
New Horizons of Austin

Module 0: Introduction

Contents
Introduction
Facilities
Prerequisites
Course Outline (Modules 1-9)
Course Outline (Modules 10-17)
Host and Virtual Machine Information
Microsoft Exam Preparation
Course Objectives

1/9/2012 6:25:39 AM 34c4206d-2a9e-4cef-9011-5d0719f2cbbd Edgar Guzman Warning: This is melog69@hotmail.com's unique copy. It is illegal to reprint, redistribute or resell this content. The Licensed Content is licensed "as-is." Microsoft does not support this Licensed Content in any way and Microsoft gives no express warranties, guarantees or conditions.Please report any unauthorized use to mscwinfo@microsoft.com.


Introduction

Name
Company affiliation
Title/function
Job responsibility
Microsoft Certifications
Windows Desktop Operating System Experience
Expectations for the course


Facilities


Prerequisites

Candidates for this course must have the following skills and experience:

TCP/IP troubleshooting skills
Experience working in a domain environment
Experience using desktop & command-line troubleshooting tools
Experience installing & troubleshooting desktop application problems
Experience configuring registry and group policy settings


Course Outline (Modules 1-9)

Module 1: Identify & Resolve New Software Installation Issues - Learn how to solve problems that occur during the installation of Windows 7 and new applications.

Module 2: Resolve Software Configuration Issues - Diagnose and solve problems caused by running applications written for older versions of Windows.

Module 3: Resolve Software Failure - Fix problems with applications that will not execute properly or that cause other problems on the computer.

Module 4: Identify and Resolve Logon Issues - Diagnose and fix problems that prevent user authentication on a system.

Module 5: Identify and Resolve Network Connectivity Issues - Identify and fix problems caused by improper configuration or unavailable network services.

Module 6: Identify and Resolve Name Resolution Issues - Identify the different methods of resolving computer names and use this information to fix network communication problems.

Module 7: Identify and Resolve Network Printer Issues - Install and configure local and network printers to meet different user needs.

Module 8: Identify and Resolve Performance Issues - Identify and fix problems that adversely affect the performance of a system.

Module 9: Identify and Resolve Hardware Failure Issues - Learn how to resolve problems caused by the failure of computer components.


Course Outline (Modules 10-17)

Module 10: Identify and Resolve Wireless Connectivity Issues - Diagnose and fix problems with a corporate wireless network.

Module 11: Identify and Resolve Remote Access Issues - Configure VPN and Dial-Up connections and fix connectivity problems.

Module 12: Manage File Synchronization - Synchronize network files for users who work with them offline.

Module 13: Identify & Resolve Internet Explorer Security Issues - Configure Add-ons in Internet Explorer and use its features to secure the browsing experience.

Module 14: Identify & Resolve Firewall Issues - Identify the different options available when configuring Windows Firewall and fix application connectivity problems caused by a bad configuration.

Module 15: Identify & Resolve Issues Due To Malicious Software - Use anti-virus and anti-spyware products to prevent malicious attacks on a desktop computer.

Module 16: Identify & Resolve Encryption Issues - Use EFS and other encryption features to protect important information on the desktop and network.

Module 17: Identify & Resolve Software Update Issues - Configure WSUS and Automatic Update settings.


Host and Virtual Machine Information

Host Machine and ISO information
Hyper-V Demonstration
NYC-DC1
Student1 / Computer1 / Virtual1

Your instructor will provide you with the following information before starting your labs:

Host Machine (name of the computer on which Hyper-V is running): ______________________________

The following files are in the C:\Labfiles folder of the host machine:

Windows 7 Operating System ISO: _____________________________________________________
Windows Automated Installation Kit: _____________________________________________________
Windows 7 Software Development Kit: _____________________________________________________

If you are unsure about how to mount an ISO using the Hyper-V image, check with your instructor before beginning your exercises.

Two Hyper-V images are used to complete the lab exercises in this course: 50331A-GEN-SRV and 50331A-GEN-CLI. 50331A-GEN-SRV will be used to run the domain controller NYC-DC1. 50331A-GEN-CLI is a blank image on which the students will install and configure three client computers named Student1, Computer1 and Virtual1.

NYC-DC1: This computer is the domain controller for the Contoso.com domain. Although most of the exercises are performed on the Windows 7 clients, this DC is still needed for most of the domain and network related exercises. It runs Windows Server 2008 R2.

Student1 / Computer1 / Virtual1: All of these systems will be installed and configured with Windows 7 by the students. Only two Windows 7 installations will be done, for the Student1 and Virtual1 computers. Student1 is later renamed to Computer1 when it is joined to the Contoso.com domain running on NYC-DC1.


Microsoft Exam Preparation

Exam: 70-685 MCITP: EDST 7

Exam: 70-682 Windows XP/Vista Upgrade to MCITP


http://www.microsoft.com/learning

This course covers the objectives for the 70-685 (Pro: Windows 7, Enterprise Desktop Support Technician) certification exam. Passing this test will certify the candidate as an MCITP: Enterprise Desktop Support Technician 7 (other prerequisites, such as passing the 70-680 test, must also be met). For those upgrading from Windows XP or Vista MCDST certification, the materials in this course can be used to prepare for the 70-682 exam requirements (Pro: Upgrading to Windows 7 MCITP Enterprise Desktop Support Technician). More information about the certification tracks for Windows 7 and the prerequisites can be reviewed at http://www.microsoft.com/learning.


Course Objectives

This course is intended for IT technicians who will be installing and supporting Windows 7 in a corporate environment. The material can also be used to help candidates prepare for the Microsoft certification exams 70-682 or 70-685. The specific objectives of this course are to teach IT support technicians how to:

Identify and resolve desktop application issues
Identify the cause of and resolve networking issues
Manage and maintain systems that run Windows 7
Support mobile users
Identify the cause of and resolve computer security issues


Module 1: Identify and Resolve New Software Installation Issues

Table of Contents
Overview
Lesson 1: Planning New Software Deployment
Lesson 2: Multilingual Deployment
Lesson 3: Using Group Policy to Install Software
Lesson 4: Using Software Restriction Policies
Lesson 5: Digitally Signing Software
Lesson 6: Using WMI
Lesson 7: Using AppLocker
Lesson 8: Using Virtualization for Testing
Resolve Software Installation Issues
Review Module 1: Identify and Resolve New Software Installation Issues
Labs - Module 1: Identify and Resolve New Software Installation Issues


Overview

Planning New Software Deployment
Multilingual Deployment
Using Group Policy to Install Software
Using Software Restriction Policies
Digitally Signing Software
Using WMI
Using AppLocker
Using Virtualization for Testing
Resolve Software Installation Issues

A new deployment of operating systems and applications in a network is a very important task that affects the productivity of everyone in an organization. Proper planning can prevent unnecessary problems from coming up when configuring the new systems. In many cases, being proactive and aware of the issues that will come up can save a lot of time. Testing the deployment and having a test group work with the new applications beforehand can help in this. Planning for the worst and having a good rollback strategy with good backups to match can also lower the likelihood of problems becoming catastrophic.

Some of the more important components that will affect deployment are computer hardware, network services, Active Directory implementation, computer security settings and software installation methods. New features in Windows 7 like AppLocker and enhancements to older features like UAC and virtualization can be used to better secure the desktop. Taking advantage of Group Policy security and configuration options will provide better control of the applications and drivers that are approved for the desktop environment. Scripting and other tools can also be used to standardize the management and deployment of upgrades or new software. Multilanguage environments present unique challenges, but these can be easily handled by using the right deployment tools.


Lesson 1: Planning New Software Deployment

Application Compatibility
User Account Control
Application Compatibility Toolkit

Running existing applications and software on a new operating system can present some problems. Getting a complete inventory of all approved applications can be challenging in some environments. Application compatibility with the new operating system must be carefully tested in the user environment. The use of User Account Control (UAC) must also be evaluated. Using tools like the Application Compatibility Toolkit (ACT) and features like Group Policy filtering can simplify this process. The ACT allows compatibility issues to be worked out before installation and Group Policy filtering allows for selective deployment of new applications to test groups of users. The User State Migration Tool (USMT) can be used to copy profiles with specialized settings needed by some programs. When an application fails to work on Windows 7 systems regardless of configuration and compatibility changes, Windows XP Mode can be downloaded to create a virtual Windows XP environment for the program to use.


Application Compatibility

When an application must be supported on different operating system versions like Windows XP and Windows 7, compatibility problems will sometimes come up. When application testing reveals such problems, they can be mitigated in a number of ways:

Upgrading: A newer edition of the application, or one with a service pack upgrade, might have been written that is compatible with Windows 7. The software vendor should be consulted if there are concerns that an application will not work.

Decommissioning: In some cases the application might no longer be needed, or its functionality might be taken over by another application that is approved and compatible with the operating system.

Application Compatibility Mode: Applications that were written for Vista, XP or even older versions of Windows might be able to work if the compatibility mode of the program is changed. In addition to changing the settings to match an older operating system, other compatibility options like color settings, resolution and visual themes can be modified to meet the needs of that program.

Assigning Administrator Privileges: Some programs will not work properly unless the user executes them with administrative privileges. These privileges can be assigned at the application level so that the security of the computer system is not unnecessarily compromised.

Virtualization: Applications whose compatibility issues cannot be mitigated might have to be run in a virtual or terminal services environment. Virtualization allows an administrator to extend the life cycle of old applications as much as necessary without compromising present deployment plans for new operating system upgrades. Microsoft Application Virtualization (App-V) and Microsoft User State Virtualization (USV) can be used to provide a consistent experience for users when different operating systems must be supported for end users.


User Account Control

The UAC feature was first deployed with Windows Vista and it has been kept and enhanced in Windows 7. It allows an administrator to perform administrative and user functions with a single user account instead of using two of them. Enabling this feature makes the desktop more secure and reduces the likelihood of users installing applications unintentionally or otherwise. UAC now has configurable notification options which can be used to prevent unnecessary messages being presented to the end user. Optional messages include notifications of when changes are made to Windows settings or when software is being installed or updated on the system.
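A support technician can confirm which notification option a desktop is actually using by reading the UAC policy values from the registry. The following is an added example, not part of the courseware: the function names are hypothetical, the registry key and value names are the standard UAC policy values, and the slider-to-value mapping in the comments is an assumption to confirm on a reference machine.

```powershell
# Added example, not from the courseware: audit the UAC notification level.
# ConvertTo-UacLevel and Get-UacNotificationLevel are hypothetical names.
# Written for Windows PowerShell 2.0, the version that ships with Windows 7.

function ConvertTo-UacLevel {
    param($EnableLUA, $ConsentPromptBehaviorAdmin, $PromptOnSecureDesktop)

    # Missing values mean the key could not be read; do not guess a level.
    if ($null -eq $EnableLUA -or
        $null -eq $ConsentPromptBehaviorAdmin -or
        $null -eq $PromptOnSecureDesktop) {
        return 'Unknown: UAC policy values not found'
    }
    # EnableLUA = 0 turns UAC off entirely, whatever the other values say.
    if ($EnableLUA -eq 0) {
        return 'UAC is turned off (EnableLUA = 0)'
    }
    # 0 = administrators are elevated silently, so no notification is shown.
    if ($ConsentPromptBehaviorAdmin -eq 0) {
        return 'Administrators are elevated without any prompt'
    }
    # Assumed slider positions: 2/1 = top, 5/1 = default, 5/0 = no dimming.
    if ($ConsentPromptBehaviorAdmin -eq 2 -and $PromptOnSecureDesktop -eq 1) {
        return 'Always notify'
    }
    if ($ConsentPromptBehaviorAdmin -eq 5 -and $PromptOnSecureDesktop -eq 1) {
        return 'Default: notify only when programs try to make changes'
    }
    if ($ConsentPromptBehaviorAdmin -eq 5) {
        return 'Notify only when programs try to make changes (desktop not dimmed)'
    }
    # Any other combination was set through Group Policy, not the slider.
    return "Custom policy (ConsentPromptBehaviorAdmin=$ConsentPromptBehaviorAdmin, PromptOnSecureDesktop=$PromptOnSecureDesktop)"
}

function Get-UacNotificationLevel {
    param(
        [string]$Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $level = ConvertTo-UacLevel $p.EnableLUA $p.ConsentPromptBehaviorAdmin $p.PromptOnSecureDesktop

    # Anything weaker than the default (or unreadable) is flagged for review.
    $ok = ($level -like 'Always notify*') -or ($level -like 'Default:*')

    New-Object PSObject -Property @{
        ComputerName               = $env:COMPUTERNAME
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        Level                      = $level
        NeedsReview                = (-not $ok)
    }
}

# Constructed sample values (not read from a real machine) showing the mapping.
ConvertTo-UacLevel 1 5 1
ConvertTo-UacLevel 1 5 0
ConvertTo-UacLevel 0 0 0

# Report for the local machine.
Get-UacNotificationLevel | Format-List
```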


Application Compatibility Toolkit

The Application Compatibility Toolkit is a free download from the Microsoft web site that allows applications to be tested before a new deployment. It comes with a number of tools that can collect, analyze and test software so compatibility issues can be identified and mitigated. The ACT will work with Windows 7 and operating systems as old as Windows NT 4.0. The main tools in the toolkit are:

Application Compatibility Manager (ACM): This tool allows you to collect and analyze data about applications on a system before starting a new deployment. It can also be used to analyze a system before Service Pack or other upgrades.

Data Collection Package: This tool is created by the ACM and installed on client computers that need to be evaluated.

ACT Database: A SQL Server database that stores data collected by the ACM. Information in the database can be viewed through the reports accessed from the ACM.

ACT Log Processing Service: This service processes the log files uploaded from client computers and adds them to the ACT Database.


Lesson 2: Multilingual Deployment

Deployment Options

Deployment Features
Deployment Pack Types

Windows Setup can be used to add language packs to an image or to a specific computer using unattended answer files. The language pack must be added to the image before international settings are configured. The Windows PE configuration pass can be used to do both operations. After any changes to the language pack using Windows Setup, the Lang.ini file should be updated to make sure all the languages on the image are listed and to verify the language that will be displayed during setup.

Offline installation tools such as the Windows Automated Installation Kit (Windows AIK) and the OEM Pre-installation Kit (OPK) are very useful in automating new deployments of the Windows 7 operating system and other client applications. This is especially true when creating images that will be used by employees from different language groups. Some features of the operating system, such as the language-neutral binaries, make it easier to deploy multiple language packs. According to the licensing requirements, Windows 7 operating systems can use only a single language. The only exceptions are the Windows 7 Ultimate and Enterprise editions.


Deployment Options

Choose a single language
Choose multiple languages

When deploying an operating system with multiple languages, there are two options:

A single language is chosen: Many environments that use different languages might still deploy desktops where only a single language is required. When multiple language packs are installed on a system, the user will choose their default language when the computer is first configured. Single language editions of Windows 7 will automatically delete additional language packs.

Multiple languages are chosen: If the system is running Windows 7 Ultimate or Enterprise editions, the end users are allowed to switch between any language pack installed on the computer. Any language pack installed can be removed later except for the default one chosen during the initial setup.


Deployment Features

Reduced size of language packs
Deployment Image Servicing and Management
Logging

Some new features that simplify and improve the deployment process include:

Reduced size of language packs: Many language packs can now be deployed in the same image with less concern as to the amount of space needed for them.

Deployment Image Servicing and Management (DISM): Offline management of packages is easier with this new tool that replaces the Package Manager, the International Configuration Tool and PEimg from Windows Vista. Using this tool, language packs can be removed from images without booting them and without the need for answer files.

Logging: The logging options are improved with better and more precise messages. Log files are saved in the %WINDIR%\Logs folder and are archived after they reach a certain size.
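The offline servicing described in this lesson (removing a language pack with DISM without booting the image, then refreshing Lang.ini) can be scripted as follows. This is an added example, not part of the courseware: the function names, the paths and the de-DE language tag are placeholders, and it assumes English DISM output and that language pack package names contain "LanguagePack".

```powershell
# Added example, not from the courseware. Run from an elevated prompt on a
# technician computer that has DISM available (for example via the Windows AIK).
# Function names, paths and the language tag are placeholders.

# Pick language pack identities for one language out of /Get-Packages output.
# Identity format: Name~PublicKeyToken~Architecture~Language~Version
function Select-LanguagePackIdentity {
    param([string[]]$DismOutput, [string]$Language)
    foreach ($line in $DismOutput) {
        if ($line -match '^Package Identity\s*:\s*(\S+)\s*$') {
            $identity = $Matches[1]
            $fields = $identity.Split('~')
            if ($fields.Length -eq 5 -and
                $fields[0] -like '*LanguagePack*' -and
                $fields[3] -eq $Language) {
                $identity
            }
        }
    }
}

# Assumes $Language is not the default UI language of the image.
function Remove-OfflineLanguagePack {
    param(
        [string]$WimFile      = 'C:\Images\install.wim',  # placeholder path
        [int]$Index           = 1,
        [string]$MountDir     = 'C:\Mount',               # empty folder
        [string]$Distribution = 'C:\Win7Dist',            # copy of the setup media
        [string]$Language     = 'de-DE'
    )

    dism.exe /Mount-Wim "/WimFile:$WimFile" "/Index:$Index" "/MountDir:$MountDir"
    if ($LASTEXITCODE -ne 0) { throw "Mount-Wim failed with exit code $LASTEXITCODE" }

    $commit = $false
    try {
        # List the packages in the offline image and keep the matching packs.
        $listing = dism.exe "/Image:$MountDir" /Get-Packages
        $packs = @(Select-LanguagePackIdentity -DismOutput $listing -Language $Language)
        if ($packs.Length -eq 0) { throw "No $Language language pack found in the image" }

        foreach ($pack in $packs) {
            dism.exe "/Image:$MountDir" /Remove-Package "/PackageName:$pack"
            if ($LASTEXITCODE -ne 0) { throw "Remove-Package failed for $pack" }
        }

        # Rebuild Lang.ini so Setup lists only the languages still in the image.
        dism.exe "/Image:$MountDir" /Gen-LangINI "/Distribution:$Distribution"
        if ($LASTEXITCODE -ne 0) { throw "Gen-LangINI failed with exit code $LASTEXITCODE" }

        # Show the resulting international settings and Lang.ini contents.
        dism.exe "/Image:$MountDir" "/Distribution:$Distribution" /Get-Intl
        $commit = $true
    }
    finally {
        # Save the image only if every step succeeded; otherwise discard changes.
        if ($commit) { dism.exe /Unmount-Wim "/MountDir:$MountDir" /Commit }
        else         { dism.exe /Unmount-Wim "/MountDir:$MountDir" /Discard }
    }
}

# Constructed /Get-Packages lines (not from a real image) to show the filter.
$sample = @(
    'Package Identity : Microsoft-Windows-Client-LanguagePack-Package~31bf3856ad364e35~x86~de-DE~6.1.7600.16385',
    'Package Identity : Microsoft-Windows-Client-LanguagePack-Package~31bf3856ad364e35~x86~en-US~6.1.7600.16385',
    'Package Identity : Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7600.16385'
)
Select-LanguagePackIdentity -DismOutput $sample -Language 'de-DE'

# Servicing a real image (uncomment and adjust the placeholder paths):
# Remove-OfflineLanguagePack -WimFile 'C:\Images\install.wim' -Language 'de-DE'
```

DISM writes its own log to the %WINDIR%\Logs folder mentioned above, which is the first place to look when one of the steps returns a non-zero exit code.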


Deployment Pack Types

Full
LIP

Not all language packs have the same functionality and some can be much larger than others. The two main types of language packs are Full and LIP.

Full: These will always contain all the resources necessary to localize the user interface. The desktop must have the required licensing to use them. Some of the resources needed by the language pack might be localized in a different language.

LIP: These are partial language packs that do not contain all the resources needed to localize the user interface. All the necessary language resources will be localized in the LIP, however. They do not require licensing, and multiple language packs can be installed on any version of Windows 7. They are normally created for small language markets that do not already have a Full language pack available for them.


Lesson 3: Using Group Policy to Install Software

Assigning /Publishing Software

Distribution Points
Other Group Policy Settings

Configuring new software installs using Group Policy settings simplifies administration of application installs. The OU and domain structures can be used to control which programs are set up for specified groups of users or machines. The method of installation is also configurable and controls can be implemented to verify the configuration of the machine before starting a new setup. Group Policy software installations also support the maintenance and removal of these applications.

When applications must be customized for different groups of users, specially created MSI and MST files can be used to control what features and options are configured. For example, Office 2010 can be installed on some computers with PowerPoint and without it on others. The same can be done for different language versions of the same software.

Assigning / Publishing Software

Maintaining Applications

Assigning Software
Publishing Software

Licensing of applications should be carefully tracked when using this deployment method. By assigning group policy objects to OUs instead of domains and by using GPO filtering, you can restrict which computers and users will use the applications and so limit licensing requirements. Group Policies can also be used to remove unused software. Some older applications might not support this method of deployment. Windows Installer MSI files are the preferred installation method although other options are available.

There are two methods available for application installation using Group Policy settings:

- Assigning Software: Assigned applications can be deployed using the User or Computer settings in Group Policy. If deployed to Users, the program is set up during the next logon process. Computer deployments install the application during machine startup and the application will be available for any user working on the system. This method of deployment is often used for applications that are used by most users on a large portion of the client computers.
- Publishing Software: The option to publish a new application is only available on the User side in a Group Policy Object. The software is not installed during the logon process, but becomes available for install through the Add/Remove Programs window. This method of deployment is often used for applications that are not used regularly and on computers that have limited drive space.

Distribution Points

Using DFS

Permissions
Hiding Share Locations

When creating a distribution point for the software installation files, it should be easily accessible by the client computers. Creating multiple shares configured in a DFS tree is a recommended solution to ensure high availability of the install files. When packages are assigned or published to users, the software installation is done using the privileges of the system and not the user. However, the user accounts will require read permissions to the network share being used. In most cases, using hidden shares (adding a dollar sign to the end of the share name) is preferred to prevent end users from browsing for software distribution locations.

Other Group Policy Settings

WMI Filters
Security Filtering

Slow Link Detection


GPO Location

Other options are available through group policy to control the policy settings that apply to different computers and users. Some important ones to keep in mind are:

- WMI Filters: They verify hardware and software settings on a machine before applying new software (e.g. free space on the C: drive must be greater than 10 GB).
- Security Filtering: Prevent the installation of software based on group membership.
- Slow Link Detection: Software is not installed if the speed of the network connection is slower than a predefined limit. This option is often used to prevent installs over modem or VPN connections. 500 Kbps or less is the default setting if this option is enabled (Group Policy slow link detection in Computer Configuration > Administrative Templates > System > Group Policy).
- GPO Location: Whether a Group Policy Object (GPO) is created to install applications or for some other purpose, it can be located in different parts of the Active Directory hierarchy (Site, Domain or OU). Most policy settings can also be applied directly on the local machine. When there are conflicting settings in the different GPOs, the general rule is that the last policy to be applied wins. Since policy settings are applied in the order Local Machine > Site > Domain > OU, the policy settings in the lowest level OUs will normally prevail.

Lesson 4: Using Software Restriction Policies

How Software Restriction Policies are Applied

Rule Types
Enforcement Properties

Installing unsupported software on computers often creates problems on a desktop. This can cause compatibility issues with other approved software or make the operating system less stable or secure. Software Restriction Policies can be used in group policies to prevent the use of such applications and, to some extent, prevent them from being installed in the first place. Some specific areas where software policies can be used to protect and control the desktop are:

- The use of ActiveX Controls
- Running applications and scripts with digital signatures
- Prevent unapproved software from being installed
- Prevent viruses
- Blocking applications based on their path or hash settings

How Software Restriction Policies Are Applied

Active Directory Hierarchy

User and Computer Settings


White Listing vs. Black Listing

Group policy settings are used to assign restriction policies to computers. They can be applied at any level in the Active Directory hierarchy (site, domain or OU). After policy settings are assigned to a group policy and applied in Active Directory, affected machines and users will have these policy settings applied when the user logs in or after the machine starts up, depending on how the policy is applied. The policy settings are then enforced by the operating system.

There are two strategies for applying policy settings. A specific set of applications can be trusted for execution on the desktop to the exclusion of all others (white list) or all applications can be trusted for execution except for a specified list of denied programs (black list). Using a white list is the best option in terms of desktop security and control of the desktop, but can be difficult to implement when applications change or are upgraded regularly. The black list option allows greater freedom to the end user but is more difficult to control and protect from malicious software attacks.

Rule Types

Hash

Certificate
Path

Zone

Restrictions on software are implemented by creating rules that allow or prevent the use of a program. There are four different types of rules that can be used to identify and control software:

1. Hash: A cryptographic calculation of the file contents creates a unique ID for the executable file. This fingerprint is unique and does not change if the file is relocated or renamed, making it more difficult to circumvent these rules. If a file is digitally signed, the hash value of the signature is used for the calculation.
2. Certificate: The publisher certificate used to sign the file is used to identify it. The certificates can be self-generated or be issued from a Public or Private CA. Exceptions to certificate rules can be configured by using hash rules.
3. Path: A fully qualified path to a file or registry key can be used to create a path rule. UNC paths and folders can also be used. For greater flexibility, path rules allow the use of environment variables to point to files or folders. Extra care should be taken when using environment variables since they can be changed by users without administrative privileges. Wild card characters can also be used.
4. Zone: Internet Explorer uses five security zones that represent different parts of your network. Zone rules can be used to control what files can be downloaded in any of them. The five zones are:
   a. Internet
   b. Intranet
   c. Restricted Sites
   d. Trusted Sites
   e. My Computer

When multiple rules of the same type apply to an application, the most specific rule will be applied. So, if two path rules apply to an executed script but one only applies to the extension (*.vbs) and the other specifies the path and extension (c:\scripts\*.vbs), the more specific rule that uses a path and extension will be used.

When rules of different types apply to the same program, the order of precedence is as follows:

1. Hash Rule
2. Certificate Rule
3. Path Rule
4. Zone Rule
5. Default Rule
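The precedence order and the "most specific path rule wins" behaviour described above can be traced with a small model. This is an added example, not courseware or Windows code: `Resolve-SrpDecision`, the rule objects and every hash and publisher value are hypothetical, and path-rule specificity is approximated by pattern length.

```powershell
# Teaching model of SRP rule selection as the text describes it.
# It does not query or change any real policy; all inputs are constructed.
function Resolve-SrpDecision {
    param(
        [Parameter(Mandatory = $true)] $File,              # needs Path, Hash, Publisher, Zone
        [Parameter(Mandatory = $true)] [object[]] $Rules,  # each has Type, Pattern, Level
        [string] $DefaultLevel = 'Unrestricted'            # 'Disallowed' gives a white-list posture
    )
    # Precedence between rule types: lower number wins.
    $typeRank = @{ Hash = 1; Certificate = 2; Path = 3; Zone = 4 }

    # Collect every rule that applies to this file.
    $matching = @(foreach ($rule in $Rules) {
        $hit = switch ($rule.Type) {
            'Hash'        { $File.Hash      -eq   $rule.Pattern }
            'Certificate' { $File.Publisher -eq   $rule.Pattern }
            'Path'        { $File.Path      -like $rule.Pattern }
            'Zone'        { $File.Zone      -eq   $rule.Pattern }
        }
        if ($hit) { $rule }
    })

    if ($matching.Count -eq 0) {
        return [pscustomobject]@{ File = $File.Path; Level = $DefaultLevel; Because = 'Default rule' }
    }

    # First by rule type, then (assumption) the longest pattern as "most specific".
    $winner = $matching |
        Sort-Object @{ Expression = { $typeRank[$_.Type] } },
                    @{ Expression = { $_.Pattern.Length }; Descending = $true } |
        Select-Object -First 1

    [pscustomobject]@{
        File    = $File.Path
        Level   = $winner.Level
        Because = "$($winner.Type) rule '$($winner.Pattern)'"
    }
}

# Constructed rule set: the two path rules from the text plus one hash rule.
$rules = @(
    [pscustomobject]@{ Type = 'Path'; Pattern = '*.vbs';                    Level = 'Disallowed' }
    [pscustomobject]@{ Type = 'Path'; Pattern = 'C:\Scripts\*.vbs';         Level = 'Unrestricted' }
    [pscustomobject]@{ Type = 'Hash'; Pattern = 'CONSTRUCTED-HASH-BLOCKED'; Level = 'Disallowed' }
)

# Constructed files: an approved script, a downloaded script, a blocked script
# that was copied into the approved folder under a new name, and an ordinary EXE.
$samples = @(
    [pscustomobject]@{ Path = 'C:\Scripts\logon.vbs';       Hash = 'CONSTRUCTED-HASH-A';       Publisher = $null; Zone = 'My Computer' }
    [pscustomobject]@{ Path = 'C:\Users\Public\tool.vbs';   Hash = 'CONSTRUCTED-HASH-B';       Publisher = $null; Zone = 'Internet' }
    [pscustomobject]@{ Path = 'C:\Scripts\renamed.vbs';     Hash = 'CONSTRUCTED-HASH-BLOCKED'; Publisher = $null; Zone = 'My Computer' }
    [pscustomobject]@{ Path = 'C:\Windows\notepad.exe';     Hash = 'CONSTRUCTED-HASH-C';       Publisher = $null; Zone = 'My Computer' }
)

$samples | ForEach-Object { Resolve-SrpDecision -File $_ -Rules $rules } | Format-Table -AutoSize
```

The third sample shows why hash rules resist renaming and relocation: the file sits in a folder that a path rule allows, yet the hash rule still decides the outcome.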

Enforcement Properties

DLL Checking

Skip Administrators

Once policies are configured, there are two additional options that can be used to control how they are enforced. These options can also affect the performance of the system.

- DLL Checking: In addition to checking the executable files, the DLLs that they depend upon can also be verified with the restriction policies. This feature is normally turned off. Enabling it can seriously affect the performance of applications because of the additional processing load involved.
- Skip Administrators: If policy settings should be applied to all users, including administrator accounts, then this can be done. The option to exclude administrators might be necessary in environments where these accounts are used to install or configure applications that will not be controlled with policies.

Lesson 5: Digitally Signing Software

Driver Signing

Application Signing

Verifying the source of software and drivers is one important way to prevent problems on computers. Requiring the use of digital signatures will allow the legitimacy of the software publisher to be verified. This method can be used to prevent the execution of malicious software, the unauthorized installation of software or upgrading components prematurely. Digital signing can be configured locally on the computer or through Group Policy settings.

Driver Signing

Windows Hardware Quality Labs

Managing Unsigned Drivers


Disabling Driver Signing

The operating system can be configured to prevent the installation of drivers that are not digitally signed by their developers. Preference can also be given to drivers signed by Windows Hardware Quality Labs (WHQL). Unsigned drivers or drivers not signed by approved publishers can be prevented from being installed on the computer or the user can be prompted with this information and given the choice to continue with the setup. A policy where unapproved drivers are consistently rejected makes for a more stable environment. Before a driver signing policy is implemented, the effect on existing approved applications should be considered. The need for updates to those applications must also be taken into account. Some Windows systems might require driver signing with no GUI options to disable this feature. The 64-bit versions of Windows Vista & 7 fall into this category. If there is a need to disable driver signing on such systems, the bcdedit.exe command can be used to do this. The consequences of disabling this feature should be considered carefully before implementing it. In some cases, deciding to use an alternative application or an upgrade might be a better solution.

Application Signing

Trusted Entities

Testing Internal Applications


Self-Signing Applications

If an approved application is digitally signed, the CA of the developer might have to be configured as a trusted entity to allow the use of security settings like certificate rules in software restriction policies. Most application developers are willing to sign their software and have it tested for approval by Microsoft, which makes the desktop more stable.

If some applications are developed internally by a company, however, a specific policy might need to be developed to ensure that the desktop continues to remain safe. Creating rules as to the level of testing necessary before approval, signing and deployment of these applications will prove helpful.

While self-signing applications is one available option, using an Enterprise CA in the domain has distinct advantages. Being able to centrally approve and deploy certificates will simplify the process and make it easier to configure desktops with trusted certificate publishers. A Stand-Alone CA that is not integrated into Active Directory can also be used but will not provide the ease of deployment that Enterprise Certificate Authorities do.

If applications will be used outside the organization, getting a certificate from a trusted public CA will be a better solution, but the cost of this method must be factored in. There is no additional cost for creating a CA on a Windows Server. Whichever CA type is used, methods should be put in place to protect and back up the private key that is used to verify digital signatures.

Lesson 6: Using WMI

WMI Tasks

WMI Filters in Group Policy

Windows Management Instrumentation (WMI) is one important way to manage Windows operating systems. Administrators can use it as a standard way to query, monitor or change configuration settings on any Windows XP or later system. This is based on the WMI Scripting Library, which provides a set of standard objects that can be used to access information about the operating system infrastructure. Scripting languages such as VBScript, JScript and PowerShell are supported. Group Policy Objects can also be used with WMI to manage domain servers and desktops.

In addition to managing hardware resources, WMI can be used to get information about or change software applications, user accounts and services running on the system. Each manageable component is referred to as a managed resource.

Because of the uniform way in which Windows operating systems are managed with WMI, changes in desktop and server management tools will not change the way computers are managed. The way a DNS Server is managed on Windows Server 2003 is the same way it will be managed on Windows Server 2008.

WMI Tasks

Controlling GPO Assignment

Monitoring Desktops
Configure Services

Manage Applications

The resources that can be managed through the WMI Library are extensive. Some examples of tasks that can be done are:

- Controlling GPO assignment: Even after a group policy object is assigned to an OU, an administrator can further limit the machines that it is assigned to. You could, for example, prevent the installation of a software program unless there was a minimum amount of drive resources available.
- Monitoring Desktops: WMI scripts can retrieve information from event log files and monitor registry changes. Changes to the file system, printers or other components can also be tracked.
- Configure Services: Network services like DNS can be queried and changed when needed. Desktop service configuration settings, like DHCP, can also be managed.
- Manage Applications: Microsoft applications like Operations Manager, Exchange Server or SQL Server can be configured with WMI scripts.

WMI Filters in Group Policy

WMI Query Language

Hardware & Software Settings


Linking to GPOs

Scriptomatic

Using the Group Policy Management Console, WMI scripts can be created and linked to select Group Policy objects. The WMI scripts are referred to as filters and are made up of queries written in the WMI Query Language (WQL). There is a separate folder from which WMI Filters can be created and updated. Once a filter is linked to a GPO, any changes the GPO specifies will only be applied if the computer system meets the requirements specified in the filter (e.g. minimum memory or drive space availability).

A filter can be applied to many GPOs, but each GPO can only have a single filter applied to it. If multiple filters are needed, then the configuration settings must be separately managed from different GPOs. Besides hardware information, WMI filters are often used to verify the operating system version, running services or network connectivity.

Depending on the number of queries in a filter, the time taken to start up or log on to a system can be significantly increased. Filters should therefore be kept to a minimum and be as simple as possible to prevent performance problems.

Learning the WMI scripting language and syntax can be time consuming, especially if you only need to perform a simple task or query. Scriptomatic is a free utility that can be used to create these scripts. The information it gives about WMI class and property information can give administrators new ideas about how to take advantage of the WMI infrastructure.
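Before a filter is linked to a GPO, its WQL queries can be run on a representative client to confirm that they match and to see what each one costs in time. This is an added example, not part of the courseware: `Test-WmiFilterQuery` is a hypothetical helper and both queries are constructed samples (the disk query mirrors the 10 GB free-space condition mentioned earlier).

```powershell
# Run each candidate WMI filter query locally and report match count and cost.
# A query counts as true when it returns at least one instance; a filter with
# several queries is treated here as passing only when every query is true.
# On PowerShell 2.0 (the Windows 7 default), Get-WmiObject accepts the same
# -Namespace and -Query arguments as Get-CimInstance.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory = $true)] [string[]] $Query,
        [string] $Namespace = 'root\CIMv2'
    )
    foreach ($q in $Query) {
        $count = 0
        $problem = $null
        $timer = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $count = @(Get-CimInstance -Namespace $Namespace -Query $q -ErrorAction Stop).Count
        }
        catch {
            # A syntax error or unknown class makes the query fail, so the
            # filter would never match; surface the reason instead of hiding it.
            $problem = $_.Exception.Message
        }
        $timer.Stop()

        [pscustomobject]@{
            Passes       = ($count -gt 0)
            Instances    = $count
            Milliseconds = $timer.ElapsedMilliseconds
            Error        = $problem
            Query        = $q
        }
    }
}

# Constructed sample queries.
$filterQueries = @(
    # More than 10 GB (10 * 1024^3 bytes) free on C:
    'SELECT * FROM Win32_LogicalDisk WHERE DeviceID = "C:" AND FreeSpace > 10737418240'
    # Windows 7 client (version 6.1, ProductType 1 = workstation)
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"'
)

$results = @(Test-WmiFilterQuery -Query $filterQueries)
$results | Format-Table Passes, Instances, Milliseconds, Error, Query -AutoSize

$filterPasses = $results.Count -gt 0 -and (@($results | Where-Object { -not $_.Passes }).Count -eq 0)
"Filter would apply the GPO on this machine: $filterPasses"
"Total evaluation time (ms): $(($results | Measure-Object Milliseconds -Sum).Sum)"
```

The per-query timing is the figure to watch when deciding whether a filter is simple enough to evaluate at every startup or logon.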

Lesson 7: Using AppLocker

System Requirements

AppLocker vs. Software Restriction Policies


Creating Rules

One of the new features in Windows 7 that makes managing approved software applications easier is AppLocker. Using different security options, a technician is able to prevent the use of applications on a computer through a number of different layers of restrictions. Administrators that previously used Software Restriction Policies to provide this functionality might decide to supplement or replace it with this new feature if all clients will be migrating to Windows 7.

Like software restriction policies, AppLocker rules can be configured on the local machine or through group policy settings in Active Directory. AppLocker will also allow the automatic configuration of rules based on applications already installed on the system. The audit mode in AppLocker allows the testing of new rules to make sure that legitimate applications are not prevented from running.

Group Policies will still allow software restriction policies to be applied to Windows 7 systems. Software restriction policies and AppLocker rules cannot both be applied to the same system. AppLocker rules will prevail in such a situation.

System Requirements

Windows 7 Support

GPMC
Remote Server Administration Tools

AppLocker rules will not work on earlier versions of Windows. Windows 7 Professional can be used to create the policies, but they can only be applied to Windows 7 Ultimate or Enterprise Editions. Windows Server 2008 R2 can also use these rules. The Group Policy Management Console (GPMC) in the Remote Server Administration Tools (RSAT) can be used to create rules for group policy deployment.

AppLocker vs. Software Restriction Policies

Advantages vs. Software Restriction Policies:

Digital Signature Rules
Audit Mode
White-Listing

Disadvantages vs. Software Restriction Policies:

Support for older operating systems
Support for Rule Types

Advantages over Software Restriction Policies:


AppLocker rules and software restriction policies cannot be used on the same computer. Many networking environments will find that the advantages of AppLocker are worth moving from the use of software restriction policies. Overall, administration and deployment of software rules will be easier for the following reasons:

- Digital Signature Rules: Software Restriction Policies allow the creation of certificate rules but there is no option to filter them. AppLocker allows the configuration of rules based on attributes of a certificate such as its publisher, product name, file name or file version.
- Audit Mode: When applying multiple rules to a system, mistakes can prevent the running of a single application or lock down the whole system. The audit only enforcement mode prevents this problem by allowing the administrator to verify which applications will be affected by a new rule before enforcing it.
- White-listing: Traditional software restriction methods force an administrator to specify all the applications that should not be run on a system (black-listing). AppLocker allows a different approach which often simplifies the creation of software rules. The list of programs that should be run on a system is normally much shorter than the list of programs that should not be executed. Software Restriction Policies provide this functionality but it is much easier to implement with AppLocker through the use of a wizard.

Disadvantages vs. Software Restriction Policies


Not all environments will be able to benefit from the advantages listed above and there are cases where the continued use of software restriction policies might be a better solution. Reasons to keep using software restriction policies include:

- Support for older operating systems: If there is a need to consistently apply software rules to Windows 7, Vista and XP desktops, this can only be done with software restriction policies. AppLocker will not work with all versions of Windows 7. Only the Enterprise and Ultimate editions are supported.
- Support for Rule Types: If your organization already applies Internet Zone, per-machine and registry rules with SRP, these cannot be converted to AppLocker rules.

Creating Rules

Install and update applications

Automatically Generate Executable Rules


Delete unnecessary rules

Use the Audit only enforcement mode

One of the easiest ways to deploy new AppLocker rules is to automatically generate them from a reference machine. The Automatically Generate Rules wizard will create only allow rules (white-list). If default rules are not generated first when creating a rule collection, then legitimate applications could be prevented from running. Take advantage of audit mode to prevent this from happening. If rules are generated that prevent the system from running properly, restart the system in Safe Mode to temporarily disable these rules and fix them.

The recommended procedure for creating new rules with the wizard is to do the following:

1. Install and update all the applications that will be used on the computer
2. Create Default Executable Rules
3. Automatically Generate Executable Rules
4. Delete unnecessary rules
5. Use the Audit only enforcement mode to verify that all applications will run successfully
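The same procedure can be driven from the AppLocker PowerShell module instead of the wizard. The script below is an added example, not part of the courseware; the scan directory, rule-name prefix and output file are assumptions, and it expects an elevated session on a reference machine where steps 1 and 2 (applications installed, default rules created in the console) are already done.

```powershell
Import-Module AppLocker

$scanRoot   = 'C:\Program Files'                        # assumption: where the approved applications live
$policyFile = Join-Path $env:TEMP 'applocker-reference.xml'   # assumption: scratch location

# Step 3: generate allow rules from what is installed on the reference machine.
# Publisher rules are used where files are signed; unsigned files get hash rules.
$files = Get-AppLockerFileInformation -Directory $scanRoot -Recurse -FileType Exe
[xml]$policy = $files |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
                        -RuleNamePrefix 'Reference' -Optimize -Xml

# Step 5 is prepared before anything is applied: every generated rule
# collection is marked audit only, so nothing is blocked during verification.
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($policyFile)

# Step 4: list the generated rules so unnecessary ones can be removed from the
# file (or later in the console) before the policy is used.
$policy.SelectNodes('//RuleCollection/*') | ForEach-Object {
    '{0,-6} {1}' -f $_.GetAttribute('Action'), $_.GetAttribute('Name')
}

# Add the reviewed rules to the local policy. -Merge adds them to the rules
# already there, so the default rules from step 2 are not replaced.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# Dry run against the resulting local policy: anything listed here would not
# be allowed once the rules are enforced. Windows binaries appearing in this
# list usually mean the default rules are missing.
$probe = @("$env:WINDIR\System32\*.exe", "$scanRoot\*\*.exe")
Get-AppLockerPolicy -Local |
    Test-AppLockerPolicy -Path $probe -User Everyone -Filter Denied, DeniedByDefault |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

# Rules are only evaluated while the Application Identity service is running.
Get-Service -Name AppIDSvc | Select-Object Name, Status

# After users have worked in audit mode for a while: event 8003 records each
# executable that ran but would have been blocked under enforcement.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = 8003
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

An empty dry-run table and no 8003 events over a representative working period are the signals that the rule set is ready to move from audit only to enforcement.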

Lesson 8: Using Virtualization for Testing

Creating a Testing Environment

Limitations of Virtualization
New Features

One of the most convenient ways to test new software and features is by using virtualization. Using VHD images allows a technician to apply and test changes to the operating system configuration quickly and efficiently. While some changes can only be quality tested properly on a physical machine, the ability to apply and remove changes to an image quickly can be very helpful.

Creating a Testing Environment

VHD Images

Network Images

Running standard VHD images in Virtual PC, Virtual Server or Hyper-V creates a testing environment where software updates, hotfixes and new applications can be installed or reconfigured to make sure that they will not cause problems on standard desktops. A single machine running multiple images can be used to test not only the effect of changes on a single system, but how those changes might affect network and connectivity settings.


Limitations of Virtualization

Testing Drivers

Testing Hardware
Testing Performance

The limitations of the virtualization environment must be factored in when evaluating the results of new tests. The effects of driver and hardware changes are best tested on non-virtualized installations. The actual performance change on user systems needs to be checked in many cases since this is an important factor in whether or not a change will be practical.

New Features

Treat VHDs as hard-drives

Direct boot from VHD


Creating VHDs

New virtualization options in Windows 7 can also be leveraged in a testing environment: VHD files can be easily connected to and treated as a hard drive, and the operating system can be booted directly from these images. The diskpart.exe command or the Disk Management tool can now be used to create VHD files. These options can be used to improve the portability of test machines and might also be used on user machines to copy existing operating systems to new computers.

Resolve Software Installation Issues


Review the scenarios and problems presented along with their solutions

Like any other troubleshooting task, when trying to find the solution to a software installation problem, isolating the problem area is critical. The problem can be the distribution point, the desktop hardware or software configuration or network issues. Here are some situations that might arise and possible solutions to them.

The user does not have permissions to do the install. Verify the permissions of the user or the application doing the install. Group Policy installs do not require administrative rights on the part of the user. If the application does further configuration after the user logs on, however, elevated privileges might be necessary. Check the effect of UAC on the install process.

The software is not compatible with Windows 7. Try changing the compatibility mode of the application. Test the different settings available such as running with higher privileges or modifying screen resolution. Using Virtual PC to run the application in a previous operating system or taking advantage of Terminal Services to run the software might be another solution.

Group Policy is not installing the software or not installing it in the expected manner. Group Policy software installs can be either assigned or published. Published software will not be automatically installed but advertised through Add/Remove Programs. Verify that the GPO applies to the user and is not being blocked or overridden by other policies or WMI settings. The GPMC or gpresult.exe can be used to confirm applied policy settings. The software distribution point should also be checked for availability and appropriate permission settings.

Software Restriction Policies are not being applied. Verify that the policy settings are being applied as expected. Policies are always applied at the local machine level first, then the site level, then the domain and lastly the OU levels. The last policy to be applied normally prevails unless it is overridden or blocked. Software Restriction Policies cannot be combined with AppLocker settings. The AppLocker configuration will prevail and the Software Restriction Policies will be ignored.


New drivers cannot be installed on the computer. If the drivers are not signed by a trusted publisher, they might be blocked because of the driver signing configuration. Try to use signed drivers whenever they are available. Local driver signing configurations might be overridden by settings in Active Directory Group Policies. Verify the permissions of the user installing the drivers.

Windows 7 will not install more than one language pack. Multiple full language packs can only be installed on systems running the Ultimate or Enterprise editions of Windows.

WMI Filtering is not working on some desktops. Verify the Group Policy hierarchy and make sure the filters are linked to the right GPOs. WMI filtering will only work on Windows XP or later systems.

Software installations done over the network are taking too long. Use DFS trees to make the distribution points available instead of network shares. DFS is automatically site aware and will connect desktops to the closest available share. DFS can also be used to automatically update distribution points when changes are made.

AppLocker Rules have made a desktop computer unusable. Boot the system in safe mode and delete the rules that are causing the problem. Take advantage of the Audit Only enforcement mode to prevent the problem from occurring again.

Software installations are taking a very long time for VPN users. Enable the Slow Network Detection option in Group Policy to prevent software installations over these connections. Set an appropriate bandwidth level if the default is considered too low.


Review - Module 1: Identify and Resolve New Software Installation Issues
Examine the review questions as a class

1. What versions of Windows 7 support the use of multiple languages?

2. In what order are machine and Active Directory policy settings applied?

3. When would using the Slow Network Detection option in Group Policy be advantageous?

4. How many Group Policy Objects can a single WMI filter be applied to?

5. What is the order of precedence for Software Restriction Policy rule types?

6. What versions of Windows 7 support AppLocker rules?

7. When multiple software restriction path rules apply to the same application, which one will be used?

8. What command-line tool can be used to disable driver signing requirements?

9. When Group Policy is used to install applications, what method will automatically do the setup before the user logs on?

10. True or False. Multiple WMI Filters can be applied to a single GPO.

11. What security option is available with Software Restriction Policies that cannot be used with Applocker?

12. What security option is available with Applocker that cannot be used with Software Restriction Policies?


Labs - Module 1: Identify and Resolve New Software Installation Issues

Exercise 1: Install and Configure Windows 7

Exercise 2: Install Programs and test Applocker


Exercise 3: Configure Compatibility Settings

Overview: Install and configure Windows 7. Install and configure applications and application access. Unless stated otherwise, use the Windows 7 image for this lab and login as Admin1 with a password of Pa$$w0rd. All ISO images must be 64-bit and will be on the local C: drive in the Labfiles folder.

Estimated Time to complete this lab is 90 minutes.


Exercise 1: Install and configure Windows 7
1. Boot from the Windows 7 ISO image.
2. From the Install Windows screen, choose appropriate language, time and keyboard settings and press Next.
3. Click Install Now.
4. Read and accept the license agreement then press Next.
5. Click Custom install.
6. On the Where do you want to install Windows? screen, use the Drive Options to create a partition that is 20480 MB in size.
7. Accept the default option to build an additional partition for system files and click OK.
8. Choose the 20 GB partition just created and click Next.
9. The system will automatically restart a few times to install necessary files and features.
10. On the Set Up Windows screen, create a user name of Admin1 and a computer name of Student1. Click Next.
11. Assign a password to your Admin1 account of Pa$$w0rd. Use Lab Password as the password hint. Click Next.
12. If prompted, leave the product key blank and uncheck the option to Automatically activate Windows when online. Click Next.
13. On the Help protect your computer and improve Windows automatically screen, click Ask me later.
14. Choose appropriate time and date settings and click Next.
15. On the Select your computer's current location window, choose Work network.
16. The system will start up. Click Start and in the Search programs and files window, type command (do not hit Enter).
17. In the Start Menu, right click the Command Prompt program and choose Run as Administrator.
18. Click Yes when the User Account Control (UAC) dialog window appears.
19. Execute the following commands to create a user account, a group and add the user to the group:
    o net user /add User1 Pa$$w0rd
    o net localgroup /add Local_Users
    o net localgroup /add Local_Users User1
20. Click Start. Right click Computer and choose Manage to open the Computer Management console.
21. From Disk Management, change the drive letter of the first CD/DVD drive to G:.
22. Use the Disk Manager to create two primary partitions of 24 gigabytes each. The first will be the D: drive and the second will be the E: drive.
23. Close the Computer Management console. Use Windows Explorer to create a folder named TEMP on the root of the C:, D: and the E: drives.

Exercise 2: Install Programs and Test Applocker


1. Click Start and navigate to Control Panel > Programs > Turn Windows features on or off.
2. In the Turn Windows features on or off window, install the Games and the Telnet Client.
3. Click OK.
4. Verify that the games are installed by navigating to Start > All Programs > Games.
5. Verify that the Telnet client is installed by executing telnet from a Command Prompt window.
6. Click Start and in the Search programs and files window, type policy (do not hit Enter).
7. In the Start Menu, right click the Local Security Policy program and run it as an Administrator.
8. In the Local Security Policy window, navigate to Application Control Policies > AppLocker > Executable Rules.
9. Right click on Executable Rules and click Create New Rule.
10. In the Create Executable Rules window, read the information under Before You Begin and click Next.
11. In the Permissions window under Action, click Allow and under User or group, click Select, type Administrators then click OK. Click Next.
12. In the Conditions window, choose File hash and click Next.
13. Use the Browse Files option to specify the C:\WINDOWS\SYSTEM32\TELNET.EXE file. Click Next.
14. In the Name and Description window, name the rule Telnet (Administrators). Click Create.
15. If asked to create the default rules for AppLocker, choose Yes.
16. In addition to the new rule created, there should be three Default Rules.
17. Examine the properties of the three default rules created.
18. Right click on Executable Rules and click Create New Rule.
19. In the Create Executable Rules window, click Next.
20. In the Permissions window, click the Deny action and choose the Everyone group. Click Next.
21. In the Conditions window, choose File hash and click Next.
22. Use the Browse Files option to specify the C:\WINDOWS\SYSTEM32\TELNET.EXE file. Click Next.
23. In the Name and Description window, name the rule Telnet (Everyone). Click Create.
24. Login as User1 with a password of Pa$$w0rd and verify that you are still able to launch telnet. The AppLocker rule is not being applied.
25. Log back onto the system with the Admin1 user account.
26. Click Start and in the Search programs and files box, type services. Run the Services program.
27. Open the properties window of the Application Identity service. Read the description.
28. Change the startup type to Automatic, start the service and close the Services window.
29. Open the Local Security Policy tool and navigate to Application Control Policies > AppLocker.
30. Double click AppLocker and under Configure Rule Enforcement, click Configure rule enforcement.


31. In the AppLocker Properties window, click the Enforcement tab and enable all three rule categories by checking off the Configured check boxes. Make sure that the Enforce rules option is chosen for all three.
32. In the Advanced tab, read, but DO NOT configure, the option to enable DLL rules.
33. Click OK. Run gpupdate.exe from the Command Prompt.
34. Login as User1.
35. Use the Command Prompt to verify that the Telnet command cannot be executed (if you can still successfully run the Telnet command, restart the Application Identity service and run gpupdate.exe again).
36. Login as Admin1.
37. Use the Command Prompt to verify that the Telnet command still cannot be executed (The deny rule for Everyone will also apply to members of the Administrators group).
38. Use the Local Security Policy window to modify the Telnet (Everyone) rule. Change its name to Telnet(Local_Users) and change the group it applies to to Local_Users.
39. Try to execute the telnet command again. It should now be successful for Admin1 but unsuccessful for User1. If the rule is not working, run gpupdate.exe or restart the computer.
40. Open the Local Security Policy window and navigate to Application Control Policies > AppLocker > Executable Rules.
41. Right click on Executable Rules and click Create New Rule. Click Next.
42. On the Permissions window, choose Deny for the Action and Everyone for the group. Click Next.
43. On the Conditions window, click Path. Click Next.
44. On the Path window, choose the C:\PROGRAM FILES\MICROSOFT GAMES\ folder. Click Next.
45. On the Exceptions page under Add exception:, choose File hash.
46. Click Add and choose the C:\PROGRAM FILES\MICROSOFT GAMES\SOLITAIRE\SOLITAIRE.EXE file. Click Next.
47. On the Name and Description page, name the rule Microsoft Games. In the Description, type Block all games except Solitaire. Click Create.
48. Try executing three or more games to verify that Solitaire is the only one that will run.
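The checks this exercise makes by logging on as each user can also be run from a single elevated PowerShell session. This is an added example, not part of the lab; it assumes the User1 and Admin1 accounts and the rules created in the steps above.

```powershell
# Added example: verify the lab's AppLocker rules without switching accounts.
# Assumes the accounts and rules created in this exercise.
Import-Module AppLocker

$telnet = 'C:\Windows\System32\telnet.exe'

# 1. Rules are only evaluated while the Application Identity service runs.
#    A stopped service is why the first deny rule had no effect for User1.
$svc = Get-Service -Name AppIDSvc
'{0}: {1}' -f $svc.DisplayName, $svc.Status

# 2. Enforcement mode of each rule collection in the effective policy.
[xml]$effective = Get-AppLockerPolicy -Effective -Xml
foreach ($collection in $effective.SelectNodes('//RuleCollection')) {
    '{0,-8} {1}' -f $collection.GetAttribute('Type'),
                    $collection.GetAttribute('EnforcementMode')
}

# 3. Evaluate telnet.exe for each account. A matching deny rule always wins
#    over an allow rule, so while the deny rule targets Everyone both accounts
#    are denied; once it targets Local_Users only User1 is denied.
foreach ($user in 'User1', 'Admin1') {
    $account = "$env:COMPUTERNAME\$user"
    Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $telnet -User $account |
        Select-Object @{ Name = 'User'; Expression = { $account } },
                      PolicyDecision, MatchingRule
}

# 4. Path rule with a file hash exception: every executable under
#    Microsoft Games except Solitaire should come back as Denied.
$games = Get-ChildItem 'C:\Program Files\Microsoft Games' -Recurse -Filter *.exe |
    ForEach-Object { $_.FullName }
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $games -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

Test-AppLockerPolicy evaluates the rules only; it reports the same decision whether or not the Application Identity service is running, which is why the service check comes first.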

Exercise 3: Configure Compatibility Settings:


1. Use Windows Explorer to go to the C:\WINDOWS folder.
2. Locate notepad.exe, right click on it and open the properties window.
3. In the Compatibility tab, notice the different options available (You will not be able to make changes since this is an operating system file). Close the properties window.
4. Open the Command Prompt as an Administrator.
5. Run the command xcopy \\NYC-DC1\classfiles\tools\ppview97.exe E:\TEMP.
6. Use the properties window of the e:\temp\ppview97.exe file to examine the Compatibility tab and the options available. Do not install the program.


Module 2: Resolve Software Configuration Issues

Table of Contents
Overview
Lesson 1: Change Default Settings on the Image
Lesson 2: Enable and Disable Features
Lesson 3: Pointing to a Network Resource
Lesson 4: Configuring Updates
Lesson 5: Resolve Configuration Issues with Group Policy
Lesson 6: Driver Updates
Lesson 7: Problem Steps Recorder
Resolve Software Configuration Issues
Review - Module 2: Resolve Software Configuration Issues
Labs - Module 2: Resolve Software Configuration Issues


Overview

Change Default Settings on the Image

Enable and Disable Features


Pointing to a Network Resource

Configuring Updates
Resolve Configuration Issues with Group Policy

Driver Updates

Problem Steps Recorder

Resolve Software Configuration Issues

Most software configuration problems can be solved quickly if accurate information about the problem is obtained in a timely manner and appropriate tools are used to solve the issue. Isolating the problem area is often the first step. Is it at the operating system, network or application level? Are other users experiencing the same issue? The best time to solve a problem is before deployment; proper testing of the software in typical usage scenarios can show up problems early in the process.

Some problems are solved by enabling or disabling features on the system. Others can be dealt with by changing the environment in which the application is run. Group Policy and other tools can be used to apply updates and fixes quickly and consistently in the network. Updates can be deployed in a staged manner to catch unresolved problems without disrupting the production environment severely. New tools, like the Problem Steps Recorder, can be used by technicians to solve remote end-user problems more efficiently. Other tools like GPMC and gpresult.exe can be used to solve problems with the way Group Policy Objects (GPOs) are deployed.

In this chapter, you will be able to work with different Windows tools, old and new, to identify and resolve configuration problems with the operating system, applications and drivers.


Lesson 1: Change Default Settings on the Image

Using ImageX

Using Windows Deployment Services

Using the Microsoft Deployment Toolkit

Images are a popular way to deploy operating systems and their applications in a corporate environment. Once properly configured, the image can be used on computers running compatible hardware. Most environments will need multiple images to meet their needs and these might have to be updated regularly to include new applications or remove old ones. ImageX can be used to make such changes. The Sysprep utility can be used to remove unique information before image deployment. Third party utilities are also available that can remove the computer SID, name and other details. Once an image type and configuration is selected, the Windows Deployment Services (WDS) and Microsoft Deployment Toolkit (MDT) tools can be used to deploy the images and make necessary changes to them.

The Windows Imaging Format (WIM) type is most often chosen because of the flexibility it provides. WIM images are hardware independent and provide a system of storing information where a single copy of a file is recorded only once even if it is referenced in multiple locations (single instance storage). This can significantly reduce the amount of space needed to store image files. Since WIM files can contain multiple disk images, common files that are used by all of them will not need to be duplicated either.

WIM images support non-destructive deployments. If the partitions being copied to already have data on them, these files do not need to be overwritten. The partitions used by WIM images must be created before they are deployed. Diskpart.exe or some other utility can be used to do this.

Using ImageX

/append
/apply
/capture
/commit
/compress
/delete
/dir
/export
/ref
/split
/verify
/mount
/mountrw
/unmount

When changes need to be made to a WIM image, the modifications can be done with the ImageX command-line tool. These modifications can be made offline by mounting the image and changing the necessary files. Because ImageX is a command-line tool, its configuration is very flexible and it lends itself easily to scripting operations. Some of the more useful parameters are listed below:

/append     Appends a volume image into an existing WIM file
/apply      Applies a volume image to the specified drive
/capture    Copies a volume image into a new WIM file
/commit     Commits the changes made to a mounted WIM
/compress   Sets the compression type to (none, fast, or maximum)
/delete     Deletes an image from a WIM file with multiple images
/dir        Displays a list of files and folders within a volume image
/export     Transfers an image from one WIM file to another WIM file
/ref        Sets WIM references for an apply operation
/split      Splits an existing WIM file into multiple read-only WIM parts
/verify     Verifies duplicate and extracted files
/mount      Mounts an image, with read-only access, to the specified directory
/mountrw    Mounts an image, with read-write access, to the specified directory
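The offline modification workflow described above, as an added example that is not part of the original courseware: mount the image read-write, change files, and commit only if every step succeeded. The WIM path, image index, mount directory and the file being copied are assumptions.

```powershell
# Added example: offline servicing of a WIM image with ImageX.
# Assumptions (not from the courseware): imagex.exe is on the PATH and all
# paths below are hypothetical.
$wim      = 'D:\Images\corp-win7.wim'
$index    = 1
$mountDir = 'C:\TEMP\mount'
$newFile  = 'C:\TEMP\settings\corp.ini'     # hypothetical file to add to the image

function Invoke-ImageX {
    # Run imagex.exe and turn a non-zero exit code into a terminating error,
    # so a failed step can never be followed by a commit.
    & imagex.exe @args
    if ($LASTEXITCODE -ne 0) {
        throw "imagex $($args -join ' ') failed with exit code $LASTEXITCODE"
    }
}

New-Item -ItemType Directory -Path $mountDir -Force | Out-Null

# Mount image number $index with read-write access.
Invoke-ImageX /mountrw $wim $index $mountDir

$commit = $false
try {
    # Make the offline change inside the mounted image.
    Copy-Item $newFile (Join-Path $mountDir 'Windows\corp.ini') -ErrorAction Stop
    $commit = $true
}
finally {
    if ($commit) {
        Invoke-ImageX /unmount /commit $mountDir    # save the changes to the WIM
    }
    else {
        Invoke-ImageX /unmount $mountDir            # discard a partial change
    }
}

# Show the image metadata after the change.
Invoke-ImageX /info $wim
```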

Using WDS

Create and Deploy Windows 7 Images

Support for RIS


Unattended Setup

Command-line Tool

When WDS is used to deploy Windows 7, it will also include the capability to create, convert and copy images. Older RIS images can be converted to newer WIM formats. Client computers can also be configured to use unattended install files to complete the operating system setup. Management of images can be done from the Windows Deployment Services MMC snap-in or the wdsutil.exe command-line tool. Client computers that are not pre-staged in Active Directory can be automatically created during the setup process.


Using the Microsoft Deployment Toolkit

Lite Touch Installation (LTI)

Zero Touch Installation (ZTI)

The MDT can be used as a single tool to manage all the deployment needs for client and server computers. Two types of deployment methods are available with MDT:

Lite Touch Installation (LTI): Software distribution tools are not necessary with this deployment method. This method allows interaction at the desktop during the install for some options, like computer name, to be configured.

Zero Touch Installation (ZTI): This allows for a totally automated installation to be configured using products like System Center Configuration Manager (SCCM).


Lesson 2: Enable and Disable Features

Compatibility Mode

Windows XP Mode
UAC Configuration

Internet Explorer 8

Some application setup problems can be solved by changing the Windows 7 configuration or by modifying the configuration of optional components. The management of older applications that are compatible with Windows XP has been greatly improved with the addition of new virtualization options. Other issues caused by the configuration of the display settings, Internet Explorer, Windows Search, Firewall settings or other features can sometimes be mitigated. The solution will sometimes involve a simple configuration change to the Windows 7 feature. Some cases might require the removal of the offending component. When the modification of existing features does not provide a solution, the application might need to be upgraded to a newer version or configured on a Terminal Server. Before such options are used, one of the following configuration settings might be used to solve the problem.


Compatibility Mode

Operating System Support

Desktop Settings
Run as Administrator

Visualization Themes
Apply to All Users

Sometimes a program needs to be installed or executed using compatibility mode. Compatibility modes can be configured for Windows Vista, XP, 2000, NT 4.0 or 98. Other options, such as desktop settings, executing as administrator or visualization themes, can be changed if they are creating compatibility problems. When different users work with the application on the same machine, the option to apply configured settings to all users can be used to avoid having to make the same changes multiple times.


Windows XP Mode

Virtual PC Image

Licensing
Windows 7 Edition Support

Applications that are not compatible with Windows 7 can be installed in a virtual Windows XP environment that installs the application using Virtual PC. The XP virtual machine is an optional download that includes a fully licensed version of Windows XP with Service Pack 3. The Virtual PC 7 image is only available on the Professional, Enterprise and Ultimate editions of Windows 7. Although the applications are installed in this virtual image, they are executed from the Windows 7 desktop like any other software program. This installation option should solve most application compatibility issues. If this method is used for all desktop upgrades, the process of verifying that old programs will work on the newly deployed systems could be much faster and easier.


UAC Configuration

Support for Older Applications

Notification Messages
Auto-elevation

UAC is an important security tool that provides administrators with greater control over user actions on the desktop. In most cases, there should not be a need to disable it because of compatibility problems. New options available in Windows 7 can make the user and software setup experience much smoother than on Windows Vista. The new UAC configuration reduces the number of prompts for elevation a user will get during simple operations like installing new ActiveX controls. The operating mode of UAC is also configurable. The administrator can decide to prevent notification messages when Windows settings are being changed and allow desktop interaction while the prompt for the elevation account is present. Using these options allows certain operations to use auto-elevation and improves the user experience without totally disabling this useful security feature.


Internet Explorer 8

Compatibility View

Intranet Zone Support


URL Support

Some web-sites may not have made changes to display information properly in the newest version of Internet Explorer. The Compatibility View can be configured from the toolbar to allow web-sites to be viewed as they would look in Internet Explorer 7. You have the option to display all sites this way or only intranet sites. A specific list of URLs can also be specified.


Lesson 3: Pointing to a Network Resource

Security

DFS Configuration

When automating the installation of operating systems and applications, the majority of setups normally occur over the network from a distribution point. These network shares should be secure, highly available and easily accessible. When the same application can be installed from multiple locations, any changes made to one should be consistently applied to the others. A number of strategies can be used to accomplish these tasks. By taking advantage of Windows Server features and services, you can configure a software distribution architecture that is manageable. Some of the options discussed here depend on a properly configured Active Directory environment.


Security

NTFS

Network Share
Authentication

Securing the data on software distribution shares is necessary to prevent unauthorized updates to setup files. You can also stop the unlicensed and unsupported installation of software by end users. Share and NTFS permissions can be used together to prevent non-administrator access. If the volume is not formatted as NTFS, the FAT or FAT32 partition can be converted without the loss of existing data on the drive. This operation can be done from the command-line or scripted with the convert.exe utility.

When both NTFS and share permissions are applied, the more restrictive of the two permission sets will be used. Because the NTFS permissions allow a greater granularity of control, these permissions are often preferred. The use of the Everyone group should be avoided when assigning permissions. The Authenticated Users group should be used instead so that domain authentication will be required before access to the resources is granted. To prevent users from even finding the shares in the first place, they should also be hidden. Adding a dollar sign ($) to the end of the share name will accomplish this. When customized updates are made to distribution shares, they should also be backed up regularly.

If security sensitive data is copied across the network during setup operations, it should be encrypted. Using customized IPSec policies can protect confidential data without unnecessarily affecting performance. Encrypting File System (EFS) only protects data while it is on the drive and not while it is in transit over the network.
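The share setup described above, as an added PowerShell example that is not part of the courseware. The path D:\Deploy, the share name Deploy$ and the group CONTOSO\Deploy-Admins are assumptions, and giving Authenticated Users read-only access is one possible policy choice.

```powershell
# Added example, not from the courseware. Run elevated on the file server.
# Assumed names: D:\Deploy, Deploy$, CONTOSO\Deploy-Admins.
$Path       = 'D:\Deploy'
$ShareName  = 'Deploy$'                  # trailing $ hides the share from browse lists
$AdminGroup = 'CONTOSO\Deploy-Admins'

# 1. File-level ACLs need NTFS; stop if the volume is still FAT or FAT32.
$drive  = Split-Path -Path $Path -Qualifier            # e.g. 'D:'
$volume = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
if ($volume.FileSystem -ne 'NTFS') {
    throw "$drive is $($volume.FileSystem). Convert it first: convert.exe $drive /FS:NTFS"
}

# 2. NTFS permissions: only administrators may change setup files.
#    Explicit grants are written first, then inheritance is cut, so the folder
#    is never left without an ACL. Authenticated Users get read and execute.
$grants = @(
    "${AdminGroup}:(OI)(CI)M",
    'SYSTEM:(OI)(CI)F',
    'Administrators:(OI)(CI)F',
    'Authenticated Users:(OI)(CI)RX'
)
& icacls.exe $Path /grant:r $grants
& icacls.exe $Path /inheritance:r
& icacls.exe $Path /remove:g Everyone

# 3. Share permissions: the more restrictive of share and NTFS applies, so
#    READ here keeps ordinary users read-only even if an NTFS ACE is loosened later.
& net.exe share "$ShareName=$Path" "/GRANT:$AdminGroup,CHANGE" '/GRANT:Authenticated Users,READ'
if ($LASTEXITCODE -ne 0) { throw "net share failed with exit code $LASTEXITCODE" }

# 4. Audit both layers for the Everyone group (well-known SID S-1-1-0).
$sidType = [System.Security.Principal.SecurityIdentifier]
$ntfsEveryone = @((Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq 'S-1-1-0' })

$setting = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$ShareName'"
$shareEveryone = @()
if ($setting) {
    $shareEveryone = @($setting.GetSecurityDescriptor().Descriptor.DACL |
        Where-Object { $_.Trustee.SIDString -eq 'S-1-1-0' })
}

if ($ntfsEveryone.Count -gt 0 -or $shareEveryone.Count -gt 0) {
    Write-Warning ('Everyone still has access: {0} NTFS ACE(s), {1} share ACE(s)' -f `
        $ntfsEveryone.Count, $shareEveryone.Count)
} else {
    Write-Output "No Everyone ACEs on $Path or on the share."
}
```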


DFS Configuration

Replica Sets

Site-Aware
Access Permissions

Creating a DFS tree to support software distribution points can improve the availability of those shares and allow automated replication of changes to identical shares. DFS uses logical names to identify network shares. End users can use these logical names or leaves as connection points instead of connecting directly to the share. The DFS leaf names can remain the same even when the share name is changed or moved to a different server. For example, even if the Office 2007 install share is moved from \\Server1\Office2007 to \\Server2\Office07, the original DFS leaf name can remain the same so end users and applications that point to it continue to work the same.

DFS also uses replica sets to provide load balancing. A single leaf can point to two or more shares that contain the same files. When users connect to the leaf, the client computers will connect to different shares to balance the load. DFS is also site-aware, so a user will automatically connect to servers in their own location. If one is not available, the DNS service records can be used to find one that is least costly in terms of WAN bandwidth usage.

Replication can be configured between shares in the same replica set so that updates only have to be directly made to one of them. The replication engine uses a multi-master model so updates can be made from any share location. DFS replication will also work over WAN connections with limited bandwidth.

Normal NTFS and share permissions cannot be violated because of DFS permission settings. Access-based enumeration can also be used to prevent users from seeing files or folders they do not have permissions to access. DFS can be used in combination with other services, like Server Clustering, to improve the availability of network shares.


Lesson 4: Configuring Updates

Windows Updates

Microsoft Updates
Application Updates

To maintain the security and integrity of network computers, regular operating system and application updates should be done. Although many updates are done to improve the functionality of software, a lot of them are also done to protect applications from known malicious attack methods. Many of these attacks are successful because critical updates were not applied to systems in a timely manner. A defense in depth strategy often works best when protecting applications on a network so updates and patches are done at the firewall, network servers and client computers. If automatic updates are not configured for operating systems and applications, there will be a greater need to manage manual updates efficiently. Having a strategy to test updates before deployment is important and these tests should be performed in a timely manner. Using services like SCCM or WSUS can simplify this testing process.


Windows Updates

Operating System Updates

WSUS Support
Configuring Automatic Updates

These updates will install fixes and patches to the operating system. They can be automatically installed from the Microsoft web-site or configured through a WSUS server created on the local network. Many updates occur in the background or after the user logs off or reboots. Some updates might have to reboot the system for the changes to take effect, which could disrupt work activity. The automatic reboot that some updates may cause can be disabled to prevent interruption of work activity on the system. The greatest control over updates is allowed with the configuration of a WSUS server. When clients are configured to get their updates directly from it instead of the Microsoft web-site, updates can be tested, staged or skipped altogether. You can control what groups of computers will get what updates and at what times.


Microsoft Updates

Microsoft Application Support

Integration with Windows Updates

In environments where Microsoft applications like Microsoft Office or SQL Server are used on the desktop, updates for those applications need to be done separately from the Windows Updates, since Windows Updates only apply to the operating system. Microsoft Updates presents a way to check for and fix problems with both the operating system and Microsoft applications installed on the computer. There will be no need to do separate Microsoft Office updates, for example. Once a computer starts using Microsoft Updates, it will automatically replace Windows Updates since it includes all the fixes available through that site. Once Microsoft Updates are configured on a computer, it will always be used even if you click the old Windows Update link.


Application Updates

Vendor Considerations

Automatic vs. Manual Updates


Mitigating Update Issues

Non-Microsoft applications on a desktop might also need updates from time to time. Like Microsoft Updates, a choice must be made as to whether automatic updates will be configured, or if they will be done manually. Automatic updates are more convenient but the vendor must be reputable and trusted. The timing of these updates and how they could disrupt user activity must also be considered. Manual updates allow the patches to be tested in a protected environment and for any bugs and compatibility problems to be worked out. In any environment where automatic updates are configured, a good backup plan should be in place along with a strategy for restoring systems that might be damaged by upgrades that went badly. Drive space and other resources needed by the upgrade must also be considered. The documentation that comes with the updates should also be checked. Some compatibility issues might have already been identified by the vendor and mitigation strategies already specified.


Lesson 5: Resolve Configuration Issues with Group Policy

Configuring WSUS

GPO Filtering
Other Configuration Options

GPO Tools

Group Policy objects can be used to fix and prevent software configuration problems on a desktop. The centralized nature of administration and the quick deployment of configuration changes make Group Policy an ideal tool for changing the desktop configuration in a network. GPOs can be used to control changes to the desktop configuration, limit access to the hard drive and manage the configuration of some applications. They can also be used to create testing groups when deploying new software or updates.


Configuring WSUS Updates

GPO Configuration

Reschedule Automatic Update


No Auto-restart

Enabling Windows Update Power Management


Delay Restart for Scheduled Installations

Having a WSUS server on a network allows administrators to deploy Windows and Microsoft Updates from a local server. Deployment can be configured to occur in a staged manner to specific groups of computers at scheduled times. Desktop computers will point to the Microsoft Update server on the Internet by default, but this can be changed through group policy settings.

In the Group Policy Object Editor, expand Computer Configuration > Administrative Templates > Windows Components > Windows Update. Edit the Configure Automatic Updates setting and choose the Enabled option. Even after this option is enabled, the administrator will still have additional options to specify how updates are done. These options include:

Notify for download and notify for install. This gives the end user the option to specify how and when updates are installed. This is the least disruptive option since it prevents installs that can interfere with the work users are doing.

Auto download and notify for install. This option still gives the user the option to specify when updates will be installed, but the files needed for the updates will be downloaded automatically when they become available.

Auto download and schedule the install. This option is chosen to make sure that updates are installed in a timely manner. It is possible that updates might interfere with work that is being done on the system at the time, especially if the update requires a reboot of the system. To prevent this problem, a time for the scheduled installations should be chosen when the desktop is not in use. The scheduling options allow a daily or weekly installation of updates.

Allow local admin to choose setting. If the user has administrative privileges, they will be able to specify when the updates are installed.

Once Automatic Updates are configured, use the Specify intranet Microsoft update service location setting to point to the URL of the WSUS server. The Enable client-side Targeting setting should also be enabled to allow WSUS to target specific updates to the desktop depending on its group membership. Other useful options include:


Reschedule Automatic Update Scheduled Installations. When updates are not installed at their scheduled time, they can be rescheduled to occur a set number of minutes after the computer is next started.

No Auto-restart with logged on users for scheduled automatic updates installations. To prevent disruption in user activity, any update that requires a reboot can be configured to wait until the logged in user does it. The user will be notified that a reboot is required. The updates will not take effect until the required restart of the system.

Enabling Windows Update Power Management to automatically wake up the system. When systems are hibernating, the Windows Power Management features can be used to wake up the system to allow the installation of the updates.

Delay Restart for scheduled installations. If an update needs to restart the system, the restart can be delayed for a specified number of minutes. This option can be used to give end-users time to complete any work they are doing on the computer.
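To confirm on a client that the Windows Update policy settings above actually arrived, the registry values they write can be checked. The following PowerShell is an added example, not part of the courseware; the server name, target group and sample values are constructed, and the HTTPS check is an addition that the course text does not cover.

```powershell
# Added example, not from the courseware. The Windows Update policy settings write
# their values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and its
# AU subkey; this function reviews those values. Sample data below is constructed.
function Get-PolicyValues([string]$Key) {
    # Return every value under a registry key as a hashtable (empty if the key is absent).
    $values = @{}
    $item = Get-Item -Path $Key -ErrorAction SilentlyContinue
    if ($item) { foreach ($name in $item.GetValueNames()) { $values[$name] = $item.GetValue($name) } }
    return $values
}

function Test-WsusClientPolicy {
    param([hashtable]$WU, [hashtable]$AU)

    # AUOptions values and the four Configure Automatic Updates choices.
    $modes = @{
        2 = 'Notify for download and notify for install'
        3 = 'Auto download and notify for install'
        4 = 'Auto download and schedule the install'
        5 = 'Allow local admin to choose setting'
    }
    $days = 'every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday', 'Saturday'
    $out  = @()

    if ($AU['NoAutoUpdate'] -eq 1) { $out += 'WARN  Automatic Updates is disabled (NoAutoUpdate=1)' }

    $opt = [int]($AU['AUOptions'])
    if ($modes.ContainsKey($opt)) {
        $out += ('INFO  Mode {0}: {1}' -f $opt, $modes[$opt])
    } else {
        $out += 'WARN  AUOptions is not set to one of the modes 2-5'
    }
    if ($opt -eq 4) {
        $day = $days[[int]($AU['ScheduledInstallDay'])]
        $out += ('INFO  Scheduled install: {0} at {1}:00' -f $day, $AU['ScheduledInstallTime'])
    }

    # Specify intranet Microsoft update service location
    $server = [string]($WU['WUServer'])
    if ($AU['UseWUServer'] -ne 1 -or -not $server) {
        $out += 'WARN  Client is not pointed at WSUS; it uses Microsoft Update on the Internet'
    } else {
        $out += ('INFO  WSUS server: {0}' -f $server)
        if ([string]($WU['WUStatusServer']) -ne $server) {
            $out += 'WARN  WUStatusServer differs from WUServer'
        }
        # Added check, beyond the course text: prefer an HTTPS WSUS URL.
        if ($server -notmatch '^https://') { $out += 'WARN  WSUS URL is not HTTPS' }
    }

    # Enable client-side targeting
    if ($WU['TargetGroupEnabled'] -eq 1) {
        $out += ('INFO  Client-side targeting group: {0}' -f $WU['TargetGroup'])
    } else {
        $out += 'WARN  Enable client-side targeting is not set'
    }

    # The four "other useful options"
    if ($AU['RescheduleWaitTimeEnabled'] -eq 1) {
        $out += ('INFO  Missed installs rescheduled {0} min after startup' -f $AU['RescheduleWaitTime'])
    }
    if ($AU['NoAutoRebootWithLoggedOnUsers'] -eq 1) {
        $out += 'INFO  No auto-restart while a user is logged on'
    }
    if ($AU['AUPowerManagement'] -eq 1) {
        $out += 'INFO  Windows Update may wake the system for scheduled installs'
    }
    if ($AU['RebootWarningTimeoutEnabled'] -eq 1) {
        $out += ('INFO  Restart delayed {0} min after a scheduled install' -f $AU['RebootWarningTimeout'])
    }
    return $out
}

# Constructed sample values (hypothetical server and group names).
$sampleWU = @{ WUServer = 'http://wsus01.corp.example:8530'
               WUStatusServer = 'http://wsus01.corp.example:8530'
               TargetGroupEnabled = 1; TargetGroup = 'Pilot-Desktops' }
$sampleAU = @{ UseWUServer = 1; NoAutoUpdate = 0; AUOptions = 4
               ScheduledInstallDay = 0; ScheduledInstallTime = 3
               NoAutoRebootWithLoggedOnUsers = 1
               RebootWarningTimeoutEnabled = 1; RebootWarningTimeout = 15 }
Test-WsusClientPolicy -WU $sampleWU -AU $sampleAU

# On a live client, feed it the real policy keys instead:
# $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
# Test-WsusClientPolicy -WU (Get-PolicyValues $base) -AU (Get-PolicyValues "$base\AU")
```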


GPO Filtering

Testing New Software

GPO Permissions
Group Assignment

When group policies are applied in the Active Directory hierarchy, any group of systems can be affected by the settings depending on the location of the OU that the computer and user account are in. When new updates are being tested, the normal policy inheritance hierarchy might not prove advantageous. Filtering the policy settings allows you to get around this problem. Normally GPOs are configured with permissions that give Authenticated Users Read and Apply Group Policy permissions. This allows the policy to affect all users in the hierarchy. When this permission is removed and specific groups of users are given these permissions, the policy will apply only to them. This configuration allows you to test new software and configuration changes for specific users, regardless of where they are located in Active Directory.


Other Configuration Options

Windows Firewall

Internet Explorer Maintenance


Slow Link Detection

Group Policy settings are extensible through the use of administrative template settings that allow you to manage registry settings on computers. This allows many applications to be modified after installation through a GPO. Other popular software configuration settings include:

Windows Firewall with Advanced Security. Inbound and Outbound rules can be configured to allow applications to run properly. Logging can be enabled to troubleshoot future problems and limits placed on the size of log files.

Internet Explorer Maintenance. In addition to logo and toolbar customizations, other application specific settings can be modified like proxy configuration, default programs for Internet resources and security zone options.

Slow Link Detection. This setting allows an administrator to control how the system applies certain policy settings if the network speed is 500 Kbps or slower (this default bandwidth setting can be changed). The settings will prevent the installation of new software and provide control over other options like IP Security, EFS, Scripts, Folder Redirection and Internet Explorer Maintenance.


GPO Tools

GPResult.exe

Gpupdate.exe
GPMC

When policy settings are not being applied or if they are not being applied in an expected fashion, GPO tools can be used to find and solve these problems.

GPResult.exe: This command-line tool is used to verify the policy settings that apply to a specific user and computer. It can be executed to retrieve information about remote computers. The results can be displayed in the command window or exported to a text file.

Gpupdate.exe: Gpupdate.exe is used to force group policy settings to be applied immediately on the local system. These policy settings can take up to 90 minutes to be updated on a computer after a change is made to a GPO. This tool allows an administrator to refresh the policy settings without logging off or rebooting the system. This option will not work for some settings, like the installation of new software assigned to computer objects.

GPMC: The Group Policy Management Console can be used to create, edit and move GPOs within the Active Directory hierarchy. It can also display reports about policy settings that will be applied when specific users log into specific machines. The user does not need to log in to the system for these reports to be run. What-if scenarios can also be created to find out how policy settings will be applied if computer and user accounts are moved to different OUs. Administrators can use this feature to be proactive in detecting configuration issues caused by planned changes in the future.


Lesson 6: Driver Updates

Device Manager

Compatibility Mode
Using Safe Mode
Driver Verifier

Driver stability has been improved in Windows 7 with additional features to detect function calls and actions that can disrupt applications or the operating system. Taking advantage of Driver Signing options can also protect the computer from faulty driver updates.


Device Manager

Identify Driver Information


Verify Device Installation

Rollback Driver Updates


Remote Configuration

When driver installs and updates create issues on a system, one of the first tools used to provide insight into such a problem is Device Manager. Details about how the driver is configured, the version number, conflicting settings and compatibility problems can be seen from this tool. In the case of new installs, Device Manager can be used to verify that the install was successful and that the device is seen and being used by the system. Conflicting device settings can be fixed and the driver version can be verified. Depending on the type of device being managed, the driver can be disabled or uninstalled. If an upgrade of an existing driver has caused a problem, the rollback feature in Device Manager can be used to revert the system to the older configuration. Older devices that require driver settings to be configured manually should be tested carefully. Windows 7 will not load existing drivers for components that are not found. This feature is useful on laptops that use different hardware components in different locations. The System Information tool (msinfo32.exe) or Device Manager can be used to remotely examine hardware components on computers.


Using Compatibility Mode

Changing Application Install Mode

Compatibility Options

Programs written for older operating systems will not always install their drivers properly during setup on Windows 7. To perform the setup in Compatibility Mode, right-click the install program and click on Properties to get access to the Compatibility tab. Choose the appropriate operating system and settings and then start the install process again.


Safe Mode

Some driver updates might cause the system to crash before allowing an opportunity to revert to an older driver. When the Last Known Good Configuration option is unable to resolve the problem, Safe Mode can be used to fix the problem. Boot the system in Safe Mode to either remove the device or uninstall the driver.

Driver Verifier

To isolate and troubleshoot driver problems on a computer, the driver verifier can be used. Specific drivers can be targeted to make sure that they access and use memory and other resources on the system properly. It can be run from the command-line (verifier.exe) with parameters or as a GUI tool to apply driver settings and then record violations of those settings. When driver issues are suspected of causing problems on a system, the verifier can be used to test existing drivers to find which ones might be the source of the problem. Specific driver names can be picked from a list if you have an idea which one is causing the problem. The tool can also detect which drivers were written for older operating systems and only check those. Unsigned drivers can also be isolated and tested. If the source of the problem is unclear, you can simply configure the tool to test all of them.
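
The command-line form of the cases described above (specific drivers, or all of them when the source is unclear), as an added example that is not part of the original courseware. New-VerifierCommand is a hypothetical helper and the driver names in its comments are placeholders; it only builds the verifier.exe command line and does not run it.

```powershell
# Added example: builds (does not run) a Driver Verifier command line.
# New-VerifierCommand is a hypothetical helper name.
function New-VerifierCommand {
    param(
        [string[]]$Driver,   # driver file names, e.g. 'example1.sys' (placeholder)
        [switch]$All,        # test every installed driver
        [string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers')
    )

    if ($All) { return 'verifier.exe /standard /all' }
    if (-not $Driver) { throw 'Specify -Driver <names> or -All.' }

    foreach ($name in $Driver) {
        # Accept plain file names only, so nothing else reaches the command line.
        if ($name -notmatch '^[\w.-]+\.sys$') {
            throw "Not a driver file name: $name"
        }
        # A misspelled name would otherwise be accepted and never verified.
        if (-not (Test-Path (Join-Path $DriverDir $name) -PathType Leaf)) {
            throw "Driver not found in ${DriverDir}: $name"
        }
    }
    'verifier.exe /standard /driver ' + ($Driver -join ' ')
}

# Suspected drivers (placeholder names):
#   New-VerifierCommand -Driver example1.sys, example2.sys
# Source of the problem unclear:
#   New-VerifierCommand -All
#
# Run the returned command from an elevated prompt and restart. Afterwards:
#   verifier.exe /querysettings   # drivers and checks that are configured
#   verifier.exe /query           # statistics for the drivers being verified
#   verifier.exe /reset           # clear the settings, then restart
# A detected violation stops the system with a bug check, so keep Safe Mode
# available as the place to run /reset if the computer cannot start normally.
```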

Lesson 7: Problem Steps Recorder

Creating Tutorials

Configuration Options

Some configuration problems are resolved remotely with the help of the end-user who will describe the problem to a technician over the phone. Sometimes the description given by the user is not very good because they do not remember the details of the problem or are unable to provide a good description. The Problem Steps Recorder is a new Windows 7 tool that is ideal for such situations. Its main use is to reduce the length and complexity of help desk calls, but it can help in other situations where technicians and end-users interact remotely. Using this tool, a user is able to record screen shots of what happened during the problem. It also documents mouse clicks and key strokes made by the user. The recording is saved in a zipped MHTML format that can be easily transferred over the network for analysis. The file also contains error messages and any comments added by the user for those errors. A detailed log with information recorded by the operating system about the errors is also included.

Creating Tutorials

Record Screen Shots

MHTML Formatting
Remote Diagnostics

The nature of this tool opens it up for many situations where the help of an IT Professional is needed. Besides its primary purpose of helping technicians remotely diagnose user problems, it may also be used to record problems with software being tested before general deployment. It can also be used to easily pass on information about a problem between different levels of IT support in an organization. Short tutorials can also be quickly created by technicians who want to give end-users specific directions about how to perform a certain operation. To walk a user through using this tool, have them execute the psr.exe file. From the Problem Steps Recorder, they can click the Start Record button when they are ready to duplicate the steps that caused the problem. As they walk through the steps that caused the problem, they might want to add their own comments about what they are doing. They can do this by clicking the Add Comment button and then typing a statement. Once all the steps are completed, they can click the Stop Record button. They will be given the option of saving a zipped MHTML file on their system. Once the technician gets a copy of the file, individual screen shots can be viewed or it may be run as a slide show.

Configuration Options

The Problem Steps Recorder has a number of configurable options. The default location where files are stored can be changed. The ability to capture screen shots can also be disabled. The technician would still be able to duplicate the problem from the mouse click and key stroke details that were recorded. The default number of screen shots in a recording session can also be modified. The default is 25, which means that if 40 screen shots are taken, the first 15 will not be a part of the file. Increasing the default setting in this case would solve the problem.

Resolve Software Configuration Issues

Review the scenarios and problems presented along with their solutions

Solving software configuration issues on a system is normally very straightforward. After the problem is diagnosed, a specific fix in the form of configuration changes, driver updates or feature changes is applied. Here are some scenarios where fixes might be applied quickly.

End users are complaining that the computers reboot after updates while they are working on the system. Modify the appropriate Group Policy settings to prevent reboots unless the user authorizes it.

Drivers for a new application will not install on the system because they are not signed or the signature is not trusted. The best solution is to get another driver with a trusted signature. If the driver was developed by a trusted source, like a developer within your company, make sure that it is properly tested and configure computers on the network to trust the local certificate authority that issued the certificate.

The driver for an older application is not installing properly because it was not developed for Windows 7. The best solution is to get a newer version of the application that was developed for Windows 7. If a newer compatible version of the application is not available, the setup program can be run in compatibility mode to allow the installation to work properly.

You suspect that drivers installed by an end-user are creating problems on a desktop. How can you find these drivers? The verifier.exe tool can be run from the command-line or GUI. It can test specific drivers, or all of them if you are not sure which one is the source of the problems.

You have tested a new Windows Update that interferes with an old Windows XP application that runs on most computers. How can you prevent the update from being installed on local systems? Local WSUS servers can be configured to prevent the install of any updates. After the application compatibility problem is fixed, the update can be deployed to network computers.

Some intranet web-sites will not display information properly in Internet Explorer 8. How can this problem be solved from the desktop? Configure Internet Explorer 8 to use the Compatibility View. This allows web-sites to be viewed as they would look from Internet Explorer 7.

Users are complaining about the number of UAC notifications they get when doing some operations on the desktop. How can you maintain the security of the system and accommodate these users? A new feature of Windows 7 is the ability to change the UAC notification level to reduce the number of prompts the users will receive.

You have an old Windows XP application that will not run properly on Windows 7, even in compatibility mode. What other option is available? Windows 7 Professional, Enterprise and Ultimate editions have a Virtual PC image with a fully licensed version of Windows XP on it. Applications written for Windows XP will most likely run without problems on these images. A Terminal Services deployment of the application might also be tested.

Many software deployment shares on your network contain the same software product. How can updates to these shares be maintained and kept consistent? Configure a DFS server and use the replication features to keep information in shares consistent.

The Problem Steps Recorder Tool is not recording all the screens for some of its recordings. What can you do to make sure that it keeps all of them? Change the default setting for the number of screen shots. The default is 25 but a higher number should be used when necessary.

A Group Policy deployed application is not being installed automatically on all computers as you expected. It is instead showing up as an option in Add/Remove Programs. How can you fix this? Change the GPO to have the application deployed on the computer side of the policy as an assigned software product.

You need to modify the home page on all browsers to point to a web-site on the intranet. How can this be done and enforced on all desktops? By using the Group Policy settings for Internet Explorer Maintenance.

Review Module 2: Resolve Software Configuration Issues

Examine the review questions as a class

1. What feature of WIM files allows them to reduce the drive space needed to store multiple images?

2. What command-line tool can be used to create new partitions?

3. What is the ImageX command-line utility used for?

4. What new feature of UAC can be used to reduce the number of elevation prompts?

5. True or False. Compatibility Mode options can be automatically applied to all users on a system.

6. What versions of Windows 7 support Windows XP Mode?

7. What happens if the NTFS & share permissions are not the same for users connecting over the network?

8. What DFS feature can be used to prevent users from viewing folders or files they do not have access to?

9. How are Windows Updates different from Microsoft Updates?

10. Why might an administrator disable automatic updates for some computers?

11. What tool can be used to test drivers installed on a system?

12. What tool allows you to revert to an older version of a device driver?

13. What permissions must a user have on a GPO for its settings to be applied to him?

14. What is a WSUS server used for?

15. What is GPO filtering?

16. What format are Problem Steps Recorder files stored in?

17. True or False. The ability to store screen shots in a Problem Steps Recorder file can be disabled.

Labs Module 2: Resolve Software Configuration Issues

Exercise 1: Install Windows Automated Installation Kit
Exercise 2: Use WAIK to create Windows PE Image
Exercise 3: Create a VHD disk using Disk Management
Exercise 4: Copy Windows 7 Install files to VHD
Exercise 5: Add a Boot menu option for the VHD file
Exercise 6: Use the Problem Steps Recorder

Overview: Install Windows 7 deployment tools. Create and work with a Virtual Hard Drive (VHD). Unless stated otherwise, use the Windows 7 image for this lab and login as Admin1 with a password of Pa$$w0rd. All ISO images will be on the local C: drive in the Labfiles folder.

Estimated time to complete this lab is 105 minutes


Exercise 1: Install Windows Automated Installation Kit (WAIK)

1. Mount the ISO image for the WAIK. (KB3AIK_EN.ISO)
2. Run the setup program for WAIK (StartCD.exe) as an administrator.
3. In the Welcome to Windows Automated Installation Kit window, click Windows AIK Setup.
4. Accept the licensing agreement and all the default settings to install the WAIK.

Exercise 2: Use WAIK to create a Windows PE bootable image

1. Click Start > All Programs > Microsoft Windows AIK.
2. Right click Deployment Tools Command Prompt and run as an administrator. Note: Use the Deployment Tools Command Prompt for all future executions of WAIK commands.
3. Use the CD command to navigate to the amd64 folder. (Your instructor will inform you if a different architecture is being used.)
4. Run the command: copype <A> E:\WINPE (<A> represents the architecture type, e.g. amd64)
5. Run the command: xcopy "c:\program files\windows aik\tools\<A>\imagex.exe" E:\WINPE\ISO (<A> represents the architecture type)
6. Create the Windows PE image named E:\WINPE\WINPE.ISO by running the command: oscdimg -n -bE:\WINPE\ETFSBOOT.COM E:\WINPE\ISO E:\WINPE\WINPE.ISO
7. This image can now be burned to a CD or USB flash drive for use on systems with a compatible architecture.

Exercise 3: Create a VHD disk using Disk Management

1. Create a folder on the E: drive named VHD7.
2. Open the Computer Management console.
3. Double click on Disk Management to view the available drives on the computer.
4. Right click Disk Management and choose Create VHD.
5. For the location type E:\VHD7\WINDOWS7.VHD
6. Change the VHD size to 20000 MB and use a dynamic virtual disk. Click OK.
7. Right click the new disk and choose the option to initialize it. (If unsuccessful, exit and restart Computer Management then try again.)
8. In the Initialize Disk window, choose the MBR partition style and click OK.
9. Right click on the new drive and choose the option to create a New Simple Volume.
10. Accept all the default settings in the New Simple Volume Wizard.
11. Once the drive is formatted, change the drive letter to V: and exit Computer Management.

Exercise 4: Use WAIK to copy Windows 7 install files to the VHD partition.

1. Use the Media option on the Virtual Machine Connection window to insert the Windows 7 ISO.
2. Click Start > All Programs > Microsoft Windows AIK.
3. Right click Deployment Tools Command Prompt and run as an administrator.
4. Run the command: imagex /info G:\sources\install.wim > info.txt. (This will create a text file that contains the index IDs for the different editions in the install.wim file.)
5. Open the info.txt file by running the command: Notepad info.txt.
6. Use the menu bar in notepad to open the Find window by clicking Edit > Find.
7. Search for the phrase <EDITIONID>Enterprise or <EDITIONID>Ultimate and locate the IMAGE INDEX number associated with it (e.g. <IMAGE INDEX=1>).
8. Close Notepad.
9. Run the command: imagex /apply G:\sources\install.wim <N> V:. (Note: <N> represents the IMAGE INDEX number from the previous step. This command will apply the installation image to the VHD.)
10. Use Windows Explorer or the Command Prompt to verify that the install files are on the V: drive.

Exercise 5: Add a Boot Menu option for the VHD file.

1. From the Command Prompt run: bcdedit.exe /copy {current} /d "Windows 7 VHD" (Note: This command will create a new GUID, which is a 32-digit hexadecimal number, in the boot loader. {current} automatically references the boot entry for the operating system currently running.)
2. Use the GUID from the command in the previous step to replace <ID> in the following commands:
   bcdedit /set <ID> device vhd=[E:]\vhd7\windows7.vhd
   bcdedit /set <ID> osdevice vhd=[E:]\vhd7\windows7.vhd
   bcdedit /set <ID> detecthal on
3. Run bcdedit /v to verify the new entry in the boot menu.
4. Restart the system and choose Windows 7 VHD from the Windows Boot Manager.
5. When the system reboots, make sure to choose Windows 7 VHD from the Boot Manager.
6. Verify the keyboard and other settings when presented and click Next.
7. When prompted, create a user account named Admin1 and use a computer name of Virtual1.
8. When prompted assign a password of Pa$$w0rd and use a password hint of Lab Password.
9. Leave the Product Key blank and uncheck the option to Automatically activate Windows when online.
10. Click Next.
11. Read and accept the license agreement. Click Next.
12. On the Help protect your computer and improve Windows automatically screen, choose Ask me later.
13. Assign appropriate Time Zone and date settings. Click Next.
14. On the Select your computer's current location window, choose Work Network.
15. Use Disk Management to examine the disk and drive letter assignments.
16. Reboot the computer and login to the original Windows 7 installation.

Exercise 6: Use Problem Steps Recorder to record the steps involved in installing a program

1. Click Start and in the Search programs and files box, type Problem Steps Recorder.
2. Click on Record steps to reproduce a problem.
3. In the Problem Steps Recorder window, press Alt + G and then open the Settings window.
4. Change the output location to E:\TEMP\PPVIEWER.ZIP and the number of screen captures to 50. Make sure the Enable screen capture option is set to Yes. Click OK.
5. In the Problem Steps Recorder window, press Alt + G and then open the Settings window. Choose the option to run the recorder as an administrator.
6. In the Problem Steps Recorder window, click Start Record and minimize the recorder.
7. From the Administrator: Command Prompt, run the command: \\NYCDC1\CLASSFILES\TOOLS\PPVIEWER.EXE
8. In the Power Point Viewer setup, accept the default options to install the application.
9. In the Problem Steps Recorder, click Stop Record and close the Problem Steps Recorder.
10. Use Windows Explorer to open the file E:\TEMP\PPVIEWER.ZIP
11. Double click on the mht file to open it in Internet Explorer. Examine the information recorded.

Module 3: Resolve Software Failure

Table of Contents
Overview
Lesson 1: Event Viewer
Lesson 2: Event Forwarding
Lesson 3: Application Compatibility Toolkit
Lesson 4: Windows Troubleshooting Platform
Lesson 5: Windows Experience Index
Lesson 6: Testing Compatibility with Safe Mode
Lesson 7: System Restore
Resolve Software Failure
Review Module 3: Resolve Software Failure Issues
Labs Module 3: Resolve Software Failure

Overview

Event Viewer
Event Forwarding
Application Compatibility Toolkit
Windows Troubleshooting Platform
Windows Experience Index
Testing Compatibility with Safe Mode
System Restore
Resolve Software Failure

Even the best efforts to be proactive in preventing software failures will not have 100 percent success. There must be a strategy in place to deal with application and operating system failures when they occur. The response to a problem depends on the severity of the failure and how much time will be given to bring the system back to a working condition. Examining system and application log files can provide helpful information in diagnosing the problem and in formulating possible solutions. Severe errors can be a precursor to more serious problems. Notifications can be set up to automatically send messages to administrators when resources are close to their limit. Some software and application failures can be fixed with upgrades, modifying feature settings or reinstallation. The Safe Mode and Last Known Good Configuration boot options are effective methods of quickly fixing some software issues as well. If the system cannot be fixed, using backups to restore data and system files might be the only option. To minimize the loss of information, System Restore options can be used as a part of the backup strategy. The Windows Easy Transfer tool allows user files and settings to be exported to a file and imported to a new computer quickly and easily. In this chapter, you will learn how to use different Windows 7 tools to solve software failure issues. Regardless of how severe the problem is, there is usually a method available to recover from it, if appropriate proactive measures are taken.

Lesson 1: Event Viewer

Event Log Types

Event Message Properties


Integration with Task Scheduler

Event Log Settings

The Event Viewer is used on Windows systems to monitor and troubleshoot issues on a computer. When there is a problem with an application, the logs in Event Viewer are one of the first areas checked to get more information about the details of a problem.

Event Log Types

The Application log stores information about programs running on the computer.

The Security log stores data about whether an attempt to use user rights was successful. To store information about how applications and users are accessing resources, some additional configuration might be necessary.

The System log stores general system information about how the operating system and its services are running.

The Setup log stores information about new application installs. Information here can help with problems that occurred during a recent installation.

In addition to logging computer events, the console can be customized to merge information from different machines and event log files to allow easier management of computers on the network. The filtering options make it easier to track down specific problems, and the integration with Task Scheduler allows you to configure automatic responses to events.

Event Message Properties

All events logged on a system have properties associated with them. The properties are:

Level: This is used to indicate the severity of the event. Information messages show a change in a system component that does not affect the stability of the system. Warning messages occur when the change to a component is more serious and might impact the stability or performance of the computer. Errors indicate that there is a problem that might affect the functionality of the computer. Critical messages are the most severe and indicate that some resource on the system has stopped functioning. Any of these severity levels can be seen in a system or application log. When working in the Security Log, the Level property will indicate either a Success Audit or Failure Audit. When user rights are used to accomplish some task, like changing permissions or logging onto a system, the computer can be configured to store these details for examination by an administrator.

Date and Time: The date and time the event was logged can be used to find out if other activities that occurred at the same time might have caused problems on the computer.

Source: The name of the software that logged the event is indicated here. Filtering on this parameter helps in knowing when and how often an application is experiencing problems on the system.

Event ID: This number identifies a particular type of event that can be researched using other tools. If a fix for a particular event ID has already been created, that solution can be easily found by doing research over the Internet (e.g. www.technet.com).

Computer: The name of the computer on which the event happened is only useful when events from multiple computers are being managed on a single system.


Integration with Task Scheduler

One of the most helpful troubleshooting features in Event Viewer is the ability to link a whole log file or a specific event in it with a task. If you are concerned about the activity on a computer and want to be notified whenever a particular event is logged, this option can be used to send email messages automatically when the event occurs. You can also configure an automatic response by running a program or script that will fix the problem. If a command-line tool is being executed, you can specify any needed parameters for it when the task is created. There is also an option to display a customized message in response to the event. Users can be warned about any improper actions they are taking and how the system might be affected by their current actions.

Event Log Configuration

Archiving Logs

Changing Log Location


Wevtutil.exe

The information in the log files can be very useful, but only if it allows you to examine information as far back as necessary. Log information is often kept for a minimum of 30 days to allow recent problems to be diagnosed more easily. Using the properties of any log file you can modify its size and location. The XML structure of the log files means that they store data more efficiently. Using the archiving option is one way to make sure that events are never overwritten. The configuration properties for the Event Viewer log files can also be managed from the command-line with the wevtutil.exe tool.
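The following added example (not part of the course material) shows one way to apply these settings with wevtutil.exe from an elevated PowerShell prompt. The log name, size, archive folder and optional new log path are assumptions.

```powershell
# Added example: inspect, export and reconfigure an event log with wevtutil.exe.
$LogName    = 'Application'
$MaxBytes   = 100MB                 # assumed size; choose one that covers your retention window
$ArchiveDir = 'D:\LogArchive'       # hypothetical folder for exported copies
$NewLogFile = $null                 # optional, e.g. 'D:\EventLogs\Application.evtx' (hypothetical)

function Get-LogSetting {
    param([string]$Name)
    # "wevtutil gl" (get-log) prints "key: value" lines; collect them in a hashtable.
    $settings = @{}
    foreach ($line in (wevtutil.exe gl $Name)) {
        if ($line -match '^\s*(\w+):\s*(.*)$') { $settings[$Matches[1]] = $Matches[2].Trim() }
    }
    $settings
}

# 1. Record the current configuration so the change can be reviewed later.
$before = Get-LogSetting $LogName
"Before: maxSize=$($before['maxSize']) retention=$($before['retention']) autoBackup=$($before['autoBackup'])"

# 2. Export a copy of the log before changing anything ("epl" = export-log).
if (-not (Test-Path $ArchiveDir)) { New-Item -ItemType Directory -Path $ArchiveDir | Out-Null }
$exportFile = Join-Path $ArchiveDir ("{0}-{1:yyyyMMdd-HHmmss}.evtx" -f $LogName, (Get-Date))
wevtutil.exe epl $LogName $exportFile

# 3. Change the settings ("sl" = set-log):
#    /ms = maximum size in bytes
#    /rt:true = keep existing events instead of overwriting them
#    /ab:true = archive the log automatically when it is full (requires /rt:true)
wevtutil.exe sl $LogName "/ms:$MaxBytes" /rt:true /ab:true
if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }

# 4. Optionally move the log file. The folder must already exist and the
#    Event Log service must be able to write to it.
if ($NewLogFile) { wevtutil.exe sl $LogName "/lfn:$NewLogFile" }

# 5. Verify that the settings were applied.
$after = Get-LogSetting $LogName
"After:  maxSize=$($after['maxSize']) retention=$($after['retention']) autoBackup=$($after['autoBackup'])"
if ($after['retention'] -ne 'true' -or $after['autoBackup'] -ne 'true') {
    Write-Warning "Log '$LogName' can still overwrite events when it fills up."
}
```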


Lesson 2: Event Forwarding

Event Forwarding Configuration

Creating Subscriptions

Managing application and operating system failure on a large number of desktops can be tedious without an enterprise monitoring solution. Managing the errors and logs from a central location is more efficient and makes it easier to find and track trends in system performance. Windows 7 does not have a built-in enterprise monitoring solution, but the features of Event Forwarding will allow an administrator or desktop technician to use some of the functionality of such a tool.

Event Forwarding Configuration

Collector Computers

Permissions
Network Settings

Collector computers can be configured to copy log details from multiple source machines on the network. All the log information can be collected, or specific events that are deemed important can be collected. The data being sent can be limited to a particular period of time, like 30 days, or a date range can be specified. Events can be gleaned from specific log files or be marked based upon the source of the event. Event IDs, keywords and categories can also be used to filter the messages that will be forwarded. The default destination log on the collector for these events is called Forwarded Events, but an alternate log like System or Application can also be designated. When necessary, a specific account with read access to the log information on the source computer can be specified. Otherwise, the computer account can be used. For computers that will not always have adequate bandwidth for sending messages to the source machines, the delivery optimization settings allow you to specify alternative settings that can minimize bandwidth usage. Events forwarded over the network are normally retrieved by the collector using HTTP on port 5985, but the port number can be modified and secure HTTPS used for better security.


Creating Subscriptions

Using GPO Settings

Windows Remote Management


Creating Events

A collector-initiated subscription can be configured manually by using the Event Viewer to add each source computer as a new subscription and specifying what information will be collected and where it will be stored locally. For larger networks where there are more than a few machines or if the machine names will change regularly, using a source-initiated subscription will be the better option. Using group policy, the designated computers can be configured as source machines that will forward events to a collector computer. To do this, open a GPO and go to Computer Configuration > Administrative Templates > Windows Components > Event Forwarding. This feature is supported on both Windows 7 and Vista desktops. Both the source and collector computers must be configured to support Windows Remote Management. Running the command winrm.exe qc -q with administrator privileges will accomplish this. The Event Collector service must also be configured on the collector. The command wecutil.exe qc /q will do this. Multiple independent Event Collectors can be set up on the network or a single collector can be configured from which others will pull their events. Specific collectors might also be configured to collect different types of events like security, setup or application information. These systems should only collect information pertinent to the job duties of a technician to avoid a situation where too many messages will mean ignoring all of them.
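The following added example (not part of the course material) prepares a collector and creates a source-initiated subscription from an XML definition. The subscription name, the collector host name in the comment, the batching values and the query (Critical and Error events from the Application and System logs) are assumptions.

```powershell
# Added example: run from an elevated PowerShell prompt on the collector.
winrm.exe quickconfig -q     # long form of "winrm.exe qc -q"; also run this on each source
wecutil.exe qc /q            # configure the Windows Event Collector service

$subscriptionId = 'DesktopErrors'    # hypothetical subscription name

$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$subscriptionId</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Critical and Error events from desktops</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <!-- Named modes are Normal, MinLatency and MinBandwidth; Custom uses the Delivery block below -->
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching>
      <MaxItems>5</MaxItems>
      <MaxLatencyTime>300000</MaxLatencyTime>
    </Batching>
    <PushSettings>
      <Heartbeat Interval="1800000"/>
    </PushSettings>
  </Delivery>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0">
          <Select Path="Application">*[System[(Level=1 or Level=2)]]</Select>
          <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <!-- http uses port 5985; use https once the collector has a server certificate -->
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <!-- SDDL: allow Domain Computers (DC) and Network Service (NS) to forward events -->
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
"@

# Write the definition without a byte-order mark and create the subscription.
$path = Join-Path $env:TEMP "$subscriptionId.xml"
[System.IO.File]::WriteAllText($path, $subscriptionXml)
wecutil.exe cs $path
if ($LASTEXITCODE -ne 0) { throw "wecutil cs failed with exit code $LASTEXITCODE" }

wecutil.exe es                    # list all subscriptions on this collector
wecutil.exe gs $subscriptionId    # show the stored configuration
wecutil.exe gr $subscriptionId    # runtime status, including sources that have checked in

# On the source computers, the Event Forwarding policy named in the text points
# at the collector with a value of this form (collector01.example.com is hypothetical):
#   Server=http://collector01.example.com:5985/wsman/SubscriptionManager/WEC,Refresh=60
```

Sources appear in the runtime status only after they have applied the policy and contacted the collector.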


In some cases, the collectors are configured to generate messages automatically in response to certain errors that need an immediate response. These message configurations can be tested using the eventcreate.exe command. This command-line utility can generate events that are logged in the Event Viewer. One example of this command is eventcreate.exe /s desktop02 /id 900 /t error /l application /d "This is a test". This command would generate an event on a computer named desktop02 with an event id of 900. The event would be classified as an error in the application log file and would show a description of "This is a test". Testing task scheduler messages with this tool will allow you to ensure that when the actual event happens, the expected response will take place.
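The following added example (not part of the course material) covers both the Task Scheduler integration described earlier and the eventcreate.exe test above: it attaches a task to event ID 900 and then confirms that the trigger fires. The task name and the response script path are hypothetical.

```powershell
# Added example: run from an elevated PowerShell prompt on the computer being tested.
$taskName = 'OnEvent900'                                                   # hypothetical task name
$action   = 'powershell.exe -NoProfile -File C:\Scripts\OnEvent900.ps1'    # hypothetical response script

# XPath filter for the trigger: events written by eventcreate.exe (its default
# source name is EventCreate) with event ID 900.
$query = "*[System[Provider[@Name='EventCreate'] and (EventID=900)]]"

# 1. Create a task that runs whenever a matching event is logged.
#    /SC ONEVENT = event trigger, /EC = log (channel) to watch, /MO = XPath query.
schtasks.exe /Create /TN $taskName /SC ONEVENT /EC Application /MO $query /TR $action /F
if ($LASTEXITCODE -ne 0) { throw "schtasks /Create failed with exit code $LASTEXITCODE" }

# 2. Generate the test event locally. Add "/s desktop02" to write it on a remote
#    computer instead, as in the text above.
eventcreate.exe /id 900 /t error /l application /d "This is a test"

# 3. Confirm the event was logged and review its properties
#    (date and time, event ID, level, source, computer).
Start-Sleep -Seconds 5
$filter = @{ LogName = 'Application'; ProviderName = 'EventCreate'; Id = 900 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 1 |
    Format-List TimeCreated, Id, LevelDisplayName, ProviderName, MachineName, Message

# 4. Confirm the task ran in response to the event.
schtasks.exe /Query /TN $taskName /V /FO LIST | Select-String 'Last Run Time|Last Result'

# 5. Remove the test task when finished.
schtasks.exe /Delete /TN $taskName /F
```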


Lesson 3: Application Compatibility Toolkit

Compatibility Issues

Mitigating Compatibility Problems

The failure of an application to run properly on desktop computers is often due to compatibility issues with the software, drivers or hardware components on the system. Sometimes compatibility issues might arise when working with Internet or Intranet web-sites. All of these situations can be diagnosed, and sometimes fixed with the Application Compatibility Toolkit. While it is best to use this tool before deploying an approved application, it can also be used to fix issues that come up after the fact. It can also be useful in determining if software updates will affect the system.

Compatibility Issues

User Account Control

Internet Explorer Protected Mode


Operating System Version Changes

64-bit vs. 32-bit Applications


Windows Resource Protection Deprecated Features & Files

Some of the compatibility issues that come up for older applications might be because of new features in Windows 7 and Internet Explorer 8. The following technologies are common areas where issues might come up:

User Account Control: UAC is a security feature that limits permissions on a system when an administrator logs in. It prevents unauthorized applications from using elevated privileges to perform malicious operations. Applications that do not support UAC often show this during the install phase, but some problems might only surface when the application is being used.

Internet Explorer Protected Mode: This feature also protects against malicious programs using elevated privileges to perform unauthorized actions. Legitimate web applications that need to install resources or modify system files and registry entries might also be affected.

Operating System Version Changes: Some applications will not install or run properly unless they are running on a system that uses the specified version number for the operating system. The major version number of Windows XP is 5, Windows Vista is 6 and Windows 7 is 7. In most cases, the application developer will have an upgrade that solves this problem. Before upgrading the operating system, the Windows 7 Upgrade Advisor can be used to generate a report that lists applications that might have compatibility problems with Windows 7. The report will sometimes provide recommendations that fix the listed problems. The Windows 7 Upgrade Advisor can be freely downloaded from the Microsoft web-site.

64-bit vs. 32-bit Applications: 32-bit applications can be run on the 64-bit version of Windows 7, but they are executed in the Windows on Windows 64 (WOW64) emulator. This will not work for all applications and sometimes an upgrade will be necessary. The emulator might also work for some 16-bit applications, but these must be tested thoroughly.

Windows Resource Protection: Some older programs and software are designed to modify registry areas and system files that are now protected in Windows 7. WRP allows those applications to work by redirecting them to unprotected temporary work areas instead.


Deprecated Features & Files: Some options and files that were available in Windows XP and Vista are no longer supported in Windows 7. Support for, and application updates to, software that uses Session 0 features, GINA DLLs and other options that are slated for removal should be considered carefully.

Mitigating Compatibility Issues

Registry Changes

Removing Files
Application Configuration

The ACT can give suggestions on fixing compatibility problems. Some of the suggestions might involve changes to applicable registry entries. These might change how and if version information is passed to the application or where in the registry data is written to. In some cases, the solution might involve removing certain files or registry settings or simply instructing the program to ignore the error if its implications are not considered serious.


Lesson 4: Windows Troubleshooting Platform

Operating System Troubleshooters

Creating Troubleshooters
Troubleshooting Pack Components

When users are able to quickly resolve software problems on their own, this increases their productivity and reduces the administrative load of IT technicians. The Windows Troubleshooting Platform helps in this area by helping end users to detect and solve computer problems on their own. This is accomplished through the use of built-in troubleshooters. Additional troubleshooters can be created by internal developers and other IT professionals for issues that can be solved without the assistance of help-desk staff.

Operating System Troubleshooters

Fix Hardware Problems

Fix Configuration Problems


Action Center

Download Troubleshooters

The built-in troubleshooters are available to fix problems related to audio, video and performance issues. The program compatibility tool can also be executed to find and fix problems with older software. They can be launched from the Control Panel by going to System and Security and then to the Action Center. Additional troubleshooters can be downloaded to resolve known problems. The troubleshooters can be configured to automatically fix the issues they find or to list them without applying a solution.


Creating Troubleshooters

PowerShell Scripts

WMI Components
Software Development Kit

The extensibility of this feature makes it very useful for fixing common software problems that might come up from time to time. Software issues that used to be solved by sending technicians to desktops or by issuing detailed instructions to end-users are now fixed by using preconfigured troubleshooting solutions. Troubleshooting packs are a collection of PowerShell scripts and relevant metadata. They use a standard wizard that provides a similar experience for built-in and customized troubleshooters. Even without development experience, these solutions can be created by technicians with some knowledge of Windows Management Instrumentation and PowerShell scripting. The WMI components will allow the creation of troubleshooters that fix problems with the operating system, devices, peripherals and network resources. The Windows 7 SDK is used to create Troubleshooting Packs by using the TSPBuilder.exe utility. Deployment of customized troubleshooting packs can be done manually or through Group Policy Objects. The certificate used to sign the pack must be trusted by the desktops that will use it, and this trust can also be configured through GPO settings.

Troubleshooting Pack Components

Troubleshooter Script

Root Cause
Resolver Script

Verifier Script

Each troubleshooting pack is made up of a troubleshooter script, one or more root causes, a resolver script and a verifier script:

Troubleshooter Script: This script is the starting point for the troubleshooter and it will specify the verifier script or scripts that will be executed to find the root cause of the problem. The root causes can be automatically fixed or presented to the end user for examination.

Root Cause: This is the problem that the troubleshooter is being executed to fix. Each problem will have a resolver associated with it and there can be multiple root causes or resolvers per troubleshooter.

Resolver Script: The script associated with a particular root cause or problem.

Verifier Script: These scripts are used to detect root causes and to verify that the resolver has fixed the problem.

Each troubleshooting pack project will have a name and other particulars assigned to it like a version number. A proper description and information about supported platforms should also be included in the metadata.


Lesson 5: Windows Experience Index

How to Use the Base Score

Optimizing Performance with Base Score Information

Some software problems on a system might be due to hardware components that perform poorly although they meet or exceed Windows 7 minimum requirements. One way to find out how Windows applications will perform on a computer is to get the Windows Experience Index base score for it. The base score ranges from 1.0 to 7.9 with higher numbers indicating that you should get better performance on the system. The standards for the tests will sometimes change, so more information about a certain type of hard-drive might result in it getting a lower base score than it received previously. The base score of a system is based on the subscores of individual hardware components. The processor, memory, hard drive and graphics components are rated individually using the same scale as the base score and the lowest subscore will become the base score for the computer. If it is found that some applications will not perform properly on machines with a low base score, that information can be used to make decisions on future deployments.

How to Use the Base Score

Subscores

2.0
3.0

4.0 5.0
6.0

To view the base score on a computer, open Performance Information and Tools in the Control Panel. If the score is not already displayed, click the Rate this computer button to get your rating. Since the lowest subscore is always used, the base score will represent the minimum performance level expected from that computer. A score of 2.0 or less means that the machine can perform general computing tasks like running desktop applications or Internet browsing. A rating of 3.0 or higher would be needed to run Aero and other basic Windows 7 features. A score of between 4.0 and 5.0 means the system can run multiple applications at the same time and easily support new Windows 7 features. Scores of 6.0 and higher indicate that the system can perform graphics-intensive operations and carry out tasks that require disk-intensive operations.


Optimizing Performance using Base Score

High scores on all but one component can significantly affect a computer's base score. If graphics, memory and processor components are all rated above 6.0 but the hard-disk is rated 2.0, the base score cannot be higher than 2.0. In some cases, improving sub-components might be practical to allow an existing machine to support an application. Here are some suggestions for improving the Windows Experience Index score by fixing the component that is performing the worst:

Hard-Disk: Clean up the drive by deleting unnecessary files or moving them off the primary hard drive. The score might improve if more free space is available. Defragmenting the drive is also recommended and adjusting the indexing options can speed up searches for files on the computer.

Graphics: Modify the visual effects to reduce the load on the graphics card and adjust display settings.

Memory / Processor: Reduce the number of programs that start up automatically at boot time and disable or set to manual services that are not needed or used regularly.

Other things that might be changed to improve performance include the power settings, device drivers and using ReadyBoost features. After the improvements are made, the assessment can be re-run to see if the base score improves.


Lesson 6: Testing Compatibility with Safe Mode

Safe Mode

Safe Mode Options

Some application problems can be diagnosed by starting the system in Safe Mode to disable unnecessary devices and drivers. From Safe Mode, you can use a minimal set of drivers or run virus and spyware scans to see if the program performs differently. Offending programs and drivers can also be disabled or uninstalled. Repair programs that will not work during a normal boot might run properly from Safe Mode. Problems with registry settings corrupted by an application can also be fixed or restored from backup.


Safe Mode

Safe Mode

Safe Mode with Command Prompt


Safe Mode with Networking

The Safe Mode options that are available include the following:

Safe Mode: The computer starts with the normal GUI but only critical drivers and services will be running. The network drivers are also disabled. The option is often used to test local programs that do not need network access. Make sure that all the resources needed for the test are on the local drive or on DVD and other easily accessible media.

Safe Mode with Command Prompt: Only critical drivers and services are loaded, but the interface will be the command prompt. The GUI and networking components are disabled. This is normally used when the option above is not usable because of problems with video drivers. The help options can be used to get information about parameters needed for command-line tools used to make changes to the system.

Safe Mode with Networking: Has all the features of Safe Mode with a minimal configuration, but the networking components will be enabled. For applications that are only accessible over the network or that need network resources, this option provides that access. If web-sites or web applications are being tested, it might also be necessary to disable add-ons and test compatibility options in Internet Explorer.

Safe Mode Options

Malware Check

Delete User Profile


Check Log Files

In addition to the above options, Safe Mode can be loaded with the boot log option to store the startup processes in Ntbtlog.txt, base video to use a minimal VGA configuration or OS boot information to show the driver names as they are being loaded during the startup process. These options are available during startup by pressing F8 or by changing the boot options with bcdedit.exe. The boot options can also be managed with the System Configuration tool by running msconfig.exe. The System Configuration tool provides the additional option to make the boot option changes permanent. While in Safe Mode, it is sometimes advantageous to do a virus and spyware scan to make sure that this is not the cause of the application problem. Deleting the existing user profile or using a different one is another useful test. The Event logs should also be checked for additional details that might point to the source of boot or application problems. If Safe Mode cannot be used during system startup, then hardware issues like faulty memory or hard disks might be the problem. BIOS configuration changes might cause some boot problems. A scan for malicious software that does not involve booting the local operating system might be needed to fix some problems.


Lesson 7: System Restore

Configuring System Restore

How to Use

The System Restore feature allows the configuration of the machine to be reverted to an older setup. When application changes cause problems on the computer, this feature allows you to bring the system back to a working state by using an older configuration. It allows these restores to take place without losing or changing user documents on the machine. Only registry settings, system files and programs are modified during a restore. Changes to script and batch files are also saved. The tools also make it easy for users to perform these tasks on their own.

Configuring System Restore

Automatic Restore Points

System Restore Tool


Startup Options

If the application problems do not prevent you from logging into the computer, System Restore can be accessed from the System Tools folder under Accessories. It can be used to manually create restore points. Automatic restore points are created when doing updates or installing new software. Weekly restore points are also scheduled by default. Any saved restore point can be used. The tool allows you to see a list of applications that will be affected by doing a specific restore. Some programs might need to be reinstalled after the changes. The System Restore tool is also accessible through the startup options when you press F8. When you choose the Repair Your Computer option, it loads the System Recovery Options from which you have access to System Restore. It will provide the options to choose restore points and verify affected programs identical to the interface in System Tools.


How to Use System Restore

Schedule Restore Points

Undo System Restore


Requirements

When system files are corrupted or deleted, it is often best to use the most recent restore point. If the application causing the problems has been showing signs of problems for some time, however, an older restore point might be more prudent. Always verify the applications that will be affected by the changes. Automatic restore points will have a descriptive name assigned to them based on the change that was made, like Installed New Software. Windows updates will also create restore points. Those that are manually created should have a descriptive name assigned to them. All restore points will have a date and time stamp associated with them.

System restores can be undone if they do not have the desired effect. Restore points are created each time you apply a system restore. This is not the case, however, when doing restore operations in Safe Mode or when using the System Recovery Options. If there is uncertainty as to which restore point to apply, try applying other available points until the problem is fixed. If software needs to be reinstalled, the application problem should be tested again after this.

System Restore is automatically turned on for computers as a part of the System Protection feature. It requires that the system use the NTFS file system. The amount of drive space used for restore points can also be controlled, and old restore points can be deleted to free up space. When new restore points are created and the drive resources set aside for this purpose are already used up, older restore points will be automatically deleted to make room for the new ones.


Resolve Software Failure

RESOLVE SOFTWARE FAILURES


Review the scenarios and problems presented along with their solutions

The productivity of users is directly affected by whether or not their computers are working. System problems on desktops need to be resolved quickly to maintain access to the resources needed to complete job tasks. The restore options in Windows 7 make it easier for technicians to diagnose and fix problems. They also allow users to easily fix some problems on their own. Here are some problems that might arise and how to fix them.

An error message keeps appearing on the screen when a user works with a particular application. Verify the error message in the Event Viewer and find a solution to it using the Knowledge Base or other resources at www.technet.com.

You want to mitigate any compatibility issues that might occur with an older application before deploying it to network computers. Use the Application Compatibility Toolkit to verify if there will be any problems and to get suggestions as to how they can be fixed.

The installation of a new application crashes a computer and you are not able to log back into the computer. Use the Last Known Good Configuration and if that does not work, try using Safe Mode to boot the system and remove the application.

A recent Windows Update is interfering with a custom application that is needed by all users. How can you fix the application quickly? Use the System Restore tool to revert to the system configuration the machine had before the Windows Update.

A recent problem with a critical application only happens on computers that have a certain operating system feature disabled. How can you easily test computers for this feature and apply the fix if they need it? Create a Troubleshooting Pack and deploy it using a GPO.


You support an application that sometimes generates a non-critical error message when being used. How can you configure an automatic response to these errors? Use the Event Viewer to attach a task to that error event. This can be managed from a single computer by using Event Forwarding.

You need a consistent system of rating the performance of network computers so better decisions can be made when deploying new applications. What system is already in place that can be used to do this? Use the Windows Experience Index, which rates the performance of hardware components on the desktop.

A user is having trouble explaining what they did before getting an error message in an application. Without connecting to their desktop, how can you get better details about what they are doing? Have the user run the Problem Steps Recorder to create a record of what they did, then have them send the file to you.

You are unable to run an Intranet web-site application from some of the computers on the network. How can this problem be diagnosed? Try the compatibility mode in Internet Explorer. You can also try connecting to the web-site in Safe Mode to see if other application drivers might be causing a problem.

You need to generate an error and send a notification of it whenever users run a script by developers. How can these tasks be done? Use the eventcreate.exe command to generate the error message in Event Viewer and attach a task to that event that will send an email or display a message.
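The last scenario above, as an added sketch that is not part of the courseware: it attaches a scheduled task to a custom error event, raises that event with eventcreate.exe, and reads it back. The source name DevScript, event ID 100, the task name and the msg.exe action are assumptions chosen for illustration; run it from an elevated PowerShell prompt.

```powershell
# Added example. Source name, event ID, task name and task action are illustrative assumptions.
$Source  = 'DevScript'          # custom event source; must not belong to another application
$EventId = 100                  # eventcreate.exe accepts event IDs from 1 to 1000
$Task    = 'Notify-DevScript'

# 1. Attach the task first, so the very first occurrence of the event triggers it.
#    /SC ONEVENT takes the log name in /EC and an XPath event filter in /MO.
$query = "*[System[Provider[@Name='$Source'] and EventID=$EventId]]"
schtasks.exe /Create /F /TN $Task /SC ONEVENT /EC Application /MO $query `
             /TR 'msg.exe * A developer script was run on this computer'
if ($LASTEXITCODE -ne 0) { throw "schtasks.exe failed with exit code $LASTEXITCODE" }

# 2. This is the line the developers' script would call to record the error.
eventcreate.exe /T ERROR /ID $EventId /L APPLICATION /SO $Source `
                /D "Developer script run by $env:USERNAME on $env:COMPUTERNAME"
if ($LASTEXITCODE -ne 0) { throw "eventcreate.exe failed with exit code $LASTEXITCODE" }

# 3. Confirm that the event reached the Application log and that the task exists.
Start-Sleep -Seconds 2
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $Source; Id = $EventId } `
             -MaxEvents 1 |
    Format-List TimeCreated, Id, LevelDisplayName, Message
schtasks.exe /Query /TN $Task /FO LIST

# Cleanup when the test is finished:
#   schtasks.exe /Delete /TN $Task /F
```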


Review Module 3: Resolve Software Failure Issues

REVIEW
Examine the review questions as a class

1. What are the four possible levels that events can have in the system or application logs?

2. What command-line utility can be used to manage Event Viewer log files?

3. What tool is used to configure Remote Management on a desktop?

4. What can the eventcreate.exe command be used to do?

5. What service manages subscriptions to events from remote computers?

6. What functionality is provided by Windows Resource Protection?

7. What feature allows 32-bit applications to be run on Windows 7 64-bit operating systems?

8. What kind of scripts are used to design a troubleshooting pack?

9. What tool is used to create troubleshooting packs?


10. What three different types of scripts might you create in a troubleshooter pack?

11. How is the Windows Experience Index base score calculated?

12. How can the Windows Experience Index subscore of the primary hard disk be improved?

13. What tool can be used to change the boot options for a computer?

14. True or False. Drivers and Services can be disabled using Safe Mode with Command-Prompt.

15. True or False. System Restore can be used to retrieve deleted user files.


Labs Module 3: Resolve Software Failure

Exercise 1: Install Applications written for older O.S.
Exercise 2: Using the Program Compatibility Tool
Exercise 3: Disable the Network Adapter
Exercise 4: Use the Troubleshooter to Enable the Adapter
Exercise 5: Create PowerShell script for Troubleshooter
Exercise 6: Install Windows 7 SDK
Exercise 7: Create a Troubleshooting Pack with the SDK
Exercise 8: Configure Event Forwarding
Exercise 9: Configure System Restore

Overview: Test the Program Compatibility tool on applications written for older versions of Windows. Use the Software Development Kit to create and test a Troubleshooter. Configure System Restores. Install Windows 7 deployment tools. Start both the Windows 7 client (Student1) and the domain controller images for this lab. If there are connectivity issues during the exercises, temporarily stop the Windows Firewall service.

Estimated time to complete this lab is 120 minutes.


Exercise 1: Install applications written for older versions of Windows
1. Copy xlviewer.exe from \\NYC-DC1\CLASSFILES\TOOLS to E:\TEMP.
2. Install it using the default settings. Run the installation as an administrator.
3. Execute the application to make sure it runs without error messages.

Exercise 2: Use Program Compatibility tool to configure settings for older applications
1. Click Start > Control Panel (Change the View by: option to Category.)
2. In the Control Panel go to Programs > Run programs made for previous versions of Windows.
3. From the Program Compatibility window, click Advanced, then click Run as administrator.
4. Click Next.
5. Select Microsoft Office Excel Viewer 2003 from the list and click Next.
6. Choose Try Recommended Settings.
7. Notice the compatibility mode applied.
8. Click Start the program to verify that it runs without errors and then close the program down.
9. In the Program Compatibility window, click Next.
10. Click Yes, save these settings for the program.
11. Click View detailed information to see the Troubleshooting report.
12. Click Next then click Close.

Exercise 3: Disable the Network Adapter by using PowerShell


1. Open the Command Prompt as an administrator.
2. Type powershell.exe and execute it. (Note: Notice the change in the prompt, with PS indicating that you are in a PowerShell session.)
3. Use the ipconfig /all command to get the MAC / Physical address of your adapter and make a note of it. MAC Address ____________________. Note: represent the MAC address as being delimited by colons ( : ) instead of dashes ( - ).
4. Get more information about the adapter from WMI by running the following command: get-wmiobject win32_networkadapter | where {$_.MACAddress -eq "<MAC>"}. <MAC> represents the MAC address delimited by colons ( : ) instead of dashes ( - ).
5. Assign the adapter information to a variable named $NIC with the following command: $NIC = get-wmiobject win32_networkadapter | where {$_.MACAddress -eq "<MAC>"}.
6. Disable the network adapter using the variable: $NIC.disable() (Note: The $NIC.enable() command could enable the NIC but we will use the Troubleshooter instead.)
7. Run ipconfig to verify that the network adapter is disabled.

Exercise 4: Use the Troubleshooter to enable the network adapter


1. Click Start and in the Search programs and files window, type Network Diagnostics.
2. Click Identify and repair network problems.
3. The Windows Network Diagnostics window should indicate that the adapter is disabled. Click View detailed information.
4. Click Next.
5. Click Try these repairs as an administrator.
6. After the adapter is enabled, click Close.

Exercise 5: Configure Powershell scripts to change the NICs IP address (To be used when creating the Troubleshooter with the SDK)
1. Open an Administrator: Command Prompt.
2. Run powershell.exe
3. Get the execution policy for scripts by running this command: Get-ExecutionPolicy
4. Configure the system to execute PowerShell scripts: Set-ExecutionPolicy unrestricted
5. Verify that the execution policy is now set to unrestricted: Get-ExecutionPolicy
6. Exit PowerShell, but stay in the Command Prompt.
7. Run the command: xcopy \\NYC-DC1\classfiles\MOD03\*.ps1 e:\temp\ /s/v
8. Modify the E:\Temp\static_ip.ps1 file with notepad and replace the MAC address in the script with the one for your NIC. Save the file.
9. Modify the E:\Temp\dynamic_ip.ps1 file with notepad and replace the MAC address in the script with the one for your NIC. Save the file.
10. Run the command: powershell.exe e:\temp\static_ip.ps1
11. Use ipconfig to verify that the machine now has a static IP address.
12. Run the command: powershell.exe e:\temp\dynamic_ip.ps1
13. Use ipconfig to verify that the machine is using a dynamic IP address.
14. Run the static_ip.ps1 script again to change the IP back to a static address.
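Step 4 sets the execution policy to unrestricted for the whole machine, and the setting stays in place after the lab. The added example below (not part of the lab files) shows the weak setting beside two narrower ways to run the same scripts, plus a check for scopes left wide open. The function name Get-OpenPolicyScope and the $restoreTo value are assumptions; the script paths are the ones from Exercise 5.

```powershell
# Added example (not part of the lab files). Run from an elevated PowerShell prompt.

# Execution policy is evaluated per scope; the first scope that is not Undefined wins:
#   MachinePolicy, UserPolicy (both set through Group Policy), Process, CurrentUser, LocalMachine.
Get-ExecutionPolicy -List | Format-Table Scope, ExecutionPolicy -AutoSize

# Weak setting used in step 4: machine-wide, persistent, applies to every user and every script.
#   Set-ExecutionPolicy Unrestricted

# Narrower alternative 1: change the policy for this PowerShell process only.
# RemoteSigned runs scripts stored on a local disk; the setting is gone when the window closes.
Set-ExecutionPolicy RemoteSigned -Scope Process -Force
& 'E:\Temp\static_ip.ps1'

# Narrower alternative 2 (also works from cmd.exe): override the policy for a single invocation.
powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File 'E:\Temp\dynamic_ip.ps1'

# Hypothetical helper: report every scope that accepts unsigned scripts from any origin.
function Get-OpenPolicyScope {
    Get-ExecutionPolicy -List |
        Where-Object { 'Unrestricted', 'Bypass' -contains $_.ExecutionPolicy.ToString() }
}

# After the lab: put the machine-wide policy back to the value that step 3 returned.
# Assumption: that value was Restricted, the default on a Windows 7 client.
$restoreTo = 'Restricted'
if (Get-OpenPolicyScope | Where-Object { $_.Scope -eq 'LocalMachine' }) {
    Set-ExecutionPolicy $restoreTo -Scope LocalMachine -Force
}

# Anything still listed here is set by Group Policy or per user and needs a separate fix.
Get-OpenPolicyScope | Format-Table Scope, ExecutionPolicy -AutoSize
```

Execution policy is a safety setting rather than a security boundary, so the narrower scopes limit accidental script execution; they do not replace access control on the script files themselves.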


Exercise 6: Install Windows 7 Software Development Kit (SDK).


1. Click Start and navigate to Control Panel > Programs > Programs and Features > Turn Windows features on or off.
2. In the Windows Features window, make sure that all the Microsoft .NET Framework components are selected and installed.
3. Click OK.
4. Restart the computer and login again as Admin1.
5. Use the Virtual Machine Connection menu bar option (Media) to insert the Windows 7 Software Development Kit ISO (GRMSDKX_EN_DVD.iso). Execute the setup.exe program from the SDK ISO as an administrator.
6. During the setup install all modules except for the .NET Framework components.
7. Accept all other default settings to complete the setup.
8. Before finishing the install, make sure that View the Windows SDK Release Notes is checked.
9. Read section 1.1 Recommended Resources, 4.1 Installation and Related Content, 4.5 File System Layout and 6.3 Ways to Find Support and Send Feedback in the Release Notes document.
10. Close the document.

Exercise 7: Create a Troubleshooting Pack with the Software Development Kit


1. Click Start > All Programs > Microsoft Windows SDK > Tools > Windows Troubleshooting Pack Designer.
2. From the Windows Troubleshooting Pack Designer, click Project > New.
3. From the Create a Troubleshooting Pack window, name the project Configure DHCP Client and change the location to E:\Temp.
4. In the Privacy URL box, type http://NYC-DC1
5. Click Add New Root Cause.
6. In the Root Cause ID box, type STATIC_IP
7. In the Root Cause Name box, type Client computers with a static IP address
8. Click Define Troubleshooter.
9. Under Troubleshooter Properties, note the default options but do not change them.
10. Click Define Resolver.
11. For the Resolver Name box, type Assign Dynamic IP Address and change Elevation to YES.
12. Click Define Verifier. Note the information provided but do not change the default settings.
13. Click Edit Root Cause Scripts.
14. Click the Edit Resolver Script link.
15. In the new dialog window, paste the code from the dynamic_ip.ps1 script.
16. Save and exit from the dialog window.
17. From the Menu bar of the Windows Troubleshooting Pack Designer, click Project > Save.
18. From the Menu bar of the Windows Troubleshooting Pack Designer, click Build > Run.
19. Accept all the default settings to do a test run of the pack.
20. Verify that the Troubleshooter worked by making sure the computer has a dynamic IP address.
21. In the Windows Troubleshooting Pack Designer window, click Build > Build Pack.
22. Click View Output Folder to see the package files.
23. Close Windows Explorer and the Designer.


Exercise 8: Join the Domain and Configure Event Forwarding


1. Restart the system and login to VIRTUAL1 as Admin1.
2. Click Start > right click Computer and click Properties. Under Computer name, domain, and workgroup settings, click Change Settings. In the Computer Name tab, click Change. Under Member of, click Domain and type CONTOSO.COM. Click OK. Type the Admin1 credentials and click OK.
3. Close all dialog windows and restart the VIRTUAL1 machine after successfully joining the domain. Login to VIRTUAL1 as VIRTUAL1\Admin1.
4. Open the Computer Management console as an Administrator. Navigate to Local Users and Groups > Groups. Open the properties window for the Administrators group. Add the Contoso\Classroom Administrators group to the members list.
5. Add the NYC-DC1 computer to the Event Log Readers group.
6. Login to the domain controller with the Administrator account and a password of Pa$$w0rd and perform the following steps:
   a. Open a Command Prompt with administrator credentials.
   b. Run the command: winrm quickconfig (Note: This allows users on other systems to subscribe to events on your computer)
   c. Accept the changes if prompted to do so.
   d. Run the command: wecutil qc. Accept the service changes when prompted.
7. On VIRTUAL1 perform the following steps:
   a. Open the Event Viewer and double click the Subscriptions tab. Accept any system changes specified in pop-up windows.
   b. Right click the Subscriptions tab and choose Create Subscription.
   c. In the Subscriptions Properties window, name the subscription Server Logs.
   d. Set the Destination log to Forwarded Events.
   e. For the Subscription type, choose Collector initiated. Click the Select Computers button to add NYC-DC1 and Test the connection. Click OK.
   f. Click Select Events and in the Query Filter window, use the drop-down window for Event Logs to choose the Application, Security, Setup and System Event Logs. Click OK.
   g. Click OK in the Subscription Properties window.
8. Restart NYC-DC1 and login as Administrator.
9. On VIRTUAL1 in the Computer Management console, open the System Tools > Event Viewer > Windows Logs > Forwarded Events folder. Verify that there are entries from the NYC-DC1 computer. (Note: If the subscription is failing, modify the properties to use the Contoso\Administrator account credentials.)
10. In the Subscriptions folder, Disable the newly created subscription.
11. Optional Exercise: Use the information from the previous steps to configure NYC-DC1 with a subscription of VIRTUAL1 System and Application Logs.
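Step 9 checks the Forwarded Events folder by eye. The added example below (not part of the lab) performs the same verification from PowerShell on the collector and warns when an expected source has gone silent. The subscription name and NYC-DC1 come from this exercise; the one-hour window and the $Expected list are assumptions.

```powershell
# Added example (not part of the lab). Run elevated on the collector (VIRTUAL1).
$Subscription = 'Server Logs'        # name given in step 7c
$Expected     = @('NYC-DC1')         # sources that should be forwarding (assumption: lab has one)
$Since        = (Get-Date).AddHours(-1)

# Subscription inventory, configuration and per-source runtime status (including the last error).
wecutil.exe es
wecutil.exe gs $Subscription
wecutil.exe gr $Subscription

# The collector pulls events over WinRM, so the source must answer WS-Management requests.
foreach ($computer in $Expected) {
    try   { Test-WSMan -ComputerName $computer -ErrorAction Stop | Out-Null
            "WinRM on $computer is reachable" }
    catch { Write-Warning "WinRM on $computer is not reachable: $($_.Exception.Message)" }
}

# Events received in the window, counted per source computer and original log.
$recent = @(Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $Since } `
                         -ErrorAction SilentlyContinue)
$recent | Group-Object MachineName, LogName |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# A source that has sent nothing in the window usually means a broken subscription,
# a stopped WinRM service, or missing Event Log Readers membership on the source.
$seen = $recent | ForEach-Object { ($_.MachineName -split '\.')[0].ToUpper() } | Sort-Object -Unique
foreach ($computer in $Expected) {
    if ($seen -notcontains $computer.ToUpper()) {
        Write-Warning "No forwarded events from $computer since $Since"
    }
}
```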

Exercise 9: Configure System Restore


1. On Virtual1, navigate to Control Panel > System and Security > System.
2. Click the System protection link.
3. In the System Properties window on the System Protection tab, click the Create button to create a new restore point named Pre_Application_Install.
4. Create a text document named C:\Temp\test100.txt containing the phrase This is a test..
5. Run the command \\NYC-DC1\CLASSFILES\TOOLS\XLVIEWER.EXE with administrator credentials to install Excel Viewer. Accept the default settings to complete the setup.
6. Execute the application to verify that it installed properly. Close the application.
7. Open the System Properties window and go to the System Protection tab.
8. Click System Restore.
9. Click the link for Is this process reversible? and read the documentation. Close it when done.
10. Click Scan for affected programs. Close the dialog window after it shows the Excel application.
11. Click the Choose a different restore point radio button and click Next.
12. Choose the Pre_Application_Install restore point and click Next.
13. Click Finish and then Yes.
14. Verify that the Excel application has been removed but the C:\Temp\test100.txt file is still available after the reboot of the system.
15. Restart the system and boot into the original Windows 7 installation.
16. Login as Admin1 and create a Restore Point named Post_Lab3.
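The same restore cycle can be driven from PowerShell with the built-in restore point cmdlets. This is an added example, not part of the lab; the restore point and file names are those of Exercise 9, and the variable names are assumptions.

```powershell
# Added example (not part of the lab). Run from an elevated PowerShell prompt.
$PointName = 'Pre_Application_Install'
$Marker    = 'C:\Temp\test100.txt'

# Create the restore point before the change is made.
Checkpoint-Computer -Description $PointName -RestorePointType APPLICATION_INSTALL

# A user document that the restore must leave untouched.
New-Item -ItemType Directory -Path (Split-Path $Marker) -Force | Out-Null
Set-Content -Path $Marker -Value 'This is a test.'

# The application install (xlviewer.exe in the lab) happens at this point.

# List restore points; CreationTime is a WMI datetime string, so convert it for reading.
$points = Get-ComputerRestorePoint | Select-Object SequenceNumber, Description,
    @{ Name = 'Created'; Expression = {
        [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } }
$points | Format-Table -AutoSize

# Pick the named point (the newest one if the name was used more than once).
$target = $points | Where-Object { $_.Description -eq $PointName } |
          Sort-Object SequenceNumber | Select-Object -Last 1
if (-not $target) { throw "No restore point named '$PointName' was found." }

# -WhatIf only reports what would happen. Remove it to perform the restore,
# which restarts the computer.
Restore-Computer -RestorePoint $target.SequenceNumber -WhatIf

# After the restart: outcome of the last restore, and the user file that should still exist.
Get-ComputerRestorePoint -LastStatus
"User file still present: $(Test-Path $Marker)"

# Disk space reserved for restore points; the oldest points are deleted when it fills up.
vssadmin.exe list shadowstorage
```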


Module 4: Identify and Resolve Logon Issues

Table of Contents
Overview
Lesson 1: Authentication Process
Lesson 2: Machine Accounts
Lesson 3: Trust Relationships
Lesson 4: Network Services
Lesson 5: User Account Properties
Lesson 6: User Profiles
Resolve Logon Issues
Review Module 4: Identify and Resolve Logon Issues
Labs Module 4: Identify and Resolve Logon Issues


Overview

Authentication Process
Machine Accounts
Trust Relationships
Network Services
User Account Properties
User Profiles
Resolve Logon Issues

Access to local and network resources is often necessary to perform a job-related task. Securing these resources requires that users verify who they are and what level of permissions they have. The domain authentication process is an efficient way to provide access to these resources. This allows a user to log in once, but still be able to work with resources on different servers or different domains. In more complex environments, other network services might be used to authenticate to resources outside of the domain. Creating trust relationships between different directory services can simplify the logon process in some cases. Security and efficiency need to be balanced when choosing the right authentication options. The compatibility of the method chosen with older operating systems that are still in use on the network must be considered carefully. An efficient way to manage security settings is by using Group Policy settings to create and enforce restrictions on accounts.

In this chapter, we will consider the problems that often come up when end-users try to log on to their systems and network servers. The impact of policy decisions like using local or roaming profiles will also be examined. With a proper understanding of the local and network services on which the authentication process depends, fixing logon issues is normally a very straightforward process.


Lesson 1: Authentication Process

Local Authentication

Domain Authentication
Multi-Factor Authentication

Most users log on to their systems using a user name and password to authenticate to the local computer or the Active Directory domain. Although transparent to the user, the process is different for each method, and understanding the services involved will make it easier for a technician to diagnose problems that might come up.

Local Authentication

SAM database

Local Policy Settings


No Network Access

If user and group accounts are created on the local machine, verification of user credentials during a logon is done by checking information in the local Security Accounts Manager (SAM) database. This is so whether the computer is a part of a domain or not. Local policy settings can be used to create user account policies to make local accounts more secure. No network services are needed to support local authentication. Once the SAM database verifies the credentials, the user is logged on with their user profile. The account will not have access to resources on the network. The user will need to be authenticated again for each server or resource they connect to.


Domain Authentication

DNS

DHCP
Domain Controller

Network Access

When a domain user account and password are used to login to a computer, the authentication process takes place using services on the network. The computer first tries to find a domain controller for the domain to which the user is connecting. This information is found by using service (SRV) records on the DNS server. The DNS server to which the computer is pointing must have service records for the respective domain, or it must be able to forward requests to a DNS server that does. From the list of domain controllers passed to the computer, one is chosen, and the user credentials are sent to it. Once the credentials are verified and accepted, an access token with a time-stamp is created and sent back to the computer. This access token will be used as a key to connect to network resources without having to provide login credentials again. This access token will also work with other domains that are a part of the active directory forest, or other domains that have trust relationships with the domain. Network problems might interfere with domain authentication. Some services to check out if there are problems include: DNS: DNS services are used to find domain controllers, so if the server is down, or it has out-of-date information, the authentication process will be affected. DHCP: DHCP is needed to have network connectivity, but also because it is often used to point users to their DNS servers.


Domain Controllers: Client computers cache information about the domain controllers they can use, and if these are not available for later logons, problems might occur. Making sure that local domain controllers are available and flushing the cache on computers can solve this problem.


Multifactor Authentication

Smart Card

Fingerprint
Driver Support

Using smart card or fingerprint authentication methods, a network administrator can improve the security of the logon process in the network. Biometrics and multifactor authentication methods are becoming more popular and are now simpler to implement using Windows 7. Special middleware is no longer necessary when using smart card devices from vendors. Drivers can be downloaded using Windows Update in the same way as for other devices. Smart cards can also be used to unlock encrypted drives on the system.

Consideration should be given to how certificates will be issued if smart card authentication is chosen. The option to limit an account so that it only uses the smart card and not the user name and password, while more secure, should be thought over carefully.


Lesson 2: Machine Accounts

Computer Authentication

Active Directory Placement


Creating Computer Accounts

Like user accounts, computers also register their information in the Active Directory domain that they are a part of. They also have passwords assigned to them during this process. The passwords are automatically changed every 30 days by default. This allows computers to also be authenticated when a user is logging on. If the authentication process for the machine does not work, the user will not be able to log on either. Because the process is handled without user intervention, normal user activity does not create any problems for these operations. The passwords do not expire like those on user accounts, so taking the computer off the network for an extended period of time does not create any issues. The password will be changed when the computer first contacts a domain controller after being put back on the network.

Problems might develop, however, if the machine password is changed manually or automatically and this change is not synchronized quickly with all domain controllers. Dual-boot systems that use the same computer name might also have issues. Disabling the automatic changing of machine passwords in group policy can prevent these issues. This causes requests by client computers to change the machine password to be refused.
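The machine-account state described above can be checked from the client itself. The following PowerShell is an added example, not part of the course material; it assumes PowerShell 2.0 or later (for Test-ComputerSecureChannel) and reads the Netlogon registry values DisablePasswordChange and MaximumPasswordAge that hold the machine password change settings.

```powershell
# Added example: report the state of this computer's machine account.
# Run in an elevated session on a domain-joined client.

function Get-MachineAccountStatus {
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $params = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # DisablePasswordChange = 1: this client never starts a machine password change.
    $changeDisabled = ($null -ne $params) -and ($params.DisablePasswordChange -eq 1)

    # MaximumPasswordAge: days between automatic changes (30 when the value is absent).
    $maxAgeDays = 30
    if (($null -ne $params) -and ($null -ne $params.MaximumPasswordAge)) {
        $maxAgeDays = [int]$params.MaximumPasswordAge
    }

    # Test-ComputerSecureChannel is $true when the machine password stored
    # locally still matches the one held by a domain controller.
    $channelOk = $false
    $detail    = ''
    try   { $channelOk = [bool](Test-ComputerSecureChannel -ErrorAction Stop) }
    catch { $detail = $_.Exception.Message }

    $finding = 'Machine account authenticates normally.'
    if (-not $channelOk) {
        $finding = 'Secure channel broken: the machine password is out of sync with the domain, so user logons will fail too.'
    }
    elseif ($changeDisabled) {
        $finding = 'Secure channel works, but automatic machine password changes are disabled on this client.'
    }

    New-Object PSObject -Property @{
        Computer               = $env:COMPUTERNAME
        SecureChannelOk        = $channelOk
        PasswordChangeDisabled = $changeDisabled
        MaximumPasswordAgeDays = $maxAgeDays
        Finding                = $finding
        Detail                 = $detail
    }
}

Get-MachineAccountStatus | Format-List

# Repair a broken channel with an account that is allowed to reset the
# computer account password:
#   Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
```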


Computer Authentication

Password Assignment

Resetting Password
Disabling Accounts

Computer accounts can be manually disabled and have their passwords reset from Active Directory Users and Computers. They can be assigned permissions and be added to groups. Applications installed on the computer that require account delegation might need the account of the user to be reconfigured to allow this. The same change might also have to be made to the computer account.


Active Directory Placement

GPO Settings
OU Placement

GPO settings in Active Directory are applied to computers during startup. Machine settings will therefore be applied before user account settings. If any group policy settings must be applied to certain machines to complement or facilitate user logon processes, then the computer account might need to be relocated to allow this. Machines are added to the Computers container by default, but tools like Active Directory Users and Computers make it easy to move them to appropriate OUs when necessary. Moving an account does not change the machine password. Containers that are not OUs, like Computers, cannot have GPOs linked to them.


Creating Computer Accounts

Pre-Staging

Adding During Setup


Scripting

New computer accounts can be created automatically when the machine is joined to a domain, or they can be pre-staged in Active Directory. Pre-staging the accounts allows them to be created in the correct OUs instead of automatically putting them in the Computers container and then moving them. The default computers container can be changed with the redircmp.exe command by the domain administrator. For large deployments, scripting strategies that use dsadd.exe, csvde.exe or ldifde.exe can be used to import many computer accounts and locate them in appropriate OUs.

When older machines are replaced but the same computer account names are used, one possible strategy is to replace the old accounts by deleting them from Active Directory and then creating new ones. The existing accounts can also be re-used, but the old system must be off the network before making this change.


Lesson 3: Trust Relationships

Transitive Trusts
Shortcut Trusts

Forest Trusts
External Trusts
Realm Trusts
Security and Connectivity Considerations

Once a user is authenticated with a domain account, they are able to access resources anywhere in that domain without needing to verify their identity again. In networks where there are multiple domains, this single sign-on configuration might not work if the trust relationships are not configured properly. If set up properly, users can access resources in, and log on to computers in, any domain.

There are different types of trust relationships that can be constructed to facilitate easy access to resources. All trusts express relationships between two domains only. Some will allow pass-through authentication while others will only work with the domains that they are directly connected to. Some will allow authentication in both directions while others will not. We will learn about the different types of trusts that can be constructed and in what environments they might be needed.


Transitive Trusts

Pass-through

Two-Way Authentication
Within a Forest

For all domains in an Active Directory forest, trust relationships that are transitive and two-way are created automatically. The transitive nature of the trusts means that direct connections are not needed between all domains. If domain A is connected to domain B, but not to domain C, it will still be able to use the trust relationship between B and C to access resources in domain C. The two-way nature of each connection means that domain C can use the same trust relationships to access resources in domain A.

This kind of structure means that without any other changes, any user can access any resource in any domain as long as they all belong to the same Active Directory forest. Appropriate permissions will still need to be assigned to the user to work with these resources. The DNS servers used by the client computers and domain controllers must be able to access domain controllers in all domains. This authentication model is facilitated by communication between the domain controllers in each domain.


Shortcut Trusts

Pass-through

One-Way
Within a Forest

Shortcut trusts are created to provide direct authentication between two domains in a single forest. While they are not necessary to allow authentication, they provide faster authentication between two domains that would normally need to authenticate through two or more transitive trusts. These kinds of trusts are normally used where many users need to be authenticated more quickly to resources in a domain to which there is no direct connection. Shortcut trusts are transitive, but not two-way.


Forest Trusts

Between Forests

Pass-through
Kerberos Authentication

These trusts are constructed to provide authentication between domains in two different forests. They can provide authentication between domains in either forest. The connection is created between the root domains in both forests. These trusts are transitive and two-way. Since Kerberos authentication must be used for all transitive trust connections, the time on the computers in both forests must be synchronized within five minutes.


External Trusts

Non-Transitive

NTLM Authentication
One-Way

When a connection is made to a domain that does not use Kerberos authentication (Windows NT 4.0 or earlier), only external trust relationships can be created. They use NTLM authentication. They are one-way trust connections and, because they are non-transitive, they do not pass authentication through to other domains. If authentication is needed by user accounts in both domains, two separate trust relationships must be constructed.


Realm Trusts

Kerberos Authentication

Transitive or Non-Transitive

To facilitate access to resources between a Kerberos realm and an Active Directory domain, a realm trust can be created. The trust relationship can be transitive or non-transitive. The administrator also has the option of making the connection one-way or two-way. Because Kerberos realms use the same authentication protocol as Active Directory (Kerberos), a single sign-on environment can be constructed. In some cases, account mappings might be needed between user accounts in both environments.


Security and Connectivity Considerations

One-Way vs. Two-Way Trusts

Verifying Trust Relationships
Credential Manager

If the computers do not all use the same DNS servers, the DNS servers must be configured to replicate with each other or be able to forward requests when necessary. Care should be taken when working with one-way or two-way trusts to ensure security requirements are not compromised. Only domains from which user accounts need to access resources need to be trusted. To prevent problems with domain authentication, the time on all machines should be synchronized by configuring all computers to use the same time servers. The netdom.exe command can be used to create, delete and test trust relationships.

To manage authentication to domain and non-domain resources, the Credential Manager is useful for storing the different user names and passwords used to connect to servers and web services. It stores authentication details for Windows and non-Windows connections. Certificate-based credentials can also be maintained in its vault. The Credential Manager can also be used to specify online IDs and link them to a user account to make web-based authentication more transparent. A Windows 7 Online ID Provider must be used. All credentials stored in the vault can be backed up to a local drive, network location or removable device and restored to another computer.
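To check which domains are actually trusted, and in which direction, the trusts can be listed and labelled with the trust types from this lesson. The PowerShell below is an added example, not part of the course material; it uses the .NET System.DirectoryServices.ActiveDirectory classes, must run on a domain-joined computer, and only prints netdom.exe verify commands rather than running them.

```powershell
# Added example: inventory the trusts of the current domain and forest.
Add-Type -AssemblyName System.DirectoryServices

# .NET TrustType value -> the trust type name used in this lesson.
$TrustKinds = @{
    ParentChild = 'automatic transitive two-way trust within the forest'
    TreeRoot    = 'automatic transitive two-way trust within the forest'
    CrossLink   = 'shortcut trust'
    Forest      = 'forest trust'
    External    = 'external trust'
    Kerberos    = 'realm trust'
}

function Get-TrustInventory {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $all    = @($domain.GetAllTrustRelationships()) + @($forest.GetAllTrustRelationships())

    $seen = @{}
    foreach ($t in $all) {
        $type = $t.TrustType.ToString()
        $dir  = $t.TrustDirection.ToString()   # Inbound, Outbound or Bidirectional

        # A forest trust can be reported by both calls; list it once.
        $key = '{0}|{1}|{2}' -f $t.SourceName, $t.TargetName, $type
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        # Outbound: the source domain is the trusting side. Inbound: it is the trusted side.
        # netdom syntax: netdom trust <trusting domain> /domain:<trusted domain> /verify
        $verify = @()
        if ($type -ne 'Kerberos') {
            if ($dir -ne 'Inbound')  { $verify += "netdom trust $($t.SourceName) /domain:$($t.TargetName) /verify" }
            if ($dir -ne 'Outbound') { $verify += "netdom trust $($t.TargetName) /domain:$($t.SourceName) /verify" }
        }

        # Trusts an administrator created by hand deserve a check that
        # both directions are really required.
        $manual = @('CrossLink', 'Forest', 'External', 'Kerberos') -contains $type

        New-Object PSObject -Property @{
            Source               = $t.SourceName
            Target               = $t.TargetName
            Kind                 = $TrustKinds[$type]
            Direction            = $dir
            ReviewBothDirections = ($manual -and ($dir -eq 'Bidirectional'))
            VerifyCommands       = $verify
        }
    }
}

Get-TrustInventory |
    Format-List Source, Target, Kind, Direction, ReviewBothDirections, VerifyCommands
```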


Lesson 4: Network Services

DNS

DHCP
SNTP / Time Server

Domain Controller

When a user logs on to a domain, the connection between the client computer and the domain controller is important, but other services on the network also play a part. Kerberos is the authentication protocol normally used, and that service has its own requirements as well. If problems develop during domain authentication, these network services might need to be examined.



DNS


SRV Records

Dynamic & Static Updates


Multiple DNS Configuration

Active Directory Integrated Zones


Primary Zones
Secondary Zones

Client computers locate domain controllers by querying service records on the DNS server they are connected to. That DNS server must host the zone records for the respective domain or have a forwarder that it can use to locate them. Domain controllers register information about the services they provide on the DNS server when they are first started up. This assumes that the DNS server allows dynamic updates. If not, the static records will need to be manually updated when the IP address or computer name of the domain controller changes.

Client computers will normally retrieve information for more than one domain controller and cache it. This prevents them from having to go back to the DNS server every time a DC is needed. When cached records become out of date, they can be flushed from the DNS server and client computers manually with the ipconfig.exe command. Site information is stored as a part of the DNS service records so client computers can find the servers that are closest to them. It is good practice to have an alternate DNS server configured in case a connection to the first one fails.

When DNS server zones are configured as Active Directory Integrated or Primary, they can be updated directly by client and server computers if dynamic updates are enabled. Secondary zones are read-only and cannot be updated directly. Servers with this setup should not be used as the primary DNS server for domain controllers.
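The lookup described here, and in the Domain Authentication topic of the first lesson, can be reproduced step by step when a logon fails. The PowerShell below is an added example, not part of the course material; it assumes the Resolve-DnsName cmdlet (Windows 8 / Windows Server 2012 or later), and the domain name corp.example.com and site name Austin are placeholders.

```powershell
# Added example: follow the path a client uses to locate a domain controller.

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)
        return $true
    }
    catch   { return $false }
    finally { $client.Close() }
}

function Get-DomainControllerHealth {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [string]$Site   # optional: query the site-specific service records
    )

    # Service record names that domain controllers register in DNS.
    $query = '_ldap._tcp.dc._msdcs.{0}' -f $Domain
    if ($Site) { $query = '_ldap._tcp.{0}._sites.dc._msdcs.{1}' -f $Site, $Domain }

    try {
        $srv = @(Resolve-DnsName -Name $query -Type SRV -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'SRV' })
    }
    catch {
        throw ("No SRV records returned for $query. Check that the client's DNS server " +
               "hosts the zone or can forward to one that does. " + $_.Exception.Message)
    }

    # One row per advertised domain controller, with reachability of the
    # LDAP port from the record and the Kerberos port (88).
    foreach ($r in ($srv | Sort-Object Priority)) {
        [pscustomobject]@{
            DomainController = $r.NameTarget
            Priority         = $r.Priority
            Weight           = $r.Weight
            LdapOpen         = Test-TcpPort -HostName $r.NameTarget -Port $r.Port
            KerberosOpen     = Test-TcpPort -HostName $r.NameTarget -Port 88
        }
    }
}

Get-DomainControllerHealth -Domain 'corp.example.com' -Site 'Austin' | Format-Table -AutoSize

# After stale records have been corrected:
#   ipconfig /flushdns                           clears the client's DNS resolver cache
#   nltest /dsgetdc:corp.example.com /force      discards the cached DC and locates one again
```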


DHCP

DNS & DHCP Integration

Updating Client Configuration

Client computers are often configured to get information about DNS servers from their DHCP server. This makes DHCP servers important, not only for normal network connectivity, but also for accessing domain controller records. If DNS server records are updated on the DHCP server, these changes are not automatically pushed to client computers. The ipconfig.exe command can be used to manually update these records instead of rebooting the system (e.g. type ipconfig.exe /release and then ipconfig.exe /renew).


Time Server

Kerberos Authentication
Net Time / W32TM.exe
PDC Emulator

The Kerberos authentication process will not work if the time on the client & server computers is out of sync by more than 5 minutes. It is therefore important that all systems on the network use the same time server. By default, the PDC emulator in a domain performs this function. This can be verified by running the net time command from any machine in that domain. A client computer can be configured to use a specific domain or server for time services with the w32tm.exe command. If the default configuration is used, the domain controller acting as the PDC Emulator would take on the role as the authoritative time server.
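The offset between a client and its time source can be measured and compared with the 5-minute limit. The PowerShell below is an added example, not part of the course material; it parses the output of w32tm.exe /stripchart, and the host name dc01.corp.example.com and the sample output lines are constructed for illustration.

```powershell
# Added example: compare this computer's clock with a time source.
$KerberosMaxSkewSeconds = 300   # the 5-minute tolerance stated above

function ConvertFrom-StripchartOutput {
    param([string[]]$Lines)
    # Data lines look like "06:25:39, +00.0123456s"; header lines and
    # failed samples ("error: 0x...") do not match and are skipped.
    foreach ($line in $Lines) {
        if ($line -match '^\d{2}:\d{2}:\d{2},\s*([+-]\d+\.\d+)s\s*$') {
            [double]::Parse($Matches[1], [Globalization.CultureInfo]::InvariantCulture)
        }
    }
}

function Get-ClockSkewReport {
    param([string[]]$Lines, [string]$Source = 'unknown')
    $offsets = @(ConvertFrom-StripchartOutput -Lines $Lines)
    if ($offsets.Count -eq 0) {
        return New-Object PSObject -Property @{
            Source = $Source; WorstOffsetSeconds = $null; WithinKerberosTolerance = $null
            Note   = 'No samples returned: the time source did not answer.'
        }
    }
    # The sign only says which clock is ahead; Kerberos cares about the size.
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    New-Object PSObject -Property @{
        Source                  = $Source
        WorstOffsetSeconds      = [math]::Round($worst, 3)
        WithinKerberosTolerance = ($worst -le $KerberosMaxSkewSeconds)
        Note                    = ''
    }
}

function Test-KerberosClockSkew {
    param([Parameter(Mandatory = $true)][string]$Computer, [int]$Samples = 3)
    $lines = & w32tm.exe /stripchart "/computer:$Computer" "/samples:$Samples" /dataonly
    Get-ClockSkewReport -Lines $lines -Source $Computer
}

# Constructed sample output, so the parsing can be tried without a network.
$sample = @(
    'Tracking dc01.corp.example.com [192.0.2.10:123].',
    'Collecting 3 samples.',
    'The current time is 1/9/2012 6:25:39 AM.',
    '06:25:39, -412.5310021s',
    '06:25:41, -412.5298774s',
    '06:25:43, error: 0x800705B4'
)
Get-ClockSkewReport -Lines $sample -Source 'dc01.corp.example.com' | Format-List

# Against a live source:
#   Test-KerberosClockSkew -Computer 'dc01.corp.example.com'
# Show the configured time source, then force a resynchronization:
#   w32tm /query /source
#   w32tm /resync
```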


Domain Controller

DNS Registration

Netlogon Service

Domain Controllers will register their service records with a DNS server automatically during startup, if the DNS server is configured for dynamic updates. Changes made to them after this are not sent until a reboot of the system. To avoid this, the netlogon service can be manually restarted to update the DNS server.


Lesson 5: User Account Properties

Logon Hours

Logon To
Password Expiration

Account Expiration
Using Smart Cards
Other User Account Properties

Not all account properties have a direct effect on the logon process, but a number of them do. Using these properties, an administrator can control which computers a user logs on to, the time of day they have access to the network, whether or not they can change their own password, and other settings. We will look at some of these properties and consider how they can be used to manage user accounts.

Logon Hours: By default a user can log on to the domain at any hour on any day of the week. This setting allows you to change this on an individual user level. If the user is already logged on, another group policy setting can be used to force the user to log off if they are still on the system after the specified hours (Network Security: Force logoff when logon hours expire policy at Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options).

Log On To: This setting controls which computers the user is able to log on to. The default allows them to log on to any machine in the domain. For secure servers on the network, policy settings can be used to restrict local logon to specific groups, as is done for domain controllers (Allow log on locally policy at Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment). This feature allows you to create a list of machines for the user. They will not be able to log on locally to any other computer. They will still be able to connect to other machines over the network.

Password Expiration: Users are normally notified 14 days before their passwords expire. This can be changed with group policy settings (Interactive logon: Prompt user to change password before expiration policy at Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options). The Maximum password age setting prevents users from using the same password for too long a period of time. This and other Account Policy settings can be implemented for all accounts in the domain or specific groups of users (Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies). The Minimum password age and Enforce password history settings are also useful in preventing users from repeatedly changing their passwords to circumvent security policies. The Password never expires setting should not be used for end-user or administrator accounts. In some cases it is advantageous to use it for dedicated service accounts. The User cannot change password setting is normally enabled for accounts used by contractors or accounts used by a group of people. Administrators will still be able to change the passwords on these accounts.

Account Expiration: User accounts never expire by default. When temporary employees are assigned user accounts, however, this option allows an administrator to set the account to be automatically disabled after a certain period of time.

Require Smart Card: If users are allowed to use smart cards during authentication, the account policies allow the option to use a user name and password to be disabled. Smart cards use two-factor authentication (the card plus the PIN), which makes them more secure than the default logon method. When this is done, plans should be in place to deal with situations where users forget their cards or lose them.

Account Disabled: A number of situations might arise where an administrator decides to disable user accounts to prevent logon: if a user is on vacation, if the account is used as a template for new users, or if the user no longer works for the company. Even when the user is fired, it is considered good practice to keep the account and disable it for at least 30 days.

Account Delegation: Some applications, like SQL Server, can be configured to take user credentials and automatically pass them to another resource they need to connect to. The user account delegation setting normally needs to be enabled in order to do this. Other options might need to be configured on the application or server computer in order for this feature to work properly.

Unlock Account: If a user has too many logon attempts with an incorrect password, their account might be locked out. This depends on the account lockout policies for the domain. If the lockout policies specify that user accounts are locked after a specific number of incorrect passwords, the next step depends on whether an Account Lockout Duration is specified. If so, the user can wait until that duration has passed. If not, an account administrator must unlock the account for them. Both Password Policies and Account Lockout Policies can now be controlled on a user account or group level if the domain has Windows Server 2008 domain controllers (search http://www.technet.com for documentation on fine-grained password policies).

Changing these user properties is normally done from Active Directory Users and Computers, but most of these options can also be managed with the net user or dsmod user command-line tools.
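When a user reports that they cannot log on, the properties in this lesson can be checked together against the computer and time of the failed attempt. The PowerShell below is an added example, not part of the course material; the function names are hypothetical, the property names follow what Get-ADUser (ActiveDirectory module) returns, logonHours is treated as the 21-byte, one-bit-per-hour UTC bitmap starting Sunday 00:00, and the sample account is constructed.

```powershell
# Added example: list the account properties that would stop an interactive logon.

function Test-LogonHour {
    param($LogonHours, [datetime]$When)
    # Attribute not set = logon allowed at any hour (the default).
    if (($null -eq $LogonHours) -or ($LogonHours.Length -ne 21)) { return $true }
    $utc   = $When.ToUniversalTime()
    $slot  = ([int]$utc.DayOfWeek * 24) + $utc.Hour      # Sunday 00:00 UTC = slot 0
    $index = [int][math]::Floor($slot / 8)
    $mask  = [int][math]::Pow(2, $slot % 8)
    return (($LogonHours[$index] -band $mask) -ne 0)
}

function Get-LogonBlocker {
    param(
        [Parameter(Mandatory = $true)]$Account,
        [string]$Computer = $env:COMPUTERNAME,
        [datetime]$When = (Get-Date),
        [switch]$PasswordLogon     # the user typed a password instead of using a smart card
    )
    $reasons = @()
    if (-not $Account.Enabled) { $reasons += 'Account Disabled is set' }
    if ($Account.LockedOut) {
        $reasons += 'Account is locked out: wait for the lockout duration or have an administrator unlock it'
    }
    if ($Account.AccountExpirationDate -and ($Account.AccountExpirationDate -le $When)) {
        $reasons += "Account Expiration date passed on $($Account.AccountExpirationDate)"
    }
    if ($Account.PasswordExpired) { $reasons += 'Password has expired and must be changed' }
    if (-not (Test-LogonHour -LogonHours $Account.logonHours -When $When)) {
        $reasons += 'Outside the permitted Logon Hours'
    }
    if ($Account.LogonWorkstations) {
        $allowed = @($Account.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() })
        if ($allowed -notcontains $Computer) {
            $reasons += "Log On To list does not include $Computer"
        }
    }
    if ($PasswordLogon -and $Account.SmartcardLogonRequired) {
        $reasons += 'Smart card is required: user name and password logon is refused'
    }
    return $reasons
}

# Constructed sample: logon allowed Monday to Friday, 08:00-18:00 UTC, on two workstations.
$hours = New-Object byte[] 21
foreach ($day in 1..5) {
    foreach ($hour in 8..17) {
        $slot  = ($day * 24) + $hour
        $index = [int][math]::Floor($slot / 8)
        $hours[$index] = $hours[$index] -bor [int][math]::Pow(2, $slot % 8)
    }
}
$sample = New-Object PSObject -Property @{
    SamAccountName         = 'sample.user'
    Enabled                = $true
    LockedOut              = $false
    AccountExpirationDate  = $null
    PasswordExpired        = $false
    SmartcardLogonRequired = $false
    LogonWorkstations      = 'WS01,WS02'
    logonHours             = $hours
}

# A Sunday 03:00 UTC attempt from a workstation that is not on the list.
$attempt = [datetime]::Parse('2012-01-08T03:00:00Z').ToUniversalTime()
Get-LogonBlocker -Account $sample -Computer 'WS07' -When $attempt

# With a real account (ActiveDirectory module):
#   $u = Get-ADUser sample.user -Properties Enabled, LockedOut, AccountExpirationDate,
#            PasswordExpired, SmartcardLogonRequired, LogonWorkstations, logonHours
#   Get-LogonBlocker -Account $u -Computer 'WS07' -PasswordLogon
```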


Lesson 6: User Profiles

Local Profiles

Roaming Profiles
Mandatory Profiles

Whenever a user logs on to a machine, a user profile is created for them. A folder is created that contains their desktop, Internet Explorer, Outlook and other settings unique to them. Subsequent logons to that machine use the existing profile. Profiles are created on the system drive in the Users folder by default. This can be changed by modifying the registry settings and should be done right after setup, before any users start logging on to the system. This change can be scripted as a part of the setup process to automate the procedure.

User profiles can be either Local or Roaming. Both configurations have their advantages, and some networks will use both strategies, assigning an appropriate profile type to individual users or groups.


Local Profiles

Optimize Logon Time

Use with Large Profiles


Multiple Profiles

Local profiles, as the name suggests, are created and stored locally on the computer. Once created, the logon time is optimized since the profile does not have to be retrieved over the network. In environments where users always work on the same machine and do not use other systems, this configuration is best. This configuration is also better suited for users with very large profiles.

Because there is only one local copy of these settings, however, this configuration presents problems for users who work on many machines. For users who store work documents in their profile, like the My Documents folder, it is easy to end up with multiple versions of the same file. Desktop and network settings might also need to be recreated for each computer they log on to. Users could also end up wasting time when they are unsure about which computer important documents are located on. Using the redirection and scripting features in group policy can mitigate such situations.


Roaming Profiles

Stored on the Network

Increased Logon Time


Same Profile on all Domain Computers

A roaming profile is stored in a network location. It is retrieved each time the user logs in, so the settings and files are always the same regardless of which machine they log in to. Any changes made to the profile are written back to the network as soon as the user logs off the machine. Because the profile will always be the same, this configuration is well suited to users who work on different machines. All desktop and network settings will be the same and the documents they store in it will be accessible from any machine. Because network locations where the profiles are stored are normally backed up, this provides protection for user documents and settings.

For users who have large profiles, however, this can significantly increase the time it takes them to log on. Profiles might also be more likely to get corrupted because of the constant copying back and forth of information. In environments where many users work with large roaming profiles, available network bandwidth can be seriously impacted. Having the users clean up their profiles regularly by deleting documents and temporary data can reduce these problems. Redirecting documents to an alternate location will still keep them accessible from any machine, but also help to reduce the size of roaming profiles.

A user can be configured to use a roaming profile by changing the properties of his user account. Using environment variables, roaming profiles can be automatically assigned to new user accounts when they are created from template accounts.


Mandatory Profiles

Stored on the Network

Never Changes
Can be shared with other users

Local or roaming profiles can be modified to make them read-only. This allows a profile to be configured once with all necessary settings and then left alone. Users will still be able to make changes to their desktop configuration, but the changes will not be saved when they log off. Many users will also be able to use the same profile. Mandatory profiles are created by renaming the ntuser.dat file in the root of the profile directory to ntuser.man. This file normally has the hidden and system attributes set. This configuration is useful when certain settings and options must always be available to a user or group of users.


Resolve Logon Issues


Review the scenarios and problems presented along with their solutions

When trying to solve an authentication or logon problem, all the services and resources involved must be considered. Problems can be caused by the computer or user account configuration, trust relationships, user profile problems or account policy settings. Here are some situations that might arise when users have difficulty logging on and how you might go about solving them.

A user is complaining that the logon process is taking far too long. How can you improve logon performance?
Find out if the user is working with a roaming profile; if so, they can make it smaller to speed up the logon time by deleting unnecessary data. Other sources of this problem could be issues finding a domain controller, or connecting to remote authentication servers instead of local ones. Fixing the DNS configuration can reduce these problems.

A user is unable to login to a remote domain that has a trust relationship with their domain. What might cause this problem?
The trust relationship might be one-way and pointing in the wrong direction. The netdom.exe command can be used to verify the trust configuration or you can use Active Directory Domains and Trusts under Administrative Tools.

Five contractors will be working with the same user account and they should not be able to change the account password or desktop configuration. How can this be done?
Enable the User cannot change password property setting and convert the user profile to be mandatory by renaming ntuser.dat to ntuser.man.

How can you automatically disable a new user account after 60 days?
By assigning an account expiration date.


You need to speed up authentication between two domains in the same forest. They currently pass through trust relations in two other domains. What can be done?
Create a shortcut trust between the domains.

You have a Windows Server 2008 Active Directory forest and an old NT 4.0 domain. How can you configure authentication between the old NT 4.0 domain and each domain in your forest?
External trust relationships must be created between the NT 4.0 domain and each domain in the forest. NT 4.0 does not support transitive trust because it only uses NTLM authentication.

A user complains that they cannot log into a computer that is a part of their domain. They are able to login to other machines successfully. What are some possible reasons for this?
The computer might have user rights configured to only allow users in certain groups to login. Their user account properties might also have restrictions as to which computers they are allowed to login to.

You have been assigned the task of preventing a user from logging onto the network after 4:00PM. Where can you do this task?
Using Active Directory Users and Computers, change the user account properties for Logon Hours.

A user computer has incorrect information about available domain controllers cached on the system. What command will remove these entries?
From the command prompt type: ipconfig /flushdns

You need to create a script that includes a command to point to two new time servers. What command will you include in the script?
W32TM.exe /config /manualpeerlist:"server1.contoso.com server2.contoso.com" /syncfromflags:manual /update


Review Module 4: Identify and Resolve Logon Issues

REVIEW
Examine the review questions as a class

1. What network services are needed to support domain authentication?

2. Besides using a user name and password, what other authentication methods are possible on Windows?

3. True or False. Time differences between a DC and the client computer can prevent authentication.

4. How often are computer account passwords reset in a domain?

5. What are some tools that can be used to create computer accounts?

6. What kind of trust relationships are automatically created between domains in the same forest?

7. What authentication protocols are supported with External Trust relationships?

8. What command can be used to change the time server of a computer?

9. What kind of DNS zones do not allow dynamic updates?


10. What DNS record types provide information about computers that provide authentication services?

11. When might you use the User Cannot Change Password property setting?

12. True or False. All user accounts in a domain must share the same Account Policy settings.

13. What are some reasons to create a roaming profile for a user?

14. How can documents saved in local profiles be automatically protected on the network?

15. How are mandatory profiles created?


Labs Module 4: Identify and Resolve Logon Issues

Exercise 1: Join the computer to the domain

Exercise 2: Remote Server Administration Tools


Exercise 3: Test and Verify Domain User Accounts

Exercise 4: Create a PowerShell Logoff Script


Exercise 5: Test a Roaming Profile

Exercise 6: Test a Mandatory Profile

Overview: Learn how to add a computer to a domain and use Administration Tools to manage domain accounts. Unless stated otherwise, start both the Windows 7 client and domain controller images for this lab. Login as Admin1 with a password of Pa$$w0rd. Note: All user accounts should be reconfigured to use local profiles at the end of this lab.

Estimated time to complete this lab is 75 minutes.


Exercise 1: Rename your computer and join it to the domain
1. Login to STUDENT1 as Admin1.
2. Click Start, right click Computer and choose Properties.
3. Click Change settings.
4. Click Change and specify Computer1 as the new computer name and Contoso.com as the domain. When asked for credentials, use Contoso\Admin1.
5. Reboot the computer for the changes to take effect.
6. Login as Computer1\Admin1.
7. Use the Computer Management console to add the Contoso\Classroom Administrators group to the local Administrators group.
8. Logout Computer1\Admin1 and login as Contoso\Admin1. Logout and login again as Contoso\Admin1 to create a local user profile.


Exercise 2: Install Remote Server Administration Tools (RSAT)


1. From the Administrator: Command Prompt, run the command NET USE S: \\NYC-DC1\CLASSFILES to map the \\NYC-DC1\CLASSFILES share to the S: drive.
2. Install the RSAT by running the command S:\RSAT\amd64fre_GRMRSATX_MSU.msu.
3. Accept all default installation options to complete the setup.
4. Read the information in the help file about how to enable the tools.
5. Navigate to Control Panel > Programs > Programs and Features and click Turn Windows features on or off.
6. In the Windows Features window, use the check boxes to select ALL the Remote Server Administration Tools.
7. Click OK.
8. When the installation is complete, click Start > Administrative Tools to verify that the tools were installed.

Exercise 3: Test and Verify Domain User Account Properties


1. Logoff the computer and try logging on with your Contoso\User1 account. Note the error message.
2. Logon with your Contoso\Admin1 account.
3. Click Start > All Programs > Administrative Tools > Active Directory Users and Computers.
4. Navigate to Contoso > Classroom > Users and locate your Admin1 account.
5. Right click on the account and choose Properties.
6. Use the Member Of and Account tabs to verify the groups the account belongs to, the logon hours, logon computers and the expiration date of your account.
7. Close the properties window.
8. Right click the Classroom OU and choose New > Group.
9. Specify a group name of Classroom Users and verify that the group scope is Global and the group type is Security. Click OK.
10. Right click on the User1 account and choose Enable Account.
11. Use the properties of the User1 account to add it to the Classroom Users group and restrict its logon hours to Monday to Friday from 6:00AM to 6:00PM.
12. Navigate to Contoso > Classroom > Contractors and locate your Contractor1 account.
13. Right click on the Contractor1 account and choose Enable Account.
14. Use the properties of the Contractor1 account to restrict its logon access to Computer1. (In the Account folder, click the Log On To button. In the Logon Workstations window, click The following computers and type Computer1 in the Computer name: box. Click Add then click OK. Close the properties window.)
15. Create a new user account in the Contoso > Classroom > Contractors OU named Temp1. Give the account a password of Pa$$w0rd, prevent the user from changing the password, restrict the logon computer to Virtual1, restrict its logon hours to Monday to Friday from 6:00AM to 6:00PM and set the account to expire in 30 days.
16. Try changing the group membership of any user account outside of the Classroom OU.
17. Try creating an account in any OU outside of Classroom. You should not be successful since the Classroom Administrators group membership only gives you control of the Classroom OU.
18. On Computer1, try logging on with the domain accounts User1, Contractor1 and Temp1. Only the User1 and Contractor1 account logons should be successful.
19. On Virtual1, try logging on with the domain accounts User1, Contractor1 and Temp1. Only the User1 and Temp1 account logons should be successful.
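The account restrictions set in Exercise 3 (logon workstations, logon hours, expiration) combine to decide who can log on where. The following added example, which is not part of the course files, models those checks in PowerShell over constructed sample objects; the function name Test-LogonAllowed, the dates, and Contractor1 having unrestricted hours are assumptions.

```powershell
# Added example (PowerShell 3.0 or later). The accounts below are constructed
# objects that mirror the Exercise 3 settings; nothing is read from Active Directory.

$weekdays = 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday'

$accounts = @(
    [pscustomobject]@{ Name = 'User1';       Enabled = $true; Workstations = @()
                       Days = $weekdays; StartHour = 6; EndHour = 18; Expires = $null }
    # Assumption: Contractor1 has no logon-hour restriction.
    [pscustomobject]@{ Name = 'Contractor1'; Enabled = $true; Workstations = @('Computer1')
                       Days = $null; StartHour = 0; EndHour = 24; Expires = $null }
    # Assumption: constructed expiration date standing in for "30 days".
    [pscustomobject]@{ Name = 'Temp1';       Enabled = $true; Workstations = @('Virtual1')
                       Days = $weekdays; StartHour = 6; EndHour = 18
                       Expires = [datetime]'2012-02-10T00:00:00' }
)

function Test-LogonAllowed {
    # Hypothetical helper: evaluates one account against one computer at one time.
    param(
        [Parameter(Mandatory)] $Account,
        [Parameter(Mandatory)] [string]   $Computer,
        [Parameter(Mandatory)] [datetime] $When
    )

    $reasons = @()

    if (-not $Account.Enabled) {
        $reasons += 'account is disabled'
    }
    if ($Account.Expires -and $When -ge $Account.Expires) {
        $reasons += 'account has expired'
    }

    # An empty workstation list means the account may log on to any computer.
    $allowedOn = @($Account.Workstations)
    if ($allowedOn.Count -gt 0 -and $allowedOn -notcontains $Computer) {
        $reasons += "not permitted to log on to $Computer"
    }

    # A null Days list means logon hours are unrestricted.
    if ($Account.Days) {
        $dayOk  = $Account.Days -contains $When.DayOfWeek.ToString()
        $hourOk = ($When.Hour -ge $Account.StartHour) -and ($When.Hour -lt $Account.EndHour)
        if (-not ($dayOk -and $hourOk)) {
            $reasons += 'outside permitted logon hours'
        }
    }

    [pscustomobject]@{
        Account  = $Account.Name
        Computer = $Computer
        When     = $When
        Allowed  = ($reasons.Count -eq 0)
        Reason   = ($reasons -join '; ')
    }
}

# Constructed test times: a Wednesday morning and a Saturday evening.
$times = @(([datetime]'2012-01-11T10:00:00'), ([datetime]'2012-01-14T20:00:00'))

$results = foreach ($when in $times) {
    foreach ($computer in 'Computer1', 'Virtual1') {
        foreach ($account in $accounts) {
            Test-LogonAllowed -Account $account -Computer $computer -When $when
        }
    }
}

$results | Format-Table Account, Computer, When, Allowed, Reason -AutoSize
```

The weekday-morning rows can be compared with the outcomes that steps 18 and 19 expect; the Saturday rows show the logon-hours restriction taking effect as well.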


Exercise 4: Assign a PowerShell Logoff Script (Deletes Files in the %TEMP% folder)
Note: Configure Windows Explorer to show all file extensions before starting this exercise. (From the menu bar (Alt + F) click Tools > Folder Options. In the View tab, uncheck the checkbox for Hide extensions for known file types.)

1. Login to VIRTUAL1 as Contoso\Admin1.
2. Use the Command Prompt or Windows Explorer to map the S: drive to \\NYC-DC1\Classfiles.
3. Click Start. In the Search programs and files window, type Group Policy.
4. Click Edit Group Policy and navigate to User Configuration > Windows Settings > Scripts > Logoff.
5. Double click Logoff and in the Logoff Properties window, click the PowerShell Scripts tab.
6. Click Show Files. This opens a Windows Explorer window with a path of C:\WINDOWS\SYSTEM32\GROUPPOLICY\USER\SCRIPTS\LOGOFF. Keep this window open.
7. Use Notepad to open and examine the code in the S:\MOD04\Logoff.ps1 file. Provide Administrator Credentials if required. Close Notepad.
8. Use Windows Explorer to go to the S:\MOD04 folder.
9. Copy the S:\MOD04\Logoff.ps1 file to the LOGOFF folder.
10. Close all Windows Explorer windows.
11. In the Logoff Properties window, click Add then click Browse.
12. Choose the logoff file and click Open.
13. Click OK twice to close the properties windows.
14. In Local Group Policy Editor navigate to Computer Configuration > Administrative Templates > System > Scripts.
15. Change the properties of the Maximum wait time for Group Policy scripts setting to be Enabled and set the Seconds: box to be 60. Read the Help: section of this policy and click OK.
16. In Local Group Policy Editor navigate to User Configuration > Administrative Templates > System > Scripts.
17. Change the properties of the Run logoff scripts visible setting to be Enabled. Click OK.
18. Close Local Group Policy Editor.
19. Click Start, type %TEMP% and press Enter to see the files presently in the %TEMP% directory.
20. Logoff the computer and logon again with the same account. (The logoff process might take a few minutes.)
21. Verify that the files in the %TEMP% folder were deleted. A few files might still be left that were involved in active processes.
22. Use Local Group Policy Editor to remove the logoff script.
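Exercise 4 deploys S:\MOD04\Logoff.ps1, whose contents are not shown on this page. The following is an added example of a logoff script with the same stated purpose, not the course's file; the function name Clear-UserTemp and the safety checks are assumptions, including that %TEMP% lies below %USERPROFILE% as it does by default on Windows 7.

```powershell
# Added example of a logoff cleanup script (PowerShell 3.0 or later).
# It is not the course's Logoff.ps1; names and checks here are assumptions.

function Clear-UserTemp {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $TempPath    = $env:TEMP,
        [string] $ProfileRoot = $env:USERPROFILE
    )

    # Refuse to run unless both paths exist; an unset TEMP must never
    # turn into a delete of the current directory or a drive root.
    foreach ($path in $TempPath, $ProfileRoot) {
        if ([string]::IsNullOrEmpty($path) -or
            -not (Test-Path -LiteralPath $path -PathType Container)) {
            throw "Path '$path' is missing or is not a folder."
        }
    }

    $temp = (Resolve-Path -LiteralPath $TempPath).ProviderPath.TrimEnd('\')
    $root = (Resolve-Path -LiteralPath $ProfileRoot).ProviderPath.TrimEnd('\')

    # Only clean a folder that sits below the user's own profile.
    if (-not $temp.StartsWith($root + '\', [StringComparison]::OrdinalIgnoreCase)) {
        throw "Refusing to clean '$temp': it is not below '$root'."
    }

    $removed = 0
    $skipped = 0

    # Enumerate top-level entries; Remove-Item -Recurse handles their contents.
    foreach ($item in Get-ChildItem -LiteralPath $temp -Force) {
        # Skip top-level junctions and symbolic links rather than deleting through them.
        if ($item.Attributes -band [IO.FileAttributes]::ReparsePoint) {
            $skipped++
            continue
        }
        if ($PSCmdlet.ShouldProcess($item.FullName, 'Remove')) {
            try {
                Remove-Item -LiteralPath $item.FullName -Recurse -Force -ErrorAction Stop
                $removed++
            }
            catch {
                # Files held open by running processes cannot be deleted; leave them.
                $skipped++
            }
        }
    }

    [pscustomobject]@{ Path = $temp; Removed = $removed; Skipped = $skipped }
}

# Entry point when assigned as a logoff script.
Clear-UserTemp
```

Calling Clear-UserTemp -WhatIf from an interactive session lists what would be removed without deleting anything, which is a useful check before assigning the script through Group Policy.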

Exercise 5: Test a Roaming Profile


1. Boot your Virtual1 machine and login as Contoso\Admin1.
2. Create a folder named Scripts on your desktop.
3. Copy the PS1 script from the \\NYC-DC1\CLASSFILES\MOD04 folder to the new Scripts folder.
4. Use the Personalization settings to change the Desktop Background to any solid color.
5. Click Start and then right click Computer. Click Show on Desktop.
6. Install the RSAT using the steps provided in Exercise 2.
7. Click Start > All Programs > Administrative Tools.
8. Right click and drag Active Directory Users and Computers (ADUC).
9. Drag the icon to the desktop and use the prompted options to copy a shortcut on the Desktop.
10. Right click the ADUC icon on the desktop and choose Properties.
11. In the Shortcut key box type the letter A. It should fill in the box with Ctrl + Alt + A. These shortcut keys can now be used to launch the tool.
12. Click Advanced. Check the box for Run as administrator and click OK.
13. Click OK.
14. Run ADUC with the Contoso\Administrator credentials.
15. Open the properties window of your Admin1 account.
16. In the Profile tab, change the Profile path to \\NYC-DC1\USERS\%USERNAME%. Click Apply.
17. Click OK. Close ADUC.
18. Logoff and logon again as Admin1. Do this step twice.
19. Boot your Computer1 machine and login as Contoso\Administrator.
20. Open the System Properties window and go to the Advanced tab.
21. Under the User Profiles section, click the Settings button.
22. Delete the local profile for Contoso\Admin1.
23. Close System Properties and logout.
24. Login as Contoso\Admin1.
25. Verify that the profile configurations you made on Virtual1 are still available. (Note: Remember that the roaming profile is only updated when you logoff.)

Exercise 6: Test a Mandatory Profile


1. Login to COMPUTER1 as Admin1.
2. Use ADUC to change the Logon Hours of Contractor1 so he can login at any time and verify that he can logon to COMPUTER1.
3. In the properties of the Contractor1 account, use the Profile tab to change the Profile path to \\NYC-DC1\USERS\%USERNAME%.
4. Close ADUC and logoff.
5. Login as Contoso\Contractor1.
6. Click Start, right click Computer and choose Show on Desktop.
7. Change the Desktop Background to a solid color and create a new text document on the desktop.
8. Logoff and logon with the Contractor1 account twice.
9. Login as Contoso\Admin1.
10. Use Windows Explorer to navigate to the C:\USERS\Contractor1 folder. Use Administrator Credentials if required.
11. Press Alt + F to show the menu bar and go to Tools > Folder Options.
12. In the Folder Options window, go to the View tab and enable the following options:
    Always show menus
    Show hidden files, folders, and drives
13. In the same tab as the previous step, disable the following options:
    Hide empty drives in the Computer folder
    Hide extensions for known file types
    Hide protected operating system files
    Click OK.
14. In the \\NYC-DC1\USERS\Contractor1.v2 folder, rename NTUSER.DAT to NTUSER.MAN.
15. Log on with the Contractor1 account.
16. Create a text file on the desktop and change the background to a different color.
17. Logoff and on again with the Contractor1 account to verify that changes to the profile are NOT being saved.

Note: Before starting the next lab, login to Computer1 as Contoso\Administrator and use the ADUC to remove all the roaming profile configurations for the user accounts. Also, use the Hyper-V menu options to map the DVD drive to C:\Labfiles\50331D-ENU_Classfiles.iso and execute update1.cmd from the G: drive. Verify that the Admin1 and User1 domain accounts can login without problems after these changes.


Module 5: Identify and Resolve Network Connectivity Issues

Table of Contents
Overview
Lesson 1: Scope of the Problem
Lesson 2: Hardware Issues
Lesson 3: TCP/IP Configuration
Lesson 4: Network Routing
Lesson 5: IPSec Configuration
Lesson 6: Branch Cache
Lesson 7: Network Connectivity Tools
Resolve Network Connectivity Issues
Review Module 5: Identify and Resolve Network Connectivity Issues
Labs Module 5: Identify and Resolve Network Connectivity Issues


Overview

Scope of the Problem

Hardware Issues
TCP/IP Configuration

Network Routing
IPSec Configuration
Network Connectivity Tools
Branch Cache
Resolve Network Connectivity Issues

Although desktop applications allow users to do much of their work on the local machine, most individuals are not able to do their job properly without network connectivity. Whether they are working with a network application, browsing the Internet or using email, a reliable network is necessary to accomplish these tasks. The availability of network services and applications should not be implemented to the detriment of resource security. For the network security protocols and services to work properly, they must be tested thoroughly to ensure that they do not compromise availability. The process of resolving network connectivity problems often involves following a set of predefined steps to isolate exactly where the problem is. Network devices, desktop computers, applications and network services must all be included when doing these checks. Standard desktop tools can often be used to verify the availability and the running state of these components. Some of the features available for Windows 7 allow you to improve the availability of network resources. Even when bandwidth is limited in remote locations, combining the functionality of desktop features and network services can allow the administrator to provide remote users with comparable levels of performance as local users. This chapter will look at ways to identify and fix problems with network connectivity. We will learn how to use network connectivity tools to quickly diagnose the problem areas. A brief overview of network services will be included. We will also see how to improve network connectivity for users who do not have the same connectivity advantages as local users.


Lesson 1: Scope of the Problem

Network Architecture

Network Services
Server Applications

It can be very difficult to solve network problems without a good understanding of the network architecture, network services and applications being used. When this knowledge is combined with an understanding of exactly what the user is trying to accomplish, then network problems can be more easily understood.

Network Architecture

Subnets

Gateways and Routers


Internet Connections

Reliability & Speed

Knowledge of the network architecture should include how many subnets there are, how they are connected and the gateway used to connect to external networks like the Internet. The number of machines being supported on each network segment and the protocols that they use are also important. Some network devices might have special security settings configured, like IPSec encryption or inbound and outbound filtering. These settings on a router or switch can impact the performance and functionality of some applications. Inbound filtering on a router, for example, could be set up to prevent the use of ftp or telnet applications on a network segment. The reliability and speed of network connections should also be known. If some connections are only available at certain times, or if the available bandwidth is limited by other factors, this should be noted. It should also be clear if some connections do not support certain protocols.


Network Services

DNS

WINS
DHCP

Most organizations rely on TCP/IP as the main or only network protocol. In addition to having reliable services to issue IPs to client computers, the system used for name resolution should also have redundancies built in. This often involves having two or more DNS and DHCP servers. Replication is often configured on DNS servers to make sure that if one goes down, the others can still provide the same information. Allowing dynamic updates makes it easy for client machines and servers to register changes about the way they are configured. If older applications still rely on NETBIOS resolution, then WINS servers might also be needed. Care should be taken when configuring DHCP servers that they do not provide duplicate or conflicting configuration settings. Machines that always require the same IP configuration can be assigned one manually, or a reservation can be created for them on the DHCP server. This is done by registering the computer's MAC address from the network card and mapping it to a specific IP.

Server Applications

Authentication Requirements

Application Configuration
Documentation

When a user wants to connect to a network application, they might need more than a valid name or IP address for it. Applications like SQL Server or SharePoint might have their own authentication and connection requirements. Special client software might need to be installed, Internet Explorer might need to have certain options enabled or the connection might only work with a special gateway or proxy configuration. The documentation on the application should make clear what components need to be set up. On the server, care must also be taken to make sure that network settings are configured properly. Some applications will not allow network connections with a default setup. The security settings might need to be changed to allow non-administrators to work on it as well. By combining your understanding of the network and supported server applications, narrowing down the scope of possible problem components becomes easier. Input from the Server Administrator is often necessary to understand some connection and configuration settings.


Lesson 2: Hardware Issues

Network Cards

Network Devices
Gateways

Network devices are much more reliable than they used to be, but they do sometimes fail and cause connectivity problems. They might also cause problems when they are improperly configured. The fault can lie with the network cards on clients and servers, or with switches, routers or gateways. These problems can often be diagnosed with standard connectivity software installed on a client computer. In some cases, the cabling that connects these devices might be at fault, so it should be tested as well.

Network Cards

Hardware Failure

Drivers
Device Manager Settings

If the NIC on a computer is faulty, this can be easily verified by trying to do the same operation with another card. Sometimes the drivers might be the source of the problem and these should be replaced or upgraded before writing off the card. Some network cards have indicator lights to signify if there is a problem with the card, its configuration or cabling. The documentation should allow the technician to identify these problems. If the computer has more than one network card, try enabling and disabling the cards to verify that you are diagnosing the right one. Assigning appropriate names to them should also help to avoid confusing them with each other. Some network card problems can be identified by using the Device Manager. You can verify that the network card is actually seen by the system, whether or not it is enabled and what driver it is using. In the properties window for the driver, the status of the card, whether it is working properly or not, can be seen. Any power management, resource and configuration settings can also be viewed and changed. Driver updates and rollbacks can be done to try and fix the configuration problem. Uninstalling and reinstalling the device is sometimes helpful. Tools like ipconfig.exe or net.exe can be used to verify the MAC or physical address of the NIC.


Network Devices

Switches

Routers
TCP/IP Tools

Network switches and routers allow devices on different network segments to communicate with each other. Besides verifying physical connectivity through the cables, the device setup must also be checked. Using TCP/IP tools like netstat, ping and pathping, you can verify if the devices are working as expected. Trying to connect to remote systems using different protocols is also a good exercise. While the ping command might not work because of ICMP filtering, a connection to a network share or website might be successful, indicating that the device is not faulty.

Gateways

Protocols

Security

Gateways can be physical devices or software used to connect two or more different networks. The networks might simply be running different protocols or they might connect different organizations to each other. If they are not implemented properly, gateways can be bottlenecks for network traffic. Security is often a consideration in how they are set up because there might be concerns about confidential information leaking out or malicious users getting in. They will often use firewall capabilities to mitigate this issue. The firewall features might be a part of the gateway or they could come from a separate server.


Lesson 3: TCP/IP Configuration

Minimum Configuration

Manual and Automatic Configuration


Testing the Configuration

IPv6

Manually configuring the IP address for a computer requires at least two pieces of information: the IP address and the subnet mask. The IP address must be unique and the network address must be the same as that of the other computers on the network segment.

Minimum Configuration

IP Address

Subnet Mask

The network address is calculated by lining up the IP address with the subnet mask and keeping only the part of the IP address that corresponds to the non-zero part of the subnet mask. So a computer with an IP address of 192.168.10.5 and a subnet mask of 255.255.0.0 will have a network address of 192.168.0.0. The number of binary 1 bits in the subnet mask is appended to it, making the network address 192.168.0.0/16. These calculations can be done with free calculators on the Internet when more complex subnet masks are used.


Manual and Automatic Configuration

Additional Settings

DHCP
APIPA

In addition to the IP address and subnet mask, computers will often need a default gateway to route traffic outside of the local network. At least one DNS server is also necessary for most networks to provide name resolution. Other settings that might be assigned include domain name, WINS server and NETBIOS name resolution type.

Most client computers on a network are issued IP addresses via a DHCP server. This normally prevents most configuration problems that interfere with network connectivity. Problems with desktop network connectivity are normally associated with a poorly configured DHCP server or one that is not available. To verify that a computer is using a DHCP-issued IP address, the ipconfig /all command can be used. The ipconfig /release and ipconfig /renew commands can be used to manually connect to a DHCP server. If unsuccessful, the IP address will be in the range 169.254.x.x, which is the Automatic Private IP Addressing (APIPA) range. APIPA can be disabled in the registry of the computer. Another option is to manually assign an IP address in the Alternate Configuration window. This setting is often used for mobile computers that are used in two different networks. The IP address assigned to the Alternate Configuration is only used when a DHCP server is not available.
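The network-address calculation from the Minimum Configuration slide and the APIPA check described above, as an added example in Python (not part of the original courseware). The function names and sample addresses are constructed for illustration; the code also handles masks that do not fall on an octet boundary and flags a default gateway that lies outside the local network.

```python
def to_int(dotted):
    """Convert dotted-decimal IPv4 text to a 32-bit integer."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(
            p.isascii() and p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError("not a dotted-decimal IPv4 value: %r" % dotted)
    value = 0
    for part in parts:
        value = (value << 8) | int(part)
    return value


def to_dotted(value):
    """Convert a 32-bit integer back to dotted-decimal text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_length(mask):
    """Count the 1-bits of a subnet mask; reject masks whose 1-bits are not contiguous."""
    host_bits = ~to_int(mask) & 0xFFFFFFFF
    if host_bits & (host_bits + 1):      # host part must look like 0...0111...1
        raise ValueError("subnet mask is not contiguous: %s" % mask)
    return 32 - host_bits.bit_length()


def network_address(ip, mask):
    """Keep only the IP bits covered by the mask, then append the mask's bit count."""
    return "%s/%d" % (to_dotted(to_int(ip) & to_int(mask)), prefix_length(mask))


def is_apipa(ip):
    """True when the address lies in 169.254.x.x (no DHCP server answered)."""
    return network_address(ip, "255.255.0.0") == "169.254.0.0/16"


def check_config(ip, mask, gateway=None, peers=()):
    """Return a list of findings for one adapter's IP settings."""
    findings = []
    local = network_address(ip, mask)
    host_bits = ~to_int(mask) & 0xFFFFFFFF
    host_part = to_int(ip) & host_bits
    if is_apipa(ip):
        findings.append("%s is an APIPA address: no DHCP server answered" % ip)
    if host_bits > 1 and host_part in (0, host_bits):
        findings.append("%s is the network or broadcast address of %s" % (ip, local))
    if gateway and network_address(gateway, mask) != local:
        findings.append("gateway %s is outside local network %s" % (gateway, local))
    for peer in peers:
        if network_address(peer, mask) != local:
            findings.append("peer %s is outside local network %s" % (peer, local))
    return findings


if __name__ == "__main__":
    # The document's own example.
    print(network_address("192.168.10.5", "255.255.0.0"))
    # Constructed sample: a /26 mask where the gateway looks local but is not.
    for line in check_config("192.168.10.77", "255.255.255.192",
                             gateway="192.168.10.1",
                             peers=["192.168.10.80", "192.168.10.130"]):
        print(line)
```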

Testing the Configuration

Loopback Testing

Ping
Network Troubleshooter

Once the computer has an IP address, the local configuration can be tested by pinging the loopback address of the local machine (e.g. ping 127.0.0.1) and then pinging the actual IP address. If the address is assigned manually, the "Validate settings upon exit" option can be used to detect and fix problems with the configuration. It can, for example, detect a duplicate IP address configuration and force the machine to use DHCP instead of the manually assigned address. Connectivity over the network can then be tested by pinging another computer on the local network, the default gateway and a computer on a remote network. An error anywhere in this process is an indication of problems with that part of the network. So, if you are unable to ping any computer on the local network, that could indicate that the computer is using a different network address from the other systems. Name resolution can then be tested by pinging the name of a network server.
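The test order described above, as an added Python example (not part of the original courseware): it probes each step in turn and reports the first one that fails, together with what that failure points to. The step names, the first_failure helper and the sample addresses are assumptions made for the example; the default probe calls the Windows ping.exe with its -4, -n and -w options.

```python
import subprocess

# Ordered the way the lesson walks outward from the local machine:
# (step name, what a failure at this step points to).
LADDER = [
    ("loopback", "TCP/IP stack on the local machine"),
    ("own_ip", "local adapter or its IP configuration"),
    ("local_peer", "local segment: cabling, switch, or a different network address"),
    ("gateway", "default gateway setting or the gateway itself"),
    ("remote_host", "routing beyond the gateway, or ICMP filtering on the path"),
    ("server_name", "name resolution (DNS or WINS)"),
]

# Constructed sample targets for one desktop; replace with real values.
SAMPLE_TARGETS = {
    "loopback": "127.0.0.1",
    "own_ip": "192.168.10.77",
    "local_peer": "192.168.10.80",
    "gateway": "192.168.10.65",
    "remote_host": "10.20.0.5",
    "server_name": "nyc-dc1",
}


def windows_ping(target):
    """Send one IPv4 echo request with ping.exe and report whether a host replied."""
    done = subprocess.run(["ping", "-4", "-n", "1", "-w", "1000", target],
                          capture_output=True, text=True)
    # ping.exe can exit with 0 when a router answers "Destination host
    # unreachable", so also require the TTL= field of a real echo reply.
    return done.returncode == 0 and "TTL=" in done.stdout


def first_failure(targets, probe=windows_ping):
    """Probe each configured step in order.

    Returns (step, meaning) for the first step that fails, or None when
    every configured step answers. Steps missing from targets are skipped.
    """
    for step, meaning in LADDER:
        if step not in targets:
            continue
        if not probe(targets[step]):
            return step, meaning
    return None


if __name__ == "__main__":
    result = first_failure(SAMPLE_TARGETS)
    if result is None:
        print("all steps answered")
    else:
        print("first failure at %s: check %s" % result)
```

A failure at remote_host alone is not proof of a routing fault: as the Network Devices slide notes, ICMP may be filtered while a share or website on the same host still connects.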

IPv6

Windows 7 Support

Link-Local Addressing
IPv4 Tunneling

The protocol stack on Windows 7 computers provides support for the IPv6 protocol on the network. Even if an address is not assigned, the computer will create its own randomly generated link-local address using any information it receives from local routers. If the network infrastructure does not support IPv6, the computers will still be able to tunnel information through the IPv4 network.


Lesson 4: Network Routing

Verifying Connectivity

Security
Web Proxy

Communication with computers on the same subnet uses direct connections between the machines. When sending or receiving data to other subnets, however, the packets will normally travel through one or more routers. By understanding how to diagnose routing issues, you will be able to quickly locate and solve these problems on the network. Before getting into this phase of troubleshooting, you should verify that other issues are not causing the problem. So if one computer is not able to connect to a remote system, verify that other machines on the local subnet have the same problem.


Verifying Connectivity

ICMP Packets

Pathping
Tracert

The ping command is normally used to verify connectivity with remote systems. By default, the ICMP packets sent to test connectivity are 32 bytes in size. Failure to use the correct packet size for some applications will result in connectivity failure. Modifying the size of the ICMP packets will allow a more thorough test of connectivity between the machines and applications. Using the -l parameter allows you to change the size of the packets (e.g. ping -l <size> <remote IP>). The -t parameter is also useful for doing a continuous ping until you manually stop it. As with most command-line utilities, using the -? option will list all the available options for the ping command.

If you cannot ping a remote computer, the pathping command can be used to find out exactly where the problem is. Even if you do not know how the network is laid out, using the pathping <remote IP> command will tell you what routers are being used to connect to the system. If there are any delays in transmitting data, routing loops or dropped packets, pathping will also provide helpful information about this. The offending router can then be fixed or replaced. Pathping comes with a number of optional parameters that allow you to specify the maximum number of hops, whether to resolve the hostnames of the routers and a timeout value. You can also force the use of either IPv4 or IPv6 when doing the trace.

Tracert is another useful tool for verifying connectivity between routers. Like pathping, it shows an ordered list of routers being used to connect to a remote host. It can be configured to resolve the hostnames of the router IPs, specify a maximum number of hops and use a specific timeout value.

Security

Filtering

Encryption

Because of the servers or services provided on some network segments, not all network traffic will be allowed through them. Some information might also need to be protected in transit over the network because of its sensitive nature. These options are normally implemented by using filtering and encryption.

IP filtering for a router can be configured on each NIC of the device. Each network card can further be configured to use either outbound or inbound filtering. When these filters are created, they should be thoroughly tested to make sure they do not interfere with the functionality of existing applications and services. Alternate routes might have to be manually configured to mitigate such configuration changes.

Most routers will support some type of encryption, but this must also be tested thoroughly. If client or server applications will be doing their own encryption, the routers should be configured accordingly. Some configuration options like using Network Address Translation (NAT) might have to be changed to support the applications.


Web Proxy

Manual Configuration

GPO Configuration

If a proxy server is needed to connect to web applications, Internet Explorer can be manually configured to support this. Exceptions can be created for websites that do not require this functionality. These settings can also be deployed and enforced using GPO settings.


Lesson 5: IPSec Configuration

Authentication

Profiles
IPSec Tunneling

The importance and confidentiality of some information on the network often means that security measures to protect it on the file system might not be considered enough. It might also be decided to protect that information while it is in transit over the network. IPSec can be configured to meet this need. Not only can it protect the actual data being sent back and forth, but for insecure protocols like FTP, it can be used to protect authentication information as well. IPSec can also be implemented with some network cards, which will provide superior performance for the local computer.

To configure network encryption using IPSec from the local computer, you can use the Windows Firewall with Advanced Security tool or the Local Security Policy. IPSec can be configured for all communications on a system, but this is rarely done. Because of the performance overhead involved, you should only encrypt the traffic that has elevated security requirements. IPSec can be configured for communication with all network systems, specific networks or specified computers.

It is important to test the configuration after it is applied to make sure that it works as intended. The remote systems must also be configured with compatible settings. While testing connectivity between computers on which IPSec has been enabled, it is sometimes useful to temporarily disable the rules by stopping the IPsec Policy Agent service.


Authentication

Kerberos

NTLM
Certificates

Preshared Key

The method used to authenticate secure connections should be chosen carefully. The easiest one to set up in a domain environment is Kerberos. After verifying that a computer is really a part of the domain, the systems can then start encrypting network traffic between each other. No additional resources need to be configured to use this authentication method. NTLMv2 can also be used for authentication purposes.

Computers can also verify the identity of other machines by using certificates. If there is not already a CA hierarchy configured, then additional work will need to be done to implement it. This method allows computers that are not a part of the trusted Active Directory environment to be configured as trusted machines for network encryption.

The least secure method of authenticating computers is by using preshared keys. A word or phrase is assigned to each computer and they will pass this statement to verify their identity to the other system. The word or phrase does not need to meet any special security requirements and it is stored in plaintext. This method does not require Active Directory, a CA hierarchy or any other special settings or applications.

Profiles

Domain

Private
Public

IPSec rules will apply to all computers if the default settings are used, but three predefined profiles or networks can also be used to limit the scope of the rule. The domain profile is used when the rule should be applied on the corporate network. This profile is used if the machine detects the local domain of which it is a member. The private profile will apply when the machine is running at the user's home or some other private location. The public profile applies to the Internet or some other network not classified as private or domain. The most restrictive rules are normally reserved for the public profile. The profiles can be used individually or in any combination that matches your security needs.


IPSec Tunneling

Gateway

Secure Traffic over insecure network

One very useful configuration of IPSec is to use it in tunneling mode. This allows two computers to act as gateways for other machines that might not have their own IPSec capabilities. It can also be used to secure all traffic being sent between two locations over an insecure network. As with other scenarios, such a configuration must be tested thoroughly to ensure that traffic is not being unintentionally blocked or encrypted.


Lesson 6: Branch Cache

Configuring Branch Caching

Security

Organizations that have offices in different locations might use WAN connections that do not provide sufficient bandwidth to meet the needs of end users. The cost of using leased connections might also limit their usage. To make it easier and faster for remote users to access files over these links, the new Branch Caching feature can be very useful. Taking advantage of this option on Windows 7 and Windows Server 2008 R2 can help to optimize bandwidth usage and improve user access to information.

When this feature is enabled, access to remote files takes place as it normally does the first time they are retrieved. The file is then cached somewhere on the local network, either on the client or on another server, depending on the configuration. Subsequent requests for the file will recognize that there is a local copy of the document, so it does not have to be retrieved over the WAN. After the user's permissions are verified, they can work with the local copy of the file.

Branch Caching supports applications that use the HTTP or SMB protocols to transfer information. So web-based applications like SharePoint can take full advantage of these caching features. End users that work with folder shares and the programs that use them will also be able to benefit from using Branch Caching.


Configuring Branch Caching

Hosted Caching

Distributed Caching

There are two ways to configure branch caching. A server running Windows Server 2008 R2 can be configured to create a Hosted Caching environment. The caching options and files can be managed centrally from this server. This option is best used in larger branch offices where there are a number of users to support and there might already be a server located in that office that can be used for this purpose. Distributed Caching is enabled by configuring the Windows 7 desktops to cache and hold their own documents. Smaller branch offices or locations where there is no available server might take advantage of this configuration.

To configure branch caching, you can use the settings in a GPO or use the netsh command. Only one type of caching can be configured on the client at a time. The Web Services Dynamic Discovery (WS-Discovery) protocol is used by clients to find local copies of files before trying to retrieve them over the WAN. WS-Discovery facilitates the peer-to-peer sharing of information and also makes sure that users are working with the correct file versions. Firewall settings on the desktops must allow inbound traffic for the WS-Discovery protocol (UDP 3702) and HTTP traffic (TCP 80).

Security

Permissions

Content Hash
Encryption

When a client computer is retrieving a document from a cached location, permission settings will still be verified as if the user were pulling the information from the original server. The client will still retrieve a content hash for the document from the original server over the WAN and compare it with the hash for the local file. If the file was corrupted or modified in any way, then it will not be used. This mechanism can help to protect desktops from malware-infected clients. Files that are copied from caches will be encrypted in transit over the network for further protection.
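A simplified sketch of the content-hash check described above, added here as an example (it is not BranchCache's actual protocol or code). It assumes per-block SHA-256 digests and uses hypothetical names (block_hashes, assemble); the sample content is constructed.

```python
import hashlib
import hmac

BLOCK_SIZE = 64 * 1024  # assumption for this sketch


def block_hashes(content, block_size=BLOCK_SIZE):
    """What the origin server publishes: one SHA-256 digest per block of the file."""
    return [hashlib.sha256(content[i:i + block_size]).digest()
            for i in range(0, len(content), block_size)]


def assemble(trusted_hashes, from_cache, from_origin):
    """Rebuild a file block by block, trusting only blocks that match their hash.

    trusted_hashes: digests fetched from the origin server over the WAN.
    from_cache(i):  returns block i from a local cache, or None if not cached.
    from_origin(i): returns block i from the origin server (slow WAN path).
    Returns (content, rejected); rejected lists cached blocks that failed the check.
    """
    blocks, rejected = [], []
    for index, expected in enumerate(trusted_hashes):
        block = from_cache(index)
        if block is not None:
            actual = hashlib.sha256(block).digest()
            if not hmac.compare_digest(actual, expected):
                rejected.append(index)
                block = None          # a corrupted or modified block is never used
        if block is None:
            block = from_origin(index)
            if not hmac.compare_digest(hashlib.sha256(block).digest(), expected):
                raise ValueError("origin block %d does not match its hash" % index)
        blocks.append(block)
    return b"".join(blocks), rejected


def demo():
    """Constructed scenario: block 0 cached intact, block 1 modified, the rest not cached."""
    original = bytes(range(64))                  # constructed sample file
    size = 16                                    # small blocks keep the demo readable
    hashes = block_hashes(original, size)
    chunks = [original[i:i + size] for i in range(0, len(original), size)]
    cache = {0: chunks[0], 1: b"X" * size}
    wan_requests = []

    def from_origin(index):
        wan_requests.append(index)
        return chunks[index]

    content, rejected = assemble(hashes, cache.get, from_origin)
    return content == original, rejected, wan_requests


if __name__ == "__main__":
    intact, rejected, wan_requests = demo()
    print("file intact:", intact)
    print("cached blocks rejected:", rejected)
    print("blocks fetched over the WAN:", wan_requests)
```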


Lesson 7: Network Connectivity Tools

ARP
Ping
Pathping
Ipconfig
DNSCmd
Netdiag
Netdom
Netsh
Netstat

We have already discussed a number of connectivity issues and how to solve them using the tools available on the system. Let's now take a look at the most common tools you might work with when trying to fix network problems. We will describe their main function and how you might find them useful. The available parameters for each of these tools can be retrieved by executing the command with the -? or /? option. Most of these commands are native to Windows computers, but some of them might require that you install the Support Tools or a Resource Kit.

ARP: This command lets you view and manage the Address Resolution Protocol cache (e.g. arp -a). This cache lists the MAC address of computers you have recently communicated with. If the computer is a remote machine, the MAC address of the router will be listed instead.

Ping: This command uses the Internet Control Message Protocol (ICMP) to verify connectivity between systems. It allows you to change the size of packets and the TTL when doing the tests. The tests can include name resolution where necessary and specify either IPv4 or IPv6 (e.g. ping -a 192.168.10.100 or ping -4 nyc-dc1).

Tracert: It creates a list showing the routers used to connect to a remote system.

Pathping: It performs the same function as tracert but can provide more diagnostic information for routers that are dropping packets.

Ipconfig: Shows the TCP/IP properties of the local machine. It can also be used to control the DNS cache and renew dynamic IP configurations (e.g. ipconfig /displaydns). The MAC address of network adapters on the machine can also be viewed with the /all parameter.

Hostname: Shows the name of the local computer.


Nslookup: Tests and troubleshoots forward lookup (A) and reverse lookup (PTR) records on a DNS server. Details for service records on domain controllers and other servers can also be queried on the server (e.g. nslookup contoso.com).

Dnscmd: Provides the same testing and querying functionality as nslookup (e.g. dnscmd nyc-dc1 /zoneprint contoso.com) but can also be used to create new zones and records on a DNS server. Dnscmd can be installed on a new system with the Windows Support Tools.

Net: This command has many options and parameters and is often used for administrative operations like getting the operating system version, stopping or starting services, or creating users and groups (e.g. net config workstation or net stop server or net user /add Admin2 Pa$$w0rd). It can also perform network operations like connecting to a network share or viewing available shared folders on network computers (e.g. net use y: \\nyc-dc1\classfiles or net view nyc-dc1). Net helpmsg <error number> can also be used to get details about a specified error number.

Netdiag: Runs a series of tests to make sure that TCP/IP is installed and configured properly on a computer. It is installed with the resource kit.

Netdom: Manages computers that are a part of a domain and queries details about the domain controllers (e.g. netdom verify computer1 or netdom query dc). The trust relationship between domains and the location of member computers can be queried, added, removed or changed (e.g. netdom query /d:contoso workstation).

Netsh: Performs a wide range of IP configuration tasks, including static IP assignments and managing firewall settings (e.g. netsh interface ip set address name="Local Area Connection" static 192.168.10.50 255.255.255.0 or netsh advfirewall set currentprofile state off). It also has scripting features that make it useful in creating batch processes to implement IP configuration changes, and it facilitates the remote configuration of network settings on network computers.

Netstat: Displays information about the current IP configuration on the desktop as well as details about active connections and open ports. It is often used to verify if there are applications on the machine that are listening on certain ports (e.g. netstat -a).

Nbtstat: Checks the configuration of the NETBIOS over TCP/IP settings on the machine (e.g. nbtstat -n). It can also be used to get IP and MAC information about remote clients on a network (e.g. nbtstat -a nyc-dc1). Disabling NETBIOS on a network adapter will prevent this tool from gathering information on it.

Route: Shows the routing table of the local system (e.g. route print). Route can also be used to modify the IP routing table.
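The netstat check described above (which applications are listening on which ports) can be automated by parsing saved output. The following Python sketch is an added example, not part of the course material; it assumes output captured with netstat -ano (the -n and -o switches add numeric addresses and the owning PID), and the sample output and allow-list are constructed.

```python
import ipaddress

# Constructed sample of "netstat -ano" output (not taken from a real machine).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:5357         0.0.0.0:0              LISTENING       4
  TCP    192.168.10.50:49172    192.168.10.10:445      ESTABLISHED     4
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5355           *:*                                    1104
"""

# Assumption: the (protocol, port) pairs this desktop is expected to expose.
ALLOWED = {("TCP", 135), ("TCP", 445), ("UDP", 5355)}


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr%zone]:port' into (addr, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]").split("%")[0], int(port)


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP":
            proto, local, remote, state, pid = fields
        elif len(fields) == 4 and fields[0] == "UDP":
            proto, local, remote, pid = fields
            state = ""          # UDP rows have no State column
        else:
            continue
        host, port = split_endpoint(local)
        rows.append({"proto": proto, "host": host, "port": port,
                     "remote": remote, "state": state, "pid": int(pid)})
    return rows


def exposed_listeners(rows, allowed):
    """Sockets reachable from the network that are not on the allow-list."""
    findings = []
    for row in rows:
        bound = row["state"] == "LISTENING" or row["proto"] == "UDP"
        if not bound:
            continue
        if ipaddress.ip_address(row["host"]).is_loopback:
            continue            # only reachable from the local machine
        if (row["proto"], row["port"]) in allowed:
            continue
        findings.append((row["proto"], row["host"], row["port"], row["pid"]))
    return findings


def active_connections(rows):
    """Established TCP sessions as (local port, remote endpoint, PID)."""
    return [(r["port"], r["remote"], r["pid"])
            for r in rows if r["state"] == "ESTABLISHED"]


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    for proto, host, port, pid in exposed_listeners(parsed, ALLOWED):
        print(f"unexpected listener: {proto} {host}:{port} (PID {pid})")
    for port, remote, pid in active_connections(parsed):
        print(f"active connection: local port {port} -> {remote} (PID {pid})")
```

The PID in each finding can be matched to a process name in Task Manager to decide whether the listener belongs on the machine.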

Resolve Network Connectivity Issues

Review the scenarios and problems presented along with their solutions

By using the right tools and features from network devices and software applications, most network problems can be quickly isolated and repaired. Here are some scenarios where connectivity issues can be handled in a timely manner.

You need to optimize the bandwidth usage for a branch office that is using a WAN link to download large presentation files from a SharePoint server. What Windows 7 feature can you use to mitigate this problem?
You can enable Distributed Caching on the Windows 7 clients in the branch office. If there is a Windows Server 2008 R2 system available, you might also consider using Hosted Caching on a central machine because of the size of the files.

You suspect that a router is either offline or dropping some network packets. What tools can you use to verify this?
Use either tracert or pathping to try to connect to a computer on the other side of that router.

You enabled IPSec on a server to protect traffic for a payroll application being used on it. Other users that use shares and web services are now complaining that they cannot connect to the system and the performance of the server is also very slow. What can you do?
Change the IPSec configuration to only encrypt the payroll application traffic. It appears that the server is trying to encrypt all network traffic.

You have found that some users are bypassing the proxy server and connecting directly to the Internet by changing their settings in Internet Explorer. How can you prevent this?
Assign the proxy server IP address using a Group Policy and use the same GPO to disable the changing of proxy settings. Disabling proxy changes is done from User Configuration > Administrative Templates > Windows Components > Internet Explorer. Assigning the proxy setting is done from User Configuration > Windows Settings > Internet Explorer Maintenance > Connection.

A desktop computer is not able to communicate with remote machines but has no trouble talking to other systems on the local subnet. What is the next thing you would check if you have already verified that other systems do not have this problem?
Verify the default gateway address that the system is using.

Two computers are unable to communicate and you suspect that this is because of new IPSec rules that have been implemented on one of them. How can you quickly verify this?
Turn off IPSec by stopping the IPsec Policy Agent service.

A user suspects that he is not getting up-to-date files from a server over the WAN because the new Branch Caching features have been enabled. How can you reassure him?
Let the user know that the remote server will send him a file content hash to compare to the one on the locally cached files. This ensures that he will have the correct file and will not be infected by malware that might exist on local systems.

You do not use the bootp protocol on any of the computers in your remote office. One of the client computers is having trouble communicating and the IP address on the system shows up as 169.254.50.6. How can you fix this problem?
Since DHCP uses bootp, you will manually assign an IP address to the computer.

One of the managers uses his laptop on the local network, which uses a DHCP server. However, he sometimes uses the same laptop at a remote office that requires static IP assignments. What is the easiest way to solve this problem?
Configure the laptop for DHCP and assign an Alternate IP to the configuration of the NIC. The alternate IP will only be used if no DHCP server is detected.

You suspect that one of the DNS servers on your network is resolving names with out-of-date information. How can you test that server from your client machine?
You can use the dnscmd or nslookup commands.

You are creating a DHCP reservation for a computer on a remote subnet. How can you get the MAC address of that computer by using tools on your local machine?
You can use the nbtstat.exe command (e.g. nbtstat -a <computername>). If the machine was on the local segment, you could use the arp -a command after pinging it.


Review Module 5: Identify and Resolve Network Connectivity Issues

REVIEW
Examine the review questions as a class

1. How can a client computer be configured to always get the same IP address from a DHCP server?

2. How can you prevent users from connecting to certain applications on a network segment?

3. What protocol is used by the ping command to test connectivity with network machines?

4. What is the pathping.exe command used to do?

5. How can you verify the MAC or physical address of a network card?

6. What IP configuration must all computers on the same subnet share?

7. In what order should resources be pinged when testing the IP configuration of a computer?

8. What command can you use to see the IP addresses of routers between two machines?

9. What parameter will allow you to do a continuous ping of a computer until stopped manually?


10. True or False. Windows 7 systems will automatically configure an IPv6 address for themselves.

11. What are the two different ways of configuring Branch Caching?

12. What ports must be configured for inbound traffic on a desktop computer configured for distributed caching?

13. What are the different ways that IPSec rules can be applied to computers?

14. What three profiles are available when configuring IPSec rules?

15. What IPSec configuration allows a system to be configured as a gateway to encrypt unencrypted traffic?

16. What command can you use to display the local routing table on a computer?


Labs Module 5: Identify and Resolve Network Connectivity Issues

Exercise 1: Use command-line tools to identify network problems.
Exercise 2: Fix connectivity problems with command-line and GUI tools.

Objective: Use command-line and GUI tools to troubleshoot and fix network configuration and connectivity problems.

Unless stated otherwise, start up the Windows 7 client and domain controller images for this lab. Log in with the Contoso\Admin1 account using a password of Pa$$w0rd.

Note: Only command-line tools can be used to fix the problems in Exercise 1. GUI or command-line tools can be used to solve problems presented in Exercise 2. At the beginning of each exercise, verify that the Windows Firewall service is running. If you have not already done so, use the Hyper-V menu options to map the DVD drive to C:\Labfiles\50331D-ENU_Classfiles.iso and execute update1.cmd from the G: drive.

Estimated time to complete this lab is 90 minutes.


Exercise 1: Use command-line tools to identify and solve network problems.
Note: Take advantage of the information in Lesson 7 about the function of different command-line tools. Use the help option (/?) to find the correct parameter to use in each case. Before starting this exercise, create a System Restore point named Pre_Lab5A.

1. What is the MAC address of the network adapter on NYC-DC1?

2. What version of Windows 7 is installed on your computer?

3. How could you map the Users share on NYC-DC1 to the U: drive?


4. On what port numbers does your machine have active connections?

5. What visible network shares are now available on NYC-DC1?

6. What visible and invisible shares are available on your system?

7. What are the names or IP addresses of computers connected to shares on your system?

8. How can you list the IP and MAC addresses of computers you have recently communicated with?

9. How can you register a computer's IP address with the DNS server?

10. How can you get the description of an operating system error number?

11. How can you verify that the DNS server has the correct IP address for your computer?

12. Which computer names are presently in your DNS cache?

13. Which computer names are presently in your netbios cache?

14. How can you verify that NYC-DC1 is using the netbios protocol?

15. What command can you use to verify that your computer has a valid connection to the domain?

16. How can you verify what server is presently acting as your Time Server?

17. What command will show the routing table of your computer?

18. What command will list the IP address or name of routers used to connect to a remote system?

19. How can you display all the records in the Contoso.com DNS zone?

20. What command will list all the domain controllers in your domain?

21. What command will allow you to assign a static IP address to the NIC?


22. What command will allow you to change the IP configuration from static to dhcp?

23. How can you disable Windows Firewall?

24. What command will create a rule named Telnet Connections that prevents Telnet.exe from creating outbound connections?

25. What command will delete an existing firewall rule named Telnet Connections?

Exercise 2: Fix Connectivity Problems


The script files used in this exercise should not be examined until after the problem they create is solved. The student may use GUI or command-line tools to solve the problems created. Each problemX.cmd script has a solutionX.cmd script in the same folder.

1. Create a System Restore point named Pre_Lab5B.
2. Copy the scripts in the \\NYC-DC1\CLASSFILES\MOD05 folder to E:\Temp\MOD05.
3. Run E:\Temp\MOD05\Problem1.cmd script from Windows Explorer.
4. The scripts will create connectivity problems to or from the Windows 7 client in one of the following areas:
   - Ping and other ICMP traffic will be interrupted.
   - Name resolution will not work properly or perform very slowly.
   - Local or Network shares will not be available.
   - Network routing or domain authentication will be non-functional.
5. Find the problem created by the script and come up with a solution to fix the problem.
6. Close all active network connections. Perform the steps above for next Problem script in the E:\TEMP\MOD05 folder.


Module 6: Identify and Resolve Name Resolution Issues

Table of Contents
Overview
Lesson 1: DNS Name Resolution
Lesson 2: Using a Hosts file
Lesson 3: WINS Configuration
Lesson 4: Using LMHOSTS files
Lesson 5: Name Resolution Order
Lesson 6: Manual vs. DHCP Configuration
Resolve Name Resolution Issues
Review Module 6: Identify and Resolve Name Resolution Issues
Labs Module 6: Identify and Resolve Name Resolution Issues


Overview

DNS Name Resolution
Using a Hosts file
WINS Configuration
Using LMHOSTS files
Name Resolution Order
Manual vs. DHCP Configuration
Resolve Name Resolution Issues

Communication between two computers on a network normally takes place after they have established the MAC address of each other's network adapter. On TCP/IP networks the MAC address is often retrieved from the IP address using the ARP protocol. Since most users find network resources by using a computer name rather than an IP address, there needs to be a mechanism for converting the names into IP addresses. On Windows computers, a number of mechanisms and services are available for doing this.

Many desktops still run the NETBIOS protocol on top of TCP/IP, and there are name resolution options available that work with that protocol. Primarily, the Windows Internet Naming Service (WINS) and the LMHOSTS file are used for this.

Host name resolution is the primary name resolution system for highly structured networks and the Internet. Most TCP/IP tools and applications like FTP, Telnet and ping will also use host name resolution. DNS servers and HOSTS files are the primary mechanisms used for this.

In this chapter, we will look into the different ways that name resolution can be configured on a Windows computer. The configuration and structure of each method will be looked into and we will also see how they work together. DHCP services are often used to configure name resolution on desktop computers and we will look into the different ways that this can be done. We will also see how to troubleshoot and fix problems with IP to name resolution.


Lesson 1: DNS Name Resolution

DNS Structure

Client Configuration
DNS Security

Many networks use DNS as their primary and only name resolution system. Its flexibility allows it to be used on local networks or over the Internet. The hierarchical structure of DNS is one of its greatest strengths, which allows an almost limitless number of records to be created and used in it. The use of SRV records also means that it can provide not only name to IP resolution, but also respond to requests for computers that provide a particular service.

DNS Structure

Zone Files

Zone Replication
Zone Forwarding

When records are recorded on a DNS server, they are added to a zone file that represents the domain of the machine. A network with three domains must therefore have three zones, one for each of them. Zone information can be shared between DNS servers using forwarding and replication mechanisms.

If a DNS server does not have the zone for a computer record but has a forwarder pointing to another server that does, it can copy the information from it and cache it for future requests by other clients. Problems sometimes develop when changes are made to the DNS hierarchy and forwarder information is not updated. Caching stale and out-of-date records might also create connectivity issues. Regularly updating the DNS properties and using features like stub zones can help to solve these problems.

Zone replication can be used to copy all the records in a zone to another server. This allows multiple servers to resolve names and IP addresses without forwarding requests to remote machines. While this method often results in faster name resolution, copying a large number of records across WAN links can create problems. Using DNS forwarding in such situations is often a better solution. The replication intervals are configurable and should be set to update records in a timely manner so out-of-date information is not sent to clients.


One problem that sometimes occurs with DNS servers is very slow resolution of names. This is because most DNS servers are configured to forward unresolved names to the Internet root servers when they cannot resolve a name using their local zones. This configuration should be removed from all internal DNS servers, which should then be pointed to an Internet-facing server that will resolve names outside of the local network.

Another problem occurs when the primary DNS server is offline. The client computer might take some time to give up on it and try the secondary DNS server. Once the client starts using the secondary server, it will keep using it even when the primary comes back online.

Client Configuration

Fault-tolerant configuration

Verifying DNS Server


DNS Cache

Client computers should be configured with the IP addresses of at least two DNS servers to provide fault tolerance in case one of them goes down. When more than two DNS servers need to be assigned, these can be configured in the advanced settings of the network adapter properties or through a DHCP server. If the client computer has trouble connecting to the primary, it will automatically use the secondary even if the primary comes back online.

The ipconfig /all command can be used to verify which DNS server a computer is using for its primary resolution. If the primary DNS server returns an authoritative response to the client indicating that it was not able to resolve a name, the secondary DNS server will not be checked.

Out-of-date records are automatically flushed from the DNS cache on a computer. When this happens, the computer is forced to try to resolve the name again. Records in the cache can be checked by running ipconfig /displaydns. To delete records from the cache, you can run the ipconfig /flushdns command.


DNS Security

Dynamic Updates

Active Directory Integrated Zones

Turning off dynamic updates on a server can make it more secure, since only administrators will be able to manually add records to it. This scenario is not feasible on larger networks where there are a lot of client computers that might change their IP addresses regularly. For this reason, dynamic updates are often configured to allow clients to register their computer information in the appropriate DNS zone. The drawback is that unauthorized computers can then register fictitious records on the server. One way to solve this problem is to configure secure updates on the DNS server by using Active Directory Integrated zones. Only computers that are a part of the Active Directory structure will be able to register their names and IP addresses.


Lesson 2: Using a Hosts file

Configuration

Relationship with DNS


Problems with Using Hosts files

The hosts file is one of the fastest ways to configure a client computer to connect to specific servers over the network. Like DNS, hosts files do hostname and fully-qualified domain name resolution. Because hosts files have a flat file structure, they are much simpler to configure than DNS. They are always in a text format and can be modified with any text editor.


Configuration

All Windows computers have a hosts file in the %systemroot%\System32\drivers\etc folder. When opened in a text editor, entries for new computers can be added by typing an IP address, pressing the spacebar or tab key and then specifying the computer name. Each row can only have information for a single machine. If a computer is known by multiple names, they can be separated by spaces or tabs on the same row. If comments are to be added to the hosts file, the number sign (#) must be the first character in the row.

Most hosts files are modified with a simple text editor like Notepad. Care should be taken to make sure that an extension, such as .txt, is not assigned to the file. If this is done, the file must be renamed or the system will not use it. Modifying the hosts file in the %systemroot%\System32\drivers\etc folder requires administrative privileges.

Relationship with DNS

DNS Cache

Aliasing

One of the advantages of the hosts file is that it is always checked first when resolving names, even before the DNS server. Entries in it are automatically added to the DNS cache of the local computer. In addition to quickly adding an IP address for a server, hosts file entries can also be used to create alias names for network computers. A machine that is known as server1 on the network can be resolved as computer1 on the client by adding an alias to the name entry in the hosts file (e.g. 192.168.1.1 server1 computer1).

Hosts files are sometimes used to block a computer from connecting to unauthorized websites by pointing the name of the web server to the loopback address (e.g. 127.0.0.1 unauthorized.com). Even if the correct IP can be found in some other manner, the hosts file entries have priority because they are automatically loaded in the cache.


Problems with using Hosts Files

Distributed Configuration

Flat File Structure


Outdated Records

Despite the convenience of configuring hosts files on individual computers, DNS configuration is often preferred when managing domain and hostname resolution on a network. The DNS server can be updated once for the benefit of all the client computers, while hosts files must be modified one by one. The hierarchical structure of DNS means that DNS servers can maintain many more records than hosts files can.

Many problems can develop if individual users start updating their own hosts files as well. Incorrect or outdated entries can cause name resolution problems. Even if the correct entry is on the DNS server, the client will never use it if there is an entry in the hosts file. To prevent these problems, avoid giving users administrative rights on their desktops. Elevated privileges are needed to modify this file because of its location. The file can still be used for occasional entries or private configurations, but most IP to name entries should be managed from a DNS server.
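Because a hosts entry always wins over the DNS server, a stale or unexpected row is worth finding before it causes a resolution problem. The following Python sketch is an added example, not part of the course material: it parses a hosts file using the row format described in this lesson and compares each name with the address the DNS server returns. The sample file, the DNS answers and the verdict labels are constructed assumptions.

```python
import ipaddress

# Constructed sample hosts file; the names reuse the lesson's own examples.
SAMPLE_HOSTS = (
    "# constructed sample hosts file\n"
    "127.0.0.1\tlocalhost\n"
    "192.168.1.1 server1 computer1   # one machine, two names\n"
    "127.0.0.1 unauthorized.com\n"
    "192.168.10.99 nyc-dc1.contoso.com\n"
    "10.0.0.5\n"
    "server2 192.168.1.2\n"
)

# Assumption: answers already collected from the DNS server (for example
# with nslookup). The addresses are constructed for this example.
SAMPLE_DNS = {
    "server1": "192.168.1.1",
    "nyc-dc1.contoso.com": "192.168.10.10",
    "unauthorized.com": "203.0.113.20",
}


def parse_hosts(text):
    """Return (entries, errors); an entry is (line_no, ip, [names])."""
    entries, errors = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # Windows also accepts a comment after the names, so cut at '#'.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()            # fields are split on spaces or tabs
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            errors.append((line_no, "first field is not an IP address"))
            continue
        if len(fields) < 2:
            errors.append((line_no, "IP address without a name"))
            continue
        # Host names are compared case-insensitively.
        entries.append((line_no, ip, [name.lower() for name in fields[1:]]))
    return entries, errors


def audit(entries, dns_answers):
    """Label every name in the hosts file against the DNS server's answer."""
    dns = {k.lower(): ipaddress.ip_address(v) for k, v in dns_answers.items()}
    findings = []
    for line_no, ip, names in entries:
        for name in names:
            if ip.is_loopback:
                # A non-localhost name on loopback is a block entry.
                verdict = "ok" if name == "localhost" else "loopback-block"
            elif name not in dns:
                verdict = "local-only"       # alias or private entry
            elif dns[name] == ip:
                verdict = "matches-dns"      # redundant but harmless
            else:
                verdict = "overrides-dns"    # stale or tampered entry
            findings.append((line_no, name, str(ip), verdict))
    return findings


if __name__ == "__main__":
    parsed, problems = parse_hosts(SAMPLE_HOSTS)
    for line_no, message in problems:
        print(f"line {line_no}: {message}")
    for line_no, name, ip, verdict in audit(parsed, SAMPLE_DNS):
        print(f"line {line_no}: {name} -> {ip} [{verdict}]")
```

An overrides-dns verdict is the case the lesson warns about: the client keeps using the hosts file address even though the DNS server holds a different one.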


Lesson 3: WINS Configuration

WINS Setup

DNS vs. WINS


Decommissioning WINS

WINS servers allow client computers to resolve NETBIOS names to IP addresses. The names can be added to the WINS database file dynamically by computers over the network or manually on the server itself. Client computers are configured with the IP address of their WINS server(s) in the TCP/IP properties on the computer.


WINS Setup

Server Installation

Client Configuration
TTL of Records

A WINS server is easy to configure. Installing the service on a Windows Server and configuring clients to dynamically register their records on it is all that is necessary. WINS clients automatically register their information with their primary WINS server. In addition to registering names and IP addresses, computers also register information about any NETBIOS services they offer. The nbtstat command can be used to verify what these services are. It can also be used to manually register updated information on a client, so that a reboot of the system is not necessary. Unlike DNS, WINS uses a flat file structure to store computer records.

The default settings on the WINS server might not work for all environments, but they can be changed. Depending on the version of Windows Server that it is installed on, records might be stored for a few hours to a few days before they must be renewed. This might be of concern on networks where the clients might be offline for days at a time. A short renewal period would be preferable in such situations. Long replication intervals between WINS servers might also allow outdated records to remain available longer than desired.

As with DNS servers, it is recommended that each client use two WINS servers so there will be a backup if the primary fails. A simplified name resolution system is often preferred, so you should only use DNS and WINS together when necessary.

DNS vs. WINS

Support for Internet Name Resolution

Legacy Applications

Because WINS cannot be used on the Internet and does not support some important network services, DNS is the preferred name resolution method for most networks. Networks that use both services do so out of necessity and decommission the WINS servers when they are no longer needed.

WINS decommissioning should be done carefully to avoid interrupting needed services. Some legacy applications designed for NETBIOS might require it. Older client operating systems that do not support DNS might also need it. If neither of these situations exists, it is very possible that the NETBIOS servers (WINS) can be removed. Creating an inventory of all applications used on the network will help to make sure that this is not done prematurely.


Decommissioning WINS

NETBIOS Applications

DNS as Proxy for WINS


NBTSTAT

Even if some older applications still require NETBIOS, it might still be possible to configure the clients to use only DNS resolution. When DNS is set up on Windows Servers, the DNS servers can resolve names on WINS servers on behalf of client computers. The DNS server in effect becomes a proxy that resolves names for clients on the WINS server. Verifying the requests made to these special WINS zones is one way to find out which programs and applications on the network are still using NETBIOS.

If problems arise with NETBIOS name resolution, keep in mind that the naming structure is different from DNS. NETBIOS names are always 15 characters or less and never have a domain suffix. A special character is also appended to NETBIOS names to indicate the type of service being offered. Nbtstat is one of the best tools for finding and correcting problems with NETBIOS.

If NETBIOS is no longer needed on a network, it could be disabled on the client and server computers for better security. This will prevent some network tools like nbtstat from working.


Lesson 4: Using LMHOSTS files

Configuring LMHOSTS

Disabling LMHOSTS

The primary way of doing NETBIOS name resolution is with a WINS server. Client computers can also be configured with their own personal database of NETBIOS names to IP mappings using an lmhosts file. These are text files that reside on the local drive of the computer in the same location as the hosts file (%systemroot%\system32\drivers\etc). That directory has a sample file named lmhosts.sam. If this file is used, the extension must be removed or the computer will not use the information in it.


Configuring LMHOSTS

The structure of the file is similar to that of the hosts file. The number sign (#) is used to mark a row as being a comment. IP addresses are listed first and then the name of the machine. There must be at least a single space between them. Each line represents a single address mapping.

The lmhosts file also supports a number of extensions not used in the hosts file. They are added to the same line as the record they represent, after the name of the computer. They include the following:

#PRE: This option loads the name and IP address of the machine into the NETBIOS name cache. If this option is not used, normal resolution takes place and the WINS server is checked before looking into this file.

#DOM: This tag allows you to link the record to a domain on the network. If the computer belongs to domain XYZ, then the record might appear as follows: 192.168.100.100 Server1 #DOM:XYZ.

#INCLUDE: A very useful feature of lmhosts files is their ability to pull information from other files on the network. This is done with the #INCLUDE extension. You could, for example, specify that an lmhosts file in the NET share on SERVER1 be used to augment the information in the local file (e.g. #INCLUDE \\SERVER1\NET\lmhosts). Changes could be made in that file to update all the desktops that point to it. The IP address mapping for the server name specified in the #INCLUDE option must be included in the lmhosts file and have the #PRE option.

#BEGIN_ALTERNATE & #END_ALTERNATE: These options are used to specify multiple #INCLUDE locations. If the network version of the lmhosts file is kept on multiple shares, this allows you to point to all of them. The client computer only needs to connect successfully to one of the shares.

Keep in mind that different extensions can be used together. The #PRE & #DOM extensions might be used to specify the domain of a computer and preload the record into the cache. Because the #INCLUDE, #BEGIN_ALTERNATE & #END_ALTERNATE options are used independently and are not part of individual records, the number sign is not treated as the start of a comment when used with these options.
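An added example (not part of the original courseware): a Python parser for the lmhosts layout described above that also checks the #INCLUDE rule, namely that the server named in an #INCLUDE path has its own mapping with #PRE. The sample file contents and all function names are constructed; matching the tags in upper case only, as the page writes them, is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample file: names, share and addresses are illustrative only.
SAMPLE_LMHOSTS = r"""
# Branch office NETBIOS mappings
192.168.100.100   Server1   #PRE #DOM:XYZ
192.168.100.101   Server2   #DOM:XYZ   # not preloaded
192.168.100.102   ACCOUNTINGPRINTSRV01
300.1.1.1         BadHost
#BEGIN_ALTERNATE
#INCLUDE \\SERVER1\NET\lmhosts
#INCLUDE \\SERVER2\NET\lmhosts
#END_ALTERNATE
"""


@dataclass
class Record:
    line: int
    ip: str
    name: str
    preload: bool = False
    domain: Optional[str] = None


@dataclass
class Audit:
    records: list = field(default_factory=list)
    includes: list = field(default_factory=list)   # (line, path, inside_alternate)
    findings: list = field(default_factory=list)   # (line, message)


def parse_record(no, line, audit):
    """Parse one 'IP name [#PRE] [#DOM:domain]' row into the audit."""
    fields = line.split()
    if len(fields) < 2:
        audit.findings.append((no, "expected an IP address followed by a name"))
        return
    ip, name = fields[0], fields[1]
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        audit.findings.append((no, f"invalid IP address {ip}"))
        return
    record = Record(no, ip, name)
    for token in fields[2:]:
        if token == "#PRE":                 # assumption: tags are upper case
            record.preload = True
        elif token.startswith("#DOM:"):
            record.domain = token[len("#DOM:"):]
        elif token.startswith("#"):
            break                           # anything else after '#' is a comment
        else:
            audit.findings.append((no, f"unexpected text {token!r} after the name"))
    if len(name) > 15:
        audit.findings.append((no, f"name {name} is longer than 15 characters"))
    audit.records.append(record)


def parse_lmhosts(text):
    """Parse lmhosts text and check the rules the page states for it."""
    audit = Audit()
    alt_start = None                        # line of an open #BEGIN_ALTERNATE
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        keyword = line.split()[0]
        if keyword == "#BEGIN_ALTERNATE":
            alt_start = no
        elif keyword == "#END_ALTERNATE":
            if alt_start is None:
                audit.findings.append((no, "#END_ALTERNATE without #BEGIN_ALTERNATE"))
            alt_start = None
        elif keyword == "#INCLUDE":
            path = line[len(keyword):].strip()
            audit.includes.append((no, path, alt_start is not None))
        elif not line.startswith("#"):      # other '#' lines are comments
            parse_record(no, line, audit)
    if alt_start is not None:
        audit.findings.append((alt_start, "#BEGIN_ALTERNATE is never closed"))
    # The server named in each #INCLUDE path needs its own mapping with #PRE.
    preloaded = {r.name.upper() for r in audit.records if r.preload}
    for no, path, _ in audit.includes:
        server = path.lstrip("\\").split("\\")[0].upper()
        if path.startswith("\\\\") and server not in preloaded:
            audit.findings.append((no, f"#INCLUDE server {server} has no #PRE mapping"))
    return audit


if __name__ == "__main__":
    for no, message in parse_lmhosts(SAMPLE_LMHOSTS).findings:
        print(f"line {no}: {message}")
```

The includes list is also worth reviewing on its own, because every path in it is a remote file that the client accepts name-to-IP mappings from.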

Disabling LMHOSTS

TCP/IP Properties

DHCP Server

The TCP/IP properties on the network adapter have other options that can be used to control the LMHOSTS file and other NetBIOS options. The advanced TCP/IP options allow you to import information from or disable an LMHOSTS file. NetBIOS resolution can be completely disabled using these property settings or through DHCP server settings applied to the client machine.


Lesson 5: Name Resolution Order

Name Resolution Methods

Link-Local Multicast Name Resolution (LLMNR)

A number of name resolution methods have been discussed, and we have also looked at the advantages and disadvantages of configuring each of them. Most networks will not use a single method by itself, however. While DNS continues to be the primary way to resolve computer names to an IP address, hosts files and some NetBIOS resolution methods are sometimes used. To solve name resolution problems, it is important to know the order in which these options are used if they are all configured.

Name Resolution Methods

DNS Cache

DNS Server
NetBIOS Cache

WINS Server
NetBIOS Broadcast

LMHOSTS

NETBIOS over TCP/IP is enabled by default on Windows computers. This allows them to use all the methods we have discussed so far in this chapter. Disabling it will mean that the computer will only use DNS and hosts files. Assuming that it is enabled and that all name resolution methods are configured, this is the order in which hostname resolution takes place:

1. DNS Cache: Information in the cache is always checked first. Keep in mind that records in the hosts file are automatically added here. If the cache has incorrect information, use the ipconfig /flushdns command to remove information from it.

2. DNS Server: If the information needed is not in the cache, the DNS server is queried for the information. Once the client is able to connect to its primary DNS server and get an authoritative response from it, it will not check the secondary DNS servers, even if the primary could not resolve the name. If the name is resolved, it will be added to the DNS cache.

3. NETBIOS Cache: If the DNS server fails to resolve the name, the client will check the NETBIOS cache. Since NETBIOS names do not include name suffixes, these have to be ignored. Hostnames that are longer than 15 characters will need to be truncated. Records in this cache will come from previous NETBIOS resolutions and from records in the lmhosts file with a #PRE extension. Information in this cache can be viewed with the nbtstat -c command and purged using nbtstat -R.

4. WINS Server: If the name is still not resolved at this point, then the WINS server records will be checked. A successful lookup will send the IP address to the computer and add the information to the NETBIOS cache.

5. NETBIOS Broadcast: By default, NETBIOS name lookups that fail on the WINS server will be checked by direct communication with all computers on the local subnet. A response to the broadcast message will be sent by a computer that can resolve the name successfully. This option is disabled in some networks to speed up the resolution process. This can be done through the DHCP server of the client computer or in the machine's registry.

6. LMHOSTS: The last place that the computer will try to resolve the name is through the records in the lmhosts file. Remember that these records can be pre-loaded in the NETBIOS cache. New entries in this file can be loaded in the cache with the nbtstat -R command, which also purges remote records from it.

When working with NETBIOS tools and names, the order of name resolution changes. The first two steps, DNS cache & DNS server, are used after the other methods. The order therefore becomes NETBIOS cache, WINS server, NETBIOS broadcast, LMHOSTS, DNS cache, then DNS server.
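The two lookup orders above, modelled in Python as an added example that is not part of the original courseware. The client data, class and function names are constructed, and the model covers only the behaviour the list describes, including the rule that a negative answer from a reachable primary DNS server ends the DNS step.

```python
from dataclasses import dataclass, field

DNS_STEPS = ["DNS cache", "DNS server"]
NETBIOS_STEPS = ["NetBIOS cache", "WINS server", "NetBIOS broadcast", "LMHOSTS"]


def netbios_name(hostname):
    """Drop any DNS suffix and keep at most 15 characters (upper-cased)."""
    return hostname.split(".")[0][:15].upper()


@dataclass
class DnsServer:
    reachable: bool
    records: dict


@dataclass
class Client:
    """Name sources of one client; every value used here is constructed."""
    hosts_file: dict = field(default_factory=dict)
    dns_servers: list = field(default_factory=list)   # primary first
    wins: dict = field(default_factory=dict)
    broadcast: dict = field(default_factory=dict)     # names neighbours answer for
    lmhosts: dict = field(default_factory=dict)
    netbios_enabled: bool = True
    dns_cache: dict = field(default_factory=dict)
    netbios_cache: dict = field(default_factory=dict)

    def __post_init__(self):
        # Step 1 of the list: hosts file records are loaded into the DNS cache.
        self.dns_cache.update(self.hosts_file)

    def query_dns(self, name):
        # Only the first reachable server is asked; if it answers "not found",
        # the remaining servers are not tried.
        for server in self.dns_servers:
            if server.reachable:
                ip = server.records.get(name)
                if ip:
                    self.dns_cache[name] = ip
                return ip
        return None

    def lookup(self, step, name):
        if step == "DNS cache":
            return self.dns_cache.get(name.lower())
        if step == "DNS server":
            return self.query_dns(name.lower())
        nb = netbios_name(name)
        if step == "NetBIOS cache":
            return self.netbios_cache.get(nb)
        source = {"WINS server": self.wins,
                  "NetBIOS broadcast": self.broadcast,
                  "LMHOSTS": self.lmhosts}[step]
        ip = source.get(nb)
        if ip:
            self.netbios_cache[nb] = ip   # successful NetBIOS lookups are cached
        return ip


def resolve(client, name, netbios_tool=False):
    """Return (ip, answering_step, steps_tried) for one lookup."""
    if not client.netbios_enabled:
        order = DNS_STEPS
    elif netbios_tool:
        order = NETBIOS_STEPS + DNS_STEPS
    else:
        order = DNS_STEPS + NETBIOS_STEPS
    tried = []
    for step in order:
        tried.append(step)
        ip = client.lookup(step, name)
        if ip:
            return ip, step, tried
    return None, None, tried


def sample_client(primary_up=True, netbios_enabled=True):
    """Constructed client: addresses and names are illustrative only."""
    return Client(
        hosts_file={"intranet": "10.0.0.99"},                 # stale local entry
        dns_servers=[DnsServer(primary_up, {"intranet": "10.0.0.5"}),
                     DnsServer(True, {"legacyapp": "10.0.0.77"})],
        wins={"LEGACYAPP": "10.0.0.40", "FILESERVER-ACCO": "10.0.0.50"},
        lmhosts={"OLDBOX": "10.0.0.60"},
        netbios_enabled=netbios_enabled,
    )


if __name__ == "__main__":
    for name, tool in [("intranet", False), ("legacyapp", False),
                       ("fileserver-accounting01.sales.abc.com", False),
                       ("oldbox", True)]:
        ip, step, tried = resolve(sample_client(), name, netbios_tool=tool)
        print(f"{name:40} -> {ip} via {step}; tried {tried}")
```

The steps_tried list is the useful output when troubleshooting: it shows which sources were consulted before the answer, and therefore which source holds a wrong record.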

Link-local Multicast Name Resolution (LLMNR)

Operating System Support

IPv4 and IPv6


Disabling

In addition to the traditional methods of providing name resolution in a network, LLMNR can be used for smaller networks that do not have other name resolution services. It is supported on Windows Vista, Windows Server 2008 and Windows 7 systems. Using multicast connections, it is able to seamlessly exchange name resolution information between computers on the same subnet. Both IPv4 and IPv6 are supported.

Multicast name resolution can be disabled through Group Policy settings when a more structured name resolution system is desired (the Turn off Multicast Name Resolution setting in Computer Configuration > Policies > Administrative Templates > Network > DNS Client). Removing unnecessary methods simplifies the name resolution process and makes troubleshooting easier. Networks that only use domain & host names and disable NETBIOS will only have to verify the cache, hosts file and DNS when there are problems.


Lesson 6: Manual vs. DHCP Configuration

Configuration Options

Troubleshooting

Most networks with a large number of computers will take advantage of a DHCP configuration for the client computers. Settings can be centrally managed for all the subnets. Most DHCP servers allow global, subnet and individual machine settings to be configured. For computers and devices that must always have the same IP address, a reservation is created for them on the DHCP server using the MAC address of the network card.

Configuration Options

Default Gateway

DNS Servers
WINS Servers

Domain Suffix

In addition to the IP and subnet mask, the DHCP server can assign any IP settings for the machine, including default gateway, DNS, WINS, domain suffix and others. Changes applied at the DHCP server will not apply to the client computers until the next time they renew their addresses. This can be done manually from the client with the ipconfig /renew command.

A computer can still use manually assigned settings even if it gets its IP address, subnet mask and default gateway from the DHCP server. If any of these settings, e.g. DNS Server, are assigned using both methods, the manually assigned option will be used. When a computer is being switched from a manual to a DHCP configuration, these settings should be verified to make sure that there are not any unintended changes. It is normally preferred to manage all of these settings via DHCP for easier management.

Regardless of what settings are viewed via the client TCP/IP properties or the DHCP server configuration, actual client settings can be verified by running the command ipconfig /all.


Troubleshooting

APIPA

Multiple IP Configuration
Domain Suffix

IPv4 / IPv6

When IP settings are manually configured, an option to validate settings upon exit is provided. This can be used to make sure the computer has a valid IP, subnet mask and gateway assigned to it. The troubleshooter will also detect and warn about problems with duplicate IP assignments.

The Alternate Configuration allows you to assign a manual IP address that will be used if a DHCP server is not found. If an alternate IP is not assigned, the default setting is to use APIPA to assign an address in the range 169.254.X.X. This feature can be disabled in the registry or with Group Policy settings.

The advanced TCP/IP settings allow other configurations that are not commonly used. If the network adapter needs to be assigned multiple IP addresses, this can be done from here. Additional default gateways can also be configured. When more than two DNS servers need to be assigned, this can also be done from here.

A domain suffix can be assigned, and the option to register the NIC's IP and suffix with the DNS server can be disabled. Lookups that specify only a hostname (e.g. computer1) are automatically assigned the same suffix as the computer when doing a DNS lookup (e.g. computer1.sales.abc.com). If the lookups should also include parent suffixes (e.g. computer1.abc.com) and other suffixes for domains on the network, these can be applied here. These options are available if you use IPv4 or IPv6.


Other configuration settings include options for NETBIOS services like WINS lookup addresses, enabling or importing LMHOSTS and disabling NETBIOS entirely. These options are only available for IPv4. Whenever possible, it is easier to manage these options by using DHCP Server settings.


Resolve Name Resolution Issues



Review the scenarios and problems presented along with their solutions

When there are name resolution issues on a computer, any of the name resolution methods that it uses could be a problem. The type of tool or application being used, like nbtstat or ftp, is also important. In this section, we will look at some of the more common issues that arise with name resolution and how to deal with them.

The DNS server that your client computer uses is not able to resolve names for a partner domain on your network. How can this problem be solved?
Configure the DNS Server to use forwarders or configure zone replication so it will have a copy of the records.

A user is complaining that new entries they have added to the hosts file on their computer are not being used. What might be causing this problem?
The hosts file might have an extension added to it by the text editor or it might not be in the right location (%systemroot%\system32\drivers\etc).

A new entry added to a hosts file by a user is not working. The entry is as follows:
PRINTSERVER1 192.168.255.254
What is wrong with this entry?
The IP address must be specified before the computer name on each row.

A user is unable to resolve the name of a new server on the network. How can you fix this?
You need to know if the computer has registered its name on the DNS server the user is working with. If not, the DNS server should have a forwarder to another DNS server that can. This can be verified with the nslookup command.

Users are complaining that the new DNS server is taking too long to resolve the names of some local machines. What might be the problem?
It might be configured to forward requests to the root servers on the Internet. This configuration should normally be removed for internal DNS servers.


You need to configure client computers to resolve the names of servers that register their names on NETBIOS servers. How can this be done without configuring the client computers to use WINS or LMHOSTS?
Point the clients to the network DNS server and configure that server with a zone that resolves names on the WINS server.

After modifying a hosts file in Notepad, a user is no longer able to use it to resolve the names of the new servers or the older servers that were already registered in it. What is most likely the problem?
The hosts file was probably saved with a txt extension by mistake or it was accidentally moved to a different location. Verify that the file is in the right location (%systemroot%\system32\drivers\etc) and that the file name has no extension.

A client computer is unable to register its information with the DNS server it points to, even though it can use that server to resolve names. What could be the problem?
A number of things could cause this. The DNS server might not be configured for dynamic updates. It could also have a secondary zone, which does not allow direct updates. If secure dynamic updates are configured on the server, the client computer must have a valid record in Active Directory. The zone properties on the DNS server can be used to verify these things.

One of the computers you support is not registering service information with the WINS server it points to. How can you verify if NETBIOS has been disabled on the computer?
You can check the advanced settings in the properties of the network adapter. You can also run nbtstat -n from the command line.

Although a client computer is using the IP address from a DHCP server, it is not using the DNS information that it gives. What is the most likely cause of this problem?
The computer probably has a static configuration for DNS in the TCP/IP properties. The static DNS assignment will override the one assigned via DHCP.

Your network has three different domains and computers access information from all of them when necessary. The client computers on your network are not checking the other domain suffixes when trying to resolve a hostname. How can you fix this problem?
Make sure the TCP/IP properties are configured to automatically append these DNS suffixes by changing the DNS options in the advanced settings of the network adapter properties.


Review Module 6: Identify and Resolve Name Resolution Issues

REVIEW
Examine the review questions as a class

1. What is a DNS zone?

2. True or False. A client computer will always use the secondary DNS server when the primary is unable to resolve a name.

3. How can you view or clear the DNS cache on a computer?

4. True or False. Entries in a hosts file are automatically added to the DNS cache of a computer.

5. Where must hosts files be located in order for the system to use it?

6. How is a WINS server different from a DNS server?

7. What command can you use to verify records on a DNS server?

8. True or False. Client computers can only be assigned one valid IP address for each network adapter.

9. What option is used to load lmhosts records into the NETBIOS cache?


10. When resolving hostnames, what location does the computer check for IP addresses before DNS?

11. If all name resolution methods are configured on a client computer, what is the last location checked to resolve a hostname?

12. True or False. Information on a DNS server will override incorrect data on the hosts file.

13. What methods can be used to disable the use of broadcast requests to find NETBIOS names?

14. How can the NETBIOS protocol be disabled on a network adapter?

15. True or False. A client computer can be assigned only two DNS servers, a primary and a secondary.

16. How can the LMHOSTS file be configured to automatically import data from another source during startup?


Labs Module 6: Identify and Resolve Name Resolution Issues

Exercise 1: Configure and Test DNS Resolution

Exercise 2: Configure and Test Hosts file Resolution


Exercise 3: Configure and Test NetBIOS resolution

Overview: Troubleshoot name resolution problems caused by issues with DNS, Hosts file or NetBIOS configuration. Unless stated otherwise, start up the Windows 7 client and the domain controller images. Log in with the Contoso\Admin1 user account with a password of Pa$$w0rd.

Estimated time to complete this lab is 60 minutes.


Exercise 1: Configure and Test DNS Resolution

1. Log on to COMPUTER1 as Contoso\Admin1.
2. Create a System Restore point named Pre_Lab6.
3. Click Start > Administrative Tools > DNS. When asked, connect to the DNS server on NYC-DC1.
4. In the DNS Manager, go to Forward Lookup Zones > contoso.com.
5. Right click contoso.com and choose Properties.
6. In the General tab, change the Dynamic Updates option to None. Click OK.
7. Delete all <A> records from the zone.
8. Use the Services console to stop the Computer Browser service and disable it.
9. Use the network adapter properties to disable IPv6.
10. Use the network adapter properties to open the properties of IPv4. In the Internet Protocol Version 4 properties window, click Advanced and in the WINS tab click Disable NetBIOS over TCP/IP.
11. Restart the computer and log in again as Admin1.
12. Open the Local Group Policy Editor. Navigate to: Computer Configuration > Administrative Templates > Network > DNS Client
13. Double click Turn off Multicast Name Resolution. In the properties window, click Enabled then click OK. Close the Group Policy Editor.
14. Run the following Ping commands to verify that IP resolution works but remote computer name resolution fails without DNS:
    Ping -a <Local IP>
    Ping 192.168.20.100
    Ping -4 COMPUTER1
    Ping -4 TestCOMPUTER1
15. Click Start > All Programs > Administrative Tools > DNS.
16. In the Connect to DNS Server console, click The following computer: and type NYC-DC1. Click OK.
17. In the Forward Lookup Zones folder, open the Contoso.com zone.
18. Right click the contoso.com zone and choose New Host.
19. In the New Host window, in the Name box type COMPUTER1. In the IP address box type your IP address.
20. Click the check box for Create associated pointer (PTR) record.
21. Click the check box for Allow any authenticated user to update DNS records.
22. Click Add Host.
23. Use the previous steps to add another New Host named TestCOMPUTER1 with an IP address of 169.254.1.1.
24. Keep the DNS Manager window open.
25. Ping Computer1 and TestComputer1 using the -4 parameter (e.g. Ping -4 Computer1). The IP addresses of both records will be resolved, but TestCOMPUTER1 will not get ICMP replies because the address does not exist.
26. In the DNS Manager window, right click on the contoso.com zone and click New Alias.
27. In the Alias name box type VIRTUAL1. In the Fully qualified domain name (FQDN) for target host: box type Computer1.contoso.com. Click OK.
28. Ping the new Alias to test the record (e.g. ping VIRTUAL1). It should resolve to the IP address of COMPUTER1.
29. Run the following command to add another alias record for COMPUTER1 named Machine1:
    Dnscmd.exe NYC-DC1 /RecordAdd Contoso.com Machine1 CNAME COMPUTER1.contoso.com
30. Test the new alias record with the command: ping Machine1
31. Add an alias record for TestCOMPUTER1 named TestVIRTUAL1 using DNS Manager.
32. Add an alias record for TestCOMPUTER1 named TestMachine1 using dnscmd.exe.
33. Test both alias records for TestCOMPUTER1.

Exercise 2: Configure and Test Hosts File Resolution
1. Configure the computer to use a static DNS address of 127.0.0.1.
2. Flush the DNS cache (e.g. ipconfig /flushdns).
3. Try to ping the IP address 192.168.10.100 (NYC-DC1). You should be successful.
4. Try to ping the computer name TestComputer1. It should not be successful.
5. Use Windows Explorer to locate the Hosts file in the C:\WINDOWS\SYSTEM32\DRIVERS\ETC directory.
6. Make a copy of the Hosts file named Hosts.old and place it in the same directory.
7. Open the file in Notepad and add the following records:
    192.168.10.100 NYC-DC1 NYC-DC1-Alias
    192.168.10.110 NYC-Remote1 NYC-Remote1-Alias
    192.168.10.240 Computer1 Virtual1 TestCOMPUTER1
8. Save the file and keep it open in Notepad. Verify that the file does not have an extension (e.g. hosts.txt).
9. Run ipconfig /displaydns to view the DNS cache.
10. Ping NYC-Remote1 and its alias to verify the records are being used.
11. In Notepad, add an additional record:
    192.168.10.202 Computer2 Virtual2
12. Save the Hosts file and close it.
13. Use the ping command to verify that the new records work.
14. Copy the Hosts file with the name Hosts.new.
15. Replace the Hosts file with the original Hosts.old file.
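Because Hosts file entries are answered locally without a DNS query, comparing the Hosts.old and Hosts.new copies made in this exercise shows exactly which names an edit introduces or redirects. The PowerShell below is an added example, not part of the courseware; the function names are hypothetical and the sample file contents are constructed from the records used in the steps above.

```powershell
# Added example (not courseware code). Function names are hypothetical.

function ConvertFrom-HostsText {
    # Turn Hosts-file lines into a table of lower-cased name -> address list.
    param([string[]]$Lines)
    $map = @{}
    foreach ($line in $Lines) {
        $text = ([string]$line -replace '#.*$', '').Trim()   # strip comments
        if ($text -eq '') { continue }
        $fields = @($text -split '\s+')
        if ($fields.Count -lt 2) { continue }                # address without a name
        $address = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $key = $name.ToLower()                           # host names are case-insensitive
            if (-not $map.ContainsKey($key)) { $map[$key] = @() }
            if ($map[$key] -notcontains $address) { $map[$key] += $address }
        }
    }
    return $map
}

function Compare-HostsMap {
    # Emit one object per name whose mapping differs between the two tables.
    param([hashtable]$Baseline, [hashtable]$Current)
    $names = @(@($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique)
    foreach ($name in $names) {
        $old = @($Baseline[$name]) -join ','
        $new = @($Current[$name]) -join ','
        if ($old -eq $new) { continue }
        $change = 'Changed'
        if ($old -eq '') { $change = 'Added' }
        if ($new -eq '') { $change = 'Removed' }
        New-Object PSObject -Property @{
            Name = $name; Change = $change; Before = $old; After = $new
            # A name listed with more than one address deserves a second look.
            MultipleAddresses = ($new -like '*,*')
        } | Select-Object Name, Change, Before, After, MultipleAddresses
    }
}

# Constructed sample contents: Hosts.old as a comment-only file,
# Hosts.new with the records added in steps 7 and 11.
$hostsOld = @(
    '# Sample Hosts file (comments only)',
    '#    127.0.0.1    localhost'
)
$hostsNew = $hostsOld + @(
    '192.168.10.100 NYC-DC1 NYC-DC1-Alias',
    '192.168.10.110 NYC-Remote1 NYC-Remote1-Alias',
    '192.168.10.240 Computer1 Virtual1 TestCOMPUTER1',
    '192.168.10.202 Computer2 Virtual2'
)

Compare-HostsMap (ConvertFrom-HostsText $hostsOld) (ConvertFrom-HostsText $hostsNew) |
    Format-Table -AutoSize

# Against the real files from the exercise:
# $dir = "$env:SystemRoot\System32\drivers\etc"
# Compare-HostsMap (ConvertFrom-HostsText (Get-Content "$dir\Hosts.old")) `
#                  (ConvertFrom-HostsText (Get-Content "$dir\Hosts.new"))
```

With the sample data every lab name is reported as Added; a name that also existed in the baseline with a different address would be reported as Changed.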


Exercise 3: Configure and Test NetBIOS Resolution
1. Flush the DNS cache.
2. Verify that you are unable to resolve the names of remote systems (NYC-DC1).
3. Enable NetBIOS by using the Network Adapter TCP/IP properties.
4. Verify that you are now able to resolve the names of remote systems.

Exercise 4: Cleanup
1. Configure the NIC to get DNS server information via DHCP.
2. Enable IPv6 and NetBIOS.
3. Enable Multicast Name Resolution.
4. Configure the DNS zones for non-secure dynamic updates.
5. Delete static records in DNS zone and re-register dynamic IP records.


Module 7: Identify and Resolve Network Printer Issues

Table of Contents
Overview
Lesson 1: Connecting to a Network Printer
Lesson 2: Managing the Print Spooler
Lesson 3: Setting Printer Priorities
Lesson 4: Creating Printer Pools
Lesson 5: Configuring Drivers
Lesson 6: Printer Schedules
Lesson 7: Printer Permissions
Lesson 8: Manage Printers with Group Policy Settings
Resolve Network Printer Issues
Review Module 7: Identify and Resolve Network Printer Issues
Labs Module 7: Identify and Resolve Network Printer Issues


Overview

Connecting to a Network Printer
Managing the Print Spooler
Setting Printer Priorities
Creating Printer Pools
Configuring Drivers
Printer Schedules
Printer Permissions
Manage Printers with Group Policy Settings
Resolve Network Printer Issues

One of the most used and essential services for end-users is printing. Whether the printer is configured for network use by many users or locally for a single person, technicians should be aware of the features and troubleshooting options available to them. Printers will have different configuration options depending on the make and model, but they will always have certain standard features that can be managed to meet the needs of users. In some environments, the initial connection to the printer might be automated through group policy or with the help of scripts. When users are allowed to choose their own printers, clear guidelines should be given to help them in making the right choices. Driver configuration and selection should also be as simple as possible. Many of the printer settings available are useful in managing user access to and control of the printers. Print spooler settings allow you to control how many documents can be temporarily archived on the server until the printer is available. Priority settings are used to give some users preferential treatment in the spooler. Printer pools allow a printer to be connected to multiple print devices and print to the first available one. Schedules can be used to control the time at which documents are actually printed. Some control options are also available through group policy. One of the most useful is the ability to pre-populate printer search locations in Active Directory so users can easily find printers that are close to them (Pre-populate printer search location text setting in Computer Configuration > Policies > Administrative Templates > Printers). The location names assigned to the printers must match those assigned to the computers (Computer location setting in Computer Configuration > Policies > Administrative Templates > Printers). By understanding all the options available and where they can be changed, you will be better prepared to handle printer issues when they come up.


Lesson 1: Connecting to a Network Printer

Connection Methods

Internet Printing
Common Problems

Shared network printers make it easier for administrators to give access to expensive printing equipment, and more convenient for users to work with that equipment from their desktops. Unless other restrictions are placed on the system, users will be able to use all the features of the network printers that they have permissions to.

Connection Methods

Control Panel

Active Directory
Shared Printers

From the Control Panel, you can access the Add a Printer option by going to Hardware and Sound and clicking on Devices and Printers. The Add Printer window presents the user with two choices: adding a local printer or adding a network printer. When you click on the Add a network printer option, the system will search for shared printers on the network. Hidden printers (those that have a $ sign at the end of the name) will not show up in the list. When the user connects to their printer of choice, they can choose to configure it as their default printer and print a test page.

Printers can be added manually by choosing the option The printer that I want isn't listed. One of the options provided by this window is to connect to printers published in Active Directory. If the network administrator makes printers available in this manner, it can provide other useful information, like the location of the print devices.

Another option allows the user to type the share name of the printer. This can be in the form of a share path (\\PRINTSERVER1\HPLJ6) or a URL (http://printserver1/printers/hplj6). It depends on the services used to make the printer available.

A third option allows you to connect to the printer using a TCP/IP address or hostname. For printers shared directly by means of some network device or through web services, this option allows you to specify the connection options for working with it.


Internet Printing

IPP

LPR Port Monitor

Specialized printers or printers shared on other operating systems might need additional software to get them to work on Windows 7 systems. The documentation for the software should provide these details. One of the easiest ways to work with non-Windows network printers is to make them available using web services. Turning on the Internet Printing Client feature makes it easier to work with these devices. Information is exchanged between the printer and the client computer using either IPP or RPC over HTTP. For connections to printers on UNIX servers, the LPR Port Monitor can be used to create connections.

Common Problems

Assigning Permissions
Redirecting Print Jobs
Testing Print Jobs
Location Aware Printing

Problems connecting to network printers often involve permission settings. The user will need Print permissions to connect to and use the device. To control printer settings like taking it offline, Manage Printers permission will be needed. Manage Documents permission will allow the technician to control the documents of other users sent to the printer. When network printers go offline for extended periods, the jobs in the queue can be printed when the device comes back online if they were stored in the spooler. If the jobs must be printed immediately, they can be redirected to another print device by changing the port in the printer properties. The new printer must support the same print driver. Many connection problems can be diagnosed before deployment by testing the device after the setup process. Other connection problems might involve printer settings and the drivers chosen. These will be discussed later in this module. Mobile users that use multiple printers in different locations will sometimes have problems printing to the desired device. Windows 7 Professional, Ultimate and Enterprise support a new feature that solves this problem called Location Aware Printing. Instead of using a single default printer, the laptop can now be assigned a different preferred printer based on the network location it is in. This can be done automatically by the laptop or manually using the Manage default printers option in Devices and Printers.


Lesson 2: Managing the Print Spooler

Setting Permissions

Managing the Service


Relocating the Print Spooler

Network printers are normally configured to spool print jobs on the server's hard drive. The administrator can reconfigure the server to place the spool location on a drive with enough resources to handle the load of the jobs on all the printers. The jobs in the print spooler can be viewed from the printer on the user's computer. Users will only be able to see their own jobs if they just have Print permission. If they need to see the jobs of other users, they must be given Manage Documents permission. This permission should be assigned carefully since it also allows them to delete and change the status of any of the jobs.

Setting Permissions

Printer Spooler Folder

Read Permissions

Problems with the spooler can cause problems for all the jobs on all the printers of that server. This is one reason why printers might be located on different servers, even when a single machine can support all of them. If the location of the Print Spooler is changed, verify that the Everyone group has at least read permissions to that folder.


Managing the Service

Print Jobs

Restarting the Service


Spooling Options

One way that problems with the Print Spooler service are solved is by stopping and starting it, but this will delete all jobs in the queues. The best strategy is to try to fix the problem with the print job first. If restarting the job doesn't solve the problem, then canceling or deleting it would be tried next. The job would have to be resent to the printer to try it again. If the same job gets stuck in the queue many times, it could be a problem with the drivers or application the end user is working with.

There are two ways that spooled documents can be treated on the print server. The default setting is for a document to start printing as soon as a part of it is in the spooler. The other option is to force the whole document to be spooled before it starts printing. This option is often used for printers that get very large documents. Users with small documents can start printing before very large documents that were started before them. If any problems develop in the later pages of the document, these can be handled before it starts printing as well.

Some network printers do not spool print documents sent to them, but force the local client computer to handle this operation on its own. Jobs are sent directly to the print device and not held on the hard drive of the print server. This slows down the operations on the client computer but reduces the load on the print server.

Relocating the Print Spooler

Default Location

Print Server Properties

The default location of the print spooler is %SYSTEMROOT%\SYSTEM32\SPOOL\PRINTERS. For very busy servers, this is normally changed to a different location that is a separate physical drive. The Print Server Properties can be used to make this change. In addition to changing the spooling location, you can also control the level of logging desired and whether or not notification messages about the printer should be sent to users.

Even though most networks spool print jobs on the print server, the user's computer can be used when it is preferred that this load be handled by the client. This is not usually a problem, but some specialized drivers will not work if they require that rendering and spooling be done in the same location. Client-Side Rendering (CSR) should be disabled in the printer settings on the client computer in order to prevent this problem. The Always render print jobs on the server setting in group policy can also be used to manage this feature (Computer Configuration > Policies > Administrative Templates > Printers).


Lesson 3: Setting Printer Priorities

Priority Options

How to Use

All print jobs have a priority of between 1 and 99. The default is the lowest priority level of 1. This option gives you a lot of flexibility when different groups of users need different levels of access to print devices. Low priority jobs can be printed with the default settings, but higher priority jobs can be sent to the print device with a higher setting. Jobs that are already in the queue can have the priority level changed if they have not already started printing.

Priority Options

Assign to Job

Assign to Printer

There are two ways to manage print job priorities. One way is by manually changing the priority of a job after it has been sent to the printer. You will need Manage Documents permissions to do this. When the priority is increased in this way, the job immediately jumps ahead of other jobs in the queue with a lower priority. The job that is already being printed cannot be interrupted, even if it has a lower priority setting.

The second, more structured way of handling priority requirements is by creating an additional printer with a higher priority setting. Only the users that need to print documents faster will be given access to this printer. Both printers will point to the same print device. When a job is sent to the higher priority printer, it skips ahead of the other lower priority jobs in the queue.


How to Use

Priority Levels

Permissions

This feature can also be used to deal with situations where lower priority jobs need to be managed. The default printer for the device is assigned a higher priority setting and permissions are modified to exclude the lower priority group. This lower priority group is then given permissions to another printer pointing to the same device which has been assigned a lower priority setting. The actual numbers used when assigning priority settings do not matter, only their relative values. So if three printers are pointing to the same device and you want to control their relative priorities, the numbers 1,2,3 would work just as well as 10,11,12. Priority levels can be from 1 through 99. It is important that the permission settings be managed carefully in order for this strategy to work as intended. Users who should use low priority printers should not have permissions on high priority ones.


Lesson 4: Creating Printer Pools

Printer Pool Requirements

Printer Pool Configuration

Some parts of your network might produce a high volume of print jobs that need to be managed on devices that do not have the capacity to do so. One way this is handled is by creating two or more printers that point to devices in the same location. If one is busy, the user sends the job to the other one. In practice, this solution does not always work. It becomes necessary for users to figure out which device is being used and which is available before sending jobs. One possible solution to this problem is the use of Printer Pools. Their setup and configuration is relatively simple but they will not work in every scenario.


Printer Pool Requirements

Multiple Print Devices

Support the same Driver

A printer pool is a single printer that points to multiple print devices. Jobs sent to this printer will automatically be sent to the first available print device. This configuration requires that all the print devices support the driver used in the printer. They do not all have to be the same make and model of printer. This solution normally requires that the print devices be in the same location so the users always know where to find their documents. Configuring separator pages with appropriate information makes it easier for users to locate their jobs.

Printer Pool Configuration

Manage Printer Permissions

Configure Driver
Printer Port Configuration

Creating a printer pool is just as easy as setting up a regular printer. The first print device is configured with the regular setup procedure. The port properties of the printer are then changed to enable printer pooling. This allows someone with Manage Printer permissions to add additional ports to the printer. The ports represent the network locations of the other print devices that will be used. As with all new printer configurations, all the devices should be tested after creating a new printer pool.
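Priority tiers (Lesson 3) are several printers pointing to one port, and a pool (Lesson 4) is one printer pointing to several ports, so grouping printers by port shows both arrangements and which printers need their permissions reviewed together. The PowerShell below is an added example, not part of the courseware; the function name and sample printers are hypothetical, and it assumes a pooled printer's PortName lists its ports separated by commas.

```powershell
# Added example (not courseware code). Function name is hypothetical.

function Get-SharedDeviceReport {
    # Input: objects with Name, PortName and Priority properties,
    # such as those returned by Get-WmiObject Win32_Printer.
    param([object[]]$Printers)

    # Index printers by each port they print to.
    # Assumption: a pooled printer lists its ports comma-separated in PortName.
    $byPort = @{}
    foreach ($printer in $Printers) {
        foreach ($entry in @([string]$printer.PortName -split ',')) {
            $port = $entry.Trim()
            if ($port -eq '') { continue }
            if (-not $byPort.ContainsKey($port)) { $byPort[$port] = @() }
            $byPort[$port] += $printer
        }
    }

    # Report only ports that more than one printer points to.
    foreach ($port in @($byPort.Keys | Sort-Object)) {
        $group = @($byPort[$port] | Sort-Object Priority -Descending)
        if ($group.Count -lt 2) { continue }
        foreach ($printer in $group) {
            # Only relative priority values matter, so a tie means the two
            # printers are not separated by priority at all.
            $tied = @($group | Where-Object { $_.Priority -eq $printer.Priority }).Count -gt 1
            New-Object PSObject -Property @{
                Port         = $port
                Printer      = $printer.Name
                Priority     = $printer.Priority
                Pooled       = ([string]$printer.PortName -like '*,*')
                TiedPriority = $tied
            } | Select-Object Port, Printer, Priority, Pooled, TiedPriority
        }
    }
}

# Constructed sample printers (names, ports and priorities are made up).
$sample = @(
    (New-Object PSObject -Property @{ Name = 'HPLJ6';          PortName = 'IP_192.168.10.50'; Priority = 1 }),
    (New-Object PSObject -Property @{ Name = 'HPLJ6-Managers'; PortName = 'IP_192.168.10.50'; Priority = 99 }),
    (New-Object PSObject -Property @{ Name = 'HPLJ6-Interns';  PortName = 'IP_192.168.10.50'; Priority = 1 }),
    (New-Object PSObject -Property @{ Name = 'Pool1';          PortName = 'IP_192.168.10.60,IP_192.168.10.61'; Priority = 1 }),
    (New-Object PSObject -Property @{ Name = 'Reports';        PortName = 'IP_192.168.10.61'; Priority = 50 })
)

Get-SharedDeviceReport -Printers $sample | Format-Table -AutoSize

# Against a live print server:
# Get-SharedDeviceReport -Printers (Get-WmiObject Win32_Printer) | Format-Table -AutoSize
```

Each group in the output is one print device; the printers listed under it are the ones whose Print permissions must not overlap for the priority scheme to hold.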


Lesson 5: Configuring Drivers

Additional Drivers

Automatic Installation

A very convenient feature of Windows printers is the ability to assign multiple drivers to them. Users working from different operating systems and hardware platforms will be able to connect to and use the printer without having to install their own drivers. After a user connects to the printer, the appropriate drivers are automatically downloaded and used. Updates to the driver on the server will update the client computers using it as well.

Additional Drivers

Windows Clients

Non-Windows Clients

Additional drivers installed on the server will only work for Windows operating systems. Non-Windows clients must use drivers installed on the local client machine. When additional drivers are loaded on the Windows print server, they should be tested thoroughly to make sure they will not cause problems for the client computers. Checking for approved driver signatures can help to prevent future problems.


Automatic Installation

Windows Updates

Print Server
Testing

When drivers need to be installed locally because they are not available on the print server, they can be downloaded using Windows Update or installed from the manufacturer's media. In either scenario, the driver should be installed automatically after you specify the device you are working with and the source of the driver. If not, the Advanced options in Devices and Printers under the Control Panel can be used for a manual install. Driver updates should also be thoroughly tested, especially before deploying them to a large user base. Creating a separate test printer for the driver testing is often better than updating the production printer and testing it from there.


Lesson 6: Printer Schedules

When to Use

Used with Other Options

By default, all printers allow users to send and print jobs 24x7. This can be changed in the property settings of the printer, where a specific time window can be assigned for the device. The schedule does not prevent users from sending documents to the printer, but the documents wait in the spooler until the specified hours. This feature creates a number of possibilities when managing print jobs for different groups with different printer needs.


When to Use

Large Documents

Low Priority Documents


Spool Location has adequate drive space

Users that print large documents that are not needed immediately can be assigned to a schedule-restricted printer to better manage the use of the device. A separate printer that points to the same device can be configured for normal print jobs. Permissions for the group that prints the large documents might be removed from this printer. When the large documents are sent and held in the queue, they will not interfere with the jobs sent to the printer configured with the normal schedule. Care should be taken to make sure the partition used for the print spooler files can hold all the documents that will be waiting.

Used with Other Options

Printer Priorities

Keep Printed Documents

The schedule setting is often used in combination with printer priorities. High volume, low priority jobs can be managed separately to prevent them from interfering with normal work activities. Print jobs managed with schedules are often printed after business hours. If something goes wrong and no one is available, the jobs might have to be resubmitted. The option to Keep printed documents can be used to hold jobs in the queue after they have been printed. The jobs can then be manually deleted after verification that the print process was successful.


Lesson 7: Printer Permissions

Standard Permissions

Special Permissions

Access to local and network printers is managed by configuring six different levels of permissions. Sharing a printer automatically assigns the Print permission to the Everyone group. In most cases, this will be desirable, but it might be modified when access to specialized printers must be restricted.

Standard Permissions

Print

Manage Documents
Manage Printer

Most permission assignments use the three standard permissions of Print, Manage Printer and Manage Documents. There are also three special permissions: Read Permissions, Change Permissions and Take Ownership. Knowing what each permission level allows a user or technician to do is important.

Print: Users and groups with this permission can send their own documents to the printer and manage them. They will also be able to view the Security window to see what the permission settings are for all users.

Manage Documents: Users will be able to manage the documents of users in the print queue. In addition to deleting, pausing and restarting jobs, you will also be able to take ownership of them. This does not include the ability to print your own documents. Both Print and Manage Documents must be checked off to do this.

Manage Printer: This allows you to send documents to, and control, the print device. Operations like taking the printer offline, pausing printing or cancelling jobs will be possible. You will also be able to give yourself and others the Manage Documents or any special permission.


Special Permissions

Read Permissions

Change Permissions
Take Ownership

Special permissions are subsets of the existing standard permissions just discussed. There are three of them with the following settings:

Read Permissions: This allows you to view the assigned permissions of users and groups on the printer.

Change Permissions: Users with this permission can assign and remove user permissions for the printer.

Take Ownership: Users will be able to take ownership of the printer, which allows them to assign themselves and others whatever permissions they want.
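The six permissions described above are stored as bits in the access-control entries of the printer's security descriptor. The following PowerShell is an added example, not part of the course material: it decodes a constructed SDDL string into those permission names and flags broad groups that hold more than Print. The function name, the sample SDDL and the domain group SID are assumptions made for illustration.

```powershell
# Added example, not part of the course material.
# Bit values are the printer/job access rights from the Windows SDK header
# winspool.h plus the standard rights READ_CONTROL, WRITE_DAC and WRITE_OWNER.
$PermissionBits = @(
    @{ Label = 'Manage Printer';     Bit = 0x00004 },  # PRINTER_ACCESS_ADMINISTER
    @{ Label = 'Print';              Bit = 0x00008 },  # PRINTER_ACCESS_USE
    @{ Label = 'Manage Documents';   Bit = 0x00010 },  # JOB_ACCESS_ADMINISTER
    @{ Label = 'Read Permissions';   Bit = 0x20000 },  # READ_CONTROL
    @{ Label = 'Change Permissions'; Bit = 0x40000 },  # WRITE_DAC
    @{ Label = 'Take Ownership';     Bit = 0x80000 }   # WRITE_OWNER
)

# Well-known SIDs that cover most or all users of a machine or domain.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights on the printer object that let the holder reconfigure it or rewrite its ACL.
$PrinterControl = @('Manage Printer', 'Change Permissions', 'Take Ownership')

function Get-PrinterAclReport {
    param([Parameter(Mandatory = $true)][string]$Sddl)

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only plain allow ACEs are decoded; deny and object ACEs are skipped.
        # Assumption: ACEs carry specific rights, not generic rights such as GENERIC_ALL.
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }

        $sid  = $ace.SecurityIdentifier.Value
        $mask = $ace.AccessMask
        # INHERIT_ONLY_ACE (0x08): the ACE is inherited by print jobs and
        # grants nothing on the printer object itself.
        $jobsOnly = (([int]$ace.AceFlags) -band 0x08) -ne 0
        $granted = @($PermissionBits |
            Where-Object { ($mask -band $_.Bit) -ne 0 } |
            ForEach-Object { $_.Label })

        # Domain Users always has RID 513; the other broad groups are fixed SIDs.
        $isBroad = $BroadSids.ContainsKey($sid) -or ($sid -match '^S-1-5-21-[\d-]+-513$')
        $risky = @()
        if ($isBroad) {
            foreach ($p in $granted) {
                if ($p -eq 'Manage Documents') { $risky += $p }
                elseif ((-not $jobsOnly) -and ($PrinterControl -contains $p)) { $risky += $p }
            }
        }

        $appliesTo = 'printer'
        if ($jobsOnly) { $appliesTo = 'documents only' }
        $finding = ''
        if ($risky.Count -gt 0) { $finding = 'REVIEW: broad group holds ' + ($risky -join ', ') }
        $who = $sid
        if ($BroadSids.ContainsKey($sid)) { $who = $BroadSids[$sid] }

        New-Object PSObject -Property @{
            Principal   = $who
            AppliesTo   = $appliesTo
            Permissions = ($granted -join ', ')
            Finding     = $finding
        } | Select-Object Principal, AppliesTo, Permissions, Finding
    }
}

# Constructed security descriptor for a shared printer (not from a real system).
# The last ACE models a domain group (made-up SID) that holds Manage Documents only.
$sampleSddl = 'O:BAG:SYD:' +
    '(A;;SWRC;;;WD)' +               # Everyone: Print
    '(A;OIIO;RPWPSDRCWDWO;;;CO)' +   # Creator Owner: Manage Documents on own jobs
    '(A;;LCSWSDRCWDWO;;;BA)' +       # Administrators: Manage Printer
    '(A;;LCSWSDRCWDWO;;;AU)' +       # Authenticated Users: Manage Printer (misconfiguration)
    '(A;OIIO;RPWPSDRCWDWO;;;S-1-5-21-1111111111-2222222222-3333333333-1105)'

Get-PrinterAclReport -Sddl $sampleSddl | Format-Table -AutoSize -Wrap
```

On Windows 8 / Windows Server 2012 and later, `(Get-Printer -Name <printer> -Full).PermissionSDDL` returns a string in the form this function expects.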


Lesson 8: Manage Printers with Group Policy Settings

Printer Locations

Printer Publishing
Printer Pruning

Most of the operations done during the installation and configuration of a printer can be managed through Group Policy settings. New users can be automatically connected to a printer when they first log in even though they may not know its name. Options for web-based printing can also be controlled from the print servers.

For new and mobile users, one important feature is the printer location setting. When properly configured, users can find printers based on where they are located. They can also find printers close to other users they might want to send a document to.

Most print drivers now allow the jobs to be rendered on the client even if the job is spooled on the server. This option can be enabled and enforced through Group Policy if needed.

Users that have their own local printers might share them over the network or publish them in Active Directory. GPOs can also be configured to prevent this from happening. The printer pruning option also allows you to remove old printers that are no longer available from Active Directory.

Taking advantage of these options can simplify the printing process for end users. You can create an environment where they will always be connected to a printer that is close to their location and that removes unavailable printers from the network.


Resolve Network Printer Issues

RESOLVE NETWORK PRINTER ISSUES


Review the scenarios and problems presented along with their solutions

It is important that users have easy access to printing resources in the organization. Problems in this area can mean loss of productivity and also of trust in the IT infrastructure. Knowing how to locate the print devices and control the queue and the documents in it will help you to fix these issues more efficiently. Cooperation with the administrators who control the print servers is sometimes necessary, but if enough privileges are delegated, many of these problems can be solved by desktop support staff. Taking advantage of the printing permissions and features allows you to deal with scheduling, priority and other print job issues on your own.

Here are some situations that might arise and some recommendations as to how they should be dealt with.

You need to prevent users from using web services and IPP to connect to network printers. What feature must you turn off to accomplish this?
Internet Printing Client

A print job is stuck in the queue and other jobs cannot print because of this. How can you best deal with this problem?
The first step should be to restart the print job to see if it can be printed successfully. If this cannot be done, then the job should be cancelled. The user will be notified that they must resend that job.

You need to fix a small problem with a print device quickly, but there are many jobs in the queue. How can you temporarily stop the print jobs so you can make the needed changes on the device?
In the options for the printer, choose Pause Printing. Uncheck the Pause Printing option when the fix is applied.

A very important print job is waiting in the queue behind twelve other jobs. How can you make this job be the next one printed in the queue ahead of the others?
Open the properties of the job and change the priority setting to be higher than the other jobs.


The secretaries in one part of your organization are complaining that it is taking too long to get their print jobs because of the volume generated. You have added additional printers in that location, but they do not want to keep trying to figure out which device is available before printing. What is one solution you could implement to solve this problem?
Make sure that the print devices are in the same location and can use the same driver, then configure a printer pool using all the devices.

A print device has just been taken offline and will not be fixed for a few more days. How can you salvage the print jobs that are still left in the queue?
Change the port assignment of the printer by pointing it to another network printer that will print the jobs. The new device must support the same driver as the one configured on the printer.

A number of users are unable to print documents on a Windows Server 2008 shared printer. All the users having this problem are running new systems with Windows 7 installed on them. The older desktops on the network use Windows XP. How can you solve this problem?
Install the new printer drivers on the print server and the client computers will automatically download and use them.

A user has just finished sending a large document to a network printer. Although the document has been spooled and is waiting in the queue, they are concerned that restarting their computer before it finishes printing will interfere with the job. What can you tell the user about this situation?
They have nothing to be concerned about since the document is spooled on the network print server. Restarting their machine will have no effect on it. If the print server were restarted, the documents would also remain in the spooler.

A document remains in the print queue with an error message for its status. Other print jobs are working fine. What can you try to remove the document?
You can try canceling or deleting the job in the print queue. If that is unsuccessful, then you might have to Cancel All Documents to try and clear it. As a last resort, you could try restarting the Print Spooler service, but this would affect all printers on the print server.


Review Module 7: Identify and Resolve Network Printer Issues

REVIEW
Examine the review questions as a class

1. What permissions are needed to control the documents of other users being sent to a printer?

2. What feature must be enabled to send documents to a printer using a URL?

3. What protocols can be used to exchange information with web-based printers?

4. What permissions are needed to take a printer offline?

5. True or False. The priority of print jobs can be changed while they are in the print queue.

6. How can you make all jobs on a printer wait until 5:00PM before sending them to the print device?

7. If the default priority for a printer is 10 and you change the priority for a print job to 5, what will happen to it?

8. True or False. Pausing a printer prevents you from adding new jobs to the print queue.

9. True or False. All print devices in a printer pool must be of the same make and model.



10. How does client-side rendering affect the way printed documents are spooled?


11. True or False. The Manage Documents permission also includes the ability to print documents.

12. What are some of the requirements for configuring multiple print devices into a printer pool?


Labs Module 7: Identify and Resolve Network Printer Issues

Exercise 1: Install Local and Network Printers

Exercise 2: Create and Use a Separator Page


Exercise 3: Printer Redirection and Printer Pool

Exercise 4: Move the Print Spooler Directory

Overview: Configure and test different printer configurations. Unless stated otherwise, start up the Windows 7 client and the domain controller images. Log in with the Contoso\Admin1 user account with a password of Pa$$w0rd.

Estimated time to complete this lab is 45 minutes.


Exercise 1: Install Local and Network Printers

Note: If the specified printer driver is not available, choose any other available HP LaserJet 2000 or 4000 series driver.

1. Log in to COMPUTER1 as Contoso\Admin1.
2. Create a System Restore point named Pre_Lab7.
3. Click Start > Devices and Printers then Add a printer.
4. In the Add Printer window, click Add a local printer.
5. Choose Use an existing port: and then highlight LPT1. Click Next.
6. Choose HP as the manufacturer and HP LaserJet P2015 as the Printer. Click Next.
7. In the Printer name box type HPLJ2015. Click Next.
8. In the Share name box type HPLJ2015. Click Next. Click Finish.
9. Confirm that the printer was created and it is your default printer.
10. Right click on the printer and click Open. Double Click Customize your printer.
11. In the Printer Properties window, in the General tab, change the Location: to Office/Classroom.
12. Go to the Sharing tab.
13. Uncheck the option to Render print jobs on client computers.
14. Check the option to List in the directory.


15. Click Additional Drivers. Note the option to automatically make additional drivers available for other platforms. Click Cancel.
16. Click the Advanced tab.
17. Click the Available from button. Change the hours to show 8:00PM to 6:00AM.
18. Click the Start printing after last page is spooled button.
19. Click the Separator Page button and type C:\Windows\System32\pscript.sep. Click OK.
20. Click the Security tab.
21. Give the domain Classroom Administrators group the Manage documents permission only. They should not have the Print or Manage this printer permissions.
22. Click the General tab. Click the Print Test Page button.
23. In the test page window, click Close.
24. Click Close to close the Printer Properties window.
25. Click the See what's printing option.
26. Highlight and delete the Test Page print job. Close the Printer window.
27. Click Start > Devices and Printers then Add a printer.
28. In the Add Printer window, click Add a Network printer.
29. Click The printer I want isn't listed.
30. Click Find a printer in the directory then click Next.
31. In the Find Printers window, you will see a list of all printers published in Active Directory.
32. Click HPLJ1015 then click OK. Click Next. (If HPLJ1015 does not appear in the list, click Clear All and do a search for it by name.)
33. Uncheck the box for Set as the default printer. Click Finish.
34. Perform the steps above to add another network printer named HPLJ1015_HR.

Exercise 2: Create and Use a Separator Page


1. Click Start > All Programs > Accessories.
2. Right Click Notepad and choose Run as Administrator.
3. Add the following five lines to the new text file:
    \
    \U
    \D
    \T
    \E
4. Here's the meaning of each line in the separator file:
    \ - This is the escape character used in the rest of the file. It could be any other character like $ or @.
    \U - This is the user name of the person who printed the document.
    \D - The date the job was printed.
    \T - The time the job was printed.
    \E - The End of the separator page.
5. Save the file with a name and path of C:\WINDOWS\SYSTEM32\printer.sep. Close Notepad.
6. Open the Properties window of your default printer.
7. Open the Advanced tab and click Separator Page.
8. Browse to C:\WINDOWS\System32.
9. Note the other files with an SEP extension besides the one just created.
10. Choose printer.sep and click Open then OK.
11. Click OK to save the changes and close the printer properties window.
12. Note: The C:\WINDOWS\SYSTEM32\PSCRIPT.SEP separator file can be used to switch a printer to PostScript printing mode without including a separator page. To include a separator page and switch to PostScript mode, use SYSPRINT.SEP.


Exercise 3: Configure Printer Redirection and a Printer Pool


1. Open the Properties window of the HPLJ1015_HR printer and use the button on the General tab to Print Test Page. The print job will be stuck in the queue.
2. Click the Ports tab.
3. Click Add Port.
4. In the Printer Ports window, click Local Port then click New Port.
5. In the Enter a port name: box, type \\NYC-DC1\HPLJ1015.
6. Click OK then click Close. Notice the new \\NYC-DC1\HPLJ1015 port in the list. Click Close.
7. Check the queue on HPLJ1015 to verify that the print job has been redirected to that device.
8. Open the properties of the network printer HPLJ1015 and go to the Ports tab.
9. Click the Enable printer pooling check box.
10. You are now able to highlight multiple ports. Click LPT1 and LPT2. Jobs will now be sent to the first available port. Both printers must use compatible drivers.

Exercise 4: Move the Print Spooler Directory


1. Click Start > Administrative Tools > Services.
2. Restart the Print Spooler service. Verify that jobs in the default printer's queue (HPLJ2015) have been removed. If the jobs are still there, stop the Print Spooler service, go to the C:\Windows\System32\Spool\Printers folder and manually delete all files, then restart the Print Spooler service.
3. Create a folder named E:\PRINTERS.
4. Open the Print Server Properties window.
5. Click the Advanced tab and click Change Advanced Settings. Note the default location of the print spooler.
6. In the Spool folder: box, type E:\PRINTERS.
7. Click OK.
8. Read the warning message and click Yes.
9. Open Windows Explorer to E:\PRINTERS and the HPLJ2015 Properties windows side by side.
10. Click the Print Test Page button a few times and verify that the jobs are being sent to the E:\PRINTERS folder.
11. Clear the print queue on all printers.


Module 8: Identify and Resolve Performance Issues

Table of Contents
Overview
Lesson 1: Analyzing Event Logs
Lesson 2: Setting Power Management
Lesson 3: Optimizing Processor Usage
Lesson 4: Optimizing Memory Usage
Lesson 5: Optimizing Hard Drive Usage
Lesson 6: Optimizing Network Usage
Lesson 7: Performance Tools
Resolve Performance Issues
Review Module 8: Identify and Resolve Performance Issues
Labs Module 8: Identify and Resolve Performance Issues


Overview

Analyzing Event Logs

Setting Power Management


Optimize Processor Usage

Optimizing Memory Usage


Optimize Hard Drive Usage

Optimize Network Usage

Performance Tools

Resolve Performance Issues

A computer system will have a reduced level of performance over time for a number of reasons. Hardware problems like disk fragmentation, or processor usage issues caused by running unnecessary programs, are common. Memory problems can be caused by loading unneeded programs at startup or running services that are not used by end-users. Malicious software can also use up resources and cause applications to stop functioning properly.

Whatever the cause of the problem, Windows 7 has the necessary tools to diagnose and solve these issues. The Event Logs can provide information about the resources that are not functioning properly. Task Manager, the Services Snap-in, System Configuration and Performance Monitor are some of the tools that can be used to help troubleshoot computer problems.

When diagnosing and fixing these problems, a systematic approach often works best. Performance problems are normally caused by one of the four baseline components on the system: Memory, Processor, Disk or Network. Narrowing down exactly where the problem area is and the applications that are involved will also help you to come up with solutions that prevent the problem from occurring again.

Group Policy settings can be configured to enable or disable options that affect performance. Changing the Visual Effects on a system allows you to manage the use of memory and processor resources. In addition to normal Group Policy assignments through Active Directory, the Group Policy Targeting feature is useful for applying settings to machines based on their hardware resources and not just their OU locations.


In this chapter, we will look at problems that might affect each of the main baseline components, how to solve those problems with built-in tools and how to prevent them in the future. We will also look at some basic optimization recommendations that can be used to improve the performance of any system, regardless of what it is used for.


Lesson 1: Analyzing Event Logs

Applications and Services Logs

System and Application Logs


Recording Performance Events

Responding to Events

The log files in Event Viewer are normally used to diagnose errors that occur while working on a system, but they can also be used to diagnose and fix performance problems. By using alerts and tasks, automatic responses to error events can be configured. Regularly examining the log files and responding to the events in them helps to maintain the performance of a computer.


Applications and Services Logs

Admin

Analytic
Debug

Operational

When an application or hardware component fails on a system, errors can be stored in the Applications and Services Logs. Events that are related to a specific component like memory, processor or disk can be examined in their own individual logs. Each log might contain up to four log subtypes:

Admin: This log subtype has information that is useful to a technician trying to fix a particular hardware issue. In addition to identifying the problem, a specific solution will also be presented.

Analytic: The Analytic log subtype also presents information on a specific problem, but will not provide a solution. Details about the program operation that caused the problem will be included.

Debug: Information about program problems will be listed in this log, but the details will mostly be used by developers to fix application issues.

Operational: Like the Admin log, Operational logs are used by technicians and end-users to diagnose and fix problems. They also provide the ability to start tasks that can fix the specified problem or links to additional information useful in doing further diagnostics.

System & Application Logs

System Logs

Application Logs

If a hardware component or application is not performing at a desired level, this information is not normally logged in Event Viewer. However, the possible failure or loss of a resource can sometimes be detected from information in the System or Application logs. The System log contains information about system components like memory resources or drivers. Application logs store events for programs and alerts from the Performance Monitor.

For example, a slow hard drive might give warnings before it fails, with an Event ID 51 being recorded in the log. A description indicating the hard drive that is having trouble is included with the warning message. A backup of all the data is the first thing that is done in this situation, since this is an indication that the drive might soon fail. Disk defragmentation and a scan for bad sectors might buy some time before the disk fails.

Sometimes an error message that points to a hardware component is really caused by a problem with its drivers. For example, an error message that indicates that the video memory is inadequate or failing might be solved by reverting to an older video card driver or updating to a newer one. A driver problem might also be confirmed when replacing the hardware component with a new device of the same type produces the same issues. Verify that all devices and drivers are compatible with Windows 7 to reduce the likelihood of this problem occurring.
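One way to look for the disk warnings described above, as an added example that is not part of the original courseware. It assumes the warnings are in the System log under Event ID 51 and that the description names the device in the form \Device\HarddiskN\...; the function name and the 30-day window are illustrative.

```powershell
# Added example (not from the courseware): summarize Event ID 51 warnings from
# the System log per device, so a drive that is starting to fail stands out.
# Assumption: the event description names the device as \Device\HarddiskN\...
function Get-DiskWarningSummary {
    param(
        [int]$Days = 30   # how far back to look (illustrative default)
    )

    $filter = @{
        LogName   = 'System'
        Id        = 51
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent reports an error when nothing matches; treat that as "none".
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $events |
        ForEach-Object {
            # Extract the device path from the description. Fall back to a
            # marker when the text does not match the assumed format.
            if ($_.Message -match '\\Device\\Harddisk\d+\\\S+') { $device = $Matches[0] }
            else { $device = '(device not parsed)' }

            New-Object PSObject -Property @{
                Device      = $device
                TimeCreated = $_.TimeCreated
            }
        } |
        Group-Object Device |
        ForEach-Object {
            $times = @($_.Group | Sort-Object TimeCreated)
            New-Object PSObject -Property @{
                Device    = $_.Name
                Warnings  = $_.Count
                FirstSeen = $times[0].TimeCreated
                LastSeen  = $times[-1].TimeCreated
            }
        } |
        Sort-Object Warnings -Descending
}

$summary = @(Get-DiskWarningSummary -Days 30)
if ($summary.Count -gt 0) {
    # A device with a growing warning count is the one to back up first.
    $summary | Format-Table Device, Warnings, FirstSeen, LastSeen -AutoSize
}
else {
    'No Event ID 51 warnings found in the System log for the selected period.'
}
```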


When the error message indicates that a resource is being used too heavily, changes to the configuration of the computer might be necessary. If the computer is running low on disk space, a cleanup of the hard drive or partition might be needed. Some files might also be moved to different volumes. Memory and processor resource problems might be solved by uninstalling or disabling unneeded services. Every running service on a computer uses these resources, even when it is idle.

Recording Performance Events

Performance Monitor Alerts Application Log

Hardware components, services and some applications can be monitored from the Performance Monitor tool. When alerts are configured for these resources, they can be recorded in the application log automatically. This mechanism can be used to record behavior that would not normally be sent to the log files. If you wanted to create a record of what processes are running on the system when the processor usage hits 70% or higher, this could be automated by creating an alert that runs a script which executes the tasklist.exe command and records its output.
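A script of the kind described above, as an added example that is not part of the original courseware. It assumes the alert's task has been configured to run it; the folder C:\PerfLogs\CpuAlerts, the file naming and the 14-day retention are illustrative choices.

```powershell
# Added example (not from the courseware): script for a Performance Monitor
# alert to run when processor usage reaches the threshold. It saves what
# tasklist.exe reports at that moment, one file per alert.
# Assumptions: folder, file names and retention period are illustrative.
function Save-ProcessSnapshot {
    param(
        [string]$Directory = 'C:\PerfLogs\CpuAlerts',
        [int]$KeepDays     = 14
    )

    if (-not (Test-Path -Path $Directory)) {
        New-Item -ItemType Directory -Path $Directory | Out-Null
    }

    $now  = Get-Date
    $file = Join-Path $Directory ('tasklist-{0:yyyyMMdd-HHmmss}.csv' -f $now)

    # /V adds the user name and CPU time columns; /FO CSV gives output that
    # ConvertFrom-Csv can parse (the header names follow the system language).
    $rows = @(& tasklist.exe /V /FO CSV | ConvertFrom-Csv)
    if ($rows.Count -eq 0) {
        throw 'tasklist.exe returned no rows.'
    }

    # Stamp every row with the capture time so that snapshots can be merged
    # and compared later.
    $rows |
        Add-Member -MemberType NoteProperty -Name Captured -Value $now.ToString('s') -PassThru |
        Export-Csv -Path $file -NoTypeInformation

    # Remove old snapshots so that the record of a CPU problem does not turn
    # into a disk space problem.
    Get-ChildItem -Path $Directory -Filter 'tasklist-*.csv' |
        Where-Object { $_.LastWriteTime -lt $now.AddDays(-$KeepDays) } |
        Remove-Item

    return $file
}

# Run once per alert; the output is the path of the snapshot just written.
Save-ProcessSnapshot
```

The CPU Time column reported by tasklist.exe is cumulative, so comparing two snapshots taken a short time apart shows which process was consuming the processor.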


Responding to Events

Run a program

Email
Message Box

Events in any of the log files can be configured to run a task the next time that they occur. The task can be set up to run a program, send an email or display a message. The email feature allows you to send an attachment and to forward messages using an SMTP server. This mechanism can be used to proactively deal with problems before they create more issues. A display message could be configured to remind users to remove unnecessary files and archive documents in response to an event indicating that drive space is getting low.


Lesson 2: Setting Power Management

Hibernation and Sleep Modes

Laptop Components
Configuration Options

Power management options are normally used for laptop computers to increase the amount of time the battery will provide power to the system. Improving the performance of the system in this area involves reducing unnecessary power consumption when working on the device. In doing so, it is best to focus on the resources that use the most power such as the display, CPU, hard drive and Wi-Fi components. The built-in tools for Windows 7 also allow you to manage power consumption using GUI or command-line tools. Active Directory group policies allow centralized configuration and enforcement of these settings.


Hibernation & Sleep Modes

Sleep Mode

Hybrid Sleep Mode


Hibernation

Hibernation and Sleep modes are useful power saving options that can be configured on a laptop. Sleep mode shuts down all components except RAM. The state of all applications is saved there so no work is lost. Everything returns to normal within a few seconds when the user starts working again.

Hybrid Sleep mode is a derivative of this that also stores the information in memory to the hard drive in case of total power loss. This option is useful for reducing power consumption on both mobile and desktop computers.

Hibernation mode also reduces power consumption, but it does so by shutting down the system completely. As with hybrid sleep mode, information in memory is saved to the hard drive first so that no data is lost.

Rather than choosing just one of these modes, use whichever is most appropriate for the situation. If a laptop is running on battery power and power must be used as efficiently as possible, the hibernation mode would be most advantageous. To automatically reduce power usage on a desktop computer when it is not in use, the hybrid sleep mode should be used. If a laptop is configured for sleep mode and is running critically low on power, it will automatically be put into hibernation mode.

When the sleep or hibernation modes are unavailable on a computer, it could be because the power management options are disabled in the BIOS or they are not configured on the system. Older devices or drivers might not support some power management options.

Laptop Components

Laptop Display

Desktop Applications
External Devices

The display can consume the most power on some laptop computers. This can be reduced by changing the brightness of the display. Shortening the amount of time the computer waits to turn off or dim the display can also be helpful. Shutting down unnecessary applications can reduce the load on the CPU and hard drive of a computer. Maintenance tasks can be paused or stopped if the system is running on battery power. The battery life can also be extended significantly if external devices that draw power are disconnected (e.g. USB external hard drives). Wi-Fi and other wireless components might also draw power, even if they are not being used. They should be turned off until needed.


Configuration Options

Power Options

Group Policy

The most convenient way to manage power settings for many machines is through group policy settings (Computer Configuration > Policies > Administrative Templates > System > Power Management). When this is not feasible, the Power Options can be directly configured through the Control Panel on the computer. The powercfg.exe command allows these options to be viewed and configured from the command-line.


Lesson 3: Optimizing Processor Usage

Application Configuration

Configuring Services
Rogue Applications

Applications that need processing resources on a computer will be automatically given access to them by the operating system when they become available. When these resources are scarce, this can be detected through the poor performance of the applications or by using the Task Manager. A number of strategies can be used to improve the availability of processing threads.


Application Configuration

Resource Usage

Startup Settings
Processor Affinity

Application Priority

Some client applications can be configured to use resources from the remote server they connect to.

The list of programs that start up automatically can also be checked and cleaned up to remove unnecessary applications. These are not always used and can lengthen the startup time of the computer. The System Configuration utility can be used to check and change these settings. The memory and processor usage during the boot process can also be managed in this tool.

Multi-processing systems can be configured to control which processors are used by an application. This is sometimes done for older programs that do not request and use processing resources efficiently. Using the Processes tab in Task Manager, the Set Affinity option on any process can be changed to limit which processor it uses. Upgrading an application to a version written for Windows 7 often eliminates these problems.

The Set Priority option can also be used to increase or decrease a process's use of processing resources. There are six settings available for this option. These offer increased processor access starting from Low, Below Normal, Normal, Above Normal, High and Realtime. Most applications will use the Normal level, but this can be increased or decreased without stopping the program or losing any data. The option to start an application with a specific priority can be configured with the start command directly or from a shortcut. Like the affinity setting, priorities can also be changed from Task Manager.
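The priority and affinity settings described above can also be changed from a script. This is an added example, not part of the original courseware; the function names and the sample process name notepad are illustrative.

```powershell
# Added example (not from the courseware): change the priority and processor
# affinity of a running process, as Task Manager's Set Priority and
# Set Affinity options do. Function names and 'notepad' are illustrative.

# Build the affinity bit mask from a list of processor numbers: processor 0 is
# bit 0, processor 1 is bit 1, and so on.
function ConvertTo-AffinityMask {
    param([int[]]$Cpu)

    $count = [Environment]::ProcessorCount
    $mask  = [long]0
    foreach ($n in $Cpu) {
        if ($n -lt 0 -or $n -ge $count) {
            throw "Processor $n does not exist (valid range: 0 to $($count - 1))."
        }
        $mask = $mask -bor [long][math]::Pow(2, $n)
    }
    return $mask
}

function Set-ProcessTuning {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        # .NET names for the six levels: Idle (shown as Low in Task Manager),
        # BelowNormal, Normal, AboveNormal, High, RealTime.
        [System.Diagnostics.ProcessPriorityClass]$Priority = 'Normal',
        [int[]]$Cpu
    )

    foreach ($p in @(Get-Process -Name $Name -ErrorAction Stop)) {
        # Changing processes owned by other users needs an elevated session.
        # A RealTime request made without the required privilege is applied
        # as High instead.
        $p.PriorityClass = $Priority

        # Test for the parameter itself: a list holding only processor 0
        # would evaluate as false in a plain "if ($Cpu)" check.
        if ($PSBoundParameters.ContainsKey('Cpu')) {
            $p.ProcessorAffinity = [IntPtr](ConvertTo-AffinityMask -Cpu $Cpu)
        }

        $p.Refresh()
        New-Object PSObject -Property @{
            Id       = $p.Id
            Name     = $p.ProcessName
            Priority = $p.PriorityClass
            Affinity = '0x{0:X}' -f $p.ProcessorAffinity.ToInt64()
        }
    }
}

# Sample call: lower the priority of every notepad process and restrict it to
# processors 0 and 1 (mask 0x3). This needs at least two logical processors.
Set-ProcessTuning -Name 'notepad' -Priority BelowNormal -Cpu 0, 1 |
    Format-Table Id, Name, Priority, Affinity -AutoSize

# Equivalent at launch time with the start command (affinity is a hex mask):
#   cmd /c start "" /belownormal /affinity 3 notepad.exe
```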

Configuring Services

Removing Services

Disabling Services
Service Dependencies

Each service running on a system will require the use of processing resources, even when idle. Programs that install such services should be removed, or the services should be disabled, if they are not being used. Service dependencies should be checked carefully before doing this. The performance options in System Properties also allow you to adjust the way the computer allocates processor resources. The allocation can be optimized to give the best performance to either applications or services running on the computer.
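One way to make the dependency check part of disabling a service, as an added example that is not part of the original courseware. The function name, the -Apply switch and the sample service name Fax are illustrative.

```powershell
# Added example (not from the courseware): report a service's dependencies and
# only stop and disable it when no running service depends on it.
# The function name, the -Apply switch and the 'Fax' sample are illustrative.
function Disable-UnusedService {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [switch]$Apply   # without this switch the function only reports
    )

    $svc = Get-Service -Name $Name -ErrorAction Stop

    # Services that need this one, and services this one needs.
    $dependents = @($svc.DependentServices)
    $running    = @($dependents | Where-Object { $_.Status -eq 'Running' })
    $required   = @($svc.ServicesDependedOn)

    $action = 'Report only'
    if ($running.Count -gt 0) {
        # Stopping the service now would break something that is in use.
        $action = 'Blocked: running services depend on it'
    }
    elseif ($Apply) {
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $Name -ErrorAction Stop
        }
        Set-Service -Name $Name -StartupType Disabled -ErrorAction Stop
        $action = 'Stopped and disabled'
    }

    # Stopped dependents are listed as well: they will fail to start later if
    # the service they need has been disabled, so review them before -Apply.
    New-Object PSObject -Property @{
        Service           = $svc.Name
        StatusBefore      = $svc.Status
        DependsOn         = ($required   | ForEach-Object { $_.Name }) -join ', '
        Dependents        = ($dependents | ForEach-Object { $_.Name }) -join ', '
        RunningDependents = ($running    | ForEach-Object { $_.Name }) -join ', '
        Action            = $action
    }
}

# Sample call: review first, then repeat with -Apply from an elevated session.
Disable-UnusedService -Name 'Fax' |
    Format-List Service, StatusBefore, DependsOn, Dependents, RunningDependents, Action
```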


Rogue Applications

End Task

End Process
End Process Tree

When an attempt to end a program is unsuccessful, the resources dedicated to it will be unavailable for other applications. The best way to close these programs is through the Task Manager console. The Applications tab allows you to end the task in most cases. It might also be necessary to end any processes started by the application using the Processes tab. If you are unsure which processes to close, the End Process Tree option can be used to shut down all processes started directly or indirectly by the program.


Lesson 4: Optimizing Memory Usage

Alternative Memory

Application Use of Memory


Visual Effects

Most computers will have improved performance from additional and faster RAM being installed on the system. When memory issues start affecting performance adversely, it could be because of the limited amount of memory, improper usage of memory by applications or too many applications running at the same time. Slow performance, memory notifications and error messages are a clear indication of this problem.


Alternative Memory

Page File

ReadyBoost

If the random access memory (RAM) on the system is not enough to handle all the requirements demanded by the applications, the system will start using memory from other sources to supplement it. The main source of this memory is virtual memory in the form of a page file.

Page files move data that cannot fit into the existing RAM to a system-controlled file that is stored on a local hard drive. The name of the file is pagefile.sys and it stores the data temporarily until memory becomes available in RAM. The operating system normally controls the size and location of this file, but this can be manually changed. Moving the file to a hard drive on which operating system files are not stored can sometimes improve performance. The page file also has a minimum and maximum size setting. Increasing both of these options can reduce low memory notifications, but the performance of the system might be adversely affected because of the much slower speed of the hard drive vs. RAM.

ReadyBoost is another useful option to improve memory performance. This feature allows you to use memory on a flash drive as virtual memory. If desired, only a portion of the flash drive resources can be dedicated for this purpose. Whether the virtual memory is used from the hard drive or a flash drive, it will never perform as well as adding additional RAM to the system.

Application Use of Memory

Using Remote Resources

Delay / Schedule Operations


Memory Leaks

16-bit Applications

Some applications will use more memory than others because of the type of operations they are doing. Delaying these operations when more important applications are running is one strategy to deal with this. Some client applications can also be configured to use the memory of remote servers when doing some operations.

Memory leak problems can be detected by monitoring memory usage in applications like Task Manager. Programs that fail to shut down properly when they are closed might also leave a detectable trail in the Processes tab. Stopping and restarting the application is sometimes necessary. If this is a persistent problem, then an upgrade or fix for the application should be sought from the vendor.

Older applications written for 16-bit operating systems will normally run without problems on Windows 7, but they can create problems when two or more of them are running in the same memory space. If the applications only have problems when being run at the same time, they can be configured manually or through a shortcut to run in their own memory space. This requires more resources but eliminates problems caused by resource conflicts.


Visual Effects

The visual effects on a computer can be turned off to free up resources and improve performance. A number of options which include animations, fading effects and transparency can be disabled in order to get better performance for applications. The option provided to Adjust for best performance disables all visual effects and frees up resources for other desktop operations. The Performance Options window can be accessed through the System Properties window by clicking the Advanced tab and using the Settings button under the Performance section.


Lesson 5: Optimizing Hard Drive Usage

Free Space

Disk Fragmentation
Disk Integrity

Indexing

Regular maintenance of the hard-drive is needed in order to get the best performance from it. Defragmentation, deleting temporary files and checking for bad sectors can not only help you to get increased performance, but reveal problems before they result in a loss of productivity and data. The effect of features and operations that reduce drive performance should also be weighed against their advantages. BitLocker encryption is a useful security feature, but it will also slow down disk access. Most end-users will not notice the 5 percent or less performance hit taken by enabling BitLocker encryption on the hard-drive.


Free Space

Disk Cleanup

20 Percent Free Space


Moving Resources

Cleaning up the hard-drive and deleting other unnecessary files can improve day to day read/write tasks and will allow other maintenance tasks to run more efficiently. You should normally have at least 20 percent of free space available on each partition that you use on the system. If a cleanup does not provide enough free space, moving resources to a different drive or archiving them would be advantageous. Disk cleanup operations can be scheduled to run regularly using the Task Scheduler or they can run in response to low free space messages logged on the computer. Disk maintenance tasks should be executed during hours when users are least likely to be working. Scheduled tasks can also be set to run only if the computer is idle for a specified period of time. Automatic restart of the tasks if they fail and maximum execution times can also be configured.

Disk Fragmentation

Scheduling

Priority Setting

Busy hard drives should also be configured for regular defragmentation. Writing and re-writing to the drive often causes separate sections of a file to be stored in different locations on the drive. Reorganizing these files so that all the sections of each file are in the same place can improve the performance of applications. Disk defragmentation operations are executed with a low priority by default, but this can be changed.


Disk Integrity

Chkdsk

Replacing Disk

Problems with corrupt files and bad sectors on a hard drive sometimes signal that it is going bad and needs to be replaced soon. Running a utility like chkdsk might be able to fix the files and mark the bad sectors, but a backup of important data on that drive should be scheduled quickly as well. Chkdsk can be executed from the command-line or by opening the properties of the drive in the Computer console and using the Check now button on the Tools tab.

Indexing

What files to Index

Location of Index
Windows Search Service

Searching for documents on a partition can be sped up significantly by using indexing. Only file types that you work with regularly should be indexed. There are options to control where the index file is located, the file types that will be included, whether or not to include encrypted files and what locations or folders on the system will be included. The ability to index emails and their attachments is useful to many business users. The Windows Search service is responsible for managing index operations on the computer.


Lesson 6: Optimizing Network Usage

Adapter Configuration

Application Configuration
Protocol Configuration

Poor network performance on a computer can be caused by a number of factors that include the configuration of client applications, network card settings, the use of caching and protocol configuration. In most cases, Windows tools can be used to modify features and settings to get the performance desired. Problems caused by application configuration can sometimes be fixed in the program, but sometimes, changes on the server might be necessary.

Adapter Configuration

Drivers

Microsoft HCL
BIOS Configuration

Changing the configuration of the network card can be done from the Device Manager. Poor performance is sometimes caused by using an out-of-date or incorrect driver. Updating it can fix some problems. You should also verify that the network adapter is on the Microsoft Hardware Compatibility List (HCL). BIOS updates on the motherboard can sometimes fix compatibility problems.

The network switch to which the network card connects should also be checked to verify that it uses appropriate settings. Full-duplex is configured on most NICs to get the best bandwidth performance, but this will not work if the switch is not also set up to work in full-duplex mode. If the switch is set up to auto-sense the bandwidth capability of the NIC but is not detecting it properly, this might have to be manually configured to force it to use the best data transfer rate.


Application Configuration

Caching

Offline Files

Some applications can be configured to cache information locally on the client computer. If this is information that is accessed regularly but does not change too often, then it might be a good candidate for caching to reduce network bandwidth usage. Configuring offline settings for network shares can help to alleviate this problem as well. To find out what percentage of the bandwidth on a NIC is being used, you can use tools like Task Manager. For more detailed information about what applications are using the network and how much bandwidth they are using, the Resource Monitor can be used.

Protocol Configuration

Using Multiple Protocols

NIC Binding
IPv4 and IPv6

Installing multiple network protocols on a network card can increase the connectivity options available and the systems you may communicate with. However, this produces an additional load for the NIC drivers and will ultimately slow down performance. If they are not needed by applications, additional network protocols should be removed from the computer. Systems that use multiple NICs can have different protocol settings configured for each of them.

Most networks use TCP/IP and will have computers configured to use both IPv4 and IPv6. In most cases, neither protocol should be disabled, even if you are using only one of them. If there is a need to disable one of them, these changes should be thoroughly tested before deployment.


Lesson 7: Performance Tools

Task Manager

Resource Monitor
Event Viewer

Services Snap-in
System Configuration
Disk Defragmenter

For most of the performance problems that you will have on a computer, the Windows operating system will provide the tools needed to diagnose, and in some cases fix, the issue. Here is a list of some of the more common tools you will work with and how they can be used.

Task Manager: This tool shows a list of the applications and processes running on a system. It is often used to close unresponsive applications or processes. How these processes use CPU resources can also be controlled from this tool. It also allows an administrator to see how memory, processor and network resources are used on the computer. Services can also be stopped and started from Task Manager. Applications can also be identified by the user account that was used to start them.

Resource Monitor: Like the Task Manager tool, Resource Monitor will monitor resources in real time, but it gives more details about how the Memory, Processor, Network & Disk components are being used. The user-friendly interface allows you to quickly identify bottleneck resources and the processes that are causing the problem. Other similarities to the Task Manager include the ability to stop and start services or end processes. The option to suspend a process is useful if you need to temporarily free up resources. Some data loss is possible when using this option.

Event Viewer: The logs in the Event Viewer store information about events and errors on a system. They can log information about resource problems like limited free drive space. Hardware-specific data can be found in the Application and Services Logs to diagnose specific component issues. Information about operating system problems can often be found in the System log, while errors generated by programs are likely to be found in the Application log. Installation problems with applications can sometimes be found in the Setup log. The Event Forwarding feature is useful for copying log data between systems automatically to make them more accessible. Tasks can be attached to specific log entries to configure automatic responses to certain events.

Services Snap-in: The Services MMC Snap-in is available from the Administrative Tools or the Computer Management console. Services are applications that run in the background without being manually launched, and they normally have preferential access to resources on the computer. The snap-in allows you to see all the services installed on a system and how they are configured. Services can be stopped and started manually and their startup settings can be changed. Services that are no longer needed can be disabled from this tool, although uninstalling the associated application is normally a better option. The Services snap-in also allows you to see the dependencies that exist between the services and the credentials used to start them up. The recovery options allow you to automatically restart a service if it fails for some reason.

System Configuration: System Configuration allows you to manage the startup settings on a computer. Services and other applications that start up automatically during the boot process can be enabled or disabled. To diagnose issues with memory and processor resources, System Configuration can be configured to change how they are used during boot up.

Disk Defragmenter: This tool is normally run from the Computer Management console, but it can also be executed from the command line using defrag.exe. Running the tool regularly can help to maintain the performance of the hard drive on the computer. Reorganizing files in the file system often improves read and write performance on the disk. A sufficient amount of free space (at least 20 percent) should be available before defragmentation.

Resolve Performance Issues

Review the scenarios and problems presented along with their solutions

The logs and tools provided in Windows 7 allow anyone with appropriate permissions to quickly diagnose most problems that affect performance on the computer. Some of these problems are common issues that might occur because of general usage. Other issues are caused by user behavior or software problems. Let us examine some of the problems that are likely to affect performance and how to deal with them.

You have been asked to create a process that automatically deletes temporary files on a computer when the drive space gets low. What mechanism can be used to do this?
In the Event Viewer System Log, configure a task for the low disk space event that will run a program or script to clean up the files.

To better understand the resource problems on a computer, you want to configure it to record details about processor usage, when more than 75% of the processing power is being used. How can this be done?
Use the Performance Monitor tool to create an alert for a data collector set.

The event logs indicate that the memory on a video card is defective and so it is replaced with an identical card which is having the same problem. What should you try doing before getting another video card?
Try replacing the existing drivers being used to manage the card.

A user is complaining that the laptop he uses does not have the hibernation or sleep options available. What could be causing this problem?
The power management options might be disabled in the BIOS of the computer. Another problem could be with the devices or drivers not supporting power management.

You need to configure an application to always start up with a higher than normal priority setting. How can this be done as simply as possible for end-users to work with?
Create a shortcut that uses the start command to initialize the program. Use the high or abovenormal priority setting with the start command. Using the realtime priority setting is normally only recommended for operating system resources.

You need to configure a group of laptops to completely shut down after two hours of inactivity. This should be done without losing any data. The user should be able to pick up where they left off when the computer is turned back on. How can this be done?
The hibernation mode should be configured in the power management options on the laptops. This can be done on each machine or by leveraging group policy options in Active Directory.

A busy application is using too much of the processing resources on a computer. How can you forcefully reduce its use of the processor without stopping it?
Reduce the priority setting of the process running the application by using Task Manager.

One of the computer systems on your network is getting memory errors because it is running out of RAM when multiple applications are active at the same time. How can you eliminate these error messages without adding more RAM to the system?
Increasing the size of the virtual memory available to the system will reduce or eliminate these messages, but the performance of the applications will be affected.

After doubling the RAM on a system to 8 gigabytes, the user disables the use of virtual memory. The user is surprised when he starts getting error messages stating that the system is running out of memory. Why did this happen when the RAM doubled?
If many applications are executed at the same time, it is possible that the computer would still need virtual memory. The pagefile is sometimes used to preemptively store data that is in RAM in case it needs to clear that space quickly. It is best to let the operating system decide when pagefile.sys is, or is not, needed.

You have an old application that is using too much of the processor resources on the multi-processing systems where it is installed. What can you do to prevent this?
Change the processor affinity to force it to use just one processor.

Three applications are running on a computer but you want to prevent two of them from using the second processor so its resources can be mainly dedicated to the third program. How can this be done?
Use Task Manager to change the affinity setting of the applications to allow or prevent them from using a particular processor. This can be done in the Processes tab.

A user is getting errors in an application because of corrupted documents on the file system. A virus scan has verified that the computer is clean. The same problem has been happening with other documents for at least a week. How should this problem be handled?
Try to fix the corrupt files with chkdsk and perform a backup of important documents as soon as possible. If the problem persists, it could indicate that the hard drive is going bad and needs to be replaced.

Some of your remote users want to use BitLocker encryption for their laptops but are concerned about performance and application compatibility. What can you tell them?
BitLocker encryption is transparent to any application running in Windows and the performance hit because of slower drive access time can be up to 5 percent. This depends on the other related computer resources like the processor, but in most cases, the change in performance will not be noticed for normal desktop usage.
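The priority and affinity scenarios above can also be scripted. The following is an added example, not part of the course material: the function names are hypothetical, the Notepad target and the shortcut path are constructed for the demonstration, and only PowerShell 2.0 syntax is used so that it runs on Windows 7.

```powershell
# Added example (not from the course). Function names are hypothetical.

function Set-ProcessCpuPolicy {
    # Sets the priority class and, optionally, the processor affinity of a
    # running process: the same two settings Task Manager exposes.
    param(
        [Parameter(Mandatory = $true)][int]$Id,
        # RealTime is deliberately not offered, following the course advice.
        [ValidateSet('Idle', 'BelowNormal', 'Normal', 'AboveNormal', 'High')]
        [string]$Priority = 'Normal',
        # Zero-based logical processor numbers; omit to leave affinity unchanged.
        [int[]]$Cpu
    )

    $proc = Get-Process -Id $Id -ErrorAction Stop
    $proc.PriorityClass = [System.Diagnostics.ProcessPriorityClass]$Priority

    # Test the bound parameters: "-Cpu 0" alone would evaluate as false.
    if ($PSBoundParameters.ContainsKey('Cpu')) {
        $count = [Environment]::ProcessorCount
        [long]$mask = 0
        foreach ($n in ($Cpu | Sort-Object -Unique)) {
            if ($n -lt 0 -or $n -ge $count) {
                throw "Processor $n does not exist; valid range is 0..$($count - 1)."
            }
            $mask += [long][math]::Pow(2, $n)   # bit n selects processor n
        }
        $proc.ProcessorAffinity = [IntPtr]$mask
    }

    $proc.Refresh()
    New-Object PSObject -Property @{
        Name         = $proc.ProcessName
        Id           = $proc.Id
        Priority     = $proc.PriorityClass
        AffinityMask = $proc.ProcessorAffinity.ToInt64()
    }
}

function New-PriorityShortcut {
    # Creates a shortcut that launches a program through "start" with a
    # priority switch, so end-users only have to double-click it.
    param(
        [Parameter(Mandatory = $true)][string]$ShortcutPath,
        [Parameter(Mandatory = $true)][string]$ProgramPath,
        [ValidateSet('low', 'belownormal', 'normal', 'abovenormal', 'high')]
        [string]$Priority = 'abovenormal'
    )

    # Only accept an existing file, so nothing else ends up on the command line.
    if (-not (Test-Path -LiteralPath $ProgramPath -PathType Leaf)) {
        throw "Program not found: $ProgramPath"
    }

    $shell = New-Object -ComObject WScript.Shell
    $link = $shell.CreateShortcut($ShortcutPath)
    $link.TargetPath = $env:ComSpec
    # The empty "" is the window title that start expects before a quoted path.
    $link.Arguments = '/c start "" /{0} "{1}"' -f $Priority, $ProgramPath
    $link.WindowStyle = 7      # run the helper cmd.exe window minimized
    $link.Save()
    $ShortcutPath
}

# Demonstration on a throwaway Notepad instance (constructed scenario):
# lower its priority and pin it to the first logical processor.
$demo = Start-Process notepad.exe -PassThru
Set-ProcessCpuPolicy -Id $demo.Id -Priority BelowNormal -Cpu 0
Stop-Process -Id $demo.Id

# Shortcut that always starts Notepad at above-normal priority.
New-PriorityShortcut -ShortcutPath "$env:TEMP\Notepad-AboveNormal.lnk" `
                     -ProgramPath "$env:WinDir\System32\notepad.exe"
```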

To get the best network performance from a machine, the port to which it is connected on a network switch is set to full-duplex mode. However, you are unable to get the improved bandwidth performance you expect from the system. What is the most likely cause of this problem?
In order to double the bandwidth by sending and receiving data at the same time at full network speed (full-duplex mode), both the switch and the network card must be configured. Change the duplex settings on the NIC by using the Device Manager.

Review Module 8: Identify and Resolve Performance Issues

REVIEW
Examine the review questions as a class

1. In what log file can Performance Monitor alerts be configured to record events?

2. What three operations can be performed by an Event Viewer task?

3. Which Event log file is most likely to contain information about failed system drivers?

4. What components normally use the most on a laptop?

5. What power management setting will shut down a computer but save the running state of the system?

6. True or False. A laptop will completely lose power and data eventually if left in sleep mode?

7. What feature allows you to use memory on a flash drive as virtual memory for the machine?

8. What is the purpose of the pagefile.sys system file?

9. How does an application gain access to processing resources on a computer?

10. What option in Task Manager allows you to control the processors an application uses?

11. How can you close down a non-functioning program and all processes related to it?

12. True or False. Services will continue to use computer resources even if they are idle.

13. What is the minimum recommended free space for hard-drive partitions?

14. True or False. Scheduled maintenance operations can be configured to run only when the system is idle.

Labs Module 8: Identify and Resolve Performance Issues

Exercise 1: Schedule & Run a Disk Defragmentation
Exercise 2: Using Task Manager
Exercise 3: Using Resource Monitor
Exercise 4: Configure a pop-up message window

Overview: Use built-in Windows tools to diagnose and fix network, disk and memory problems. Unless stated otherwise, start up the Windows 7 client and the domain controller images. Log in with the Contoso\Admin1 user account with a password of Pa$$w0rd.

Estimated time to complete this lab is 60 minutes.


Exercise 1: Schedule and Perform a Disk Defragmentation
1. Open the System Properties window, click the Remote tab and enable Allow connections from computers running any version of Remote Desktop. Click OK. (If prompted for credentials, verify that you are logged in as Contoso\Admin1 and that the account has local administrator privileges. [Module 4, Exercise 1])
2. Create a System Restore point named Pre_Lab8.
3. Click Start > All Programs > Accessories > System Tools > Disk Defragmenter.
4. In Disk Defragmenter click Configure schedule.
5. Change the details of the schedule to be weekly, on Sunday at 6:00PM for the C: drive only. Click OK.
6. Highlight the C: drive and click Defragment disk. Do the same for the D: and E: drives.
7. Do not wait for the defragmentation to complete. Immediately proceed to the following steps.
8. Map the S: drive to the \\NYC-DC1\CLASSFILES share.
9. Verify that Disk Defragmenter does not allow you to work on the S: drive (non-local disk).
10. Login to NYC-DC1 as Contoso\Administrator and enable Remote Desktop using the instructions in the first step of this exercise.
11. On Computer1, click Start > All Programs > Accessories > Remote Desktop Connection. Login to NYC-DC1 using Contoso\Administrator credentials.
12. Defragment the C: drive on NYC-DC1 using the Disk Defragmenter.

13. Do not wait for the defragmentation process to end. Disconnect the Remote Desktop and continue to the next exercise.
14. Note: Remote defragmentation can also be accomplished with PowerShell scripts using the win32_volume defrag method. Example:
    a. $c=gwmi win32_volume -computer nyc-dc1 -filter 'driveletter="c:"'
    b. $c.defrag($true)

Exercise 2: Using Task Manager


Open the Windows Task Manager.
Go to the Applications tab.
Open the Control Panel, Windows Explorer, Notepad and Internet Explorer.
Go back to the Task Manager and notice the newly started applications and their Status.
In the menu bar click Options > Always on Top. Notice the behavior of any application when you try to bring it to the front.
Go to the Processes tab.
Click on the Memory column to sort the processes in order of memory used.
Right click on explorer.exe and notice the different options available.
Click UAC Virtualization and read the message box provided. (This option is often used on Terminal Servers where multiple people use the same programs, but it should be tested thoroughly first.) Click Cancel.
Right click on iexplore.exe then click Set Priority. (The Below Normal option is sometimes used for unimportant background applications or processes. Above Normal is used for important applications. The other settings should not normally be used.)
Right click iexplore.exe and then End Process Tree. Read the message box provided and click End process tree.
Click the Show processes from all users button.
Press Ctrl + Alt + Delete and choose Switch User.
Login as Computer1\User1 and open the Control Panel, Windows Explorer, Notepad and Internet Explorer.
Switch User account back to Admin1 and go back to Task Manager.
Find the applications launched by User1 by sorting the Processes tab by the User Name column.
Close the Notepad and Windows Explorer applications opened by User1 by ending their processes.
Click the Services tab.
Notice the Services button in the lower right hand corner for opening the Services console.
Sort the Services alphabetically by clicking the Name column.
Right click the Spooler service and click Go to Process. You are back in the Processes tab with the spoolsv.exe file highlighted.
In the Services tab make a note of the Process ID (PID) of the Spooler service. (If the PID column is not visible, add it by using the View > Select Columns option on the menu bar.)
Stop and restart the Spooler service. Note the new PID number. (Note: This is an easy way to verify if a process or service has been restarted.)
Click the Performance tab.
Notice the Processor and Memory information.
Make a note of the number of processes running and the up time of the machine.
Notice the Resource Monitor button.
Click the Users tab.
Note the status of both logged on accounts.
Use the Send Message button to send a message of Please Logoff the System this evening. to User1.
Right click User1 and click Connect. Provide the User1 password and press OK.
Verify that the message from Admin1 was sent successfully.
Open Task Manager and click the Users tab.
Right click Admin1 and click Connect. Provide the Admin1 password and press OK.
Make a note of the error message.
Use the Start Menu options to switch to the Admin1 user account login.
In the Users tab of the Windows Task Manager, use the Logoff button to logoff User1.
Close Task Manager.

Exercise 3: Using Resource Monitor


Verify that at least one instance of Notepad, Internet Explorer, Windows Explorer and the Control Panel are open.
Click Start and in the Search programs and files box type Resource Monitor. Click Enter.
In the Overview tab, click on the grey bars for CPU, Disk, Network & Memory to view detailed information about how each of these resources is being used.
On the menu bar, click Monitor > Stop Monitoring and notice that the displays are static.
On the menu bar, click Monitor > Start Monitoring and notice that the displays are being updated again.
Click the Memory column and sort the processes by Working Set in descending order.
From the Physical Memory bar, decipher how much RAM is in use and how much is available for new applications. Hardware reserved memory is used by devices like video cards on the system.
Click the CPU tab.
Sort the Processes table by CPU usage.
Sort the Services table by CPU usage.
In the Processes table, right click explore.exe and choose Analyze Wait Chain. If the application is running normally, then it is not waiting on other processes. This feature can be used to troubleshoot unresponsive programs.
In the Processes table, right click iexplore.exe and choose Suspend Process. Note the effect on the CPU usage and on the application itself. (It frees up resources without forcing you to end an application.)
Right click iexplore.exe and choose Resume Process.
In the Services table, locate and stop the Spooler service.
Verify that you are unable to see or add new printers.
Restart the Spooler service.
In the Services table, try to locate the Server and Workstation services.
Use the Services Window to stop the Server and Workstation services. Note the effect on your ability to share local folders and your ability to connect to network shares.
Restart the Server and Workstation services and close the Services window.
In the Resource Monitor, click the Disk tab.
In the Processes with Disk Activity table, sort by Read (B/sec) to find the process that is performing the most read operations on your disk.
Right click the process and notice the option to Search Online for more information about that process.
Click the Network tab.
Use the Network Activity table to find the names of the network computers you are communicating with and locate the system that you have sent the most data to. If there is no activity, copy files from the S: drive to the local C:\Temp folder to generate some activity.
Use the TCP Connections table to see the local IP and Port data for connections. Notice that you can also see the IP and Port information of the remote computer. You can also verify if there are packet losses when communicating with an application.
Use the Listening Ports table to verify what ports your computer is listening on, the protocol being used and the firewall status.
Close Resource Monitor.
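The Listening Ports table from the last steps of this exercise can be reproduced from the command line, which is useful when the result has to be saved or compared between machines. This is an added example, not part of the course material: it parses the output of netstat -ano, the function names are hypothetical, the sample lines are constructed, and it assumes an English-language Windows installation (netstat prints the LISTENING state in the system language).

```powershell
# Added example (not from the course). PowerShell 2.0 syntax, Windows 7.

function ConvertFrom-NetstatListener {
    # Turns "netstat -ano" text into objects, keeping only TCP listeners.
    param([string[]]$Line)

    foreach ($text in $Line) {
        # Proto, local address:port, foreign address, state, owning PID.
        if ($text -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $addr   = $matches[1]
            $port   = [int]$matches[2]
            $procId = [int]$matches[3]

            # How widely the port is reachable, judged by the bind address.
            $scope = 'Single address'
            if ($addr -eq '0.0.0.0' -or $addr -eq '[::]') { $scope = 'All interfaces' }
            elseif ($addr -like '127.*' -or $addr -eq '[::1]') { $scope = 'Loopback only' }

            New-Object PSObject -Property @{
                Port = $port; LocalAddress = $addr; Scope = $scope; ProcessId = $procId
            }
        }
    }
}

function Get-ListeningPort {
    # Adds the process name and any hosted services to each listener,
    # which is what Resource Monitor shows in its Image column.
    param([string[]]$NetstatOutput = (netstat.exe -ano))

    ConvertFrom-NetstatListener -Line $NetstatOutput | ForEach-Object {
        $procId = $_.ProcessId
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue

        # Stopped services report ProcessId 0, so never query for PID 0.
        $services = @()
        if ($procId -gt 0) {
            $services = @(Get-WmiObject Win32_Service -Filter "ProcessId=$procId" |
                          ForEach-Object { $_.Name })
        }

        New-Object PSObject -Property @{
            Port         = $_.Port
            LocalAddress = $_.LocalAddress
            Scope        = $_.Scope
            ProcessId    = $procId
            Process      = $(if ($proc) { $proc.ProcessName } else { 'unknown' })
            Services     = ($services -join ', ')
        }
    } | Sort-Object Port, LocalAddress |
        Select-Object Port, LocalAddress, Scope, ProcessId, Process, Services
}

# Constructed sample of netstat -ano output (not captured from a real host).
# The ESTABLISHED and UDP lines are skipped by the parser.
$sample = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716',
    '  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1480',
    '  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4',
    '  TCP    192.0.2.10:49170       192.0.2.20:445         ESTABLISHED     4',
    '  TCP    [::]:445               [::]:0                 LISTENING       4',
    '  UDP    0.0.0.0:500            *:*                                    892'
)
ConvertFrom-NetstatListener -Line $sample |
    Select-Object Port, LocalAddress, Scope, ProcessId | Format-Table -AutoSize

# Live view of the local machine.
Get-ListeningPort | Format-Table -AutoSize
```

Run it from an elevated prompt; without elevation, process names for listeners owned by other accounts may show as unknown.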

Exercise 4: Configure a warning message when a service stops


1. Use the Command Prompt to go to the folder C:\WINDOWS\SYSTEM32. (Run as Administrator)
2. Copy the PRINT_SPOOLER_EVENT.CMD file from the server using the following command: XCOPY \\NYC-DC1\CLASSFILES\MOD08\PRINT_SPOOLER_EVENT.CMD C:\WINDOWS\SYSTEM32
3. Use Notepad to examine the file without making any changes to it. (Note: You can use the EVENTCREATE.EXE /? command to understand the command options.)
4. Stop the Print Spooler service by running the command: net stop spooler


5. Run the command print_spooler_event.cmd
6. Use the Event Viewer to verify that a new Warning message has been created in the System Log with a Source of Print Spooler (Event Viewer > Windows Log > System).
7. Right click the Print Spooler message in Event Viewer and choose Attach Task To This Event.
8. In the Create a Basic Task Wizard window, click Next.
9. Click Next again to open the Action window.
10. Click Display a message and click Next.
11. In the Title box type Print Spooler Error.
12. In the Message box type The Print Spooler service has stopped!. Click Next.
13. Check the box for: Open the Properties dialog and then Finish.
14. In the Properties window, check Run with highest privileges and click OK.
15. In the System Log, find any event with an ID of 7036 (Generated when a service is stopped or started.).
16. Right click on that event and choose Attach Task To This Event.
17. Click Next twice to get to the Action page.
18. Choose the radio button for Start a program and click Next.
19. In the Program/script: box, type the path: C:\WINDOWS\SYSTEM32\PRINT_SPOOLER_EVENT.CMD. Click Next.
20. Check the box for: Open the Properties dialog and then Finish.
21. In the Properties window, check Run with highest privileges and click OK.
22. Open the Services console and verify that the Print Spooler service is running.
23. Stop and then Start the Print Spooler service to verify that the message box does appear.
24. Click Start > Task Scheduler and press Enter.
25. In the Task Scheduler Library > Event Viewer Tasks folder, disable the two tasks that were just created.
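Event ID 7036 is logged for every service that starts or stops, so a task attached to it in Event Viewer fires for all of them. The following added example (not part of the course material) shows one way to narrow the trigger to the Print Spooler stopping and to check who can modify the script that the elevated task runs. The function names are hypothetical, and two details are assumptions: that event 7036 carries the service display name and state in fields named param1 and param2, and that the state text is the English word stopped.

```powershell
# Added example (not from the course). PowerShell 2.0 syntax, Windows 7.

function Get-ServiceStateXPath {
    # Builds an event query for 7036 limited to one service and,
    # optionally, one state. param1/param2 are assumed field names.
    param([string]$DisplayName = 'Print Spooler', [string]$State = '')

    if ("$DisplayName$State" -match "['""]") {
        throw 'Quotes are not supported in the filter values.'
    }
    $data = "Data[@Name='param1']='$DisplayName'"
    if ($State) { $data += " and Data[@Name='param2']='$State'" }

    "*[System[Provider[@Name='Service Control Manager'] and (EventID=7036)]" +
    " and EventData[$data]]"
}

function Get-ServiceStateEvent {
    # Lists recent start/stop events for one service from the System log.
    param([string]$DisplayName = 'Print Spooler', [int]$MaxEvents = 20)

    $xpath = Get-ServiceStateXPath -DisplayName $DisplayName
    Get-WinEvent -LogName System -FilterXPath $xpath -MaxEvents $MaxEvents `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ Name = 'Service'; Expression = { $_.Properties[0].Value } },
            @{ Name = 'State';   Expression = { $_.Properties[1].Value } }
}

function Get-UnexpectedWriter {
    # A task that runs with highest privileges executes whatever is stored at
    # its program path, so list accounts other than SYSTEM, Administrators
    # and TrustedInstaller that are allowed to change that file.
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        "$($_.FileSystemRights)" -match 'Write|Modify|FullControl' -and
        "$($_.IdentityReference)" -notmatch 'SYSTEM$|\\Administrators$|TrustedInstaller$'
    } | Select-Object IdentityReference, FileSystemRights
}

function Register-ServiceStopTask {
    # Creates the event-triggered task from the command line instead of
    # through Attach Task To This Event. Requires an elevated prompt.
    param(
        [string]$TaskName    = 'Print Spooler stopped',
        [string]$Program     = 'C:\WINDOWS\SYSTEM32\PRINT_SPOOLER_EVENT.CMD',
        [string]$DisplayName = 'Print Spooler'
    )

    $writers = @(Get-UnexpectedWriter -Path $Program)
    if ($writers.Count -gt 0) {
        $names = ($writers | ForEach-Object { "$($_.IdentityReference)" }) -join ', '
        throw "Refusing to register: $Program is writable by $names"
    }

    $xpath = Get-ServiceStateXPath -DisplayName $DisplayName -State 'stopped'
    schtasks.exe /Create /TN $TaskName /TR $Program /SC ONEVENT /EC System `
                 /MO $xpath /RL HIGHEST /F
    if ($LASTEXITCODE -ne 0) {
        throw "schtasks.exe failed with exit code $LASTEXITCODE"
    }
}

# Read-only check: confirm that the query matches the events produced by
# stopping and starting the Print Spooler in the lab.
Get-ServiceStateEvent | Format-Table -AutoSize

# Then, from an elevated prompt:
# Register-ServiceStopTask
```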

Module 9: Identify and Resolve Hardware Failure Issues

Table of Contents
Overview
Lesson 1: Diagnosing Memory Failure Issues
Lesson 2: Hard Drive Issues
Lesson 3: Network Card Issues
Lesson 4: Power Supply Issues
Lesson 5: Windows Hardware Diagnostic Tools
Resolve Hardware Failure Issues
Review Module 9: Identify and Resolve hardware Failure Issues
Labs Module 9: Identify and Resolve hardware Failure Issues

Overview

Diagnosing Memory Failure Issues

Hard Drive Issues


Network Card Issues

Power Supply Issues


Windows Hardware Diagnostic Tools

Resolve Hardware Failure Issues

Computer hardware for the most part is very reliable and reliability ratings are improving all the time. The longer a system's components are used, the lower the overall cost of the computer becomes, which improves the bottom line of the organization. Some problems are not cost effective to troubleshoot, however, so you should be conscious of situations where simply replacing a component is probably the most cost-effective solution.

When a computer problem is caused by issues with the hardware on the system, a technician should be able to diagnose and solve such problems quickly. The resolution does not always involve replacing the equipment, but might require you to optimize its use or configuration. By taking advantage of the tools available in Windows 7, many of these problems can be diagnosed quickly. Event Log messages can also warn you when a problem is developing. By paying attention to these messages, you can be proactive in fixing some issues. There will be times when diagnostic tools from the manufacturer are needed to understand or fix a problem. Some components can also run their own diagnostics and let you know what is required.

The components that you might spend some time fixing or optimizing occasionally are the hard drive and BIOS. Sometimes memory components might also need to be replaced. Using information provided by the user of a system and the log files is often enough to narrow down what component needs to be looked at. In addition to looking at common hardware component failure scenarios, we will discuss how Windows 7 tools can be used to find and fix many of these issues. We will also examine some recommendations for replacing defective hardware and performing regular maintenance to prevent problems in the future.

Lesson 1: Diagnosing Memory Failure Issues

Windows Memory Diagnostic

Troubleshooting

Because memory problems are not always obvious, they are sometimes difficult to diagnose. The symptoms might mirror problems caused by malicious software or insufficient memory. Sometimes the Event Log error messages might provide clues that there is a problem. You might also be able to do a BIOS test to verify that the memory chips are seated properly and working. Verifying that the amount of system memory detected by Windows 7 is the same as that installed on the computer is a simple test that can confirm if there is a problem.

Windows Memory Diagnostic

Windows Memory Diagnostic Tool

System Reboot
Permissions Needed

Replacing Memory Chips

To thoroughly test the memory on a computer, you can run the Windows Memory Diagnostic Tool. A memory diagnostic will be automatically executed if the system detects possible issues with the memory on the system. The dialog provided by the tool gives the user the option of rebooting the system so the test can be started immediately. If that is not desirable, the diagnostic can be scheduled for the next time the system is restarted. You must have administrative rights to run a memory diagnostic. Before starting the test, all user information should be saved. The diagnostic will indicate if there are any problems with the memory chips, after which the system will reboot again. If a problem is indicated by the diagnostic, do not immediately replace the module. Try to reseat it first and then run the diagnostic again. Warranty and servicing requirements should be checked before attempting to replace internal components.

Troubleshooting

Cleaning
Overclocking
Memory Slots
Documentation

Other things that can be done before replacing the memory modules are to dust and clean them carefully, verify that none of the components is being overclocked and try to seat the module in a different memory slot. The documentation for the memory module and motherboard should provide guidelines as to how these steps should be done.

Lesson 2: Hard Drive Issues

Sources of Problems

Fixing Problems

One of the most common hardware components to fail on a system is the hard drive. Disk problems can usually be identified easily. The system might shut down or refuse to boot with an error message about the boot volume or missing system files. Indications that a drive will fail soon can sometimes be found in the Event Logs with warning messages about bad sectors or other drive issues.

Sources of Problems

Registry

Power Cables
Hard-Drive Cables

BIOS Configuration

If the problems encountered are with a new hard-drive, check that information about it is registered properly in the registry. In some cases, a registry update might be needed to work with the drive properly or see all its resources. Make sure that the power and data cables are connected properly. If you cannot hear the drive spinning up, or it cannot be identified in the BIOS of the computer, that could be an indicator that there are cabling issues. Testing another hard-drive with the same cables would confirm whether the drive or the cables were the source of the problem.

Fixing Problems

Marking Bad Sectors

Check Disk
Defragmentation

Replace Disk

Some drive problems can be fixed by marking bad sectors and moving files to new working locations on the drive. Using tools like chkdsk.exe or the Check Disk option in the properties window for the hard-drive can help with these problems. Both of these tools require elevated privileges in order to run the commands. Performing a regular scheduled defragmentation of the drive might also help. In addition to the Computer Management MMC, a disk defragmentation can also be done from the command-line with defrag.exe. If you suspect that a drive is close to failing, you should back up important information that it contains immediately and schedule a time to replace the drive.

Lesson 3: Network Card Issues

Physical Configuration

Drivers
Protocol Configuration

Diagnostics

Network connectivity problems can be caused by a number of issues that do not involve the NIC itself. If you suspect that the card is the problem, a number of things can be done to confirm this. Most of your troubleshooting can be done with tools available in Windows 7 or by directly checking the device.

Physical Configuration

Cabling

Hardware Settings
Conflicts

Checking the network cable connection is one of the first things you might do to diagnose this issue. You might even replace the cable to make sure that it is not the source of the problem. The network card's hardware settings and driver configuration can also be verified in Device Manager. Make sure that the card is recognized and does not have any conflicts for the resources that it uses.

Drivers

Rollback

Uninstall & Reinstall

In some cases, driver updates can fix problems with the network adapter. If a new driver is the source of the problem, you can roll back to an older one by using the options in Device Manager. In some situations, uninstalling and removing problem drivers might be necessary before reinstalling the device. The File Signature Verification tool (sigverif.exe) can be used to verify that drivers for network cards and other devices are signed by trusted vendors.
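
A scripted counterpart to the sigverif.exe check described above, as an added example that is not part of the original courseware. It reads the built-in WMI class Win32_PnPSignedDriver; the function name Get-DriverSigningReport and its parameters are assumptions made for this example.

```powershell
# Added example (not from the courseware): report driver signing status per device.
# Get-DriverSigningReport is a hypothetical helper name; Win32_PnPSignedDriver is a
# built-in WMI class. Run from an elevated PowerShell prompt.

function Get-DriverSigningReport {
    param(
        # Optional device setup class, for example 'NET' for network adapters.
        [string]$DeviceClass,
        # Return only drivers that Windows does not report as signed.
        [switch]$UnsignedOnly
    )

    $drivers = Get-WmiObject -Class Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName }          # skip entries with no device name

    if ($DeviceClass) {
        $drivers = $drivers | Where-Object { $_.DeviceClass -eq $DeviceClass }
    }
    if ($UnsignedOnly) {
        # A missing IsSigned value is treated as "not reported as signed".
        $drivers = $drivers | Where-Object { $_.IsSigned -ne $true }
    }

    $drivers | Select-Object DeviceName, DeviceClass, DriverProviderName, DriverVersion,
        @{ Name = 'DriverDate'; Expression = {
            # DriverDate is a CIM datetime string; convert it when present.
            if ($_.DriverDate) {
                [Management.ManagementDateTimeConverter]::ToDateTime($_.DriverDate)
            }
        } },
        InfName, IsSigned, Signer
}

# Network adapter drivers, newest first. A recently dated driver is the usual
# rollback candidate when a problem started after an update.
Get-DriverSigningReport -DeviceClass NET |
    Sort-Object DriverDate -Descending |
    Format-Table DeviceName, DriverVersion, DriverDate, IsSigned, Signer -AutoSize |
    Out-Host

# Every installed PnP driver that is not reported as signed.
$unsigned = @(Get-DriverSigningReport -UnsignedOnly)
if ($unsigned.Count -eq 0) {
    'All installed PnP drivers are reported as signed.'
} else {
    $unsigned |
        Format-List DeviceName, DeviceClass, DriverProviderName, InfName, Signer |
        Out-Host
}
```

An unsigned entry is a prompt to check where the driver package came from before reinstalling it, not proof of a fault.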

Protocol Configuration

Multiple Network Adapters
Default Gateway

If a new adapter is installed on a system, Windows 7 should automatically detect it and install appropriate drivers. Multiple network cards on a computer will not cause connectivity problems unless they are not configured correctly. In most cases, only one network card should be configured with a default gateway for routing to function properly.
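
One way to check the default gateway rule above on a multi-adapter computer, as an added example that is not part of the original courseware. It joins two built-in WMI classes (Win32_IP4RouteTable and Win32_NetworkAdapterConfiguration); the function name Get-DefaultRouteReport is an assumption made for this example.

```powershell
# Added example (not from the courseware): list every IPv4 default route and the
# adapter that owns it. Get-DefaultRouteReport is a hypothetical helper name.

function Get-DefaultRouteReport {
    # Index IP-enabled adapter configurations by interface index for the join below.
    # The [int] cast matters: the two WMI classes expose InterfaceIndex as
    # different integer types, and hashtable keys must match exactly.
    $adapters = @{}
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { $adapters[[int]$_.InterfaceIndex] = $_ }

    # A default route is the entry for destination 0.0.0.0 with mask 0.0.0.0.
    Get-WmiObject -Class Win32_IP4RouteTable -Filter "Destination = '0.0.0.0' AND Mask = '0.0.0.0'" |
        Sort-Object Metric1 |
        ForEach-Object {
            $cfg = $adapters[[int]$_.InterfaceIndex]
            $row = '' | Select-Object Gateway, Metric, InterfaceIndex, Adapter, IPAddress, DhcpEnabled
            $row.Gateway        = $_.NextHop
            $row.Metric         = $_.Metric1
            $row.InterfaceIndex = $_.InterfaceIndex
            if ($cfg) {
                $row.Adapter     = $cfg.Description
                $row.IPAddress   = $cfg.IPAddress -join ', '
                $row.DhcpEnabled = $cfg.DHCPEnabled
            }
            $row
        }
}

$routes = @(Get-DefaultRouteReport)
$routes | Format-Table -AutoSize | Out-Host

if ($routes.Count -eq 0) {
    Write-Warning 'No default gateway is configured; only local subnets are reachable.'
} elseif ($routes.Count -gt 1) {
    Write-Warning "$($routes.Count) default routes are present. Confirm which adapter is meant to route off-subnet traffic and clear the gateway on the others."
}
```

A VPN or virtual adapter can legitimately add a second default route, so review the adapter names before changing anything.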

Diagnostics

The Windows Network Diagnostic tool can be used to find possible solutions to network problems when you are not sure what the issue might be. This tool can be accessed by right-clicking on the Network icon in the taskbar. Specific problems can be diagnosed such as the inability to connect to a network or if you need to use a specific network connection method. As with any other hardware component on a system, you should verify that it is supported on the Windows 7 Hardware Compatibility List (HCL). This can be checked out before purchasing new computers from a manufacturer and also for upgrade/replacement components that might be kept in stock. If items will be used that are not on the HCL, they should be thoroughly tested and an appropriate support agreement should be made with the manufacturer.

Lesson 4: Power Supply Issues

Diagnosing Problems

Fixing Problems

The main purpose of the power supply is to filter the voltage into the smaller increments required by computer hardware components. This very important operation must work well all the time, otherwise the motherboard and the components on it could be permanently damaged. Safety will be your first priority when diagnosing or fixing problems with a power supply.

Diagnosing Problems

Random Reboots
Computer Lockups
External Devices
Safety First

Signs that the power supply unit (PSU) might be going bad include random reboots of the computer or unexplained computer lockups. Some power supply problems could be mistaken for software issues. Some power supplies might not have adequate power to run all the components required. Installing additional components or using USB and FireWire devices that draw power from the computer might push the power supply beyond what it is capable of doing.

The PSU can be tested with a multimeter to make sure that it is functioning properly. The voltage output of different power connectors on the device can be tested to make sure it is within acceptable ranges. Proper procedures should be followed to protect the system from static electricity. Under no circumstances should a technician perform these tests if he is unsure of the right procedures to follow.

Power supply units should never be opened or fixed if they have problems. They should only be replaced. If you have not been trained to use a multimeter or to perform other PSU tests, replacement of the unit will be your only safe option. Even then, manufacturer safety standards should be followed for removal, replacement and disposal of all components.

Fixing Problems

Never Open the PSU
Dispose of PSU
Follow Manufacturer's Instructions
Safety First

A failed power supply will sometimes be obvious because the system will not boot, or because smoke and burning smells come from it. You should never try to fix a defective power supply. It should be replaced and discarded according to the manufacturer's instructions. The new unit should be from a reputable manufacturer and have enough power to manage all the internal and external components that will be used on the computer.

Avoiding future problems with the power supply can protect not only the PSU, but the components in the system as well. Keeping the unit away from dust and using power outlets and surge protectors safely should be standard practice. In some cases a UPS or power conditioner might be required because of poor power conditions.

Lesson 5: Windows Hardware Diagnostic Tools

Event Viewer Logs
Safe Mode
System Configuration
Chkdsk

Hardware Diagnostic Tools


Resource Monitor

Performance Monitor
Reliability Monitor

Some hardware problems require specialized devices to diagnose them properly. Some will use software provided by the manufacturer. Windows has its own tools, however, that can be very useful in finding and fixing many hardware issues. Here are a few of them.

Event Viewer Logs


The System log in Event Viewer can provide information about hardware components that have failed or are about to fail. Logs with specific information for hardware components like memory or disk can also be accessed from the Applications and Services Log. Components that indicate that they are not functioning properly should be tested and replaced as quickly as possible to avoid down time.
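
The System log review described above can be scripted, which helps when reboots or lockups could be either failing hardware or malicious software and you want evidence for the hardware explanation. This is an added example, not part of the original courseware; the function name Get-HardwareWarningEvent is hypothetical, and the provider names and event IDs in its watch list are stock Windows values chosen for the example rather than values listed in the course text.

```powershell
# Added example (not from the courseware): pull hardware-related events from the
# System log. Get-HardwareWarningEvent is a hypothetical helper name. The watch
# list is an assumption of this example; extend it for your own hardware.

function Get-HardwareWarningEvent {
    param([int]$Days = 14)

    $since = (Get-Date).AddDays(-$Days)
    $watch = @(
        @{ Provider = 'disk';  Ids = 7, 11, 51
           Hint = 'Bad block, controller error or paging error on a drive' },
        @{ Provider = 'Ntfs';  Ids = 55
           Hint = 'File system structure is corrupt; run chkdsk' },
        @{ Provider = 'Microsoft-Windows-Kernel-Power'; Ids = 41
           Hint = 'System rebooted without shutting down cleanly first' },
        @{ Provider = 'EventLog'; Ids = 6008
           Hint = 'Previous shutdown was unexpected' },
        @{ Provider = 'Microsoft-Windows-WHEA-Logger'; Ids = $null
           Hint = 'Hardware error reported by the platform' }
    )

    foreach ($w in $watch) {
        $filter = @{ LogName = 'System'; ProviderName = $w.Provider; StartTime = $since }
        if ($w.Ids) { $filter.Id = $w.Ids }

        try {
            $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
        } catch {
            continue    # nothing logged for this provider in the time window
        }

        $events | Select-Object TimeCreated, ProviderName, Id, LevelDisplayName,
            @{ Name = 'Hint';    Expression = { $w.Hint } },
            @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }
    }
}

$hits = @(Get-HardwareWarningEvent -Days 14)

if ($hits.Count -eq 0) {
    'No hardware-related events in the System log for the selected period.'
} else {
    # One line per provider and event ID, with how often and when it occurred.
    $hits | Group-Object ProviderName, Id | Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ Name = 'First'; Expression = { @($_.Group | Sort-Object TimeCreated)[0].TimeCreated } },
            @{ Name = 'Last';  Expression = { @($_.Group | Sort-Object TimeCreated)[-1].TimeCreated } },
            @{ Name = 'Hint';  Expression = { $_.Group[0].Hint } } |
        Format-Table -AutoSize -Wrap | Out-Host
}
```

Repeated disk or unexpected-shutdown entries clustered around the reported symptoms point toward the drive or power supply; an empty result leaves software causes on the table.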

Safe Mode
Safe Mode allows you to test the computer system with a minimal device configuration. This is useful if the source of the problems is elusive and you need to verify that the operating system will function with a minimal configuration. Safe Mode is sometimes used when experiencing problems with network and accessory devices.

System Configuration
The System Configuration tool allows you to manage exactly what services are enabled or disabled during the boot process. In addition to specifying Safe Mode, you can also control the startup of system services, startup items and whether or not you want a command-line or GUI boot interface. You also have access to System Restore options to revert to an earlier configuration.

Chkdsk

This tool is used to check the integrity of a specified partition and to possibly fix problems that it finds. The parameters of this tool allow you to specify a number of options including the logging of errors, whether or not to dismount a disk and the level of checking to perform on the computer.

Hardware Diagnostic Tools


Some hardware components, such as memory modules and network cards, have their own Windows 7 diagnostic tools. Built-in wizards, such as the Windows Network Diagnostics tool, can sometimes provide useful information to point the technician in the right direction when he is unsure about how to proceed. Some of these tools require a reboot of the system, so user data and settings should be saved before running them.

Resource Monitor
The Resource Monitor tool not only allows you to view the performance of hardware components, but also to suspend, stop and restart processes and services. Individual processes can also be analyzed when they are not running properly. It is specifically designed to monitor the four main hardware components that affect system performance, which are CPU, Memory, Disk and Network.

Performance Monitor
While the Task Manager is often used to monitor the use of resources in real time, the Performance Monitor tool can do this also, along with the ability to record this data for later analysis. Alert thresholds can be created to notify administrators when specific problems occur. Performance Monitor can monitor information from remote systems and record performance data from multiple systems at the same time.

Reliability Monitor
The Reliability Monitor allows a technician to see how changes to a computer affect its overall stability. Based on problems encountered with hardware and software resources, a numerical rating between 1 and 10 (10 being the best rating) is assigned to the system. The report generated by the Reliability Monitor can be used to identify events that adversely affect the computer's rating. Each event is classified as an Application, Windows or Miscellaneous failure. Problems that do not involve the failure of a system component are classified as Warnings or Informational messages. If a problem or failure can be fixed, the system allows you to check for solutions. Implementing the solutions can improve the reliability rating of the computer.

Resolve Hardware Failure Issues

RESOLVE HARDWARE FAILURE ISSUES


Review the scenarios and problems presented along with their solutions

The main performance components on any computer are the processor, memory, disk and network. While any of these resources can fail and cause problems, most hardware issues are normally caused by the power supply, disk or memory. It often depends on how the system is used and whether you are working with a desktop or laptop. Not to be overlooked are the configuration problems caused by an improperly configured or outdated BIOS. In this section, we will see some of the more common problems that might come up, and how to diagnose and fix them using the information you have from the system and the tools available in Windows 7.

A user is concerned that the power supply on her computer is going to fail soon. Although it is working now, she has noticed some problems that concern her. What kind of issues might indicate that a power supply will soon fail?

Unexpected and random reboots of the computer, or system freezes for no apparent reason. Some of the indicators mirror problems normally associated with malware issues.

After installing a new memory module on a computer, the memory diagnostic indicates that there are errors with it. What can you do to try and fix the problem before replacing the module?

You should try to reseat the module and check for overclocking on any other memory or processing components. The memory and motherboard instruction guides should be read carefully and followed closely when doing this kind of work. Special care should be taken to follow instructions on protecting the system from static electricity. The computer manufacturer's warranty and servicing guidelines should also be taken into consideration.

After installing a new hard-drive on a computer, you realize that Windows recognizes only a fraction of the total space available on it. How can you fix this problem?

This issue is sometimes caused by problems with an out-of-date BIOS. Upgrading it should fix the problem. In some cases, jumper or pin configurations on the drive might be at fault.

After noticing that the computer regularly freezes up on him, a user scans the computer for viruses and other malware but finds nothing. What else could be causing this problem?

This could be either a power supply or memory problem. He should check the Event Log for any warning messages and perform a memory diagnostic. If the memory is found to have no errors, a technician can diagnose power supply issues with a multimeter.

One of the department managers you support is having trouble with a computer that performs very poorly every afternoon between 1:00PM and 1:30PM. He suspects an application is scheduled to perform a memory-intensive task during that period. What tool can he use to track down the applications that are running on his system at this time?

He can use the Performance Monitor tool or Resource Monitor.

One of the technicians on your team is recommending the purchase of a new video card that will be used to upgrade some of the high-end desktops used by the engineering department. What is the best way to make sure that this card will work for you on this project?

You should first of all verify that the card is on the HCL for Windows 7. It should also be thoroughly tested with the applications that the engineers will be using for their day-to-day work.

Review Module 9: Identify and Resolve Hardware Failure Issues

REVIEW
Examine the review questions as a class

1. What are some things that you can do to prevent future power supply unit problems?

2. True or False. A faulty power supply can damage other components inside a computer.

3. What command-line tool can you execute to test and fix errors on a partition?

4. What kind of device can be used to test the voltage output for a power connector on a PSU?

5. What is a Hardware Compatibility List?

6. What command-line tool can be used to reduce fragmentation on a hard-drive?

7. Under what circumstances would it be appropriate to fix a power supply unit?

8. True or False. A laptop can be configured with multiple independent network connections.

9. How does using System Configuration allow you to diagnose hardware problems on a computer?

10. What tool can be used to monitor the performance of hardware components in real time?

11. What are the four main hardware components that affect performance on most computer systems?

12. What tools could you use to monitor and stop the processes that are using most of your memory resources?

Labs Module 9: Identify and Resolve Hardware Failure Issues

Exercise 1: Using Windows Memory Diagnostic Tool

Exercise 2: Fix Hard Disk Errors


Exercise 3: Use the Reliability Monitor

Exercise 4: Use Event Viewer to find Hardware Info.

Overview: Use built-in Windows tools to log and fix disk and memory problems. Unless stated otherwise, start up the Windows 7 client and the domain controller images. Log in with the Contoso\Admin1 user account with a password of Pa$$w0rd.

Estimated time to complete this lab is 60 minutes.


Exercise 1: Use the Windows Memory Diagnostics Tool
1. Click Start and in the Search programs and files box, type Windows Memory Diagnostic. Press Enter.
2. In the Windows Memory Diagnostic window, click Restart now.
3. After the reboot, the Windows Memory Diagnostic Tool window will start testing the memory and provide the current test status. If the test takes longer than 30 minutes, press ESC to exit. Inform the instructor if this happens.
4. When the system restarts, log in with your Contoso\Admin1 account.

Exercise 2: Fix Hard Disk Errors


1. Open a Command Prompt window.
2. Run the command: chkdsk /? and examine the options available with this tool.
3. Exit the Command Prompt.
4. Click Start > Computer.
5. Right-click on the E: drive and click Properties.
6. In the Tools tab, click Check Now.
7. In the Check Disk box, check the options to automatically fix file system errors and to recover bad sectors.
8. Click Start.
9. In the dialog box, click Schedule disk check.
10. Restart the computer and verify that it performs a scan of the disk.
11. If the disk scan was cancelled during the reboot, open an Administrator: Command Prompt to run the command chkntfs /t:0 and repeat the previous steps in this exercise.

Exercise 3: Use the Reliability Monitor


1. Click Start and in the Search programs and files box, type Reliability History. Press Enter.
2. In the Reliability Monitor, click View by: Days.
3. Make a note of the current stability index (1-10 with 10 representing the highest level of stability).
4. Note the kind of events that will have an effect on the stability index.
5. Make a note of the last time there was an Application failure, Windows failure, Miscellaneous failure or Warning.
6. Click on the bar representing any day where any of such errors occurred and note the information shown at the bottom of the window in the Reliability details section.
7. In the Reliability details section under the Action column, click on View technical details for any of the error messages.
8. Close the Reliability Monitor.

Exercise 4: Use Event Viewer to find Hardware Information


1. Open the Event Viewer and go to the Application Log.
2. Find the latest events with a Source of Wininit.
3. One of them will have the details of the chkdsk operation completed earlier.
4. Go to Applications and Services Logs > Microsoft > Windows > MemoryDiagnostics-Results.
5. Open the Debug log to view the report for the Memory diagnostic completed earlier.
6. Go to Applications and Services Logs > Microsoft > Windows > Reliability-Analysis-Engine.
7. Open the Operational log to view the calculated stability index assigned over the last few days.
8. Close the Event Viewer.
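
The same three lookups from Exercise 4 can be done from an elevated PowerShell prompt, which is useful when results have to be collected from a computer without opening Event Viewer. This is an added example, not part of the original lab; Get-WininitEvent and Get-ChannelEvent are hypothetical helper names, and the channels are found by wildcard from the names shown in the exercise instead of being hard-coded.

```powershell
# Added example (not from the courseware): read the Exercise 4 results with
# Get-WinEvent. Get-WininitEvent and Get-ChannelEvent are hypothetical helper names.

function Get-WininitEvent {
    param([int]$Newest = 3)
    # Wininit writes the boot-time chkdsk report to the Application log.
    try {
        Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'Microsoft-Windows-Wininit'
        } -MaxEvents $Newest -ErrorAction Stop
    } catch {
        Write-Warning "No Wininit events found: $($_.Exception.Message)"
    }
}

function Get-ChannelEvent {
    param(
        [Parameter(Mandatory = $true)][string]$LogPattern,
        [int]$Newest = 5
    )

    # Resolve the wildcard to real channel names under Applications and Services Logs.
    $logs = @(Get-WinEvent -ListLog $LogPattern -ErrorAction SilentlyContinue)
    if ($logs.Count -eq 0) {
        Write-Warning "No event channel matches '$LogPattern'."
        return
    }

    foreach ($log in $logs) {
        # Analytic and Debug channels can only be read oldest-first.
        $oldestFirst = ('Analytical', 'Debug') -contains $log.LogType.ToString()
        try {
            if ($oldestFirst) {
                Get-WinEvent -LogName $log.LogName -Oldest -ErrorAction Stop |
                    Select-Object -Last $Newest
            } else {
                Get-WinEvent -LogName $log.LogName -MaxEvents $Newest -ErrorAction Stop
            }
        } catch {
            # Typical causes: the channel is empty or disabled.
            Write-Warning "$($log.LogName): $($_.Exception.Message)"
        }
    }
}

# chkdsk report from the Application log (Source: Wininit).
Get-WininitEvent |
    Format-List TimeCreated, Id, Message | Out-Host

# Memory diagnostic report.
Get-ChannelEvent -LogPattern '*MemoryDiagnostics-Results*' |
    Format-List LogName, TimeCreated, Id, Message | Out-Host

# Stability index calculations from the Reliability Analysis Engine.
Get-ChannelEvent -LogPattern '*Reliability-Analysis-Engine*' |
    Format-List LogName, TimeCreated, Id, Message | Out-Host
```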

Module 10: Identify and Resolve Wireless Connectivity Issues

Table of Contents
Overview
Lesson 1: Signal Strength
Lesson 2: Wireless Security
Lesson 3: Wireless Profiles
Lesson 4: Management Options for Wireless Devices
Resolve Wireless Connectivity Issues
Review Module 10: Identify and Resolve Wireless Connectivity Issues


Overview

Signal Strength

Wireless Security
Wireless Profiles

Management Options for Wireless Devices


Resolve Wireless Connectivity Issues

More and more corporations are including wireless network devices as part of their infrastructure. While they are most often used for portable computers and devices, desktop computers are sometimes configured to use them. In some situations, this is more convenient and cost effective than running cabling in some parts of the network. While security and connectivity concerns should be examined carefully before implementing a corporate wireless network, the convenience and productivity advantages are often enough to justify the investment.

Most hardware-related problems can be identified and solved quickly with proper troubleshooting procedures. The documentation of these devices often has clear instructions on fixing problems as well. Most wireless router problems can be fixed without making any changes to the client computer. These include problems with the wireless channel being used, encryption protocols or signal strength. When changes are needed on the client computer, these are often made automatically by the operating system or wireless client software.

Client software configuration problems can often be avoided by using a standard setup procedure for all computers. Group Policy configuration of wireless settings and software is often the best way to deploy and manage these settings. The wireless operation of portable computers outside of the corporate network should also be managed carefully.

In this chapter, we will see how to resolve common wireless network problems that might come up. Issues might come up that involve device drivers, hardware setup, wireless profiles or group policy configuration. Using Windows tools and troubleshooting wizards will allow you to solve most problems that might occur.


Lesson 1: Signal Strength

Position

Channel
Antennas & Repeaters

Other Fixes

Once configured and deployed, the range of a wireless router will depend on a number of factors. The signal strength available to end-users will depend on the channel being used, their position and the use of repeaters and antennas.


Position

Central Location

Other Electronic Devices


Walls

The wireless router will often provide the widest coverage if located in a central location that covers the area it will support. The smaller and fewer the objects that exist between the router and the computer, the better the signal strength will be. The location of devices that produce their own signal that might interfere with the router should also be considered. Microwaves and cordless phones can sometimes be a problem. Avoid their use near the router. Moving them or replacing them with devices that do not interfere with the signal should be considered. To avoid problems caused by multiple devices working over the same frequency, check the documentation of all wireless devices being used. Metal devices and walls might also produce interference and affect signal strength, so adjusting the device location accordingly should help.


Channel

Changing Router Configuration

Client Configuration

Changing the channel used to broadcast data might also improve performance. The software that comes with the router should allow you to make this change and test the available channels. The client computers will not need to be reconfigured if a new channel is chosen. They will automatically detect and use the new one.


Antennas & Repeaters

Changing Antennas

Additional Antennas
Security

Changing antennas or adding additional ones can also boost signal strength where desired. Omnidirectional antennas that send a signal in all directions are sometimes desired, but when it is preferred to send the signal in a particular direction because of the location of the router, a high gain antenna will work better. This might also improve security by not transmitting signals to locations where unauthorized users might take advantage of them. If the antenna is not able to transmit the data far enough, then repeaters can be used to boost the signal of the router.


Other Fixes

Firmware Upgrade

Devices from the Same Manufacturer


802.11b vs. 802.11g

Some solutions to signal problems will not always work, but are worth a try if problems persist. One solution that should not be overlooked is to upgrade the firmware of the device. If there are known problems that the manufacturer has fixed, the fixes are often delivered through these upgrades. Keep in mind that manufacturers often include optimizations that work best when all the wireless hardware being used is created by them.

If using an older wireless network protocol like 802.11a (speed=54Mbps, frequency=5GHz, range<100ft) or 802.11b (speed=11Mbps, frequency=2.4GHz, range=100ft) you will notice significant improvements in performance by upgrading to newer networks. 802.11g works on the same frequency and has the same range as 802.11b, but provides much better speeds of up to 54Mbps. 802.11n supports the 2.4GHz and 5GHz frequencies, which provides backward compatibility for 802.11a, 802.11b and 802.11g networks. Data rates and ranges can be significantly higher than those provided by any of the older networks depending on the configuration used.

When connectivity issues persist and the WAP is ruled out as the source of the problem, different settings can be tested on the wireless adapter of the computer. Transit Mode and Roaming Aggressiveness are two properties that can be tested.


Lesson 2: Wireless Security

Authentication

Encryption
Firewall

Protecting information sent between a wireless client and a wireless access point (WAP) is important because of the danger of revealing private data to people inside or outside of the organization. Changing or hiding the Service Set Identifier (SSID) is standard practice for most secure access points. By using the strongest authentication and encryption methods, you can avoid problems with private data falling into the wrong hands. Regularly checking for unauthorized and insecure WAPs is also important. Users should not be allowed to configure their own systems as gateways into the network. Setting up preferences through group policy (Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network) can prevent this problem from occurring for authorized systems, but this will not eliminate the need to regularly scan for unauthorized WAPs.
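One way to carry out the regular check for unauthorized and insecure WAPs mentioned above, as an added example that is not part of the original courseware: it parses the output of `netsh wlan show networks mode=bssid` and compares each access point with an inventory. The scan text, the `AUTHORIZED` inventory, the function names and the English-locale field labels are assumptions made for this example.

```python
import re

# Constructed sample of `netsh wlan show networks mode=bssid` output (English
# locale assumed); the SSIDs and MAC addresses are made up for illustration.
SAMPLE_SCAN = """\
Interface name : Wireless Network Connection
There are 3 networks currently visible.

SSID 1 : CorpWiFi
    Network type            : Infrastructure
    Authentication          : WPA2-Enterprise
    Encryption              : CCMP
    BSSID 1                 : 02:00:00:00:00:01
         Signal             : 82%
         Radio type         : 802.11n
         Channel            : 6
    BSSID 2                 : 02:00:00:00:00:99
         Signal             : 64%
         Radio type         : 802.11g
         Channel            : 11

SSID 2 : Printer-Setup
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
    BSSID 1                 : 02:00:00:00:00:BB
         Signal             : 90%
         Radio type         : 802.11g
         Channel            : 6

SSID 3 : CoffeeShop
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP
    BSSID 1                 : 02:00:00:00:00:CC
         Signal             : 30%
         Radio type         : 802.11n
         Channel            : 1
"""

# Hypothetical inventory of authorized access points (an assumption of this example).
AUTHORIZED = {
    "CorpWiFi": {"auth": "WPA2-Enterprise",
                 "bssids": {"02:00:00:00:00:01", "02:00:00:00:00:02"}},
}


def parse_scan(text):
    """Return one record per BSSID: ssid, auth, encryption, bssid, signal, channel."""
    records, net, ap = [], None, None
    for line in text.splitlines():
        # Split on the first colon only, because MAC addresses contain colons.
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if re.fullmatch(r"SSID \d+", key):
            net, ap = {"ssid": value}, None
        elif net is None:
            continue                      # header lines before the first network
        elif key == "Authentication":
            net["auth"] = value
        elif key == "Encryption":
            net["encryption"] = value
        elif re.fullmatch(r"BSSID \d+", key):
            ap = dict(net, bssid=value.lower(), signal=None, channel=None)
            records.append(ap)
        elif ap is not None and key == "Signal":
            ap["signal"] = int(value.rstrip("%"))
        elif ap is not None and key == "Channel":
            ap["channel"] = int(value)
    return records


def find_suspect_aps(records, inventory):
    """Flag access points that need a closer look, with the reason for each."""
    alerts = []
    for r in records:
        known = inventory.get(r["ssid"])
        if known and r["bssid"] not in known["bssids"]:
            kind, reason = "UNAUTHORIZED", "corporate SSID from a BSSID not in the inventory"
        elif known and r.get("auth") != known["auth"]:
            kind, reason = "MISCONFIGURED", "authorized AP not using " + known["auth"]
        elif not known and r.get("encryption") in ("None", "WEP"):
            kind, reason = "INSECURE", "unknown network in range with no or WEP encryption"
        else:
            continue                      # authorized and as expected, or an unrelated network
        alerts.append(dict(kind=kind, reason=reason, ssid=r["ssid"], bssid=r["bssid"],
                           channel=r["channel"], signal=r["signal"]))
    return alerts


if __name__ == "__main__":
    for a in find_suspect_aps(parse_scan(SAMPLE_SCAN), AUTHORIZED):
        print("{kind:13} {ssid:14} {bssid} ch{channel} {signal}%  {reason}".format(**a))
```

The signal and channel values in each alert help locate the device physically; a BSSID missing from the inventory may also be a newly installed, legitimate access point that was never recorded.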


Authentication

MAC Address
WAP Login
Certificates

In addition to the user authentication methods available, client computers should also be verified in secure WLANs. Many environments require pre-registration of the MAC address of mobile devices before they can use the network. The WAP might also require its own login. Because these credentials are normally stored in the profile and do not require memorization by end users, the password should be complex and long. A certificate-based authentication method will often prove to be more secure than using passwords or MAC addresses that are easier to compromise. Certificate-based authentication can be accomplished with the use of the Extensible Authentication Protocol (EAP), which is also capable of doing mutual authentication with the right configuration.


Encryption

WEP

WPA
WPA2

Ciphering the data sent between client computers and WAPs should never be optional. A number of protocols are available to do this and the strongest protocol supported by the device should always be used.

WEP: Wired Equivalent Privacy is the oldest wireless encryption protocol still being used, but also the most insecure. Although the encryption key can be up to 128-bits, the method of creating the ciphered connection (using RC4 encryption) has a number of security issues. Some attacks might allow automated decryption of wireless traffic as it is happening.

WPA: To overcome the security problems found in WEP, Wi-Fi Protected Access (WPA) was created as a more secure method of sending data wirelessly. It still used RC4 encryption, but the Temporal Key Integrity Protocol (TKIP) was used to prevent some of the known security issues with WEP.

WPA2: As the name suggests, WPA2 is a later more secure version of WPA. It uses the stronger and more secure Advanced Encryption Standard (AES) to replace the use of RC4 keys in WEP and WPA connections. AES encryption typically uses a 128-bit key, but the encryption process is more complex and much safer than RC4. While this provides a more secure wireless environment on Windows 7 systems, a reduction in performance of the system should be expected. Further strengthening the security of WPA2 connections is their support of the CCMP protocol to replace the less secure TKIP.

The main reasons for choosing WPA instead of WPA2 encryption are to get better performance or hardware support. When this is done, strong password keys should be used to mitigate some of the security problems. Some devices will also support WPA2 after a firmware upgrade. When configuring the encryption type as WPA or WPA2, the option to use them with a Personal or Enterprise configuration will be presented. The Personal setting allows a pre-shared key or password to be used for the connection to the access point. For better security, the network might use a RADIUS server to authenticate the wireless devices, in which case the Enterprise setting will provide a more secure connection.


Firewall

Additional Configuration

Additional Cost
Baseline Performance

Some networks will require that WAPs connect to the LAN through the same firewall used to connect VPN users. This can provide better control and auditing of these connections. If this solution is not workable, a dedicated firewall configuration can be used to manage Wi-Fi connections to the network. While the additional cost and maintenance involved in such a solution must be considered carefully, the ability to centrally manage and audit these connections to the LAN will reduce security problems and provide a more stable environment for mobile users to work in. The expected level of performance needed for users to be productive must also be considered, but security should never be compromised to achieve this goal.


Lesson 3: Wireless Profiles

Manual Configuration

Automatic Configuration

Creating a wireless profile allows a user to connect to the WAP without specifying all the settings again and again for each new connection. The profile can be created manually or automatically through a scripting method or group policy deployment.


Manual Configuration

Using the Network and Sharing Center in the Control Panel, you will have access to the Manage Wireless Networks link. From here you can see the existing wireless networks that are available and try to connect to the one desired. If a password is needed to create the connection, this can be typed in manually and stored for future use. If the network you need to connect to is not shown in the list, this might be because the SSID is hidden. A new connection can be manually added by specifying the SSID. Each wireless profile has connection and security settings that can be configured. The connection settings allow you to specify if the connection should be automatically used when detected or if it should be used when the SSID is not being broadcast. When multiple networks are available in the same location, configuring the profiles to connect automatically can have unexpected results. The networks that are higher in the list will be tried first when multiple connections are available. Changing the order of the profiles and configuring them to connect manually instead of automatically will give you better control and more predictable connection results.
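The encryption choices from Lesson 2 and the connection settings described above can be checked together in profiles exported to XML with `netsh wlan export profile`; the following added example (not from the original courseware) flags weak encryption, Personal mode, clear-text keys and risky auto-connect settings. The sample profiles, function names and severity labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
RANK = {"HIGH": 0, "MEDIUM": 1, "INFO": 2, "OK": 3}

# Template for the constructed sample profiles below (WLANProfile v1 schema).
TEMPLATE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{name}</name>
  <SSIDConfig>
    <SSID><name>{name}</name></SSID>
    <nonBroadcast>{hidden}</nonBroadcast>
  </SSIDConfig>
  <connectionType>{ctype}</connectionType>
  <connectionMode>{mode}</connectionMode>
  <MSM><security>
    <authEncryption>
      <authentication>{auth}</authentication>
      <encryption>{enc}</encryption>
    </authEncryption>
    {shared}
  </security></MSM>
</WLANProfile>"""


def make_profile(name, auth, enc, mode, key_protected=None, hidden="false", ctype="ESS"):
    """Build a constructed sample profile; key_protected=None means no sharedKey."""
    shared = ""
    if key_protected is not None:
        shared = ("<sharedKey><keyType>passPhrase</keyType>"
                  "<protected>%s</protected>"
                  "<keyMaterial>CONSTRUCTED-PLACEHOLDER</keyMaterial></sharedKey>"
                  % key_protected)
    return TEMPLATE.format(name=name, auth=auth, enc=enc, mode=mode,
                           hidden=hidden, ctype=ctype, shared=shared)


SAMPLES = [
    make_profile("Guest-Legacy", "open", "WEP", "auto", key_protected="false"),
    make_profile("Branch-WPA", "WPAPSK", "TKIP", "manual", key_protected="true"),
    make_profile("Home-Hidden", "WPA2PSK", "AES", "auto", key_protected="true", hidden="true"),
    make_profile("Corp-Enterprise", "WPA2", "AES", "auto"),
]


def audit_profile(xml_text):
    """Return the profile name, its settings and a list of (severity, message)."""
    root = ET.fromstring(xml_text)

    def text(path):
        node = root.find(path, NS)
        return (node.text or "").strip() if node is not None else ""

    sec = "w:MSM/w:security/"
    auth = text(sec + "w:authEncryption/w:authentication")
    enc = text(sec + "w:authEncryption/w:encryption")
    findings = []

    if enc == "none":
        findings.append(("HIGH", "traffic is not encrypted"))
    elif enc == "WEP":
        findings.append(("HIGH", "WEP is the most insecure protocol; move to WPA2"))
    elif enc == "TKIP":
        findings.append(("MEDIUM", "TKIP (RC4-based); prefer AES where supported"))
    if auth in ("WPA", "WPAPSK"):
        findings.append(("MEDIUM", "WPA instead of WPA2; check for a firmware upgrade"))
    if auth.endswith("PSK"):
        findings.append(("INFO", "Personal mode (pre-shared key), not Enterprise/RADIUS"))
    if text("w:connectionType") == "IBSS":
        findings.append(("HIGH", "ad hoc network profile"))
    if text(sec + "w:sharedKey/w:protected") == "false":
        findings.append(("MEDIUM", "key is stored in clear text in this file"))
    if text("w:SSIDConfig/w:nonBroadcast") == "true":
        findings.append(("INFO", "connects even when the SSID is not broadcast"))
    # Checked last: auto-connect only matters when a HIGH issue was found above.
    if text("w:connectionMode") == "auto" and any(s == "HIGH" for s, _ in findings):
        findings.append(("HIGH", "connects automatically despite the issues above"))

    worst = min((s for s, _ in findings), key=RANK.get, default="OK")
    return {"name": text("w:name"), "auth": auth, "encryption": enc,
            "worst": worst, "findings": findings}


def audit_all(xml_docs):
    """Audit many exported profiles and list the weakest first."""
    return sorted((audit_profile(x) for x in xml_docs), key=lambda r: RANK[r["worst"]])


if __name__ == "__main__":
    for result in audit_all(SAMPLES):
        print("%-16s %-8s %-5s %s" % (result["name"], result["auth"],
                                      result["encryption"], result["worst"]))
        for severity, message in result["findings"]:
            print("    [%s] %s" % (severity, message))
```

A profile exported with the key in clear text shows `<protected>false</protected>`, which is why files copied to USB drives for deployment deserve the same handling as any other stored password.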


Automatic Configuration

Group Policy

Windows Connect Now


USB Configuration

The easiest way to deploy wireless profiles automatically is through group policy settings. This allows configuration settings to be managed from a central location with changes deployed automatically to connected clients. The Windows Connect Now technology can also be used to quickly deploy profiles to computers. By entering a PIN for the access point, the configuration for the profile can be automatically downloaded and installed wirelessly. The configuration data can also be sent to a USB drive and installed from it. Profiles configured manually on a computer can also be exported to USB drives for later deployment.


Lesson 4: Management Options for Wireless Devices

Virtual Wi-Fi

Group Policy
Wake on LAN

Mobile Broadband Devices

Some of the features in Windows 7 have been included to improve the way that wireless devices are installed, managed and used. Here are a few of those options and what can be done to fix problems that might occur with them.


Virtual Wi-Fi

Virtualize Wireless Adapters

Driver Support
Multiple Access Points

This new feature in Windows 7 allows wireless adapters to be virtualized so you will be able to connect a single device to multiple networks. Beyond connecting your computer to multiple access points, this feature can also be used to convert the laptop into an access point for other devices. The drivers used for the wireless device must specifically support this option in order to use it.


Group Policy

As with most other desktop features, the best way to control wireless settings is by using group policy. Group Policy allows you to create wireless policies and deploy them using the Active Directory infrastructure. You will be able to control what computers get which policy settings, how often they check for modifications to policy settings, the networks and computers they are allowed to connect to and the required security settings. Group Policy wireless profiles can be configured with Network Names (SSID), auto-connect or preferred network settings. Whether or not the connection should be activated when the SSID is not broadcasting can also be managed. Security settings to manage authentication and encryption options are available and the option to cache user information can also be set. Other security options are also available to prevent connections to ad-hoc networks, allow the creation of wireless profiles by end-users or control access to ad-hoc or infrastructure networks. Allowed and denied networks can be configured and access to wireless networks can be expressly denied unless they are assigned through group policy. The group policy setting for slow link detection can also be used to control what type of settings will not be applied when using much slower wireless connections. This is a useful option to prevent the installation of software assigned through group policy when the wireless network is being used.


Wake on LAN

Remotely Turn on Computer

Power Management Settings


BIOS Configuration

This feature allows a computer to be turned on remotely by sending a signal to the network device that it uses. This option can be controlled in the properties of the network card in the Power Management settings. The appropriate BIOS settings must also be enabled for it to work. Wake on LAN (WoL) is supported for both wired and wireless network connections.


Mobile Broadband Devices

Driver Configuration

Standard Interface
Troubleshooting

The use of mobile broadband devices is becoming more common as a way to provide connectivity for users that travel regularly. The setup and configuration of these devices might have presented issues in the past, but with the new driver-based model used for them in Windows 7 these problems have been significantly reduced. Different devices no longer need specialized drivers to be installed and configured for them. When users connect these devices, there will be no need to install new drivers or learn a specialized software configuration. The standard interface used to manage them also makes it easier for IT staff to troubleshoot and fix problems.


Resolve Wireless Connectivity Issues



Review the scenarios and problems presented along with their solutions

Maintaining a wireless network presents its own unique challenges and concerns that are not of concern in a wired network. Some of the troubleshooting tasks will be the same or similar, but problems with bandwidth, signal strength and encryption are often dealt with differently. We will examine some scenarios where such problems might come up and see possible solutions to dealing with these issues.

You have reconfigured a Wi-Fi router to use a new channel that provides better signal strength. What must be done to allow the client computers to use this new configuration?
Nothing. They will automatically use the new channel configured on the router.

To better secure wireless communications, you have decided to use a RADIUS Server to authenticate the computers. What protocol changes are necessary on the client computers?
You must configure WPA or WPA2 to use an Enterprise connection instead of Personal.

A user is having trouble keeping their connection to the wireless network when they change between different user profiles. How might this problem be solved?
Configure the profile as all-user instead of per-user. All-user profiles do not disconnect when switching Windows profiles.

A laptop configured with multiple wireless profiles is not using the preferred network when the user is in the office. How can this problem be solved without deleting the other profiles?
Change the order of the profiles in the Manage Wireless Networks window to put the preferred network at the top of the list. Removing the option to connect automatically to the other networks would also work.

The sales staff will be issued new wireless devices to connect to the Internet while traveling with their laptops. The cards will be issued by the phone carrier that the company presently uses. What information must you include in the written procedures that will be given to them for installing the devices?


The driver-based model implemented to install these devices on Windows 7 systems means that the user will not need to install any third-party software.

Your 802.11b network needs to be upgraded to 802.11g. You want to upgrade the routers and adapters in the least disruptive manner. What concerns do you have about the order in which this is done?
There should be no concerns in this case. The 802.11g adapters and routers provide backward compatibility with the 802.11b ones. The devices can be changed or upgraded in any order.

Another technician in your office wants to configure the Wake on LAN feature for some remote laptops that connect to the network wirelessly. What can you tell him about this feature?
Wake on LAN is supported for wireless connections, but it must be enabled in the BIOS and on the properties of the device.


Review Module 10: Identify and Resolve Wireless Connectivity Issues

REVIEW
Examine the review questions as a class

1. What are some recommendations to follow in finding a good location for a wireless router?

2. What Wi-Fi network is backward compatible with 802.11b?

3. What methods can be used to secure the default SSID on a wireless access point?

4. What wireless protocol was created to replace WEP because of its security problems?

5. True or False. A WAP's signal strength and connectivity might be improved by changing the channel.

6. What technology allows wireless profiles to be set up automatically by downloading configuration settings directly from the device?

7. True or False. The Wake on LAN feature is available for wired and wireless network connections.

8. What capability is available on wireless devices that support the Virtual Wi-Fi feature?

9. What is a SSID?


10. How can a WAP be configured to only allow connections from specific laptops on the network?

11. What is the best way to copy wireless profile settings between laptops that are not on the same network?

12. True or False. Hiding the SSID of a wireless access point will prevent hackers from viewing network traffic.


Labs Module 10: Identify and Resolve Wireless Connectivity Issues

No Lab Exercises for this module.


Module 11: Identify and Resolve Remote Access Issues

Table of Contents
Overview
Lesson 1: Remote Access Methods
Lesson 2: Dial-up Configuration
Lesson 3: VPN Configuration
Lesson 4: DirectAccess Configuration
Lesson 5: Authentication Protocols
Resolve Remote Access Issues
Review Module 11: Identify and Resolve Remote Access Issues
Labs Module 11: Identify and Resolve Remote Access Issues


Overview

Remote Access Methods
Dial-up Configuration
VPN Configuration
DirectAccess Configuration
Authentication Protocols
Resolve Remote Access Issues

The ability to connect remotely to the corporate network infrastructure is an important productivity tool that many users rely on. These connections should be easy for end users to configure and work with without compromising security. Windows 7 provides a number of options to create an environment that meets these requirements. The options available include the traditional RAS and VPN features. However, new options are available in Windows 7 to make creating these connections easier in different environments.

When troubleshooting problems with remote access, familiarity with the available options and features is necessary. There will be many cases where two or more features can meet the needs of a particular remote access problem. Choosing the best solution in such cases will also require an understanding of the existing network infrastructure and business goals.

When troubleshooting remote access issues, it is important to keep in mind the infrastructure components on which it depends. Connectivity problems are often caused by insufficient IP addresses being available (DHCP), name resolution problems (DNS) or authentication problems (Domain Controllers or Network Policy Servers). Authorization of client computers is normally managed from individual remote access servers, but this function can be centrally configured using NPS to set up RADIUS services on a Windows Server 2008 system. Windows Server 2003 implements this service using the IAS service.


When verifying client configuration, normal network troubleshooting tools like ipconfig and ping can be used to verify the IP configuration and test connectivity and name resolution. The -t parameter can be used with the ping command to do a continuous ping for slow or dial-up connections. Firewall rules on the network and for the client location must also be verified to make sure they support the protocols being used. One sure sign of a firewall problem is if the connection works for one protocol but not for another.

In this chapter, we will not only look at the available remote access options in Windows 7, but also see how to fix problems that might come up when using and configuring client computers.


Lesson 1: Remote Access Methods

Connection Methods

Connection Manager Administration Kit


IPv6 Support

Remote access allows client computers to connect to resources in a network from a different location. Users can continue to use email, file or database services even if they are thousands of miles away. While this capability might not be made available for all in the organization, employees who travel regularly, such as executives or sales staff, might increase their productivity by using these options.


Connection Methods

Dial-Up

VPN
DirectAccess

Traditionally, remote access options for Windows clients have been a choice between VPN and Dial-Up connections. Windows 7 can support a third method known as DirectAccess. Here is a quick overview of these methods:

Dial-Up: These connections use a phone line with a modem to create a connection to a Dial-Up RAS server on the network. The server requires a modem for each client connection. While this setup is easy to configure, the bandwidth limitations and cost of long distance connections do not make it ideal for many situations. Some of these problems can be mitigated with special configurations. For example, Multilink connections might be used to configure multiple phone lines and modems as a single connection to improve bandwidth. Dial-Up is often used for very remote locations where there are no other options available.

VPN: Virtual Private Networks (VPNs) are the most common way to connect remote users in many large organizations. The servers supporting these connections can use a single network card to support many client connections. The client computer and network VPN server must be connected to the same network, which is most often the Internet. The low cost and high availability of these connections all over the world make this an ideal solution for many environments. In many cases, high speed connections between the client and server allow users to do most or all of the things they would normally do while in the office.

DirectAccess: DirectAccess is a new method of connecting to remote networks from Windows 7 client computers. It is similar to VPN setups in that the connection is normally facilitated over the Internet. It allows bi-directional communication over the network between the client computer and most network services. The network must have a Windows Server 2008 computer to facilitate this connection. The Windows 7 Enterprise or Ultimate editions are required to use this new feature.


Each of these methods has its own advantages and there will be cases when a network uses two or all three of them. Each will also have its own unique problems and troubleshooting methods. The infrastructure needs of each method, such as required servers, must also be carefully considered.


Connection Manager Administration Kit (CMAK)

Creating a Template Profile

Computer Architecture

The CMAK can be used to easily configure connection profiles that will be set up on client computers. This method of configuration and deployment is more likely to be used on networks where many client systems are supported. One problem that might come up is if the template profile is created on a system that uses a processor architecture different from the one used on the client machines. If the connection profiles will be used on 32-bit and 64-bit computers, then separate profiles must be created for each type of system.

IPv6 Support

Native Support

Automatic Configuration

Windows 7 includes native support for IPv6 for environments that are upgrading their networks to the protocol. A remote access technology that requires IPv6 does not need any special software loaded to support it. Windows 7 systems can be configured to use IPv4 and IPv6 on the same network card, and a number of technologies allow automatic configuration of IPv6 on IPv4 networks.


Lesson 2: Dial-up Configuration

Configuration Options

Troubleshooting

Creating a dial-up connection manually is easy when using the Set Up a Connection or Network wizard. Automatic configurations can be configured through the domain or using the Connection Manager Administration Kit (CMAK). A simple setup will include the phone number of the RAS server and the login account information, which is normally the same as the user's regular domain login. An appropriate name should be given to the profile before saving it. As with other profiles, it can be configured to be used only by the existing login account or for use by anyone logging onto the system.

Configuration Options

Active Directory

Dial-up Prefix
Callback

Multilink

If special configuration options are needed for a dial-out prefix or carrier codes for long distance and international calls, these can be set up in the beginning so they do not have to be provided at each connection attempt. If information must be provided for calling cards to which the calls will be charged, it can be stored as a part of the profile. Multiple dialing rules can be created and stored for different locations.

Some dial-up options are only available if appropriate settings are configured on the remote server or in Active Directory. Callback is normally used as a security feature and configures the server to call back a pre-specified number to make sure the user is calling from the authorized location. Active Directory permissions to manage user accounts are needed to configure this setting. The callback number can be specified by the user, but this option is not often used. Multilink allows multiple modems on the server to be used by a single connection to increase the bandwidth available to the client computer.


Troubleshooting

Domain User Settings


RAS Server Settings

Remote connectivity is often disabled by default for users in a domain. In addition to verifying connectivity settings, make sure that the policies in the domain and on the remote server allow the user to connect. Available IP addresses must also be sufficient for all connections. Maximum connection time settings might also prevent a user from working for longer than a specified time or leaving the connection idle for too long. The administrator of the RAS servers controls all of these settings regardless of the connection method used.


Lesson 3: VPN Configuration

Encryption

VPN Reconnect
Troubleshooting

Virtual Private Network connections are a popular way of connecting remote client machines to the corporate network. Using encrypted connections over the Internet, client computers can send and receive data as if they were on the network. Restrictions as to what parts of the network will be visible can be configured from the server. To configure and save the connection profile, the address of the VPN server is specified along with the credentials if you want to store them. Once the VPN server accepts the credentials, an IP address is issued with which the client can browse the network. For better security, smart card authentication can be used with a VPN profile. VPN connections are also compatible with other security options like Network Access Protection (NAP).

A number of configuration settings might lead to connection problems. The error message received after the connection failure often provides details that lead to where the problem is. Verify the URL or IP address of the server and the credentials entered. The Internet connection must also be working before attempting the connection. The Internet connection cannot use a Winsock proxy client. If you suspect name resolution problems, try connecting to the server with an IP address instead.


Encryption

Client/Server Compatibility

Minimum Encryption Levels

The encryption settings between the VPN client and the VPN server must be compatible. If the error message indicates that this is a problem, contact the administrator to verify what protocol settings must be used. The client computer can be configured to reject connections that do not meet a minimum encryption level. This will not be a problem when connecting to Windows VPN servers, but might be an issue with other server types.

VPN Reconnect

Automatically restore broken connections

Server Requirements
Protocol Requirements

When communication between the VPN client and server is interrupted, this normally means that the connection must be broken and re-established. VPN Reconnect is a new feature which can prevent this problem. The tunnel can be automatically restored if the connection was not broken for too long a period. This period is specified on the VPN server configured for VPN Reconnect which must be running at least Windows Server 2008 R2. VPN Reconnect can also be used for mobile devices that might switch to a different network to keep the tunnel connection active. VPN Reconnect only uses IPsec, so firewall settings must be configured to allow IKE (UDP ports 500 & 4500) and ESP (TCP/UDP port 50) traffic through.
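
A check of a firewall rule list against the VPN Reconnect requirements above, as an added example that is not part of the course material. ESP is carried as IP protocol number 50 rather than on a TCP or UDP port, so the checker matches it on the protocol field; the `Rule` model and both rule sets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

UDP, TCP, ESP = 17, 6, 50   # IANA IP protocol numbers


@dataclass(frozen=True)
class Rule:
    """One allow/block entry of a simplified firewall (hypothetical model)."""
    action: str                  # "allow" or "block"
    ip_protocol: int             # IP protocol number, not a port
    port: Optional[int] = None   # destination port; only TCP and UDP have ports


# Flows the IPsec tunnel used by VPN Reconnect needs through the firewall.
REQUIRED = [
    ("IKE, UDP port 500", UDP, 500),
    ("IKE, UDP port 4500", UDP, 4500),
    ("ESP, IP protocol 50", ESP, None),
]


def permitted(rules: List[Rule], ip_protocol: int, port: Optional[int]) -> bool:
    """First matching rule decides; traffic matching no rule is dropped."""
    for rule in rules:
        if rule.ip_protocol != ip_protocol:
            continue
        if rule.port is not None and rule.port != port:
            continue
        return rule.action == "allow"
    return False


def missing_for_vpn_reconnect(rules: List[Rule]) -> List[str]:
    """Names of the required flows that the rule set does not let through."""
    return [name for name, proto, port in REQUIRED
            if not permitted(rules, proto, port)]


# Constructed rule sets for illustration.
PORT_50_RULES = [
    Rule("allow", UDP, 500),
    Rule("allow", UDP, 4500),
    Rule("allow", TCP, 50),   # opens TCP port 50; ESP is not TCP
    Rule("allow", UDP, 50),   # opens UDP port 50; ESP is not UDP
]
PROTOCOL_50_RULES = [
    Rule("allow", UDP, 500),
    Rule("allow", UDP, 4500),
    Rule("allow", ESP),       # matches on the IP protocol field
]

if __name__ == "__main__":
    print("port-50 rules missing:", missing_for_vpn_reconnect(PORT_50_RULES))
    print("protocol-50 rules missing:", missing_for_vpn_reconnect(PROTOCOL_50_RULES))
```

A rule set that passes IKE but not ESP lets the tunnel negotiate and then carry no data, unless both ends fall back to UDP encapsulation on port 4500.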


Troubleshooting

Server Settings

Client Profile
IP Configuration

When the client is able to connect successfully to the VPN server but is still unable to work with resources on the network, this usually indicates a problem with the server configuration. The client configuration should also be checked to make sure changes were not made. Verify connection settings like the IP address that was issued and provide the information to the server administrator.


Lesson 4: DirectAccess Configuration

User Experience

Network Support

DirectAccess is a new method for remote users to connect to the corporate network over the Internet. Unlike a VPN connection, no profiles need to be configured or run by the user. The connection is transparent to the user but provides a high level of security and access. The experience is intended to mirror what the user would experience if directly connected to the network. This feature will work on either the Ultimate or Enterprise editions of Windows 7. The server on the network used for the connections must run Windows Server 2008 R2.


User Experience

Transparent access to network resources

Block access to resources


Applying Group Policy

When configured, a DirectAccess setup can be used to access any resource on the network. The user experience of working with intranet websites, email or file shares does not change. When full access to network resources is not desired for remote clients, specific resources can be blocked to improve security. The application of group policy settings can be configured, even if the user is not logged into the system. Other maintenance tasks can also be performed as if the computer were actually on the local network.

Network Support

IPv6

IPSec
Smart Card

Network Access Protection

DirectAccess uses IPv6 technologies. IPSec is used to encrypt authentication and data traffic. As with VPN connections, Smart Cards can also be used for authenticating users and Network Access Protection (NAP) can be configured to check the health of the system before allowing it to connect. DirectAccess also does authentication of the client computer. To improve the use of network bandwidth, DirectAccess supports intelligent routing. Data traffic intended for the Internet or external networks is not passed through the connection to the corporate network. Not only can this method of data routing be a cost savings, but it is also required by law in some countries. The connections use standard HTTPS settings (port 443) which makes configuration easier and transparent on most networks, even with restrictive firewall settings.


Lesson 5: Authentication Protocols

DirectAccess Authentication

VPN and Dial-Up Authentication

When evaluating the different authentication methods available for remote access connections, security, compatibility and configuration options need to be evaluated. The protocol that provides the best encryption might not always be cost effective either. The options for authentication depend on the method chosen to connect the users as well. DirectAccess uses different methods than those available with Dial-Up or VPN.

DirectAccess Authentication

IPSec

Machine Authentication
Smart Card Authentication

IPSec over IPv6 is the only protocol used for authenticating DirectAccess connections. The machine is authenticated even if the user is not logged into the system. This makes the system available for group policy updates and other maintenance tasks. The user authentication information is also protected with IPSec. The use of Smart Card authentication is supported.


VPN and Dial-Up Authentication

Extensible Authentication Protocol

MSCHAPv2
CHAP

PAP

A number of protocol options are available for authenticating VPN or Dial-Up connections. In most cases, the strongest protocol should be configured. The protocols available are:

EAP: Extensible Authentication Protocol is the most secure method available for remote connections. It supports smart card authentication and has a number of types available that can be extended. The different types include PEAP, Smart Card and MSCHAPv2.

MSCHAPv2: While not as secure as EAP, MSCHAPv2 is a strong authentication method used on Windows systems. It overcomes some of the security issues of the first version of MSCHAP, no longer supports LAN Manager encoded responses, and includes the ability to configure mutual authentication.

CHAP: Challenge Handshake Authentication Protocol uses the Message Digest 5 hashing scheme to protect user data. It is widely supported on Windows and non-Windows desktops. The fact that it requires reversible encryption is one of its security limitations in comparison to MSCHAPv2.

PAP: Password Authentication Protocol is a legacy protocol that should only be used as a last resort. It sends the authentication information in plain text. Because it is so vulnerable, it is often disabled on both client and server systems to prevent its use.


Client computers can be configured to use any of these protocols. If EAP is configured, the other protocol options are disabled. The same holds true if you enable any of the other protocols. When multiple protocols are configured, the system will automatically negotiate with the server and use the strongest protocol supported on both systems.
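
The PAP and CHAP descriptions above, worked through as an added example that is not part of the course material: it shows what each protocol puts on the wire and why a CHAP server must keep the password in recoverable form while a PAP server can keep only a hash. The account, password and class names are constructed for illustration; the message layouts follow RFC 1334 (PAP) and RFC 1994 (CHAP).

```python
import hashlib
import hmac
import os
import struct


def pap_request(identifier: int, username: str, password: str) -> bytes:
    """PAP Authenticate-Request (RFC 1334): the password is sent unprotected."""
    user, pw = username.encode(), password.encode()
    data = bytes([len(user)]) + user + bytes([len(pw)]) + pw
    # Code 1 = Authenticate-Request; Length counts the 4-byte header too.
    return struct.pack("!BBH", 1, identifier, 4 + len(data)) + data


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class HashOnlyStore:
    """Account store that keeps salted PBKDF2 hashes, never the password."""

    def __init__(self):
        self._records = {}

    def enroll(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._records[username] = (salt, digest)

    def verify_pap(self, username: str, password: str) -> bool:
        # Works because PAP hands the server the password itself.
        if username not in self._records:
            return False
        salt, digest = self._records[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)


class ChapAuthenticator:
    """Server side of CHAP. It must hold each secret in recoverable form,
    because it recomputes the same MD5 value the client computed."""

    def __init__(self, secrets: dict):
        self._secrets = secrets   # username -> secret bytes, recoverable
        self._pending = {}        # username -> (identifier, challenge)
        self._last_id = 0

    def issue_challenge(self, username: str):
        self._last_id = (self._last_id + 1) % 256
        challenge = os.urandom(16)   # fresh for every attempt
        self._pending[username] = (self._last_id, challenge)
        return self._last_id, challenge

    def verify(self, username: str, identifier: int, response: bytes) -> bool:
        pending = self._pending.pop(username, None)   # a challenge is single-use
        secret = self._secrets.get(username)
        if pending is None or secret is None or pending[0] != identifier:
            return False
        expected = chap_response(identifier, secret, pending[1])
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    user, password = "jsmith", "Example-Passw0rd"   # constructed sample account
    store = HashOnlyStore()
    store.enroll(user, password)
    wire_pap = pap_request(1, user, password)

    server = ChapAuthenticator({user: password.encode()})
    ident, challenge = server.issue_challenge(user)
    wire_chap = chap_response(ident, password.encode(), challenge)
    accepted = server.verify(user, ident, wire_chap)

    # A recorded response is useless against the next, different challenge.
    ident2, _ = server.issue_challenge(user)
    replay_accepted = server.verify(user, ident2, wire_chap)
    return {
        "pap_exposes_password": password.encode() in wire_pap,
        "pap_ok_with_hash_only_store": store.verify_pap(user, password),
        "chap_exposes_password": password.encode() in wire_chap,
        "chap_accepted": accepted,
        "chap_replay_accepted": replay_accepted,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```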


Resolve Remote Access Issues

Review the scenarios and problems presented along with their solutions

Remote access connectivity issues should be treated like most network problems, and troubleshooting should be done in a similar manner. Because of the unique settings that include protocol and bandwidth options, however, some troubleshooting tools and techniques will be different. We will look at some problems that you might experience with such connections and how you might go about fixing them.

It has been decided to use dial-up as the remote connection solution for a new user who will be working from home. How can you improve the bandwidth capabilities of this user and what are the infrastructure components needed for your solution?
Using the multilink protocol allows the bandwidth of several modems to be combined for a single connection. Multiple phone lines will also be necessary and the RAS server must have the multilink protocol enabled.

One of the technicians on your team wants to configure callback security for a user who uses dial-up connections to work on the network. Where must he make such a change?
This change is made in Active Directory and he would need permissions to manage the user's account.

You need to test connectivity for a dial-up client configuration that has intermittent problems. How can you use the ping command to continuously send ICMP packets until you manually stop the operation?
Use the -t parameter with the ping command, e.g. ping SERVER1 -t

You need to provide support for the laptops belonging to a new group of employees who will be working from home much of the time. What remote access solution will allow you to seamlessly manage and configure these laptops and allow easy connection by the users from home?
DirectAccess will be the best solution. It does not require any configuration or connection options to be set up by the user, and remote administration of the computers can also be easily done.

A few of the new home users that use VPN to connect to the network are having trouble using their existing profiles to connect to the corporate network. Other users are not having any trouble with the same preconfigured profile. Where should you start your troubleshooting?
The problem is likely originating from their location. Verify firewall settings on their computers and their home networks.

A new company policy requires your IT department to implement a solution for remote users that allows the computers to be managed as simply as possible. They need to be kept in compliance with Active Directory policies and automatically updated with security and other patches. What solution best meets these criteria?
DirectAccess allows the computers to be managed even if the users are not logged in. Only a connection to the Internet is required.

Your network is configured with Windows 7 Enterprise desktops and Windows Server 2003 Enterprise servers. Your IT Manager is planning to upgrade the existing VPN infrastructure to use DirectAccess instead. What should you tell him to do before implementing this plan?
Windows 7 clients running Enterprise or Ultimate editions are supported, so the existing desktop infrastructure is OK. The DirectAccess server must be running Windows Server 2008 R2, however.

Review Module 11: Identify and Resolve Remote Access Issues

REVIEW
Examine the review questions as a class

1. How is a network connection completed when the callback dial-up option is configured?
2. Why would you create more than one dialing rule to connect to a RAS server on your network?
3. True or False. Callback security must specify a predefined number to be used by the remote server.
4. True or False. VPN connections cannot work over networks that use an active Winsock proxy client.
5. How can you verify whether there are DNS resolution issues when connecting to a VPN server URL?
6. What is the strongest authentication protocol available for VPN connections?
7. What protocol is used to protect data traffic sent over a DirectAccess connection?
8. What editions of Windows 7 support a DirectAccess configuration?
9. What protocols can be used to authenticate client computers using DirectAccess connections?
10. What feature allows client computers to automatically re-establish a lost VPN connection?
11. What methods can be used to issue IP addresses to VPN clients?
12. What function is provided by a Network Policy Server to remote access clients?

Labs Module 11: Identify and Resolve Remote Access Issues

Exercise 1: Verify VPN access for Domain Account

Exercise 2: Create and Test a VPN Connection

Overview: Configure ADUC to allow Remote Access configuration of domain accounts. Create a VPN connection. Unless stated otherwise, start up the Windows 7 client and the domain controller images. Log in with the Contoso\Administrator user account with a password of Pa$$w0rd.

Estimated time to complete this lab is 30 minutes.


Exercise 1A: Update the Active Directory Users and Computers snap-in installed from the RSAT
1. Open Active Directory Users and Computers.
2. In the properties window for the Admin1 user account, try to locate the Dial-In folder.
3. Close the ADUC tool.
   Note: The original RSAT version of this tool does not contain the Dial-in folder used to see and configure Dial-in settings for domain users. Perform the following steps to add it. If it is already there, skip the following steps and continue to Exercise 1B.
4. Copy the following files from NYC-DC1 to the corresponding location on Computer1 (you can also do this by opening a Command Prompt as Contoso\Administrator and running the script \\nyc-dc1\classfiles\mod11\aduc_update.cmd):
   %windir%\system32\mprsnap.dll
   %windir%\system32\rasuser.dll
   %windir%\system32\rtrfiltr.dll
   %windir%\system32\en-us\mprsnap.dll.mui
   %windir%\system32\en-us\rasuser.dll.mui
   %windir%\system32\en-us\rtrfiltr.dll.mui
5. Run the following command to register the Rasuser.dll file on Computer1:
   regsvr32.exe %windir%\system32\rasuser.dll
6. Open the properties window of the Admin1 user account in ADUC to verify that you can now see the Dial-in folder.

Exercise 1B: Verify VPN/Dial-in permissions for user accounts


1. Use the ADUC to access the properties of the Admin1 account using Contoso\Administrator credentials.
2. In the Dial-in folder verify that the Network Access Permission is set to Allow access, then click OK.
3. Perform the same check for the User1 account and verify that the Network Access Permission has been set to Deny access. (The user account should be enabled.)

Exercise 2: Create and test a VPN connection.


1. Open the Network and Sharing Center.
2. Click Set up a new connection or network.
3. Click Connect to a workplace and then click Next.
4. Click Use my Internet connection (VPN). If prompted for a new Internet connection, choose I'll set up an Internet connection later.
5. In the Internet address: box type NYC-DC1.
6. In the Destination name: box type Contoso Network.
7. Click the check box for Allow other people to use this connection.
8. Click Next.
9. Fill in the User name (Admin1), Password (Pa$$w0rd) and Domain (Contoso) boxes and click Create.
10. Verify that the configuration was successful and click Close.
11. Click Change adapter settings.
12. Right click Contoso Network and click connect. Use the Admin1 account credentials and click Connect.
13. Verify that the connection was successful by using ipconfig to check that an IP address (192.168.20.X) was issued to the Contoso Network adapter.
14. Disconnect from the Contoso Network.
15. Right click Contoso Network and click connect. Use the User1 account credentials and click Connect.
16. Verify that the connection is unsuccessful (User1 is not allowed to connect over the VPN).

Module 12: Manage File Synchronization

Table of Contents
Overview
Lesson 1: Configuring Offline File Access
Lesson 2: Synchronization Settings
Lesson 3: Transparent Caching
Lesson 4: Roaming Profiles
Lesson 5: Restoring Local and Network Files
Resolve File Synchronization Problems
Review Module 12: Manage File Synchronization
Labs Module 12: Manage File Synchronization

Overview

Configuring Offline File Access
Synchronization Settings
Transparent Caching
Roaming Profiles
Restoring Network Files
Resolve File Synchronization Problems

Users need access to important network files whether their computer is connected to the local network or Internet. For users that might need to work with and change these files while they are not on the network, there are a number of tools within Windows 7 to accomplish this. Synchronizing the changes when the files are modified from different offline locations is important to maintain the integrity of the file.

These features that allow users to work with files when they are not connected to the network are useful in other ways. When the network file server is down for one reason or another, users can continue to work and maintain their productivity. You can automatically maintain a single version of a document even if multiple users work with it offline. It also provides another mechanism for restoring network files that have been accidentally deleted.

A number of synchronization options are available when working with offline or cached documents on Windows computers. Some of the methods and features are new to Windows 7. In the following lessons, we will examine and compare these methods. We will also present troubleshooting recommendations for connectivity and synchronization issues that might arise.

Lesson 1: Configuring Offline File Access

Configuring the Network Share

Configuring the Client Computer


Security

If a computer is disconnected from the network or if a file server becomes unavailable, a computer configured with offline file access to these resources will still have access to them. Copies of the files on the network share can be automatically cached to the local machine and changes made to them later updated to the network version.

Configuring the Network Share

The ability to configure a file or folder for offline access depends on how the network share is configured. If this feature is enabled, anyone with permissions to connect to the share will be able to cache files from that location. The default setting for shared folders on a server or Windows 7 client is to enable offline files. It will only work for network shares that are located on NTFS formatted drives. If enabled, the offline files option on a share can be configured in one of two ways. The default setting will only cache files or programs that the users specify. With this option, no files will be available offline by default. The other option is to automatically cache all files or programs that the users open or execute. When this option is chosen, you will be able to configure the Optimize for performance check box. This will run cached executable files directly from the cache the next time they are needed. The ability to cache only documents and not executables can be configured from the command-line with the Net Share command.

Configuring the Client Computer

Automatic Caching

Always Available Offline


Event Viewer Logging

Once the offline files feature is enabled on the network share, the way the client will cache the documents depends on how it was configured. With automatic caching, the user does nothing. Simply opening or running the file will cache it on the local machine. If the default setting is used on the server, offline files must be set up manually on the client machine. Once connected to the share, you simply right click the file or folder that you want to cache and choose the Always available offline option. You would remove the check mark beside this option to disable offline files.

The Event Viewer can be used to track the Offline Files service if problems develop with this feature. Enabling the Operational log for Offline Files is done by configuring it under Applications and Services Logs: navigate to Microsoft > Windows > OfflineFiles. This can also be done with the command-line tool wevtutil.exe. If more details about problems are needed, the Analytic and Debug logs can also be enabled.
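The share-side caching mode set with Net Share and the Offline Files Operational log described above can both be checked from PowerShell. This is an added example, not part of the courseware; the share name Projects, its path and the sample output are constructed, and English-language net share output is assumed.

```powershell
# Added example (not from the courseware): report the Offline Files caching
# mode of file shares and turn on the Offline Files Operational log.
# Assumes English-language 'net share' output; run elevated on the file server.

function Get-ShareCachingMode {
    # Parses the text printed by 'net share <name>' into one object per share.
    param([string[]]$NetShareOutput)

    $name = $null
    $caching = $null
    foreach ($line in $NetShareOutput) {
        if ($line -match '^Share name\s+(.+)$') { $name = $Matches[1].Trim() }
        elseif ($line -match '^Caching\s+(.+)$') { $caching = $Matches[1].Trim() }
    }
    if (-not $name) { return }   # access denied or unexpected output

    New-Object PSObject -Property @{
        Share       = $name
        CachingMode = $caching
        # Automatic modes copy every opened file to the client without the
        # user choosing to, so they deserve a second look on sensitive shares.
        Automatic   = [bool]($caching -match '^Automatic')
    }
}

function Get-LocalShareCaching {
    # Type 0 = ordinary disk shares; administrative shares (C$, ADMIN$) are skipped.
    Get-WmiObject -Class Win32_Share -Filter 'Type = 0' | ForEach-Object {
        Get-ShareCachingMode -NetShareOutput (net share $_.Name)
    }
}

function Enable-OfflineFilesOperationalLog {
    $channel = 'Microsoft-Windows-OfflineFiles/Operational'
    wevtutil sl $channel /e:true      # sl = set-log, /e = enabled
    wevtutil gl $channel              # gl = get-log, prints the channel settings
}

# Constructed sample so the parser can be tried without a file server.
$sample = @'
Share name        Projects
Path              D:\Shares\Projects
Remark
Maximum users     No limit
Users
Caching           Automatic caching of programs and documents
Permission        CONTOSO\Domain Users, CHANGE
'@ -split "`r?`n"

Get-ShareCachingMode -NetShareOutput $sample | Format-List

# On a real server:
#   Get-LocalShareCaching | Where-Object { $_.Automatic }
#   net share Projects /CACHE:Documents   # cache documents, not executables
#   net share Projects /CACHE:None        # no offline copies at all
#   Enable-OfflineFilesOperationalLog
```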

Security

Encryption

Sync Center
Offline Files Cache

To protect offline files on mobile computers, it is recommended that they be encrypted. The Sync Center allows you to configure the encryption of all offline files and also to limit the percentage of your drive that is dedicated to them. If the drive space reserved for them is used up, older cached files are removed to make room for new ones. The cache can be deleted if the files are no longer necessary. Automatic caching should only be used when all files need to be kept locally, regardless of whether they have been used in the past.

Lesson 2: Synchronization Settings

Configuring Options

Offline Files

Individual files and folders can be synchronized by right clicking on them and choosing the Sync option. Other synchronization options are available in the accessories tool Sync Center. In addition to offline files on network shares, Sync Center can also synchronize data with mobile devices connected to the computer. You can also use it to verify that files are in sync or if there were errors or conflicts.

Configuration Options

Automatic Synchronization

Scheduling
Controlling Synchronization

In addition to the automatic synchronization that takes place when you reconnect to the network, Sync Center gives other options for updating changes made on the client or network. Updates can be done at specific times or when certain events take place on the computer. The events can be the locking or unlocking of the computer, logging onto the system or if the computer has been idle for a specified period of time. You can also check to make sure that a laptop is using external power before starting synchronization. Synchronization can be automatically stopped if the computer is no longer idle or if it loses external power.

Offline Files

Network Files

Redirected Files
Group Policy Configuration

The offline files feature works well with normal network files, but it can also be used for redirected files such as those in My Documents. Being able to work offline with personal documents that are normally stored on the network but have them synchronize automatically when you reconnect can be very valuable to some users. In some environments, this feature is enabled by default. If the impact that it has is too great because of the drive resources or network bandwidth being used, it can be disabled using group policy settings (Allow or Disallow use of the Offline Files feature setting in Computer Configuration > Policies > Administrative Templates > Network > Offline Files).

Lesson 3: Transparent Caching

Compared to Offline Files

Configuring Transparent Caching

The advantages of offline files make it a very useful feature, especially for mobile users. The caching capabilities can also be useful for regular desktop users as well. The ability to use the caching feature to optimize the use of network bandwidth or speed up access to large files over slow networks is not provided by offline files however. These capabilities are now available on Windows 7 through a new feature called Transparent Caching.

Compared to Offline Files

Required Network Connectivity

Temporary Cache
Processing Changes

One important difference between these technologies is that offline files provide access to information when the network resource is unavailable. Transparent Caching does not. The files stored in the cache are temporary and the synchronization options available with offline files cannot be used. This feature is normally used when files are retrieved and used over slow network connections. Instead of downloading it every time it is used, the second and subsequent uses of the file are done from the cache. The integrity of the file is verified before using it. Changes to the file are written immediately to the network version of it. Transparent caching can be configured to prevent specified file types from being put in the cache.

Configuring Transparent Caching

Group Policy Configuration

Local Cache
When to use

The amount of space available for this feature is limited by the space configured for offline files since they are stored in the same location. Transparent caching is disabled by default, but can be enabled using group policy settings (Enable Transparent Caching setting in Computer Configuration > Policies > Administrative Templates > Network > Offline Files). A big advantage of this feature is that the user makes no changes to the way that they work with network documents. When working with large files over slow connections however, they will likely notice an improvement in the time it takes to work with them. Network bandwidth will also be used more efficiently which can provide cost savings.

Lesson 4: Roaming Profiles

How it Works

User Experience
Configuring Mandatory Profiles

It is not uncommon to have users that do their work from different computers on the network. When this happens, it is easier for them to get their work done if they have access to the same desktop and resources that they normally use. Creating a roaming profile for the user accomplishes this task.

How it Works

Network copy of user profile

Configure User Account Properties


Logoff Process

The user profile that is normally stored on the local computer is copied to a network location. Their domain account will be configured to automatically load this network profile instead of creating one on a new computer they may log into. If a local profile exists, it is replaced with the network roaming profile. One problem which sometimes comes up with these profiles is their size. Large profiles can significantly increase logon time while the information is being copied from the network. The logoff process also copies the profile back to the network for use the next time. Folder Redirection is one way of reducing the size of these profiles. Important documents will then be automatically redirected to a predefined network location instead of in the user profile. Teaching users to store information this way or encouraging them to store files directly to network locations will help.

User Experience

Saving User Profile Changes

Longer Login and Logout Process

Users might also have problems that arise from not understanding the way that roaming profiles work. When a user logs into a computer and makes changes to the desktop, network connections and other profile settings, these will not update the network profile until they log off the computer. When they log into another machine but do not see the desktop environment they are expecting, this is often the problem. In most cases, the logon process might be noticeably longer when working with larger profiles.

Configuring Mandatory Profiles

Copy Profile to the network

Modify permissions on the network profile


Rename ntuser.dat to ntuser.man

Roaming profiles can be configured for use by multiple users. When this is done, care should be taken to make sure that the profile is not updated by any of the users; otherwise the others might lose their access to it. Mandatory profiles are used to meet these requirements. They can be created by performing the following steps:
1. Copy the profile to be used to the network.
2. Assign permissions so all the users can use the profile.
3. Rename the NTUSER.DAT file to NTUSER.MAN.

Mandatory profiles can be updated by an administrator who directly modifies the information in it. When a user logs on with the profile however, changes they make will not be copied back to the network location when they log off as with normal roaming profiles.
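A read-only check for the three steps above, as an added example that is not part of the courseware: it confirms the hive was renamed and lists accounts that could still change the shared profile. The function name, the trusted-account list and the temporary demo folder are assumptions made for illustration.

```powershell
# Added example (not from the courseware): verify a mandatory profile folder.

function Test-MandatoryProfile {
    param(
        [string]$ProfilePath,
        # Accounts expected to keep write access (assumption; adjust as needed).
        [string[]]$TrustedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    $findings = @()

    # Step 3 of the procedure: the hive must be NTUSER.MAN, not NTUSER.DAT.
    if (-not (Test-Path (Join-Path $ProfilePath 'NTUSER.MAN'))) {
        $findings += 'NTUSER.MAN not found: profile is not mandatory'
    }
    if (Test-Path (Join-Path $ProfilePath 'NTUSER.DAT')) {
        $findings += 'NTUSER.DAT still present: rename was not completed'
    }

    # Step 2: users must be able to use the profile, but nobody outside the
    # trusted list should be able to write to it.
    # 0x2 write data, 0x4 append data, 0x40000000 GENERIC_WRITE, 0x10000000 GENERIC_ALL
    $writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
    foreach ($ace in (Get-Acl -Path $ProfilePath).Access) {
        $isAllow  = $ace.AccessControlType -eq 'Allow'
        $canWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
        $who      = $ace.IdentityReference.Value
        if ($isAllow -and $canWrite -and ($TrustedWriters -notcontains $who)) {
            $findings += "Write access granted to $who"
        }
    }

    New-Object PSObject -Property @{
        Path      = $ProfilePath
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Constructed demo folder: a profile whose hive was never renamed.
$demo = Join-Path $env:TEMP 'MandatoryProfileDemo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'NTUSER.DAT') -Value 'placeholder'

$result = Test-MandatoryProfile -ProfilePath $demo
$result.Compliant
$result.Findings

Remove-Item -Path $demo -Recurse -Force
```

Against a real share, pass the UNC path of the profile folder as -ProfilePath and review every account reported with write access.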


Lesson 5: Restoring Local and Network Files

Previous Versions

Backups

Although the Offline Files feature is useful for working with network documents while disconnected from the share, it does not provide a mechanism for restoring deleted files. Documents removed from the network or the local cache will be deleted from the other location after synchronization. Traditional backup and restore methods are important to have, but the Previous Versions feature can be useful as a client-initiated method of restoring documents.

Previous Versions

Files in Network Shares

System Restore Points


Accessing Previous Versions of a file

Previous Versions creates copies of files located in network shares. The copies are created when a restore point is created for the partition, so System Protection must be turned on for the partition on which you want to create a restore point. The System Protection settings allow you to specify the amount of drive space that can be used, whether system settings should be backed up along with previous versions of files, and whether to manually delete existing restore points. Older restore points are automatically deleted to create room for new ones when the maximum disk space assigned is used up.

In order to back up older versions of documents, restore points must be scheduled regularly on the machine. The Task Scheduler must be running for these scheduled operations to execute successfully.

Access to the older versions of these files is gained through the network shares. By right-clicking on a document or folder, you can see how many versions of it are available. These files can be opened, copied or restored in any location. If end users understand how to use this feature and take advantage of it, it can reduce the workload from restoring lost files.

Backups

Schedule Backups

External Media
Network Backups

When users are concerned about restoring files that might be lost from the local system, their best option is to schedule regular backups with Task Scheduler. These backups should be made to reliable external media such as flash drives, CD/DVDs or network drives. When a file needs to be restored, connect the media to the computer and use the Backup and Restore option under System and Security in the Control Panel to specify the files that need to be restored and the location they should be restored to. It is best to encourage users to store important information on the network so that administrator backups can be used to protect their files.


Resolve File Synchronization Problems

RESOLVE FILE SYNCHRONIZATION PROBLEMS


Review the scenarios and problems presented along with their solutions

While the process of configuring file synchronization is usually simple, problems often develop because of a lack of end-user training. Problems understanding how the different configuration and recovery options work might also create issues. Here are some problems which you might face when configuring these features and some possible solutions to them.

The offline files feature has been working well for a group of managers in the Sales Department, but it has been decided that this data needs to be encrypted whenever the laptops leave the office. How can this be done without impacting the way the users already use this feature?
Configure the laptops to automatically encrypt offline files by using the Sync Center. This change can also be automatically pushed to the systems by using Group Policy.

A user has configured his laptop to automatically synchronize files in a folder on a network share. He now wants to configure synchronization to take place automatically at 3:45PM every evening, but only for that folder. What can you tell the user?
Different schedules can be assigned to different offline file locations using the Sync Center.

Fifteen contractors working on a project for your company have been assigned individual domain user accounts. You need to control their profiles so that they all have a standard desktop, printer and network configuration when they log on. How can you accomplish this?
Create a mandatory profile that is assigned to their user accounts. They will be allowed to make changes when they log on, but those changes will not be restored the next time they log on with their account.

A number of users are concerned with the length of time it takes them to log in to their computers. After checking, you realize that the size of the roaming profiles is very large, mainly because of work documents and project files. What can be done to help these users?
Configuring folder redirection will reduce the size of the profiles if the users store these resources in the My Documents folder. If they do not already do this, they should be encouraged to start. If folder redirection is not used or there are files they do not want to store there, they should be asked to store these in a network location instead.

After configuring Transparent Caching on their laptop, a user is complaining that the files are unavailable when he is not connected to the network. What can you tell him?
This is the expected behavior of Transparent Caching. This feature is used to optimize network bandwidth and speed up access to network files. For offline access to the files, Offline Files should be configured instead.

After configuring a network shared folder for offline file access, a user realizes that his files are not being cached. He wants to have files automatically cached if he opens them. What can he do?
The offline settings are configured on the server and the user has no control of those options. He can, however, mark individual files that he wants to cache on his machine.

A user is trying to restore a document that was deleted this morning by mistake from a network share. While there are older versions of the file, the version from the day before is not available in the list. What is likely the cause of this problem?
A restore point was not created for that partition on the date that he wants. If this is a feature that users will rely on, the creation of restore points should be scheduled on the server.


Review Module 12: Manage File Synchronization

REVIEW
Examine the review questions as a class

1. What command-line tool can be used to configure the caching options available on a network share?

2. How can Transparent Caching be enabled for computers on your network?

3. True or False. Transparent Caching provides access to files when the network is unavailable.

4. What are the two reasons that might lead you to enable Transparent Caching for computers on the network?

5. What is a roaming profile?

6. What file must be renamed to change a roaming profile into a mandatory profile?

7. How often are updates & changes written to a network roaming profile?

8. True or False. An NTFS drive is required to use the offline files feature.

9. What happens when the network version of an offline file is deleted after reconnecting to the share?

10. What must be done to generate a previous version of a file shared over the network?

11. What service must be running for scheduled operations to execute on a computer?

12. What will the operating system do when new files need to be added to an offline files cache that is full?


Labs Module 12: Manage File Synchronization

Exercise 1: Configure and Test Offline Files

Exercise 2: Restore the Previous Version of a file

Overview: Configure and test offline files and previous versions configurations. Unless stated otherwise, start up the Windows 7 client and the domain controller images. Log in with the Contoso\Admin1 user account with a password of Pa$$w0rd.

Estimated time to complete this lab is 45 minutes.


Exercise 1: Configure and test offline files.
1. Log in to COMPUTER1 as Contoso\Admin1.
2. Click Start > Administrative Tools.
3. Hold down the Shift key and right-click Computer Management to choose Run as different user.
4. Log in as Contoso\Administrator with a password of Pa$$w0rd.
5. Right-click Computer Management and click Connect to another computer.
6. Specify the NYC-DC1 computer and click OK.
7. Click System Tools. (If the connection is prevented because of an RPC failure, connect to NYC-DC1 using Remote Desktop and run the command netsh advfirewall firewall set rule group="remote administration" new enable=yes.)
8. Click System Tools > Shared Folders > Shares.
9. Verify that there is no available share named Temp. If there is, delete it.
10. Right-click Shares and choose New Share.
11. Click Next and type the path C:\TEMP and click Next.
12. Click the Change button. Read the options available in the Offline Settings window.
13. Click the option for All files and programs that users open from the shared folder are automatically available offline. Click the Optimize for performance check box. Click OK.
14. In the Share name: box, type TEMP. Click Next.
15. In the Shared Folder Permissions window, customize the permissions to give Everyone Full-Control.
16. Click Finish and close the Computer Management console.
17. Map the \\192.168.10.100\TEMP share to the T: drive. Connect using the Contoso\Administrator credentials. (You must use the IP address to connect so as not to create a credential conflict with existing shares.)
18. Connect to the T: drive in Windows Explorer and right-click on any two text files to enable the option for Always available offline.
19. Edit both files by adding a new line of text saying "This is a test." and save the changes.
20. Disable the network adapter.
21. Verify that you still have access to the two offline files on the T: drive.
22. Add another line of text to one of the files that says "This is another test."
23. Enable the network adapter.
24. Re-establish a connection to the T: drive.
25. Verify that the changes you made are still on the network version of the file.
26. In Windows Explorer, right-click on the T: drive and open the properties window.
27. In the Offline Files tab, click the option for Always available offline, then Apply.
28. Close the properties window when the synchronization is complete.
29. Disable the network adapter.
30. Try accessing any file on the T: drive. You should have access to any of them.
31. Enable the network adapter. Disable the offline files feature for the T: drive and disconnect the drive.

Exercise 2: Restore the Previous Version of a File


1. On Computer1, share the C:\TEMP folder with the name TEMP. Use the default settings for the share.
2. Create a text file named C:\TEMP\TEST.TXT.
3. Add the phrase "This is a test" to the file and save it.
4. Open a Command Prompt and specify Run as administrator.
5. Open a PowerShell prompt.
6. Run the command: Checkpoint-Computer -Description Test1 to create a restore point named Test1.
7. Keep the Command Prompt open.
8. Use Windows Explorer to open the C:\TEMP folder.
9. Edit the Test.txt file to add another line of text, "This is another test." Save the file and close the editor.
10. Right-click the file Test.txt and choose Restore previous versions.
11. Use the Open option to see the file and verify that it is the previous version of it.
12. Save the file with the name C:\TEMP\TEST2.TXT and close Notepad.
13. From the Command Prompt, run the PowerShell command: Get-ComputerRestorePoint
14. Make a note of the sequence number for the Test1 restore point.
15. Run the command: Restore-Computer -RestorePoint <SN> -Confirm. <SN> represents the sequence number.
16. Close all applications before typing Y and pressing Enter to confirm the system restore operation.
17. After the system restarts, log in and verify that neither of the files in the C:\TEMP folder was changed as a result of the system restore.


Module 13: Identify and Resolve Internet Explorer Issues

Table of Contents
Overview
Lesson 1: Configure Security Zones
Lesson 2: Configure Security Levels
Lesson 3: Configure Privacy Settings
Lesson 4: Managing Add-ons
Lesson 5: Configure SmartScreen Filter
Lesson 6: Other Internet Explorer Issues
Resolve Internet Explorer Security Issues
Review Module 13: Identify & Resolve Internet Explorer Security Issues
Labs Module 13: Identify and Resolve Internet Explorer Security Issues


Overview

Configure Security Zone

Configure Security Levels


Configure Privacy Settings

Managing Add-ons

Configure Smart Screen Filter

Other Internet Explorer Issues

Resolve Internet Explorer Security Issues

Most users in an organization will do some form of work on the Internet and the local Intranet regularly. This makes Internet Explorer (IE) one of the most used applications on desktops today. Maintaining the functionality and security of IE is therefore critical to maintaining the productivity of end users.

Using Group Policy and other tools, you are able to centrally manage Internet Explorer settings to prevent the user from making changes that could cause problems. This is often the best way to lock down certain options, especially when they pertain to security. Some options should be left to the user, even when they can be locked down. Since IE is a productivity tool, it is better to allow some customization by the end user.

A variety of options allow you to control security settings for different environments. The security settings normally used for Internet web-sites might not be desired when connecting to partner organizations. Using client certificates can enhance security when transmitting confidential data. The browser history and cookies in the browser contain useful, but very often confidential, data as well. Using IE settings allows you to manage how these are used so that security options do not unnecessarily hinder a user's productivity. Most security settings can be configured manually from the browser by using the menu bar to navigate to Tools > Internet Options and then the Security tab.

In this chapter, we will look at the different configuration options available in Internet Explorer and how they can be used to protect the user as they do their work. Taking advantage of encryption and confidentiality features will also be discussed. We will also look at how to resolve common issues that might come up because of configuration issues. Knowing how to deal with these problems quickly will help to maintain the productivity of all users.


Lesson 1: Configure Security Zones

Internet Zone

Local Intranet Zone


Trusted Sites Zone

Restricted Sites Zone

The security settings in a web browser determine which web-sites you are able to visit, what types of ActiveX controls, scripts or plug-ins can be used, how you will be authenticated, and other security options. Web-sites can have different security settings applied to them depending on what type of content they provide, where they are located and what security options they offer. Instead of applying these security settings on a site-by-site basis, Internet Explorer classifies web-sites into four different zones that can have different security options applied to them. By controlling the zone a web-site belongs to, you manage what security settings will be applied to it. The four security zones are Internet, Local Intranet, Trusted Sites and Restricted Sites.

Internet Zone

This is the default zone that all web-sites will belong to if they are not located in one of the other three zones. Sites cannot be manually added to this zone. Because any site can use the security settings of this zone, it should be restrictive. Care should be taken when changing options that apply to running ActiveX or scripting components. Download options should also be scrutinized for possible problems that might come up when users connect to sites created for malicious purposes.


Local Intranet Zone

Web-sites and other web services that are available on the local network will be classified as belonging to this zone. These sites can be automatically detected by the browser or manually added to the zone. The option to require encrypted connections (https) is also available but not often used. You may automatically add locations that use UNC paths or bypass the proxy server.

Trusted Sites Zone

The Trusted Sites zone in most cases contains Internet & Extranet web-sites that require the least restrictive security settings. By default no sites belong to this zone. When they are added, you will have the option to specify that an encrypted (https) connection is required, and this is often used for sites in this zone. The authentication, scripting and ActiveX restrictions are often reduced to meet the special needs of these sites. All the sites that belong to this zone should have identical or similar security requirements.


Restricted Sites Zone

As with the Trusted Sites zone, no web-site belongs to this zone by default. Sites must be added manually using the Sites option. There is no option to require encrypted connections, although you can specify https for each URL added to the zone. This zone normally has the most restrictive security settings. Web-sites that you do not want to block, but that might have harmful content, are normally managed from this zone. The scripting options are restricted by default, but any of the security options can be manually reconfigured.


Lesson 2: Configure Security Levels

Low

Medium-Low
Medium

Medium-High
High

While the security zone controls the classification of web-sites, the security level controls exactly what security settings will be applied to them. Each zone may use its own customized security options, but there are five preconfigured security levels that can be used to simplify what options will be applied. The levels are Low, Medium-low, Medium, Medium-high and High.

Low

This level is used when a minimal level of security is needed. It should only be used when the web-sites concerned are trusted or when testing compatibility, security or other options. All sites in the affected zone will be able to run any kind of script or active content, and users will be able to download components without restrictions. This level is rarely used in a production environment.

Medium-Low

This is the default security level for the Local Intranet zone. This level of security is similar to low except that unsigned ActiveX controls will not be downloaded. It is often used for trusted Internet or Extranet web-sites or those on the local network. Like the low level, it is available for use in the Local Intranet or Trusted Sites zones.

Medium

This is the default security level used for the Trusted Sites zone. It is similar to the Medium-low configuration except that users are prompted before downloading content that might be unsafe to the computer. The Medium security level is available for the Internet, Local Intranet and Trusted Sites zones.

Medium-high

This is the default security level used for the Internet zone. As the second strongest security level, it is often used for locations that need above normal security restrictions. This security level is available for the Internet, Local Intranet and Trusted Sites zones.

High

This is the default security level used for the Restricted Sites zone. As the level with the most restrictive options, it is normally only used for testing purposes or for web-sites that are not trusted. Web-sites that are known to have harmful content should be blocked at the firewall, but if that is not feasible, this is the next best option. When this level of security is required for a zone, Protected Mode should also be enabled.

In addition to the preconfigured security levels, other options can be used to enhance the security of the browser. The Enable Protected Mode setting, for example, can help to protect the system from the accidental download of malicious software. When turned on, this option will warn you before software is installed through a web-page or if the browser tries to run an application. The Enable Protected Mode option can be configured separately for each zone. If you need to reset security zones to their original settings after customizing them, this can be done for all of them or individually.
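The default level of each zone described in Lessons 1 and 2 can be checked from a script; the following is an added PowerShell example, not part of the courseware. The function names and the sample snapshot are constructed for illustration, and the live reader covers only the signed-in user's own settings, not values enforced through Group Policy.

```powershell
# Added example (not from the courseware): compare each zone's security level
# with the default named in this module and report the Protected Mode state.

$ZoneNames = @{ 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# CurrentLevel template codes stored in the zone registry keys,
# ranked from least (1) to most (5) restrictive.
$Levels = @{}
$Levels[0x10000] = @{ Name = 'Low';         Rank = 1 }
$Levels[0x10500] = @{ Name = 'Medium-low';  Rank = 2 }
$Levels[0x11000] = @{ Name = 'Medium';      Rank = 3 }
$Levels[0x11500] = @{ Name = 'Medium-high'; Rank = 4 }
$Levels[0x12000] = @{ Name = 'High';        Rank = 5 }

# Default level per zone, as stated in Lesson 2.
$Baseline = @{ 1 = 0x10500; 2 = 0x11000; 3 = 0x11500; 4 = 0x12000 }

# Reads the signed-in user's zone settings (Windows only).
function Get-ZoneSnapshot {
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    $snapshot = @{}
    foreach ($zone in $ZoneNames.Keys) {
        $props = Get-ItemProperty -Path (Join-Path $base $zone) -ErrorAction SilentlyContinue
        if ($props) {
            $snapshot[$zone] = @{ CurrentLevel = $props.CurrentLevel; ProtectedMode = $props.'2500' }
        }
    }
    $snapshot
}

# Pure comparison logic, so it can be run on saved or constructed data.
function Test-ZoneBaseline {
    param([Parameter(Mandatory = $true)][hashtable]$Snapshot)

    foreach ($zone in ($Snapshot.Keys | Sort-Object)) {
        $entry    = $Snapshot[$zone]
        $current  = $Levels[[int]$entry.CurrentLevel]   # $null when the zone uses custom settings
        $expected = $Levels[[int]$Baseline[$zone]]

        if ($null -eq $current) {
            $levelName = 'Custom'
            $status    = 'Custom settings: review each option'
        } elseif ($current.Rank -lt $expected.Rank) {
            $levelName = $current.Name
            $status    = 'Weaker than default'
        } else {
            $levelName = $current.Name
            $status    = 'OK'
        }

        # Registry value 2500 holds the Protected Mode setting: 0 = enabled, 3 = disabled.
        if ($null -eq $entry.ProtectedMode)      { $protected = 'Not set' }
        elseif ([int]$entry.ProtectedMode -eq 0) { $protected = 'On' }
        else                                     { $protected = 'Off' }

        # The lesson pairs the High level with Protected Mode.
        if ($levelName -eq 'High' -and $protected -ne 'On') {
            $status += '; enable Protected Mode'
        }

        New-Object PSObject -Property @{
            Zone = $ZoneNames[$zone]; Level = $levelName; Default = $expected.Name
            ProtectedMode = $protected; Status = $status
        } | Select-Object Zone, Level, Default, ProtectedMode, Status
    }
}

# Constructed sample: Trusted Sites lowered to Low, Restricted Sites without Protected Mode.
$sample = @{
    1 = @{ CurrentLevel = 0x10500; ProtectedMode = 3 }
    2 = @{ CurrentLevel = 0x10000; ProtectedMode = 3 }
    3 = @{ CurrentLevel = 0x11500; ProtectedMode = 0 }
    4 = @{ CurrentLevel = 0x12000; ProtectedMode = 3 }
}
Test-ZoneBaseline -Snapshot $sample | Format-Table -AutoSize

# On a Windows client, audit the real per-user settings instead:
# Test-ZoneBaseline -Snapshot (Get-ZoneSnapshot) | Format-Table -AutoSize
```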


Lesson 3: Configure Privacy Settings

Cookies
Pop-Up Blocker
InPrivate Browsing and Filtering

An important consideration when protecting users on the Internet is making sure that they do not inadvertently give away confidential information about themselves. The privacy options in Internet Explorer are configured by using the menu bar to navigate to Tools > Internet Options and then accessing the Privacy tab. Using the options presented, you can manage settings that control the use of cookies, pop-ups and InPrivate Filtering.

Cookies

Cookies are created on the local computer by web-sites that the users connect to. They are small text files that cannot be executed directly. The web-site can use these cookies to store user preferences, session data and other information about the user or his computer. Enabling cookies is useful because they can give you access to important features on a web-site, but this also presents a security risk because they allow web-sites to track your actions.

The security settings for cookies allow you to accept all of them or deny their use entirely when working on the Internet. Neither of these options is practical in most cases, so there are other configuration options that allow you to deny or enable the use of first-party or third-party cookies. First-party cookies are generated by the web-site you are visiting. Third-party cookies, which are generally considered to be less desirable from a security standpoint, are owned by a web-site different from the one that put them on your computer. Cookies can also be allowed or blocked based on the type of privacy policy the web-site has.


If there are specific web-sites that should be exempt from the general privacy policy you are using for Internet cookies, they can be manually added to an exception list. The list lets you allow or block all cookies for any web-site specified.


Pop-Up Blocker

This Internet Explorer feature allows you to prevent or limit the automatic generation of new browser windows when you go to or use certain features on a web-site. Some of these pop-ups are used by web-sites for legitimate purposes like providing a logon authentication window, but many are used to generate advertisements and other unwanted information. It is generally recommended that this feature be left on unless a third-party pop-up blocker is used. Enabling two pop-up blockers at the same time can create application conflicts and prevent authorized web-sites from working. The level of blocking can also be configured. You can block all pop-ups, most automatic pop-ups or only pop-ups from unsecure sites. To prevent specific web-sites from being affected by the pop-up blocker, you can add them to a list of allowed sites.

InPrivate Browsing and Filtering

Using information generated by Internet Explorer for browser history, passwords and cookies, it is often possible to track the previous actions of a user on the Internet. To keep this information confidential, the InPrivate option can be enabled. InPrivate Browsing automatically deletes session information generated for the user such as the browsing history and cookies.

InPrivate Browsing is not automatically used in a browser when it is enabled. The Safety option in the browser toolbar can be used to activate it for the active browser window you are using. The keyboard shortcut keys for this feature are Ctrl + Shift + P.

InPrivate Browsing changes the behavior of a number of browser settings when it is activated for a browser window:

Cookies: The cookies are kept in memory but deleted when the browser window is closed.
History: No history is kept of the web-sites visited.
Passwords: No passwords are stored.



Temporary Internet Files: These are still generated and used but automatically deleted when the browser window is closed.
Address Bar: Web-pages and other locations used in the address bar are not stored.
Automatic Crash Restore: When a window that uses InPrivate Browsing crashes, it cannot be restored using ACR.
Document Object Model: DOM information is not kept after an InPrivate Browsing window is closed.

InPrivate Filtering is another option that can be enabled to protect confidential user information. As with InPrivate Browsing, enabling it does not activate it for all browser windows. It is also turned on from the Safety option in the browser toolbar or by using the Ctrl + Shift + F shortcut keys. InPrivate Filtering lets the user prevent third-party content providers from receiving information about their browsing activity. You can block all or specific content providers. Using this feature will sometimes prevent the user from accessing some options on a web-site.


Lesson 4: Managing Add-ons

Installing Add-ons

Enable / Disable Add-ons


Removing Add-ons

Add-ons are used in Internet Explorer to improve the browsing experience for users. However, these add-ons can sometimes present security and compatibility issues. When this is the case, the add-ons can be easily disabled and enabled to fix problems or for testing purposes. Existing add-ons can be managed from the menu bar by browsing to Tools > Manage Add-ons.


Installing Add-ons

New add-ons can be downloaded and installed for IE from Microsoft and other trusted web-sites. Using the links in the Manage Add-ons page is the easiest way to find new trusted add-ons. The add-ons can provide a number of services including news, toolbars, weather and other information. Each new add-on will likely increase the workload of the system and can slow down or interfere with other applications, so policies should be in place to test add-ons before they are approved for end-users.

Enable / Disable Add-ons

Once installed, add-ons can be disabled and then enabled again when desired. They are normally disabled if they are causing a problem or slowing down the system. If a specific add-on is suspected of causing a problem, disable it and then test the system to see whether the problem can be repeated. Care should be taken when disabling add-ons that have dependent components. The system will warn of these before the item is disabled.

If you are unsure of which add-on is causing problems, they can be disabled one-by-one, usually starting with the ones that have been installed recently or that do not have verified publishers. The browser can be started without any add-ons enabled by using the preconfigured browser under Accessories in the System Tools folder. Manually running Internet Explorer with the -extoff parameter (iexplore.exe -extoff) will accomplish the same thing.


Removing Add-ons

Uninstall the Program

Anti-Malware Software

When an add-on is no longer useful or if it is found to have or cause problems on the system, it should be uninstalled. The Manage Add-ons window does not provide an option to remove existing add-ons. Uninstalling the program used to install them is the best way to accomplish this. In some cases, you may need to use anti-virus or spyware software to help in identifying and removing the add-ons and the programs used to install them. This is especially the case when the program is deliberately configured to not show up in the Manage Add-ons list or in the list of installed programs.
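The advice under Enable / Disable Add-ons (start with add-ons that were installed recently or that lack a verified publisher) and the note above about add-ons that hide from the usual lists can both be supported by a script. The following PowerShell (3.0 or later) is an added example, not part of the course material: it covers Browser Helper Objects only, the registry locations are assumptions taken from outside the course text, the DLL's last write time stands in for the install date, and the sample add-on names are constructed.

```powershell
# Added example: list Browser Helper Objects (one kind of IE add-on) directly from
# the registry and order them for one-by-one disabling.
# Assumptions (not from the course text): BHOs are registered under the
# "Browser Helper Objects" key and their DLL path under CLSID\<id>\InprocServer32.

function Get-IEBrowserHelperObject {
    $bhoKey = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($view in '', 'Wow6432Node\') {          # 64-bit view, then 32-bit view
        $root = "HKLM:\SOFTWARE\$view$bhoKey"
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid  = $_.PSChildName
            $class  = "Registry::HKEY_CLASSES_ROOT\${view}CLSID\$clsid"
            $name   = (Get-ItemProperty -LiteralPath $class -ErrorAction SilentlyContinue).'(default)'
            $dll    = (Get-ItemProperty -LiteralPath "$class\InprocServer32" -ErrorAction SilentlyContinue).'(default)'

            # 'FileMissing' is this example's own label for a registration whose DLL is gone.
            $status = 'FileMissing'; $publisher = $null; $written = $null
            if ($dll) { $dll = $dll.Trim('"') }
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig    = Get-AuthenticodeSignature -FilePath $dll
                $status = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $publisher = $sig.SignerCertificate.Subject }
                $written = (Get-Item -LiteralPath $dll).LastWriteTime
            }

            [pscustomobject]@{
                Name = $name; Clsid = $clsid; Path = $dll
                SignatureStatus = $status; Publisher = $publisher; LastWrite = $written
            }
        }
    }
}

# Pure ordering step: anything without a valid signature first, and within each
# group the most recently written file first.
function Get-AddOnTriageOrder {
    param([Parameter(Mandatory = $true)][object[]]$AddOn)
    $AddOn | Sort-Object -Property @{ Expression = { $_.SignatureStatus -eq 'Valid' } },
                                   @{ Expression = { $_.LastWrite }; Descending = $true }
}

# Constructed sample so the ordering can be seen without touching a real system.
$sample = @(
    [pscustomobject]@{ Name = 'Contoso Toolbar'; SignatureStatus = 'Valid';     LastWrite = [datetime]'2011-12-20' }
    [pscustomobject]@{ Name = 'WeatherBar';      SignatureStatus = 'NotSigned'; LastWrite = [datetime]'2011-06-01' }
    [pscustomobject]@{ Name = 'NewsTicker';      SignatureStatus = 'Valid';     LastWrite = [datetime]'2010-03-15' }
    [pscustomobject]@{ Name = 'FreeAccelerator'; SignatureStatus = 'NotSigned'; LastWrite = [datetime]'2012-01-05' }
)
Get-AddOnTriageOrder -AddOn $sample | Format-Table Name, SignatureStatus, LastWrite -AutoSize

# On a Windows client:
#   Get-AddOnTriageOrder -AddOn (Get-IEBrowserHelperObject) | Format-Table -AutoSize
```

An entry that appears in this output but not in Manage Add-ons or the installed programs list is a candidate for the anti-malware scan described above.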


Lesson 5: Configure SmartScreen Filter

How it Works

Protection Offered

While it is important for corporate computers to have software that protects against malicious attacks, Internet Explorer has its own features that can provide partial protection against some forms of attacks. SmartScreen Filter is one of those features that can help to detect phishing websites and dangerous files before they are downloaded. The Enable SmartScreen Filter option can be enabled in the Advanced tab of the Internet Options window.


How It Works

Microsoft SmartScreen Service

Registered URLs
Address Bar Coloring

When enabled, this feature will send the addresses of web-sites that you visit to the Microsoft SmartScreen service. This service compares the URL to a list of sites known for malware and phishing attacks. If the site is on the list, it will be blocked, but the user has the option of bypassing the block and continuing to the site. The address bar will be colored red while visiting such a site. Individual users can report web-sites they suspect of having problems and site owners can dispute registration in the list by using the SmartScreen Filter service.

Protection Offered

Social Engineering

Known Malware & Phishing Sites


Downloading Malware

An important advantage of enabling this feature is that it can also protect against some forms of social engineering attacks. Sites that encourage users to download accelerators or malware protection often end up damaging the system or compromising private information. Free software is another form of bait used by such sites. Legitimate-looking emails that encourage a user to follow a link and update their username and password at what they think is their bank, or another legitimate institution they work with, are a further example. Regardless of the method used to get users to browse to a dangerous site or download harmful software, once the site is marked with SmartScreen Filter, they will be warned before using the site.


Lesson 6: Other Internet Explorer Issues

Using Certificates
Browsing History
Group Policy Restrictions
Restoring Default Settings
New Features in Internet Explorer 9

Internet Explorer has many features and options that can be used to maintain a secure environment when browsing web-sites. By using encryption, history, password and group policy options, you will be able to provide a working environment for end-users that they can trust.

Using Certificates

Certificates installed on web-sites allow the end-user to encrypt data sent back and forth to them. Whenever confidential data is being sent over the network, the user should be trained to verify encrypted connections by looking for the use of the HTTPS protocol in the URL. The source of the certificates should be a trusted organization. In addition to the trusted Certificate Authorities (CAs) configured in IE, you can add certificates used by Intranet and partner organization sites.

Client certificates are those installed on the local computer. They allow web-sites and other authentication systems to verify the identity of your machine. This provides a mutual authentication environment where the client computer can still verify the identity of the server, but the server can also verify the identity of the client connecting to it. This system is sometimes used for more secure access to web-based applications used on web-sites managed by partnering organizations. Client certificates can be automatically issued through Active Directory using group policy settings.

Instead of simply accepting the information provided in a server's certificate, the browser can be configured to verify the certificate by contacting the CA that issued it. This ensures that the certificate was not only issued properly, but that it has not expired. This setting (Check for server certificate revocation) can be configured by using the menu bar to go to Tools > Internet Options and then navigating to the Advanced tab.


Browsing History

The settings to control the storage of Internet Explorer's browsing history are on the menu bar under Tools > Internet Options in the General tab. These options can be used to control how temporary files, cookies, passwords and URL browsing history are handled. You are able to control the amount of drive space dedicated to Temporary Internet Files, where they will be stored on the hard-drive and how many days to keep URLs in the browser history. The Temporary Internet Files are stored in the user profile by default. There are instances where you might change the location, such as when you are working with roaming profiles.

The browsing history can be deleted manually or automatically when the browser window is closed. If there are specific web-sites that you want to keep Temporary Internet Files and cookies for when manually deleting the history, add the URLs to your favorites and use the options in browsing history to keep this information.

Group Policy Restrictions

If there are general rules in place for how options in Internet Explorer are configured for a group of users, group policy settings are normally the best way to manage these options. Many options are available, including security-related features such as InPrivate Browsing & Filtering, the Favorites Bar, Encryption support, Browsing History, the use of Accelerators and Certificates. Some options, such as Compatibility View, which supports applications written for IE7, are not directly related to security but can affect the usability of the browser.


Restoring Default Settings

If changes made to the Internet Options start causing problems to the functionality or performance of the system, these settings can be reset in two ways. Both options are available by using the menu bar to go to Tools > Internet Options and then opening the Advanced tab. The option to Restore advanced settings is used if you are sure that the problem was caused by changing settings only in the Advanced tab. If you are unsure about what changes are causing the problem, then all settings can be reset by clicking the Reset button at the bottom of the same tab.

New Features in Internet Explorer 9

Security Improvements
HTML5 Support
Hardware Acceleration
JavaScript Engine

Computer systems that upgrade from Internet Explorer 8 to version 9 will use new options that can improve performance for end-users and programming features for developers. New security features will include options to help the user in choosing safe download content (Application Reputation), limit the use of ActiveX controls to specific web-sites (ActiveX Filtering), prevent web-sites from tracking browser activity (Tracking Protection), and help to neutralize some scripting attacks. Other changes will provide support for HTML5, improved hardware acceleration and a faster JavaScript engine.

By adding support for more HTML5 features in IE9, the browser will perform better and allow developers to create web applications using a more consistent programming model. The improved capabilities of HTML5 will reduce the need to use add-ons for some application features.

The new browser uses DirectX rendering to make graphical and text representations faster and better. By using hardware acceleration in this way, not only is the user experience better when browsing, but developers will also be able to take advantage of this new capability without modifying their code significantly.

The new JavaScript engine in IE9 is significantly faster than the ones in earlier versions of Internet Explorer. This is mainly due to the new multi-core processor support. The browser will make better use of multi-core processor architecture to compile and run code.

In addition to providing specific security improvements, the new IE9 features provide the ability to run web applications with less complex coding and reduce the need for add-ons. This improves the stability of the system and reduces its susceptibility to malware attacks. When add-ons are needed, their performance impact can be evaluated with the new Add-on Performance Advisor.


Resolve Internet Explorer Security Issues


Review the scenarios and problems presented along with their solutions

Internet Explorer is used by many users not simply to browse the Internet, but to access network services and web applications that they need to do their jobs. Problems with Internet Explorer might mean that they are unable to complete an important task that affects their productivity. Being able to fix browser issues quickly can contribute to the bottom line of an organization. Here are some problems that you might face when troubleshooting IE issues on the job and some recommended ways of dealing with them. When trying to solve problems, the security of personal information, network resources or other data should never be compromised.

The security settings for Internet web-sites are very restrictive in your organization, but you need to lower them for a small group of web-sites. These sites are controlled by another company with which you will be partnering on a government project. How could you go about allowing access to these web-sites without compromising your existing security structure?

You should add the web-sites of the partner company to the Trusted Sites zone. The security settings you apply there will not affect other Internet web-sites.

Because of virus problems in the past, it has been decided that users should not be allowed to install programs deliberately or otherwise through their browsers. The only exception will be if they work with the trusted web-sites in the Trusted Sites zone. How can you implement this new policy?

Configure the security settings in everyone's browser to enable Protected Mode. This will be done for all zones except Trusted Sites. To continually enforce this policy, it is best to implement this using Group Policy.

While testing some new security settings for the Local Intranet zone, you realize that the new options will not work. You did not write down the original settings but need to put them back to how they were before. What is the easiest way to do this?

Use the Default level button for the Local Intranet zone to revert to the original settings.


The Security Policy of your organization requires that all web-sites without a compact security policy should have their cookies blocked. You need to allow the cookies generated by a web-site owned by a new partnering firm, even though they do not have a privacy policy. How can this be done without compromising the general policy your company has for cookies?

Use the Privacy options in the browser to add the web-site of the partnering company to the list of managed sites. Specifically configure it to allow cookies for that site.

After enabling InPrivate Browsing in Internet Explorer, a user realizes that it is not being used in her browser window. She has tried exiting and restarting the browser a few times with no success. What should you tell this user about using this feature?

InPrivate Browsing is activated for a browser window by using the options in the Safety window of the browser toolbar. She can also use the Ctrl + Shift + P keys as a keyboard shortcut to activate it.

Some of the users on your network are concerned about their private information being passed to third-party web-sites that they do not directly visit. What features in Internet Explorer can they use to control this kind of data transfer?

The privacy options in IE allow the user to specify whether or not third-party cookies can be used. InPrivate Filtering can also be used to block content from being sent to such web-sites.

A user calls to ask you about a web-site they are working on in the browser because the address bar background is red. They received a message box before connecting to the site, but did not read it before closing it. What should you tell the user?

The user should close the web-site immediately and delete any files downloaded from the site. The red background is an indicator that this is a site known for phishing or malware attacks. A virus and malware scan of the system would also be prudent. If the user believes that the site is legitimate and has some business reason for using it, this can be further investigated and the owner of the site can be encouraged to send feedback to the SmartScreen Filter.

After installing a new add-on for Internet Explorer, a user keeps getting error messages when they browse some web-sites. What should the user do?

The user should disable the add-on by using the menu bar to browse to Tools > Manage Add-ons.

A user has been testing a number of options in IE and now finds that they cannot work on some of the Intranet or Internet web-sites. They cannot recall all the options they changed. How can you help this user?

Have the user reset all their Internet Explorer options back to their default settings. Use the menu bar to go to Tools > Internet Options and in the Advanced tab, use the Reset button at the bottom of the window.


Review Module 13: Identify & Resolve Internet Explorer Security Issues

REVIEW
Examine the review questions as a class

1. What are the four security zones in Internet Explorer?

2. Which IE security zone will normally be configured with the least restrictive security settings?

3. When a web-site is not specifically assigned to a security zone, where will it be assigned?

4. What IE setting, if enabled, will warn you about a webpage trying to run an application?

5. What is the default security level used for web-sites added to the Trusted Sites zone?

6. True or False. All Internet Explorer pop-ups are illegitimate and should always be blocked.

7. What are third-party cookies?

8. Why would you enable the InPrivate Browsing option in Internet Explorer?

9. True or False. InPrivate Browsing can be used to protect user information transmitted over the network.

10. What shortcut keys are used to activate the InPrivate Filtering feature?

11. When would you use the Compatibility View option in Internet Explorer?

12. True or False. Certificates must be installed on the client system to encrypt data using the HTTPS protocol.

Labs Module 13: Identify and Resolve Internet Explorer Security Issues

Exercise 1: Configure Trusted Security Zones

Exercise 2: Configure Security and Privacy Features


Exercise 3: Configure Group Policy Restrictions

Overview: Configure and test Internet Explorer security features using the local browser and group policy settings. Unless stated otherwise, start up the Windows 7 client and the domain controller images. Log in with the Contoso\Admin1 user account with a password of Pa$$w0rd.

Estimated time to complete this lab is 30 minutes.


Exercise 1: Configure Trusted Security Zone for automatic authentication on Intranet Site
1. Open Internet Explorer.
2. Press Alt + F to access the menu bar, go to Tools and click Internet Options.
3. In the Security tab, click Trusted sites.
4. Click the Custom level button and scroll all the way to the bottom of the settings window.
5. In the User Authentication section, make sure that Automatic logon only in Intranet zone is selected.
6. Click OK.
7. Click the Sites button.
8. Uncheck the box for Require server verification (https) for all sites in this zone.
9. Add http://contoso.com to represent your local intranet site.
10. Click Close.

Exercise 2: Configure the Security and Privacy Features in Internet Explorer


1. Open the Internet Options window in Internet Explorer.
2. Go to the General tab.
3. Click the Settings button under Browsing history.
4. Set the disk space to use 8MB.
5. Set the days to keep pages in history to 0. Click OK.
6. Click the check box for Delete browsing history on exit.
7. Click Delete under the Browsing history section.
8. Read the description of each check box and enable all of them.
9. Click Delete.
10. Go to the Privacy tab.
11. Enable both options for InPrivate Filtering. These options prevent private data from being shared with third-party web-sites.
12. Go to the Advanced tab.
13. Scroll down to the Security section and verify that the options to check for certificate revocation are checked.
14. Go to the Programs tab.
15. Click the Manage add-ons button to see all the add-ons available in the browser.
16. Click any Add-on and notice the option to disable it. Add-ons can also be uninstalled by removing the application that installed it.
17. Click Close and close Internet Explorer.
18. Click Start > All Programs > Accessories > System Tools.
19. Open Internet Explorer (No Add-ons). This option is good for troubleshooting issues created by add-ons installed in IE. The same thing can be done by executing iexplore.exe -extoff.
20. In Internet Explorer, open the menu bar with Alt + F. Notice the options under Tools for InPrivate Browsing, InPrivate Filtering and SmartScreen Filter. Enable each of these options and find out what the features do by using Windows Help and Support.
21. In Internet Explorer, use the menu bar to go to Tools > Compatibility View Settings. Notice the options available for adding and configuring the behavior of web-sites designed for older versions of IE.

Exercise 3: Configure Group Policy Settings for Internet Explorer


1. Open the Group Policy Management console with Contoso\Administrator credentials.
2. Edit the Default Domain Policy.
3. Navigate to User Configuration > Policies > Windows Settings > Internet Explorer Maintenance.
4. Under Browser User Interface, configure Browser Title to say Contoso Corporation.
5. Under Connection, configure Proxy Settings to use an IP of 192.168.10.100 on Port 8080.
6. Under URLs, double click Favorites and Links.
7. Click the check box for Place favorites and links at the top of the list in the order specified below.
8. Click the check box for Delete existing Favorites and Links, if present.
9. Use the Add URL button to create a URL with the Name: Contoso Home Page and a URL of http://contoso.com. Click OK twice.
10. Under Internet Explorer Maintenance, click URLs.
11. Open the properties of Important URLs.
12. Specify http://contoso.com as the Home page URL. Click OK and close the Group Policy Management Console.
13. Open Internet Explorer and verify the changes just made. If the policy settings are not being enforced, log out and log back in or use the gpupdate /force command.


Module 14: Identify and Resolve Firewall Issues

Table of Contents
Overview
Lesson 1: Securing Network Applications and Features
Lesson 2: Windows Firewall Rules
Lesson 3: Configure Notifications and Logging
Lesson 4: Network Security Tools
Resolve Firewall Issues
Review Module 14: Identify & Resolve Firewall Issues
Labs Module 14: Identify and Resolve Firewall Issues

Overview

Securing Network Applications and Features

Windows Firewall Rules


Configuring Notifications and Logging

Network Security Tools


Resolve Firewall Issues

An important way to protect desktop computers on your network is to configure them to use the protection provided by Windows Firewall. While the organization will probably have a firewall to protect the whole Intranet, the desktop firewall configuration can be seen as part of a defense in depth strategy, which requires having multiple layers of protection at different levels on the network.

The features in Windows Firewall allow you to control what applications and services are able to do over the network. You can use port and protocol information or the actual names of the programs involved. The rules can be applied to all connections or only to those that meet certain conditions.

While a firewall will provide important network protection for a computer, it will not prevent all problems. Virus attacks via emails or downloaded documents will only be prevented by up-to-date anti-virus software. The same goes for phishing and spyware attacks. The firewall can prevent some types of worm attacks and can stop infected computers from spreading malware to other systems.

This section of the course will provide details about how you can use your Windows Firewall to protect your system. We will also look at ways to deal with specific problems that might come up when configuring it and some other security tools in Windows 7 that can be used to test and troubleshoot it.

Lesson 1: Securing Network Applications and Features

Blocking Ports and Applications

Configuring the Firewall

Network communication with a computer takes place after identifying the IP address of the system and the port and protocol information for the application or service you will be connecting to. Most FTP servers, for example, communicate with client computers on port 21 using the TCP protocol. With that information and the correct name or IP address of the system, you will be able to connect to this service. This information can also be used by the firewall to prevent connections to specified services and applications.

Blocking Ports and Applications

Listening Ports

Block Applications
Block Features

Windows Firewall is able to protect a computer from outside attacks by allowing communication on only authorized ports. Even if an FTP server is running on a system, if the port it listens on is blocked, clients will not be able to connect to it. By blocking the ports used by well-known applications (e.g. DNS, FTP, SMTP or Web Server), you are able to better secure a system. You also have the option of blocking specific programs and features installed on the system, regardless of the ports that they use. The Telnet application or any other program that uses the network could therefore be prevented from communicating over the Intranet or Internet.

Configuring the Firewall

The best configuration for Windows Firewall is to configure it to block all applications and services, only allowing connections for those with rules created for them. Windows Firewall has many preconfigured rules for common applications used on the system. These can be reconfigured to allow or deny access to the specified program. If the application you are concerned about is not already listed, a new rule can be manually configured to meet your needs. Care should be taken when creating new rules that allow or deny access to a system. All the network and Internet services that the user works with should be tested with the new configuration if you are unsure of the ramifications of a certain change. While client and server communications will be the main concern, communication between client systems should also be tested.

Lesson 2: Windows Firewall Rules

Exceptions List

Creating New Rules


Conflicting Firewall Rules

When Windows Firewall blocks an application that you want to use, you can configure an exception for it. Turning off the firewall is not recommended, unless this will be for a short time and if it is done in a secure environment. Creating a new rule might also accomplish the same task, but the consequences of creating rules that conflict with each other should be considered carefully.

Exceptions List

User applications can be allowed network access even when a block rule is in effect by adding an exception to that rule. Exceptions can be specified for Users, Computers, Programs and Ports. The options available vary but exceptions should be used sparingly. Too many exceptions to a rule can invalidate it for practical purposes, in which case it might be more practical to simply delete it.

Creating New Rules

Separate firewall rules can be created for the different types of networks that the user might work on, especially for mobile devices. These rules are grouped together into profiles that apply to Domain, Private or Public network connections. Domain networks are automatically identified when authentication is done through a domain controller. Private networks must be specifically identified as such by the user, such as when they work from home. All other networks are categorized as Public. These are normally insecure and the strongest security rules are reserved for these locations.

A rule can be created for all networks or for specific network profiles. On computers with multiple network connections, you can specify which ones will use the new rule and to what IP addresses it will apply.

Authentication can be required or requested for inbound or outbound connections. If authentication is required, the type to use will be specified. When it is requested, remote systems that attempt authentication will still be allowed to connect if the process fails.

The authentication protocol chosen can be NTLMv2, Kerberos, Certificate-based or Preshared key. The Preshared key is the least secure method and uses a word or phrase configured on both systems to verify the connection. Kerberos authentication is the simplest method to set up in an Active Directory environment because client and server computers already use it. NTLMv2 is used for backward compatibility with older Windows systems. Certificate-based authentication is very secure and allows for authentication to non-Windows systems, but requires a PKI infrastructure to support it.

The firewall rules will also allow you to configure protocol and port numbers for each endpoint. A specific protocol type can be chosen from a preconfigured list or you can choose the Custom option to specify the number you want to use. When specifying the computers you will be connecting to, you have the option of choosing specific IPs, a range of IPs, or a subnet. When you choose the option to specify a predefined set of computers, you can choose the local subnet, the default gateway, WINS, DNS or DHCP servers.
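The profile, protocol, port and remote address options described in this lesson correspond to parameters of the netsh advfirewall command. The script below is an added example, not part of the courseware: the rule names and the ConvertTo-NetshRuleArgs helper are assumptions, and it contrasts a rule left at its broadest values with one limited to the Domain profile and the local subnet. It only prints the commands unless $Apply is set to $true.

```powershell
# Added example, not part of the courseware. The rule names and the helper
# ConvertTo-NetshRuleArgs are illustrative assumptions.
$Apply = $false   # set to $true in an elevated session to change the firewall

function ConvertTo-NetshRuleArgs {
    param([hashtable]$Rule)

    foreach ($key in 'Name', 'Protocol', 'LocalPort') {
        if (-not $Rule.ContainsKey($key)) { throw "Rule is missing '$key'." }
    }
    $port = [int]$Rule.LocalPort
    if ($port -lt 1 -or $port -gt 65535) { throw "Invalid port: $port" }

    # A condition left unset falls back to its broadest value.
    $profiles = if ($Rule.Profiles) { $Rule.Profiles -join ',' } else { 'any' }
    $remoteIp = if ($Rule.RemoteIP) { $Rule.RemoteIP } else { 'any' }

    @('advfirewall', 'firewall', 'add', 'rule',
      "name=$($Rule.Name)", 'dir=in', 'action=allow',
      "protocol=$($Rule.Protocol)", "localport=$port",
      "profile=$profiles", "remoteip=$remoteIp")
}

# Block unsolicited inbound traffic on every profile; rules then open only
# what is needed. The value is quoted so PowerShell passes it as one argument.
$defaultPolicy = @('advfirewall', 'set', 'allprofiles', 'firewallpolicy',
                   'blockinbound,allowoutbound')

# Broad: TCP 21 reachable on every profile from any address.
$broad = ConvertTo-NetshRuleArgs @{ Name = 'FTP-broad'; Protocol = 'TCP'; LocalPort = 21 }

# Scoped: same port, but only on the Domain profile and only from the local subnet.
$scoped = ConvertTo-NetshRuleArgs @{
    Name = 'FTP-scoped'; Protocol = 'TCP'; LocalPort = 21
    Profiles = @('domain'); RemoteIP = 'localsubnet'
}

"Policy: netsh $($defaultPolicy -join ' ')"
"Broad : netsh $($broad -join ' ')"
"Scoped: netsh $($scoped -join ' ')"

if ($Apply) {
    # Only the default policy and the scoped rule are applied.
    & netsh.exe $defaultPolicy
    & netsh.exe $scoped
    & netsh.exe advfirewall firewall show rule 'name=FTP-scoped'
}
```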

Conflicting Firewall Rules

Windows Service Hardening
Connection Security
Authenticated Bypass
Block
Allow
Default Rules
Specificity

In situations where multiple rules apply to the same connection, the firewall will categorize and sort them to decide which one to enforce. The category a rule belongs to depends on the rule type. There are six rule types that are applied in the following order: Windows Service Hardening, Connection Security, Authenticated Bypass, Block, Allow and Default rules. Within each category, the most specific rule is chosen when multiple or conflicting rules apply to a particular connection scenario.

Firewall rules can be configured on the local machine or applied through group policy settings (Windows Firewall with Advanced Security setting in Computer Configuration > Policies > Windows Settings > Security Settings). When this happens, all the rules are merged together. Group Policies can be configured to override local machine settings when desired.
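The ordering described above can be followed with a small model. This is an added example, not part of the courseware and not how Windows Firewall is implemented: the rules, the program path and the connection are constructed, conditions are compared as plain strings, and "specificity" is assumed to mean the number of conditions a rule sets.

```powershell
# Added example: simplified model of rule precedence (category first, then
# specificity). All rules, names and paths are constructed for illustration.
$categoryOrder = @('ServiceHardening', 'ConnectionSecurity', 'AuthenticatedBypass',
                   'Block', 'Allow', 'Default')
$conditionNames = @('Program', 'Protocol', 'LocalPort', 'RemoteIP')

function Test-RuleMatch {
    param([hashtable]$Rule, [hashtable]$Connection)
    foreach ($condition in $conditionNames) {
        # A condition the rule does not set matches any connection.
        if ($Rule.ContainsKey($condition) -and
            $Rule[$condition] -ne $Connection[$condition]) {
            return $false
        }
    }
    return $true
}

function Get-EffectiveRule {
    param([hashtable[]]$Rules, [hashtable]$Connection)

    $candidates = foreach ($rule in $Rules) {
        $rank = [array]::IndexOf($categoryOrder, $rule.Category)
        if ($rank -lt 0) { throw "Unknown category '$($rule.Category)'." }
        if (Test-RuleMatch -Rule $rule -Connection $Connection) {
            $set = @($conditionNames | Where-Object { $rule.ContainsKey($_) })
            New-Object PSObject -Property @{
                Name        = $rule.Name
                Category    = $rule.Category
                Rank        = $rank
                Specificity = $set.Count   # assumption: more conditions = more specific
            }
        }
    }

    # Earlier category wins; inside one category the most specific rule wins.
    $candidates |
        Sort-Object @{ Expression = 'Rank'; Descending = $false },
                    @{ Expression = 'Specificity'; Descending = $true } |
        Select-Object -First 1
}

$rules = @(
    @{ Name = 'Allow ledger app'; Category = 'Allow'
       Program = 'C:\Apps\ledger.exe'; Protocol = 'TCP'; LocalPort = 8443 },
    @{ Name = 'Block TCP 8443'; Category = 'Block'; Protocol = 'TCP'; LocalPort = 8443 },
    @{ Name = 'Default inbound block'; Category = 'Default' }
)
$connection = @{ Program = 'C:\Apps\ledger.exe'; Protocol = 'TCP'
                 LocalPort = 8443; RemoteIP = '192.168.10.55' }

# The Block rule is selected even though the Allow rule sets more conditions,
# because the Block category is evaluated before the Allow category.
Get-EffectiveRule -Rules $rules -Connection $connection |
    Format-List Name, Category, Specificity
```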

Lesson 3: Configure Notifications and Logging

Configure Logging

Configure Notifications

Keeping track of attempts to circumvent firewall rules on computers will help to make the systems more secure. They may not always indicate attempted security breaches, but will help the technician to better understand how computers and applications communicate with each other over the network. When legitimate programs are not working properly, the notifications given by the firewall might indicate that the rules need to be modified. Logs can be used to track consistent attempts to use a service or application on a computer.

Configure Logging

The success or failure of firewall processes can be logged for later examination. This information can be used for diagnosing problems or tracing security breaches. The logging options allow you to specify where the information will be stored and what events should be recorded. Each firewall profile can be configured with its own log settings.

The Windows Firewall application will automatically record operational information to the Event Viewer. Issues with connection security or firewall rules can be researched in these logs. The verbose logs generate very detailed information that can be used for diagnostic purposes. They are disabled by default and should only be enabled temporarily to fix specific problems.

In the Windows Firewall with Advanced Security application, the Properties option in the Action menu allows you to configure log settings for each firewall profile. The name, location and size of the log file can be specified. Whether or not you want to log dropped or successful connections can also be specified. When these settings are modified by means of group policy settings, the account assigned to the Windows Firewall service must be given write permissions to the new location of the log file. The account used by the Windows Firewall service is the Local Service account by default.
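Once dropped connections are being logged, the log can be summarised to find the repeated attempts against one service that this lesson mentions. The script below is an added example, not part of the courseware: the log lines are constructed sample data in the pfirewall.log layout, and the function names and the threshold of three drops are assumptions.

```powershell
# Added example: find sources that are repeatedly dropped on the same port.
# Logging of dropped packets can be enabled per profile with, for example:
#   netsh advfirewall set publicprofile logging droppedconnections enable
# The lines below are constructed sample data, not a real capture.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2012-03-01 09:14:02 DROP TCP 192.168.10.55 192.168.10.20 49512 21 52 S 1291048 0 8192 - - - RECEIVE
2012-03-01 09:14:05 DROP TCP 192.168.10.55 192.168.10.20 49512 21 52 S 1291048 0 8192 - - - RECEIVE
2012-03-01 09:14:11 DROP TCP 192.168.10.55 192.168.10.20 49513 21 52 S 2210377 0 8192 - - - RECEIVE
2012-03-01 09:15:40 ALLOW TCP 192.168.10.20 192.168.10.10 49170 445 0 - 0 0 0 - - - SEND
2012-03-01 09:16:27 DROP TCP 192.168.10.77 192.168.10.20 50211 3389 52 S 3310092 0 8192 - - - RECEIVE
2012-03-01 09:17:03 DROP TCP 192.168.10.55 192.168.10.20 49514 21 52 S 4417730 0 8192 - - - RECEIVE
'@ -split "`r?`n"

function ConvertFrom-FirewallLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') {
            # Column names come from the log itself, not from a fixed list.
            $fields = $Matches[1].Trim() -split '\s+'
            continue
        }
        if ($line -match '^\s*(#|$)') { continue }          # other headers, blank lines
        if (-not $fields) { continue }                      # no column list seen yet
        $values = $line.Trim() -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # truncated or malformed entry
        $entry = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        New-Object PSObject -Property $entry
    }
}

function Get-RepeatedDrop {
    param([object[]]$Entries, [int]$Threshold = 3)
    $Entries |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object -Property 'src-ip', 'protocol', 'dst-port' |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        ForEach-Object {
            $first = $_.Group[0]
            New-Object PSObject -Property @{
                SourceIP  = $first.'src-ip'
                Protocol  = $first.protocol
                DestPort  = $first.'dst-port'
                Drops     = $_.Count
                FirstSeen = "$($first.date) $($first.time)"
            }
        }
}

# For a live system, read the configured log file instead of the sample, e.g.
#   Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$entries = ConvertFrom-FirewallLog -Lines $sampleLog
Get-RepeatedDrop -Entries $entries -Threshold 3 |
    Select-Object SourceIP, Protocol, DestPort, Drops, FirstSeen |
    Format-Table -AutoSize
```

With the sample data, only 192.168.10.55 on TCP port 21 is reported; the single drop on port 3389 stays below the threshold.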

Configure Notifications

Firewall notifications allow a user to respond immediately when programs or services are blocked. He will have the option to continue to block the application or automatically create a rule that will unblock it. Notifications will only appear if there are no existing rules that apply to the program and if it is being blocked by the default behavior of Windows Firewall. The option to unblock the application will only be available if the user is an administrator or network configuration operator. As with the logging settings, the option to display notifications can be configured for each firewall profile.

Lesson 4: Network Security Tools

Windows Defender
Netsh
Netstat
Tasklist
Resource Monitor
Performance Monitor
Route

Windows 7 comes with a number of security tools that can be used with Windows Firewall to improve overall security on the desktops and the network. Knowing when and how to use them will be helpful to any software technician.

Windows Defender: This is an anti-spyware program that helps to protect the system from unwanted and dangerous software. It will detect these programs whether they are being installed over the network or from local media. Windows Defender will continually monitor the system when it is turned on. You will normally disable it if a product that performs the same service is installed.

Netsh: The netsh tool is run from the command-line and is normally used by administrators to configure network interfaces, protocols, routing, filters and also firewall rules. It has many different uses and parameters. Information about what parameters and options are available can be displayed by using the help option (e.g. netsh /?).

Netstat: Netstat is a command-line tool that is used to view data about port and protocol settings. Information about the Ethernet statistics, routing table or process IDs associated with ports can also be displayed. It is often used to find out the active ports being used on a computer and to decipher what network services are being offered on it.

Tasklist: Most users will use the Task Manager to view the processes running on a computer and the properties associated with them. This information can also be viewed from the command prompt with the tasklist.exe command. Information about the local or a remote system can be displayed. The parameters available with this command allow you to filter the processes based on DLL modules, user name, services, memory or processor usage. The status of services on local or remote machines can be verified when troubleshooting connectivity problems.

Resource Monitor: This administrative tool allows you to monitor the use of memory, processor, disk and network resources. It can be used to manage processes running on the system. It is often used to identify services and processes that are using resources heavily and to manage unresponsive applications. The ability to monitor Listening Ports on the computer and to compare them with their Firewall Status is very useful for quickly identifying and diagnosing connectivity problems.

Performance Monitor: This tool is used to view the performance data of system and hardware resources. If there is concern about how a program is using resources and if it is interfering with other applications you can use this tool to view that information in real time.

Route: The route.exe command can be used to view and change the routing table on a computer. This can be useful when a computer has multiple network connections and you need to verify the path of data connections between two systems.

Resolve Firewall Issues

RESOLVE FIREWALL ISSUES


Review the scenarios and problems presented along with their solutions

The firewall settings on a Windows desktop are extensive and allow end-users or administrators to control what kind of data gets in or out of a machine and how that data should be protected. Problems can sometimes arise when settings are configured without understanding the impact on all applications used on the machine. Compatibility with other desktops on the network must also be factored in. Here is a list of possible issues that might arise from improper configuration and how you might deal with them.

You are configuring a new firewall rule that will be used for all clients connecting to one of the accounting servers in your domain. It has been decided that these connections must be authenticated. What is the simplest authentication protocol to set up when configuring this rule?
In an Active Directory environment, Kerberos authentication will be the fastest and simplest solution to set up. All domain computers will already have the capability to use this protocol.

A desktop computer has locally configured firewall rules, but you know that it also has group policy rules that are being enforced. How will these rules be applied on this system?
The rules will be merged together. When applying the rules, the system will sort and categorize all of them to decide which ones to apply. When multiple rules belong to the same category, the most specific one that applies will be used.

The name and location of the Windows Firewall log file for the public profile has been changed using group policy settings. What additional configuration change must you make to ensure that information will be logged to the new file?
The Windows Firewall service account must be assigned write permissions to the new file and folder.

A number of users in your domain are experiencing network communication problems because they are improperly configuring their own firewall security rules. How can you restrict this capability without changing the user permission settings they have on their computers?



Configure appropriate firewall rules using group policy objects and use these settings to override any locally configured rules.


A developer is testing a new client application and is concerned that the firewall rules are preventing it from communicating with a server on the network. What is the easiest way to let the developer know when the firewall is blocking his program?
Configure the firewall to notify the user when it blocks a new program. A taskbar notification will alert him to what has happened. If he has Administrator or Network Configuration Operator permissions, he will be able to automatically unblock the application.

You are in the process of locking down a system that will store confidential information and want to create a list of all the ports on which the system listens for incoming connections. What tool can you use to get this information?
The netstat.exe command can be used with the -a parameter to create a list of all listening ports and the -o parameter to find the process ID associated with them. To filter the list so only listening ports are shown and to export the data to a text file, you could use the command netstat.exe -ao | find /I "listening" > listeningports.txt.
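The port inventory described above can be reviewed automatically. This added example (not part of the original courseware) parses netstat -ano text, such as the exported listeningports.txt, and reports listening ports that are missing from an approved list; the sample output, PIDs and approved ports are constructed.

```python
"""Review listening ports from `netstat -ano` text (added example)."""
from collections import defaultdict

# Constructed sample of `netstat -ano` output; addresses, ports and PIDs are made up.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       3120
  TCP    10.10.0.50:139         0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:6000         0.0.0.0:0              LISTENING       2044
  TCP    10.10.0.50:49170       10.10.0.10:23          ESTABLISHED     2980
  TCP    [::]:21                [::]:0                 LISTENING       1432
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    968
"""

# Hypothetical approved baseline for this host, as (protocol, port) pairs.
APPROVED = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 123)}

WILDCARD = {"0.0.0.0", "::"}     # bound on every interface
LOOPBACK = {"127.0.0.1", "::1"}  # reachable only from the machine itself


def parse_listeners(text):
    """Return (proto, address, port, pid) for TCP LISTENING rows and bound UDP rows.

    Works on raw output and on output already filtered with find /I "listening"
    (the filter drops the headers and the UDP rows, which have no State column).
    """
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3].upper() == "LISTENING":
            proto, local, pid = parts[0], parts[1], parts[4]
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, pid = parts[0], parts[1], parts[3]
        else:
            continue  # headers, blank lines, TCP rows in other states
        addr, _, port = local.rpartition(":")  # last colon, so IPv6 "[::]:21" works
        if port.isdigit() and pid.isdigit():
            listeners.append((proto, addr.strip("[]"), int(port), int(pid)))
    return listeners


def group_by_port(listeners):
    """Map (proto, port) to the set of bound addresses and owning PIDs."""
    ports = defaultdict(lambda: {"addrs": set(), "pids": set()})
    for proto, addr, port, pid in listeners:
        ports[(proto, port)]["addrs"].add(addr)
        ports[(proto, port)]["pids"].add(pid)
    return dict(ports)


def exposure(addrs):
    """Classify how widely a port is reachable from its bound addresses."""
    if addrs & WILDCARD:
        return "all-interfaces"
    if addrs <= LOOPBACK:
        return "loopback-only"
    return "specific-address"


def review(text, approved):
    """List every listening port that is not in the approved set."""
    findings = []
    for (proto, port), info in sorted(group_by_port(parse_listeners(text)).items()):
        if (proto, port) not in approved:
            findings.append({"proto": proto, "port": port,
                             "pids": sorted(info["pids"]),
                             "exposure": exposure(info["addrs"])})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_NETSTAT, APPROVED):
        print("{proto}/{port:<5} {exposure:<16} PID(s) {pids}".format(**f))
```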


Review Module 14: Identify & Resolve Firewall Issues

REVIEW
Examine the review questions as a class

1. What is involved in creating a defense in depth strategy for a network?
2. What kind of network attacks will a firewall not prevent?
3. True or False. Windows Firewall rules can be defined for locations other than the Internet.
4. Besides the IP address of a computer, what other information is needed to communicate with a specific application on a machine?
5. What three network locations can be configured with Windows Firewall settings?
6. True or False. Windows 7 firewall rules can be applied to users based on their group membership.
7. What command-line tool can be used to configure firewall rules on a computer?
8. What tool allows you to show Process ID information from the command-line?
9. What command-line tool can be used to view and modify the routing table of a system?


10. Where can you find log data for Windows Firewall?

11. Under what circumstances will Windows Firewall display a notification after enabling this feature?

12. Where must rule merging settings be configured?


Labs Module 14: Identify and Resolve Firewall Issues

Exercise 1: Configure and Test Firewall Rules

Exercise 2: Fix problems caused by Firewall Rules

Overview: Create and test firewall rules for network applications. Unless stated otherwise, start up the Windows 7 client and the domain controller images. Log in with the Contoso\Admin1 user account with a password of Pa$$w0rd.

Estimated time to complete this lab is 45 minutes.


Exercise 1: Configure and Test Firewall Rules for an Application
1. Create a System Restore point named Pre_Lab14.
2. Open the Services MMC using Contoso\Administrator credentials and connect to NYC-DC1.
3. Change the startup status of Telnet to automatic and manually start it. Close the Services window.
4. Open an Administrator: Command Prompt.
5. Run the command: Telnet NYC-DC1.
6. Run the command hostname to verify the machine name.
7. Exit the telnet session and keep the Command Prompt window open.
8. Open the Windows Firewall with Advanced Security console.
9. Right click Windows Firewall with Advanced Security and click Export policy. Save the policy file on the desktop as Firewall.wfw.
10. Double click Outbound Rules. Right click Outbound Rules and click New Rule.
11. In the Rule Type window click Program then click Next.
12. In the Program window click This program path: and type c:\windows\system32\telnet.exe. Click Next.
13. In the Action window, click Block the connection. Click Next.
14. In the Profile window, make sure that only the Domain location is checked. Click Next.
15. In the Name window, name the rule Telnet (Domain). Click Finish.
16. Use the Command Prompt to test the telnet connection to NYC-DC1. Verify that the connection fails.
17. Use the Windows Firewall tool to locate the new Telnet (Domain) rule.



18. Right click on the rule and choose Disable Rule.
19. Use the Command Prompt window to test the telnet connection again and verify that it works.
20. Keep the application open.


Exercise 2: Fix Application problems caused by Firewall Rules


1. Use Windows Features to install the following three components:
   Internet Information Services > FTP Server > FTP Service
   Internet Information Services > FTP Server > FTP Extensibility
   Internet Information Services > Web Management Tools > IIS Management Console
2. Click Start > Administrative Tools > Internet Information Services (IIS) Manager.
3. Right click Computer01 and click Add FTP Site.
4. Name the site Default FTP Site and use the physical path of C:\TEMP. Click Next.
5. On the Binding and SSL Settings window, choose No SSL. Click Next.
6. On the Authentication and Authorization Information window, click the Anonymous and Basic authentication methods. Under the Authorization section, choose All users. Under the Permissions section, check Read and Write. Click Finish.
7. Close Internet Information Services (IIS) Manager.
8. Use the Command Prompt to run the command: netstat -an | find /i "LISTENING".
9. Verify that the computer is listening on the ftp port (21).
10. Restart the computer and log in as Contoso\Admin1.
11. Open the Command Prompt with the Contoso\Administrator account.
12. Run the command: telnet NYC-DC1.
13. Execute the following commands to use ftp.exe on NYC-DC1:
   a. Netsh advfirewall firewall add rule name="FTP Command" dir=in action=allow program=c:\windows\system32\ftp.exe
   b. Netsh advfirewall firewall add rule name="FTP Command" dir=out action=allow program=c:\windows\system32\ftp.exe
14. From the telnet session, run the command: ftp Computer1. The connection should fail because of the firewall settings on Computer1. Leave the session window open.
15. Open the Windows Firewall with Advanced Security console.
16. Under Inbound Rules, find and enable the following rules:
   FTP Server (FTP Traffic-In)
   FTP Server Passive (FTP Passive Traffic-In)
17. Under Outbound Rules, find and enable the FTP Server (FTP Traffic-Out) rule.
18. Try the ftp connection again to verify that the new firewall rules allow the connection.


Module 15: Identify and Resolve Issues Due to Malicious Software

Table of Contents
Overview
Lesson 1: Proactive Malware Protection
Lesson 2: Protecting Internet Explorer
Lesson 3: Recovering From Malware Infection
Lesson 4: Malicious Software Tools
Resolve Issues Due To Malicious Software
Review Module 15: Identify & Resolve Issues Due To Malicious Software
Labs Module 15: Identify and Resolve Issues due to Malicious Software


Overview

Proactive Malware Protection

Protecting Internet Explorer


Recovering From Malware Infection

Malicious Software Tools


Resolve Issues Due To Malicious Software

Attacks on a computer in the form of a virus, spyware or worm can disable the machine and reduce productivity. There is also the chance of losing data or compromising the confidentiality of private information. The reputation of an organization might also be affected when customers and partners are affected because of these problems on the network. Every reasonable care should therefore be taken to prevent and fix these problems quickly.

Malicious software can affect different aspects of a computer. Email applications like Microsoft Outlook might be infected by virus-laden attachments which can then cause problems for other computers. System files and services running on the computer might be infected or replaced without the user knowing it. Internet Explorer is another gateway into the system, by way of browser add-ons. Regardless of the source of the problem, all computers on a network should have software installed to prevent these situations from arising as part of a defense in depth strategy.

In this chapter, we will look at a number of methods that can be used to prevent these problems from occurring and also how to use Windows 7 features to mitigate the damage that such attacks might cause. Besides anti-virus and anti-spyware applications, using options in Internet Explorer, User Account Control and Windows Firewall can help to alert users and administrators to problem files and applications.


Lesson 1: Proactive Malware Protection

Before the Infection
Anti-Virus Protection
Anti-Spyware Software
Other Methods of Attack
Other Considerations
Microsoft Security Essentials

The damage done to a computer's resources by a virus cannot always be measured in actual dollar amounts if resources are lost or compromised. In addition to lost documents and services, concerns about user productivity will move most organizations to install anti-virus and anti-spyware software. These resources, if properly maintained, can pay for themselves easily through increased productivity and improved availability of computer services. Understanding how these programs work and using techniques to reduce the likelihood of infection are important skills for any technician who supports desktop computers.


Before the Infection

Backup Plan
Documentation
Security Updates
System Hardening
User Training

As with any good security procedure, some protection mechanisms are put in place before a problem develops. Instituting a backup plan for important organization and user files is always critical. Another important procedure involves keeping a record of what processes are run on the computers, a description of what the processes do, the owner accounts and the DLL files that they use. A number of products are available that can automatically create files with this information, such as Process Explorer available from www.sysinternals.com.

Many malware products work by taking advantage of known vulnerabilities on a system. By removing the vulnerabilities, you can neutralize the malware. Staying up-to-date with security updates for the operating system and desktop applications is one way to do this. Another way is to harden the system by removing the sources of the vulnerabilities. This might involve removing unnecessary programs or services. In other cases, simply disabling features that are the source of the problem will be sufficient.

One of the most effective ways to prevent malware attacks is through user training. Even if a virus gets through the protections implemented at the firewall or email server, the desktop can be protected by a diligent user. Not running executable attachments, not opening emails from unknown senders, avoiding websites with suspect content, not installing or using unsanctioned software, following company policy on the use of external drives and personal files on corporate machines, verifying the source of macros and scripts before using them, and properly responding to and reporting malware alerts are all good practices to follow.
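The process record described in this section is most useful when a later snapshot can be compared against it. This added example (not part of the original courseware) assumes the snapshots were saved with the built-in tasklist /V /FO CSV command rather than Process Explorer; the sample rows and the updater32.exe name are constructed, and DLL lists are left out.

```python
"""Compare two process snapshots taken with `tasklist /V /FO CSV` (added example)."""
import csv
import io

# Constructed snapshots; PIDs, sizes and the updater32.exe image are made up.
BASELINE_CSV = r'''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System","4","Services","0","300 K","Unknown","NT AUTHORITY\SYSTEM","0:00:12","N/A"
"svchost.exe","716","Services","0","6,512 K","Unknown","NT AUTHORITY\SYSTEM","0:00:01","N/A"
"svchost.exe","968","Services","0","9,120 K","Unknown","NT AUTHORITY\NETWORK SERVICE","0:00:02","N/A"
"explorer.exe","2204","Console","1","41,300 K","Running","CONTOSO\Admin1","0:00:09","N/A"
"OUTLOOK.EXE","3016","Console","1","88,764 K","Running","CONTOSO\Admin1","0:00:21","Inbox - Microsoft Outlook"
'''

CURRENT_CSV = r'''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System","4","Services","0","304 K","Unknown","NT AUTHORITY\SYSTEM","0:00:15","N/A"
"svchost.exe","724","Services","0","6,600 K","Unknown","NT AUTHORITY\SYSTEM","0:00:01","N/A"
"svchost.exe","980","Services","0","9,004 K","Unknown","NT AUTHORITY\NETWORK SERVICE","0:00:02","N/A"
"svchost.exe","3344","Console","1","2,140 K","Running","CONTOSO\Admin1","0:00:00","N/A"
"explorer.exe","2310","Console","1","40,912 K","Running","CONTOSO\Admin1","0:00:08","N/A"
"updater32.exe","3120","Console","1","5,020 K","Running","CONTOSO\Admin1","0:00:03","N/A"
'''


def load_snapshot(csv_text):
    """Return the set of (image name, owner account) pairs in a snapshot.

    PIDs change on every boot, so the image name and its owner are the stable key.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    return {(row["Image Name"].lower(), row["User Name"]) for row in reader}


def compare(baseline, current):
    """Split the differences into new images, known images under a new owner, and gone."""
    known_images = {image for image, _ in baseline}
    added = current - baseline
    return {
        "new_images": sorted(p for p in added if p[0] not in known_images),
        "new_owner": sorted(p for p in added if p[0] in known_images),
        "gone": sorted(baseline - current),
    }


if __name__ == "__main__":
    diff = compare(load_snapshot(BASELINE_CSV), load_snapshot(CURRENT_CSV))
    for category, pairs in diff.items():
        for image, owner in pairs:
            print(f"{category:<11} {image:<16} {owner}")
```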


Anti-Virus Software

On-Access Scanning

Scheduled Scanning
Network Communication

Remove Virus
Quarantine Virus

One of the most important forms of malware protection is the anti-virus program. Many of these programs will include additional features to prevent other forms of malware attack. Virus attacks are very prevalent and have many ways of infecting a computer. While their capabilities and features will differ, most products should have a core set of capabilities that allow you to compare them to one another.

Anti-virus products will normally perform on-access scanning of a system to prevent active applications like email clients or Internet browsers from infecting a computer. You can also perform scheduled and on-demand scanning. Many products will also monitor and prevent scripts from damaging the system. Network communication programs that transfer files and information (e.g. Instant Messaging) should also be included among the resources that are protected.

When a virus is found, the program will normally try to remove the infection, but will also be capable of quarantining it. This prevents it from being accidentally executed until it can be removed or the infected file is deleted.


Anti-Spyware Software

Compromise Private Data

Check Internet Explorer Add-ons


Registry Protection

The harm done by spyware applications can be very damaging to the user of a system. By tracking and recording user behavior, these programs can compromise private and confidential information. Most anti-spyware programs will also provide protection against adware, applications that download and display advertisements.

Many spyware programs find their way onto the system through the web browser while the user is working on the Internet. The anti-spyware product should therefore be able to check add-ons and scripts for damaging behavior. Anti-spyware applications will also be able to protect the registry and check it for problems. Programs that record user activity, download and run programs or allow remote users to access the system will also be checked by your anti-spyware program.


Other Methods of Attack

Worms
Trojans
Keyloggers

There are other types of malware that could cause problems to a system. Worms, Trojans and Keyloggers are all ways of damaging a system or compromising data. A virus spreads itself from computer to computer by attaching itself to files and programs on the infected system. Worms are a type of virus that can replicate themselves even if nothing is done by the end-user. Trojan horses can also damage a system, but might be deliberately installed by unsuspecting users who do not know they are attached to a program that also performs some useful function. Keyloggers can also hide themselves by taking the form of a Trojan and record keystrokes to capture confidential information.

Because of the varied methods of attack and the effort needed to protect against each of them, many organizations will use a single application that will protect against all forms of malware instead of having to maintain a number of them. While this strategy will often use fewer computer resources and allow for easier updates and management of the software, using separate software products for different types of malware will sometimes provide better protection for the desktop.


Other Considerations

Performance on Test Computers

Scheduled Updates
Logging and Notifications

Certification

Before any new anti-malware product is purchased for desktop computers, it should be tested in an environment that mirrors normal user activity. This allows you to evaluate how it affects the performance of the system and applications. Regardless of what type of protection is installed on a system, it should be regularly updated and there should be a process in place to analyze logged events and respond to notifications. All products used to provide malware protection should be certified by a recognized and trusted third-party that has tested the software. Some organizations recognized for their work in this field include: AV-Comparatives, AV-Test, ICSA, Virus Bulletin and West Coast Labs.


Microsoft Security Essentials

Organizations that need a comprehensive tool for protecting their Windows 7 systems from malware can now take advantage of Microsoft Security Essentials. It is the replacement for Windows Live OneCare.

Microsoft Security Essentials contains many of the features of other comprehensive anti-malware products. It provides real-time protection, protects against common forms of malware and allows for customized and scheduled scanning configurations. An easy-to-read, color-coded status indicator can also be used by end-users to verify whether the system is presently being protected. Virus and spyware definitions can be updated automatically or manually to maintain the effectiveness of the software.

A record is kept of when the system is scanned and the level of scanning completed. If malware is found, the system will either clean or quarantine it. Information about quarantined items can be obtained from the History tab. The Settings tab allows you to change the schedule for scanning, default responses to infection and what files to exclude from scanning. System Restore points can be automatically created before scanning a system. The option to scan removable drives and archive files is also configurable.

As with all anti-malware software, Microsoft Security Essentials should be tested with existing user systems before implementation. It has been tested and certified by ICSA and West Coast Labs.


Lesson 2: Protecting Internet Explorer

Updates
Microsoft Security Notifications
Add-ons
Scripts
Cookies
Pop-Ups
InPrivate Browsing
SmartScreen Filtering
Reset Internet Explorer Settings

Most malware attacks take place over the network or through the Internet, so Internet Explorer is often a gateway for them to infect a computer. By hardening the configuration of your web browser, you can better protect your system. Here are some things that can help to make IE more secure.

Updates: Vulnerabilities in Internet Explorer are often fixed by means of updates that can be downloaded to the system. When Internet Explorer updates are tested before deployment, security related fixes should be given priority so they can be installed quickly.

Microsoft Security Notifications: By subscribing to Microsoft Security alerts, you will be notified of security problems quickly. In situations where there is not already an update to fix a problem, you might be given information about how to mitigate it.

Add-ons: Add-ons are often used to extend the capabilities of the browser, but they should be tested and approved to make sure that they will not damage the system. Only using add-ons from trusted websites will help to prevent such problems. When browsing websites that are not trusted, consider turning off all add-ons. A browser with all add-ons turned off can be launched from Accessories > System Tools or by running the command: iexplore.exe -extoff.

Scripts: Restricting the use of scripts on Internet sites will help to prevent problems on the computer. If these features are needed when connecting to sites owned by partner organizations, those sites should be added to the Trusted Sites security zone which can safely use less restrictive security settings.

Cookies: Cookies can be used to track user behavior and store information about data exchanged over the network. Restricting the use of third-party cookies and those that do not have a good privacy policy can improve computer security.



Pop-ups: While some sites will require the use of pop-ups, the pop-up blocker should be enabled for general web browsing. This can be done through IE or through an anti-malware program that provides this option.

InPrivate Browsing: When turned on, this feature prevents private information from being stored on the computer. Toolbars and extensions will also be disabled. To open a browser window with this feature turned on, press Ctrl + Shift + P from any IE browser window. This option can help to protect private information when working on computers owned by other users or organizations.

SmartScreen Filtering: This feature provides real time protection by warning the user before he connects to a website that is known for phishing or malware problems. It is enabled by using the IE menu to go to Tools > Internet Options and then going to the Advanced tab to configure the Security settings.

Reset Internet Explorer Settings: If the browser becomes unstable, a last resort is to reset all security, pop-up, privacy and add-on settings. From the Internet Options, open the Advanced tab to access the Reset button, which removes existing settings in the browser and reverts them to their default configuration. When resetting the browser, the technician will be presented with the option of deleting personal settings. Search providers, cookies, passwords, home pages and accelerator settings can all be removed.


Lesson 3: Recovering From Malware Infection

Symptoms of Malware Infection

Disconnect from the Network


Gathering Information

Clean the Infection

The signs of malware infection are varied and sometimes misleading. Some of the symptoms might appear as computer performance problems and be ignored. Once an attack is confirmed, immediate measures must be put in place to protect other systems, gather information and clean the infected computer.


Symptoms of Malware Infection

Slow down in performance of the computer

Increased resource usage


Unauthorized installation of programs

Unauthorized firewall configuration changes


Regular Firewall Notifications
Unauthorized Browser configuration changes
Excessive Browser Pop-ups

Some of the problems experienced on a computer that might be a sign of some form of malware attack include:
Slow down in performance of the computer
Increased activity in memory, processor, disk & network resources when nothing should be happening
Unauthorized installation or removal of applications and services
Unauthorized disabling of the computer firewall
Constant notifications from Windows Firewall about unauthorized programs trying to access the network
Unauthorized reconfiguration of web browser options and features such as home or search pages
Excessive pop-ups that are hard or impossible to disable

In most cases, a good anti-malware product will be able to detect and remove products that can damage the system or compromise security. Where the malware cannot be cleaned, quarantine or removal of the file/product is the next best option. The sophistication of some malware products makes them difficult to detect or remove, however. This means that other procedures are sometimes necessary to fix the problem. In rare cases, it might even be necessary to seek the help of security contractors who specialize in dealing with such problems.

Disconnect from the Network

Isolate the infected system

Document symptoms and actions

Once you have confirmation that a system is infected, it should be immediately disconnected from any network. Isolating the machine is important to make sure that other systems are not infected. The next step will depend on the policies and procedures of your company. In some cases, an immediate reimaging of the system will be mandated. Other organizations will seek to get more information about the problem before making any changes on the system. Regardless of what procedures are in place, the technician should keep a record of his actions and notify his supervisors in a timely manner.


Gathering Information

Interview the user
Recent changes to the system
Computer Logs
Determine scope of the problem

The user or users of the system should be interviewed about possible activity they engaged in that might have caused the problem. The use of USB drives, accessing email attachments or downloading files are all areas of interest. While recent activity is going to be most relevant, keep in mind that the malware might have been on the system for some time. Operating system, application and firewall logs might also have useful information. Using information from the computer logs and the user interview will help technicians determine if other client computers or network servers should be checked for infected files.

Clean the Infection

Anti-Malware Scan

Safe Mode
Reinstallation

Reimaging

When up-to-date anti-malware products are unable to clean a computer, this might need to be done manually. This often involves restarting the system in Safe Mode. Safe Mode is best because it runs a minimal operating system configuration. If the normal anti-malware product is still unsuccessful, another program should be tried.

Repairing the system files might be necessary to remove the infection. The installation DVD or System Repair Disk can be used for this. A repair disk can be created from the Backup and Restore console in the Control Panel. If this is successful, you should reinstall any operating system service packs and patches as soon as the system is verified as being clean.

If the malware cannot be removed by using any standard procedures or processes recommended by the anti-malware vendor, then the system must be totally rebuilt. To be safe, the hard-drive must be completely wiped before reimaging the system. Some malware programs can infect parts of the hard-drive that might not be written over during the imaging process.


Lesson 4: Malicious Software Tools

Task Manager
System File Checker
Registry Editor
Programs and Features
User Account Control
Action Center
Microsoft Baseline Security Analyzer
Malicious Software Removal Tool
File Signature Verification

All desktops on a corporate network should have protection against malicious software. At a minimum this would include a program that protects the system against viruses. Most of these products will include features to protect against other forms of malware. Some of the programs you might use to diagnose and fix malware issues are already a part of the operating system or available as free downloads from Microsoft or supported vendors. While they can be very useful, they do not replace the need for a well rated anti-malware product. Some of these tools are listed here along with a description of their capabilities:

Task Manager: This tool allows you to see the resources that a process or service is using on a machine. If the hard-drive, memory or other resources are being heavily used, you will be able to verify the applications responsible and stop them if necessary. When more information is needed about the relationship between applications, processes and services, the console allows you to track this information down. The ability to end a Process Tree allows you to kill processes related to a rogue application without actually knowing their names.

System File Checker: System File Checker (sfc.exe) is a command-line tool used to find system files that have been deleted or changed. You must run the program with administrative privileges. The scan will check individual files or all protected system files. The repair can be carried out offline if the operating system is not bootable.

Regedit: Regedit allows you to make changes to the system registry on a computer. Because of the damage that incorrect changes can cause, it should only be used by technicians who understand the changes they are making. A backup of the registry should be made before making extensive changes to it. Some types of malicious software will make changes to the registry to damage the system or automatically run harmful applications. These changes can be manually removed. Whenever possible, system registry changes should be made from tools that will not damage it, such as the Control Panel or System Configuration.

Programs and Features: The Programs and Features console in the Control Panel allows you to view a list of programs installed on the computer. The date and size of the install are also included. This information can be used to track down programs that were installed recently or in the time frame when the problems on the computer started. Most applications can be removed using this console. Programs that did not register themselves here, however, cannot be managed with this tool.

User Account Control: UAC helps to protect a computer against malware and other security issues by informing the user when a program performs an operation that requires administrator privileges. This can alert a user to a new installation or configuration attempt by malware products. User Account Control will prompt the user asking for administrator credentials needed to authorize the change to the system. Users without administrative privileges will not be able to continue the operation.

Action Center: The Action Center lists important notifications about maintenance and security issues in the taskbar of a computer. When experiencing problems with a system, you can check here first to see if the operating system has already detected an issue. In some cases a solution might already be provided. The Action Center also has shortcuts that an administrator can use to restore files or change User Account Control settings. The messages you receive in the console might relate to problems with the firewall, spyware, operating system updates and other issues. The types of problems you want to monitor are configurable.

Windows Defender: Windows Defender is an anti-spyware product included with the operating system. It provides real time protection by monitoring the system's behavior on the network and in applications. Manual and scheduled scanning can also be configured. Like any other anti-malware product, Windows Defender is only useful if it has up to date definitions of new spyware products. Windows Update will automatically update these definitions when it searches for other operating system updates. The updates can also be downloaded manually.

Microsoft Baseline Security Analyzer: MBSA is a freely downloadable tool that allows you to assess how up-to-date the Microsoft products on a computer are. It will provide information about security and other updates available for Windows 7 and other Microsoft operating systems, Internet Explorer, Microsoft Office and other Microsoft applications.

Malicious Software Removal Tool: This tool will automatically detect and remove viruses, worms and Trojans from a computer. It will not remove spyware. It does not replace other anti-malware products because it is designed to remove existing infections, not to prevent them. The program can run in the background without interfering with current user processes. The notification of the infection will normally include a recommendation to perform a full scan of the system. Infected files will normally be cleaned, but can be damaged in the process, as with other anti-virus software. When malware changes the configuration of applications on the desktop, these programs will have to be reconfigured manually.

File Signature Verification: The file signature verification tool (sigverif.exe) is used to check if all drivers used on the computer have been digitally signed. It will create a log file (sigverif.txt) that lists the name, location, vendor and version number for each driver on the system and also specifies which ones are signed or not signed. Malware and instability issues can often be traced to the use of unauthorized or unsigned drivers.
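The Regedit and File Signature Verification descriptions above can be combined into one read-only check: list the registry values that start programs automatically and report whether each target file carries a valid digital signature. This PowerShell script is an added example, not part of the courseware; the Run/RunOnce key list and the function names Get-ExecutablePath and Get-AutostartEntry are choices made for this illustration, and the sample command lines are constructed.

```powershell
# Added example (not from the courseware): read-only autostart triage.
# Lists Run/RunOnce registry values and the signature status of each target.
# Nothing on the system is modified.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutablePath {
    # Pull the program path out of an autostart command line.
    param([string]$CommandLine)
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    # Quoted form: "C:\path with spaces\app.exe" /arg
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted form: take everything up to the first known extension.
    if ($expanded -match '^(.+?\.(exe|com|bat|cmd|dll|vbs|js))(\s|,|$)') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Get-AutostartEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $command = [string]$regKey.GetValue($name)
            $path    = Get-ExecutablePath $command
            # Bare names such as "rundll32.exe" are resolved through the search path.
            if ($path -and -not (Split-Path -Path $path -IsAbsolute)) {
                $app = Get-Command -Name $path -CommandType Application -ErrorAction SilentlyContinue |
                       Select-Object -First 1
                if ($app) { $path = $app.Path }
            }
            $status = 'TargetNotFound'
            if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
                $status = [string](Get-AuthenticodeSignature -FilePath $path).Status
            }
            New-Object PSObject -Property @{
                Key = $key; Name = $name; Command = $command; Target = $path; Signature = $status
            }
        }
    }
}

# Constructed sample command lines showing how the path parser behaves.
$samples = @(
    '"C:\Program Files\Vendor App\agent.exe" /background',
    'C:\Program Files\Vendor App\agent.exe -minimized',
    '%SystemRoot%\system32\rundll32.exe C:\Vendor\helper.dll,Start'
)
foreach ($s in $samples) { '{0}  ->  {1}' -f $s, (Get-ExecutablePath $s) }

# Live query: entries whose target is missing or not validly signed are listed first.
Get-AutostartEntry |
    Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, Key, Name |
    Format-Table Signature, Name, Target, Key -AutoSize
```

Treat any status other than Valid as a lead to investigate, not as a verdict, and record the output before making changes to the system.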


Resolve Issues Due To Malicious Software

RESOLVE ISSUES DUE TO MALICIOUS SOFTWARE


Review the scenarios and problems presented along with their solutions

The best way to protect against malware attacks is to prevent them in the first place. This will not always be possible, and there should be measures in place to quickly clean and quarantine infected computers and files. User training is another important component. Avoiding risky behavior like downloading programs from untrusted websites should be standard behavior.

In this section we will look at some ways that a technician can solve problems created by viruses and other malware. Many of these solutions will involve the use of programs purchased to solve these kinds of problems. Such software should be considered one of the core desktop applications needed for maintaining system performance.

A user is trying to remove a virus from a file with his anti-virus program but is unsuccessful. The program has the latest updates installed. What should the user do to protect his system?
The file should be deleted from his system. The IT staff responsible for protecting his computer might decide to quarantine the file for further analysis.

You have been asked to create a report that compares two anti-malware products that are being evaluated for use on your network. How can you get independent evaluations of these programs and what factors should you evaluate in your own testing?
A number of organizations will evaluate and certify the capabilities of anti-malware software. They include: ICSA, West Coast Labs, Virus Bulletin, AV-Comparatives and AV-Test. When evaluating the products, compare how they affect PC performance and how they interact with client applications.

A member of your sales team is at a customer's office and wants to use their public computer to connect to a secure extranet site. What features in Internet Explorer can he use to make the browsing experience as secure as possible?
He can disable all browser add-ons and enable InPrivate browsing while at the customer's office.

After an application is installed on a computer, it configures a new service to start up automatically so that it will be running even if no one logs onto the system. How can you get more information about the processes that are associated with this new service?
The Task Manager has a Services tab that allows you to right click on any running service to find the process associated with it.

The anti-malware program on a computer detects a virus while the user is logged in, but it is unable to remove it. What should you try to do before reimaging this computer?
Boot the system in Safe Mode and try to clean the virus again. If you are still unsuccessful, try another anti-virus program or the system repair process.

One of the test computers you manage is generating messages in the taskbar because you do not have the firewall configured and have not installed an anti-virus program. How can you stop these messages?
Change the configuration options in the Action Center.


Review Module 15: Identify & Resolve Issues Due To Malicious Software

REVIEW
Examine the review questions as a class

1. What capability is provided by anti-virus programs that do on-access scanning?

2. What harm can be done to a computer by spyware programs?

3. What are some organizations that provide testing or certification for anti-malware products?

4. How can you enable InPrivate browsing in Internet Explorer?

5. How can you launch Internet Explorer with all add-ons disabled?

6. What kind of protection is offered by enabling SmartScreen filters in IE?

7. What are some signs of malware infection on a computer system?

8. What are some of the things you will immediately do after confirming that a malware-infected system cannot be cleaned by the software product you normally use?

9. How can you create a System Repair Disk for a computer?

10. Why should a technician question the users of a malware-infected system as soon as the infection is identified?

11. What are web browser cookies used for?

12. What should be done before reimaging a malware-infected hard-drive?

13. What anti-spyware product is automatically available as a part of Windows 7?

14. What tools might be able to make system registry changes without going directly to regedit?

15. What tool can you use to find out which program is using computer resources heavily?


Labs Module 15: Identify and Resolve Issues due to Malicious Software

Exercise 1: Use Action Center to manage UAC
Exercise 2: Use System File Checker
Exercise 3: Use the Malicious Software Removal Tool
Exercise 4: Install Microsoft Security Essentials

Overview: Configure controls to prevent unauthorized installations. Scan computer files for malware and changes to system files. Unless stated otherwise, start up the Windows 7 client and the domain controller images. Log in with the Contoso\Admin1 user account with a password of Pa$$w0rd. At the end of the lab exercises, change the UAC settings back to the default configuration using the Action Center.

Estimated time to complete this lab is 60 minutes.


Exercise 1: Use Action Center to Manage UAC Settings
1. Create a System Restore point named Pre_Lab15.
2. Click Start > Control Panel > System and Security > Action Center.
3. Click Change User Account Control settings.
4. Click on each of the four UAC settings and read the description of each.
5. Choose the Always notify option and click OK to accept the change.

Exercise 2: Use System File Checker


1. Click Start > All Programs > Accessories.
2. Right click Command Prompt and click Run as Administrator. Click Yes.
3. Run the command: sfc.exe /?. Read the description and the options available for this tool.
4. Run the command: sfc.exe /scannow. The scanning process can take 10 or more minutes.
5. Review the results for any errors found and verify that they were fixed automatically.


Exercise 3: Use the Malicious Software Removal Tool


1. Use Windows Explorer to connect to \\NYC-DC1\Classfiles
2. Copy the \\NYC-DC1\Classfiles\Tools\windows-kb890830-x64-v3.0.exe file to the C:\TEMP folder.
3. Execute C:\TEMP\windows-kb890830-x64-v3.0.exe as an Administrator.
4. Read and accept the licensing agreement and click Next.
5. Read the information and instructions on the Welcome to the Microsoft Windows Malicious Software Removal Tool page.
6. Click Next.
7. On the Scan type page, click the radio button to perform a Customized scan.
8. Click the Choose Folder button.
9. In the Browse For Folder window, choose the C: drive and click OK.
10. Click Next and allow the scan to check files on the C: drive.
11. Close the program after the scan is complete.
12. If the scan takes more than 10 minutes, cancel it.

Exercise 4: Install Microsoft Security Essentials


1. Go to the C:\Labfiles folder on the host server and execute L15-4.exe.
2. Walk through the simulation as it mimics an installation and anti-viral scan using Microsoft Security Essentials.

Note: Change the UAC settings back to the default configuration.


Module 16: Identify and Resolve Encryption Issues

Table of Contents
Overview
Lesson 1: Configuring a Recovery Agent
Lesson 2: Using EFS
Lesson 3: Using BitLocker
Resolve Encryption Issues
Review Module 16: Identify & Resolve Encryption Issues
Labs Module 16: Identify and Resolve Encryption Issues


Overview

Configuring a Recovery Agent

Using EFS
Using BitLocker

Encryption Tools
Resolve Encryption Issues

Encryption technologies are used to improve the security of computer and network information by ciphering data. This prevents unauthorized users from reading or accessing confidential information. Windows 7 supports a number of encryption technologies that can be used to protect information sent over the network and files on local NTFS drives. Portable devices, such as USB drives, now have better protection using these new tools.

While encryption technologies can be implemented relatively easily, careful consideration should be given to how they will be configured and maintained. Using group policy to implement some of these features is advantageous because of the ease of deployment. Creating a policy for managing Recovery Agents is also important to prevent data loss.

One of the security advantages of file encryption is that it allows users to be relatively certain about the privacy of the information in their files. The normal permission structure is secure, but anyone with appropriate permissions on a user's files will be able to read and copy them. Once a file is encrypted, however, not only do you need to have permissions on it, but possession of a valid certificate key used to encrypt it is also needed. While this feature can be useful in maintaining confidentiality, it is open to abuse by users who feel the need to encrypt other resources they should not have exclusive access to. It also takes up additional processing resources on a system.

In most cases, encrypting all your data is not practical and it could prevent the use of some troubleshooting techniques. Security and confidentiality are the aims of encryption and it should be implemented to meet specific needs such as working at an insecure location, or working with mobile devices that have confidential data.


In this part of our course, we will look at encryption technologies such as EFS and BitLocker. We will also look at the algorithms or keys on which these technologies depend. Deploying and protecting these keys is an important part of the process that should not be overlooked. Procedures for recovering data when the keys are lost will also be looked into.


Lesson 1: Configuring a Recovery Agent

Protecting Encryption Keys

EFS Recovery Agent


BitLocker Recovery Agent

When users take advantage of BitLocker and EFS to protect their documents, there is a chance that the keys they use to encrypt documents might be lost. Although the files might have been stored on the network, the computer with the user's profile might have crashed. An administrator might have also reset their password. Whatever the case, there should be a plan in place to access these files after such an event.


Protecting Encryption Keys

Backup

Recovery Agent

Having a secure backup of user encryption keys will allow administrators to restore end-user access to their encrypted files. These backups also allow keys to be transferred between users when their roles and responsibilities change in the organization. Even if backup copies of the keys are available, however, it is still prudent to configure a Recovery Agent. In domain environments, this allows an administrator to configure an account or group of accounts that will be able to decrypt any file encrypted by any user.

EFS Recovery Agent

Exporting Private Key

Import into Dedicated Recovery Account


Group Policy Options

The process of creating an EFS recovery agent involves exporting the recovery agent private key and importing it into an account set aside for this purpose. This process is normally performed by a domain administrator. The built-in administrator account's user profile on the first domain controller will normally contain the recovery agent private key for domain accounts. Since this administrator account will not be accessible to lower level administrators or technicians, the key needs to be exported and imported into a more accessible account. This is usually a dedicated account created for this purpose. The account is sometimes logged into a secure computer system from which the recovery agent can work. After the key is imported into the profile, anyone with access to the account will be able to use the key. Group Policy settings can be used to change the account and the key used by the Recovery Agent.


BitLocker Recovery Agent

Group Policy Configuration

Configure Recovery Agent


Encrypting Files

BitLocker Recovery Agents have access to keys that they can use to decrypt the entire drive. They are configured using Group Policy or Local Policy settings. Multiple certificates can be assigned as recovery agents and any user account with the private keys for those certificates will be able to decrypt the drive. It is important to remember that EFS and BitLocker recovery agents are only intended to decrypt files. If the recovery agent account is used to encrypt the files, they would not be accessible by the original user since that user does not have the recovery agent's private key.


Lesson 2: Using EFS

EFS Requirements

Sharing Encrypted Files


Configuring EFS

EFS Recommendations

One of the easiest ways for a user to protect confidential files is to encrypt them. The Encrypting File System (EFS) is available as an operating system feature for all files on hard drives formatted with the NTFS file system. This feature is useful in a number of situations. Mobile users who have confidential information on their laptops can use it as an extra layer of protection in case the computer is stolen. Users who work with important files on network shares can use it to ensure that others do not use their administrative permissions to unknowingly browse confidential data. Although recovery agents can decrypt any file, they cannot later encrypt it again for access by the original user unless they have access to that user's keys.


EFS Requirements

Public Keys

File Encryption Key (FEK)


Storing the FEK

Although EFS requires the use of public keys in the encryption process, the actual encryption is done by means of a symmetric key. The file encryption key (FEK) is used to encrypt the file and it in turn is protected by the public key of the user. This system allows a document to be encrypted only once, but the symmetric key can be encrypted many times by the public keys of different users and administrators. The encryption and storage of the FEK is done in the file header. When a user is ready to decrypt a document, their private key decrypts their copy of the FEK that was encrypted with their public key. A copy of the FEK is always encrypted by the public key of the recovery agent.

It is important that encrypted files be distinguishable from unencrypted documents. This can be done by using the menu bar to navigate to Tools > Folder Options and then to the View tab. Enable the option that says Show encrypted or compressed NTFS files in color. This will cause encrypted and compressed files to be displayed in a different color from other files (If the menu bar is missing in Windows Explorer, use the F10 or Alt key to display it). Although both options are available in the file properties of a document, you cannot use the encryption and compression features on a file at the same time.

Sharing Encrypted Files

Multiple Encryption Keys

Permission Settings

When more than one person needs access to an encrypted document, EFS allows the user to configure shared access to the file. The EFS encryption keys for the additional users are added to the encrypted file. The additional users will still need appropriate permissions (e.g. Read or Write) on the document in order to use it.
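The key wrapping described under EFS Requirements and Sharing Encrypted Files, as an added PowerShell example that is not part of the course material. It is a model built on the .NET RSA and AES classes, not the EFS on-disk format; the function names and in-memory key pairs are assumptions, with User1, Admin1 and a recovery agent standing in for the lab accounts.

```powershell
# Added illustration: a model of FEK wrapping built on .NET crypto classes.
# It is not the EFS on-disk format; every function name here is hypothetical.
Add-Type -AssemblyName System.Core

function New-DemoKeyPair {
    # In-memory RSA key pair standing in for an account's EFS certificate and private key.
    New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
}

function Get-PublicOnly($KeyPair) {
    # Copy out only the public half, which is all that encryption needs.
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.ImportParameters($KeyPair.ExportParameters($false))
    $pub
}

function Protect-DemoFile {
    param([byte[]]$Plain, [hashtable]$PublicKeys)
    # One random symmetric FEK encrypts the content exactly once.
    $aes = New-Object System.Security.Cryptography.AesManaged
    $data = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    # The FEK is then wrapped once per authorised public key (RSA-OAEP).
    $wrapped = @{}
    foreach ($name in $PublicKeys.Keys) {
        $wrapped[$name] = $PublicKeys[$name].Encrypt($aes.Key, $true)
    }
    # The wrapped copies travel with the file, like the FEK copies in the file header.
    @{ IV = $aes.IV; Data = $data; WrappedFek = $wrapped }
}

function Unprotect-DemoFile {
    param([hashtable]$File, [string]$Name, $PrivateKey)
    if (-not $File.WrappedFek.ContainsKey($Name)) {
        throw "no FEK copy is stored for $Name"
    }
    # The private key recovers the FEK; the FEK decrypts the content.
    $fek = $PrivateKey.Decrypt($File.WrappedFek[$Name], $true)
    $aes = New-Object System.Security.Cryptography.AesManaged
    $aes.Key = $fek
    $aes.IV = $File.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($File.Data, 0, $File.Data.Length)
    [System.Text.Encoding]::UTF8.GetString($plain)
}

function Add-DemoUser {
    param([hashtable]$File, [string]$Granter, $GranterPrivateKey,
          [string]$NewName, $NewPublicKey)
    # Sharing re-wraps the existing FEK for one more public key.
    # The encrypted content itself is not touched.
    $fek = $GranterPrivateKey.Decrypt($File.WrappedFek[$Granter], $true)
    $File.WrappedFek[$NewName] = $NewPublicKey.Encrypt($fek, $true)
}

# Constructed demo data: three accounts and one short document.
$user1  = New-DemoKeyPair
$admin1 = New-DemoKeyPair
$agent  = New-DemoKeyPair

$file = Protect-DemoFile `
    -Plain ([System.Text.Encoding]::UTF8.GetBytes('This is a test.')) `
    -PublicKeys @{ User1 = (Get-PublicOnly $user1); RecoveryAgent = (Get-PublicOnly $agent) }

"User1 reads:          " + (Unprotect-DemoFile $file 'User1' $user1)
"Recovery agent reads: " + (Unprotect-DemoFile $file 'RecoveryAgent' $agent)

# Admin1 holds a key pair but no wrapped FEK copy, so NTFS permissions alone would not help.
try { Unprotect-DemoFile $file 'Admin1' $admin1 }
catch { "Admin1 before sharing: " + $_.Exception.Message }

$before = [System.BitConverter]::ToString($file.Data)
Add-DemoUser $file 'User1' $user1 'Admin1' (Get-PublicOnly $admin1)
"Admin1 after sharing: " + (Unprotect-DemoFile $file 'Admin1' $admin1)
"Content re-encrypted: " + ($before -ne [System.BitConverter]::ToString($file.Data))
```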


Configuring EFS

NTFS

Moving Encrypted Files


Copying Encrypted Files

Windows Explorer allows you to copy and move encrypted files as if they were regular documents. To make sure the file remains protected, its encryption settings remain the same. The only exception is when files are moved or copied to partitions that are not NTFS. In these situations, the encryption settings will not be maintained. Users without a decryption key will not be able to copy or move the file even if they have ownership of it. It is important to verify the permission and encryption settings on files when they are moved between partitions. EFS can be managed from the command-line by using the cipher.exe tool. In addition to encrypting or decrypting files and folders, you are also able to update or create new certificate information. Cipher.exe can be used to generate EFS recovery agent keys.

EFS Recommendations

When not to use

Encrypting Folders
Configure Recovery Agent

Encrypting Network Data

EFS should not normally be enabled for all users. Only computers and users with predefined security needs should use this option. Group Policy settings can be used to disable this feature (Encrypting File System setting in Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies). By default, users are able to encrypt documents they have access to. Ownership of the file is not necessary. Only Write Attributes, Create Files/Write Data and List Folder/Read Data special permissions are needed. If a user encrypts files owned by other users, the owner will not be able to access them. Either the user or the Recovery Agent will need to decrypt those documents. While EFS works well to protect files on the local computer, it does not protect information that is sent over the network. To protect confidential files being sent over the network, a network encryption protocol like IPSec should be used.


Lesson 3: Using BitLocker

BitLocker Requirements

BitLocker Configuration
Encrypting Removable Disks

Group Policy Options

BitLocker Drive Encryption is used to protect data on a drive using encryption. Like EFS, BitLocker encryption is transparent to the user working on the drive. Files are automatically encrypted or decrypted regardless of which application is being used. Unlike EFS, BitLocker encrypts the entire drive partition. This prevents the drive from being used even if it is removed from the computer and placed in another system.

BitLocker Requirements

Trusted Platform Module

USB Flash Drive


Hard Disk Partitions

To configure BitLocker on a hard-drive, the computer must have a compatible Trusted Platform Module (TPM) or a USB flash drive. The option to store the BitLocker key on a USB drive must be configured by an administrator. If you are using it on an operating system drive, it must have at least two partitions. The operating system drive must always be formatted as NTFS while data drives can use FAT or NTFS (FAT partitions can be converted to NTFS without losing data by using the convert.exe command). The BitLocker Drive Encryption options are available in the Control Panel under System and Security. Verify that the drive has at least 64MB of available space before starting the BitLocker encryption process.


BitLocker Configuration

Windows Explorer

Control Panel
BitLocker Password

Suspending Encryption
Reversing Encryption

Enabling BitLocker can be done from the Control Panel or Windows Explorer. The length of the encryption process will be the same regardless of how much data is on the volumes because the whole drive is being encrypted. After the process is done, all files added to or changed on the drive will be automatically protected. You have the option of configuring a password to access the hard drive that can be stored on a USB drive.

If the drive on which the operating system is located is encrypted, BitLocker will perform security checks during the boot process to protect the system. Changes seen as security risks are handled by locking the drive. Access will only be granted after the BitLocker recovery key, created at the beginning of the process, is provided.

BitLocker encryption is reversible and turning it off does not result in any data loss. Decrypting the drive will return it to its previous unencrypted state. The drive encryption can also be temporarily suspended. The data is still encrypted in this state, but decryption of existing files is done by using a plain text key stored on the drive. A suspension might be necessary when changes are made to the BIOS or startup files. These changes might cause a system lockdown if done while BitLocker is enabled. BitLocker encryption should be resumed as soon as these changes are made. Because of the specific situations that might require suspension, this option is only available for operating system drives.
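A check for volumes left in the suspended state described above, as an added PowerShell example that is not part of the course material. It reads the BitLocker WMI class Win32_EncryptableVolume from an elevated prompt; the function names and state labels are assumptions of this example.

```powershell
# Added illustration: report BitLocker volumes that are encrypted but suspended,
# i.e. the data is still encrypted while the key sits in clear text on the drive.
# Run elevated. Function names and state labels are hypothetical.

$BitLockerNamespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

function Get-BitLockerState {
    param([int]$ConversionStatus, [int]$ProtectionStatus)
    # ProtectionStatus: 0 = off, 1 = on, 2 = unknown (volume is locked)
    # ConversionStatus: 0 = fully decrypted, 1 = fully encrypted,
    #                   2 = encrypting, 3 = decrypting, 4/5 = paused
    if ($ProtectionStatus -eq 2) { return 'Locked' }
    if ($ConversionStatus -eq 0) { return 'NotEncrypted' }
    if ($ConversionStatus -eq 1 -and $ProtectionStatus -eq 1) { return 'Protected' }
    if ($ConversionStatus -eq 1 -and $ProtectionStatus -eq 0) { return 'Suspended' }
    'ConversionInProgress'
}

function Get-BitLockerVolumeState {
    Get-WmiObject -Namespace $BitLockerNamespace -Class Win32_EncryptableVolume |
        ForEach-Object {
            $protection = $_.GetProtectionStatus()
            $conversion = $_.GetConversionStatus()
            New-Object PSObject -Property @{
                Drive            = $_.DriveLetter
                State            = Get-BitLockerState $conversion.ConversionStatus $protection.ProtectionStatus
                PercentEncrypted = $conversion.EncryptionPercentage
            }
        }
}

function Get-SuspendedVolume {
    # Volumes an administrator suspended (for example for a BIOS update) and never resumed.
    Get-BitLockerVolumeState | Where-Object { $_.State -eq 'Suspended' }
}

# Classification logic on constructed status values (no BitLocker needed for these lines):
"1/1 -> " + (Get-BitLockerState 1 1)
"1/0 -> " + (Get-BitLockerState 1 0)
"0/0 -> " + (Get-BitLockerState 0 0)

# On a BitLocker-capable system, list anything still suspended:
#   Get-SuspendedVolume | Format-Table Drive, State, PercentEncrypted
#
# Suspend before the BIOS or startup-file change, resume straight after it:
#   manage-bde -protectors -disable C:
#   manage-bde -protectors -enable C:
```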

Encrypting Removable Disks

BitLocker To Go

Password or Smart Card Access

In addition to protecting internal hard-drive volumes, BitLocker can also be used to encrypt removable hard drives and flash drives. This feature is called BitLocker To Go. It can be enabled for an external drive using options in the Control Panel or from Windows Explorer. Group Policy settings can be used to configure access to these encrypted removable drives from Windows Vista or XP systems. During the BitLocker configuration, the user will have the option of enabling data access to the drive using either a password or smart card. If a password is used, the user will have the option of storing the password on the computer system so it does not have to be provided again during the next connection attempt.


Group Policy Options

Recovery Keys

Recovery Agent

BitLocker can be configured through Group Policy options to centrally manage the process for client machines in the domain. The 48-digit recovery keys can also be stored in Active Directory. At least one data recovery agent should also be set up to allow easier decryption of drives when necessary (BitLocker Drive Encryption setting in Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies).


Resolve Encryption Issues

RESOLVE ENCRYPTION ISSUES


Review the scenarios and problems presented along with their solutions

Even with proper end-user training, it is likely that problems might come up when encryption technologies are improperly used. Problems might also occur because basic administrative tasks, like resetting a password, might change the encryption keys. With proper troubleshooting techniques and by using the tools available, most problems can be solved. Being proactive is important though. There is no substitute for configuring a recovery agent or exporting and saving important keys. Here are a number of issues that might arise if you use EFS or BitLocker on your network. Understanding the encryption process for both systems will go a long way in diagnosing such problems.

You have found a number of encrypted files on a domain computer and need to decrypt them as soon as possible. You log in as the local administrator but are unable to decrypt the files. Why is the administrator account unable to do this?
The local administrator account is not a recovery agent for the files encrypted with a domain account. You need an account with the domain recovery agent key to decrypt the files.

A user is unable to encrypt a folder on their hard drive because the option to do so is not available in the properties of the folder. He was able to encrypt files on another volume of the same computer. What could be causing this problem?
The file system is either FAT or FAT32. Files can only be encrypted on NTFS volumes. Another possibility is that there are EFS restrictions being applied through group policy.

After encrypting all the files in a folder, a user realizes that he is not able to distinguish the encrypted from the unencrypted documents. What must he do?
Change the Folder Options for Windows Explorer so that the setting for Show encrypted or compressed NTFS files in color is enabled.


Five users working on a special project need shared access to confidential documents. In addition to setting appropriate permissions, these files will be encrypted. How can these users share the same encrypted file?
The file encryption key (FEK) can be encrypted by the public keys of more than one user. The first user to encrypt the document can designate that it will be shared and specify the other user accounts. Each of these users must have their own general purpose or EFS key.

You are having trouble enabling BitLocker for the system drive on a desktop computer. The drive has an 80 gigabyte partition that is formatted with NTFS. The system has 1 gigabyte of RAM and the BIOS has a 1.2 TPM enabled. Which of these components will prevent BitLocker configuration?
Since you are encrypting the drive that stores the operating system files, it must have at least two partitions formatted with the NTFS file system.

After configuring BitLocker encryption on a flash drive, a user forgets the password he created to access it. What can he do to gain access to the data?
Use the recovery key created at the beginning of the encryption process.

BIOS upgrades are scheduled for a group of laptops on which BitLocker encryption has been enabled. How can this be done without taking the time to decrypt and then encrypt the drives again?
BitLocker encryption can be suspended during the BIOS upgrade and then enabled again after it is done. The drive will remain encrypted but a clear text password will be used for file decryption which will allow changes to start files and the BIOS.


Review Module 16: Identify & Resolve Encryption Issues

REVIEW
Examine the review questions as a class

1. What is a recovery certificate used for?

2. True or False. EFS keys might be lost when a user's password is reset by an administrator.

3. What file systems support EFS and BitLocker?

4. How many partitions are needed to configure BitLocker encryption on a data drive?

5. True or False. A document can be both encrypted & compressed with Windows Explorer property settings.

6. True or False. In order to encrypt a file the user must have ownership or Full Control permissions on it.

7. What command-line tool can you use to encrypt or decrypt documents?

8. What happens to an encrypted file if it is copied to a FAT or FAT32 partition?

9. What two methods can be used to access BitLocker encrypted flash drives?


10. How long are the recovery keys created when BitLocker encryption is enabled?

11. True or False. Deleting as many files as possible on a drive before enabling BitLocker encryption will speed up the process.

12. What encryption protocol can be used to protect confidential data sent over the network?


Labs Module 16: Identify and Resolve Encryption Issues

Exercise 1: Encrypt Files using EFS

Exercise 2: Configure EFS Sharing


Exercise 3: Configure a Recovery Agent

Overview: Configure EFS and share encrypted files. Unless stated otherwise, start up the Windows 7 client and the domain controller images. Log in with the Contoso\Admin1 user account with a password of Pa$$w0rd.

Estimated time to complete this lab is 30 minutes.


Exercise 1: Encrypt files using EFS
1. Create a System Restore point named Pre_Lab16.
2. Use Windows Explorer to open the C:\TEMP folder.
3. Right click on one of the files and choose Properties.
4. In the General tab, click Advanced.
5. Check the box for Encrypt contents to secure data.
6. Click OK and accept the default settings to close the properties window and encrypt the file (If prompted, only encrypt the file and not the folder).
7. Notice the change in file color. If the encrypted file does not have a different color from the other files in the directory, modify the Folder Options and check the option for Show encrypted or compressed NTFS files in color.
8. Log out and then log in as User1.
9. Create a folder named E:\TEMP\TESTEFS.
10. Create two text files in the E:\TEMP\TESTEFS folder named test1.txt and test2.txt.
11. Add one line of text to both files (This is a test.) and save them.
12. Right click the E:\TEMP\TESTEFS folder and click Properties.
13. In the General tab, click Advanced.
14. Check the box for Encrypt contents to secure data.
15. Click OK twice to close the Properties window.
16. In the Confirm Attribute Changes box, choose Apply changes to this folder, subfolders and files. Click OK.
17. Confirm that the two text files have been encrypted.
18. Log out and then log in as Admin1.
19. Verify that Admin1 has permissions to the file, but does not have access to open and view them.
20. Try to take ownership of the files and give yourself Full Control permissions. Access will still be denied.

Exercise 2: Configure EFS Sharing


1. Log in as User1.
2. Open the properties of the test1.txt file.
3. In the General tab click Advanced.
4. In the Advanced Attributes window, click Details.
5. In the Users who can access this file: section, click Add.
6. Choose the Admin1 account and click OK.
7. Close the properties of the test1.txt file.
8. Log in as Admin1 and verify that you now have access to test1.txt.

Exercise 3: Configure a Recovery Agent


Open an Administrator:Command Prompt.
Run the command cipher.exe /r:e:\temp\recovery
When prompted, use a password of Pa$$w0rd.
Verify that the E:\TEMP folder has recovery certificate files named recovery.cer and recovery.pfx.
Open the Group Policy Management console using the Contoso\Administrator credentials.
Edit the Default Domain Policy.
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Encrypting File System.
Right click Encrypting File System and click Add Data Recovery Agent.
Click Next.
Click Browse Folders.
Specify the E:\TEMP\recovery.cer file and click Open.
Read the message in the Add Recovery Agent window and click Yes.
Click Next and then Finish.
Verify that the Admin1 account is now an EFS recovery agent (The Intended Purposes column should specify File Recovery).
Open an MMC console and add the Certificates snap-in.
When prompted, use the My user account option.
In the Certificates snap-in, open the Personal > Certificates folder.
Right click the Certificates folder and choose All Tasks and then Import.
Follow the instructions in the wizard to import the E:\Temp\recovery.pfx file.
When prompted for the password, use Pa$$w0rd.
Enable all the options presented except Enable strong private key protection.
Click Next.
Make sure that the Personal store is chosen and click Next then click Finish.
Restart the system and log in as Contoso\User1.
Add a line with the words This is another test to both the test1.txt and test2.txt files in the E:\Temp\TestEFS folder.
Log out and log in again as Contoso\Admin1.
In the properties of the E:\Temp\TestEFS\test1.txt file, click the Advanced button on the General tab.
In the Advanced Attributes window, click the Details button and verify that Admin1 is a recovery agent (If the status has not been updated as yet, run gpupdate.exe /force or restart the system and try again.)
Perform the above two steps for the E:\Temp\TestEFS\test2.txt file.
Click Cancel and decrypt the E:\Temp\TestEFS\test2.txt file by removing the Encrypt contents to secure data check mark and clicking OK twice.
Verify that the file is now decrypted and can be edited by Admin1.
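An audit for the situation this exercise handles by editing the files as User1: a file encrypted before the recovery agent policy applied carries no copy of its key for the new agent until the file is updated. This is an added PowerShell example, not part of the lab; the function names are hypothetical, the paths are the lab's, and it assumes cipher.exe /c prints the thumbprints of the certificates stored on each file.

```powershell
# Added illustration: list EFS-encrypted files that do not yet carry the
# recovery agent certificate generated by cipher.exe /r. Function names are hypothetical.

function Get-CertThumbprint {
    param([string]$CerPath)
    # Resolve first: .NET does not follow PowerShell's current directory.
    $full = (Resolve-Path $CerPath).Path
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $full).Thumbprint
}

function Test-OutputHasThumbprint {
    param([string]$CipherOutput, [string]$Thumbprint)
    # Compare with all whitespace removed and case folded, so the check does not
    # depend on how the tool groups or spaces the hex digits.
    $haystack = ($CipherOutput -replace '\s', '').ToUpperInvariant()
    $needle   = ($Thumbprint   -replace '\s', '').ToUpperInvariant()
    $haystack.Contains($needle)
}

function Get-EfsFileMissingAgent {
    param([string]$Root, [string]$Thumbprint)
    Get-ChildItem -Path $Root -Recurse -Force |
        Where-Object {
            # Only files whose NTFS Encrypted attribute is set are EFS files.
            (-not $_.PSIsContainer) -and
            ($_.Attributes -band [System.IO.FileAttributes]::Encrypted)
        } |
        ForEach-Object {
            # cipher /c displays information on the encrypted file.
            $report = (& cipher.exe /c $_.FullName | Out-String)
            if (-not (Test-OutputHasThumbprint $report $Thumbprint)) { $_.FullName }
        }
}

# Lab paths: certificate from "cipher.exe /r:e:\temp\recovery", files from Exercise 1.
if (Test-Path 'E:\TEMP\recovery.cer') {
    $agent   = Get-CertThumbprint 'E:\TEMP\recovery.cer'
    $missing = @(Get-EfsFileMissingAgent -Root 'E:\TEMP\TESTEFS' -Thumbprint $agent)
    if ($missing.Count -eq 0) {
        'Every encrypted file carries the recovery agent certificate.'
    } else {
        'Files the recovery agent cannot decrypt yet:'
        $missing
    }
}

# Remediation, run by a user who can already decrypt the files (User1 in the lab).
# List the encrypted files on local drives without changing them:
#   cipher /u /n
# Touch them so their user and recovery keys are updated to the current ones:
#   cipher /u
```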


Module 17: Identify and Resolve Software Update Issues

Table of Contents
Overview
Lesson 1: Types of Windows Updates
Lesson 2: Using Windows Update
Lesson 3: Using Microsoft Update
Resolve Software Update Issues
Review Module 17: Identify & Resolve Software Update Issues
Labs Module 17: Identify and Resolve Software Update Issues


Overview

Types of Windows Updates

Using Windows Updates


Using Microsoft Updates

Resolve Software Update Issues

Operating System and Application updates are fixes or upgrades that improve the security or performance of the computer system. They are often used to fix known security problems as well. These patches can fix problems with the Windows 7 operating system or Microsoft applications installed on the computer. Automatic updates allow these changes to be installed on the computer as soon as they are available. Network applications and services like Active Directory and Windows Server Update Services (WSUS) can be used to implement further controls to manage when changes are applied and for which systems. WSUS will only work for Microsoft software however. If a comprehensive tool is needed for managing updates from any software vendor, then System Center Configuration Manager (SCCM) can be used. Centrally managing the updates on client computers is the preferred way of configuring these resources. Allowing individual users to decide what updates to apply and when will often result in problems. Knowing that all systems have certain fixes applied to them will help to make the network safer and speed up the troubleshooting process. In this section we will learn about the different types of updates that can be applied to computer systems. We will also examine the options available when configuring automatic updates. The steps to take when handling application and operating system update problems will also be examined.


Lesson 1: Types of Windows Updates

Important

Recommended
Optional

Featured

All Windows Updates are classified before they are deployed so administrators will know how to deal with them and their level of importance. All updates are designed to provide some kind of fix or improvement to the system, but not all computer systems will benefit from them. Knowing the classification of an update is one way to help an administrator make this determination. Updates can be classified as Important, Recommended, Optional or Featured.

Important: After testing them, these updates should be quickly installed on all applicable computer systems. They are often used to apply fixes that improve the security or reliability of the system.

Recommended: Although these fixes are not critical to the functioning of the computer, they normally apply changes that enhance its performance or improve the computing experience. They are often automatically installed along with important updates.

Optional: This classification of updates is the least important of the four categories. Unlike Important or Recommended updates, their installation cannot be automated using the local computer Windows Update settings. They are often used to install updated drivers or software for print devices.

Featured: Featured updates are a special category of upgrades that often fall into the category of Important. They are installed to meet a particular need and are divided in three areas:

Security Updates: These are released to meet a particular security issue. The security problem will always be classified in a Microsoft security bulletin as critical, important, moderate or low.

Critical Updates: These are fixes that are not directly related to a security problem. The problem usually affects many systems.

Service Packs: These releases include a cumulative set of fixes and updates. Once applied, they will include all the Important and Recommended updates for an operating system since its initial release.


Lesson 2: Using Windows Update

Manual Configuration

Automatic Configuration
Network Installation Methods

Testing Updates

The Windows Update feature is installed automatically on all Windows 7 systems. It allows operating system components to be fixed or upgraded manually or automatically. Updates can be installed directly from the Microsoft web-site or by using servers configured on the local network. Regardless of which method is chosen, updates should normally be tested before system-wide deployment.


Manual Configuration

Windows Update Icon

Using WSUS

To check for new Windows Updates, a user can use the Windows Update icon in the Start Menu. A manual check goes to the Microsoft web-site to find updates. If a WSUS server is set up on the local network, client computers can be redirected there to look for updates approved by network administrators. Use group policy settings to configure client computers to look for updates on the local WSUS servers (the Specify intranet Microsoft update service location setting in Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update). This configuration allows updates to be tested before they are approved for installation on local computers.


Automatic Configuration

The Windows Update window also allows administrators to change the default settings for the application. Updates can be automatically downloaded and installed or downloaded with the user deciding the time of installation. Automatic updates should be done outside of normal business hours to prevent problems with active applications. Security options that allow users without administrative privileges to install updates can be assigned. Recommended updates can be installed with the same settings as important updates. Microsoft application updates can be configured with the same installation settings as Windows Updates in the settings window. The detailed notification of new updates that are available can also be enabled or disabled from this window.

If there are concerns about previous updates on the system, a history of these changes is logged and stored for later examination. The date and time of the installation, its level of importance and whether or not its installation was successful can be viewed.

A number of methods are available for troubleshooting unsuccessful updates. The Windows Update Troubleshooter is one of the easiest ways to find what the problem was. If it finds a solution, you can automatically apply the fix with the troubleshooter.


Network Installation Methods

SCCM

WSUS

When a policy decision is made to prevent the installation of certain updates, this can be better controlled if the network uses System Center Configuration Manager (SCCM) or Windows Server Update Services (WSUS). SCCM is a comprehensive tool for deploying Windows operating systems, applications and updates. The deployment process supports applications from different vendors. WSUS is used as a method of deploying updates and fixes for operating systems and applications developed by Microsoft. This allows the deployment process for these updates to be managed by local administrators instead of from the Windows or Microsoft Update web-sites.


Testing Updates

Compatibility Problems

Driver Issues
Fixing Update Failures

Some updates might cause problems on the system. Devices might stop working or their performance might decrease. Some applications might have compatibility problems with new drivers as well. To prevent such problems, all updates should be thoroughly tested before deployment. If problems do arise, Device Manager can be used to roll back driver configurations to a previous version. Some problems might require you to boot using the Last Known Good Configuration or Safe Mode to fix the issue.

Windows Updates can make significant changes to the computer system and should therefore be handled as if an installation is being done. Closing all applications and browser windows and temporarily stopping scheduled tasks can improve the update process.

When an upgrade fails, trying again after closing down all running applications might fix the problem. Verifying network connectivity and that the system is free of malware might also solve some problems. When nothing else works, a restart of the system might be necessary before manually trying to do the update again. If an important update cannot be installed on a computer using the usual methods, the knowledge base (KB) article that was created for that update should be read thoroughly to make sure that all the necessary components are in place to allow it to work.
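The update history described under Automatic Configuration and the KB-article advice above can be combined from the command line. The script below is an added example, not part of the courseware: it reads the history through the Windows Update Agent COM interface and lists every entry that did not succeed, with its KB number and error code. Function names are hypothetical and the sample entries (with placeholder KB numbers) are constructed.

```powershell
# Added example: report unsuccessful Windows Update history entries.
# Function names are hypothetical; the sample entries are constructed.
# Written to run on PowerShell 2.0, the version shipped with Windows 7.

# OperationResultCode values used in the Windows Update Agent history.
$ResultNames = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'
                  3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }

function Get-UpdateHistory {
    # Live data: the same list shown by "View update history".
    $session  = New-Object -ComObject Microsoft.Update.Session -ErrorAction Stop
    $searcher = $session.CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    if ($total -gt 0) { $searcher.QueryHistory(0, $total) }
}

function Get-UnsuccessfulUpdate {
    param($History)
    foreach ($entry in $History) {
        $code = [int]$entry.ResultCode
        if ($code -eq 2) { continue }                   # installed cleanly, nothing to chase
        # Update titles normally carry the KB article number in parentheses.
        if ("$($entry.Title)" -match 'KB\d+') { $kb = $Matches[0] } else { $kb = 'none in title' }
        New-Object PSObject -Property @{
            Date    = $entry.Date
            Result  = $ResultNames[$code]
            HResult = '0x{0:X8}' -f [int]$entry.HResult # error code to search for in the KB article
            KB      = $kb
            Title   = $entry.Title
        }
    }
}

# Constructed sample entries, used when the COM interface returns nothing.
$sample = @(
    (New-Object PSObject -Property @{ Date = [datetime]'2012-01-05 05:00'; ResultCode = 2
        HResult = 0; Title = 'Security Update for Windows 7 (KB0000001)' }),
    (New-Object PSObject -Property @{ Date = [datetime]'2012-01-06 05:00'; ResultCode = 4
        HResult = -2147023293; Title = 'Update for Microsoft Office 2010 (KB0000002)' }),
    (New-Object PSObject -Property @{ Date = [datetime]'2012-01-07 05:00'; ResultCode = 5
        HResult = -2145124330; Title = 'Printer driver update' })
)

try   { $history = @(Get-UpdateHistory) }
catch { $history = @() }
if ($history.Count -eq 0) { $history = $sample }        # fall back to the constructed data

Get-UnsuccessfulUpdate -History $history |
    Select-Object Date, Result, HResult, KB, Title |
    Format-Table -AutoSize
```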


Lesson 3: Using Microsoft Update

Updating Microsoft Applications

Upgrade Issues

Windows Update provides updates for the Windows operating system. Microsoft Update can be used to provide operating system and application updates. The options and features available for Windows Updates are also available for Microsoft Updates.


Updating Microsoft Applications

Microsoft Office

Windows Defender
Visual Studio

Microsoft Expression
Windows Live

Deploying updates and fixes for Microsoft applications regularly is one way to improve the stability of desktops on the network. Updates can be installed for server applications like Microsoft Exchange and SQL Server. Desktops that use Microsoft Office, Windows Defender, Visual Studio, Microsoft Expression or Windows Live can be maintained as well. New fixes, patches and service packs can be downloaded and installed for Microsoft applications along with other Windows Updates. This is done by enabling the Microsoft Update option in the Windows Update settings.

The recommendations for troubleshooting problems with Microsoft Updates are the same as for Windows Updates. In addition to the recommendations provided earlier for Windows Updates, keep in mind that third-party browsers may not be fully compatible with the Microsoft Update service. You might also need to free up enough space for the update on the hard drive, delete the Internet Explorer cache and clean up the system's temporary folder. Depending on the security settings configured in IE, you might also need to add the Microsoft Update site to the list of Trusted sites in the browser.


Upgrade Issues

Multiple Versions of the Same Product

Compatibility Components

Some upgrade and update problems might be unique, however, because multiple versions of the same product exist on the same computer. A system on which Microsoft Office 2007 has been upgraded to 2010 might still receive updates for both versions of the product. Removing the older version completely by using Programs and Features and manually deleting related registry settings will normally solve this problem.

In addition to fixes and security patches, application components can be installed through Microsoft Update. Microsoft Office in particular can download and install spam and junk mail filters. These can improve the security and functionality of the Outlook client. Compatibility components might also be made available to improve the interaction between older and newer versions of a product.


Resolve Software Update Issues

Review the scenarios and problems presented along with their solutions

Software updates are necessary to maintain the security and functionality of computer systems. Whether they are for the operating system or client applications, they should be applied in a timely manner. Speed should not compromise safety, however, and updates need to be tested before deployment to client computers. Compatibility with applications and hardware devices might cause problems on some computers. Not all updates will be necessary. The purpose of the update, along with important details about troubleshooting installation problems, can often be found in knowledge base articles. Updates that are not critical can be postponed if they cause problems. Problems with critical updates must be looked into quickly so they can be deployed in a timely manner.

In this section, we will look at some problems that might arise when performing software updates. The solutions provided will work, although there can be other possible fixes not presented.

Problem: Your IT manager wants all client computers to have their Windows and Microsoft Updates tested before they are installed. What is the best way to do this and have it affect all domain computers?

Solution: Use group policy settings to direct all computers to get their updates from local Windows Server Update Services (WSUS) computers. Test all updates downloaded from the Microsoft web-site to the WSUS server before they are approved for installation.

Problem: After trying unsuccessfully to install a Windows Update, you have decided to get more details about why it was created and who should install it. Where is the best place to check for this information?

Solution: Most Windows Updates have a knowledge base article written for them. This is the best source of information as to why it was created.

Problem: When viewing the history of Windows updates on a system, you find that one of them was not installed successfully. What is the easiest method to find the cause of the problem and to possibly fix it automatically?


Solution: Windows Update has its own troubleshooter that can be run to find the cause of unsuccessful updates. The advanced settings of the troubleshooter allow you to apply repairs automatically if they are found.

Problem: After some configuration changes on a computer, the user is unable to install any Windows Updates. The administrator is able to do so when he logs into the computer. How can this problem be solved?

Solution: Change the Windows Update settings to Allow all users to install updates on this computer.

Problem: The new updates for a printer driver need to be installed on a few computers after they are made available through Windows Update. They will not be available as automatic updates however. Why is this so?

Solution: These are classified as optional updates which must be installed manually since automatic installation is not available for them.


Review Module 17: Identify & Resolve Software Update Issues

REVIEW
Examine the review questions as a class

1. What server application can be used to apply updates to Microsoft and third-party applications?

2. How can you prevent Windows Update from trying to install an unapproved patch on a computer?

3. True or False. It is best to schedule updates to happen while users are working on the system.

4. What tool can be used to undo driver updates on a device?

5. How are the Windows Update and Microsoft Update services different?

6. What are software notifications?

7. True or False. Windows Updates apply to all users regardless of who is logged in when they are installed.

8. What classification of updates cannot be installed automatically on a computer?

9. What feature can be used to configure automatic updates for Microsoft Office on a computer?


10. How are service packs different from other forms of updates?

11. What tool is designed to automatically detect and fix problems with Windows Updates?

12. What are the four levels of classification available for security problems solved by security updates?


Labs Module 17: Identify and Resolve Software Update Issues

Exercise 1: Configure Windows Updates on the Desktop
Exercise 2: Configure Windows Updates with Group Policy

Overview: Configure Windows Update settings using Desktop tools and group policy settings. Unless stated otherwise, start up the Windows 7 client and the domain controller images. Log in with the Contoso\Admin1 user account with a password of Pa$$w0rd.

Estimated time to complete this lab is 15 minutes.


Exercise 1: Configure Windows Updates on the Desktop
1. Open the Action Center and click the link for Windows Update.
2. Click Updates: frequently asked questions and read the sections for How do I let all users on my computer install updates? and What do the different types of updates mean?
3. Close the Help and Support window.
4. Click Change Settings.
5. Under the section for Important Updates, choose the option for Install updates automatically.
6. Change the time of updates to 5:00AM.
7. Check the option for Give me recommended updates the same way I receive important updates.
8. Check the option for Allow all users to install updates on this computer. Click OK.
9. End any attempt to download and install updates. Close the Action Center.


Exercise 2: Configure Windows Updates Using Group Policy


1. Open the Group Policy Management console using the Contoso\Administrator credentials.
2. Edit the Default Domain Policy.
3. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
4. Edit the setting for Enable client-side targeting and read the Help section.
5. Enable this setting and assign a target group name of IT. Click OK.
6. Edit the setting for No auto-restart with logged on users for scheduled automatic updates installations and read the Help section.
7. Enable this setting and click OK.
8. Enable the setting for Allow non-administrators to receive update notifications.
9. Edit the setting for Configure Automatic Updates and read the Help section.
10. Enable this setting and in the Options under Configure automatic updating, choose Allow local admin to choose setting.
11. Schedule the updates for 6:00AM every morning. Click OK.
12. Edit the setting for Specify intranet Microsoft update service location and read the Help section.
13. Enable this setting and configure the intranet update and statistics server to use the http://NYC-DC1 URL. Click OK and close the Group Policy.
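The settings from Exercise 2, including the WSUS redirection described under Manual Configuration, reach each client as registry values under the Windows Update policy key, so they can be checked once the policy has refreshed. The audit script below is an added example, not part of the courseware; its function names are hypothetical and the sample client is constructed. It also reports the URL scheme, because the lab's http:// address means client-to-WSUS traffic is not protected by TLS.

```powershell
# Added example: audit the Windows Update policy values set in Exercise 2.
# Function names are hypothetical; the registry value names are the documented
# WSUS client policy values. Written to run on PowerShell 2.0 (Windows 7).

$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

# Expected values taken from the lab steps: (value name, expected value).
$Expected = @(
    @('WUServer',                      'http://NYC-DC1'),  # intranet update service
    @('WUStatusServer',                'http://NYC-DC1'),  # intranet statistics server
    @('UseWUServer',                   1),                 # without this, WUServer is ignored
    @('TargetGroupEnabled',            1),                 # Enable client-side targeting
    @('TargetGroup',                   'IT'),
    @('NoAutoRebootWithLoggedOnUsers', 1),
    @('ElevateNonAdmins',              1),                 # non-administrators receive notifications
    @('AUOptions',                     5),                 # Allow local admin to choose setting
    @('ScheduledInstallDay',           0),                 # 0 = every day
    @('ScheduledInstallTime',          6)                  # hour of day, 6 = 6:00AM
)

function Get-WuPolicy {
    # Merge the values of both policy keys into one hashtable.
    $policy = @{}
    foreach ($key in @($WuKey, $AuKey)) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($item) {
            foreach ($prop in $item.PSObject.Properties) {
                # Skip the PSPath, PSProvider... properties the registry provider adds.
                if ($prop.Name -notlike 'PS*') { $policy[$prop.Name] = $prop.Value }
            }
        }
    }
    return $policy
}

function Test-WuPolicy {
    param([hashtable]$Policy)
    $rows = @()
    foreach ($pair in $Expected) {
        $name = $pair[0]; $want = $pair[1]
        if (-not $Policy.ContainsKey($name))         { $status = 'Missing' }
        elseif ("$($Policy[$name])" -eq "$want")     { $status = 'OK' }
        else                                         { $status = 'Mismatch' }
        $rows += New-Object PSObject -Property @{
            Setting = $name; Expected = $want; Actual = $Policy[$name]; Status = $status }
    }
    # Report the transport separately: a plain-HTTP URL means no TLS to the WSUS server.
    $url = "$($Policy['WUServer'])"
    if ($url) {
        if ($url -match '^https://') { $scheme = 'OK' } else { $scheme = 'NoTLS' }
        $rows += New-Object PSObject -Property @{
            Setting = 'WUServer scheme'; Expected = 'https'; Actual = $url; Status = $scheme }
    }
    return $rows
}

# Constructed sample: a client where the GPO has only partly applied.
$sample = @{
    WUServer = 'http://NYC-DC1'; WUStatusServer = 'http://NYC-DC1'; UseWUServer = 1
    TargetGroupEnabled = 1; NoAutoRebootWithLoggedOnUsers = 1
    AUOptions = 4; ScheduledInstallDay = 0; ScheduledInstallTime = 3
}

'--- constructed sample ---'
Test-WuPolicy -Policy $sample |
    Select-Object Setting, Expected, Actual, Status | Format-Table -AutoSize

'--- this computer (run gpupdate /force first) ---'
Test-WuPolicy -Policy (Get-WuPolicy) |
    Select-Object Setting, Expected, Actual, Status | Format-Table -AutoSize
```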


Appendix A: Condensed Lab Exercises


Note: Perform all the exercises marked as Optional unless the instructor says otherwise. For lab exercises where both student machines are used, always start the Windows Server DC image (50331A-GEN-SRV) before the Windows 7 client image (50331A-GEN-CLI). All exercises will be performed on the 50331A-GEN-CLI image unless stated otherwise. Your instructor will provide you with the following information before starting your labs:

Host Machine (Name of the computer on which Hyper-V is running): __________
The following files are in the C:\Labfiles folder of the host machine:
Windows 7 Operating System ISO ___________________________________
Windows Automated Installation Kit: ___________________________________
Windows 7 Software Development Kit: ___________________________________
If you are unsure about how to access an ISO using the Hyper-V image, check with your instructor before beginning your exercises.

Table of Contents
Labs Module 1: Identify and Resolve New Software Installation Issues
Exercise 1: Install and configure Windows 7
Exercise 2: Install Programs and Test AppLocker
Exercise 3: Configure Compatibility Settings

Labs Module 2: Resolve Software Configuration Issues
Exercise 1: Install Windows Automated Installation Kit (WAIK)
Exercise 2: Use WAIK to create a Windows PE bootable image
Exercise 3: Create a VHD disk using Disk Management
Exercise 4: Use WAIK to copy Windows 7 install files to the VHD partition
Exercise 5: Add a Boot Menu option for the VHD file
Exercise 6: Use Problem Steps Recorder to record the steps involved in installing a program (Optional)

Labs Module 3: Resolve Software Failure
Exercise 1: Install applications written for older versions of Windows
Exercise 2: Use Program Compatibility tool to configure settings for older applications
Exercise 3: Disable the Network Adapter with a PowerShell Script
Exercise 4: Use the Troubleshooter to enable the network adapter
Exercise 5: Configure PowerShell scripts to change the NIC's IP address (To be used when creating the Troubleshooter with the SDK)
Exercise 6: Install Windows 7 Software Development Kit (SDK)


Exercise 7: Create a Troubleshooting Pack with the Software Development Kit
Exercise 8: Join the Domain and Configure Event Forwarding
Exercise 9: Configure System Restore

Labs Module 4: Identify and Resolve Logon Issues
Exercise 1: Join the computer to the domain
Exercise 2: Install Remote Server Administration Tools (RSAT)
Exercise 3: Test and Verify Domain User Account Properties
Exercise 4: Assign a PowerShell Logoff Script (Deletes Files in the %TEMP% folder)
Exercise 5: Test a Roaming Profile (Optional)
Exercise 6: Test a Mandatory Profile (Optional)

Labs Module 5: Identify and Resolve Network Connectivity Issues
Exercise 1: Use command-line tools to identify and solve network problems
Exercise 2: Fix Connectivity Problems

Labs Module 6: Identify and Resolve Name Resolution Issues
Exercise 1: Configure and Test DNS Resolution
Exercise 2: Configure and Test Hosts File Resolution
Exercise 3: Configure and Test NetBIOS Resolution
Exercise 4: Cleanup

Labs Module 7: Identify and Resolve Network Printer Issues
Exercise 1: Install Local and Network Printers
Exercise 2: Create and Use a Separator Page (Optional)
Exercise 3: Configure Printer Redirection and a Printer Pool
Exercise 4: Move the Print Spooler Directory

Labs Module 8: Identify and Resolve Performance Issues
Exercise 1: Schedule and Perform a Disk Defragmentation
Exercise 2: Using Task Manager
Exercise 3: Using Resource Monitor
Exercise 4: Configure a Warning Message When a Service Stops (Optional)

Labs Module 9: Identify and Resolve Hardware Failure Issues
Exercise 1: Use the Windows Memory Diagnostics Tool
Exercise 2: Fix Hard Disk Errors
Exercise 3: Use the Reliability Monitor
Exercise 4: Use Event Viewer to find Hardware Information (Optional)

Labs Module 11: Identify and Resolve Remote Access Issues
Exercise 1A: Update the Active Directory Users and Computers snap-in installed from the RSAT
Exercise 1B: Verify VPN/Dial-in permissions for user accounts
Exercise 2: Create and test a VPN connection

Labs Module 12: Manage File Synchronization (Optional)


Exercise 1: Configure and Test Offline Files
Exercise 2: Restore the Previous Version of a File

Labs Module 13: Identify and Resolve Internet Explorer Security Issues (Optional)
Exercise 1: Configure Trusted Security Zone for automatic authentication on Intranet Site
Exercise 2: Configure the Security and Privacy Features in Internet Explorer
Exercise 3: Configure Group Policy Settings for Internet Explorer

Labs Module 14: Identify and Resolve Firewall Issues (Optional)
Exercise 1: Configure and Test Firewall Rules for an Application
Exercise 2: Fix Application problems caused by Firewall Rules

Labs Module 15: Identify and Resolve Issues due to Malicious Software (Optional)
Exercise 1: Use Action Center to Manage UAC Settings
Exercise 2: Use System File Checker
Exercise 3: Use the Malicious Software Removal Tool
Exercise 4: Install Microsoft Security Essentials (Optional)

Labs Module 16: Identify and Resolve Encryption Issues
Exercise 1: Encrypt files using EFS
Exercise 2: Configure EFS Sharing
Exercise 3: Configure a Recovery Agent

Labs Module 17: Identify and Resolve Software Update Issues (Optional)
Exercise 1: Configure Windows Updates on the Desktop
Exercise 2: Configure Windows Updates Using Group Policy


Appendix A: Condensed Lab Exercises


Labs Module 1: Identify and Resolve New Software Installation Issues


Overview: Install and configure Windows 7. Install and configure applications and application access. Unless stated otherwise, use the Windows 7 image for this lab and login as Admin1 with a password of Pa$$w0rd. All ISO images will be on the local C: drive in the Labfiles folder.

Estimated Time to complete this lab is 60 minutes.

Exercise 1: Install and configure Windows 7

1. In the Hyper-V console, select the 50331A-GEN-SRV image and use the Actions pane to start it. Select the 50331A-GEN-CLI image and use the Actions pane to open the Settings window. Change the DVD Drive to point to Windows 7 Enterprise ISO in the C:\Labfiles folder. Verify with the instructor that it is the 64-bit version. Change the floppy drive to use the C:\Labfiles\w7install.vfd file. Close the Settings window. In the Action pane, click Start and then Connect to start the computer and open the Virtual Machine Connection window. The unattended install of Windows 7 will begin.
2. After the installation is complete, configure the following components:
   A. Name the computer Student1
   B. Name the administrator account Admin1 with a password of Pa$$w0rd
   C. Create a group named Local_Users
   D. Create a user named User1 and add it to the Local_Users group
   E. C: drive will be at least 20 GB and the D: and E: drives are 24 gigabytes each (dynamic drive configurations)
   F. Create a TEMP folder on each drive.
   G. Change the DVD drive letter to G:

Exercise 2: Install Programs and Test Applocker


1. Login to Student1 as Admin1 with a password of Pa$$w0rd.
2. Click Start and navigate to Control Panel > Programs > Programs and Features > Turn Windows features on or off.
3. In the Turn Windows features on or off window, select the check boxes to install Games and Telnet Client.
4. Click OK.
5. Verify that the games are installed by navigating to Start > All Programs > Games.
6. Verify that the Telnet client is installed by executing telnet from a Command Prompt window.
7. Click Start and in the Search programs and files window, type policy (do not hit Enter).
8. In the Start Menu, right click the Local Security Policy program and run it as an Administrator.
9. In the Local Security Policy window, navigate to Application Control Policies > AppLocker > Executable Rules.
10. Right click on Executable Rules and click Create New Rule.
11. In the Create Executable Rules window, read the information under Before You Begin and click Next.
12. In the Permissions window under Action, click Allow and under User or group, click Select, type Administrators then click OK. Click Next.
13. In the Conditions window, choose File hash and click Next.
14. Use the Browse Files option to specify the C:\WINDOWS\SYSTEM32\TELNET.EXE file. Click Next.
15. In the Name and Description window, name the rule Telnet (Administrators). Click Create.
16. If asked to create the default rules for AppLocker, choose Yes.


17. In addition to the new rule created, there should be three default rules. Examine the properties of the three default rules created.
18. Right click on Executable Rules and click Create New Rule.
19. In the Create Executable Rules window, click Next.
20. In the Permissions window, click the Deny action and choose the Everyone group. Click Next.
21. In the Conditions window, choose File hash and click Next.
22. Use the Browse Files option to specify the C:\WINDOWS\SYSTEM32\TELNET.EXE file. Click Next.
23. In the Name and Description window, name the rule Telnet (Everyone). Click Create.
24. Login as User1 with a password of Pa$$w0rd and verify that you are still able to launch telnet. The AppLocker rule is not being applied.
25. Log back onto the system with the Admin1 user account.
26. Click Start and in the Search programs and files box, type services.
27. Run the Services program.
28. Open the properties window of the Application Identity service. Read the description.
29. Change the startup type to Automatic and close the services window.
30. Open the Local Security Policy tool and navigate to Application Control Policies > AppLocker.
31. Double click AppLocker and under Configure Rule Enforcement, click Configure rule enforcement.
32. In the AppLocker Properties window, click the Enforcement tab and enable all three rule categories by checking off the Configured check boxes. Make sure that the Enforce rules option is chosen for all three.
33. In the Advanced tab, read, but DO NOT configure, the option to enable DLL rules.
34. Click OK and restart the system.
35. Login as User1.
35. Use the Command Prompt to verify that the telnet command cannot be executed. (If the telnet command still runs successfully, wait a few minutes for policy settings to be updated and try again.)
36. Logout as User1 and login as Admin1.
37. Use the Command Prompt to verify that the telnet command still cannot be executed (The deny rule for Everyone will also apply to members of the Administrators group).
38. Use the Start menu to open the Local Security Policy window. Navigate to Application Control Policies > AppLocker > Executable Rules and open the Telnet (Everyone) rule. Change its name to Telnet (Local_Users) and change the User or group option to use the Local_Users group. Click OK and close the Local Security Policy window.
39. Try to execute the telnet command again. It should now be successful for Admin1 but unsuccessful for User1. If the rule is not working, restart the computer and verify that the Application Identity service is running.
40. Open the Local Security Policy window and navigate to Application Control Policies > AppLocker > Executable Rules.
41. Right click on Executable Rules and click Create New Rule. Click Next.
42. On the Permissions window, choose Deny for the Action and Everyone for the group. Click Next.
43. On the Conditions window, click Path. Click Next.
44. On the Path window, choose the C:\PROGRAM FILES\MICROSOFT GAMES\ folder. Click Next.
45. On the Exceptions page under Add exception:, choose File hash.
46. Click Add and choose the C:\PROGRAM FILES\MICROSOFT GAMES\SOLITAIRE\SOLITAIRE.EXE file. Click Next.
47. On the Name and Description page, name the rule Microsoft Games. In the Description, type Block all games except Solitaire. Click Create.
48. Try executing three or more games to verify that Solitaire is the only one that will run.
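The checks this exercise performs by logging in as each user (steps 24 to 39 and step 48) can also be scripted with the AppLocker PowerShell module included in Windows 7. The following is an added example, not part of the courseware; it assumes the lab's STUDENT1 machine, the Admin1 and User1 accounts, the default Microsoft Games install path, and an elevated PowerShell prompt.

```powershell
# Added example (not from the lab manual). Assumes STUDENT1 with the lab's
# Admin1/User1 accounts; run from an elevated PowerShell prompt.
Import-Module AppLocker

$telnet = 'C:\Windows\System32\telnet.exe'   # file targeted by the lab's hash rules
$users  = 'Admin1', 'User1'                  # lab accounts

# 1. AppLocker rules are only enforced while the Application Identity
#    service (AppIDSvc) is running; the lab sets it to Automatic in step 29.
$svc = Get-WmiObject Win32_Service -Filter "Name='AppIDSvc'"
'AppIDSvc: State={0}, StartMode={1}' -f $svc.State, $svc.StartMode

# 2. Enforcement mode of each rule collection in the effective policy
#    (NotConfigured, AuditOnly or Enabled), read from the policy XML.
$xml = [xml](Get-AppLockerPolicy -Effective -Xml)
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) {
    '{0,-8} {1,-14} rules={2}' -f $rc.Type, $rc.EnforcementMode, $rc.ChildNodes.Count
}

# 3. Ask AppLocker how the effective rules decide for each account.
#    Test-AppLockerPolicy evaluates the rules only; it does not check whether
#    the service is running, which is why checks 1 and 2 come first.
#    PolicyDecision is Allowed, Denied or DeniedByDefault; MatchingRule names
#    the rule that decided (for example the explicit Deny that overrides Allow).
$policy = Get-AppLockerPolicy -Effective
foreach ($u in $users) {
    Test-AppLockerPolicy -PolicyObject $policy -Path $telnet -User $u |
        Select-Object @{Name = 'User'; Expression = { $u }}, PolicyDecision, MatchingRule
}

# 4. Same question for the Microsoft Games path rule and its Solitaire
#    file-hash exception, across every executable under the folder.
$games = Get-ChildItem 'C:\Program Files\Microsoft Games' -Recurse -Filter *.exe |
    ForEach-Object { $_.FullName }
Test-AppLockerPolicy -PolicyObject $policy -Path $games -User User1 |
    Sort-Object PolicyDecision |
    Format-Table PolicyDecision, MatchingRule, FilePath -AutoSize
```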

Exercise 3: Configure Compatibility Settings:


1. Use Windows Explorer to go to the C:\WINDOWS folder.
2. Locate notepad.exe, right click on it and open the properties window.
3. In the Compatibility tab, notice the different options available (You will not be able to make changes since this is an operating system file).



4. Close the properties window.
5. Open the Command Prompt as an Administrator. Run the command Xcopy \\NYC-DC1\classfiles\tools\ppview97.exe E:\TEMP.
6. Use the properties window of the e:\temp\ppview97.exe file to examine the Compatibility tab and the options available. Cancel the installation of the program.


Labs Module 2: Resolve Software Configuration Issues


Overview: Install Windows 7 deployment tools. Create and work with a Virtual Hard Drive (VHD). Unless stated otherwise, use the Windows 7 image for this lab and login as Admin1 with a password of Pa$$w0rd. All ISO images will be on the local C: drive in the Labfiles folder of the host machine.

Estimated time to complete this lab is 90 minutes.

Exercise 1: Install Windows Automated Installation Kit (WAIK)

1. Login to STUDENT1 as Admin1. Use the Media option on the Virtual Machine Connection window to insert the WAIK ISO in the C:\Labfiles folder.
2. Run the setup program for WAIK (G:\StartCD.exe) as an administrator.
3. In the Welcome to Windows Automated Installation Kit window, click Windows AIK Setup.
4. Accept the licensing agreement and all the default settings to install the WAIK.

Exercise 2: Use WAIK to create a Windows PE bootable image


1. Click Start > All Programs > Microsoft Windows AIK.
2. Right click Deployment Tools Command Prompt and run as an administrator. Note: Use the Deployment Tools Command Prompt for all future executions of WAIK commands.
3. Use the CD command to navigate to the amd64 folder. (Your instructor will inform you if a different architecture is being used.)
4. Run the command: copype <A> E:\WINPE (<A> represents the architecture type e.g. amd64)
5. Run the command: xcopy "c:\program files\windows aik\tools\<A>\imagex.exe" E:\WINPE\ISO (<A> represents the architecture type)
6. Create the Windows PE image named E:\WINPE\WINPE.ISO by running the command: oscdimg -n -bE:\WINPE\ETFSBOOT.COM E:\WINPE\ISO E:\WINPE\WINPE.ISO
7. This image can now be burned to a CD or USB flash drive for use on systems with a compatible architecture.

Exercise 3: Create a VHD disk using Disk Management


1. Create a folder on the E: drive named VHD7.
2. Open the Computer Management console.
3. Double click on Disk Management to view the available drives on the computer.
4. Right click Disk Management and choose Create VHD.
5. In the Create and Attach Virtual hard Disk window, use a Location of E:\VHD7\WINDOWS7.VHD.
6. Change the Virtual hard disk size to 20000 MB and the Virtual hard disk format to Dynamically expanding. Click OK.
7. Right click the new disk and choose the option to initialize it. (If unsuccessful, exit and restart Computer Management then try again.)
8. In the Initialize Disk window, choose the MBR partition style and click OK.
9. Right click on the unallocated space on the new disk and choose the option to create a New Simple Volume.
10. Accept all the default settings in the New Simple Volume Wizard.
11. Once the drive is formatted, change the drive letter to V: and exit Computer Management.


Exercise 4: Use WAIK to copy Windows 7 install files to the VHD partition.
1. Use the Media option on the Virtual Machine Connection window to insert the Windows 7 ISO.
2. Click Start > All Programs > Microsoft Windows AIK.
3. Right click Deployment Tools Command Prompt and run as an administrator.
4. Run the command: imagex /info G:\sources\install.wim > info.txt. (This will create a text file that contains the index IDs for the different editions in the install.wim file.)
5. Open the info.txt file by running the command: notepad info.txt.
6. Use the menu bar in notepad to open the Find window by clicking Edit > Find.
7. Search for the phrase IMAGE INDEX and make a note of the number associated with it (e.g. IMAGE INDEX=1). If there are multiple occurrences of IMAGE INDEX, use the number associated with the Windows 7 Enterprise image. Close notepad.
8. Run the command: imagex /apply G:\sources\install.wim <N> V:. (Note: <N> represents the IMAGE INDEX number from the previous step. This command will apply the installation image to the VHD.)
9. Use Windows Explorer or the Command Prompt to verify that the install files are on the V: drive.

Exercise 5: Add a Boot Menu option for the VHD file.


1. From the Command Prompt run: bcdedit.exe /copy {current} /d "Windows 7 VHD" (Note: This command will create a new GUID, which is a 32-digit hexadecimal number, in the boot loader. {current} automatically references the boot entry for the operating system currently running.)
2. Use the GUID from the command in the previous step to replace <ID> in the following commands:
   bcdedit /set <ID> device vhd=[E:]\vhd7\windows7.vhd
   bcdedit /set <ID> osdevice vhd=[E:]\vhd7\windows7.vhd
   bcdedit /set <ID> detecthal on
3. Run bcdedit /v to verify the new entry in the boot menu.
4. Restart the system and choose Windows 7 VHD from the Windows Boot Manager.
5. When the system reboots, make sure to choose Windows 7 VHD from the Boot Manager again.
6. Verify the keyboard and other settings when presented and click Next.
7. When prompted, type a user account named Admin1 and a computer name of VIRTUAL1.
8. When prompted assign a password of Pa$$w0rd and a hint of Lab Password. Click Next.
9. Leave the Product Key blank and uncheck the option to Automatically activate Windows when online. (The option to specify a product key might not appear depending on what version of Windows 7 is being installed.) Click Next.
10. Read and accept the license agreement. Click Next.
11. On the Help protect your computer and improve Windows automatically screen, choose Ask me later.
12. Assign appropriate Time Zone and date settings. Click Next.
13. On the Select your computer's current location window, choose Work network.
14. Use Disk Management to examine the disk and drive letter assignments.
15. Reboot the computer and login to the original Windows 7 installation.

Exercise 6: Use Problem Steps Recorder to record the steps involved in installing a program (Optional)
1. Click Start and in the Search programs and files box, type Problem Steps Recorder.
2. Click on Record steps to reproduce a problem.
3. In the Problem Steps Recorder window, press Alt + G and then open the Settings window.
4. Change the output location to E:\TEMP\PPVIEWER.ZIP and the number of screen captures to 50. Make sure the Enable screen capture option is set to Yes. Click OK.


5. In the Problem Steps Recorder window, press Alt + G and choose the option to Run as administrator.
6. In the Problem Steps Recorder window, click Start Record and minimize the recorder.
7. Click Start and navigate to All Programs > Accessories and open the Command Prompt as an administrator. Run the command: \\NYC-DC1\CLASSFILES\TOOLS\PPVIEWER.EXE. In the Power Point Viewer setup, accept the default options to install the application.
8. In the Problem Steps Recorder, click Stop Record and close the Problem Steps Recorder.
9. Use Windows Explorer to open the file E:\TEMP\PPVIEWER.ZIP.
10. Double click on the mht file to open it in Internet Explorer. Review the information in the section Recorded Problem Steps and use the links available to Review the recorded problem steps, Review the recorded problem steps as a slide show and Review the additional details.


Labs Module 3: Resolve Software Failure


Overview: Test the Program Compatibility tool on applications written for older versions of Windows. Use the Software Development Kit to create and test a Troubleshooter. Configure System Restores. Install Windows 7 deployment tools. Create and work with a Virtual Hard Drive (VHD). Unless stated otherwise, use the Windows 7 client and domain controller images for this lab. Login as Admin1 with a password of Pa$$w0rd. All ISO images will be on the local C: drive in the Labfiles folder. The client computer should now be configured with two installs of Windows 7. References to STUDENT1 mean that you should be using the first option in the Windows Boot Manager (Windows 7). References to VIRTUAL1 mean that you should be using the second option in the Windows Boot Manager (Windows 7 VHD). If the computer name for an exercise is not specified, use the default Windows 7 boot option (STUDENT1).

Estimated time to complete this lab is 120 minutes.

Exercise 1: Install applications written for older versions of Windows

1. Copy xlviewer.exe from \\NYC-DC1\CLASSFILES\TOOLS to E:\TEMP.
2. Install it using the default settings. Run the installation as an administrator.
3. Execute the application to make sure it runs without error messages.

Exercise 2: Use Program Compatibility tool to configure settings for older applications
1. Click Start > Control Panel (Change the View by: option to Category.)
2. In the Control Panel go to Programs > Run programs made for previous versions of Windows.
3. From the Program Compatibility window, click Advanced, then click Run as administrator.
4. Click Next.
5. Select Microsoft Office Excel Viewer 2003 from the list and click Next.
6. Choose Try Recommended Settings.
7. Notice the compatibility mode applied.
8. Click Start the program to verify that it runs without errors and then close the program down.
9. In the Program Compatibility window, click Next.
10. Click Yes, save these settings for the program.
11. Click View detailed information to see the Troubleshooting report.
12. Click Next then click Close.

Exercise 3: Disable the Network Adapter with a PowerShell Script


Note: This exercise can also be completed by using the script: \\NYC-DC1\CLASSFILES\MOD03\disable_nic.ps1.

1. Open the Command Prompt as an administrator.
2. Type powershell.exe and execute it. (Note: Notice the change in the prompt, with PS indicating that you are in PowerShell.)
3. Use the ipconfig /all command to get the MAC / Physical address of your adapter and make a note of it. MAC Address ____________________. Note: Represent the MAC address as being delimited by colons ( : ) instead of dashes ( - ).



4. Get more information about the adapter by running the following command: get-wmiobject win32_networkadapter | where {$_.MACAddress -eq "<MAC>"}. <MAC> represents the MAC address delimited by colons ( : ) instead of dashes ( - ).
5. Assign the adapter information to a variable named $NIC with the following command: $NIC = get-wmiobject win32_networkadapter | where {$_.MACAddress -eq "<MAC>"}.
6. Disable the network adapter using the variable: $NIC.disable() (Note: The $NIC.enable() command could enable the NIC but we will use the Troubleshooter instead.)
7. Run ipconfig to verify that the network adapter is disabled.

Exercise 4: Use the Troubleshooter to enable the network adapter


1. Click Start and in the Search programs and files window, type Network Diagnostics.
2. Click Identify and repair network problems.
3. The Windows Network Diagnostics window should indicate that the adapter is disabled. Click View detailed information.
4. Click Next.
5. Click Try these repairs as an administrator.
6. After the adapter is enabled, click Close.

Exercise 5: Configure PowerShell scripts to change the NIC's IP address (To be used when creating the Troubleshooter with the SDK)

1. Open a Command Prompt as administrator.
2. Run powershell.exe
3. Get the execution policy for scripts by running this command: Get-ExecutionPolicy
4. Configure the system to execute PowerShell scripts: Set-ExecutionPolicy unrestricted
5. Verify that the execution policy is now set to unrestricted: Get-ExecutionPolicy
6. Exit PowerShell, but stay in the Command Prompt.
7. Run the command: xcopy \\NYC-DC1\classfiles\MOD03\*.ps1 e:\temp\ /s/v
8. Modify the E:\Temp\static_ip.ps1 file with notepad and replace the MAC address in the script with the one for your NIC. Save the file.
9. Modify the E:\Temp\dynamic_ip.ps1 file with notepad and replace the MAC address in the script with the one for your NIC. Save the file.
10. Run the command: powershell.exe e:\temp\static_ip.ps1
11. Use ipconfig to verify that the machine now has a static IP address.
12. Run the command: powershell.exe e:\temp\dynamic_ip.ps1
13. Use ipconfig to verify that the machine is using a dynamic IP address.
14. Run the static_ip.ps1 script again to change the IP back to a static address.
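The Set-ExecutionPolicy unrestricted command in this exercise writes a persistent, machine-wide setting, and nothing later in the exercise sets it back. As an added example (not part of the courseware), the function below runs one of the lab scripts under a policy that applies only to the child process and reports whether any persistent scope changed; the function name Invoke-LabScript and the RemoteSigned default are assumptions.

```powershell
# Added example (not from the lab manual). Invoke-LabScript is a hypothetical
# helper name; the script path is the one the exercise copies to E:\Temp.
function Invoke-LabScript {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Policy = 'RemoteSigned'     # assumption: enough for a local script
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Script not found: $Path" }

    # Snapshot every scope: MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine.
    $before = Get-ExecutionPolicy -List

    # -ExecutionPolicy on the command line applies to this child process only.
    # A policy set through Group Policy (MachinePolicy/UserPolicy) still overrides it.
    & powershell.exe -NoProfile -ExecutionPolicy $Policy -File $Path
    $exit = $LASTEXITCODE

    # Any difference between the snapshots means a persistent scope was modified.
    $after = Get-ExecutionPolicy -List
    $drift = Compare-Object $before $after -Property Scope, ExecutionPolicy

    New-Object PSObject -Property @{
        Script        = $Path
        ExitCode      = $exit
        PolicyChanged = [bool]$drift
    }
}

# Show what is configured at each scope, then run the lab script.
Get-ExecutionPolicy -List | Format-Table -AutoSize
Invoke-LabScript -Path 'E:\Temp\static_ip.ps1' |
    Format-List Script, ExitCode, PolicyChanged
```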

Exercise 6: Install Windows 7 Software Development Kit (SDK).


1. Click Start and navigate to Control Panel > Programs > Programs and Features > Turn Windows features on or off.
2. In the Windows Features window, make sure that all the Microsoft .NET Framework components are selected and installed. Click OK.
3. Restart the computer and login again as Admin1.
4. Use the Virtual Machine Connection menu bar option (Media) to insert the Windows 7 Software Development Kit ISO (GRMSDKX_EN_DVD.iso).
5. Execute the setup.exe program from the SDK ISO as an administrator.



6. During the setup install all modules except for the .NET Framework components.
7. Accept all other default settings to complete the setup.
8. Before finishing the install, make sure that View the Windows SDK Release Notes is checked.
9. Read section 1.1 Recommended Resources, 4.1 Installation and Related Content, 4.5 File System Layout and 6.3 Ways to Find Support and Send Feedback in the Release Notes document.
10. Close the document.

Exercise 7: Create a Troubleshooting Pack with the Software Development Kit


1. Click Start > All Programs > Microsoft Windows SDK > Tools > Windows Troubleshooting Pack Designer.
2. From the Windows Troubleshooting Pack Designer, click Project > New.
3. From the Create a Troubleshooting Pack window, name the project Configure DHCP Client and change the location to E:\Temp. Click Create.
4. In the privacy URL box, type http://NYC-DC1.
5. Click Add New Root Cause.
6. In the Root Cause ID box, type STATIC_IP
7. In the Root Cause Name box, type Client computers with a static IP address
8. Click Define Troubleshooter.
9. Under Troubleshooter Properties, note the default options but do not change them.
10. Click Define Resolver.
11. For the Resolver Name box, type Assign Dynamic IP Address and change Elevation to YES.
12. Click Define Verifier. Note the information provided but do not change the default settings.
13. Click Edit Root Cause Scripts.
14. Click the Edit Resolver Script link.
15. In the new dialog window, note the commented information in the top window that starts with # Resolver Script.
16. Use notepad to open the E:\TEMP\DYNAMIC_IP.PS1 file and paste the code below the commented information.
17. Save and exit from the dialog window.
18. From the Menu bar of the Windows Troubleshooting Pack Designer, click Project > Save.
19. From the Menu bar of the Windows Troubleshooting Pack Designer, click Build > Run. Accept all the default settings to do a test run of the pack.
20. Verify that the Troubleshooter worked by making sure the computer has a dynamic IP address.
21. In the Windows Troubleshooting Pack Designer window, click Build > Build Pack.
22. Click View Output Folder to see the package files.
23. Close Windows Explorer and the Windows Troubleshooting Pack Designer.

Exercise 8: Join the Domain and Configure Event Forwarding


1. Restart the system and login to VIRTUAL1 as Admin1.
2. Click Start > right click Computer and click Properties. Under Computer name, domain, and workgroup settings, click Change Settings. In the Computer Name tab, click Change. Under Member of, click Domain and type CONTOSO.COM. Click OK. Type the Admin1 credentials and click OK.
3. Close all dialog windows and restart the VIRTUAL1 machine after successfully joining the domain.
4. Login to VIRTUAL1 as VIRTUAL1\Admin1. Open the Computer Management console as an Administrator. Navigate to Local Users and Groups > Groups. Open the properties window for the Administrators group. Add the Contoso\Classroom Administrators group to the members list.
5. Add the NYC-DC1 computer to the Event Log Readers group.
6. Login to the domain controller with the Administrator account and a password of Pa$$w0rd and perform the following steps:
   a. Open a Command Prompt with administrator credentials.



   b. Run the command: winrm quickconfig (Note: This allows users on other systems to subscribe to events on your computer)
   c. Accept the changes if prompted to do so.
   d. Run the command: wecutil qc. Accept the service changes when prompted.
7. On VIRTUAL1 perform the following steps:
   a. Open the Event Viewer and double click the Subscriptions tab. Accept any system changes specified in pop-up windows.
   b. Right click the Subscriptions tab and choose Create Subscription.
   c. In the Subscriptions Properties window, name the subscription Server Logs.
   d. Set the Destination log to Forwarded Events.
   e. For the Subscription type, choose Collector initiated. Click the Select Computers button to add NYC-DC1 and Test the connection. Click OK.
   f. Click Select Events and in the Query Filter window, use the drop-down window for Event Logs to choose the Application, Security, Setup and System Event Logs. Click OK.
   g. Click OK in the Subscription Properties window.
8. Restart NYC-DC1 and login as Administrator.
9. On VIRTUAL1 in the Computer Management console, open the System Tools > Event Viewer > Windows Logs > Forwarded Events folder. Verify that there are entries from the NYC-DC1 computer.
10. In the Subscriptions folder, Disable the newly created subscription.
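Step 9 confirms forwarding by looking at the Forwarded Events log once. As an added example (not part of the courseware), the script below performs the same check from an elevated PowerShell prompt on the collector and flags expected sources that have stopped sending; the subscription name Server Logs and the source NYC-DC1 come from the exercise, while the function name Get-ForwardingGap and the 30-minute threshold are assumptions.

```powershell
# Added example (not from the lab manual). Run elevated on the collector (VIRTUAL1).
$subscription = 'Server Logs'            # subscription name from the exercise

# Subscription configuration and per-source runtime status as the collector sees them.
wecutil gs $subscription
wecutil gr $subscription

function Get-ForwardingGap {
    param(
        [Parameter(Mandatory = $true)][string[]]$ExpectedSource,  # hosts that should forward
        [int]$MaxSilenceMinutes = 30,    # assumption: tune to the environment
        [int]$MaxEvents = 2000           # how far back in the log to look
    )
    $now = Get-Date

    # Get-WinEvent reports an error when the log holds no events; suppress it
    # and treat an empty log as every expected source being silent.
    $events = @(Get-WinEvent -LogName ForwardedEvents -MaxEvents $MaxEvents `
                    -ErrorAction SilentlyContinue)

    # Get-WinEvent returns newest first, so the first event seen per computer
    # is that computer's most recent forwarded event.
    $latest = @{}
    foreach ($e in $events) {
        $name = ([string]$e.MachineName).ToLower()
        if (-not $latest.ContainsKey($name)) { $latest[$name] = $e.TimeCreated }
    }

    foreach ($src in $ExpectedSource) {
        $short = $src.ToLower()
        # Accept either the short name or a fully qualified name starting with it.
        $key = $latest.Keys |
            Where-Object { $_ -eq $short -or $_ -like ($short + '.*') } |
            Select-Object -First 1
        $last = if ($key) { $latest[$key] } else { $null }
        $silent = ($last -eq $null) -or
                  (($now - $last).TotalMinutes -gt $MaxSilenceMinutes)

        New-Object PSObject -Property @{
            Source    = $src
            LastEvent = $last
            Silent    = $silent
        }
    }
}

Get-ForwardingGap -ExpectedSource 'NYC-DC1' |
    Format-Table Source, LastEvent, Silent -AutoSize
```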

Exercise 9: Configure System Restore


1. On Virtual1, navigate to Control Panel > System and Security > System.
2. Click the System protection link.
3. In the System Properties window on the System Protection tab, click the Create button to create a new restore point named Pre_Application_Install.
4. Create a text document named C:\Temp\test100.txt containing the phrase This is a test..
5. Run the command \\NYC-DC1\CLASSFILES\TOOLS\XLVIEWER.EXE with administrator credentials to install Excel Viewer. Accept the default settings to complete the setup.
6. Execute the application to verify that it installed properly. Close the application.
7. Open the System Properties window and go to the System Protection tab.
8. Click System Restore.
9. Click the link for Is this process reversible? and read the documentation. Close it when done.
10. Click Scan for affected programs. Close the dialog window after it shows the Excel application.
11. Click the Choose a different restore point radio button and click Next.
12. Choose the Pre_Application_Install restore point and click Next.
13. Click Finish and then Yes.
14. Verify that the Excel application has been removed but the C:\Temp\test100.txt file is still available after the reboot of the system.
15. Restart the system and boot into the original Windows 7 installation.
16. Login as Admin1 and create a Restore Point named Post_Lab3.


Labs Module 4: Identify and Resolve Logon Issues


Overview: Learn how to add a computer to a domain and use Administration Tools to manage domain accounts. Unless stated otherwise, use the Windows 7 client and domain controller images for this lab. Login as Admin1 with a password of Pa$$w0rd. References to COMPUTER1 mean that you should be using the first option in the Windows Boot Manager (Windows 7). References to VIRTUAL1 mean that you should be using the second option in the Windows Boot Manager (Windows 7 VHD). If the computer name for an exercise is not specified, use the default Windows 7 boot option (COMPUTER1). Note: All user accounts should be reconfigured to use local profiles at the end of this lab.

Estimated time to complete this lab is 60 minutes.

Exercise 1: Join the computer to the domain

1. Login to STUDENT1 as Admin1.
2. Click Start, Right click Computer and choose Properties.
3. Click Change settings.
4. Click Change and specify COMPUTER1 as the new computer name and Contoso.com as the domain.
5. Click OK and when asked for credentials, use Contoso\Admin1.
6. Reboot the computer for the changes to take effect. Login as COMPUTER1\Admin1.
7. Use the Computer Management console to add the Contoso\Classroom Administrators group to the local Administrators group. Logout and login again as Contoso\Admin1.
8. Login with your domain Admin1 account (Contoso\Admin1).

Exercise 2: Install Remote Server Administration Tools (RSAT)


1. From the Administrator: Command Prompt, run the command NET USE S: \\NYC-DC1\CLASSFILES to map the \\NYC-DC1\CLASSFILES share to the S: drive.
2. Install the RSAT by running the command S:\RSAT\amd64fre_GRMRSATX_MSU.msu.
3. Accept all default installation options to complete the setup.
4. Read the information in the help file about how to enable the tools.
5. Navigate to Control Panel > Programs > Programs and Features and click Turn Windows features on or off.
6. In the Windows Features window, use the check boxes to select ALL the Remote Server Administration Tools.
7. Click OK.
8. When the installation is complete, click Start > Administrative Tools to verify that the tools were installed.

Exercise 3: Test and Verify Domain User Account Properties


1. Logoff the computer and try logging on with your Contoso\User1 account. Note the error message.
2. Logon with your Contoso\Admin1 account.
3. Click Start > All Programs > Administrative Tools > Active Directory Users and Computers.
4. Navigate to Contoso > Classroom > Users and locate your Admin1 account.
5. Right click on the account and choose properties.

6. Use the Member Of and Account tabs to verify the groups the account belongs to, the logon hours, logon computers and the expiration date of your account. Close the properties window.
7. Right click the Classroom OU and choose New > Group.
8. Specify a group name of Classroom Users and verify that the group scope is Global and the group type is Security. Click OK.
9. Right click on the User1 account and choose Enable Account.
10. Use the properties of the User1 account to add it to the Classroom Users group and restrict its logon hours to Monday-Friday from 6:00AM-6:00PM.
11. Navigate to Contoso > Classroom > Contractors and locate your Contractor1 account.
12. Right click on the Contractor1 account and choose Enable Account.
13. Use the properties of the Contractor1 account to restrict its logon access to Computer1. (In the Account folder, click the Log On To button. In the Logon Workstations window, click The following computers and type Computer1 in the Computer name: box. Click Add then click OK. Close the properties window.)
14. Create a new user account in the Contoso > Classroom > Contractors OU named Temp1.
15. Give the account a password of Pa$$w0rd, prevent the user from changing the password, restrict the logon computer to Virtual1, restrict its logon hours to Monday-Friday from 6:00AM to 6:00PM and set the account to expire in 30 days.
16. Try changing the group membership of any user account outside of the Classroom OU.
17. Try creating an account in any OU outside of Classroom. You should not be successful since the Classroom Administrators group membership only gives you control of the Classroom OU.
18. On Computer1, try logging on with the domain accounts User1, Contractor1 and Temp1. Only the User1 and Contractor1 account logons should be successful.
19. On Virtual1, try logging on with the domain accounts User1, Contractor1 and Temp1. Only the User1 and Temp1 account logons should be successful.
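
The account restrictions set in this exercise (logon hours, logon workstations, expiry, password-change lock) can be read back from the directory in one pass instead of opening each account. The PowerShell below is an added example, not part of the courseware; it assumes the RSAT ActiveDirectory module is loaded and that the Classroom OU has the distinguished name OU=Classroom,DC=contoso,DC=com (an assumed DN), and Get-PermittedHourCount is a helper name chosen here.

```powershell
# Added example (not from the courseware). Assumes the RSAT ActiveDirectory
# module and an OU path of OU=Classroom,DC=contoso,DC=com (assumed DN).
Import-Module ActiveDirectory

function Get-PermittedHourCount {
    # logonHours holds 21 bytes = 168 bits, one bit per hour of the week,
    # stored in UTC. An empty attribute means no logon-hour restriction.
    param([byte[]]$LogonHours)
    if (-not $LogonHours) { return 168 }
    $count = 0
    foreach ($b in $LogonHours) {
        for ($bit = 0; $bit -lt 8; $bit++) {
            # Test each bit; Pow() is used so the code also runs on PowerShell 2.0
            if ($b -band [int][math]::Pow(2, $bit)) { $count++ }
        }
    }
    return $count
}

$props = 'logonHours', 'LogonWorkstations', 'AccountExpirationDate', 'CannotChangePassword'

Get-ADUser -Filter * -SearchBase 'OU=Classroom,DC=contoso,DC=com' -Properties $props |
    ForEach-Object {
        New-Object PSObject -Property @{
            Account         = $_.SamAccountName
            Enabled         = $_.Enabled
            # 168 = unrestricted; Monday-Friday 6:00AM-6:00PM = 12 h x 5 days = 60
            HoursPerWeek    = (Get-PermittedHourCount $_.logonHours)
            LogonTo         = $(if ($_.LogonWorkstations) { $_.LogonWorkstations } else { '(any)' })
            Expires         = $(if ($_.AccountExpirationDate) { $_.AccountExpirationDate } else { '(never)' })
            CannotChangePwd = $_.CannotChangePassword
        }
    } |
    Sort-Object Account |
    Format-Table Account, Enabled, HoursPerWeek, LogonTo, Expires, CannotChangePwd -AutoSize
```

The hour count does not depend on the time zone, so an account restricted as in steps 10 and 15 reports 60 whatever the offset between local time and UTC; an account that reports 168 hours, any workstation and no expiry carries none of the restrictions.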

Exercise 4: Assign a PowerShell Logoff Script (Deletes Files in the %TEMP% folder)
Note: Configure Windows Explorer to show all file extensions before starting this exercise. (From the menu bar (Alt + F) click Tools > Folder Options. In the View tab, uncheck the checkbox for Hide extensions for known file types.)

1. Login to VIRTUAL1 as Contoso\Admin1.
2. Use the Command-Prompt or Windows Explorer to map the S: drive to \\NYC-DC1\Classfiles.
3. Click Start. In the Search programs and files window, type Group Policy.
4. Click Edit Group Policy and navigate to User Configuration > Windows Settings > Scripts > Logoff.
5. Double click Logoff and in the Logoff Properties window, click the PowerShell Scripts tab.
6. Click Show Files. This opens a Windows Explorer window with a path of C:\WINDOWS\SYSTEM32\GROUPPOLICY\USER\SCRIPTS\LOGOFF. Keep this window open.
7. Use Notepad to open and examine the code in S:\MOD04\Logoff.ps1 file. Provide Administrator Credentials if required. Close Notepad.
8. Use Windows Explorer to go to the S:\MOD04 folder.
9. Copy the S:\MOD04\Logoff.ps1 file to the LOGOFF folder.
10. Close all Windows Explorer windows.
11. In the Logoff Properties window, click Add then click Browse.
12. Choose the logoff file and click Open.
13. Click OK twice to close the properties window.
14. In Local Group Policy Editor navigate to Computer Configuration > Administrative Templates > System > Scripts.
15. Change the properties of the Maximum wait time for Group Policy scripts setting to be Enabled and set the Seconds: box to be 60. Read the Help: section of this policy and click OK.
16. In Local Group Policy Editor navigate to User Configuration > Administrative Templates > System > Scripts.
17. Change the properties of the Run logoff scripts visible setting to be Enabled. Click OK.

18. Close Local Group Policy Editor.
19. Click Start, type %TEMP% and press Enter to see the files presently in the %TEMP% directory.
20. Logoff the computer and logon again with the same account. (The logoff process might take a few minutes.)
21. Verify that the files in the %TEMP% folder were deleted. A few files might still be left that were involved in active processes.
22. Use Local Group Policy Editor to remove the logoff script.

Exercise 5: Test a Roaming Profile (Optional)


1. Boot your Virtual1 machine and login as Contoso\Admin1.
2. Create a folder named Scripts on your desktop.
3. Copy the PS1 script from the \\NYC-DC1\CLASSFILES\MOD04 folder to the new Scripts folder.
4. Use the Personalization settings to change the Desktop Background to any solid color.
5. Click Start and then right click Computer. Click Show on Desktop.
6. Install the RSAT using the steps provided in Exercise 2.
7. Click Start > All Programs > Administrative Tools.
8. Right Click and drag Active Directory Users and Computers (ADUC).
9. Drag the icon to the desktop and use the prompted options to copy a shortcut on the Desktop.
10. Right click the ADUC icon on the desktop and choose properties.
11. In the Shortcut key box type the letter A. It should fill in the box with Ctrl + Alt + A. These shortcut keys can now be used to launch the tool.
12. Click Advanced.
13. Check the box for Run as administrator and click OK.
14. Click OK.
15. Run ADUC with the Contoso\Administrator credentials.
16. Open the properties window of your Admin1 account.
17. In the Profile tab, change the Profile path to \\NYC-DC1\USERS\%USERNAME%. Click Apply. Click OK.
18. Close ADUC.
19. Logoff and logon again as Admin1. Do this step twice.
20. Boot your Computer1 machine and login as Contoso\Administrator.
21. Open the System Properties window and go to the Advanced tab. Under the User Profiles section, click the Settings button.
22. Delete the local profile for Contoso\Admin1.
23. Close System Properties and logout.
24. Login as Contoso\Admin1.
25. Verify that the profile configurations you made on Virtual1 are still available. (Note: Remember that the roaming profile is only updated when you logoff.)

Exercise 6: Test a Mandatory Profile (Optional)


1. Login to COMPUTER1 as Admin1.
2. Use ADUC to change the Logon Hours of Contractor1 so he can login at any time.
3. In the properties of the Contractor1 account, use the Profile tab to change the Profile path to \\NYC-DC1\USERS\%USERNAME%.
4. Close ADUC and logoff.
5. Login as Contoso\Contractor1.
6. Click Start, right click Computer and choose Show on Desktop.
7. Change the Desktop Background to a solid color and create a new text document on the desktop.
8. Logoff and logon with the Contractor1 account twice.
9. Login as Contoso\Admin1.
10. Use Windows Explorer to navigate to the C:\USERS\Contractor1 folder. Use Administrator Credentials if required.

11. Press Alt + F to show the menu bar and go to Tools > Folder Options.
12. In the Folder Options window, go to the View tab and enable the following options:
    - Always show menus
    - Show hidden files, folders, and drives
13. In the same tab as the previous step, disable the following options:
    - Hide empty drives in the Computer folder
    - Hide extensions for known file types
    - Hide protected operating system files
14. Click OK.
15. In the \\NYC-DC1\USERS\Contractor1.v2 folder, rename NTUSER.DAT to NTUSER.MAN.
16. Log on with the Contractor1 account. Create a text file on the desktop and change the background to a different color.
17. Logoff and on again with the Contractor1 account to verify that changes to the profile are NOT being saved.

Note: Before starting the next lab, login to Computer1 as Contoso\Administrator and use the ADUC to remove all the roaming profile configurations for the user accounts. Also, use the Hyper-V menu options to map the DVD drive to C:\Labfiles\50331D-ENU_Classfiles.iso and execute update1.cmd from the G: drive. Verify that the Admin1 and User1 domain accounts can login without problems after these changes.


Labs Module 5: Identify and Resolve Network Connectivity Issues


Objective: Use command-line and GUI tools to troubleshoot and fix network configuration and connectivity problems. Unless stated otherwise, start up the Windows 7 client and domain controller images for this lab. Login with the Contoso\Admin1 account using a password of Pa$$w0rd. References to COMPUTER1 mean that you should be using the first option in the Windows Boot Manager (Windows 7). References to VIRTUAL1 mean that you should be using the second option in the Windows Boot Manager (Windows 7 VHD). If the computer name for an exercise is not specified, use the default Windows 7 boot option (COMPUTER1).

Note: Only command-line tools can be used to fix the problems in Exercise 1. GUI or command-line tools can be used to solve problems presented in Exercise 2. At the beginning of each exercise, verify that the Windows Firewall service is running. If you have not already done so, use the Hyper-V menu options to map the DVD drive to C:\Labfiles\50331D-ENU_Classfiles.iso and execute update1.cmd from the G: drive.

Estimated time to complete this lab is 90 minutes.

Exercise 1: Use command-line tools to identify and solve network problems.

Note: Take advantage of the information in Lesson 7 about the function of different command-line tools. Use the help option (/?) to find the correct parameter to use in each case. Before starting this exercise, create a System Restore point named Pre_Lab5A.

1. What is the MAC address of the network adapter on NYC-DC1?
2. What edition of Windows 7 is installed on your computer?
3. How could you map the Users share on NYC-DC1 to the U: drive?
4. On what port numbers does your machine have active connections?
5. What visible network shares are now available on NYC-DC1?
6. What visible and invisible shares are available on your system?
7. What are the names or IP addresses of computers connected to shares on your system?
8. How can you list the IP & MAC addresses of computers you have recently communicated with?
9. How can you register the IP address with the primary DNS server?
10. How can you get the description of an operating system error number?
11. How can you verify that the DNS server has the correct IP address for your computer?
12. Which computer names are presently in your DNS cache?
13. Which computer names are presently in your netbios cache?

14. How can you verify that NYC-DC1 is using the netbios protocol?
15. What command can you use to verify that your computer has a valid connection to the domain?
16. How can you verify what server is presently acting as your Time Server?
17. What command will show the routing table of your computer?
18. What command will list the IP address or name of routers used to connect to a remote system?
19. How can you display all the records in the Contoso zone?
20. What command will list all the domain controllers in your domain?
21. What command will allow you to assign a static IP address to the NIC?
22. What command will allow you to change the IP configuration from static to dhcp?
23. How can you disable Windows Firewall?
24. What command will create a rule that prevents Telnet.exe from creating outbound connections?
25. What command will delete an existing firewall rule named FTP Application?

Exercise 2: Fix Connectivity Problems


The script files used in this exercise should not be examined until after the problem they create is solved. The solutions can be attained with the help of GUI or command-line tools. Run each script with elevated privileges.

1. Create a System Restore point named Pre_Lab5B.
2. Copy the scripts in the \\NYC-DC1\CLASSFILES\MOD05 folder to E:\Temp\MOD05.
3. Run E:\Temp\MOD05\Problem1.cmd script from Windows Explorer as an administrator.
4. The scripts will create connectivity problems to or from the Windows 7 client in one of the following areas:
   - Ping and other ICMP traffic will be interrupted
   - Name resolution will not work properly or perform very slowly
   - Local or Network shares will not be available
   - Network routing or domain authentication will be non-functional
5. Find the problem created by the script and come up with a solution to fix the problem. If the system reboots, login again as Admin1.
6. Close all active network connections. Perform the steps above for the next ProblemX script.


Labs Module 6: Identify and Resolve Name Resolution Issues


Overview: Troubleshoot name resolution problems caused by issues with DNS, Hosts file or NetBIOS configuration. Unless stated otherwise, startup the Windows 7 client and the domain controller images. Login with the Contoso\Admin1 user account with a password of Pa$$w0rd. References to COMPUTER1 mean that you should be using the first option in the Windows Boot Manager (Windows 7). References to VIRTUAL1 mean that you should be using the second option in the Windows Boot Manager (Windows 7 VHD). If the computer name for an exercise is not specified, use the default Windows 7 boot option (COMPUTER1).

Estimated time to complete this lab is 60 minutes.

Exercise 1: Configure and Test DNS Resolution

1. Logon to COMPUTER1 as Contoso\Admin1.
2. Create a System Restore point named Pre_Lab6.
3. Click Start > Administrative Tools > DNS. When asked, connect to the DNS server on NYC-DC1.
4. In the DNS Manager, go to Forward Lookup Zones > contoso.com. Right click contoso.com and choose Properties.
5. In the General tab, change the Dynamic Updates option to None. Click OK.
6. Delete all <A> records from the zone.
7. Use the Services console to stop the Computer Browser service and disable it.
8. Use the network adapter properties to disable IPv6.
9. Use the network adapter properties to open the properties of IPv4. In the Internet Protocol Version 4 properties window, click Advanced and in the WINS tab click Disable NetBIOS over TCP/IP.
10. Restart the computer and login again as Admin1.
11. Open the Local Group Policy Editor. Navigate to: Computer Configuration > Administrative Templates > Network > DNS Client.
12. Double click Turn off Multicast Name Resolution. In the properties window, click Enabled then click OK.
13. Close the Group Policy Editor.
14. Run the following Ping commands to verify that IP resolution works but remote computer name resolution fails without DNS:
    Ping -a <Local IP>
    Ping 192.168.20.100
    Ping -4 COMPUTER1
    Ping -4 TestCOMPUTER1
15. Click Start > All Programs > Administrative Tools > DNS.
16. In the Connect to DNS Server console, click The following computer: and type NYC-DC1. Click OK.
17. In the Forward Lookup Zones folder, open the Contoso.com zone. Right click the contoso.com zone and choose New Host.
18. In the New Host window, in the Name box type COMPUTER1. In the IP address box type your IP address.
19. Click the check box for Create associated pointer (PTR) record.
20. Click the check box for Allow any authenticated user to update DNS records.
21. Click Add Host.
22. Use the previous steps to add another New Host named TestCOMPUTER1 with an IP address of 169.254.1.1.
23. Keep the DNS Manager window open.
24. Ping Computer1 and TestComputer1 using the -4 parameter (e.g. Ping -4 Computer1). The IP addresses of both records will be resolved, but TestCOMPUTER1 will not get ICMP replies because the address does not exist.
25. In the DNS Manager window, right click on the contoso.com zone and click New Alias.
26. In the Alias name box type VIRTUAL1.
27. In the Fully qualified domain name (FQDN) for target host: box type Computer1.contoso.com. Click OK.
28. Ping the new Alias to test the record (e.g. ping VIRTUAL1). It should resolve to the IP address of COMPUTER1.
29. Run the following command to add another alias record for COMPUTER1 named Machine1:
    Dnscmd.exe NYC-DC1 /RecordAdd Contoso.com Machine1 CNAME COMPUTER1.contoso.com
30. Test the new alias record with the command: Ping Machine1
31. Add an alias record for TestCOMPUTER1 named TestVIRTUAL1 using DNS Manager.
32. Add an alias record for TestCOMPUTER1 named TestMachine1 using dnscmd.exe.
33. Test both alias records for TestCOMPUTER1.

Exercise 2: Configure and Test Hosts File Resolution


1. Change the network adapter properties to use a static DNS address of 127.0.0.1.
2. Flush the DNS cache (ipconfig /flushdns).
3. Try to ping the IP address 192.168.10.100 (NYC-DC1). You should be successful.
4. Try to ping the computer name TestCOMPUTER1. It should not be successful.
5. Use Windows Explorer to locate the Hosts file in the C:\WINDOWS\SYSTEM32\DRIVERS\ETC directory.
6. Make a copy of the Hosts file named Hosts.old and place it in the same directory.
7. Open the Hosts file in Notepad and add the following records:
    192.168.10.100 NYC-DC1 NYC-DC1-Alias
    192.168.10.110 NYC-Remote1 NYC-Remote1-Alias
    192.168.10.240 COMPUTER1 VIRTUAL1 TestCOMPUTER1
8. Save the file and keep it open in Notepad. Verify that the file does not have an extension (e.g. hosts.txt).
9. Run ipconfig /displaydns to view the DNS cache.
10. Ping NYC-Remote1 and its alias to verify the records are being used.
11. In Notepad, add an additional record:
    192.168.10.202 Computer2 Virtual2
12. Save the Hosts file and close it.
13. Use the ping command to verify that the new records work.
14. Copy the Hosts file with the name Hosts.new.
15. Replace the Hosts file with the original Hosts.old file.
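
Because Hosts entries are answered before the DNS server is queried, comparing the live file against a known-good copy such as Hosts.old shows exactly which names have been overridden. The PowerShell below is an added example, not part of the courseware; ConvertFrom-HostsText is a helper name chosen here, and the two here-strings are constructed sample data modelled on the records from steps 7 and 11.

```powershell
# Added example (not from the courseware). Parses Hosts-file text into
# one object per name, then reports records present only in the current file.
function ConvertFrom-HostsText {
    param([string]$Text)
    foreach ($line in ($Text -split '\r?\n')) {
        $entry = ($line -replace '#.*$', '').Trim()    # drop comments and padding
        if (-not $entry) { continue }                  # blank or comment-only line
        $fields = $entry -split '\s+'
        if ($fields.Count -lt 2) { continue }          # address with no host name
        # One address may carry several names (aliases); emit one record each
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            New-Object PSObject -Property @{
                Name    = $name.ToLower()              # host names are case-insensitive
                Address = $fields[0]
            }
        }
    }
}

# Constructed sample standing in for Hosts.old (the saved baseline)
$baseline = @'
# Copy of the Hosts file taken in step 6
127.0.0.1       localhost
'@

# Constructed sample standing in for Hosts after steps 7 and 11
$current = @'
127.0.0.1       localhost
192.168.10.100  NYC-DC1 NYC-DC1-Alias
192.168.10.110  NYC-Remote1 NYC-Remote1-Alias      # alias on the same line
192.168.10.240  COMPUTER1 VIRTUAL1 TestCOMPUTER1
192.168.10.202  Computer2 Virtual2
'@

$old = @(ConvertFrom-HostsText $baseline)
$new = @(ConvertFrom-HostsText $current)

# '=>' marks name/address pairs that exist only in the current file
Compare-Object -ReferenceObject $old -DifferenceObject $new -Property Name, Address |
    Where-Object { $_.SideIndicator -eq '=>' } |
    Sort-Object Address, Name |
    Format-Table Name, Address -AutoSize
```

To check the real files, pass their contents instead of the samples, for example `ConvertFrom-HostsText ((Get-Content C:\WINDOWS\SYSTEM32\DRIVERS\ETC\Hosts) -join "`n")`. In this lab the output includes testcomputer1 at 192.168.10.240, a name whose DNS record from Exercise 1 points to 169.254.1.1.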

Exercise 3: Configure and Test NetBIOS Resolution


1. Flush the DNS cache.
2. Verify that you are unable to resolve the names of remote systems (NYC-DC1).
3. Enable NetBIOS by using the Network Adapter TCP/IP properties.
4. Verify that you are now able to resolve remote names.

Exercise 4: Cleanup

1. Configure the NIC to get DNS server information via DHCP.
2. Enable IPv6 and NETBIOS.
3. Enable Multicast Name Resolution.
4. Configure the DNS zones for non-secure dynamic updates.
5. Delete static client computer records in the contoso.com DNS zone.


Labs Module 7: Identify and Resolve Network Printer Issues


Overview: Configure and test different printer configurations. Unless stated otherwise, startup the Windows 7 client and the domain controller images. Login with the Contoso\Admin1 user account with a password of Pa$$w0rd. References to COMPUTER1 mean that you should be using the first option in the Windows Boot Manager (Windows 7). References to VIRTUAL1 mean that you should be using the second option in the Windows Boot Manager (Windows 7 VHD). If the computer name for an exercise is not specified, use the default Windows 7 boot option (COMPUTER1).

Estimated time to complete this lab is 30 minutes.

Exercise 1: Install Local and Network Printers

Note: If the specified printer driver is not available, choose any other available HP LaserJet 2000 or 4000 series driver.

1. Login to COMPUTER1 as Contoso\Admin1.
2. Create a System Restore point named Pre_Lab7.
3. Click Start > Devices and Printers then Add a printer.
4. In the Add Printer window, click Add a local printer.
5. Choose Use an existing port: and then highlight LPT1. Click Next.
6. Choose HP as the manufacturer and HP LaserJet P2015 as the Printer. Click Next.
7. In the Printer name box type HPLJ2015. Click Next.
8. In the Share name box type HPLJ2015. Click Next.
9. Click Finish.
10. Confirm that the printer was created and it is your default printer.
11. Right click on the printer and click Open.
12. Double Click Customize your printer.
13. In the Printer Properties window, in the General tab, change the Location: to Office/Classroom.
14. Go to the Sharing tab.
15. Uncheck the option to Render print jobs on client computers.
16. Check the option to List in the directory.
17. Click Additional Drivers. Note the option to automatically make additional drivers available for other platforms. Click Cancel.
18. Click the Advanced tab.
19. Click the Available from button. Change the hours to show 8:00PM to 6:00AM.
20. Click the Start printing after last page is spooled button.
21. Click the Separator Page button and type C:\Windows\System32\pscript.sep. Click OK.
22. Click the Security tab.
23. Give the domain Classroom Administrators group the Manage documents permission only. They should not have the Print or Manage this printer permissions.
24. Click the General tab.
25. Click the Print Test Page button. In the test page window, click Close.
26. Click Close to close the Printer Properties window.
27. Click the See what's printing option. Highlight and delete the Test Page print job. Close the Printer window.
28. Click Start > Devices and Printers then Add a printer.
29. In the Add Printer window, click Add a Network printer.
30. Click The printer I want isn't listed.
31. Click Find a printer in the directory then click Next.
32. In the Find Printers window, you will see a list of all printers published in Active Directory. Click HPLJ1015 then click OK. Click Next. (If HPLJ1015 does not appear in the list, click Clear All and do a search for it by name.)

33. Uncheck the box for Set as the default printer. Click Finish.
34. Perform the steps above to add another network printer named HPLJ1015_HR.

Exercise 2: Create and Use a Separator Page (Optional)


1. Click Start > All Programs > Accessories.
2. Right Click Notepad and choose Run as Administrator.
3. Add the following five lines to the new text file:
    \
    \U
    \D
    \T
    \E
4. Here's the meaning of each line in the separator file:
    \ - This is the escape character used in the rest of the file. It could be any other character like $ or @.
    \U - This is the user name of the person who printed the document.
    \D - The date the job was printed.
    \T - The time the job was printed.
    \E - The End of the separator page.
5. Save the file with a name and path of C:\WINDOWS\SYSTEM32\printer.sep. Close Notepad.
6. Open the Properties window of your default printer.
7. Open the Advanced tab and click Separator Page.
8. Browse to C:\WINDOWS\System32.
9. Note the other files with an SEP extension besides the one just created.
10. Choose printer.sep and click Open then OK.
11. Click OK to save the changes and close the printer properties window.
12. Note: The C:\WINDOWS\SYSTEM32\PSCRIPT.SEP separator file can be used to switch a printer to PostScript printing mode without including a separator page. To include a separator page and switch to postscript mode, use SYSPRINT.SEP.

Exercise 3: Configure Printer Redirection and a Printer Pool


1. Open the Properties window of the HPLJ1015_HR printer and use the button on the General tab to Print Test Page. The print job will be stuck in the queue.
2. Click the Ports tab.
3. Click Add Port.
4. In the Printer Ports window, click Local Port then click New Port.
5. In the Enter a port name: box, type \\NYC-DC1\HPLJ1015.
6. Click OK then click Close. Notice the new \\NYC-DC1\HPLJ1015 port in the list. Click Close.
7. Check the queue on HPLJ1015 to verify that the print job has been redirected to that device.
8. Open the properties of the network printer HPLJ1015 and go to the Ports tab.
9. Click the Enable printer pooling check box.
10. You are now able to highlight multiple ports. Click LPT1 and LPT2. Jobs will now be sent to the first available port. Both printers must use compatible drivers.

Exercise 4: Move the Print Spooler Directory


1. Click Start > Administrative Tools > Services. Restart the Print Spooler service.
2. Verify that jobs in the default printer's queue (HPLJ2015) have been removed. If the jobs are still there, stop the Print Spooler service, go to the C:\Windows\System32\Spool\Printers folder and manually delete all files, then restart the Print Spooler service.
3. Create a folder named E:\PRINTERS.
4. Open the Print Server Properties window.
5. Click the Advanced tab and click Change Advanced Settings. Note the default location of the print spooler.
6. In the Spool folder: box, type E:\PRINTERS.
7. Click OK.
8. Read the warning message and click Yes.
9. Open Windows Explorer to E:\PRINTERS and the HPLJ2015 Properties windows side by side.
10. Click the Print Test Page button a few times and verify that the jobs are being sent to the E:\PRINTERS folder.


Labs Module 8: Identify and Resolve Performance Issues


Overview: Use Built-in Windows tools to diagnose and fix network, disk and memory problems. Unless stated otherwise, startup the Windows 7 client and the domain controller images. Login with the Contoso\Admin1 user account with a password of Pa$$w0rd. References to COMPUTER1 mean that you should be using the first option in the Windows Boot Manager (Windows 7). References to VIRTUAL1 mean that you should be using the second option in the Windows Boot Manager (Windows 7 VHD). If the computer name for an exercise is not specified, use the default Windows 7 boot option (COMPUTER1).

Estimated time to complete this lab is 45 minutes.

Exercise 1: Schedule and Perform a Disk Defragmentation

1. Open the System Properties window, click the Remote tab and enable Allow connections from computers running any version of Remote Desktop. Click OK. (If prompted for credentials, verify that you are logged in as Contoso\Admin1 and that the account has local administrator privileges. [Module 4, Exercise 1]) Create a System Restore point named Pre_Lab8 Click Start > All Programs > Accessories > System Tools > Disk Defragmenter. In Disk Defragmenter click Configure schedule. Change the details of the schedule to be weekly, on Sunday at 6:00PM for the C: drive only. Click OK. Highlight the C: drive and click Defragment disk. Do the same for the D: and E: drives. Do not wait for the defragmentation to complete. Immediately proceed to the following steps. Map the S: drive to the \\NYC-DC1\CLASSFILES share. Verify that Disk Defragmenter does not allow you to work on the S: drive (non-local disk) Login to NYC-DC1 as Contoso\Administrator and enable Remote Desktop using the instructions in the first step of this exercise. On Computer1, click Start > All Programs > Accessories > Remote Desktop Connection. Login to NYC-DC1 using Contoso\Administrator credentials. Defragment the C: drive on NYC-DC1 using the Disk Defragmenter. Do not wait for the defragmentation process to end. Disconnect the Remote Desktop and continue to the next exercise.
Note: Remote defragmentation can also be accomplished with PowerShell scripts using the win32_volume defrag method. Example:
a. $c=gwmi win32_volume -computer nyc-dc1 -filter 'driveletter="c:"'
b. $c.defrag($true)

2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14.

Exercise 2: Using Task Manager


1. Open the Windows Task Manager.
2. Go to the Applications tab.
3. Open the Control Panel, Windows Explorer, Notepad and Internet Explorer.
4. Go back to the Task Manager and notice the newly started applications and their Status.
5. In the menu bar click Options > Always on Top.
6. Notice the behavior of any application when you try to bring it to the front.
7. Go to the Processes tab.
8. Click on the Memory column to sort the processes in order of memory used.
9. Right click on explorer.exe and notice the different options available.
10. Click UAC Virtualization and read the message box provided. (This option is often used on Terminal Servers where multiple people use the same programs, but it should be tested thoroughly first).


11. Click Cancel.
12. Right click on iexplore.exe then click Set Priority. (The Below Normal option is sometimes used for unimportant background applications or processes. Above Normal is used for important applications. The other settings should not normally be used.)
13. Right click iexplore.exe and then End Process Tree.
14. Read the message box provided and click End process tree.
15. Click the Show processes from all users button.
16. Press Ctrl + Alt + Delete and choose Switch User.
17. Login as Computer1\User1 and open the Control Panel, Windows Explorer, Notepad and Internet Explorer.
18. Switch User account back to Admin1 and go back to Task Manager.
19. Find the applications launched by User1 by sorting the Processes tab by the User Name column.
20. Close the Notepad and Windows Explorer applications opened by User1 by ending their processes.
21. Click the Services tab.
22. Notice the Services button in the lower right hand corner for opening the Services console.
23. Sort the Services alphabetically by clicking the Name column.
24. Right click the Spooler service and click Go to Process. You are back in the Processes tab with the spoolsv.exe file highlighted.
25. In the Services tab make a note of the Process ID (PID) of the Spooler service. (If the PID column is not visible, add it by using the View > Select Columns option on the menu bar.)
26. Stop and restart the Spooler service. Note the new PID number. (Note: This is an easy way to verify if a process or service has been restarted.)
27. Click the Performance tab.
28. Notice the Processor and Memory information. Make a note of the number of processes running and the up time of the machine. Notice the Resource Monitor button.
29. Click the Users tab.
30. Note the status of both logged on accounts.
31. Use the Send Message button to send a message of Please Logoff the System this evening. to User1.
32. Right click User1 and click Connect. Provide the User1 password and press OK.
33. Verify that the message from Admin1 was sent successfully.
34. Open Task Manager and click the Users tab. Right click Admin1 and click Connect. Provide the Admin1 password and press OK. Make a note of the error message.
35. Use the Start Menu options to switch to the Admin1 user account login.
36. In the Users tab of the Windows Task Manager, use the Logoff button to log off User1.
37. Close Task Manager.

Exercise 3: Using Resource Monitor


1. Verify that at least one instance of Notepad, Internet Explorer, Windows Explorer and the Control Panel is open.
2. Click Start and in the Search programs and files box type Resource Monitor. Press Enter.
3. In the Overview tab, click on the grey bars for CPU, Disk, Network & Memory to view detailed information about how each of these resources is being used.
4. On the menu bar, click Monitor > Stop Monitoring and notice that the displays are static.
5. On the menu bar, click Monitor > Start Monitoring and notice that the displays are being updated again.
6. Click the Memory column and sort the processes by Working Set in descending order.
7. From the Physical Memory bar, decipher how much RAM is in use and how much is available for new applications. Hardware reserved memory is used by devices like video cards on the system.
8. Click the CPU tab.
9. Sort the Processes table by CPU usage.
10. Sort the Services table by CPU usage.
11. In the Processes table, right click explorer.exe and choose Analyze Wait Chain.
12. If the application is running normally, then it is not waiting on other processes. This feature can be used to troubleshoot unresponsive programs.


13. In the Processes table, right click iexplore.exe and choose Suspend Process. Note the effect on the CPU usage and on the application itself (it frees up resources without forcing you to end an application).
14. Right click iexplore.exe and choose Resume Process.
15. In the Services table, locate and stop the Spooler service. Verify that you are unable to see or add new printers. Restart the Spooler service.
16. In the Services table, try to locate the Server and Workstation services.
17. Use the Services Window to stop the Server and Workstation services. Note the effect on your ability to share local folders and your ability to connect to network shares.
18. Restart the Server and Workstation services and close the Services window.
19. In the Resource Monitor, click the Disk tab.
20. In the Processes with Disk Activity table, sort by Read (B/sec) to find the process that is performing the most read operations on your disk.
21. Right click the process and notice the option to Search Online for more information about that process.
22. Click the Network tab.
23. Use the Network Activity table to find the names of the network computers you are communicating with and locate the system that you have sent the most data to. If there is no activity, copy files from the S: drive to the local C:\Temp folder to generate some activity.
24. Use the TCP Connections table to see the local IP and Port data for connections. Notice that you can also see the IP and Port information of the remote computer. You can also verify if there are packet losses when communicating with an application.
25. Use the Listening Ports table to verify what ports your computer is listening on, the protocol being used and the firewall status.
26. Close Resource Monitor.

Exercise 4: Configure a Warning Message When a Service Stops (Optional)


1. Use the Command Prompt to go to the folder C:\WINDOWS\SYSTEM32. (Run as Administrator)
2. Copy the PRINT_SPOOLER_EVENT.CMD file from the server using the following command: XCOPY \\NYC-DC1\CLASSFILES\MOD08\PRINT_SPOOLER_EVENT.CMD C:\WINDOWS\SYSTEM32
3. Use Notepad to examine the file without making any changes to it. (Note: You can use the EVENTCREATE.EXE /? command to understand the command options.)
4. Stop the Print Spooler service by running the command: net stop spooler
5. Run the command print_spooler_event.cmd
6. Use the Event Viewer to verify that a new Warning message has been created in the System Log with a Source of Print Spooler (Event Viewer > Windows Log > System).
7. Right click the Print Spooler message in Event Viewer and choose Attach Task To This Event
8. In the Create a Basic Task Wizard window, click Next.
9. Click Next again to open the Action window.
10. Click Display a message and click Next.
11. In the Title box type Print Spooler Error.
12. In the Message box type The Print Spooler service has stopped!. Click Next.
13. Check the box for: Open the Properties dialog and then Finish.
14. In the Properties window, check Run with highest privileges and click OK.
15. In the System Log, find any event with an ID of 7036 (Generated when a service is stopped or started.).
16. Right click on that event and choose Attach Task To This Event.
17. Click Next twice to get to the Action page.
18. Choose the radio button for Start a program and click Next.
19. In the Program/script: box, type the path: C:\WINDOWS\SYSTEM32\PRINT_SPOOLER_EVENT.CMD. Click Next.
20. Check the box for: Open the Properties dialog and then Finish.
21. In the Properties window, check Run with highest privileges and click OK.
22. Open the Services console and verify that the Print Spooler service is running.
23. Stop and then Start the Print Spooler service to verify that the message box does appear.


24. Click Start > Task Scheduler and press Enter.
25. In the Task Scheduler Library > Event Viewer Tasks folder, disable the two tasks that were just created.
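
This exercise attaches PRINT_SPOOLER_EVENT.CMD to event 7036, which is written for any service that starts or stops, and runs it with highest privileges. The PowerShell below is an added example, not part of the courseware: it narrows the match to the Print Spooler entering the stopped state and lists any non-administrative account that can modify the script the task launches. The function names and the English strings 'Print Spooler' and 'stopped' are assumptions.

```powershell
# Added example (not from the courseware). Assumes an English-language system,
# where event 7036 carries the service display name in param1 and the new
# state ("running" / "stopped") in param2.

function Get-ServiceStopEvent {
    param(
        [string]$DisplayName = 'Print Spooler',
        [int]$MaxEvents = 20
    )
    # Match only 7036 events from the Service Control Manager for one service
    # entering the stopped state, instead of every service start or stop.
    $xpath = "*[System[Provider[@Name='Service Control Manager'] and (EventID=7036)]]" +
             " and *[EventData[Data[@Name='param1']='$DisplayName'" +
             " and Data[@Name='param2']='stopped']]"

    # Get-WinEvent raises an error when nothing matches, so suppress it and
    # return an empty result instead.
    Get-WinEvent -LogName System -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
            @{ Name = 'Service'; Expression = { $_.Properties[0].Value } },
            @{ Name = 'State';   Expression = { $_.Properties[1].Value } }
}

function Get-NonAdminWriteAccess {
    # A script started by a task with highest privileges should be changeable
    # only by administrative principals. This lists every other Allow entry
    # that grants some form of write or ownership right on the file.
    param([string]$Path = 'C:\WINDOWS\SYSTEM32\PRINT_SPOOLER_EVENT.CMD')

    $trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
    $write = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($trusted -notcontains $_.IdentityReference.Value) -and
        (([int]$_.FileSystemRights -band [int]$write) -ne 0)
    } | Select-Object IdentityReference, FileSystemRights
}

# Recent Print Spooler stops, newest first.
Get-ServiceStopEvent | Format-Table -AutoSize

# No output means only SYSTEM, Administrators and TrustedInstaller can change the script.
Get-NonAdminWriteAccess
```

The same XPath string can be used in the XML query of a custom event filter, so that a task attached to it fires only when this one service stops.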


Labs Module 9: Identify and Resolve Hardware Failure Issues


Overview: Use built-in Windows tools to log and fix disk and memory problems. Unless stated otherwise, start up the Windows 7 client and the domain controller images. Login with the Contoso\Admin1 user account with a password of Pa$$w0rd. References to COMPUTER1 mean that you should be using the first option in the Windows Boot Manager (Windows 7). References to VIRTUAL1 mean that you should be using the second option in the Windows Boot Manager (Windows 7 VHD). If the computer name for an exercise is not specified, use the default Windows 7 boot option (COMPUTER1).

Estimated time to complete this lab is 45 minutes.

Exercise 1: Use the Windows Memory Diagnostics Tool

(Note: If you need to save additional time, perform this exercise on NYC-DC1 and proceed immediately to Exercise 2 on Computer1)
1. Login to COMPUTER1 as Contoso\Admin1.
2. Click Start and in the Search programs and files box, type Windows Memory Diagnostic. Press Enter.
3. In the Windows Memory Diagnostic window, click Restart now and check for problems
4. After the reboot, the Windows Memory Diagnostic Tool window will start testing the memory and provide the current test status. If the test takes longer than 30 minutes, press ESC to exit. Inform the instructor if this happens.
5. When the system restarts, login as Contoso\Admin1.

Exercise 2: Fix Hard Disk Errors


1. Open a Command Prompt window.
2. Run the command: chkdsk /? and examine the options available with this tool.
3. Exit the Command Prompt.
4. Click Start > Computer.
5. Right click on the E: drive and click Properties.
6. In the Tools tab, click Check Now.
7. In the Check Disk box, check the options to automatically fix file system errors & to recover bad sectors.
8. Click Start.
9. In the dialog box, click Schedule disk check.
10. Restart the computer and verify that it performs a scan of the disk.
11. If the disk scan was cancelled during the reboot, open an Administrator: Command Prompt to run the command chkntfs /t:0 and repeat the steps in this exercise.

Exercise 3: Use the Reliability Monitor


1. Click Start and in the Search programs and files box, type Reliability History. Press Enter.
2. In the Reliability Monitor, click View by: Days.
3. Make a note of the current stability index (1-10 with ten being the most stable)
4. Note the kind of events that will have an effect on the stability index.
5. Make a note of the last time there was an Application failure, Windows failure, Miscellaneous failure or Warning.
6. Click on the bar representing any day where any of such errors occurred and note the information shown at the bottom of the window in the Reliability details section.
7. In the Reliability details section under the Action column, click on View technical details for any of the error messages.
8. Close the Reliability Monitor

Exercise 4: Use Event Viewer to find Hardware Information (Optional)


1. Open the Event Viewer and go to the Application Log.
2. Find the latest events with a Source of Wininit.
3. One of them will have the details of the chkdsk operation completed earlier.
4. Go to Applications and Services Logs > Microsoft > Windows > MemoryDiagnostics-Results
5. Open the Debug log to view the report for the Memory diagnostic completed earlier.
6. Go to Applications and Services Logs > Microsoft > Windows > Reliability-Analysis-Engine.
7. Open the Operational log to view the calculated stability index assigned over the last few days.
8. Close the Event Viewer.


Labs Module 11: Identify and Resolve Remote Access Issues


Overview: Configure ADUC to allow Remote Access configuration of domain accounts. Create a VPN connection. Unless stated otherwise, start up the Windows 7 client and the domain controller images. Login with the Contoso\Administrator user account with a password of Pa$$w0rd. References to COMPUTER1 mean that you should be using the first option in the Windows Boot Manager (Windows 7). References to VIRTUAL1 mean that you should be using the second option in the Windows Boot Manager (Windows 7 VHD). If the computer name for an exercise is not specified, use the default Windows 7 boot option (COMPUTER1).

Estimated time to complete this lab is 30 minutes.

Exercise 1A: Update the Active Directory Users and Computers snap-in installed from the RSAT

1. Open Active Directory Users and Computers.
2. In the properties window for the Admin1 user account, try to locate the Dial-In folder.
3. Close the ADUC tool. Note: The original RSAT version of this tool does not contain the Dial-in folder used to see and configure Dial-in settings for domain users. Perform the following steps to add it. If it is already there, skip the following steps and continue to Exercise 1B.
4. Copy the following files from NYC-DC1 to the corresponding location on Computer1 (You can also do this by opening a Command Prompt as Contoso\Administrator and running the script: \\nyc-dc1\classfiles\mod11\aduc_update.cmd).
   %windir%\system32\mprsnap.dll
   %windir%\system32\rasuser.dll
   %windir%\system32\rtrfiltr.dll
   %windir%\system32\en-us\mprsnap.dll.mui
   %windir%\system32\en-us\rasuser.dll.mui
   %windir%\system32\en-us\rtrfiltr.dll.mui
5. Run the following command to register the Rasuser.dll file on Computer1: regsvr32.exe %windir%\system32\rasuser.dll
6. Open the properties window of the Admin1 user account in ADUC to verify that you can now see the Dial-in folder.

Exercise 1B: Verify VPN/Dial-in permissions for user accounts


1. Use the ADUC to access the properties of the Admin1 account using Contoso\Administrator credentials.
2. In the Dial-in folder verify that the Network Access Permission is set to Allow access, then click OK.
3. Perform the same check for the User1 account and verify that the Network Access Permission has been set to Deny access. (The user account should be enabled).
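
The Network Access Permission shown on the Dial-in tab is stored in the user's msNPAllowDialin attribute, so the check in Exercise 1B can be run across all accounts instead of one properties window at a time. The PowerShell below is an added example, not part of the courseware; it assumes the ActiveDirectory module from RSAT is installed and that a domain controller answers its queries, and the function name is hypothetical.

```powershell
# Added example (not from the courseware). Assumes the ActiveDirectory module
# from RSAT is available and a domain controller accepts its queries.
Import-Module ActiveDirectory

function Get-DialInPermission {
    # Optional OU distinguished name; the whole domain is searched if omitted.
    param([string]$SearchBase)

    $query = @{ Filter = '*'; Properties = 'msNPAllowDialin' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query | ForEach-Object {
        # msNPAllowDialin: TRUE = Allow access, FALSE = Deny access,
        # not set = decided by the NPS network policy.
        $value = $_.msNPAllowDialin
        if ($value -eq $true)      { $permission = 'Allow access' }
        elseif ($value -eq $false) { $permission = 'Deny access' }
        else                       { $permission = 'Control access through NPS Network Policy' }

        # An explicit Allow on a disabled account is stale configuration:
        # remote access returns as soon as the account is re-enabled.
        $review = ($permission -eq 'Allow access') -and (-not $_.Enabled)

        New-Object PSObject -Property @{
            SamAccountName = $_.SamAccountName
            Enabled        = $_.Enabled
            Permission     = $permission
            Review         = $review
        }
    } | Select-Object SamAccountName, Enabled, Permission, Review
}

# Accounts with an explicit Allow, the ones that can connect over the VPN
# regardless of network policy conditions on the user.
Get-DialInPermission |
    Where-Object { $_.Permission -eq 'Allow access' } |
    Sort-Object SamAccountName |
    Format-Table -AutoSize
```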

Exercise 2: Create and test a VPN connection.


1. Open the Network and Sharing Center.
2. Click Set up a new connection or network.
3. Click Connect to a workplace and then click Next.
4. Click Use my Internet connection (VPN).
5. If prompted for a new Internet connection, choose I'll set up an Internet connection later.
6. In the Internet address: box type NYC-DC1.
7. In the Destination name: box type Contoso Network.
8. Click the check box for Allow other people to use this connection. Click Next.
9. Fill in the User name (Admin1), Password (Pa$$w0rd) and Domain (Contoso) boxes and click Create.
10. Verify that the connection was successful and click Close.
11. Click Change adapter settings.
12. Right click Contoso Network and click connect. Use the Admin1 account credentials and click Connect.
13. Verify that the connection was successful by using ipconfig to check that an IP address (192.168.20.X) was issued to the Contoso Network adapter.
14. Disconnect from the Contoso Network.
15. Right click Contoso Network and click connect. Use the User1 account credentials and click Connect.
16. Verify that the connection is unsuccessful (User1 is not allowed to connect over the VPN).


Labs Module 12: Manage File Synchronization (Optional)


Overview: Configure and test offline files and previous files configurations. Unless stated otherwise, start up the Windows 7 client and the domain controller images. Login with the Contoso\Admin1 user account with a password of Pa$$w0rd. References to COMPUTER1 mean that you should be using the first option in the Windows Boot Manager (Windows 7). References to VIRTUAL1 mean that you should be using the second option in the Windows Boot Manager (Windows 7 VHD). If the computer name for an exercise is not specified, use the default Windows 7 boot option (COMPUTER1).

Estimated time to complete this lab is 45 minutes.

Exercise 1: Configure and Test Offline Files

1. 2. 3. 4. 5. Login to COMPUTER1 as Contoso\Admin1. Click Start > Administrative Tools. Hold down the Shift Key and right click on Computer Management to choose Run as different user Login as Contoso\Administrator with a password of Pa$$w0rd. Right Click Computer Management and click Connect to another computer. Specify the NYC-DC1 computer and click OK. Click System Tools (If the connection is prevented because of RPC failure, connect to NYC-DC1 using Remote Desktop and run the command netsh advfirewall firewall set rule group="remote administration" new enable=yes). Click System Tools > Shared Folders > Shares. Verify that there is no available share named Temp. If there is, delete it. Right click Shares and choose New Share Click Next and type the path C:\TEMP and click Next. Click the Change button. Read the options available in the Offline Settings window. Click the option for All files and programs that users open from the shared folder are automatically available offline. Click the Optimize for performance check box. Click OK. In the Share name: box, type TEMP. Click Next. In the Shared Folder Permissions window, customize the permissions to give Everyone Full-Control. Click Finish and close the Computer Management console. Map the \\192.168.10.100\TEMP share to the T: drive. Connect using the Contoso\Administrator credentials (You must use the IP address to connect so as not to create a credential conflict with existing shares). Connect to the T: drive in Windows Explorer and right click on any two text files to enable the option for Always available offline. Edit both files by adding a new line of text saying This is a test. and save the changes. Disable the network adapter. Verify that you still have access to the two offline files on the T: drive. Add another line of text to one of the files that says This is another test.. Enable the network adapter. Re-establish a connection to the T: drive. 
Verify that the changes you made are still on the network version of the file. In Windows Explorer, right click on the T: drive and open the properties window. In the Offline Files tab, click the option for Always available offline then Apply. Close the properties window when the synchronization is complete. Disable the network adapter. Try accessing any file on the T: drive. You should have access to any of them. Enable the network adapter. Disable offline files feature for the T: drive and disconnect the drive.

6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19. 20. 21. 22. 23. 24. 25. 26. 27. 28. 29. 30. 31.


Exercise 2: Restore the Previous Version of a File


1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. On Computer1, share the C:\TEMP folder with the name TEMP. Use the default settings for the share. Create a text file named C:\TEMP\TEST.TXT. Add the phrase This is a test to the file and save it. Open a Command Prompt and specify Run as administrator Open a PowerShell prompt Run the command: CheckPoint-Computer -Description Test1 to create a restore point named Test1. Keep the Command Prompt open. Use Windows Explorer to open the C:\TEMP folder. Edit the Test.txt file to add another line of text This is another test. Save the file and close the editor. Right click the file Test.txt and choose Restore previous versions Use the Open option to see the file and verify that it is the previous version of it. Save the file with the name C:\TEMP\TEST2.TXT and close Notepad. From the Command Prompt run the PowerShell command: Get-ComputerRestorePoint Make a note of the sequence number for the Test1 restore point. Run the command: Restore-Computer -RestorePoint <SN> -Confirm. <SN> represents the sequence number.
16. Close all applications before typing Y and pressing Enter to confirm the system restore operation.
17. After the system restarts, login and verify that neither of the files in the C:\TEMP folder was changed as a result of the system restore.


Labs Module 13: Identify and Resolve Internet Explorer Security Issues (Optional)
Overview: Configure and test Internet Explorer security features using the local browser and group policy settings. Unless stated otherwise, start up the Windows 7 client and the domain controller images. Login with the Contoso\Admin1 user account with a password of Pa$$w0rd. References to COMPUTER1 mean that you should be using the first option in the Windows Boot Manager (Windows 7). References to VIRTUAL1 mean that you should be using the second option in the Windows Boot Manager (Windows 7 VHD). If the computer name for an exercise is not specified, use the default Windows 7 boot option (COMPUTER1).

Estimated time to complete this lab is 30 minutes.

Exercise 1: Configure Trusted Security Zone for automatic authentication on Intranet Site

1. Open Internet Explorer
2. Press Alt + F to access the menu bar, go to Tools and click Internet Options
3. In the Security tab, click Trusted sites
4. Click the Custom level button and scroll all the way to the bottom of the settings window.
5. In the User Authentication section, make sure that Automatic logon only in Intranet zone is selected.
6. Click OK.
7. Click the Sites button.
8. Uncheck the box for Require server verification (https) for all sites in this zone
9. Add http://contoso.com to represent your local intranet site.
10. Click Close.
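
The settings changed in this exercise are stored per user in the registry, which makes them easy to audit after the fact: the Trusted sites logon policy, whether the zone still requires https, and which sites were added over plain HTTP (such an entry is matched by name only, with no server verification). The PowerShell below is an added example, not part of the courseware; it assumes the settings were made through Internet Options for the current user rather than pushed by policy, and the function name is hypothetical.

```powershell
# Added example (not from the courseware). Reads the current user's
# Internet Explorer zone settings; zone 2 is Trusted sites.
$InternetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-TrustedZoneAudit {
    $zone = Get-ItemProperty -Path "$InternetSettings\Zones\2"

    # Value 1A00 holds the User Authentication > Logon setting.
    $logonPolicy = @{
        0x00000 = 'Automatic logon with current user name and password'
        0x10000 = 'Prompt for user name and password'
        0x20000 = 'Automatic logon only in Intranet zone'
        0x30000 = 'Anonymous logon'
    }
    $logon = $logonPolicy[[int]$zone.'1A00']
    if (-not $logon) { $logon = 'Unknown value: {0}' -f $zone.'1A00' }

    # Bit 4 of Flags is "Require server verification (https:) for all sites in this zone".
    $requireHttps = ($zone.Flags -band 4) -ne 0

    # Site-to-zone assignments live under ZoneMap\Domains. Each key is a domain
    # (subkeys are host names below it); each value name is a scheme and the
    # value data is the zone number.
    $sites = @()
    Get-ChildItem -Path "$InternetSettings\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            # Rebuild the host name: ...\Domains\contoso.com\www -> www.contoso.com
            $relative = $key.Name -replace '^.*\\ZoneMap\\Domains\\', ''
            $parts = @($relative -split '\\')
            [array]::Reverse($parts)
            $site = $parts -join '.'

            foreach ($scheme in $key.GetValueNames()) {
                if ($key.GetValue($scheme) -eq 2) {
                    $sites += New-Object PSObject -Property @{
                        Site      = $site
                        Scheme    = $scheme
                        PlainHttp = ($scheme -ne 'https')
                    }
                }
            }
        }

    New-Object PSObject -Property @{
        LogonPolicy  = $logon
        RequireHttps = $requireHttps
        TrustedSites = $sites
    }
}

$audit = Get-TrustedZoneAudit
$audit | Select-Object LogonPolicy, RequireHttps | Format-List
# Trusted sites entries that are not restricted to https.
$audit.TrustedSites | Where-Object { $_.PlainHttp } | Select-Object Site, Scheme
```

After the exercise, the expected result is the logon policy 'Automatic logon only in Intranet zone', RequireHttps reported as False, and contoso.com listed with the http scheme.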

Exercise 2: Configure the Security and Privacy Features in Internet Explorer


1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. 14. 15. 16. 17. Open the Internet Options window in Internet Explorer. Go to the General tab. Click the Settings button under Browsing history. Set the disk space to use 8MB. Set the days to keep pages in history to 0. Click OK. Click the check box for Delete browsing history on exit. Click Delete under the Browsing history section. Read the description of each check box and enable all of them. Click Delete. Go to the Privacy tab. Enable both options for InPrivate Filtering. These options prevent private data from being shared with third-party web-sites. Go to the Advanced tab. Scroll down to the Security section and verify that the options to check for certificate revocation are checked. Go to the Programs tab Click the Manage add-ons button to see all the add-ons available in the browser. Click any Add-on and notice the option to disable it. Add-ons can also be uninstalled by removing the application that installed it. Click Close and close Internet Explorer. Click Start > All Programs > Accessories > System Tools. Open Internet Explorer (No Add-ons). This option is good for troubleshooting issues created by add-ons installed in IE. The same thing can be done by executing iexplore.exe -extoff. In Internet Explorer, open the menu bar with Alt + F.

18. Notice the options under Tools for InPrivate Browsing, InPrivate Filtering and SmartScreen Filter.
19. Enable each of these options and find out what the features do by using Windows Help and Support.
20. In Internet Explorer, use the menu bar to go to Tools > Compatibility View Settings.
21. Notice the options available for adding and configuring the behavior of web-sites designed for older versions of IE.

Exercise 3: Configure Group Policy Settings for Internet Explorer


1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. Open the Group Policy Management console with Contoso\Administrator credentials. Edit the Default Domain Policy. Navigate to User Configuration > Policies > Windows Settings > Internet Explorer Maintenance. Under Browser User Interface, configure Browser Title to say Contoso Corporation. Under Connection, configure Proxy Settings to use an IP of 192.168.10.100 on Port 8080. Under URLs, double click Favorites and Links. Click the check box for Place favorites and links at the top of the list in the order specified below. Click the check box for Delete existing Favorites and Links, if present. Use the Add URL button to create a URL with the Name: Contoso Home Page and a URL of http://contoso.com. Click OK twice. Under Internet Explorer Maintenance, click URLs. Open the properties of Important URLs. Specify http://contoso.com as the Home page URL. Click OK and close the Group Policy Management Console. Open Internet Explorer and verify the changes just made. If the policy settings are not being enforced, logout and log back in or use the gpupdate /force command.


Labs Module 14: Identify and Resolve Firewall Issues (Optional)


Overview: Create and test firewall rules for network applications. Unless stated otherwise, start up the Windows 7 client and the domain controller images. Login with the Contoso\Admin1 user account with a password of Pa$$w0rd. References to COMPUTER1 mean that you should be using the first option in the Windows Boot Manager (Windows 7). References to VIRTUAL1 mean that you should be using the second option in the Windows Boot Manager (Windows 7 VHD). If the computer name for an exercise is not specified, use the default Windows 7 boot option (COMPUTER1).

Estimated time to complete this lab is 45 minutes.

Exercise 1: Configure and Test Firewall Rules for an Application

1. Create a System Restore point named Pre_Lab14.
2. Open the Services MMC using Contoso\Administrator credentials and connect to NYC-DC1.
3. Change the startup status of Telnet to automatic and manually start it. Close the Services window.
4. Open an Administrator: Command Prompt.
5. Run the command: Telnet NYC-DC1.
6. Run the command hostname to verify the machine name.
7. Exit the telnet session and keep the Command Prompt window open.
8. Open the Windows Firewall with Advanced Security console.
9. Right click Windows Firewall with Advanced Security and click Export policy.
10. Save the policy file on the desktop as Firewall.wfw.
11. Double click Outbound Rules.
12. Right click Outbound Rules and click New Rule.
13. In the Rule Type window click Program then click Next.
14. In the Program window click This program path: and type c:\windows\system32\telnet.exe. Click Next.
15. In the Action window, click Block the connection. Click Next.
16. In the Profile window, make sure that only the Domain location is checked. Click Next.
17. In the Name window, name the rule Telnet (Domain). Click Finish.
18. Use the Command Prompt to test the telnet connection to NYC-DC1. Verify that the connection fails.
19. Use the Windows Firewall tool to locate the new Telnet (Domain) rule. Right click on the rule and choose Disable Rule.
20. Use the Command Prompt window to test the telnet connection again and verify that it works. Keep the application open.
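
The same exercise can be driven with netsh advfirewall from an elevated PowerShell prompt, which makes the scope of the rule (one program, outbound, Domain profile only) explicit. This is an added example and not part of the course material; the function names and the Test-TcpPort helper are assumptions made for illustration.

```powershell
# Added example: Exercise 1 scripted for PowerShell 2.0 on the Windows 7 client.
# Run elevated. All function names below are hypothetical helpers.

$RuleName   = 'Telnet (Domain)'                   # rule name used in the lab
$Program    = 'C:\Windows\System32\telnet.exe'    # program path used in the lab
$Server     = 'NYC-DC1'                           # lab domain controller
$BackupFile = Join-Path $env:USERPROFILE 'Desktop\Firewall.wfw'

function Backup-FirewallPolicy {
    param([string]$Path)
    # Keep an existing export instead of replacing the known-good copy.
    if (Test-Path $Path) {
        Write-Warning "$Path already exists; keeping it."
        return
    }
    netsh advfirewall export $Path
}

function Add-ProgramBlockRule {
    param([string]$Name, [string]$ProgramPath)
    # 'show rule' exits non-zero when no rule carries this name.
    netsh advfirewall firewall show rule name="$Name" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        netsh advfirewall firewall add rule name="$Name" dir=out action=block `
            program="$ProgramPath" profile=domain enable=yes
    }
}

function Set-RuleState {
    param([string]$Name, [bool]$Enabled)
    $state = if ($Enabled) { 'yes' } else { 'no' }
    netsh advfirewall firewall set rule name="$Name" new enable=$state
}

function Test-TcpPort {
    # Plain TCP connect from powershell.exe with a timeout.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Steps 9-10: export the current policy before changing anything.
Backup-FirewallPolicy -Path $BackupFile

# The rule is limited to the Domain profile, so confirm that profile is active.
netsh advfirewall show currentprofile

# Steps 12-17: outbound block rule for telnet.exe.
Add-ProgramBlockRule -Name $RuleName -ProgramPath $Program
netsh advfirewall firewall show rule name="$RuleName" verbose

# Step 18 aid: the rule matches telnet.exe only, so this connect from
# powershell.exe is not affected by it. It separates "the rule is blocking
# telnet.exe" from "the Telnet service is not answering".
if (Test-TcpPort -ComputerName $Server -Port 23) {
    "Port 23 on $Server answers from powershell.exe; a failing telnet.exe points to the rule."
} else {
    "Port 23 on $Server did not answer; check the Telnet service before blaming the rule."
}

# Step 19: disable the rule again.
Set-RuleState -Name $RuleName -Enabled $false
```

Because the rule is keyed to a program path, it stops that one executable and not the protocol; a rule written with protocol and remote port would be needed to block Telnet traffic from every program.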

Exercise 2: Fix Application problems caused by Firewall Rules


1. Use Windows Features to Install the following three components:
   Internet Information Services > FTP Server > FTP Service.
   Internet Information Services > FTP Server > FTP Extensibility.
   Internet Information Services > Web Management Tools > IIS Management Console.
2. Click Start > Administrative Tools > Internet Information Services (IIS) Manager
3. Right click Computer01 and click Add FTP Site.
4. Name the site Default FTP Site and use the physical path of C:\TEMP. Click Next.
5. On the Binding and SSL Settings window, choose No SSL. Click Next.
6. On the Authentication and Authorization Information window, click the Anonymous and Basic authentication methods.
7. Under the Authorization section, choose All users.
8. Under the Permissions section, check Read and Write. Click Finish.


9. Close Internet Information Services (IIS) Manager.
10. Use the Command Prompt to run the command: netstat -an | find /i "LISTENING". Verify that the computer is listening on the ftp port (21).
11. Restart the computer and login as Contoso\Admin1.
12. Open the Command Prompt with the Contoso\Administrator account.
13. Run the command: telnet NYC-DC1. Execute the following commands to use ftp.exe on NYC-DC1:
    a. netsh advfirewall firewall add rule name="FTP Command" dir=in action=allow program=c:\windows\system32\ftp.exe
    b. netsh advfirewall firewall add rule name="FTP Command" dir=out action=allow program=c:\windows\system32\ftp.exe
14. From the telnet session, run the command: ftp Computer1. The connection should fail because of the firewall settings on Computer1. Leave the session window open.
15. Open the Windows Firewall with Advanced Security console.
16. Under Inbound Rules, find and enable the following rules:
    FTP Server (FTP Traffic-In)
    FTP Server Passive (FTP Passive Traffic-In)
17. Under Outbound Rules, find and enable the FTP Server (FTP Traffic-Out) rule.
18. Try the ftp connection again to verify that the new firewall rules allow the connection.


Labs Module 15: Identify and Resolve Issues due to Malicious Software (Optional)

Overview: Configure controls to prevent unauthorized installations. Scan computer files for malware and changes to system files. Unless stated otherwise, start up the Windows 7 client and the domain controller images. Login with the Contoso\Admin1 user account with a password of Pa$$w0rd. References to COMPUTER1 mean that you should be using the first option in the Windows Boot Manager (Windows 7). References to VIRTUAL1 mean that you should be using the second option in the Windows Boot Manager (Windows 7 VHD). If the computer name for an exercise is not specified, use the default Windows 7 boot option (COMPUTER1).

Estimated time to complete this lab is 45 minutes.

Exercise 1: Use Action Center to Manage UAC Settings

1. Create a System Restore point named Pre_Lab15.
2. Click Start > Control Panel > System and Security > Action Center.
3. Click Change User Account Control settings.
4. Click on each of the four UAC settings and read the description of each.
5. Choose the Always notify option and click OK to accept the change.

Exercise 2: Use System File Checker


1. Click Start > All Programs > Accessories.
2. Right click Command Prompt and click Run as Administrator. Click Yes.
3. Run the command: sfc.exe /?. Read the description and the options available for this tool.
4. Run the command: sfc.exe /scannow. The scanning process can take 10 or more minutes.
5. Review the results for any errors found and verify that they were fixed automatically.

Exercise 3: Use the Malicious Software Removal Tool


1. Use Windows Explorer to connect to \\NYC-DC1\Classfiles
2. Copy the \\NYC-DC1\Classfiles\Tools\windows-kb890830-x64-v3.0.exe file to the C:\TEMP folder.
3. Execute C:\TEMP\windows-kb890830-x64-v3.0.exe as an Administrator.
4. Read and accept the licensing agreement and click Next.
5. Read the information and instructions on the Welcome to the Microsoft Windows Malicious Software Removal Tool page.
6. Click Next.
7. On the Scan type page, click the radio button to perform a Customized scan.
8. Click the Choose Folder button.
9. In the Browse For Folder window, choose the C: drive and click OK.
10. Click Next and allow the scan to check files on the C: drive.
11. Close the program after the scan is complete
12. If the scan takes more than 10 minutes, cancel it.


Exercise 4: Install Microsoft Security Essentials (Optional)

1. Go to the C:\Labfiles folder on the host server and execute L15-4.exe.
2. Walk through the simulation as it mimics an installation and anti-viral scan using Microsoft Security Essentials.

Note: Change the UAC settings back to the default configuration.


Labs Module 16: Identify and Resolve Encryption Issues


Overview: Configure EFS and share encrypted files. Unless stated otherwise, start up the Windows 7 client and the domain controller images. Login with the Contoso\Admin1 user account with a password of Pa$$w0rd. References to COMPUTER1 mean that you should be using the first option in the Windows Boot Manager (Windows 7). References to VIRTUAL1 mean that you should be using the second option in the Windows Boot Manager (Windows 7 VHD). If the computer name for an exercise is not specified, use the default Windows 7 boot option (COMPUTER1).

Estimated time to complete this lab is 30 minutes.

Exercise 1: Encrypt files using EFS

1. Create a System Restore point named Pre_Lab16.
2. Use Windows Explorer to open the C:\TEMP folder.
3. Right click on one of the files and choose Properties.
4. In the General tab, click Advanced.
5. Check the box for Encrypt contents to secure data.
6. Click OK and accept the default settings to close the properties window and encrypt the file (If prompted, only encrypt the file and not the folder).
7. Notice the change in file color. If the encrypted file does not have a different color from the other files in the directory, modify the Folder Options and check the option for Show encrypted or compressed NTFS files in color.
8. Logout and then login as User1.
9. Create a folder named E:\TEMP\TESTEFS.
10. Create two text files in the E:\TEMP\TESTEFS folder named test1.txt and test2.txt.
11. Add one line of text to both files (This is a test.) and save them.
12. Right click the E:\TEMP\TESTEFS folder and click Properties.
13. In the General tab, click Advanced.
14. Check the box for Encrypt contents to secure data.
15. Click OK twice to close the Properties window.
16. In the Confirm Attribute Changes box, choose Apply changes to this folder, subfolders and files. Click OK.
17. Confirm that the two text files have been encrypted.
18. Logout and then login as Admin1.
19. Verify that Admin1 has permissions to the files, but does not have access to open and view them.
20. Try to take ownership of the files and give yourself Full Control permissions. Access will still be denied.

Exercise 2: Configure EFS Sharing


1. Login as User1
2. Open the properties of the test1.txt file.
3. In the General tab click Advanced.
4. In the Advanced Attributes window, click Details
5. In the Users who can access this file: section, click Add.
6. Choose the Admin01 account and click OK.
7. Close the properties of the test1.txt file.
8. Login as Admin1 and verify that you now have access to test1.txt.


Exercise 3: Configure a Recovery Agent

1. Open an Administrator: Command Prompt.
2. Run the command cipher.exe /r:e:\temp\recovery. When prompted, use a password of Pa$$w0rd.
3. Verify that the E:\TEMP folder has recovery certificate files named recovery.cer and recovery.pfx.
4. Open the Group Policy Management console using the Contoso\Administrator credentials.
5. Edit the Default Domain Policy.
6. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Encrypting File System.
7. Right click Encrypting File System and click Add Data Recovery Agent. Click Next.
8. Click Browse Folders. Specify the E:\TEMP\recovery.cer file and click Open.
9. Read the message in the Add Recovery Agent window and click Yes.
10. Click Next and then Finish.
11. Verify that the Admin1 account is now an EFS recovery agent (The Intended Purposes column should specify File Recovery).
12. Open an MMC console and add the Certificates snap-in. When prompted, use the My user account option.
13. In the Certificates snap-in, open the Personal > Certificates folder.
14. Right click the Certificates folder and choose All Tasks and then Import.
15. Follow the instructions in the wizard to import the E:\Temp\recovery.pfx file. When prompted for the password, use Pa$$w0rd. Enable all the options presented except Enable strong private key protection. Click Next.
16. Make sure that the Personal store is chosen and click Next then click Finish.
17. Restart the system and login as Contoso\User1.
18. Add a line with the words This is another test to both the test1.txt and test2.txt files in the E:\Temp\TestEFS folder.
19. Logout and login again as Contoso\Admin1.
20. In the properties of the E:\Temp\TestEFS\test1.txt file, click the Advanced button on the General tab.
21. In the Advanced Attributes window, click the Details button and verify that Admin1 is a recovery agent (If the status has not been updated as yet, run gpupdate.exe /force or restart the system and try again.)
22. Perform the above two steps for the E:\Temp\TestEFS\test2.txt file.
23. Click Cancel and decrypt the E:\Temp\TestEFS\test2.txt file by removing the Encrypt contents to secure data check mark and clicking OK twice. Verify that the file is now decrypted and can be edited by Admin1.
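
The checks in steps 11 and 19-22 can also be made from PowerShell, which shows at a glance whether the recovery certificate was imported with its private key and which certificates each file actually carries. This is an added example, not part of the course material; the function names are assumptions made for illustration.

```powershell
# Added example: verify the state Exercise 3 sets up. Run as Contoso\Admin1 on
# the Windows 7 client (PowerShell 2.0). Function names are hypothetical helpers.

$Folder          = 'E:\TEMP\TESTEFS'            # folder created in Exercise 1
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'   # "File Recovery" enhanced key usage

function Get-EfsFileState {
    # Lists every file under $Path with its NTFS Encrypted attribute.
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $isEncrypted = ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
            New-Object PSObject -Property @{ Path = $_.FullName; Encrypted = $isEncrypted }
        } | Select-Object Path, Encrypted
}

function Get-RecoveryCertificate {
    # Certificates in the current user's Personal store with the File Recovery EKU.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $oids = @($_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        $oids -contains $FileRecoveryOid
    } | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

# 1. Which files are encrypted?
$files = @(Get-EfsFileState -Path $Folder)
$files | Format-Table -AutoSize

# 2. Did the import of recovery.pfx (steps 12-16) bring the private key along?
#    A recovery agent without the private key cannot decrypt anything.
$agents = @(Get-RecoveryCertificate)
if ($agents.Count -eq 0) {
    Write-Warning 'No File Recovery certificate in Cert:\CurrentUser\My; import recovery.pfx first.'
}
foreach ($agent in $agents) {
    if (-not $agent.HasPrivateKey) {
        Write-Warning "Certificate $($agent.Thumbprint) has no private key in this profile."
    }
}
$agents | Format-List

# 3. Per file, cipher.exe /c prints the users who can decrypt it and the
#    recovery certificates stored with it. Compare those thumbprints with the
#    list above. A file encrypted before the policy arrived keeps its old
#    recovery list until it is next modified (the reason step 18 has User1
#    edit both files) or until its owner refreshes it with cipher.exe /u.
foreach ($file in $files) {
    if ($file.Encrypted) {
        cipher.exe /c $file.Path
    }
}
```

Outside the lab, recovery.pfx holds the recovery agent's private key and would be moved off the workstation once it has been imported.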


Labs Module 17: Identify and Resolve Software Update Issues (Optional)

Overview: Configure Windows Update settings using Desktop tools and group policy settings. Unless stated otherwise, start up the Windows 7 client and the domain controller images. Login with the Contoso\Admin1 user account with a password of Pa$$w0rd. References to COMPUTER1 mean that you should be using the first option in the Windows Boot Manager (Windows 7). References to VIRTUAL1 mean that you should be using the second option in the Windows Boot Manager (Windows 7 VHD). If the computer name for an exercise is not specified, use the default Windows 7 boot option (COMPUTER1).

Estimated time to complete this lab is 15 minutes.

Exercise 1: Configure Windows Updates on the Desktop

1. Login to COMPUTER1 as Contoso\Admin1.
2. Open the Action Center and click the link for Windows Update.
3. Click Updates: frequently asked questions and read the sections for How do I let all users on my computer install updates? and What do the different types of updates mean? Close the Help and Support window.
4. Click Change Settings.
5. Under the section for Important Updates, choose the option for Install updates automatically. Change the time of updates to 5:00AM.
6. Check the option for Give me recommended updates the same way I receive important updates.
7. Check the option for Allow all users to install updates on this computer. Click OK.
8. End any attempt to download and install updates.
9. Close the Action Center.

Exercise 2: Configure Windows Updates Using Group Policy


1. Open the Group Policy Management console using the Contoso\Administrator credentials.
2. Edit the Default Domain Policy.
3. Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update
4. Edit the setting for Enable client-side targeting and read the Help section.
5. Enable this setting and assign a target group name of IT. Click OK.
6. Edit the setting for No auto-restart with logged on users for scheduled automatic updates installations and read the Help section.
7. Enable this setting and click OK.
8. Enable the setting for Allow non-administrators to receive update notifications.
9. Edit the setting for Configure Automatic Updates and read the Help section.
10. Enable this setting and in the Options under Configure automatic updating, choose Allow local admin to choose setting. Schedule the updates for 6:00AM every morning. Click OK.
11. Edit the setting for Specify intranet Microsoft update service location and read the Help section.
12. Enable this setting and configure the intranet update and statistics server to use the http://NYC-DC1 URL.
13. Click OK and close the Group Policy.
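
Once the policy has reached the client (gpupdate /force, as used elsewhere in these labs), each setting from Exercise 2 can be confirmed in the registry values that the Windows Update administrative template writes. This is an added example, not part of the course material; the function name and the expected-value table are assumptions built from the steps above.

```powershell
# Added example: compare the Windows Update policy values on the client with
# the lab configuration. PowerShell 2.0 compatible. Test-WindowsUpdatePolicy
# is a hypothetical helper name.

$WU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU = "$WU\AU"

# Expected values, taken from steps 4-12 of the exercise.
$Expected = @(
    @{ Setting = 'Enable client-side targeting';           Key = $WU; Name = 'TargetGroupEnabled';            Value = 1 },
    @{ Setting = 'Target group name';                      Key = $WU; Name = 'TargetGroup';                   Value = 'IT' },
    @{ Setting = 'Non-administrators get notifications';   Key = $WU; Name = 'ElevateNonAdmins';              Value = 1 },
    @{ Setting = 'Intranet update service';                Key = $WU; Name = 'WUServer';                      Value = 'http://NYC-DC1' },
    @{ Setting = 'Intranet statistics server';             Key = $WU; Name = 'WUStatusServer';                Value = 'http://NYC-DC1' },
    @{ Setting = 'Use the intranet update service';        Key = $AU; Name = 'UseWUServer';                   Value = 1 },
    @{ Setting = 'No auto-restart with logged on users';   Key = $AU; Name = 'NoAutoRebootWithLoggedOnUsers'; Value = 1 },
    @{ Setting = 'Configure Automatic Updates is enabled'; Key = $AU; Name = 'NoAutoUpdate';                  Value = 0 },
    @{ Setting = 'Allow local admin to choose setting';    Key = $AU; Name = 'AUOptions';                     Value = 5 },
    @{ Setting = 'Scheduled day (0 = every day)';          Key = $AU; Name = 'ScheduledInstallDay';           Value = 0 },
    @{ Setting = 'Scheduled hour (6 = 6:00AM)';            Key = $AU; Name = 'ScheduledInstallTime';          Value = 6 }
)

function Test-WindowsUpdatePolicy {
    foreach ($e in $Expected) {
        # A missing key or value yields $null rather than an error.
        $item   = Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($e.Name) } else { $null }
        New-Object PSObject -Property @{
            Setting  = $e.Setting
            Name     = $e.Name
            Expected = $e.Value
            Actual   = $actual
            Match    = ($null -ne $actual) -and ($actual -eq $e.Value)
        } | Select-Object Setting, Name, Expected, Actual, Match
    }
}

$results = @(Test-WindowsUpdatePolicy)
$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Match })
"{0} of {1} values match the lab configuration." -f ($results.Count - $failed.Count), $results.Count

# The lab points clients at http://NYC-DC1. Flag any update server URL that
# is not HTTPS so the choice is visible when this check is reused elsewhere.
$server = ($results | Where-Object { $_.Name -eq 'WUServer' }).Actual
if ($server -and $server -notmatch '^https://') {
    Write-Warning "WUServer '$server' is not an https:// URL; traffic to the update server is unencrypted."
}
```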


Appendix B: PowerShell for Desktop Support Technicians

Table of Contents

Overview
Lesson 1: Compared to Other Scripting Languages
Lesson 2: Configuring and Using PowerShell
Lesson 3: Creating and Running Scripts
Lesson 4: Administering Local Resources
Lesson 5: Administering Network Resources
Resolve PowerShell Scripting Problems
Review PowerShell for Desktop Support Technicians
Labs Appendix B: PowerShell for Desktop Support Technicians


Overview

Compared to Other Scripting Languages

Configuring and Using PowerShell


Creating and Running Scripts

Administering Local Resources


Administering Network Resources

Resolve PowerShell Scripting Problems

PowerShell is a command-line shell and scripting language used on Windows computers. It is supported on Windows Server 2003 & 2008, Windows XP, Windows Vista and Windows 7. The tools and options available with this platform allow technicians to perform configuration and administration tasks using the same methods regardless of operating system platform. The script used to disable the network card on a Windows Vista system can also be used to perform the same function on Windows 7 computers.

Technicians familiar with command-line tools in the Windows Command Shell (cmd.exe) or those used on UNIX and Linux command shells will be able to carry those skills over into the PowerShell environment. The ability to use existing scripting skills and then build on them with more sophisticated tools and options makes the transition to PowerShell scripting easier. More sophisticated scripts can be constructed and they have access to all the features of the .NET framework.

The uniform way in which different Windows systems can be administered with PowerShell and the tools available that support daily administrative tasks are important reasons to learn this language. PowerShell allows administrators to install applications & features, view & add information to Event Logs, change the domain, local & network properties of a computer, modify security settings and set up automated tasks. Besides the operating system, commands can be created to configure applications such as Exchange and SQL Server.

In this module, students will learn about the capabilities of PowerShell and, through exercises, will see practical ways to use this tool. Although this skill set is not measured in current desktop support exams, it should prove useful for technicians seeking to improve their administrative skills for Windows desktops.


Lesson 1: Compared to Other Scripting Languages

PowerShell vs. Windows Command Shell

PowerShell vs. Windows Scripting Host

PowerShell features make it the preferred scripting language on a Windows-based network. Scripts written for other popular platforms (CMD and WSH) can be used in it without being modified. UNIX and Linux shell commands will also work in a PowerShell environment. It exposes all the capabilities of the .NET framework to the user, so complex tasks can be performed without a great deal of programming skill. Administration can be performed remotely over the network and the same commands can be used to administer different Windows platforms.

PowerShell will not always be the best tool for a given situation, however. Depending on the task being done and the operating system or application that is being used, another scripting language might provide a better solution. Before learning more about the capabilities of PowerShell, we will compare it to other scripting environments such as Windows Command Shell and Windows Scripting Host (WSH).



PowerShell vs. Windows Command Shell


.NET Framework Support

Operating System Support


Compatibility

For technicians who use the Windows Command Shell (cmd.exe), moving to a PowerShell environment is relatively easy because most of the commands and scripts they used before will still work in this environment. CMD.exe does not have the flexibility of PowerShell or the ability to use the libraries in the .NET framework. The advantage of using Windows Command Shell is that it will work on all Windows operating systems, not just Windows XP and above. Also, unlike PowerShell, the components are already a part of the operating system and do not need to be installed or enabled.


PowerShell vs. Windows Scripting Host

.NET Framework Support

Operating System Support


Security

WSH scripts provide the programmer with greater flexibility and access to object configuration than Windows Command Shell. WSH is available on all Windows operating systems since Windows 98 and can run commands from the command line or GUI. WSH is a scripting environment and not a scripting language. It requires the use of a scripting language like VBScript or JScript. It uses the Wscript.exe or Cscript.exe command depending on whether the script is being run from the Windows GUI or the command line. Despite its capabilities, many administrators do not use it because the programming environment is not standardized and significant security vulnerabilities are exposed when using it. These issues are overcome with the use of PowerShell.


Lesson 2: Configuring and Using PowerShell

New Features in PowerShell 2.0

Getting Started
Redirection

Variables

PowerShell requires the .NET Framework to be installed on the local computer. It is supported on Windows XP, Vista, Windows Server 2003 & 2008. Depending on the version of PowerShell being used, a service pack upgrade might be required by the operating system. The Windows 7 operating system comes with PowerShell 2.0 already installed. If you will be using PowerShell for day-to-day desktop management, it is best to upgrade the version of PowerShell being used on older operating systems to keep them uniform. You can verify the version of PowerShell being used on a system by running the command get-host.


New Features in PowerShell 2.0

Remote Management

New Cmdlets
Integrated Scripting Environment (ISE)

Background Jobs
Transactions

Debugger

There are significant improvements in the version that comes with Windows 7 vs. the one that might be installed on older operating systems. New capabilities include the following:

Remote Management: One or multiple computers can be controlled from a single remote system.
New Cmdlets: Over 100 new cmdlets have been added to provide easier access to domain and other functions.
Integrated Scripting Environment (ISE): ISE allows technicians to write and debug PowerShell scripts in a GUI environment. Keyboard shortcuts and menu options can now be used to perform options that were once available only from the command-line.
Background Jobs: Jobs, in the form of PowerShell scripts can now be run in the background which allows the technician to continue working in the shell.
Transactions: Operations can be grouped together to have them complete or fail as a single unit. If a command fails, other commands that already succeeded but belong to the same group can be reversed.
Debugger: Scripts and code can be checked for errors. You can step through your code and create breakpoints to find problems more quickly.



Getting Started


Command-line and GUI Interface

Getting Help
Executables

Naming Convention

The PowerShell shell can be accessed from the command-line or GUI. Running the command powershell.exe will create a command-line shell and powershell_ise.exe will open the Graphical User Interface. Those who already know how to run commands from the Command Prompt or WSH will be able to use their commands and scripts for the most part. To start using PowerShell commands, simply type the name of the command and press Enter. The cmdlets are not case-sensitive.

Cmdlets such as Get-Service are executables that provide preconfigured functionality without having to create the code yourself. Some cmdlets can be used to help you get started in PowerShell by providing helpful information about existing commands and their syntax. Running the command Get-Help Get-Service provides information about how the Get-Service command can be used. Using the -Detailed parameter can provide much more information if needed. Running get-command will list all of the preconfigured commands available to you and get-command set-* will only list the commands that start with set-. The wildcard characters (* or ?) can be used to add flexibility to the commands that are executed. To get information about all commands with the word computer, you could run the command get-command *computer*.

Detailed information about a command and how to perform operations in PowerShell can be accessed by using built-in documentation. The command get-help about will show a list of the available libraries and individual libraries can be accessed in the same way (e.g. get-help about_scripts).

Many of the commands used are not cmdlets, but aliases. Commands familiar to those who work with UNIX or CMD.exe will work because they have been mapped to existing cmdlets that perform the same function. The ls, dir, clear and cls aliases are examples of these. To see the cmdlet being used to support an alias, use the command get-command (e.g. get-command cls).


Because of the straightforward naming structure of the cmdlets, it is relatively easy to understand what a command will do and to find the names of related commands. Cmdlets that retrieve information will always begin with get, those that add information begin with add, and those that change existing information begin with set.



Redirection


Creating an Output File

Appending to an Output File


Redirecting Errors

A very useful feature in most scripting languages is the ability to redirect output intended for the computer screen to a different location. PowerShell is also capable of this and this feature is often used to capture information from errors or for logging purposes. A number of redirection operators are available to meet different needs. The redirector (>) is used to forward information that is normally sent to the screen to a different location, such as a file (e.g. Get-ChildItem > DirList.txt). If the file being written to already exists, it will be overwritten with the new information. Two redirectors (>>) are used to append to the file when it already exists. If it does not exist it will be created. If the information being captured was generated from an error, use the number 2 in front of the redirector (2>). To append the information to an existing file instead of creating a new one, use the number 2 and two redirectors (2>>).


Variables

Types of Variables

Naming Variables
Data Types

PowerShell uses variables as a holding area for data that is used in different parts of your code. The variable name is defined once, but the information in it can be used as many times as needed. In addition to the built-in variables, you can define your own. The variable name always has a prefix of $ and a value can be assigned at the time of creation (e.g. $Variable1="This is a test").

The naming conventions and characters allowed are very flexible. Although the use of special characters and spaces is not recommended, they can be used if the variable name is enclosed in braces (e.g. ${Variable.1}="This is a test"). To avoid issues with variable names, only use letters of the alphabet, numbers and the underscore character. The name of the variable should also be descriptive of the kind of information it will contain. Community best practices also recommend using camel casing for the names. The first word is in all lower-case and subsequent words have the first letter capitalized (e.g. firstPrintServer).

Variables are most often used in scripts to simplify the code and make it more readable. The information they contain can also be manipulated when necessary and the new variable values made available in the script. You can also manage the data type of a variable, which allows you to perform tasks related to the kind of information it stores. For example, the use of integer values ($int1=4; $int2=5; $int3=$int1 + $int2; $int3) allows you to perform mathematical calculations on the variables. Working with text information, however ($string1="This is a test "; $string2="of concatenation."; $string3=$string1 + $string2; $string3), allows the information to be concatenated or manipulated in other ways (e.g. $string3.ToUpper()).

PowerShell can automatically change the data type of a variable based on the information that is assigned to it. In some cases, you might prefer to hard-code the data type to control the kind of data that can be assigned to a variable. Using the expression [int]$value1=5, for example, would not only assign the number 5 to the $value1 variable, but also generate an error if you tried to change it to a non-numeric value.


Lesson 3: Creating and Running Scripts

Security

Digitally Signing Scripts


Development

The ability to run code interactively from a shell is a very useful feature of PowerShell, but the scripting capabilities multiply its effectiveness by allowing technicians to do multiple operations at the same time. This is done by saving your code to a text file with a PS1 extension. This file can then be executed, which carries out all the actions the code would have performed interactively. These files can be used for day-to-day tasks, scheduled operations and Windows Troubleshooters.

The only resource needed to create a PowerShell script is Notepad or another text editor. The PowerShell Integrated Scripting Environment (ISE) is very useful because of its GUI interface and debugging features. It is the preferred tool for technicians who regularly create scripts.

As with variables, script names should be descriptive and avoid the use of special characters. The cmdlet naming convention, which uses a Verb-Noun syntax, is also recommended (e.g. Get-Service). The Pascal casing convention, which capitalizes the first character in each word used in the name, is also recommended. Useful coding examples and tutorials can be found at www.microsoft.com/powershell or www.powershellcommunity.org.

A major concern with any scripting language is security. Mechanisms are needed to prevent accidental execution of scripts, and measures must be taken to prevent unauthorized code from running. We will see how PowerShell is configured to address these concerns. Writing a script is relatively simple if you already know how to perform an operation interactively with the correct code, but we will also look at recommendations for configuring the scripting environment. While the capabilities of PowerShell are extensive, we will be focusing on tasks that desktop technicians might perform in carrying out their duties.

Security


Restricted

AllSigned
RemoteSigned

UnRestricted

By default, PowerShell prevents the execution of scripts. Interactive execution of code is always possible, but the ability to run PS1 files must be enabled. The setting is controlled by configuring the execution policy. It can be set to Restricted, AllSigned, RemoteSigned or UnRestricted (e.g. Set-ExecutionPolicy AllSigned). As with other options that affect the security of the system, administrative credentials are necessary to carry out this operation.

Restricted: This is the default and most secure setting. No PowerShell scripts can be executed on the system if this setting is left in place. Everything must be done by running the code directly from the shell. It does allow the execution of configuration files if they are signed and the publisher is trusted.

AllSigned: This option allows scripts to be executed, but only if they are digitally signed by a trusted publisher. This is the most secure option that allows the execution of scripts. If the computers are configured for remote management using PowerShell, this requirement will apply to remote scripts as well as local ones.

RemoteSigned: This option allows scripts to be run locally or remotely, but requires that scripts downloaded from the Internet zone be signed by a trusted authority. Because the metadata identifying Internet downloaded files can be easily changed, this should not be considered a secure method to prevent the use of Internet scripts on the local network.

UnRestricted: This option allows all scripts, local and remote, to be executed without being signed. Scripts executed remotely will present a warning message that must be acknowledged before being run.

While the UnRestricted setting might make it easier to execute scripts, it is not recommended for security reasons. The most secure scripting option, AllSigned, can be implemented in a domain environment without extensive changes. PowerShell options, Remote Management settings and certificate deployment can all be configured and maintained through Group Policy. If technicians still need the ability to run scripts locally without signing them, the RemoteSigned option can be used.

After enabling an appropriate execution policy, scripts still must be executed by specifying the full path. If the script is in the local folder, it can be run by specifying .\ in front of the script name (e.g. .\TestScript.ps1). This helps to prevent a problem common in other scripting environments, where scripts are executed accidentally or the door is opened to running malicious code.

A further security measure is that PS1 files are opened by default with notepad.exe and not powershell.exe. Double-clicking a script from Windows Explorer will simply open it in Notepad. This association can be changed, but should not be on systems used in a production environment. It is a further mechanism to prevent accidental execution of scripts. Whenever possible, all scripts should be tested and executed without Administrative privileges before deployment to a production environment.
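The two safeguards described above (the execution policy and the PS1 file association) can be checked on a workstation with a short read-only audit. This is an added example, not part of the original courseware; the function name Get-ScriptSafeguardReport is an assumption, and the check also flags the Bypass policy value, which the text above does not list.

```powershell
# Added example (not from the courseware): read-only audit of the script
# safeguards. Works on PowerShell 2.0 and later; changes nothing on the system.

function Get-ScriptSafeguardReport {
    $findings = @()

    # 1. Execution policy at every scope. The Group Policy scopes
    #    (MachinePolicy, UserPolicy) take precedence over locally set values.
    foreach ($entry in Get-ExecutionPolicy -List) {
        $policy = $entry.ExecutionPolicy.ToString()
        $findings += New-Object PSObject -Property @{
            Check  = "ExecutionPolicy/$($entry.Scope)"
            Value  = $policy
            Review = (@('Unrestricted', 'Bypass') -contains $policy)
        }
    }

    # 2. What a double-click on a .ps1 file does. A per-user choice made in
    #    Explorer overrides the machine-wide ProgID registered for .ps1.
    $root       = 'Registry::HKEY_CLASSES_ROOT'
    $choiceKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ps1\UserChoice'
    $progId     = (Get-ItemProperty -Path "$root\.ps1" -ErrorAction SilentlyContinue).'(default)'
    $userChoice = (Get-ItemProperty -Path $choiceKey -ErrorAction SilentlyContinue).ProgId
    if ($userChoice) { $progId = $userChoice }

    $command = $null
    if ($progId) {
        # The default verb is the (default) value of the Shell key; when it is
        # empty, Windows falls back to the "open" verb.
        $verb = (Get-ItemProperty -Path "$root\$progId\Shell" -ErrorAction SilentlyContinue).'(default)'
        if (-not $verb) { $verb = 'Open' }
        $command = (Get-ItemProperty -Path "$root\$progId\Shell\$verb\Command" -ErrorAction SilentlyContinue).'(default)'
    }

    # powershell_ise.exe only opens the editor, so match powershell.exe exactly.
    $findings += New-Object PSObject -Property @{
        Check  = 'PS1 default action'
        Value  = $command
        Review = ($command -match 'powershell\.exe')
    }

    $findings
}

Get-ScriptSafeguardReport | Format-Table Check, Value, Review -AutoSize
```

Rows with Review set to True are the ones to follow up: a permissive policy at some scope, or a double-click action that executes scripts instead of opening them in an editor.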


Digitally Signing Scripts

Using AllSigned and RemoteSigned

Certificate Authority
Makecert.exe

Advantage over other Scripting Methods

If the recommended execution policies of AllSigned or RemoteSigned are used, there will be a need to use a certificate management system. These certificates are used to sign a script and therefore identify its source. The computer system can identify this source from the information in the certificate and compare it with a list of trusted certificate sources that the network administrators can manage through Group Policy. Scripts signed by sources that are not on the trusted list can be prevented from running. This helps to protect the network from malicious code or unapproved scripts.

The server that issues the certificates (Certificate Authority or CA) can be from a trusted Internet organization (e.g. VeriSign). If the additional cost of doing this is not permissible, or if the certificates will be used purely for Intranet purposes, an internal Windows Server can be configured to generate and store the certificates. This feature can also be integrated with Active Directory and Group Policy to make the process easier.

The easiest way to obtain a certificate for signing scripts is to create it with the makecert.exe tool. It is one of the tools installed with the Windows Software Development Kit. Makecert.exe can generate a new certificate for signing PowerShell scripts without the need of a Certificate Authority. Because this certificate would be generated locally and self-signed, it would need to be added to the domain list of trusted publishers. This can also be done through Group Policy.

While the steps to get the certificate infrastructure working might take some time, it would only have to be done once and would help to secure your scripting environment. This is one of the key advantages of PowerShell vs. other scripting methods, so it should not be sidestepped lightly.
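The signing workflow described above, as an added example that is not part of the original courseware: it creates a local root and a code-signing certificate with makecert.exe, signs a constructed script, and shows how a later modification of that script is detected. The certificate subject names, the file names and the Test-ScriptSignature helper are assumptions made for the example.

```powershell
# Added example (not from the courseware). Assumptions: makecert.exe from the
# Windows SDK is on the PATH, and the shell is elevated because the root
# certificate is written to the LocalMachine store.

# 1. Self-signed root certificate. makecert prompts for a password that
#    protects root.pvk, the private key of the root. Keep root.pvk offline or
#    delete it after step 2: whoever holds it can issue trusted signing certs.
makecert -n "CN=PowerShell Local Certificate Root" -a sha256 `
    -eku 1.3.6.1.5.5.7.3.3 -r -sv root.pvk root.cer -ss Root -sr localMachine

# 2. Code-signing certificate issued by that root, stored in CurrentUser\My.
#    1.3.6.1.5.5.7.3.3 is the Code Signing enhanced key usage.
makecert -pe -n "CN=PowerShell User" -ss MY -a sha256 `
    -eku 1.3.6.1.5.5.7.3.3 -iv root.pvk -ic root.cer

# 3. Constructed sample script to sign.
$scriptPath = Join-Path $env:TEMP 'Get-DiskReport.ps1'
Set-Content -Path $scriptPath -Value 'Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3"'

# 4. Select the signing certificate and sign the script. The signature is
#    appended to the file as a comment block.
$cert = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
          Where-Object { $_.Subject -eq 'CN=PowerShell User' })[0]
if (-not $cert) { throw 'No code-signing certificate found in CurrentUser\My.' }
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert |
    Format-List Status, StatusMessage

# 5. Helper that reports the signature state of a script before deployment.
function Test-ScriptSignature {
    param([Parameter(Mandatory = $true)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    New-Object PSObject -Property @{
        Path   = $Path
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
    }
}
Test-ScriptSignature -Path $scriptPath | Format-List Path, Status, Signer

# 6. Change the signed body while leaving the signature block in place, then
#    check again. The stored hash no longer matches the content, which
#    Get-AuthenticodeSignature reports through the Status property.
(Get-Content $scriptPath) -replace 'DriveType=3', 'DriveType=2' | Set-Content $scriptPath
Test-ScriptSignature -Path $scriptPath | Format-List Path, Status, Signer
```

A Status other than Valid means the script is unsigned, altered after signing, or signed by a certificate that does not chain to a trusted root. Under AllSigned the signer must also be a trusted publisher, which the text above distributes through Group Policy.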



Development


Testing Environment

Security Configuration
Whatif / Confirm

Comments / Documentation

Scripts should always be tested thoroughly before deployment to a production environment. Depending on the amount and level of scripting done, separate development computers or virtual machines might be set aside for these tasks. Some of the normal security measures might be disabled in such an environment since production systems will not be at risk. Disabling the requirement to sign scripts before execution can speed up development if the right precautions are taken. If the testing is being done on production systems, all security precautions previously mentioned should be in force. In particular, make sure that digital signatures are required for remote execution and that powershell.exe is not associated with the PS1 files.

When testing the code to be used in a script, a technician can use the -WhatIf and -Confirm parameters with the cmdlets to make sure that no unintended changes are made. The -WhatIf parameter will display a message showing what would happen if the command were executed, without actually running it (e.g. Set-Alias Srv Get-Service -WhatIf). The -Confirm parameter will actually execute the statement, but only after the user is given a prompt which allows them to continue or stop the operation (e.g. Set-Alias Srv Get-Service -Confirm).

It is also good practice to include comments in a script to make it easier to understand. Using the pound (#) symbol as the first character in a line will let the system know that all the information on that line is to be ignored when interpreting your code. If the script is used for an important operation and extensive comments are needed, an additional text file with the necessary information might be included as a part of the deployment process.
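The WhatIf and Confirm parameters are also available to a technician's own script functions when they declare SupportsShouldProcess. The following added example (not part of the original courseware) goes one step beyond the built-in cmdlets discussed above; Remove-OldLogFile and the sandbox folder are hypothetical names used only for this demonstration.

```powershell
# Added example (not from the courseware). Remove-OldLogFile and the sandbox
# paths are hypothetical; the log files are constructed sample data.

function Remove-OldLogFile {
    # SupportsShouldProcess adds -WhatIf and -Confirm to the function.
    # ConfirmImpact 'High' makes it prompt by default, as a destructive
    # operation should.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,
        [int]$OlderThanDays = 30
    )

    $cutoff = (Get-Date).AddDays(-$OlderThanDays)
    Get-ChildItem -Path $Path -Filter *.log |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -lt $cutoff } |
        ForEach-Object {
            # ShouldProcess returns $false under -WhatIf (after printing the
            # "What if" line) and asks the user when confirmation is required.
            if ($PSCmdlet.ShouldProcess($_.FullName, 'Delete log file')) {
                Remove-Item -LiteralPath $_.FullName
            }
        }
}

# Constructed sandbox: one stale log and one fresh log in a temp folder.
$sandbox = Join-Path $env:TEMP 'WhatIfDemo'
New-Item -ItemType Directory -Path $sandbox -Force | Out-Null
$old = Join-Path $sandbox 'old.log'
$new = Join-Path $sandbox 'new.log'
Set-Content -Path $old -Value 'stale entry'
Set-Content -Path $new -Value 'fresh entry'
(Get-Item $old).LastWriteTime = (Get-Date).AddDays(-90)

# Dry run: reports what would be deleted and leaves the folder untouched.
Remove-OldLogFile -Path $sandbox -WhatIf
Get-ChildItem $sandbox | Select-Object Name, LastWriteTime

# Real run: -Confirm:$false suppresses the prompt that ConfirmImpact 'High'
# would otherwise raise, which is what an unattended script needs.
Remove-OldLogFile -Path $sandbox -Confirm:$false
Get-ChildItem $sandbox | Select-Object Name, LastWriteTime
```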


Lesson 4: Administering Local Resources

WMI Classes

Registry
Log Files

File System
Network Adapter

Because PowerShell uses the .NET Framework libraries, it can be used to access and change almost any component on a system. Also, access to WMI classes makes it relatively easy to administer operating system services and devices. As a Windows 7 technician, you can take advantage of this to manage the computer registry, log files, file system and different devices such as the network adapter.



WMI Classes


Get-WmiObject

Win32_OperatingSystem
Win32_Service

Win32_ComputerSystem

An important path to accessing information about components on a computer is the WMI classes. Using the Get-WmiObject cmdlet as a gateway allows you to view details about important computer components. Information about the computer can be accessed from Win32_ComputerSystem, operating system version information can be retrieved with Win32_OperatingSystem, a list of services running on a system can be retrieved from Win32_Service, disk information is available in Win32_LogicalDisk and NIC information can be accessed with Win32_NetworkAdapter or Win32_NetworkAdapterConfiguration (e.g. Get-WmiObject Win32_ComputerSystem). A list of available classes can be viewed by running Get-WmiObject -List. The classes available and the information they provide are extensive. Tools such as PowerShell Scriptomatic can be used to browse this information graphically.

Registry


HKLM

HKCU

Information in the registry can be accessed and manipulated like data on a file system. Querying information can be done by accessing the right .NET class such as Microsoft.Win32.Registry or Microsoft.Win32.RegistryKey. The Get-ChildItem, New-Item and Remove-Item cmdlets can also be used to browse and change registry information (e.g. Get-ChildItem -Path HKLM:\Software\Microsoft or New-Item -Path HKCU:\TestKey). Set-Location can be used to connect to and navigate the registry as you would the file system (e.g. Set-Location HKLM:).



Log Files


Get-EventLog

Write-EventLog
[System.Diagnostics.EventLog]

Information in Event Logs can be browsed by using the Get-EventLog cmdlet. A list of available log files can be seen with the -List parameter, and other options allow you to specify what events you want to see from which log files (e.g. Get-EventLog -LogName System -Newest 10). New events can be added to a log file with the Write-EventLog cmdlet. Parameters normally associated with a log entry can be specified, such as category, eventid, source and message (e.g. Write-EventLog -LogName Application -EventID 5000 -Message "This is a test." -Source "PS Entry"). If the Source entry is not already linked with the LogName being used, the association will have to be created (e.g. [System.Diagnostics.EventLog]::CreateEventSource("PS Entry","Application")).


File System

Win32_LogicalDisk

Filtering
WQL

Browsing the file system can be done easily with the Get-ChildItem cmdlet. It has preconfigured aliases commonly used in the DOS and UNIX environments, such as dir and ls. The creation or deletion of files and folders can be managed with the New-Item and Remove-Item cmdlets. They also have commonly used aliases assigned to them. To view the information inside a text file, the Get-Content cmdlet can be used.

Information about the drives on a system, such as the total size or free space available, is accessible with the Win32_LogicalDisk class. Filtering options can be used to specify which particular drive you need information on (e.g. Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'" or Get-WmiObject Win32_LogicalDisk -Filter "FreeSpace > 2000000000"). These statements can also be written using WMI Query Language (WQL) if preferred (e.g. Get-WmiObject -Query "Select * From Win32_LogicalDisk Where DeviceID='C:'" or Get-WmiObject -Query "Select * From Win32_LogicalDisk Where FreeSpace>2000000000").



Network Adapter


Win32_NetworkAdapter

Win32_NetworkAdapterConfiguration
Enable / Disable NIC

IP Address Assignment

For information about network adapters, use the Get-WmiObject Win32_NetworkAdapterConfiguration command. Details about the card such as adapter speed, IP address and DHCP settings will be displayed. MAC address information is accessible with the Win32_NetworkAdapter class. Assigning new settings for static IP configuration, enabling DHCP or enabling/disabling an adapter can be done with the Win32_NetworkAdapterConfiguration class.

Here is a method that can be used to enable or disable a network adapter by taking advantage of variable assignments:

    # If more than one adapter matches, $NetworkAdapter is a collection and
    # each adapter must be handled individually (e.g. $NetworkAdapter[0]).
    $NetworkAdapter = Get-WmiObject -Query "Select * From Win32_NetworkAdapter Where AdapterType like '%ethernet%'"
    $NetworkAdapter.Disable()
    $NetworkAdapter.Enable()

A similar method can be used to configure a network card for static or dynamic IP configuration:

    $NetworkConfig = Get-WmiObject -Query "Select * From Win32_NetworkAdapterConfiguration Where DNSDomain='Contoso.com'"
    # Static configuration: address and mask, gateway, DNS server
    $NetworkConfig.EnableStatic("192.168.10.140","255.255.255.0"); $NetworkConfig.SetGateways("192.168.10.100"); $NetworkConfig.SetDNSServerSearchOrder("192.168.10.100")
    # Dynamic configuration: DHCP address and DHCP-supplied DNS servers
    $NetworkConfig.EnableDHCP(); $NetworkConfig.SetDNSServerSearchOrder()


Lesson 5: Administering Network Resources

Windows Remote Management

Windows Remote Shell


Group Policy Options

All the information available about a system locally using PowerShell cmdlets is accessible remotely using Windows Remote Management. This service can be configured from the command line with the winrm.exe command. It will automatically configure the appropriate firewall exceptions for the service to work properly. After the setup, technicians will be able to view and change remote computer settings. When combined with PowerShell scripting, this allows for convenient remote administration of desktop components and features.

The Windows Remote Shell command (winrs.exe) allows you to execute PowerShell cmdlets, scripts and functions on remote systems as if you were sitting at the computer (e.g. winrs -r:computer1 netstat -an). The command allows different authentication credentials to be provided when performing these operations.

Windows Remote Management and Windows Remote Shell can be centrally managed through Group Policy options. These features should only be enabled on desktops where they will be used. Authentication credentials will always be verified before performing an operation, but enabling the feature without using it opens up unnecessary security holes.


Resolve PowerShell Scripting Problems



Review the scenarios and problems presented along with their solutions

When using PowerShell, a desktop technician will use it mostly for getting information about systems, troubleshooting and desktop administrative tasks. Problems encountered when executing code interactively or by using a script will often be related to configuration, syntax or permission issues. In this section, we will look at some of those issues and how they might be resolved.

Your network has Windows 7, Vista and XP computers. PowerShell is installed and configured on all of them. You realize that some of the commands you use on the Windows 7 systems are not available on Windows Vista or XP. What could be the cause of this problem?
They are probably using different versions of PowerShell. Upgrade the systems so they all use the same version of PowerShell.

Some of the cmdlets used in your PowerShell scripts can make significant changes to a domain computer. How can you add prompts to the code that require confirmation before a cmdlet is executed?
All PowerShell cmdlets can use the -Confirm parameter. It will prompt the user to carry out the operation, stop it or suspend it.

To simplify the testing of scripts, a technician has changed the command associated with PS1 files from notepad.exe to powershell.exe and recommended that this be done on all systems. How might such a change affect script security?
The default configuration of not associating PS1 files with powershell.exe was deliberately done as a security measure to prevent the accidental execution of legitimate script files or malicious code. While this association might be changed on testing and development computers, it should not be done on production systems.

After testing a script on the local computer, you are unsuccessful when trying to remotely execute it on another computer. After verifying that the remote system has PowerShell installed, what else should you check?


Make sure that Windows Remote Management is configured and that the PowerShell execution policy allows remote execution of scripts.

A technician on your team has recommended that the PowerShell execution policy be set to unrestricted because the network does not have a Certificate Authority and scripts will be used extensively for administrative purposes. What are the pitfalls of this recommendation and how can you solve this problem without compromising security?
An execution policy of unrestricted allows scripts to be executed without verification of their source. The Makecert.exe command can be used to generate a certificate that can be used for signing scripts. This can be done without a CA but still be deployed as trusted through Active Directory Group Policy settings.

When you try to execute the Set-ExecutionPolicy cmdlet on a computer, it fails because you are unable to make the needed changes to the registry. How can you solve this problem?
Open a new shell with Administrative credentials and run the command again.

Some of the technicians on your team are new to PowerShell and need help to understand the functionality of some common cmdlets used for desktop management. How can they get this kind of information directly from the shell?
They can use the Get-Help cmdlet, the Help command or the Help parameter (e.g. Get-Help Get-Service or Help Get-Service or Get-Service -?). They can also use the help files that provide information about different features and options in PowerShell. A list of the help files is accessible by running the command Get-Help *about*.

Some of the technicians on your team are complaining about the names used for scripts and variables created for administrative purposes. What rules can be followed to make sure that appropriate names are assigned to these objects?
For scripts, always use names that are descriptive, use Pascal casing for the names and use the Verb-Noun syntax used with cmdlets. For variables, use descriptive names and camel casing for the names.

A few technicians that are experienced in VBScript are recommending it as a scripting solution instead of PowerShell. They do not see any advantages to PowerShell and insist they would have to re-write existing scripts if the company moved to that environment. How can you respond to these statements?
PowerShell will have performance gains vs. VBScripts in some situations and offers more security options for protecting computer systems. It is also easier to learn. Existing VBScripts will not have to be re-written to run in a PowerShell environment.

Your network will be migrating from a VBScript to a PowerShell environment. Before the changes are made your IT Manager wants you to create a report detailing the advantages of VBScript over PowerShell. What are some of the details you would include in such a report?
VBScript is supported on more versions of Windows than PowerShell and does not need any components to be installed for it to work (Windows Vista and earlier versions require PowerShell installation).


Review PowerShell for Desktop Support Technicians

REVIEW
Examine the review questions as a class

1. What cmdlet is used to enable the use of scripts in PowerShell?

2. What service must be enabled to run PowerShell scripts on a remote system?

3. What tool can be used to create a certificate for a script?

4. True or False. The data type of a variable can be changed dynamically in a script.

5. What cmdlet can be used to list all PowerShell commands?

6. What command could you use to get helpful information about using the New-Alias cmdlet?

7. How can you send the output from the Get-ChildItem cmdlet to a new file named Info.txt?

8. How can you append the errors generated by the Get-Help -f command to a file named Errors.txt?

9. True or False. CMD.exe and UNIX commands can be executed from a PowerShell shell.


10. How can you capture a list of filenames that have a TXT extension?

11. How can you generate a list of all the aliases configured in a Shell?

12. True or False. Script debugging can only be done manually from the command-line or a text editor.


Labs Appendix B: PowerShell for Desktop Support Technicians

Exercise 1: Use PowerShell to get System Information and Change Computer Settings
Exercise 2: Use PowerShell documentation to Understand and use Cmdlets
Exercise 3: Create and Execute Scripts
Exercise 4: Configure and Test Remote Management

Overview: Exercises will teach students how to run PowerShell commands interactively and from scripts. You will perform tasks to configure PowerShell security options and set up remote management using PowerShell. You must be working on a Windows 7 domain client for these exercises to work. If you have not already done so, it is recommended that you complete the labs in Modules 1-4 before starting these exercises. Unless otherwise stated, use Computer1 and log in with the Contoso\Administrator account and a password of Pa$$w0rd.

Estimated Time to complete this lab is 90 - 120 minutes.


Exercise 1: Use PowerShell to get System Information and Change Computer Settings
1. Login to Computer1 as Contoso\Admin1.
2. Open the PowerShell console as an Administrator by clicking Start > All Programs > Accessories > Windows PowerShell, right click the Windows PowerShell icon and click Run as administrator. Click Yes in the User Account Control window.
3. Run the following commands and notice the results:
o Get-Command
o Get-Help | More
o Get-Help Get-WMIObject -Detail | More
o Get-Help *about*
o Get-Help About_Scripts | More
o CD ~; Cls; Dir
o Get-Alias CD; Get-Alias CLS; Get-Alias Dir
o Get-WmiObject Win32_NetworkAdapterConfiguration



o Get-WmiObject -Query "Select * From Win32_NetworkAdapterConfiguration"
o Get-WmiObject -Query "Select * From Win32_NetworkAdapterConfiguration Where DNSDomain='Contoso.com'"
o Get-WmiObject -Query "Select * From Win32_NetworkAdapterConfiguration" | Format-Table IPAddress,MACAddress,DNSDomain
o Get-WmiObject Win32_ComputerSystem | Format-Table Name,Domain,TotalPhysicalMemory
o Set-Location HKLM:\Software; Dir; Set-Location C:
o New-Item -Path c:\temp\tmp -type directory
o New-Item -Path c:\temp\tmp\test.txt -type file
o Set-Alias Copy-Con Set-Content
o Copy-Con test.txt "This is a test"
o Type test.txt

Exercise 2: Use PowerShell Documentation to Understand and use Cmdlets


Note: For each of the following steps, use the information in Lessons 2-4 and Exercise 1 to choose the correct command for each task. Unless otherwise stated, each task must be completed with a PowerShell cmdlet. If a task changes the computer configuration, verify that the operation completed successfully.

1. Get a list of all the Set- commands.

2. Get detailed information about the Stop-Service cmdlet.

3. Stop the Spooler service and then restart it.

4. Get a list of all active processes running on the computer.

5. Get the process ID number for any process with the name iexplore. (To perform this step, start an Internet Explorer session if you do not already have one running.)

6. Stop an Internet Explorer session using the process ID number assigned to it.

7. Assign the string "This is a test" to a variable named $String1.

8. Assign the string "of concatenation." to a variable named $String2.

9. Concatenate $String1 and $String2 as a new variable named $String3 and print its value to the screen.

10. Do a folder and file listing in your home directory and send the data to a text file named C:\Temp\Dir.txt.

11. Perform a directory listing of the C:\Users folder and append the information to the C:\Temp\Dir.txt file.

12. Perform a directory listing on the fictitious folder named C:\Temporary and redirect the error message to C:\Temp\Errors.txt.


13. Perform a query to get information about all logical drives on the computers.

14. Display the logical drives in a list, showing only their name, size and freespace.

15. Display the logical drives in a table, showing only their name, size and freespace. Do not include drives with zero drive space.

16. Perform a query to get the amount of free disk space on drive C:

17. Create a folder named C:\Logs

18. Create two files named C:\Logs\Errors.log and C:\Logs\Errors2.log

19. Add two lines to the C:\Logs\Errors.log file that say Error Number 1 and Error Number 2.

20. Delete the C:\Logs\Errors2.log file.

21. Rename the C:\Logs\Errors.log file to C:\Logs\Errors.dat.

22. View the last 5 entries in the Application Event Log.

23. Record the last 50 entries from the System Event Log to a file named C:\Log\System.log

24. Create a new Source for the Event Viewer Application Log named "Admin Script".

25. Add an entry to the Application log with an EventID of 5500, a Message of "The Task Completed Successfully." and a Source of "Admin Script".

26. Disable the Network Adapter.

27. Enable the Network Adapter.

28. Assign a static IP address of 192.168.10.50 to the network card.

29. Configure the network adapter to use DHCP.


30. Add a folder to the HKEY_CURRENT_USER registry hive named PSLogic, verify that it was added correctly and then remove it.

Exercise 3: Create and Execute Scripts


1. Open Notepad and add the following lines to the text file:
o # This script will copy all events from the Windows PowerShell Log to the C:\Log\PS.log file
o # It will clear events from the Windows PowerShell Log after getting confirmation from the user.
o Get-EventLog "Windows PowerShell" > C:\Log\PS.log
o Clear-EventLog "Windows PowerShell" -Confirm
2. Save the file with the name C:\Temp\backupPowerShellLog.ps1. Make sure it does not get saved with a txt extension.
3. Open a PowerShell console with administrative credentials.
4. Run the cd \temp command to go to the C:\Temp folder.
5. Run the command backupPowerShellLog.ps1. Make a note of the error message. You must specify the full or relative path of the script (e.g. c:\temp\backupPowerShellLog.ps1).
6. Run the command .\backupPowerShellLog.ps1. Make a note of the error message. The execution policy prevents the running of scripts by default.
7. Run the command Get-ExecutionPolicy to verify that the execution policy is set to Restricted.
8. Run the command Set-ExecutionPolicy Unrestricted.
9. Run the command .\backupPowerShellLog.ps1. It should run successfully this time. Confirm the deletion of messages in the Windows PowerShell log when asked to do so.
10. Verify that the C:\Log\PS.log file has the log information and that the Windows PowerShell Event Log is empty (Get-Content C:\Log\PS.log; Get-EventLog -List).
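
The signed-script alternative to the Unrestricted policy set in step 8, using the Makecert.exe approach this appendix describes for networks without a Certificate Authority. This is an added example, not part of the original courseware; it assumes Makecert.exe from the Windows SDK is on the PATH, and the certificate subject names and the root.pvk/root.cer file names are made up for the lab.

```powershell
# Added example (not from the courseware). Run in an elevated PowerShell console on Computer1.
# Assumptions: Makecert.exe (Windows SDK) is on the PATH; the subject names and the
# root.pvk / root.cer file names below are hypothetical lab values.

$script  = 'C:\Temp\backupPowerShellLog.ps1'
$rootCn  = 'CN=Contoso Lab Script Root'      # hypothetical
$signCn  = 'CN=Contoso Lab Script Signer'    # hypothetical
$codeEku = '1.3.6.1.5.5.7.3.3'               # Code Signing enhanced key usage OID

# 1. Create a self-signed root and place it in the LocalMachine Trusted Root store.
#    Makecert prompts for a password that protects root.pvk.
makecert -n $rootCn -a sha256 -eku $codeEku -r -sv root.pvk root.cer -ss Root -sr localMachine

# 2. Issue a code-signing certificate from that root into the current user's Personal store.
makecert -pe -n $signCn -ss MY -a sha256 -eku $codeEku -iv root.pvk -ic root.cer

# 3. Select the new certificate; fail loudly if it is not there.
$cert = @(Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
          Where-Object { $_.Subject -eq $signCn })[0]
if (-not $cert) { throw "No code-signing certificate with subject '$signCn' was found." }

# 4. Sign the lab script and check the result before changing any policy.
$sig = Set-AuthenticodeSignature -FilePath $script -Certificate $cert
if ($sig.Status -ne 'Valid') { throw "Signing failed: $($sig.StatusMessage)" }

# 5. Require a trusted signature on every script instead of allowing everything.
Set-ExecutionPolicy AllSigned -Force

# 6. Run the script. The first run asks whether to trust the publisher; choosing
#    "Always run" adds the signer to the Trusted Publishers store.
& $script

# 7. Show what the signature protects against: change a copy after signing.
$tampered = 'C:\Temp\tamperedCopy.ps1'
(Get-Content $script) -replace 'PS\.log', 'PS2.log' | Set-Content $tampered
$check = Get-AuthenticodeSignature $tampered
if ($check.Status -eq 'Valid') { throw 'Modified copy still validates; investigate.' }
"Modified copy status: $($check.Status) (AllSigned will refuse to run it)"
Remove-Item $tampered

# 8. To trust the signer on other domain computers, import root.cer into a GPO under
#    Computer Configuration > Policies > Windows Settings > Security Settings >
#    Public Key Policies > Trusted Root Certification Authorities.
#    Keep root.pvk offline; anyone holding it can issue trusted signing certificates.
```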

Exercise 4: Configure and Test Remote Management


1. Login to NYC-DC1 as Contoso\Administrator.
2. Open the PowerShell console as an Administrator by clicking Start > All Programs > Accessories > Windows PowerShell, right click the Windows PowerShell icon and click Run as administrator.
3. Ping Computer1 to verify connectivity. If necessary, temporarily stop the Windows Firewall service on Computer1 (Run Services.msc and stop the Windows Firewall service).
4. Run the command: Get-WmiObject -computer Computer1 Win32_ComputerSystem.
5. Make a note of the error message. You cannot perform remote management because WinRM has not been configured on the Windows 7 client.
6. Login to Computer1 as Contoso\Administrator.
7. Open the PowerShell console as an Administrator by clicking Start > All Programs > Accessories > Windows PowerShell, right click the Windows PowerShell icon and click Run as administrator.
8. Run the command: winrm quickconfig. At each prompt, type Y and press Enter to accept the changes being made. This will configure remote management on the system.
9. From NYC-DC1, run the command: Get-WmiObject -computer Computer1 Win32_ComputerSystem again. It should be successful this time. If not successful, restart the Windows Remote Management service on Computer1 and try again.
10. Using the information from Exercise 1 and 2, use PowerShell cmdlets to perform the following tasks on Computer1 while logged into NYC-DC1:
o Get the MAC Address of the network card
o Get a list of all running services
o Find out how much RAM is on the computer
o Find out how much free space is available on the C: drive
o View the last 10 entries in the Event Viewer Security Log
11. From NYC-DC1, execute the following commands to test the Windows Remote Shell command:
o Winrs -r:computer1 hostname



o Winrs -r:computer1 ipconfig /all
o Winrs -r:computer1 nbtstat -n
o Winrs -r:computer1 netstat -n
o Winrs -r:computer1 md c:\temp2
o Winrs -r:computer1 net share temp2=c:\temp2
o Winrs -r:computer1 net share
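
A scoped alternative to stopping the Windows Firewall service in step 3 of Exercise 4, followed by checks that the WinRM listener from step 8 is answering and cleanup of the share created in step 11. This is an added example, not part of the original courseware; the firewall rule and rule-group names are the built-in English names on Windows 7 and are an assumption on localized or customized builds.

```powershell
# Added example (not from the courseware).

# --- On Computer1, elevated PowerShell console ---
# Step 3 alternative: keep the Windows Firewall service running and enable only
# the inbound rules the lab relies on.
netsh advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" new enable=yes
# Get-WmiObject -computer connects over DCOM/RPC; this built-in group permits it.
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

# Step 8: configure WinRM, then confirm what it changed.
winrm quickconfig
winrm enumerate winrm/config/listener          # listener transport, port and addresses
netsh advfirewall firewall show rule name="Windows Remote Management (HTTP-In)"
Get-Service WinRM | Format-List Name,Status

# --- On NYC-DC1, elevated PowerShell console ---
# Test-WSMan and Invoke-Command exercise the WinRM listener itself.
Test-WSMan -ComputerName Computer1
Invoke-Command -ComputerName Computer1 -ScriptBlock { hostname }
Get-WmiObject -ComputerName Computer1 Win32_ComputerSystem |
    Format-Table Name,Domain,TotalPhysicalMemory

# Cleanup after step 11: remove the test share and folder so the lab does not
# leave an extra share behind on Computer1.
winrs -r:computer1 net share temp2 /delete
winrs -r:computer1 rd c:\temp2
winrs -r:computer1 net share                    # confirm temp2 is gone

# --- On Computer1 again: close what was opened only for the lab ---
netsh advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" new enable=no
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=no
```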


Appendix C: Review and Lab Answers

Table of Contents
Review Answers for Module 1
Review Answers for Module 2
Review Answers for Module 3
Review Answers for Module 4
Review Answers for Module 5
Answers for Lab 5, Exercise 1
Review Answers for Module 6
Review Answers for Module 7
Review Answers for Module 8
Review Answers for Module 9
Review Answers for Module 10
Review Answers for Module 11
Review Answers for Module 12
Review Answers for Module 13
Review Answers for Module 14
Review Answers for Module 15
Review Answers for Module 16
Review Answers for Module 17
Review Answers for Appendix B
Answers for Appendix B, Exercise 2


Review Answers for Module 1


1. What versions of Windows 7 support the use of multiple languages? Ultimate and Enterprise.
2. In what order are machine and Active Directory policy settings applied? Local Machine > Site > Domain > OU
3. When would using the Slow Network Detection option in Group Policy be advantageous? When applying policy settings to systems that connect over slow connections
4. How many Group Policy Objects can a single WMI filter be applied to? As many as necessary
5. What is the order of precedence for Software Restriction Policy rule types? Hash > Certification > Path > Zone
6. What versions of Windows 7 support AppLocker rules? Windows 7 Enterprise and Ultimate
7. When multiple software restriction path rules apply to the same application, which one will be used? The most specific one
8. What command-line tool can be used to disable driver signing requirements? Bcdedit.exe
9. When group policy is used to install applications what method will automatically do the setup before the user logs on? Assigning the software to the user or computer side of the policy will accomplish this.
10. True or False. Multiple WMI Filters can be applied to a single GPO. False.
11. What security option is available with Software Restriction Policies that cannot be used with AppLocker? The ability to apply rules to Internet Explorer Security Zones.
12. What security option is available with AppLocker that cannot be used with Software Restriction Policies? Both methods allow the use of certificate rules, but only AppLocker allows the configuration of rules based on attributes of the certificate other than the publisher name (e.g. product name, file version or file name).


Review Answers for Module 2


1. What feature of WIM files allows them to reduce the drive space needed to store multiple images? Single Instance Storage
2. What command-line tool can be used to create new partitions? Diskpart.exe
3. What is the ImageX command-line utility used for? ImageX is used to create, modify and deploy WIM files.
4. What new feature of UAC can be used to reduce the number of elevation prompts? Auto-Elevation
5. True or False. Compatibility Mode options can be automatically applied to all users on a system. True
6. What versions of Windows 7 support Windows XP Mode? Professional, Enterprise and Ultimate
7. What happens if the NTFS & share permissions are not the same for users connecting over the network? The more restrictive of the two permission sets is used
8. What DFS feature can be used to prevent users from viewing folders or files they do not have access to? Access-based enumeration
9. How are Windows Updates different from Microsoft Updates? Both update options include patches for the operating system but only Microsoft Updates include fixes for Microsoft applications like Office, SQL Server or Exchange.
10. Why might an administrator disable automatic updates for some computers? To allow time for testing the updates before applying them or to control when the fixes are applied.
11. What tool can be used to test drivers installed on a system? Verifier.exe
12. What tool allows you to revert to an older version of a device driver? Device Manager
13. What permissions must a user have on a GPO for its settings to be applied to him? Read and Apply Group Policy
14. What is a WSUS server used for? To manage Microsoft Updates from a server on the local network
15. What is GPO filtering? Changing the permissions on a GPO so that it only applies to a select group of users. This technique is often used to test new software installs and updates.



16. What format are Problem Step Recorder files stored in? Zipped MHTML files
17. True or False. The ability to store screen shots in a Problem Steps Recorder file can be disabled. True


Review Answers for Module 3


1. What are the four possible levels that events can have in the system or application logs? Information or Warning or Error or Critical.
2. What command-line utility can be used to manage Event Viewer log files? Wevtutil.exe
3. What tool is used to configure Remote Management on a desktop? Winrm.exe
4. What can the eventcreate.exe command be used to do? Generate events for the log files in Event Viewer on the local machine or remotely.
5. What service manages subscriptions to events from remote computers? Windows Event Collector
6. What functionality is provided by Windows Resource Protection? It redirects applications to unprotected areas in the registry where they may write information.
7. What feature allows 32-bit applications to be run on Windows 7 64-bit operating systems? Windows on Windows 64 (WOW64). This is an emulation tool.
8. What kind of scripts are used to design a troubleshooting pack? PowerShell scripts
9. What tool is used to create troubleshooting packs? TSPBuilder.exe in the Windows 7 Software Development Kit
10. What three different types of scripts might you create in a troubleshooter pack? Troubleshooter, Verifier and Resolver scripts
11. How is the Windows Experience Index base score calculated? The lowest subscore of the hardware components is used
12. How can the Windows Experience Index subscore of the primary hard disk be improved? Moving resources to a different drive and defragmenting the drive.
13. What tool can be used to change the boot options for a computer? System Configuration (msconfig.exe)
14. True or False. Drivers and Services can be disabled using Safe Mode with Command-Prompt. True
15. True or False. System Restore can be used to retrieve deleted user files. False. (It only works for repairing registry, system and application files.)


Review Answers for Module 4


1. What network services are needed to support domain authentication? DNS and available domain controllers
2. Besides using a user name and password, what other authentication methods are possible on Windows? Smart Card and Fingerprint
3. True or False. Time differences between a DC and the client computer can prevent authentication. True. (The time cannot be out of sync by more than 5 minutes for Kerberos authentication)
4. How often are computer account passwords reset in a domain? Every 30 days
5. What are some tools that can be used to create computer accounts? Dsadd.exe or csvde.exe or ldifde.exe
6. What kind of trust relationships are automatically created between domains in the same forest? The trust relationships are two-way and transitive
7. What authentication protocols are supported with External Trust relationships? Only NTLM
8. What command can be used to change the time server of a computer? W32tm.exe /config /manualpeerlist:nyc-dc1.contoso.com /syncfromflags:manual /update
9. What kind of DNS zones do not allow dynamic updates? Secondary zones
10. What DNS record types provide information about computers that provide authentication services? Service (SRV) records
11. When might you use the User Cannot Change Password property setting? If the account is used by more than one user
12. True or False. All user accounts in a domain must share the same Account Policy settings. False (Policy settings can now be assigned to user accounts and global security groups.)
13. What are some reasons to create a roaming profile for a user? Make it easier to access personal information from any computer and to automatically copy it to a network location where it will be backed up.
14. How can documents saved in local profiles be automatically protected on the network? By using folder redirection in group policy
15. How are mandatory profiles created? By renaming the ntuser.dat file to ntuser.man


Review Answers for Module 5


1. How can a client computer be configured to always get the same IP address from a DHCP server? By creating an IP address reservation using the network card MAC address
2. How can you prevent users from connecting to certain applications on a network segment? Configure inbound filters on the switch or router that will block the protocols used by the application
3. What protocol is used by the ping command to test connectivity with network machines? ICMP
4. What is the pathping.exe command used to do? To find which routers are used to connect to a remote system and to verify if there were packet losses on any of them
5. How can you verify the MAC or physical address of a network card? By using the commands ipconfig /all or net config rdr
6. What IP configuration must all computers on the same subnet share? They must all have the same network address
7. In what order should resources be pinged when testing the IP configuration of a computer? Loopback address > Local IP > Local Subnet IP > Default Gateway > Remote Computer
8. What command can you use to see the IP addresses of routers between two machines? Tracert.exe or Pathping.exe
9. What parameter will allow you to do a continuous ping of a computer until stopped manually? -t
10. True or False. Windows 7 systems will automatically configure an IPv6 address for themselves. True
11. What are the two different ways of configuring Branch Caching? Hosted Caching and Distributed Caching
12. What ports must be configured for inbound traffic on a desktop computer configured for distributed caching? Ports 3702 and 80 (for the WS-Discovery protocol and HTTP)
13. What are the different ways that IPSec rules can be applied to computers? Locally by using the Local Security Policies or Windows Firewall with Advanced Security and by using GPOs
14. What three profiles are available when configuring IPSec rules? The three profiles are Domain, Private or Public. They can be used individually or in any combination.


15. What IPSec configuration allows a system to be configured as a gateway to encrypt unencrypted traffic? IPSec Tunnel
16. What command can you use to display the local routing table on a computer? Netstat -r or route print


Answers for Lab 5, Exercise 1


1. What is the MAC address of the network adapter on NYC-DC1? Nbtstat -a NYC-DC1
2. What version of Windows 7 is installed on your computer? Net config rdr
3. How could you map the Users share on NYC-DC1 to the U: drive? Net use u: \\NYC-DC1\users
4. On what port numbers does your machine have active connections? Netstat -n
5. What visible network shares are now available on NYC-DC1? Net view NYC-DC1
6. What visible and invisible shares are available on your system? Net share
7. What are the names or IP addresses of computers connected to shares on your system? Netstat
8. How can you list the IP & MAC addresses of computers you have recently communicated with? Arp -a
9. How can you register a computer's IP address with the DNS Server? Ipconfig /registerdns
10. How can you get the description of an operating system error number? Net helpmsg <error number> (e.g. Net helpmsg 1014)
11. How can you verify that the DNS server has the correct IP address for your computer? Nslookup Computer1
12. Which computer names are presently in your DNS cache? Ipconfig /displaydns
13. Which computer names are presently in your netbios cache? Nbtstat -c
14. How can you verify that NYC-DC1 is using the netbios protocol? Nbtstat -a NYC-DC1
15. What command can you use to verify that your computer has a valid connection to the domain? Netdom verify Computer1
16. How can you verify what server is presently acting as your Time Server? Net time or W32tm.exe /monitor
17. What command will show the routing table of your computer? Netstat -r or Route Print


18. What command will list the IP address or name of routers used to connect to a remote system? Pathping 192.168.20.100 or Tracert 192.168.20.100
19. How can you display all the records in the Contoso.com DNS zone? Dnscmd NYC-DC1 /zoneprint contoso.com
20. What command will list all the domain controllers in your domain? Netdom query dc
21. What command will allow you to assign a static IP address to the NIC? Netsh interface ip set address name="Local Area Connection" static 192.168.10.10 255.255.255.0
22. What command will allow you to change the IP configuration from static to dhcp? Netsh interface ip set address name="Local Area Connection" DHCP
23. How can you disable Windows Firewall? Netsh advfirewall set currentprofile state off
24. What command will create a rule named "Telnet Connections" that prevents Telnet.exe from creating outbound connections? Netsh advfirewall firewall add rule name="Telnet Connections" dir=out action=block program=c:\windows\system32\telnet.exe enable=yes
25. What command will delete an existing firewall rule named "Telnet Connections"? Netsh advfirewall firewall delete rule name="Telnet Connections"


Review Answers for Module 6


1. What is a DNS zone? This is the file or folder on a DNS server that holds records for a particular domain
2. True or False. A client computer will always use the secondary DNS server when the primary is unable to resolve a name. False
3. How can you view or clear the DNS cache on a computer? Ipconfig /displaydns will show the records in the cache and ipconfig /flushdns will delete them
4. True or False. Entries in a hosts file are automatically added to the DNS cache of a computer. True
5. Where must the hosts file be located in order for the system to use it? %systemroot%\system32\drivers\etc
6. How is a WINS server different from a DNS server? They both do name resolution, but WINS resolves NETBIOS names
7. What command can you use to verify records on a DNS server? Nslookup
8. True or False. Client computers can only be assigned one valid IP address for each network adapter. False
9. What option is used to load lmhosts records into the NETBIOS cache? #PRE
10. When resolving hostnames, what location does the computer check for IP addresses before DNS? DNS cache
11. If all name resolution methods are configured on a client computer, what is the last location checked to resolve a hostname? LMHOSTS file
12. True or False. Information on a DNS server will override incorrect data on the hosts file. False
13. What methods can be used to disable the use of broadcast requests to find NETBIOS names? This setting can be disabled from the DHCP server or in the registry of the client computer.
14. How can the NETBIOS protocol be disabled on a network adapter? You can use the advanced settings in the TCP/IP properties of the NIC card. On the WINS folder, choose the option to Disable NetBIOS over TCP/IP
15. True or False. A client computer can be assigned only two DNS servers, a primary and a secondary. False
16. How can the LMHOSTS file be configured to automatically import data from another source during startup? Use the #INCLUDE extension to point it to another file.


Review Answers for Module 7


1. What permissions are needed to control the documents of other users being sent to a printer? Manage Documents
2. What feature must be enabled to send documents to a printer using a URL? Internet Printing Client
3. What protocols can be used to exchange information with web-based printers? IPP or RPC
4. What permissions are needed to take a printer offline? Manage Printer
5. True or False. The priority of print jobs can be changed while they are in the print queue. True
6. How can you make all jobs on a printer wait until 5:00PM before sending them to the print device? Configure a Printer Schedule for the printer
7. If the default priority for a printer is 10 and you change the priority for a print job to 5, what will happen to it? It will fall to the bottom of the print queue and wait until there are no jobs left to be printed.
8. True or False. Pausing a printer prevents you from adding new jobs to the print queue. False
9. True or False. All print devices in a printer pool must be of the same make and model. False (They only need to support the same print driver)
10. How does client-side rendering affect the way printed documents are spooled? It does not. The document can be rendered on the client and be spooled on either the client or server.
11. True or False. The Manage Documents permission also includes the ability to print documents. False. (To do this the Print permission must also be assigned)
12. What are some of the requirements for configuring multiple print devices into a printer pool? They should all support the same print driver and be located in the same area.


Review Answers for Module 8


1. In what log file can Performance Monitor alerts be configured to record events? Application Log
2. What three operations can be performed by an Event Viewer task? Starting a program or sending an email or displaying a message
3. Which Event log file is most likely to contain information about failed system drivers? System Log
4. What components normally use the most power on a laptop? CPU, Display, Wi-Fi and Hard Drive
5. What power management setting will shut down a computer but save the running state of the system? Hibernation mode
6. True or False. A laptop will completely lose power and data eventually if left in sleep mode? False. The computer will automatically go into hibernation mode when power levels become critical.
7. What feature allows you to use memory on a flash drive as virtual memory for the machine? ReadyBoost
8. What is the purpose of the pagefile.sys system file? This is the virtual memory file that stores information to the hard-drive to free up Random Access Memory.
9. How does an application gain access to processing resources on a computer? They are assigned by the operating system. This helps to prevent resource conflicts and improve the stability of the system.
10. What option in Task Manager allows you to control the processors an application uses? Set Affinity
11. How can you close down a non-functioning program and all processes related to it? Use the End Process Tree option for the process in Task Manager
12. True or False. Services will continue to use computer resources even if they are idle. True
13. What is the minimum recommended free space for hard-drive partitions? 20 percent
14. True or False. Scheduled maintenance operations can be configured to run only when the system is idle. True


Review Answers for Module 9


1. What are some things that you can do to prevent future power supply unit problems? Clean it regularly and keep it away from dust & use surge protectors and power outlets safely
2. True or False. A faulty power supply can damage other components inside a computer. True
3. What command-line tool can you execute to test and fix errors on a partition? Chkdsk.exe
4. What kind of device can be used to test the voltage output for a power connector on a PSU? A multimeter. This should only be done by technicians who follow safety precautions and are comfortable using a multimeter.
5. What is a Hardware Compatibility List? The HCL specifies the hardware components that have been tested for compatibility with a particular O.S.
6. What command-line tool can be used to reduce fragmentation on a hard-drive? Defrag.exe
7. Under what circumstances would it be appropriate to fix a power supply unit? This is never appropriate. They should be replaced if there are any issues with them.
8. True or False. A laptop can be configured with multiple independent network connections. True. Any computer can be configured with multiple NIC, wireless and dial-up connections.
9. How does using System Configuration allow you to diagnose hardware problems on a computer? You can start the system in Safe Mode and control the startup of device drivers and services.
10. What tool can be used to monitor the performance of hardware components in real time? Performance Monitor
11. What are the four main hardware components that affect performance on most computer systems? Processor and Memory and Disk and Network
12. What tools could you use to monitor and stop the processes that are using most of your memory resources? Task Manager or Resource Monitor


Review Answers for Module 10


1. What are some recommendations to follow in finding a good location for a wireless router? Put it in a central location and detect & mitigate situations where other devices cause interference.
2. What Wi-Fi network is backward compatible with 802.11b? 802.11g
3. What methods can be used to secure the default SSID on a wireless access point? Change the name of the SSID and configure it not to broadcast the new name
4. What wireless protocol was created to replace WEP because of its security problems? Wi-Fi Protected Access (WPA)
5. True or False. A WAP's signal strength and connectivity might be improved by changing the channel. True
6. What technology allows wireless profiles to be set up automatically by downloading configuration settings directly from the device? Windows Connect Now (WCN)
7. True or False. The Wake on LAN feature is available for wired and wireless network connections. True.
8. What capability is available on wireless devices that support the Virtual Wi-Fi feature? The ability to connect a single wireless NIC to multiple networks
9. What is a SSID? The Service Set Identifier uniquely identifies a WAP and is used by wireless devices to connect to it
10. How can a WAP be configured to only allow connections from specific laptops on the network? Configure the access point to only allow connections from the MAC addresses of those laptops
11. What is the best way to copy wireless profile settings between laptops that are not on the same network? Export the profile to a USB drive and install it from the flash drive on the other system
12. True or False. Hiding the SSID of a wireless access point will prevent hackers from viewing network traffic. False


Review Answers for Module 11


1. How is a network connection completed when the callback dial-up option is configured? After the client calls the RAS server, the connection is disconnected. The server then calls back at a predefined number to make sure the user is connecting from the right location.
2. Why would you create more than one dialing rule to connect to a RAS server on your network? To store connection options for dialing in from different locations
3. True or False. Callback security must specify a predefined number to be used by the remote server? False. The Callback option can include the ability for the user to specify the number.
4. True or False. VPN connections cannot work over networks that use an active Winsock proxy client. True
5. How can you verify whether there are DNS resolution issues when connecting to a VPN server URL? Try to use the IP address of the VPN server. If successful, there is a name resolution issue.
6. What is the strongest authentication protocol available for VPN connections? Extensible Authentication Protocol. The strongest configuration of EAP uses Smart Card for authentication.
7. What protocol is used to protect data traffic sent over a DirectAccess connection? IPSec
8. What editions of Windows 7 support a DirectAccess configuration? The Enterprise & Ultimate editions
9. What protocols can be used to authenticate client computers using DirectAccess connections? IPSec is the only authentication or encryption protocol used.
10. What feature allows client computers to automatically re-establish a lost VPN connection? VPN Reconnect
11. What methods can be used to issue IP addresses to VPN clients? DHCP or VPN servers. IP addresses can also be assigned to user accounts in Active Directory.
12. What function is provided by a Network Policy Server to remote access clients? It provides RADIUS services which are used to centrally manage authentication and authorization for all remote access servers.


Review Answers for Module 12


1. What command-line tool can be used to configure the caching options available on a network share? NET SHARE
2. How can Transparent Caching be enabled for computers on your network? By using Group Policy settings
3. True or False. Transparent Caching provides access to files when the network is unavailable. False. Although the files are stored in the offline files cache, losing the connection makes them unavailable.
4. What are the two reasons that might lead you to enable Transparent Caching for computers on the network? To optimize network bandwidth for slow or highly utilized networks & to speed up user access to large files.
5. What is a roaming profile? This is a user profile that is saved to a network location so it can be used on any machine a user logs into.
6. What file must be renamed to change a roaming profile into a mandatory profile? NTUSER.DAT must be renamed to NTUSER.MAN
7. How often are updates & changes written to a network roaming profile? As often as the user logs off. Changes are not written as soon as the user makes them.
8. True or False. An NTFS drive is required to use the offline files feature. True
9. What happens when the network version of an offline file is deleted after reconnecting to the share? The local copy of the file will also be deleted.
10. What must be done to generate a previous version of a file shared over the network? A restore point must be created for the partition on which the share is located.
11. What service must be running for scheduled operations to execute on a computer? Task Scheduler
12. What will the operating system do when new files need to be added to an offline files cache that is full? It will delete older files to make room for the newer ones.


Review Answers for Module 13


1. What are the four security zones in Internet Explorer? Internet and Local Intranet and Trusted Sites and Restricted Sites
2. Which IE security zone will normally be configured with the least restrictive security settings? Trusted Sites
3. When a web-site is not specifically assigned to a security zone, where will it be assigned? To the Internet Zone
4. What IE setting, if enabled, will warn you about a webpage trying to run an application? Protected Mode
5. What is the default security level used for web-sites added to the Trusted Sites zone? Medium
6. True or False. All Internet Explorer pop-ups are illegitimate and should always be blocked. False
7. What are third-party cookies? Cookies that are owned by a web-site other than the one that placed it on your computer
8. Why would you enable the InPrivate Browsing option in Internet Explorer? To automatically delete caching, history, cookies & other user information after the browser is closed
9. True or False. InPrivate Browsing can be used to protect user information transmitted over the network. False. It only protects user information that is normally stored on the local machine.
10. What shortcut keys are used to activate the InPrivate Filtering feature? Ctrl + Shift + F
11. When would you use the Compatibility View option in Internet Explorer? To provide backward compatibility with older web-applications written for previous versions of IE
12. True or False. Certificates must be installed on the client system to encrypt data using the HTTPS protocol. False. The certificate only needs to be installed on the web server.


Review Answers for Module 14


1. What is involved in creating a defense in depth strategy for a network? This means that your network has different levels at which local resources are protected, such as having an organizational firewall for all outside connections, but also configuring firewall settings at the desktop.
2. What kind of network attacks will a firewall not prevent? Virus, phishing or spyware
3. True or False. Windows Firewall rules can be defined for locations other than the Internet. True
4. Besides the IP address of a computer, what other information is needed to communicate with a specific application on a machine? Port number and transport protocol (TCP or UDP).
5. What three network locations can be configured with Windows Firewall settings? Domain or Public or Private
6. True or False. Windows 7 firewall rules can be applied to users based on their group membership. True
7. What command-line tool can be used to configure firewall rules on a computer? Netsh advfirewall
8. What tool allows you to show Process ID information from the command-line? Tasklist
9. What command-line tool can be used to view and modify the routing table of a system? Route.exe
10. Where can you find log data for Windows Firewall? Event Viewer and the firewall profile log files.
11. Under what circumstances will Windows Firewall display a notification after enabling this feature? If there is no existing rule for the program and the default configuration of the firewall blocks the application
12. Where must rule merging settings be configured? Rule merging happens when local and group policy firewall rules are brought together. The merge rules can only be configured through Group Policy.


Review Answers for Module 15


1. What capability is provided by anti-virus programs that do on-access scanning? This means the program will analyze new files being added to the computer or being accessed by software
2. What harm can be done to a computer by spyware programs? They can record user actions and share confidential data with unauthorized people
3. What are some organizations that provide testing or certification for anti-malware products? AV-Comparatives, AV-Test, ICSA, Virus Bulletin and West Coast labs
4. How can you enable InPrivate browsing in Internet Explorer? From an active browser window, type Ctrl + Shift + P to open a new window with this feature turned on
5. How can you launch Internet Explorer with all add-ons disabled? Launch it by using the link under Accessories > System Tools or execute iexplore.exe -extoff.
6. What kind of protection is offered by enabling Smartscreen filters in IE? It provides real time protection against phishing and malware attacks from web-sites known to be unsafe.
7. What are some signs of malware infection on a computer system? Unauthorized installation, removal of programs, unexpected disabling of the firewall and an unexpected drop in the performance of resources
8. What are some of the things you will immediately do after confirming that a malware infected system cannot be cleaned by the software product you normally use? Disconnect the system from the network and notify supervisors
9. How can you create a System Repair Disk for a computer? From the Control Panel, go to the Backup and Restore console and use the available link to create a system repair disc
10. Why should a technician question the users of a malware infected system as soon as the infection is identified? To find how the computer was infected and if other systems might have been infected as well
11. What are web browser cookies used for? To track user behavior on the Internet and to improve the browsing experience when using websites. They can also be used maliciously because of the personal information they might contain.
12. What should be done before reimaging a malware infected hard-drive? It is best to completely wipe the hard-drive before reimaging it.
13. What anti-spyware product is automatically available as a part of Windows 7? Windows Defender


14. What tools might be able to make system registry changes without going directly to regedit? System Configuration or Control Panel
15. What tool can you use to find out which program is using computer resources heavily? Task Manager or Process Explorer


Review Answers for Module 16


1. What is a recovery certificate used for? To recover the information in encrypted files if the original encryption key is lost
2. True or False. EFS keys might be lost when a user's password is reset by an administrator. True
3. What file systems support EFS and BitLocker? Only NTFS supports either of them.
4. How many partitions are needed to configure BitLocker encryption on a data drive? One. Only operating system drives need at least two partitions.
5. True or False. A document can be both encrypted & compressed with Windows Explorer property settings. False
6. True or False. In order to encrypt a file the user must have ownership for Full Control permissions on it. False. Only Write Attributes, Create Files/Write Data and List Folder/Read Data permissions are needed.
7. What command-line tool can you use to encrypt or decrypt documents? Cipher.exe
8. What happens to an encrypted file if it is copied to a FAT or FAT32 partition? It is decrypted automatically
9. What two methods can be used to access BitLocker encrypted flash drives? A password or smart card
10. How long are the recovery keys created when BitLocker encryption is enabled? They are 48 digits in length
11. True or False. Deleting as many files as possible on a drive before enabling BitLocker encryption will speed up the process. False
12. What encryption protocol can be used to protect confidential data sent over the network? IPSec


Review Answers for Module 17


1. What server application can be used to apply updates to Microsoft and third-party applications? System Center Configuration Manager (SCCM)
2. How can you prevent Windows Update from trying to install an unapproved patch on a computer? Hiding the update will prevent Windows Update from requesting its installation
3. True or False. It is best to schedule updates to happen while users are working on the system. False.
4. What tool can be used to undo driver updates on a device? Device Manager. Using the option to roll back the driver will replace it with the previous version.
5. How are the Windows Update and Microsoft Update services different? Windows Updates are provided for the operating system while Microsoft Updates are for Microsoft applications like Microsoft Office, Exchange or SQL Server.
6. What are software notifications? These are provided through Windows Update to provide information about new programs that can improve the computing experience of the user.
7. True or False. Windows Updates apply to all users regardless of who is logged in when they are installed. True
8. What classification of updates cannot be installed automatically on a computer? Optional Updates
9. What feature can be used to configure automatic updates for Microsoft Office on a computer? Microsoft Update
10. How are service packs different from other forms of updates? Regular updates apply a single fix or upgrade to the system. Service packs are cumulative and contain all changes since the release of the operating system or application.
11. What tool is designed to automatically detect and fix problems with Windows Updates? Windows Update Troubleshooter
12. What are the four levels of classification available for security problems solved by security updates? Critical, Important, Moderate and Low


Review Answers for Appendix B


1. What cmdlet is used to enable the use of scripts in PowerShell? Set-ExecutionPolicy
2. What service must be enabled to run PowerShell scripts on a remote system? Windows Remote Management. It can be configured from the command line using Winrm.cmd.
3. What tool can be used to create a certificate for a script? Makecert.exe. This tool is available with the Windows Software Development Kit.
4. True or False. The data type of a variable can be changed dynamically in a script. True. To prevent this, assign a data type to the variable at the time of creation (e.g. [int]$Var1).
5. What cmdlet can be used to list all PowerShell commands? Get-Command
6. What command could you use to get helpful information about using the New-Alias cmdlet? Get-Help New-Alias | More (The More command pauses at each page.)
7. How can you send the output from the Get-ChildItem cmdlet to a new file named Info.txt? Get-ChildItem > Info.txt
8. How can you append the errors generated by the Get-Help -f command to a file named Errors.txt? Get-Help -f 2>> Errors.txt
9. True or False. CMD.exe and UNIX commands can be executed from a PowerShell shell. True. (In addition to the aliases provided, new ones can also be defined.)
10. How can you capture a list of filenames that have a TXT extension? Get-ChildItem -Name -Filter *.txt
11. How can you generate a list of all the aliases configured in a Shell? Get-Alias
12. True or False. Script debugging can only be done manually from the command-line or a text editor. False. The PowerShell ISE provides a GUI interface for creating and debugging scripts.


Answers for Appendix B, Exercise 2


(Use PowerShell Documentation to understand and use Cmdlets)
Note: For each of the following steps, use the information in Lessons 2-4 and Exercise 1 to choose the correct command for each task. Unless otherwise stated, each task must be completed with a PowerShell cmdlet. If a task changes the computer configuration, verify that the operation completed successfully.

1. Get a list of all the Set- commands.
   Get-Command *set*
2. Get detailed information about the Stop-Service cmdlet.
   Get-Help Stop-Service -Detail | More
3. Stop the Spooler service and then restart it.
   Stop-Service Spooler -F; Start-Service Spooler (Also: Restart-Service Spooler -F)
4. Get a list of all active processes running on the computer.
   Get-Process
5. Get the process ID number for any process with the name iexplore. (To perform this step, start an Internet Explorer session if you do not already have one running.)
   Get-Process iexplore
6. Stop an Internet Explorer session using the process ID number assigned to it.
   Stop-Process <ID>
7. Assign the string "This is a test" to a variable named $String1.
   $String1="This is a test"
8. Assign the string " of concatenation." to a variable named $String2.
   $String2=" of concatenation."
9. Concatenate $String1 and $String2 as a new variable named $String3 and print its value to the screen.
   $String3=$String1+$String2; $String3
10. Do a folder and file listing in your home directory and send the data to a text file named C:\Temp\Dir.txt.
    CD ~; Dir > c:\temp\Dir.txt
11. Perform a directory listing of the C:\Users folder and append the information to the C:\Temp\Dir.txt file.
    Dir C:\Users >> c:\temp\Dir.txt
12. Perform a directory listing on the fictitious folder named C:\Temporary and redirect the error message to C:\Temp\Errors.txt.
    Dir C:\Temporary 2> C:\Temp\Errors.txt
13. Perform a query to get information about all logical drives on the computers.
    Get-WmiObject Win32_LogicalDisk
14. Display the logical drives in a list, showing only their name, size and freespace.
    Get-WmiObject Win32_LogicalDisk | Format-List Name,Size,Freespace


15. Display the logical drives in a table, showing only their name, size and freespace. Do not include drives with zero drive space.
    Get-WmiObject -Query "Select * From Win32_LogicalDisk Where Size > 0" | Format-Table Name,Size,Freespace
16. Perform a query to get the amount of free disk space on drive C:
    Get-WmiObject -Query "Select * From Win32_LogicalDisk Where DeviceID='C:'"
17. Create a folder named C:\Logs
    New-Item -Path C:\Logs -Type Directory
18. Create two files named C:\Logs\Errors.log and C:\Logs\Errors2.log
    New-Item -Path C:\Logs\Errors.log -Type File; New-Item -Path C:\Logs\Errors2.log -Type File
19. Add two lines to the C:\Logs\Errors.log file that say "Error Number 1" and "Error Number 2".
    Add-Content C:\Logs\Errors.log "Error Number 1"; Add-Content C:\Logs\Errors.log "Error Number 2"
20. Delete the C:\Logs\Errors2.log file.
    Remove-Item C:\Logs\Errors2.log
21. Rename the C:\Logs\Errors.log file to C:\Logs\Errors.dat.
    Rename-Item C:\Logs\Errors.log C:\Logs\Errors.dat
22. View the last 5 entries in the Application Event Log.
    Get-EventLog Application -Newest 5
23. Record the last 50 entries from the System Event Log to a file named C:\Log\System.log
    Get-EventLog System -Newest 50 > C:\Log\System.log
24. Create a new Source for the Event Viewer Application Log named "Admin Script".
    [System.Diagnostics.EventLog]::CreateEventSource("Admin Script","Application");
25. Add an entry to the Application log with an EventID of 5500, a Message of "The Task Completed Successfully." and a Source of "Admin Script".
    Write-EventLog -LogName Application -EventID 5500 -Message "The Task Completed Successfully." -Source "Admin Script"
26. Disable the Network Adapter.
    $NetworkAdapter=Get-WmiObject -Q "Select * From Win32_NetworkAdapter Where AdapterType like '%ethernet%'"; $NetworkAdapter.Disable()
27. Enable the Network Adapter.
    $NetworkAdapter=Get-WmiObject -Q "Select * From Win32_NetworkAdapter Where AdapterType like '%ethernet%'"; $NetworkAdapter.Enable()
28. Assign a static IP address of 192.168.10.50 to the network card.
    $NetworkConfig=Get-WmiObject -Q "Select * From Win32_NetworkAdapterConfiguration Where DNSDomain='Contoso.com'"; $NetworkConfig.EnableStatic("192.168.10.50","255.255.255.0");
29. Configure the network adapter to use DHCP.
    $NetworkConfig=Get-WmiObject -Q "Select * From Win32_NetworkAdapterConfiguration Where DNSDomain='Contoso.com'"; $NetworkConfig.EnableDHCP()


30. Add a folder to the HKEY_CURRENT_USER registry hive named PSLogic, verify that it was added correctly and then remove it.
    New-Item HKCU:\PSLogic; Get-ChildItem HKCU:; Remove-Item HKCU:\PSLogic


