008 Monitoring 14-49


Module 15: Managing Windows Server 2008 Backup and Restore


Lesson 1: Planning Backups with Windows Server 2008 15-3
Lesson 2: Planning Backup Policy on Windows Server 2008 15-15
Lesson 3: Planning a Server Restore Policy 15-20
Lesson 4: Planning an EFS Restore Policy 15-29
Lesson 5: Troubleshooting Windows Server 2008 Startup 15-40
Lab A: Planning Windows Server 2008 Backup Policy 15-51
Lab B: Planning Windows Server 2008 Restore 15-58

Lab Answer Keys


MCT USE ONLY. STUDENT USE PROHIBITED

About This Course


This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.

Course Description
This five-day instructor-led course provides students with the knowledge and skills to configure and manage Microsoft Windows Server 2008 servers. The course focuses heavily on Active Directory Domain Services object creation and Group Policy management. The course also focuses on configuring security, storage, Network Access Protection, troubleshooting, and server data protection.

Audience
The primary audience for this course is IT professionals who want to increase their hands-on deployment and day-to-day management skills for Windows Server 2008 servers in an enterprise organization. The primary audience for this course will be responsible for day-to-day management of the server OS, file, and directory services; software distribution, patches, and updates; profiling and monitoring; and Tier 2 troubleshooting for a subset of the organization's servers. The secondary audience for this course is individuals who are network infrastructure technology specialists.

Student Prerequisites
This course requires that you meet the following prerequisites:
- At least one year of experience operating Windows Servers daily in the area of account management, server maintenance, server monitoring, or server security
- A+, Server+, hardware portion of Net+, and familiarity with Microsoft Windows (client side)
- Working knowledge of networking technologies
- Intermediate understanding of network operating systems
- Working experience with Windows Server 2003 and Windows Server 2008
- Basic knowledge of Active Directory
- An understanding of security concepts and methodologies (for example, corporate policies)
- Basic knowledge of TCP/IP
- Basic knowledge of scripting tools such as Windows PowerShell and WMI

Course Objectives
After completing this course, students will be able to:
- Describe the different administrative tools and tasks in Windows Server 2008
- Configure AD DS user and computer accounts
- Create groups and organizational units
- Manage access to shared resources in an AD DS environment
- Configure Active Directory objects and trusts
- Create and configure Group Policy objects
- Configure user and computer environments by using Group Policy
- Implement security by using Group Policy
- Configure and analyze server security and security update compliance
- Configure and manage storage technologies included with Windows Server 2008
- Configure and manage Distributed File System
- Configure Network Access Protection
- Configure availability of network resources
- Plan and maintain Windows Server 2008 monitoring
- Manage Windows Server 2008 backup and restore


Course Outline
This section provides an outline of the course:

Module 1: Introduction to Managing Microsoft Windows Server 2008 Environment describes the fundamentals of an enterprise networking environment, which consists of Windows Infrastructure Services, Windows Application Platform Services, and Active Directory. This module also explains how to administer a Windows Server 2008 server.

Module 2: Creating Active Directory Domain Services User and Computer Objects explains how to configure AD DS user and computer accounts.

Module 3: Creating Groups and Organizational Units explains how to configure AD DS group accounts and organizational units.

Module 4: Managing Access to Resources in Active Directory Domain Services explains how to manage access to shared resources in an AD DS environment.

Module 5: Configuring Active Directory Objects and Trusts explains how to implement and configure AD DS objects and trusts.

Module 6: Creating and Configuring Group Policy explains how Group Policy objects (GPOs) work and how to create and apply GPOs.

Module 7: Configure User and Computer Environments by Using Group Policy describes how to configure user desktop settings by using Group Policy and how to troubleshoot and resolve issues related to Group Policy.

Module 8: Implementing Security Using Group Policy describes how to configure security settings and apply them using GPOs.

Module 9: Configuring Server Security Compliance explains how to configure and analyze server security and security update compliance. This module also describes some of the management tasks that you should undertake with a focus on security update management and discusses automated maintenance tools such as Windows Server Update Services.

Module 10: Configuring and Managing Storage Technologies explains how to configure and troubleshoot file system storage technologies included with Windows Server 2008.

Module 11: Configuring and Managing Distributed File System explains how to configure and manage Distributed File System.

Module 12: Configuring Network Access Protection explains how to configure and manage NAP for DHCP, VPN, and 802.1X.

Module 13: Configuring Availability of Network Resources and Content explains how to configure network resources and content availability. It explains how to enable a shadow copy volume, which provides access to previous file and folder versions on a network. Finally, this module explains how you can use failover clustering and Network Load Balancing (NLB) to facilitate greater data availability and workload scalability.

Module 14: Monitoring and Maintaining Windows Server 2008 Servers covers planning your monitoring tasks to determine appropriate server baselines, measuring key performance metrics, collecting data by using Data Collector Sets, and identifying suitable notification methods when an alert occurs.

Module 15: Managing Windows Server 2008 Backup and Restore describes the changes to backup in Windows Server 2008 and helps you to plan your backup requirements and policy to meet the requirements of your organization. This module also describes how you should plan for encrypted file system recovery, restoration of system state data, and creating a server restore policy to verify server operations.


Course Materials
The following materials are included with your kit:

Course Handbook. A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience.
- Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.
- Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.
- Module Reviews and Takeaways: Provide improved on-the-job reference material to boost knowledge and skills retention.
- Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's needed.

Course Companion CD. Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to supplement the Course Handbook.
- Lessons: Include detailed information for each topic, expanding on the content in the Course Handbook.
- Labs: Include complete lab exercise information and answer keys in digital form to use during lab time.
- Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN, and Microsoft Press.
- Student Course Files: Include Allfiles.exe, a self-extracting executable file that contains all the files required for the labs and demonstrations.

Note: To access the full course content, insert the Course Companion CD into the CD-ROM drive, and then in the root directory of the CD, double-click StartCD.exe.

Course evaluation. At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail to mcphelp@microsoft.com.


Virtual Machine Environment


This section provides the information for setting up the classroom environment to support the business scenario of the course.

Virtual Machine Configuration


In this course, you will use Microsoft Virtual Server 2005 R2 with SP1 to perform the labs.

Important: At the end of each lab, you must close the virtual machine and must not save any changes. To close a virtual machine without saving the changes, perform the following steps:
1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click Turn off and delete changes, and then click OK.

The following table shows the role of each virtual machine used in this course:
Virtual machine   Role
6419-LON-DC1      Domain Controller for EMEA.WoodgroveBank.com
6419-NYC-CL1      Client computer in WoodgroveBank.com
6419-NYC-CL2      Client computer in the Woodgrovebank.com domain
6419-NYC-DC1      Domain Controller for WoodgroveBank.com
6419-NYC-DC2      Domain Controller for WoodgroveBank.com
6419-NYC-INF      Member server for WoodgroveBank.com
6419-NYC-SVR1     Standalone server
6419-NYC-SVR2     Standalone server
6419-VAN-DC1      Domain Controller for Fabrikam.com


Software Configuration
The following software is installed on each VM:
- Windows Server 2008 Enterprise Edition
- Windows Server 2003 Enterprise Edition is installed on 6419-VAN-DC1

Course Files
There are files associated with the labs in this course. The lab files are located in the folder E:\ModXX\Labfiles within the virtual machines.

Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.

Course Hardware Level


To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught. This course requires that you have a computer that meets or exceeds hardware level 6, which specifies an Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor, dual 120 GB hard disks (7200 RPM SATA or better), 4 GB RAM expandable to 8 GB or higher, a DVD drive, a network adapter, a super VGA (SVGA) 17-inch monitor, a Microsoft Mouse or compatible pointing device, and a sound card with amplified speakers.


Module 1
Introduction to Managing Microsoft Windows Server 2008 Environment
Contents:
Lesson 1: Server Roles 1-3
Lesson 2: Overview of Active Directory 1-15
Lesson 3: Using Windows Server 2008 Administrative Tools 1-28
Lesson 4: Using Remote Desktop for Administration 1-36
Lab: Administering Windows Server 2008 1-44


Module Overview

Multiple tools exist to facilitate management of Microsoft Windows Server 2008 computers and Active Directory domains. In Windows Server 2008, many of these tools have been consolidated into the Server Manager tool. This change offers a single point for server administration. By understanding the tools available to manage Windows Server 2008 and Active Directory, you will be able to more quickly and effectively implement change requests.


Lesson 1

Server Roles

Windows Server 2008 is configured by adding and removing server roles and features. This is a new method of organizing the addition and removal of services. Understanding server roles and features allows you to install and support only the Windows Server 2008 components you need in your environment.


Windows Server 2008 Editions

Key Points
Windows Server 2008 is available in several editions to meet the needs of various organizations. The editions are available for x86, x64, and Itanium processors. Windows HPC Server 2008 is designed for clustering hundreds of computers together to work on a single processing task. Hyper-V is a role that is provided for 64-bit installations of Windows Server 2008. You can order Standard, Enterprise, and Datacenter editions that do not have Hyper-V included.

Question: Describe the criteria you will use when deciding what edition of Windows Server to deploy.


What Are Server Roles?

Key Points
Server roles are a way to configure a computer running Windows Server 2008 to perform a specific function. In a large enterprise, computers can be configured to perform a single role to ensure greater scalability. In a small organization, many roles can be combined on a single computer. When deploying multiple server roles on a single computer, consider the following:
- The capacity of the computer should be sufficient for all the installed roles.
- Ensure that security requirements for the roles you plan to install can co-exist on a single computer.
- Configure security settings appropriately for all installed roles.
- Plan ahead for possible migration paths if the computer becomes overloaded.

Question: In your work environment, what are the advantages of consolidated servers, dedicated servers, or both?


What Are the Windows Infrastructure Services Roles?

Key Points
Windows infrastructure services roles are used to form the underlying framework of software and services that are used by other applications within the organization. The table below describes Microsoft Windows infrastructure services roles:

Active Directory Certificate Services: Creates and manages certification authorities. Certification authorities are used to create digital certificates for identification and encryption.

Active Directory Rights Management Services: Helps protect information from unauthorized use and generates licenses that specify what actions can be taken with protected content and by whom.

DHCP Server: Automatically allocates IP addresses and IP configuration information to clients.

DNS Server: Provides name resolution for TCP/IP networks.

Fax Server: Sends and receives faxes electronically rather than requiring paper-based copies of documents.

File Services: Provides technologies for storage management, file replication, and file searching.

Network Policy and Access Services: Provides support for LAN or WAN routing, network access policy enforcement, VPN connections, and dial-up connections.

Hyper-V: Provides server virtualization functionality.

Print Services: Enables and manages network printing.

Terminal Services: Allows users to run programs on a remote server but view the results in a Remote Desktop window.

Windows Deployment Services: Deploys Windows operating systems to computers over the network.

Question: List the Windows infrastructure services roles used in your work environment.


What Are the Windows Application Platform Services Roles?

Key Points
Windows application platform services roles are used as a platform for the development of applications. The table below describes Windows application platform services roles:

Application Server: Provides a complete solution for hosting and managing distributed business applications. Includes services such as the .NET Framework, Web server, and Message Queuing.

Universal Description, Discovery, and Integration (UDDI) Services: Shares information about Web services within an organization or between business partners.

Web Server (IIS): Enables Windows Server 2008 as a Web server.


Question: List the Windows application platform roles used in your work environment.


What Are the Active Directory Server Roles?

Key Points
The Active Directory roles allow you to implement and control Active Directory for your organization.

Question: Briefly describe one or two scenarios where you would implement each server role.


AD DS Integration with Other Active Directory Server Roles

Key Points
Many of the other Windows Server 2008 server roles integrate with AD DS. Server roles such as the following rely on AD DS:
- Active Directory Federation Services (AD FS)
- Active Directory Rights Management Services (AD RMS)
- Active Directory Certificate Services (AD CS)

Question: Describe any other applications you are aware of that can leverage AD DS.


What Are Server Features?

Key Points
Server features support server roles or enhance the functionality of a server.

Question: Which of these features do you use in your work environment?


What Is Server Core?

Key Points
Server Core is a new installation option for Windows Server 2008. It provides a minimal environment for running specific server roles. A graphical interface is not included as part of the Server Core installation.

Question: Describe two scenarios in which Server Core would be a beneficial choice of server platform.


Lesson 2

Overview of Active Directory

Active Directory is a central repository of network information. Understanding how Active Directory is organized is essential to understanding network security and management. In this lesson, you will learn about Active Directory domains, forests, and domain controllers.


What Is Active Directory?

Key Points
Active Directory is a central repository of network information that is used for logon security and application configuration. The information stored in Active Directory includes:
- User accounts
- Computer accounts
- Application configuration information
- Subnet addresses
- Group accounts
- Printer objects
- Published folder objects


Active Directory is not a large single database. It is composed of multiple partitions. The domain partition holds information that is specific to a particular domain. The configuration partition holds configuration information for Active Directory and applications. The schema partition is the list of allowed objects and attributes in Active Directory.

Question: Why is it important that the schema is replicated to all domain controllers in the entire forest?


Benefits of Active Directory

Key Points
Active Directory provides a single repository of information that is used for network management. A workgroup is a peer-to-peer network without a centralized security database. When Windows computers are not joined to a domain, they are considered members of a workgroup. Each workgroup member has its own security database and group policy store.

Question: Are there any situations where a workgroup would be preferable?


What Is a Domain?

Key Points
A domain is a logical grouping of objects such as:
- User accounts. These are required for users to log on and access network resources. Information such as e-mail addresses and mailing addresses can be stored as part of a user account.
- Computer accounts. These are required for a computer to participate in the domain and become part of the security infrastructure. To log on with a domain user account, you must use a computer that has a computer account in the domain.
- Groups. These are used to organize users and computers into sets for assigning permissions to resources. Using groups makes it easier to manage access to resources such as files.


Question: How has your organization used domains to create security boundaries? If your organization does not use domains, how might domains be used in your organization?


What Is an Organizational Unit?

Key Points
An organizational unit (OU) is a grouping of objects within a domain. OUs can contain:
- Users
- Groups
- Computers
- Other OUs


OUs are used to:
- Apply Group Policy settings: Group Policy settings can be associated with an OU. When associated with an OU, the group policy applies to all user and computer accounts within the OU.
- Delegate management: Permissions to manage Active Directory objects can be assigned to an OU. Permissions granted to an OU are inherited by objects inside the OU.

Question: Describe one scenario when you would use a domain to organize a network. Describe one scenario when you would use an OU to organize a network.


What Is a Forest?

Key Points
A forest is a collection of domains that:
- Share a common schema
- Share a common Global Catalog
- Are connected by two-way transitive trusts

When domains have a trust relationship, accounts in the trusted domain can be granted access to resources in the trusting domain. Domain trees in a forest are not required to have the same naming structures.

Question: Does a trust automatically allow users in one domain to access resources in another domain?


What Is a Domain Controller?

Key Points
The following are characteristics of a domain controller:
- A domain controller is a computer that holds a copy of Active Directory information.
- Domain controllers update this copy of Active Directory information through multi-master replication with other domain controllers in the domain and forest.
- At minimum, a domain controller holds a copy of the local domain partition, the configuration partition, and the schema partition.

Note: A global catalog server is a domain controller that holds a subset of the domain information for all domains in the entire forest.

Question: How many domain controllers should you have?
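The partitions described above (domain, configuration, schema) are published by every domain controller as LDAP naming contexts in its RootDSE, alongside a flag that says whether the domain controller is also a global catalog server. As an added example that is not part of the course materials, the following Windows PowerShell function reads those values; it assumes PowerShell 2.0 or later on a domain-joined computer that can reach a domain controller, and the function name and optional -Server parameter are the example's own.

```powershell
# Added example, not from the course: report which AD DS partitions a domain
# controller holds and whether it is a global catalog server, using RootDSE.
# Assumes PowerShell 2.0 or later on a domain-joined computer that can reach a
# domain controller. Get-DcPartitionSummary is this example's own function name.

function Get-DcPartitionSummary {
    param(
        # Optional DC host name; leave empty to let the client locate a DC.
        [string]$Server = ""
    )

    if ($Server -ne "") { $rootPath = "LDAP://$Server/RootDSE" }
    else                { $rootPath = "LDAP://RootDSE" }
    $rootDse = [ADSI]$rootPath

    # RootDSE publishes the distinguished name of each well-known partition.
    # Every domain controller must hold these three (see Key Points above).
    $domainNc = [string]$rootDse.defaultNamingContext.Value
    $configNc = [string]$rootDse.configurationNamingContext.Value
    $schemaNc = [string]$rootDse.schemaNamingContext.Value

    # namingContexts lists every partition this DC actually holds. Map each
    # one back to the three partition types described in the lesson.
    $partitions = @()
    foreach ($nc in $rootDse.namingContexts) {
        $dn = [string]$nc
        if ($dn -eq $domainNc)     { $kind = "Domain (local domain partition)" }
        elseif ($dn -eq $configNc) { $kind = "Configuration" }
        elseif ($dn -eq $schemaNc) { $kind = "Schema" }
        else                       { $kind = "Other (not one of the three required partitions)" }
        $partitions += New-Object PSObject -Property @{
            Partition         = $kind
            DistinguishedName = $dn
        }
    }

    # A global catalog server additionally serves a partial, read-only copy of
    # every other domain in the forest; RootDSE reports this as "TRUE"/"FALSE".
    $isGc = ([string]$rootDse.isGlobalCatalogReady.Value) -eq "TRUE"

    New-Object PSObject -Property @{
        DomainController = [string]$rootDse.dnsHostName.Value
        IsGlobalCatalog  = $isGc
        Partitions       = $partitions
    }
}

# Usage: summarize the DC the client locates, then list the partitions it holds.
$summary = Get-DcPartitionSummary
"{0} (global catalog: {1})" -f $summary.DomainController, $summary.IsGlobalCatalog
$summary.Partitions | Format-Table Partition, DistinguishedName -AutoSize
```

Running the function against each domain controller in turn (for example, Get-DcPartitionSummary -Server NYC-DC1) shows that all of them return the same configuration and schema naming contexts, which is the replication behaviour the question above asks about.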


What Is a Read-Only Domain Controller?

Key Points
An RODC is a new type of domain controller that Windows Server 2008 supports. An RODC hosts read-only partitions of the AD DS database. This means that no changes can ever be made to the database copy stored by the RODC, and all AD DS replication uses a one-way connection from a domain controller that has a writeable database copy to the RODC.

Question: In your work environment, do you have scenarios where an RODC would be beneficial?


Read-Only Domain Controller Features

Key Points
RODCs provide several features designed to work together to increase security. These features minimize the risks of deploying a domain controller in a location with low physical security or high exposure to attack.

Question: If you plan to use one or more RODCs in your work environment, which RODC features do you plan to use?


Demonstration: Joining a Domain

Key Points
1. Join NYC-CL1 to the WoodgroveBank.com domain.
2. View the results of joining the domain.


Lesson 3

Using Windows Server 2008 Administrative Tools

Each administrative tool included with Windows Server 2008 is used to manage different system components. Administrative tools include:
- Microsoft Management Console
- Problem Reports and Solutions
- Server Manager
- Computer Management
- Device Manager

By understanding the administrative tools available to you in Windows Server 2008, you can choose the best tool for the administrative task at hand.


Microsoft Management Console

Key Points
A snap-in is a program that allows you to perform specific administrative tasks. New snap-ins are added when you install additional software components. For example, the snap-ins for managing Microsoft Exchange Server 2007 are added when you install Exchange Server 2007. You can remotely administer a server by re-focusing the MMC snap-in to the remote server. Custom consoles allow you to create a console with only the capabilities that you require as part of your job role.

Question: Will you create customized consoles for most of your management tasks?


Server Manager

Key Points
Combining frequently used snap-ins into a single console simplifies administration of your server.

Question: Why is it beneficial to combine frequently used snap-ins into a single console?


Computer Management

Key Points
This administrative tool is included with the Microsoft Windows 2000 Server and Windows Server 2003 operating systems. Many of the snap-ins found in Server Manager are also found in Computer Management.

Question: Will you use Computer Management or Server Manager to manage your servers?


Device Manager

Key Points
One of the most common uses for Device Manager is updating device drivers. Device drivers are used by the operating system to communicate with devices such as network adapters or video adapters. When an incorrect driver is used, the device will typically have limited functionality or no functionality at all. Device Manager visually indicates if a device is disabled or is not functioning properly, which makes it easy to identify malfunctioning components.

Question: Why would you update a device driver if a device appears to be working properly?


Problem Reports and Solutions

Key Points
Problem Reports and Solutions is a utility for monitoring and resolving system problems. Problem Reports and Solutions records the details of a system problem, and then contacts Microsoft for a resolution of the problem.

Question: How does Problem Reports and Solutions improve upon the Dr. Watson utility found in previous versions of the Microsoft Windows operating system?


Demonstration: Using Windows Server 2008 Administrative Tools

Key Points
- Use Problem Reports and Solutions.
- Use Server Manager.
- Use Computer Management.
- Use Device Manager.

Question: Which of the administrative tools demonstrated will you use most often?


Common Administration Tasks

Key Points
Administrative tools can be grouped by the task in which each tool will commonly be used. Sometimes multiple tools may be used to carry out a single task.

Question: Describe one or more common administrative tasks you carry out in your work environment and a tool that would be used to carry out this task.


Lesson 4

Using Remote Desktop for Administration

Remote Desktop for Administration is widely used by most organizations to access servers remotely and to perform system maintenance. There are many configuration options you can use for controlling security of the connections and other connection characteristics. Remote Desktop for Administration can help you reduce the time and effort involved in server administration tasks.


Remote Desktop for Administration

Key Points
Remote Desktop for Administration is a service that allows administrators to access the desktop of a computer running Windows Server 2008 remotely. This service can be used to access a server from a corporate desktop or a remote location. Note the following primary differences between Remote Desktop for Administration and the Windows Server 2008 Terminal Services role:
- Remote Desktop for Administration is limited to two concurrent remote connections.
- Remote Desktop for Administration requires no extra licensing.
- Remote Desktop for Administration is installed by default but is not enabled by default.


Note: Remote Desktop for Administration generates a much smaller amount of network data than running server management utilities over the network from a workstation.

Question: What concerns are there about allowing a server administrator to use Remote Desktop for Administration from home?


Benefits of Remote Desktop for Administration

Key Points
Remote Desktop for Administration is a useful tool with several benefits.
Note: Even though Server Core does not include a graphical desktop, you can enable Remote Desktop for Administration. Once connected, you are presented with a command prompt rather than a Windows desktop.

Question: Can Remote Desktop for Administration result in cost savings for an organization?


Demonstration: Remote Desktop Client Configuration

Key Points
View the Remote Desktop options on NYC-CL1. Describe the options on the following tabs:
- General tab
- Display tab
- Local Resources tab
- Programs tab
- Experience tab
- Advanced tab

Question: Why would you disable client features such as local drives and printers?


Securing Remote Desktop for Administration

Key Points
The first level of securing Remote Desktop for Administration is controlling who can use it. Remote Desktop for Administration is disabled by default. You can leave it disabled for high security installations. When enabled, access can be controlled by making users members of the Remote Desktop Users group. Members of the Local Administrators group are allowed to connect by default. The Security layer determines the type of encryption that is performed between the client and server.


Encryption level controls which data is encrypted and the strength of the encryption. The Require Network Level Authentication setting requires users to authenticate with a user name and password before a session is established on the server, rather than at the logon screen of an already-established session.

Question: Why should you not use the low encryption level?


Demonstration: Using Remote Desktop for Administration

Key Points
- On NYC-DC1, enable Remote Desktop for Administration.
- Configure security settings on NYC-DC1.
- Connect to the console with the /console switch.

Question: When is connecting to the server console, rather than a remote session, useful?


Lab: Administering Windows Server 2008

Exercise 1: Install the DNS Server Role


Scenario
You have decided to prepare the server NYC-SVR1 for remote management through Remote Desktop. You will also install the DNS Server role and verify domain membership on NYC-SVR1. In this exercise, you will install the DNS Server role and verify domain membership. The main tasks for this exercise are as follows:
1. Start the virtual machines, and then log on.
2. Install the DNS Server role.
3. Verify domain membership.


Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
4. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
5. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
6. Log on to NYC-CL1 as Administrator with the password Pa$$w0rd.
7. Log on to NYC-SVR1 as Administrator with the password Pa$$w0rd.
8. Minimize the Lab Launcher window.

Task 2: Install the DNS Server role


On NYC-SVR1, use Server Manager to install the DNS Server role using the following settings: Add only the DNS Server role service.

Task 3: Verify domain membership


1. On NYC-DC1, in Active Directory Users and Computers, verify that the NYC-SVR1 computer account exists.
2. On NYC-SVR1, in Local Users and Groups, verify that Domain Admins is a member of the local Administrators group.
Results: After this exercise, you should have successfully installed the DNS Server role and successfully verified domain membership.


Exercise 2: Configuring Remote Desktop for Administration


Scenario
The server NYC-SVR1 is being used to run a new application for loan applications. The person responsible for monitoring this application needs access to NYC-SVR1 remotely because he is not authorized to enter the data center. You need to enable Remote Desktop for Administration for Axel Delgado with the highest level of security possible. In this exercise, you will enable Remote Desktop for Administration, and configure security settings to allow Axel Delgado to carry out remote administration tasks. The main tasks for this exercise are as follows:
1. Enable Remote Desktop for Administration.
2. Grant Axel Delgado access to Remote Desktop for Administration on NYC-SVR1.
3. Configure security for Remote Desktop for Administration.
4. Give Axel Delgado rights to run Reliability and Performance Monitor.
5. Verify Remote Desktop for Administration functionality.

Task 1: Enable Remote Desktop for Administration


1. On NYC-SVR1, open Remote settings in System Properties.
2. Allow connections only if Network Level Authentication is used.

Task 2: Grant Axel Delgado access to Remote Desktop for Administration on NYC-SVR1
On NYC-SVR1 in Remote Settings, add Axel Delgado as a user allowed to connect remotely.


Task 3: Configure security for Remote Desktop for Administration


1. On NYC-SVR1, open Terminal Services Configuration.
2. In the properties of RDP-Tcp, configure:
   Security layer: SSL (TLS 1.0)
   Encryption level: High
   Allow connections only from computers running Remote Desktop with Network Level Authentication

Task 4: Give Axel Delgado rights to run Reliability and Performance Monitor
On NYC-SVR1, use Local Users and Groups to add Axel Delgado as a member of Performance Log Users.

Task 5: Verify Remote Desktop for Administration functionality


1. On NYC-CL1, open Remote Desktop Connection.
2. Log on using the following information:
   Computer: NYC-SVR1.woodgrovebank.com
   User name: woodgrovebank\Axel
   Password: Pa$$w0rd
3. In the Remote Desktop Connection window, open Reliability and Performance Monitor. Notice that data associated with Resource Overview is not available to Axel Delgado because Axel Delgado is not a local Administrator.
4. Verify that Axel Delgado can view information in Performance Monitor.

Results: After this exercise, you should have successfully used Axel Delgado's account to remotely access NYC-SVR1 and run Reliability and Performance Monitor.
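The following check script is an added example, not part of the 6419A courseware: it verifies on NYC-SVR1 the settings that this exercise and the earlier Securing Remote Desktop for Administration topic describe (Remote Desktop enabled, SSL security layer, High encryption, Network Level Authentication required, and the lab account's group memberships). It reads the RDP-Tcp listener through the Win32_TSGeneralSetting WMI class and local group members through the WinNT ADSI provider; the account name woodgrovebank\Axel and the group names are taken from the lab, and the script assumes it is run in an elevated Windows PowerShell session on the server itself.

```powershell
# Added example (not from the 6419A courseware): audit the Remote Desktop for
# Administration configuration that Exercise 2 sets up on NYC-SVR1.
# Assumes: run locally on the server with administrative rights, and that the
# listener is named RDP-Tcp (the default) and the lab account is WOODGROVEBANK\Axel.

$expected = @{
    SecurityLayer              = 2   # 0 = RDP, 1 = Negotiate, 2 = SSL (TLS 1.0)
    MinEncryptionLevel         = 3   # 1 = Low, 2 = Client Compatible, 3 = High, 4 = FIPS
    UserAuthenticationRequired = 1   # 1 = Network Level Authentication required
}
$requiredMembers = @{
    'Remote Desktop Users'  = 'WOODGROVEBANK\Axel'   # Task 2 of the exercise
    'Performance Log Users' = 'WOODGROVEBANK\Axel'   # Task 4 of the exercise
}

function Test-RdpEnabled {
    # fDenyTSConnections = 1 means Remote Desktop is disabled (the server default).
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $key -Name fDenyTSConnections).fDenyTSConnections
    if ($deny -eq 1) { Write-Warning 'Remote Desktop connections are disabled' }
    else             { Write-Host    'OK   Remote Desktop connections are enabled' }
}

function Test-RdpListener {
    # Read the RDP-Tcp listener settings from the TerminalServices WMI namespace
    # and compare each one against the value the exercise requires.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                        -Class Win32_TSGeneralSetting `
                        -Filter "TerminalName='RDP-Tcp'"
    if ($ts -eq $null) { Write-Warning 'RDP-Tcp listener not found'; return }
    foreach ($name in $expected.Keys) {
        $actual = $ts.$name
        if ($actual -ne $expected[$name]) {
            Write-Warning ('{0} is {1}, expected {2}' -f $name, $actual, $expected[$name])
        } else {
            Write-Host ('OK   {0} = {1}' -f $name, $actual)
        }
    }
}

function Get-LocalGroupMember([string]$groupName) {
    # Enumerate a local group through the WinNT provider. Each member's ADsPath
    # looks like WinNT://WOODGROVEBANK/Axel; convert it to DOMAIN\user form.
    $group = [ADSI]"WinNT://./$groupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-GroupMembership {
    foreach ($groupName in $requiredMembers.Keys) {
        $want    = $requiredMembers[$groupName]
        $members = Get-LocalGroupMember $groupName
        if ($members -contains $want) { Write-Host ('OK   {0} is a member of {1}' -f $want, $groupName) }
        else { Write-Warning ('{0} is not a member of {1}' -f $want, $groupName) }
    }
}

Test-RdpEnabled
Test-RdpListener
Test-GroupMembership
```

Any line reported as a warning is a setting that still differs from the configuration the exercise requires, so the check can be rerun after each task to confirm the change took effect.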

Lab Shutdown
After you complete the lab, you must shut down the 6419A-NYC-DC1, 6419A-NYC-CL1, and 6419A-NYC-SVR1 virtual machines and discard any changes.


Module Review and Takeaways

Review Questions
1. Which server role must be installed to configure Windows Server 2008 as a domain controller?
2. What is the relationship between Active Directory domains and Active Directory forests?
3. Which administrative tool tracks system crashes and attempts to resolve them?
4. When monitoring performance, which tools can you use to track CPU utilization over time?


Real-world Issues and Scenarios


1. You are the lead server administrator for your location in a large organization. There are 4,000 users in your location, with seven server administrators. You would like to configure administrative tools for the server administrators that you manage. Each administrative tool would have all the options required for them to perform their job tasks. How can you create these custom tools?

2. A computer running Windows Server 2008 has been in your organization for about two months. It had been running perfectly until last week. Since last week, it has been crashing once or twice a day. How can you determine the cause of this problem?

3. You are the server administrator for a small organization with 100 users and three computers running Windows Server 2008. Your IT manager would like to respond more quickly to support calls after business hours. Currently, you drive into the office when required. This takes up to an hour. How can you avoid the need to return to the office to perform support tasks after hours? And how will you address security concerns?


Tools
Tool | Use for | Where to find it
Active Directory Users and Computers | Create user accounts | Administrative Tools
Active Directory Domains and Trusts | View and manage trusts | Administrative Tools
Active Directory Sites and Services | View and manage Active Directory sites | Administrative Tools
ADSI Edit | Perform manual edits of Active Directory objects | Administrative Tools
Microsoft Management Console | Add snap-ins to perform administrative tasks; Create custom consoles | Command prompt
Problem Reports and Solutions | Track solutions to system problems | Administrative Tools
Server Manager | Add or remove server roles and features; Perform diagnostics; Manage server configuration; Manage server storage | Administrative Tools
Computer Management | Share folders; Access system tools; Manage server storage; Manage services; Manage Routing and Remote Access | Administrative Tools
Device Manager | Configure devices; Update drivers | Administrative Tools, Computer Management, Server Management

(continued)
Tool | Use for | Where to find it
Task Manager | View applications and processes; View basic performance information | Ctrl+Alt+Del, right-click taskbar, Ctrl+Shift+Esc
Reliability and Performance Monitor | Resource Overview; Performance Monitor; Reliability Monitor; Data Collector Sets | Administrative Tools
Event Viewer | View events in logs; Collect events at a single computer; Query events | Administrative Tools, Computer Management, Server Management
Remote Desktop for Administration | Remotely connect to servers and perform administrative tasks | Control Panel > System > Remote settings
Terminal Services Configuration | Configure Remote Desktop for Administration | Administrative Tools
Local Users and Groups snap-in | Manage local users and groups | Computer Management, Server Management
Active Directory Users and Computers | Manage domain user accounts and groups | Administrative Tools
Run As Administrator | Elevate privileges of a program | Context menu when right-clicking an application shortcut
runas | Elevate privileges of a program | Command prompt

Creating Active Directory Domain Services User and Computer Objects

2-1


Module 2
Creating Active Directory Domain Services User and Computer Objects
Contents:
Lesson 1: Managing User Accounts 2-3
Lesson 2: Creating Computer Accounts 2-17
Lesson 3: Automating AD DS Object Management 2-24
Lesson 4: Using Queries to Locate Objects in AD DS 2-33
Lab: Creating AD DS User and Computer Accounts 2-39


Module Overview

One of your functions as an Active Directory Domain Services (AD DS) administrator is to manage user and computer accounts. These accounts are AD DS objects that individuals use to log on to the network and access resources. In this module, you will learn about modifying user and computer accounts on computers running the Microsoft Windows Server 2008 operating system in a networked environment.


Lesson 1

Managing User Accounts

In AD DS for Windows Server 2008, all users that require access to network resources must be configured with a user account. With this user account, users can be authenticated to the AD DS domain and granted access to network resources. As the AD DS administrator, you will need to know how to create and configure user accounts.


What Is a User Account?

Key Points
A user account is an object that contains all of the information that defines a user in Windows Server 2008. The account can be either a local or a domain account. A user account includes the user name and password as well as group memberships. A user account also contains many other settings that can be configured based upon your organizational requirements.


Usage
With a user account, you can:
- Allow or deny users to log on to a computer based on their user account identity.
- Grant users access to processes and services for a specific security context.
- Manage users' access to resources such as AD DS objects and their properties, shared folders, files, directories, and printer queues.

Question: List at least one advantage of creating local accounts. List at least one advantage of creating domain accounts.


Names Associated with Domain User Accounts

Key Points
When creating a user account, an administrator provides a user logon name. User logon names must be unique in the domain/forest in which the user account is created.

Names generated by Active Directory


When a user account is created using Active Directory Users and Computers, AD DS also creates:
- An LDAP distinguished name.
- An LDAP relative distinguished name.
- A SID and a globally unique identifier (GUID).

Question: Provide at least one example of a good, scalable, unique domain user name.


User Account Password Options

Key Points
As a systems administrator, you can manage user account password options. These options can be set when the user account is created or in the Properties dialog box of a user account. Systems administrators can also change the default domain password complexity settings by accessing the Group Policy Management Editor. Administrators can configure these settings by navigating to: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy.

Question: Provide at least one example of a strong password.


Standard User Management

Key Points
Some common standard user tasks are resetting passwords, configuring group management, assigning user profiles, creating home directories, and setting user expiration.

The Reset Password function is accessed through the Active Directory Users and Computers management console. Administrators can easily access any user record and reset the password through a context menu.

The Group Management functionality is also accessed through the Active Directory Users and Computers management console. Administrators can create groups and then assign users to these groups by selecting the user and adding them to a group.

Administrators can set an expiration date for users in the Active Directory Users and Computers management console when new users are created. In the Active Directory Users and Computers management console, administrators can also set logon hours, which define the specific times when a user can access a computer.


Administrators can assign a home directory to their users in the Active Directory Users and Computers management console by accessing a user and specifying the user's home directory in the Home Folder section. Administrators can assign custom profiles to users in the Active Directory Users and Computers management console. This allows administrators to assign user access to resources.

Question: By default, how many times can a user attempt to log on before the account is locked out?


Tools for Configuring User Accounts

Key Points

Active Directory Users and Computers

Active Directory Users and Computers is the primary tool used for day-to-day administration of AD DS.

Command line tools


You also can use the command-line tools Dsadd, Dsmod, and Dsrm to manage user accounts in AD DS.

Csvde
The Csvde command-line tool uses a comma-delimited text file, also known as a comma-separated value (CSV) file, as input to create multiple accounts in AD DS.


Ldifde
The Ldifde command-line tool uses a line-separated text file in LDAP Data Interchange Format (LDIF) to create, modify, and delete objects in Active Directory.

Windows PowerShell
Use Windows PowerShell when you want to change the attribute values for multiple Active Directory objects or when the selection criteria for these objects are complex.

Question: List at least two criteria required when selecting from the available methods for automating user creation.


Demonstration: Configuring User Accounts

Key Points
- Add a user in Active Directory Users and Computers.
- Add a user with dsadd.
- Review user account properties.
- Rename an account in Active Directory Users and Computers.
- Rename an account using dsmod.
- Review password complexity settings.


Question: How would you create several user objects with the same settings for attributes, such as department and office location?

Question: Under what circumstances would you disable a user account rather than delete it?

Question: Why are you prompted to change the additional names when you change the user name?

Question: Why would you rename a user name in AD DS when a user changes their name rather than deleting the account and creating a new account with the new name?


What Is a User Account Template?

Key Points
A user account template is an account that has commonly used settings and properties already configured. You can use user account templates to simplify the process of creating domain user accounts. To perform this procedure, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers. To prevent a particular user from logging on for security reasons, you can disable user accounts rather than deleting user accounts. By creating disabled user accounts with common group memberships, you can use disabled user accounts as account templates to simplify user account creation.


Information such as logon hours and group memberships is retained when a new user is created from a template, but the Description and Office attributes are not copied. Which additional attributes are copied can be viewed and modified in the Active Directory Schema MMC snap-in.

Question: List at least one example of how your company uses account templates.


Demonstration: Creating and Using a User Account Template

Key Points
- Use Active Directory Users and Computers to add a new user to the Users container.
- Copy the template account, and rename its identity attributes.

Question: What are some fields not populated when you create a new user from a template?

Question: How could you make a template account easy to find in AD DS?


Lesson 2

Creating Computer Accounts

In AD DS, computers are security principals, just like users. This means that computers must have accounts and passwords. To be fully authenticated by AD DS, a user must have a valid user account, and the user must also log on to the domain from a computer that has a valid computer account. All computers running Microsoft Windows NT or later operating systems must have computer accounts in AD DS.


What Is a Computer Account?

Key Points
Computers access network resources to perform key tasks such as authenticating user logon, obtaining an IP address, and receiving security policies. To have full access to these network resources, computers must have valid accounts in AD DS. The two main functions of a computer account are performing security and management activities.

Question: List at least one way your company manages its computer accounts.


Options for Creating Computer Accounts

Key Points
You can create computer accounts in AD DS by joining the computer to the domain, or by pre-staging computer accounts before joining the computer to the domain. Both administrators and users can join computers to the domain. Pre-staging the account is simply creating the computer account in AD before joining the computer to the domain. If you need to secure the pre-staged account, then you can provide a staging GUID that will then be used only by the computer that matches the GUID.

Adding computers to an AD DS domain


If a computer is joined to a domain, the computer account is created in the Computers container by default. In most organizations, administrators will move the computer accounts to department-specific OUs so that specific software and operating system configurations can be applied to the computers.


Pre-staging computer accounts


You can ensure that computer accounts are configured in the right AD DS container by pre-staging computer accounts. When you pre-stage a computer account, you create the computer in the domain before joining the computer to the domain. Organizations pre-stage computer accounts in order to automate the operating system and application installation by using tools such as Windows Deployment Services.

Question: List at least one advantage of pre-staging when deploying.


Managing Computer Accounts

Key Points
The most commonly used properties for computer accounts in AD DS are the Location and Managed By properties. To maintain computers, you must find the physical location of the computers. The Location property can be used to document the computer's physical location in your network. The Managed By property lists the individual responsible for the computer. This information can be useful when you have a data center with servers for different departments and you need to perform maintenance on a server: you can call or send e-mail to the person who is responsible for the server before you perform maintenance on it.

Question: How can the Location and Managed by properties be used to automate computer account management?


Demonstration: Configuring Computer Accounts

Key Points
- Create a normal user account in Active Directory Users and Computers.
- Configure the computer account settings.
- Disable and reset an account.


Question: A user is taking a two-month leave from work. No one else will be using the user's computer, and you want to ensure that no one can log on to the computer while she is gone. However, you want to minimize the amount of effort required for the user to start using the computer when she comes back. How should you configure the computer account?

Question: You are pre-staging 100 computer accounts for workstations that will be added to the domain over the next few weeks. You want to ensure that only members of the desktop support team can add the computers to the domain. What should you do?


Lesson 3

Automating AD DS Object Management

In most cases, you are likely to create and configure AD DS objects on an individual basis. However, in some cases, you may need to create or modify the configuration for many objects simultaneously. For example, if your organization hires a large group of new employees, you may want to automate the new-accounts configuration process. If your organization moves to a new location, you may want to automate the task of assigning new addresses and phone numbers to all users. This lesson describes how to manage multiple AD DS objects.


Tools for Automating AD DS Object Management

Key Points
Windows Server 2008 provides a number of tools that you can use to create or modify multiple user accounts automatically in AD DS. Some of these tools require that you use a text file containing information about the user accounts that you want to create. You also can create Windows PowerShell scripts to add objects or make changes to Active Directory objects. Administrators can still use Microsoft Visual Basic Scripting Edition (VBScript) to manage Active Directory objects. If you already have VBScript scripts developed, you should be able to reuse those scripts with very little modification.

Question: List at least one way your organization has employed these tools to automate AD DS object management.


Configuring AD DS Objects Using Command-Line Tools

Key Points
Use these command-line tools to configure AD DS objects. Examples:
- Dsadd: dsadd user "cn=Keith Harris,cn=users,dc=contoso,dc=com" -samid Keith -fn Keith -ln Harris -display "Keith Harris" -pwd Pa$$w0rd
- Dsmod: dsmod computer "cn=sales2,ou=sales,dc=contoso,dc=com" -loc Downtown -desc Workstation
- Dsrm: dsrm "cn=sales2,ou=sales,dc=contoso,dc=com" -subtree -c
- Dsget: dsget user "cn=Keith Harris,cn=users,dc=contoso,dc=com" -memberof
- Net user: net user "Gregory Weber" Pa$$w0rd /add

Net group: net group SalesGroup "Gregory Weber" /add
Net computer: net computer \\Sales2 /del
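The following is an added example, not code from the course, that strings these tools together from Windows PowerShell, which can call them directly: it creates an account with dsadd, changes it with dsmod, reads it back with dsget, and pipes dsquery output into dsmod for a bulk change. The OU, group, user and UPN suffix are hypothetical.

```powershell
# Added example (not from the course). OU, group, user and UPN suffix are hypothetical.
# Run on a domain controller or on a server with the AD DS administration tools installed.
$ou = "ou=Sales,dc=contoso,dc=com"
$dn = "cn=Keith Harris,$ou"

# Create the account. "-pwd *" makes dsadd prompt for the password so it does not
# end up in the shell history or in a process command line that other users can
# read; "-mustchpwd yes" forces a change at first logon, so the administrator never
# knows the user's long-term password.
dsadd user $dn -samid KeithH -upn "keith.harris@contoso.com" -fn Keith -ln Harris `
    -display "Keith Harris" -pwd * -mustchpwd yes -disabled no
if ($LASTEXITCODE -ne 0) { throw "dsadd failed with exit code $LASTEXITCODE" }

# Modify attributes and group membership with dsmod.
dsmod user  $dn -office Downtown -desc "Sales representative"
dsmod group "cn=Sales_GG,$ou" -addmbr $dn

# Read selected attributes back. dsget has two forms: attribute display and
# membership display; -expand resolves nested groups, which is what matters
# when you audit who can actually reach a resource.
dsget user $dn -samid -display -office -disabled
dsget user $dn -memberof -expand

# Bulk change through the pipeline: dsquery emits one DN per line and dsmod reads
# DNs from standard input. This disables every user in the OU that has not logged
# on for 8 weeks. -inactive relies on lastLogonTimestamp and therefore needs the
# Windows Server 2003 domain functional level or higher; -limit 0 removes the
# default cap of 100 results.
dsquery user $ou -inactive 8 -limit 0 | dsmod user -disabled yes
```

The last line is the reason to reach for the command line instead of the console: the same pipeline can be run on a schedule or against any OU without clicking through each account.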

Question: List at least one example of why an administrator would want to use command line tools.

Managing User Objects with LDIFDE

Key Points
You can use the Ldifde command-line tool to create, modify, and delete multiple objects in a single run. Ldifde reads and writes LDAP Data Interchange Format (LDIF), a line-separated text format in which each entry begins with the object's distinguished name (dn:), followed by a changetype (add, modify, or delete) and the attributes to set. The same tool exports objects to an LDIF file, so a common pattern is to export the objects, edit the file, and import it again.

Question: List at least one way that LDIFDE makes user management more scalable and reliable.

Managing User Objects with CSVDE

Key Points
You can use the Csvde command-line tool to create multiple objects in AD DS from a comma-separated values file; however, Csvde can only create objects, not modify or delete them. Because Csvde cannot import passwords, the user accounts it creates are disabled until an administrator sets a password and enables them.

Question: List at least one advantage of using CSVDE over LDIFDE when managing user objects.
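The following is an added example, not the course's ImportUsers.csv or any lab file, that builds a csvde input file from Windows PowerShell and imports it, creating an OU and the user accounts inside it, which is the same shape of import that Exercise 3 of the lab performs. The domain, OU, users and UPN suffix are hypothetical.

```powershell
# Added example (not from the course). Domain, OU, users and UPN suffix are hypothetical.
$domainDn = "DC=WoodgroveBank,DC=com"
$ouDn     = "OU=Houston,$domainDn"
$csvPath  = "C:\import.csv"

# The header row names the attributes to set; DN and objectClass are mandatory.
# csvde processes rows in order, so a container row must precede the rows for the
# objects inside it. DNs contain commas and must therefore be quoted.
$lines = @("DN,objectClass,sAMAccountName,userPrincipalName,givenName,sn,displayName,department")
$lines += "`"$ouDn`",organizationalUnit,,,,,,"

$users = @(
    @{ First = "Sunil"; Last = "Koduri";  Sam = "Sunil"; Dept = "Customer Service" },
    @{ First = "Doris"; Last = "Krieger"; Sam = "Doris"; Dept = "Investments" }
)
foreach ($u in $users) {
    $dn = "CN=$($u.First) $($u.Last),$ouDn"
    $lines += "`"$dn`",user,$($u.Sam),$($u.Sam)@woodgrovebank.com,$($u.First),$($u.Last),$($u.First) $($u.Last),$($u.Dept)"
}
# No userAccountControl column: csvde cannot import passwords, so the accounts are
# created disabled. A userAccountControl value of 512 (enabled) in the file would
# make the import fail wherever the domain password policy requires a password.
Set-Content -Path $csvPath -Value $lines -Encoding ASCII

# -i import (the default mode is export), -f input file, -k continue past
# "object already exists" errors, -j directory that receives csv.log and csv.err.
csvde -i -f $csvPath -k -j C:\
if ($LASTEXITCODE -ne 0) { throw "csvde reported errors; see C:\csv.err" }

# Verify: every imported user should exist and still be disabled until it is activated.
dsquery user $ouDn -limit 0 | dsget user -samid -upn -disabled

# The file holds personal data; remove it once the import has been verified.
Remove-Item $csvPath
```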

What Is Windows PowerShell?

Key Points
Windows PowerShell is an extensible scripting and command-line technology that developers and administrators can use to automate tasks in a Windows environment. Windows PowerShell is built from small cmdlets that each perform a specific task; by combining cmdlets through the pipeline, you can perform complex administrative tasks. Windows PowerShell runs in its own command shell, PowerShell.exe. From this shell you can perform most of the tasks you could perform in the traditional command shell (cmd.exe), and many more.

Question: What is the difference between the command prompt and Windows PowerShell?

Windows PowerShell Cmdlets

Key Points
Windows PowerShell is easy to learn because cmdlets follow a consistent Verb-Noun naming convention (for example, Get-Process or Set-ExecutionPolicy). Pipelining is consistent across all cmdlets: the objects that one cmdlet outputs are passed as input to the next cmdlet, rather than as lines of text that have to be parsed.

Question: List at least one important management cmdlet.

Demonstration: Configuring Active Directory Objects Using Windows PowerShell

Key Points
Examine built-in cmdlets. Build complex commands by using pipelines and auto-complete. Examine and run a pre-existing script.

Question: What are the advantages and disadvantages of modifying Active Directory objects by using Windows PowerShell scripts? How can you address the disadvantages?

Lesson 4

Using Queries to Locate Objects in AD DS

Some large organizations have thousands of user accounts in an AD DS domain. Even if these accounts are grouped into different OUs, it can still take some time to find a specific user in the domain. Windows Server 2008 provides several features in Active Directory Users and Computers that make it easier to locate these users.

Options for Locating Objects in AD DS

Key Points
There are several options available in the Windows Server 2008 administration tools that can increase the efficiency of looking for user accounts in domains with many users.

To sort the order of objects in Active Directory Users and Computers:
1. View the user accounts in their container in Active Directory Users and Computers.
2. Click any of the column headings to sort the order of the objects (either ascending or descending).

You can also add more columns to the display and then sort the display based on the additional column.

To search for objects in Active Directory Users and Computers


Active Directory provides information about all objects on a network, including people, groups, computers, printers, shared folders, and OUs. It is easy to search for users, contacts, and groups by using the Find Users, Contacts, and Groups dialog box.

Using a command line


You can use the dsquery command to find users and computers in AD DS that match the specified search criteria. Question: If an administrator were searching for a number of disparate users, would it be more efficient to use the graphic user interface or the command line tool?

Demonstration: Searching AD DS

Key Points
Create a Saved Query. Export a query to an .xml file.

Question: You need to update the phone number for a user. You have only been given the users first name and last name and you do not know which OU contains the object. What is the quickest way to locate the user account? Question: You need to create a new user account and want to check if a user name is already in use in the domain. How could you do this?

What Is a Saved Query?

Key Points
The Active Directory Users and Computers management tool has a Saved Queries folder in which you can create, edit, save, and organize saved queries. A saved query is an LDAP search filter scoped to a container (the domain or an OU beneath it) in the domain partition, so you can focus a search on a single container and rerun it at any time without re-entering the criteria. You can build the filter with the Find dialog box or write a custom LDAP search filter yourself. Saved queries are stored in the console (.msc) file on the computer where they were created, not in AD DS. After you create a set of queries, you can copy the .msc file to other Windows Server 2008 domain controllers in the same domain and reuse the same set of saved queries. Queries can also be shared by exporting them to XML files and importing those files into the console on other domain controllers.

Question: List at least one way that saved queries help with the long-term maintainability of your organization.
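The following is an added example, not from the course, showing the LDAP filters that a saved query or a dsquery command would use, run through the System.DirectoryServices classes that the console and dsquery themselves sit on. It covers the lab's Find_Investment_Users query, disabled accounts, and accounts that have not logged on recently (the "no longer active" case). The domain name and the filter values are hypothetical.

```powershell
# Added example (not from the course). Domain name and filter values are hypothetical.
function Find-AdObject {
    param(
        [string]$Filter,
        [string]$SearchBase,
        [string[]]$Properties = @("distinguishedName")
    )
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchBase")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.SearchScope = "Subtree"
    $searcher.PageSize    = 1000      # paged results; without it the server stops at 1000 objects
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }

    foreach ($result in $searcher.FindAll()) {
        $obj = New-Object PSObject
        foreach ($p in $Properties) {
            $key   = $p.ToLower()      # result property names come back in lowercase
            $value = $null
            if ($result.Properties.Contains($key)) { $value = $result.Properties[$key][0] }
            $obj = $obj | Add-Member -MemberType NoteProperty -Name $p -Value $value -PassThru
        }
        $obj
    }
}

$domain    = "DC=WoodgroveBank,DC=com"
$userProps = @("sAMAccountName", "department", "distinguishedName")

# 1. The lab's Find_Investment_Users query: users whose department starts with "Investments".
#    objectCategory=person excludes computer accounts, which are also objectClass=user.
Find-AdObject -SearchBase $domain -Properties $userProps `
    -Filter "(&(objectCategory=person)(objectClass=user)(department=Investments*))"

# 2. Disabled accounts: test bit 2 (ACCOUNTDISABLE) of userAccountControl with the
#    LDAP_MATCHING_RULE_BIT_AND rule instead of matching literal values such as 514,
#    which would miss accounts that also carry other flags.
Find-AdObject -SearchBase $domain -Properties $userProps `
    -Filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"

# 3. Accounts that have not logged on for 90 days. lastLogonTimestamp is replicated
#    to every domain controller but is only refreshed when the stored value is more
#    than 14 days old (by default), so treat a hit as "stale", not as an exact time.
$cutoff = (Get-Date).AddDays(-90).ToFileTime()
Find-AdObject -SearchBase $domain -Properties @("sAMAccountName", "lastLogonTimestamp") `
    -Filter "(&(objectCategory=person)(objectClass=user)(lastLogonTimestamp<=$cutoff))"
```

Any of these filter strings can be pasted into the Custom Search tab of a saved query or passed to dsquery * with -filter, which is how you turn a one-off search into something other administrators can rerun.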

Demonstration: Using a Saved Query

Key Points
Create a Saved Query. Export a query to an .xml file.

Question: You need to find all user accounts in your AD DS domain that are no longer active. How would you do this?

Lab: Creating AD DS User and Computer Accounts

Scenario
Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. Woodgrove Bank has deployed AD DS for Windows Server 2008. As one of the network administrators, one of your primary tasks will be to create and manage user and computer accounts.

Exercise 1: Creating and Configuring User Accounts


In this exercise, you will create and configure user accounts. You will create a template and a user account based on the template. Finally, you will create a saved query and verify its ability to return expected search results. The main tasks are as follows:
1. Start the virtual machines, and then log on.
2. Create a new user account.
3. Modify Kerim Hanif's user account properties.
4. Create a template for the New York Customer Service department.
5. Create a new user account based on the customer service template.
6. Modify the user account properties for all customer service representatives in New York.
7. Modify the user account properties for all Branch Managers.
8. Create a saved query to find all investment users.

Task 1: Start the virtual machines, and then log on


1. Click the 6419A Lab Launcher shortcut on your desktop. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Create a new user account


1. On NYC-DC1, open Active Directory Users and Computers.
2. In the ITAdmins OU, create a new user with the following parameters:
   First name: Kerim
   Last name: Hanif
   Full name: Kerim Hanif
   User logon name: Kerim
   Password: Pa$$w0rd
3. On NYC-CL1, verify that you can log on as Kerim, with a password of Pa$$w0rd. When prompted, change the password to Pa$$w0rd1.
4. Log off from NYC-CL1.

Task 3: Modify Kerim Hanifs user account properties


1. Modify the user account properties for Kerim Hanif's account as follows:
   Telephone number: 204-555-0100
   Office: Downtown
   E-mail: Kerim@WoodgroveBank.com
   Remote Access Permission: Allow access
   Logon Hours: Monday to Friday, 8:00 A.M. to 5:00 P.M.
2. Add Kerim to the ITAdmins_WoodgroveGG group.

Task 4: Create a template for the New York Customer Service department
In the CustomerService OU, create and configure a user account with the property settings in the following table:
Property                Value
First name              CustomerService
Last name               Template
Full name               CustomerService Template
User logon name         _CustomerServiceTemplate
Password                Pa$$w0rd
Description             Customer Service Representative
Office                  New York Main Office
Member Of               NYC_CustomerServiceGG
Department              Customer Service
Logon Hours             6:00 A.M. to 6:00 P.M., Monday to Friday
Disable the account     Selected

Task 5: Create a new user account based on the customer service template
1. Copy the CustomerService Template and create a new user with the following parameters:
   First name: Sunil
   Last name: Koduri
   User logon name: Sunil
   Password: Pa$$w0rd
2. Enable the account.

Task 6: Modify the user account properties for all customer service representatives in New York
1. In the CustomerService OU, select all the user accounts and update their properties to reflect the following information:
   Description: Customer Service Representative
   Office: New York Main Office
   Department: Customer Service
2. View the properties of one of the user accounts in the OU to confirm that the Description, Office, and Department attributes have been updated.

Task 7: Modify the user account properties for all Branch Managers
1. In Active Directory Users and Computers, search the WoodgroveBank.com domain.
2. Use an advanced search to find all user accounts that have a job title of Branch Manager.
3. Select all of the user accounts located by the search, and add them to the BranchManagersGG group.

Task 8: Create a saved query to find all investment users


1. In Active Directory Users and Computers, create a new saved query named Find_Investment_Users that will search for all users with a department attribute that starts with Investments.
2. Verify that the query displays all the users in the Investment departments in each city.

Result: At the end of this exercise, you will have created and configured user accounts. You will have created a template and a user account based on the template. And you will have created a saved query and verified its ability to return expected search results.

Exercise 2: Creating and Configuring Computer Accounts


In this exercise, you will create and configure computer accounts, delete a computer account, and join a computer to an AD DS domain. The main tasks are as follows:
1. Create a computer account by using Active Directory Users and Computers.
2. Delete a computer account in AD DS.
3. Join a computer to an AD DS domain.

Task 1: Create a computer account by using Active Directory Users and Computers
1. On NYC-DC1, in Active Directory Users and Computers, create a new computer account named Vista1 in the Computers container.
2. Configure the computer account settings so that Doris Krieger can join the computer to the domain.

Task 2: Delete a computer account in AD DS


1. In Active Directory Users and Computers, delete the NYC-CL1 computer account.
2. On NYC-CL1, attempt to log on as Axel with a password of Pa$$w0rd. Note the error: without its computer account, NYC-CL1 can no longer authenticate to the domain.

Task 3: Join a computer to an AD DS domain


1. On NYC-CL1, log on as a local Administrator with a password of Pa$$w0rd.
2. Access the System control panel, and click Change settings.
3. Change the computer name to NYC-CL3 and configure the computer to be a member of a workgroup called WORKGROUP.

Note: You will be prompted to authenticate. Authenticate as Administrator with a password of Pa$$w0rd.

4. Restart the computer.
5. After the computer restarts, log on as Administrator with a password of Pa$$w0rd.
6. Access the System control panel, and click Change settings.
7. Configure the computer to be a member of the WoodgroveBank.com domain.
8. Use the administrator credentials to join the computer to the domain.
9. Restart the computer.
10. On NYC-DC1, in Active Directory Users and Computers, verify that the NYC-CL3 account was added to the domain.
11. On NYC-CL3, verify that you can log on as WoodgroveBank\Axel with a password of Pa$$w0rd.
Result: At the end of this exercise, you will have created and configured computer accounts, deleted a computer account and joined a computer to an AD DS domain.

Exercise 3: Automating the Management of AD DS Objects


Woodgrove Bank is opening a new Houston branch. The HR department has provided you with a file that includes all of the new users that are being hired for the Houston location. You need to import the user accounts into AD DS, and then activate and assign passwords to all of the accounts. You also need to modify the user properties for the Houston users by updating the city information. Woodgrove Bank is also planning to start a Research and Development department in the NYC location. You need to create a new OU for the research and development (R&D) department in the Woodgrove Bank domain, and import and configure new user accounts in AD DS. The main tasks are as follows:
1. Modify and use the Importusers.csv file to import a group of users into AD DS.
2. Modify and run the ActivateUser.vbs script to enable the imported user accounts and assign a password to each account.
3. Modify and use the Modifyusers.ldf file to prepare for modifying the properties for a group of users in AD DS.
4. Run the CreateUser.ps1 script to add new users to AD DS.

Task 1: Modify and use the Importusers.csv file to import a group of users into AD DS
1. On NYC-DC1, browse to E:\Mod02\Labfiles and open ImportUsers.csv with Notepad. Examine the header information required to create OUs and user accounts.
2. Copy and paste the contents of the ImportUsers.txt file into the ImportUsers.csv file, starting with the second line. Save the file as C:\import.csv.
3. At the command prompt, type csvde -i -f C:\import.csv and then press ENTER.
4. In Active Directory Users and Computers, verify that the Houston OU and five child OUs were created, and that several user accounts were created in each OU.

Task 2: Modify and run the ActivateUser.vbs script to enable the imported user accounts and assign a password to each account
1. On NYC-DC1, in E:\Mod02\Labfiles, edit ActivateUsers.vbs.
2. Modify the container value in the second line to: OU=BranchManagers,OU=Houston,DC=WoodgroveBank,DC=com.
3. Modify the container values in the additional lines at the end of the script to include the following OUs, and then save the file:
   OU=CustomerService,OU=Houston,DC=WoodgroveBank,DC=com
   OU=Executives,OU=Houston,DC=WoodgroveBank,DC=com
   OU=Investments,OU=Houston,DC=WoodgroveBank,DC=com
   OU=ITAdmins,OU=Houston,DC=WoodgroveBank,DC=com
4. Save the file as C:\ActivateUsers.vbs, and then run it by using cscript C:\ActivateUsers.vbs.
5. In Active Directory Users and Computers, browse to the Houston OU, and then confirm that the user accounts in all child OUs are activated.

Task 3: Modify and use the Modifyusers.ldf file to prepare to modify the properties for a group of users in AD DS
1. On NYC-DC1, export all of the user accounts in the Houston child OUs by using the following command:
   ldifde -f C:\Modifyusers.ldf -d "OU=Houston,DC=WoodgroveBank,DC=com" -r "(objectClass=user)" -l physicalDeliveryOfficeName
2. Edit the C:\Modifyusers.ldf file.
3. On the Edit menu, use the Replace option to replace all instances of changetype: add with changetype: modify.
4. After each changetype line, add the following lines:
   replace: physicalDeliveryOfficeName
   physicalDeliveryOfficeName: Houston
5. At the end of the entry for each user, add a dash (-) on its own line followed by a blank line.

6. Save the file as C:\Modifyusers.ldf.
7. At the command prompt, type ldifde -i -f C:\Modifyusers.ldf and then press ENTER.
8. In Active Directory Users and Computers, verify that the Office attribute for the user accounts in Houston has been updated with the Houston location.

Task 4: Modify and run the CreateUser.ps1 script to add a new user to AD DS
1. On NYC-DC1, in E:\Mod02\LabFiles, open CreateUser.ps1.
2. Under #Assign the location where the user account will be created, note the entry $objADSI = [ADSI]"LDAP://ou=ITAdmins,DC=WoodgroveBank,DC=com".
3. Enable script execution in Windows PowerShell by typing Set-ExecutionPolicy AllSigned at the Windows PowerShell prompt, and then press ENTER. AllSigned runs only scripts that carry a valid digital signature; the less restrictive RemoteSigned policy allows unsigned local scripts while still requiring a signature on scripts downloaded from the Internet.
4. Run the script: E:\Mod02\Labfiles\CreateUser.ps1

Note: You will be prompted to authenticate. Authenticate as Administrator with a password of Pa$$w0rd.

5. In Active Directory Users and Computers, in the ITAdmins OU, verify that the user Jesper has been created.
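The following is an added example, not from the course and not the lab's CreateUser.ps1 or ActivateUsers.vbs, that performs both of the lab's scripted operations with the [ADSI] type accelerator introduced in the "What Is Windows PowerShell?" lesson: creating a user with a password (Task 4) and enabling the accounts an import left disabled (Task 2). The OU names, user names and UPN suffix are hypothetical.

```powershell
# Added example (not from the course, and not the lab's CreateUser.ps1 or
# ActivateUsers.vbs). OU names, user names and UPN suffix are hypothetical.

# Decode the SecureString only for the duration of the SetPassword call, which
# ADSI performs over a protected channel rather than by writing unicodePwd in clear.
function Set-AdsiPassword {
    param($User, [System.Security.SecureString]$Password)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try     { $User.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Create a user, set its password, and enable it (what CreateUser.ps1 does for Jesper).
function New-AdsiUser {
    param(
        [string]$ContainerDn,
        [string]$FirstName,
        [string]$LastName,
        [string]$SamAccountName,
        [System.Security.SecureString]$Password
    )
    $container = [ADSI]"LDAP://$ContainerDn"
    $user = $container.Create("user", "CN=$FirstName $LastName")
    $user.Put("sAMAccountName",    $SamAccountName)
    $user.Put("givenName",         $FirstName)
    $user.Put("sn",                $LastName)
    $user.Put("displayName",       "$FirstName $LastName")
    $user.Put("userPrincipalName", "$SamAccountName@woodgrovebank.com")
    $user.SetInfo()                      # the object must exist before a password can be set

    Set-AdsiPassword -User $user -Password $Password
    # A new object starts as 546 (NORMAL_ACCOUNT + ACCOUNTDISABLE + PASSWD_NOTREQD).
    # 512 = NORMAL_ACCOUNT only: enabled, and the password policy applies.
    $user.Put("userAccountControl", 512)
    $user.Put("pwdLastSet", 0)           # the user must change the password at first logon
    $user.SetInfo()
    return $user.Path
}

# Activate every user directly under an OU that csvde left disabled (Task 2).
function Enable-AdsiUsersInOu {
    param([string]$OuDn, [System.Security.SecureString]$InitialPassword)
    $ou = [ADSI]"LDAP://$OuDn"
    foreach ($child in $ou.Children) {
        if ($child.SchemaClassName -ne "user") { continue }
        Set-AdsiPassword -User $child -Password $InitialPassword
        $uac = [int]$child.Properties["userAccountControl"].Value
        # Clear ACCOUNTDISABLE (2) and PASSWD_NOTREQD (32); leave every other flag as it is.
        $child.Put("userAccountControl", ($uac -band (-bnot 34)))
        $child.Put("pwdLastSet", 0)
        $child.SetInfo()
        "enabled " + $child.Properties["sAMAccountName"].Value
    }
}

# Usage. Read-Host -AsSecureString keeps the password out of the script and the history.
$pw = Read-Host -AsSecureString "Initial password"
New-AdsiUser -ContainerDn "OU=ITAdmins,DC=WoodgroveBank,DC=com" `
    -FirstName "Jesper" -LastName "Aaberg" -SamAccountName "Jesper" -Password $pw
Enable-AdsiUsersInOu -OuDn "OU=BranchManagers,OU=Houston,DC=WoodgroveBank,DC=com" -InitialPassword $pw
```

The order inside New-AdsiUser matters: enabling the account before a password exists fails wherever the domain password policy requires one, which is why the VBScript in Task 2 also sets the password first and then enables the account.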

Task 5: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6419A Lab Launcher.
Result: At the end of this exercise, you will have examined several options for automating the management of user objects.

Module Review and Takeaways

Review Questions
1. You are responsible for managing accounts and access to resources for members of your group. A user in your group leaves the company, and you expect a replacement for that employee in a few days. What should you do with the previous user's account?
2. A user in your group must create a test lab with 24 computers that will be joined to the domain, but the accounts must be created in a separate OU. What is the best way to do this?
3. You are responsible for maintaining the servers in your organization. You want to enable other administrators in the organization to determine the physical location of each server without adding any additional administrative tasks or creating any additional documents. How can you do this?

4. To accelerate the process of creating new accounts when new employees enter your group, you create a series of account templates that you use to create new user accounts and groups. You are notified that a user with an account that was created by using one of the non-manager account templates has been accessing files that are restricted to the Managers group. What should you do?
5. You are responsible for managing computer accounts for your group. A user reports that they cannot log on to the domain from a specific computer but can log on from other computers. What should you do?
6. You have determined the best ways to search for Active Directory objects and documented your recommended search criteria. However, the administrators tell you that it is taking too long to create and then run the search. After further research, you determine that most of the systems administrators are searching for the same information. What can you do to accelerate the search process?

Considerations for Managing AD DS User and Computer Accounts


When managing AD DS user and computer accounts, consider the following:

If your organization typically creates large numbers of user accounts at the same time, explore using LDIFDE, CSVDE, or Windows PowerShell scripts to automate the process of creating the accounts. These tools can save a great deal of time when adding or modifying multiple accounts.

Consider delegating permissions to create and manage user accounts in your AD DS domain. You can delegate permissions at the domain or OU level.

At a minimum, retain the password complexity requirements in a Windows Server 2008 domain. Complex passwords are more difficult for users to remember, but they are also the most important first step in maintaining AD DS security.

Module 3
Creating Groups and Organizational Units
Contents:
Lesson 1: Introduction to AD DS Groups    3-3
Lesson 2: Managing Groups    3-17
Lesson 3: Creating Organizational Units    3-22
Lab: Creating an OU Infrastructure    3-29

Module Overview

One of the primary functions of a directory service such as Active Directory Domain Services (AD DS) is to provide authorization for access to network resources. Ultimately, access to network resources is based on the individual user accounts. However, in most cases, you do not want to administer access to resources by using individual user accounts. In a large company, this would result in significant administrative effort. Because it is difficult to manage access to network resources by using individual user accounts, you must learn to create group objects to manage large collections of users simultaneously. In an Active Directory domain, you can organize users and computers in organizational units (OUs). You use an OU to group and organize objects for administrative purposes, such as delegating administrative rights and assigning Group Policy settings to a collection of objects as a single unit.

Lesson 1

Introduction to Groups

A group is a collection of user or computer accounts. You use groups to efficiently manage access to domain resources, which helps simplify network management and administration. You can use groups separately, or you can put one group within another to simplify administration even more. This lesson describes how to use and configure groups.

What Are Groups?

Key Points
Groups are a logical collection of AD DS objects, such as users, computers, or other groups. Groups can be organized by department, by location, or by the resources their members need. Groups are an important administrative tool for simplifying administration: they enable you to assign permissions for resources to multiple users or computers at once instead of individually.
Note: Groups can be converted from distribution to security (or vice versa) if the domain functional level is Microsoft Windows 2000 native or later versions.

Administrators can assign specific rights to group accounts or to individual user accounts. These rights authorize users to perform specific actions, such as logging on to a system interactively or backing up files and directories. User rights are different from permissions because user rights apply to user accounts, and permissions are attached to objects.

Group Scopes
There are three group scopes available: Domain Local, Global, and Universal.

Question: Describe a situation where you would use a distribution group instead of a security group.

AD DS Domain Functional Levels

Key Points
Functional levels determine the available AD DS domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest. However, functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest. When you deploy AD DS, set the domain and forest functional levels to the highest value that your environment can support. This way, you can use as many AD DS features as possible. For example, if you are sure that you will never add domain controllers that run Microsoft Windows Server 2003 to the domain or forest, select the Microsoft Windows Server 2008 functional level during the deployment process. However, if you might retain or add domain controllers that run Windows Server 2003, select the Windows Server 2003 functional level.

After you raise the domain or forest functional level, you cannot go back to a lower functional level. Question: What domain functional level do you currently have in your organization? If you dont know, what functional level do you think you should have?

What Are Global Groups?

Key Points
A global group is a security or distribution group that can contain users, groups, and computers from the same domain as the global group. You can use global security groups to assign user rights, delegate authority to AD DS objects, or assign permissions to resources in any domain in the forest or in any trusting domain in another forest. Use groups with global scope to manage directory objects that require daily maintenance, such as user and computer accounts. Because the membership of a global group is not replicated to the global catalog, you can change the membership frequently without generating replication traffic to global catalog servers in other domains. Global groups exist at every domain functional level; however, at the Windows 2000 mixed level a global group can contain only user and computer accounts from its own domain, and nesting other global groups inside it requires the Windows 2000 native level or higher.

Question: In what ways could you use global groups in your organization?

What Are Universal Groups?

Key Points
A universal group is a security or distribution group that can contain users, groups, and computers from any domain in its forest. You can use universal security groups to assign user rights and permissions to resources in any domain in the forest. The membership of a universal group is stored in the global catalog, so every membership change is replicated to every global catalog server in the forest; for that reason, avoid changing the membership of universal groups frequently. At the Windows 2000 forest functional level, any membership change causes the entire member list to be replicated; at the Windows Server 2003 forest functional level and higher, linked-value replication replicates only the members that changed, which reduces this cost. When the domain functional level is Windows 2000 mixed, security groups with universal scope cannot be created, although distribution groups with universal scope are still permitted. At the Windows 2000 native domain functional level and higher, universal groups are available for both distribution and security groups.

Question: In what ways could you use universal groups in your organization?

What Are Domain Local Groups?

Key Points
A domain local group is a security or distribution group that can contain user and computer accounts from the local domain, any domain in the forest, or any trusted domain. Domain local groups can also contain global groups from any domain in the forest or any trusted domain, universal groups from any domain in the forest, and other domain local groups from the local domain. Domain local groups exist at every domain functional level, but nesting universal groups or other domain local groups inside them requires the Windows 2000 native level or higher. Use a domain local group to assign permissions to resources that are located in the same domain as the domain local group: put all the global groups that need access to the same resource into the appropriate domain local group, and assign the permission once, to that domain local group.

Question: How could you provide members of a Sales department that travel frequently between domains in a multi-city company with access to printers on various domains that are managed by using domain local groups?

What Are Local Groups?

Key Points
A local group is a collection of user accounts or domain groups that is created on a member server of an AD DS domain, on a stand-alone server, or on a workstation. You create local groups to grant permissions for resources that reside on the local computer. Local groups can contain local or domain user accounts, computers, global groups, and universal groups. You cannot create local groups on AD DS domain controllers: domain controllers do not have local users and groups, because the only security database on a domain controller is the AD DS database.

Note: Because groups that have a domain local scope also are known as local groups, it is important to distinguish between a local group and a group that has a domain local scope. Local groups also are known as machine local groups to distinguish them from domain local groups.

Question: Describe a situation where you would use a local group instead of one of the domain groups.

Discussion: Identifying Group Usage

Key Points
Discuss these scenarios with the classroom, led by your instructor.

What Is Group Nesting?

Key Points
When you use nesting, you add a group as a member of another group. You can use nesting to consolidate group management. Nesting increases the number of member accounts that are affected by a single action, and reduces the replication traffic caused by changes in group membership. Full group nesting is available when the domain functional level is Windows 2000 native, Windows Server 2003, or Windows Server 2008.
Note: You should avoid nesting multiple levels of groups. Tracking permissions is more complex with multiple levels.


The following are best practices:

AGDLP: Accounts, Global, Domain Local, Permissions
Place accounts into global groups. Nest each global group inside a domain local group. Assign the permission to the domain local group.

AGUDLP: Accounts, Global, Universal, Domain Local, Permissions
In this practice, the global group is first nested within a universal group, and the universal group is then nested within the domain local group that holds the permission. This variant is used across domains in a forest, because universal group membership is published in the global catalog.

Question: Describe a scenario where you could use nesting in your organization to simplify management.
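The AGDLP chain above, built end to end in Windows PowerShell. This is an added example, not code from the 6419A courseware (which uses Active Directory Users and Computers and Dsadd); it assumes the ActiveDirectory module that ships with Windows Server 2008 R2 and RSAT, and the OU path, the domain local group name ACL_VanMarketing_Modify, the folder D:\Shares\VanMarketing and the sAMAccountNames Yvonne and Monika are assumptions. The check at the end expands the domain local group recursively and reads the folder DACL, so you can confirm that the accounts arrive through the chain and that only the domain local group appears on the ACL.

```powershell
# Added example (not from the courseware): AGDLP with the ActiveDirectory module.
# All names below are assumptions made for the demonstration.
Import-Module ActiveDirectory

$ouPath   = "OU=Marketing,OU=Vancouver,DC=WoodgroveBank,DC=com"  # assumed OU
$global   = "VAN_MarketingGG"                                    # A -> G
$domLocal = "ACL_VanMarketing_Modify"                            # G -> DL
$folder   = "D:\Shares\VanMarketing"                             # assumed path

# G: the global group holds the accounts (a role); create it only if missing.
if (-not (Get-ADGroup -Filter "Name -eq '$global'")) {
    New-ADGroup -Name $global -GroupScope Global -GroupCategory Security -Path $ouPath
}
# DL: the domain local group names the resource and the access level; it is
# the only principal that receives an ACE on the folder.
if (-not (Get-ADGroup -Filter "Name -eq '$domLocal'")) {
    New-ADGroup -Name $domLocal -GroupScope DomainLocal -GroupCategory Security -Path $ouPath
}
# A -> G: accounts go into the global group (assumed sAMAccountNames).
Add-ADGroupMember -Identity $global -Members "Yvonne", "Monika"
# G -> DL: nest the global group in the domain local group.
Add-ADGroupMember -Identity $domLocal -Members $global

# P: the permission is granted once, to the domain local group, and inherits
# to every file and subfolder.
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "WOODGROVEBANK\$domLocal",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check 1: recursive expansion of the DL group must list the user accounts,
# which proves the A -> G -> DL chain resolves.
Get-ADGroupMember -Identity $domLocal -Recursive | Select-Object Name, objectClass
# Check 2: the folder DACL names the DL group and no individual user.
(Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference -like "WOODGROVEBANK\*" } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Granting permissions to a user is never necessary with this layout: to give a new employee access, add the account to VAN_MarketingGG and the folder ACL stays unchanged.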


Discussion: Strategies for Nesting AD DS Groups

Key Points
Discuss these scenarios with the classroom, led by your instructor.


Lesson 2

Managing Groups

As an AD DS administrator, you will spend much of your time creating and administering groups. The administration tasks could include selecting group names, creating groups, and adding members to groups. This lesson describes how to perform these tasks.


Considerations for Naming Groups

Key Points
A large organization might have many security and distribution groups. A standardized naming convention helps you locate and identify groups more easily. Keep names concise and build them from departmental, geographic, or project names together with the group's scope or purpose, so that the name alone tells an administrator what the group is for.

Question: You want to create a security group for the finance department at Contoso Corporation. Contoso has worldwide locations; however, the finance department is located only in the New York office. Within the finance department, there are separate departments for accounts receivable and accounts payable. How many security groups would you create? What would be the name(s) of the security group(s) you would create?


Demonstration: Creating Groups

Key Points
Create a security group. Create a distribution group.

Question: Your organization requires a group that can be used to send e-mail to users in multiple domains. The group will not be used to assign permissions. What type of group should you create?

Question: Which group scope can be assigned permissions in any domain or forest?


Identifying Group Membership

Key Points
Use Active Directory Users and Computers to determine the membership of both users and groups. Every user account has a Member Of attribute that lists the groups of which the user is a direct member. Every group has both a Members attribute and a Member Of attribute: the Members tab lists the user accounts and groups that are members of the group, and the Member Of tab lists the groups into which this group has been added, that is, nested. Neither tab expands nesting, so a user who reaches a group only through a nested group does not appear on that group's Members tab. The Managed By tab on the properties of a group lists the user or group that manages the group, and you can delegate administration of the group's membership on this tab.

Question: In what ways can the Members tab and the Member Of tab simplify management of groups?


Demonstration: Modifying Group Scope and Type

Key Points
In Active Directory Users and Computers, open a group and change its group type. Return the Group Type to its original setting. Change the Group scope to a different scope.

Question: Describe a situation where you would want to change a group type.

Question: List some problems that may arise from changing a group type from security to distribution.


Lesson 3

Creating Organizational Units

Another option for collecting several user and computer accounts for administrative purposes is to create organizational units (OUs). In this lesson, you will learn to create OUs. You also will learn about the available options for creating OU hierarchies, and how to move objects between OUs.


What Is an Organizational Unit (OU)?

Key Points
An OU is an AD DS object that is contained in a domain. You can use OUs to organize hundreds of thousands of directory objects into manageable units. OUs are useful for grouping and organizing objects for administrative purposes, such as delegating administrative rights and assigning policies to a collection of objects as a single unit.

Question: Describe an example of how you can create an OU to isolate file and print server accounts, and allow only a particular administrator to access these accounts.


What Is an OU Hierarchy?

Key Points
AD DS OUs are used to create a hierarchical structure within a domain. By creating an OU structure, you group objects that you can administer as a unit. An OU hierarchy should logically represent the organization's structure, whether that structure is based on geographic, functional, resource-based, or user classifications. Whatever the order, the hierarchy should make it possible to administer AD DS resources as flexibly and effectively as possible. For example, if all the computers that IT administrators use must be configured in a certain way, you can group those computers in an OU and assign a policy to the OU to manage them.

Question: What is one advantage of the OU structure being invisible to end users?


OU Hierarchy Examples

Key Points
Organizations may deploy OU hierarchies by using several different models.

Geographic OUs
If the organization has multiple locations and network management is distributed geographically, you should use a location-based hierarchy. For example, you might decide to create OUs for New York, Toronto, and Miami in a single domain.

Departmental OU
A Departmental OU is based only on the organization's business functions, without regard to geographical location or divisional barriers. This approach works well for small organizations with a single location.


Resource OUs
Resource OUs are designed to manage resource objects (non-user objects such as client computers, servers, or printers). This design is most useful when all resources of a given type are managed in the same way. Resource-based OUs can simplify Group Policy-based software installation or printer deployment.

Management-based OUs
Management-based OUs reflect the administrative divisions within the organization by mirroring its structure in the OU structure. Responsibility for managing the users and groups in nested departmental OUs can then be delegated to the managers of those departments. The eventual OU design should represent how the business will be administered. Delegation of authority, separation of administrative duties, central versus distributed administration, and design flexibility are important factors to consider when you design Group Policy and select the scenarios to use for your organization.

Question: How would you structure the OU hierarchy in your organization? If you already have an OU structure in your organization, would you make any changes based on this information?


Demonstration: Creating OUs

Key Points
Create a new OU named Vancouver. Create subOUs within the newly created OU. Place two user accounts in Marketing: Claus Hansen and Arno Harteveld. Create several other objects within OUs.

Question: When you move a user, what can happen to the user in regards to Group Policy and delegated authority?

Question: Why would you locate user accounts and computer accounts in separate OUs?


OUs and Groups Summary

Key Points
The main difference between OUs and groups is that security groups are security principals and can be granted permissions, whereas OUs are not security principals and cannot be used to apply permissions. If your organization typically creates many groups or OUs at the same time, explore using LDIFDE, CSVDE, or Windows PowerShell scripts to automate creating them. These tools can save you significant time when you are adding or modifying multiple AD DS objects.

Question: You have a collection of users that you want to give permissions to access certain file servers. Would you create an OU or a group for these users? Describe the reason for your choice.


Lab: Creating an OU Infrastructure

Scenario
Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. Woodgrove Bank is opening a new subsidiary in Vancouver, and they need an OU design for the subsidiary. Woodgrove Bank has deployed AD DS on servers running Windows Server 2008, and one of your primary tasks will be to create a new OU design and move users from current positions to the new subsidiary.


Exercise 1: Creating AD DS Groups


In this exercise, you will create three new groups by using Active Directory Users and Computers and one group by using Dsadd. You will add users to the groups and inspect the results. The main tasks are as follows:
1. Start the virtual machines, and then log on.
2. Create three groups using Active Directory Users and Computers.
3. Create a group using the Dsadd command-line tool.
4. Add members to the new groups.
5. Inspect the contents of the Vancouver groups.

Task 1: Start the virtual machines, and then log on


1. Click the 6419A Lab Launcher shortcut on your desktop. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.


Task 2: Create three groups using Active Directory Users and Computers
1. On NYC-DC1, open Active Directory Users and Computers.
2. In the WoodgroveBank.com domain, create a new group in the Users container using the following parameters:
   Group Name: VAN_BranchManagersGG
   Scope: Global
   Type: Security
3. Repeat step 2 to create two more groups that have the same scope and type. The two group names are as follows:
   VAN_CustomerServiceGG
   VAN_InvestmentsGG

Task 3: Create a group using the Dsadd command-line tool


1. At a command prompt, type the following command on one line, and then press ENTER:

dsadd group "cn=VAN_MarketingGG,cn=Users,dc=WoodgroveBank,dc=com" -samid VAN_MarketingGG -secgrp yes -scope g

The switches mean: -samid sets the pre-Windows 2000 logon name, -secgrp yes makes the group a security group rather than a distribution group, and -scope g makes it a global group.

2. Use the Find command to locate the new group in the WoodgroveBank.com domain, and confirm on its properties that the scope is Global and the type is Security.


Task 4: Add members to the new groups


1. In Active Directory Users and Computers, search the WoodgroveBank.com domain by using the standard Find box to find each of the user accounts listed in the table in step 2.
2. Add each worker to the group indicated in the following table:

Find                 Add to group
Neville Burdan       VAN_BranchManagersGG
Suchitra Mohan       VAN_BranchManagersGG
Anton Kirilov        VAN_CustomerServiceGG
Shelley Dyck         VAN_CustomerServiceGG
Barbara Moreland     VAN_InvestmentsGG
Nate Sun             VAN_InvestmentsGG
Yvonne McKay         VAN_MarketingGG
Monika Buschmann     VAN_MarketingGG
Bernard Duerr        VAN_MarketingGG

Task 5: Inspect the contents of the Vancouver groups


1. In Active Directory Users and Computers, click the Users container in WoodgroveBank.com.
2. In the contents view area, right-click VAN_BranchManagersGG, and view its properties. Open the Members tab and observe that Neville Burdan and Suchitra Mohan are now members.

Result: At the end of this exercise, you will have created three new groups by using Active Directory Users and Computers, and one new group by using Dsadd. You also will have added users to the groups and inspected the results.


Exercise 2: Planning an OU Hierarchy (Discussion)


In this exercise, you will discuss and determine how to plan an OU hierarchy.

Scenario
A new subsidiary of Woodgrove Bank is located in Vancouver, Canada. It will have the following departments:
   Management
   Customer Service
   Marketing
   Investments

The OU hierarchy has to support delegation of administrative tasks to users within that organizational unit.

Discussion Questions
1. Which approach to extending the organizational hierarchy of WoodgroveBank.com is the most likely to be applied in creating the new subsidiary's resources: Geographic, Organizational, or Functional? Why?
2. What would be the most logical way to additionally subdivide the subsidiary's organizational unit (Geographic, Organizational, or Functional)?
3. What does the pattern of naming second-level OUs in other centers suggest for the new Vancouver OU?
4. What would be a simple but effective way of delegating administrative tasks (such as adding users and computers to the domain, and changing user properties such as password resets and employee contact details) to certain users within a department?

Result: At the end of this exercise, you will have discussed and determined how to plan an OU hierarchy.


Exercise 3: Creating an OU Hierarchy


In this exercise, you will use the output from the previous discussion to create an OU structure for the new Vancouver subsidiary of WoodgroveBank.com. You also will move users (see the list in this section) from other subsidiaries into groups, and add groups to the appropriate OUs. Additionally, you will populate the groups with the members of the corresponding departments, and update the descriptions of the user accounts that have been moved into the new subsidiary. The benefit of having OUs based on administrative units is in delegating administrative responsibilities to members of those units. You will create OUs in two ways:
   In Active Directory Users and Computers, by using the MMC snap-in
   At a command prompt, by using the Dsadd directory service command-line tool

The main tasks are as follows:
1. Create OUs using Active Directory Users and Computers.
2. Create an OU using Dsadd.
3. Nest an OU inside another OU.
4. Move groups that you created in Exercise 1 into the appropriate OUs.
5. Find and move users into Vancouver OUs.
6. Delegate control over an OU.
7. Test delegated user rights.
8. Close all virtual machines, and discard undo disks.

Task 1: Create OUs using Active Directory Users and Computers


1. On NYC-DC1, open Active Directory Users and Computers.
2. At the root level of WoodgroveBank.com, create a new OU called Vancouver.
3. Inside the Vancouver OU, create three OUs with the following names:
   BranchManagers
   CustomerService
   Marketing


Task 2: Create an OU using Dsadd


1. Click Start, click Run, and then type cmd to open a command-line window.
2. Type the following command on one line at the command prompt, and then press ENTER:

dsadd ou "ou=Investments,dc=WoodgroveBank,dc=com" -desc "Investment department" -d WoodgroveBank.com -u Administrator -p Pa$$w0rd

The description contains a space, so it must be quoted. Supplying the password with -p on the command line leaves it in the console history; outside the lab, use -p * so that Dsadd prompts for the password instead.

3. In Active Directory Users and Computers, refresh the WoodgroveBank.com domain object, and note the presence of the new OU.

Task 3: Nest an OU inside another OU


1. In Active Directory Users and Computers, refresh the object tree.
2. Move the new Investments OU from the WoodgroveBank.com domain level into the Vancouver OU. Click OK to dismiss the warning message.

Note: Moving an object between OUs carries a risk. Group Policy is linked to OUs and applied to the user and computer objects in them, so users and computers that are moved (including those inside an OU that you move) may lose settings that applied in the old location and pick up settings from the new one. Permissions that the object inherited from its old parent, including delegated administration, are replaced by those inherited from the new parent. By default, Active Directory Users and Computers warns you of this whenever you move an object between OUs.


Task 4: Move groups that you created in Exercise 1 into the appropriate OUs
1. In Active Directory Users and Computers, locate the remaining groups that you created in Exercise 1 for the new Vancouver subsidiary in the Users container of WoodgroveBank.com.
2. Move the following groups into the following Vancouver OUs:
   VAN_MarketingGG group to Vancouver\Marketing OU
   VAN_BranchManagersGG group to Vancouver\BranchManagers OU
   VAN_InvestmentsGG group to Vancouver\Investments OU
   VAN_CustomerServiceGG group to Vancouver\CustomerService OU

Note: There are several ways to move objects between OUs in Active Directory Users and Computers. You can use the Move command, drag the object into a new OU, or use the Cut and Paste commands.

Task 5: Find and move users into Vancouver OUs


Use Active Directory Users and Computers to find and move the following users into the OUs that the following table lists:

Find                 Move to Vancouver OU
Neville Burdan       BranchManagers
Suchitra Mohan       BranchManagers
Anton Kirilov        CustomerService
Shelley Dyck         CustomerService
Barbara Moreland     Investments
Nate Sun             Investments
Yvonne McKay         Marketing
Monika Buschmann     Marketing
Bernard Duerr        Marketing


Task 6: Delegate control over an OU


1. In Active Directory Users and Computers, select the Vancouver\Marketing OU, and open the Delegation of Control Wizard.
2. Add Yvonne McKay to the selected users and groups list, and then click Next.
3. Delegate to her the following common tasks:
   Create, delete, and manage user accounts
   Reset user passwords and force password change at next logon
   Create, delete and manage groups
   Modify the membership of a group
4. Click Next, and then click Finish.

Task 7: Test delegated user rights


1. On NYC-SVR1, log on with the account WoodgroveBank\Yvonne and the password Pa$$w0rd.
2. Start Server Manager as an Administrator. Provide the domain administrator credentials when prompted.
3. Install the Active Directory Domain Services Tools feature.

Note: This feature is under Remote Server Administration Tools.

4. When prompted, restart the computer and log on as Yvonne.
5. Start Server Manager as an Administrator, and let the installation complete.
6. Start Active Directory Users and Computers. Reset the password of Monika Buschmann using the password Pa$$w0rd again. You should see the following message: Password for Monika Buschmann has been changed.
7. Try to move a user from the Miami BranchManagers OU into the Vancouver BranchManagers OU. You should see the following message: Windows cannot move object [user name] because: Access denied. The move fails because moving an object requires the right to delete it from the source OU as well as the right to create it in the target OU, and Yvonne was delegated rights on neither Miami\BranchManagers nor Vancouver\BranchManagers.


Task 8: Close all virtual machines, and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6419A Lab Launcher.

Result: At the end of this exercise, you will have created OUs by using Active Directory Users and Computers and Dsadd. You also will have delegated administrative permissions and tested them.
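The same exercise (Tasks 1 to 7) scripted in Windows PowerShell, so that the OU tree, the moves and the delegation are repeatable and the delegated ACEs can be inspected without logging on as Yvonne. This is an added example, not code from the courseware, which performs these steps in Active Directory Users and Computers and Dsadd. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT), that the VAN_*GG groups from Exercise 1 exist in CN=Users, and that Yvonne McKay's sAMAccountName is Yvonne. Only two of the four wizard tasks are reproduced; the group tasks follow the same pattern with the group class and the member attribute. The user moves of Task 5 are omitted and follow the group-move loop with Get-ADUser in place of Get-ADGroup.

```powershell
# Added example (not from the 6419A courseware): Exercise 3 with the
# ActiveDirectory module. Names mirror the lab; "Yvonne" is an assumed
# sAMAccountName.
Import-Module ActiveDirectory

$domainDN = "DC=WoodgroveBank,DC=com"
$vanDN    = "OU=Vancouver,$domainDN"

# Tasks 1-3: the OU tree. New-ADOrganizationalUnit protects each OU from
# accidental deletion by default, and that flag also makes Move-ADObject fail
# with "Access is denied", so it is cleared on the sub-OUs the lab moves.
New-ADOrganizationalUnit -Name "Vancouver" -Path $domainDN
foreach ($name in "BranchManagers", "CustomerService", "Marketing", "Investments") {
    New-ADOrganizationalUnit -Name $name -Path $vanDN `
        -Description "$name department" -ProtectedFromAccidentalDeletion $false
}

# Task 4: move the Exercise 1 groups into their OUs.
$groupMoves = @{
    "VAN_MarketingGG"       = "Marketing"
    "VAN_BranchManagersGG"  = "BranchManagers"
    "VAN_InvestmentsGG"     = "Investments"
    "VAN_CustomerServiceGG" = "CustomerService"
}
foreach ($entry in $groupMoves.GetEnumerator()) {
    Get-ADGroup -Identity $entry.Key |
        Move-ADObject -TargetPath "OU=$($entry.Value),$vanDN"
}

# Task 6: the core ACEs behind two wizard tasks, "Reset user passwords and
# force password change at next logon" and "Create, delete, and manage user
# accounts" (the wizard adds further ACEs for "manage"). The GUIDs are read
# from the schema and the Extended-Rights container instead of hard-coding.
$rootDse = Get-ADRootDSE
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -Filter "lDAPDisplayName -eq '$ldapDisplayName'" -Properties schemaIDGUID
    [Guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -Filter "displayName -eq '$displayName'" -Properties rightsGuid
    [Guid]$obj.rightsGuid
}
$userClass  = Get-SchemaGuid "user"
$pwdLastSet = Get-SchemaGuid "pwdLastSet"
$resetPwd   = Get-ExtendedRightGuid "Reset Password"

$ouDN    = "OU=Marketing,$vanDN"
$trustee = (Get-ADUser -Identity "Yvonne").SID
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$toUsers = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$acl = Get-Acl -Path "AD:\$ouDN"
# Reset Password control-access right on user objects below the OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $trustee, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwd, $toUsers, $userClass)))
# Read/write pwdLastSet on user objects: "force password change at next logon".
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $trustee, [System.DirectoryServices.ActiveDirectoryRights]"ReadProperty, WriteProperty",
    $allow, $pwdLastSet, $toUsers, $userClass)))
# Create and delete user objects in this OU and its sub-OUs.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $trustee, [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
    $allow, $userClass, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Task 7 check: Yvonne's ACEs exist only on this OU and are scoped to user
# objects, so a move out of Miami\BranchManagers still ends in "Access denied".
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -eq "WOODGROVEBANK\Yvonne" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

Reading the GUIDs from the directory rather than pasting them keeps the script correct in a forest with a customized schema, and the final query is the one to run when auditing who has been delegated what on an OU.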


Module Review and Takeaways

Review Questions
1. You are responsible for managing accounts and access to resources for members of your group. A user in your group transfers into another department within the company. What should you do with the user's account?
2. A project manager in your department is starting a group project that will continue for the next year. Several users from your department and other departments will be dedicated to the project during this time. The project team must have access to the same shared resources. The project manager must be able to manage the user accounts and group accounts in AD DS. However, you do not want to give her permission to manage anything else in AD DS. What is the best way to do this?
3. You are responsible for maintaining access to local resources, such as printers, in your organization. You want to establish an efficient way to maintain printing permissions for the members of each work group, even though those members may change frequently. You also want to simplify the replacement of printers when one has to be taken offline for repairs or replaced with a new one. How can you do this with the least disruption and effort on your part?


4. You have decided to create a naming convention for all organizational units and groups. What considerations should you take into account as you set a pattern for naming new objects?
5. You take over the administration of your department's AD DS organizational unit. When you open Active Directory Users and Computers and view the OU, you notice that all groups and users exist at the same level. Groups that have names such as Ajax_account, SW_Colorado, Nancy, and New_Canon_printer exist side by side with computer accounts named New_IBM_1, 2, 3, etc., and a FileShare object named DO_NOT_OPEN. What should you do?
6. An employee in your company has transferred to another department. The user account was removed from all groups associated with the old department and added to groups associated with the new department. The user account also was moved into the new department's OU. After the transfer is complete, he informs you that he cannot access his files that are stored on a file server. What should you do?

Considerations for Managing AD DS Groups and OUs


When you manage AD DS groups and organizational units, consider the following:
   If your organization typically creates many groups or OUs simultaneously, explore using LDIFDE, CSVDE, or Windows PowerShell scripts to automate creating them. These tools can save you significant time when you are adding or modifying multiple AD DS objects.
   Consider delegating permissions to create and manage groups and OUs in your AD DS domain. You can delegate permissions at the domain or OU level.
   Keep the number of people to whom you delegate administrative control for creating and modifying groups or OUs to a minimum.
   Separate the various functional needs for administration among users by adding additional OUs, thereby separating their spheres of influence.

Managing Access to Resources in Active Directory Domain Services


Module 4
Managing Access to Resources in Active Directory Domain Services
Contents:
Lesson 1: Managing Access Overview                        4-3
Lesson 2: Managing NTFS File and Folder Permissions       4-11
Lesson 3: Assigning Permissions to Shared Resources       4-20
Lesson 4: Determining Effective Permission                4-33
Lab: Managing Access to Resources                         4-44


Module Overview

One of the primary reasons to deploy Active Directory Domain Services (AD DS) is to enable users to access shared resources on the network. The previous modules introduced users and groups as the primary way to enable access to those resources. This module describes how to configure shared folders so that those users and groups can gain access to the resources. Specifically, this module helps you learn the skills and knowledge necessary to:
   Understand how permissions enable resource access.
   Manage access to files and folders by using shared folder permissions, NTFS file system permissions, or special permissions.
   Manage permissions inheritance.


Lesson 1

Managing Access Overview

In order to manage access to resources, you must understand how Microsoft Windows operating systems use security principals and security tokens to allow access to resources. Then you must understand how permissions are applied to resources such as shared folders. This lesson provides the information that you need to manage access to resources.


What Are Security Principals?

Key Points
A security principal is an entity that a Windows operating system can authenticate, whether it is defined in AD DS or in a computer's local security database. Security principals include the following:
   User and computer accounts
   A thread or process that runs in the security context of a user or computer account
   Groups of the previous accounts


Every security principal is assigned a security identifier (SID) automatically when it is created. A SID has two components:
   Domain identifier. The domain identifier is the same for all security principals created in the domain.
   Relative identifier (RID). The relative identifier is unique to each security principal created in the domain.

Question: When a user is deleted and then recreated, they will be issued a new SID. What are the ramifications of this?


What Are Access Tokens?

Key Points
An access token is a protected object that contains information about the identity and rights associated with a user account.

How access tokens are created


When a user logs on and authentication succeeds, the logon process provides a SID that represents the user and a list of SIDs for the security groups of which the user is a member. The Local Security Authority (LSA) on the computer uses this information to create an access token that includes those SIDs and the list of rights that local security policy assigns to the user and to the user's security groups. Because the token is built at logon, a change to the user's group membership takes effect only after the user logs off and logs on again.


How access tokens are used to verify the user's rights
After the LSA creates the primary access token, a copy of the token is attached to every process and thread that executes on the user's behalf. Whenever a thread or process accesses a shared resource or tries to perform a system task that requires a user right, the operating system checks the access token associated with the thread to verify the user's access to the resource. Because that check compares SIDs rather than names, renaming a user or group does not change its access, whereas deleting and re-creating it does.

Question: When granting access to a resource, is it a best practice to assign the permission to a group SID or to a user SID?


What Are Permissions?

Key Points
Permissions define the type of access that is granted to a security principal for an object. When you assign permissions, you can:
   Explicitly apply permissions. When you apply permissions explicitly, you open the shared resource object directly and configure permissions on that object. You can apply permissions explicitly on folders or files.
   Configure permission inheritance. When you configure permissions on a folder, by default the permissions are inherited by all subfolders and files in that folder. You can accept the default inheritance or modify the default behavior by blocking permission inheritance or by assigning explicit permissions to lower-level folders or files.


   Accept implicitly applied permissions. If no permissions are assigned explicitly to an object for a particular user account, and no inherited permissions apply to the user account, the user is denied access to the object.

Question: List at least one way that administrators can easily maintain permissions on an object.


How Access Control Works

Key Points
Access control is the process of granting or denying a security principal's request to use a resource, and it is based on verifying the security principal's identity. All objects in AD DS, and all securable objects on a local computer or on the network, have a security descriptor that controls access to them. A security descriptor records who owns the object, who can access it and in what way (the discretionary access control list, or DACL), and which types of access are audited (the system access control list, or SACL).

Question: Which part of the security descriptor, the DACL or the SACL, plays the more critical role in security?


Lesson 2

Managing NTFS File and Folder Permissions

In addition to configuring access to shared folders by using shared folder permissions, you also can assign permissions by using NTFS permissions. The information in this lesson presents the skills and knowledge that you must have to manage access to files and folders by using NTFS permissions.


What Are NTFS Permissions?

Key Points
NTFS permissions specify which users, groups, and computers can access files and folders. NTFS permissions also dictate what users, groups, and computers can do with the contents of the file or folder. NTFS file permissions include:
   Read. Read the file, its attributes, and its permissions, and view the owner.
   Write. Write to the file, change its attributes, and view its permissions and owner.
   Read & Execute. Execute applications, plus all Read permissions.
   Modify. All the previous permissions, plus the ability to delete the file.
   Full Control. All the previous permissions, plus the ability to change permissions and take ownership of the file.


There are six basic NTFS folder permissions:
   Read. Read files, folders, and subfolders, read permissions, and view the owner.
   Write. Create new files and folders, view permissions and the owner, and change folder attributes.
   List Folder Contents. View files and subfolders.
   Read & Execute. Execute applications, plus all permissions of Read and List Folder Contents.
   Modify. All the previous permissions, plus the ability to delete the folder.
   Full Control. All the previous permissions, plus the ability to change permissions on the folder and take ownership.

Question: If an administrator wanted to prevent a user from viewing the permissions or the owner of a folder, which folder permission should be applied?


What Are Standard and Special Permissions?

Key Points
NTFS permissions fall into two categories: standard and special. Standard permissions are the most frequently assigned permissions. The permissions described in the previous topic are standard permissions. Special permissions give you a finer degree of control for assigning access to objects.

Question: Think of a situation where administrators may need to assign special permissions.


What Is NTFS Permissions Inheritance?

Key Points
By default, the permissions that you grant to a parent folder are inherited by its subfolders and files. A security principal that is inheriting permissions can have additional NTFS permissions assigned, but the inherited permissions cannot be removed until inheritance is blocked.

Blocking permission inheritance


The folder on which you prevent permissions inheritance becomes the new parent folder, and the subfolders and files that are contained in it inherit the permissions assigned to it. Permissions can be inherited only from a direct parent.


Administrators can also use the icacls.exe utility to reset or modify the permissions of a specific folder from the command line. For example, the following command sets the owner of a folder:

icacls.exe c:\folder_name /setowner "domain\user"

Question: List one or two ways permission inheritance can reduce administration time.


Demonstration: Configuring NTFS Permissions

Key Points
• Browse a directory, and view the standard permissions.
• View the advanced NTFS permissions.
• View permission inheritance.

Question: If you deny an NTFS permission to a group for a particular resource while allowing the same permission to another group for that resource, what will happen to the permissions of an individual who is a member of both groups?

Question: If a group added to a shared folder was given an NTFS permission of Allow for Write in the shared folder, and a Deny permission for Write in a nested folder, what would its effective permissions be in the two folders?


Effects on NTFS Permissions When Copying and Moving Files and Folders

Key Points
When you copy or move a file or folder, the permissions might change, depending on where you move the file or folder. You should understand the changes that the permissions undergo when they are copied or moved.

Copying a file
When you copy a file or folder from one folder to another folder, or from one partition to another partition, permissions for the files or folders might change. When you copy a file or folder:

• Within a single NTFS partition, the copy of the folder or file inherits the permissions of the destination folder.
• To a different NTFS partition, the copy of the folder or file inherits the permissions of the destination folder.


• To a non-NTFS partition, such as a file allocation table (FAT) partition, the copy of the folder or file loses its NTFS permissions, because non-NTFS partitions do not support NTFS permissions.

Moving a file
When you move a file or folder, permissions might change, depending on the permissions of the destination folder. When you move a file or folder:

• In the same NTFS partition, the folder or file keeps its original permissions. If the permissions of the new parent folder are changed later, the file or folder will inherit the new permissions. Permissions explicitly applied to the folder will be retained. Permissions previously inherited will be lost.
• To a different NTFS partition, the folder or file inherits the permissions of the destination folder. When you move a folder or file between partitions, Windows Server 2008 copies the folder or file to the new location and then deletes it from the old location.
• To a non-NTFS partition, the folder or file loses its NTFS permissions, because non-NTFS partitions do not support NTFS permissions.

Question: Provide one or two examples where moving files and folders within the same partition reduces administration time.
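The inheritance blocking described under "What Is NTFS Permissions Inheritance?" and the copy-versus-move behaviour described in this topic can both be observed from PowerShell. The script below is an added example and is not part of the course material: it builds a constructed folder tree under the temp directory, grants the local Users group an inheritable ACE on the parent, blocks inheritance on the child, then copies and moves a file into the child so that the Inherited column of each ACE can be compared with the rules in the text. Get-AceSource and Block-Inheritance are helper names chosen here, not Windows cmdlets; the icacls /inheritance switch mentioned in a comment is the one shipped with the Windows Server 2008 version of icacls. Run it as a local administrator in a test session.

```powershell
# Added example (not from the course): show whether each ACE on a path is explicit or
# inherited, block inheritance on a folder, and observe what a copy and a move do to
# the ACL. Every path below is constructed under $env:TEMP for the demonstration.

function Get-AceSource {
    param([Parameter(Mandatory = $true)][string] $Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        New-Object PSObject -Property @{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited     # $false means the ACE was set explicitly here
        }
    }
}

function Block-Inheritance {
    param([Parameter(Mandatory = $true)][string] $Path, [switch] $KeepInheritedAsExplicit)
    $acl = Get-Acl -Path $Path
    # SetAccessRuleProtection(isProtected, preserveInheritance): $true,$true copies the
    # inherited ACEs onto the folder as explicit ACEs; $true,$false discards them.
    $acl.SetAccessRuleProtection($true, [bool]$KeepInheritedAsExplicit)
    Set-Acl -Path $Path -AclObject $acl
    # Command-line equivalent: icacls $Path /inheritance:d  (or /inheritance:r to discard)
}

$root   = Join-Path $env:TEMP 'AclDemo'
$parent = Join-Path $root 'Parent'
$child  = Join-Path $parent 'Child'
$other  = Join-Path $root 'Other'
Remove-Item -Path $root -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path $child, $other | Out-Null

# Give Parent an explicit, inheritable ACE for the local Users group; Child inherits it.
$acl  = Get-Acl -Path $parent
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
    'BUILTIN\Users', 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $parent -AclObject $acl
Get-AceSource -Path $child | Format-Table Identity, Rights, Type, Inherited -AutoSize

# Child becomes a new inheritance root; the ACEs it inherited are kept as explicit ACEs.
Block-Inheritance -Path $child -KeepInheritedAsExplicit
Get-AceSource -Path $child | Format-Table Identity, Rights, Type, Inherited -AutoSize

# Copy versus move within one NTFS volume: compare the Inherited column of each result
# with the copy and move rules described in the text.
$src = Join-Path $other 'doc.txt'
'constructed sample content' | Set-Content -Path $src
Copy-Item -Path $src -Destination (Join-Path $child 'copied.txt')
Move-Item -Path $src -Destination (Join-Path $child 'moved.txt')
Get-AceSource -Path (Join-Path $child 'copied.txt') | Format-Table Identity, Rights, Type, Inherited -AutoSize
Get-AceSource -Path (Join-Path $child 'moved.txt')  | Format-Table Identity, Rights, Type, Inherited -AutoSize
```

The second Get-AceSource call is the one that shows the "new parent folder" effect: the Users ACE on Child changes from inherited to explicit once inheritance is blocked, which is exactly why it can no longer be removed from Parent's ACL but must be managed on Child.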


Lesson 3

Assigning Permissions to Shared Resources

Shared folders give users access to files and folders over a network. Users can connect to the shared folder over the network to access its folders and files. Shared folders can contain applications, public data, or a user's personal data. Using shared data folders provides a central location for users to access common files and makes it easier to back up the data that is contained in those files.


What Are Shared Folders?

Key Points
When you share a folder, it is made available to multiple users simultaneously over the network. As soon as they are granted permission, users can access all the files and subfolders in the shared folder. Most organizations deploy dedicated file servers to host shared folders. You can store files in shared folders according to categories or functions. For example, you can put shared files for the Sales department in one shared folder and shared files for executives in another. When you create a shared folder by using the Provision a Shared Folder Wizard in the Share and Storage Management console, or by using the File Sharing Wizard, you can configure the permissions assigned to each share as you create it.

Question: List at least one benefit of sharing folders across a network.


What Are Administrative Shared Folders?

Key Points
Windows Server 2008 automatically creates shared folders on computers running Windows that enable you to perform administrative tasks. These default administrative shares have a dollar sign ($) at the end of the share name. Appending the dollar sign to the end of the share name hides the shared folder from users who browse the network. Administrators can quickly administer files and folders on remote servers by using these hidden shared folders.

Question: List at least one benefit of having and creating your own hidden shares.


Shared Folder Permissions

Key Points
Shared folder permissions apply only to users who connect to the folder over the network. They do not restrict access for users who access the folder at the computer where the folder is stored. You can grant shared folder permissions to user accounts, groups, and computer accounts. By default, users have the same level of access to subfolders under a shared folder as they have on the parent folder.

Question: List at least one example of when an administrator might give Full Control to a folder.


Demonstration: Creating Shared Folders

Key Points
• Create two test directories, and populate each with a text file containing some data.
• Use Windows Explorer to create a share.
• Use the Share and Storage Management Microsoft Management Console (MMC) snap-in to create a hidden share.
• Use the Share and Storage Management snap-in to modify the share permissions.
• Test share access.

In Windows Server 2008, the only groups that can create shared folders are the Administrators, Server Operators, and Power Users groups. These groups are built-in groups that are located in the Groups folder in Computer Management or in the Builtin container in Active Directory Users and Computers.


Question: How do you apply sharing permissions to a folder?

Question: How would you begin to create a shared folder by using the Share and Storage Management MMC?

Question: Which tool would you use to create a shared folder?


Connecting to Shared Folders

Key Points
After you create a shared folder, users can access the folder over the network by using multiple methods. Users can access a shared folder on another computer by using:

• The Network window (in Microsoft Windows Server 2008 or Microsoft Windows Vista)
• My Network Places (in Microsoft Windows Server 2003 or Microsoft Windows XP)
• The Map Network Drive feature
• Searching AD DS
• The Run command on the Start menu


Administrators can also publish shared folders to Active Directory by using the Active Directory Users and Computers interface. Within an organizational unit, administrators can add a new Shared Folder object, making the share searchable through Active Directory. Users can also search Active Directory for shared folders from My Network Places in Windows XP and from the Network window in Windows Vista.

Windows Server 2008 turns on Access-based Enumeration by default on new shares. Access-based Enumeration hides folders and other shared resources that the user does not have rights to access, so users see only what they are permitted to open.

Note: The Computer Browser service is disabled by default in Windows Server 2008.

Question: List at least one benefit of accessing resources through mapped drives.


Demonstration: Managing Shared Folders

Key Points
• Create two test directories.
• Use Windows Explorer to create a share.
• Using the Share and Storage Management Microsoft Management Console (MMC) snap-in, create a hidden share.
• Modify the share permissions.

Question: What would happen if the user was editing the file but had not saved the changes, and then an administrator used the Close File feature?


Considerations for Using Shared Folders

Key Points
When you are managing access to shared folders, consider the following best practices when granting permissions:

• Use the most restrictive permissions possible. Do not grant more permissions for a shared folder than the users legitimately require. For example, if a user only has to read the files in a folder, grant Read permission for the folder to the user or to the group to which the user belongs.
• Avoid assigning permissions to individual users. Use groups whenever possible. Because it is inefficient to maintain permissions for user accounts directly, avoid granting permissions to individual users.


• Remember that Full Control lets users modify permissions. Assign Full Control permissions with caution, because any change to the existing permissions could affect security.
• Use the Authenticated Users or Domain Users group instead of the Everyone group, and remove the Everyone group (if present) from the shared folder's permissions list. Because the Everyone group includes Guests, using the Authenticated Users or Domain Users group limits access to the shared folder to authenticated users only, and helps prevent users or viruses from accidentally deleting or damaging data and application files.

Question: List one or two reasons why administrators should not leave the Everyone group in a share's permissions.
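Checking whether Everyone is still present on a share's permissions is something an administrator can script rather than open share by share. The following is an added example, not code from the course: it enumerates the disk shares on a computer through the Win32_Share and Win32_LogicalShareSecuritySetting WMI classes (both available on Windows Server 2008), decodes the three access masks that the Share Permissions dialog displays as Read, Change, and Full Control, and flags any entry whose trustee is the Everyone well-known SID S-1-1-0. Get-SharePermission is a name chosen for this example; run it as an administrator.

```powershell
# Added example (not from the course): list share-level permissions for every disk share
# on a computer and flag entries granted to Everyone (SID S-1-1-0).

# Access masks that the Share Permissions dialog displays as Read, Change and Full Control.
$ShareMaskNames = @{ 1179817 = 'Read'; 1245631 = 'Change'; 2032127 = 'Full Control' }

function Get-SharePermission {
    param([string] $ComputerName = $env:COMPUTERNAME)
    # Type 0 = ordinary disk share; this skips IPC$, printer shares and C$/ADMIN$.
    $shares = Get-WmiObject -Class Win32_Share -ComputerName $ComputerName |
        Where-Object { $_.Type -eq 0 }
    foreach ($share in $shares) {
        $setting = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
            -ComputerName $ComputerName -Filter "Name='$($share.Name)'"
        if ($setting -eq $null) { continue }
        $dacl = $setting.GetSecurityDescriptor().Descriptor.DACL
        foreach ($ace in $dacl) {
            $mask  = [int]$ace.AccessMask
            $level = $ShareMaskNames[$mask]
            if (-not $level) { $level = '0x{0:X}' -f $mask }   # non-standard mask: show it raw
            $trustee = $ace.Trustee.Name
            if ($ace.Trustee.Domain) { $trustee = "$($ace.Trustee.Domain)\$trustee" }
            $type = 'Allow'
            if ($ace.AceType -eq 1) { $type = 'Deny' }          # 1 = ACCESS_DENIED_ACE_TYPE
            New-Object PSObject -Property @{
                Share    = $share.Name
                Path     = $share.Path
                Trustee  = $trustee
                Type     = $type
                Level    = $level
                Everyone = ($ace.Trustee.SIDString -eq 'S-1-1-0')
            }
        }
    }
}

# Shares that still list Everyone on the share ACL are the ones to revisit first.
Get-SharePermission | Where-Object { $_.Everyone } |
    Format-Table Share, Path, Trustee, Type, Level -AutoSize
```

Matching on the SID rather than on the name "Everyone" keeps the check correct on servers with a non-English locale, where the group's display name differs. The same function without the Where-Object filter gives a full share-permission inventory that can be kept with the documentation the module recommends.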


Offline File Configuration and Deployment

Key Points
Offline files are available in Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008:

• Select a folder at a network location, synchronize it, and then disconnect the computer. Users can set up a folder that will be taken offline by selecting it and synchronizing it with the network files.
• Make edits to documents on the disconnected computer. After the folder is taken offline, the user can make edits to any of the documents in the folder. The changes are made locally and can only be seen by the person making the changes until the files are synchronized again.


• Reconnect the computer to the network to update the changes. Users must reconnect their computer to the network in order to update any changes that were made locally.
• Files are synchronized automatically. Once the folder is connected to the network again, Windows synchronizes the folder and its contents with the server version, ensuring that the folder is up to date.

Question: List at least one example of how offline files are useful.


Lesson 4

Determining Effective Permission

You can assign user access to a shared folder by using shared folder permissions or NTFS permissions. You also can assign permissions to individual user accounts or group accounts. To determine what level of access the user actually has on the network, you must understand how effective permissions are determined and how you can view effective permissions.


What Are Effective NTFS Permissions?

Key Points
Windows Server 2008 provides a tool (the Effective Permissions tool) that shows effective permissions, which are cumulative permissions based on group membership. The following principles determine effective permissions:

• Cumulative permissions are the combination of the highest NTFS permissions granted to the user and to all the groups of which the user is a member. For example, if a user is a member of a group that has Read permission and of a group that has Modify permission, the user has Modify permission.
• Explicit Deny permissions override equivalent Allow permissions. However, an explicit Allow permission can override an inherited Deny permission. For example, if a user is explicitly denied write access to a folder but explicitly allowed write access to a subfolder or a particular file, the explicit Allow on the subfolder or file overrides the Deny inherited from the folder.


• Permissions can be applied to a user or a group. Assigning permissions to groups is preferred because it is more efficient than managing the permissions of many individuals.
• NTFS file permissions take priority over folder permissions. For example, if a user has Modify permission on a folder but only Read permission on certain files in that folder, the effective permission for those files is Read.
• Every object in an NTFS volume or in Active Directory has an owner. The owner controls how permissions are set on the object and to whom permissions are granted. For example, a user can create a file in a folder where the user typically has Modify permission. However, because that user created the file, the user owns it and can change its permissions. The user then can grant himself Full Control over the file.

Question: Provide at least one example of how cumulative permissions benefit administrators.
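The rules above (cumulative Allow across groups, explicit Deny over Allow, explicit Allow over inherited Deny) all follow from the order in which Windows evaluates a canonical DACL: explicit Deny entries first, then explicit Allow, then inherited Deny, then inherited Allow, with the first entry that matches both the principal and the requested right deciding the outcome. The script below is an added example and not code from the course or a Windows API: Resolve-EffectiveAccess is a small model of that walk over constructed ACE records, and New-Ace is a helper for building them. Rights are treated as independent tokens in the model (it does not expand Modify into the rights it contains), which is enough to reproduce the examples in the text.

```powershell
# Added example (not from the course): a simplified model of how Windows evaluates a
# DACL in canonical order, used to reproduce the effective-permission rules above.
# The ACEs and identities are constructed for the demonstration.

function Resolve-EffectiveAccess {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Aces,       # constructed ACE records
        [Parameter(Mandatory = $true)] [string[]] $Identities, # the user plus every group it belongs to
        [Parameter(Mandatory = $true)] [string[]] $Rights      # the rights to evaluate
    )
    # Canonical DACL order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    $ordered = $Aces | Sort-Object -Property @{ Expression = {
        $rank = 0
        if ($_.Inherited) { $rank += 2 }
        if ($_.Type -eq 'Allow') { $rank += 1 }
        $rank } }
    $granted = @()
    foreach ($right in $Rights) {
        $decision = 'Deny'     # no matching ACE at all means the right is implicitly denied
        foreach ($ace in $ordered) {
            if (($Identities -contains $ace.Identity) -and ($ace.Rights -contains $right)) {
                $decision = $ace.Type   # the first matching ACE in canonical order decides
                break
            }
        }
        if ($decision -eq 'Allow') { $granted += $right }
    }
    return $granted
}

function New-Ace {
    param([string] $Identity, [string] $Type, [string[]] $Rights, [bool] $Inherited)
    New-Object PSObject -Property @{ Identity = $Identity; Type = $Type; Rights = $Rights; Inherited = $Inherited }
}

# User1 is a member of Users and Sales. On Folder1, Users has Allow Read and Sales has
# Allow Modify (spelled out here as Read, Write, Modify); File2 inherits both ACEs.
$identities = 'User1', 'Users', 'Sales'
$inherited = @(
    (New-Ace -Identity 'Users' -Type 'Allow' -Rights 'Read' -Inherited $true),
    (New-Ace -Identity 'Sales' -Type 'Allow' -Rights 'Read', 'Write', 'Modify' -Inherited $true)
)

# Case 1: Folder1 also carries Deny Write for Sales, which File2 inherits, and an
# administrator sets an explicit Allow Write for User1 directly on File2.
$case1 = $inherited + @(
    (New-Ace -Identity 'Sales' -Type 'Deny'  -Rights 'Write' -Inherited $true),
    (New-Ace -Identity 'User1' -Type 'Allow' -Rights 'Write' -Inherited $false)
)
Resolve-EffectiveAccess -Aces $case1 -Identities $identities -Rights 'Read', 'Write', 'Modify'

# Case 2: the same Deny Write for Sales, but set explicitly on File2 itself.
$case2 = $inherited + @(
    (New-Ace -Identity 'Sales' -Type 'Deny'  -Rights 'Write' -Inherited $false),
    (New-Ace -Identity 'User1' -Type 'Allow' -Rights 'Write' -Inherited $false)
)
Resolve-EffectiveAccess -Aces $case2 -Identities $identities -Rights 'Read', 'Write', 'Modify'
```

In case 1 the explicit Allow for User1 is ordered before the inherited Deny for Sales, so Write is granted alongside Read and Modify from the groups. In case 2 both Write entries are explicit, the Deny sorts first and wins, and only Read and Modify remain. This is the behaviour the Effective Permissions tool reports for a real file, and the reason the module advises using Deny only when necessary.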


Discussion: Applying NTFS Permissions

In this discussion, you are presented with a scenario in which you are asked to apply NTFS permissions. You and your classmates will discuss possible solutions to the scenario.

Scenario
User1 is a member of the Users group and the Sales group. The graphic on the slide shows folders and files on the NTFS partition.

Question: The Users group has Write permission, and the Sales group has Read permission for Folder1. What permissions does User1 have for Folder1?


Question: The Users group has Read permission for Folder1. The Sales group has Write permission for Folder2. What permissions does User1 have for File2?

Question: The Users group has Modify permission for Folder1. File2 should be accessible only to the Sales group, and they should only be able to read File2. What do you do to ensure that the Sales group has only Read permission for File2?


Demonstration: Evaluating Effective Permissions

Key Points
• Open a directory, and assign permissions to a user.
• Use the Effective Permissions tool.
• Deny the user a permission.

Question: Can the Effective Permissions tool return the actual permissions of a user?


Effects of Combining Shared Folder and NTFS Permissions

Key Points
When enabling access to network resources on an NTFS volume, it is recommended that you use the most restrictive NTFS permissions to control access to folders and files, combined with the most restrictive shared folder permissions that control network access.

Question: Provide at least one consideration an administrator must acknowledge before combining shared folder and NTFS permissions.


Discussion: Determining Effective NTFS and Shared Folder Permissions

In this discussion, you will determine effective NTFS and shared folder permissions.

Scenario
The figure shows two shared folders that contain folders or files that have NTFS permissions. Look at each example, and determine a user's effective permissions. In the first example, the Users folder has been shared, and the Users group has the shared folder permission Full Control. User1, User2, and User3 have each been granted the NTFS permission Full Control to their own folder only. These users are all members of the Users group.


Question: Discuss what the effective permissions are for User1, User2, and User3. Can User1 take full control of User2's directory? Why? How does using the share permission together with the NTFS permission prevent users from accessing other users' directories?

Question: You have shared the Data folder to the Sales group. Within the Data directory, you have given the Sales group Full Control over the Sales folder. When users in the Sales group try to save a file in the \Data\Sales directory, they get an access denied error. Why? What permission needs to be changed, and why?


Considerations for Implementing NTFS and Shared Folder Permissions

Key Points
Here are several considerations to make administering permissions more manageable:

1. Grant permissions to groups instead of users. Groups can always have individuals added or removed, while permissions assigned on a case-by-case basis are difficult to track.
2. Use Deny permissions only when necessary. Because Deny permissions are inherited exactly like Allow permissions, assigning Deny permissions to a folder can result in users not being able to access files lower in the folder structure. Deny permissions should be assigned in the following situations:
   • To exclude a subset of a group that has Allow permissions.
   • To exclude one permission when you have already granted Full Control permissions to a user or group.
3. Never deny the Everyone group access to an object. If you deny Everyone access to an object, you deny administrators access. Instead, we recommend that you remove the Everyone group, as long as you grant permissions for the object to other users, groups, or computers.
4. Grant permissions to an object that is as high in the folder tree as possible, so that the security settings are propagated throughout the tree. For example, instead of bringing groups representing all departments of the company together into a Read folder, assign Domain Users (which is a default group for all user accounts in the domain) to the share. In this manner, you eliminate the need to update department groups before new users receive access to the shared folder.
5. Use NTFS permissions instead of shared folder permissions for fine-grained access. Configuring both NTFS and shared folder permissions can be difficult. Consider assigning the most restrictive permissions for a group that contains many users at the shared folder level, and then using NTFS permissions to assign more specific permissions.

Question: List one or two examples of best practices that you have implemented when assigning shared folder or NTFS permissions in your organization.


Lab: Managing Access to Resources

Scenario
Woodgrove Bank is an enterprise that has offices located in several cities throughout the world. Woodgrove Bank has deployed AD DS in Windows Server 2008. They have recently opened a new subsidiary in Toronto, Canada. As a network administrator assigned to the new subsidiary, one of your primary tasks will be to create and manage access to resources, including the shared folder implementation. For example, groups that mirror the departmental organization of the bank need shared file storage areas. You must also have shared folders to enable files to be shared during special projects between departments.


Exercise 1: Planning a Shared Folder Implementation (Discussion)


In this exercise, you will discuss and determine the best solutions for a shared folder implementation.

Discussion Questions:
1. The Woodgrove Bank Toronto subsidiary has an organizational hierarchy, as outlined by its organizational units (OUs), that supports the activities of its four departments: Marketing, Investments, Management, and Customer Service. Each department has groups populated with the employees in that department. How could you give each department separate file-sharing spaces?
2. All members of the Toronto subsidiary must be able to read documents posted by management about topics such as staffing, targets and projections, and company news. To create a series of folders that will make this information available to all employees in the subsidiary, and to managers from other parts of the Woodgrove Bank, what sorts of groups would be needed? What sorts of permissions would each require? What sorts of folder structures might be needed?
3. A task force on reducing the subsidiary's carbon footprint (that is, its negative impact on the natural environment) is collecting data from various departments. They plan to keep the information private until they can publish a report. How can individuals from various departments have contributing status while restricting access to those outside their project?

Result: At the end of this exercise, you will have discussed and determined solutions for a shared folder implementation.


Exercise 2: Implementing a Shared Folder Implementation


In this exercise, you will create the shared folder implementation based on the discussion in the previous exercise. The main tasks are as follows:
1. Start the virtual machines, and then log on.
2. Create four new folders by using Windows Explorer.
3. Set share permissions for the folders.
4. Create a shared folder for all Domain Users by using the Share and Storage Management Microsoft Management Console (MMC).
5. Create a new group and shared folder for an interdepartmental project.

Task 1: Start the virtual machines, and then log on


1. Click the 6419A Lab Launcher shortcut on your desktop. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
4. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Create four new folders by using Windows Explorer


1. On NYC-DC1, open Windows Explorer.
2. On drive C, create folders named:
   • Marketing
   • Managers
   • Investments
   • CustomerService


Task 3: Set share properties for the folder


1. Right-click the Marketing folder, and then click Share.
2. In the File Sharing dialog box, type TOR_MarketingGG, and then click Add.
3. Change the permission level to Contributor, and then click Share.
4. Repeat creating shares for each of the remaining folders, assigning the following groups and the same permission level:
   • TOR_BranchManagersGG (Managers folder)
   • TOR_InvestmentsGG (Investments folder)
   • TOR_CustomerServiceGG (CustomerService folder)

Task 4: Create another shared folder by using Share and Storage Management MMC
1. On the Start menu, in Administrative Tools, click Share and Storage Management.
2. Start the Provision a Shared Folder Wizard.
3. Click the Browse button. In the Browse Folder window, create a new folder named CompanyNews on the C drive.
4. Do not change any other settings, but click Next all the way through to the Create button.
5. Click Create, and then click Close.
6. In the Shares list of the Share and Storage Management MMC, right-click CompanyNews, and then click Properties.
7. On the Permissions tab, click Share Permissions. Add the Domain Users group, and notice that their permission is set to Read. Add the TOR_BranchManagersGG group, and give them Full Control permissions.
8. Finish the Permissions settings, and exit the Share and Storage Management MMC.


Task 5: Create a new group and shared folder for an interdepartmental project
1. Open the Active Directory Users and Computers MMC.
2. Click the Toronto OU, and add a new global security group named TOR_SpecialProjectGG.
3. Expand the following Toronto OUs, and use the Add to group command to add the users listed in the following table:

   Toronto OU         Name
   Investment         Aaron Con
   Marketing          Aidan Delaney
   Branch Managers    Sven Buck
   Customer Service   Dorena Paschke

4. Close Active Directory Users and Computers.
5. Create a new folder in drive C, and name it SpecialProjects.
6. Share the folder, adding the TOR_SpecialProjectGG group with the Contributor permission level.
7. Click Share.

Task 6: Block inheritance of a folder in a shared folder


1. Open the SpecialProjects folder.
2. Create a new folder called Unshared.
3. Change the properties of Unshared by removing the inheritable permissions.
4. Give permissions back to the Administrator.
Result: At the end of this exercise, you will have created a shared folder implementation.
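Tasks 2 through 6 of this exercise can also be performed from an elevated PowerShell prompt on NYC-DC1, which is useful when the same share layout has to be reproduced on another server. The script below is an added example, not part of the lab: it uses net share, icacls, dsadd and dsmod, all of which ship with Windows Server 2008. The NetBIOS domain name and the distinguished names of the Toronto OUs are placeholders, since the lab does not state them; the Contributor level that the File Sharing dialog applies is implemented here as Change on the share plus Modify in NTFS. The icacls /inheritance switch requires the Windows Server 2008 version of icacls.

```powershell
# Added example (not from the course): script the folder, share and group creation of
# Exercise 2. $Domain and $BaseDN are placeholders; replace them with the lab's values.
$Domain = 'WOODGROVEBANK'                       # placeholder NetBIOS domain name
$BaseDN = 'OU=Toronto,DC=woodgrovebank,DC=com'  # placeholder DN of the Toronto OU

# Tasks 2 and 3: one folder per department, shared at Contributor level, which is
# Change on the share and Modify (inherited by contents) on the NTFS ACL.
$departmentShares = @{
    'Marketing'       = 'TOR_MarketingGG'
    'Managers'        = 'TOR_BranchManagersGG'
    'Investments'     = 'TOR_InvestmentsGG'
    'CustomerService' = 'TOR_CustomerServiceGG'
}
foreach ($folder in $departmentShares.Keys) {
    $path  = "C:\$folder"
    $group = "$Domain\$($departmentShares[$folder])"
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    icacls $path /grant "${group}:(OI)(CI)M" | Out-Null          # NTFS Modify
    net share "$folder=$path" "/grant:$group,CHANGE" | Out-Null  # share-level Change
}

# Task 4: CompanyNews is readable by every domain user; branch managers get Full Control.
New-Item -ItemType Directory -Path 'C:\CompanyNews' -Force | Out-Null
net share 'CompanyNews=C:\CompanyNews' "/grant:$Domain\Domain Users,READ" `
    "/grant:$Domain\TOR_BranchManagersGG,FULL" | Out-Null

# Task 5: the interdepartmental group, its members from the table above, and its share.
dsadd group "CN=TOR_SpecialProjectGG,$BaseDN" -secgrp yes -scope g
$members = "CN=Aaron Con,OU=Investment,$BaseDN",
           "CN=Aidan Delaney,OU=Marketing,$BaseDN",
           "CN=Sven Buck,OU=Branch Managers,$BaseDN",
           "CN=Dorena Paschke,OU=Customer Service,$BaseDN"
dsmod group "CN=TOR_SpecialProjectGG,$BaseDN" -addmbr $members
New-Item -ItemType Directory -Path 'C:\SpecialProjects' -Force | Out-Null
icacls 'C:\SpecialProjects' /grant "$Domain\TOR_SpecialProjectGG:(OI)(CI)M" | Out-Null
net share 'SpecialProjects=C:\SpecialProjects' "/grant:$Domain\TOR_SpecialProjectGG,CHANGE" | Out-Null

# Task 6: Unshared becomes its own inheritance root with only Administrators on it.
New-Item -ItemType Directory -Path 'C:\SpecialProjects\Unshared' -Force | Out-Null
icacls 'C:\SpecialProjects\Unshared' /inheritance:r | Out-Null     # drop inherited ACEs
icacls 'C:\SpecialProjects\Unshared' /grant 'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
```

After the script runs, Exercise 3 can be carried out unchanged: Sven (a branch manager) can create files in CompanyNews, while Dorena can read them but not write, and both can contribute to SpecialProjects but not open Unshared.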


Exercise 3: Evaluating the Shared Folder Implementation


In this exercise, you will verify that the shared folder implementation meets the security requirements provided in the documentation. You will log on as some of the users to make sure that they have the required level of access. The main tasks are as follows:
1. Log on to NYC-CL1 as Sven.
2. Check the permissions for Company News.
3. Check the permissions of the interdepartmental share Special Projects.
4. Close all virtual machines, and discard undo disks.

Task 1: Log on to NYC-CL1 as Sven


Log on to NYC-CL1 as Sven, with the password Pa$$w0rd.

Task 2: Check the permissions for Company News


1. After you are logged on as Sven, open the Company News folder and create a text file. Name it News.txt.
2. Create a folder named News, and drag News.txt into it.
3. Close the Company News window and log off.

Task 3: Check permissions of interdepartmental share Special Projects


1. Log on as Dorena with the password Pa$$w0rd.
2. Open the Special Project volume and create a text document.
3. Try to open Company News. Open the News.txt file inside the News folder.
4. Log off as Dorena.


Task 4: Close all virtual machines, and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes. Click OK.
3. Close the 6419A Lab Launcher.
Result: At the end of this exercise, you will have verified that the shared folder implementation meets security requirements.


Module Review and Takeaways

Review Questions
1. What is the role of ACLs in granting access to resources on an AD DS network?
2. How do DACLs differ from SACLs?
3. What happens to the shared folder configuration when you copy or move a shared folder from one hard disk to another on the same server? What happens to the shared folder configuration when you copy or move the shared folder to another server?
4. You have to assign permissions to a shared folder so that all users in your organization can read the contents of the folder. Which of these approaches would be the best way to do this: accept the default permissions, assign Read permissions to the folder for the Domain Users group, or add groups representing whole departments? How would this configuration change if your organization had multiple domains?
5. When moving a folder in an NTFS partition, what permissions are required over the source file or folder and over the destination folder?
6. What is the best way to create a shared folder that needs to be accessed by users who are situated in two domains?

Considerations for Managing Shared Folders and NTFS Permissions


When you manage AD DS shared folders and NTFS permissions, consider the following:

• Consider delegating permissions to create and manage shared folders in your AD DS domain. You can delegate permissions to groups in the NTFS security settings at the appropriate level of the shared folder hierarchy.
• When allowing access to network resources on an NTFS volume, we recommend that you use the most restrictive NTFS permissions to control access to folders and files, combined with the most restrictive shared folder permissions that control network access.
• Document your shared folder and permissions configuration. The shared folder configuration can become very complex over time as users or departments request new shared folders for many reasons. Without documentation, it can be difficult to manage and troubleshoot file access issues.
• All shared folders should be part of your regular backup process. The data that is stored in the shared folders is usually important to your organization. Therefore, you must make sure that you can recover it if a server fails.


Module 5
Configuring Active Directory Objects and Trusts
Contents:
Lesson 1: Delegate Administrative Access to Active Directory Objects   5-3
Lab A: Configuring Active Directory Delegation   5-12
Lesson 2: Configure Active Directory Trusts   5-16
Lab B: Configuring Active Directory Trusts   5-24


Module Overview

After the initial deployment of Active Directory Domain Services (AD DS), the most common tasks for an AD DS administrator are configuring and managing AD DS objects. In most organizations, each employee is issued a user account, which is added to one or more groups in AD DS. The user and group accounts enable access to Windows Server-based network resources such as Web sites, mailboxes, and shared folders. This module describes how to perform many of these administrative tasks, and options available for delegating or automating these tasks. This module also describes how to configure and manage Active Directory trusts.


Lesson 1:

Delegate Administrative Access to Active Directory Objects

One of the options available for effectively administering Microsoft Windows Server 2008 AD DS is to delegate some administrative tasks to other administrators or users. By delegating control, you can enable these users to perform specific Active Directory management tasks without granting them more permissions than they need.


Active Directory Object Permissions

Key Points
Active Directory object permissions secure resources by enabling you to control which administrators or users can access individual objects or object attributes, and to control the type of access they have. You use permissions to assign privileges for administrators to manage an organizational unit or a hierarchy of organizational units, and the Active Directory objects contained within those organizational units. Denied permissions take precedence over any permission that you otherwise allow to user accounts and groups. You should use Deny permissions explicitly only when it is necessary to remove a permission that a user is granted by being a member of a particular group. When permission to perform an operation is not allowed, it is implicitly denied.


Special permissions allow you to set permissions on a particular class of object or individual attributes of an object class. For example, you could grant a user Full Control over the group object class in a container, just grant the user the ability to modify group memberships in a container, or just grant the user the permissions needed to change a single attribute, such as the phone number, on all user accounts.

Inherited permissions are those that are propagated to an object from a parent object. For example, if you assign permissions at an OU level, by default, all of those permissions are inherited by objects inside the OU. Explicit permissions take precedence over inherited permissions, even inherited Deny permissions.
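To see these precedence rules on a real object, the following added PowerShell example (not course material) reads an OU's DACL through System.DirectoryServices, which is present on Windows Server 2008 without any extra module, and lists the ACEs in the order the security subsystem evaluates them. The OU name is an assumption taken from the lab environment.

```powershell
# Added example: show an AD DS object's ACEs in evaluation order.
# Assumed object: the Toronto OU from the lab environment.
param([string]$ObjectDn = "OU=Toronto,DC=WoodgroveBank,DC=com")

# Rank an ACE the way a canonical DACL is ordered:
# explicit Deny (0), explicit Allow (1), inherited Deny (2), inherited Allow (3).
# Access checking walks the DACL in this order, so a Deny that appears before an
# Allow wins for the rights it covers; that is why an explicit Allow beats an
# inherited Deny and an explicit Deny beats everything.
function Get-AceRank {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    $isDeny = ($Ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny)
    if (-not $Ace.IsInherited) { if ($isDeny) { 0 } else { 1 } }
    else                       { if ($isDeny) { 2 } else { 3 } }
}

function Get-OrderedDacl {
    param([string]$Dn)
    $entry = [ADSI]"LDAP://$Dn"
    # $true,$true: include explicit and inherited ACEs; trustees are reported as DOMAIN\name.
    # If a SID cannot be translated, pass [System.Security.Principal.SecurityIdentifier] instead.
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $rules | Sort-Object { Get-AceRank $_ } | ForEach-Object {
        New-Object PSObject -Property @{
            Rank       = Get-AceRank $_
            Trustee    = $_.IdentityReference.Value
            Type       = $_.AccessControlType
            Inherited  = $_.IsInherited
            Rights     = $_.ActiveDirectoryRights
            # ObjectType narrows the ACE to one attribute, property set or extended right;
            # an all-zero GUID means the ACE covers the whole object.
            ObjectType = $_.ObjectType
            AppliesTo  = $_.InheritanceType
        }
    }
}

# Report trustees that carry both Allow and Deny ACEs on this object. Whether they
# really conflict depends on the rights and ObjectType overlapping, so this is a
# list of places to inspect, not a verdict on effective access.
function Find-MixedTrustees {
    param([object[]]$OrderedDacl)
    $OrderedDacl | Group-Object Trustee | Where-Object {
        ($_.Group | Where-Object { $_.Type -eq 'Deny' }) -and
        ($_.Group | Where-Object { $_.Type -eq 'Allow' })
    } | ForEach-Object {
        $first = $_.Group | Sort-Object Rank | Select-Object -First 1
        "{0}: Allow and Deny ACEs present; first in evaluation order is {1} (inherited: {2})" -f $_.Name, $first.Type, $first.Inherited
    }
}

$dacl = @(Get-OrderedDacl -Dn $ObjectDn)
$dacl | Format-Table Rank, Trustee, Type, Inherited, Rights, AppliesTo -AutoSize
Find-MixedTrustees -OrderedDacl $dacl
```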

Question: What are the risks of using special permissions to assign AD DS permissions?
Question: What permissions would a user have on an object if you granted them Full Control permission and denied the user Write access?


Demonstration: Active Directory Domain Services Object Permission Inheritance

Key Points
• Enable the Advanced view in Active Directory Users and Computers.
• Disable permission inheritance by child items.
• View the Effective Permissions for the object.

Question: What would happen to an object's permissions if you moved the object from one OU to another and the OUs had different permissions applied?
Question: What would happen if you removed all permissions from an OU when you blocked inheritance and did not assign any new permissions?


What Are Effective Permissions?

Key Points
Accessible from an object's advanced properties settings, the Effective Permissions tool helps you to determine the permissions for an Active Directory object. This tool calculates the permissions that are granted to the specified user or group, and takes into account the permissions that are in effect from group memberships and any permission inherited from parent objects.

Question: When retrieving effective permissions, accurate retrieval of information requires permission to read the membership information. If the specified user or group is a domain object, what type of permissions does a Domain Administrator need to have to read the object's group information on the domain? What about a Local administrator and an Authenticated domain user?


What Is Delegation of Control?

Key Points
Delegation of control is the ability to assign management responsibility of Active Directory objects to another user or group. Delegated administration helps to ease the administrative burden of managing your network by distributing routine administrative tasks to multiple users. With delegated administration, you can assign basic administrative tasks to regular users or groups. For example, you could give OU administrators the right to add or remove user or computer objects, or an administrative assistant the right to reset passwords. By delegating administration, you give groups in your organization more control of their local network resources. You also help secure your network from accidental or malicious damage by limiting the membership of administrator groups.


The Delegation of Control Wizard

You can define the delegation of administrative control in the following four ways:
• Grant permissions to create or modify all objects in a specific organizational unit or in the domain.
• Grant permissions to create or modify some types of objects in a specific organizational unit or at the domain level.
• Grant permissions to create or modify a specific object in a specific organizational unit or at the domain level.
• Grant permissions to modify specific attributes of an object (such as granting the permission to reset passwords on a user account) in a specific organizational unit or at the domain level.


Discussion: Scenarios for Delegating Control

Discussion Questions
What are the benefits of delegating administrative permissions?
How would you use delegation of control in your organization?

Discuss these scenarios with the classroom, led by your instructor.


Demonstration: Configuring Delegation of Control

Key Points
• Use the Delegation of Control Wizard to delegate permissions to manage user and computer accounts.
• Use the Delegation of Control Wizard to delegate the administration of individual attributes.
• Use a Microsoft Windows PowerShell script to delegate the Password Reset task.
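As an added example (not the demonstration script from the course), the following PowerShell code performs the same delegation the Delegation of Control Wizard does for the "Reset user passwords and force password change at next logon" task, written against System.DirectoryServices so that it runs on Windows Server 2008 without the later ActiveDirectory module. The OU and group names are assumptions taken from the lab.

```powershell
# Added example: delegate the "Reset user passwords and force password change at
# next logon" task on an OU without the Delegation of Control Wizard.
# Assumed names from the lab: the Toronto OU and the Tor_CustomerServiceGG group.
param(
    [string]$OuDn    = "OU=Toronto,DC=WoodgroveBank,DC=com",
    [string]$Trustee = "WOODGROVEBANK\Tor_CustomerServiceGG"
)

# Schema identifiers used by the ACEs (fixed values from the AD DS schema, not assumptions):
$UserClassGuid     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of the user class
$PwdLastSetGuid    = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of pwdLastSet
$ResetPasswordGuid = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # rightsGuid of Reset Password

function New-DelegationRule {
    param(
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType
    )
    # Descendents + user class: the ACE applies to user objects below the OU,
    # not to the OU itself and not to groups or computers inside it.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid)
}

function Grant-ResetPasswordTask {
    param([string]$OuDn, [string]$Trustee)
    $sid = (New-Object System.Security.Principal.NTAccount($Trustee)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $ou = [ADSI]"LDAP://$OuDn"

    # 1. The Reset Password extended right on user objects
    $resetRule = New-DelegationRule -Sid $sid `
        -Rights ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) `
        -ObjectType $ResetPasswordGuid
    # 2. Read and write pwdLastSet, which "User must change password at next logon" sets to 0
    $pwdRights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $pwdRule = New-DelegationRule -Sid $sid -Rights $pwdRights -ObjectType $PwdLastSetGuid

    $ou.ObjectSecurity.AddAccessRule($resetRule)
    $ou.ObjectSecurity.AddAccessRule($pwdRule)
    $ou.CommitChanges()

    # Read back only the explicit ACEs for this trustee so the result can be verified
    $ou.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $sid } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType
}

Grant-ResetPasswordTask -OuDn $OuDn -Trustee $Trustee
```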


Lab A: Configuring Active Directory Delegation

Scenario
To optimize the use of AD DS administrator time, Woodgrove Bank would like to delegate some administrative tasks to interns and junior administrators. These administrators will be granted access to manage user and group accounts in different OUs. User accounts must also be configured with a standard configuration. The organization also requires AD DS groups that will be used to assign permissions to a variety of network resources. The organization would like to automate the user and group management tasks and delegate some administrative tasks to junior administrators.


Exercise 1: Delegating Control of AD DS Objects


In this exercise, you will delegate control of AD DS objects to other administrators. You will also test the delegated permissions to ensure that administrators can perform the required actions, but cannot perform other actions. Woodgrove Bank has decided to delegate administrative tasks for the Toronto office. In this office, the branch managers must be able to create and manage user and group accounts. The customer service personnel must be able to reset user passwords and configure some user information, such as phone numbers and addresses.

The main tasks are as follows:
1. Start the virtual machine and log on.
2. Assign full control of users and groups in the Toronto OU.
3. Assign rights to reset passwords and configure private user information in the Toronto OU.
4. Verify the effective permissions assigned for the Toronto OU.
5. Test the delegated permissions for the Toronto OU.

Task 1: Start the virtual machine, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. Log on to 6419A-NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.

Task 2: Assign full control of users and groups in the Toronto OU


1. On NYC-DC1, run the Delegation of Control Wizard on the Toronto OU.
2. Assign the Create, delete, and manage user accounts and Create, delete, and manage groups tasks to the Tor_BranchManagersGG group.


Task 3: Assign rights to reset passwords and configure private user information in the Toronto OU
1. On NYC-DC1, run the Delegation of Control Wizard on the Toronto OU.
2. Assign the Reset user passwords and force password change at next logon task to the Tor_CustomerServiceGG group.
3. Run the Delegation of Control Wizard again. Choose the option to create a custom task.
4. Assign the Tor_CustomerServiceGG group permission to change personal information only for user accounts.

Task 4: Verify the effective permissions assigned for the Toronto OU


1. In Active Directory Users and Computers, enable viewing of Advanced Features.
2. Access the Advanced Security Settings for the Toronto OU.
3. Check the effective permissions for Sven Buck. Sven is a member of the Tor_BranchManagersGG group. Verify that Sven has permissions to create and delete user and group accounts.
4. Access the advanced security settings for Matt Berg, located in the CustomerService OU in the Toronto OU. Verify that Matt has permissions to create and delete user and group accounts.
5. Check the effective permissions for Helge Hoening. Helge is a member of the Tor_CustomerServiceGG group. Verify that Helge has permissions to reset passwords and permission to write personal attributes.


Task 5: Test the delegated permissions for the Toronto OU


1. Log on to NYC-DC1 as Sven with the password Pa$$w0rd.
2. Start Active Directory Users and Computers, and verify that Sven can create a new user in the Toronto organizational unit.
3. Verify that Sven can create a new group in the Toronto OU.
4. Verify that Sven cannot create a user in the ITAdmins OU.
5. Log off NYC-DC1, and then log on as Helge with the password Pa$$w0rd.
6. In Active Directory Users and Computers, verify that Helge does not have permissions to create any new objects in the Toronto OU.
7. Verify that Helge can reset user passwords and configure user properties, such as the office and telephone number.
Result: At the end of this exercise, you will have delegated the administrative tasks for the Toronto office.


Lesson 2:

Configure Active Directory Trusts

Many organizations that deploy AD DS deploy only one domain. However, larger organizations, or organizations that need to enable access to resources in other organizations or business units, may deploy several domains in the same Active Directory forest or in a separate forest. For users to access resources across forests, you must configure trusts between the forests. This lesson describes how to configure and manage trusts in an Active Directory environment.


What Are AD DS Trusts?

Key Points
Trusts allow the credentials of security principals from one domain to be accepted in another, and are necessary to allow resource access between domains. When you configure a trust between domains, a user can be authenticated in their own domain, and their security credentials can then be used to access resources in a different domain. Trusts can be defined as transitive or non-transitive. The user accounts are located in the trusted domain, while the resources are located in the trusting domain. The two protocol options for configuring trusts are the Kerberos protocol version 5 and Microsoft Windows NT Local Area Network (LAN) Manager (NTLM).

Question: What does a trust existing between two domains provide?


AD DS Trust Options

Key Points
All trusts in Microsoft Windows 2000 Server, Microsoft Windows Server 2003, and Microsoft Windows Server 2008 forests are transitive, two-way trusts. Therefore, both domains in a trust relationship are trusted; however, one-way trusts can also be configured. This diagram illustrates a two-way trust between Forests 1 and 2, and a one-way trust between domains E and A and between domains B and Q.

Question: If you were going to configure a trust between a Windows Server 2008 domain and a Windows NT 4.0 domain, what type of trust would you need to configure?
Question: If you need to share resources between domains, but do not want to configure a trust, how could you provide access to the shared resources?


How Trusts Work Within a Forest

Key Points
When you set up trusts between domains, either within the same forest, across forests, or with an external realm, information about these trusts is stored in AD DS so you can retrieve it when necessary. A trusted domain object (TDO) stores this information, including the trust's transitivity and type. Whenever you create a trust, a new TDO is created and stored in the System container of the trust's domain.

Question: In this slide, what type of trust do Domain B and Domain C have in this forest? What are the limitations?


How Trusts Work Between Forests

Key Points
Windows Server 2008 supports cross-forest trusts, which allow users in one forest to access resources in another forest. When a user attempts to access a resource in a trusted forest, AD DS must first locate the resource. After the resource is located, the user can be authenticated and allowed to access the resource.

Question: Why would clients not be able to access resources in a domain outside the forest?


Demonstration: Reviewing Trusts

Key Points
Review the Active Directory Domains and Trusts MMC.

Question: When you set up a forest trust, what information will need to be available in DNS in order for the forest trust to work?


What Are User Principal Names?

Key Points
A user principal name (UPN) is a logon name that is used only to log on to a Windows Server 2008 network. There are two parts to a UPN, which are separated by the @ sign, for example, suzan@WoodgroveBank.com:
• The user principal name prefix, which in this example is suzan.
• The user principal name suffix, which in this example is WoodgroveBank.com.

By default, the suffix is the name of the domain in which the user account was created. You can use the other domains in the network, or additional suffixes that you create, to configure other suffixes for users. For example, you may want to configure a suffix to create user logon names that match users' e-mail addresses.

Question: Provide a couple of scenarios where UPNs would be useful.


What Are the Selective Authentication Settings?

Key Points
Another option for restricting authentication across trusts in a Windows Server 2008 forest is selective authentication. With selective authentication, you can restrict which computers in your forest can be accessed by another forest's users.

Question: Provide a scenario where it would be appropriate to enable selective authentication.
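An added PowerShell example (not course material) that ties the TDO in the System container, described under How Trusts Work Within a Forest, to the selective authentication setting described here: it reads each trust's TDO to report direction, transitivity and whether selective authentication is enabled, and then grants a partner group the Allowed to Authenticate right on one computer object, which is what the Security tab step in Lab B does through the GUI. PowerShell 2.0 is assumed, and the domain, computer and group names are assumptions taken from the lab.

```powershell
# Added example: audit trusts from their TDOs and scope selective authentication
# to one computer. Assumed names from the lab environment.
param(
    [string]$DomainDn     = "DC=WoodgroveBank,DC=com",
    [string]$ComputerDn   = "CN=NYC-DC2,OU=Domain Controllers,DC=WoodgroveBank,DC=com",
    [string]$PartnerGroup = "FABRIKAM\MarketingGG"
)

# Bit values of trustDirection and trustAttributes as defined for the
# trustedDomain class (fixed schema values, not assumptions).
$TrustDirectionNames   = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }
$TA_NON_TRANSITIVE     = 0x01
$TA_FOREST_TRANSITIVE  = 0x08
$TA_CROSS_ORGANIZATION = 0x10   # set on the TDO when selective authentication is enabled

# Extended right "Allowed to Authenticate" (fixed rightsGuid from the schema)
$AllowedToAuthenticateGuid = [Guid]"68b1d179-0d15-4d4f-ab71-46152e79a7bc"

function Get-TrustedDomainObject {
    param([string]$DomainDn)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=System,$DomainDn"
    $searcher.Filter = "(objectClass=trustedDomain)"
    foreach ($result in $searcher.FindAll()) {
        $attrs = [int]$result.Properties['trustattributes'][0]
        New-Object PSObject -Property @{
            Partner       = [string]$result.Properties['trustpartner'][0]
            Direction     = $TrustDirectionNames[[int]$result.Properties['trustdirection'][0]]
            Transitive    = (($attrs -band $TA_NON_TRANSITIVE) -eq 0)
            ForestTrust   = (($attrs -band $TA_FOREST_TRANSITIVE) -ne 0)
            SelectiveAuth = (($attrs -band $TA_CROSS_ORGANIZATION) -ne 0)
        }
    }
}

function Grant-AllowedToAuthenticate {
    param([string]$ComputerDn, [string]$Account)
    # Name translation needs the trust in place so the partner domain can be queried.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier])
    $computer = [ADSI]"LDAP://$ComputerDn"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuthenticateGuid)
    $computer.ObjectSecurity.AddAccessRule($rule)
    $computer.CommitChanges()
}

$trusts = @(Get-TrustedDomainObject -DomainDn $DomainDn)
$trusts | Format-Table Partner, Direction, Transitive, ForestTrust, SelectiveAuth -AutoSize

# Only grant the right where the trust actually uses selective authentication; under
# domain-wide authentication the ACE would be irrelevant and give a false sense of scope.
# Assumption: the NetBIOS name in $PartnerGroup is the first label of the DNS trust partner name.
$partnerDomain = ($PartnerGroup -split '\\')[0]
$selective = $trusts | Where-Object { $_.Partner -like "$partnerDomain*" -and $_.SelectiveAuth }
if ($selective) {
    Grant-AllowedToAuthenticate -ComputerDn $ComputerDn -Account $PartnerGroup
    "Granted Allowed to Authenticate on $ComputerDn to $PartnerGroup"
} else {
    "Trust with $partnerDomain is not using selective authentication; nothing granted"
}
```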


Lab B: Configuring Active Directory Trusts

Scenario
Woodgrove Bank also has established a partner relationship with another organization. Some users in each organization must be able to access resources in the other organization. However, the access between organizations must be limited to as few users and as few servers as possible.


Exercise 1: Configuring AD DS Trusts


In this exercise, you will configure trusts based on a trust-configuration design that the enterprise administrator provides. You will also test the trust configuration to ensure that the trusts are configured correctly. Woodgrove Bank has initiated a strategic partnership with Fabrikam. Users at Woodgrove Bank will need to have access to several file shares and applications running on several servers at Fabrikam. Only users from Fabrikam should be able to access shares on NYC-SVR1.

The main tasks are as follows:
1. Start the virtual machines, and then log on.
2. Configure the network and DNS settings to enable the forest trust.
3. Configure a forest trust between WoodgroveBank.com and Fabrikam.com.
4. Configure selective authentication for the forest trust to enable access to only NYC-DC2.
5. Test the selective authentication.
6. Close all virtual machines and discard undo disks.

Task 1: Start the virtual machines, and then log on


1. In the Lab Launcher, next to 6419A-VAN-DC1, click Launch.
2. In the Lab Launcher, next to 6419A-NYC-DC2, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
4. Log on to 6419A-VAN-DC1 as Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Configure the Network and DNS Settings to enable the forest trust
1. On VAN-DC1, modify the Local Area Network properties to change the IP address to 10.10.0.110, the Default gateway to 10.10.0.1, and the Preferred DNS server to 10.10.0.110, and then click OK.
2. Synchronize the time on VAN-DC1 with NYC-DC1.
3. In DNS Manager, add a conditional forwarder to forward all queries for WoodgroveBank.com to 10.10.0.10.
4. In Active Directory Domains and Trusts, raise the domain and forest functional level to Windows Server 2003.
5. On NYC-DC1, in the DNS Manager console, add a conditional forwarder to forward all queries for Fabrikam.com to 10.10.0.110.
6. Close the DNS Manager console.

Task 3: Configure a forest trust between WoodgroveBank.com and Fabrikam.com


1. On NYC-DC1, start Active Directory Domains and Trusts from the Administrative Tools folder.
2. Right-click WoodgroveBank.com and then click Properties.
3. Start the New Trust Wizard and configure a forest trust with Fabrikam.com. Configure both sides of the trust.
4. Use Administrator@Fabrikam.com to verify the trust.
5. Accept the default setting of domain-wide authentication for both domains.
6. Confirm both trusts.

Task 4: Configure selective authentication for the forest trust to enable access to only NYC-DC2
1. In Active Directory Domains and Trusts, modify the incoming trust from Fabrikam.com to use selective authentication.
2. In Active Directory Users and Computers, access NYC-DC2's properties. On the Security tab, grant the MarketingGG group from Fabrikam.com permission to authenticate to this server.
3. Access NYC-CL1's properties. On the Security tab, grant the MarketingGG group from Fabrikam.com permission to authenticate to this workstation.


Task 5: Test the selective authentication


1. Log on to the NYC-CL1 virtual machine as Adam@fabrikam.com using the password Pa$$w0rd.

Note: Adam is a member of the MarketingGG group at Fabrikam. He is able to log on to a computer in the WoodgroveBank.com domain because of the trust between the two forests and because he has been allowed to authenticate to NYC-CL1.

2. Try to access the \\NYC-DC2\Netlogon folder. Adam should be able to access the folder.
3. Try to access the \\NYC-DC1\Netlogon folder. Adam should not be able to access the folder because the server is not configured for selective authentication.

Task 6: Close all virtual machines and discard undo disks


1. For each running virtual machine, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.
Result: At the end of this exercise, you will have configured trusts based on a trust configuration design.


Module Review and Takeaways

Review Questions
1. If there is a trust within a forest, and the resource is not in the user's domain, how does the domain controller use the trust relationship to access the resource?
2. The BranchOffice_Admins group has been granted full control of all user accounts in the BranchOffice_OU. What permissions would the BranchOffice_Admins have to a user account that was moved from the BranchOffice_OU to the HeadOffice_OU?
3. Your organization has a Windows Server 2008 forest environment, but it has just acquired another organization with a Windows 2000 forest environment that contains a single domain. Users in both organizations must be able to access resources in each other's forest. What type of trust do you create between the forest root domains of each forest?


Real-World Issues and Scenarios


Scenario: Your organization has two domains: Contoso.com and Fabrikam.com. You need to allow users from Fabrikam.com to access a shared folder in Contoso.com. Describe the steps for configuring this access.

Question: How could you remove Write share permissions from a single file that is located inside a folder that is inheriting Write permissions from the shared folder in which it is located?

Question: When moving a folder in an NTFS partition, what permissions are required over the source file or folder and over the destination folder?

Considerations for Configuring Active Directory Objects


Supplement or modify the following best practices for your own work situations:
• Create a naming scheme for AD DS objects before starting the AD DS deployment. For example, you need to plan how you will create user logon names and devise your group-naming strategy. It is much easier to plan the naming strategies early in the AD DS deployment rather than change the names after deployment.
• Plan your AD DS group strategy before deploying AD DS. When planning the group strategy, consider the organization's plans for future growth. Even if the organization only has a small number of users in a single domain, you may want to implement an account group/resource group strategy if the organization has an aggressive growth strategy or is likely to establish key partnerships that may require forest trusts.
• Look for opportunities to automate AD DS management tasks. It can take considerable time to create csvde and ldifde files, or to write VBScript or Windows PowerShell scripts. However, once these tools are in place, they can save a great deal of time.
• Another option for decreasing workload for AD DS administrators is to delegate tasks. One strategy for determining what tasks to delegate is to analyze what tasks take the most time for AD DS administrators. If mundane tasks, such as creating user accounts, resetting passwords, or updating user information, take a significant amount of time, consider delegating those specific tasks to other users.


Tools
Use the following tools when configuring AD DS objects and trusts:
Tool: Server Manager
Use for: Accessing the AD DS management tools in a single console.
Where to find it: Click Start, point to Administrative Tools, and then click Server Manager.

Tool: Active Directory Users and Computers
Use for: Creating and configuring all AD DS objects.
Where to find it: Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

Tool: Active Directory Domains and Trusts
Use for: Creating and configuring trusts.
Where to find it: Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.

Tool: Command line tools (including Csvde and Ldifde)
Use for: Creating and configuring AD DS objects.
Where to find it: These are installed by default and are accessible at a command prompt.

Tool: Windows PowerShell
Use for: Writing scripts that can automate AD DS object management.
Where to find it: Windows PowerShell is available as a download from Microsoft and can be installed as a feature in Windows Server 2008. After installing Windows PowerShell, all cmdlets are accessible through the Windows PowerShell command shell.


Module 6
Creating and Configuring Group Policy
Contents:
Lesson 1: Overview of Group Policy   6-3
Lesson 2: Configuring the Scope of Group Policy Objects   6-18
Lesson 3: Evaluating the Application of Group Policy Objects   6-31
Lesson 4: Managing Group Policy Objects   6-37
Lesson 5: Delegating Administrative Control of Group Policy   6-47
Lab A: Creating and Configuring GPOs   6-51
Lab B: Verifying and Managing GPOs   6-57


Module Overview

Administrators face increasingly complex challenges in managing the Information Technology (IT) infrastructure. They must deliver and maintain customized desktop configurations for a greater variety of employees, such as mobile users, information workers, or others assigned to strictly defined tasks, such as data entry. Group Policy and the Active Directory Domain Services (AD DS) infrastructure in Microsoft Windows Server 2008 enable IT administrators to automate user and computer management, thus simplifying administrative tasks and reducing IT costs. With Group Policy and AD DS, administrators can efficiently implement security settings, enforce IT policies, and distribute software consistently across a given site, domain, or range of organizational units (OUs).


Lesson 1

Overview of Group Policy

This lesson introduces you to using Group Policy to simplify managing computers and users in an Active Directory environment. You will learn how Group Policy Objects (GPOs) are structured and applied, and about some of the exceptions to how GPOs are applied. This lesson also discusses Group Policy features that are included with Windows Server 2008, which also help simplify computer and user management.


What Is Group Policy?

Key Points
Group Policy is a Microsoft technology that supports one-to-many management of computers and users in an Active Directory environment. By editing Group Policy settings and targeting a Group Policy Object (GPO) at the intended users or computers, you can centrally manage specific configuration parameters. In this way, you can manage potentially thousands of computers or users by changing a single GPO. A Group Policy object is the collection of settings that are applied to selected users and computers. Group Policy can control many aspects of a target object's environment, including the registry, NTFS file system security, audit and security policy, software installation and restriction, desktop environment, logon/logoff scripts, and so on.


One GPO can be associated with multiple containers in AD DS, through linking. Conversely, multiple GPOs may link to one container. Each computer running a Microsoft Windows operating system has a local Group Policy object. In these objects, Group Policy settings are stored on individual computers, whether or not they are part of an Active Directory environment or a networked environment. Local Group Policy objects contain fewer settings than nonlocal Group Policy objects, particularly under Security Settings. Local Group Policy objects do not support Folder Redirection or Group Policy Software Installation.

Question: When would local Group Policy be useful in a domain environment?
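An added PowerShell example (not course material) that makes the linking model above visible: it reads the gPLink and gPOptions attributes of a container, which is where AD DS records which GPOs are linked to it, whether each link is enforced or disabled, and whether the container blocks inheritance, and then repeats this for every parent container up to the domain. PowerShell 2.0 is assumed, and the OU name is an assumption taken from the lab environment.

```powershell
# Added example: list the GPOs linked to an AD DS container and its parents from gPLink.
# Assumed container: the Toronto OU from the lab environment.
param([string]$ContainerDn = "OU=Toronto,DC=WoodgroveBank,DC=com")

function Get-GpoLink {
    param([string]$ContainerDn)
    $container = [ADSI]"LDAP://$ContainerDn"
    $gpLink = [string]$container.Properties['gPLink'].Value     # $null/empty when nothing is linked
    $gpOptions = 0                                               # bit 1 = Block Inheritance
    if ($container.Properties['gPOptions'].Value -ne $null) {
        $gpOptions = [int]$container.Properties['gPOptions'].Value
    }

    # gPLink is one string made of entries such as
    # [LDAP://cn={GUID},cn=policies,cn=system,DC=WoodgroveBank,DC=com;2]
    # The number after ';' is a bit mask on the link: 1 = link disabled, 2 = enforced.
    $entries = [regex]::Matches($gpLink, '\[LDAP://([^;\]]+);(\d+)\]')
    $position = 0
    foreach ($entry in $entries) {
        $position++
        $gpoDn = $entry.Groups[1].Value
        $flags = [int]$entry.Groups[2].Value
        $gpo   = [ADSI]"LDAP://$gpoDn"
        New-Object PSObject -Property @{
            Container         = $ContainerDn
            Position          = $position       # raw position in gPLink; GPMC shows the link order
            DisplayName       = [string]$gpo.Properties['displayName'].Value
            GpoDn             = $gpoDn
            # gPCFileSysPath is the SYSVOL folder holding the GPO's settings files
            SysvolPath        = [string]$gpo.Properties['gPCFileSysPath'].Value
            Enforced          = (($flags -band 2) -ne 0)
            LinkDisabled      = (($flags -band 1) -ne 0)
            BlocksInheritance = (($gpOptions -band 1) -ne 0)
        }
    }
}

# Walk from the container up to the domain so every link that can affect the
# container is listed together with the level it is linked at. Site links are
# stored under the configuration partition and are not covered here.
function Get-GpoLinkChain {
    param([string]$ContainerDn)
    $dn = $ContainerDn
    while ($dn) {
        Get-GpoLink -ContainerDn $dn
        # Strip the leading OU= or CN= RDN; stop once only DC= components remain.
        # Assumes RDN values do not contain escaped commas.
        if ($dn -match '^(OU|CN)=[^,]+,(.+)$') { $dn = $matches[2] } else { $dn = $null }
    }
}

Get-GpoLinkChain -ContainerDn $ContainerDn |
    Format-Table Container, Position, DisplayName, Enforced, LinkDisabled, BlocksInheritance -AutoSize
```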


Group Policy Settings

Key Points
Group Policy has thousands of configurable settings (approximately 2,400). These settings can affect nearly every area of the computing environment. You cannot apply all of the settings to all versions of Microsoft Windows operating systems. For example, many of the new settings that came with the Microsoft Windows XP Professional operating system, Service Pack (SP) 2, such as software restriction policies, only applied to that operating system. Equally, many of the hundreds of new settings only apply to the Microsoft Windows Vista operating system and Windows Server 2008. If a computer has a setting applied that it cannot process, it simply ignores it.


Group Policy structure


Group Policy is split into two distinct areas:
• Computer configuration: Affects the HKEY_Local_Machine registry hive.
• User configuration: Affects the HKEY_Current_User registry hive.

Configuring Group Policy settings


Each area has three sections:

Software settings: Software can be deployed to either the user or the computer. Software deployed to a user is specific to that user. Software deployed to the computer is available to all users of that computer.
Windows settings: Contain script settings and security settings for both user and computer, and Internet Explorer maintenance for the user configuration.
Administrative templates: Contain hundreds of settings that modify the registry to control various aspects of the user or computer environment.


Group Policy areas in Windows Vista and Server 2008


Many areas of Group Policy have been enhanced to include new features. They include:

Antivirus: Manages attachments behavior.
Client Help: Determines where users can access help systems.
Deployed Printer Connections: Automates printer deployment.
Internet Explorer 7: Replaces and expands the current Internet Explorer Maintenance extension.
Wireless Configuration: Sets up network wireless policies.
Terminal Services (TS): Enhances security and manageability of TS remote connections.
Windows Error Reporting: Disables Windows Feedback for any or all components.

New areas of Group Policy include:

Removable storage device management: Controls installation of hardware classes, and the read/write capabilities of removable storage devices.
Power management: Controls all power management settings using Group Policy.
User Account Control: Controls the behavior of the User Account Control feature.
Network Access Protection: Manages Health Registration Authority, Internet Authentication Service, and Network Access Protection.
Windows Defender: Configures Windows Defender settings.
Windows Firewall with Advanced Security: Controls Windows Firewall advanced configurations.


Group Policy examples


Example 1: As the domain administrator, you want to disable the write ability for removable disks in a GPO: In the Group Policy Editor, point to Computer Configuration, point to Administrative Templates, point to System, point to Removable Storage Access, and then enable the Removable Disks: Deny write access setting.

Example 2: As the domain administrator, you want to disable the User Account Control prompt for Administrators: In the Group Policy Editor, point to Computer Configuration, point to Windows Settings, point to Security Settings, point to Local Policies, point to Security Options, and then set the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode to Elevate without prompting. You will need to restart the clients to accept the setting.

Note: A number of settings appear in both the user and the computer configuration, for example, Offline Files or Windows Messenger settings. With few exceptions, in case of a conflict between the user and computer setting, the user setting will be ignored, and the computer setting will be applied.

Question: Which of the new features will you find the most useful in your environment?


How Group Policy Is Applied

Key Points
Clients initiate Group Policy application by requesting GPOs from AD DS. When Group Policy is applied to a user or computer, the client component interprets the policy, and then makes the appropriate environment changes. These components are known as Group Policy client-side extensions. As GPOs are processed, the gpsvc service passes the list of GPOs that must be processed to each Group Policy client-side extension. The extension then uses the list to process the appropriate policy, when applicable.

Question: What would be some advantages and disadvantages to lowering the refresh interval?


Exceptions to Group Policy Processing

Key Points
Different factors can change the normal Group Policy processing behavior, such as logging on using a slow connection. Also, different types of connections or operating systems handle Group Policy processing differently.

Question: How is Network Location Awareness (NLA) better than Internet Control Message Protocol (ICMP) in the proper application of Group Policy?


Group Policy Components

Key Points
You can use Group Policy templates to create and configure Group Policy settings, which are stored by the GPOs. The GPOs in turn are stored in the System Volume (SYSVOL) container in AD DS. The SYSVOL container acts as a central repository for the GPOs. In this way, one policy may be associated with multiple Active Directory containers through linking. Conversely, multiple policies may link to one container. Group Policy has three major components:

Group Policy templates
Group Policy container
Group Policy objects

Question: Think of at least one example of how your organization can benefit by using the Group Policy components.


What Are ADM and ADMX Files?

Key Points

ADM Files


Traditionally, ADM files have been used to define the settings the administrator can configure through Group Policy. Each successive Windows operating system and service pack has included a newer version of these files. ADM files use their own markup language. Because of this, it is difficult to customize ADM files. The ADM templates are located in the %SystemRoot%\Inf folder.

ADMX Files
Windows Vista and Windows Server 2008 introduce a new format for displaying registry-based policy settings. Registry-based policy settings are defined using a standards-based XML file format known as ADMX files. These new files replace ADM files. Group Policy tools on Windows Vista and Server 2008 will continue to recognize custom ADM files you have in your existing environment, but will ignore any ADM file that ADMX files have superseded.


Question: How could you tell if a GPO was created or edited using ADM or ADMX files?

Question: List one benefit of the ADMX format with Group Policy Objects.


What Is the Central Store?

Key Points
For domain-based enterprises, administrators can create a central store location of ADMX files that is accessible by anyone with permission to create or edit GPOs. The GPO Editor on Microsoft Windows Vista and Windows Server 2008 automatically reads and displays Administrative Template policy settings from ADMX files that the central store caches, and ignores the ones stored locally. If the domain controller is not available, then the local store is used. You must create the central store, and then update it manually on a domain controller. The use of ADMX files is dependent on the operating system of the computer where you are creating or editing the GPO, not on the domain controller. Therefore, the domain controller can be a server running Microsoft Windows 2000, Microsoft Windows Server 2003, or Windows Server 2008. The File Replication Service (FRS) replicates the central store from that domain controller to the domain's other domain controllers.


To create a Central Store for .admx and .adml files, create a folder that is named PolicyDefinitions in the following location: \\FQDN\SYSVOL\FQDN\policies
Note: FQDN is a fully qualified domain name.

For example, to create a Central Store for the Test.Microsoft.com domain, create a PolicyDefinitions folder in the following location: \\Test.Microsoft.Com\SYSVOL\Test.Microsoft.Com\Policies

Copy all files from the PolicyDefinitions folder on a Windows Vista-based client computer to the PolicyDefinitions folder on the domain controller. The PolicyDefinitions folder on a Windows Vista-based computer resides in the same folder as Windows Vista. The PolicyDefinitions folder on the Windows Vista-based computer stores all .admx files and .adml files for all languages that are enabled on the client computer.

Question: What would be the advantage of creating the central store in your environment?
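The central store procedure above, as an added PowerShell example that is not part of the course material. It assumes the Test.Microsoft.com domain from the text, a source PolicyDefinitions folder under %SystemRoot% on a Windows Vista client, and an account that can write to SYSVOL; it also checks that every copied .admx template has a matching .adml language file, because the GPO Editor cannot display a template without one.

```powershell
# Added example (not from the course): build the ADMX central store in SYSVOL.
# Assumptions: domain test.microsoft.com (from the course text), source folder
# %SystemRoot%\PolicyDefinitions on a Windows Vista client, write access to SYSVOL.
$Domain       = 'test.microsoft.com'
$Source       = Join-Path $env:SystemRoot 'PolicyDefinitions'
$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

if (-not (Test-Path $Source)) { throw "No PolicyDefinitions folder at $Source" }

# Create the central store folder if it does not exist yet.
if (-not (Test-Path $CentralStore)) {
    New-Item -Path $CentralStore -ItemType Directory | Out-Null
}

# Copy every .admx template, then each language subfolder (for example en-US)
# with its .adml files, preserving the subfolder name the GPO Editor expects.
Copy-Item -Path (Join-Path $Source '*.admx') -Destination $CentralStore -Force
Get-ChildItem -Path $Source | Where-Object { $_.PSIsContainer } | ForEach-Object {
    $LangDest = Join-Path $CentralStore $_.Name
    if (-not (Test-Path $LangDest)) {
        New-Item -Path $LangDest -ItemType Directory | Out-Null
    }
    Copy-Item -Path (Join-Path $_.FullName '*.adml') -Destination $LangDest -Force
}

# Verify: each .admx in the store needs an .adml for at least one language;
# a template without one shows no settings in the GPO Editor.
$Admx = @(Get-ChildItem -Path $CentralStore -Filter '*.admx')
$AdmlNames = @(Get-ChildItem -Path $CentralStore -Recurse -Filter '*.adml' |
               ForEach-Object { $_.BaseName })
$Missing = @($Admx | Where-Object { $AdmlNames -notcontains $_.BaseName })

"Copied $($Admx.Count) ADMX templates; $($Missing.Count) without a matching ADML."
$Missing | ForEach-Object { "  missing ADML for: $($_.Name)" }
```

Run it once on a single domain controller; FRS replicates the new PolicyDefinitions folder to the other domain controllers as described above.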


Demonstration: Configuring Group Policy Objects

Key Points
Open the Group Policy Management Console (GPMC).
Create a new Group Policy named Desktop in the Group Policy container.
In the computer configuration, prevent the last logon name from displaying, and prevent Windows Installer from running.
In the user configuration, remove the Search menu from the Start menu, and hide the Screen Saver tab.

Question: When you open the GPMC on your Windows XP computer, you do not see the new Windows Vista settings in the Group Policy Object Editor. Why not?


Lesson 2:

Configuring the Scope of Group Policy Objects

There are several techniques in Group Policy that allow administrators to manipulate how Group Policy is applied. You can control the default processing order of policy through enforcement, blocking inheritance, security filtering, Windows Management Instrumentation (WMI) filters, or using the loopback processing feature. In this lesson, you will learn about these techniques.


Group Policy Processing Order

Key Points
The GPOs that apply to a user or computer do not all have the same precedence. GPOs are applied in a particular order. This order means that settings that are processed first may be overwritten by settings that are processed later. For example, a policy that restricts access to Control Panel applied at the domain level could be reversed by a policy applied at the OU level for that particular OU. If you link several GPOs to an organizational unit, their processing occurs in the order that the administrator specifies on the Linked Group Policy Objects tab for the organizational unit in the Group Policy Management Console (GPMC).

Question: Your organization has multiple domains spread over multiple sites. You want to apply a Group Policy to all users in two different domains. What is the best way to accomplish this?


What Are Multiple Local Group Policy Objects?

Key Points
In Microsoft operating systems prior to Windows Vista, there was only one user configuration available in the local Group Policy. That configuration was applied to all users logged on from the local computer. This is still true, but Windows Vista and Windows Server 2008 have an added feature. In Windows Vista and Windows Server 2008, it now is possible to have different user settings for different local users, although there remains only one computer configuration available that affects all users. Domain administrators can disable Local Group Policy objects processing on clients running Windows Vista or Windows Server 2008 by enabling the Turn off Local Group Policy objects processing policy setting in a domain GPO.

Question: When would multiple local Group Policy objects be useful in a domain environment?


Options for Modifying Group Policy Processing

Key Points
There may be occasions when the normal behavior of Group Policy is not desirable. For example, certain users or groups may need to be exempt from restrictive Group Policy settings, or a GPO should be applied only to computers with certain hardware or software characteristics. By default, all Group Policy settings apply to the Authenticated Users group in a given container. However, you can modify that behavior through various methods. Using block inheritance prevents the child level from automatically inheriting GPOs linked to higher sites, domains, or organizational units. GPO-links that are enforced cannot be blocked from the parent container. By denying or granting the Apply Group Policy permission, you can control which users, groups, or computers actually receive the GPO settings. Security group filtering will override enforcement.


WMI provides access to properties of almost every hardware and software object in the computing environment. Through WMI queries, these properties can be evaluated, and decisions about the application of Group Policy are made based on the results. You can completely block the application of a GPO for a given site, domain, or organizational unit by disabling that container's GPO link. You can use the Group Policy loopback feature to apply GPOs whose user settings depend only on the computer to which the user logs on.

Question: You have created a restrictive desktop policy and linked it to the Finance OU. The Finance OU has several child OUs that have separate GPOs that reverse some of your desktop restrictions. How would you ensure that all users in the Finance department receive your desktop policy?


Demonstration: Configuring Group Policy Object Links

Key Points
Link the policy you created in the previous demo to the Toronto OU.
Log on as one of the Toronto users to test the results.
Disable the computer or user side of the policy. Doing this gives some performance advantage by not processing parts of the policy that are known to be empty.
Disable the entire policy. Occasionally you may need to do this for troubleshooting policies.

Question: True or false: if a GPO is linked to multiple containers, altering the settings for one of those links will only affect that container.


Demonstration: Configuring Group Policy Inheritance

Key Points
Create a new OU and a new user in the OU.
In the Default Domain policy, enable the setting to remove the Help menu from the Start menu. Test the settings.
Block inheritance for the new OU. Test the settings.
Enforce the Default Domain policy. Test the settings.
Turn off enforcement and inheritance blocking.

Question: Your domain has two domain-level policies, GPO1 and GPO2. You need to ensure that all OUs receive GPO1, but GPO2 should not affect two of the OUs. How could you accomplish this?


Demonstration: Filtering Group Policy Objects Using Security Groups

Key Points
Create a new user in the OU that you created for the last demo.
Create a link between the OU and the GPO that removes the Search link from the Start menu.
Use security filtering to exempt the new user from the GPO setting.
Log on as the first user and test that there is no Help menu link.
Log on as the new user and test that the Help menu link appears because security filtering is in place.

Question: You want to ensure that a specific policy linked to an OU will only affect the members of the Managers global group. How would you accomplish this?


Demonstration: Filtering Group Policy Objects Using WMI Filters

Key Points
Use the GPMC to create a new WMI filter that targets only XP Professional clients. Namespace: Root\CimV2; query: Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional" (the string literal must be quoted in WQL).
Use the GPMC to create a new GPO named software.
Assign the WMI filter to the software GPO.

Question: You need to deploy a software application that requires computers to have more than 1 GB of RAM. What is the best way to accomplish this?
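WMI filters can be tested on a client before they are linked to a GPO. The following added PowerShell example (not part of the course) evaluates a filter query the way the Group Policy engine does, where a GPO applies only if the query returns at least one instance; the Test-GpoWmiFilter function name is the example's own, and the second query, for computers with more than 1 GB of RAM, is an assumption built for the question above.

```powershell
# Added example (not from the course): evaluate WMI filter queries locally.
# The Group Policy engine applies a filtered GPO only when the query returns at
# least one instance, so the function returns $true in exactly that case.
# Assumptions: run on the client under test; root\cimv2 is the default namespace.
function Test-GpoWmiFilter {
    param(
        [string]$Namespace = 'root\cimv2',
        [Parameter(Mandatory = $true)][string]$Query
    )
    $Instances = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
    return ($Instances.Count -gt 0)
}

# The filter from the demonstration: only Windows XP Professional clients.
$XpFilter  = 'SELECT * FROM Win32_OperatingSystem WHERE Caption = "Microsoft Windows XP Professional"'

# Hypothetical filter for the question above: more than 1 GB of physical memory.
# TotalPhysicalMemory is reported in bytes, so 1 GB is 1073741824.
$RamFilter = 'SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory > 1073741824'

foreach ($Filter in @($XpFilter, $RamFilter)) {
    $Passes = Test-GpoWmiFilter -Query $Filter
    "{0,-5} {1}" -f $Passes, $Filter
}

# Caveat: an exact Caption comparison fails silently if the reported value
# carries extra whitespace. Show the raw value in quotes so that is visible.
"Caption is: '{0}'" -f (Get-WmiObject -Class Win32_OperatingSystem).Caption
```

A filter that unexpectedly returns $false here will also exclude the computer from the GPO once linked, which is the usual cause of "the policy never applied" reports.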


How Does Loopback Processing Work?

Key Points
User policy settings are normally derived entirely from the GPOs associated with the user account, based on its AD DS location. However, loopback processing directs the system to apply an alternate set of user settings, those linked to the computer, to any user who logs on to a computer affected by this policy. Loopback processing is intended for special-use computers where you must modify the user policy based on the computer being used, such as computers in public areas or classrooms. When you apply loopback, it affects all users except local ones. Both the user objects and the computer objects can potentially have different Group Policy settings applied (depending upon where each object resides in AD). Loopback processing ensures that the computer object's policy takes precedence over the user object's Group Policy settings.


Loopback operates using the following two modes:

Merge mode
Replace mode

Question: List one of the benefits of using loopback processing.


Discussion: Configuring the Scope of Group Policy Processing

Scenario
Use the following scenario information for your discussion.

Physical structure
Woodgrove Bank has a single domain that spans two sites, Head Office and Toronto. The Toronto site is connected to the Head Office site across a high-speed link. Within the Head Office site, there is a branch office in Winnipeg. This office is connected to Head Office across a slow link. There are five users in the Winnipeg office. There is no domain controller in the Winnipeg office, but there is a SQL server. This organization has deployed both Windows XP Professional and Windows Vista computers.


Requirements
All domain computers that have Windows XP Professional installed will have a small software application distributed through Group Policy.
Domain users should not have access to the desktop display properties. The Administrators group will be exempt from this restriction.
Both the Winnipeg and Toronto branch users will have further desktop restrictions applied.
Both branches will have a kiosk computer available in the lobby for public Internet access. This computer needs to be locked down so that the user cannot change any settings. Their computer accounts are located in their respective branch's OU.
The computer accounts for all servers other than domain controllers will be located in the Servers OU or in a nested OU inside the Servers OU. All servers must have baseline security settings applied. SQL servers must have additional security settings applied.

Multimedia activity
The "Implementing Group Policy" activity includes multiple choice and drag-and-drop exercises that test your knowledge. To access the activity, open the Web page on the Student Materials CD, click Multimedia, and then click Implementing Group Policy. Read the instructions, and then click the Effects of Group Policy Settings tab to begin the activity.

Question: How would you construct a Group Policy scheme to satisfy the requirements?


Lesson 3:

Evaluating the Application of Group Policy Objects

System administrators need to know how Group Policy settings affect computers and users in a managed environment. This information is essential when planning Group Policy for a network, and when debugging existing GPOs. Obtaining the information can be a complex task when you consider the many combinations of sites, domains, and organizational units that are possible, and the many types of Group Policy settings that can exist. Further complicating the task are security-group filtering, and GPO inheritance, blocking, and enforcement. The Group Policy Results (GPResult.exe) command-line tool and the GPMC provide reporting features to simplify these tasks.


What Is Group Policy Reporting?

Key Points
Group Policy Reporting is a feature of Group Policy that makes implementation and troubleshooting easier. The two main reporting tools are the GPResult.exe command-line tool and the Group Policy Results Wizard in the GPMC. The Group Policy Results feature allows administrators to determine the resultant set of policy that was applied to a given computer and/or to a user who logged on to that computer. Although these tools are similar, each provides different information. To run these tools against a remote computer, the built-in Windows Firewall on that computer must be configured to allow the incoming traffic, which is itself done through a Group Policy Object (GPO); ironically, that policy is the one policy you cannot force onto a remote computer whose firewall already blocks you.


The policy setting that needs to be enabled for all the mentioned methods is the following: Computer Settings | Administrative Templates | Network | Network Connections | Windows Firewall | Domain Profile | "Windows Firewall: Allow remote administration exception".

Question: You want to know which domain controller delivered Group Policy to a client. Which utility would you use to find that out?
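Besides GPResult.exe and the GPMC wizard, the resultant set of policy that the Group Policy engine recorded on a computer can be read directly from WMI. The following added PowerShell example (not from the course) queries the logged RSoP data for the computer side and reports, per GPO, whether it was applied or why it was skipped; it assumes an elevated session on a domain-joined Windows Vista or Windows Server 2008 computer, and the status labels are the example's own wording.

```powershell
# Added example (not from the course): read the computer-side RSoP data that the
# Group Policy engine logs to WMI, the same data GPResult.exe reports.
# Assumptions: elevated session on a domain-joined Vista / Server 2008 computer.
# Equivalent HTML report from the course's tool: gpresult /h C:\rsop.html
$Namespace = 'root\rsop\computer'

# RSOP_GPO has one instance per GPO the engine considered during the last refresh.
# accessDenied  : the computer lacks the Apply Group Policy permission (security filtering)
# filterAllowed : the GPO's WMI filter returned at least one instance
# enabled       : the GPO itself is not disabled
$Gpos = @(Get-WmiObject -Namespace $Namespace -Class RSOP_GPO)
foreach ($Gpo in $Gpos) {
    $Status = if ($Gpo.accessDenied)           { 'skipped: denied by security filtering' }
              elseif (-not $Gpo.filterAllowed) { 'skipped: excluded by WMI filter' }
              elseif (-not $Gpo.enabled)       { 'skipped: GPO disabled' }
              else                             { 'applied' }
    "{0,-40} {1}" -f $Gpo.name, $Status
}

# RSOP_GPLink records each link in the order it was processed; later links win
# conflicts, and noOverride marks links that were enforced.
""
"Processing order (later wins):"
Get-WmiObject -Namespace $Namespace -Class RSOP_GPLink |
    Sort-Object appliedOrder |
    ForEach-Object {
        "{0,3}  enforced={1,-5} enabled={2,-5} {3}" -f $_.appliedOrder, $_.noOverride, $_.enabled, $_.GPO
    }
```

A GPO that shows as skipped for security filtering on a computer that should receive it is the first thing to check when a user reports missing restrictions that colleagues in the same OU do have.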


What Is Group Policy Modeling?

Key Points
Another method for testing Group Policy is to use the Group Policy Modeling Wizard in the GPMC to model environment changes before you actually make them. The Group Policy Modeling Wizard calculates the simulated net effect of GPOs. Group Policy Modeling also simulates such things as security group membership, WMI filter evaluation, and the effects of moving user or computer objects to a different OU or site. You also can specify slow-link detection, loopback processing, or both when using the Group Policy Modeling Wizard. The Group Policy Modeling process actually runs on a domain controller in your Active Directory domain. Because the wizard never queries the client computer, it cannot take local policies into account.


Question: What simulations can be performed with the Group Policy Modeling Wizard? Choose all that apply.

a. Loopback processing
b. Moving a user to a different domain in the same forest
c. Security group filtering
d. Slow link detection
e. WMI filtering
f. All of the above


Demonstration: How to Evaluate the Application of Group Policy

Key Points
Log on using the WOODGROVEBANK\Administrator account.
Run GPResult.
Use the GPMC to run the Group Policy Reporting Wizard for a User. Examine the output, and save the report as an HTML file.
Use the GPMC to run the Group Policy Modeling Wizard to simulate what would happen if the User moved to a different OU, and then compare the differences.

Question: A user reports that they are unable to access Control Panel. Other users in the department can access Control Panel. What tools might you use to troubleshoot the problem?


Lesson 4:

Managing Group Policy Objects

GPMC provides mechanisms for backing up, restoring, migrating, and copying existing GPOs. This is very important for maintaining your Group Policy deployments in the event of error or disaster. It helps you avoid manually recreating lost or damaged GPOs, and having to again go through the planning, testing, and deployment phases. Part of your ongoing Group Policy operations plan should include regular backups of all GPOs. GPMC also provides for copying and importing GPOs, both from the same domain and across domains.


GPO Management Tasks

Key Points
Like critical data and Active Directory-related resources, you must back up GPOs to protect the integrity of AD DS and GPOs. The GPMC not only provides the basic backup and restore options, but also provides additional control over GPOs for administrative purposes. You can back up GPOs individually or as a whole with the GPMC. The restore interface provides the ability for you to view the settings stored in the backed-up version before restoring it. Importing a GPO allows you to transfer settings from a backed-up GPO to an existing GPO. It does not modify the existing security or links on the destination GPO. You can copy GPOs using the GPMC, both in the same domain and across domains.


Note: It is not possible to merge imported settings with the current target GPO settings; the imported settings will overwrite all existing settings.

Note: It is not possible to copy settings from multiple GPOs into a single GPO.

Question: You perform regular backups of GPOs. An administrator has inadvertently changed a number of settings on the wrong GPO. What is the quickest way to fix the problem?


What Is a Starter GPO?

Key Points
Starter GPOs store a collection of Administrative Template policy settings in a single object. Starter GPOs only contain Administrative Templates. You can import and export Starter GPOs to distribute them to other areas of your enterprise. When you create a new GPO from a Starter GPO, the new GPO has all the Administrative Template settings that the Starter GPO defined. In this way, Starter GPOs act as templates for creating GPOs, which helps provide consistency in distributed environments. Individual Starter GPOs can be exported into .cab files for easy distribution. You then can import these .cab files back into the GPMC. The GPMC stores Starter GPOs in a folder named StarterGPOs, which is located in SYSVOL.

Question: List one of the benefits of using Starter GPOs.


Demonstration: Starter GPOs

Key Points
Open the Group Policy Management console.
In the GPMC console tree, click Starter GPOs.
In the results pane, click the Contents tab, and then click Load Cabinet.
In the Load Starter GPO dialog box, click Browse for CAB.
Click the name of the Starter GPO cabinet file that you want to install, and then click Open.
In the Load Starter GPO dialog box, confirm that the correct Starter GPO cabinet file is specified, and then click OK.
On the Contents tab, confirm that the name of the Starter GPO that you installed appears in the list of Starter GPOs.

The Starter GPO will be created in the shared SYSVOL folder found on domain controllers, in all 24 languages in which Windows Vista and Windows XP SP2 are available.


Demonstration: How to Copy a GPO

Key Points
Use the GPMC to copy the Desktop policy that you created in the previous demonstration. Rename the resulting GPO with the name of your choice.

Question: What is the advantage of copying a GPO and linking it to an OU over linking the original GPO to multiple OUs?


Demonstration: Backing Up and Restoring GPOs

Key Points
Create a folder named GPO_Back to hold the backed up GPOs.
Back up an individual GPO.
Back up all GPOs.
Delete one of the GPOs from the Group Policy folder.
Restore the GPO from the backup version.

Question: What permissions are required to back up a GPO?


Demonstration: Importing a GPO

Key Points
Create a new GPO named Redirect.
Configure the Redirect policy to redirect the My Documents folder to a UNC path of \\server\share.
Back up the Redirect policy.
Create a new GPO named Imported.
Import the policy settings from the Redirect policy to the Imported policy.


When the scan discovers the settings that may need to be modified, create a new migration table that changes the UNC path from \\server\share to \\Srv1\docs. Finish the Import Wizard, and show that the UNC path for My Documents has changed from \\server\share to \\Srv1\docs.

Question: What is the purpose of a migration table?


Migrating Group Policy Objects

Key Points
The ADMX Migrator allows you to convert custom ADM templates into ADMX templates. The associated ADML file is also created. Converted files are saved into the user's documents folder by default. Once you create the new files, copy the ADMX file into the PolicyDefinitions folder, or the central store, and copy the ADML file into the appropriate language subfolder. The new Administrative Templates then become available in the GPMC.

Question: List at least one benefit of using the ADMX Migrator utility.


Lesson 5:

Delegating Administrative Control of Group Policy

In a distributed environment, it is common to have different groups delegated to perform different administrative tasks. Group Policy management is one of the administrative tasks that you can delegate.


Options for Delegating Control of GPOs

Key Points
Delegation allows the administrative workload to be distributed across the enterprise. One group could be tasked with creating and editing GPOs, while another group performs reporting and analysis duties. A separate group might be in charge of WMI filters. The following Group Policy tasks can be independently delegated:

Creating GPOs
Editing GPOs
Managing Group Policy links for a site, domain, or OU
Performing Group Policy Modeling analyses on a given domain or OU
Reading Group Policy Results data for objects in a given domain or OU
Creating WMI filters in a domain


The Group Policy Creator Owners group lets its members create new GPOs, and edit or delete GPOs that they have created. Question: List one of the benefits of the administrator delegating rights to create new Group Policies.


Demonstration: How to Delegate Administrative Control of GPOs

Key Points
• Use the Delegation of Control Wizard to delegate to a user the right to link existing GPOs and to use the Group Policy reporting tools.
• Use the GPMC to delegate to a different user the right to create GPOs.
• Use the GPMC to delegate to a user the right to edit the desktop policy.

Question: A user located in a different domain in your forest needs permission to create GPOs in your domain. What is the best way to accomplish this?


Lab A: Creating and Configuring GPOs

Scenario
Woodgrove Bank has decided to implement Group Policy to manage user desktops and to configure computer security. The organization has already implemented an OU configuration that includes top-level OUs by location, with additional OUs within each location OU for the different departments. User accounts are in the same container as their workstation computer accounts. Server computer accounts are spread throughout various OUs.
Note: Some of the tasks in this lab are designed to illustrate GPO management techniques and settings and may not always follow best practices.

Group Policy Requirements


• Domain users will not have access to the Run menu. The policy will apply to all users except users in the IT Admin OU.
• Executives will not have access to the desktop display settings.
• The NYC, Miami and Toronto branch users will not have access to the Control Panel. All branch managers will be exempt from this restriction.
• All domain computers will have a mandatory baseline security policy applied that does not display the name of the last logged on user.
• Computers running Windows Vista or Windows XP will have additional settings applied to wait for the network at startup.
• Users in the administrators group will have the URL for Microsoft support added to their Favorites.
• Kiosk computers in the branch offices will have Loopback processing enabled.

Exercise 1: Creating and Configuring Group Policy Objects


You will create and link the GPOs that the enterprise administrator's design specifies. Tasks include modifying the default domain policy, and creating policy settings linked to specific OUs and sites. The main tasks are as follows:
1. Start and log on to NYC-DC1.
2. Create the GPOs.
3. Configure the GPOs.
4. Link the GPOs.

Task 1: Start the virtual machines and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.


Task 2: Create the group policy settings


Use the GPMC to perform the following:
• Create a GPO named Restrict Control Panel.
• Create a GPO named Restrict Desktop Display.
• Create a GPO named Restrict Run Command.
• Create a GPO named Baseline Security.
• Create a GPO named Vista and XP Security.
• Create a GPO named Admin Favorites.
• Create a GPO named Kiosk Computer Security.

Task 3: Configure the policy settings


1. Edit the Baseline Security GPO (Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name) so that the name of the last logged on user is not displayed.
2. Edit the Admin Favorites GPO (User Configuration\Policies\Windows Settings\Internet Explorer Maintenance\URLs\Favorites and Links) to include the URL for Microsoft tech support (http://support.microsoft.com) in the Internet Favorites.
3. Edit the Restrict Desktop Display GPO (User Configuration\Policies\Administrative Templates\Control Panel\Display\Remove Display in Control Panel) to prevent access to the desktop display settings.
4. Edit the Kiosk Computer Security GPO (Computer Configuration\Policies\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode) to use loopback processing, and to hide and disable all items on the desktop for the logged on user.
5. Edit the Restrict Control Panel GPO (User Configuration\Policies\Administrative Templates\Control Panel\Prohibit access to the Control Panel) to prevent user access to Control Panel.
6. Edit the Restrict Run Command GPO (User Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Remove Run menu from Start Menu) to prevent access to the Run menu.
7. Edit the Vista and XP Security GPO (Computer Configuration\Policies\Administrative Templates\System\Logon\Always wait for the network at computer startup and logon) to ensure that computers wait for the network at startup.

Task 4: Link the GPOs to the appropriate containers


Use the GPMC to perform the following:
• Link the Restrict Run Command GPO to the domain container.
• Link the Baseline Security GPO to the domain container.
• Link the Vista and XP Security GPO to the domain container.
• Link the Kiosk Computer Security GPO to the domain container.
• Link the Admin Favorites GPO to the ITAdmins OU.
• Link the Restrict Control Panel GPO to the NYC, Miami and Toronto OUs.
• Link the Restrict Desktop Display GPO to the Executive OU.

Result: At the end of this exercise, you will have created and configured GPOs.


Exercise 2: Managing the Scope of GPO Application


In this exercise, you will configure the scope of GPO settings based on the enterprise administrator's design. Tasks include disabling portions of GPOs, blocking and enforcing inheritance, and applying filtering based on security groups and WMI filters. The main tasks are as follows:
1. Configure Group Policy management for the domain container.
2. Configure Group Policy management for the IT Admin OU.
3. Configure Group Policy management for the branch OUs.
4. Create and apply a WMI filter for the Vista and XP Security GPO.

Task 1: Configure Group Policy management for the domain container


1. Configure the Baseline Security link to be Enforced, and disable the User Configuration settings of the GPO.
2. Configure the Vista and XP Security link to be Enforced.
3. Use security group filtering to configure the Kiosk Computer Security GPO to apply only to the Kiosk Computers global group.

Task 2: Configure Group Policy management for the IT Admin OU


Block inheritance at the IT Admin OU, to exempt the ITAdmins users from the Restrict Run Command GPO.


Task 3: Configure Group Policy management for the branch OUs


Use security group filtering to configure the Restrict Control Panel GPO to deny the Apply Group Policy permission to the following groups:
• Mia_BranchManagersGG
• NYC_BranchManagersGG
• Tor_BranchManagersGG

Task 4: Create and apply a WMI filter for the Vista and XP Security GPO
1. Open GPMC and create a new WMI filter in the domain.
2. In the WMI Query box, write a query against Win32_OperatingSystem that matches only computers running Windows XP or Windows Vista. WMI filters are evaluated on the computer that processes the GPO, so the query describes the computer's operating system, not the user.
3. Apply the filter to the Vista and XP Security GPO by selecting it under WMI Filtering on the GPO's Scope tab.

Result: At the end of this exercise, you will have configured the scope of GPO settings.
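GPMC only checks the syntax of a WMI filter; whether it matches the machines you intend is something to test on a client before the filter is attached. The following PowerShell script is an added example, not part of the course: it runs the same WQL that the Vista and XP Security filter from Task 4 would use against the local computer (or one named with -ComputerName) and reports whether the GPO would apply. The query text is the assumption here; the course does not give the exact query.

```powershell
# Added example, not course code: test the WQL for a GPO WMI filter locally.
# Win32_OperatingSystem.Version is "5.1.x" on Windows XP (32-bit) and "6.0.x" on
# Windows Vista, but "6.0.x" is also Windows Server 2008, so the filter is limited to
# workstations with ProductType = 1 (2 = domain controller, 3 = member server).
# Windows XP Professional x64 reports 5.2 and would need its own clause.
$WmiFilterQuery = 'SELECT * FROM Win32_OperatingSystem WHERE (Version LIKE "5.1%" OR Version LIKE "6.0%") AND ProductType = 1'

function Test-GpoWmiFilter {
    param(
        [Parameter(Mandatory = $true)][string]$Query,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # A GPO WMI filter is evaluated on the target computer in root\CIMv2.
    # Get-WmiObject -Query runs the same WQL; an empty result set is what the
    # Group Policy client treats as FALSE, and the GPO is then skipped.
    $result = Get-WmiObject -Namespace 'root\CIMv2' -Query $Query `
                            -ComputerName $ComputerName -ErrorAction Stop
    return [bool]$result
}

$os = Get-WmiObject -Class Win32_OperatingSystem
'{0} reports Version={1} ProductType={2}' -f $env:COMPUTERNAME, $os.Version, $os.ProductType
if (Test-GpoWmiFilter -Query $WmiFilterQuery) {
    'Filter matches: the Vista and XP Security GPO would apply to this computer.'
} else {
    'Filter does not match: the GPO would be skipped on this computer.'
}
```

Run it on NYC-CL1 (expected: matches) and on NYC-DC1 (expected: no match, because the domain controller is a 6.0 system with ProductType 2); without the ProductType clause the domain controller would match as well and receive the workstation settings.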


Lab B: Verifying and Managing GPOs

Scenario
The enterprise administrator has created a GPO deployment plan. You have been asked to create GPOs so that certain policies can be applied to all domain objects. Some policies are considered mandatory. You also want to create policy settings that will apply only to subsets of the domain's objects, and you want to have separate policies for computer settings and user settings. You must delegate GPO administration to administrators within each company location.
Note: Some of the tasks in this lab are designed to illustrate GPO management techniques and settings and may not always follow best practices.


Group Policy Requirements


• Domain users will not have access to the Run menu. The policy will apply to all users except users in the IT Admin OU.
• Executives will not have access to the desktop display settings.
• The NYC, Miami and Toronto branch users will not have access to the Control Panel. All branch managers will be exempt from this restriction.
• All domain computers will have a mandatory baseline security policy applied that does not display the name of the last logged on user.
• Computers running Windows Vista or Windows XP will have additional settings applied to wait for the network at startup.
• Users in the administrators group will have the URL for Microsoft support added to their Favorites.
• Kiosk computers in the branch offices will have Loopback processing enabled.

Exercise 1: Verifying GPO Application


In this exercise, you will test the application of GPOs to ensure that the GPOs are being applied as the design specifies. Students will log on as specific users, and also use Group Policy Modeling and Resultant Set of Policy (RSoP) to verify that GPOs are being applied correctly. The main tasks are as follows:
1. Start NYC-CL1.
2. Verify that a Miami branch user is receiving the correct policy.
3. Verify that a Miami branch manager is receiving the correct policy.
4. Verify that a user in the IT Admin OU is receiving the correct policy.
5. Verify that a user in the Executive OU is receiving the correct policy.
6. Verify that the last logged on user name does not appear.
7. Use Group Policy Modeling to test kiosk computer settings.


Task 1: Start NYC-CL1


Log on to NYC-CL1 as WOODGROVEBANK\Anton with the password Pa$$w0rd.

Task 2: Verify that a Miami branch user is receiving the correct policy
1. Ensure that there is no link to the Run menu in the Accessories folder on the Start menu.
2. Ensure that there is no link to Control Panel on the Start menu.
3. Log off.

Task 3: Verify that a Miami Branch Manager is receiving the correct policy
1. Log on to NYC-CL1 as WOODGROVEBANK\Roya with the password Pa$$w0rd.
2. Ensure that there is no link to the Run menu in the Accessories folder on the Start menu.
3. Ensure that a link to Control Panel appears on the Start menu.
4. Log off.

Task 4: Verify that a user in the IT Admin OU is receiving the correct policy
1. Log on to NYC-CL1 as WOODGROVEBANK\Betsy with the password Pa$$w0rd.
2. Ensure that a link to the Run menu appears in the Accessories folder on the Start menu.
3. Ensure that a link to Control Panel appears on the Start menu.
4. Launch Internet Explorer, open the Favorites pane, and then ensure that the link to Tech Support appears.
5. Log off.


Task 5: Verify that a user in the Executive OU is receiving the correct policy
1. Log on to NYC-CL1 as Chase with the password Pa$$w0rd.
2. Ensure that there is no link to the Run menu in the Accessories folder on the Start menu.
3. Ensure that a link to Control Panel appears on the Start menu.
4. Ensure that there is no access to the desktop display settings.
Hint: When you attempt to access the display settings, you will receive a message informing you that this has been disabled.
5. Log off.

Task 6: Verify that the last logged on user name does not appear
On the NYC-CL1 logon screen, verify that the name of the last logged on user does not appear.

Task 7: Use Group Policy modeling to test kiosk computer settings


1. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
2. Launch the GPMC, right-click the Group Policy Modeling folder, click Group Policy Modeling Wizard, and then click Next twice.
3. On the User and Computer Selection screen, click Computer, enter Woodgrovebank\NYC-CL1, and then click Next three times.
4. On the Computer Security Groups screen, click Add.
5. In the Select Groups dialog box, type Kiosk Computers, click OK, and then click Next.
6. On the WMI Filters for Computers screen, click Next twice, click Finish, and then view the report.

Result: At the end of this exercise, you will have tested and verified a GPO application.


Exercise 2: Managing GPOs


In this exercise, you will use the GPMC to back up, restore, and import GPOs. The main tasks are as follows:
1. Back up an individual policy.
2. Back up all GPOs.
3. Delete and restore an individual GPO.
4. Import a GPO.

Task 1: Backup an individual policy


1. Create a folder named C:\GPOBackup.
2. In the GPMC, open the Group Policy Objects folder.
3. Right-click the Restrict Control Panel policy, and then click Back Up.
4. Browse to C:\GPOBackup.
5. Click Back Up, and then click OK after the backup succeeds.

Task 2: Back up all GPOs


1. Right-click the Group Policy Objects folder, and then click Back Up All.
2. Ensure that C:\GPOBackup is the backup location, start the backup, and then click OK after the backup succeeds.

Task 3: Delete and restore an individual GPO


1. Right-click the Admin Favorites policy, and then click Delete. Click Yes, and then click OK when the deletion succeeds.
2. Right-click the Group Policy Objects folder, and then click Manage Backups.
3. Restore the Admin Favorites GPO.
4. Confirm that the Admin Favorites policy appears in the Group Policy Objects folder.


Task 4: Import a GPO


1. Create a new GPO named Import in the Group Policy Objects folder.
2. Right-click the Import GPO, and then click Import Settings.
3. In the Import Settings Wizard, click Next.
4. On the Backup GPO page, click Next.
5. Ensure that the backup folder location is C:\GPOBackup.
6. On the Source GPO page, click Restrict Control Panel, and then click Next.
7. Finish the Import Settings Wizard.
8. Click the Import GPO, click the Settings tab, and then ensure that the Prohibit access to the Control Panel setting is Enabled.

Result: At the end of this exercise, you will have backed up, restored, and imported GPOs.


Exercise 3: Delegating Administrative Control of GPOs


In this exercise, you will delegate administrative control of GPOs based on the enterprise administrator's design. Tasks include configuring permissions to create, edit and link GPOs. You will then test the permissions configuration. The main tasks are as follows:
1. Grant Betsy the right to create GPOs in the domain.
2. Delegate the right to edit the Import GPO to Betsy.
3. Delegate the right to link GPOs to the Executives OU to Betsy.
4. Enable Domain Users to log on to domain controllers.
5. Test the delegation.
6. Close all virtual machines and discard undo disks.

Task 1: Grant Betsy the right to create GPOs in the domain


1. Select the Group Policy Objects folder, click the Delegation tab, and then click Add.
2. In the Select Users dialog box, type Betsy in the Object name field, and then click OK.

Task 2: Delegate the right to edit the Import GPO to Betsy


1. In the Group Policy Objects folder, select the Import GPO, click the Delegation tab, and then click Add.
2. In the Select Users dialog box, type Betsy in the Object name field, and then click OK.
3. In the Add Group or User dialog box, select Edit Settings from the drop-down list, and then click OK.


Task 3: Delegate the right to link GPOs to the Executives OU to Betsy


1. Select the Executives OU, click the Delegation tab, and then click Add.
2. In the Select Users dialog box, type Betsy in the Object name field, and then click OK.
3. In the Add Group or User dialog box, select This container only, and then click OK.

Task 4: Enable Domain Users to log on to domain controllers


Note: This step is included in the lab to enable you to test the delegated permissions. As a best practice, you should install the administration tools on a Windows workstation rather than enable Domain Users to log on to domain controllers.

1. On NYC-DC1, start Group Policy Management, and then edit the Default Domain Controllers Policy.
2. In the Group Policy Management Editor window, access the User Rights Assignment folder (Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment).
3. Double-click Allow log on locally.
4. In the Allow log on locally Properties dialog box, click Add User or Group, and then grant the Domain Users group the log on locally right.
5. Open a command prompt, type GPUpdate /force, and then press ENTER.

Task 5: Test the delegation


1. Log on to NYC-CL1 as Betsy.
2. Create a Group Policy Management Console.
3. Right-click the Group Policy Objects folder, and then click New.
4. Create a new policy named Test. This operation will succeed.
5. Right-click the Import GPO, and then click Edit. This operation will succeed.
6. Right-click the Executives OU, and link the Test GPO to it. This operation will succeed.
7. Right-click the Admin Favorites policy, and attempt to edit it. This operation is not possible, because Betsy has edit rights only on the Import GPO and on the GPOs that she created herself.
8. Close the GPMC.

Task 6: Close all virtual machines, and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.

Result: At the end of this exercise, you will have delegated administrative control of GPOs and tested the delegation.
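The three delegations in this exercise (create, edit one GPO, link to one OU) live in three different places: group membership, the GPO's own ACL, and the OU's ACL. The following PowerShell script is an added example, not course material, that scripts the same delegation described in Lesson 5 and applied in Tasks 1 to 3 above, then audits the whole domain for GPO edit rights held by anyone outside an approved set. It requires the GroupPolicy and ActiveDirectory PowerShell modules (Windows Server 2008 R2 or RSAT, so later than the Windows Server 2008 GPMC the lab uses) and dsacls.exe. The domain, user, GPO and OU names come from the lab; the OU distinguished name and a single-domain forest (so that Enterprise Admins is in this domain) are assumptions.

```powershell
# Added example, not part of the course material. Requires the GroupPolicy and
# ActiveDirectory modules (Windows Server 2008 R2 / RSAT or later) and dsacls.exe.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain   = 'WoodgroveBank.com'
$NetBios  = 'WOODGROVEBANK'
$Delegate = 'Betsy'                                   # sAMAccountName from the lab
$EditGpo  = 'Import'                                  # GPO created in Lab B Exercise 2
$LinkOu   = 'OU=Executives,DC=WoodgroveBank,DC=com'   # assumed DN of the Executives OU

# Task 1 equivalent: the right to create GPOs is membership in Group Policy Creator
# Owners. It gives no rights over GPOs that anyone else created.
Add-ADGroupMember -Identity 'Group Policy Creator Owners' -Members $Delegate

# Task 2 equivalent: edit rights on one GPO only. GpoEdit is read plus write of the
# settings; it does not allow deleting the GPO or changing its security.
Set-GPPermission -Domain $Domain -Name $EditGpo -TargetName $Delegate `
                 -TargetType User -PermissionLevel GpoEdit | Out-Null

# Task 3 equivalent: link management is a permission on the container, not on the
# GPO: read/write of the OU's gPLink and gPOptions attributes. No /I switch, so the
# grant covers this container only, as in the lab.
& dsacls $LinkOu /G "${NetBios}\${Delegate}:RPWP;gPLink"    | Out-Null
& dsacls $LinkOu /G "${NetBios}\${Delegate}:RPWP;gPOptions" | Out-Null

function Get-UnapprovedGpoEditors {
    # Lists every trustee that can edit any GPO in the domain and is not one of the
    # approved SIDs. Matching on SIDs rather than names, so a renamed account cannot
    # hide. Review GPOs linked at the domain and Domain Controllers level first:
    # edit rights there are equivalent to Domain Admin.
    param([string]$Domain)
    $domainSid = (Get-ADDomain -Identity $Domain).DomainSID.Value
    $approved  = @('S-1-5-18',          # SYSTEM
                   'S-1-5-32-544',      # BUILTIN\Administrators
                   "$domainSid-512",    # Domain Admins
                   "$domainSid-519")    # Enterprise Admins (assumes forest root domain)
    $editLevels = @('GpoEdit', 'GpoEditDeleteModifySecurity')
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        foreach ($p in Get-GPPermission -Guid $gpo.Id -All -Domain $Domain) {
            if ($editLevels -contains $p.Permission.ToString() -and
                $approved -notcontains $p.Trustee.Sid.Value) {
                New-Object PSObject -Property @{
                    Gpo        = $gpo.DisplayName
                    Trustee    = '{0}\{1}' -f $p.Trustee.Domain, $p.Trustee.Name
                    Permission = $p.Permission
                }
            }
        }
    }
}

# Expected after the steps above: Betsy on "Import" (GpoEdit), plus full rights on any
# GPO she creates from now on, because creators own what they create.
Get-UnapprovedGpoEditors -Domain $Domain | Sort-Object Gpo |
    Format-Table Gpo, Trustee, Permission -AutoSize
```

Anything the audit lists beyond the delegations you made deliberately is worth a second look, particularly on GPOs linked at the domain root, where an edit right lets the holder push a startup script or a Restricted Groups change to every domain controller.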


Module Review and Takeaways

Considerations
Keep the following considerations in mind when creating and configuring Group Policy:
• Create multiple local Group Policy objects when necessary.
• Upgrade and replace ADM files, or use ADMX and ADML files, for better extensibility.
• Use the different methods of controlling Group Policy application: inheritance, filtering, and enforcement.
• Use the correct Group Policy tools and reporting to simplify Group Policy maintenance.


Review Questions
1. You want to force the application of certain Group Policy settings across a slow link. What can you do?
2. You need to ensure that a domain level policy is enforced, but the Managers global group needs to be exempt from the policy. How would you accomplish this?
3. You want all GPOs that contain user settings to have certain Administrative Templates enabled. You need to be able to send those policy settings to other administrators in the enterprise. What is the best approach?
4. You want to control access to removable storage devices on all client workstations through Group Policy. Can you use Group Policy to do this?


Module 7
Configure User and Computer Environments By Using Group Policy
Contents:
Lesson 1: Configuring Group Policy Settings 7-3
Lesson 2: Configuring Scripts and Folder Redirection Using Group Policy 7-7
Lab A: Configuring Logon Scripts and Folder Redirection Using Group Policy 7-13
Lesson 3: Configuring Administrative Templates 7-17
Lab B: Configuring Administrative Templates 7-23
Lesson 4: Deploying Software Using Group Policy 7-28
Lab C: Deploying Software with Group Policy 7-36
Lesson 5: Configuring Group Policy Preferences 7-39
Lab D: Configuring Group Policy Preferences 7-44
Lesson 6: Introduction to Group Policy Troubleshooting 7-48
Lesson 7: Troubleshooting Group Policy Application 7-55
Lesson 8: Troubleshooting Group Policy Settings 7-67
Lab E: Troubleshooting Group Policy Issues 7-71


Module Overview

This module introduces the job function of configuring the user environment by using Group Policy. Specifically, this module provides the skills and knowledge that you need to use Group Policy to configure Folder Redirection and to deploy scripts. You also will learn how Administrative Templates affect Microsoft Windows Vista and Windows Server 2008, and how to deploy software by using Group Policy. This module also describes troubleshooting procedures for Group Policy processing on users and computers. The issues covered include incorrect or incomplete policy settings, and policies that are not applied to the computer or user at all. You will learn the knowledge and skills necessary for troubleshooting these issues.


Lesson 1

Configuring Group Policy Settings

Group Policy can deliver many different types of settings. Some settings are simply a matter of turning them on, while others are more complex to configure. In addition, Group Policy can be used to deploy software to some or all users in an organization. Using Group Policy to deploy software can reduce the effort required to keep computers up to date with required software. This lesson describes how to configure the various Group Policy settings.


Options for Configuring Group Policy Settings

Key Points
For a Group Policy setting to have an effect, you must configure it. Most Group Policy settings have three states:
• Enabled: For example, to prevent access to Control Panel, you would enable the policy setting Prohibit access to the Control Panel.
• Disabled: For example, if you disable Prohibit access to the Control Panel at the child container level, you explicitly allow access to Control Panel, overriding an Enabled setting inherited from a parent container.
• Not Configured: A Group Policy setting that is set to Not Configured means that the normal default behavior applies, and that particular GPO has no effect on that setting.


You also must configure values for some Group Policy settings. For example, to configure Restricted Groups you must provide values for the groups and their members.

Question: A domain level policy restricts access to the Control Panel. You want the users in the Admin organizational unit (OU) to have access to the Control Panel, but you do not want to block inheritance. How could you accomplish this?


Demonstration: Configuring Group Policy Settings Using the Group Policy Editor

Key Points
Create and link a GPO to configure Windows Update settings. Log on to client computer and test results.

Question: How could you prevent a lower-level policy from reversing the setting of a higher-level policy?


Lesson 2

Configuring Scripts and Folder Redirection Using Group Policy

Windows Server 2008 enables you to use Group Policy to deploy scripts to users and computers. You can also redirect folders that are part of the user's profile from the user's local hard disk to a central server.


What Are Group Policy Scripts?

Key Points
You can use Group Policy scripts to perform any number of tasks. There may be actions that you need performed every time a computer starts or shuts down, or when users log on or off. For example, you can use scripts to:
• Clean up desktops when users log off and shut down computers.
• Delete the contents of temporary directories.
• Map drives or printers.
• Set environment variables.

For many of these settings, using Group Policy Preferences is a better alternative to configuring them in Microsoft Windows images or using logon scripts. Group Policy Preferences is covered in more detail later in this module. Question: You keep logon scripts in a shared folder on the network. How could you ensure that the scripts will always be available to users from all locations?


Demonstration: Configuring Scripts with Group Policy

Key Points
• Create a logon script that uses the command net use t: \\nyc-dc1\data.
• Create and link a GPO that assigns the logon script you just created.
• Log on to the client computer and test the results.

Question: What other method could you use to assign logon scripts to users?


What Is Folder Redirection?

Key Points
Folder Redirection makes it easier for you to manage and back up data. By redirecting folders, you can ensure that users have access to their data regardless of the computer to which they log on. When you redirect a folder, you change the folder's storage location from the local hard disk of the user's computer to a shared folder on a network file server. After you redirect a folder to a file server, it still appears to the user as if it were stored on the local hard disk.

Question: List some disadvantages of folder redirection.


Folder Redirection Configuration Options

Key Points
There are three available settings for Folder Redirection: none, basic, and advanced. Basic redirection sends everyone's folder to the same root location; it suits users who must redirect their folders to a common area and, because each user receives a private subfolder under that root by default, users whose data must remain private. Advanced redirection allows you to specify different network locations for different Active Directory security groups.

Question: Users in the same department often log on to different computers. They need access to their My Documents folder. They also need the data to be private. What folder redirection setting would you choose?


Security Settings for Redirected Folders

Key Points
While you must manually create the shared network folder in which to store the redirected folders, Folder Redirection can create each user's redirected folder for you. When you use this option, the correct permissions are set automatically. If you create the folders manually, you must know and apply the correct permissions yourself.

Question: What steps could you take to protect the data while it is in transit between the client and the server?
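The permissions on the share root are what keep one executive from reading another's redirected Documents folder: the group may only create a subfolder there, and CREATOR OWNER then makes whoever created the subfolder its sole owner. The following PowerShell script is an added example, not course code, that applies exactly the NTFS permissions described above and in Lab A Task 4 (no Everyone, SYSTEM and CREATOR OWNER with Full Control, the group limited to List Folder/Read Data and Create Folders/Append Data on this folder only), creates the share, and then checks the result. The path, share name and group name are the lab's; treat them as assumptions for any other environment.

```powershell
# Added example, not from the course: prepare a Folder Redirection share root with
# least-privilege NTFS permissions and verify them. Path, share and group names are
# the Lab A values and are assumptions elsewhere.
$Root      = 'E:\Mod07\Labfiles\ExecData'
$ShareName = 'ExecData'
$UserGroup = 'WOODGROVEBANK\Executives_WoodgroveGG'

function Set-RedirectionRootAcl {
    param([string]$Path, [string]$Group)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -ItemType Directory | Out-Null }

    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent without copying the inherited ACEs, then drop
    # every explicit ACE that is left, so the folder starts from an empty DACL.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    $subtree   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $thisOnly  = [System.Security.AccessControl.InheritanceFlags]::None
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $belowOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $allow     = [System.Security.AccessControl.AccessControlType]::Allow

    # SYSTEM: Full Control on this folder, subfolders and files.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM', 'FullControl', $subtree, $propagate, $allow)))
    # CREATOR OWNER: Full Control on subfolders and files only. The user who creates
    # a subfolder owns it; nobody else in the group gets an ACE on it.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'CREATOR OWNER', 'FullControl', $subtree, $belowOnly, $allow)))
    # The redirected group: List Folder/Read Data plus Create Folders/Append Data,
    # this folder only. Enough to create %USERNAME% at first logon, not enough to
    # browse into other users' folders.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'ReadData, CreateDirectories', $thisOnly, $propagate, $allow)))

    Set-Acl -Path $Path -AclObject $acl
}

function Test-RedirectionRootAcl {
    # Returns the ACEs that should not be there: anything for Everyone or
    # Authenticated Users, or anything still inherited from the parent folder.
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.IsInherited -or
        $_.IdentityReference -match '^(Everyone|NT AUTHORITY\\Authenticated Users)$'
    }
}

Set-RedirectionRootAcl -Path $Root -Group $UserGroup

# Share permissions: Full Control for the group on the share; NTFS does the real
# restriction. net share /GRANT exists on Windows Vista / Server 2008 and later.
if (-not (Get-WmiObject -Class Win32_Share -Filter "Name='$ShareName'")) {
    & net share "$ShareName=$Root" "/GRANT:$UserGroup,FULL" | Out-Null
}

$leftovers = @(Test-RedirectionRootAcl -Path $Root)
if ($leftovers.Count -eq 0) {
    "ACL on $Root is as expected."
} else {
    "Unexpected ACEs on ${Root}:"
    $leftovers | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```

After an executive such as Tony has logged on once, \\NYC-DC1\ExecData\Tony exists with Tony as owner; running the script again reports no leftovers, and a second executive who tries to open that subfolder is denied, which is the behaviour the lab's permission list is designed to produce.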


Lab A: Configuring Logon Scripts and Folder Redirection Using Group Policy

Exercise 1: Configure Logon Scripts and Folder Redirection


Scenario
Woodgrove Bank has decided to implement Group Policy to manage user desktops. The organization has already implemented an organizational unit (OU) configuration that includes top-level OUs grouped by location, with additional OUs within each location for the different departments. You have been tasked with creating a script that maps a network drive to the shared folder named Data on NYC-DC1. You will then use Group Policy to assign the script to all users in the Toronto, Miami, and NYC OUs. The script needs to be stored in a highly available location. You also will set permissions to share and secure a folder on NYC-DC1. The Documents folder of every member of the Executive OU will be redirected there.


The main tasks for this exercise are:
1. Start the 6419A-NYC-DC1 virtual machine and log on.
2. Review the logon script to map a network drive.
3. Configure and link the Logon Script GPO.
4. Share and secure a folder for the Executives group.
5. Redirect the Documents folder for the Executives group.
6. Start the 6419A-NYC-CL1 virtual machine, and then log on as WOODGROVEBANK\Tony.
7. Observe the applied settings while logged on as a user in the Executives OU.

Task 1: Start the 6419A-NYC-DC1 virtual machine and log on as WOODGROVEBANK\Administrator


Start NYC-DC1, and then log on as WOODGROVEBANK\Administrator using the password Pa$$w0rd.

Task 2: Review the logon script to map a network drive


1. On NYC-DC1, browse to E:\Mod07\LabFiles\Scripts.
2. Review the Map.bat script, and then copy it to the clipboard.

Task 3: Configure and link the Logon Script GPO


1. Open Group Policy Management, and then create a new GPO named Logon Script, linked to the WoodgroveBank.com domain.
2. Configure the Logon Script GPO with the following settings:
   • Under User Configuration, Policies, Windows Settings, Scripts (Logon/Logoff), double-click Logon.
   • Click Show Files, paste the Map.bat script that you copied in Task 2 into the GPO's scripts folder, and then add it to the list of logon scripts.


Task 4: Share and secure a folder for the Executives group


1. In Windows Explorer, browse to E:\Mod07\Labfiles.
2. Share the ExecData folder and set the following permissions:
   • Remove the Everyone group.
   • Add the Executives_WoodgroveGG group with Full Control.
   • On the Security tab, click Advanced.
   • Remove all users and groups except CREATOR OWNER and SYSTEM.
   • Add the Executives_WoodgroveGG group and apply the settings to this folder only.
   • For Executives_WoodgroveGG, allow the List folder / read data and Create folders / append data permissions.

Task 5: Redirect the Documents folder for the Executives group


1. In the Group Policy Management window, create a new GPO named Executive Redirection, linked to the Executives OU.
2. Configure the Executive Redirection GPO with the following settings:
   • Under User Configuration, Policies, Windows Settings, Folder Redirection, modify Documents.
   • Select the Basic - Redirect everyone's folder to the same location option.
   • In the Root Path field, type \\NYC-DC1\ExecData.


Task 6: Start the 6419A-NYC-CL1 virtual machine, and then log on as WOODGROVEBANK\Tony
Start NYC-CL1, and then log on as WOODGROVEBANK\Tony using the password Pa$$w0rd.

Task 7: Observe the applied settings while logged on as a user in the Executives OU
1. Verify that the J: drive is mapped to the Data share on NYC-DC1.
2. In Documents Properties, verify that the location is \\NYC-DC1\ExecData\Tony.
Result: At the end of this exercise, you will have configured logon scripts and folder redirection.


Lesson 3

Configuring Administrative Templates

The Administrative Template files provide the majority of available policy settings, which are designed to modify specific registry keys. This is known as registry-based policy. For many applications, the use of registry-based policy that the Administrative Template files deliver is the simplest and best way to support centralized management of policy settings. In this lesson, you will learn how to configure Administrative Templates.


What Are Administrative Templates?

Key Points
Administrative Templates allow you to control the operating system environment and the user experience. There are two sets of Administrative Templates: one for users and one for computers. Administrative Templates are the primary means of configuring client computers' registry settings through Group Policy; they are a repository of registry-based changes. By using the Administrative Templates sections of a GPO, you can deploy hundreds of modifications to the computer portion of the registry (the HKEY_LOCAL_MACHINE hive) and the user portion (the HKEY_CURRENT_USER hive). The settings in the built-in templates are written to the policy keys (Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies under each hive), which standard users cannot modify and which are cleaned up when the GPO no longer applies; this is what makes an Administrative Templates policy setting enforced rather than merely preferred.

Question: What sections of the Administrative Templates will you find most useful in your environment?


Demonstration: Configuring Administrative Templates

Key Points
On NYC-DC1, edit the Demo GPO. Under Computer Configuration, under Internet Explorer, disable the ability to delete browsing history. Under User Configuration, hide the Screen Saver tab. On NYC-CL1, log on as WOODGROVEBANK\Administrator and then review the settings.

Question: You need to ensure that Windows Messenger is never allowed to run on a particular computer. How could you use Administrative Templates to implement this?


Modifying Administrative Templates

Key Points
Because ADMX files are XML-based, you can use any text editor to create or edit them; XML-aware programs such as Microsoft Visual Studio validate the structure as you type. An ADMX file is paired with a language-specific ADML file that holds its display strings and lives in a language subfolder such as en-US. Once you have a valid ADMX/ADML pair, place it in the local %SystemRoot%\PolicyDefinitions folder or, if one exists, in the Central Store (\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions). Template files only describe settings to the Group Policy editor; clients apply the registry.pol file stored in the GPO, not the ADMX. Because the Central Store is in SYSVOL, anyone who can write there can change which settings the editor offers and where they point, so keep its permissions restricted to the administrators who manage Group Policy.

Tip: Leave the default ADMX files untouched, and create your own customized versions for custom settings.
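The procedure above, carried through end to end as an added example (not from the course text): a minimal custom ADMX/ADML pair is written, checked for well-formedness, and published to the Central Store. The namespace, category, policy name and registry value (HKLM\SOFTWARE\Policies\WoodgroveBank, ReportsAuditing) are hypothetical, standing in for a value some in-house tool would read; the store path is derived from the logged-on user's domain, and the script assumes it runs as a user who can write to SYSVOL (Domain Admins by default).

```powershell
# Added example, not from the course text: write a minimal custom ADMX/ADML
# pair, check that both parse as XML, and publish them to the Central Store.
# Assumptions: the namespace, category, policy name and registry value
# (HKLM\SOFTWARE\Policies\WoodgroveBank, ReportsAuditing) are hypothetical;
# run as a user who can write to SYSVOL (Domain Admins by default).

$admx = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="woodgrove" namespace="WoodgroveBank.Policies.Custom" />
    <using  prefix="windows"   namespace="Microsoft.Policies.Windows" />
  </policyNamespaces>
  <resources minRequiredRevision="1.0" />
  <categories>
    <category name="Woodgrove" displayName="$(string.Woodgrove)" />
  </categories>
  <policies>
    <!-- class="Machine" places the setting under Computer Configuration; key is
         relative to HKLM. Using SOFTWARE\Policies makes it a true policy: users
         cannot write to that key and it is removed when the GPO no longer applies. -->
    <policy name="ReportsAuditing" class="Machine"
            displayName="$(string.ReportsAuditing)" explainText="$(string.ReportsAuditing_Help)"
            key="SOFTWARE\Policies\WoodgroveBank" valueName="ReportsAuditing">
      <parentCategory ref="Woodgrove" />
      <supportedOn ref="windows:SUPPORTED_WindowsVista" />
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
  </policies>
</policyDefinitions>
'@

$adml = @'
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <displayName>Woodgrove Bank custom settings</displayName>
  <description>Settings read by Woodgrove Bank in-house tools</description>
  <resources>
    <stringTable>
      <string id="Woodgrove">Woodgrove Bank</string>
      <string id="ReportsAuditing">Audit use of the reporting tool</string>
      <string id="ReportsAuditing_Help">Enabled: the reporting tool writes an audit record for every report it opens. Disabled or Not Configured: no audit records are written.</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
'@

# Fail here rather than in the editor: one malformed file in the store breaks
# loading of the whole template set for every administrator.
$null = [xml]$admx
$null = [xml]$adml

$domain = $env:USERDNSDOMAIN
$store  = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

# Creating this folder is what switches the editor to the Central Store, and from
# then on it reads templates only from there; seed it with the inbox templates so
# the built-in settings do not disappear from the editor.
if (-not (Test-Path -Path "$store\Windows.admx")) {
    New-Item -ItemType Directory -Path $store -Force | Out-Null
    Copy-Item -Path "$env:SystemRoot\PolicyDefinitions\*" -Destination $store -Recurse -Force
}
New-Item -ItemType Directory -Path "$store\en-US" -Force | Out-Null
Set-Content -Path "$store\WoodgroveBank.admx"       -Value $admx -Encoding UTF8
Set-Content -Path "$store\en-US\WoodgroveBank.adml" -Value $adml -Encoding UTF8

# Who can change what administrators see in the editor? Every principal listed
# here can add, hide or re-point settings in the store (numeric rights are
# generic rights on inherit-only entries); review the list.
(Get-Acl -Path $store).Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl|^-?\d+$' } |
    Select-Object IdentityReference, FileSystemRights
```

After the copy, close and reopen the Group Policy Management Editor; the new category appears under Computer Configuration, Policies, Administrative Templates once the files are replicated to the domain controller the editor is using. Keeping the custom definitions in their own file, as the tip above recommends, also means a later service pack that replaces the inbox templates cannot silently overwrite them.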


Demonstration: Adding Custom Administrative Templates

Key Points
Add a custom ADM file. Copy sample ADMX files to the central store. Review custom ADMX files.

Question: Can you still use custom ADM files to deliver Group Policy settings in Windows Server 2008?

Question: What are two differences between ADM and ADMX files?


Discussion: Options for Using Administrative Templates

Key Points
You should consider creating a policy setting for the following purposes:
• To help administrators manage and increase the security of their desktop computers.
• To hide or disable a user interface that can lead users into a situation in which they must call the helpdesk for support.
• To hide or disable new behavior that might confuse users. A policy setting created for this purpose allows administrators to manage the introduction of new features until after user training has taken place.
• To hide settings and options that might take up too much of users' time.


Lab B: Configuring Administrative Templates

Exercise 1: Configure Administrative Templates


Scenario
You have been asked to configure several Group Policy settings to control the user environment and make the desktop more secure. You'll also modify the Default Domain Policy to allow remote administration through the firewall, allowing you to run Group Policy Results queries against target computers in the domain. The main tasks for this exercise are:
1. Modify the Default Domain Policy to allow remote administration through the firewall for all domain computers.
2. Create and assign a GPO to prevent the installation of removable devices.
3. Create and assign a GPO to encrypt offline files for executive computers.
4. Create and assign a domain-level GPO for all domain users.
5. Create and assign a policy to limit profile size and turn off Windows Sidebar for branch users.


Task 1: Modify the Default Domain Policy allow remote administration through the firewall for all domain computers
On NYC-DC1, in the Group Policy Management console, configure the Default Domain Policy GPO with the following settings:
   • Under Computer Configuration, Policies, Administrative Templates, Network, Network Connections, Windows Firewall, Domain Profile, enable Windows Firewall: Allow inbound remote administration exception.
   • Under System, Group Policy, enable Group Policy slow link detection and assign a Connection speed value of 800 Kbps.

Note: The remote administration exception opens TCP 135 (RPC endpoint mapper), TCP 445 (SMB) and the dynamic RPC ports on every computer that receives the Default Domain Policy. Outside the lab, fill in the setting's "Allow unsolicited incoming messages from these IP addresses" field with your management subnets instead of leaving it at *, so that only administrative hosts can reach those ports.

Result: At the end of this task, you will have enabled remote administration through the firewall. This allows the Group Policy Results Wizard to query target computers.

Task 2: Create and assign a GPO to prevent the installation of removable devices
1. In the Group Policy Management window, create a new GPO named Prevent Removable Devices, linked to the Miami, NYC, and Toronto OUs.
2. Configure the Prevent Removable Devices GPO with the following setting: under Computer Configuration, Policies, Administrative Templates, System, Device Installation, Device Installation Restrictions, enable Prevent installation of removable devices.

Task 3: Create and assign a GPO to encrypt offline files for executive computers
1. In the Group Policy Management window, create a new GPO named Encrypt Offline Files, linked to the Executives OU.
2. Configure the Encrypt Offline Files GPO with the following setting: under Computer Configuration, Policies, Administrative Templates, Network, Offline Files, enable Encrypt the Offline Files cache.


Task 4: Create and assign a domain-level GPO for all domain users
1. In the Group Policy Management window, create a new GPO named All Users Policy, linked to the WoodgroveBank.com domain.
2. Configure the All Users Policy GPO with the following settings:
   • Under User Configuration, Policies, Administrative Templates, System, enable Prevent access to registry editing tools.
   • Under Start Menu and Taskbar, enable Remove Clock from the system notification area.

Task 5: Create and assign a policy to limit profile size and turn off Windows Sidebar for branch users
1. In the Group Policy Management window, create a new GPO named Branch Users Policy, linked to the Miami, NYC, and Toronto OUs.
2. Configure the Branch Users Policy GPO with the following settings:
   • Under User Configuration, Policies, Administrative Templates, System, User Profiles, enable Limit profile size and assign a Max Profile size of 1000000 KB.
   • Under Windows Components, Windows Sidebar, enable Turn off Windows Sidebar.


Exercise 2: Verify GPO Application


The main tasks for this exercise are:
1. Verify that the settings for Executives have been applied.
2. Log on as a user in a Branch Office and observe the applied settings.
3. Use the Group Policy Results Wizard to review Group Policy application for a target user and computer.

Task 1: Verify that the settings for Executives have been applied
1. On NYC-CL1, log on as WOODGROVEBANK\Tony.

Note: Some user settings are applied only during logon (foreground processing), and are not applied at all when the logon used cached credentials because no domain controller was reachable. These include the roaming user profile path, the Folder Redirection path, and Software Installation settings. If the user is already logged on when these settings are detected, they are not applied until the next time the user logs on.

2. Verify that the Windows Sidebar is not displayed.
3. In the notification area, verify that the clock is not displayed.
4. In the Taskbar Properties, on the Notification Area tab, verify that you do not have the option to display the clock.
5. Verify that you do not have access to registry editing tools.
6. Log off NYC-CL1.

Task 2: Log on as a user in a Branch Office and observe the applied settings
1. On NYC-CL1, log on as WOODGROVEBANK\Roya.
2. Verify that the Windows Sidebar is not displayed.
3. In the notification area, verify that the clock is not displayed.
4. In the notification area, double-click the Available profile space icon and review the information.
5. In Documents Properties, verify that the location is C:\Users\Roya.
6. Verify that you do not have access to registry editing tools.
7. Verify that the J: drive is mapped to the Data share on NYC-DC1.
8. Log off NYC-CL1.
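The two verification tasks above check the settings through the user interface. An added example (not part of the lab) that checks the same Lab B settings by reading the registry values the Administrative Template settings write, which is quicker to repeat and works for settings that have no visible effect: the registry paths and value names below are the ones the corresponding settings write to; they are supplied here and are not stated in the lab text. Run it on NYC-CL1 in the session of the user being checked, because the HKCU values belong to that user's logon while the HKLM values belong to the computer.

```powershell
# Added example, not part of the lab: verify the Lab B settings from the client
# by reading the registry values that the Administrative Template settings write,
# instead of clicking through each dialog. Paths and value names are the ones
# those settings write to; they are supplied here, not by the lab text. Run on
# NYC-CL1 as the user being checked: HKCU values belong to that user's session,
# HKLM values to the computer.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# One row per lab setting. Expect lists the acceptable values: "Prevent access to
# registry editing tools" stores 1, or 2 when "Disable regedit from running
# silently" is also selected; the slow link value is the Kbps figure from Task 1.
$checks = @(
    @{ Setting = 'Prevent access to registry editing tools'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Expect = @(1, 2) }
    @{ Setting = 'Remove Clock from the system notification area'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'HideClock'; Expect = @(1) }
    @{ Setting = 'Turn off Windows Sidebar'
       Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar'; Name = 'TurnOffSidebar'; Expect = @(1) }
    @{ Setting = 'Limit profile size: enabled'
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'EnableProfileQuota'; Expect = @(1) }
    @{ Setting = 'Limit profile size: Max Profile size (KB)'
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'MaxProfileSize'; Expect = @(1000000) }
    @{ Setting = 'Prevent installation of removable devices'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'; Name = 'DenyRemovableDevices'; Expect = @(1) }
    @{ Setting = 'Encrypt the Offline Files cache'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache'; Name = 'EncryptCache'; Expect = @(1) }
    @{ Setting = 'Windows Firewall: Allow inbound remote administration exception'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings'; Name = 'Enabled'; Expect = @(1) }
    @{ Setting = 'Group Policy slow link detection (Kbps)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; Name = 'GroupPolicyMinTransferRate'; Expect = @(800) }
)

function Test-PolicyChecks {
    param([array]$Checks)
    foreach ($c in $Checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
        $state  = if ($null -eq $actual)               { 'NOT SET' }
                  elseif ($c.Expect -contains $actual) { 'OK' }
                  else                                 { "MISMATCH (found $actual)" }
        New-Object PSObject -Property @{
            Hive    = $c.Path.Substring(0, 4)   # HKCU or HKLM
            State   = $state
            Setting = $c.Setting
        }
    }
}

Test-PolicyChecks -Checks $checks | Format-Table Hive, State, Setting -AutoSize
```

A NOT SET on an HKLM row means the computer has not processed the GPO yet (run gpupdate /force, or restart); a NOT SET on an HKCU row for a user whose OU the GPO is linked to means the user side has not refreshed (gpupdate /force, then log off and on). A row that reads OK for a user who should not receive that GPO points at a linking or inheritance problem to investigate with the Group Policy Results Wizard in Task 3. Treat the registry-tools setting as a usability control rather than a security boundary: it stops regedit, but it does not change the user's permissions on the registry keys themselves.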

Task 3: Use the Group Policy Results Wizard to review Group Policy application for a target user and computer
1. On NYC-DC1, in the Group Policy Management window, run the Group Policy Results Wizard against NYC-CL1 for the user Tony.
2. Review the list of applied computer and user GPOs.
   Question: Which GPOs were applied to the computer?
   Question: Which GPOs were applied to the user?
3. On the Settings tab, under Computer Configuration, click Administrative Templates, and then expand each of the settings.
   Question: What settings were delivered to the computer?
4. Under User Configuration, expand each of the settings.
   Question: What settings were delivered to the user?

Result: At the end of this exercise, you will have configured several Administrative Templates policy settings for various OUs in the organization and then verified successful GPO application.


Lesson 4

Deploying Software Using Group Policy

Windows Server 2008 includes a feature called Software Installation and Maintenance that AD DS, Group Policy, and the Microsoft Windows Installer service use to install, maintain, and remove software on your organization's computers.


Options for Deploying and Managing Software Using Group Policy

Key Points
The software life cycle consists of four phases: preparation, deployment, maintenance, and removal. You can apply Group Policy settings to users or computers in a site, domain, or an organizational unit to automatically install, upgrade, or remove software. By applying Group Policy settings to software, you can manage the various phases of software deployment without deploying software on each computer individually.

Question: What types of applications would you deploy via Group Policy in your environment?


How Software Distribution Works

Key Points
To enable Group Policy to deploy and manage software, Windows Server 2008 uses the Windows Installer service. This component automates the installation and removal of applications by applying a set of centrally defined setup rules during the installation process.

Question: What are some disadvantages of deploying software through Group Policy?


Options for Installing Software

Key Points
There are two deployment types available for delivering software to clients: administrators can install software for users or computers in advance (assign it), or give users the option to install the software when they require it (publish it). Deployed applications are not shared between users: an application you install for one user through Group Policy is not available to that computer's other users, because each user needs their own instance of the application.

When you assign software to a user, the user's Start menu advertises the software when the user logs on. Installation does not begin until the user double-clicks the application's icon or a file that is associated with the application. When you assign an application to a computer, the application is installed the next time the computer starts, before any user logs on, and is then available to all users of the computer. Because that installation runs in the computer's own security context (LocalSystem), the package source must be trusted and protected from modification.

The Control Panel's Programs applet advertises a published program to the user, who can install the application from the applet; you can also configure the application to be installed by document activation. Applications that users do not have permission to install are not advertised to them. Applications cannot be published to computers.

Question: What is an advantage of publishing an application over assigning it?


Options for Modifying the Software Distribution

Key Points
Software Installation in Group Policy includes options for configuring deployed software. You use software categories to organize published software into logical groups so that users can locate applications easily in the Programs and Features applet in Control Panel. There are no predefined software categories; you create them to arrange different applications under specific headings. To determine which application users install when they double-click a file, you can choose a file name extension and configure a priority for the applications that are associated with it. You can use software modifications, or .MST files (also called transform files), to deploy several configurations of one application.


Maintaining Software Using Group Policy

Key Points
Occasionally a software package will need to be upgraded to a newer version. The Upgrades tab allows you to upgrade a package using the GPO. You may redeploy a package if the original Windows Installer file has been modified. You can remove software packages if they were delivered originally using Group Policy. Removal can be mandatory or optional.

Question: Your organization is upgrading to a newer version of a software package. Some users in the organization require the old version. How would you deploy the upgrade?


Discussion: Evaluating the Use of Group Policy to Deploy Software


Lab C: Deploying Software with Group Policy

Exercise 1: Deploy a Software Package with Group Policy


Scenario
Not all computers have Microsoft Office installed, but users of those computers may still need to open and view a document such as a PowerPoint presentation. You need to deploy the Microsoft Office PowerPoint Viewer application to all computers in the WoodgroveBank.com domain. The main tasks for this exercise are:
1. Copy a software package to the Data share.
2. Configure and review the software deployment GPO.


Task 1: Copy a software package to the Data share


On NYC-DC1, browse to E:\Mod07\LabFiles and copy and paste PPVIEWER.MSI to the Data folder.

Task 2: Configure and review the software deployment GPO


1. On NYC-DC1, in the Group Policy Management window, create a new GPO named Software Deployment, linked to the WoodgroveBank.com domain.
2. Configure the Software Deployment GPO with the following settings: under Computer Configuration, Policies, Software Settings, right-click Software installation, point to New, and then click Package. Choose the Assign option, and type \\NYC-DC1\Data\ppviewer.msi.

3. Open the Microsoft Office PowerPoint Viewer 2003 package properties and review the options on the following tabs: General, Deployment, Upgrades, Categories, Modifications, and Security.
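Before a package on a share is assigned to every computer in the domain, two things deserve a check that the wizard does not perform: who can modify the package on the share, and whether the package is what you think it is. A computer-assigned package is installed at startup in the computer's context, so anyone who can replace the file on the share gets SYSTEM-level code execution on every domain computer at its next restart. The following is an added example, not part of the lab; it uses the lab's package path, and the list of principals treated as trusted maintainers of the share is a starting point to extend for your own domain.

```powershell
# Added example, not part of the lab: checks to run before a package on a share
# is assigned to every computer in the domain. A computer-assigned package is
# installed at startup in the computer's context (LocalSystem), so write access
# to the share is code execution on every domain computer. Assumptions: the path
# is the lab's; the trusted-principal list is a starting point for your domain.

$Package = '\\NYC-DC1\Data\PPVIEWER.MSI'

function Get-PackageIdentity {
    param([string]$Path)
    # Get-AuthenticodeSignature understands MSI files; Valid means the chain
    # builds to a root trusted on the machine running the check. The SHA-256 is
    # what you record in change control and compare after any later copy.
    $sig   = Get-AuthenticodeSignature -FilePath $Path
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $hash  = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    New-Object PSObject -Property @{
        File   = $Path
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        Sha256 = ([System.BitConverter]::ToString($hash)) -replace '-', ''
    }
}

function Get-WritablePrincipals {
    param([string]$Path)
    # NTFS Allow entries on the package folder that carry a write-class right and
    # belong to anyone other than the accounts expected to maintain the share.
    # Share permissions (net share <name>) must be reviewed separately; the
    # effective right over SMB is the more restrictive of the two.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $generic   = 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE on inherit-only entries
    $trusted   = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|.*\\Domain Admins)$'
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band ($writeMask -bor $generic)) -ne 0 -and
        $_.IdentityReference.Value -notmatch $trusted
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

Get-PackageIdentity -Path $Package | Format-List
# Anything listed here can change what every computer installs as SYSTEM.
Get-WritablePrincipals -Path (Split-Path -Path $Package -Parent) | Format-Table -AutoSize
```

An unsigned or NotSigned package is not necessarily wrong (the lab's viewer MSI is whatever the course files contain), but it means the hash you record is the only identity the package has, so compare it against the vendor's published value where one exists. The writable-principals list should be empty; in the lab the Data share is also used for the J: drive mapping, which is a reminder that a general-purpose user share is a poor place to keep packages that computers install as SYSTEM.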


Exercise 2: Verify Software Installation


The main task for this exercise is: 1. Verify that the software package has been installed.

Task 1: Verify that the software package has been installed


1. On NYC-CL1, log on as WOODGROVEBANK\Administrator.
2. From a Command Prompt window, type GPUpdate /force and then restart the computer when prompted.
3. When the computer restarts, log on as WOODGROVEBANK\Administrator.
4. In the Control Panel window, click Uninstall a program.
5. Notice that the Microsoft Office PowerPoint Viewer 2003 program has been successfully installed.
6. Uninstall Microsoft Office PowerPoint Viewer 2003.
7. When the process completes, press F5 and notice that even though you can uninstall the program, it comes back because the program is assigned through Group Policy.

Result: At the end of this exercise, you will have successfully deployed an assigned software package using Group Policy.


Lesson 5

Configuring Group Policy Preferences

Historically, many common settings that affect the user and computer environment, such as mapped drives, could not be delivered through Group Policy and were usually delivered through logon scripts or imaging solutions. Windows Server 2008 includes the new Group Policy preferences, built into the Group Policy Management Console (GPMC). Administrators can also configure preferences by installing the Remote Server Administration Tools (RSAT) on a computer running Windows Vista Service Pack 1 (SP1). This allows many of these common settings to be delivered through Group Policy.


What Are Group Policy Preferences?

Key Points
Group Policy preference extensions are more than twenty Group Policy extensions that expand the range of configurable settings within a GPO. The main difference between policy settings and preference settings is that preference settings are not enforced. The end user can change any preference setting that is applied through Group Policy, but policy settings prevent users from changing them.


Difference Between Group Policy Settings and Preferences

Key Points
The key difference between preferences and Group Policy settings is enforcement. In some cases, the same setting can be configured through a policy setting as well as a preference item. If both settings are configured and applied to the same object, the value of the policy setting always applies. Policy settings have a higher priority than preference settings.


Group Policy Preferences Features

Key Points
Most Group Policy preference extensions support the following actions for each preference item:
• Create: Create a new item on the targeted computer.
• Delete: Remove an existing item from the targeted computer.
• Replace: Delete and recreate an item on the targeted computer. The result is that Group Policy preferences replace all existing settings and files associated with the preference item.
• Update: Modify an existing item on the targeted computer.


Deploying Group Policy Preferences

Key Points
Group Policy preferences do not require you to install any services on servers. Windows Server 2008 includes Group Policy preferences by default as part of the Group Policy Management Console (GPMC). Administrators can configure and deploy Group Policy preferences in a Windows Server 2003 environment by installing the RSAT on a computer running Windows Vista with SP1. On Windows XP and Windows Vista client computers, Group Policy Client Side Extensions must be downloaded and installed. Client Side Extensions are available through Windows Update.


Lab D: Configuring Group Policy Preferences

Exercise 1: Configure Group Policy Preferences


Scenario
In an effort to simplify Group Policy management, including eliminating the need for logon scripts to map drives, you have been asked to deploy several Group Policy Preferences settings that allow more flexibility for corporate users. The main tasks for this exercise are:
1. Add a shortcut to Notepad on the desktop of NYC-DC1.
2. Create a new folder named Reports on the C: drive of all computers running Windows Server 2008.
3. Configure drive mapping.
4. Remove the old Logon Script GPO.


Task 1: Add a shortcut to Notepad on the desktop of NYC-DC1


1. On NYC-DC1, in the Group Policy Management window, open the Default Domain Policy GPO for editing.
2. Under Computer Configuration, Preferences, Windows Settings, right-click Shortcuts, point to New, and then click Shortcut.
3. In the New Shortcut Properties dialog box, create a shortcut for Notepad.exe in the All Users Desktop location.
4. On the Common tab, configure item-level targeting for the computer NYC-DC1.

Leave the Group Policy Management Editor window open for the next task.

Task 2: Create a new folder named Reports on the C: drive of all computers running Windows Server 2008
1. In the Group Policy Management Editor window, under Windows Settings, right-click Folders, point to New, and then click Folder.
2. In the New Folder Properties dialog box, create the C:\Reports folder.
3. On the Common tab, configure item-level targeting for the Windows Server 2008 operating system.
4. Leave the Group Policy Management Editor window open for the next task.


Task 3: Configure drive mapping


1. In the Group Policy Management Editor window, under User Configuration, Preferences, Windows Settings, right-click Drive Maps, point to New, and then click Mapped Drive.
2. Create a new mapped drive labeled Data for \\NYC-DC1\Data, using the drive letter P, and select the Reconnect option.

Task 4: Remove old Logon Script GPO


In the Group Policy Management window, delete the Logon Script link for the WoodgroveBank.com domain.

Note: You aren't actually deleting the GPO, just its link to the domain.


Exercise 2: Verify Group Policy Preferences Application


The main tasks for this exercise are:
1. Verify that the preferences have been applied.
2. Close all virtual machines and discard undo disks.

Task 1: Verify that the preferences have been applied


1. On NYC-DC1, log off, and then log back on as WOODGROVEBANK\Administrator.
2. Verify that the P: drive is mapped to the Data share on NYC-DC1.
3. Verify that the C:\Reports folder exists.

Note: It may take a few moments for this folder to appear.

Note: To apply Group Policy preferences to Windows Vista computers, you must download and install the Group Policy Preference Client Side Extensions for Windows Vista (KB943729).

Task 2: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close dialog box, select Turn off machine and discard changes, and then click OK.

Result: At the end of this exercise, you will have configured and tested Group Policy Preferences and verified their application.


Lesson 6

Introduction to Group Policy Troubleshooting

Group Policy can be complex to deploy and manage, and sometimes a setting can cause unintended consequences for users or computers. This lesson provides details about Group Policy processing and common problem areas, and describes some of the troubleshooting tools available.


Scenarios for Group Policy Troubleshooting

Key Points
Group Policy processing has two distinct phases:
• Core Group Policy processing. When a client begins to process Group Policy, it must determine whether it can reach a domain controller, whether any Group Policy objects (GPOs) have changed, and which policy settings (grouped by client-side extension) must be processed. The core Group Policy engine performs this initial phase.
• Client-side extension (CSE) processing. Policy settings are grouped into categories, such as Administrative Templates, Security Settings, Folder Redirection, Disk Quota, and Software Installation. The settings in each category require a specific CSE to process them, and each CSE has its own rules for processing settings. The core Group Policy engine calls the CSEs that are required to process the settings that apply to the client.


Preparing to Troubleshoot Group Policy

Key Points
Group Policy issues may be a symptom of unrelated problems, such as network connectivity, authentication failures, domain controller availability, or Domain Name System (DNS) configuration errors. You should begin the troubleshooting process by determining the scope of the issue. For example, is the issue widespread, or is it affecting a single client only? If the issue affects a single client, you should first check for local causes, such as an incorrect configuration or a hardware or operating system failure. These issues are usually easy to diagnose.


Once you eliminate these causes, your first real troubleshooting step is to check Event Viewer entries, Windows logs, and application and service logs, which can provide valuable information about the root cause of issues. Log entries often direct you to the area in which to begin your investigation. Once you narrow down your problem area, you can use other diagnostic tools to pursue the issue.

Question: What diagnostic tool could you use to determine lease expiration of a Dynamic Host Configuration Protocol (DHCP) address issued to a client computer?


Tools for Troubleshooting Group Policy

Key Points
There are a number of diagnostic tools and logs that you can use to verify whether you can trace a problem to core Group Policy:
• Group Policy reporting (RSoP): used to see how multiple Group Policy objects affect various combinations of users and computers, or to predict the effect of Group Policy settings on the network.
• GPResult: used to display the Resultant Set of Policy (RSoP) information for a remote user and computer.
• Gpotool: used to traverse all of your domain controllers and check for consistency between the Group Policy container (the information contained in the directory service) and the Group Policy template (the information contained in the SYSVOL share on the domain controller).
• Gpupdate: used to refresh local and Active Directory-based Group Policy settings, including security settings.
• Dcgpofix: used to recreate the two default Windows Server GPOs, with security settings based on the operations that are performed during Dcpromo.
• GPOLogView: used to export Group Policy event data from the system and operational log into a text, HTML, or XML file.
• Group Policy log files: used to obtain information about Group Policy events.
• Group Policy Management Scripts: used to demonstrate the scripting functionality of the Group Policy Management Console.

Group Policy Logging


If other tools do not provide the information you need to identify the problems affecting Group Policy application, you can enable verbose logging and examine the resulting log files. Log files can be generated on both the client and the server to provide detailed information.

Question: What diagnostic tool will quickly display the current Group Policy slow link threshold?


Demonstration: Using Group Policy Diagnostic Tools

Key Points
• Run GPResult in regular and verbose mode.
• Review the GPOTool included with the Windows Server 2008 Resource Kit.
• Run GPUpdate and review the command-line parameters.
• Review the GPLogView tool, available as a free download from Microsoft.
• Run GPLogView in monitor mode.

Question: What steps must you take prior to running Group Policy reporting RSoP on a remote computer?


Lesson 7

Troubleshooting Group Policy Application

When troubleshooting Group Policy issues, you need a firm understanding of the interactions between Group Policy and its supporting technologies, and the ways in which you manage, deploy, and apply Group Policy objects.


How Client Side Extension Processing Works

Key Points
CSEs are dynamic-link libraries (DLLs) that perform the actual processing of Group Policy settings. Policy settings are grouped into different categories, such as Administrative Templates, Security Settings, Folder Redirection, Disk Quota, and Software Installation. Each category's settings require a specific CSE to process them, and each CSE has its own rules for processing settings. The core Group Policy process calls the appropriate CSEs to process those settings. Some CSEs behave differently under different circumstances; for example, a number of CSEs do not process if a slow link is detected.


Security settings and Administrative Templates are always processed, even across a slow link, and you cannot turn them off. You can control the behavior of the other CSEs across slow links. As Group Policy is processed, the Group Policy engine (the Group Policy Client service on Windows Vista and Windows Server 2008; Winlogon on earlier versions) passes the list of GPOs that must be processed to each Group Policy client-side extension.

Question: Users in a branch office log on across a slow modem connection. You want folder redirection to be applied to them even across the slow link. How would you accomplish this?

Troubleshooting Group Policy Inheritance

Key Points
The following four settings can be used to alter the default inheritance of GPO processing:
- Block policy inheritance
- GPO enforcement
- GPO filtering of the access control list (ACL)
- Windows Management Instrumentation (WMI) filters

If none of the users or computers in an OU, or in an entire subtree of OUs, receive policies that are linked at higher levels, inheritance blocking may be the cause. The GPMC shows a blue exclamation mark on the container's icon when inheritance is blocked. Group Policy Results reporting (RSoP) lists the GPOs that are being applied and the GPOs that are being blocked.

You can run the Gpresult command from the target computer to get an idea of whether any of these settings are preventing the policies from applying. If inheritance is blocked incorrectly, removing the setting returns Group Policy processing to normal. Note that a link that is set to Enforced still applies through a container that blocks inheritance.

Question: Are there scenarios in your organization that would benefit from blocking inheritance?
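The following script is an added example and is not the course's own material. It runs gpresult in XML mode on the client and, for every GPO in the computer and user scope, states why it was or was not applied (disabled link, security filtering, WMI filter, disabled GPO side, unreadable GPO, or an AD DS/SYSVOL version mismatch). The element names (GPO, Name, Link/SOMPath, Link/NoOverride, Enabled, IsValid, FilterAllowed, AccessDenied, VersionDirectory, VersionSysvol) are assumed from the gpresult /x report on Windows Vista and Windows Server 2008; open the generated XML once to confirm them on your build.

```powershell
# Added example, not from the course: run gpresult in XML mode and explain, per
# GPO, why it did or did not apply. Run elevated on the client after the target
# user has logged on at least once.
param([string]$User = $env:USERNAME)

$report = Join-Path $env:TEMP 'rsop.xml'
& gpresult.exe /user $User /x $report /f | Out-Null      # /f overwrites an existing report
[xml]$rsop = Get-Content -Path $report

function Get-GpoApplyReason([object]$scopeNode, [string]$scope) {
    foreach ($gpo in @($scopeNode.GPO)) {
        if ($gpo -eq $null) { continue }
        $link = @($gpo.Link) | Select-Object -First 1
        $reason = if ($link -ne $null -and $link.Enabled -eq 'false') { 'link disabled' }
                  elseif ($gpo.AccessDenied -eq 'true')   { 'security filtering: no Apply Group Policy, or an explicit Deny' }
                  elseif ($gpo.FilterAllowed -eq 'false') { 'WMI filter evaluated FALSE' }
                  elseif ($gpo.Enabled -eq 'false')       { "$scope side of the GPO is disabled" }
                  elseif ($gpo.IsValid -eq 'false')       { 'GPO invalid or unreadable (check GPC and SYSVOL ACLs)' }
                  elseif ($gpo.VersionDirectory -ne $gpo.VersionSysvol) { 'AD DS and SYSVOL versions differ (replication)' }
                  else { 'applied' }
        New-Object PSObject -Property @{
            Scope    = $scope
            Name     = $gpo.Name
            LinkedAt = $(if ($link) { $link.SOMPath } else { '' })
            Enforced = $(if ($link) { $link.NoOverride } else { '' })
            Reason   = $reason
        }
    }
}

$rows  = @()
$rows += Get-GpoApplyReason $rsop.Rsop.ComputerResults 'Computer'
$rows += Get-GpoApplyReason $rsop.Rsop.UserResults     'User'
$rows | Format-Table Scope, Name, LinkedAt, Enforced, Reason -AutoSize
```

Because gpresult reports what the client actually evaluated, this is the quickest way to tell a blocked-inheritance problem (the GPO is simply absent from the list) from a filtering problem (the GPO is listed with AccessDenied or FilterAllowed set).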

Troubleshooting Group Policy Filtering

Key Points
Group Policy filtering determines which users and computers will receive the GPO's settings. Group Policy object (GPO) filtering is based on two factors:
- The security filtering on the GPO.
- Any Windows Management Instrumentation (WMI) filters on the GPO.

Group Policy filtering may appear as inconsistent application of policies within an OU: if some users, groups, or computers have filtering applied, they will not receive policies that other users in the same OU receive.

To check filtering on a GPO:
1. In GPMC, open the Group Policy Objects node, and then select the GPO you are troubleshooting.
2. In the right pane, select the Scope tab. The Security Filtering and WMI Filtering panels show the current filtering configuration.
3. To see the exact set of permissions for users, groups, and computers, select the Delegation tab, click Advanced, and then select the security group, user, or computer you want to review.

If the policy object should be applied to the security group, user, or computer, the minimum permissions are Allow Read and Allow Apply Group Policy. The client must also be able to read the GPO's folder in SYSVOL; GPMC grants Read in both places when you add a principal on the Scope tab. If a WMI filter is deleted, the links to the WMI filter are not automatically deleted. If there is a link to a non-existent WMI filter, the GPO with that link will not be processed until the link is removed or the filter is restored.
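The following script is an added example and is not part of the course. It reads the DACL of a GPO's container object in AD DS and reports, per security principal, whether Read and Apply Group Policy are granted and whether an explicit Deny on Apply Group Policy is present, which is the fault in Lab E, Exercise 2. The GPO display name is an assumed lab value; the GUID of the Apply Group Policy extended right (edacfd8f-ffb3-11d1-b41d-00a0c968f939) is the well-known value from the AD schema. Only the AD DS half of the permission set is examined; the SYSVOL folder ACL is a separate check.

```powershell
# Added example, not from the course: show who can apply a GPO according to the
# groupPolicyContainer's DACL. A Deny ACE on Apply Group Policy for any group
# the user belongs to overrides every Allow.
param([string]$GpoDisplayName = 'Lab 7B')   # assumed lab GPO name

$applyRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # Apply-Group-Policy extended right
$readBit    = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$extBit     = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Find-GpoContainer([string]$displayName) {
    $root     = [ADSI]'LDAP://RootDSE'
    $policies = [ADSI]"LDAP://CN=Policies,CN=System,$($root.defaultNamingContext)"
    $s = New-Object System.DirectoryServices.DirectorySearcher($policies,
          "(&(objectClass=groupPolicyContainer)(displayName=$displayName))")
    $hit = $s.FindOne()
    if ($hit -eq $null) { throw "GPO '$displayName' not found" }
    $hit.GetDirectoryEntry()
}

function Get-GpoApplyPermission([System.DirectoryServices.DirectoryEntry]$gpc) {
    $rules = $gpc.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    $byId  = @{}
    foreach ($r in $rules) {
        $id = $r.IdentityReference.Value
        if (-not $byId.ContainsKey($id)) { $byId[$id] = @{ Read = $false; ApplyAllow = $false; ApplyDeny = $false } }
        $rights = [int]$r.ActiveDirectoryRights
        # Read on the whole object: ReadProperty with no specific property GUID.
        $isRead  = (($rights -band $readBit) -ne 0) -and ($r.ObjectType -eq [guid]::Empty)
        # Apply Group Policy: the specific extended right, or "all extended rights" (empty GUID).
        $isApply = (($rights -band $extBit) -ne 0) -and
                   ($r.ObjectType -eq $applyRight -or $r.ObjectType -eq [guid]::Empty)
        if ($r.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) {
            if ($isRead)  { $byId[$id].Read = $true }
            if ($isApply) { $byId[$id].ApplyAllow = $true }
        } elseif ($isApply) {
            $byId[$id].ApplyDeny = $true
        }
    }
    foreach ($id in $byId.Keys) {
        $e = $byId[$id]
        $verdict = if ($e.ApplyDeny) { 'DENIED: explicit Deny on Apply Group Policy' }
                   elseif ($e.Read -and $e.ApplyAllow) { 'applies' }
                   elseif ($e.ApplyAllow) { 'Apply without Read: will not apply' }
                   else { 'not targeted (no Apply Group Policy)' }
        New-Object PSObject -Property @{
            Identity = $id; Read = $e.Read; ApplyAllow = $e.ApplyAllow; ApplyDeny = $e.ApplyDeny; Verdict = $verdict
        }
    }
}

Get-GpoApplyPermission (Find-GpoContainer $GpoDisplayName) |
    Sort-Object Identity |
    Format-Table Identity, Read, ApplyAllow, ApplyDeny, Verdict -AutoSize
```

Run it on a domain controller or any domain member with the .NET Framework as a user who can read the GPO's security descriptor. A group that appears with ApplyDeny True explains the symptom in the question that follows: denying Apply Group Policy to Authenticated Users denies it to every member of Managers as well, because Deny ACEs take precedence over Allow ACEs.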

Question: You have applied security filtering to limit the GPO to apply only to the Managers group. You did this by setting the following GPO permissions:
- Authenticated Users are denied the Apply Group Policy permission.
- The Managers group has been granted Read and Apply Group Policy permission.

None of the managers are receiving the GPO settings. What is the problem?

Troubleshooting Group Policy Replication

Key Points
In a domain that contains more than one domain controller, Group Policy information takes time to propagate, or replicate, from one domain controller to another. Replication issues are most noticeable in remote sites with slow connections, where replication latency is long. GPOTool can check the consistency of policies across all domain controllers. Another tool is Repadmin, which provides information about Group Policy synchronization status and general replication information. Once you determine that replication is the issue, you must determine whether the problem is with SYSVOL replication or with AD DS replication, because the two halves of a GPO travel separately: the Group Policy template in SYSVOL replicates with FRS (or with DFS Replication once a domain at the Windows Server 2008 domain functional level has migrated SYSVOL), and the Group Policy container replicates with AD DS. A simple test for SYSVOL replication is to put a small test file into the SYSVOL directory and see if it replicates to other domain controllers.

Likewise, a simple way to test AD DS replication is to create a test object, such as an OU, and see if it replicates to other domain controllers. In many cases, just waiting for normal replication cycles to complete resolves the problem.
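The following script is an added example and is not part of the course. It performs the consistency check that GPMC and GPOTool make: for one GPO it reads the versionNumber of the groupPolicyContainer on every domain controller and compares it with the Version line of gpt.ini in that same domain controller's SYSVOL share. The GPO display name is an assumed lab value, and the script requires the .NET Framework's System.DirectoryServices classes, which are present on any domain-joined Windows Server 2008 computer.

```powershell
# Added example, not from the course: compare a GPO's version in AD DS with its
# version in SYSVOL on each DC. A DC whose two numbers differ has not yet
# received one half of the GPO.
param([string]$GpoDisplayName = 'Lab 7A')   # assumed lab GPO name

$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$domainDn = 'DC=' + ($domain.Name -replace '\.', ',DC=')

function Find-GpoGuid([string]$displayName) {
    $policies = [ADSI]"LDAP://CN=Policies,CN=System,$domainDn"
    $s = New-Object System.DirectoryServices.DirectorySearcher($policies,
          "(&(objectClass=groupPolicyContainer)(displayName=$displayName))")
    $hit = $s.FindOne()
    if ($hit -eq $null) { throw "GPO '$displayName' not found" }
    $hit.Properties['cn'][0]          # cn is the GPO GUID, braces included
}

function Split-GpoVersion([int]$v) {
    # versionNumber packs two 16-bit counters: low word = computer, high word = user.
    New-Object PSObject -Property @{ Computer = ($v -band 0xFFFF); User = [int][math]::Floor($v / 65536) }
}

function Test-GpoReplication([string]$gpoGuid) {
    foreach ($dc in $domain.DomainControllers) {
        $adVersion = $null; $sysvolVersion = $null
        try {
            # Bind to this specific DC so we see its replica, not the nearest one.
            $gpc = [ADSI]"LDAP://$($dc.Name)/CN=$gpoGuid,CN=Policies,CN=System,$domainDn"
            $adVersion = [int]$gpc.versionNumber.Value
        } catch { }
        # Read this DC's copy of the template, not the DFS-resolved \\domain\SYSVOL path.
        $gptIni = "\\$($dc.Name)\SYSVOL\$($domain.Name)\Policies\$gpoGuid\gpt.ini"
        if (Test-Path -LiteralPath $gptIni) {
            foreach ($line in Get-Content -LiteralPath $gptIni) {
                if ($line -match '^Version=(\d+)') { $sysvolVersion = [int]$Matches[1] }
            }
        }
        New-Object PSObject -Property @{
            DC = $dc.Name; ADVersion = $adVersion; SysvolVersion = $sysvolVersion
            InSync = ($adVersion -ne $null -and $adVersion -eq $sysvolVersion)
        }
    }
}

$guid = Find-GpoGuid $GpoDisplayName
"GPO '$GpoDisplayName' is $guid"
$rows = @(Test-GpoReplication $guid)
$rows | Format-Table DC, ADVersion, SysvolVersion, InSync -AutoSize
# Show the computer/user halves of the first AD DS version seen, to spot which side was edited last.
$rows | Where-Object { $_.ADVersion -ne $null } | Select-Object -First 1 | ForEach-Object { Split-GpoVersion $_.ADVersion }
```

A matching pair on every domain controller proves only that the container and template are at the same revision everywhere; it does not prove the transport is healthy. Use repadmin /showrepl for AD DS replication and the test-file method above for SYSVOL, and give normal replication latency a chance before changing anything.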

Question: What tool can be used to force replication across all domain controllers in the domain?

Troubleshooting Group Policy Refresh

Key Points
Group Policy refresh refers to a client's periodic retrieval of GPOs. During Group Policy refresh, the client contacts an available domain controller and retrieves the list of GPOs that apply to it. By default, the CSEs process the GPOs only if the version number of at least one GPO has changed on the domain controller that the computer is accessing. Group Policy reporting provides information about when the last Group Policy refresh occurred, on the summary page. The report also tells you if the loopback setting is enabled.
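The following script is an added example and is not part of the course. It reads the Group Policy operational log on a Windows Vista or Windows Server 2008 computer and summarizes the last refresh cycle: when it started and finished, whether it succeeded, which GPOs were applied or filtered out, and any warnings or errors raised during the cycle. It assumes PowerShell 2.0 (Get-WinEvent) and the event ID ranges used by the Microsoft-Windows-GroupPolicy provider, which are stated in the comments.

```powershell
# Added example, not from the course: summarize the last Group Policy refresh
# from the Group Policy operational log. Event IDs of the provider:
# 4000-4007 processing started, 8000-8007 finished OK, 7000-7007 finished
# with an error, 5312 list of applied GPOs, 5313 list of GPOs not applied.
$log = 'Microsoft-Windows-GroupPolicy/Operational'

function Get-LastGroupPolicyRefresh([int]$MaxEvents = 500) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log } -MaxEvents $MaxEvents -ErrorAction Stop
    $end = $events |
        Where-Object { ($_.Id -ge 8000 -and $_.Id -le 8007) -or ($_.Id -ge 7000 -and $_.Id -le 7007) } |
        Select-Object -First 1                    # Get-WinEvent returns newest first
    if ($end -eq $null) { return $null }
    # Every event of one refresh cycle carries the same ActivityId as its end event.
    $cycle = @($events | Where-Object { $_.ActivityId -eq $end.ActivityId })
    $start = $cycle | Where-Object { $_.Id -ge 4000 -and $_.Id -le 4007 } | Select-Object -Last 1
    New-Object PSObject -Property @{
        ActivityId   = $end.ActivityId
        Started      = $(if ($start) { $start.TimeCreated } else { $null })
        Finished     = $end.TimeCreated
        Succeeded    = ($end.Id -ge 8000)
        Summary      = $end.Message
        AppliedGpos  = @($cycle | Where-Object { $_.Id -eq 5312 } | ForEach-Object { $_.Message })
        FilteredGpos = @($cycle | Where-Object { $_.Id -eq 5313 } | ForEach-Object { $_.Message })
        # Level 2 = Error, 3 = Warning: CSE failures and DC discovery problems surface here.
        Problems     = @($cycle | Where-Object { $_.Level -le 3 } | ForEach-Object { "$($_.Id): $($_.Message)" })
    }
}

Get-LastGroupPolicyRefresh | Format-List
```

Run gpupdate /force, then rerun the function to see the new cycle. On a computer that still has PowerShell 1.0, the same log can be read with wevtutil qe Microsoft-Windows-GroupPolicy/Operational /c:50 /rd:true /f:text.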

Question: You have implemented folder redirection for a particular OU. Some users report that their folders are not redirecting to the network share. What is the first step you should take to resolve the problem?

Discussion: Troubleshooting Group Policy Configuration

Question: One user is getting settings applied that no one else is receiving. What might be the issue and how would you start troubleshooting?

Lesson 8:

Troubleshooting Group Policy Settings

Group Policy settings issues are usually due to slow-link detection or incorrect configuration. Understanding how Client Side Extension Processes work and how slow links are determined assists in troubleshooting these issues.

Troubleshooting Administrative Template Policy Settings

Key Points
Administrative Templates settings may not be applied because the operating system cannot interpret the policy setting. Many of the newer policy settings apply only to particular operating systems, and an older client silently ignores settings it does not recognize. True policies are written to the Policies keys in the registry and are removed when the GPO that delivers them is unlinked. Preference settings (non-policy registry settings delivered from a template) are written to ordinary registry locations and persist after the GPO is removed; the administrator must undo a preference explicitly by specifying a value in a GPO.

Question: Your network has a mixture of Windows XP and Windows Vista computers. You have configured the Administrative Template to remove the games link from the Start menu, but only the Windows Vista computers are enforcing the setting. What is the problem?

Troubleshooting Script Policy Settings

Key Points
The Scripts CSE updates the registry with the location of script files so that the UserInit process can find those values during its normal processing. When a CSE reports success, it might mean only that the scripts location is placed in the registry. Even though the setting is in the registry, there could be problems preventing the setting from being applied to the client. For example, if a script specified in a Script setting has an error that prevents it from completing, the CSE does not detect an error.

Group Policy processes a GPO and stores the script information in the registry, in these locations:
- HKCU\Software\Policies\Microsoft\Windows\System\Scripts (user scripts)
- HKLM\Software\Policies\Microsoft\Windows\System\Scripts (computer scripts)
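The following script is an added example and is not part of the course. It walks the Scripts keys described above, resolves each recorded script to a file path, and tries to open the file in the current security context, which is the check the Scripts CSE never makes. The sub-key layout and value names (GPOName, FileSysPath, Script, Parameters) are assumptions taken from observing Windows Vista and Windows Server 2008 clients; verify them with Regedit before relying on the output.

```powershell
# Added example, not from the course: list the scripts the Scripts CSE recorded
# in the registry and test whether this security context can read each file.
# Assumed key layout:
#   <Hive>\Software\Policies\Microsoft\Windows\System\Scripts\<Type>\<n>
#       values: GPOName, GPO-ID, SOM-ID, FileSysPath, DisplayName
#   ...\<n>\<m>   values: Script, Parameters, ExecTime
function Get-GpoScriptAccess([string]$Hive = 'HKCU', [string]$Type = 'Logon') {
    $base = $Hive + ':\Software\Policies\Microsoft\Windows\System\Scripts\' + $Type
    if (-not (Test-Path -Path $base)) { return }
    foreach ($gpoKey in Get-ChildItem -Path $base) {
        $gpoInfo = Get-ItemProperty -Path $gpoKey.PSPath
        foreach ($scriptKey in Get-ChildItem -Path $gpoKey.PSPath) {
            $s    = Get-ItemProperty -Path $scriptKey.PSPath
            $path = [string]$s.Script
            # A bare file name is relative to the GPO's Scripts\<Type> folder in SYSVOL.
            if ($path -notmatch '^(\\\\|[A-Za-z]:\\)') {
                $path = Join-Path (Join-Path $gpoInfo.FileSysPath "Scripts\$Type") $path
            }
            $status = 'readable'
            try {
                $fs = [System.IO.File]::OpenRead($path); $fs.Close()
            }
            catch [System.UnauthorizedAccessException] { $status = 'ACCESS DENIED' }   # the Lab E, Exercise 1 case
            catch [System.IO.FileNotFoundException]    { $status = 'not found' }
            catch                                      { $status = $_.Exception.GetType().Name }
            New-Object PSObject -Property @{
                Gpo = $gpoInfo.GPOName; Script = $path; Parameters = $s.Parameters; Status = $status
            }
        }
    }
}

Get-GpoScriptAccess -Hive HKCU -Type Logon | Format-Table Gpo, Script, Parameters, Status -AutoSize
```

Run it in a session started as the affected user (for example, runas /user:WOODGROVEBANK\Roya powershell) so that the access test uses that user's token. For computer startup scripts use -Hive HKLM -Type Startup; note that those run as the computer account, so a test in an administrator's session only approximates the real result.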

Question: A logon script is assigned to an OU. The script executes properly for all users, but some users report that they get an access-denied message when they try to access the mapped drive. What is the problem?

Lab E: Troubleshooting Group Policy Issues

Exercise 1: Troubleshoot Group Policy Scripts


Scenario
Woodgrove Bank has completed its deployment of Windows Server 2008. As the AD DS administrator, one of your primary tasks is troubleshooting AD DS issues that have been escalated to you from the company's help desk. You are responsible for resolving issues related to Group Policy application and configuration. All domain users will have a drive mapping to a shared folder named Data. The GPO is already created and backed up. You will restore and apply the GPO that delivers that policy to the domain, and troubleshoot any issues with the policy.

The main tasks for this exercise are:
1. Start the 6419A-NYC-DC1 virtual machine and log on as WOODGROVEBANK\Administrator.
2. Create and link a domain Desktop policy.
3. Restore the Lab7A GPO.
4. Link the Lab7A GPO to the domain.
5. Start NYC-CL1 and log on as WOODGROVEBANK\Administrator.
6. Test the GPO.
7. Troubleshoot the GPO.
8. Resolve the issue and test the resolution.

Task 1: Start the 6419A-NYC-DC1 virtual machine and log on as WOODGROVEBANK\Administrator


Start NYC-DC1, and then log on as WOODGROVEBANK\Administrator.

Task 2: Create and link a domain Desktop policy


1. On NYC-DC1, open Group Policy Management, and then create a new GPO named Desktop, linked to the WoodgroveBank.com domain.
2. Configure the Desktop GPO with the following settings:
   - Under Computer Configuration, Policies, Administrative Templates, System, Logon, enable Always wait for the network at computer startup and logon.
   - Under Network, Network Connections, Windows Firewall, Domain Profile, enable Windows Firewall: Allow inbound remote administration exception.
   - Under User Configuration, Policies, Windows Settings, Internet Explorer Maintenance, in Important URLs, add http://WoodGroveBank.com as a customized home page URL.
   - Under Administrative Templates, Start Menu and Taskbar, enable Force classic Start Menu.

Task 3: Restore the Lab7A GPO


In the Group Policy Management window, restore the Lab 7A GPO from E:\Mod07\LabFiles\GPOBackup.

Task 4: Link the Lab7A GPO to the domain


In the Group Policy Management window, link the Lab 7A GPO to the WoodgroveBank.com domain.

Task 5: Start NYC-CL1 and log on as WOODGROVEBANK\Administrator


1. Start NYC-CL1, and then log on as WOODGROVEBANK\Administrator.
2. Disable the Windows Firewall on NYC-CL1.

Task 6: Test the GPO


1. Verify that you see the classic Start menu.
2. In Windows Internet Explorer, verify that the home page opens to http://WoodgroveBank.com.
3. Verify that the J: drive is mapped to the Data share on NYC-DC1.
4. Log off, and then log back on as WOODGROVEBANK\Roya.
5. Verify that you see the classic Start menu.
6. In Internet Explorer, verify that the home page opens to http://WoodgroveBank.com.
7. Notice that the J: drive is not mapped to the Data share on NYC-DC1.
8. Log off NYC-CL1.

Task 7: Troubleshoot the GPO


1. On NYC-DC1, in the Group Policy Management window, run the Group Policy Results Wizard against NYC-CL1 for the user Roya.
2. Review the list of applied computer and user GPOs. Notice that the settings for both the Desktop GPO and the Lab 7A GPO were applied successfully.
3. On the Settings tab, under User Configuration, Windows Settings, Scripts, Logon, notice that the Lab 7A GPO was applied correctly.
4. On NYC-CL1, log on as WOODGROVEBANK\Roya.
5. Attempt to access the \\NYC-DC1\Scripts share, and then review the error.
6. Log off NYC-CL1.

Note: If time permits, you can view the Group Policy operational log as Administrator on NYC-CL1. If you filter the view to show the events that Roya generates, you will see that the log records no errors or warnings for this user. This is because the GPO only sets a registry value that defines the location of the scripts folder; Group Policy is unaware of whether the user has access to that location. The write to the registry was successful, so the Group Policy log reports no error. You would have to audit Object Access for the scripts folder to determine access issues.

Task 8: Resolve the issue and test the resolution


1. On NYC-DC1, browse to E:\Mod07\Labfiles\Scripts.
2. Review the permissions on the share and make sure that Authenticated Users have permission to access the share.
3. On NYC-CL1, log on as WOODGROVEBANK\Roya.
4. Verify that the J: drive is now mapped to the Data share on NYC-DC1.
5. Log off NYC-CL1.

Note: Another way to resolve the issue would be to move the script to the NETLOGON share, which all authenticated users can read by default. To eliminate the need for a logon script altogether, you could instead configure the mapped drive with Group Policy Preferences.

Result: At the end of this exercise, you will have resolved a Group Policy scripts issue.

Exercise 2: Troubleshoot GPO Lab-7B


Scenario
Domain users in the Miami OU and all sub OUs should not have access to Control Panel. You will restore and apply the GPO that delivers that policy to the Miami OU. The local onsite technician has submitted a help-desk ticket and escalated the following issue to the server team: Description of problem: No users should be able to access the Control Panel. However, some users do have access to Control Panel, while others do not. In particular, Roya, a Miami branch manager, has access to Control Panel.

This ticket has been escalated to the server team for resolution. The main tasks in this exercise are:
1. Restore the Lab7B GPO.
2. Link the Lab7B GPO to the Miami OU.
3. Test the GPO.
4. Troubleshoot the GPO.
5. Resolve the issue and test the resolution.

Task 1: Restore the Lab7B GPO


On NYC-DC1, in the Group Policy Management window, restore the Lab 7B GPO from backup.

Task 2: Link the Lab7B GPO to the Miami OU


In the Group Policy Management window, link the Lab 7B GPO to the Miami OU.

Task 3: Test the GPO


1. On NYC-CL1, log on as WOODGROVEBANK\Rich.

Note: Rich is a member of the Miami OU.

2. Verify that you see the classic Start menu.
3. In Internet Explorer, verify that the home page opens to http://WoodgroveBank.com.
4. Verify that the J: drive is mapped to the Data share on NYC-DC1.
5. Notice that the Control Panel does not appear on the desktop or Start menu. This is a setting from the Lab 7B GPO that was applied to the Miami OU.
6. Log off NYC-CL1, and then log back on as WOODGROVEBANK\Roya.
7. Notice that even though the GPO should prevent it, the Control Panel is still present on the desktop and Start menu.
8. Log off NYC-CL1.

Task 4: Troubleshoot the GPO


1. On NYC-DC1, in the Group Policy Management window, run the Group Policy Results Wizard against NYC-CL1 for the user Rich.
2. In the report summary, notice that the Lab 7B GPO was applied.
3. On the Settings tab, under User Configuration, notice that the policy setting to prohibit access to the Control Panel is enabled.
4. Rerun the query for Roya on NYC-CL1.
5. In the report summary, notice that the Lab 7B GPO has not been applied.
6. Review the denied GPOs and notice that the Lab 7B GPO is listed among the denied GPOs.

Task 5: Resolve the issue and test the resolution


1. In the Group Policy Management window, review the Delegation tab for the Lab 7B GPO.
2. Under Advanced settings, review the permissions for MIA_BranchManagerGG, and notice that the Apply Group Policy permission is set to Deny.
3. Remove the MIA_BranchManagerGG group from the permission list.
4. On NYC-CL1, log on as WOODGROVEBANK\Roya.
5. Notice that the Control Panel now correctly does not appear on the desktop or Start menu.
6. Log off NYC-CL1.

Result: At the end of this exercise, you will have resolved a Group Policy objects issue.

Exercise 3: Troubleshoot GPO Lab-7C


Scenario
Users in the Miami OU should not have access to the Run command on the Start menu. You will restore and link the Lab 7C GPO to apply this setting. The local desktop technician has escalated the following issue to the server team: Description of problem: No users should be able to access the Run command on the Start menu, but all users in the Miami OU have access to the Run command.

The main tasks in this exercise are:
1. Restore the Lab7C GPO.
2. Link the Lab7C GPO to the Miami OU.
3. Test the GPO.
4. Troubleshoot the GPO.
5. Resolve the issue and test the resolution.

Task 1: Restore the Lab7C GPO


On NYC-DC1, in the Group Policy Management window, restore the Lab 7C GPO from backup.

Task 2: Link the Lab7C GPO to the Miami OU


In the Group Policy Management window, link the Lab 7C GPO to the Miami OU.

Task 3: Test the GPO


1. On NYC-CL1, log on as WOODGROVEBANK\Roya.
2. Click Start, and then notice the presence of the Run command. It is not supposed to be there.
3. Log off NYC-CL1.

Task 4: Troubleshoot the GPO


1. On NYC-DC1, in the Group Policy Management window, rerun the query for Roya on NYC-CL1.
2. In the report summary, under User Configuration Summary, notice that the Lab 7C GPO is being applied.
3. On the Settings tab, under User Configuration, notice that the Add the Run command to the Start Menu setting is enabled.

Task 5: Resolve the issue and test the resolution


1. Edit the Lab 7C GPO.
2. In the Group Policy Management Editor window, under User Configuration, Policies, Administrative Templates, Start Menu and Taskbar, change Add the Run command to the Start Menu to Not Configured, and then click OK.
3. Change Add the Run command to the Start Menu to Disabled, and then click OK. The Enabled state was what placed the Run command on the Start menu; Disabled explicitly removes it, which matters here because the Desktop GPO forces the classic Start menu, where Run is shown by default.
4. On NYC-CL1, log on as WOODGROVEBANK\Roya.
5. Click Start, and notice that the Run command is no longer present.
6. Do not log off NYC-CL1.

Result: At the end of this exercise, you will have resolved a Group Policy objects issue.

Exercise 4: Troubleshoot GPO Lab-7D


Scenario
You will restore the Lab 7D GPO and link it to the Loopback OU. This GPO is designed to enhance security. A user in the Miami OU has submitted the following help-desk ticket: Description of problem: Since the application of the GPO, Roya no longer has the classic Start menu or the drive mapping, and can no longer run Internet Explorer.

The main tasks in this exercise are:
1. Create a new OU named Loopback.
2. Restore the Lab7D GPO.
3. Link the Lab7D GPO to the Loopback OU.
4. Move NYC-CL1 to the Loopback OU.
5. Test the GPO.
6. Troubleshoot the GPO.
7. Resolve the issue and test the resolution.

Task 1: Create a new OU named Loopback


1. On NYC-DC1, open Active Directory Users and Computers.
2. Create a new Organizational Unit under WoodgroveBank.com named Loopback.

Task 2: Restore the Lab7D GPO


On NYC-DC1, in the Group Policy Management window, restore the Lab 7D GPO from backup.

Task 3: Link the Lab7D GPO to the Loopback OU


In the Group Policy Management window, link the Lab 7D GPO to the Loopback OU.

Task 4: Move NYC-CL1 to the Loopback OU


In Active Directory Users and Computers, move the NYC-CL1 computer from the Computers container to the Loopback OU.

Task 5: Test the GPO


1. Restart NYC-CL1.
2. When the computer restarts, log on as WOODGROVEBANK\Roya.
3. Click Start and notice that the Run command is present once again.
4. Notice also that the Control Panel is present on the desktop and Start menu. These changes are not intentional.
5. Open Windows Internet Explorer and notice that Internet Explorer does not launch.

Task 6: Troubleshoot the GPO


1. On NYC-DC1, in the Group Policy Management window, rerun the query for Roya on NYC-CL1.
2. In the summary report, under Computer Configuration, review the applied GPOs and notice that the Lab 7D GPO has been applied.
3. On the Settings tab, under Computer Configuration, notice that loopback processing mode is enabled.

Note: Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users may need policy applied to them based on the location of the computer object alone. You can use the Group Policy loopback feature to apply GPOs that depend only on which computer the user logs on to.

Task 7: Resolve the issue and test the resolution


1. In the Group Policy Management window, disable the link for the Lab 7D GPO.

Note: Another alternative would be to disable loopback processing in the GPO itself, especially if there were other settings in the GPO that you did wish to have applied.

2. Restart NYC-CL1.
3. When the computer restarts, log on as WOODGROVEBANK\Roya.
4. Click Start and notice that the Run command is no longer present.
5. Notice that the Control Panel is again absent from the desktop and Start menu.
6. Open Internet Explorer and notice that Internet Explorer again opens properly.

Task 8: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close dialog box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.

Result: At the end of this exercise, you will have resolved a Group Policy objects issue.

Module Review and Takeaways

Review Questions
1. You have assigned a logon script to an OU via Group Policy. The script is located in a shared network folder named Scripts. Some users in the OU receive the script, while others do not. What might be some causes?
2. What log will give folder redirection details?
3. What visual indicator in the GPMC designates that inheritance has been blocked?
4. What GPO settings are applied across slow links by default?
5. Given a choice between a small number of GPOs with many settings or a large number of GPOs with fewer settings, which is preferable?
6. Can you deliver Windows security updates through Group Policy?

Considerations
When configuring user environments using Group Policy, consider the following:
- Policy settings that are Enabled enforce a setting. Policy settings that are Disabled reverse a setting. Policy settings that are Not Configured are not affected by Group Policy.
- Scripts can be applied to the user or computer via Group Policy. Scripts can be written in multiple languages. Storing scripts in the NETLOGON share makes them highly available.
- Certain folders can be redirected from the user's profile to a shared folder on the network. Different security groups can be redirected to different network locations.
- Administrative Templates apply settings by modifying the registry for the user and computer. ADMX files can be customized.
- Software can be distributed via Group Policy through .MSI files. Software can be published to users, or assigned to users or computers. Software assigned to users is specific to that user. Software assigned to computers is available to all users on that computer. Software can be modified, maintained, and removed through Group Policy.

Consider the following when troubleshooting Group Policy:
- Client-side extensions handle the application of Group Policy at regular, configurable intervals. GPO version numbers determine whether a GPO has changed. Not all CSEs process across a slow link. Security settings are reapplied every 16 hours even if no GPO has changed.
- Windows XP and earlier versions log to the Userenv log for most Group Policy issues; you can modify the registry to enable other CSE logs. Windows Vista and later versions log to the Group Policy operational log in Event Viewer.
- Blocking inheritance blocks all higher-level policies from being applied, unless those policies are enforced.
- You can filter Group Policy to apply only to certain security principals by using security filtering (the GPO's permissions) or WMI filters.
- A GPO is made up of two parts: the Group Policy template in SYSVOL and the Group Policy container in AD DS. The two replicate on separate schedules using different mechanisms.
- Windows XP and later versions use Fast Logon Optimization by default: the user logs on with cached credentials and user policy is applied asynchronously, so settings such as folder redirection and software installation require two logons to take effect.
- Windows XP and earlier use ICMP to determine link speed. Windows Vista and later versions use Network Location Awareness to determine link speed.
- Security principals need permission to access script locations so that they can execute scripts.
- Computer startup scripts run synchronously by default. User logon scripts run asynchronously by default.

Tools
Use the following tools when troubleshooting Group Policy issues:
Tool: Use
Ping: Testing network connectivity.
NSlookup: Testing DNS lookups.
DCdiag: Testing domain controllers.
Set: Displaying, setting, or removing environment variables.
Kerbtray: Displaying Kerberos ticket information.
Group Policy reporting (RSoP): Reporting information about the current policies being delivered to clients.
GPResult: A command-line utility that displays RSoP information.
GPOTool: Checking Group Policy object consistency and monitoring policy replication.
GPUpdate: Refreshing local and AD DS-based Group Policy settings.
Dcgpofix: Restoring the default Group Policy objects to their original state after initial installation.
GPLogView: Exporting Group Policy-related events from the system and operational logs into text, HTML, or XML files. For use with Windows Vista and later versions.
Group Policy Management scripts: Sample scripts that perform a number of different troubleshooting and maintenance tasks.

Module 8
Implementing Security Using Group Policy
Contents:
Lesson 1: Configuring Security Policies 8-3
Lesson 2: Implementing Fine-Grained Password Policies 8-15
Lab A: Implementing Security Using Group Policy 8-20
Lesson 3: Restricting Group Membership and Access to Software 8-26
Lesson 4: Managing Security Using Security Templates 8-34
Lab B: Configuring and Verifying Security Policies 8-43

Module Overview

Failure to have adequate security policies can lead to many risks for an organization. A well designed security policy helps to protect an organizations investment in business information and internal resources, like hardware and software. Having a security policy in itself is not enough, however. You must implement the policy for it to be effective. You can leverage Group Policy to standardize security to control the environment.

Lesson 1

Configuring Security Policies

Group Policy provides settings you can use to implement and manage security in your organization. For example, you can use Group Policy settings to secure passwords, startup, and permissions for system services. In this lesson, you will learn the knowledge and skills necessary to configure security policies.

What Are Security Policies?

Key Points
Security policies are rules that protect resources on computers and networks. Group Policy allows you to configure many of these rules as Group Policy settings. For example, you can configure password policies as part of Group Policy. Group Policy has a large security section to configure security for both users and computers. This way, you can apply security consistently across organizational units (OUs) in Active Directory Domain Services (AD DS) by defining security settings in a Group Policy object that is associated with a site, domain, or OU.

What Are Account Policies?

Key Points
Account policies protect your organization's accounts and data by mitigating the threat of brute-force guessing of account passwords. In Microsoft Windows operating systems, and many other operating systems, the most common method for authenticating a user's identity is a secret password. Securing your network environment requires that all users use strong passwords. Password policy settings control the complexity and lifetime of passwords, and you can configure them through Group Policy. The policy settings under Account Policies should always be configured at the domain level: configuring these policy settings at any other Active Directory level affects only the local accounts on member computers at those levels. In a domain at the Windows Server 2008 domain functional level, fine-grained password policies (covered in Lesson 2) are the supported way to give specific users or global security groups different password and lockout settings.

Question: You must ensure that all users change their password exactly every 30 days. How would you configure account policies to accomplish this?

What Are Local Policies?

Key Points
Every Windows 2000 Server or later computer has a Local Group Policy Object (LGPO). In this object, Group Policy settings are stored on the individual computer, regardless of whether it is part of an Active Directory environment. The LGPO is stored in a hidden folder named %windir%\System32\GroupPolicy. This folder does not exist until you configure an LGPO. Windows Vista and Windows Server 2008 add Multiple Local Group Policy objects (Administrators, Non-Administrators, and per-user), but Account Policies remain computer-wide settings. When the computer is a domain member, domain-based GPOs override conflicting LGPO settings.

Question: You have a Microsoft Windows Vista client that is not joined to the domain. You want to force the Administrators to change their passwords every seven days, while standard users change their passwords every 21 days. How would you configure the local policy to achieve this?

What Are Network Security Policies?

Key Points
Automating client computer configuration settings is an essential step to reduce the cost of deploying network security, and to minimize support issues that result from incorrectly configured settings. Starting with Windows Server 2003, you were able to automate client wireless configuration using the Wireless Network Policies settings in Group Policy. Microsoft Windows Server 2008 and Windows Vista include new features for network policies, and Group Policy support for 802.1X authentication settings for wired and wireless connections.

Question: How does your organization implement Group Policy to restrict access to wireless networks?


Windows Firewall with Advanced Security

Key Points
Windows Vista and Windows Server 2008 include a new and enhanced version of Windows Firewall. The new Windows Firewall is a stateful host-based firewall that allows or blocks network traffic according to its configuration. Windows Firewall with Advanced Security allows you to create the following rules:

• Program rule: This type of rule allows traffic for a particular program. You can identify the program by program path and executable name.
• Port rule: This type of rule allows traffic on a particular TCP or User Datagram Protocol (UDP) port number or range of port numbers.
• Predefined rule: Windows includes a number of Windows functions that you can enable, such as File and Printer Sharing, Remote Assistance, and Windows Collaboration. Creating a predefined rule actually creates a group of rules that allows the specified Windows functionality to access the network.
• Custom rule: A custom rule allows you to create a rule that you may not be able to create using the other types of rules.


The default behavior of the new Windows Firewall is to:

• Block all incoming traffic unless it is solicited or it matches a configured rule.
• Allow all outgoing traffic unless it matches a configured rule.

Question: You want to ensure that users are not allowed to use the Telnet service to connect to any other computers. How would you accomplish this?


Demonstration: Overview of Additional Security Settings

Key Points
• Create a wired network policy and see the available options.
• Create a Windows Vista wireless network policy, and see the options available.
• Demonstrate how you can control services.
• Demonstrate how you can control registry and file-system permissions.
• Demonstrate the Windows Firewall with Advanced Security options.
• Create some different types of rules as examples.
• Explore some of the predefined rules.

Question: You need to ensure that a particular service is not allowed to run on any of your network servers. How would you accomplish this?


Default Domain Controller Policies

Key Points
The Default Domain Controllers Policy is linked to the Domain Controllers OU. This policy generally affects only domain controllers, because by default, computer accounts for domain controllers are kept in the Domain Controllers OU.

Question: Provide at least one example of a Default Domain Controllers Policy setting that your organization has customized.

Question: You need to grant an ordinary user the right to log on locally to domain controllers. In which of the default policies should you configure this setting?


What Is the Default Domain Security Policy?

Key Points
The Default Domain Policy is linked to the domain, and therefore affects all objects in the domain unless a GPO that you applied at a lower level blocks or overrides these settings. This policy has very few settings configured by default.

Note: Although you typically configure the Default Domain Policy to deliver Account Policies, any domain-level policy is capable of delivering Account Policies to the domain. If you configure multiple domain-level policies to provide Account Policies, the policy with the highest priority will win.

Question: If multiple policies are configured at the domain level, what determines the processing priority?


Demonstration: What Is the Default Domain Controller Security Policy?

Key Points
• Open the Default Domain Controllers Policy.
• Explore the default audit policy.
• Explore the user rights configuration.
• Explore the security options.
• Discuss the differences from the Default Domain Policy.

Question: What is the default Group Policy refresh interval for domain controllers?


Characteristics of Security Policy Settings

Key Points
Security policies protect the integrity of the computing environment by controlling many aspects of it, such as password policies, security options, restricted groups, network policies, services, public key policies, and so on.

Characteristics of Security Policies


• Security policies are refreshed every 16 hours even if they have not changed.
• Security policies are always processed, even across slow connections.

Question: You have configured a password policy in a GPO and linked that policy to the Research OU. The policy is not affecting domain users in the OU. What is the problem?


Lesson 2

Implementing Fine-Grained Password Policies

In Windows Server 2008, using fine-grained password policies, you can allow different password requirements and account lockout policies for different Active Directory users or groups. In this lesson, you will learn the knowledge and skills to implement fine-grained password policies.


What Are Fine-Grained Password Policies?

Key Points
In previous versions of AD DS, you could apply only one password and account lockout policy to all users in the domain. Fine-grained password policies allow you to have different password requirements and account lockout policies for different Active Directory users or groups. This is desirable when you want different sets of users to have different password requirements, but do not want separate domains. For example, the Domain Admins group may need strict password requirements to which you do not want to subject ordinary users. If you do not implement fine-grained password policies, the normal default domain account policies apply to all users.

Question: How would you use fine-grained password policies in your environment?


How Fine-Grained Password Policies Are Implemented

Key Points
To store fine-grained password policies, Windows Server 2008 includes two new object classes in the Active Directory schema. They are:

• Password Settings Container (PSC)
• Password Settings Object (PSO)

The PSC object is created by default under the System container in the domain, and stores that domain's PSOs. You cannot rename, move, or delete this container.

Question: How could you view the Password Settings Container in Active Directory Users and Computers?


Implementing Fine-Grained Password Policies

Key Points
There are three major steps involved in implementing fine-grained password policies:

1. Create the necessary groups, and add the appropriate users.
2. Create PSOs for all defined password policies.
3. Apply PSOs to the appropriate users or global security groups.

Question: In your organization, a number of users deal with confidential files on a regular basis. You need to ensure that all these users have strict account polices enforced. The user accounts are scattered across multiple OUs. How would you accomplish this with the least administrative effort?


Demonstration: Implementing Fine-Grained Password Policies

Key Points
• Follow the steps in the step-by-step guide to create a PSO named 7Days that forces the administrator to change passwords every seven days.
• Use the values given in the step-by-step guide to fill in the ADSI Edit wizard.

Question: What utilities can be used to manage PSOs? Choose all that apply.
a. ADSI Edit
b. GPMC
c. CSVDE
d. LDIFDE
e. NTDSUtil
f. Active Directory Users and Computers


Lab A: Implementing Security Using Group Policy

Scenario
Woodgrove Bank has decided to implement Group Policy to configure security for users and computers in the organization. The company recently upgraded all of the workstations to Windows Vista, and all of the servers to Windows Server 2008. The organization wants to utilize Group Policy to implement security settings for the workstations, servers, and users.
Note: Some of the tasks in this lab are designed to illustrate GPO management techniques and settings, and may not always follow best practices.


Exercise 1: Configuring Account and Security Policy Settings


You have been tasked to implement a domain account policy with the following criteria:

• Domain passwords will be eight characters.
• Strong passwords will be enforced.
• Passwords will be changed exactly every 20 days.
• Accounts will be locked out for 30 minutes after five invalid logon attempts.

You also will configure a local policy on the Windows Vista client that enables the local Administrator account, and prohibits access to the Run menu for Non-Administrators. Then you will create a wireless network policy for Windows Vista that creates a profile for the Corp wireless network. This profile will define 802.1X as the authentication method. This policy also will deny access to a wireless network named Research. Finally, you will configure a policy to prevent the Windows Installer service from running on any domain controller.

The main tasks in this exercise are:
1. Start the virtual machine, and log on as Administrator.
2. Create an account policy for the domain.
3. Configure local policy settings for a Windows Vista client.
4. Create a wireless network GPO for Windows Vista clients.
5. Configure a GPO that prohibits a service on all domain controllers.

Task 1: Start the virtual machines, and then log on


1. On your host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
4. Minimize the Lab Launcher window.


Task 2: Create an account policy for the domain


1. Launch the Group Policy Management Console.
2. In the Group Policy Management console pane, expand Forest: WoodgroveBank.com, expand Domains, expand WoodgroveBank.com, and then click Group Policy Objects.
3. In the details pane, right-click Default Domain Policy, and then click Edit.
4. In the Group Policy Management Editor, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Account Policies.
5. Edit the Account Policy in the Default Domain Policy with the following values:

Password Policy:
• Domain passwords: 8 characters in length
• Strong passwords: enforced
• Minimum password age: 19 days
• Maximum password age: 20 days

Account Lockout Policy:
• Account lockout threshold: 5 invalid logon attempts
• Account lockout duration: 30 minutes
• Lockout counter: reset after 30 minutes

Task 3: Configure local policy settings for a Windows Vista client


1. Start NYC-CL1 and log on as WoodgroveBank\Administrator using the password Pa$$w0rd.
2. Create a new MMC, and then add the snap-in for the Group Policy Object Editor for the Local Computer.
3. Open Computer Configuration, Windows Settings, open Security Settings, open Local Policies, open Security Options, and then enable the Accounts: Administrator Account Status setting.
4. Add the Group Policy Object Editor snap-in to the MMC again, and then click Browse.


5. Click the Users tab, select the Non-Administrators group, click OK, and then click Finish.
6. Open User Configuration, Administrative Templates, click the Start Menu and Taskbar folder, and then enable the Remove Run from Start Menu setting.
7. Close the MMC without saving the changes.

Task 4: Create a wireless network GPO for Windows Vista clients


1. On NYC-DC1, in the GPMC, create a new GPO named Vista Wireless.
2. Edit the GPO by right-clicking Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies, and then clicking Create a New Windows Vista Policy.
3. In the New Vista Wireless Network Policy dialog box, click Add, and then click Infrastructure.
4. Create a new profile named Corporate, and then in the Network Name (SSID) field, type Corp.
5. Click the Security tab, change the Authentication method to Open with 802.1X, and then click OK.
6. Click the Network Permissions tab, and then click Add.
7. Type Research in the Network Name (SSID) field, set the Permission to Deny, and then click OK twice.
8. Close the Group Policy Management Editor, and then leave the GPMC open.

Task 5: Configure a policy that prohibits a service on all domain controllers


1. Edit the following to disable the Windows Installer service: Default Domain Controllers Policy, Computer Configuration, Policies, Windows Settings, Security Settings, and System Services.
2. Close the Group Policy Management Editor and leave the GPMC open.

Result: At the end of this exercise, you will have configured account and security policy settings.


Exercise 2: Implementing Fine-Grained Password Policies


Your corporate security policy dictates that members of the IT Administrative group will have strict password policies. The passwords must meet the following criteria:

• 30 passwords will be remembered in password history.
• Domain passwords will be 10 characters.
• Strong passwords will be enforced.
• Passwords will not be stored with reversible encryption.
• Passwords will be changed every seven days exactly.
• Accounts will be locked out for 30 minutes after three invalid logon attempts.

You will create a fine-grained password policy to enforce these policies for the IT Admins global group. The main tasks are as follows:
1. Create a PSO using ADSI Edit.
2. Assign the ITAdmin PSO to the IT Admins global group.

Task 1: Create a PSO using ADSI edit


1. On NYC-DC1, in the Run menu, type adsiedit.msc, and then press ENTER.
2. Right-click ADSI Edit, click Connect to, and then click OK to accept the defaults.
3. Navigate to DC=woodgrovebank, DC=com, CN=System, CN=Password Settings Container, right-click CN=Password Settings Container, and then create a new object.
4. In the Create Object dialog box, click msDS-PasswordSettings, and then click Next.
5. In the Value box, type ITAdmin.
6. In the msDS-PasswordSettingsPrecedence value, type 10.
7. In the msDS-PasswordReversibleEncryptionEnabled value, type FALSE.
8. In the msDS-PasswordHistoryLength value, type 30.
9. In the msDS-PasswordComplexityEnabled value, type TRUE.


10. In the msDS-MinimumPasswordLength value, type 10.
11. In the msDS-MinimumPasswordAge value, type -5184000000000.

Note: PSO values are time-based values entered using the integer8 format. Integer8 is a 64-bit number that represents the amount of time, in 100-nanosecond intervals, that has passed since 12:00 AM January 1, 1601.

12. In the msDS-MaximumPasswordAge value, type -6040000000000.
13. In the msDS-LockoutThreshold value, type 3.
14. In the msDS-LockoutObservationWindow value, type -18000000000.
15. In the msDS-LockoutDuration value, type -18000000000, and then click Finish.
16. Close the ADSI Edit MMC without saving changes.
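The note describes the integer8 format but not how a duration becomes one of these values. The following Python, added here and not part of the course, converts a duration in seconds or days into the negative integer8 that a PSO duration attribute takes, and back again; the function names are the example's own. Translating the lab's values back is the kind of check worth doing before a PSO goes into production: -5184000000000 is exactly 6 days and -18000000000 is 30 minutes, while -6040000000000 is about 6.99 days (exactly 7 days would be -6048000000000).

```python
"""Convert between durations and the integer8 values that PSO duration
attributes (msDS-MaximumPasswordAge, msDS-LockoutDuration, ...) store.

Added example, not course material. A duration is stored as a negative
64-bit count of 100-nanosecond intervals (a positive integer8 is a
timestamp counted from 1 January 1601, which is why PSO durations are
entered with a leading minus sign). Function names are the example's own.
"""

TICKS_PER_SECOND = 10_000_000   # 100-nanosecond intervals per second
SECONDS_PER_DAY = 86_400


def seconds_to_integer8(seconds: float) -> int:
    """Negative integer8 for a duration, e.g. 7 days -> -6048000000000."""
    if seconds < 0:
        raise ValueError("duration must not be negative")
    return -round(seconds * TICKS_PER_SECOND)


def days_to_integer8(days: float) -> int:
    """Convenience wrapper for durations given in days."""
    return seconds_to_integer8(days * SECONDS_PER_DAY)


def integer8_to_seconds(value: int) -> float:
    """Duration in seconds for a value read back from ADSI Edit."""
    if value > 0:
        raise ValueError("a positive integer8 is a timestamp, not a duration")
    return -value / TICKS_PER_SECOND


def describe(value: int) -> str:
    """Readable form: minutes below one day, otherwise days with two decimals."""
    seconds = integer8_to_seconds(value)
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 60:g} minutes"
    return f"{seconds / SECONDS_PER_DAY:.2f} days"


# Values typed in Lab A, Exercise 2, Task 1
LAB_VALUES = {
    "msDS-MinimumPasswordAge": -5184000000000,
    "msDS-MaximumPasswordAge": -6040000000000,
    "msDS-LockoutObservationWindow": -18000000000,
    "msDS-LockoutDuration": -18000000000,
}


def lab_durations() -> dict:
    """Each lab value translated back into a readable duration."""
    return {attr: describe(raw) for attr, raw in LAB_VALUES.items()}


if __name__ == "__main__":
    for attr, text in lab_durations().items():
        print(f"{attr:32} {LAB_VALUES[attr]:>16}  = {text}")
    print("exactly 7 days ->", days_to_integer8(7))
```

Because these attributes are typed as raw integers in ADSI Edit, a dropped or extra zero silently changes a policy by a factor of ten; converting the stored value back, as lab_durations() does, catches that before users are affected.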

Task 2: Assign the ITAdmin password policy to the IT Admins global group
1. Open Active Directory Users and Computers.
2. Click View, and then click Advanced Features.
3. Expand Woodgrovebank.com, expand System, and then click Password Settings Container.
4. In the details pane, right-click the ITAdmin PSO, and then click Properties.
5. Click the Attribute Editor tab, scroll down, select the msDS-PSOAppliesTo attribute, and then click Edit.
6. Add the ITAdmins_WoodgroveGG group.
7. Close Active Directory Users and Computers.
Result: At the end of this exercise, you will have implemented fine-grained password policies.


Lesson 3

Restricting Group Membership and Access to Software

In a large network environment, one of the challenges of network security is controlling the membership of built-in groups in the directory and on workstations. Another concern is preventing access to unauthorized software on workstations.


What Is Restricted Group Membership?

Key Points
In some cases, you may want to control the membership of certain groups in a domain to prevent addition of other user accounts to those groups, such as the local administrators group. You can use the Restricted Groups policy to control group membership. Use the policy to specify what members are placed in a group. If you define a Restricted Groups policy and refresh Group Policy, any current member of a group that is not on the Restricted Groups policy members list is removed. This can include default members, such as domain administrators. Although you can control domain groups by assigning Restricted Groups policies to domain controllers, you should use this setting primarily to configure membership of critical groups like Enterprise Admins and Schema Admins. You also can use this setting to control the membership of built-in local groups on workstations and member servers. For example, you can place the Helpdesk group into the local Administrators group on all workstations.


You cannot specify local users in a domain GPO. Any local users who currently are in the local group that the policy controls will be removed. The only exception is that the local Administrator account will always remain in the local Administrators group.

Question: Your company has five Web servers physically located across North America. The Web servers' computer accounts are all located in a single OU. You want to grant all the users in the global group named Web_Backup the right to back up and restore the Web servers. How could you use Group Policy to accomplish this?


Demonstration: Configuring Restricted Group Membership

Key Points
• Create and link a new Group Policy to the ITAdmins OU.
• Add the Administrators group to the GPO's Restricted Groups list.
• Configure the Administrators group membership to include Domain Admins and the ITAdmins_WoodgroveGG global group.
• Move the Windows Vista client into the ITAdmins OU, and then force the update of Group Policy on the client.

Question: You created a Group Policy that adds the Helpdesk group to the local Administrators group and you linked the policy to an OU. Now the Domain Administrators no longer have any administrative authority on the computers in that OU. What is the most likely problem and how would you solve it?


What Is a Software Restriction Policy?

Key Points
You may want to restrict access to software to prevent users from running particular applications or types of applications, such as VBScript scripts. Software restriction policy provides administrators with a policy-driven mechanism for identifying software and controlling its ability to run on a client computer.

Question: You have a number of computers in a workgroup. You need to restrict access to a certain application so that only members of the Administrators group are allowed to launch the application. How would you accomplish this?


Options for Configuring Software Restriction Policies

Key Points
Software Restriction Policies use rules to determine whether an application is allowed to run. When you create a rule, you first identify the application. Next, you identify it as an exception to the default policy setting of Unrestricted or Disallowed. The enforcement engine queries the rules in the software restriction policy before allowing a program to run.

• Unrestricted security level allows all software to run according to the user's normal permissions, except for software that is identified specifically as an exception to the rule.
• Basic security level allows programs to execute as a user that does not have Administrator access rights, but can still access resources accessible by normal users.


• Disallowed security level does not allow any software to run on the client computer except for software that is identified specifically as an exception to the rule.

Note: You should apply the Disallowed security level only in very high-security or locked-down environments. It can be difficult to manage because each allowed application must be identified individually, and because you might need to update the policy each time a service pack is applied to a software package.

Question: You need to restrict access to a certain application no matter into what directory location the application is installed. What type of rule should you use?
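The question above turns on how the rule types identify software. The following Python is an added example, not Microsoft's implementation and not course material: a small model of SRP evaluation with a default level of Unrestricted or Disallowed, hash rules that identify a file by its contents, and path rules that match a location with wildcards. Windows evaluates hash rules before path rules, and the model does the same. The "programs" are constructed byte strings and SHA-256 stands in for the digests Windows stores in a hash rule. Under the rules from Lab B it shows that a hash rule still applies when the executable is copied to another folder, and under a Disallowed default it shows why a patched binary stops matching its hash exception, the maintenance burden the note describes.

```python
"""Toy evaluator for software restriction policy (SRP) decisions.

Added example, not Microsoft's implementation and not course material.
It models the module's rule types: a default security level, hash rules
(file identified by its contents) and path rules (location with * and ?
wildcards). Hash rules are checked before path rules, as Windows does.
Sample "programs" are constructed byte strings; SHA-256 stands in for
the digests a real hash rule stores.
"""
import fnmatch
import hashlib
from dataclasses import dataclass, field

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"


@dataclass
class Policy:
    default_level: str = UNRESTRICTED
    hash_rules: dict = field(default_factory=dict)   # digest -> security level
    path_rules: dict = field(default_factory=dict)   # wildcard pattern -> security level


def file_hash(content: bytes) -> str:
    """Digest of the file's contents; the same bytes hash the same anywhere."""
    return hashlib.sha256(content).hexdigest()


def evaluate(policy: Policy, path: str, content: bytes) -> str:
    """Return the security level that applies to a program at `path`."""
    digest = file_hash(content)
    if digest in policy.hash_rules:
        return policy.hash_rules[digest]
    for pattern, level in policy.path_rules.items():
        # Path rules are case-insensitive and accept * and ? wildcards.
        if fnmatch.fnmatchcase(path.lower(), pattern.lower()):
            return level
    return policy.default_level


# Constructed stand-ins for real executables
IEXPLORE_BYTES = b"constructed stand-in for iexplore.exe"
NOTEPAD_BYTES = b"constructed stand-in for notepad.exe"

# Rules from Lab B, Exercise 2: hash rule for Internet Explorer, path rule for *.vbs
LAB_POLICY = Policy(
    default_level=UNRESTRICTED,
    hash_rules={file_hash(IEXPLORE_BYTES): DISALLOWED},
    path_rules={"*.vbs": DISALLOWED},
)


def lab_decisions() -> dict:
    """Decisions under LAB_POLICY; the hash rule follows the file when it is moved."""
    return {
        "ie_installed_path": evaluate(LAB_POLICY, r"C:\Program Files\Internet Explorer\iexplore.exe", IEXPLORE_BYTES),
        "ie_copied_elsewhere": evaluate(LAB_POLICY, r"D:\Tools\browser.exe", IEXPLORE_BYTES),
        "notepad": evaluate(LAB_POLICY, r"C:\Windows\notepad.exe", NOTEPAD_BYTES),
        "logon_script": evaluate(LAB_POLICY, r"C:\Scripts\Logon.VBS", b"WScript.Echo 1"),
    }


def locked_down_decisions() -> dict:
    """Default Disallowed with one hash exception: an update to the allowed
    binary changes its digest, so the rule has to be refreshed after each patch."""
    policy = Policy(default_level=DISALLOWED,
                    hash_rules={file_hash(NOTEPAD_BYTES): UNRESTRICTED})
    patched = NOTEPAD_BYTES + b" (service pack applied)"
    return {
        "notepad": evaluate(policy, r"C:\Windows\notepad.exe", NOTEPAD_BYTES),
        "notepad_patched": evaluate(policy, r"C:\Windows\notepad.exe", patched),
        "unknown_tool": evaluate(policy, r"C:\Temp\tool.exe", b"unknown binary"),
    }


if __name__ == "__main__":
    for name, level in lab_decisions().items():
        print(f"lab         {name:20} {level}")
    for name, level in locked_down_decisions().items():
        print(f"locked-down {name:20} {level}")
```

The two result sets make the trade-off concrete: a hash rule answers the question's "no matter which directory" requirement, but every hash rule is tied to one exact build of the file, which is what makes a Disallowed default expensive to maintain.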


Demonstration: Configuring Software Restriction Policies

Key Points
• Create a hash rule to disallow Microsoft Internet Explorer.
• Log off and log on to test the rule.

Note: Internet zone rules only apply to software that uses the Windows installer.

Question: You want to ensure that only digitally signed Visual Basic scripts are allowed to run. What type of rule should you use?


Lesson 4

Managing Security Using Security Templates

A security policy is a group of security settings that affect a computer's security. You can use a security policy to establish account and local policies on your local computer, and in Active Directory. You can create security templates to assist in creating security policies that meet your company's security needs. You can then use these templates to configure the security settings assigned to computers either manually, or through Group Policy.


What Are Security Templates?

Key Points
A security template is a collection of configured security settings. You can use predefined security templates as a base to create security policies that you customize to meet your needs, or you can create new templates. You use the Security Templates snap-in to create or customize templates. After you create a new template or customize a predefined security template, you can use it to configure security on an individual computer or thousands of computers. Security templates contain security settings for all security areas. You apply security templates by using the Security Configuration and Analysis snap-in, the secedit command-line tool, or by importing the template into Local Security Policy.

Question: Provide an example of how security templates can help organize your existing security attributes.


Demonstration Applying Security Templates

Key Points
• Create a new OU named Servers.
• Create a new GPO named Security Baseline, and then link it to the Servers OU.
• Create an MMC with the Security Templates snap-in.
• Create a new security template named Server Baseline.
• Configure some security settings. For example, rename the Administrator account, configure a restricted group, and so on.
• Import the Server Baseline template into the Security Baseline GPO.

Question: You have multiple database servers that are located in different OUs. What is the easiest way to apply consistent security settings to all of the database servers?


What Is the Security Configuration Wizard?

Key Points
The Security Configuration Wizard (SCW) is an attack-surface reduction tool that was introduced with Windows Server 2003 with Service Pack 1 (SP1). SCW assists administrators in creating security policies: it determines the minimum functionality that is required for a server's role or roles, and then disables functionality that is not required. SCW guides you through the process of creating, editing, applying, or rolling back a security policy based on the server's selected roles. The security policies that you create with SCW are XML files that, when applied, configure services, network security, specific registry values, audit policy, and if applicable, Internet Information Services (IIS).

Question: What types of server roles exist in your organization?


Demonstration: Configuring Server Security Using the Security Configuration Wizard

Key Points
• Open the Security Configuration Wizard, and then create a new policy.
• Explore the security configuration database.
• Step through the wizard and notice the various options.
• Save the policy file as C:\baseline.xml.
• Complete the wizard, but choose to apply the policy later.

Question: What types of server roles exist in your organization?


Options for Integrating the Security Configuration Wizard and Security Templates

Key Points
Security policies that you create with the SCW can also include custom security templates. Some of the settings that you can configure using the SCW partially overlap with the settings that you can configure using security templates alone. Neither set of configuration changes is completely inclusive of the other. For example, the SCW includes IIS settings that are not included in any security template. Conversely, security templates can include such items as Software Restriction Policies, which you cannot configure through SCW. SCW saves its security policies as XML files. The scwcmd.exe command-line utility allows you to convert these and save them as GPOs by using the scwcmd.exe transform command. The SCW itself does not support GPOs.

Question: What is the main advantage of the SCW?


Demonstration: Importing Security Configuration Policies into Security Templates

Key Points
• Launch the command prompt.
• Use scwcmd.exe to transform the Baseline.xml policy file that you created in the last demonstration into a GPO named ServerBaseline:

scwcmd transform /p:C:\Baseline.xml /g:ServerBaseline

• Open the GPMC and see that the GPO named ServerBaseline exists.

Question: You need to open a port on your Windows Vista client computers for a custom application. Should you use the SCW or create a security template and use a GPO?


What Is the Security Configuration and Analysis Tool?

Key Points
You can use the Security Configuration and Analysis tool to analyze and configure local system security. Regular analysis enables you to track and ensure an adequate level of security on each computer as part of an enterprise risk management program. You can tune the security levels and, most importantly, detect any security flaws that may occur in the system over time. You also can use Security Configuration and Analysis to configure local system security.
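The analysis the paragraph describes is a comparison of a template's settings with what the computer currently has. The following Python is an added example; it is not the Security Configuration and Analysis snap-in or secedit, and it is not course material. Security templates are INI-style .inf files whose [System Access] section carries the account-policy settings under the key names shown (the names are the format's own). The template text and the snapshot of current settings are constructed for the example, and each setting is reported as match, mismatch or not defined, the same outcomes the snap-in shows. A real template saved by the snap-in is UTF-16 encoded, so read it with encoding="utf-16" before handing the text to parse_template().

```python
"""Analyze a computer's settings against a security template (.inf).

Added example; not the Security Configuration and Analysis snap-in and not
secedit. Templates are INI-style files; the [System Access] section holds
account-policy settings under the key names used below. The template text
and the CURRENT_SETTINGS snapshot are constructed for this example.
"""
import configparser

SERVER_BASELINE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 19
MaximumPasswordAge = 20
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30
NewAdministratorName = "FPAdmin"
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed snapshot of what the computer currently has configured
CURRENT_SETTINGS = {
    "MinimumPasswordAge": "1",
    "MaximumPasswordAge": "42",
    "MinimumPasswordLength": "7",
    "PasswordComplexity": "1",
    "PasswordHistorySize": "24",
    "LockoutBadCount": "0",
    "LockoutDuration": "30",
    "ResetLockoutCount": "30",
    "NewAdministratorName": "Administrator",
}


def parse_template(text: str) -> dict:
    """Parse .inf template text into {section: {key: value}} with quotes stripped."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str            # keep the key names' case
    parser.read_string(text)
    return {
        section: {key: value.strip().strip('"') for key, value in parser[section].items()}
        for section in parser.sections()
    }


def analyze(template: dict, current: dict, section: str = "System Access") -> dict:
    """Compare each template setting in `section` with the computer's value.

    Each entry is (status, template_value, current_value); status is 'match',
    'mismatch', or 'not defined' when the computer has no value for the setting.
    """
    report = {}
    for key, wanted in template.get(section, {}).items():
        actual = current.get(key)
        if actual is None:
            report[key] = ("not defined", wanted, None)
        elif actual == wanted:
            report[key] = ("match", wanted, actual)
        else:
            report[key] = ("mismatch", wanted, actual)
    return report


def mismatches(report: dict) -> list:
    """Names of the settings whose current value differs from the template."""
    return [key for key, (status, _, _) in report.items() if status == "mismatch"]


def run_analysis() -> dict:
    """Analyze the constructed snapshot against the constructed template."""
    return analyze(parse_template(SERVER_BASELINE_INF), CURRENT_SETTINGS)


if __name__ == "__main__":
    for key, (status, wanted, actual) in run_analysis().items():
        print(f"{key:24} {status:12} template={wanted!r:12} computer={actual!r}")
```

Run periodically and diffed against the previous report, mismatches() is the "detect security flaws that occur over time" part of the paragraph: a setting that matched last month and mismatches now has been changed outside the policy.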


Demonstration: Analyzing Security Policy Using the Security Configuration and Analysis Tool

Key Points
• Create a custom security template.
• Import the custom template into the Security Configuration and Analysis tool.
• Run an analysis to compare the current settings to the custom security template.

Question: Provide at least one example of how your organization can benefit from using the Security Configuration and Analysis Tool.


Lab B: Configuring and Verifying Security Policies

Scenario
The enterprise administrator created a design that includes modifications to the default domain security policy, and additional GPOs for configuring security. The company wants to have the flexibility to assign different password policies for specific users. The company also wants to automate the configuration of security settings as much as possible.


Exercise 1: Configuring Restricted Groups and Software Restriction Policies


You need to ensure that the ITAdmins global group is included in the local Administrators group for all of the organization's computers. Domain controllers are considered high security, and Internet Explorer will not be allowed to run on domain controllers. You also will prevent any Visual Basic scripts (VBS) from running on the C: drive of domain controllers. The main tasks are as follows:
1. Configure restricted groups for the local Administrators group.
2. Create a GPO that prohibits Internet Explorer and VBS scripts from running on domain controllers.

Task 1: Configure restricted groups for the local administrators group


1. If required, open the GPMC, open the Group Policy Objects folder, and then edit the Default Domain Policy.
2. Navigate to Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, right-click Restricted Groups, and then click Add Group.
3. Add the Administrators group, and then click OK.
4. In the Administrators Properties dialog box, add the following groups:
   • Woodgrovebank\ITAdmins_WoodgroveGG
   • Woodgrovebank\Domain Admins
5. Close the Group Policy Management Editor.


Task 2: Prohibit Internet Explorer and VBS scripts from running on domain controllers
1. Edit the Default Domain Controllers Policy.
2. Navigate to Windows Settings, expand Security Settings, right-click Software Restriction Policies, and then click New Software Restriction Policy.
3. Right-click Additional Rules, and then click New Hash Rule.
4. Browse and navigate to C:\Program Files\Internet Explorer\iexplore.exe, and then click Open. Ensure that the Security level is Disallowed.
5. Right-click Additional Rules, and then click New Path Rule.
6. In the Path field, type *.vbs and then click OK.
7. Close the Group Policy Management Editor.
Result: At the end of this exercise, you will have configured restricted groups and software restriction policies.


Exercise 2: Configuring Security Templates


You will create a security template for file and print servers that renames the Administrator account and does not display the name of the last user who logged on. You then will use the Security Configuration Wizard to create a security policy that hardens the file and print server and includes the security template. You will use the SCW interface to apply the policy to the file and print server, NYC-SVR1. Finally, you will transform the policy into a GPO named FPSecurity. The main tasks for this exercise are:
1. Create a security template for the file and print servers.
2. Start NYC-SVR1, and disable the Windows Firewall.
3. Run the Security Configuration Wizard and import the FPSecurity template.
4. Transform the FPPolicy into a GPO.

Task 1: Create a security template for the file and print servers
1. On NYC-DC1, create a new MMC, and then add the snap-in for Security Templates.
2. Expand Security Templates, right-click C:\Users\Administrators\Documents\Security\Templates, and then click New Template.
3. Name the template FPSecurity.
4. Navigate to Local Policies, and then Security Options.
5. Define the Accounts: Rename administrator account setting with the value FPAdmin.
6. Set the Interactive Logon: Do not display last user name setting to Enabled.
7. In the folder pane, right-click FPSecurity, and then click Save. Close the MMC without saving the changes.
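The same two settings can be kept as a plain security template file and checked from the command line. The following is an added example (not part of the course and not Microsoft's own material): it writes the FPSecurity settings in the .inf syntax the Security Templates snap-in uses, then runs secedit.exe in analyze mode, which is the command-line counterpart of the Security Configuration and Analysis tool from Lab A and changes nothing on the server. The paths under C:\Temp and the assumption of an elevated PowerShell 2.0 session are the example's own.

```powershell
# Added example, not course material: build the FPSecurity template as an .inf
# file and compare the local server's settings against it with secedit.exe.
# The paths below are assumptions chosen for this example.
$templatePath = 'C:\Temp\FPSecurity.inf'
$dbPath       = 'C:\Temp\FPSecurity.sdb'
$logPath      = 'C:\Temp\FPSecurity.log'

# The two settings from Exercise 2, Task 1, in security template syntax.
# "Rename administrator account" is a [System Access] setting; "Do not display
# last user name" is a policy registry value, written as <type>,<data>
# where type 4 is REG_DWORD.
$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
NewAdministratorName = "FPAdmin"
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
'@

New-Item -ItemType Directory -Path (Split-Path $templatePath) -Force | Out-Null
# secedit expects template files in Unicode (UTF-16).
[System.IO.File]::WriteAllText($templatePath, $template, [System.Text.Encoding]::Unicode)

# Analyze only: compares the live configuration with the template and records
# the differences in the log, the same operation as "Analyze Computer Now" in
# the Security Configuration and Analysis snap-in. Nothing is applied.
& secedit.exe /analyze /db $dbPath /cfg $templatePath /log $logPath /overwrite /quiet

# secedit flags each non-compliant setting with the word "Mismatch" in the log.
$mismatches = Select-String -Path $logPath -Pattern 'Mismatch'
if ($mismatches) {
    Write-Output 'Settings that do not match FPSecurity:'
    $mismatches | ForEach-Object { $_.Line.Trim() }
} else {
    Write-Output 'All FPSecurity settings match the current configuration.'
}
```

To apply the template rather than analyze against it, the same file is passed to `secedit /configure /db ... /cfg ...`; keeping the analyze step separate is what lets you review the differences before any change reaches a production server.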

Task 2: Start NYC-SVR1 and disable the Windows Firewall
1. Start NYC-SVR1 and log on as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
2. Disable the Windows Firewall.


Note: This step is performed to simplify the lab and is not a recommended practice.

Task 3: Run the Security Configuration Wizard and import the FPSecurity template
1. On NYC-DC1, launch the Security Configuration Wizard.
2. On the Welcome page, click Next.
3. On the Configuration Action screen, click Next.
4. On the Select Server screen, type NYC-SVR1.woodgrovebank.com, and then click Next.
5. After the configuration database is processed, click Next.
6. On the Role-Based Service Configuration screen, click Next.
7. On the Select Server Roles screen, clear the checkbox beside DNS Server.
8. Select the checkbox beside File Server.
9. Select the checkbox beside Print Server, and then click Next.
10. On the Select Client Features screen, click Next.
11. On the Select Administration and Other Options screen, click Next.
12. On the Select Additional Services screen, click Next.
13. On the Handling Unspecified Services screen, continue clicking Next until you reach the Security Policy File Name screen.
14. On the Security Policy File Name screen, type FPPolicy at the end of the C:\Windows\security\msscw\policies\ path.
15. Click Include Security Templates, and then click Add.
16. Add the Documents\Security\Templates\FPSecurity template.
17. On the Apply Security Policy screen, click Apply Now, and then click Next.
18. On the Applying Security Policy screen, click Next, and then click Finish.


Task 4: Transform the FPPolicy into a GPO
1. On NYC-DC1, launch the Command Prompt and type scwcmd transform /p:C:\Windows\security\msscw\Policies\FPpolicy.xml /g:FileServerSecurity.
2. Open the GPMC if necessary, and then open the Group Policy Objects folder.
3. Double-click the FileServerSecurity GPO, and then examine the settings. Close the GPMC and log off NYC-DC1.
Result: At the end of this exercise, you will have configured security templates.


Exercise 3: Verifying the Security Configuration


You will log on as various users to test the results of Group Policy. The main tasks for this exercise are:
1. Log on as the Local Administrator of the Windows Vista computer and check the membership of the local administrators group.
2. Log on to the Windows Vista computer as an ordinary user and test the account policy.
3. Log on to the domain controller as the domain administrator and test software restrictions and services.
4. Use Group Policy modeling to test the settings on the file and print server.
5. Close all virtual machines and discard undo disks.

Task 1: Log on as the Local Administrator of the Windows Vista computer and check the membership of the local administrators group
1. Log on to NYC-CL1 as NYC-CL1\administrator with the password Pa$$w0rd.
2. Launch a Command Prompt, and run the GPupdate /force command.
3. Ensure that the Run menu appears in the Accessories folder on the Start menu.
4. Open Control Panel, click User Accounts, click User Accounts, click Manage User Accounts, click the Advanced tab, click Advanced, click Groups, open the Administrators group, and then ensure that the Domain Admins and the ITAdmins global groups are present.
5. Restart NYC-CL1.

Task 2: Log on to the Windows Vista computer as an ordinary user, and test the policy
1. Log on to NYC-CL1 as Woodgrovebank\Roya with the password Pa$$w0rd.
2. Ensure that the Run menu does not appear in the Accessories folder on the Start menu.
3. Press Right-ALT + DELETE, and then click Change a password.
4. In the Old Password field, type Pa$$w0rd. In the New Password and Confirm password fields, type w0rdPa$$.
5. You will not be able to update the password because the minimum password age has not expired.
6. Press Right-ALT + DELETE, and then click Change a password.
7. In the New Password and Confirm password fields, type pa. You will not be able to update the password because the new password does not meet the minimum password length.
8. Log off NYC-CL1.

Task 3: Log on to the domain controller as the domain administrator, and test software restrictions and services
1. Log on to NYC-DC1 as Administrator with the password Pa$$w0rd.
2. Launch a Command Prompt, and then run the GPupdate /force command.
3. Attempt to launch Internet Explorer, read the error message, and then click OK.
4. Navigate to E:\mod08\labfiles, double-click Hello.vbs, read the error message, and then click OK.
5. Open the Services MMC in Administrative Tools. Scroll down to the Windows Installer service, and ensure that its startup type is set to Disabled.

Task 4: Use Group Policy modeling to test the settings on the file and print server
1. Open the GPMC, and then launch the Group Policy Modeling Wizard.
2. Accept all the defaults except on the User and Computer Selection window.
3. Click Computer, and then type Woodgrovebank\NYC-SVR1.
4. After completing the wizard, observe the policy settings.
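The manual checks in Tasks 1 to 3 are the kind of verification that is worth repeating after every policy change, so here is an added example that scripts them (this is not course material and not a Microsoft tool). It reads the local Administrators membership through the WinNT ADSI provider, the domain password policy from the domain object, the Software Restriction Policy rules from the policy registry keys, and the Windows Installer service start mode. The group and service names come from the lab; the level-to-name table, the output format and the assumption of an elevated PowerShell 2.0 session on a domain-joined computer are the example's own.

```powershell
# Added example, not course material: scripts the checks performed by hand in
# Lab B, Exercise 3, Tasks 1-3. Run elevated on a domain-joined computer.
$expectedAdmins = @('ITAdmins_WoodgroveGG', 'Domain Admins')   # from the lab

# Task 1: Restricted Groups. Enumerate the local Administrators group through
# the WinNT ADSI provider (no Active Directory module required).
$localAdmins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$members = @($localAdmins.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})
foreach ($group in $expectedAdmins) {
    $state = if ($members -contains $group) { 'OK' } else { 'MISSING' }
    Write-Output "Administrators contains ${group}: $state"
}

# Task 2: Account policy. The domain object carries the settings that the
# password-change test exercises. minPwdAge is stored as a negative interval
# in 100-nanosecond units, so convert it to days for display.
$domain = [ADSI]"LDAP://$(([ADSI]'LDAP://RootDSE').defaultNamingContext)"
$minLength = [int]$domain.minPwdLength.Value
$minAgeTicks = $domain.ConvertLargeIntegerToInt64($domain.minPwdAge.Value)
$minAgeDays = [math]::Abs($minAgeTicks) / 864000000000
Write-Output "Minimum password length: $minLength; minimum password age: $minAgeDays day(s)"

# Task 3: Software Restriction Policies. Rules are stored beneath
# CodeIdentifiers\<level>: level 0 is Disallowed, 262144 (0x40000) is Unrestricted.
$srpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (Test-Path $srpRoot) {
    Write-Output "SRP default level: $((Get-ItemProperty $srpRoot).DefaultLevel)"
    Get-ChildItem $srpRoot | Where-Object { $_.PSChildName -match '^\d+$' } | ForEach-Object {
        $levelName = switch ([int]$_.PSChildName) {
            0      { 'Disallowed' }
            262144 { 'Unrestricted' }
            default { "level $_" }
        }
        foreach ($kind in 'Paths', 'Hashes') {
            $ruleKey = Join-Path $_.PSPath $kind
            if (Test-Path $ruleKey) {
                Get-ChildItem $ruleKey | ForEach-Object {
                    $rule = Get-ItemProperty $_.PSPath
                    # Path rules keep the pattern in ItemData; hash rules keep the
                    # hash bytes there and a file description in FriendlyName.
                    $target = if ($kind -eq 'Paths') { $rule.ItemData } else { $rule.FriendlyName }
                    Write-Output "SRP $kind rule: $target -> $levelName"
                }
            }
        }
    }
} else {
    Write-Output 'No Software Restriction Policy is applied to this computer.'
}

# Task 3, service check: the Windows Installer service should be Disabled.
$msi = Get-WmiObject -Class Win32_Service -Filter "Name='msiserver'"
Write-Output "Windows Installer start mode: $($msi.StartMode)"
```

Run it once on NYC-CL1 for the Restricted Groups and password policy results and once on NYC-DC1 for the Software Restriction Policy and service results; a MISSING member or an empty rule list after `gpupdate /force` is the first sign that the GPO is not being applied where you expect.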


Task 5: Close all virtual machines and discard undo disks
1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.
Result: At the end of this exercise, you will have verified the security configuration.


Module Review and Takeaways

Considerations for Implementing Security Using Group Policy

Consider the following when implementing security using Group Policy:
The Default Domain Policy and the Default Domain Controllers Policy are created by default.
Account policies must be implemented at the domain level. Any domain-level policy is capable of delivering account policies.
Clients receive account policies from domain controllers.
Local policies generally affect all users of the local computer, including domain users.
Network security policies can control wireless configuration for Windows XP and later.
Network security policies can control wired configuration for Windows Vista and later.
Windows Firewall supports outbound rules.
Network awareness can automatically determine your firewall profile.
Firewall settings and IPsec settings are now integrated.
Fine-grained passwords allow different users or global groups to have different account policies.
Fine-grained policies are not delivered through Group Policy.
Fine-grained policies must be created using ADSIedit or LDIFDE.
Both domain and local group membership can be controlled through Group Policy.
Access to software can be controlled through Group Policy.
Local administrators can be exempted from software restrictions.
There are four rule types to control access to software.
Security templates can be used to provide a consistent set of security settings.
The Security Configuration Wizard can be used to assist in creating security policies.

Review Questions
1. You want to place a software restriction policy on a new type of executable file. What must you do before you can create a rule for this executable code?
2. What setting must you configure to ensure that users are only allowed 3 invalid logon attempts?
3. You want to provide consistent security settings for all client computers in the organization. The computer accounts are scattered across multiple OUs. What is the best way to provide this?
4. An administrator in your organization has accidentally modified the Default Domain Controller Policy. You need to restore the policy to its original default settings. How would you accomplish this?


Module 9
Configuring Server Security Compliance
Contents:
Lesson 1: Securing a Windows Infrastructure 9-3
Lesson 2: Overview of EFS 9-9
Lesson 3: Configuring an Audit Policy 9-13
Lesson 4: Overview of Windows Server Update Services (WSUS) 9-20
Lesson 5: Managing WSUS 9-32
Lab: Manage Server Security 9-40


Module Overview

This module explains how to secure servers, secure data on servers, and maintain update compliance. It also details how to configure an audit policy and manage updates using Windows Server Update Services (WSUS). Because keeping servers and workstations updated with the most recent software updates helps increase security, it is important to automate software updates. WSUS helps administrators use automation to deploy software updates with less effort and more control.


Lesson 1

Securing a Windows Infrastructure

This lesson explains how to secure a server role within a Microsoft Windows infrastructure. As organizations expand the availability of network data, applications, and systems, it becomes more challenging to ensure network infrastructure security. Security technologies in the Microsoft Windows Server 2008 operating system enable organizations to provide better protection for their network resources and organizational assets in increasingly complex environments and business scenarios.


Discussion: Challenges of Securing a Windows Infrastructure

Key Points
Discuss the challenges of securing a Windows infrastructure.


Applying Defense-in-Depth to Increase Security

Key Points
The layers of defense provide a view of your environment, area by area, that you should consider when designing your network's security defenses. You can modify the detailed definitions of each layer based on your organization's security priorities and requirements. The following list gives an example of what you could address at each level of defense:
Data. An organization's primary concerns at this layer are business and legal issues that may arise from data loss or theft, and operational issues that vulnerabilities may expose at the host or application layers.
Application. An organization's primary concerns at this layer are access to the binary files that comprise applications, access to the host through vulnerabilities in the application's listening services, or inappropriate gathering of specific system data to pass to someone who can use it for their own purposes.
Host. An organization's primary concerns at this layer are preventing access to the binary files that comprise the operating system, and access to the host through vulnerabilities in the operating system's listening services.
Internal network. The risks to an organization's internal network largely concern the sensitive data that it transmits via the network. The connectivity requirements for client workstations on these internal networks also pose a number of risks.
Perimeter network. The primary risks at this layer focus on the available Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports that the network uses.
Physical security. An organization's primary concern at this layer, if using antivirus systems, is to stop infected files from bypassing the perimeter and internal network defenses.
Policies, procedures, and awareness. It is important for you to promote awareness in your organization to all interested parties. In many cases, ignorance of a risk can lead to a security breach. For this reason, training also should be an integral part of any security model.

Question: What is the most important part of the defense-in-depth security model?


Core Server Security Practices

Key Points
Without physical security, you have no security. Core server-security practices are relatively easy to adopt, and you should integrate them into the standard security configuration of all servers. Some of your core server-security practices should include:
Apply the latest service packs, and all available security and critical updates.
Use the Security Configuration Wizard to scan and implement server security based on server roles.
Use Group Policy and security templates to harden servers and lessen the attack footprint.
Restrict the scope of access for service accounts, which lessens the damage should the account be compromised.
Use security options to restrict who can log on locally to server consoles.
Restrict physical and network access to servers.

Question: Does your company have a detailed "build sheet" for all new installations that occur on new hardware? What can you do to lessen the attack footprint on your infrastructure?


Lesson 2

Overview of EFS

Data encryption on the filesystem is an important part of securing server data. The Encrypting File System (EFS) integrates with NTFS to provide data encryption for files. Encrypting a file with EFS is straightforward: users can select a checkbox and the file will be encrypted. BitLocker Drive Encryption can be used to protect operating system files on a server that has been physically compromised.


What Is Encrypting File System?

Key Points
Encrypting File System (EFS) is a system for encrypting data files that is included as part of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. EFS generates a unique symmetric encryption key to encrypt each file. The symmetric key is stored, itself encrypted, in the file header. Encrypting or decrypting a file or folder occurs when a user opens the advanced properties and checks or clears the Encrypt contents to secure data checkbox.

Question: Why would EFS be used to encrypt data in addition to using NTFS permissions?


What Is BitLocker Drive Encryption?

Key Points
BitLocker Drive Encryption is a system that encrypts the entire operating system volume. Encryption of additional data volumes is also an option. Encryption keys are handled automatically in the background with little overhead.

Question: In what scenario would BitLocker be useful on a server?


Troubleshooting EFS

Key Points
When you encounter issues with EFS, first determine the circumstances under which the error occurs:
Does the error affect multiple users or one user?
Is the error with a local or remote file?
Does the error occur during encryption or decryption?

Based on the information you gather about the issue, you can focus on the probable causes.

Question: Have you faced any EFS troubleshooting scenarios in your work environment? If so, how did you approach them?


Lesson 3

Configuring an Audit Policy

You can configure an audit policy that records user or system activity in specified event categories. Additionally, you can monitor security-related activity, such as who accesses an object, if a user logs on or off a computer, or if changes occur to an auditing policy setting. As a best practice, you should create an audit plan before implementing audit policy.


What Is Auditing?

Key Points
Auditing is the process that tracks user activity by recording selected events in a server or workstation security log. The most common types of events to audit are:
Access to objects, such as files and folders.
Management of user and group accounts.
Users logging on and off the system.

Question: List three reasons that you may want to audit certain areas of a system or a particular shared resource.


What Is an Audit Policy?

Key Points
An audit policy determines the security events that are reported to the network administrator. When you implement an audit policy:
Specify the categories of events that you want to audit.
Set the size and behavior of the security log.
Audit directory service access or object access by determining for which objects you are monitoring access and what type of access you want to monitor. For example, if you want to audit any attempts by users to open a particular file, you can configure auditing policy settings in the object access event category so that both successful and failed attempts to read a file are recorded.

Question: Provide an example of why you would want to log successful events and failure events, as opposed to only failure events.


Types of Events to Audit

Key Points
Before you implement an auditing policy, you must decide which event categories to audit. The auditing settings that you choose for the event categories define your auditing policy. Auditing settings for the event categories are undefined by default on member servers and workstations that are joined to a domain. Domain controllers turn on auditing by default. You can create an auditing policy that suits your organization's security needs by defining auditing settings for specific event categories.

Question: What categories of events does your company presently audit? If your company is not auditing, what event categories would you like to see audited in your organization?


Troubleshooting Audit Policy

Key Points
After you configure auditing, the service may not work. This behavior can occur for any of the following reasons:
A site, a domain, or an organizational unit policy setting overrides the audit policy that you configured. To troubleshoot this issue, open the Audit Policy, and view the Security Setting of the policy. If the security setting of the policy is No auditing, a higher-level GPO may be overriding the audit policy setting that you configured. To confirm this behavior, view the higher-level GPO items that are linked to either the organizational unit or to the domain for possible conflicts.
A GPO that overrides the audit policy setting has a higher priority. To troubleshoot this issue, in Active Directory Users and Computers, view the properties of your domain. Then view the Group Policy Object Links list on the Group Policy tab. Items that are higher in the list override other lower-level items. If the GPO that contains your audit policy setting is listed below a higher-priority GPO item that turns off auditing, do one of the following steps:
Click the GPO that contains the audit policy setting that you want to use, and then click Up to move it above the higher-priority item in the list.
Edit the GPO items that are listed above the GPO that contains the audit policy setting to remove conflicting policy settings.

The site, the domain, or the organizational unit policy setting that contains the audit policy setting has not replicated to other computers. To resolve this issue, use the Secedit.exe command-line utility to force Group Policy to be refreshed.

Object Access Auditing
Inheritance affects file and folder auditing. After you set up auditing on a parent folder, new files and subfolders that are created in that folder inherit auditing. If you do not want the file or folder to inherit auditing from the parent, you can edit the auditing settings of the file or folder. You can test an audit rule for a file or folder by opening and closing the file or folder. Then you can look in the event log for the corresponding events.

Question: How often do you think you should check the security log to ensure auditing is happening correctly?


Demonstration: How to Configure Auditing

Key Points
Open Group Policy Management.
Edit the Default Domain Controllers Policy located under WoodgroveBank.com\Group Policy Objects\Default Domain Controllers Policy.
In the Group Policy Management Editor console tree, expand Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy.
Enable one or more auditing policies.
Click the Explain tab of an auditing policy.
Enable auditing on object access.
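The demonstration enables object access auditing through the GPO; enabling the category alone records nothing until an object carries an audit entry (SACL), and the troubleshooting topic above describes testing the rule by touching the file and reading the event log. The following added example (not course material and not a Microsoft script) carries out that whole cycle on one computer: it enables the File System subcategory with auditpol.exe, adds an inherited audit entry to a folder, creates a file in it, and reads back the resulting 4663 events. It assumes an elevated PowerShell 2.0 session on Windows Server 2008; the folder C:\AuditTest, the audited identity and the rights chosen are the example's own.

```powershell
# Added example, not course material: configure and test file system auditing.
# Requires an elevated PowerShell 2.0 session; the folder path is an assumption.
$folder = 'C:\AuditTest'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Step 1: the audit policy. "File System" is the Object Access subcategory that
# the GPO setting "Audit object access" turns on. On a domain member the GPO
# value overrides this local setting at the next policy refresh, so use the
# GPO to deploy and this command only to test locally.
& auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Step 2: the SACL. Audit writes and deletes by anyone, for both outcomes, and
# let new files and subfolders inherit the entry (the inheritance behaviour
# described in the Object Access Auditing topic).
$acl = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Step 3: exercise the rule and read the events. Creating a file is an audited
# write, so a 4663 event ("An attempt was made to access an object") should
# appear in the Security log for the new file.
$testFile = Join-Path $folder 'probe.txt'
Set-Content -Path $testFile -Value 'audit test'
Start-Sleep -Seconds 2

Get-EventLog -LogName Security -InstanceId 4663 -Newest 50 |
    Where-Object { $_.Message -match [regex]::Escape($folder) } |
    Select-Object TimeGenerated,
        # Positions follow the 4663 event template: [1] subject user name,
        # [6] object name, [11] process name.
        @{ Name = 'User';    Expression = { $_.ReplacementStrings[1] } },
        @{ Name = 'Object';  Expression = { $_.ReplacementStrings[6] } },
        @{ Name = 'Process'; Expression = { $_.ReplacementStrings[11] } }
```

If no event appears, check the three layers in the order the script sets them: `auditpol /get /subcategory:"File System"` shows whether the policy survived the Group Policy refresh, `Get-Acl -Audit` shows whether the SACL is present on the file (it should have been inherited from the folder), and the Security log's size and retention settings decide whether the event was kept.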

Question: What is the default auditing policy setting for domain controllers? What is the benefit of having this setting as the default setting for domain controllers?


Lesson 4

Overview of Windows Server Update Services (WSUS)

This lesson introduces Windows Server Update Services (WSUS), which is a tool for managing and distributing software updates that resolve security vulnerabilities and other stability issues. WSUS enables you to deploy the latest Microsoft product updates to computers running the Windows operating system.


What Is Windows Server Update Services?

Key Points
WSUS enables you to deploy the latest Microsoft product updates to computers running Windows Server 2003, Windows Server 2008, Windows Vista, Microsoft Windows XP with Service Pack 2, and Windows 2000 with Service Pack 4 operating systems. Using WSUS enables you to manage the distribution of the updates that Microsoft Update releases to your network's computers. WSUS 3.0 provides improvements in the following areas:
Ease of use
Improved deployment options
Better support for complex server hierarchies
Better performance and bandwidth optimization
The ability to extend WSUS 3.0 using improved application programming interfaces (APIs)

Question: Do you currently use WSUS services in your organization? If so, how would the improvements to WSUS 3.0 affect how you use WSUS? If not, how would implementing WSUS benefit your organization?


Obtaining Updates

Key Points
At least one WSUS server in your organization must synchronize updates with the Windows Update servers on the Internet. Additional WSUS servers can synchronize updates with a parent WSUS server. You can use WSUS on an isolated network by copying update files from a WSUS server that is connected to the Internet.

Question: Describe a scenario where an organization would have an isolated network.


Windows Server Update Services Process

Key Points
It is recommended to implement an ongoing four-phase approach to the update management process: assess, identify, evaluate and plan, and deploy. It is essential to repeat the update management process on an ongoing basis, as new updates become available that can enhance and protect the production environment. Each phase has different goals and methods for using WSUS features to ensure success during the update management process. It is important to note that you can employ many of the features in more than one phase.

Question: You need to determine which types of updates to synchronize from Microsoft Update and when to synchronize them. In which phase of the WSUS process would this planning occur?


WSUS Deployment Considerations

Key Points
Deployment considerations include the following:
Internet connectivity is required for at least one of your WSUS servers, although it is possible to support isolated network segments that have no connection to the Internet.
You should determine the number of WSUS servers that you require by examining the number of client computers that you must support, the number of locations that you have, and the type of WSUS deployment that you choose.
A simple WSUS deployment consists of a single WSUS server or farm, which synchronizes updates from Windows Update and distributes them to computers on the network.
A WSUS server hierarchy consists of a parent WSUS server, which synchronizes with Windows Update, and downstream WSUS servers that synchronize with the parent WSUS server.
You can use computer groups to control whether computers should get different updates. You can also use computer groups to create a limited release-testing group for testing updates before full deployment.
You should consider where to store updates before distribution. You can store the updates on Windows Update servers and use WSUS to control which updates the computers will download, or you can store the updates on the WSUS server.

Question: In your organization, would you use more than one WSUS server? If so, would you link your WSUS servers together using autonomous mode or replica mode?


Server Requirements for WSUS

Key Points
The number of client computers that your organization is updating is what drives hardware and database software requirements. A WSUS server using the recommended hardware can support a maximum of 20,000 clients. You must format both the system partition and the partition on which you install WSUS with the NTFS file system.

Question: Does your organization meet the software requirements for WSUS?


Installing WSUS

Key Points
Considerations for installing the WSUS server include:
You can store updates locally, or you can have client computers connect to Microsoft Update to get approved updates.
By default, WSUS offers to install Windows Internal Database, or you can choose to use an existing database instance.
You can use the default IIS Web site on port 80, or if you already have a Web site on port 80, you can create an alternate site on port 8530 by selecting the second option.

Once you install the WSUS server, you can install the WSUS administration console to manage the WSUS server.

Question: Would you install the WSUS administration console on the same server as the WSUS server in your organization?


WSUS Group Policy Settings

Key Points
When you configure the Group Policy settings for WSUS, use a GPO linked to an Active Directory container appropriate for your environment. Microsoft does not recommend editing the Default Domain or Default Domain Controllers GPOs to add WSUS settings. In a simple environment, link the GPO with the WSUS settings to the domain. In more complex environments, you might have multiple GPOs linked to several organizational units (OUs), which enables you to have different WSUS policy settings applied to different types of computers. To help protect computers against immediate security threats, set up a more frequent schedule for computers to contact the WSUS server, and to download and install updates.

Question: What is the risk in allowing users of desktop computers to delay restarts that updates require?


Automatic Updates Configuration

Key Points
You can use Group Policy or the registry to configure Automatic Updates. Configuring Automatic Updates involves pointing the client computers to the WSUS server, ensuring that the Automatic Updates software you are using is current, and configuring any additional environment settings. The best way to configure Automatic Updates and WSUS environment options depends on your network environment. In an Active Directory environment, you use Group Policy. In a non-Active Directory environment, you might use the Local Group Policy object (GPO) or edit the registry directly.

Question: Which method of client configuration would you use in your environment?
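For a computer outside Active Directory, the registry method above means writing the same policy values that the WSUS Group Policy settings write on a domain member. The following added example (not from the course and not a Microsoft script) does that: it points the Automatic Updates client at an internal WSUS server, sets the download and install behaviour and a shorter detection interval, and asks the Windows Update Agent to check in. The server URL wsus.example.com on port 8530 (the alternate WSUS port from the Installing WSUS topic), the target group name Servers and the schedule are assumptions; it expects an elevated PowerShell 2.0 session.

```powershell
# Added example, not course material: configure the Automatic Updates client
# through the registry (the non-Active Directory method). Requires elevation.
$wsusUrl = 'http://wsus.example.com:8530'   # assumed WSUS server and port
$wuKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey   = Join-Path $wuKey 'AU'
foreach ($key in $wuKey, $auKey) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Point the client at the internal WSUS server for both updates and status
# reporting, and opt in to client-side targeting with an assumed group name.
Set-ItemProperty -Path $wuKey -Name WUServer           -Value $wsusUrl
Set-ItemProperty -Path $wuKey -Name WUStatusServer     -Value $wsusUrl
Set-ItemProperty -Path $wuKey -Name TargetGroupEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $wuKey -Name TargetGroup        -Value 'Servers'

# Automatic Updates behaviour. AUOptions: 2 = notify before download,
# 3 = download automatically and notify before install,
# 4 = download automatically and install on the schedule below.
Set-ItemProperty -Path $auKey -Name UseWUServer          -Value 1 -Type DWord
Set-ItemProperty -Path $auKey -Name NoAutoUpdate         -Value 0 -Type DWord
Set-ItemProperty -Path $auKey -Name AUOptions            -Value 4 -Type DWord
Set-ItemProperty -Path $auKey -Name ScheduledInstallDay  -Value 0 -Type DWord   # 0 = every day
Set-ItemProperty -Path $auKey -Name ScheduledInstallTime -Value 3 -Type DWord   # 03:00 local time

# Detection interval in hours (default 22, allowed 1-22). A shorter interval is
# the "more frequent schedule" the WSUS Group Policy Settings topic recommends
# against immediate threats.
Set-ItemProperty -Path $auKey -Name DetectionFrequencyEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $auKey -Name DetectionFrequency        -Value 4 -Type DWord

# 0 = a logged-on user cannot postpone a required restart indefinitely, which
# is the point raised in the question about delayed restarts.
Set-ItemProperty -Path $auKey -Name NoAutoRebootWithLoggedOnUsers -Value 0 -Type DWord

# Make the Windows Update Agent re-read the policy, detect against the WSUS
# server, and send its status report.
& wuauclt.exe /resetauthorization /detectnow
& wuauclt.exe /reportnow

# Show what the client now has, so the result can be compared with the GPO.
Get-ItemProperty -Path $wuKey | Select-Object WUServer, WUStatusServer, TargetGroup
Get-ItemProperty -Path $auKey |
    Select-Object UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime, DetectionFrequency
```

On a domain member these keys are owned by Group Policy and are rewritten at the next refresh, so the script is only for stand-alone computers; the computer should appear under the assumed Servers group in the WSUS console after the report is received.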

Demonstration: Configuring WSUS

Key Points
Configure Automatic Update client settings using Group Policy:
1. Open Group Policy Management.
2. Create a new GPO in the WoodgroveBank.com domain.
3. Edit the GPO.
4. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.
5. Enable Configure Automatic Updates.

Question: Would you enable the Delay Restart for scheduled installations policy in your organization? Why or why not?

Lesson 5

Managing WSUS

This lesson explains how you can manage WSUS by performing administrative tasks using the WSUS 3.0 administration console, managing computer groups to target updates to specific computers, and approving the installation of updates for all the computers in your WSUS network or for different computer groups.

WSUS Administration

Key Points
The WSUS 3.0 administration console has changed from a Web-based console to a plug-in for MMC version 3.0. The WSUS 3.0 administration console also enables you to:
• Manage WSUS remotely.
• Configure post-setup tasks using a wizard.
• Generate multiple reports with improved precision.
• Maintain server health more easily.

You can also manage updates with command-line tools:
• Wuauclt.exe can be used to control some aspects of the Windows Update Agent.
• Wsusutil.exe is the command-line tool for managing WSUS.

Question: Explain why having an MMC console for WSUS makes administration easier.

Managing Computer Groups

Key Points
Computer groups are an important part of any WSUS deployment, even a basic one. Computer groups enable you to target updates to specific computers. There are two default computer groups: All Computers and Unassigned Computers. By default, when each client computer initially contacts the WSUS server, the server adds that client computer to each of these groups. You can create custom computer groups. One benefit of creating computer groups is that they enable you to test updates before deploying updates widely. If testing goes well, you can roll out the updates to the All Computers group. There is no limit to the number of custom groups you can create.

Question: Describe a benefit of using computer groups in WSUS for deploying updates.

Approving Updates

Key Points
After updates have synchronized to your WSUS server, they are scanned automatically for relevance to the server's client computers. However, you must approve the updates manually before they are deployed to your network's computers. When you approve an update, you are specifying what WSUS does with it (the options are Install or Decline for a new update). You can approve updates for the All Computers group or for subgroups. If you do not approve an update, its approval status remains Not approved, and your WSUS server allows clients to evaluate whether they need the update.

You can configure your WSUS server for automatic approval of certain updates. You can also specify automatic approval of revisions to existing updates as they become available. This option is selected by default. Automatic approval rules will not apply to updates requiring an End User License Agreement (EULA) that has not yet been accepted on the server. If you find that applying an automatic approval rule does not cause all the relevant updates to be approved, you should approve these updates manually.

Note: If your WSUS server is running in replica mode, you will not be able to approve updates on your WSUS server.

Question: Would you choose automatic approval of updates in your organization when automatic approval is available? Explain your reason.

Demonstration: Managing WSUS

Key Points
• Add a computer to the WSUS console.
• Approve an update to be applied to the computer.

Question: How do you install an update immediately?

Server Core Security Updates

Key Points
Windows Server 2008 Server Core requires fewer updates than a full server installation of Windows Server 2008. However, you typically use the command line to locally administer a Server Core installation. Windows Update uses applicability rules so that only computers that have Internet Explorer 7 install Internet Explorer 7 updates; these applicability settings also apply to Server Core installations.

Question: Do any other management tasks for Server Core differ from the standard full server implementation?

Lab: Manage Server Security

Exercise 1: Configuring Windows Software Update Services


Scenario
As the Windows Infrastructure Services Technology Specialist, you have been tasked with configuring and managing server and client security patch compliance as well as implementing an audit policy to track specific events occurring in AD DS. You must ensure systems maintain compliance with corporate standards. In this exercise, you will configure WSUS. The main tasks are as follows:
1. Start the virtual machines, and then log on.
2. Use the Group Policy Management Console to create and link a GPO to the domain to configure client updates.
3. Use the WSUS administration tool to view WSUS properties.
4. Create a computer group, and add NYC-CL2 to the new group.
5. Approve an update for Windows Vista clients.
6. Install an update on the Windows Vista client.
7. View WSUS reports.

Task 1: Start the virtual machines, and log on


1. On the host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6419A-NYC-CL2, click Launch.
5. Log on to each virtual machine as Woodgrovebank\Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Use the Group Policy Management Console to create and link a GPO to the domain to configure client updates
1. On NYC-DC1, open Group Policy Management.
2. Create a new GPO in the WoodGroveBank.com domain named WSUS.
3. Open the Group Policy Management Editor to edit the WSUS GPO.
4. In the Group Policy Management Editor window, under Computer Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Windows Update.
5. Enable Configure Automatic Updates.
6. Enable Specify intranet Microsoft update service location.
7. Set the intranet update service for detecting updates and the intranet statistics server to http://NYC-SVR1.
8. Enable Automatic Updates detection frequency.
9. On NYC-CL2, run the GPUpdate /force command from the command prompt.
10. Restart NYC-CL2 and log on as WoodgroveBank\Administrator after NYC-CL2 restarts.

Task 3: Use the WSUS administration tool to view WSUS properties


1. On NYC-SVR1, open Microsoft Windows Server Update Services 3.0 SP1.
2. In the Update Services window, in the console pane under NYC-SVR1, click Options.
3. Using the details pane, view the configuration settings available in WSUS.

Task 4: Create a computer group, and add NYC-CL2 to the new group
1. In the list pane, expand Computers, and then select All Computers.
2. In the Actions pane, click Add Computer Group, and name the group HO Computers.
3. Change membership of the NYC-CL2.woodgrovebank.com computer object so that it is a part of the HO Computers group.

Task 5: Approve an update for Windows Vista clients


1. In the Update Services window, in the console pane, expand Updates, and then click Security Updates.
2. In the details pane, change both the Approval and Status filters to Any, and then click Refresh. Notice all of the updates available.
3. In the Critical Updates details pane, right-click Security Update for Windows Vista (KB957095), and then click Approve.
4. Approve the update for all computers.
5. In the Critical Updates details pane, right-click Security Update for Windows Vista (KB957095), and then click Approve.
6. Set the deadline to yesterday's date.

Note: Entering yesterday's date will cause the update to be installed as soon as the client computers contact the server. Because these VMs use the Microsoft Lab Launcher environment, their date will not correspond with the actual date. This is by design. Take note of the VM's configured date and enter a date one day before the VM's configured date.

Task 6: Install an update on the Windows Vista client


1. On NYC-CL2, at the command prompt, type GPUpdate /force.
2. Once the policy has finished updating, type wuauclt /detectnow.
3. When prompted, restart the computer.
4. Log on as Woodgrovebank\administrator with a password of Pa$$w0rd.
5. Open Windows Update to review recently installed updates.

Task 7: View WSUS reports


On NYC-SVR1, run a Computer Detailed Status report to view updates for NYC-CL2.
Results: After this exercise, you should have configured WSUS.
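The computer-group and approval work in Tasks 4 to 6, and the Managing Computer Groups and Approving Updates topics in Lesson 5, can also be driven through the WSUS 3.0 administration API (the Microsoft.UpdateServices.Administration assembly that the WSUS 3.0 console installs) instead of the MMC console. The script below is an added example, not code from the course or from Microsoft: it creates the HO Computers group, moves NYC-CL2 into it, and approves KB957095 for the group with a deadline in the past. It assumes it runs in an elevated PowerShell on NYC-SVR1 with WSUS 3.0 SP1 installed; the group, client and KB values are the ones the lab uses.

```powershell
# Added example: the lab's computer-group and approval tasks through the WSUS 3.0
# administration API. Not code from the course or from Microsoft. Assumptions:
# elevated PowerShell on the WSUS server (NYC-SVR1), WSUS 3.0 SP1 installed;
# group, client and KB values are the lab's.

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.UpdateServices.Administration")

$groupName  = "HO Computers"
$clientName = "NYC-CL2.woodgrovebank.com"
$kbNumber   = "957095"

# Connect to the local WSUS server (no arguments = this server, default port).
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Task 4: create the custom computer group (only if it is not there yet) and move
# NYC-CL2 into it. GetComputerTargets() lists every client that has reported to
# the server; a client that is missing has not processed the WSUS GPO yet.
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName }
if (-not $group) { $group = $wsus.CreateComputerTargetGroup($groupName) }

$client = $wsus.GetComputerTargets() | Where-Object { $_.FullDomainName -eq $clientName }
if ($client) {
    $group.AddComputerTarget($client)
} else {
    Write-Warning "$clientName has not contacted this WSUS server yet; run gpupdate /force and wuauclt /detectnow on it first."
}

# Task 5: find the update by KB number. SearchUpdates matches the title, which for
# this update is "Security Update for Windows Vista (KB957095)".
$update = $wsus.SearchUpdates("KB$kbNumber") | Select-Object -First 1
if (-not $update) { throw "KB$kbNumber is not on this server; synchronize first." }

# The Approving Updates topic notes that automatic approval rules skip updates
# whose EULA has not been accepted; accept it explicitly before approving.
if ($update.RequiresLicenseAgreementAcceptance) { $update.AcceptLicenseAgreement() }

# Approve for the group with a deadline that has already passed: clients then
# install at their next detection cycle instead of waiting for the scheduled
# install window, which is why the lab enters yesterday's date.
$deadline = [DateTime]::UtcNow.AddDays(-1)
$approval = $update.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $group, $deadline)

# What the server now records for the approval and for the group's members.
$approval | Select-Object Action, Deadline
$group.GetComputerTargets() | Select-Object FullDomainName, LastSyncTime, LastReportedStatusTime
```

Approving for a custom group rather than All Computers is the pattern the Managing Computer Groups topic describes: the same script, pointed at a test group first, lets you verify an update on a few machines before repeating the approval for All Computers.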

Exercise 2: Configure Auditing


Scenario
As the network administrator, you have been tasked with implementing an audit policy to track specific events occurring in AD DS. First, you will examine the audit policy's current state. Then you will configure auditing as required to track successful and unsuccessful modifications made to Active Directory objects, including the old and new attribute values. Finally, you will test the policy. In this exercise you will enable auditing. The main tasks for this exercise are:
1. Examine the current state of the audit policy.
2. Enable Audit Directory Service Access on domain controllers.
3. Set the SACL for the domain.
4. Test the policy.
5. Close all virtual machines and discard undo disks.

Task 1: Examine the current state of the audit policy


On NYC-DC1, type the following at the command prompt: Auditpol.exe /get /category:* and then press ENTER.

Task 2: Enable Audit Directory Service Access on domain controllers


1. Open Group Policy Management.
2. In the console pane, click WoodgroveBank.com, expand Group Policy Objects, and then right-click the Default Domain Controllers Policy, and then click Edit.
3. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.
4. Enable the Audit Directory Service Access policy to audit both Success and Failure.
5. At the Command Prompt, type Gpupdate. When the update completes, run the Auditpol.exe /get /category:* command again, and then examine the default audit-policy settings.

Task 3: Set the SACL for the domain


1. Open Active Directory Users and Computers. On the View menu, click Advanced Features.
2. Enable auditing for the WoodgroveBank.com domain object.
3. Enable auditing for Everyone. Audit both Successful and Failed for Write all Properties.

Task 4: Test the policy


1. Rename the Toronto OU to GTA.
2. Open Event Viewer, expand Windows Logs, and then click Security.
3. Open event 4662 and examine the event.
4. Return to Active Directory Users and Computers, and edit any user account to change the phone number.
5. Return to Event Viewer, and examine the resulting directory service changes events.
6. Close all open windows.

Task 5: Close all virtual machines and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.
Result: At the end of this exercise, you will have configured AD DS Auditing.
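Tasks 2 and 4 of this exercise can be carried out and verified from the command line as well. The script below is an added example, not code from the lab or from Microsoft: it enables the Directory Service Changes audit subcategory with auditpol.exe (the per-subcategory view of the policy the lab edits in the Default Domain Controllers Policy) and then reads back the resulting Security-log events, including the old and new attribute values that Windows Server 2008 records when an object is modified. It assumes an elevated PowerShell on NYC-DC1 with PowerShell 2.0 or later installed for Get-WinEvent, and that the SACL on the domain object has been set as in Task 3, since these events are generated only for objects whose SACL asks for them.

```powershell
# Added example: enable the Directory Service Changes audit subcategory and read
# back the Security-log events it produces. Not code from the lab or from Microsoft.
# Assumptions: elevated PowerShell on NYC-DC1, PowerShell 2.0 or later (Get-WinEvent),
# SACL on the domain object already set as in Task 3.

# Windows Server 2008 splits "Audit directory service access" into subcategories;
# "Directory Service Changes" is the one that yields the 5136-5141 events carrying
# attribute values. auditpol.exe sets it directly (the GPO route is Task 2).
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol.exe /get /category:"DS Access"

# Security-log event IDs of interest:
#   4662  an operation was performed on an object (Directory Service Access)
#   5136  object modified   5137 created   5138 undeleted   5139 moved   5141 deleted
# One attribute change appears as a 5136 "Value Deleted" (old value) followed by a
# 5136 "Value Added" (new value); both share the same OpCorrelationID.
$operationNames = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }

function Get-DsChangeEvents {
    param(
        [DateTime]$Since = (Get-Date).AddHours(-1),
        [int]$MaxEvents = 100
    )
    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5138, 5139, 5141; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
            $op = $operationNames[$data['OperationType']]
            if (-not $op) { $op = $data['OperationType'] }
            New-Object PSObject -Property @{
                Time        = $_.TimeCreated
                EventId     = $_.Id
                Subject     = $data['SubjectUserName']
                Object      = $data['ObjectDN']
                Attribute   = $data['AttributeLDAPDisplayName']
                Operation   = $op
                Value       = $data['AttributeValue']
                Correlation = $data['OpCorrelationID']
            }
        }
}

# After renaming the Toronto OU and changing a user's phone number (Task 4), the
# old and new values show up here as paired rows with the same correlation ID.
Get-DsChangeEvents | Sort-Object Time, Correlation |
    Format-Table Time, EventId, Subject, Object, Attribute, Operation, Value -AutoSize
```

The 4662 event the lab opens in step 3 of Task 4 comes from the Directory Service Access subcategory and says only that an operation was performed on the object; the 5136 rows above are what actually carry the before and after values the scenario asks you to track, which is why both subcategories are enabled when the Audit Directory Service Access policy is set to Success and Failure.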

Module Review and Takeaways

Review Questions
1. What kind of security challenges might a small to medium-sized business experience that may not be as big an issue for a large enterprise?
2. If you decide to put an audit policy in place, how should you configure the security log properties in Event Viewer?
3. What must an administrator do before any update is sent to clients and servers via WSUS?
4. What is the reason for setting a deadline for automatic installation to a past date?

Best Practices
Regardless of the operating system you are using, the basic steps for securing it are the same. Consider the following best practices for securing an operating system:
• Install all operating system service packs and updates.
• Verify user account security.
• Eliminate unnecessary applications and network services.
• Configure system logging to record significant events.
• Keep applications and operating systems up to date.

Module 10
Configuring and Managing Storage Technologies
Contents:
Lesson 1: Windows Server 2008 Storage Management Overview 10-3
Lesson 2: Managing Storage Using File Server Resource Manager 10-13
Lab A: Installing the FSRM Role Service 10-20
Lesson 3: Configuring Quota Management 10-22
Lab B: Configuring Storage Quotas 10-29
Lesson 4: Implementing File Screening 10-31
Lab C: Configuring File Screening 10-38
Lesson 5: Managing Storage Reports 10-40
Lab D: Generating Storage Reports 10-45
Lesson 6: Understanding Storage Area Networks 10-47

Module Overview

File storage is important when managing Microsoft Windows Server environments. Significant challenges exist when attempting to analyze, plan, and implement storage solutions. The Windows Server 2008 operating system includes several tools to help you configure and manage storage technologies. This module will explain common capacity and storage management challenges, and describe storage technologies that you can configure and manage to address file-storage problems. This module also describes how to analyze usage trends, and how to implement solutions to meet user requirements while complying with company policy and industry and regulatory standards.

Lesson 1

Windows Server 2008 Storage Management Overview

Windows Server 2008 operating system storage management and File Server Resource Manager are storage technologies that you can configure and manage to address common capacity and storage management challenges in the enterprise environment. This lesson describes common capacity and storage management challenges and how you can use File Server Resource Manager and the Windows Server 2008 operating system storage management tools to address them.

Common Capacity Management Challenges

Key Points
Capacity management is the process of planning, analyzing, sizing, and optimizing methods to satisfy an organization's increase in data storage demands. As the data that you need to store and access increases, so does your need for capacity management. Keeping track of how much storage capacity is available, how much storage space you need for future expansion, and how you are using the environment's storage enables you to meet the storage capacity requirements of your organization. Capacity management is also an attempt to control corporate storage misuse. Many users tend to use server storage space to store large personal multimedia files, such as MP3s or digital photos, as well as other types of data, such as screensavers and games.

Question: What capacity management challenges do you face in your work environment?

Common Storage Management Challenges

Key Points
After capacity management, the next challenge is managing the file types that are stored on servers. Many organizations store 60 to 100 percent of their work data on servers, including e-mail messages, office documents, and line-of-business application databases. Some information is critical to the functioning of the business, while other information is less critical. Critical information often must be maintained in a state that allows it to always be available. Some data also may have specific retention requirements due to industry or regulatory standards. Unapproved files and programs also create storage management issues. Many users tend to store non-work-related files and programs that can consume storage. Storage management attempts to control this misuse of corporate space.

Question: What are some of the storage challenges in your organization?

Addressing Capacity and Storage Management Challenges

Key Points
Knowing how the company is currently using storage makes planning for future storage requirements much more predictable. Without policies and controls in place, users may often use storage for noncompliant uses. Having resource management policies in place allows for more predictability when planning for future capacity. Resource management policies may vary within a company. For example, some departments may require more storage than others, and some departments may want to store files in specific ways.

The final step after analyzing and defining policies is to implement the policies. Tools such as File Server Resource Manager (FSRM) perform the tasks necessary for analyzing storage usage, planning storage policies, and implementing the policies.

Question: In your work environment, what tools and strategies are currently used to address capacity and storage management challenges?

Capacity Management Solutions

Key Points
Windows Server 2008 provides a number of tools and technologies to assist in capacity management tasks. With the addition of other applications such as Microsoft System Center Operations Manager (SCOM) and the File Server Migration Toolkit (FSMT), a full range of storage management solutions can be realized. The FSMT helps you copy files and folders from servers running Microsoft Windows 2003 Server, Microsoft Windows 2000 Server or Windows NT Server 4.0 operating systems to a server running Windows Server 2003, Windows Storage Server 2003, Windows Server 2008 or Microsoft Windows Storage Server 2008. The primary benefits of FSMT include:
• Transparent migration experience for end users.
• Maintains security settings for migrated files.
• Consolidates shared folders with the same names from different servers.
• Supports server clusters as source and target file servers.
• Roll-back functionality for failed migrations.

The FSMT can be downloaded from the Microsoft web site: http://www.microsoft.com/downloads/details.aspx?FamilyID=d00e3eae-930a-42b0-b595-66f462f5d87b&DisplayLang=en

Question: How do you currently address these capacity management challenges in your work environment?

Storage Management Solutions

Key Points
Windows Server 2008 also provides a number of tools to assist in storage management tasks. These tools include:
• Fibre Channel Information Tool helps to gather configuration information on a Fibre Channel SAN for management of Fibre Channel Host Bus Adapters and discovery of SAN resources.
• Virtual Disk Service provides a unified view of all disks and volumes, regardless of whether they are connected by SCSI, Fibre Channel, iSCSI or PCI RAID.
• Storage Manager for SANs helps you create and manage logical unit numbers (LUNs) on Fibre Channel and Internet SCSI (iSCSI) disk drive subsystems that support Virtual Disk Service (VDS) in your storage area network (SAN).
• Operations Manager monitors up to thousands of servers, applications, and clients to provide a comprehensive view of the health of an organization's IT environment.

Question: How do you currently address these storage management challenges in your work environment?

What Is File Server Resource Manager?

Key Points
File Server Resource Manager (FSRM) is a complete set of tools that allows administrators to address the following key file-server management challenges:
• Capacity management. Monitors usage patterns and utilization levels.
• Policy management. Restricts which files are stored on the server.
• Quota management. Limits how much data can be stored on the server.
• Reports. Provides storage capacity usage reports to meet regulatory requirements, giving administrators, security groups and management personnel the ability to perform oversight and auditing functions.

Question: Do you currently use FSRM in your work environment?

Lesson 2

Managing Storage Using File Server Resource Manager

You use FSRM to configure quota management, implement file screening, and generate storage reports. This lesson provides information about how to manage storage using FSRM.

FSRM Functions

Key Points
File Server Resource Manager provides several features to carry out storage management tasks. The following table describes FSRM functions:

Function: Create quotas to limit the space allowed for a volume or folder
Description: Allows you to set the maximum amount of space allotted to a user. It also allows the administrator to be notified if the quota is exceeded.

Function: Automatically generate quotas
Description: Allows you to specify that quotas are generated dynamically when subfolders are created. This allows the storage volume to be managed without having to apply quotas every time a directory structure is modified.

Function: Create file screens
Description: Enables file filtering based on file extensions. Common file categories can be grouped together to create file groups.

Function: Monitor attempts to save unauthorized files
Description: Enables administrators to be notified when users attempt to save an unapproved file type.

Function: Define quota and file screening templates
Description: Allows you to customize and implement a detailed company storage policy.

Function: Generate scheduled or on-demand storage reports
Description: Allows you to create reports on a regular basis for review, or create reports on demand, which allows you to quickly generate a report for immediate consumption.

Question: Describe two scenarios where one or more FSRM features could be used in your work environment.

Demonstration: Installing the FSRM Role Service

Key Points
• Start the NYC-SVR1 virtual machine.
• Use Server Manager to add the FSRM role service.
• Configure the volume during installation.
• Open the FSRM management console.

Question: Will you install the FSRM role service on all servers in your organization?

Question: How would you access the FSRM console from a workstation?

FSRM Console Components

Key Points
The FSRM console enables you to view all local storage resources from a single console, and to create and apply policies that control these resources. The three tools included in the FSRM console are:
• Quota Management node
• File Screening Management node
• Storage Reports Management node

Question: Describe a scenario in which you would use each FSRM console component.

FSRM Configuration Options

Key Points
When you create quotas and file screens, you have the option of sending e-mail notifications to users when their quota limit is approaching or after they have attempted to save files that have been blocked. The default parameters for storage reports are used for the incident reports that are generated when a quota or file screening event occurs. By using File Server Resource Manager, you can record file screening activity in an auditing database.

Question: In your work environment, are there currently server storage policies in place? If so, how will you use the FSRM configuration options to enforce these policies?

Demonstration: Configuring FSRM Options

Key Points
• Start the NYC-SVR1 virtual machine.
• Configure e-mail notifications in FSRM.
• Configure storage report parameters and default report repository locations.

Question: In your work environment, how do you plan to integrate e-mail notifications for quota violations?

Question: In your work environment, what notification threshold provides enough advance warning to users that they are approaching a quota threshold?

Lab A: Installing the FSRM Role Service

Scenario
As the Windows Infrastructure Services (WIS) Technology Specialist, you have been tasked with configuring storage on a server to comply with corporate standards. You must create the storage with minimal long-term management by utilizing file screening and quota management.

Exercise 1: Installing the FSRM Role Service


Scenario
In this exercise, you will install the FSRM role service. The main tasks for this exercise are as follows:
1. Start the NYC-DC1 and NYC-SVR1 virtual machines.
2. Install the FSRM server role on NYC-SVR1.

Task 1: Start the NYC-DC1 and NYC-SVR1 virtual machines


1. On the host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Install the FSRM server role on NYC-SVR1


1. Using Server Manager, install the File Server Resource Manager role service. The role service is located under the File Services role.
2. Set Storage Usage Monitoring to Allfiles (E:).
Results: After this exercise, you should have successfully installed the FSRM role service on NYC-SVR1.

Lesson 3

Configuring Quota Management

You use quota management to create quotas that limit the space allowed for a volume or folder, and to generate notifications when quota limits are approached or exceeded. FSRM provides quota templates that you can apply easily to new volumes or folders and that you can use across an organization. You also can auto-apply quota templates to all existing folders in a volume or folder, as well as to any new subfolders created in the future.

What Is Quota Management?

Key Points
A hard quota prevents users from saving files after the space limit is reached, and it generates notifications when the data volume reaches the configured threshold. A soft quota does not enforce the quota limit, but it generates configured notifications. The quota limit applies to the entire folder subtree.

Question: In your work environment, which notification method do you plan to use?

FSRM Quotas vs. NTFS Disk Quotas

Key Points
The Microsoft Windows 2000 Server operating system, Windows Server 2003 operating system, and Windows Server 2008 operating systems support NTFS disk quotas, which you can use to track and control disk usage on a per-user/per-volume basis. The above table outlines the advantages of using the FSRM quota management tools compared to NTFS disk quotas.

Question: Are there any instances when you would use NTFS disk quotas instead of FSRM quotas?

What Are Quota Templates?

Key Points
Quota templates simplify the tasks associated with quota management. If you base your quotas on a quota template and you later decide to change the quota configuration, you can simply update the quota template and then choose to update all quotas that are based on this template. For example, you might choose to allow each user additional space on the storage server. By updating the quota template, all quotas based on this template are updated for you automatically.

Question: Based on your work environment specifics, what quota templates do you plan to create?

Creating and Modifying a Quota

Key Points
You can use the FSRM Quota Management node to create and modify quotas. By creating a quota for a volume or folder, you limit the disk space that is allocated for that volume or folder. The FSRM Quota Management node includes all the necessary options to work with quotas.

Question: In what scenario would you use the command line Dirquota tool?


Monitoring Quota Usage

Key Points
After configuring and applying quotas to your file shares or volumes, you should understand how to monitor disk usage so that you can meet your organization's ongoing storage requirements effectively.
Note: Quotas reduce the input/output (I/O) per-second performance of the storage subsystem by a small amount (10 percent or less). Servers that apply quotas to more than 10,000 folders might experience a larger performance overhead.

Question: In your work environment, which quota usage monitoring method will be most helpful?


Demonstration: How to Create and Manage Quotas

Key Points
1. Start the NYC-SVR1 virtual machine.
2. Create a quota template to restrict large files on E:.
3. Use the quota template to create a new quota.
4. Configure the quota to log an event when it is exceeded.

Question: What quota notifications do you plan to implement in your work environment?

Question: What quota templates do you plan to implement in your environment?


Lab B: Configuring Storage Quotas

Exercise 1: Configuring Storage Quotas


Scenario
You must configure a quota template that allows users a maximum of 100 MB of data in their user folders. When users exceed 85 percent of the quota, or when they attempt to add files larger than 100 MB, an event should be logged to the Event Viewer on the server. The main tasks for this exercise are as follows:
1. Create a quota template.
2. Configure a quota based on the quota template.
3. Test that the quota is working by generating several large files.


Task 1: Create a quota template


In the File Server Resource Manager console, use the Quota Templates node to configure a template that sets a hard limit of 100 MB on the maximum folder size. Make sure this template also notifies the Event Viewer when the folder reaches 85 percent and 100 percent capacity.

Task 2: Configure a quota based on the quota template


1. Use the File Server Resource Manager console and the Quotas node to create a quota in the E:\Mod10\Labfiles\Users folder by using the quota template that you created in Task 1.
2. Create an additional folder named User4 in the E:\Mod10\Labfiles\Users folder, and ensure that the new folder is listed in the quotas list.

Task 3: Test that the quota is working by generating several large files
1. Open a command prompt and use the fsutil file createnew file1.txt 89400000 command to create a file in the E:\Mod10\Labfiles\Users\User1 folder. Check the Event Viewer for an Event ID of 12325.
2. Test that the quota works by attempting to create a file that is 16,400,000 bytes, and then press ENTER.
3. Enable NTFS folder compression for the E:\Mod10\Labfiles\Users folder. Check to see what effect this has in the Quota console.
4. Try again to create a file that is 16,400,000 bytes.

Results: After this exercise, you should have seen the effect of a quota template that imposes a 100 MB limit on user storage in the E:\Mod10\Labfiles\Users folder.
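The following model shows what Lab B exercises in the FSRM console: a hard quota refuses the write that would cross the limit while a soft quota only notifies, thresholds fire once as usage crosses them, an auto-applied template gives every subfolder (including one created later, such as User4) its own quota, and a file anywhere in a quota folder's subtree counts against that folder. This is an added example and not code from the course or from FSRM itself; the folder paths and file sizes are those of the lab, while the class and method names and the assumption that 100 MB means 104,857,600 bytes are this example's own.

```python
"""Model of FSRM quota semantics: hard versus soft quotas, threshold
notifications, auto-applied templates and the whole-subtree rule.
Added example, not course 6419A code. The folder paths and file sizes come
from Lab B; the classes, method names and the 1 MB = 1,048,576 bytes
assumption are this example's own."""
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

MB = 1024 * 1024   # assumption: FSRM's "100 MB" limit is 104,857,600 bytes


@dataclass
class QuotaTemplate:
    name: str
    limit_bytes: int
    hard: bool = True              # hard: refuse writes over the limit; soft: notify only
    thresholds: tuple = (85, 100)  # percent levels at which a notification is generated


@dataclass
class Quota:
    path: PureWindowsPath
    template: QuotaTemplate
    used_bytes: int = 0
    fired: set = field(default_factory=set)   # thresholds already notified


class QuotaManager:
    def __init__(self):
        self.quotas = {}       # quota folder -> Quota
        self.auto_apply = {}   # parent folder -> template given to every subfolder
        self.log = []          # (quota folder, threshold, percent); stand-in for Event Viewer

    def add_quota(self, folder, template):
        p = PureWindowsPath(folder)
        self.quotas[p] = Quota(p, template)

    def add_auto_apply(self, parent, template, existing_subfolders):
        """Auto-apply template: each current and future subfolder gets its own quota."""
        parent = PureWindowsPath(parent)
        self.auto_apply[parent] = template
        for name in existing_subfolders:
            self.add_quota(parent / name, template)

    def create_folder(self, parent, name):
        """A folder created under an auto-apply parent shows up in the quota list."""
        parent = PureWindowsPath(parent)
        if parent in self.auto_apply:
            self.add_quota(parent / name, self.auto_apply[parent])

    def used_bytes(self, folder):
        return self.quotas[PureWindowsPath(folder)].used_bytes

    def _governing_quota(self, file_path):
        """The limit applies to the whole subtree: use the deepest quota folder
        that is an ancestor of the file."""
        parents = PureWindowsPath(file_path).parents
        candidates = [q for q in self.quotas.values() if q.path in parents]
        return max(candidates, key=lambda q: len(q.path.parts), default=None)

    def write_file(self, file_path, size_bytes):
        """Attempt to store a file; returns (allowed, [thresholds notified])."""
        q = self._governing_quota(file_path)
        if q is None:
            return True, []              # no quota covers this path
        t = q.template
        proposed = q.used_bytes + size_bytes
        percent = proposed * 100 / t.limit_bytes
        notified = []
        for level in t.thresholds:       # notify once per threshold crossed
            if percent >= level and level not in q.fired:
                q.fired.add(level)
                self.log.append((str(q.path), level, round(percent, 2)))
                notified.append(level)
        if t.hard and proposed > t.limit_bytes:
            return False, notified       # hard quota: the write is refused
        q.used_bytes = proposed          # soft quota or within limit: the write succeeds
        return True, notified


def run_lab_scenario(hard=True):
    """Replays Lab B: a 100 MB template auto-applied to every user folder."""
    mgr = QuotaManager()
    template = QuotaTemplate("100 MB User Limit", 100 * MB, hard=hard)
    users = r"E:\Mod10\Labfiles\Users"
    mgr.add_auto_apply(users, template, ["User1", "User2", "User3"])
    mgr.create_folder(users, "User4")                                     # Task 2, step 2
    first = mgr.write_file(users + r"\User1\file1.txt", 89_400_000)       # 85.26 %: threshold event
    second = mgr.write_file(users + r"\User1\sub\file2.txt", 16_400_000)  # would reach 100.9 %
    return mgr, first, second
```

Running run_lab_scenario() reproduces the lab: the 89,400,000-byte file is accepted and raises the 85 percent notification, the 16,400,000-byte file is refused by the hard quota and raises the 100 percent notification. Passing hard=False shows the soft-quota behaviour, where the second write succeeds and only the notification is generated.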


Lesson 4

Implementing File Screening

Your security policy might prohibit specific file types from being placed on company servers, and you might want to be notified if a specific file type is saved on a file server. This lesson explains the concepts related to file screening that you can use to manage the types of files that users can save on corporate file servers.


What Is File Screening?

Key Points
Many organizations face issues with network users storing unauthorized or personal data on corporate file servers. Not only does this misuse valuable storage space, but it also increases the backup process duration, and might violate privacy or security policies within the company. You also can implement a screening process to notify you by e-mail when an unauthorized file type has been stored on a shared folder. The e-mail message can include information such as the name of the user who stored the file and its exact location so that you can take appropriate precautionary steps.

Question: In your work environment, are there any server usage policies that file screening could be used to enforce?


What Are File Groups?

Key Points
Before you begin working with file screens, you must understand the role file groups play in the file screening process. A file group is used to define a namespace for a file screen, file screen exception, or storage report. A file group consists of a set of file name patterns that are divided into two lists, Files to include and Files to exclude:
• Files to include. These are files that should be included in the group.
• Files to exclude. These are files that should not be included in the group, even if they match an include pattern.

Question: In your work environment, list two or three file groups you plan to create.


What Is a File Screen Exception?

Key Points
Occasionally, you will need to allow exceptions to file screening. For example, you might want to block video files from a file server, but you need to allow your training group to save the video files for their computer-based training. To allow files that other file screens are blocking, create a file screen exception. A file screen exception is a configuration that overrides any file screening that would otherwise apply to a folder and all its subfolders, in a designated exception path. In other words, the file screen exception creates an exception to any rules derived from a parent folder.

Question: Describe two ways you plan to use file screen exceptions in your work environment.


What Is a File Screen Template?

Key Points
To simplify file screen management, base your file screens on file screen templates. A file screen template defines the following:
• File groups to block.
• Screening types to perform.
• Notifications to be generated.

You can configure two screening types in a file screen template:
• Active screening does not allow users to save any files related to the selected file groups configured with the template.
• Passive screening still allows users to save files but provides notifications for monitoring.


By creating file screens exclusively from templates, you can manage your file screens centrally by updating the templates instead of the individual file screens.

Question: What file types do you plan to create file screen templates for in your work environment?


Demonstration: Implementing File Screening

Key Points
1. Start the NYC-SVR1 virtual machine.
2. Create a new file screen on the E:\ drive based upon the Block Audio and Video Files default template.
3. Create a new custom file group and create a file screen exception to allow Microsoft Windows Media Player audio (WMA) files.

Question: How do you plan to implement file screens in your work environment?

Question: How do you plan to implement file screen exceptions in your work environment?


Lab C: Configuring File Screening

Exercise 1: Configuring File Screening


Scenario
You must configure file screening to monitor executable files. The main tasks for this exercise are as follows:
1. Create a file screen.
2. Test the file screen.


Task 1: Create a file screen


On NYC-SVR1, in the File Server Resource Manager console, use the File Screens node to create a file screen that monitors executable files in the E:\Mod10\Labfiles\Users folder. When an executable is dropped into the folder, the file screen will log an 8215 event in the Event Viewer.

Task 2: Test the file screen


1. Copy and paste E:\Mod10\Labfiles\example.bat to E:\Mod10\Labfiles\Users\user1.
2. Open the Event Viewer and check the application log for Event ID 8215.
Results: After this exercise, you should have successfully implemented a file screen that logs attempts to save executable files in E:\Mod10\Labfiles\Users.
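The rules the demonstration and Lab C exercise in the console (file groups with include and exclude patterns, an active screen that refuses the save, a passive screen that allows it but notifies, and an exception path that overrides screens inherited from a parent folder) are small enough to model directly. The following is an added example, not course or FSRM code: the class and method names are invented, the file group members are constructed rather than copied from the built-in "Audio and Video Files" group, and Event ID 8215, which the lab checks for after the passive screen fires, is assumed here for every screen notification.

```python
"""Model of FSRM file screening: file groups with include/exclude patterns,
active and passive screens, and file screen exceptions that override a
parent folder's screens. Added example, not course 6419A code; the class and
function names are invented and the file group members are constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from pathlib import PureWindowsPath

EVENT_ID_FILE_SCREEN = 8215   # Event ID Lab C checks for; assumed here for every screen notification


@dataclass
class FileGroup:
    name: str
    include: list                                  # "Files to include" patterns
    exclude: list = field(default_factory=list)    # "Files to exclude" patterns

    def matches(self, file_name):
        n = file_name.lower()                      # NTFS names are case-insensitive
        return (any(fnmatch(n, p.lower()) for p in self.include)
                and not any(fnmatch(n, p.lower()) for p in self.exclude))


@dataclass
class FileScreen:
    path: PureWindowsPath
    groups: list
    active: bool            # active: refuse the save; passive: allow it but notify


@dataclass
class FileScreenException:
    path: PureWindowsPath
    groups: list


@dataclass
class SaveResult:
    allowed: bool
    notifications: list     # (screen folder, file group name, event id)
    exempted_by: str = ""   # exception path that allowed the file, if any


class FileScreenPolicy:
    def __init__(self):
        self.screens = []
        self.exceptions = []

    def add_screen(self, path, groups, active=True):
        self.screens.append(FileScreen(PureWindowsPath(path), groups, active))

    def add_exception(self, path, groups):
        self.exceptions.append(FileScreenException(PureWindowsPath(path), groups))

    def evaluate_save(self, file_path):
        """Decide whether saving file_path is allowed and which notifications fire."""
        p = PureWindowsPath(file_path)
        # An exception on the folder or any ancestor wins over every screen
        # inherited from parent folders, for the file groups it lists.
        for exc in self.exceptions:
            if exc.path in p.parents and any(g.matches(p.name) for g in exc.groups):
                return SaveResult(True, [], exempted_by=str(exc.path))
        blocked = False
        notifications = []
        for screen in self.screens:          # every screen on an ancestor folder applies
            if screen.path not in p.parents:
                continue
            for g in screen.groups:
                if g.matches(p.name):
                    notifications.append((str(screen.path), g.name, EVENT_ID_FILE_SCREEN))
                    blocked = blocked or screen.active
        return SaveResult(not blocked, notifications)


def build_lab_policy():
    """Constructed policy mirroring the demonstration and Lab C."""
    policy = FileScreenPolicy()
    audio_video = FileGroup("Audio and Video Files",
                            include=["*.mp3", "*.avi", "*.wm*"],   # constructed members
                            exclude=["*.wmf"])                     # Windows metafiles are images
    wma = FileGroup("WMA Files", include=["*.wma"])
    executables = FileGroup("Executable Files", include=["*.exe", "*.bat", "*.cmd"])
    policy.add_screen("E:\\", [audio_video], active=True)                   # blocks audio/video on E:
    policy.add_exception("E:\\Mod10\\Labfiles\\Training", [wma])            # training group keeps WMA
    policy.add_screen("E:\\Mod10\\Labfiles\\Users", [executables], active=False)  # Lab C: monitor only
    return policy
```

With this policy, example.bat copied into the Users folder is saved but logged (passive screen), an MP3 anywhere on E: is refused (active screen), a WMA file under the Training folder is allowed by the exception, the same WMA file under Users is refused, and a .wmf file is ignored because the exclude pattern removes it from the group.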


Lesson 5

Managing Storage Reports

To better carry out capacity planning, you must be able to configure and generate extensive reports based on current storage utilization. This lesson will describe how to configure, schedule, and generate storage reports using FSRM.


What Are Storage Reports?

Key Points
Storage reports provide information about file usage on a file server. The FSRM Storage Reports Management feature allows you to generate storage reports on demand and schedule periodic storage reports that help identify trends in disk usage. You also can create reports to monitor attempts to save unauthorized files by all users or a selected group of users. The following table describes the storage report types in FSRM:
Large Files: Lists files that are larger than a specified size. Use this report to identify files that are consuming excessive server disk space.

Files by Owner: Lists files that are grouped by owner. Use this report to analyze server usage patterns and to identify users who use large amounts of disk space.

Files by File Group: Lists files that belong to specified file groups. Use this report to identify file-group usage patterns and to identify file groups that occupy large amounts of disk space. This can help you determine which file screens to configure on the server.

Duplicate Files: Lists duplicate files (files with the same name, size, and last-modified date). Use this report to identify and reclaim disk space that is lost due to duplicate files.

Least Recently Used Files: Lists files that have not been accessed for a specified number of days. This report can help you identify seldom-used data that could be archived and removed from the server.

Most Recently Used Files: Lists files that have been accessed within a specified number of days. Use this report to identify frequently used data that should be highly available.

Quota Usage: Lists quotas for which the quota usage is higher than a specified percentage. Use this report to identify quotas with high usage levels so that appropriate action can be taken. This report includes only quotas that were created for volumes and folders in FSRM. It does not include quotas applied to volumes in the NTFS file system.

File Screening Audit: Lists file screening violations that have occurred on the server for a specified number of days. Use this report to identify individuals or applications that violate the file screening policy.

Question: In your work environment, how do you currently obtain information about file usage on servers?
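To make the report definitions in the table concrete, the following added example implements the file-based report types (Large Files, Files by Owner, Files by File Group, Duplicate Files, Least Recently Used Files and Most Recently Used Files) over an in-memory inventory. It is not course or FSRM code: the file records, owners and dates are constructed, the function names are invented, and the reference date is fixed so the results are reproducible. Quota Usage and File Screening Audit depend on quota and screen state rather than on file metadata and are not modelled here.

```python
"""Reference implementation of several FSRM storage report types over an
in-memory file inventory. Added example, not course 6419A code; the records
below are constructed and the report functions are invented for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from fnmatch import fnmatch
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class FileRecord:
    path: str
    owner: str
    size: int          # bytes
    modified: date     # last-modified date
    accessed: date     # last-accessed date


MB = 1024 * 1024
TODAY = date(2008, 6, 30)   # fixed reference date so the reports are reproducible

# Constructed inventory of a Users share.
INVENTORY = [
    FileRecord(r"E:\Users\User1\report.docx", "alice", 2_000_000, date(2008, 6, 20), date(2008, 6, 28)),
    FileRecord(r"E:\Users\User2\report.docx", "bob", 2_000_000, date(2008, 6, 20), date(2008, 5, 1)),
    FileRecord(r"E:\Users\User1\Archive\report.docx", "alice", 2_000_000, date(2008, 6, 20), date(2008, 6, 27)),
    FileRecord(r"E:\Users\User2\report_old.docx", "bob", 2_000_000, date(2008, 5, 20), date(2008, 5, 20)),
    FileRecord(r"E:\Users\User1\video.avi", "alice", 700_000_000, date(2008, 1, 15), date(2008, 1, 20)),
    FileRecord(r"E:\Users\User3\backup.iso", "carol", 4_000_000_000, date(2007, 11, 2), date(2007, 11, 2)),
    FileRecord(r"E:\Users\User3\setup.exe", "carol", 55_000_000, date(2008, 3, 3), date(2008, 6, 1)),
    FileRecord(r"E:\Users\User2\notes.txt", "bob", 4_096, date(2008, 6, 29), date(2008, 6, 29)),
]


def large_files(records, min_size):
    """Large Files: paths larger than min_size, biggest first."""
    return [r.path for r in sorted(records, key=lambda r: r.size, reverse=True) if r.size > min_size]


def files_by_owner(records):
    """Files by Owner: total bytes per owner."""
    totals = defaultdict(int)
    for r in records:
        totals[r.owner] += r.size
    return dict(totals)


def files_by_file_group(records, patterns):
    """Files by File Group: paths whose name matches any of the group's patterns."""
    return sorted(r.path for r in records
                  if any(fnmatch(PureWindowsPath(r.path).name.lower(), p.lower()) for p in patterns))


def duplicate_files(records):
    """Duplicate Files: groups of paths that share name, size and last-modified date."""
    groups = defaultdict(list)
    for r in records:
        groups[(PureWindowsPath(r.path).name.lower(), r.size, r.modified)].append(r.path)
    return [sorted(paths) for paths in groups.values() if len(paths) > 1]


def least_recently_used(records, days, today=TODAY):
    """Least Recently Used Files: not accessed for at least `days` days."""
    cutoff = today - timedelta(days=days)
    return sorted(r.path for r in records if r.accessed <= cutoff)


def most_recently_used(records, days, today=TODAY):
    """Most Recently Used Files: accessed within the last `days` days."""
    cutoff = today - timedelta(days=days)
    return sorted(r.path for r in records if r.accessed > cutoff)
```

Note that report_old.docx has the same size as the three report.docx copies but a different name and modification date, so the Duplicate Files report correctly leaves it out; the Large Files report with a 100 MB threshold returns only the ISO and the AVI, which is the kind of output you would act on before the Quota Usage report starts showing users at their limit.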


What Is a Report Task?

Key Points
The Scheduled Report Tasks node results pane includes the report task. Tasks are identified by the reports to be generated, the namespace on which the report will be created, and the report schedule. You also can view the current report status (whether the report is running), the last run time and the result of that run, and the next scheduled run time.

Question: In your work environment, how frequently will you schedule reports using report tasks?


Generating On-Demand Reports

Key Points
During daily operations, you may want to generate reports on demand to analyze aspects of current server disk usage. Use the Generate reports now action to generate one or more reports. Current data is gathered before the reports are generated.

Question: Under what circumstances do you plan to use on-demand reports?


Lab D: Generating Storage Reports

Exercise 1: Generating Storage Reports


Scenario
You must generate an on-demand storage report. The main tasks for this exercise are as follows:
1. Generate an on-demand storage report.
2. Close all virtual machines, and discard undo disks.


Task 1: Generate an on-demand storage report


1. In the File Server Resource Manager console, run the Generate reports now option in the Reports node.
2. Store the report in the E:\Mod10\Labfiles\Users folder.
3. Generate a File Screening Audit and a Quota Usage report.
4. Review the contents of the report.

Task 2: Close all virtual machines, and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.

Results: After this exercise, you should have successfully generated an on-demand storage report.


Lesson 6

Understanding Storage Area Networks

With the rapid growth of the Internet and increased reliance on e-commerce, the adoption of SANs has become more common due to the proliferation of data. This lesson provides an overview of the concepts and terminology related to storage area networks.


What Is a Storage Area Network?

Key Points
Many administrators confuse the terms Network Attached Storage (NAS) and storage area network (SAN). A SAN is a high-performance network, usually separate from the local area network (LAN) of an organization, dedicated to delivering block (unformatted) data between servers and storage. A NAS device is typically a number of disks that are housed in an appliance dedicated to sharing and storing files directly on the LAN, similar to accessing files via a standard network share.

Question: In what way or ways do you currently use SAN storage in your work environment?


How Is a SAN Different from Direct Attached Storage?

Key Points
Both Direct-Attached Storage and SANs use the SCSI protocol to move data in blocks rather than files. From the vantage point of most operating systems, DAS and SAN storage are indistinguishable, despite the differences in their network topologies.
Note: NAS devices differ from SANs by serving files via network shares rather than simulating local disks attached to servers.

Question: How does SAN storage simplify backups?


What Is a Fibre Channel SAN?

Key Points
Fibre Channel (FC) is based on serial SCSI technologies and overcomes the parallel SCSI limitations to enable essentially unlimited device connectivity over long distances. FC interconnects deliver high-performance block I/O to storage devices within a SAN. Unlike parallel SCSI devices, which must arbitrate (or contend) for the bus, FC devices connected through a switch can transmit information between multiple servers and multiple storage devices at the same time.

Question: Is Fibre Channel storage in use in your work environment?


Example of a Basic Fibre Channel SAN Configuration

Key Points
In a Fibre Channel SAN, each server contains an HBA that connects by means of a Fibre Channel switch to a disk controller on the storage array. HBAs, although they reside on the server, are also part of the storage network. They serve first to provide the interface between the server and the attached Fibre Channel network and second to provide I/O processing, offloading most of the server processing required for transferring data. The resulting performance is very high and very scalable.

Question: Does the SAN configuration depicted above provide fault tolerance?


Discussion: Designing Redundancy in a Fibre Channel SAN

Key Points
Your organization has implemented a basic SAN scenario; however, you are concerned about availability of the SAN components. Based on the diagram presented, describe what is required to ensure availability and redundancy of the SAN environment.

Question: Which components should be redundant to obtain high availability?

Question: How would you configure the connections between an HBA and an FC switch to ensure availability?

Question: How would you ensure that the path between the switch and the disk array is highly available?


Discussion: Designing Redundancy in a Fibre Channel SAN Possible Solution

Key Points
Consider all points of failure when designing redundancy in the SAN. Redundant HBAs, FC switches, and disk array controllers will increase the level of redundancy in the SAN.


What Is iSCSI?

Key Points
Internet SCSI (iSCSI) is an industry standard that enables transmission of SCSI block commands over an existing IP network by using the TCP/IP protocol. iSCSI is a technological breakthrough that offers organizations the possibility of delivering both messaging traffic and block-based storage over existing IP networks, without installing a separate Fibre Channel network.

Question: In your work environment, is iSCSI implemented? If so, how has it been implemented?


What Is the Microsoft iSCSI Software Initiator?

Key Points
The Microsoft iSCSI Software Initiator service is installed on a host server and enables the server to connect to iSCSI target volumes on a storage array. The Software Initiator service enables streamlined storage management for all aspects of the iSCSI service.

Question: Describe at least one scenario where you would implement the Microsoft iSCSI Software Initiator.


Example of a Basic iSCSI SAN Configuration

Key Points
An iSCSI-based SAN solution consists of two components:
• iSCSI Software Initiator
• iSCSI target

Question: In the scenario depicted above, can either of the client computers access the iSCSI storage?


What Is Storage Manager for SANs?

Key Points
Storage Manager for SANs is a server feature that is provided in Windows Server 2008. Storage Manager for SANs can be used to assist in storage resource provisioning and disk configuration tasks with the implementation of a SAN solution. SAN provisioning has traditionally been viewed as the most complex of storage tasks and typically includes proprietary tools and commands. Storage Manager for SANs helps to simplify provisioning tasks and is designed to look and behave like standard Windows-based applications that administrators are already familiar with. Storage Manager for SANs provides the following benefits and functionality:
• Leverages the Virtual Disk Service (VDS) to manage storage, with the addition of vendor-provided VDS hardware providers.
• Discovers storage arrays on a Fibre Channel or an Internet Small Computer System Interface (iSCSI) SAN, including storage array properties such as firmware information.
• Provides the ability to create, delete, and expand storage array logical unit numbers (LUNs).
• Provides the ability to specify LUN options such as redundant array of independent disks (RAID) levels.
• Allows for the allocation of LUNs to specific servers on the SAN.
• Monitors LUN status and health.

Question: What approach does your organization currently use to manage SAN storage that is connected to Windows Servers?


Troubleshooting SAN Storage

Key Points
When you encounter issues with SAN storage, begin troubleshooting by gathering information about the nature of the issue, the hardware involved, and the software configuration. After you have gathered enough information, you can analyze the information, recommend changes, implement one or more changes, monitor the result, and document the process for future reference.

Question: Have you faced any SAN troubleshooting scenarios in your work environment? If so, how did you approach them?


Module Review and Takeaways

Review Questions
1. What is the difference between a hard and soft quota?
2. When a common set of file types need to be blocked, what should you create to block them in the most efficient manner?
3. If you want to apply a quota to all subfolders in a folder, including folders that will be created in the future, what option must you configure in the quota policy?


Tools
The following table describes the tools that you can use to configure FSRM:
Dirquota.exe: Use to create and manage quotas and quota templates.

FileScrn.exe: Use to create and manage file screens, file-screening exceptions, and file groups.

StorRept.exe: Use to configure report parameters and generate storage reports on demand. You also can create report tasks and then use Schtasks.exe to schedule them.

Fsutil: Use to configure NTFS quotas and create files to test quota behavior.


Module 11
Configuring and Managing Distributed File System
Contents:
Lesson 1: Distributed File System (DFS) Overview 11-3
Lesson 2: Configuring DFS Namespaces 11-13
Lab A: Installing the Distributed File System Role Service and Creating a DFS Namespace 11-22
Lesson 3: Configuring DFS Replication 11-26
Lab B: Configuring Folder Targets and Viewing Diagnostic Reports 11-42


Module Overview

Many of today's enterprises are challenged with maintaining large numbers of servers and users who often are distributed geographically throughout widespread locations. In these situations, administrators must find ways for users to locate the most recent files as quickly as possible. Managing multiple data sites often introduces additional challenges, such as limiting network traffic over slow wide area network (WAN) connections, ensuring the availability of files during WAN or server failures, and backing up file servers that are located at smaller remote offices. This module introduces the Distributed File System (DFS) solution that you can use to address these challenges by providing fault-tolerant access and WAN-friendly replication of files located throughout an enterprise.


Lesson 1

Distributed File System (DFS) Overview

Administrators who manage file servers throughout an enterprise require efficient access to resources and availability to files. DFS in the Microsoft Windows Server 2008 operating system provides two technologies to address these challenges: DFS Replication and DFS Namespaces. This lesson introduces the two technologies, and provides scenarios and requirements for deploying a DFS solution within your network environment.


What Is the Distributed File System?

Key Points
DFS Namespaces allows administrators to group shared folders located on different servers into one or more logically structured namespaces. DFS Replication (DFS-R) is a multi-master replication engine used to synchronize files between servers for both local and WAN network connections. Remote Differential Compression (RDC) identifies and synchronizes the data changes on a remote source, and uses compression techniques to minimize the data that is sent across the network.

Question: Do you have experience working with DFS or the DFS predecessor, File Replication service (FRS)?


How DFS Namespaces and DFS Replication Work

Key Points
Even though DFS Namespaces and DFS Replication are separate technologies, they can be used together to provide high availability and data redundancy. The following process describes how DFS Namespaces and DFS Replication work together:
1. The user accesses a folder in the configured namespace.
2. The client computer accesses the first server in the referral. This referral typically is a server in the client's own site, unless there is no server located within the client's site. In this case, the administrator can configure the target priority.

Question: In your organization, do you currently synchronize your shared folders? If so, how do you keep them synchronized?


DFS Scenarios

Key Points
Large organizations that have many branch offices often have to share files or collaborate between these locations. DFS-R can help replicate files between branch offices or from a branch office to a hub site. DFS technologies can collect files from a remote office and replicate them to a hub site, thus allowing the files to be used for a number of specific purposes. You can use DFS Namespaces and DFS-R to publish and replicate documents, software, and other line-of-business data throughout your organization.

Question: In what ways can you use DFS technologies within your organization?


Types of DFS Namespaces

Key Points
You can create either a domain-based or stand-alone namespace. Each type has different characteristics. A domain-based namespace can be used when:
• Namespace high availability is required.
• You need to hide the names of the namespace servers from users.


A stand-alone namespace is used when:
• Your organization has not implemented Active Directory Domain Services.
• Your organization does not meet the requirements for a Windows Server 2008 mode domain-based namespace, and you require more than 5,000 DFS folders. Stand-alone DFS namespaces support up to 50,000 folders with targets.

Question: In your organization, would you implement a domain-based namespace or a stand-alone namespace?


What Are Folders and Folder Targets?

Key Points
You create one or more folders within a DFS namespace. These folders contain one or more folder targets. If one of the folder targets is not available, the client will attempt to access the next folder target in the referral. This increases the data availability in the folder.

Question: Describe a scenario of how you would use folder targets in your organization.


Namespace Server Requirements

Key Points
A namespace server is a domain controller or member server that hosts a DFS Namespace. The operating system running on the server determines the number of namespaces that a server can host. The following table lists the guidelines you should use for namespace server requirements:

Server hosting stand-alone namespaces:
• Must contain an NTFS file system volume to host the namespace
• Can be a member server or a domain controller
• Can be a clustered file server

Server hosting domain-based namespaces:
• Must contain an NTFS volume to host the namespace
• Must be a member server or domain controller in the domain that the namespace is configured in
• Namespace cannot be a clustered resource in a server cluster


Question: How can you ensure the availability of domain-based roots with domain-based DFS namespaces?


Demonstration: Installing DFS

Key Points
1. Install the DFS role services on both NYC-DC1 and NYC-DC2.
2. Add the File Services role in Server Manager.
3. Add the Distributed File System role service.

Question: You need to deploy DFS technology within your environment. Is DFS considered a role service or a feature?

Question: Is it possible to install DFS Replication without installing DFS Namespaces?


Lesson 2

Configuring DFS Namespaces

Configuring DFS Namespaces consists of several tasks that include creating the namespace structure, creating folders within the namespace, and adding folder targets. You also may choose to perform additional management tasks, such as configuring the referral order and DFS replication. This lesson provides information on how to complete these configuration and management tasks to deploy an effective DFS solution.


Deploying Namespaces for Publishing Content

Key Points
Most DFS implementations primarily consist of content published within the DFS namespace. Use the New Namespace Wizard to create the namespace from within the DFS Management console. After the namespace is created, you then can add a folder in the namespace. You can add multiple folder targets to increase the folder's availability in the namespace. A referral is an ordered list of targets that a client computer receives from the namespace server when a user accesses a namespace root or folder.

Question: Describe a scenario when having a client continue to access the failover server would present problems.

Security Requirements for Creating and Managing a Namespace

Key Points
To perform namespace management tasks, a user either has to be a member of an administrative group or has to be delegated specific permission to perform the task. You can right-click the namespace and then click Delegate Management Permissions to delegate the required permissions.
Note: You also must add the user to the Local Administrators group on the namespace server.

Question: How would you delegate namespace tasks in your organization?

Demonstration: How to Create Namespaces

Key Points
Create a domain-based namespace. Create the ProjectDocs namespace. Create the AccountingSpreadsheets folder target.

Question: You want to enable advanced scalability and access-based enumeration. Which option provides these features?

Increasing Availability of a Namespace

Key Points
For clients to connect to a DFS namespace, they must be able to connect to a namespace server. This means it is important to ensure that the namespace servers are always available. The process for increasing namespace availability varies for domain-based and stand-alone namespaces: domain-based namespaces can be hosted on multiple servers, while stand-alone namespaces are limited to a single server.
Domain-based namespaces. You can increase the availability of a domain-based namespace by specifying additional namespace servers to host it.
Stand-alone namespaces. You can increase the availability of a stand-alone namespace by creating it as a shared resource in a server cluster.
Folder targets. You can increase the availability of each folder in a namespace by adding multiple folder targets.

Question: Describe how you could use these methods to increase availability in your organization.

Options for Optimizing a Namespace

Key Points
Renaming a folder allows you to reorganize the hierarchy of folders to best suit your organization's users.
By disabling a folder target's referral, you prevent client computers from accessing that folder target in the namespace. This is useful when you are moving data between servers.
Clients do not contact a namespace server for a referral each time they access a folder in a namespace. By default, namespace root referrals are cached for 300 seconds (five minutes), and folder referrals are cached for 1,800 seconds (30 minutes).
To maintain a consistent domain-based namespace across namespace servers, namespace servers must poll Active Directory periodically to obtain the most current namespace data.

Question: Describe a scenario when you would want to disable a folder target's referral.

Demonstration: Configuring Folder Targets

Key Points
Configure a second folder target. Examine namespace optimization settings.

Question: Which types of paths can you use when creating a new folder target?
Question: What kind of permissions do you need to add folder targets?

Lab A: Installing the Distributed File System Role Service and Creating a DFS Namespace

Objectives
Install the Distributed File System Role Service. Create a DFS Namespace.

Logon Information
Virtual Machines: 6419A-NYC-DC1 and 6419A-NYC-SVR1
User Name: WoodgroveBank\Administrator
Password: Pa$$w0rd

Exercise 1: Installing the Distributed File System Role Service


In this exercise, you will install the Distributed File System Role Service on both NYC-DC1 and NYC-SVR1. This will provide redundancy for the CorpDocs namespace and allow clients to contact the namespace server within their own site. The main tasks for this exercise are as follows:
1. Start each virtual machine and log on.
2. Install the Distributed File System Role Service on NYC-DC1.
3. Install the Distributed File System Role Service on NYC-SVR1.

Task 1: Start each virtual machine and log on


1. On the host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Install the Distributed File System Role Service on NYC-DC1


1. On NYC-DC1, start Server Manager.
2. Use the Add Roles Wizard to add the Distributed File System Role Service, including the DFS Namespaces and DFS Replication role services. Do not create a namespace at this point.
3. Using the Server Manager Roles pane, verify that File Server, Distributed File System, DFS Namespaces, and DFS Replication are installed.

Task 3: Install the Distributed File System Role Service on NYC-SVR1


1. On NYC-SVR1, start Server Manager.
2. Use the Add Roles Wizard to add the Distributed File System Role Service, including the DFS Namespaces and DFS Replication role services. Do not create a namespace at this point.
3. Using the Server Manager Roles pane, verify that File Server, Distributed File System, DFS Namespaces, and DFS Replication are all installed.

Exercise 2: Creating a DFS Namespace


In this exercise, you will create the CorpDocs DFS namespace. You also will configure both NYC-DC1 and NYC-SVR1 to host the CorpDocs namespace to provide redundancy. The main tasks for this exercise are as follows:
1. Use the New Namespace Wizard to create a new namespace.
2. Add an additional namespace server to host the namespace.

Task 1: Use the New Namespace Wizard to create a new namespace


1. On NYC-DC1, start the DFS Management console.
2. Use the New Namespace Wizard to create a namespace with the following options:
   Namespace Server: NYC-DC1
   Namespace Name and Settings: CorpDocs
   Namespace Type: Domain-based namespace
3. In the left pane, click the plus sign next to Namespaces, and then click \\WoodgroveBank.com\CorpDocs.
4. Verify that the CorpDocs namespace has been created on NYC-DC1.

Task 2: Add an additional namespace server to host the namespace


1. On NYC-DC1, in the DFS Management console, use the Add Namespace Server Wizard to add a new namespace server with the following options:
   Namespace server: NYC-SVR1
   Click Yes to start the Distributed File System service
2. In the left pane, click the plus sign next to Namespaces, and then click \\WoodgroveBank.com\CorpDocs.

Note: Verify from the Details pane that the CorpDocs namespace is now hosted on both NYC-DC1 and NYC-SVR1.

Lesson 3

Configuring DFS Replication

To configure DFS-R effectively, it is important to understand the terminology and requirements associated with the feature. This lesson provides information on the specific elements, requirements, and scalability considerations as they relate to DFS-R, and also provides a process for configuring an effective replication topology.

What Is DFS Replication?

Key Points
DFS-R uses a new compression algorithm known as remote differential compression (RDC). DFS-R detects changes on the volume by monitoring the update sequence number (USN) journal, and replicates changes only after the file is closed. When a file is changed, only the changed blocks are replicated, not the entire file.

DFS-R is self-healing and can automatically recover from USN journal wraps, USN journal loss, or loss of the DFS Replication database. DFS-R uses a Windows Management Instrumentation (WMI) provider that provides interfaces to obtain configuration and monitoring information from the DFS Replication service.

Question: List one advantage and one disadvantage to having deleted files stored in the Conflict and Deleted folders.

What Are Replication Groups and Replicated Folders?

Key Points
A replication group consists of a set of member servers that participate in replicating one or more replicated folders. There are two main types of replication groups:
Multipurpose replication group.
Replication group for data collection.

A replicated folder is a folder that is synchronized between each member server.

Question: How can creating multiple replicated folders in a single replication group simplify deployment?

DFS-R Requirements

Key Points
If you plan to use DFS Replication, the Active Directory schema must be updated to at least the version equal to Windows Server 2003 R2, so that it includes the Active Directory classes and attributes that DFS Replication uses. You cannot enable replication across servers in different forests.

Question: Does your organization meet the requirements for DFS-R?

Scalability Considerations for DFS-R

Key Points
Use the above scalability considerations when deploying DFS-R. Remember that these are guidelines and that you may be able to deploy configurations successfully that exceed them. However, it is important to test and verify that there is adequate space in the staging folders, and that latency is acceptable.

Question: DFS-R doesn't have restrictions on the size of files replicated; however, there is a consideration to ensure the files get replicated. What is this consideration?

Process for Deploying a Multipurpose Replication Group

Key Points
A multi-purpose replication group is used to replicate data between two or more servers for general content sharing or for data publishing. You can choose one of the following three types of topology for the connections between the replication group members.
Hub and spoke: Requires three or more members. In this topology, spoke members are connected to one or more hub members. Data then is replicated from the hub member to the spoke members.
Full mesh: In this topology, each member replicates with all other members of the replication group. This works well with 10 or fewer members.
No topology: You can use this option if you want to create a custom topology after you finish the wizard.

After an initial replication group is created, you can modify the replicated folders, the connection, or the topology. You also can delegate permissions to other administrators to allow for management of the replication group.

Question: What topology would you use in your organization?
Question: When is the best time to schedule replication?

Understanding the Initial Replication Process

When you first configure replication, you must choose a primary member that has the most up-to-date files to be replicated. This server is considered authoritative for any conflict resolution that occurs when the receiving members have files that are older or newer when compared to the same files on the primary member. The following concepts will help you to better understand the initial replication process:
Initial replication does not begin immediately.
Initial replication always occurs between the primary member and its receiving replication partners.
When receiving files from the primary member during initial replication, the receiving members that contain files that are not present on the primary member move those files to their respective DfsrPrivate\PreExisting folder.
To determine whether files are identical on the primary member and receiving member, DFS Replication compares the files using a hash algorithm.
After the initialization of the replicated folder, the primary member designation is removed.

Question: What is a consideration when choosing a primary member?

Generating Diagnostic Reports and Propagation Tests

Key Points
To help maintain and troubleshoot DFS-R, you can generate diagnostic reports and perform propagation tests. You can use the Diagnostic Report Wizard to perform the following:
Create a health report.
Start a propagation test.
Create a propagation report.

Question: How often would you run the diagnostic report wizard to create a health report in your organization?

Demonstration: Deploying DFS-R

Key Points
Create and configure the AccountingDataRepl replication group. Create a diagnostic report.

Question: Where are you able to modify the path for the staging folder?
Question: Which tab shows the sending and receiving members of the replication group?

Troubleshooting DFS-R and Active Directory

Key Points
Common causes of the "Waiting for the DFS Replication service to retrieve replication settings from Active Directory" error:

Issue: Active Directory replication latency.
Solutions: Wait. Force replication using repadmin (with /replicate /force) or replmon (with synchronize directory partition). Change your replication schedule and topology.

Issue: Active Directory replication blocked due to network misconfigurations such as DNS resolution or firewall blocks.
Solution: Fix the network configuration.

Issue: Active Directory replication blocked due to topology misconfigurations.
Solution: Verify the site topology in Active Directory and check the event logs for topology problems.

Issue: AD replication blocked due to lingering objects. Lingering objects are typically objects that exist in the read-only GC partition of a domain controller but no longer exist in the read-write source domain partition. This can happen when an administrator brings a domain controller (DC) back online after it has been shut off for months; source objects that were deleted and tombstoned are no longer available. Because the old DC can no longer be told about the deletions, it still holds copies of those objects, which can be reanimated.
Solution: To resolve this issue, you can use the Repadmin tool to remove lingering objects from a directory partition: repadmin /removelingeringobjects.

Issue: Active Directory replication blocked due to tombstone lifetime - Event ID 2042 (It has been too long since this machine replicated).
Solution: In most circumstances, the best answer is to forcibly demote the DC if you have other domain controllers that can handle the load in the meantime.

Question: List three places you can look for DFS-R troubleshooting information.

Troubleshooting DFS-R

Key Points
Several other issues and solutions include:

DFS-R is slow
Make sure operating system updates and DFS-R hotfixes are installed. If the event that indicates the staging quota is over its configured size (event ID 4208 in the DFS-R event log) is logged multiple times in an hour, increase the staging quota by 20 percent. If you see a considerable number of DFS-R event log entries for 4302 and 4304, you may want to start examining how files are being used, looking for sharing violations.

Data isn't being replicated
DFS-R might not work across firewalls when replicating between branch offices without a virtual private network (VPN) connection because it uses the remote procedure call (RPC) dynamic endpoint mapper. Additionally, configuring DFS-R using the DFS Management console does not work when a firewall is enabled. To enable DFS-R to work through a firewall, you can define a static port using the Dfsrdiag.exe command-line tool. Event ID 6802 may appear in Event Viewer if the topology is not connected.

Not replicating .bak files
By default, DFS-R has a file filter on each replicated folder that excludes files with names starting with ~, or files with the extension .tmp or .bak, from replication. You can change it using the DFS Management console.

Question: In your organization, would you include .bak files in your DFS replication?
Question: What would be a disadvantage of replicating .bak files?
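As an added example (not part of the course material), the following PowerShell script turns the "DFS-R is slow" and "Data isn't being replicated" guidance above into a repeatable check: it counts event 4208 per clock hour, totals the 4302/4304 sharing-violation events, flags 6802, and reads each replicated folder's current staging quota and file filter from the DFS-R WMI provider (the DfsrReplicatedFolderConfig class in the root\MicrosoftDFS namespace) so that a 20 percent larger quota can be proposed. It assumes PowerShell 2.0 or later (for Get-WinEvent) and local administrator rights on the DFS-R member; the per-hour threshold is an illustrative reading of "multiple times in an hour", not Microsoft guidance.

```powershell
# Added example, not from the course: triage the DFS Replication event log for
# the event IDs discussed above and report staging quota data from the DFS-R
# WMI provider. Assumes PowerShell 2.0 or later (Get-WinEvent) and local
# administrator rights on the DFS-R member. $PerHourLimit is an illustrative
# reading of "multiple times in an hour", not Microsoft guidance.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24,
    [int]$PerHourLimit = 2
)

$since  = (Get-Date).AddHours(-$Hours)
$ids    = 4208, 4302, 4304, 6802
$events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'DFS Replication'; Id = $ids; StartTime = $since
} -ErrorAction SilentlyContinue)

"Scanned $($events.Count) DFS-R events (IDs $($ids -join ', ')) since $since on $ComputerName"

# 1. Staging quota pressure: 4208 means the staging folder is over its
#    configured size. Count occurrences per clock hour and flag busy hours.
$busyHours = @($events | Where-Object { $_.Id -eq 4208 } |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Where-Object { $_.Count -ge $PerHourLimit } | Sort-Object Name)
foreach ($h in $busyHours) {
    "WARN  event 4208 logged $($h.Count) times during $($h.Name): staging quota is too small"
}

# 2. Sharing violations (4302 file, 4304 folder handle): a high count means
#    open files are blocking replication and usage patterns should be examined.
$sharing = @($events | Where-Object { $_.Id -eq 4302 -or $_.Id -eq 4304 })
if ($sharing.Count -gt 0) {
    "INFO  $($sharing.Count) sharing-violation events (4302/4304) in the last $Hours hours"
}

# 3. 6802: this member has no connection in the replication topology.
$topology = @($events | Where-Object { $_.Id -eq 6802 })
if ($topology.Count -gt 0) {
    "WARN  event 6802 seen $($topology.Count) times: check the replication group's connections"
}

# 4. For every replicated folder on this member, read the current staging quota
#    and file filter from the DFS-R WMI provider, and show the quota after a
#    20 percent increase. This only reports; apply the change in DFS Management
#    (replicated folder membership, Staging tab) so it is stored in Active Directory.
$folders = @(Get-WmiObject -ComputerName $ComputerName -Namespace 'root\MicrosoftDFS' `
    -Class DfsrReplicatedFolderConfig -ErrorAction SilentlyContinue)
foreach ($f in $folders) {
    $current   = [int]$f.StagingSizeInMb
    $suggested = [int][math]::Ceiling($current * 1.2)
    '{0,-25} staging {1,6} MB -> {2,6} MB (+20%)  filter: {3}' -f `
        $f.ReplicatedFolderName, $current, $suggested, $f.FilenameToExclude
}
```

Run it on each member of the replication group, not only the hub, because staging pressure and sharing violations are per-member conditions. For the firewall case in the text, the static port is assigned on each member with `dfsrdiag staticrpc /port:<port> /member:<server>` (an illustrative port number of your choosing), after which that TCP port and the RPC endpoint mapper (TCP 135) are the only DFS-R ports the firewall needs to permit between members.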

Lab B: Configuring Folder Targets and Viewing Diagnostic Reports

Exercise 1: Configuring Folder Targets and Folder Replication


In this exercise, you initially will create folder targets on two separate servers and then verify that the CorpDocs namespace functions correctly. You then will add availability and redundancy by creating additional folder targets and configuring replication. The main tasks for this exercise are as follows:
1. Create the HRTemplates folder, and configure a folder target on NYC-DC1.
2. Create the PolicyFiles folder, and configure a folder target on NYC-SVR1.
3. Verify the CorpDocs namespace functionality.
4. Create additional folder targets for the HRTemplates folder, and then configure folder replication.
5. Create additional folder targets for the PolicyFiles folder, and then configure folder replication.

Task 1: Create the HRTemplates folder, and configure a folder target on NYC-DC1
1. On NYC-DC1, in the DFS Management console, right-click \\WoodgroveBank.com\CorpDocs.
2. Create a new folder called HRTemplates.
3. Add a new folder target called HRTemplateFiles using the following options:
   Click the New Shared Folder button.
   Share Name: HRTemplateFiles
   Local path of shared folder: C:\HRTemplateFiles
   Shared Folder Permissions: Administrators have full access; other users have read-only permissions
4. In the console tree, click \\WoodgroveBank.com\CorpDocs.
5. In the details pane, click the Namespace tab. Notice that HRTemplates is listed as an entry in the namespace.
6. In the console tree, expand \\WoodgroveBank.com\CorpDocs and then click HRTemplates.
7. In the details pane, notice that on the Folder Targets tab, one folder target is configured. Click the Replication tab, and notice that replication is not configured.

Task 2: Create the PolicyFiles folder, and configure a folder target on NYC-SVR1
1. On NYC-DC1, in the DFS Management console, right-click \\WoodgroveBank.com\CorpDocs.
2. Create a new folder called PolicyFiles on NYC-SVR1.
3. Add a new folder target called PolicyFiles using the following options:
   Click the New Shared Folder button.
   Share Name: PolicyFiles
   Local path of shared folder: C:\Policyfiles
   Shared Folder Permissions: Administrators have full access; other users have read-only permissions
4. In the console tree, expand \\WoodgroveBank.com\CorpDocs and then click PolicyFiles. In the details pane, notice that on the Folder Targets tab, one folder target is configured.

Task 3: Verify the CorpDocs namespace functionality


1. On NYC-DC1, click Start and then click Run.
2. Access the \\WoodgroveBank\CorpDocs namespace, and verify that both HRTemplates and PolicyFiles are visible. (If they are not visible, wait approximately five minutes and then check again.)
3. In the HRTemplates folder, create a new Rich Text Document file called VacationRequest.
4. In the PolicyFiles folder, create a new Rich Text Document file called OrderPolicies.

Task 4: Create additional folder targets for the HRTemplates folder, and then configure folder replication
1. On NYC-DC1, in the DFS Management console, add a folder target with the following options:
   Path to folder target: \\NYC-SVR1\HRTemplates
   Create share: Yes
   Local Path of shared folder: C:\HRTemplates
   Shared folder permissions: Administrators have full access; other users have read-only permissions
   Replication group: Yes
   Replication Group name: woodgrovebank.com\corpdocs\hrtemplates
   Replicated folder name: HRTemplates
   Primary member: NYC-DC1
   Topology: Full mesh
   Replication schedule: default
2. In the console tree, expand the Replication node, and then click woodgrovebank.com\corpdocs\hrtemplates.
3. In the details pane, on the Memberships tab, verify that both NYC-DC1 and NYC-SVR1 are listed and enabled.

Task 5: Create additional folder targets for the PolicyFiles folder, and then configure folder replication
1. On NYC-DC1, in the DFS Management console, add a folder target with the following options:
   Path to folder target: \\NYC-DC1\PolicyFiles
   Create share: Yes
   Local Path of shared folder: C:\PolicyFiles
   Shared folder permissions: Administrators have full access; other users have read-only permissions
   Replication group: Yes
   Replication Group name: woodgrovebank.com\corpdocs\policyfiles
   Replicated folder name: PolicyFiles
   Primary member: NYC-SVR1
   Topology: Full mesh
   Replication schedule: default
2. In the console tree, expand the Replication node, and then click woodgrovebank.com\corpdocs\PolicyFiles.
3. In the details pane, on the Memberships tab, verify that both NYC-DC1 and NYC-SVR1 are listed and enabled.

Exercise 2: Viewing Diagnostic Reports for Replicated Folders


In this exercise, you will generate a diagnostic report to view the folder replication status. The main tasks for this exercise are as follows:
1. Create a diagnostic report for woodgrovebank.com\corpdocs\hrtemplates.
2. Close all virtual machines, and discard undo disks.

Task 1: Create a diagnostic report for woodgrovebank.com\corpdocs\hrtemplates


1. On NYC-DC1, create a diagnostic report for woodgrovebank.com\corpdocs\hrtemplates based upon the following options:
   Type of Diagnostic Report or Test: health report
   Path and Name: default
   Members to include: NYC-DC1 and NYC-SVR1
   Options: Backlogged files enabled; Count replicated files enabled
2. Read through the report and take note of any errors or warnings. When you are finished, close the Microsoft Internet Explorer window.
3. Create a diagnostic report for the policy files replication group. Read through the report and take note of any errors or warnings. When you are finished, close the Internet Explorer window. Note that there may be errors reported if replication has not yet begun or finished.
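As an added example (not part of the lab or the course material), the backlog figure that the health report's "Backlogged files" option shows can also be queried from the command line with Dfsrdiag.exe, which is installed with the DFS Replication role service, and this serves both the "Generating Diagnostic Reports and Propagation Tests" topic and this task. The PowerShell wrapper below assumes PowerShell 2.0 or later, the lab's replication group, folder and member names, and the wording of the tool's text output (its "Backlog File Count" and "No Backlog" lines), which is an assumption about printed output rather than a documented API; the warning threshold is illustrative.

```powershell
# Added example, not from the course: query DFS-R backlog in both directions
# between two members with dfsrdiag.exe (part of the DFS Replication role
# service). Group, folder and member names are the lab's; the parsing of the
# tool's text output is an assumption and may need adjusting per OS version.
param(
    [string]$ReplicationGroup = 'woodgrovebank.com\corpdocs\hrtemplates',
    [string]$ReplicatedFolder = 'HRTemplates',
    [string[]]$Members        = @('NYC-DC1', 'NYC-SVR1'),
    [int]$WarnAt              = 100   # illustrative threshold, not Microsoft guidance
)

function Get-DfsrBacklog {
    param([string]$Group, [string]$Folder, [string]$Sending, [string]$Receiving)
    # dfsrdiag reports how many files $Receiving still has to get from $Sending
    $out  = & dfsrdiag.exe backlog "/rgname:$Group" "/rfname:$Folder" `
                "/smem:$Sending" "/rmem:$Receiving" 2>&1
    $text = ($out | Out-String)
    if ($text -match 'No Backlog') { return 0 }
    if ($text -match 'Backlog File Count:\s*(\d+)') { return [int]$matches[1] }
    throw "Could not parse dfsrdiag output for $Sending -> $Receiving`n$text"
}

# Check every ordered pair so a one-way stall (for example a missing or
# disabled connection, event 6802) shows up as a backlog in one direction only.
$results = @()
foreach ($s in $Members) {
    foreach ($r in $Members) {
        if ($s -eq $r) { continue }
        $count  = Get-DfsrBacklog -Group $ReplicationGroup -Folder $ReplicatedFolder `
                      -Sending $s -Receiving $r
        $status = 'in sync'
        if ($count -ge $WarnAt) { $status = 'WARN' }
        elseif ($count -gt 0)   { $status = 'catching up' }
        $results += New-Object PSObject -Property @{
            Sending   = $s
            Receiving = $r
            Backlog   = $count
            Status    = $status
        }
    }
}
$results | Format-Table Sending, Receiving, Backlog, Status -AutoSize
```

Run shortly after Task 5 of Exercise 1 the script shows a non-zero backlog that then drains, which matches the note that initial replication does not begin immediately; a backlog that persists in one direction only points at the connection or schedule for that member pair rather than at the replicated folder itself.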

Task 2: Close all virtual machines, and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.

Module Review and Takeaways

Review Questions
1. How can you use DFS in your File Services deployment?
2. What kind of compression technology is used by Windows Server 2008 DFS?
3. What are three main scenarios used for DFS?
4. What is the difference between a domain-based DFS namespace and a stand-alone DFS namespace?
5. What is the default ordering method for client referral to folder targets?
6. What does the Primary Member configuration do when setting up replication?
7. Which folder is used to cache files and folders where conflicting changes are made on two or more members?

Network Ports Used by DFS


The following table describes the network ports that DFS uses:
Service Name | Relevant Computers | UDP | TCP
NetBIOS Name Service | Domain controllers; root servers that are not domain controllers; servers acting as folder targets; client computers acting as folder targets | 137 | 137
NetBIOS Datagram Service | Domain controllers; root servers that are not domain controllers; servers acting as folder targets; client computers acting as folder targets | 138 | -
NetBIOS Session Service | Domain controllers; root servers that are not domain controllers; servers acting as folder targets; client computers acting as folder targets | - | 139
LDAP Server | Domain controllers | 389 | 389
Remote Procedure Call (RPC) endpoint mapper | Domain controllers | - | 135
Server Message Block (SMB) | Domain controllers; root servers that are not domain controllers; servers acting as folder targets; client computers acting as folder targets | 445 | 445
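As an added example (not part of the course material), the PowerShell script below checks that the TCP ports in the table above accept connections on the lab's namespace and folder-target servers, which is the quickest way to confirm that a firewall between a client site and a DFS server is not the reason a namespace fails to open. It uses the .NET TcpClient with a timeout so that it runs under the PowerShell 2.0 available for Windows Server 2008; the server names are lab placeholders, the UDP ports in the table (137, 138, 389, 445) cannot be verified with a connect test and are left out, and the DFS-R replication traffic itself uses a dynamic RPC port that is not in this table.

```powershell
# Added example, not from the course: verify that the TCP ports listed in the
# table above accept connections on the lab's DFS servers. Uses the .NET
# TcpClient with a timeout so it also runs under the PowerShell 2.0 available
# for Windows Server 2008. UDP ports (137, 138, 389, 445) cannot be checked
# with a connect test and are left out. Server names are lab placeholders.
param(
    [string[]]$Servers = @('NYC-DC1', 'NYC-SVR1'),
    [int]$TimeoutMs    = 2000
)

# TCP ports from the table; 389 applies to domain controllers only.
$tcpPorts = @{
    135 = 'RPC endpoint mapper'
    137 = 'NetBIOS Name Service'
    139 = 'NetBIOS Session Service'
    389 = 'LDAP (domain controllers only)'
    445 = 'Server Message Block (SMB)'
}

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$Timeout)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        # WaitOne returns $false when the timeout elapses (filtered or silently dropped)
        if (-not $async.AsyncWaitHandle.WaitOne($Timeout, $false)) { return $false }
        $client.EndConnect($async)     # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = @()
foreach ($server in $Servers) {
    foreach ($port in ($tcpPorts.Keys | Sort-Object)) {
        $open = Test-TcpPort -Target $server -Port $port -Timeout $TimeoutMs
        $results += New-Object PSObject -Property @{
            Server  = $server
            Port    = "$port/tcp"
            Service = $tcpPorts[$port]
            State   = $(if ($open) { 'open' } else { 'closed or filtered' })
        }
    }
}
$results | Format-Table Server, Port, Service, State -AutoSize
```

Run it from a client in the site that reports the problem, because a port that is open from the server's own subnet can still be filtered at the site boundary; "closed or filtered" on 445 against a folder-target server explains a referral that is returned but cannot be followed.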

Tools
The following table lists the tools that you can use to configure and manage DFS:
Tool | Use For | Where to find it
Dfsutil | Performing advanced operations on DFS namespaces. | On a namespace server, type Dfsutil at a command prompt.
Dfscmd.exe | Scripting basic DFS tasks such as configuring DFS roots and targets. | On a namespace server, type Dfscmd at a command prompt.
DFS Management | Performing tasks related to DFS namespaces and replication. | Click Start, point to Administrative Tools, and then click DFS Management.

Configuring Network Access Protection

12-1

Module 12
Configuring Network Access Protection
Contents:
Lesson 1: Overview of Network Access Protection   12-3
Lesson 2: How NAP Works   12-18
Lesson 3: Configuring NAP   12-25
Lesson 4: Monitoring and Troubleshooting NAP   12-33
Lab: Configuring NAP for DHCP and VPN   12-37

Module Overview

Network Access Protection (NAP) ensures compliance with specific health policies for systems accessing the network. NAP assists administrators in achieving and maintaining a specific health policy. This module provides information about how NAP works, and how to configure, monitor, and troubleshoot NAP.

Lesson 1

Overview of Network Access Protection

NAP is a system health policy-enforcement platform built into Microsoft Windows Server 2008, Windows Vista, and Windows XP Service Pack 3. This platform enables you to protect private network assets better by enforcing compliance with system health requirements. NAP enables you to create customized health-requirement policies to validate computer health before allowing access or communication, as well as automatically update compliant computers to ensure ongoing compliance and limit the access of non-compliant computers to a restricted network until they become compliant.

What Is Network Access Protection?

NAP for Windows Server 2008, Windows Vista, and Windows XP Service Pack 3 provides components and an application programming interface (API) that help administrators enforce compliance with health-requirement policies for network access or communication. NAP enables developers and administrators to create solutions for validating computers that connect to their networks, as well as provide needed updates or access to needed health update resources and limit the access or communication of non-compliant computers. NAP has three important and distinct aspects:
Health state validation
Health policy compliance
Limited access

Question: How would you use NAP enforcement in your environment, considering home users, roaming laptops and outside business partners?

NAP Scenarios

Depending on their requirements, administrators can configure a solution to address any or all of these scenarios for their networks.

Question: Have you ever had an issue with insecure, unmanaged laptops causing harm to your network? Do you think NAP would have addressed this issue?

NAP Enforcement Methods

Components of the NAP infrastructure known as enforcement clients (ECs) and enforcement servers (ESs) require health-state validation and enforce limited network access for non-compliant computers to specific network access or communication. Administrators can use the enforcement methods separately or together to limit the access or communication of non-compliant computers. Network Policy Server (NPS) in Windows Server 2008, the replacement for Internet Authentication Service (IAS) in Windows Server 2003, acts as a health policy server for all of these NAP enforcement methods. Windows Vista and Windows Server 2008 also include NAP support for Terminal Services Gateway (TS Gateway) connections.

Question: Which of the NAP enforcement types would best suit your company? Can you see your organization using multiple NAP enforcement types? If so, which ones?

NAP Platform Architecture

The components of a NAP-enabled network infrastructure consist of the following: NAP clients are computers that support the NAP platform for system healthvalidated network access or communication. NAP enforcement points are computers or network-access devices that use NAP to require evaluation of a NAP clients health state and provide restricted network access or communication. NAP enforcement points include HRA, VPN server, DHCP server and network access devices. HRA is a computer that runs Windows Server 2008 and Internet Information Services (IIS), and that obtains health certificates from a certification authority (CA) for compliant computers.


- NAP health policy servers: computers that run Windows Server 2008 and the NPS service, and that store health-requirement policies and provide health-state validation for NAP. NPS replaces the Internet Authentication Service (IAS), the Remote Authentication Dial-In User Service (RADIUS) server and proxy that Windows Server 2003 provides.
- Remediation servers: computers that host the health update resources that NAP clients on the restricted network can reach to remediate their non-compliant state. Examples include antivirus signature distribution servers and software update servers.

Question: Does your environment presently use 802.1X authentication at the switch level? If so, would 802.1X NAP enforcement be beneficial, given that you can configure remediation VLANs to offer limited access?


NAP Architecture Interactions

The interactions among the computers and devices of a NAP-enabled network infrastructure depend on the NAP enforcement methods chosen. The client side and the server side of the architecture each have processes that enable health policy validation for the client, or remediation network access to help the client become compliant with the requirements for unrestricted network access.
Question: List an example of a NAP-enabled network infrastructure used in your organization.


NAP Client Infrastructure

The NAP client architecture consists of the following:
- A layer of NAP enforcement client (EC) components. Each NAP EC is defined for a different type of network access or communication.
- A layer of system health agent (SHA) components. An SHA component maintains and reports one or multiple elements of system health.
- NAP Agent. Maintains the current health-state information of the NAP client and facilitates communication between the NAP EC and SHA layers. The NAP platform provides the agent.
- SHA application programming interface (API). Provides a set of function calls that allow SHAs to register with the NAP Agent, indicate system health status, and respond to NAP Agent queries for system health status, and that allow the NAP Agent to pass system health-remediation information to an SHA.
- NAP EC API. Provides a set of function calls that allow NAP ECs to register with the NAP Agent, request system health status, and pass system health-remediation information to the NAP Agent.


The NAP ECs supplied with the NAP platform in Windows Vista, Windows Server 2008, and Windows XP with SP3 (which includes the NAP client) are the following:
- An IPsec NAP EC for IPsec-protected communications
- An EAPHost NAP EC for 802.1X-authenticated connections
- A VPN NAP EC for remote access VPN connections
- A DHCP NAP EC for DHCP-based IPv4 address configuration
- A TS Gateway NAP EC for Terminal Services Gateway connections (Windows Vista and Windows Server 2008)

Question: How would your organization deal with enabling the appropriate EC on non-domain computers that are outside of the management scope?


Demonstration: Using the NAP Client Configuration Tool

Key Points
Open the NAP Client Configuration tool. Explore the options available.

Question: List at least one example of how the NAP client could benefit your organization.


NAP Server-Side Infrastructure

A Windows-based NAP enforcement point has a layer of NAP Enforcement Server (ES) components. Each NAP ES is defined for a different type of network access or communication. For example, there is a NAP ES for remote-access VPN connections and a NAP ES for DHCP configuration. The NAP ES typically is matched to a specific type of NAP-capable client. For example, the DHCP NAP ES is designed to work with a DHCP-based NAP client. Third-party software vendors or Microsoft can provide additional NAP ESs for the NAP platform. The most common configuration for NAP server-side infrastructure consists of NAP enforcement points providing network access or communication of a specific type and separate NAP health policy servers providing system health validation and remediation. It is possible to install the NPS service as a NAP health policy server on individual Windows-based NAP enforcement points. However, in this configuration, you must configure each NAP enforcement point separately with network access and health policies. We recommend a configuration where you use separate NAP health policy servers.


The overall NAP architecture consists of the following sets of components:
- The three NAP client components (an SHA layer, the NAP Agent, and a NAP EC layer)
- The four NAP server-side components (an SHV layer, the NAP Administration Server, the NPS service, and a NAP ES layer on Windows-based NAP enforcement points)
- Health-requirement servers
- Remediation servers

Question: List at least one example of how the NAP health policy server can monitor your networks.


Communication Between NAP Platform Components

Some common NAP-related terms you will see are:
- SHV: System health validator. A server-side component, running on the NAP health policy server, that registers with the NAP system and validates the health claims reported by its matching SHA.
- SHA: System health agent. An SHA monitors one or more aspects of system health, can perform system health updates, and publishes its status in the form of a statement of health (SoH) to the NAP Agent. The SoH contains information that the NAP health policy server can use to verify that the client computer is in the required state of health.
- SoH: Statement of health. To indicate the health state of a specific SHA, the SHA creates an SoH and passes it to the NAP Agent. An SoH can contain one or multiple elements of system health.
- SSoH: System statement of health. To indicate the overall health state of a NAP client, the NAP Agent uses an SSoH, which includes version information for the NAP client and the set of SoHs for the installed SHAs.
- SoHR: Statement of health response. Each SHA is matched to an SHV on the server side of the NAP platform architecture. The corresponding SHV returns an SoHR to the NAP client; the NAP EC and the NAP Agent pass it to the SHA, informing the SHA of what to do if it is not in the required state of health.
- SSoHR: System statement of health response. Based on the SoHRs from the SHVs and the configured health policies, the NPS service creates an SSoHR, which indicates whether the NAP client is compliant or non-compliant and includes the set of SoHRs from the SHVs.

The NAP Agent component communicates with the NAP Administration Server component through the following process:
1. The NAP Agent passes the SSoH to the NAP EC.
2. The NAP EC passes the SSoH to the NAP ES.
3. The NAP ES passes the SSoH to the NPS service.
4. The NPS service passes the SSoH to the NAP Administration Server.

The NAP Administration Server communicates with the NAP Agent through the following process:
1. The NAP Administration Server passes the SSoHR to the NPS service.
2. The NPS service passes the SSoHR to the NAP ES.
3. The NAP ES passes the SSoHR to the NAP EC.
4. The NAP EC passes the SSoHR to the NAP Agent.

An SHA communicates with its corresponding SHV through the following process:
1. The SHA passes its SoH to the NAP Agent.
2. The NAP Agent passes the SoH, contained within the SSoH, to the NAP EC.
3. The NAP EC passes the SoH to the NAP ES.
4. The NAP ES passes the SoH to the NAP Administration Server.
5. The NAP Administration Server passes the SoH to the SHV.

The SHV communicates with its corresponding SHA through the following process:
1. The SHV passes its SoHR to the NAP Administration Server.
2. The NAP Administration Server passes the SoHR to the NPS service.
3. The NPS service passes the SoHR, contained within the SSoHR, to the NAP ES.
4. The NAP ES passes the SoHR to the NAP EC.
5. The NAP EC passes the SoHR to the NAP Agent.
6. The NAP Agent passes the SoHR to the SHA.

Question: List an example of how your organization can use NAP Platform Components to facilitate communication.


Lesson 2

How NAP Works

The design of NAP enables administrators to configure it to meet their network needs. Therefore, the actual NAP configuration will vary according to the administrator's preferences and requirements. However, the underlying operation of NAP remains the same. When a client attempts to access or communicate on the network, it must present its statement of health (SoH). If a client is not compliant with system-health requirements (for example, that it has the latest operating system and antivirus updates installed), its access to, or communication on, the network can be limited to a restricted network containing remediation server resources, until the health-compliance issues are remedied. After the updates are installed, the client requests access to the network or attempts the communication again. If it is compliant, the client is granted unlimited access to the network or the communication is allowed.


NAP Enforcement Processes

With Network Access Protection, you can create customized health policies to validate computer health before allowing access or communication, to update compliant computers automatically to ensure ongoing compliance, and, optionally, to confine non-compliant computers to a restricted network until they become compliant. Question: List at least one example of why you would customize a health policy.


How IPsec Enforcement Works

IPsec enforcement limits communication for IPsec-protected NAP clients by dropping incoming communication attempts sent from computers that cannot negotiate IPsec protection using health certificates. Unlike 802.1X and VPN enforcement, in which enforcement occurs at the network entry point, each individual computer performs IPsec enforcement. IPsec enforcement defines the following logical networks:
- Secure network: the set of computers that have health certificates and that require that incoming communication attempts use health certificates for IPsec authentication.
- Boundary network: the set of computers that have health certificates, but that do not require that incoming communication attempts use health certificates for IPsec authentication. The HRA and the remediation servers that restricted computers must be able to reach belong here.
- Restricted network: the set of computers that do not have health certificates. This includes non-compliant NAP client computers, guests on the network, and computers that are not NAP-capable, such as computers running Windows versions that do not support NAP, or Apple Macintosh or UNIX-based computers.

Question: For which computers in the secure network would you allow unsecure communication from computers in the restricted network to succeed?


How 802.1X Enforcement Works

IEEE 802.1X enforcement instructs an 802.1X-capable access point (a switch or wireless access point) to apply a limited access profile, either a set of IP packet filters or a VLAN ID, that limits the traffic of the non-compliant computer so that it can reach only resources on the restricted network. For IP packet filtering, the 802.1X-capable access point applies the IP packet filters to the IP traffic that it exchanges with the 802.1X client, and silently discards all packets that do not match a configured packet filter. For VLAN IDs, the 802.1X-capable access point tags all of the packets exchanged with the 802.1X client with the VLAN ID, and the traffic does not leave the VLAN that corresponds to the restricted network. If the NAP client is non-compliant, the 802.1X connection has the limited access profile applied and the NAP client can reach only the resources on the restricted network.
Question: What must the network devices support to implement 802.1X NAP?


How VPN Enforcement Works

VPN enforcement uses a set of remote-access IP packet filters to limit non-compliant VPN client traffic so that it can reach only the resources on the restricted network. The VPN server applies the IP packet filters to the IP traffic that it receives from the VPN client, and silently discards all packets that do not correspond to a configured packet filter.
Question: How does the VPN NAP enforcement method respond to non-compliant computers that make connection attempts?


How DHCP Enforcement Works

DHCP enforcement limits network access for the DHCP client through its IPv4 routing table. DHCP enforcement sets the DHCP Router option value to 0.0.0.0, so the non-compliant computer does not have a configured default gateway. DHCP enforcement also sets the subnet mask for the allocated IPv4 address to 255.255.255.255, so that there is no route to the attached subnet. To allow the non-compliant computer to reach the restricted network's remediation servers, the DHCP server assigns the Classless Static Routes DHCP option. This option contains host routes to the restricted network's computers, such as the DNS and remediation servers. The end result of DHCP limited network access is an IPv4 configuration and routing table that allows connectivity only to the specific destination addresses that correspond to the restricted network. Therefore, when an application attempts to send to a unicast IPv4 address other than those supplied through the Classless Static Routes option, the TCP/IP protocol returns a routing error. Because the restriction exists only in the client's own configuration, a user with local administrator rights can bypass it by assigning a static IPv4 address or editing the routing table; DHCP enforcement is therefore the weakest of the NAP enforcement methods and suits deployments whose goal is keeping cooperative computers compliant rather than stopping a deliberate attacker.
Question: Does the DHCP NAP enforcement type work on IPv6 networks?
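The restricted state described above can be recognised from the client side without touching the NAP console. The following function is an added example, not part of the course: it reads the IPv4 configuration of every DHCP-enabled adapter, applies the two tests the text gives (a 255.255.255.255 subnet mask and no usable default gateway), and, when both hold, lists the /32 host routes the Classless Static Routes option delivered. It assumes Windows PowerShell 2.0 or later on the client and the Win32_NetworkAdapterConfiguration and Win32_IP4RouteTable WMI classes, which are present on Windows Vista, Windows Server 2008 and later; the function name Test-NapDhcpRestriction is this example's own.

```powershell
# Added example: detect DHCP NAP enforcement from the client's own IPv4 configuration.
# Assumes Windows PowerShell 2.0+ and the standard WMI networking classes.
function Test-NapDhcpRestriction {
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration |
            Where-Object { $_.IPEnabled -and $_.DHCPEnabled }

    foreach ($nic in $nics) {
        # IPAddress and IPSubnet are parallel arrays that may also hold IPv6 entries;
        # pick the first IPv4 address and its mask.
        $idx = 0
        for ($i = 0; $i -lt $nic.IPAddress.Count; $i++) {
            if ($nic.IPAddress[$i] -match '^\d+\.\d+\.\d+\.\d+$') { $idx = $i; break }
        }
        $ip   = $nic.IPAddress[$idx]
        $mask = $nic.IPSubnet[$idx]
        $gw   = @($nic.DefaultIPGateway)

        # Marker 1: a /32 mask, so there is no route to the attached subnet.
        $hostMask = ($mask -eq '255.255.255.255')
        # Marker 2: no gateway at all, or the 0.0.0.0 the DHCP Router option carries.
        $noGateway = -not ($gw | Where-Object { $_ -and $_ -ne '0.0.0.0' })
        $restricted = $hostMask -and $noGateway

        $hostRoutes = @()
        if ($restricted) {
            # Host routes from the Classless Static Routes option are /32 entries on this
            # interface for addresses other than the client's own and the broadcast address.
            $hostRoutes = Get-WmiObject Win32_IP4RouteTable |
                Where-Object { $_.InterfaceIndex -eq $nic.InterfaceIndex -and
                               $_.Mask -eq '255.255.255.255' -and
                               $_.Destination -ne $ip -and
                               $_.Destination -ne '255.255.255.255' } |
                ForEach-Object { $_.Destination }
        }

        New-Object PSObject -Property @{
            Adapter        = $nic.Description
            IPv4Address    = $ip
            SubnetMask     = $mask
            Gateway        = ($gw -join ',')
            Restricted     = $restricted
            ReachableHosts = ($hostRoutes -join ',')
        }
    }
}

# Usage on the client: compare the routing-table view with the NAP Agent's own view.
Test-NapDhcpRestriction | Format-List
netsh nap client show state
```

If Restricted is true but ReachableHosts is empty, the scope's remediation server group was not applied to the non-compliant policy and the client cannot even reach DNS to remediate; if Restricted is false while netsh reports the client as restricted, look for a static address or manual route that is bypassing the enforcement.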


Lesson 3

Configuring NAP

This lesson provides information about configuring the client to interoperate with the server-side infrastructure of a NAP-enforced environment. A NAP-capable client is a computer that has the NAP components installed and can verify its health state by sending a SoH to NPS.


What Are System Health Validators?

SHAs and SHVs, which are NAP infrastructure components, provide health-state tracking and validation. Windows Vista and Windows XP Service Pack 3 include the Windows Security Health Agent (WSHA), an SHA that monitors the Windows Security Center settings. Windows Server 2008 includes the corresponding Windows Security Health Validator (WSHV). NAP is designed to be flexible and extensible, and interoperates with any vendor's software that provides SHAs and SHVs that use the NAP API. An SHV receives an SoH from the NAP Administration Server and compares the system health status information in the SoH with the required system health state. For example, if the SoH is from an antivirus SHA and contains the version number of the last virus-signature file, the corresponding antivirus SHV can check with the antivirus health-requirement server for the latest version number to validate the NAP client's SoH.

The SHV returns an SoHR to the NAP Administration Server. The SoHR can contain information about how the corresponding SHA on the NAP client can meet current system-health requirements. For example, the SoHR that the antivirus SHV sends could instruct the NAP client's antivirus SHA to request the latest version of the antivirus signature file from a specific antivirus signature server, identified by name or IP address.
Question: Does NAP work only with Microsoft-supplied System Health Validators?


What Is a Health Policy?

A health policy is an NPS policy that specifies which SHVs are used to evaluate a client and whether the client must pass all SHV checks, or is treated as non-compliant when it fails one or more of them. If the client's configuration state does not match the requirements that the health policy defines, NPS takes one of the following actions, depending on the NAP configuration:
- It rejects the connection request.
- It places the NAP client on a restricted network where it can receive updates from remediation servers that bring the client into compliance with health policy. After the NAP client achieves compliance, NPS enables it to connect.
- It allows the NAP client to connect to the network despite its non-compliance with the health policy (reporting mode).

Question: Can you use only one SHV in a health policy?


What Are Remediation Server Groups?

A remediation server hosts the updates that the NAP Agent can use to bring non-compliant client computers into compliance with health policy, as defined in NPS. For example, a remediation server can host antivirus signatures. If health policy requires that client computers have the latest antivirus definitions, then the following work together to update non-compliant computers: an antivirus SHA, an antivirus SHV, an antivirus policy server, and the remediation server.
Question: What services might a remediation server offer to update antivirus signatures?


NAP Client Configuration

You should remember these basic guidelines when you configure NAP clients:

Some NAP deployments that use the Windows Security Health Validator (WSHV) require that you enable Security Center. Enable the Turn on Security Center (Domain PCs only) setting in Group Policy under Computer Configuration, Administrative Templates, Windows Components, Security Center.

To use the WSHV setting A firewall is enabled for all network connections, the firewall software running on the client computer must be Windows Firewall or other firewall software that is compatible with Windows Security Center. The Windows Security Health Agent (WSHA) on the client cannot detect or manage firewall software that is not compatible with Windows Security Center, so a client that runs only such a firewall fails this check even though a firewall is active.

The Network Access Protection Agent service is required on NAP-capable client computers. Open Services from Administrative Tools, open the properties of the Network Access Protection Agent service, change the startup type to Automatic, and start the service.

You also must enable the appropriate NAP enforcement clients on the NAP-capable computers. To do this with the NAP Client Configuration snap-in:
1. Create a custom Microsoft Management Console (MMC) console with the NAP Client Configuration snap-in.
2. Expand NAP Client Configuration, and select Enforcement Clients in the console tree.
3. In the details pane, double-click the EC that you want to enable, and select Enable This Enforcement Client on the Properties sheet.

You also can use netsh to enable or disable ECs. Each EC is addressed by its numeric ID; the following command enables the DHCP enforcement client (ID 79617):

netsh nap client set enforcement ID=79617 ADMIN=ENABLE

Use netsh nap client show configuration to list the enforcement clients with their IDs and current state. When a NAP Client Configuration Group Policy applies to the computer, the Group Policy settings take precedence over these local settings.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Question: What Windows groups have the rights to enable Security Center in Group Policy, enable NAP service on clients, and enable/disable NAP enforcement clients?
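The client-side guidelines above, carried out from an elevated PowerShell prompt on the client and then verified. This is an added example and not part of the course. It assumes Windows Vista or Windows Server 2008 or later, the NAP Agent service name napagent, the enforcement client IDs that netsh nap client reports (79617 DHCP, 79619 Remote Access/VPN, 79621 IPsec, 79623 EAP/802.1X, 79625 TS Gateway), and that the Turn on Security Center (Domain PCs only) policy is stored as the SecurityCenterInDomain value under the Security Center policy key; the policy itself should still be delivered by Group Policy rather than written locally.

```powershell
# Added example: prepare and verify a NAP-capable client for DHCP enforcement.
# Run from an elevated prompt on the client (Windows Vista / Server 2008 or later).

# 1. The NAP Agent service (service name napagent) must start automatically and be running.
Set-Service -Name napagent -StartupType Automatic
Start-Service -Name napagent
Get-Service -Name napagent | Select-Object Name, Status
(Get-WmiObject Win32_Service -Filter "Name='napagent'").StartMode   # expect Auto

# 2. Enable the DHCP enforcement client. IDs: 79617 DHCP, 79619 Remote Access (VPN),
#    79621 IPsec, 79623 EAP (802.1X), 79625 TS Gateway. Same effect as
#    "Enable This Enforcement Client" in the NAP Client Configuration snap-in.
netsh nap client set enforcement ID=79617 ADMIN=ENABLE

# 3. Verify. Group Policy settings override the local ones, so check both views
#    and then what the agent currently believes about its own state.
netsh nap client show configuration
netsh nap client show grouppolicy
netsh nap client show state

# 4. Security Center policy check. "Turn on Security Center (Domain PCs only)" is
#    assumed here to set SecurityCenterInDomain=1 under the policy key below.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Security Center'
$sc  = Get-ItemProperty -Path $key -Name SecurityCenterInDomain -ErrorAction SilentlyContinue
if ($sc -and $sc.SecurityCenterInDomain -eq 1) {
    'Security Center policy is applied'
} else {
    'Security Center policy is NOT applied: run gpupdate /force, then gpresult /r'
}
```

Steps 1 to 3 need only local Administrators membership; only the Group Policy object behind step 4 needs domain-level rights, which is the distinction the question above is asking about.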


Demonstration: Using the Configure NAP Wizard to Apply Network Access Policies

Key Points
Open the Network Policy Server tool to configure NAP. Create a policy for DHCP.


Lesson 4

Monitoring and Troubleshooting NAP

Troubleshooting and monitoring the NAP infrastructure is an important administrative task, because each NAP enforcement method involves different technologies, prerequisites, and areas of expertise. Trace logs are available for NAP, but are disabled by default. These logs serve two purposes: troubleshooting, and evaluating a network's health and security.


What Is NAP Tracing?

You can use the NAP Client Configuration snap-in to configure NAP tracing. Tracing records NAP events in a log file, and is useful for troubleshooting and maintenance. You also can use tracing logs to evaluate your network's health and security. You can configure three levels of tracing: Basic, Advanced, and Debug. You should enable NAP tracing when:
- You are troubleshooting NAP problems.
- You want to evaluate the overall health and security of your organization's computers.
Tracing is disabled by default; enable it for the duration of an investigation and turn it off again when you are done.

Question: List at least one example of how NAP tracing can be used to determine an issue with client communication.


Configuring NAP Tracing

There are two tools that are available for configuring NAP tracing. The NAP Client Configuration console is part of the Windows user interface, and netsh is a command-line tool. To view the log files, navigate to the %systemroot%\tracing\nap directory, and open the particular trace log that you want to view. Question: What is the netsh command for enabling NAP debug logging levels?
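The command-line side of the procedure above, as an added example that is not part of the course: enable tracing at the most detailed level, reproduce the problem, pull the most recent log files and their error lines out of %systemroot%\tracing\nap, and disable tracing again. It assumes an elevated prompt and that netsh names the three levels basic, advanced and verbose, verbose being the console's Debug level; the search pattern for interesting lines is this example's own choice.

```powershell
# Added example: NAP client tracing from the command line, then reading the logs.
# Assumes an elevated prompt (local Administrators).

# Enable tracing at the most detailed level (netsh: basic | advanced | verbose).
netsh nap client set tracing state=enable level=verbose

# Reproduce the problem with tracing on. For DHCP enforcement, renewing the lease
# makes the client send its statement of health again.
ipconfig /renew

$traceDir = Join-Path $env:SystemRoot 'tracing\nap'

# Newest trace files first, so the log written during the repro is on top.
Get-ChildItem -Path $traceDir |
    Where-Object { -not $_.PSIsContainer } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 5 Name, Length, LastWriteTime

# Lines most likely to explain a failed health check or a lost SoH exchange.
Get-ChildItem -Path $traceDir |
    Where-Object { -not $_.PSIsContainer } |
    Select-String -Pattern 'error|fail|reject' |
    Select-Object -Last 20 Filename, LineNumber, Line

# Tracing is off by default; leave it that way once the investigation is over.
netsh nap client set tracing state=disable
```

Collect the client trace together with the NPS server's event log entries for the same time window; the client side shows what was sent and the server side shows which network policy matched and why.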


Demonstration: Configuring Tracing

Key Points
Configure tracing from the graphical user interface. Configure tracing from the command line.

Question: Of what group must you be a member to enable NAP tracing?


Lab: Configuring NAP for DHCP and VPN

Objectives
Configure NAP for DHCP clients Configure NAP for VPN clients

Scenario
As the Woodgrove Bank technology specialist, you need to establish a way to bring client computers automatically into compliance. You will do this by using Network Policy Server, creating client compliance policies, and configuring a NAP server to check the current health of computers.
Note: Since NAP is a new and complex technology in Windows Server 2008, detailed steps have been provided here for each of the tasks in this lab. For this reason, there will be no separate lab answer key for this module.


Exercise 1: Configuring Network Access Protection (NAP) for Dynamic Host Configuration Protocol (DHCP) Clients
In this exercise, you will configure and test NAP for DHCP clients. The main tasks are as follows:
1. Start the NYC-DC1, NYC-SVR1, and NYC-CL1 virtual machines.
2. Install the Network Policy Server (NPS) and Dynamic Host Configuration Protocol (DHCP) server roles.
3. Configure NYC-SVR1 as a NAP health policy server.
4. Configure the DHCP service for NAP enforcement.
5. Configure NYC-CL1 as a DHCP and NAP client.
6. Test NAP enforcement.

Task 1: Start the NYC-DC1, NYC-SVR1, and NYC-CL1 virtual machines

1. On the host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
5. Log on to each virtual machine as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Install the Network Policy Server (NPS) and Dynamic Host Configuration Protocol (DHCP) server roles
1. On NYC-SVR1, click Start, and then click Server Manager.
2. In the Server Manager console pane, right-click Roles, and then click Add Roles.
3. On the Before You Begin page, click Next.
4. On the Select Server Roles page, select the DHCP Server and Network Policy and Access Services check boxes, and then click Next twice.
5. On the Select Role Services page, select the Network Policy Server check box, and then click Next twice.
6. On the Select Network Connection Bindings page, verify that 10.10.0.24 is selected, and then click Next.
7. On the Specify IPv4 DNS Server Settings page, for Parent Domain, verify that WoodGroveBank.com is listed.
8. In the Preferred DNS Server IPv4 Address field, type 10.10.0.10, and then click Validate.
9. Verify that the result returned is Valid, and then click Next.
10. On the Specify IPv4 WINS Server Settings page, verify that WINS is not required for applications on this network is selected, and then click Next.
11. On the Add or Edit DHCP Scopes page, click Add.
12. In the Add Scope dialog box, in the Scope Name field, type NAP Scope.
13. In the Starting IP Address field, type 10.10.0.50.
14. In the Ending IP Address field, type 10.10.0.99.
15. In the Subnet Mask field, type 255.255.0.0.
16. Verify that the Activate this scope check box is selected, click OK, and then click Next.
17. On the Configure DHCPv6 Stateless Mode page, click Disable DHCPv6 stateless mode for this server, and then click Next.
18. On the Authorize DHCP Server page, verify that Use current credentials is selected, and then click Next.
19. On the Confirm Installation Selections page, click Install.
20. When the installation completes, click Close.
21. Close Server Manager.
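The same server-side result as Task 2, driven from an elevated command line on NYC-SVR1 instead of the Add Roles wizard. This is an added example and not part of the lab. It assumes Windows Server 2008's servermanagercmd.exe and netsh dhcp (later Windows Server versions replace the former with the ServerManager PowerShell module), the lab's addresses (NYC-SVR1 at 10.10.0.24, DNS at 10.10.0.10, domain WoodGroveBank.com) and the role identifiers DHCP and NPAS-Policy-Server. The final set napstate command is not part of Task 2: it is the netsh form of enabling NAP on the scope, which the lab does later in the DHCP console (Task 4), and the scope does not enforce anything until it is set.

```powershell
# Added example: Task 2 from the command line on NYC-SVR1 (Windows Server 2008).
# Run from an elevated prompt as WOODGROVEBANK\Administrator.

# Install the DHCP Server role and the Network Policy Server role service (steps 4-5).
servermanagercmd.exe -install DHCP
servermanagercmd.exe -install NPAS-Policy-Server

# Authorize this DHCP server in Active Directory (step 18). Unauthorized servers
# in a domain do not hand out leases, so do this before creating the scope.
netsh dhcp add server nyc-svr1.woodgrovebank.com 10.10.0.24

# Server-wide DNS settings (steps 7-9): option 015 domain name, option 006 DNS server.
netsh dhcp server set optionvalue 015 STRING WoodGroveBank.com
netsh dhcp server set optionvalue 006 IPADDRESS 10.10.0.10

# Create and activate the NAP Scope: 10.10.0.0/16, leasing 10.10.0.50-10.10.0.99 (steps 11-16).
netsh dhcp server add scope 10.10.0.0 255.255.0.0 "NAP Scope" "DHCP NAP lab scope"
netsh dhcp server scope 10.10.0.0 add iprange 10.10.0.50 10.10.0.99
netsh dhcp server scope 10.10.0.0 set state 1

# Enable NAP enforcement on this scope (the netsh form of the scope's
# Network Access Protection tab; not done by the Add Roles wizard).
netsh dhcp server scope 10.10.0.0 set napstate on

# Verify the scope and its option values.
netsh dhcp server show scope
netsh dhcp server scope 10.10.0.0 show optionvalue
```

Because NPS runs on the same server here, the DHCP service hands the client's statement of health to the local NPS service; with a separate health policy server you would additionally register NYC-SVR1 as a RADIUS client on that server and point the DHCP server at it.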


Task 3: Configure NYC-SVR1 as a NAP health policy server


1. 2. Click Start, point to Administrative Tools, and then click Network Policy Server. Configure SHVs: a. b. c. In the Network Policy Server console pane, expand Network Access Protection, and then click System Health Validators. In the details pane, double-click Windows Security Health Validator. In the Windows Security Health Validator Properties dialog box, click Configure.

d. In the Windows Security Health Validator dialog box, on the Windows Vista tab, clear all check boxes except A firewall is enabled for all network connections. e. 3. Click OK twice.

Configure remediation server groups: a. b. c. In the console pane, under Network Access Protection, right-click Remediation Server Groups, and then click New. In the New Remediation Server Group dialog box, in the Group Name field, type Rem1. Click Add.

d. In the Add New Server dialog box, in the IP address or DNS name field, type 10.10.0.10, and then click Resolve. e. 4. Click OK twice.

Configure health policies: a. b. c. In the console pane, expand Policies. Right-click Health Policies, and then click New. In the Create New Health Policy dialog box, in the Policy name field, type DHCP Compliant.

d. In the Client SHV checks list, verify that Client passes all SHV checks is selected. e. Under SHVs used in this health policy, select the Windows Security Health Validator check box, and then click OK.

WWW.ISLAMSC.COM

Configuring Network Access Protection

12-41

MCT USE ONLY. STUDENT USE PROHIBITED

f. g. h. i. 5.

In the console pane, right-click Health Policies, and then click New. In the Create New Health Policy dialog box, in the Policy name field, type DHCP Noncompliant. In the Client SHV checks list, click Client fails one or more SHV checks. Under SHVs used in this health policy, select the Windows Security Health Validator check box, and then click OK.

Configure a network policy for compliant computers: a. b. c. In the console pane, under Policies, click Network Policies. In the details pane, right-click Connections to Microsoft Routing and Remote Access server and then click Disable. Right-click Connections to other access servers, and then click Disable.

d. In the console pane, right-click Network Policies, and then click New. e. f. g. h. i. j. k. l. On the Specify Network Policy Name and Connection Type page, in the Policy name field, type DHCP Compliant-Full Access. In the Type of network access server list, click DHCP Server and then click Next. On the Specify Conditions page, click Add. In the Select condition dialog box, double-click Health Policies. In the Health Policies dialog box, in the Health policies list, click DHCP Compliant, and then click OK. On the Specify Conditions page, verify that Health Policy is specified under Conditions with a value of DHCP Compliant. On the Specify Conditions page, click Add. In the Select condition dialog box, double-click MS-Service Class.

m. In the MS-Service Class dialog box, type NAP Scope, and then click OK. n. On the Specify Conditions page, verify that MS-Service class is specified under Conditions with a value of NAP Scope, and then click Next. o. p. On the Specify Access Permission page, verify that Access granted is selected, and then click Next. On the Configure Authentication Methods page, clear all check boxes, then select Perform machine health check only, and then click Next.

WWW.ISLAMSC.COM

12-42

Configuring, Managing and Maintaining Windows Server 2008 Servers

MCT USE ONLY. STUDENT USE PROHIBITED

q. r. s. t. 6.

On the Configure Constraints page, click Next. On the Configure Settings page, click NAP Enforcement. In the details pane, verify that Allow full network access is selected and then click Next. On the Completing New Network Policy page, click Finish to complete configuration of the network policy for compliant client computers.

Configure a network policy for non-compliant computers: a. b. c. In the console pane, right-click Network Policies, and then click New. On the Specify Network Policy Name and Connection Type page, in the Policy name field, type DHCP Noncompliant-Restricted Access. In the Type of network access server list, click DHCP Server and then click Next.

d. On the Specify Conditions page, click Add. e. f. g. h. i. j. k. l. In the Select condition dialog box, double-click Health Policies. In the Health Policies dialog box, in the Health policies list, click DHCP Noncompliant, and then click OK. On the Specify Conditions page, verify that Health Policy is specified under Conditions with a value of DHCP Noncompliant. Click Add. In the Select condition dialog box, double-click MS-Service Class. In the MS-Service Class dialog box, type NAP Scope, and then click OK. On the Specify Conditions page, verify that MS-Service class is specified under Conditions with a value of NAP Scope, and then click Next. On the Specify Access Permission page, verify that Access granted is selected, and then click Next.

Note: A setting of Access granted does not mean that non-compliant clients are granted full network access. It specifies that clients matching these conditions will be granted an access level that the policy determines.

   m. On the Configure Authentication Methods page, clear all check boxes, then select Perform machine health check only, and then click Next.
   n. On the Configure Constraints page, click Next.
   o. On the Configure Settings page, click NAP Enforcement.
   p. In the details pane, click Allow limited access.
   q. Click Configure.
   r. In the Remediation Server Group and Troubleshooting URL dialog box, in the Remediation Server Group list, click Rem1.
   s. In the Troubleshooting URL field, type http://remediation.restricted.woodgrovebank.com, and then click OK.
   t. Verify that Enable auto-remediation of client computers is selected, and then click Next.

Note: Although this remediation server does not exist (a limitation of the lab environment), it is important to understand how to configure these settings.

   u. On the Completing New Network Policy page, click Finish to complete configuration of the network policy for non-compliant client computers.

7. Configure a network policy for non NAP-capable computers:
   a. In the console pane, right-click Network Policies, and then click New.
   b. On the Specify Network Policy Name and Connection Type page, in the Policy name field, type DHCP Non NAP-Capable.
   c. In the Type of network access server list, click DHCP Server, and then click Next.
   d. On the Specify Conditions page, click Add.
   e. In the Select condition dialog box, double-click NAP-Capable Computers.
   f. In the NAP-Capable Computers dialog box, click Only computers that are not NAP-capable, and then click OK.
   g. On the Specify Conditions page, verify that NAP-Capable is specified under Condition with a value of Computer is not NAP-Capable.
   h. On the Specify Conditions page, click Add.
   i. In the Select condition dialog box, double-click MS-Service Class.
   j. In the MS-Service Class dialog box, type Non NAP Scope, and then click OK.
   k. On the Specify Conditions page, verify that MS-Service class is specified under Conditions with a value of Non NAP Scope, and then click Next.
   l. On the Specify Access Permission page, verify that Access granted is selected, and then click Next.
   m. On the Configure Authentication Methods page, clear all check boxes, then select Perform machine health check only, and then click Next.
   n. On the Configure Constraints page, click Next.
   o. On the Configure Settings page, click NAP Enforcement.
   p. In the details pane, click Allow limited access.
   q. Click Configure.
   r. In the Remediation Server Group and Troubleshooting URL dialog box, in the Remediation Server Group list, click Rem1.
   s. In the Troubleshooting URL field, type http://remediation.restricted.woodgrovebank.com, and then click OK.
   t. Verify that Enable auto-remediation of client computers is selected, and then click Next.
   u. On the Completing New Network Policy page, click Finish to complete configuration of the network policy for older, non NAP-capable client computers.

8. Configure the connection request policy:
   a. In the console pane, right-click Connection Request Policies, and then click New.
   b. On the Specify Connection Request Policy Name and Connection Type page, in the Policy name field, type NAP DHCP.
   c. In the Type of network access server list, click DHCP Server, and then click Next.
   d. On the Conditions page, click Add.
   e. In the Select condition dialog box, double-click Day and Time Restrictions.
   f. In the Day and time restrictions dialog box, click All, and then click Permitted.
   g. Click OK, and then click Next.
   h. On the Specify Connection Request Forwarding page, verify that Authenticate requests on this server is selected, and then click Next.
   i. On the Specify Authentication Methods page, verify that Override network policy authentication settings is not selected.
   j. Click Next twice, and then click Finish.

Result: This completes configuration of the NAP network policies.
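The three network policies configured above form a first-match set: NPS evaluates network policies in order and applies the first one whose conditions all match, and rejects the request if none match. The following PowerShell script is an added illustration of that evaluation (not part of the course materials); the compliant network policy and health policy names are assumed, because the steps that create them precede this excerpt, and the request objects are constructed here.

```powershell
# Added example (not from the 6419A course): model of how NPS selects a network
# policy for the DHCP NAP requests configured in Task 3. NPS processes network
# policies in order and uses the first whose conditions all match; if none
# match, it rejects the connection request.

$CompliantHealthPolicy = 'DHCP Compliant'             # assumed name (created before this excerpt)
$CompliantPolicyName   = 'DHCP Compliant-Full Access' # assumed name (created before this excerpt)

# Conditions and NAP Enforcement settings as configured in steps 5 to 7.
$NetworkPolicies = @(
    @{ Name        = $CompliantPolicyName
       Conditions  = @{ HealthPolicy = $CompliantHealthPolicy; ServiceClass = 'NAP Scope' }
       Enforcement = 'Allow full network access' },
    @{ Name        = 'DHCP Noncompliant-Restricted Access'
       Conditions  = @{ HealthPolicy = 'DHCP Noncompliant'; ServiceClass = 'NAP Scope' }
       Enforcement = 'Allow limited access (remediation group Rem1, auto-remediation on)' },
    @{ Name        = 'DHCP Non NAP-Capable'
       Conditions  = @{ NapCapable = $false; ServiceClass = 'Non NAP Scope' }
       Enforcement = 'Allow limited access (remediation group Rem1, auto-remediation on)' }
)

function Resolve-NapNetworkPolicy {
    # $Request holds what NPS sees for one DHCP client: the MS-Service-Class the
    # DHCP server sends (ServiceClass), whether a statement of health was sent
    # (NapCapable) and, if so, which health policy it matched (HealthPolicy).
    param([Parameter(Mandatory = $true)][hashtable]$Request)

    foreach ($policy in $NetworkPolicies) {
        $allMatch = $true
        foreach ($attr in $policy.Conditions.Keys) {
            if (-not $Request.ContainsKey($attr) -or
                $Request[$attr] -ne $policy.Conditions[$attr]) {
                $allMatch = $false
                break
            }
        }
        if ($allMatch) {
            return [pscustomobject]@{ Policy = $policy.Name; Outcome = $policy.Enforcement }
        }
    }
    return [pscustomobject]@{ Policy = '(none)'; Outcome = 'Access-Reject: no network policy matched' }
}

# Constructed sample requests, one per class of client in the lab. The last one
# shows why the scope class matters: a non NAP-capable client that obtains its
# lease from the NAP Scope matches none of the three policies.
$samples = @(
    @{ Client  = 'Compliant NAP client, NAP Scope'
       Request = @{ NapCapable = $true;  HealthPolicy = $CompliantHealthPolicy; ServiceClass = 'NAP Scope' } },
    @{ Client  = 'Noncompliant NAP client, NAP Scope'
       Request = @{ NapCapable = $true;  HealthPolicy = 'DHCP Noncompliant'; ServiceClass = 'NAP Scope' } },
    @{ Client  = 'Non NAP-capable client, Non NAP Scope'
       Request = @{ NapCapable = $false; ServiceClass = 'Non NAP Scope' } },
    @{ Client  = 'Non NAP-capable client, NAP Scope'
       Request = @{ NapCapable = $false; ServiceClass = 'NAP Scope' } }
)

foreach ($s in $samples) {
    $r = Resolve-NapNetworkPolicy -Request $s.Request
    '{0,-40} -> {1}: {2}' -f $s.Client, $r.Policy, $r.Outcome
}
```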

Task 4: Configure DHCP service for NAP enforcement


1. On NYC-DC1, click Start, point to Administrative Tools, and then click DHCP.
2. In the DHCP console pane, expand nyc-dc1.woodgrovebank.com, expand IPv4, and then click Scope [10.10.0.0] HeadOffice.
3. Right-click Scope [10.10.0.0] HeadOffice, and then click Delete.
4. In the DHCP dialog box, click Yes twice.
5. Close DHCP.
6. On NYC-SVR1, click Start, point to Administrative Tools, and then click DHCP.
7. In the DHCP console pane, expand nyc-svr1.woodgrovebank.com, expand IPv4, and then click Scope [10.10.0.0] NAP Scope.
8. Right-click Scope [10.10.0.0] NAP Scope, and then click Properties.
9. In the Scope [10.10.0.0] NAP Scope Properties dialog box, on the Network Access Protection tab, click Enable for this scope.
10. Select Use custom profile.
11. In the Profile Name field, type NAP Scope, and then click OK.
12. In the console pane, click Scope Options.
13. Right-click Scope Options, and then click Configure Options.
14. In the Scope Options dialog box, on the Advanced tab, in the User class list, verify that Default User Class is selected.
15. Under Available Options, select the 015 DNS Domain Name check box.
16. In the String value field, type woodgrovebank.com, and then click OK.
17. In the console pane, right-click Scope Options, and then click Configure Options.
18. In the Scope Options dialog box, on the Advanced tab, in the User class list, click Default Network Access Protection Class.
19. Under Available Options, select the 006 DNS Servers check box.
20. In the IP address field, type 10.10.0.10, and then click Add.

Note: In this lab, the DNS server address is the same for both the restricted and unrestricted networks. In a real environment, you would specify here a DNS server that exists on the restricted network.

21. Under Available Options, select the 015 DNS Domain Name check box.
22. In the String value field, type restricted.woodgrovebank.com, and then click OK.

Note: The restricted.woodgrovebank.com domain is a restricted access network assigned to non-compliant NAP clients.

23. Close DHCP.

Task 5: Configure NYC-CL1 as DHCP and NAP client


1. On NYC-CL1, enable Security Center:
   a. Click Start, type mmc, and then press ENTER.
   b. In the Console1 window, on the File menu, click Add/Remove Snap-in.
   c. In the Add or Remove Snap-ins dialog box, under Available snap-ins, click Group Policy Object Editor, and then click Add.
   d. In the Select Group Policy Object dialog box, click Finish, and then click OK.
   e. In the console pane, expand Local Computer Policy, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Security Center.
   f. In the details pane, double-click Turn on Security Center (Domain PCs only).
   g. In the Turn on Security Center (Domain PCs only) Properties dialog box, click Enabled, and then click OK.

2. Enable the DHCP enforcement client:
   a. On the File menu, click Add/Remove Snap-in.
   b. In the Add or Remove Snap-ins dialog box, under Available snap-ins, click NAP Client Configuration, and then click Add.
   c. In the NAP Client Configuration dialog box, click OK twice.
   d. In the console pane, click NAP Client Configuration (Local Computer).
   e. In the NAP Client Configuration details pane, click Enforcement Clients.
   f. Right-click DHCP Quarantine Enforcement Client, and then click Enable.

3. Enable and start the NAP agent service:
   a. On the File menu, click Add/Remove Snap-in.
   b. In the Add or Remove Snap-ins dialog box, under Available snap-ins, click Services, and then click Add.
   c. In the Services dialog box, click Finish, and then click OK.
   d. In the console pane, click Services.
   e. In the details pane, double-click Network Access Protection Agent.
   f. In the Network Access Protection Agent Properties (Local Computer) dialog box, in the Startup type list, click Automatic, and then click Start.
   g. Wait for the NAP agent service to start, and then click OK.
   h. Close Console1. When prompted to save settings, click No.

4. Configure NYC-CL1 for DHCP address assignment:
   a. Click Start, right-click Network, and then click Properties.
   b. In the Network and Sharing Center window, click View status.
   c. In the Local Area Connection Status dialog box, click Properties.
   d. In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 6 (TCP/IPv6) check box.

Note: This reduces the lab's complexity, particularly for those who are not familiar with IPv6.

   e. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
   f. In the Internet Protocol Version 4 (TCP/IP) Properties dialog box, click Obtain an IP address automatically, and then click Obtain DNS server address automatically.
   g. Click OK, and then click Close twice.
   h. Close Network and Sharing Center.
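The client-side work in steps 1 to 3 can also be scripted. The following PowerShell script is an added example (not part of the course materials): it sets the registry value that backs the Turn on Security Center (Domain PCs only) policy, enables an enforcement client with netsh nap, starts the NAP agent service, and then reads back the values that Task 6 asks you to check with ipconfig. The enforcement client IDs are the ones netsh nap uses (79617 for DHCP in this task, 79618 for the Remote Access client enabled in Exercise 2, Task 4); the function names are my own.

```powershell
# Added example (not from the 6419A course): scripted equivalent of Task 5,
# steps 1 to 3, run from an elevated PowerShell prompt on the client.
# Enforcement client IDs accepted by "netsh nap client set enforcement":
#   79617 = DHCP Quarantine Enforcement Client (this exercise)
#   79618 = Remote Access Quarantine Enforcement Client (Exercise 2, Task 4)

function Assert-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this script from an elevated PowerShell prompt.'
    }
}

function Enable-SecurityCenterPolicy {
    # Step 1: "Turn on Security Center (Domain PCs only)" is stored as this
    # policy value; writing it directly has the same effect as the GPO editor.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Security Center'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'SecurityCenterInDomain' -Value 1 -Type DWord
}

function Enable-NapEnforcementClient {
    # Step 2: same result as right-clicking the client in NAP Client
    # Configuration and choosing Enable.
    param([int]$Id = 79617)
    netsh nap client set enforcement ID = $Id ADMIN = "ENABLE"
    if ($LASTEXITCODE -ne 0) { throw "netsh could not enable enforcement client $Id." }
}

function Start-NapAgent {
    # Step 3: Network Access Protection Agent (service name napagent) set to
    # Automatic and started; WaitForStatus mirrors "wait for the service to start".
    Set-Service -Name napagent -StartupType Automatic
    Start-Service -Name napagent
    (Get-Service -Name napagent).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}

function Get-NapClientSummary {
    # Verification: the netsh state dump plus the two ipconfig lines that Task 6
    # (and Exercise 2, Task 4) ask you to read off the client.
    $ipcfg = ipconfig /all
    [pscustomobject]@{
        QuarantineState = ($ipcfg | Select-String 'System Quarantine State').Line
        DnsSuffix       = ($ipcfg | Select-String 'Connection-specific DNS Suffix').Line
        NapClientState  = (netsh nap client show state) -join "`n"
    }
}

Assert-Elevated
Enable-SecurityCenterPolicy
Enable-NapEnforcementClient -Id 79617
Start-NapAgent
Get-NapClientSummary | Format-List
```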

Task 6: Test NAP enforcement


1. Verify the DHCP-assigned address and the current quarantine state:
   a. Click Start, point to All Programs, point to Accessories, and then click Command Prompt.
   b. At the command prompt, type ipconfig /all, and then press ENTER.
   c. Verify that the DNS Suffix Search List is Woodgrovebank.com and System Quarantine State is Not Restricted.

2. Configure the System Health Validator policy to require antivirus software:
   a. On NYC-SVR1, in the Network Policy Server console pane, expand Network Access Protection, and then click System Health Validators.
   b. In the details pane, double-click Windows Security Health Validator.
   c. In the Windows Security Health Validator Properties dialog box, click Configure.
   d. In the Windows Security Health Validator dialog box, under Virus Protection, select the An antivirus application is on check box, and then click OK twice.

3. Verify the restricted network on NYC-CL1:
   a. On NYC-CL1, at the command prompt, type ipconfig /release, and then press ENTER.
   b. Type ipconfig /renew, and then press ENTER.
   c. Verify that the Connection-specific DNS suffix is now restricted.woodgrovebank.com.

4. Close Command Prompt.

5. In the notification area, double-click the Network Access Protection icon.

Note: Notice that it tells you the computer is not compliant with the requirements of the network. This may take a few minutes to appear.

6. Click Close.

Exercise 2: Configuring NAP for VPN Clients


In this exercise, you will configure NAP for VPN clients. This exercise uses the Windows Security Health Agent and Windows Security Health Validator to require that client computers have Windows Firewall enabled and have an antivirus application installed. You will create two network policies in this exercise. A compliant policy grants full network access to an intranet network segment. A non-compliant policy demonstrates network restriction by applying IP filters to the VPN tunnel interface that only allow client access to a single remediation server.

The main tasks are as follows:
1. Configure NYC-DC1 as an Enterprise Root CA.
2. Configure NYC-SVR1 with NPS functioning as a health policy server.
3. Configure NYC-SVR1 with the Routing and Remote Access Service (RRAS) configured as a VPN server.
4. Configure NYC-CL1 as a VPN and NAP client.
5. Configure System Help for Networking.
6. Close all virtual machines, and discard undo disks.

Task 1: Configure NYC-DC1 as an Enterprise Root CA


1. On NYC-DC1, click Start, point to Administrative Tools, and then click Certification Authority.
2. In the certsrv [Certification Authority (Local)] console pane, expand WoodgroveBank-NYC-DC1-CA, right-click Certificate Templates, and then click Manage.
3. In the Certificate Templates Console details pane, right-click Computer, and then click Properties.
4. In the Computer Properties dialog box, on the Security tab, click Authenticated Users.
5. In the Permissions for Authenticated Users pane, for Enroll, select the Allow check box, and then click OK.
6. Close all windows.

Task 2: Configure NYC-SVR1 with NPS functioning as a health policy server


1. Obtain a computer certificate on NYC-SVR1 for server-side PEAP authentication:
   a. On NYC-SVR1, click Start, type mmc, and then press ENTER.
   b. In the Console1 window, on the File menu, click Add/Remove Snap-in.
   c. In the Add or Remove Snap-ins dialog box, click Certificates, and then click Add.
   d. In the Certificates snap-in dialog box, click Computer account, click Next, and then click Finish.
   e. Click OK.
   f. In the console pane, expand Certificates (Local Computer), right-click Personal, point to All Tasks, and then click Request New Certificate.
   g. In the Certificate Enrollment dialog box, click Next.
   h. On the Request Certificates page, select the Computer check box, and then click Enroll.
   i. Verify that the status of the certificate installation is Succeeded, and then click Finish.
   j. Close Console1. When prompted to save settings, click No.

2. Install the Remote Access Service role service:
   a. Click Start, and then click Server Manager.
   b. In the Server Manager console pane, expand Roles, right-click Network Policy and Access Services, and then click Add Role Services.
   c. On the Select Role Services page, select the Remote Access Service check box, and then click Next.
   d. On the Confirm Installation Selections page, click Install.
   e. When the installation completes, click Close.
   f. Close Server Manager.

3. Configure NPS as a NAP health policy server:
   a. In the Network Policy Server console pane, click System Health Validators.
   b. In the details pane, double-click Windows Security Health Validator.
   c. In the Windows Security Health Validator Properties dialog box, click Configure.
   d. In the Windows Security Health Validator dialog box, clear the An antivirus application is on check box, and then click OK twice.

4. Configure network policies using the Network Policy Wizard:
   a. In the console pane, click NPS(local).
   b. In the details pane, click Configure NAP.
   c. On the Select Network Connection Method For Use with NAP page, in the Network connection method list, click Virtual Private Network (VPN), and then click Next.
   d. On the Specify NAP Enforcement Servers Running VPN Server page, click Next.
   e. On the Configure User Groups and Machine Groups page, click Next.
   f. On the Configure an Authentication Method page, review the settings, and then click Next.
   g. On the Specify NAP Remediation Server Group and URL page, in the Remediation Server Group list, click Rem1.
   h. In the Troubleshooting URL field, type http://remediation.restricted.woodgrovebank.com, and then click Next.
   i. On the Define NAP Health Policy page, review the settings, and then click Next.
   j. On the Completing NAP Enforcement Policy and RADIUS Client Configuration page, review the policies that will be created, and then click Finish.

5. Configure the NAP VPN Noncompliant policy:
   a. In the console pane, click Network Policies.
   b. In the details pane, right-click NAP VPN Noncompliant, and then click Properties.
   c. On the Settings tab, click IP Filters.
   d. Under IPv4, click Input Filters.
   e. In the Inbound Filters dialog box, click New.

   f. In the Add IP Filter dialog box, select the Destination network check box.
   g. In the IP Address field, type 10.10.0.10.
   h. In the Subnet mask field, type 255.255.255.255.
   i. Click OK.
   j. In the Inbound Filters dialog box, click Permit only the packets listed below.
   k. Click OK.

Note: This ensures that traffic from non-compliant clients can reach only NYC-DC1.

   l. Under IPv4, click Output Filters.
   m. In the Outbound Filters dialog box, click New.
   n. In the Add IP Filter dialog box, select the Source network check box.
   o. In the IP address field, type 10.10.0.10.
   p. In the Subnet mask field, type 255.255.255.255.
   q. Click OK.
   r. In the Outbound Filters dialog box, click Permit only the packets listed below.
   s. Click OK twice.

Note: This ensures that only traffic from NYC-DC1 can be sent to non-compliant clients.

6. Configure connection request policies:
   a. In the console pane, click Connection Request Policies.
   b. In the details pane, right-click Use Windows authentication for all users, and then click Disable.
   c. Right-click NAP VPN, and then click Properties.
   d. In the NAP VPN Properties dialog box, on the Conditions tab, click Add.
   e. In the Select condition dialog box, double-click Tunnel Type.
   f. In the Tunnel Type dialog box, select the Layer Two Tunneling Protocol L2TP and Point-to-Point Tunneling Protocol PPTP check boxes, and then click OK.
   g. On the Settings tab, click Authentication, and review the settings.
   h. Click Authentication Methods, and review the settings.
   i. In the details pane, click Add.
   j. In the Add EAP dialog box, click Microsoft: Secured password (EAP-MSCHAP v2), and then click OK.
   k. Click Microsoft: Protected EAP (PEAP), and then click Edit.
   l. In the Configure Protected EAP Properties dialog box, verify that Enable Quarantine checks is selected, and then click OK twice.

Task 3: Configure NYC-SVR1 with the Routing and Remote Access Service (RRAS) configured as a VPN server
1. On NYC-SVR1, click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. In the Routing and Remote Access window, right-click NYC-SVR1 (local), and then click Configure and Enable Routing and Remote Access.
3. In the Routing and Remote Access Server Setup Wizard, click Next.
4. On the Configuration page, verify that Remote access (dial-up or VPN) is selected, and then click Next.
5. On the Remote Access page, select the VPN check box, and then click Next.
6. On the VPN Connection page, click Local Area Connection 2.
7. Clear the Enable security on the selected interface by setting up static packet filters check box, and then click Next.

Note: This ensures that NYC-SVR1 will be able to ping NYC-DC1 when attached to the Internet subnet without requiring that you configure additional packet filters for Internet Control Message Protocol (ICMP) traffic.

8. On the IP Address Assignment page, click From a specified range of addresses, and then click Next.
9. On the Address Range Assignment page, click New.
10. In the New IPv4 Address Range dialog box, in the Start IP address field, type 10.10.0.100.
11. In the End IP address field, type 10.10.0.110, click OK, and then click Next.
12. On the Managing Multiple Remote Access Servers page, verify that No, use Routing and Remote Access to authenticate connection requests is selected, and then click Next.
13. Click Finish.
14. In the Routing and Remote Access dialog box, click OK twice.
15. Close Routing and Remote Access.
16. In the Network Policy Server console pane, right-click Connection Request Policies, and then click Refresh.
17. In the details pane, right-click Microsoft Routing and Remote Access Service Policy, and then click Disable.

Task 4: Configure NYC-CL1 as a VPN and NAP client


1. Enable the remote access quarantine enforcement client:
   a. On NYC-CL1, click Start, type napclcfg.msc, and then press ENTER.
   b. In the napclcfg - [NAP Client Configuration (Local Computer)] console pane, click Enforcement Clients.
   c. In the details pane, right-click Remote Access Quarantine Enforcement Client, and then click Enable.
   d. Close the NAP Client Configuration window.

2. Configure NYC-CL1 for the Internet network segment:
   a. Click Start, right-click Network, and then click Properties.
   b. In the Network and Sharing Center window, next to Local Area Connection, click View status.
   c. In the Local Area Connection dialog box, click Properties.
   d. In the Local Area Connection Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
   e. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Use the following IP address.
   f. In the IP address field, type 10.10.0.50.
   g. In the Subnet mask field, type 255.255.0.0.
   h. In the Default gateway field, type 10.10.0.1.
   i. In the Preferred DNS server field, type 10.10.0.10.
   j. Click OK twice, and then click Close.

3. Verify network connectivity for NYC-CL1:
   a. Click Start | All Programs | Accessories, and then click Command Prompt.
   b. At the command prompt, type ping nyc-dc1, and then press ENTER.
   c. Verify that a successful reply from 10.10.0.10 is returned.

4. Configure a VPN connection:
   a. In the Network and Sharing Center Tasks pane, click Set up a connection or network.
   b. On the Choose a connection page, click Connect to a workplace, and then click Next.
   c. On the How do you want to connect page, click Use my Internet connection (VPN).
   d. On the Do you want to set up an Internet connection before continuing page, click I'll set up an Internet connection later.
   e. On the Type the Internet address to connect to page, in the Internet address field, type 10.10.0.30.
   f. In the Destination name field, type Woodgrove VPN.
   g. Select the Allow other people to use this connection check box, and then click Next.
   h. On the Type your user name and password page, in the User name field, type Administrator.
   i. In the Password field, type Pa$$w0rd, and then select the Remember this password check box.
   j. In the Domain (optional) field, type WOODGROVEBANK, and then click Create.
   k. On the The connection is ready to use page, click Close.
   l. In the Network and Sharing Center Tasks pane, click Manage network connections.
   m. In the Network Connections window, right-click Woodgrovebank VPN, and then click Properties.
   n. In the Woodgrove VPN Properties dialog box, on the Security tab, click Advanced (custom settings), and then click Settings.
   o. In the Advanced Security Settings dialog box, click Use Extensible Authentication Protocol (EAP), and then in the Use Extensible Authentication Protocol (EAP) list, click Protected EAP (PEAP) (encryption enabled).
   p. Click Properties.
   q. In the Protected EAP Properties dialog box, verify that the Validate server certificate check box is selected, and then clear the Connect to these servers check box.
   r. In the Select Authentication Method list, verify that Secured Password (EAP-MSCHAP v2) is selected.
   s. Clear the Enable Fast Reconnect check box, and then select the Enable Quarantine checks check box.
   t. Click OK three times.

5. Test the VPN connection:
   a. In the Network Connections window, right-click Woodgrove VPN, and then click Connect.
   b. In the Connect Woodgrove VPN dialog box, click Connect.
   c. In the Enter Credentials dialog box, click OK.
   d. In the Validate Server Certificate dialog box, click View Server Certificate.
   e. In the Certificate dialog box, verify that Certificate Information states that the certificate was issued to nyc-svr1.Woodgrovebank.com by WoodgroveBank-NYC-DC1-CA, and then click OK twice.
   f. Wait for the VPN connection to be made. Because NYC-CL1 is compliant, it should have unlimited access to the intranet subnet.
   g. At the command prompt, type ipconfig /all, and then press ENTER.

   h. Review the IP configuration and verify that System Quarantine State is Not Restricted.
   i. Type ping nyc-svr1, and then press ENTER. This should be successful.

Note: The client now meets the requirement for full VPN connectivity.

   j. In the Network Connections window, right-click Woodgrove VPN, and then click Disconnect.

6. Configure Windows Security Health Validator to require an antivirus application:
   a. On NYC-SVR1, in the Network Policy Server console pane, click System Health Validators.
   b. In the details pane, double-click Windows Security Health Validator.
   c. In the Windows Security Health Validator Properties dialog box, click Configure.
   d. In the Windows Security Health Validator dialog box, select the An antivirus application is on check box.
   e. Click OK twice.

7. Verify that the client is placed on the restricted network:
   a. On NYC-CL1, in the Network Connections window, right-click Woodgrove VPN, and then click Connect.
   b. In the Connect Woodgrove VPN dialog box, click Connect.
   c. In the Enter Credentials dialog box, click OK.
   d. Wait for the VPN connection to be made.
   e. In the notification area, double-click the network access icon.
   f. In the Network Access Protection dialog box, review the settings, and then click Close.

Note: This dialog box indicates that the computer does not meet health requirements. This message is displayed because antivirus software has not been installed.

   g. At the command prompt, type ipconfig /all, and then press ENTER.
   h. Review the IP configuration. The System Quarantine State should be Restricted.

8. Disconnect from Woodgrovebank VPN.

Task 5: Configure System Help for Networking


1. On NYC-SVR1, click Start, and then click Help and Support.
2. In the Windows Help and Support window, click Networking.
3. Verify that the Networking help topics exist.

Task 6: Close all virtual machines, and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.

Module Review and Takeaways

Review Questions
1. What are the three main client configurations that you need to configure for most NAP deployments?
2. You want to evaluate the overall health and security of the NAP-enforced network. What do you need to do to start recording NAP events?

Best Practices
Consider the following best practices when implementing NAP:

• Use strong enforcement methods (IPsec, 802.1x and VPN). Strong enforcement methods provide the most secure and effective NAP deployment.
• Do not rely on NAP to secure a network from malicious users. NAP is designed to help administrators maintain the health of the network's computers, which in turn helps maintain the network's overall integrity. NAP does not prevent an authorized user with a compliant computer from uploading a malicious program to the network or disabling the NAP agent.
• Use consistent NAP policies throughout the site hierarchy to minimize confusion. Configuring a NAP policy incorrectly may result in clients accessing the network when they should be restricted, or in valid clients being erroneously restricted. The more complicated your NAP policy design, the higher the risk of incorrect configuration.
• Do not rely on NAP as an instantaneous or real-time enforcement mechanism. There are inherent delays in the NAP enforcement mechanism. While NAP helps keep computers compliant over the long run, typical enforcement delays may last for several hours or more due to many factors, including the settings of various configuration parameters.

Tools
Tool: Services
Use for: Enable and configure the NAP service on client computers.
Where to find it: Click Start, click Control Panel, click System and Maintenance, click Administrative Tools, and then double-click Services.

Tool: Netsh nap
Use for: Using netsh, you can create scripts to configure automatically a set of Windows Firewall with Advanced Security settings, create rules, monitor connections, and display the configuration and status of Windows Firewall with Advanced Security.
Where to find it: Open a command window with administrative rights and type netsh nap. You can type help to get a full list of available commands.

Tool: Group Policy
Use for: Some NAP deployments that use Windows Security Health Validator require that Security Center is enabled. Group Policy can also be used to enable and manage the NAP client.
Where to find it: Enable the Turn on Security Center (Domain PCs only) setting in the Computer Configuration, Administrative Templates, Windows Components, Security Center section of Group Policy.

Tool: Configure NAP with a wizard
Use for: Used to create the health policies, connection request policies, and Network Access Protection (NAP) with Network Policy Server.
Where to find it: Open the NPS (Local) console. In Getting Started and Standard Configuration, select Network Access Protection (NAP) policy server. The text and links below the text change to reflect your selection. Click Configure NAP with a wizard.

Module 13
Configuring Availability of Network Content and Resources
Contents:
Lesson 1: Configuring Shadow Copies  13-3
Lab A: Configuring Shadow Copying  13-11
Lesson 2: Providing Server and Service Availability  13-14
Lab B: Configuring Network Load Balancing  13-26

Module Overview

This module explains how to configure network resources and content availability and how to enable a shadow copy volume, which provides access to previous file and folder versions on a network. Finally, this module explains how you can use failover clustering and Network Load Balancing (NLB) to facilitate greater data availability and workload scalability.

Lesson 1

Configuring Shadow Copies

In Microsoft Windows Server 2008, as in Microsoft Windows Server 2003, you can enable shadow copies on a per-volume basis. Shadow copies capture changes made to shares over the network, giving users the opportunity to recover earlier versions of files and folders.

What Are Shadow Copies?

Key Points
The Previous Versions feature in Windows Server 2008 enables your users to access previous versions of files and folders on your network. This is useful because users can:

• Recover files that were deleted accidentally.
• Recover from accidentally overwriting a file.
• Compare versions of a file while working.

Question: If you were to deploy shadow copies of shared folders in your network environment, would you notice a decrease in calls from users needing restoration from backups?

Considerations for Deploying Shadow Copies

Key Points
Before deploying shadow copies, gather the following information to assist with planning:
- How frequently will users modify the content of shadow copy-protected folders?
- How many previous versions of files do you want to maintain? Windows keeps at most 64 shadow copies per volume and discards the oldest copy when that limit, or the storage limit, is reached.
- How much space is available for storing shadow copies?

Shadow copies live on the same server as the data they protect, so they are not a substitute for regular backups; they only reduce how often you need to restore from them.

Question: Apply these planning considerations to a shadow copy scenario in your work environment and describe the choices you might make.

Shadow Copy Scheduling

Key Points
If you use the default values to enable shadow copies of shared folders on a volume, scheduled tasks are created that take shadow copies at 7:00 A.M. and 12:00 noon. The default storage area is on the same volume, and its size is limited to 10 percent of the volume. If you decide that you want shadow copies to be made more often, verify that you have allotted enough storage space, and do not take copies so often that the process degrades server performance or cycles through the 64-copy limit too quickly to be useful.

Question: How might you modify the default schedule for your environment? Do you have data in shares that might require a more aggressive schedule?

Demonstration: Configuring Shadow Copies

Key Points
1. Open Computer Management.
2. Enable Shadow Copies on a single server volume.

Question: What are the possible drawbacks or costs of enabling Shadow Copies?

Question: Will you enable Shadow Copies on all volumes on your servers?

Managing Shadow Copies from a Client Perspective

Key Points
On earlier Windows client operating systems, the Previous Versions client software must be installed before a user can make use of shadow copies. The Microsoft Windows Vista operating system has the Previous Versions client built in, so no client configuration is necessary.

Question: What might be the problem if a user calls the Help Desk and complains that the Previous Versions tab is missing from the properties of a shared folder or file?

Restoring Shadow Copies

Key Points
After you enable shadow copies of shared folders and start creating shadow copies, you can use the Previous Versions feature to recover previous versions of files and folders, or to recover files and folders that have been renamed or deleted.

Question: If a user calls you and says that the Previous Versions tab is not visible, what would you ask to determine the problem?

Demonstration: Restoring Shadow Copies

Key Points
Use the Previous Versions tab to restore an older version of a file.

Question: How would you train users to perform shadow copy restorations on their own?

Question: If a user wanted to restore part of a previous document version, how would you advise them to proceed?

Lab A: Configuring Shadow Copying

Exercise 1: Configuring Shadow Copying


Scenario
You are the storage administrator for Woodgrove Bank. You find that much of your time is spent restoring previous versions of files from backups. You want to implement shadow copies so that users can recover their own previous versions. In this exercise, you will configure and test shadow copies.

The main tasks are as follows:
1. Enable shadow copies on a volume.
2. Change a file in a share location.
3. Manually create a shadow copy.
4. View the file's previous versions, and restore a previous version.

Task 1: Start the virtual machines, and then log on


1. Click the 6419A Lab Launcher shortcut on your desktop. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6419A-NYC-CL1, click Launch.
5. Log on to NYC-DC1 as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Enable shadow copies on a volume


1. Using the Computer Management console, enable shadow copies for drive E:.
2. Create an initial shadow copy for drive E:.

Task 3: Change a file in a share location


1. On NYC-CL1, open the shadowtest.txt file at \\NYC-DC1\shadow\.
2. Add the following text to the end of the text file: This is my text that I am adding to the file.
3. Save and close the shadowtest.txt file.
4. On NYC-CL1, open the shadowtest.txt file at \\NYC-DC1\shadow\.
5. Add the following text to the end of the text file: This is my second modification to the file.
6. Save and close the shadowtest.txt file.

Task 4: Manually create a shadow copy


On NYC-DC1, create a new shadow copy of drive E:.

Task 5: View the previous file versions, and restore to a previous version
1. On NYC-CL1, open the Previous Versions tab in the properties of \\NYC-DC1\shadow\shadowtest.txt.
2. View the previous version.
3. Restore the previous version.

Results: After this exercise, you should have established shadow copies on a share, changed a file, and then restored the original version.
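The lab above configures shadow copies through the Computer Management console. The following script is an added example, not part of the course, that performs the same server-side steps (reserve shadow storage, take a copy, list what exists, schedule the default 7:00 A.M. and noon copies) from an elevated PowerShell 2.0 session on the file server. It uses vssadmin.exe, schtasks.exe and the Win32_ShadowCopy WMI class, all of which ship with Windows Server 2008. The volume letter, the 10 percent cap and the scheduled task names are assumptions chosen to match the lab.

```powershell
# Added example (not course code): Shadow Copies of Shared Folders on E: from the command line.
# Assumes an elevated PowerShell 2.0 session on the file server (NYC-DC1 in the lab).

$Volume = 'E:'

# 1. Reserve shadow storage on the same volume, capped at 10 percent of the volume
#    (the limit the Computer Management UI applies by default). vssadmin returns a
#    nonzero exit code if an association already exists; resize the cap in that case.
& vssadmin add shadowstorage /for=$Volume /on=$Volume /maxsize=10% 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0) {
    & vssadmin resize shadowstorage /for=$Volume /on=$Volume /maxsize=10% | Out-Null
}

# 2. Create an initial shadow copy. 'ClientAccessible' is the context that
#    Shadow Copies of Shared Folders uses, so the copy appears on the
#    Previous Versions tab of clients that open a share on this volume.
$vss    = [wmiclass]'root\cimv2:Win32_ShadowCopy'
$result = $vss.Create("$Volume\", 'ClientAccessible')
if ($result.ReturnValue -ne 0) {
    throw "Win32_ShadowCopy.Create failed with return value $($result.ReturnValue)"
}
"Created shadow copy {0}" -f $result.ShadowID

# 3. Report what is on the volume now. Win32_ShadowCopy.VolumeName holds the
#    \\?\Volume{GUID}\ device path, so resolve the drive letter to that first.
#    Windows keeps at most 64 copies per volume and drops the oldest beyond that.
$deviceId = (Get-WmiObject Win32_Volume -Filter "DriveLetter='$Volume'").DeviceID
$copies   = @(Get-WmiObject Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $deviceId } |
              Sort-Object InstallDate)
"{0} shadow copies on {1}" -f $copies.Count, $Volume
$copies | Select-Object ID, @{ n = 'Created'; e = { $_.ConvertToDateTime($_.InstallDate) } } |
    Format-Table -AutoSize

# 4. Schedule two copies per working day at 07:00 and 12:00, the UI's default times,
#    running as SYSTEM. The task names are our own; the UI uses ShadowCopyVolume{GUID}.
foreach ($t in '07:00', '12:00') {
    $taskName = 'ShadowCopy-{0}-{1}' -f $Volume.TrimEnd(':'), $t.Replace(':', '')
    & schtasks /Create /F /RU SYSTEM /SC WEEKLY /D MON,TUE,WED,THU,FRI /ST $t `
        /TN $taskName /TR "vssadmin create shadow /for=$Volume" | Out-Null
}
& schtasks /Query /TN "ShadowCopy-$($Volume.TrimEnd(':'))-0700"
```

Because the scheduled tasks run as SYSTEM and the storage area sits on the protected volume itself, review `vssadmin list shadowstorage` after a few days: if the cap is reached, Windows silently discards the oldest copies, which is exactly the window a user will ask you to restore from.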

Lesson 2

Providing Server and Service Availability

Network Load Balancing (NLB) is a clustering technology that uses a distributed algorithm to load balance network traffic across several hosts. This enhances the scalability and availability of mission-critical, IP-based services such as Web, virtual private networking (VPN), streaming media, Terminal Services, and proxy services. It also provides high availability by detecting host failures and automatically redistributing traffic to the hosts that remain operational.

Network Load Balancing Manager Overview

Key Points
When you install NLB as a network driver on each of the cluster's member servers (hosts), the cluster presents a virtual IP address to clients. Every host receives each client request, but only the host to which that request is mapped accepts and handles it; all the other hosts drop it. A statistical mapping algorithm that runs on every host, driven by each host's configuration, decides which host handles a given request.

Using NLB with compatible services offers increased availability, scalability, and load-balancing performance, as well as the ability to distribute a large number of clients over a group of servers.

Question: Do you have any servers hosting stateless information that would benefit from Network Load Balancing in your environment?

Demonstration: Installing Network Load Balancing

Key Points
Install the Network Load Balancing feature.

Question: Should you enable this feature on all servers?

Considerations for Creating a Network Load Balancing Cluster

Key Points
To configure a Network Load Balancing cluster, you must configure three types of parameters:

- Host parameters, which are specific to each host in an NLB cluster. Host parameters include:
  - Priority, which specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule.

- Cluster parameters, which apply to an NLB cluster as a whole. Cluster parameters include:
  - The IP address and subnet mask for the NLB cluster.

- Port rules, which override the Priority setting and provide load balancing for specific ranges of ports. Port rules include the following attributes:
  - The Port Range specifies the port or ports to which the rule applies.
  - The Protocols setting determines the network protocol (TCP, UDP, or both) that the rule covers.

Question: What applications would require the optional shared storage?

Demonstration: Configuring a Network Load Balancing Cluster

Key Points
1. Create a new NLB cluster.
2. Configure settings for the new NLB cluster.

Question: When should you configure multiple dedicated IP addresses (DIPs) for a cluster?

Clustering Terminology

Key Points
There are several important terms that are used when discussing clustering. Question: Discuss your work environments approach to planned and unplanned downtime.

What Is a Failover Cluster?

Key Points
A failover cluster is a group of independent computers that work together to increase the availability of applications and services. Physical cables and software connect the clustered servers, known as nodes. If one of the cluster nodes fails, another node begins to provide service (a process known as failover). Therefore, users experience a minimum of service disruptions.
Note: The failover cluster feature is not available in the Windows Web Server 2008 or Windows Server 2008 Standard editions.

Failover clusters in Windows Server 2008 include the following new functionality:
- A new validation feature.
- Support for globally unique identifier (GUID) partition table (GPT) disks in cluster storage.

Improvements to existing failover cluster functionality include:
- Improved cluster setup.
- Simplified management interfaces.
- Improvements to stability and security, which can result in increased availability.
- Improvements to the way a cluster works with storage.
- Improvements to interfaces for working with shared folders.
- Improvements to networking and security.

Question: Have you employed previous versions of clustering technology?

Hardware Requirements for a Failover Cluster

Key Points
Carefully review the hardware on which you plan to deploy a failover cluster to ensure that it is compatible with Windows Server 2008. This is especially necessary if you are currently using that hardware for a server cluster running Windows Server 2003. Hardware that supports a server cluster running Windows Server 2003 will not necessarily support a failover cluster running Windows Server 2008.
Note: You cannot perform a rolling upgrade from a server cluster running Windows Server 2003 to a failover cluster running Windows Server 2008. However, after you create a failover cluster running Windows Server 2008, you can use a wizard to migrate certain resource settings to it from a server cluster running Windows Server 2003.

The following hardware is required in a failover cluster:
- Servers.
- Network adapters and cable (for network communication).
- Device controllers or appropriate adapters for the storage, if using shared SCSI.
- An iSCSI initiator and a dedicated network adapter, if using iSCSI storage.
- Shared storage.

Question: If you presently have a server cluster in a previous server version, can you do a rolling upgrade to Windows Server 2008 Failover Clustering?

Failover Clustering Scenarios

Key Points
Failover clustering can be useful in a number of different scenarios:
- File shares can be made highly available.
- Applications like Microsoft Exchange can be made highly available.
- Databases on Microsoft SQL Server can be made highly available.
- Virtual machines running on Hyper-V hosts can be made highly available.

Question: Describe one scenario in your work environment where you currently use or plan to implement failover clustering.

Lab B: Configuring Network Load Balancing

Exercise 1: Configuring Network Load Balancing


Scenario
You have been asked to increase the reliability of a critical web server service by configuring Network Load Balancing for it. In this exercise, you will configure Network Load Balancing.

The main tasks are as follows:
1. Install the Network Load Balancing feature on NYC-DC1 and NYC-SVR1.
2. Configure Network Load Balancing on NYC-DC1 and NYC-SVR1.
3. Test the Network Load Balancing cluster.
4. Close all virtual machines, and discard undo disks.

Task 1: Install Network Load Balancing


1. On NYC-DC1, open Server Manager.
2. Add the Network Load Balancing feature.
3. Repeat for NYC-SVR1.

Task 2: Create an NLB Cluster


1. On NYC-DC1, open Network Load Balancing Manager.
2. Create a new cluster with the host name NYC-DC1, and start it.
3. Specify an IPv4 cluster IP address of 10.10.0.70 with a subnet mask of 255.255.0.0.
4. Give the cluster a full Internet name of webfarm.woodgrovebank.com, and set the operation mode to Multicast.
5. Define the following port rule:
   - Port range: 80 to 80
   - Protocols: TCP
   - Filtering mode: Multiple host
   - Affinity: None
6. Add the host NYC-SVR1 to the cluster.

Task 3: Test the NLB Cluster


1. Use Internet Explorer to browse to http://10.10.0.70.
2. The IIS 7.0 default page appears.
3. Turn off NYC-SVR1.
4. Use Internet Explorer to browse to http://10.10.0.70.

Task 4: Close all virtual machines, and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.

Results: Even though an NLB cluster member is unavailable, the web site is still available.
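Tasks 2 and 3 above are performed in Network Load Balancing Manager and a browser. The following script is an added example, not part of the course, that builds the same cluster and then measures the availability of the cluster address rather than eyeballing one page load. It assumes the NetworkLoadBalancingClusters PowerShell module, which ships with the NLB feature on Windows Server 2008 R2 and later (on Windows Server 2008 RTM you use NLB Manager or nlb.exe instead), PowerShell 2.0, and the lab's interface name, addresses and host names.

```powershell
# Added example (not course code): create Lab B's NLB cluster from PowerShell and
# test that the virtual IP stays reachable while one node is down.
# Assumes Windows Server 2008 R2 or later (the NLB cmdlets), PowerShell 2.0, and
# the lab values below; the adapter name is an assumption for the lab VMs.

Import-Module NetworkLoadBalancingClusters

$Interface = 'Local Area Connection'   # adapter that becomes the cluster adapter
$ClusterIP = '10.10.0.70'
$Mask      = '255.255.0.0'

# Create the cluster on the first host (NYC-DC1) in multicast mode, as in Lab B.
New-NlbCluster -HostName 'NYC-DC1' -InterfaceName $Interface `
    -ClusterPrimaryIP $ClusterIP -SubnetMask $Mask `
    -ClusterName 'webfarm.woodgrovebank.com' -OperationMode Multicast | Out-Null

# Replace the default all-ports rule with one that balances only TCP/80 across
# every host with no client affinity. Traffic to any other port falls back to the
# host with the lowest priority, so keep the rule set as narrow as the service needs.
Get-NlbClusterPortRule -HostName 'NYC-DC1' | Remove-NlbClusterPortRule -Force
Add-NlbClusterPortRule -HostName 'NYC-DC1' -StartPort 80 -EndPort 80 `
    -Protocol TCP -Mode Multiple -Affinity None | Out-Null

# Join the second host.
Add-NlbClusterNode -HostName 'NYC-DC1' -NewNodeName 'NYC-SVR1' `
    -NewNodeInterface $Interface | Out-Null

# Availability test: request the cluster address repeatedly and count failures.
# Run it once with both nodes up, shut down NYC-SVR1, and run it again. Apart from
# the few seconds NLB needs to converge after a node disappears, Failed stays 0.
# Note that a 200 response proves the VIP answered, not which node served it.
function Test-NlbVip {
    param([string]$Url = "http://$ClusterIP/", [int]$Attempts = 20)
    $ok = 0; $failed = 0
    $client = New-Object System.Net.WebClient
    for ($i = 1; $i -le $Attempts; $i++) {
        try   { [void]$client.DownloadString($Url); $ok++ }
        catch { $failed++; Write-Warning ('attempt {0}: {1}' -f $i, $_.Exception.Message) }
        Start-Sleep -Milliseconds 500
    }
    New-Object PSObject -Property @{ Url = $Url; Succeeded = $ok; Failed = $failed }
}

Test-NlbVip | Format-Table Url, Succeeded, Failed -AutoSize
Get-NlbClusterNode -HostName 'NYC-DC1' | Format-Table Name, State -AutoSize
```

The port rule is the only thing that limits what the cluster address answers on; NLB itself filters nothing and is not a firewall, so the Windows Firewall and IIS hardening on each node still have to be done as the Best Practices at the end of this module describe.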

Module Review and Takeaways

Review Questions
1. What is the danger of choosing to restore a folder in Shadow Copies?
2. How are failover clusters different from Network Load Balancing?

Best Practices
Consider the following best practices for NLB and failover clustering:

- Properly secure the NLB hosts and the load-balanced applications. Network Load Balancing does not provide additional security for the load-balanced hosts and cannot be used as a firewall: it only decides which host answers a request, and every host still receives every packet sent to the cluster address. It is important to properly secure the load-balanced applications and hosts. Security procedures can typically be found in the documentation for each particular application. For example, if you are using NLB to load balance a cluster of IIS servers, follow the procedures and guidelines for securing IIS.

- Protect the NLB subnet from intrusion by unauthorized computers and devices to avoid interference from unauthorized heartbeat packets. NLB heartbeats are plain layer-2 frames with no authentication, so any device that can put frames on the subnet can disturb the cluster's convergence.

- While not required, use two or more network adapters in each NLB cluster host whenever possible. If the cluster is operating in the default unicast mode, every host's cluster adapter shares the same cluster MAC address, so NLB cannot distinguish the hosts' individual adapters and ordinary communication among cluster hosts over that adapter is not possible unless each host has at least two network adapters. You can configure Network Load Balancing on more than one network adapter. However, if you add a second adapter to address this best practice, make sure that you install Network Load Balancing on only one adapter (referred to as the cluster adapter).

- Use only the TCP/IP network protocol on the cluster adapter. Do not add any other protocols (for example, IPX) to this adapter.

- Enable Network Load Balancing Manager logging. You can configure Network Load Balancing Manager (NLBM) to log each NLBM event. This log can be very useful in troubleshooting problems or errors when using NLBM. Enable NLBM logging by clicking Log Settings in the Network Load Balancing Manager Options menu. Select the Enable logging check box, and then specify a name and location for the log file. The Network Load Balancing Manager log file contains potentially sensitive information about the cluster and its hosts, so it must be properly secured. By default, the log file inherits the security settings of the directory in which it is created, so you may need to set explicit permissions on the file to restrict read and write access to only the individuals who need it. Be aware that the individual using NLBM does require full control of the log file.

- Verify that the load-balanced application is started on all cluster hosts on which the application is installed. NLB does not start or stop applications, and it does not check whether the application is answering; a host whose web service has stopped still receives its share of requests.

Use the following to help increase failover cluster security:
- Do not make the Cluster service account a member of the domain Administrators group. By giving the Cluster service account the minimum user rights it needs, you limit the damage if that account is compromised. Note that Windows Server 2008 failover clusters run the Cluster service under the local system account and authenticate in the domain with the cluster name computer object in Active Directory rather than with a dedicated domain user account; the service-account guidance here applies to Windows Server 2003 server clusters and to the accounts of applications you run in the cluster.
- Limit and audit access to shared data (for example, files and folders on cluster disks).
- Limit client access to cluster resources.
- Use different accounts for the Cluster service and for applications in the cluster.
- Use different Cluster service accounts for multiple clusters.

Module 14
Monitoring and Maintaining Windows Server 2008 Servers
Contents:
Lesson 1: Planning Monitoring Tasks (14-3)
Lesson 2: Calculating a Server Baseline (14-9)
Lesson 3: Measuring Performance Objects (14-14)
Lab A: Identifying Windows Server 2008 Monitoring Requirements (14-24)
Lesson 4: Selecting Appropriate Monitoring Tools (14-29)
Lesson 5: Planning Notification Methods (14-37)
Lesson 6: Overview of Windows Server 2008 Management Tasks (14-41)
Lesson 7: Automating Windows Server 2008 Management (14-45)
Lab B: Configuring Windows Server 2008 Monitoring (14-49)

Module Overview

Most businesses require cost-effective solutions that provide value for money. You should monitor servers to ensure that they run efficiently and use available server capacity. Many administrators require performance-monitoring tools to identify components that require additional tuning and troubleshooting. By identifying components that require additional tuning, you can improve the efficiency of your servers.

Lesson 1

Planning Monitoring Tasks

The Microsoft Windows Server 2008 operating system can use many monitoring tools. This lesson discusses the range of monitoring features that are available for Windows Server 2008 and how you can plan to measure the efficiency of the operating system and hardware components through monitoring.

Reasons for Monitoring

Key Points
You should monitor the servers in your organization so that you can troubleshoot unexpected hardware and software performance problems quickly and easily. By using performance-monitoring tools, you can determine when a server really is slower at responding to user requests, rather than relying on user perception of "slow" and "fast" response times. Interactive monitoring of systems is useful when you want to determine the effect of performing a specific action or to troubleshoot specific events. This type of monitoring can also help you to ensure that you are meeting your service-level agreements (SLAs).

Reviewing collected data can be useful for tracking trends over time, determining when to relocate resources, and deciding when to invest in new hardware to meet the changing requirements of your business. You should use historical performance data to assist you when you plan future server requirements. Question: List four troubleshooting procedures that would benefit from server monitoring.

Monitoring Methods

Key Points
You should select the most appropriate tool to suit the type of monitoring that is required. Question: Which tools do you currently plan to use to monitor Windows Server 2008? Consider long-term planning goals and specific troubleshooting instances.

Planning for Event Monitoring

Key Points
There are several considerations when planning for event monitoring:
- Ensure that your monitoring systems are cost-effective for your organization.
- Efficient event monitoring can reduce the effort that staff spend on it.
- You can prevent service and system outages by ensuring that resources retain enough capacity to meet service-level agreements (SLAs).

Question: What is the monetary cost of reduced user productivity for your organization?

Question: What is the cost of a system outage that is caused by not monitoring systems?

Question: What is the cost of a reactive approach to troubleshooting?

Lesson 2

Calculating a Server Baseline

This lesson discusses some of the key server components to measure. You will learn how to use analysis and planning techniques from collected performance metrics to improve your server infrastructure.

Key Hardware Components to Monitor

Key Points
The four main hardware components to monitor are processor, disk, memory, and network. You should measure all of the key components in your system, and consider the server role and workload to determine which hardware components are likely to restrict performance. You can increase server performance by adding hardware capacity to a server (scaling up) or by reducing the number of users who access it (for example, by spreading the load across more servers).

Question: Which hardware components are most likely to restrict performance for a file server?

Common Performance Metrics

Key Points
You should familiarize yourself with basic performance measurement objects and counters to monitor the main hardware components. Question: What performance issues could be identified by monitoring cache?

Analyzing Performance Trends

Key Points
It is important to align planning across your organization. By analyzing performance trends, you can make decisions for the future. You should give careful consideration to the value of performance data to ensure that it reflects the real server environment. You should consider performance analysis alongside business plans. It may be possible to reduce the number of servers in operation after you have measured performance.

Question: What additional server support will your current business plans require?

Planning for Future Capacity Requirements

Key Points
You want to ensure that you are able to support future growth in your organization. Planning for future capacity will allow your organization to grow without compromising productivity. Capacity planning focuses on:
- The server workload.
- The number of users that a server can support.
- How to scale the systems to support additional workload and users in the future.

Question: How can you scale up your existing server workload to support more users?
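A baseline and a trend are only as good as the data you collected. The following script is an added example, not part of the course, showing one way to gather that data on Windows Server 2008 without the Performance Monitor GUI: it creates and starts a Data Collector Set with logman.exe, then converts the resulting binary log with relog.exe and summarises each counter so that two captures taken months apart can be compared. logman, relog and the counters named are part of Windows Server 2008; PowerShell 2.0 is assumed, and the collector name, sample interval, output path and counter list are choices of this example.

```powershell
# Added example (not course code): build a server baseline with logman.exe and
# summarise the collected .blg with relog.exe. Assumes Windows Server 2008 and
# PowerShell 2.0; the collector name, paths, interval and counters are our choices.

$Name     = 'Baseline'
$OutDir   = 'C:\PerfLogs\Baseline'
$Counters = @(
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length',
    '\Memory\Available MBytes',
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\Network Interface(*)\Bytes Total/sec',
    '\Network Interface(*)\Output Queue Length'
)

# 1. Create and start the collector: 15-second samples into a binary circular
#    file capped at 250 MB, so a capture left running for weeks cannot fill the disk.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
& logman create counter $Name -c $Counters -si 00:00:15 -f bincirc -max 250 -o "$OutDir\$Name" | Out-Null
& logman start $Name | Out-Null

# Leave it running through a representative business cycle (at least one full
# working week), then stop it with:   & logman stop $Name

# 2. Convert a .blg to CSV and return average and peak per counter. The first CSV
#    column is the timestamp; every other column is one counter instance.
function Get-BaselineSummary {
    param([string]$Blg)
    $csv = [IO.Path]::ChangeExtension($Blg, '.csv')
    & relog $Blg -f CSV -o $csv -y | Out-Null
    $rows  = Import-Csv $csv
    $names = $rows[0].PSObject.Properties | Select-Object -Skip 1 | ForEach-Object { $_.Name }
    foreach ($n in $names) {
        # relog leaves a sample empty when the counter had no value at that tick.
        $values = $rows | Where-Object { $_.$n -ne '' } | ForEach-Object { [double]$_.$n }
        if (-not $values) { continue }
        $stats = $values | Measure-Object -Average -Maximum
        New-Object PSObject -Property @{
            Counter = $n
            Samples = $stats.Count
            Average = [math]::Round($stats.Average, 2)
            Peak    = [math]::Round($stats.Maximum, 2)
        }
    }
}

# 3. Summarise the most recent log file from this collector (name differs by logman version).
$latest = Get-ChildItem "$OutDir\*.blg" | Sort-Object LastWriteTime | Select-Object -Last 1
if ($latest) {
    Get-BaselineSummary $latest.FullName | Sort-Object Counter |
        Format-Table Counter, Samples, Average, Peak -AutoSize
}
```

Keep the CSV summaries with the date they were taken; the difference between the Average column of successive captures is the trend this lesson asks you to plan from, and the Peak column tells you whether the server already reaches its limit during the day even when the average looks healthy.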

Lesson 3

Measuring Performance Objects

Performance tuning is the continuous process of monitoring a server to determine whether it can deliver the requested workload. You should tune servers to adjust to the current workload to support more users or applications. Windows Server 2008 enables you to create server roles to meet your business requirements. You should tune these roles to ensure that they are performing efficiently to maximize their use. In this lesson, you will learn some of the basic performance counters to measure for different server roles.

Identifying Server Role Performance Metrics

Key Points
Windows Server 2008 uses server roles to improve server efficiency and security. By identifying the role that a server performs, you can ensure that you measure the necessary counters to monitor performance. By using server roles, you ensure that you install and activate only the required components on your servers. Only the performance objects and counters that are relevant to the installed server role are available to monitor.

Question: Which server roles will you use in your organization? Which objects and counters will be available for you to monitor?

Identifying Key Performance Counters

Key Points
There are many counters that you should research and consider monitoring to meet your specific requirements. Windows Server 2008 enables monitoring of operating system performance through performance objects and the counters in each object. Windows Server 2008 collects data from counters in various ways, including:
- Real-time snapshot value
- Total since the last server restart
- Average over a specific time interval
- Average of the last x values
- Number per second
- Maximum value
- Minimum value

Question: Why are average counters more useful than counters that show the current value?

Primary CPU Performance Counters

Key Points
The Processor performance object contains counters that describe how busy the processors are. Two of the most useful are:
- Processor\% Processor Time: the percentage of elapsed time that the processor spends executing a non-idle thread. It is calculated by measuring the time the idle thread is active and subtracting that from 100 percent, so time spent handling some hardware interrupts and trap conditions is included in this count.
- Processor\Interrupts/sec: the rate, in incidents per second, at which the processor received and serviced hardware interrupts.

- System\Processor Queue Length: a rough indicator of the number of threads waiting for processor time. The processor queue length, sometimes called processor queue depth, is an instantaneous value that represents only a snapshot of the processor, so observe this counter over a long period of time. Also, the counter reports a single total queue length for all processors, not a length per processor, so judge it against the number of processors in the server.

Question: If the % Processor time is 80%, should any corrective action be taken?

Primary Memory Performance Counters

Key Points
The Memory performance object consists of counters that describe the behavior of physical and virtual memory on the computer. Physical memory is the amount of RAM in the computer. Virtual memory consists of space in physical memory and on disk. Many of the memory counters monitor paging, which is the movement of pages of code and data between disk and physical memory.

Question: If Memory\Pool Nonpaged Bytes rises slowly over days, what might be happening?

Primary Disk Performance Counters

Key Points
The LogicalDisk performance object consists of counters that monitor logical partitions of hard or fixed disk drives. Performance Monitor identifies logical disks by their drive letter, such as "C:". The PhysicalDisk performance object consists of counters that monitor the hard or fixed disk drives themselves. Disks store file, program, and paging data; they are read to retrieve these items and written to record changes to them. The values of the physical disk counters are the sums of the values of the logical disks (partitions) into which each physical disk is divided.

Question: Why do you want % Disk Time to be as low as possible?

Primary Network Performance Counters

Key Points
Most workloads require access to production networks to communicate with other applications and services and with users. Network requirements include throughput, that is, the total amount of traffic that passes a given point on a network connection per unit of time. Other network requirements include the presence of multiple network connections. Workloads might require access to several different networks that must remain secure. Examples include connections for:
- Public network access.
- Networks for performing backups and other maintenance tasks.
- Dedicated remote-management connections.
- Network adapter teaming for performance and failover.
- Connections to the physical host server.
- Connections to network-based storage arrays.

By monitoring the network performance counters, you can evaluate your network performance.

Question: If the output queue length is 5, what problems might you have in your network?

Lab A: Identifying Windows Server 2008 Monitoring Requirements

Exercise 1: Evaluating Performance Metrics


Scenario
In this exercise, you will review data collector sets to locate problems and provide troubleshooting advice to technical specialists. The main tasks for this exercise are as follows:

1. Start each virtual machine and log on.
2. Identify performance problems with Windows Server 2008 - Part A.
3. Identify performance problems with Windows Server 2008 - Part B.
4. Identify performance problems with Windows Server 2008 - Part C.

Task 1: Start each virtual machine and log on


1. On the host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. Log on to both virtual machines as Woodgrovebank\Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.

Task 2: Identify performance problems with Windows Server 2008 Part A


You know that the server 6419A-NYC-SVR1 experiences low network traffic and has limited disk activity, but the help desk is receiving many reports that the server is slow. Use Performance Monitor to review the data collector log at E:\Labfiles\Mod14\Ex1A\6419A-NYC-SVR1-LAB14-EX1A.blg on the server 6419A-NYC-SVR1. Examine the following counters:

Processor - % Processor Time
System - Processor Queue Length
Process - % Processor Time (All Instances)

What appears to be the problem on this server? Write a brief report that outlines your findings and suggests possible solutions to the problem.

Task 3: Identify performance problems with Windows Server 2008 Part B


You know that the server 6419A-NYC-SVR1 is not running processor-intensive applications, but the help desk is receiving many reports that the server is slow. Use Performance Monitor to review the data collector log at E:\Labfiles\Mod14\Ex1B\6419A-NYC-SVR1-LAB14-EX1B.blg on the server 6419A-NYC-SVR1. Examine the following counters:

PhysicalDisk - Avg. Disk Queue Length
PhysicalDisk - Current Disk Queue Length
PhysicalDisk - Disk Transfers/sec
Process - IO Data Bytes/sec (All Instances)

What appears to be the problem on this server? Write a brief report that outlines your findings and suggests possible solutions to the problem.

Task 4: Identify performance problems with Windows Server 2008 Part C


You know that the server 6419A-NYC-SVR1 experiences low network traffic and is not running processor-intensive applications, but the help desk is receiving many reports that the server is slow. Use Performance Monitor to review the data collector log at E:\Labfiles\Mod14\Ex1C\6419A-NYC-SVR1-LAB14-EX1C.blg on the server 6419A-NYC-SVR1. Examine the following counters:

Process - Working Set-Private (All Instances)
Paging File - % Usage
Paging File - % Usage Peak
Memory - % Committed Bytes In Use
Memory - Available Mbytes
Memory - Committed Bytes
Memory - Page Faults/sec
Memory - Pool Nonpaged Bytes
Memory - Pool Paged Bytes

What appears to be the problem on this server? Write a brief report that outlines your findings and suggests possible solutions to the problem.
Results: After this exercise, you should have identified performance issues with servers and suggested steps to resolve the problems.

Exercise 2: Monitoring Performance Metrics


Scenario
In this exercise, you will plan the performance metrics that are required to measure the scalability of a server. The main task for this exercise is to create a data collector set to measure server requirements.

Task 1: Create a data collector set to measure server requirements


Create a data collector set based on the System Performance template to measure the performance requirements of a file server. This forms the base performance metrics for measuring the capacity of this server. Which specific counters do you anticipate will require careful analysis?
Results: After this exercise, you should have identified steps to create a data collector set for measuring file server performance.

Lesson 4

Selecting Appropriate Monitoring Tools

Windows Server 2008 provides a range of tools to monitor the operating system and applications that you can use to tune your system for efficiency. You should use these tools and complement them where necessary with your own tools.

Windows Server 2008 Monitoring Tools

Key Points
Windows Server 2008 has a range of built-in tools to assist you in monitoring your systems. Windows Server 2008 Event Viewer collects information that relates to server operations. Task Manager enables you to view processes in real time to determine their exact resource usage at a point in time. All performance counters are available programmatically through Microsoft Windows Management Instrumentation (WMI). By making performance counters available through WMI, you can monitor servers by using scripts.

You can use Microsoft Windows Reliability and Performance Monitor to examine how programs you run affect your computer's performance, both in real time and by collecting log data for later analysis. Question: Which tools do you currently use to monitor servers? How can you make use of improved monitoring tools in Windows Server 2008?

Reliability and Performance Monitor

Key Points
Performance Monitor provides a visual display of Windows performance objects and counters, either in real time or as a review of historical data. Performance Monitor features multiple graph views that you can use to review performance log data. You can create custom views in Performance Monitor that you can export as data collector sets for use with performance and logging features.

Question: What is a benefit of Data Collector Sets?

Reliability Monitor

Key Points
Reliability Monitor provides a system stability overview and trend analysis with detailed information about individual events that may affect the overall stability of the system. Question: How can you use the Reliability Monitor in your organization?

Demonstration: Overview of the Reliability and Performance Monitor

Key Points
Reliability and Performance Monitor resources view.
Performance Monitor overview.
Reliability Monitor overview.
Reports overview.

Question: Where can you find real-time information about network activity?
Question: Which Reliability Monitor reports will you implement in your work environment?

Third-Party Monitoring Tools

Key Points
Third-party tools can help you monitor your server environment. Hardware vendor tools are useful in detecting performance issues that occur because of faulty hardware. Many third-party tools integrate with System Center Operations Manager (Operations Manager) 2007 to provide a centralized monitoring console for your organization. Question: Which third-party monitoring tools do you currently use, if any? How can these help you monitor server performance in the future?

What Are Subscriptions?

Key Points
Event Viewer enables you to view events on a single remote computer. However, troubleshooting an issue might require you to examine a set of events stored in multiple logs on multiple computers. Event Viewer provides the ability to collect copies of events from multiple remote computers and store them locally. To specify which events to collect, you create an event subscription. After a subscription is active and events are being collected, you can view and manipulate these forwarded events as you would any other locally stored events.

Question: Where would subscriptions be most useful in your organization?

Lesson 5

Planning Notification Methods

Your business will require you to react to various events to ensure that you maintain SLAs. To meet SLAs, you must notify staff by using a range of methods to take appropriate action to resolve problems. It may be necessary for staff to request additional support to assist in troubleshooting some events.

Identifying Business Requirements

Key Points
Performance tuning is an ongoing exercise in which you never achieve perfection. You should ensure that your server operations run effectively and meet all of your business SLAs. You should always attempt to find the most cost-effective solution to a performance bottleneck.

Question: What are your business's response times, and how does your business make staff available to provide support?

Suitable Notification Methods

Key Points
You should react in a measured and appropriate manner to an event. Some events will require staff to react immediately to ensure that they maintain system availability. Other events may require staff to perform investigative work in the form of additional system checks to determine the cause of a problem and then to provide a solution to improve system performance. These system checks usually do not require an immediate e-mail response. Notifications of server events should take into account the severity of the problem.

Question: How do you notify staff of service failure or maintenance problems? In what ways can you improve this process?

Establishing an Escalation Path

Key Points
To meet SLAs, you should ensure that you have a clear audit trail to follow when you escalate performance issues. Your SLAs should state the amount of time problems remain at various stages during resolution. This helps you to provide an acceptable and mutually agreed level of service to your organization. Where it is not possible to resolve an issue in-house, you should notify the relevant people because further delays are likely.

Question: What improvements can you make to the escalation paths for issues within your business?

Lesson 6

Overview of Windows Server 2008 Management Tasks

To ensure that the server runs optimally, it is important to understand what management tasks you must perform on your servers. You must decide how frequently to run each management task, and ensure that the frequency reflects both maintenance and business requirements.

Windows Server 2008 Maintenance Tasks

Key Points
Performing regular maintenance tasks will help facilitate optimal server availability. Regular maintenance tasks involve ensuring that your computer is up to date with the latest operating system updates, including security updates. You will also want to ensure that the latest security updates are installed for all applications. Monitoring performance, health, and diagnostics on a regular basis will ensure that possible issues are caught early. Troubleshooting tools, such as Event Viewer, are included with Windows Server 2008. In addition, administrators can search the Microsoft TechNet Web site, the Microsoft Web site, search engines, newsgroups, and blogs.

Question: List the monitoring tasks you perform at work most often.

Common Tasks for Different Server Roles

Key Points
Different server roles will necessitate different tasks. However, you will want to perform some tasks for all types of servers, including reviewing system and application event logs. Question: Which event logs do you regularly review on your servers at work?

Frequency of Management Tasks

Key Points
To maximize administrator time while also providing adequate monitoring of servers, you should follow guidelines for the frequency of management tasks.

Question: How often do you review server event logs?
Question: Do any of your servers have requirements that make scheduling management tasks more difficult (such as 24x7 operations)?

Lesson 7

Automating Windows Server 2008 Maintenance

There are many advantages to automating aspects of your Windows Server 2008 management strategy. Automating management tasks often saves time and can have a significant impact on costs. However, there are many considerations to take into account that relate to the methods, skills, software, and planning that you must perform before you can deploy automation options.

Automation Requirements

Key Points
When you examine automation solutions for managing your server infrastructure, you must consider several aspects that can provide benefits but may have hidden restrictions or costs. Question: Do you have any skills in scripting or in Windows PowerShell in your organization?

Task Automation Tools

Key Points
Microsoft provides many tools that can simplify complex or repetitive tasks in Windows Server 2008. Although some of these tools may require additional skills, several of them are straightforward to implement and offer immediate benefits. In addition, you may use various third-party tools that can perform monitoring and alerting, deploy configuration changes, or perform audits to more easily manage computers on your network.

Question: Do you currently use automation tools at work?
Question: In what ways can using automation tools benefit your organization?

Tool Selection Process

Key Points
When you choose tools to help you manage your infrastructure, you must consider several factors to ensure that you make the right choice. You may need to select several tools to ensure comprehensive coverage of all of your management requirements.

Question: If you currently use some of these tools, why were they chosen?

Lab B: Configuring Windows Server 2008 Monitoring

Exercise 1: Configuring Data Collector Sets


Scenario
In this exercise, you will configure data collector sets to generate an alert. The main task for this exercise is to generate an alert by using a data collector set.

Task 1: Generate an alert by using a data collector set


Create a user-defined data collector set and configure an alert to trigger when the counter Process - % Processor Time reaches 95%. The alert should log an event in the application event log.
Results: After this exercise, you should have configured a performance alert.

Exercise 2: Monitoring Extension Exercise


Scenario
In this exercise, you will create a data collector set to monitor a server that you currently administer. The main task for this exercise is to create a tailored data collector set.

Task 1: Create a tailored data collector set


Use the Reliability and Performance Monitor to create a data collector set for a server in your organization.
Results: After this exercise, you should have identified performance counters that you will need to collect from a server in your own organization.

Exercise 3: Automating Maintenance Tasks


Scenario
You decide that it will be easier to review the Directory Service log information from a single, central location. You also want to produce a simple report about disk space across several servers at the same time. In this exercise, you will configure event forwarding for Directory Service events. The main tasks for this exercise are as follows:

1. Forward Directory Service replication error messages to a central location.
2. Run a script to review disk space.
3. Close all virtual machines, and discard undo disks.

Task 1: Forward Directory Service replication error messages to a central location


Log on to 6419A-NYC-DC1 by using the following information:
User name: woodgrovebank\administrator
Password: Pa$$w0rd

Add the computer NYC-SVR1 to the Administrators group in the WoodgroveBank.com domain.

Log on to 6419A-NYC-SVR1 by using the following information:
User name: woodgrovebank\administrator
Password: Pa$$w0rd

Open Event Viewer. Create a subscription to forward events from NYC-DC1 to NYC-SVR1 by manually entering the query in the following code example:

<QueryList>
  <Query Id="0" Path="Directory Service">
    <Select Path="Directory Service">*[System[(Level=2 or Level=3) and (EventID=1308 or EventID=1864)]]</Select>
  </Query>
</QueryList>
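Before the subscription goes live, it is worth confirming that the XPath filter above actually matches events on the source computer and, afterwards, that forwarded copies arrive on the collector. The following is an added example, not part of the course lab; it assumes Windows PowerShell 2.0 or later (for Get-WinEvent), that it is run with rights to read the Directory Service log on NYC-DC1, and that NYC-SVR1 is the collector whose ForwardedEvents log receives the subscription.

```powershell
# Added example (not course lab code): validate the subscription query before and after
# creating the subscription. Assumes PowerShell 2.0+ and read access to the remote log.
$query = @"
<QueryList>
  <Query Id="0" Path="Directory Service">
    <Select Path="Directory Service">
      *[System[(Level=2 or Level=3) and (EventID=1308 or EventID=1864)]]
    </Select>
  </Query>
</QueryList>
"@

# 1. Run the exact XPath the subscription will use, directly against the source computer.
#    Level 2 = Error, Level 3 = Warning; 1308 and 1864 are the replication event IDs from the lab.
#    Get-WinEvent emits a non-terminating error when nothing matches, so it is silenced here
#    and the empty result is handled explicitly.
$events = Get-WinEvent -FilterXml ([xml]$query) -ComputerName NYC-DC1 -ErrorAction SilentlyContinue

if (-not $events) {
    "No matching Directory Service events on NYC-DC1: the subscription would currently forward nothing."
} else {
    "Events on NYC-DC1 that the subscription will forward:"
    $events | Select-Object TimeCreated, Id, LevelDisplayName, MachineName, ProviderName |
        Format-Table -AutoSize
}

# 2. After the subscription is active, forwarded copies land in the collector's ForwardedEvents log.
#    Run this on NYC-SVR1; MachineName still shows NYC-DC1 for forwarded events, which is the
#    quickest way to tell that forwarding, and not a local source, produced them.
"Most recent forwarded events on the collector:"
Get-WinEvent -LogName ForwardedEvents -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, MachineName |
    Format-Table -AutoSize
```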

Task 2: Run a script to review disk space


Open Notepad. Enter the text in the following code example into Notepad:

# Computers to query
$aryComputers = "NYC-DC1","NYC-SVR1"
# Win32_LogicalDisk DriveType 3 = local fixed disk
Set-Variable -name intDriveType -value 3 -option constant
foreach ($strComputer in $aryComputers) {
    "Hard drives on: " + $strComputer
    Get-WmiObject -class win32_logicaldisk -computername $strComputer |
        Where {$_.drivetype -eq $intDriveType} | Format-table
}

Save the file as C:\Users\Administrator.Woodgrovebank\Documents\DriveReport.ps1. Start Windows PowerShell. Turn on Windows PowerShell script execution by typing the following: set-executionpolicy unrestricted. Run the DriveReport.ps1 script that you created and review the results.
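The lab script lists fixed disks; in practice you want the report to tell you which drives are running low and to keep going when one server cannot be reached. The following is an added example, not part of the course lab, that builds on the same Win32_LogicalDisk query; it assumes Windows PowerShell 2.0 or later (for try/catch), the lab's computer names, and a hypothetical 15% free-space warning threshold.

```powershell
# Added example (not course lab code): free-space report across servers with a
# low-space flag and per-server error handling. Assumes PowerShell 2.0+.
$aryComputers = "NYC-DC1", "NYC-SVR1"   # server names taken from the lab
$intDriveType = 3                        # Win32_LogicalDisk DriveType 3 = local fixed disk
$warnPercent  = 15                       # assumed threshold: flag drives below 15 % free

$report = foreach ($strComputer in $aryComputers) {
    $disks = $null
    try {
        # -ErrorAction Stop turns an RPC/DCOM or access-denied failure into a catchable error
        $disks = Get-WmiObject -Class Win32_LogicalDisk -ComputerName $strComputer -Filter "DriveType = $intDriveType" -ErrorAction Stop
    } catch {
        # Record the failure as a row instead of aborting the whole report
        New-Object PSObject -Property @{
            Computer = $strComputer; Drive = "-"; SizeGB = $null; FreeGB = $null
            FreePct  = $null; Status = "UNREACHABLE: " + $_.Exception.Message
        }
    }
    foreach ($disk in $disks) {
        $pct = 0
        if ($disk.Size -gt 0) { $pct = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1) }
        $status = "OK"
        if ($pct -lt $warnPercent) { $status = "LOW" }
        New-Object PSObject -Property @{
            Computer = $strComputer
            Drive    = $disk.DeviceID
            SizeGB   = [math]::Round($disk.Size / 1GB, 1)
            FreeGB   = [math]::Round($disk.FreeSpace / 1GB, 1)
            FreePct  = $pct
            Status   = $status
        }
    }
}

$report | Sort-Object Computer, Drive |
    Format-Table Computer, Drive, SizeGB, FreeGB, FreePct, Status -AutoSize

# A non-zero exit code lets a scheduled task or monitoring tool treat LOW or UNREACHABLE as an alert
if ($report | Where-Object { $_.Status -ne "OK" }) { exit 1 } else { exit 0 }
```

Run it from a scheduled task and the exit code gives you a simple health signal without parsing the table; the UNREACHABLE rows are usually a firewall or rights problem rather than a disk problem.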
Results: After this exercise, you should have configured Event Log forwarding for Active Directory directory service replication errors and run a script to review disk space.

Task 3: Close all virtual machines, and discard undo disks


1. For each virtual machine that is running, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.

Module Review and Takeaways

Review Questions
1. What are the benefits of monitoring server performance?
2. What are some of the tasks that you should undertake when you create a performance baseline for a server?
3. What are the advantages of using a range of monitoring tools?
4. What are the advantages of measuring specific performance counters?
5. What are the advantages of using alerts to identify performance issues?

Best Practices Related to Windows Server 2008 Performance Monitoring


Supplement or modify the following best practices for your own work situations:

Create server baselines for each of your server roles.
Reuse data collector sets across servers.
Use a range of tools, including third-party tools, to monitor your server infrastructure.

Module 15
Managing Windows Server 2008 Backup and Restore
Contents:
Lesson 1: Planning Backups with Windows Server 2008 15-3
Lesson 2: Planning Backup Policy on Windows Server 2008 15-15
Lesson 3: Planning a Server Restore Policy 15-20
Lesson 4: Planning an EFS Restore Policy 15-29
Lesson 5: Troubleshooting Windows Server 2008 Startup 15-40
Lab A: Planning Windows Server 2008 Backup Policy 15-51
Lab B: Planning Windows Server 2008 Restore 15-58

Module Overview

Disaster recovery planning is a critical part of managing any server infrastructure. This module examines the necessary planning for backup procedures to ensure that you protect data and servers sufficiently against disasters. By using the Microsoft Windows Server 2008 operating system, you can restore data that was previously backed up to disk. You should plan your restore policy based on the data that you have backed up from your backup strategy. Restoring data is a riskier operation than backing up data because you can overwrite and lose existing data through careless restore procedures. You should only permit trusted administrators to perform restore operations; it is likely that the restore operators are a subset of the backup operators, but in some organizations, the backup and restore teams are separated. You should use the knowledge that you gain from this module to improve your Windows Server 2008 restore skills.

Lesson 1

Planning Backups with Windows Server 2008

This lesson examines the planning elements that are required to create a successful, unobtrusive, and secure backup process. You can apply these considerations when you are planning backup for various types of data on your network. Typically, you will distribute backup tasks among various servers and personnel in your environment.

Selecting Backup Software and Backup Operators

Key Points
When you plan your backup strategy, you must choose which backup software to use and who should perform some of the required backup tasks. You need to use backup software to back up the data and servers on your network. You can choose the backup feature in the Windows Server 2008 operating system or you can choose third-party backup software. Your choice depends on your backup medium, how you intend to manage your backups across several servers, and licensing costs, among other factors. For example, the Windows Server 2008 Backup feature has no additional licensing costs, but it does not support tape backups. The Windows Server 2008 Backup feature also supports command-line use through the Wbadmin.exe command. This is useful for scripting or performing specific backups such as system state data. Note that system state backup is only available for the command line and is not available in the Windows Server Backup snap-in user interface. In addition, you cannot configure a scheduled backup to create system state backups. However, you can script the Wbadmin start systemstatebackup command to run backups on a schedule.
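Because the snap-in cannot schedule a system state backup, the usual approach is a short script around Wbadmin start systemstatebackup that records the result, run from a scheduled task. The following is an added example, not code from the course; it assumes Windows PowerShell 2.0 or later, a dedicated non-critical backup volume E:, a placeholder script path C:\Scripts\SystemStateBackup.ps1, and that Wbadmin returns a non-zero exit code on failure.

```powershell
# Added example (not course code): unattended system state backup with wbadmin.exe,
# logging and an Application log error on failure. Assumed paths: E: backup volume,
# C:\Scripts\SystemStateBackup.ps1 and .log (placeholders, not course paths).
param(
    [string]$BackupTarget = "E:",
    [string]$LogFile      = "C:\Scripts\SystemStateBackup.log"
)

$start = Get-Date
"$start  starting system state backup to $BackupTarget" | Out-File $LogFile -Append

# -quiet suppresses the confirmation prompt so the command can run from a scheduled task.
# Wbadmin's own progress and error text is captured into the log file.
& wbadmin.exe start systemstatebackup "-backupTarget:$BackupTarget" -quiet 2>&1 |
    Out-File $LogFile -Append
$rc = $LASTEXITCODE   # assumed: 0 on success, non-zero on failure

if ($rc -eq 0) {
    "$(Get-Date)  backup completed in $((Get-Date) - $start)" | Out-File $LogFile -Append
    # Record which backup versions are now on the target, i.e. what could be restored.
    & wbadmin.exe get versions "-backupTarget:$BackupTarget" 2>&1 | Out-File $LogFile -Append
} else {
    "$(Get-Date)  backup FAILED with exit code $rc" | Out-File $LogFile -Append
    # Write an Application log error so an event subscription or alert can pick the failure up.
    # Creating the source needs administrative rights, which the SYSTEM task account has.
    $source = "SystemStateBackup"
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
        [System.Diagnostics.EventLog]::CreateEventSource($source, "Application")
    }
    [System.Diagnostics.EventLog]::WriteEntry($source,
        "wbadmin start systemstatebackup failed with exit code $rc; see $LogFile",
        [System.Diagnostics.EventLogEntryType]::Error, 1001)
}
exit $rc

# Register the task once, from an elevated prompt, to run nightly as SYSTEM.
# RemoteSigned is enough for a local script and narrower than the Unrestricted policy:
#   schtasks /Create /TN "SystemStateBackup" /SC DAILY /ST 02:00 /RU SYSTEM
#     /TR "powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\SystemStateBackup.ps1"
```

Check the log and the Application log after the first scheduled run; a backup that silently fails every night is the failure mode this wrapper is meant to surface.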

You may also have special requirements, such as databases, that you must regularly back up. A database backup may require special software or tools to perform the backup. In addition, you must select staff members who should perform the backup tasks. You must ensure that whoever is administering the backup process checks that backups complete successfully and that they are aware of backup failures. Question: What backup software or solutions do you currently use?

Process for Planning Backup in Windows Server 2008

Key Points
When you plan your backup strategy, you must plan the elements that are listed in the following table.

Plan element: List the data to back up
Details: You must identify all data that requires backup so that you can restore your data and systems in the event of a disaster. You must identify the quantity of data, which in Windows Server 2008 means identifying which volumes to back up, so that you can choose an appropriate storage medium and identify how long a backup or restore operation requires.

Plan element: Create a backup schedule
Details: You must plan how frequently and at what times servers perform automated backup tasks.

Plan element: Choose a backup type
Details: Based on the frequency and the time that is taken to perform a backup and a restore operation, you may also need to select a backup type. Your backup software (for example, SQL Server 2008) may enable you to choose from the following backup types:

Full or Normal
Incremental
Differential

The Windows Server 2008 Backup feature performs one scheduled full backup followed by scheduled incremental backups by using the Volume Shadow Copy Service (VSS).

Plan element: Choose the backup medium
Details: Based on your backup software, the size of backups, and the time to restore data, you should choose an appropriate backup medium. Backup media include:

Tape (not available with Windows Server 2008 Backup)
Removable hard disk
DVD
Shared folder

Tape is available in various formats, supporting various data rates and storage capacities. If you back up to tape, you should ensure that the tape format that you use is appropriate to the quantity of data that you are backing up. The Windows Server 2008 Backup feature does not support backing up to tape. Removable disks and shared folders are the only supported storage media. Consider the length of time that you require to retain backups to restore data. Should you be able to restore data from one month ago, six months ago, 12 months ago, or longer? You must also consider the storage location of your backup media. Tapes are susceptible to magnetic fields and heat, so they should be stored away from these environmental factors.

The Windows Server Backup feature in Windows Server 2008 consists of an MMC snap-in and command-line tools that provide a complete solution for your day-to-day backup and recovery needs. You can use four wizards to guide you through running backups and recoveries. You can use Windows Server Backup to back up a full server (all volumes), selected volumes, or the system state. This differs from the more granular selection process in Windows Server 2003 and may affect the way you perform backups. You can, however, still recover volumes, folders, files, certain applications, and the system state. In case of disasters such as hard disk failures, you can perform a system recovery by using a full server backup and the Windows Recovery Environment; this restores your complete system onto the new hard disk. You may wish to create a system state backup of the server before you make critical changes to the server or to Active Directory. The ability to take just a system state backup is not exposed in the Windows Server Backup graphical interface; to take a system state backup on its own, you must use the Wbadmin.exe command-line utility.

Question: What types of data do you regularly back up at work?

Creating a Backup Schedule

Key Points
When you create a backup schedule, you should consider the following factors:

How often does the data change? You may want to back up data that changes frequently more often, so that you can restore as much information as possible. You should also consider backing up data that changes less often less frequently, to reduce storage requirements and administrative overhead.

What is the cost to re-create the data? This cost should have an impact on how frequently you back up data and the storage medium that you use to perform backups. The storage medium has a large effect on the time that a backup takes.

How long is the backup window? Certain types of backup take longer than other types. For example, a full backup takes longer than an incremental backup, because an incremental backup backs up only changes to data. You should choose the type and frequency of backup based on how long you want the backup operation to take. Backup operations use server resources, so you typically schedule them for hours outside normal business hours. However, you may have other tasks, such as automated maintenance on the server, or you may have global users, so the server is accessed for extended hours throughout the day.

How often is a trial restore performed? You should periodically perform a trial restore on your backups to ensure that the backup is accessible and the data is recoverable. This is an essential part of disaster recovery planning and you should not ignore it.

How long does a restore take? Restoring large amounts of data can take hours or days, depending on the amount of data that was lost and the speed of the backup media. You can back up different types of data in different ways or by using different media so that you can restore the most important data more quickly. This can be particularly useful when you are planning for disasters that involve the loss of one or more servers or if you have service-level agreement (SLA) requirements to meet.

You should typically automate the backup task by creating a scheduled backup job in your backup software or by using task scheduling in Windows Server 2008.

Question: How frequently do you currently perform backups?
Question: Do you have different backup schedules for different data?

Managing Windows Server 2008 Backup and Restore

Creating the Data Retention Plan

Key Points
- How long must you keep data? Must you keep data for legal compliance, such as Sarbanes-Oxley, or for business requirements such as the ability to audit all projects during the previous five years?
- Where should you archive data? Do users require access to archived data regularly, which may require keeping the data on a server, or can the data be archived to a static medium such as optical or tape storage? For static media archival, you must consider that media such as DVD or tape has a finite lifetime for storing data.
- What is the cost of data storage? Different storage mechanisms and media have different costs associated with them. If you keep your data archive on your corporate storage area network (SAN), this has a relatively high cost per megabyte (MB). If you keep archived data on a server hard disk, it has a lower cost per MB, and data that is stored on tape has a very low cost per MB. Ease of access runs the other way, so you must balance the cost against the ease of access for the data. Typically, you move older data to cheaper storage media.


- What software tools can assist data retention? Your backup software or additional tools may have data-retention capabilities, or you could invest in software to assist data retention in your organization. Consider tools such as Microsoft System Center Data Protection Manager, which can offer backup capabilities and options to archive older data to media such as tape instead of hard disk.

Question: What is your current data retention plan?
Question: Do you have any legal data retention requirements to fulfill?


Backing Up Encrypted Files and Virtual Machines

Key Points
Planning backups for encrypted files must include consideration for correctly backing up and recovering the files and for backing up and recovering the encryption keys. Encrypting File System (EFS) is a powerful tool for encrypting files and folders on client computers and remote file servers. It enables users to protect their data from unauthorized access by other users or external attackers.

Backing Up Hyper-V

Although not technically a backup, a VM snapshot provides a point in time to which you can revert by using differencing disks and a copy of the VM configuration file.


Although one exciting benefit of server virtualization is the prospect of no longer having to individually back up the virtualized systems, simply backing up the virtual machine files is not sufficient. Because these are live computers consisting of in-memory data, data on disk, system configurations, and open files, there are other things to consider.

Question: Do your users currently use Encrypting File System (EFS)?


Lesson 2

Planning Backup Policy on Windows Server 2008

In addition to deciding on backup strategy for various types of data on your network, you must also examine some wider issues when you plan your overall backup policy. This lesson examines some of the additional considerations that you must take into account when you create your backup policy.


Factors That Affect Backup Policy

Key Points
Factor: Service-level agreements
Details: If your information technology (IT) department has agreed on SLAs or intends to create SLAs for data or server availability, you must include consideration of backup and restore processes with your SLA. An SLA should specify the data or servers to which it refers, and it should identify acceptable periods of unavailability. It is important that the time that is taken to perform a restore operation does not exceed the SLA; if it does, the SLA is redundant.


(continued)
Factor: Cost
Details: When you plan your backup policy, you must consider the cost of your backup solution. Costs for your backup solutions can include hardware, software, and media. You should carefully consider cost with respect to backup and restore times, and the required storage quantities. Larger storage capacities or faster storage media are more expensive, but you may require these for specific data types in your organization, such as database backups. When you plan for increases in data storage, you should include any necessary increase in backup costs that are required to maintain your backup schedule.

Factor: Bandwidth
Details: If you back up to a different physical location, such as a secure offsite storage provider or a dedicated disaster recovery site, you must consider bandwidth requirements. The available bandwidth for these backups directly impacts the time that is taken to perform a backup and restore operation and, unless fast links are available, you would typically use these as additional protection if a physical or environmental disaster occurs at your primary location. You might also consider using Distributed File System (DFS) replication to enable backup at another location. If you have branch offices, you can decide to perform all regular file-based backups from your main office by replicating content to the main office and then performing the backup.

Factor: Personnel
Details: You should also consider who can perform backup tasks. This includes physical tasks such as loading or changing tape libraries, and system tasks such as performing backups or changing backup schedules.

Question: Does your information technology (IT) department fulfill any service-level agreements (SLAs)?
Question: Do you back up any data over the network?


Storage and Security Considerations

Key Points
Security considerations for your data backups are an important part of your overall security strategy. Physical security is particularly important with backup storage media, at both on-site and off-site locations.

Question: Who currently has access to backup media at your organization?


Process for Selecting Backup Operators

Key Points
When you plan who should perform key backup and restore tasks in your organization, consider whether the backup and restore roles should be separated for security purposes. Training is also important for individuals to understand the effect of backup and restore on data and related systems.

Question: Who performs backup and restore tasks in your organization?
Question: Are backup and restore roles separated in your organization?


Lesson 3

Planning a Server Restore Policy

This lesson will discuss the requirements for a restore policy on Windows Server 2008. Your restore policy should not be a static document that you write once and archive. You should regularly update your server restore policy by reviewing the results of trial and real restore operations.


Considerations for a Server Restore

Key Points
- Total server failure may require data recovery from an off-site location.
- You should determine whether a single file or application data requires restoring.
- You should consider the potential impact that a failed restore could have on your organization.

Question: Who determines the restore procedures during data and server loss incidents within your organization?
Question: What process do you follow to ensure that you only restore valid data and that no data is lost during the restore process?


Impact of a Server Restore

Key Points
Perform a brief business impact analysis before you restore data to determine the possible number of users who are impacted by the restore of data. Consider the effect on service-level agreements (SLAs) that the restore of data will have.

Question: How can you improve the change management process for restoring data in your organization?


Improving the Backup Plan

Key Points
You should continually strive to improve your backup plan after you have identified areas for improvement from unsuccessful restores. You should regularly review your backup policy by performing a trial restore of data.

Question: What improvements can you make to your backup plans?
Question: What improvements can you make to your disaster recovery plans?


Change Management Considerations

Key Points
- Data restore may require emergency changes to meet SLAs.
- You can empower users to recover their own data by using earlier versions.
- The Volume Shadow Copy Service (VSS) captures and copies stable images for backup on running systems, particularly servers, without unduly degrading the performance and stability of the services they provide.

Question: How do you ensure that restored data does not overwrite newer data in your organization?


Restore Logs

Key Points
You should review backup log files after each backup. Some backups will fail; you should ensure that the backups are complete and useable for restore. After you have restored data, you should verify that the restoration of all files has been successful by reviewing the associated log files.

Question: How frequently are the backup logs reviewed and trial restores performed to ensure that the backups have worked as expected in your organization?
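As an added example that is not part of the course text, the following PowerShell session performs the review described above on a Windows Server 2008 computer: it reads the Windows Server Backup catalog to find the age of the newest backup and pulls recent warnings and errors from the backup event channel. The 24-hour limit is an assumed recovery-point objective.

```powershell
# Added example, not from the course: check Windows Server Backup results on a
# Windows Server 2008 computer before relying on the backup for a restore.
# The 24-hour threshold is an assumed recovery-point objective.

$maxAgeHours = 24

# 1. Age of the newest backup version in the catalog. 'wbadmin get versions' prints
#    one block per backup, each with a "Backup time:" line in the local date format.
$times = @()
foreach ($line in (wbadmin get versions 2>&1)) {
  if ("$line" -match '^Backup time:\s*(.+)$') { $times += [DateTime]::Parse($matches[1]) }
}
if ($times.Count -eq 0) {
  Write-Warning "No backup versions in the catalog; use the Catalog Recovery Wizard if the catalog is corrupt."
} else {
  $newest = $times | Sort-Object | Select-Object -Last 1
  $age    = (Get-Date) - $newest
  if ($age.TotalHours -gt $maxAgeHours) {
    Write-Warning ("Newest backup is {0:N1} hours old (limit {1} hours)" -f $age.TotalHours, $maxAgeHours)
  } else {
    Write-Host ("Newest backup {0} is {1:N1} hours old" -f $newest, $age.TotalHours)
  }
}

# 2. Critical, error and warning events from the backup engine in the last 7 days.
#    The channel appears in Event Viewer under Applications and Services Logs >
#    Microsoft > Windows > Backup. The XPath is passed as one quoted argument.
$ms    = 7 * 24 * 60 * 60 * 1000
$xpath = '*[System[(Level=1 or Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) <= ' + $ms + ']]]'
wevtutil qe Microsoft-Windows-Backup "/q:$xpath" /rd:true /f:text /c:20

# 3. Whether a backup or recovery is still running; a job in progress is not usable yet.
wbadmin get status
```

Run the script from the same scheduled task that launches the backup, a few minutes after it, or from a monitoring host, so a silent failure is noticed the same day rather than at restore time.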


Restore Options

Key Points
You should verify that access to restored data is only available to authorized users. You should consider whether to restore data to an alternate location or to overwrite existing files.

Question: What is the process in your organization for checking access to restored data?


Security Analysis

Key Points
You should use the built-in group Backup Operators to enable users to back up and restore files and folders. If users only require the right to back up files, you should not place them in the Backup Operators group, because this would grant users additional rights to restore files.

Question: Who can restore files in your organization?
Question: Must you review membership of the Administrators and Backup Operators groups?
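As an added example that is not part of the course text, the following PowerShell script reviews who holds the two user rights behind the point above on a Windows Server 2008 computer. It exports the User Rights Assignment with secedit, compares the holders of SeBackupPrivilege and SeRestorePrivilege against an approved baseline, and lists the members of Backup Operators. The baseline is an assumption for a member server; the well-known SIDs are those of Administrators and Backup Operators.

```powershell
# Added example, not from the course: list who holds the backup and restore user
# rights on a Windows Server 2008 computer and enumerate Backup Operators.
# The approved baseline is an assumption for a member server; on a domain
# controller, Server Operators (S-1-5-32-549) also hold both rights by default.

$approved = @{
  'SeBackupPrivilege'  = @('*S-1-5-32-544', '*S-1-5-32-551')   # Administrators, Backup Operators
  'SeRestorePrivilege' = @('*S-1-5-32-544', '*S-1-5-32-551')
}

# Export the effective User Rights Assignment to an .inf file with secedit. Its
# [Privilege Rights] section lists each right as: SeBackupPrivilege = *SID,*SID
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

foreach ($line in Get-Content $inf) {
  if ($line -match '^(SeBackupPrivilege|SeRestorePrivilege)\s*=\s*(.*)$') {
    $right = $matches[1]
    foreach ($holder in $matches[2].Split(',')) {
      $holder = $holder.Trim()
      if ($holder -eq '') { continue }
      if ($approved[$right] -contains $holder) {
        Write-Host "$right : $holder (approved)"
      } else {
        Write-Warning "$right is held by an unexpected principal: $holder"
      }
    }
  }
}
Remove-Item $inf

# Members of the local Backup Operators group, through the ADSI WinNT provider.
# Everyone listed here can restore files, not only back them up, because the
# group carries SeRestorePrivilege as well as SeBackupPrivilege.
$group = [ADSI]'WinNT://./Backup Operators,group'
$group.psbase.Invoke('Members') | ForEach-Object {
  $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}
```

An account that only needs to run backups is better served by granting it "Back up files and directories" alone through Group Policy (User Rights Assignment) than by adding it to Backup Operators; the script above then reports it under SeBackupPrivilege only.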


Updating Backup Policy

Key Points
You should review, improve, and update all of your policies and working practices to ensure that you continue to meet the requirements of your business. By increasing the frequency of backups, you can provide access to recent changes in documents for users. Windows Server 2008 simplifies scheduling backup tasks by using VSS. This improved backup enables users to restore files without resorting to assistance from the IT team.

Question: How often do you update the backup and restore policy in your organization? Can you identify areas of your current policies that require updating?


Lesson 4

Planning an EFS Restore Policy

By encrypting data, you secure it so that only the data owners can access the files. This may lead to difficulties when you restore data because user encryption keys are stored separately from files. Because there is no way to recover data that has been encrypted with a corrupted or missing certificate, it is critical that you back up the certificates that store encryption keys and store them in a secure location. You can also specify a recovery agent. This agent can restore the data. The recovery agent's certificate serves a different purpose than the user's certificate. This lesson will discuss the requirements for restoring encrypted data by using the Encrypting File System (EFS) on Windows Server 2008. It is beyond the scope of this course to detail the recovery of file encryption keys.


Considerations When Restoring EFS Data

Key Points
You should ensure that you can recover encryption keys and data as part of your recovery strategy. When you restore data, you should ensure that you match the file that is restored with the same key that you used to encrypt the file. You should have a documented and tested procedure to restore user encryption keys.

Question: What steps must you take to ensure that you can recover EFS keys and data?
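The following is an added example, not the course's own procedure, that covers both the key backup planning in "Backing Up Encrypted Files and Virtual Machines" and the key-to-file matching above. It uses the Windows Server 2008 cipher.exe and certutil.exe tools to record which certificate an encrypted file depends on, export that certificate with its private key, and import the key again on a rebuilt computer. The share path, file name and backup location are assumptions.

```powershell
# Added example, not from the course: back up and restore the EFS keys that a
# restored encrypted file depends on. Run as the user who owns the key (the
# private key lives in that user's profile) on Windows Server 2008 or Vista.

# Report the encryption state of the share recursively (E = encrypted, U = not).
cipher /s:D:\Shares\HR

# Show which certificates can decrypt one file: the user certificate(s) and any
# data recovery agent, each with its thumbprint. Keep this output with the backup
# record so a restored file can later be matched to the right key.
cipher /c D:\Shares\HR\salary-review.xlsx

# Export the certificate and private key used for that particular file. cipher
# prompts for a password that protects the private key and appends .pfx to the
# name. Store the result on removable media kept away from the server.
cipher /x:D:\Shares\HR\salary-review.xlsx E:\KeyBackup\hr-user-efs

# Without a file argument, the user's current EFS certificate and key are exported.
cipher /x E:\KeyBackup\hr-user-efs-current

# Restore path, on a rebuilt computer while logged on as the same user: import
# the PFX into the user's personal certificate store (certutil prompts for the
# PFX password when -p is not supplied).
certutil -user -importPFX E:\KeyBackup\hr-user-efs.pfx

# After restoring the file from backup, confirm that the thumbprint listed for it
# matches the imported certificate; if they differ, the wrong key was restored.
cipher /c D:\Shares\HR\salary-review.xlsx
```

Windows Server Backup copies encrypted files in their encrypted form, so the file restore itself never needs the key; the key is only needed when the owner opens the file, which is why the thumbprint comparison at the end is the actual test of the trial restore.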


Requirements for EFS Recovery

Key Points
There are many configurations and recovery options for EFS. You can recover keys from Active Directory or from backups, or you can recover the data by using data recovery agents. You should also consider that if an organization does not centralize key storage in AD, recovery keys may be stored on multiple servers and workstations throughout the organization.

By using a recovery agent, you can ensure that data is recoverable in the event of loss of the original user encryption keys. In a secure environment where only the user who encrypts a file may decrypt it, your options for file and encryption key recovery may be limited to only the user owning the file if the data recovery agent (DRA) keys are intentionally deleted. This makes the file more secure by limiting access to only the user who encrypts the file; however, the tradeoff is that you can only ever recover the file by using the original encryption key.


You can use Group Policy settings to configure EFS across your organization. You should consider the use of smart cards and storing keys on these cards as part of your EFS strategy.

Question: What planning documentation is there in your organization for EFS? How can you ensure that this documentation is updated and modified?


Preparing to Recover EFS Files

Key Points

Configure Windows Enterprise Certification Authority

The first step is to configure your computer running Windows Server 2008 Enterprise Edition to be an enterprise certification authority (CA). The CA is responsible for issuing digital certificates that provide S/MIME functionality. To configure your enterprise CA, you will need to:

- Install and configure the Microsoft Active Directory domain service.
- Install and configure Active Directory Certificate Services.

After you complete these steps, your Windows Server 2008 enterprise CA will be configured to issue digital certificates.


Certificate Templates
The Encrypting File System (EFS) is a feature of Windows Server 2008 that allows users to encrypt data directly on volumes that use the NTFS file system. It operates by using certificates based on the X.509 standard. If no Certificate Authority (CA) is available from which to request certificates, the EFS subsystem automatically generates its own self-signed certificates for users and default recovery agents. There are several circumstances in which an organization may want to implement Certificate Authorities, as opposed to allowing EFS to generate its own self-signed certificates.

Certificate Auto-enrollment Policy


Using the autoenrollment feature, organizations can manage the certificate lifecycle for users, which includes:

- Certificate renewal
- Superseding of certificates
- Multiple signature requirements

Certificate autoenrollment is based on the combination of Group Policy settings and version 2 certificate templates. This combination allows the Microsoft Windows XP Professional, Windows Vista, or Windows Server 2008 client to enroll users when they log on to their domain, or a machine when it boots, and keeps them periodically updated between these events. Automatic enrollment of user certificates provides a quick and simple way to issue certificates to users and to enable public key infrastructure (PKI) applications, such as smart card logon, Encrypting File System (EFS), Secure Sockets Layer (SSL), Secure/Multipurpose Internet Mail Extensions (S/MIME), and others, within an Active Directory directory service environment. User autoenrollment minimizes the high cost of normal PKI deployments and reduces the total cost of ownership (TCO) for a PKI implementation when Windows XP Professional or Windows Vista clients are configured to use Active Directory.

Question: Who in your organization is in charge of creating and configuring certification authority?


Managing the Recovery Agent

Key Points
- To designate a user as an additional recovery agent using the Add Recovery Agent Wizard, click Add Data Recovery Agent.
- To allow EFS to work without recovery agents, point to All Tasks and then click Do Not Require Data Recovery Agents.
- To delete this EFS policy and every recovery agent, point to All Tasks and then click Delete Policy. If you select this option, users can still encrypt files on this computer. Note that this option will not appear unless there is an EFS policy on the computer.

Important: Before changing the recovery policy in any way, you should first back up the recovery keys to a floppy disk.


Notes
- To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
- There is no default recovery agent on a standalone computer. A file recovery certificate can be created by running cipher.exe /r, and the Add Data Recovery Agent option can be used to import this certificate into the EFS policy. For more information on cipher.exe, see Related Topics.
- You can make changes to the File Recovery certificate by right-clicking the certificate and then clicking Properties. For example, you can give the certificate a friendly name and enter a text description.

Process for Exporting and Deleting Private Key


The first domain controller in a domain contains the built-in Administrator profile that contains the public certificate and the private key for the default recovery agent of the domain. The public certificate is imported to the Default Domain Policy and is applied to domain clients by using Group Policy. If the Administrator profile or the first domain controller is no longer available, the private key that is used to decrypt the encrypted files is lost, and files cannot be recovered through that recovery agent. To locate the Encrypted Data Recovery policy, open the Default Domain Policy in the Group Policy Object Editor snap-in, expand Computer Configuration, expand Windows Settings, expand Security Settings, and then expand Public Key Policies. If you click to select the Delete the private key if the export is successful check box, the private key is removed from the domain controller. As a best practice, we recommend that you use this option. Install the recovery agent's private key only when you need it to recover files. At all other times, export, and then store the recovery agent's private key offline to help maintain its security.


Note: We strongly recommend that you click to select the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) check box to protect your private key from unauthorized access.

Note: We recommend that you back up the file to a disk or to a removable media device, and then store the backup in a location where you can confirm the physical security of the backup.

Question: List at least one example of how your organization can use the Recovery Agent to access EFS files during a disaster recovery scenario.
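As an added example that is not part of the course text, the following Windows Server 2008 commands create a new data recovery agent certificate with cipher.exe /r (mentioned in the Notes above), check that its private key is not left on a fixed disk, and update existing encrypted files once the policy has applied. The file names, the share path and the search location are assumptions; the Group Policy import in step 2 is done in the console, as the course describes.

```powershell
# Added example, not from the course: create a data recovery agent (DRA)
# certificate with cipher.exe, keep its private key offline, and re-stamp existing
# encrypted files after the policy applies. Paths and names are placeholders.

# 1. Generate the DRA key pair. cipher prompts for a password and writes two files:
#    woodgrove-dra.cer (public certificate, for the EFS policy) and
#    woodgrove-dra.pfx (private key, password protected). Run it with the output
#    on a removable drive so the private key never sits on a server disk.
cipher /r:E:\DRA\woodgrove-dra

# 2. Import woodgrove-dra.cer with Add Data Recovery Agent under
#    Computer Configuration > Windows Settings > Security Settings > Public Key
#    Policies > Encrypting File System in the Group Policy Object Editor. There is
#    no command-line equivalent for this step on Windows Server 2008.

# 3. Confirm that no DRA or user private key remains on the fixed disk in a profile
#    folder after the export (assumed location: the Users directory).
Get-ChildItem -Path "$env:SystemDrive\Users" -Recurse -Include *.pfx -ErrorAction SilentlyContinue |
  ForEach-Object { Write-Warning ("Private key file left on fixed disk: " + $_.FullName) }

# 4. On each file server and client, apply the policy and refresh the encrypted
#    files so the new DRA can open them. 'cipher /u' touches every encrypted file
#    on local drives and updates its recovery agent key.
gpupdate /target:computer /force
cipher /u

# 5. Verify that the new recovery agent is now listed for a sample file.
cipher /c D:\Shares\HR\salary-review.xlsx
```

Until step 4 has run on a computer, files encrypted there still carry only the previous recovery agent, so the recovery drill in your restore policy should include a file encrypted both before and after the DRA change.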


Recovering EFS Files

Key Points
Data Recovery Best Practices

In general, the best practice for organizations to follow regarding data recovery is to deploy a public key infrastructure (PKI) to issue certificates to users and data recovery agents that are issued from a certification authority (CA). The Microsoft Enterprise Certification Authority makes it easy for users to automatically get certificates for use by EFS.


Other best practices include:

- Using more than one DRA per domain, and storing the actual private keys for the DRAs on a medium (floppy disk, CD-ROM, etc.) that can be secured and retrieved only when appropriate security policies and practices have been followed.
- DRAs may be defined at the site, domain or OU like any other Group Policy, and may be combined as an aggregate policy based on the organization of Active Directory.

Question: Who in your organization has the proper DRA privileges to open EFS encrypted files?


Lesson 5

Troubleshooting Windows Server 2008 Startup

Key Points
Sometimes a problem can arise that will prevent Windows from starting properly. This lesson will discuss the common causes of startup problems, review the startup processes that may be affected, and explore different troubleshooting techniques that you can use depending on when the failure occurs.


Common Causes of Startup Problems

Key Points
Diagnosing and correcting hardware and software problems that affect the startup process requires different tools and techniques than troubleshooting problems that occur after the system has started, because the person troubleshooting the startup problem does not have access to the full suite of Microsoft Windows Server 2008 troubleshooting tools. Resolving startup issues requires a clear understanding of the startup process and core operating system components, as well as the tools used to isolate and resolve problems. Startup failure can result from a variety of problems, such as user error, driver problems, application faults, hardware failures, disk or file corruption, system misconfiguration, or virus activity. If the condition is serious enough, you might need to reinstall Windows.

Question: Can you think of situations where you had to troubleshoot a Windows startup problem and, if so, how did you resolve it?


Reviewing Startup Processes

Key Points
The above startup sequence applies to systems started or restarted after a normal shutdown. The detect and configure hardware phase detects and configures only hardware necessary to start the kernel loading phase, including system buses, hard disks, input devices, and parallel ports. Remaining hardware devices are configured during the kernel loading phase.

Question: During startup, in which of these phases is system memory checked?


Being Prepared for Startup Failures

Key Points
Being prepared for a server failure means being able to recover the server quickly in the event of a disaster. On a computer running Windows Server 2008, you can use the following to perform recovery tasks:

- Recovery Wizard. This wizard helps you recover files and folders, applications, and volumes.
- Catalog Recovery Wizard. This wizard helps you recover the backup catalog. This wizard is only available if your backup catalog has become corrupted.
- A Windows Setup disc and a backup created with Windows Server Backup. This method helps you recover your operating system or full server.

You can also perform recoveries using the Wbadmin start recovery, Wbadmin start systemstaterecovery, and Wbadmin restore catalog commands.


Additional preventative measures should be taken to ensure server health and availability, including:

- Protecting the operating system with current Windows Updates and antivirus signatures
- Following vendor recommendations for hardware maintenance
- Familiarizing yourself with advanced boot options (F8 on startup): Safe Mode, Last Known Good Configuration, Boot Logging
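The following is an added example that is not part of the course text. It uses the wbadmin start recovery command listed above to restore a folder to an alternate location rather than over the live share, the option discussed under "Restore Options", and then checks the result and its permissions before anyone relies on it. The version identifier, paths and the commented system state command are assumptions; take the real identifier from wbadmin get versions.

```powershell
# Added example, not from the course: recover a folder from a Windows Server Backup
# version into a staging location on Windows Server 2008, compare it with the live
# data, and review who can read the restored copy. Paths and the version identifier
# are placeholders.

# Pick the version to restore from; identifiers look like MM/DD/YYYY-HH:MM.
wbadmin get versions
$version = "06/02/2008-21:00"   # placeholder taken from the list above

# Recover D:\Shares\Sales recursively into E:\RestoreTest instead of over the live
# share. -overwrite:CreateCopy leaves any file already present at the target in
# place and writes the restored version beside it. Arguments are quoted so
# PowerShell passes the colons through unchanged.
wbadmin start recovery "-version:$version" -itemType:File "-items:D:\Shares\Sales" -recursive "-recoveryTarget:E:\RestoreTest" -overwrite:CreateCopy -quiet

# Compare file counts and total sizes of the live share and the restored copy.
$live     = @(Get-ChildItem D:\Shares\Sales -Recurse | Where-Object { -not $_.PSIsContainer })
$restored = @(Get-ChildItem E:\RestoreTest  -Recurse | Where-Object { -not $_.PSIsContainer })
"Live: {0} files, {1} bytes; restored: {2} files, {3} bytes" -f `
  $live.Count, ($live | Measure-Object Length -Sum).Sum, `
  $restored.Count, ($restored | Measure-Object Length -Sum).Sum

# Restored files keep the ACLs that were backed up. Review them, and flag any entry
# that grants Everyone or BUILTIN\Users access to the staging copy.
icacls E:\RestoreTest
icacls E:\RestoreTest /T | Select-String -Pattern "Everyone|BUILTIN\\Users"

# Once the copy is verified, move the files into the live share under change control
# rather than re-running the recovery with -overwrite:Overwrite.

# System state recovery from the same version (full server rebuild scenario). On a
# domain controller this must be run from Directory Services Restore Mode.
# wbadmin start systemstaterecovery "-version:$version" -quiet
```

Restoring into a staging folder first gives you the six-hour restore measurement your SLA needs without putting the live share at risk, and the icacls review is the practical form of "access to restored data is only available to authorized users".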

References: Windows Server 2008 Help: Recover the Operating System


Troubleshooting Startup Before the Windows Logo Appears

Key Points
Use this flow chart to see how to troubleshoot startup problems that occur before the Windows Server 2008 logo appears. In earlier versions of Windows, a file called boot.ini contained information about the Windows operating systems installed on the computer. This information was displayed during the startup process when you turned on your computer. It was most useful in multiboot configurations, or for advanced users or administrators who needed to customize how Windows started. In Windows Server 2008, the boot.ini file has been replaced with Boot Configuration Data (BCD). This file is more versatile than boot.ini, and it can apply to computer platforms that use means other than basic input/output system (BIOS) to start the computer.

Question: Based on this flowchart, what would you say are the most common causes of Windows failing to start before the Windows logo appears?


Troubleshooting Startup After the Windows Logo Appears

Key Points
If your computer displays the graphical Windows Server 2008 logo before failing, use the process illustrated here to identify and disable the failing software component to allow Windows to start successfully. Once Windows starts, you can perform further troubleshooting to resolve the problem with the component if necessary. If the startup problem occurs immediately after updating or installing a startup application, try troubleshooting the startup application. When you are troubleshooting, the method for determining which services and processes to temporarily disable varies from one computer to the next. The most reliable way to determine what you can disable is to gather more information about the services and processes enabled on your computer.


Windows Server 2008 includes several tools and features to generate a variety of logs that can provide you with valuable troubleshooting information:

- Event Viewer
- Sc.exe
- System Information
- Error Reporting Service
- Boot logs (covered earlier)

Question: Based on this flowchart, what would you say are the most common causes of Windows failing to start after the Windows logo appears?


Troubleshooting Startup Problems After Logon

Key Points
If your computer fails immediately after a user logs on, use the process shown here to identify and disable the failing startup application to enable a successful logon. If the problem occurs immediately after updating or installing an application, try uninstalling the application. If a problem occurs after installing new software, you can temporarily disable or uninstall the application to verify that the application is the source of the problem. Problems with applications that run at startup can cause logon delays or even prevent you from completing Windows startup in Normal mode. The following sections provide techniques for temporarily disabling startup applications.


Disabling Startup Applications by Using the SHIFT Key


One way you can simplify your configuration is to disable startup applications. By holding down the SHIFT key during the logon process you can prevent the operating system from running startup programs or shortcuts.

Question: Based on this flowchart, what would you say are the most common causes of Windows failing to start after logon?
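As an added example that is not part of the course text, the following PowerShell session gathers the information the two preceding topics call for (the boot log, Sc.exe service data, and the startup programs that the SHIFT key skips) on Windows Server 2008, and shows how one suspect service is disabled for the next boot and re-enabled afterward. The service name in the last step and the "binary outside the Windows directory" heuristic are assumptions.

```powershell
# Added example, not from the course: collect what is needed to decide which
# driver, service or startup program to disable when Windows Server 2008 fails
# after the logo or after logon. The service name in step 5 is a placeholder.

# 1. Turn on boot logging for the default boot entry (the F8 "Boot Logging" option
#    made persistent). The next startup writes %SystemRoot%\ntbtlog.txt. The
#    identifier is quoted so PowerShell does not treat {default} as a script block.
bcdedit /set '{default}' bootlog Yes
bcdedit /enum '{default}'

# 2. After the restart, list the drivers the boot log says were not loaded.
Select-String -Path "$env:SystemRoot\ntbtlog.txt" -Pattern 'Did not load driver'

# 3. Auto-start services whose binary lives outside the Windows directory: the
#    usual third-party candidates to disable first (a heuristic, not a rule).
Get-WmiObject Win32_Service -Filter "StartMode='Auto'" |
  Where-Object { $_.PathName -notlike "*\Windows\*" } |
  Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

# 4. Programs started at logon from the Run and RunOnce keys, which is what
#    holding SHIFT during logon skips.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
  if (Test-Path $key) {
    Write-Host "== $key"
    Get-ItemProperty $key | Select-Object * -ExcludeProperty PS* | Format-List
  }
}

# 5. Disable one suspect service for the next boot, then restore it once it is
#    cleared. Sc.exe requires the space after 'start='. 'ContosoAgent' is a placeholder.
sc.exe config ContosoAgent start= disabled
# sc.exe config ContosoAgent start= auto
```

Change one service or startup entry per restart and record each change; the point of the flowchart is to isolate the failing component, and disabling several at once leaves you unable to say which one it was.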


Recovering from Hardware Problems

Key Points
Although most hardware-related problems do not stop Windows Server 2008 from successfully starting, hardware-related problems can appear before the logo would normally appear in the startup process, and symptoms include warning messages, startup failures, and Stop messages. The causes are typically improper device configuration, incorrect driver settings, or hardware malfunction and failure. You can also use the suggestions provided in the companion CD for troubleshooting hardware issues not directly related to startup.

Question: If you suspected a hardware-related problem, what would be the first things you would check?


Lab A: Planning Windows Server 2008 Backup Policy

Exercise 1: Evaluating the Existing Backup Plan


Scenario
At Woodgrove Bank, data for several departments is stored across servers on the network. In the New York office, several file servers are part of a domain-based Distributed File System (DFS) namespace and host the following shares:

- Sales. This share holds the shared data for the Sales department. The Sales department updates it regularly with budgets, forecasts, and sales figures.
- Finance. This share holds important data for the Finance department that supplements the Finance application database. The Finance database should not form part of your backup plan.
- Human Resources. This share holds highly confidential data for the Human Resources department. You have encrypted some of this data by using EFS.


- Technical Library. This share holds technical information, such as white papers and guidance documents, for the IT department. The IT department updates this information infrequently.
- Projects. This share holds documents that relate to any projects that are running at the New York office and changes frequently.

In addition to the file servers, you are responsible for ensuring that four intranet Web servers and two domain controllers can have the data or server restored in the event of a disaster. Web pages on the intranet Web sites do not change frequently. Currently, there is a scheduled weekly backup of the volumes that contain the shares on the file servers and the volumes that contain the Web page content on the Web servers. In this exercise, you must review the existing backup plan against requirements that the management team at Woodgrove Bank has specified. The main tasks for this exercise are as follows:
1. Review the existing backup plan.
2. Propose changes to the backup plan.

Task 1: Start the NYC-DC1 and NYC-SVR1 virtual machines


1. On the host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. Log on to each virtual machine as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
5. Minimize the Lab Launcher window.


Task 2: Review the existing backup plan


1. You have agreed that no more than one day's critical data should be lost in the event of a disaster. Critical data includes the Sales, Finance, and Projects data. Does the current backup plan meet this requirement?
2. Currently, you copy the Human Resources confidential data onto a removable hard disk that is attached to a computer in the Human Resources office. This task is performed weekly by using a script to preserve the encryption on the files. What are the consequences of this process and how would you address them?
3. You have also agreed that, if a server fails, you should be able to restore that server, including all installed roles, features, applications, and security identity, in six hours. Does the current backup plan enable you to restore the servers in this way?

Task 3: Propose changes to the backup plan


1. Propose an appropriate backup frequency for the shares in the following table:

   Backup              Frequency
   Sales
   Finance
   Human Resources
   Technical Library
   Projects

2. How would you address the requirement to restore the servers and how frequently would you back up the servers?
Results: After this exercise, you should have reviewed the existing backup plan and proposed changes to the backup plan.


Exercise 2: Updating the Backup Policy


Scenario
The management team at Woodgrove Bank has decided that an SLA should be put in place for the mission-critical data that is stored on the intranet file servers and Web servers. The SLA will specify availability for data and the recovery of deleted items. In addition, Woodgrove Bank must comply with legal regulations that state how long the bank must keep customer and financial data. Failure to comply with these requirements entails heavy fines and penalties for the company. You must keep Human Resources and financial information for a minimum of seven years. In the event of an audit, you must provide access to this data within three working days. In this exercise, you will examine the SLA and legal requirements and propose solutions to ensure compliance. The main tasks for this exercise are as follows:
1. Create a backup strategy to comply with the SLA.
2. Create a backup strategy to comply with legal requirements.

Task 1: Create a backup strategy to comply with the SLA


1. You should be able to restore critical data, which includes the Sales, Finance, and Projects shares, as quickly as possible in the event of a disaster. What factors affect how quickly you can restore data?
2. Given that you have a limited budget to meet the SLA requirements, how could you maximize your budget while providing backup for all of the network data for which you are responsible?

Task 2: Create a backup strategy to comply with legal requirements


How will you ensure that the required data is stored for the minimum legal requirement period and that the data is available for audit purposes when it is required?
Results: After this exercise, you should have created a backup strategy to comply with the SLA and legal storage requirements.


Exercise 3: Reviewing Backup Policy and Plans


Scenario
In this exercise, you will share your solutions with the class in an instructor-led discussion. Be prepared to add solutions from your own experience at work to the discussion. The main task for this exercise is to discuss your solutions with the class.


Exercise 4: Implementing the Backup Policy


Scenario
In this exercise, you will implement a backup policy for the NYC-SVR1 file server. The main tasks for this exercise are as follows:
1. Initialize the backup storage volume.
2. Create the new backup schedule.

Task 1: Initialize the backup storage volume


1. Log on to 6419A-NYC-SVR1 by using the following information:
   User name: Woodgrovebank\Administrator
   Password: Pa$$w0rd
2. Use Disk Management to create a maximum-size simple volume on Disk 2. Use a quick format.

Task 2: Create the new backup schedule


Use Windows Server Backup to create a new backup schedule. The backup should include the file shares on the E: volume and back up to Disk 2, and you should schedule the backup for 12:30 and 21:00 every day.
Results: After these tasks, you should have initialized a new disk and created the new backup schedule by using Windows Server Backup.
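The same schedule can be created from the command line with wbadmin, which is what a scripted deployment to several file servers would use. This is an added PowerShell example, not part of the 6419A lab text; it assumes the Windows Server Backup feature is installed, that Disk 2 is the freshly initialized volume from Task 1, that the shares live on E:, and that `wbadmin get disks` prints the `Disk number:` and `Disk identifier:` lines the parser looks for.

```powershell
# Added example (not from the 6419A course): scripts Lab A, Exercise 4, Task 2.
# Run from an elevated prompt on the file server (NYC-SVR1 in the lab).
# Assumption: "wbadmin get disks" reports each disk as a block of lines that
# includes "Disk number: N" followed by "Disk identifier: {GUID}".

$diskNumber    = 2        # the disk initialized in Task 1
$diskId        = $null
$currentNumber = $null

# wbadmin enable backup wants the disk's GUID identifier, not its number.
foreach ($line in (wbadmin get disks)) {
    if ($line -match '^Disk number:\s*(\d+)') {
        $currentNumber = [int]$Matches[1]
    }
    elseif ($line -match '^Disk identifier:\s*(\{[0-9A-Fa-f\-]+\})') {
        if ($currentNumber -eq $diskNumber) { $diskId = $Matches[1]; break }
    }
}
if (-not $diskId) { throw "Disk $diskNumber was not reported by 'wbadmin get disks'." }

# On Windows Server 2008 a scheduled backup target must be a dedicated disk:
# wbadmin reformats it and hides it from Explorer, so never point this at a
# disk that still holds data. Two run times match the lab's 12:30 and 21:00.
# -quiet skips the interactive confirmation; leave it out the first time to
# review the plan wbadmin prints before it touches the disk.
wbadmin enable backup -addtarget:$diskId -include:E: -schedule:12:30,21:00 -quiet
if ($LASTEXITCODE -ne 0) {
    throw "wbadmin enable backup failed with exit code $LASTEXITCODE."
}

# Check: read the stored policy back. The Windows.ServerBackup snap-in ships
# with the Windows Server Backup command-line tools; if it is absent, confirm
# the schedule in the Windows Server Backup console instead.
Add-PSSnapin Windows.ServerBackup -ErrorAction SilentlyContinue
if (Get-Command Get-WBPolicy -ErrorAction SilentlyContinue) {
    $policy = Get-WBPolicy
    "Scheduled run times: " + ($policy.Schedule -join ', ')
    "Volumes included:    " + (($policy.VolumesToBackup | ForEach-Object { $_.MountPath }) -join ', ')
}
```

Keep the disk identifier and the exported policy with the change record: if the target disk is ever replaced, the schedule silently stops until `wbadmin enable backup` is run again with the new identifier.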

Task 3: Back up the Domain Recovery Agent's Private Key


1. On NYC-DC1, use the Group Policy Management Editor to browse to the Encrypting File System public key policy (located in Default Group Policy\Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System).
2. From the Group Policy Management Editor, export the File Recovery certificate private key to C:\AdminKey.pfx using a password of Pa$$w0rd.


Task 4: Lab Shutdown


1. For each virtual machine that is running, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.


Lab B: Planning Windows Server 2008 Restore

Exercise 1: Evaluating Backup Data


Scenario
Woodgrove Bank has file servers that store shared data for several departments. The server NYC-FS1 has file shares, including the Human Resources (HR) share, on a redundant array of independent disks (RAID) 5 volume that is labeled E:. At present, a member of the backup team performs a manual full backup of the E: volume by using Windows Server Backup on a Friday evening. The backup takes 20 hours to complete because of the volume of data to back up. After the backup completes, the backup team sends a copy of the backup to secure off-site storage. Previous versions are not enabled on the E: volume. In this exercise, you will analyze the backup data against restore requirements.


The main tasks for this exercise are as follows:
1. Evaluate file restoration.
2. Restore EFS files.
3. Evaluate server restore.

Task 1: Start the NYC-DC1, NYC-SVR1, and NYC-INF virtual machines


1. On the host machine, click Start, point to All Programs, point to Microsoft Learning, and then click 6419A. The Lab Launcher starts.
2. In the Lab Launcher, next to 6419A-NYC-DC1, click Launch.
3. In the Lab Launcher, next to 6419A-NYC-SVR1, click Launch.
4. In the Lab Launcher, next to 6419A-NYC-INF, click Launch.
5. Log on to each virtual machine as WOODGROVEBANK\Administrator with the password Pa$$w0rd.
6. Minimize the Lab Launcher window.

Task 2: Evaluate file restoration


On Thursday, a member of the HR department asks you to restore an important file, which he created two days ago but someone subsequently deleted.
1. Why can you not restore the file?
2. How could you change the backup strategy so that it is possible to restore files that have changed more recently?
3. What other effects would a change in backup strategy cause?

Task 3: Restore EFS files


Members of the HR department have encrypted some of the files that are stored on the HR share by using EFS. The HR director asks you to restore some encrypted confidential files that were originally written by Tommy Hartono, who has since left the company. After you have restored the files, how can you provide access to the files for the HR director?


Task 4: Evaluate server restore


On Wednesday, the server NYC-FS1 suffers a hardware failure. Both the C: and E: volumes are lost.
1. How can you restore the server and data?
2. How could you make the restore process easier?
Results: After this exercise, you should have analyzed the backup data against the restore requirements.


Exercise 2: Planning a Restore


Scenario
In this exercise, you will plan for trial restore operations to test your backups. The main task for this exercise is to plan a trial restore.

Task 1: Plan a trial restore


1. In the following table, list the hardware and software requirements for performing a trial restore:

   Requirements

2. What additional consideration must you make for performing a trial restore of the HR data on NYC-FS1?
3. With what types of backup data should you perform a trial restore?
Results: After this exercise, you should have planned for trial restore operations.


Exercise 3: Investigating a Failed Restore


Scenario
Users have reported that some files in the Technical Library share on 6419A-NYC-SVR1 appear to be the wrong version. In this exercise, you will investigate the files and resolve the problem. The main tasks for this exercise are as follows:
1. Determine the reason for the wrong file version.
2. Create a Restore Operators group.
3. Separate the Backup and Restore roles.

Task 1: Determine the reason for the wrong file version


1. Log on to 6419A-NYC-SVR1 by using the following information:
   Username: Woodgrovebank\Administrator
   Password: Pa$$w0rd
2. Review the backup logs.
3. What operation was last performed?

Task 2: Create a Restore Operators group


Create a new local group on 6419A-NYC-SVR1 that is named Restore Operators.

Task 3: Separate the Backup and Restore roles


Edit the local security policy on 6419A-NYC-SVR1 by using the following settings:
- Prevent the Backup Operators group from being able to restore files.
- Allow the Restore Operators group to restore files.

Results: After this exercise, you should have investigated a failed restore and changed the backup policy.
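Tasks 2 and 3 change two user rights in Local Security Policy: "Back up files and directories" (SeBackupPrivilege) and "Restore files and directories" (SeRestorePrivilege). The script below does the same with a security template applied through secedit, so the separation can be repeated on every file server and verified afterwards. It is an added PowerShell example, not part of the 6419A lab text; it assumes an elevated session on a member server (not a domain controller, where the Default Domain Controllers Policy governs these rights) and that no domain GPO overrides the two rights, since a GPO setting wins over local policy.

```powershell
# Added example (not from the 6419A course): scripts Lab B, Exercise 3, Tasks 2-3
# on a member server such as NYC-SVR1. Assumes an elevated session and no domain
# GPO that assigns SeBackupPrivilege / SeRestorePrivilege.

$groupName = 'Restore Operators'

# Task 2: create the local group if it is missing (ADSI WinNT provider).
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$exists = $computer.Children | Where-Object {
    $_.SchemaClassName -eq 'Group' -and $_.Name -eq $groupName }
if (-not $exists) {
    $group = $computer.Create('Group', $groupName)
    $group.SetInfo()
    $group.Description = 'May restore files and directories; separated from the backup role'
    $group.SetInfo()
}

# secedit identifies accounts by SID (prefixed with *). The built-ins have
# well-known SIDs; the new local group's SID must be resolved.
$admins    = 'S-1-5-32-544'     # BUILTIN\Administrators
$backupOps = 'S-1-5-32-551'     # BUILTIN\Backup Operators
$restoreOps = (New-Object System.Security.Principal.NTAccount($groupName)).Translate(
                  [System.Security.Principal.SecurityIdentifier]).Value

# Template for the user-rights area only. Each line REPLACES the whole
# assignment, so list every principal that should keep the right. On a member
# server the default for both rights is Administrators + Backup Operators.
$inf = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeBackupPrivilege = *$admins,*$backupOps
SeRestorePrivilege = *$admins,*$restoreOps
"@
$infPath = Join-Path $env:TEMP 'split-backup-restore.inf'
$dbPath  = Join-Path $env:TEMP 'split-backup-restore.sdb'
[System.IO.File]::WriteAllText($infPath, $inf, [System.Text.Encoding]::Unicode)

# Keep the pre-change rights so the edit can be reviewed or reverted.
secedit /export /cfg (Join-Path $env:TEMP 'user-rights-before.inf') /areas USER_RIGHTS | Out-Null
secedit /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit failed; see $env:windir\security\logs\scesrv.log" }

# Check: re-export and confirm Backup Operators no longer holds the restore right.
$afterPath = Join-Path $env:TEMP 'user-rights-after.inf'
secedit /export /cfg $afterPath /areas USER_RIGHTS | Out-Null
$restoreLine = Get-Content $afterPath | Where-Object { $_ -like 'SeRestorePrivilege*' }
if ($restoreLine -match [regex]::Escape($backupOps)) {
    throw 'Backup Operators still holds SeRestorePrivilege (check for an overriding GPO).'
}
"Applied: $restoreLine"
```

Privileges are placed in the access token at logon, so a Backup Operator who is already signed in keeps SeRestorePrivilege until the next logon; `whoami /priv` from that account confirms the new state, and the exported `user-rights-after.inf` is the evidence to file with the change.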


Exercise 4: Restoring System State Data


Scenario
The infrastructure team at Woodgrove Bank has escalated a problem with Dynamic Host Configuration Protocol (DHCP). The DHCP service on 6419A-NYC-INF cannot start and the server reports a general error. In this exercise, you will perform a system state restore to repair the server. The main tasks for this exercise are as follows:
1. Back up and restore specific files and folders.
2. Check the state of the DHCP service.
3. Perform a system state restore.

Task 1: Back up and restore specific files and folders


1. Run Windows Server Backup.
2. Back up the E: volume.
3. Delete a file.
4. Use Windows Server Backup to recover the file.

Task 2: Check the state of the DHCP service


1. Log on to 6419A-NYC-INF by using the following information:
   Username: Woodgrovebank\Administrator
   Password: Pa$$w0rd
2. Is the DHCP service running?


Task 3: Perform a system state restore


1. Use the following command to get the backup version identifier:
   wbadmin get versions -backuptarget:f:
2. Use the following command to perform the system state restore (note that -backuptarget is a switch and must carry the leading hyphen):
   wbadmin start systemstaterecovery -version:<version identifier> -backuptarget:f:
3. Cancel the recovery operation after a couple of minutes.
Results: After this exercise, you should have seen how to back up and recover files from the command line and from the Windows Server Backup utility.

Task 4: Lab Shutdown


1. For each virtual machine that is running, close the Virtual Machine Remote Control (VMRC) window.
2. In the Close box, select Turn off machine and discard changes, and then click OK.
3. Close the 6419A Lab Launcher.


Module Review and Takeaways

Review Questions
1. What should you consider for your server restore policy?
2. What considerations should you take into account for the recovery of encrypted data?
3. What steps should you take to verify restored data?
4. How do you know whether your backups are successful?
5. What provisions should you make for backup storage?


Real-World Issues and Scenarios


Your organization currently runs Microsoft Windows 2000 Server servers.
- What do you anticipate the main issues will be when you back up data after you have migrated to Windows Server 2008?
- How do you plan to archive backup data after your migration?
- How will you restore previous versions of files from Windows 2000 Server after your migration?

Best Practices Related to Windows Server 2008 Backup


Supplement or modify the following best practices for your own work situations:
- Do not add information technology (IT) administrators who require only the right to back up files and folders to the Backup Operators group. Create a local group and assign rights to back up files and folders on relevant servers.
- Restrict membership of the Backup Operators group solely to administrators who are allowed to restore files and folders.
- Perform regular backups to enable data to be restored to a point in time.
- Educate users to enable them to recover their own files by using the Volume Shadow Copy Service (VSS).

Best Practices Related to Windows Server 2008 Restore


Supplement or modify the following best practices for your own work situations:
- Add IT administrators who require the right to restore files and folders to the Backup Operators group.
- Do not overwrite data files with older data.
- Educate users to enable them to recover their own files by using VSS.
- Develop an archive solution for your data to enable off-site storage.
- Perform regular trial restore procedures to test your restore strategy.


Best Practices Related to Backup Policies


Supplement or modify the following best practices for your own work situations:
- Identify the data sources that require backing up.
- Identify specific requirements for backing up data, such as SLAs, legal requirements, and the quantity of data that it is acceptable to lose.
- Choose appropriate backup hardware, media, and software.
- Specify your backup operators.
- Specify your backup schedule.
- Perform trial data and server restore operations.

Tools

Tool: Windows Server Backup Console
Use for:
- Scheduling backups of the Windows Server 2008 operating system volumes.
- Performing manual backups of Windows Server 2008 volumes.
Where to find it: On the Administrative Tools menu, after you have installed the Backup feature.

Tool: Wbadmin.exe
Use for:
- Scripting Windows Server 2008 backup tasks.
- Performing system state backups.
Where to find it: At the command prompt, after you have installed the Backup feature.

Tool: System Center Data Protection Manager
Use for:
- Backing up Windows Server 2008 data (application servers and databases can also be backed up).
- Managing backup media.
- Creating a data storage hierarchy.
Where to find it: http://go.microsoft.com/fwlink/?LinkId=121141


Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your learning experience. Please work with your training provider to access the course evaluation form. Microsoft will keep your answers to this survey private and confidential and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.
