
OFFICIAL MICROSOFT LEARNING PRODUCT

10324A
Implementing and Managing Microsoft Desktop Virtualization

Be sure to access the extended learning content on your Course Companion CD enclosed on the back cover of the book.


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. 
Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein. © 2010 Microsoft Corporation. All rights reserved. Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.

Product Number: 10324A Part Number: X17-14982 Released: 10/2010

MICROSOFT LICENSE TERMS
OFFICIAL MICROSOFT LEARNING PRODUCTS - TRAINER EDITION
Pre-Release and Final Release Versions

These license terms are an agreement between Microsoft Corporation and you. Please read them. They apply to the Licensed Content named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft updates, supplements, Internet-based services, and support services for this Licensed Content, unless other terms accompany those items. If so, those terms apply. By using the Licensed Content, you accept these terms. If you do not accept them, do not use the Licensed Content. If you comply with these license terms, you have the rights below.

1. DEFINITIONS.

a. Academic Materials means the printed or electronic documentation such as manuals, workbooks, white papers, press releases, datasheets, and FAQs which may be included in the Licensed Content.

b. Authorized Learning Center(s) means a Microsoft Certified Partner for Learning Solutions location, an IT Academy location, or such other entity as Microsoft may designate from time to time.

c. Authorized Training Session(s) means those training sessions authorized by Microsoft and conducted at or through Authorized Learning Centers by a Trainer providing training to Students solely on Official Microsoft Learning Products (formerly known as Microsoft Official Curriculum or MOC) and Microsoft Dynamics Learning Products (formerly known as Microsoft Business Solutions Courseware). Each Authorized Training Session will provide training on the subject matter of one (1) Course.

d. Course means one of the courses using Licensed Content offered by an Authorized Learning Center during an Authorized Training Session, each of which provides training on a particular Microsoft technology subject matter.

e. Device(s) means a single computer, device, workstation, terminal, or other digital electronic or analog device.

f. Licensed Content means the materials accompanying these license terms. The Licensed Content may include, but is not limited to, the following elements: (i) Trainer Content, (ii) Student Content, (iii) classroom setup guide, and (iv) Software. There are different and separate components of the Licensed Content for each Course.

g. Software means the Virtual Machines and Virtual Hard Disks, or other software applications that may be included with the Licensed Content.

h. Student(s) means a student duly enrolled for an Authorized Training Session at your location.

i. Student Content means the learning materials accompanying these license terms that are for use by Students and Trainers during an Authorized Training Session. Student Content may include labs, simulations, and courseware files for a Course.

j. Trainer(s) means a) a person who is duly certified by Microsoft as a Microsoft Certified Trainer and b) such other individual as authorized in writing by Microsoft and has been engaged by an Authorized Learning Center to teach or instruct an Authorized Training Session to Students on its behalf.

k. Trainer Content means the materials accompanying these license terms that are for use by Trainers and Students, as applicable, solely during an Authorized Training Session. Trainer Content may include Virtual Machines, Virtual Hard Disks, Microsoft PowerPoint files, instructor notes, and demonstration guides and script files for a Course.

l. Virtual Hard Disks means Microsoft Software that is comprised of virtualized hard disks (such as a base virtual hard disk or differencing disks) for a Virtual Machine that can be loaded onto a single computer or other device in order to allow end-users to run multiple operating systems concurrently. For the purposes of these license terms, Virtual Hard Disks will be considered Trainer Content.

m. Virtual Machine means a virtualized computing experience, created and accessed using Microsoft Virtual PC or Microsoft Virtual Server software that consists of a virtualized hardware environment, one or more Virtual Hard Disks, and a configuration file setting the parameters of the virtualized hardware environment (e.g., RAM). For the purposes of these license terms, Virtual Hard Disks will be considered Trainer Content.

n. you means the Authorized Learning Center or Trainer, as applicable, that has agreed to these license terms.

2. OVERVIEW.
Licensed Content. The Licensed Content includes Software, Academic Materials (online and electronic), Trainer Content, Student Content, classroom setup guide, and associated media. License Model. The Licensed Content is licensed on a per copy per Authorized Learning Center location or per Trainer basis.

3. INSTALLATION AND USE RIGHTS.

a. Authorized Learning Centers and Trainers: For each Authorized Training Session, you may:

i. either install individual copies of the relevant Licensed Content on classroom Devices only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of copies in use does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session, OR

ii. install one copy of the relevant Licensed Content on a network server only for access by classroom Devices and only for use by Students enrolled in and the Trainer delivering the Authorized Training Session, provided that the number of Devices accessing the Licensed Content on such server does not exceed the number of Students enrolled in and the Trainer delivering the Authorized Training Session.

iii. and allow the Students enrolled in and the Trainer delivering the Authorized Training Session to use the Licensed Content that you install in accordance with (ii) or (ii) above during such Authorized Training Session in accordance with these license terms.

i. Separation of Components. The components of the Licensed Content are licensed as a single unit. You may not separate the components and install them on different Devices.

ii. Third Party Programs. The Licensed Content may contain third party programs. These license terms will apply to the use of those third party programs, unless other terms accompany those programs.

b. Trainers:

i. Trainers may Use the Licensed Content that you install or that is installed by an Authorized Learning Center on a classroom Device to deliver an Authorized Training Session.

ii. Trainers may also Use a copy of the Licensed Content as follows:

A. Licensed Device. The licensed Device is the Device on which you Use the Licensed Content. You may install and Use one copy of the Licensed Content on the licensed Device solely for your own personal training Use and for preparation of an Authorized Training Session.

B. Portable Device. You may install another copy on a portable device solely for your own personal training Use and for preparation of an Authorized Training Session.

4. PRE-RELEASE VERSIONS. If this is a pre-release (beta) version, in addition to the other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content is a pre-release version. It may not contain the same information and/or work the way a final version of the Licensed Content will. We may change it for the final, commercial version. We also may not release a commercial version. You will clearly and conspicuously inform any Students who participate in each Authorized Training Session of the foregoing; and, that you or Microsoft are under no obligation to provide them with any further content, including but not limited to the final released version of the Licensed Content for the Course.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, you give to Microsoft, without charge, the right to use, share and commercialize your feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software, Licensed Content, or service that includes the feedback. You will not give feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your feedback in them. These rights survive this agreement.

c. Confidential Information. The Licensed Content, including any viewer, user interface, features and documentation that may be included with the Licensed Content, is confidential and proprietary to Microsoft and its suppliers.

i. Use. For five years after installation of the Licensed Content or its commercial release, whichever is first, you may not disclose confidential information to third parties. You may disclose confidential information only to your employees and consultants who need to know the information. You must have written agreements with them that protect the confidential information at least as much as this agreement.

ii. Survival. Your duty to protect confidential information survives this agreement.

iii. Exclusions. You may disclose confidential information in response to a judicial or governmental order. You must first give written notice to Microsoft to allow it to seek a protective order or otherwise protect the information. Confidential information does not include information that becomes publicly known through no wrongful act; you received from a third party who did not breach confidentiality obligations to Microsoft or its suppliers; or you developed independently.

d. Term. The term of this agreement for pre-release versions is (i) the date which Microsoft informs you is the end date for using the beta version, or (ii) the commercial release of the final release version of the Licensed Content, whichever is first (beta term).

e. Use. You will cease using all copies of the beta version upon expiration or termination of the beta term, and will destroy all copies of same in the possession or under your control and/or in the possession or under the control of any Trainers who have received copies of the pre-released version.

f. Copies. Microsoft will inform Authorized Learning Centers if they may make copies of the beta version (in either print and/or CD version) and distribute such copies to Students and/or Trainers. If Microsoft allows such distribution, you will follow any additional terms that Microsoft provides to you for such copies and distribution.

5. ADDITIONAL LICENSING REQUIREMENTS AND/OR USE RIGHTS.


a. Authorized Learning Centers and Trainers:

i. Software.

ii. Virtual Hard Disks. The Licensed Content may contain versions of Microsoft XP, Microsoft Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 2000 Advanced Server and/or other Microsoft products which are provided in Virtual Hard Disks.

A. If the Virtual Hard Disks and the labs are launched through the Microsoft Learning Lab Launcher, then these terms apply: Time-Sensitive Software. If the Software is not reset, it will stop running based upon the time indicated on the install of the Virtual Machines (between 30 and 500 days after you install it). You will not receive notice before it stops running. You may not be able to access data used or information saved with the Virtual Machines when it stops running and may be forced to reset these Virtual Machines to their original state. You must remove the Software from the Devices at the end of each Authorized Training Session and reinstall and launch it prior to the beginning of the next Authorized Training Session.

B. If the Virtual Hard Disks require a product key to launch, then these terms apply: Microsoft will deactivate the operating system associated with each Virtual Hard Disk. Before installing any Virtual Hard Disks on classroom Devices for use during an Authorized Training Session, you will obtain from Microsoft a product key for the operating system software for the Virtual Hard Disks and will activate such Software with Microsoft using such product key.

C. These terms apply to all Virtual Machines and Virtual Hard Disks: You may only use the Virtual Machines and Virtual Hard Disks if you comply with the terms and conditions of this agreement and the following security requirements: You may not install Virtual Machines and Virtual Hard Disks on portable Devices or Devices that are accessible to other networks. You must remove Virtual Machines and Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session, except those held at Microsoft Certified Partners for Learning Solutions locations. You must remove the differencing drive portions of the Virtual Hard Disks from all classroom Devices at the end of each Authorized Training Session at Microsoft Certified Partners for Learning Solutions locations. You will ensure that the Virtual Machines and Virtual Hard Disks are not copied or downloaded from Devices on which you installed them. You will strictly comply with all Microsoft instructions relating to installation, use, activation and deactivation, and security of Virtual Machines and Virtual Hard Disks. You may not modify the Virtual Machines and Virtual Hard Disks or any contents thereof. You may not reproduce or redistribute the Virtual Machines or Virtual Hard Disks.

ii. Classroom Setup Guide. You will assure any Licensed Content installed for use during an Authorized Training Session will be done in accordance with the classroom set-up guide for the Course.

iii. Media Elements and Templates. You may allow Trainers and Students to use images, clip art, animations, sounds, music, shapes, video clips and templates provided with the Licensed Content solely in an Authorized Training Session. If Trainers have their own copy of the Licensed Content, they may use Media Elements for their personal training use.

iv. Evaluation Software. Any Software that is included in the Student Content designated as Evaluation Software may be used by Students solely for their personal training outside of the Authorized Training Session.

b. Trainers Only:
i. Use of PowerPoint Slide Deck Templates. The Trainer Content may include Microsoft PowerPoint slide decks. Trainers may use, copy and modify the PowerPoint slide decks only for providing an Authorized Training Session. If you elect to exercise the foregoing, you will agree or ensure Trainer agrees: (a) that modification of the slide decks will not constitute creation of obscene or scandalous works, as defined by federal law at the time the work is created; and (b) to comply with all other terms and conditions of this agreement.

ii. Use of Instructional Components in Trainer Content. For each Authorized Training Session, Trainers may customize and reproduce, in accordance with the MCT Agreement, those portions of the Licensed Content that are logically associated with instruction of the Authorized Training Session. If you elect to exercise the foregoing rights, you agree or ensure the Trainer agrees: (a) that any of these customizations or reproductions will only be used for providing an Authorized Training Session and (b) to comply with all other terms and conditions of this agreement.

iii. Academic Materials. If the Licensed Content contains Academic Materials, you may copy and use the Academic Materials. You may not make any modifications to the Academic Materials and you may not print any book (either electronic or print version) in its entirety. If you reproduce any Academic Materials, you agree that:

The use of the Academic Materials will be only for your personal reference or training use;
You will not republish or post the Academic Materials on any network computer or broadcast in any media;
You will include the Academic Materials' original copyright notice, or a copyright notice to Microsoft's benefit in the format provided below:

Form of Notice: © 2010 Reprinted for personal reference use only with permission by Microsoft Corporation. All rights reserved. Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the US and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

6. INTERNET-BASED SERVICES. Microsoft may provide Internet-based services with the Licensed Content. It may change or cancel them at any time. You may not use these services in any way that could harm them or impair anyone else's use of them. You may not use the services to try to gain unauthorized access to any service, data, account or network by any means.

7. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you may use the Licensed Content only as expressly permitted in this agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only allow you to use it in certain ways. You may not install more copies of the Licensed Content on classroom Devices than the number of Students and the Trainer in the Authorized Training Session; allow more classroom Devices to access the server than the number of Students enrolled in and the Trainer delivering the Authorized Training Session if the Licensed Content is installed on a network server; copy or reproduce the Licensed Content to any server or location for further reproduction or distribution; disclose the results of any benchmark tests of the Licensed Content to any third party without Microsoft's prior written approval; work around any technical limitations in the Licensed Content; reverse engineer, decompile or disassemble the Licensed Content, except and only to the extent that applicable law expressly permits, despite this limitation; make more copies of the Licensed Content than specified in this agreement or allowed by applicable law, despite this limitation; publish the Licensed Content for others to copy; transfer the Licensed Content, in whole or in part, to a third party; access or use any Licensed Content for which you (i) are not providing a Course and/or (ii) have not been authorized by Microsoft to access and use; rent, lease or lend the Licensed Content; or use the Licensed Content for commercial hosting services or general business purposes. Rights to access the server software that may be included with the Licensed Content, including the Virtual Hard Disks does not give you any right to implement Microsoft patents or other Microsoft intellectual property in software or devices that may access the server.

8. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations. You must comply with all domestic and international export laws and regulations that apply to the Licensed Content. These laws include restrictions on destinations, end users and end use. For additional information, see www.microsoft.com/exporting.

9. NOT FOR RESALE SOFTWARE/LICENSED CONTENT. You may not sell software or Licensed Content marked as NFR or Not for Resale.

10. ACADEMIC EDITION. You must be a Qualified Educational User to use Licensed Content marked as Academic Edition or AE. If you do not know whether you are a Qualified Educational User, visit www.microsoft.com/education or contact the Microsoft affiliate serving your country.

11. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail to comply with the terms and conditions of these license terms. In the event your status as an Authorized Learning Center or Trainer a) expires, b) is voluntarily terminated by you, and/or c) is terminated by Microsoft, this agreement shall automatically terminate. Upon any termination of this agreement, you must destroy all copies of the Licensed Content and all of its component parts.

12. ENTIRE AGREEMENT. This agreement, and the terms for supplements, updates, Internet-based services and support services that you use, are the entire agreement for the Licensed Content and support services.

13. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. The laws of the state where you live govern all other claims, including claims under state consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that country apply.

14. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. You may also have rights with respect to the party from whom you acquired the Licensed Content. This agreement does not change your rights under the laws of your country if the laws of your country do not permit it to do so.

15. DISCLAIMER OF WARRANTY. The Licensed Content is licensed as-is. You bear the risk of
using it. Microsoft gives no express warranties, guarantees or conditions. You may have additional consumer rights under your local laws which this agreement cannot change. To the extent permitted under your local laws, Microsoft excludes the implied warranties of merchantability, fitness for a particular purpose and non-infringement.

16. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES. This limitation applies to anything related to the Licensed Content, software, services, content (including code) on third party Internet sites, or third party programs; and claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your country may not allow the exclusion or limitation of incidental, consequential or other damages. Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French. Note: As this licensed content is distributed in Quebec, Canada, some of the clauses in this agreement are provided below in French. DISCLAIMER OF WARRANTY. The licensed content covered by a license is offered "as is". Any use of this licensed content is at your sole risk. Microsoft gives no other express warranty. You may have additional rights under local consumer protection law, which this agreement cannot change. Where permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are excluded. LIMITATION OF DAMAGES AND EXCLUSION OF LIABILITY FOR DAMAGES. You can obtain compensation from Microsoft and its suppliers only for direct damages up to US $5.00. You cannot claim any compensation for other damages, including special, indirect or incidental damages and lost profits. This limitation applies to: anything related to the licensed content, to services or to content (including code) on third-party Internet sites or in third-party programs; and claims for breach of contract or warranty, or for strict liability, negligence or another fault, to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of such damage. If your country does not allow the exclusion or limitation of liability for indirect, incidental or any other kind of damages, the above limitation or exclusion may not apply to you. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of your country. This agreement does not change your rights under the laws of your country if those laws do not permit it to do so.

Welcome!
Thank you for taking our training! We've worked together with our Microsoft Certified Partners for Learning Solutions and our Microsoft IT Academies to bring you a world-class learning experience, whether you're a professional looking to advance your skills or a student preparing for a career in IT.

Microsoft Certified Trainers and Instructors: Your instructor is a technical and instructional expert who meets ongoing certification requirements. And, if instructors are delivering training at one of our Certified Partners for Learning Solutions, they are also evaluated throughout the year by students and by Microsoft.

Certification Exam Benefits: After training, consider taking a Microsoft Certification exam. Microsoft Certifications validate your skills on Microsoft technologies and can help differentiate you when finding a job or boosting your career. In fact, independent research by IDC concluded that 75% of managers believe certifications are important to team performance¹. Ask your instructor about Microsoft Certification exam promotions and discounts that may be available to you.

Customer Satisfaction Guarantee: Our Certified Partners for Learning Solutions offer a satisfaction guarantee and we hold them accountable for it. At the end of class, please complete an evaluation of today's experience. We value your feedback!

We wish you a great learning experience and ongoing success in your career!

Sincerely, Microsoft Learning www.microsoft.com/learning

¹ IDC, Value of Certification: Team Certification and Organizational Performance, November 2006


Acknowledgement
Microsoft Learning would like to acknowledge and thank the following for their contribution towards developing this title. Their effort at various stages in the development has ensured that you have a good classroom experience.

Gary Dunlop - Content Developer


Gary Dunlop is based in Winnipeg, Canada and is a technical consultant and trainer for Broadview Networks. He has authored a number of Microsoft Learning titles and has been an MCT since 1997.

Damir Dizdarevic - Content Developer


Damir Dizdarevic is a manager of the Learning Center at Logosoft d.o.o. (Sarajevo, Bosnia and Herzegovina) and an MCT. He has worked as a subject matter expert and technical reviewer on several MOC courses, and has published more than 350 articles in various IT magazines such as Windows ITPro. He is an MVP for Windows Server Infrastructure Management, and an MCSE, MCTS, and MCITP (Windows Server 2008 and Exchange Server 2007). He specializes in Windows Server and Exchange Server.

Slavko Kukrika - Content Developer


Slavko Kukrika has been a Microsoft Certified Trainer (MCT) for over 12 years. He holds the title of Business Desktop Deployment Specialist, among others. He has delivered many courses on standardized desktop deployment, on such topics as Windows Vista Preinstallation and Microsoft Deployment Toolkit.

Stan Reimer - Content Developer


Stan Reimer is president of S. R. Technical Services Inc, and he works as a consultant, trainer and author. Stan has extensive experience consulting on Active Directory and Exchange Server deployments for some of the largest companies in Canada. Stan is the lead author for two Active Directory books for Microsoft Press, and is currently working on an Exchange Server 2010 Best Practices book, also for Microsoft Press. For the last six years, Stan has been writing courseware for Microsoft Learning, specializing in Active Directory and Exchange Server courses. Stan has been an MCT for 11 years.


Nelson Ruest - Technical Reviewer


Nelson Ruest is a technology futurist, who is focused on virtualization and constant service delivery. Together with his partner, Danielle Ruest, Nelson has written more than a dozen books and hundreds of articles on Microsoft technologies. He recently concluded an extended multicity tour on virtualization in the US.


Contents
Module 1: Overview of Desktop and Application Virtualization
Lesson 1: Overview of Virtualization Lesson 2: Overview of Virtualization Management Lesson 3: Planning an Application and Desktop Virtualization Deployment Lab: Planning Desktop Virtualization Scenarios 1-3 1-24 1-44 1-59

Module 2: Implementing Windows Virtual PC and Windows XP Mode


Lesson 1: Installing Windows Virtual PC Lesson 2: Configuring Windows Virtual PC Lesson 3: Installing, Configuring, and Managing the Windows XP Mode Lesson 4: Creating and Deploying Custom Images of Windows XP Mode Lab: Implementing Windows Virtual PC and Windows XP Mode 2-3 2-21 2-39 2-50 2-61

Module 3: Implementing Microsoft Enterprise Desktop Virtualization


Lesson 1: Overview of MED-V
Lesson 2: Implementing MED-V Management Servers
Lesson 3: Implementing a MED-V Client
Lab: Implementing MED-V

Module 4: Configuring and Deploying MED-V Images


Lesson 1: Configuring MED-V Images
Lesson 2: Deploying MED-V Images
Lab: Configuring and Deploying MED-V Images


Module 5: Managing a MED-V Deployment


Lesson 1: Implementing the MED-V Workspace Policy
Lesson 2: Working with a MED-V Workspace
Lesson 3: Reporting and Troubleshooting MED-V
Lab: Managing a MED-V Deployment

Module 6: Implementing Microsoft Application Virtualization


Lesson 1: Introduction to Application Virtualization
Lesson 2: Planning for Application Virtualization
Lesson 3: Deploying Application Virtualization Servers
Lab: Implementing Application Virtualization

Module 7: Planning and Deploying App-V Clients


Lesson 1: Overview of the App-V Client
Lesson 2: Installing and Configuring the App-V Client
Lab A: Deploying the App-V Client in Stand-Alone Mode
Lesson 3: Managing Client Configuration Features
Lab B: Managing Client Configuration Features

Module 8: Managing and Administering Application Virtualization


Lesson 1: Using the Application Virtualization Management Console
Lesson 2: Publishing Applications into the App-V Environment
Lab A: Publishing Applications in the App-V Environment
Lesson 3: Performing Advanced Administration Tasks for Application Virtualization
Lab B: Implementing License Enforcement

Module 9: Sequencing Applications for Virtualization


Lesson 1: Overview of Application Sequencing
Lesson 2: Planning and Configuring the Sequencer Environment
Lesson 3: Performing Application Sequencing
Lesson 4: Advanced Sequencing Scenarios
Lab: Sequencing Applications for Virtualization


Module 10: Configuring Remote Desktop Services and RemoteApp


Lesson 1: Overview of RDS
Lesson 2: Publishing RemoteApp Programs by Using RDS
Lesson 3: Accessing RemoteApp Programs from Clients
Lab: Configuring RDS and RemoteApp Programs

Module 11: Implementing User State Virtualization


Lesson 1: Overview of User State
Lesson 2: Configuring Roaming Profiles and Folder Redirection
Lab: Implementing User State Virtualization

Module 12: Configuring Virtual Desktop Infrastructure


Lesson 1: Overview of Windows Server 2008 R2 Hyper-V
Lesson 2: Introduction to VDI
Lesson 3: Configuring Personal and Pooled Virtual Desktops
Lab: Configuring Virtual Desktop Infrastructure

Module 13: Summary of Desktop Virtualization Technologies


Lesson 1: Review of Desktop Virtualization Technologies
Lesson 2: Real-World Usage Scenarios

Appendix: Lab Answer Keys


Module 1 Lab: Planning Desktop Virtualization Scenarios
Module 2 Lab: Implementing Windows Virtual PC and Windows XP Mode
Module 3 Lab: Implementing MED-V
Module 4 Lab: Configuring and Deploying MED-V Images
Module 5 Lab: Managing a MED-V Deployment
Module 6 Lab: Implementing Application Virtualization
Module 7 Lab A: Deploying the App-V Client in Stand-Alone Mode
Module 7 Lab B: Managing Client Configuration Features
Module 8 Lab A: Publishing Applications in the App-V Environment


Module 8 Lab B: Implementing License Enforcement
Module 9 Lab: Sequencing Applications for Virtualization
Module 10 Lab: Configuring RDS and RemoteApp Programs
Module 11 Lab: Implementing User State Virtualization
Module 12 Lab: Configuring Virtual Desktop Infrastructure

About This Course

MCT USE ONLY. STUDENT USE PROHIBITED



This section provides you with a brief description of the course, audience, suggested prerequisites, and course objectives.

Course Description
This five-day, instructor-led course provides you with the knowledge and skills to implement and manage desktop virtualization solutions. This course provides an overview of virtualization and the various Microsoft products that you can use to implement and deploy a virtualization solution. The course explains how to configure and manage a MED-V deployment. Then, it describes the procedures for deploying an App-V solution by implementing App-V servers and clients and by sequencing applications. The course then covers the configuration of Remote Desktop Services and RemoteApp programs. Finally, the course describes the concept of user state virtualization and procedures for configuring the Virtual Desktop Infrastructure (VDI).

Audience
This course is intended for Microsoft Windows Server 2008 system and desktop administrators who will manage and implement desktop and application virtualization technologies within their networks. The students for this course typically are responsible for implementing their organization's desktop and application virtualization, or their information technology (IT) management has directed them to research and/or implement desktop and application virtualization in the existing environment. Students should have a minimum of 1.5 years of experience working with Windows Server 2008 as a server or desktop administrator. This course does not require prior experience with virtualization. However, we highly recommend familiarity with virtualization concepts and management tools.


Student Prerequisites
This course requires that you meet the following prerequisites:
Basic skills with:
- Windows Command line
- Monitoring and Management Tools
- Networking
- AD DS, including Group Policy deployments
- Performance Monitoring
- Troubleshooting

Course Objectives
After completing this course, students will be able to:
- Plan desktop virtualization scenarios.
- Implement and configure Windows Virtual PC and the Windows XP mode.
- Implement Microsoft Enterprise Desktop Virtualization.
- Configure and deploy MED-V images.
- Manage a MED-V deployment.
- Implement App-V servers.
- Plan and deploy Application Virtualization clients.
- Administer the App-V infrastructure by using the App-V Management Console.
- Sequence applications for deployment by using the App-V infrastructure or a standalone installation.
- Configure and use Remote Desktop Services and RemoteApp programs.
- Implement user state virtualization.
- Configure and use Virtual Desktop Infrastructure.


Course Outline
This section provides an outline of the course:

Module 1, Overview of Desktop and Application Virtualization
Many organizations are exploring the use of virtualization to optimize their information technology environment and to streamline their IT management practices. Microsoft provides several products and technologies that enable organizations to implement virtualization solutions in many different ways. This module provides an overview of the Microsoft virtualization technologies and provides information on planning and managing virtualized environments.

Module 2, Implementing Windows Virtual PC and Windows XP Mode
Windows 7 has introduced a new version of Microsoft Virtual PC software to support creating virtual machines with various operating systems within the same virtual environment. Windows 7 also brings Windows XP Mode, a pre-created virtual machine with Windows XP Professional SP3 installed, to support older applications and to make migration to Windows 7 more convenient. In this module, you will learn how to configure and use Windows Virtual PC and virtual machines, as well as how to use Windows XP Mode.

Module 3, Implementing Microsoft Enterprise Desktop Virtualization
Microsoft Enterprise Desktop Virtualization (MED-V) is an enterprise solution that enables incompatible or unsupported applications to be available in a virtual environment, and then used by the end users as if they were installed locally on their computers. However, the application's availability from the virtual environment is seamless, or invisible, to the user. It provides a virtual environment for legacy applications, and it enables central administration of applications. MED-V is built on Windows Virtual PC 2007 Service Pack 1 (SP1), and it is available for Windows clients such as the Windows XP, Windows Vista, and Windows 7 operating systems.

Module 4, Configuring and Deploying MED-V Images
MED-V uses virtualization to provide an isolated environment, in which you can run legacy applications and publish applications to the host. A virtual image contains the virtual machine, and MED-V enables central management of the images. There are certain prerequisites that you must meet when you create a MED-V image. This module describes the purpose and functionality of MED-V images, and the procedures for configuring and testing the images. The module also explains how to pack and upload MED-V images to the image repository on a MED-V server.


Module 5, Managing a MED-V Deployment
Managing the MED-V environment typically is one of the most time-consuming activities for MED-V administrators. After you deploy the MED-V infrastructure, you must define MED-V Workspaces by configuring MED-V policies. You then need to enable the workspaces for the users and set options to configure the workspaces that will be available to the users. MED-V users work in two separate environments, the host operating system and the MED-V Workspace. If you seamlessly integrate published applications with the host, users typically cannot differentiate them from the locally installed applications. Besides a configurable virtual environment and a seamless integration with the host, MED-V also provides reporting and diagnostics capability. The reporting feature requires Microsoft SQL Server, and it logs MED-V events and provides three basic report types. The MED-V client provides a diagnostics mode, policy updates, and diagnostic log gathering that you can use to troubleshoot MED-V issues.

Module 6, Implementing Microsoft Application Virtualization
The Microsoft Application Virtualization 4.5 Service Pack 1 (App-V 4.5 SP1) and the App-V 4.6 client and sequencer software provide the latest updates to application virtualization technology. This release includes new capabilities that make it easy for enterprise Information Technology (IT) organizations to support large-scale, global application virtualization implementations. This module provides an overview of application virtualization and App-V components. The module also covers the App-V infrastructure, the deployment scenarios, and the procedures for installing and configuring App-V servers and App-V clients.

Module 7, Planning and Deploying App-V Clients
The App-V Client software is the one component that you always require to implement Microsoft App-V solutions. Therefore, deploying the App-V client requires careful consideration of various factors. You should consider the best client to deploy, the method of deployment, and the configurations required for the deployment. You should also be aware of the prerequisites for installing the client. This module provides an overview of the desktop and remote desktop clients, including the several installation methods. The module also describes the recommendations for deploying and managing the App-V client.


Module 8, Managing and Administering Application Virtualization
After you deploy the Microsoft Application Virtualization (App-V) infrastructure, you should be able to manage and administer the App-V solution by using the Application Virtualization Management Console to perform daily management tasks. This console enables you to control the entire App-V environment from a single workstation. You deploy the Application Virtualization Management Console on the administrative workstation, and then use it to perform administrative tasks, such as publishing virtualized applications, modifying published applications, and configuring version upgrades. This module provides an overview of the Application Virtualization Management Console and the permissions that users must have to administer the App-V Management Server. The module also covers the steps you must take to perform these administrative tasks, and how to enforce license compliance and manage server groups and server objects.

Module 9, Sequencing Applications for Virtualization
To use applications in an App-V solution, you must first package them into a form that can run in a virtualized environment. You can use the Microsoft Application Virtualization (App-V) Sequencer to create these application packages. You can sequence applications that you plan to deploy by using the App-V infrastructure or standalone installation. By using App-V sequencing, you create a set of files that contain all the information about the application that is required for the application to run in a virtual environment. The App-V Sequencer provides several packaging options that you can choose based on your specific requirements. This module describes how to install and configure the App-V Sequencer to create application packages. The module also describes how to upgrade existing packages and create standalone packages.


Module 10, Configuring Remote Desktop Services and RemoteApp
Remote Desktop Services (RDS) provide a form of virtualization known as presentation virtualization. Although you connect to a remote desktop or to individual remote applications, your experience is similar to running local applications on your computer. With features such as device redirection, single sign-on, and RD Easy Print, it is not easy to distinguish between remote and local applications. This module provides an overview of Remote Desktop Services and their role services, and the procedures for connecting to an RD Session host. The module also describes RemoteApp programs and the methods for accessing them. The module also explains how to use RD Gateway to access the RDS infrastructure securely from an external network.

Module 11, Implementing User State Virtualization
User state virtualization is a concept that allows administrators to provide more flexible client environments, and to provide users with the ability to have documents and settings follow them from computer to computer. This concept also makes it easier to back up and centralize user data, as well as to prevent data loss. This module discusses technologies that provide user state virtualization and various ways to provide virtualization. This module also discusses how to configure roaming profiles and users' folder redirection as part of user state.

Module 12, Configuring Virtual Desktop Infrastructure
Using virtualization technologies for desktop virtualization can be very convenient. Microsoft provides virtual desktop infrastructure (VDI) as a technology that relies on Hyper-V and Remote Desktop Services (RDS) to enable administrators to configure virtual desktops as working environments instead of real physical desktop computers. In order to use VDI, you should be familiar with Hyper-V and RDS, as well as with the features and configuration procedures for VDI.

Module 13, Summary of Desktop Virtualization Technologies
This module summarizes the various desktop virtualization technologies that are covered in this course. The module compares the features of these technologies, and it also provides examples of real-world scenarios in which you would implement these virtualization technologies.


Course Materials
The following materials are included with your kit:

Course Handbook. A succinct classroom learning guide that provides all the critical technical information in a crisp, tightly-focused format, which is just right for an effective in-class learning experience.
- Lessons: Guide you through the learning objectives and provide the key points that are critical to the success of the in-class learning experience.
- Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned in the module.
- Module Reviews and Takeaways: Provide improved on-the-job reference material to boost knowledge and skills retention.
- Lab Answer Keys: Provide step-by-step lab solution guidance at your fingertips when it's needed.

Course Companion CD. Searchable, easy-to-navigate digital content with integrated premium on-line resources designed to supplement the Course Handbook.
- Lessons: Include detailed information for each topic, expanding on the content in the Course Handbook.
- Labs: Include complete lab exercise information and answer keys in digital form to use during lab time.
- Resources: Include well-categorized additional resources that give you immediate access to the most up-to-date premium content on TechNet, MSDN, and Microsoft Press.

Note: To access the full course content, insert the Course Companion CD into the CD-ROM drive, and then in the root directory of the CD, double-click StartCD.exe.

Course evaluation. At the end of the course, you will have the opportunity to complete an online evaluation to provide feedback on the course, training facility, and instructor.

To provide additional comments or feedback on the course, send e-mail to support@mscourseware.com. To inquire about the Microsoft Certification Program, send e-mail to mcphelp@microsoft.com.


Virtual Machine Environment


This section provides the information for setting up the classroom environment to support the business scenario of the course.

Virtual Machine Configuration


In this course, you will use Hyper-V deployed on Windows Server 2008 to perform the labs. The following table shows the role of each virtual machine used in this course:

Virtual machine      Role
10324A-NYC-DC1       Windows Server 2008 R2 domain controller in the Contoso.com domain
10324A-NYC-CL1       Windows 7 client in the Contoso.com domain
10324A-NYC-CL2       Windows 7 client in the Contoso.com domain
10324A-NYC-CL3       Windows 7 client in the Contoso.com domain
10324A-NYC-SVR1      Windows Server 2008 R2 member server in the Contoso.com domain
10324A-NYC-SVR2      Windows Server 2008 R2 member server in the Contoso.com domain
10324A-NYC-SVR3      Windows Server 2008 R2 member server in the Contoso.com domain


Software Configuration
The following software is installed on each VM:
- Windows Server 2008 R2 Enterprise
- Windows 7

Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way. All of the virtual machines are deployed on each student computer.

Course Hardware Level


To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft Learning Product courseware is taught. The classroom computers require the following hardware and software configuration.

Hardware Level 6
- Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
- Dual 120 gigabyte (GB) hard disks, 7200 RPM SATA or better*
- 6 GB RAM, expandable to 8 GB or higher
- DVD drive
- Network adapter
- Super VGA (SVGA) 17-inch monitor
- Microsoft Mouse or compatible pointing device
- Sound card with amplified speakers

*Striped

Additionally, the instructor computer must be connected to a projection display device that supports SVGA 1024 x 768 pixels, 16-bit colors.


Module 1
Overview of Desktop and Application Virtualization
Contents:
Lesson 1: Overview of Virtualization
Lesson 2: Overview of Virtualization Management
Lesson 3: Planning an Application and Desktop Virtualization Deployment
Lab: Planning Desktop Virtualization Scenarios


Module Overview

Many organizations are exploring the use of virtualization to optimize their information technology (IT) environment and to streamline their IT management practices. Microsoft provides several products and technologies that enable organizations to implement virtualization solutions in many different ways. This module provides an overview of the available Microsoft virtualization technologies, and provides information on planning and managing virtualized environments.


Lesson 1

Overview of Virtualization

During the last few years, virtualization has become a key component in enabling organizations to deal with the cost and complexity of managing an IT environment. Virtualization can significantly decrease the cost of providing IT services by enabling organizations to decrease the number of physical servers they need to provide network services and applications. You also can use virtualization to provide new options for deploying or managing applications for users. This lesson provides an overview of the various options available for enabling virtualization within the IT infrastructure.


Challenges of Traditional Network Environments

Key Points
Most organizations consider using virtualization because of the challenges that they are facing and the associated benefits that it provides. The following sections describe some of the challenges that organizations are facing.

Data Centers Are Reaching Capacity


In many organizations, data centers quickly reach capacity for power and space. These organizations frequently deploy new servers for every new project or requirement. However, most organizations find it cost-prohibitive to build new data centers. Data centers also require large amounts of power for cooling and running servers. As the cost of electricity increases, this can add significant cost to running the IT infrastructure and waste resources.


Server Utilization Is Very Low


Most servers run at very low utilization, a problem that often exacerbates the capacity problems of data centers. It is common for servers to run at less than 10 percent of capacity. This issue typically develops over time as organizations purchase more-powerful servers to replace end-of-life, underutilized servers. For example, it is common for organizations to replace old servers that are running at less than 5 percent utilization with new servers that are several times more powerful, but without a corresponding increase in server load.

Managing Physical Servers Requires Significantly More Effort


As organizations have deployed more and more physical servers, the amount of effort required to manage these servers has increased. With each server, you must manage hardware failures and replace hardware as the warranty expires or as the hardware ages. In many cases, moving servers to new physical hardware requires significant effort.

Supporting Legacy Systems Can Be Difficult


Legacy hardware and systems become increasingly costly to maintain. Many organizations have business applications that were developed many years ago, and which the organizations have not upgraded to run on new operating systems or hardware. Maintaining the old systems is expensive, and the potential of system failure is high. However, updating the systems typically is very expensive.

Application Compatibility Can Be Complicated


Most large organizations run many different applications, frequently including different versions of the same applications. The applications can be expensive to deploy and maintain, and they may be incompatible, either with the operating systems that the organization deploys or with other required applications.


User Environments Are More Flexible


In a traditional IT environment, most users work at desktop computers located in the organization's offices. These desktop computers run a single operating system and all of the applications that users require. However, organizations are replacing this traditional environment with a much more complex workplace. In many organizations, users work from outside the office, either as part of a mobile workforce or from home. Users now use a wide variety of clients, including portable computers, which frequently are disconnected from the network, Internet kiosks, home computers, and mobile devices.

Question: Why are your organizations exploring the use of virtualization?


Virtualization Modes

Key Points
Virtualization separates the components of the applications and operating system that users work with from the actual physical components that provide the application or operating system services. For example, virtual machines provide all of the functionality of physical servers. However, the operating system is not tied to any particular piece of hardware, and can be made available where it is most convenient. Applications traditionally run on an operating system that is running on a particular piece of hardware. With application and presentation virtualization, those applications might run on a centralized server or in a virtual environment that is completely portable to other operating systems or hardware devices.


Virtualization Solutions
Microsoft provides virtualization solutions that address the virtualization requirements for most organizations:

- Server virtualization. Windows Server 2008 Hyper-V and Microsoft Virtual Server 2005 release 2 (R2) enable server virtualization, so that you can run multiple virtual machines on a single physical server. This allows you to utilize server hardware resources more fully while allowing you to maintain operational isolation and security.

- Application virtualization. Application virtualization enables you to run applications in a virtualized environment on a user's desktop. Application virtualization separates the application configuration layer from the desktop operating system, which reduces the potential for application conflicts. With application virtualization, you isolate the application from the underlying operating system because you encapsulate it in a virtual environment. With application virtualization, you also can configure centralized servers to distribute the applications and simplify the distribution of updated virtual applications. Microsoft Application Virtualization (App-V) is an example of an application virtualization platform.

- Desktop virtualization. You can provide desktop virtualization by running Microsoft Virtual PC on the Windows Vista operating system, or Windows Virtual PC and Windows XP Mode on the Windows 7 operating system. Desktop virtualization enables you to run multiple operating systems on a single workstation, and to run an incompatible legacy or line-of-business (LOB) application in a virtual machine that you host on a more-current desktop operating system. Microsoft provides a way to manage a complex desktop virtualization environment through Microsoft Enterprise Desktop Virtualization (MED-V). With MED-V, you can create and manage a centralized collection of Virtual PC images, and then deliver those images to client computers as necessary.

- Presentation virtualization. Remote Desktop Services (RDS) in the Windows Server 2008 R2 operating system provides presentation virtualization. RDS is an upgrade of Terminal Services, which was in previous Windows versions. Presentation virtualization enables you to run applications and maintain application storage on centralized servers, while providing users with a familiar application interface on their workstations.


Microsoft also provides Virtual Desktop Infrastructure (VDI), which integrates the functionality of presentation and desktop virtualization. With VDI, you configure desktop operating systems as virtual machines that are hosted on a Hyper-V infrastructure. These virtual machines are made available to users through an RDS infrastructure, so that users can connect to the virtual machines through a Remote Desktop Protocol (RDP) connection.

- User state virtualization. User state virtualization enables users to take advantage of separating their files and profile information from a specific computer, which makes it easy for users to begin working when you issue them a new computer. User state virtualization also makes it easy for users to move between computers, or to experience the same desktop environment when using one of the other virtualization technologies.

- Virtualization management. One of the critical components in deploying virtualization is your ability to manage the solution, including both the physical and virtual components. The Microsoft System Center suite of tools provides virtualization management. Tools such as Microsoft System Center Configuration Manager, System Center Operations Manager, and System Center Virtual Machine Manager (VMM) provide a familiar set of tools for managing both the virtual environment and the physical layer that hosts the virtual environment.

- Cloud computing. Cloud computing enables organizations to purchase IT services from external organizations. These IT services can include e-mail service hosting, Web site hosting, or online applications. With cloud computing, organizations can purchase only the services that they require without significantly increasing the cost and complexity of managing their IT infrastructure.


What Is Server Virtualization?

Key Points
Server virtualization enables you to configure one or more virtual machines that emulate a physical computer. Multiple virtual machines can run on one physical server, with all of the virtual machines sharing the resources available on the physical server. Microsoft provides three products for server virtualization:
- Microsoft Virtual Server 2005 R2
- Windows Server 2008 Hyper-V
- Windows Server 2008 R2 Hyper-V

Note: Windows Server 2008 R2 Hyper-V uses the same underlying technology to enable server virtualization as Windows Server 2008, but it also provides improved performance and significant new features, including Live Migration and Cluster Shared Volumes.


Benefits of Server Virtualization


Server virtualization provides many benefits, which include:

- Server consolidation. Many servers that organizations deploy are underutilized. By deploying multiple virtual machines on fewer physical servers, you can increase the server resource utilization significantly while decreasing the number of physical servers. You can deploy many virtual machines on one physical server. In most organizations, this will result in a significant decrease in power and space consumption in the data centers.

- Service or application isolation. Server virtualization enables you to run each service or application on an isolated operating system. This means that you can prevent one application from impacting another application when upgrades or changes are made. This is preferable to running multiple applications or services on a single operating system.

- Simplified server deployment. By creating standard virtual machine builds, you can deploy new server builds more easily. Because you are deploying virtual machines rather than physical servers, you also do not need to acquire new hardware, and locate data center space and power, for each new server.

Note: You may need to invest in new server and storage hardware when you first implement server virtualization, but an important result of server virtualization is the decrease in the number of physical servers that your organization has.

• Increased service and application availability. Because the service or application no longer connects directly to a specific piece of hardware, it is much easier to ensure high availability and recoverability. With Live Migration in Windows Server 2008 R2, you can move a virtual machine to another physical server with users experiencing little or no service outage.
• Multiple operating systems can run on one consistent platform. With server virtualization, you can deploy multiple operating system technologies on a single hardware platform. For example, you can deploy Windows Server 2003, Windows Server 2008, and Linux on one Windows Server 2008 R2 Hyper-V host. Server virtualization also makes it much easier to replace hardware when it becomes obsolete or fails.

What Is Desktop Virtualization?

Key Points
Desktop virtualization provides new options for deploying client desktops by enabling several ways to virtualize the desktop. Traditionally, users work on a specific piece of hardware that is running a single operating system and all applications.

Client-Hosted Desktop Virtualization


Client-hosted desktop virtualization uses Microsoft Virtual PC on Windows Vista and Windows Virtual PC on Windows 7 to enable users to run multiple virtual machines on their Windows desktop. Client-hosted desktop virtualization creates a separate environment on the desktop, allowing incompatible legacy or LOB applications to operate within their native environment on a more-current desktop operating system.

In Windows 7, Microsoft provides a preconfigured Windows XP virtual machine that can be run as a Windows Virtual PC virtual machine. Windows XP mode enables you to run applications seamlessly from a Windows 7 computer or from the Windows XP virtual machine.

Virtual Desktop Infrastructure


VDI extends the concept of desktop virtualization by running client operating systems as virtual machines on a data center's servers. This means that the virtual client computers are not running on the user desktop, but on a centralized Hyper-V environment in the data center. Users can interact with the virtual machines by using regular computers or thin clients, and then establishing remote desktop connections to the virtual machines. In Windows Server 2008, VDI has been integrated with RDP to provide a consistent client experience.

VDI enables you to centralize a user's desktop for easier management. The users have an individualized desktop experience with full administrative control over desktop and applications. Therefore, VDI can be a very effective solution for users who need to access their work environment from anywhere, including from a PC that their company does not own. By centralizing the management of the client virtual machines, you do not need to be as concerned about the location or the device from which the user is connecting.

Microsoft Enterprise Desktop Virtualization


The Microsoft Desktop Optimization Pack (MDOP) includes MED-V, which enhances the management of the virtual machines that deploy to user desktops. MED-V adds four additional features and advantages on top of Virtual PC to enable enterprise deployment of desktop virtualization:
• A virtual image repository and delivery of images, which simplifies the process of creating, testing, delivering, and updating virtual images.
• Centralized management and monitoring, which manages the life cycle of a virtual machine.
• Usage policy and data transfer control, which is an endpoint agent that enforces usage policies for the virtual machine.
• A seamless end-user experience.

What Is Application Virtualization?

Key Points
You can use application virtualization to create virtual applications that you then can distribute to user desktops. Each virtual application includes its own registry entries, specific dynamic-link libraries (DLLs), and other resources. When you deploy a virtual application, it uses its own copy of these shared resources. Because the virtual application runs in an isolated environment, incompatible applications can share the same workstation. Microsoft App-V is an application virtualization solution.

Benefits of Application Virtualization


Application virtualization provides the following benefits:
• Application virtualization enables organizations to run potentially incompatible applications on the same client computer. Applications commonly share various application or operating system components with other applications on the client computer. For example, one application might require a specific version of a DLL, while another application on that system might require a different version of the same DLL. Installing both applications may result in one of the applications overwriting the DLL that the other requires. With application virtualization, each application can have its own version of all required files and settings on the client computer.
• Application virtualization makes preparation significantly easier. Since you encapsulate applications in an isolated virtual environment, there is less of a requirement to test new applications for conflicts with existing applications before you roll them out.
• From the user's perspective, a virtual application looks just like any other application. The user may start it from the Start menu, from a desktop icon, or by file extension association. The application appears in Task Manager, and it can use printers, network connections, and other resources that attach to the machine.
• Virtual applications are easy to deploy and manage. You can stream a virtual application from a server, on demand, so the user can download it automatically the first time he needs to use it. If you must update an application, administrators can update the server's version of the application, and the updated files then download the next time the client computer needs to run the application.

What Is Presentation Virtualization?

Key Points
Presentation virtualization runs applications on a central server, with only the application interface, mouse movements, and keystrokes sent across the network between the central server and the client computer. Presentation virtualization creates virtual sessions in which the executing applications project their user interfaces remotely. Each session might run only a single application, or it might present users with a complete desktop that offers multiple applications. Presentation virtualization was available for several Windows Server versions as Terminal Services. In Windows Server 2008 R2, the name for the presentation virtualization feature is Remote Desktop Services, or RDS.

Benefits of Presentation Virtualization


Running applications on a shared server offers several benefits, including:
• You can centralize your data. This means that you can store it safely on a central server rather than on multiple desktop machines, which improves security because information is not spread across many different systems.

• You can reduce the cost of managing applications significantly. For example, rather than updating each application on each individual desktop, you can change only the single shared copy on the server. Presentation virtualization also allows using simpler desktop operating system images or specialized desktop devices, commonly called thin clients, both of which can lower management costs.
• You can combine application virtualization with presentation virtualization to reduce the issues with incompatibilities between applications. You can install App-V applications on RDS host servers, and then run multiple instances of potentially incompatible applications on the centralized server.
• In some cases, presentation virtualization can improve performance. For example, if a client or server application needs to access large amounts of data from a central database, it may be quicker to run the application on an RDS host that is located close to the data, rather than pull the data across a slow network connection to the client.

What Is Microsoft Desktop Optimization Pack?

Key Points
MDOP provides a package of desktop management and virtualization solutions that is available for Microsoft Software Assurance customers. Many of the application and desktop virtualization products are available as part of MDOP. MDOP includes the following components:
• Microsoft App-V. This application virtualization and streaming solution transforms applications into centrally managed services that are available when and where you need them.
• Microsoft MED-V. This provides deployment and management of virtual PC images. You can deploy these virtual PC images to user desktops to address application compatibility issues.
• Microsoft Asset Inventory Service. This hosted service runs a complete scan of the software installed on every computer in your environment, and then provides you with intelligent reports and analysis to understand and better manage your software assets.

• Microsoft Diagnostic and Recovery Toolset (DaRT). This provides powerful tools to accelerate desktop repair for unbootable desktop computers.
• Microsoft Advanced Group Policy Management. This enables Group Policy object (GPO) versioning, change management, and delegation.
• Microsoft Desktop Error Monitoring. This makes desktops more stable by causing the client to send error messages, as they occur, to a central database.

Note: You can download all of the tools, with the exception of App-V, only as part of the MDOP. App-V is available as a separate download.

What Is Cloud Computing?

Key Points
Cloud computing is a new virtualization option that enables organizations to purchase IT services from Internet-based service providers or to provide IT services through the Internet. These services can include servers, storage, or networking resources. The services may be running on virtual environments based on Hyper-V or one of the other virtualization options. The actual server and storage deployment is largely transparent to the users who consume the services. They typically are concerned only with being able to access their required applications easily.

A cloud computing environment normally includes:
• A data center that contains virtualization hosts and storage. In the Microsoft solution, these hosts are running Hyper-V.
• Virtual servers, storage and network resources located in the data center.
• A highly available and high bandwidth network connection to the Internet.

• Automated processes and tools for deploying and configuring virtual machines. These processes may be managed entirely by the online service provider, or may be exposed to the customer to manage their own virtual environment.
• Tools for managing the interaction of local and cloud computing. Many organizations still host most IT services locally even as they begin to move some services to the cloud. You can use this integration tool to ensure that users can gain seamless access to both local and cloud resources. For example, most organizations will still run Active Directory Domain Services (AD DS) locally. Ideally, users should be able to authenticate once to their local domain, and gain access to all required services regardless of whether they are located internally or in the cloud.

Benefits of Cloud Computing


Cloud computing provides several benefits for organizations:
• Flexible deployment options. The organization may host the data center that provides cloud services or an external hosting provider, such as Microsoft or a third party, may host it.
• Scalability. In a cloud-computing scenario, all service components are virtual, which makes it very easy to scale up or down, as necessary. For example, if an organization requires more resources, it can deploy additional virtual machines in the data center. If the organization requires fewer resources, it can save money by removing virtual machines or by reusing the physical resources for another purpose.
• Potential for decreased cost. By purchasing online services from a hosting provider, organizations often can implement services for a cost that is significantly less than hosting the services locally.
• More reliable and effective services. Some services require constant monitoring and specialized skills. By purchasing these services from an online service provider, organizations can take advantage of the infrastructure and skills that are available at the hosting provider, but which may be prohibitively expensive for a small organization.

Question: Has your organization moved any services to an environment that is hosted online? If so, which services?

Discussion: Implementing Virtualization Solutions

Key Points
Contoso, Ltd is a large enterprise with multiple locations, and data centers in London, New York City, and Sydney, Australia. Contoso, Ltd also has several smaller branch offices and many users who work outside of the office. Contoso, Ltd has collected the following information about the current computing environment:
• Server utilization for most of the data center servers is less than 10%.
• Contoso, Ltd has deployed multiple servers in many of the branch offices. These servers are difficult to deploy and manage because the wide area network (WAN) links to some of the branch offices have very little available bandwidth.
• Many of the users working outside of the office require a standard set of business applications. Some of the users who run these applications are mobile users who are using company-issued laptops, while other users work from home on their personal computers.

• Contoso, Ltd has developed a large number of business applications, using different development platforms, and many of the applications do not use current technologies or may not run on the latest operating systems.

Question: How will virtualization help Contoso, Ltd address the issues in its current computing environment?

Lesson 2

Overview of Virtualization Management

Implementing virtualization can add complexity to your IT infrastructure management. Virtualization requires that you manage both the physical and virtual environments. The design of many of the Microsoft System Center tools helps you manage the virtualized data center. This lesson introduces some of the issues that relate to managing a virtualized environment, and introduces the System Center products that you can use to manage and maintain the virtual environments.

Managing a Virtual Environment

Key Points
Virtualization technologies provide a range of benefits. Yet as an organization's computing environment becomes more virtualized, it also may become more complex. A virtualized environment that you do not manage well can be less reliable, and more expensive, than its unvirtualized counterpart. For example, if an organization implements a Hyper-V environment without considering high availability, a single server failure may affect many virtual servers. If an organization implements VDI or MED-V, an outage in the server infrastructure may prevent users from accessing the virtual desktops that they need to do their work.

There are several issues that you should consider regarding the deployment and management of virtualized environments:
• One of the primary benefits of a virtualized environment is the option to deploy almost any virtual component rapidly. If you require an additional server, it is easy to deploy a new virtual machine in Hyper-V. If you must update an application or deploy a new one, App-V or Windows Server 2008 R2 RemoteApp makes it easy. However, to take advantage of the rapid deployment features, you must have the required infrastructure in place. This may require additional planning, tools for deploying components quickly, and monitoring to verify that the additional resources are available on the current infrastructure.
• You realize the many benefits of virtualization when you centralize the virtual components on a small number of physical servers. This means that it is critical to ensure that the physical servers are highly available, or that you configure the service or application deployment to be highly available. This requires advanced monitoring and management tools.
• You often perform the management of physical and virtual machines by using separate management solutions. This may mean that administrators must learn how to use multiple tools, which may not provide consistent information. Using a single set of administrative tools to manage both environments simplifies the management processes.
• Managing multiple desktops, applications, and servers is complex. With virtualization, the complexity level may increase because each physical computer now has additional components that you must manage. For example, a desktop computer running Windows 7 also may be running a Windows XP mode virtual machine. To ensure your network's security, you must install and manage updates and antivirus products on both the Windows 7 computer and Windows XP mode virtual machine. A management system that can handle all assets, regardless of whether they are virtual or physical, saves time and reduces the number of required resources.

Effective physical and virtual machine management can optimize the benefits of using virtualization technologies. This includes monitoring and managing hardware and software in a distributed environment. Monitoring both the software running on physical machines, and the physical machines themselves, enables administrators to know what is happening in their environment. It also lets them respond appropriately by running tasks and taking other actions to fix problems that occur.

Overview of Microsoft System Center

Key Points
Microsoft developed the Microsoft System Center products and solutions, which assist enterprises with the planning, delivery, and operation lifecycle of their entire infrastructure. These solutions capture and aggregate knowledge about an infrastructure, policies, processes, and best practices. They can help optimize the IT structure, reduce costs, improve application availability, and enhance service delivery. You can use many of the System Center products to manage your virtualized IT environment and your physical components, as well.

You can use System Center to manage the virtual environment in the following ways:
• A fundamental challenge in systems management is monitoring and managing the hardware and software in a distributed environment. Operations Manager 2007 R2 enables operations staff to monitor both the software running on physical machines and the virtual machines themselves, given the strong similarities between physical and virtual environments. Additionally, you also can use Operations Manager 2007 to monitor and manage virtual machines and other aspects of a virtualized world.
• Another concern for people who manage a computing environment is installing software and managing its configuration. While it is possible to perform these tasks manually, automated solutions provide a better approach in all but the smallest environments. To allow this, Microsoft provides System Center Configuration Manager 2007. Similar to Operations Manager, Configuration Manager handles virtual environments in much the same way as physical environments.
• As organizations move towards virtualization for their current servers, the process of converting the physical machines to virtual machines, and then managing the virtual machines, can be complex. To address this situation, Microsoft provides VMM 2008 R2, which you can use to manage virtual machines on hosts running Microsoft Virtual Server 2005, Hyper-V, or VMware. Among other things, this tool helps you choose the virtualization workloads, creates the virtual machines that will run those workloads, and converts physical computers to virtual machines. You also can integrate VMM 2008 R2 with Operations Manager 2007 R2 to provide enhanced reporting and management capabilities.
• To ensure that you can recover a virtualized environment, you must ensure that you deploy a disaster-recovery system that can back up and restore both the physical servers and virtual machines. You can use System Center Data Protection Manager 2007 Service Pack 1 (SP1) and Data Protection Manager 2010 to back up and restore servers running the virtual and virtualized components.

Using Virtual Machine Manager to Manage Virtual Environments

Key Points
VMM is the primary tool that you use to manage virtual machines that are running on Hyper-V. VMM provides a management tool that lets you manage multiple physical host computers and the virtual machines that are running on the host computers. VMM provides the following features:
• Enables management of virtual environments that are running on different host platforms. You can use VMM 2008 to manage host computers and virtual machines that are running Windows Server 2008 or Windows Server 2008 R2 Hyper-V, Virtual Server 2005 R2, and VMware ESX Server. With VMM, you can use a single interface to manage the host server configuration, and deploy and manage virtual machines on the host servers.

• Physical and virtual machine conversion. You can use VMM to convert a physical computer to a virtual machine while the physical machine is online. You also can use VMM to convert Virtual Server 2005 and VMware-based virtual machines to Hyper-V.
• Intelligent virtual machine placement. When you create a new virtual machine or use VMM to move a virtual machine from one host to another, VMM 2008 analyzes the available physical hosts and provides a recommendation as to the best location for the virtual machine. You can integrate this process with Operations Manager 2007, which enables the intelligent placement process to factor in past performance characteristics to ensure the best possible match between the virtual machine and its host hardware.
• Self-Service Portal. VMM provides the Service Manager Self-Service Portal that enables users to create and manage their own virtual machines. The VMM administrators retain complete control of the environment, because they can set permissions that restrict which users can create virtual machines, what templates users can use to create virtual machines, and where users can create the virtual machines.
• VMM Library. VMM 2008 provides a centralized library to store various virtual machine components, such as offline machines, templates, virtual hard disks, and other virtualization components. Administrators can use the components in the library to deploy virtual machines rapidly using standardized templates.
• Windows PowerShell integration. VMM 2008 is built on the command line and scripting environment that Windows PowerShell provides. VMM provides Windows PowerShell cmdlets that allow administrators to automate VMM management tasks.
• Operations Manager 2007 integration. VMM 2008 includes the Performance and Resource Optimization (PRO) feature, which enables dynamic management of virtual resources through management packs for Operations Manager 2007. The PRO feature enables administrators to set rules for moving or configuring virtual machines based on the host server performance.

Note: For detailed information on deploying and managing System Center Virtual Machine Manager 2008 R2, see Course 10215A, Implementing and Managing Microsoft Server Virtualization.

Protecting Virtualized Environments with Data Protection Manager

Key Points
Data Protection Manager (DPM) is a solution for disk-based and tape backups that enables you to back up physical servers and virtual machines. After an initial full backup, the express backups that DPM performs are significantly faster than typical full backups, because DPM backs up only disk block changes. You can use DPM to back up both the host server and the guest virtual machines.

Host Backups
Host backups require that you install a DPM protection agent only on the host server, not in each virtual machine. This can result in significant cost savings when compared to guest backup, which requires that you install the DPM protection agent in each virtual machine.

You can perform a host backup of a single virtual machine. When you perform a host backup, this backs up the entire virtual machine as a single unit. However, the backup is not application aware. Therefore, you can recover only the entire virtual machine, not just specific data.

Virtual Machine or Guest Backups


A guest backup uses the same process as backing up a physical server. You install a DPM protection agent on each virtual machine, and then DPM communicates with that agent to perform the backup. Because the DPM protection agent is running in the virtual machine, it is aware of the applications running in the server. This allows granular recovery of data within the virtual machine. For example, a backup performed on a virtualized Exchange server could recover a single message database.

You can use guest backups to back up both virtual machines that support Volume Shadow Copy Service (VSS) backups and virtual machines that do not. You cannot use a VSS backup to back up the virtual machine if the guest operating system does not support VSS or if an application in the guest does not support VSS.

When backing up a guest virtual machine that does not support VSS, DPM has to hibernate the guest, and then perform a host-based backup of the virtual machine. DPM takes a snapshot of the virtual machine, and then the virtual machine is restored. The outage experienced with this method is very short, but noticeable. After the guest resumes, the backup occurs from the snapshot, and DPM backs up only disk blocks that have changes. This results in a backup process that is much faster than a typical full backup of virtual machine files.

If the operating system and applications in the guest support VSS backups, the DPM protection agent uses VSS writers to make data within the guest consistent. Applications running on the guest must have an appropriate VSS writer. The hypervisor then provides the DPM protection agent with access to the consistent version of the data for backup. There is no interruption in service at any point during the backup process. The backup is completely transparent to users.

Monitoring Virtual Environments by Using Operations Manager 2007

Key Points
You can use Operations Manager 2007 R2 to monitor servers and their applications from a central location. To do this, you install an agent on remote systems. The agent gathers events and performance information about the remote systems, and then forwards it to Operations Manager 2007. The data that the agent gathers is based on rules that Operations Manager 2007 stores and distributes to the agent monitoring each server. Operations Manager 2007 also generates alerts based on the rules. You create the rules in Operations Manager 2007 by importing management packs. The rules in management packs are appropriate for most environments, and are based on best practices. However, you can modify the rules to meet the needs of your specific environment. You also can create your own rules. Centralized monitoring and alerting is important for any environment, but it is particularly important for virtualized environments where you can add many additional resources quickly and easily.

Monitoring Host Computers


You can use Operations Manager 2007 to monitor host server performance by using the same management packs that you would use to monitor other Windows servers. Additionally, Operations Manager 2007 provides a number of management packs to integrate with virtualization technologies, including:
• Server Virtualization Management Pack for System Center Operations Manager 2007 helps to monitor the health and performance of VMM components, including library servers, self-service Web servers, and the entire virtualized environment.
• Application Virtualization 4.5 Management Pack monitors the health and performance of Microsoft Application Virtualization Management Servers and Microsoft Application Virtualization Client requests.
• Windows Server Hyper-V Management Pack monitors the health and performance on Hyper-V host computers.
• Remote Desktop Services Management Pack monitors each of the Remote Desktop server roles.

Virtualization Reports
Operations Manager 2007 also provides several reports that you can use to plan and monitor the virtualized environment, including:
• The Virtualization Candidates report helps to identify physical computers that are good candidates for virtualization. This report displays performance and hardware information for physical computers, which you can sort and filter to select the appropriate candidates.
• The Virtual Machine Allocation report enables you to calculate chargeback to cost centers, such as departments. To use this report, you must assign a cost center to the appropriate virtual machines.
• The Virtual Machine Utilization report contains information about the utilization of virtual processors, memory, and disk space in virtual machines. You can use this report to identify virtual machines that need additional resources or that have been allocated too many resources.

• The Host Utilization report contains information about the utilization of processors, memory, and disk space on hosts. You can use this report to identify hosts that need virtual machines removed or that have sufficient resources free for hosting additional virtual machines.
• The Host Utilization Growth report shows the percentage of change in resource usage and number of virtual machines. You can use this for trend analysis, to predict when you will require additional hosts.

Monitoring Virtual Machines


You can also monitor the virtualization guests just as you would a physical server. This involves installing the Operations Manager agent on each guest. After you install the agent, you can monitor both the guest operating system and the applications installed in the guest. To monitor specific applications in a guest, import a management pack for that application into Operations Manager 2007.

Maintaining a Virtual Environment by Using Configuration Manager 2007

Key Points
You can use Configuration Manager 2007 R2 to manage and maintain both physical and virtual environments, and it treats a virtual machine just like any standard physical machine. Depending upon deployment settings, you can manage a virtual environment by:
• Automatically deploying the Configuration Manager client through standard discovery and deployment methods. You can discover both physical and virtual machines, and automatically deploy the Configuration Manager client to both.
• Maintaining inventory of all virtual clients that are deployed throughout the environment.
• Deploying applications through standard software deployment mechanisms. You can deploy applications to both virtual and physical machines.
• Managing software updates for both physical and virtual machines through standard update processes.

• Deploying virtualized applications to desktop clients. You can integrate Configuration Manager with App-V 4.5 or newer to distribute the virtual applications prepared in App-V to desktop computers.
• Integrating with Virtual Machine Manager 2008 and the Offline Virtual Machine Servicing Tool to maintain updates on virtual machines stored within a VMM library. One of the biggest challenges in a virtual environment is managing virtual machines that are not always running on the network, or maintaining virtual machines that are stored within virtual machine libraries. You can accomplish this by integrating features provided by Virtual Machine Manager 2008 and the Offline Virtual Machine Servicing Tool version 2.0.1.

Managing Desktop Virtualization

Key Points
Desktop virtualization enables you to run multiple desktop operating systems, either on a user's client computer or on a server running Hyper-V. Implementing desktop virtualization can increase the complexity of managing your network in several ways:
• Individual users may use multiple desktops, both physical and virtual. In a traditional network, you only have to ensure that you update and configure one client computer per user to meet the corporate standards. With desktop virtualization, each user may have several client computers that you must maintain.
• As users move from one desktop computer to another, they might have very different user environments on each computer. For example, they might configure their desktop on their main computer with shortcuts, mapped drives, and other settings. When they launch a virtual desktop, the customized settings may not be available, which leads to user inefficiency.

• Deploying virtual desktops can be difficult. If only a few users in your organization need virtual desktops, you might be able to manually enable and configure the virtual desktops. However, if you have a large number of users who need to use virtual desktops, it becomes very difficult to manually configure each virtual desktop. In this scenario, you need some means to automate the deployment of standardized virtual desktops.

Microsoft provides several tools for managing desktop virtualization:
• You can use tools such as Configuration Manager to manage both physical and virtual desktops. With Configuration Manager, you can monitor and maintain updates on all computers.
• You can use the user state virtualization technologies to provide users with a consistent experience on all desktops. You can use tools such as Group Policy and roaming user profiles to configure the user desktop, map network drives, and redirect folders so that these settings are available across multiple desktop computers.
• You can use MED-V to configure, manage, and deploy virtual desktops based on Virtual PC 2007. With MED-V, you can create standard virtual desktop computers and then deploy them to users.
• You can use VDI to manage a centralized virtual desktop deployment. With VDI, you can configure standard virtual desktops that will run on a Windows Server 2008 R2 Hyper-V server, and provide RDP access to those virtual machines. You can configure virtual machines with the same configuration for all users, or you can provide a virtual desktop that the user can customize.

Managing Application Virtualization

Key Points
You can use application virtualization to enable users to run virtual applications on their user desktops. Implementing application virtualization increases the complexity of managing the user environment in several ways.
• Users may need to be able to run the applications in several different desktop scenarios. They may need to run the applications from desktop computers in the office, on mobile computers that may be connected to the corporate network, connected from the Internet, or disconnected from all networks.
• Users in different locations in the organization may require access to the same applications. Distributing applications to users in locations such as branch offices can be complicated.
• Virtual applications may require security updates or users might require new versions of the virtual applications. Applying updates to virtual applications is more difficult than updating client operating systems or applications that are installed on the client operating systems.

• You must prepare applications to run in a virtual environment before you can deploy them to users. Some applications may require fairly complex virtual environments.

Microsoft provides several tools for managing the application virtualization environment.
• You can use the App-V Management server to manage the deployment of virtual applications to client computers. The App-V Management console provides a single location for configuring and deploying virtual applications.
• App-V provides a variety of options for deploying virtual applications to users. App-V can use multiple protocols, and also provides options for deploying multiple servers in different locations to deploy the same applications. You can also create virtual applications as .msi files, which you can then deploy by using Group Policy or Configuration Manager, or install them on client computers that are disconnected from the network.
• You can update App-V applications with new versions on the App-V Management server and the applications will automatically be distributed to clients.
• You can use the App-V Sequencer to package applications and prepare them for deployment to client computers. The App-V Sequencer provides a wizard-driven approach for creating virtual applications, and also provides complete customization of the virtual environment that the application will run in.

Managing Presentation Virtualization

Key Points
Presentation virtualization enables users to run applications installed on centralized servers. Implementing presentation virtualization introduces some complexities to managing an organization's network.
• Users who are not familiar with desktop virtualization may not understand how to launch remote applications and how the remote application interacts with their usual desktop environment.
• Users may need to connect to the remote applications from a variety of locations. These locations could include computers on the internal network as well as computers in branch offices or computers outside the network.
• In a desktop virtualization deployment, multiple applications may be installed on the same host server. Some of these applications may not be compatible with other applications running on the same server.

Windows Server 2008 R2 provides several features that optimize the deployment of presentation virtualization:
• Remote Desktop RemoteApp. With RemoteApp, you can publish the shortcuts for applications running on the RD Session Host computer on the user desktop. Users can launch the application using the normal procedures, and the application's user interface appears on the desktop as if that application were running locally.
• Remote Desktop Web Access. RD Web Access provides another means for users to launch RemoteApps or connect to remote desktops. RD Web Access provides a Web site that lists all of the applications and desktops that the user has permission to access.
• Remote Desktop Gateway. RD Gateway provides a secure way for users outside of the organization to connect to applications running on the RD Session Host computers. With RD Gateway, all RDP connections are tunneled through HTTPS.
• RemoteApp and Desktop Connections. This client application allows users running Windows 7 to easily connect to RemoteApp programs and Remote Desktops. When you configure RemoteApp and Desktop Connections, all of the applications and remote desktops that the user can access are listed on the user's Start menu. This list is dynamically updated as new applications or remote desktops become available.

You can combine application virtualization with presentation virtualization by deploying virtual applications on a Remote Desktop Session Host server. This enables organizations to run applications that are not compatible with other applications on the same server, and make both applications available to users through RDS.

Lesson 3

Planning an Application and Desktop Virtualization Deployment

Application and desktop virtualization provide organizations with options for managing application compatibility issues, and you can use them to address some of the issues with deploying new desktop operating systems. These tools also provide options for deploying applications to users outside an organization or who run thin or mobile clients. This lesson describes some of the scenarios for deploying application and desktop virtualization, and provides guidance for planning these virtualization solutions.

Scenarios for Desktop and Application Virtualization

Key Points
Desktop and application virtualization are designed to address issues that many large organizations must deal with. These issues relate to the applications that users need to be able to run, and to the locations or physical systems from which users run the applications.

Application Compatibility Issues


In many organizations, a primary reason for deploying desktop and application virtualization is to address application compatibility issues. The issues can take one of two forms:
• An application may not be compatible with the desktop operating system. Many organizations have applications that were developed many years ago using technologies very different from what current desktop operating systems expect. These applications may not run on the new desktops, or they may require extensive changes to the operating system or application in order to run.

• Two applications may not both be able to run on the same desktop computer. In some cases, applications may use incompatible technologies or may require different versions of the same application file. Some users may be required to run both applications.

Mobile Users
Many organizations have a mobile workforce that may work both inside and outside the office. In most cases, these users carry laptop computers, but the users may need to be able to do their work regardless of whether they are connected to the internal network, connected to the Internet, or completely disconnected from any network.

Standard Users
In many organizations, large groups of users require the same user desktop with access to the same set of applications. In some cases, users may require access to just one or two applications. In other cases, they may require access to a complete set of business applications. Traditionally, the organization assigns these users to a standard business desktop computer. If the standard user environment is quite static, and the organization assigns all users to an individual desktop computer, there may not be any reason to implement virtualization for these users. If the users need to run incompatible applications, the users may require solutions for addressing application compatibility. In some cases, you may be able to deploy thin clients to all standard users, and then use VDI to provide the users with the required work environment.

External Users
Some organizations have users who work from outside the corporate network and who do not use computers that the internal IT department manages. These users may be contract workers, consultants, or people who work from home. Frequently, these users require access to a very specific set of applications or servers, and do not require a full desktop or set of applications.

Question: What types of workers do you have in your organization? What options will you explore to virtualize their environment?

Choosing a Desktop and Application Virtualization Solution

Key Points
Microsoft provides several different options for implementing desktop and application virtualization. You can use some of the solutions to address more than one business scenario.

Desktop Virtualization
You can use desktop virtualization to address the following scenarios:
• Application and operating system compatibility issues. If applications require an older operating system, consider deploying Windows Virtual PC or Windows XP Mode. These options mean that users can run the older operating system in a virtual machine that is running on the user desktop.
• External users. If external users need access to a full desktop computer rather than just an application, consider enabling this by using VDI. With VDI, you can provide users with a preconfigured desktop that includes all of the applications required for their tasks.

• Mobile users. If a large number of mobile users require virtual desktops, consider managing the virtual desktop deployment by using MED-V. By doing this, you can manage and distribute the appropriate virtual machines to all users while the users are connected to the network. Users can then take these virtual desktops with them when they leave the office.

Application Virtualization
You can use application virtualization to address the following scenarios:
• Compatibility issues with running multiple applications on a single host. If two applications cannot both run on the same operating system, consider using App-V to create an isolated environment in which one or both of the applications can run.
• Application compatibility issues in presentation virtualization scenarios. You can deploy the App-V client on Remote Desktop Session Host servers, which enables potentially incompatible applications to run on the same remote server.

Presentation Virtualization
You can use presentation virtualization to address the following scenarios:
• Mobile or external users. Implement Remote Desktop Gateway and provide access to only the specific applications or computers that are required. With Remote Desktop Gateway, you can restrict what users can connect to and what they can access. For additional security, you can integrate RD Gateway with Network Access Protection to ensure that clients are compliant with your corporate security requirements.
• Application compatibility issues. For scenarios where applications require separate environments, consider deploying one of the applications in an RDS deployment. By using features such as RemoteApp, you can make the user experience with both applications virtually identical.

User State Virtualization


You can integrate user state virtualization with most other virtualization technologies. For example, you can use user state virtualization to ensure that users have a consistent work environment when they use their standard desktop, a virtual desktop, or a virtual application.

What Are Virtualization Solution Accelerators?

Key Points
To assist organizations in developing and delivering a virtualization strategy, Microsoft has developed free solution accelerators. These automated tools help accelerate assessment, planning, and deployment of Microsoft technologies, such as Windows Server 2008 or virtualization. Some of the Microsoft Virtualization Solution Accelerators include:
• Microsoft Assessment and Planning Toolkit (MAP). You can use MAP to conduct network-wide deployment-readiness assessments that focus on whether you can migrate Microsoft technologies from servers to desktops and applications. Using MAP, you now can determine which servers you can upgrade to Windows Server 2008 R2, which servers you can migrate to virtual machines on Windows Server 2008 R2 Hyper-V, which applications you may want to virtualize by using App-V, and which client computers you can upgrade to Windows 7.

• Infrastructure Planning and Design Guides. The Infrastructure Planning and Design (IPD) Guides are free guides that describe the architectural considerations, and also streamline the design processes, for planning of Microsoft infrastructure technologies. Each guide addresses a unique infrastructure technology or scenario including server virtualization, application virtualization, terminal services implementation, and more. Microsoft has released the following IPD guides that relate to virtualization:
  ◦ Selecting the Right Virtualization Technology
  ◦ Windows Server Virtualization
  ◦ Windows Server 2008 R2 Remote Desktop Services
  ◦ Microsoft Application Virtualization 4.6
  ◦ Windows Optimized Desktop Scenarios
  ◦ Microsoft Enterprise Desktop Virtualization

• Hyper-V Security Guide. Implementing virtualization can increase the number of security issues that you must consider because you need to secure both the host computer and the virtual machines. The Hyper-V Security Guide provides guidance and recommendations to address key security concerns about server virtualization.
• Security Compliance Management Toolkit Series. This includes several different security toolkits that you can use to help your organization plan, deploy, and monitor security baselines for Windows operating systems, including Windows 7, Windows Vista, and Windows Server 2008, and for applications such as the Microsoft Office 2007 system and Internet Explorer 8.
• Microsoft Deployment Toolkit. This provides guidance and tools to accelerate the deployment of client and server operating systems. The Microsoft Deployment Toolkit supports the deployment of Windows Server 2003, Windows Server 2008, the virtualization role on Windows Server 2008, and other applications. Most organizations use the Microsoft Deployment Toolkit primarily to deploy client desktops.

A typical IT project lifecycle includes three core phases: planning, delivery, and operation. Solution accelerators provide guidance and tools for each of these three key elements of the Microsoft Operations Framework (MOF).

What Is the Windows Optimized Desktop Scenarios IPD?

Key Points
The Windows Optimized Desktop Scenarios IPD provides detailed guidance for mapping user and business requirements that relate to end users to the Microsoft desktop and application virtualization solutions. The guide includes two components:
• Windows Optimized Desktop Scenario Assessment. This document provides detailed information on how to use the desktop scenarios and selection tool to identify virtualized solutions for your work place.
• Windows Optimized Desktop Scenario Selection Tool. The Microsoft Excel spreadsheet enables you to select the user and business requirements that apply to your user populations, and then it identifies which desktop scenarios and virtualization solutions apply to your user population.

Using the Windows Optimized Desktop Scenarios IPD


When using this guide, you will complete the following steps:
1. Understand the Windows Optimized Desktop scenarios. The guide groups users into one of the following scenarios:
   • Office Worker.
   • Mobile Worker.
   • Task Worker.
   • Contract Worker.
   • Access from Home.
2. Identify the target user populations for which you want to optimize desktops. In most organizations, you will not be able to implement virtualization for all users at once, so it is important that you identify the specific group of users that are included in the current project.
3. Match user groups with scenarios. You can use the Windows Optimized Desktop Scenario Selection Tool to map the user population to the desktop scenarios. This tool asks a series of questions related to user and business requirements, and then indicates the desktop scenario that applies to the user.
4. Preview the scenario solutions. For each desktop scenario, the guide provides a mapping of potential virtualization products and technologies that can be used to address the requirements.
5. Evaluate relevant Windows Optimized Desktop scenarios. As a final step, you will evaluate the potential solutions to determine which solutions best suit your organization's requirements or capacity. The tool provides multiple solutions for each scenario, so you will need to identify which of the solutions you will implement.

Demonstration: Identifying Desktop Virtualization Scenarios

Key Points
In this demonstration, you will see how to use the Windows Optimized Desktop Scenario Selection Tool v1.1 to identify desktop virtualization scenarios and solutions.

Demonstration steps:
1. On the NYC-CL3 computer, start the Windows Optimized Desktop Scenario SelectionTool v1.1.xls from the Documents folder.
2. Review the options available on the Instructions and Scenario Selection tabs.

Question: What do you think of the Windows Optimized Desktop Scenarios Selection Tool? Are there selection criteria missing? How will you use the results that this tool produces?

Virtualization and Licensing

Key Points
Microsoft provides many different licensing options depending on the customer's requirements. At the highest level, Microsoft provides the following licensing options:
• OEM: You can purchase this type of license only when you purchase a new computer.
• Retail: You can purchase this type of license separately from a new computer purchase, and you can use it to upgrade current software or install new software. With this option, each copy of the software requires a separate license.
• Volume license: This type of license provides the most flexibility as it is the only type of license that you can use to deploy multiple copies of software with a single license.

Volume License Options


Most organizations will purchase volume licenses to ensure that a single license can be used to deploy Microsoft software to multiple computers. As organizations consider buying volume licenses, they have the following three options:
• Open License (for organizations with 250 or fewer desktops) or Select Agreement (for organizations with 250 or more desktops). With this option, organizations can choose the desktop operating systems and the specific applications that they will deploy with each desktop. Software Assurance is an option with this type of licensing.
• Open Value or Enterprise Agreement. With this option, organizations identify a standard desktop with applications and client access licenses, and then license all of their desktops based on this standard desktop. The organizations pay for the cost of purchasing the software, and this option includes Software Assurance.
• Open Value Subscription or Enterprise Value Subscription. With this option, organizations identify a standard desktop with applications, and then license all desktops based on this standard desktop. The organizations pay an annual fee for renting the software, and this option includes Software Assurance.

Note: With the volume license options, organizations also have the option of including client access licenses (CALs). The CAL options include a core CAL, which enables access to Windows Servers, Exchange Servers, Microsoft Office SharePoint, and a System Center Configuration Manager client. Additional CAL options include Office Communication Server CALs, Operations Manager licenses, and an Enterprise CAL option, which includes enterprise access to Exchange Server, SharePoint Server, and Office Communications Server.

Microsoft Licensing and Virtualization


Implementing desktop virtualization can increase the complexity of determining what licenses you require. In general, the following principles apply:
• Microsoft licensing is consistent regardless of whether applications or desktops run in a virtual or physical environment. For example, to run Microsoft Office in a virtual machine requires the same license as running the applications on a physical computer. Accessing a SharePoint server from a virtual machine requires the same CAL as accessing SharePoint from a physical computer.
• In a desktop virtualization deployment, Microsoft provides a subscription license called Windows Vista Enterprise Centralized Desktops (VECD), which allows customers to use Windows in virtual machines centralized on server hardware. With the Windows Vista Enterprise and Windows 7 Enterprise editions, users can run four or fewer additional desktop operating systems in virtual machines.
• To run virtual desktops in a VDI deployment, you will need RDS CALs and licenses for all desktop operating systems that are running simultaneously.
• In an application virtualization deployment, you can run virtual applications using the same license that you use for running local applications. If you license a desktop to run Microsoft Office, you can run the Office applications locally or in a virtual environment.
• You can issue RDS CALs per device or user. You can reuse per-device licenses, but these license types do limit the number of devices that can connect at one time. Per-user licenses enable users to connect using multiple devices.
• Some virtualization licenses are available only to customers with Software Assurance. For example, MED-V is available only with MDOP, which is available only to customers with Software Assurance.

Planning a Virtualization Deployment

Key Points
You can use desktop and application virtualization to address significant business requirements within organizations. However, within large organizations that have diverse user groups, implementing virtualization can be complicated and likely will not address all business requirements at once. Consider the following recommendations when planning a desktop and virtualization deployment:
• Start small. It is highly unlikely that you will virtualize your entire environment immediately, and we do not recommend that you try. To gain a better understanding of the process for implementing virtualization, and to gain experience in managing a virtual environment, start with a small pilot project. Ensure that you plan this project well and test it thoroughly to ensure that the initial user experience with virtualization is as positive as possible.

• Address a critical business need. To enhance the visibility and viability of virtualization in your organization, ensure that your initial projects address a critical business need. For example, one of the easiest virtualization solutions to deploy is RD Gateway. For organizations with a large number of users who work outside of the corporate network but who require access to internal applications and data, RD Gateway often can address one of the most critical business needs.
• Implement virtualization incrementally. For many of the virtualization solutions, you can implement the solutions incrementally. For example, if you are considering an App-V deployment for a small group of users, you can begin by manually distributing the App-V clients and applications. Over time, you can incorporate automatic streaming of the client and applications. If deploying desktop virtual machines running in Windows Virtual PC, you can begin by deploying the virtual machines manually, and then later add MED-V to manage the virtual machine images. By deploying virtualization incrementally, you can gain the benefits of the solutions without investing in the entire infrastructure that may be required to automate the solution fully.
• Consider the target user group. When considering a virtualization solution, ensure that you keep the target user group in mind. For example, if you need to deploy a virtualization solution for only a small group of users, you likely will use a different virtualization solution than if you need to deploy the same virtualization solution for a large group of users. You also should consider the users' locations. If all the users are in the office, and you assign them to the same desktop computer, you can use a different virtualization solution than if the target audience consists of mobile or external users.
• Consider addressing application compatibility options outside of virtualization. The desktop and application virtualization solutions provide great tools for dealing with application compatibility issues, but in some cases, it may be better to rewrite the application. For example, if all users in your organization need to run an application that can run only in old Windows versions, rewriting the application may enable you to improve the application without deploying and maintaining an entire virtualization environment for that one application.

Question: What additional considerations will you need to include when planning virtualization projects in your organization?

Lab: Planning Desktop Virtualization Scenarios

Lab Scenario
Contoso, Ltd., is a large corporation with offices in New York, London, and Tokyo, and branch offices in several other cities. Contoso is planning to implement application and desktop virtualization to address several critical business requirements. As a member of the project team, you are responsible for analyzing the user and business requirements and identifying the best virtualization solutions for your organization.

Lab Setup
For this lab, you will plan the virtual environment assigned to you. Before you begin the lab, you must:
1. Start the 10324A-NYC-DC1 virtual machine. This virtual machine should remain running for the rest of the course.
2. Start the 10324A-NYC-CL3 virtual machine.
3. Connect to 10324A-NYC-CL3, and log on as Contoso\Administrator with the password Pa$$w0rd.

Exercise 1: Identifying Virtualization Solutions


Scenario
In preparation for starting the virtualization project, Contoso, Ltd has several analysts that are collecting information on the organization's user population. The analysts have collected the following information:

Contoso, Ltd has 7,800 employees, with another 800 short-term and long-term contractors.

About 75 percent of employees are in the main offices in New York, London, and Tokyo. Another 15 percent are in smaller branch offices, while the last 10 percent are mobile users. The mobile users travel between the main offices, branch offices, and to client sites.

Approximately 500 users at each main office work as sales support personnel. These users require access to e-mail, Intranet Web sites, and a business application that requires that you install a client on each computer. These users share 250 desktop computers, which have limited hardware resources. Because of budget constraints, Contoso, Ltd cannot upgrade the hardware that these users are using.

The mobile users require access to most of their applications while disconnected from the network, as well as when they are connected from outside the network. The laptops that the organization provides to mobile users run Windows XP Professional Edition. The corporate security policy states that users must encrypt all data that is stored on their mobile computers.

Contoso, Ltd has started migrating the user desktops for all users in the main offices and branch offices from Windows XP to Windows 7. At the same time, they are replacing the laptops that mobile workers use with laptops that run Windows 7. This project should be complete within six months.

One application used by a small number of users in the main offices and by all mobile users is incompatible with Windows 7. Contoso, Ltd has started a project to update the application so that it will be compatible with Windows 7, but this project will take more than a year. During this time, the users need to be able to run the current application. During the transition, users also may need to run both the old and new versions of the application.

The contractors perform a variety of tasks for Contoso, Ltd. Most contractors work as sales support staff in the countries where Contoso, Ltd does not have an office. Some contractors work for software vendors and require access to servers on the Contoso, Ltd corporate network to support their software. Contractors cannot store corporate data on their computers. The contractors are currently connecting to the internal network by using a VPN. However, a new corporate security policy dictates that only laptop computers that are members of the internal AD DS domain can connect to the corporate network through the VPN. Contoso, Ltd will enforce this policy within three months. Contoso, Ltd is not planning to issue laptops to the contractors.

The main tasks for this exercise are:
1. Identify the user groups at Contoso, Ltd.
2. Identify the virtualization solutions.
3. Develop a prioritized list of projects to implement virtualization.

Task 1: Identify the user groups at Contoso, Ltd.


1. Review the scenario information.
2. List all unique user groups at Contoso. For each group, identify the user or business requirements that make the groups unique.

Task 2: Identify the virtualization solutions


1. On NYC-CL3, open the Windows Optimized Desktop Scenario Selection Tool from the Documents folder.
2. Choose two of the user groups that you identified in the first task, and then enter the information into the tool.
User group Selections

3. For the two user groups, identify the products and technologies that the selection tool suggests.
User group Products and technologies

Task 3: Develop a prioritized list of projects to implement virtualization


1. Based on the proposed virtualization solutions and the scenario, develop a list of projects that will meet all of the user and business requirements.
2. Assign a priority to each project, assuming that you will implement the projects in the order that you set.
3. Be prepared to discuss your answers.

Results: After this exercise, you will have identified the user groups that may require virtualization at Contoso, identified virtualization solutions that could be implemented to address the organization's business requirements, and developed a prioritized list of projects to implement application and desktop virtualization.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

Module Review and Takeaways

Review Questions
1. Your organization has been monitoring the servers in your data center and has identified several servers that are running at less than 5 percent utilization. How can you ensure that you utilize the hardware in your data center appropriately?
2. You are considering deploying an application virtualization solution, but you are concerned about the amount of effort that it will require to deploy virtual applications to a large number of users. What tool can you use to simplify this process?
3. The users in your organization are using a variety of user desktops, including both physical and virtual computers. The users would like to have the same desktop configuration and be able to access the same mapped drives and data from each desktop. How can you enable this?

Real-World Issues and Scenarios


1. Your organization is testing a custom application. The testers report that when they install the application on computers running an older version of the same application, they get errors. How could you address this issue?
2. Your organization has several hundred part-time employees who work outside of the office. The employees all need to run an application that has to access a database server located in the main office's data center. How can you make this application available to users?
3. Your organization is planning to upgrade all client workstations to Windows 7 Enterprise Edition. Five users need to run an application that only runs on Windows XP. How should you address this issue?

Best Practices Related to Planning a Virtualization Deployment


Supplement or modify the following best practices for your own work situations:

When planning or implementing virtualization, it is important to start slowly. You can increase the level of virtualization as you gain experience with the technology. By starting small, you have a better chance of ensuring that the first experience with virtualization is positive.

Server virtualization has the potential to significantly decrease the costs of running your organization's IT infrastructure. As you implement Hyper-V, calculate the cost savings, and then use that information to convince management to pay for more virtualization.

The cost benefits of implementing desktop and application virtualization may be more difficult to quantify. If you are implementing a solution to address application compatibility issues, you can compare the cost of implementing App-V to the cost of rewriting the application. If you are considering implementing a solution such as MED-V or VDI, you will need to invest quite a bit of money to develop the infrastructure before you see any benefit.

Consider virtualization as one option when addressing user, security, or business requirements. You can use virtualization to address many requirements, but you may be able to address the same requirements without virtualization.

Module 2
Implementing Windows Virtual PC and Windows XP Mode
Contents:
Lesson 1: Installing Windows Virtual PC
Lesson 2: Configuring Windows Virtual PC
Lesson 3: Installing, Configuring, and Managing the Windows XP Mode
Lesson 4: Creating and Deploying Custom Images of Windows XP Mode
Lab: Implementing Windows Virtual PC and Windows XP Mode

Module Overview

Windows 7 has introduced a new version of Microsoft Virtual PC software that supports the creation of virtual machines with various operating systems within the same virtual environment. Additionally, Windows 7 includes Windows XP Mode, a precreated virtual machine that is running Windows XP Professional Service Pack 3 (SP3), and which supports older applications and enables more convenient migration to Windows 7. In this module, you will learn how to configure and use Windows Virtual PC virtual machines and how to use Windows XP Mode.

Lesson 1

Installing Windows Virtual PC

Virtual PC software was introduced several years ago as a virtualization platform on workstations and desktop computers. It enables users to use the same physical host machine to install and run several virtual machines simultaneously that have the same, or different, operating systems. To provide the same capability in Windows 7, Microsoft released a new version of Virtual PC, known as Windows Virtual PC. In this lesson, you will learn about Windows Virtual PC, and its features and requirements.

What Is Windows Virtual PC?

Key Points
Windows Virtual PC is the latest Microsoft client virtualization technology designed for Windows 7, and it enables you to run virtual machines on Windows 7 operating systems. This allows for testing, development, and support of applications made for older operating systems. Windows Virtual PC is a successor of Virtual PC, which Connectix developed originally for the Macintosh and released in June 1997. Connectix then released the first version of Virtual PC for Windows-based systems, version 4.0, in June 2001. In 2003, Microsoft acquired Connectix, and continued to develop this product. Virtual PC 2004 was the first version of this software that Microsoft developed, and in 2006, Microsoft released it as a free virtualization product for client platforms. Microsoft then built and released the next version, Virtual PC 2007, to support the Windows Vista operating system. After the release of Windows 7, Microsoft developed Windows Virtual PC to provide virtualization on this new platform.

Unlike other virtualization platforms such as Virtual Server or Hyper-V, Windows Virtual PC is not intended for server virtualization scenarios. Although you can install some server operating systems in the Virtual PC environment, we do not support that scenario in a production environment. The primary purpose of Windows Virtual PC is to provide a platform for learning, testing, development, and support of older applications. Additionally, unlike Hyper-V, Virtual PC and Virtual Server are not based on hypervisor technology. This means that communication with physical hardware is through emulating hardware devices inside the virtual machine. That approach provides somewhat lower performance than hardware-based virtualization, such as Hyper-V.

Note: In Windows Virtual PC terminology, we use the terms host and guest to differentiate operating systems that are running directly on the physical hardware (hosts) from operating systems that are running inside virtual machines (guests). Basically, the physical machine, or host, has hardware and software capabilities that are sufficient to support the running of one or more virtual machines (guests). In Hyper-V terminology, hosts and guests are typically called parent and child partitions.

Question: Do you use any virtualization software for testing, learning, or development?
Question: Have you ever used any version of Virtual PC?
Question: If so, what operating systems did you run inside the Virtual PC environment?
Question: Do you use any other virtualization products, such as Hyper-V or other non-Microsoft solutions?

Features of Windows Virtual PC

Key Points
Windows Virtual PC provides several new features, such as providing seamless integration of the virtualized and physical environments, and the ability to leverage the capabilities of the new hardware (mostly processors). The following sections describe the most important new features of Windows Virtual PC.

USB support
Windows Virtual PC now supports many USB devices, such as printers, scanners, flash memory sticks and external hard disks, digital cameras, and smart card readers. After a user connects a USB device to a physical computer, the user can choose whether that device will be available exclusively to one virtual machine or shared with other virtual machines. This enables much easier sharing of resources, and greater flexibility and functionality for applications that are running in virtual machines. Later topics will provide more detail on USB support in Windows Virtual PC.

Device redirection, and drive and folder sharing
Windows Virtual PC supports the redirection of some hardware devices and their functionalities to virtual machines. For example, you can redirect printers and smart cards to virtual machines. Besides this, Windows Virtual PC can share hard drives with the physical computer. From the virtual machine, you can access all hard drives that connect to the physical computer. Users also can access their Windows 7 known folders, such as Documents, Pictures, Desktop, Music, and Videos, from within a virtualized Windows environment like Windows XP Mode.

Windows XP Mode
Windows XP Mode is a new benefit of Windows 7 Professional, Ultimate, and Enterprise, and provides additional application compatibility. It allows you to install and run many of your productivity applications for Windows XP directly from your Windows 7-based PC. It utilizes Windows Virtual PC and Remote Desktop Services (RDS) to provide a virtual Windows XP environment for Windows 7. Later lessons will provide more detail on Windows XP Mode.

Clipboard sharing
With Windows Virtual PC you can share the Clipboard between the physical machine and the virtual machine. For example, you can cut and paste between your Windows 7 host and any virtual machine.

Multithread support
In Windows Virtual PC, users can run multiple virtual machines concurrently, each running in its own thread. This improves stability and performance.

Note: Windows Virtual PC does not include drag-and-drop functionality between the host and the guest operating system.

Question: For you, what is the most important feature of Windows Virtual PC?

Software Requirements for Windows Virtual PC

Key Points
To install and use Windows Virtual PC software, you must fulfill several requirements. From the software perspective, the most important requirement is to run the Windows 7 operating system. You can install Windows Virtual PC on the following host operating systems:
Windows 7 Home Basic
Windows 7 Home Premium
Windows 7 Enterprise
Windows 7 Professional
Windows 7 Ultimate

As guest operating systems, we support the following operating systems:
Windows XP Service Pack 3 (SP3) Professional
Windows Vista Enterprise Service Pack 1 (SP1) and newer versions
Windows Vista Ultimate Service Pack 1 (SP1) and newer versions
Windows Vista Business Service Pack 1 (SP1) and newer versions
Windows 7 Professional
Windows 7 Enterprise
Windows 7 Ultimate

Note: Although you can install Windows Virtual PC software on both the 32-bit and 64-bit versions of Windows 7, inside the virtual machine, you can run only the 32-bit version of any supported operating system.

We support virtual applications only on Windows Vista Enterprise or Ultimate, Windows 7 Enterprise or Ultimate, and Windows XP Professional SP3. Virtual applications are applications that you install inside virtual machines but which you run on the desktop of the physical host computer. From the end user's perspective, a virtual application launches the same way as a local application. The end user clicks the application's shortcut in the Start menu or on the desktop. Virtual applications are a key feature of Windows Virtual PC. They enable you to run applications transparently in a guest operating system when they are not fully compatible with the host operating system.

You also can run other guest operating systems. However, we do not support this, and in this scenario, you may experience impaired functionality of the virtual machines.

Question: Which version of Windows 7 is not supported as a host operating system?

Hardware Requirements for Windows Virtual PC

Key Points
Windows Virtual PC requires that you have hardware that can support virtualization. The following sections detail the requirements that you must meet to be able to install and run this software.

CPU with hardware-assisted virtualization support
Your computer must have a CPU with hardware-assisted virtualization capability. The setting for this feature typically is available in the computer's basic input/output system (BIOS). Although manufacturers have been shipping hardware virtualization in PCs for three years, hardware virtualization is not available in all PCs. Therefore, even if your PC is new, it may not have hardware virtualization. Additionally, some manufacturers of new PCs turn off hardware virtualization, so you will have to turn it on before you can use it. For instructions on how to enable this feature, consult your computer's documentation.

Note: AMD-V and Intel VT are names of CPU-specific hardware-virtualization features that you must enable to use Windows Virtual PC. Since most computers come with a CPU from one of these two manufacturers, you should look in your computer's BIOS for these options. In some BIOS versions, this feature is called Virtualization Technology or Virtualization support, and the official manufacturer name is not stated.

If you want to check whether your computer supports hardware-assisted virtualization, you should download and run the Hardware Assisted Virtualization Detection Tool. Download this tool for free from http://go.microsoft.com/fwlink/?LinkId=163321.

Microsoft has released an update for Windows Virtual PC that is specific to Windows XP virtual machines, such as Windows XP Mode. This update removes the requirement to have hardware-assisted virtualization support on a CPU. This means that if you are going to run only Windows XP virtual machines in Windows Virtual PC, your computer does not need to have hardware-assisted virtualization at the CPU level. You should install this update after you install Windows Virtual PC, and you can find it at http://support.microsoft.com/kb/977206. Be aware that if you are running other operating systems inside your virtual machine, they will require hardware virtualization support.

Memory
We recommend that you have at least 2 gigabytes (GB) of random access memory (RAM) in a host machine if you want to run one or more virtual machines within Windows Virtual PC. When allocating memory for virtual machines, you should leave at least 512 megabytes (MB) for the host machine. The amount of memory that each virtual machine requires depends on the operating system that you install on it.

Note: If you are using a 32-bit host operating system, you will not be able to allocate more than 4 GB of RAM on the physical host. If you want to run several virtual machines simultaneously, we recommend that you use the 64-bit version of Windows 7 as a host operating system because it can allocate more than 4 GB of RAM.

Hard drive
We recommend that you have at least 15 GB of free space for each virtual machine that you plan to host. Virtual machines can require significant storage, depending on the number of applications that you install inside them. They sometimes require more storage than the host operating system. Also, we recommend that you store virtual machines on a separate volume. For best performance, you should use another hard drive that you install in the host machine.

Other hardware
If you want to run Windows Virtual PC, the host computer does not require any other hardware components, such as a graphics card, sound card, CD or DVD drive, network cards, USB, or parallel and serial ports. However, if you have this hardware in place, you will experience better functionality when using the virtual machines.

Question: What is the benefit of running the 64-bit version of Windows 7 as the host operating system?
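
The memory and hard drive guidance above (2 GB of host RAM, 512 MB left for the host, the 4 GB ceiling on a 32-bit host, 15 GB of free space per virtual machine) can be checked against a planned set of virtual machines before you build them. The following PowerShell is an added example, not part of the course material; the function name, its parameters, the sample plan, and the D: volume in the comments are assumptions.

```powershell
# Added example (not from the course material). Function name, parameters and
# the VM plan below are assumptions; the thresholds are the ones in this lesson.
function Test-VpcHostSizing {
    param(
        [long]     $HostRamMB,        # physical RAM installed in the host
        [bool]     $HostIs64Bit,      # $true for a 64-bit Windows 7 host
        [long]     $VmVolumeFreeGB,   # free space on the volume that will hold the VMs
        [object[]] $PlannedVms        # objects with Name and MemoryMB properties
    )

    $findings = @()

    # A 32-bit host cannot allocate more than 4 GB, whatever is installed.
    $usableMB = $HostRamMB
    if (-not $HostIs64Bit -and $HostRamMB -gt 4096) {
        $usableMB = 4096
        $findings += "32-bit host: only 4096 MB of the installed $HostRamMB MB can be allocated."
    }

    # Recommendation: at least 2 GB of RAM in the host.
    if ($HostRamMB -lt 2048) {
        $findings += "Host has $HostRamMB MB of RAM; at least 2048 MB is recommended."
    }

    # Leave at least 512 MB for the host after all VMs that run at the same time.
    $vmTotalMB     = ($PlannedVms | Measure-Object -Property MemoryMB -Sum).Sum
    $leftForHostMB = $usableMB - $vmTotalMB
    if ($leftForHostMB -lt 512) {
        $findings += "VMs are assigned $vmTotalMB MB, leaving $leftForHostMB MB for the host; leave at least 512 MB."
        if (-not $HostIs64Bit) {
            $findings += "Consider the 64-bit version of Windows 7 to run these VMs simultaneously."
        }
    }

    # Recommendation: at least 15 GB of free space for each virtual machine.
    $vmCount  = @($PlannedVms).Count
    $neededGB = 15 * $vmCount
    if ($VmVolumeFreeGB -lt $neededGB) {
        $findings += "VM volume has $VmVolumeFreeGB GB free; $neededGB GB is recommended for $vmCount VMs."
    }

    New-Object PSObject -Property @{
        UsableRamMB   = $usableMB
        VmTotalMB     = $vmTotalMB
        LeftForHostMB = $leftForHostMB
        NeededDiskGB  = $neededGB
        Passed        = ($findings.Count -eq 0)
        Findings      = $findings
    }
}

# Constructed sample plan: three VMs on a 32-bit host with 4 GB RAM and 40 GB free.
# Per-VM memory is the planner's choice; the lesson says it depends on the guest OS.
$plan = @(
    (New-Object PSObject -Property @{ Name = 'XPMode';   MemoryMB = 512  }),
    (New-Object PSObject -Property @{ Name = 'Vista-QA'; MemoryMB = 1536 }),
    (New-Object PSObject -Property @{ Name = 'Win7-Dev'; MemoryMB = 2048 })
)
$result = Test-VpcHostSizing -HostRamMB 4096 -HostIs64Bit $false -VmVolumeFreeGB 40 -PlannedVms $plan
$result.Findings

# To check the local host instead, feed in live values from WMI:
#   $cs = Get-WmiObject Win32_ComputerSystem
#   $os = Get-WmiObject Win32_OperatingSystem
#   $d  = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='D:'"
#   Test-VpcHostSizing -HostRamMB ([math]::Floor($cs.TotalPhysicalMemory / 1MB)) `
#       -HostIs64Bit ($os.OSArchitecture -like '64*') `
#       -VmVolumeFreeGB ([math]::Floor($d.FreeSpace / 1GB)) -PlannedVms $plan
```

The script uses only syntax available in the PowerShell version that ships with Windows 7, so it can run on the intended host without additional installs.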

Architecture of Windows Virtual PC

Key Points
Windows Virtual PC architecture differs from other Microsoft virtualization platforms because it combines technologies that are available in the Virtual Server and Hyper-V architectures to provide the best experience and usability for the end user. Windows Virtual PC is not built on hypervisor technology like the Hyper-V server, but instead uses the Virtual Machine Extensions (VMX) kernel to provide support similar to that which the hypervisor provides. The VMX kernel is built upon the VMX of Intel Virtualization Technology (Intel VT). It includes the Virtual Machine Monitor (VMM) runtime layer, which provides support for virtual machine execution, memory management, intercept and exception handling, and routing of interrupts that virtual machines raise.

In Virtual PC, Virtual Server, and Windows Virtual PC, device support was primarily done through hardware emulation. In Windows Virtual PC, the disk, network, and display subsystems present themselves as physical devices that the guest operating system detects at startup, and are indistinguishable (to the guest) from real hardware. However, guest operating systems cannot access physical hardware directly, but rather, only by using device emulators to go through the host operating system. The guest operating system loads the drivers for these corresponding devices, and they execute input/output (I/O) commands as they would in a real environment. These I/O commands are intercepted by the VMM runtime, which is the VMX/SVM kernel that triggers callbacks of device emulators running within the user mode process VPC.exe. Windows Virtual PC uses VPCBus-based devices coexisting with the current device framework.

Windows Virtual PC, unlike products such as Virtual Server and Hyper-V Server, has additional optimization for end users, but not necessarily for experienced IT professionals. It provides some features that are not available on server virtualization products to enable integration between the host and the guest operating system, and to provide greater flexibility and ease of use. Although Windows Virtual PC is built on the Virtual Server engine, it provides much more integration between host and guest operating systems than Virtual Server. In Virtual Server and Hyper-V server, this type of integration can be a security issue, while Windows Virtual PC provides integration as an additional convenience for the end user.

You connect to a virtual machine by using RDS technology. When users initiate a connection to a virtual machine, they initiate a console Remote Desktop Protocol (RDP) session using port 3389. Using the same technology, Windows Virtual PC can use device sharing and device redirection between the host and the guest operating system.
Question: What are the most important differences between Windows Virtual PC and Hyper-V?

Windows Virtual PC Modes

Key Points
Virtual machines that run inside the Hyper-V environment or inside Virtual Server are mostly independent from the host operating system. In contrast, you can integrate virtual machines in Windows Virtual PC with the host operating system to a greater or lesser degree. Integration between the guest and host operating systems in Windows Virtual PC depends mostly on the integration components, which are software components installed inside the virtual machine that provide communication and integration between the host and guest operating systems. In previous Virtual PC versions, these components were known as Virtual Machine Additions.

In Windows Virtual PC, you can achieve this integration at four levels:

No integration
If you do not install integration components in a virtual machine, or the guest operating system does not support them, there is essentially no integration between the host and the guest operating system. The only interaction in this scenario is by using an emulated console so that you can interact with the virtual machine when the boot process begins. However, there is no device redirection, folder integration, or mouse sharing between the host and the guest operating system.

Basic Integration Mode
The Basic Mode provides basic integration features between the virtual machine and the host, including mouse and keyboard integration, USB support, time sync, and heartbeat parity. Integration features such as clipboard sharing, drive sharing, and printer redirection are not available in this mode, which is useful for power users in software development and test scenarios, where it is important to display the system-level settings and BIOS messages explicitly as the virtual machine boots up.

Enhanced Integration Mode
The majority of users will prefer this mode, because it is easy to use, and it provides the complete set of integration features described above. For example, this mode provides the saved credentials feature so that users do not have to log in each time they launch the virtual machine. You implement Enhanced Mode by using a connection channel based on the Microsoft RDP protocol.

Virtual Application Mode: Seamless Integration
Virtual Applications Mode is a seamless solution to application compatibility. You likely will find that this is the most preferable way to launch and run your virtual applications, because they will integrate seamlessly with the Windows 7 desktop and Start menu. When you install an application in the virtual machine, this mode publishes a shortcut automatically to the Start menu of Windows 7.

Question: In which scenarios will you use the No Integration mode?

Features of Virtual Machine Integration

Key Points
Integration features improve the experience of using a virtual machine by providing features that improve interactions between the virtual machine and the physical computer, as well as between the operating systems of both. Integration features are available for all supported guest operating systems. The Integration Components package, which Windows Virtual PC includes, contains the integration features. For all other supported guest operating systems, you must install the Integration Components package in the guest operating system to make the integration features available. Please be aware that an updated version of the package may be released for a specific guest operating system. In that case, upgrade the Integration Components package in the guest operating system.

After the integration features are available, you can turn most of them on or off by modifying the virtual machine's Integration Features settings. The two exceptions are mouse integration and time synchronization, which are turned on when the package is installed. Mouse integration makes it possible for you to move the mouse seamlessly between the desktops of the host operating system and the guest operating system. Time synchronization keeps the time in the guest operating system synchronized with the host operating system. The integration features that you can turn on or off include:

Audio. This setting controls whether audio input and output for the virtual machine is redirected to audio devices in the host, or is managed by an emulated audio device. To improve audio performance, clear the check box for a virtual machine that is running Windows XP, and select the check box for a virtual machine that is running Windows Vista or Windows 7.

Clipboard. You can copy and paste data between the host and guest operating systems. For example, you can copy a URL from the browser in a guest operating system, and paste it to a browser in the host operating system.

Printer. You can use the printer that is available on the physical computer inside the virtual machine. This allows you to print directly from a virtual application that you are using in the virtual machine.

Smart cards. The virtual machine can access smart card readers that you install on the physical computer. This means that you can use these cards (and certificates) for authentication, authorization, and encryption inside the virtual machine.

Hard drives. This feature shares the drives that you select on the host with the virtual machine, so that you can access host data easily from the virtual machine. This feature also makes it possible to access the host desktop and Documents folder from virtual applications when you select those resources to share.

Features of Virtual PC 2007 SP1

Key Points
Along with Windows Virtual PC, which is designed for Windows 7, Virtual PC 2007 SP1 is desktop virtualization software for earlier versions of Windows, such as Windows Vista. You also can run Virtual PC 2007 SP1 on Windows 7, but not in parallel with Windows Virtual PC. Unlike Windows Virtual PC, Virtual PC 2007 SP1 does not require that hardware virtualization support is present in the host computer's hardware, although it can utilize it. Therefore, you can install Virtual PC 2007 SP1 on older hardware to provide a virtualization platform, even if there is no hardware virtualization support available.

Virtual PC 2007 SP1 does not provide some of the features that Windows Virtual PC provides. One of these features is USB support, which means that you cannot provide access to USB devices to virtual machines that you create with Virtual PC 2007 SP1. Also, Virtual PC 2007 SP1 does not provide virtual application integration with host operating systems, and you cannot use drive sharing the way that you can in Windows Virtual PC. The creation of new virtual machines in Windows Virtual PC is integrated into an interface that is like Windows Explorer, while Virtual PC 2007 SP1 uses a separate console for that. Conversely, Windows Virtual PC does not support drag and drop between the host and guest operating systems, which Virtual PC 2007 SP1 does. When you deploy virtual machines, and you plan to switch from Virtual PC 2007 SP1 to Windows Virtual PC, you should consider the following:
• The virtual machine additions components, also known as Integration Components, of Virtual PC 2007 SP1 are not compatible with Windows Virtual PC. This means that you must uninstall them before migrating virtual machines from Virtual PC 2007 SP1 to Windows Virtual PC.
• Save state files that you create in Virtual PC 2007 SP1 are not compatible with Windows Virtual PC. You must delete save state files prior to migration.
• You must recreate the virtual machine's configuration when you migrate virtual machines from Virtual PC 2007 SP1 to Windows Virtual PC.

Question: What is a main reason to use Virtual PC 2007 SP1 instead of Windows Virtual PC?

Lesson 2

Configuring Windows Virtual PC

Before starting to use virtual machines, you must configure the software options for Windows Virtual PC and create some components that the virtual machines need, such as virtual hard disks (VHDs). You also must configure virtual hardware settings for each virtual machine, such as networking and USB devices. If you want to use virtual machines efficiently, it is very important to understand VHDs, including what types of VHDs exist and how to use them. This lesson discusses the configuration of virtual machine settings, and the creation and usage of components that virtual machines need.

Virtual Machine Settings

Key Points
If you want to create and use a virtual machine in the Windows Virtual PC environment, you have to create the virtual machine's configuration and configure the settings inside the configuration. The virtual machine configuration is an XML-formatted file that describes the hardware configuration of a virtual machine in essentially the same way that you describe a physical machine's hardware components. Since virtual machines in Windows Virtual PC do not directly access hardware, the configuration file is used to configure the virtual machine's hardware options and components, and defines resources, such as RAM memory, that will be taken from the host machine when you start the virtual machine. You can configure the following settings for virtual machines in Windows Virtual PC:
• Name. The name setting defines the virtual machine's name. This is not the name of the virtual computer, or operating system, that the virtual machine represents, but rather just the name of the configuration file.

• Memory. This setting is where you enter the amount of RAM memory that the virtual machine will allocate from the physical host when you start it. Note that the specified amount of RAM is used only when the virtual machine is running. When calculating the amount of RAM memory that will be available to one machine, take into account the number of virtual machines that will be running simultaneously and the amount of RAM that should remain available for a host operating system.

Note: For example, if you are going to run three virtual machines simultaneously, and you have 4 GB of RAM memory, then you should not allocate more than 1 GB of RAM per virtual machine. Windows Virtual PC does not support memory overcommitment.

• Hard disk (1, 2, 3). These options allow you to attach VHD files to the virtual machine. You can add three VHDs to one virtual machine, and you must define at least one. From the hard disk setting, you also can start the wizard to create new VHDs and modify existing ones.
• DVD drive. The DVD Drive setting option allows you to use a physical DVD drive from the host computer or to map the ISO image file as a DVD to the virtual machine.
• COM1, COM2. These settings enable you to configure usage of physical serial (COM) ports inside the virtual machine, or map virtual COM ports to a named pipe or text file.
• Networking. The Networking option enables you to add four network adapters to a virtual machine, and change the connection state of each network adapter. Each network adapter in the virtual machine can be mapped directly to any physical network adapter in the host machine, use network address translation (NAT) through a physical network adapter, use Internal Network for communication between virtual machines, or be in a disconnected state. This will be discussed later in more detail.
• Integration features. These features and their corresponding settings allow you to configure the level of integration between the virtual machine and the physical host. You can allow audio, printer, clipboard, and smart-card sharing, and also allow access to physical drives in the host computer. If you want to use integration features, you must install integration components in the virtual machine.

• Keyboard. The Keyboard setting determines how your computer or virtual machine will respond to keyboard shortcuts such as ALT+TAB. The default behavior is to pass these shortcuts to the virtual machine only when you are running in full screen mode. Otherwise, keyboard shortcuts execute on the host operating system.
• Logon Credentials. The Logon Credentials setting enables you to delete all saved credentials if you previously chose to save credentials that users are entering when they log on to virtual machines.
• Auto Publish. The Auto Publish setting enables you to configure whether the virtual machine will publish virtual applications automatically to the Windows 7 host machine. If you are going to use Windows Virtual PC to support older applications, we recommend that you enable this option.
• Close. The Close setting enables you to define the virtual machine's behavior when the user clicks a button to close the virtual machine window. You can choose to be prompted for action each time you try to close the virtual machine window or choose a preconfigured action, such as Hibernate.

If you want to make changes to the virtual machine configuration, you can do it by opening the Settings dialog box after right-clicking the virtual machine icon in the Virtual Machines folder window. For most changes to occur, you must turn off the virtual machine. However, you can make some changes, such as mapping a virtual DVD drive to an .ISO file or physical drive, or changing settings for the virtual network adapter's connection, even while the virtual machine is running. Conversely, you must perform other changes, such as changing the amount of allocated RAM memory or adding VHDs to the virtual machine, when the machine is turned off.

Features of VHDs

Key Points
VHDs are files on the physical machine that store the hard-disk contents of a virtual machine. Windows Virtual PC treats each VHD file as a separate hard disk, and each virtual machine can have three VHD files attached. You must have at least one VHD attached to the virtual machine if you want to run it. The VHD file format is an open standard and does not depend on the virtualization technology in use, or on the host and guest operating systems. Because of that, Windows Virtual PC, Virtual Server, and Hyper-V all use the same format of VHD files.

Note: You cannot directly use VHD files from one virtualization platform in another platform, since Integration Components are not compatible between platforms. For example, if you want to use a VHD from a Virtual Server-based virtual machine in Windows Virtual PC, you first must uninstall Virtual Machine Additions before attaching the VHD to the machine in Windows Virtual PC.

Types of VHDs
There are three types of VHDs: fixed-size disks, dynamically expanding disks, and differencing disks.
• Fixed-size disks take up all of the space that the VHD is allowed to have. For instance, if you create a fixed disk that is 64 GB, the VHD file will occupy 64 GB of hard-disk space from the time of creation, and its size will never vary. However, this type of disk provides the best performance for virtual machines, and we recommend that you use it if you have a disk-intensive application in the virtual machine.
• Dynamically expanding disks increase in size to take up space as required. The size that you specify when you create a dynamically expanding disk indicates the maximum size to which the disk can grow. For instance, if you create a dynamically expanding disk of size 64 GB, the VHD file might initially occupy only a few hundred kilobytes (KB). It then will grow upon usage to occupy the maximum size that you specify (64 GB). Note, however, that the guest operating system believes it has the full 64 GB from the start. Additionally, these disks do not shrink automatically when you delete some files inside the virtual machine. You must use the Compact option for this. Dynamically expanding disks have slightly slower performance than fixed-size disks, to which you can convert them, if necessary.
• Differencing disks are VHDs that you use to isolate changes to a VHD or the guest operating system by storing them in a separate file. A differencing disk is associated with another VHD that you select when you create the differencing disk. This means that the disk to which you want to associate the differencing disk must exist first.
Later topics will provide more detail on these types of disks.

Native VHD Support in Windows 7
In addition to the ability to use VHD files as storage, Windows 7 provides native support for booting from a VHD file rather than from the system boot files on the system's hard disk. Booting from VHD enables you to mount a VHD as a bootable drive and, as the name implies, boot from it. This can be very useful for creating multiple operating-system installations without having to create multiple operating-system partitions on your hard drive. However, when you boot a physical machine from a VHD, you do not start a virtual machine. Rather, you use a VHD in place of the physical drive. The operating system that is booted from the VHD has the same level of access to hardware as an OS installed in the traditional way.

What Are Differencing Disks?

Key Points
One specific type of disk that you can use inside a virtual machine is a differencing disk. A differencing disk is a VHD that you use to isolate changes to a VHD or the guest operating system by storing them in a separate file. A differencing disk is always associated with another VHD that you select when you create the differencing disk. This means that the disk to which you want to associate the differencing disk must exist first. This VHD is the parent disk, and the differencing disk is typically called the child disk. The parent disk is sometimes called the base disk.

The parent disk can be any type of VHD, even another differencing disk. The differencing disk stores all changes that would otherwise be made to the parent disk if the differencing disk were not in use. The differencing disk provides an ongoing way to save changes without altering the parent disk. You can use the differencing disk to store changes indefinitely, as long as there is enough space on the physical disk where you store the differencing disk. The differencing disk expands dynamically as data is written to it, and it can grow as large as the maximum size that you allocated for the parent disk when you created it. When you create the differencing disk and attach it to the virtual machine, the operating system reads data from both the parent disk and the differencing (child) disk at once. You typically do not use differencing disks in production environments.

Note: We recommend that you write-protect or lock the parent disk before using the differencing disk. Otherwise, if some other process modifies the parent disk, all differencing disks related to it become invalid, and all data written to the differencing disks is lost. You also need to modify the virtual machine by replacing the parent disk with the differencing disk. Otherwise, you will receive an error when you try to start the virtual machine because it cannot use a read-only disk.

Managing the contents of differencing disks
You can distribute the contents that the differencing disk stores by merging the differencing disk with the parent disk. This modifies the parent disk with all the changes that the differencing disk stores, and then deletes the differencing disk. There also is an option to merge changes to a new disk. Merging to a new VHD retains both the parent disk and the differencing disk in their current state, and creates a new VHD that is a combination of the contents of the parent disk and the differencing disk. You can use this new disk as a parent for a new virtual machine.

Using multiple differencing disks with one parent disk
You can associate more than one differencing disk to a parent, which means that virtual machines can share one parent disk but have their own differencing disk. This can be useful in a variety of scenarios. For example, a test engineer or call-center technician could have a dozen or more virtual machines with different configurations, such as different software updates and installed applications. The virtual machines could share a parent disk that contains the operating system, which is common to all virtual machines, and each virtual machine could have its own differencing disk to store the configuration that differs from the parent.

Note: If you use multiple differencing disks that share a parent disk containing an operating system, you must apply any software updates to each differencing disk. If you apply the software update to the parent disk, all differencing disks associated with that parent disk would be unusable.

Chaining differencing disks
You can chain differencing disks, which means that a differencing disk can have another differencing disk as a parent disk. Depending on how you design the chain, you can save considerable disk space. For example, if you want to test upgrade scenarios or version compatibility, you could use a parent disk as the base and a chain of differencing disks for the consecutive versions. This approach would save disk space if each differencing disk contained one update only.

Note: Chaining several differencing disks and connecting them to one virtual machine can impair performance, as the operating system must read from several VHD files at the same time. Because of that, we recommend that you keep the number of chained differencing disks under five. When you create a chain of differencing disks, it is particularly important to lock all disks except the most recent child disk. Any changes made to any older disks would invalidate all later disks in the chain. However, the most recent child disk must be writable so that a virtual machine can use it.

Question: What can you achieve by associating multiple differencing disks to one parent disk?
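
The parent and child relationship described for differencing disks and chains can be checked directly in the VHD files. The following is an added example, not part of the course material: it reads the VHD footer and dynamic disk header (field offsets as laid out in the published VHD image format specification), reports the disk type, and verifies that each differencing disk names the disk actually placed beneath it and that the chain stays under five differencing disks. The function names and the sample images are constructed for this illustration.

```python
import io
import struct
import uuid

DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
MAX_DIFF_DISKS = 5  # the text recommends keeping chained differencing disks under five


def checksum(block, field_at):
    """One's complement of the byte sum, with the 4-byte checksum field read as zero."""
    body = block[:field_at] + bytes(4) + block[field_at + 4:]
    return ~sum(body) & 0xFFFFFFFF


def read_vhd(stream):
    """Parse the 512-byte footer (and dynamic header, if any) of a VHD image."""
    stream.seek(0, io.SEEK_END)
    stream.seek(max(stream.tell() - 512, 0))
    footer = stream.read(512)
    if len(footer) != 512 or footer[:8] != b"conectix":
        raise ValueError("no VHD footer")
    disk_type, stored = struct.unpack_from(">II", footer, 60)
    if stored != checksum(footer, 64):
        raise ValueError("footer checksum mismatch")
    info = {
        "type": DISK_TYPES.get(disk_type, "other"),
        "disk_size": struct.unpack_from(">Q", footer, 48)[0],  # size the guest sees
        "id": uuid.UUID(bytes=footer[68:84]),
        "parent_id": None,
    }
    if disk_type in (3, 4):
        # Dynamic and differencing disks carry a 1024-byte header at "data offset".
        stream.seek(struct.unpack_from(">Q", footer, 16)[0])
        header = stream.read(1024)
        if len(header) != 1024 or header[:8] != b"cxsparse":
            raise ValueError("no dynamic disk header")
        if struct.unpack_from(">I", header, 36)[0] != checksum(header, 36):
            raise ValueError("dynamic header checksum mismatch")
        if disk_type == 4:
            info["parent_id"] = uuid.UUID(bytes=header[40:56])
    return info


def verify_chain(streams):
    """streams: images ordered newest child first, base disk last. Returns problems."""
    disks = [read_vhd(s) for s in streams]
    problems = []
    for child, parent in zip(disks, disks[1:]):
        if child["type"] != "differencing":
            problems.append("%s disk %s cannot have a parent" % (child["type"], child["id"]))
        elif child["parent_id"] != parent["id"]:
            problems.append("disk %s expects parent %s but found %s"
                            % (child["id"], child["parent_id"], parent["id"]))
    if disks[-1]["type"] == "differencing":
        problems.append("chain ends in a differencing disk; base disk missing")
    depth = sum(d["type"] == "differencing" for d in disks)
    if depth >= MAX_DIFF_DISKS:
        problems.append("%d chained differencing disks (keep under %d)"
                        % (depth, MAX_DIFF_DISKS))
    return problems


def build_image(disk_type, disk_id, parent_id=None, disk_size=64 << 30):
    """Constructed sample image: valid footer and header, no sector data or BAT."""
    footer = bytearray(512)
    footer[0:8] = b"conectix"
    struct.pack_into(">Q", footer, 16, 0xFFFFFFFFFFFFFFFF if disk_type == 2 else 512)
    struct.pack_into(">QQ", footer, 40, disk_size, disk_size)
    struct.pack_into(">I", footer, 60, disk_type)
    footer[68:84] = disk_id.bytes
    struct.pack_into(">I", footer, 64, checksum(footer, 64))
    if disk_type == 2:
        return io.BytesIO(bytes(footer))
    header = bytearray(1024)
    header[0:8] = b"cxsparse"
    if parent_id is not None:
        header[40:56] = parent_id.bytes
    struct.pack_into(">I", header, 36, checksum(header, 36))
    # Layout: footer copy at offset 0, dynamic header at 512, footer at the end.
    return io.BytesIO(bytes(footer) + bytes(header) + bytes(footer))


def demo():
    base_id, other_id, child_id = (uuid.UUID(int=n) for n in (1, 2, 3))
    base = build_image(2, base_id)
    swapped = build_image(3, other_id)  # a different disk put in the parent's place
    child = build_image(4, child_id, parent_id=base_id)
    return verify_chain([child, base]), verify_chain([child, swapped])


if __name__ == "__main__":
    intact, broken = demo()
    print("intact chain:", intact or "consistent")
    print("wrong parent:", broken)
```

Against real files, pass streams opened with `open(path, "rb")` in child-first order; the check reads only the footer and header, never the disk contents.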

What Are Undo Disks?

Key Points
Undo Disks is a feature that saves changes to a virtual machine's data and configuration in a separate undo disk file in case you want to reverse the changes. The feature provides you with a way to decide whether to modify a virtual machine and its disks permanently each time you end a virtual machine session or revert the virtual machine to its initial state. When you enable Undo Disks, it applies to all VHDs installed on the virtual machine. When you run a virtual machine that is using Undo Disks, any changes to a VHD are temporarily stored in an undo disk (.vud) file, rather than in the original VHD file. This is very similar to using differencing disks. However, there are two notable differences. A differencing VHD is associated with one VHD rather than with the virtual machine, and you are not prompted to decide what to do with the changes when you shut down a virtual machine.

When you enable Undo Disks, you have the following options to manage them.
• Apply changes. This option updates the original VHD with all changes that were stored in the undo disk file. This is similar to merging a differencing disk with its parent disk. You can access this option through Virtual Machine settings.
• Discard changes. This option deletes the undo disk file and leaves the original hard disk file unchanged. Windows Virtual PC creates a new, empty undo disk file the next time you turn on the virtual machine. You can do this by choosing the Turn off and delete changes option when closing the virtual machine or by choosing the Discard Changes option from the Virtual Machine settings.
When you discard or apply changes on an undo disk, that action applies to all changes that it stores. In other words, you cannot selectively delete or apply changes on an undo disk. The undo disk file is always created in the same folder as the virtual machine configuration file.

Note: Undo disks do not contain virtual machine configuration changes. Windows Virtual PC does not support snapshots like Hyper-V does. Undo disks provide similar functionality.

Demonstration: Creating VHDs

In this demonstration, your instructor will show you how to create various types of VHDs.

Demonstration steps:
• Create a dynamically expanding VHD in Windows Virtual PC.
• Create a differencing VHD in Windows Virtual PC.
• Create a VHD in Windows 7 Disk Management.
• Attach VHDs.

USB Support in Windows Virtual PC

Key Points
Windows Virtual PC supports USB devices in virtual environments. This means that you can access various USB devices, such as USB memory sticks, printers, or scanners, from applications that are installed in the virtual machine. You can install up to eight USB devices inside the virtual environment.

USB architecture in Windows Virtual PC
Windows Virtual PC uses the Redirection Policy Manager (RPM) of Windows to provide USB redirection in a virtual machine. It loads an alternate driver in lieu of the original driver to redirect the device to a virtual machine. WVPC creates a virtualized host controller in the virtual machine that is offered by using a Virtual PC bus channel.

USB architecture consists of a server-side component running in the host operating system and a client-side component that is running in the virtual machine. The server side involves a connector driver to manage USB devices and a stub instance for every USB device. The client side implements a VPC bus-enumerated virtual host controller that supports the subset of the USB driver interfaces that are necessary for compatibility with the supported devices. The redirection process also triggers the connector driver to send commands to the guest to create the physical device object (PDO) for the redirected device. Then the stub driver, connector driver, and the virtual bus or hub driver work in unison to enable communication of commands, responses, and data between the physical USB device and the redirected USB device.

USB device usage in Windows Virtual PC
You can use USB devices in two ways: sharing and redirection. In the default mode, with all integration features enabled, you can use storage devices, printers, and smart cards without having to redirect the device manually, by simply sharing it with the physical host. This requires that the device driver is available both in the virtual machine and on the host. If the driver is not available in Windows 7, but is available for the operating system inside the virtual machine, you can redirect the device to the virtual machine. This means that access to the device will be available only to the virtual machine.

Using Group Policy to manage device redirection
You can use Group Policy to prevent the redirection of selected USB devices to a virtual machine, such as for security or compliance reasons. You can do this at the per-device or device-class level. Additionally, you can prevent the use of all USB devices inside a virtual machine. These settings are helpful in an organization where users are not allowed to use these devices in the physical machine. These Group Policy settings can be found by clicking Computer Configuration, clicking Administrative Templates, clicking System, clicking Device Redirection, and then clicking Device Redirection Restrictions.

Networking Options for Virtual Machines

Key Points
Inside the Virtual Machine settings console, you can configure networking options if you want to connect a virtual machine to different types of networks. You can connect each virtual machine to four networks, which means that you can have up to four virtual network adapters installed inside a virtual machine. The Virtual PC host application emulates Intel DEC 21140A network cards. Each emulated network adapter is assigned a unique media access control (MAC) address in the range 00-03-ff-XX-XX-XX. The last three octets are calculated using the host network adapter MAC address. For each network adapter, you can configure the different types of networks that it connects to, including:
• Not connected. If you configure the network adapter as not connected, it has no connection to any network. It appears in the device manager of the virtual machine, but it is in a disconnected state. It is the same as a physical network adapter with no connection.

• Internal Network. When you connect the virtual network adapter to this network, it can connect only to the other virtual machines on the same physical machine. A software switch, also known as a virtual switch, inside Windows Virtual PC forwards the packets directed to the destination virtual machine without connecting to any external network on the host. This is useful for cases where you want to connect two or more machines that are completely isolated from the network.

Note: In Hyper-V terminology, Internal Network is used for communication between virtual machines, and between virtual machines and the host operating system. In Windows Virtual PC, you cannot communicate with the host via this network.

• Host network adapter. This option provides you with the ability to connect the virtual machine network adapter to any physical network adapter in the host machine, in bridge mode. This enables you to connect to the external network by using the host network adapters. When you connect the virtual machine by using this option, the virtual card has a unique presence on the network, just like any other physical host machine. This option requires that you install the Virtual PC network filter driver in the host's networking stack. This driver is installed during the Windows Virtual PC installation process, and by default, it binds to all network adapters based on 802.3/802.11. To disable the Virtual PC Network Filter, double-click the network adapter in the Network and Sharing Center and click Properties of the host machine's physical network adapter; disabling the filter prevents the virtual machine from using that adapter. If you connect the machine to a physical host adapter, it can communicate with all other hosts on that network (physical and virtual) and with the host where the virtual machine resides.
• Shared Networking (NAT). Shared networking, or NAT, is another way that the guest can connect to the external network. The main difference between this and the bridge mode is that the virtual machine is behind the NAT, and it does not have a unique identity in the external network. It supports all connections that use TCP/IP. When you connect by using the bridge mode, you must use a separate IP address for the guest, so if there is a shortage of IP addresses, this option may not work. Conversely, NAT would be a good option in this scenario. You also can use this option when you do not want to connect directly to an external network and want to remain behind this NAT. This acts as a strong firewall that protects the guest from outside attacks.

There are certain limitations when you connect by using NAT. If the payload contains the source IP address, then the connection may break when the IP address is replaced with the host's address, because the payload still will contain the guest IP address. We do not support connecting with a virtual private network (VPN) that is inside the guest. Some VPN connections require the opening of raw sockets, which require administrative privileges to open successfully. Conversely, the Windows Virtual PC application runs in the user context. Applications that use TCP/IP, like browsing the Internet, Windows Live Messenger, and shared access, will work when you connect by using NAT. We recommend that you connect by using the bridge mode when the guest needs to use VPN.

Note: You can use shared networking only on the first network adapter in the virtual machine.

Question: If you use shared networking on a virtual network adapter, can the virtual machine communicate with the host computer, such as when it needs to share files?

Demonstration: Creating and Configuring Virtual Machines

In this demonstration, your instructor will show you how to create and configure virtual machines in Windows Virtual PC.

Demonstration steps:
• Create a virtual machine, and then configure it to use an existing disk.
• Change the virtual machine configuration settings.
• Start the virtual machine.
• Demonstrate different networking types.

Lesson 3

Installing, Configuring, and Managing the Windows XP Mode

Windows XP Mode is a benefit of using Windows 7 and Windows Virtual PC. It provides users with a virtual machine that is preconfigured with Windows XP Professional SP3 installed, primarily to support usage of older applications and devices that cannot work with Windows 7. Windows XP Mode supports seamless application integration, which means that you can run applications installed inside the virtual machine in the same way as you run existing applications installed locally on the Windows 7 machine. This lesson focuses on installing, configuring, and managing Windows XP Mode on Windows 7.

What Is Windows XP Mode?

Key Points
Designed primarily with small businesses in mind, Windows XP Mode for Windows 7 enables a user to install and run Windows XP applications directly from a Windows 7-based PC. With Windows Virtual PC, Windows XP Mode works in Windows 7 Professional, Enterprise, and Ultimate, and provides a 32-bit Windows XP Professional Service Pack 3 environment that is preloaded on a VHD. Since Windows XP Mode is running inside the Windows Virtual PC environment, the same requirements apply as for other virtual machines that are running inside Windows Virtual PC. Windows XP Mode is not a part of Windows Virtual PC. You must download it separately from the Microsoft Download Center, and then install it manually. We recommend that you download and install Windows XP Mode first, and then install the Windows Virtual PC environment.

Note: Windows XP Mode is available only for Windows Virtual PC and Windows 7. You cannot use it with Virtual PC 2007.

Using Windows XP Mode is faster and easier than creating your own virtual machine because Windows Virtual PC creates the virtual machine for you, configures it to run Windows XP, and then installs the following:
• The Integration Components package. These components improve the experience of using a virtual machine by providing features that improve interactions between the virtual machine and the physical computer.
• Support for virtual applications. This feature requires an update to the guest operating system. In Windows XP Mode, this update is installed by default.

Additionally, since Windows XP Mode is free for Windows 7 users, you do not have to buy separate licenses to run a virtual instance of Windows XP on your Windows 7 machine.

Note: Although some of the features of Windows Virtual PC improve the integration between the host operating system and a guest operating system, such as Windows XP, the operating systems are separate, and you must manage them separately. For example, to receive the maintenance benefits that features and tools such as Windows Update and antivirus programs provide, you must install and run them in the guest operating system.

Windows XP Mode provides users with a number of productivity features and benefits, including:
• Folder integration to allow access to the hosting Windows 7 disk drives within XP Mode.
• Seamless applications to access the XP Mode application in the All Programs menu from the hosting Windows 7 machine.
• USB support for XP Mode.
• Clipboard sharing between a hosting Windows 7 machine and XP Mode.
• Printer redirection for XP Mode.

All of these features are ready to use immediately after you install Windows XP Mode.

Note: The Windows XP virtual machine that is running in Windows XP Mode is networked by default with the hosting Windows 7 machine by using NAT. You can change this in the virtual machine settings.

When you use Windows XP Mode, you should consider that XP Mode is, in effect, a virtual machine like the other virtual machines that you create. This means that you can configure most settings for a Windows XP Mode virtual machine, just like you would configure settings on any other virtual machine.

Storage required for running Windows XP Mode
By default, Windows XP Mode uses space on the system drive to store the virtual machine and VHDs. The virtual machine requires two VHDs:
• A parent VHD. The default location is %systemdrive%\Program Files\Windows XP Mode. This is the preconfigured default drive inside the Windows XP Mode package, which you download from the Microsoft Download Center.
• A differencing VHD. By default, Windows XP Mode Setup creates this disk at %systemdrive%\Users\<username>\AppData\Local\Microsoft\Windows Virtual PC\Virtual Machines. This disk is specific for each user on the Windows 7 machine that is using Windows XP Mode. For each user, a new differencing disk is created. This enables each user to configure his own Windows XP Mode environment and applications.

Question: What is an example of a typical usage scenario for Windows XP Mode?


Demonstration: Setting Up Windows XP Mode

In this demonstration, your instructor will show you how to install and set up Windows XP Mode.

Demonstration steps:
- Start Windows XP Mode setup.
- Create a password.
- Configure the Windows Update options.
- Configure drive sharing.
- Set up Windows XP Mode.
- Configure Windows XP Mode in full screen mode.


Publishing Virtual Applications

Key Points
If you are running a Windows XP Mode virtual machine as a guest operating system, you can run an application installed in a virtual machine directly from the Start menu of the host operating system. This makes it possible for you to run Windows 7 as the host operating system, and then use existing applications, while avoiding problems that might occur if the applications are not compatible with Windows 7. This method of running an application is called a virtual application. You can publish and use virtual applications if the guest operating system is Windows XP Professional Service Pack 3, Windows Vista Enterprise Service Pack 1, Windows Vista Ultimate Service Pack 1, Windows 7 Enterprise, or Windows 7 Ultimate. This scenario does not support other operating systems.


When you publish a virtual application to a Windows 7 host operating system, files on the host will be associated with the virtual application if those files are not already associated with an application on the host operating system. If the drive on which the file is stored is shared with the virtual machine, you can double-click the file, and the virtual application will open the file.

Note: The system tray of the host operating system may include icons of programs that are running in a virtual machine. For these programs, the tooltip includes (Remote) to help you identify which programs are running in a virtual machine. If the same program is running in both the host and guest operating systems, the system tray shows two instances of the same icon.

Automatic publishing of virtual applications

For each virtual machine inside Windows Virtual PC that is running a supported operating system, you can configure Automatic Publishing of virtual applications inside the virtual machine to a physical host that is running Windows 7. This means that each application installed inside the virtual machine will appear in the Start menu of the Windows 7 computer, and will work via seamless integration.

For a Windows-based virtual machine (Windows XP SP3 and newer versions), you need to install the Update for Windows XP SP3 or above to enable RemoteApp, or the Update for Windows Vista SP1 or above to enable RemoteApp, inside the virtual machine. The Windows XP Mode VHD has this package preinstalled. Also, you need to ensure that autopublishing is enabled in the virtual machine settings. You can verify this by opening the settings for the virtual machine, and then navigating to Auto Publish Setting.

By default, applications installed under the All Users profile are autopublished to the Windows 7 host. Therefore, if an application has created its shortcuts in the All Users profile, no action is required from the user. However, there are applications that do not install for the All Users profile, and which are installed for the current user only. In that case, you should copy the application shortcut from the current user profile to the All Users profile so that the application can be published.

Controlling application publishing

Though autopublishing works automatically, with virtually no user intervention required, there are ways in which you can control publishing.


Exclude List

You may want some applications that you install in the guest to remain unpublished to the host's Start menu. For this purpose, there is a list inside the guest registry called the Exclude List. This list contains full paths of applications that you do not want to publish to the host's Start menu. The Exclude List is present in the guest registry at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Virtual Machine\VPCVAppExcludeList.

Manual publishing

Another way you can control the applications that are published to the host Start menu is through manual publishing. In this scenario, the user disables autopublishing, and then takes total control of what is published to the host's Start menu. This is very useful for IT administrators who want to restrict applications that are published, irrespective of the number of applications that the user installs inside the guest. Applications that publish to the host Start menu have an entry in the guest registry that the WMI class Win32_TSPublishedApplication manages. You can use scripting to manipulate this WMI class to publish, and rescind publication of, applications manually.


Demonstration: Publishing and Working with Published Applications

In this demonstration, your instructor will show you how to publish applications and work with published applications.

Demonstration steps:
- Demonstrate that the virtual machine has enabled Auto Publish.
- Install Microsoft Access version 2.0 inside Windows XP Mode.
- Show that application shortcuts are added to the Start menu in Windows 7.
- Show that the Start menu's search functionality finds them.
- Start the virtual application.


Additional Considerations for Implementing Windows XP Mode

Key Points
After you deploy Windows XP Mode, you can perform additional configuration of the Windows XP virtual machine. Some of the most common management tasks and considerations for Windows XP Mode are:
- Joining a Windows XP Mode virtual machine to a workgroup or domain. Just like any other computer, this machine can be a domain or workgroup member. You do this by using the same procedures as with a physical host. Before doing this, make sure that the virtual machine is connected to your network so that it can access the workgroup or domain. In order for the Windows XP Mode machine to have access to the network, you should connect it to your physical adapter.


- Managing saved credentials. When deploying Windows XP Mode, during its initial setup, you must provide a password for a default user called XPMUser. This password is saved, so the user is not prompted to enter it when starting the Windows XP Mode virtual machine. This is very convenient, especially when you are using virtual applications. However, if you want to clear saved passwords for this or other user accounts, you can do it by using the Settings menu for the virtual machine. You should be aware that this account is a member of the Administrators group.
- Using Undo Disks. When you are using a Windows XP Mode virtual machine, you can use the Undo Disk option, which is disabled by default. You can enable it by using the Settings menu. This option is useful if you want to revert a virtual machine to its pre-session state.
- Using antivirus and antispyware protection. The Windows XP Mode virtual machine does not have antivirus or antispyware software installed. Since this machine behaves as any other computer on the network, the host machine cannot protect it. Therefore, it is very important to update this machine regularly through the Windows Update service and to install antivirus and antispyware software, especially if you are connecting this machine to the Internet.


Lesson 4

Creating and Deploying Custom Images of Windows XP Mode

Besides using the precreated Windows XP Mode virtual machine, you also can make your own virtual machines. You can make VHD templates that you can use to create new virtual machines, or you can convert physical hard disks that have Windows XP installed to VHDs. This lesson focuses on these tasks, and provides you with information about deployment techniques.


Creating a Custom Windows XP Image

Key Points
Some users may choose to use a custom Windows XP virtual machine instead of the precreated one in Windows XP Mode. That means that you create a virtual machine manually, as well as the virtual hard drive, and then install the supported operating system, which would be Windows XP. After that, you will need to install the integration features to provide integration between the virtual machine and the Windows 7 host computer. Lastly, you have to install the available updates for the virtual machine's operating system, and the applications that you will use in the virtual environment. Additionally, we recommend that you install antivirus software inside the virtual machine, because the host operating system does not protect it from viruses.

Note: Building your own Windows XP Mode images requires Windows XP with Service Pack 3 and the proper license.


If you want to use application integration features, you will need to install an update to the operating system inside the virtual machine. If you have installed Windows XP SP3, you need update KB961742. If you have Windows Vista installed, you need KB961741. These updates provide RemoteApp support inside the virtual machine operating systems. RemoteApp is a technology from Windows Server 2008, and it enables you to run remote or virtual applications, as well as local applications. A Windows XP Mode virtual machine does not require this update, since it is preinstalled.

If you will be distributing a Windows XP virtual machine to several users, or you will be including it in a Windows 7 image file, we recommend that you perform preparation with the Sysprep utility, especially if the machine will have a network connection. The Sysprep utility will generalize the operating system inside the virtual machine, and during the next boot it will create a new machine security identifier (SID) that makes each machine setup unique. To automate the setup wizard, you can use the Sysprep.inf answer file. Sysprep.inf is a text file that contains settings for automating installation. The easiest way to build Sysprep.inf for automating installation is to use Setup Manager, which is included in the Windows XP deployment tools.

Question: Why would you build your own Windows XP virtual machine instead of using Windows XP Mode?


Capturing a Windows XP Image by Using the Disk2vhd Utility

Key Points
Disk2vhd is a utility that creates VHD versions of physical disks for use in Windows Virtual PC or Hyper-V virtual machines, which makes the process of converting physical computers to virtual machines easier and more convenient. It allows you to continue using the same volume with the same data from the physical disk (and computer) in the virtual machine. The difference between Disk2vhd and other physical-to-virtual tools is that you can run Disk2vhd on an online system. Disk2vhd uses the Volume Snapshot capability, introduced in Windows XP, to create consistent point-in-time snapshots of the volumes that you want to include in a conversion. However, Disk2vhd cannot replicate computer hardware configuration to virtual machine hardware configuration (like System Center Virtual Machine Manager 2008 does), so you will need to create a new virtual machine with hardware characteristics similar to the physical computer, and then attach a disk to it.


The Disk2vhd tool creates one VHD for each disk on which selected volumes reside. It preserves the partitioning information of the disk, but only copies the data contents for volumes on the disk that you select. This enables you to capture just system volumes and exclude data volumes, for example.

Note: Virtual PC supports a maximum virtual disk size of 127 GB. If you create a VHD from a larger disk, it will not be accessible from a Virtual PC virtual machine.

To use VHDs that Disk2vhd produces, create a virtual machine with the desired characteristics, and add the VHDs to the virtual machine's configuration as Integrated Drive Electronics (IDE) disks. On first boot, a virtual machine that is booting a captured copy of Windows will detect the virtual machine's hardware and automatically install drivers, if they are present in the image. If the required drivers are not present, you can install them via the Windows Virtual PC or Hyper-V integration components. You also can attach to VHDs by using the Windows 7 or Windows Server 2008 R2 Disk Management or Diskpart utilities. Disk2vhd runs on Windows XP SP2, Windows Server 2003 SP1, and newer versions, including x64 systems.

Note: Do not attach to VHDs on the same system on which you create them, if you plan to boot from them. If you do so, Windows will assign the VHD a new disk signature to avoid a collision with the signature of the VHD's source disk. Windows references disks in the boot configuration database (BCD) by disk signature, so when that happens, Windows booted in a virtual machine will fail to locate the boot disk.


Considerations for Deploying and Maintaining Windows XP Images

Key Points
Before you deploy the Windows XP virtual images that you created to client computers, you should consider the following:
- Files that should be included. Every virtual machine consists of two files. One is the configuration file, with a .vmcx extension, and the other is the virtual hard drive with a .vhd extension. If you want to have a virtual machine ready out-of-the-box, or manually import a virtual machine on another computer, you need to have both files present.
- Using differencing disks. The usage of differencing disks can affect performance. If you will be using differencing disks, and if you are going to chain them, be sure to deploy all disks, together with the parent disk, to clients that will be using Windows XP virtual machines.


- Planning Antivirus and Security. When you run Windows XP Mode on a host computer, the antivirus and security applications on the host computer do not provide coverage for the virtual machine that is running Windows XP. Therefore, you must install any antivirus and other security applications in your virtual Windows XP image. Consult the license agreement for your antivirus and security applications to determine whether installation on the host computer and in a virtual Windows XP image uses a single seat or two seats. Most antivirus vendors are aware of the problem and are working on licensing solutions to solve it.

Note: Microsoft Security Essentials is a free antimalware product that you can use to protect physical and virtual environments. Consider using it to protect your virtual machines.

- Management of updates. Before installing any applications on the virtual Windows XP image, updating the image is important. Download and install the latest security updates from Microsoft Update. Review any recommended and optional updates for installation, as well. For businesses that do not have an update infrastructure, you can simply use Windows Update to update the virtual Windows XP image. You also can manually download and install updates from the Microsoft Download Center, but this makes little sense considering the ease and convenience of using Windows Update. Organizations that have an update infrastructure like Windows Server Update Services (WSUS) will use it to update their virtual Windows XP image.
- Activation issues. Depending on the license program that your company has, you may have to activate the virtual machine. Be aware that Windows Vista brings new Volume Activation 2.0, which requires that you activate every machine.
- Image Maintenance. After you deploy Windows XP virtual machines to your clients, you will have to provide support and maintenance for these machines. This includes installing new versions of software, installing updates and fixes, and other upkeep.
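Two VHD points made in this lesson, the 127 GB Virtual PC limit noted for Disk2vhd captures and the need to ship every differencing disk together with its parent, can be checked before deployment by reading the VHD footers. The following Python check is an added example, not part of the course material; it assumes the published VHD footer and dynamic-header layout, reads 127 GB as 127 * 1024^3 bytes, and all file names and footers in it are constructed sample data.

```python
"""Pre-deployment check of VHD files for Windows Virtual PC (added example)."""
import struct

SECTOR = 512
VPC_MAX_BYTES = 127 * 1024**3   # assumption: the text's 127 GB read as binary gigabytes
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}


def footer_checksum(footer):
    """One's complement of the byte sum, skipping the checksum field at bytes 64..67."""
    return ~(sum(footer[:64]) + sum(footer[68:])) & 0xFFFFFFFF


def parse_footer(footer):
    """Decode the fields of the 512-byte VHD footer that matter for deployment."""
    if len(footer) != SECTOR or footer[:8] != b"conectix":
        raise ValueError("not a VHD footer")
    (data_offset,) = struct.unpack_from(">Q", footer, 16)
    (current_size,) = struct.unpack_from(">Q", footer, 48)
    disk_type, stored_sum = struct.unpack_from(">II", footer, 60)
    return {
        "type": DISK_TYPES.get(disk_type, "unknown"),
        "size": current_size,
        "data_offset": data_offset,
        "uuid": bytes(footer[68:84]),
        "checksum_ok": stored_sum == footer_checksum(footer),
    }


def parent_uuid(dyn_header):
    """Parent unique ID stored in the dynamic disk header of a differencing VHD."""
    if dyn_header[:8] != b"cxsparse":
        raise ValueError("not a dynamic disk header")
    return bytes(dyn_header[40:56])


def read_vhd(path):
    """Read (footer, dynamic_header_or_None) from a real VHD file."""
    with open(path, "rb") as f:
        f.seek(-SECTOR, 2)                 # the footer is the last sector of the file
        footer = f.read(SECTOR)
        info = parse_footer(footer)
        header = None
        if info["type"] != "fixed":        # fixed disks have no dynamic header
            f.seek(info["data_offset"])
            header = f.read(1024)
    return footer, header


def check_chain(chain):
    """chain: [(name, footer, dyn_header)], child first and base parent last."""
    infos = [(name, parse_footer(footer), hdr) for name, footer, hdr in chain]
    problems = []
    for i, (name, info, hdr) in enumerate(infos):
        if not info["checksum_ok"]:
            problems.append(f"{name}: footer checksum mismatch")
        if info["size"] > VPC_MAX_BYTES:
            gb = info["size"] // 1024**3
            problems.append(f"{name}: {gb} GB exceeds the 127 GB limit")
        if info["type"] == "differencing":
            if i + 1 == len(infos):
                problems.append(f"{name}: parent VHD missing from the package")
            elif parent_uuid(hdr) != infos[i + 1][1]["uuid"]:
                problems.append(f"{name}: parent ID does not match {infos[i + 1][0]}")
    return problems


# ---- constructed sample data (not real disks) ----
def make_footer(disk_type, size, uid, data_offset=0xFFFFFFFFFFFFFFFF):
    f = bytearray(SECTOR)
    f[0:8] = b"conectix"
    struct.pack_into(">II", f, 8, 2, 0x00010000)    # features, file format version
    struct.pack_into(">Q", f, 16, data_offset)
    struct.pack_into(">QQ", f, 40, size, size)      # original size, current size
    struct.pack_into(">I", f, 60, disk_type)
    f[68:84] = uid
    struct.pack_into(">I", f, 64, footer_checksum(f))
    return bytes(f)


def make_dyn_header(parent_uid):
    h = bytearray(1024)
    h[0:8] = b"cxsparse"
    h[40:56] = parent_uid
    return bytes(h)


GB = 1024**3
BASE_ID, CHILD_ID = bytes(range(16)), bytes(range(16, 32))
BASE = make_footer(3, 126 * GB, BASE_ID, data_offset=SECTOR)
CHILD = make_footer(4, 126 * GB, CHILD_ID, data_offset=SECTOR)
GOOD_CHAIN = [("user.vhd", CHILD, make_dyn_header(BASE_ID)), ("base.vhd", BASE, None)]
BAD_CHAIN = [("user.vhd", CHILD, make_dyn_header(b"\xaa" * 16)),
             ("captured.vhd", make_footer(2, 200 * GB, BASE_ID), None)]

if __name__ == "__main__":
    for label, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        print(label, check_chain(chain) or "ok")
```

For real files, build the chain with read_vhd() for each VHD in the package, ordered from the per-user differencing disk down to the base parent.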


Process for Deploying Windows XP Mode Images

Key Points
It is much more convenient to deploy Windows XP virtual machines to client computers by using Windows XP Mode virtual images instead of creating new Windows XP virtual machines. You can customize a Windows XP Mode virtual machine prior to deployment to client machines. That means that you can include your own applications, security updates, and settings inside this virtual machine before deployment. This process consists of several steps:

1. Determining readiness to run Windows XP Mode. Before deploying Windows XP Mode to client computers, you must ensure that they are capable of running it. In some cases, you might need to upgrade the hardware or free disk space. Although it is no longer necessary to have hardware virtualization support on the CPU level in order to run Windows XP Mode, you must check if all computers have enough memory and free space to run the Windows XP Mode virtual machine.


2. Customizing Windows XP Mode images. Before deployment to client computers, you will want to perform additional customization of your Windows XP Mode virtual machine. The easiest way to do this is to extract the VHD from the Windows XP Mode machine. First, you should download Windows Virtual PC and Windows XP Mode from the Windows Virtual PC Home Page, and then install them on a computer. Then copy the VHD from the Windows XP Mode program files directory (%ProgramFiles%\Windows XP Mode\Windows XP Mode base.vhd) to an alternate location. Do not create a differencing disk or use undo disks with this VHD. After copying the VHD, remove the read-only attribute from the file, and create a virtual machine that uses it as a primary VHD. By using this option, you are customizing the copy of the VHD that Windows XP Mode provides. This VHD already has the required components installed. After you boot your newly created virtual machine, you are ready to install applications in the Windows XP Mode VHD file. You probably will want to install an antimalware application and some of your business-related applications that you will use as virtual applications from Windows XP Mode. Do not forget to install all available security updates, fixes, and service packs.

3. Preparing a Windows XP Mode image for deployment. After customizing the Windows XP VHD with applications and security updates, you can prepare it for deployment to multiple computers. Do this by running Sysprep. This removes the computer's SID, resets the activation grace period, and configures the image to run the setup wizard the next time it starts. The wizard will customize the image for each installation, creating a unique computer name and SID. Three files are required before you can run Sysprep, and you must copy all of them to C:\Sysprep:
   - Sysprep.exe. This program prepares the image for deployment.
   - Setupcl.exe. This file is required for running Sysprep.exe.
   - Sysprep.inf. This answer file automates all or part of the setup wizard. You can create it by using Setup Manager or create it manually.


Use the following steps to prepare the image by running Sysprep:
   1. On the virtual machine that is running Windows XP Mode, create the folder Sysprep on drive C.
   2. Copy Sysprep.exe and Setupcl.exe from the deployment tools to C:\Sysprep.
   3. Copy the Sysprep.inf file you created in the previous section to C:\Sysprep.
   4. Run C:\Sysprep\Sysprep.exe.
   5. In the System Preparation Tool 2.0, select the Do not reset grace period for activation and Use Mini-Setup check boxes. Then, click Reseal.

4. Deploy virtual machines. At this point, you have a customized Windows XP VHD that you can deploy. Now, you need to distribute this VHD to each destination computer, create the VM configuration (.vmc) file, and register the VM in Windows Virtual PC. The steps for deploying virtual machines are:
   1. Install Windows Virtual PC on each computer. Before deploying the Windows XP VHD, you must deploy the Windows Virtual PC update to each computer on which you intend to deploy the Windows XP VHD. Download the update from the Windows Virtual PC Home Page. You can host the update on a network share and instruct users on how to install it (simply double-click the .msu file to install it). You also can install the update by using a logon script or any software deployment infrastructure that your organization uses. You also can include Windows Virtual PC in your Windows 7 images to ensure its availability. The Microsoft Deployment Toolkit 2010 makes it easy to add updates during Windows 7 deployment.
   2. Remove the Windows XP Mode shortcut from the Start menu. After deploying Windows Virtual PC, you must remove the Windows XP Mode shortcut that Windows Virtual PC creates when you install it. Otherwise, if users click the Windows XP Mode shortcut, Windows Virtual PC will prompt them to download and install the Windows XP Mode package from the Microsoft download site. You can write a script to remove this shortcut (%programdata%\Microsoft\Windows\Start Menu\Programs\Windows Virtual PC\Virtual Windows XP.lnk) or you can use Group Policy Preferences to remove it.


5. Deploy the Windows XP VHD to each computer. To deploy your virtual Windows XP image to multiple computers, copy the VHD to each computer for each user. By default, Windows 7 stores VHD files in %LOCALAPPDATA%\Microsoft\Windows Virtual PC\Virtual Machines. To deploy your customized Windows XP VHD, copy the VHD file to this location for each user on each computer.

6. Create a virtual machine configuration file. You must create this file for each user on each computer. Run cscript CreateVirtualMachine.wsf -p:<vhd_path> vn:<virtual machine name> at an elevated command prompt to create the virtual machine configuration file and register the VM with Windows Virtual PC. You can download the script CreateVirtualMachine.wsf with the Deploying Windows XP Mode guide available in the section of this topic.
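Step 3 of the process above copies a Sysprep.inf answer file into an image that is then distributed to every client, so the file is worth reviewing before you click Reseal. The following Python check is an added example, not part of the course material; both answer files in it are constructed samples with placeholder values, and the entries it inspects (AdminPassword, EncryptedAdminPassword, AutoLogon, ComputerName, DomainAdminPassword) are standard Windows XP answer-file keys.

```python
"""Audit a Windows XP Sysprep.inf answer file before resealing an image (added example)."""

# Constructed sample: every value is a placeholder, not taken from the course files.
RISKY_INF = """\
; answer file that automates the whole mini-setup wizard
[Unattended]
OemSkipEula=Yes

[GuiUnattended]
AdminPassword="Example-Passw0rd"
EncryptedAdminPassword=No
AutoLogon=Yes
OEMSkipRegional=1
OemSkipWelcome=1

[UserData]
FullName="Contoso User"
OrgName="Contoso"
ComputerName=XPMODE-01

[Identification]
JoinDomain=contoso.com
DomainAdmin=join-account
DomainAdminPassword="Example-Passw0rd"
"""

# The same image settings with the exposures removed (constructed sample;
# the AdminPassword value is a 64-character placeholder, not a real hash).
REVIEWED_INF = """\
[Unattended]
OemSkipEula=Yes

[GuiUnattended]
AdminPassword=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
EncryptedAdminPassword=Yes
OEMSkipRegional=1
OemSkipWelcome=1

[UserData]
FullName="Contoso User"
OrgName="Contoso"
ComputerName=*

[Identification]
JoinWorkgroup=WORKGROUP
"""

MESSAGES = {
    "blank-admin-password": "AdminPassword=* leaves the local Administrator password blank",
    "plaintext-admin-password": "AdminPassword is readable (EncryptedAdminPassword is not Yes)",
    "autologon-enabled": "AutoLogon=Yes logs on as Administrator after mini-setup",
    "plaintext-domain-credentials": "DomainAdminPassword stores a domain password in clear text",
    "fixed-computer-name": "ComputerName is fixed, so every deployed copy gets the same name",
}


def parse_inf(text):
    """Return {section: {key: value}} with lower-cased names; full-line ';' comments are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip().strip('"')
    return sections


def audit(text):
    """Return the finding codes (keys of MESSAGES) that apply to one answer file."""
    inf = parse_inf(text)
    gui = inf.get("guiunattended", {})
    ident = inf.get("identification", {})
    user = inf.get("userdata", {})
    findings = []
    password = gui.get("adminpassword")
    if password == "*":
        findings.append("blank-admin-password")
    elif password and gui.get("encryptedadminpassword", "no").lower() != "yes":
        findings.append("plaintext-admin-password")
    if gui.get("autologon", "no").lower() == "yes":
        findings.append("autologon-enabled")
    if "domainadminpassword" in ident:
        findings.append("plaintext-domain-credentials")
    if user.get("computername", "*") != "*":   # "*" asks setup to generate a name
        findings.append("fixed-computer-name")
    return findings


if __name__ == "__main__":
    for label, text in (("risky", RISKY_INF), ("reviewed", REVIEWED_INF)):
        print(label)
        for code in audit(text) or ["no findings"]:
            print("  ", MESSAGES.get(code, code))
```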


Lab: Implementing Windows Virtual PC and Windows XP Mode

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. Ensure that the 10324A-NYC-DC1 and 10324A-NYC-CL2 virtual machines are running. If required, connect to the virtual machines.
2. Log on to the virtual machines as Contoso\Administrator using the password Pa$$w0rd.


Exercise 1: Installing Windows Virtual PC


Scenario
In this exercise, you will first add Windows Virtual PC to Windows 7, explore its configuration options, and then create a virtual machine. You also will install the integration features. The main tasks for this exercise are:
1. Install Windows Virtual PC and the KB977206 update.
2. Create and configure a virtual machine.

Task 1: Install Windows Virtual PC and the KB977206 update


1. On NYC-CL2, install the Windows Virtual PC feature. The installation files are located at \\NYC-DC1\E$\Labfiles\Mod02. Browse to this location with Windows Explorer and then double-click Windows6.1-KB958559-x86.msu.
2. Restart NYC-CL2, and then log on as Contoso\Administrator with the password of Pa$$w0rd.
3. Open Windows Explorer, and browse to \\NYC-DC1\E$\Labfiles\Mod02. Install update KB977206 to remove the hardware virtualization requirement.
4. Restart NYC-CL2, and then log on as Contoso\Administrator with the password of Pa$$w0rd.
5. From the All Programs menu, click Windows Virtual PC to open the Virtual Machines folder.


Task 2: Create and configure a virtual machine


1. On NYC-CL2, in the Virtual Machines folder, click Create Virtual Machine.
2. Configure a new virtual machine with the following settings:
   - Name of virtual machine: VMWorkstation1
   - Accept default path for storing virtual machine
   - 768 MB RAM memory
   - Use host computer network connections
   - Dynamically expanding hard drive stored in C:\VHDs. You will need to create this new folder.
   - Enable Undo Disks
   - Configure machine to go in hibernation when closed.

Results: After this exercise, you should have installed Windows Virtual PC and created a new virtual machine.


Exercise 2: Using Windows XP Mode


Scenario
In this exercise, you will set up Windows XP Mode, install a legacy application, and explore how you can publish Windows XP Mode applications to a Windows 7 host. You also will use a published application, and find out how it seamlessly integrates with Windows 7. The main tasks for this exercise are:
1. Set up Windows XP Mode.
2. Install a legacy application, and then publish it to the host.
3. Use a published application from the Windows 7 host.

Task 1: Set up Windows XP Mode


1. On NYC-CL2, run WindowsXPMode_en-us.exe from \\NYC-DC1\E$\Labfiles\Mod02\.
2. Install Windows XP Mode with the default settings.
3. Launch Windows XP Mode with the following settings:
   - Installation folder: default
   - Password: Pa$$w0rd
   - Remember credentials: enabled
   - Automatic updates: enabled
4. In the Virtual Machines window, open Settings for the Windows XP Mode virtual machine, and review the Integration Features settings.

Task 2: Install a legacy application, and then publish it to the host


1. In the Windows XP Mode virtual machine, open Windows Explorer, and browse to the C drive on NYC-CL2. Open the folder called Labfiles\Office, and then double-click Setup.exe to install Microsoft Office 4.3 with the following options:
   - Name: Admin
   - Organization: Contoso
   - Directory locations: default
   - Installation Type: Complete/Custom
   - Options List: Remove all check marks except Microsoft Access
2. From the All Programs menu, start Microsoft Access.

Task 3: Use a published application from the Windows 7 host


1. From NYC-CL2, start Microsoft Access.
2. Create a new database called DB1, and save it to C:\MSOffice.
3. Start the Windows XP Mode virtual machine.
4. Copy DB1.MDB from C:\MSOffice to the VHDs folder on drive C on NYC-CL2.
5. Start DB1.MDB from the NYC-CL2 machine by double-clicking the file.
6. Verify that the virtual application starts.

Results: After this exercise, you should have installed and configured Windows XP Mode.

To prepare for the next lab


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machines used in this lab, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Module Review and Takeaways

Review Questions
1. What is the main difference between Windows Virtual PC and Virtual PC 2007 SP1?
2. How does Windows XP Mode use differencing disks?
3. When preparing VHD images for distribution and usage on several computers, what must you do before you start creating virtual machines with these disks?


Common Issues Related to Windows Virtual PC and Windows XP Mode


Issue:
- The mouse moves slowly or inconsistently, and is stuck in the virtual machine window.
- When you try to install an application, you get the error "The Windows Installer does not permit installation from a Remote Desktop Connection."
- When you try to use Windows XP Mode, you receive the following error: "Cannot start Windows XP Mode."
- You cannot copy and paste files and folders between the guest and host operating systems.

Troubleshooting tip:

Real-World Issues and Scenarios


Contoso is discussing implementation of virtualization technologies in order to solve some problems and optimize usage of resources. They want to convert some servers to virtual machines and limit the number of workstations that developers are using for testing applications in various environments. They recently upgraded most of their desktops to Windows 7. Desktop computers have 2 GB of RAM or more. The only department that is not migrated to Windows 7 is the Accounting Department, and that is because of an accounting application that is not working on Windows 7. Contoso is reviewing available virtualization technologies from Microsoft, specifically Hyper-V, Virtual Server, and Windows Virtual PC. What would you recommend to them to address their needs and issues?


Best Practices related to Windows Virtual PC and Windows XP Mode


Supplement or modify the following best practices for your own work situations:
- Use Windows XP Mode whenever you need to provide support for older applications.
- Do not use virtual machines hosted in Windows Virtual PC in a production environment, except for supporting older applications on the local machine.
- Avoid using too many chained differential drives.
- Always mark parent drives as read-only before creating differential drives.

Tools
Tool: Disk2Vhd
Use for: Converting physical hard drives to virtual hard drives
Where to find it: http://technet.microsoft.com/en-us/sysinternals/ee656415.aspx

Tool: Microsoft Security Essentials
Use for: Antivirus and antispyware protection of virtual machines
Where to find it: http://www.microsoft.com/security_essentials/


Module 3
Implementing Microsoft Enterprise Desktop Virtualization
Contents:
Lesson 1: Overview of MED-V
Lesson 2: Implementing MED-V Management Servers
Lesson 3: Implementing a MED-V Client
Lab: Implementing MED-V


Module Overview

Microsoft Enterprise Desktop Virtualization (MED-V) is an enterprise solution that enables incompatible or unsupported applications to be available in a virtual environment. End users then can use them as if they were installed locally on their computers. However, the applications' availability from the virtual environment is seamless, or invisible, to the user. It provides a virtual environment for legacy applications, and it enables central administration of applications. MED-V is built on Windows Virtual PC 2007 Service Pack 1 (SP1), and it is available for Windows clients such as the Windows XP, Windows Vista, and Windows 7 operating systems.


Lesson 1

Overview of MED-V

Microsoft provides different desktop virtualization solutions. While Virtual Desktop Infrastructure (VDI) and Remote Desktop Services (RDS) provide remote virtual desktops and presentation virtualization, MED-V provides a local virtual machine with a client operating system in which legacy applications can run. MED-V enables users to access these legacy applications from the host computer, even when the applications are not compatible with the host operating system. MED-V provides a complete solution for centrally managing client virtual machines; storing, updating, and distributing virtual images; and monitoring user activity. MED-V is part of Microsoft Desktop Optimization Pack (MDOP) for Software Assurance, and the current version is MED-V 1.0 SP1.


What Is MED-V?

Key Points
Each new version of an operating system provides additional features, but also can cause compatibility issues with older applications. Microsoft offers a variety of methods and tools to address applications that are not working properly on a target operating system. However, every organization has a subset of applications that it does not support or that do not work at all on a new version of an operating system. The process of testing and fixing an application, or upgrading to a new version of it or finding an alternative application, is costly and time-consuming. Meanwhile, users cannot take advantage of the new operating system features, which often delays an organization's upgrade plans.

Technologies such as Windows Virtual PC and Windows XP Mode provide a solution for mitigating application-compatibility issues by enabling you to use a virtualized environment. However, they lack support for virtual-machine image delivery and central management of the deployed images. You can use these technologies in small and unmanaged environments, but they do not provide the features and flexibility that larger enterprises require.


MED-V solves compatibility issues with applications that do not run on a target operating system. MED-V uses Virtual PC to provide a virtual environment that runs a legacy version of the operating system, such as Windows XP, which enables you to mitigate application-compatibility issues. By using MED-V, you can have administrative control over the creation, distribution, and management of virtual images, and ensure that the images are current and comply with regulations. MED-V enables you to do this in a seamless and transparent fashion that does not affect the end user. Applications appear and run as if they were installed on the desktop, they are available on the Start menu and can access the Clipboard, and users can pin them to the taskbar.

Released in 2008, MED-V is part of MDOP for Software Assurance, and it is the first version that Windows XP and Windows Vista desktops support. MED-V 1.0 SP1, which was released in 2010, adds support for Windows 7 desktops.

Question: How does MED-V solve compatibility problems between legacy applications and host operating systems?


MED-V Features

Key Points
MED-V allows you to deploy Virtual PC images to Windows desktops, and then manage them centrally, while maintaining a seamless end-user experience. One of the main benefits of MED-V is the ability to mitigate application-compatibility issues when upgrading a desktop operating system. MED-V allows you to run legacy applications in a virtual machine that is running an older version of Microsoft Windows, and it provides seamless integration of the applications with the host.

MED-V provides the following benefits:
- Centralized deployment, management, and monitoring of deployed virtual images. MED-V provides enterprise management and monitoring for the Virtual PC-based virtual environments. It enables you to control access to virtual images, centrally administer configuration of virtual images, and publish applications by using policies. It also provides a repository for virtual images, deployment of virtual images to clients, and enables monitoring of user activity through reports.


- Application provisioning based on Active Directory Domain Services (AD DS) users and groups. You can assign a MED-V Policy to the AD DS users or groups. A MED-V Policy defines which virtual image MED-V will use, which applications it will publish, and how it will integrate those applications with the host. You can define a MED-V Workspace by using a policy, and you can use the same virtual image for multiple Policies.
- Using a MED-V Policy to configure usage policy. You can configure the MED-V virtual environment by using MED-V Policies. Policies control various aspects of the virtual environment, such as expiration of virtual machines, time limits for offline work, automatic redirection of predefined Web sites to the virtual environment, and allocation of virtual machine memory.
- Seamless and transparent integration of published applications. You can access published MED-V applications from virtual images directly from the Windows 7 Start menu, as if they were installed on the Windows 7 host itself. You can use the Search feature to find applications, and then pin them to the taskbar.
- Clipboard sharing and printer redirection. Based on the MED-V Policy settings, you can cut and paste content between the host and a published application. You also can use printer redirection to print directly from a MED-V published application to a printer attached to the host.

Question: What is the main benefit of using MED-V versus using Virtual PC or Windows XP Mode?


MED-V Architecture

Key Points
The MED-V solution contains both servers and clients, and requires infrastructure support. The MED-V solution consists of the following components:
- Administrator-defined virtual machine. This contains a full desktop environment, including an operating system, applications, and optional management and security tools. A virtual machine image is part of the Workspace policy. You can deploy it to the end user's computer to provide an environment for running legacy applications.
- Image repository. This component stores virtual images on a standard Internet Information Services (IIS) server 7.0 or newer, and then enables version management for virtual images, client-authenticated image retrieval, and efficient download by using the Trim Transfer technology.


- Management Server. This component associates workspaces, which include virtual images from the image repository, and workspace policies to AD DS users or groups. The Management Server also collects client events and stores them on a computer that is running a Microsoft SQL Server database for monitoring and reporting.
- Management Console. This enables administrators to control the Management Server and the image repository, create Workspace policies, and manage the virtual images.
- MED-V Workspace. This is the desktop environment, in which end users interact with the virtual environment.
- MED-V policy. This group of configurable settings defines how the virtualized environment and applications perform on the end-user computer.
- End user client. This component builds on Virtual PC, and provides a virtual environment for running legacy applications. It provides authentication, virtual image retrieval, and enforcement of usage policies. It also provides a single desktop experience, where applications installed in the virtual machine are available through the standard desktop Start menu, and they integrate with other applications on the user desktop.

You use the HTTP or HTTPS protocol for communication between the client and the servers.

Question: Do you need a separate server for the image repository?


Providing Scalability and High Availability with the MED-V Enterprise Architecture

Key Points
The MED-V Management Server can support 5,000 users, depending on its hardware. However, the client-server communication is rather lightweight: The default configuration has the clients polling the server for policy every 15 minutes and for image updates every four hours. If you increase the policy polling time, the server can support more clients.


The only client-server heavy-duty operation occurs when a new image is available, and multiple clients retrieve several gigabytes (GBs) from the image repository. Since the image repository is a standard IIS Web server, it is possible to add IIS servers as additional image delivery servers, and have them synchronize images with the main image repository. You can place all the image delivery servers behind a load balancer or use the Network Load Balancing (NLB) feature. To improve the download rate, to optimize bandwidth efficiently, and further balance the load, you can place the image delivery servers in multiple geographic locations. You can use Domain Name System (DNS) resolution to direct the MED-V clients to the best available location.

Alternatively, you can use a separate distribution mechanism, such as Microsoft System Center Configuration Manager, to deliver the virtual images to the clients. The MED-V client looks for the image in a location that you define. This eliminates the need for image download and a Web infrastructure for MED-V image delivery.

The MED-V client operates independently of MED-V servers. If the Management Server malfunctions or stops responding, all clients that are running a workspace can continue working. However, new attempts to start a workspace run in offline mode, and online authentication, policy changes, and image updates become unavailable. Additionally, the MED-V client aggregates events at the client side until the server becomes available. However, to ensure fast recovery from a server failure, MED-V supports a failover structure, in which you can configure two MED-V servers in cluster mode, and then place all files that are mutual to both servers on a file system. The server accesses the files from the file system rather than storing the files locally.

Question: Does a typical MED-V deployment utilize the Management Server heavily?


Overview of the Virtual Image Life Cycle

Key Points
MED-V manages virtual images through their whole life cycle. A typical virtual image life cycle proceeds through the following steps:
- Creation of a virtual image: Install operating system, applications, management tools, and security, such as antivirus software, in the virtual machine inside Virtual PC. Prepare and test the virtual image through the MED-V Management Console, and upload it to the MED-V image repository.
- Definition of a MED-V Workspace: A workspace consists of a policy and an assigned virtual image. A MED-V Policy defines a list of applications in the virtual image, which will be available to the users through the Start menu. It also defines the configuration settings for the virtual machine; the Web sites that users can view inside the virtual machine browser; the permissions to work offline and for data transfers between the virtual machine and the host, such as file transfer, copy and paste, and printing. You can provision a workspace to AD DS users and groups.


- Delivery of the virtual image: You can deliver a virtual image to the MED-V client in the following different ways:
  - Over a network, by using standard HTTP or HTTPS protocols.
  - By using enterprise distribution mechanisms, such as System Center Configuration Manager.
  - By including it in the base workstation image, or on removable media, such as DVD.
  - By using the MED-V Packaging Wizard to create a self-install package.

- Working with virtual machine: After you deploy a virtual machine to the MED-V client, you can customize it and join it to a domain. After users authenticate against the MED-V Management Server, they can work within the virtual machine. After the first online authentication, MED-V also supports offline work, if the administrator permits that. Based on the policy settings, virtual images can be persistent, whereby the virtual machine preserves any changes, or they can be revertible.
- Management and update of the workspace: The MED-V Management Console enables administrators to update policies, assign workspaces to additional users, remove users from the workspace, and update the virtual images. MED-V then distributes all updates automatically to relevant users when they work online.
- Troubleshooting of malfunctioning clients: The MED-V Management Console presents an updated report of all users, and provides detailed information on all client events. This helps the administrator understand the source of problems, and then instruct the user on how to solve it. The MED-V diagnostic tool runs automatically when client installation fails, and you can execute it manually in other cases. You can use the report to understand the problem's cause and to recommend to users how to fix it.

Question: What are typical steps in the life cycle of a virtual image?


Using Trim Transfer to Deliver MED-V Images

Key Points
A MED-V virtual image is represented by a Virtual Hard Drive (VHD) file, and this file contains the installed operating system and applications. Images can be several GBs in size, and they are stored in the image repository, which can be on a MED-V Management Server. The MED-V advanced Trim Transfer deduplication technology accelerates the download of initial and updated images over a local area network (LAN) or a wide area network (WAN), which reduces the network bandwidth that you need to transport a MED-V image from the image repository to end users. Trim Transfer is available only when you use a MED-V IIS-based image repository.


Trim Transfer technology uses existing local data to build the image, and leverages the fact that, in many cases, much of the virtual machine, such as system and application files, already exists on the end-user disk. For example, if MED-V delivers an image containing Windows XP to a client that is running a local copy of Windows XP, MED-V automatically removes from the transfer the redundant Windows XP elements that the client already makes available. To ensure a valid and functional image, the MED-V client cryptographically verifies the integrity of local data before it uses it, which ensures that the local blocks of data are identical to those in the desired image. It does not use blocks that do not match.

If you use a different operating system on the MED-V client from the one in the virtual image, such as a Windows XP virtual image on the Windows 7 MED-V client, Trim Transfer does not provide an important benefit, because most files on the host are different from the files in the virtual image.

This process is transparent and efficient with regard to bandwidth, and the transfers run in the background, which utilizes unused network and CPU resources. When downloading a new version of a virtual image that exists already on the MED-V client, it downloads only the changed elements, known as deltas. This reduces the required network bandwidth and delivery time significantly.

The Trim Transfer process requires an initial host index process to run on the MED-V client. However, indexing is time consuming, so MED-V enables administrators to control which folders the Trim Transfer protocol indexes by modifying the ClientSettings.xml file.

Images are configured to use Trim Transfer by default when downloading from an image repository. However, several scenarios result in Trim Transfer not providing the benefits that you might expect, including that:
- The host operating system and the virtual machine operating system always are different.
- You need to reduce the length of the first-time setup.
- MED-V Workspace needs to be persistent instead of revertible.
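A simplified model of the block reuse, verification and delta download described above, as an added example that is not MED-V's own code. The 4 KB block size, SHA-256, the in-memory index and all file names are assumptions, because the course does not document Trim Transfer's block size, hash or index format.

```python
from __future__ import annotations

import hashlib

BLOCK_SIZE = 4096  # assumed; the real Trim Transfer block size is not documented here


def digest(block: bytes) -> str:
    return hashlib.sha256(block).hexdigest()


def block_hashes(data: bytes) -> list[str]:
    """Manifest of an image or file: one digest per fixed-size block."""
    return [digest(data[i:i + BLOCK_SIZE]) for i in range(0, len(data), BLOCK_SIZE)]


def index_host(files: dict[str, bytes]) -> dict[str, tuple[str, int]]:
    """Host index pass: digest -> (path, offset) of a local block with that digest."""
    index: dict[str, tuple[str, int]] = {}
    for path, data in files.items():
        for n, d in enumerate(block_hashes(data)):
            index.setdefault(d, (path, n * BLOCK_SIZE))
    return index


def build_image(manifest, index, read_local, download):
    """Rebuild an image block by block, preferring verified local data.

    The index can be stale (a file changed after indexing), so every local
    candidate is re-hashed before use and discarded on mismatch.
    """
    out = bytearray()
    stats = {"local": 0, "downloaded": 0, "rejected": 0}
    for n, wanted in enumerate(manifest):
        block = None
        hit = index.get(wanted)
        if hit is not None:
            candidate = read_local(hit[0], hit[1])
            if digest(candidate) == wanted:
                block = candidate
                stats["local"] += 1
            else:
                stats["rejected"] += 1  # local block no longer matches: do not use it
        if block is None:
            block = download(n)
            if digest(block) != wanted:
                raise ValueError(f"downloaded block {n} failed verification")
            stats["downloaded"] += 1
        out += block
    return bytes(out), stats


def demo():
    """Constructed data: first delivery with a stale index entry, then a delta update."""
    def blk(tag: int) -> bytes:
        return bytes([tag]) * BLOCK_SIZE

    host = {"C:/Windows/a.dll": blk(1) + blk(2), "C:/Windows/b.dll": blk(3)}
    image_v1 = blk(1) + blk(2) + blk(3) + blk(9) + blk(10)
    image_v2 = blk(1) + blk(2) + blk(3) + blk(9) + blk(11)  # one block changed

    def read_local(path, offset):
        return host[path][offset:offset + BLOCK_SIZE]

    def server(image):
        return lambda n: image[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]

    index = index_host(host)
    host["C:/Windows/b.dll"] = blk(4)  # file modified after the index pass
    built_v1, stats_v1 = build_image(block_hashes(image_v1), index, read_local, server(image_v1))

    # The delivered v1 image is itself local data for the next version.
    host["image_v1.vhd"] = built_v1
    index = index_host(host)
    built_v2, stats_v2 = build_image(block_hashes(image_v2), index, read_local, server(image_v2))

    return {"v1": stats_v1, "v1_ok": built_v1 == image_v1,
            "v2": stats_v2, "v2_ok": built_v2 == image_v2}


if __name__ == "__main__":
    print(demo())
```

In the first delivery the stale `b.dll` block is rejected and fetched from the repository instead; in the update only the single changed block is downloaded.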

Question: Would you benefit from using Trim Transfer if you deploy a Windows XP Service Pack 3 (SP3) virtual image to a Windows 7 host?


Lesson 2

Implementing MED-V Management Servers

You can install a MED-V Management Server on Windows Server 2008 or Windows Server 2008 R2. It provides a virtual images repository, and you can use it as a management point for configuring MED-V clients. A MED-V server should be a domain member, and should use IIS for virtual image delivery.


Requirements for the MED-V Management Server

Key Points
The MED-V implementation includes both the server and client components. The MED-V Management Server is responsible for storing the MED-V Workspace configuration, which includes MED-V Policy and virtual images. MED-V logs user activity to a computer that is running SQL Server, which you can deploy on the MED-V Management Server or on a separate server. Before accessing the MED-V Workspace, AD DS authenticates users. The following table lists the operating systems that support the MED-V Management Server.
| Operating system | Edition | Service pack | System architecture |
|---|---|---|---|
| Windows Server 2008 | Standard or Enterprise | SP1 or SP2 | x86 or x64 |
| Windows Server 2008 R2 | Standard or Enterprise | None | x64 |


MED-V 1.0 SP1 adds support for Windows Server 2008 R2. For nonproduction use, you can install MED-V Management Server on a desktop operating system.

Requirements for the MED-V Server


- You should ensure that the MED-V Management Server has a dual processor with at least 2.8 gigahertz (GHz) and 2 GB random access memory (RAM). This recommendation assumes that the MED-V server runs on a dedicated machine and that SQL Server runs on a separate machine.
- Ensure the MED-V Management Server is joined to AD DS.
- You can add the Web server (IIS) role to the same server or to another domain server.
- MED-V Management Server requires that you install one of the following .NET Framework versions: .NET Framework 2.0 or newer

If you want to gather user activity and generate MED-V reports, your deployment also must include a computer that is running SQL Server. You can install SQL Server on the MED-V Management Server or on a separate server. If you use a separate SQL Server, you should install Microsoft SQL Server Management Objects on the MED-V Management Server.

You can install MED-V servers on physical servers or in a Hyper-V virtualized environment. You should expect a relatively light load on the MED-V Management Server, because after you deploy the MED-V Workspace, client computers check the server every 15 minutes for configuration changes. The disk capacity must be sufficient to store the MED-V Workspace configuration files and virtual images if the image repository is on the same server. The MED-V Management Server also should have a fast network connection to the clients to deploy virtual images.

The MED-V Management Server uses the SQL Server database to store client status and events. You can install the SQL Server database on the same machine as the MED-V server, or you can place it on a separate server that is running SQL Server.

After installation, you can configure the MED-V Management Server by using MED-V Server Configuration Manager. You can administer the MED-V Management Server by using MED-V Management Console, which you can install as part of the MED-V client. However, you cannot install it on a server operating system.


Configuring IIS for a MED-V Management Server

Key Points
The image repository stores virtual images and enables virtual-image version management, client-authenticated image retrieval, and the efficient upload and download of new virtual images or updates. Each MED-V client needs a virtual image, and a workspace policy, to provide a virtualized environment for running a legacy application. You can deploy virtual images to a client in several ways.

The image repository is based on an IIS Web server, and organizations can take advantage of the standard Web scalability and high availability infrastructure. To improve download performance, organizations can create image-repository replicas at branch offices or remote geographic locations.

The IIS server can coexist on the same server as the MED-V Management Server and the server that is running SQL Server. In smaller implementations, you can have them all on the same server. However, when the number of MED-V clients increases, you should install the IIS server, SQL server, and the Management Server on separate servers. You also can run the IIS server on a virtual machine. The IIS server infrastructure must have sufficient throughput to deliver images to clients, and the disk subsystem must meet the input/output (I/O) demands.


To add and configure Web server (IIS) for MED-V, you must perform the following steps:
- Add the Web server (IIS) role. During the installation, when you are adding role services, select the following supported authentication methods: Basic Authentication, Windows Authentication, and Client Certificate Mapping Authentication.
- Install Background Intelligent Transfer Service (BITS). Install this feature and the required role services. MED-V virtual image upload requires BITS support.
- Add the IIS virtual directory. This virtual directory points to the directory that will store virtual images. By default, the C:\MED-V Server Images folder stores virtual images.
- Configure BITS. Enable BITS in IIS. Additionally, you should allow clients to upload files to the IIS server by using BITS, and they should upload them to the directory where you want to store virtual images.
- Configure additional Multipurpose Internet Mail Extensions (MIME) types. Add the .ckm (application/octet-stream) and .index (application/octet-stream) MIME types to the directory in which you want to store virtual images.

Optionally, you can change a TCP port on which the IIS Web site accepts connections, and you can configure Windows Firewall to allow connections through that port.
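A check for the settings listed in the steps above, as an added example that is not part of the course material: it reads a constructed `<location>` block in the style of IIS `applicationHost.config` and flags missing MIME maps and Basic Authentication without an SSL requirement. The virtual directory name `MEDVImages` is a placeholder, and only settings written in the block itself are evaluated.

```python
import xml.etree.ElementTree as ET

VDIR = "Default Web Site/MEDVImages"  # placeholder virtual directory name (assumption)

# Constructed sample: .index is not mapped and SSL is not required.
WEAK_CONFIG = """<configuration>
  <location path="Default Web Site/MEDVImages">
    <system.webServer>
      <staticContent>
        <mimeMap fileExtension=".ckm" mimeType="application/octet-stream" />
      </staticContent>
      <security>
        <access sslFlags="None" />
        <authentication>
          <anonymousAuthentication enabled="false" />
          <basicAuthentication enabled="true" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>"""

# Same block with both gaps closed.
FIXED_CONFIG = (
    WEAK_CONFIG
    .replace('sslFlags="None"', 'sslFlags="Ssl"')
    .replace("</staticContent>",
             '  <mimeMap fileExtension=".index" mimeType="application/octet-stream" />\n'
             "      </staticContent>")
)

# MIME types and authentication methods named in the steps above.
REQUIRED_MIME = {".ckm": "application/octet-stream", ".index": "application/octet-stream"}
SUPPORTED_AUTH = ("basicAuthentication", "windowsAuthentication",
                  "clientCertificateMappingAuthentication")


def _enabled(loc, tag):
    return any(el.get("enabled", "false").lower() == "true" for el in loc.iter(tag))


def audit_location(config_xml, path):
    """Return findings for one <location> block; an empty list means nothing was flagged.

    Values inherited from the server level are not resolved.
    """
    root = ET.fromstring(config_xml)
    loc = next((l for l in root.iter("location") if l.get("path") == path), None)
    if loc is None:
        return [f"no <location path={path!r}> block in this file"]

    findings = []
    mime = {m.get("fileExtension", "").lower(): m.get("mimeType", "")
            for m in loc.iter("mimeMap")}
    for ext, mtype in REQUIRED_MIME.items():
        if mime.get(ext) != mtype:
            findings.append(f"MIME type for {ext} is not mapped to {mtype}")

    enabled = [a for a in SUPPORTED_AUTH if _enabled(loc, a)]
    if not enabled:
        findings.append("none of the supported authentication methods is enabled")
    if _enabled(loc, "anonymousAuthentication"):
        findings.append("anonymous access is enabled on the image directory")

    access = next(loc.iter("access"), None)
    raw = access.get("sslFlags", "None") if access is not None else "None"
    flags = {f.strip() for f in raw.split(",")}
    if "basicAuthentication" in enabled and not flags & {"Ssl", "Ssl128"}:
        findings.append("Basic Authentication is enabled but SSL is not required: "
                        "credentials are only Base64-encoded on the wire")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_location(cfg, VDIR))
```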

Question: Which feature must you install on the MED-V server? Can you upload virtual images to the MED-V server without installing this feature?


Deploying and Configuring a MED-V Management Server

Key Points
Installing and configuring a MED-V server is a straightforward process. After running the MED-V server installation package, you need to accept the Microsoft Software License Terms, select an installation folder, and then wait for the installation to finish. After the installation, you should configure the MED-V server by running MED-V Server Configuration Manager, which is the default option in the last step of the setup. The installation also adds, to the Start menu, a shortcut to the configuration tool.

You can use MED-V Server Configuration Manager for configuring the following settings:
- Connections: Configure MED-V client connections settings. Define which protocols and ports to use for connecting to MED-V server. HTTPS is an optional configuration, which you can set to provide encryption and secure transactions between the MED-V Management Server and MED-V clients. To configure HTTPS, you also must add a digital certificate to the server store, and then associate it with the port that the MED-V Management Server uses. If you are using nonstandard ports, you should add a Windows Firewall exception.


- Images: Configure the virtual machine directory, which is the directory in which you want to store the virtual images. You can specify a local or Universal Naming Convention (UNC) path to the image directory on the image repository server, which should be accessible from the MED-V Management Server. You also should specify the URL location of the folder in which you want to store virtual images.
- Permissions: Configure a list of users and groups who can access the MED-V server, typically by using the MED-V Management Console, so that they can administer MED-V. For each of them, you can configure read-only or read/write permissions. Read-only access allows users to view the MED-V configuration and policies, but not modify them. If they have the Changes Allowed permission, which gives them read/write permissions, users can save changes to the MED-V configuration, effectively administering MED-V.
- Reports: Enable reports and configure database settings. You can define a connection string, test the connection, and then create a MED-V database on the computer that is running SQL Server. Additionally, you can configure the database maintenance options, such as deleting old records, clearing all data from the database, and dropping the database. If you do not install SQL Server locally, the Reports tab provides instructions on how to install Microsoft SQL Server Management Objects and connect to the remote SQL Server.

MED-V server configuration is saved to the ServerSettings.xml file in the %PROGRAMFILES%\Microsoft Enterprise Desktop Virtualization folder. You can perform additional MED-V server configuration by using the MED-V Management Console. You have the option of installing this console on the MED-V client, and you cannot install it on a server operating system. You should install the MED-V Management Console on the administrative workstation, from where you manage the MED-V environment. By using MED-V Management Console, you can configure policy, images, and reports.

Question: Which tool can you use for configuring a MED-V Management Server? What can you configure by using this tool?


Lesson 3

Implementing a MED-V Client

Only managed desktops support a MED-V client, which is a required component of a MED-V solution. The MED-V client provides an environment for running legacy applications and a seamless integration with the host. The MED-V client is available for Windows XP, Windows Vista, and Windows 7, and it depends on Virtual PC 2007 SP1, which is a prerequisite. You can deploy the MED-V client in several ways, including manually or through a software distribution system. You can use the MED-V client to perform centralized administration, apply the MED-V Workspace, provide communication between virtual machines and hosts, and publish applications to a host.


MED-V Client Requirements

Key Points
Before installing the MED-V client, you first must install Microsoft Virtual PC 2007 SP1 on the desktop, along with hotfix 958162. The MED-V client does not work with Windows Virtual PC.

Requirements for a MED-V client


The following operating systems support a MED-V client.
| Operating system | Edition | Service pack | System architecture |
|---|---|---|---|
| Windows XP | Professional Edition | SP2 or SP3 | x86 |
| Windows Vista | Business, Enterprise, or Ultimate | SP1 or SP2 | x86 |
| Windows 7 | Professional, Enterprise, or Ultimate | None | x86 or x64 |


MED-V 1.0 SP1 includes support for Windows 7. MED-V client does not run in native x64 mode, but does run in Windows 64-bit (WOW64) mode on 64-bit computers. The required RAM on a client varies, but the following table lists the suggested minimum amount of RAM that different operating systems require.

| Operating system | Minimum required RAM |
|---|---|
| Windows XP Professional | 1 GB |
| Windows Vista, Windows 7 x86 | 2 GB |
| Windows 7 x64 | 3 GB |

The MED-V client is not supported in a Hyper-V environment for production use. The MED-V Workspace supports the following operating systems in a virtual machine:

| Operating system | Edition | Service pack | System architecture |
|---|---|---|---|
| Windows 2000 | Professional | SP4 | x86 |
| Windows XP | Professional Edition | SP2 or SP3 | x86 |

We recommend Windows XP SP3 to ensure that the MED-V Workspace is compatible with future MED-V versions.

Question: You evaluate MED-V 1.0 in the test environment, and you find that you cannot install a MED-V client to the Windows 7 host. What must you do to use MED-V with Windows 7 clients?


Deployment Options for the MED-V Client

Key Points
You can deploy the MED-V client by:
- Installing it manually. MED-V client is available as a Windows Installer package, and you can install it manually. While you can use this method for setting up a test or pilot environment, this is not a good approach if you want to deploy MED-V clients in a production environment.
- Including it in the standard desktop image. You can include the MED-V client in the standard desktop image. When you use this approach, the MED-V client deploys to all new clients.
- Deploying it via a software distribution system. If a company has an existing software distribution system, such as Microsoft System Center Configuration Manager 2007 R2, you can use that for deploying the MED-V client. When you install the MED-V client through a distribution system, you may choose to retrieve the virtual image from the image repository or deliver it to a predefined location by using the software distribution system. In this scenario, the MED-V Client would not download the image from the repository.


- Creating and installing the MED-V deployment package. By using MED-V Management Console, you can create a deployment package. This provides a method of installing the MED-V client, its required prerequisites, and any settings that the administrator predefines. The packaging wizard walks you through the package creation by creating a folder on your local computer and transferring all required installation files to it. You then can move the folder's contents to multiple removable media drives for distribution.

The MED-V client is available as a Windows Installer package, and it includes the MED-V client and the MED-V Management Console. You must install the MED-V client on client computers for running MED-V Workspaces. The MED-V Management Console is an administrative tool that you can use for creating and maintaining images, MED-V Workspaces, and policies.

Note: You can install the MED-V client and MED-V Management Console only on Windows 7, Windows Vista, and Windows XP-based computers. You cannot install them on server products.

During the MED-V client installation, you must accept the Microsoft Software License Terms, select a destination folder for client installation, and then define the MED-V client settings. MED-V client settings include the MED-V Management Server's address, the port and protocol it is using, the folder for the virtual machine images, and the option to install the MED-V management application.

Question: What is the benefit of installing a MED-V client by using the MED-V deployment package?


What Is the MED-V Management Console?

Key Points
The MED-V Management Console is the primary MED-V administration tool. You can install it only on a client operating system, and it is available as part of the MED-V client installation. You can use it for managing the MED-V image life cycle through managing policies, images, and reports. The MED-V Management Console user interface (UI) has the following sections:
• MED-V management buttons. They correspond to the following three modules that you can manage through the console:
  • Policy. You can use the Policy module to define MED-V Workspaces, their related settings, and permissions. This includes the virtual machine configuration, published applications, and their integration settings.
  • Images. You can use the Images module to manage the MED-V Workspace images. This module enables you to create test images, and then package and upload those images to the image repository.
  • Reports. You can use the Reports module for generating and viewing MED-V reports. Three report types are available: Status, Activity log, and Error log.
• Toolbar. This displays shortcuts relevant to the selected management module and user permissions. For example, you can save a policy, add a workspace, and refresh or create a new report here.
• Display pane. This displays configuration options corresponding to the selected management module. You can configure policy, images, or reports options in this section.

You must log on to the MED-V Management Console before you can use it. For security reasons, the first user that logs on to the MED-V Management Console becomes the only user on that computer that can access the Management Console. The domain user name and password are used for MED-V management login.

Question: Is the MED-V Management Console available as a Microsoft Management Console (MMC) snap-in?


Demonstration: Creating a MED-V Installation Package by Using the Packaging Wizard

Key Points
In this demonstration, you will see how to create a MED-V installation package by using the Packaging Wizard, which is available as part of the MED-V Management Console.

Demonstration steps:
1. On NYC-CL1, start the MED-V Management Console, and then log on as contoso\medv-admin with a password of Pa$$w0rd.
2. Run the Packaging Wizard, and then on the Deployment Package page, click Next.
3. On the Workspace Image page, click Next without selecting Include image in the package.
4. On the MED-V Installation Settings page, point the MED-V installation files to where the installation files are stored, and then click Next.
5. On the Additional Installation page, clear the Virtual PC and .NET Framework check boxes, and then click Next.
6. On the Finalize page, enter the package destination, and then click Finish.
7. Open Windows Explorer, and then verify that the package has been created.

Question: In which tool can you find the Packaging Wizard?


Lab: Implementing MED-V

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. Ensure that the 10324A-NYC-DC1, 10324A-NYC-CL1, and 10324A-NYC-CL2 virtual machines are running. If required, connect to the virtual machines.
2. Log on to the virtual machines as Contoso\Administrator using the password Pa$$w0rd.


Exercise 1: Configuring the Existing Infrastructure


Scenario
Contoso, Ltd., has a software assurance agreement with Microsoft, so you want to implement MED-V. After reviewing the product documentation and several case studies, you decide that you first will implement the MED-V infrastructure. In this lab, you will review the existing server infrastructure, and then prepare it for MED-V deployment.

The main tasks for this exercise are:
1. Verify that a MED-V database does not exist on Microsoft SQL Server.
2. Add Windows Server 2008 R2 role and features.

Task 1: Verify that a MED-V database does not exist on Microsoft SQL Server
1. On the NYC-DC1 server, open Windows Explorer and browse to E:\Labfiles\Mod03\SQL_Update. Install SQLSysClrTypes.msi and SharedManagementObjects.msi.
2. On the NYC-DC1 server, run the Import and Export Data (32-bit) tool.
3. Verify in the Server name field that you are connected to NYC-DC1\SQLEXPRESS.
4. Expand the Database drop-down box, and then verify that the MED-V related database, medv, is not available. Click Cancel.


Task 2: Add the Windows Server 2008 R2 role and features


1. On the NYC-DC1 server, add the Web Server (IIS) role and the following role services: Basic Authentication, Windows Authentication, and Client Certificate Mapping Authentication. Leave all other default selections.
2. On the NYC-DC1 server, add the Background Intelligent Transfer Service (BITS) feature and the required role services.

Results: After this exercise, you should be logged on to all three computers, and you should have added the required server roles and features to support a MED-V deployment.


Exercise 2: Deploying the MED-V Server


Scenario
After you verify that the infrastructure is ready, you can begin the MED-V deployment. Before deploying the MED-V clients, you first must install and configure the MED-V Management Server. Additionally, you have decided to store the image repository on the Web server (IIS) and to use SQL Server on the same server as the MED-V Management Server. In this exercise, you will deploy the MED-V Management Server infrastructure, and then ensure that the MED-V database is added on Microsoft SQL Server.

The main tasks for this exercise are:
1. Install the MED-V Management Server on NYC-DC1.
2. Configure an IIS Web server for the MED-V Image Repository.
3. Use the MED-V Server Configuration Manager.
4. Verify that the MED-V database exists on SQL Server.

Task 1: Install the MED-V Management Server on NYC-DC1


Run E:\Labfiles\Mod03\MED-V_Server_x64_1.0.105.msi, accept the default values, and then install the MED-V Management Server.

Task 2: Configure an IIS Web server for the MED-V image repository
1. On the IIS server on NYC-DC1, add the vimages virtual directory, and then point it to the C:\MED-V Server Images folder.
2. Configure BITS Upload for the vimages IIS virtual directory, and then set it to Allow clients to upload files.
3. Add two MIME Types for the vimages IIS virtual directory: .ckm file extension with application/octet-stream MIME type, and .index file extension with application/octet-stream MIME type.
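
The role, feature, virtual directory and MIME type steps from Exercise 1, Task 2 and from this task can also be applied from an elevated PowerShell session on NYC-DC1, which makes the repository configuration repeatable and easy to review. This script is an added example, not part of the course material; the site name Default Web Site is an assumption (the lab only gives the URL http://nyc-dc1/vimages), and the BITS Upload setting is left to IIS Manager as in step 2.

```powershell
# Added example (not from the course material): scripted form of the lab's IIS steps.
# Target: NYC-DC1, Windows Server 2008 R2, elevated PowerShell 2.0 session.

$SiteName     = 'Default Web Site'        # assumption: vimages lives under the default site
$VDirName     = 'vimages'                 # from the lab
$PhysicalPath = 'C:\MED-V Server Images'  # from the lab
$Extensions   = '.ckm', '.index'          # packed-image file types named in the lab

# Exercise 1, Task 2: Web Server (IIS) with the three authentication role services,
# plus BITS and its IIS Server Extension sub-feature.
Import-Module ServerManager
Add-WindowsFeature Web-Server, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, BITS, BITS-IIS-Ext |
    Out-Null

# Exercise 2, Task 2, step 1: create the vimages virtual directory if it is not there yet.
Import-Module WebAdministration
if (-not (Test-Path -LiteralPath $PhysicalPath)) {
    New-Item -ItemType Directory -Path $PhysicalPath | Out-Null
}
if (-not (Get-WebVirtualDirectory -Site $SiteName -Name $VDirName)) {
    New-WebVirtualDirectory -Site $SiteName -Name $VDirName -PhysicalPath $PhysicalPath | Out-Null
}

# Step 2 (BITS Upload, "Allow clients to upload files") is not scripted here;
# set it on the vimages virtual directory in IIS Manager as the lab describes.

# Step 3: add the two MIME maps, skipping any that already exist so the script can be re-run.
$vdirPath = "IIS:\Sites\$SiteName\$VDirName"
foreach ($ext in $Extensions) {
    $filter = "system.webServer/staticContent/mimeMap[@fileExtension='$ext']"
    if (-not (Get-WebConfiguration -PSPath $vdirPath -Filter $filter)) {
        Add-WebConfigurationProperty -PSPath $vdirPath `
            -Filter 'system.webServer/staticContent' -Name '.' `
            -Value @{ fileExtension = $ext; mimeType = 'application/octet-stream' }
    }
}

# Show the MIME maps that are now effective for the virtual directory.
Get-WebConfiguration -PSPath $vdirPath -Filter 'system.webServer/staticContent/mimeMap' |
    Where-Object { $Extensions -contains $_.fileExtension } |
    Select-Object fileExtension, mimeType
```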


Task 3: Use the MED-V Server Configuration Manager


1. On the NYC-DC1 server, run MED-V Server Configuration Manager, and then review the Connections tab.
2. Verify that VMs Directory is set to C:\MED-V Server Images\, and then set VMs URL to http://nyc-dc1/vimages.
3. Remove permissions for the Everyone group, add group Contoso\MED-V Administrators, and then grant them Changes Allowed. Add group Contoso\MED-V Users, but do not grant them changes.
4. Click Create Database, and then click Test Connection. Start the MED-V Server when prompted.
5. Review file C:\Program Files\Microsoft Enterprise Desktop Virtualization\Servers\ServerSettings.xml in Notepad.

Task 4: Verify that the MED-V database exists on SQL Server


1. On the NYC-DC1 server, run the Import and Export Data (32-bit) tool.
2. Verify in the Server name field that you are connected to NYC-DC1\SQLEXPRESS SQL Server.
3. Expand the Database box, and then confirm that the MED-V related database, medv, is available. Click Cancel.

Results: After this exercise, you should have installed and configured the MED-V Server, and confirmed the creation of the MED-V database.


Exercise 3: Deploying the MED-V Client


Scenario
After you deploy the MED-V Management Server, you also must install the MED-V client. You want to test different options for client deployment, such as manual installation and using the MED-V deployment package. In this exercise, you will test both scenarios, as well as verify that the MED-V client can connect to the server.

The main tasks for this exercise are:
1. Install the MED-V client on NYC-CL1.
2. Verify connectivity to the MED-V Management Server, and create a MED-V deployment package.
3. Install a MED-V client by using the deployment package.

Task 1: Install the MED-V client on NYC-CL1


1. On NYC-CL1, run E:\Labfiles\Mod03\MED-V_1.0.105.msi.
2. Select Install the MED-V management application, and then in the Server address field, enter nyc-dc1.

Task 2: Verify connectivity to the MED-V Management Server, and create a MED-V deployment package
1. On NYC-CL1, run MED-V Management, and then authenticate as Contoso\medv-admin with the password Pa$$w0rd.
2. Run the Packaging Wizard.
3. For MED-V installation file, point to E:\Labfiles\Mod03\MED-V_1.0.105.msi, and then verify that nyc-dc1 is entered as the Server address.
4. For virtualization software, point to D:\Labfiles\Mod03\VPC 2007 SP1 x86.msi, and for installation of Virtual PC QFE, point to E:\Labfiles\Mod03\KB974918 x86.msp. Uncheck Include installation of Microsoft .NET Framework 2.0.
5. Enter E:\Labfiles\MED-V Client as the Package destination.
6. After you create the deployment package, explore the content of the E:\Labfiles\MED-V client folder in Windows Explorer.

Task 3: Install a MED-V client by using a deployment package
1. On NYC-CL2, run \\nyc-cl1\med-v client\MedvAutorun.exe.
2. Accept the default value of C:\MED-V Images, and then click OK.
3. Verify that the MED-V shortcut is added to the desktop.

Results: After this exercise, you should have installed and configured MED-V clients on NYC-CL1 and NYC-CL2, and created a MED-V client deployment package.

To prepare for the next lab


Do not shut down the virtual machines. You will use these virtual machines for the next lab.


Module Review and Takeaways

Review Questions
1. Can you use MED-V to administer Windows XP Mode on Windows 7 computers?
2. Can you administer MED-V implementation from a MED-V server?
3. Is the complete virtual image always transferred to the MED-V client?


Common Issues Related to MED-V


Identify the causes for the following common issues related to Microsoft Enterprise Desktop Virtualization, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue: You install a MED-V client successfully, but you are not able to run MED-V Workspace.
Troubleshooting tip:

Issue: When you try to install a MED-V client on Windows Server 2008, you get an error.
Troubleshooting tip:

Issue: You implemented MED-V in a test environment, and cannot upload the virtual images to image repository.
Troubleshooting tip:

Issue: You would like to configure a MED-V Management Server, but there is no configuration option available on the Reports tab.
Troubleshooting tip:


Module 4
Configuring and Deploying MED-V Images
Contents:
Lesson 1: Configuring MED-V Images
Lesson 2: Deploying MED-V Images
Lab: Configuring and Deploying MED-V Images


Module Overview

Microsoft Enterprise Desktop Virtualization (MED-V) uses virtualization to provide an isolated environment, in which you can run legacy applications and publish applications to the host. A virtual image contains the virtual machine, and MED-V enables central management of the images. There are certain prerequisites that you must meet when you create a MED-V image. This module describes the purpose and functionality of MED-V images, and the procedures for configuring and testing the images. The module also explains how to pack and upload MED-V images to the image repository on a MED-V server.


Lesson 1

Configuring MED-V Images

MED-V provides a virtualized environment that users can use to run legacy applications. MED-V virtual machine images offer several benefits. Before creating MED-V images, you must be aware of their requirements, such as supported operating systems. You can use the VM Prerequisite tool to further prepare and optimize the operating system in the image for the virtual environment. After you create an image, you should test it. To test a MED-V image, you need to create a basic policy for testing.


Benefits of Using a MED-V Virtual Machine Image

Key Points
MED-V enables you to extend the user environment with published MED-V applications, while hiding the complexity of the virtual machine environment from the end-user. You can use a virtual machine to provide a separate environment to run legacy applications, even when the applications are not compatible with the host operating system. End-users do not have to deal with the deployment or management of the virtual machine or the integration of the virtual machine with the host operating system. MED-V enables you to keep the updating and monitoring of MED-V images transparent from the user. There are many benefits of using MED-V virtual machine images:
• A virtual machine is contained in the virtual image. A virtual image contains an operating system, as well as legacy applications and other data. A virtual image is portable, and by deploying the single image, you can ensure that the same environment is available at multiple MED-V clients.
• A virtual machine is isolated and independent from the host. Changes on the host do not affect the virtual environment, and changes in the virtual image do not affect the host. Applications from the virtual machine are seamlessly integrated with the host, and the end-user experience is similar to what a user gets with locally installed applications.
• A virtual machine is configured by a policy. You can manage a policy centrally, and store it on a MED-V server. A policy can affect multiple clients. A policy configures a virtual machine and other settings, including to which users or groups it applies. Policies enable central administration, and you do not have to configure each client individually.
• Virtual machines can be configured differently. You can configure the same virtual machine image differently for different users. You can publish different legacy applications and apply different configuration settings to the same virtual image by using different MED-V policies.
• A virtual machine can be a workgroup or domain member. Based on the requirements, you can isolate a virtual machine from the network, connect it to the network, or configure it to be a domain member.
• A virtual image can be revertible or persistent. Changes in a virtual image can be persistent, like on a desktop computer, or they can be temporary, so that the virtual environment starts from the same state each time. The concept of revertible and persistent virtual images is similar to Undo disks in Windows Virtual PC. You would typically use a persistent virtual image when you want to preserve changes in the virtual image, such as when a MED-V virtual machine is a domain member. You would use a revertible virtual image when you do not want to preserve changes in the virtual image and you want to start from the same state always.


MED-V Image Requirements

Key Points
A virtual image is represented by a Virtual Hard Disk (VHD) file and it is used by Virtual PC 2007 SP1, which runs on the MED-V client. A virtual image contains an installed Windows operating system and legacy applications that are available inside the virtual environment. To create a virtual image, you must first install the supported operating system on a Virtual PC virtual machine. MED-V supports the 32-bit editions of the Microsoft Windows 2000 Professional SP4 operating system and Windows XP Professional SP2 or SP3 operating systems in a virtual image. Newer operating systems, such as the Windows Vista operating system and the Windows 7 operating system, are supported as MED-V clients, but are not supported as an operating system inside the virtual image. Because you use the same image for multiple MED-V clients, you must follow the Windows licensing agreement and install a volume licensing copy of the operating system in the image. You must also install the latest version of the Virtual Machine Additions in the image.


Note: You should be aware of the support timelines for the operating system and products that are included in the virtual image. If antivirus is installed in the virtual image, you should ensure it is updated.

To use a virtual image with MED-V, the image must include Microsoft .NET Framework 2.0 SP1 or newer, which also requires the installation of Windows Installer 4.5. The virtual image should include all Windows updates. To prepare an operating system in the image for the virtualized environment, you must perform additional configuration. These configuration tasks include:
• Disable all unnecessary services inside the virtual machine or set them to manual.
• Set power scheme to always on.
• Disable hibernation.
• Disable the automatic restart after a system failure.
• Disable Undo Virtual PC disks, floppy disk and Shared Folders, because they are not supported by MED-V.

After you install and configure the operating system, you need to install additional applications, which will be published from the MED-V environment. You must follow the licensing requirements of the applications and you should include their latest updates. Before using a virtual image with MED-V, you should install and run the MED-V VM Prerequisite Wizard in the virtual machine. This wizard helps to improve the virtual machine performance and streamline its integration.

Note: If a virtual image will be deployed to MED-V clients as a persistent workspace, it should be generalized. The only supported tool for that is Sysprep, a system preparation utility for the Windows operating system.

Question: Can you have a MED-V image that has a 64-bit operating system installed?


Installing and Running the Virtual Machine Prerequisites Tool

Key Points
One of the steps in preparing a MED-V virtual image is to install and run the MED-V VM Prerequisite Wizard. You can use this wizard to automate several of the prerequisite tasks and configure the virtual machine for running optimally in the MED-V environment. For example, you can use it to clear unnecessary temporary data, disable sounds, configure Internet Explorer settings, and enable Windows Auto Logon. The VM Prerequisites Wizard is part of the MED-V deployment and you can install it in the virtual machine by running the MED-V_Workspace_1.0.105.msi Windows Installer package.

Note: The user running the virtual machine prerequisites tool must have local administrator rights and must be the only user logged on.


The VM Prerequisites Tool has several configuration pages, which include:
• Windows Settings: This page has options to clear personal history, local temporary directory, and disable sounds.
• Internet Explorer Settings: This page has options to disable auto complete, disable reuse of windows, clear browsing history, and enable tabbed browsing in Internet Explorer 7.
• Windows Services: This page has options to select the services that will be set to manual startup mode.
• Windows Auto Logon: This page has options to enable Windows Auto Logon and define username and password, which will be used for auto logon.

The VM Prerequisites Tool automatically configures some of the settings that are required in the virtual image for MED-V to properly function. These settings include disabling the screen saver or displaying windows content while dragging. You cannot modify these settings in the VM Prerequisites Tool.

Note: Make sure that Group Policy objects do not overwrite the mandatory settings set in the Prerequisites Tool.

Question: Is it mandatory to run the VM Prerequisite Tool before you deploy a MED-V image?


Preparing a MED-V Image for Domain Environment

Key Points
A MED-V virtual machine can either be in a workgroup or be a domain member. As a domain member, it has the same access as any other domain computer. Published MED-V applications can access domain resources such as database servers or Windows SharePoint sites. To join a MED-V virtual machine to the domain, you must use a persistent workspace.


If you want to join MED-V virtual machines to a domain, you need to perform additional tasks to prepare the virtual images. These preparation steps are similar to the steps you need to perform when you prepare a desktop computer deployment. All deployment tools and documentation are available on the Windows XP (or Windows 2000) CD-ROM, in the Deploy.cab cabinet file, which can be found in the Support\Tools folder.

You can use Sysprep to generalize the image and reset the machine security ID (SID). After you run Sysprep, the virtual machine shuts down, and you can then upload the virtual image to the image repository. After the MED-V client downloads the image from the repository, the initial mini setup of the virtual image is performed without user interaction, and all the answers must be provided in an unattended answer file, sysprep.inf. You can create this answer file by using the Setup Manager tool, which is also included in the Deploy.cab cabinet file. After the initial mini setup, the folder containing sysprep.exe and the answer file are automatically deleted.

You can control the initial virtual machine setup by using a MED-V policy. In the policy, you can add setup actions such as Check Connectivity, Join Domain, Rename Computer, or Restart Windows. You can also define a virtual machine computer name pattern and use variables such as username, host name, domain name, and random characters. You can configure some of the settings, such as the computer name or whether a virtual machine is joined to a domain, in the unattended answer file (sysprep.inf) as well as in a MED-V policy. If you plan to use the virtual machine in a MED-V environment, you should use a MED-V policy to configure these settings.

Important: Be aware that the initial MED-V VM setup process when you join the computer to the domain can be a lengthy process. The MED-V Diagnostic mode can provide additional information about its progress.

Question: What is the main difference between preparing a MED-V image for the domain environment and having the MED-V image in the workgroup?


Creating a Basic MED-V Policy for Testing

Key Points
After you create and prepare a virtual image for the MED-V environment, you should test the image to verify how it behaves in the end-user environment. Testing is not mandatory, but we strongly recommend testing because it is easier to remove possible issues before you deploy the image to the users. To configure testing of the MED-V image, you need to use the MED-V Management console. In this tool, you can import a prepared MED-V image into the test environment by creating a local test image. Next, you need to apply policy settings to the test image and verify that the image behaves as expected. There are many different policy settings that you can configure, but when testing the MED-V image, you would typically configure the following settings:
• Assigned Image. Use this option to specify the image that will be used for testing. The image must first be created as a local test image, and you can identify this image because it has (test) at the end of its name.
• Seamless Integration. Use this option to specify how published applications are integrated with the host and whether there is a frame around each window of the published application.
• Deployment. Use this option to specify who can test the image.
• Data Transfer. Use this option to specify whether the Clipboard can be shared and whether file transfer should be supported between the host and the virtual environment.
• Device Control. Use this option to enable printing to the printers connected to the host and to specify whether the virtual environment can access the host CD/DVD drive.
• Published Applications and Published Menus. Use this option to specify which applications and menus from the virtual machine will be published to the host.
• Web Browsing. Use this option to specify which URLs use the browser from the host and which applications use the browser from the virtual environment.

After you configure the policy, you must save it to the MED-V server.

Note: The following characters cannot be included in the image name: space " < > | \ / : * ?

Question: What do you configure in a MED-V policy for testing and what is the main difference between testing policy and the policy that is used in production?


Demonstration: Testing the MED-V Image

Key Points
You perform the actual testing of the MED-V image on the MED-V client. When you log on to the MED-V client, you can choose to use the local (test) or the deployed image. If you opt to use the local image, the MED-V workspace starts faster and you can perform the testing. Based on the policy settings, you should verify if the image behaves as expected. For example, you can test if all published programs are available on the Start menu and you can successfully run them. When the testing is finished, you can stop the MED-V workspace by right-clicking the MED-V client icon on the notification bar.

Demonstration steps:
1. Open MED-V Management on NYC-CL1 and go to the Images module.
2. Add a new Local Test Image by selecting XP.vmc in the E:\LabFiles\VPC folder. Enter XP in the Image name field, and then click OK.
3. In the Policy module, create a new workspace, and assign the XP (test) image to the workspace. Enable the workspace for Everyone, publish the Notepad application, and then save the policy.
4. Run the MED-V client on NYC-CL1, log on as contoso\medv-user, and then select the created workspace.
5. Verify that the published programs from the MED-V virtual image are listed. Start XP Notepad.
6. Verify that there is a red line around the Untitled Notepad window. Open Help in Notepad, and verify that Notepad is running in Windows XP and that the virtual machine has 256 megabytes (Mb) physical memory available.
7. Copy some text and paste it to the Notepad window that is running on NYC-CL1.

Note: When testing an image, no changes are saved to the image between sessions; instead, they are saved in a separate, temporary file. This is to ensure that when the image is packed and run on the production environment, it is the original, clean image.

Question: What happens to the changes that are performed in the virtual environment when you test the MED-V image?


Lesson 2

Deploying MED-V Images

After you create and test the MED-V image, you should deploy it to the clients. Before clients can download the virtual image from the image repository, you must first pack the image and then upload it to the repository. Packing compresses the image and you can use the Hypertext Transfer Protocol (HTTP) or HTTP Secure (HTTPS) protocol with Background Intelligent Transfer Service (BITS) to use the remaining bandwidth for the upload. This lesson describes the procedures for updating and deploying the virtual image to the clients.


Packing the MED-V Image

Key Points
If you want to upload the image to the image repository and deploy it to MED-V clients, you must pack the image. You must pack the image on the administrative workstation and then upload the packed image to the image repository on the MED-V server. Only after the image is uploaded to the server can you assign it by using a MED-V Policy. Packing the image is the process of compressing the MED-V image to reduce its size. Image packing can take a considerable amount of time; however, a compressed image takes less space and transfers faster. The content of the packed image is the same as it was before packing. The MED-V image packing process can often reduce the image size down to 50% of its initial size. For example, you can compress an 8 gigabyte (GB) image to 4 GB by simply packing the image.


Although you should first test a MED-V image before packing, you can still pack an image without prior testing. If image testing was performed, changes made during testing are not included in the packed image. You can use the MED-V Management console for image packing, and by default packed images are stored in the local MED-V Images\PackedImages folder. A packed image consists of two files: .index, which has the list of files in the image, and .ckm (Kidaro Compressed Machine), which stores the actual compressed image.

When you pack an image, you can either create a new packed image or create a new version of the existing packed image. If you create a new packed image, MED-V clients can download the whole image. If you create a new version of the existing image and the MED-V clients have a previous version of the image, the clients download just the changes in the image. This makes the download much smaller and faster when you modify the existing image, such as when you install an application update.

You can further reduce the image size by implementing pre-packing and precompaction steps in the image build procedure. Typical steps to reduce the image size during a build procedure include:
• Removing unnecessary files and folders, including unneeded drivers.
• Uninstalling unnecessary applications.
• Defragmenting the volume.
• Running the precompaction utility on the VHD.
• Removing offline files.
• Editing or compacting the virtual disk.

Question: Why is it important to pack the image before uploading it to the MED-V server?

Uploading MED-V Images

Key Points
Local test images and local packed images are available only locally on the MED-V administrative workstation, where the MED-V Management console is installed. But before you can deploy virtual images to MED-V clients, you must first upload them to the image repository on the MED-V server. Depending on the configuration, you can use either the HTTP or the HTTPS protocol for image uploading. You also need BITS on the image repository Web server. If BITS is not configured on the server, you cannot upload the MED-V image.

Note: Before uploading an image, verify that a Web proxy is not defined in your browser settings and that Windows Update is not currently running.

After you pack a MED-V image, you can upload it to the image repository by using the MED-V Management console. If multiple versions of the same packed image are available, only the latest version is uploaded. Upload can take a considerable amount of time because an image can be several GBs in size and BITS uses only the unused bandwidth to transfer the image. After you upload the image, you can assign it to the MED-V workspace and distribute it to the MED-V clients. Local test images can be deleted after the upload. During an image upload, the .index and .ckm files are transferred to the MED-V server and by default, they are stored in the MED-V Server Images folder.

Question: How can you specify the users who can upload images to MED-V server?

Updating MED-V Images

Key Points
As part of the management tasks, you should update MED-V virtual images from time to time just like you update normal computers. There are various reasons for updating the image, which include installing the update to the operating system or applications in the image (update management), installing new applications in the image, or changing the configuration and modifying the content inside a virtual image. There are two different ways of updating a MED-V image. If a virtual machine in the image is joined to the domain, you can use the same updating mechanism that is in place for updating other domain computers. In such a case, you can manage the MED-V virtual machines in the same way as any other computer on the network.

You can use the second option when a virtual machine is not joined to the domain. In this case, you can open the image inside Virtual PC, update the image, for example by installing the Windows update, and then rerun the VM Prerequisite tool. After the update is complete, shut down the virtual machine, pack the updated image as a new MED-V image version, and then upload it to the image repository. For some updates, such as installing new applications in the virtual image, you also need to modify the existing MED-V policy or create a new one to benefit from the update. When MED-V clients download a new version of an existing image, the clients download only the parts that have changed, and not the entire virtual machine image. This significantly reduces the download size and delivery time.

Note: When a new version is deployed on the client, it overwrites the existing image. When updating an image, ensure that no data on the client needs to be saved.

Note: If you name the image a different name than the existing version, a new image will be created rather than a new version of the existing image.

Question: Why would you want to update the image?

Options for Deploying MED-V Images

Key Points
A MED-V image must be available locally before it can be used. After creating and testing a virtual image, you can deliver it to MED-V clients by using different delivery options.

Using Web Download Over a Network


This is the preferred option for deploying a MED-V image. When a virtual image is stored on the image repository, you can deliver it over the network by using the standard HTTP or HTTPS protocols. MED-V uses BITS for bandwidth throttling and Trim Transfer technology to accelerate the download speed and to reduce required bandwidth. Over-the-network delivery from an IIS Web server is the only supported way of delivering image updates, and it is the only delivery mechanism that can benefit from Trim Transfer.

Using a Deployment Package


The MED-V Management console provides the Packaging Wizard. The Packaging Wizard provides functionality that is different from packing the image. Packing the image compresses the image and reduces its size, while the Packaging Wizard creates a MED-V deployment package for deploying the MED-V client. The deployment package can include MED-V prerequisites, the MED-V client, and also a virtual image. If you include a virtual image in the MED-V deployment package, the virtual image is copied to the client workstation local drive as part of the installation. This delivery method is only suitable for initial virtual image delivery and does not support image updates. You can deploy future image updates over the network.

Using a Corporate Deployment System


If a company has an existing corporate deployment system such as System Center Configuration Manager 2007 R2, you can choose to deliver the packed virtual images by using the existing software distribution solution, rather than downloading it from the MED-V server. The MED-V client looks for the package in a predefined path, and then imports the image from there.

Note: Image pre-staging is useful only for the initial image download. It is not supported for image update.

To configure image pre-staging, you must perform the following tasks:
1. On the client computer, under the image store directory, create a folder for the pre-staging image.
2. The registry key, PrestagedImagesPath, located in the HKLM\SOFTWARE\Kidaro directory, points to the default image location. If the image is in a different location, change the path.

When the MED-V client starts, it looks in the specified directory for an image (ckm file and index file). If it finds an image, it imports it. If the image is not located in this path, it downloads it from the server.

Question: What is the main benefit of using the Web download method for deploying virtual images?
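One way to check a client's pre-staged image folder before the MED-V client starts, as an added example that is not part of the course material: the script reads PrestagedImagesPath, reports whether each image has both its .ckm and .index file, hashes them for comparison with the copies on the administrative workstation, and lists accounts other than Administrators and SYSTEM that can write to the folder. It assumes Windows PowerShell 2.0 or later and that the two files of one packed image share a base name; the function names are illustrative.

```powershell
# Added example (not from the course): audit the MED-V pre-staged image folder.
# Assumptions: Windows PowerShell 2.0+, elevated session, and the .ckm and .index
# files of one packed image share a base name. Function names are illustrative.

$KidaroKey = 'HKLM:\SOFTWARE\Kidaro'     # registry location named in the text
$ValueName = 'PrestagedImagesPath'

function Get-PrestagedImagesPath {
    # Returns the configured folder, or $null when the key or value is absent.
    $props = Get-ItemProperty -LiteralPath $KidaroKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    $prop = $props.PSObject.Properties[$ValueName]
    if ($prop) { return [string]$prop.Value }
    return $null
}

function Get-FileSha256 {
    param([string]$Path)
    $sha = New-Object System.Security.Cryptography.SHA256Managed
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '')
}

function Get-PrestagedImageReport {
    # One row per image base name; Complete is true only when both files exist.
    param([string]$Folder)
    $names = @(Get-ChildItem -LiteralPath $Folder |
        Where-Object { -not $_.PSIsContainer -and ('.ckm', '.index' -contains $_.Extension) } |
        ForEach-Object { $_.BaseName } | Sort-Object -Unique)
    foreach ($name in $names) {
        $ckm   = Join-Path $Folder "$name.ckm"
        $index = Join-Path $Folder "$name.index"
        $hasCkm   = Test-Path -LiteralPath $ckm
        $hasIndex = Test-Path -LiteralPath $index
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Image $name
        $row | Add-Member NoteProperty Complete ($hasCkm -and $hasIndex)
        $row | Add-Member NoteProperty CkmSha256   $(if ($hasCkm)   { Get-FileSha256 $ckm })
        $row | Add-Member NoteProperty IndexSha256 $(if ($hasIndex) { Get-FileSha256 $index })
        $row
    }
}

function Get-UnexpectedWriters {
    # SIDs, other than Administrators and SYSTEM, with an Allow entry that
    # permits creating, replacing or deleting files in the folder.
    param([string]$Folder)
    $trusted = @('S-1-5-32-544', 'S-1-5-18')
    $writeBits = [int][System.Security.AccessControl.FileSystemRights](
        'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
    $genericBits = 0x50000000            # GENERIC_WRITE or GENERIC_ALL in a raw ACE
    $acl = Get-Acl -Path $Folder
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $found = @()
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$rule.FileSystemRights
        $canWrite = (($rights -band $writeBits) -ne 0) -or (($rights -band $genericBits) -ne 0)
        if ($canWrite -and ($trusted -notcontains $rule.IdentityReference.Value)) {
            $found += $rule.IdentityReference.Value
        }
    }
    return @($found | Sort-Object -Unique)
}

$path = Get-PrestagedImagesPath
if (-not $path) {
    Write-Output "PrestagedImagesPath is not set under $KidaroKey"
} elseif (-not (Test-Path -LiteralPath $path)) {
    Write-Output "PrestagedImagesPath points to a missing folder: $path"
} else {
    Get-PrestagedImageReport $path | Format-List Image, Complete, CkmSha256, IndexSha256
    $writers = Get-UnexpectedWriters $path
    if ($writers) {
        Write-Output "Accounts besides Administrators and SYSTEM with write access to ${path}:"
        $writers | ForEach-Object { Write-Output "  $_" }
    } else {
        Write-Output "Only Administrators and SYSTEM can write to $path"
    }
}
```

An image reported with Complete set to False has only one of its two files in the folder, and the hashes can be compared with hashes of the files in the PackedImages folder on the administrative workstation.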

Demonstration: Packing and Uploading an Image

Key Points
In this demonstration, you will see how to pack and upload the image to a MED-V server. You use the MED-V Management console for both operations, and you should first test and then pack the image. Packing compresses the image and decreases the time needed for transferring the image. The image is packed on the administrative workstation and stored in the MED-V Images\PackedImages folder.

Demonstration steps:
1. Open MED-V Management on NYC-CL1 and go to the Images module.
2. Add a new Packed Image by selecting XP.vmc in the E:\LabFiles\VPC folder. Enter XP in the Image name and click OK.
3. While the image is packing, click Browse Local Images and show the content of the PackedImages folder.
4. On NYC-DC1, view the content of the C:\MED-V Server Images folder and confirm that no .ckm or .index files are available.
5. After Image Packing is complete on the NYC-CL1 computer, verify the image size in the Local Packed Images section, and verify the compressed file size.
6. Select the XP packed image and click Upload.
7. Switch to NYC-DC1 and verify that .ckm and .index files are available in the C:\MED-V Server Images folder.

Question: What tool can you use for packing and uploading the image to MED-V server?

Lab: Configuring and Deploying MED-V Images

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. Ensure that the 10324A-NYC-DC1 and 10324A-NYC-CL1 virtual machines are running. If required, connect to the virtual machines.
2. Log on to the virtual machines as Contoso\Administrator using the password Pa$$w0rd.

Exercise 1: Creating MED-V Images


Scenario
As part of implementing a MED-V virtualization solution, you need to first create a virtual image. To do this, you need to install and run the VM Prerequisites Wizard. Then, verify the changes performed by the VM Prerequisites Wizard.

The main tasks for this exercise are as follows:
1. Start the virtual machine on NYC-CL1 and review its initial configuration.
2. Install and run VM Prerequisites Wizard.
3. Verify the changes performed by VM Prerequisites Wizard.

Task 1: Start the virtual machine on NYC-CL1 and review its initial configuration
1. On NYC-CL1, start Microsoft Virtual PC and then start the XP virtual machine. Log on as User1 with the password of Pa$$w0rd.
2. Create a new text file with your name in the C:\Documents and Settings\User1\Local Settings\Temp folder.
3. From the Services console, verify service startup type for Security Center, Task Scheduler and System Restore Service.
4. From the Sounds and Audio devices applet in the Control Panel, verify that Windows Logon and Windows Logoff have sounds assigned.

You have now reviewed some of the initial configuration settings of the Windows XP virtual machine.

Task 2: Install and run the VM Prerequisites Wizard


1. From NYC-CL1, copy the E:\LabFiles\Mod04\MED-V_Workspace_1.0.105.msi file to the XP virtual machine and run it in the virtual machine. During the installation, when prompted for Files Needed, browse to C:\WinXP and then click Open. Click OK. Also when prompted to Insert Disk, click OK and then browse to C:\WinXP.
2. On the NYC-CL1 computer, in the XP virtual machine, launch the VM Prerequisites Tool.
3. On the Windows Auto Logon page, select Enable Windows Auto Logon, enter User1 as User name, Pa$$w0rd as Password, and then click Apply.
4. In the MED-V dialog box, click Yes. On the second MED-V dialog box, click OK. For this lab, a Volume License Key is not required.

By running VM Prerequisites Wizard, you prepared the image for the MED-V environment.

Task 3: Verify the changes performed by VM Prerequisites Wizard


1. In the XP virtual machine, verify the content of the C:\Documents and Settings\User1\Local Settings\Temp folder.
2. Verify that Windows Logon and Windows Logoff have no sounds assigned.
3. Verify that Security Center, Task Scheduler, and System Restore Service services startup type is set to Manual.
4. Open the registry editor and navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and verify values of the DefaultUserName and DefaultPassword keys. By performing these steps, you verified some of the changes that were performed by the VM Prerequisites Wizard.
5. Shut down the XP virtual machine, and then close the Virtual PC Console. All of your changes are saved into the XP virtual machine.

Results: After this exercise, you installed and ran the VM Prerequisites Tool in the XP virtual machine. You also verified some of the modifications performed by the tool.
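The Task 3 checks can also be scripted inside the guest. The following is an added example, not part of the lab: it assumes Windows PowerShell 2.0 has been installed in the XP virtual machine and is run as the logged-on user, and it uses the Windows XP service short names for the three services named in the lab. It reports only whether a DefaultPassword value is stored under Winlogon, never the value itself.

```powershell
# Added example (not part of the lab): scripted version of the Task 3 checks.
# Assumptions: PowerShell 2.0 is installed in the XP guest and the script runs
# as the logged-on user (the sound settings live under HKCU).

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Services = @{                       # Windows XP short name -> name used in the lab
    'wscsvc'    = 'Security Center'
    'Schedule'  = 'Task Scheduler'
    'srservice' = 'System Restore Service'
}
$SoundEvents = @('WindowsLogon', 'WindowsLogoff')

function Get-RegValue {
    # Returns the named value, or $null when the key or value does not exist.
    param([string]$Key, [string]$Name)
    $props = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    $p = $props.PSObject.Properties[$Name]
    if ($p) { return $p.Value }
    return $null
}

function New-CheckRow {
    param([string]$Check, [string]$Found, [string]$Expected)
    $row = New-Object PSObject
    $row | Add-Member NoteProperty Check    $Check
    $row | Add-Member NoteProperty Found    $Found
    $row | Add-Member NoteProperty Expected $Expected
    $row | Add-Member NoteProperty Pass     ($Found -eq $Expected)
    $row
}

function Get-PrerequisiteReport {
    # Services the lab expects to be set to Manual after the tool has run.
    foreach ($name in $Services.Keys) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        $mode = if ($svc) { $svc.StartMode } else { 'NotInstalled' }
        New-CheckRow "Startup type: $($Services[$name])" $mode 'Manual'
    }

    # Logon and logoff sounds: an empty or missing default value means no sound.
    foreach ($evt in $SoundEvents) {
        $key = "HKCU:\AppEvents\Schemes\Apps\.Default\$evt\.Current"
        $wav = Get-RegValue $key '(default)'
        $state = if ([string]::IsNullOrEmpty([string]$wav)) { 'None' } else { 'Assigned' }
        New-CheckRow "Sound: $evt" $state 'None'
    }

    # Auto logon: the lab entered User1 on the Windows Auto Logon page.
    $user = [string](Get-RegValue $Winlogon 'DefaultUserName')
    New-CheckRow 'Winlogon DefaultUserName' $user 'User1'

    # Report presence only; the password itself is never read into the output.
    $hasPassword = $null -ne (Get-RegValue $Winlogon 'DefaultPassword')
    $pwState = if ($hasPassword) { 'Present' } else { 'Absent' }
    New-CheckRow 'Winlogon DefaultPassword stored' $pwState 'Present'

    $auto = [string](Get-RegValue $Winlogon 'AutoAdminLogon')
    New-CheckRow 'Winlogon AutoAdminLogon' $auto '1'
}

$report = @(Get-PrerequisiteReport)
$report | Format-Table Check, Found, Expected, Pass -AutoSize

$failed = @($report | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Output "$($failed.Count) check(s) differ from what the lab expects."
} else {
    Write-Output 'All checks match the lab expectations.'
}
```

A DefaultPassword value under Winlogon is stored as plain text in the image's registry, so the same report is useful for recording which images carry an auto-logon credential.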

Exercise 2: Testing MED-V Images


Scenario
After the MED-V image is created, you need to test it. You can use the MED-V Management console and the MED-V client for configuring and testing the image. To test the image, import a basic testing MED-V policy and verify the MED-V image works as expected.

The main tasks for this exercise are as follows:
1. Add a local test image.
2. Import and assign a basic MED-V testing policy.
3. Test local MED-V image.

Task 1: Add a local test image


1. On NYC-CL1, log on to MED-V Management as contoso\medv-admin, with Pa$$w0rd password.
2. Create a Test Image called XP from E:\Labfiles\VPC\XP.vmc.

Task 2: Import and assign a basic MED-V testing policy


1. On the NYC-CL1 computer, import the MED-V policy from the file E:\LabFiles\Mod04\TestPolicy.xml.
2. On the Virtual Machine tab, select XP (test) as the Assigned Image and save the policy.

Task 3: Test the local MED-V image


1. On the NYC-CL1 computer, log on to MED-V as contoso\medv-user with Pa$$w0rd as password and select to use the test image. In the Windows Security Alert window, click Allow Access for all of the networks to allow Virtual PC 2007 SP1 to communicate.
2. On the NYC-CL1 computer, verify that published programs are listed. Run XP Notepad.
3. Run XP Remote Desktop and copy text from XP Remote Desktop Help to Notepad that is running locally on NYC-CL1 computer.
4. On the NYC-CL1 computer, start XP Command Prompt and compare content of C:\ with local C:\ drive.
5. On the NYC-CL1 computer, in the notification area, right-click the MED-V icon and then select Stop Workspace.

Results: After this exercise, you have created a local test image, imported and assigned a basic MED-V testing policy, and tested the local MED-V image.

Exercise 3: Updating, Packing, and Uploading the Image


Scenario
During testing you discover that a security update was not applied to the virtual machine and one of the applications is not available. You need to update the image by installing the missing application and a security update. After you test the virtual machine and update the virtual machine with the security update and missing application, you need to pack the image and upload it to a MED-V server.

The main tasks for this exercise are as follows:
1. Update the image.
2. Pack the MED-V image.
3. Upload the image to image repository.
4. Start the MED-V image download.

Task 1: Update the image


1. On the NYC-CL1 computer, open the Virtual PC Console and start the XP virtual machine.
2. On the NYC-CL1 computer, from the E:\LabFiles\Mod04 folder, copy files XmlNotepad.msi and WindowsXP-KB956802-x86-ENU.exe to C:\ on the XP virtual machine.
3. On the NYC-CL1 computer, in XP virtual machine, double-click XmlNotepad.msi, install it with default options, and then verify that the shortcut has been added to the Start menu.
4. On the NYC-CL1 computer, in XP virtual machine, run WindowsXP-KB956802-x86-ENU.exe. Select Do not restart now at the end of the installation. Open Add or Remove Programs and verify that Security Update for Windows XP (KB956802) is listed under Windows XP Software Updates.
5. Shut Down the XP virtual machine and close Virtual PC Console.

Task 2: Pack the MED-V image


1. On NYC-CL1 computer, create a packed image named XP-Updated from E:\Labfiles\VPC\XP.vmc.
2. Review content of the folder C:\MED-V Images\PackedImages.
3. Switch to NYC-DC1, open Windows Explorer and verify that .ckm and .index files for the XP-Updated virtual machine are not available in the C:\MED-V Server Images folder.

Task 3: Upload the image to image repository


On the NYC-CL1 computer, in the MED-V Management console, select XP-Updated and click Upload.

Results: After this exercise, you have updated the XP image with a Windows update and custom application. You have also packed the local image and uploaded it to the MED-V server.

Exercise 4 (Optional): Preparing the MED-V Image for Domain Environment


Scenario
Some of the legacy applications in the virtual image require access to domain resources. You decide to join the MED-V virtual machine to the domain and in this exercise you will prepare the image for domain environment by creating an answer file and running Sysprep to generalize the image.

Note: Because it takes a long time to pack, upload, and deploy the image, you will not perform these steps in this lab exercise, but will only perform the tasks related to generalizing the image.

The main tasks for this exercise are as follows:
1. Create the Sysprep answer file.
2. Run Sysprep.exe to generalize the image.

Task 1: Create the Sysprep answer file


1. On NYC-CL1, open Microsoft Virtual PC and then start the XP virtual machine.
2. Copy the E:\LabFiles\Mod04\Sysprep folder from NYC-CL1 to C:\ on the XP virtual machine.
3. In the XP virtual machine, in the Sysprep folder, run Setup Manager. Create a new Sysprep answer file for Windows XP Professional.
4. Save the answer file as C:\Sysprep\sysprep.inf and review it.

Task 2: Run Sysprep.exe to generalize the image


1. In the XP virtual computer, in the C:\Sysprep folder, double-click sysprep.exe. Select the Don't reset grace period for the activation and Use Mini-Setup options, and then click Reseal.
2. Wait until the XP virtual machine shuts down. Close the Virtual PC Console.

Results: After this exercise, you have created a Sysprep answer file and run Sysprep.exe to prepare the virtual machine for the domain environment.

To prepare for the next lab


Do not shut down the virtual machines. You will use these virtual machines for the next lab.

Module Review and Takeaways

Review Questions
1. Why would you use the VM Prerequisite Tool? Is this tool mandatory?
2. Do you need to upload a MED-V image to the image repository if you want to test it?
3. What are the typical steps in virtual image life cycle?
4. Which protocol is used for MED-V virtual image download?
5. How can MED-V virtual image be deployed? What is the benefit of using the Web download option?

Common Issues Related to Microsoft Enterprise Desktop Virtualization


Identify the causes for the following common issues related to Microsoft Enterprise Desktop Virtualization and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.
| Issue | Troubleshooting tip |
| --- | --- |
| You created a Windows XP virtual image, but when you deploy it to MED-V clients, it requires activation at each client. | |
| You are not able to install the VM Prerequisite Tool (MED-V Workspace) on a Windows Server 2008 R2 virtual machine. | |
| You are preparing a Windows XP virtual image for a domain environment, but you are not able to find Sysprep.exe to generalize the image. | |
| You generalized the Windows XP image, but when you deploy it to MED-V clients, initial setup does not perform and the virtual machine is not joined to the domain. | |
| You created the MED-V image, but you are not able to test it. | |
| You want to deploy a MED-V image to the new workstation, but you have slow network connectivity to the client. | |

Module 5
Managing a MED-V Deployment
Contents:
Lesson 1: Implementing the MED-V Workspace Policy
Lesson 2: Working with a MED-V Workspace
Lesson 3: Reporting and Troubleshooting MED-V
Lab: Managing a MED-V Deployment

Module Overview

Managing the Microsoft Enterprise Desktop Virtualization (MED-V) environment typically is one of the most time-consuming activities for MED-V administrators. After you deploy the MED-V infrastructure, you must define MED-V Workspaces by configuring MED-V policies, and then enable the workspaces for users and set options to configure the workspaces that will be available to users. MED-V users work in two separate environments: the host operating system and the MED-V Workspace. If you integrate published applications seamlessly with the host, users typically cannot tell that they are different from applications that are installed locally on their computers. Besides a configurable virtual environment and a seamless integration with the host, MED-V also provides reporting and diagnostics capability. The reporting feature requires Microsoft SQL Server, and it logs MED-V events, and provides three basic report types. The MED-V client provides a diagnostics mode, policy updates, and diagnostic log gathering that you can use to troubleshoot MED-V issues.

Lesson 1

Implementing the MED-V Workspace Policy

A MED-V Workspace policy is an essential part of a MED-V implementation. It defines how to configure the virtual environment of MED-V clients, which virtual image to use, and which applications to publish to the host, among other things. You create and manage a MED-V Workspace policy in the MED-V Management Console, and users must have the Changes Allowed permission on the MED-V server to save a policy that they create or modify. A MED-V policy has many settings, which are saved in an XML file on the server. MED-V applies the policy to the MED-V client when it starts, and then reapplies it every 15 minutes. You also can update it manually.

What Is a MED-V Workspace?

Key Points
A MED-V Workspace is the desktop environment that MED-V provides for you to interact with the virtual machine. As a MED-V administrator, you create and customize the MED-V Workspace, which consists of an image and a policy that defines its rules and functionality. You can create multiple MED-V Workspaces, and you can customize each with its own configuration, settings, and rules. You then can apply the workspace to the same image or to multiple images. You can associate a MED-V Workspace with a user or group, or multiple users or groups, making the MED-V Workspace available only to the associated users or group members. You can configure a MED-V Workspace centrally, and then apply it to clients that you assign to this workspace. You can define a MED-V Workspace in the MED-V Management Console by using the policy module, and then store it on the MED-V server. The MED-V policy applies to users when they log on and during periodic refreshes, which is every 15 minutes by default. You also can update the policy manually, by using the Diagnostics option in the MED-V client.

The MED-V Workspace is separated from the user's local desktop. It is a virtual image that runs inside Virtual PC and that you can configure by using MED-V. For example, if you launch a locally installed copy of Microsoft Office Word, create a document, and then save the document, MED-V saves it, by default, in your Documents folder on the local host. But if you launch a copy of Office Word from within the MED-V Workspace, create a second document, and save the document, then by default, MED-V saves this document in the My Documents folder in your workspace, meaning in the virtual machine that is running on the local host. This means that you will have two Documents folders on the same MED-V client computer: one on the local host, and one in your MED-V Workspace in the virtual machine. There are different options to work around this, such as using the MED-V file transfer tool or configuring folder redirection.

Note: Each MED-V Workspace image can be used only by one Windows user.

Note: You can control the MED-V Workspace from a command prompt by using KidaroCommands.exe, which is located in Management subfolder of the MED-V installation folder.

Question: Can you create a MED-V Workspace without assigning it a virtual image?

What Is a MED-V Workspace Policy?

Key Points
A MED-V Workspace policy is a group of configurable settings that define how the virtualized environment and applications that you install in that environment perform on the host. By using a MED-V Workspace policy, you can specify how a MED-V virtualized environment is configured on the client and how it interacts with the host. You can define several workspace settings, which include:
- The image that is assigned to the workspace.
- Settings for integration and data transfer between the workspace and the host.
- The user for whom the MED-V Workspace policy is enabled.
- Settings for device control.
- The published applications and the virtual machine configuration.

You can create and manage MED-V Workspace policies by using the MED-V Management Console, which stores them in a single file, ClientPolicy.xml, on the MED-V server. You also can import or export a workspace policy as an XML file on the MED-V client, by using the Import or Export options in the Policy menu in the MED-V Management Console.

Note: When you configure a policy, a warning symbol appears next to the mandatory fields for which you did not enter values. If a mandatory field is empty, the warning symbol also appears on the settings tab.

It is important to decide the MED-V Workspace type that you want to use before you deploy the MED-V Workspace policy. We do not recommend that you change the MED-V Workspace type after you deploy a policy to users. There are two types of MED-V Workspaces available:
- Persistent. In a persistent MED-V Workspace, all changes and additions that you make to the MED-V Workspace are saved in the MED-V Workspace between sessions. You typically use a persistent MED-V Workspace in a domain environment.
- Revertible. In a revertible MED-V Workspace, at the completion of each session, when the MED-V Workspace stops, the MED-V Workspace reverts to its original state during deployment. Changes or additions that you made are not saved on the MED-V Workspace between sessions. You cannot use a revertible MED-V Workspace in a domain environment.

Question: What is the difference between a MED-V Workspace and a MED-V Workspace policy?

General, Virtual Machine, and Deployment Settings

Key Points
You can use the General tab in the MED-V policy to configure the workspace name, description, support contact information, and basic user-experience settings when working with a MED-V Workspace. You can define whether the MED-V Workspace appears in seamless integration or full desktop mode. Seamless integration publishes legacy applications on the host Start menu, and they appear as if they were installed locally on the host. You also can configure the frame color for the legacy applications, which distinguishes them from the local applications on the host. The full desktop presents the desktop of the MED-V Workspace operating system in a separate window. You also can define the command that must be run successfully on the host before the workspace will start.

You must assign a Microsoft Virtual PC image to every MED-V Workspace, and you can configure this from the Virtual Machine tab in the MED-V policy. An assigned image can be one of three types:
- Local test images. These are unpacked images on the local computer. The word test follows these image names in parentheses, and you can use these images for testing purposes only.
- Local packed images. These are packed images on the local computer, and the word local follows the image name in parentheses. Clients cannot download these images until the administrator uploads them to the server. Clients can select a local image if you create a package that is distributed to the client via removable media, such as a USB drive or DVD.
- Packed images on a server. These are images that are on the server and that are available for download by clients. The word server follows the image name in parentheses.

On the Virtual Machine tab, you also can configure the workspace type to be persistent or revertible. If you choose a persistent workspace, you can specify if a user should use a Windows logon for the virtual machine. You also can configure workspace lock settings and image update settings, such as the number of previous image versions to retain and if you want to use Trim Transfer when downloading images.

Note: You should use Trim Transfer when it would take you less time to index the hard drive than to download the new image version. For example, it would be more efficient to use Trim Transfer when you download a new image version that is similar to an existing image on the client.

On the Deployment tab in the MED-V policy, you can assign a MED-V Workspace to domain users and groups. You can specify the time until which the workspace is available, and whether the user can use it in the offline mode without first connecting to the MED-V server. You also can define the conditions under which the workspace is deleted automatically and the data-transfer options between the host and workspace. Additionally, you can configure device-control options, such as whether printers from the host are available for printing in the workspace or if the workspace can access the host's CD or DVD drive.

Note: To support file transfer in Windows XP Service Pack 3 (SP3), you must disable offline file synchronization in the virtual image.

Question: How can you control to whom the MED-V policy applies?

Published Applications Settings

Key Points
You can run applications within the MED-V Workspace that are incompatible with the host operating system, and start them from within the workspace as you would with a locally installed application, from either the Start menu or from a shortcut on the host. Workspace applications, which are available from the host, are called published applications. The MED-V policy defines them. You can publish an application in two ways:
- As an application. You can publish a specific application by defining the command-line command that runs the application in the virtual machine. Only the applications that you specify and enable in the MED-V policy are published and listed on the host's Start menu. It is possible to run additional applications from the published application, even if this additional workspace application remains unpublished. For example, you can run any workspace applications from the published workspace command prompt.
- As a menu. You can publish a menu folder that contains multiple applications and subfolders. The host Start menu publishes and displays all of the folder's applications and subfolders.

If you publish individual applications, you can define the display name that appears on the host Start menu. You also can define the description of the published application, which appears as a tooltip when the mouse hovers over the shortcut. In the Command line field of the MED-V Management Console, you specify the command that you can use to run the application from the MED-V Workspace. In this command, you need to specify the full path, and you can pass the parameters to the application as you would to any other Windows command.

Note: If the application command line includes spaces, enclose the entire path in quotation marks.

If you publish the whole menu, you can define the menu's display name, under which MED-V lists all of the workspace menu's content on the host Start menu. The published menu location is a relative path from the Programs folder in the workspace, and if you leave it blank, all programs from the workspace Start menu will publish to the host.

Note: If you want to rename the published application, you can right-click on it, and then select Rename. When you reapply the MED-V policy, the application name will not revert. But when you restart the workspace, the individually published applications will be listed multiple times, with their published and modified names, while applications on published menus will revert to their original workspace names.

All published applications and menus appear as shortcuts on the host's Start menu under All Programs in MED-V Applications. You can change this folder's name in the Start-menu shortcuts folder field on the Applications tab in MED-V policy.


Web, Network, and Performance Settings

Key Points
Some Web sites and Web applications are not compatible with the host's Microsoft Internet Explorer version, and do not work correctly even when you use the compatibility view in Internet Explorer. If you need to access such Web sites, you can use older Internet Explorer versions. You do not need to open a browser manually in the MED-V Workspace to view specific Web sites. MED-V automatically redirects you to the browser in MED-V Workspace from the browser in the host, and vice-versa.

On the Web tab in the MED-V policy, you can define a list of Web browsing rules for a MED-V Workspace. Users can browse all sites that the rules include, either in the MED-V Workspace browser or in the host's browser. Users can browse all sites that the rules do not define, from the environment in which the sites were requested. However, you also can configure these sites as a group, which users can browse in the MED-V Workspace or in the host.


Note: MED-V applies Web settings only to Internet Explorer. It does not apply Web settings to other browsers.

You can configure network settings for MED-V Workspace on the Network tab in the MED-V policy. On this tab, you can define if a workspace uses Network Address Translation (NAT) to share the host's IP address for outgoing traffic, or if it has its own network address, which it typically obtains from the Dynamic Host Configuration Protocol (DHCP) server. You also can configure Domain Name System (DNS) options, such as whether the workspace uses the host's DNS server or if you want to use a specific DNS server, and you can define DNS suffixes that MED-V uses for name resolution. You should configure these settings appropriately if you plan to have network connectivity for your MED-V Workspace in scenarios where the workspace is joined to the domain or it includes software that the organization will update over the network.

On the Performance tab in the MED-V policy, you can adjust the virtual machine memory, based on how much physical memory the host has. By using this configuration, you can allocate more memory to the virtual machine when the host has more memory available. For example, if a host has 1 gigabyte (GB) of random access memory (RAM), you can allocate the virtual machine 128 megabytes (MB) of memory, and if a host has 2 GB RAM, you can allocate 512 MB of memory to the same virtual machine.

Question: Do you need to publish Internet Explorer from the virtual image to use it for browsing certain Web sites that are incompatible with the host's version of Internet Explorer?


VM Setup Settings

Key Points
You can configure the virtual machine's setup settings on the VM Setup tab in the MED-V policy. By using this tab, you can configure setup options, which MED-V performs when you deploy the virtual machine and run it for the first time on the MED-V client. For example, you use these settings for joining the MED-V virtual machine to the domain environment. You need to configure the virtual machine setup differently for persistent and revertible MED-V Workspaces.

Note: You must use a persistent workspace for domain-joined virtual machines.


For the persistent workspace, you can configure options to run VM Setup, and then use a script editor to configure actions such as checking connectivity, renaming a computer, joining a domain, or running custom commands from the command line. For most of the actions, you can specify additional parameters, such as the IP address for which you want to test connectivity or user credentials, and the domain name to which you want to join the MED-V virtual machine. If you enable VM setup, you also can define the message that displays on the MED-V client while the script is running.

Note: VM Setup only runs the first time that you start a workspace, after the Windows logon is complete. After you complete the VM Setup steps, the Windows operating system inside the virtual machine shuts down.

For a revertible workspace, you can configure options only to rename the virtual machine. For both persistent and revertible workspaces, you can define a virtual computer name pattern. In this pattern, you can include the user name of the logged-on user, the domain name, host name, workspace name, virtual machine name, and a selectable number of random characters.

Note: When you join a virtual machine to the domain, only root-level organizational units (OUs) are supported for creating a computer account.

Question: What are the scenarios in which you would configure and use MED-V VM Setup?


Demonstration: Configuring a MED-V Workspace Policy

Key Points
In this demonstration, you will see how to use the MED-V Management Console to configure a MED-V policy on an administrative workstation.

Demonstration Steps
1. Run MED-V Management. Log on to the MED-V server by using the administrator credentials.
2. Add a new workspace, which will create a new MED-V policy.
3. Switch through configuration tabs, and set various options.
4. Save the policy to the server.
5. Switch to the MED-V server, and notice that all changes are saved in the c:\program files\microsoft enterprise desktop virtualization\servers\ClientSettings.xml file.


Lesson 2

Working with a MED-V Workspace

After you create and enable the MED-V Workspace for the users or groups, you can deploy the MED-V Workspace. The first time that you deploy a workspace to the MED-V client, the process can be lengthy because you need to download the virtual image first, and then configure it according to the MED-V policy. You can integrate the MED-V Workspace seamlessly with the host, or you can run it in a separate window. Most customers use seamless integration. But you should be aware that MED-V users work in two separate environments: the host operating system and the workspace. Users can share the Clipboard between the two environments, and MED-V provides a transfer tool so that users can transfer files and folders between both environments. If you join a workspace to a domain, you can provide better integration by using additional options, such as sharing the folders between the host and the workspace, or using a Group Policy object (GPO) to configure folder redirection.


Deploying a MED-V Workspace

Key Points
You can deploy a MED-V Workspace only to the workstations on which you install the MED-V client. The MED-V client runs on top of Virtual PC, applies MED-V policy to the virtualized environment, and integrates the MED-V Workspace with the host.

Before you can access the MED-V Workspace and run published applications, you first must log on to MED-V. You can log on to MED-V by using the account of the currently logged-on Windows user or by providing an alternate user account. You can enter the user name in two different ways: domain\username or username@domain. The AD DS domain controller performs user authentication, and the MED-V server performs authorization. If you want to use MED-V, you must have an AD DS user account, and you must enable the MED-V Workspace for your account or the group to which your account belongs.

You can log on to the MED-V Workspace automatically by using your Windows user account, or manually by starting the MED-V client, and then providing user credentials. You can configure how the MED-V client starts at logon by right-clicking on the MED-V icon in the notification area, and selecting the Settings option. By using the Settings option, you also can configure MED-V server settings.


If user authentication is successful and you have enabled multiple workspaces, MED-V prompts you for the workspace that you want to use. You can select one of the workspaces from the list, and make it the default choice. The MED-V server then provides an encryption key to the client, which you can use to decrypt the virtual machine image on the client. If the image is not available on the client, MED-V transfers it from the image repository on the MED-V server. After you decrypt the virtual machine, the MED-V client uses Virtual PC to launch the virtual machine, which initializes the MED-V Workspace. After the MED-V Workspace starts, you can interact with it.

Note: You can deploy multiple virtual images to the client, but you can run only one Virtual PC image at a time. If you enable more than one workspace for a user, then when the user starts the MED-V client, MED-V prompts the user to select the workspace to run.

You can control the MED-V Workspace by right-clicking the MED-V icon in the notification area. If the workspace is running, the MED-V icon has a green check mark. By using the MED-V options in the notification area, you can perform the following tasks:
• Start, stop, or restart the workspace.
• Lock the running workspace to prevent access to published applications while the workspace is locked.
• Modify the workspace settings.
• Access tools or help, including workspace support information, which the MED-V policy defines.

Question: How can users log on to MED-V? What happens if they have enabled multiple MED-V policies?

Question: What is the difference between the first logon and successive logons to a workspace?


Running Published Applications from the Host

Key Points
You can access published applications from the MED-V Workspace by using the host's Start menu in the same way as you access locally installed applications. In the MED-V policy, you can control which applications you want to publish and where on the Start menu they are published. Because published applications integrate with the Start menu on the host, you can use the Search function to find them, and then you can run them in the same way as you would run locally installed applications.

Note: If you want to publish applications in the submenu, you can use the \ character when defining the shortcut folder for the Start menu in the MED-V policy.


In the MED-V policy, you can specify how applications are published. You can configure applications to have a frame around the application window, which helps distinguish them from locally installed applications. You can start another application from a published application, and then you can run multiple published applications at any time. Be aware that only a single workspace is used at any time, and that all published applications must be from the same virtual image.

If you want to protect access to published applications, you can lock the workspace. A MED-V policy can define the idle time after which a workspace locks automatically. Alternatively, you can lock a workspace manually, by right-clicking the MED-V icon, and then selecting the Lock Workspace option. This hides all opened published applications, and you can run a new published application or access running published applications only after you unlock the workspace by providing the MED-V user password.

Apart from the Start menu, you also can run published applications from the command prompt on the host. The MED-V Workspace in which you define the published application must be running, and you can run the published application by using the following syntax:
"<Install path>\Manager\KidaroCommands.exe" /run "<published application name>" "<MED-V Workspace name>"

Note: Be aware that the published application name and the MED-V Workspace name are both case-sensitive.
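
The case-sensitivity rule in the note above is an easy way for a scripted launch to fail, so the following added example (not part of the course material) wraps the documented /run syntax in a PowerShell function that checks both names case-sensitively before it calls KidaroCommands.exe. The function names, the MEDV_INSTALL_PATH environment variable, and the name lists are assumptions for illustration; the sample names are the ones this module's lab defines.

```powershell
# Added example, not from the course material.
# Assumptions (hypothetical): the function names, the MEDV_INSTALL_PATH
# environment variable, and the name lists, which you maintain yourself from
# the MED-V policy. Only "Manager\KidaroCommands.exe /run" is documented syntax.

function Resolve-CaseSensitiveName {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string[]]$Known,
        [Parameter(Mandatory = $true)][string]$Kind
    )
    # -ccontains is the case-sensitive membership test.
    if ($Known -ccontains $Name) { return $Name }

    # -ieq ignores case: a hit here means only the casing is wrong.
    $near = @($Known | Where-Object { $_ -ieq $Name })
    if ($near.Count -gt 0) {
        $list = $near -join ', '
        throw "$Kind '$Name' differs only in case from: $list"
    }
    $all = $Known -join ', '
    throw "$Kind '$Name' is not one of: $all"
}

function Start-MedvPublishedApp {
    param(
        [Parameter(Mandatory = $true)][string]$InstallPath,
        [Parameter(Mandatory = $true)][string]$Application,
        [Parameter(Mandatory = $true)][string]$Workspace,
        [Parameter(Mandatory = $true)][string[]]$KnownApplications,
        [Parameter(Mandatory = $true)][string[]]$KnownWorkspaces
    )
    # Build "<Install path>\Manager\KidaroCommands.exe" and fail early if absent.
    $exe = Join-Path $InstallPath 'Manager\KidaroCommands.exe'
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        throw "KidaroCommands.exe not found at '$exe'."
    }

    $app = Resolve-CaseSensitiveName -Name $Application `
        -Known $KnownApplications -Kind 'Published application'
    $ws = Resolve-CaseSensitiveName -Name $Workspace `
        -Known $KnownWorkspaces -Kind 'Workspace'

    # Passing each name as its own argument lets PowerShell quote names that
    # contain spaces. The workspace must already be running.
    & $exe /run $app $ws
}

# Constructed lists, using the names defined in this module's lab.
$apps       = 'XP Comp Mgmt', 'XP Cmd prompt', 'XP Notepad', 'XP XML Notepad'
$workspaces = @('Legacy Workspace')

if ($env:MEDV_INSTALL_PATH) {
    # 'xp notepad' would be rejected here with a case-mismatch message.
    Start-MedvPublishedApp -InstallPath $env:MEDV_INSTALL_PATH `
        -Application 'XP Notepad' -Workspace 'Legacy Workspace' `
        -KnownApplications $apps -KnownWorkspaces $workspaces
}
```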

Question: What methods can you use to run published applications from the MED-V Workspace?

Question: How can you distinguish between local and published applications?


Integration of Published Programs with the Host

Key Points
Published applications integrate with the host, and provide a look and feel that is similar to locally installed applications. For example, if an application has an icon in the notification area, this icon is available from the notification area on the host and its context menu. You can press ALT+TAB to switch between running applications on the host, and the list of running applications includes the published applications. However, these applications run in the virtual environment, so in an older operating system, Flip3D, live thumbnail preview, and transparency do not work for published applications. Based on the MED-V policy configuration, you can use Copy and Paste to transfer content between published applications and applications running on the host. Published applications run in the virtual environment, and they access the folder structure on the virtual hard disk. If you want to save data from the published application to the host, you can save it first to the virtual environment, and then use the MED-V File Transfer tool to transfer it from the virtual environment to the host. In the MED-V File Transfer tool, you can choose to transfer an individual file or a folder.


In the MED-V policy, you can define the following:
• The direction in which files can be transferred: host to workspace, workspace to host, or both.
• The file extensions that can be transferred.
• Whether you want to enable the running of commands on the received files once you transfer them to the host.

Because transferring files from the workspace to the host can be time consuming, you can use different options, such as sharing folders between the host and the workspace, or using Group Policy to configure folder redirection, if the workspace is joined to a domain.

Note: The File Transfer Tool is enabled only when the MED-V Workspace is running.

Published applications are displayed on the host in the same way as RemoteApp programs are displayed when you use Remote Desktop Services (RDS).

Question: How can you access a data file that you saved in the MED-V Workspace?

Question: What are the alternatives to using the File Transfer tool to access data files that are saved from published applications?


Browsing the Web and Printing from Published Programs

Key Points
One of the workspace settings that you can control through MED-V policy is the URL addresses that users can browse by using Internet Explorer. You can use this option if Web sites or Web applications are incompatible with Internet Explorer on the host, but they work correctly with the workspace's older version of the Internet Explorer browser. You do not need to publish Internet Explorer from the host to use this feature.

You can specify the list of URLs by adding domain suffixes and IP prefixes. You also can select all local addresses, and then define whether a browser from the workspace or from the host will be used for browsing them. Then you can specify how you will browse all other URLs, either by using the browser in the workspace or in the host.

When you browse URLs, the transition between the host's Internet Explorer and Internet Explorer in the workspace is automatic. If you define a URL in the MED-V Policy as a workspace URL, and then type it in the host Internet Explorer window, an Internet Explorer window from the workspace opens and accesses the URL. This browser transition works in reverse, as well, from the workspace browser to a browser on the host.


Note: Web settings are applied only to Internet Explorer. Web settings are not applied to other browsers.

Another option that you control through a MED-V policy is the ability to print from published applications. You can print either to locally installed printers in the workspace or to printers that are connected to the host. The Enable printing to printers connected to the host option in the MED-V policy controls access to printers that are connected to the host. When you prepare a virtual image, and then install the VM Prerequisites Tool, it adds a printer driver that is represented as the Local Printer. This printer enables you to use any printer that is connected to the host, without installing any additional device drivers inside the virtual image. When you run a published application, you can select to print to the Local Printer, which is the workspace's default printer. You get an additional dialog box, where you select which host printer to use and what print job is sent to that printer.

Question: Do you need to install additional printer drivers in the workspace to print to host printers?

Question: You are not able to find the Windows XP driver for a printer that is connected to your Windows 7 host. Can you still print from the published application that is running in Windows XP SP3 workspace on this printer, if you configure the printer in the Windows 7 host?


Lesson 3

Reporting and Troubleshooting MED-V

Reporting and troubleshooting are an integral part of MED-V. You use Microsoft SQL Server for storing the MED-V log events, and then you can view them in the MED-V Management Console. MED-V provides three report types, and enables you to use features such as filtering, grouping, sorting, and exporting MED-V events to a Microsoft Office Excel file. A MED-V client provides troubleshooting capabilities, which include gathering the diagnostics logs, updating the MED-V policy on the client, enabling the diagnostic mode, and browsing the image store. Features such as the diagnostic mode can be beneficial when you run the workspace for the first time, as it displays a Virtual PC window that shows what is occurring in the virtual environment.


Features of MED-V Reporting

Key Points
The reporting feature in MED-V gathers, stores, and presents information about client status, user activity, and errors to MED-V administrators in the form of reports. If you want to use MED-V reporting, you must have SQL Server 2005 Service Pack 2 (SP2) or SQL Server 2008 installed locally on the MED-V server or available on a remote server. You can use any SQL Server edition (Express, Standard, or Enterprise), and if you want to use SQL Server on the remote server, you must install Microsoft SQL Server Management Objects on the MED-V server.

By default, MED-V adds an additional database, medv, to the SQL Server. This database has six tables, and SQL Server uses it only for logging events, errors, and status messages. You can create and configure a MED-V database through the MED-V Server Configuration Manager on the MED-V server. From this tool's Reports tab, you can perform the following tasks:
• Configure a connection string for connecting to the SQL database.
• Create a MED-V database.
• Test connectivity.
• Configure database maintenance, such as how long data will be stored in the medv database before MED-V deletes it automatically.

You can select the report type, provide additional parameters, and view reports in the MED-V Management Console, which is available on the MED-V administrative workstation. Before you can view a report, you first must select the report type, and then provide additional parameters, which can include:
• Number of days. This is the number of days for which MED-V should include events in the report.
• User name contains. This is the portion of the user name that MED-V should include in the report. If you specify this parameter, MED-V displays only events performed by users whose names meet this criterion. If you do not specify this parameter, the report includes events by all users.
• Host name contains. This is the part of the host name that you are looking for and that you want the reports to include. If you specify this parameter, MED-V displays only events that comply with this parameter. If you do not specify this parameter, the report includes events that happen on any host.

After you specify the parameters, MED-V generates a report, and adds a new tab to the detailed view. You can:
• Sort the report's entries by clicking on the column heading.
• Filter events by clicking the filter icon in the column heading.
• Group events by dragging the column heading to the top of the report or right-clicking on the column heading.

You also can export reports to Office Excel.

Question: Where is the MED-V log data stored?

Question: Can you always use MED-V reporting?


Types of MED-V Reports

Key Points
The MED-V client generates the MED-V events, and then stores them in SQL Server when the client is online. The medv database, which contains six tables, stores events. You can use tools such as Excel or Microsoft Office Access to access the log data in the database and create your own reports. Alternately, you can use the MED-V reporting capability that MED-V provides by default. You can use the MED-V Management Console for generating and viewing MED-V reports. The MED-V Management Console provides three report types:

Status. You can view the current status of all active users and all MED-V Workspaces for each user, based on the period of time that this report defines. You can view information such as:
• Computers that are connected to the server currently, and the date and time that they were last connected to the server.
• The status of each computer.
• Relevant information, such as the workspace used, policy version that was applied, and the MED-V client version on the host.

Activity Log. You can view events that originated from a specific host or user in a defined date range. In this report, you can find events such as:
• When a virtual image download has started or completed.
• When a MED-V Workspace has started.
• Whether a user was authenticated before using the workspace.

This report has the most detailed information on user activity. In larger MED-V implementations, it contains many events.

Note: When you work with reports, you can use a filter or the group by command to categorize your results.

Error Log. You can view errors that originated from a specific host or user in a defined date range. In this report, you can view:
• At which host the error originated.
• When the error occurred.
• The identity of the user.
• In which workspace the error occurred.
• The error's description.

Note: If the client is working offline, the server receives the reports when the client reconnects to the network.


Demonstration: Generating and Working with MED-V Reports

Key Points
In the MED-V Management Console, you can monitor clients by generating a report that contains detailed information about client events. In this demonstration, you will see how to generate and work with MED-V reports.

Demonstration steps:
1. Log on to MED-V Management Console as medv-user, and go to the Reports module.
2. Select Generate Report with default parameters.
3. Review the data on the Status tab.
4. Generate the Activity Log by accepting the default parameters.
5. Review data on the Activity Log tab.
6. Sort data by the Event Id heading. Use Filtering to display a specific Event Id. Group rows by Event Id. Reorder columns of the report.
7. Export data on the Status tab to Excel.

Question: How can you drill down into MED-V reports and view specific information in the log data?


Using MED-V Diagnostics to Troubleshoot

Key Points
If you experience problems with starting, downloading, or running a MED-V Workspace, there are several troubleshooting options available. One of them is MED-V reporting. By using MED-V reporting, you can find errors that the MED-V clients report. But you can get more help to troubleshoot specific MED-V client issues by using MED-V Diagnostics, which you can access by right-clicking the MED-V icon in the notification area, and then selecting Help/MED-V Diagnostics. When you start MED-V Diagnostics, the following four sections are available:

System. This section provides information about the amount of RAM on the host, as well as the host name, operating system, and Windows user that currently is logged on. You can select the Gather diagnostic logs option, which creates a compressed file with many diagnostic files that are necessary for troubleshooting the MED-V client. The compressed file is saved on the desktop, and includes information such as client configuration files, the virtual machine that the workspace is using, the local host configuration, and its events. You also can gather the diagnostic log from the MED-V Diagnostics Tool that is installed with MED-V client.


Policy. This section provides information on the MED-V policy version and the time at which it was updated last. The MED-V client updates the policy automatically every 15 minutes, by default, but you also can update it manually by clicking Update policy. You get a notification when the policy is refreshed, and MED-V applies the policy changes immediately.

Note: You can update a policy from a command prompt by running, on the host, the KidaroCommands.exe with the /Refresh parameter.

Workspace. This section provides information on the active workspace, such as its status, expiration date, and the image used, as well as its location, version, and size. In this section, you also will find information regarding whether the MED-V client is connected to the MED-V server or if it works offline. You can use the Enable diagnostics mode option, which shows the Virtual PC desktop, and which is useful in troubleshooting issues in the initial setup of the virtual environment. If you enable the Diagnostics mode, published applications open in the Virtual PC window, not on your host. After you disable the Diagnostics mode, the Virtual PC window hides, and published applications again are visible on the host.

Note: You can enable MED-V diagnostic mode from the command prompt by running, on the host, KidaroCommands.exe with the /TroubleShootingMode parameter.

Image Store. This section provides information on where the image store is located, its size, and the available free disk space on the host. You can click Browse image store, and the local image store opens in Windows Explorer. You also can start browsing local images from the MED-V Management Console.


Lab: Managing a MED-V Deployment

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Ensure that the 10324A-NYC-DC1 and 10324A-NYC-CL1 virtual machines are running.
3. If required, connect to the virtual machines. Log on to the virtual machines as Contoso\Administrator using the password Pa$$w0rd.


Exercise 1: Creating and Configuring a Workspace Policy


Scenario
You want to create a MED-V policy to use an existing image on the MED-V server. Users must be able to distinguish applications that run on the host from those that run in the workspace. They must be able to use Clipboard to copy data between the applications and to transfer files from the host to the workspace.

The main tasks for this exercise are:
1. Create MED-V Workspace policy, and configure it to use an existing image.
2. Configure additional MED-V Workspace policy options.

Task 1: Create a MED-V Workspace policy, and configure it to use an existing image
1. On NYC-CL1, start MED-V Management, and log on as contoso\medv-admin with Pa$$w0rd as the password.
2. Create a new workspace with the name Legacy Workspace. Provide a workspace description and support information.
3. Verify that the policy defines Seamless Integration for published applications, and then select the pink (255,0,255) frame color.
4. Select XP-Updated (server) as the assigned image. If the image is not available, click Refresh.
5. Select Synchronize Workspace time zone with host.


Task 2: Configure additional MED-V Workspace policy options


1. Configure the Legacy Workspace to allow only the Contoso\MED-V Users group.
2. In Workspace deletion options, select The Workspace has been disabled.
3. Select the following three options: Support clipboard between host and Workspace, Support file transfer between host and the Workspace, and Enable printing to printers connected to the host.
4. In the Data Transfer section, select Host to Workspace.
5. In the Published Applications section, add the following four applications:

   Display name      Command line
   XP Comp Mgmt      c:\windows\system32\compmgmt.msc
   XP Cmd prompt     c:\windows\system32\cmd.exe
   XP Notepad        c:\windows\system32\notepad.exe
   XP XML Notepad    c:\program files\XML notepad 2007\XMLnotepad.exe

6. In the Published Menus section, click Add, enter Published as the Display Name, and Games as Folder in Workspace.
7. In the Start menu shortcut folder field, type MED-V Published Apps.
8. On the Web tab, select Browse the list of URLs defined in the following table and Browse all other URLs. Enter contoso.com as the URL that is browsed in the workspace.
9. On the Performance tab, assign 160 MB memory to the virtual machine if the host has above 550 MB memory; 200 MB if host has above 1,100 MB; and 256 MB virtual-machine memory if the host has above 1,400 MB.
10. Save the policy, and minimize the MED-V Management Console.

Results: After this exercise, you should have created a new policy, defined a new MED-V Workspace, and configured various policy options, including which applications the workspace will publish.


Exercise 2: Using the MED-V Client


Scenario
After you create and save the MED-V policy, you must test the workspace, and then verify some of the settings that are in the policy. Some users in your organization might not use the workspace for extended periods of time. You need to test how you can lock workspace applications when the workspace is not in use. Additionally, you need to enable users to print from the workspace to the host's printers.

The main tasks for this exercise are:
1. Deploy a MED-V Workspace.
2. Explore the published programs, and manually update the MED-V policy.
3. Lock the MED-V Workspace.
4. Test printing from the published applications.
5. Review the MED-V virtual machine configuration.

Task 1: Deploy a MED-V Workspace


1. On NYC-CL1, run the MED-V client, and log on as contoso\medv-user, with Pa$$w0rd as password.
2. Select Legacy Workspace, and wait until the workspace is deployed and started. At the Windows Firewall prompt, select all of the networks, and then click Allow access.

Task 2: Explore the published programs, and manually update the MED-V policy
1. On NYC-CL1, verify that published applications are listed in the Start menu and that there is a Published subfolder.
2. Use search on the Start menu to start the XP XML Notepad application. Verify that the application has a pink frame around the window. Drag the XML Notepad window around, like the window of the locally installed application. Close the XML Notepad application.
3. In the MED-V Management Console, remove the Published menu, and save the policy.
4. On NYC-CL1, update the policy, and then verify that four published applications are still listed on the Start menu, even though the Published subfolder is no longer present.

Task 3: Lock the MED-V Workspace


1. On NYC-CL1, run the XP Notepad published application.
2. From the notification area, right-click the MED-V icon, and select Lock Workspace. Attempt to access XP Notepad or run other published applications.
3. Unlock the workspace, and then verify that you can access XP Notepad and other published applications.

Task 4: Test printing from the published applications


1. Add a local printer on the NYC-CL1 computer.
2. On NYC-CL1, open XP Notepad, enter some text, and from the File menu, select Print.
3. After you select Local Printer, verify that the printer is available for printing.
4. Select the printer, and confirm that the print job was sent to the host.
5. Restore the MED-V Management Console, and disable the ability to print to printers connected to the host, save the policy, and then update the policy on the NYC-CL1 client. Verify that you cannot print to the host printers from published applications.


Task 5: Review the MED-V virtual machine configuration


1. On the NYC-CL1 computer, run the XP Comp Mgmt published application.
2. In the published Device Manager, verify that Virtual HD, VM Additions S3 Trio32/64 video adapter, and generic Intel 21140 network adapter are available in the workspace.
3. Verify that the workspace has 256 MB (261,616 KB) memory available, as the policy defines.
4. Try to transfer a file from the host to the workspace, and from the workspace to the host. Confirm that this behavior is consistent with the setting that you defined in the MED-V policy.

Results: After this exercise, you should have deployed a MED-V Workspace, worked with published applications, learned how to lock and unlock the workspace, and verified that the workspace is configured as defined in the MED-V policy.


Exercise 3: Implementing MED-V Reporting and Troubleshooting


Scenario
After the users in your company start using MED-V, you need to explore the information available in MED-V reports. You are interested in monitoring the workspaces that users started, and you also want to test MED-V diagnostics options.

The main tasks for this exercise are:
1. Create and explore MED-V reports.
2. Open MED-V Diagnostics, and explore diagnostic options.

Task 1: Create and explore MED-V reports


1. On NYC-CL1, generate all three Report Types with default parameters. Explore information that each report type provides.
2. In Activity Log, sort the report entries, and use filtering and the Group By feature. Use Group By to see all events for the workspace under one entry.
3. Reorder columns in the report and select the Severity on the start of each row in the report.
4. Export entries in the Status report to an Excel .xls format.

Task 2: Open MED-V Diagnostics, and explore diagnostic options


1. On NYC-CL1, in the notification area, right-click the MED-V icon, and then review the MED-V contact support information.
2. Use the MED-V Diagnostics tool to gather diagnostic logs, and then view the content included in the compressed file that contains the MED-V diagnostics logs.
3. Start the XML Notepad application. Enable MED-V Diagnostics mode, and then confirm that the published application was moved to the diagnostics window and cannot move out.
4. Disable the MED-V Diagnostics mode.

Results: After this exercise, you should have reviewed information provided in MED-V reports, worked with MED-V report formatting, gathered MED-V diagnostics logs, and viewed how to use the MED-V diagnostics mode.

To prepare for the next lab


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machines used in this lab, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Module Review and Takeaways

Review Questions
1. 2. 3. 4. 5. 6. 7. 8. 9. What is the MED-V Workspace? How can you configure a MED-V virtual environment? What defines a MED-V Workspace? What must you do to configure a MED-V policy? What is the difference between a persistent and revertible workspace? How can you specify the virtual image to which the MED-V policy should apply? What image types can you assign in MED-V? Can you print to the host printers from the published application in the workspace? What is the easiest way to gather MED-V diagnostic logs on the MED-V client? How can you find out what is going on inside the MED-V virtual environment during initial setup, when you join a virtual machine to the domain?


Common Issues Related to Microsoft Enterprise Desktop Virtualization


Identify the causes for the following common issues related to Microsoft Enterprise Desktop Virtualization, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue | Troubleshooting tip
The options for save changes or commit MED-V policy are grayed out in the MED-V Management Console. |
You modified the MED-V policy, but the changes are not reflected in the client workspace. |
After you modified the MED-V policy and waited for 15 minutes, the changes still are not reflected in the client workspace. |
You do not see any MED-V published applications on the host. |
You have multiple printers available on the host, but none of them is listed when you want to print from the published application. |
The MED-V virtual machine is using too much memory. |


Module 6
Implementing Microsoft Application Virtualization
Contents:
Lesson 1: Introduction to Application Virtualization
Lesson 2: Planning for Application Virtualization
Lesson 3: Deploying Application Virtualization Servers
Lab: Implementing Application Virtualization


Module Overview

The Microsoft Application Virtualization 4.5 Service Pack 1 (App-V 4.5 SP1) and the App-V 4.6 client and sequencer software provide the latest updates to application virtualization technology. This release includes new capabilities that make it easy for enterprise information technology (IT) organizations to support large-scale, global application virtualization implementations. This module provides an overview of application virtualization and App-V components. The module also covers the App-V infrastructure, the deployment scenarios, and the procedures for installing and configuring App-V servers and App-V clients.


Lesson 1

Introduction to Application Virtualization

Application virtualization is a sophisticated technology that allows organizations to reduce costs and simplify software deployment. Application virtualization allows you to run applications on client computers without having to install them locally. Other virtualization technologies such as Windows XP Mode or Microsoft Enterprise Desktop Virtualization (MED-V) deliver an entire virtual machine to the client computer, whereas App-V delivers a virtual application hosted in a virtual environment based on the host operating system. App-V does not provide a virtual machine. App-V is not an application compatibility product, but instead it is an application management product. This lesson provides an introduction to the concepts behind application virtualization, and the tasks that you can use to manage it.


What Is Application Virtualization?

Key Points
Application virtualization allows you to run applications on client computers as if they were installed locally. You never install a virtualized application, in the traditional sense, locally on an end user's computer. However, a virtualized application behaves as a locally installed application, from the end user's perspective. The virtualization client software that you install on the client computer provides an environment that simulates the local operating system. Blocks of the application's code are loaded into this virtual environment on demand. The virtual server initially downloads only the code necessary to start the program, which typically is 20 to 40 percent of the total code. No further code is sent to the client until the user requests it by using features of the application. These blocks of code may be streamed from a network location or reside in a cache on the local hard disk.


Streaming is the process of obtaining content from an application package. The application runs as if it is interacting with the physical operating system, when in fact it is interacting with virtualized operating-system components, such as registry, .ini files, and dynamic-link library (DLL) files. However, the application never interacts directly with the actual operating system. When the session terminates, the virtual server saves application settings and profiles in a nonvolatile cache, which provides instant access for subsequent use. The cached code enables applications to run locally with full functionality, even without a network connection.

Benefits of Application Virtualization


Management of applications is one of the most time-consuming and costly aspects of an enterprise IT infrastructure. Virtualizing applications provides many benefits when compared to traditional installations, which can reduce management and support costs. Those benefits include:
• Centralized management. A single management console can connect to all virtual application deployment servers. You can install the management console on multiple hosts for situations where you require distributed administration.
• Running multiple versions of the same application without conflicts. Users sometimes need to run older versions of an application to support their customers, but they might also need access to the latest version. App-V enables users to run multiple versions of the same application by providing virtual environment isolation.
• Reduced application conflicts. Sometimes applications are unable to coexist on the same operating system due to DLL or API conflicts. Virtual environment isolation means that applications are unaware of each other and therefore, do not have these types of conflicts.
• Scalable infrastructure. You can deploy multiple virtualization servers to stream virtual applications to clients across the enterprise, and you can manage these servers from a single console, and load balance them for redundancy. Stand-alone client installers can extend virtual applications to users who do not connect to the local area network (LAN).


• Accessible applications. Because you can target applications at particular users or groups, they are available at any workstation to which a user logs on, as long as that workstation has the App-V client installed. If users have roaming profiles, any personal configuration application settings will be available.
• Remote Desktop server support. App-V allows an application to run simultaneously with any other application on a Remote Desktop server, eliminating the need for application silos and increasing utilization. This results in the need for fewer servers, and it enables applications that were not designed to run in multiuser mode to run on a single terminal server. There is separate virtual client software for Remote Desktop servers.

Note: For the Windows Server 2008 R2 operating system, Terminal Services has been renamed to Remote Desktop Services.

• Reduced license compliance risks. App-V helps to manage license compliance by controlling the number of users permitted to access an application. You can associate applications with license groups to enforce compliance.
• Usage reporting. You can generate several different reports to track application usage, audit software, and track system utilization and errors.


Components of an Application Virtualization Solution

Key Points
A virtualization solution consists of a number of components that work together to provide virtualization. Depending on the deployment model that you implement, you might require some or all of the following components:
• Microsoft Application Virtualization Management Web Service. This service acts as an intermediary between the Application Virtualization Management Console and the Application Virtualization Data Store. The Web service accepts data from the management console and sends it to the database. For example, when a new application is imported, the Web service makes the data store aware of the new application and its configuration. You must install Microsoft Internet Information Server (IIS) 6.0 or newer on the server.


• Microsoft Application Virtualization Management Console. This component interacts with the Web service to provide policies. Virtual application deployments, updates, and terminations are managed by using policies, and administered through the App-V management console. You can install this console on the Windows XP operating system or newer versions, the Windows Server 2003 operating system or newer versions that have the Microsoft Management Console (MMC) 3.0 and the .NET Framework 2.0 or newer versions installed.
• Microsoft Application Virtualization Management Server. This component stores the application packages in a shared folder for distribution to the clients. During startup, it requests policy information from the data store on a Microsoft SQL Server. The App-V Management Server authorizes and authenticates requests against Active Directory Domain Services (AD DS), and then provides the application streaming, security, metering, monitoring, and data gathering services.
• Microsoft Application Virtualization Streaming Server. This component provides a lightweight solution for application virtualization. This server only provides streaming services using Real-Time Streaming Protocols (RTSP) and RTSP Secure (RTSPS). It does not provide the full set of management capabilities that the management server delivers. Therefore, it does not require the same infrastructure as the full management server.
• Microsoft Application Virtualization Client. This component is a small software program that resides on the computers running the virtual applications. These clients communicate and authenticate with the application virtualization server to receive application code, and then locally execute the application.
• Microsoft Application Virtualization Sequencer. This is a wizard-based tool, which sequencing engineers use to create virtual application packages. Sequenced applications perform as if they are installed on the local machine when users launch them. You perform sequencing on a computer that represents the operating system on which the virtual application will be run.
• SQL Server. This is required to act as the data store for a full installation of an App-V environment. SQL Server 2005 Express Edition SP2 or newer is required. This data store stores all application records, licensing, logging information, permissions, virtualization server configurations, and reporting.


Communications Between Management Servers and Clients

Key Points
App-V streaming servers natively use RTSP or Transport Layer Security (TLS) and RTSPS to stream applications to clients. A new feature in App-V 4.5 is the ability to stream over HTTP protocol.

Streaming Over RTSP


RTP is a suite of protocols that an App-V Server uses for the streaming delivery of virtual applications. By default, RTSP listens on port 554 for Microsoft Application Virtualization Client requests, and then dynamically connects to the client on two high ports. One is for Real-Time Control Protocol (RTCP) and one is for RTP. These ports are in the range between 49,152 and 65,535. The App-V Server then uses the port for RTCP for control messages and the RTP port for the actual data transfer of Icon (ICO), Open Software Description (OSD), and file type association (FTA) files.


You can use RTSPS if you need only a single port and an encrypted application stream. The default port for RTSPS is 322. This is a change, made to comply with industry standards, from previous Microsoft SoftGrid versions, which used port 332. However, you can redirect the port to 443. RTSPS uses a single port for both RTCP and RTP traffic, and for all connections to the Application Virtualization Management Server. This can have an effect on performance. RTSPS requires a valid certificate installed on the management server. The streaming server can be set up to support RTSP, RTSPS, or both.

Streaming Over HTTP


The ability to stream over HTTP alleviates the need to have a dedicated App-V streaming server and allows you to just use an IIS computer. The benefits of this include:
• Administration is easier because IIS is well known and commonly implemented.
• Streaming over TCP port 80 typically is easier to implement when there is a firewall between the server and the client.

Streaming over HTTP is accomplished by creating a virtual directory that maps to the content folder that holds the sequenced applications. Also, you must add the following Multipurpose Internet Mail Extensions (MIME) types:
• OSD with the type of App-V Application
• Virtualized-enabled application file (SFT) with the type of App-V Application

Then, the hypertext reference (HREF) value in the OSD file must reflect that you are using the HTTP protocol and port 80. For secure HTTP, the HREF value must reflect HTTPS protocol and port 443. HTTP streaming is optimized for Internet or intranet delivery over wide area networks (WANs). Therefore, we recommend it for Internet-facing scenarios and businesses that require streaming capabilities across large, dispersed networks. Active Upgrade is not available when you are using HTTP streaming.
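The protocol and port rules from the RTSP, RTSPS and HTTP streaming passages above can be checked against a package's OSD file before it is published. The following Python sketch is an added example, not code from the course or from Microsoft: it assumes the HREF sits on the OSD's CODEBASE element, and the OSD fragments, host names and paths in it are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Ports and properties exactly as the course text states them.
TRANSPORTS = {
    "rtsp":  {"default": 554, "accepted": {554},      "encrypted": False},
    "rtsps": {"default": 322, "accepted": {322, 443}, "encrypted": True},
    "http":  {"default": 80,  "accepted": {80},       "encrypted": False},
    "https": {"default": 443, "accepted": {443},      "encrypted": True},
}
RTSP_DYNAMIC_RANGE = "49152-65535"  # two negotiated high ports: RTCP and RTP

# Constructed, heavily trimmed OSD fragments (assumed layout; names made up).
OSD_TEMPLATE = (
    '<SOFTPKG NAME="XML Notepad" VERSION="1.0">'
    '<IMPLEMENTATION><CODEBASE HREF="%s"/></IMPLEMENTATION>'
    '</SOFTPKG>'
)
SAMPLE_RTSP = OSD_TEMPLATE % "RTSP://appv.contoso.com:554/xmlnotepad/xmlnotepad.sft"
SAMPLE_RTSPS = OSD_TEMPLATE % "RTSPS://appv.contoso.com:322/xmlnotepad/xmlnotepad.sft"
SAMPLE_HTTPS_BAD_PORT = OSD_TEMPLATE % "https://web.contoso.com:80/content/xmlnotepad.sft"
SAMPLE_HTTP = OSD_TEMPLATE % "http://web.contoso.com/content/xmlnotepad.sft"


def codebase_href(osd_xml):
    """Return the HREF of the first CODEBASE element, or None if absent."""
    # OSD files here come from your own content share, not from untrusted input.
    root = ET.fromstring(osd_xml.strip())
    for element in root.iter():
        if element.tag.upper() != "CODEBASE":
            continue
        for name, value in element.attrib.items():
            if name.upper() == "HREF":
                return value
    return None


def audit_osd(osd_xml):
    """Classify the streaming transport an OSD points at and list concerns."""
    report = {"href": None, "scheme": None, "port": None, "encrypted": False,
              "firewall": [], "findings": [], "notes": []}
    try:
        href = codebase_href(osd_xml)
    except ET.ParseError:
        report["findings"].append("OSD is not well-formed XML")
        return report
    report["href"] = href
    if href is None:
        report["findings"].append("no CODEBASE HREF in OSD")
        return report

    parts = urlsplit(href)
    scheme = parts.scheme.lower()
    report["scheme"] = scheme
    transport = TRANSPORTS.get(scheme)
    if transport is None:
        report["findings"].append("HREF does not use RTSP, RTSPS, HTTP or HTTPS")
        return report

    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        report["findings"].append("port in HREF is not a valid number")
        return report
    if port is None:
        port = transport["default"]

    report["port"] = port
    report["encrypted"] = transport["encrypted"]
    # Ports a firewall between client and server has to pass for this HREF.
    report["firewall"] = [str(port)]
    if scheme == "rtsp":
        report["firewall"].append(RTSP_DYNAMIC_RANGE)

    if port not in transport["accepted"]:
        report["findings"].append(
            "port %d is not the port the course gives for %s; "
            "confirm the HREF matches the server listener" % (port, scheme))
    if not transport["encrypted"]:
        report["findings"].append("application stream is not encrypted")
    if scheme == "rtsps":
        report["notes"].append("needs a valid certificate on the management server")
    if scheme in ("http", "https"):
        report["notes"].append("Active Upgrade is not available with HTTP streaming")
    return report


if __name__ == "__main__":
    for sample in (SAMPLE_RTSP, SAMPLE_RTSPS, SAMPLE_HTTPS_BAD_PORT, SAMPLE_HTTP):
        result = audit_osd(sample)
        print(result["href"], result["firewall"], result["findings"], result["notes"])
```
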


Packaging of Virtual Applications

Key Points
Application packaging is the process of preparing virtual applications for deployment on client computers. You can create an application package, also called a sequenced application, by using the App-V Sequencer. Sequencing is typically the first step of implementing a virtualized application. You can use the App-V Sequencer to monitor and record the application installation and capture the files that the application uses to run. The App-V Sequencer then packages all required files into a virtualized, self-contained environment for deployment to App-V clients. Each package created by the sequencer defines its own virtual environment. Packaging is a separate operation from deployment, and you perform it on a separate computer from the deployment or management servers. After you sequence the application, you copy the resulting package to the deployment server for distribution.


Each virtual application package has several files:
• ICO. The .ico file specifies the icon that appears on the Microsoft App-V client desktop.
• OSD. The .osd file provides the information necessary to locate the application's virtualization-enabled application (.sft) file, and then set up and launch the application.
• SFT. The virtualized-enabled application (.sft) file contains the asset files that include one or more applications that are based on Windows.
• SPRJ. The App-V Sequencer project (.sprj) file is generated when a project is saved. The .sprj file contains a list of files, directories, and registry entries that the sequencer excludes. You can load this file in the sequencer to add, change, delete, or upgrade any of the applications in the suite. A common example of when you might use the .sprj file is when you add service packs to an application.
• Manifest.xml file. Electronic software distribution (ESD) can use the manifest.xml file to deploy applications.


Deploying Virtual Applications

Key Points
After packaging the application, you can deploy it. Deployment typically involves streaming the package to the App-V client, which you must install on the client computer prior to application deployment. You can place the virtual application package on App-V streaming servers so that you can stream the package to the clients on demand and also have it cached locally. You also can use file servers and Web servers as streaming servers. You can deploy multiple streaming servers to support large distributed environments. There is no built-in method in App-V to replicate application packages between multiple streaming servers delivering the same applications. Package replication must be achieved through other means such as Distributed File System (DFS), scripting, or manually.


Application streaming is the exchange of data between the desktop virtualization client and an application streaming component on the server. Its purpose is to move the entire application package or parts of the application's code, known as feature blocks, from the virtualization server to a user's hard disk, and then import it into the desktop virtualization framework. Most software packages are cached on the user's hard disk after the initial download. This reduces the network impact for subsequent launches of the application.

By default, an App-V client goes through the process of desktop configuration refresh (DC Refresh) at logon to get the list of applications that it is allowed to run. The client also populates the host operating system with those applications' icons so that the user can access them. Application licensing and user validation are also performed against the virtualization management server. As an example, when a user launches an application package that previously was downloaded, the virtualization client software first calls the management server to verify that the current user remains authorized to run the application.

You also can create policies that enable mobile workers to run the application in an offline mode, during which the policy determines how long an application can run without contacting the server's streaming component. For example, the streaming server administrator may set the policy to allow offline applications to continue to run for seven days without contact. The desktop virtualization client enforces the policy, and then can disable or remove the application after the specified period of stand-alone use.


Features of Virtual Applications

Key Points
When you virtualize an application, it runs inside its own virtual environment. This provides the following advantages:
• No installs. You can stream Microsoft App-V packages to client systems without having to install the applications on each client. Stand-alone scenarios are possible. In this situation, the application is not streamed to the client computer. Rather, you package the virtual environment and install it for use by the virtual client software component on the client computer.
• No client footprint. Because you do not install the application, you can remove the package easily without leaving a footprint. This means that there are no orphaned files or registry settings, which typically are left behind in a traditional application uninstall.
• No wasted resources. Virtualized applications can use local and network drives, CPU, random access memory (RAM), printers, and other local resources on the App-V client.


• Pre-configuration of applications. Virtual applications are self-contained, and include all .ini files and registry settings. During the sequencing operation, the sequencing engineer can configure the application settings, which enables you to deploy the application in the way you want to present it to end users. However, users can make personal configuration changes to the application just as if the application was installed normally, and those settings are stored permanently in a user-specific file named UsrVol_sftfs_v1.pkg in the user's profile in the %AppData% directory.


Maintaining Virtual Applications

Key Points
Updating applications with updates and new revisions can be time consuming and costly for an organization. App-V enables an organization to centralize these tasks, which simplifies how you can update and support applications.

Application Updates
An application's life cycle typically involves updates, which typically are in the form of service packs or hot fixes. When you use virtual applications, however, you need to apply updates only to the package source files. The updated package then replaces the original package on the App-V server, and the App-V client seamlessly receives the updated files the next time it launches the application. There is no interruption in service, and the end user is unaware that an update has been applied.


Application Support
The Microsoft App-V platform can solve other support-related issues, by reducing conflicts between applications because each virtual application runs in its own virtual environment. Virtual applications are almost immune to users inadvertently or intentionally deleting critical files that are needed to run that application. This effectively reduces the number of help-desk calls that an organization receives. App-V enables organizations to control the number of users who can gain access concurrently to App-V-enabled applications through enforcement of license compliance.


Lesson 2

Planning for Application Virtualization

Before deploying a virtual solution, you must have an understanding of the supporting infrastructure components and the considerations for planning the deployment. The process for implementing application virtualization is very flexible and scalable. Large deployments require more planning and different components. This lesson will discuss the different considerations and models for application virtualization deployment.


Considerations for Deploying Application Virtualization

Key Points
All deployment models require the presence of the App-V client software on the client computer. You can achieve the delivery of virtual applications to the App-V client through four main delivery models:
• App-V full infrastructure (Enterprise) model
• App-V lightweight infrastructure model
• Stand-alone deployment model
• System Center Configuration Manager 2007 R2 integrated model


App-V Full Infrastructure (Enterprise) Model


This model provides all of the management server's capabilities, including application streaming, authentication, security, licensing, and metering. This model requires AD DS and SQL Server, and is the typical deployment model. In this configuration, you should place the management server close to the SQL Server, on the same LAN segment. Adding streaming servers can push a deployment to a distributed environment's remote locations by providing streaming capabilities close to the clients that are using the applications. This model is this course's main focus.

App-V Lightweight Infrastructure Model


The lightweight infrastructure model addresses the needs of organizations that want to use App-V with streaming capabilities, but which might not have or want the infrastructure to support management servers. The lightweight infrastructure consists of the Application Virtualization Streaming Server and the App-V client only. This server provides streaming capabilities, including active package upgrades without the AD DS or SQL Server requirements. However, it does not have the configuration, licensing, or metering capabilities of a full management server. This configuration has no management console or graphical user interface (GUI) method to point the App-V client to the streaming server. You must configure the client manually through a registry hack or command line during installation. This service relies on the manual or scripted addition of a manifest file for virtual application configuration.

Stand-alone Deployment Model


The App-V Stand-alone Model consists of the App-V Sequencer and the App-V Client, and requires no additional App-V infrastructure. The sequencer now has an option to create a Windows Installer file (MSI) during the sequencing process. The MSI file installs the metadata to the machines, and then runs two custom actions using the SFTMIME command-line utility to add and load the application to the App-V client cache. The App-V Sequencer packages the publication information, shortcuts, and the install routines into the MSI, and the virtualized application into an SFT file. When executed, the installer adds the virtual application package to the App-V client, and configures the publication information to load applications from a local location rather than stream them across a WAN.

Stand-alone deployments require the client to go into stand-alone mode, which only allows MSI-based updates of the virtual applications. You do not configure the App-V client to connect to any App-V server, and applications are delivered to the client through an MSI package. The MSI holds all metadata of the sequenced application, except for the binary SFT file that holds the actual application. Streaming is not allowed in the stand-alone model, which is for those users who connect to the corporate network rarely and do not have access to a server, but who require the power of virtualized applications. The stand-alone delivery scenario enables an organization to deploy virtual applications in situations where no servers are available to support other deployment methods for virtual applications.

Use stand-alone deployment when:
- Remote users cannot connect to the App-V infrastructure.
- Software management systems, such as System Center Configuration Manager or a third-party ESD system, are in place already.
- Network bandwidth limitations prevent ESD. In this case, you can use virtual application delivery on physical media.

Because the stand-alone model employs an MSI file, you can distribute it by using an existing software distribution infrastructure, such as Group Policy objects, shared folders, CD or universal serial bus (USB) flash drives, and others. By default, stand-alone applications are available to all users that log on to the computer. This may not be desirable in some environments. To change this behavior, you can use the SFTMIME command-line utility with the /NOGLOBAL option during the MSI install.

System Center Configuration Manager 2007 R2 Integrated Model


You can use Microsoft System Center Configuration Manager 2007 SP1 R2 to distribute virtual applications in the same way as it distributes traditional application packages. You can add virtual applications to the Configuration Manager environment by using a wizard that is very similar to that which you use for traditional applications. Many of the advanced capabilities available for managing traditional packages also are available for virtual application packages, such as using task sequences and building queries in collections to define which devices are targeted. Unlike the App-V full infrastructure, which can target users only, you can target both users and machines.

This model requires both the App-V client and the Configuration Manager client on each managed system. It does not use any of the server components of application virtualization, but instead uses the existing Configuration Manager distribution points to deliver the virtual application to the client. Application delivery to the client works differently from the App-V Full Infrastructure scenario. In the Full Infrastructure scenario, the App-V client manages its own content, and it can refresh instantly against the Management Server. In the Configuration Manager integrated scenario, it is the Configuration Manager client that manages the App-V client.

Configuration Manager supports two types of delivery methods for virtual applications:
- Streaming delivery. You can enable streaming delivery on Configuration Manager distribution points. This option streams the virtual application to the client through HTTP or HTTPS.
- Local delivery. Local delivery uses the Configuration Manager 2007 client to first download all the files needed for the application through Background Intelligent Transfer Service (BITS). After downloading the files, the package is loaded (fully) into the App-V client cache.

This model requires in-depth knowledge of System Center Configuration Manager, and is not the focus of this course.

Considerations for Planning the Supporting Infrastructure for Application Virtualization

Key Points
Before deploying App-V to your enterprise, you must ensure the supporting infrastructure is in place and configured to support the App-V environment.

Active Directory Considerations


App-V uses Active Directory groups to control access to applications and administrative functions. You will use these groups during the server installation process and when publishing applications. Before you install the App-V management server, you must create the following objects in AD DS:
- App-V administrative group. During the installation of the App-V management server, you must select an Active Directory group to use as the App-V Administrators group that will control administrative access to the management console. You should add to this group all users who require administrative access to the management console. This group must exist before you install the management server.
- App-V users group. App-V requires that every user who accesses App-V functions must be a member of a provider policy associated with a group. You can use an existing group, such as Domain Users, if all users must have access to App-V, or you can create a new group with selected users.

Microsoft SQL Server Requirements


The App-V Server requires a SQL Server to host the data store, and supports the following versions of SQL Server:
- SQL Server 2005 (SP1, SP2 or SP3)
- SQL Server 2008 (no SP or SP1)
- 32-bit or 64-bit

Requirements for the App-V Management Console


The App-V management console has the following requirements and interactions:
- Windows XP SP2 or newer and Windows Server 2003 or newer
- .NET Framework 2.0 or newer
- MMC 3.0
- Connects to the Web Service through HTTP or HTTPS

Requirements for the App-V Management Web Service


The App-V management Web service has the following requirements and interactions:
- Windows Server 2003 or newer
- IIS Server: IIS 6.0 with ASP.NET, or IIS 7.0 with ASP.NET, Windows Authentication, IIS Management Scripts and Tools, IIS 6 Metabase Compatibility, and IIS 6 WMI Compatibility
- .NET Framework 2.0 or newer
- Requires that the data store was previously installed
- Connects to the data store on port 1433
- Communicates with AD DS through Active Directory Service Interfaces (ADSI)

Firewall Considerations
After you install the App-V management server or streaming server, and configure it to use the RTSP or secure RTSPS protocols, you must create firewall exceptions for the App-V programs. Create a firewall exception for sghwdsptr.exe and sghwsvr.exe. These programs are in the C:\Program Files\Microsoft System Center App Virt Management Server\App Virt Management Server\bin folder on a 32-bit operating system. If you are using a 64-bit operating system version, the folder is located in the corresponding location under C:\Program Files (x86).

Load-Balancing Considerations
You can use load balancing to allow a farm of App-V Servers to continually grow to meet company requirements and provide a level of fault tolerance. After you configure load balancing, you need to change the HREF tag in the OSD file to point to the load-balanced IP address or DNS name. For example: HREF="rtsp://{virtual IP or virtual host name}:554/DefaultApp.sft"

Note: App-V does not support clustering solutions.
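
The HREF change described above can be applied to every OSD file in a Content folder with a short script. This is an added example, not part of the course material: the function name, the demo folder, the host names and the sample OSD (including its element layout) are constructed, and the script only assumes that the streaming URL sits in an HREF attribute as the page shows.

```powershell
# Added example (not course code): repoint OSD files at a load-balanced name.
function Set-OsdStreamingHost {
    param(
        [Parameter(Mandatory = $true)][string]$ContentPath,
        [Parameter(Mandatory = $true)][string]$VirtualHost,  # virtual IP or virtual host name
        [switch]$ReportOnly                                  # list changes without saving
    )
    # Keep scheme, port and path; replace only the host part of rtsp:// and rtsps:// URLs.
    $pattern = '^(?<scheme>rtsps?)://(?<host>[^:/]+)(?<rest>(:\d+)?/.*)$'
    foreach ($osd in Get-ChildItem -Path $ContentPath -Recurse -Filter *.osd) {
        $doc = New-Object System.Xml.XmlDocument
        $doc.PreserveWhitespace = $true
        $doc.Load($osd.FullName)
        $changed = $false
        foreach ($node in $doc.SelectNodes('//*[@HREF]')) {
            $href = $node.GetAttribute('HREF')
            if ($href -match $pattern -and $Matches['host'] -ne $VirtualHost) {
                $new = '{0}://{1}{2}' -f $Matches['scheme'], $VirtualHost, $Matches['rest']
                if (-not $ReportOnly) { $node.SetAttribute('HREF', $new) }
                $changed = $true
                # Emit one record per rewritten URL so the change can be reviewed.
                New-Object PSObject -Property @{ File = $osd.Name; Old = $href; New = $new }
            }
        }
        if ($changed -and -not $ReportOnly) { $doc.Save($osd.FullName) }
    }
}

# Constructed sample OSD in a scratch folder, so the script runs without a real Content share.
$demo = Join-Path $env:TEMP 'osd-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
<SOFTPKG NAME="DefaultApp" VERSION="1.0">
  <IMPLEMENTATION>
    <CODEBASE HREF="rtsp://appv01:554/DefaultApp.sft"/>
  </IMPLEMENTATION>
</SOFTPKG>
'@ | Set-Content -Path (Join-Path $demo 'DefaultApp.osd')

# Review first, then apply. 'appv-vip.contoso.example' is a hypothetical load-balanced name.
Set-OsdStreamingHost -ContentPath $demo -VirtualHost 'appv-vip.contoso.example' -ReportOnly
Set-OsdStreamingHost -ContentPath $demo -VirtualHost 'appv-vip.contoso.example'
```

Because the scheme is preserved, an OSD file that already streams over RTSPS is not downgraded to RTSP by the rewrite.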

Considerations for Implementing an Application Virtualization Management Server

Key Points
The App-V Management Server performs the publishing and streaming functions for virtual applications. App-V Management Servers have direct connectivity to the client workstations, and they deliver virtual applications on-demand to App-V Clients, using RTSP or RTSPS protocols. App-V Management Servers also provide the following services:
- Authorize and authenticate requests for applications through AD DS.
- Secure connections to the client through certificates.
- License enforcement for applications.
- Application monitoring and gathering of data about application usage.

You can control the management server through the App-V Management Console.

The management server stores all application packages in its Content share. The Content folder is a standard shared folder. During installation, the user is prompted to provide a location for the content shared folder. You can use any local directory, existing network share, or network-attached storage (NAS), but the default location is in the installation directory.

During installation, you will provide the location of a SQL Server and database. The management server must be deployed in the same location and, if possible, on the same LAN as the SQL Server. This ensures good connectivity between the management server and the App-V configuration information that is stored in the SQL Server database. One or more App-V management servers can share a single Application Virtualization SQL data store.

The App-V management server has the following requirements and interactions:
- Windows Server 2003 or newer.
- A shared folder in which to store the application package content. This could be a physical file share on the server itself, or it could be a network-accessible location, such as a DFS or storage area network (SAN) device.
- Requires that the data store is previously installed.
- Uses open database connectivity (ODBC) to communicate with the data store.

Important: When you install SQL Server and the App-V Management server on the same computer, the Application Virtualization Management Server service fails to start after a server restart if the SQL Server service is not started fully. Because both services try to start at the same time, the Application Virtualization Management Server service detects that the SQL Server service is not running, and therefore, will not start. Setting the Application Virtualization Management Server service to Automatic (Delayed Start) will remedy this. Otherwise, you must start the service manually.

Note: You can install App-V management components on a single server or spread them across multiple computers. For example, a common scenario would be to install the Management Console on a Windows 7 computer and the App-V server and Management Web service on a Windows server, while you place your SQL Server on a separate Windows server or cluster.

Considerations for Implementing an Application Virtualization Streaming Server

Key Points
You can use the Application Virtualization Streaming Server for those organizations that want to take advantage of the virtualization and the streaming capability of Microsoft Application Virtualization, yet do not want a full App-V management server. There are no AD DS or SQL Server requirements, and there is no user interface for the streaming server. You manage it through registry keys. You must configure clients through the App-V client software during client installation or configure the local registry to point to the streaming server if the client software is installed already.

The Application Virtualization Streaming Server is a streaming server only. It does not perform any application publishing or management functions. It does not have any application licensing or metering capabilities. It streams the virtual application files (.sft files) from its shared Content directory to the App-V Clients that request them, using the RTSP suite. The Application Virtualization Streaming Server automatically polls its Content directory for applications and packages, and then places this information in RAM to service application requests. It does not authenticate requests to AD DS, but uses NTFS file system permissions on the Content folder for authorization. Because the streaming server does not support desktop configuration refresh, the client is not aware automatically of the applications that are available for streaming. You must add applications to the client in an alternative way, such as using the SFTMIME.exe command-line utility or by using a desktop configuration policy on an App-V management server in a remote location.

Scenarios for Deploying an App-V Streaming Server

Key Points
Although you can use the streaming server by itself as a lightweight deployment solution, you typically use a streaming server in conjunction with a full infrastructure scenario, or use it with System Center Configuration Manager to deploy to branch offices or areas with poor WAN connectivity to the SQL Server. In this way, you can use a streaming server to increase scalability.

Full Infrastructure Scenario


You should place App-V management servers close to the database for efficient SQL transaction traffic, but the management servers also must be close to their streaming clients. This requires that you replicate multiple instances of SQL to an enterprise's remote locations. The streaming server allows you to place a streaming device close to streaming clients in remote locations while maintaining a single management server in a central location. The App-V clients can receive configuration information from the management server and stream the application from the local streaming server. If you load balance multiple streaming servers in a large deployment, all servers in a server group should stream the same applications.

Consider a typical deployment scenario that utilizes the full infrastructure. In this scenario, you place sequenced applications in the Content shared folder on the App-V management server in the head office for streaming to local App-V clients. You place the same sequenced applications in the Content shared folder on the streaming server in the branch office for streaming to those local App-V clients. The App-V clients perform desktop configuration (DC) refreshes from the management server in the head office to identify the virtual applications that are available, but the clients stream those applications locally from the streaming server rather than across the WAN. This alleviates the need for management and SQL servers in multiple locations.

Integration of System Center Configuration Manager


Applications that you publish with System Center Configuration Manager 2007 are sequenced in the traditional manner using the App-V Virtualization Sequencer. An organization can deliver applications by leveraging its existing System Center Configuration Manager 2007 solution in conjunction with the App-V client, while removing the need for the entire backend infrastructure of the management server, SQL data store, management Web service, and management console. Taking advantage of a System Center Configuration Manager 2007 solution means that organizations can provision application virtualization packages to hardware devices, rather than just basing them on user accounts. Additionally, organizations can deploy Application Virtualization packages and precache them to devices based on the System Center Configuration Manager 2007 policies. One of this scenario's key prerequisites is that you must install the new App-V streaming server on an existing distribution point for the System Center Configuration Manager 2007 solution. You can use the SFTMIME command to set up and maintain the applications, file type associations, and Desktop Configuration Servers that the App-V client manages.

Benefits of Deploying the App-V Client for Remote Desktop Services

Key Points
In Remote Desktop Services deployments, application conflicts can lead to silos of Remote Desktop (RD) Session Host servers. To avoid application conflicts, you typically must test applications extensively to determine which have conflicts. You must separate these, and run them on different session host silos. Separating multiple RD Session Host servers to accommodate specific applications typically results in the underutilization of servers, because each one is locked into a specific configuration, and is capable of serving only a limited set of nonconflicting applications.

The Microsoft Application Virtualization for Remote Desktop Services client allows administrators to deliver any application to any Remote Desktop Services server. Installing the App-V client for Remote Desktop Services on the remote desktop server has the following advantages:
- Enables applications that cannot run in multiuser mode to be run on remote desktop servers.
- Consolidates remote desktop servers and increases hardware efficiency while decreasing both hardware and administrative costs.
- Enables you to prevent users from modifying operating system settings, yet allow applications that require full rights to run properly.
- Enhances Remote Desktop Server license compliance and usage tracking.
- Supports roaming profiles and policies.

Lesson 3

Deploying Application Virtualization Servers

It is important to understand the hardware and software requirements of an App-V solution before you implement it. If you are running a previous version of SoftGrid, you will need to know the implications of upgrading to the latest release. This lesson covers the installation of the server components and what you should consider before you upgrade.

Process for Installing the App-V Management Server

Key Points
Before installing the App-V management server, ensure that the App-V server computer meets all prerequisites for infrastructure, and hardware and software. You can use the App-V Management Server Installation Wizard to install the management server and to configure the basic settings of the components.

Hardware and Software Requirements


The minimum hardware requirements include:
- Processor: Intel Pentium III, 1 gigahertz (GHz)
- RAM: 512 megabytes (MB)
- Free disk space: 200 MB, not including the content directory

The minimum software requirements include: Any edition of Windows Server 2003 SP1 or newer

Pre-installation and Post-installation Tasks


You must perform certain pre-installation and post-installation tasks. The pre-installation tasks are:
1. Configure appropriate user and administrative groups in AD DS.
2. If the server will run the Management Web service, you must install and configure IIS.
3. If you use a distributed architecture, and install the Management Web service, the management console, and the data store on separate servers, then the IIS Server must be trusted for delegation. This is necessary because the Management Web Service will attempt to connect to the App-V data store by using the credentials of the App-V administrator who is using the console. The data store will not accept the administrator's credentials from the IIS server unless you configure it to be trusted for delegation. Without delegation, the Management Web Service will not be able to connect to the App-V data store.
4. If you choose to use the Secure Connection Mode for communications between the Management Console and the Management Web service, then the server has to have a server certificate provisioned to it from a public key infrastructure (PKI). If a server certificate is not installed on the server, this option is unavailable, and the user cannot select it. You must grant the Network Service account Read permission to the certificate being used.

The post-installation tasks are:
1. Sharing the Content folder. Ensure that the App-V users group has Read permission and that the users who will be uploading sequenced applications to the share have Full Control. Ensure that the corresponding NTFS permissions have been granted.
   Note: You may perform this task before installation, but you must create a folder that will act as the content folder.
2. If SQL Server is running on the same computer, set the Application Virtualization Management Server service to Automatic (Delayed Start) as the Startup Type, and ensure the service is started.
3. Create firewall exceptions.
4. After you deploy the App-V client software, use the App-V Default Application to test whether App-V is functioning correctly.

Installing the App-V Management Server


Access the App-V installation source files and run Setup.exe to start the App-V Management Server Installation Wizard. Selecting a custom installation allows the administrator to install each server role individually; alternatively, choose a typical installation to install all components on the same server. You are prompted for the SQL Server's location, and after you enter it, the data store is created. During creation of the data store, you need to designate the Administrative Group, the default User Group, and the location of the Content shared folder.

Demonstration: Installing the App-V Management Server

Key Points
In this demonstration, you will see how to install all of the App-V management components on a single computer that is a domain member server and on which SQL Server is preinstalled.

Demonstration steps:
- Create and populate Active Directory groups.
   a. Start Active Directory Users and Computers.
   b. Create global security groups named ContosoAppVAdmins and ContosoAppVUsers.
   c. Add the Domain Admins group to the ContosoAppVAdmins group.
   d. Add the Domain Users group to the ContosoAppVUsers group.
- Prepare the App-V Management Server. Add the Web Server (IIS) role with the default settings and the following role services:
   - ASP.NET
   - Windows Authentication
   - IIS Management Scripts and Tools
   - IIS 6 Management Compatibility, with all subcomponents
- Install App-V Management Components.
   a. Run the installation wizard as a custom setup, and accept all the defaults to install the management server.
   b. Restart the server.
- Configure the Startup type for the Application Virtualization Management Server service to be Automatic (Delayed Start) and start the service.
- Create a firewall exception for sghwdsptr.exe and sghwsvr.exe.
- Share the Content Folder to Everyone for Read permission, and grant Domain Administrators full control.
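
The post-installation tasks and the closing demonstration steps can be scripted as follows. This is an added example, not part of the course material; it follows the post-installation task list in granting Read on the Content share to the App-V users group rather than to Everyone as the demonstration does. The content path, share name, rule names, uploader group and the domain-only firewall profile are assumptions to adjust.

```powershell
# Added example (not course code). Save as a .ps1 and run elevated on the App-V management server.
param(
    [string]$InstallRoot = "${env:ProgramFiles(x86)}\Microsoft System Center App Virt Management Server",
    [string]$ContentPath = 'D:\AppVContent',             # hypothetical; use the folder chosen during setup
    [string]$ShareName   = 'Content',                    # assumed share name
    [string]$ReadGroup   = 'CONTOSO\ContosoAppVUsers',   # App-V users group from the demonstration
    [string]$UploadGroup = 'CONTOSO\ContosoAppVAdmins',  # stand-in for the users who upload packages
    [switch]$SqlOnSameComputer                           # set when SQL Server runs on this server
)
$ErrorActionPreference = 'Stop'

function Invoke-Native {
    # Run a native tool and stop on a non-zero exit code.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe $Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

function Add-AppVFirewallException {
    param([string]$Root)
    foreach ($exe in 'sghwdsptr.exe', 'sghwsvr.exe') {
        # Locate the binary under the install root instead of hard-coding the bin folder.
        $file = Get-ChildItem -Path $Root -Recurse -Filter $exe | Select-Object -First 1
        if (-not $file) { throw "$exe not found under $Root" }
        $rule = "AppV-$($file.BaseName)"
        # Drop a rule of the same name first so reruns do not stack duplicates.
        & netsh advfirewall firewall delete rule "name=$rule" | Out-Null
        # Program-scoped inbound rule; profile=domain is an assumption that narrows exposure.
        Invoke-Native netsh @('advfirewall', 'firewall', 'add', 'rule', "name=$rule", 'dir=in',
            'action=allow', "program=$($file.FullName)", 'enable=yes', 'profile=domain')
    }
}

function Set-AppVDelayedStart {
    # Look the service up by the display name given in the course text.
    $svc = Get-Service -DisplayName 'Application Virtualization Management Server'
    # sc.exe expects "start=" and its value as separate tokens.
    Invoke-Native sc.exe @('config', $svc.Name, 'start=', 'delayed-auto')
    if ($svc.Status -ne 'Running') { Start-Service -Name $svc.Name }
}

function Publish-AppVContent {
    param([string]$Path, [string]$Share, [string]$Readers, [string]$Uploaders)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # NTFS: Read for App-V users, Full Control for uploaders, inherited by files and subfolders.
    Invoke-Native icacls.exe @($Path, '/grant', "${Readers}:(OI)(CI)R", "${Uploaders}:(OI)(CI)F")
    # Recreate the share so its permissions are exactly the two grants below (no Everyone entry).
    if (Get-WmiObject -Class Win32_Share -Filter "Name='$Share'") {
        Invoke-Native net.exe @('share', $Share, '/delete', '/y')
    }
    Invoke-Native net.exe @('share', "$Share=$Path", "/GRANT:$Readers,READ", "/GRANT:$Uploaders,FULL")
}

# On a 32-bit operating system the server is installed under Program Files.
if (-not (Test-Path $InstallRoot)) {
    $InstallRoot = "$env:ProgramFiles\Microsoft System Center App Virt Management Server"
}
Publish-AppVContent -Path $ContentPath -Share $ShareName -Readers $ReadGroup -Uploaders $UploadGroup
if ($SqlOnSameComputer) { Set-AppVDelayedStart }
Add-AppVFirewallException -Root $InstallRoot

# Print the resulting configuration for review.
& netsh advfirewall firewall show rule name=AppV-sghwsvr
& net.exe share $ShareName
```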

Demonstration: Installing and Configuring an App-V Streaming Server

Key Points
Before installing the App-V Streaming Server, ensure that the App-V server computer meets all hardware and software prerequisites. The server hardware requirements are the same as the App-V Management server, except that the supporting infrastructure is much smaller. There is no requirement for a data store or AD DS. The App-V client is directed to stream applications from the local streaming server by how you configure its registry or from a desktop configuration policy on a remote App-V management server.

Note: Make sure that the App-V Management Server is not installed on this computer. You cannot install the App-V Management Server and the App-V Streaming Server on the same computer.

Demonstration steps:
1. Run the installation wizard, and accept all defaults to install the streaming server.
2. Restart the server.
3. Open the Start menu, point to Administrative Tools and verify that there is no App-V management console for this server.
4. Share the Content Folder to Everyone for Read access and grant Domain Admins Full Control.
5. Copy an application package to the Content folder.
6. Configure firewall exceptions.
7. Restart the Application Virtualization Streaming Server service.
8. On the client computer, edit the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Configuration\ApplicationSourceRoot key with the following value: RTSP://<servername>:554.
9. Use the SFTMIME command line utility to add the package to the client cache. Test the application.

Question: Is a Microsoft Application Virtualization Management Server and management infrastructure required to install the Microsoft Application Virtualization Streaming Server?
Question: During installation, several options are available for configuration. How can you change them after installation?
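
The client-side registry edit in the demonstration steps can be scripted with a check on the URL before it is written. This is an added example, not part of the course material: the function names and the server name are hypothetical, and the registry key and value format are the ones given in the steps above.

```powershell
# Added example (not course code). Run elevated on the App-V client computer.
$ConfigKey = 'HKLM:\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Configuration'

function Test-AppVSourceRoot {
    # Parse a source root URL and return its parts, or throw if it is unusable.
    param([Parameter(Mandatory = $true)][string]$Url)
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        throw "Not an absolute URL: $Url"
    }
    if (@('rtsp', 'rtsps') -notcontains $uri.Scheme) {
        throw "Unsupported scheme '$($uri.Scheme)'; expected RTSP or RTSPS."
    }
    if ($uri.Port -lt 1) {
        throw 'State the port explicitly, for example RTSP://<servername>:554.'
    }
    New-Object PSObject -Property @{
        Server    = $uri.Host
        Port      = $uri.Port
        Encrypted = ($uri.Scheme -eq 'rtsps')
    }
}

function Get-AppVSourceRoot {
    # Read the current value so a client can be audited without changing it.
    if (-not (Test-Path $ConfigKey)) { throw "App-V client key not found: $ConfigKey" }
    $value = (Get-ItemProperty -Path $ConfigKey).ApplicationSourceRoot
    if (-not $value) { return $null }
    Test-AppVSourceRoot -Url $value
}

function Set-AppVSourceRoot {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [switch]$RequireRtsps   # refuse cleartext RTSP when the server is configured for RTSPS
    )
    $info = Test-AppVSourceRoot -Url $Url
    if ($RequireRtsps -and -not $info.Encrypted) {
        throw "Refusing cleartext RTSP source root: $Url"
    }
    if (-not $info.Encrypted) {
        Write-Warning "Packages from $($info.Server) will stream over RTSP, not RTSPS."
    }
    if (-not (Test-Path $ConfigKey)) { throw "App-V client key not found: $ConfigKey" }
    Set-ItemProperty -Path $ConfigKey -Name ApplicationSourceRoot -Value $Url
    # Read the value back so the caller sees what the client will actually use.
    Get-AppVSourceRoot
}

# Hypothetical branch-office streaming server; replace with the real server name.
Set-AppVSourceRoot -Url 'RTSP://branch-stream01:554'
```

Running Get-AppVSourceRoot on its own reports the server, port and whether the configured source root uses RTSPS, which is useful when checking clients that were configured by hand.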

Considerations for Upgrading from Previous Versions of SoftGrid

Key Points
To realize the benefits of the App-V 4.5 SP1 and App-V 4.6 client release, you need to upgrade your existing App-V infrastructure. Before upgrading to App-V 4.6 or newer versions, you must upgrade versions earlier than App-V 4.1 to App-V 4.1. You must upgrade the App-V clients first, and then upgrade the server components.

Upgrading the Client


App-V clients that you do not upgrade to App-V 4.6 will continue to work with App-V servers that you have not upgraded. Earlier versions of the client are not supported on servers that you upgrade to App-V 4.6. You can upgrade the SoftGrid 4.1 and newer client software directly to the App-V 4.6 client. You can upgrade clients by installing the new version over the old version, which maintains the client cache and configuration settings during the upgrade. After the client upgrade completes, you must reboot the client operating system.

Upgrading App-V Servers


Similar to the client, you can upgrade to App-V 4.6 only from App-V 4.1 or newer by running the installer. The installation wizard recognizes the currently installed version, and performs the upgrade automatically. You should conduct server upgrades during nonpeak times, because you must stop the App-V service during the upgrade. You can upgrade servers by installing the new version over the old version. If you have multiple App-V servers, you should upgrade all servers simultaneously. However, clients should not exchange data with different versions of App-V servers simultaneously.

Upgrading the App-V Management Web Service


In cases where the Web service is running on the same server as the App-V server service, the upgrade will happen automatically. If the Web service runs on a separate server, you must run the installer again on that server to perform the upgrade.

Upgrading the Sequencer


Upgrading from previous versions of the Sequencer is not supported. You must uninstall any previous versions of the Sequencer, and then install the App-V Sequencer 4.6. Virtual applications that you sequence by using an earlier version of the Sequencer can be opened and edited using Sequencer 4.6.

Note: For more information, see the TechNet article App-V Upgrade Checklist at http://technet.microsoft.com/en-us/library/ff361462.aspx.

Lab: Implementing Application Virtualization

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Ensure that the 10324A-NYC-DC1 and the 10324A-NYC-SVR3 virtual machines are running.
3. If required, connect to the virtual machines. Log on to the computers as Contoso/Administrator using the password Pa$$w0rd.

Exercise 1: Planning the App-V Implementation


Scenario
Contoso, Ltd. has a distributed computing environment. There is a head office with 150 desktops, and a branch office with 50 desktops. System Center Configuration Manager has not been deployed. There also are several field engineers who use laptops and who rarely connect to the LAN. The head office and branch office are connected via a fast WAN link. All users need access to virtual applications. The head office has multiple file and print servers, application servers, and a domain controller. The branch office has a local file server. You need to develop a high-level plan that ensures that virtual applications are available to all users. Your plan must allow for application metering and license checking, where possible.

The main task for this exercise is:
1. Answer questions related to the App-V implementation.

Task 1: Answer questions related to the App-V implementation


Question: How would you recommend deploying virtual applications?
Question: How would you deploy the App-V client?
Question: How would you implement App-V in the head office?
Question: How would you distribute virtual applications to the branch office?
Question: How would you distribute virtual applications to the field engineers?

Results: After this exercise, you should have an understanding of how to plan for an App-V deployment.

Exercise 2: Installing an App-V Management Server


Scenario
As the first step in implementing an application virtualization solution, you need to perform a default installation of the App-V management server for the head office. SQL Server is installed already on the member server. Next, you will perform the preinstallation tasks of installing IIS 7.0 and creating groups in AD DS for App-V. Then, you will install the App-V management server, and configure the service's startup parameters to account for SQL Server on the same computer.

The main tasks for this exercise are:
1. Install IIS 7.0.
2. Create groups for App-V users and administrators.
3. Install the App-V management server.
4. Configure Windows Firewall exceptions.
5. Configure the App-V management server service.

Task 1: Install IIS 7.0


On NYC-SVR3, open Server Manager and add the Web Server (IIS) role with the following role services:
- ASP.NET
- Windows Authentication
- IIS Management Scripts and Tools
- IIS 6 Management Compatibility, with all subcomponents

Task 2: Create groups for App-V users and administrators


1. On NYC-DC1, launch Active Directory Users and Computers.
2. Create two global security groups: one named ContosoAppVAdmins, and one named ContosoAppVUsers.

Task 3: Install the App-V management server


1. On NYC-SVR3, open Windows Explorer and navigate to \\NYC-DC1\E$\Labfiles\Mod06\Server\Management, and launch Setup.exe.
2. Complete the wizard using the following values and then click Install.
   - Microsoft Update: I don't want to use Microsoft Update
   - User Name: Student; Organization: Contoso
   - Setup Type: Custom
   - Configuration Database: NYC-SVR3\SQLEXPRESS
   - Create a new database: APPVIRT
   - Connection Security Mode: Use enhanced security: disabled
   - TCP Port Configuration: 554
   - Administrator Group: ContosoAppVAdmins
   - Default Provider Group: ContosoAppVUsers
   - Content folder: default location
3. Restart the system after the wizard completes.
4. Log on to NYC-SVR3 as Contoso\Administrator with the password of Pa$$w0rd.

Task 4: Configure Windows Firewall exceptions


Create an exception for sghwdsptr.exe and sghwsvr.exe in Windows Firewall. These files are located in the C:\Program Files (x86)\Microsoft System Center App Virt Management Server\Bin folder.


Task 5: Configure the App-V Management Server Service


1. On NYC-SVR3, launch the Services console, and locate the Application Virtualization Management Server service. Start the service if it is not running.
2. Set the service Startup type to be Automatic (Delayed Start).
3. In Hyper-V Manager, revert the 10324A-NYC-SVR3 virtual machine. Leave 10324A-NYC-DC1 running for the next exercise.

Results: After this exercise, you should have installed the prerequisites for the App-V management server, and installed the default installation of the management server.


Exercise 3: Installing an App-V Streaming Server


Scenario
After installing the App-V Management server, you next need to install a streaming-only server for use in a branch-office scenario. The client will refresh application information from the management server at the head office, but will stream the application from the local streaming server. You need to ensure that you have shared the content folder for the necessary users. The sequencing team has given you a sequenced application, which you will place in the content folder, and then you will configure the App-V client at the branch office to stream from this server.

The main tasks for this exercise are:
1. Install a streaming server.
2. Share the Content folder.
3. Copy a package to the Content folder.
4. Configure Windows Firewall exceptions.
5. Restart the Application Virtualization Streaming Server service.

Task 1: Install a streaming server


1. Start and connect to 10324A-NYC-SVR3. Log on to NYC-SVR3 as Contoso\Administrator with the password of Pa$$w0rd.
2. Open Windows Explorer and navigate to \\NYC-DC1\E$\Labfiles\Mod06\Server\Streaming, and double-click Setup.exe.
3. Complete the wizard by providing the following values, and then click Install:
   • Microsoft Update: I don't want to use Microsoft Update
   • User Name: Student; Organization: Contoso
   • Installation Path: default
   • Connection Security Mode: Use enhanced security: disabled
   • TCP Port Configuration: 554
   • Content Root: default location
   • Advanced Settings: default
4. Restart the server when prompted.


Task 2: Share the Content folder


1. Log on to NYC-SVR3 as Administrator with a password of Pa$$w0rd.
2. Open Windows Explorer and navigate to C:\Program Files (x86)\Microsoft System Center App Virt Streaming Server, and share the content folder.
3. Ensure that the Everyone group has Read permission to this folder.
4. Grant Full Control to the Domain Admins group.
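Clients execute the code they stream from the Content folder, so the permissions set in this task are worth checking rather than assuming. The following PowerShell is an added example, not part of the original lab: it lists every allow entry in the folder's NTFS ACL that grants a write-capable right to an identity outside a trusted list. The function name, the trusted-writer list, and the in-memory sample ACL are assumptions made for illustration.

```powershell
# Added example: flag NTFS entries on the App-V content folder that let anyone
# other than trusted administrators change, delete or re-permission packages.
# Get-ContentWriteAce is a hypothetical helper name, not an App-V cmdlet.

function Get-ContentWriteAce {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.AccessControl.FileSystemSecurity]$Acl,
        [Parameter(Mandatory = $true)]
        [string[]]$TrustedWriters
    )
    $fsr = [System.Security.AccessControl.FileSystemRights]
    # Only bits that modify content or permissions; read and execute bits are left out
    # so that a plain Read or ReadAndExecute entry is never reported.
    $writeBits = [int]$fsr::Write -bor [int]$fsr::Delete -bor
                 [int]$fsr::DeleteSubdirectoriesAndFiles -bor
                 [int]$fsr::ChangePermissions -bor [int]$fsr::TakeOwnership
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) can appear in stored ACEs.
    $writeBits = $writeBits -bor 0x50000000

    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
        $who = $ace.IdentityReference.Value
        if ($TrustedWriters -contains $who) { continue }   # comparison is case-insensitive
        New-Object psobject -Property @{
            Identity  = $who
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# --- Constructed sample ACL, built in memory so the check can be tried offline ---
# BUILTIN\Users with Modify stands in for an over-permissive entry.
$sample  = New-Object System.Security.AccessControl.DirectorySecurity
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$entries = @(
    @('Everyone',               'ReadAndExecute'),
    @('BUILTIN\Administrators', 'FullControl'),
    @('BUILTIN\Users',          'Modify')
)
foreach ($entry in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $entry[0], $entry[1], $inherit, 'None', 'Allow'
    $sample.AddAccessRule($rule)
}
Get-ContentWriteAce -Acl $sample -TrustedWriters 'BUILTIN\Administrators'

# --- Live check against the folder shared in this task ---
# The trusted list is an assumption; adjust it to the accounts your site expects.
$content = 'C:\Program Files (x86)\Microsoft System Center App Virt Streaming Server\content'
$trusted = 'CONTOSO\Domain Admins', 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
           'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'
if (Test-Path -Path $content) {
    Get-ContentWriteAce -Acl (Get-Acl -Path $content) -TrustedWriters $trusted
}
```

The check covers the NTFS ACL only; share-level permissions are configured separately and are not read by this script.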

Task 3: Copy a package to the Content folder


In Windows Explorer, navigate to \\NYC-DC1\E$\Labfiles\Mod06\, and copy the Word03 folder to C:\Program Files (x86)\Microsoft System Center App Virt Streaming Server\content.

Task 4: Configure Windows Firewall exceptions


Create an exception for sglwdsptr.exe and sglwsvr.exe in the Windows Firewall. These files are located in the C:\Program Files (x86)\Microsoft System Center App Virt Streaming Server\Bin folder.

Task 5: Restart the Application Virtualization Streaming Server service


Restart the Application Virtualization Streaming Server service.

Results: After this exercise, you should have installed an App-V streaming server, shared the Content folder, and copied a package to the Content folder.


Exercise 4: Configuring a Client to Use the Streaming Server


Scenario
To stream from an alternate server, you need to configure a client manually. In this exercise, you will configure the client to stream from the streaming-only server.

The main tasks for this exercise are:
1. Edit the client registry key.
2. Use the Sftmime utility to load the package into the client cache.
3. Test the application.

Task 1: Edit the client registry key


1. Start 10324A-NYC-CL1 and log on as Contoso\Administrator with the password of Pa$$w0rd.
2. Open the Registry Editor and edit the App-V client registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Configuration key value for Application Source Root to use the RTSP protocol for NYC-SVR3 at port 554.

Task 2: Use the Sftmime utility to load the package into the client cache
Execute the following command on NYC-CL1:
sftmime add package:Word03 /manifest \\\NYC-SVR3\Content\Word03\Wordviewer03_manifest.xml

Note: The UNC path in the command requires three backslashes at the beginning of the path.


Task 3: Test the application


Launch the Word Viewer application.

Results: After this exercise, you should have edited the client registry key to configure the client to use the streaming server.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machines used in this lab, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Module Review and Takeaways

Review Questions
1. What is the primary function of the OSD file?
2. How can you replicate application packages between multiple streaming servers?
3. How are App-V administrators determined?


Common Issues Related to Implementing Application Virtualization


Identify the causes for the following common issues related to implementing application virtualization, and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue                                                            Troubleshooting tip
Client is unable to connect to the streaming server.
Client is able to connect, but cannot stream the application.

Real-World Issues and Scenarios


1. Your organization is geographically distributed. How can you ensure that your application virtualization solution does not affect the network bandwidth and increase costs?
2. Application licensing can be difficult to track and enforce. Using App-V can simplify license compliance and even reduce ownership costs. Your renewal time is coming up for a particular application that you run in the App-V environment. You want to track the actual number of users who run the application concurrently, so that you can purchase the appropriate number of licenses. What solution could you implement?

Best Practices Related to Implementing Application Virtualization


Supplement or modify the following best practices for your own work situations:
• Secure communications between server components with Internet Protocol Security (IPsec) in high-security environments.
• Use HTTP streaming for Internet-facing clients.
• Use Network Load Balancing (NLB) to provide redundancy.


Module 7
Planning and Deploying App-V Clients
Contents:
Lesson 1: Overview of the App-V Client
Lesson 2: Installing and Configuring the App-V Client
Lab A: Deploying the App-V Client in Stand-Alone Mode
Lesson 3: Managing Client Configuration Features
Lab B: Managing Client Configuration Features


Module Overview

The Microsoft Application Virtualization (App-V) Client software is the one component that you always require to implement App-V solutions. Therefore, before you deploy the App-V Client, you must consider various factors very carefully. You should consider the best client to deploy, the deployment method that you will use, and the configurations that your intended deployment will require. You also should be aware of the prerequisites for installing the client. This module provides an overview of the desktop and remote desktop client, including the several installation methods. The module also describes the recommendations for deploying and managing the App-V Client.


Lesson 1

Overview of the App-V Client

There are two different types of App-V Client software: the App-V Client for Remote Desktop Services (RDS), which you use on Remote Desktop Session Host (RD Session Host) server systems, and the App-V Desktop Client, which you use for all other computers. RDS formerly was known as Terminal Services. As the network administrator, you must deploy the client software to all host computers on which you want to run virtualized applications. This lesson describes the characteristics of the App-V Clients and the features of the desktop and remote desktop clients. The lesson also describes the configuration options that are available to the client software and the considerations for configuring these options.


What Is the App-V Desktop Client?

Key Points
The Microsoft App-V Desktop Client is a small program that runs on startup on desktops and laptops. Users might never know that the App-V Client is installed because it runs in the background. Although it is possible for users to access the client software, in most cases users do not interact directly with the App-V Client. The App-V Management Console is stored in the Administrative Tools folder, and most users do not have access to that folder. Applications that run in the App-V Client look and feel like normally installed applications. In a typical deployment, the App-V desktop clients communicate and authenticate with the App-V Management Server so that it can stream the application to the client. The client sets up the runtime environment, and then executes the application code locally.


The App-V Client software controls all aspects of the virtual application, including communicating with the streaming server and verifying the .osd file. The Client executes any scripts that the .osd file specifies. The App-V Client also is responsible for setting up the client cache, publishing program shortcuts and icons, dealing with file-type associations, and saving any client-side configurations to the user's profile. Finally, the App-V Client is responsible for disconnecting from the management server.

The App-V Desktop Client makes virtual applications available over networks such as local area networks (LANs); wide area networks (WANs); virtual private networks (VPNs); wireless networks; and the Internet. You can use this accessibility feature without rewriting any application source code.

The App-V Desktop Client provides the following features:
• Eliminates significant deployment issues, such as application and system conflicts.
• Enables different versions of the same application to run on the same desktop.
• Enables the same application, with different configurations, to run on the same desktop.
• Enables you to prevent any modifications to the operating system, yet still allow applications that require full rights to run properly.
• Centralizes application provisioning, licensing, and updates.
• Scales to thousands of users from a single server.
• Includes fail-over protection: In the event of a network outage, users that connect via a LAN can continue working, since code resides on the local computer.


How the App-V Client Accesses an Application

Key Points
A number of steps occur in the background when the App-V Client starts and attempts to stream an application to the user's computer. The events are transparent to the user, but it is useful to know how this process works in case you have to troubleshoot it. In a typical scenario, the following sequence of steps occurs when a user launches a virtual application:
1. When users log on to their workstations, the App-V Client service starts, captures the user's token, and then passes it to the App-V Management Server that you configure the App-V Client to use.
2. The App-V Management Server gets each application's group information from the application records in the data store.
3. The App-V Management Server compares the information in the user's access token to the groups to which you assign permissions in the application records.
4. For any applications that App-V determines need to be provisioned to the user, the App-V Management Server sends the location of the icon (.ico) and Open Software Description (OSD) files.
5. The App-V Client retrieves the designated ICO and OSD files from the configured location, and then copies them to the local system.
6. When a user launches an application, the App-V Management Server uses an Open Database Connectivity (ODBC) connection to return to the data store and verify if that user still has permissions to the application record. If you implement licensing on that application, the App-V Management Server also queries the data store to see if there is an available license for that user. If the location is an App-V streaming-only server, the streaming server checks the NTFS permissions of the content folder that contains the package.
7. If users have the correct permissions, they will see the application shortcuts to which they have access, and they then can launch an application by double-clicking the shortcut. When the user launches an application, the streaming server will access the \Content share, and then mount the virtualization-enabled application (SFT) file into the server's random access memory (RAM) to stream it to the client. Note that the streaming server does not mount the entire SFT file into its RAM at one time.
8. The App-V Management Server caches application code on the client computer so that the streaming server does not have to stream subsequent launches. After the initial launch, the App-V Management Server caches the code, which is known as Feature Block 1, at the client workstation, and then the application launches, and the user can use it as if it were installed locally. On subsequent launches, the client checks with the management server to ensure that access to the application is still valid, but uses the code in the local cache to launch and run the application when possible.
9. If the user attempts to use new application features, the App-V streaming server streams the requisite code, known as Feature Block 2.


What Is the App-V Client for Remote Desktops?

Key Points
The App-V Client for Remote Desktop Services is installed only on the Remote Desktop Session Host (RD Session Host) servers. The Client for Remote Desktop Services performs the same function and behaves in the same way as the App-V Desktop Client, only on an RD Session Host server. When users connect to the RD Session Host server and launch an application, the application runs in a virtual environment on the RD Session Host server. Application code executes on the RD Session Host server, and users access their Remote Desktop applications in the normal fashion. Users are unaware that they are using a virtual application. This can alleviate situations where you have application conflicts and have to deploy multiple RD Session Host servers because of these conflicts. Because virtualization allows multiple instances of an application to run concurrently on RDS servers, you can deploy applications that typically are designed for a single user in a Remote Desktop environment on a single server. This eliminates the need for application silos, where multiple RD Session Host servers are required to support multiple applications because those applications cannot coexist on the same computer.


You can use Windows Server 2008 or Windows Server 2003 Remote Desktop Services to take advantage of App-V virtual applications. After you load an application on an RD Session Host server in the App-V cache, any user who has permissions for that application can use it on the RD Session Host server. The App-V Client for Remote Desktops is a separate installation executable. Installing the App-V Remote Desktop Services Client is no different than installing other applications on an RD Session Host server. Installing applications on an RD Session Host server requires using the install mode for the RD Session Host server.


Storage Locations for App-V Client Data

Key Points
The App-V Client component stores data in multiple locations on the local computer. This data includes the client cache, the OSD and Icon cache directories, and the Shortcut_ex.dat file. The App-V Client assembles that data at application runtime, and presents it to the user as a locally running application.

Client Cache
One of the functions of the App-V Client is to create the App-V cache on the client hard disk. The cache is instantiated as a single file, known as sftfs.fsd. When a user launches the application, the contents of the file are mounted to the virtual drive that the App-V Client creates. Normally, this is drive Q. Users see drive Q in Windows Explorer as a normal volume in the graphical user interface (GUI), but users cannot access it. This virtual drive provides access to the file system and the files in the application package. After the initial streaming of Feature Block 1, the App-V Client stores packages in the cache file persistently for subsequent launches.


The sftfs.fsd file is in the Public profile on Windows Vista and newer operating systems, and in the All Users profile on Windows XP. Both operating systems share the same path in their respective profile, which is Documents\SoftGrid Client, though you can choose a location as the cache's path during installation. If you change the path post-installation, you must restart the client computer.

Note: The size of the cache is set during client installation, and you cannot change it without destroying the contents of the cache.

Note: Microsoft has released the Application Virtualization Cache Configuration Tool. The App-V Client cache resizing tool (AppVCacheSize) allows administrators to increase the App-V Client cache size through a scriptable command-line interface. AppVCacheSize uses the parameters you specify to configure the desired cache size, and to toggle between using a threshold for free disk space or the maximum cache size. This is a free download from the Microsoft Download Center. However, Microsoft does not support this application.

OSD Cache and Icon Cache Directories


Icons that you use in shortcuts and file type associations are part of the application package that streams to the client, and they are cached in a location that is available to all users of the computer. The OSD cache stores information, such as the location of the streaming server, in the .osd file. This information is required to launch the virtual application. The OSD cache directories are located in the Documents\SoftGrid Client path in the Public profile on Windows Vista and newer operating systems, and in the same path in the All Users profile on Windows XP. An icon cache directory also is created for each individual user, which stores per-user icons. By default, this icon cache directory is stored under the user's profile at \AppData\Roaming\SoftGrid Client\ on Windows Vista and newer operating systems, and it is stored under the user's profile at \Application Data\SoftGrid Client on Windows XP.


The Shortcut_ex.dat File


The shortcut_ex.dat file contains the list of application shortcuts. During a publishing refresh, any discovered application shortcuts that are available to the client are listed in this file. Both the user and the machine have their own shortcut files. When the user logs off the machine, this updates the per-user file with data from publishing refresh operations. Additionally, the machine-based file is updated when you add a package by using SFTMIME ADD PACKAGE with the /Global switch or when you add a package that you base on Microsoft Windows Installer (MSI). These files are located in the following profiles:
• Per User: \UserProfile\AppData\Roaming\SoftGrid Client on Windows Vista and \UserProfile\Application Data\SoftGrid Client on Windows XP.
• Per Computer: \Public\Documents\SoftGrid Client on Windows Vista and \All Users\Documents\SoftGrid Client on Windows XP.


Considerations for Configuring Client Options

Key Points
Before installing the desktop or remote desktop App-V Clients, you need to plan the client configuration. The considerations for either client are similar, but some of the settings require additional consideration for deployment on an RD Session Host server.

App-V Client Considerations


You should consider the following settings carefully when planning an App-V Client installation:
• Global data location. This location is the default store of the sftfs.fsd file or client cache, along with other App-V files. You can move the App-V file system cache independently of the global data location. Because the cache file can be quite large, consider placing it in an alternate location from the default, which is in the All Users profile. For RD Session Host servers, you should preload the entire contents of the SFT file into the cache. You can do this by using the SFTMIME command-line utility.
• Preferred drive letter. This setting determines the drive letter that the App-V Client will use to mount the virtual file system. If you change the drive letter from the default drive Q, you should set it consistently on all App-V Clients, and then match the drive letter that is assigned to the second disk partition on a sequencing workstation.
• User-specific data locations. This setting determines where the App-V Client stores user-specific changes to virtual application packages, such as usrvol_sftfs_v1.pkg. By default, the App-V Client for Remote Desktop Services places the user-specific data in the AppData folder of the user's profile. If you have roaming users or you use mandatory Remote Desktop profiles, you should redirect the AppData folder of user profiles to a network location, such as a subdirectory within the user's Remote Desktop home directory or any network location to which the user always has access.
• Cache size settings. The App-V Client (desktop or Remote Desktop Services) allows you to configure the cache (sftfs.fsd file) by using one of the following two methods:
  - Use maximum cache size: This method sets the cache to an absolute maximum size, with an upper limit of 1 terabyte. For most client systems, this means that you can use all the available free disk space for the cache. The default value is 6 gigabytes (GB). For most users who run a few virtual applications, this space is sufficient. If you know that you will be running large virtual applications, you should set the cache accordingly. Consider what future applications you might deploy virtually and leave room for expansion.
  - Use free disk space threshold: This method sets the cache to increase as long as there is a predetermined amount of available disk space on the server. When you use this option, the cache uses all the free disk space available except for a predetermined amount. The default size is 5 GB. You can use this method when you want to ensure that you leave enough free disk space for other purposes, but you also want as much disk space as possible available for the cache.

Note: You should give special consideration to the cache size for RD Session Host servers that host multiple applications to ensure the cache is large enough.


Methods for Deploying the App-V Client

Key Points
The App-V Client supports four standard deployment methods. Because the App-V Client is an application itself, you can use any method of installation that your organization uses to deploy the client software. There are several standard installation methods, including:
• Manual: Use a portable media, such as a CD or a USB flash drive, a network share, or the Setup file. This requires that the user log on as a local administrator.
• Group Policy object (GPO) Deployment: Deploy the Setup.msi file to the machine or user. This method does not require that the user is logged on as a local administrator, but it does require that you install the prerequisite software. Because this method uses the MSI installer file, the prerequisite software is not installed automatically. You must ensure that the prerequisite software is installed on the client computer in order for this method to succeed.
• System Center Configuration Manager 2007 or Systems Management Server (SMS) 2003: Deploy the Setup.msi file to the user or a machine. This method does not require the user to be an administrator, but does require the prerequisite software to be installed.
• Imaging: Install the App-V Client to the reference computer, and then image it using your organization's standard imaging methods. You must have local administrative rights.

If you use Active Directory Domain Services (AD DS), Group Policy software deployment is a good choice. You can use a GPO to deploy the client software to selected computers or users. Large organizations may prefer to use System Center Configuration Manager. You can schedule the installation of the software to occur at a particular time using this method. If you have a current imaging solution, and want all users to have the App-V Client, you can choose to embed the client in the standard desktop image. This also allows you to embed the prerequisite software. Many organizations have a role-based approach to imaging. For example, you might deploy images with the client installed and configured differently based on location or type, such as desktop or laptop.


Lesson 2

Installing and Configuring the App-V Client

You can deploy virtual applications in several ways that require different back-end components. However, no matter what virtualization scenario you use, you require the App-V Client. This lesson describes the ways to install and configure the App-V Client for different scenarios.


Prerequisites for Installing the App-V Desktop Client

Key Points
Before installing the App-V Client, you should be aware of the recommended hardware and software prerequisites for the App-V Desktop Client and the App-V Client for RDS. In general, the requirements are similar for each. Both clients have two installer files. To install the App-V Desktop Client, you need an executable named Setup.exe, and to install the App-V Client for Remote Desktop Services, you need an MSI file named Setup.msi. The behavior of these installers differs in certain aspects. Setup.exe checks for the following prerequisite software:
• Microsoft Visual C++ 2008 Service Pack 1 (SP1) Redistributable Package [x86] (4.6 client only)
• Microsoft Visual C++ 2005 SP1 Redistributable Package [x86]
• Microsoft Application Error Reporting
• Microsoft Core XML Services (MSXML) 6.0 SP1 (x86)


If these components are not present, the Setup.exe client installer installs them. The MSI.exe also checks for the prerequisite software, but does not install it. You must install the prerequisite software using some other method. If the Setup.msi does not detect the prerequisite software, the installation returns an error and fails.

Requirements for the App-V Desktop Client


The following operating systems support the App-V 4.5 SP1 or 4.6 client:
• Windows XP Professional with SP2 or SP3
• Windows Vista Business, Enterprise, or Ultimate editions with no service pack, SP1, or SP2
• Windows 7 Professional, Enterprise, or Ultimate

The App-V Client does not require processor or random access memory (RAM) capacity beyond what is needed for the operating system being used. The App-V Client requires a minimum disk space of 30 megabytes (MB) for installation and 6 GB for cache.

Note: App-V 4.5 SP1 supports only 32-bit architecture. The App-V Client 4.6 release is the first version of App-V to support both x64 and x86 Windows platforms. The primary focus of this release is to enable App-V to take advantage of 64-bit Windows platforms, including Windows 7 and Windows Server 2008 R2.

Requirements for the App-V Client for Remote Desktop Services


The following operating systems support the App-V 4.5 SP1 or 4.6 client:
• Windows Server 2003 Standard, Enterprise, or Datacenter editions with SP1 or SP2
• Windows Server 2003 R2 Standard, Enterprise, or Datacenter editions with no service pack or SP2
• Windows Server 2008 Standard, Enterprise, or Datacenter with SP1 or SP2
• Windows Server 2008 R2 Standard, Enterprise, or Datacenter


Demonstration: Installing the App-V Desktop Client

Key Points
In this demonstration, you will see how to install the App-V Desktop Client by using the Setup.exe file.

Demonstration steps:
1. Launch Setup.exe.
2. Perform a custom installation. Notice the software requirements and install them.
3. Accept the defaults, except using Microsoft Updates, to complete the installation wizard.


What Is the Application Source Root Value?

Key Points
The Application Source Root (ASR) value configures the App-V Client to stream Application Virtualization package files from an alternate location other than the application's specified OSD file. In a typical scenario, the OSD file has a line of XML code known as a hypertext reference (HREF) tag, which indicates a protocol, server name, and path from where you can find and stream the SFT file. If you wish to have the client stream the SFT file from a location other than the Management Server, such as a branch streaming server, or use a different protocol, such as HTTP, you can set the ASR on the client. Setting this value on the client overrides the HREF tag value.


You can set the ASR value during the client installation process. After installation, you must configure the ASR value for the application virtualization client by using a Group Policy object or by manually modifying the registry in the HKLM\software\Microsoft\SoftGrid\4.5\Configuration key. The two available options are: A URL: <protocol>://<server>:<port> A UNC: \\computername\sharefolder\subfolder1

Configuring the ASR value replaces sections of the OSD file on the App-V Client with the values from the ASR. For example, if the OSD file has the following HREF tag:

Rtsp://sgserver:554/Microsoft_Office_2007/Microsoft_Office_2007.sft

And you configure the ASR as:

\\BOS-1\AppV

The App-V Client will use the ASR value to override the OSD file and look for the Microsoft_Office_2007.sft in the following Universal Naming Convention (UNC):

\\BOS-1\SoftGrid\Microsoft_Office_2007
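Because the ASR silently changes where package content is pulled from, it is worth predicting the effective source and checking it against the hosts you expect to serve content. The following PowerShell function is an added example, not code from the course or from Microsoft. It assumes the folder and file name from the HREF are kept and appended to the ASR; the function name, its parameters, and the sample host names are hypothetical.

```powershell
# Added example (not from the course material). Models how an ASR value
# replaces the protocol/server/port part of an OSD HREF, then checks the
# resulting source against an allow-list of approved content hosts.
# Function name, parameters and sample hosts are hypothetical.

function Resolve-AppVPackageSource {
    [CmdletBinding()]
    param(
        # HREF value taken from the package's OSD file.
        [Parameter(Mandatory)] [string] $OsdHref,
        # ASR configured on the client; empty means "no override".
        [string] $ApplicationSourceRoot,
        # Hosts that are approved to serve package content.
        [string[]] $ApprovedHost = @()
    )

    $href = [System.Uri] $OsdHref
    # Folder and SFT file name: the part of the HREF that survives the override.
    $relative = [System.Uri]::UnescapeDataString($href.AbsolutePath).TrimStart('/')

    if ([string]::IsNullOrWhiteSpace($ApplicationSourceRoot)) {
        # No ASR set: the client streams from the location in the OSD file.
        $effective  = $OsdHref
        $sourceHost = $href.Host
        $transport  = $href.Scheme
    }
    elseif ($ApplicationSourceRoot.StartsWith('\\')) {
        # UNC form: \\computername\sharefolder\subfolder1
        $root       = $ApplicationSourceRoot.TrimEnd('\')
        $effective  = $root + '\' + ($relative -replace '/', '\')
        $sourceHost = $root.TrimStart('\').Split('\')[0]
        $transport  = 'file'
    }
    else {
        # URL form: <protocol>://<server>:<port>
        $asr        = [System.Uri] $ApplicationSourceRoot
        $effective  = $ApplicationSourceRoot.TrimEnd('/') + '/' + $relative
        $sourceHost = $asr.Host
        $transport  = $asr.Scheme
    }

    [pscustomobject]@{
        OsdHref         = $OsdHref
        EffectiveSource = $effective
        Transport       = $transport
        SourceHost      = $sourceHost
        # -contains compares strings case-insensitively.
        Approved        = ($ApprovedHost -contains $sourceHost)
    }
}

# Constructed sample values (not from any real environment).
$sampleHref = 'rtsp://mgmt01:554/Sample_App/Sample_App.sft'
$approved   = @('mgmt01', 'branch01')

# UNC override pointing at an approved branch server.
Resolve-AppVPackageSource -OsdHref $sampleHref `
    -ApplicationSourceRoot '\\branch01\content' -ApprovedHost $approved

# URL override pointing at a host that is not on the allow-list.
Resolve-AppVPackageSource -OsdHref $sampleHref `
    -ApplicationSourceRoot 'http://unlisted-host:80' -ApprovedHost $approved
```

A row with Approved set to False identifies a client whose ASR redirects streaming to a host outside the approved list.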


Managing the App-V Client by Using the Desktop Notification Area

Key Points
The Microsoft App-V Client uses sfttray.exe for displaying pop-up status messages in the notification area. These messages report the application's current load percentage and successful launch. In the event of an error, sfttray.exe reports Launch Failed in the notification area. If the user clicks on that message once, an error code displays. This error code, along with any message, is written to the client's log file, sftlog.txt, for future reference.

Sfttray.exe places an icon in the notification area that enables users to perform a limited set of actions for virtual applications. From the Notification tray icon or sfttray.exe, you can:
• Refresh the list of available applications, shortcuts, and file-type associations from a defined publishing server.
• Fully load applications in the cache for use while in disconnected mode. If you are not connected to the streaming server, an error generates. Applications load one at a time, and you can skip individual applications during the load process.
• Cancel loading of applications into the cache.
• Toggle between working online and offline.
• Exit from the client.

By default, the Notification tray is shown in the notification area only when the client is in use. You can configure this behavior in the properties of the App-V Client on the Interface tab. You also can run sfttray.exe from the command prompt to force the icon to display in the notification area.


Configuring the Disconnected Operation Mode

Key Points
The disconnected operation mode lets the App-V Client run applications that are in the local file system cache if the client cannot connect to the App-V Management Server. Clients automatically go into the disconnected mode when the user chooses to work offline or when there is a server failure, network outage, or network disconnection. To work in the disconnected mode, right-click the App-V notification area icon, and then click Work Offline. You also can configure the disconnected mode by setting the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Network\AllowDisconnectedOperation registry key value to 1.


Mobile users may want to load the applications fully into the cache to use them during the disconnected operation. If an application is not 100 percent cached, and the user tries to perform an operation that requires additional code from the server, the system warns the user, and then shuts down the application in two minutes.

By default, the disconnected operation mode is enabled, and the time-out is 90 days. The maximum time-out optional setting is 999 days. You also can configure time limits on the disconnected mode by setting the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Network\LimitDisconnectedOperation registry key value to 1 and setting the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Network\DOTimeoutMinutes registry key to a value, in minutes, between 1 and 999999. To allow unlimited use of disconnected operation mode, set this value to zero.

To load the application(s) fully, right-click the App-V Client notification area icon, and then click Load Applications.

Note: For Remote Desktop Clients, you should allow unlimited use of disconnected operation mode.
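The registry settings above can be applied from a script so that the day-to-minute conversion and the 1 to 999999 range are checked before anything is written. This PowerShell is an added example, not code from the course or from Microsoft; the function names and parameters are hypothetical. It reads "set this value to zero" as setting LimitDisconnectedOperation to 0, which is an assumption.

```powershell
# Added example (not from the course material). Writes the three values the
# page names under ...\SoftGrid\4.5\Client\Network. Function names and
# parameters are hypothetical.

function ConvertTo-DOTimeoutMinutes {
    param([Parameter(Mandatory)] [int] $Days)

    # DOTimeoutMinutes is expressed in minutes; the page gives 1..999999.
    $minutes = [int64] $Days * 24 * 60
    if ($minutes -lt 1 -or $minutes -gt 999999) {
        throw "A limit of $Days days is $minutes minutes; DOTimeoutMinutes accepts 1 to 999999."
    }
    [int] $minutes
}

function Set-AppVDisconnectedOperation {
    [CmdletBinding(SupportsShouldProcess, DefaultParameterSetName = 'Limited')]
    param(
        # Number of days a client may keep running cached applications offline.
        [Parameter(Mandatory, ParameterSetName = 'Limited')]
        [int] $Days,

        # No time limit, as the page recommends for Remote Desktop clients.
        [Parameter(Mandatory, ParameterSetName = 'Unlimited')]
        [switch] $Unlimited,

        # Key path as given on the page, expressed through the HKLM: drive.
        [string] $Key = 'HKLM:\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Network'
    )

    $values = [ordered]@{ AllowDisconnectedOperation = 1 }
    if ($PSCmdlet.ParameterSetName -eq 'Unlimited') {
        # Assumption: "set this value to zero" refers to LimitDisconnectedOperation.
        $values.LimitDisconnectedOperation = 0
    }
    else {
        # Validate before touching the registry so a bad value changes nothing.
        $values.DOTimeoutMinutes           = ConvertTo-DOTimeoutMinutes -Days $Days
        $values.LimitDisconnectedOperation = 1
    }

    if (-not (Test-Path -LiteralPath $Key)) {
        throw "Registry key not found: $Key. Is the App-V Client installed?"
    }

    foreach ($name in $values.Keys) {
        if ($PSCmdlet.ShouldProcess("$Key\$name", "Set DWORD to $($values[$name])")) {
            New-ItemProperty -LiteralPath $Key -Name $name -Value $values[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }

    # Return what was requested so the caller can log it.
    [pscustomobject] $values
}

# Preview a 120-day limit (172800 minutes) without writing anything:
#   Set-AppVDisconnectedOperation -Days 120 -WhatIf
# Remote Desktop clients, no limit:
#   Set-AppVDisconnectedOperation -Unlimited
```

Run it from an elevated session, because the values live under HKEY_LOCAL_MACHINE.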


Configuring a Client for Stand-Alone Operation

Key Points
The Stand-Alone mode is meant for those users who connect rarely, and who need virtualized applications, but who do not have access to a streaming server. For the Stand-Alone mode, you require an MSI file that the App-V sequencer and the App-V Client software create. This MSI file contains the ICO, OSD, and Manifest.xml files that are necessary for publishing the application on the machine from which it is run, and information on how to import the SFT file into the App-V Client cache. You do not need any additional App-V infrastructure.

The SFT file is not part of the MSI that generates during sequencing, and by default it needs to be in the same directory as the MSI for the installation to complete successfully. If the SFT file is in an alternate location, such as a network share, then you can use the SFTPATH parameter to specify the location. For example:

Msiexec.exe /i \\PathToMsi\packagename.msi SFTPATH=\\server\share\package.sft /q


Note: Applications installed in Stand-Alone mode are available to all users who log onto the computer.

You can configure the Stand-Alone mode during installation, through the registry after installation, or by using GPOs with the App-V ADM Template. To configure the Stand-Alone mode during installation, configure settings on the Runtime Policy Package Configuration page by performing the following steps:
1. Clear the Require User authorization even when cached check box.
2. Select the Allow streaming from file check box.
3. Clear the On Launch check box.
4. Clear the On Logon check box.

You also can use GPOs to configure these settings, though by definition, the client computers may not be able to receive the policy because they are disconnected from the network. These settings are in the Group Policy App-V ADM Template in the Communications folder.

Note: You cannot set up the client to be in Stand-Alone mode and streaming mode simultaneously.


Lab A: Deploying the App-V Client in Stand-Alone Mode

Lab Setup
On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager. Ensure that the 10324A-NYC-DC1 and 10324A-NYC-CL2 virtual machines are running. If required, connect to the virtual machines. Log on to the virtual machines as Contoso\Administrator using the password Pa$$w0rd.

Important: Start the NYC-DC1 virtual machine first, and ensure that it starts fully before you start the other virtual machines.


Exercise 1: Installing and Configuring the App-V Client


Some users in Contoso, Ltd. do not connect to the LAN. You want to provide access to virtual applications for those users, and you want to install the App-V Client software, and then configure it for Stand-Alone mode. This enables those users to run their line-of-business (LOB) applications without having to install them on their laptops. The main task for this exercise is: 1. Install the App-V Client in Stand-Alone mode.

Task 1: Install the App-V Client in Stand-Alone mode


1. On NYC-CL2, open Windows Explorer, browse to \\NYC-DC1\E$\Labfiles\Mod07\Client\x86, and then launch Setup.exe.
2. Perform a custom installation of the App-V Client, accepting the defaults, with the following exceptions:
• Select I don't want to use Microsoft Update rather than using Microsoft Updates.
• On the Runtime Package Policy Configuration page, clear the Require User authorization even when cached check box.
• In the Application Authorization section, select the Allow streaming from file check box.
• In the Automatically Load Application section, under When to Auto Load, clear the On Launch and On Login check boxes.


Exercise 2: Installing a Stand-Alone Package


The sequencing team has created a stand-alone MSI file. You need to deploy and test the functionality of the stand-alone package that you will distribute to the field engineers who do not connect to the LAN. The main tasks for this exercise are:
1. Install a stand-alone package.
2. Examine the properties of the package file and the data locations.
3. Test the application.

Task 1: Install a stand-alone package

1. On NYC-CL2, open Windows Explorer, and then browse to \\NYC-DC1\E$\Labfiles\Mod07\.
2. Copy the Word03 folder to C:\.
3. In C:\Word03, double-click Wordviewer03.msi.

Task 2: Examine the properties of the package file and the data locations
1. Launch the Application Virtualization Client from the Administrative Tools in Control Panel.
2. In the Applications node, access the properties of the Microsoft Office Word Viewer 2003 application.
3. Click the Package tab, and then observe the Current Statistics:
   Question: What is the Package Size?
   Question: What is the Size in Cache?
   Question: What is the Launch Data Size?
4. Click Cancel, and then close the Application Virtualization Client and Control Panel.
5. Show hidden files and folders.
6. Open Windows Explorer, browse to the global data location at C:\ProgramData\Microsoft\Application Virtualization Client\SoftGrid Client, and then examine the contents.
   Question: What is the size of the sftfs.fsd file?
7. Navigate to the user-specific data location at C:\Users\Administrator.CONTOSO\AppData\Roaming\SoftGrid Client, and notice the shortcut_ex.dat and the userinfo.dat files. These files maintain per-user shortcut and identity information.
8. Close all open windows on NYC-CL2.

Task 3: Test the application


1. On NYC-CL2, launch Microsoft Office Word Viewer 2003 from the All Programs menu. A message will appear above the notification area indicating that Word Viewer is launching.
2. Click the Microsoft Application Virtualization Desktop Client Notification icon in the notification area, and then click Exit. Click OK to close the application.

To prepare for the next lab


When you finish the lab, revert the virtual machines to their initial state by completing the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Lesson 3

Managing Client Configuration Features

The App-V Client Management Console enables you to configure some aspects of the client, such as logging and permissions, and some settings of the virtual applications, such as file type associations and publishing servers. Though you can configure most of these settings from the server or through GPOs, the client settings allow you to have configurations for individual clients that might need special settings. This lesson describes how to configure App-V Client nodes.


Managing App-V Client Properties

Key Points
Although configuration of the client is done during the installation process, there may be times when you need to modify those settings. The property pages of the client software allow you to modify many of the client settings. You can access the properties from the root node's shortcut menu in the App-V Client Management Console. Six tabs in the Properties dialog box control the following settings:
• The General tab contains the following options:
    • Logging. This option controls logging levels and location of log files.
    • Global Data Directory. This option controls the location of the App-V data that all users share.
    • User Data Directory. This option controls the location of user-specific App-V data.
• The Interface tab:
    • Run Settings. This option controls when to show the App-V Client icon in the notification area.
    • Popup Messages. This option controls how or if to display error and information messages.
• The File System tab:
    • Client Cache Configuration Settings. This option controls the size of the client cache.
    • Drive Letter. This option controls the virtual drive letter used (Q by default).
• The Import Search Path tab. This option controls the SFT search path when you are importing applications.
• The Connectivity tab. This option controls disconnected operation values to limit the number of days allowed and if the user can work offline. If you allow offline mode, the App-V Client does not attempt to connect to streaming or publishing servers.
• The Permissions tab. This option controls the permissions that users have over virtual applications on this computer. These permissions are for all users, and you cannot assign them on a per-user basis. Administrators always can perform all tasks.


Managing Virtual Applications

Key Points
You can use the App-V Client Management Console to manage virtual applications in the client cache. The Applications node allows an administrator to view and manipulate the applications on the App-V Client. When you right-click the Applications node, a context-sensitive menu displays, which enables you to add a new application and export a list of applications to a text file. By right-clicking an application in the details pane, you can display a menu from which you can:
• Create new shortcuts to be associated with the application.
• Create a new file type association.
• Unload an application, which removes it from the client cache.
• Clear an application. Clearing an application removes the settings, shortcuts, and file type associations that correspond to the application and removes the application from the user's list of applications.
• Repair an application. Repairing an application will remove any custom user settings and restore default settings.
• Lock the application from being removed from the client cache.


Managing File Type Associations

Key Points
The File Type Association node allows you to view, add, and manipulate the file types on the App-V Client. When you select the File Types Association node, a list of available file types is displayed in the App-V Client Management Console Results pane. By right-clicking the node, you display a menu that allows you to add new file type associations and link them to applications. By right-clicking an existing file extension, you can delete an extension or modify the properties associated with that extension, including:
• Changing the icon
• Changing the associated application
• Creating or modifying launch parameters
• Modifying the Content Type


Managing Server Connections

Key Points
You can use the Desktop Configuration Servers node to create, delete, edit, and manually refresh the client's designated management server, known as a publishing server. By right-clicking the Desktop Configuration Servers node, you display a menu that allows you to add a new publishing server. A client can receive applications from multiple publishing servers simultaneously.

The New Publishing Server Wizard allows the administrator to provide a display name and type of publishing server. You can select the following types of publishing servers:
• Application Virtual Server. This selection uses port 554, by default.
• Enhanced Security Application Virtual Server. This is the default selection, and uses port 322.
• Standard HTTP Server. Uses port 80, by default.
• Enhanced Security HTTP Server. Uses port 443, by default.


Note: When selecting HTTP or HTTPS protocol, you must provide a folder path.

After you configure a server, you can modify the properties. You can modify all the properties that were configured during installation, and you can configure the server refresh setting. The desktop client queries the Management Server at intervals to receive information from the server about new applications or changes to existing applications, such as package upgrades. This process is known as DC Refresh. The client also uses this time to populate the host operating systems with the icons for those applications so that users can access them. You can configure the client to:
• Refresh at logon (default setting).
• Refresh every number of days.
• Manually refresh immediately.


Demonstration: Configuring a Publishing Server

Key Points
In this demonstration, you will see how to configure the App-V Client with a publishing server.

Demonstration steps:
1. Launch the App-V Client.
2. Add a new publishing server of the Application Virtualization Server type with the host name NYC-SVR2.contoso.com.


Configuring the App-V Client by Using a Command Line

Key Points
Sftmime.exe is a command-line interface that you can use to manage many client configuration settings. Sftmime operations are either commands or queries. Commands are actions that have some effect on the computer's state, such as a command that loads an application into the cache. Queries are requests for information that generate output. These commands are most useful in scenarios where you need to configure App-V Clients by using scripts.

Sftmime Commands
All commands have a similar structure. The sftmime command is followed by a verb, an object, and additional parameters. The following examples illustrate the more common uses for SFTMIME:

Remove all applications from cache, their file type associations, and shortcuts for all users:
sftmime remove obj:app /global /complete

Add applications:
sftmime add app:"MSProject" /osd "http://server/Microsoft SoftGrid Application Virtualization/MSProject.osd"

Load applications:
sftmime load app:"MSProject"

Sftmime Queries
All queries start by using the /query verb and are followed by an object type that identifies whether the query applies to applications, servers, or file type associations. You can use the available queries to list all applications, all Multipurpose Internet Mail Extensions (MIME) servers, and all file type associations. For example:

To find the package that you want to configure, run the following command:
sftmime query obj:package

This command returns each discovered package name as a globally unique identifier (GUID) in the first column of output. For example, the return might be {AF78ABE1-57D4-4297-89DE-C308684AEDD6}.

To list all the publishing servers the client is configured to use, run the following command:
sftmime query obj:server

To have the output of the command redirected to a file, use the /log parameter. For example, to have the query output of the previous command redirected to a text file in the C:\logs directory, run the following command:
sftmime query obj:server /log:C:\logs\serverquery.txt

Note: The command does not create the destination directory. You must create it prior to running the command.
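The two queries above can be wrapped in a script that creates the log folder first, since sftmime does not, and then pulls the package GUIDs out of the first column. This PowerShell is an added example, not code from the course or from Microsoft; the function names, the assumption that sftmime.exe is on PATH, and the second column of the sample line are hypothetical.

```powershell
# Added example (not from the course material). Runs the sftmime queries
# shown on this page with /log and extracts package GUIDs from the output.
# Function names, parameters and the sample lines are hypothetical.

function Invoke-AppVClientQuery {
    [CmdletBinding()]
    param(
        # Object types queried on this page.
        [ValidateSet('package', 'server')]
        [string[]] $Object = @('package', 'server'),

        [string] $LogDirectory = 'C:\logs',

        # Assumes sftmime.exe is on PATH; pass a full path otherwise.
        [string] $SftmimePath = 'sftmime.exe'
    )

    if (-not (Get-Command -Name $SftmimePath -CommandType Application -ErrorAction SilentlyContinue)) {
        throw "sftmime was not found at '$SftmimePath'."
    }

    # sftmime does not create the destination directory, so create it here.
    if (-not (Test-Path -LiteralPath $LogDirectory -PathType Container)) {
        New-Item -ItemType Directory -Path $LogDirectory -Force | Out-Null
    }

    foreach ($item in $Object) {
        # Produces serverquery.txt, packagequery.txt, as in the page's example.
        $log = Join-Path -Path $LogDirectory -ChildPath "${item}query.txt"
        & $SftmimePath query "obj:$item" "/log:$log" | Out-Null

        [pscustomobject]@{
            Query    = "sftmime query obj:$item"
            ExitCode = $LASTEXITCODE
            LogFile  = $log
            Written  = Test-Path -LiteralPath $log -PathType Leaf
        }
    }
}

function Get-AppVPackageGuid {
    param([string[]] $Line)

    # A GUID in braces at the start of the line (first column of the output).
    $pattern = '^\s*(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})'
    foreach ($text in $Line) {
        if ($text -match $pattern) {
            $Matches[1].ToUpperInvariant()
        }
    }
}

# Constructed sample of query output. Only the GUID in column one follows the
# page; the rest of each line is made up for illustration.
$sampleOutput = @(
    '{AF78ABE1-57D4-4297-89DE-C308684AEDD6}  constructed-second-column',
    'a line without a package GUID'
)
Get-AppVPackageGuid -Line $sampleOutput
```

On a client, pass the contents of the package log to Get-AppVPackageGuid with Get-Content to compare the cached packages against an expected list.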


What Is the App-V ADM Template for Group Policy?

Key Points
You can use the Microsoft App-V ADM template to configure client settings for the App-V Desktop Client and for the App-V Client for Remote Desktop Services. The ADM template manages common client configurations centrally by using the existing Group Policy infrastructure. The template allows you to configure 37 different registry settings that affect the App-V Client. These settings fall into three categories, and common settings are grouped together under the following categories in the template's Group Policy Editor:
• Communication
• Permissions
• Client Interface


Although the settings appear in the Policies container in the Group Policy Management Editor, you implement the ADM template for App-V as Group Policy preference settings. Preferences behave differently than policies in Group Policy objects. Preferences do not make permanent registry changes, which means that users can change the settings either by editing the registry or by using the application. Also, even if you remove the GPO, the settings are not removed.

Setup Considerations
After you apply the ADM template, it updates the preference settings of client computers that already have the App-V Client installed. However, if you install the App-V Client after you apply the ADM template settings to a computer, the installer overwrites the preference settings from the ADM template with the installer's default settings. This causes inconsistencies between clients. You can implement an optional switch during the client setup to ensure that the template preferences do not overwrite the registry settings:

setup.exe KEEPCURRENTSETTINGS=1
msiexec.exe /i setup.msi "KEEPCURRENTSETTINGS=1"

Note: Parameters are case-sensitive and must be entered all in uppercase letters, as the above example shows. Additionally, you must enclose all parameter values in double quotes.

Implementing the App-V ADM Template


You must download the App-V ADM template from the Microsoft download site, and then install it separately. To deploy settings using the App-V Client ADM template, you need to complete the following steps:
1. Download the ADM Template MSI file from http://go.microsoft.com/fwlink/?LinkId=121835.
2. Install the ADM Template by choosing a location to extract the ADM files.
3. Add the extracted ADM Template into a GPO by right-clicking on Administrative Templates, clicking Add/Remove Templates, and specifying the location of the ADM files.


What Is Autoload?

Key Points
Autoload governs how the primary (Feature Block 1) and secondary (Feature Block 2) sections of an application are delivered to the client. Normally, the primary feature block streams and provides the code to launch an application initially. This usually represents only 10 to 30 percent of the application's code. Feature Block 2, which is the rest of the application's code, downloads only in parts on demand. You can configure the client to ensure that after Feature Block 1 downloads, the client continues to stream Feature Block 2 in the background until the application is 100 percent in cache.

The autoload feature is especially useful for mobile clients and other clients that might not have constant communications with the management or streaming server. Use of autoload triggers can increase the initial network traffic of SFT streaming following an installation. Autoloading occurs over Real-Time Streaming Protocol (RTSP), and is set as a lower priority process so that it does not affect or degrade performance for the user. Feature Block 1 is loaded as quickly as possible. Feature Block 2 is loaded in the background to enable foreground operations to take priority and to provide optimal performance.


You can implement autoload for the App-V Client in any of the following ways:
• By using the client installation wizard during the installation.
• By using parameters while you run the installer manually.
• By editing the registry after you install the client.
• By using the Sftmime command-line utility.
• By using a Group Policy object that utilizes the App-V template.

Autoload Options
You can configure autoload to load the application on the following triggers:
• On Launch. Background streaming begins when the application launches for anything outside of the primary feature block.
• On Login. User-authorized applications start background streaming when the user logs on.
• On Publishing Refresh. A new application that is granted to the user begins streaming in the background following the periodic publishing refresh.

You can control the applications that will be affected by autoload by using the following options:
• Do not automatically load applications. No applications will be loaded.
• Automatically load previously used applications. Applications previously assigned to the user, and which a user launched previously, will autoload into the cache via background streaming.
• Automatically Load all applications. All applications assigned to the user will be loaded into the cache via background streaming.


Lab B: Managing Client Configuration Features

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Ensure that the 10324A-NYC-DC1, 10324A-NYC-SVR2, and 10324A-NYC-CL1 virtual machines are running.
3. If required, connect to the virtual machines. Log on to the virtual machines as Contoso\Administrator using the password Pa$$w0rd.


Exercise 1: Configuring the App-V Client Properties


You have installed the App-V Client software as a default installation. You are now required to use the App-V Client Management Console to configure the properties of the client to meet your organization's needs. You need to configure the log files to record errors and store them in the Windows\Logs directory. You also want to configure the App-V Client icon to display continuously in the notification area, and then limit the disconnected mode to 120 days. Additionally, you need to configure the client cache to use all but 5 GB of the available hard disk space and set permissions so that any user can manage the publishing server. The main tasks for this exercise are:
1. Access the App-V Client properties.
2. Configure logging levels and locations.
3. Configure the App-V Client properties.

Task 1: Access the App-V Client properties


On NYC-CL1, open the Application Virtualization Client, and then access the Properties dialog box of the root node.

Task 2: Configure logging levels and locations


1. On the General tab, click the drop-down arrow under Log Level, and select Error.
2. Beside the Location field, click Browse, and then browse to C:\Windows\Logs. Click Save, and then click Apply.

Task 3: Configure the App-V Client properties


1. On the Interface tab, configure the App-V Client icon to show continuously in the notification area.
2. On the File System tab, set the minimum free space to be 5,000 MB.
3. On the Connectivity tab, set the disconnected limit to be 120 days.
4. On the Permissions tab, allow all users to manage publishing servers.


Exercise 2: Configuring a Publishing Server for the App-V Client


After configuring client properties, you need to configure the App-V Client to connect to the App-V Management Server over RTSP. You want to make sure that the client is refreshing from the management server correctly. During your testing period, you want the DC Refresh policy to take effect on login and refresh every two hours. You also must refresh the client manually. This enables the client to remain current on the policy changes that you want to test. The main tasks for this exercise are:
1. Add a new publishing server for the App-V Client.
2. Configure the DC Refresh settings, and then refresh the client manually.

Task 1: Add a new publishing server for the App-V Client


Right-click the Publishing Server node, and then add a new server with the following parameters:
• Display Name: Contoso App-V Management
• Type: Application Virtualization Server
• Host Name: NYC-SVR2

Task 2: Configure the DC Refresh settings, and then refresh the client manually
1. On NYC-CL1, in the Publishing Servers node, access the Contoso App-V Management properties, and then click the Refresh tab.
2. Set the refresh interval to be every 2 Hours.
3. Click Refresh to perform an immediate refresh.


Exercise 3: Configuring Applications by Using the Desktop Client


You are required to observe how the application behaves in the client cache. You also need to configure a custom file extension for a LOB application. In this exercise, you will inspect the properties of the application package, load the application into the client cache, and then see the effect on the cache. You also will create a new file type association, and then test it by creating a test file with an extension. The main tasks for this exercise are:
1. Inspect the properties, and then load the application into the cache.
2. Create a custom file extension.
3. Test the file extension.

Task 1: Inspect the properties, and then load the application into the cache
1. On NYC-CL1, in the Application Virtualization Client, click the Applications node. Notice the current Package Status is Idle.

   Note: You may have to refresh the view to see the application listed.

2. Open the Properties of the Microsoft Word Viewer application, and answer the following questions:
   Question: What is the Package Size?
   Question: What is the Launch Data in Cache?
   Question: What is the Launch Data Size?
3. Load the package into the client cache.
4. Access the Properties of the application again.
   Question: What is the Launch Data in Cache?
   Question: What is the Launch Data Size?


Task 2: Create a custom file extension


1. Create a new file type association named ABC.
2. Associate the extension with the Microsoft Word Viewer application.
3. Click the File Type Associations node, and notice that the ABC file extension is now listed and associated with the Microsoft Office Word Viewer application.

Task 3: Test the file extension


1. On NYC-CL1, start a command prompt.
2. Type fsutil file createnew test.abc 1000 to create a new file.
3. Start Windows Explorer, and then navigate to C:\Users\Administrator.Contoso. Notice that the file has been created and shows the icon of Microsoft Office Word Viewer.
4. Open the Test.abc file. The file opens in Microsoft Word Viewer application.
5. Close all open windows on NYC-CL1.


Exercise 4: Installing and Configuring Settings by Using the Group Policy App-V Template
You want to be able to control all App-V Client configuration in a centralized fashion. To do this, you have downloaded the App-V Group Policy template from the Microsoft download site. You now plan to install it, and then add it to the GPO to test the configuration of App-V Clients. As a test, you will grant users permission to add applications. The main tasks for this exercise are:
1. Install the App-V Group Policy template.
2. Add the template to the Group Policy Object Editor of the Default Domain Policy.
3. Grant permission to add applications to all users.

Task 1: Install the App-V Group Policy template


On NYC-DC1, open Windows Explorer, browse to E:\Labfiles\Mod07, and install AppVADMTemplate.msi.

Task 2: Add the template to the Group Policy Object Editor of the Default Domain Policy
1. On NYC-DC1, start the Group Policy Management Console.
2. Edit the Default Domain Policy.
3. Add C:\AppVADMTemplate\AppVirt.adm to the Administrative Templates.

Task 3: Grant permission to add applications to all users


1. In the Group Policy Management Editor, navigate to Administrative Templates > Classic Administrative Templates (ADM) > Microsoft Application Virtualization Client > Permissions.
2. Enable the Add Application permission.
3. Switch back to NYC-CL1.
4. On NYC-CL1, use GPupdate to refresh Group Policy.
5. Start the Application Virtualization Client.
6. In the Application Virtualization Client, access the root node properties.
7. Click the Permissions tab, and then note that the Add applications check box is now checked, which grants users this permission.

To prepare for the next lab


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machines used in this lab, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Module Review and Takeaways

Review Questions
1. Where should the user-specific data location be for roaming users?
2. What is the major difference between the two client installer files: Setup.exe and Setup.msi?
3. What command-line utility allows you to query the client?
4. What is the ASR value used for?


Common Issues Related to Implementing Application Virtualization


Issue: Mobile users are unable to run virtual applications when they are not connected to the LAN.
Troubleshooting tip:

Issue: The App-V Client cannot stream the application.
Troubleshooting tip:

Issue: The App-V Client receives a Failure on Desktop Configuration Server request to URL error. Event ID 3131.
Troubleshooting tip:

Real-World Issues and Scenarios


Your organization has multiple applications that typically are incompatible on the same computer. Your field engineers need to run these applications, but they seldom connect to the corporate LAN. Your company deploys App-V applications to users on the LAN. What possible solutions are available for the field engineers?

Best Practices Related to Implementing Application Virtualization


Use the App-V Client for Remote Desktop Services to alleviate application compatibility issues on RD Session Host servers.
Use the App-V Client for Remote Desktop Services to ensure that all packages preload into the cache to improve performance.
The App-V Client for Remote Desktop Services should allow unlimited use of disconnected operation mode.
Ensure that the client cache is large enough to handle the applications being assigned to the user. If you do not scale the cache properly, then the users can experience application failures when they disconnect.
If you do not use the default virtual drive letter, ensure the drive letter you choose is consistent across clients.
Deploy the App-V ADM Template settings after installing the App-V Clients.


Module 8
Managing and Administering Application Virtualization
Contents:
Lesson 1: Using the Application Virtualization Management Console
Lesson 2: Publishing Applications into the App-V Environment
Lab A: Publishing Applications in the App-V Environment
Lesson 3: Performing Advanced Administration Tasks for Application Virtualization
Lab B: Implementing License Enforcement


Module Overview

After you deploy the Microsoft Application Virtualization (App-V) infrastructure, you should be able to manage and administer the App-V solution by using the Application Virtualization Management Console. This console enables you to control the entire App-V environment from a single workstation. You deploy the Application Virtualization Management Console on the administrative workstation, and then use it to perform administrative tasks, such as modifying and publishing virtualized applications, and configuring version upgrades. This module provides an overview of the Application Virtualization Management Console and the permissions that users must have to administer the App-V Management Server. The module also covers the steps you must take to perform these administrative tasks, and how to enforce license compliance and manage server groups and server objects.


Lesson 1

Using the Application Virtualization Management Console

You can perform all tasks related to Application Virtualization management and administration in the Microsoft Management Console (MMC) snap-in called the Application Virtualization Management Console. As an administrator, you would need to manage applications, packages, servers, users, and administrators, and you may have to create policies to configure connection settings and application access for users. The Application Virtualization Management Console provides several features and functionalities that you can use for performing these administrative tasks. This lesson provides an overview of the console and explains how to control administrative access, and describes the functionality and administrative functions that the console provides.


Connecting the Management Console to the App-V Web Service

Key Points
The Application Virtualization Management Console is the main configuration tool for the App-V environment. The Management Console does not connect directly to the App-V Management Server. Rather, it connects to the Web service, which in turn connects to the computer that is running the Microsoft SQL Server database and the Management Server. To perform any administrative tasks, you first must connect to the Web service with the proper credentials. You can configure how users must connect to the local App-V Web service in several ways:
On initial startup of the App-V Management Console.
By configuring the connection in the root node of the Management Console.
By using the Configure Connection link on the Management Server object.


When you first start the Application Virtualization Management Console, it prompts you to connect to a specific App-V Web service. You can host this Web service on a specific server, or configure it on multiple servers for load balancing and redundancy. The Web service in turn connects to the configuration database. Users can connect to the Web service by using a standard HTTP port such as 80, or by using Secure HTTP (HTTPS) on 443 for a secure connection. We recommend that you use secure connections between these components. To connect to the Web service using HTTPS, you need to obtain a Secure Sockets Layer (SSL) certificate, and bind it to the Web service. Users making this connection must be members of the App-V Administrators Group, or provide the login credentials of one of the group's users. The following table summarizes the connection options:

Option: Value
Web Service Host Name: Specifies the IP address or host name of the App-V Web service to which the snap-in connects.
Use Secure Connection: Specifies that the Management Console's connection to the Web service be over a secure connection. Port 443 is the default port.
Port: This field specifies the port number to which the Web service listens for requests from the Management Console. Port 80 is the default port.
Use Current Microsoft Windows Account: Specifies that the credentials of the currently logged-on user will be used to connect to the Web service.
Specify Windows Account: Specifies that account credentials entered in the Name and Password fields will be used when opening the Management Console session.
Name: Specifies the account name that is authorized to access the Web service. The format is Domain\username.
Password: Specifies the password that authorizes the account identified in the Name field, which provides access to the Web service.


Exploring the Application Virtualization Management Console

Key Points
The Console pane in the Application Virtualization Management Console consists of several default containers that display existing objects, and that provide access to object properties and wizards that assist in creating additional objects. The Application Virtualization Management Console contains the following nodes:
Applications. This node displays a list of applications that are available within the Application Virtualization system. You can use this node to create application groups; create or import new applications; and move, copy, or duplicate applications to other virtualization management systems.
File Type Associations. This node displays a list of file type associations. You can use this node to add new file type associations that applications require.
Packages. This node displays a list of packages configured on the App-V system. You primarily will use this node when you need to introduce a new version (.sft file) for a specific package or application.
Application Licenses. You can use this node to configure application access based either on a specific number of concurrent users or by specific user names.
Server Groups. You can use this node to create a logical container and grouping of any App-V servers that should share a common provider policy, logging configuration, and a set of virtualized applications.
Provider Policies. You can use this node to configure general rules for any user connecting to the Application Virtualization system. The Application Virtualization system initially configures a default provider to provide default connection settings for clients.
Administrators. You can use this node to add or remove security groups responsible for App-V system administration.
Reports. You can use this node to create and view various types of reports related to system utilization and application activity.


Managing App-V Administrators

Key Points
You can use the App-V Administrators container to view the group that is responsible for App-V system administration. You specify this group during installation. You also can add or remove security groups from this container. If the Active Directory Domain Services (AD DS) domain functional level is Windows Server 2003 or newer, you can use any security group. If the domain functional level is earlier than Windows Server 2003, you can use Global Groups only. You might have situations where you need to reset the security groups that you want to allow to manage the App-V system. For example, if you delete the security group that the App-V Administrators container specifies from within AD DS, no one would be able to log onto the Management Console. In this situation, you must reset the App-V Administrators group.


To reset the App-V Administrators group, you can launch the Management Console, right-click Application Virtualization Systems, and then click Reset Administrators to launch the Reset Administrators Wizard. You must provide database connection information to the configuration database. You then can add or remove security groups to provide the necessary administration permissions for the App-V system.

Question: Can you assign an individual to be an App-V administrator through the App-V Management Console?


Configuring System Options

Key Points
You can control certain system-wide options by right-clicking the Server container in the Application Virtualization Management Console. These options include the Default Content Path, Database sizing controls, and Usage History.

Default Content Path: This option allows you to set the default Universal Naming Convention (UNC) share or URL location for .osd and .icon files, which specify application records and file-type associations. For example, a default content path can be \\SERVERNAME\ContentSharePath or HTTP://SERVERNAME/content. App-V uses the Default Content Path when you import or copy applications from another system.

Note: If you use the actual physical path to the content share, such as C:\Content, or if you specify nothing at all, your published applications will not work.


Database Size: The App-V system has the ability to limit the size to which the database can grow. The default maximum size is 1024 megabytes (MB), but you can set this value to be between 1 MB and 2,147,483,647 MB. The database contains configuration information and stores usage information for the App-V infrastructure. The following is a list of App-V Infrastructure operations that use the database:
Publishing refreshes
Application load
Application launch authorization
Server management console
Application usage data collection and metering

Most of these operations place a small load on the SQL server. The growth rate of the database is dependent on the number of application launches and the amount of reporting information that you are collecting. You will have to monitor the database over time to determine the correct values when limiting database size.

The system automatically cleans up obsolete data and orphaned transactions to ensure that your database does not reach this size limit. The default high watermark is 95 percent of the defined size, and the default low watermark is 85 percent. When your database reaches the 95-percent mark, the system deletes 10 percent of the usage data, and leaves 85 percent of the data. The system deletes both package and application usage data.

Usage History: You can specify how many months' worth of data you wish to keep. On a monthly basis, the database ensures that it retains data only from the number of months that you specify. It deletes the rest. The default specification is set to six months, but you can configure it to be anywhere between one and 120 months.

Note: You must set the SQL Server Agent to start automatically if you want to enable management of the database's size. By default, App-V begins the database sizing action on the first of every month at 02:00.


Planning an App-V Management Strategy

Key Points
When planning your App-V management strategy, there are several factors regarding credentials and connections that you should consider, including:
Credentials. Determine the credentials that a user must provide to connect to the Web service. You must use an account that has App-V management rights, but you should avoid using a domain administrator account.
Connection. Determine whether you need to use a secure connection to the Management Console. If so, you must consider the strategy for deploying SSL certificates. Typically, you should use secure connections.
Security groups. Determine the security groups that require App-V administrative rights. Ensure that the proper users are in the security groups that have the administrative rights. Only use accounts that have enough rights to perform the required tasks.
Content path and protocol. Ensure that the content path is correct and uses the proper protocol. Ensure you use a UNC or URL, and not a local path. Consider using a storage area network (SAN) that has room for expansion to hold the content folder, which can become very large as you deploy hundreds or thousands of applications.


Demonstration: Connecting and Configuring the App-V Console

In this demonstration, you will see how to connect the Application Virtualization Management Console to the App-V Web service. You then will see how to use the Management Console to configure system options and to add Domain Admins as App-V administrators.

Demonstration steps:
1. Launch the Application Virtualization Management Console.
2. Configure the Connection Login Credentials.
3. Configure the System Options settings.
4. Add the Domain Admins group as an App-V Administrator group.


Lesson 2

Publishing Applications into the App-V Environment

One of the primary App-V administrative tasks is to publish virtualized applications so that you can make them available to authorized clients. When you publish virtualized applications, the client software can discover the virtual application, and then download it to the client computer. To publish an application, you first need to import it into the App-V system, and then you must configure various options, including general properties, shortcut options, file type associations, and access permissions. This lesson explains how to manage application groups, and how to publish applications into the virtualized environment.


What Is the Applications Container?

Key Points
The first container in the Application Virtualization Management Console is the Applications container. For an administrator, this is one of the most important and most utilized containers. You use the Applications container to either manually add or import applications into the virtualization system, so that authorized users can access them. To add a new application manually, you need to provide detailed publishing information about the application to the New Application wizard. The import function uses the Sequencer Project (SPRJ) file or the Open Software Descriptor (OSD) file to provide that information about the application. You also can use the Applications container to view, add, remove, or change properties for any application within the system. By default, an application record for the default application populates the Applications container. You use this free application only to test connectivity between the App-V Client and the App-V Server.


As organizations begin to use the Application Virtualization system, the number of applications can easily reach the triple digits. At that scale, you need a way to organize those applications logically within the Application Virtualization Management Console. You can use the New Application Group Wizard to create containers that can store common application types. These containers act like folders in the file system and simply allow you to organize applications into a more manageable format. When you import or move applications into a specific application group, you can modify the following group properties, which affect all of the group's applications:
Description
Enabled
Application License Group
Server Group
Shortcuts
Access Permissions

If you delete an application group, this deletes all applications within that group. If you do not want to delete a specific application, you can right-click the application, and then move or copy it to another application group or to a different Application Virtualization system. When you delete an application, App-V does not remove the package that references the application. Therefore, you have to delete the package specifically to remove all traces of the previous application.

Note: Even when you use application groups, you must provide unique names to all applications imported into the Application Virtualization system. For example, if you have one application group called Office 2003, and another application group called Office 2007, only one of these groups can contain an application called Microsoft Word. However, each group could have its own Microsoft Word application if the applications were each given a unique name, such as Microsoft Word 2003 and Microsoft Word 2007.


Considerations for Importing Applications

Key Points
When you import an application, you must verify that the .osd path matches the server\content directory. If the path in the .osd file is incorrect, the App-V client software cannot locate the application's .sft file. If you specify a system variable for the server name, you need to configure each client to resolve the variable. A system variable is useful for configuring the placement of a single package on multiple servers. In this case, you do not have to modify the .osd file to specify a specific server name. By using the system variable, you easily can change the name of the streaming server on the client computers if that becomes necessary.

Note: You can set the %SFT_SOFTGRIDSERVER% variable in the system properties of the client or through Group Policy preferences.
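
The .osd path check described above, and the earlier warning that a local path such as C:\Content breaks published applications, can be scripted. The following PowerShell is an added example, not part of the course material; it assumes the App-V 4.x .osd layout (SOFTPKG/IMPLEMENTATION/CODEBASE with an HREF attribute), and the function name, the sample folder and the two sample .osd documents are constructed for illustration.

```powershell
# Added example, not course material. Assumes the App-V 4.x .osd layout
# SOFTPKG/IMPLEMENTATION/CODEBASE with an HREF attribute.

function Test-OsdCodebase {
    param(
        [Parameter(Mandatory = $true)][string]$OsdXml,      # text of one .osd file
        [Parameter(Mandatory = $true)][string]$ContentRoot  # local folder behind the content share
    )

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($OsdXml)
    $codebase = $doc.SelectSingleNode('/SOFTPKG/IMPLEMENTATION/CODEBASE')
    if ($null -eq $codebase) { throw 'The .osd has no SOFTPKG/IMPLEMENTATION/CODEBASE element.' }

    $href = $codebase.GetAttribute('HREF')
    $findings = @()
    $usesVariable = $false
    $sftFound = $false

    if ($href -match '^(?<scheme>rtsps?|https?)://(?<server>[^/:]+)(?::\d+)?/(?<path>.+)$') {
        # Copy the captures first: every later -match overwrites $Matches.
        $scheme  = $Matches['scheme'].ToLower()
        $server  = $Matches['server']
        $relPath = $Matches['path']

        $usesVariable = $server -match '^%.+%$'
        if (-not $usesVariable) {
            $findings += "Server name '$server' is hard-coded; moving the package means editing the .osd."
        }
        if ($scheme -eq 'rtsp' -or $scheme -eq 'http') {
            $findings += "Protocol '$scheme' carries the package without TLS."
        }
        # The path after the server name is relative to the content directory.
        $sftPath = Join-Path $ContentRoot ($relPath -replace '/', '\')
        $sftFound = Test-Path -LiteralPath $sftPath -PathType Leaf
        if (-not $sftFound) { $findings += "No file at '$sftPath'; clients cannot load the package." }
    }
    elseif ($href -match '^(?:file://)?(?<unc>\\\\[^\\]+\\.+)$') {
        # UNC form: test the share path directly.
        $uncPath = $Matches['unc']
        $sftFound = Test-Path -LiteralPath $uncPath -PathType Leaf
        if (-not $sftFound) { $findings += "No file at '$uncPath'; clients cannot load the package." }
    }
    elseif ($href -match '^[a-z]:\\') {
        $findings += 'HREF is a local path; each client would look on its own disk. Use a UNC path or URL.'
    }
    else {
        $findings += "HREF '$href' is not in a form this check recognises."
    }

    New-Object PSObject -Property @{
        Href               = $href
        UsesServerVariable = $usesVariable
        SftFound           = $sftFound
        Findings           = $findings
    }
}

# Constructed sample input: a throwaway content folder and two .osd documents.
$root = Join-Path ([System.IO.Path]::GetTempPath()) 'appv-content-sample'
New-Item -ItemType Directory -Force -Path (Join-Path $root 'Word03') | Out-Null
Set-Content -Path (Join-Path $root 'Word03\Word03.sft') -Value 'placeholder'

$good = @'
<SOFTPKG GUID="00000000-0000-0000-0000-000000000001" NAME="Word03" VERSION="1.0">
  <IMPLEMENTATION>
    <CODEBASE HREF="rtsps://%SFT_SOFTGRIDSERVER%:322/Word03/Word03.sft" />
  </IMPLEMENTATION>
</SOFTPKG>
'@

$bad = @'
<SOFTPKG GUID="00000000-0000-0000-0000-000000000002" NAME="Word03" VERSION="1.0">
  <IMPLEMENTATION>
    <CODEBASE HREF="C:\Content\Word03\Word03.sft" />
  </IMPLEMENTATION>
</SOFTPKG>
'@

foreach ($osd in $good, $bad) {
    Test-OsdCodebase -OsdXml $osd -ContentRoot $root |
        Format-List Href, UsesServerVariable, SftFound, Findings
}
```

To audit a real content share, pass the text of each .osd file under the share as -OsdXml and the share's local folder as -ContentRoot.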


You can publish shortcuts on the user's desktop, Quick Launch toolbar, Start menu, Send To menu, or a specific location. Users typically are familiar with these shortcuts. The location for shortcuts is something that you should discuss and determine with your stakeholders.

During the Application Sequencing task, App-V detects file associations automatically. You can, however, add or remove specific file associations when you are importing the application. You first need to determine the file type associations that you want to use with the application, including any custom associations for extensions that you do not specify in the sequenced application.

Access permissions are applied based upon the Active Directory security group membership. You should determine who needs access to the application, and then create a specific application-based security group. For example, if you import Microsoft Word 2007 as an application, you may want to create a global security group called Microsoft Word 2007 Users. You may need to create new groups in AD DS to accommodate this. Consider using role-based groups to define who should have access to specific applications. Remember that there are no levels of permission. Either users have the ability to use the application, and all of its features, or they do not. You cannot place restrictions on application usage through App-V permissions.


Process for Importing Applications

Key Points
When you publish applications, you first must import them from the Content shared folder into the Application Virtualization Management Console. This populates the database with the application's configuration information. The New Application Wizard walks you through the steps to provide the information required for publishing the application. After you sequence an application, you must complete the following tasks to import the application into the App-V system:
Copy the package to the content location: You must copy the entire sequenced package to the shared content location, which you configured in the System Options of the Application Virtualization Management Console. Make sure that all of the package's files are in the same location as the .sprj file.
Import the .sprj or .osd file using the New Application Wizard: When you import an application, you can select the .sprj file or the .osd file. The .sprj file contains the information required to import a single sequenced application or a suite of sequenced applications. The .osd file, which you can import directly, contains only information about a single application.

Note: When you import a suite of applications by importing the .sprj file, the suite is not enabled by default. However, when you import a single application (by .sprj or .osd), it is enabled by default.


Options for Configuring Published Applications

Key Points
During the import process, App-V imports a number of configuration settings automatically, such as the Open Software Description (OSD) path and file associations. You can modify these options during or after the import process. You also can configure other options, such as the server or license group. You can modify the configuration settings of individual applications after you import them. Do this by accessing their properties through the Management Console. The Properties dialog box has four tabs with the following options:

The General tab allows you to specify the following:
Version identifier
Enabled checkbox
Description field
OSD Path
Icon Path
Application License Group (no group is specified by default)
Server Group (no group is specified by default)

The Shortcuts tab allows you to publish shortcuts to any or all of the following:
Publish to User's Desktop
Publish to User's Quick Launch Toolbar
Publish to User's Send To Menu
Publish to User's Start Menu (Default selection)
Advanced: other specific locations

The File Associations tab allows you to add, edit, or remove file associations. This tab is not available for application group properties.

The Access Permissions tab allows you to add or remove user groups that have access to the application. You cannot grant permissions directly to individual users. You must assign them to AD DS security groups. There are no different levels of permissions to an application. Either you allow users to use the application or you do not.


Demonstration: Importing and Configuring an Application

Key Points
In this demonstration, you will see how to import a sequenced application into the App-V system. You then will see how to create an application group, and move the application into the new group. Finally, you will examine the properties of the published application.

Demonstration steps:
Import a sequenced application
1. Copy the sequenced application to the content folder.
2. Launch the Application Virtualization Management Console. Notice that the Default Application is preinstalled. You can use it for testing connections between client and server. Additionally, the Microsoft Word Viewer 2007 application currently is published.
3. Import the Word03 sequenced application from the C:\Content directory. Review the settings in the General Information tab.
4. Publish a shortcut to the user's desktop.
5. Keep the default file associations.
6. Grant permission to Domain Users.

Create an application group and move the viewer applications into the new group
1. Create an application group named Office Viewers.
2. Move both of the Microsoft Office Word Viewer applications into the Office Viewers group.

Examine the properties
1. Open the properties of the Office Viewers group, and review the configurable properties.
2. Modify permissions so that only the AppVUsers group has access.

Question: Which property page is unavailable for the Application Group properties?


What Is a Package?

Key Points
A package is the output of the sequencing process. A package in the Packages node is a representation of the virtual application, and it contains information about the relative path in the content folder and the version of the .sft file. You can use packages to control virtualized application versions, which you use for client computer Active Upgrades. When you import an application into the Applications container by referencing a .sprj or .osd file, App-V creates a new package automatically in the Packages node of the Management Console, with a version number of 1. The package's name follows the name of the .sft file. However, App-V replaces the .sft extension with the word Package. For example, if an application's .sft file is named Excel.sft, then the package that App-V generates is named Excel_Package. If you create a new application record without using the Import Applications feature, you need to create a package manually for the application by referencing the .sft file in the New Package Wizard.


Upgrading and Retiring Virtual Applications

Key Points
Over time, you might need to upgrade most applications. Distributing the upgrades to multiple users typically is a time-consuming and expensive process. App-V simplifies that process by allowing the sequencing engineer to upgrade the application, and then seamlessly distribute an updated .sft file to the users as a new version of the package.

Active Upgrade
Active Upgrade refers to the functionality that allows you to upgrade a package seamlessly without requiring users to disconnect or Virtual Application servers to restart. When you upgrade a package by using the Add Version process, App-V adds a version identifier automatically to the resulting .sft file. For example, if the package's .sft file were named Microsoft_Office_2003.sft before the upgrade, the package's .sft file would be called Microsoft_Office_2003_2.sft after you complete the package upgrade.


You must perform the following steps to add a new package version and make it available for Active Upgrade:
1. Apply the upgrade, and then resequence the application.
2. Copy the new .sft file to the same Content share as the existing package's .sft file.
3. In the Application Virtualization Management Console, right-click the package name, and then select Add Version.
4. Enter the full path to the .sft file.
5. Enter the relative path from the Content share to the .sft file.
6. Verify that the information is correct to finish the upgrade.

Any user who has an active connection to the previous .sft file continues to receive data from that file until the user disconnects. Any user who makes a new connection to the application in the package receives the updated data from the new .sft file version.

Note: Users do not lose any specific applications when an upgrade occurs.

Retiring Virtual Applications


You can use the Application Virtualization Management Console to retire packages that you are not using. After you are certain that a package version no longer is being used, you can remove the package by going into the Application Virtualization Management Console, deleting the package version record, and then removing the .sft file from the content folder on each system.

Question: How would standalone App-V clients receive upgraded applications?

Publishing Applications by Using HTTP

Key Points
Publishing virtual applications does not always require an App-V full infrastructure. You can use an Internet Information Server (IIS) to publish applications over HTTP. This solution only provides publishing features, such as DC Refresh. Because there is no SQL database collecting the information, it does not provide the full set of features that the App-V management server provides, such as usage history, reporting, licensing and metering.

Note: It is possible to create customized HTTP solutions that collect and use information stored in corporate databases or AD DS to deploy applications to users intelligently.

Preparing the IIS Server


You must install IIS with the following role services:
- Common HTTP Features: Select all except HTTP redirection
- Application Development
- Health and Diagnostics: HTTP logging and Request Monitor only
- IIS 6 Management Compatibility
- Security: All authentication options
- Management Tools

You must create a virtual directory under the Default Web site that points to the Content shared folder, and then enable Directory Browsing and Read permissions. You also must configure the following MIME types:
- .OSD: application/softricity-osd
- .SFT: application/softricity-sft
- .SPRJ: application/softricity-sprj

Note: If you are using SSL, then the appropriate certificates must be generated and installed on the server.

What Is the Publishing Document?


The Publishing Document is an .aspx page that the App-V client connects to in order to send its request for applications. This document is a single XML file that contains the publishing information associated with each application, including its shortcuts, file type associations, and Dynamic Data Exchange (DDE) entries. The document consists of a single parent section that contains two child sections: the Policy section and the Applist section.

The Policy section allows you to specify the Publishing Refresh frequency, in minutes, and a Boolean that determines whether a publishing refresh occurs when the user first logs in. All of the application-specific publishing information is placed in the Applist section. App-V takes this information directly from the manifest files that were generated by the Sequencer. The Applist section should contain all the information from all of the applications that you wish to publish using this method. When complete, App-V places the publishing document in the root of the Content shared folder and serves it to requesting App-V clients.

Configuring the App-V Client


You can configure the App-V client in the same way as an App-V management or streaming server. The publishing server in the client software is configured as a Standard (or Secure) HTTP Server where the hostname is the name of the Web server and the path is /name-of-publishing-document.aspx, for example, /Publishing.aspx.

Lab A: Publishing Applications in the App-V Environment

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Ensure that the 10324A-NYC-DC1, 10324A-NYC-SVR2, and 10324A-NYC-CL1 virtual machines are running.
3. If required, connect to the virtual machines. Log on to the 10324A-NYC-DC1 and 10324A-NYC-SVR2 virtual machines as Contoso\Administrator using the password Pa$$w0rd.
4. Do not log on to 10324A-NYC-CL1 until directed to do so.

Exercise 1: Configuring System Options


Scenario
As the first step in publishing applications by using the Application Virtualization Management Console, you need to connect to the App-V Web Service, and then configure the system options. To do this, you are required to use the domain administrator credentials. You then can configure the default content path and the options for database usage.

The main tasks for this exercise are:
1. Connect to the App-V Web service.
2. Configure the default content path and the duration for database usage.

Task 1: Connect to the App-V Web service


1. On NYC-SVR2, start the Application Virtualization Management Console.
2. Configure the Web service connection to use Contoso\Administrator with a password of Pa$$w0rd for the Login Credentials.

Task 2: Configure the default content path and the duration for database usage
1. Open System Options, and ensure that the UNC path \\NYC-SVR2\Content is specified.
2. Set the duration for database usage for 12 months.

Results: After this exercise, you should have changed the login credentials for the App-V Web service, and then confirmed the default content path and set the database to retain its history for 12 months.

Exercise 2: Managing App-V Administrators


Scenario
You need to grant administrative access to the Domain Admins group so that they can publish and test applications in the App-V environment. To grant administrative rights to the security group, you need to use the Application Virtualization Management Console.

The main task for this exercise is:
1. Grant administrative access to the Domain Admins group.

Task 1: Grant administrative access to the Domain Admins group


Use the Application Virtualization Management Console to add the Domain Admins group as App-V administrators.

Results: After this exercise, you should have granted administrative access to the Domain Admins security group.

Exercise 3: Publishing and Configuring an Application


Scenario
You have users who need to support certain clients by running the old Word Viewer version from the Microsoft Office 2003 suite. The sequencing group has sequenced the application. To publish this legacy application, you need to copy the sequenced application to the Content shared folder, and then import the application into the management console. You should configure the application to be available to all domain users. You then must create and populate an application group, and then modify and test the permissions for the applications.

The main tasks for this exercise are:
1. Copy the sequenced application to the Content Shared folder.
2. Import the sequenced application to the Management Console.
3. Create an Application Group.
4. Move the Microsoft Office Viewer applications into the group.
5. Modify permissions for the Application Group.

Task 1: Copy the sequenced application to the Content Shared folder


On NYC-SVR2, open Windows Explorer, navigate to \\NYC-DC1\E$\Labfiles\Mod08, and then copy the Word03 folder to the C:\Content folder.

Task 2: Import the sequenced application to the Management Console


Import the C:\Content\Word03 application into the Application Virtualization Management Console, and accept the default settings, except for the following:
- Publish the shortcut to the user's desktop.
- Grant access to the Domain Users and the AppVUsers groups.

Task 3: Create an Application Group


Create a new application group named Microsoft Office Viewers.

Task 4: Move the Microsoft Office Viewer applications into the Application Group
Move the Microsoft Office Word Viewer 2003 and the Microsoft Word Viewer from the Applications node into the Microsoft Office Viewers group.

Task 5: Modify permissions for the Application Group


1. Open the properties of the Microsoft Office Viewers group, and then remove permission from the Domain Users group.
2. Verify that the AppVUsers group has permission.

Results: After this exercise, you should have added a sequenced application to the content folder and imported the application. You also should have created an application group, and populated it. Lastly, you should have modified the permissions of the application group.

Exercise 4: Verifying Application Permissions


Scenario
After publishing the virtualized application, you need to test its functionality in the App-V system. You have installed the App-V client software on a Windows 7 computer, which you will use to test the App-V environment and permissions on the applications. You will log on to NYC-CL1 as a user in the AppVUsers group, and then ensure that the published applications are present. You then will log on as a test user that does not have permission to the viewer applications, and ensure they are not available.

The main task for this exercise is:
1. Test permissions for users.

Task 1: Test permissions for users


1. Log on to NYC-CL1 as Contoso\AppVUser1 with a password of Pa$$w0rd.
2. Ensure the icons for both Microsoft Office Viewers appear on the desktop. Log off NYC-CL1.
3. Log on as Contoso\ruser with a password of Pa$$w0rd.
4. Ensure the icons for the Microsoft Office Viewers do not appear on the desktop. Log off NYC-CL1.

Results: After this exercise, you should have verified the functionality of the virtual applications by testing user permissions.

Important: Keep the virtual machines running for the next lab.

Lesson 3

Performing Advanced Administration Tasks for Application Virtualization

In some organizations, you may need to track application usage or enforce licensing. This helps the organization to comply with license regulations for applications, and can reduce costs if an organization does not have to license applications that users are not using. You can use provider policies to configure user connection settings and to apply license enforcement. The App-V Server provides a number of advanced administration settings that you can configure to manage server connections and application licenses. This lesson describes how you can manage server connections by using Provider Policies and Server Groups. This lesson also explains what an Application License is, and how you can use it to monitor or control the use of applications that are streamed within the virtualized environment.

What Are Provider Policies?

Key Points
Provider policies specify a set of rules that you apply to users that are connecting to virtualized applications. As connections come into the Server Group (Provider), the server appends several rules (Provider Policy) to the connection. If the user's connection does not specify a custom provider policy, the system applies the rules of the default provider policy. To create a new provider policy, use the New Provider Policy Wizard. The following table describes the wizard's options, which also are available when you modify an existing provider policy.

Note: After creating a new provider policy, you must restart the Application Virtualization Management Server service.

Provider Policy Properties


Field: Description

- Policy Name: A descriptive name for the policy.
- Manage Client Desktop Using the Management Console: Specifies that App-V will apply the Application Virtualization Management Console settings defined for application shortcuts and file-type associations to all clients. If there are conflicting settings at the client, then the server's settings will take precedence. This is selected by default.
- Refresh Desktop Configuration when a user logs on: Specifies that an App-V Client will contact the App-V Server for updated desktop-configuration information whenever the user logs on.
- Refresh Configuration every n days: Specifies that an Application Virtualization Client will refresh desktop configuration information at the defined interval. Intervals can be set for a specified number of days, hours, or minutes.
- Group Assignment: Designates the AD DS groups that will be assigned to the policy.
- Authentication: Allows you to configure an authentication method. Windows Authentication is the only available method by default. The current user that is logged on will pass his credentials to the App-V server. If the credentials fail, the Alternate Credentials dialog box will display.
- Enforce Access Permission Settings: Specifies, when selected (the default), that access to all applications will be resolved against Access Permissions configured under the application record.
- Log Usage Information: Specifies, when selected, that a metering module is enabled in the Provider Policy to measure user sessions from start to normal end (application ended by client), or abnormal end (application ended by server). The logged information also contains which server and applications were used.
- Licensing: Specifies, when selected, that a licensing module is enabled in the Provider Policy to track or grant licenses (default is not selected). The following license types are available:
  - Audit License Usage Only: Will not prevent a user from launching an application if the specified maximum license quantity is reached.
  - Enforce License Policies: Will require every user who makes a connection by using the Provider Policy to have an available and valid license for the application in order to launch it.

Important: You must configure applications to use custom provider policies by modifying the hypertext reference (HREF) tag in the application's .osd files. For example, if your custom provider policy is named Sales, you would modify the HREF tag in the .osd file of the application as illustrated here:
HREF="rtsp://sgserver:554/Excel.sft?Customer=Sales"
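The check below is an added example, not code from the course or from App-V. It reads the CODEBASE HREF of an .osd file and reports which provider policy the Customer parameter selects, whether the stream uses plain RTSP rather than RTSPS, and whether the server name is fixed in the file. The sample .osd is constructed and reduced to the SOFTPKG, IMPLEMENTATION and CODEBASE elements the check reads; the finding codes and the list of expected policy names are assumptions of the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a minimal .osd reduced to the elements this check reads.
# The GUID values are placeholders, not taken from a real package.
SAMPLE_OSD = """<?xml version="1.0" standalone="no"?>
<SOFTPKG GUID="00000000-0000-0000-0000-000000000001"
         NAME="Microsoft Office Excel Viewer" VERSION="12.0.6219.1000">
  <IMPLEMENTATION>
    <CODEBASE HREF="RTSP://NYC-SVR2:554/Excel/Excel.sft?Customer=Licensed"
              GUID="00000000-0000-0000-0000-000000000002"/>
  </IMPLEMENTATION>
</SOFTPKG>
"""

PLAINTEXT_SCHEMES = {"rtsp", "http"}   # rtsps and https carry the stream over TLS

# Hypothetical finding codes used only by this example.
FINDINGS = {
    "PLAINTEXT_STREAM": "package is streamed without TLS",
    "DEFAULT_POLICY": "no Customer parameter, so the default provider policy applies",
    "UNKNOWN_POLICY": "Customer names a provider policy that is not in the expected list",
    "HARDCODED_SERVER": "server name is fixed in the file instead of %SFT_SOFTGRIDSERVER%",
}


def parse_codebase_href(href):
    """Split a CODEBASE HREF into scheme, host, port, package path and the
    provider policy named by the Customer parameter (None when absent)."""
    parts = urlsplit(href.strip())
    host, sep, port = parts.netloc.rpartition(":")
    if not sep:                        # URL carries no explicit port
        host, port = parts.netloc, ""
    policy = parse_qs(parts.query).get("Customer", [None])[0]
    return {
        "scheme": parts.scheme,        # urlsplit lower-cases the scheme
        "host": host,
        "port": int(port) if port.isdigit() else None,
        "package": parts.path.lstrip("/"),
        "policy": policy,
    }


def audit_osd(osd_xml, known_policies):
    """Return a list of (parsed HREF, finding codes) for each CODEBASE element."""
    results = []
    for codebase in ET.fromstring(osd_xml).iter("CODEBASE"):
        info = parse_codebase_href(codebase.get("HREF", ""))
        codes = []
        if info["scheme"] in PLAINTEXT_SCHEMES:
            codes.append("PLAINTEXT_STREAM")
        if info["policy"] is None:
            codes.append("DEFAULT_POLICY")
        elif info["policy"] not in known_policies:
            codes.append("UNKNOWN_POLICY")
        if "%" not in info["host"]:
            codes.append("HARDCODED_SERVER")
        results.append((info, codes))
    return results


if __name__ == "__main__":
    # Policy names the administrator expects to exist on the server.
    expected = {"Licensed", "Office_Viewers"}
    for info, codes in audit_osd(SAMPLE_OSD, expected):
        print(info)
        for code in codes:
            print("  %s: %s" % (code, FINDINGS[code]))
```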

Question: You have created a new provider policy and associated it with an application. Now certain users cannot access the application. What area might you troubleshoot to resolve this issue?

Demonstration: Creating a New Provider Policy

Key Points
In this demonstration, you will see how to create a new provider policy.

Demonstration steps:
1. In the Application Virtualization Management Console, use the New Provider Policy Wizard to create a new policy named Office_Viewers.
2. Add the AppVUsers group as the Group Assignment.
3. Set licensing to be Enforce License Policies.
4. Restart the Application Virtualization Management Server service.

Question: Can you describe scenarios where you would want to use a custom Provider Policy with which users can connect?

What Are Server Groups?

Key Points
A Server Group is a logical collection of App-V servers. You can use Server Groups to provide a common Provider policy, and configure logging properties of all servers that are members of the group. Most organizations only have one server group, the Default Server Group. However, an organization that consists of multiple physical sites can create a server group that represents each site. For example, your organization may have multiple physical locations that contain App-V servers. To ensure that each server does not log information over the wide area network (WAN) connection, you can create a Server Group for each location, and then configure each Server Group to log only information to a local computer that is running SQL Server.

You can manipulate the characteristics of all servers in a Server Group by using three property pages. The configuration settings are available in the following tabs:
- General. Use to set the default Provider policy for the Server Group, and to enable or disable the Server Group.
- Logging. Use to control how App-V Servers record their information within the virtualization system. There are two ways to store usage information: logging to a file or logging to a SQL Server database. The recommended method is to allow the default behavior, which is to log to the data store's SQL Server database.
- Applications. Use to view which applications belong to this Server Group. You also use it to verify the Enabled or Disabled status of applications. This tab is for informational purposes only.

What Are Server Objects?

Key Points
For every App-V Server that you install, App-V creates a matching server object in the Server Group that you specified during installation. This is the Default Server Group. The App-V Server object provides several property pages to configure the characteristics of the specified App-V Server, including:
- General. Use to provide the Domain Name System (DNS) host name of the App-V Server.
- Ports. If you need to change any of the default port values for application virtualization, you need to make this change on the Ports tab. Changing any of the values on this page requires a restart of the App-V service. If you also require that any .sft files streamed over a network connection must be encrypted with a Transport Layer Security (TLS) header, you need to add the Real-Time Streaming Protocol Secure (RTSPS) protocol, and associate an available SSL/TLS certificate to the Server object. The default RTSPS port is 322.
- Advanced. From the Advanced tab, you can change how the selected Virtual Application Server utilizes system resources, including random access memory (RAM) and CPU. You would use this tab only for advanced configuration of the App-V system.

What Is License Enforcement?

Key Points
License enforcement provides you the ability to create an application license that is stored in the Application Virtualization data store. Every time a user attempts to launch an application, the system queries the data store for an available license. If a license is available, the user can launch the application. However, if there is no available license, the application reports Launch Failed, and an error message displays that indicates that there is no available license.

The Application Licenses node in the Application Virtualization Management Console provides the ability to create Application License Groups. Application License Groups contain generic application licenses, and are not application-specific. Therefore, you might apply one Application License Group to multiple applications, although typically, you create most with specific application requirements in mind.

Licensing control in App-V refers to licenses that you create within the App-V system. These license options have no impact on license agreements, such as Microsoft Software License Terms, but typically are tied logically to the number of end user licenses that the company has purchased.

You can create and assign the following types of licenses to virtualized applications:
- Unlimited License. This enables any number of users to have simultaneous access to the applications that have been associated with the license. Unlimited License Groups can be effective in evaluating the number of licenses that the organization would need for an application. When used in conjunction with reporting, Unlimited Licensing can assist in purchasing decisions.
- Concurrent License. This permits a limited number of users to have simultaneous access to applications that have been associated with the concurrent license. Concurrent License Groups are the most common type of licensing implemented on virtualized applications. For example, even in an enterprise-size organization, only a select number of users need to run a specialized drafting program. Between the different shifts that the employees work, a maximum of 10 employees will run that application at any one time. For this situation, you could create a Concurrent License Group to limit the maximum number of simultaneous launches of that application to 10. The system refuses any additional people who attempt to launch the application, and an error appears indicating that there are no more licenses available.
- Named License. This permits only explicitly named users to have access to an application associated with the license. For example, an organization has a sales group within AD DS that assigns permissions to several general-use applications, including a management database program. However, only certain individuals within that sales group should actually be able to run this management application. You could create a Named License Group, and specify only those individuals who should run it. If a user is not in the license, and then attempts to launch the application, the system refuses the user.
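The launch decision described in this topic, combined with the Licensing setting of the provider policy, is shown below as a small model added for illustration; it is not App-V code. Assumptions of the model: a license is held per user rather than per session, Audit License Usage Only never refuses a launch and only records it, and all class, function and log names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class LicenseGroup:
    """One Application License Group as the lesson describes it."""
    name: str
    kind: str                                   # "unlimited", "concurrent" or "named"
    quantity: int = 0                           # concurrent groups only
    named_users: frozenset = frozenset()        # named groups only
    holders: set = field(default_factory=set)   # users holding a license now

    def __post_init__(self):
        # Windows account names are case-insensitive, so compare folded names.
        self.named_users = frozenset(u.casefold() for u in self.named_users)

    def has_free_license(self, user):
        user = user.casefold()
        if self.kind == "unlimited":
            return True
        if self.kind == "concurrent":
            return user in self.holders or len(self.holders) < self.quantity
        if self.kind == "named":
            return user in self.named_users
        raise ValueError("unknown license kind: %s" % self.kind)


def launch(group, user, licensing, usage_log):
    """Decide one launch request.

    licensing is the provider policy's Licensing setting as modelled here:
    "off", "audit" (Audit License Usage Only) or "enforce" (Enforce License
    Policies). Returns True when the application may start.
    """
    if licensing == "off":
        return True
    available = group.has_free_license(user)
    if licensing == "enforce" and not available:
        usage_log.append((user, group.name, "refused"))    # client sees Launch Failed
        return False
    group.holders.add(user.casefold())
    usage_log.append((user, group.name, "granted" if available else "over-license"))
    return True


def end_session(group, user):
    """Return the user's license to the group when the application closes."""
    group.holders.discard(user.casefold())


if __name__ == "__main__":
    log = []
    # Named license with the values used in Lab B of this module.
    excel = LicenseGroup("Excel Users", "named", named_users={r"Contoso\AppVUser1"})
    for account in (r"Contoso\AppVUser2", r"Contoso\AppVUser1"):
        print(account, launch(excel, account, "enforce", log))

    # Concurrent license: the drafting-program case with a limit of 10.
    drafting = LicenseGroup("Drafting", "concurrent", quantity=10)
    started = [launch(drafting, "user%d" % i, "enforce", log) for i in range(11)]
    print("launches allowed:", started.count(True))
    for entry in log[-2:]:
        print(entry)
```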

Question: What type of license would be appropriate when distributing an application to all employees with a volume license agreement in place?

Demonstration: Creating and Enforcing Licenses

In this demonstration, you will see how to create a concurrent license, and then associate it with an application. You also will see how to enforce it through the default provider policy.

Demonstration steps:
1. Open the Application Virtualization Management Console, and then use the New Concurrent License Wizard to create a new Application License Group named Word_Viewer_2003.
2. Provide the following description: Allows 25 concurrent users. Set the Concurrent License Quantity to 25.
3. In the Applications node, access the properties of Microsoft Office Word Viewer 2003, and set the Application License Group to be the Word_Viewer_2003 group. Modify the .osd file to use the Office_Viewers provider policy.

Features of App-V Reporting

Key Points
The Reports node in the App-V management console allows you to generate a variety of different reports about usage and system error tracking. You can generate report information by querying the App-V SQL database. Reports do not run automatically. You must run each report explicitly. You can create the following types of reports by running the New Report wizard:
- System Utilization Report. Graphs the total daily usage, to help you determine the load on your application virtualization system. Usage is reported by day of the week and hour of the day.
- Software Audit Report. Lists the usage information during the reporting period for all applications defined in the database to help you determine which applications are the most heavily used. The report provides information about the number of sessions and the number of times an application was used.
- Application Utilization Report. Tracks usage information for a specified application to help you determine how heavily a specific application is used.
- System Error Report. Tracks the number of errors and warnings logged over time during the specified reporting period for the specified server or server group.

Note: The amount of usage reporting data available is dependent on how long you elect to retain usage history in the database. You can configure that in the App-V System Options. For example, if you want to track one year of usage data, then the database must keep at least one year of usage history.

After you create a report, the management console displays the output. You can export the report to either PDF format or to a Microsoft Office Excel spreadsheet.

Creating a Report
Run the New Reports wizard from the Reports node of the management console. You must provide the following information to the wizard:
- Report Name
- Report Type (The remaining information required by the wizard will depend on the selection.)
- Report period
- Server name
- Application

Lab B: Implementing License Enforcement

Lab Setup
For this lab, you will use the available virtual machine environment that should be running from Lab A. Before you begin the lab, you must:
1. Ensure that the 10324A-NYC-DC1, 10324A-NYC-SVR2, and 10324A-NYC-CL1 virtual machines are running.
2. If required, connect to the virtual machines. Log on to the 10324A-NYC-DC1 and 10324A-NYC-SVR2 virtual machines as Contoso\Administrator using the password Pa$$w0rd.
3. Do not log on to 10324A-NYC-CL1 until directed to do so.

Exercise 1: Publishing an Application


Scenario
Contoso, Ltd., wants you to use license enforcement to control the number of users who can access virtual applications. Before you can implement license enforcement, you need to import and publish an application for testing purposes. You decide to publish the Microsoft Excel viewer application.

The main tasks in this exercise are:
1. Copy a sequenced application to the Content folder.
2. Publish Microsoft Excel Viewer.

Task 1: Copy a sequenced application to the Content folder


On NYC-SVR2, open Windows Explorer, and then copy the \\NYC-DC1\E$\Labfiles\Mod08\Excel folder to C:\Content.

Task 2: Publish Microsoft Excel Viewer


1. Open the Application Virtualization Management Console, and then import the Excel project file into the applications node.
2. Publish a shortcut to the user's desktop and to a Start menu folder called Excel.
3. Grant permission to AppVUsers.

Exercise 2: Creating a License Group


Scenario
The first step in license enforcement is to create a license group. To test license enforcement, you decide to create a new named license for a specific test user, and then assign that license to the Excel Viewer application.

The main tasks in this exercise are:
1. Create a new named license.
2. Assign the license group to an application.

Task 1: Create a new named license


On NYC-SVR2, create a new named license with the following parameters:
- Name: Excel Users
- License Description: Excel Named License
- Enable: Selected
- Named License User: Contoso\AppVUser1

Task 2: Assign the license group to an application


In the Properties dialog box for the Microsoft Office Excel Viewer, assign Excel Users as the Application License Group.

Exercise 3: Creating a New Provider Policy


Scenario
The management team at Contoso, Ltd., wants you to associate license policies with certain applications. You must create a new provider policy that will enforce the license restrictions. Additionally, you must restart the App-V Management Server whenever you create a new provider policy, and you must modify the .osd file of the application to indicate to the application that it is subject to the new policy.

The main tasks in this exercise are:
1. Create a new provider policy.
2. Restart the service.
3. Modify the Excel .osd file to use the new provider policy.

Task 1: Create a new provider policy


Create a new provider policy with the following parameters:
- Policy Name: Licensed
- Manage client desktop using the Management Console: Enabled
- Refresh desktop configuration when a user logs in: Enabled
- Group Assignment: AppVUsers
- Authentication: Windows Authentication
- Enforce Access Permission Settings: Enabled
- Log Usage Information: Enabled
- Licensing: Enforce License Policies

Task 2: Restart the service


Restart the Application Virtualization Management Server service.

Task 3: Modify the Excel .osd file to use the new provider policy
1. On NYC-SVR2, open Windows Explorer, and then browse to C:\Content\Excel.
2. Use Notepad to modify the Microsoft Office Excel Viewer 12.0.6219.1000.osd file as follows:
HREF="RTSP://NYC-SVR2:554/Excel/Excel.sft?Customer=Licensed"
3. Save and close the file.

Exercise 4: Testing License Enforcement


Scenario
As part of the proof-of-concept testing, you will test the application against two test users in the AppVUsers group to ensure that App-V is enforcing your license restriction properly.

The main task in this exercise is:
1. Test license enforcement.

Task 1: Test license enforcement


1. Log on to NYC-CL1 as AppVUser2 using the password Pa$$w0rd, and then attempt to start the published copy of Microsoft Office Excel Viewer. Notice that you are not able to start the application. Click OK, and then log off.
2. Log on to NYC-CL1 as AppVUser1 using the password Pa$$w0rd, and attempt to start the published copy of Microsoft Office Excel Viewer. Notice that the application starts as expected.

To prepare for the next lab


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machines used in this lab, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

Module Review and Takeaways

Review Questions
1. An administrator has accidentally deleted the AD DS security group that is managing the Application Virtualization servers. What can you do to address this issue?
2. You would like to import an application that your Sequencing Engineer has provided. What are the standard configuration settings that you need to consider?
3. Describe scenarios where you would want to use a custom Provider Policy with which users can connect.

Common Issues Related to Managing Virtual Applications


Identify the causes for the following common issues related to managing virtual applications, and then fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue: Management console on the App-V server is unable to connect to itself by computer name, but succeeds by 'localhost' or IP Address
Troubleshooting tip:

Best Practices Related to Publishing Applications


Supplement or modify the following best practices for your own work situations:
- Consider setting the %SFT_SOFTGRIDSERVER% system variable on clients. Even if you only have a single streaming server today, in the future, you may scale out the implementation to include other streaming servers.
- Use application groups to simplify administration. Application groups allow the configuration of settings to easily be applied to all the applications in a group.
- Use license groups to track application usage or enforce policies.

Module 9
Sequencing Applications for Virtualization
Contents:
Lesson 1: Overview of Application Sequencing
Lesson 2: Planning and Configuring the Sequencer Environment
Lesson 3: Performing Application Sequencing
Lesson 4: Advanced Sequencing Scenarios
Lab: Sequencing Applications for Virtualization


Module Overview

To use applications in a Microsoft Application Virtualization (App-V) solution, you must first package them into a form that can run in a virtualized environment. You can create these application packages by using the App-V Sequencer. You can sequence applications that you plan to deploy by using the App-V infrastructure or stand-alone installation. By using App-V sequencing, you create a set of files that contain all the information that the application requires to run in a virtual environment. The App-V Sequencer provides several packaging options that you can choose based on your specific requirements. This module describes how to install and configure the App-V Sequencer to create application packages. The module also describes how to upgrade existing packages and create stand-alone packages.


Lesson 1

Overview of Application Sequencing

The App-V Sequencer collects information from the Microsoft Windows installation procedures, and converts the files, registry information, and .ini files into a cohesive package. In many environments, application developers who are familiar with the applications carry out the sequencing process. As an App-V administrator, you likely will have to troubleshoot App-V deployments, so you need to understand the sequencing process. It can help you determine whether a problem lies in the configuration of the implementation or occurred during the sequencing process. This lesson describes the functionality of the App-V Sequencer and the features of a virtual environment, and explains how virtual environments communicate.


What Is the App-V Sequencer?

Key Points
The App-V Sequencer is a wizard-based software application that you can use to create Microsoft App-V application packages. You can then deploy these packages to App-V-enabled desktops and Remote Desktop servers. The Sequencer captures an application's installation, and then organizes the application's unique data so that it can operate in the App-V environment. This process also determines the files and data that are applicable to all users and the information that users can customize. The software allows the sequencing engineer to determine what makes up Feature Block 1, and provides the ability to add files, add registry settings, associate file types, and perform many other tasks on the application package.


The sequencer also creates logical divisions in the application's program data, so that an App-V Streaming Server can stream the application in chunks to an App-V Client. Optionally, the sequencer can package applications as a self-contained Microsoft Installer package, a .msi file, which you can then deploy via an electronic software distribution (ESD) system such as Systems Management Server (SMS) or System Center Configuration Manager. To use the App-V Sequencer effectively, you must understand how to configure and deploy your applications.

Note: App-V Sequencer Release 4.6 is now available. This release supports 64-bit platforms, and it can sequence both 32-bit and 64-bit applications. You can sequence applications on 32-bit systems, and then run the applications on 64-bit systems, and vice versa.


Overview of the Sequencing Process

Key Points
Sequencing is the process of creating a version of an application that can run in a virtual environment on a client computer. You can use special sequencing software to record the installation steps and the files that the application uses. You can use that information to create a package that you can stream down to software on the client computer. You run sequenced applications (packages) in virtual environments that software creates on the client computer. The virtual environment controls all the communication between the application and the operating system. You can run multiple virtual environments with each environment hosting its own virtual application.


The sequencing process is broken down into five steps:
1. The Sequencer monitors an application's standard installation process. The standard setup routine installs files and registry settings, configures environment variables, registers dynamic-link libraries (DLLs), and performs other steps. Additionally, the Sequencer records any changes to the system.
2. The Sequencer then creates a virtual environment, and loads the application into it, along with all information that was recorded during the installation phase.
3. If the application is large, you can stream it in multiple chunks of code that the App-V Streaming Server delivers to the client on demand. To do this, you must start the application and perform the most common tasks to determine what the minimal startup requirements are for the application. After the Sequencer determines which bits are required to start the application, it packages these application bits into Feature Block 1, which is the minimum amount of data necessary to start an application and perform the most common tasks. Therefore, you only need to transfer Feature Block 1 from the App-V Server to the App-V Client when you initially run the application. As users access additional application features, App-V streams the bits required to execute those features in the background as additional Feature Blocks.

Note: If you do not launch the application at all during this phase, the entire application becomes Feature Block 1. This means App-V streams the entire application down to the client and caches it. This usually is not desirable for large applications.

4. You can now package the virtual application, and create the supporting files. These include the .sft file that holds the application data, and the .ico file that is a capture of the application's default icon. Additionally, the .sprj, .osd, and .xml files provide information about the application.
5. You then move all of these files to the App-V server, which imports the application for distribution.

Question: What does Feature Block 1 include?


Components of a Sequenced Application

Key Points
A sequenced application is a collection of files that the sequencing process generates, which includes five major files:
- The .sft file contains the sequenced Windows application. The file must be located on each server that will stream applications. An .sft file can contain multiple applications, for example, a suite of applications such as Microsoft Office.
- The .sprj file is an XML-based text file that contains parse items and exclusions for application suites, and which manages multiple .osd files. For example, Office 2007 contains multiple applications, each with its own .osd file, and each with possible additional requirements. You can specify these requirements as exclusions and parse items in the .sprj file. If this file does not import with the application, it may cause issues such as file conflicts or missing information.

Note: A parse item is the Virtual File System equivalent of an actual directory. For example, an application may install a DLL file to the System32 directory. During sequencing, the Sequencer intercepts the DLL file and places it in the package's virtual drive folder. When the application later makes a call for that DLL file to the System32 directory, it parses the call, and then redirects it to the Virtual File System.

- The .ico files are icon files that are used for application shortcuts to provide a consistent end-user experience. When a user double-clicks an icon as they normally would, the .ico file initiates the .osd file, which in turn causes the application to load on the App-V Client.
- The .osd file provides information necessary to launch the application, such as the protocol to use and the streaming server that holds the .sft file. Each application requires an .osd file.
- The Manifest.xml file stores information required for the App-V Streaming Server to stream applications. You would use Streaming Servers in branch-office deployment scenarios where it is not feasible to deploy a complete App-V infrastructure. The Manifest.xml file informs the App-V Client where to find the sequenced application.

Question: Which file provides information about the .sft file's location?


Overview of the Dynamic Suite Composition

Key Points
Dynamic Suite Composition (DSC) allows virtual environments to communicate with each other. This eliminates the need to sequence dependent applications with every primary application that requires them. For example, in previous versions of App-V (formerly known as Microsoft SoftGrid Application Virtualization), if an application had a dependency such as the Java Runtime Environment, you would have to sequence that dependent application with every primary application that required it. DSC is an App-V feature that enables you to sequence applications separately from the plug-ins and the middleware applications they rely on, while still using the virtual resources, such as file system and registry settings, in the virtual environment. The packages run and interact with one another as if they were all installed locally on a computer. The primary package also assumes the entire virtual environment of the secondary package, including the virtual file system.


The following steps provide an overview of the DSC process:
- Sequence the primary application on a clean sequencer, which is a sequencer on which unnecessary applications are not installed. After you package the primary application, you reset the sequencer to a clean state.
- Install the primary application on the sequencer in the normal fashion. This is important because the secondary application might use APIs or registry entries from the primary application.
- Sequence the secondary application.
- Modify the primary application's .osd file to define the dependency. Create the DEPENDENCIES tag under the VirtualEnv\Policies tag of the .osd file, then copy and insert the CODEBASE tag from each secondary package you need to define for the primary package. You will need the HREF, globally unique identifier (GUID), and SYSGUARDFILE elements. The MANDATORY element determines whether the primary application requires the secondary application. The DSC process forms a CODEBASE tag for each secondary package at sequencing time with the information required to define the dependency. You will have to remove the unnecessary properties in the tag. The following sample code shows an example of the resulting section of the primary application's .osd file with a dependency on a secondary application named Midware.

    <VIRTUALENV TERMINATECHILDREN="FALSE">
      <POLICIES>
      </POLICIES>
      <DEPENDENCIES>
        <CODEBASE HREF="RTSP://%SFT_SOFTGRIDSERVER%:554/midware/midware.sft"
                  GUID="06DCD3EF-1D70-4282-A117-2241BE970C27"
                  SYSGUARDFILE="midware\osguard.CP"
                  MANDATORY="TRUE"/>
      </DEPENDENCIES>
      <ENVLIST/>
    </VIRTUALENV>

- Publish both applications.
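The edits described in the .osd step (HREF, GUID and SYSGUARDFILE present, unnecessary properties removed, a valid MANDATORY value) can be checked mechanically before the packages are published. The following is an added example, not part of the course material; the function name, the wording of the findings, and the second and third sample fragments are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

REQUIRED = {"HREF", "GUID", "SYSGUARDFILE"}   # named in the course text
ALLOWED = REQUIRED | {"MANDATORY"}            # MANDATORY is the optional flag
GUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")

# The course's own sample fragment (dependency on the Midware package).
GOOD_FRAGMENT = r"""
<VIRTUALENV TERMINATECHILDREN="FALSE">
  <POLICIES>
  </POLICIES>
  <DEPENDENCIES>
    <CODEBASE HREF="RTSP://%SFT_SOFTGRIDSERVER%:554/midware/midware.sft"
              GUID="06DCD3EF-1D70-4282-A117-2241BE970C27"
              SYSGUARDFILE="midware\osguard.CP" MANDATORY="TRUE"/>
  </DEPENDENCIES>
  <ENVLIST/>
</VIRTUALENV>
"""

# Constructed: a CODEBASE tag pasted without cleanup (leftover properties,
# truncated GUID, no SYSGUARDFILE, invalid MANDATORY value).
COPIED_UNEDITED = r"""
<VIRTUALENV TERMINATECHILDREN="FALSE">
  <DEPENDENCIES>
    <CODEBASE HREF="RTSP://%SFT_SOFTGRIDSERVER%:554/midware/midware.sft"
              GUID="06DCD3EF-1D70-4282-A117" FILENAME="midware.exe"
              SIZE="1024" MANDATORY="YES"/>
  </DEPENDENCIES>
</VIRTUALENV>
"""

# Constructed: attribute quotes lost, as happens when a tag is copied from a document.
UNQUOTED_FRAGMENT = "<VIRTUALENV TERMINATECHILDREN=FALSE> <DEPENDENCIES/> </VIRTUALENV>"


def lint_dependencies(virtualenv_xml):
    """Return a list of findings for the DEPENDENCIES block; empty means clean."""
    try:
        root = ET.fromstring(virtualenv_xml.strip())
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]

    deps = root.find(".//DEPENDENCIES")
    if deps is None:
        return ["no DEPENDENCIES element found"]
    entries = deps.findall("CODEBASE")
    if not entries:
        return ["DEPENDENCIES contains no CODEBASE entry"]

    findings = []
    for index, entry in enumerate(entries, start=1):
        label = "CODEBASE #%d" % index
        present = set(entry.attrib)
        for name in sorted(REQUIRED - present):
            findings.append("%s: missing %s" % (label, name))
        for name in sorted(present - ALLOWED):
            findings.append("%s: leftover attribute %s" % (label, name))
        guid = entry.get("GUID")
        if guid is not None and not GUID_RE.match(guid):
            findings.append("%s: GUID is not in 8-4-4-4-12 hex form" % label)
        mandatory = entry.get("MANDATORY")
        if mandatory is not None and mandatory.upper() not in ("TRUE", "FALSE"):
            findings.append("%s: MANDATORY must be TRUE or FALSE" % label)
    return findings


if __name__ == "__main__":
    for name in ("GOOD_FRAGMENT", "COPIED_UNEDITED", "UNQUOTED_FRAGMENT"):
        print(name, lint_dependencies(globals()[name]) or "clean")
```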


Lesson 2

Planning and Configuring the Sequencer Environment

The Application Sequencer is capable of detecting the smallest change in the Windows environment. Therefore, it is very important that you follow proper steps when planning the Sequencer's environment. If extraneous elements such as antivirus scans, which do not belong in the sequenced environment, get included in the sequencing process, the application might not function correctly when you deploy it. This lesson provides details about the Sequencer hardware and software requirements, and describes the best practices for configuring the sequencer environment. The lesson also describes the most common ways of configuring the Sequencer.


Requirements for Installing the Sequencer

Key Points
The sequencer should reflect the computing environment of the computers to which you plan to deploy the applications. If the majority of computers run the Windows XP Service Pack 3 (SP3) operating system, you should configure the sequencer to run the same operating system.

Hardware Requirements
The hardware requirements for the App-V sequencer are very basic and generally reflect the hardware on the computers to which you will deploy the virtual applications. The minimum requirements are:
- A Pentium III 1 gigahertz (GHz) or higher CPU, and either a 32-bit or a 64-bit processor. The sequencing process is a single-threaded process, and it does not take advantage of dual processors.
- 1 gigabyte (GB) or more of random access memory (RAM).
- A physical drive designated to represent the virtual drive. This can also be a partition on a single drive. The drive letter assigned on the workstations where you install the Application Virtualization Sequencer should match the drive letter assigned to the Application Virtualization Client. This is usually drive Q.

You also have the option of hosting the sequencer on a virtual machine. This can affect the sequencer performance, but you can revert the virtual machine to a base state very quickly.

Software Requirements
- Windows XP SP2 or newer
- Windows Vista Business, Enterprise, or Ultimate
- Windows 7 Professional, Enterprise, or Ultimate


Best Practices for Installing the Sequencer

Key Points
When you configure the sequencing computer, there are a number of considerations:
- Always use a clean operating system install.
- The sequencer should match the computers to which you will deploy the application. For example, if the typical client in the enterprise is running Windows XP with SP3 and Office 2007, the sequencer should match that configuration.
- Sequence to the lowest operating system version used in the target environment. If your client computers run multiple operating systems at various service pack levels, and it is not practical to sequence the applications multiple times, sequence to the lowest common denominator. However, there is no guarantee that an application sequenced on one operating system functions as expected on a different operating system. For example, if you know that an application does not function on Windows 7, then it will not work to sequence it on Windows XP and deploy it to Windows 7.
- Do not install monitoring agents, antivirus software, or any other software that runs background tasks. These types of programs interact with the operating system core components and can alter the results of the sequencing operation, thus affecting the package.
- Reset the environment after you create each package. Create the sequencer image again, or if you use a virtual machine, reset the virtual machine.


Typical Configuration for the Sequencer

Key Points
You should sequence applications on the lowest operating system version in the environment. For example, if the environment is currently running Windows XP and Windows Vista, you should base the sequencer's configuration on Windows XP. There is no guarantee that an application that you sequence on an older operating system will function correctly on a newer one. However, applications that function correctly on both operating systems should function correctly when you virtualize them on the older system. You can mount the application package on a drive other than drive Q when the client is using it. However, you should maintain consistency throughout the environment. If an application hard-codes a path into its configuration during setup, this can cause problems if the drive letter defined for the client differs from the one used during sequencing.


To avoid problems with long file name references in applications, you must use the 8.3 naming convention for the package root directory. For example, when you install Microsoft Office, this creates a short-path shortcut called Micros~1. Some applications still refer to these short paths. This can cause problems because the sequencer sequences each application in an isolated, clean environment. In this example, every application that starts with Microsoft is abbreviated to Micros~1. By using the 8.3 format, you can be sure that applications will always refer to the correct folder. The 8.3 format consists of a maximum of eight characters with a three-character extension. For example, a folder named Word2003Vwr could be renamed to Word2003.Vwr to comply with the 8.3 format.

Question: If you have a computing environment consisting of the Windows XP, Windows Vista, and Windows 7 operating systems, on which operating system should you perform sequencing?


Demonstration: Installing the App-V Sequencer

Key Points
The installation of the App-V Sequencer software is a very simple process. First, you should perform a fresh install of a supported operating system. Ensure you create at least two partitions. Ideally, you would have two separate hard disks: one to hold the operating system and one that would become drive Q. As a best practice, if you choose to use a virtual machine, you should create a second virtual hard disk (VHD).

Note: Do not install the App-V sequencer on a computer that hosts the App-V Server or the App-V Client.


Locate and launch one of the installer files for the App-V Sequencer. Similar to the App-V Client, there is a Setup.msi and a Setup.exe. Also just like the client, you first need to install prerequisite software such as Microsoft Visual C++ 2005 SP1. The Setup.exe file installs the software, while the Setup.msi file only detects the presence or absence of the software. The Setup.msi installation fails if it cannot detect the prerequisite software. The InstallShield Wizard performs the installation. After you launch the wizard, you must allow it to install the prerequisite software. Then you simply accept the license and allow the wizard to install the sequencer software. Other than declaring the installation folder, you do not need to perform any configuration during setup. In this demonstration, you will see how to install the App-V Sequencer on a Windows 7 computer, and then create drive Q.

Demonstration steps:
1. Run Setup.exe.
2. Perform a default installation of the App-V sequencer.
3. Use Computer Management to create a new simple volume using the unallocated space.
4. Assign the drive letter Q, and then format the volume.

Question: What is the benefit of installing the sequencer by using the Setup.exe file versus the Setup.msi file?


Configuring the App-V Sequencer Options

Key Points
After you install the sequencer, you can configure a number of settings by using the Options menu item in the Tools menu. This opens the Options dialog box, which has three tabs that provide access to several configuration settings. The following sections detail these tabs.

The Paths tab


The Paths tab allows you to define the settings that the following table describes:
Setting | Description
Scratch directory | Specifies the path to the location where the sequencer will temporarily save files that it generates during sequencing. Scratch, the default folder, resides in the installation folder.
Log directory | Specifies the path to where the log files will be saved. Logs, the default folder, resides in the installation folder.
Allow use of MSI installer | Allows interaction between the sequencer and the application installer.
Allow virtualization of events | Allows you to virtualize low-level, operating-system activities of the application when you run a sequenced application package on App-V desktop clients.
Allow virtualization of services | Allows virtualization of services that the application requires when the application runs on App-V desktop clients.
Append package version to filename | Automatically appends the sequenced version number for the application package to the file name.

We recommend that you do not make any changes to these options, and instead accept the default settings.

The Parse Items Tab


This tab displays the mapping rules that the sequencer uses to accommodate differences that exist between configurations on the sequencing computer and the App-V desktop client. The columns display the variable that the sequencer reads and the variable that the sequencer substitutes during the sequencing process. For example, the value of C:\ProgramData is parsed to %CSIDL_COMMON_APPDATA%.

The Exclusion Items Tab


The Exclusion Items tab allows you to designate data that you do not want the App-V Sequencer to monitor while it is running. An example of data that you should not capture is Internet cookies. If you configure the Sequencer to capture the cookies in the virtual environment, it links the application installation permanently to the user who initially set up the virtual environment. Typically, you should exclude any data that is unique to a specific user or a specific session from the Sequencer.


Lesson 3

Performing Application Sequencing

Sequencing applications is often the most labor-intensive aspect of deploying virtualized applications. It requires a thorough knowledge of the application that you are sequencing, and you need to pay close attention to the details that the sequencer captures. This lesson describes the sequencing process, and explains the functionality of the Sequencing Wizard. The lesson also provides details about the best practices that you should implement when you sequence applications.


Best Practices for Sequencing

Key Points
Sequencing applications correctly is the most important part of deploying virtual applications. Keep the following best practices in mind to help ensure a successful deployment:
- Perform a local install. Familiarize yourself with the application installation procedure before sequencing it. This is very important. You should understand all of the application dependencies, as well as all of the steps required to make the application usable for the end user.
- Document the install process. This is also a very important step. Knowing how you installed an application prepares you better for creating the sequenced package, or upgrading the application should it become necessary. Following a step-by-step procedure while you are sequencing applications leads to more successful sequencing sessions.
- Set compression to Off, and use the optimal 64-kilobyte (KB) block size. This allows your client workstations to have the best performance during usage, because they will not have to decompress the sequenced software.
- Use an 8.3 naming convention for the Install path. As previously mentioned, this helps avoid application short name path conflicts. Make sure each path is unique to all sequenced applications. Sequence all dependent applications under the same paths.
- Always choose the Run from My Computer or Not Available options when you select the method of installing application components in the Application Setup Wizards. Do not select the Install on First Use option because this causes the application to search for its install source files. This will not work because even if the application can find the install source files, the application cannot update the install on the client.
- Disable the application's Automatic Updates option while sequencing occurs. The virtual environment does not allow you to update the application once it is running on a client. If an update is necessary, you should apply it on the Application Virtualization Sequencer by upgrading the package.
- Use the post-installation process to complete the application configuration while the Sequencer is still monitoring the installation process. This provides you the opportunity to open the application and set the initial startup environment. You can configure default options that you always want end users to see when they start the application. This may cause the application to access DLLs and other system items that it did not previously use during the Setup Wizard. This may include application activation. You also can capture and virtualize this information.
- Always reply Yes to reboot requests. The Sequencer detects the reboot task and notifies the sequencing specialist that it has processed a reboot request. It then continues the installation as if the reboot had occurred.


Creating a Package by Using the Sequencing Wizard

Key Points
The 4.6 version of the App-V Sequencer displays a splash screen at launch that allows the sequencing engineer to perform three tasks:
- Create a package
- Edit a package
- Upgrade a package

When you click Create a Package, the Sequencing Wizard launches, and then simplifies the sequencing process into six major steps, which the following sections detail.

Package Information
As the first step, fill in the package name with any display name that you wish. You also can input comments, such as the platform on which the application was sequenced and the name of the sequencing engineer. You also can select to see the Advanced Options page.


Advanced Options
On the Advanced Options page, you can select to allow Microsoft Update to run during monitoring or to rebase DLLs. Allowing Microsoft Update simply allows the application to update from the Internet if required. Rebasing DLLs remaps DLL libraries to a contiguous space in RAM, and may save memory and improve performance. These selections are unselected by default.

Monitor Installation
This page allows you to start the monitoring process. Before you can start the actual application installation, you need to specify where the application is installed. This is a folder on drive Q. The name of this folder must adhere to the 8.3 naming convention, but subfolders under it do not. Each application you sequence must have a separate directory. After selecting the install folder, you must wait while the virtual environment loads and monitoring can commence. Then install the application as you would normally install it on the client, and select the folder that you specified on drive Q as the install destination. During monitoring, the App-V Sequencer adds all new and changed application components to the application package. When you finalize the application's installation, you need to return to the App-V wizard, and use the Stop Monitoring button.

Configure Applications
This page displays the available shortcuts and file type associations for an application. You can edit, add, or remove the shortcut and file types. For example, if the application is a video player, you may want to associate many different video file types with the application.

Launch Applications
This phase serves two purposes. For some applications, you might need to perform some configuration at first launch, such as accepting license agreements. Additionally, the sequencer adds any steps that you perform during this launch to Feature Block 1. Therefore, the sequencing engineer should perform the most common actions, such as opening files, creating files, and whatever other actions a normal end user would most often perform.

Sequence Package
This step completes the sequencing of the application and finishes the wizard. There is no configuration during this step.


Manually Modifying the Sequencer Package

Key Points
After you create the sequencer package, you can adjust the settings that the wizard creates. You would typically do this when a package needs special modifications to make it operational in the virtual environment.
- You can view the properties, such as the application's GUID, and edit the package name.
- The Deployment tab is one of the most important post-configuration considerations. You must configure deployment properties such as the protocol, the hostname of the streaming server, the port number, and the relative path inside the content folder. You can also determine which operating systems are allowed to receive this virtual application and generate a Windows installer file for the virtual application.
- You can view the history of any changes to the package in addition to many other pieces of information about the package such as Windows version. This information is read-only.
- You can edit the Virtual Registry to remove registry data that may not pertain to the application. The Installation Wizard is preconfigured to ignore changes to certain registry keys. Sometimes, you might need to configure those changed registry keys, and sometimes other registry keys for the sequencer's other software might change during sequencing.
- You can add or remove files from the Virtual File System. This is useful for correcting errors: files that the installation wizard detected erroneously can be removed to keep the sequenced application as small as possible.
- During sequencing, App-V identifies and sequences a list of embedded services. These embedded services assist the operating system. You can edit the properties of individual services required by the application, such as the startup type.
- You can edit the .osd file before App-V incorporates it into the sequenced package. This can be useful if you need to customize an element of the .osd file, such as defining a dependency for DSC. Refer to product documentation for details about the different elements with which you can configure the .osd file.

Post Sequencing Steps


After you finish configuring the package, you must save it to a folder. The folder that you save it to must have the same name as the one you specified in the Path text box in the Package Configuration Wizard. The .osd file specifies this location in the content folder's relative path. After you save the application, transfer the folder to the content folder on the App-V Server. If you create an MSI package, you can provide the MSI package to enterprise deployment systems as needed.

Question: What name must you use for the folder into which you save the package?

Demonstration: Sequencing an Application

Key Points
In this demonstration, you will see how to use the sequencing wizard to sequence an application and configure the application's protocol, port, and path.

Demonstration steps:
1. Launch the App-V sequencer, and create a package.
2. Create a folder on drive Q as the installation folder, and begin monitoring.
3. Install the application to drive Q.
4. Stop monitoring, and then click Next.
5. Launch and close the application, and then complete the wizard.
6. In the dialog box, click the Deployment tab, and then configure the protocol as RTSP.
7. Configure the Hostname to match the server name that will host the application.
8. Configure the relative path.
9. Save the package.
10. Open the folder, and then examine the contents.
11. Use Notepad to open the .osd file, and then examine the HREF tag.
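Examining the HREF by eye works for one package; the following Python script, an added example that is not part of the course material, checks the HREF in a saved .osd file against the intended Deployment tab settings and the package folder name. The sample .osd layout (SOFTPKG/IMPLEMENTATION/CODEBASE), the GUIDs and the .sft file name are constructed assumptions; the host, port and path are the lab values used later in this module.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample. Host, port and path are the lab values from this module;
# the element layout, GUIDs and .sft file name are assumptions for illustration.
GOOD_OSD = """<SOFTPKG GUID="00000000-0000-0000-0000-000000000001" NAME="WordViewer03">
  <IMPLEMENTATION>
    <CODEBASE HREF="RTSP://NYC-SVR2:554/Word03/WordViewer03.sft"
              GUID="00000000-0000-0000-0000-000000000002"/>
  </IMPLEMENTATION>
</SOFTPKG>"""

# Constructed sample with the wrong protocol, host, port and folder.
BAD_OSD = GOOD_OSD.replace("RTSP://NYC-SVR2:554/Word03/", "HTTP://NYC-DC1:80/Word/")


def find_hrefs(osd_text):
    """Return every HREF attribute value in the .osd XML, whatever element holds it."""
    root = ET.fromstring(osd_text)
    return [value
            for element in root.iter()
            for name, value in element.attrib.items()
            if name.upper() == "HREF"]


def check_osd(osd_text, protocol, hostname, port, rel_path, package_folder):
    """Compare the .osd HREF with the intended Deployment tab settings.

    Returns a list of (code, detail) findings; an empty list means the file
    matches. Names are compared case-insensitively.
    """
    findings = []
    wanted_path = rel_path.strip("/").casefold()

    # The folder the package is saved to must carry the same name as the Path.
    if package_folder.casefold() != wanted_path:
        findings.append(("folder-mismatch",
                         f"folder {package_folder!r} differs from path {rel_path!r}"))

    hrefs = find_hrefs(osd_text)
    if not hrefs:
        findings.append(("no-href", "no HREF attribute found"))

    for href in hrefs:
        parts = urlsplit(href)  # scheme and hostname come back lower-cased

        if parts.scheme != protocol.lower():
            findings.append(("protocol", f"{href}: expected {protocol}"))
        if parts.scheme == "http":
            # Per this module: active upgrade is not supported for HTTP
            # streaming, so the HREF has to be changed by hand per version.
            findings.append(("no-active-upgrade", f"{href}: HTTP streaming"))

        if (parts.hostname or "") != hostname.lower():
            findings.append(("hostname", f"{href}: expected host {hostname}"))

        try:
            actual_port = parts.port
        except ValueError:
            findings.append(("bad-port", f"{href}: port is not a number"))
        else:
            if actual_port != port:
                findings.append(("port", f"{href}: expected port {port}"))

        # Everything between the host and the .sft file name is the relative path.
        folder = posixpath.dirname(parts.path).strip("/")
        if folder.casefold() != wanted_path:
            findings.append(("path", f"{href}: expected path {rel_path}"))

    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_OSD), ("bad", BAD_OSD)):
        result = check_osd(text, "rtsp", "NYC-SVR2", 554, "Word03", "Word03")
        print(label, result or "matches the deployment settings")
```

Running the same check over every .osd file in the content folder catches a package whose HREF still names a test server or a folder that was renamed after sequencing.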

Lesson 4

Advanced Sequencing Scenarios

When you perform sequencing tasks, some application types require special considerations. For example, you may have applications that are hard-coded to install on drive C. Additionally, you may need to upgrade existing sequencer packages, or create a package branch that allows you to upgrade an existing package, and then run it side-by-side with the original package. You can use several advanced sequencing techniques in such scenarios, and this lesson describes how to perform them.

Upgrading Existing Packages by Using Active Upgrade

Key Points
Over time, you need to upgrade applications to newer versions. This is a costly process for most organizations. Active upgrade provides a method that allows you to apply updates to an existing package and to redistribute it seamlessly to the client computer. This method does not require a server restart or a client disconnect from the server. Users continue to use the currently streamed application until they disconnect. When they reconnect, the updated version streams automatically. You can accomplish this functionality within the sequencing process by tagging the changed blocks of code with the new version number. When the client launches the application, App-V compares the version information within the .sft file to the version on the streaming server, and then downloads only the required blocks of code to the client.

Important: Active upgrade is not supported for Hypertext Transfer Protocol (HTTP) or Server Message Block (SMB) streaming. You must change the HREF tag explicitly in the .osd file to point to the location of the application's new version.

The following steps provide an overview of the active upgrade process:
1. If required, copy the package folder of the application that you are upgrading from the streaming server's content folder to the sequencer.
2. Launch the sequencer, and the Upgrade a Package Wizard appears.
3. Open the project file of the package that you want to upgrade.
4. Specify the package name for the updated package.
5. If you want to download and install Microsoft Updates for the application, use the Advanced Monitoring Options page to allow Microsoft Update to update the application as it sequences.
6. Begin monitoring.
7. Install and apply the updates to the application.
8. Stop monitoring.
9. Complete the wizard by configuring shortcuts, adding or removing file type associations as required, and launching the application.
10. To save the updated package, use the File menu, and save the package. If you need to create an installer file (.msi), use the Create MSI option in the Tools menu.
11. Copy the updated package back to the content folder on the streaming server. This overwrites the original.
12. In the App-V Management Console, right-click the original package, and add a version. Browse to the new .sft file, which will have the numeral 2 in its file name.

After the Sequencing administrator performs the steps necessary for the package upgrade, App-V saves a new .sft file, and automatically appends a version identifier to it. This automatic version control ensures that the active upgrade process works seamlessly for users connecting to the application, and that they receive the updated package. This method of upgrade preserves any user customizations.

Question: How would you upgrade packages that are streaming over HTTP?

Demonstration: Upgrading an Application

Key Points
In this demonstration, you will see how to upgrade an existing application.

Demonstration steps:
1. Launch the sequencer, and click Upgrade a Package.
2. Open the .sprj file that you want to upgrade.
3. Begin monitoring.
4. Run the upgrade installation file.
5. After installation completes, stop monitoring.
6. Save the package.
7. Open the package folder, and examine the contents. Note that the .sft file now has a 2 at the end of its name.

The entire folder now is copied into the content folder, and has replaced the original folder on the App-V Server. You have upgraded the original package to a new version, which users will receive the next time they launch the application.

Editing Existing Packages

Key Points
Occasionally you may wish to make changes to an application package without having to resequence the entire application. For example, you may need to generate an .msi file for stand-alone clients, or create a new file type association for an application. The Edit a Package feature allows you to open a package and make certain types of changes, including:
- Editing registry settings.
- Adding or removing allowed operating systems.
- Generating a .msi file.
- Modifying the .osd file.
- Adding file type associations.
- Viewing package properties.
- Renaming shortcuts.
- Editing mappings for virtual file systems.

Limitations of Editing
You can perform only limited actions by using this method. Most importantly, you cannot apply updates to an application, and additionally, you cannot:
- Review all associated operating system file properties for a package.
- Add additional services.
- Add additional files.
- Collect and configure associated security descriptors.
- Apply security updates or upgrade to a new version.
- Add an additional application.
- Apply updates that require the application to open.
- Apply updates that require the computer to restart.

What Is Package Branching?

Key Points
Package branching allows you to modify an existing package in some way, and then save it as a new package. The primary advantage of this method is that you can run the upgraded version side by side with the existing version. This allows users to run both versions. Users can test the updated application, while still having access to the old version. Package branching is useful in the following circumstances:
- You can stream upgraded application versions while still providing access to the previous versions.
- You can use complex packages as a baseline for creating new or updated packages.
- You can create specialized packages for specific users.

The process for branching is very similar to active upgrade. The difference is at the end of the process. In active upgrade, you save the new package to overwrite the old one. In package branching, you perform a Save As at the end of the process. The result of the Save As is essentially a completely new SFT file. This is a new version of the application and you can import it to the App-V Management Console.

When you want to branch an existing package, perform the following steps:
- Copy the original application package that you want to modify to a clean Sequencer workstation.
- In the Sequencer application, select the File menu, and then click Open. You can then select the name of the .sprj file to be branched.
- Use the Package Configuration Wizard to provide new values for the package name and path.
- Update the HREF tag information on the Deployment tab. You will need to modify the Path parameter to reflect the name of the new folder you will save the package to.
- Modify any other required wizard options.
- In the Sequencer application, select the File menu, and then click Save As. Choose a new file name and Save In location. Be sure to select the check box next to Save As New Package.
- Provide a unique Package root directory name and a new Package name. You will then be prompted with two options:
  - Open Package. This option opens the package for minor edits, but does not decode the files to the new Package root directory.
  - Open for Package Upgrade. This option decodes the files to a new application folder, allowing you to add updates as needed.
- Rename all the .osd files to a new, unique name.
- Move the new files to the App-V Management Server, and then import the new package.

Sequencing Hard-Coded Applications

Key Points
You may be able to install certain applications only on the local drive C, while other applications may provide you with a choice of destination paths during installation. The former are hard-coded applications. You can still sequence hard-coded applications, and then stream them to run from the client's virtual drive (typically drive Q). You can accomplish this by performing a Virtual File System install. Note that during the sequencing of a hard-coded application, the entire application runs from the Virtual File System.

A high-level view of sequencing a hard-coded application includes the following steps:
1. During the Sequencer installation phase, you create a directory on drive Q for the application to use.
2. During the Monitoring task, you will receive a prompt in which you can select the primary directory to which you want to install the application. Select both drive Q and the directory that you created for the application. This causes the App-V Streaming Server to copy the entire application's assets to the Virtual File System located on drive Q.
3. Let the application install, as required, to drive C.
4. The next sequencing task is the execution phase. During this phase, execute the application from the virtual drive and root directory that you created during the installation phase. This will order the blocks of code into units that the App-V Streaming Server will stream to the client in Feature Block 1 or Feature Block 2.

Creating an MSI Package for Stand-Alone Clients

Key Points
For clients that are unable to connect to the streaming server, you can use the stand-alone deployment model. In this model, you do not configure the App-V Client to connect to any App-V Management Server delivery system. To deliver the virtual application to the client, you can create an .msi file that you can deliver by using ESD technologies such as Microsoft System Center Configuration Manager. The .msi file holds all .osd files, icons, and other information of the packaged application except for the .sft file that makes up the actual application. The .sft file is not inside the .msi file because of size limitations of Windows Installer. The .msi file loads the metadata to the client, and it then uses the SFTMIME.exe utility to add and load the application from the installation directory to the App-V Client cache. Additionally, you configure the .msi file to load, by default, the .sft file from the same directory as the .msi file.

Note: For more information on deploying the .msi file, see Configuring a Client for Stand-Alone Operation in Module 7 of this course.

To create the .msi file, you simply select the Generate Microsoft Windows Installer (MSI) Package check box on the Deployment tab after the sequencing wizard completes. Then, when you save the application, the App-V Management Server creates and saves the .msi file in the same directory as the rest of the package files. You can also generate an .msi file for an application that has already been sequenced, when you open the package for editing.

Question: From what location will the .msi file attempt to load the application code by default?

Lab: Sequencing Applications for Virtualization

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Ensure that the 10324A-NYC-DC1, 10324A-NYC-CL1, 10324A-NYC-SRV2, and 10324A-NYC-CL2 virtual machines are running.
3. If required, connect to the virtual machines.
4. Log on to 10324A-NYC-DC1, 10324A-NYC-CL2, and 10324A-NYC-SRV2 as Contoso\Administrator using the password Pa$$w0rd. Do not log on to 10324A-NYC-CL1 until directed to do so.

Exercise 1: Installing the App-V Sequencer


Scenario
Your organization deploys Windows 7 as a standard desktop operating system. You need to sequence applications on the same operating system. You have created a clean installation of Windows 7 on a test computer. Now you will install the sequencing software, and then prepare the second disk to be drive Q. The main tasks for this exercise are:
1. Install the App-V Sequencer.
2. Create drive Q.

Task 1: Install the App-V Sequencer


1. On NYC-CL2, open Windows Explorer, browse to \\NYC-DC1\E$\Labfiles\Mod09\Sequencer\x86, and then double-click Setup.exe.
2. Perform a default installation of the Microsoft Application Virtualization Sequencer.

Task 2: Create drive Q


1. Open Computer Management.
2. Use Disk Management to create drive Q with the unallocated space.

Results: After this exercise, you should have installed the App-V sequencer and created drive Q.

Exercise 2: Sequencing an Application


Scenario
All your users need to view Microsoft Office Word documents, but you do not want to install a full version of Office on all computers. You will sequence and deploy a virtual version of Word Viewer 2003. The main task for this exercise is:
1. Sequence Microsoft Office Word Viewer 2003.

Task 1: Sequence Microsoft Office Word Viewer 2003


1. On NYC-CL2, open Windows Explorer, and then browse to \\NYC-DC1\E$\Labfiles\Mod09. Copy the Word Viewer 2003 folder to C:\. Close Windows Explorer.
2. Launch Microsoft Application Virtualization Sequencer. Use the New Package Wizard to create a package for Wordviewer03 with the following information:
   - Package Name: WordViewer03
   - Comments: Sequenced on Windows 7
   - Click Begin Monitoring
   - Primary directory: Q:\Word03
3. Navigate to C:\Word Viewer 2003, and then install Wdviewer.exe to Q:\Word03.
4. Click Stop Monitoring.
5. On the Configure Applications page, remove the Microsoft Office 2003 component.
6. Launch the application, and then complete the wizard.
7. On the Deployment tab, configure the Protocol to be RTSP.
8. Configure the Hostname to be NYC-SVR2.
9. Configure the Path to be Word03.
10. Save the package to a new folder named Word03 in the Documents folder.

Results: After this exercise, you should have sequenced the Microsoft Office Word Viewer 2003.

Exercise 3: Deploying and Testing the Application


Scenario
To ensure that the application functions correctly, you plan to deploy the Word Viewer application to a test client and view the results. The main tasks for this exercise are:
1. Copy the application to the Content folder.
2. Import the application.
3. Test the application.

Task 1: Copy the application to the Content folder


On NYC-CL2, copy the Word03 folder from the Documents folder to \\NYC-SVR2\Content.

Task 2: Import the application


- On NYC-SVR2, launch the Application Virtualization Management Console.
- Import the Wordviewer03.sprj file from C:\Content\Word03.
- Publish a shortcut to the user's desktop.
- Grant permission to the AppVUsers group.

Task 3: Test the application


- Log on to NYC-CL1 as AppVUser1 with a password of Pa$$w0rd.
- Launch the Microsoft Office Word Viewer 2003 application.
- Use the Help menu to verify the application's version number.
- Log off NYC-CL1.

Results: After this exercise, you should have copied the application to the content folder, and then imported and tested the application.

Exercise 4: Upgrading and Redeploying the Application


Scenario
You know that a security update is available for the Microsoft Office Word Viewer 2003. You already have deployed the viewer. You must upgrade the package to the new version and deploy the upgrade without interrupting the current users of the existing version. The main tasks for this exercise are:
1. Upgrade the application.
2. Copy the application to the Content folder.
3. Upgrade the package version.
4. Test the deployment.

Task 1: Upgrade the application


- On NYC-CL2, launch the Microsoft Application Virtualization Sequencer, and select Upgrade a package.
- Navigate to the Documents\Word03 folder, open the Wordviewer03.sprj file, and overwrite the existing destination.
- Begin monitoring.
- Navigate to C:\Word Viewer 2003, and run the office2003-KB923276FullFile-ENU.exe update.
- Stop monitoring.
- Launch the application, and finish the wizard.
- Save the package.
- Close the sequencer.

Task 2: Copy the application to the Content folder


On NYC-CL2, copy the Word03 folder from the Documents folder to \\NYC-SVR2\Content, thereby overwriting the original folder.

Task 3: Upgrade the package version


- Return to NYC-SVR2.
- Launch the Application Virtualization Management Console.
- Click the Packages node.
- Use the Add Package Version Wizard to add a version and update the relative path to the new Wordviewer03_Package.
- In the Packages node, click the Wordviewer03 package. Notice that there now are two versions.

Task 4: Test the deployment


- Log on to NYC-CL1 as AppVUser1.
- Launch Microsoft Office Word Viewer 2003.
- Use the Help menu to verify the application's version number.
- Log off NYC-CL1.

Results: After this exercise, you should have upgraded a sequenced application, copied the application to the Content folder, upgraded the package version, and tested the deployment.

Exercise 5: Sequencing a Hard-Coded Application


Scenario
You want to deploy the Microsoft Office PowerPoint viewer for those users that need to view or host presentations, and you know that the PowerPoint viewer is hard coded to install on drive C. You need to test whether you can sequence this application successfully. The main task for this exercise is:
1. Sequence the PowerPoint Viewer.

Task 1: Sequence the Microsoft Office PowerPoint Viewer


- On NYC-CL2, launch the Microsoft Application Virtualization Sequencer.
- Create a package named PPT with the comment Sequenced on Windows 7.
- Click Begin Monitoring.
- Create a folder named PPT on drive Q.
- Open Windows Explorer, navigate to \\NYC-DC1\E$\LabFiles\Mod09, and then install PowerPointViewer.exe.
- Stop monitoring.
- Launch the application, and then complete the wizard.
- On the Deployment tab, configure the Protocol to use RTSP and the Hostname to be NYC-SVR2.
- Configure the Port to be 554 and the Path to be PPT.
- Save the package to a folder named PPT in the Documents folder.

Results: After this exercise, you should have sequenced a hard-coded application.

To prepare for the next lab


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machines used in this lab, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

Module Review and Takeaways

Review Questions
1. After you upgrade an application by using active upgrade, what task must users perform to receive the updated application?
2. When performing package branching, what must you do at the end of the sequencing wizard to create a new package?
3. What prerequisite software do you need to install the App-V sequencer?

Common Issues Related to Sequencing an Application


Identify the causes for the following common issues related to a particular technology area in the module and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.
Issue: You used package branching to create an upgraded version of an application. Users are unable to see any shortcuts for the upgraded version of the application.
Troubleshooting tip:

Real-World Issues and Scenarios


1. Your environment is a mixture of Windows XP and Windows 7 clients. You want to sequence an application that will run on both operating systems. Which operating system should you sequence the application on so that it will have the best chance of functioning correctly?
2. You sequence an application on Windows XP. You deploy that application to users running Windows 7 and Windows XP. The users on Windows XP receive the application, but none of the Windows 7 computers has received it. What might be the issue?
3. You have deployed version 1 of an application, but version 2 now is available. You want to deploy it to your users, and you must ensure that their personal settings from the application's current version carry over to the new version. How do you accomplish this?

Best Practices Related to Sequencing Applications


Supplement or modify the following best practices for your own work situations:
- When sequencing, if the client machine to which you are deploying an application has User Account Control (UAC) enabled, then you must ensure that you enable it on the sequencing machine.
- Use the Comments field in the sequencer (Abstract Tag) to add any details about the package you may want to include. This will allow you to revisit the sequence later and have a record of this information.
- Use the Application Wizard to launch each executable in a suite of applications. This will ensure that each application will have the required initial launch data on the App-V Client.
- Ensure that you perform all the common tasks that will be part of Feature Block 1 during the launch phase of sequencing the application.
- Processes and scheduled tasks that normally run on your computer, such as antivirus software, can slow down the sequencing process and cause the gathering of unnecessary data during sequencing. You should shut down these programs before you begin sequencing.

Module 10
Configuring Remote Desktop Services and RemoteApp
Contents:
Lesson 1: Overview of RDS
Lesson 2: Publishing RemoteApp Programs by Using RDS
Lesson 3: Accessing RemoteApp Programs from Clients
Lab: Configuring RDS and RemoteApp Programs

Module Overview

Remote Desktop Services (RDS) provide a form of virtualization known as presentation virtualization. Although you connect to a remote desktop or to individual remote applications, your experience is similar to running local applications on your computer. RDS features such as device redirection, single sign-on (SSO), and Remote Desktop (RD) Easy Print mean that it is not easy to tell whether you are using remote or local applications. This module provides an overview of RDS and related role services, and the procedures for connecting to an RD Session Host. The module also describes RemoteApp programs and the methods for accessing them, and explains how to use RD Gateway to access RDS infrastructure securely from an external network.

Lesson 1

Overview of RDS

RDS is the new version of Terminal Services and it is a Windows Server 2008 R2 server role. Users can access session-based desktops, virtual machine based desktops and remote applications from anywhere. Clients connect to an RDS server by using Remote Desktop Protocol (RDP). RDP 7.0 provides improved and new features, such as Windows Media redirection, Windows Aero Glass support, and true multimonitor support. To benefit from the new and improved RDP features, you must use the Remote Desktop Connection (RDC) 7.0 client, which is in Windows 7 and Windows Server 2008 R2. You also can download the RDC 7.0 client for Windows XP Service Pack 3 (SP3), Windows Vista Service Pack 1 (SP1), and newer operating systems.

What Is RDS?

Key Points
RDS, formerly known as Terminal Services, provides technologies that enable you to access session-based desktops, virtual machine-based desktops, and remote applications that are running on centralized servers. You can establish secure connections from a local network or from the Internet. RDS provides a rich desktop and application experience and you can connect securely from managed or unmanaged devices. RDS provides the following capabilities:
- You can run an application or a full desktop in one location, and you can control the applications or desktops from another remote location.
- You can maintain the installation and management on centralized servers in the data center.
- An RDS server delivers screen images to users, and then users' client machines send keystrokes and mouse movements back to the RDS server.
- You can present users with a full desktop environment or with the individual application's window and data that they require for their job.
- Remote RDS applications integrate seamlessly with the user's local desktop. They look, feel, and behave as if they are local applications.
- RDS enables secure remote access to an entire desktop, remote application, or virtual machine without establishing a virtual private network (VPN) connection.
- You can centrally control which users can access RDS servers, as well as which RDS servers users can access, and additional configuration, such as device redirection settings.

There are many benefits of using RDS instead of running an application on a local computer. These benefits include:
- Application deployment. You can quickly deploy Windows-based programs to various devices across an enterprise. RDS is especially useful when you have programs that are frequently updated, infrequently used, or difficult to manage.
- Application consolidation. You can run and install programs from an RD Session Host server, and eliminate the need for updating programs on each client computer.
- Remote access. Users can access remote programs from devices such as home computers, kiosks, low-powered hardware, and operating systems other than Windows.
- Branch office access. RDS provides better program performance for branch office users who need access to centralized data stores. Data-intensive programs often are not optimized for low-speed connections, and such programs often perform better over an RDS connection than a typical wide area network (WAN).

Question: How is RDS different from Remote Desktop?

RDS Role Services

Key Points
The RDS role provides six role services, which have new names in Windows Server 2008 R2, and which provide additional and improved features. RDS in Windows Server 2008 R2 introduces a new role service, known as RD Virtualization Host. You use it in VDI scenarios to provide users with access to virtual desktops. The RDS role includes the role services that the following sections detail.

RD Session Host
You require the RD Session Host server role to enable RDS. The RD Session Host server runs Windows-based programs and provides users with remote access to these programs or the full Windows desktop. Users can connect to an RD Session Host server by using RDP, and then can run programs, save files, and use network resources on that server.

RD Licensing
To use RDS, you must deploy an RD licensing server in your environment. When a client, either a user or a device, connects to an RD Session Host server, the RD Session Host server determines if an RDS Client Access License (CAL) is necessary. You can use RD Licensing to install, issue, and track the availability of RDS CALs. For small deployments, you can install the RD Licensing and RD Session Host role service on the same server.

Note: You must configure RD licensing mode within 120 days of adding the RD Session Host role service, or RDS stops working.

RD Connection Broker
The RD Connection Broker role service provides load balancing and session reconnection services for RDS sessions. When users connect to an RDS environment, and you deploy RD Connection Broker in the environment, RD Connection Broker can balance the client connections across the available RD Session hosts, and can reconnect clients to the same session host if the client is disconnected. RD Connection Broker also connects users to the appropriate virtual machine in a VDI deployment.

RD Gateway
RD Gateway is an optional role service in an RDS deployment. RD Gateway enables remote users to access applications running on session hosts by tunneling RDP traffic through Hypertext Transfer Protocol Secure (HTTPS). This means users outside the company network can securely access the RDS environment without first establishing a VPN.

RD Web Access
RD Web Access provides a user with an aggregated view of remote applications and desktop connections via a Web browser or through the Start menu on Windows 7 computers. Using RD Web Access, a user can view all remote applications and virtual desktops (personal virtual desktops and virtual desktop pools) published to that user.

RD Virtualization Host
RD Virtualization Host integrates with the Microsoft Hyper-V role to host virtual machines and provide them to users as virtual desktops. You can assign a unique virtual desktop to each user in your organization or provide them shared access to a pool of virtual desktops.

Question: What is the new RDS role service that is included in RDS?

Client Experience Features with RDS

Key Points
Windows Server 2008 R2 enhances the Remote Desktop client experience for computers that are running Windows 7, Windows Server 2008 R2 or RDC 7.0 clients. These enhancements improve the experience of remote users by providing a look and feel similar to what users experience when they access resources locally. The following enhancements are available to Remote Desktop users when they connect to an RD Session Host server:
• Windows media redirection. This feature provides high-quality multimedia by redirecting Windows media files and streams so that servers can send audio and video content in its original format to the client, and render the content by using the client's local media playback capabilities.
• True multimonitor support. This feature enables support for up to 16 monitors in any size, resolution, or layout. The applications function just as they do when they run locally in multimonitor configurations.

• Audio input and recording. This feature supports any microphone connected to a user's local computer. It enables audio recording support and speech recognition for RemoteApp and Remote Desktop. This may be useful for organizations that use voice chat or Windows Speech Recognition.
• Aero Glass support. This feature provides users with the ability to use Aero Glass for client desktops, ensuring that the Remote Desktop sessions look and feel like local desktop sessions. You must connect from a Windows 7 or Windows Server 2008 R2 client to take advantage of the Aero Glass support.
• Enhanced bitmap redirection. This feature improves the remote display of three-dimensional (3D) and other media-rich applications, such as Adobe Flash and Microsoft Silverlight on the server.
• Improved audio and video synchronization. RDP improvements provide closer synchronization of audio and video.
• Language bar redirection. This feature provides users with the ability to control the language settings easily and seamlessly in RemoteApp programs by using the language bar.
• Task scheduler. This feature ensures that scheduled applications never appear to users connecting with RemoteApp and reduces user confusion.

Windows Server 2008 R2 and Windows 7 include RDC 7.0, and it is available for Windows XP SP3, Windows Vista SP1, Windows Embedded Standard 2009, Windows Embedded POSReady 2009, and newer operating systems.

Question: Are enhanced features that RDP 7.0 provides available just on Windows 7 and Windows Server 2008 R2 clients?

Overview of the RDC Client

Key Points
Windows clients connect to an RD Session Host by using the RDC client. RDC is included with the Windows operating system and uses RDP to transfer user actions, mouse movements, keyboard inputs, and redirected devices to the RD Session Host, and the graphical display from the RD Session Host to the RDC client. The RDC client can display the entire remote desktop or just the window of the running remote application (RemoteApp program). RDC is available in the Accessories folder in the Start menu, and it has the following configuration tabs:
• General. On this tab, you can specify the RD Session Host server to which a user can connect and user credentials. You also can save RDC connection settings in a text file with an .rdp extension.

• Display. On this tab, you can choose the size of the remote desktop window, including the option to run the remote desktop in full screen mode. You can select to use all local monitors for the remote session, select color depth, and enable the connection bar when the remote desktop is running in full screen mode.
• Local Resources. On this tab, you can set remote audio settings, such as whether you want to enable remote audio playback and recording. You also can specify the location where Windows shortcuts are applied, and whether local devices and resources in the remote session are available. For example, you can enable the option to make clipboard, local drives and printers, and devices that you plug in later available in the remote session.
• Programs. On this tab, you can specify the program that will start when you connect to the remote computer. When you close the program, your session will log off.
• Experience. On this tab, you can select the connection speed to optimize performance. You can enable different features such as:
  • Desktop background
  • Font smoothing or visual styles in RDC
  • Automatic reconnect if the connection is dropped
• Advanced. On this tab, you can configure server authentication and connect from anywhere settings. For example, you can specify if you want to use RD Gateway and then configure its settings.

Note: We do not support Aero Glass for connections for which you enable multiple monitor support. In this scenario, Aero Glass support is turned off.

Demonstration: Establishing a Remote Desktop Connection

Key Points
To establish a remote desktop connection, you must add the RDS role to the remote server and you must have RDC, which is already included in the Windows operating system. Your user account must also be a member of the Remote Desktop Users group on the remote server or have the appropriate user rights. You can establish a remote desktop connection by running the RDC client, and then configuring the desired options or loading them from a saved .rdp file. In this demonstration, you will see how to establish a remote desktop connection.

Demonstration steps:
1. On the NYC-DC1 server, verify that Remote Desktop is enabled.
2. On the NYC-CL1 computer, start the RDC client and review its options.

3. On NYC-CL1, in the RDC client, configure the display resolution to 800 x 600 and NYC-DC1 as the computer to which you want to connect, and then save the settings to a file.
4. Open the RDC configuration file, and then review the settings.
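
The saved .rdp file reviewed in the last step is plain text with one name:type:value setting per line. As an added example (not part of the course material), this Python sketch parses such a file and reports the settings behind the Local Resources and Advanced tabs; both sample files, the gateway name rdgw.contoso.com and the signature value are constructed placeholders.

```python
"""Review security-relevant settings in a saved .rdp file (added example)."""

# Constructed sample: a permissive saved connection to the lab server.
SAMPLE_PERMISSIVE = """\
desktopwidth:i:800
desktopheight:i:600
full address:s:NYC-DC1
redirectclipboard:i:1
redirectprinters:i:1
drivestoredirect:s:*
authentication level:i:0
prompt for credentials:i:0
gatewayusagemethod:i:0
"""

# Constructed sample: the same target, tightened. The gateway name and the
# signature value are placeholders, not real data.
SAMPLE_TIGHTENED = """\
desktopwidth:i:800
desktopheight:i:600
full address:s:NYC-DC1
redirectclipboard:i:0
redirectprinters:i:0
drivestoredirect:s:
authentication level:i:1
gatewayusagemethod:i:1
gatewayhostname:s:rdgw.contoso.com
signature:s:PLACEHOLDER
"""

# On/off redirection switches and list-valued redirection settings.
REDIRECT_SWITCHES = {
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "redirectcomports": "serial ports",
}
REDIRECT_LISTS = {
    "drivestoredirect": "drives",
    "devicestoredirect": "Plug and Play devices",
}


def decode_rdp(data):
    """Decode file bytes; the RDC client commonly saves .rdp files as UTF-16."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig")


def parse_rdp(text):
    """Return {name: value} from lines of the form name:type:value."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)  # the value itself may contain ':'
        if len(parts) != 3:
            continue  # blank or malformed line
        name, kind, value = parts[0].strip().lower(), parts[1], parts[2]
        if kind == "i":
            try:
                value = int(value)
            except ValueError:
                continue  # integer setting with a non-numeric value
        settings[name] = value
    return settings


def review(settings):
    """Return (code, message) findings. Only the presence of a signature is
    checked here; validating it is the RDC client's job."""
    findings = []
    if not settings.get("signature"):
        findings.append(("unsigned", "file is unsigned: publisher cannot be identified"))
    if settings.get("authentication level") == 0:
        findings.append(("server-auth", "connects even if server authentication fails"))
    for name, label in REDIRECT_SWITCHES.items():
        if settings.get(name) == 1:
            findings.append(("redirect", f"local {label} redirected into the session"))
    for name, label in REDIRECT_LISTS.items():
        value = str(settings.get(name, ""))
        if value:
            scope = "all" if "*" in value else value
            findings.append(("redirect", f"local {label} redirected: {scope}"))
    if settings.get("prompt for credentials") == 1:
        findings.append(("sso", "always prompts for credentials, so SSO does not apply"))
    gateway = settings.get("gatewayhostname", "")
    if settings.get("gatewayusagemethod") in (1, 2) and gateway:
        findings.append(("gateway-on", f"RDP is tunnelled through RD Gateway {gateway}"))
    else:
        findings.append(("gateway-off", "no RD Gateway: client connects to the server directly"))
    return findings


if __name__ == "__main__":
    for title, sample in (("permissive", SAMPLE_PERMISSIVE), ("tightened", SAMPLE_TIGHTENED)):
        print(title)
        for code, message in review(parse_rdp(sample)):
            print(f"  [{code}] {message}")
```

For a file on disk, pass its raw bytes through decode_rdp() before parse_rdp().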

Lesson 2

Publishing RemoteApp Programs by Using RDS

When you install an RD Session Host server, users can access the entire remote desktop, including the Start menu and all installed applications. However, on an RD Session Host server, you can publish individual applications and make them available to remote users, without providing the user access to the full remote desktop. Those published remote applications are called RemoteApp programs, and they integrate seamlessly with local applications that run on the client. You can list remote applications on the RD Web Access Web page and by using RemoteApp User Assignment, and you can make remote applications visible only for selected users.

What Are RemoteApp Programs?

Key Points
In previous versions of Windows Server, when you connect to Terminal Server, you always access the full remote desktop. The full remote desktop looks similar to the local desktop, and you could easily confuse the local and remote environments. In Windows Server 2008 and newer versions, users have the option to choose between a full remote desktop and an individual remote application window. The individual application window integrates with the client desktop, runs in its own resizable window, and has its own entry in the taskbar. If the remote application uses a notification area icon, this icon appears in the client's notification area. RDS redirects the dialog boxes and other windows to the local desktop. You also can redirect local drives and printers and make them available in the remote applications. The applications that run on the RD Session Host server and appear as if they were running on the local computer are called RemoteApp programs. Users might not be aware that RemoteApp programs are running remotely, and such programs run side by side with locally installed applications. If you run more than one remote application on the same RD Session Host server, RemoteApp programs share the same RD session.

There are several scenarios where RemoteApp programs are especially useful:
• Remote users: Users often need to access applications from remote locations, such as while working from home or while traveling. RemoteApp programs allow these users to access these applications over an Internet connection. Using RemoteApp programs with RD Gateway helps ensure secure remote access to the applications. Additionally, you can choose to allow users to access remote applications through a Web page or integrate the applications on the Start menu of Windows 7 users with RD Web Access.
• Line of Business applications deployment: Companies often need to run consistent Line of Business (LOB) applications on computers that are running different Microsoft Windows versions and configurations. Instead of deploying the LOB applications to all the computers in the company, you can install applications on an RD Session Host server and make them available as RemoteApp programs.
• Roaming users: In some companies, a user may work on several different computers. If users are working on a computer where the application is not installed, they can access the application remotely through RDS.
• Branch offices: In a branch office environment, there may be limited local IT support and limited network bandwidth. By using RemoteApp programs, you can centralize management of applications and improve the performance of remote applications in limited bandwidth scenarios.

To access RemoteApp programs, you must be using at least RDC 6.0 and to access RemoteApp programs through RD Web Access, you must be using RDC 6.1 or newer.

Process for Publishing RemoteApp Programs

Key Points
Before you can access and run RemoteApp programs, you must first configure the server to host them, make them available, and then allow RDP user connections to the server. Because you run RemoteApp programs on the RD Session Host server, you must first add the RDS role to the server, and then add the RD Session Host role service. After that, you need to install the applications that will be available as RemoteApp programs, such as Microsoft Office suite.

Note: If you have programs that have dependencies on each other, you should install the programs on the same RD Session Host server. For example, you should install Microsoft Office as a suite on the same server instead of installing individual Office programs on separate RD Session Host servers.

When you add the RD Session Host role service, you enable remote desktop connections by default, even if they were not enabled before. If users or groups need to connect to the RD Session Host server to access Remote Desktop or run RemoteApp programs, then you must add them to the Remote Desktop Users group or grant them privileges to Allow log on through Remote Desktop Services. After you prepare the RD Session Host server, you can use RemoteApp Manager to manage RemoteApp programs. To make a RemoteApp program available, you must add the program to the RemoteApp Programs list.

Note: The Choose programs to add to the RemoteApp Programs list page displays the same programs that the All Users Start menu on the RD Session Host server contains. If the program that you want to add to the RemoteApp Programs list is not visible in Choose programs to add to the RemoteApp Programs list, click Browse, and then specify the location of the program's .exe file.

Note: In Windows Server 2008 R2, you can install Windows Installer packages normally on the RD Session Host server, and then propagate the per-user install settings correctly. This removes the need to put the server in install mode.

You can configure global deployment settings that apply to all RemoteApp programs in the RemoteApp Programs list. Windows uses these settings by default if you create .rdp files or Windows Installer packages from any of the listed RemoteApp programs. These global deployment settings include:
• RD Session Host server settings
• RD Gateway settings
• Common RDP settings
• Custom RDP settings
• Digital signature settings

Question: Which RDS role service do you require to publish a RemoteApp program?

Distribution Options for RemoteApp Program Links

Key Points
You can distribute links to RemoteApp programs in different ways. One of the options is to use RD Web Access, where you can control visibility of the RemoteApp programs by using RemoteApp User Assignment. You can also specify if a RemoteApp program is available through RD Web Access or not. Other distribution options include creating and copying a .rdp file that connects and starts a remote application or creating and deploying a Windows Installer package that installs a link to the RemoteApp program. By using one of these two methods, you can specify additional settings, such as the RD Session Host server or the RD farm to which a user should connect to run a RemoteApp program, as well as the RD Gateway that is used when users run the RemoteApp program over a public network. When you create a Windows Installer package, you also can specify if you want to associate file extensions with a RemoteApp program.

You can use RemoteApp Manager on the RD Session Host server to create and configure an .rdp file or a Windows Installer package for a RemoteApp program. This creates an .rdp or .msi file in the local Packaged Programs folder, and you can deploy them to the clients by using one of the following methods:
• Copying the .rdp file or installing the .msi file
• Using Group Policy
• Configuring Group Policy preferences
• Using a software distribution system, such as Microsoft System Center Configuration Manager

Depending on the deployment method that you use, you can run RemoteApp programs by:
• Clicking a link to the program on the RD Web Access Web site
• Double-clicking a .rdp file (which could be available locally or on a file share)
• Double-clicking a program icon on the desktop or in the Start menu
• Double-clicking a file with a file extension that is associated with the RemoteApp program

Question: Why would you distribute links to published RemoteApp programs to your users?

Functions of the RD Connection Broker

Key Points
RD Connection Broker enhances the user experience when connecting to RD Session Hosts that are part of a load-balanced farm. RD Connection Broker supports load balancing and reconnection to existing sessions on virtual desktops, Remote Desktop sessions, and RemoteApp programs. RD Connection Broker also aggregates a list of available RemoteApp programs and virtual desktops from multiple servers.

RD Connection Broker keeps track of user sessions in a load-balanced RD Session Host server farm. The RD Connection Broker database stores session information, including the name of the RD Session Host server where each session resides, as well as the session state, session identifier (ID), and the user name associated with the session. RD Connection Broker uses this information to redirect a user who has an existing session to the RD Session Host server where the user's session resides.

If a user disconnects from a session intentionally or because of a network failure, the applications that the user is running will continue to run on the RD Session Host server. When the user reconnects, the Remote Desktop client queries the RD Connection Broker to determine whether the user has an existing session, and if so, on which RD Session Host server. If there is an existing session, RD Connection Broker redirects the client to the RD Session Host server where the session exists.

The RD Connection Broker load balancing feature enables you to distribute the session load between servers in a load-balanced RDS server farm. When a user without an existing session connects to an RD Session Host server in the load-balanced RD Session Host server farm, RD Connection Broker load balancing redirects the user to the RD Session Host server with the fewest sessions. If a user with an existing session reconnects, RD Connection Broker load balancing redirects the user to the RD Session Host server where the user's existing session resides. To distribute the session load between more powerful and less powerful servers in the farm, you can assign a relative server-weight value to a server.

To participate in an RD Connection Broker farm, the RD Session Host server must be a member of the following:
• An Active Directory Domain Services (AD DS) domain
• The Session Broker Computers local group on the RD Connection Broker server
• A load-balanced RD Session Host server farm
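
The reconnection and load-balancing behaviour described above can be modelled in a few lines. This Python sketch is an added example, not Microsoft's implementation: the host names and weights are constructed, each user has at most one session, and comparing session count divided by weight is an assumption about how the relative server weight is applied.

```python
"""Simplified model of RD Connection Broker session tracking (added example)."""
from dataclasses import dataclass
from fractions import Fraction
from itertools import count


@dataclass
class Session:
    """One row of the broker database: ID, user, host and state."""
    session_id: int
    user: str
    host: str
    state: str  # "active" or "disconnected"


class ConnectionBroker:
    def __init__(self, weights):
        # weights: {host name: relative server weight}; constructed values.
        self.weights = dict(weights)
        self.sessions = {}  # user name -> Session
        self._ids = count(1)

    def load(self, host):
        """Sessions on a host. Disconnected sessions count, because their
        applications keep running on the server."""
        return sum(1 for s in self.sessions.values() if s.host == host)

    def connect(self, user):
        """Return (session, reconnected)."""
        existing = self.sessions.get(user)
        if existing is not None:
            # Existing session: send the client back to the same host.
            existing.state = "active"
            return existing, True
        # New session: pick the least-loaded host. Assumption of this model:
        # load is sessions per unit of weight; ties break on host name.
        host = min(
            self.weights,
            key=lambda h: (Fraction(self.load(h), self.weights[h]), h),
        )
        session = Session(next(self._ids), user, host, "active")
        self.sessions[user] = session
        return session, False

    def disconnect(self, user):
        """Network drop or intentional disconnect: the session stays on its host."""
        self.sessions[user].state = "disconnected"

    def logoff(self, user):
        """Logging off ends the session and frees its slot."""
        self.sessions.pop(user, None)


def demo():
    """Place six users on two hosts, then reconnect a disconnected user."""
    broker = ConnectionBroker({"RDSH-A": 100, "RDSH-B": 200})
    placed = {u: broker.connect(u)[0].host for u in ("u1", "u2", "u3", "u4", "u5", "u6")}
    broker.disconnect("u1")
    state_while_away = broker.sessions["u1"].state
    session, reconnected = broker.connect("u1")
    return broker, placed, state_while_away, session, reconnected


if __name__ == "__main__":
    broker, placed, away, session, reconnected = demo()
    print(placed)
    print(away, session, reconnected)
```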

Note: To avoid a single point of failure, you can configure the RD Connection Broker role service in the Windows Server 2008 R2 failover cluster.

Question: Is it necessary to use RD Connection Broker if you want to list RemoteApp programs from multiple sources on the RD Web Access Web page?

What Is Remote Desktop Web Access?

Key Points
RD Web Access is the RDS role service that provides a single place to list available RemoteApp programs, remote desktops, and virtual desktops. You can access RD Web Access from a Web browser. Then, on Windows 7 clients, you can integrate the list of available resources with the Start menu by using RemoteApp and Desktop Connections. When you install RD Web Access, Web Server, or Microsoft Internet Information Services (IIS), is also installed as a required component. Benefits of using RD Web Access include:
• Authorized users can quickly access a list of available RemoteApp programs, remote desktops, and virtual desktops from anywhere, on the Web page.
• You can modify the list of available resources easily without the need to distribute, install, and uninstall applications on the local computers.

• RD Web Access provides a simple out-of-the-box solution, while providing an infrastructure that can be used for more complex scenarios.
• Users can launch the RDC client from the RD Web Access Web site, which enables users to connect remotely to the desktop of any computer where they have Remote Desktop access.

Note: RD Web Access does not require Windows 7 clients, but to establish a connection, the client computers must be using RDC 6.1 or newer, and Internet Explorer 6 or newer.

When a user starts a RemoteApp program, an RDS session also starts on the RD Session Host server that hosts the RemoteApp program. When a user connects to a virtual desktop, the RD Session Host Server makes an RDC to a virtual machine that is running on an RD Virtualization Host server.

Note: RD Web Access only provides a link to launch RemoteApp programs or to connect to a Remote Desktop session. RD Web Access does not proxy the client request. For the user to run the application, or connect to the virtual machine or remote desktop, the client must be able to communicate with the RD Session Host server, the RD Virtualization Host server, or with the computer on which you enable the remote desktop.

Question: Why would you use RD Web Access?

What Is RemoteApp User Assignment?

Key Points
RDS introduces the RemoteApp User Assignment feature in Windows Server 2008 R2, and it provides you with the ability to configure a personalized list of RemoteApp programs. Before this feature became available, the same list of RemoteApp programs and Desktop Connections was available for all users. With RemoteApp User Assignment, each user gets a personalized list, which displays the user's available RemoteApp programs, desktop connections, and virtual desktops.

You can implement the RemoteApp User Assignment feature by adding an access control list (ACL) to the RemoteApp program link. When a user logs on to RD Web Access, it obtains from the RD Session Host servers the list of available RemoteApp programs for the user or group of which the user is a member. If you configure RD Web Access to obtain the list of available RemoteApp programs from one or more RD Session Host servers, RD Web Access directly queries the servers. If you configure RD Web Access to obtain the list of available RemoteApp programs from RD Connection Broker, the RD Connection Broker server queries the RD Session Host servers, and then filters the list of RemoteApp programs.

By default, when you publish a RemoteApp program, all users can see the published RemoteApp program. You can change the User Assignment through RemoteApp program properties or by using Windows PowerShell. Here are some factors to consider when you are establishing a RemoteApp User Assignment:
• You can assign the RemoteApp programs only to domain users or domain groups, not local users or local groups.
• The computer that performs the check of a user's credentials against the RemoteApp User Assignment settings must be a member of the domain's Windows Authorization Access Group or be joined to a domain that is running in Windows 2000 compatibility mode.

Note: RemoteApp User Assignment is not a security feature. It is a discoverability mechanism. There are other ways to secure access to an RD Session Host server, and the RemoteApp User Assignment feature does nothing to change or improve upon these methods. This feature only helps reduce the number of unnecessary applications that display to users.

Question: Why would you use RemoteApp User Assignment?

Demonstration: How to Publish RemoteApp Programs

Key Points
In this demonstration, you will see how RD Web Access can retrieve and aggregate a list of available RemoteApp programs from multiple RD Session Host servers. You also will see how to assign a RemoteApp program to a user or group.

Demonstration steps:
1. On the NYC-SVR1 server, configure RD Web Access to retrieve the aggregated list of RemoteApp programs from the NYC-SVR1 and NYC-DC1 servers.
2. Publish Calculator and Paint as RemoteApp programs on NYC-DC1.
3. Publish Notepad and WordPad as RemoteApp programs on NYC-SVR1.

4. On NYC-SVR1, on the RD Web Access page as administrator, verify the available RemoteApp programs.
5. On NYC-SVR1, assign the WordPad RemoteApp program to contoso\ruser.
6. On NYC-SVR1, refresh Internet Explorer, and then verify that WordPad is not listed.

Lesson 3

Accessing RemoteApp Programs from Clients

If you configure RemoteApp programs properly, you can seamlessly integrate these programs, and users usually cannot distinguish between RemoteApp programs and local applications. You can access RemoteApp programs in different ways: via the RD Web Access Web site, by using the .rdp file, by clicking the installed RemoteApp icon, by opening a file with an extension associated with a RemoteApp program, or by running it from the Start menu. When you configure additional options, such as a trusted .rdp publisher, SSO, and device redirection, the user experience with RemoteApp programs is almost identical to locally running applications. With the RD Easy Print feature, printing from remote applications is similar to printing from local applications. When you configure and use RD Gateway, you can access RemoteApp programs from anywhere. The RDP protocol provides security by encrypting the traffic, but RD Gateway provides an additional level of security by encapsulating and encrypting RDP traffic inside HTTPS packets. RD Gateway enables secure access to RDS servers from a public network, without first establishing a VPN connection.

Accessing RemoteApp Programs on RD Web Access

Key Points
When you log on to RD Web Access, RD Web Access displays the list of available RemoteApp programs. You can start RemoteApp programs from the RD Web Access Web page, but you should be aware that you use RDC to connect to the RDS server. RD Web Access provides links only to start the remote applications. You can also start a full remote desktop session from RD Web Access or connect to a virtual desktop, when the VDI infrastructure is in place. You use the HTTP protocol for connecting to RD Web Access Web site and the RDP protocol to connect to remote applications or remote desktops.

When you start a RemoteApp program in the default configuration, you will see a warning that the publisher of the RemoteApp program cannot be identified, and that you must decide if you want to continue. This is because the .rdp files are unsigned. To avoid this warning, you must configure the digital signature settings, and then specify a trusted digital certificate on the RD Session Host server. However, even when you configure digital signing, users will continue to receive notifications when they run RemoteApp programs. The only way to avoid notifications is to configure thumbprints of the trusted .rdp publisher certificates in Group Policy.

You also receive a prompt to enter your user credentials. Even when you are logged on to the domain account, you need to provide credentials for running a RemoteApp program. You can avoid this prompt by configuring SSO. This lesson details SSO later.

After the RemoteApp program starts, its look and feel is similar to a locally installed application. You can recognize a RemoteApp application by the (Remote) suffix in Task Manager and the slightly modified icon on the taskbar.

Question: How is running a RemoteApp program in default configuration different from running a locally installed application?

What Is RemoteApp and Desktop Connections?

Key Points
In Windows Server 2008 R2, RDS provides the ability to group and personalize RemoteApp programs, as well as virtual desktops, and make them available on the Start menu of a computer that is running Windows 7. This feature is known as RemoteApp and Desktop Connections. RemoteApp and Desktop Connections works with a new feature of RD Web Access: the RemoteApp and Desktop Connections feed. Instead of presenting RemoteApp programs in the form of a Web page, this feed presents the programs in the form of an XML document, which it parses and displays on the Start menu of the Windows 7 or Windows Server 2008 R2 client. With RemoteApp and Desktop Connections, you subscribe to a feed of RemoteApp programs by providing the client with the feed's URL, typically in the form of https://contoso.com/RDWeb/Feed/webfeed.aspx. Then, it updates and places a list of published resources automatically in the user's Start menu.

The RemoteApp and Desktop Connections feature offers several benefits, which include:
• RemoteApp programs launch from the Start menu, just like a locally installed application.
• Published RDCs and virtual desktops are included together with RemoteApp programs on the Start menu.
• Changes to the available resources, such as newly published RemoteApp programs, update automatically.
• Users can access and launch RemoteApp programs easily with Windows Search.
• RemoteApp and Desktop Connections does not require domain membership for client computers.
• RemoteApp and Desktop Connections is built on standard technologies, such as XML and HTTPS, which makes it possible for developers to build solutions around it.

You can create a client configuration file (.wcx) in the Remote Desktop Connection Manager console and distribute it to the users. You can also write and distribute a script to run the client configuration file automatically, so that RemoteApp and Desktop Connections is set up automatically when the user logs on to a Windows 7 computer.

Note: If users are not running Windows 7, they can access resources available through RemoteApp and Desktop Connections from a Web browser, by signing on to the RD Web Access server.

Note: If you require Secure Sockets Layer (SSL) for clients to access the RD Web Access server and you deploy RemoteApp and Desktop Connections, you must install a certificate that client computers trust on the RD Web Access server. If the clients do not trust the certificate, the updates from the RD Web Access server will fail.

Demonstration: Accessing RemoteApp Programs

Key Points
In this demonstration, you will see how to access a RemoteApp program by using the RD Web Access Web page and a locally available RemoteApp program link. You will also see how to package and distribute links for RemoteApp programs.

Demonstration steps:
1. On NYC-CL1, navigate to the RD Web Access Web page as contoso\ruser.
2. Start the Notepad RemoteApp program, compare it with the local application, and then close it.
3. On the NYC-SVR1 server, create a Windows Installer package for the WordPad RemoteApp program. Select to associate client extensions with this RemoteApp program, and share the folder to which the Windows Installer package is saved.

4. On NYC-CL1, run the Windows Installer package from the share.
5. On NYC-CL1, create a file with a .docx extension. Double-click it, and verify that it opens in the WordPad RemoteApp program.

Question: What is the benefit of using the Windows Installer package to distribute RemoteApp programs instead of using an .rdp file?

What Is SSO?

Key Points
SSO is an authentication method that allows domain users to log on once, using a password or a smart card, and then gain access to remote servers without having to enter their credentials again. If you use the same user account on your local computer and RD Session Host server, enabling SSO will allow you to connect to the RD Session Host server seamlessly, without having to type your password again. You typically use SSO when you deploy line-of-business (LOB) applications or centralized applications. Due to lower maintenance costs, many companies prefer to install their LOB applications on an RD Session Host server, and then make these applications available as RemoteApp programs or through remote desktop. SSO makes it possible to give users a better experience by eliminating the need for them to enter credentials every time they initiate a remote session.

To implement the SSO functionality in RDS, ensure that you meet the following requirements:
• Users can use SSO for remote connections only from a Windows XP SP3 or newer operating system to connect to a Windows Server 2008 Terminal Server or Windows Server 2008 R2 RDS Session Host.
• If the server to which you are connecting cannot be authenticated via Kerberos or SSL certificate, SSO will not work.
• If you have saved credentials for the target machine, they take precedence over the current credentials.
• If the terminal server is configured to Always prompt, or the .rdp file contains the Always prompt setting, SSO will not work.
• User accounts that are used for logging on must have appropriate rights to log on to both the RD Session Host and the Windows client.
• The client computer and RD Session Host must be joined to a domain.

Note: You can enable SSO by using domain or local Group Policy. You should configure the Allow Delegating Default Credentials setting in the Computer Configuration part of Group Policy.

Question: What is the advantage of using SSO when you start a RemoteApp program?

What Is Device Redirection?

Key Points
When you configure device redirection, you can use the redirected device in a remote desktop session. You can redirect most devices, including printers, smart cards, serial ports, drives, Plug and Play devices, media players based on the Media Transfer Protocol (MTP), and digital cameras based on the Picture Transfer Protocol (PTP). When the user connects to the RD Session Host server, the redirected Plug and Play device installs automatically on the remote RDS server, and Plug and Play notifications appear in the notification area on the remote computer. If you select the Devices that I plug in later check box in the RDC client, the Plug and Play device is installed on the remote computer when you connect the device to the local computer during the remote desktop session. After the RD Session Host server installs the redirected Plug and Play device on the remote computer, the device is available for use in the session. For example, if a digital camera is redirected, you can access it from the Scanner and Camera Wizard on the remote computer in the Remote Desktop session.

Plug and Play device redirection is not supported over cascaded RDCs. This means that when you connect remotely to one RD Session Host server, and from within that session you connect to another RDS server, the second connection is cascaded. For example, you can redirect, and then use, a Plug and Play device attached to your local computer when you connect to a remote computer. However, if you connect to a second remote computer from the first one, you cannot redirect and use the Plug and Play device with the second computer.

Note: Due to security restrictions, you cannot copy a file from a remote computer to the root folder of a drive on the computer unless you are logged on using the default computer administrator account.

Note: You can control device redirection by using Group Policy settings.

Question: Can you redirect only the devices that are connected locally when you establish a remote connection?
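The Group Policy control mentioned in the note above can be checked on an RD Session Host by reading the values that the redirection settings write to the registry. The following audit is an added example, not part of the course material; the policy key and the value names (fDisableCdm and so on) are not given in this module and are supplied here as the names these settings use. It uses only PowerShell 2.0 syntax.

```powershell
# Added example: report which device-redirection classes Group Policy restricts
# on this RD Session Host. Key and value names are not from the course text.
$TsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Policy value -> device class. A value of 1 means redirection is not allowed.
$RedirectionValues = @(
    @{ Name = 'fDisableCdm';      Device = 'Drives' },
    @{ Name = 'fDisableCpm';      Device = 'Printers' },
    @{ Name = 'fDisableCcm';      Device = 'Serial (COM) ports' },
    @{ Name = 'fDisableLPT';      Device = 'LPT ports' },
    @{ Name = 'fDisableClip';     Device = 'Clipboard' },
    @{ Name = 'fDisablePNPRedir'; Device = 'Plug and Play devices (MTP/PTP)' }
)

function Get-RdsRedirectionPolicy {
    param([string]$Path = $TsPolicyKey)

    # The key is absent when no RDS policy has been applied to the computer.
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    foreach ($entry in $RedirectionValues) {
        $raw = $null
        if ($props) { $raw = $props.($entry.Name) }

        if     ($raw -eq 1) { $state = 'Blocked by policy' }
        elseif ($raw -eq 0) { $state = 'Allowed by policy' }
        else                { $state = 'Not configured (per-connection settings apply)' }

        New-Object PSObject -Property @{
            Device = $entry.Device
            Value  = $entry.Name
            State  = $state
        }
    }
}

# Drives and clipboard left unrestricted on a server that administrators
# connect to (such as NYC-DC1 in this module's demonstration) deserve a review.
Get-RdsRedirectionPolicy |
    Sort-Object State, Device |
    Format-Table Device, Value, State -AutoSize
```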

Demonstration: Using Device Redirection

Key Points
In this demonstration, you will see how to use the device redirection feature.

Demonstration steps:
1. On NYC-CL1, establish an RDC as Administrator to the NYC-DC1 server, without redirecting the printers to the session.
2. Verify that the local drives are redirected and available in the remote session.
3. Access the redirected C: drive. Verify that the files are on the local drive C, and then log off the RDC.

What Is RD Easy Print?

Key Points
The RD Easy Print feature enables you to print from a RemoteApp program or from a Remote Desktop session to the local or network printers that you configure on the client computer, without having to install printer drivers on the RD Session Host server. The RD Easy Print feature uses the print drivers installed locally on the client to print from an RD session, which results in a consistent printing experience between local and remote sessions. When you print from the RD session to a local printer, you can see the full printer properties dialog box from the client and you can access all of the printer functionality. The RD Easy Print universal driver acts as a proxy and redirects all printing-related work to the client, even if the drivers are not available on the RD Session Host server. RD Easy Print renders the document to be printed in XPS format on the RD Session Host server and then transfers it to the client, where the local print driver prints the document. Because XPS documents are platform-independent and you can create and print them on x86 and x64 platforms, there are no cross-platform compatibility issues when using RD Easy Print.

You can use Group Policy to configure RD printer redirection options, such as limiting the number of printers that are redirected to just the default printer or using the RD Easy Print printer driver first. To use the RD Easy Print feature, clients must run RDC 6.1 or newer and have at least Microsoft .NET Framework 3.0 Service Pack 1 installed. Both of these components are included with the current Windows operating systems and are available for download for Windows Vista and earlier client operating systems.

Accessing RemoteApp Programs from an External Network

Key Points
RD Gateway is a role service in the RDS role that allows authorized remote users to connect to RD Session Host and remote desktop computers that you host behind firewalls on private networks and across Network Address Translation (NAT) devices. More specifically, RD Gateway enables authorized remote users to connect to terminal servers, RD Session Host servers, and remote desktops on the corporate network from any Internet-connected device that is running RDC 6.0 or newer. RD Gateway tunnels all RDP traffic over HTTPS to provide a secure, encrypted connection. All traffic between the user's client computer and RD Gateway is encrypted while in transit over the Internet. When the perimeter network receives data through an external firewall, RD Gateway decrypts HTTPS and contacts the domain controller to authenticate the connection. RD Gateway also contacts the network policy server to verify whether the user can cross the gateway and contact the RDS host. If the user receives validation, and the connection is allowed, RD Gateway passes the RDP traffic to the destination host and establishes a security-enhanced connection between the user who sends the data and the destination host.

RD Gateway eliminates the need to configure VPN connections, enabling remote users to connect to the corporate network through the Internet, while providing a comprehensive security configuration model that enables you to control access to specific resources on the network. The RD Gateway Management snap-in console provides a single, one-stop tool that enables you to configure policies to define conditions that users must meet to connect to resources on the network.

RD Gateway:
• Provides a comprehensive security configuration model that enables you to control access to specific internal network resources.
• Provides a secure and flexible RDP connection that allows users to access resources to which their RDP host has access, and prevents remote users from having direct network connectivity to all internal network resources. This helps protect the internal resources.
• Enables remote users to connect to internal network resources that are hosted behind firewalls on private networks and across NAT devices.
• Enables you to configure authorization policies to define conditions for remote users to connect to internal network resources by using RD Gateway Manager.
• Enables you to configure RD Gateway servers and Remote Desktop clients to use Network Access Protection (NAP) to enhance security.
• Provides tools to help you monitor the RD Gateway connection status, health, and events. By using RD Gateway Manager, you can specify events, such as unsuccessful connection attempts to the RD Gateway server, that you want to monitor for auditing purposes.

Question: In which situations would you use RD Gateway?

Demonstration: Configuring RD Gateway

Key Points
To function correctly, RD Gateway requires that you install and run several other Windows Server 2008 R2 role services and features. When you install the RD Gateway role service, the required server roles and services are installed and started automatically, if they are not already installed. In this demonstration, you will see how to configure RD Gateway by performing the following steps:
• Install the TS Gateway role service.
• Obtain and configure an SSL certificate for the RD Gateway server.
• Create a Remote Desktop connection authorization policy (RD CAP).
• Create a Remote Desktop resource authorization policy (RD RAP).
• Limit the maximum number of simultaneous connections through RD Gateway (optional).

Demonstration steps:
1. On the NYC-SVR1 server, configure RD Gateway to use the external.contoso.msft digital certificate.
2. On the NYC-SVR1 server, create a new Connection Authorization Policy, and then name it Authorized Remote Users.
3. Allow RD Users to connect through RD Gateway, and accept default options for other settings.
4. On the NYC-SVR1 server, create a new Resource Authorization Policy, and then name it Authorized Target Computers.
5. Allow members of RD Users group to connect to computers in RD Web Computers group and accept other default settings.

Question: What will be the consequences if you skip one of the steps in configuring RD Gateway such as not configuring RD CAP?

Using Group Policy to Configure an RD Client

Key Points
Although you can set most RD connection properties by using the administrative tools or the RDC client, you might want to set them by using Group Policy. Using Group Policy typically is a simpler method for configuring RDS, especially in an environment with multiple RDS servers. Group Policy provides many RDS-related settings in Computer Configuration, as well as in User Configuration. They are available under Administrative Templates, in the Windows Components part of the Group Policy settings. By using Group Policy, you can configure the following properties:
• RD Licensing and Security settings, such as client connection encryption level and prompt for password.
• Remote Session and Environment settings, such as display resolution, color depth, font smoothing, or session time limits.
• RDC Client settings, such as trusted .rdp publisher.
• RD Client settings, such as redirection of devices, printers, and resources.

Do not forget that some Group Policy settings, such as Credentials Delegation, which is required for SSO, also apply to remote desktop sessions!

Note: RDS settings that you configure by using Group Policy take precedence over the user account properties that you configure in the Active Directory Users and Computers snap-in, and the per-connection settings that you configure by using the Remote Desktop Session Host Configuration snap-in.

Question: What is the result if you configure the same RDC Group Policy setting in the Computer Configuration node, as well as in the User Configuration node?

Lab: Configuring RDS and RemoteApp Programs

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Ensure that the 10324A-NYC-DC1, 10324A-NYC-SVR1, and 10324A-NYC-CL1 virtual machines are running. If required, connect to the virtual machines.
3. Log on to 10324A-NYC-DC1 and 10324A-NYC-SVR1 as Contoso\Administrator using the password Pa$$w0rd.
4. Log on to 10324A-NYC-CL1 as Contoso\ruser using the password Pa$$w0rd.

Exercise 1: Preparing the RDS Environment


Scenario
You have a Windows Server 2008 R2 server infrastructure. Security regulations require that certain applications are available only on central servers, so you need to provide RDS to your users. The main tasks for this exercise are:
1. Add the Remote Desktop Service role to the NYC-DC1 server.
2. Add the Remote Desktop Service role to the NYC-SVR1 server.
3. Configure Group Membership on the RD Session Host servers.

Task 1: Add the Remote Desktop Service role to the NYC-DC1 server
1. On NYC-DC1, add the Remote Desktop Session Host role service of the Remote Desktop Services role. Specify Require Network Level Authentication for Authentication Method, and then accept the default values for the other settings.
2. After the restart, log on to NYC-DC1 as Contoso\Administrator with Pa$$w0rd as password.

Task 2: Add the Remote Desktop Service role to the NYC-SVR1 server
1. On NYC-SVR1, add the Remote Desktop Session Host, Remote Desktop Connection Broker, and Remote Desktop Web Access role services of the Remote Desktop Services role. Specify Require Network Level Authentication for Authentication Method, and accept the default values for the other settings.
2. After the restart, log on to NYC-SVR1 as Contoso\Administrator with Pa$$w0rd as password.

Task 3: Configure Group Membership on the RD Session Host servers


1. On NYC-DC1, add the RD Web Computers group as a member to TS Web Access Computers group, and the RD Users group as a member to the Remote Desktop Users group.
2. On NYC-SVR1, add the RD Web Computers group as a member to the local TS Web Access Computers group, and add the RD Users group as a member to the local Remote Desktop Users group.

Results: After this exercise, you should have added the RDS role to the NYC-DC1 and NYC-SVR1 servers and configured group membership to allow access to the RD Web Access server.

Exercise 2: Publishing RemoteApp Programs


Scenario
After you prepare the RDS infrastructure, you want to provide users with access to available RemoteApp programs. You want to provide a central place from where users can see and access only the applications for which they have permissions. The main tasks for this exercise are:
1. Publish RemoteApp programs.
2. Configure Remote Desktop Connection Broker to aggregate a list of RemoteApp programs.
3. Configure Remote Desktop Web Access to use Remote Desktop Connection Broker.
4. Access Remote Desktop Web Access from the client.
5. Configure and test RemoteApp User Assignment.

Task 1: Publish RemoteApp programs


1. On NYC-DC1, use RemoteApp Manager to add Calculator and Paint to the RemoteApp Programs list.
2. On NYC-SVR1, use RemoteApp Manager to add WordPad and Notepad to the RemoteApp Programs list (Notepad is in the Windows\System32 folder).

Task 2: Configure Remote Desktop Connection Broker to aggregate a list of RemoteApp programs
On NYC-SVR1, add NYC-DC1.contoso.com and NYC-SVR1.contoso.com as a RemoteApp source name in Remote Desktop Connection Manager.

Task 3: Configure Remote Desktop Web Access to use Remote Desktop Connection Broker
1. On NYC-SVR1, use Remote Desktop Web Access Configuration to configure RD Web Access to use NYC-SVR1.contoso.com as the RD Connection Broker server.
2. Verify that the Enterprise Remote Access Web page displays four RemoteApp published applications.

Task 4: Access Remote Desktop Web Access from the client


1. On NYC-CL1, connect to https://NYC-SVR1.contoso.com/RDWeb in Internet Explorer, and then log on as Contoso\ruser with Pa$$w0rd as password.
2. Start the Notepad RemoteApp program.
3. Verify that the RemoteApp program looks and behaves as if it was installed locally, and then close Notepad.

Task 5: Configure and test RemoteApp User Assignment


1. On NYC-SVR1, use RemoteApp User Assignment to assign WordPad to contoso\Administrator.
2. On NYC-CL1, refresh the Web page in Internet Explorer and verify the number of listed RemoteApp programs.
3. On NYC-DC1, select Hide in RD Web Access for the Paint RemoteApp program.
4. On NYC-CL1, refresh the Web page in Internet Explorer, and then verify the number of listed RemoteApp programs.

Results: After this exercise, you have several published RemoteApp programs on two RD Session Host servers. You also have configured RD Web Access to use RD Connection Broker, which aggregates a list of available RemoteApp programs, and you tested access to the RD Web Access Web page and RemoteApp User Assignment.

Exercise 3: Accessing Published RemoteApp Programs


Scenario
After you provide the RD Web Access Web portal to users, you discover that users do not have a seamless experience when running RemoteApp programs. You want to change that, so that users do not receive multiple prompts when they start remote applications. Additionally, to reduce training costs, you want to provide shortcuts to the remote application on the desktops of users, and you want to integrate the available RemoteApp programs on the Start menu. The main tasks for this exercise are:
1. Configure digital signing of .rdp files on RD Session Host servers.
2. Configure SSO for accessing RD Session Host servers.
3. Configure a trusted .rdp publisher.
4. Package a RemoteApp program as a Windows Installer package.
5. Install and test the RemoteApp Windows Installer package.
6. Implement RemoteApp and Desktop Connections.

Task 1: Configure digital signing of .rdp files on RD Session Host servers


1. On NYC-SVR1, configure a Digital Signature for .rdp files by selecting the digital certificate for NYC-SVR1.contoso.com.
2. On NYC-DC1, configure a Digital Signature for .rdp files by selecting the digital certificate for NYC-DC1.contoso.com.
3. On NYC-CL1, refresh the Web page in Internet Explorer.

Task 2: Configure SSO for accessing RD Session Host servers


On NYC-CL1, enable Credentials Delegation in Local Group Policy. To find this setting in Local Group Policy, expand Computer Configuration, expand Administrative Templates, expand System, and then click Credentials Delegation. Enable the Allow Delegating Default Credentials setting and enter TERMSRV/* as the Value. You need to click the Show... button first.
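The wildcard entered in this task, and the Allow Delegating Default Credentials setting named in the SSO requirements earlier in the module, can be audited on a client with the following added example, which is not part of the course material. The registry path is an assumption about where Group Policy stores the setting, and the scope labels are names chosen for this example; the script uses only PowerShell 2.0 syntax so that it runs on the Windows 7 lab client.

```powershell
# Added example: list the servers to which this client will delegate the
# logged-on user's default credentials, and how broad each entry is.
# Assumption: Group Policy stores the setting under this key.
$CredDelegationKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-DelegationScope {
    param([Parameter(Mandatory = $true)][string]$Spn)
    # Classify an entry of the form SERVICE/host-pattern by how many hosts it covers.
    $s = $Spn.Trim()
    if     ($s -eq '*')                        { 'AnyServiceAnyHost' }
    elseif ($s -match '^[^/*]+/\*$')           { 'AnyHost' }
    elseif ($s -match '^[^/*]+/\*\.[^*/]+$')   { 'DomainSuffix' }
    elseif ($s -match '^[^/*]+/[^*/]+$')       { 'SingleHost' }
    else                                       { 'Unrecognized' }
}

function Get-DefaultCredentialDelegation {
    param([string]$Path = $CredDelegationKey)

    $policy  = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $listKey = Join-Path $Path 'AllowDefaultCredentials'

    # Setting disabled or not configured: nothing is delegated by this policy.
    if (-not $policy -or $policy.AllowDefaultCredentials -ne 1) { return }
    if (-not (Test-Path $listKey)) { return }

    # Each value under the subkey holds one entry from the policy's Show... list.
    $key = Get-Item -Path $listKey
    foreach ($name in $key.GetValueNames()) {
        $spn = [string]$key.GetValue($name)
        New-Object PSObject -Property @{
            Spn   = $spn
            Scope = (Get-DelegationScope -Spn $spn)
        }
    }
}

# Constructed sample entries showing the scopes an administrator can choose from:
# every RD server, every RD server in one DNS domain, or one named server.
'TERMSRV/*', 'TERMSRV/*.contoso.com', 'TERMSRV/NYC-SVR1.contoso.com' | ForEach-Object {
    '{0,-32} {1}' -f $_, (Get-DelegationScope -Spn $_)
}

# Entries actually configured on this computer. Anything wider than SingleHost
# lets SSO delegate credentials to every matching server the user connects to.
Get-DefaultCredentialDelegation |
    Where-Object { $_.Scope -ne 'SingleHost' } |
    Format-Table Spn, Scope -AutoSize
```

Outside a lab, the narrower DomainSuffix or SingleHost forms limit delegation to the RD Session Host servers that users are meant to reach.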

Task 3: Configure a trusted .rdp publisher


1. On NYC-CL1, enable the Specify SHA1 thumbprints of certificates representing trusted .rdp publishers Local Group Policy setting. To find this configuration, expand Computer Configuration, expand Administrative Templates, expand Windows Components, expand Remote Desktop Services, and then click Remote Desktop Connection Client.
2. On NYC-CL1, switch to Internet Explorer, and copy the value of the Thumbprint field for the NYC-SVR1.contoso.com computer certificate that you want to use to sign .rdp files.

Note: Do not highlight the leading or ending space in the thumbprint box!

3. Paste the Thumbprint field value into the Comma-separated list of SHA1 trusted certificate thumbprints entry box of the Group Policy setting.
4. On NYC-CL1, in Internet Explorer, click Notepad, and then verify that it starts without any prompts.
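The note in this task warns about stray characters around the 40 hexadecimal digits of the thumbprint. The following added example, which is not part of the course material, cleans a copied thumbprint and checks the entries of the trusted .rdp publisher policy for anything other than 40 hexadecimal digits; the registry key and value name are assumptions about where this policy is stored, and the sample thumbprint is constructed.

```powershell
# Added example: normalise a thumbprint copied from the certificate dialog and
# flag entries in the trusted .rdp publisher list that are not clean.
# Assumption: the policy is stored in this key and value.
$TsPolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$TsPolicyName = 'TrustedCertThumbprints'

function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory = $true)][string]$Text)
    # Keep hex digits only: removes spaces, line breaks and invisible characters.
    $clean = ($Text -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits for a SHA1 thumbprint, found $($clean.Length)."
    }
    $clean
}

function Get-TrustedRdpPublisherPolicy {
    # Returns the raw comma-separated list, or nothing if the policy is not set.
    (Get-ItemProperty -Path $TsPolicyKey -ErrorAction SilentlyContinue).$TsPolicyName
}

function Get-TrustedRdpPublisherEntry {
    param([string]$PolicyValue)
    if (-not $PolicyValue) { return }

    foreach ($raw in ($PolicyValue -split ',')) {
        New-Object PSObject -Property @{
            Raw        = $raw
            Clean      = ($raw -replace '[^0-9A-Fa-f]', '').ToUpper()
            WellFormed = ($raw -match '^[0-9A-Fa-f]{40}$')
        }
    }
}

function Test-TrustedRdpPublisher {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [string]$PolicyValue
    )
    # True only when a well-formed policy entry equals the cleaned thumbprint.
    $want = ConvertTo-CleanThumbprint -Text $Thumbprint
    $hit  = Get-TrustedRdpPublisherEntry -PolicyValue $PolicyValue |
            Where-Object { $_.WellFormed -and $_.Clean -eq $want }
    [bool]$hit
}

# Constructed sample: a thumbprint as copied from the dialog (leading space,
# spaces between bytes) and a policy list holding it both as-is and cleaned.
$copied = ' 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33'
$clean  = ConvertTo-CleanThumbprint -Text $copied
$policy = "$copied,$clean"

Get-TrustedRdpPublisherEntry -PolicyValue $policy |
    Format-Table WellFormed, Raw -AutoSize
Test-TrustedRdpPublisher -Thumbprint $copied -PolicyValue $clean

# Entries in the live policy on this computer that need to be re-entered.
Get-TrustedRdpPublisherEntry -PolicyValue (Get-TrustedRdpPublisherPolicy) |
    Where-Object { -not $_.WellFormed } |
    Format-Table Raw, Clean -AutoSize
```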

Task 4: Package a RemoteApp program as a Windows Installer package


1. On NYC-SVR1, create a Windows Installer package for the WordPad RemoteApp program. Select to create a shortcut on the Desktop, and then associate client extensions with the RemoteApp program.
2. Share C:\Program Files\Packaged Programs with default permissions.

Task 5: Install and test the RemoteApp Windows Installer package


1. On NYC-CL1, install \\nyc-svr1\Packaged Programs\wordpad.msi.
2. Start WordPad from the desktop, and then verify that it opens without any prompt. Close WordPad.
3. On the desktop, create a file called Report.docx, and then double-click it. Verify that the file opens in the WordPad RemoteApp program, and then close WordPad.

Task 6: Implement RemoteApp and Desktop Connections


1. On NYC-CL1, set up a new connection with RemoteApp and Desktop Connections, and specify https://NYC-SVR1.contoso.com/RDweb/Feed/webfeed.aspx as the Connection URL.
2. Verify that there is a new program group, RemoteApp and Desktop Connections, available in All Programs on the Start menu.

Results: After this exercise, you have configured digital signing for .rdp files, configured a trusted .rdp publisher, and enabled SSO for the NYC-CL1 computer. You also created a Windows Installer package for a RemoteApp program, installed it, and tested how RemoteApp and Desktop Connections works.

To prepare for the next lab


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machines used in this lab, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

Module Review and Takeaways

Review Questions
1. Do you need to install the RDS role if you only want to provide Remote Desktop access for remote administration?
2. Is the RD Web Access role service required if you want to provide RemoteApp program access for your clients?
3. Can you connect from Windows Vista SP1 client to RD Session Host server on Windows Server 2008 R2?
4. How can you control who sees the RemoteApp program link on the RD Web Access Web page?
5. What benefits does SSO provide when you run RemoteApp programs and where can you configure it?
6. Does RD Gateway provide full end-to-end protection of RDP traffic?

Common Issues and Troubleshooting Tips Related to RDS


Identify the causes for the following common issues related to RDS and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module.

Issue: Users can connect to the RD Session Host server from Windows 7 and Windows Vista clients, but they cannot connect from Windows XP clients.
Troubleshooting tip:

Issue: When users establish a Remote Desktop session with RD Session Host, they cannot use any of the Windows 7 features, like desktop themes and photo management.
Troubleshooting tip:

Issue: When users establish an RD session from a Windows 7 client, they can see the Aero Glass effect in the session. However, when the same users establish an RD session from a Windows Vista client, the Aero Glass effect is not available.
Troubleshooting tip:

Issue: Several users can see a published RemoteApp program on the RD Web Access Web page, while other users cannot.
Troubleshooting tip:

Issue: When users start RemoteApp programs, they always receive prompts for their credentials.
Troubleshooting tip:

Issue: Users can open data files in a RemoteApp program, but when they double-click on the same file in Windows Explorer, the RemoteApp program does not start.
Troubleshooting tip:

Module 11
Implementing User State Virtualization
Contents:
Lesson 1: Overview of User State
Lesson 2: Configuring Roaming Profiles and Folder Redirection
Lab: Implementing User State Virtualization

Module Overview

User state virtualization is a concept that allows administrators to provide more flexible client environments, and to give users the ability to have their documents and settings follow them from computer to computer. This concept also makes it easier to back up and centralize user data, as well as to prevent data loss. By virtualizing user state, you give users the ability to have their data always with them, no matter which machine they log on to. This technology can be combined with other virtualization technologies. This module discusses technologies that provide user state virtualization and the various ways to provide virtualization. This module also discusses how to configure roaming profiles and user folder redirection as part of user state.

Lesson 1

Overview of User State

User state consists of several operating system files from users' documents, data, and settings. The user state represents the whole environment that makes a user unique to the system. Many users spend significant time customizing and configuring environment items such as desktop wallpaper, screen savers, and other unique Windows operating system elements. They usually expect these settings to be available to them, no matter which computer they use. Files and settings that contain user state are usually stored locally on the computer where the user is working. They can also be placed on a network location, so that they follow the user to every computer that the user logs on to. This lesson discusses user state and user profiles, their types, and usage scenarios.

What Is User State?

Key Points
User state is a general term that describes several categories that determine the user environment, user data, and settings. User state cannot be identified in one specific file or setting; rather, it represents a set of various files and settings. In operating systems such as Windows Vista and Windows 7, the user state separates the user environment, files, and settings from files and settings specific to the installed operating system, as well as from those belonging to applications. Also, user state is specific to each user of a computer, which means that every user has their own user state that is mostly independent of other users.

The user state includes users' data as well as application or operating system configuration settings. Traditionally, users' PCs contain the authoritative copy of users' data and settings.

Note: User state is often equated with a user profile. However, when it comes to virtualization, the term user state is used to describe the process of how data from a user profile moves with the user.

User state consists of four main categories of data:
• User settings. This component of user state describes all settings that the user has personalized after the operating system is installed.
• User Registry. This is the part of the machine's registry that is specific to each user. The registry node HKEY_CURRENT_USER (HKCU) stores settings that are specific to the currently logged-in user. The HKCU key is a link to the subkey of the HKEY_USERS node that corresponds to the user. The same information is accessible in both locations. On Windows Vista and Windows 7 based systems, each user's settings are stored in their own files called NTUSER.DAT and USRCLASS.DAT inside their own Users folder on the boot volume. Settings in this node follow users with a roaming profile from machine to machine.
• Application data. This is one of the folders that are part of user state. This folder contains mostly application settings specific to a user. For example, if a user installs Microsoft Word and personalizes its settings to fit his needs (for example, adjusts toolbars or sets the language), these settings are stored in the Application Data folder. In Windows 7, this folder is called AppData and it is stored inside the user's profile folder. In previous versions of Windows, such as Windows XP, the Application Data folder stores application-related data with little or no separation of user-related and computer-related application settings. In Windows 7, the AppData folder replaces Application Data and provides a high degree of separation for user-related and computer-related application settings.
• User data. This component contains all user-specific data, such as files in the My Documents folder, Favorites folder, Pictures folder, and so on.

Question: What is the main difference in handling user state in Windows XP compared with Windows Vista and Windows 7?

Benefits and Challenges of User State Virtualization

Key Points
Before discussing virtualization of user state, let us discuss some main challenges to user state management in general. There are three main challenges with managing the user state. The first challenge is how to back up user data and settings that are scattered from PC to PC, and then restore users' productivity after a computer replacement or after a laptop is lost or stolen. Many users make a lot of changes to their environment, and save a lot of data inside their user profiles. Because files are stored locally, it might be hard to back up this data, as well as to restore it on a new PC if necessary.

The second challenge is how to migrate the user state during operating system migrations. Currently, this challenge is mostly addressed by using the Windows Easy Transfer and User State Migration Tool (USMT) utilities. While Windows Easy Transfer is mostly intended for single use, USMT can be used in enterprises during operating system migrations. However, users might not be aware of or familiar with these utilities, and using them requires additional time and resources.

The final challenge is how to make the data available to the user regardless of the PC being used. In many companies, users work on several computers, sometimes even in different office locations. It can be difficult to give a user access to his data and settings all the time and on every computer. Also, if you want to provide users with the same environment when they are using Remote Desktop Services (RDS) with Terminal Services or with Virtual PC (like Windows XP Mode), it might be difficult to achieve that if user profiles are located locally.

In any case, user state virtualization provides a solution. With user state virtualization, organizations store users' data and settings in a central location (and, optionally, cache them locally for offline usage when users are mobile). That location is usually a network share on a file server or Storage Area Network (SAN). The result is that users are free to roam, and their data and settings follow them from computer to computer. The whole point of this concept is to separate data that is user-specific (and can roam) from data that is computer-specific and must be stored locally. User state virtualization can also mitigate the productivity loss of a PC replacement. The central copy of the data is on the network, so it is easily restored in case of a lost or stolen PC, and the user's settings can be re-applied automatically.
When the IT department sets up the policy to allow offline access to the redirected folder, Windows BitLocker Full Volume Encryption can be applied to the PC to help ensure data safety. A typical example of this type of virtualization is using Windows with Windows 7 Folder Redirection with Offline Files and a Roaming User Profile, which will be discussed later.


Core technologies that enable user state virtualization are:
• Roaming Profiles
• Folder Redirection
• Offline Files

These technologies are enhanced in Windows Server 2008 R2 and Windows 7 and will be discussed in later topics and lessons.

Question: How does your company address the user state management challenges presented in this topic?


What Is a User Profile?

Key Points
A user profile consists of a folder hierarchy (or namespace), files, junctions, and registry settings that store the appropriate and often personalized settings for a user's computer and application environment. In Windows Vista and Windows 7, the user profile is located in the %SystemDrive%\Users folder, on the partition where the operating system is installed, and its registry settings are kept in the NTUSER.DAT file. The user profile folder is always named after the user's logon name, and it contains several folders. Some of these folders are hidden and can be viewed only after the option for showing hidden files and folders is enabled, while others are accessible by default.

The first time a user logs on to a computer, the Windows operating system creates the desktop environment according to various defaults and administrator-configured settings. Any changes made to that environment during the session are saved automatically when the user logs off, thereby ensuring that the settings are available for future sessions. However, other users can also log on to that same machine and create their own environment.


User environment settings defined in a user profile include the following:
• The appearance and behavior of the user's desktop
• Settings for applications that have been configured by the user
• Documents, pictures, music, and other data files belonging to the user
• The user's favorites in Microsoft Internet Explorer
• Any other user-specific application settings and data

Besides the folders that contain user documents, in Windows Vista and Windows 7 the user profile has a new folder called AppData that separates local and roaming data through appropriate subfolders. This approach is new to Windows Vista and Windows 7. These subfolders are:
• Local. This folder contains application settings and data that are computer-specific. This data should not roam, or is too large to roam. The content of this folder is essentially the same as the content of the Local Settings\Application Data folder that was used in Windows XP.
• Roaming. This folder contains data and settings that roam when Roaming user profiles are configured and used. Data inside this folder is not computer-dependent, so it can roam with the user from computer to computer. The content of this folder is the same as the content of the Application Data folder in the root folder of the user profile in Windows XP.
• LocalLow. This folder has a very specific purpose. It did not exist in Windows XP. Data stored in this folder is written by processes that could potentially compromise operating system security or functionality. For example, applications running within Internet Explorer Protected Mode use this location for their data and settings.

In general, there are two main types of user profiles: Local and Roaming. Local profiles are located on the user's machine and cannot be moved automatically to another machine without using specific utilities such as Easy Transfer or the User State Migration Tool (USMT). Roaming profiles are located on a network location, and they are used on each machine where the user logs on. Both Local and Roaming profiles have additional profile subtypes, which will be discussed later.


How Does a User Profile Work?

Key Points
When a user logs on for the first time, Windows creates their initial profile by using either the default local profile or the default network profile, depending on how the system is configured. Windows connects to the specified profile path (locally it is %SYSTEMDRIVE%\Users) and creates a subfolder beneath that path that matches the user's account name. The same happens on the network profile location, if one is specified. After the subfolder is created, Windows assigns full-control NTFS file system permissions on the subfolder to the user account, and marks the user account as the folder owner. This process creates the structure of the user profile folder.

Initially, the content of the default profile (either local or network) is copied into the user's profile folder, while the folders that contain user data (such as Documents and Pictures) are mostly empty. Now the user can begin to customize their settings and environment, and to store data inside their profile.

The registry node HKEY_CURRENT_USER (HKCU) plays a very important role in working with user profiles. All settings related to the user-specific environment are stored in the registry while the user is logged on. All changes to the user environment are also reflected in the registry.


Each time a user logs on, the content of the NTUSER.DAT file is loaded into the HKCU registry node. During the user session, when the user changes their environment, the changes are made in the registry. When the user logs off, the changes are saved back to the NTUSER.DAT file, so they are retained for future use. Because each user has their own NTUSER.DAT file, each user can have their own set of settings, loaded into the HKCU registry node while the user is logged on.

However, some settings are common to all users of one computer. For example, an application installed on a computer might be used by all users, so it creates its shortcut in a common location in the Start Menu or on the Desktop. For that purpose, a profile called Public is used in Windows Vista and Windows 7 (earlier, it was the AllUsers profile in Windows XP). The content of this profile is accessible to all users of the computer. Unlike regular profiles, this profile does not have a specific registry node, because it is never loaded directly. Settings contained in this profile are written to HKEY_LOCAL_MACHINE (HKLM), and they are applied to each user who logs on to that computer.

If, for any reason, a user profile cannot be loaded into the registry, a temporary user profile is used. Temporary profiles are deleted at the end of each session, and changes made by the user to their desktop settings and files are lost when the user logs off. If a user is logged on with a temporary profile, a warning message is issued at logon. Logging on with a temporary profile is not normal, and it requires troubleshooting.

It is also important to know that not all user data is stored in the registry. Inside the user's profile there are several folders that contain user documents, such as music and pictures. This data can also be virtualized by using folder redirection, which will be discussed in Lesson 2.

Logging On to a Terminal Server


If a user logs on to a computer through a terminal session, the procedure for loading the user profile is slightly different. Besides the HKCU registry node, HKLM is also used in this scenario. The key HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList contains a list of all currently logged-on users with the profiles that they are using. In this registry node, users are identified by their security identifiers (SIDs), but you can easily identify a user by browsing the node, because you will find the location of the user's roaming profile there.

Question: From the perspective of user profiles, what is the main difference between HKCU and HKLM?
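Browsing the ProfileList key by hand can be replaced by a short script. The following PowerShell is an added example, not part of the course material: it lists each SID under the key together with the account name, the local profile path (ProfileImagePath value) and the roaming profile path (CentralProfile value). Treating a ".bak" key suffix as a hint for a set-aside profile is an assumption noted in the code.

```powershell
# Added example: list the profiles registered under ProfileList on this computer.
# Run from an elevated prompt so that every subkey can be read.
$profileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Resolve-SidToAccount {
    param([string]$Sid)
    try {
        $sidObject = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $sidObject.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch {
        # Deleted accounts or an unreachable domain leave the SID unresolved.
        return '<unresolved>'
    }
}

function Get-RegisteredProfile {
    Get-ChildItem -Path $profileListKey | ForEach-Object {
        $keyName = $_.PSChildName
        $values  = Get-ItemProperty -Path $_.PSPath

        # Assumption: a ".bak" suffix marks a profile entry that Windows set aside,
        # which is worth checking when a user reports a temporary profile.
        $isBackup = $keyName -like '*.bak'
        $sid      = $keyName -replace '\.bak$', ''

        New-Object PSObject -Property @{
            Account     = Resolve-SidToAccount -Sid $sid
            Sid         = $sid
            LocalPath   = $values.ProfileImagePath   # local copy of the profile
            RoamingPath = $values.CentralProfile     # empty for purely local profiles
            BackupKey   = $isBackup
        }
    }
}

Get-RegisteredProfile |
    Select-Object Account, Sid, LocalPath, RoamingPath, BackupKey |
    Sort-Object Account |
    Format-Table -AutoSize
```

An entry whose RoamingPath is empty is a local profile; an entry with BackupKey set to True is a starting point for temporary-profile troubleshooting.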


Types of User Profiles

Key Points
There are several user profile types available in Windows Vista and Windows 7, used in various scenarios. In general, Local and Roaming user profiles are the main types, but both have subtypes. These types are:
• Default profile. Windows stores a default profile in the C:\Users\Default folder. Windows uses this default profile to build the user's initial desktop environment. This default profile can also be stored on a domain controller in the Netlogon shared folder.

Note: It is recommended to use Group Policy to configure the Default Profile path. Also, some issues may arise if you have different versions of client operating systems.


• Local user profile. As described earlier, when a user logs off, their desktop environment is saved in a local user profile file (NTUSER.DAT). This profile is used the next time the user logs on to the same computer. The local user profile is not accessible if the user logs on to a different computer. Local user profiles are stored in the C:\Users folder, in a subfolder that matches the user's account name.
• All Users/Public. Previous Windows versions provided the All Users desktop profile. Windows Vista and Windows 7 replace All Users with the Public profile. Windows merges the Public profile folder contents (for example, Desktop and Start menu) with the user's own profile during logon.
• Roaming profile. Domain user accounts can be configured with a roaming profile location. When the user logs off, the desktop environment is saved to the designated folder so that it is available at the next logon, even if that logon is to a different computer. Roaming profiles will be discussed in more detail in later topics.
• Temporary user profile. A temporary user profile is issued each time an error condition prevents the user's profile from loading. Temporary profiles are deleted at the end of each session, and changes made by the user to desktop settings and files are lost when the user logs off.
• Mandatory profile. A mandatory profile is a read-only version of a roaming profile that is preconfigured and secured by the network administrator to ensure a consistent look and behavior for all users. Users cannot modify settings in a mandatory profile. When a user account is configured to use a mandatory profile, the profile content is downloaded from the network share each time the user logs on to a machine, just as with roaming profiles. However, if the user makes changes during the session, these changes are not stored in the profile when the user logs off. At the next logon, the user is presented with the original settings and environment specified in the mandatory profile. You can create mandatory profiles in a similar way to roaming profiles. If Windows cannot successfully load the mandatory profile, the user can still log on. Windows creates a transient profile in this situation, but this condition usually needs troubleshooting.

Note: If you use mandatory profiles, you must configure folder redirection to allow users to save files to the personal folders that are part of their profile, because no changes can be made to a mandatory profile.


• Super mandatory profile. The super mandatory profile is a mandatory profile with extra security. Unlike with a mandatory profile, a user who is configured to use a super mandatory profile cannot log on if the super mandatory profile is not available or cannot be loaded into the registry for any reason. Therefore, super mandatory user profiles should be used only in environments in which the network infrastructure is very reliable and the presence of the user profile is critical.
• Special identity profiles. In Windows Vista and Windows 7, special identities are used for service accounts such as Local System, Local Service, and Network Service. These accounts also use profiles, which are stored in the following locations:
  LocalSystem - %WinDir%\system32\config\systemprofile
  LocalService - %WinDir%\serviceprofiles\Localservice
  NetworkService - %WinDir%\serviceprofiles\Networkservice

Question: In which scenarios should you use super mandatory profiles?


Demonstration: Exploring User Profiles

In this demonstration, your instructor will show you how to access and browse user profile folders, and how to use roaming and mandatory profiles.

Demonstration steps:
1. Unhide protected/hidden files and folders by using the Control Panel Folder Options applet on NYC-DC1.
2. Browse to the folder C:\Users\Administrator and see the folder structure.
3. Create a folder called Profiles on NYC-DC1 and share it as Profiles with Authenticated Users.
4. Create a folder called mandatory.v2 within the Profiles folder.
5. From the NYC-CL1 computer, copy the default profile to the \\NYC-DC1\Profiles\mandatory.v2 location. After the files are copied, browse this folder on NYC-DC1 and rename the file NTUSER.dat to NTUSER.man.
6. In the Active Directory Users and Computers console, configure Candy Spoon to have her profile located at \\NYC-DC1\Profiles\%username%. Configure Terri Chudzik to have her profile located at \\NYC-DC1\Profiles$\mandatory.
7. Log on to NYC-CL1 as Candy Spoon, make some changes to the desktop environment, and log off.
8. Log on to NYC-CL2 as Candy Spoon, and verify that all changes that were made on NYC-CL1 are retained.
9. Log on to NYC-CL1 as Terri, and make some changes to the desktop environment.
10. Log off and log back on, and verify that no changes are retained.


Lesson 2

Configuring Roaming Profiles and Folder Redirection

Roaming profiles and Folder Redirection are two technologies that provide companies with the ability for users to roam between computers and access their personalized desktop environments with their personal data and settings. Corporate roaming also provides enterprises with flexibility in seating arrangements. Users need not be guaranteed the same computer each time they come to work, such as in a call center where users have no assigned desk or seating and must therefore share computers with other users at different times or on different days, but still want to retain their personal settings and data.


How Roaming Profiles Work

Key Points
Roaming User Profiles allow enterprises to store users' profiles in a central network location instead of locally on client computers. The structure of a roaming profile is the same as that of a local profile; however, its location is not. The main benefit of storing user profiles on a network location is that users can access their desktop, application settings, and data from any computer they have access to.

When a user logs on to a machine, the roaming profile is loaded from the network instead of the local NTUSER.DAT file being loaded into the registry. During the session, the user might change their environment, and create and save data. All these changes are copied to the roaming profile location after the user logs off, so they are retained for the next session. Also, if a user changes computers, all data and settings remain available, because the roaming profile is used from the network.


Creating and Using Default Network Profile


Just as local user profiles can be replaced with roaming profiles, you can also replace the default local profile with a default network profile. As explained earlier, the default profile is used to create a new user profile. It is used only once for each user, during the first logon. The default location for this profile is C:\Users\Default. However, you can also configure this profile to be on a network location, so that each user uses the same default profile for the creation of their roaming or local profile.

If the computer is joined to a domain, Windows first checks whether there is a default network user profile. In Windows Vista and Windows 7, the default network user profile must be named Default User.v2 and stored in the Netlogon folder on a domain controller. Default network user profiles are optional. You do not need to create them if you do not want to. Also, it is not mandatory to use a default network profile if you are using roaming profiles, and vice versa.

Question: When should you use a default network profile?


Configuring Roaming User Profiles

Key Points
Roaming profiles are not enabled by default. You must first prepare the infrastructure before you enable user accounts to use roaming profiles. Before you create a roaming user profile, you need to create each user account. Then, log on to a server as an administrator to create a network share to store the roaming user profiles, designate the groups of users to receive the roaming user profiles, and grant all users Full Control permissions. Let us discuss the steps that need to be performed to configure roaming user profiles and enable users to use them.


First, we need to prepare the storage location for roaming profiles. To do that, complete the following steps:
1. Create a shared folder. Create a shared folder on an appropriate file server. In a large organization, you might use a departmental server to host this shared folder. In a smaller organization with a single server, you might use the domain controller to host the shared folder. The folder should be identifiable, and therefore use a recognizable share name such as Profiles. If you have many users, you might need to create a shared folder for roaming profiles on multiple servers or use DFS to achieve better availability.
2. Secure the shared folder. Users require at least Change permissions on the shared folder. Therefore, remove the default shared folder permission, and enable the Allow Change permission for the Authenticated Users group.

After the location is prepared, configure the user accounts to use roaming profiles. Do the following:
1. On the domain controller, open Active Directory Users and Computers.
2. Locate the user account, and then modify the profile path for the user.
3. When configuring a user account to use a roaming profile, you typically designate a Universal Naming Convention (UNC) path that includes the variable %username%. For example, you can specify the path \\sea-dc1\profiles\%username%, where the user's name is substituted for the username variable when the profile is created during the logoff process.
4. Windows then creates a folder named username.v2 in the parent shared folder.
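The account-side steps above can also be done in bulk. The following PowerShell is an added example, not part of the course material: it sets the profile path for every user in one group by using the ActiveDirectory module, substitutes the logon name itself instead of relying on %username%, and leaves accounts alone that already point somewhere else (for example, at a mandatory profile). The server, share and group names are placeholders, and the share from the first procedure is assumed to exist already.

```powershell
# Added example, not from the course material.
# Server, share and group names used below are placeholders.
Import-Module ActiveDirectory

function Set-RoamingProfilePath {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$ProfileRoot,  # e.g. \\FILESERVER1\Profiles
        [Parameter(Mandatory = $true)][string]$Group,        # group that receives roaming profiles
        [switch]$Force                                       # overwrite a different existing path
    )

    # The root must be a reachable UNC path; only this parent share is created
    # by the administrator, Windows creates the per-user folders itself.
    if ($ProfileRoot -notmatch '^\\\\[^\\]+\\[^\\]+') {
        throw "Profile root '$ProfileRoot' is not a UNC path."
    }
    if (-not (Test-Path -LiteralPath $ProfileRoot)) {
        throw "Profile root '$ProfileRoot' is not reachable."
    }
    $root = $ProfileRoot.TrimEnd('\')

    $members = Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' }

    foreach ($member in $members) {
        $user    = Get-ADUser -Identity $member.distinguishedName -Properties ProfilePath
        $desired = "$root\$($user.SamAccountName)"

        if ($user.ProfilePath -eq $desired) {
            $status = 'Unchanged'
        }
        elseif ($user.ProfilePath -and -not $Force) {
            # A different path is already configured; do not overwrite it silently.
            $status = 'Skipped (other path set)'
        }
        elseif ($PSCmdlet.ShouldProcess($user.SamAccountName, "Set profile path to $desired")) {
            Set-ADUser -Identity $user -ProfilePath $desired
            $status = 'Updated'
        }
        else {
            $status = 'Not applied'
        }

        New-Object PSObject -Property @{
            User        = $user.SamAccountName
            CurrentPath = $user.ProfilePath
            DesiredPath = $desired
            Status      = $status
        }
    }
}

# Preview the changes first, then run again without -WhatIf:
# Set-RoamingProfilePath -ProfileRoot '\\FILESERVER1\Profiles' -Group 'Roaming Profile Users' -WhatIf
```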

Best Practices for Roaming Profiles


To optimize the logon process and to help ensure trouble-free user profile processing, consider the following points when planning user profiles:
• Exclude folders such as the Documents folder from the roaming profile. To ensure that roaming profiles are loaded quickly and efficiently, consider excluding frequently used folders, such as Documents, from the user's roaming profile. Availability of these folders can be achieved through the folder redirection feature.
• Do not use the Encrypting File System (EFS) with roaming profiles. EFS is not compatible with roaming profiles. If you encrypt user profile folders with EFS, the user's profile will not roam.


• Do not use offline folders on roaming profile shares. You must disable offline folder caching for the roaming user profile shared folders. Failure to do so may result in synchronization problems when both the offline folders and roaming user profiles try to synchronize files in a user's profile.
• Use folder redirection for data folders when logging on to both Windows XP and Windows 7. Because of the significant differences in profile structure between Windows XP and Windows Vista, consider using folder redirection.
• Create only the root profile share, and let Windows create the folders for each user. This ensures that the appropriate file permissions are assigned. Failure to observe this recommendation could result in users having either excessive permissions in other users' profile folders, or insufficient permissions in their own profile folders.
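The last point is the one with a direct security consequence, and it can be checked after the fact. The following PowerShell is an added example, not part of the course material: it walks the per-user folders under a profile share and reports folders whose owner is not the matching user or that grant access to anyone else. It assumes a single domain, folder names equal to the logon name with an optional .v2 suffix, and a short list of principals that are acceptable besides the owner; the share and domain names are placeholders.

```powershell
# Added example, not from the course material.
# Share name, domain name and the list of tolerated principals are assumptions.
$profileRoot  = '\\FILESERVER1\Profiles'
$domainName   = 'CONTOSO'
$allowedExtra = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')

function Get-ProfileFolderFinding {
    param(
        [string]$Root,
        [string]$Domain,
        [string[]]$AllowedExtra
    )

    Get-ChildItem -Path $Root | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $folder   = $_
        # Windows Vista and Windows 7 append ".v2" to the logon name.
        $userName = $folder.Name -replace '\.v2$', ''
        $expected = "$Domain\$userName"
        $issues   = @()

        try {
            $acl = Get-Acl -Path $folder.FullName -ErrorAction Stop

            if ($acl.Owner -ne $expected) {
                $issues += "owner is $($acl.Owner)"
            }
            foreach ($ace in $acl.Access) {
                $who = $ace.IdentityReference.Value
                if ($ace.AccessControlType -eq 'Allow' -and
                    $who -ne $expected -and
                    $AllowedExtra -notcontains $who) {
                    $issues += "$who has $($ace.FileSystemRights)"
                }
            }
        }
        catch {
            # A folder secured for the user only cannot be read by the auditing
            # account. That is reported separately so it is not mistaken for a pass.
            $issues += "ACL not readable: $($_.Exception.Message)"
        }

        New-Object PSObject -Property @{
            Folder        = $folder.FullName
            ExpectedOwner = $expected
            Issues        = ($issues -join '; ')
        }
    }
}

Get-ProfileFolderFinding -Root $profileRoot -Domain $domainName -AllowedExtra $allowedExtra |
    Where-Object { $_.Issues } |
    Format-List Folder, ExpectedOwner, Issues
```

Folders that were created by hand, or inherited permissions from the share root, typically show up here with a group such as Authenticated Users in the Issues column.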


Limitations of Roaming User Profiles

Key Points
Although Roaming User Profiles provide several benefits to both end users and administrators, there are some limitations that you must be aware of when using this technology. Some of the important limitations of roaming user profiles are:
• Potentially bad performance. Because the entire user profile folder is synchronized between client and server, logon and logoff can be slow. This is especially noticeable when a user logs on to a computer for the first time, because the whole profile must be downloaded.
• Synchronization of the entire profile. Each time a user logs off from a machine, the roaming profile on the server is updated with the changes that the user has made locally. However, the entire profile is synchronized every time, even if only a single setting has changed.


• No online synchronization on Windows Vista and older. By design, the roaming profile is updated only when the user logs off from the computer. If the user does not log off but hibernates the computer instead (which is very common with laptops), the changes made are not uploaded to the roaming profile for a long time.

Note: Beginning in Windows 7, users with roaming user profiles will have their current user settings in HKCU (in other words, the entire NTuser.dat from their profile) periodically synchronized back to the server while they are logged on to their computers. This is a change from Windows Vista and earlier versions, in which roaming user profiles were synchronized back to the server only on logoff.

• Simultaneous logons. Synchronization issues can arise if you use simultaneous logons on several computers. For example, if a user logs on to one computer, edits and saves a document stored in the Documents folder, leaves the computer logged on and then moves to a second computer, logs on, edits and saves the same document, and then logs off from both computers, the computer from which the user logs off last takes precedence. That is, the edits made to the document on that computer are the only edits that are preserved. The edits made on the other computer are lost. It is important to remember that when conflicts like this occur, roaming user profile (RUP) resolves them on a last-writer-wins basis.
• Application inconsistencies. An application might make changes to a user profile that do not produce the expected result on all computers that the user uses. For example, if a user installs an application and it creates a shortcut on the desktop, that shortcut is shown on all computers where that user logs on. However, a computer on which the application is not installed cannot start it.

Note: You can use the Exclude Directories On Roaming Profile Group Policy setting to prevent roaming the Desktop folder, which will prevent this inconsistency from arising.


• Enabling on an individual basis. If you want to use roaming user profiles, you must enable them on a per-user basis by configuring the user account properties or by using a script. You can also use template accounts to enable a roaming profile for each new user.
• Coexistence with older platforms. If you have a user who roams between various operating system platforms, you might not be able to use roaming profiles for that user. Each operating system platform has its own folder structure, and these structures are not compatible.


What Is Folder Redirection?

Key Points
Before discussing Folder Redirection, let us focus on one limitation of Roaming Profiles. If a user is configured to use a Roaming Profile, the whole profile is downloaded to the local machine each time the user logs on. Because the profile contains user folders such as My Documents, Music, Videos, and Downloads, and these folders usually contain a large amount of data, downloading this data can take a significant amount of time. This can result in very slow logons. Similarly, when the user logs off, the whole profile is synchronized back to the network location, which causes very slow logoffs.

For this reason, it is very convenient to separate the user data content from the user's profile while still keeping it on a network location, so that the data can follow users without slowing down the logon and logoff procedures. The technology that enables this is called Folder Redirection. Folder redirection is a client-side technology that provides the ability to change the target location of user-specific folders, such as My Documents, found within the user profile. This redirection is transparent to the user and gives the user a consistent way of saving their data, regardless of its storage location.


Folder redirection provides a way for administrators to divide user data from profile data. This division decreases user logon times, because Windows downloads less data when the user logs on, and that directly speeds up the logon process. Windows redirects the local folder to a central location, giving the user immediate access to their data when they save it, regardless of the computer they are using. This immediate access removes the need to update the user profile.

Folder Redirection can be used with or without Roaming profiles. If you need only the data to follow users, but not their environment settings, Folder Redirection is enough. Also, if a user is simultaneously using computers with various operating systems (such as Windows 7 and Windows XP), using roaming profiles can result in incompatibility issues. Folder Redirection is agnostic to this, so it can be safely used on various operating system platforms.

Folder Redirection is configured by using Group Policy settings. Besides setting up the location for redirected user folders, there are several other options that can be configured. These will be discussed in the next topic.

You must be aware that not all folders are redirected. This mostly depends on the operating system used on the client side. Core user folders that can be redirected on all client platforms from Windows XP are: Documents, Pictures, Desktop, Start Menu, and Application Data.

Additional folders can be redirected in Windows Vista and Windows 7:
• Pictures
• Music
• Videos
• Favorites
• Contacts
• Downloads
• Links
• Searches
• Saved Games


Demonstration: Configuring Folder Redirection

In this demonstration, your instructor will show and explain to you available options for Folder Redirection.

Demonstration steps:
1. Open the Group Policy Management Console on the Domain Controller.
2. Create a new Group Policy Object.
3. Start the Group Policy Management Editor.
4. Browse through the Folder Redirection options.


Guidelines for Folder Redirection

Key Points
Folder Redirection can provide many benefits to both end users and IT administrators. However, to get the full potential from Folder Redirection and avoid issues, you should follow these guidelines:
• Do not redirect folders to your home directory unless you have legacy home directories in your organization. The Documents folder and its subfolders allow you to select the Redirect to the user's home directory redirection option. This redirects the Documents folder, and optionally its subfolders, to the home folder path configured in the user object's properties. Unless you are using legacy home folders in this way, avoid configuring this option.
• Let Windows create folders for each user. To ensure that the folders required for Folder Redirection are created and secured properly, do not manually create the folders. Instead, let Windows create and secure them when users log on. You must create the parent folder and share it with the previously described permissions.


• Use the Follow Documents folder setting. The Music, Pictures, and Videos folders support the Follow Documents folder setting. This setting redirects these folders as subfolders of the Documents folder. This option causes the selected subfolder to inherit Folder Redirection options from the parent Documents folder, and it disables other Folder Redirection options for the selected folder. Consider using this setting to store all user data folder structure elements in one place without the need to individually configure Folder Redirection for each subfolder.
• Consider the impact of removing a Folder Redirection Group Policy setting. The default behavior for Folder Redirection removal settings is for the redirected folder to remain in its location even after you remove the policy setting. In some scenarios, you might want to copy the files back to the original location, that is, to the user's local profile. Bear in mind that changing a Folder Redirection policy setting can have an impact on network performance, for example, if you select to redirect the folder back to the local user profile location when the policy setting is removed.

When troubleshooting Folder Redirection, be aware that this technology relies on shared folders stored on remote file servers. You should verify network connectivity to the target folders before you investigate more complex reasons for Folder Redirection failure. Pay special attention to NTFS and shared folder permissions. If you have implemented Advanced Redirection for specific Windows security groups, verify that the user experiencing the problem belongs to the appropriate groups. Also, verify Group Policy settings. Because you implement Folder Redirection with Group Policy settings, determine if the problem is related to a Group Policy problem.
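The first checks in that list can be run from the affected user's session. The following PowerShell is an added example, not part of the course material: it reads the user's shell folder paths from the User Shell Folders registry key, picks out the ones that point to a UNC path, and tests server response, path existence and write access for each. The probe file name is arbitrary, and an ICMP reply is used only as a hint because a firewall may block it.

```powershell
# Added example, not from the course material. Run it as the affected user.
$shellFoldersKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

function Test-RedirectedFolder {
    $key = Get-Item -Path $shellFoldersKey

    foreach ($name in $key.GetValueNames()) {
        if ([string]::IsNullOrEmpty($name)) { continue }

        # GetValue expands environment variables such as %USERPROFILE%.
        $target = [string]$key.GetValue($name)
        if (-not $target.StartsWith('\\')) { continue }   # local path, not redirected to a share

        $server        = $target.TrimStart('\').Split('\')[0]
        $serverReplies = Test-Connection -ComputerName $server -Count 1 -Quiet
        $pathExists    = Test-Path -LiteralPath $target
        $writable      = $false

        if ($pathExists) {
            # Write access covers both the share permission and the NTFS permission.
            $probe = Join-Path -Path $target -ChildPath ("fr-probe-{0}.tmp" -f [guid]::NewGuid())
            try {
                New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
                $writable = $true
                Remove-Item -LiteralPath $probe -ErrorAction SilentlyContinue
            }
            catch {
                $writable = $false
            }
        }

        New-Object PSObject -Property @{
            Folder        = $name
            Target        = $target
            Server        = $server
            ServerReplies = $serverReplies
            PathExists    = $pathExists
            Writable      = $writable
        }
    }
}

# With Offline Files enabled, a path can exist from the local cache while the
# server is down, so read ServerReplies and PathExists together.
Test-RedirectedFolder |
    Select-Object Folder, Target, ServerReplies, PathExists, Writable |
    Format-Table -AutoSize
```

If no folder is listed at all, redirection was not applied to this user, which points to the Group Policy and group membership checks rather than to the file server.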


What Are Offline Files?

Key Points
Offline files allow mobile users to download and use shared files on their local computers when they are not connected to the network. This benefit also applies to onsite workers who temporarily lose network connectivity due to technical problems. When you designate a shared file for offline use, the local computer downloads, or caches, a local copy of the file. You can then continue to work with this file even if you are not connected to the network. When the computer connects to the network again, the operating system automatically compares any changes made to the offline file with the copy stored on the server, and resolves any differences.

In Windows Vista and Windows 7, you can encrypt your offline files to help secure private information. When you encrypt offline files, only your user account can access the cached data.


Offline Files can be used together with Folder Redirection. This enables you to provide access to redirected folders even when the user is not connected to the network. Because Folder Redirection is used to redirect users' personal folders, making these folders available for offline access means that users will always have access to their documents. These two technologies can also be combined with Roaming User Profiles to achieve full functionality. Offline Files is also very convenient when a user is connected to a slow network. Because a local copy is cached on the user's computer, the user can work on these files without being affected by the slow network.

Offline Files Operating Modes


There are four operating modes for Offline Files:
Online Mode. This is the default operating mode for Offline Files. In this mode, the user is connected to the network, and every change made to a file is made first on the network copy and then on the local cached copy. When the user reads the file, it is read from the local cache to improve performance.
Auto Offline Mode. If Offline Files detects a network error during a file operation with a shared folder, it automatically transitions the network share to Auto Offline Mode. While the share is in this mode, all changes are made locally, and the Offline Files client tries to access the network copy every two minutes. During Auto Offline Mode, the user cannot initiate manual synchronization or access previous versions of a file.
Manual Offline Mode. In this mode, the user manually puts network resources into Offline Mode. All file operations are then performed on the local cached copy. Synchronization is performed only if the user initiates it manually. Offline Mode remains active until the computer restarts or until the user manually switches back to Online Mode.
Slow-link Mode. This mode depends on the Group Policy setting that specifies slow-link detection. If this setting is configured, it is applied to Offline Files. When a slow link is detected, Offline Files automatically switches to Offline Mode, and it switches back to Online Mode when network conditions improve.

Offline Files is configured in several places. You must enable offline caching on the shares for which you want to allow caching. You should also configure offline caching behavior on the user side. Finally, you can use Group Policy to control Offline Files.


Offline Files Improvements in Windows 7


In Windows 7, Offline Files is further improved compared to Windows Vista and Windows XP. The most important improvements are:

Offline support with Background Sync. Usually Offline support provides remote and branch office users with faster access to files that are located in a network folder across a slow network connection. Windows 7 enhances this feature by including Background Sync, a feature that synchronizes Offline Files in the background, ensuring that the server is frequently updated with the latest changes. When a client computer's network connection to a server is slow (as configured by the administrator), Offline Files automatically transitions the client computer into an Offline (slow connection) mode. The user then works from the local Offline Files cache. On Windows 7, Background Sync runs at regular intervals as a background task to automatically synchronize and reconcile changes between the client computer and the server. IT administrators can configure synchronization intervals and block out times. With this feature, users no longer must worry about manually synchronizing their data with the server when working offline.

Exclusion List. The Exclusion List feature reduces synchronization overhead and disk space usage on the server, and speeds up backup and restore operations by excluding files of certain types from replication across all Folder Redirection clients. Prior to Windows 7, all files in an Offline Files folder were replicated to the server. This often meant that a user's personal files or large files not relevant to the enterprise were replicated to one or more servers, thereby consuming disk space and slowing backup and restore times. On Windows 7, administrators can use the Offline Files Exclusion List feature to prevent files of certain types (for example, MP3 files) from being synchronized. The list of file types is configured by the IT administrator by using Group Policy.


Transparent caching. Transparent caching optimizes bandwidth consumption on wide area network (WAN) links and provides near local read response times for mobile users and branch office workers that are accessing network files and folders that are not explicitly made available offline. Prior to Windows 7, to open a file across a slow network, client computers always retrieved the file from the server, even if the client computer had recently read the file. With Windows 7 transparent caching, the first time a user opens a file in a shared folder, Windows 7 reads the file from the server and then stores it in the Offline Files cache on the local hard disk drive. The subsequent times that a user opens the same file, Windows 7 retrieves the cached file from the hard disk drive instead of reading it from the server. To provide data integrity, Windows 7 always contacts the server to ensure that the cached copy is up to date. The cache is never accessed if the server is unavailable, and updates to the file are always written directly to the server. Transparent caching is not enabled by default. IT administrators can use a Group Policy setting to enable transparent caching, improve the efficiency of the cache, and configure the amount of hard disk drive space that the cache uses.


Demonstration: Configuring Offline Files

In this demonstration, your instructor will show you how to configure Offline Files.

Demonstration steps:
1. Create a CorpData folder on the (C:) drive on NYC-DC1, share it, and configure permissions so that Authenticated Users have Full control on share and NTFS permissions. Configure caching options on this folder so that only the files and programs that users specify will be available offline.
2. Open the Default Domain Policy GPO, navigate to Computer Configuration, Policies, Administrative Templates, Network, and select Offline Files.
3. Enable the option Administratively assigned offline files, and enter \\NYC-DC1\CorpData as a location.


Lab: Implementing User State Virtualization

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Ensure that the 10324A-NYC-DC1, 10324A-NYC-CL1, and 10324A-NYC-CL2 virtual machines are running.
3. If required, connect to the virtual machines. Log on to 10324A-NYC-DC1 as Contoso\Administrator using the password Pa$$w0rd. Do not log on to the client machines until directed to do so.


Exercise 1: Configuring and Testing Roaming Profiles


Scenario
In order to provide users with the ability to move data and settings between computers, you want to implement Roaming Profiles. In the testing phase, you will implement Roaming Profiles for a pilot group of users, and you will test some basic functionality of this technology.

The main tasks for this exercise are as follows:
1. Configure a roaming profile and configure a pilot group of users to use roaming profiles.
2. Make changes to user environment.
3. Log on to a second computer, and verify roaming of the changes.

Task 1: Configure a roaming profile and configure a pilot group of users to use roaming profiles
1. On NYC-DC1, configure C:\Profiles as follows:
   Shared as Profiles
   Share permissions: Authenticated Users: Change, Administrators: Full control
   Caching: No files or programs should be available offline
2. Configure the user accounts Candy Spoon and Terri Chudzik to use roaming profiles at the \\NYC-DC1\Profiles\%username% location, by editing the Properties of their user accounts in Active Directory Users and Computers on NYC-DC1.

Task 2: Make changes to user environment


1. Log on to NYC-CL1 as Candy with the password of Pa$$w0rd.
2. Change the Desktop theme to Landscapes, change the Desktop Background picture location to Windows Desktop Backgrounds, and create a shortcut to C:\ on the Desktop.
3. Log off of NYC-CL1.


Task 3: Log on to a second computer and verify roaming of the changes


1. Log on to NYC-CL2 as Candy with the password of Pa$$w0rd.
   Question: Do the Desktop personalization options appear as you configured them, including the desktop shortcut?
   Question: Is the shortcut to drive C retained on Desktop?
2. Log off of NYC-CL2.

Results: After this exercise, you should have configured and tested Roaming User Profiles.


Exercise 2: Configuring and Testing Folder Redirection


Scenario
The IT department of Contoso requires that users' data is centralized and available from every machine that users log on to. However, in order to reduce logon time, they do not want to place this data in roaming profiles. You propose folder redirection as a solution. Now you have to test this solution and see how it performs for a few pilot users.

The main tasks for this exercise are as follows:
1. Configure folder redirection.
2. Verify that folders are redirected and not stored in the profile.

Task 1: Configure folder redirection


1. On NYC-DC1, on the C:\ drive, create a folder named Redirected Folders and two subfolders named Marketing and Production.
2. Configure hidden shares for the Marketing and Production folders, and set permissions so that only members of the Marketing and Production groups can access the corresponding folders and have the ability to Create folders / append data.
3. Create a new GPO named Redirection and link it to the domain.
4. Configure the Redirection GPO so that the Documents folder for the Marketing group is redirected to \\NYC-DC1\marketing$ and the Documents folder for the Production group is redirected to \\NYC-DC1\Production$. Configure the Music, Pictures and Videos folders to follow the Documents folder. Configure the Redirection GPO so that redirected folders are moved back to the user's profile after the policy is removed.
5. Log on to NYC-CL1 as Contoso\Administrator with the password of Pa$$w0rd.
6. Refresh Group Policy on NYC-CL1.
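The folder, permission and hidden-share setup from steps 1 and 2, scripted for NYC-DC1 as an added example that is not part of the course material. The domain name CONTOSO, the Change share right, and the CREATOR OWNER, SYSTEM and Administrators entries are assumptions; the lab itself only specifies the groups and their Create folders / append data right.

```powershell
# Added example, not course code. Run elevated on NYC-DC1 (PowerShell 2.0 or later).
# Assumed, not stated in the lab: NetBIOS domain CONTOSO, share right CHANGE,
# and the CREATOR OWNER / SYSTEM / Administrators entries.
$Domain = 'CONTOSO'
$Root   = 'C:\Redirected Folders'
$Groups = 'Marketing', 'Production'

function New-Rule {
    param([string]$Identity, [string]$Rights, [string]$Inherit, [string]$Propagate)
    $r = [System.Security.AccessControl.FileSystemRights]$Rights
    $i = [System.Security.AccessControl.InheritanceFlags]$Inherit
    $p = [System.Security.AccessControl.PropagationFlags]$Propagate
    $a = [System.Security.AccessControl.AccessControlType]::Allow
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $r, $i, $p, $a
}

function Set-RedirectionAcl {
    param([string]$Path, [string]$Group)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from C:\ and discard the inherited entries (for example Users).
    $acl.SetAccessRuleProtection($true, $false)
    $tree = 'ContainerInherit, ObjectInherit'
    $rules = @(
        # Group: enter the root and create a subfolder, on this folder only, so the
        # right does not flow down into other users' redirected folders.
        (New-Rule "$Domain\$Group" 'CreateDirectories, ListDirectory, ReadAttributes, Traverse' 'None' 'None'),
        # Whoever creates a subfolder gets full control of it and its contents.
        (New-Rule 'CREATOR OWNER' 'FullControl' $tree 'InheritOnly'),
        (New-Rule 'NT AUTHORITY\SYSTEM' 'FullControl' $tree 'None'),
        (New-Rule 'BUILTIN\Administrators' 'FullControl' $tree 'None')
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

function New-HiddenShare {
    param([string]$Path, [string]$Group)
    # A trailing $ only hides the share from browse lists; access control
    # comes from the share grant below and the NTFS ACL above.
    $shareName = (Split-Path -Leaf $Path) + '$'
    & net.exe share "$shareName=$Path" "/GRANT:$Domain\$Group,CHANGE" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net share failed for $shareName" }
    $shareName
}

function Test-RedirectionAcl {
    param([string]$Path, [string]$Group)
    # Principals that would let users outside the intended group in.
    $broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', "$Domain\Domain Users"
    $otherGroups = $Groups | Where-Object { $_ -ne $Group } | ForEach-Object { "$Domain\$_" }
    $acl = Get-Acl -Path $Path
    $problems = @()
    if (-not $acl.AreAccessRulesProtected) { $problems += 'inheritance is still enabled' }
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if (($broad -contains $id) -or ($otherGroups -contains $id)) {
            $problems += "$id has $($ace.FileSystemRights)"
        }
    }
    $problems
}

foreach ($g in $Groups) {
    $path = Join-Path $Root $g
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    Set-RedirectionAcl -Path $path -Group $g
    $share  = New-HiddenShare -Path $path -Group $g
    $issues = Test-RedirectionAcl -Path $path -Group $g
    if ($issues) {
        Write-Warning "$path : $($issues -join '; ')"
    } else {
        Write-Output "\\NYC-DC1\$share is ready for the $g group"
    }
}
```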


Task 2: Verify that folders are redirected and not stored in the profile
1. Log on to NYC-CL1 as Contoso\Adam with the password of Pa$$w0rd.
2. Open the Documents folder and verify the path.
3. Create a text document in the Documents folder.
4. Log off of NYC-CL1.
5. Log on to NYC-CL1 as Contoso\Bart with the password of Pa$$w0rd. Open the My Documents folder and identify the path.
   Question: What path is revealed?
6. Browse to Bart's profile located in C:\Users\Bart.
7. Ensure that the folders redirected in Task 1 are not present.
8. Log off of NYC-CL1.
9. Switch to the NYC-DC1 computer, and browse to C:\Redirected Folders.
   Question: Can you see the Bart folder?
10. Close all open windows on NYC-DC1.

Results: After this exercise, you should have configured and tested Folder Redirection.


Exercise 3: Configuring Offline Files


Scenario
Contoso has some important data that must be available even if the network is not available. You will implement Offline Files to achieve this.

The main tasks for this exercise are as follows:
1. Create and share the company-wide data folder.
2. Configure the client-side offline settings using Group Policy.
3. Refresh Group Policy on the client workstations.
4. Create a text document and make it available offline.
5. Simulate a network problem and try to access offline file.

Task 1: Create and share the company-wide data folder


1. On NYC-DC1, create a folder named C:\CorpData.
2. Share the folder and allow Authenticated Users to have Full Access to the folder.
3. Enable Offline access on the CorpData folder.

Task 2: Configure the client-side offline settings using Group Policy


1. Open Group Policy Management and then edit the Default Domain Policy. Expand Computer Configuration, expand Policies, expand Administrative Templates, expand Network, and then click Offline Files.
2. Configure the GPO setting Administratively assigned offline files to be Enabled. Type CorpData in the Value name field and type \\NYC-DC1\CorpData in the Value field.
3. Enable the GPO setting Synchronize all offline files when logging on.

Task 3: Refresh Group Policy on the client workstations


Log on to both NYC-CL1 and NYC-CL2 as Contoso\Administrator with the password of Pa$$w0rd. Refresh group policy. Log off when instructed to do so by the group policy refresh.


Task 4: Create a text document and make it available offline


1. Log on to NYC-CL1 as Contoso\Don with the password of Pa$$w0rd. Map network drive Z as \\NYC-DC1\CorpData.
2. In the CorpData folder, create a folder named Don, and create a rich text document file named Dons Document in the folder. Open the document, type Saved by Don, and save the document. Close WordPad.
3. Make the document available offline and then close all open windows.

Task 5: Simulate a network problem and try to access offline file


1. Disable the network interface on NYC-DC1.
2. From NYC-CL1, try to access the CorpData folder and make sure that the text document from Task 4 is available.

Results: After this exercise, you should have configured and tested Offline Files.

To prepare for the next lab


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machines used in this lab, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Module Review and Takeaways

Review Questions
1. What is a User Profile? What types of User profiles exist?
2. What is the main benefit of User state virtualization?
3. List some limitations and drawbacks when using Roaming Profiles.
4. Which technology will enable users that are disconnected from network to access data on specific file shares on network servers?
5. You want to configure permissions for the Administrator user account on all users' roaming profile folders, but you do not want to make this change folder-by-folder. How can you achieve this objective quickly and easily?


Common Issues related to user state virtualization


Issue | Troubleshooting tip
User is logged on using temporary profile |
Redirected files and folders are not present when user is offline |
Folder redirection is not applied |
Folders are not redirected back to User local profile after GPO is removed |

Real-World Issues and Scenarios


A. Datum is considering implementing user state virtualization to address some issues that they currently have. After discussing this with the IT administrator, you defined the following as their main requirements and issues:
The A. Datum IT Admins team wishes to create a standard desktop that loads each time a user logs on for the first time.
Occasionally, network outages prevent users from completing important project work. Where possible, it must be ensured that users can continue working on important files.
It is important to incorporate users' files into the backup regime by placing them on file servers. In addition, it must be ensured that users can recover their own local files when the need arises.


Any shared folders used to implement profiles must be hidden.

Question: What kind of solution will you recommend?

Best Practices Related to User State Virtualization


Supplement or modify the following best practices for your own work situations:
Combine Roaming User Profiles with Folder Redirection instead of storing user data within the profile.
Create a default network profile if you want to have a consistent and equal initial user environment for each new user.
Use mandatory and super mandatory profiles on computers that are publicly accessed (such as kiosks, info-portals, etc).
Do not enable the Offline Files feature on all file shares, but only on those that should be accessible in offline mode.
Do not use EFS with roaming profiles.

Tools
Tool | Used for | Where to find it
Control Panel System Properties | Management of local user profiles | Control Panel
Group Policy Management Console | Create and apply GPOs that handle folder redirection | Administrative Tools
Offline Files Management | Setting client options for Offline Files feature | Control Panel Sync Center


Module 12
Configuring Virtual Desktop Infrastructure
Contents:
Lesson 1: Overview of Windows Server 2008 R2 Hyper-V
Lesson 2: Introduction to VDI
Lesson 3: Configuring Personal and Pooled Virtual Desktops
Lab: Configuring Virtual Desktop Infrastructure


Module Overview

Using virtualization technologies for desktop virtualization can be very convenient. Microsoft provides virtual desktop infrastructure (VDI) as a technology that relies on Windows Server 2008 R2 Hyper-V and Remote Desktop Services (RDS) to enable administrators to configure virtual desktops as working environments. To use VDI, you should be familiar with Hyper-V and RDS, as well as with VDI features and configuration procedures.


Lesson 1

Overview of Windows Server 2008 R2 Hyper-V

Windows Server 2008 R2 Hyper-V is the latest Microsoft virtualization platform that enables you to run multiple virtual machines on a single server in production environments. Hyper-V leverages the latest hardware technologies to provide a reliable virtual environment that performs well. To implement Hyper-V, you should be familiar with its key concepts and with the key components that you need to build a virtual machine. This lesson provides a high-level overview of Hyper-V technology, and also provides information about virtual hard drives and virtual networks, which are key components to building and using virtual machines.


What Is Hyper-V?

Key Points
Hyper-V provides software infrastructure and basic management tools in Windows Server 2008 that you can use to create and manage a virtualized server-computing environment. You can use this virtualized environment to address a variety of business goals that improve efficiency and reduce costs. Hyper-V provides the engine, or hypervisor, that supports the operation of multiple virtual machines on top of standard server hardware. The hypervisor is a thin layer of software that resides between the operating system and the hardware. Because it integrates with the Windows Server operating system, Hyper-V benefits from the existing Windows Server feature set. Additionally, Hyper-V relies on the Designed for Windows hardware specification, which provides access to thousands of validated platform configurations.


Type 1 Hypervisor
Hyper-V is a Type 1 hypervisor, which is a bare-metal hypervisor that runs directly on top of hardware. Another name for a Type 1 hypervisor is a hardware virtualization engine. Hyper-V uses a 64-bit hypervisor, which allows multiple virtual machines to access physical memory and CPU resources without conflicts. It also allows the creation of 64-bit guest operating systems. In combination with virtualization-aware hardware, including processors that use Intel VT and AMD-V technology, the Hyper-V hypervisor enables high performance and excellent scalability for guest operating systems. Because the Hyper-V hypervisor takes advantage of Intel VT and AMD-V technology, the processing hardware performs more of the work of virtualizing multiple operating systems, so the virtualization stack and hypervisor have to do less work.

Type 2 Hypervisor
Microsoft's previous hypervisor offerings, such as Virtual Server 2005 or Virtual PC 2007, were Type 2 hypervisors that operated as applications on top of existing operating systems, and provided software virtualization. Virtualization platforms that rely on software emulation of hardware must frequently interrupt guest operating systems by performing on-the-fly translation of hardware requests into a form that is compatible with the virtualization environment. The new Microsoft operating system, Windows 7, includes a similar software-based virtualization solution, called Windows Virtual PC, which allows users to run virtual machines with supported operating systems installed.

Scenarios of Usage for Hyper-V


You can use Hyper-V for:

Physical server consolidation. By using Hyper-V virtualization, you can consolidate servers on fewer Hyper-V physical hosts, while maintaining isolation between them. This also provides better physical hardware utilization. Implementing Hyper-V does not necessarily mean that you will reduce the number of servers that you are using, but you will experience better utilization and use fewer physical hosts.

Business continuity and disaster recovery. Hyper-V enables you to reduce scheduled and unscheduled downtime, with the ability to recover an entire computer, including data and operating-system state, to a previous point in time, last known good configuration, or bare metal state.


Testing and development. Hyper-V enables you to establish a development or testing environment that is identical to your production environment. You should be able to create new virtual machines quickly and return them to their previous state.

Dynamic data center. Hyper-V enables you to migrate virtual machines to the most suitable physical hosts, without any downtime.

Question: What is the main benefit of using a Type 1 hypervisor versus previous Microsoft virtualization solutions that used Type 2 hypervisors?


Hyper-V Features

Key Points
Hyper-V provides you with a dynamic, reliable, and scalable virtualization platform that combines with a set of integrated tools to manage both physical and virtual resources. Hyper-V enables the data centers of business enterprises to be highly responsive and dynamic. The key features of Hyper-V are:

New and improved architecture. Hyper-V is a 64-bit, hypervisor-based virtualization technology for Windows Server. However, it also is available free as Microsoft Hyper-V Server. Hyper-V supports isolation in terms of a partition, which is a logical unit of isolation that the hypervisor supports and in which operating systems run. In Hyper-V terminology, the host operating system is the parent partition, while guest operating systems running inside virtual machines are the child partitions. Child partitions can be both 32-bit and 64-bit, but parent partitions must be 64-bit.


Broad operating system support. Hyper-V supports different operating systems that can run simultaneously, including 32-bit and 64-bit systems across different server platforms. Hyper-V supports the following operating systems:
Windows Server 2008 R2
Windows Server 2008
Windows Server 2003
Windows 2000 Server
Windows 7
Windows Vista
Windows XP
Novell SUSE Linux
Red Hat Linux

Symmetric multiprocessing (SMP) support. Hyper-V supports a maximum of 64 processors in Windows Server 2008 R2, and a maximum of 16 processors in Windows Server 2008. Each virtual machine can use a minimum of one and maximum of four virtual processors, depending on the virtual machine's operating system.

Network Load Balancing (NLB). Hyper-V includes virtual switch capabilities. You can configure virtual machines to run with Windows NLB Service to balance the load across virtual machines on different servers.

Hardware sharing architecture. Hyper-V provides improved access and utilization of core resources, such as disk, networking, and video when you are running guest operating systems that have a hypervisor-aware kernel and that are equipped with requisite virtual service client (VSC) code, which is known as Hyper-V enlightened input/output (I/O). Enlightenments are operating-system enhancements that help reduce the cost of certain operating-system functions, like memory management. Presently, Windows Server 2008 R2, Windows 7, and Windows Vista support Hyper-V enlightened I/O and a hypervisor-aware kernel via installation of Hyper-V integration services. Integration components, which include VSC drivers, also are available for other client operating systems. However, for these operating systems, you need to install the integration components manually to benefit from Virtual Service Provider (VSP) and Virtual Service Client (VSC) architecture.


Quick Migration. Hyper-V enables rapid migration of a running virtual machine from one physical host system to another with minimal downtime. It uses familiar high availability capabilities of Windows Server and Microsoft System Center management tools. Windows Server 2008 R2 adds support for Live Migration, which enables migration of a running virtual machine without downtime.

Virtual machine snapshots. Using Hyper-V, you can take snapshots of a virtual machine while it is running. A snapshot consists of the virtual machine's state, data, and hardware configuration. This will help you revert to a previous point in time. Virtual machine snapshots typically are used in development and test environments.

Scalability. With support for multiple processors at the host level, and improved memory access within virtual machines, you can vertically scale your virtualization environment to support a large number of virtual machines within a given host, and to continue to leverage Live Migration for scalability across multiple hosts.

Extensible virtualization. Hyper-V provides standards-based Windows Management Instrumentation (WMI) interfaces and an application programming interface (API), so third parties can build custom tools, utilities, and enhancements for the virtualization platform.

Hyper-V in Windows Server 2008 R2

Hyper-V in Windows Server 2008 R2 includes features such as Live Migration, dynamic virtual machine storage, improved virtual hard disk (VHD) performance, enhanced processor support, and enhanced networking support.

Live Migration allows you to move virtual machines from one node of the failover cluster to another node in the same cluster, without dropping the network connection or impacting end users with any perceived downtime, because the virtual machines continue to run.

Failover clustering is a group of independent computers that work together to increase the availability of applications and services across an environment. You connect the clustered servers, called nodes, by physical cables and software. If one of the cluster nodes fails, another node provides service. This process is known as failover clustering, and it means that end users experience minimum disruption in services when a node fails.


Note: Live Migration requires that you add and configure the failover clustering role on the servers that are running Hyper-V. Additionally, failover clustering requires shared storage for the cluster nodes. On a server running Hyper-V, only one Live Migration, to or from the server, can be in progress at any given time. You cannot use Live Migration to move multiple virtual machines simultaneously. Also, you should be aware that you can achieve zero downtime when you use Live Migration to move virtual machines between hosts only if both hosts are up and running. If a host stops working because it fails, then Live Migration moves virtual machines to another host, but there is a period of downtime.

Cluster Shared Volume (CSV) feature of failover clustering in Windows Server 2008 R2 with Live Migration. CSV provides increased reliability when you use it with Live Migration and with virtual machines that you configure in a failover cluster. It also provides a single, consistent file namespace, so that all servers running Windows Server 2008 R2 view the same storage.

Processor Compatibility Mode makes it possible for you to move virtual machines or perform Live Migration between different processor versions within the same processor family, such as Intel or AMD. You cannot perform Live Migration between different processor vendors.

Dynamic Virtual Machine Storage


Improvements to virtual machine storage in Windows Server 2008 R2 include:
Support for hot plug-in of the storage.
Support for hot removal of the storage.

If required, you can reconfigure virtual machine storage easily because the dynamic virtual storage functionality supports adding and removing hard disks and physical disks while the virtual machine is running.

Note: A hot plug-in and removal of storage requires that Integration Services be present in the enlightened guest operating system.


Improved VHD Performance


Hyper-V on Windows Server 2008 R2 improves the performance of the dynamically expanding and fixed-size VHDs, and makes the latter nearly identical to native throughput. You should use fixed-size disks for production, because they preallocate disk usage.

Enhanced Processor Support


Hyper-V supports up to 64 logical processors and can run up to 384 virtual machines with up to 512 virtual processors.

Enhanced Networking Support


Improvements in networking support include:

Support for jumbo frames. Support for jumbo frames has been extended and is available to virtual machines, if the underlying physical network supports it. Virtual machines can use jumbo frames up to 9,014 bytes in size. Hyper-V includes jumbo frame support on that are 1 gigabyte (GB) or faster.

Support for Chimney (TCP Offloads). The TCP Chimney feature offloads the processing of network traffic from the networking stack, which reduces processor usage and increases network performance.

Support for Virtual Machine Queue (VMQ). This reduces the overhead associated with network traffic.

These two technologies allow Hyper-V to take advantage of network offload technologies. Instead of a core CPU that processes the network packets, you can move these packets to the offload engine on the 10 GB network adaptor. This reduces processor usage and improves performance. Many of the new Hyper-V features, such as VMQ, Chimney, and CPU core parking, require compatible hardware.


Demonstration: Hot Adding and Removing a VHD to a Running Virtual Machine

In this demonstration, your instructor will show you how to add and remove a VHD from a running virtual machine.

Demonstration steps:
1. On the physical host computer, open Disk Management, create a VHD, and then copy some files to it.
2. Add a VHD, as an additional Small Computer System Interface (SCSI) disk, to the 10324A-NYC-CL1 virtual machine while it is running.
3. Initialize and format a new disk from Disk Management on the host machine. Access the disk from the NYC-CL1 virtual machine, and then add additional content, such as by creating a few text files.
4. Remove a VHD from the virtual machine.
5. Mount the VHD on the physical host computer, and then list its content to verify that all of the files that you created are there.


Virtual Network Settings for Hyper-V

Key Points
Virtual Network Manager gives you the ability to create a mechanism for binding virtual machines to a physical network, and to create and manage virtual networks. You can use Virtual Network Manager to add, remove, and modify the virtual networks. Virtual Network Manager is available from Hyper-V Manager.

When you create a virtual network, Hyper-V creates a virtual switch that routes traffic based on either the media access control (MAC) addresses or the virtual local area network (VLAN) identifiers (IDs). The virtual switch modifies the MAC addresses of packets to route traffic with different MAC addresses than the physical network card's MAC address. The advantage is that it can bind to any 802.3-compliant physical Ethernet network adapter.


You cannot connect a virtual network to a wireless network adapter. The virtual switch changes the MAC address of the source packet so that it does not match its own MAC address. As a result, you cannot provide wireless networking capabilities to virtual machines, because the 802.11 standard does not support the MAC address changes.

You can attach only one virtual network to a specific physical network adapter at a time. You cannot attach multiple virtual networks to the same physical network adapter.

When you create a virtual network:
• Hyper-V creates a software-based switch.
• You can associate only one Hyper-V virtual network with a single physical network adaptor.
• Once a virtual network is bound to a physical network adapter, all other protocols are unbound automatically.
• You can use virtual networks to control and secure network traffic that enters and leaves a virtual machine.

Windows Server 2008 R2 Hyper-V supports three types of virtual networks:
• External. An external virtual network binds to a physical network adapter on the Hyper-V server so that the virtual machine can have access to a physical network. When you create a new external virtual network, Hyper-V creates a virtual network adapter on the parent partition unless you clear the option to Allow management operating system to share this network adapter. If you clear this option, then you dedicate the network adapter to the virtual machine. You would use an external connection when your virtual machine needs to access or be accessed on the corporate network or beyond the corporate environment.

Note: When you create an external virtual network, and clear the option to Allow management operating system to share this network adapter, the physical network adapter will be available only for virtual machines. It will not be accessible by the host computer. This is a best practice if you want to isolate virtual-machine network traffic from host network traffic. In this scenario, you must not clear this option on at least one network adapter, or you must not create a virtual network that uses one of the physical network adapters, to ensure that the host computer can communicate on the network.


• Internal. When you create an internal virtual network, it allows the virtual machines to communicate with each other and with the Hyper-V server, but they cannot communicate with the physical network. You typically would use this scenario to simulate a networked environment with the base system, and you might use an internal network in a training environment.
• Private. The creation of a private virtual network enables the virtual machines to communicate with each other, but there is no association with any physical network adapter in the parent partition. This means that the virtual machines can communicate with each other, but not with the host computer or with other computers on external networks. You can use private networks if you need to isolate virtual machines for security reasons. You also may have virtual machines that you are using for testing, and you do not want the virtual machines to access the corporate network inadvertently.

When you create a virtual network through either the Hyper-V Manager or WMI, you also create a new software-based switch. There is no limit to the number of virtual networks or ports for virtual machine connections that you can create.

Configuring VLANs
Hyper-V supports VLANs, and because a VLAN configuration is software-based, you can move computers easily and maintain their network configurations. For each virtual network adapter that you connect to a virtual machine, you can configure a VLAN ID for the virtual machine. You will need the following to configure VLANs:
• A physical network adapter that supports VLANs.
• A physical network adapter that supports network packets with VLAN IDs that are applied already.

On the management operating system, you will need to configure the virtual network to allow network traffic on the physical port. This is for the VLAN IDs that you want to use internally with virtual machines. Next, you configure the virtual machine to specify the VLAN that the virtual machine will use for all network communications. There are two modes in which you can configure a VLAN: access mode and trunk mode.


When you configure your VLAN in access mode, this restricts the virtual network's external port to a single VLAN ID in the user interface (UI). You can have multiple VLANs using WMI. Use access mode when your physical network adapter connects to a port on the physical network switch that also is in access mode. To give a virtual machine external access on the virtual network that is in access mode, you must configure the virtual machine to use the same VLAN ID that is configured in the virtual network's access mode.

Trunk mode allows multiple VLAN IDs to share the connection between the physical network adapter and the physical network. To give virtual machines external access on the virtual network in multiple VLANs, you need to configure the port on the physical network to be in trunk mode. You also will need to know the specific VLANs that you are using, and all of the VLAN IDs used by the virtual machines that the virtual network supports. Your physical switch will need to support 802.1q.

Question: Which type of network allows a virtual machine to access a physical network? In what scenarios would you use this type of network?


What Are Hyper-V Virtual Machine Snapshots?

Key Points
Virtual machine snapshots capture the state, data, and hardware configuration of a virtual machine that is running. Snapshots provide a fast and easy way to revert the virtual machine to a previous state. For this reason, virtual machine snapshots mainly are for use in development and test environments. Having an easy way to revert a virtual machine can be very useful if you need to recreate a specific state or condition so that you can troubleshoot a problem.

There are certain circumstances in which it may make sense to use snapshots in a production environment. For example, you can use snapshots to provide a way to revert a potentially risky operation in a production environment, such as applying an update to the software running in the virtual machine.

Hyper-V snapshots are implemented in the virtualization layer, and can be taken at any time with any guest operating system (even during an operating system installation). Snapshots can be taken whether the virtual machine is running or stopped. If the virtual machine is running when the snapshot is taken, there is no downtime involved to create the snapshot.


Snapshot data files are stored as .avhd files. An .avhd file is a snapshot-specific differencing disk that is used as the running point of a virtual machine. After Hyper-V creates the snapshot, all system changes are written to the AVHD disk going forward, and the base VHD no longer is modified. The AVHD is linked to its parent disk. If you were to move one of these two files, the virtual machine would break.

You can continue to create additional snapshots, and each one links to its parent in a linear (timeline) arrangement. They cannot link in a branched tree arrangement because that would create dead branches. When you go back to a previous point in time (return to a snapshot), everything to the right of the timeline is destroyed (rendered unusable) because you altered the virtual machine at a previous point.

Snapshot data files are located in the same folder as the virtual machine, by default, unless one of the following conditions applies:
• If you import the virtual machine with snapshots, the snapshots are stored in their own folder.
• If the virtual machine has no snapshots, and you configure the snapshot setting for the virtual machine, then the snapshots will be stored in the folder that you specify.

Note: Taking multiple snapshots can quickly consume storage space.
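
The parent link between an .avhd file and its parent disk can be checked offline before a virtual machine is moved or restored. The following is an added example, not part of the course material: it reads the footer and dynamic disk header fields of the VHD image format (which .avhd differencing disks also use) and walks a snapshot chain from the running disk back to the base VHD. The file names, disk IDs and images are constructed samples.

```python
import struct
import uuid

SECTOR = 512
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}


def footer_checksum(footer):
    """One's complement of the byte sum, taken with the checksum field (bytes 64-67) zeroed."""
    zeroed = footer[:64] + b"\0\0\0\0" + footer[68:]
    return ~sum(zeroed) & 0xFFFFFFFF


def parse_vhd(image):
    """Return disk type, unique ID and (for differencing disks) the parent's unique ID."""
    footer = bytes(image[-SECTOR:])            # the footer is the last sector of the file
    if footer[:8] != b"conectix":
        raise ValueError("no VHD footer cookie")
    (data_offset,) = struct.unpack(">Q", footer[16:24])
    disk_type, stored_sum = struct.unpack(">II", footer[60:68])
    if stored_sum != footer_checksum(footer):  # only the footer checksum is verified here
        raise ValueError("footer checksum mismatch")
    info = {"type": DISK_TYPES.get(disk_type, "unknown"),
            "id": uuid.UUID(bytes=footer[68:84]),
            "parent_id": None}
    if disk_type == 4:
        # Differencing disks carry the parent's unique ID in the dynamic disk header.
        header = bytes(image[data_offset:data_offset + 1024])
        if header[:8] != b"cxsparse":
            raise ValueError("no dynamic disk header cookie")
        info["parent_id"] = uuid.UUID(bytes=header[40:56])
    return info


def walk_chain(folder, leaf):
    """Follow parent links from the running disk to the base disk.

    folder maps file name -> file bytes. Returns (chain, problem); problem is None
    when every differencing disk finds the parent it was created against.
    """
    parsed = {name: parse_vhd(data) for name, data in folder.items()}
    by_id = {info["id"]: name for name, info in parsed.items()}
    chain, current = [leaf], parsed[leaf]
    while current["type"] == "differencing":
        parent = by_id.get(current["parent_id"])
        if parent is None:
            return chain, f"{chain[-1]}: parent {current['parent_id']} not found in folder"
        if parent in chain:
            return chain, f"{chain[-1]}: parent link loops back to {parent}"
        chain.append(parent)
        current = parsed[parent]
    return chain, None


def make_image(disk_type, disk_id, parent_id=None):
    """Build a minimal constructed image: footer copy, dynamic header, footer (no data blocks)."""
    footer = bytearray(SECTOR)
    footer[0:8] = b"conectix"
    struct.pack_into(">Q", footer, 16, SECTOR)      # dynamic header follows the footer copy
    struct.pack_into(">I", footer, 60, disk_type)
    footer[68:84] = disk_id.bytes
    struct.pack_into(">I", footer, 64, footer_checksum(bytes(footer)))
    header = bytearray(1024)
    header[0:8] = b"cxsparse"
    if parent_id is not None:
        header[40:56] = parent_id.bytes
    return bytes(footer) + bytes(header) + bytes(footer)


# Constructed sample: a base disk and two snapshots in a linear timeline.
BASE, SNAP1, SNAP2 = (uuid.UUID(int=n) for n in (1, 2, 3))


def sample_folder():
    return {
        "base.vhd": make_image(3, BASE),
        "snap1.avhd": make_image(4, SNAP1, parent_id=BASE),
        "snap2.avhd": make_image(4, SNAP2, parent_id=SNAP1),
    }


if __name__ == "__main__":
    folder = sample_folder()
    print(walk_chain(folder, "snap2.avhd"))   # intact chain
    del folder["snap1.avhd"]                  # simulate a moved snapshot file
    print(walk_chain(folder, "snap2.avhd"))   # broken link is reported
```

A base disk that was replaced by another disk with the same file name is reported the same way, because the link is matched on the unique ID stored in the disk, not on the name.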

Considerations for Using Snapshots


Keep the following considerations in mind, particularly if you plan to use snapshots on a production environment's virtual machine:
• The presence of a virtual machine snapshot reduces the virtual machine's disk performance.
• When you delete a snapshot, the .avhd files that store the snapshot data remain in the storage location until you shut down or turn off the virtual machine, or you place it in a saved state. As a result, when you delete a snapshot, you will need to put the production virtual machine into one of those states at some point to be able to complete the snapshot's safe removal.
• We do not recommend that you use snapshots on virtual machines that provide time-sensitive services or when performance or the availability of storage space is critical.


Note: We do not recommend, or support, the use of snapshots on virtual machines that are hosting the Active Directory Domain Services (AD DS) role, which also is known as domain controllers, or on virtual machines that are hosting the Active Directory Lightweight Directory Services (AD LDS) role. For more information, see the Microsoft TechNet article Operational Considerations for Virtualized Domain Controllers.

You can create snapshots by using Hyper-V Manager or by using the Virtual Machine Connection window. To create a snapshot by using Hyper-V Manager, select a virtual machine, and then select Snapshot from the Action menu or panel. To create a snapshot using the Virtual Machine Connection window, click on the Snapshot button in the toolbar.

Question: Can you list additional scenarios where it would not be appropriate to use snapshots?


Demonstration: Using Snapshots in Hyper-V

In this demonstration, your instructor will show you how to use snapshots in Hyper-V.

Demonstration steps:
1. Create snapshots of the NYC-CL1 virtual machine in Hyper-V Manager.
2. Modify the virtual machine.
3. Apply a previous snapshot, and then identify that modifications no longer are present.


Lesson 2

Introduction to VDI

VDI is an alternative desktop-delivery model that allows users to access desktops that are running in a data center. In VDI, each user gets access to a personal virtual desktop from any authorized device, which improves desktop flexibility. You can use VDI in two modes: personal and pooled desktops. The Remote Desktop Connection Broker (RD Connection Broker) role service is one of the key components in VDI, and it manages a user's connection to virtual desktops. This lesson describes VDI, as well as the benefits of using it, and important components and procedures in VDI.


What Is VDI?

Key Points
VDI is a centralized desktop-delivery architecture that allows you to centralize the storage, execution, and management of Windows desktops in a data center. VDI enables you to run and manage Windows 7, Windows Vista, and other desktop environments in virtual machines on a centralized server. A user can connect to a virtual desktop with Remote Desktop Client (RDC) or by using Web access. As a technology, VDI provides better flexibility, improved cost control, and has a smaller environmental footprint, but it does increase the demand for security and compliance so that corporate data is more secure. To meet these challenges, Windows Server 2008 R2 updates RD Connection Broker and flexible presentation virtualization architecture beneath the VDI.


The VDI User Desktop


The two key deployment scenarios that VDI supports are personal virtual machines and pooled virtual machines.

When you use personal virtual machines, there is a one-to-one linking of virtual machines to users. Each user is assigned a dedicated virtual machine, which the user can personalize and customize. The one-to-one linking preserves any changes that the user makes. Therefore, by deploying personal virtual desktops, you are providing great flexibility to end users.

In pooled virtual machines, a single image is replicated. The user state can be stored through profiles and folder redirection, but it will not continue to stay on the virtual machine after the user logs off. This frees up some system resources, and provides you with the ability to separate user data from the virtual machine.

In both cases, the Windows Server 2008 R2 solution supports image storage on the Hyper-V host, and clients connect to the virtual machine by using Remote Desktop Protocol (RDP). Additionally, in both cases, administrators can store and maintain a user work area in a data center. Each device accessing the VDI image requires the Windows Virtual Enterprise Centralized Desktop (VECD) license. VDI for Windows Server 2008 R2 operated in previous versions of Windows but under a different name and form. Hyper-V and RDS roles are key technologies to enable VDI.

Question: Is your organization using VDI? Which environments can benefit considerably by implementing VDI?


Key Benefits of VDI

Key Points
Many organizations are considering implementing VDI to optimize resource usage and improve management of desktop machines. VDI provides several benefits to various types of organizations.

Benefits
Some of the most important benefits are:

Access to data and applications from any device


When you are using VDI, users can access their virtual desktops from any device. Also, the location of the device that is initiating a connection is not relevant. It can be on either an internal or an external network.

Improved data security and compliance


VDI helps you improve data security and compliance. Data is more secure because VDI means that no data transfers to the physical machine on which the user is working.


Simplified application management and deployment


When you use VDI, you deploy applications to virtual machines, not to users' workstations, which means that you can control the operating system inside the virtual machine, make the whole desktop environment more consistent, and avoid problems with application compatibility. Also, application deployment is much easier because you control all virtual desktops from one place.

Improved business continuity through data centralization


You deploy virtual machines in VDI on Hyper-V hosts, which you can make highly available by using various technologies, such as failover clustering and live migration. With these technologies, desktop virtual machines are also highly available.

Integrated management of physical, virtual, and session-based desktops


You can manage virtual desktops by using the same tools and technologies as you use for physical computers, such as Windows Server Update Services (WSUS) or System Center Configuration Manager. This means that you can fully centralize and integrate management of VDI and physical workstations. For offline virtual machines, you can use the Offline Virtual Machine Servicing tool for management.

Quicker recovery from device malfunctions


Virtual machines are much easier to recover than physical machines. Also, virtual machines are much less dependent on device drivers, so the number of malfunctions is much lower.

Centralized data storage and backup, which reduce losses from stolen devices
Backup and restore in VDI is much more centralized than backups in physical environments. Since you deploy virtual machines on Hyper-V hosts, you can use a VSS-aware backup utility on enlightened guests. We recommend that you use Data Protection Manager (DPM) 2010 as it fully supports Hyper-V 2.0 and VDI backups and restores. Also, since machines are not moving with users, the risk of intellectual property being stolen from devices is much lower, as is the risk of the devices themselves being stolen.


Types of VDI

Key Points
There are various ways to architect VDI, but in general, there are two types of VDI deployment: personal virtual desktops and pooled virtual desktops.

Personal Virtual Desktops


When using a personal virtual desktop deployment, each virtual machine is like a traditional personal computer, where user data, settings, applications, and operating systems are all stored together, and each user has a unique virtual machine. If there are 100 users in an organization, there will be 100 virtual machine images. This deployment model utilizes both the presentation virtualization and server virtualization. When deploying personal virtual desktops, you must be aware that you can assign only one personal virtual desktop to a user, and that you can assign a virtual machine as a personal virtual desktop to only one user at a time.


Pooled Virtual Desktops


When you use pooled virtual desktops, each virtual machine is created when a user logs on. Based on the setup in the Active Directory Domain Services (AD DS), you select a copy of a virtual machine with an operating system, and then create it and place it on the server. You then grant specific application access to that virtual machine, deploy a user's settings, and attach data. When the user logs off, the virtual machine copy is either destroyed or returned to a pristine state for future use. When you use this model, you reduce the number of virtual machine images that you need, and additionally, this model uses user state virtualization and application virtualization, as well as presentation and server virtualization.

Users should not save files on a virtual machine that is located in a virtual desktop pool. If a user logs off from a virtual machine in a virtual desktop pool, and then later logs on to the virtual desktop pool, the user might be connected to a different virtual machine in the virtual desktop pool. If you want to preserve user data, you have to use some of the user state virtualization technologies.

Question: What is the main difference between personal virtual desktops and pooled virtual desktops?


VDI Components in Windows Server 2008 R2

Key Points
VDI in Windows Server 2008 R2 consists of several components and technologies. These components work together to provide users with a seamless and unified experience when they are using desktop virtual machines. All components that VDI needs are present in Windows Server 2008 R2, so there is no need to install any additional software. The following sections detail the components and technologies in VDI in Windows Server 2008 R2.

Remote Desktop Web Access


Remote Desktop Web Access (RD Web Access) provides a user with an aggregated view of remote applications and desktop connections via a Web browser interface. It enables the user to view all remote applications and virtual desktops (personal virtual desktops and virtual desktop pools) published to that user. Additionally, the user can choose and connect to remote applications or virtual machines.


AD DS
In Active Directory, an administrator can assign virtual machines to users, which means that users always use the same virtual machine. VDI components contact Active Directory to provide information about the virtual machine that a specific user should use.

RD Connection Broker
RD Connection Broker creates a unified experience for traditional session-based remote desktops and new virtual machine-based remote desktops. RD Connection Broker, as part of the VDI solution, is an extensible platform for partners, and it includes extensive APIs to add value with regards to the manageability and scalability of the brokering solution. Extensibility points include the ability to create policy plug-ins, such as those that determine the appropriate virtual machine or virtual machine pool; filter plug-ins, such as those for preparing a virtual machine to accept RDP connections; and resource plug-ins, such as those for placing a virtual machine on the proper host, which you determine based on the host's load.

The main purpose of this role service is to broker a user connection to an appropriate endpoint, which involves:
• Identifying the virtual machine to which you want the user to make a remote connection.
• Preparing the virtual machine for remote connections by communicating with the Remote Desktop Virtualization Host server (RD Virtualization Host). An example of this is when you wake the virtual machine from a saved state.
• Querying the IP address of the virtual machine by communicating with the RD Virtualization Host server. This IP address is returned to the Remote Desktop Session Host server running in redirection mode.
• Monitoring user sessions in a virtual desktop-pool scenario. Users with existing sessions in pools are redirected to the virtual machines that are hosting their sessions.

RD Virtualization Host
RD Virtualization Host is a Remote Desktop Services role service in Windows Server 2008 R2, and it integrates with Hyper-V to provide virtual machines that you can use as personal virtual desktops or virtual desktop pools.


An RD Virtualization Host server:
• Monitors virtual machine guest sessions and reports these sessions to the RD Connection Broker server.
• Prepares the virtual machine for a remote desktop connection when the RD Connection Broker server requests this.

In order for RD Virtualization Host to perform these functions, you must configure the guest operating system to give permission to the RD Virtualization Host.

Remote Desktop Session Host


A Remote Desktop Session Host was known as Terminal Server (in application mode) in earlier Windows Server versions. To deliver virtual desktops to users in Windows Server 2008 R2, you must configure the RD Session Host to provide virtual machine redirection, which securely redirects an RDP client connection to a virtual machine. When you configure an RD Session Host server to provide virtual machine redirection, the following changes are made to the RD Session Host server:
• The user logon mode is changed to allow reconnections, but prevent new logons. If you need to connect to this machine for administrative tasks, be sure to use the /admin parameter, or you will not be able to connect.
• All programs are removed from the RemoteApp Programs list in RemoteApp Manager.
• The Authenticated Users group is added to the Remote Desktop Users group.

The RD Session Host server running in redirection mode does not allow interactive user sessions, unless the user requests an administrative session by using the /admin parameter. When a user requests a virtual machine, the RD Session Host server running in redirection mode queries the RD Connection Broker server. The RD Connection Broker server then provisions a virtual machine for the user and returns its IP address to the RD Session Host server that is running in redirection mode. The RD Session Host server that is running in redirection mode then redirects the RDP client to connect to the virtual machine by using the IP address.


We recommend that the RD Connection Broker role service resides on the same machine as the RD Session Host server that is running in redirection mode. However, we also support the scenario in which the RD Session Host server running in redirection mode and the RD Connection Broker role service are running on separate machines.

Remote Desktop Gateway


This is an optional role service in a Microsoft VDI deployment, and its main purpose is to securely route RDP connections over the Internet through a firewall. Remote Desktop Gateway (RD Gateway) enables users to connect to virtual machines or remote applications from the Internet by using the same settings as on the local network, without you having to configure a virtual private network (VPN) connection.


RD Connection Broker in VDI Deployments

Key Points
RD Connection Broker is one of the key roles in VDI deployment, and it communicates with other components to provide users with access to the proper virtual machine or application. In earlier Windows Server versions, it was known as TS Session Broker. The most important tasks that RD Connection Broker performs include:
• Providing users with access to virtual desktops that RD Virtualization Host servers host, and to RemoteApp programs through RemoteApp and Desktop Connection.
• Allowing users to reconnect to their existing sessions in a load-balanced RD Session Host server farm. This prevents a user with a disconnected session from being connected to a different RD Session Host server in the farm and having to start a new session.
• Enabling you to distribute the session load evenly among RD Session Host servers in a load-balanced RD Session Host server farm.


Providing Access to Virtual Desktops


In a VDI deployment, you use RD Connection Broker to broker connections from clients to virtual machines. RD Connection Broker maintains a list of available virtual desktops, and when a client makes a request, it provides the client with the connection information for the most appropriate virtual desktop, or a response which indicates that an appropriate virtual desktop is not available. In some scenarios, if more than one appropriate virtual desktop exists, the connection broker will provide the client with a list of possible candidates for connection. If a virtual desktop is assigned to the user through AD DS, Remote Desktop Connection Broker will query AD DS for the user's personal virtual desktop.

Since one of the main benefits of VDI is optimization of resource usage, you should turn off virtual desktop systems when they are not in use. RD Connection Broker monitors virtual desktops after you assign them, and it instructs the virtualization host to shut them off or suspend them when they are idle or logged off. Similarly, RD Connection Broker also will instruct the virtualization host to start a virtual desktop when necessary, and after the virtual machine starts, it redirects the client to the virtual machine.

Connection to Existing Sessions


RD Connection Broker keeps track of user sessions in a load-balanced RD Session Host server farm. The RD Connection Broker database stores session information, including the name of the RD Session Host server where each session resides; the session state for each session; the session ID for each session; and the user name associated with each session. RD Connection Broker uses this information to redirect a user who has an existing session to the RD Session Host server where the user's session resides.

If a user disconnects from a session intentionally or because of a network failure, the applications that the user is running will continue to run. When the user reconnects, the RD client queries the RD Connection Broker to determine whether the user has an existing session, and if so, on which RD Session Host server in the farm. If there is an existing session, RD Connection Broker redirects the client to the RD Session Host server where the session exists.


Load Balancing with RD Connection Broker


The Load Balancing feature in RD Connection Broker enables you to distribute the session load between servers in a load-balanced RDS server farm. When a user without an existing session connects to an RD Session Host server in the load-balanced RD Session Host server farm, the Load Balancing feature redirects the user to the RD Session Host server with the fewest sessions. If a user with an existing session reconnects, it redirects the user to the RD Session Host server where the user's existing session resides. To distribute the session load between more powerful and less powerful servers in the farm, you can assign a relative server weight value to a server.


How VDI Works

Key Points
The way users connect to a virtual machine is based on the VDI configuration. If you configure VDI for personal virtual desktops, users connect to a virtual machine in the following way:
1. A user initiates the connection to the personal virtual desktop by using RD Web Access or RemoteApp and Desktop Connection. The user sends the request to the RD Session Host server running in redirection mode (RD Redirector) by using RD Web Access or RemoteApp and Desktop Connection.
2. The RD Session Host server that is running in redirection mode (RD Redirector) forwards the request to the RD Connection Broker server to get information about the target virtual machine.
3. The RD Connection Broker server queries AD DS, and retrieves the name of the virtual machine that is assigned to the requesting user account.
4. The RD Connection Broker server sends a request to the RD Virtualization Host server to start the virtual machine.
5. The RD Virtualization Host server returns the IP address of the fully qualified domain name (FQDN) to the RD Connection Broker server. The RD Connection Broker server then sends this information to the RD Session Host server that is running in redirection mode (RD Redirector).
6. The RD Session Host server redirects the request to the client computer that initiated the connection.
7. The client computer connects to the personal virtual desktop.

If you configure VDI for pooled virtual desktops, users are connected to a virtual machine in the following way:
1. A user initiates the connection to the virtual desktop pool by using RD Web Access or by using RemoteApp and Desktop Connection. The user sends the request to the RD Session Host server running in redirection mode either by using RD Web Access or RemoteApp and Desktop Connection.
2. The RD Session Host server redirects the request to the RD Connection Broker server.
3. The RD Connection Broker server verifies whether an existing session exists for the requesting user account. If a session exists, the RD Connection Broker server returns the virtual machine name to the RD Session Host server that is running in redirection mode. If the session does not exist, the RD Connection Broker server sends a request to the RD Virtualization Host server to locate and start the virtual machine. The RD Connection Broker server returns the virtual machine name to the RD Session Host server that is running in redirection mode.
4. The RD Session Host server redirects the request to the client computer that initiated the connection.
5. The client computer connects to the virtual desktop pool.


Lesson 3

Configuring Personal and Pooled Virtual Desktops

A very important part of VDI deployment is configuration of virtual desktops. In Windows Server 2008 R2 VDI, you can configure desktops as personal and pooled, and you can configure additional settings and specify how users will connect to their virtual desktops. This lesson focuses on configuration of virtual desktops.


Configuring Virtual Machines for Virtual Desktops

Key Points
Before you use virtual desktops in a VDI deployment, you must configure virtual machines for this purpose. After you install Windows Server 2008 R2 and the Hyper-V platform, you should create virtual machines that you can use as virtual desktops by performing the following steps:
1. Install the supported operating system. Supported client operating systems include Windows XP, Windows Vista, or Windows 7. We recommend that you use Windows 7, if possible. Also, you should configure the appropriate network settings in the virtual machines so that they can access your physical network.
2. Join the virtual machines to a domain. You should join each virtual machine that you will use as a virtual desktop to the AD DS domain. We recommend that you place these virtual machines inside the appropriate organizational unit in your AD DS structure, so you can manage them easily by using Group Policy.
3. Configure the virtual machines for RDS. On each machine, you should enable Remote Desktop functionality in System Properties. Also, you should add all users that will be using these machines through VDI to the local Remote Desktop Users group. By using Registry Editor, you also should allow RPC for RDS. In Windows Firewall, you should create a firewall exception for Remote Service Management and RDS. Finally, you also should add the RD Virtualization Host server to the permissions list for the RDP-Tcp listener.

Note: You can perform all of these steps by using a Windows PowerShell script. Script examples are located at Configure Guest OS for Microsoft VDI (Windows PowerShell Script).

4. Create virtual machine snapshots (optional). If you will be using virtual machines in a pooled virtual desktop scenario, you should create Hyper-V snapshots on each virtual machine, and you should name the snapshots RDV_Rollback. These snapshots will be applied each time a user logs off from a machine.


What Are Personal Virtual Desktops?

Key Points
A personal virtual desktop is a virtual machine that an RD Virtualization Host server hosts and assigns to a specific user account from AD DS. Unlike a virtual desktop pool, where you can configure a virtual machine to roll back changes when a user logs off, a personal virtual desktop retains all changes made by the user as well as the user's data. The RD Connection Broker Manager assigns an unassigned virtual machine to a user, and AD DS stores this assignment as a user account property. The virtual machine name in Hyper-V Manager and user account property must be the same as the FQDN of the virtual computer. Personal virtual desktops can only use Windows client operating systems. You cannot install Windows Server 2008 R2 on a virtual machine and assign it as a personal virtual desktop.


To deploy personal virtual desktops, your schema for the AD DS forest must be at least Windows Server 2008. To use the added functionality provided by the Personal Virtual Desktop tab in the User Account Properties dialog box in Active Directory Users and Computers, you must run Active Directory Users and Computers from a computer that is running Windows Server 2008 R2 or a computer that is running Windows 7 that has Remote Server Administration Tools (RSAT) installed. You must use a domain functional level of at least Windows 2000 Server native mode. We do not support the functional levels of Windows 2000 Server mixed mode and Windows Server 2003 interim mode. The assignment of a virtual machine stays intact even after users log off from their assigned personal virtual desktops. An administrator can reassign a personal virtual desktop or make changes to the assignment through RD Connection Broker Manager. You can assign only one machine per user. Independent software vendors (ISVs) can extend the inbox solution and provide users access to more than one personal virtual desktop.

Note: It is incorrect to add a virtual machine designated as a personal virtual desktop to a virtual desktop pool, if you want to allow only the assigned user to access that virtual machine. When the designated user makes a connection to his personal virtual desktop, which now is part of a virtual desktop pool, the connection will fail, and a mismatch event is logged.


What Are Virtual Desktop Pools?

Key Points
A virtual desktop pool temporarily assigns a virtual machine to the user. The RD Connection Broker automatically makes this assignment without any prior assignment configuration. The user-to-virtual-machine assignment is removed as soon as the user logs off. Since there is no permanent assignment of a virtual machine in a virtual desktop pool to a user, as long as there is a virtual machine available in the pool, one will be assigned to the user. A virtual machine can be a member of only one virtual desktop pool. You configure all virtual machines in a virtual desktop pool identically, so that users see the same virtual desktop regardless of which virtual machine in the virtual desktop pool they connect to. Since users might connect to a different virtual machine in the virtual desktop pool each time they log on, we recommend that you use user state virtualization technologies to manage user settings and data centrally.


Note: You must configure all virtual machines in a virtual desktop pool identically, including the installed programs. If you need various configurations of virtual machines, you should create additional pools.

Virtual desktops can use only Windows client operating systems. You cannot install Windows Server 2008 R2 on a virtual machine and add it to a virtual desktop pool. To assign a virtual machine from a virtual desktop pool, you choose a Hyper-V server that has the least number of running virtual machines, and then select a virtual machine belonging to this virtual desktop pool. A random selection is made if two or more Hyper-V servers have the same number of running virtual machines. ISVs can enhance the inbox solution by implementing their own load-balancing algorithm. When users disconnect from a virtual machine in a virtual desktop pool, they are redirected to their disconnected virtual machines the next time they log in. However, when a user logs off from the virtual machine, the virtual machine can be configured to roll back to a state determined by an administrator. You can do this by applying the RDV_Rollback snapshot. You can make multiple virtual desktop pools available through RD Web Access. The user sees a different icon for each virtual desktop pool.


Additional Virtual Desktop Settings

Key Points
After you configure the VDI infrastructure, you can set some additional options at the Personal Virtual Desktop level, by using the Remote Desktop Connection Manager Console in the RD Virtualization host server node. These improve the user's experience when they are using virtual desktops.

General Settings
On the General settings tab, you can configure whether icons for personal desktops will appear in RD Web Access, if you assign a user to a virtual machine. Also, on this tab, you can configure the behavior of virtual machines when users log off or disconnect from a session. For example, you can configure the virtual machine to go into a saved state after five minutes when users log off. We recommend this option because it enables you to save system resources when machines are not in use.


Common RDP Settings


On this tab, you can configure devices, resources, and display settings that will be applied when a user is using a virtual desktop. For example, you can configure that the user can access local disk drives or printers from the virtual desktop session. It is possible to make smart cards and plug-and-play devices from the physical host available to virtual desktops. Also, you can configure that all monitors on the client side are used in virtual desktop sessions. For a better user experience, you can enable font smoothing and color quality.

Custom RDP Settings


You can specify custom RDP settings for virtual desktops, such as audio redirection. These settings apply when a user connects to a virtual desktop. To configure these settings, you should type, or copy and paste, the settings in the Custom RDP settings box. The easiest way to configure custom RDP settings is to create an .rdp file, and then use its settings. To create an .rdp file from which to copy the settings, do the following:
1. Open the RDC, and then click Options.
2. Configure the settings that you want, such as audio redirection.
3. When you are finished, on the General tab, click Save As, and then save the .rdp file.
4. Open the .rdp file in Notepad, and then copy the desired settings into the Custom RDP settings box on the Custom RDP Settings tab.
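Before pasting settings into the Custom RDP settings box, it helps to see which of them redirect local devices or resources into the session. The following Windows PowerShell function is an added example, not part of the course materials: it parses the name:type:value lines of a saved .rdp file and marks the redirection settings. The function name, the list of setting names in the rule table, and the sample content are assumptions made for illustration.

```powershell
# Added example: list the settings in a saved .rdp file and mark the ones that
# redirect local devices or resources into the virtual desktop session.
# Function name, rule table and sample content are illustrative.

# When each redirection-related setting counts as "on" (assumed list of common names).
$RedirectionRules = @{
    'drivestoredirect'   = { $args[0] -ne '' }     # s: drive list, * = all drives
    'devicestoredirect'  = { $args[0] -ne '' }     # s: plug-and-play devices
    'redirectclipboard'  = { $args[0] -eq '1' }
    'redirectprinters'   = { $args[0] -eq '1' }
    'redirectcomports'   = { $args[0] -eq '1' }
    'redirectsmartcards' = { $args[0] -eq '1' }
    'audiomode'          = { $args[0] -eq '0' }    # 0 = play remote audio on the client
}

function Get-RdpSetting {
    param([string[]]$Line)

    foreach ($raw in $Line) {
        $text = $raw.Trim()
        if ($text -eq '') { continue }

        # Format is name:type:value; type is i (integer), s (string) or b (binary).
        # Only the first two colons separate fields, so values may contain colons.
        if ($text -match '^(?<name>[^:]+):(?<type>[isb]):(?<value>.*)$') {
            $name  = $Matches['name'].Trim().ToLower()
            $type  = $Matches['type']
            $value = $Matches['value'].Trim()
            $rule  = $RedirectionRules[$name]
            New-Object PSObject -Property @{
                Name      = $name
                Type      = $type
                Value     = $value
                Redirects = [bool]($rule -and (& $rule $value))
            }
        } else {
            Write-Warning "Not a name:type:value line, skipped: $text"
        }
    }
}

# Constructed sample of what a saved .rdp file can contain.
$sample = @'
screen mode id:i:2
use multimon:i:1
allow font smoothing:i:1
audiomode:i:0
redirectprinters:i:1
redirectclipboard:i:1
redirectsmartcards:i:0
drivestoredirect:s:*
full address:s:NYC-SVR1.contoso.com
'@ -split "`r?`n"

# For a real file: Get-RdpSetting -Line (Get-Content .\saved.rdp)
Get-RdpSetting -Line $sample |
    Sort-Object Redirects -Descending |
    Format-Table Name, Type, Value, Redirects -AutoSize
```

Rows with Redirects set to True are the ones that connect client-side drives, printers, the clipboard or audio to the virtual desktop, so copy only those you intend to allow.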


Options for Accessing Virtual Desktops

Key Points
When you create a virtual desktop, users can connect to their virtual machines in several ways. Depending on what type of VDI scenario you use, administrators can choose one or more ways to provide users with connections to their virtual desktops. Using Remote Desktop Web Access is a very convenient way to connect to a virtual desktop, because it uses a Web interface. Users should use the https://servername/RDWeb URL to get to the RD Web Access page. From that page, they can directly access their virtual desktops. Also, from this page, users can choose to connect to some other computer (if they have the requisite permissions), or they can choose to run Remote applications, if they are published.


If a user is accessing a virtual machine from a Windows 7 client, you can configure remote desktop connections in the Control Panel applet called RemoteApp and Desktop Connections. To use this feature, you must configure the connecting URL in the form https://servername/RDWeb/feed/Webfeed.aspx. Also, the server must have an installed, valid certificate that the client trusts. After the connection to the server is made, connections to the virtual desktop and remote applications (if any) will be published to the user's Start menu inside the RemoteApp and Desktop Connections folder. These connections are updated automatically at regular intervals, or you can initiate the update process manually. This means that if the administrator changes settings on the server side or publishes new resources, these changes will be applied to a user during the next update cycle. Another alternative is for the users to use their classic .rdp file to connect to their virtual desktops. Either an administrator or the user can create this file in the Remote Desktop Client. This file contains connection configuration settings. If you are using the Remote Desktop Client to connect to a virtual desktop, there are additional settings that you can configure to provide a richer user experience.


Demonstration: Configuring and Accessing Virtual Desktops

In this demonstration, your instructor will show you how to configure the VDI infrastructure and prepare virtual machines for VDI.

Demonstration steps:
1. Add the Remote Desktop services role to NYC-SVR1, with the following services: Remote Desktop Session Host, Remote Desktop Connection Broker and Remote Desktop Web Access.
2. Add the Remote Desktop services role with the Remote Desktop Virtualization Host service to the physical host computer.
3. Prepare the NYC-VDP1 virtual machine to serve as a virtual desktop.
4. Assign a Personal Virtual Desktop.
5. Connect to RD Web Access, and access the new personal virtual desktop.


Lab: Configuring Virtual Desktop Infrastructure

Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must perform the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Ensure that the 10324A-NYC-DC1 virtual machine is running.
3. If required, connect to the virtual machine. Log on to 10324A-NYC-DC1 as Contoso\Administrator using the password Pa$$w0rd.
4. On the physical host machine, open Network and Sharing Center, and then click Change adapter settings.
5. Open the Properties for the network connection that is labeled Internal Network.
6. Ensure that the IPv4 settings are configured as follows:
   • IP address: 192.168.10.100/24
   • DNS server: 192.168.10.1
7. On the physical host computer, click Start, right-click Computer, and then click Properties.
8. Under Computer name, domain, and workgroup settings, click Change settings.
9. On the System Properties box, on the Computer Name tab, click Change.
10. Under Computer name, change the name to Hostx (where x is a number that your instructor provides).
11. Under Member of, click the Domain option, and then type Contoso. Click OK.
12. In the Windows Security box, provide Contoso\Administrator and Pa$$w0rd for the credentials, and then click OK.
13. In the Computer Name/Domain Changes box, click OK. At the second prompt, click OK again.
14. In the System Properties box, click Close.
15. At the restart prompt, click Restart Later. You will shut down NYC-DC1 before restarting the host computer.
16. On NYC-DC1, click Start, and then next to Log off, point to the arrow, and click Shut down. Type shut down in the comment field, and then click OK.
17. After NYC-DC1 shuts down, restart the physical host computer.
18. After the host computer restarts, log on as the local administrator.
19. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
20. Ensure that the 10324A-NYC-DC1, 10324A-NYC-SVR1, 10324A-NYC-CL1, 10324A-NYC-CL2, and 10324A-NYC-CL3 virtual machines are running. When prompted for user credentials, log on as the local administrator.
21. If required, connect to the virtual machines. Log on to all virtual machines except 10324A-NYC-CL1 as Contoso\Administrator using the password Pa$$w0rd. Do not log on to 10324A-NYC-CL1 until instructed to do so.
22. In Hyper-V Manager, change the 10324A-NYC-CL2 display name to NYC-CL2.contoso.com.
23. In Hyper-V Manager, change the 10324A-NYC-CL3 display name to NYC-CL3.contoso.com.


Exercise 1: Configuring RDS Infrastructure for VDI


Scenario
The first task of your pilot VDI deployment is to configure RDS services for VDI. You will do this by adding the RDS role, configuring the RD Virtualization Host server, and then enabling Remote Desktop Web Access. The main tasks for this exercise are:
1. Add the RDS role to the NYC-SVR1 server.
2. Configure the RD Virtualization Host Server.
3. Configure RD Web Access to use RD Connection Broker.

Task 1: Add the RDS role to the NYC-SVR1 server


1. On the NYC-SVR1 server, start the Add Roles Wizard in Server Manager.
2. Add the Remote Desktop Services role, and add the following role services: Remote Desktop Session Host, Remote Desktop Connection Broker, and Remote Desktop Web Access.
3. In the wizard, configure the server to require Network Level Authentication.
4. Restart NYC-SVR1 when prompted, and then log on as Contoso\Administrator with the password of Pa$$w0rd.

Task 2: Configure the RD Virtualization Host Server


1. On the physical host computer, start the Add Roles Wizard in Server Manager.
2. Add the Remote Desktop Services role, and add the Remote Desktop Virtualization Host role service.


Task 3: Configure RD Web Access to use RD Connection Broker


1. On NYC-SVR1, open Remote Desktop Web Access Configuration from Administrative Tools\Remote Desktop Services. Click Continue to this website (not recommended). This error occurs because the shortcut points to localhost and not to NYC-SVR1.contoso.com, as it is defined in the digital certificate that the Web site uses.
2. Log on as Contoso\Administrator with Pa$$w0rd as the password.
3. Click the An RD Connection Broker server radio button, enter NYC-SVR1.contoso.com in Source name text box, and then click OK.
4. Close Internet Explorer.

Results: After this exercise, you should have configured the RDS infrastructure for VDI.


Exercise 2: Configuring a Virtual Machine for VDI


Scenario
After you configure the Remote Desktop Services infrastructure, you have to configure test virtual machines that will be used as virtual desktops. Also, you have to create a snapshot that you can use for a virtual machine rollback in a pooled virtual desktop scenario. The main tasks for this exercise are:
1. Configure Windows 7 virtual machines for VDI.
2. Create a snapshot to enable virtual machines to roll back.

Task 1: Configure Windows 7 virtual machines for VDI


1. On NYC-CL2, open System Properties, enable Remote Desktop with the Allow connections only from computers running Remote Desktop with Network Level Authentication option.
2. Add the Contoso\RD Users group to the Remote Desktop Users local group on NYC-CL2 by using the Computer Management console.
3. Using Registry Editor on NYC-CL2, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server, and then change the AllowRemoteRPC value to 1.
4. Make an exception in Windows Firewall for Remote Service Management.
5. Grant the RD Virtualization Host computer account (physical host computer) permissions to the RDP protocol on NYC-CL2. A script for this is in \\NYC-DC1\E$\Labfiles\Mod12\RDSConfig\. Edit RDS-pool.bat to replace <physical host> with the name of your physical host server, and then save the modified file. Run RDS-pool.bat. When prompted, press Y to continue the operation, and stop the service.
6. Log off from NYC-CL2.
7. Repeat steps 1 to 6 on NYC-CL3.
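The guest settings changed in this task (and described in step 3 of "Configuring Virtual Machines for Virtual Desktops") open remote management paths into each virtual desktop, so it is worth confirming that every guest ended up in the intended state and that nothing unexpected is on the RDP-Tcp listener. The following read-only Windows PowerShell audit is an added example, not one of the lab files. Its function and parameter names are illustrative, the firewall rule group names assume an English-language guest, and CONTOSO\HOST1$ is a constructed stand-in for your physical host's computer account.

```powershell
# Added example: read-only audit of the guest settings configured in this task.
# Run from an elevated Windows PowerShell prompt inside the guest (for example
# NYC-CL2). Function and parameter names are illustrative, not from the lab files.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function New-Check {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-VdiGuestConfig {
    param(
        [Parameter(Mandatory = $true)]
        [string]$HostAccount,                      # RD Virtualization Host computer account, DOMAIN\NAME$
        [string]$UserGroup = 'CONTOSO\RD Users'    # group expected in Remote Desktop Users
    )

    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # Step 1: Remote Desktop enabled and Network Level Authentication required.
    $deny = Get-RegValue $ts 'fDenyTSConnections'
    New-Check 'Remote Desktop enabled' ($deny -eq 0) "fDenyTSConnections=$deny"
    $nla = Get-RegValue "$ts\WinStations\RDP-Tcp" 'UserAuthentication'
    New-Check 'NLA required' ($nla -eq 1) "UserAuthentication=$nla"

    # Step 2: members of the local Remote Desktop Users group (WinNT provider).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    })
    $inGroup = $members -contains $UserGroup
    New-Check "Remote Desktop Users contains $UserGroup" $inGroup ($members -join '; ')

    # Step 3: remote RPC for RDS.
    $rpc = Get-RegValue $ts 'AllowRemoteRPC'
    New-Check 'AllowRemoteRPC is 1' ($rpc -eq 1) "AllowRemoteRPC=$rpc"

    # Step 4: firewall rule groups (English display names are an assumption).
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    foreach ($g in 'Remote Desktop', 'Remote Service Management') {
        $on = [bool]$fw.IsRuleGroupCurrentlyEnabled($g)
        New-Check "Firewall group '$g' enabled" $on 'current profile'
    }

    # Step 5: accounts on the RDP-Tcp listener. The host account must be listed,
    # and any account you do not recognize deserves a second look.
    $listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSAccount -Filter "TerminalName='RDP-Tcp'" -Authentication PacketPrivacy
    $accounts = @($listener | ForEach-Object { $_.AccountName })
    $granted = $accounts -contains $HostAccount
    New-Check "RDP-Tcp listener grants $HostAccount" $granted ($accounts -join '; ')
}

# Constructed call: CONTOSO\HOST1$ stands in for your physical host's account.
Test-VdiGuestConfig -HostAccount 'CONTOSO\HOST1$' |
    Select-Object Check, Pass, Detail |
    Format-Table -AutoSize -Wrap
```

The Detail column lists every member of Remote Desktop Users and every account on the listener, which makes stale or unintended entries visible when you repeat the task on NYC-CL3.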


Task 2: Create a snapshot to enable the virtual machines to roll back


1. Using the Hyper-V Manager console on the physical host, make a snapshot for NYC-CL2, and name it RDV_Rollback.
2. Using the Hyper-V Manager console on the physical host, make a snapshot for NYC-CL3, and name it RDV_Rollback.
3. Save both NYC-CL2 and NYC-CL3 virtual machines.

By performing this task, you created snapshots for both virtual machines, from which they will start after any user uses them. You also saved the virtual machines, because Remote Desktop (RD) Connection Broker will request that RD Virtualization Host start the virtual machine when the user tries to connect to it.

Results: After this exercise, you should have configured virtual machines for VDI.


Exercise 3: Configuring and Testing the Personal Virtual Desktop


Scenario
The first part of testing is to deploy a personal virtual desktop. You will configure a test user, and will also set security options. After that, you will try to access the personal virtual desktop. The main tasks for this exercise are:
1. Configure the Personal Virtual Desktop.
2. Configure the digital signing of .rdp files, single sign-on, and the trusted .rdp publisher.
3. Test the Personal Virtual Desktop.
4. Remove the assignment of the personal virtual desktop from a user.

Task 1: Configure the Personal Virtual Desktop


1. On NYC-SVR1, start the Configure Virtual Desktops Wizard in the Remote Desktop Connection Manager console.
2. For RD Virtualization host server, enter your physical host name.
3. On the Configure Redirection Settings and Specify RD Web Access server pages, enter NYC-SVR1.contoso.com.
4. Assign a personal virtual desktop named NYC-CL2.contoso.com to the Contoso\ruser user account.


Task 2: Configure digital signing of .rdp files, single sign-on, and the trusted .rdp publisher
When you want to connect to a virtual desktop, by default, you get a security prompt because the .rdp file is not digitally signed. You then must provide user credentials for logging on to the virtual desktop. You can avoid those prompts by configuring digital signing of .rdp files, adding a trusted .rdp publisher, and configuring single sign-on. For this lab, we will use local Group Policy to configure those settings, but in real life you would configure them by using domain Group Policy.
1. On NYC-SVR1, in Remote Desktop Connection Manager, configure the digital signature found in the Properties dialog box of the RD Virtualization Host Servers to use the NYC-SVR1.contoso.com certificate.
2. On NYC-CL1, log on as Contoso\ruser, and open the Local Group Policy Editor using Run As Administrator.
3. Expand Computer Configuration, Administrative Templates, System, and click on Credentials Delegation.
4. In the details pane, double-click Allow Delegating Default Credentials, select Enabled, click Show, and then enter TERMSRV/* as the Value.
5. From NYC-CL1, browse to https://NYC-SVR1.contoso.com/RDWeb.
6. Run the Add-on, and then log on as contoso\ruser with the password of Pa$$w0rd. Select the This is a private computer option.
7. Click the My Desktop icon. On the Remote Desktop Connection dialog, click NYC-SVR1.contoso.com Publisher name.
8. In the Certificate window, click the Details tab, and then select Thumbprint. Select the thumbprint numbers in the details box, and copy them by pressing CTRL+C.

Important: Do not select the leading space at the front of the thumbprint.

9. Switch to the Local Group Policy Editor, navigate to Computer Configuration, click Administrative Templates, click Windows Components, click Remote Desktop Services, and then click Remote Desktop Connection Client.
10. In the details pane, double-click Specify SHA1 thumbprints of certificates representing trusted .rdp publishers, and then select Enabled.
11. Right-click in the Comma-separated list of SHA1 trusted certificate thumbprint entry box, and then select Paste.
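The Important note in this task exists because a thumbprint copied from the Certificate dialog can carry characters that are hard or impossible to see, and a trusted-publisher entry that does not match the certificate leaves the security prompt in place. The following Windows PowerShell functions are an added example, not part of the lab files: they show exactly which non-hex characters a pasted value contained, reject anything that is not a 40-digit SHA1 thumbprint, and build the comma-separated list. The function names and the sample thumbprint are constructed, and emitting uppercase digits without spaces is this example's choice of canonical form.

```powershell
# Added example: inspect and clean thumbprints copied from the Certificate dialog
# before pasting them into the trusted .rdp publishers policy.
# Function names are illustrative; the sample value is not a real certificate.

function Get-CleanThumbprint {
    param([string[]]$Pasted)

    foreach ($entry in $Pasted) {
        foreach ($item in ($entry -split ',')) {
            if ($item.Trim() -eq '') { continue }

            # Everything that is not a hex digit: the leading space, spaces between
            # byte pairs, or invisible marks picked up when copying from the dialog.
            $removed = @([regex]::Matches($item, '[^0-9A-Fa-f]') | ForEach-Object {
                'U+{0:X4}' -f [int][char]$_.Value
            })
            $hex = ($item -replace '[^0-9A-Fa-f]', '').ToUpper()

            New-Object PSObject -Property @{
                Thumbprint = $hex
                Valid      = ($hex.Length -eq 40)    # SHA1 = 20 bytes = 40 hex digits
                Removed    = ($removed | Select-Object -Unique) -join ' '
            }
        }
    }
}

function Join-TrustedPublisherList {
    param([string[]]$Pasted)

    $entries = @(Get-CleanThumbprint -Pasted $Pasted)
    $bad = @($entries | Where-Object { -not $_.Valid })
    if ($bad.Count -gt 0) {
        throw "Not a 40-digit SHA1 thumbprint: $(($bad | ForEach-Object { $_.Thumbprint }) -join ', ')"
    }
    # De-duplicate and emit the comma-separated form the policy box expects.
    ($entries | ForEach-Object { $_.Thumbprint } | Select-Object -Unique) -join ','
}

# Constructed sample: a value as it might be copied from the dialog, with a hidden
# U+200E mark and a leading space in front, and spaces between the byte pairs.
$pasted = ([string][char]0x200E) + ' 01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67'

Get-CleanThumbprint -Pasted $pasted | Format-List Thumbprint, Valid, Removed
Join-TrustedPublisherList -Pasted $pasted
```

For the constructed sample, Removed reports U+200E and U+0020, and the joined list is the single entry 0123456789ABCDEF0123456789ABCDEF01234567.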

Task 3: Test the Personal Virtual Desktop


1. From NYC-CL1, on the Enterprise Remote Access Web page, click My Desktop. Click Connect. Verify that you are logged on to NYC-CL2.
2. After you are logged on, create a new folder on the desktop of NYC-CL2, name the folder with your name (such as Joe), and then log off.
3. Repeat step 1, and verify that the folder that you created in the previous session still exists. The snapshot is not applied, because you assigned the virtual desktop to a user. Log off NYC-CL2.
4. After you have verified the personal virtual desktop functionality, use Hyper-V Manager to revert NYC-CL2 to the most recent snapshot.

Task 4: Remove the assignment of a personal virtual desktop from a user


1. On NYC-DC1, open Active Directory Users and Computers, and in the RDS Users organizational unit, open the Properties dialog box for ruser.
2. Click the Personal Virtual Desktop tab, and remove the assignment of the NYC-CL2 virtual machine.

Results: After this exercise, you should have configured and tested personal virtual desktops.


Exercise 4: Configuring and Testing User State Virtualization and the Virtual Desktop Pool
Scenario
The final part of the pilot VDI deployment is to test the virtual desktop pool. First, you will configure user state virtualization technologies to prevent the loss of user data, and then you will configure and try to use a Virtual Desktop Pool. The main tasks for this exercise are:
1. Configure a roaming profile and folder redirection Group Policy object (GPO).
2. Configure the Virtual Desktop Pool.
3. Verify the Virtual Desktop Pool functionality.

Task 1: Configure a roaming profile and folder redirection


1. On NYC-DC1, open Active Directory Users and Computers, and in the Properties dialog box for the VDI user, on the Profile tab, enter \\NYC-DC1.contoso.com\Profiles\%username% as the Profile path.
2. In the Group Policy Management console on NYC-DC1, create a new GPO named Folder Redirection, and link it to the RDS Users organizational unit.
3. Open the Folder Redirection GPO for editing, and then browse to User Configuration, Policies, Windows Settings and Folder Redirection. Right-click on the Desktop node, and select Properties. In the Desktop Properties window, select the Basic - Redirect everyone's folder to the same location setting, enter \\NYC-SVR1.contoso.com\desktops as Root Path, and then click OK.

Task 2: Configure the Virtual Desktop Pool


1. On NYC-SVR1, in Remote Desktop Connection Manager, start the Create Virtual Desktop Pool Wizard.
2. Add NYC-CL2.contoso.com and NYC-CL3.contoso.com to the Virtual Desktop Pool, and name the pool as Contoso Virtual Desktop Pool. Enter CONTOSO_VDP as Pool ID.


Task 3: Verify the Virtual Desktop Pool functionality


1. On NYC-CL1, if necessary, log on as Contoso\ruser, open Remote Desktop Web Access by navigating to https://NYC-SVR1.contoso.com/RDWeb, and verify that Contoso Virtual Desktop Pool has appeared.
2. Click on that item and verify that you are logged on to the NYC-CL2 virtual machine.
3. On the desktop of NYC-CL2, create a folder called Pooled VDI, and log off the machine.
4. Switch to NYC-DC1, open Remote Desktop Web Access by browsing to http://NYC-SVR1.contoso.com/RDWeb, and log on as Contoso\vdi with password Pa$$w0rd.
5. After you are logged on, click Contoso Virtual Desktop Pool. More prompts may appear while logging on. This is normal as NYC-DC1 is not configured to delegate credentials. Verify that you are connected to the NYC-CL2 virtual computer.
6. Open Windows Explorer, and verify that inside the C:\Users folder there is no ruser subfolder. It should have been discarded when the user logged off and the RDV_Rollback snapshot was applied.
7. Switch to NYC-CL1, and access Contoso Virtual Desktop pool again. Verify that you are connected to the NYC-CL3 virtual computer and that the Pooled VDI folder is on the desktop. Log off NYC-CL3.

Results: After this exercise, you should have configured and tested the virtual desktop pool.

To complete the lab


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machines used in this lab, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. For the NYC-CL2 and NYC-CL3 virtual machines, you will need to delete the RDV_Rollback snapshots first, and then revert to the first snapshot.


Module Review and Takeaways

Review Questions
1. Which hypervisor type is used in Hyper-V? What is the main difference between the hypervisor in Hyper-V and in Virtual PC?
2. List some of the most important improvements to Hyper-V in Windows Server 2008 R2.
3. In which modes can you deploy Virtual Desktop Infrastructure?
4. Can you assign the same virtual machine to more than one user?
5. How do you preserve user data in the virtual desktop pool scenario?


Common Issues Related to Virtual Desktop Infrastructure


Issue | Troubleshooting tip
--- | ---
Users are prompted for credentials when connecting to personal virtual desktops. |
Virtual machine cannot start from saved state. |
User data is not retained when using pooled virtual desktops. |

Real-World Issues and Scenarios


Contoso has 40 client computers that are running the Windows 2000 Professional operating system. These computers are used by 60 users, 30 of whom are resident, and 30 who use computers occasionally, when they are in the office. In these situations, they share computers with resident employees. These computers have old hardware, and you cannot upgrade them to a newer version of the operating system. Recently, Contoso has implemented virtual infrastructure based on Hyper-V 2.0, in order to virtualize physical servers and optimize resource usage. This virtual infrastructure is planned to support further growth and has enough spare resources. Now, managers at Contoso are considering ways to upgrade client computers to Windows 7. One option is to buy new hardware for all clients. You are hired as a consultant, and you have to prepare a proposal for a solution that uses VDI instead of buying new client hardware. Contoso managers are interested in this solution, but they have some concerns about managing users' data. Currently, all user data is located on local client machines.

Best Practices Related to Virtual Desktop Infrastructure


Supplement or modify the following best practices for your own work situations:
• Use high availability technologies, such as Live Migration for Hyper-V.
• Use System Center Virtual Machine Manager 2008 R2 for management of your whole virtual infrastructure and for deployment of new virtual machines.
• Configure personal virtual desktops to go in saved state mode after the user logs off. This optimizes usage of system resources.


Module 13
Summary of Desktop Virtualization Technologies
Contents:
Lesson 1: Review of Desktop Virtualization Technologies
Lesson 2: Real-World Usage Scenarios


Module Overview

This module summarizes all of the desktop-virtualization technologies that this course presents. Additionally, it helps you identify typical usage scenarios for each technology, and it covers some real-world scenarios.


Lesson 1

Review of Desktop Virtualization Technologies

Microsoft provides several desktop-virtualization technologies that include Windows Virtual PC, Virtual PC 2007 Service Pack 1 (SP1), Microsoft Enterprise Desktop Virtualization (MED-V), Microsoft Application Virtualization (App-V), Remote Desktop Services (RDS), User State Virtualization, and Virtual Desktop Infrastructure (VDI). This lesson summarizes all of these technologies, and it briefly reviews the features and benefits of each one.


Review of Windows Virtual PC

Key Points
Windows Virtual PC is client virtualization software that you can use on a Windows 7 host operating system to create and run multiple virtual machines. Each of these virtual machines can run a different operating system or the same one. You can obtain Windows Virtual PC as a free download from the Windows Virtual PC Web site. The primary purpose of Windows Virtual PC is to serve as the virtualization engine for Windows XP Mode, which is a preconfigured virtual machine that is running Windows XP Service Pack that Microsoft provides. You can deploy Windows XP Mode on Windows 7 Professional, Ultimate, and Enterprise editions. For guest operating systems, Windows Virtual PC supports Windows XP Service Pack 3 (SP3), Windows Vista Service Pack 2 (SP2), and Windows 7. To the guest operating system running in the virtual machine, Windows Virtual PC provides virtual hardware, including a disk, CPU, memory, input/output (I/O), and other devices.


Windows Virtual PC offers the following key features and benefits:
• Seamless integration into the Windows desktop, which enables you to launch and use a full virtual machine and virtual applications as if they are a native Windows 7 application. Additionally, you can navigate freely between the host and guest environments, and applications.
• A new user interface, which includes a full virtual machine console, settings interface, and a wizard-based interface. You can use the console and interfaces to create new virtual machines, and perform advanced management tasks for various types of virtual hard disks (VHDs).
• The ability to run in two modes: a Virtual Applications mode to run legacy applications seamlessly, and a Full Desktop mode, which provides the user with the full desktop experience of the guest operating system.
• The ability to use universal serial bus (USB) devices, such as printers, flash memory sticks, external hard disks and backup disks, digital cameras, and smartcards. Windows Virtual PC enables easy use of USB devices because of its hardware redirection technology.
• Extensive networking capabilities, which enable you to configure network connections between a virtual machine and the host, among multiple virtual machines, and between virtual machines and the external network.
• The use of the Hardware Assisted Virtualization (HAV) feature (Intel VT and AMD-V) that improves the performance and robustness of virtual machines on HAV-capable hardware. You must have HAV to use Windows Virtual PC on Windows 7.

To deploy Windows Virtual PC, you do not need any server infrastructure. However, you can integrate Windows Virtual PC into a standard image that you can use for deploying workstations. Additionally, you can deploy it, optionally, with Windows XP Mode. The central vision of Windows Virtual PC is to encourage organizations to use Windows 7 by addressing the legacy application-compatibility needs of enterprise and small-business users with a very simple, readily accessible, and seamless presentation of applications and virtual desktops.


Typically, home users who need to have older or other platforms present on their Windows 7 desktop computers use Windows Virtual PC, as do companies that must support older applications on a smaller number of computers that are running Windows 7. You also can deploy Windows Virtual PC in larger enterprise environments, but since there is no native centralized management for this virtual platform, you need to use other methods to manage virtual machines that are running inside Windows Virtual PC. You can use Group Policy if you join the virtual machines to a domain, or you can use technologies such as Microsoft System Center Configuration Manager.


Review of Virtual PC 2007 SP1

Key Points
Virtual PC 2007 SP1 is desktop virtualization software developed for earlier Windows versions, such as Windows Vista and Windows XP. You also can run Virtual PC 2007 SP1 on Windows 7. However, you cannot run both Virtual PC 2007 SP1 and Windows Virtual PC on the same computer. Virtual PC 2007 SP1 does not require hardware virtualization support on the host computer, although it can partly utilize it if it is available. Therefore, you can install Virtual PC 2007 SP1 on older hardware to provide a virtualization platform, even if there is no available support for hardware virtualization. Free downloads of the 32-bit and 64-bit versions of Virtual PC 2007 SP1 are available at the Microsoft Web site.


Virtual PC 2007 SP1 offers the following key features:
• Support for dragging and dropping folders and files between the host and the guest operating system.
• An administration console that enables you to create and manage virtual machines.
• It enables you to provide virtualization on older hardware platforms.
• It does not require a server infrastructure, but it supports centralized management through MED-V.
• Support for application publication, when you use it with MED-V.

You typically would use Virtual PC 2007 SP1 if you have older operating systems, but you need a virtualization platform for testing or for legacy application support. You also can use it as a managed client-virtualization platform in enterprise environments where you deploy MED-V.


Review of MED-V

Key Points
MED-V is a management and deployment platform for desktop virtualization. It provides virtual machines and application integration in a Virtual PC 2007 SP1 environment that is running on a previous version of the operating system, such as Windows XP. Applications appear and operate as if they were installed on the desktop, and for information technology (IT) administrators, MED-V helps deploy, provision, control, and support virtual environments. While VDI and RDS provide remote virtual desktops and presentation virtualization, MED-V provides a local virtual machine with a client operating system in which legacy applications can run. Additionally, it offers a complete solution for centrally managing client virtual machines; storing, updating, and distributing virtual images; and monitoring user activity. MED-V is part of the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance, and the most current version is MED-V 1.0 SP1.


MED-V offers the following key features and benefits:
• Centralized deployment, management, and monitoring of deployed virtual images.
• Application provisioning based on Active Directory Domain Services (AD DS) users and groups.
• Seamless and transparent integration of published applications.
• Clipboard sharing and printer redirection.

You need to deploy the server infrastructure for MED-V, and you need storage for storing virtual images. Also, you must deploy the MED-V client to all workstations that will be running MED-V virtual images. Typically, you would use MED-V in larger environments where it is critical that you maintain compatibility with older applications and operating systems. In these scenarios, MED-V is beneficial because it enables you to centralize control, deployment, and monitoring of all virtual images that are running older applications. The only drawback of MED-V is that users must download the virtual image on a client, which can take time and consume valuable network resources.


Review of App-V

Key Points
Application virtualization is a sophisticated technology that allows organizations to reduce costs and simplify software deployment. Other virtualization technologies, such as Windows XP Mode or MED-V, deliver an entire virtual machine to the client computer. However, App-V delivers a virtual application hosted in a virtual environment, which is based on the host operating system. App-V does not provide a virtual machine. It provides only an application and the environment necessary to run the application independently of the host operating system. App-V is not an application-compatibility product, but rather, is an application-management product. From an end user's perspective, a virtualized application behaves as a locally installed application. The virtualization client software that you install on the client computer provides an environment that simulates the local operating system. The most current version is App-V 4.6. When you use it in conjunction with Windows 7, Windows Server 2008 R2, and Microsoft Office 2010, it provides a seamless user experience, streamlined application deployment, and simplified application management.


Application management is one of the most time-consuming and costly aspects of an enterprise IT infrastructure. However, there are many benefits to virtualizing applications, including a reduction of management and support costs. App-V offers the following key features and benefits:
• Centralized management.
• The ability to run multiple versions of the same application without conflicts.
• Reduced application conflicts.
• A scalable infrastructure.
• Support for Remote Desktop Servers.
• Reduced license-compliance risks.
• Usage reporting.

To deploy App-V, you must build a fairly complex server and client infrastructure that can include many components, such as the Microsoft Application Virtualization Management Web Service, the App-V Management Console, the App-V Management Server, the App-V Streaming Server, the App-V Client, the App-V Sequencer, and Microsoft SQL Server. Depending on your usage scenario, you can deploy some or all of the components of an App-V solution. You typically would deploy App-V in your organization if you need to have full control over applications that deploy to workstations and to address potential compatibility issues. App-V cannot address incompatibility issues between an operating system and an application, but it enables you to run several incompatible versions of the same application on a single computer. Also, you can run App-V on RDS Session Host computers.


Review of RDS

Key Points
RDS provides a form of virtualization known as presentation virtualization. RDS, formerly known as Terminal Services, provides technologies that enable you to access session-based desktops, virtual machine-based desktops, and remote applications that are running on centralized servers. You can establish a secure connection from a local network or from the Internet. Clients connect to an RDS server by using Remote Desktop Protocol (RDP). RDP 7.0 provides improved and new features, such as Windows Media redirection, Aero Glass support, and true multimonitor support. To benefit from the new and improved RDP features, you must use Remote Desktop Connection 7.0 client, which both Windows 7 and Windows Server 2008 R2 include. RDS consists of several services, including Remote Desktop (RD) Session Host, RD Licensing, RD Connection Broker, RD Gateway, RD Web Access, and the RD Virtualization Host. All these services work together to provide end users with an experience that is similar to running local applications on their computers. Features such as device redirection, single sign-on (SSO), and RD Easy Print make it difficult to distinguish between remote and local applications.


RDS offers the following capabilities and features:
• You can run an application or full desktop in one location, while accessing the applications or desktops from a remote location.
• You can maintain the installation and management of centralized servers in the data center.
• You can present users with a full desktop environment or with the individual application's window and data that they require for their job.
• Remote RDS applications integrate seamlessly with the user's local desktop. They look, feel, and behave as if they are local applications.
• It enables secure remote access to an entire desktop, remote application, or virtual machine, without users having to establish a connection to a virtual private network (VPN).
• You can maintain control centrally of which users can access RDS servers, which RDS servers users can access, and of additional configuration information, such as device redirection settings.

RDS is part of the Windows Server 2008 R2 operating system, and can be relatively easy to deploy. The most common usage scenario for RDS is application consolidation and optimization of resource usage. If you want to centralize application deployment only to application servers, and not to clients, then you can use RDS services such as RemoteApp and RD Web Access to publish applications to clients. Also, some RDS services, such as RD Gateway, provide unified access to RDP hosts from any location inside or outside the company.


Review of User State Virtualization

Key Points
User state is a general term that describes several categories that determine user environment, user data, and settings. You do not identify a user state in one specific file or setting, but rather in a set of files and settings known as User settings, User Registry, Application data, and User data. If you virtualize the user state, you make a user's data and settings available on any computer to which that user logs on. User state virtualization, unlike other technologies that this course details, is more conceptual virtualization than technical virtualization. To provide user state virtualization, you can use technologies in Windows Server 2008, including folder redirection, roaming profiles, and offline files.


To implement any of these technologies as a support for user state virtualization, you must understand the benefits and drawbacks of each. When you utilize user state virtualization with these technologies, you receive the following benefits and features:
• Access to data and settings from any computer that is a domain member.
• A unified user environment on every computer.
• A centralized location for users' data and settings.
• Access to files from network shares, even when a computer is offline.

You do not need additional software to deploy user state virtualization. You can configure most of these features by using Group Policy in Windows Server. However, you must decide which technology you will apply and where you want to store user data. You typically would deploy user state virtualization in environments where user data centralization is critical. You also would implement this virtualization in scenarios where users frequently change the computer on which they work, or if a company has several users that work offsite, but who still need access to company data. Additionally, you typically would combine technologies that are part of user state virtualization with other virtualization technologies, such as RDS and VDI.


Review of VDI

Key Points
VDI is an alternative model for desktop delivery that enables users to access desktops that are running in a data center. When you use VDI, each user has access to a personal virtual desktop from any device that you authorize, which improves desktop flexibility. VDI provides an architecture for desktop delivery that enables you to centralize the storage, execution, and management of a data center's Windows desktops, and it enables you to run Windows 7, Windows Vista, and other desktop environments, and then manage them in virtual machines on a centralized server. Users can connect to a virtual desktop with Remote Desktop Client (RDC), and can initiate a connection from a preconfigured .rdp file or from their Start Menu or a Web page. VDI supports two key deployment scenarios: personal virtual machines and pooled virtual machines.


Personal virtual machines have a one-to-one linking for virtual machines and users, which means that you assign each user a dedicated virtual machine, which that user can personalize and customize. This preserves any changes that the user makes. You provide the greatest flexibility to end users by deploying personal virtual desktops.

Pooled virtual machines replicate a single image, and you can store user state information through profiles and folder redirection. However, the virtual machine does not retain the user state after the user logs off. This feature can free up system resources, and it enables you to separate user data from virtual machines.

VDI offers the following benefits:
• Access to data and applications from any device that is capable of running the RDC client.
• Improved data security and compliance.
• Simplified management and deployment of applications.
• Improved business continuity through data centralization.
• Integrated management of physical, virtual, and session-based desktops.
• Quicker recovery from device malfunctions.
• Centralized data storage and backup, which reduces losses from stolen devices.

To deploy VDI, you need to deploy the RDS role and services, and Hyper-V 2.0. Requirements on the client side are minimal. The client must be able to run the RDC client software, and it should be a domain member. You typically would deploy VDI in organizations and environments where you want to unify and centralize desktops. You can use VDI in an organization where a large number of users require a standard, simple desktop. Additionally, some organizations might deploy VDI instead of buying new physical hardware for their users, which optimizes resource usage. It is common to use user state virtualization with VDI, especially if you deploy pooled desktops.


Comparing Desktop Virtualization Technologies

Key Points
The table provided on the slide compares the different desktop virtualization technologies that this course covered. While you can implement each technology and treat it separately, you also can combine many of them to achieve better results and increased functionality. However, to implement the technology that is most suitable for your needs, you should identify the usage scenario and expected results before you start the planning and deployment of these technologies. Also, you should consider licensing requirements since they vary with each technology. Some of the technologies are free, such as Windows Virtual PC, some of them are part of packages such as MDOP, while certain technologies such as RDS require you to buy a license. You also should evaluate each technology before making a final decision. Your hands-on experience can greatly help you in choosing a proper technology. Additionally, Microsoft provides appropriate evaluation resources for each technology on the TechNet and MSDN Web sites.


Lesson 2

Real-World Usage Scenarios

Based on your organization's requirements and usage needs, you can deploy the virtualization technology that provides the optimal solution. This lesson covers some of the predefined and real-world scenarios for desktop virtualization.


Discussion: Scenario 1 - Contoso, Ltd

Key Points
Contoso, Ltd is a large multinational company that has several offices around the world. The company has 5,000 users with approximately 5,000 workstations in several offices in the United States and Europe, and its core infrastructure is on Windows Server 2008 AD DS. All domain controllers run on Windows Server 2008, while some member servers run on Windows Server 2003. Client computers run various versions of the Windows operating system. Approximately 50 percent are running Windows XP Professional, while 20 percent are running Windows Vista SP2 Enterprise, and 30 percent are running Windows 7 Enterprise.


Contoso, Ltd uses approximately 40 applications for business and testing, and approximately 10 percent of those are core business applications that are installed on nearly all computers. The other applications mostly are used for testing in the developmental department and for the support of the systems of various vendors. Deployment of these applications is becoming more and more difficult. First, not all applications are compatible with all of the operating systems deployed at Contoso, Ltd. During the next 12 months, Contoso, Ltd plans to upgrade most computers to Windows 7, which could cause an issue because some core business applications are not compatible with Windows 7. Additionally, very few application specialists are available, so end users sometimes must wait too long for an application to deploy to their computers. Lastly, providing support for these applications can be complex because there is no unified method by which the organization can update applications.

Applications that the development department uses must run in an isolated environment, and therefore, these applications should access the internal network only after testing is complete.

Some users at Contoso, Ltd work from home. Currently, they access the corporate network through a VPN, but they have problems with some applications that do not work through a VPN connection.

You are a consultant for Contoso, Ltd, and you need to propose a solution that will address most, if not all, of their problems with application deployment and support. Your primary goals are:
• To simplify application deployment to client computers, as much as possible.
• To enable fast and secure deployment of core business applications. Additionally, you must deploy up-to-date applications.
• To provide remote access to core business applications in a secure, user-friendly way.

Question: What will you recommend to address issues with core business applications at Contoso, Ltd?
Question: What will you recommend for maintaining those applications that the organization uses for testing and development?
Question: What are the options for users that are working from home?


Discussion: Scenario 2 - Northwind Traders

Key Points
Northwind Traders is a company in the United States that has five branch offices, with 1,000 users and approximately 700 workstations. All users and computers are deployed in a single domain. Domain controllers run Windows Server 2008 R2. Recently, the company bought several servers to use for virtualization. These servers run Windows Server 2008 R2 with Hyper-V. Workstations at Northwind Traders are heterogeneous, which means that they run various versions of the Windows operating systems, from Windows 2000 to Windows 7. Not all users have their own workstation, so some of them share the same workstation. Since some users do not have dedicated workstations, if they save data on one workstation, it is sometimes hard to access it from another workstation, and it also can cause version conflicts on documents. Additionally, some users have older computers that are not capable of running new applications. The organization uses various platforms, so administrators are having a hard time unifying desktop environments.


Each year, the company employs temporary workers that work outside the company. They use computers occasionally, when they are in the company office, and then mostly for checking e-mail and information on the company's intranet portal or for writing work reports. These employees do not need dedicated workstations, but must be able to use a computer when necessary and save their reports.

You are a consultant at Northwind Traders, which is considering desktop virtualization technologies as a solution. However, the IT department is not sure which technology will address the company's needs.

Question: What solution would you recommend to unify desktop environments for existing users?


Discussion: Real-World Scenarios

Key Points
In this topic, you should discuss your environment with the rest of the class. During preparation for this discussion, you should answer the following questions:
1. Do you need any virtualization in your environment?
2. Do you have to support legacy applications?
3. Do you plan to upgrade to Windows 7 in the near future?
4. Do you often face application compatibility issues in your environment?
5. Do you have a need to unify user desktop platforms?
6. Do you have problems with backing up user data that is on desktops?


Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your learning experience. Please work with your training provider to access the course evaluation form. Microsoft will keep your answers to this survey private and confidential, and will use your responses to improve your future learning experience. Your open and honest feedback is valuable and appreciated.


Module 1: Overview of Desktop and Application Virtualization

Lab: Planning Desktop Virtualization Scenarios


Exercise 1: Identifying Virtualization Solutions
Task 1: Identify the user groups at Contoso, Ltd.
1. Review the scenario information.
2. Contoso, Ltd., has the following user groups with unique business requirements:
   • Regular users: Little information is provided for this group, so you can assume they have the regular business desktop requirements. Some users likely will be affected by the application that is incompatible with the Windows 7 operating system.
   • Branch office users: No information specific to these users is provided, so they can be grouped with the regular users.
   • Sales support personnel: Require access to a limited set of applications. Share desktops with limited hardware resources.
   • Mobile users: Require local access to applications. Data on the laptops must be encrypted. Require an application that is not compatible with Windows 7.
   • Contractors: Require access to internal servers and applications. Will not be able to connect through the virtual private network (VPN) in three months. Will not be issued company laptops.


Task 2: Identify the virtualization solutions


1. On NYC-CL3, click Start, and then click Documents.
2. Double-click Windows Optimized Desktop Scenario SelectionTool v1.1.xls.
3. Use the following table to configure the requirements for two of the user groups. Select Yes for all Solution Prerequisite criteria except where indicated below.

Note: You will need to fill in the information in the spreadsheet twice, once for each user group.

User group: Regular and branch office users
Selections:
   User Requirements: 1. Yes  2. No  3. Yes  4. No  5. No  6. No  7. Unanswered  8. No
   Business Requirements: 9. No  10. No  11. No  12. No
   What is the suggested scenario? Office Worker

User group: Sales support personnel
Selections:
   User Requirements: 1. No  2. Yes  3. No  4. No  5. Yes  6. No  7. Unanswered  8. No
   Business Requirements: 9. No  10. No  11. No  12. No
   Solution requirements: 13. No
   What is the suggested scenario? Task Worker

User group: Mobile workers
Selections:
   User Requirements: 1. Yes  2. No  3. Yes  4. Yes  5. No  6. No  7. Unanswered  8. No
   Business Requirements: 9. No  10. No  11. No  12. No
   What is the suggested scenario? Mobile Worker

User group: Contractors
Selections:
   User Requirements: 1. No  2. No  3. No  4. No  5. No  6. Yes  7. Yes  8. No
   Business Requirements: 9. No  10. Yes  11. No  12. No
   What is the suggested scenario? Contract Worker


4. The recommended products and technologies for each type of user group are listed in the following table:

User group: Regular and branch office users
   Required products and technologies:
   • Microsoft System Center Configuration Manager
   • Microsoft Application Virtualization (App-V)
   • Windows 7 Enterprise clients
   • Profile virtualization technologies
   • AppLocker and BitLocker
   As needed products and technologies:
   • RemoteApp
   • App-V for Remote Desktop Services

User group: Sales support personnel
   Required products and technologies:
   • RemoteApp
   • App-V for Remote Desktop Services
   • System Center Configuration Manager
   • App-V
   • Profile virtualization technologies
   • AppLocker and BitLocker To Go
   As needed products and technologies:
   • Windows Fundamentals for Legacy PCs
   • Windows 7 Enterprise

User group: Mobile Workers
   Required products and technologies:
   • System Center Configuration Manager
   • App-V
   • Windows 7 Enterprise clients
   • Profile virtualization technologies
   • AppLocker and BitLocker
   • DirectAccess
   As needed products and technologies:
   • RemoteApp
   • App-V for Remote Desktop Services
   • BranchCache

User group: Contractors
   Required products and technologies:
   • Windows Virtual Enterprise Centralized Desktops
   • Hyper-V technology
   • Virtual Machine Manager
   • System Center Configuration Manager
   • App-V
   • Windows 7 Enterprise clients
   • Profile virtualization technologies
   • BitLocker To Go
   As needed products and technologies:
   • App-V for Remote Desktop Services
   • Windows Fundamentals for Legacy PCs


Task 3: Develop a prioritized list of projects to implement virtualization


To address all of the organization's virtualization requirements, Contoso should consider the following prioritized list of projects:
a. Implement Remote Desktop Services and Remote Desktop Gateway for the contractors to remove the need for them to connect using the VPN. This project has the highest priority because the organization will block VPN access in three months.
b. Implement App-V for applications that are not compatible with Windows 7. The organization should implement a full App-V solution using System Center Configuration Manager to stream the virtual application to all mobile users and to internal users who require the application.
c. Implement a Virtual Desktop Infrastructure (VDI) solution for the sales support personnel. This solution will enable them to continue to run the applications that they require without upgrading the user desktops.

Results: At the end of this exercise, you will have identified the user groups that may require virtualization at Contoso, identified virtualization solutions that the organization could implement to address its business requirements, and developed a prioritized list of projects to implement application and desktop virtualization.

To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Module 2: Implementing Windows Virtual PC and Windows XP Mode


Lab: Implementing Windows Virtual PC and Windows XP Mode


Exercise 1: Installing Windows Virtual PC
Task 1: Install Windows Virtual PC, and the KB977206 update
1. On NYC-CL2, open Windows Explorer, browse to \\NYC-DC1\E$\Labfiles\Mod02, and then double-click Windows6.1-KB958559-x86.msu.
2. When prompted whether you want to install Update for Windows (KB958559), click Yes.
3. On Download and Install Updates, click I Accept.
4. After the installation finishes, click Restart Now.
5. Wait until the computer restarts. Log on as Contoso\Administrator as username and Pa$$w0rd for password.
6. Open Windows Explorer, and browse to \\NYC-DC1\E$\Labfiles\Mod02. Double-click Windows6.1-KB977206-x86-second.msu. Repeat steps 2 and 3, and restart as prompted.
7. On NYC-CL2, click Start, click All Programs, and then click Windows Virtual PC. Two items will appear under the resulting menu: Windows Virtual PC and Windows XP Mode.
8. Notice that Windows XP Mode actually is not installed yet, and click Windows Virtual PC. The Virtual Machines folder opens.

Task 2: Create and configure a virtual machine


1. On NYC-CL2, in the Virtual Machines window, click Create virtual machine on the task bar. A wizard for creating a new virtual machine will start.
2. Type VMWorkstation1 in the Name field, and then click Next.
3. On Specify memory and networking options, type 768. Make sure that the Use computer network connections option is selected, and then click Next.
4. On the Add a virtual hard disk page, click Create dynamically expanding virtual hard disk. In Location field, click Browse.
5. Navigate to Local Disk (C:\), and then click Make New Folder. Type VHDs, and then click OK.
6. Click the check box next to Enable Undo Disks, and then click Create.
7. Ensure that VMWorkstation1 appears in the Virtual Machines window.
8. Right-click VMWorkstation1, and then click Settings. Click Close, click Automatically close with the following action, click Hibernate, and then click OK.
9. Right-click VMWorkstation1, and then click Open. The virtual machine will start the boot process.
10. After the machine starts, click X in upper-right corner of the Windows Virtual PC window, and make sure that machine goes into hibernation without asking you for options.


Exercise 2: Using Windows XP Mode


Task 1: Set up Windows XP Mode
1. On NYC-CL2, open Windows Explorer, navigate to \\NYC-DC1\E$\Labfiles\Mod02\, and then double-click WindowsXPMode_en-us.exe.
2. On the Welcome to Setup for Windows XP Mode page, click Next.
3. For the install location accept the default value, and then click Next.
4. When Setup Completed page appears, click Finish. Leave the check mark next to Launch Windows XP Mode.
5. On the Windows XP Mode Setup page, click I accept the license terms, and then click Next.
6. On the Installation folder and credentials page, accept the default value for the Installation folder, and then enter Pa$$w0rd as the password for XPMUser. Make sure that the check box next to Remember credentials (Recommended) is selected, and then click Next.
7. On the Help protect your computer page, click Help protect my computer by turning on Automatic Updates now, and then click Next.
8. On the Setup will share the drives on this computer with Windows XP Mode page, click Start Setup. Wait until the setup finishes.
9. After the setup finishes, the Windows XP Mode virtual machine will start and boot. After it boots, it will log on using saved credentials.
10. In the upper-right corner of the Windows XP Mode - Windows Virtual PC window, click the icon in the middle to go to full-screen mode.
11. Click the same icon again to revert to a window mode. Leave Windows XP Mode virtual machine in a running state.
12. In the Virtual Machines window, right-click Windows XP Mode, and then click Settings.
13. Navigate to the Integration Features node, and review the available options. Close the Windows XP Mode - Windows Virtual PC Settings dialog box.


Task 2: Install a legacy application, and then publish it to the host


1. If necessary, open the Virtual Machines folder. Right-click Windows XP Mode, and click Settings.
2. Click the Auto Publish option. Ensure that automatically publish virtual applications is selected. Click Cancel to close Settings.

Note: If Auto Publish is not enabled, you have to turn off the virtual machine, enable this option, and then turn on the virtual machine.

3. Switch to Windows XP Mode.
4. Open Windows Explorer, and then browse to the C drive on NYC-CL2.
5. Open folder Labfiles\Office, and double-click the Setup file. Click OK.
6. Type Admin for the Name and Contoso for the Organization, and then click OK eight times.
7. Click Complete/Custom on the Microsoft Office 4.3 Professional Setup page.
8. In the options list, remove all check marks except for the one next to Microsoft Access, and then click Continue.
9. On Microsoft Office 4.3 Professional Choose Program Group, click Continue.
10. Click OK after the wizard is finished. Close the Microsoft Office window.
11. In the Windows XP Mode virtual machine, click Start, click All Programs, click Microsoft Office, and then click Microsoft Access.

Task 3: Use a published application from the Windows 7 host


1. Switch to NYC-CL2, click Start, and in the Search box, type Access. Confirm that Microsoft Access (Windows XP Mode) has appeared in the search results.
2. Click Start, click All Programs, click Windows Virtual PC, click Windows XP Mode Applications, and then expand Microsoft Office.
3. Click Microsoft Access (Windows XP Mode). If a prompt appears that the virtual machine must be closed, click Continue.
4. After few seconds, Microsoft Access should appear on your Windows 7 desktop. Close MS Access Cue Cards.
5. Click the first icon from the left to create a new database.
6. Name the file DB1.MDB, and then save it to C:\MSOffice.
7. Close Microsoft Access.
8. Click Start, All Programs, Windows Virtual PC and click Windows XP Mode.
9. In the Windows XP Mode virtual machine, open Windows Explorer, copy DB1.MDB from C:\MSOffice to C on NYC-CL2 in the VHDs folder.
10. Close Windows XP Mode.
11. Navigate to C:\VHDs, and then double-click DB1.MDB.
12. The Microsoft Access virtual application opens.

To prepare for the next lab


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machines used in this lab, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Module 3: Implementing Microsoft Enterprise Desktop Virtualization


Lab: Implementing MED-V


Exercise 1: Configuring the Existing Infrastructure
Task 1: Verify that a MED-V database does not exist on Microsoft SQL Server
1. On NYC-DC1, open Windows Explorer and browse to E:\Labfiles\Mod03\SQL_Update.
2. Double-click SQLSysClrTypes.msi. On the Welcome page, click Next. Accept the license agreement, and then click Next. On the Registration Information page, click Next and then click Install. Click Finish.
3. Double-click SharedManagementObjects.msi. On the Welcome page, click Next. Accept the license agreement, and then click Next. On the Registration Information page, click Next and then click Install. Click Finish. Close the SQL_Update window.
4. Click Start, click All Programs, click Microsoft SQL Server 2008, and then click Import and Export Data (32-bit). The SQL Server Import and Export Wizard opens.
5. Click Next, and then verify in the Server name box that you are connected to NYC-DC1\SQLEXPRESS.
6. Expand the Database box, and then verify that the MED-V database, medv, is not available in the list. Notice that the database is not available even when you click Refresh.
7. Click Cancel in the SQL Server Import and Export Wizard.


Task 2: Add the Windows Server 2008 R2 role and features


1. On NYC-DC1, start Server Manager, right-click Roles, click Add Roles. Click Next, select the check box next to Web Server (IIS), and then click Next twice.
2. On the Select Role Services page, under the Security node, add Basic Authentication, Windows Authentication, and Client Certificate Mapping Authentication, click Next, and then click Install.
3. Click Close when the installation finishes.
4. In Server Manager, right-click Features, click Add Features, and then select the check box next to Background Intelligent Transfer Service (BITS). When the Add Features Wizard opens, click Add Required Role Services, click Next three times, and then click Install.
5. Click Close when the installation finishes, and then minimize Server Manager.


Exercise 2: Deploying the MED-V Server


Task 1: Install the MED-V Management Server on NYC-DC1
1. On NYC-DC1, open Windows Explorer, browse to E:\Labfiles\Mod03, and then double-click the MED-V_Server_x64_1.0.105.msi file.
2. On the Welcome page, click Next.
3. On the License Agreement page, select I accept the terms in the license agreement, and then click Next.
4. On the Destination Folder page, click Next.
5. On Ready to Install the Program page, click Install.
6. After the MED-V Server is installed, clear the Launch MED-V Server Configuration Manager check box, and then click Finish. Close the Mod03 folder.

Task 2: Configure an IIS Web server for the MED-V image repository
1. On NYC-DC1, click Start, expand Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. Expand NYC-DC1 (Contoso\Administrator), expand Sites, right-click Default Web Site, and then select Add Virtual Directory.
3. In Alias type vimages, and in the Physical path, point to C:\MED-V Server Images, and then click OK.
4. Verify that in the Navigation pane, the vimages virtual directory is selected, and in Features View, double-click BITS Upload.
5. On the BITS Upload page, select the Allow clients to upload files check box.
6. Verify Use default settings from parent is selected, and then click Apply.
7. Click vimages in the Navigation pane, and in Features View, double-click MIME Types.
8. In the Actions pane, click Add, and in the File name extension box, enter .ckm, enter application/octet-stream as MIME type, and then click OK.
9. In the Actions pane, click Add, enter .index in the File name extension box, enter application/octet-stream as MIME type, and then click OK. Close the IIS Manager.


Task 3: Use the MED-V Server Configuration Manager


1. On NYC-DC1, click Start, click All Programs, point to MED-V, and then click MED-V Server Configuration Manager.
2. Verify that on the Connections tab, the Enable unencrypted connections (http) option is selected, and that port 80 is set.
3. On the Images tab, verify that the VMs Directory is set to C:\MED-V Server Images\, and then set the VMs URL to http://nyc-dc1/vimages.
4. On the Permissions tab, remove the Everyone group, add the Contoso\MED-V Administrators group, and then grant the Changes Allowed permission to this group.
5. Add the Contoso\MED-V Users group, and ensure that this group does not have the permission to make changes. Note that both groups were added for the purpose of this lab, and that they are not created by default.
6. On the Reports tab, review the Connection string, and then click Create Database. In the Database Creation window, click OK.
7. Click Test Connection, and in the Connection Test window, click OK.
8. Click Clear Options, review the settings, and in the Clear Database Options window, click Cancel.
9. In MED-V Server Configuration Manager, click OK, and then click Yes.
10. Open Windows Explorer, navigate to C:\Program Files\Microsoft Enterprise Desktop Virtualization\Servers, and then open the ServerSettings.xml file in Notepad.
11. Review the configuration file, confirm that all settings from MED-V Server Configuration Manager are stored there, and then close Notepad.


Task 4: Verify that the MED-V database exists on SQL Server


1. On NYC-DC1, click Start, click All Programs, point to Microsoft SQL Server 2008, and then click Import and Export Data (32-bit). The SQL Server Import and Export Wizard opens.
2. Click Next, and then verify in the Server name box that you are connected to NYC-DC1\SQLEXPRESS SQL Server.
3. Expand the Database box, and then verify that the MED-V database, medv, is available in the list.
4. Click Cancel in the SQL Server Import and Export Wizard.


Exercise 3: Deploying the MED-V Client


Task 1: Install the MED-V client on NYC-CL1
1. On NYC-CL1, open Windows Explorer, browse to E:\Labfiles\Mod03, and double-click MED-V_1.0.105.msi.
2. On the Welcome page, click Next.
3. On the License Agreement page, select I accept the terms in the license agreement, and then click Next.
4. On the Destination Folder page, accept the default location, and then click Next.
5. On the MED-V Settings page, select Install the MED-V management application. In Server address, enter nyc-dc1, accept the default server port of 80, and the virtual machines images folder of C:\MED-V Images\, and then click Next.
6. On the Ready to Install the Program page, click Install.
7. After the installation finishes, clear the Launch Microsoft Enterprise Desktop Virtualization check box, and then click Finish. Close the Mod03 window.

Task 2: Verify connectivity to the MED-V Management Server, and create a MED-V deployment package
1. On the desktop of the NYC-CL1 computer, double-click MED-V Management.
2. Enter Contoso\medv-admin as User name, enter Pa$$w0rd as Password, and then click OK.
3. In the MED-V Management Console, on the Tools menu, select Packaging Wizard.
4. On the Deployment Package page, click Next.
5. On the Workspace Image page, click Next.
6. On the MED-V Installation Settings page, for MED-V installation file, point to E:\Labfiles\Mod03\MED-V_1.0.105.msi. Verify that nyc-dc1 is entered as the Server address, and then click Next.
7. On the Additional Installations page, select the Include installation of Virtual PC QFE check box, and then clear the Include installation of Microsoft .NET Framework 2.0 check box. For virtualization software, point to E:\Labfiles\Mod03\VPC 2007 SP1 x86.exe, and for installation of Virtual PC QFE, point to E:\Labfiles\Mod03\KB974918 x86.msp and then click Next.
8. On the Finalize page, in the Package destination, enter E:\Labfiles\MED-V Client, and then click Finish.
9. After the deployment package has been created, click No in the MED-V Management window.
10. Close the MED-V Management Console, and then explore the contents of the E:\Labfiles\MED-V client folder in Windows Explorer.

Task 3: Install a MED-V client by using a deployment package


1. On NYC-CL2, click the Start menu, in the Search field, enter \\nyc-cl1\med-v client, and then press ENTER. Windows Explorer then opens.
2. In Windows Explorer, double-click MedvAutorun.exe.
3. In the MED-V window, click Yes to install the MED-V package.
4. In Images Folder Selection, accept the default value of C:\MED-V Images, and then click OK.
5. After the installation finishes, in the MED-V Installer window, click Close.
6. Close the med-v client window.
7. Verify that MED-V shortcut is added to the desktop on NYC-CL2.

To prepare for the next lab


Do not shut down the virtual machines. You will use these virtual machines for the next lab.


Module 4: Configuring and Deploying MED-V Images


Lab: Configuring and Deploying MED-V Images


Exercise 1: Creating MED-V Images
Task 1: Start the virtual machine on NYC-CL1 and review its initial configuration
1. On the Start menu of the NYC-CL1 computer, click All Programs, and then click Microsoft Virtual PC. The Virtual PC Console opens.
2. In the Virtual PC Console, select the XP virtual machine, and then click Start. Wait until the virtual machine starts and then log on as User1 with the password of Pa$$w0rd.
3. In the XP virtual machine, create a new text file with your name in the C:\Documents and Settings\User1\Local Settings\Temp folder. Close the Temp folder.
4. In the XP virtual machine, open the Services console from the Administrative Tools menu, and verify service startup type for Security Center, Task Scheduler and System Restore Service. Startup type of all services will be Automatic. Close the Services console.
5. In the XP virtual machine, in Control Panel, open Sounds and Audio Devices, and on the Sounds tab verify that Windows Logon and Windows Logoff have Windows XP Logon Sound and Windows XP Logoff Sound sounds assigned. Close the Sound dialog box and close the Control Panel.

Task 2: Install and run the VM Prerequisites Wizard


1. On the NYC-CL1 computer, open Windows Explorer, and then drag and drop MED-V_Workspace_1.0.105.msi file from E:\LabFiles\Mod04 to the desktop of the XP virtual machine.
2. In the XP virtual machine, double-click MED-V_Workspace_1.0.105.msi on the desktop.
3. On the Welcome page, click Next.
4. On the License Agreement page, select I accept the terms in the license agreement, and then click Next.
5. On the Ready to Install the Program page, click Install.
6. When prompted for Files Needed, browse to C:\WinXP and then click Open. Click OK. Also when prompted to Insert Disk, click OK and then browse to C:\WinXP.
7. Wait until the Microsoft Enterprise Desktop Virtualization 1.0 SP (Workspace) is installed. Verify that the Launch VM Prerequisites Tool is selected and click Finish.
8. The MED-V VM Prerequisite Wizard opens. Click Next.
9. On the Windows Settings page, review the changes that will be performed, and then click Next.
10. On the Internet Explorer Settings page, review the changes that will be performed, and then click Next.
11. On the Windows Services page, review the services whose startup mode will be set to manual, and then click Next.
12. On the Windows Auto Logon page, select Enable Windows Auto Logon, enter User1 as User name, Pa$$w0rd as Password, and then click Apply.
13. In the MED-V dialog box, click Yes. On the second MED-V dialog box, click OK. For this lab, a Volume License Key is not required.
14. On the Summary window, click Finish.

Task 3: Verify the changes performed by VM Prerequisites Wizard


1. In the XP virtual machine, open Windows Explorer, and then verify content of the C:\Documents and Settings\User1\Local Settings\Temp folder. The content of this folder, including the file with your name, was deleted by the VM Prerequisites tool.
2. In Control Panel, open Sounds and Audio Devices, and on the Sounds tab verify that Windows Logon and Windows Logoff have no sounds assigned.
3. Open the Services console and verify that the Security Center, Task Scheduler, and System Restore Service services startup type is set to Manual. Those are just some of the Windows XP services that were set to Manual by the VM Prerequisites Tool.
4. Open the Registry Editor (Regedit.exe), navigate to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, and then verify values of the DefaultUserName and DefaultPassword keys. They are the same as the values that you entered at the Windows Auto Logon page in VM Prerequisites Tool.
5. Shut down the XP virtual machine and then close the Virtual PC Console. All of your changes are saved into the XP virtual machine.


Exercise 2: Testing MED-V Images


Task 1: Add a local test image
1. On the desktop of NYC-CL1 computer, double-click the MED-V Management shortcut.
2. In the MED-V Management Login window, enter contoso\medv-admin as User name, Pa$$w0rd as password, and then click OK. Wait until MED-V Management opens.
3. In the MED-V Management console, click the Images icon.
4. On the Images menu, click New, and then click Test Image.
5. On the Test Image Creation dialog box, click Browse, point to the E:\Labfiles\VPC folder, select XP.vmc, and then click Open. Enter XP in the Image name box, and then click OK.

Task 2: Import and assign a basic MED-V testing policy


1. On the NYC-CL1 computer, in MED-V Management, click the Policy icon.
2. On the Policy menu, click Import. Select E:\LabFiles\Mod04\TestPolicy.xml, and then click Open.
3. On the Virtual Machine tab, click Refresh, and then select XP (test) as the Assigned Image.
4. Click the Save changes icon.
5. Click Yes in the MED-V Management window.
6. Minimize MED-V Management.

Task 3: Test a local MED-V image


1. On the desktop of NYC-CL1, double-click the MED-V shortcut.
2. In the Start Workspace window, enter contoso\medv-user as User name, Pa$$w0rd as password, and then click OK. The Medv-user has already been created as a member of the MED-V Users group.
3. Click Use Test Image in the Confirm Running Test window.
4. Wait while the Starting Workspace window shows progress. You can click the Details >> button to review details of the progress.
5. In the Windows Security Alert window, click Allow Access for all of the networks to allow Virtual PC 2007 SP1 to communicate.
6. When Starting Workspace disappears, on the Start menu of the NYC-CL1 computer, click All Programs, click MED-V Programs, and then verify that published programs from the MED-V virtual image are listed.
7. Click XP Notepad. Verify that there is a red line around Untitled Notepad window.
8. In the Untitled Notepad window, select Help, and then click About Notepad. The About Notepad window opens, with a red line around it. It shows that Notepad is running on Windows XP and that the virtual machine has 256 megabytes (MB) of memory available. Click OK and close Notepad.
9. On the Start menu of the NYC-CL1 computer, click All Programs, click MED-V Programs, and then click XP Remote Desktop.
10. On the Remote Desktop Connection menu, click Help. In Remote Desktop Connection Help, select some text, right-click on it, and select Copy.
11. On the NYC-CL1 computer, open Notepad, right-click on the Notepad window, and then select Paste. Verify that the copied text from the published application (Remote Desktop Connection help) is pasted. This shows that you can copy and paste between published MED-V applications and locally installed applications.
12. Close Notepad and don't save changes. Close Remote Desktop Connection and Remote Desktop Connection Help closes automatically.
13. On the Start menu of the NYC-CL1 computer, in the Search field, enter xp. Verify that published programs from the MED-V virtual image are listed. Click XP Command Prompt.
14. In the command prompt window, enter time, and press ENTER twice. Verify that time is synchronized between NYC-CL1 and the MED-V virtual machine.
15. Use dir c:\ command to compare the content of the C:\ drive in MED-V virtual machine and c:\ drive in NYC-CL1 computer.
16. Close the command prompt window.
17. On the notification area of the NYC-CL1 computer, click Show hidden icons, right-click on MED-V icon, and then select Stop Workspace.
18. Click Yes in the MED-V dialog box and wait until the Workspace is stopped.


Exercise 3: Updating, Packing, and Uploading the Image


Task 1: Update the image
1. On the Start menu of the NYC-CL1 computer, click All Programs, and then click Microsoft Virtual PC. The Virtual PC Console opens.
2. In the Virtual PC Console, select the XP virtual machine, and then click Start. Wait until virtual machine starts and the user is automatically logged on.

Note: The XP_0 virtual machine is the saved image from the previous exercise. You should select the XP virtual machine for this exercise.

3. Open Windows Explorer in the XP virtual machine, and point it to C:\ drive.
4. Open Windows Explorer on NYC-CL1 and drag and drop the XmlNotepad.msi and WindowsXP-KB956802-x86-ENU.exe files from E:\LabFiles\Mod04 to the C:\ drive of the XP virtual machine.
5. In the XP virtual machine, in Windows Explorer, double-click c:\XmlNotepad.msi.
6. On the XML Notepad 2007 Setup page, click Next. Accept the terms in the license agreement, click Next twice, click Install and after program is installed, click Finish.
7. In the XP virtual machine, close Internet Explorer with Welcome to XML Notepad 2007 page and on the Start menu, click on All Programs and then verify that folder for XML Notepad 2007 is added.
8. In the XP virtual machine, in Windows Explorer, double-click c:\WindowsXP-KB956802-x86-ENU.exe. Click Next.
9. On the License Agreement page, select I Agree, and then click Next.
10. On the Completing the Security Update page, select Do not restart now, and then click Finish.
11. On the Start menu, click Control Panel, and then double-click Add or Remove Programs.
12. Select Show updates and verify that Security Update for Windows XP (KB956802) is listed under Windows XP Software Updates.
13. On the Start menu of the XP virtual machine, click Shut Down, click OK, and then wait until the XP virtual machine shuts down. Close Virtual PC Console.


Task 2: Pack the MED-V image


1. On the NYC-CL1 computer, maximize MED-V Management.
2. In the MED-V Management console, click the Images icon.
3. On the Images menu, click New, and then click Packed Image.
4. On the Packed Image Creation dialog box, click the Browse button, point to the E:\Labfiles\VPC folder, select XP.vmc, and then click Open. Enter XP-Updated in the Image name box, and then click OK.
5. The Packing the image files dialog box opens and shows the progress of the packing.
6. On the Images menu, click Browse Local Images. Windows Explorer opens.
7. In Windows Explorer, double-click the PackedImages folder. Verify that it contains .ckm (Compressed Machine) and .index files. You can press F5 to update the view and observe how the size of the packaged image is increasing.
8. Wait until the image is packaged. In the Complete XP-Updated packed successfully window, click OK.
9. In the Local Packed Images section, verify that compressed file size of the image is considerably smaller than uncompressed size.
10. Switch to NYC-DC1, open Windows Explorer and verify that .ckm and .index files for the XP-updated virtual machine are not available in the C:\MED-V Server Images folder.

Task 3: Upload the image to image repository


1. On NYC-CL1, in the MED-V Management console, in the Local Packed Images section, select XP-Updated and click Upload.
2. A progress window opens and shows how the XP-Updated upload is progressing.
3. Wait until image is uploaded to the MED-V server. In the Complete XP-Updated uploaded successfully to the server window, click OK.
4. In the Packaged Images on the Server section in MED-V Management console, verify that XP-Updated is listed.
5. Switch to the NYC-DC1 server and verify that .ckm and .index files are available in C:\MED-V Server Images folder. They were uploaded by using Background Intelligent Transfer Service (BITS) in this task.


Exercise 4 (Optional): Preparing the MED-V Image for Domain Environment


Task 1: Create the Sysprep answer file
1. On the Start menu of the NYC-CL1 computer, click All Programs, and then click Microsoft Virtual PC. The Virtual PC Console opens.
2. In Microsoft Virtual PC select the XP virtual machine and click Start. Wait until the virtual machine starts and the user is automatically logged on.
3. Open Windows Explorer in the XP virtual machine and browse to C:\ drive.
4. Open Windows Explorer on NYC-CL1 and drag and drop the Sysprep folder from E:\LabFiles\Mod04 to the C:\ drive of the XP virtual machine. The Sysprep folder contains deployment tools and documentation from the Deploy.cab cabinet file from Windows XP CD. The whole folder is automatically deleted after Sysprep.exe tool is used.
5. In the Sysprep folder, double click setupmgr.exe. Setup Manager opens.
6. On the Welcome to Setup Manager page, click Next.
7. On the New or Existing Answer File page, verify that the Create new option is selected and click Next.
8. On the Type of Setup page, select Sysprep setup option and click Next.
9. On the Product page, verify that Windows XP Professional is selected and click Next.
10. On the License Agreement page, select Yes, fully automate the installation and click Next.
11. On the Name and Organization page, enter MED-V user as Name, Contoso as Organization and click Next.
12. On the Display Settings, accept default values and click Next.
13. On the Time Zone page, select your Time zone and click Next.
14. On the Product Key page, enter following product key: 11111-11111-1111111111-11111 and click Next. Don't forget that virtual image must be based on the volume licensing product and in real environment you would enter valid volume licensing key. After you use the Sysprep tool, the entire folder, including answer file, will be automatically deleted.
15. On the Computer Name page, select Automatically generate computer name and click Next. You will use MED-V Policy for deploying the image and the computer name will be set there.
16. On the Administrator Password page, enter and confirm Pa$$word as Password. Enable the option When a destination computer starts, automatically log on as Administrator and set it to value 10. This option will be defined by MED-V Policy when you deploy virtual image.
17. Accept default values for other questions. In Setup Manager, select File menu and click Save.
18. Accept default path and file name of C:\Sysprep\sysprep.inf and click OK.
19. In Setup Manager, select File menu and click Exit.
20. In Windows Explorer, verify that sysprep.inf file was created in the C:\Sysprep folder and that it contains all the answers you provided through Setup Manager.
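The review in step 20 can be scripted. The following PowerShell is an added example, not part of the courseware: it parses a Setup Manager answer file and reports the answers from this task that remain readable in it (Administrator password, automatic logon, product key). The function names and the sample file content are constructed for illustration; the key names are the standard [GuiUnattended] and [UserData] entries of a Windows XP sysprep.inf.

```powershell
# Constructed sample of an answer file for the choices made in this task.
# The password and product key are placeholders, not values from the lab.
$sampleInf = @'
;SetupMgrTag
[Unattended]
    OemSkipEula=Yes

[GuiUnattended]
    AdminPassword="<admin-password>"
    EncryptedAdminPassword=NO
    AutoLogon=Yes
    AutoLogonCount=10
    OemSkipWelcome=1

[UserData]
    ProductKey=XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
    FullName="MED-V user"
    OrgName="Contoso"
    ComputerName=*
'@

# Parse INF text into a hashtable of sections; each section is a hashtable
# of key = value pairs with surrounding quotes removed.
function ConvertFrom-AnswerFile {
    param([string]$Text)
    $sections = @{}
    $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank or comment
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            $sections[$current] = @{}
            continue
        }
        if ($current -and $line -match '^([^=]+)=(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim().Trim('"')
        }
    }
    return $sections
}

# Return one finding per sensitive answer present in the parsed file.
function Test-AnswerFile {
    param([hashtable]$Inf)
    $findings = @()
    $gui = $Inf['GuiUnattended']
    if ($gui) {
        $password = $gui['AdminPassword']
        if ($password -eq '*') {
            $findings += 'AdminPassword=* sets a blank Administrator password'
        }
        elseif ($password -and $gui['EncryptedAdminPassword'] -ne 'Yes') {
            # Setup Manager can store the password encrypted instead
            # (EncryptedAdminPassword=Yes); here it is readable text.
            $findings += 'AdminPassword is readable text (EncryptedAdminPassword is not Yes)'
        }
        if ($gui['AutoLogon'] -eq 'Yes') {
            $findings += "AutoLogon as Administrator is enabled, AutoLogonCount=$($gui['AutoLogonCount'])"
        }
    }
    $user = $Inf['UserData']
    if ($user -and $user['ProductKey']) {
        $findings += 'ProductKey is stored in the file'
    }
    return $findings
}

# Use the file from step 18 when it exists, otherwise the constructed sample.
$path = 'C:\Sysprep\sysprep.inf'
if (Test-Path $path) { $text = [IO.File]::ReadAllText($path) } else { $text = $sampleInf }

$findings = Test-AnswerFile (ConvertFrom-AnswerFile $text)
$findings | ForEach-Object { "FINDING: $_" }
```

Run it inside the XP virtual machine before Task 2, because the Sysprep folder and the answer file are deleted once Sysprep has been used.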

Task 2: Run Sysprep.exe to generalize the image


1. In the XP virtual computer, in C:\Sysprep folder, double-click sysprep.exe.
2. On the System Preparation Tool 2.0 dialog box, click OK.
3. On the System Preparation Tool 2.0 page, select options Don't reset grace period for the activation and Use Mini-Setup, then click Reseal.
4. On the System Preparation Tool 2.0 dialog box, click OK to regenerate security identifiers (SIDs).
5. Wait until the XP virtual machine shuts down. Close the Virtual PC Console.

To prepare for the next lab


Do not shut down the virtual machines. You will use these virtual machines for the next lab.


Module 5: Managing a MED-V Deployment

Lab: Managing a MED-V Deployment


Exercise 1: Creating and Configuring a Workspace Policy
Task 1: Create a MED-V Workspace policy, and configure it to use an existing image
1. On the desktop of NYC-CL1, double-click MED-V Management.
2. In the MED-V Management Login window, enter contoso\medv-admin as the user name and Pa$$w0rd as password, and then click OK. Wait until MED-V Management opens.
3. In the MED-V Management Console, on the Policy menu, click New Workspace.
4. Select workspace in the display pane, click the General tab, and then type Legacy Workspace as the workspace name.
5. Enter Workspace for running legacy applications in the description and support@contoso.com in the Support contact info text box.
6. In the Workspace user interface (UI) section, verify that Seamless Integration is selected, and then select the pink (255,0,255) frame color.
7. Click the Virtual Machine tab, and in the Virtual Machine Settings section, select XP-Updated (server) as the assigned image. If image is not available, click Refresh first.
8. Select Synchronize Workspace time zone with host. By selecting this option, the time zone between the virtualized environment and the host will be synchronized.

Task 2: Configure additional MED-V Workspace policy options


1. On NYC-CL1, in the MED-V Management window, click the Deployment tab.
2. Under Users/Groups, select Everyone, and then click Remove. Click Add, enter med-v users, click Check Names, and then click OK. The MED-V Users group already has been created for this lab. Only members of this group will have access to the workspace.
3. Click Workspace deletion options, select The Workspace has been disabled, and then click OK.
4. Select the following three options: Support clipboard between host and Workspace, Support file transfer between host and the Workspace, and Enable printing to printers connected to the host.
5. In the Data Transfer section, select Host to Workspace in the drop-down list.
6. Click the Applications tab, and in the Published Applications section, click Add four times.
7. Modify the list of the published applications to include:

   Display name      Command line
   XP Comp Mgmt      c:\windows\system32\compmgmt.msc
   XP Cmd prompt     c:\windows\system32\cmd.exe
   XP Notepad        c:\windows\system32\notepad.exe
   XP XML Notepad    c:\program files\XML notepad 2007\XMLnotepad.exe

8. In the Published Menus section, click Add, enter Published as the Display Name, and Games as Folder in Workspace.
9. In the Start menu shortcut folder field, type MED-V Published Apps.
10. Click the Web tab, and then select Browse the list of URLs defined in the following table and Browse all other URLs.
11. Click Add, leave Domain as the Type, and then enter contoso.com as the Value.
12. Review the settings on the VM Setup tab, but do not select any options. Most of these options are available when you use a persistent workspace and you configure revertible workspaces.
13. Review the settings on the Network tab, but do not select any options.
14. Click the Performance tab, and assign 160 if host has Above 550 MB and assign 200 if host has Above 1100 MB. Click Add, and then assign 256 MB VM Memory, if host has Above 1400 MB.
15. Verify the Policy Version in the title bar of MED-V Management Console.
16. In the Policy menu, select Commit or click Save Changes in the Toolbar.
17. Confirm that the Policy Version has increased, and then minimize the MED-V Management Console.


Exercise 2: Using the MED-V Client


Task 1: Deploy a MED-V Workspace
1. On the desktop of NYC-CL1, double-click MED-V.
2. In the Start Workspace window, enter contoso\medv-user as User name and Pa$$w0rd as password, and then click OK. The Workspace Selection window opens.
3. Select Legacy Workspace, and then click OK. Wait while the workspace downloads and the setup completes.
4. At the Windows Firewall prompt, select all of the networks, and then click Allow access.

Task 2: Explore the published programs, and manually update the MED-V policy
1. On NYC-CL1, click Start, click All Programs, click MED-V Published Apps, and then verify that the four published applications and the Published subfolder are listed.
2. Click the Published subfolder, and verify that it includes XP games from the workspace.
3. Click Start, point to the Search field, and then enter xp. Verify that the published applications are listed.
4. Click XP XML Notepad, and verify that the application has a pink frame around the window. Drag the window around, like the window of the locally installed application. Confirm that the window content is shown while you drag the window. Click Exit to close the application.
5. Restore the MED-V Management Console. Verify that Legacy Workspace is selected, that you are in Policy module, and the Applications tab is selected. In the Published Menus section, uncheck Published, and verify the policy version in the title bar of the tool.
6. Click Save changes, and confirm that policy version has increased. Minimize MED-V Management.
7. On NYC-CL1, in the notification area, right-click the MED-V icon, point to Help, and then click MED-V Diagnostics. The Diagnostics window opens.
8. In the Policy section, determine the last time that the policy was updated, and then confirm that the previous version of the policy was used.
9. Click Update policy. A notification window displays that indicates that the policy updated successfully. Verify that the policy version and update time are updated, and then click Close.
10. On NYC-CL1, click Start, click All Programs, click MED-V Published Apps, and then verify that four published applications are still listed, but the Published subfolder no longer is present.

Task 3: Lock the MED-V Workspace


1. On NYC-CL1, run XP Notepad.
2. In the notification area, right-click the MED-V icon, and then click Lock Workspace. The published XP Notepad window no longer is visible, and the Unlock Workspace window opens.
3. Try to start the XP Cmd prompt published application. You will get a notification that the application cannot be launched while the workspace is locked, and then the Unlock Workspace window opens.
4. In the Unlock Workspace window, type Pa$$w0rd as Password, and then click Unlock.
5. The published XP Notepad window becomes visible, and you can start the XP Cmd prompt published application.
6. Close XP Notepad and XP Cmd prompt.

Task 4: Test printing from the published applications


1. On NYC-CL1, click Start, and then click Devices and Printers.
2. Click Add a printer, click Add a local printer, and then click Next.
3. On the Install the printer driver page, select one of the listed printers, click Next three times to accept the default values, and then click Finish.
4. Confirm that the local printer was added, and then close Devices and Printers.
5. On NYC-CL1, open XP Notepad, enter some text, and then from the File menu, select Print.
6. In the Print window, verify that Local Printer is selected, and then click Print.
7. The Print window opens, and in the Name drop-down box, you can select host printers. Verify that default host printer is selected, and then click OK.
8. Verify that the printer icon is added to the notification area and that the print job is listed. This confirms that published applications can print on the printers that are connected to the host.
9. Maximize the MED-V Management Console on the NYC-CL1 computer. Verify that the Legacy Workspace is selected, that you are in the Policy module, and that the Deployment tab is selected. In the Data Transfer section, uncheck Enable printing to printers connected to the host.
10. Click Save changes, and confirm that the policy version has increased. Minimize MED-V Management.
11. In the notification area, right-click the MED-V icon, point to Help, and then select MED-V Diagnostics.
12. In the Policy section, click Update policy, and then click Close.
13. Switch to Untitled Notepad window, and from the File menu, select Print.
14. In the Print window, click Print.
15. The Printing is disallowed window displays, and it informs you that you are not permitted to print in this workspace. Click OK, and then close Notepad without saving changes.

Task 5: Review the MED-V virtual machine configuration


1. On NYC-CL1, click Start, click All Programs, click XP Published Apps, click XP Comp Mgmt, and verify that Computer Management opens, with a pink frame around the window.
2. Select the Device Manager node, and verify that Virtual HD, VM Additions S3 Trio32/64 video adapter and generic Intel 21140 network adapter are available.
3. Minimize Computer Management, and run XP Notepad.
4. In the Untitled Notepad window, click the Help menu, and then click About Notepad.
5. In the About Notepad window, confirm that virtual environment has 256 Mb (261,616 kilobytes [KB]) available. This complies with the MED-V policy that you configured and which specifies 256 megabytes (MB) memory for the MED-V virtual machine if the host has more than 1,400 MB memory. Click OK.
6. In the notification area of NYC-CL1, right-click the MED-V icon, point to Tools, and then select File Transfer.
7. In the File Transfer window, click Browse next to File to copy. Select C:\Windows\Win.ini, and then click Open.
8. In the File Transfer window, click Browse next to Destination. Select Local Disk (C:) in the workspace, and then click OK.
9. In the File Transfer window, click Start. The file Win.ini is transferred from the host to the workspace.
10. In the File Transfer window, select Copy from Legacy Workspace Workspace to My Computer, select the file C:\Windows\Clock.avi in the workspace, and then select E:\ as the destination.
11. In the File Transfer window, click Start. In Authentication Required window, enter contoso\medv-user as the User name and Pa$$w0rd as password, and then click OK.
12. The MED-V dialog box opens, and informs you that medv-user is not allowed to transfer files from the workspace. You defined that setting in the MED-V policy. Click OK, and then click Cancel in the Authentication Required window.
13. On NYC-CL1, click Start, click All Programs, click MED-V Published Apps, and then click XP Cmd prompt. Run dir c:\ to confirm that Win.ini is present on the root of drive C in the workspace.


Exercise 3: Implementing MED-V Reporting and Troubleshooting


Task 1: Create and explore MED-V reports
1. On NYC-CL1, maximize MED-V Management, and then click Reports.
2. In the Reports menu, click Generate Report. The Report Parameters window opens.
3. In the Report Parameters window, click OK.
4. In the details view, review data on the Status tab.
5. In the Report Types, select Activity Log, and then click Generate.
6. In the Report Parameters window, click OK.
7. In the details view, review data on the Activity Log tab.
8. Click the Event ID header to sort the rows in the report. Use the filtering icon to show specific Event IDs, and then click All to show all of the events.
9. Drag the Event ID header to the top of the report to group rows by Event ID. Expand Event ID: 4 to see all events for the workspace under one entry. Expand several other event groups, and then drag Event ID after the Category header. You can reorder the report's columns by dragging column headers to different positions.
10. Click the Status tab. On the Reports menu, select Export to Excel, select Desktop as destination, and then click Save. You can export MED-V reports to an Excel .xls format.
11. Minimize the MED-V Management Console.

Task 2: Open MED-V Diagnostics, and explore diagnostic options


1. On NYC-CL1, in the notification area, right-click the MED-V icon, point to Help, and then select Contact Support.
2. The Support Contact Information window opens and displays the information that you provided in the MED-V policy, in the Support contact info field. Click OK.
3. On NYC-CL1, in the notification area, right-click the MED-V icon, point to Help, and then select MED-V Diagnostics. The Diagnostics window opens.
4. Review information about the host in the System section, and then click Gather diagnostic logs. The MED-V Log Tool opens.
5. Click Gather Logs. Wait until the tool finishes, click OK, and then click Close.
6. Double-click the MED-V-Diagnostics compressed file on the desktop, and review the gathered log files.
7. Close Windows Explorer.
8. On NYC-CL1, start the XP XML Notepad program. Verify that you can move it around.
9. In the Diagnostics window, in the Workspace section, click Enable diagnostic mode.
10. The Legacy Workspace Workspace Microsoft Virtual PC 2007 window opens. This window displays Virtual PC desktop, and you can use it for workspace diagnostics when virtual machine starts up.
11. In the Diagnostics window, click Disable diagnostics mode, click Close, and then click Exit to close XML Notepad program.

To prepare for the next lab


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machines used in this lab, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Module 6: Implementing Microsoft Application Virtualization

Lab: Implementing Application Virtualization


Exercise 1: Planning the App-V Implementation
Task 1: Answer questions related to the App-V implementation
Question: How would you recommend deploying virtual applications?
Answer: Possible solution: Preliminary steps will include:
1. Create Application Virtualization (App-V) user and administrative groups in Active Directory Domain Services (AD DS).
2. Create the appropriate firewall exceptions.
3. Install and configure Microsoft Internet Information Services (IIS) if required.

Question: How would you deploy the App-V client?
Answer: You can use a Group Policy object (GPO) for the users who are connecting through a local area network (LAN). For the field engineers, you can use manual deployment via DVD or USB flash drive. You also can use other options, such as a third-party software distribution system.

Question: How would you implement App-V in the head office?
Answer: You can deploy an App-V management server with the management Web services. Deploy or use an existing Microsoft SQL Server to host the data store. Configure licensing and usage metering policies.

Question: How would you distribute virtual applications to the branch office?
Answer: Deploy the App-V streaming server to the local file server, and then configure the App-V client to stream from the local server. Branch office clients will receive publishing information from the head office's management server, but will stream applications from the local server.

Question: How would you distribute virtual applications to the field engineers?
Answer: Create an MSI file during the sequencing process. Deploy the App-V client in standalone mode, and then distribute the Windows Installer (MSI) file by using DVD or USB flash drives that the field engineers can install on their laptops. Other options could involve HTTP streaming via the Internet.


Exercise 2: Installing an App-V Management Server


Task 1: Install IIS 7.0
1. On NYC-SVR3, click the Server Manager icon in the task bar.
2. Click Roles, and then in the details pane, click Add Roles.
3. In the Add Roles Wizard, click Next.
4. On the Select Server Roles page, select the Web Server (IIS) check box.
5. Click Next.
6. On the Web Server (IIS) page, click Next.
7. On the Select Role Services page, select the ASP.NET check box. Click Add Required Role Services.
8. Select the Windows Authentication check box.
9. Select the IIS Management Scripts and Tools check box.
10. Select the IIS 6 Management Compatibility check box, and then click Next.
11. Click Install, and then click Close. Close the Server Manager.

Task 2: Create groups for App-V users and administrators


1. On NYC-DC1 log on as Administrator with a password of Pa$$w0rd. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Expand Contoso.com.
3. Right-click the Users container, point to New and then click Group.
4. In the New Object - Group dialog box, enter ContosoAppVAdmins as the group name, and then click OK.
5. Repeat steps 3 and 4 to create a second group named ContosoAppVUsers.
6. Close Active Directory Users and Computers.


Task 3: Install the App-V management server


1. On NYC-SVR3, click Start, and then click Run.
2. In the Open box, type \\NYC-DC1\E$\Labfiles\Mod06\Server\Management and then press ENTER. Double-click Setup.exe.
3. On the System Center Application Virtualization Management Server welcome page, click Next.
4. Select the check box to accept the license agreement, and then click Next.
5. On the Microsoft Update page, click I don't want to use Microsoft Update, and then click Next.
6. On the Registering Information page, type Contoso in the Organization field, and then click Next.
7. On the Setup Type page, click Custom, and then click Next.
8. Observe the available options, and then click Next.
9. On the Configuration Database page, ensure that NYC-SVR3\SQLEXPRESS is displayed in the Server name field, and then click Next.
10. On the Configuration Database page, click Create a new database. Keep the default name of APPVIRT, and then click Next.
11. On the Connection Security Mode page, remove the check mark next to Use enhanced security, and then click Next.
12. On the TCP Port Configuration page, note the default port of 554, and then click Next.
13. On the Administrator Group page, type ContosoAppVAdmins in the Group Name field, and then click Next.
14. On the Default Provider Group page, type ContosoAppVUsers, and then click Next.
15. On the Content Path page, note the default location of the content folder, and then click Next.
16. Click Install. The installation will take a few moments.
17. Click Finish, and then click Yes to restart the system.
18. Log on to NYC-SVR3 as Contoso\Administrator with the password of Pa$$w0rd.


Task 4: Configure Windows Firewall exceptions


1. Launch Control Panel, click System and Security, and open the Windows Firewall applet.
2. Click Allow a program or feature through Windows Firewall.
3. On the Allowed Programs dialog box, click Allow another program.
4. In the Add a Program dialog box, click Browse.
5. Navigate to C:\Program Files (x86)\Microsoft System Center App Virt Management Server\App Virt Management Server\bin, select sghwdsptr.exe, click Open, and then click Add.
6. Repeat steps 3 to 5 to add sghwsvr.exe.
7. In the Allowed Programs dialog box, click OK and then close Windows Firewall.

Task 5: Configure the App-V Management Server Service


1. On NYC-SVR3, click Start, type Services.msc, and then press ENTER.
2. Locate the Application Virtualization Management Server service. Start the service manually if it is not running.
3. Right-click the Application Virtualization Management Server service, and then click Properties.
4. Click the drop-down menu for the Startup type, and then select Automatic (Delayed Start). Click OK.

Note: You are performing this step because the SQL Server is running on the same computer. The App-V Management service is dependent on the start of the SQL service and occasionally times out if the SQL service is slow to start.

5. In Hyper-V Manager, revert the 10324A-NYC-SVR3 virtual machine. Leave 10324A-NYC-DC1 running for the next exercise.


Exercise 3: Installing an App-V Streaming Server


Task 1: Install a streaming server
1. Start 10324A-NYC-SVR3 and wait for the server to start completely.
2. Log on to NYC-SVR3 as Contoso\Administrator with a password of Pa$$w0rd.
3. Click Start, and then in the search box type \\NYC-DC1\E$\Labfiles\Mod06\Server\Streaming, and then press ENTER. Double-click Setup.exe.
4. On the Microsoft Application Virtualization Streaming Server welcome page, click Next.
5. Select the check box to accept the license agreement, and then click Next.
6. On the Microsoft Update page, click I don't want to use Microsoft Update, and then click Next.
7. On the Customer Information page, type Contoso in the Organization field, and then click Next.
8. On the Installation Path page, click Next.
9. On the Connection Security Mode page, remove the check mark next to Use enhanced security and then click Next.
10. On the TCP Port Configuration page, note the default port of 554, and then click Next.
11. On the Content Root page, note the default location of the content folder, and then click Next.
12. On the Advanced Settings page, notice the available options, and then click Next.
13. On the Ready to Install the Program page, click Install.
14. Click Finish, and then click Yes to restart the system.


Task 2: Share the Content folder


1. Log on to NYC-SVR3 as Administrator with a password of Pa$$w0rd.
2. Open Windows Explorer, navigate to C:\Program Files (x86)\Microsoft System Center App Virt Streaming Server, right-click the content folder, point to Share with, and then click Advanced sharing.
3. In the content Properties box, click the Advanced Sharing button.
4. In the Advanced Sharing dialog box, select the Share this folder check box.
5. Click Permissions, and ensure that Read permission to this folder is given to Everyone. Click Add, add the Domain Admins group, grant Full Control, and then click OK.
6. Click OK again to close the Advanced Sharing box, and then click Close.

Task 3: Copy a package to the Content folder


1. In Windows Explorer navigate to \\NYC-DC1\E$\Labfiles\Mod06\.
2. Right-click the Word03 folder, and then click Copy.
3. Navigate to C:\Program Files (x86)\Microsoft System Center App Virt Streaming Server\content folder, and then click Paste.
4. Close Windows Explorer.

Task 4: Configure Windows Firewall exceptions


1. Launch Control Panel, click System and Security, and open the Windows Firewall applet.
2. Click Allow a program or feature through Windows Firewall.
3. On the Allowed Programs dialog box, click Allow another program.
4. In the Add a Program dialog box, click Browse.
5. Navigate to C:\Program Files (x86)\Microsoft System Center App Virt Streaming Server\bin, select sglwdsptr.exe, click Open, and then click Add.
6. Repeat steps 3 to 5 to add sglwsvr.exe.
7. In the Allowed Programs dialog box, click OK and then close Windows Firewall.

Task 5: Restart the Application Virtualization Streaming Server service


1. Click Start and type Services.msc in the Search box and press ENTER.
2. Locate the Application Virtualization Streaming Server service and click Restart.
3. Close the Services console.


Exercise 4: Configuring a Client to Use the Streaming Server


Task 1: Edit the client registry key
1. Start the 10324A-NYC-CL1 virtual machine.
2. Log on as Contoso\Administrator with a password of Pa$$w0rd.
3. Click Start, type Regedit.exe, and then press Enter.
4. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Configuration key.
5. In the details pane, double-click ApplicationSourceRoot.
6. In the Edit String dialog box, enter RTSP://NYC-SVR3:554 in the Value data: field. Click OK and then close the Registry Editor.
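The value entered in this task uses plain RTSP on port 554, which matches a streaming server installed with Use enhanced security cleared. The following PowerShell is an added example, not part of the courseware: it reads ApplicationSourceRoot from the key used above and reports whether the configured streaming source is TLS-protected. The function name and the sample values other than RTSP://NYC-SVR3:554 are constructed for illustration; RTSPS and HTTPS are the TLS-protected App-V streaming protocols.

```powershell
# Registry key and value name as used in this task.
$configKey = 'HKLM:\SOFTWARE\Microsoft\SoftGrid\4.5\Client\Configuration'
$valueName = 'ApplicationSourceRoot'

# Classify one ApplicationSourceRoot value (hypothetical helper name).
function Get-SourceRootAssessment {
    param([string]$SourceRoot)

    $result = New-Object PSObject -Property @{
        SourceRoot = $SourceRoot
        Scheme     = ''
        Server     = ''
        Port       = $null
        Encrypted  = $false
        Note       = ''
    }
    if ([string]::IsNullOrEmpty($SourceRoot)) {
        $result.Note = 'Not set: no source override is configured on this client'
        return $result
    }

    $uri = $null
    if (-not [System.Uri]::TryCreate($SourceRoot, [System.UriKind]::Absolute, [ref]$uri)) {
        $result.Note = 'Value is not an absolute URL or UNC path'
        return $result
    }

    $result.Scheme = $uri.Scheme
    $result.Server = $uri.Host
    if ($uri.Port -gt 0) { $result.Port = $uri.Port }

    switch ($uri.Scheme) {
        'rtsps' { $result.Encrypted = $true; $result.Note = 'RTSP over TLS' }
        'https' { $result.Encrypted = $true; $result.Note = 'HTTP over TLS' }
        'rtsp'  { $result.Note = 'Cleartext RTSP: package content is streamed without TLS' }
        'http'  { $result.Note = 'Cleartext HTTP: package content is streamed without TLS' }
        'file'  { $result.Note = 'File or UNC source: protection depends on share and NTFS permissions' }
        default { $result.Note = 'Unrecognised scheme' }
    }
    return $result
}

# The first value is the one entered in step 6. The others are constructed samples.
$values = @(
    'RTSP://NYC-SVR3:554',
    'RTSPS://NYC-SVR3:322',
    '\\NYC-SVR3\Content'
)

# Append the value configured on this machine when the client key exists.
if (Test-Path $configKey) {
    $values += (Get-ItemProperty -Path $configKey).$valueName
}

$values | ForEach-Object { Get-SourceRootAssessment $_ } |
    Format-Table SourceRoot, Scheme, Server, Port, Encrypted, Note -AutoSize
```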

Task 2: Use the Sftmime utility to load the package into the client cache
1. Click Start and then click All Programs. Notice there is no icon for Microsoft Office Word Viewer 2003.
2. In the Search box, type cmd, and then press ENTER.
3. In the Command Prompt, type the following command and press ENTER:

   sftmime add package:Word03 /manifest \\\NYC-SVR3\Content\Word03\Wordviewer03_manifest.xml

Note: The UNC path in the command requires three backslashes at the beginning of the path.

Task 3: Test the application


Click Start, click All Programs, and then click the icon for Microsoft Office Word Viewer 2003. The application will check for updates on the streaming server and successfully launch.


To prepare for the next module


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machines used in this lab, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Module 7: Planning and Deploying App-V Clients

Lab A: Deploying the App-V Client in Stand-Alone Mode


Exercise 1: Installing and Configuring the App-V Client
Task 1: Install the App-V Client in Stand-Alone mode
1. On NYC-CL2, open Windows Explorer, browse to \\NYC-DC1\E$\Labfiles\Mod07\Client\x86, and then double-click Setup.exe.
2. In the InstallShield dialog box, notice the listed software requirements have a status of Pending, and then click Install.
3. On the Welcome page, click Next.
4. On the License Agreement page, accept the license, and then click Next.
5. On the Microsoft Update page, click I don't want to use Microsoft Update, and then click Next.
6. On the Setup Type page, click Custom, and then click Next.
7. On the Destination Folder page, click Next.
8. On the Application Virtualization Data Location page, notice the default locations, and then click Next.
9. On the Cache Size Settings page, notice the available options, and then click Next.
10. On the Runtime Package Policy Configuration page, clear the Require User authorization even when cached check box.
11. In the Application Authorization section, select the Allow streaming from file check box.
12. In the Automatically Load Application section, under When to Auto Load, clear the On Launch and On Login check boxes, and then click Next.
13. On the Publishing Server page, click Next, click Install, and then click Finish. Close Windows Explorer.


Exercise 2: Installing a Stand-Alone Package


Task 1: Install a stand-alone package
1. On NYC-CL2, open Windows Explorer, and then browse to \\NYC-DC1\E$\Labfiles\Mod07.
2. Copy the Word03 folder to C:\.
3. In C:\Word03, double-click Wordviewer03.msi.
4. On the Welcome to the Wordviewer03 Setup Wizard page, click Next.
5. Click Close when the installation completes, and then close Windows Explorer.

Task 2: Examine the properties of the package file and the data locations
1. Click Start, click Control Panel, click System and Security, click Administrative Tools, and then double-click Application Virtualization Client.
2. Click Applications, and in the details pane, double-click Microsoft Office Word Viewer 2003.
3. Click the Package tab, and then observe the Current Statistics:
   Question: What is the Package Size?
   Answer: 39 megabytes (MB)
   Question: What is the Size in Cache?
   Answer: 39 MB
   Question: What is the Launch Data Size?
   Answer: 9 MB
4. Click Cancel. Close the Microsoft Application Virtualization Client and Control Panel.
5. Click Start, and then click Computer.
6. Click the Organize drop-down arrow on the toolbar, and then click Folder and search options.
7. Click the View tab, click Show hidden files, folders, and drives, and then click OK.
8. Navigate to the global data location at C:\ProgramData\Microsoft\Application Virtualization Client\SoftGrid Client, and then examine the contents:
   Question: What is the size of the sftfs.fsd file?
   Answer: The file will be approximately 44 MB.
9. Navigate to the user specific data location at C:\Users\Administrator.CONTOSO\AppData\Roaming\SoftGrid Client, and then notice the shortcut_ex.dat file and the userinfo.dat file. These files maintain per-user shortcut and identity information.
10. Close all open windows on NYC-CL2.

Task 3: Test the application


1. On NYC-CL2, click Start, click All Programs, and then click Microsoft Office Word Viewer 2003. A message will appear above the notification area indicating that Microsoft Word Viewer is launching.
2. Click the Microsoft Application Virtualization Desktop Client Notification icon in the system tray, and then click Exit. Click OK to close the application.

To prepare for the next lab


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Lab B: Managing Client Configuration Features


Exercise 1: Configuring the App-V Client Properties
Task 1: Access the App-V Client properties
1. On NYC-CL1, click Start, type Sftcmc.msc, and then press ENTER.
2. In the Application Virtualization Client console, right-click Application Virtualization (Local), and then click Properties.

Task 2: Configure logging levels and locations


1. On the General tab, click the drop-down arrow under Log Level, and then select Error.
2. Beside the Location field, click Browse, and then browse to C:\Windows\Logs. Click Save, and then click Apply.

Task 3: Configure the App-V Client properties


1. Click the Interface tab, click Always show the App Virt Client in the notification area, and then click Apply.
2. Click the File System tab, and then click Use free disk space threshold.
3. Type 5000 in the Minimum free space (MB) field to allow the cache to use all but 5 gigabytes (GB) of the disk space, and then click Apply.
4. Click the Connectivity tab, type 120 in the Limit disconnected operation to (days) box, and then click Apply.
5. Click the Permissions tab, select the Manage Publishing Servers check box, and then click OK.


Exercise 2: Configuring a Publishing Server for the App-V Client


Task 1: Add a new publishing server for the App-V Client
1. In the Application Virtualization Client, right-click the Publishing Servers node, and then click New Server.
2. In the New Publishing Server - Step 1 dialog box, type Contoso App-V Management as the display name.
3. Click the drop-down arrow under Type, select Application Virtualization Server, and then click Next.
4. In the New Publishing Server - Step 2 dialog box, type NYC-SVR2 in the Host Name field, and then click Finish.

Task 2: Configure the DC Refresh settings, and then refresh the client manually
1. On NYC-CL1, select the Publishing Servers node, right-click the Contoso App-V Management server entry in the details pane, and then click Properties.
2. Click the Refresh tab. Select the Refresh publishing every: check box, set the time interval to be 2 hours, and then click Apply.
3. Click Refresh to force the immediate refresh to the server manually, and then click OK.


Exercise 3: Configuring Applications by Using the Desktop Client


Task 1: Inspect the properties, and then load the application into the cache
1. Click the Applications node in the Application Virtualization Client. Notice the current Package Status is Idle (0%).

Note: You may have to refresh the view to see the application listed.

2. Right-click the Microsoft Word Viewer application, and then click Properties. Inspect the properties.
3. In the Microsoft Word Viewer Properties dialog box, click the Package tab. Answer the following questions.
   Question: What is the Package Size?
   Answer: 6 MB
   Question: What is the Launch Data in Cache?
   Answer: 0 MB
   Question: What is the Launch Data Size?
   Answer: 0 MB
4. Click Load and then click OK. Notice the Package Status changes to Loading.
5. Press F5 to refresh the console view. Access the Properties of the application again and click the Package tab.
   Question: What is the Launch Data in Cache?
   Answer: 2 MB
   Question: What is the Launch Data Size?
   Answer: 2 MB


Task 2: Create a custom file extension


1. Right-click the File Type Associations node, and then click New Association.
2. In the New Association - Step 1 dialog box, type ABC in the Extension field, and then click Next.
3. In the New Association - Step 2 dialog box, ensure that the Microsoft Word Viewer application is selected, and then click Finish.
4. Click the File Type Associations node, and then notice that the ABC file extension is now listed and associated with the Microsoft Office Word Viewer application.

Task 3: Test the file extension


1. On NYC-CL1, click Start, type CMD in the Search box, and then press ENTER.
2. In the command prompt, type fsutil file createnew test.abc 1000, and then press ENTER.
3. Close the command prompt.
4. Click Start, and then click Computer.
5. Navigate to C:\Users\Administrator.Contoso, and notice the file has been created and shows the icon of Microsoft Office Word Viewer.
6. Double-click the Test.abc file. The file opens in Microsoft Word Viewer application.
7. Close the Microsoft Word Viewer application.
8. Close all open windows on NYC-CL1.


Exercise 4: Installing and Configuring Settings by Using the Group Policy App-V Template
Task 1: Install the App-V Group Policy template
1. On NYC-DC1, open Windows Explorer, browse to E:\Labfiles\Mod07, and then double-click AppVADMTemplate.msi.
2. Accept the license agreement, and then click Next.
3. On the Select Installation Folder page, click Next.
4. On the Confirm Installation page, click Next. After installation completes, click Close. Close Windows Explorer.

Task 2: Add the template to the Group Policy Object Editor of the Default Domain Policy
1. On NYC-DC1, click Start, click Administrative Tools, and then click Group Policy Management.
2. Expand Forest, expand Domains, and then expand Contoso.com.
3. Right-click Default Domain Policy, and then click Edit.
4. Expand Default Domain Policy, expand Computer Configuration, expand Policies, right-click Administrative Templates, and then click Add/Remove Templates.
5. In the Add/Remove Templates dialog box, click Add.
6. In the Policy Templates dialog box, navigate to C:\AppVADMTemplate, click AppVirt.adm, click Open, and then click Close.

Task 3: Grant permission to add applications to all users


1. In the Group Policy Management Editor, expand Administrative Templates, expand Classic Administrative Templates (ADM), expand Microsoft Application Virtualization Client, and then click Permissions.
2. In the details pane, double-click Add Application.
3. In the Add Application dialog box, click Enabled, and then click OK.
4. Switch back to NYC-CL1.
5. On NYC-CL1, click Start, type GPUpdate in the Search box, and then press ENTER.
6. Click Start, type Sftcmc.msc, and then press ENTER.
7. In the Application Virtualization Client, right-click Application Virtualization (Local), and then click Properties.
8. Click the Permissions tab, and note that the Add applications check box is now selected to grant users this permission.

To prepare for the next lab


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machines used in this lab, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Module 8: Managing and Administering Application Virtualization

Lab A: Publishing Applications in the App-V Environment


Exercise 1: Configuring System Options
Task 1: Connect to the App-V Web service
1. On NYC-SVR2, click Start, point to Administrative Tools, and then click Application Virtualization Management Console.
2. Right-click NYC-SVR2, and then click Configure Connection.
3. Ensure the Use Secure Connection check box is cleared, and that the Port is 80.
4. In the Configure Connection dialog box, click Specify Windows Account.
5. In the Name field, type Contoso\Administrator.
6. In the Password field, type Pa$$w0rd, and then click OK.

Task 2: Configure the default content path and the duration for database usage
1. Right-click NYC-SVR2, and then click System Options.
2. On the General tab of the System Options dialog box, ensure that the Universal Naming Convention (UNC) path \\NYC-SVR2\Content is specified.
3. Click the Database tab.
4. In the Usage History section, set the Keep Usage For (Months) field to be 12 months, and then click OK.


Exercise 2: Managing App-V Administrators


Task 1: Grant administrative access to the Domain Admins group
1. In the Application Virtualization Management Console, expand NYC-SVR2, and then click the Administrators node.
2. In the Actions pane, click Add Administrator Group.
3. Type Domain Admins in the Select Groups dialog box, and then click OK.


Exercise 3: Publishing and Configuring an Application


Task 1: Copy the sequenced application to the Content Shared folder
1. On NYC-SVR2, click the Windows Explorer button in the taskbar.
2. Navigate to \\NYC-DC1\E$\Labfiles\Mod08, right-click the Word03 folder, and then click Copy.
3. Navigate to C:\Content, right-click, and then click Paste.
4. Close Windows Explorer.

Task 2: Import the sequenced application to the Management Console


1. In the Application Virtualization Management Console, select and then right-click the Applications node, and then click Import Applications.
2. Navigate to C:\Content\Word03, click the Wordviewer03.sprj file, and then click Open.
3. In the New Application Wizard, on the General Information page, observe the settings, and then click Next.
4. On the Published Shortcuts page, click the check box to Publish to Users Desktop, and then click Next.
5. On the File Associations page, click Next.
6. On the Access Permissions page, click Add.
7. Type Domain Users; AppVUsers in the Select Groups dialog box, click OK, and then click Next.
8. Click Finish to complete the import.

Task 3: Create an Application Group


1. Right-click the Applications node, and then click New Application Group.
2. In the New Application Group Wizard dialog box, type Microsoft Office Viewers in the Application Group Name field, and then click Finish.


Task 4: Move the Microsoft Office Viewer applications into the Application Group
1. In the Applications node, right-click the Microsoft Office Word Viewer 2003 application, and then click Move.
2. In the Select Target dialog box, expand Applications, click Microsoft Office Viewers, and then click OK.
3. Repeat the procedure to move the Microsoft Word Viewer into the Microsoft Office Viewers group.

Task 5: Modify permissions for the Application Group


1. Right-click the Microsoft Office Viewers application group, and then click Properties.
2. In the Microsoft Office Viewers Properties dialog box, click the Access Permissions tab.
3. Select Domain Users, and then click Remove.
4. Verify that the AppVUsers group has access permissions, and then click OK.


Exercise 4: Verifying Application Permissions


Task 1: Test permissions for users
1. Log on to NYC-CL1 as Contoso\AppVUser1 with a password of Pa$$w0rd.
2. Ensure the icons for both Microsoft Office Viewers appear on the desktop. Log off.
3. Log on as Contoso\ruser with a password of Pa$$w0rd.
4. Ensure the icons for the Microsoft Office Viewers do not appear on the desktop. Log off NYC-CL1.


Lab B: Implementing License Enforcement


Exercise 1: Publishing an Application
Task 1: Copy a sequenced application to the Content folder
1. On NYC-SVR2, open Windows Explorer, and then navigate to \\NYC-DC1\E$\Labfiles\Mod08.
2. Copy the Excel folder to the C:\Content folder.
3. Close Windows Explorer.

Task 2: Publish Microsoft Excel Viewer


1. If required, launch the Application Virtualization Management Console from Administrative Tools.
2. Right-click the Applications node, and then click Import Applications.
3. Browse to C:\Content\Excel, click Excel.sprj, and then click Open.
4. On the General Information page, click Next.
5. On the Published Shortcuts page, click the check box to Publish to Users Desktop.
6. Verify that Publish to Users Start Menu is selected, type Excel in the text box, and then click Next.
7. On the File Associations page, click Next.
8. On the Access Permissions page, click Add.
9. Type AppVUsers, click OK, and then click Next.
10. Click Finish.


Exercise 2: Creating a License Group


Task 1: Create a new named license
1. On NYC-SVR2, in the Application Virtualization Management Console, right-click the Application Licenses node, and then click New Named License.
2. In the Application License Group Name field, type Excel Users, and then click Next.
3. In the License Description field, type Excel Named License, and then click Next.
4. On the Named License User page, click Add.
5. In the User Name field, type Contoso\AppVUser1, and then click OK.
6. Click Finish.

Task 2: Assign the license group to an application


1. In the Application Virtualization Management Console, click the Applications node, and in the details pane, right-click Microsoft Office Excel Viewer, and then click Properties.
2. On the General page, click the drop-down arrow under Application License Group, select Excel Users, and then click OK.


Exercise 3: Creating a New Provider Policy


Task 1: Create a new provider policy
1. Right-click the Provider Policies node, and click New Provider Policy.
2. On the Provider Policy Properties page, type Licensed in the Policy Name field, and then click Next.
3. On the Group Assignment page, click Add.
4. Type AppVUsers, click OK, and then click Next.
5. On the Provider Pipeline page, click the Licensing check box, and then select Enforce License Policies from the drop-down list.
6. Click Finish.
7. Click OK in the information dialog box.

Task 2: Restart the service

1. Click Start, then type Services.msc in the Search box, and then press ENTER.
2. Locate and click the Application Virtualization Management Server service, and then click Restart the service.
3. Close the Services console.

Task 3: Modify the Excel .osd file to use the new provider policy
1. On NYC-SVR2, open Windows Explorer, and then navigate to C:\Content\Excel.
2. Use Notepad.exe to open the Microsoft Office Excel Viewer 12.0.6219.1000.osd file.
3. Modify the hypertext reference (HREF) tag line by inserting the ?Customer=Licensed text so that the HREF tag now reads:
   HREF="RTSP://NYC-SVR2:554/Excel/Excel.sft?Customer=Licensed"
4. Save and close the file.
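
A scripted form of steps 1 to 4, as an added example that is not part of the course material: it rewrites the HREF on the OSD file's CODEBASE element and gives the same result when run more than once. The function name Set-OsdProviderPolicy, the sample file and its placeholder GUIDs are assumptions constructed for illustration; only the HREF value comes from the lab.

```powershell
# Added example (not from the course material): set the provider policy in an
# App-V 4.x .osd file by rewriting the HREF on its CODEBASE element.
function Set-OsdProviderPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $PolicyName
    )

    # Resolve to a full path: XmlDocument.Load/Save use the .NET working
    # directory, which can differ from the current PowerShell location.
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath

    $osd = New-Object System.Xml.XmlDocument
    $osd.PreserveWhitespace = $true   # keep the file's existing layout
    $osd.Load($fullPath)

    $codebase = $osd.SelectSingleNode('//CODEBASE[@HREF]')
    if ($null -eq $codebase) {
        throw "No CODEBASE element with an HREF attribute found in $fullPath"
    }

    # Split the streaming URL into its target and its query string.
    $parts  = @($codebase.GetAttribute('HREF') -split '\?', 2)
    $target = $parts[0]
    $query  = if ($parts.Count -gt 1) { $parts[1] } else { '' }

    # Keep unrelated parameters and drop any existing Customer= value, so a
    # second run replaces the policy instead of appending a duplicate.
    $kept = @($query -split '&' | Where-Object { $_ -and ($_ -notmatch '^Customer=') })
    $kept += 'Customer=' + [uri]::EscapeDataString($PolicyName)
    $newHref = $target + '?' + ($kept -join '&')

    # Keep the original beside the edited file for rollback.
    Copy-Item -LiteralPath $fullPath -Destination "$fullPath.bak" -Force
    $codebase.SetAttribute('HREF', $newHref)
    $osd.Save($fullPath)
    return $newHref
}

# Constructed sample OSD for a dry run; the GUIDs are placeholders.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'ExcelViewer-sample.osd'
@'
<?xml version="1.0" standalone="no"?>
<SOFTPKG GUID="00000000-0000-0000-0000-000000000000" NAME="Microsoft Office Excel Viewer" VERSION="12.0.6219.1000">
  <IMPLEMENTATION>
    <CODEBASE HREF="RTSP://NYC-SVR2:554/Excel/Excel.sft" GUID="00000000-0000-0000-0000-000000000000" />
  </IMPLEMENTATION>
</SOFTPKG>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

Set-OsdProviderPolicy -Path $sample -PolicyName 'Licensed'
# Running it again replaces the existing Customer= value rather than adding one.
Set-OsdProviderPolicy -Path $sample -PolicyName 'Licensed'
```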


Exercise 4: Testing License Enforcement


Task 1: Test license enforcement
1. Log on to NYC-CL1 as AppVUser2 using the password Pa$$w0rd, and then attempt to start the published copy of Microsoft Office Excel Viewer. Notice that you are not able to start the application. Click OK, and then log off.
2. Log on to NYC-CL1 as AppVUser1 using the password Pa$$w0rd, and then attempt to start the published copy of Microsoft Office Excel Viewer. Notice that the application starts as expected.

To prepare for the next lab


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machines used in this lab, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Module 9: Sequencing Applications for Virtualization

Lab: Sequencing Applications for Virtualization


Exercise 1: Installing the App-V Sequencer
Task 1: Install the App-V Sequencer
1. On NYC-CL2, click the Windows Explorer button in the task bar, browse to \\NYC-DC1\E$\Labfiles\Mod09\Sequencer\x86, and then double-click Setup.exe.
2. In the InstallShield Wizard, click Install to install Microsoft Visual C++ 2005 Service Pack 1 (SP1) Redistributable Package (x86), and then click Next.
3. Accept the license agreement, and then click Next.
4. Accept the default destination folder, and then click Next.
5. Click Install.
6. Clear the Launch the program check box, and then click Finish.
7. Close Windows Explorer.

Task 2: Create drive Q


1. Click Start, right-click Computer, and then click Manage.
2. In Computer Management, expand Storage, and then click Disk Management.
3. On Disk 0, right-click the Unallocated space, and then click New Simple Volume.
4. In the New Simple Volume Wizard, click Next.
5. On the Specify Volume Size page, click Next.
6. On the Assign Drive Letter or Path page, click the drop-down arrow, select Q as the drive letter, and then click Next.
7. On the Format Partition page, click Next, and then click Finish.
8. Close all open windows.


Exercise 2: Sequencing an Application


Task 1: Sequence Microsoft Office Word Viewer 2003
1. On NYC-CL2, open Windows Explorer, and then browse to \\NYC-DC1\E$\Labfiles\Mod09. Copy the Word Viewer 2003 folder to C:\. Close Windows Explorer.
2. Click Start, click All Programs, click Microsoft Application Virtualization, and then click Microsoft Application Virtualization Sequencer.
3. In the Microsoft Application Virtualization Sequencer application, click Create a Package.
4. On the Package Information page, type WordViewer03. In the Comments field, type Sequenced on Windows 7, and then click Next.
5. On the Monitor Installation page, click Begin Monitoring.
6. In the Browse For Folder dialog box, ensure drive Q is selected, and then click Make New Folder.
7. Name the new folder Word03, and then click OK. Wait for the virtual environment to load.
8. Click Start, and then click Computer.
9. Navigate to C:\Word Viewer 2003, and then double-click the Wdviewer.exe file.
10. Accept the license agreement, and then click Next.
11. Click Browse, navigate to the Q:\Word03 folder, and then click OK.
12. Click Install.
13. On the Microsoft Office Word Viewer 2003 Setup has Completed dialog box, click OK.
14. Close the Word Viewer 2003 window, and return to the App-V Sequencer.
15. Click Stop Monitoring, and then click Next.
16. On the Configure Applications page, in the right pane, click the Microsoft Office 2003 component, and then click Remove. Click OK in the message box, and then click Next.
17. On the Launch Applications page, click Launch All. You are establishing feature block 1.
18. After the application launches, close the application, and then click Next.
19. On the Sequence Package page, click Finish.
20. In the Wordviewer03 dialog box, take note of the Launch Size and the Package Size values, and then click the Deployment tab.
21. Click the drop-down arrow below Protocol, and then select RTSP.
22. In the Hostname field, type NYC-SVR2.
23. Ensure the port is 554.
24. In the Path field, type Word03. This is the relative path in the content folder.
25. On the Menu bar, click Package, and then click Save.
26. In the Documents folder, right-click, point to New, and then click Folder.
27. Name the new folder Word03.
28. Save the WordViewer03.sprj file into the Word03 folder.
29. Close the sequencer, and then close all open windows.


Exercise 3: Deploying and Testing the Application


Task 1: Copy the application to the Content folder
1. Click Start, and then click Documents.
2. Right-click the Word03 folder, and then click Copy.
3. Click Start, type \\NYC-SVR2, and then press ENTER.
4. Open the Content shared folder, and then right-click and click Paste.
5. Close all open windows.

Task 2: Import the application


1. On NYC-SVR2, click Start, click Administrative Tools, and then click Application Virtualization Management Console.
2. Expand NYC-SVR2, right-click Applications, and then click Import Applications.
3. In the Open dialog box, navigate to C:\Content\Word03, click Wordviewer03.sprj, and then click Open.
4. In the New Application Wizard, click Next.
5. On the Published Shortcuts page, select the Publish to User's Desktop check box, and then click Next.
6. On the File Associations page, click Next.
7. On the Access Permissions page, click Add.
8. In the Select Groups dialog box, type AppVUsers, click OK, and then click Next.
9. Click Finish.


Task 3: Test the application


1. Log on to NYC-CL1 as AppVUser1 with a password of Pa$$w0rd.
2. Double-click the Microsoft Office Word Viewer 2003 desktop shortcut. Ensure that the application launches correctly.
3. Click Cancel to close the Open dialog box.
4. On the Microsoft Word Viewer menu bar, click Help, and then click About Microsoft Office Word Viewer. Take note of the version number. It should be 11.6506.6505.
5. Click OK, and then close Microsoft Word Viewer.
6. Log off NYC-CL1.


Exercise 4: Upgrading and Redeploying the Application


Task 1: Upgrade the application
1. On NYC-CL2, click Start, click All Programs, click Microsoft Application Virtualization, and then click Microsoft Application Virtualization Sequencer.
2. Click Upgrade a Package.
3. In the Open For Package Upgrade dialog box, navigate to the Documents\Word03 folder, click the Wordviewer03.sprj file, and then click Open.
4. Click Yes to Overwrite Decode Destination.
5. In the Package Information dialog box, click Next.
6. On the Monitor Installation page, click Begin Monitoring.
7. Click Start, and then click Computer.
8. Navigate to C:\Word Viewer 2003, and then double-click the office2003KB923276-FullFile-ENU.exe file.
9. Click Yes to install the update.
10. Click Yes to accept the license agreement.
11. Click OK to acknowledge that the update applied successfully.
12. Close the Word Viewer 2003 window.
13. Click Stop Monitoring, and then click Next.
14. On the Configure Applications page, click Next.
15. On the Launch Applications page, click Launch All.
16. After the application launches, close the application, and then click Next.
17. Click Finish. On the Properties tab, note that the Launch Size and Package Size values are both larger than the original package.
18. On the Menu bar, click Package, and then click Save.
19. Close the sequencer.


Task 2: Copy the application to the Content folder


1. On NYC-CL2, click Start, click Documents, and open the Word03 folder. Notice that the Wordviewer03 file now has a 2 at the end of the file name to indicate the version.
2. Click the back arrow to return to the Documents folder.
3. Right-click the Word03 folder, and then click Copy.
4. Click the address bar, and then type \\NYC-SVR2\Content, and then press ENTER.
5. Right-click and click Paste.
6. In the Confirm Folder Replace dialog box, click Yes.
7. In the Copy File dialog box, select the check box below Do this for the next 2 conflicts, and then click Copy and Replace.
8. In the Confirm Folder Replace dialog box, select the check box below Do this for all current items, and then click Yes.
9. Close all open windows.

Task 3: Upgrade the package version


1. Return to NYC-SVR2.
2. Click Start, click Administrative Tools, and then click Application Virtualization Management Console.
3. Expand NYC-SVR2, and then click the Packages node.
4. In the details pane, right-click the Wordviewer03_Package, and then click Add Version.
5. In the Add Package Version Wizard, click Browse.
6. In the Open dialog box, navigate to C:\Content\Word03\Wordviewer03_2.sft, click Open, and then click Next.
7. In the Enter Relative Path for package file folder, click Next.
8. On the Summary page, click Finish.
9. Expand the Packages node, and then click the Wordviewer03_Package. In the details pane, notice that there now are two versions.


Task 4: Test the deployment


1. On NYC-CL1, log on again as AppVUser1 with a password of Pa$$w0rd.
2. Double-click the Microsoft Office Word Viewer 2003 desktop shortcut. Notice a pop-up box in the notification tray says Checking for Updates.
3. Click Cancel to close the Open dialog box.
4. On the Microsoft Word Viewer menu bar, click Help, and then click About Microsoft Office Word Viewer. Take note of the version number. It should be 11.8104.6505.
5. Click OK, and then close Microsoft Word Viewer.
6. Log off NYC-CL1.


Exercise 5: Sequencing a Hard-Coded Application


Task 1: Sequence the Microsoft Office PowerPoint Viewer
1. On NYC-CL2, click Start, click All Programs, click Microsoft Application Virtualization, and then click Microsoft Application Virtualization Sequencer.
2. In the Microsoft Application Virtualization Sequencer application, click Create a Package.
3. On the Package Information page, type PPT. In the Comments field, type Sequenced on Windows 7, and then click Next.
4. On the Monitor Installation page, click Begin Monitoring.
5. In the Browse For Folder dialog box, ensure drive Q is selected, and then click Make New Folder.
6. Name the new folder PPT, and then click OK. Wait for the virtual environment to load.
7. Open Windows Explorer, navigate to \\NYC-DC1\E$\LabFiles\Mod09, and then double-click the PowerPointViewer.exe file.
8. Accept the license agreement, and then click Continue.
9. Click OK to acknowledge that the installation is complete, and then close the Mod09 folder.
10. Click Stop Monitoring, and then click Next.
11. On the Configure Applications page, click Next.
12. On the Launch Applications page, click Launch All.
13. After the application launches, accept the license terms, close the application, and then click Next.
14. On the Sequence Package page, click Finish.
15. On the Deployment tab, click the drop-down arrow below Protocol, and then click RTSP.
16. In the Hostname field, type NYC-SVR2.
17. Ensure the port is 554.
18. In the Path field, type PPT. This is the relative path in the content folder.
19. On the Menu bar, click Package, and then click Save.
20. Browse to the Documents folder, right-click and then point to New and then click Folder.
21. Name the new folder PPT.
22. Save the PPT.sprj file into the PPT folder.
23. Close all open windows, and then log off.

To prepare for the next lab


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machines used in this lab, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Module 10: Configuring Remote Desktop Services and RemoteApp

Lab: Configuring RDS and RemoteApp Programs


Exercise 1: Preparing the RDS Environment
Task 1: Add the Remote Desktop Service role to the NYC-DC1 server
1. On the Start menu of the NYC-DC1 server, point to Administrative Tools, and then click Server Manager. The Server Manager window opens.
2. In Server Manager, right-click Roles, and then select Add Roles.
3. On the Before You Begin page, click Next.
4. On the Select Server Roles page, select Remote Desktop Services, and then click Next twice.
5. On the Select Role Services page, select Remote Desktop Session Host. In the Add Roles Wizard dialog box, click Install Remote Desktop Role Session Host anyway (not recommended), and then click Next twice.
6. On the Specify Authentication Method for Remote Desktop Session Host page, click Require Network Level Authentication, and then click Next.
7. Click Next three more times, and then click Install.
8. Wait until installation finishes. On Installation Results page, click Close.
9. In Add Roles Wizard dialog box, click Yes to restart the computer.
10. Wait until the server restarts. Log on to NYC-DC1 as Contoso\Administrator, with Pa$$w0rd as password.
11. After you log on to NYC-DC1, Server Manager opens. Wait until the Resume Configuration Wizard finishes. On the Installation Results page, click Close, and then minimize Server Manager.


Task 2: Add the Remote Desktop Service role to the NYC-SVR1 server
1. On the Start menu of the NYC-SVR1 server, point to Administrative Tools, and then click Server Manager. The Server Manager window opens.
2. In Server Manager, right-click Roles, and then select Add Roles.
3. On the Before You Begin page, click Next.
4. On the Select Server Roles page, select Remote Desktop Services, and then click Next twice.
5. On the Select Role Services page, select Remote Desktop Session Host, Remote Desktop Connection Broker, and Remote Desktop Web Access. In the Add Roles Wizard dialog box, click Add Required Role Services, and then click Next twice.
6. On the Specify Authentication Method for Remote Desktop Session Host page, click Require Network Level Authentication, and then click Next.
7. Click Next five more times, and then click Install.
8. Wait until installation finishes. On Installation Results page, click Close.
9. In the Add Roles Wizard dialog box, click Yes to restart the computer.
10. Wait until the server restarts. Log on to NYC-SVR1 as Contoso\Administrator with Pa$$w0rd as password.
11. After you log on to NYC-SVR1, Server Manager opens. Wait until the Resume Configuration Wizard finishes. On the Installation Results page, click Close, and then minimize Server Manager.

Task 3: Configure Group Membership on the RD Session Host servers


1. On NYC-DC1, switch to Server Manager, expand Roles, expand Active Directory Domain Services, expand Active Directory Users and Computers, expand Contoso.com, and then click the Users container.
2. Add the RD Web Computers group as a member to the TS Web Access Computers Group.
3. Select the Builtin container, and then add the RD Users group as a member to the Remote Desktop Users group.
4. Minimize Server Manager on NYC-DC1.
5. On NYC-SVR1, switch to Server Manager, expand Configuration, expand Local Users and Groups, and click Groups.
6. Add the RD Web Computers group as a member to the local TS Web Access Computers Group.
7. Add the RD Users group as a member to the local Remote Desktop Users group.
8. Minimize Server Manager on NYC-SVR1.


Exercise 2: Publishing RemoteApp Programs


Task 1: Publish RemoteApp programs
1. You will first publish RemoteApp programs on the NYC-DC1 Remote Desktop Session Host server. On the Start menu of the NYC-DC1 server, point to Administrative Tools, point to Remote Desktop Services, and then click RemoteApp Manager. The RemoteApp Manager window opens.
2. In the Actions pane of RemoteApp Manager, click Add RemoteApp Programs.
3. Click Next in the Welcome to the RemoteApp Wizard.
4. Select the check box next to Calculator and Paint, and then click Next. Calculator and Paint represent applications that are available on a Remote Desktop Session Host Server. However, in reality, you could make any business application available.
5. Click Finish in the Review Settings window. Calculator and Paint are added to the list of available RemoteApp Programs.
6. Next you will publish RemoteApp programs on the NYC-SVR1 Remote Desktop Session Host server. On the Start menu of the NYC-SVR1 server, point to Administrative Tools, point to Remote Desktop Services, and then click RemoteApp Manager. The RemoteApp Manager window opens.
7. In the Actions pane of RemoteApp Manager, click Add RemoteApp Programs.
8. Click Next in the Welcome to the RemoteApp Wizard.
9. Click Browse, point to Notepad in the Windows\System32 folder, and then click Open.
10. Select the check box next to WordPad, and then click Next. WordPad and Notepad are used to represent applications that are available on a Remote Desktop Session Host Server. However, in reality, you can make any business application available.
11. Click Finish in the Review Settings window. Notepad.exe and WordPad are added to the list of available RemoteApp Programs. By publishing different applications on different Remote Desktop Session Host servers, you are separating the workload.


Task 2: Configure Remote Desktop Connection Broker to aggregate list of RemoteApp programs
1. You will configure Remote Desktop Connection Broker on NYC-SVR1 to aggregate published RemoteApp applications on two RD Session Host servers, NYC-DC1 and NYC-SVR1. On the Start menu of the NYC-SVR1 server, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Connection Manager. The Remote Desktop Connection Manager window opens.
2. In Remote Desktop Connection Manager, click RemoteApp Sources, and then in the Actions pane, click Add RemoteApp Source.
3. Enter NYC-DC1.contoso.com as RemoteApp source name, and then click Add.
4. Click Add RemoteApp Source, enter NYC-SVR1.contoso.com as RemoteApp source name, and then click Add.
5. Close the Remote Desktop Connection Manager window.

Task 3: Configure Remote Desktop Web Access to use Remote Desktop Connection Broker
1. In this task, you will configure Remote Desktop Web Access to provide a list of all RemoteApp programs that are available on two RD Session Host servers. On the Start menu of the NYC-SVR1 server, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Web Access Configuration. The Internet Explorer window opens.
2. Click Continue to this website (not recommended). This error occurs because the Web site certificate is issued to NYC-SVR1.contoso.msft, and you are connecting to localhost.
3. Enter contoso\administrator as the Domain\username and Pa$$w0rd as Password, and then click Sign in.
4. Select the An RD Connection Broker server radio button, enter NYC-SVR1.contoso.com in Source name, and then click OK. The Enterprise Remote Access setting configures the Remote Desktop Web Access page to retrieve the aggregated list of RemoteApp programs from the RD Connection Broker computer.
5. Verify that all four RemoteApp published applications are displayed on the Enterprise Remote Access Web page.

Task 4: Access Remote Desktop Web Access from the client


1. In this task, you will test the configuration of the Remote Desktop Connection Broker to verify that you see all four published RemoteApp applications available on one Remote Desktop Services Web Access page. On NYC-CL1, start Internet Explorer, and then enter https://NYC-SVR1.contoso.com/RDWeb in the address bar. Press ENTER.
2. Right-click the information bar, and then select Run Add-on to allow the Microsoft Remote Desktop Services Web Access add-on to install on the computer.
3. Click Run in the Internet Explorer Security Warning dialog box.
4. Enter contoso\ruser as Domain\username and Pa$$w0rd as Password, and then click Sign in.
5. Verify that all four RemoteApp published applications are displayed on the Enterprise Remote Access Web page.
6. Click Notepad.
7. Review the warning in the RemoteApp dialog box, and then click Connect.
8. Log on as Contoso\ruser with Pa$$w0rd as password and then click OK. The Notepad RemoteApp program opens. Verify that the RemoteApp program looks and behaves as if it was installed locally, and then close Notepad.


Task 5: Configure and test RemoteApp User Assignment


1. In this task, you will implement and test RemoteApp User Assignment. This is a new feature in Windows Server 2008 R2 Remote Desktop Services, and it specifies which users can see the icon for a RemoteApp program. On the NYC-SVR1 server, switch to RemoteApp Manager, right-click WordPad in the RemoteApp Programs list, and then select Properties.
2. On the User Assignment tab, select Specified domain users and domain groups, and then click Add.
3. Enter contoso\Administrator, and then click OK. This allows only administrators to view the RemoteApp icon for WordPad. Click OK in the RemoteApp Properties dialog box.
4. Switch to NYC-CL1, and refresh the page in Internet Explorer. As ruser no longer has permissions for the WordPad RemoteApp program, the WordPad icon no longer is available, and there are only three RemoteApp programs available on the Enterprise Remote Access Web page.
5. You also can remove the RemoteApp program icon from the RD Web Access Web page for all users. To test this feature, on the NYC-DC1 server, switch to RemoteApp Manager, right-click Paint in RemoteApp Programs, and then click Hide in RD Web Access. Switch to NYC-CL1, and refresh the page in Internet Explorer. The Paint icon no longer is available, and there are only two RemoteApp programs available on the Enterprise Remote Access Web page.


Exercise 3: Accessing Published RemoteApp Programs


Task 1: Configure digital signing of .rdp files on RD Session Host servers
1. In the previous exercise, you found out that when you start a RemoteApp program from the RD Web Access Web page, you get additional dialog boxes before the remote application starts. In this exercise you will configure RDS to avoid such prompts. On NYC-SVR1, switch to RemoteApp Manager, and in the Actions pane, click Digital Signature Settings.
2. In the RemoteApp Deployment Settings dialog box, on the Digital Signature tab, select the check box next to Sign with a digital certificate, and then click Change.
3. In the Windows Security window, select NYC-SVR1.contoso.com, click OK, and then click OK again to close the RemoteApp Deployment Settings dialog box.
4. On NYC-DC1, switch to RemoteApp Manager, and then in the Actions pane, click Digital Signature Settings.
5. In the RemoteApp Deployment Settings dialog box, on the Digital Signature tab, select the check box next to Sign with a digital certificate, and then click Change.
6. In the Windows Security window, select the digital certificate for NYC-DC1.contoso.com, click OK, and then click OK again to close the RemoteApp Deployment Settings dialog box.
7. Switch to NYC-CL1, and then refresh the page in Internet Explorer.

Task 2: Configure SSO for accessing RD Session Host servers


1. You will configure SSO by configuring Local Group Policy. On NYC-CL1, on the Start menu, in the Search field, enter gpedit.msc.
2. Right-click gpedit.msc, and then click Run as administrator. In the User Account Control prompt, enter contoso\administrator as the user name, Pa$$w0rd as the password, and then click Yes. The Local Group Policy Editor opens.
3. In the Local Group Policy Editor, expand Computer Configuration, expand Administrative Templates, expand System, and then click Credentials Delegation.
4. In the details pane, double-click Allow Delegating Default Credentials, select Enabled, click Show, and then enter TERMSRV/* as the Value. By doing that, you will allow credentials delegation to any RD Session Host server. Click OK twice, and then minimize the Local Group Policy Editor window.
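Because TERMSRV/* matches every RD Session Host a user connects to, it is useful to see exactly which targets a client is allowed to send default credentials to. The following is an added example, not part of the course material: it lists the SPN patterns configured under the Credentials Delegation policy key and flags any that are wider than a single host. The registry path and the two-host comparison list are assumptions taken from where this policy is stored and from the lab's server names.

```powershell
# Added example, not part of the course material. Run on the client (NYC-CL1 in the lab).
# Assumption: the Credentials Delegation policies are stored under this key,
# one subkey per policy list, with the SPN patterns as string values.
$BaseKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

# The two RD Session Host servers used in this lab.
$ExpectedTargets = @('TERMSRV/NYC-SVR1.contoso.com', 'TERMSRV/NYC-DC1.contoso.com')

function Get-SpnScope {
    param([string]$Spn)
    # Classify how many servers one "service/host" pattern covers.
    if ($Spn.Trim() -eq '*')            { return 'AnyService' }
    $service, $target = $Spn -split '/', 2
    if (-not $service -or -not $target) { return 'Malformed' }
    if ($service -eq '*')               { return 'AnyService' }
    if ($target -eq '*')                { return 'AnyHost' }
    if ($target.Contains('*'))          { return 'HostPattern' }
    return 'SingleHost'
}

function Get-DelegationPolicyEntry {
    param([string]$Path = $BaseKey)
    if (-not (Test-Path -Path $Path)) { return }
    # Each subkey (for example AllowDefaultCredentials) is one delegation list.
    foreach ($list in Get-ChildItem -Path $Path) {
        foreach ($name in $list.GetValueNames()) {
            $spn = [string]$list.GetValue($name)
            New-Object PSObject -Property @{
                PolicyList = $list.PSChildName
                Spn        = $spn
                Scope      = Get-SpnScope $spn
                InLabList  = ($ExpectedTargets -contains $spn)
            }
        }
    }
}

$entries = @(Get-DelegationPolicyEntry)
if ($entries.Count -eq 0) {
    Write-Output 'No credentials delegation lists are configured by policy.'
} else {
    $entries | Sort-Object PolicyList, Spn |
        Format-Table PolicyList, Spn, Scope, InLabList -AutoSize

    # Anything wider than a single host deserves a second look: TERMSRV/* covers
    # every RD Session Host, not only the two servers this lab publishes from.
    foreach ($e in $entries | Where-Object { $_.Scope -ne 'SingleHost' }) {
        Write-Warning ("{0}: '{1}' is scoped as {2}" -f $e.PolicyList, $e.Spn, $e.Scope)
    }
}
```

With the lab's setting in place, the script reports TERMSRV/* as AnyHost; entering the two host-specific values from $ExpectedTargets in the policy instead would report SingleHost for each.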

Task 3: Configure a trusted .rdp publisher


1. If you want to avoid the RemoteApp warning that specifies that the remote program could harm your computer, you must configure a trusted .rdp publisher. In this task, you will use Local Group Policy, but in a production environment, you would use domain Group Policy. On NYC-CL1, switch to the Local Group Policy Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, expand Remote Desktop Services, and then click Remote Desktop Connection Client.
2. In the details pane, double-click Specify SHA1 thumbprints of certificates representing trusted .rdp publishers, and then click Enabled.
3. On NYC-CL1, switch to Internet Explorer, where you have the Enterprise Remote Access page open, and then click Notepad.
4. In the RemoteApp dialog box, click the NYC-SVR1.contoso.com link. In the Certificate window, click the Details tab, scroll down, and then click the Thumbprint field. Highlight the thumbprint numbers in the details box, copy them by pressing CTRL+C, click OK, and then click Cancel in the RemoteApp dialog box.
   Note: Do not highlight the leading or ending space in the thumbprint box!
5. Switch to the Specify SHA1 thumbprints of certificates representing trusted .rdp publishers window, right-click in the Comma-separated list of SHA1 trusted certificate thumbprints entry box, and then select Paste. Click OK, and then minimize Local Group Policy Editor.
6. In Internet Explorer, on the Enterprise Remote Access page, click Notepad. Verify that the Notepad RemoteApp program opens without any prompt. With this configuration, users can start RemoteApp programs in the same way as locally installed programs. Close Notepad.
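The note in step 4 matters because a thumbprint pasted with stray characters does not match the publisher certificate, and the warning then keeps appearing. The following is an added example, not part of the course material: it reads the thumbprint from the certificate itself and compares it with what the policy currently holds. It assumes the signing certificate was saved to a .cer file (Copy to File on the Details tab); the file path is a placeholder, and the registry value is assumed to be where this policy stores its list.

```powershell
# Added example, not part of the course material. Run on the client (NYC-CL1 in the lab).
# Assumption: the policy stores its comma-separated list in this registry value.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$PolicyValue = 'TrustedCertThumbprints'

function ConvertTo-CleanThumbprint {
    param([string]$Raw)
    # Keep hex digits only; this drops spaces and any invisible character
    # that came along when the value was copied from the Certificate window.
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($clean.Length -ne 40) {
        throw "A SHA-1 thumbprint has 40 hex digits; got $($clean.Length) from '$Raw'."
    }
    $clean
}

function Get-TrustedPublisherStatus {
    param([string]$CertificatePath)   # hypothetical: the signing certificate saved as a .cer file

    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertificatePath
    $wanted = ConvertTo-CleanThumbprint $cert.Thumbprint

    # Read the list the policy wrote; it is absent when the policy is not configured.
    $item    = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    $entries = @()
    if ($item -and $item.$PolicyValue) { $entries = @($item.$PolicyValue -split ',') }

    $asTyped = $false
    $afterCleanup = $false
    foreach ($entry in $entries) {
        if ($entry -eq $wanted) { $asTyped = $true }
        try {
            if ((ConvertTo-CleanThumbprint $entry) -eq $wanted) { $afterCleanup = $true }
        } catch {
            Write-Warning "Policy entry is not a thumbprint: '$entry'"
        }
    }

    New-Object PSObject -Property @{
        Subject            = $cert.Subject
        NotAfter           = $cert.NotAfter
        Thumbprint         = $wanted          # the value to paste into the policy
        PolicyEntries      = $entries.Count
        ListedExactly      = $asTyped         # an entry matches character for character
        ListedAfterCleanup = $afterCleanup    # an entry matches only once stray characters are removed
    }
}

# Placeholder path; save the certificate shown in the RemoteApp dialog box to this file first.
Get-TrustedPublisherStatus -CertificatePath 'C:\Temp\rdp-publisher.cer' |
    Format-List Subject, NotAfter, Thumbprint, PolicyEntries, ListedExactly, ListedAfterCleanup
```

ListedAfterCleanup true with ListedExactly false means the pasted entry carries extra characters and should be replaced with the Thumbprint value shown.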


Task 4: Package a RemoteApp program as a Windows Installer package


1. On NYC-SVR1, in RemoteApp Manager, right-click WordPad, and then click Create Windows Installer Package.
2. In the Welcome to the RemoteApp Wizard, click Next.
3. On the Specify Package Settings page, accept the default settings, and then click Next.
4. On the Configure Distribution Package page, clear the check box next to the Start menu folder option, and select the check boxes for Desktop and Associate client extensions for this program with the RemoteApp program. Click Next, and then click Finish. Windows Explorer opens.
5. Navigate to C:\Program Files, right-click Packaged Programs, point to Share with, and then click Advanced sharing.
6. Click Advanced Sharing, select the check box next to Share this folder, click OK, and then click Close. Close the Windows Explorer window.

Task 5: Install and test the RemoteApp Windows Installer package


1. On NYC-CL1, on the Start menu, type \\nyc-svr1\ in the Search field.
2. Click Packaged Programs.
3. Double-click wordpad.msi.
4. In the User Account Control prompt, enter contoso\administrator as the user name, Pa$$w0rd as the password, and then click Yes.
5. Verify that after installation is complete, the Wordpad shortcut is added to the desktop.
6. Double-click the Wordpad shortcut, and then verify that the RemoteApp program opens without any prompt. Close Wordpad.
7. Right-click the desktop, point to New, and then click Text Document. Specify the file name as Report.docx. Docx is one of the extensions that is associated with Wordpad, and you selected to associate extensions for this program with the RemoteApp program. Click Yes in the Rename dialog box.
8. Double-click Report.docx, and verify that it opens in the Wordpad RemoteApp program. Close Wordpad.


Task 6: Implement RemoteApp and Desktop Connection


1. In this task, you will integrate published RemoteApp programs with the Start menu of a client computer. On the Start menu of NYC-CL1, in the Search field, type remote, and from the results list, click RemoteApp and Desktop Connections.
2. Click Set up a new connection with RemoteApp and Desktop Connections.
3. Enter https://NYC-SVR1.contoso.com/RDweb/Feed/webfeed.aspx in the Connection URL, and then click Next.
4. Click Next on Ready to set up the connection.
5. Click Finish on You have successfully set up the following connection.
6. Verify that there is a new program group available, RemoteApp and Desktop Connections, on your Start menu, All Programs. The program group contains all RemoteApp applications that are available to the user. You also can create a configuration file that creates this program group by using Remote Desktop Connection Manager.

To prepare for the next lab


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machines used in this lab, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Module 11: Implementing User State Virtualization

Lab: Implementing User State Virtualization


Exercise 1: Configuring and Testing Roaming Profiles
Task 1: Configure a roaming profile and configure a pilot group of users to use roaming profiles
1. On NYC-DC1, click Start, click Computer and then double-click Local Disk (C:).
2. Right-click Profiles, and then click Properties.
3. In the Profiles Properties dialog box, click the Sharing tab.
4. Click Advanced Sharing.
5. In the Advanced Sharing dialog box, verify that the Share this folder check box is selected.
6. Click Permissions.
7. In the Permissions for Profiles dialog box, click Everyone, click Remove, and then click Add.
8. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type Authenticated Users, and then click Check Names.
9. Click OK, and in the Permissions for Profiles dialog box, click Authenticated Users, select the Change check box under Allow, and then click OK.
10. In the Advanced Sharing dialog box, click Caching.
11. In the Offline Settings dialog box, click No Files or programs from the shared folder are available offline, and then click OK.
12. In the Advanced Sharing dialog box, click OK.
13. In the Profiles Properties dialog box, click Close.
14. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
15. In Active Directory Users and Computers, expand Active Directory Users and Computers, expand Contoso.com, and then click IT.
16. In the results pane, click Candy Spoon, press CTRL, and then click Terri Chudzik.
17. Right-click either of these two objects, and then click Properties.
18. In the Properties for Multiple Items dialog box, click the Profile tab.
19. Select the Profile path check box, in the Profile path box, type \\NYC-DC1\Profiles\%username%, and then click OK.

Task 2: Make changes to user environment


1. Log on to NYC-CL1 as Candy with password Pa$$w0rd.
2. Right-click the Desktop, and then click Personalize.
3. In Personalization, click the Landscapes theme. Click Desktop Background and next to Picture location, select Windows Desktop Backgrounds. Click Save changes and then close the Personalization window.
4. Click Start, and then click Computer.
5. Resize Windows Explorer so that you can also see the desktop.
6. Right-click Local Disk (C:), and then click Create shortcut.
7. Log off of NYC-CL1.

Task 3: Log on to a second computer and verify roaming of the changes


1. Log on to the NYC-CL2 virtual machine as Candy using the password Pa$$w0rd.
   Question: Do the Desktop personalization options appear as you configured them, including the desktop shortcut?
   Answer: Yes.
   Question: Is the shortcut to drive C retained on Desktop?
   Answer: Yes.
2. Log off of NYC-CL2.


Exercise 2: Configuring and Testing Folder Redirection


Task 1: Configure folder redirection
1. Switch to the NYC-DC1 virtual machine.
2. Click Start, click Computer, and then double-click Local Disk (C:).
3. In Windows Explorer, click New folder.
4. Type Redirected Folders, and then press ENTER.
5. Double-click Redirected Folders.
6. In Windows Explorer, click New folder.
7. Type Marketing, and then press ENTER.
8. In Windows Explorer, click New folder.
9. Type Production, and then press ENTER.
10. Right-click Marketing and then click Properties.
11. In the Marketing Properties dialog box, click the Sharing tab.
12. Click Advanced Sharing.
13. In the Advanced Sharing dialog box, select the Share this folder check box.
14. In the Share name box, type Marketing$.
15. Click Permissions.
16. In the Permissions for Marketing$ dialog box, ensure that Everyone is clicked, click Remove, and then click Add.
17. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type Marketing, click Check Names, and then click OK.
18. In the Permissions for Marketing$ dialog box, click Marketing, under Allow select the Full Control check box, and then click OK.
19. In the Advanced Sharing dialog box, click OK.
20. In the Marketing Properties dialog box, click Close.
21. Right-click Production, and then click Properties.
22. In the Production Properties dialog box, click the Sharing tab.
23. Click Advanced Sharing.


24. In the Advanced Sharing dialog box, select the Share this folder check box.
25. In the Share name box, type Production$.
26. Click Permissions.
27. In the Permissions for Production$ dialog box, ensure that Everyone is clicked, click Remove, and then click Add.
28. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type Production, and then click Check Names.
29. Click OK, and in the Permissions for Production$ dialog box, click Production, select the Full Control check box under Allow, and then click OK.
30. In the Advanced Sharing dialog box, click OK.
31. In the Production Properties dialog box, click Close.
32. Right-click Marketing, and then click Properties.
33. Click the Security tab.
34. Click Advanced.
35. Click Change Permissions.
36. Clear the Include inheritable permissions from this object's parent check box.
37. In the Windows Security dialog box, click Add.
38. In the Advanced Security Settings for Marketing dialog box, click OK, and then click OK again.
39. In the Marketing Properties dialog box, click Edit.
40. In the Permissions for Marketing dialog box, click Add.
41. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type Marketing, click Check Names, and then click OK.
42. In the Permissions for Marketing dialog box, click OK.
43. In the Marketing Properties dialog box, click Advanced, and then click Change Permissions.
44. In the Permissions entries list, click Marketing (CONTOSO\Marketing), and then click Edit.


45. In the Permission Entry for Marketing dialog box, in the Apply to list, click This folder only, in the Permissions list select the Create folders / append data check box under the Allow column, and then click OK.
46. Click OK three times to close all dialog boxes.
47. Right-click Production, and then click Properties.
48. Click the Security tab.
49. Click Advanced.
50. Click Change Permissions.
51. Clear the Include inheritable permissions from this object's parent check box.
52. In the Windows Security dialog box, click Add.
53. In the Advanced Security Settings for Production dialog box, click OK, and then click OK again.
54. In the Production Properties dialog box, click Edit.
55. In the Permissions for Production dialog box, click Add.
56. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type Production, click Check Names, and then click OK.
57. In the Permissions for Production dialog box, click OK.
58. In the Production Properties dialog box, click Advanced, and then click Change Permissions.
59. In the Permissions entries list, click Production (CONTOSO\Production), and then click Edit.
60. In the Permission Entry for Production dialog box, in the Apply to list, click This folder only, in the Permissions list, select the Create folders / append data check box under the Allow column, and then click OK four times.
61. Click Start, point to Administrative Tools, and then click Group Policy Management.
62. In Group Policy Management, expand Forest: Contoso.com.
63. Expand Domains, right-click Contoso.com, and then click Create a GPO in this domain, and Link it here.


64. In the New GPO dialog box, type Redirection in the Name box, and then click OK.
65. Right-click Redirection, and then click Edit.
66. In the Group Policy Management Editor, expand User Configuration, expand Policies, expand Windows Settings, and then expand Folder Redirection.
67. Right-click Documents, and then click Properties.
68. In the Documents Properties dialog box, in the Setting list, click Advanced - Specify locations for various user groups.
69. Click Add, and in the Specify Group and Location dialog box, in the Security Group Membership box, type Marketing.
70. In the Target Folder Location list, click Create a folder for each user under the root path.
71. In the Root Path box, type \\NYC-DC1\marketing$ and then click OK.
72. Click Add, and in the Specify Group and Location dialog box, in the Security Group Membership box, type Production.
73. In the Target Folder Location list, click Create a folder for each user under the root path.
74. In the Root Path box, type \\NYC-DC1\Production$, and then click OK.
75. In the Documents Properties dialog box, click the Settings tab.
76. Under Policy Removal, click Redirect the folder back to the local userprofile location when policy is removed, and then click OK.
77. In the Warning dialog box, click Yes.
78. In the Group Policy Management Editor, in the tree, right-click Pictures, and then click Properties.
79. On the Target tab, in the Setting list, click Follow the Documents folder, and then click OK.
80. In the Warning dialog box, click Yes.
81. Repeat steps 78-80 for the Music and Videos folders.
82. Close the Group Policy Management Editor.
83. Close Group Policy Management.
84. Switch to the NYC-CL1 virtual machine.


85. Log on to the NYC-CL1 virtual machine as Contoso\Administrator using the password Pa$$w0rd.
86. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
87. At the command prompt, type gpupdate /force, and then press ENTER.
88. Read the message at the command prompt, type Y, and then press ENTER.
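Steps 32 through 60 are easy to get slightly wrong in the dialog boxes, so it helps to read the resulting NTFS permissions back from the two root folders. The following is an added example, not part of the course material: it checks that inheritance is blocked, that the group entry is limited to the folder itself and allows creating folders, and it lists who else can still create folders there. Folder paths and group names are the ones used in this task.

```powershell
# Added example, not part of the course material. Run on the file server (NYC-DC1 in the lab).
# Folder paths and group names are the ones created in the steps above.
$Roots = @{
    'C:\Redirected Folders\Marketing'  = 'CONTOSO\Marketing'
    'C:\Redirected Folders\Production' = 'CONTOSO\Production'
}

# "Create folders / append data" is a single bit (AppendData and CreateDirectories share it).
$CreateBit   = [int][System.Security.AccessControl.FileSystemRights]::AppendData
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-RedirectionRoot {
    param([string]$Path, [string]$Group)

    $acl   = Get-Acl -Path $Path
    $allow = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })
    $mine  = @($allow | Where-Object { $_.IdentityReference.Value -eq $Group })

    # Steps 45 and 60: the group entry applies to "This folder only" and can create folders.
    $canCreate  = @($mine | Where-Object { ([int]$_.FileSystemRights -band $CreateBit) -ne 0 }).Count -gt 0
    $folderOnly = @($mine | Where-Object { $_.InheritanceFlags -ne 'None' }).Count -eq 0

    # Steps 37 and 52 (Add) keep the parent's entries as explicit ones, so list
    # every other principal that can still create folders directly in the root.
    $others = @($allow | Where-Object {
            $_.IdentityReference.Value -ne $Group -and
            ([int]$_.FileSystemRights -band $CreateBit) -ne 0 -and
            ([int]$_.PropagationFlags -band $InheritOnly) -eq 0
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    New-Object PSObject -Property @{
        Path               = $Path
        InheritanceBlocked = $acl.AreAccessRulesProtected   # steps 36 and 51
        GroupEntries       = $mine.Count
        GroupCanCreate     = $canCreate
        GroupFolderOnly    = ($mine.Count -gt 0 -and $folderOnly)
        OthersCanCreate    = ($others -join ', ')
    }
}

foreach ($root in $Roots.Keys) {
    Test-RedirectionRoot -Path $root -Group $Roots[$root] |
        Format-List Path, InheritanceBlocked, GroupEntries, GroupCanCreate, GroupFolderOnly, OthersCanCreate
}
```

Administrators and SYSTEM are expected in OthersCanCreate; any other name there is an entry that was carried over from the parent folder and is worth reviewing.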

Task 2: Verify that folders are redirected and not stored in the profile
1. Log on to the NYC-CL1 virtual machine as Contoso\Adam using the password Pa$$w0rd.
2. Click Start, and then click Adam Carter and then double-click My Documents.
3. In My Documents click the Address bar and make sure that path \\NYC-DC1\marketing$\adam\Documents is revealed.
4. In Documents, right-click some free space in the window, point to New, and click Text Document.
5. Press ENTER to confirm the filename.
6. Double-click the file.
7. Type Updated, and in File menu, click Save.
8. Close the file.
9. Log off of NYC-CL1.
10. Log on to the NYC-CL1 virtual machine as Contoso\Bart using the password Pa$$w0rd.
11. Click Start, click Bart Duncan and then double-click My Documents.
12. In My Documents, click the Address bar.
    Question: What path is revealed?
    Answer: \\NYC-DC1\production$\Bart\Documents


13. Click Start, click Computer, double-click Local Disk (C:).
14. Double-click the Users folder and then double-click the folder named Bart.
15. Make sure that the folders Documents, Pictures and Videos are not present in Bart's local folder.
16. Log off of NYC-CL1.
17. Switch to the NYC-DC1 virtual machine.
18. In Windows Explorer, locate C:\Redirected Folders\Production.
    Question: Can you see the Bart folder?
    Answer: Yes.
19. Close all open windows.


Exercise 3: Configuring Offline Files


Task 1: Create and share the company-wide data folder
1. Switch to the NYC-DC1 virtual machine.
2. Click Start, click Computer, and then double-click Local Disk (C:).
3. In Windows Explorer, click New folder.
4. Type CorpData, and then press ENTER.
5. Right-click CorpData, and then click Properties.
6. In the CorpData Properties dialog box, click the Sharing tab.
7. Click Advanced Sharing.
8. In the Advanced Sharing dialog box, select the Share this folder check box.
9. Click Permissions.
10. In the Permissions for CorpData dialog box, click Everyone, click Remove, and then click Add.
11. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type Authenticated Users, and then click Check Names.
12. Click OK, and in the Permissions for CorpData dialog box, click Authenticated Users, under Allow, select the Full Control check box, and then click OK.
13. In the Advanced Sharing dialog box, click Caching.
14. In the Offline Settings dialog box, ensure that Only the files and programs that users specify will be available offline is selected, and then click OK.
15. In the Advanced Sharing dialog box, click OK.
16. In the CorpData Properties dialog box, click the Security tab.
17. Click Advanced.
18. Click Change Permissions.
19. Clear the Include inheritable permissions from this object's parent check box.
20. In the Windows Security dialog box, click Add.


21. In the Advanced Security Settings for CorpData dialog box, click OK, and then click OK again.
22. In the CorpData Properties dialog box, click Edit.
23. In the Permissions for CorpData dialog box, click Add.
24. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type Authenticated Users, click Check Names, and then click OK.
25. In the Permissions for CorpData dialog box, in the Group or user names list, click Authenticated Users, and then in the Permissions for Authenticated Users list, under Allow, select the Full control check box.
26. In the Permissions for CorpData dialog box, click OK.
27. In the CorpData Properties dialog box, click Close.

Task 2: Configure the client-side offline settings using Group Policy


1. Click Start, point to Administrative Tools, and then click Group Policy Management.
2. Right-click Default Domain Policy, and then click Edit.
3. In the Group Policy Management Editor, ensure that the option Computer Configuration is expanded, expand Policies, expand Administrative Templates, expand Network, and then click Offline Files.
4. In the results pane, double-click Administratively assigned offline files.
5. In the Administratively assigned offline files dialog box, click Enabled, and then click Show.
6. In the Show Contents box, in Value name field type CorpData, and in Value field type \\NYC-DC1\CorpData, and then click OK.
7. In the Administratively assigned offline files dialog box, click OK.
8. In the results pane, double-click Synchronize all offline files when logging on.
9. In the Synchronize all offline files when logging on dialog box, click Enabled, and then click OK.
10. Close the Group Policy Management Editor.
11. Close Group Policy Management.


Task 3: Refresh Group Policy on the client workstations


1. Switch to the NYC-CL1 virtual machine.
2. Log on to the NYC-CL1 virtual machine as Contoso\administrator using the password Pa$$w0rd.
3. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
4. At the command prompt, type gpupdate /force, and then press ENTER.
5. Read the message at the command prompt, type Y, and then press ENTER.
6. Switch to the NYC-CL2 virtual machine.
7. Log on to the NYC-CL2 virtual machine as Contoso\administrator using the password Pa$$w0rd.
8. Click Start, point to All Programs, click Accessories, and then click Command Prompt.
9. At the command prompt, type gpupdate /force, and then press ENTER.
10. Read the message at the command prompt, type Y, and then press ENTER.

Task 4: Create a text document and make it available offline


1. Switch to the NYC-CL1 virtual machine.
2. Log on to the NYC-CL1 virtual machine as Contoso\Don using the password Pa$$w0rd.
3. Click Start, right-click Computer, and then click Map network drive.
4. In the Map Network Drive dialog box, in the Folder box, type \\NYC-DC1\CorpData, and then click Finish.
5. In CorpData (\\NYC-DC1) (Z:), click New folder.
6. Type Don, and then press ENTER.
7. Double-click Don, and then right-click some free space in the folder.
8. Click New, and then click Rich Text Document.
9. Type Dons Document, and then press ENTER.
10. Double-click Dons Document.


11. Type Saved by Don, and then click the Office button.
12. Click Save, and then close WordPad.
13. Right-click Dons Document, and then click Always Available Offline. Close all open windows.

Task 5: Simulate a network problem and try to access offline file


1. Switch to the NYC-DC1 virtual machine.
2. Click Start, right-click Network, and then click Properties.
3. In Network and Sharing Center, in the Tasks list, click Change adapter settings.
4. In Network Connections, right-click Local Area Connection 2, and then click Disable.
5. Switch to NYC-CL1, click Start, click Computer and then double-click the CorpData (\\NYC-DC1) (Z:) drive.
6. Verify that you can access the Dons Document file even when NYC-DC1 is not available.

To prepare for the next lab


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machines used in this lab, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.


Module 12: Configuring Virtual Desktop Infrastructure

Lab: Configuring Virtual Desktop Infrastructure


Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must perform the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Ensure that the 10324A-NYC-DC1 virtual machine is running.
3. If required, connect to the virtual machine. Log on to 10324A-NYC-DC1 as Contoso\Administrator using the password Pa$$w0rd.
4. On the physical host machine, open Network and Sharing Center and click Change adapter settings.
5. Open the Properties for the network connection that is labeled Internal Network.
6. Ensure that the IPv4 settings are configured as follows:
   IP address: 192.168.10.100/24
   DNS server: 192.168.10.1
7. On the physical host computer, click Start, right-click Computer, and then click Properties.
8. Under Computer name, domain, and workgroup settings, click Change settings.
9. On the System Properties box, on the Computer Name tab, click Change.
10. Under Computer name, change the name to Hostx (where x is a number that your instructor provides).
11. Under Member of, click the Domain option, and then type Contoso.com. Click OK.
12. In the Windows Security box, provide Contoso\Administrator and Pa$$w0rd for the credentials, and then click OK.

13. In the Computer Name/Domain Changes box, click OK. At the second prompt, click OK again.
14. In the System Properties box, click Close.
15. At the restart prompt, click Restart Later. You will shut down NYC-DC1 before restarting the host computer.
16. On NYC-DC1, click Start, and then next to Log off, point to the arrow, and click Shut down. Type shut down in the comment field, and then click OK.
17. After NYC-DC1 shuts down, restart the physical host computer.
18. After the host computer restarts, log on as the local administrator.
19. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
20. Ensure that the 10324A-NYC-DC1, 10324A-NYC-SVR1, 10324A-NYC-CL1, 10324A-NYC-CL2, and 10324A-NYC-CL3 virtual machines are running. If you are prompted for user credentials, log on as the local administrator.
21. If required, connect to the virtual machines. Log on to all virtual machines except 10324A-NYC-CL1 as Contoso\Administrator using the password Pa$$w0rd. Do not log on to 10324A-NYC-CL1 until instructed to do so.
22. In Hyper-V Manager, rename the 10324A-NYC-CL2 display name to NYC-CL2.contoso.com.
23. In Hyper-V Manager, rename the 10324A-NYC-CL3 display name to NYC-CL3.contoso.com.

Exercise 1: Configuring RDS Infrastructure for VDI


Task 1: Add the RDS role to the NYC-SVR1 server
1. On the Start menu of the NYC-SVR1 server, point to Administrative Tools, and then click Server Manager. The Server Manager window opens.
2. In Server Manager, right-click Roles, and then click Add Roles.
3. On the Before You Begin page, click Next.
4. On the Select Server Roles page, select Remote Desktop Services, and then click Next twice.
5. On the Select Role Services page, select Remote Desktop Session Host, Remote Desktop Connection Broker, and Remote Desktop Web Access. In the Add Roles Wizard dialog box, click Add Required Role Services, and then click Next twice.
6. On the Specify Authentication Method for Remote Desktop Session Host page, click Require Network Level Authentication, and then click Next.
7. Accept the default values on the following pages by clicking Next five more times, and then click Install.
8. Wait until installation finishes. On the Installation Results page, click Close.
9. In the Add Roles Wizard dialog box, click Yes to restart the computer.
10. Wait until the server restarts. Log on to the NYC-SVR1 server as Contoso\Administrator, with Pa$$w0rd as password.
11. After you log on to NYC-SVR1, Server Manager opens. Wait until the Resume Configuration Wizard finishes. On the Installation Results page, click Close, and then minimize Server Manager.

Task 2: Configure the RD Virtualization Host Server


1. On the physical host computer, on the Start menu, point to Administrative Tools, and then click Server Manager.
2. Under the Roles Summary heading, click Add Roles.
3. On the Before You Begin page, click Next.
4. On the Select Server Roles page, select the Remote Desktop Services check box, and then click Next.

5. On the Remote Desktop Services page, click Next.
6. On the Select Role Services page, select the Remote Desktop Virtualization Host check box, and then click Next.
7. On the Confirm Installation Selections page, click Install.
8. After the installation is complete, click Close, and then close Server Manager on the physical host server.

Task 3: Configure RD Web Access to use RD Connection Broker


1. On the Start menu of the NYC-SVR1 server, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Web Access Configuration. The Microsoft Internet Explorer window opens.
2. Click Continue to this website (not recommended). This error occurs because the shortcut points to localhost and not to NYC-SVR1.contoso.com, as it is defined in the digital certificate that the Web site uses.
3. Enter Contoso\administrator as Domain\username, Pa$$w0rd as Password, and then click Sign in.
4. Select An RD Connection Broker server, enter NYC-SVR1.contoso.com in Source name, and then click OK. The Enterprise Remote Access Web page is displayed, but it is empty, as there are no published RemoteApp programs or virtual desktops available yet.
5. On NYC-SVR1, close Internet Explorer.

Exercise 2: Configuring a Virtual Machine for VDI


Task 1: Configure Windows 7 virtual machines for VDI
1. On NYC-CL2, click Start, right-click Computer, click Properties, and then click Remote settings.
2. Under Remote Desktop, click Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure), click OK, and then close the System window.
3. On NYC-CL2, click Start, right-click Computer, and then click Manage. When Computer Management opens, expand Local Users and Groups, click Groups, and add Contoso\RD Users to local group Remote Desktop Users. Close Computer Management.
4. Click Start, in the Search field, type regedit, and then press ENTER.
5. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server, double-click the AllowRemoteRPC registry entry, and in the Value data box type 1, click OK, and then close Registry Editor.
6. On the Start menu, in the Search field, type firewall, and from the results list, click Allow a program through Windows Firewall.
7. Select the Remote Service Management check box, and then click OK.
8. Finally, you must grant the RD Virtualization Host computer account (physical host computer) permissions to the RDP protocol on NYC-CL2 and then restart the Remote Desktop Services service. A script for this has been provided in \\NYC-DC1\E$\Labfiles\Mod12\RDSConfig\. Edit RDS-pool.bat to replace <physical host> with the name of your physical host server, and then save the modified file.
9. Run RDS-pool.bat. When prompted, type Y and press ENTER to continue the operation. Log off NYC-CL2.
10. Repeat steps 1 to 9 on NYC-CL3.
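
Because the same settings are entered by hand on two guests, it is useful to read them back before the machines are snapshotted. The following PowerShell is an added example, not part of the course lab files; it checks the Network Level Authentication setting, the AllowRemoteRPC value and the Remote Desktop Users membership from this task (not the firewall rule or the RDS-pool.bat permissions), and its function names are illustrative.

```powershell
# Added example: read back the Remote Desktop settings this task configures.
# Run in an elevated PowerShell prompt on the guest (NYC-CL2 or NYC-CL3).
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Yields nothing (null) when the key or value is absent, instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

function Get-LocalGroupMemberPath {
    param([string]$GroupName)
    # ADSI WinNT provider, available on Windows 7 without extra modules.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Emits paths such as WinNT://CONTOSO/RD Users
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

function Test-VdiGuestConfig {
    param([string]$ExpectedMember = 'CONTOSO/RD Users')  # domain/group used in the lab

    # Description, registry key, value name, value the lab steps should leave behind.
    $expected = @(
        @('Remote Desktop connections allowed',    $tsKey,  'fDenyTSConnections', 0),
        @('Network Level Authentication required', $rdpKey, 'UserAuthentication', 1),
        @('AllowRemoteRPC',                        $tsKey,  'AllowRemoteRPC',     1)
    )
    foreach ($e in $expected) {
        $actual = Get-RegValue -Path $e[1] -Name $e[2]
        New-Object PSObject -Property @{
            Check = $e[0]; Expected = $e[3]; Actual = $actual
            Pass  = ($null -ne $actual -and $actual -eq $e[3])
        } | Select-Object Check, Expected, Actual, Pass
    }

    # The domain group must be a member of the local Remote Desktop Users group.
    $members = @(Get-LocalGroupMemberPath -GroupName 'Remote Desktop Users')
    $found   = @($members | Where-Object { $_ -like "*/$ExpectedMember" }).Count -gt 0
    New-Object PSObject -Property @{
        Check = "Remote Desktop Users contains $ExpectedMember"
        Expected = $true; Actual = $found; Pass = $found
    } | Select-Object Check, Expected, Actual, Pass
}

Test-VdiGuestConfig | Format-Table -AutoSize
```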

Task 2: Create a snapshot to enable the virtual machines to roll back


1. In the NYC-CL2 window, on the Action menu, click Snapshot.
2. In the Snapshot Name window, enter RDV_Rollback as the snapshot name, and then click Yes.
3. On NYC-CL2, on the Action menu, click Save.
4. In the NYC-CL3 window, on the Action menu, click Snapshot.
5. In the Snapshot Name window, enter RDV_Rollback as the snapshot name, and then click Yes.
6. On NYC-CL3, on the Action menu, click Save.

Exercise 3: Configuring and Testing the Personal Virtual Desktop


Task 1: Configure the Personal Virtual Desktop
1. On the Start menu of the NYC-SVR1 server, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Connection Manager.
2. In the Actions pane of Remote Desktop Connection Manager, click Configure Virtual Desktops.
3. On the Before You Begin page, click Next.
4. On the Specify an RD Virtualization Host Server page, in the Server name box, type the name of your physical host server, click Add, and then click Next.
5. On the Configure Redirection Settings page, in the Server name box, type NYC-SVR1.contoso.com, and then click Next.
6. On the Specify an RD Web Access Server page, in the Server name box, type NYC-SVR1.contoso.com, and then click Next.
7. On the Confirm Changes page, click Apply.
8. On the Summary Information page, verify that the Assign personal virtual desktop check box is selected, and then click Finish.
9. On the Assign Personal Virtual Desktop page, click Select User.
10. In the Enter the object name to select box, type Contoso\ruser, and then click OK.
11. In the Virtual machine box, select NYC-CL2.contoso.com, and then click Next.
12. Confirm that the User name and Virtual machine boxes are correct, and then click Assign.
13. Clear the Assign another virtual machine to another user check box, and then click Finish. You can verify which virtual machine is assigned to the user in Active Directory Users and Computers, on the Personal Virtual Desktop tab of ruser properties.

Task 2: Configure digital signing of .rdp files, single sign-on, and trusted .rdp publisher
When you want to connect to a virtual desktop, by default, you get a security prompt because the .rdp file is not digitally signed. You then must provide user credentials for logging on to the virtual desktop. You can avoid those prompts by configuring digital signing of .rdp files, adding a trusted .rdp publisher, and configuring single sign-on. For this lab, we will use local Group Policy to configure those settings, but in real life you would configure them by using domain Group Policy.
1. On NYC-SVR1, in Remote Desktop Connection Manager, click RD Virtualization Host Servers, right-click RD Virtualization Host Servers, and then click Properties.
2. In Virtual Desktops Properties, select the Digital Signature tab, and then select the check box next to Sign with a digital certificate.
3. Click Select, select NYC-SVR1.contoso.com, and then click OK.
4. In Virtual Desktops Properties, click OK, and minimize Remote Desktop Connection Manager.
5. From the Hyper-V Manager console, connect to NYC-CL1, and log on as Contoso\ruser with the password Pa$$w0rd.
6. On NYC-CL1, on the Start menu, in the Search field, enter gpedit.msc. In the Programs list, right-click gpedit.msc, and then click Run as administrator. In the User Account Control prompt, enter contoso\administrator as the user name, Pa$$w0rd as the password, and then click Yes. The Local Group Policy Editor opens.
7. In the Local Group Policy Editor, expand Computer Configuration, expand Administrative Templates, expand System, and then click Credentials Delegation.
8. In the details pane, double-click Allow Delegating Default Credentials, select Enabled, click Show, and enter TERMSRV/* as the Value. By doing that, you will allow credentials delegation to any RD Session Host server. Click OK twice, and then minimize the Local Group Policy Editor window.

9. On NYC-CL1, open Internet Explorer, and navigate to the https://NYC-SVR1.contoso.com/RDWeb page.


10. Right-click on the information bar, and then select Run Add-on to allow the Microsoft Remote Desktop Service Web Access add-on to run on the computer. Click Run in the Internet Explorer - Security Warning dialog box.

11. Enter contoso\ruser as Domain\username, Pa$$w0rd as Password, select This is a private computer, and then click Sign in.
12. Verify that there is a My Desktop icon on the Enterprise Remote Access Web page. Click the My Desktop icon.
13. In the Remote Desktop Connection dialog box, click NYC-SVR1.contoso.com Publisher name.
14. In the Certificate window, click the Details tab, scroll down, and then select Thumbprint. Select the thumbprint numbers in the details box, copy them by pressing CTRL+C, click OK in the Certificate window, and then click Cancel in the Remote Desktop Connection dialog.

Important: Do not select the leading space at the front of the thumbprint.

15. On NYC-CL1, switch to Local Group Policy Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, expand Remote Desktop Services, and then click Remote Desktop Connection Client.
16. In the details pane, double-click Specify SHA1 thumbprints of certificates representing trusted .rdp publishers, and then select Enabled.
17. Right-click in the Comma-separated list of SHA1 trusted certificate thumbprint entry box, and then select Paste. Click OK, and then close Local Group Policy Editor.
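
The two client-side policies set in this task (Allow Delegating Default Credentials and the trusted .rdp publisher thumbprints) can be read back from the registry to confirm what was actually stored, including a thumbprint pasted with stray characters. This PowerShell is an added example, not part of the course files; the registry locations are the ones these two policies write to, while the function names and the sample thumbprint are constructed for illustration.

```powershell
# Added example: read back the two client-side policies configured in this task.
# Run on the client (NYC-CL1 in the lab). Function names are illustrative.

function ConvertTo-CleanThumbprint {
    param([string]$Raw)
    # Text copied from the Certificate dialog has spaces between the hex pairs
    # and can start with the leading space the lab warns about.
    # Keep hex digits only, then insist on the 40 digits of a SHA1 hash.
    $hex = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 40) {
        throw "Not a SHA1 thumbprint: $($hex.Length) hex digits after cleanup."
    }
    $hex
}

function Get-TrustedRdpPublisher {
    param([string]$PublisherThumbprint)   # signing certificate thumbprint, any formatting
    $want = ConvertTo-CleanThumbprint $PublisherThumbprint
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $raw  = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).TrustedCertThumbprints
    if (-not $raw) { return }             # policy not configured
    foreach ($entry in ($raw -split ',')) {
        $clean = ($entry -replace '[^0-9A-Fa-f]', '').ToUpper()
        New-Object PSObject -Property @{
            Stored           = "[$entry]"                    # brackets expose stray spaces
            StoredAsPlainHex = ($entry -match '^[0-9A-Fa-f]{40}$')
            MatchesPublisher = ($clean -eq $want)
        } | Select-Object Stored, StoredAsPlainHex, MatchesPublisher
    }
}

function Get-DefaultCredentialTarget {
    # The policy stores each allowed server name as one value under this key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials'
    if (-not (Test-Path $key)) { return }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $spn = [string]$regKey.GetValue($name)
        New-Object PSObject -Property @{
            Target      = $spn
            HasWildcard = $spn.Contains('*')   # TERMSRV/* covers every RD Session Host
        } | Select-Object Target, HasWildcard
    }
}

# Constructed sample: a thumbprint as pasted from the dialog, with a leading space.
# Replace it with the value copied from the publisher certificate.
$pasted = ' 01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67'

Get-TrustedRdpPublisher -PublisherThumbprint $pasted | Format-Table -AutoSize
Get-DefaultCredentialTarget | Format-Table -AutoSize
```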

Task 3: Test the Personal Virtual Desktop


1. On NYC-CL1, switch to Internet Explorer, and on the Enterprise Remote Access Web page, click the My Desktop icon.
2. View the Remote Desktop Connection dialog box. After a few seconds, it will display that it is waking the virtual machine. You can follow in Hyper-V Manager on the physical host server that the NYC-CL2.contoso.com virtual machine is starting.
3. When you log on to NYC-CL2, right-click on the desktop, point to New, and then click Folder. Name the folder as you like (you can give it your name, such as Joe).
4. On the Start menu, select Log off, and then log off from the virtual computer.

5. In Internet Explorer, on the Enterprise Remote Access Web page, click the My Desktop icon again.
6. When you log on to NYC-CL2, verify that the folder with your name is still on the desktop. This is because when you are using a personal virtual desktop, the RDV_Rollback snapshot is not applied, and the local user profile is preserved on the virtual computer.
7. On the Start menu, select Log off, and log off from the virtual computer.
8. On NYC-CL1, minimize Internet Explorer.
9. On the physical host server, in Hyper-V Manager, select NYC-CL2.contoso.com, and in the Actions pane, click Revert. In the Revert Virtual Machine dialog, click Revert.

Task 4: Remove the assignment of a personal virtual desktop from a user


1. On NYC-DC1, switch to Server Manager, expand Roles, expand Active Directory Domain Services, expand Active Directory Users and Computers, and expand Contoso.com, and then click the RDS Users organizational unit.
2. Right-click ruser, select Properties, and then click the Personal Virtual Desktop tab.
3. Remove the check mark from Assign a personal virtual desktop to this user, and then click OK.
4. Minimize Server Manager on NYC-DC1.

Exercise 4: Configuring and Testing User State Virtualization and the Virtual Desktop Pool
Task 1: Configure a roaming profile and folder redirection
1. On NYC-DC1, switch to Server Manager, expand Roles, expand Active Directory Domain Services, expand Active Directory Users and Computers, and expand Contoso.com, and then click the RDS Users organizational unit.
2. Right-click the VDI user, select Properties, and then click the Profile tab. Enter \\NYC-DC1.contoso.com\Profiles\%username% as the Profile path, and then click OK.
3. In Server Manager, expand Features, expand Group Policy Management, expand Forest:contoso.com, expand Domains, expand contoso.com, and then click RDS Users. Right-click the RDS Users organizational unit, and then select Create a GPO in this domain, and Link it here.
4. In the New GPO window, enter Folder Redirection as Name, and then click OK.
5. In the Server Manager, expand RDS Users organizational unit, right-click on Folder Redirection, and then select Edit. The Group Policy Management Editor opens.
6. In the Group Policy Management Editor, expand User Configuration, expand Policies, expand Windows Settings, and then expand Folder Redirection. Right-click the Desktop node, and then select Properties.
7. In the Desktop Properties window, select Basic - Redirect everyone's folder to the same location setting, enter \\NYC-SVR1.contoso.com\desktops as the Root Path, and then click OK. In the Warning window, click Yes, because there are no Windows XP or older computers in the environment.
8. Close Group Policy Management Editor, and then minimize Server Manager.

Task 2: Configure the Virtual Desktop Pool


Because you already specified your physical server as the RD Virtualization Host in Exercise 3, Task 1, you can start configuring your virtual desktop pool. If the RD Virtualization Host had not been specified yet, you would need to run the Configure Virtual Desktops Wizard first.
1. On the NYC-SVR1 server, maximize Remote Desktop Connection Manager.
2. In the Remote Desktop Connection Manager, in the navigation pane, click Remote Desktop Connection Manager: NYC-SVR1, and in the Actions pane, click Create Virtual Desktop Pool.
3. On the Welcome to the Create Virtual Desktop Pool Wizard page, click Next.
4. On the Select Virtual Machines page, select NYC-CL2.contoso.com and NYC-CL3.contoso.com virtual machines, and then click Next.
5. On the Set Pool Properties page, in the Display Name box, type Contoso Virtual Desktop Pool. In the Pool ID box, type CONTOSO_VDP, and then click Next.
6. On the Results page, click Finish.
7. Minimize Remote Desktop Connection Manager on NYC-SVR1.

Task 3: Verify the Virtual Desktop Pool functionality


1. On NYC-CL1, in Internet Explorer, press F5 to refresh the page.
2. Verify that there is a Contoso Virtual Desktop Pool icon on the Enterprise Remote Access Web page, and then click the Contoso Virtual Desktop Pool icon.
3. Verify that a remote desktop connection is established to NYC-CL2. When you log on, right-click on the desktop, select New, Folder, and then name the folder Pooled VDI.
4. On the Start menu, select Log off, and then log off the virtual computer.
5. Now you will establish a connection to the virtual desktop on the NYC-CL2 computer as a different user, so that Remote User (ruser) will next time connect to the second virtual computer in the pool. On the NYC-DC1 server, start Internet Explorer, and then enter http://NYC-SVR1.contoso.com/RDWeb in the address bar.

6. Right-click on the information bar, and then select Run Add-on to allow the Microsoft Remote Desktop Service Web Access add-on on the computer. Click Run in the Internet Explorer Security Warning dialog box.
7. On NYC-DC1, in Internet Explorer, on the Enterprise Remote Access Web page, enter contoso\vdi as Domain\username and Pa$$w0rd as Password, select This is a private computer, and then click Sign in.
8. In Internet Explorer on the Enterprise Remote Access Web page, click the Contoso Virtual Desktop Pool icon.
9. Because the trusted .rdp publisher and credentials delegation were configured in Local Group Policy only on NYC-CL1, you are presented here with prompts that do not occur on NYC-CL1. In the Remote Desktop Connection dialog, click Connect, and in Windows Security, click Use another account, and then provide Contoso\vdi as the user name and Pa$$w0rd as the password. Click OK.

10. Verify that you are connected to the NYC-CL2 virtual computer. Open Windows Explorer, and verify that inside the C:\Users folder there is no ruser subfolder because it was discarded after that user logged off, when the RDV_Rollback snapshot was applied. Minimize the remote desktop session.
11. On NYC-CL1, in Internet Explorer, on the Enterprise Remote Access Web page, click the Contoso Virtual Desktop Pool icon. Because you configured trusted .rdp publisher and credentials delegation, no additional prompts are shown.
12. Verify that you are connected to the NYC-CL3 virtual computer, and that the Pooled VDI folder is on the desktop. Because you configured user state virtualization, the state of the user is available on any computer in the virtual desktop pool.
13. On the Start menu, select Log off, and then log off the virtual computer. On the physical server host, in Hyper-V Manager, follow the status of the NYC-CL3.contoso.com virtual computer. Its status will change from Saving to Saved, then to Starting, and finally to Running, as the RDV_Rollback snapshot is taking effect, and all changes in the NYC-CL3.contoso.com virtual machine are discarded.

To complete the lab


When you finish the lab, revert the virtual machines to their initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machines used in this lab, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. For the NYC-CL2 and NYC-CL3 virtual machines, you will need to delete the RDV_Rollback snapshots first, and then revert to the first snapshot.
